author | Tad <tad@spotco.us> | 2018-07-04 15:48:02 -0400 |
---|---|---|
committer | Tad <tad@spotco.us> | 2018-07-04 15:48:02 -0400 |
commit | e91e7b2b8165450e695c7f45492cca2ae6927678 (patch) | |
tree | a9379cc4330adfa679cdae89f64741c6f23df679 /etc | |
parent | Merge pull request #2025 from Bundy01/master (diff) | |
download | firejail-e91e7b2b8165450e695c7f45492cca2ae6927678.tar.gz firejail-e91e7b2b8165450e695c7f45492cca2ae6927678.tar.zst firejail-e91e7b2b8165450e695c7f45492cca2ae6927678.zip |
Merges + misc fixes
- Change some links in README to HTTPS
- Fixup some typos in firejail-profile manpage
- Cleanup dash from private-etc
- Fixup gradio
- Synchronize server profile with default profile
Diffstat (limited to 'etc')
-rw-r--r-- | etc/ark.profile | 2 | ||||
-rw-r--r-- | etc/bsdtar.profile | 2 | ||||
-rw-r--r-- | etc/disable-common.inc | 2 | ||||
-rw-r--r-- | etc/disable-programs.inc | 2 | ||||
-rw-r--r-- | etc/gradio.profile | 8 | ||||
-rw-r--r-- | etc/server.profile | 10 |
6 files changed, 18 insertions, 8 deletions
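--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -31,7 +31,7 @@ protocol unix
 seccomp
 shell none
 
-private-bin ark,unrar,rar,unzip,zip,zipinfo,7z,p7zip,unar,lsar,lrzip,lzop,lz4,bash,dash,sh,tclsh
+private-bin ark,unrar,rar,unzip,zip,zipinfo,7z,p7zip,unar,lsar,lrzip,lzop,lz4,bash,sh,tclsh
 #private-etc smb.conf,samba,mtab,fonts,drirc,kde5rc,passwd,group,xdg
 
 private-dev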
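--- a/etc/bsdtar.profile
+++ b/etc/bsdtar.profile
@@ -34,7 +34,7 @@ shell none
 tracelog
 
 # support compressed archives
-private-bin sh,bash,dash,bsdtar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop,lz4,libarchive
+private-bin sh,bash,bsdtar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop,lz4,libarchive
 private-dev
 private-etc passwd,group,localtime
 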
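--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -391,4 +391,4 @@ blacklist ${HOME}/*.local/share/flatpak
 blacklist /var/lib/flatpak
 blacklist /usr/share/flatpak
 # most of the time bwrap is SUID binary
-blacklist /usr/bin/bwrap
\ No newline at end of file
+blacklist ${PATH}/bwrap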
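Review bot: The new `blacklist ${PATH}/bwrap` rule on the last line reaches only copies of bwrap in the directories the `${PATH}` macro expands to, so a bwrap binary installed elsewhere (a libexec directory, for instance) would presumably stay visible inside the sandbox. The comment above it says only that bwrap is usually SUID and leaves the reason for hiding it implicit. I would expand it to something like `# bwrap is usually SUID root; hide it so sandboxed programs cannot run a setuid helper`, and mention there that profiles without `nonewprivs` or `seccomp` depend on this rule.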
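--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -393,6 +393,7 @@ blacklist ${HOME}/.local/share/gnome-photos
 blacklist ${HOME}/.local/share/gnome-recipes
 blacklist ${HOME}/.local/share/gnome-ring
 blacklist ${HOME}/.local/share/gnome-twitch
+blacklist ${HOME}/.local/share/gradio
 blacklist ${HOME}/.local/share/gwenview
 blacklist ${HOME}/.local/share/kaffeine
 blacklist ${HOME}/.local/share/kate
@@ -550,6 +551,7 @@ blacklist ${HOME}/.cache/google-chrome
 blacklist ${HOME}/.cache/google-chrome-beta
 blacklist ${HOME}/.cache/google-chrome-unstable
 blacklist ${HOME}/.cache/gnome-twitch
+blacklist ${HOME}/.cache/gradio
 blacklist ${HOME}/.cache/icedove
 blacklist ${HOME}/.cache/INRIA/Natron
 blacklist ${HOME}/.cache/inkscape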
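--- a/etc/gradio.profile
+++ b/etc/gradio.profile
@@ -5,10 +5,8 @@ include /etc/firejail/gradio.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ${HOME}/.cache/gradio
 noblacklist ${HOME}/.local/share/gradio
-mkdir ${HOME}/.local/share/gradio
-whitelist ${HOME}/.local/share/gradio
-whitelist ${HOME}/.cache/gradio
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -16,6 +14,10 @@ include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+mkdir ${HOME}/.cache/gradio
+mkdir ${HOME}/.local/share/gradio
+whitelist ${HOME}/.cache/gradio
+whitelist ${HOME}/.local/share/gradio
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc
 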
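--- a/etc/server.profile
+++ b/etc/server.profile
@@ -22,18 +22,24 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps
+# ipc-namespace
+# netfilter /etc/firejail/webserver.net
 no3d
+# nodbus
 nodvd
+# nogroups
+# nonewprivs
+# noroot
 nosound
 notv
 novideo
 seccomp
-
-# netfilter /etc/firejail/webserver.net
+# shell none
 
 # disable-mnt
 private
 # private-bin program
+# private-cache
 private-dev
 # private-etc none
 # private-lib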
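Review bot: The options synchronized from the default profile (`# ipc-namespace`, `# nodbus`, `# nogroups`, `# nonewprivs`, `# noroot`, `# shell none`, `# private-cache`) all arrive commented out with no explanation. An administrator therefore cannot tell which ones are incompatible with a server started as root and which are opt-in hardening left off by default. A short comment ahead of the block would settle that, for example `# options below are disabled by default; enable per service after testing`. `# nonewprivs` deserves its own remark, since leaving it off presumably keeps setuid binaries usable inside the sandbox. The profile continues outside the hunk.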