author | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2021-09-07 17:30:47 +0200 |
committer | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2021-09-07 17:38:07 +0200 |
commit | 5d3e0e812bbdb45958031955bb2ed9b961e7f329 (patch) | |
tree | 07cc0a8390652dc450ea4d278cb64649e6f75983 /etc | |
parent | Blacklist ~/.minisign in disable-common (diff) | |
Rework pipewire/wayland
- closes #4483 -- mpv requires whitelisting /usr/share/pipewire
- wruc: whitelist pipewire-?, pipewire is becoming more popular and was
developed with isolation (container/sandbox) in mind.
- wruc: whitelist wayland-? instead of only -0 and -1
- wusc: whitelist /usr/share/pipewire
- remove these wruc/wusc lines from other profiles
- firefox-common-addons: Make ignore wruc work again (#4512)
- firefox: org.freedesktop.portal.Desktop should be enough
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/whitelist-runuser-common.inc | 4 | ||||
-rw-r--r-- | etc/inc/whitelist-usr-share-common.inc | 1 | ||||
-rw-r--r-- | etc/profile-a-l/chromium-common.profile | 4 | ||||
-rw-r--r-- | etc/profile-a-l/firefox-common-addons.profile | 1 | ||||
-rw-r--r-- | etc/profile-a-l/firefox.profile | 6 | ||||
-rw-r--r-- | etc/profile-a-l/librewolf.profile | 6 | ||||
-rw-r--r-- | etc/profile-m-z/xournalpp.profile | 1 |
7 files changed, 8 insertions, 15 deletions
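--- a/etc/inc/whitelist-runuser-common.inc
+++ b/etc/inc/whitelist-runuser-common.inc
@@ -10,7 +10,7 @@ whitelist ${RUNUSER}/gdm/Xauthority
 whitelist ${RUNUSER}/ICEauthority
 whitelist ${RUNUSER}/.mutter-Xwaylandauth.*
 whitelist ${RUNUSER}/pulse/native
-whitelist ${RUNUSER}/wayland-0
-whitelist ${RUNUSER}/wayland-1
+whitelist ${RUNUSER}/pipewire-?
+whitelist ${RUNUSER}/wayland-?
 whitelist ${RUNUSER}/xauth_*
 whitelist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]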
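Review bot: `whitelist ${RUNUSER}/pipewire-?` turns PipeWire socket access from a per-profile opt-in (the commented `#whitelist ${RUNUSER}/pipewire-0` lines this commit removes from chromium-common and firefox) into a default for every profile that includes whitelist-runuser-common.inc, and nothing in the hunk documents that widening. As far as I know PipeWire's access module grants full permissions to local clients it does not recognise as Flatpak/portal clients, so a sandboxed app reaching this socket can enumerate nodes and capture audio (microphone) without any portal prompt; the commit message's "developed with isolation in mind" does not by itself constrain such clients. If the default is intended, say so and name the mitigation next to the line, e.g. `# pipewire-?: exposes audio/video capture to every profile using this file; profiles that must not have it should use nosound`, and confirm that `nosound` in this release actually blacklists the pipewire socket rather than only pulse and /dev/snd. The `?` glob matches exactly one character, so it covers `pipewire-0`…`pipewire-9` and not longer names, which looks intended but is worth a word in the same comment.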
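--- a/etc/inc/whitelist-usr-share-common.inc
+++ b/etc/inc/whitelist-usr-share-common.inc
@@ -45,6 +45,7 @@ whitelist /usr/share/myspell
 whitelist /usr/share/p11-kit
 whitelist /usr/share/perl
 whitelist /usr/share/perl5
+whitelist /usr/share/pipewire
 whitelist /usr/share/pixmaps
 whitelist /usr/share/pki
 whitelist /usr/share/plasma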
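--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -37,10 +37,6 @@ include whitelist-var-common.inc
 # Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone.
 #include chromium-common-hardened.inc.profile
 
-# Add the next two lines to your chromium-common.local to allow screen sharing under wayland.
-#whitelist ${RUNUSER}/pipewire-0
-#whitelist /usr/share/pipewire/client.conf
-
 apparmor
 caps.keep sys_admin,sys_chroot
 netfilter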
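--- a/etc/profile-a-l/firefox-common-addons.profile
+++ b/etc/profile-a-l/firefox-common-addons.profile
@@ -2,6 +2,7 @@
 # Persistent customizations should go in a .local file.
 include firefox-common-addons.local
 
+ignore whitelist ${RUNUSER}/*firefox*
 ignore include whitelist-runuser-common.inc
 ignore private-cache
 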
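Review bot: The added `ignore whitelist ${RUNUSER}/*firefox*` carries no explanation of why the existing `ignore include whitelist-runuser-common.inc` was not enough, and the reason is not obvious from the file: presumably (#4512) a single surviving `whitelist ${RUNUSER}/...` line from the parent profile still makes ${RUNUSER} whitelist-only, so dropping the include alone changed nothing. Add a why-comment above the two ignore lines, e.g. `# Any remaining whitelist of ${RUNUSER} would still make it whitelist-only, defeating the ignore below (#4512)`. As far as I recall `ignore` does a literal prefix match on the command text, so this only neutralises a line spelled exactly `whitelist ${RUNUSER}/*firefox*`; if that line is ever reworded in the parent profile this ignore silently stops working, which is worth stating in the same comment. The profile that defines the matched whitelist is outside this hunk.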
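--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -58,10 +58,8 @@ dbus-user.own org.mpris.MediaPlayer2.firefox.*
 #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
 #dbus-user.talk org.kde.JobViewServer
 #dbus-user.talk org.kde.kuiserver
-# Add the next three lines to your firefox.local to allow screen sharing under wayland.
-#whitelist ${RUNUSER}/pipewire-0
-#whitelist /usr/share/pipewire/client.conf
-#dbus-user.talk org.freedesktop.portal.*
+# Add the next line to your firefox.local to allow screen sharing under wayland.
+#dbus-user.talk org.freedesktop.portal.Desktop
 # Add the next line to your firefox.local if screen sharing sharing still does not work
 # with the above lines (might depend on the portal implementation).
 #ignore noroot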
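Review bot: `#dbus-user.talk org.freedesktop.portal.Desktop` is narrower than the removed `org.freedesktop.portal.*`, but talk is granted per bus name, so enabling it still exposes every portal interface served on that name (FileChooser, OpenURI, Background, …), not only ScreenCast — the comment should say so, e.g. `# (talk covers every portal on that name, not just ScreenCast)`. The guidance also now relies on the PipeWire socket and /usr/share/pipewire being whitelisted by the common include files rather than by this profile; a short note that screen sharing additionally needs that default still in place would keep the instruction self-contained. The unchanged comment two lines below still reads `screen sharing sharing`; since the block is being rewritten, drop the duplicated word. Whether this profile runs dbus-user in filter mode is outside the hunk.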
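--- a/etc/profile-a-l/librewolf.profile
+++ b/etc/profile-a-l/librewolf.profile
@@ -44,10 +44,8 @@ dbus-user filter
 #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
 #dbus-user.talk org.kde.JobViewServer
 #dbus-user.talk org.kde.kuiserver
-# Add the next three lines to your librewolf.local to allow screensharing under Wayland.
-#whitelist ${RUNUSER}/pipewire-0
-#whitelist /usr/share/pipewire/client.conf
-#dbus-user.talk org.freedesktop.portal.*
+# Add the next line to your librewolf.local to allow screensharing under Wayland.
+#dbus-user.talk org.freedesktop.portal.Desktop
 # Also add the next line to your librewolf.local if screensharing does not work with
 # the above lines (depends on the portal implementation).
 #ignore noroot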
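Review bot: The hunk header shows this profile uses `dbus-user filter`, so the commented `#dbus-user.talk org.freedesktop.portal.Desktop` is effective once uncommented, and because talk is granted per bus name it opens every portal interface on that name rather than only ScreenCast; the comment should state that, e.g. `# (grants access to all portals on that name, not only ScreenCast)`. The wording here ("screensharing under Wayland") and in the parallel firefox.profile block ("screen sharing under wayland") differ for no reason; align them so the two stay easy to compare. Whether librewolf.profile shares a common include with firefox.profile is not visible in this hunk.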
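--- a/etc/profile-m-z/xournalpp.profile
+++ b/etc/profile-m-z/xournalpp.profile
@@ -13,7 +13,6 @@ noblacklist ${HOME}/.xournalpp
 
 include allow-lua.inc
 
-whitelist /usr/share/pipewire
 whitelist /usr/share/texlive
 whitelist /usr/share/xournalpp
 whitelist /var/lib/texmf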