author | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2021-09-30 08:18:19 +0200 |
---|---|---|
committer | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2021-09-30 08:26:28 +0200 |
commit | f3912910c1a92883671fce6b75a72ec7de865716 (patch) | |
tree | 2dcacaf5d2e259ce4cf71c968d769533e6858591 /etc | |
parent | Rework D-Bus policy of nheko (diff) | |
Profile fixes and hardening
* cheese
- fix: dbus-user.own org.gnome.Cheese
- fix: whitelist /usr/share/gstreamer-1.0
- fix: include allow-python3.inc
- hardening: include disable-shell.inc
- hardening: include whitelist-run-common.inc and whitelist /run/udev/data
- hardening: whitelist /usr/libexec/gstreamer-1.0/gst-plugin-scanner
- hardening: noinput
- hardening: nosound
- hardening: seccomp.block-secondary
- hardening: private-dev
* geekbench (closes #4576)
- fix: noblacklist /sbin and noblacklist /usr/sbin
- fix: noblacklist, blacklist, mkdir, whitelist, read-write ${HOME}/.geekbench5
- fix: comment/remove private-bin, private-lib, private-opt
* inkscape
- add quiet for CLI usage
* musixmatch (#4518)
- allow chroot
* pandoc
- fix: include allow-bin-sh.inc
- fix: drop private-bin
- hardening: include whitelist-runuser-common.inc
- hardening: seccomp.block-secondary
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/disable-programs.inc | 1 | ||||
-rw-r--r-- | etc/profile-a-l/cheese.profile | 12 | ||||
-rw-r--r-- | etc/profile-a-l/geekbench.profile | 12 | ||||
-rw-r--r-- | etc/profile-a-l/inkscape.profile | 1 | ||||
-rw-r--r-- | etc/profile-m-z/musixmatch.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/pandoc.profile | 5 |
6 files changed, 27 insertions, 6 deletions
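--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -496,6 +496,7 @@ blacklist ${HOME}/.frogatto
 blacklist ${HOME}/.frozen-bubble
 blacklist ${HOME}/.funnyboat
 blacklist ${HOME}/.gallery-dl.conf
+blacklist ${HOME}/.geekbench5
 blacklist ${HOME}/.gimp*
 blacklist ${HOME}/.gist
 blacklist ${HOME}/.gitconfig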
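--- a/etc/profile-a-l/cheese.profile
+++ b/etc/profile-a-l/cheese.profile
@@ -9,17 +9,24 @@ include globals.local
 noblacklist ${VIDEOS}
 noblacklist ${PICTURES}
 
+include allow-python3.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 whitelist ${VIDEOS}
 whitelist ${PICTURES}
+whitelist /run/udev/data
+whitelist /usr/libexec/gstreamer-1.0/gst-plugin-scanner
 whitelist /usr/share/gnome-video-effects
+whitelist /usr/share/gstreamer-1.0
 include whitelist-common.inc
+include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -30,21 +37,26 @@ machine-id
 net none
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
+nosound
 notv
 nou2f
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
 disable-mnt
 private-bin cheese
 private-cache
+private-dev
 private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0,ld.so.preload
 private-tmp
 
 dbus-user filter
+dbus-user.own org.gnome.Cheese
 dbus-user.talk ca.desrt.dconf
 dbus-system none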
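Review bot: `nosound` in the second hunk (new line 43) cuts the sound devices off a webcam application that, as far as I can tell, also records video clips with audio, so this "hardening" entry can silently turn recordings mute rather than harden anything; please confirm that recording still captures sound under this profile. If it does not, either drop the option or record the trade-off next to it, e.g. `# nosound: audio in recorded clips is deliberately unsupported`, so the next maintainer does not have to re-test it. The `private-dev`, `noinput` and `seccomp.block-secondary` additions look consistent with the existing `net none`/`protocol unix` block. Both hunks of cheese.profile are complete within this section.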
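--- a/etc/profile-a-l/geekbench.profile
+++ b/etc/profile-a-l/geekbench.profile
@@ -6,6 +6,10 @@ include geekbench.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.geekbench5
+noblacklist /sbin
+noblacklist /usr/sbin
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -13,6 +17,8 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.geekbench5
+whitelist ${HOME}/.geekbench5
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -39,16 +45,14 @@ shell none
 tracelog
 
 disable-mnt
-private-bin bash,geekbenc*,sh
+#private-bin bash,geekbench*,sh -- #4576
 private-cache
 private-dev
 private-etc alternatives,group,ld.so.preload,lsb-release,passwd
-private-lib gcc/*/*/libstdc++.so.*
-private-opt none
 private-tmp
 
 dbus-user none
 dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
 read-only ${HOME}
+read-write ${HOME}/.geekbench5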
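Review bot: The new `noblacklist /sbin` and `noblacklist /usr/sbin` lines in the first hunk re-expose the system administration binaries inside the sandbox, but unlike the commented `private-bin` line in the third hunk they carry no pointer to why; a comment line above them such as `# /sbin and /usr/sbin are needed by geekbench (#4576)` would keep the rationale next to the loosening (the issue number is taken from the commit message, confirm it is the right one). The removed `private-lib` and `private-opt` lines are likewise undocumented, so a later reader cannot tell whether re-adding them was tried and failed. The ordering of the new `read-write ${HOME}/.geekbench5` after `read-only ${HOME}` is correct.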
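--- a/etc/profile-a-l/inkscape.profile
+++ b/etc/profile-a-l/inkscape.profile
@@ -1,6 +1,7 @@
 # Firejail profile for inkscape
 # Description: Vector-based drawing program
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include inkscape.local
 # Persistent global definitions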
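--- a/etc/profile-m-z/musixmatch.profile
+++ b/etc/profile-m-z/musixmatch.profile
@@ -29,7 +29,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
 
 disable-mnt
 private-dev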
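Review bot: `seccomp !chroot` on new line 32 removes `chroot` from the default seccomp blocklist, widening the syscall surface the sandboxed process can reach, and the profile itself records no reason for the exception; add a comment line above it such as `# chroot is required by the application (#4518)` so the relaxation is not silently dropped or copied into other profiles later. The issue number comes from the commit message, so please confirm it is the right reference. Whether `noroot`/`nonewprivs` are set to bound what a chroot call can achieve here lies outside the hunk and is worth checking.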
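--- a/etc/profile-m-z/pandoc.profile
+++ b/etc/profile-m-z/pandoc.profile
@@ -11,6 +11,8 @@ blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
 
+include allow-bin-sh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -19,6 +21,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 # breaks pdf output
 #include whitelist-var-common.inc
 
@@ -39,12 +42,12 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
 
 disable-mnt
-private-bin context,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf
 private-cache
 private-dev
 private-etc alternatives,ld.so.preload,texlive,texmf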
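Review bot: Dropping `private-bin` outright in the third hunk exposes every binary on the host's bin directories to the sandbox, a much larger loosening than adding `sh` to the existing list would have been, and the profile keeps neither the former list nor the reason it was removed. Following the pattern geekbench.profile uses in this same commit, keep it commented with a pointer, e.g. `#private-bin context,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf -- <reason or issue number>`, so it can be re-tried later. Placing `include allow-bin-sh.inc` before `disable-shell.inc` in the first hunk is the right order for the noblacklist to win, assuming allow-bin-sh.inc holds the usual noblacklist lines (its contents are not on the page).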