create blink-common.profile

author: pirate486743186 <> 2023-03-16 02:30:52 +0100
committer: pirate486743186 <> 2023-03-16 15:00:37 +0100
commit: 47e3c82ab58b0d0c02066666aea3f7a04078c86b (patch)
tree: 10d06366bb00a50209ea0c24366e599061cff53a /etc
parent: firejail.txt: remove extraneous endif (diff)
download: firejail-47e3c82ab58b0d0c02066666aea3f7a04078c86b.tar.gz
firejail-47e3c82ab58b0d0c02066666aea3f7a04078c86b.tar.zst
firejail-47e3c82ab58b0d0c02066666aea3f7a04078c86b.zip
5 files changed, 65 insertions, 53 deletions
diff --git a/etc/profile-a-l/blink-common-hardened.inc.profile b/etc/profile-a-l/blink-common-hardened.inc.profile
new file mode 100644
index 000000000..c092a9746
--- /dev/null
+++ b/etc/profile-a-l/blink-common-hardened.inc.profile
@@ -0,0 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include blink-common-hardened.inc.local
+caps.drop all
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+#restrict-namespaces
diff --git a/etc/profile-a-l/blink-common.profile b/etc/profile-a-l/blink-common.profile
new file mode 100644
index 000000000..ff17dc479
--- /dev/null
+++ b/etc/profile-a-l/blink-common.profile
@@ -0,0 +1,40 @@
+# Firejail profile for blink-common
+# Description: Common profile for Blink-based applications
+# This file is overwritten after every install/update
+# Persistent local customizations
+include blink-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+#include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+# If your kernel allows the creation of user namespaces by unprivileged users
+# (for example, if running `unshare -U echo enabled` prints "enabled"), you
+# can add the next line to your blink-common.local.
+#include blink-common-hardened.inc.profile
+apparmor
+caps.keep sys_admin,sys_chroot
+netfilter
+nodvd
+nogroups
+noinput
+notv
+disable-mnt
+private-cache
+dbus-system none
diff --git a/etc/profile-a-l/chromium-common-hardened.inc.profile b/etc/profile-a-l/chromium-common-hardened.inc.profile
index c3944bd65..0e0416de1 100644
--- a/etc/profile-a-l/chromium-common-hardened.inc.profile
+++ b/etc/profile-a-l/chromium-common-hardened.inc.profile
@@ -1,11 +1,10 @@
-# This file is overwritten during software install.
+# Firejail profile alias for blink-common-hardened.inc
-# Persistent customizations should go in a .local file.
+# This file is overwritten after every install/update
+# Persistent local customizations
 include chromium-common-hardened.inc.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
-caps.drop all
+# Redirect
-nonewprivs
+include blink-common-hardened.inc.profile
-noroot
-protocol unix,inet,inet6,netlink
-seccomp !chroot
-#restrict-namespaces
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index f1f2f5f68..878e0fe1d 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -17,42 +17,21 @@ noblacklist /usr/lib/chromium/chrome-sandbox
 # to have access to Gnome extensions (extensions.gnome.org) via browser connector
 #include allow-python3.inc
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-xdg.inc
 mkdir ${HOME}/.local/share/pki
 mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.local/share/pki
 whitelist ${HOME}/.pki
 whitelist /usr/share/mozilla/extensions
 whitelist /usr/share/webext
-include whitelist-common.inc
 include whitelist-run-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
 # If your kernel allows the creation of user namespaces by unprivileged users
 # (for example, if running `unshare -U echo enabled` prints "enabled"), you
 # can add the next line to your chromium-common.local.
 #include chromium-common-hardened.inc.profile
-apparmor
-caps.keep sys_admin,sys_chroot
-netfilter
-nodvd
-nogroups
-noinput
-notv
 ?BROWSER_DISABLE_U2F: nou2f
-disable-mnt
-private-cache
 ?BROWSER_DISABLE_U2F: private-dev
 #private-tmp - issues when using multiple browser sessions
@@ -61,7 +40,9 @@ blacklist ${PATH}/wget
 blacklist ${PATH}/wget2
 #dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector.
-dbus-system none
 # The file dialog needs to work without d-bus.
 ?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1
+# Redirect
+include blink-common.profile
diff --git a/etc/profile-a-l/electron-common.profile b/etc/profile-a-l/electron-common.profile
index 73b6d1067..bb48d6332 100644
--- a/etc/profile-a-l/electron-common.profile
+++ b/etc/profile-a-l/electron-common.profile
@@ -7,40 +7,21 @@ include electron-common.local
 noblacklist ${HOME}/.config/Electron
 noblacklist ${HOME}/.config/electron*-flag*.conf
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-xdg.inc
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/Electron
 whitelist ${HOME}/.config/electron*-flag*.conf
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
 # If your kernel allows the creation of user namespaces by unprivileged users
 # (for example, if running `unshare -U echo enabled` prints "enabled"), you
 # can add the next line to your electron-common.local.
 #include electron-common-hardened.inc.profile
-apparmor
-caps.keep sys_admin,sys_chroot
-netfilter
-nodvd
-nogroups
-noinput
-notv
 nou2f
 novideo
-disable-mnt
-private-cache
 private-dev
 private-tmp
 dbus-user none
-dbus-system none
+# Redirect
+include blink-common.profile
author	pirate486743186 <>	2023-03-16 02:30:52 +0100
committer	pirate486743186 <>	2023-03-16 15:00:37 +0100
commit	47e3c82ab58b0d0c02066666aea3f7a04078c86b (patch)
tree	10d06366bb00a50209ea0c24366e599061cff53a /etc
parent	firejail.txt: remove extraneous endif (diff)
download	firejail-47e3c82ab58b0d0c02066666aea3f7a04078c86b.tar.gz firejail-47e3c82ab58b0d0c02066666aea3f7a04078c86b.tar.zst firejail-47e3c82ab58b0d0c02066666aea3f7a04078c86b.zip

diff --git a/etc/profile-a-l/blink-common-hardened.inc.profile b/etc/profile-a-l/blink-common-hardened.inc.profile new file mode 100644 index 000000000..c092a9746 --- /dev/null +++ b/etc/profile-a-l/blink-common-hardened.inc.profile
@@ -0,0 +1,11 @@
		1	# This file is overwritten during software install.
		2	# Persistent customizations should go in a .local file.
		3	include blink-common-hardened.inc.local
		4
		5	caps.drop all
		6	nonewprivs
		7	noroot
		8	protocol unix,inet,inet6,netlink
		9	seccomp !chroot
		10
		11	#restrict-namespaces


diff --git a/etc/profile-a-l/blink-common.profile b/etc/profile-a-l/blink-common.profile new file mode 100644 index 000000000..ff17dc479 --- /dev/null +++ b/etc/profile-a-l/blink-common.profile
@@ -0,0 +1,40 @@
		1	# Firejail profile for blink-common
		2	# Description: Common profile for Blink-based applications
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include blink-common.local
		6	# Persistent global definitions
		7	# added by caller profile
		8	#include globals.local
		9
		10	include disable-common.inc
		11	include disable-devel.inc
		12	include disable-exec.inc
		13	include disable-interpreters.inc
		14	include disable-programs.inc
		15	include disable-xdg.inc
		16
		17	whitelist ${DOWNLOADS}
		18	include whitelist-common.inc
		19	#include whitelist-run-common.inc
		20	include whitelist-runuser-common.inc
		21	include whitelist-usr-share-common.inc
		22	include whitelist-var-common.inc
		23
		24	# If your kernel allows the creation of user namespaces by unprivileged users
		25	# (for example, if running `unshare -U echo enabled` prints "enabled"), you
		26	# can add the next line to your blink-common.local.
		27	#include blink-common-hardened.inc.profile
		28
		29	apparmor
		30	caps.keep sys_admin,sys_chroot
		31	netfilter
		32	nodvd
		33	nogroups
		34	noinput
		35	notv
		36
		37	disable-mnt
		38	private-cache
		39
		40	dbus-system none


diff --git a/etc/profile-a-l/chromium-common-hardened.inc.profile b/etc/profile-a-l/chromium-common-hardened.inc.profile index c3944bd65..0e0416de1 100644 --- a/etc/profile-a-l/chromium-common-hardened.inc.profile +++ b/etc/profile-a-l/chromium-common-hardened.inc.profile
@@ -1,11 +1,10 @@
1	# This file is overwritten during software install.	1	# Firejail profile alias for blink-common-hardened.inc
2	# Persistent customizations should go in a .local file.	2	# This file is overwritten after every install/update
		3	# Persistent local customizations
3	include chromium-common-hardened.inc.local	4	include chromium-common-hardened.inc.local
		5	# Persistent global definitions
		6	# added by caller profile
		7	#include globals.local
4		8
5	caps.drop all	9	# Redirect
6	nonewprivs	10	include blink-common-hardened.inc.profile
7	noroot
8	protocol unix,inet,inet6,netlink
9	seccomp !chroot
10
11	#restrict-namespaces


diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile index f1f2f5f68..878e0fe1d 100644 --- a/etc/profile-a-l/chromium-common.profile +++ b/etc/profile-a-l/chromium-common.profile
@@ -17,42 +17,21 @@ noblacklist /usr/lib/chromium/chrome-sandbox
17	# to have access to Gnome extensions (extensions.gnome.org) via browser connector	17	# to have access to Gnome extensions (extensions.gnome.org) via browser connector
18	#include allow-python3.inc	18	#include allow-python3.inc
19		19
20	include disable-common.inc
21	include disable-devel.inc
22	include disable-exec.inc
23	include disable-interpreters.inc
24	include disable-programs.inc
25	include disable-xdg.inc
26
27	mkdir ${HOME}/.local/share/pki	20	mkdir ${HOME}/.local/share/pki
28	mkdir ${HOME}/.pki	21	mkdir ${HOME}/.pki
29	whitelist ${DOWNLOADS}
30	whitelist ${HOME}/.local/share/pki	22	whitelist ${HOME}/.local/share/pki
31	whitelist ${HOME}/.pki	23	whitelist ${HOME}/.pki
32	whitelist /usr/share/mozilla/extensions	24	whitelist /usr/share/mozilla/extensions
33	whitelist /usr/share/webext	25	whitelist /usr/share/webext
34	include whitelist-common.inc
35	include whitelist-run-common.inc	26	include whitelist-run-common.inc
36	include whitelist-runuser-common.inc
37	include whitelist-usr-share-common.inc
38	include whitelist-var-common.inc
39		27
40	# If your kernel allows the creation of user namespaces by unprivileged users	28	# If your kernel allows the creation of user namespaces by unprivileged users
41	# (for example, if running `unshare -U echo enabled` prints "enabled"), you	29	# (for example, if running `unshare -U echo enabled` prints "enabled"), you
42	# can add the next line to your chromium-common.local.	30	# can add the next line to your chromium-common.local.
43	#include chromium-common-hardened.inc.profile	31	#include chromium-common-hardened.inc.profile
44		32
45	apparmor
46	caps.keep sys_admin,sys_chroot
47	netfilter
48	nodvd
49	nogroups
50	noinput
51	notv
52	?BROWSER_DISABLE_U2F: nou2f	33	?BROWSER_DISABLE_U2F: nou2f
53		34
54	disable-mnt
55	private-cache
56	?BROWSER_DISABLE_U2F: private-dev	35	?BROWSER_DISABLE_U2F: private-dev
57	#private-tmp - issues when using multiple browser sessions	36	#private-tmp - issues when using multiple browser sessions
58		37
@@ -61,7 +40,9 @@ blacklist ${PATH}/wget
61	blacklist ${PATH}/wget2	40	blacklist ${PATH}/wget2
62		41
63	#dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector.	42	#dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector.
64	dbus-system none
65		43
66	# The file dialog needs to work without d-bus.	44	# The file dialog needs to work without d-bus.
67	?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1	45	?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1
		46
		47	# Redirect
		48	include blink-common.profile


diff --git a/etc/profile-a-l/electron-common.profile b/etc/profile-a-l/electron-common.profile index 73b6d1067..bb48d6332 100644 --- a/etc/profile-a-l/electron-common.profile +++ b/etc/profile-a-l/electron-common.profile
@@ -7,40 +7,21 @@ include electron-common.local
7	noblacklist ${HOME}/.config/Electron	7	noblacklist ${HOME}/.config/Electron
8	noblacklist ${HOME}/.config/electron-flag.conf	8	noblacklist ${HOME}/.config/electron-flag.conf
9		9
10	include disable-common.inc
11	include disable-devel.inc
12	include disable-exec.inc
13	include disable-interpreters.inc
14	include disable-programs.inc
15	include disable-xdg.inc
16
17	whitelist ${DOWNLOADS}
18	whitelist ${HOME}/.config/Electron	10	whitelist ${HOME}/.config/Electron
19	whitelist ${HOME}/.config/electron-flag.conf	11	whitelist ${HOME}/.config/electron-flag.conf
20	include whitelist-common.inc
21	include whitelist-runuser-common.inc
22	include whitelist-usr-share-common.inc
23	include whitelist-var-common.inc
24		12
25	# If your kernel allows the creation of user namespaces by unprivileged users	13	# If your kernel allows the creation of user namespaces by unprivileged users
26	# (for example, if running `unshare -U echo enabled` prints "enabled"), you	14	# (for example, if running `unshare -U echo enabled` prints "enabled"), you
27	# can add the next line to your electron-common.local.	15	# can add the next line to your electron-common.local.
28	#include electron-common-hardened.inc.profile	16	#include electron-common-hardened.inc.profile
29		17
30	apparmor
31	caps.keep sys_admin,sys_chroot
32	netfilter
33	nodvd
34	nogroups
35	noinput
36	notv
37	nou2f	18	nou2f
38	novideo	19	novideo
39		20
40	disable-mnt
41	private-cache
42	private-dev	21	private-dev
43	private-tmp	22	private-tmp
44		23
45	dbus-user none	24	dbus-user none
46	dbus-system none	25
		26	# Redirect
		27	include blink-common.profile