author | netblue30 <netblue30@protonmail.com> | 2021-05-29 12:37:33 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-05-29 12:37:33 -0500 |
commit | 567001a826653195881f4a4cb1c46b6f13da4466 (patch) | |
tree | c9a81ac26307b79553985212361ea4d3ab5fd6f8 /etc | |
parent | Merge pull request #4316 from kmk3/configure-improvements (diff) | |
parent | Restrict /usr/libexec (diff) | |
Merge pull request #4287 from rusty-snake/restrict-usr-libexec
Restrict /usr/libexec
Diffstat (limited to 'etc')
24 files changed, 40 insertions, 0 deletions
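--- a/etc/profile-a-l/0ad.profile
+++ b/etc/profile-a-l/0ad.profile
@@ -10,6 +10,8 @@ noblacklist ${HOME}/.cache/0ad
 noblacklist ${HOME}/.config/0ad
 noblacklist ${HOME}/.local/share/0ad
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc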
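Review bot: The added `blacklist /usr/libexec` carries no comment explaining why the directory is hidden, while the neighbouring permission decisions in these profiles are each justified in-line (`# Allow gjs (blacklisted by disable-interpreters.inc)` in gnome-maps, `# Allow ssh …` in meld); a one-line `# Hide helper binaries; this program does not need anything from /usr/libexec` above the rule would make the intent reviewable per profile. The same uncommented rule is added in celluloid, chromium-browser-privacy, eo-common, etr, evince, firefox, gapplication, gnome-maps, gnome-passwordsafe, keepassxc, libreoffice, meld, mpv, mrrescue, pingus and supertuxkart. Because a blacklist hides the path rather than denying it loudly, a program that does spawn a helper from there would fail without an obvious error; evince in particular ships a daemon under libexec on some distributions, so that profile is worth a quick runtime check before merging. If the rule is expected to be correct for most blacklist-style profiles, a shared include would avoid repeating it seventeen times and make the policy easier to audit.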
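--- a/etc/profile-a-l/apostrophe.profile
+++ b/etc/profile-a-l/apostrophe.profile
@@ -31,6 +31,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+whitelist /usr/libexec/webkit2gtk-4.0
 whitelist /usr/share/apostrophe
 whitelist /usr/share/texlive
 whitelist /usr/share/texmf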
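Review bot: `whitelist /usr/libexec/webkit2gtk-4.0` hard-codes one distribution layout: Debian-based systems install WebKitGTK's helper processes under a multiarch `/usr/lib/<triplet>/webkit2gtk-4.0` path rather than `/usr/libexec`, and the libsoup3 build of the library lives in a `webkit2gtk-4.1` directory, so on those systems this rule matches nothing. I am inferring from the PR title that the accompanying source change makes `/usr/libexec` a whitelist root (the `src` diff is outside this `etc`-limited diffstat); if so, the web view's helper processes would be missing on such layouts and the application would break rather than degrade. The same assumption is made in bijiben, gfeeds, marker and yelp, and the app-specific rules in file-roller (`/usr/libexec/file-roller`) and frogatto (`/usr/libexec/frogatto`) share it. Adding `whitelist /usr/libexec/webkit2gtk-4.1` alongside the 4.0 rule, or a short comment such as `# WebKitGTK helper processes (libexecdir layout; not matched on multiarch distributions)`, would document the limitation for maintainers.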
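--- a/etc/profile-a-l/bijiben.profile
+++ b/etc/profile-a-l/bijiben.profile
@@ -20,6 +20,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.local/share/bijiben
 whitelist ${HOME}/.local/share/bijiben
 whitelist ${HOME}/.cache/tracker
+whitelist /usr/libexec/webkit2gtk-4.0
 whitelist /usr/share/bijiben
 whitelist /usr/share/tracker
 whitelist /usr/share/tracker3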
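--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -17,6 +17,8 @@ include allow-lua.inc
 include allow-python2.inc
 include allow-python3.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc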
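--- a/etc/profile-a-l/chromium-browser-privacy.profile
+++ b/etc/profile-a-l/chromium-browser-privacy.profile
@@ -6,6 +6,8 @@ include chromium-browser-privacy.local
 noblacklist ${HOME}/.cache/ungoogled-chromium
 noblacklist ${HOME}/.config/ungoogled-chromium
 
+blacklist /usr/libexec
+
 mkdir ${HOME}/.cache/ungoogled-chromium
 mkdir ${HOME}/.config/ungoogled-chromium
 whitelist ${HOME}/.cache/ungoogled-chromium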
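--- a/etc/profile-a-l/eo-common.profile
+++ b/etc/profile-a-l/eo-common.profile
@@ -11,6 +11,8 @@ noblacklist ${HOME}/.local/share/Trash
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.steam
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc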
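--- a/etc/profile-a-l/etr.profile
+++ b/etc/profile-a-l/etr.profile
@@ -8,6 +8,8 @@ include globals.local
 
 noblacklist ${HOME}/.etr
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc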
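--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -13,6 +13,8 @@ include globals.local
 noblacklist ${HOME}/.config/evince
 noblacklist ${DOCUMENTS}
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc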
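--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -13,6 +13,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+whitelist /usr/libexec/file-roller
 whitelist /usr/share/file-roller
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc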
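--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -17,6 +17,8 @@ include globals.local
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
 
+blacklist /usr/libexec
+
 mkdir ${HOME}/.cache/mozilla/firefox
 mkdir ${HOME}/.mozilla
 whitelist ${HOME}/.cache/mozilla/firefox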
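--- a/etc/profile-a-l/frogatto.profile
+++ b/etc/profile-a-l/frogatto.profile
@@ -18,6 +18,7 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.frogatto
 whitelist ${HOME}/.frogatto
+whitelist /usr/libexec/frogatto
 whitelist /usr/share/frogatto
 include whitelist-common.inc
 include whitelist-runuser-common.inc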
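--- a/etc/profile-a-l/gapplication.profile
+++ b/etc/profile-a-l/gapplication.profile
@@ -7,6 +7,7 @@ include gapplication.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist /usr/libexec
 
 include disable-common.inc
 include disable-devel.inc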
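--- a/etc/profile-a-l/gfeeds.profile
+++ b/etc/profile-a-l/gfeeds.profile
@@ -31,6 +31,7 @@ whitelist ${HOME}/.cache/gfeeds
 whitelist ${HOME}/.cache/org.gabmus.gfeeds
 whitelist ${HOME}/.config/org.gabmus.gfeeds.json
 whitelist ${HOME}/.config/org.gabmus.gfeeds.saved_articles
+whitelist /usr/libexec/webkit2gtk-4.0
 whitelist /usr/share/gfeeds
 include whitelist-common.inc
 include whitelist-runuser-common.inc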
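--- a/etc/profile-a-l/gnome-maps.profile
+++ b/etc/profile-a-l/gnome-maps.profile
@@ -18,6 +18,8 @@ noblacklist ${HOME}/.local/share/maps-places.json
 # Allow gjs (blacklisted by disable-interpreters.inc)
 include allow-gjs.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc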
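--- a/etc/profile-a-l/gnome-passwordsafe.profile
+++ b/etc/profile-a-l/gnome-passwordsafe.profile
@@ -13,6 +13,8 @@ noblacklist ${HOME}/*.kdbx
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc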
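--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -22,6 +22,8 @@ noblacklist ${HOME}/.config/vivaldi
 noblacklist ${HOME}/.local/share/torbrowser
 noblacklist ${HOME}/.mozilla
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc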
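--- a/etc/profile-a-l/libreoffice.profile
+++ b/etc/profile-a-l/libreoffice.profile
@@ -14,6 +14,8 @@ noblacklist ${HOME}/.config/libreoffice
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc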
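--- a/etc/profile-m-z/marker.profile
+++ b/etc/profile-m-z/marker.profile
@@ -25,6 +25,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+whitelist /usr/libexec/webkit2gtk-4.0
 whitelist /usr/share/com.github.fabiocolacio.marker
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc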
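--- a/etc/profile-m-z/meld.profile
+++ b/etc/profile-m-z/meld.profile
@@ -29,6 +29,8 @@ include allow-python3.inc
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
 
+blacklist /usr/libexec
+
 # Add the next line to your meld.local if you don't need to compare files in disable-common.inc.
 #include disable-common.inc
 include disable-devel.inc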
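--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -35,6 +35,8 @@ include allow-lua.inc
 include allow-python2.inc
 include allow-python3.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc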
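--- a/etc/profile-m-z/mrrescue.profile
+++ b/etc/profile-m-z/mrrescue.profile
@@ -14,6 +14,8 @@ include allow-bin-sh.inc
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc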
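--- a/etc/profile-m-z/pingus.profile
+++ b/etc/profile-m-z/pingus.profile
@@ -11,6 +11,8 @@ noblacklist ${HOME}/.pingus
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc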
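--- a/etc/profile-m-z/supertuxkart.profile
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -10,6 +10,8 @@ noblacklist ${HOME}/.config/supertuxkart
 noblacklist ${HOME}/.cache/supertuxkart
 noblacklist ${HOME}/.local/share/supertuxkart
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc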
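--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.config/yelp
 whitelist ${HOME}/.config/yelp
+whitelist /usr/libexec/webkit2gtk-4.0
 whitelist /usr/share/doc
 whitelist /usr/share/groff
 whitelist /usr/share/help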