various profile fixes (#1433)

* calibre: add netlink protocol (FB note: removed before merge) calibre started without netlink protocol throws following error in console: Exception in thread Thread-8: Traceback (most recent call last): File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner self.run() File "/usr/lib/calibre/calibre/utils/mdns.py", line 43, in run _all_ip_addresses = self.get_all_ips() File "/usr/lib/calibre/calibre/utils/mdns.py", line 27, in get_all_ips for x in netifaces.interfaces(): OSError: [Errno 95] Operation not supported * mpv: add nogroups, tracelog, ipc-namespace, private-dev I used testes all above options and didn't noticed any breakage. * qbittorrent: add netlink protocol, private-etc Netlink protocol is needed if user select to bind specific network interface in config. Otherwise it throws an error in qbittorent log: The network interface defined is invalid: tun0 Example private-etc is added but commented out by default. It's tested but as there are many different system configurations users should enable it manually. * vlc: disable memory-deny-write-execute With memory-deny-write-execute vlc freezes after loading video file. According to https://github.com/VladimirSchowalter20/firejail/commit/b18f42ab0236de7eed5888f43ba36cdaf990cbca memory-deny-write-execute is similar to PAX mprotect feature and linked github project explicitly disables that feature for vlc binary, see https://github.com/copperhead/paxd-archive/commit/deb39e0b91996e2e9c7917b3543030880cd476f4 * Update vlc.profile * wine: add nogroups Nogroups should be safe addition for wine * wireshark: allow users to run wireshark as non-root Wireshark can be run unprivileged when user is part of wireshark group. Unfortunately enabling nogroups,nonewprivs and seccomp will break it with permissions errors. Also added example private-etc option which is commented out by default for now. * cosmetic fix * mpv: comment out ipc-namespace for now As requested in review https://github.com/netblue30/firejail/pull/1433#discussion_r131550515 * calibre: disable netlink protocol It throws an error but actual breakage isn't observed for now.
author: Vladimir Schowalter <VladimirSchowalter20@users.noreply.github.com> 2017-08-06 22:42:24 +0100
committer: Fred Barclay <Fred-Barclay@users.noreply.github.com> 2017-08-06 16:42:24 -0500
commit: 20fbc19e57da1c409b139ffb1b211ceb5f8c6050 (patch)
tree: ed575e03159767a085c55e42ff54fc46b05bc9fb /etc
parent: Seccomp: split @default into more meaningful smaller groups (diff)
download: firejail-20fbc19e57da1c409b139ffb1b211ceb5f8c6050.tar.gz
firejail-20fbc19e57da1c409b139ffb1b211ceb5f8c6050.tar.zst
firejail-20fbc19e57da1c409b139ffb1b211ceb5f8c6050.zip
5 files changed, 12 insertions, 5 deletions
diff --git a/etc/mpv.profile b/etc/mpv.profile
index abf6f1668..0cda3e4e1 100644
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -16,11 +16,15 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+tracelog
 # to test
+# ipc-namespace
 shell none
 private-bin mpv,youtube-dl,python,python2.7,python3.6,env
+private-dev
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index 5dc0eb4c8..7ae8a22d4 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -34,11 +34,12 @@ nogroups
 nonewprivs
 noroot
 nosound
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 # there are some problems with "Open destination folder", see bug #536
 #shell none
 #private-bin qbittorrent
 private-dev
+# private-etc X11,fonts,xdg,resolv.conf
 private-tmp
diff --git a/etc/vlc.profile b/etc/vlc.profile
index 34f4aa5ff..6ae8b0d15 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -27,6 +27,6 @@ private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
 private-dev
 private-tmp
-memory-deny-write-execute
+# memory-deny-write-execute - breaks playing videos
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/wine.profile b/etc/wine.profile
index 8985071f3..5ee8bae38 100644
--- a/etc/wine.profile
+++ b/etc/wine.profile
@@ -18,6 +18,7 @@ include /etc/firejail/disable-devel.inc
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 seccomp
diff --git a/etc/wireshark.profile b/etc/wireshark.profile
index 98a4f3a9d..d5f3b8c4b 100644
--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -23,14 +23,15 @@ include /etc/firejail/disable-passwdmgr.inc
 #ipc-namespace
 netfilter
 no3d
-nogroups
+# nogroups - breaks unprivileged wireshark usage
-nonewprivs
+# nonewprivs - breaks unprivileged wireshark usage
 nosound
-seccomp
+# seccomp - breaks unprivileged wireshark usage
 shell none
 tracelog
 #private-bin wireshark
+# private-etc fonts,group,hosts,machine-id,passwd
 private-dev
 private-tmp
author	Vladimir Schowalter <VladimirSchowalter20@users.noreply.github.com>	2017-08-06 22:42:24 +0100
committer	Fred Barclay <Fred-Barclay@users.noreply.github.com>	2017-08-06 16:42:24 -0500
commit	20fbc19e57da1c409b139ffb1b211ceb5f8c6050 (patch)
tree	ed575e03159767a085c55e42ff54fc46b05bc9fb /etc
parent	Seccomp: split @default into more meaningful smaller groups (diff)
download	firejail-20fbc19e57da1c409b139ffb1b211ceb5f8c6050.tar.gz firejail-20fbc19e57da1c409b139ffb1b211ceb5f8c6050.tar.zst firejail-20fbc19e57da1c409b139ffb1b211ceb5f8c6050.zip

diff --git a/etc/mpv.profile b/etc/mpv.profile index abf6f1668..0cda3e4e1 100644 --- a/etc/mpv.profile +++ b/etc/mpv.profile
@@ -16,11 +16,15 @@ include /etc/firejail/disable-passwdmgr.inc
16		16
17	caps.drop all	17	caps.drop all
18	netfilter	18	netfilter
		19	nogroups
19	nonewprivs	20	nonewprivs
20	noroot	21	noroot
21	protocol unix,inet,inet6	22	protocol unix,inet,inet6
22	seccomp	23	seccomp
		24	tracelog
23		25
24	# to test	26	# to test
		27	# ipc-namespace
25	shell none	28	shell none
26	private-bin mpv,youtube-dl,python,python2.7,python3.6,env	29	private-bin mpv,youtube-dl,python,python2.7,python3.6,env
		30	private-dev


diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index 5dc0eb4c8..7ae8a22d4 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile
@@ -34,11 +34,12 @@ nogroups
34	nonewprivs	34	nonewprivs
35	noroot	35	noroot
36	nosound	36	nosound
37	protocol unix,inet,inet6	37	protocol unix,inet,inet6,netlink
38	seccomp	38	seccomp
39		39
40	# there are some problems with "Open destination folder", see bug #536	40	# there are some problems with "Open destination folder", see bug #536
41	#shell none	41	#shell none
42	#private-bin qbittorrent	42	#private-bin qbittorrent
43	private-dev	43	private-dev
		44	# private-etc X11,fonts,xdg,resolv.conf
44	private-tmp	45	private-tmp


diff --git a/etc/vlc.profile b/etc/vlc.profile index 34f4aa5ff..6ae8b0d15 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile
@@ -27,6 +27,6 @@ private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
27	private-dev	27	private-dev
28	private-tmp	28	private-tmp
29		29
30	memory-deny-write-execute	30	# memory-deny-write-execute - breaks playing videos
31	noexec ${HOME}	31	noexec ${HOME}
32	noexec /tmp	32	noexec /tmp


diff --git a/etc/wine.profile b/etc/wine.profile index 8985071f3..5ee8bae38 100644 --- a/etc/wine.profile +++ b/etc/wine.profile
@@ -18,6 +18,7 @@ include /etc/firejail/disable-devel.inc
18		18
19	caps.drop all	19	caps.drop all
20	netfilter	20	netfilter
		21	nogroups
21	nonewprivs	22	nonewprivs
22	noroot	23	noroot
23	seccomp	24	seccomp


diff --git a/etc/wireshark.profile b/etc/wireshark.profile index 98a4f3a9d..d5f3b8c4b 100644 --- a/etc/wireshark.profile +++ b/etc/wireshark.profile
@@ -23,14 +23,15 @@ include /etc/firejail/disable-passwdmgr.inc
23	#ipc-namespace	23	#ipc-namespace
24	netfilter	24	netfilter
25	no3d	25	no3d
26	nogroups	26	# nogroups - breaks unprivileged wireshark usage
27	nonewprivs	27	# nonewprivs - breaks unprivileged wireshark usage
28	nosound	28	nosound
29	seccomp	29	# seccomp - breaks unprivileged wireshark usage
30	shell none	30	shell none
31	tracelog	31	tracelog
32		32
33	#private-bin wireshark	33	#private-bin wireshark
		34	# private-etc fonts,group,hosts,machine-id,passwd
34	private-dev	35	private-dev
35	private-tmp	36	private-tmp
36		37