Merge remote-tracking branch 'upstream/master'

author: valoq <valoq@mailbox.org> 2016-11-06 20:44:32 +0100
committer: valoq <valoq@mailbox.org> 2016-11-06 20:44:32 +0100
commit: cf2c9e6436f16c727d09b433c1ac821849d3daa1 (patch)
tree: 8a57806636d3671eabfe2fd4a577c40691725c97 /etc
parent: adopted wire profile to recent changes (diff)
parent: seccomp rework (diff)
download: firejail-cf2c9e6436f16c727d09b433c1ac821849d3daa1.tar.gz
firejail-cf2c9e6436f16c727d09b433c1ac821849d3daa1.tar.zst
firejail-cf2c9e6436f16c727d09b433c1ac821849d3daa1.zip
4 files changed, 27 insertions, 5 deletions
diff --git a/etc/evince.profile b/etc/evince.profile
index 9a9113c70..cbb2083f4 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -6,7 +6,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
-net none
+#net none - creates some problems on some distributions
 nogroups
 nonewprivs
 noroot
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 7875ca6b9..7862bd010 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -47,8 +47,7 @@ whitelist ~/.config/pipelight-silverlight5.1
 include /etc/firejail/whitelist-common.inc
 # experimental features
+#private-bin firefox,which,sh,dbus-launch,dbus-send,env
-private-bin firefox,which,sh,dbus-launch,dbus-send,env
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
-private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
 private-dev
 private-tmp
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index 65e6a8978..e022866e8 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -16,7 +16,7 @@ net none
 shell none
 tracelog
-seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
+#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
 private-bin mupdf
 private-tmp
diff --git a/etc/zoom.profile b/etc/zoom.profile
new file mode 100644
index 000000000..f5831dd88
--- /dev/null
+++ b/etc/zoom.profile
@@ -0,0 +1,23 @@
+# Firejail profile for zoom.us
+noblacklist ~/.config/zoomus.conf
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+# Whitelists
+mkdir ~/.zoom
+whitelist ~/.zoom
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+private-tmp
author	valoq <valoq@mailbox.org>	2016-11-06 20:44:32 +0100
committer	valoq <valoq@mailbox.org>	2016-11-06 20:44:32 +0100
commit	cf2c9e6436f16c727d09b433c1ac821849d3daa1 (patch)
tree	8a57806636d3671eabfe2fd4a577c40691725c97 /etc
parent	adopted wire profile to recent changes (diff)
parent	seccomp rework (diff)
download	firejail-cf2c9e6436f16c727d09b433c1ac821849d3daa1.tar.gz firejail-cf2c9e6436f16c727d09b433c1ac821849d3daa1.tar.zst firejail-cf2c9e6436f16c727d09b433c1ac821849d3daa1.zip

diff --git a/etc/evince.profile b/etc/evince.profile index 9a9113c70..cbb2083f4 100644 --- a/etc/evince.profile +++ b/etc/evince.profile
@@ -6,7 +6,7 @@ include /etc/firejail/disable-passwdmgr.inc
6		6
7	caps.drop all	7	caps.drop all
8	netfilter	8	netfilter
9	net none	9	#net none - creates some problems on some distributions
10	nogroups	10	nogroups
11	nonewprivs	11	nonewprivs
12	noroot	12	noroot


diff --git a/etc/firefox.profile b/etc/firefox.profile index 7875ca6b9..7862bd010 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile
@@ -47,8 +47,7 @@ whitelist ~/.config/pipelight-silverlight5.1
47	include /etc/firejail/whitelist-common.inc	47	include /etc/firejail/whitelist-common.inc
48		48
49	# experimental features	49	# experimental features
50		50	#private-bin firefox,which,sh,dbus-launch,dbus-send,env
51	private-bin firefox,which,sh,dbus-launch,dbus-send,env	51	#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
52	private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
53	private-dev	52	private-dev
54	private-tmp	53	private-tmp


diff --git a/etc/mupdf.profile b/etc/mupdf.profile index 65e6a8978..e022866e8 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile
@@ -16,7 +16,7 @@ net none
16	shell none	16	shell none
17	tracelog	17	tracelog
18		18
19	seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev	19	#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
20		20
21	private-bin mupdf	21	private-bin mupdf
22	private-tmp	22	private-tmp


diff --git a/etc/zoom.profile b/etc/zoom.profile new file mode 100644 index 000000000..f5831dd88 --- /dev/null +++ b/etc/zoom.profile
@@ -0,0 +1,23 @@
		1	# Firejail profile for zoom.us
		2
		3	noblacklist ~/.config/zoomus.conf
		4
		5	include /etc/firejail/disable-common.inc
		6	include /etc/firejail/disable-programs.inc
		7	include /etc/firejail/disable-devel.inc
		8
		9
		10	# Whitelists
		11
		12	mkdir ~/.zoom
		13	whitelist ~/.zoom
		14
		15
		16	caps.drop all
		17	netfilter
		18	nonewprivs
		19	noroot
		20	protocol unix,inet,inet6
		21	seccomp
		22
		23	private-tmp