Merge branch 'master' of https://github.com/netblue30/firejail

author: Fred Barclay <Fred-Barclay@users.noreply.github.com> 2018-04-09 19:13:33 -0500
committer: Fred Barclay <Fred-Barclay@users.noreply.github.com> 2018-04-09 19:13:33 -0500
commit: de1a38978be7a7ba01b8d7b2d0efa3337b818731 (patch)
tree: 3727a6551d0c0f68fcd8b7eca6b6c46f250f8a3c /etc
parent: Spotify requires /etc/group when alsa is audio provider (diff)
parent: Merge pull request #1875 from glitsj16/sqlitebrowser (diff)
download: firejail-de1a38978be7a7ba01b8d7b2d0efa3337b818731.tar.gz
firejail-de1a38978be7a7ba01b8d7b2d0efa3337b818731.tar.zst
firejail-de1a38978be7a7ba01b8d7b2d0efa3337b818731.zip
12 files changed, 43 insertions, 6 deletions
diff --git a/etc/akonadi_control.profile b/etc/akonadi_control.profile
index 11474fdc3..0cbe306e8 100644
--- a/etc/akonadi_control.profile
+++ b/etc/akonadi_control.profile
@@ -34,8 +34,8 @@ include /etc/firejail/whitelist-var-common.inc
 # apparmor
 caps.drop all
 ipc-namespace
-no3d
 netfilter
+no3d
 nodvd
 nogroups
 # nonewprivs
diff --git a/etc/akregator.profile b/etc/akregator.profile
index 19da62916..1b8807757 100644
--- a/etc/akregator.profile
+++ b/etc/akregator.profile
@@ -20,7 +20,6 @@ whitelist ${HOME}/.config/akregatorrc
 whitelist ${HOME}/.local/share/akregator
 whitelist ${HOME}/.local/share/kssl
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc
 caps.drop all
@@ -33,7 +32,8 @@ noroot
 notv
 novideo
 protocol unix,inet,inet6,netlink
-seccomp
+# chroot syscalls are needed for setting up the built-in sandbox
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
 disable-mnt
diff --git a/etc/atool.profile b/etc/atool.profile
index e21d352b4..83b681437 100644
--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -38,5 +38,5 @@ tracelog
 # private-bin atool
 private-dev
-private-etc none
+private-etc passwd,group
 private-tmp
diff --git a/etc/basilisk.profile b/etc/basilisk.profile
index ac7f30c04..43ba5adcb 100644
--- a/etc/basilisk.profile
+++ b/etc/basilisk.profile
@@ -14,6 +14,10 @@ whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/moonchild productions/basilisk
 whitelist ${HOME}/.moonchild productions
+# Basilisk can use the full firejail seccomp filter (unlike firefox >= 60)
+ignore seccomp.drop
+seccomp
 #private-bin basilisk
 # private-etc must first be enabled in firefox-common.profile
 #private-etc basilisk
diff --git a/etc/bunzip2.profile b/etc/bunzip2.profile
new file mode 100644
index 000000000..f483a1d3d
--- /dev/null
+++ b/etc/bunzip2.profile
@@ -0,0 +1,9 @@
+# Firejail profile for bunzip2
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/bunzip2.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+# Redirect
+include /etc/firejail/gzip.profile
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index f7cc1ce94..b68dde0c4 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -205,6 +205,7 @@ blacklist ${HOME}/.config/smplayer
 blacklist ${HOME}/.config/smtube
 blacklist ${HOME}/.config/specialmailcollectionsrc
 blacklist ${HOME}/.config/spotify
+blacklist ${HOME}/.config/sqlitebrowser
 blacklist ${HOME}/.config/stellarium
 blacklist ${HOME}/.config/synfig
 blacklist ${HOME}/.config/telepathy-account-widgets
@@ -440,6 +441,8 @@ blacklist ${HOME}/.mcabber
 blacklist ${HOME}/.mcabberrc
 blacklist ${HOME}/.mediathek3
 blacklist ${HOME}/.minetest
+blacklist ${HOME}/.moonchild productions/basilisk
+blacklist ${HOME}/.moonchild productions/pale moon
 blacklist ${HOME}/.mozilla
 blacklist ${HOME}/.mpd
 blacklist ${HOME}/.mpdconf
@@ -555,6 +558,7 @@ blacklist ${HOME}/.cache/kwin
 blacklist ${HOME}/.cache/libgweather
 blacklist ${HOME}/.cache/liferea
 blacklist ${HOME}/.cache/midori
+blacklist ${HOME}/.cache/moonchild productions/basilisk
 blacklist ${HOME}/.cache/moonchild productions/pale moon
 blacklist ${HOME}/.cache/mozilla
 blacklist ${HOME}/.cache/mutt
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index 3fe83eda0..9ebcdba6c 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -33,7 +33,7 @@ nonewprivs
 noroot
 notv
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
 tracelog
diff --git a/etc/firejail-default b/etc/firejail-default
index 5d116fbbc..ad3fdd718 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -72,6 +72,7 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 ##########
 /proc/ r,
 /proc/** r,
+owner /proc/[0-9]*/{uid_map,gid_map,setgroups} w,
 # Uncomment to silence all denied write warnings
 #deny /proc/** w,
 deny /proc/@{PID}/oom_adj w,
diff --git a/etc/gunzip.profile b/etc/gunzip.profile
new file mode 100644
index 000000000..8ea523df7
--- /dev/null
+++ b/etc/gunzip.profile
@@ -0,0 +1,9 @@
+# Firejail profile for gunzip
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/gunzip.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+# Redirect
+include /etc/firejail/gzip.profile
diff --git a/etc/palemoon.profile b/etc/palemoon.profile
index ff7087e55..1104acff4 100644
--- a/etc/palemoon.profile
+++ b/etc/palemoon.profile
@@ -13,6 +13,10 @@ mkdir ${HOME}/.moonchild productions
 whitelist ${HOME}/.cache/moonchild productions/pale moon
 whitelist ${HOME}/.moonchild productions
+# Palemoon can use the full firejail seccomp filter (unlike firefox >= 60)
+ignore seccomp.drop
+seccomp
 #private-bin palemoon
 # private-etc must first be enabled in firefox-common.profile
 #private-etc palemoon
diff --git a/etc/soundconverter.profile b/etc/soundconverter.profile
index 944417083..3d231cf5b 100644
--- a/etc/soundconverter.profile
+++ b/etc/soundconverter.profile
@@ -5,6 +5,12 @@ include /etc/firejail/soundconverter.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc
diff --git a/etc/sqlitebrowser.profile b/etc/sqlitebrowser.profile
index 4c473a9ad..9711276c8 100644
--- a/etc/sqlitebrowser.profile
+++ b/etc/sqlitebrowser.profile
@@ -32,6 +32,6 @@ private-bin sqlitebrowser
 private-dev
 private-tmp
-memory-deny-write-execute
+# memory-deny-write-execute - breaks on Arch
 noexec ${HOME}
 noexec /tmp
author	Fred Barclay <Fred-Barclay@users.noreply.github.com>	2018-04-09 19:13:33 -0500
committer	Fred Barclay <Fred-Barclay@users.noreply.github.com>	2018-04-09 19:13:33 -0500
commit	de1a38978be7a7ba01b8d7b2d0efa3337b818731 (patch)
tree	3727a6551d0c0f68fcd8b7eca6b6c46f250f8a3c /etc
parent	Spotify requires /etc/group when alsa is audio provider (diff)
parent	Merge pull request #1875 from glitsj16/sqlitebrowser (diff)
download	firejail-de1a38978be7a7ba01b8d7b2d0efa3337b818731.tar.gz firejail-de1a38978be7a7ba01b8d7b2d0efa3337b818731.tar.zst firejail-de1a38978be7a7ba01b8d7b2d0efa3337b818731.zip