authorLibravatar smitsohu <smitsohu@gmail.com>2017-10-31 02:24:39 +0100
committerLibravatar smitsohu <smitsohu@gmail.com>2017-10-31 02:24:39 +0100
commit871dfe351fd8cf19c8c7f330187c994b911ec995 (patch)
treefc7839dff34b0b14e92a0cd87d45f56f744d45cd /etc
parentfix --ignore=quiet (diff)
harden kde
and whitelist kioslaverc because we don't know if kdeinit will run outside or inside the sandbox.
Diffstat (limited to 'etc')
-rw-r--r--etc/ark.profile3
-rw-r--r--etc/disable-common.inc19
-rw-r--r--etc/gwenview.profile5
-rw-r--r--etc/kate.profile3
-rw-r--r--etc/kwrite.profile3
-rw-r--r--etc/okular.profile7
-rw-r--r--etc/whitelist-common.inc3
7 files changed, 35 insertions, 8 deletions
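--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -5,6 +5,8 @@ include /etc/firejail/ark.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# blacklist /run/user/*/bus
+
 noblacklist ~/.config/arkrc
 
 include /etc/firejail/disable-common.inc
@@ -15,6 +17,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
+# net none
 netfilter
 nodvd
 nogroups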
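Review bot: The two added lines `# blacklist /run/user/*/bus` and `# net none` are commented out with no reason given, so a later reader cannot tell whether they were tried and broke ark or are simply untested candidates; as written neither the session-bus block nor the network cut-off is applied, so the "harden" in the title does not yet cover them here. The same pair is added in the same way in gwenview.profile, kate.profile, kwrite.profile and okular.profile. A short trailing remark on each would settle it, e.g. `# net none - disabled: not yet tested with ark` or, if they were tried, what broke. If the intent is to leave them as a TODO for the profile maintainer, saying so in the line is enough.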
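--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -47,6 +47,8 @@ blacklist /etc/xdg/autostart
 blacklist ${HOME}/.config/*.notifyrc
 blacklist ${HOME}/.config/khotkeysrc
 blacklist ${HOME}/.config/krunnerrc
+blacklist ${HOME}/.config/kwinrc
+blacklist ${HOME}/.config/kwinrulesrc
 blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
 blacklist ${HOME}/.kde/share/apps/konsole
 blacklist ${HOME}/.kde/share/apps/kwin
@@ -55,25 +57,32 @@ blacklist ${HOME}/.kde/share/apps/solid
 blacklist ${HOME}/.kde/share/config/*.notifyrc
 blacklist ${HOME}/.kde/share/config/khotkeysrc
 blacklist ${HOME}/.kde/share/config/krunnerrc
+blacklist ${HOME}/.kde/share/config/kwinrc
+blacklist ${HOME}/.kde/share/config/kwinrulesrc
 blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc
-blacklist ${HOME}/.kde4/share/apps/plasma
 blacklist ${HOME}/.kde4/share/apps/konsole
 blacklist ${HOME}/.kde4/share/apps/kwin
-blacklist ${HOME}/.kde4/share/config/krunnerrc
-blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
-blacklist ${HOME}/.kde4/share/config/khotkeysrc
+blacklist ${HOME}/.kde4/share/apps/plasma
 blacklist ${HOME}/.kde4/share/apps/solid
 blacklist ${HOME}/.kde4/share/config/*.notifyrc
+blacklist ${HOME}/.kde4/share/config/khotkeysrc
+blacklist ${HOME}/.kde4/share/config/krunnerrc
+blacklist ${HOME}/.kde4/share/config/kwinrc
+blacklist ${HOME}/.kde4/share/config/kwinrulesrc
+blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
 blacklist ${HOME}/.local/share/kglobalaccel
 blacklist ${HOME}/.local/share/konsole
 blacklist ${HOME}/.local/share/kwin
 blacklist ${HOME}/.local/share/plasma
 blacklist ${HOME}/.local/share/solid
 read-only ${HOME}/.config/kdeglobals
+read-only ${HOME}/.config/kioslaverc
 read-only ${HOME}/.kde/share/config/kdeglobals
+read-only ${HOME}/.kde/share/config/kioslaverc
 read-only ${HOME}/.kde/share/kde4/services
-read-only ${HOME}/.kde4/share/kde4/services
 read-only ${HOME}/.kde4/share/config/kdeglobals
+read-only ${HOME}/.kde4/share/config/kioslaverc
+read-only ${HOME}/.kde4/share/kde4/services
 read-only ${HOME}/.local/share/kservices5
 
 # kdeinit socket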
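Review bot: The three new `read-only` entries for kioslaverc (new lines 79, 81 and 84 of the second hunk) carry no comment, and the commit message only explains the matching whitelist, not why the file is made read-only rather than blacklisted. Presumably the point is that a sandboxed app may still read the shared KIO configuration but must not be able to rewrite settings that every KDE application outside the sandbox then picks up; a one-line comment above the first entry would preserve that, e.g. `# kioslaverc: readable (kdeinit may start inside the sandbox) but never writable from here`. The same hunk also re-sorts the existing .kde4 entries and moves `read-only ${HOME}/.kde4/share/kde4/services`; that is a no-op, but mixing it into a hardening change makes the diff harder to audit, so a separate cleanup commit would be preferable next time.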
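--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -5,6 +5,8 @@ include /etc/firejail/gwenview.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# blacklist /run/user/*/bus
+
 noblacklist ~/.config/gwenviewrc
 noblacklist ~/.config/org.kde.gwenviewrc
 noblacklist ~/.gimp*
@@ -23,6 +25,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
+# net none
 nodvd
 nogroups
 nonewprivs
@@ -34,7 +37,7 @@ seccomp
 shell none
 tracelog
 
-private-bin gwenview,kbuildsycoca4,gimp*
+private-bin gwenview,gimp*,kbuildsycoca4
 private-dev
 # private-etc X11
 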
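--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -5,6 +5,8 @@ include /etc/firejail/kate.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# blacklist /run/user/*/bus
+
 noblacklist ~/.config/katepartrc
 noblacklist ~/.config/katerc
 noblacklist ~/.config/kateschemarc
@@ -20,6 +22,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
+# net none
 netfilter
 nodvd
 nogroups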
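--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -5,6 +5,8 @@ include /etc/firejail/kwrite.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# blacklist /run/user/*/bus
+
 noblacklist ~/.config/katepartrc
 noblacklist ~/.config/katerc
 noblacklist ~/.config/kateschemarc
@@ -20,6 +22,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
+# net none
 netfilter
 nodvd
 nogroups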
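--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -5,6 +5,8 @@ include /etc/firejail/okular.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# blacklist /run/user/*/bus
+
 noblacklist ~/.config/okularpartrc
 noblacklist ~/.config/okularrc
 noblacklist ~/.kde/share/apps/okular
@@ -23,6 +25,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
+# net none
 netfilter
 nodvd
 nogroups
@@ -36,9 +39,9 @@ seccomp
 shell none
 tracelog
 
-# private-bin okular,kbuildsycoca4,kdeinit4,lpr
+private-bin okular,kbuildsycoca4,kdeinit4,lpr
 private-dev
-# private-etc fonts,X11
+private-etc cups,fonts
 # private-tmp - on KDE we need access to the real /tmp for data exchange with thunderbird
 
 # memory-deny-write-execute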
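Review bot: `private-etc cups,fonts` (new line 44 of the last hunk) replaces the old placeholder `# private-etc fonts,X11`, so X11 is silently dropped from the list and cups added, without a note on whether okular was checked to render and `lpr` to print with only those two entries visible under /etc. A short comment would record the tested set, e.g. `# private-etc cups,fonts - cups needed by lpr; X11 not required` if that is what was verified. The now-active `private-bin okular,kbuildsycoca4,kdeinit4,lpr` pins the KDE 4 helper names; on a KDE Frameworks 5 install the helpers are, as far as I know, named with a 5 suffix, so the profile may quietly lack them there — worth a comment or a follow-up rather than leaving the reader to guess which KDE generation the line was tested against.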
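--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -52,9 +52,12 @@ whitelist ~/.config/dconf
 
 # qt/kde
 whitelist ~/.config/kdeglobals
+whitelist ~/.config/kioslaverc
 whitelist ~/.kde/share/config/oxygenrc
 whitelist ~/.kde/share/config/kdeglobals
+whitelist ~/.kde/share/config/kioslaverc
 whitelist ~/.kde/share/icons
 whitelist ~/.kde4/share/config/oxygenrc
 whitelist ~/.kde4/share/config/kdeglobals
+whitelist ~/.kde4/share/config/kioslaverc
 whitelist ~/.kde4/share/icons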
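Review bot: The three new `whitelist ... kioslaverc` entries have no comment linking them to the reason in the commit message, which is that kdeinit may be started inside the sandbox and then needs this file; the `# qt/kde` header above gives no such detail, so the rationale is lost once the commit scrolls out of view. Suggest `# kioslaverc: kdeinit may run inside the sandbox and needs it` above the first entry. It is also worth stating in the same comment that the file is exposed read-only via disable-common.inc, so a reader of this file alone does not assume the whitelist makes it writable.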