Sort caps.keep and seccomp.drop options (#2780)

* Sort seccomp.drop in unbound.profile * Sort caps.keep in tor.profile * Sort seccomp.drop in qgjs.profile * Sort seccomp.drop in dnscrypt-proxy.profile * Sort caps.keep in chromium-common.profile
author: glitsj16 <glitsj16@users.noreply.github.com> 2019-06-16 01:26:18 +0000
committer: GitHub <noreply@github.com> 2019-06-16 01:26:18 +0000
commit: 0a9beba3c6b1058b045993e2bc2ba711bfef70a9 (patch)
tree: dd0c033b00d8aa65ecc52b300dd38165064685a3 /etc
parent: Merge branch 'master' of github.com:netblue30/firejail (diff)
download: firejail-0a9beba3c6b1058b045993e2bc2ba711bfef70a9.tar.gz
firejail-0a9beba3c6b1058b045993e2bc2ba711bfef70a9.tar.zst
firejail-0a9beba3c6b1058b045993e2bc2ba711bfef70a9.zip
5 files changed, 5 insertions, 5 deletions
diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile
index b64fc820a..b227ba9ef 100644
--- a/etc/chromium-common.profile
+++ b/etc/chromium-common.profile
@@ -27,7 +27,7 @@ include whitelist-common.inc
 include whitelist-var-common.inc
 apparmor
-caps.keep sys_chroot,sys_admin
+caps.keep sys_admin,sys_chroot
 netfilter
 # nodbus - prevents access to passwords saved in GNOME Keyring, also breaks Gnome connector
 nodvd
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index ffced747b..ae248f2e8 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -26,7 +26,7 @@ nosound
 notv
 nou2f
 novideo
-seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
+seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
 disable-mnt
 private
diff --git a/etc/qgis.profile b/etc/qgis.profile
index 15ef4c22a..80a10efce 100644
--- a/etc/qgis.profile
+++ b/etc/qgis.profile
@@ -45,7 +45,7 @@ notv
 nou2f
 novideo
 # blacklisting of mbind system calls breaks old version
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,set_mempolicy,migrate_pages,move_pages,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,vmsplice,umount,userfaultfd,mincore
+seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,migrate_pages,mincore,move_pages,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,set_mempolicy,syslog,umount,userfaultfd,vmsplice
 protocol unix,inet,inet6,netlink
 shell none
 tracelog
diff --git a/etc/tor.profile b/etc/tor.profile
index 4aebe0a1e..8d6622241 100644
--- a/etc/tor.profile
+++ b/etc/tor.profile
@@ -25,7 +25,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-caps.keep setuid,setgid,net_bind_service,dac_read_search
+caps.keep dac_read_search,net_bind_service,setgid,setuid
 ipc-namespace
 machine-id
 netfilter
diff --git a/etc/unbound.profile b/etc/unbound.profile
index 8e7a4a8a8..50304d223 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -29,7 +29,7 @@ nosound
 notv
 nou2f
 novideo
-seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
+seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
 writable-var
 disable-mnt
author	glitsj16 <glitsj16@users.noreply.github.com>	2019-06-16 01:26:18 +0000
committer	GitHub <noreply@github.com>	2019-06-16 01:26:18 +0000
commit	0a9beba3c6b1058b045993e2bc2ba711bfef70a9 (patch)
tree	dd0c033b00d8aa65ecc52b300dd38165064685a3 /etc
parent	Merge branch 'master' of github.com:netblue30/firejail (diff)
download	firejail-0a9beba3c6b1058b045993e2bc2ba711bfef70a9.tar.gz firejail-0a9beba3c6b1058b045993e2bc2ba711bfef70a9.tar.zst firejail-0a9beba3c6b1058b045993e2bc2ba711bfef70a9.zip

diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile index b64fc820a..b227ba9ef 100644 --- a/etc/chromium-common.profile +++ b/etc/chromium-common.profile
@@ -27,7 +27,7 @@ include whitelist-common.inc
27	include whitelist-var-common.inc	27	include whitelist-var-common.inc
28		28
29	apparmor	29	apparmor
30	caps.keep sys_chroot,sys_admin	30	caps.keep sys_admin,sys_chroot
31	netfilter	31	netfilter
32	# nodbus - prevents access to passwords saved in GNOME Keyring, also breaks Gnome connector	32	# nodbus - prevents access to passwords saved in GNOME Keyring, also breaks Gnome connector
33	nodvd	33	nodvd


diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile index ffced747b..ae248f2e8 100644 --- a/etc/dnscrypt-proxy.profile +++ b/etc/dnscrypt-proxy.profile
@@ -26,7 +26,7 @@ nosound
26	notv	26	notv
27	nou2f	27	nou2f
28	novideo	28	novideo
29	seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open	29	seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
30		30
31	disable-mnt	31	disable-mnt
32	private	32	private


diff --git a/etc/qgis.profile b/etc/qgis.profile index 15ef4c22a..80a10efce 100644 --- a/etc/qgis.profile +++ b/etc/qgis.profile
@@ -45,7 +45,7 @@ notv
45	nou2f	45	nou2f
46	novideo	46	novideo
47	# blacklisting of mbind system calls breaks old version	47	# blacklisting of mbind system calls breaks old version
48	seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,set_mempolicy,migrate_pages,move_pages,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,vmsplice,umount,userfaultfd,mincore	48	seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,migrate_pages,mincore,move_pages,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,set_mempolicy,syslog,umount,userfaultfd,vmsplice
49	protocol unix,inet,inet6,netlink	49	protocol unix,inet,inet6,netlink
50	shell none	50	shell none
51	tracelog	51	tracelog


diff --git a/etc/tor.profile b/etc/tor.profile index 4aebe0a1e..8d6622241 100644 --- a/etc/tor.profile +++ b/etc/tor.profile
@@ -25,7 +25,7 @@ include disable-passwdmgr.inc
25	include disable-programs.inc	25	include disable-programs.inc
26	include disable-xdg.inc	26	include disable-xdg.inc
27		27
28	caps.keep setuid,setgid,net_bind_service,dac_read_search	28	caps.keep dac_read_search,net_bind_service,setgid,setuid
29	ipc-namespace	29	ipc-namespace
30	machine-id	30	machine-id
31	netfilter	31	netfilter


diff --git a/etc/unbound.profile b/etc/unbound.profile index 8e7a4a8a8..50304d223 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile
@@ -29,7 +29,7 @@ nosound
29	notv	29	notv
30	nou2f	30	nou2f
31	novideo	31	novideo
32	seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open	32	seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
33	writable-var	33	writable-var
34		34
35	disable-mnt	35	disable-mnt