author | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2020-08-09 20:16:35 +0200 |
committer | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2020-08-09 20:16:35 +0200 |
commit | 613dad2103e5690e621a9182a520890f17b69a3c (patch) | |
tree | 8b43e1dc007907a8787b8b880261feb504dfb368 /etc | |
parent | profile fixes (1) (diff) | |
download | firejail-613dad2103e5690e621a9182a520890f17b69a3c.tar.gz firejail-613dad2103e5690e621a9182a520890f17b69a3c.tar.zst firejail-613dad2103e5690e621a9182a520890f17b69a3c.zip |
profile fixes (2)
Diffstat (limited to 'etc')
-rw-r--r-- | etc/allow-ruby.inc | 2 | ||||
-rw-r--r-- | etc/anki.profile | 3 | ||||
-rw-r--r-- | etc/artha.profile | 2 | ||||
-rw-r--r-- | etc/baobab.profile | 2 | ||||
-rw-r--r-- | etc/celluloid.profile | 2 | ||||
-rw-r--r-- | etc/claws-mail.profile | 2 | ||||
-rw-r--r-- | etc/cmus.profile | 2 | ||||
-rw-r--r-- | etc/digikam.profile | 3 | ||||
-rw-r--r-- | etc/evince.profile | 4 | ||||
-rw-r--r-- | etc/exiftool.profile | 1 | ||||
-rw-r--r-- | etc/freecad.profile | 6 | ||||
-rw-r--r-- | etc/gedit.profile | 2 | ||||
-rw-r--r-- | etc/hexchat.profile | 2 | ||||
-rw-r--r-- | etc/mpv.profile | 1 | ||||
-rw-r--r-- | etc/mupdf.profile | 5 | ||||
-rw-r--r-- | etc/musescore.profile | 3 | ||||
-rw-r--r-- | etc/neverputt.profile | 2 | ||||
-rw-r--r-- | etc/pavucontrol.profile | 11 | ||||
-rw-r--r-- | etc/psi-plus.profile | 4 | ||||
-rw-r--r-- | etc/quassel.profile | 3 | ||||
-rw-r--r-- | etc/templates/profile.template | 3 | ||||
-rw-r--r-- | etc/wget.profile | 2 | ||||
-rw-r--r-- | etc/youtube-dl.profile | 2 |
23 files changed, 43 insertions, 26 deletions
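--- /dev/null
+++ b/etc/allow-ruby.inc
@@ -0,0 +1,2 @@
+noblacklist ${PATH}/ruby
+noblacklist /usr/lib/ruby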
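--- a/etc/anki.profile
+++ b/etc/anki.profile
@@ -42,7 +42,8 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
 shell none
 tracelog
 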
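Review bot: `seccomp !chroot` lifts the chroot filter for every process in the sandbox, not only for the QtWebEngine renderer, and the new comment does not say what still limits it. chroot(2) needs CAP_SYS_CHROOT in the caller's user namespace, so if this profile also carries `caps.drop all` and `noroot` (outside this hunk, to be confirmed) the call is only usable after creating a user namespace, which is exactly what the QtWebEngine sandbox does. A one-line note would keep a future reader from treating this as an unconditional exception, e.g. `# QtWebengine needs chroot to set up its own sandbox (only reachable via a user namespace while caps.drop all is in effect)`. The same change and the same missing caveat appear in the digikam, musescore, psi-plus and quassel sections below.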
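--- a/etc/artha.profile
+++ b/etc/artha.profile
@@ -16,7 +16,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-mkdir ${HOME}/.config/artha.conf
+mkfile ${HOME}/.config/artha.conf
 mkdir ${HOME}/.config/enchant
 whitelist ${HOME}/.config/artha.conf
 whitelist ${HOME}/.config/enchant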
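--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -16,7 +16,7 @@ include disable-passwdmgr.inc
 caps.drop all
 net none
 no3d
-nodbus
+#nodbus
 nodvd
 nogroups
 nonewprivs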
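Review bot: `#nodbus` re-exposes the session and system bus to the sandbox with no record of why, while the other disabled directives in this commit (mupdf's seccomp.keep, pavucontrol's mdwe) at least carry a reason. Without one, the next reviewer cannot tell a deliberate compatibility trade-off from a debugging leftover and may silently re-enable it. Prefer `#nodbus - breaks <feature>, see <ISSUE-PLACEHOLDER>` so the reason and the condition for restoring the restriction travel with the line.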
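--- a/etc/celluloid.profile
+++ b/etc/celluloid.profile
@@ -41,7 +41,7 @@ tracelog
 
 private-bin celluloid,env,gnome-mpv,python*,youtube-dl
 private-cache
-private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg
 private-dev
 private-tmp
 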
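--- a/etc/claws-mail.profile
+++ b/etc/claws-mail.profile
@@ -16,7 +16,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist /usr/share/doc
+whitelist /usr/share/doc/claws-mail
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 include whitelist-usr-share-common.inc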
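--- a/etc/cmus.profile
+++ b/etc/cmus.profile
@@ -27,4 +27,4 @@ seccomp
 shell none
 
 private-bin cmus
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl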
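--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -32,7 +32,8 @@ nonewprivs
 noroot
 notv
 protocol unix,inet,inet6,netlink
-seccomp
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
 shell none
 
 # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device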
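--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -47,7 +47,7 @@ tracelog
 private-bin evince,evince-previewer,evince-thumbnailer
 private-cache
 private-dev
-private-etc alternatives,fonts,group,machine-id,passwd
+private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd
 # private-lib might break two-page-view on some systems
-private-lib evince,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
+private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
 private-tmp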
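--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -17,6 +17,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 whitelist /usr/share/perl5
+whitelist /usr/share/perl-image-exiftool
 include whitelist-usr-share-common.inc
 
 apparmor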
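--- a/etc/freecad.profile
+++ b/etc/freecad.profile
@@ -9,6 +9,10 @@ include globals.local
 noblacklist ${HOME}/.config/FreeCAD
 noblacklist ${DOCUMENTS}
 
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -33,7 +37,7 @@ protocol unix
 seccomp
 shell none
 
-private-bin freecad,freecadcmd
+private-bin freecad,freecadcmd,python*
 private-cache
 private-dev
 private-tmp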
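--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -42,6 +42,6 @@ tracelog
 
 # private-bin gedit
 private-dev
-private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-3.0.so.*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.*
+private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.*
 private-tmp
 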
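--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -26,14 +26,12 @@ include whitelist-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
-machine-id
 netfilter
 no3d
 nodvd
 nogroups
 nonewprivs
 noroot
-nosound
 notv
 nou2f
 novideo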
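Review bot: Dropping `machine-id` hands the host's real /etc/machine-id to the sandbox again, which is a stable identifier usable for fingerprinting, and the commit gives no reason for the change. Since `nosound` is removed in the same hunk it looks like a sound-stack dependency on the machine id (PulseAudio keys its per-host state on it), but that is an inference; the line that is removed should say so. A comment on the line above `netfilter`, such as `# machine-id - breaks sound, see <ISSUE-PLACEHOLDER>`, would record the trade-off where a later tightening pass will see it.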
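--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -27,6 +27,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+whitelist /usr/share/vulkan
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 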
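--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -32,14 +32,13 @@ nou2f
 novideo
 protocol unix
 seccomp
-# seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
 shell none
 tracelog
 
 # private-bin mupdf,rm,sh,tempfile
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
 private-tmp
 
-memory-deny-write-execute
+# memory-deny-write-execute
 read-only ${HOME}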
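Review bot: `# memory-deny-write-execute` disables a W^X mitigation for a PDF viewer, i.e. a program that parses untrusted files, and the line no longer states why, whereas the pavucontrol section in this same commit writes `# mdwe is broken under Wayland, but works under Xorg.` for the identical change. Carrying the reason here too, for example `# memory-deny-write-execute - breaks <feature>, see <ISSUE-PLACEHOLDER>`, tells the next maintainer what has to be fixed before it can be restored. Separately, `ld.so.preload` in `private-etc` is the loader's system-wide library injection point; the host copy is root-owned so exposing it is presumably harmless, but if only ld.so.cache and ld.so.conf* are actually needed to fix the library lookup, the smaller list is preferable.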
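--- a/etc/musescore.profile
+++ b/etc/musescore.profile
@@ -33,7 +33,8 @@ noroot
 notv
 novideo
 protocol unix,inet,inet6
-seccomp
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
 shell none
 tracelog
 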
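--- a/etc/neverputt.profile
+++ b/etc/neverputt.profile
@@ -5,5 +5,7 @@ include neverputt.local
 # added by included profile
 #include globals.local
 
+private-bin neverputt
+
 # Redirect
 include neverball.profile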
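--- a/etc/pavucontrol.profile
+++ b/etc/pavucontrol.profile
@@ -16,11 +16,12 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-mkfile ${HOME}/.config/pavucontrol.ini
-whitelist ${HOME}/.config/pavucontrol.ini
+# whitelisting in ${HOME} is broken, see #3112
+#mkfile ${HOME}/.config/pavucontrol.ini
+#whitelist ${HOME}/.config/pavucontrol.ini
 whitelist /usr/share/pavucontrol
 whitelist /usr/share/pavucontrol-qt
-include whitelist-common.inc
+#include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -39,6 +40,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 
 disable-mnt
 private-bin pavucontrol
@@ -48,4 +50,5 @@ private-etc alternatives,asound.conf,avahi,fonts,machine-id,pulse
 private-lib
 private-tmp
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+# mdwe is broken under Wayland, but works under Xorg.
+#memory-deny-write-execute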
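Review bot: In the first hunk, `#include whitelist-common.inc` drops the ${HOME} whitelist altogether, so the sandbox now sees the whole home directory rather than one config file, and only the `mkfile`/`whitelist` pair above it is tied to #3112 by the comment. If the include was disabled for the same reason, the comment should cover it too, e.g. `# whitelisting in ${HOME} is broken, see #3112 (re-enable mkfile/whitelist/whitelist-common.inc once fixed)`, so the wider exposure is restored when the issue closes rather than forgotten. Also worth noting: the third hunk records the mdwe state as Wayland-only, which reads as if the mitigation could be enabled per session; if a profile-level switch is not possible, the comment could say so.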
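--- a/etc/psi-plus.profile
+++ b/etc/psi-plus.profile
@@ -36,10 +36,10 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
 shell none
 
 disable-mnt
 private-dev
 private-tmp
-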
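--- a/etc/quassel.profile
+++ b/etc/quassel.profile
@@ -19,7 +19,8 @@ nonewprivs
 noroot
 notv
 protocol unix,inet,inet6
-seccomp
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
 
 private-cache
 private-tmp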
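--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -87,6 +87,9 @@ include globals.local
 # Allow lua (blacklisted by disable-interpreters.inc)
 #include allow-lua.inc
 
+# Allow ruby (blacklisted by disable-interpreters.inc)
+#include allow-ruby.inc
+
 # Allows files commonly used by IDEs
 #include allow-common-devel.inc
 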
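--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -35,6 +35,6 @@ shell none
 
 # private-bin wget
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policie,pki,resolv.conf,ssl
+# private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
 # private-tmp
 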
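--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -56,7 +56,7 @@ tracelog
 private-bin env,ffmpeg,python*,youtube-dl
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,mime.types,pki,resolv.conf,ssl,youtube-dl.conf
+private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,mime.types,pki,resolv.conf,ssl,youtube-dl.conf
 private-tmp
 
 #memory-deny-write-execute - breaks on Arch (see issue #1803)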