diff options
| author |  glitsj16 <glitsj16@users.noreply.github.com> | 2019-06-20 20:59:39 +0000 |
|---|---|---|
| committer |  GitHub <noreply@github.com> | 2019-06-20 20:59:39 +0000 |
| commit | 7dfd850505c9d99f3e7b95b29f99bb68bd4459ea (patch) | |
| tree | 2bca781d4090a53651ba809d69d596a98f43442e /etc | |
| parent | Merge pull request #2771 from smitsohu/homedir2 (diff) | |
| download | firejail-7dfd850505c9d99f3e7b95b29f99bb68bd4459ea.tar.gz firejail-7dfd850505c9d99f3e7b95b29f99bb68bd4459ea.tar.zst firejail-7dfd850505c9d99f3e7b95b29f99bb68bd4459ea.zip | |
Arch Linux specific changes (#2788)
* Arch Linux specific addition to gzip.profile
* Arch Linux specifics for tar.profile
* Arch Linux specifics for gzip.profile
* Minor re-ordering and wording edits for makepkg.profile
* Spacing fix for cower.profile
Diffstat (limited to 'etc')
| -rw-r--r-- | etc/cower.profile | 1 | ||||
| -rw-r--r-- | etc/gzip.profile | 3 | ||||
| -rw-r--r-- | etc/makepkg.profile | 15 | ||||
| -rw-r--r-- | etc/tar.profile | 3 |
4 files changed, 13 insertions, 9 deletions
diff --git a/etc/cower.profile b/etc/cower.profile index 69575cea4..8efe48240 100644 --- a/etc/cower.profile +++ b/etc/cower.profile | |||
| @@ -45,4 +45,5 @@ private-dev | |||
| 45 | private-tmp | 45 | private-tmp |
| 46 | 46 | ||
| 47 | memory-deny-write-execute | 47 | memory-deny-write-execute |
| 48 | |||
| 48 | read-only ${HOME}/.config/cower/config | 49 | read-only ${HOME}/.config/cower/config |
diff --git a/etc/gzip.profile b/etc/gzip.profile index 38f6ee65e..48e495c60 100644 --- a/etc/gzip.profile +++ b/etc/gzip.profile | |||
| @@ -7,6 +7,9 @@ include gzip.local | |||
| 7 | # Persistent global definitions | 7 | # Persistent global definitions |
| 8 | include globals.local | 8 | include globals.local |
| 9 | 9 | ||
| 10 | # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only. | ||
| 11 | noblacklist /var/lib/pacman | ||
| 12 | |||
| 10 | include disable-common.inc | 13 | include disable-common.inc |
| 11 | include disable-devel.inc | 14 | include disable-devel.inc |
| 12 | include disable-exec.inc | 15 | include disable-exec.inc |
diff --git a/etc/makepkg.profile b/etc/makepkg.profile index 55bea9c5e..0120fc2cd 100644 --- a/etc/makepkg.profile +++ b/etc/makepkg.profile | |||
| @@ -1,5 +1,10 @@ | |||
| 1 | # Firejail profile for makepkg | 1 | # Firejail profile for makepkg |
| 2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
| 3 | quiet | ||
| 4 | # Persistent local customizations | ||
| 5 | include makepkg.local | ||
| 6 | # Persistent global definitions | ||
| 7 | include globals.local | ||
| 3 | 8 | ||
| 4 | # Note: see this Arch forum discussion https://bbs.archlinux.org/viewtopic.php?pid=1743138 | 9 | # Note: see this Arch forum discussion https://bbs.archlinux.org/viewtopic.php?pid=1743138 |
| 5 | # for potential issues and their solutions when Firejailing makepkg | 10 | # for potential issues and their solutions when Firejailing makepkg |
| @@ -8,13 +13,6 @@ | |||
| 8 | # whitelist ${HOME}/<Your Build Folder> | 13 | # whitelist ${HOME}/<Your Build Folder> |
| 9 | # whitelist ${HOME}/.gnupg | 14 | # whitelist ${HOME}/.gnupg |
| 10 | 15 | ||
| 11 | quiet | ||
| 12 | # Persistent local customizations | ||
| 13 | include makepkg.local | ||
| 14 | # Persistent global definitions | ||
| 15 | include globals.local | ||
| 16 | |||
| 17 | |||
| 18 | # Enable severely restricted access to ${HOME}/.gnupg | 16 | # Enable severely restricted access to ${HOME}/.gnupg |
| 19 | noblacklist ${HOME}/.gnupg | 17 | noblacklist ${HOME}/.gnupg |
| 20 | read-only ${HOME}/.gnupg/gpg.conf | 18 | read-only ${HOME}/.gnupg/gpg.conf |
| @@ -26,8 +24,7 @@ blacklist ${HOME}/.gnupg/private-keys-v1.d | |||
| 26 | blacklist ${HOME}/.gnupg/crls.d | 24 | blacklist ${HOME}/.gnupg/crls.d |
| 27 | blacklist ${HOME}/.gnupg/openpgp-revocs.d | 25 | blacklist ${HOME}/.gnupg/openpgp-revocs.d |
| 28 | 26 | ||
| 29 | 27 | # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only. | |
| 30 | # Need to be able to read /var/lib/pacman, {Note no capabilities so automatically read-only} | ||
| 31 | noblacklist /var/lib/pacman | 28 | noblacklist /var/lib/pacman |
| 32 | 29 | ||
| 33 | include disable-common.inc | 30 | include disable-common.inc |
diff --git a/etc/tar.profile b/etc/tar.profile index 1232bb372..cace89965 100644 --- a/etc/tar.profile +++ b/etc/tar.profile | |||
| @@ -7,6 +7,9 @@ include tar.local | |||
| 7 | # Persistent global definitions | 7 | # Persistent global definitions |
| 8 | include globals.local | 8 | include globals.local |
| 9 | 9 | ||
| 10 | # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only. | ||
| 11 | noblacklist /var/lib/pacman | ||
| 12 | |||
| 10 | include disable-common.inc | 13 | include disable-common.inc |
| 11 | include disable-devel.inc | 14 | include disable-devel.inc |
| 12 | include disable-exec.inc | 15 | include disable-exec.inc |