Merges + misc fixes

- Change some links in README to HTTPS - Fixup some typos in firejail-profile manpage - Cleanup dash from private-etc - Fixup gradio - Synchronize server profile with default profile
author: Tad <tad@spotco.us> 2018-07-04 15:48:02 -0400
committer: Tad <tad@spotco.us> 2018-07-04 15:48:02 -0400
commit: e91e7b2b8165450e695c7f45492cca2ae6927678 (patch)
tree: a9379cc4330adfa679cdae89f64741c6f23df679 /etc
parent: Merge pull request #2025 from Bundy01/master (diff)
download: firejail-e91e7b2b8165450e695c7f45492cca2ae6927678.tar.gz
firejail-e91e7b2b8165450e695c7f45492cca2ae6927678.tar.zst
firejail-e91e7b2b8165450e695c7f45492cca2ae6927678.zip
6 files changed, 18 insertions, 8 deletions
diff --git a/etc/ark.profile b/etc/ark.profile
index 0c7ef3dae..12675b30b 100644
--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -31,7 +31,7 @@ protocol unix
 seccomp
 shell none
-private-bin ark,unrar,rar,unzip,zip,zipinfo,7z,p7zip,unar,lsar,lrzip,lzop,lz4,bash,dash,sh,tclsh
+private-bin ark,unrar,rar,unzip,zip,zipinfo,7z,p7zip,unar,lsar,lrzip,lzop,lz4,bash,sh,tclsh
 #private-etc smb.conf,samba,mtab,fonts,drirc,kde5rc,passwd,group,xdg
 private-dev
diff --git a/etc/bsdtar.profile b/etc/bsdtar.profile
index a49fc023a..d3bc76ba5 100644
--- a/etc/bsdtar.profile
+++ b/etc/bsdtar.profile
@@ -34,7 +34,7 @@ shell none
 tracelog
 # support compressed archives
-private-bin sh,bash,dash,bsdtar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop,lz4,libarchive
+private-bin sh,bash,bsdtar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop,lz4,libarchive
 private-dev
 private-etc passwd,group,localtime
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 56121809a..b2357716a 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -391,4 +391,4 @@ blacklist ${HOME}/*.local/share/flatpak
 blacklist /var/lib/flatpak
 blacklist /usr/share/flatpak
 # most of the time bwrap is SUID binary
-blacklist /usr/bin/bwrap
-\ No newline at end of file
+blacklist ${PATH}/bwrap
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index f72b5a5c3..1dee73078 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -393,6 +393,7 @@ blacklist ${HOME}/.local/share/gnome-photos
 blacklist ${HOME}/.local/share/gnome-recipes
 blacklist ${HOME}/.local/share/gnome-ring
 blacklist ${HOME}/.local/share/gnome-twitch
+blacklist ${HOME}/.local/share/gradio
 blacklist ${HOME}/.local/share/gwenview
 blacklist ${HOME}/.local/share/kaffeine
 blacklist ${HOME}/.local/share/kate
@@ -550,6 +551,7 @@ blacklist ${HOME}/.cache/google-chrome
 blacklist ${HOME}/.cache/google-chrome-beta
 blacklist ${HOME}/.cache/google-chrome-unstable
 blacklist ${HOME}/.cache/gnome-twitch
+blacklist ${HOME}/.cache/gradio
 blacklist ${HOME}/.cache/icedove
 blacklist ${HOME}/.cache/INRIA/Natron
 blacklist ${HOME}/.cache/inkscape
diff --git a/etc/gradio.profile b/etc/gradio.profile
index 1a7ff60ed..bba92a0bc 100644
--- a/etc/gradio.profile
+++ b/etc/gradio.profile
@@ -5,10 +5,8 @@ include /etc/firejail/gradio.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+noblacklist ${HOME}/.cache/gradio
 noblacklist ${HOME}/.local/share/gradio
-mkdir ${HOME}/.local/share/gradio
-whitelist ${HOME}/.local/share/gradio
-whitelist ${HOME}/.cache/gradio
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -16,6 +14,10 @@ include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+mkdir ${HOME}/.cache/gradio
+mkdir ${HOME}/.local/share/gradio
+whitelist ${HOME}/.cache/gradio
+whitelist ${HOME}/.local/share/gradio
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc
diff --git a/etc/server.profile b/etc/server.profile
index 9cc906e55..94e2d5da9 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -22,18 +22,24 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps
+# ipc-namespace
+# netfilter /etc/firejail/webserver.net
 no3d
+# nodbus
 nodvd
+# nogroups
+# nonewprivs
+# noroot
 nosound
 notv
 novideo
 seccomp
+# shell none
-# netfilter /etc/firejail/webserver.net
 # disable-mnt
 private
 # private-bin program
+# private-cache
 private-dev
 # private-etc none
 # private-lib
author	Tad <tad@spotco.us>	2018-07-04 15:48:02 -0400
committer	Tad <tad@spotco.us>	2018-07-04 15:48:02 -0400
commit	e91e7b2b8165450e695c7f45492cca2ae6927678 (patch)
tree	a9379cc4330adfa679cdae89f64741c6f23df679 /etc
parent	Merge pull request #2025 from Bundy01/master (diff)
download	firejail-e91e7b2b8165450e695c7f45492cca2ae6927678.tar.gz firejail-e91e7b2b8165450e695c7f45492cca2ae6927678.tar.zst firejail-e91e7b2b8165450e695c7f45492cca2ae6927678.zip

diff --git a/etc/ark.profile b/etc/ark.profile index 0c7ef3dae..12675b30b 100644 --- a/etc/ark.profile +++ b/etc/ark.profile
@@ -31,7 +31,7 @@ protocol unix
31	seccomp	31	seccomp
32	shell none	32	shell none
33		33
34	private-bin ark,unrar,rar,unzip,zip,zipinfo,7z,p7zip,unar,lsar,lrzip,lzop,lz4,bash,dash,sh,tclsh	34	private-bin ark,unrar,rar,unzip,zip,zipinfo,7z,p7zip,unar,lsar,lrzip,lzop,lz4,bash,sh,tclsh
35	#private-etc smb.conf,samba,mtab,fonts,drirc,kde5rc,passwd,group,xdg	35	#private-etc smb.conf,samba,mtab,fonts,drirc,kde5rc,passwd,group,xdg
36		36
37	private-dev	37	private-dev


diff --git a/etc/bsdtar.profile b/etc/bsdtar.profile index a49fc023a..d3bc76ba5 100644 --- a/etc/bsdtar.profile +++ b/etc/bsdtar.profile
@@ -34,7 +34,7 @@ shell none
34	tracelog	34	tracelog
35		35
36	# support compressed archives	36	# support compressed archives
37	private-bin sh,bash,dash,bsdtar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop,lz4,libarchive	37	private-bin sh,bash,bsdtar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop,lz4,libarchive
38	private-dev	38	private-dev
39	private-etc passwd,group,localtime	39	private-etc passwd,group,localtime
40		40


diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 56121809a..b2357716a 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc
@@ -391,4 +391,4 @@ blacklist ${HOME}/*.local/share/flatpak
391	blacklist /var/lib/flatpak	391	blacklist /var/lib/flatpak
392	blacklist /usr/share/flatpak	392	blacklist /usr/share/flatpak
393	# most of the time bwrap is SUID binary	393	# most of the time bwrap is SUID binary
394	blacklist /usr/bin/bwrap \ No newline at end of file	394	blacklist ${PATH}/bwrap


diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index f72b5a5c3..1dee73078 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc
@@ -393,6 +393,7 @@ blacklist ${HOME}/.local/share/gnome-photos
393	blacklist ${HOME}/.local/share/gnome-recipes	393	blacklist ${HOME}/.local/share/gnome-recipes
394	blacklist ${HOME}/.local/share/gnome-ring	394	blacklist ${HOME}/.local/share/gnome-ring
395	blacklist ${HOME}/.local/share/gnome-twitch	395	blacklist ${HOME}/.local/share/gnome-twitch
		396	blacklist ${HOME}/.local/share/gradio
396	blacklist ${HOME}/.local/share/gwenview	397	blacklist ${HOME}/.local/share/gwenview
397	blacklist ${HOME}/.local/share/kaffeine	398	blacklist ${HOME}/.local/share/kaffeine
398	blacklist ${HOME}/.local/share/kate	399	blacklist ${HOME}/.local/share/kate
@@ -550,6 +551,7 @@ blacklist ${HOME}/.cache/google-chrome
550	blacklist ${HOME}/.cache/google-chrome-beta	551	blacklist ${HOME}/.cache/google-chrome-beta
551	blacklist ${HOME}/.cache/google-chrome-unstable	552	blacklist ${HOME}/.cache/google-chrome-unstable
552	blacklist ${HOME}/.cache/gnome-twitch	553	blacklist ${HOME}/.cache/gnome-twitch
		554	blacklist ${HOME}/.cache/gradio
553	blacklist ${HOME}/.cache/icedove	555	blacklist ${HOME}/.cache/icedove
554	blacklist ${HOME}/.cache/INRIA/Natron	556	blacklist ${HOME}/.cache/INRIA/Natron
555	blacklist ${HOME}/.cache/inkscape	557	blacklist ${HOME}/.cache/inkscape


diff --git a/etc/gradio.profile b/etc/gradio.profile index 1a7ff60ed..bba92a0bc 100644 --- a/etc/gradio.profile +++ b/etc/gradio.profile
@@ -5,10 +5,8 @@ include /etc/firejail/gradio.local
5	# Persistent global definitions	5	# Persistent global definitions
6	include /etc/firejail/globals.local	6	include /etc/firejail/globals.local
7		7
		8	noblacklist ${HOME}/.cache/gradio
8	noblacklist ${HOME}/.local/share/gradio	9	noblacklist ${HOME}/.local/share/gradio
9	mkdir ${HOME}/.local/share/gradio
10	whitelist ${HOME}/.local/share/gradio
11	whitelist ${HOME}/.cache/gradio
12		10
13	include /etc/firejail/disable-common.inc	11	include /etc/firejail/disable-common.inc
14	include /etc/firejail/disable-devel.inc	12	include /etc/firejail/disable-devel.inc
@@ -16,6 +14,10 @@ include /etc/firejail/disable-interpreters.inc
16	include /etc/firejail/disable-passwdmgr.inc	14	include /etc/firejail/disable-passwdmgr.inc
17	include /etc/firejail/disable-programs.inc	15	include /etc/firejail/disable-programs.inc
18		16
		17	mkdir ${HOME}/.cache/gradio
		18	mkdir ${HOME}/.local/share/gradio
		19	whitelist ${HOME}/.cache/gradio
		20	whitelist ${HOME}/.local/share/gradio
19	include /etc/firejail/whitelist-common.inc	21	include /etc/firejail/whitelist-common.inc
20	include /etc/firejail/whitelist-var-common.inc	22	include /etc/firejail/whitelist-var-common.inc
21		23


diff --git a/etc/server.profile b/etc/server.profile index 9cc906e55..94e2d5da9 100644 --- a/etc/server.profile +++ b/etc/server.profile
@@ -22,18 +22,24 @@ include /etc/firejail/disable-passwdmgr.inc
22	include /etc/firejail/disable-programs.inc	22	include /etc/firejail/disable-programs.inc
23		23
24	caps	24	caps
		25	# ipc-namespace
		26	# netfilter /etc/firejail/webserver.net
25	no3d	27	no3d
		28	# nodbus
26	nodvd	29	nodvd
		30	# nogroups
		31	# nonewprivs
		32	# noroot
27	nosound	33	nosound
28	notv	34	notv
29	novideo	35	novideo
30	seccomp	36	seccomp
31		37	# shell none
32	# netfilter /etc/firejail/webserver.net
33		38
34	# disable-mnt	39	# disable-mnt
35	private	40	private
36	# private-bin program	41	# private-bin program
		42	# private-cache
37	private-dev	43	private-dev
38	# private-etc none	44	# private-etc none
39	# private-lib	45	# private-lib