private-bin conversion

author: netblue30 <netblue30@yahoo.com> 2016-06-10 10:41:57 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-06-10 10:41:57 -0400
commit: e3abab47dcda4dba4a1412261e35cb1608ffd900 (patch)
tree: c1b75716185ea40aa77ff947991c868f7d5d8628 /etc
parent: private-bin conversion (diff)
download: firejail-e3abab47dcda4dba4a1412261e35cb1608ffd900.tar.gz
firejail-e3abab47dcda4dba4a1412261e35cb1608ffd900.tar.zst
firejail-e3abab47dcda4dba4a1412261e35cb1608ffd900.zip
7 files changed, 21 insertions, 3 deletions
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile
index bc6fe1d86..7b6238d98 100644
--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -24,3 +24,12 @@ protocol unix,inet,inet6,netlink
 tracelog
 include /etc/firejail/whitelist-common.inc
+# no private-bin support for various reasons:
+#10:25:34 exec 11249 (root) NEW SANDBOX: /usr/bin/firejail /usr/bin/cherrytree 
+#10:25:34 exec 11252 (netblue) /bin/bash -c "/usr/bin/cherrytree"  
+#10:25:34 exec 11252 (netblue) /usr/bin/python /usr/bin/cherrytree 
+#10:25:34 exec 11253 (netblue) sh -c /sbin/ldconfig -p 2>/dev/null 
+#10:25:34 exec 11255 (netblue) sh -c if type gcc >/dev/null 2>&1; then CC=gcc; elif type cc >/dev/null 2>&1; then CC=cc;else exit 10; fi;LANG=C LC_ALL=C $CC -Wl,-t -o /tmp/tmpiYr44S 2>&1 -llibc 
+# it requires acces to browser to show the online help
+# it doesn't play nicely with expect
diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc
index 8c18ec2c3..071a82f76 100644
--- a/etc/disable-devel.inc
+++ b/etc/disable-devel.inc
@@ -37,7 +37,7 @@ blacklist /usr/lib/php*
 blacklist /usr/bin/ruby
 blacklist /usr/lib/ruby
-# Programs using python: deluge, some firefox addons, filezilla
+# Programs using python: deluge, firefox addons, filezilla, cherrytree
 # Python 2
 #blacklist /usr/bin/python2*
 #blacklist /usr/lib/python2*
diff --git a/etc/evince.profile b/etc/evince.profile
index 8c84a1daa..8671c1251 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -10,3 +10,6 @@ noroot
 nosound
 protocol unix,inet,inet6
 seccomp
+shell none
+private-bin evince,evince-previewer,evince-thumbnailer
diff --git a/etc/fbreader.profile b/etc/fbreader.profile
index c4d84691c..df359e50a 100644
--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -13,3 +13,6 @@ noroot
 nosound
 protocol unix,inet,inet6
 seccomp
+shell none
+private-bin fbreader,FBReader
+\ No newline at end of file
diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile
index f15778534..1caea177d 100644
--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -9,3 +9,6 @@ nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
+private-bin gnome-mplayer
diff --git a/etc/gthumb.profile b/etc/gthumb.profile
index 55041b5cc..68d6a52d9 100644
--- a/etc/gthumb.profile
+++ b/etc/gthumb.profile
@@ -13,5 +13,5 @@ noroot
 protocol unix,inet,inet6
 seccomp
-private-bin gthumb
 shell none
+private-bin gthumb
diff --git a/etc/vlc.profile b/etc/vlc.profile
index e225e80e9..1a6e5a151 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -16,4 +16,4 @@ seccomp
 # to test
 shell none
-private-bin vlc
+private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
author	netblue30 <netblue30@yahoo.com>	2016-06-10 10:41:57 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-06-10 10:41:57 -0400
commit	e3abab47dcda4dba4a1412261e35cb1608ffd900 (patch)
tree	c1b75716185ea40aa77ff947991c868f7d5d8628 /etc
parent	private-bin conversion (diff)
download	firejail-e3abab47dcda4dba4a1412261e35cb1608ffd900.tar.gz firejail-e3abab47dcda4dba4a1412261e35cb1608ffd900.tar.zst firejail-e3abab47dcda4dba4a1412261e35cb1608ffd900.zip

diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index bc6fe1d86..7b6238d98 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile
@@ -24,3 +24,12 @@ protocol unix,inet,inet6,netlink
24	tracelog	24	tracelog
25		25
26	include /etc/firejail/whitelist-common.inc	26	include /etc/firejail/whitelist-common.inc
		27
		28	# no private-bin support for various reasons:
		29	#10:25:34 exec 11249 (root) NEW SANDBOX: /usr/bin/firejail /usr/bin/cherrytree
		30	#10:25:34 exec 11252 (netblue) /bin/bash -c "/usr/bin/cherrytree"
		31	#10:25:34 exec 11252 (netblue) /usr/bin/python /usr/bin/cherrytree
		32	#10:25:34 exec 11253 (netblue) sh -c /sbin/ldconfig -p 2>/dev/null
		33	#10:25:34 exec 11255 (netblue) sh -c if type gcc >/dev/null 2>&1; then CC=gcc; elif type cc >/dev/null 2>&1; then CC=cc;else exit 10; fi;LANG=C LC_ALL=C $CC -Wl,-t -o /tmp/tmpiYr44S 2>&1 -llibc
		34	# it requires acces to browser to show the online help
		35	# it doesn't play nicely with expect


diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index 8c18ec2c3..071a82f76 100644 --- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc
@@ -37,7 +37,7 @@ blacklist /usr/lib/php*
37	blacklist /usr/bin/ruby	37	blacklist /usr/bin/ruby
38	blacklist /usr/lib/ruby	38	blacklist /usr/lib/ruby
39		39
40	# Programs using python: deluge, some firefox addons, filezilla	40	# Programs using python: deluge, firefox addons, filezilla, cherrytree
41	# Python 2	41	# Python 2
42	#blacklist /usr/bin/python2*	42	#blacklist /usr/bin/python2*
43	#blacklist /usr/lib/python2*	43	#blacklist /usr/lib/python2*


diff --git a/etc/evince.profile b/etc/evince.profile index 8c84a1daa..8671c1251 100644 --- a/etc/evince.profile +++ b/etc/evince.profile
@@ -10,3 +10,6 @@ noroot
10	nosound	10	nosound
11	protocol unix,inet,inet6	11	protocol unix,inet,inet6
12	seccomp	12	seccomp
		13
		14	shell none
		15	private-bin evince,evince-previewer,evince-thumbnailer


diff --git a/etc/fbreader.profile b/etc/fbreader.profile index c4d84691c..df359e50a 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile
@@ -13,3 +13,6 @@ noroot
13	nosound	13	nosound
14	protocol unix,inet,inet6	14	protocol unix,inet,inet6
15	seccomp	15	seccomp
		16
		17	shell none
		18	private-bin fbreader,FBReader \ No newline at end of file


diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile index f15778534..1caea177d 100644 --- a/etc/gnome-mplayer.profile +++ b/etc/gnome-mplayer.profile
@@ -9,3 +9,6 @@ nonewprivs
9	noroot	9	noroot
10	protocol unix,inet,inet6	10	protocol unix,inet,inet6
11	seccomp	11	seccomp
		12
		13	shell none
		14	private-bin gnome-mplayer


diff --git a/etc/gthumb.profile b/etc/gthumb.profile index 55041b5cc..68d6a52d9 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile
@@ -13,5 +13,5 @@ noroot
13	protocol unix,inet,inet6	13	protocol unix,inet,inet6
14	seccomp	14	seccomp
15		15
16	private-bin gthumb
17	shell none	16	shell none
		17	private-bin gthumb


diff --git a/etc/vlc.profile b/etc/vlc.profile index e225e80e9..1a6e5a151 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile
@@ -16,4 +16,4 @@ seccomp
16		16
17	# to test	17	# to test
18	shell none	18	shell none
19	private-bin vlc	19	private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc