Refactor Transmission profiles (#2516)

* Harden transmission-cli.profile * Harden transmission-gtk.profile * Harden transmission-qt.profile * Harden transmission-show.profile * Create transmission-create.profile * Create transmission-daemon.profile * Create transmission-edit.profile * Create transmission-remote.profile * Create transmission-remote-cli.profile * Create transmission-remote-gtk.profile * Fix spacing in transmission-remote-cli.profile * Add transmission-daemon to firecfg
author: glitsj16 <glitsj16@users.noreply.github.com> 2019-03-05 07:06:21 +0000
committer: GitHub <noreply@github.com> 2019-03-05 07:06:21 +0000
commit: e934c66dba83d30fbfdbe16c8d64406f6c2e6bd3 (patch)
tree: 359737ade1acf082e0970b74239faa8689f7654d /etc
parent: direct link for new profile requests (diff)
download: firejail-e934c66dba83d30fbfdbe16c8d64406f6c2e6bd3.tar.gz
firejail-e934c66dba83d30fbfdbe16c8d64406f6c2e6bd3.tar.zst
firejail-e934c66dba83d30fbfdbe16c8d64406f6c2e6bd3.zip
10 files changed, 183 insertions, 5 deletions
diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile
index 89b9b21dc..65682df52 100644
--- a/etc/transmission-cli.profile
+++ b/etc/transmission-cli.profile
@@ -1,5 +1,5 @@
 # Firejail profile for transmission-cli
-# Description: Lightweight BitTorrent client
+# Description: Fast, easy and free BitTorrent client (CLI tools and web client)
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
@@ -16,9 +16,11 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+apparmor
 caps.drop all
 machine-id
 netfilter
+nodbus
 nodvd
 nonewprivs
 noroot
@@ -26,14 +28,17 @@ nosound
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol inet,inet6
 seccomp
 shell none
 tracelog
 # private-bin transmission-cli
 private-dev
-private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+private-lib
 private-tmp
 memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/transmission-create.profile b/etc/transmission-create.profile
new file mode 100644
index 000000000..7aea44c3b
--- /dev/null
+++ b/etc/transmission-create.profile
@@ -0,0 +1,12 @@
+# Firejail profile for transmission-create
+# Description: CLI utility to create BitTorrent .torrent files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include transmission-create.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include transmission-cli.profile
diff --git a/etc/transmission-daemon.profile b/etc/transmission-daemon.profile
new file mode 100644
index 000000000..c101e18b5
--- /dev/null
+++ b/etc/transmission-daemon.profile
@@ -0,0 +1,45 @@
+# Firejail profile for transmission-daemon
+# Description:  Fast, easy and free BitTorrent client (daemon)
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include transmission-daemon.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/transmission
+noblacklist ${HOME}/.config/transmission
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+shell none
+tracelog
+# private-bin transmission-daemon
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+private-lib
+private-tmp
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/transmission-edit.profile b/etc/transmission-edit.profile
new file mode 100644
index 000000000..5bc81c231
--- /dev/null
+++ b/etc/transmission-edit.profile
@@ -0,0 +1,12 @@
+# Firejail profile for transmission-edit
+# Description: CLI utility to modify BitTorrent .torrent files' announce URLs
+# This file is overwritten after every install/update
+# Persistent local customizations
+include transmission-edit.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include transmission-cli.profile
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index 00de26003..6fd310a73 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -1,5 +1,5 @@
 # Firejail profile for transmission-gtk
-# Description: Lightweight BitTorrent client
+# Description: Fast, easy and free BitTorrent client (GTK GUI)
 # This file is overwritten after every install/update
 # Persistent local customizations
 include transmission-gtk.local
@@ -47,3 +47,5 @@ private-tmp
 # Causes freeze during opening file dialog in Archlinux, see issue #1855
 # memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index 96d9b4bb0..f35eb0036 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -1,5 +1,5 @@
 # Firejail profile for transmission-qt
-# Description: Lightweight BitTorrent client
+# Description: Fast, easy and free BitTorrent client (Qt GUI)
 # This file is overwritten after every install/update
 # Persistent local customizations
 include transmission-qt.local
@@ -46,3 +46,5 @@ private-dev
 private-tmp
 # memory-deny-write-execute - problems on Qt 5.10.0, KDE Frameworks 5.41.0
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/transmission-remote-cli.profile b/etc/transmission-remote-cli.profile
new file mode 100644
index 000000000..a2e950176
--- /dev/null
+++ b/etc/transmission-remote-cli.profile
@@ -0,0 +1,28 @@
+# Firejail profile for transmission-remote-cli
+# Description: A remote control utility for transmission-daemon (CLI)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include transmission-remote-cli.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Allow python (disabled by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+mkdir ${HOME}/.cache/transmission
+mkdir ${HOME}/.config/transmission
+whitelist ${HOME}/.cache/transmission
+whitelist ${HOME}/.config/transmission
+include whitelist-common.inc
+include whitelist-var-common.inc
+# private-bin python*
+private-etc fonts
+# Redirect
+include transmission-remote.profile
diff --git a/etc/transmission-remote-gtk.profile b/etc/transmission-remote-gtk.profile
new file mode 100644
index 000000000..3ead56008
--- /dev/null
+++ b/etc/transmission-remote-gtk.profile
@@ -0,0 +1,21 @@
+# Firejail profile for transmission-remote-gtk
+# Description: A remote control utility for transmission-daemon (GTK GUI)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include transmission-remote-gtk.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+mkdir ${HOME}/.cache/transmission
+mkdir ${HOME}/.config/transmission
+whitelist ${HOME}/.cache/transmission
+whitelist ${HOME}/.config/transmission
+include whitelist-common.inc
+include whitelist-var-common.inc
+private-etc fonts
+# Redirect
+include transmission-remote.profile
diff --git a/etc/transmission-remote.profile b/etc/transmission-remote.profile
new file mode 100644
index 000000000..7e6f67317
--- /dev/null
+++ b/etc/transmission-remote.profile
@@ -0,0 +1,44 @@
+# Firejail profile for transmission-remote
+# Description: A remote control utility for transmission-daemon (CLI)
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include transmission-remote.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/transmission
+noblacklist ${HOME}/.config/transmission
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+apparmor
+caps.drop all
+machine-id
+net none
+nodbus
+nodvd
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+# private-bin transmission-remote
+private-dev
+private-etc alternatives
+private-lib
+private-tmp
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile
index 6154ad15b..691b8959e 100644
--- a/etc/transmission-show.profile
+++ b/etc/transmission-show.profile
@@ -1,4 +1,5 @@
 # Firejail profile for transmission-show
+# Description: CLI utility to show BitTorrent .torrent file metadata
 # This file is overwritten after every install/update
 # Persistent local customizations
 include transmission-show.local
@@ -14,6 +15,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+apparmor
 caps.drop all
 machine-id
 net none
@@ -32,4 +34,9 @@ tracelog
 private-dev
 private-etc alternatives
+private-lib
 private-tmp
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
author	glitsj16 <glitsj16@users.noreply.github.com>	2019-03-05 07:06:21 +0000
committer	GitHub <noreply@github.com>	2019-03-05 07:06:21 +0000
commit	e934c66dba83d30fbfdbe16c8d64406f6c2e6bd3 (patch)
tree	359737ade1acf082e0970b74239faa8689f7654d /etc
parent	direct link for new profile requests (diff)
download	firejail-e934c66dba83d30fbfdbe16c8d64406f6c2e6bd3.tar.gz firejail-e934c66dba83d30fbfdbe16c8d64406f6c2e6bd3.tar.zst firejail-e934c66dba83d30fbfdbe16c8d64406f6c2e6bd3.zip

diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile index 89b9b21dc..65682df52 100644 --- a/etc/transmission-cli.profile +++ b/etc/transmission-cli.profile
@@ -1,5 +1,5 @@
1	# Firejail profile for transmission-cli	1	# Firejail profile for transmission-cli
2	# Description: Lightweight BitTorrent client	2	# Description: Fast, easy and free BitTorrent client (CLI tools and web client)
3	# This file is overwritten after every install/update	3	# This file is overwritten after every install/update
4	quiet	4	quiet
5	# Persistent local customizations	5	# Persistent local customizations
@@ -16,9 +16,11 @@ include disable-interpreters.inc
16	include disable-passwdmgr.inc	16	include disable-passwdmgr.inc
17	include disable-programs.inc	17	include disable-programs.inc
18		18
		19	apparmor
19	caps.drop all	20	caps.drop all
20	machine-id	21	machine-id
21	netfilter	22	netfilter
		23	nodbus
22	nodvd	24	nodvd
23	nonewprivs	25	nonewprivs
24	noroot	26	noroot
@@ -26,14 +28,17 @@ nosound
26	notv	28	notv
27	nou2f	29	nou2f
28	novideo	30	novideo
29	protocol unix,inet,inet6	31	protocol inet,inet6
30	seccomp	32	seccomp
31	shell none	33	shell none
32	tracelog	34	tracelog
33		35
34	# private-bin transmission-cli	36	# private-bin transmission-cli
35	private-dev	37	private-dev
36	private-etc alternatives,ca-certificates,ssl,pki,crypto-policies	38	private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
		39	private-lib
37	private-tmp	40	private-tmp
38		41
39	memory-deny-write-execute	42	memory-deny-write-execute
		43	noexec ${HOME}
		44	noexec /tmp


diff --git a/etc/transmission-create.profile b/etc/transmission-create.profile new file mode 100644 index 000000000..7aea44c3b --- /dev/null +++ b/etc/transmission-create.profile
@@ -0,0 +1,12 @@
		1	# Firejail profile for transmission-create
		2	# Description: CLI utility to create BitTorrent .torrent files
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include transmission-create.local
		6	# Persistent global definitions
		7	# added by included profile
		8	#include globals.local
		9
		10
		11	# Redirect
		12	include transmission-cli.profile


diff --git a/etc/transmission-daemon.profile b/etc/transmission-daemon.profile new file mode 100644 index 000000000..c101e18b5 --- /dev/null +++ b/etc/transmission-daemon.profile
@@ -0,0 +1,45 @@
		1	# Firejail profile for transmission-daemon
		2	# Description: Fast, easy and free BitTorrent client (daemon)
		3	# This file is overwritten after every install/update
		4	quiet
		5	# Persistent local customizations
		6	include transmission-daemon.local
		7	# Persistent global definitions
		8	include globals.local
		9
		10	noblacklist ${HOME}/.cache/transmission
		11	noblacklist ${HOME}/.config/transmission
		12
		13	include disable-common.inc
		14	include disable-devel.inc
		15	include disable-interpreters.inc
		16	include disable-passwdmgr.inc
		17	include disable-programs.inc
		18
		19	apparmor
		20	caps.drop all
		21	machine-id
		22	netfilter
		23	nodbus
		24	nodvd
		25	nogroups
		26	nonewprivs
		27	noroot
		28	nosound
		29	notv
		30	nou2f
		31	novideo
		32	protocol inet,inet6
		33	seccomp
		34	shell none
		35	tracelog
		36
		37	# private-bin transmission-daemon
		38	private-dev
		39	private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
		40	private-lib
		41	private-tmp
		42
		43	memory-deny-write-execute
		44	noexec ${HOME}
		45	noexec /tmp


diff --git a/etc/transmission-edit.profile b/etc/transmission-edit.profile new file mode 100644 index 000000000..5bc81c231 --- /dev/null +++ b/etc/transmission-edit.profile
@@ -0,0 +1,12 @@
		1	# Firejail profile for transmission-edit
		2	# Description: CLI utility to modify BitTorrent .torrent files' announce URLs
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include transmission-edit.local
		6	# Persistent global definitions
		7	# added by included profile
		8	#include globals.local
		9
		10
		11	# Redirect
		12	include transmission-cli.profile


diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index 00de26003..6fd310a73 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile
@@ -1,5 +1,5 @@
1	# Firejail profile for transmission-gtk	1	# Firejail profile for transmission-gtk
2	# Description: Lightweight BitTorrent client	2	# Description: Fast, easy and free BitTorrent client (GTK GUI)
3	# This file is overwritten after every install/update	3	# This file is overwritten after every install/update
4	# Persistent local customizations	4	# Persistent local customizations
5	include transmission-gtk.local	5	include transmission-gtk.local
@@ -47,3 +47,5 @@ private-tmp
47		47
48	# Causes freeze during opening file dialog in Archlinux, see issue #1855	48	# Causes freeze during opening file dialog in Archlinux, see issue #1855
49	# memory-deny-write-execute	49	# memory-deny-write-execute
		50	noexec ${HOME}
		51	noexec /tmp


diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index 96d9b4bb0..f35eb0036 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile
@@ -1,5 +1,5 @@
1	# Firejail profile for transmission-qt	1	# Firejail profile for transmission-qt
2	# Description: Lightweight BitTorrent client	2	# Description: Fast, easy and free BitTorrent client (Qt GUI)
3	# This file is overwritten after every install/update	3	# This file is overwritten after every install/update
4	# Persistent local customizations	4	# Persistent local customizations
5	include transmission-qt.local	5	include transmission-qt.local
@@ -46,3 +46,5 @@ private-dev
46	private-tmp	46	private-tmp
47		47
48	# memory-deny-write-execute - problems on Qt 5.10.0, KDE Frameworks 5.41.0	48	# memory-deny-write-execute - problems on Qt 5.10.0, KDE Frameworks 5.41.0
		49	noexec ${HOME}
		50	noexec /tmp


diff --git a/etc/transmission-remote-cli.profile b/etc/transmission-remote-cli.profile new file mode 100644 index 000000000..a2e950176 --- /dev/null +++ b/etc/transmission-remote-cli.profile
@@ -0,0 +1,28 @@
		1	# Firejail profile for transmission-remote-cli
		2	# Description: A remote control utility for transmission-daemon (CLI)
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include transmission-remote-cli.local
		6	# Persistent global definitions
		7	# added by included profile
		8	#include globals.local
		9
		10	# Allow python (disabled by disable-interpreters.inc)
		11	noblacklist ${PATH}/python2*
		12	noblacklist ${PATH}/python3*
		13	noblacklist /usr/lib/python2*
		14	noblacklist /usr/lib/python3*
		15
		16	mkdir ${HOME}/.cache/transmission
		17	mkdir ${HOME}/.config/transmission
		18	whitelist ${HOME}/.cache/transmission
		19	whitelist ${HOME}/.config/transmission
		20	include whitelist-common.inc
		21	include whitelist-var-common.inc
		22
		23	# private-bin python*
		24	private-etc fonts
		25
		26
		27	# Redirect
		28	include transmission-remote.profile


diff --git a/etc/transmission-remote-gtk.profile b/etc/transmission-remote-gtk.profile new file mode 100644 index 000000000..3ead56008 --- /dev/null +++ b/etc/transmission-remote-gtk.profile
@@ -0,0 +1,21 @@
		1	# Firejail profile for transmission-remote-gtk
		2	# Description: A remote control utility for transmission-daemon (GTK GUI)
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include transmission-remote-gtk.local
		6	# Persistent global definitions
		7	# added by included profile
		8	#include globals.local
		9
		10	mkdir ${HOME}/.cache/transmission
		11	mkdir ${HOME}/.config/transmission
		12	whitelist ${HOME}/.cache/transmission
		13	whitelist ${HOME}/.config/transmission
		14	include whitelist-common.inc
		15	include whitelist-var-common.inc
		16
		17	private-etc fonts
		18
		19
		20	# Redirect
		21	include transmission-remote.profile


diff --git a/etc/transmission-remote.profile b/etc/transmission-remote.profile new file mode 100644 index 000000000..7e6f67317 --- /dev/null +++ b/etc/transmission-remote.profile
@@ -0,0 +1,44 @@
		1	# Firejail profile for transmission-remote
		2	# Description: A remote control utility for transmission-daemon (CLI)
		3	# This file is overwritten after every install/update
		4	quiet
		5	# Persistent local customizations
		6	include transmission-remote.local
		7	# Persistent global definitions
		8	include globals.local
		9
		10	noblacklist ${HOME}/.cache/transmission
		11	noblacklist ${HOME}/.config/transmission
		12
		13	include disable-common.inc
		14	include disable-devel.inc
		15	include disable-interpreters.inc
		16	include disable-passwdmgr.inc
		17	include disable-programs.inc
		18
		19	apparmor
		20	caps.drop all
		21	machine-id
		22	net none
		23	nodbus
		24	nodvd
		25	nonewprivs
		26	noroot
		27	nosound
		28	notv
		29	nou2f
		30	novideo
		31	protocol unix
		32	seccomp
		33	shell none
		34	tracelog
		35
		36	# private-bin transmission-remote
		37	private-dev
		38	private-etc alternatives
		39	private-lib
		40	private-tmp
		41
		42	memory-deny-write-execute
		43	noexec ${HOME}
		44	noexec /tmp


diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile index 6154ad15b..691b8959e 100644 --- a/etc/transmission-show.profile +++ b/etc/transmission-show.profile
@@ -1,4 +1,5 @@
1	# Firejail profile for transmission-show	1	# Firejail profile for transmission-show
		2	# Description: CLI utility to show BitTorrent .torrent file metadata
2	# This file is overwritten after every install/update	3	# This file is overwritten after every install/update
3	# Persistent local customizations	4	# Persistent local customizations
4	include transmission-show.local	5	include transmission-show.local
@@ -14,6 +15,7 @@ include disable-interpreters.inc
14	include disable-passwdmgr.inc	15	include disable-passwdmgr.inc
15	include disable-programs.inc	16	include disable-programs.inc
16		17
		18	apparmor
17	caps.drop all	19	caps.drop all
18	machine-id	20	machine-id
19	net none	21	net none
@@ -32,4 +34,9 @@ tracelog
32		34
33	private-dev	35	private-dev
34	private-etc alternatives	36	private-etc alternatives
		37	private-lib
35	private-tmp	38	private-tmp
		39
		40	memory-deny-write-execute
		41	noexec ${HOME}
		42	noexec /tmp