author | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2020-09-07 07:55:47 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-09-07 07:55:47 +0000 |
commit | 0c73dbc88bc917e50962405d32cb6b3b0da182cd (patch) | |
tree | 1943ee7fba4787639cc9387451951c4631eb72b0 /etc | |
parent | build: remove preproc from gitignore (diff) | |
New disable include: disable-write-mnt.inc (#3622)
* New disable include: disable-write-mnt.inc
It is for profiles of programs that legitimately need access to the mount
points (so we cannot add disable-mnt) but have no edit function (e.g. any kind of viewer).
Added to
- profile.template
- default.profile
- eo-common.profile
* Update default.profile
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/disable-write-mnt.inc | 8 | ||||
-rw-r--r-- | etc/profile-a-l/default.profile | 1 | ||||
-rw-r--r-- | etc/profile-a-l/eo-common.profile | 1 | ||||
-rw-r--r-- | etc/templates/profile.template | 1 |
4 files changed, 11 insertions, 0 deletions
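diff --git a/etc/inc/disable-write-mnt.inc b/etc/inc/disable-write-mnt.inc
new file mode 100644
index 000000000..3990cf760
--- /dev/null
+++ b/etc/inc/disable-write-mnt.inc
@@ -0,0 +1,8 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include disable-write-mnt.local
+
+read-only /mnt
+read-only /media
+read-only /run/mount
+read-only /run/media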
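Review bot: The four `read-only` lines name only the parent directories, while removable media are normally separate filesystems mounted beneath them (for example under /run/media/<user>/<label>). The file does not say whether the restriction reaches those nested mounts, or media plugged in after the sandbox has started. If `read-only` is not applied recursively in the targeted firejail version, a viewer confined with this include could still write to the mounted volume, so this is worth confirming with a quick test and recording in the header. I would also add a purpose comment above the rules, such as `# Read-only access to mount points, for programs that read but never write removable media (use disable-mnt to block access entirely).`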
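diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile
index 74314cf92..7eb7660dd 100644
--- a/etc/profile-a-l/default.profile
+++ b/etc/profile-a-l/default.profile
@@ -14,6 +14,7 @@ include disable-common.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+# include disable-write-mnt.inc
 # include disable-xdg.inc
 
 # include whitelist-common.inc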
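Review bot: The added line in default.profile is commented out, so programs that fall back to the default profile keep write access to /mnt, /media, /run/mount and /run/media. That matches the neighbouring opt-in includes (`# include disable-interpreters.inc`, `# include disable-xdg.inc`), but nothing in the hunk tells a user when enabling it is appropriate. A short comment line above it would help, for instance `# Uncomment if the program only needs to read from mounted media.`; the profile continues outside the hunk, so an existing explanation elsewhere in the file cannot be ruled out.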
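diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile
index 80c704c6b..e8b49a395 100644
--- a/etc/profile-a-l/eo-common.profile
+++ b/etc/profile-a-l/eo-common.profile
@@ -17,6 +17,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-write-mnt.inc
 
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc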
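diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 02d9fa076..d57306aee 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -110,6 +110,7 @@ include globals.local
 #include disable-passwdmgr.inc
 #include disable-programs.inc
 #include disable-shell.inc
+#include disable-write-mnt.inc
 #include disable-xdg.inc
 
 # This section often mirrors noblacklist section above. The idea is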