author | Fred Barclay <Fred-Barclay@users.noreply.github.com> | 2021-07-28 14:12:48 -0500 |
committer | Fred Barclay <Fred-Barclay@users.noreply.github.com> | 2021-07-28 14:12:48 -0500 |
commit | 060e34d233d7f0fe0e91e80b753f6b7658e21373 (patch) | |
tree | ed7e524cabe4c382335d78fae13b97276f0e70b5 /etc | |
parent | Revert allow/deny additional files (diff) | |
parent | Merge pull request #4420 from glitsj16/dci (diff) | |
Merge branch 'master' of https://github.com/netblue30/firejail
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/disable-common.inc | 100 | ||||
-rw-r--r-- | etc/inc/disable-programs.inc | 1 | ||||
-rw-r--r-- | etc/profile-a-l/firefox.profile | 2 |
3 files changed, 54 insertions, 49 deletions
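diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 6df0c4990..05349d52d 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -159,23 +159,23 @@ blacklist ${RUNUSER}/gsconnect
 # systemd
 blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd
-blacklist /var/lib/systemd
+blacklist ${PATH}/systemctl
 blacklist ${PATH}/systemd-run
 blacklist ${RUNUSER}/systemd
-blacklist ${PATH}/systemctl
-blacklist /etc/systemd/system
 blacklist /etc/systemd/network
+blacklist /etc/systemd/system
+blacklist /var/lib/systemd
 # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
 #blacklist /var/run/systemd
 
 # openrc
-blacklist /etc/runlevels/
-blacklist /etc/init.d/
+blacklist /etc/init.d
 blacklist /etc/rc.conf
+blacklist /etc/runlevels
 
 # VirtualBox
-blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/.config/VirtualBox
+blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/VirtualBox VMs
 
 # GNOME Boxes
@@ -245,32 +245,34 @@ blacklist /var/spool/cron
 blacklist /var/spool/mail
 
 # etc
+blacklist /etc/adduser.conf
 blacklist /etc/anacrontab
+blacklist /etc/apparmor*
 blacklist /etc/cron*
+blacklist /etc/default
+blacklist /etc/dkms
+blacklist /etc/grub*
+blacklist /etc/kernel*
+blacklist /etc/logrotate*
+blacklist /etc/modules*
 blacklist /etc/profile.d
 blacklist /etc/rc.local
 # rc1.d, rc2.d, ...
 blacklist /etc/rc?.d
-blacklist /etc/kernel*
-blacklist /etc/grub*
-blacklist /etc/dkms
-blacklist /etc/apparmor*
-blacklist /etc/selinux
-blacklist /etc/modules*
-blacklist /etc/logrotate*
-blacklist /etc/adduser.conf
+blacklist /etc/sysconfig
 
 # hide config for various intrusion detection systems
-blacklist /etc/rkhunter.conf
-blacklist /var/lib/rkhunter
-blacklist /etc/chkrootkit.conf
-blacklist /etc/lynis
 blacklist /etc/aide
+blacklist /etc/aide.conf
+blacklist /etc/chkrootkit.conf
+blacklist /etc/fail2ban.conf
 blacklist /etc/logcheck
-blacklist /etc/tripwire
+blacklist /etc/lynis
+blacklist /etc/rkhunter.*
 blacklist /etc/snort
-blacklist /etc/fail2ban.conf
 blacklist /etc/suricata
+blacklist /etc/tripwire
+blacklist /var/lib/rkhunter
 
 # Startup files
 read-only ${HOME}/.antigen
@@ -350,15 +352,15 @@ read-only ${HOME}/_vimrc
 read-only ${HOME}/dotfiles
 
 # Make directories commonly found in $PATH read-only
+read-only ${HOME}/.bin
+read-only ${HOME}/.cargo/bin
 read-only ${HOME}/.gem
+read-only ${HOME}/.local/bin
 read-only ${HOME}/.luarocks
 read-only ${HOME}/.npm-packages
 read-only ${HOME}/.nvm
-read-only ${HOME}/bin
-read-only ${HOME}/.bin
-read-only ${HOME}/.local/bin
-read-only ${HOME}/.cargo/bin
 read-only ${HOME}/.rustup
+read-only ${HOME}/bin
 
 # Write-protection for desktop entries
 read-only ${HOME}/.config/menus
@@ -377,6 +379,22 @@ read-only ${HOME}/.local/share/thumbnailers
 blacklist /tmp/ssh-*
 
 # top secret
+blacklist /.fscrypt
+blacklist /etc/davfs2/secrets
+blacklist /etc/group+
+blacklist /etc/group-
+blacklist /etc/gshadow
+blacklist /etc/gshadow+
+blacklist /etc/gshadow-
+blacklist /etc/passwd+
+blacklist /etc/passwd-
+blacklist /etc/shadow
+blacklist /etc/shadow+
+blacklist /etc/shadow-
+blacklist /etc/ssh
+blacklist /etc/ssh/*
+blacklist /home/.ecryptfs
+blacklist /home/.fscrypt
 blacklist ${HOME}/*.kdb
 blacklist ${HOME}/*.kdbx
 blacklist ${HOME}/*.key
@@ -385,6 +403,7 @@ blacklist ${HOME}/.caff
 blacklist ${HOME}/.cargo/credentials
 blacklist ${HOME}/.cargo/credentials.toml
 blacklist ${HOME}/.cert
+blacklist ${HOME}/.config/hub
 blacklist ${HOME}/.config/keybase
 blacklist ${HOME}/.davfs2/secrets
 blacklist ${HOME}/.ecryptfs
@@ -394,11 +413,11 @@ blacklist ${HOME}/.git-credential-cache
 blacklist ${HOME}/.git-credentials
 blacklist ${HOME}/.gnome2/keyrings
 blacklist ${HOME}/.gnupg
-blacklist ${HOME}/.config/hub
 blacklist ${HOME}/.kde/share/apps/kwallet
 blacklist ${HOME}/.kde4/share/apps/kwallet
 blacklist ${HOME}/.local/share/keyrings
 blacklist ${HOME}/.local/share/kwalletd
+blacklist ${HOME}/.local/share/pki
 blacklist ${HOME}/.local/share/plasma-vault
 blacklist ${HOME}/.msmtprc
 blacklist ${HOME}/.mutt
@@ -406,26 +425,9 @@ blacklist ${HOME}/.muttrc
 blacklist ${HOME}/.netrc
 blacklist ${HOME}/.nyx
 blacklist ${HOME}/.pki
-blacklist ${HOME}/.local/share/pki
 blacklist ${HOME}/.smbcredentials
 blacklist ${HOME}/.ssh
 blacklist ${HOME}/.vaults
-blacklist /.fscrypt
-blacklist /etc/davfs2/secrets
-blacklist /etc/group+
-blacklist /etc/group-
-blacklist /etc/gshadow
-blacklist /etc/gshadow+
-blacklist /etc/gshadow-
-blacklist /etc/passwd+
-blacklist /etc/passwd-
-blacklist /etc/shadow
-blacklist /etc/shadow+
-blacklist /etc/shadow-
-blacklist /etc/ssh
-blacklist /etc/ssh/*
-blacklist /home/.ecryptfs
-blacklist /home/.fscrypt
 blacklist /var/backup
 
 # cloud provider configuration
@@ -488,10 +490,12 @@ blacklist /tmp/.lxterminal-socket*
 blacklist /tmp/tmux-*
 
 # disable terminals running as server resulting in sandbox escape
-blacklist ${PATH}/lxterminal
 blacklist ${PATH}/gnome-terminal
 blacklist ${PATH}/gnome-terminal.wrapper
+# blacklist ${PATH}/konsole
+# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
 blacklist ${PATH}/lilyterm
+blacklist ${PATH}/lxterminal
 blacklist ${PATH}/mate-terminal
 blacklist ${PATH}/mate-terminal.wrapper
 blacklist ${PATH}/pantheon-terminal
@@ -503,8 +507,6 @@ blacklist ${PATH}/urxvtc
 blacklist ${PATH}/urxvtcd
 blacklist ${PATH}/xfce4-terminal
 blacklist ${PATH}/xfce4-terminal.wrapper
-# blacklist ${PATH}/konsole
-# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
 
 # kernel files
 blacklist /initrd*
@@ -520,17 +522,17 @@ noblacklist ${HOME}/.local/share/flatpak/exports
 read-only ${HOME}/.local/share/flatpak/exports
 blacklist ${HOME}/.local/share/flatpak/*
 blacklist ${HOME}/.var
-blacklist ${RUNUSER}/app
-blacklist ${RUNUSER}/doc
+# most of the time bwrap is SUID binary
+blacklist ${PATH}/bwrap
 blacklist ${RUNUSER}/.dbus-proxy
 blacklist ${RUNUSER}/.flatpak
 blacklist ${RUNUSER}/.flatpak-cache
 blacklist ${RUNUSER}/.flatpak-helper
+blacklist ${RUNUSER}/app
+blacklist ${RUNUSER}/doc
 blacklist /usr/share/flatpak
 noblacklist /var/lib/flatpak/exports
 blacklist /var/lib/flatpak/*
-# most of the time bwrap is SUID binary
-blacklist ${PATH}/bwrap
 
 # snap
 blacklist ${RUNUSER}/snapd-session-agent.socket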
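Review bot: `blacklist /etc/selinux` is dropped in the `# etc` hunk (old line 258) and is not re-added anywhere on the new side of this diff, while every other entry of that block is re-added in sorted order; unless it was relocated in a hunk outside this page, the merge silently stops hiding SELinux policy configuration from sandboxed programs. I would restore it as `blacklist /etc/selinux` between `blacklist /etc/rc?.d` and `blacklist /etc/sysconfig`. The newly introduced `blacklist /etc/default` and `blacklist /etc/sysconfig` entries are not mentioned in the commit message; a one-line changelog note would help, since several programs read distribution defaults from those directories and profile authors may need a `noblacklist`.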
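diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 44983dd14..7da2f276c 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -1103,4 +1103,5 @@ blacklist ${HOME}/.cache/yandex-browser
 blacklist ${HOME}/.cache/yandex-browser-beta
 blacklist ${HOME}/.cache/youtube-dl
 blacklist ${HOME}/.cache/youtube-viewer
+blacklist ${RUNUSER}/*firefox*
 blacklist ${HOME}/.cache/zim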
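Review bot: `blacklist ${RUNUSER}/*firefox*` is inserted between the `${HOME}/.cache/youtube-viewer` and `${HOME}/.cache/zim` entries, which breaks the file's grouping by path prefix; the other `${RUNUSER}` entries, if the file has a group for them (only its tail is visible here), would be the natural home. Since this line is the counterpart of the `noblacklist`/`whitelist` lines added to firefox.profile in the same merge, a comment such as `# firefox runtime-dir entries, re-enabled in firefox.profile` above it would tie the two together for the next profile author.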
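diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 3ad67734d..ff2a499dc 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -16,6 +16,7 @@ include globals.local
 
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
+noblacklist ${RUNUSER}/*firefox*
 
 blacklist /usr/libexec
 
@@ -35,6 +36,7 @@ whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini
 whitelist /usr/share/gtk-doc/html
 whitelist /usr/share/mozilla
 whitelist /usr/share/webext
+whitelist ${RUNUSER}/*firefox*
 include whitelist-usr-share-common.inc
 
 # firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin.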
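Review bot: `whitelist ${RUNUSER}/*firefox*` in the second hunk is placed among the `/usr/share` whitelists directly above `include whitelist-usr-share-common.inc`, so it reads as part of that group; moving it after the include, or next to other `${RUNUSER}` handling in the profile if there is any, would keep the `/usr/share` block self-contained. If whitelist globs are expanded when the sandbox is set up (as I believe they are), this pattern only covers entries that already exist at launch, so an entry firefox creates under `${RUNUSER}` after startup would not be exposed by it; a short comment stating which runtime-dir entry this is meant to match would let a reader check that assumption without digging through the merge.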