Merge pull request #1488 from SpotComms/mf

Various changes
author: netblue30 <netblue30@yahoo.com> 2017-08-23 07:44:41 -0400
committer: GitHub <noreply@github.com> 2017-08-23 07:44:41 -0400
commit: 1ebc6a73e1354a34bb580d04cb5d7c8de73bc1ee (patch)
tree: aee88ca3e5d38f7f6ae02a9ebcc34db6dbdf26ba /etc
parent: undo RELNOTES (diff)
parent: Add private-etc to Xonotic (diff)
download: firejail-1ebc6a73e1354a34bb580d04cb5d7c8de73bc1ee.tar.gz
firejail-1ebc6a73e1354a34bb580d04cb5d7c8de73bc1ee.tar.zst
firejail-1ebc6a73e1354a34bb580d04cb5d7c8de73bc1ee.zip
7 files changed, 67 insertions, 5 deletions
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile
index 0b61e7b9f..1b7b2c258 100644
--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -7,6 +7,7 @@ include /etc/firejail/globals.local
 noblacklist /sbin
 noblacklist /usr/sbin
+noblacklist /var/log
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index c220b9c50..294ff6bcb 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -107,15 +107,27 @@ blacklist ${PATH}/zuluCrypt-cli
 blacklist ${PATH}/zuluMount-cli
 # var
+blacklist /var/cache/apt
+blacklist /var/cache/pacman
+blacklist /var/lib/apt
+blacklist /var/lib/clamav
+blacklist /var/lib/dkms
 blacklist /var/lib/mysql/mysql.sock
 blacklist /var/lib/mysqld/mysql.sock
+blacklist /var/lib/pacman
+blacklist /var/lib/systemd
+blacklist /var/lib/upower
+blacklist /var/log
 blacklist /var/mail
+blacklist /var/opt
 blacklist /var/run/acpid.socket
 blacklist /var/run/docker.sock
 blacklist /var/run/minissdpd.sock
 blacklist /var/run/mysql/mysqld.sock
 blacklist /var/run/mysqld/mysqld.sock
 blacklist /var/run/rpcbind.sock
+blacklist /var/run/screens
+blacklist /var/run/systemd
 blacklist /var/spool/anacron
 blacklist /var/spool/cron
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 7b0e6e9eb..d02377036 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -334,6 +334,7 @@ blacklist ${HOME}/.multimc5
 blacklist ${HOME}/.mutt
 blacklist ${HOME}/.mutt/muttrc
 blacklist ${HOME}/.muttrc
+blacklist ${HOME}/.neverball
 blacklist ${HOME}/.nv
 blacklist ${HOME}/.nylas-mail
 blacklist ${HOME}/.openinvaders
diff --git a/etc/neverball.profile b/etc/neverball.profile
new file mode 100644
index 000000000..6a9a3a577
--- /dev/null
+++ b/etc/neverball.profile
@@ -0,0 +1,37 @@
+# Firejail profile for neverball
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/neverball.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.neverball
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+mkdir ${HOME}/.neverball
+whitelist ${HOME}/.neverball
+include /etc/firejail/whitelist-common.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,netlink
+seccomp
+shell none
+disable-mnt
+private-bin neverball
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/server.profile b/etc/server.profile
index 04ef555de..edd4666e1 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -13,6 +13,8 @@ blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
+# noblacklist /var/log
+# noblacklist /var/opt
 include /etc/firejail/disable-common.inc
 # include /etc/firejail/disable-devel.inc
diff --git a/etc/steam.profile b/etc/steam.profile
index 96899038a..227162e1f 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -5,12 +5,17 @@ include /etc/firejail/steam.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-noblacklist ${HOME}/.Steam
-noblacklist ${HOME}/.Steampath
-noblacklist ${HOME}/.Steampid
 noblacklist ${HOME}/.java
+noblacklist ${HOME}/.killingfloor
+noblacklist ${HOME}/.local/share/3909/PapersPlease
+noblacklist ${HOME}/.local/share/aspyr-media
+noblacklist ${HOME}/.local/share/cdprojektred
+noblacklist ${HOME}/.local/share/feral-interactive
 noblacklist ${HOME}/.local/share/Steam
-noblacklist ${HOME}/.local/share/steam
+noblacklist ${HOME}/.local/share/SuperHexagon
+noblacklist ${HOME}/.local/share/Terraria
+noblacklist ${HOME}/.local/share/vpltd
+noblacklist ${HOME}/.local/share/vulkan
 noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.steampath
 noblacklist ${HOME}/.steampid
@@ -29,12 +34,15 @@ nogroups
 nonewprivs
 noroot
 notv
-# novideo
+# novideo should be commented for VR
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
 # tracelog disabled as it breaks integrated browser
 # tracelog
+# private-dev should be commented for controllers
 private-dev
+private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl
 private-tmp
diff --git a/etc/xonotic.profile b/etc/xonotic.profile
index c7db00daf..fefeac76b 100644
--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -31,6 +31,7 @@ shell none
 disable-mnt
 private-bin xonotic-sdl,xonotic-glx,blind-id
 private-dev
+private-etc asound.conf,ca-certificates,drirc,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,pulse,resolv.conf,ssl
 private-tmp
 noexec ${HOME}
author	netblue30 <netblue30@yahoo.com>	2017-08-23 07:44:41 -0400
committer	GitHub <noreply@github.com>	2017-08-23 07:44:41 -0400
commit	1ebc6a73e1354a34bb580d04cb5d7c8de73bc1ee (patch)
tree	aee88ca3e5d38f7f6ae02a9ebcc34db6dbdf26ba /etc
parent	undo RELNOTES (diff)
parent	Add private-etc to Xonotic (diff)
download	firejail-1ebc6a73e1354a34bb580d04cb5d7c8de73bc1ee.tar.gz firejail-1ebc6a73e1354a34bb580d04cb5d7c8de73bc1ee.tar.zst firejail-1ebc6a73e1354a34bb580d04cb5d7c8de73bc1ee.zip

diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile index 0b61e7b9f..1b7b2c258 100644 --- a/etc/bitlbee.profile +++ b/etc/bitlbee.profile
@@ -7,6 +7,7 @@ include /etc/firejail/globals.local
7		7
8	noblacklist /sbin	8	noblacklist /sbin
9	noblacklist /usr/sbin	9	noblacklist /usr/sbin
		10	noblacklist /var/log
10		11
11	include /etc/firejail/disable-common.inc	12	include /etc/firejail/disable-common.inc
12	include /etc/firejail/disable-devel.inc	13	include /etc/firejail/disable-devel.inc


diff --git a/etc/disable-common.inc b/etc/disable-common.inc index c220b9c50..294ff6bcb 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc
@@ -107,15 +107,27 @@ blacklist ${PATH}/zuluCrypt-cli
107	blacklist ${PATH}/zuluMount-cli	107	blacklist ${PATH}/zuluMount-cli
108		108
109	# var	109	# var
		110	blacklist /var/cache/apt
		111	blacklist /var/cache/pacman
		112	blacklist /var/lib/apt
		113	blacklist /var/lib/clamav
		114	blacklist /var/lib/dkms
110	blacklist /var/lib/mysql/mysql.sock	115	blacklist /var/lib/mysql/mysql.sock
111	blacklist /var/lib/mysqld/mysql.sock	116	blacklist /var/lib/mysqld/mysql.sock
		117	blacklist /var/lib/pacman
		118	blacklist /var/lib/systemd
		119	blacklist /var/lib/upower
		120	blacklist /var/log
112	blacklist /var/mail	121	blacklist /var/mail
		122	blacklist /var/opt
113	blacklist /var/run/acpid.socket	123	blacklist /var/run/acpid.socket
114	blacklist /var/run/docker.sock	124	blacklist /var/run/docker.sock
115	blacklist /var/run/minissdpd.sock	125	blacklist /var/run/minissdpd.sock
116	blacklist /var/run/mysql/mysqld.sock	126	blacklist /var/run/mysql/mysqld.sock
117	blacklist /var/run/mysqld/mysqld.sock	127	blacklist /var/run/mysqld/mysqld.sock
118	blacklist /var/run/rpcbind.sock	128	blacklist /var/run/rpcbind.sock
		129	blacklist /var/run/screens
		130	blacklist /var/run/systemd
119	blacklist /var/spool/anacron	131	blacklist /var/spool/anacron
120	blacklist /var/spool/cron	132	blacklist /var/spool/cron
121		133


diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 7b0e6e9eb..d02377036 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc
@@ -334,6 +334,7 @@ blacklist ${HOME}/.multimc5
334	blacklist ${HOME}/.mutt	334	blacklist ${HOME}/.mutt
335	blacklist ${HOME}/.mutt/muttrc	335	blacklist ${HOME}/.mutt/muttrc
336	blacklist ${HOME}/.muttrc	336	blacklist ${HOME}/.muttrc
		337	blacklist ${HOME}/.neverball
337	blacklist ${HOME}/.nv	338	blacklist ${HOME}/.nv
338	blacklist ${HOME}/.nylas-mail	339	blacklist ${HOME}/.nylas-mail
339	blacklist ${HOME}/.openinvaders	340	blacklist ${HOME}/.openinvaders


diff --git a/etc/neverball.profile b/etc/neverball.profile new file mode 100644 index 000000000..6a9a3a577 --- /dev/null +++ b/etc/neverball.profile
@@ -0,0 +1,37 @@
		1	# Firejail profile for neverball
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include /etc/firejail/neverball.local
		5	# Persistent global definitions
		6	include /etc/firejail/globals.local
		7
		8	noblacklist ${HOME}/.neverball
		9
		10	include /etc/firejail/disable-common.inc
		11	include /etc/firejail/disable-devel.inc
		12	include /etc/firejail/disable-passwdmgr.inc
		13	include /etc/firejail/disable-programs.inc
		14
		15	mkdir ${HOME}/.neverball
		16	whitelist ${HOME}/.neverball
		17	include /etc/firejail/whitelist-common.inc
		18
		19	caps.drop all
		20	netfilter
		21	nodvd
		22	nogroups
		23	nonewprivs
		24	noroot
		25	notv
		26	novideo
		27	protocol unix,netlink
		28	seccomp
		29	shell none
		30
		31	disable-mnt
		32	private-bin neverball
		33	private-dev
		34	private-tmp
		35
		36	noexec ${HOME}
		37	noexec /tmp


diff --git a/etc/server.profile b/etc/server.profile index 04ef555de..edd4666e1 100644 --- a/etc/server.profile +++ b/etc/server.profile
@@ -13,6 +13,8 @@ blacklist /tmp/.X11-unix
13		13
14	noblacklist /sbin	14	noblacklist /sbin
15	noblacklist /usr/sbin	15	noblacklist /usr/sbin
		16	# noblacklist /var/log
		17	# noblacklist /var/opt
16		18
17	include /etc/firejail/disable-common.inc	19	include /etc/firejail/disable-common.inc
18	# include /etc/firejail/disable-devel.inc	20	# include /etc/firejail/disable-devel.inc


diff --git a/etc/steam.profile b/etc/steam.profile index 96899038a..227162e1f 100644 --- a/etc/steam.profile +++ b/etc/steam.profile
@@ -5,12 +5,17 @@ include /etc/firejail/steam.local
5	# Persistent global definitions	5	# Persistent global definitions
6	include /etc/firejail/globals.local	6	include /etc/firejail/globals.local
7		7
8	noblacklist ${HOME}/.Steam
9	noblacklist ${HOME}/.Steampath
10	noblacklist ${HOME}/.Steampid
11	noblacklist ${HOME}/.java	8	noblacklist ${HOME}/.java
		9	noblacklist ${HOME}/.killingfloor
		10	noblacklist ${HOME}/.local/share/3909/PapersPlease
		11	noblacklist ${HOME}/.local/share/aspyr-media
		12	noblacklist ${HOME}/.local/share/cdprojektred
		13	noblacklist ${HOME}/.local/share/feral-interactive
12	noblacklist ${HOME}/.local/share/Steam	14	noblacklist ${HOME}/.local/share/Steam
13	noblacklist ${HOME}/.local/share/steam	15	noblacklist ${HOME}/.local/share/SuperHexagon
		16	noblacklist ${HOME}/.local/share/Terraria
		17	noblacklist ${HOME}/.local/share/vpltd
		18	noblacklist ${HOME}/.local/share/vulkan
14	noblacklist ${HOME}/.steam	19	noblacklist ${HOME}/.steam
15	noblacklist ${HOME}/.steampath	20	noblacklist ${HOME}/.steampath
16	noblacklist ${HOME}/.steampid	21	noblacklist ${HOME}/.steampid
@@ -29,12 +34,15 @@ nogroups
29	nonewprivs	34	nonewprivs
30	noroot	35	noroot
31	notv	36	notv
32	# novideo	37	# novideo should be commented for VR
		38	novideo
33	protocol unix,inet,inet6,netlink	39	protocol unix,inet,inet6,netlink
34	seccomp	40	seccomp
35	shell none	41	shell none
36	# tracelog disabled as it breaks integrated browser	42	# tracelog disabled as it breaks integrated browser
37	# tracelog	43	# tracelog
38		44
		45	# private-dev should be commented for controllers
39	private-dev	46	private-dev
		47	private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl
40	private-tmp	48	private-tmp


diff --git a/etc/xonotic.profile b/etc/xonotic.profile index c7db00daf..fefeac76b 100644 --- a/etc/xonotic.profile +++ b/etc/xonotic.profile
@@ -31,6 +31,7 @@ shell none
31	disable-mnt	31	disable-mnt
32	private-bin xonotic-sdl,xonotic-glx,blind-id	32	private-bin xonotic-sdl,xonotic-glx,blind-id
33	private-dev	33	private-dev
		34	private-etc asound.conf,ca-certificates,drirc,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,pulse,resolv.conf,ssl
34	private-tmp	35	private-tmp
35		36
36	noexec ${HOME}	37	noexec ${HOME}