Merge pull request #1 from netblue30/master

merge upstream
author: SYN-cook <vinumconsult@posteo.de> 2016-12-27 20:33:14 +0100
committer: GitHub <noreply@github.com> 2016-12-27 20:33:14 +0100
commit: 702e15dfcb0f1028c25933328a376cbfab98b0ac (patch)
tree: 16109908b0fc81b0465c3c6ac13769c7b7e0ed59 /etc
parent: don't whitelist keepassx in browser profiles (diff)
parent: fixes (diff)
download: firejail-702e15dfcb0f1028c25933328a376cbfab98b0ac.tar.gz
firejail-702e15dfcb0f1028c25933328a376cbfab98b0ac.tar.zst
firejail-702e15dfcb0f1028c25933328a376cbfab98b0ac.zip
22 files changed, 63 insertions, 4 deletions
diff --git a/etc/7z.profile b/etc/7z.profile
index 0cb72ff8d..319126540 100644
--- a/etc/7z.profile
+++ b/etc/7z.profile
@@ -1,9 +1,14 @@
 # 7zip crompression tool profile
 quiet
 ignore noroot
 include /etc/firejail/default.profile
+blacklist /tmp/.X11-unix
 tracelog
 net none
 shell none
 private-dev
 nosound
+no3d
diff --git a/etc/atool.profile b/etc/atool.profile
index 3fbfb9fc7..578a88fc7 100644
--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -13,9 +13,12 @@ protocol unix
 seccomp
 netfilter
 net none
+no3d
 shell none
 tracelog
+blacklist /tmp/.X11-unix
 # private-bin atool
 private-tmp
 private-dev
diff --git a/etc/cpio.profile b/etc/cpio.profile
index 519bd244c..cf89acdac 100644
--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -16,6 +16,7 @@ shell none
 tracelog
 net none
 nosound
+no3d
+blacklist /tmp/.X11-unix
diff --git a/etc/elinks.profile b/etc/elinks.profile
index df817ea56..ade15f203 100644
--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@@ -11,12 +11,15 @@ nogroups
 nonewprivs
 noroot
 nosound
+no3d
 protocol unix,inet,inet6
 seccomp
 netfilter
 shell none
 tracelog
+blacklist /tmp/.X11-unix
 # private-bin elinks
 private-tmp
 private-dev
diff --git a/etc/exiftool.profile b/etc/exiftool.profile
index 384695473..1cae8c093 100644
--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -17,9 +17,12 @@ protocol unix
 seccomp
 netfilter
 net none
+no3d
 shell none
 tracelog
+blacklist /tmp/.X11-unix
 # private-bin exiftool,perl
 private-tmp
 private-dev
diff --git a/etc/git.profile b/etc/git.profile
index d60e58c03..80e534e20 100644
--- a/etc/git.profile
+++ b/etc/git.profile
@@ -12,15 +12,17 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
 nogroups
 nonewprivs
 noroot
 nosound
+no3d
 protocol unix,inet,inet6
 seccomp
 shell none
+blacklist /tmp/.X11-unix
 private-dev
diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile
index 1b0fc9807..488c7e0b8 100644
--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -12,6 +12,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
-private-bin gnome-mplayer
+private-bin gnome-mplayer,mplayer
 private-dev
 private-tmp
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile
index b0ebdf43c..59c7383d7 100644
--- a/etc/gpg-agent.profile
+++ b/etc/gpg-agent.profile
@@ -14,9 +14,12 @@ nosound
 protocol unix
 seccomp
 netfilter
+no3d
 shell none
 tracelog
+blacklist /tmp/.X11-unix
 # private-bin gpg-agent,gpg
 private-tmp
 private-dev
diff --git a/etc/gpg.profile b/etc/gpg.profile
index 31372eb90..d711c6f3e 100644
--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -15,9 +15,12 @@ protocol unix
 seccomp
 netfilter
 net none
+no3d
 shell none
 tracelog
+blacklist /tmp/.X11-unix
 # private-bin gpg,gpg-agent
 private-tmp
 private-dev
diff --git a/etc/highlight.profile b/etc/highlight.profile
index f95f3924a..4bab18349 100644
--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@@ -13,10 +13,14 @@ protocol unix
 seccomp
 netfilter
 net none
+no3d
 shell none
 tracelog
+blacklist /tmp/.X11-unix
 private-bin highlight
+# private-etc none
 private-tmp
 private-dev
diff --git a/etc/less.profile b/etc/less.profile
index 08758aead..c01dfc466 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -5,7 +5,10 @@ include /etc/firejail/default.profile
 net none
 nosound
+no3d
 shell none
 tracelog
+blacklist /tmp/.X11-unix
 private-dev
diff --git a/etc/lynx.profile b/etc/lynx.profile
index 6e150f62e..3e8d72103 100644
--- a/etc/lynx.profile
+++ b/etc/lynx.profile
@@ -9,12 +9,15 @@ nogroups
 nonewprivs
 noroot
 nosound
+no3d
 protocol unix,inet,inet6
 seccomp
 netfilter
 shell none
 tracelog
+blacklist /tmp/.X11-unix
 # private-bin lynx
 private-tmp
 private-dev
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile
index c07a9a9e8..65d12c49e 100644
--- a/etc/mediainfo.profile
+++ b/etc/mediainfo.profile
@@ -9,6 +9,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+no3d
 protocol unix
 seccomp
 netfilter
@@ -16,6 +17,8 @@ net none
 shell none
 tracelog
+blacklist /tmp/.X11-unix
 private-bin mediainfo
 private-tmp
 private-dev
diff --git a/etc/mutt.profile b/etc/mutt.profile
index 2718421c5..5a714de4a 100644
--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -33,8 +33,11 @@ nogroups
 nonewprivs
 noroot
 nosound
+no3d
 protocol unix,inet,inet6
 seccomp
 shell none
+blacklist /tmp/.X11-unix
 private-dev
diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile
index 329275022..c4e28f70e 100644
--- a/etc/odt2txt.profile
+++ b/etc/odt2txt.profile
@@ -13,9 +13,12 @@ protocol unix
 seccomp
 netfilter
 net none
+no3d
 shell none
 tracelog
+blacklist /tmp/.X11-unix
 private-bin odt2txt
 private-tmp
 private-dev
diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile
index 632c9d15e..fe9e9e3cd 100644
--- a/etc/pdftotext.profile
+++ b/etc/pdftotext.profile
@@ -13,9 +13,12 @@ protocol unix
 seccomp
 netfilter
 net none
+no3d
 shell none
 tracelog
+blacklist /tmp/.X11-unix
 private-bin pdftotext
 private-tmp
 private-dev
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile
index 548ede37d..bea3a6061 100644
--- a/etc/ssh-agent.profile
+++ b/etc/ssh-agent.profile
@@ -12,5 +12,8 @@ caps.drop all
 netfilter
 nonewprivs
 noroot
+no3d
 protocol unix,inet,inet6
 seccomp
+blacklist /tmp/.X11-unix
diff --git a/etc/strings.profile b/etc/strings.profile
index 2b7724b11..2bbab1366 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -7,5 +7,6 @@ net none
 nosound
 shell none
 tracelog
 private-dev
+no3d
+blacklist /tmp/.X11-unix
diff --git a/etc/tracker.profile b/etc/tracker.profile
index 217631216..7f4f371eb 100644
--- a/etc/tracker.profile
+++ b/etc/tracker.profile
@@ -12,12 +12,15 @@ nogroups
 nonewprivs
 noroot
 nosound
+no3d
 protocol unix
 seccomp
 netfilter
 shell none
 tracelog
+blacklist /tmp/.X11-unix
 # private-bin tracker
 # private-tmp
 # private-dev
diff --git a/etc/w3m.profile b/etc/w3m.profile
index d765217cf..7ee91bb70 100644
--- a/etc/w3m.profile
+++ b/etc/w3m.profile
@@ -11,12 +11,15 @@ nogroups
 nonewprivs
 noroot
 nosound
+no3d
 protocol unix,inet,inet6
 seccomp
 netfilter
 shell none
 tracelog
+blacklist /tmp/.X11-unix
 # private-bin w3m
 private-tmp
 private-dev
diff --git a/etc/wget.profile b/etc/wget.profile
index d9bca2acc..ff4b92bae 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -10,10 +10,12 @@ nonewprivs
 noroot
 nogroups
 nosound
+no3d
 protocol unix,inet,inet6
 seccomp
 shell none
+blacklist /tmp/.X11-unix
 # private-bin wget
 # private-etc resolv.conf
diff --git a/etc/xpra.profile b/etc/xpra.profile
index 8584e4e5b..32be90b19 100644
--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -14,6 +14,8 @@ shell none
 seccomp
 protocol unix,inet,inet6
+# blacklist /tmp/.X11-unix
 # private-bin 
 private-dev
 private-tmp
author	SYN-cook <vinumconsult@posteo.de>	2016-12-27 20:33:14 +0100
committer	GitHub <noreply@github.com>	2016-12-27 20:33:14 +0100
commit	702e15dfcb0f1028c25933328a376cbfab98b0ac (patch)
tree	16109908b0fc81b0465c3c6ac13769c7b7e0ed59 /etc
parent	don't whitelist keepassx in browser profiles (diff)
parent	fixes (diff)
download	firejail-702e15dfcb0f1028c25933328a376cbfab98b0ac.tar.gz firejail-702e15dfcb0f1028c25933328a376cbfab98b0ac.tar.zst firejail-702e15dfcb0f1028c25933328a376cbfab98b0ac.zip

diff --git a/etc/7z.profile b/etc/7z.profile index 0cb72ff8d..319126540 100644 --- a/etc/7z.profile +++ b/etc/7z.profile
@@ -1,9 +1,14 @@
1	# 7zip crompression tool profile	1	# 7zip crompression tool profile
2	quiet	2	quiet
3	ignore noroot	3	ignore noroot
		4
4	include /etc/firejail/default.profile	5	include /etc/firejail/default.profile
		6
		7	blacklist /tmp/.X11-unix
		8
5	tracelog	9	tracelog
6	net none	10	net none
7	shell none	11	shell none
8	private-dev	12	private-dev
9	nosound	13	nosound
		14	no3d


diff --git a/etc/atool.profile b/etc/atool.profile index 3fbfb9fc7..578a88fc7 100644 --- a/etc/atool.profile +++ b/etc/atool.profile
@@ -13,9 +13,12 @@ protocol unix
13	seccomp	13	seccomp
14	netfilter	14	netfilter
15	net none	15	net none
		16	no3d
16	shell none	17	shell none
17	tracelog	18	tracelog
18		19
		20	blacklist /tmp/.X11-unix
		21
19	# private-bin atool	22	# private-bin atool
20	private-tmp	23	private-tmp
21	private-dev	24	private-dev


diff --git a/etc/cpio.profile b/etc/cpio.profile index 519bd244c..cf89acdac 100644 --- a/etc/cpio.profile +++ b/etc/cpio.profile
@@ -16,6 +16,7 @@ shell none
16	tracelog	16	tracelog
17	net none	17	net none
18	nosound	18	nosound
		19	no3d
19		20
20		21	blacklist /tmp/.X11-unix
21		22


diff --git a/etc/elinks.profile b/etc/elinks.profile index df817ea56..ade15f203 100644 --- a/etc/elinks.profile +++ b/etc/elinks.profile
@@ -11,12 +11,15 @@ nogroups
11	nonewprivs	11	nonewprivs
12	noroot	12	noroot
13	nosound	13	nosound
		14	no3d
14	protocol unix,inet,inet6	15	protocol unix,inet,inet6
15	seccomp	16	seccomp
16	netfilter	17	netfilter
17	shell none	18	shell none
18	tracelog	19	tracelog
19		20
		21	blacklist /tmp/.X11-unix
		22
20	# private-bin elinks	23	# private-bin elinks
21	private-tmp	24	private-tmp
22	private-dev	25	private-dev


diff --git a/etc/exiftool.profile b/etc/exiftool.profile index 384695473..1cae8c093 100644 --- a/etc/exiftool.profile +++ b/etc/exiftool.profile
@@ -17,9 +17,12 @@ protocol unix
17	seccomp	17	seccomp
18	netfilter	18	netfilter
19	net none	19	net none
		20	no3d
20	shell none	21	shell none
21	tracelog	22	tracelog
22		23
		24	blacklist /tmp/.X11-unix
		25
23	# private-bin exiftool,perl	26	# private-bin exiftool,perl
24	private-tmp	27	private-tmp
25	private-dev	28	private-dev


diff --git a/etc/git.profile b/etc/git.profile index d60e58c03..80e534e20 100644 --- a/etc/git.profile +++ b/etc/git.profile
@@ -12,15 +12,17 @@ include /etc/firejail/disable-common.inc
12	include /etc/firejail/disable-programs.inc	12	include /etc/firejail/disable-programs.inc
13	include /etc/firejail/disable-passwdmgr.inc	13	include /etc/firejail/disable-passwdmgr.inc
14		14
15
16	caps.drop all	15	caps.drop all
17	netfilter	16	netfilter
18	nogroups	17	nogroups
19	nonewprivs	18	nonewprivs
20	noroot	19	noroot
21	nosound	20	nosound
		21	no3d
22	protocol unix,inet,inet6	22	protocol unix,inet,inet6
23	seccomp	23	seccomp
24	shell none	24	shell none
25		25
		26	blacklist /tmp/.X11-unix
		27
26	private-dev	28	private-dev


diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile index 1b0fc9807..488c7e0b8 100644 --- a/etc/gnome-mplayer.profile +++ b/etc/gnome-mplayer.profile
@@ -12,6 +12,6 @@ protocol unix,inet,inet6
12	seccomp	12	seccomp
13	shell none	13	shell none
14		14
15	private-bin gnome-mplayer	15	private-bin gnome-mplayer,mplayer
16	private-dev	16	private-dev
17	private-tmp	17	private-tmp


diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile index b0ebdf43c..59c7383d7 100644 --- a/etc/gpg-agent.profile +++ b/etc/gpg-agent.profile
@@ -14,9 +14,12 @@ nosound
14	protocol unix	14	protocol unix
15	seccomp	15	seccomp
16	netfilter	16	netfilter
		17	no3d
17	shell none	18	shell none
18	tracelog	19	tracelog
19		20
		21	blacklist /tmp/.X11-unix
		22
20	# private-bin gpg-agent,gpg	23	# private-bin gpg-agent,gpg
21	private-tmp	24	private-tmp
22	private-dev	25	private-dev


diff --git a/etc/gpg.profile b/etc/gpg.profile index 31372eb90..d711c6f3e 100644 --- a/etc/gpg.profile +++ b/etc/gpg.profile
@@ -15,9 +15,12 @@ protocol unix
15	seccomp	15	seccomp
16	netfilter	16	netfilter
17	net none	17	net none
		18	no3d
18	shell none	19	shell none
19	tracelog	20	tracelog
20		21
		22	blacklist /tmp/.X11-unix
		23
21	# private-bin gpg,gpg-agent	24	# private-bin gpg,gpg-agent
22	private-tmp	25	private-tmp
23	private-dev	26	private-dev


diff --git a/etc/highlight.profile b/etc/highlight.profile index f95f3924a..4bab18349 100644 --- a/etc/highlight.profile +++ b/etc/highlight.profile
@@ -13,10 +13,14 @@ protocol unix
13	seccomp	13	seccomp
14	netfilter	14	netfilter
15	net none	15	net none
		16	no3d
16	shell none	17	shell none
17	tracelog	18	tracelog
18		19
		20	blacklist /tmp/.X11-unix
		21
19	private-bin highlight	22	private-bin highlight
		23	# private-etc none
20	private-tmp	24	private-tmp
21	private-dev	25	private-dev
22		26


diff --git a/etc/less.profile b/etc/less.profile index 08758aead..c01dfc466 100644 --- a/etc/less.profile +++ b/etc/less.profile
@@ -5,7 +5,10 @@ include /etc/firejail/default.profile
5		5
6	net none	6	net none
7	nosound	7	nosound
		8	no3d
8	shell none	9	shell none
9	tracelog	10	tracelog
10		11
		12	blacklist /tmp/.X11-unix
		13
11	private-dev	14	private-dev


diff --git a/etc/lynx.profile b/etc/lynx.profile index 6e150f62e..3e8d72103 100644 --- a/etc/lynx.profile +++ b/etc/lynx.profile
@@ -9,12 +9,15 @@ nogroups
9	nonewprivs	9	nonewprivs
10	noroot	10	noroot
11	nosound	11	nosound
		12	no3d
12	protocol unix,inet,inet6	13	protocol unix,inet,inet6
13	seccomp	14	seccomp
14	netfilter	15	netfilter
15	shell none	16	shell none
16	tracelog	17	tracelog
17		18
		19	blacklist /tmp/.X11-unix
		20
18	# private-bin lynx	21	# private-bin lynx
19	private-tmp	22	private-tmp
20	private-dev	23	private-dev


diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile index c07a9a9e8..65d12c49e 100644 --- a/etc/mediainfo.profile +++ b/etc/mediainfo.profile
@@ -9,6 +9,7 @@ nogroups
9	nonewprivs	9	nonewprivs
10	noroot	10	noroot
11	nosound	11	nosound
		12	no3d
12	protocol unix	13	protocol unix
13	seccomp	14	seccomp
14	netfilter	15	netfilter
@@ -16,6 +17,8 @@ net none
16	shell none	17	shell none
17	tracelog	18	tracelog
18		19
		20	blacklist /tmp/.X11-unix
		21
19	private-bin mediainfo	22	private-bin mediainfo
20	private-tmp	23	private-tmp
21	private-dev	24	private-dev


diff --git a/etc/mutt.profile b/etc/mutt.profile index 2718421c5..5a714de4a 100644 --- a/etc/mutt.profile +++ b/etc/mutt.profile
@@ -33,8 +33,11 @@ nogroups
33	nonewprivs	33	nonewprivs
34	noroot	34	noroot
35	nosound	35	nosound
		36	no3d
36	protocol unix,inet,inet6	37	protocol unix,inet,inet6
37	seccomp	38	seccomp
38	shell none	39	shell none
39		40
		41	blacklist /tmp/.X11-unix
		42
40	private-dev	43	private-dev


diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile index 329275022..c4e28f70e 100644 --- a/etc/odt2txt.profile +++ b/etc/odt2txt.profile
@@ -13,9 +13,12 @@ protocol unix
13	seccomp	13	seccomp
14	netfilter	14	netfilter
15	net none	15	net none
		16	no3d
16	shell none	17	shell none
17	tracelog	18	tracelog
18		19
		20	blacklist /tmp/.X11-unix
		21
19	private-bin odt2txt	22	private-bin odt2txt
20	private-tmp	23	private-tmp
21	private-dev	24	private-dev


diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile index 632c9d15e..fe9e9e3cd 100644 --- a/etc/pdftotext.profile +++ b/etc/pdftotext.profile
@@ -13,9 +13,12 @@ protocol unix
13	seccomp	13	seccomp
14	netfilter	14	netfilter
15	net none	15	net none
		16	no3d
16	shell none	17	shell none
17	tracelog	18	tracelog
18		19
		20	blacklist /tmp/.X11-unix
		21
19	private-bin pdftotext	22	private-bin pdftotext
20	private-tmp	23	private-tmp
21	private-dev	24	private-dev


diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile index 548ede37d..bea3a6061 100644 --- a/etc/ssh-agent.profile +++ b/etc/ssh-agent.profile
@@ -12,5 +12,8 @@ caps.drop all
12	netfilter	12	netfilter
13	nonewprivs	13	nonewprivs
14	noroot	14	noroot
		15	no3d
15	protocol unix,inet,inet6	16	protocol unix,inet,inet6
16	seccomp	17	seccomp
		18
		19	blacklist /tmp/.X11-unix


diff --git a/etc/strings.profile b/etc/strings.profile index 2b7724b11..2bbab1366 100644 --- a/etc/strings.profile +++ b/etc/strings.profile
@@ -7,5 +7,6 @@ net none
7	nosound	7	nosound
8	shell none	8	shell none
9	tracelog	9	tracelog
10
11	private-dev	10	private-dev
		11	no3d
		12	blacklist /tmp/.X11-unix


diff --git a/etc/tracker.profile b/etc/tracker.profile index 217631216..7f4f371eb 100644 --- a/etc/tracker.profile +++ b/etc/tracker.profile
@@ -12,12 +12,15 @@ nogroups
12	nonewprivs	12	nonewprivs
13	noroot	13	noroot
14	nosound	14	nosound
		15	no3d
15	protocol unix	16	protocol unix
16	seccomp	17	seccomp
17	netfilter	18	netfilter
18	shell none	19	shell none
19	tracelog	20	tracelog
20		21
		22	blacklist /tmp/.X11-unix
		23
21	# private-bin tracker	24	# private-bin tracker
22	# private-tmp	25	# private-tmp
23	# private-dev	26	# private-dev


diff --git a/etc/w3m.profile b/etc/w3m.profile index d765217cf..7ee91bb70 100644 --- a/etc/w3m.profile +++ b/etc/w3m.profile
@@ -11,12 +11,15 @@ nogroups
11	nonewprivs	11	nonewprivs
12	noroot	12	noroot
13	nosound	13	nosound
		14	no3d
14	protocol unix,inet,inet6	15	protocol unix,inet,inet6
15	seccomp	16	seccomp
16	netfilter	17	netfilter
17	shell none	18	shell none
18	tracelog	19	tracelog
19		20
		21	blacklist /tmp/.X11-unix
		22
20	# private-bin w3m	23	# private-bin w3m
21	private-tmp	24	private-tmp
22	private-dev	25	private-dev


diff --git a/etc/wget.profile b/etc/wget.profile index d9bca2acc..ff4b92bae 100644 --- a/etc/wget.profile +++ b/etc/wget.profile
@@ -10,10 +10,12 @@ nonewprivs
10	noroot	10	noroot
11	nogroups	11	nogroups
12	nosound	12	nosound
		13	no3d
13	protocol unix,inet,inet6	14	protocol unix,inet,inet6
14	seccomp	15	seccomp
15	shell none	16	shell none
16		17
		18	blacklist /tmp/.X11-unix
17		19
18	# private-bin wget	20	# private-bin wget
19	# private-etc resolv.conf	21	# private-etc resolv.conf


diff --git a/etc/xpra.profile b/etc/xpra.profile index 8584e4e5b..32be90b19 100644 --- a/etc/xpra.profile +++ b/etc/xpra.profile
@@ -14,6 +14,8 @@ shell none
14	seccomp	14	seccomp
15	protocol unix,inet,inet6	15	protocol unix,inet,inet6
16		16
		17	# blacklist /tmp/.X11-unix
		18
17	# private-bin	19	# private-bin
18	private-dev	20	private-dev
19	private-tmp	21	private-tmp