author | smitsohu <smitsohu@gmail.com> | 2017-10-29 13:06:19 +0100 |
committer | smitsohu <smitsohu@gmail.com> | 2017-10-29 13:06:19 +0100 |
commit | 8ef2c87931fa83c2d1fd6b35f23ac650adee6355 (patch) | |
tree | ad154ca76315d658334fb06b587e1df835fb137a /etc | |
parent | fix for #1614 (--timeout) (diff) | |
fix and harden various profiles
Diffstat (limited to 'etc')
-rw-r--r-- | etc/atril.profile | 3 | ||||
-rw-r--r-- | etc/calligra.profile | 8 | ||||
-rw-r--r-- | etc/disable-common.inc | 9 | ||||
-rw-r--r-- | etc/evince.profile | 3 | ||||
-rw-r--r-- | etc/inox.profile | 8 | ||||
-rw-r--r-- | etc/iridium.profile | 10 | ||||
-rw-r--r-- | etc/kdenlive.profile | 10 | ||||
-rw-r--r-- | etc/krita.profile | 4 | ||||
-rw-r--r-- | etc/okular.profile | 2 | ||||
-rw-r--r-- | etc/thunderbird.profile | 1 | ||||
-rw-r--r-- | etc/vivaldi.profile | 1 | ||||
-rw-r--r-- | etc/xreader.profile | 3 |
12 files changed, 39 insertions, 23 deletions
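--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -35,8 +35,7 @@ private-etc fonts,ld.so.cache
 # atril uses webkit gtk to display epub files
 # waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0
 private-lib webkit2gtk-4.0
-# atril needs access to /tmp/mozilla* to work in firefox
-# private-tmp
+private-tmp
 
 # webkit gtk killed by memory-deny-write-execute
 #memory-deny-write-execute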
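Review bot: The removed comment on old line 38 recorded why private-tmp was off (atril reads /tmp/mozilla* when launched from firefox), and new line 38 turns private-tmp on without saying whether that case is now handled or deliberately given up. Keeping the trade-off next to the directive, e.g. `# private-tmp: documents handed over through /tmp/mozilla* by firefox are no longer reachable`, or citing what changed on the firefox side if it now works, would keep the next maintainer from flipping it back. The evince and xreader hunks below make the same change and lose the same note.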
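--- a/etc/calligra.profile
+++ b/etc/calligra.profile
@@ -5,7 +5,7 @@ include /etc/firejail/calligra.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
+# blacklist /run/user/*/bus
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -14,7 +14,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 ipc-namespace
-net none
+# net none
 nodvd
 nogroups
 nonewprivs
@@ -25,8 +25,8 @@ protocol unix
 seccomp
 shell none
 
-private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch
+private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch,kbuildsycoca4,kdeinit4
 private-dev
 
-#noexec ${HOME}
+# noexec ${HOME}
 noexec /tmp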
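Review bot: Commenting out `blacklist /run/user/*/bus` (line 8) and `net none` (line 17) relaxes the sandbox — the session D-Bus socket becomes reachable and the process keeps the host network namespace — yet neither hunk records what broke. The third hunk's header shows `protocol unix` unchanged, so inet sockets are presumably still denied by the protocol filter, which makes the reason for dropping `net none` worth stating rather than guessing at later. Suggest keeping the reason beside each disabled line, e.g. `# net none - <reason>; protocol unix still blocks inet sockets` and `# blacklist /run/user/*/bus - <component> needs the session bus`. The krita and kdenlive hunks below disable the same two lines and need the same note.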
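--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -76,10 +76,11 @@ read-only ${HOME}/.kde4/share/kde4/services
 read-only ${HOME}/.kde4/share/config/kdeglobals
 read-only ${HOME}/.local/share/kservices5
 
-# kdeinit sockets
-blacklist /run/user/*/kdeinit*
-blacklist /run/user/*/ksocket-*/kdeinit*
-blacklist /tmp/ksocket-*/kdeinit*
+# kdeinit socket
+blacklist /run/user/*/kdeinit5__*
+# blacklist /run/user/*/ksocket-*/kdeinit4__*
+# blacklist /tmp/ksocket-*/kdeinit4__*
+# - causes issues when kdeinit4 gets killed; enable on KDE Plasma 4
 
 # systemd
 blacklist ${HOME}/.config/systemd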
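Review bot: The new comment on line 83 is a dangling bullet and "enable on KDE Plasma 4" does not say what to enable; suggest `# the two kdeinit4 lines above are disabled: blacklisting the kdeinit4 socket causes issues when kdeinit4 gets killed; re-enable them on KDE Plasma 4`. The glob on line 80 is also narrowed from `kdeinit*` to `kdeinit5__*`, so any other kdeinit-named entry under /run/user/* — including a kdeinit4 socket placed there — is now reachable from every profile that includes this file; that is presumably intended, since this is a shared include, but it is a widening and should be named in the comment rather than left implicit.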
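--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -36,8 +36,7 @@ private-bin evince,evince-previewer,evince-thumbnailer
 private-dev
 private-etc fonts
 private-lib
-# evince needs access to /tmp/mozilla* to work in firefox
-# private-tmp
+private-tmp
 
 memory-deny-write-execute
 noexec ${HOME}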
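--- a/etc/inox.profile
+++ b/etc/inox.profile
@@ -20,11 +20,17 @@ whitelist ~/.cache/inox
 whitelist ~/.config/inox
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.keep sys_chroot,sys_admin
 netfilter
 nodvd
 nogroups
-noroot
 notv
 shell none
+
+private-dev
+# private-tmp - problems with multiple browser sessions
+
+noexec ${HOME}
+noexec /tmp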
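Review bot: `noroot` is dropped (old line 28) with no comment while everything else in the hunk is added hardening, so the removal reads as accidental. Since `caps.keep sys_chroot,sys_admin` stays on line 25, the likely reason is that the user namespace noroot creates does not fit the capabilities the browser's own sandbox needs — confirm; a comment at the spot, `# noroot - conflicts with caps.keep sys_chroot,sys_admin used by the browser sandbox (TODO confirm)`, would stop the next hardening pass from re-adding it. The new `noexec /tmp` on line 36 is the compensating control for the disabled `private-tmp` on line 33; saying so in that comment (`# private-tmp - problems with multiple browser sessions; /tmp stays shared but noexec`) makes the pairing explicit.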
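--- a/etc/iridium.profile
+++ b/etc/iridium.profile
@@ -21,7 +21,17 @@ whitelist ~/.cache/iridium
 whitelist ~/.config/iridium
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
+caps.keep sys_chroot,sys_admin
 netfilter
 nodvd
+nogroups
 notv
+shell none
+
+private-dev
+# private-tmp - problems with multiple browser sessions
+
+noexec ${HOME}
+noexec /tmp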
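Review bot: `caps.keep sys_chroot,sys_admin` is added on line 26 without a comment; CAP_SYS_ADMIN is the broadest capability Linux has, and keeping it inside the jail is the most consequential line in this hunk, so it should say why it is retained — presumably the Chromium setuid sandbox that iridium inherits, which chroots and creates namespaces (confirm). Suggest `# caps.keep sys_chroot,sys_admin - needed by the Chromium sandbox; CAP_SYS_ADMIN remains available inside the jail`. The hunk does not show `seccomp` or `nonewprivs`; if the profile's earlier lines lack them, those would be the natural next additions now that this profile mirrors inox.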
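--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -5,7 +5,7 @@ include /etc/firejail/kdenlive.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
+# blacklist /run/user/*/bus
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -13,19 +13,19 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
-net none
+# net none
 nodvd
 nogroups
 nonewprivs
 noroot
 notv
-protocol unix,inet,inet6
+protocol unix,netlink
 seccomp
 shell none
 
 private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper
 private-dev
-#private-etc fonts,alternatives,X11,pulse,passwd
+# private-etc fonts,alternatives,X11,pulse,passwd
 
-#noexec ${HOME}
+# noexec ${HOME}
 noexec /tmp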
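Review bot: The protocol line (line 22) changes from `unix,inet,inet6` to `unix,netlink` in the same hunk that comments out `net none` (line 16), so the profile now shares the host network namespace while inet sockets are denied by the protocol filter — a defensible pairing, but nothing in the hunk says so, and nothing says what needs netlink. Suggest `# net none - <reason>; inet stays denied via protocol unix,netlink` above line 16 and `# netlink: <component that needs it>` on line 22, so the two lines are not later "fixed" independently. The protocol filter is only in force while `seccomp` on line 23 stays enabled; that dependency is worth a word too.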
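--- a/etc/krita.profile
+++ b/etc/krita.profile
@@ -5,7 +5,7 @@ include /etc/firejail/krita.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
+# blacklist /run/user/*/bus
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -14,7 +14,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 ipc-namespace
-net none
+# net none
 nodvd
 nogroups
 nonewprivs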
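--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -39,7 +39,7 @@ tracelog
 # private-bin okular,kbuildsycoca4,kdeinit4,lpr
 private-dev
 # private-etc fonts,X11
-private-tmp
+# private-tmp - on KDE we need access to the real /tmp for data exchange with thunderbird
 
 # memory-deny-write-execute
 noexec ${HOME}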
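Review bot: Disabling private-tmp on line 42 exposes the whole host /tmp to a viewer that renders untrusted documents; the comment gives the reason but not the scope. If the exchange with thunderbird uses a predictable location, naming it in the comment (`# private-tmp - KDE: attachments from thunderbird arrive under /tmp/<path>`) would let a later pass narrow this to a whitelist instead of all of /tmp. Whether `noexec /tmp` remains as the compensating control is not visible here — it would sit just after line 45, outside the hunk — so it is worth confirming it is still set.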
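--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -24,6 +24,7 @@ whitelist ~/.thunderbird
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc
 
+# We need the real /tmp for data exchange when xdg-open handles email attachments on KDE
 ignore private-tmp
 machine-id
 disable-mnt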
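--- a/etc/vivaldi.profile
+++ b/etc/vivaldi.profile
@@ -18,6 +18,7 @@ whitelist ${DOWNLOADS}
 whitelist ~/.cache/vivaldi
 whitelist ~/.config/vivaldi
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.keep sys_chroot,sys_admin
 netfilter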
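--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -33,8 +33,7 @@ tracelog
 private-bin xreader,xreader-previewer,xreader-thumbnailer
 private-dev
 private-etc fonts,ld.so.cache
-# xreader needs access to /tmp/mozilla* to work in firefox
-# private-tmp
+private-tmp
 
 memory-deny-write-execute
 noexec ${HOME}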