author | glitsj16 <glitsj16@users.noreply.github.com> | 2023-07-25 19:36:31 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-07-25 19:36:31 +0000 |
commit | a95a742727b09dd773fff08e1bdc9b9415dc0c27 (patch) | |
tree | 7772342cfab5ca067f84a634fed4a1e8ffc22a7c /etc | |
parent | profiles: Miscellaneous cleanups (#5918) (diff) | |
profiles: fixes and cleanups for opening links with firefox (#5919)
Diffstat (limited to 'etc')
-rw-r--r-- | etc/profile-a-l/kube.profile | 19 | ||||
-rw-r--r-- | etc/profile-m-z/signal-desktop.profile | 8 | ||||
-rw-r--r-- | etc/profile-m-z/trojita.profile | 11 |
3 files changed, 24 insertions, 14 deletions
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile index 5cf30ed40..82336969d 100644 --- a/etc/profile-a-l/kube.profile +++ b/etc/profile-a-l/kube.profile | |||
@@ -6,11 +6,10 @@ include kube.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.gnupg | ||
10 | noblacklist ${HOME}/.mozilla | ||
11 | noblacklist ${HOME}/.cache/kube | 9 | noblacklist ${HOME}/.cache/kube |
12 | noblacklist ${HOME}/.config/kube | 10 | noblacklist ${HOME}/.config/kube |
13 | noblacklist ${HOME}/.config/sink | 11 | noblacklist ${HOME}/.config/sink |
12 | noblacklist ${HOME}/.gnupg | ||
14 | noblacklist ${HOME}/.local/share/kube | 13 | noblacklist ${HOME}/.local/share/kube |
15 | noblacklist ${HOME}/.local/share/sink | 14 | noblacklist ${HOME}/.local/share/sink |
16 | 15 | ||
@@ -22,23 +21,28 @@ include disable-programs.inc | |||
22 | include disable-shell.inc | 21 | include disable-shell.inc |
23 | include disable-xdg.inc | 22 | include disable-xdg.inc |
24 | 23 | ||
25 | mkdir ${HOME}/.gnupg | 24 | # The lines below are needed to find the default Firefox profile name, to allow |
25 | # opening links in an existing instance of Firefox (note that it still fails if | ||
26 | # there isn't a Firefox instance running with the default profile; see #5352) | ||
27 | noblacklist ${HOME}/.mozilla | ||
28 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | ||
29 | |||
26 | mkdir ${HOME}/.cache/kube | 30 | mkdir ${HOME}/.cache/kube |
27 | mkdir ${HOME}/.config/kube | 31 | mkdir ${HOME}/.config/kube |
28 | mkdir ${HOME}/.config/sink | 32 | mkdir ${HOME}/.config/sink |
33 | mkdir ${HOME}/.gnupg | ||
29 | mkdir ${HOME}/.local/share/kube | 34 | mkdir ${HOME}/.local/share/kube |
30 | mkdir ${HOME}/.local/share/sink | 35 | mkdir ${HOME}/.local/share/sink |
31 | whitelist ${HOME}/.gnupg | ||
32 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | ||
33 | whitelist ${HOME}/.cache/kube | 36 | whitelist ${HOME}/.cache/kube |
34 | whitelist ${HOME}/.config/kube | 37 | whitelist ${HOME}/.config/kube |
35 | whitelist ${HOME}/.config/sink | 38 | whitelist ${HOME}/.config/sink |
39 | whitelist ${HOME}/.gnupg | ||
36 | whitelist ${HOME}/.local/share/kube | 40 | whitelist ${HOME}/.local/share/kube |
37 | whitelist ${HOME}/.local/share/sink | 41 | whitelist ${HOME}/.local/share/sink |
38 | whitelist ${RUNUSER}/gnupg | 42 | whitelist ${RUNUSER}/gnupg |
39 | whitelist /usr/share/kube | ||
40 | whitelist /usr/share/gnupg | 43 | whitelist /usr/share/gnupg |
41 | whitelist /usr/share/gnupg2 | 44 | whitelist /usr/share/gnupg2 |
45 | whitelist /usr/share/kube | ||
42 | include whitelist-common.inc | 46 | include whitelist-common.inc |
43 | include whitelist-runuser-common.inc | 47 | include whitelist-runuser-common.inc |
44 | include whitelist-usr-share-common.inc | 48 | include whitelist-usr-share-common.inc |
@@ -63,7 +67,6 @@ tracelog | |||
63 | 67 | ||
64 | # disable-mnt | 68 | # disable-mnt |
65 | # Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg | 69 | # Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg |
66 | # Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile. | ||
67 | private-bin kube,sink_synchronizer | 70 | private-bin kube,sink_synchronizer |
68 | private-cache | 71 | private-cache |
69 | private-dev | 72 | private-dev |
@@ -75,6 +78,8 @@ dbus-user filter | |||
75 | dbus-user.talk ca.desrt.dconf | 78 | dbus-user.talk ca.desrt.dconf |
76 | dbus-user.talk org.freedesktop.secrets | 79 | dbus-user.talk org.freedesktop.secrets |
77 | dbus-user.talk org.freedesktop.Notifications | 80 | dbus-user.talk org.freedesktop.Notifications |
81 | # allow D-Bus communication with firefox for opening links | ||
82 | dbus-user.talk org.mozilla.* | ||
78 | dbus-system none | 83 | dbus-system none |
79 | 84 | ||
80 | restrict-namespaces | 85 | restrict-namespaces |
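Review bot: `noblacklist ${HOME}/.mozilla` now sits after `include disable-programs.inc` (new lines 27-28 of kube.profile), and as far as I know firejail applies a noblacklist only to blacklist entries processed after it. If disable-programs.inc blacklists `${HOME}/.mozilla` (presumably it does; the include is not visible here), the whitelisted `profiles.ini` would stay unreadable and opening links would still fail. That fails closed, so the sandbox is not weakened, but the feature this commit is meant to fix would not work. Leaving `noblacklist ${HOME}/.mozilla` in the top noblacklist group, before the disable-*.inc includes, and keeping only the comment plus `whitelist ${HOME}/.mozilla/firefox/profiles.ini` here would remove the ordering dependency. The same move appears in trojita.profile (new lines 24-25).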
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile index 3e1899ef3..8cb4e4173 100644 --- a/etc/profile-m-z/signal-desktop.profile +++ b/etc/profile-m-z/signal-desktop.profile | |||
@@ -11,7 +11,9 @@ ignore noexec /tmp | |||
11 | 11 | ||
12 | noblacklist ${HOME}/.config/Signal | 12 | noblacklist ${HOME}/.config/Signal |
13 | 13 | ||
14 | # These lines are needed to allow Firefox to open links | 14 | # The lines below are needed to find the default Firefox profile name, to allow |
15 | # opening links in an existing instance of Firefox (note that it still fails if | ||
16 | # there isn't a Firefox instance running with the default profile; see #5352) | ||
15 | noblacklist ${HOME}/.mozilla | 17 | noblacklist ${HOME}/.mozilla |
16 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | 18 | whitelist ${HOME}/.mozilla/firefox/profiles.ini |
17 | 19 | ||
@@ -21,11 +23,9 @@ whitelist ${HOME}/.config/Signal | |||
21 | private-etc @tls-ca | 23 | private-etc @tls-ca |
22 | 24 | ||
23 | dbus-user filter | 25 | dbus-user filter |
24 | |||
25 | # allow D-Bus notifications | 26 | # allow D-Bus notifications |
26 | dbus-user.talk org.freedesktop.Notifications | 27 | dbus-user.talk org.freedesktop.Notifications |
27 | 28 | # allow D-Bus communication with firefox for opening links | |
28 | # allow D-Bus communication with Firefox browsers for opening links | ||
29 | dbus-user.talk org.mozilla.* | 29 | dbus-user.talk org.mozilla.* |
30 | 30 | ||
31 | ignore dbus-user none | 31 | ignore dbus-user none |
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile index ba68ccb53..2578eb0be 100644 --- a/etc/profile-m-z/trojita.profile +++ b/etc/profile-m-z/trojita.profile | |||
@@ -7,7 +7,6 @@ include trojita.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.abook | 9 | noblacklist ${HOME}/.abook |
10 | noblacklist ${HOME}/.mozilla | ||
11 | noblacklist ${HOME}/.cache/flaska.net/trojita | 10 | noblacklist ${HOME}/.cache/flaska.net/trojita |
12 | noblacklist ${HOME}/.config/flaska.net | 11 | noblacklist ${HOME}/.config/flaska.net |
13 | 12 | ||
@@ -19,11 +18,16 @@ include disable-programs.inc | |||
19 | include disable-shell.inc | 18 | include disable-shell.inc |
20 | include disable-xdg.inc | 19 | include disable-xdg.inc |
21 | 20 | ||
21 | # The lines below are needed to find the default Firefox profile name, to allow | ||
22 | # opening links in an existing instance of Firefox (note that it still fails if | ||
23 | # there isn't a Firefox instance running with the default profile; see #5352) | ||
24 | noblacklist ${HOME}/.mozilla | ||
25 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | ||
26 | |||
22 | mkdir ${HOME}/.abook | 27 | mkdir ${HOME}/.abook |
23 | mkdir ${HOME}/.cache/flaska.net/trojita | 28 | mkdir ${HOME}/.cache/flaska.net/trojita |
24 | mkdir ${HOME}/.config/flaska.net | 29 | mkdir ${HOME}/.config/flaska.net |
25 | whitelist ${HOME}/.abook | 30 | whitelist ${HOME}/.abook |
26 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | ||
27 | whitelist ${HOME}/.cache/flaska.net/trojita | 31 | whitelist ${HOME}/.cache/flaska.net/trojita |
28 | whitelist ${HOME}/.config/flaska.net | 32 | whitelist ${HOME}/.config/flaska.net |
29 | include whitelist-common.inc | 33 | include whitelist-common.inc |
@@ -49,7 +53,6 @@ seccomp | |||
49 | tracelog | 53 | tracelog |
50 | 54 | ||
51 | # disable-mnt | 55 | # disable-mnt |
52 | # Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile. | ||
53 | private-bin trojita | 56 | private-bin trojita |
54 | private-cache | 57 | private-cache |
55 | private-dev | 58 | private-dev |
@@ -58,6 +61,8 @@ private-tmp | |||
58 | 61 | ||
59 | dbus-user filter | 62 | dbus-user filter |
60 | dbus-user.talk org.freedesktop.secrets | 63 | dbus-user.talk org.freedesktop.secrets |
64 | # allow D-Bus communication with firefox for opening links | ||
65 | dbus-user.talk org.mozilla.* | ||
61 | dbus-system none | 66 | dbus-system none |
62 | 67 | ||
63 | restrict-namespaces | 68 | restrict-namespaces |
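Review bot: The new `dbus-user.talk org.mozilla.*` rule (new line 65 of trojita.profile) should carry a comment stating the trade-off, because it lets the sandboxed mail client send D-Bus messages to every session-bus name under org.mozilla, not only to Firefox. Those names belong to processes outside this sandbox, so the rule is a deliberate channel out of it. Suggested wording: `# allow D-Bus communication with firefox for opening links (lets the sandbox talk to any org.mozilla.* name on the session bus)`. If Firefox's remote name has a stable prefix, a narrower pattern such as `dbus-user.talk org.mozilla.firefox.*` would be preferable; the exact prefix and casing need confirming against a running instance. The same rule is added to kube.profile (new line 82) and is already present in signal-desktop.profile.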