some profile enhancements

author: smitsohu <smitsohu@gmail.com> 2017-10-08 01:51:06 +0200
committer: smitsohu <smitsohu@gmail.com> 2017-10-08 01:51:06 +0200
commit: c6ce7577ca78c831d15215333e4f7fb9a0977909 (patch)
tree: 8bb555158f55e3078825319244359a9895c952e6 /etc
parent: fldd fixes (diff)
download: firejail-c6ce7577ca78c831d15215333e4f7fb9a0977909.tar.gz
firejail-c6ce7577ca78c831d15215333e4f7fb9a0977909.tar.zst
firejail-c6ce7577ca78c831d15215333e4f7fb9a0977909.zip
6 files changed, 10 insertions, 10 deletions
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index 6d4f6349a..458de81e2 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -15,8 +15,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
-caps
+caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
-# caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
 no3d
 nodvd
 nonewprivs
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile
index 2a1302adb..e6086d1b2 100644
--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -15,8 +15,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
-caps
+caps.keep net_admin,net_bind_service,net_raw,setgid,setuid
-# caps.keep net_admin,net_bind_service,net_raw,setgid,setuid
 no3d
 nodvd
 nonewprivs
diff --git a/etc/unbound.profile b/etc/unbound.profile
index d380b5698..c03a25752 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -15,8 +15,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
-caps
+caps.keep net_bind_service,setgid,setuid,sys_chroot,sys_resource
-# caps.keep net_bind_service,setgid,setuid,sys_chroot,sys_resource
 no3d
 nodvd
 nonewprivs
diff --git a/etc/wireshark.profile b/etc/wireshark.profile
index f1a17ba93..35e781f67 100644
--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -12,18 +12,19 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+# caps.drop all
 caps.keep dac_override,net_admin,net_raw
 netfilter
 no3d
-# nogroups - breaks unprivileged wireshark usage
+# nogroups - breaks network traffic capture for unprivileged users
-# nonewprivs - breaks unprivileged wireshark usage
+# nonewprivs - breaks network traffic capture for unprivileged users
 # noroot
 nodvd
 nosound
 notv
 novideo
 # protocol unix,inet,inet6,netlink
-# seccomp - breaks unprivileged wireshark usage
+# seccomp - breaks network traffic capture for unprivileged users
 shell none
 tracelog
diff --git a/etc/xplayer.profile b/etc/xplayer.profile
index 5c845e977..d4a2fa846 100644
--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
 nogroups
diff --git a/etc/xreader.profile b/etc/xreader.profile
index bebcb262f..11e5d1102 100644
--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -32,7 +32,7 @@ tracelog
 private-bin xreader,xreader-previewer,xreader-thumbnailer
 private-dev
-# private-etc fonts,ld.so.cache
+private-etc fonts,ld.so.cache
 # xreader needs access to /tmp/mozilla* to work in firefox
 # private-tmp
author	smitsohu <smitsohu@gmail.com>	2017-10-08 01:51:06 +0200
committer	smitsohu <smitsohu@gmail.com>	2017-10-08 01:51:06 +0200
commit	c6ce7577ca78c831d15215333e4f7fb9a0977909 (patch)
tree	8bb555158f55e3078825319244359a9895c952e6 /etc
parent	fldd fixes (diff)
download	firejail-c6ce7577ca78c831d15215333e4f7fb9a0977909.tar.gz firejail-c6ce7577ca78c831d15215333e4f7fb9a0977909.tar.zst firejail-c6ce7577ca78c831d15215333e4f7fb9a0977909.zip

diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile index 6d4f6349a..458de81e2 100644 --- a/etc/dnscrypt-proxy.profile +++ b/etc/dnscrypt-proxy.profile
@@ -15,8 +15,7 @@ include /etc/firejail/disable-devel.inc
15	include /etc/firejail/disable-passwdmgr.inc	15	include /etc/firejail/disable-passwdmgr.inc
16	include /etc/firejail/disable-programs.inc	16	include /etc/firejail/disable-programs.inc
17		17
18	caps	18	caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
19	# caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
20	no3d	19	no3d
21	nodvd	20	nodvd
22	nonewprivs	21	nonewprivs


diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile index 2a1302adb..e6086d1b2 100644 --- a/etc/dnsmasq.profile +++ b/etc/dnsmasq.profile
@@ -15,8 +15,7 @@ include /etc/firejail/disable-devel.inc
15	include /etc/firejail/disable-passwdmgr.inc	15	include /etc/firejail/disable-passwdmgr.inc
16	include /etc/firejail/disable-programs.inc	16	include /etc/firejail/disable-programs.inc
17		17
18	caps	18	caps.keep net_admin,net_bind_service,net_raw,setgid,setuid
19	# caps.keep net_admin,net_bind_service,net_raw,setgid,setuid
20	no3d	19	no3d
21	nodvd	20	nodvd
22	nonewprivs	21	nonewprivs


diff --git a/etc/unbound.profile b/etc/unbound.profile index d380b5698..c03a25752 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile
@@ -15,8 +15,7 @@ include /etc/firejail/disable-devel.inc
15	include /etc/firejail/disable-passwdmgr.inc	15	include /etc/firejail/disable-passwdmgr.inc
16	include /etc/firejail/disable-programs.inc	16	include /etc/firejail/disable-programs.inc
17		17
18	caps	18	caps.keep net_bind_service,setgid,setuid,sys_chroot,sys_resource
19	# caps.keep net_bind_service,setgid,setuid,sys_chroot,sys_resource
20	no3d	19	no3d
21	nodvd	20	nodvd
22	nonewprivs	21	nonewprivs


diff --git a/etc/wireshark.profile b/etc/wireshark.profile index f1a17ba93..35e781f67 100644 --- a/etc/wireshark.profile +++ b/etc/wireshark.profile
@@ -12,18 +12,19 @@ include /etc/firejail/disable-devel.inc
12	include /etc/firejail/disable-passwdmgr.inc	12	include /etc/firejail/disable-passwdmgr.inc
13	include /etc/firejail/disable-programs.inc	13	include /etc/firejail/disable-programs.inc
14		14
		15	# caps.drop all
15	caps.keep dac_override,net_admin,net_raw	16	caps.keep dac_override,net_admin,net_raw
16	netfilter	17	netfilter
17	no3d	18	no3d
18	# nogroups - breaks unprivileged wireshark usage	19	# nogroups - breaks network traffic capture for unprivileged users
19	# nonewprivs - breaks unprivileged wireshark usage	20	# nonewprivs - breaks network traffic capture for unprivileged users
20	# noroot	21	# noroot
21	nodvd	22	nodvd
22	nosound	23	nosound
23	notv	24	notv
24	novideo	25	novideo
25	# protocol unix,inet,inet6,netlink	26	# protocol unix,inet,inet6,netlink
26	# seccomp - breaks unprivileged wireshark usage	27	# seccomp - breaks network traffic capture for unprivileged users
27	shell none	28	shell none
28	tracelog	29	tracelog
29		30


diff --git a/etc/xplayer.profile b/etc/xplayer.profile index 5c845e977..d4a2fa846 100644 --- a/etc/xplayer.profile +++ b/etc/xplayer.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
13	include /etc/firejail/disable-passwdmgr.inc	13	include /etc/firejail/disable-passwdmgr.inc
14	include /etc/firejail/disable-programs.inc	14	include /etc/firejail/disable-programs.inc
15		15
		16	include /etc/firejail/whitelist-var-common.inc
		17
16	caps.drop all	18	caps.drop all
17	netfilter	19	netfilter
18	nogroups	20	nogroups


diff --git a/etc/xreader.profile b/etc/xreader.profile index bebcb262f..11e5d1102 100644 --- a/etc/xreader.profile +++ b/etc/xreader.profile
@@ -32,7 +32,7 @@ tracelog
32		32
33	private-bin xreader,xreader-previewer,xreader-thumbnailer	33	private-bin xreader,xreader-previewer,xreader-thumbnailer
34	private-dev	34	private-dev
35	# private-etc fonts,ld.so.cache	35	private-etc fonts,ld.so.cache
36	# xreader needs access to /tmp/mozilla* to work in firefox	36	# xreader needs access to /tmp/mozilla* to work in firefox
37	# private-tmp	37	# private-tmp
38		38