Profile fixes and hardening

* cheese - fix: dbus-user.own org.gnome.Cheese - fix: whitelist /usr/share/gstreamer-1.0 - fix: include allow-python3.inc - hardening: include disable-shell.inc - hardening: include whitelist-run-common.inc and whitelist /run/udev/data - hardening: whitelist /usr/libexec/gstreamer-1.0/gst-plugin-scanner - hardening: noinput - hardening: nosound - hardening: seccomp.block-secondary - hardening: private-dev * geekbench (closes #4576) - fix: noblacklist /sbin and noblacklist /usr/sbin - fix: noblacklist, blacklist, mkdir, whitelist, read-write ${HOME}/.geekbench5 - fix: comment/remove private-bin, private-lib, private-opt * inkscape - add quiet for cli usage * musixmatch (#4518) - allow chroot * pandoc - fix: include allow-bin-sh.inc - fix: drop private-bin - hardening: include whitelist-runuser-common.inc - hardening: seccomp.block-secondary
author: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2021-09-30 08:18:19 +0200
committer: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2021-09-30 08:26:28 +0200
commit: f3912910c1a92883671fce6b75a72ec7de865716 (patch)
tree: 2dcacaf5d2e259ce4cf71c968d769533e6858591 /etc
parent: Rework D-Bus policy of nheko (diff)
download: firejail-f3912910c1a92883671fce6b75a72ec7de865716.tar.gz
firejail-f3912910c1a92883671fce6b75a72ec7de865716.tar.zst
firejail-f3912910c1a92883671fce6b75a72ec7de865716.zip
6 files changed, 27 insertions, 6 deletions
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index e77ceb41c..511d8730e 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -496,6 +496,7 @@ blacklist ${HOME}/.frogatto
 blacklist ${HOME}/.frozen-bubble
 blacklist ${HOME}/.funnyboat
 blacklist ${HOME}/.gallery-dl.conf
+blacklist ${HOME}/.geekbench5
 blacklist ${HOME}/.gimp*
 blacklist ${HOME}/.gist
 blacklist ${HOME}/.gitconfig
diff --git a/etc/profile-a-l/cheese.profile b/etc/profile-a-l/cheese.profile
index 53d221631..978d727f4 100644
--- a/etc/profile-a-l/cheese.profile
+++ b/etc/profile-a-l/cheese.profile
@@ -9,17 +9,24 @@ include globals.local
 noblacklist ${VIDEOS}
 noblacklist ${PICTURES}
+include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 whitelist ${VIDEOS}
 whitelist ${PICTURES}
+whitelist /run/udev/data
+whitelist /usr/libexec/gstreamer-1.0/gst-plugin-scanner
 whitelist /usr/share/gnome-video-effects
+whitelist /usr/share/gstreamer-1.0
 include whitelist-common.inc
+include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -30,21 +37,26 @@ machine-id
 net none
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
+nosound
 notv
 nou2f
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 disable-mnt
 private-bin cheese
 private-cache
+private-dev
 private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0,ld.so.preload
 private-tmp
 dbus-user filter
+dbus-user.own org.gnome.Cheese
 dbus-user.talk ca.desrt.dconf
 dbus-system none
diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile
index 60f2f338d..4812e1368 100644
--- a/etc/profile-a-l/geekbench.profile
+++ b/etc/profile-a-l/geekbench.profile
@@ -6,6 +6,10 @@ include geekbench.local
 # Persistent global definitions
 include globals.local
+noblacklist ${HOME}/.geekbench5
+noblacklist /sbin
+noblacklist /usr/sbin
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -13,6 +17,8 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.geekbench5
+whitelist ${HOME}/.geekbench5
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -39,16 +45,14 @@ shell none
 tracelog
 disable-mnt
-private-bin bash,geekbenc*,sh
+#private-bin bash,geekbench*,sh -- #4576
 private-cache
 private-dev
 private-etc alternatives,group,ld.so.preload,lsb-release,passwd
-private-lib gcc/*/*/libstdc++.so.*
-private-opt none
 private-tmp
 dbus-user none
 dbus-system none
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
 read-only ${HOME}
+read-write ${HOME}/.geekbench5
diff --git a/etc/profile-a-l/inkscape.profile b/etc/profile-a-l/inkscape.profile
index 5e54b5441..e0015e69a 100644
--- a/etc/profile-a-l/inkscape.profile
+++ b/etc/profile-a-l/inkscape.profile
@@ -1,6 +1,7 @@
 # Firejail profile for inkscape
 # Description: Vector-based drawing program
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include inkscape.local
 # Persistent global definitions
diff --git a/etc/profile-m-z/musixmatch.profile b/etc/profile-m-z/musixmatch.profile
index dac90cfa5..aab2ac19d 100644
--- a/etc/profile-m-z/musixmatch.profile
+++ b/etc/profile-m-z/musixmatch.profile
@@ -29,7 +29,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
 disable-mnt
 private-dev
diff --git a/etc/profile-m-z/pandoc.profile b/etc/profile-m-z/pandoc.profile
index b8e8a750f..460f60beb 100644
--- a/etc/profile-m-z/pandoc.profile
+++ b/etc/profile-m-z/pandoc.profile
@@ -11,6 +11,8 @@ blacklist ${RUNUSER}
 noblacklist ${DOCUMENTS}
+include allow-bin-sh.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -19,6 +21,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
+include whitelist-runuser-common.inc
 # breaks pdf output
 #include whitelist-var-common.inc
@@ -39,12 +42,12 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
 disable-mnt
-private-bin context,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf
 private-cache
 private-dev
 private-etc alternatives,ld.so.preload,texlive,texmf
author	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2021-09-30 08:18:19 +0200
committer	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2021-09-30 08:26:28 +0200
commit	f3912910c1a92883671fce6b75a72ec7de865716 (patch)
tree	2dcacaf5d2e259ce4cf71c968d769533e6858591 /etc
parent	Rework D-Bus policy of nheko (diff)
download	firejail-f3912910c1a92883671fce6b75a72ec7de865716.tar.gz firejail-f3912910c1a92883671fce6b75a72ec7de865716.tar.zst firejail-f3912910c1a92883671fce6b75a72ec7de865716.zip

diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index e77ceb41c..511d8730e 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc
@@ -496,6 +496,7 @@ blacklist ${HOME}/.frogatto
496	blacklist ${HOME}/.frozen-bubble	496	blacklist ${HOME}/.frozen-bubble
497	blacklist ${HOME}/.funnyboat	497	blacklist ${HOME}/.funnyboat
498	blacklist ${HOME}/.gallery-dl.conf	498	blacklist ${HOME}/.gallery-dl.conf
		499	blacklist ${HOME}/.geekbench5
499	blacklist ${HOME}/.gimp*	500	blacklist ${HOME}/.gimp*
500	blacklist ${HOME}/.gist	501	blacklist ${HOME}/.gist
501	blacklist ${HOME}/.gitconfig	502	blacklist ${HOME}/.gitconfig


diff --git a/etc/profile-a-l/cheese.profile b/etc/profile-a-l/cheese.profile index 53d221631..978d727f4 100644 --- a/etc/profile-a-l/cheese.profile +++ b/etc/profile-a-l/cheese.profile
@@ -9,17 +9,24 @@ include globals.local
9	noblacklist ${VIDEOS}	9	noblacklist ${VIDEOS}
10	noblacklist ${PICTURES}	10	noblacklist ${PICTURES}
11		11
		12	include allow-python3.inc
		13
12	include disable-common.inc	14	include disable-common.inc
13	include disable-devel.inc	15	include disable-devel.inc
14	include disable-exec.inc	16	include disable-exec.inc
15	include disable-interpreters.inc	17	include disable-interpreters.inc
16	include disable-programs.inc	18	include disable-programs.inc
		19	include disable-shell.inc
17	include disable-xdg.inc	20	include disable-xdg.inc
18		21
19	whitelist ${VIDEOS}	22	whitelist ${VIDEOS}
20	whitelist ${PICTURES}	23	whitelist ${PICTURES}
		24	whitelist /run/udev/data
		25	whitelist /usr/libexec/gstreamer-1.0/gst-plugin-scanner
21	whitelist /usr/share/gnome-video-effects	26	whitelist /usr/share/gnome-video-effects
		27	whitelist /usr/share/gstreamer-1.0
22	include whitelist-common.inc	28	include whitelist-common.inc
		29	include whitelist-run-common.inc
23	include whitelist-runuser-common.inc	30	include whitelist-runuser-common.inc
24	include whitelist-usr-share-common.inc	31	include whitelist-usr-share-common.inc
25	include whitelist-var-common.inc	32	include whitelist-var-common.inc
@@ -30,21 +37,26 @@ machine-id
30	net none	37	net none
31	nodvd	38	nodvd
32	nogroups	39	nogroups
		40	noinput
33	nonewprivs	41	nonewprivs
34	noroot	42	noroot
		43	nosound
35	notv	44	notv
36	nou2f	45	nou2f
37	protocol unix	46	protocol unix
38	seccomp	47	seccomp
		48	seccomp.block-secondary
39	shell none	49	shell none
40	tracelog	50	tracelog
41		51
42	disable-mnt	52	disable-mnt
43	private-bin cheese	53	private-bin cheese
44	private-cache	54	private-cache
		55	private-dev
45	private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0,ld.so.preload	56	private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0,ld.so.preload
46	private-tmp	57	private-tmp
47		58
48	dbus-user filter	59	dbus-user filter
		60	dbus-user.own org.gnome.Cheese
49	dbus-user.talk ca.desrt.dconf	61	dbus-user.talk ca.desrt.dconf
50	dbus-system none	62	dbus-system none


diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile index 60f2f338d..4812e1368 100644 --- a/etc/profile-a-l/geekbench.profile +++ b/etc/profile-a-l/geekbench.profile
@@ -6,6 +6,10 @@ include geekbench.local
6	# Persistent global definitions	6	# Persistent global definitions
7	include globals.local	7	include globals.local
8		8
		9	noblacklist ${HOME}/.geekbench5
		10	noblacklist /sbin
		11	noblacklist /usr/sbin
		12
9	include disable-common.inc	13	include disable-common.inc
10	include disable-devel.inc	14	include disable-devel.inc
11	include disable-exec.inc	15	include disable-exec.inc
@@ -13,6 +17,8 @@ include disable-interpreters.inc
13	include disable-programs.inc	17	include disable-programs.inc
14	include disable-xdg.inc	18	include disable-xdg.inc
15		19
		20	mkdir ${HOME}/.geekbench5
		21	whitelist ${HOME}/.geekbench5
16	include whitelist-common.inc	22	include whitelist-common.inc
17	include whitelist-usr-share-common.inc	23	include whitelist-usr-share-common.inc
18	include whitelist-var-common.inc	24	include whitelist-var-common.inc
@@ -39,16 +45,14 @@ shell none
39	tracelog	45	tracelog
40		46
41	disable-mnt	47	disable-mnt
42	private-bin bash,geekbenc*,sh	48	#private-bin bash,geekbench*,sh -- #4576
43	private-cache	49	private-cache
44	private-dev	50	private-dev
45	private-etc alternatives,group,ld.so.preload,lsb-release,passwd	51	private-etc alternatives,group,ld.so.preload,lsb-release,passwd
46	private-lib gcc///libstdc++.so.*
47	private-opt none
48	private-tmp	52	private-tmp
49		53
50	dbus-user none	54	dbus-user none
51	dbus-system none	55	dbus-system none
52		56
53	#memory-deny-write-execute - breaks on Arch (see issue #1803)
54	read-only ${HOME}	57	read-only ${HOME}
		58	read-write ${HOME}/.geekbench5


diff --git a/etc/profile-a-l/inkscape.profile b/etc/profile-a-l/inkscape.profile index 5e54b5441..e0015e69a 100644 --- a/etc/profile-a-l/inkscape.profile +++ b/etc/profile-a-l/inkscape.profile
@@ -1,6 +1,7 @@
1	# Firejail profile for inkscape	1	# Firejail profile for inkscape
2	# Description: Vector-based drawing program	2	# Description: Vector-based drawing program
3	# This file is overwritten after every install/update	3	# This file is overwritten after every install/update
		4	quiet
4	# Persistent local customizations	5	# Persistent local customizations
5	include inkscape.local	6	include inkscape.local
6	# Persistent global definitions	7	# Persistent global definitions


diff --git a/etc/profile-m-z/musixmatch.profile b/etc/profile-m-z/musixmatch.profile index dac90cfa5..aab2ac19d 100644 --- a/etc/profile-m-z/musixmatch.profile +++ b/etc/profile-m-z/musixmatch.profile
@@ -29,7 +29,7 @@ notv
29	nou2f	29	nou2f
30	novideo	30	novideo
31	protocol unix,inet,inet6,netlink	31	protocol unix,inet,inet6,netlink
32	seccomp	32	seccomp !chroot
33		33
34	disable-mnt	34	disable-mnt
35	private-dev	35	private-dev


diff --git a/etc/profile-m-z/pandoc.profile b/etc/profile-m-z/pandoc.profile index b8e8a750f..460f60beb 100644 --- a/etc/profile-m-z/pandoc.profile +++ b/etc/profile-m-z/pandoc.profile
@@ -11,6 +11,8 @@ blacklist ${RUNUSER}
11		11
12	noblacklist ${DOCUMENTS}	12	noblacklist ${DOCUMENTS}
13		13
		14	include allow-bin-sh.inc
		15
14	include disable-common.inc	16	include disable-common.inc
15	include disable-devel.inc	17	include disable-devel.inc
16	include disable-exec.inc	18	include disable-exec.inc
@@ -19,6 +21,7 @@ include disable-programs.inc
19	include disable-shell.inc	21	include disable-shell.inc
20	include disable-xdg.inc	22	include disable-xdg.inc
21		23
		24	include whitelist-runuser-common.inc
22	# breaks pdf output	25	# breaks pdf output
23	#include whitelist-var-common.inc	26	#include whitelist-var-common.inc
24		27
@@ -39,12 +42,12 @@ nou2f
39	novideo	42	novideo
40	protocol unix	43	protocol unix
41	seccomp	44	seccomp
		45	seccomp.block-secondary
42	shell none	46	shell none
43	tracelog	47	tracelog
44	x11 none	48	x11 none
45		49
46	disable-mnt	50	disable-mnt
47	private-bin context,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf
48	private-cache	51	private-cache
49	private-dev	52	private-dev
50	private-etc alternatives,ld.so.preload,texlive,texmf	53	private-etc alternatives,ld.so.preload,texlive,texmf