-rw-r--r-- | README.md | 5 | ||||
-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | etc/chromium.profile | 1 | ||||
-rw-r--r-- | etc/firefox.profile | 1 | ||||
-rw-r--r-- | etc/galculator.profile | 1 | ||||
-rw-r--r-- | etc/gimp.profile | 2 | ||||
-rw-r--r-- | etc/inkscape.profile | 2 | ||||
-rw-r--r-- | etc/leafpad.profile | 2 | ||||
-rw-r--r-- | etc/mousepad.profile | 2 | ||||
-rw-r--r-- | etc/mpv.profile | 2 | ||||
-rw-r--r-- | etc/transmission-gtk.profile | 1 | ||||
-rw-r--r-- | etc/transmission-qt.profile | 1 | ||||
-rw-r--r-- | etc/vlc.profile | 2 | ||||
-rw-r--r-- | etc/whitelist-var-common.inc | 10 | ||||
-rw-r--r-- | platform/debian/conffiles | 1 |
15 files changed, 34 insertions, 0 deletions
@@ -98,6 +98,11 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir | |||
98 | ````` | 98 | ````` |
99 | # Current development version: 0.9.51 | 99 | # Current development version: 0.9.51 |
100 | 100 | ||
101 | ## Whitelisting /var | ||
102 | |||
103 | Add "include /etc/firejail/whitelist-var-common.inc" to an application profile and test it. If it's working, | ||
104 | send a pull request. I did it so far for some more common applications like Firefox, Chromium etc. | ||
105 | |||
101 | ## Profile build tool | 106 | ## Profile build tool |
102 | ````` | 107 | ````` |
103 | $ firejail --build appname | 108 | $ firejail --build appname |
@@ -1,6 +1,7 @@ | |||
1 | firejail (0.9.51) baseline; urgency=low | 1 | firejail (0.9.51) baseline; urgency=low |
2 | * work in progress! | 2 | * work in progress! |
3 | * feature: --writable-run-user | 3 | * feature: --writable-run-user |
4 | * feature: profile build tool (--build) | ||
4 | -- netblue30 <netblue30@yahoo.com> Thu, 14 Sep 2017 20:00:00 -0500 | 5 | -- netblue30 <netblue30@yahoo.com> Thu, 14 Sep 2017 20:00:00 -0500 |
5 | 6 | ||
6 | firejail (0.9.50~rc1) baseline; urgency=low | 7 | firejail (0.9.50~rc1) baseline; urgency=low |
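--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -23,6 +23,7 @@ whitelist ~/.config/chromium
 whitelist ~/.config/chromium-flags.conf
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.keep sys_chroot,sys_admin
 netfilter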
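--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -59,6 +59,7 @@ whitelist ~/.wine-pipelight64
 whitelist ~/.zotero
 whitelist ~/dwhelper
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter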
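--- a/etc/galculator.profile
+++ b/etc/galculator.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 mkdir ~/.config/galculator
 whitelist ~/.config/galculator
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 net none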
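--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 net none
 nodvd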
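--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd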
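--- a/etc/leafpad.profile
+++ b/etc/leafpad.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 no3d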
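--- a/etc/mousepad.profile
+++ b/etc/mousepad.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd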
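--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nogroups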
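--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -19,6 +19,7 @@ whitelist ${DOWNLOADS}
 whitelist ~/.cache/transmission
 whitelist ~/.config/transmission
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter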
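--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -19,6 +19,7 @@ whitelist ${DOWNLOADS}
 whitelist ~/.cache/transmission
 whitelist ~/.config/transmission
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter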
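--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 # nogroups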
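--- /dev/null
+++ b/etc/whitelist-var-common.inc
@@ -0,0 +1,10 @@
+# Local customizations come here
+include /etc/firejail/whitelist-var-common.local
+
+# common /var whitelist for all profiles
+
+whitelist /var/lib/dbus/machine-id
+whitelist /var/lib/menu-xdg
+whitelist /var/cache/fontconfig
+whitelist /var/tmp
+whitelist /var/run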
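Review bot: `whitelist /var/run` on the last line of the new file admits the whole runtime directory rather than the few entries a desktop application needs; since a whitelisted path is bind-mounted back into the tmpfs that replaces /var, every service socket kept under /var/run stays reachable from each of the twelve profiles that now include this file, and on systems where /var/run is a symlink to /run what is actually exposed depends on how firejail resolves the link, which is worth confirming. `whitelist /var/tmp` likewise keeps the host's shared, world-writable /var/tmp visible and writable from inside the sandbox. Because the file is pulled into every profile in this commit, a one-line comment per entry stating which application need motivates it would let later maintainers tighten the list, e.g. `# /var/run: broad, holds all service sockets; narrow per profile where possible` above the last line. Whether narrower entries under /var/run work in practice depends on firejail's whitelist handling, which is not visible here.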
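--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -357,3 +357,4 @@
 /etc/firejail/zoom.profile
 /etc/firejail/yandex-browser.profile
 /etc/firejail/itch.profile
+/etc/firejail/whitelist-var-common.inc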