-rw-r--r-- | Makefile.in | 2 | ||||
-rw-r--r-- | README.md | 29 | ||||
-rw-r--r-- | RELNOTES | 5 | ||||
-rw-r--r-- | etc/dnscrypt-proxy.profile | 8 | ||||
-rw-r--r-- | etc/unbound.profile | 8 | ||||
-rw-r--r-- | platform/debian/conffiles | 2 |
6 files changed, 54 insertions, 0 deletions
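--- a/Makefile.in
+++ b/Makefile.in
@@ -113,6 +113,8 @@ realinstall:
 install -c -m 0644 etc/wine.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 etc/disable-devel.inc $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 etc/conkeror.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+install -c -m 0644 etc/unbound.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+install -c -m 0644 etc/dnscrypt-proxy.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 bash -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 # man pages
 rm -f firejail.1.gz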
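--- a/README.md
+++ b/README.md
@@ -32,5 +32,34 @@ Usage: https://l3net.wordpress.com/projects/firejail/firejail-usage/
 
 FAQ: https://l3net.wordpress.com/projects/firejail/firejail-faq/
 
+## Development version 0.9.35
 
+### Firefox whitelists:
+
+The current whitelist of files and directories for Firefox is as follows:
+`````
+whitelist ~/.mozilla (0.9.34)
+whitelist ~/Downloads (0.9.34)
+whitelist ~/Загрузки (new in 0.9.35)
+whitelist ~/dwhelper (0.9.34)
+whitelist ~/.zotero (0.9.34)
+whitelist ~/.lastpass (0.9.34)
+whitelist ~/.gtkrc-2.0 (0.9.34)
+whitelist ~/.config/gtk-3.0 (new in 0.9.35)
+whitelist ~/.vimperatorrc (0.9.34)
+whitelist ~/.vimperator (0.9.34)
+whitelist ~/.pentadactylrc (0.9.34)
+whitelist ~/.pentadactyl (0.9.34)
+
+# common
+whitelist ~/.fonts (0.9.34)
+whitelist ~/.fonts.d (0.9.34)
+whitelist ~/.fontconfig (0.9.34)
+whitelist ~/.fonts.conf (0.9.34)
+whitelist ~/.fonts.conf.d (0.9.34)
+`````
+If you are using a plugin or extension that requires other directories, please open a new issue: https://github.com/netblue30/firejail/issues
+
+### New security profiles:
+New profiles introduced in this version: unbound, dnscrypt-proxy
 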
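--- a/RELNOTES
+++ b/RELNOTES
@@ -1,4 +1,9 @@
 firejail (0.9.34) baseline; urgency=low
+* added unbound and dnscrypt-proxy profiles
+* bugfixes
+-- netblue30 <netblue30@yahoo.com> ongoing development
+
+firejail (0.9.34) baseline; urgency=low
 * added --ignore option
 * added --protocol option
 * support dual i386/amd64 seccomp filters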
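--- /dev/null
+++ b/etc/dnscrypt-proxy.profile
@@ -0,0 +1,8 @@
+# security profile for dnscrypt-proxy
+noblacklist /sbin
+noblacklist /usr/sbin
+include /etc/firejail/disable-mgmt.inc
+private
+private-dev
+seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
+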
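Review bot: Neither this profile nor `etc/unbound.profile` (identical apart from the header comment) restricts capabilities, so as far as the profile shows a daemon started as root keeps its full capability set and the only syscall control is the `seccomp.drop` blacklist on line 7. A `caps.keep` line naming only what the daemon needs would tighten both profiles, for example `caps.keep net_bind_service,setgid,setuid`; that set is an assumption and must be confirmed per daemon (unbound may also need `sys_chroot`). The `seccomp.drop` list also names `perf_event_open` twice and has no comment saying why it is spelled out instead of using the default `seccomp` filter. A one-line comment such as `# explicit list instead of default seccomp: <reason>` would help the next maintainer keep it in sync.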
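--- /dev/null
+++ b/etc/unbound.profile
@@ -0,0 +1,8 @@
+# security profile for unbound (https://unbound.net)
+noblacklist /sbin
+noblacklist /usr/sbin
+include /etc/firejail/disable-mgmt.inc
+private
+private-dev
+seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
+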
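--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -39,3 +39,5 @@
 /etc/firejail/wine.profile
 /etc/firejail/disable-devel.inc
 /etc/firejail/conkeror.profile
+/etc/firejail/unbound.profile
+/etc/firejail/dnscrypt-proxy.profile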