116 files changed, 856 insertions, 132 deletions
diff --git a/.gitignore b/.gitignore index 9995da44c..661370b02 100644 --- a/.gitignore +++ b/.gitignore | |||
@@ -33,6 +33,7 @@ src/fsec-optimize/fsec-optimize | |||
33 | src/fcopy/fcopy | 33 | src/fcopy/fcopy |
34 | src/fldd/fldd | 34 | src/fldd/fldd |
35 | src/fbuilder/fbuilder | 35 | src/fbuilder/fbuilder |
36 | etc/profstats | ||
36 | uids.h | 37 | uids.h |
37 | seccomp | 38 | seccomp |
38 | seccomp.debug | 39 | seccomp.debug |
diff --git a/Makefile.in b/Makefile.in index 0285d8592..f7c94aa09 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -1,6 +1,7 @@ | |||
1 | all: apps man filters | 1 | all: apps man filters |
2 | MYLIBS = src/lib | 2 | MYLIBS = src/lib |
3 | APPS = src/firejail src/firemon src/fsec-print src/fsec-optimize src/firecfg src/fnetfilter src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp | 3 | APPS = src/firejail src/firemon src/fsec-print src/fsec-optimize src/firecfg src/fnetfilter src/libtrace src/libtracelog src/ftee \ |
4 | src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp src/profstats | ||
4 | MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 | 5 | MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 |
5 | SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx | 6 | SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx |
6 | 7 | ||
@@ -149,6 +149,31 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
149 | 149 | ||
150 | ## Current development version: 0.9.63 | 150 | ## Current development version: 0.9.63 |
151 | 151 | ||
152 | ### Profile Statistics | ||
153 | |||
154 | A small tool to print profile statistics. Compile as usual and run: | ||
155 | ````` | ||
156 | $ make | ||
157 | $ cd etc | ||
158 | $ ./profstats *.profile | ||
159 | Stats: | ||
160 | profiles 925 | ||
161 | include local profile 925 (include profile-name.local) | ||
162 | include globals 925 (include globals.local) | ||
163 | blacklist ~/.ssh 910 (include disable-common.inc) | ||
164 | seccomp 868 | ||
165 | capabilities 924 | ||
166 | noexec 785 (include disable-exec.inc) | ||
167 | apparmor 426 | ||
168 | private-dev 788 | ||
169 | private-tmp 687 | ||
170 | whitelist var directory 595 (include whitelist-var-common.inc) | ||
171 | net none 274 | ||
172 | ````` | ||
173 | |||
174 | Run ./profstats -h for help. | ||
175 | |||
152 | ### New profiles: | 176 | ### New profiles: |
153 | 177 | ||
154 | gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et, multimc, gnome-hexgl, com.github.johnfactotum.Foliate, desktopeditors, impressive, mupdf-gl, mupdf-x11, mupdf-x11-curl, muraster, mutool, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18, textmaker18free, teams, xournal | 178 | gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et, multimc, gnome-hexgl, com.github.johnfactotum.Foliate, desktopeditors, impressive, mupdf-gl, mupdf-x11, mupdf-x11-curl, muraster, mutool, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18, textmaker18free, teams, xournal, |
179 | gnome-screenshot, ripperX, sound-juicer | ||
@@ -2,13 +2,14 @@ firejail (0.9.63) baseline; urgency=low | |||
2 | * work in progress | 2 | * work in progress |
3 | * DHCP client support | 3 | * DHCP client support |
4 | * SELinux labeling support | 4 | * SELinux labeling support |
5 | * new condition: HAS_NOSOUND | ||
5 | * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster | 6 | * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster |
6 | * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl | 7 | * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl |
7 | * new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11 | 8 | * new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11 |
8 | * new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool | 9 | * new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool |
9 | * new profiles: desktopeditors, impressive, planmaker18, planmaker18free | 10 | * new profiles: desktopeditors, impressive, planmaker18, planmaker18free |
10 | * new profiles: presentations18, presentations18free, textmaker18, teams | 11 | * new profiles: presentations18, presentations18free, textmaker18, teams |
11 | * new profiles: textmaker18free, xournal | 12 | * new profiles: textmaker18free, xournal, gnome-screenshot |
12 | 13 | ||
13 | firejail (0.9.62) baseline; urgency=low | 14 | firejail (0.9.62) baseline; urgency=low |
14 | * added file-copy-limit in /etc/firejail/firejail.config | 15 | * added file-copy-limit in /etc/firejail/firejail.config |
@@ -683,6 +683,7 @@ infodir | |||
683 | docdir | 683 | docdir |
684 | oldincludedir | 684 | oldincludedir |
685 | includedir | 685 | includedir |
686 | runstatedir | ||
686 | localstatedir | 687 | localstatedir |
687 | sharedstatedir | 688 | sharedstatedir |
688 | sysconfdir | 689 | sysconfdir |
@@ -776,6 +777,7 @@ datadir='${datarootdir}' | |||
776 | sysconfdir='${prefix}/etc' | 777 | sysconfdir='${prefix}/etc' |
777 | sharedstatedir='${prefix}/com' | 778 | sharedstatedir='${prefix}/com' |
778 | localstatedir='${prefix}/var' | 779 | localstatedir='${prefix}/var' |
780 | runstatedir='${localstatedir}/run' | ||
779 | includedir='${prefix}/include' | 781 | includedir='${prefix}/include' |
780 | oldincludedir='/usr/include' | 782 | oldincludedir='/usr/include' |
781 | docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' | 783 | docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' |
@@ -1028,6 +1030,15 @@ do | |||
1028 | | -silent | --silent | --silen | --sile | --sil) | 1030 | | -silent | --silent | --silen | --sile | --sil) |
1029 | silent=yes ;; | 1031 | silent=yes ;; |
1030 | 1032 | ||
1033 | -runstatedir | --runstatedir | --runstatedi | --runstated \ | ||
1034 | | --runstate | --runstat | --runsta | --runst | --runs \ | ||
1035 | | --run | --ru | --r) | ||
1036 | ac_prev=runstatedir ;; | ||
1037 | -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ | ||
1038 | | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ | ||
1039 | | --run=* | --ru=* | --r=*) | ||
1040 | runstatedir=$ac_optarg ;; | ||
1041 | |||
1031 | -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) | 1042 | -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) |
1032 | ac_prev=sbindir ;; | 1043 | ac_prev=sbindir ;; |
1033 | -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ | 1044 | -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ |
@@ -1165,7 +1176,7 @@ fi | |||
1165 | for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ | 1176 | for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ |
1166 | datadir sysconfdir sharedstatedir localstatedir includedir \ | 1177 | datadir sysconfdir sharedstatedir localstatedir includedir \ |
1167 | oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ | 1178 | oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ |
1168 | libdir localedir mandir | 1179 | libdir localedir mandir runstatedir |
1169 | do | 1180 | do |
1170 | eval ac_val=\$$ac_var | 1181 | eval ac_val=\$$ac_var |
1171 | # Remove trailing slashes. | 1182 | # Remove trailing slashes. |
@@ -1318,6 +1329,7 @@ Fine tuning of the installation directories: | |||
1318 | --sysconfdir=DIR read-only single-machine data [PREFIX/etc] | 1329 | --sysconfdir=DIR read-only single-machine data [PREFIX/etc] |
1319 | --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] | 1330 | --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] |
1320 | --localstatedir=DIR modifiable single-machine data [PREFIX/var] | 1331 | --localstatedir=DIR modifiable single-machine data [PREFIX/var] |
1332 | --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] | ||
1321 | --libdir=DIR object code libraries [EPREFIX/lib] | 1333 | --libdir=DIR object code libraries [EPREFIX/lib] |
1322 | --includedir=DIR C header files [PREFIX/include] | 1334 | --includedir=DIR C header files [PREFIX/include] |
1323 | --oldincludedir=DIR C header files for non-gcc [/usr/include] | 1335 | --oldincludedir=DIR C header files for non-gcc [/usr/include] |
@@ -4174,7 +4186,7 @@ if test "$prefix" = /usr; then | |||
4174 | test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc" | 4186 | test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc" |
4175 | fi | 4187 | fi |
4176 | 4188 | ||
4177 | ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile" | 4189 | ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile" |
4178 | 4190 | ||
4179 | cat >confcache <<\_ACEOF | 4191 | cat >confcache <<\_ACEOF |
4180 | # This file is a shell script that caches the results of configure | 4192 | # This file is a shell script that caches the results of configure |
@@ -4902,6 +4914,7 @@ do | |||
4902 | "src/fldd/Makefile") CONFIG_FILES="$CONFIG_FILES src/fldd/Makefile" ;; | 4914 | "src/fldd/Makefile") CONFIG_FILES="$CONFIG_FILES src/fldd/Makefile" ;; |
4903 | "src/libpostexecseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpostexecseccomp/Makefile" ;; | 4915 | "src/libpostexecseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpostexecseccomp/Makefile" ;; |
4904 | "src/fsec-optimize/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-optimize/Makefile" ;; | 4916 | "src/fsec-optimize/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-optimize/Makefile" ;; |
4917 | "src/profstats/Makefile") CONFIG_FILES="$CONFIG_FILES src/profstats/Makefile" ;; | ||
4905 | 4918 | ||
4906 | *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; | 4919 | *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; |
4907 | esac | 4920 | esac |
diff --git a/configure.ac b/configure.ac index 3c9f901cb..8cf170c80 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -206,7 +206,8 @@ fi | |||
206 | 206 | ||
207 | AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \ | 207 | AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \ |
208 | src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \ | 208 | src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \ |
209 | src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile) | 209 | src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \ |
210 | src/profstats/Makefile) | ||
210 | 211 | ||
211 | echo | 212 | echo |
212 | echo "Configuration options:" | 213 | echo "Configuration options:" |
diff --git a/etc/2048-qt.profile b/etc/2048-qt.profile index 2347039a6..12268706a 100644 --- a/etc/2048-qt.profile +++ b/etc/2048-qt.profile | |||
@@ -23,8 +23,9 @@ whitelist ${HOME}/.config/xiaoyong | |||
23 | include whitelist-common.inc | 23 | include whitelist-common.inc |
24 | include whitelist-var-common.inc | 24 | include whitelist-var-common.inc |
25 | 25 | ||
26 | apparmor | ||
26 | caps.drop all | 27 | caps.drop all |
27 | netfilter | 28 | net none |
28 | nodvd | 29 | nodvd |
29 | nogroups | 30 | nogroups |
30 | nonewprivs | 31 | nonewprivs |
diff --git a/etc/Screenshot.profile b/etc/Screenshot.profile new file mode 100644 index 000000000..d4b083736 --- /dev/null +++ b/etc/Screenshot.profile | |||
@@ -0,0 +1,6 @@ | |||
1 | # Firejail profile for gnome-screenshot | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | # Temporary fix for https://github.com/netblue30/firejail/issues/2624 | ||
5 | # Redirect | ||
6 | include gnome-screenshot.profile | ||
diff --git a/etc/Viber.profile b/etc/Viber.profile index 925e130de..3195e39fa 100644 --- a/etc/Viber.profile +++ b/etc/Viber.profile | |||
@@ -6,6 +6,7 @@ include Viber.local | |||
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.ViberPC | 8 | noblacklist ${HOME}/.ViberPC |
9 | noblacklist ${PATH}/dig | ||
9 | 10 | ||
10 | include disable-common.inc | 11 | include disable-common.inc |
11 | include disable-devel.inc | 12 | include disable-devel.inc |
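Review bot: `noblacklist ${PATH}/dig` re-exposes a DNS tool that `disable-common.inc` is, in this same commit, starting to blacklist as a DNS-tunnelling vector, and there is no comment saying why Viber needs it. If Viber genuinely shells out to `dig`, a one-line note such as `# Viber invokes dig at startup — TODO confirm` keeps the exception from reading as an accident and tells the next maintainer what to re-test before removing it. The placement before `include disable-common.inc` is correct, since a `noblacklist` only takes effect for `blacklist` lines that follow it.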
diff --git a/etc/asunder.profile b/etc/asunder.profile index 1f3acd735..fceac7cf9 100644 --- a/etc/asunder.profile +++ b/etc/asunder.profile | |||
@@ -20,21 +20,25 @@ include disable-passwdmgr.inc | |||
20 | include disable-programs.inc | 20 | include disable-programs.inc |
21 | include disable-xdg.inc | 21 | include disable-xdg.inc |
22 | 22 | ||
23 | include whitelist-usr-share-common.inc | ||
23 | include whitelist-var-common.inc | 24 | include whitelist-var-common.inc |
24 | 25 | ||
25 | apparmor | 26 | apparmor |
26 | caps.drop all | 27 | caps.drop all |
27 | netfilter | 28 | netfilter |
29 | no3d | ||
28 | nodbus | 30 | nodbus |
29 | # nogroups | 31 | # nogroups |
30 | nonewprivs | 32 | nonewprivs |
31 | noroot | 33 | noroot |
32 | nou2f | 34 | nou2f |
35 | notv | ||
33 | novideo | 36 | novideo |
34 | protocol unix,inet,inet6 | 37 | protocol unix,inet,inet6 |
35 | seccomp | 38 | seccomp |
36 | shell none | 39 | shell none |
37 | 40 | ||
41 | private-cache | ||
38 | private-dev | 42 | private-dev |
39 | private-tmp | 43 | private-tmp |
40 | 44 | ||
diff --git a/etc/atool.profile b/etc/atool.profile index 0250451fc..ff3c81a80 100644 --- a/etc/atool.profile +++ b/etc/atool.profile | |||
@@ -25,7 +25,6 @@ hostname atool | |||
25 | ipc-namespace | 25 | ipc-namespace |
26 | machine-id | 26 | machine-id |
27 | net none | 27 | net none |
28 | netfilter | ||
29 | no3d | 28 | no3d |
30 | nodvd | 29 | nodvd |
31 | nodbus | 30 | nodbus |
diff --git a/etc/baobab.profile b/etc/baobab.profile index 18c862a4d..d87de9d66 100644 --- a/etc/baobab.profile +++ b/etc/baobab.profile | |||
@@ -29,6 +29,7 @@ novideo | |||
29 | protocol unix | 29 | protocol unix |
30 | seccomp | 30 | seccomp |
31 | shell none | 31 | shell none |
32 | tracelog | ||
32 | 33 | ||
33 | private-bin baobab | 34 | private-bin baobab |
34 | private-dev | 35 | private-dev |
diff --git a/etc/bluefish.profile b/etc/bluefish.profile index 412088ba9..a85840d2f 100644 --- a/etc/bluefish.profile +++ b/etc/bluefish.profile | |||
@@ -15,6 +15,7 @@ include disable-programs.inc | |||
15 | 15 | ||
16 | include whitelist-var-common.inc | 16 | include whitelist-var-common.inc |
17 | 17 | ||
18 | apparmor | ||
18 | caps.drop all | 19 | caps.drop all |
19 | net none | 20 | net none |
20 | no3d | 21 | no3d |
diff --git a/etc/brasero.profile b/etc/brasero.profile index 67fc07afb..417a6b3e0 100644 --- a/etc/brasero.profile +++ b/etc/brasero.profile | |||
@@ -15,6 +15,9 @@ include disable-interpreters.inc | |||
15 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | 17 | ||
18 | include whitelist-var-common.inc | ||
19 | |||
20 | apparmor | ||
18 | caps.drop all | 21 | caps.drop all |
19 | net none | 22 | net none |
20 | nogroups | 23 | nogroups |
diff --git a/etc/calibre.profile b/etc/calibre.profile index ad6f0aa0d..d17cfa85f 100644 --- a/etc/calibre.profile +++ b/etc/calibre.profile | |||
@@ -19,6 +19,7 @@ include disable-xdg.inc | |||
19 | 19 | ||
20 | include whitelist-var-common.inc | 20 | include whitelist-var-common.inc |
21 | 21 | ||
22 | apparmor | ||
22 | caps.drop all | 23 | caps.drop all |
23 | netfilter | 24 | netfilter |
24 | nodvd | 25 | nodvd |
diff --git a/etc/catfish.profile b/etc/catfish.profile index c6c2d7e8a..577391c5d 100644 --- a/etc/catfish.profile +++ b/etc/catfish.profile | |||
@@ -24,6 +24,7 @@ include disable-passwdmgr.inc | |||
24 | whitelist /var/lib/mlocate | 24 | whitelist /var/lib/mlocate |
25 | include whitelist-var-common.inc | 25 | include whitelist-var-common.inc |
26 | 26 | ||
27 | apparmor | ||
27 | caps.drop all | 28 | caps.drop all |
28 | net none | 29 | net none |
29 | no3d | 30 | no3d |
diff --git a/etc/curl.profile b/etc/curl.profile index 3f93e5f7e..a720aca9b 100644 --- a/etc/curl.profile +++ b/etc/curl.profile | |||
@@ -19,7 +19,9 @@ include disable-programs.inc | |||
19 | #include disable-xdg.inc | 19 | #include disable-xdg.inc |
20 | 20 | ||
21 | include whitelist-usr-share-common.inc | 21 | include whitelist-usr-share-common.inc |
22 | include whitelist-var-common.inc | ||
22 | 23 | ||
24 | apparmor | ||
23 | caps.drop all | 25 | caps.drop all |
24 | ipc-namespace | 26 | ipc-namespace |
25 | machine-id | 27 | machine-id |
diff --git a/etc/default.profile b/etc/default.profile index 95a6e8095..7731b6e00 100644 --- a/etc/default.profile +++ b/etc/default.profile | |||
@@ -16,6 +16,11 @@ include disable-passwdmgr.inc | |||
16 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | # include disable-xdg.inc | 17 | # include disable-xdg.inc |
18 | 18 | ||
19 | # include whitelist-common.inc | ||
20 | # include whitelist-usr-share-common.inc | ||
21 | # include whitelist-runuser-common.inc | ||
22 | # include whitelist-var-common.inc | ||
23 | |||
19 | # apparmor | 24 | # apparmor |
20 | caps.drop all | 25 | caps.drop all |
21 | # ipc-namespace | 26 | # ipc-namespace |
@@ -42,8 +47,11 @@ seccomp | |||
42 | # private-bin program | 47 | # private-bin program |
43 | # private-cache | 48 | # private-cache |
44 | # private-dev | 49 | # private-dev |
45 | # private-etc alternatives | 50 | # see /usr/share/doc/firejail/profile.template for more common private-etc paths. |
51 | # private-etc alternatives,fonts,machine-id | ||
46 | # private-lib | 52 | # private-lib |
53 | # private-opt none | ||
47 | # private-tmp | 54 | # private-tmp |
48 | 55 | ||
49 | # memory-deny-write-execute | 56 | # memory-deny-write-execute |
57 | # read-only ${HOME} | ||
diff --git a/etc/deluge.profile b/etc/deluge.profile index 8f4f9fbe9..17c5059f5 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile | |||
@@ -14,6 +14,7 @@ include allow-python3.inc | |||
14 | 14 | ||
15 | include disable-common.inc | 15 | include disable-common.inc |
16 | # include disable-devel.inc | 16 | # include disable-devel.inc |
17 | include disable-exec.inc | ||
17 | include disable-interpreters.inc | 18 | include disable-interpreters.inc |
18 | include disable-passwdmgr.inc | 19 | include disable-passwdmgr.inc |
19 | include disable-programs.inc | 20 | include disable-programs.inc |
@@ -24,6 +25,7 @@ whitelist ${HOME}/.config/deluge | |||
24 | include whitelist-common.inc | 25 | include whitelist-common.inc |
25 | include whitelist-var-common.inc | 26 | include whitelist-var-common.inc |
26 | 27 | ||
28 | apparmor | ||
27 | caps.drop all | 29 | caps.drop all |
28 | machine-id | 30 | machine-id |
29 | netfilter | 31 | netfilter |
diff --git a/etc/dia.profile b/etc/dia.profile index bd79797b7..3a8651e2e 100644 --- a/etc/dia.profile +++ b/etc/dia.profile | |||
@@ -19,6 +19,9 @@ include disable-passwdmgr.inc | |||
19 | include disable-programs.inc | 19 | include disable-programs.inc |
20 | include disable-xdg.inc | 20 | include disable-xdg.inc |
21 | 21 | ||
22 | include whitelist-var-common.inc | ||
23 | |||
24 | apparmor | ||
22 | caps.drop all | 25 | caps.drop all |
23 | net none | 26 | net none |
24 | no3d | 27 | no3d |
diff --git a/etc/dig.profile b/etc/dig.profile index 054e4891d..e6b7e46d9 100644 --- a/etc/dig.profile +++ b/etc/dig.profile | |||
@@ -8,6 +8,7 @@ include dig.local | |||
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | noblacklist ${HOME}/.digrc | 10 | noblacklist ${HOME}/.digrc |
11 | noblacklist ${PATH}/dig | ||
11 | 12 | ||
12 | blacklist /tmp/.X11-unix | 13 | blacklist /tmp/.X11-unix |
13 | 14 | ||
@@ -25,6 +26,7 @@ include whitelist-common.inc | |||
25 | include whitelist-usr-share-common.inc | 26 | include whitelist-usr-share-common.inc |
26 | include whitelist-var-common.inc | 27 | include whitelist-var-common.inc |
27 | 28 | ||
29 | apparmor | ||
28 | caps.drop all | 30 | caps.drop all |
29 | ipc-namespace | 31 | ipc-namespace |
30 | machine-id | 32 | machine-id |
@@ -47,7 +49,6 @@ tracelog | |||
47 | disable-mnt | 49 | disable-mnt |
48 | private | 50 | private |
49 | private-bin bash,dig,sh | 51 | private-bin bash,dig,sh |
50 | private-cache | ||
51 | private-dev | 52 | private-dev |
52 | # Uncomment the next line (or put 'private-lib' in your dig.local) on non Debian/Ubuntu OS (see issue #3038) | 53 | # Uncomment the next line (or put 'private-lib' in your dig.local) on non Debian/Ubuntu OS (see issue #3038) |
53 | #private-lib | 54 | #private-lib |
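Review bot: The last hunk drops `private-cache` without a comment; it is presumably redundant because `private` (new line 50) already replaces `${HOME}` with an empty tmpfs, but that reasoning lives only in the reviewer's head. A short note such as `# private-cache is implied by private` on the line above `private-dev` would stop it from being re-added later. The `noblacklist ${PATH}/dig` placed ahead of the `disable-*.inc` includes is what keeps this profile working once `disable-common.inc` starts blacklisting dig, which is also worth one comment so the two changes stay linked.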
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index bf29cd137..815e4b13d 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
@@ -444,7 +444,14 @@ blacklist /.snapshots | |||
444 | 444 | ||
445 | # flatpak | 445 | # flatpak |
446 | blacklist ${HOME}/.config/flatpak | 446 | blacklist ${HOME}/.config/flatpak |
447 | blacklist ${HOME}/.local/share/flatpak | 447 | blacklist ${HOME}/.local/share/flatpak/app |
448 | blacklist ${HOME}/.local/share/flatpak/appstream | ||
449 | blacklist ${HOME}/.local/share/flatpak/db | ||
450 | read-only ${HOME}/.local/share/flatpak/exports | ||
451 | blacklist ${HOME}/.local/share/flatpak/oci | ||
452 | blacklist ${HOME}/.local/share/flatpak/overrides | ||
453 | blacklist ${HOME}/.local/share/flatpak/repo | ||
454 | blacklist ${HOME}/.local/share/flatpak/runtime | ||
448 | blacklist ${HOME}/.var | 455 | blacklist ${HOME}/.var |
449 | blacklist /usr/share/flatpak | 456 | blacklist /usr/share/flatpak |
450 | blacklist /var/lib/flatpak | 457 | blacklist /var/lib/flatpak |
@@ -462,3 +469,16 @@ blacklist ${HOME}/sent | |||
462 | 469 | ||
463 | # kernel configuration | 470 | # kernel configuration |
464 | blacklist /proc/config.gz | 471 | blacklist /proc/config.gz |
472 | |||
473 | # prevent DNS malware attempting to communicate with the server | ||
474 | # using regular DNS tools | ||
475 | blacklist ${PATH}/dig | ||
476 | blacklist ${PATH}/kdig | ||
477 | blacklist ${PATH}/nslookup | ||
478 | blacklist ${PATH}/host | ||
479 | blacklist ${PATH}/dlint | ||
480 | blacklist ${PATH}/dnswalk | ||
481 | blacklist ${PATH}/dns2tcp | ||
482 | blacklist ${PATH}/iodine | ||
483 | blacklist ${PATH}/knsupdate | ||
484 | blacklist ${PATH}/resolvectl | ||
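Review bot: The DNS-tool denylist added at the end of the file (`blacklist ${PATH}/dig` through `blacklist ${PATH}/resolvectl`) blocks named binaries rather than the DNS protocol, so it only raises the bar for tooling that happens to be on the list; anything that opens a UDP socket to port 53 itself, or resolves through libc via e.g. `getent hosts`, is untouched. If the list is kept, the ldns `drill`, BIND's `delv` and `nsupdate`, and `getent` are the obvious omissions where installed, e.g. `blacklist ${PATH}/drill`, `blacklist ${PATH}/delv`, `blacklist ${PATH}/nsupdate`. The header comment should say plainly that this is hardening against off-the-shelf tunnelling tools and not a network control — the actual boundary remains `net none`/`netfilter` in the individual profiles — so nobody relies on it as one.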
diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index 59df9fb0f..e1ba13380 100644 --- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc | |||
@@ -26,7 +26,6 @@ blacklist ${PATH}/*-gcc* | |||
26 | blacklist ${PATH}/*-g++* | 26 | blacklist ${PATH}/*-g++* |
27 | blacklist ${PATH}/*-gcc* | 27 | blacklist ${PATH}/*-gcc* |
28 | blacklist ${PATH}/*-g++* | 28 | blacklist ${PATH}/*-g++* |
29 | blacklist /usr/include | ||
30 | # seems to create problems on Gentoo | 29 | # seems to create problems on Gentoo |
31 | #blacklist /usr/lib/gcc | 30 | #blacklist /usr/lib/gcc |
32 | 31 | ||
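Review bot: Removing `blacklist /usr/include` quietly widens every profile that includes `disable-devel.inc`, and the hunk carries no comment on what broke; the neighbouring `#blacklist /usr/lib/gcc` with `# seems to create problems on Gentoo` shows the file's convention of keeping a disabled entry together with its reason. Follow that here and keep the line commented out with the trigger, e.g. `# breaks <program> on <distro>` followed by `#blacklist /usr/include`, rather than deleting it outright.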
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index db257c1b6..b54c1cce3 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
@@ -305,6 +305,7 @@ blacklist ${HOME}/.config/slimjet | |||
305 | blacklist ${HOME}/.config/smplayer | 305 | blacklist ${HOME}/.config/smplayer |
306 | blacklist ${HOME}/.config/smtube | 306 | blacklist ${HOME}/.config/smtube |
307 | blacklist ${HOME}/.config/snox | 307 | blacklist ${HOME}/.config/snox |
308 | blacklist ${HOME}/.config/sound-juicer | ||
308 | blacklist ${HOME}/.config/specialmailcollectionsrc | 309 | blacklist ${HOME}/.config/specialmailcollectionsrc |
309 | blacklist ${HOME}/.config/spotify | 310 | blacklist ${HOME}/.config/spotify |
310 | blacklist ${HOME}/.config/sqlitebrowser | 311 | blacklist ${HOME}/.config/sqlitebrowser |
@@ -650,6 +651,7 @@ blacklist ${HOME}/.remmina | |||
650 | blacklist ${HOME}/.repo_.gitconfig.json | 651 | blacklist ${HOME}/.repo_.gitconfig.json |
651 | blacklist ${HOME}/.repoconfig | 652 | blacklist ${HOME}/.repoconfig |
652 | blacklist ${HOME}/.retroshare | 653 | blacklist ${HOME}/.retroshare |
654 | blacklist ${HOME}/.ripperXrc | ||
653 | blacklist ${HOME}/.scorched3d | 655 | blacklist ${HOME}/.scorched3d |
654 | blacklist ${HOME}/.scribus | 656 | blacklist ${HOME}/.scribus |
655 | blacklist ${HOME}/.scribusrc | 657 | blacklist ${HOME}/.scribusrc |
@@ -759,6 +761,7 @@ blacklist ${HOME}/.cache/gfeeds | |||
759 | blacklist ${HOME}/.cache/gimp | 761 | blacklist ${HOME}/.cache/gimp |
760 | blacklist ${HOME}/.cache/gnome-builder | 762 | blacklist ${HOME}/.cache/gnome-builder |
761 | blacklist ${HOME}/.cache/gnome-recipes | 763 | blacklist ${HOME}/.cache/gnome-recipes |
764 | blacklist ${HOME}/.cache/gnome-screenshot | ||
762 | blacklist ${HOME}/.cache/gnome-twitch | 765 | blacklist ${HOME}/.cache/gnome-twitch |
763 | blacklist ${HOME}/.cache/godot | 766 | blacklist ${HOME}/.cache/godot |
764 | blacklist ${HOME}/.cache/google-chrome | 767 | blacklist ${HOME}/.cache/google-chrome |
diff --git a/etc/discord-common.profile b/etc/discord-common.profile index a6e730937..43e8d5cd7 100644 --- a/etc/discord-common.profile +++ b/etc/discord-common.profile | |||
@@ -6,8 +6,11 @@ include discord-common.local | |||
6 | # added by caller profile | 6 | # added by caller profile |
7 | #include globals.local | 7 | #include globals.local |
8 | 8 | ||
9 | ignore noexec ${HOME} | ||
10 | |||
9 | include disable-common.inc | 11 | include disable-common.inc |
10 | include disable-devel.inc | 12 | include disable-devel.inc |
13 | include disable-exec.inc | ||
11 | include disable-passwdmgr.inc | 14 | include disable-passwdmgr.inc |
12 | include disable-programs.inc | 15 | include disable-programs.inc |
13 | 16 | ||
@@ -25,11 +28,9 @@ notv | |||
25 | nou2f | 28 | nou2f |
26 | novideo | 29 | novideo |
27 | protocol unix,inet,inet6,netlink | 30 | protocol unix,inet,inet6,netlink |
28 | seccomp | 31 | seccomp !chroot |
29 | 32 | ||
30 | private-bin bash,cut,echo,egrep,grep,head,sed,sh,tr,xdg-mime,xdg-open,zsh | 33 | private-bin bash,cut,echo,egrep,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh |
31 | private-dev | 34 | private-dev |
32 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl | 35 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl |
33 | private-tmp | 36 | private-tmp |
34 | |||
35 | noexec /tmp | ||
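Review bot: `seccomp !chroot` (new line 31) removes chroot(2) from the default seccomp blocklist with no comment saying why, and the same change adds `tclsh` to `private-bin` and `ignore noexec ${HOME}` at the top, each of which widens what the sandbox can execute. Every such exception should carry its rationale so it is not silently carried forward, e.g. `# chroot is used by the bundled Chromium/Electron sandbox — TODO confirm` above the seccomp line and a note naming which Discord component needs tclsh. The `ignore noexec ${HOME}` presumably cancels the `noexec ${HOME}` that `disable-exec.inc` brings in because Discord runs from its own directory under `${HOME}`; if so, say so, and consider re-adding `noexec` for the parts of `${HOME}` it does not need to execute from. Dropping the explicit `noexec /tmp` is only safe if `disable-exec.inc` still provides it — the include is visible here but its contents are not, so worth double-checking.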
diff --git a/etc/fbreader.profile b/etc/fbreader.profile index 701f14dce..af670cee2 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile | |||
@@ -11,6 +11,7 @@ noblacklist ${DOCUMENTS} | |||
11 | 11 | ||
12 | include disable-common.inc | 12 | include disable-common.inc |
13 | include disable-devel.inc | 13 | include disable-devel.inc |
14 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
15 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 17 | include disable-programs.inc |
@@ -18,8 +19,9 @@ include disable-xdg.inc | |||
18 | 19 | ||
19 | include whitelist-var-common.inc | 20 | include whitelist-var-common.inc |
20 | 21 | ||
22 | apparmor | ||
21 | caps.drop all | 23 | caps.drop all |
22 | netfilter | 24 | net none |
23 | nodvd | 25 | nodvd |
24 | nonewprivs | 26 | nonewprivs |
25 | noroot | 27 | noroot |
diff --git a/etc/file-roller.profile b/etc/file-roller.profile index 253b82cfe..9d84f07de 100644 --- a/etc/file-roller.profile +++ b/etc/file-roller.profile | |||
@@ -36,7 +36,7 @@ seccomp | |||
36 | shell none | 36 | shell none |
37 | tracelog | 37 | tracelog |
38 | 38 | ||
39 | private-bin 7z,7za,7zr,ar,arj,brotli,bzip2,compress,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,rar,rzip,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,xz,zip,zoo | 39 | private-bin 7z,7za,7zr,ar,arj,bash,brotli,bzip2,compress,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,p7zip,rar,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,xz,zip,zoo |
40 | private-cache | 40 | private-cache |
41 | private-dev | 41 | private-dev |
42 | private-etc dconf,fonts,gtk-3.0,xdg | 42 | private-etc dconf,fonts,gtk-3.0,xdg |
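Review bot: Adding `bash` and `sh` to `private-bin` puts a shell back inside a sandbox that declares `shell none`; the likely reason is that the newly added `p7zip` is a shell-script wrapper on some distributions, but that should be written down, e.g. `# bash,sh: p7zip is a shell wrapper script` on the line above `private-bin`. Since file-roller processes untrusted archives, a shell in `private-bin` is exactly what an exploit of one of the extractors would want, so the comment should make the dependency explicit so it can be dropped if p7zip stops needing it.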
diff --git a/etc/file.profile b/etc/file.profile index 9b21818f8..82b161d48 100644 --- a/etc/file.profile +++ b/etc/file.profile | |||
@@ -38,8 +38,8 @@ x11 none | |||
38 | #private-bin bzip2,file,gzip,lrzip,lz4,lzip,xz,zstd | 38 | #private-bin bzip2,file,gzip,lrzip,lz4,lzip,xz,zstd |
39 | private-cache | 39 | private-cache |
40 | private-dev | 40 | private-dev |
41 | private-etc alternatives,localtime,magic,magic.mgc | 41 | #private-etc alternatives,localtime,magic,magic.mgc |
42 | private-lib file,libarchive.so.*,libfakeroot,libmagic.so.* | 42 | #private-lib file,libarchive.so.*,libfakeroot,libmagic.so.*,libseccomp.so.* |
43 | 43 | ||
44 | memory-deny-write-execute | 44 | memory-deny-write-execute |
45 | read-only ${HOME} | 45 | read-only ${HOME} |
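Review bot: Commenting out `private-etc` and `private-lib` removes two of this profile's stronger confinement layers without recording why (presumably a breakage on some distribution, given `libseccomp.so.*` was added to the `private-lib` list in the same edit). A reason belongs next to the commented lines, e.g. `# private-etc/private-lib disabled: <what broke, which distro/issue>`, so they can be re-enabled once the underlying problem is fixed. Since `file` is routinely run on untrusted input, pointing users at `file.local` for opting back in would also be worth a line.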
diff --git a/etc/firejail-default b/etc/firejail-default index 763b838d3..e68e51c63 100644 --- a/etc/firejail-default +++ b/etc/firejail-default | |||
@@ -65,6 +65,8 @@ owner /proc/@{PID}/{uid_map,gid_map,setgroups} w, | |||
65 | 65 | ||
66 | # Needed for electron apps | 66 | # Needed for electron apps |
67 | /proc/@{PID}/comm w, | 67 | /proc/@{PID}/comm w, |
68 | # Needed for nslookup, dig, host | ||
69 | /proc/@{PID}/task/@{PID}/comm w, | ||
68 | 70 | ||
69 | # Used by chromium | 71 | # Used by chromium |
70 | owner /proc/@{PID}/oom_score_adj w, | 72 | owner /proc/@{PID}/oom_score_adj w, |
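Review bot: The new rule `/proc/@{PID}/task/@{PID}/comm w,` is granted without the `owner` qualifier, unlike `owner /proc/@{PID}/oom_score_adj w,` a few lines below, so the policy permits writing thread names under any process's task directory rather than only files owned by the sandboxed user. As far as I recall the kernel only lets a task rename threads in its own thread group anyway, so `owner /proc/@{PID}/task/@{PID}/comm w,` cannot break dig/nslookup/host and keeps the policy no looser than it needs to be. The pre-existing electron line above has the same shape, but that is outside this change.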
diff --git a/etc/freeciv.profile b/etc/freeciv.profile index fa115d325..379c5eca9 100644 --- a/etc/freeciv.profile +++ b/etc/freeciv.profile | |||
@@ -21,6 +21,7 @@ whitelist ${HOME}/.freeciv | |||
21 | include whitelist-common.inc | 21 | include whitelist-common.inc |
22 | include whitelist-var-common.inc | 22 | include whitelist-var-common.inc |
23 | 23 | ||
24 | apparmor | ||
24 | caps.drop all | 25 | caps.drop all |
25 | ipc-namespace | 26 | ipc-namespace |
26 | netfilter | 27 | netfilter |
diff --git a/etc/freeoffice-planmaker.profile b/etc/freeoffice-planmaker.profile index b6ca167eb..9449e7c48 100644 --- a/etc/freeoffice-planmaker.profile +++ b/etc/freeoffice-planmaker.profile | |||
@@ -7,4 +7,4 @@ include freeoffice-planmaker.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Redirect | 9 | # Redirect |
10 | include softmaker-common.profile | 10 | include softmaker-common.inc |
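--- a/etc/freeoffice-presentations.profile
+++ b/etc/freeoffice-presentations.profile
@@ -7,4 +7,4 @@ include freeoffice-presentations.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc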
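--- a/etc/freeoffice-textmaker.profile
+++ b/etc/freeoffice-textmaker.profile
@@ -6,4 +6,4 @@ include freeoffice-textmaker.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc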
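--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -13,6 +13,7 @@ include allow-perl.inc
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -22,6 +23,7 @@ whitelist ${HOME}/.frozen-bubble
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
 nodbus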
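--- a/etc/gitg.profile
+++ b/etc/gitg.profile
@@ -19,6 +19,14 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+#whitelist ${HOME}/YOUR_GIT_PROJECTS_DIRECTORY
+#whitelist ${HOME}/.config/git
+#whitelist ${HOME}/.gitconfig
+#whitelist ${HOME}/.git-credentials
+#whitelist ${HOME}/.local/share/gitg
+#whitelist ${HOME}/.ssh
+#include whitelist-common.inc
+
 whitelist /usr/share/gitg
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc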
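Review bot: The commented template at new lines 22–28 lists `#whitelist ${HOME}/.ssh` and `#whitelist ${HOME}/.git-credentials` beside ordinary config paths, with nothing saying that enabling them hands the sandboxed process the user's private keys and plaintext credentials. A user who uncomments the whole block to make pushes work gets the broadest grant by default. I'd put a comment above those two lines, e.g. `# .ssh and .git-credentials hold secrets; enable only if needed and consider read-only ${HOME}/.ssh`, since `read-only` is already used by other profiles in this repository.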
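--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -13,7 +13,6 @@ include globals.local
 
 noblacklist ${HOME}/.cache/champlain
 noblacklist ${HOME}/.cache/org.gnome.Maps
-noblacklist ${HOME}/.local/share/flatpak
 noblacklist ${HOME}/.local/share/maps-places.json
 
 # Allow gjs (blacklisted by disable-interpreters.inc)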
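--- /dev/null
+++ b/etc/gnome-screenshot.profile
@@ -0,0 +1,47 @@
+# Firejail profile for gnome-screenshot
+# Description: GNOME screenshot tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-screenshot.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PICTURES}
+noblacklist ${HOME}/.cache/gnome-screenshot
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${RUNUSER}/bus
+whitelist ${RUNUSER}/pulse
+whitelist ${RUNUSER}/gdm/Xauthority
+whitelist ${RUNUSER}/wayland-0
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin gnome-screenshot
+private-dev
+private-etc dconf,fonts,gtk-3.0,localtime,machine-id
+private-tmp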
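--- a/etc/gnome-sound-recorder.profile
+++ b/etc/gnome-sound-recorder.profile
@@ -7,7 +7,6 @@ include gnome-sound-recorder.local
 include globals.local
 
 noblacklist ${MUSIC}
-noblacklist ${HOME}/.local/share/flatpak
 noblacklist ${HOME}/.local/share/Trash
 
 # Allow gjs (blacklisted by disable-interpreters.inc)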
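--- a/etc/handbrake.profile
+++ b/etc/handbrake.profile
@@ -22,7 +22,7 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-netfilter
+net none
 nodbus
 nogroups
 nonewprivs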
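--- /dev/null
+++ b/etc/host.profile
@@ -0,0 +1,49 @@
+# Firejail profile for host
+# Description: DNS lookup utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include host.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/host
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin bash,host,sh
+private-dev
+private-tmp
+
+memory-deny-write-execute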
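--- a/etc/kino.profile
+++ b/etc/kino.profile
@@ -16,6 +16,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-var-common.inc
+
+apparmor
 caps.drop all
 netfilter
 nogroups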
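--- a/etc/leafpad.profile
+++ b/etc/leafpad.profile
@@ -17,8 +17,9 @@ include disable-programs.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
-netfilter
+net none
 no3d
 nodvd
 nogroups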
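--- a/etc/lincity-ng.profile
+++ b/etc/lincity-ng.profile
@@ -21,6 +21,7 @@ whitelist ${HOME}/.lincity-ng
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 net none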
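--- a/etc/lrzuntar.profile
+++ b/etc/lrzuntar.profile
@@ -7,6 +7,7 @@ include lrzuntar.local
 # Persistent global definitions
 # added by included profile
 #include globals.local
+quiet
 
 # Redirect
 include cpio.profile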
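--- a/etc/lximage-qt.profile
+++ b/etc/lximage-qt.profile
@@ -14,9 +14,11 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
-netfilter
+net none
 no3d
 nodvd
 nogroups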
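--- a/etc/lxmusic.profile
+++ b/etc/lxmusic.profile
@@ -20,6 +20,7 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 no3d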
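--- a/etc/lzcat.profile
+++ b/etc/lzcat.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile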
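--- a/etc/lzcmp.profile
+++ b/etc/lzcmp.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile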
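--- a/etc/lzegrep.profile
+++ b/etc/lzegrep.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile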
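--- a/etc/lzfgrep.profile
+++ b/etc/lzfgrep.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile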
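--- a/etc/lzgrep.profile
+++ b/etc/lzgrep.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile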
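--- a/etc/lzip.profile
+++ b/etc/lzip.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile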
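--- a/etc/lzless.profile
+++ b/etc/lzless.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile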
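--- a/etc/lzma.profile
+++ b/etc/lzma.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile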
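--- a/etc/lzmainfo.profile
+++ b/etc/lzmainfo.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile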
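--- a/etc/lzmore.profile
+++ b/etc/lzmore.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile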
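--- a/etc/mate-calc.profile
+++ b/etc/mate-calc.profile
@@ -22,7 +22,9 @@ whitelist ${HOME}/.cache/mate-calc
 whitelist ${HOME}/.config/caja
 whitelist ${HOME}/.config/mate-menu
 include whitelist-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
 no3d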
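--- a/etc/mate-dictionary.profile
+++ b/etc/mate-dictionary.profile
@@ -18,6 +18,7 @@ mkdir ${HOME}/.config/mate/mate-dictionary
 whitelist ${HOME}/.config/mate/mate-dictionary
 include whitelist-common.inc
 
+apparmor
 caps.drop all
 netfilter
 no3d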
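--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -48,7 +48,9 @@ whitelist ${HOME}/.local/share/webkitgtk
 whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
 include whitelist-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -60,3 +62,4 @@ seccomp
 tracelog
 
 disable-mnt
+private-tmp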
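--- a/etc/mousepad.profile
+++ b/etc/mousepad.profile
@@ -17,8 +17,9 @@ include disable-programs.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
-netfilter
+net none
 nodvd
 nogroups
 nonewprivs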
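--- a/etc/mplayer.profile
+++ b/etc/mplayer.profile
@@ -21,7 +21,9 @@ include disable-xdg.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
+# net none - mplayer can be used for streaming.
 netfilter
 # nogroups
 nonewprivs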
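--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -18,6 +18,7 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 machine-id
 net none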
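--- a/etc/musescore.profile
+++ b/etc/musescore.profile
@@ -23,6 +23,7 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 no3d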
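--- /dev/null
+++ b/etc/nslookup.profile
@@ -0,0 +1,49 @@
+# Firejail profile for nslookup
+# Description: DNS lookup utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include nslookup.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/nslookup
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin bash,nslookup,sh
+private-dev
+private-tmp
+
+memory-deny-write-execute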
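--- a/etc/open-invaders.profile
+++ b/etc/open-invaders.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.openinvaders
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -17,7 +18,9 @@ include disable-programs.inc
 mkdir ${HOME}/.openinvaders
 whitelist ${HOME}/.openinvaders
 include whitelist-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
 nodbus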
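--- a/etc/opencity.profile
+++ b/etc/opencity.profile
@@ -21,6 +21,7 @@ whitelist ${HOME}/.opencity
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 net none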
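--- a/etc/openclonk.profile
+++ b/etc/openclonk.profile
@@ -21,9 +21,11 @@ whitelist ${HOME}/.clonk
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
-net none
+# net none - networked game
+netfilter
 nodbus
 nodvd
 nogroups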
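--- a/etc/openttd.profile
+++ b/etc/openttd.profile
@@ -21,9 +21,10 @@ whitelist ${HOME}/.openttd
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
-netfilter
+net none
 nodbus
 nodvd
 nogroups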
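Review bot: Switching `netfilter` to `net none` at new line 27 disables networking for OpenTTD, which as far as I know has built-in multiplayer and online content download; this same commit keeps `netfilter` for openclonk with the comment `# net none - networked game`. If OpenTTD's network features are meant to keep working, the openclonk treatment looks like the consistent choice. If the cut is intentional, a comment such as `# net none - multiplayer and online content deliberately disabled` would keep it from being reverted later as a regression.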
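--- a/etc/ping.profile
+++ b/etc/ping.profile
@@ -19,6 +19,7 @@ include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.keep net_raw
 ipc-namespace
 #net tun0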
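--- a/etc/pingus.profile
+++ b/etc/pingus.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.pingus
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -17,7 +18,9 @@ include disable-programs.inc
 mkdir ${HOME}/.pingus
 whitelist ${HOME}/.pingus
 include whitelist-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
 nodbus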
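--- a/etc/planmaker18.profile
+++ b/etc/planmaker18.profile
@@ -7,4 +7,4 @@ include planmaker18.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc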
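--- a/etc/planmaker18free.profile
+++ b/etc/planmaker18free.profile
@@ -7,4 +7,4 @@ include planmaker18free.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc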
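--- a/etc/ppsspp.profile
+++ b/etc/ppsspp.profile
@@ -21,7 +21,6 @@ include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace
-netfilter
 net none
 nodbus
 nodvd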
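--- a/etc/presentations18.profile
+++ b/etc/presentations18.profile
@@ -7,4 +7,5 @@ include presentations18.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc
+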
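--- a/etc/presentations18free.profile
+++ b/etc/presentations18free.profile
@@ -7,4 +7,4 @@ include presentations18free.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc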
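--- a/etc/qpdfview.profile
+++ b/etc/qpdfview.profile
@@ -20,6 +20,7 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 machine-id
 # needs D-Bus when started from a file manager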
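--- /dev/null
+++ b/etc/ripperx.profile
@@ -0,0 +1,41 @@
+# Firejail profile for mpv
+# Description: Graphical audio CD ripper and encoder
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ripperx.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.ripperXrc
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodbus
+nogroups
+nonewprivs
+noroot
+nou2f
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp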
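Review bot: The header at new line 1 reads `# Firejail profile for mpv`, which looks copied from another profile; it should be `# Firejail profile for ripperx`. The new etc/sound-juicer.profile in this commit carries the same line and needs `# Firejail profile for sound-juicer`. The Description on line 2 is also identical in both files, which fits ripperX but is worth a check for Sound Juicer.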
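--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -40,6 +40,7 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
 nodbus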
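--- a/etc/slack.profile
+++ b/etc/slack.profile
@@ -28,7 +28,7 @@ noroot
 notv
 nou2f
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
 shell none
 
 disable-mnt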
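Review bot: `seccomp !chroot` at new line 31 re-allows the chroot syscall that the default filter blocks, and the hunk gives no reason for the exception. Other profiles in this commit document such relaxations inline (`# net none - mplayer can be used for streaming.`), so I'd add `# seccomp !chroot - <reason observed when testing, e.g. the app's own sandbox helper>` on the line above, filled in with whatever actually failed. Without it a later cleanup pass is likely to drop the exception as unexplained, or to copy it into profiles that do not need it.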
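--- a/etc/sol.profile
+++ b/etc/sol.profile
@@ -17,6 +17,7 @@ include disable-xdg.inc
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 net none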
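--- /dev/null
+++ b/etc/sound-juicer.profile
@@ -0,0 +1,41 @@
+# Firejail profile for mpv
+# Description: Graphical audio CD ripper and encoder
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sound-juicer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/sound-juicer
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+#nodbus
+nogroups
+nonewprivs
+noroot
+nosound
+nou2f
+notv
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp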
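Review bot: The header on line 1 reads `# Firejail profile for mpv`, which looks like a copy-paste leftover in a file whose description and includes are all about sound-juicer; it should be `# Firejail profile for sound-juicer`, matching the convention of the other profiles on this page (e.g. `# Firejail profile for xxd`). Line 26 keeps dbus access open with `#nodbus` but gives no reason, whereas steam.profile in the same commit documents the same relaxation as `# nodbus disabled as it breaks appindicator support`; a similar one-liner naming what breaks would record why this sandbox is weaker than its neighbours.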
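--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -38,14 +38,13 @@ include disable-programs.inc
 
 include whitelist-var-common.inc
 
-# allow-debuggers needed for running some games with proton
-allow-debuggers
 caps.drop all
 #ipc-namespace
 netfilter
 # nodbus disabled as it breaks appindicator support
 #nodbus
 nodvd
+# nVidia user may need to comment / ignore nogroups and noroot
 nogroups
 nonewprivs
 noroot
@@ -54,9 +53,9 @@ nou2f
 # novideo should be commented for VR
 novideo
 protocol unix,inet,inet6,netlink
-# seccomp cause sometimes issues (see #2860, #2951),
+# seccomp cause sometimes issues (see #2951, #3267),
 # comment it or add 'ignore seccomp' to steam.local if so.
-seccomp
+seccomp !kcmp,!ptrace
 shell none
 # tracelog disabled as it breaks integrated browser
 #tracelog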
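Review bot: The rationale carried by the removed comment `# allow-debuggers needed for running some games with proton` (old line 41) disappears from the file, while the new `seccomp !kcmp,!ptrace` on new line 58 is presumably what takes over that role; the comment on new lines 56-57 only points at issue numbers and does not say why these two syscalls are let through. Keeping the reason next to the exception, e.g. `# !kcmp,!ptrace needed for running some games with proton (replaces allow-debuggers)`, records why the filter is loosened and makes it possible to drop the exception when it is no longer needed.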
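--- a/etc/supertux2.profile
+++ b/etc/supertux2.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.local/share/supertux2
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -19,6 +20,7 @@ whitelist ${HOME}/.local/share/supertux2
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
 nodbus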
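--- a/etc/tcpdump.profile
+++ b/etc/tcpdump.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 
 include whitelist-common.inc
 
+apparmor
 caps.keep net_raw
 ipc-namespace
 #net tun0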
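--- a/etc/terasology.profile
+++ b/etc/terasology.profile
@@ -28,7 +28,6 @@ include whitelist-common.inc
 caps.drop all
 ipc-namespace
 net none
-netfilter
 nodbus
 nodvd
 nogroups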
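--- a/etc/textmaker18.profile
+++ b/etc/textmaker18.profile
@@ -7,4 +7,5 @@ include textmaker18.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc
+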
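--- a/etc/textmaker18free.profile
+++ b/etc/textmaker18free.profile
@@ -7,4 +7,5 @@ include textmaker18free.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc
+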
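--- a/etc/tshark.profile
+++ b/etc/tshark.profile
@@ -19,6 +19,7 @@ include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 #caps.keep net_raw
 caps.keep dac_override,net_admin,net_raw
 ipc-namespace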
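--- a/etc/tuxguitar.profile
+++ b/etc/tuxguitar.profile
@@ -15,6 +15,7 @@ include allow-java.inc
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -22,6 +23,7 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 no3d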
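--- a/etc/unlzma.profile
+++ b/etc/unlzma.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile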
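--- a/etc/unxz.profile
+++ b/etc/unxz.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile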
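--- a/etc/warzone2100.profile
+++ b/etc/warzone2100.profile
@@ -22,6 +22,7 @@ whitelist ${HOME}/.warzone2100-3.2
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nodvd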
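--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -26,6 +26,7 @@ include disable-programs.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 machine-id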
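--- a/etc/whois.profile
+++ b/etc/whois.profile
@@ -21,6 +21,7 @@ include disable-xdg.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 hostname whois
 ipc-namespace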
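--- a/etc/x-terminal-emulator.profile
+++ b/etc/x-terminal-emulator.profile
@@ -8,7 +8,6 @@ include globals.local
 caps.drop all
 ipc-namespace
 net none
-netfilter
 nodbus
 nogroups
 noroot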
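--- a/etc/xcalc.profile
+++ b/etc/xcalc.profile
@@ -17,7 +17,6 @@ include whitelist-var-common.inc
 
 caps.drop all
 net none
-netfilter
 no3d
 nodbus
 nodvd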
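--- a/etc/xfce4-dict.profile
+++ b/etc/xfce4-dict.profile
@@ -15,6 +15,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-var-common.inc
+
+apparmor
 caps.drop all
 netfilter
 no3d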
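--- a/etc/xfce4-notes.profile
+++ b/etc/xfce4-notes.profile
@@ -17,6 +17,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-var-common.inc
+
+apparmor
 caps.drop all
 netfilter
 no3d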
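--- a/etc/xpdf.profile
+++ b/etc/xpdf.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 machine-id
 net none
@@ -38,4 +39,4 @@ shell none
 
 private-dev
 private-tmp
-
+memory-deny-write-execute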
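--- a/etc/xxd.profile
+++ b/etc/xxd.profile
@@ -1,6 +1,7 @@
 # Firejail profile for xxd
 # Description: Tool to make (or reverse) a hex dump
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include xxd.local
 # Persistent global definitions
@@ -8,4 +9,4 @@ include xxd.local
 #include globals.local
 
 # Redirect
-include vim.profile
+include cpio.profile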
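--- a/etc/xz.profile
+++ b/etc/xz.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile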
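--- a/etc/xzcat.profile
+++ b/etc/xzcat.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile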
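--- a/etc/xzcmp.profile
+++ b/etc/xzcmp.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile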
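--- a/etc/xzdiff.profile
+++ b/etc/xzdiff.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile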
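--- a/etc/xzegrep.profile
+++ b/etc/xzegrep.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile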
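--- a/etc/xzfgrep.profile
+++ b/etc/xzfgrep.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile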
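--- a/etc/xzmore.profile
+++ b/etc/xzmore.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile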
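--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -25,6 +25,7 @@ whitelist /usr/share/zathura
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 machine-id
@@ -47,7 +48,8 @@ private-bin zathura
 private-cache
 private-dev
 private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id
-private-lib gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,libarchive.so.*,libdjvulibre.so.*,libgirara-gtk*,libpoppler-glib.so.*,libspectre.so.*,zathura
+# private-lib has problems on Debian 10
+#private-lib gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,libarchive.so.*,libdjvulibre.so.*,libgirara-gtk*,libpoppler-glib.so.*,libspectre.so.*,zathura
 private-tmp
 
 read-only ${HOME}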
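--- a/etc/zoom.profile
+++ b/etc/zoom.profile
@@ -27,7 +27,7 @@ nodvd
 nonewprivs
 noroot
 notv
-protocol unix,inet,inet6
-seccomp
+protocol unix,inet,inet6,netlink
+seccomp !chroot
 
 private-tmp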
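--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -23,6 +23,7 @@ Natron
 PPSSPPQt
 QMediathekView
 QOwnNotes
+Screenshot
 Telegram
 Viber
 VirtualBox
@@ -148,6 +149,7 @@ desktopeditors
 devhelp
 dex2jar
 dia
+dig
 digikam
 dillo
 dino
@@ -275,6 +277,7 @@ gnome-passwordsafe
 gnome-photos
 gnome-recipes
 gnome-schedule
+gnome-screenshot
 gnome-system-log
 gnome-twitch
 gnome-weather
@@ -303,6 +306,7 @@ hashcat
 hedgewars
 hexchat
 highlight
+host
 hugin
 icecat
 icedove
@@ -466,6 +470,7 @@ nitroshare-nmh
 nitroshare-send
 nitroshare-ui
 nomacs
+nslookup
 nylas
 nyx
 obs
@@ -479,6 +484,7 @@ ooviewdoc
 open-invaders
 openarena
 opencity
+openclonk
 openoffice.org
 openshot
 openshot-qt
@@ -546,6 +552,7 @@ rhythmbox-client
 ricochet
 riot-desktop
 riot-web
+ripperx
 ristretto
 rocketchat
 rtorrent
@@ -578,6 +585,7 @@ smtube
 snox
 soffice
 sol
+sound-juicer
 soundconverter
 spotify
 sqlitebrowser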
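--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -395,6 +395,7 @@ typedef enum {
 MOUNT_TMPFS,
 MOUNT_NOEXEC,
 MOUNT_RDWR,
+MOUNT_RDWR_NOCHECK, // no check of ownership
 OPERATION_MAX
 } OPERATION;
 
@@ -403,8 +404,7 @@ void fs_blacklist(void);
 // mount a writable tmpfs
 void fs_tmpfs(const char *dir, unsigned check_owner);
 // remount noexec/nodev/nosuid or read-only or read-write
-void fs_remount(const char *dir, OPERATION op, unsigned check_mnt);
-void fs_remount_rec(const char *dir, OPERATION op, unsigned check_mnt);
+void fs_remount(const char *dir, OPERATION op, int rec);
 // mount /proc and /sys directories
 void fs_proc_sys_dev_boot(void);
 // blacklist firejail configuration and runtime directories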
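Review bot: The comment on `MOUNT_RDWR_NOCHECK` (`// no check of ownership`, new line 398) and the unchanged comment above `fs_remount` (new line 406) do not say what the new `int rec` parameter selects, nor that the path is now resolved before use; the fs.c implementation further down this page (new lines 612-622) shows `rec` choosing between a recursive remount of submounts and a single-path remount, and `realpath()` being called first with a silent return when resolution fails. Because this enum value is the one that bypasses the owner check `MOUNT_RDWR` enforces (fs.c new line 507), that contract belongs at the declaration so callers see it: `MOUNT_RDWR_NOCHECK, // read-write without the MOUNT_RDWR owner check; caller must have validated the target` and `// remount noexec/nodev/nosuid or read-only or read-write; dir is resolved with realpath() first, rec selects recursive remount of submounts`.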
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index c7dd91b06..b642329bf 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -28,10 +28,9 @@ | |||
28 | #include <dirent.h> | 28 | #include <dirent.h> |
29 | #include <errno.h> | 29 | #include <errno.h> |
30 | 30 | ||
31 | |||
32 | #include <fcntl.h> | 31 | #include <fcntl.h> |
33 | #ifndef O_PATH | 32 | #ifndef O_PATH |
34 | # define O_PATH 010000000 | 33 | #define O_PATH 010000000 |
35 | #endif | 34 | #endif |
36 | 35 | ||
37 | #define MAX_BUF 4096 | 36 | #define MAX_BUF 4096 |
@@ -43,6 +42,8 @@ | |||
43 | //*********************************************** | 42 | //*********************************************** |
44 | // process profile file | 43 | // process profile file |
45 | //*********************************************** | 44 | //*********************************************** |
45 | static void fs_remount_rec(const char *dir, OPERATION op); | ||
46 | |||
46 | static char *opstr[] = { | 47 | static char *opstr[] = { |
47 | [BLACKLIST_FILE] = "blacklist", | 48 | [BLACKLIST_FILE] = "blacklist", |
48 | [BLACKLIST_NOLOG] = "blacklist-nolog", | 49 | [BLACKLIST_NOLOG] = "blacklist-nolog", |
@@ -50,6 +51,7 @@ static char *opstr[] = { | |||
50 | [MOUNT_TMPFS] = "tmpfs", | 51 | [MOUNT_TMPFS] = "tmpfs", |
51 | [MOUNT_NOEXEC] = "noexec", | 52 | [MOUNT_NOEXEC] = "noexec", |
52 | [MOUNT_RDWR] = "read-write", | 53 | [MOUNT_RDWR] = "read-write", |
54 | [MOUNT_RDWR_NOCHECK] = "read-write", | ||
53 | }; | 55 | }; |
54 | 56 | ||
55 | typedef enum { | 57 | typedef enum { |
@@ -148,7 +150,7 @@ static void disable_file(OPERATION op, const char *filename) { | |||
148 | } | 150 | } |
149 | } | 151 | } |
150 | else if (op == MOUNT_READONLY || op == MOUNT_RDWR || op == MOUNT_NOEXEC) { | 152 | else if (op == MOUNT_READONLY || op == MOUNT_RDWR || op == MOUNT_NOEXEC) { |
151 | fs_remount_rec(fname, op, 1); | 153 | fs_remount_rec(fname, op); |
152 | // todo: last_disable = SUCCESSFUL; | 154 | // todo: last_disable = SUCCESSFUL; |
153 | } | 155 | } |
154 | else if (op == MOUNT_TMPFS) { | 156 | else if (op == MOUNT_TMPFS) { |
@@ -425,21 +427,11 @@ void fs_blacklist(void) { | |||
425 | free(noblacklist); | 427 | free(noblacklist); |
426 | } | 428 | } |
427 | 429 | ||
428 | static int get_mount_flags(const char *path, unsigned long *flags) { | ||
429 | struct statvfs buf; | ||
430 | |||
431 | if (statvfs(path, &buf) < 0) | ||
432 | return -errno; | ||
433 | *flags = buf.f_flag; | ||
434 | return 0; | ||
435 | } | ||
436 | |||
437 | //*********************************************** | 430 | //*********************************************** |
438 | // mount namespace | 431 | // mount namespace |
439 | // - functions need fully resolved paths | ||
440 | //*********************************************** | 432 | //*********************************************** |
441 | 433 | ||
442 | // mount a writable tmpfs on directory | 434 | // mount a writable tmpfs on directory; requires a resolved path |
443 | void fs_tmpfs(const char *dir, unsigned check_owner) { | 435 | void fs_tmpfs(const char *dir, unsigned check_owner) { |
444 | assert(dir); | 436 | assert(dir); |
445 | if (arg_debug) | 437 | if (arg_debug) |
@@ -480,71 +472,114 @@ void fs_tmpfs(const char *dir, unsigned check_owner) { | |||
480 | close(fd); | 472 | close(fd); |
481 | } | 473 | } |
482 | 474 | ||
483 | void fs_remount(const char *dir, OPERATION op, unsigned check_mnt) { | 475 | // remount path, but preserve existing mount flags; requires a resolved path |
484 | assert(dir); | 476 | static void fs_remount_simple(const char *path, OPERATION op) { |
485 | // check directory exists | 477 | assert(path); |
478 | |||
479 | // open path without following symbolic links | ||
480 | int fd = safe_fd(path, O_PATH|O_NOFOLLOW|O_CLOEXEC); | ||
481 | if (fd == -1) | ||
482 | goto out; | ||
483 | // identify file owner | ||
486 | struct stat s; | 484 | struct stat s; |
487 | int rv = stat(dir, &s); | 485 | if (fstat(fd, &s) == -1) { |
488 | if (rv == 0) { | 486 | // fstat can fail with EACCES if path is a FUSE mount, |
489 | unsigned long flags = 0; | 487 | // mounted without 'allow_root' or 'allow_other' |
490 | if (get_mount_flags(dir, &flags) != 0) { | 488 | if (errno != EACCES) |
491 | fwarning("cannot remount %s\n", dir); | 489 | errExit("fstat"); |
490 | close(fd); | ||
491 | goto out; | ||
492 | } | ||
493 | // get mount flags | ||
494 | struct statvfs buf; | ||
495 | if (fstatvfs(fd, &buf) == -1) | ||
496 | errExit("fstatvfs"); | ||
497 | unsigned long flags = buf.f_flag; | ||
498 | |||
499 | // read-write option | ||
500 | if (op == MOUNT_RDWR || op == MOUNT_RDWR_NOCHECK) { | ||
501 | // nothing to do if there is no read-only flag | ||
502 | if ((flags & MS_RDONLY) == 0) { | ||
503 | close(fd); | ||
492 | return; | 504 | return; |
493 | } | 505 | } |
494 | if (op == MOUNT_RDWR) { | 506 | // allow only user owned directories, except the user is root |
495 | // allow only user owned directories, except the user is root | 507 | if (op == MOUNT_RDWR && getuid() != 0 && s.st_uid != getuid()) { |
496 | if (getuid() != 0 && s.st_uid != getuid()) { | 508 | fwarning("you are not allowed to change %s to read-write\n", path); |
497 | fwarning("you are not allowed to change %s to read-write\n", dir); | 509 | close(fd); |
498 | return; | 510 | return; |
499 | } | ||
500 | if ((flags & MS_RDONLY) == 0) | ||
501 | return; | ||
502 | flags &= ~MS_RDONLY; | ||
503 | } | ||
504 | else if (op == MOUNT_NOEXEC) { | ||
505 | if ((flags & (MS_NOEXEC|MS_NODEV|MS_NOSUID)) == (MS_NOEXEC|MS_NODEV|MS_NOSUID)) | ||
506 | return; | ||
507 | flags |= MS_NOEXEC|MS_NODEV|MS_NOSUID; | ||
508 | } | 511 | } |
509 | else if (op == MOUNT_READONLY) { | 512 | flags &= ~MS_RDONLY; |
510 | if ((flags & MS_RDONLY) == MS_RDONLY) | 513 | } |
511 | return; | 514 | // noexec option |
512 | flags |= MS_RDONLY; | 515 | else if (op == MOUNT_NOEXEC) { |
516 | // nothing to do if path is mounted noexec already | ||
517 | if ((flags & (MS_NOEXEC|MS_NODEV|MS_NOSUID)) == (MS_NOEXEC|MS_NODEV|MS_NOSUID)) { | ||
518 | close(fd); | ||
519 | return; | ||
513 | } | 520 | } |
514 | else | 521 | flags |= MS_NOEXEC|MS_NODEV|MS_NOSUID; |
515 | assert(0); | 522 | } |
516 | 523 | // read-only option | |
517 | if (arg_debug) | 524 | else if (op == MOUNT_READONLY) { |
518 | printf("Mounting %s %s\n", opstr[op], dir); | 525 | // nothing to do if path is mounted read-only already |
519 | // mount --bind /bin /bin | 526 | if ((flags & MS_RDONLY) == MS_RDONLY) { |
520 | // mount --bind -o remount,rw /bin | 527 | close(fd); |
521 | if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || | 528 | return; |
522 | mount(NULL, dir, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0) | ||
523 | errExit("remounting"); | ||
524 | // run a sanity check on /proc/self/mountinfo | ||
525 | if (check_mnt) { | ||
526 | // confirm target of the last mount operation was dir; if there are other | ||
527 | // mount points contained inside dir, one of those will show up as target | ||
528 | // of the last mount operation instead | ||
529 | MountData *mptr = get_last_mount(); | ||
530 | size_t len = strlen(dir); | ||
531 | if ((strncmp(mptr->dir, dir, len) != 0 || | ||
532 | (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/')) | ||
533 | && strcmp(dir, "/") != 0) // support read-only=/ | ||
534 | errLogExit("invalid %s mount", opstr[op]); | ||
535 | } | 529 | } |
536 | fs_logger2(opstr[op], dir); | 530 | flags |= MS_RDONLY; |
537 | } | 531 | } |
532 | else | ||
533 | assert(0); | ||
534 | |||
535 | if (arg_debug) | ||
536 | printf("Mounting %s %s\n", opstr[op], path); | ||
537 | // mount --bind /bin /bin | ||
538 | char *proc; | ||
539 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | ||
540 | errExit("asprintf"); | ||
541 | if (mount(proc, proc, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
542 | errExit("mount"); | ||
543 | free(proc); | ||
544 | close(fd); | ||
545 | |||
546 | // mount --bind -o remount,ro /bin | ||
547 | // we need to open path again | ||
548 | fd = safe_fd(path, O_PATH|O_NOFOLLOW|O_CLOEXEC); | ||
549 | if (fd == -1) | ||
550 | errExit("open"); | ||
551 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | ||
552 | errExit("asprintf"); | ||
553 | if (mount(NULL, proc, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0) | ||
554 | errExit("mount"); | ||
555 | |||
556 | // run a sanity check on /proc/self/mountinfo and confirm that target of the last | ||
557 | // mount operation was path; if there are other mount points contained inside path, | ||
558 | // one of those will show up as target of the last mount operation instead | ||
559 | MountData *mptr = get_last_mount(); | ||
560 | size_t len = strlen(path); | ||
561 | if ((strncmp(mptr->dir, path, len) != 0 || | ||
562 | (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/')) | ||
563 | && strcmp(path, "/") != 0) // support read-only=/ | ||
564 | errLogExit("invalid %s mount", opstr[op]); | ||
565 | fs_logger2(opstr[op], path); | ||
566 | free(proc); | ||
567 | close(fd); | ||
568 | return; | ||
569 | |||
570 | out: | ||
571 | fwarning("not remounting %s\n", path); | ||
538 | } | 572 | } |
539 | 573 | ||
540 | void fs_remount_rec(const char *dir, OPERATION op, unsigned check_mnt) { | 574 | // remount recursively; requires a resolved path |
575 | static void fs_remount_rec(const char *dir, OPERATION op) { | ||
541 | assert(dir); | 576 | assert(dir); |
542 | struct stat s; | 577 | struct stat s; |
543 | if (stat(dir, &s) != 0) | 578 | if (stat(dir, &s) != 0) |
544 | return; | 579 | return; |
545 | if (!S_ISDIR(s.st_mode)) { | 580 | if (!S_ISDIR(s.st_mode)) { |
546 | // no need to search in /proc/self/mountinfo for submounts if not a directory | 581 | // no need to search in /proc/self/mountinfo for submounts if not a directory |
547 | fs_remount(dir, op, check_mnt); | 582 | fs_remount_simple(dir, op); |
548 | return; | 583 | return; |
549 | } | 584 | } |
550 | // get mount point of the directory | 585 | // get mount point of the directory |
@@ -558,7 +593,7 @@ void fs_remount_rec(const char *dir, OPERATION op, unsigned check_mnt) { | |||
558 | fwarning("read-only, read-write and noexec options are not applied recursively\n"); | 593 | fwarning("read-only, read-write and noexec options are not applied recursively\n"); |
559 | mount_warning = 1; | 594 | mount_warning = 1; |
560 | } | 595 | } |
561 | fs_remount(dir, op, check_mnt); | 596 | fs_remount_simple(dir, op); |
562 | return; | 597 | return; |
563 | } | 598 | } |
564 | // build array with all mount points that need to get remounted | 599 | // build array with all mount points that need to get remounted |
@@ -567,12 +602,25 @@ void fs_remount_rec(const char *dir, OPERATION op, unsigned check_mnt) { | |||
567 | // remount | 602 | // remount |
568 | char **tmp = arr; | 603 | char **tmp = arr; |
569 | while (*tmp) { | 604 | while (*tmp) { |
570 | fs_remount(*tmp, op, check_mnt); | 605 | fs_remount_simple(*tmp, op); |
571 | free(*tmp++); | 606 | free(*tmp++); |
572 | } | 607 | } |
573 | free(arr); | 608 | free(arr); |
574 | } | 609 | } |
575 | 610 | ||
611 | // resolve a path and remount it | ||
612 | void fs_remount(const char *path, OPERATION op, int rec) { | ||
613 | assert(path); | ||
614 | char *rpath = realpath(path, NULL); | ||
615 | if (rpath) { | ||
616 | if (rec) | ||
617 | fs_remount_rec(rpath, op); | ||
618 | else | ||
619 | fs_remount_simple(rpath, op); | ||
620 | free(rpath); | ||
621 | } | ||
622 | } | ||
623 | |||
576 | // Disable /mnt, /media, /run/mount and /run/media access | 624 | // Disable /mnt, /media, /run/mount and /run/media access |
577 | void fs_mnt(const int enforce) { | 625 | void fs_mnt(const int enforce) { |
578 | if (enforce) { | 626 | if (enforce) { |
@@ -749,22 +797,22 @@ void fs_basic_fs(void) { | |||
749 | if (arg_debug) | 797 | if (arg_debug) |
750 | printf("Basic read-only filesystem:\n"); | 798 | printf("Basic read-only filesystem:\n"); |
751 | if (!arg_writable_etc) { | 799 | if (!arg_writable_etc) { |
752 | fs_remount("/etc", MOUNT_READONLY, 0); | 800 | fs_remount("/etc", MOUNT_READONLY, 1); |
753 | if (uid) | 801 | if (uid) |
754 | fs_remount("/etc", MOUNT_NOEXEC, 0); | 802 | fs_remount("/etc", MOUNT_NOEXEC, 1); |
755 | } | 803 | } |
756 | if (!arg_writable_var) { | 804 | if (!arg_writable_var) { |
757 | fs_remount("/var", MOUNT_READONLY, 0); | 805 | fs_remount("/var", MOUNT_READONLY, 1); |
758 | if (uid) | 806 | if (uid) |
759 | fs_remount("/var", MOUNT_NOEXEC, 0); | 807 | fs_remount("/var", MOUNT_NOEXEC, 1); |
760 | } | 808 | } |
761 | fs_remount("/bin", MOUNT_READONLY, 0); | 809 | fs_remount("/usr", MOUNT_READONLY, 1); |
762 | fs_remount("/sbin", MOUNT_READONLY, 0); | 810 | fs_remount("/bin", MOUNT_READONLY, 1); |
763 | fs_remount("/lib", MOUNT_READONLY, 0); | 811 | fs_remount("/sbin", MOUNT_READONLY, 1); |
764 | fs_remount("/lib64", MOUNT_READONLY, 0); | 812 | fs_remount("/lib", MOUNT_READONLY, 1); |
765 | fs_remount("/lib32", MOUNT_READONLY, 0); | 813 | fs_remount("/lib64", MOUNT_READONLY, 1); |
766 | fs_remount("/libx32", MOUNT_READONLY, 0); | 814 | fs_remount("/lib32", MOUNT_READONLY, 1); |
767 | fs_remount("/usr", MOUNT_READONLY, 0); | 815 | fs_remount("/libx32", MOUNT_READONLY, 1); |
768 | 816 | ||
769 | // update /var directory in order to support multiple sandboxes running on the same root directory | 817 | // update /var directory in order to support multiple sandboxes running on the same root directory |
770 | fs_var_lock(); | 818 | fs_var_lock(); |
@@ -773,7 +821,7 @@ void fs_basic_fs(void) { | |||
773 | if (!arg_writable_var_log) | 821 | if (!arg_writable_var_log) |
774 | fs_var_log(); | 822 | fs_var_log(); |
775 | else | 823 | else |
776 | fs_remount("/var/log", MOUNT_RDWR, 0); | 824 | fs_remount("/var/log", MOUNT_RDWR_NOCHECK, 0); |
777 | 825 | ||
778 | fs_var_lib(); | 826 | fs_var_lib(); |
779 | fs_var_cache(); | 827 | fs_var_cache(); |
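--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -151,6 +151,10 @@ static int check_nodbus(void) {
 return arg_nodbus != 0;
 }
 
+static int check_nosound(void) {
+return arg_nosound != 0;
+}
+
 static int check_x11(void) {
 return (arg_x11_block || arg_x11_xorg || getenv("FIREJAIL_X11"));
 }
@@ -167,6 +171,7 @@ Cond conditionals[] = {
 {"HAS_APPIMAGE", check_appimage},
 {"HAS_NET", check_netoptions},
 {"HAS_NODBUS", check_nodbus},
+{"HAS_NOSOUND", check_nosound},
 {"HAS_X11", check_x11},
 {"BROWSER_DISABLE_U2F", check_disable_u2f},
 {"BROWSER_ALLOW_DRM", check_allow_drm},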
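--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -103,7 +103,7 @@ Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"
 
 This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line.
 
-Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
+Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
 can be enabled or disabled globally in Firejail's configuration file.
 
 The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines.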
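--- /dev/null
+++ b/src/profstats/Makefile.in
@@ -0,0 +1,14 @@
+all: ../../etc/profstats
+
+include ../common.mk
+
+%.o : %.c $(H_FILE_LIST)
+$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+
+../../etc/profstats: $(OBJS)
+$(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+
+clean:; rm -fr *.o ../../etc/profstats *.gcov *.gcda *.gcno *.plist
+
+distclean: clean
+rm -fr Makefile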
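--- /dev/null
+++ b/src/profstats/main.c
@@ -0,0 +1,240 @@
+/*
+ * Copyright (C) 2014-2020 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+
+#define MAXBUF 2048
+// stats
+static int cnt_profiles = 0;
+static int cnt_apparmor = 0;
+static int cnt_seccomp = 0;
+static int cnt_caps = 0;
+static int cnt_dotlocal = 0;
+static int cnt_globalsdotlocal = 0;
+static int cnt_netnone = 0;
+static int cnt_noexec = 0; // include disable-exec.inc
+static int cnt_privatedev = 0;
+static int cnt_privatetmp = 0;
+static int cnt_whitelistvar = 0; // include whitelist-var-common.inc
+static int cnt_ssh = 0;
+
+static int level = 0;
+static int arg_debug = 0;
+static int arg_apparmor = 0;
+static int arg_caps = 0;
+static int arg_seccomp = 0;
+static int arg_noexec = 0;
+static int arg_privatedev = 0;
+static int arg_privatetmp = 0;
+static int arg_whitelistvar = 0;
+static int arg_ssh = 0;
+
+static void usage(void) {
+printf("proftool - print profile statistics\n");
+printf("Usage: proftool [options] file[s]\n");
+printf("Options:\n");
+printf(" --apparmor - print profiles without apparmor\n");
+printf(" --caps - print profiles without caps\n");
+printf(" --ssh - print profiles without \"include disable-common.inc\"\n");
+printf(" --noexec - print profiles without \"include disable-exec.inc\"\n");
+printf(" --private-dev - print profiles without private-dev\n");
+printf(" --private-tmp - print profiles without private-tmp\n");
+printf(" --seccomp - print profiles without seccomp\n");
+printf(" --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n");
+printf(" --debug\n");
+printf("\n");
+}
+
+void process_file(const char *fname) {
+assert(fname);
+
+if (arg_debug)
+printf("processing #%s#\n", fname);
+level++;
+assert(level < 32); // to do - check in firejail code
+
+FILE *fp = fopen(fname, "r");
+if (!fp) {
+fprintf(stderr, "Error: cannot open %s\n", fname);
+exit(1);
+}
+
+char buf[MAXBUF];
+while (fgets(buf, MAXBUF, fp)) {
+char *ptr = strchr(buf, '\n');
+if (ptr)
+*ptr = '\0';
+ptr = buf;
+
+while (*ptr == ' ' || *ptr == '\t')
+ptr++;
+if (*ptr == '\n' || *ptr == '#')
+continue;
+
+if (strncmp(ptr, "seccomp", 7) == 0)
+cnt_seccomp++;
+else if (strncmp(ptr, "caps", 4) == 0)
+cnt_caps++;
+else if (strncmp(ptr, "include disable-exec.inc", 24) == 0)
+cnt_noexec++;
+else if (strncmp(ptr, "include whitelist-var-common.inc", 32) == 0)
+cnt_whitelistvar++;
+else if (strncmp(ptr, "include disable-common.inc", 26) == 0)
+cnt_ssh++;
+else if (strncmp(ptr, "net none", 8) == 0)
+cnt_netnone++;
+else if (strncmp(ptr, "apparmor", 8) == 0)
+cnt_apparmor++;
+else if (strncmp(ptr, "private-dev", 11) == 0)
+cnt_privatedev++;
+else if (strncmp(ptr, "private-tmp", 11) == 0)
+cnt_privatetmp++;
+else if (strncmp(ptr, "include ", 8) == 0) {
+// not processing .local files
+if (strstr(ptr, ".local")) {
+//printf("dotlocal %d, level %d - #%s#, redirect #%s#\n", cnt_dotlocal, level, fname, buf + 8);
+if (strstr(ptr, "globals.local"))
+cnt_globalsdotlocal++;
+else
+cnt_dotlocal++;
+continue;
+}
+process_file(buf + 8);
+}
+}
+
+fclose(fp);
+level--;
+}
+
+int main(int argc, char **argv) {
+if (argc <= 1) {
+usage();
+return 1;
+}
+
+int start = 1;
+int i;
+for (i = 1; i < argc; i++) {
+if (strcmp(argv[i], "--help") == 0) {
+usage();
+return 0;
+}
+else if (strcmp(argv[i], "--debug") == 0)
+arg_debug = 1;
+else if (strcmp(argv[i], "--apparmor") == 0)
+arg_apparmor = 1;
+else if (strcmp(argv[i], "--caps") == 0)
+arg_caps = 1;
+else if (strcmp(argv[i], "--seccomp") == 0)
+arg_seccomp = 1;
+else if (strcmp(argv[i], "--noexec") == 0)
+arg_noexec = 1;
+else if (strcmp(argv[i], "--private-dev") == 0)
+arg_privatedev = 1;
+else if (strcmp(argv[i], "--private-tmp") == 0)
+arg_privatetmp = 1;
+else if (strcmp(argv[i], "--whitelist-var") == 0)
+arg_whitelistvar = 1;
+else if (strcmp(argv[i], "--ssh") == 0)
+arg_ssh = 1;
+else if (*argv[i] == '-') {
+fprintf(stderr, "Error: invalid option %s\n", argv[i]);
+return 1;
+}
+else
+break;
+}
+
+start = i;
+if (i == argc) {
+fprintf(stderr, "Error: no porfile file specified\n");
+return 1;
+}
+
+for (i = start; i < argc; i++) {
+cnt_profiles++;
+
+// watch seccomp
+int seccomp = cnt_seccomp;
+int caps = cnt_caps;
+int apparmor = cnt_apparmor;
+int noexec = cnt_noexec;
+int privatetmp = cnt_privatetmp;
+int privatedev = cnt_privatedev;
+int dotlocal = cnt_dotlocal;
+int globalsdotlocal = cnt_globalsdotlocal;
+int whitelistvar = cnt_whitelistvar;
+int ssh = cnt_ssh;
+
+// process file
+process_file(argv[i]);
+
+// warnings
+if ((caps + 2) <= cnt_caps) {
+printf("Warning: multiple caps in %s\n", argv[i]);
+cnt_caps = caps + 1;
+}
+
+// fix redirections
+if (cnt_dotlocal > (dotlocal + 1))
+cnt_dotlocal = dotlocal + 1;
+if (cnt_globalsdotlocal > (globalsdotlocal + 1))
+cnt_globalsdotlocal = globalsdotlocal + 1;
+
+if (arg_apparmor && apparmor == cnt_apparmor)
+printf("No apparmor found in %s\n", argv[i]);
+if (arg_caps && caps == cnt_caps)
+printf("No caps found in %s\n", argv[i]);
+if (arg_seccomp && seccomp == cnt_seccomp)
+printf("No seccomp found in %s\n", argv[i]);
+if (arg_noexec && noexec == cnt_noexec)
+printf("No include disable-exec.inc found in %s\n", argv[i]);
+if (arg_privatedev && privatedev == cnt_privatedev)
+printf("No private-dev found in %s\n", argv[i]);
+if (arg_privatetmp && privatetmp == cnt_privatetmp)
+printf("No private-tmp found in %s\n", argv[i]);
+if (arg_whitelistvar && whitelistvar == cnt_whitelistvar)
+printf("No include whitelist-var-common.inc found in %s\n", argv[i]);
+if (arg_ssh && ssh == cnt_ssh)
+printf("No include disable-common.inc found in %s\n", argv[i]);
+
+assert(level == 0);
+}
+
+printf("\n");
+printf("Stats:\n");
+printf(" profiles\t\t\t%d\n", cnt_profiles);
+printf(" include local profile\t%d (include profile-name.local)\n", cnt_dotlocal);
+printf(" include globals\t\t%d (include globals.local)\n", cnt_dotlocal);
+printf(" blacklist ~/.ssh\t\t%d (include disable-common.inc)\n", cnt_ssh);
+printf(" seccomp\t\t\t%d\n", cnt_seccomp);
+printf(" capabilities\t\t%d\n", cnt_caps);
+printf(" noexec\t\t\t%d (include disable-exec.inc)\n", cnt_noexec);
+printf(" apparmor\t\t\t%d\n", cnt_apparmor);
+printf(" private-dev\t\t\t%d\n", cnt_privatedev);
+printf(" private-tmp\t\t\t%d\n", cnt_privatetmp);
+printf(" whitelist var directory\t%d (include whitelist-var-common.inc)\n", cnt_whitelistvar);
+printf(" net none\t\t\t%d\n", cnt_netnone);
+printf("\n");
+return 0;
+}
\ No newline at end of file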
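Review bot: The stats summary reports the wrong counter for the globals line — new line 228 passes `cnt_dotlocal` a second time, so `cnt_globalsdotlocal` is maintained in process_file and main but never printed; it should read `printf(" include globals\t\t%d (include globals.local)\n", cnt_globalsdotlocal);`. In process_file the include target is taken from `buf + 8` (line 121) although leading blanks were already skipped into `ptr`, so an indented `include` line hands fopen a name that starts inside the keyword and the tool exits with "cannot open"; `process_file(ptr + 8);` is what the surrounding code intends. The blank-line test on line 90 compares against `'\n'` after the newline was already replaced by `'\0'` on line 85, so it never fires and empty lines fall through the strncmp chain; `if (*ptr == '\0' || *ptr == '#')` makes the skip effective. Include names are opened relative to the current working directory with no search path, which presumably means the tool is meant to be run from the profile directory — a one-line comment on process_file stating that, plus making it `static` like the other helpers in the file, would make the contract visible. Minor: the message on line 170 spells "porfile".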