diff options
-rw-r--r-- | etc/k3b.profile | 9 | ||||
-rw-r--r-- | src/firejail/profile.c | 74 |
2 files changed, 79 insertions, 4 deletions
diff --git a/etc/k3b.profile b/etc/k3b.profile index 68b825c5e..35b27a183 100644 --- a/etc/k3b.profile +++ b/etc/k3b.profile | |||
@@ -3,23 +3,24 @@ | |||
3 | include /etc/firejail/k3b.local | 3 | include /etc/firejail/k3b.local |
4 | 4 | ||
5 | # k3b profile | 5 | # k3b profile |
6 | noblacklist ~/.kde4/share/config/k3brc | ||
7 | noblacklist ~/.kde/share/config/k3brc | ||
8 | noblacklist ~/.config/k3brc | ||
6 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
7 | include /etc/firejail/disable-programs.inc | 10 | include /etc/firejail/disable-programs.inc |
8 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
9 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
10 | 13 | ||
11 | caps.drop all | 14 | caps.drop all |
12 | netfilter | 15 | no3d |
13 | nogroups | ||
14 | nonewprivs | 16 | nonewprivs |
15 | noroot | 17 | noroot |
16 | nosound | 18 | nosound |
17 | shell none | 19 | shell none |
18 | seccomp | 20 | seccomp |
19 | protocol unix | 21 | protocol unix |
22 | tracelog | ||
20 | 23 | ||
21 | # private-bin | 24 | # private-bin |
22 | # private-dev | ||
23 | # private-tmp | 25 | # private-tmp |
24 | # private-etc | 26 | # private-etc |
25 | |||
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 172aff121..c515accc0 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -830,6 +830,80 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
830 | return 0; | 830 | return 0; |
831 | } | 831 | } |
832 | 832 | ||
833 | |||
834 | #ifdef HAVE_OVERLAYFS | ||
835 | if (strncmp(ptr, "overlay-named ", 14) == 0) { | ||
836 | if (checkcfg(CFG_OVERLAYFS)) { | ||
837 | if (cfg.chrootdir) { | ||
838 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); | ||
839 | exit(1); | ||
840 | } | ||
841 | struct stat s; | ||
842 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { | ||
843 | fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); | ||
844 | exit(1); | ||
845 | } | ||
846 | arg_overlay = 1; | ||
847 | arg_overlay_keep = 1; | ||
848 | arg_overlay_reuse = 1; | ||
849 | |||
850 | char *subdirname = ptr + 14; | ||
851 | if (subdirname == '\0') { | ||
852 | fprintf(stderr, "Error: invalid overlay option\n"); | ||
853 | exit(1); | ||
854 | } | ||
855 | |||
856 | // check name | ||
857 | invalid_filename(subdirname); | ||
858 | if (strstr(subdirname, "..") || strstr(subdirname, "/")) { | ||
859 | fprintf(stderr, "Error: invalid overlay name\n"); | ||
860 | exit(1); | ||
861 | } | ||
862 | cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); | ||
863 | } | ||
864 | |||
865 | return 0; | ||
866 | } else if (strcmp(ptr, "overlay-tmpfs") == 0) { | ||
867 | if (checkcfg(CFG_OVERLAYFS)) { | ||
868 | if (cfg.chrootdir) { | ||
869 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); | ||
870 | exit(1); | ||
871 | } | ||
872 | struct stat s; | ||
873 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { | ||
874 | fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); | ||
875 | exit(1); | ||
876 | } | ||
877 | arg_overlay = 1; | ||
878 | |||
879 | return 0; | ||
880 | } | ||
881 | } else if (strcmp(ptr, "overlay") == 0) { | ||
882 | if (checkcfg(CFG_OVERLAYFS)) { | ||
883 | if (cfg.chrootdir) { | ||
884 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); | ||
885 | exit(1); | ||
886 | } | ||
887 | struct stat s; | ||
888 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { | ||
889 | fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); | ||
890 | exit(1); | ||
891 | } | ||
892 | arg_overlay = 1; | ||
893 | arg_overlay_keep = 1; | ||
894 | |||
895 | char *subdirname; | ||
896 | if (asprintf(&subdirname, "%d", getpid()) == -1) | ||
897 | errExit("asprintf"); | ||
898 | cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); | ||
899 | |||
900 | free(subdirname); | ||
901 | |||
902 | return 0; | ||
903 | } | ||
904 | } | ||
905 | #endif | ||
906 | |||
833 | // filesystem bind | 907 | // filesystem bind |
834 | if (strncmp(ptr, "bind ", 5) == 0) { | 908 | if (strncmp(ptr, "bind ", 5) == 0) { |
835 | #ifdef HAVE_BIND | 909 | #ifdef HAVE_BIND |