124 files changed, 205 insertions, 346 deletions
@@ -572,7 +572,7 @@ rusty-snake (https://github.com/rusty-snake) | |||
572 | - added profiles: oggsplt, flacsplt, cheese, inkview, mp3splt-gtk | 572 | - added profiles: oggsplt, flacsplt, cheese, inkview, mp3splt-gtk |
573 | - added profiles: ktouch, yelp, klatexformula, klatexformula_cmdl | 573 | - added profiles: ktouch, yelp, klatexformula, klatexformula_cmdl |
574 | - added profiles: pandoc, gnome-sound-recorder, godot, newsbeuter | 574 | - added profiles: pandoc, gnome-sound-recorder, godot, newsbeuter |
575 | - added profiles: keepassxc-cli, keepassxc-proxy | 575 | - added profiles: keepassxc-cli, keepassxc-proxy, rhythmbox-client |
576 | - many profile fixing and hardening | 576 | - many profile fixing and hardening |
577 | - some typo fixes | 577 | - some typo fixes |
578 | - added profile templates | 578 | - added profile templates |
@@ -111,4 +111,4 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
111 | 111 | ||
112 | ## New profiles: | 112 | ## New profiles: |
113 | 113 | ||
114 | klatexformula, klatexformula_cmdl, links, pandoc, qgis, teams-for-linux, xlinks, OpenArena, gnome-sound-recorder, godot, tcpdump, tshark, keepassxc-cli, keepassxc-proxy, newsbeuter | 114 | klatexformula, klatexformula_cmdl, links, pandoc, qgis, teams-for-linux, xlinks, OpenArena, gnome-sound-recorder, godot, tcpdump, tshark, keepassxc-cli, keepassxc-proxy, newsbeuter, rhythmbox-client |
@@ -4,7 +4,7 @@ firejail (0.9.61) baseline; urgency=low | |||
4 | * new profiles: qgis, klatexformula, klatexformula_cmdl, links, xlinks | 4 | * new profiles: qgis, klatexformula, klatexformula_cmdl, links, xlinks |
5 | * new profiles: pandoc, teams-for-linux, OpenArena, gnome-sound-recorder | 5 | * new profiles: pandoc, teams-for-linux, OpenArena, gnome-sound-recorder |
6 | * new profiles: godot, tcpdump, tshark, newsbeuter, keepassxc-cli | 6 | * new profiles: godot, tcpdump, tshark, newsbeuter, keepassxc-cli |
7 | * new profiles: keepassxc-proxy | 7 | * new profiles: keepassxc-proxy, rhythmbox-client |
8 | -- netblue30 <netblue30@yahoo.com> Sat, 1 Jun 2019 08:00:00 -0500 | 8 | -- netblue30 <netblue30@yahoo.com> Sat, 1 Jun 2019 08:00:00 -0500 |
9 | 9 | ||
10 | firejail (0.9.60) baseline; urgency=low | 10 | firejail (0.9.60) baseline; urgency=low |
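--- a/etc/QMediathekView.profile
+++ b/etc/QMediathekView.profile
@@ -48,8 +48,6 @@ disable-mnt
 private-bin mplayer,mpv,QMediathekView,smplayer,totem,vlc,xplayer
 private-cache
 private-dev
-# private-etc alternatives
-# private-lib
 private-tmp
 
 #memory-deny-write-execute - breaks on Arch (see issue #1803)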
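--- a/etc/Xephyr.profile
+++ b/etc/Xephyr.profile
@@ -34,8 +34,8 @@ shell none
 disable-mnt
 # using a private home directory
 private
-# private-bin Xephyr,sh,xkbcomp
-# private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls
+# private-bin sh,Xephyr,xkbcomp
+# private-bin bash,cat,ls,sh,strace,Xephyr,xkbcomp
 private-dev
-# private-etc alternatives,ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
+# private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf
 #private-tmp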
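--- a/etc/Xvfb.profile
+++ b/etc/Xvfb.profile
@@ -37,8 +37,8 @@ shell none
 disable-mnt
 # using a private home directory
 private
-# private-bin Xvfb,sh,xkbcomp
-# private-bin Xvfb,sh,xkbcomp,strace,bash,cat,ls
+# private-bin sh,xkbcomp,Xvfb
+# private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb
 private-dev
 private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf
 private-tmp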
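--- a/etc/allow-java.inc
+++ b/etc/allow-java.inc
@@ -1,3 +1,5 @@
+noblacklist ${HOME}/.java
+
 noblacklist ${PATH}/java
 noblacklist /usr/lib/java
 noblacklist /etc/java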
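Review bot: The new `noblacklist ${HOME}/.java` only takes effect in consumers that include allow-java.inc before their disable-*.inc lines, because a noblacklist has to precede the blacklist it exempts, and nothing in this file records that constraint. A header comment such as `# include this file before disable-common.inc and disable-programs.inc` would make the ordering explicit. The profiles that drop their own ${HOME}/.java exemption in this commit (arduino, freecol) now rely entirely on this include being placed correctly.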
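--- a/etc/amarok.profile
+++ b/etc/amarok.profile
@@ -31,5 +31,5 @@ shell none
 
 # private-bin amarok
 private-dev
-# private-etc alternatives,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl
 private-tmp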
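--- a/etc/aosp.profile
+++ b/etc/aosp.profile
@@ -5,7 +5,6 @@ include aosp.local
 # Persistent global definitions
 include globals.local
 
-
 noblacklist ${HOME}/.android
 noblacklist ${HOME}/.bash_history
 noblacklist ${HOME}/.config/git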
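--- a/etc/arch-audit.profile
+++ b/etc/arch-audit.profile
@@ -7,7 +7,6 @@ include arch-audit.local
 # Persistent global definitions
 include globals.local
 
-
 noblacklist /var/lib/pacman
 
 include disable-common.inc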
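--- a/etc/archaudit-report.profile
+++ b/etc/archaudit-report.profile
@@ -6,7 +6,6 @@ include archaudit-report.local
 # Persistent global definitions
 include globals.local
 
-
 noblacklist /var/lib/pacman
 
 include disable-common.inc
@@ -17,8 +16,6 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-include whitelist-common.inc
-
 caps.drop all
 ipc-namespace
 netfilter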
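Review bot: Removing `include whitelist-common.inc` in the second hunk changes how much of the home directory the sandbox exposes: if no other `whitelist ${HOME}/...` directive remains (none is visible in this hunk), the profile moves from a whitelisted home to the full home minus blacklists, which is a wider view for a tool that only reads the pacman database. If that widening is intentional, record the reason next to the noblacklist, e.g. `# home is not whitelisted because <reason>`; if it is not, keep the include or add an explicit whitelist for whatever the tool needs under ${HOME}.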
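--- a/etc/ardour5.profile
+++ b/etc/ardour5.profile
@@ -34,9 +34,9 @@ protocol unix
 seccomp
 shell none
 
-#private-bin sh,ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm
+#private-bin ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,ldd,nm,sed,sh
 private-cache
 private-dev
-#private-etc alternatives,pulse,X11,alternatives,ardour4,ardour5,fonts,machine-id,asound.conf
+#private-etc alternatives,ardour4,ardour5,asound.conf,fonts,machine-id,pulse,X11
 private-tmp
 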
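--- a/etc/arduino.profile
+++ b/etc/arduino.profile
@@ -7,7 +7,6 @@ include arduino.local
 include globals.local
 
 noblacklist ${HOME}/.arduino15
-noblacklist ${HOME}/.java
 noblacklist ${HOME}/Arduino
 noblacklist ${DOCUMENTS}
 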
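Review bot: Dropping `noblacklist ${HOME}/.java` here keeps ~/.java accessible only if arduino.profile includes allow-java.inc, and does so before disable-common.inc; that include is outside this hunk, so the diff alone cannot confirm it. The same applies to freecol.profile in this commit. If the include is present the change is fine; if not, Java preferences under ~/.java silently become unreadable inside the sandbox.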
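--- a/etc/aria2c.profile
+++ b/etc/aria2c.profile
@@ -38,7 +38,7 @@ private-bin aria2c,gzip
 # Uncomment the next line (or put 'private-cache' in your aria2c.local) if you don't use Lutris/winetricks (see issue #2772)
 #private-cache
 private-dev
-private-etc alternatives,ca-certificates,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
 private-lib libreadline.so.*
 private-tmp
 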
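Review bot: `nsswitch.conf` is added to private-etc but `hosts` is not, so any lookup that nsswitch routes through the files source finds no /etc/hosts inside the sandbox; feh-network.inc in the same commit lists `hosts` alongside `resolv.conf` for exactly this. Unless aria2c is known to work without it, `private-etc alternatives,ca-certificates,crypto-policies,hosts,nsswitch.conf,pki,resolv.conf,ssl` would be the consistent form.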
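--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -35,7 +35,7 @@ seccomp
 shell none
 
 private-bin 7z,ark,bash,lrzip,lsar,lz4,lzop,p7zip,rar,sh,tclsh,unar,unrar,unzip,zip,zipinfo
-#private-etc alternatives,smb.conf,samba,mtab,fonts,drirc,kde5rc,passwd,group,xdg
+#private-etc alternatives,drirc,fonts,group,kde5rc,mtab,passwd,samba,smb.conf,xdg
 
 private-dev
 private-tmp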
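--- a/etc/assogiate.profile
+++ b/etc/assogiate.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin assogiate,gtk-update-icon-cache,update-mime-database
 private-cache
 private-dev
-private-lib gnome-vfs-2.0,libattr.so.*,libacl.so.*,libfam.so.*
+private-lib gnome-vfs-2.0,libacl.so.*,libattr.so.*,libfam.so.*
 private-tmp
 
 memory-deny-write-execute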
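--- a/etc/asunder.profile
+++ b/etc/asunder.profile
@@ -34,7 +34,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
-#private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
 private-dev
 private-tmp
 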
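--- a/etc/bitcoin-qt.profile
+++ b/etc/bitcoin-qt.profile
@@ -43,7 +43,7 @@ tracelog
 private-bin bitcoin-qt
 private-dev
 # Causes problem with loading of libGL.so
-#private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
 private-tmp
 
 memory-deny-write-execute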
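--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -6,12 +6,15 @@ include bitlbee.local
 # Persistent global definitions
 include globals.local
 
+ignore noexec ${HOME}
+
 noblacklist /sbin
 noblacklist /usr/sbin
 # noblacklist /var/log
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -34,5 +37,4 @@ private-cache
 private-dev
 private-tmp
 
-noexec /tmp
 read-write /var/lib/bitlbee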
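Review bot: `ignore noexec ${HOME}` in the first hunk is added without saying what under ${HOME} bitlbee has to execute, so a later reader cannot tell whether the exemption is still needed once disable-exec.inc is pulled in a few lines below. A one-liner such as `# bitlbee must execute from ${HOME} (<reason>)` would pin it down; the ignore is correctly placed before the include it applies to. The `noexec /tmp` dropped in the second hunk is presumably covered by disable-exec.inc — worth confirming that file still carries it.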
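--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -33,7 +33,7 @@ protocol unix
 seccomp
 shell none
 
-# private-bin bless,sh,bash,mono
+# private-bin bash,bless,mono,sh
 private-cache
 private-dev
 private-etc alternatives,fonts,mono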
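--- a/etc/brasero.profile
+++ b/etc/brasero.profile
@@ -31,7 +31,6 @@ tracelog
 # private-bin brasero
 private-cache
 # private-dev
-# private-etc alternatives,fonts
 # private-tmp
 
 memory-deny-write-execute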
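--- a/etc/caja.profile
+++ b/etc/caja.profile
@@ -39,5 +39,4 @@ tracelog
 # caja needs to be able to start arbitrary applications so we cannot blacklist their files
 # private-bin caja
 # private-dev
-# private-etc alternatives,fonts
 # private-tmp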
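--- a/etc/cantata.profile
+++ b/etc/cantata.profile
@@ -34,6 +34,6 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
 
-# private-etc samba,gcrypt,drirc,fonts,mpd.conf,kde5rc,passwd,xdg,hosts,ssl
+# private-etc drirc,fonts,gcrypt,hosts,kde5rc,mpd.conf,passwd,samba,ssl,xdg
 private-bin cantata,mpd,perl
 private-dev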
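--- a/etc/catfish.profile
+++ b/etc/catfish.profile
@@ -15,11 +15,11 @@ noblacklist ${HOME}/.config/catfish
 include allow-python2.inc
 include allow-python3.inc
 
-include disable-common.inc
+# include disable-common.inc
 # include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
-include disable-programs.inc
+# include disable-programs.inc
 
 whitelist /var/lib/mlocate
 include whitelist-var-common.inc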
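Review bot: Commenting out `include disable-common.inc` and `include disable-programs.inc` removes most of the blacklist from this profile, so everything those files hide becomes readable to catfish — as far as I recall that includes key material such as ~/.ssh and ~/.gnupg — and only disable-passwdmgr.inc still applies. A file-search tool does need broad read access, but the hunk gives no rationale and leaves the most sensitive directories unprotected. Keeping a minimal explicit blacklist, `blacklist ${HOME}/.ssh` and `blacklist ${HOME}/.gnupg`, together with a comment stating why the two includes are disabled, would retain the part of the protection that matters most.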
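--- a/etc/chromium-common.profile
+++ b/etc/chromium-common.profile
@@ -27,10 +27,9 @@ include whitelist-common.inc
 include whitelist-var-common.inc
 
 apparmor
-caps.keep sys_chroot,sys_admin
+caps.keep sys_admin,sys_chroot
 netfilter
-# Breaks Gnome connector - disable if you use that
-nodbus
+# nodbus - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector
 nodvd
 nogroups
 notv
@@ -42,4 +41,4 @@ private-dev
 # private-tmp - problems with multiple browser sessions
 
 # the file dialog needs to work without d-bus
-env NO_CHROME_KDE_FILE_DIALOG=1
+?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1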
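Review bot: With `nodbus` dropped in the first hunk the browser gets full session-bus access by default, and the `?HAS_NODBUS:` guard on the env line only fires when a user restores nodbus earlier in parse order — presumably via chromium-common.local, assuming it is included near the top of the file as elsewhere in the repo. The rewritten comment explains why nodbus is off but not how to get the old isolation back. Adding `# to restore it, put 'nodbus' in chromium-common.local (breaks keyring password access)` after the existing comment would close that gap.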
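--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -34,5 +34,5 @@ shell none
 # private-bin curl
 private-cache
 private-dev
-# private-etc alternatives,resolv.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
 private-tmp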
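--- a/etc/cyberfox.profile
+++ b/etc/cyberfox.profile
@@ -13,7 +13,7 @@ mkdir ${HOME}/.cache/8pecxstudios
 whitelist ${HOME}/.8pecxstudios
 whitelist ${HOME}/.cache/8pecxstudios
 
-# private-bin cyberfox,which,sh,dbus-launch,dbus-send,env
+# private-bin cyberfox,dbus-launch,dbus-send,env,sh,which
 # private-etc must first be enabled in firefox-common.profile
 #private-etc cyberfox
 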
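--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -17,7 +17,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-mkfile ${HOME}/.digrc
+#mkfile ${HOME}/.digrc -- see #903
 whitelist ${HOME}/.digrc
 include whitelist-common.inc
 include whitelist-var-common.inc
@@ -45,7 +45,6 @@ private
 private-bin bash,dig,sh
 private-cache
 private-dev
-# private-etc alternatives,resolv.conf
 private-lib
 private-tmp
 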
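Review bot: With the mkfile commented out in the first hunk, `whitelist ${HOME}/.digrc` on the next line only applies when the file already exists — firejail skips a whitelist entry whose path is missing — so users without a ~/.digrc now get a different outcome than before, and the `-- see #903` reference explains the mkfile, not this dependency. Extending the comment to `#mkfile ${HOME}/.digrc -- see #903; the whitelist below is skipped if the file does not exist` would record it.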
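--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -33,11 +33,8 @@ noroot
 notv
 protocol unix,inet,inet6,netlink
 seccomp
-# seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group
 shell none
 
-# private-bin program
 # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
-# private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
-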
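--- a/etc/dino.profile
+++ b/etc/dino.profile
@@ -37,6 +37,6 @@ shell none
 disable-mnt
 private-bin dino
 private-dev
-# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies # breaks server connection
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl -- breaks server connection
 private-tmp
 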
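--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -26,7 +26,7 @@ nosound
 notv
 nou2f
 novideo
-seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
+seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
 
 disable-mnt
 private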
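Review bot: `perf_event_open` appears twice in the sorted seccomp.drop list (`...perf_event_open,perf_event_open,pivot_root...`); the duplicate was already in the old line and sorting merely made it adjacent. It is harmless for the resulting filter, but since the line is being rewritten anyway it should be reduced to a single entry.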
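--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@@ -36,5 +36,5 @@ tracelog
 # private-bin elinks
 private-cache
 private-dev
-# private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp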
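--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -35,7 +35,6 @@ tracelog
 
 # private-bin engrampa
 private-dev
-# private-etc alternatives,fonts
 # private-tmp
 
 memory-deny-write-execute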
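--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -43,7 +43,7 @@ private-bin evince,evince-previewer,evince-thumbnailer
 private-cache
 private-dev
 private-etc alternatives,fonts,group,machine-id,passwd
-private-lib evince,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*,gconv
+private-lib evince,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
 private-tmp
 
 # memory-deny-write-execute - might break application (https://github.com/netblue30/firejail/issues/1803)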
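--- a/etc/feh-network.inc
+++ b/etc/feh-network.inc
@@ -1,4 +1,4 @@
 ignore net none
 netfilter
 protocol unix,inet,inet6
-private-etc resolv.conf,ca-certificates,ssl,pki,hosts,crypto-policies
+private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl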
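--- a/etc/fetchmail.profile
+++ b/etc/fetchmail.profile
@@ -30,5 +30,5 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
-#private-bin fetchmail,procmail,bash,chmod
+#private-bin bash,chmod,fetchmail,procmail
 private-dev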
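--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -36,7 +36,6 @@ nou2f
 novideo
 protocol inet,inet6
 seccomp
-# seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom
 shell none
 tracelog
 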
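--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -39,7 +39,6 @@ tracelog
 
 # private-bin file-roller
 private-dev
-# private-etc alternatives,fonts
 # private-tmp
 
 # memory-deny-write-execute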
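--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -34,11 +34,8 @@ caps.drop all
 # machine-id breaks pulse audio; it should work fine in setups where sound is not required.
 #machine-id
 netfilter
-# Breaks Gnome connector and KDE Connect.
-# Also seems to break Ubuntu titlebar menu.
-# Also breaks enigmail apparently?
-# During a stream on Plasma it prevents the mechanism to temporarily bypass the power management, i.e. to keep the screen on.
-# Therefore disable if you use that.
+# nodbus breaks various desktop integration features
+# among other things global menus, Gnome connector, KDE connect and power management on KDE Plasma
 nodbus
 nodvd
 nogroups
@@ -57,5 +54,5 @@ shell none
 disable-mnt
 private-dev
 # private-etc below works fine on most distributions. There are some problems on CentOS.
-#private-etc alternatives,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies,ld.so.cache
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp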
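Review bot: The consolidated comment in the first hunk loses the one actionable sentence the old text had ("Therefore disable if you use that"), so a user hit by the global-menu or Plasma power-management breakage no longer sees how to opt out while `nodbus` stays on. Appending `# put 'ignore nodbus' in firefox-common.local to disable it` would keep that guidance, assuming the .local is included before this point as elsewhere in the repo. Note that chromium-common in the same commit removes nodbus outright, so the two browser families now take opposite defaults; a sentence on the reasoning would help whoever reconciles them later.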
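--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -15,7 +15,7 @@ whitelist ${HOME}/.cache/mozilla/firefox
 whitelist ${HOME}/.mozilla
 
 # firefox requires a shell to launch on Arch.
-#private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash
+#private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
 # private-etc must first be enabled in firefox-common.profile
 #private-etc firefox
 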
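--- a/etc/freecol.profile
+++ b/etc/freecol.profile
@@ -7,7 +7,6 @@ include freecol.local
 include globals.local
 
 noblacklist ${HOME}/.freecol
-noblacklist ${HOME}/.java
 noblacklist ${HOME}/.cache/freecol
 noblacklist ${HOME}/.config/freecol
 noblacklist ${HOME}/.local/share/freecol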
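--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -38,5 +38,4 @@ shell none
 disable-mnt
 # private-bin frozen-bubble
 private-dev
-# private-etc alternatives
 private-tmp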
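--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -44,7 +44,6 @@ tracelog
 
 # private-bin gedit
 private-dev
-# private-etc alternatives,fonts
-private-lib /usr/bin/gedit,libtinfo.so.*,libreadline.so.*,gedit,libgspell-1.so.*,gconv,aspell
+private-lib aspell,gconv,gedit,libgspell-1.so.*,libreadline.so.*,libtinfo.so.*
 private-tmp
 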
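Review bot: Besides sorting, the new private-lib line drops `/usr/bin/gedit` from the list, which is a behavioural change rather than a reorder; if private-lib already copies the sandboxed executable's own library dependencies (as I believe it does) the entry was redundant, but nothing in the hunk says so. A short comment such as `# the gedit binary's own libraries are picked up automatically` would stop someone from re-adding it later.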
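--- a/etc/geeqie.profile
+++ b/etc/geeqie.profile
@@ -31,4 +31,3 @@ shell none
 
 # private-bin geeqie
 private-dev
-# private-etc alternatives,X11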
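--- a/etc/github-desktop.profile
+++ b/etc/github-desktop.profile
@@ -42,7 +42,6 @@ disable-mnt
 private-cache
 ?HAS_APPIMAGE: ignore private-dev
 private-dev
-# private-etc alternatives
 # private-lib
 private-tmp
 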
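--- a/etc/gjs.profile
+++ b/etc/gjs.profile
@@ -32,7 +32,7 @@ seccomp
 shell none
 tracelog
 
-# private-bin gjs,gnome-books,gnome-documents,gnome-photos,gnome-maps,gnome-weather
+# private-bin gjs,gnome-books,gnome-documents,gnome-maps,gnome-photos,gnome-weather
 private-dev
-# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
 private-tmp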
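--- a/etc/gnome-books.profile
+++ b/etc/gnome-books.profile
@@ -36,8 +36,7 @@ seccomp
 shell none
 tracelog
 
-# private-bin gjs gnome-books
+# private-bin gjs,gnome-books
 private-dev
-# private-etc alternatives,fonts
 private-tmp
 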
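--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -10,6 +10,7 @@ include globals.local
 
 noblacklist ${HOME}/.cache/champlain
 noblacklist ${HOME}/.local/share/flatpak
+noblacklist ${HOME}/.local/share/maps-places.json
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,6 +20,13 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.cache/champlain
+mkfile ${HOME}/.local/share/maps-places.json
+whitelist ${HOME}/.cache/champlain
+whitelist ${HOME}/.local/share/maps-places.json
+whitelist ${DOWNLOADS}
+whitelist ${PICTURES}
+include whitelist-common.inc
 include whitelist-var-common.inc
 
 apparmor
@@ -39,8 +47,9 @@ shell none
 tracelog
 
 disable-mnt
-# private-bin gjs gnome-maps
+private-bin gjs,gnome-maps
+# private-cache -- gnome-maps cache all maps/satelite-images
 private-dev
-# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,ca-certificates,clutter-1.0,crypto-policies,dconf,drirc,fonts,gconf,gcrypt,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pkcs11,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg
 private-tmp
 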
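Review bot: The new whitelist in the second hunk grants `${DOWNLOADS}` and `${PICTURES}` read-write to a networked map viewer, and nothing in the hunk says why either tree is needed. If they exist only so that routes can be exported and photos imported, consider documenting that on the lines, `# export/import of routes and geotagged photos` (confirm against the app), and if writing is not required, pairing them with `read-only ${PICTURES}` so a compromised renderer cannot alter the user's photo library. The third hunk's comment `# private-cache -- gnome-maps cache all maps/satelite-images` should read `caches all maps/satellite-images`.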
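--- a/etc/gnome-nettool.profile
+++ b/etc/gnome-nettool.profile
@@ -14,7 +14,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-include whitelist-common.inc
+#include whitelist-common.inc -- see #903
 include whitelist-var-common.inc
 
 caps.keep net_raw
@@ -39,6 +39,6 @@ disable-mnt
 private
 private-cache
 private-dev
-private-lib libgtk-3.so.*,libgtop*,libbind9.so.*,libcrypto.so.*,libdns.so.*,libirs.so.*,liblua.so.*,libssh2.so.*,libssl.so.*
+private-lib libbind9.so.*,libcrypto.so.*,libdns.so.*,libgtk-3.so.*,libgtop*,libirs.so.*,liblua.so.*,libssh2.so.*,libssl.so.*
 private-tmp
 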
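Review bot: The rationale for disabling `whitelist-common.inc` in the first hunk lives only in an issue number, and this profile keeps `caps.keep net_raw`, so any loosening of its filesystem view deserves a sentence on the line itself, e.g. `#include whitelist-common.inc -- see #903 (<one-line reason from the issue>)`. Since the second hunk still shows an unconditional `private`, the home directory is presumably replaced by an empty one regardless, in which case the net exposure change is nil and saying so would reassure the next reader; if `private` is ever dropped, the commented include becomes the only thing standing between the tool and the real home.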
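--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@@ -33,8 +33,7 @@ seccomp
 shell none
 tracelog
 
-# private-bin gjs gnome-photos
+# private-bin gjs,gnome-photos
 private-dev
-# private-etc alternatives,fonts
 private-tmp
 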
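--- a/etc/gnome-schedule.profile
+++ b/etc/gnome-schedule.profile
@@ -69,6 +69,5 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-# private-etc alternatives
 writable-var
 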
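--- a/etc/gnome-weather.profile
+++ b/etc/gnome-weather.profile
@@ -37,8 +37,8 @@ shell none
 tracelog
 
 disable-mnt
-# private-bin gjs gnome-weather
+# private-bin gjs,gnome-weather
 private-dev
-# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
 private-tmp
 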
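--- a/etc/goobox.profile
+++ b/etc/goobox.profile
@@ -31,5 +31,5 @@ tracelog
 
 # private-bin goobox
 private-dev
-# private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
 # private-tmp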
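--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@@ -34,5 +34,4 @@ tracelog
 private-bin highlight
 private-cache
 private-dev
-# private-etc alternatives
 private-tmp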
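--- a/etc/img2txt.profile
+++ b/etc/img2txt.profile
@@ -38,7 +38,6 @@ tracelog
 # private-bin img2txt
 private-cache
 private-dev
-# private-etc alternatives
 private-tmp
 
 memory-deny-write-execute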
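--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -6,7 +6,6 @@ include jd-gui.local
 include globals.local
 
 noblacklist ${HOME}/.config/jd-gui.cfg
-noblacklist ${HOME}/.java
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc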
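--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -35,4 +35,4 @@ shell none
 
 private-bin dbus-launch,dvdauthor,ffmpeg,ffplay,ffprobe,genisoimage,kdeinit4,kdeinit4_shutdown,kdeinit4_wrapper,kdeinit5,kdeinit5_shutdown,kdeinit5_wrapper,kdenlive,kdenlive_render,kshell4,kshell5,melt,mlt-melt,vlc,xine
 private-dev
-# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,xdg,X11
+# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,X11,xdg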
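--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -53,9 +53,8 @@ protocol unix,inet,inet6,netlink
 # we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 # tracelog
-# writable-run-user is needed for signing and encrypting emails
-writable-run-user
 
 private-dev
 # private-tmp - interrupts connection to akonadi, breaks opening of email attachments
-
+# writable-run-user is needed for signing and encrypting emails
+writable-run-user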
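--- a/etc/kopete.profile
+++ b/etc/kopete.profile
@@ -31,8 +31,8 @@ notv
 nou2f
 protocol unix,inet,inet6,netlink
 seccomp
-writable-var
 
 private-dev
 private-tmp
+writable-var
 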
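--- a/etc/less.profile
+++ b/etc/less.profile
@@ -34,7 +34,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-writable-var-log
 
 # The user can have a custom coloring script configured in ${HOME}/.lessfilter.
 # Enable private-bin and private-lib if you are not using any filter.
@@ -42,5 +41,6 @@ writable-var-log
 # private-lib
 private-cache
 private-dev
+writable-var-log
 
 memory-deny-write-execute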
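--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -6,7 +6,6 @@ include libreoffice.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.java
 noblacklist /usr/local/sbin
 noblacklist ${HOME}/.config/libreoffice
 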
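--- a/etc/lynx.profile
+++ b/etc/lynx.profile
@@ -34,5 +34,5 @@ tracelog
 # private-bin lynx
 private-cache
 private-dev
-# private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp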
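--- a/etc/mediathekview.profile
+++ b/etc/mediathekview.profile
@@ -11,7 +11,6 @@ noblacklist ${HOME}/.config/smplayer
 noblacklist ${HOME}/.config/totem
 noblacklist ${HOME}/.config/vlc
 noblacklist ${HOME}/.config/xplayer
-noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/totem
 noblacklist ${HOME}/.local/share/xplayer
 noblacklist ${HOME}/.mediathek3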
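--- a/etc/minetest.profile
+++ b/etc/minetest.profile
@@ -6,6 +6,7 @@ include minetest.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.cache/minetest
 noblacklist ${HOME}/.minetest
 
 include disable-common.inc
@@ -16,7 +17,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.cache/minetest
 mkdir ${HOME}/.minetest
+whitelist ${HOME}/.cache/minetest
 whitelist ${HOME}/.minetest
 include whitelist-common.inc
 include whitelist-var-common.inc
@@ -42,5 +45,5 @@ private-bin minetest
 private-cache
 private-dev
 # private-etc needs to be updated, see #1702
-#private-etc alternatives,asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
 private-tmp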
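--- a/etc/mpd.profile
+++ b/etc/mpd.profile
@@ -34,7 +34,7 @@ protocol unix,inet,inet6
 seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
 shell none
 
-#private-bin mpd,bash
+#private-bin bash,mpd
 private-cache
 private-dev
 private-tmp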
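--- a/etc/multimc5.profile
+++ b/etc/multimc5.profile
@@ -5,7 +5,6 @@ include multimc5.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/multimc
 noblacklist ${HOME}/.local/share/multimc5
 noblacklist ${HOME}/.multimc5
@@ -43,7 +42,7 @@ shell none
 
 disable-mnt
 # private-bin works, but causes weirdness
-# private-bin multimc5,bash,mkdir,which,zenity,kdialog,ldd,chmod,valgrind,apt-file,pkgfile,dnf,yum,zypper,pfl,java,grep,sort,awk,readlink,dirname
+# private-bin apt-file,awk,bash,chmod,dirname,dnf,grep,java,kdialog,ldd,mkdir,multimc5,pfl,pkgfile,readlink,sort,valgrind,which,yum,zenity,zypper
 private-dev
 private-tmp
 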
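--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -36,7 +36,7 @@ seccomp
 shell none
 tracelog
 
-# private-bin mupdf,sh,tempfile,rm
+# private-bin mupdf,rm,sh,tempfile
 private-dev
 private-etc alternatives,fonts
 private-tmp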
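--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -54,6 +54,6 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
-writable-run-user
 
 private-dev
+writable-run-user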
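--- a/etc/nautilus.profile
+++ b/etc/nautilus.profile
@@ -40,5 +40,4 @@ tracelog
 # nautilus needs to be able to start arbitrary applications so we cannot blacklist their files
 # private-bin nautilus
 # private-dev
-# private-etc alternatives,fonts
 # private-tmp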
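--- a/etc/open-invaders.profile
+++ b/etc/open-invaders.profile
@@ -33,5 +33,4 @@ shell none
 
 # private-bin open-invaders
 private-dev
-# private-etc alternatives
 private-tmp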
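--- a/etc/openarena.profile
+++ b/etc/openarena.profile
@@ -21,16 +21,12 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 # ipc-namespace
-# machine-id
-# net none
 # netfilter
-# no3d
 # nodbus
 # nodvd
 # nogroups
 nonewprivs
 noroot
-# nosound
 notv
 # nou2f
 novideo
@@ -40,12 +36,8 @@ shell none
 # tracelog
 
 # disable-mnt
-# private
 # private-bin openarena
 private-cache
 private-dev
-# private-etc machine-id,xdg,openal,udev,drirc,passwd,selinux
+# private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg
-# private-lib
 private-tmp
-
-# memory-deny-write-execute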
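--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -6,7 +6,6 @@ include pdfsam.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.java
 noblacklist ${DOCUMENTS}
 
 # Allow java (blacklisted by disable-devel.inc)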
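--- a/etc/peek.profile
+++ b/etc/peek.profile
@@ -34,7 +34,7 @@ seccomp
 shell none
 
 # private-bin breaks gif mode, mp4 and webm mode work fine however
-# private-bin peek,convert,ffmpeg
+# private-bin convert,ffmpeg,peek
 private-dev
 private-tmp
 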
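--- a/etc/ping.profile
+++ b/etc/ping.profile
@@ -30,10 +30,8 @@ nosound
 notv
 nou2f
 novideo
-
 # protocol command is built using seccomp; nonewprivs will kill it
 #protocol unix,inet,inet6,netlink,packet
-
 # killed by no-new-privs
 #seccomp
 
@@ -42,7 +40,7 @@ private
 #private-bin has mammoth problems with execvp: "No such file or directory"
 private-dev
 # /etc/hosts is required in private-etc; however, just adding it to the list doesn't solve the problem!
-#private-etc resolv.conf,hosts,ca-certificates,ssl,pki,crypto-policies
+#private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl
 private-tmp
 
 # memory-deny-write-execute is built using seccomp; nonewprivs will kill it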
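--- a/etc/pingus.profile
+++ b/etc/pingus.profile
@@ -33,5 +33,4 @@ shell none
 
 # private-bin pingus
 private-dev
-# private-etc alternatives
 private-tmp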
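--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -39,7 +39,6 @@ tracelog
 
 private-bin pluma
 private-dev
-# private-etc alternatives,fonts
 private-lib pluma
 private-tmp
 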
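--- a/etc/pycharm-community.profile
+++ b/etc/pycharm-community.profile
@@ -8,7 +8,6 @@ include globals.local
 noblacklist ${HOME}/.PyCharmCE*
 noblacklist ${HOME}/.python-history
 noblacklist ${HOME}/.pythonrc.py
-noblacklist ${HOME}/.java
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc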
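--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -53,8 +53,7 @@ shell none
 
 private-bin python*,qbittorrent
 private-dev
-# private-etc alternatives,X11,fonts,xdg,resolv.conf,ca-certificates,ssl,pki,crypto-policies
-# private-lib - problems on Arch
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl,X11,xdg
 private-tmp
 
 # memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo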
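--- a/etc/qgis.profile
+++ b/etc/qgis.profile
@@ -45,7 +45,7 @@ notv
 nou2f
 novideo
 # blacklisting of mbind system calls breaks old version
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,set_mempolicy,migrate_pages,move_pages,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,vmsplice,umount,userfaultfd,mincore
+seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,migrate_pages,mincore,move_pages,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,set_mempolicy,syslog,umount,userfaultfd,vmsplice
 protocol unix,inet,inet6,netlink
 shell none
 tracelog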
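--- a/etc/quiterss.profile
+++ b/etc/quiterss.profile
@@ -50,5 +50,5 @@ tracelog
 disable-mnt
 private-bin quiterss
 private-dev
-# private-etc alternatives,X11,ssl,pki,ca-certificates,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl,X11
 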
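--- a/etc/remmina.profile
+++ b/etc/remmina.profile
@@ -31,7 +31,6 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
-# seccomp.keep access,arch_prctl,brk,chmod,clock_getres,clock_gettime,clone,close,connect,dup3,eventfd2,execve,fadvise64,fallocate,fcntl,flock,fstat,fstatfs,fsync,ftruncate,futex,getdents,getegid,geteuid,getgid,getpeername,getpid,getrandom,getresgid,getresuid,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,memfd_create,mmap,mprotect,mremap,munmap,nanosleep,open,openat,pipe,pipe2,poll,prctl,prlimit64,pwrite64,read,readlink,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,sendmmsg,sendmsg,sendto,set_robust_list,setsockopt,set_tid_address,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,tgkill,uname,utimensat,write,writev
 shell none
 
 private-cache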
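--- /dev/null
+++ b/etc/rhythmbox-client.profile
@@ -0,0 +1,11 @@
+# Firejail profile for rhythmbox-client
+# Description: controls a running instance of rhythmbox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rhythmbox-client.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include rhythmbox.profile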
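--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -26,7 +26,6 @@ include whitelist-var-common.inc
 # apparmor - makes settings immutable
 caps.drop all
 netfilter
-# no3d
 # nodbus - makes settings immutable
 nogroups
 nonewprivs
@@ -39,7 +38,6 @@ seccomp
 shell none
 tracelog
 
-private-bin rhythmbox
+private-bin rhythmbox,rhythmbox-client
 private-dev
 private-tmp
-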
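--- a/etc/ricochet.profile
+++ b/etc/ricochet.profile
@@ -37,5 +37,5 @@ shell none
 disable-mnt
 private-bin ricochet,tor
 private-dev
-#private-etc alternatives,fonts,tor,X11,alternatives,ca-certificates,ssl,pki,crypto-policies
+#private-etc alternatives,alternatives,ca-certificates,crypto-policies,fonts,pki,ssl,tor,X11
 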
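Review bot: The re-sorted `#private-etc` line still lists `alternatives` twice; the sort made the duplicate adjacent but did not remove it, so whoever later uncomments the line inherits it. The line should read `#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl,tor,X11`.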
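--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -56,7 +56,7 @@ seccomp
 shell none
 tracelog
 
-# private-bin scribus,gs,gimp*
+# private-bin gimp*,gs,scribus
 private-dev
 private-tmp
 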
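--- a/etc/seahorse.profile
+++ b/etc/seahorse.profile
@@ -50,6 +50,5 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,hostname,host.conf,hosts,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11
+private-etc ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11
-
 writable-run-user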
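--- a/etc/seamonkey.profile
+++ b/etc/seamonkey.profile
@@ -52,4 +52,4 @@ seccomp
 tracelog
 
 disable-mnt
-# private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies
+# private-etc adobe,alternatives,asound.conf,ca-certificates,crypto-policies,firefox,fonts,group,gtk-2.0,hostname,hosts,iceweasel,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl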
diff --git a/etc/shotcut.profile b/etc/shotcut.profile index 264566dcd..e6c48561f 100644 --- a/etc/shotcut.profile +++ b/etc/shotcut.profile | |||
@@ -5,10 +5,13 @@ include shotcut.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | ignore noexec ${HOME} | ||
9 | |||
8 | noblacklist ${HOME}/.config/Meltytech | 10 | noblacklist ${HOME}/.config/Meltytech |
9 | 11 | ||
10 | include disable-common.inc | 12 | include disable-common.inc |
11 | include disable-devel.inc | 13 | include disable-devel.inc |
14 | include disable-exec.inc | ||
12 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
13 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
14 | include disable-programs.inc | 17 | include disable-programs.inc |
@@ -26,9 +29,6 @@ protocol unix | |||
26 | seccomp | 29 | seccomp |
27 | shell none | 30 | shell none |
28 | 31 | ||
29 | #private-bin shotcut,melt,qmelt,nice | 32 | #private-bin melt,nice,qmelt,shotcut |
30 | private-cache | 33 | private-cache |
31 | private-dev | 34 | private-dev |
32 | |||
33 | #noexec ${HOME} | ||
34 | noexec /tmp | ||
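Review bot: `ignore noexec ${HOME}` on new line 8 re-enables execution from the home directory with no comment saying why shotcut needs it; the old profile only carried the commented-out `#noexec ${HOME}`, so the reason is lost to the next maintainer. A one-line rationale above it, e.g. `# shotcut needs an executable ${HOME} (reason: TODO)`, would make the weakening deliberate and reviewable. Dropping `noexec /tmp` on old line 34 presumably relies on the newly included disable-exec.inc providing it; worth confirming that include still covers /tmp.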
diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile index 4ad841880..64441483d 100644 --- a/etc/simple-scan.profile +++ b/etc/simple-scan.profile | |||
@@ -33,5 +33,5 @@ tracelog | |||
33 | 33 | ||
34 | # private-bin simple-scan | 34 | # private-bin simple-scan |
35 | # private-dev | 35 | # private-dev |
36 | # private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies | 36 | # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl |
37 | # private-tmp | 37 | # private-tmp |
diff --git a/etc/simplescreenrecorder.profile b/etc/simplescreenrecorder.profile index ead475e07..a3caedf88 100644 --- a/etc/simplescreenrecorder.profile +++ b/etc/simplescreenrecorder.profile | |||
@@ -31,7 +31,6 @@ tracelog | |||
31 | 31 | ||
32 | private-cache | 32 | private-cache |
33 | private-dev | 33 | private-dev |
34 | # private-etc alternatives | ||
35 | private-tmp | 34 | private-tmp |
36 | 35 | ||
37 | memory-deny-write-execute | 36 | memory-deny-write-execute |
diff --git a/etc/simutrans.profile b/etc/simutrans.profile index c07b1c145..7febcde46 100644 --- a/etc/simutrans.profile +++ b/etc/simutrans.profile | |||
@@ -33,5 +33,4 @@ shell none | |||
33 | 33 | ||
34 | # private-bin simutrans | 34 | # private-bin simutrans |
35 | private-dev | 35 | private-dev |
36 | # private-etc alternatives | ||
37 | private-tmp | 36 | private-tmp |
diff --git a/etc/skanlite.profile b/etc/skanlite.profile index 76b050d18..c10be717b 100644 --- a/etc/skanlite.profile +++ b/etc/skanlite.profile | |||
@@ -16,7 +16,6 @@ include disable-programs.inc | |||
16 | include disable-xdg.inc | 16 | include disable-xdg.inc |
17 | 17 | ||
18 | caps.drop all | 18 | caps.drop all |
19 | # net none | ||
20 | netfilter | 19 | netfilter |
21 | # nodbus | 20 | # nodbus |
22 | nodvd | 21 | nodvd |
@@ -31,6 +30,6 @@ protocol unix,inet,inet6,netlink | |||
31 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 30 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice |
32 | shell none | 31 | shell none |
33 | 32 | ||
34 | # private-bin skanlite,kbuildsycoca4,kdeinit4 | 33 | # private-bin kbuildsycoca4,kdeinit4,skanlite |
35 | # private-dev | 34 | # private-dev |
36 | # private-tmp | 35 | # private-tmp |
diff --git a/etc/skype.profile b/etc/skype.profile index 55057c546..5fab8bdc7 100644 --- a/etc/skype.profile +++ b/etc/skype.profile | |||
@@ -28,7 +28,7 @@ seccomp | |||
28 | shell none | 28 | shell none |
29 | 29 | ||
30 | disable-mnt | 30 | disable-mnt |
31 | #private-bin skype,bash | 31 | #private-bin bash,skype |
32 | private-cache | 32 | private-cache |
33 | private-dev | 33 | private-dev |
34 | private-tmp | 34 | private-tmp |
diff --git a/etc/ssh.profile b/etc/ssh.profile index 17d286b18..ce0e54a0d 100644 --- a/etc/ssh.profile +++ b/etc/ssh.profile | |||
@@ -37,6 +37,6 @@ tracelog | |||
37 | private-cache | 37 | private-cache |
38 | private-dev | 38 | private-dev |
39 | # private-tmp # Breaks when exiting | 39 | # private-tmp # Breaks when exiting |
40 | writable-run-user | ||
40 | 41 | ||
41 | memory-deny-write-execute | 42 | memory-deny-write-execute |
42 | writable-run-user | ||
diff --git a/etc/steam.profile b/etc/steam.profile index df7bfba85..b6b340980 100644 --- a/etc/steam.profile +++ b/etc/steam.profile | |||
@@ -6,7 +6,6 @@ include steam.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.java | ||
10 | noblacklist ${HOME}/.killingfloor | 9 | noblacklist ${HOME}/.killingfloor |
11 | noblacklist ${HOME}/.local/share/3909/PapersPlease | 10 | noblacklist ${HOME}/.local/share/3909/PapersPlease |
12 | noblacklist ${HOME}/.local/share/aspyr-media | 11 | noblacklist ${HOME}/.local/share/aspyr-media |
@@ -60,7 +59,7 @@ shell none | |||
60 | #tracelog | 59 | #tracelog |
61 | 60 | ||
62 | # private-bin is disabled while in testing, but has been tested working with multiple games | 61 | # private-bin is disabled while in testing, but has been tested working with multiple games |
63 | #private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lspci,lsof,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity | 62 | #private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lsof,lspci,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity |
64 | # extra programs are available which might be needed for select games | 63 | # extra programs are available which might be needed for select games |
65 | #private-bin java,java-config,mono | 64 | #private-bin java,java-config,mono |
66 | # picture viewers are needed for viewing screenshots | 65 | # picture viewers are needed for viewing screenshots |
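Review bot: Dropping `noblacklist ${HOME}/.java` on old line 9 assumes that path is no longer blacklisted by any of the included disable-*.inc files (or is re-allowed by another include); nothing in this hunk shows which, and steam's java-related private-bin lines are commented out. If a disable-*.inc still blacklists ~/.java, Java-based games lose their settings directory silently. The same removal is made in terasology, tuxguitar, webstorm and zaproxy; a short note in the commit description naming the include that now handles `${HOME}/.java` would settle the question for all five.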
diff --git a/etc/supertux2.profile b/etc/supertux2.profile index 793e4126c..287a078b3 100644 --- a/etc/supertux2.profile +++ b/etc/supertux2.profile | |||
@@ -34,5 +34,4 @@ shell none | |||
34 | disable-mnt | 34 | disable-mnt |
35 | # private-bin supertux2 | 35 | # private-bin supertux2 |
36 | private-dev | 36 | private-dev |
37 | # private-etc alternatives | ||
38 | private-tmp | 37 | private-tmp |
diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile index 33086a99d..30b0ad762 100644 --- a/etc/synfigstudio.profile +++ b/etc/synfigstudio.profile | |||
@@ -31,7 +31,7 @@ protocol unix | |||
31 | seccomp | 31 | seccomp |
32 | shell none | 32 | shell none |
33 | 33 | ||
34 | #private-bin synfigstudio,synfig,ffmpeg | 34 | #private-bin ffmpeg,synfig,synfigstudio |
35 | private-cache | 35 | private-cache |
36 | private-dev | 36 | private-dev |
37 | private-tmp | 37 | private-tmp |
diff --git a/etc/tar.profile b/etc/tar.profile index 71f7414bc..7e1fa8b92 100644 --- a/etc/tar.profile +++ b/etc/tar.profile | |||
@@ -43,7 +43,7 @@ private-cache | |||
43 | private-dev | 43 | private-dev |
44 | private-etc alternatives,group,localtime,passwd | 44 | private-etc alternatives,group,localtime,passwd |
45 | private-lib libfakeroot | 45 | private-lib libfakeroot |
46 | |||
47 | memory-deny-write-execute | ||
48 | # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic) | 46 | # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic) |
49 | writable-var | 47 | writable-var |
48 | |||
49 | memory-deny-write-execute | ||
diff --git a/etc/tcpdump.profile b/etc/tcpdump.profile index 7713ac6c0..3c46dfdcb 100644 --- a/etc/tcpdump.profile +++ b/etc/tcpdump.profile | |||
@@ -8,6 +8,7 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist /sbin | 9 | noblacklist /sbin |
10 | noblacklist /usr/sbin | 10 | noblacklist /usr/sbin |
11 | |||
11 | include disable-common.inc | 12 | include disable-common.inc |
12 | include disable-devel.inc | 13 | include disable-devel.inc |
13 | include disable-exec.inc | 14 | include disable-exec.inc |
@@ -15,6 +16,7 @@ include disable-interpreters.inc | |||
15 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 17 | include disable-programs.inc |
17 | include disable-xdg.inc | 18 | include disable-xdg.inc |
19 | |||
18 | include whitelist-common.inc | 20 | include whitelist-common.inc |
19 | 21 | ||
20 | caps.keep net_raw | 22 | caps.keep net_raw |
@@ -30,7 +32,6 @@ nosound | |||
30 | notv | 32 | notv |
31 | nou2f | 33 | nou2f |
32 | novideo | 34 | novideo |
33 | |||
34 | protocol unix,inet,inet6,netlink,packet | 35 | protocol unix,inet,inet6,netlink,packet |
35 | seccomp | 36 | seccomp |
36 | 37 | ||
@@ -38,7 +39,6 @@ disable-mnt | |||
38 | #private | 39 | #private |
39 | #private-bin tcpdump | 40 | #private-bin tcpdump |
40 | private-dev | 41 | private-dev |
41 | #private-etc | ||
42 | private-tmp | 42 | private-tmp |
43 | 43 | ||
44 | memory-deny-write-execute | 44 | memory-deny-write-execute |
diff --git a/etc/templates/profile.template b/etc/templates/profile.template index 9ca711719..0ccb3fae0 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template | |||
@@ -30,8 +30,8 @@ | |||
30 | # MKDIRS | 30 | # MKDIRS |
31 | # WHITELISTS | 31 | # WHITELISTS |
32 | # WHITELIST INCLUDES | 32 | # WHITELIST INCLUDES |
33 | # OPTIONS (no*) | 33 | # OPTIONS (caps*, net*, no*, protocol, seccomp, shell none, tracelog) |
34 | # PRIVATE OPTIONS (disable-mnt, private-*) | 34 | # PRIVATE OPTIONS (disable-mnt, private-*, writable-*) |
35 | # SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start) | 35 | # SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start) |
36 | # REDIRECT INCLUDES | 36 | # REDIRECT INCLUDES |
37 | # | 37 | # |
@@ -98,7 +98,7 @@ | |||
98 | # in PROFILE.local but still be protected by BLACKLISTS section | 98 | # in PROFILE.local but still be protected by BLACKLISTS section |
99 | # (further explanation at https://github.com/netblue30/firejail/issues/1569) | 99 | # (further explanation at https://github.com/netblue30/firejail/issues/1569) |
100 | #mkdir PATH | 100 | #mkdir PATH |
101 | #mkfile PATH | 101 | ##mkfile PATH |
102 | #whitelist PATH | 102 | #whitelist PATH |
103 | #include whitelist-common.inc | 103 | #include whitelist-common.inc |
104 | #include whitelist-var-common.inc | 104 | #include whitelist-var-common.inc |
@@ -136,7 +136,7 @@ | |||
136 | # private-etc templates (see also #1734, #2093) | 136 | # private-etc templates (see also #1734, #2093) |
137 | # Common: ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,locale,locale.alias,locale.conf,localtime,alternatives,mime.types,xdg | 137 | # Common: ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,locale,locale.alias,locale.conf,localtime,alternatives,mime.types,xdg |
138 | # Extra: magic,magic.mgc,passwd,group | 138 | # Extra: magic,magic.mgc,passwd,group |
139 | # Networking: ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv,conf,hosts,host.conf,hostname,protocols,services,rpc | 139 | # Networking: ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf,hosts,host.conf,hostname,protocols,services,rpc |
140 | # Extra: proxychains.conf,gai.conf | 140 | # Extra: proxychains.conf,gai.conf |
141 | # Sound: alsa,asound.conf,pulse,machine-id | 141 | # Sound: alsa,asound.conf,pulse,machine-id |
142 | # GUI: fonts,pango,X11 | 142 | # GUI: fonts,pango,X11 |
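Review bot: New line 101 turns `#mkfile PATH` into `##mkfile PATH`, the only doubled comment marker in this block, while the neighbouring `#mkdir PATH` and `#whitelist PATH` keep a single `#`. If the second `#` is meant to mark mkfile as rarely needed, say so in a comment such as `# mkfile is rarely needed; prefer mkdir`; if not, it looks like a typo worth reverting. The `resolv,conf` to `resolv.conf` fix on line 139 is correct.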
diff --git a/etc/terasology.profile b/etc/terasology.profile index 7b273c23d..9a8426435 100644 --- a/etc/terasology.profile +++ b/etc/terasology.profile | |||
@@ -7,7 +7,6 @@ include globals.local | |||
7 | 7 | ||
8 | ignore noexec /tmp | 8 | ignore noexec /tmp |
9 | 9 | ||
10 | noblacklist ${HOME}/.java | ||
11 | noblacklist ${HOME}/.local/share/terasology | 10 | noblacklist ${HOME}/.local/share/terasology |
12 | 11 | ||
13 | # Allow java (blacklisted by disable-devel.inc) | 12 | # Allow java (blacklisted by disable-devel.inc) |
diff --git a/etc/tor.profile b/etc/tor.profile index 4aebe0a1e..13d071635 100644 --- a/etc/tor.profile +++ b/etc/tor.profile | |||
@@ -25,7 +25,7 @@ include disable-passwdmgr.inc | |||
25 | include disable-programs.inc | 25 | include disable-programs.inc |
26 | include disable-xdg.inc | 26 | include disable-xdg.inc |
27 | 27 | ||
28 | caps.keep setuid,setgid,net_bind_service,dac_read_search | 28 | caps.keep dac_read_search,net_bind_service,setgid,setuid |
29 | ipc-namespace | 29 | ipc-namespace |
30 | machine-id | 30 | machine-id |
31 | netfilter | 31 | netfilter |
@@ -40,7 +40,6 @@ novideo | |||
40 | protocol unix,inet,inet6 | 40 | protocol unix,inet,inet6 |
41 | seccomp | 41 | seccomp |
42 | shell none | 42 | shell none |
43 | writable-var | ||
44 | 43 | ||
45 | disable-mnt | 44 | disable-mnt |
46 | private | 45 | private |
@@ -49,4 +48,4 @@ private-cache | |||
49 | private-dev | 48 | private-dev |
50 | private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor | 49 | private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor |
51 | private-tmp | 50 | private-tmp |
52 | 51 | writable-var | |
diff --git a/etc/totem.profile b/etc/totem.profile index 9e6684824..5b74709e3 100644 --- a/etc/totem.profile +++ b/etc/totem.profile | |||
@@ -40,6 +40,6 @@ private-bin totem | |||
40 | # totem needs access to ~/.cache/tracker or it exits | 40 | # totem needs access to ~/.cache/tracker or it exits |
41 | #private-cache | 41 | #private-cache |
42 | private-dev | 42 | private-dev |
43 | # private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies | 43 | # private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl |
44 | private-tmp | 44 | private-tmp |
45 | 45 | ||
diff --git a/etc/tracker.profile b/etc/tracker.profile index c1779ae3e..6e107d99e 100644 --- a/etc/tracker.profile +++ b/etc/tracker.profile | |||
@@ -33,5 +33,4 @@ tracelog | |||
33 | 33 | ||
34 | # private-bin tracker | 34 | # private-bin tracker |
35 | # private-dev | 35 | # private-dev |
36 | # private-etc alternatives,fonts | ||
37 | # private-tmp | 36 | # private-tmp |
diff --git a/etc/tshark.profile b/etc/tshark.profile index 52ee228a3..ea85f4e8a 100644 --- a/etc/tshark.profile +++ b/etc/tshark.profile | |||
@@ -13,6 +13,7 @@ include disable-interpreters.inc | |||
13 | include disable-passwdmgr.inc | 13 | include disable-passwdmgr.inc |
14 | include disable-programs.inc | 14 | include disable-programs.inc |
15 | include disable-xdg.inc | 15 | include disable-xdg.inc |
16 | |||
16 | include whitelist-common.inc | 17 | include whitelist-common.inc |
17 | 18 | ||
18 | #caps.keep net_raw | 19 | #caps.keep net_raw |
@@ -29,7 +30,6 @@ nosound | |||
29 | notv | 30 | notv |
30 | nou2f | 31 | nou2f |
31 | novideo | 32 | novideo |
32 | |||
33 | #protocol unix,inet,inet6,netlink,packet | 33 | #protocol unix,inet,inet6,netlink,packet |
34 | #seccomp | 34 | #seccomp |
35 | 35 | ||
@@ -38,7 +38,4 @@ disable-mnt | |||
38 | private-cache | 38 | private-cache |
39 | #private-bin tshark | 39 | #private-bin tshark |
40 | private-dev | 40 | private-dev |
41 | #private-etc | ||
42 | private-tmp | 41 | private-tmp |
43 | |||
44 | # memory-deny-write-execute | ||
diff --git a/etc/tuxguitar.profile b/etc/tuxguitar.profile index 3111a1e22..ae868a022 100644 --- a/etc/tuxguitar.profile +++ b/etc/tuxguitar.profile | |||
@@ -6,7 +6,6 @@ include tuxguitar.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.java | ||
10 | noblacklist ${HOME}/.tuxguitar* | 9 | noblacklist ${HOME}/.tuxguitar* |
11 | noblacklist ${DOCUMENTS} | 10 | noblacklist ${DOCUMENTS} |
12 | noblacklist ${MUSIC} | 11 | noblacklist ${MUSIC} |
diff --git a/etc/unbound.profile b/etc/unbound.profile index 8e7a4a8a8..e152ee7ea 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile | |||
@@ -29,12 +29,12 @@ nosound | |||
29 | notv | 29 | notv |
30 | nou2f | 30 | nou2f |
31 | novideo | 31 | novideo |
32 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open | 32 | seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice |
33 | writable-var | ||
34 | 33 | ||
35 | disable-mnt | 34 | disable-mnt |
36 | private | 35 | private |
37 | private-dev | 36 | private-dev |
37 | writable-var | ||
38 | 38 | ||
39 | # mdwe can break modules/plugins | 39 | # mdwe can break modules/plugins |
40 | memory-deny-write-execute | 40 | memory-deny-write-execute |
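Review bot: The sorted seccomp.drop list on new line 32 still contains `perf_event_open` twice (it was duplicated before the sort too, but alphabetical order now puts the copies side by side). Harmless for seccomp, but it should be deduplicated to `...,open_by_handle_at,perf_event_open,pivot_root,...` so the list reads as the intended set. Moving `writable-var` below private-dev on new line 37 only changes ordering.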
diff --git a/etc/unknown-horizons.profile b/etc/unknown-horizons.profile index 36d1319d1..b62d3111d 100644 --- a/etc/unknown-horizons.profile +++ b/etc/unknown-horizons.profile | |||
@@ -23,11 +23,11 @@ nonewprivs | |||
23 | noroot | 23 | noroot |
24 | notv | 24 | notv |
25 | nou2f | 25 | nou2f |
26 | protocol unix,netlink,inet,inet6 | 26 | protocol unix,inet,inet6,netlink |
27 | seccomp | 27 | seccomp |
28 | shell none | 28 | shell none |
29 | 29 | ||
30 | # private-bin unknown-horizons | 30 | # private-bin unknown-horizons |
31 | private-dev | 31 | private-dev |
32 | # private-etc alternatives,ca-certificates,ssl,pki,crypto-policies | 32 | # private-etc alternatives,ca-certificates,crypto-policies,pki,ssl |
33 | private-tmp | 33 | private-tmp |
diff --git a/etc/waterfox.profile b/etc/waterfox.profile index 3dc21958d..b8ee67ae0 100644 --- a/etc/waterfox.profile +++ b/etc/waterfox.profile | |||
@@ -20,7 +20,7 @@ whitelist ${HOME}/.mozilla | |||
20 | whitelist ${HOME}/.waterfox | 20 | whitelist ${HOME}/.waterfox |
21 | 21 | ||
22 | # waterfox requires a shell to launch on Arch. We can possibly remove sh though. | 22 | # waterfox requires a shell to launch on Arch. We can possibly remove sh though. |
23 | #private-bin waterfox,which,sh,dbus-launch,dbus-send,env,bash | 23 | #private-bin bash,dbus-launch,dbus-send,env,sh,waterfox,which |
24 | # private-etc must first be enabled in firefox-common.profile | 24 | # private-etc must first be enabled in firefox-common.profile |
25 | #private-etc waterfox | 25 | #private-etc waterfox |
26 | 26 | ||
diff --git a/etc/webstorm.profile b/etc/webstorm.profile index b97ea8d2f..e820bae00 100644 --- a/etc/webstorm.profile +++ b/etc/webstorm.profile | |||
@@ -11,7 +11,6 @@ noblacklist ${HOME}/.config/git | |||
11 | noblacklist ${HOME}/.gitconfig | 11 | noblacklist ${HOME}/.gitconfig |
12 | noblacklist ${HOME}/.git-credentials | 12 | noblacklist ${HOME}/.git-credentials |
13 | noblacklist ${HOME}/.gradle | 13 | noblacklist ${HOME}/.gradle |
14 | noblacklist ${HOME}/.java | ||
15 | noblacklist ${HOME}/.local/share/JetBrains | 14 | noblacklist ${HOME}/.local/share/JetBrains |
16 | noblacklist ${HOME}/.ssh | 15 | noblacklist ${HOME}/.ssh |
17 | noblacklist ${HOME}/.tooling | 16 | noblacklist ${HOME}/.tooling |
diff --git a/etc/wget.profile b/etc/wget.profile index ff10b2316..2d5c0c4d6 100644 --- a/etc/wget.profile +++ b/etc/wget.profile | |||
@@ -36,6 +36,6 @@ shell none | |||
36 | 36 | ||
37 | # private-bin wget | 37 | # private-bin wget |
38 | private-dev | 38 | private-dev |
39 | # private-etc alternatives,resolv.conf,ca-certificates,ssl,pki,crypto-policies | 39 | # private-etc alternatives,ca-certificates,crypto-policie,pki,resolv.conf,ssl |
40 | # private-tmp | 40 | # private-tmp |
41 | 41 | ||
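Review bot: New line 39 misspells `crypto-policies` as `crypto-policie`, so the reordered list is not a pure reorder. The line is commented out today, but anyone uncommenting it would get a sandbox without /etc/crypto-policies and TLS failures that are hard to trace back here. Change it to `# private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl`.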
diff --git a/etc/wireshark.profile b/etc/wireshark.profile index b44eae128..58ff93750 100644 --- a/etc/wireshark.profile +++ b/etc/wireshark.profile | |||
@@ -43,6 +43,6 @@ tracelog | |||
43 | 43 | ||
44 | # private-bin wireshark | 44 | # private-bin wireshark |
45 | private-dev | 45 | private-dev |
46 | # private-etc alternatives,fonts,group,hosts,machine-id,passwd,ca-certificates,ssl,pki,crypto-policies | 46 | # private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,ssl |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
diff --git a/etc/xed.profile b/etc/xed.profile index 9a7806b19..2ee299b9a 100644 --- a/etc/xed.profile +++ b/etc/xed.profile | |||
@@ -42,7 +42,6 @@ tracelog | |||
42 | 42 | ||
43 | private-bin xed | 43 | private-bin xed |
44 | private-dev | 44 | private-dev |
45 | # private-etc alternatives,fonts | ||
46 | private-tmp | 45 | private-tmp |
47 | 46 | ||
48 | # xed uses python plugins, memory-deny-write-execute breaks python | 47 | # xed uses python plugins, memory-deny-write-execute breaks python |
diff --git a/etc/xfburn.profile b/etc/xfburn.profile index 1cb7f568a..cd9561e74 100644 --- a/etc/xfburn.profile +++ b/etc/xfburn.profile | |||
@@ -29,5 +29,4 @@ tracelog | |||
29 | 29 | ||
30 | # private-bin xfburn | 30 | # private-bin xfburn |
31 | # private-dev | 31 | # private-dev |
32 | # private-etc alternatives,fonts | ||
33 | # private-tmp | 32 | # private-tmp |
diff --git a/etc/xplayer.profile b/etc/xplayer.profile index 5f4e3bf4c..325ce7627 100644 --- a/etc/xplayer.profile +++ b/etc/xplayer.profile | |||
@@ -39,6 +39,6 @@ tracelog | |||
39 | 39 | ||
40 | private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer | 40 | private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer |
41 | private-dev | 41 | private-dev |
42 | # private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies | 42 | # private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl |
43 | private-tmp | 43 | private-tmp |
44 | 44 | ||
diff --git a/etc/xpra.profile b/etc/xpra.profile index dc8d7a665..6f66b9300 100644 --- a/etc/xpra.profile +++ b/etc/xpra.profile | |||
@@ -47,7 +47,7 @@ disable-mnt | |||
47 | # private home directory doesn't work on some distros, so we go for a regular home | 47 | # private home directory doesn't work on some distros, so we go for a regular home |
48 | # private | 48 | # private |
49 | # older Xpra versions also use Xvfb | 49 | # older Xpra versions also use Xvfb |
50 | # private-bin xpra,python*,Xvfb,Xorg,sh,xkbcomp,xauth,dbus-launch,pactl,ldconfig,which,strace,bash,cat,ls | 50 | # private-bin bash,cat,dbus-launch,ldconfig,ls,pactl,python*,sh,strace,which,xauth,xkbcomp,Xorg,xpra,Xvfb |
51 | private-dev | 51 | private-dev |
52 | # private-etc alternatives,ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11 | 52 | # private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,nsswitch.conf,resolv.conf,X11,xpra |
53 | private-tmp | 53 | private-tmp |
diff --git a/etc/xviewer.profile b/etc/xviewer.profile index b483e9404..b09bf8ab1 100644 --- a/etc/xviewer.profile +++ b/etc/xviewer.profile | |||
@@ -39,7 +39,6 @@ tracelog | |||
39 | 39 | ||
40 | private-bin xviewer | 40 | private-bin xviewer |
41 | private-dev | 41 | private-dev |
42 | #private-etc alternatives,fonts | ||
43 | private-lib | 42 | private-lib |
44 | private-tmp | 43 | private-tmp |
45 | 44 | ||
diff --git a/etc/zaproxy.profile b/etc/zaproxy.profile index 0598ea18d..6228ff3bd 100644 --- a/etc/zaproxy.profile +++ b/etc/zaproxy.profile | |||
@@ -6,7 +6,6 @@ include zaproxy.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.java | ||
10 | noblacklist ${HOME}/.ZAP | 9 | noblacklist ${HOME}/.ZAP |
11 | 10 | ||
12 | # Allow java (blacklisted by disable-devel.inc) | 11 | # Allow java (blacklisted by disable-devel.inc) |
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 3273eb8e7..b4efa3add 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -475,6 +475,7 @@ redshift | |||
475 | regextester | 475 | regextester |
476 | remmina | 476 | remmina |
477 | rhythmbox | 477 | rhythmbox |
478 | rhythmbox-client | ||
478 | ricochet | 479 | ricochet |
479 | riot-desktop | 480 | riot-desktop |
480 | riot-web | 481 | riot-web |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index fd6cb9ff2..912a1864a 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -364,16 +364,23 @@ void preproc_mount_mnt_dir(void); | |||
364 | void preproc_clean_run(void); | 364 | void preproc_clean_run(void); |
365 | 365 | ||
366 | // fs.c | 366 | // fs.c |
367 | typedef enum { | ||
368 | BLACKLIST_FILE, | ||
369 | BLACKLIST_NOLOG, | ||
370 | MOUNT_READONLY, | ||
371 | MOUNT_TMPFS, | ||
372 | MOUNT_NOEXEC, | ||
373 | MOUNT_RDWR, | ||
374 | OPERATION_MAX | ||
375 | } OPERATION; | ||
376 | |||
367 | // blacklist files or directories by mounting empty files on top of them | 377 | // blacklist files or directories by mounting empty files on top of them |
368 | void fs_blacklist(void); | 378 | void fs_blacklist(void); |
369 | // mount a writable tmpfs | 379 | // mount a writable tmpfs |
370 | void fs_tmpfs(const char *dir, unsigned check_owner); | 380 | void fs_tmpfs(const char *dir, unsigned check_owner); |
371 | // remount a directory read-only | 381 | // remount noexec/nodev/nosuid or read-only or read-write |
372 | void fs_rdonly(const char *dir); | 382 | void fs_remount(const char *dir, OPERATION op); |
373 | void fs_rdonly_rec(const char *dir); | 383 | void fs_remount_rec(const char *dir, OPERATION op); |
374 | // remount a directory noexec, nodev and nosuid | ||
375 | void fs_noexec(const char *dir); | ||
376 | void fs_noexec_rec(const char *dir); | ||
377 | // mount /proc and /sys directories | 384 | // mount /proc and /sys directories |
378 | void fs_proc_sys_dev_boot(void); | 385 | void fs_proc_sys_dev_boot(void); |
379 | // build a basic read-only filesystem | 386 | // build a basic read-only filesystem |
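Review bot: The comment above `fs_remount` on new line 381 says it remounts noexec/nodev/nosuid, read-only or read-write, but the prototype takes the whole `OPERATION` enum, which also carries BLACKLIST_FILE, BLACKLIST_NOLOG, MOUNT_TMPFS and OPERATION_MAX, and the header does not say what the function does with those. Name the accepted values in the comment, e.g. `// remount dir as noexec/nodev/nosuid (MOUNT_NOEXEC), read-only (MOUNT_READONLY) or read-write (MOUNT_RDWR); other OPERATION values are not valid here`, and consider an assert on `op` in the implementation. The only caller visible on this page, disable_file in fs.c, gates the call with `op == MOUNT_READONLY | op == MOUNT_RDWR | op == MOUNT_NOEXEC` (bitwise `|`); it works because each comparison yields 0 or 1, but `||` is the intended operator and reads as such.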
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index f3ef97aeb..d94f6a121 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -39,24 +39,17 @@ | |||
39 | //#define TEST_NO_BLACKLIST_MATCHING | 39 | //#define TEST_NO_BLACKLIST_MATCHING |
40 | 40 | ||
41 | 41 | ||
42 | static int mount_warning = 0; | ||
43 | static void fs_rdwr(const char *dir); | ||
44 | static void fs_rdwr_rec(const char *dir); | ||
45 | |||
46 | |||
47 | |||
48 | //*********************************************** | 42 | //*********************************************** |
49 | // process profile file | 43 | // process profile file |
50 | //*********************************************** | 44 | //*********************************************** |
51 | typedef enum { | 45 | static char *opstr[] = { |
52 | BLACKLIST_FILE, | 46 | [BLACKLIST_FILE] = "blacklist", |
53 | BLACKLIST_NOLOG, | 47 | [BLACKLIST_NOLOG] = "blacklist-nolog", |
54 | MOUNT_READONLY, | 48 | [MOUNT_READONLY] = "read-only", |
55 | MOUNT_TMPFS, | 49 | [MOUNT_TMPFS] = "tmpfs", |
56 | MOUNT_NOEXEC, | 50 | [MOUNT_NOEXEC] = "noexec", |
57 | MOUNT_RDWR, | 51 | [MOUNT_RDWR] = "read-write", |
58 | OPERATION_MAX | 52 | }; |
59 | } OPERATION; | ||
60 | 53 | ||
61 | typedef enum { | 54 | typedef enum { |
62 | UNSUCCESSFUL, | 55 | UNSUCCESSFUL, |
@@ -153,17 +146,9 @@ static void disable_file(OPERATION op, const char *filename) { | |||
153 | fs_logger2("blacklist-nolog", fname); | 146 | fs_logger2("blacklist-nolog", fname); |
154 | } | 147 | } |
155 | } | 148 | } |
156 | else if (op == MOUNT_READONLY) { | 149 | else if (op == MOUNT_READONLY | op == MOUNT_RDWR | op == MOUNT_NOEXEC) { |
157 | fs_rdonly_rec(fname); | 150 | fs_remount_rec(fname, op); |
158 | // todo: last_disable = SUCCESSFUL; | 151 | // todo: last_disable = SUCCESSFUL; |
159 | } | ||
160 | else if (op == MOUNT_RDWR) { | ||
161 | fs_rdwr_rec(fname); | ||
162 | // todo: last_disable = SUCCESSFUL; | ||
163 | } | ||
164 | else if (op == MOUNT_NOEXEC) { | ||
165 | fs_noexec_rec(fname); | ||
166 | // todo: last_disable = SUCCESSFUL; | ||
167 | } | 152 | } |
168 | else if (op == MOUNT_TMPFS) { | 153 | else if (op == MOUNT_TMPFS) { |
169 | if (S_ISDIR(s.st_mode)) { | 154 | if (S_ISDIR(s.st_mode)) { |
@@ -493,145 +478,58 @@ void fs_tmpfs(const char *dir, unsigned check_owner) { | |||
493 | close(fd); | 478 | close(fd); |
494 | } | 479 | } |
495 | 480 | ||
496 | // remount directory read-only | 481 | void fs_remount(const char *dir, OPERATION op) { |
497 | void fs_rdonly(const char *dir) { | ||
498 | assert(dir); | 482 | assert(dir); |
499 | // check directory exists | 483 | // check directory exists |
500 | struct stat s; | 484 | struct stat s; |
501 | int rv = stat(dir, &s); | 485 | int rv = stat(dir, &s); |
502 | if (rv == 0) { | 486 | if (rv == 0) { |
503 | unsigned long flags = 0; | 487 | unsigned long flags = 0; |
504 | get_mount_flags(dir, &flags); | 488 | if (get_mount_flags(dir, &flags) != 0) { |
505 | if ((flags & MS_RDONLY) == MS_RDONLY) | 489 | fwarning("cannot remount %s\n", dir); |
506 | return; | 490 | return; |
507 | flags |= MS_RDONLY; | ||
508 | if (arg_debug) | ||
509 | printf("Mounting read-only %s\n", dir); | ||
510 | // mount --bind /bin /bin | ||
511 | // mount --bind -o remount,ro /bin | ||
512 | if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || | ||
513 | mount(NULL, dir, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0) | ||
514 | errExit("mount read-only"); | ||
515 | fs_logger2("read-only", dir); | ||
516 | } | ||
517 | } | ||
518 | |||
519 | // remount directory read-only recursively | ||
520 | void fs_rdonly_rec(const char *dir) { | ||
521 | assert(dir); | ||
522 | // get mount point of the directory | ||
523 | int mountid = get_mount_id(dir); | ||
524 | if (mountid == -1) | ||
525 | return; | ||
526 | if (mountid == -2) { | ||
527 | // falling back to a simple remount on old kernels | ||
528 | if (!mount_warning) { | ||
529 | fwarning("read-only, read-write and noexec options are not applied recursively\n"); | ||
530 | mount_warning = 1; | ||
531 | } | 491 | } |
532 | fs_rdonly(dir); | 492 | if (op == MOUNT_RDWR) { |
533 | return; | 493 | // allow only user owned directories, except the user is root |
534 | } | 494 | if (getuid() != 0 && s.st_uid != getuid()) { |
535 | // build array with all mount points that need to get remounted | 495 | fwarning("you are not allowed to change %s to read-write\n", dir); |
536 | char **arr = build_mount_array(mountid, dir); | 496 | return; |
537 | assert(arr); | 497 | } |
538 | // remount | 498 | if ((flags & MS_RDONLY) == 0) |
539 | char **tmp = arr; | 499 | return; |
540 | while (*tmp) { | 500 | flags &= ~MS_RDONLY; |
541 | fs_rdonly(*tmp); | ||
542 | free(*tmp++); | ||
543 | } | ||
544 | free(arr); | ||
545 | } | ||
546 | |||
547 | // remount directory read-write | ||
548 | static void fs_rdwr(const char *dir) { | ||
549 | assert(dir); | ||
550 | // check directory exists | ||
551 | struct stat s; | ||
552 | int rv = stat(dir, &s); | ||
553 | if (rv == 0) { | ||
554 | // allow only user owned directories, except the user is root | ||
555 | uid_t u = getuid(); | ||
556 | if (u != 0 && s.st_uid != u) { | ||
557 | fwarning("you are not allowed to change %s to read-write\n", dir); | ||
558 | return; | ||
559 | } | 501 | } |
560 | unsigned long flags = 0; | 502 | else if (op == MOUNT_NOEXEC) { |
561 | get_mount_flags(dir, &flags); | 503 | if ((flags & (MS_NOEXEC|MS_NODEV|MS_NOSUID)) == (MS_NOEXEC|MS_NODEV|MS_NOSUID)) |
562 | if ((flags & MS_RDONLY) == 0) | 504 | return; |
563 | return; | 505 | flags |= MS_NOEXEC|MS_NODEV|MS_NOSUID; |
564 | flags &= ~MS_RDONLY; | 506 | } |
507 | else if (op == MOUNT_READONLY) { | ||
508 | if ((flags & MS_RDONLY) == MS_RDONLY) | ||
509 | return; | ||
510 | flags |= MS_RDONLY; | ||
511 | } | ||
512 | else | ||
513 | assert(0); | ||
514 | |||
565 | if (arg_debug) | 515 | if (arg_debug) |
566 | printf("Mounting read-write %s\n", dir); | 516 | printf("Mounting %s %s\n", opstr[op], dir); |
567 | // mount --bind /bin /bin | 517 | // mount --bind /bin /bin |
568 | // mount --bind -o remount,rw /bin | 518 | // mount --bind -o remount,rw /bin |
569 | if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || | 519 | if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || |
570 | mount(NULL, dir, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0) | 520 | mount(NULL, dir, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0) |
571 | errExit("mount read-write"); | 521 | errExit("remounting"); |
572 | fs_logger2("read-write", dir); | ||
573 | // run a sanity check on /proc/self/mountinfo | 522 | // run a sanity check on /proc/self/mountinfo |
574 | MountData *mptr = get_last_mount(); | 523 | MountData *mptr = get_last_mount(); |
575 | size_t len = strlen(dir); | 524 | size_t len = strlen(dir); |
576 | if (strncmp(mptr->dir, dir, len) != 0 || | 525 | if (strncmp(mptr->dir, dir, len) != 0 || |
577 | (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/')) | 526 | (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/')) |
578 | errLogExit("invalid read-write mount"); | 527 | errLogExit("invalid %s mount", opstr[op]); |
579 | } | 528 | fs_logger2(opstr[op], dir); |
580 | } | ||
581 | |||
582 | // remount directory read-write recursively | ||
583 | static void fs_rdwr_rec(const char *dir) { | ||
584 | assert(dir); | ||
585 | // get mount point of the directory | ||
586 | int mountid = get_mount_id(dir); | ||
587 | if (mountid == -1) | ||
588 | return; | ||
589 | if (mountid == -2) { | ||
590 | // falling back to a simple remount on old kernels | ||
591 | if (!mount_warning) { | ||
592 | fwarning("read-only, read-write and noexec options are not applied recursively\n"); | ||
593 | mount_warning = 1; | ||
594 | } | ||
595 | fs_rdwr(dir); | ||
596 | return; | ||
597 | } | ||
598 | // build array with all mount points that need to get remounted | ||
599 | char **arr = build_mount_array(mountid, dir); | ||
600 | assert(arr); | ||
601 | // remount | ||
602 | char **tmp = arr; | ||
603 | while (*tmp) { | ||
604 | fs_rdwr(*tmp); | ||
605 | free(*tmp++); | ||
606 | } | ||
607 | free(arr); | ||
608 | } | ||
609 | |||
610 | // remount directory noexec, nodev, nosuid | ||
611 | void fs_noexec(const char *dir) { | ||
612 | assert(dir); | ||
613 | // check directory exists | ||
614 | struct stat s; | ||
615 | int rv = stat(dir, &s); | ||
616 | if (rv == 0) { | ||
617 | unsigned long flags = 0; | ||
618 | get_mount_flags(dir, &flags); | ||
619 | if ((flags & (MS_NOEXEC|MS_NODEV|MS_NOSUID)) == (MS_NOEXEC|MS_NODEV|MS_NOSUID)) | ||
620 | return; | ||
621 | flags |= MS_NOEXEC|MS_NODEV|MS_NOSUID; | ||
622 | if (arg_debug) | ||
623 | printf("Mounting noexec %s\n", dir); | ||
624 | // mount --bind /bin /bin | ||
625 | // mount --bind -o remount,noexec /bin | ||
626 | if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || | ||
627 | mount(NULL, dir, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0) | ||
628 | errExit("mount noexec"); | ||
629 | fs_logger2("noexec", dir); | ||
630 | } | 529 | } |
631 | } | 530 | } |
632 | 531 | ||
633 | // remount directory noexec, nodev, nosuid recursively | 532 | void fs_remount_rec(const char *dir, OPERATION op) { |
634 | void fs_noexec_rec(const char *dir) { | ||
635 | assert(dir); | 533 | assert(dir); |
636 | // get mount point of the directory | 534 | // get mount point of the directory |
637 | int mountid = get_mount_id(dir); | 535 | int mountid = get_mount_id(dir); |
@@ -639,11 +537,12 @@ void fs_noexec_rec(const char *dir) { | |||
639 | return; | 537 | return; |
640 | if (mountid == -2) { | 538 | if (mountid == -2) { |
641 | // falling back to a simple remount on old kernels | 539 | // falling back to a simple remount on old kernels |
540 | static int mount_warning = 0; | ||
642 | if (!mount_warning) { | 541 | if (!mount_warning) { |
643 | fwarning("read-only, read-write and noexec options are not applied recursively\n"); | 542 | fwarning("read-only, read-write and noexec options are not applied recursively\n"); |
644 | mount_warning = 1; | 543 | mount_warning = 1; |
645 | } | 544 | } |
646 | fs_noexec(dir); | 545 | fs_remount(dir, op); |
647 | return; | 546 | return; |
648 | } | 547 | } |
649 | // build array with all mount points that need to get remounted | 548 | // build array with all mount points that need to get remounted |
@@ -652,7 +551,7 @@ void fs_noexec_rec(const char *dir) { | |||
652 | // remount | 551 | // remount |
653 | char **tmp = arr; | 552 | char **tmp = arr; |
654 | while (*tmp) { | 553 | while (*tmp) { |
655 | fs_noexec(*tmp); | 554 | fs_remount(*tmp, op); |
656 | free(*tmp++); | 555 | free(*tmp++); |
657 | } | 556 | } |
658 | free(arr); | 557 | free(arr); |
@@ -827,22 +726,22 @@ void fs_basic_fs(void) { | |||
827 | if (arg_debug) | 726 | if (arg_debug) |
828 | printf("Basic read-only filesystem:\n"); | 727 | printf("Basic read-only filesystem:\n"); |
829 | if (!arg_writable_etc) { | 728 | if (!arg_writable_etc) { |
830 | fs_rdonly("/etc"); | 729 | fs_remount("/etc", MOUNT_READONLY); |
831 | if (uid) | 730 | if (uid) |
832 | fs_noexec("/etc"); | 731 | fs_remount("/etc", MOUNT_NOEXEC); |
833 | } | 732 | } |
834 | if (!arg_writable_var) { | 733 | if (!arg_writable_var) { |
835 | fs_rdonly("/var"); | 734 | fs_remount("/var", MOUNT_READONLY); |
836 | if (uid) | 735 | if (uid) |
837 | fs_noexec("/var"); | 736 | fs_remount("/var", MOUNT_NOEXEC); |
838 | } | 737 | } |
839 | fs_rdonly("/bin"); | 738 | fs_remount("/bin", MOUNT_READONLY); |
840 | fs_rdonly("/sbin"); | 739 | fs_remount("/sbin", MOUNT_READONLY); |
841 | fs_rdonly("/lib"); | 740 | fs_remount("/lib", MOUNT_READONLY); |
842 | fs_rdonly("/lib64"); | 741 | fs_remount("/lib64", MOUNT_READONLY); |
843 | fs_rdonly("/lib32"); | 742 | fs_remount("/lib32", MOUNT_READONLY); |
844 | fs_rdonly("/libx32"); | 743 | fs_remount("/libx32", MOUNT_READONLY); |
845 | fs_rdonly("/usr"); | 744 | fs_remount("/usr", MOUNT_READONLY); |
846 | 745 | ||
847 | // update /var directory in order to support multiple sandboxes running on the same root directory | 746 | // update /var directory in order to support multiple sandboxes running on the same root directory |
848 | fs_var_lock(); | 747 | fs_var_lock(); |
@@ -851,7 +750,7 @@ void fs_basic_fs(void) { | |||
851 | if (!arg_writable_var_log) | 750 | if (!arg_writable_var_log) |
852 | fs_var_log(); | 751 | fs_var_log(); |
853 | else | 752 | else |
854 | fs_rdwr("/var/log"); | 753 | fs_remount("/var/log", MOUNT_RDWR); |
855 | 754 | ||
856 | fs_var_lib(); | 755 | fs_var_lib(); |
857 | fs_var_cache(); | 756 | fs_var_cache(); |
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index e3f237b8e..a62d123ae 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c | |||
@@ -88,7 +88,7 @@ void pulseaudio_init(void) { | |||
88 | if (mkdir(RUN_PULSE_DIR, 0700) == -1) | 88 | if (mkdir(RUN_PULSE_DIR, 0700) == -1) |
89 | errExit("mkdir"); | 89 | errExit("mkdir"); |
90 | // mount it nosuid, noexec, nodev | 90 | // mount it nosuid, noexec, nodev |
91 | fs_noexec(RUN_PULSE_DIR); | 91 | fs_remount(RUN_PULSE_DIR, MOUNT_NOEXEC); |
92 | 92 | ||
93 | // create the new client.conf file | 93 | // create the new client.conf file |
94 | char *pulsecfg = NULL; | 94 | char *pulsecfg = NULL; |
@@ -155,7 +155,7 @@ void pulseaudio_init(void) { | |||
155 | if (fstatvfs(fd, &vfs) == -1) | 155 | if (fstatvfs(fd, &vfs) == -1) |
156 | errExit("fstatvfs"); | 156 | errExit("fstatvfs"); |
157 | if ((vfs.f_flag & MS_RDONLY) == MS_RDONLY) | 157 | if ((vfs.f_flag & MS_RDONLY) == MS_RDONLY) |
158 | fs_rdonly(RUN_PULSE_DIR); | 158 | fs_remount(RUN_PULSE_DIR, MOUNT_READONLY); |
159 | // mount via the link in /proc/self/fd | 159 | // mount via the link in /proc/self/fd |
160 | char *proc; | 160 | char *proc; |
161 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | 161 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) |
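Review bot: The switch to `fs_remount(RUN_PULSE_DIR, MOUNT_NOEXEC)` at line 91 weakens the hardening on one failure path: the replacement `fs_remount` introduced by this commit (see the fs.c hunks) warns with `cannot remount` and returns when `get_mount_flags` fails, whereas the old `fs_noexec` ignored that return value and still applied `MS_NOEXEC|MS_NODEV|MS_NOSUID` on top of a zeroed `flags` (presumably `get_mount_flags` leaves it untouched on failure; not verifiable here). Because `fs_remount` returns void, `pulseaudio_init` cannot tell that the directory it just created with `mkdir(RUN_PULSE_DIR, 0700)` was left without those flags. For a path firejail creates itself a failed lookup is unexpected and arguably should be fatal on the fs.c side; at minimum the comment should record the new best-effort semantics, e.g. `// mount it nosuid, noexec, nodev (best effort: fs_remount only warns if the mount flags cannot be read)`. `pulseaudio_init` starts before and continues past this section.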
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 2c5c5fc12..0c08a76c6 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -1106,7 +1106,7 @@ int sandbox(void* sandbox_arg) { | |||
1106 | (void) rv; | 1106 | (void) rv; |
1107 | } | 1107 | } |
1108 | // make seccomp filters read-only | 1108 | // make seccomp filters read-only |
1109 | fs_rdonly(RUN_SECCOMP_DIR); | 1109 | fs_remount(RUN_SECCOMP_DIR, MOUNT_READONLY); |
1110 | #endif | 1110 | #endif |
1111 | 1111 | ||
1112 | // set capabilities | 1112 | // set capabilities |
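Review bot: `fs_remount(RUN_SECCOMP_DIR, MOUNT_READONLY)` at line 1109 turns a hardening step into a best-effort one without the caller noticing: the new `fs_remount` from this commit warns and returns when `get_mount_flags` fails, while the old `fs_rdonly` ignored that result and remounted anyway, and since the function is void `sandbox()` cannot react to the skipped remount. If the filter files under RUN_SECCOMP_DIR are read again after this point, which I cannot confirm from this hunk, a directory left writable would let the sandboxed process alter them. Consider failing closed here, either by making the fs.c lookup failure an `errExit` for paths firejail owns, or by documenting the behaviour at the call site: `// make seccomp filters read-only (fs_remount only warns if the mount flags cannot be read)`. The enclosing `sandbox()` and its `#ifdef` block start before this section.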
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 9d821d980..7cfc5b683 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
@@ -1169,7 +1169,7 @@ void x11_xorg(void) { | |||
1169 | umount("/tmp"); | 1169 | umount("/tmp"); |
1170 | 1170 | ||
1171 | // remount RUN_XAUTHORITY_SEC_FILE noexec, nodev, nosuid | 1171 | // remount RUN_XAUTHORITY_SEC_FILE noexec, nodev, nosuid |
1172 | fs_noexec(RUN_XAUTHORITY_SEC_FILE); | 1172 | fs_remount(RUN_XAUTHORITY_SEC_FILE, MOUNT_NOEXEC); |
1173 | 1173 | ||
1174 | // Ensure there is already a file in the usual location, so that bind-mount below will work. | 1174 | // Ensure there is already a file in the usual location, so that bind-mount below will work. |
1175 | char *dest; | 1175 | char *dest; |
@@ -1202,7 +1202,7 @@ void x11_xorg(void) { | |||
1202 | if (fstatvfs(fd, &vfs) == -1) | 1202 | if (fstatvfs(fd, &vfs) == -1) |
1203 | errExit("fstatvfs"); | 1203 | errExit("fstatvfs"); |
1204 | if ((vfs.f_flag & MS_RDONLY) == MS_RDONLY) | 1204 | if ((vfs.f_flag & MS_RDONLY) == MS_RDONLY) |
1205 | fs_rdonly(RUN_XAUTHORITY_SEC_FILE); | 1205 | fs_remount(RUN_XAUTHORITY_SEC_FILE, MOUNT_READONLY); |
1206 | 1206 | ||
1207 | // mount via the link in /proc/self/fd | 1207 | // mount via the link in /proc/self/fd |
1208 | char *proc; | 1208 | char *proc; |