-rw-r--r-- | README | 10 | ||||
-rw-r--r-- | etc/inc/disable-common.inc | 13 | ||||
-rw-r--r-- | etc/inc/disable-programs.inc | 1 | ||||
-rw-r--r-- | etc/profile-a-l/curl.profile | 6 | ||||
-rw-r--r-- | etc/profile-a-l/drill.profile | 56 | ||||
-rw-r--r-- | etc/profile-m-z/playonlinux.profile | 25 | ||||
-rw-r--r-- | etc/profile-m-z/server.profile | 20 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 1 |
8 files changed, 103 insertions, 29 deletions
@@ -252,12 +252,14 @@ Danil Semelenov (https://github.com/sgtpep) | |||
252 | Dara Adib (https://github.com/daradib) | 252 | Dara Adib (https://github.com/daradib) |
253 | - ssh profile fix | 253 | - ssh profile fix |
254 | - evince profile fix | 254 | - evince profile fix |
255 | - linphone profile fix | ||
255 | Dario Pellegrini (https://github.com/dpellegr) | 256 | Dario Pellegrini (https://github.com/dpellegr) |
256 | - allowing links in netns | 257 | - allowing links in netns |
257 | David Thole (https://github.com/TheDarkTrumpet) | 258 | David Thole (https://github.com/TheDarkTrumpet) |
258 | - added profile for teams-for-linux | 259 | - added profile for teams-for-linux |
259 | Davide Beatrici (https://github.com/davidebeatrici) | 260 | Davide Beatrici (https://github.com/davidebeatrici) |
260 | - steam.profile: correctly blacklist unneeded directories in user's home | 261 | - steam.profile: correctly blacklist unneeded directories in user's home |
262 | - minetest fixes | ||
261 | David Hyrule (https://github.com/Svaag) | 263 | David Hyrule (https://github.com/Svaag) |
262 | - remove nou2f in ssh profile | 264 | - remove nou2f in ssh profile |
263 | Deelvesh Bunjun (https://github.com/DeelveshBunjun) | 265 | Deelvesh Bunjun (https://github.com/DeelveshBunjun) |
@@ -515,6 +517,8 @@ KellerFuchs (https://github.com/KellerFuchs) | |||
515 | - added support for .local profile files in /etc/firejail | 517 | - added support for .local profile files in /etc/firejail |
516 | - fixed Cryptocat profile | 518 | - fixed Cryptocat profile |
517 | - make ~/.local read-only | 519 | - make ~/.local read-only |
520 | Kelvin (https://github.com/kmk3) | ||
521 | - disable ldns utilities | ||
518 | Kishore96in (https://github.com/Kishore96in) | 522 | Kishore96in (https://github.com/Kishore96in) |
519 | - added falkon profile | 523 | - added falkon profile |
520 | - kxmlgui fixes | 524 | - kxmlgui fixes |
@@ -546,6 +550,7 @@ Liorst4 (https://github.com/Liorst4) | |||
546 | - Preserve CFLAGS given to configure in common.mk.in | 550 | - Preserve CFLAGS given to configure in common.mk.in |
547 | - fix emacs config to load as read-write | 551 | - fix emacs config to load as read-write |
548 | - disable browser drm by default | 552 | - disable browser drm by default |
553 | - minetest fixes | ||
549 | Lockdis (https://github.com/Lockdis) | 554 | Lockdis (https://github.com/Lockdis) |
550 | - Added crow, nyx, and google-earth-pro profiles | 555 | - Added crow, nyx, and google-earth-pro profiles |
551 | Lukáš Krejčí (https://github.com/lskrejci) | 556 | Lukáš Krejčí (https://github.com/lskrejci) |
@@ -604,6 +609,7 @@ Neo00001 (https://github.com/Neo00001) | |||
604 | - add vmware profile | 609 | - add vmware profile |
605 | - update virtualbox profile | 610 | - update virtualbox profile |
606 | - update telegram profile | 611 | - update telegram profile |
612 | - add spectacle profile | ||
607 | Nick Fox (https://github.com/njfox) | 613 | Nick Fox (https://github.com/njfox) |
608 | - add a profile alias for code-oss | 614 | - add a profile alias for code-oss |
609 | - add code-oss config directory | 615 | - add code-oss config directory |
@@ -701,6 +707,8 @@ Rahiel Kasim (https://github.com/rahiel) | |||
701 | - added telegram-desktop profile | 707 | - added telegram-desktop profile |
702 | Rahul Golam (https://github.com/technoLord) | 708 | Rahul Golam (https://github.com/technoLord) |
703 | - strings profile | 709 | - strings profile |
710 | RandomVoid (https://github.com/RandomVoid) | ||
711 | - fix building C# projects in Godot | ||
704 | Raphaël Droz (https://github.com/drzraf) | 712 | Raphaël Droz (https://github.com/drzraf) |
705 | - zoom profile fixes | 713 | - zoom profile fixes |
706 | Reiner Herrmann (https://github.com/reinerh) | 714 | Reiner Herrmann (https://github.com/reinerh) |
@@ -953,6 +961,8 @@ Vladimir Schowalter (https://github.com/VladimirSchowalter20) | |||
953 | read-only kde5 services directory | 961 | read-only kde5 services directory |
954 | xee5ch (https://github.com/xee5ch) | 962 | xee5ch (https://github.com/xee5ch) |
955 | - skypeforlinux profile | 963 | - skypeforlinux profile |
964 | Ypnose (https://github.com/Ypnose) | ||
965 | - disable-shell.inc: add mksh shell | ||
956 | yumkam (https://github.com/yumkam) | 966 | yumkam (https://github.com/yumkam) |
957 | - add compile-time option to restrict --net= to root only | 967 | - add compile-time option to restrict --net= to root only |
958 | - man page fixes | 968 | - man page fixes |
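--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -515,18 +515,21 @@ blacklist /proc/config.gz
 # prevent DNS malware attempting to communicate with the server
 # using regular DNS tools
 blacklist ${PATH}/dig
-blacklist ${PATH}/kdig
-blacklist ${PATH}/nslookup
-blacklist ${PATH}/host
 blacklist ${PATH}/dlint
-blacklist ${PATH}/dnswalk
 blacklist ${PATH}/dns2tcp
+blacklist ${PATH}/dnswalk
+blacklist ${PATH}/drill
+blacklist ${PATH}/host
 blacklist ${PATH}/iodine
+blacklist ${PATH}/kdig
 blacklist ${PATH}/knsupdate
+blacklist ${PATH}/ldns-*
+blacklist ${PATH}/ldnsd
+blacklist ${PATH}/nslookup
 blacklist ${PATH}/resolvectl
 
 # rest of ${RUNUSER}
 blacklist ${RUNUSER}/*.lock
 blacklist ${RUNUSER}/inaccessible
-blacklist ${RUNUSER}/update-notifier.pid
 blacklist ${RUNUSER}/pk-debconf-socket
+blacklist ${RUNUSER}/update-notifier.pid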
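Review bot: `blacklist ${PATH}/ldns-*` is the one glob in an otherwise explicit list, and it will match every program with that prefix, not only the lookup tools the comment at the top of the block is about (the ldns-utils package also ships zone and key tools, if I remember it right). If the catch-all is intentional, say so beside it, e.g. `# ldns-* deliberately covers all ldns-utils binaries, not just lookup tools`; if not, name the lookup utilities explicitly as the rest of the block does. Since this hunk spends most of its lines re-sorting entries that were appended out of order, a `# keep this list sorted` line under the existing comment would stop the next addition from reintroducing that churn.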
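--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -430,6 +430,7 @@ blacklist ${HOME}/.config/Zulip
 blacklist ${HOME}/.conkeror.mozdev.org
 blacklist ${HOME}/.crawl
 blacklist ${HOME}/.cups
+blacklist ${HOME}/.curl-hsts
 blacklist ${HOME}/.curlrc
 blacklist ${HOME}/.dashcore
 blacklist ${HOME}/.devilspie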
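--- a/etc/profile-a-l/curl.profile
+++ b/etc/profile-a-l/curl.profile
@@ -7,6 +7,12 @@ include curl.local
 # Persistent global definitions
 include globals.local
 
+# curl 7.74.0 introduces experimental support for HSTS cache
+# https://daniel.haxx.se/blog/2020/11/03/hsts-your-curl/
+# technically this file can be anywhere but let's assume users have it in ${HOME}/.curl-hsts
+# if your setup diverts, add 'blacklist /path/to/curl/hsts/file' to your disable-programs.local
+# and 'noblacklist /path/to/curl/hsts/file' to curl.local to keep the sandbox logic intact
+noblacklist ${HOME}/.curl-hsts
 noblacklist ${HOME}/.curlrc
 
 blacklist /tmp/.X11-unix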
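Review bot: The new comment block is the only place the HSTS-file convention is documented, so its wording should be precise: `diverts` on the fourth added line should read `differs`, and the block should say that this noblacklist only does anything when curl is actually pointed at that file — as far as I recall curl has no default HSTS cache path and only uses one when given `--hsts <file>` or an `hsts = <file>` entry in ~/.curlrc. Because that cache is persistent, security-relevant state (it decides which hosts curl upgrades to HTTPS), a reader deciding between leaving it writable and adding `read-only ${HOME}/.curl-hsts` in curl.local should be told that curl needs write access to update it and that a compromised curl can therefore tamper with it too. Suggested wording for the third and fourth comment lines: `# curl has no default HSTS file; this path only matters if --hsts or an hsts= line in ~/.curlrc points at it` and `# if your setup differs, add 'blacklist /path/to/curl/hsts/file' to your disable-programs.local`.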
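--- /dev/null
+++ b/etc/profile-a-l/drill.profile
@@ -0,0 +1,56 @@
+# Firejail profile for drill
+# Description: DNS lookup utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include drill.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/drill
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+include disable-common.inc
+# include disable-devel.inc
+include disable-exec.inc
+# include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin bash,drill,sh
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute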
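Review bot: `private-bin bash,drill,sh` puts two shells into a sandbox whose only job is to run one DNS query binary, and `shell none` a few lines above already states that no shell is needed to launch it; unless drill is known to exec a shell (I am not aware of it doing so), `private-bin drill` is the tighter choice. The profile also leaves all of /etc visible while locking down everything else; drill needs little beyond resolver configuration, so a `private-etc alternatives,hosts,nsswitch.conf,resolv.conf` line (extended with whatever trust-anchor or root-hints files are passed via `-k`/`-r`) would match the rest of the hardening — test it first, since the exact set depends on the distro's libc and ldns build. Note also that `private` gives drill an empty home, so invocations like `drill -k ~/key.file` will not find their input; a comment next to `private` saying so, e.g. `# private: key/hints files must live outside ${HOME} (or be passed from drill.local)`, would pre-empt the bug reports.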
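--- a/etc/profile-m-z/playonlinux.profile
+++ b/etc/profile-m-z/playonlinux.profile
@@ -4,34 +4,17 @@
 # Persistent local customizations
 include playonlinux.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
-noblacklist ${HOME}/.Steam
-noblacklist ${HOME}/.local/share/Steam
-noblacklist ${HOME}/.local/share/steam
-noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.PlayOnLinux
 
 # nc is needed to run playonlinux
 noblacklist ${PATH}/nc
 
-# Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
-
-# Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
 
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-seccomp
+# Redirect
+include wine.profile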
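Review bot: Every hardening directive this hunk removes (caps.drop all, netfilter, nonewprivs, noroot, seccomp and the disable-*.inc includes) now has to come from wine.profile, which is outside this diff, so please confirm wine.profile still carries at least that set; otherwise the redirect quietly loosens the sandbox instead of deduplicating it. The ordering is right as written: the allow-python*.inc/allow-perl.inc and `noblacklist ${PATH}/nc` lines stay above `include wine.profile`, so they precede the disable-interpreters.inc/disable-common.inc blacklists that wine.profile presumably pulls in, and that dependency is worth stating explicitly since a future cleanup could move them. Suggested comment above the include: `# Redirect - the noblacklist/allow-*.inc lines above must stay before wine.profile's disable-*.inc includes`.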
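--- a/etc/profile-m-z/server.profile
+++ b/etc/profile-m-z/server.profile
@@ -45,10 +45,17 @@ include disable-common.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-# include disable-xdg.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
 
+# include whitelist-runuser-common.inc
+# include whitelist-usr-share-common.inc
+# include whitelist-var-common.inc
+
+apparmor
 caps
 # ipc-namespace
+machine-id
 # netfilter /etc/firejail/webserver.net
 no3d
 nodvd
@@ -59,19 +66,26 @@ nosound
 notv
 nou2f
 novideo
+# protocol unix,inet,inet6,netlink
 seccomp
 # shell none
 
-# disable-mnt
+disable-mnt
 private
 # private-bin program
 # private-cache
 private-dev
+# see /usr/share/doc/firejail/profile.template for more common private-etc paths.
 # private-etc alternatives
 # private-lib
+# private-opt none
 private-tmp
 
-# dbus-user none
+dbus-user none
 # dbus-system none
 
 # memory-deny-write-execute
+# read-only ${HOME}
+# writable-run-user
+# writable-var
+# writable-var-log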
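Review bot: The newly enabled `disable-mnt` in the second hunk and the new `include disable-write-mnt.inc` in the first overlap: disable-mnt blacklists /mnt, /media, /run/mount and /run/media outright, so a read-only restriction on the same directories never gets a chance to matter. That is harmless, but in a template people copy it reads as if both are required; either drop the include or comment it out next to the other optional includes with a note such as `# include disable-write-mnt.inc  # redundant while disable-mnt is enabled below`. A smaller point: `# protocol unix,inet,inet6,netlink` is added commented-out while seccomp is on, and since protocol filtering is the first thing a reviewer of a derived server profile will ask about, a short comment on why it stays off by default (daemons that need netlink or other families?) would help more than the bare commented line.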
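--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -180,6 +180,7 @@ dooble-qt4
 dosbox
 dragon
 drawio
+drill
 dropbox
 d-feet
 easystroke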