diff options
| -rw-r--r-- | .github/workflows/codeql-analysis.yml | 6 | ||||
| -rw-r--r-- | Makefile | 5 | ||||
| -rw-r--r-- | README.md | 2 | ||||
| -rw-r--r-- | etc/profile-a-l/audacity.profile | 3 | ||||
| -rw-r--r-- | etc/profile-a-l/gdu.profile | 46 | ||||
| -rw-r--r-- | etc/profile-m-z/makepkg.profile | 1 | ||||
| -rw-r--r-- | src/firecfg/firecfg.config | 1 |
7 files changed, 58 insertions, 6 deletions
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 4a09ad9d8..e5e86d8e0 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml | |||
| @@ -53,7 +53,7 @@ jobs: | |||
| 53 | 53 | ||
| 54 | # Initializes the CodeQL tools for scanning. | 54 | # Initializes the CodeQL tools for scanning. |
| 55 | - name: Initialize CodeQL | 55 | - name: Initialize CodeQL |
| 56 | uses: github/codeql-action/init@3e7e3b32d0fb8283594bb0a76cc60a00918b0969 | 56 | uses: github/codeql-action/init@2ca79b6fa8d3ec278944088b4aa5f46912db5d63 |
| 57 | with: | 57 | with: |
| 58 | languages: ${{ matrix.language }} | 58 | languages: ${{ matrix.language }} |
| 59 | # If you wish to specify custom queries, you can do so here or in a config file. | 59 | # If you wish to specify custom queries, you can do so here or in a config file. |
| @@ -64,7 +64,7 @@ jobs: | |||
| 64 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). | 64 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). |
| 65 | # If this step fails, then you should remove it and run the build manually (see below) | 65 | # If this step fails, then you should remove it and run the build manually (see below) |
| 66 | - name: Autobuild | 66 | - name: Autobuild |
| 67 | uses: github/codeql-action/autobuild@3e7e3b32d0fb8283594bb0a76cc60a00918b0969 | 67 | uses: github/codeql-action/autobuild@2ca79b6fa8d3ec278944088b4aa5f46912db5d63 |
| 68 | 68 | ||
| 69 | # âšī¸ Command-line programs to run using the OS shell. | 69 | # âšī¸ Command-line programs to run using the OS shell. |
| 70 | # đ https://git.io/JvXDl | 70 | # đ https://git.io/JvXDl |
| @@ -78,4 +78,4 @@ jobs: | |||
| 78 | # make release | 78 | # make release |
| 79 | 79 | ||
| 80 | - name: Perform CodeQL Analysis | 80 | - name: Perform CodeQL Analysis |
| 81 | uses: github/codeql-action/analyze@3e7e3b32d0fb8283594bb0a76cc60a00918b0969 | 81 | uses: github/codeql-action/analyze@2ca79b6fa8d3ec278944088b4aa5f46912db5d63 |
| @@ -179,8 +179,8 @@ uninstall: config.mk | |||
| 179 | rm -f $(DESTDIR)$(bindir)/firejail | 179 | rm -f $(DESTDIR)$(bindir)/firejail |
| 180 | rm -f $(DESTDIR)$(bindir)/firemon | 180 | rm -f $(DESTDIR)$(bindir)/firemon |
| 181 | rm -f $(DESTDIR)$(bindir)/firecfg | 181 | rm -f $(DESTDIR)$(bindir)/firecfg |
| 182 | rm -f $(DESTDIR)$(bindir)/jailcheck | ||
| 182 | rm -fr $(DESTDIR)$(libdir)/firejail | 183 | rm -fr $(DESTDIR)$(libdir)/firejail |
| 183 | rm -fr $(DESTDIR)$(libdir)/jailcheck | ||
| 184 | rm -fr $(DESTDIR)$(datarootdir)/doc/firejail | 184 | rm -fr $(DESTDIR)$(datarootdir)/doc/firejail |
| 185 | for man in $(MANPAGES); do \ | 185 | for man in $(MANPAGES); do \ |
| 186 | rm -f $(DESTDIR)$(mandir)/man5/$$man*; \ | 186 | rm -f $(DESTDIR)$(mandir)/man5/$$man*; \ |
| @@ -189,6 +189,9 @@ uninstall: config.mk | |||
| 189 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail | 189 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail |
| 190 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon | 190 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon |
| 191 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg | 191 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg |
| 192 | rm -f $(DESTDIR)$(datarootdir)/zsh/site-functions/_firejail | ||
| 193 | rm -f $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect/firejail.vim | ||
| 194 | rm -f $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax/firejail.vim | ||
| 192 | @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038." | 195 | @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038." |
| 193 | 196 | ||
| 194 | DISTFILES = \ | 197 | DISTFILES = \ |
| @@ -221,4 +221,4 @@ Stats: | |||
| 221 | 221 | ||
| 222 | ### New profiles: | 222 | ### New profiles: |
| 223 | 223 | ||
| 224 | onionshare, onionshare-cli, opera-developer, songrec | 224 | onionshare, onionshare-cli, opera-developer, songrec, gdu |
diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile index b517620db..2831fec72 100644 --- a/etc/profile-a-l/audacity.profile +++ b/etc/profile-a-l/audacity.profile | |||
| @@ -20,7 +20,8 @@ include disable-xdg.inc | |||
| 20 | 20 | ||
| 21 | include whitelist-var-common.inc | 21 | include whitelist-var-common.inc |
| 22 | 22 | ||
| 23 | apparmor | 23 | ## Enabling App Armor appears to break some Fedora / Arch installs |
| 24 | #apparmor | ||
| 24 | caps.drop all | 25 | caps.drop all |
| 25 | net none | 26 | net none |
| 26 | no3d | 27 | no3d |
diff --git a/etc/profile-a-l/gdu.profile b/etc/profile-a-l/gdu.profile new file mode 100644 index 000000000..783183bea --- /dev/null +++ b/etc/profile-a-l/gdu.profile | |||
| @@ -0,0 +1,46 @@ | |||
| 1 | # Firejail profile for gdu | ||
| 2 | # Description: Fast disk usage analyzer with console interface | ||
| 3 | # This file is overwritten after every install/update | ||
| 4 | quiet | ||
| 5 | # Persistent local customizations | ||
| 6 | include gdu.local | ||
| 7 | # Persistent global definitions | ||
| 8 | include globals.local | ||
| 9 | |||
| 10 | blacklist ${RUNUSER}/wayland-* | ||
| 11 | |||
| 12 | include disable-exec.inc | ||
| 13 | |||
| 14 | apparmor | ||
| 15 | caps.drop all | ||
| 16 | ipc-namespace | ||
| 17 | machine-id | ||
| 18 | net none | ||
| 19 | no3d | ||
| 20 | nodvd | ||
| 21 | nogroups | ||
| 22 | noinput | ||
| 23 | nonewprivs | ||
| 24 | noroot | ||
| 25 | nosound | ||
| 26 | notv | ||
| 27 | nou2f | ||
| 28 | novideo | ||
| 29 | # block the socket syscall to simulate an be empty protocol line, see #639 | ||
| 30 | seccomp socket | ||
| 31 | seccomp.block-secondary | ||
| 32 | x11 none | ||
| 33 | |||
| 34 | private-dev | ||
| 35 | |||
| 36 | dbus-user none | ||
| 37 | dbus-system none | ||
| 38 | |||
| 39 | memory-deny-write-execute | ||
| 40 | |||
| 41 | # gdu has built-in delete (d), empty (e) dir/file support and shell spawning (b) features. | ||
| 42 | # Depending on workflow and use case the sandbox can be hardened by adding the | ||
| 43 | # lines below to your gdu.local if you don't need/want these functionalities. | ||
| 44 | #include disable-shell.inc | ||
| 45 | #private-bin gdu | ||
| 46 | #read-only ${HOME} | ||
diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile index dd2f0b318..4ec6ef82e 100644 --- a/etc/profile-m-z/makepkg.profile +++ b/etc/profile-m-z/makepkg.profile | |||
| @@ -1,4 +1,5 @@ | |||
| 1 | # Firejail profile for makepkg | 1 | # Firejail profile for makepkg |
| 2 | # Description: A utility to automate the building of Arch Linux packages | ||
| 2 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
| 3 | quiet | 4 | quiet |
| 4 | # Persistent local customizations | 5 | # Persistent local customizations |
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 71cec5eaf..1e10258d5 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
| @@ -289,6 +289,7 @@ gapplication | |||
| 289 | gcalccmd | 289 | gcalccmd |
| 290 | gcloud | 290 | gcloud |
| 291 | gconf-editor | 291 | gconf-editor |
| 292 | gdu | ||
| 292 | geany | 293 | geany |
| 293 | geary | 294 | geary |
| 294 | gedit | 295 | gedit |