-rw-r--r-- | RELNOTES | 2 | ||||
-rw-r--r-- | etc/abrowser.profile | 1 | ||||
-rw-r--r-- | etc/chromium.profile | 1 | ||||
-rw-r--r-- | etc/cyberfox.profile | 1 | ||||
-rw-r--r-- | etc/firefox.profile | 2 | ||||
-rw-r--r-- | etc/flashpeak-slimjet.profile | 1 | ||||
-rw-r--r-- | etc/franz.profile | 1 | ||||
-rw-r--r-- | etc/google-chrome-beta.profile | 1 | ||||
-rw-r--r-- | etc/google-chrome-unstable.profile | 1 | ||||
-rw-r--r-- | etc/google-chrome.profile | 1 | ||||
-rw-r--r-- | etc/icecat.profile | 1 | ||||
-rw-r--r-- | etc/inox.profile | 1 | ||||
-rw-r--r-- | etc/opera-beta.profile | 1 | ||||
-rw-r--r-- | etc/opera.profile | 1 | ||||
-rw-r--r-- | etc/seamonkey.profile | 1 |
15 files changed, 17 insertions, 0 deletions
@@ -13,6 +13,8 @@ firejail (0.9.45) baseline; urgency=low | |||
13 | * security: split seccomp filter code configuration in a separate executable | 13 | * security: split seccomp filter code configuration in a separate executable |
14 | * security: split file copying in private option in a separate executable | 14 | * security: split file copying in private option in a separate executable |
15 | * security: root exploit found by Sebastian Krahmer (CVE-2017-5180) | 15 | * security: root exploit found by Sebastian Krahmer (CVE-2017-5180) |
16 | * security: ~/.pki directory whitelisted and later blacklisted. This affects | ||
17 | most browsers, and disables the custom certificates installed by the user. | ||
16 | * feature: disable gnupg and systemd directories under /run/user | 18 | * feature: disable gnupg and systemd directories under /run/user |
17 | * feature: test coverage (gcov) support | 19 | * feature: test coverage (gcov) support |
18 | * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) | 20 | * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) |
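--- a/etc/abrowser.profile
+++ b/etc/abrowser.profile
@@ -5,6 +5,7 @@ include /etc/firejail/abrowser.local
 # Firejail profile for Abrowser
 noblacklist ~/.mozilla
 noblacklist ~/.cache/mozilla
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc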
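Review bot: The added `noblacklist ~/.pki` has no comment explaining why a certificate store is exempted from the blacklist that `disable-common.inc` (included on the next line) presumably applies. The same bare line is added in the chromium, cyberfox, flashpeak-slimjet, franz, google-chrome, google-chrome-beta, google-chrome-unstable, icecat, inox, opera, opera-beta and seamonkey sections. I would put `# ~/.pki holds user-installed certificates; exempt it from disable-common.inc on purpose` above it, so a later profile cleanup does not remove the line and bring the regression back. The directory affects which certificates the sandboxed program trusts, so the comment should say the exposure is deliberate. The rest of the profile is outside the hunk, so whether it also carries a matching `whitelist ~/.pki` cannot be checked from this page.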
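--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -5,6 +5,7 @@ include /etc/firejail/chromium.local
 # Chromium browser profile
 noblacklist ~/.config/chromium
 noblacklist ~/.cache/chromium
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 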
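--- a/etc/cyberfox.profile
+++ b/etc/cyberfox.profile
@@ -5,6 +5,7 @@ include /etc/firejail/cyberfox.local
 # Firejail profile for Cyberfox (based on Mozilla Firefox)
 noblacklist ~/.8pecxstudios
 noblacklist ~/.cache/8pecxstudios
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc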
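--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -8,6 +8,7 @@ noblacklist ~/.cache/mozilla
 noblacklist ~/.config/qpdfview
 noblacklist ~/.local/share/qpdfview
 noblacklist ~/.kde/share/apps/okular
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
@@ -34,6 +35,7 @@ whitelist ~/.pentadactyl
 whitelist ~/.keysnail.js
 whitelist ~/.config/gnome-mplayer
 whitelist ~/.cache/gnome-mplayer/plugin
+mkdir ~/.pki
 whitelist ~/.pki
 whitelist ~/.config/qpdfview
 whitelist ~/.local/share/qpdfview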
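Review bot: `mkdir ~/.pki` is added ahead of `whitelist ~/.pki` only in this profile, while the other thirteen profiles in the commit receive just the `noblacklist` line. If any of them also whitelists `~/.pki` (their whitelist sections are outside the hunks shown), a missing directory at sandbox start would likely leave nothing to bind, and certificates the user installs in that session would not persist. Each of those profiles should be checked for the same `mkdir ~/.pki` / `whitelist ~/.pki` pair. Whitelisting the directory also gives the browser write access to the certificate store, so it is worth a comment here noting that a compromised browser process could alter the user's trusted certificates.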
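--- a/etc/flashpeak-slimjet.profile
+++ b/etc/flashpeak-slimjet.profile
@@ -11,6 +11,7 @@ include /etc/firejail/flashpeak-slimjet.local
 #
 noblacklist ~/.config/slimjet
 noblacklist ~/.cache/slimjet
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 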
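--- a/etc/franz.profile
+++ b/etc/franz.profile
@@ -5,6 +5,7 @@ include /etc/firejail/franz.local
 # Franz profile
 noblacklist ~/.config/Franz
 noblacklist ~/.cache/Franz
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc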
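--- a/etc/google-chrome-beta.profile
+++ b/etc/google-chrome-beta.profile
@@ -5,6 +5,7 @@ include /etc/firejail/google-chrome-beta.local
 # Google Chrome beta browser profile
 noblacklist ~/.config/google-chrome-beta
 noblacklist ~/.cache/google-chrome-beta
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 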
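--- a/etc/google-chrome-unstable.profile
+++ b/etc/google-chrome-unstable.profile
@@ -5,6 +5,7 @@ include /etc/firejail/google-chrome-unstable.local
 # Google Chrome unstable browser profile
 noblacklist ~/.config/google-chrome-unstable
 noblacklist ~/.cache/google-chrome-unstable
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 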
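--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -5,6 +5,7 @@ include /etc/firejail/google-chrome.local
 # Google Chrome browser profile
 noblacklist ~/.config/google-chrome
 noblacklist ~/.cache/google-chrome
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 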
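--- a/etc/icecat.profile
+++ b/etc/icecat.profile
@@ -5,6 +5,7 @@ include /etc/firejail/icecat.local
 # Firejail profile for GNU Icecat
 noblacklist ~/.mozilla
 noblacklist ~/.cache/mozilla
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc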
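--- a/etc/inox.profile
+++ b/etc/inox.profile
@@ -5,6 +5,7 @@ include /etc/firejail/inox.local
 # Inox browser profile
 noblacklist ~/.config/inox
 noblacklist ~/.cache/inox
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 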
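--- a/etc/opera-beta.profile
+++ b/etc/opera-beta.profile
@@ -5,6 +5,7 @@ include /etc/firejail/opera-beta.local
 # Opera-beta browser profile
 noblacklist ~/.config/opera-beta
 noblacklist ~/.cache/opera-beta
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc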
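--- a/etc/opera.profile
+++ b/etc/opera.profile
@@ -6,6 +6,7 @@ include /etc/firejail/opera.local
 noblacklist ~/.config/opera
 noblacklist ~/.cache/opera
 noblacklist ~/.opera
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc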
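--- a/etc/seamonkey.profile
+++ b/etc/seamonkey.profile
@@ -5,6 +5,7 @@ include /etc/firejail/seamonkey.local
 # Firejail profile for Seamoneky based off Mozilla Firefox
 noblacklist ~/.mozilla
 noblacklist ~/.cache/mozilla
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc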