-rw-r--r-- | etc/inc/disable-programs.inc | 5 | ||||
-rw-r--r-- | etc/profile-a-l/chatterino.profile | 92 | ||||
-rw-r--r-- | etc/profile-a-l/firefox-common.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/ytmdesktop.profile | 2 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 1 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 5 | ||||
-rw-r--r-- | src/firejail/profile.c | 16 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 9 |
9 files changed, 131 insertions, 2 deletions
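--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -116,6 +116,7 @@ blacklist ${HOME}/.cache/fossamail
 blacklist ${HOME}/.cache/fractal
 blacklist ${HOME}/.cache/freecol
 blacklist ${HOME}/.cache/gajim
+blacklist ${HOME}/.cache/gdfuse
 blacklist ${HOME}/.cache/geary
 blacklist ${HOME}/.cache/geeqie
 blacklist ${HOME}/.cache/gegl-0.4
@@ -436,6 +437,7 @@ blacklist ${HOME}/.config/gajim
 blacklist ${HOME}/.config/galculator
 blacklist ${HOME}/.config/gallery-dl
 blacklist ${HOME}/.config/gconf
+blacklist ${HOME}/.config/gdfuse
 blacklist ${HOME}/.config/geany
 blacklist ${HOME}/.config/geary
 blacklist ${HOME}/.config/gedit
@@ -708,6 +710,7 @@ blacklist ${HOME}/.frozen-bubble
 blacklist ${HOME}/.funnyboat
 blacklist ${HOME}/.g8
 blacklist ${HOME}/.gallery-dl.conf
+blacklist ${HOME}/.gdfuse
 blacklist ${HOME}/.geekbench5
 blacklist ${HOME}/.gimp*
 blacklist ${HOME}/.gist
@@ -876,6 +879,7 @@ blacklist ${HOME}/.local/share/caja-python
 blacklist ${HOME}/.local/share/calligragemini
 blacklist ${HOME}/.local/share/cantata
 blacklist ${HOME}/.local/share/cdprojektred
+blacklist ${HOME}/.local/share/chatterino
 blacklist ${HOME}/.local/share/clipit
 blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate
 blacklist ${HOME}/.local/share/contacts
@@ -897,6 +901,7 @@ blacklist ${HOME}/.local/share/feral-interactive
 blacklist ${HOME}/.local/share/five-or-more
 blacklist ${HOME}/.local/share/freecol
 blacklist ${HOME}/.local/share/gajim
+blacklist ${HOME}/.local/share/gdfuse
 blacklist ${HOME}/.local/share/geary
 blacklist ${HOME}/.local/share/geeqie
 blacklist ${HOME}/.local/share/ghostwriter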
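--- /dev/null
+++ b/etc/profile-a-l/chatterino.profile
@@ -0,0 +1,92 @@
+# Firejail profile for Chatterino
+# Description: Chat client for https://twitch.tv
+# This file is overwritten after every install/update
+# Persistent local customizations
+include chatterino.local
+# Persistent global definitions
+include globals.local
+
+# To upload images, whitelist/noblacklist their path in chatterino.local.
+#whitelist ${PICTURES}
+# For custom notification sounds, whitelist/noblacklist their path in chatterino.local.
+#whitelist ${MUSIC}
+
+# Also allow access to mpv/vlc, they're usable via streamlink.
+noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/pulse
+noblacklist ${HOME}/.config/vlc
+noblacklist ${HOME}/.local/share/chatterino
+noblacklist ${HOME}/.local/share/vlc
+
+# Allow Lua for mpv (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
+# Allow Python for Streamlink integration (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# Also allow read-only access to mpv/VLC, they're usable via streamlink.
+mkdir ${HOME}/.local/share/chatterino
+# VLC preferences will fail to save with read-only set.
+whitelist ${HOME}/.local/share/chatterino
+whitelist-ro ${HOME}/.config/mpv
+whitelist-ro ${HOME}/.config/pulse
+whitelist-ro ${HOME}/.config/vlc
+whitelist-ro ${HOME}/.local/share/vlc
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+# Streamlink+VLC doesn't seem to close properly with apparmor enabled.
+#apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noprinters
+noroot
+notv
+nou2f
+# Netlink is required for streamlink integration.
+protocol unix,inet,inet6,netlink
+# Seccomp may break browser integration.
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+# Add more private-bin lines for browsers or video players to chatterino.local if wanted.
+private-bin chatterino,cvlc,env,ffmpeg,mpv,nvlc,pgrep,python*,qvlc,rvlc,streamlink,svlc,vlc
+# private-cache may cause issues with mpv (see #2838)
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,dbus-1,fonts,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,nvidia,passwd,pulse,resolv.conf,rpc,services,ssl,Trolltech.conf,X11
+private-srv none
+private-tmp
+
+dbus-user filter
+dbus-user.own com.chatterino.*
+# Allow notifications.
+dbus-user.talk org.freedesktop.Notifications
+# For media player integration.
+dbus-user.talk org.freedesktop.ScreenSaver
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-user.own org.mpris.MediaPlayer2.chatterino
+dbus-user.talk org.mpris.MediaPlayer2.Player
+dbus-system none
+
+# Prevents browsers/players from lingering after Chatterino is closed.
+#deterministic-shutdown
+# memory-deny-write-execute may break streamlink and browser integration.
+#memory-deny-write-execute
+restrict-namespaces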
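Review bot: `# Seccomp may break browser integration.` sits directly above an enabled `seccomp`, so it reads like the reason the option was turned off rather than a caveat about an active one; phrase it the way the `private-cache` comment is phrased, e.g. `# seccomp is kept enabled; add 'ignore seccomp' to chatterino.local if browser integration breaks.` Likewise `# VLC preferences will fail to save with read-only set.` is placed above `whitelist ${HOME}/.local/share/chatterino`, but it explains the `whitelist-ro` lines for `${HOME}/.config/vlc` and `${HOME}/.local/share/vlc` that follow; move it above those lines. Both are comment-only changes; the hardening set itself (caps.drop, nonewprivs, noroot, restrict-namespaces, dbus filters) looks consistent with the other profiles referenced here.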
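--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -35,6 +35,8 @@ include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 apparmor
+# Fixme!
+apparmor-replace
 caps.drop all
 # machine-id breaks pulse audio; add it to your firefox-common.local if sound is not required.
 #machine-id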
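Review bot: `# Fixme!` above `apparmor-replace` does not tell the reader why the stricter stacking behaviour is being downgraded for Firefox; since the warning added in sandbox.c describes replacement as a relaxation of protection, the comment should state what breaks under stacking and point at the tracking issue, along the lines of `# Stacking onto firejail-default currently breaks Firefox; using the legacy replace mode until that is fixed (see the tracking issue).` If firefox-common.local is included above this line, as the other profiles in this commit do, a user cannot restore stacking from their .local because this later `apparmor-replace` wins; the include lines are outside the hunk, so please confirm and, if so, mention `apparmor-stack` as the way back in the comment.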
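--- a/etc/profile-m-z/ytmdesktop.profile
+++ b/etc/profile-m-z/ytmdesktop.profile
@@ -1,5 +1,5 @@
 # Firejail profile for ytmdesktop
-# Description: Unofficial electron based desktop warpper for YouTube Music
+# Description: Unofficial electron based desktop wrapper for YouTube Music
 # This file is overwritten after every install/update
 # Persistent local customizations
 include youtube.local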
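--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -130,6 +130,7 @@ catfish
 cawbird
 celluloid
 chafa
+chatterino
 checkbashisms
 cheese
 cherrytree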
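--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -339,6 +339,7 @@ extern int arg_writable_var_log; // writable /var/log
 extern int arg_appimage; // appimage
 extern int arg_apparmor; // apparmor
 extern char *apparmor_profile; // apparmor profile
+extern bool apparmor_replace; // whether apparmor should replace the profile (legacy behavior)
 extern int arg_allow_debuggers; // allow debuggers
 extern int arg_x11_block; // block X11
 extern int arg_x11_xorg; // use X11 security extension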
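Review bot: `extern bool apparmor_replace;` is the only `bool` among the `int arg_*` flags in this block, and `bool` is only available if `<stdbool.h>` is included somewhere before this point in firejail.h, which I cannot confirm from the hunk. Either declare it `extern int arg_apparmor_replace; // replace instead of stacking the AppArmor profile (legacy behavior)` to match the neighbouring flags, or make sure the header pulls in `<stdbool.h>` itself rather than relying on includers to do it.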
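--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -134,6 +134,7 @@ int arg_writable_var_log = 0; // writable /var/log
 int arg_appimage = 0; // appimage
 int arg_apparmor = 0; // apparmor
 char *apparmor_profile = NULL; // apparmor profile
+bool apparmor_replace = false; // apparmor profile
 int arg_allow_debuggers = 0; // allow debuggers
 int arg_x11_block = 0; // block X11
 int arg_x11_xorg = 0; // use X11 security extension
@@ -1383,6 +1384,10 @@ int main(int argc, char **argv, char **envp) {
 			arg_apparmor = 1;
 			apparmor_profile = argv[i] + 11;
 		}
+		else if (strncmp(argv[i], "--apparmor-replace", 18) == 0) {
+			arg_apparmor = 1;
+			apparmor_replace = true;
+		}
 #endif
 		else if (strncmp(argv[i], "--protocol=", 11) == 0) {
 			if (checkcfg(CFG_SECCOMP)) {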
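Review bot: `strncmp(argv[i], "--apparmor-replace", 18) == 0` is a prefix match, so a mistyped `--apparmor-replaceXYZ` is silently accepted as the option; the flag takes no `=value`, so compare exactly with `strcmp(argv[i], "--apparmor-replace") == 0`, as profile.c in this same commit does for the profile keyword. The definition `bool apparmor_replace = false; // apparmor profile` carries a comment copied from the line above it; make it say what the flag means, e.g. `// use aa_change_onexec() instead of stacking (legacy behavior)`. Using `bool` here presumes `<stdbool.h>` reaches main.c through firejail.h, which I cannot see from the hunk. The option-parsing loop in main starts and ends outside the hunk.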
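--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -966,6 +966,22 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		return 0;
 	}
 
+	if (strcmp(ptr, "apparmor-replace") == 0) {
+#ifdef HAVE_APPARMOR
+		arg_apparmor = 1;
+		apparmor_replace = true;
+#endif
+		return 0;
+	}
+
+	if (strcmp(ptr, "apparmor-stack") == 0) {
+#ifdef HAVE_APPARMOR
+		arg_apparmor = 1;
+		apparmor_replace = false;
+#endif
+		return 0;
+	}
+
 	if (strncmp(ptr, "protocol ", 9) == 0) {
 		if (checkcfg(CFG_SECCOMP)) {
 			const char *add = ptr + 9;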
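Review bot: The new `apparmor-replace` and `apparmor-stack` keywords are last-writer-wins and neither they nor the `--apparmor-replace` flag appear in any man page or `--help` text in this commit (the diffstat touches no src/man file); document all three, and spell out that a later `apparmor-replace` in a profile overrides an `apparmor-stack` set earlier, including one set in a `.local` file that the profile includes at its top. Both branches return 0 even when `HAVE_APPARMOR` is not defined, so the keywords are accepted silently on builds without AppArmor; if that mirrors how the plain `apparmor` keyword already behaves, a one-line comment such as `// accepted but ignored when built without AppArmor support` above the first `#ifdef` would make the intent explicit. profile_check_line continues outside the hunk.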
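--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -130,7 +130,14 @@ static void set_caps(void) {
 static void set_apparmor(void) {
 	EUID_ASSERT();
 	if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
-		if (aa_stack_onexec(apparmor_profile)) {
+		int res = 0;
+		if(apparmor_replace){
+			fwarning("Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.\n");
+			res = aa_change_onexec(apparmor_profile);
+		} else {
+			res = aa_stack_onexec(apparmor_profile);
+		}
+		if (res) {
 			fwarning("Cannot confine the application using AppArmor.\n"
 			"Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"
 			"As root, run \"aa-enforce firejail-default\" to load it.\n");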
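Review bot: `if(apparmor_replace){` and `} else {` break the `if (...) {` spacing used on the surrounding lines (`if (checkcfg(CFG_APPARMOR) && arg_apparmor) {`, `if (res) {`); write it `if (apparmor_replace) {`. The "Replacing profile instead of stacking it" warning is emitted before `aa_change_onexec()` is attempted, so when the call then fails the user sees that warning followed by the generic "Cannot confine" one even though nothing was replaced; emit it only on the success path, or reword it to "Requested replacing ... instead of stacking". Because `aa_change_onexec()` swaps the current confinement for `apparmor_profile` instead of stacking onto it, this relaxation is reachable from any profile line as well as from the command line; if firejail.config is meant to let administrators forbid such relaxations system-wide, consider gating this branch on a config key the way `checkcfg(CFG_APPARMOR)` already gates the whole block — I cannot see firejail.config from here, so treat that as a suggestion to confirm. set_apparmor's body continues past the hunk.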