207 files changed, 2094 insertions, 589 deletions
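--- a/.gitignore
+++ b/.gitignore
@@ -6,6 +6,7 @@
 *.rpm
 *.gcda
 *.gcno
+.directory
 Makefile
 autom4te.cache/
 config.log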
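--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -33,3 +33,7 @@ Pull requests with enhancements, bugfixes or new profiles are very welcome.
 If you want to write a new profile, the easiest way to do this is to use the
 [profile template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template).
 If you have already written a profile, please make sure it follows the rules described in the template.
+
+# Editing the wiki
+
+You are highly encouraged to add your own tips and tricks to the [wiki](https://github.com/netblue30/firejail/wiki).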
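--- a/Makefile.in
+++ b/Makefile.in
@@ -116,6 +116,7 @@ ifeq ($(HAVE_CONTRIB_INSTALL),yes)
 install -c -m 0755 contrib/fjresize.py $(DESTDIR)/$(libdir)/firejail/.
 install -c -m 0755 contrib/fj-mkdeb.py $(DESTDIR)/$(libdir)/firejail/.
 install -c -m 0755 contrib/sort.py $(DESTDIR)/$(libdir)/firejail/.
+install -c -m 0755 contrib/syscalls.sh $(DESTDIR)/$(libdir)/firejail/.
 endif
 # documents
 install -m 0755 -d $(DESTDIR)/$(DOCDIR)
@@ -192,6 +193,7 @@ uninstall:
 rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail
 rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon
 rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
+@echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)/$(sysconfdir)/firejail', see #2038."
 
 DISTFILES = "src etc platform contrib configure configure.ac dummy.c Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkdeb-apparmor.sh COPYING README RELNOTES"
 DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils test/chroot"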
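Review bot: The uninstall hint added at new line 196 recommends `rm -fr $(DESTDIR)/$(sysconfdir)/firejail`, and that directory presumably also holds the administrator's persistent `*.local` customizations that every profile pulls in (`include 7za.local`, `include globals.local`), so following the hint silently discards local policy. The message should say so, e.g. `@echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)/$(sysconfdir)/firejail' (this also removes any local *.local customizations), see #2038."`. The `uninstall:` recipe continues outside the hunk, so whether an earlier line already warns about this cannot be checked here.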
@@ -99,6 +99,8 @@ announ (https://github.com/announ) | |||
99 | Antonio Russo (https://github.com/aerusso) | 99 | Antonio Russo (https://github.com/aerusso) |
100 | - enumerate root directories in apparmor profile | 100 | - enumerate root directories in apparmor profile |
101 | - fix join-or-start | 101 | - fix join-or-start |
102 | aoand (https://github.com/aoand) | ||
103 | - seccomp fix: allow numeric syscalls | ||
102 | Austin Morton (https://github.com/apmorton) | 104 | Austin Morton (https://github.com/apmorton) |
103 | - deterministic-exit-code option | 105 | - deterministic-exit-code option |
104 | - private-cwd options | 106 | - private-cwd options |
@@ -165,6 +167,9 @@ Christian Stadelmann (https://github.com/genodeftest) | |||
165 | - evolution profile fix | 167 | - evolution profile fix |
166 | Clayton Williams (https://github.com/gosre) | 168 | Clayton Williams (https://github.com/gosre) |
167 | - addition of RLIMIT_AS | 169 | - addition of RLIMIT_AS |
170 | corecontingency (https://https://github.com/corecontingency) | ||
171 | - tighten private-bin and etc for torbrowser-launcher.profile | ||
172 | - added i2prouter profile | ||
168 | crass (https://github.com/crass) | 173 | crass (https://github.com/crass) |
169 | - extract_command_name fixes | 174 | - extract_command_name fixes |
170 | - update appimage size calculation to newest code from libappimage | 175 | - update appimage size calculation to newest code from libappimage |
@@ -232,6 +237,8 @@ floxo (https://github.com/floxo) | |||
232 | - fixed qml disk cache issue | 237 | - fixed qml disk cache issue |
233 | Franco (nextime) Lanza (https://github.com/nextime) | 238 | Franco (nextime) Lanza (https://github.com/nextime) |
234 | - added --private-template/--private-home | 239 | - added --private-template/--private-home |
240 | František Polášek (https://github.com/fandaa) | ||
241 | - fix QOwnNotes profile | ||
235 | fuelflo (https://github.com/fuelflo) | 242 | fuelflo (https://github.com/fuelflo) |
236 | - added rambox profile | 243 | - added rambox profile |
237 | Fred-Barclay (https://github.com/Fred-Barclay) | 244 | Fred-Barclay (https://github.com/Fred-Barclay) |
@@ -314,6 +321,8 @@ glitsj16 (https://github.com/glitsj16) | |||
314 | - new profiles: lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh | 321 | - new profiles: lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh |
315 | - new profiles: nirtoshare-send, nitroshare-ui, mencoder, gnome-pie | 322 | - new profiles: nirtoshare-send, nitroshare-ui, mencoder, gnome-pie |
316 | - new profiles: masterpdfeditor | 323 | - new profiles: masterpdfeditor |
324 | gm10 (https://github.com/gm10) | ||
325 | - get_user() do not use the unreliable getlogin() | ||
317 | graywolf (https://github.com/graywolf) | 326 | graywolf (https://github.com/graywolf) |
318 | - spelling fix | 327 | - spelling fix |
319 | greigdp (https://github.com/greigdp) | 328 | greigdp (https://github.com/greigdp) |
@@ -365,11 +374,14 @@ Jean Lucas (https://github.com/flacks) | |||
365 | - add AnyDesk profile | 374 | - add AnyDesk profile |
366 | - add WebStorm profile | 375 | - add WebStorm profile |
367 | - add XMind profile | 376 | - add XMind profile |
377 | - add Whalebird profile | ||
378 | - add zulip profile | ||
368 | - add nvm to list of disabled interpreters | 379 | - add nvm to list of disabled interpreters |
369 | - fixes for tor-browser-* profiles | 380 | - fixes for tor-browser-* profiles |
370 | - alias for riot-desktop | 381 | - alias for riot-desktop |
371 | - add gnome-mpv profile | 382 | - add gnome-mpv profile |
372 | - fix wire profile | 383 | - fix wire profile |
384 | - fix itch profile | ||
373 | - add Beaker profile | 385 | - add Beaker profile |
374 | - fixes for gnome-music | 386 | - fixes for gnome-music |
375 | - allow reading of system-wide Flatpak locale in gajim profile | 387 | - allow reading of system-wide Flatpak locale in gajim profile |
@@ -497,6 +509,8 @@ Lorenzo "Palinuro" Faletra (https://github.com/PalinuroSec) | |||
497 | - fixes to keepassxc, thunderbird and pluma | 509 | - fixes to keepassxc, thunderbird and pluma |
498 | Panzerfather (https://github.com/Panzerfather) | 510 | Panzerfather (https://github.com/Panzerfather) |
499 | - allow eog to access user's trash | 511 | - allow eog to access user's trash |
512 | Patrick Schleizer (https://github.com/adrelanos) | ||
513 | - fix tb-starter-wrapper profile | ||
500 | Patrick Toomey (https://sourceforge.net/u/ptoomey/profile/) | 514 | Patrick Toomey (https://sourceforge.net/u/ptoomey/profile/) |
501 | - user namespace implementation | 515 | - user namespace implementation |
502 | Paul Moore <pmoore@redhat.com> | 516 | Paul Moore <pmoore@redhat.com> |
@@ -35,6 +35,8 @@ Wiki: https://github.com/netblue30/firejail/wiki | |||
35 | 35 | ||
36 | Travis-CI status: https://travis-ci.org/netblue30/firejail | 36 | Travis-CI status: https://travis-ci.org/netblue30/firejail |
37 | 37 | ||
38 | GitLab-CI status: https://gitlab.com/Firejail/firejail_ci/pipelines/ | ||
39 | |||
38 | 40 | ||
39 | ## Security vulnerabilities | 41 | ## Security vulnerabilities |
40 | 42 | ||
@@ -116,4 +118,4 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
116 | 118 | ||
117 | ## New profiles: | 119 | ## New profiles: |
118 | 120 | ||
119 | gnome-sound-recorder, godot, jerry, keepassxc-cli, keepassxc-proxy, klatexformula, klatexformula_cmdl, links, newsbeuter, OpenArena, pandoc, qgis, rhythmbox-client, tcpdump, teams-for-linux, tshark, xlinks, zeal, mpg123, conplay, mpg123.bin, mpg123-alsa, mpg123-id3dump, mpg123-jack, mpg123-nas, mpg123-openal, mpg123-oss, mpg123-portaudio, mpg123-pulse, mpg123-strip, out123, pavucontrol-qt, gnome-characters, gnome-character-map | 121 | gnome-sound-recorder, godot, jerry, keepassxc-cli, keepassxc-proxy, klatexformula, klatexformula_cmdl, links, newsbeuter, OpenArena, pandoc, qgis, rhythmbox-client, tcpdump, teams-for-linux, tshark, xlinks, zeal, mpg123, conplay, mpg123.bin, mpg123-alsa, mpg123-id3dump, mpg123-jack, mpg123-nas, mpg123-openal, mpg123-oss, mpg123-portaudio, mpg123-pulse, mpg123-strip, out123, pavucontrol-qt, gnome-characters, gnome-character-map, rsync, Whalebird, tor-browser (AUR), Zulip, tb-starter-wrapper, bzcat, kiwix-desktop |
@@ -1,8 +1,10 @@ | |||
1 | firejail (0.9.61) baseline; urgency=low | 1 | firejail (0.9.61) baseline; urgency=low |
2 | * work in progress | 2 | * work in progress |
3 | * added file-copy-limit in /etc/firejail/firejail.config | 3 | * added file-copy-limit in /etc/firejail/firejail.config |
4 | * profile templates | 4 | * profile templates (/usr/share/doc/firejail) |
5 | * allow-debuggers support in profiles | 5 | * allow-debuggers support in profiles |
6 | * several seccomp enhancements | ||
7 | * compiler flags autodetection | ||
6 | * new scripts in conrib: gdb-firejail.sh and sort.py | 8 | * new scripts in conrib: gdb-firejail.sh and sort.py |
7 | * new profiles: qgis, klatexformula, klatexformula_cmdl, links, xlinks | 9 | * new profiles: qgis, klatexformula, klatexformula_cmdl, links, xlinks |
8 | * new profiles: pandoc, teams-for-linux, OpenArena, gnome-sound-recorder | 10 | * new profiles: pandoc, teams-for-linux, OpenArena, gnome-sound-recorder |
@@ -11,7 +13,10 @@ firejail (0.9.61) baseline; urgency=low | |||
11 | * new profiles: conplay, mpg123.bin, mpg123-alsa, mpg123-id3dump, out123 | 13 | * new profiles: conplay, mpg123.bin, mpg123-alsa, mpg123-id3dump, out123 |
12 | * new profiles: mpg123-jack, mpg123-nas, mpg123-openal, mpg123-oss | 14 | * new profiles: mpg123-jack, mpg123-nas, mpg123-openal, mpg123-oss |
13 | * new profiles: mpg123-portaudio, mpg123-pulse, mpg123-strip, pavucontrol-qt | 15 | * new profiles: mpg123-portaudio, mpg123-pulse, mpg123-strip, pavucontrol-qt |
14 | * new profiles: gnome-characters, gnome-character-map | 16 | * new profiles: gnome-characters, gnome-character-map, rsync, Whalebird, |
17 | * new profiles: tor-browser (AUR), Zulip, tb-starter-wrapper, bzcat, | ||
18 | * new profiles: kiwix-desktop, bzcat, zstd, pzstd, zstdcat, zstdgrep, zstdless | ||
19 | * new profiles: zstdmt, unzstd, i2p | ||
15 | -- netblue30 <netblue30@yahoo.com> Sat, 1 Jun 2019 08:00:00 -0500 | 20 | -- netblue30 <netblue30@yahoo.com> Sat, 1 Jun 2019 08:00:00 -0500 |
16 | 21 | ||
17 | firejail (0.9.60) baseline; urgency=low | 22 | firejail (0.9.60) baseline; urgency=low |
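--- a/contrib/fjclip.py
+++ b/contrib/fjclip.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 
 import sys
 import subprocess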
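--- a/contrib/fjdisplay.py
+++ b/contrib/fjdisplay.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 
 import re
 import sys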
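--- a/contrib/fjresize.py
+++ b/contrib/fjresize.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 
 import sys
 import fjdisplay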
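--- a/contrib/sort.py
+++ b/contrib/sort.py
@@ -78,6 +78,8 @@ def fix_profile(filename):
 fixed_line = f"{line[:10]}{sort_alphabetical(line[10:])}"
 elif line[:8] == "protocol":
 fixed_line = f"protocol {sort_protocol(line[9:])}"
+elif line[:8] == "seccomp ":
+fixed_line = f"{line[:8]}{sort_alphabetical(line[8:])}"
 else:
 fixed_line = line
 if fixed_line != line: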
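Review bot: The new `seccomp ` branch passes the whole argument list to `sort_alphabetical`, but this same commit introduces negated entries (`seccomp !chroot` in Viber.profile, `seccomp !ioprio_set` in baloo_file.profile); whether `sort_alphabetical` treats the `!` prefix sensibly is not visible from this hunk, so a test with a mixed list such as `seccomp !chroot,@clock` would be worth adding. On style, `line.startswith("seccomp ")` reads better than `line[:8] == "seccomp "`, and the literal can replace the slice as the `protocol` branch does: `fixed_line = f"seccomp {sort_alphabetical(line[8:])}"`. `fix_profile` starts and ends outside the hunk.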
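--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -24,6 +24,7 @@ whitelist ${HOME}/.cache/0ad
 whitelist ${HOME}/.config/0ad
 whitelist ${HOME}/.local/share/0ad
 include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter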
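--- a/etc/7z.profile
+++ b/etc/7z.profile
@@ -13,7 +13,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+apparmor
 caps.drop all
+hostname 7z
 ipc-namespace
 machine-id
 net none
@@ -33,4 +35,8 @@ shell none
 tracelog
 x11 none
 
+#private-bin 7z,7z*,p7zip
+private-cache
 private-dev
+
+memory-deny-write-execute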
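Review bot: The commented-out `#private-bin 7z,7z*,p7zip` at new line 38 gives no reason for being disabled, while the convention visible elsewhere in this commit is a trailing explanation (baobab.profile's `#memory-deny-write-execute - breaks on Arch (see issue #1803)`). Suggest `#private-bin 7z,7z*,p7zip - <REASON IT IS DISABLED>`, or dropping the line if it is not intended to be enabled later. The `apparmor` and `memory-deny-write-execute` additions tighten the profile; whether `memory-deny-write-execute` has been checked against a 7z build that uses JIT-free code paths cannot be told from here.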
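--- a/etc/7za.profile
+++ b/etc/7za.profile
@@ -1,5 +1,6 @@
 # Firejail profile for 7za
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include 7za.local
 # Persistent global definitions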
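--- a/etc/7zr.profile
+++ b/etc/7zr.profile
@@ -1,5 +1,6 @@
 # Firejail profile for 7zr
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include 7zr.local
 # Persistent global definitions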
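--- a/etc/QMediathekView.profile
+++ b/etc/QMediathekView.profile
@@ -39,6 +39,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none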
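--- a/etc/QOwnNotes.profile
+++ b/etc/QOwnNotes.profile
@@ -20,7 +20,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/Nextcloud/Notes
-mkdir ${HOME}.config/PBE
+mkdir ${HOME}/.config/PBE
 mkdir ${HOME}/.local/share/PBE
 whitelist ${DOCUMENTS}
 whitelist ${HOME}/Nextcloud/Notes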
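--- a/etc/Viber.profile
+++ b/etc/Viber.profile
@@ -28,12 +28,10 @@ nonewprivs
 noroot
 notv
 protocol unix,inet,inet6
-seccomp
+seccomp !chroot
 shell none
 
 disable-mnt
 private-bin awk,bash,dig,sh,Viber
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11
 private-tmp
-
-env QTWEBENGINE_DISABLE_SANDBOX=1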
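Review bot: `seccomp !chroot` at line 31 relaxes the default filter with no comment on why, whereas akregator.profile in this same commit documents the identical exception with `# chroot syscalls are needed for setting up the built-in sandbox`; bibletime.profile, also changed here, lacks the comment too. Adding that same line directly above the seccomp rule in both files keeps the weakened filter reviewable. Dropping `env QTWEBENGINE_DISABLE_SANDBOX=1` is consistent with that reason only if the WebEngine sandbox is what needs chroot — worth confirming and stating in the comment.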
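--- a/etc/Xephyr.profile
+++ b/etc/Xephyr.profile
@@ -1,6 +1,7 @@
 # Firejail profile for Xephyr
 # This file is overwritten after every install/update
 # Persistent local customizations
+quiet
 include Xephyr.local
 # Persistent global definitions
 include globals.local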
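Review bot: `quiet` is inserted between `# Persistent local customizations` and `include Xephyr.local`, separating the comment from the line it describes; every other profile touched in this commit (7za, acat, Xvfb, and the atool fix that moves the line) places `quiet` directly after `# This file is overwritten after every install/update`. Move the line up one position so the header reads the same as the others.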
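--- a/etc/Xvfb.profile
+++ b/etc/Xvfb.profile
@@ -1,6 +1,7 @@
 # Firejail profile for Xvfb
 # Description: Virtual Framebuffer 'fake' X server
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include Xvfb.local
 # Persistent global definitions
@@ -30,6 +31,7 @@ nonewprivs
 nosound
 notv
 nou2f
+novideo
 protocol unix
 seccomp
 shell none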
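--- a/etc/acat.profile
+++ b/etc/acat.profile
@@ -1,5 +1,6 @@
 # Firejail profile for acat
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include acat.local
 # Persistent global definitions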
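--- a/etc/adiff.profile
+++ b/etc/adiff.profile
@@ -1,5 +1,6 @@
 # Firejail profile for adiff
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include adiff.local
 # Persistent global definitions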
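--- a/etc/akonadi_control.profile
+++ b/etc/akonadi_control.profile
@@ -17,6 +17,7 @@ noblacklist ${HOME}/.local/share/apps/korganizer
 noblacklist ${HOME}/.local/share/contacts
 noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.local/share/notes
+noblacklist /sbin
 noblacklist /tmp/akonadi-*
 noblacklist /usr/sbin
 
@@ -45,8 +46,8 @@ nosound
 notv
 nou2f
 novideo
-# protocol unix,inet,inet6
-# seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+# protocol unix,inet,inet6,netlink
+# seccomp !io_getevents,!io_setup,!io_submit,!ioprio_set
 tracelog
 
 private-dev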
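Review bot: `noblacklist /sbin` at new line 20 re-exposes a system directory with no comment on what akonadi needs from it, and the `# protocol` / `# seccomp` lines at 49-50 are rewritten yet stay commented out without saying what breaks when they are enabled. A short reason beside each, in the style baloo_file.profile uses in this commit (`# blacklisting of ioprio_set system calls breaks baloo_file`), e.g. `# <WHAT BREAKS> - see #<ISSUE>`, would make the weaker sandbox reviewable later. Whether the new `!io_*`/`!ioprio_set` exceptions were actually tested before being left disabled cannot be told from the hunk.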
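--- a/etc/akregator.profile
+++ b/etc/akregator.profile
@@ -36,7 +36,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 # chroot syscalls are needed for setting up the built-in sandbox
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 
 disable-mnt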
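Review bot: Replacing the explicit `seccomp.drop` list with `seccomp !chroot` presumably means "default blacklist minus chroot", but the default list is not visible in this hunk, so it cannot be confirmed here that everything the old line blocked (`mount`, `ptrace`, `keyctl`, the `@module`/`@raw-io` groups, …) is still blocked; bibletime.profile and baloo_file.profile make the same substitution. A sentence in the commit message or a comment stating that the default filter is a superset of the removed list would settle it for future readers.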
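--- /dev/null
+++ b/etc/allow-common-devel.inc
@@ -0,0 +1,17 @@
+# Rust
+noblacklist ${HOME}/.cargo/config
+noblacklist ${HOME}/.cargo/registry
+
+# Git
+noblacklist ${HOME}/.config/git
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.git-credentials
+
+# Python
+noblacklist ${HOME}/.python-history
+noblacklist ${HOME}/.python_history
+noblacklist ${HOME}/.pythonhist
+
+# Java
+noblacklist ${HOME}/.gradle
+noblacklist ${HOME}/.java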
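Review bot: The new include has no header comment, while every other file in this tree opens with a description and `# This file is overwritten after every install/update`; a profile author pulling it in (android-studio, aosp, atom in this commit) should also be told that it unblacklists `${HOME}/.git-credentials`, git's plaintext credential store, for the sandboxed application. Suggest starting the file with `# Common development files (Rust, Git, Python, Java) unblacklisted for IDE-style profiles` plus the overwrite notice, and a one-line comment on the `.git-credentials` entry saying it exposes stored credentials so profiles that do not need it can blacklist it back.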
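--- a/etc/als.profile
+++ b/etc/als.profile
@@ -1,5 +1,6 @@
 # Firejail profile for als
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include als.local
 # Persistent global definitions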
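--- a/etc/android-studio.profile
+++ b/etc/android-studio.profile
@@ -7,17 +7,15 @@ include globals.local
 
 noblacklist ${HOME}/.AndroidStudio*
 noblacklist ${HOME}/.android
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
-noblacklist ${HOME}/.gradle
 noblacklist ${HOME}/.jack-server
 noblacklist ${HOME}/.jack-settings
-noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/JetBrains
 noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
 
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
 include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc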
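--- a/etc/aosp.profile
+++ b/etc/aosp.profile
@@ -7,18 +7,16 @@ include globals.local
 
 noblacklist ${HOME}/.android
 noblacklist ${HOME}/.bash_history
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
-noblacklist ${HOME}/.gradle
 noblacklist ${HOME}/.jack-server
 noblacklist ${HOME}/.jack-settings
-noblacklist ${HOME}/.java
 noblacklist ${HOME}/.repo_.gitconfig.json
 noblacklist ${HOME}/.repoconfig
 noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
 
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
 include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc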
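--- a/etc/apack.profile
+++ b/etc/apack.profile
@@ -1,5 +1,6 @@
 # Firejail profile for apack
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include apack.local
 # Persistent global definitions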
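--- a/etc/arepack.profile
+++ b/etc/arepack.profile
@@ -1,5 +1,6 @@
 # Firejail profile for arepack
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include arepack.local
 # Persistent global definitions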
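--- a/etc/asunder.profile
+++ b/etc/asunder.profile
@@ -30,6 +30,7 @@ nodbus
 nonewprivs
 noroot
 nou2f
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none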
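--- a/etc/atom.profile
+++ b/etc/atom.profile
@@ -8,18 +8,9 @@ include globals.local
 
 noblacklist ${HOME}/.atom
 noblacklist ${HOME}/.config/Atom
-# allow rust
-noblacklist ${HOME}/.cargo/config
-noblacklist ${HOME}/.cargo/registry
-# allow git config files
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
-# allow python dev files
-noblacklist ${HOME}/.python-history
-noblacklist ${HOME}/.python_history
-noblacklist ${HOME}/.pythonhist
-noblacklist ${HOME}/.pythonrc.py
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
 
 include disable-common.inc
 include disable-exec.inc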
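Review bot: The block replaced by `include allow-common-devel.inc` contained `noblacklist ${HOME}/.pythonrc.py`, which the new include does not list (its Python section has only the three history files), so atom silently loses access to that file — a behaviour change the commit does not mention. Either keep `noblacklist ${HOME}/.pythonrc.py` in atom.profile or add it to the include under `# Python`. Note the include also unblacklists `.gradle` and `.java`, which atom did not previously expose; presumably intended, but worth a word in the commit message.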
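--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -1,7 +1,7 @@
 # Firejail profile for atool
 # Description: Tool for managing file archives of various types
-quiet
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include atool.local
 # Persistent global definitions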
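--- a/etc/aunpack.profile
+++ b/etc/aunpack.profile
@@ -1,5 +1,6 @@
 # Firejail profile for aunpack
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include aunpack.local
 # Persistent global definitions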
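--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -39,7 +39,7 @@ nou2f
 novideo
 protocol unix
 # blacklisting of ioprio_set system calls breaks baloo_file
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+seccomp !ioprio_set
 shell none
 # x11 xorg
 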
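--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -32,5 +32,3 @@ shell none
 private-bin baobab
 private-dev
 private-tmp
-
-#memory-deny-write-execute - breaks on Arch (see issue #1803)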
diff --git a/etc/basilisk.profile b/etc/basilisk.profile index 5bc91dc74..8dc3847a0 100644 --- a/etc/basilisk.profile +++ b/etc/basilisk.profile | |||
@@ -14,8 +14,8 @@ whitelist ${HOME}/.cache/moonchild productions/basilisk | |||
14 | whitelist ${HOME}/.moonchild productions | 14 | whitelist ${HOME}/.moonchild productions |
15 | 15 | ||
16 | # Basilisk can use the full firejail seccomp filter (unlike firefox >= 60) | 16 | # Basilisk can use the full firejail seccomp filter (unlike firefox >= 60) |
17 | ignore seccomp.drop | ||
18 | seccomp | 17 | seccomp |
18 | ignore seccomp | ||
19 | 19 | ||
20 | #private-bin basilisk | 20 | #private-bin basilisk |
21 | # private-etc must first be enabled in firefox-common.profile | 21 | # private-etc must first be enabled in firefox-common.profile |
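Review bot: The new order on lines 17–18, `seccomp` before `ignore seccomp`, looks load-bearing and nothing in the file says so. If `ignore` only suppresses commands parsed after it, this order applies Basilisk's own full filter and then skips the seccomp line of the firefox-common profile referenced on line 21, whereas the reverse order would presumably leave the process with no filter at all. If `ignore` matches the command word exactly, the rename from `ignore seccomp.drop` also has to track the same `seccomp.drop` → `seccomp` switch in firefox-common.profile, which is not visible here. Suggest extending the comment on line 16 with `# keep 'seccomp' above 'ignore seccomp': ignore only affects later lines, including the one in firefox-common.profile`.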
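--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -42,7 +42,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 
 disable-mnt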
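Review bot: The new `seccomp !chroot` on line 45 relaxes the default filter without recording why chroot is needed, and brackets.profile's `seccomp !chroot,!ioperm` in its second hunk has the same gap; the ioprio_set exceptions in baloo_file.profile and clementine.profile by contrast carry a one-line reason. Each `!syscall` widens the kernel surface reachable from the sandbox, so the justification belongs next to the line, e.g. `# chroot is needed by <feature> (see issue #<NNNN>)` with the real reference filled in. Without it a later maintainer cannot tell whether the exception is still required or was just carried over from the old hand-maintained seccomp.drop list.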
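--- a/etc/brackets.profile
+++ b/etc/brackets.profile
@@ -8,13 +8,9 @@ include globals.local
 noblacklist ${HOME}/.config/Brackets
 #noblacklist /opt/brackets/
 #noblacklist /opt/google/
-# Uncomment the next two lines if you are developing rust.
-# or put it in your brackets.local
-#noblacklist ${HOME}/.cargo/config
-#noblacklist ${HOME}/.cargo/registry
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
 
 include disable-common.inc
 include disable-passwdmgr.inc
@@ -31,7 +27,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot,!ioperm
 shell none
 
 private-cache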
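Review bot: The first hunk drops the explicit `noblacklist ${HOME}/.git-credentials` (old line 17) in favour of allow-common-devel.inc, which is not visible here, and code.profile (old line 14) makes the same change. In this same commit disable-common.inc moves `.git-credentials` and `.git-credential-cache` into its credentials block, so unless the new include re-allows them, sandboxed Brackets and VS Code lose access to a plain-text git credential store — a sound least-privilege default, but a visible behaviour change for users of `credential.helper store`. Suggest saying so next to the include, e.g. `# stored git credentials stay blacklisted by disable-common.inc; re-allow in brackets.local if needed`, or in the commit message.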
diff --git a/etc/bsdtar.profile b/etc/bsdtar.profile index 1411ce7bd..17c67ed26 100644 --- a/etc/bsdtar.profile +++ b/etc/bsdtar.profile | |||
@@ -20,8 +20,8 @@ ipc-namespace | |||
20 | machine-id | 20 | machine-id |
21 | net none | 21 | net none |
22 | no3d | 22 | no3d |
23 | nodvd | ||
24 | nodbus | 23 | nodbus |
24 | nodvd | ||
25 | nogroups | 25 | nogroups |
26 | nonewprivs | 26 | nonewprivs |
27 | # noroot | 27 | # noroot |
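--- a/etc/bunzip2.profile
+++ b/etc/bunzip2.profile
@@ -1,6 +1,7 @@
 # Firejail profile for bunzip2
 # Description: A high-quality data compression program
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include bunzip2.local
 # Persistent global definitions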
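--- /dev/null
+++ b/etc/bzcat.profile
@@ -0,0 +1,15 @@
+# Firejail profile for bzcat
+# Description: A high-quality data compression program
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include bzcat.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+ignore read-write
+read-only ${HOME}
+
+# Redirect
+include gzip.profile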
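Review bot: In the new etc/bzcat.profile the `ignore read-write` on line 11 only makes sense if it takes effect before the `include gzip.profile` redirect on line 15, which presumably carries the `read-write` it is meant to cancel, yet nothing in the file says the order is significant. Suggest `# keep above the redirect: 'ignore' only affects lines parsed after it` on line 11. Since line 12 tightens the sandbox to `read-only ${HOME}`, a short note that bzcat only writes to stdout would also explain why that is safe for this tool but not for its gzip.profile siblings.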
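--- a/etc/bzip2.profile
+++ b/etc/bzip2.profile
@@ -1,6 +1,7 @@
 # Firejail profile for bzip2
 # Description: A high-quality data compression program
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include bzip2.local
 # Persistent global definitions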
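--- a/etc/checkbashisms.profile
+++ b/etc/checkbashisms.profile
@@ -44,7 +44,7 @@ x11 none
 
 private-cache
 private-dev
-private-lib perl*
+private-lib libfreebl3.so,perl*
 private-tmp
 
 memory-deny-write-execute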
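Review bot: `private-lib libfreebl3.so,perl*` on line 47 adds a library to the private lib set without a note on why a shell-script checker needs it, which makes the entry look like a stray addition to anyone pruning the list later. If the reason is that perl's `crypt()` pulls in NSS freebl on some distributions, record it, e.g. `# libfreebl3.so: pulled in by perl on <distro> — confirm`, naming the distribution where the failure was observed so it can be reproduced.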
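--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -27,7 +27,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 # blacklisting of ioprio_set system calls breaks clementine
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+seccomp !ioprio_set
 
 private-dev
 private-tmp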
diff --git a/etc/code.profile b/etc/code.profile index 6faf429e1..7ac4e1619 100644 --- a/etc/code.profile +++ b/etc/code.profile | |||
@@ -5,20 +5,14 @@ include code.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.cargo/config | ||
9 | noblacklist ${HOME}/.cargo/registry | ||
10 | noblacklist ${HOME}/.config/Code | 8 | noblacklist ${HOME}/.config/Code |
11 | noblacklist ${HOME}/.config/Code - OSS | 9 | noblacklist ${HOME}/.config/Code - OSS |
12 | noblacklist ${HOME}/.config/git | ||
13 | noblacklist ${HOME}/.gitconfig | ||
14 | noblacklist ${HOME}/.git-credentials | ||
15 | noblacklist ${HOME}/.python-history | ||
16 | noblacklist ${HOME}/.python_history | ||
17 | noblacklist ${HOME}/.pythonhist | ||
18 | noblacklist ${HOME}/.pythonrc.py | ||
19 | noblacklist ${HOME}/.vscode | 10 | noblacklist ${HOME}/.vscode |
20 | noblacklist ${HOME}/.vscode-oss | 11 | noblacklist ${HOME}/.vscode-oss |
21 | 12 | ||
13 | # Allows files commonly used by IDEs | ||
14 | include allow-common-devel.inc | ||
15 | |||
22 | include disable-common.inc | 16 | include disable-common.inc |
23 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
24 | include disable-programs.inc | 18 | include disable-programs.inc |
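--- a/etc/conplay.profile
+++ b/etc/conplay.profile
@@ -1,4 +1,6 @@
 # Firejail profile for conplay
+# Description: MPEG audio player/decoder
+# This file is overwritten after every install/update
 # Persistent local customizations
 include conplay.local
 # Persistent global definitions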
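--- a/etc/dconf-editor.profile
+++ b/etc/dconf-editor.profile
@@ -41,5 +41,3 @@ private-dev
 private-etc alternatives,dconf,fonts,gtk-3.0,machine-id
 private-lib
 private-tmp
-
-# memory-deny-write-execute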
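--- a/etc/devhelp.profile
+++ b/etc/devhelp.profile
@@ -41,6 +41,6 @@ private-dev
 private-etc alternatives,dconf,fonts,ld.so.cache,machine-id,ssl
 private-tmp
 
-#memory-deny-write-execute - breaks on Arch (see issue 1803)
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
 
 read-only ${HOME}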
diff --git a/etc/dig.profile b/etc/dig.profile index 6f2c1f755..611cbf026 100644 --- a/etc/dig.profile +++ b/etc/dig.profile | |||
@@ -1,7 +1,7 @@ | |||
1 | # Firejail profile for dig | 1 | # Firejail profile for dig |
2 | # Description: DNS lookup utility | 2 | # Description: DNS lookup utility |
3 | quiet | ||
4 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | ||
5 | # Persistent local customizations | 5 | # Persistent local customizations |
6 | include dig.local | 6 | include dig.local |
7 | # Persistent global definitions | 7 | # Persistent global definitions |
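--- a/etc/dino.profile
+++ b/etc/dino.profile
@@ -1,4 +1,5 @@
 # Firejail profile for dino
+# Description: Modern XMPP Chat Client using GTK+/Vala
 # This file is overwritten after every install/update
 # Persistent local customizations
 include dino.local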
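--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -67,6 +67,7 @@ blacklist ${HOME}/.config/khotkeysrc
 blacklist ${HOME}/.config/krunnerrc
 blacklist ${HOME}/.config/kscreenlockerrc
 blacklist ${HOME}/.config/ksslcertificatemanager
+blacklist ${HOME}/.config/kwalletrc
 blacklist ${HOME}/.config/kwinrc
 blacklist ${HOME}/.config/kwinrulesrc
 blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
@@ -79,6 +80,7 @@ blacklist ${HOME}/.kde/share/config/khotkeysrc
 blacklist ${HOME}/.kde/share/config/krunnerrc
 blacklist ${HOME}/.kde/share/config/kscreensaverrc
 blacklist ${HOME}/.kde/share/config/ksslcertificatemanager
+blacklist ${HOME}/.kde/share/config/kwalletrc
 blacklist ${HOME}/.kde/share/config/kwinrc
 blacklist ${HOME}/.kde/share/config/kwinrulesrc
 blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc
@@ -89,6 +91,7 @@ blacklist ${HOME}/.kde4/share/config/khotkeysrc
 blacklist ${HOME}/.kde4/share/config/krunnerrc
 blacklist ${HOME}/.kde4/share/config/kscreensaverrc
 blacklist ${HOME}/.kde4/share/config/ksslcertificatemanager
+blacklist ${HOME}/.kde4/share/config/kwalletrc
 blacklist ${HOME}/.kde4/share/config/kwinrc
 blacklist ${HOME}/.kde4/share/config/kwinrulesrc
 blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
@@ -281,8 +284,7 @@ read-only ${HOME}/bin
 read-only ${HOME}/.bin
 read-only ${HOME}/.local/bin
 read-only ${HOME}/.cargo/bin
-blacklist ${HOME}/.cargo/registry
-blacklist ${HOME}/.cargo/config
+read-only ${HOME}/.cargo/env
 
 # Write-protection for desktop entries
 read-only ${HOME}/.config/menus
@@ -297,11 +299,14 @@ blacklist ${HOME}/*.kdbx
 blacklist ${HOME}/*.key
 blacklist ${HOME}/.Private
 blacklist ${HOME}/.caff
+blacklist ${HOME}/.cargo/credentials
 blacklist ${HOME}/.cert
 blacklist ${HOME}/.config/keybase
 blacklist ${HOME}/.davfs2/secrets
 blacklist ${HOME}/.ecryptfs
 blacklist ${HOME}/.fetchmailrc
+blacklist ${HOME}/.git-credential-cache
+blacklist ${HOME}/.git-credentials
 blacklist ${HOME}/.gnome2/keyrings
 blacklist ${HOME}/.gnupg
 blacklist ${HOME}/.config/hub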
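Review bot: The credential-block additions on new lines 302, 308 and 309 are a good hardening, but `blacklist ${HOME}/.cargo/credentials` covers only the legacy file name; current cargo also reads `${HOME}/.cargo/credentials.toml`, so `blacklist ${HOME}/.cargo/credentials.toml` should sit beside it. Likewise newer git releases keep the credential-cache socket under the XDG cache directory rather than `~/.git-credential-cache`, so line 308 is a partial cover and deserves a comment such as `# newer git keeps the cache socket under $XDG_CACHE_HOME/git/credential` so the gap stays visible. The hunk at lines 287–288 also moves `.cargo/registry` and `.cargo/config` out of this file into disable-programs.inc, which turns them from always-blacklisted into re-allowable by a profile; that looks intentional given the new allow-common-devel.inc include, but the commit message should say so.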
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index cc6877693..e54b651a6 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
@@ -3,6 +3,7 @@ | |||
3 | include disable-programs.local | 3 | include disable-programs.local |
4 | 4 | ||
5 | blacklist ${HOME}/Arduino | 5 | blacklist ${HOME}/Arduino |
6 | blacklist ${HOME}/i2p | ||
6 | blacklist ${HOME}/Monero/wallets | 7 | blacklist ${HOME}/Monero/wallets |
7 | blacklist ${HOME}/Nextcloud/Notes | 8 | blacklist ${HOME}/Nextcloud/Notes |
8 | blacklist ${HOME}/SoftMaker | 9 | blacklist ${HOME}/SoftMaker |
@@ -28,9 +29,9 @@ blacklist ${HOME}/.Steam | |||
28 | blacklist ${HOME}/.Steampath | 29 | blacklist ${HOME}/.Steampath |
29 | blacklist ${HOME}/.Steampid | 30 | blacklist ${HOME}/.Steampid |
30 | blacklist ${HOME}/.TelegramDesktop | 31 | blacklist ${HOME}/.TelegramDesktop |
32 | blacklist ${HOME}/.VSCodium | ||
31 | blacklist ${HOME}/.ViberPC | 33 | blacklist ${HOME}/.ViberPC |
32 | blacklist ${HOME}/.VirtualBox | 34 | blacklist ${HOME}/.VirtualBox |
33 | blacklist ${HOME}/.VSCodium | ||
34 | blacklist ${HOME}/.WebStorm* | 35 | blacklist ${HOME}/.WebStorm* |
35 | blacklist ${HOME}/.Wolfram Research | 36 | blacklist ${HOME}/.Wolfram Research |
36 | blacklist ${HOME}/.ZAP | 37 | blacklist ${HOME}/.ZAP |
@@ -51,6 +52,8 @@ blacklist ${HOME}/.bibletime | |||
51 | blacklist ${HOME}/.bitcoin | 52 | blacklist ${HOME}/.bitcoin |
52 | blacklist ${HOME}/.bogofilter | 53 | blacklist ${HOME}/.bogofilter |
53 | blacklist ${HOME}/.bzf | 54 | blacklist ${HOME}/.bzf |
55 | blacklist ${HOME}/.cargo/registry | ||
56 | blacklist ${HOME}/.cargo/config | ||
54 | blacklist ${HOME}/.claws-mail | 57 | blacklist ${HOME}/.claws-mail |
55 | blacklist ${HOME}/.cliqz | 58 | blacklist ${HOME}/.cliqz |
56 | blacklist ${HOME}/.clonk | 59 | blacklist ${HOME}/.clonk |
@@ -94,9 +97,9 @@ blacklist ${HOME}/.config/MusicBrainz | |||
94 | blacklist ${HOME}/.config/Nathan Osman | 97 | blacklist ${HOME}/.config/Nathan Osman |
95 | blacklist ${HOME}/.config/Nylas Mail | 98 | blacklist ${HOME}/.config/Nylas Mail |
96 | blacklist ${HOME}/.config/PBE | 99 | blacklist ${HOME}/.config/PBE |
97 | blacklist ${HOME}/.config/Qlipper | ||
98 | blacklist ${HOME}/.config/QGIS | 100 | blacklist ${HOME}/.config/QGIS |
99 | blacklist ${HOME}/.config/QMediathekView | 101 | blacklist ${HOME}/.config/QMediathekView |
102 | blacklist ${HOME}/.config/Qlipper | ||
100 | blacklist ${HOME}/.config/QuiteRss | 103 | blacklist ${HOME}/.config/QuiteRss |
101 | blacklist ${HOME}/.config/QuiteRssrc | 104 | blacklist ${HOME}/.config/QuiteRssrc |
102 | blacklist ${HOME}/.config/Rambox | 105 | blacklist ${HOME}/.config/Rambox |
@@ -179,10 +182,11 @@ blacklist ${HOME}/.config/ghb | |||
179 | blacklist ${HOME}/.config/ghostwriter | 182 | blacklist ${HOME}/.config/ghostwriter |
180 | blacklist ${HOME}/.config/git | 183 | blacklist ${HOME}/.config/git |
181 | blacklist ${HOME}/.config/globaltime | 184 | blacklist ${HOME}/.config/globaltime |
185 | blacklist ${HOME}/.config/gnome-builder | ||
182 | blacklist ${HOME}/.config/gnome-mplayer | 186 | blacklist ${HOME}/.config/gnome-mplayer |
183 | blacklist ${HOME}/.config/gnome-mpv | 187 | blacklist ${HOME}/.config/gnome-mpv |
184 | blacklist ${HOME}/.config/godot | ||
185 | blacklist ${HOME}/.config/gnome-pie | 188 | blacklist ${HOME}/.config/gnome-pie |
189 | blacklist ${HOME}/.config/godot | ||
186 | blacklist ${HOME}/.config/google-chrome | 190 | blacklist ${HOME}/.config/google-chrome |
187 | blacklist ${HOME}/.config/google-chrome-beta | 191 | blacklist ${HOME}/.config/google-chrome-beta |
188 | blacklist ${HOME}/.config/google-chrome-unstable | 192 | blacklist ${HOME}/.config/google-chrome-unstable |
@@ -190,6 +194,7 @@ blacklist ${HOME}/.config/gpicview | |||
190 | blacklist ${HOME}/.config/gthumb | 194 | blacklist ${HOME}/.config/gthumb |
191 | blacklist ${HOME}/.config/gwenviewrc | 195 | blacklist ${HOME}/.config/gwenviewrc |
192 | blacklist ${HOME}/.config/hexchat | 196 | blacklist ${HOME}/.config/hexchat |
197 | blacklist ${HOME}/.config/i2p | ||
193 | blacklist ${HOME}/.config/inkscape | 198 | blacklist ${HOME}/.config/inkscape |
194 | blacklist ${HOME}/.config/inox | 199 | blacklist ${HOME}/.config/inox |
195 | blacklist ${HOME}/.config/iridium | 200 | blacklist ${HOME}/.config/iridium |
@@ -231,8 +236,8 @@ blacklist ${HOME}/.config/meteo-qt | |||
231 | blacklist ${HOME}/.config/mfusion | 236 | blacklist ${HOME}/.config/mfusion |
232 | blacklist ${HOME}/.config/midori | 237 | blacklist ${HOME}/.config/midori |
233 | blacklist ${HOME}/.config/mono | 238 | blacklist ${HOME}/.config/mono |
234 | blacklist ${HOME}/.config/mpd | ||
235 | blacklist ${HOME}/.config/mpDris2 | 239 | blacklist ${HOME}/.config/mpDris2 |
240 | blacklist ${HOME}/.config/mpd | ||
236 | blacklist ${HOME}/.config/mps-youtube | 241 | blacklist ${HOME}/.config/mps-youtube |
237 | blacklist ${HOME}/.config/mpv | 242 | blacklist ${HOME}/.config/mpv |
238 | blacklist ${HOME}/.config/mupen64plus | 243 | blacklist ${HOME}/.config/mupen64plus |
@@ -253,8 +258,8 @@ blacklist ${HOME}/.config/opera | |||
253 | blacklist ${HOME}/.config/opera-beta | 258 | blacklist ${HOME}/.config/opera-beta |
254 | blacklist ${HOME}/.config/orage | 259 | blacklist ${HOME}/.config/orage |
255 | blacklist ${HOME}/.config/org.kde.gwenviewrc | 260 | blacklist ${HOME}/.config/org.kde.gwenviewrc |
256 | blacklist ${HOME}/.config/pavucontrol.ini | ||
257 | blacklist ${HOME}/.config/pavucontrol-qt | 261 | blacklist ${HOME}/.config/pavucontrol-qt |
262 | blacklist ${HOME}/.config/pavucontrol.ini | ||
258 | blacklist ${HOME}/.config/pcmanfm | 263 | blacklist ${HOME}/.config/pcmanfm |
259 | blacklist ${HOME}/.config/pdfmod | 264 | blacklist ${HOME}/.config/pdfmod |
260 | blacklist ${HOME}/.config/Pinta | 265 | blacklist ${HOME}/.config/Pinta |
@@ -302,6 +307,7 @@ blacklist ${HOME}/.config/vivaldi | |||
302 | blacklist ${HOME}/.config/vivaldi-snapshot | 307 | blacklist ${HOME}/.config/vivaldi-snapshot |
303 | blacklist ${HOME}/.config/vlc | 308 | blacklist ${HOME}/.config/vlc |
304 | blacklist ${HOME}/.config/wesnoth | 309 | blacklist ${HOME}/.config/wesnoth |
310 | blacklist ${HOME}/.config/Whalebird | ||
305 | blacklist ${HOME}/.config/wireshark | 311 | blacklist ${HOME}/.config/wireshark |
306 | blacklist ${HOME}/.config/xchat | 312 | blacklist ${HOME}/.config/xchat |
307 | blacklist ${HOME}/.config/xed | 313 | blacklist ${HOME}/.config/xed |
@@ -322,6 +328,7 @@ blacklist ${HOME}/.config/yelp | |||
322 | blacklist ${HOME}/.config/youtube-dl | 328 | blacklist ${HOME}/.config/youtube-dl |
323 | blacklist ${HOME}/.config/zathura | 329 | blacklist ${HOME}/.config/zathura |
324 | blacklist ${HOME}/.config/zoomus.conf | 330 | blacklist ${HOME}/.config/zoomus.conf |
331 | blacklist ${HOME}/.config/Zulip | ||
325 | blacklist ${HOME}/.conkeror.mozdev.org | 332 | blacklist ${HOME}/.conkeror.mozdev.org |
326 | blacklist ${HOME}/.crawl | 333 | blacklist ${HOME}/.crawl |
327 | blacklist ${HOME}/.curlrc | 334 | blacklist ${HOME}/.curlrc |
@@ -350,8 +357,6 @@ blacklist ${HOME}/.freecol | |||
350 | blacklist ${HOME}/.freemind | 357 | blacklist ${HOME}/.freemind |
351 | blacklist ${HOME}/.frozen-bubble | 358 | blacklist ${HOME}/.frozen-bubble |
352 | blacklist ${HOME}/.gimp* | 359 | blacklist ${HOME}/.gimp* |
353 | blacklist ${HOME}/.git-credentials | ||
354 | blacklist ${HOME}/.git-credential-cache | ||
355 | blacklist ${HOME}/.gitconfig | 360 | blacklist ${HOME}/.gitconfig |
356 | blacklist ${HOME}/.gnome/gnome-schedule | 361 | blacklist ${HOME}/.gnome/gnome-schedule |
357 | blacklist ${HOME}/.googleearth/Cache/ | 362 | blacklist ${HOME}/.googleearth/Cache/ |
@@ -364,9 +369,11 @@ blacklist ${HOME}/.guayadeque | |||
364 | blacklist ${HOME}/.hashcat | 369 | blacklist ${HOME}/.hashcat |
365 | blacklist ${HOME}/.hedgewars | 370 | blacklist ${HOME}/.hedgewars |
366 | blacklist ${HOME}/.hugin | 371 | blacklist ${HOME}/.hugin |
372 | blacklist ${HOME}/.i2p | ||
367 | blacklist ${HOME}/.icedove | 373 | blacklist ${HOME}/.icedove |
368 | blacklist ${HOME}/.imagej | 374 | blacklist ${HOME}/.imagej |
369 | blacklist ${HOME}/.inkscape | 375 | blacklist ${HOME}/.inkscape |
376 | blacklist ${HOME}/.itch | ||
370 | blacklist ${HOME}/.jack-server | 377 | blacklist ${HOME}/.jack-server |
371 | blacklist ${HOME}/.jack-settings | 378 | blacklist ${HOME}/.jack-settings |
372 | blacklist ${HOME}/.jak | 379 | blacklist ${HOME}/.jak |
@@ -409,13 +416,13 @@ blacklist ${HOME}/.kde4/share/apps/kaffeine | |||
409 | blacklist ${HOME}/.kde4/share/apps/kcookiejar | 416 | blacklist ${HOME}/.kde4/share/apps/kcookiejar |
410 | blacklist ${HOME}/.kde4/share/apps/kget | 417 | blacklist ${HOME}/.kde4/share/apps/kget |
411 | blacklist ${HOME}/.kde4/share/apps/khtml | 418 | blacklist ${HOME}/.kde4/share/apps/khtml |
412 | blacklist ${HOME}/.kde4/share/apps/konqueror | ||
413 | blacklist ${HOME}/.kde4/share/apps/konqsidebartng | 419 | blacklist ${HOME}/.kde4/share/apps/konqsidebartng |
420 | blacklist ${HOME}/.kde4/share/apps/konqueror | ||
414 | blacklist ${HOME}/.kde4/share/apps/kopete | 421 | blacklist ${HOME}/.kde4/share/apps/kopete |
415 | blacklist ${HOME}/.kde4/share/apps/ktorrent | 422 | blacklist ${HOME}/.kde4/share/apps/ktorrent |
416 | blacklist ${HOME}/.kde4/share/apps/okular | 423 | blacklist ${HOME}/.kde4/share/apps/okular |
417 | blacklist ${HOME}/.kde4/share/config/baloorc | ||
418 | blacklist ${HOME}/.kde4/share/config/baloofilerc | 424 | blacklist ${HOME}/.kde4/share/config/baloofilerc |
425 | blacklist ${HOME}/.kde4/share/config/baloorc | ||
419 | blacklist ${HOME}/.kde4/share/config/digikam | 426 | blacklist ${HOME}/.kde4/share/config/digikam |
420 | blacklist ${HOME}/.kde4/share/config/gwenviewrc | 427 | blacklist ${HOME}/.kde4/share/config/gwenviewrc |
421 | blacklist ${HOME}/.kde4/share/config/k3brc | 428 | blacklist ${HOME}/.kde4/share/config/k3brc |
@@ -438,9 +445,9 @@ blacklist ${HOME}/.kinorc | |||
438 | blacklist ${HOME}/.klatexformula | 445 | blacklist ${HOME}/.klatexformula |
439 | blacklist ${HOME}/.kodi | 446 | blacklist ${HOME}/.kodi |
440 | blacklist ${HOME}/.lincity-ng | 447 | blacklist ${HOME}/.lincity-ng |
448 | blacklist ${HOME}/.links | ||
441 | blacklist ${HOME}/.linphone-history.db | 449 | blacklist ${HOME}/.linphone-history.db |
442 | blacklist ${HOME}/.linphonerc | 450 | blacklist ${HOME}/.linphonerc |
443 | blacklist ${HOME}/.links | ||
444 | blacklist ${HOME}/.lmmsrc.xml | 451 | blacklist ${HOME}/.lmmsrc.xml |
445 | blacklist ${HOME}/.local/lib/vivaldi | 452 | blacklist ${HOME}/.local/lib/vivaldi |
446 | blacklist ${HOME}/.local/share/0ad | 453 | blacklist ${HOME}/.local/share/0ad |
@@ -494,6 +501,7 @@ blacklist ${HOME}/.local/share/geeqie | |||
494 | blacklist ${HOME}/.local/share/gitg | 501 | blacklist ${HOME}/.local/share/gitg |
495 | blacklist ${HOME}/.local/share/gnome-2048 | 502 | blacklist ${HOME}/.local/share/gnome-2048 |
496 | blacklist ${HOME}/.local/share/gnome-chess | 503 | blacklist ${HOME}/.local/share/gnome-chess |
504 | blacklist ${HOME}/.local/share/gnome-builder | ||
497 | blacklist ${HOME}/.local/share/gnome-music | 505 | blacklist ${HOME}/.local/share/gnome-music |
498 | blacklist ${HOME}/.local/share/gnome-photos | 506 | blacklist ${HOME}/.local/share/gnome-photos |
499 | blacklist ${HOME}/.local/share/gnome-recipes | 507 | blacklist ${HOME}/.local/share/gnome-recipes |
@@ -502,10 +510,13 @@ blacklist ${HOME}/.local/share/gnome-twitch | |||
502 | blacklist ${HOME}/.local/share/godot | 510 | blacklist ${HOME}/.local/share/godot |
503 | blacklist ${HOME}/.local/share/gradio | 511 | blacklist ${HOME}/.local/share/gradio |
504 | blacklist ${HOME}/.local/share/gwenview | 512 | blacklist ${HOME}/.local/share/gwenview |
513 | blacklist ${HOME}/.local/share/i2p | ||
505 | blacklist ${HOME}/.local/share/kaffeine | 514 | blacklist ${HOME}/.local/share/kaffeine |
506 | blacklist ${HOME}/.local/share/kate | 515 | blacklist ${HOME}/.local/share/kate |
507 | blacklist ${HOME}/.local/share/kdenlive | 516 | blacklist ${HOME}/.local/share/kdenlive |
508 | blacklist ${HOME}/.local/share/kget | 517 | blacklist ${HOME}/.local/share/kget |
518 | blacklist ${HOME}/.local/share/kiwix | ||
519 | blacklist ${HOME}/.local/share/kiwix-desktop | ||
509 | blacklist ${HOME}/.local/share/klavaro | 520 | blacklist ${HOME}/.local/share/klavaro |
510 | blacklist ${HOME}/.local/share/kmail2 | 521 | blacklist ${HOME}/.local/share/kmail2 |
511 | blacklist ${HOME}/.local/share/knotes | 522 | blacklist ${HOME}/.local/share/knotes |
@@ -626,8 +637,7 @@ blacklist ${HOME}/.teeworlds | |||
626 | blacklist ${HOME}/.thunderbird | 637 | blacklist ${HOME}/.thunderbird |
627 | blacklist ${HOME}/.tilp | 638 | blacklist ${HOME}/.tilp |
628 | blacklist ${HOME}/.tooling | 639 | blacklist ${HOME}/.tooling |
629 | blacklist ${HOME}/.tor-browser-* | 640 | blacklist ${HOME}/.tor-browser* |
630 | blacklist ${HOME}/.tor-browser_* | ||
631 | blacklist ${HOME}/.torcs | 641 | blacklist ${HOME}/.torcs |
632 | blacklist ${HOME}/.tremulous | 642 | blacklist ${HOME}/.tremulous |
633 | blacklist ${HOME}/.ts3client | 643 | blacklist ${HOME}/.ts3client |
@@ -635,6 +645,8 @@ blacklist ${HOME}/.tuxguitar* | |||
635 | blacklist ${HOME}/.unknown-horizons | 645 | blacklist ${HOME}/.unknown-horizons |
636 | blacklist ${HOME}/.viking | 646 | blacklist ${HOME}/.viking |
637 | blacklist ${HOME}/.viking-maps | 647 | blacklist ${HOME}/.viking-maps |
648 | blacklist ${HOME}/.vim | ||
649 | blacklist ${HOME}/.vimrc | ||
638 | blacklist ${HOME}/.vscode | 650 | blacklist ${HOME}/.vscode |
639 | blacklist ${HOME}/.vscode-oss | 651 | blacklist ${HOME}/.vscode-oss |
640 | blacklist ${HOME}/.vst | 652 | blacklist ${HOME}/.vst |
@@ -704,6 +716,7 @@ blacklist ${HOME}/.cache/godot | |||
704 | blacklist ${HOME}/.cache/google-chrome | 716 | blacklist ${HOME}/.cache/google-chrome |
705 | blacklist ${HOME}/.cache/google-chrome-beta | 717 | blacklist ${HOME}/.cache/google-chrome-beta |
706 | blacklist ${HOME}/.cache/google-chrome-unstable | 718 | blacklist ${HOME}/.cache/google-chrome-unstable |
719 | blacklist ${HOME}/.cache/gnome-builder | ||
707 | blacklist ${HOME}/.cache/gnome-recipes | 720 | blacklist ${HOME}/.cache/gnome-recipes |
708 | blacklist ${HOME}/.cache/gnome-twitch | 721 | blacklist ${HOME}/.cache/gnome-twitch |
709 | blacklist ${HOME}/.cache/gradio | 722 | blacklist ${HOME}/.cache/gradio |
@@ -726,6 +739,7 @@ blacklist ${HOME}/.cache/libgweather | |||
726 | blacklist ${HOME}/.cache/liferea | 739 | blacklist ${HOME}/.cache/liferea |
727 | blacklist ${HOME}/.cache/Mendeley Ltd. | 740 | blacklist ${HOME}/.cache/Mendeley Ltd. |
728 | blacklist ${HOME}/.cache/midori | 741 | blacklist ${HOME}/.cache/midori |
742 | blacklist ${HOME}/.cache/minetest | ||
729 | blacklist ${HOME}/.cache/moonchild productions/basilisk | 743 | blacklist ${HOME}/.cache/moonchild productions/basilisk |
730 | blacklist ${HOME}/.cache/moonchild productions/pale moon | 744 | blacklist ${HOME}/.cache/moonchild productions/pale moon |
731 | blacklist ${HOME}/.cache/mozilla | 745 | blacklist ${HOME}/.cache/mozilla |
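Review bot: The pair added at new lines 55–56, `blacklist ${HOME}/.cargo/registry` before `blacklist ${HOME}/.cargo/config`, breaks the byte-order sorting this same commit enforces elsewhere in the file (it moves `.VSCodium`, `Qlipper`, `mpd`, `pavucontrol.ini`, `konqueror`, `baloorc` and `.links` into ASCII position); `config` sorts before `registry`, so the two lines should be swapped. By the same rule `.config/Whalebird` (line 310) and `.config/Zulip` (line 331) would precede the lower-case entries they are placed among, though the surrounding region is not consistently sorted either, so that part is a judgement call.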
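--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -1,6 +1,7 @@
 # Firejail profile for dnscrypt-proxy
 # Description: Tool for securing communications between a client and a DNS resolver
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include dnscrypt-proxy.local
 # Persistent global definitions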
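--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -1,6 +1,7 @@
 # Firejail profile for dnsmasq
 # Description: Small caching DNS proxy and DHCP/TFTP server
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include dnsmasq.local
 # Persistent global definitions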
diff --git a/etc/emacs.profile b/etc/emacs.profile index f8b451f02..ab378105e 100644 --- a/etc/emacs.profile +++ b/etc/emacs.profile | |||
@@ -11,10 +11,9 @@ noblacklist ${HOME}/.emacs.d | |||
11 | # if you need gpg uncomment the following line | 11 | # if you need gpg uncomment the following line |
12 | # or put it into your emacs.local | 12 | # or put it into your emacs.local |
13 | #noblacklist ${HOME}/.gnupg | 13 | #noblacklist ${HOME}/.gnupg |
14 | noblacklist ${HOME}/.python-history | 14 | |
15 | noblacklist ${HOME}/.python_history | 15 | # Allows files commonly used by IDEs |
16 | noblacklist ${HOME}/.pythonhist | 16 | include allow-common-devel.inc |
17 | noblacklist ${HOME}/.pythonrc.py | ||
18 | 17 | ||
19 | include disable-common.inc | 18 | include disable-common.inc |
20 | include disable-passwdmgr.inc | 19 | include disable-passwdmgr.inc |
@@ -27,5 +26,6 @@ nogroups | |||
27 | nonewprivs | 26 | nonewprivs |
28 | noroot | 27 | noroot |
29 | notv | 28 | notv |
29 | novideo | ||
30 | protocol unix,inet,inet6 | 30 | protocol unix,inet,inet6 |
31 | seccomp | 31 | seccomp |
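Review bot: Replacing the four `.python*` noblacklist lines with `include allow-common-devel.inc` widens what emacs can reach beyond what the old list allowed — the geany, gedit and gnome-builder hunks on this page replace `.config/git`, `.gitconfig` and `.git-credentials` with the same include, so presumably emacs now also gets those un-blacklisted, which was not the case before. The include file itself is not on this page, so its contents cannot be checked here; a comment such as `# allow-common-devel.inc also un-blacklists git config and credentials` next to the include would make the trade-off visible to anyone tightening the profile. Please also confirm `allow-common-devel.inc` is added to the install list, since I believe a missing non-.local include aborts profile loading.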
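diff --git a/etc/eo-common.profile b/etc/eo-common.profile
index f4b263f50..c4ad8ced4 100644
--- a/etc/eo-common.profile
+++ b/etc/eo-common.profile
@@ -43,5 +43,3 @@ private-dev
 private-etc alternatives,dconf,fonts,gtk-3.0
 private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*
 private-tmp
-
-#memory-deny-write-execute - breaks on Arch (see issue #1803)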
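diff --git a/etc/etr.profile b/etc/etr.profile
index d93d3de63..97a43bb59 100644
--- a/etc/etr.profile
+++ b/etc/etr.profile
@@ -1,4 +1,5 @@
 # Firejail profile for etr
+# Description: High speed arctic racing game
 # This file is overwritten after every install/update
 # Persistent local customizations
 include etr.local
@@ -29,6 +30,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,netlink
 seccomp
 shell none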
diff --git a/etc/falkon.profile b/etc/falkon.profile index cabf5aeba..0024b6660 100644 --- a/etc/falkon.profile +++ b/etc/falkon.profile | |||
@@ -34,9 +34,10 @@ notv | |||
34 | nou2f | 34 | nou2f |
35 | protocol unix,inet,inet6,netlink | 35 | protocol unix,inet,inet6,netlink |
36 | # blacklisting of chroot system calls breaks falkon | 36 | # blacklisting of chroot system calls breaks falkon |
37 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 37 | seccomp !chroot |
38 | # tracelog | 38 | # tracelog |
39 | 39 | ||
40 | private-dev | 40 | private-dev |
41 | # private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies | ||
41 | # private-tmp - interferes with the opening of downloaded files | 42 | # private-tmp - interferes with the opening of downloaded files |
42 | 43 | ||
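Review bot: `seccomp !chroot` on line 37 is the default syscall blacklist minus chroot, which is not necessarily the same set as the hand-maintained `seccomp.drop` list it replaces (the old list named individual syscalls rather than groups such as `@privileged`), so the resulting filter should be checked once with `firejail --seccomp.print=<name>` to confirm nothing needed is lost or newly blocked. The same replacement is made in firefox-common.profile and kmail.profile on this page; kmail's comment listing the extra io_* exceptions still matches its new line, and firefox-common's note about chroot and issue #2506 still applies. Since this is a behavioural change for browser profiles, a short comment above the line, e.g. `# default filter minus chroot; see --seccomp.print`, would help the next maintainer.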
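diff --git a/etc/feedreader.profile b/etc/feedreader.profile
index e453cc611..e381b12d6 100644
--- a/etc/feedreader.profile
+++ b/etc/feedreader.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.cache/feedreader
 mkdir ${HOME}/.local/share/feedreader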
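diff --git a/etc/ffmpegthumbnailer.profile b/etc/ffmpegthumbnailer.profile
index 3681c40f1..6d72c3b99 100644
--- a/etc/ffmpegthumbnailer.profile
+++ b/etc/ffmpegthumbnailer.profile
@@ -1,6 +1,7 @@
 # Firejail profile for ffmpegthumbnailer
 # Description: FFmpeg-based video thumbnailer
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include ffmpegthumbnailer.local
 # Persistent global definitions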
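diff --git a/etc/ffplay.profile b/etc/ffplay.profile
index b42cc29bc..71187a5b5 100644
--- a/etc/ffplay.profile
+++ b/etc/ffplay.profile
@@ -1,6 +1,7 @@
 # Firejail profile for ffplay
 # Description: FFmpeg-based media player
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include ffplay.local
 # Persistent global definitions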
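diff --git a/etc/ffprobe.profile b/etc/ffprobe.profile
index bd8643206..cb24a7d05 100644
--- a/etc/ffprobe.profile
+++ b/etc/ffprobe.profile
@@ -1,6 +1,7 @@
 # Firejail profile for ffprobe
 # Description: FFmpeg-based media prober
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include ffprobe.local
 # Persistent global definitions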
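diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index db1426f36..496152540 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -37,5 +37,3 @@ tracelog
 # private-bin file-roller
 private-dev
 # private-tmp
-
-# memory-deny-write-execute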
diff --git a/etc/file.profile b/etc/file.profile index 69fa7d8cd..37c7ee9e7 100644 --- a/etc/file.profile +++ b/etc/file.profile | |||
@@ -33,10 +33,11 @@ shell none | |||
33 | tracelog | 33 | tracelog |
34 | x11 none | 34 | x11 none |
35 | 35 | ||
36 | #private-bin file | 36 | #private-bin bzip2,file,gzip,lrzip,lz4,lzip,xz,zstd |
37 | private-cache | 37 | private-cache |
38 | private-dev | 38 | private-dev |
39 | private-etc alternatives,localtime,magic,magic.mgc | 39 | private-etc alternatives,localtime,magic,magic.mgc |
40 | private-lib libarchive.so.*,libfakeroot,libmagic.so.* | 40 | private-lib file,libarchive.so.*,libfakeroot,libmagic.so.* |
41 | 41 | ||
42 | memory-deny-write-execute | 42 | memory-deny-write-execute |
43 | read-only ${HOME} | ||
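Review bot: Dropping `read-only ${HOME}` at the end of the hunk loosens the sandbox for a tool that only reads its inputs, and nothing in the hunk says why; if it was found to break a use case, keep a trace of it in the profile, e.g. `# read-only ${HOME} - breaks <describe case>` (or suggest it for file.local), so the restriction is not silently lost. `private-lib file` on line 40 presumably names a `/usr/lib/file` directory on some distributions rather than a library; a short comment saying which distribution needs it would make the entry self-explanatory.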
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile index 6ad4a9bc2..02d6199a0 100644 --- a/etc/firefox-common.profile +++ b/etc/firefox-common.profile | |||
@@ -46,7 +46,7 @@ notv | |||
46 | ?BROWSER_DISABLE_U2F: nou2f | 46 | ?BROWSER_DISABLE_U2F: nou2f |
47 | protocol unix,inet,inet6,netlink | 47 | protocol unix,inet,inet6,netlink |
48 | # The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds. | 48 | # The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds. |
49 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 49 | seccomp !chroot |
50 | shell none | 50 | shell none |
51 | # Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930. | 51 | # Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930. |
52 | #tracelog | 52 | #tracelog |
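diff --git a/etc/firefox.profile b/etc/firefox.profile
index 84c647cb9..8d90a0917 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -16,6 +16,8 @@ whitelist ${HOME}/.mozilla
 
 # firefox requires a shell to launch on Arch.
 #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
+# Fedora use shell scripts to launch firefox, at least this is required
+#private-bin awk,basename,bash,cat,dbus-launch,dbus-send,dirname,env,expr,false,firefox,firefox-wayland,ln,mkdir,pidof,rm,rmdir,sed,sh,tclsh,true,uname,which
 # private-etc must first be enabled in firefox-common.profile
 #private-etc firefox
 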
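diff --git a/etc/firejail.config b/etc/firejail.config
index 1f80cedee..565796d5a 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -2,9 +2,6 @@
 # keyword-argument pairs, one per line. Most features are enabled by default.
 # Use 'yes' or 'no' as configuration values.
 
-# Resolve symbolic links in path of user home directories, default disabled.
-# homedir-symlink no
-
 # Enable AppArmor functionality, default enabled.
 # apparmor yes
 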
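Review bot: Removing the `homedir-symlink` entry from the documented options leaves users who already set `homedir-symlink yes` in their firejail.config with no indication of whether the keyword is still parsed, ignored or now rejected; the parser side of the change is not on this page. A changelog entry and a one-line note in the firejail.config man page stating what replaces the option would make the behaviour change visible.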
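diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile
index 3931aa64a..6cef181c8 100644
--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -31,6 +31,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,netlink
 seccomp
 shell none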
diff --git a/etc/geany.profile b/etc/geany.profile index 2cffb8777..31599e32a 100644 --- a/etc/geany.profile +++ b/etc/geany.profile | |||
@@ -7,13 +7,9 @@ include geany.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.config/geany | 9 | noblacklist ${HOME}/.config/geany |
10 | noblacklist ${HOME}/.config/git | 10 | |
11 | noblacklist ${HOME}/.gitconfig | 11 | # Allows files commonly used by IDEs |
12 | noblacklist ${HOME}/.git-credentials | 12 | include allow-common-devel.inc |
13 | noblacklist ${HOME}/.python-history | ||
14 | noblacklist ${HOME}/.python_history | ||
15 | noblacklist ${HOME}/.pythonhist | ||
16 | noblacklist ${HOME}/.pythonrc.py | ||
17 | 13 | ||
18 | include disable-common.inc | 14 | include disable-common.inc |
19 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
diff --git a/etc/gedit.profile b/etc/gedit.profile index ed6efc3b6..837396654 100644 --- a/etc/gedit.profile +++ b/etc/gedit.profile | |||
@@ -8,13 +8,9 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.config/enchant | 9 | noblacklist ${HOME}/.config/enchant |
10 | noblacklist ${HOME}/.config/gedit | 10 | noblacklist ${HOME}/.config/gedit |
11 | noblacklist ${HOME}/.config/git | 11 | |
12 | noblacklist ${HOME}/.gitconfig | 12 | # Allows files commonly used by IDEs |
13 | noblacklist ${HOME}/.git-credentials | 13 | include allow-common-devel.inc |
14 | noblacklist ${HOME}/.python-history | ||
15 | noblacklist ${HOME}/.python_history | ||
16 | noblacklist ${HOME}/.pythonhist | ||
17 | noblacklist ${HOME}/.pythonrc.py | ||
18 | 14 | ||
19 | include disable-common.inc | 15 | include disable-common.inc |
20 | # include disable-devel.inc | 16 | # include disable-devel.inc |
diff --git a/etc/ghostwriter.profile b/etc/ghostwriter.profile index 1fb2d8f58..2479ec16d 100644 --- a/etc/ghostwriter.profile +++ b/etc/ghostwriter.profile | |||
@@ -35,9 +35,9 @@ protocol unix,inet,inet6,netlink | |||
35 | shell none | 35 | shell none |
36 | #tracelog -- breaks | 36 | #tracelog -- breaks |
37 | 37 | ||
38 | # Breaks Translation | 38 | private-bin gettext,ghostwriter,pandoc |
39 | #private-bin ghostwriter,pandoc | ||
40 | private-cache | 39 | private-cache |
41 | private-dev | 40 | private-dev |
42 | private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,fonts,gconf,groups,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg | 41 | # passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed |
42 | private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,firejail,fonts,gconf,groups,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg | ||
43 | private-tmp | 43 | private-tmp |
diff --git a/etc/gimp.profile b/etc/gimp.profile index 762e743c8..fab7fa123 100644 --- a/etc/gimp.profile +++ b/etc/gimp.profile | |||
@@ -8,7 +8,7 @@ include globals.local | |||
8 | 8 | ||
9 | # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory | 9 | # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory |
10 | # if you are not using external plugins, you can comment 'ignore noexec' statement below | 10 | # if you are not using external plugins, you can comment 'ignore noexec' statement below |
11 | # or put 'ignore ignore noexec ${HOME}' in your gimp.local | 11 | # or put 'noexec ${HOME}' in your gimp.local |
12 | ignore noexec ${HOME} | 12 | ignore noexec ${HOME} |
13 | 13 | ||
14 | noblacklist ${HOME}/.config/GIMP | 14 | noblacklist ${HOME}/.config/GIMP |
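diff --git a/etc/git.profile b/etc/git.profile
index f7c812e65..8b1c81ca4 100644
--- a/etc/git.profile
+++ b/etc/git.profile
@@ -15,7 +15,6 @@ noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.nanorc
-noblacklist ${HOME}/.oh-my-zsh
 noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.vim
 noblacklist ${HOME}/.viminfo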
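diff --git a/etc/gitg.profile b/etc/gitg.profile
index f6f51ef6f..08c1c94b6 100644
--- a/etc/gitg.profile
+++ b/etc/gitg.profile
@@ -22,6 +22,7 @@ include disable-programs.inc
 include whitelist-var-common.inc
 
 caps.drop all
+netfilter
 no3d
 nodvd
 nogroups
@@ -39,6 +40,3 @@ private-bin git,gitg,ssh
 private-cache
 private-dev
 private-tmp
-
-# mdwe breaks diff in older versions
-#memory-deny-write-execute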
diff --git a/etc/gnome-builder.profile b/etc/gnome-builder.profile index dfa1a5da8..726a74089 100644 --- a/etc/gnome-builder.profile +++ b/etc/gnome-builder.profile | |||
@@ -6,15 +6,12 @@ include gnome-builder.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.cargo/config | 9 | noblacklist ${HOME}/.cache/gnome-builder |
10 | noblacklist ${HOME}/.cargo/registry | 10 | noblacklist ${HOME}/.config/gnome-builder |
11 | noblacklist ${HOME}/.config/git | 11 | noblacklist ${HOME}/.local/share/gnome-builder |
12 | noblacklist ${HOME}/.gitconfig | 12 | |
13 | noblacklist ${HOME}/.git-credentials | 13 | # Allows files commonly used by IDEs |
14 | noblacklist ${HOME}/.python-history | 14 | include allow-common-devel.inc |
15 | noblacklist ${HOME}/.python_history | ||
16 | noblacklist ${HOME}/.pythonhist | ||
17 | noblacklist ${HOME}/.pythonrc.py | ||
18 | 15 | ||
19 | include disable-common.inc | 16 | include disable-common.inc |
20 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
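Review bot: The replacement drops `noblacklist ${HOME}/.cargo/config` and `noblacklist ${HOME}/.cargo/registry` with nothing in the hunk taking their place; unless `allow-common-devel.inc` (not on this page) carries those entries, Rust projects opened in Builder lose access to the cargo registry. The idea.sh.profile hunk has the same shape, removing `.gradle` and `.java` in favour of the include. If the include does cover them, a comment such as `# cargo, gradle and java files are handled by allow-common-devel.inc` above the include would make that explicit; if not, the removed lines should stay.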
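diff --git a/etc/gnome-character-map.profile b/etc/gnome-character-map.profile
index 35db448f2..27804fdd0 100644
--- a/etc/gnome-character-map.profile
+++ b/etc/gnome-character-map.profile
@@ -6,4 +6,5 @@ include gnome-character-map.local
 # added by included profile
 #include globals.local
 
+# Redirect
 include gucharmap.profile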
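diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile
index 3bbad67bb..aa0b7dbe3 100644
--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@@ -28,6 +28,7 @@ noroot
 nosound
 notv
 nou2f
+novideo
 protocol unix
 seccomp
 shell none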
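diff --git a/etc/gnome-schedule.profile b/etc/gnome-schedule.profile
index 6c9c83e5f..cbeb82465 100644
--- a/etc/gnome-schedule.profile
+++ b/etc/gnome-schedule.profile
@@ -13,15 +13,9 @@ noblacklist ${PATH}/at
 noblacklist ${PATH}/crontab
 
 # Needs access to these files/dirs
-noblacklist /etc/at.allow
-noblacklist /etc/at.deny
 noblacklist /etc/cron.allow
 noblacklist /etc/cron.deny
-noblacklist /etc/fonts
-noblacklist /etc/ld.so.preload
-noblacklist /etc/pam.d
 noblacklist /etc/shadow
-noblacklist /var/spool/at
 noblacklist /var/spool/cron
 
 # cron job testing needs a terminal, resulting in sandbox escape (see disable-common.inc)
@@ -41,14 +35,6 @@ include disable-xdg.inc
 
 mkfile ${HOME}/.gnome/gnome-schedule
 whitelist ${HOME}/.gnome/gnome-schedule
-whitelist /etc/at.allow
-whitelist /etc/at.deny
-whitelist /etc/cron.allow
-whitelist /etc/cron.deny
-whitelist /etc/fonts
-whitelist /etc/pam.d
-whitelist /etc/ld.so.preload
-whitelist /etc/shadow
 whitelist /var/spool/atd
 whitelist /var/spool/cron
 include whitelist-common.inc
@@ -72,5 +58,6 @@ tracelog
 disable-mnt
 private-cache
 private-dev
+private-etc at.allow,at.deny,cron.allow,cron.deny,fonts,ld.so.preload,pam.d,shadow
 writable-var
 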
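Review bot: The new `private-etc` line in the last hunk keeps only the cron/at control files, `pam.d`, `fonts`, `ld.so.preload` and `shadow`, with none of the entries a GTK/Python application usually reads (`alternatives`, `passwd`, `group`, `localtime`, `dconf`, `gtk-3.0` for example), whereas the removed whitelist approach left the rest of /etc reachable; the profile should be started once to confirm it still launches. The first hunk also removes `noblacklist /var/spool/at` while the second keeps `whitelist /var/spool/atd`, so the at spool naming is now inconsistent between the two lists and worth checking against the target distribution. Exposing `shadow` inside the sandbox is unchanged from before, but the reason (presumably crontab/at PAM checks) deserves a comment, e.g. `# shadow and pam.d are needed for crontab/at authentication`.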
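diff --git a/etc/gnome-system-log.profile b/etc/gnome-system-log.profile
index f1347a8dc..b2907b32c 100644
--- a/etc/gnome-system-log.profile
+++ b/etc/gnome-system-log.profile
@@ -6,8 +6,6 @@ include gnome-system-log.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /var/log
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc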
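diff --git a/etc/gunzip.profile b/etc/gunzip.profile
index aff990ec0..6e97c6b78 100644
--- a/etc/gunzip.profile
+++ b/etc/gunzip.profile
@@ -1,5 +1,6 @@
 # Firejail profile for gunzip
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include gunzip.local
 # Persistent global definitions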
diff --git a/etc/gwenview.profile b/etc/gwenview.profile index 489be3931..5a5d81378 100644 --- a/etc/gwenview.profile +++ b/etc/gwenview.profile | |||
@@ -45,6 +45,6 @@ shell none | |||
45 | 45 | ||
46 | private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4 | 46 | private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4 |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg | 48 | private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,xdg |
49 | 49 | ||
50 | # memory-deny-write-execute | 50 | # memory-deny-write-execute |
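diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile
index 1e9f898e0..898a07a5f 100644
--- a/etc/hedgewars.profile
+++ b/etc/hedgewars.profile
@@ -26,6 +26,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 seccomp
 tracelog
 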
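diff --git a/etc/i2prouter.profile b/etc/i2prouter.profile
new file mode 100644
index 000000000..e46fb3317
--- /dev/null
+++ b/etc/i2prouter.profile
@@ -0,0 +1,71 @@
+# Firejail profile for I2P
+# Description: A distributed anonymous network
+# This file is overwritten after every install/update
+# Persistent local customizations
+include i2prouter.local
+# Persistent global definitions
+include globals.local
+
+# Notice: default browser will not be able to automatically open, due to sandbox.
+# Auto-opening default browser can be disabled in the I2P router console.
+# This profile will not currently work with any Arch User Repository i2p packages,
+# use the distro-independent official java installer instead
+
+# Only needed if i2prouter binary is in home directory, java installer does this
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.config/i2p
+noblacklist ${HOME}/.i2p
+noblacklist ${HOME}/.local/share/i2p
+noblacklist ${HOME}/i2p
+# Only needed if wrapper is placed in /usr/sbin/, ubuntu official ppa package does this
+noblacklist /usr/sbin
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/i2p
+mkdir ${HOME}/.i2p
+mkdir ${HOME}/.local/share/i2p
+mkdir ${HOME}/i2p
+whitelist ${HOME}/.config/i2p
+whitelist ${HOME}/.i2p
+whitelist ${HOME}/.local/share/i2p
+whitelist ${HOME}/i2p
+# Only needed if wrapper is placed in /usr/sbin/, ubuntu official ppa package does this
+whitelist /usr/sbin/wrapper*
+
+include whitelist-common.inc
+
+# May break I2P if wrapper is placed in the home directory
+# If using ubuntu official ppa, this should be fine to uncomment, as it puts wrapper in /usr/sbin/
+#apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,i2p,java-8-openjdk,pki,ssl
+private-tmp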
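Review bot: The new profile has no `noroot` even though it drops all capabilities and sets `nonewprivs`; the other new profile on this page, kiwix-desktop.profile, has it, so either add `noroot` after `nonewprivs` or comment why the Java wrapper cannot run in a user namespace. `ignore noexec ${HOME}` on line 15 is unconditional although its own comment says it is only needed when the binary lives in the home directory, so every user gets execution from $HOME re-enabled; consider shipping it commented out with `# put 'ignore noexec ${HOME}' in your i2prouter.local if i2prouter is installed in your home directory`. `private-etc ... java-8-openjdk` on line 70 hard-codes one JDK version and one distribution's directory name, which will silently stop matching on other layouts — a comment naming the distribution it was tested on would help.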
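diff --git a/etc/idea.sh.profile b/etc/idea.sh.profile
index 4f3047e08..a7d0d531f 100644
--- a/etc/idea.sh.profile
+++ b/etc/idea.sh.profile
@@ -7,17 +7,15 @@ include globals.local
 
 noblacklist ${HOME}/.IdeaIC*
 noblacklist ${HOME}/.android
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
-noblacklist ${HOME}/.gradle
 noblacklist ${HOME}/.jack-server
 noblacklist ${HOME}/.jack-settings
-noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/JetBrains
 noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
 
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
 include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc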
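diff --git a/etc/itch.profile b/etc/itch.profile
index c0b4fe6ce..b3c78c810 100644
--- a/etc/itch.profile
+++ b/etc/itch.profile
@@ -8,6 +8,7 @@ include globals.local
 # itch.io has native firejail/sandboxing support bundled in
 # See https://itch.io/docs/itch/using/sandbox/linux.html
 
+noblacklist ${HOME}/.itch
 noblacklist ${HOME}/.config/itch
 
 include disable-common.inc
@@ -16,7 +17,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+mkdir ${HOME}/.itch
 mkdir ${HOME}/.config/itch
+whitelist ${HOME}/.itch
 whitelist ${HOME}/.config/itch
 include whitelist-common.inc
 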
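diff --git a/etc/kiwix-desktop.profile b/etc/kiwix-desktop.profile
new file mode 100644
index 000000000..8b7b12882
--- /dev/null
+++ b/etc/kiwix-desktop.profile
@@ -0,0 +1,49 @@
+# Firejail profile for kiwix-desktop
+# Description: view/manage ZIM files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kiwix-desktop.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/kiwix
+noblacklist ${HOME}/.local/share/kiwix-desktop
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/kiwix
+mkdir ${HOME}/.local/share/kiwix-desktop
+whitelist ${HOME}/.local/share/kiwix
+whitelist ${HOME}/.local/share/kiwix-desktop
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+# no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+# nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp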
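Review bot: `seccomp !chroot` on line 42 re-allows a syscall the default filter blocks, with no comment saying why; the falkon profile on this page documents the same exception (`# blacklisting of chroot system calls breaks falkon`), so a matching line — presumably the embedded web engine's renderer sandbox needs it, if kiwix-desktop uses QtWebEngine — should go above it. `# no3d` and `# nosound` on lines 31 and 37 are likewise left disabled with no reason given; a `# no3d - breaks rendering` style comment tells the next maintainer whether they can be turned back on.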
diff --git a/etc/kmail.profile b/etc/kmail.profile index 0b602c79a..198b05a11 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile | |||
@@ -51,7 +51,7 @@ nou2f | |||
51 | novideo | 51 | novideo |
52 | protocol unix,inet,inet6,netlink | 52 | protocol unix,inet,inet6,netlink |
53 | # we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls | 53 | # we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls |
54 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 54 | seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set |
55 | # tracelog | 55 | # tracelog |
56 | 56 | ||
57 | private-dev | 57 | private-dev |
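diff --git a/etc/kwin_x11.profile b/etc/kwin_x11.profile
index ee07636d3..d512dd100 100644
--- a/etc/kwin_x11.profile
+++ b/etc/kwin_x11.profile
@@ -5,6 +5,9 @@ include kwin_x11.local
 # Persistent global definitions
 include globals.local
 
+# fix automatical kwin_x11 sandboxing:
+# echo KDEWM=kwin_x11 >> ~/.pam_environment
+
 noblacklist ${HOME}/.cache/kwin
 noblacklist ${HOME}/.config/kwinrc
 noblacklist ${HOME}/.config/kwinrulesrc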
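diff --git a/etc/less.profile b/etc/less.profile
index 0f31d344b..282b033a6 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -8,8 +8,6 @@ include less.local
 include globals.local
 
 noblacklist ${HOME}/.lesshst
-read-only ${HOME}
-read-write ${HOME}/.lesshst
 
 include disable-devel.inc
 include disable-exec.inc
@@ -45,3 +43,5 @@ private-dev
 writable-var-log
 
 memory-deny-write-execute
+read-only ${HOME}
+read-write ${HOME}/.lesshst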
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index b8a6201b2..aa113883e 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile | |||
@@ -34,6 +34,7 @@ nonewprivs | |||
34 | noroot | 34 | noroot |
35 | notv | 35 | notv |
36 | nou2f | 36 | nou2f |
37 | novideo | ||
37 | # comment the protocol line when using the ubuntu 18.04/debian 10 apparmor profile | 38 | # comment the protocol line when using the ubuntu 18.04/debian 10 apparmor profile |
38 | protocol unix,inet,inet6 | 39 | protocol unix,inet,inet6 |
39 | # comment seccomp when using the ubuntu 18.04/debian 10 apparmor profile | 40 | # comment seccomp when using the ubuntu 18.04/debian 10 apparmor profile |
diff --git a/etc/lrunzip.profile b/etc/lrunzip.profile index 72abec8bb..c010cbd96 100644 --- a/etc/lrunzip.profile +++ b/etc/lrunzip.profile | |||
@@ -1,6 +1,7 @@ | |||
1 | # Firejail profile for lrunzip | 1 | # Firejail profile for lrunzip |
2 | # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq | 2 | # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | ||
4 | # Persistent local customizations | 5 | # Persistent local customizations |
5 | include lrunzip.local | 6 | include lrunzip.local |
6 | # Persistent global definitions | 7 | # Persistent global definitions |
diff --git a/etc/lrz.profile b/etc/lrz.profile index c1f928bde..8077be945 100644 --- a/etc/lrz.profile +++ b/etc/lrz.profile | |||
@@ -1,6 +1,7 @@ | |||
1 | # Firejail profile for lrz | 1 | # Firejail profile for lrz |
2 | # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq | 2 | # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | ||
4 | # Persistent local customizations | 5 | # Persistent local customizations |
5 | include lrz.local | 6 | include lrz.local |
6 | # Persistent global definitions | 7 | # Persistent global definitions |
diff --git a/etc/lrzcat.profile b/etc/lrzcat.profile index edcd7f8cd..d05ee7aae 100644 --- a/etc/lrzcat.profile +++ b/etc/lrzcat.profile | |||
@@ -1,6 +1,7 @@ | |||
1 | # Firejail profile for lrzcat | 1 | # Firejail profile for lrzcat |
2 | # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq | 2 | # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | ||
4 | # Persistent local customizations | 5 | # Persistent local customizations |
5 | include lrzcat.local | 6 | include lrzcat.local |
6 | # Persistent global definitions | 7 | # Persistent global definitions |
diff --git a/etc/lrzip.profile b/etc/lrzip.profile index a69096e28..3767767f6 100644 --- a/etc/lrzip.profile +++ b/etc/lrzip.profile | |||
@@ -1,6 +1,7 @@ | |||
1 | # Firejail profile for lrzip | 1 | # Firejail profile for lrzip |
2 | # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq | 2 | # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | ||
4 | # Persistent local customizations | 5 | # Persistent local customizations |
5 | include lrzip.local | 6 | include lrzip.local |
6 | # Persistent global definitions | 7 | # Persistent global definitions |
diff --git a/etc/lrztar.profile b/etc/lrztar.profile index 54b04b4ec..673e9f62e 100644 --- a/etc/lrztar.profile +++ b/etc/lrztar.profile | |||
@@ -1,6 +1,7 @@ | |||
1 | # Firejail profile for lrztar | 1 | # Firejail profile for lrztar |
2 | # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq | 2 | # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | ||
4 | # Persistent local customizations | 5 | # Persistent local customizations |
5 | include lrztar.local | 6 | include lrztar.local |
6 | # Persistent global definitions | 7 | # Persistent global definitions |
diff --git a/etc/lrzuntar.profile b/etc/lrzuntar.profile index f21169b24..245d1c669 100644 --- a/etc/lrzuntar.profile +++ b/etc/lrzuntar.profile | |||
@@ -1,6 +1,7 @@ | |||
1 | # Firejail profile for lrzuntar | 1 | # Firejail profile for lrzuntar |
2 | # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq | 2 | # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | ||
4 | # Persistent local customizations | 5 | # Persistent local customizations |
5 | include lrzuntar.local | 6 | include lrzuntar.local |
6 | # Persistent global definitions | 7 | # Persistent global definitions |
diff --git a/etc/mencoder.profile b/etc/mencoder.profile index 136412d11..aac394a59 100644 --- a/etc/mencoder.profile +++ b/etc/mencoder.profile | |||
@@ -25,4 +25,5 @@ shell none | |||
25 | 25 | ||
26 | private-bin mencoder | 26 | private-bin mencoder |
27 | 27 | ||
28 | # Redirect | ||
28 | include mplayer.profile | 29 | include mplayer.profile |
diff --git a/etc/mousepad.profile b/etc/mousepad.profile index 3b9807b28..20370a5b5 100644 --- a/etc/mousepad.profile +++ b/etc/mousepad.profile | |||
@@ -26,6 +26,7 @@ noroot | |||
26 | nosound | 26 | nosound |
27 | notv | 27 | notv |
28 | nou2f | 28 | nou2f |
29 | novideo | ||
29 | protocol unix | 30 | protocol unix |
30 | seccomp | 31 | seccomp |
31 | shell none | 32 | shell none |
diff --git a/etc/mpd.profile b/etc/mpd.profile index 0b5ebf705..6c5963793 100644 --- a/etc/mpd.profile +++ b/etc/mpd.profile | |||
@@ -31,7 +31,7 @@ novideo | |||
31 | protocol unix,inet,inet6 | 31 | protocol unix,inet,inet6 |
32 | # blacklisting of ioprio_set system calls breaks auto-updating of | 32 | # blacklisting of ioprio_set system calls breaks auto-updating of |
33 | # MPD's database when files in music_directory are changed | 33 | # MPD's database when files in music_directory are changed |
34 | seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice | 34 | seccomp !ioprio_set |
35 | shell none | 35 | shell none |
36 | 36 | ||
37 | #private-bin bash,mpd | 37 | #private-bin bash,mpd |
diff --git a/etc/mpsyt.profile b/etc/mpsyt.profile index 878a5f654..546755ecb 100644 --- a/etc/mpsyt.profile +++ b/etc/mpsyt.profile | |||
@@ -48,16 +48,22 @@ include whitelist-var-common.inc | |||
48 | apparmor | 48 | apparmor |
49 | caps.drop all | 49 | caps.drop all |
50 | netfilter | 50 | netfilter |
51 | nodbus | ||
52 | nodvd | ||
51 | # Seems to cause issues with Nvidia drivers sometimes | 53 | # Seems to cause issues with Nvidia drivers sometimes |
52 | nogroups | 54 | nogroups |
53 | nonewprivs | 55 | nonewprivs |
54 | noroot | 56 | noroot |
57 | notv | ||
58 | nou2f | ||
59 | novideo | ||
55 | protocol unix,inet,inet6 | 60 | protocol unix,inet,inet6 |
56 | seccomp | 61 | seccomp |
57 | shell none | 62 | shell none |
58 | tracelog | 63 | tracelog |
59 | 64 | ||
60 | private-bin env,ffmpeg,mplayer,mpsyt,mpv,python*,youtube-dl | 65 | private-bin env,ffmpeg,mplayer,mpsyt,mpv,python*,youtube-dl |
66 | #private-cache | ||
61 | private-dev | 67 | private-dev |
62 | private-tmp | 68 | private-tmp |
63 | 69 | ||
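Review bot: The new `#private-cache` on line 66 is disabled with no reason, so a later maintainer cannot tell whether it was tried and broke mpsyt or simply never tested; the one other caveat in this hunk (line 53, above nogroups) at least names the symptom. I'd either drop the line or turn it into `# private-cache - <observed breakage>` with what actually failed. It is also worth confirming that the added `nodbus` (line 51) does not break screensaver inhibition or MPRIS when mpsyt plays through mpv — that is inferred from the `private-bin` list on line 65, not something this hunk shows.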
diff --git a/etc/mpv.profile b/etc/mpv.profile index d8163d20a..289a3cd5d 100644 --- a/etc/mpv.profile +++ b/etc/mpv.profile | |||
@@ -16,6 +16,7 @@ include allow-python2.inc | |||
16 | include allow-python3.inc | 16 | include allow-python3.inc |
17 | 17 | ||
18 | noblacklist ${MUSIC} | 18 | noblacklist ${MUSIC} |
19 | noblacklist ${PICTURES} | ||
19 | noblacklist ${VIDEOS} | 20 | noblacklist ${VIDEOS} |
20 | 21 | ||
21 | include disable-common.inc | 22 | include disable-common.inc |
diff --git a/etc/mutt.profile b/etc/mutt.profile index c424dbb85..92babd50f 100644 --- a/etc/mutt.profile +++ b/etc/mutt.profile | |||
@@ -17,7 +17,6 @@ noblacklist ${HOME}/.emacs | |||
17 | noblacklist ${HOME}/.emacs.d | 17 | noblacklist ${HOME}/.emacs.d |
18 | noblacklist ${HOME}/.gnupg | 18 | noblacklist ${HOME}/.gnupg |
19 | noblacklist ${HOME}/.mail | 19 | noblacklist ${HOME}/.mail |
20 | noblacklist ${HOME}/.mailcap | ||
21 | noblacklist ${HOME}/.msmtprc | 20 | noblacklist ${HOME}/.msmtprc |
22 | noblacklist ${HOME}/.mutt | 21 | noblacklist ${HOME}/.mutt |
23 | noblacklist ${HOME}/.muttrc | 22 | noblacklist ${HOME}/.muttrc |
diff --git a/etc/nano.profile b/etc/nano.profile index 30a6e03e7..9965d8a6b 100644 --- a/etc/nano.profile +++ b/etc/nano.profile | |||
@@ -1,6 +1,7 @@ | |||
1 | # Firejail profile for nano | 1 | # Firejail profile for nano |
2 | # Description: nano is an easy text editor for the terminal | 2 | # Description: nano is an easy text editor for the terminal |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | ||
4 | # Persistent local customizations | 5 | # Persistent local customizations |
5 | include nano.local | 6 | include nano.local |
6 | # Persistent global definitions | 7 | # Persistent global definitions |
diff --git a/etc/nethack-vultures.profile b/etc/nethack-vultures.profile index e1294153b..079f44ee7 100644 --- a/etc/nethack-vultures.profile +++ b/etc/nethack-vultures.profile | |||
@@ -7,7 +7,6 @@ include nethack.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.vultures | 9 | noblacklist ${HOME}/.vultures |
10 | noblacklist /var/log | ||
11 | 10 | ||
12 | include disable-common.inc | 11 | include disable-common.inc |
13 | include disable-devel.inc | 12 | include disable-devel.inc |
diff --git a/etc/okular.profile b/etc/okular.profile index 99357934d..56fd21fc8 100644 --- a/etc/okular.profile +++ b/etc/okular.profile | |||
@@ -49,7 +49,7 @@ tracelog | |||
49 | 49 | ||
50 | private-bin kbuildsycoca4,kdeinit4,lpr,okular | 50 | private-bin kbuildsycoca4,kdeinit4,lpr,okular |
51 | private-dev | 51 | private-dev |
52 | private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg | 52 | private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,xdg |
53 | # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients | 53 | # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients |
54 | 54 | ||
55 | # memory-deny-write-execute | 55 | # memory-deny-write-execute |
diff --git a/etc/open-invaders.profile b/etc/open-invaders.profile index d80b3d351..5925ccc09 100644 --- a/etc/open-invaders.profile +++ b/etc/open-invaders.profile | |||
@@ -27,6 +27,7 @@ nonewprivs | |||
27 | noroot | 27 | noroot |
28 | notv | 28 | notv |
29 | nou2f | 29 | nou2f |
30 | novideo | ||
30 | protocol unix,netlink | 31 | protocol unix,netlink |
31 | seccomp | 32 | seccomp |
32 | shell none | 33 | shell none |
diff --git a/etc/p7zip.profile b/etc/p7zip.profile index 644292f2b..7e0069afc 100644 --- a/etc/p7zip.profile +++ b/etc/p7zip.profile | |||
@@ -1,6 +1,7 @@ | |||
1 | # Firejail profile for p7zip | 1 | # Firejail profile for p7zip |
2 | # Description: 7zr file archiver with high compression ratio | 2 | # Description: 7zr file archiver with high compression ratio |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | ||
4 | # Persistent local customizations | 5 | # Persistent local customizations |
5 | include p7zip.local | 6 | include p7zip.local |
6 | # Persistent global definitions | 7 | # Persistent global definitions |
diff --git a/etc/palemoon.profile b/etc/palemoon.profile index 11464e6cf..acb2ce176 100644 --- a/etc/palemoon.profile +++ b/etc/palemoon.profile | |||
@@ -14,8 +14,8 @@ whitelist ${HOME}/.cache/moonchild productions/pale moon | |||
14 | whitelist ${HOME}/.moonchild productions | 14 | whitelist ${HOME}/.moonchild productions |
15 | 15 | ||
16 | # Palemoon can use the full firejail seccomp filter (unlike firefox >= 60) | 16 | # Palemoon can use the full firejail seccomp filter (unlike firefox >= 60) |
17 | ignore seccomp.drop | ||
18 | seccomp | 17 | seccomp |
18 | ignore seccomp | ||
19 | 19 | ||
20 | #private-bin palemoon | 20 | #private-bin palemoon |
21 | # private-etc must first be enabled in firefox-common.profile | 21 | # private-etc must first be enabled in firefox-common.profile |
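Review bot: The `seccomp` / `ignore seccomp` pair on lines 17-18 only works in that order, and nothing in the file says so. As far as I can tell from firejail's profile parsing, `ignore` suppresses matching directives parsed after it, so the bare `seccomp` on line 17 survives while the `seccomp !chroot` that firefox-common.profile presumably contributes later is dropped — swapping the two lines would silently leave palemoon with no seccomp filter at all. I'd extend the comment on line 16 with `# the ignore line must stay below our own seccomp line: it only affects directives parsed later (the seccomp !chroot from firefox-common.profile)`.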
diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile index c5016201d..f1a5741d0 100644 --- a/etc/pdftotext.profile +++ b/etc/pdftotext.profile | |||
@@ -1,4 +1,5 @@ | |||
1 | # Firejail profile for pdftotext | 1 | # Firejail profile for pdftotext |
2 | # Description: Portable Document Format (PDF) to text converter | ||
2 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | 4 | # Persistent local customizations |
4 | include pdftotext.local | 5 | include pdftotext.local |
diff --git a/etc/ping.profile b/etc/ping.profile index 00ac45c5a..4ff5250d7 100644 --- a/etc/ping.profile +++ b/etc/ping.profile | |||
@@ -1,4 +1,5 @@ | |||
1 | # Firejail profile for ping | 1 | # Firejail profile for ping |
2 | # Description: send ICMP ECHO_REQUEST to network hosts | ||
2 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
3 | quiet | 4 | quiet |
4 | # Persistent local customizations | 5 | # Persistent local customizations |
diff --git a/etc/pingus.profile b/etc/pingus.profile index 782ee200d..a3adc55a2 100644 --- a/etc/pingus.profile +++ b/etc/pingus.profile | |||
@@ -27,6 +27,7 @@ nonewprivs | |||
27 | noroot | 27 | noroot |
28 | notv | 28 | notv |
29 | nou2f | 29 | nou2f |
30 | novideo | ||
30 | protocol unix,netlink | 31 | protocol unix,netlink |
31 | seccomp | 32 | seccomp |
32 | shell none | 33 | shell none |
diff --git a/etc/pluma.profile b/etc/pluma.profile index 81b2b1481..dadfcc44e 100644 --- a/etc/pluma.profile +++ b/etc/pluma.profile | |||
@@ -6,11 +6,11 @@ include pluma.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.config/enchant | ||
9 | noblacklist ${HOME}/.config/pluma | 10 | noblacklist ${HOME}/.config/pluma |
10 | noblacklist ${HOME}/.python-history | 11 | |
11 | noblacklist ${HOME}/.python_history | 12 | # Allows files commonly used by IDEs |
12 | noblacklist ${HOME}/.pythonhist | 13 | include allow-common-devel.inc |
13 | noblacklist ${HOME}/.pythonrc.py | ||
14 | 14 | ||
15 | include disable-common.inc | 15 | include disable-common.inc |
16 | include disable-devel.inc | 16 | include disable-devel.inc |
@@ -42,7 +42,7 @@ tracelog | |||
42 | 42 | ||
43 | private-bin pluma | 43 | private-bin pluma |
44 | private-dev | 44 | private-dev |
45 | private-lib pluma | 45 | private-lib aspell,gconv,libgspell-1.so.*,libreadline.so.*,libtinfo.so.*,pluma |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | memory-deny-write-execute | 48 | memory-deny-write-execute |
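Review bot: The expanded `private-lib` on line 45 now admits libreadline, libtinfo and gconv without saying which pluma feature needs them, so the next person trimming the list has nothing to go on. I'd add a line above it such as `# readline/tinfo: python console plugin; gconv: charset conversion; aspell/libgspell: spell checking` — the plugin attribution is my guess from the library names and should be confirmed before it is written down. The `include allow-common-devel.inc` on line 13 is correctly placed before the disable-*.inc includes, since noblacklist entries must precede the blacklists they exempt.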
diff --git a/etc/ppsspp.profile b/etc/ppsspp.profile index 116698312..970290002 100644 --- a/etc/ppsspp.profile +++ b/etc/ppsspp.profile | |||
@@ -8,8 +8,6 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.config/ppsspp | 9 | noblacklist ${HOME}/.config/ppsspp |
10 | noblacklist ${DOCUMENTS} | 10 | noblacklist ${DOCUMENTS} |
11 | # with >=llvm-4 mesa drivers need llvm stuff | ||
12 | noblacklist /usr/lib/llvm* | ||
13 | 11 | ||
14 | include disable-common.inc | 12 | include disable-common.inc |
15 | include disable-devel.inc | 13 | include disable-devel.inc |
diff --git a/etc/pycharm-community.profile b/etc/pycharm-community.profile index 17218adee..9ee426a95 100644 --- a/etc/pycharm-community.profile +++ b/etc/pycharm-community.profile | |||
@@ -6,14 +6,13 @@ include pycharm-community.local | |||
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.PyCharmCE* | 8 | noblacklist ${HOME}/.PyCharmCE* |
9 | noblacklist ${HOME}/.python-history | ||
10 | noblacklist ${HOME}/.python_history | ||
11 | noblacklist ${HOME}/.pythonhist | ||
12 | noblacklist ${HOME}/.pythonrc.py | ||
13 | 9 | ||
14 | # Allow java (blacklisted by disable-devel.inc) | 10 | # Allow java (blacklisted by disable-devel.inc) |
15 | include allow-java.inc | 11 | include allow-java.inc |
16 | 12 | ||
13 | # Allows files commonly used by IDEs | ||
14 | include allow-common-devel.inc | ||
15 | |||
17 | include disable-common.inc | 16 | include disable-common.inc |
18 | include disable-devel.inc | 17 | include disable-devel.inc |
19 | include disable-passwdmgr.inc | 18 | include disable-passwdmgr.inc |
diff --git a/etc/pzstd.profile b/etc/pzstd.profile new file mode 100644 index 000000000..ce9af3286 --- /dev/null +++ b/etc/pzstd.profile | |||
@@ -0,0 +1,5 @@ | |||
1 | # Firejail profile alias for zstd | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | # Redirect | ||
5 | include zstd.profile | ||
diff --git a/etc/qemu-system-x86_64.profile b/etc/qemu-system-x86_64.profile index 1399328d3..47b9d6a9a 100644 --- a/etc/qemu-system-x86_64.profile +++ b/etc/qemu-system-x86_64.profile | |||
@@ -1,4 +1,5 @@ | |||
1 | # Firejail profile for qemu-system-x86_64 | 1 | # Firejail profile for qemu-system-x86_64 |
2 | # Description: QEMU system emulator for x86_64 | ||
2 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | 4 | # Persistent local customizations |
4 | include qemu-system-x86_64.local | 5 | include qemu-system-x86_64.local |
diff --git a/etc/qgis.profile b/etc/qgis.profile index 80a10efce..88ed0cd81 100644 --- a/etc/qgis.profile +++ b/etc/qgis.profile | |||
@@ -45,7 +45,7 @@ notv | |||
45 | nou2f | 45 | nou2f |
46 | novideo | 46 | novideo |
47 | # blacklisting of mbind system calls breaks old version | 47 | # blacklisting of mbind system calls breaks old version |
48 | seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,migrate_pages,mincore,move_pages,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,set_mempolicy,syslog,umount,userfaultfd,vmsplice | 48 | seccomp !mbind |
49 | protocol unix,inet,inet6,netlink | 49 | protocol unix,inet,inet6,netlink |
50 | shell none | 50 | shell none |
51 | tracelog | 51 | tracelog |
diff --git a/etc/qt-faststart.profile b/etc/qt-faststart.profile index cf459472a..2cdff33a6 100644 --- a/etc/qt-faststart.profile +++ b/etc/qt-faststart.profile | |||
@@ -1,6 +1,7 @@ | |||
1 | # Firejail profile for qt-faststart | 1 | # Firejail profile for qt-faststart |
2 | # Description: FFmpeg-based media utility | 2 | # Description: FFmpeg-based media utility |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | ||
4 | # Persistent local customizations | 5 | # Persistent local customizations |
5 | include qt-faststart.local | 6 | include qt-faststart.local |
6 | # Persistent global definitions | 7 | # Persistent global definitions |
diff --git a/etc/qupzilla.profile b/etc/qupzilla.profile index 954b1a3b4..3f3270dd6 100644 --- a/etc/qupzilla.profile +++ b/etc/qupzilla.profile | |||
@@ -3,7 +3,8 @@ | |||
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include qupzilla.local | 4 | include qupzilla.local |
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | # added by included profile |
7 | #include globals.local | ||
7 | 8 | ||
8 | noblacklist ${HOME}/.cache/qupzilla | 9 | noblacklist ${HOME}/.cache/qupzilla |
9 | noblacklist ${HOME}/.config/qupzilla | 10 | noblacklist ${HOME}/.config/qupzilla |
@@ -17,26 +18,10 @@ include disable-programs.inc | |||
17 | 18 | ||
18 | mkdir ${HOME}/.cache/qupzilla | 19 | mkdir ${HOME}/.cache/qupzilla |
19 | mkdir ${HOME}/.config/qupzilla | 20 | mkdir ${HOME}/.config/qupzilla |
20 | whitelist ${DOWNLOADS} | ||
21 | whitelist ${HOME}/.cache/qupzilla | 21 | whitelist ${HOME}/.cache/qupzilla |
22 | whitelist ${HOME}/.config/qupzilla | 22 | whitelist ${HOME}/.config/qupzilla |
23 | include whitelist-common.inc | ||
24 | include whitelist-var-common.inc | ||
25 | 23 | ||
26 | caps.drop all | ||
27 | netfilter | ||
28 | nodvd | ||
29 | nogroups | ||
30 | nonewprivs | ||
31 | noroot | ||
32 | notv | ||
33 | nou2f | ||
34 | protocol unix,inet,inet6,netlink | ||
35 | # blacklisting of chroot system calls breaks qupzilla | ||
36 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | ||
37 | # tracelog | ||
38 | |||
39 | private-dev | ||
40 | # private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies | ||
41 | # private-tmp - interferes with the opening of downloaded files | 24 | # private-tmp - interferes with the opening of downloaded files |
42 | 25 | ||
26 | # Redirect | ||
27 | include falkon.profile | ||
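Review bot: Line 24 still says `# private-tmp - interferes with the opening of downloaded files`, but after the redirect on line 27 the effective sandbox is whatever falkon.profile sets; if that profile enables private-tmp (not visible in this hunk) the comment now documents a setting this file no longer controls. Either add `ignore private-tmp` above the `# Redirect` line to keep the documented behaviour, or remove the comment so it cannot mislead. The `mkdir`/`whitelist` lines on 19-22 are fine ahead of the include since whitelists accumulate, but `include whitelist-common.inc` and `whitelist ${DOWNLOADS}` were dropped here and the profile now relies on falkon.profile supplying them — worth confirming rather than assuming.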
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile index e556ecf1f..95c189458 100644 --- a/etc/qutebrowser.profile +++ b/etc/qutebrowser.profile | |||
@@ -9,8 +9,6 @@ include globals.local | |||
9 | noblacklist ${HOME}/.cache/qutebrowser | 9 | noblacklist ${HOME}/.cache/qutebrowser |
10 | noblacklist ${HOME}/.config/qutebrowser | 10 | noblacklist ${HOME}/.config/qutebrowser |
11 | noblacklist ${HOME}/.local/share/qutebrowser | 11 | noblacklist ${HOME}/.local/share/qutebrowser |
12 | # with >=llvm-4 mesa drivers need llvm stuff | ||
13 | noblacklist /usr/lib/llvm* | ||
14 | 12 | ||
15 | # Allow python (blacklisted by disable-interpreters.inc) | 13 | # Allow python (blacklisted by disable-interpreters.inc) |
16 | include allow-python2.inc | 14 | include allow-python2.inc |
@@ -38,5 +36,5 @@ noroot | |||
38 | notv | 36 | notv |
39 | protocol unix,inet,inet6,netlink | 37 | protocol unix,inet,inet6,netlink |
40 | # blacklisting of chroot system calls breaks qt webengine | 38 | # blacklisting of chroot system calls breaks qt webengine |
41 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 39 | seccomp !chroot |
42 | # tracelog | 40 | # tracelog |
diff --git a/etc/riot-desktop.profile b/etc/riot-desktop.profile index e6af4c2cb..4372fabe1 100644 --- a/etc/riot-desktop.profile +++ b/etc/riot-desktop.profile | |||
@@ -7,8 +7,7 @@ include riot-desktop.local | |||
7 | # added by included profile | 7 | # added by included profile |
8 | #include globals.local | 8 | #include globals.local |
9 | 9 | ||
10 | ignore seccomp | 10 | seccomp !chroot |
11 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mincore,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | ||
12 | 11 | ||
13 | # Redirect | 12 | # Redirect |
14 | include riot-web.profile | 13 | include riot-web.profile |
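Review bot: Dropping the old `ignore seccomp` means the `seccomp` line that riot-web.profile presumably carries is now parsed after the new `seccomp !chroot` on line 10, and whether a later bare `seccomp` keeps the `!chroot` exception or resets to the full default list is not something this hunk shows. That decides whether the chroot call the old drop list deliberately left allowed (presumably the Electron/Chromium sandbox setup) still works. I'd verify with `firejail --debug riot-desktop` that the final filter excludes chroot, then record it: `# chroot must stay allowed (Electron sandbox); the plain seccomp in riot-web.profile keeps this exception`.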
diff --git a/etc/rnano.profile b/etc/rnano.profile index 565c957e0..d9048982a 100644 --- a/etc/rnano.profile +++ b/etc/rnano.profile | |||
@@ -1,6 +1,7 @@ | |||
1 | # Firejail profile for rnano | 1 | # Firejail profile for rnano |
2 | # Description: A restricted nano | 2 | # Description: A restricted nano |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | ||
4 | # Persistent local customizations | 5 | # Persistent local customizations |
5 | include rnano.local | 6 | include rnano.local |
6 | # Persistent global definitions | 7 | # Persistent global definitions |
diff --git a/etc/rsync-download_only.profile b/etc/rsync-download_only.profile new file mode 100644 index 000000000..bda3bca92 --- /dev/null +++ b/etc/rsync-download_only.profile | |||
@@ -0,0 +1,55 @@ | |||
1 | # Firejail profile for rsync | ||
2 | # Description: a fast, versatile, remote (and local) file-copying tool | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include rsync.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | # Warning: This profile is writte to use rsync as an client for downloading, | ||
11 | # it is not writen to use rsync as an daemon (rsync --daemon) or to create backups. | ||
12 | |||
13 | # Usage: firejail --profile=rsync-download_only rsync | ||
14 | |||
15 | blacklist /tmp/.X11-unix | ||
16 | |||
17 | include disable-common.inc | ||
18 | include disable-devel.inc | ||
19 | include disable-exec.inc | ||
20 | include disable-interpreters.inc | ||
21 | include disable-passwdmgr.inc | ||
22 | include disable-programs.inc | ||
23 | include disable-xdg.inc | ||
24 | |||
25 | # Uncomment or add to rsync.local to enable extra hardening | ||
26 | #whitelist ${DOWNLOADS} | ||
27 | include whitelist-var-common.inc | ||
28 | |||
29 | caps.drop all | ||
30 | ipc-namespace | ||
31 | machine-id | ||
32 | netfilter | ||
33 | no3d | ||
34 | nodbus | ||
35 | nodvd | ||
36 | nogroups | ||
37 | nonewprivs | ||
38 | noroot | ||
39 | nosound | ||
40 | notv | ||
41 | nou2f | ||
42 | novideo | ||
43 | protocol unix,inet,inet6 | ||
44 | seccomp | ||
45 | shell none | ||
46 | tracelog | ||
47 | |||
48 | disable-mnt | ||
49 | private-bin rsync | ||
50 | private-cache | ||
51 | private-dev | ||
52 | private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl | ||
53 | private-tmp | ||
54 | |||
55 | memory-deny-write-execute | ||
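Review bot: `private-bin rsync` on line 49 leaves no remote shell inside the sandbox, so this profile can only serve rsync:// (daemon-mode) sources; a `user@host:path` transfer, which rsync runs over ssh by default, will fail when it tries to spawn ssh. If ssh transport is intended, it needs `private-bin rsync,ssh`, `ssh` in the private-etc list and a noblacklist for `${HOME}/.ssh` (which disable-common.inc is likely to hide); if it is not intended, the warning on lines 10-11 should say so explicitly. That warning also needs `writte`→`written`, `writen`→`written`, `an client`→`a client` and `an daemon`→`a daemon`. Note as well that lines 6 and 25 point users at rsync.local, so any override is shared with a plain rsync profile rather than scoped to this download-only variant.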
diff --git a/etc/scallion.profile b/etc/scallion.profile index 232ec4346..dee9e1f40 100644 --- a/etc/scallion.profile +++ b/etc/scallion.profile | |||
@@ -7,7 +7,6 @@ include scallion.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${PATH}/llvm* | 9 | noblacklist ${PATH}/llvm* |
10 | noblacklist /usr/lib/llvm* | ||
11 | noblacklist ${PATH}/openssl | 10 | noblacklist ${PATH}/openssl |
12 | noblacklist ${PATH}/openssl-1.0 | 11 | noblacklist ${PATH}/openssl-1.0 |
13 | noblacklist ${DOCUMENTS} | 12 | noblacklist ${DOCUMENTS} |
diff --git a/etc/scp.profile b/etc/scp.profile index ca902061c..287b8029a 100644 --- a/etc/scp.profile +++ b/etc/scp.profile | |||
@@ -1,6 +1,7 @@ | |||
1 | # Firejail profile for scp | 1 | # Firejail profile for scp |
2 | # Description: Secure shell copy | 2 | # Description: Secure shell copy |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | ||
4 | # Persistent local customizations | 5 | # Persistent local customizations |
5 | include scp.local | 6 | include scp.local |
6 | # Persistent global definitions | 7 | # Persistent global definitions |
diff --git a/etc/seahorse-daemon.profile b/etc/seahorse-daemon.profile index 7c0e59c74..6410da4d8 100644 --- a/etc/seahorse-daemon.profile +++ b/etc/seahorse-daemon.profile | |||
@@ -1,6 +1,7 @@ | |||
1 | # Firejail profile for seahorse-daemon | 1 | # Firejail profile for seahorse-daemon |
2 | # Description: PGP encryption and signing | 2 | # Description: PGP encryption and signing |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | ||
4 | # Persistent local customizations | 5 | # Persistent local customizations |
5 | include seahorse-daemon.local | 6 | include seahorse-daemon.local |
6 | # Persistent global definitions | 7 | # Persistent global definitions |
diff --git a/etc/seahorse-tool.profile b/etc/seahorse-tool.profile index 96f365a4b..4bf23c512 100644 --- a/etc/seahorse-tool.profile +++ b/etc/seahorse-tool.profile | |||
@@ -7,8 +7,6 @@ include seahorse-tool.local | |||
7 | # added by included profile | 7 | # added by included profile |
8 | #include globals.local | 8 | #include globals.local |
9 | 9 | ||
10 | noblacklist ${DOWNLOADS} | ||
11 | |||
12 | private-tmp | 10 | private-tmp |
13 | 11 | ||
14 | memory-deny-write-execute | 12 | memory-deny-write-execute |
diff --git a/etc/seahorse.profile b/etc/seahorse.profile index 0c824e95b..b9a0fd149 100644 --- a/etc/seahorse.profile +++ b/etc/seahorse.profile | |||
@@ -8,7 +8,6 @@ include globals.local | |||
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | 9 | blacklist /tmp/.X11-unix |
10 | 10 | ||
11 | noblacklist ${HOME}/.config/dconf | ||
12 | noblacklist ${HOME}/.gnupg | 11 | noblacklist ${HOME}/.gnupg |
13 | noblacklist ${HOME}/.ssh | 12 | noblacklist ${HOME}/.ssh |
14 | noblacklist /tmp/ssh-* | 13 | noblacklist /tmp/ssh-* |
diff --git a/etc/sftp.profile b/etc/sftp.profile index c980e1751..66dc2a57b 100644 --- a/etc/sftp.profile +++ b/etc/sftp.profile | |||
@@ -1,6 +1,7 @@ | |||
1 | # Firejail profile for sftp | 1 | # Firejail profile for sftp |
2 | # Description: Secure file transport protocol | 2 | # Description: Secure file transport protocol |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | ||
4 | # Persistent local customizations | 5 | # Persistent local customizations |
5 | include sftp.local | 6 | include sftp.local |
6 | # Persistent global definitions | 7 | # Persistent global definitions |
diff --git a/etc/shotcut.profile b/etc/shotcut.profile index e6c48561f..5b3c5439d 100644 --- a/etc/shotcut.profile +++ b/etc/shotcut.profile | |||
@@ -1,4 +1,5 @@ | |||
1 | # Firejail profile for shotcut | 1 | # Firejail profile for shotcut |
2 | # Description: A free, open source, cross-platform video editor | ||
2 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | 4 | # Persistent local customizations |
4 | include shotcut.local | 5 | include shotcut.local |
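--- a/etc/simple-scan.profile
+++ b/etc/simple-scan.profile
@@ -27,7 +27,7 @@ notv
 # novideo
 protocol unix,inet,inet6,netlink
 # blacklisting of ioperm system calls breaks simple-scan
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !ioperm
 shell none
 tracelog
 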
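Review bot: The comment on line 29 still reads as if a hand-built drop list followed it, but the new `seccomp !ioperm` on line 30 now means "the built-in default list minus ioperm", and nothing on the page says what that default contains. The deleted list was the default set with only ioperm left out (chroot and the ptrace/process_vm_readv/personality entries were all present), so the rewrite is presumably equivalent, but that depends on the firejail version's built-in list matching the old explicit one — worth confirming before this ships. Since ioperm is gated by CAP_SYS_RAWIO, the exception only matters where that capability is retained, which the comment could state to make the trade-off visible: `# simple-scan needs the ioperm syscall (CAP_SYS_RAWIO gated); everything else in the default seccomp list stays blocked`. The same rewrite and the same stale comment appear in etc/skanlite.profile.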
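--- a/etc/simutrans.profile
+++ b/etc/simutrans.profile
@@ -27,6 +27,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix
 seccomp
 shell none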
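--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -27,7 +27,7 @@ notv
 # novideo
 protocol unix,inet,inet6,netlink
 # blacklisting of ioperm system calls breaks skanlite
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !ioperm
 shell none
 
 # private-bin kbuildsycoca4,kdeinit4,skanlite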
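--- a/etc/skypeforlinux.profile
+++ b/etc/skypeforlinux.profile
@@ -25,7 +25,7 @@ nonewprivs
 noroot
 notv
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
 shell none
 
 disable-mnt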
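Review bot: `seccomp !chroot` on line 28 re-allows a syscall that the plain `seccomp` line blocked, with no comment explaining the reason; etc/teamspeak3.profile makes the same change from plain `seccomp`. The tor-browser and standardnotes-desktop profiles in this commit also switch to `seccomp !chroot`, but their deleted explicit drop lists already omitted chroot, so those are rewrites rather than relaxations — only skypeforlinux and teamspeak3 genuinely widen the filter. Presumably the embedded Chromium-style sandbox helper needs chroot inside its own user namespace; a one-line comment would stop a later cleanup from tightening it back: `# the embedded browser sandbox needs chroot; the rest of the default seccomp list stays blocked`.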
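--- a/etc/slack.profile
+++ b/etc/slack.profile
@@ -20,7 +20,6 @@ include whitelist-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
-name slack
 netfilter
 nodvd
 nogroups
@@ -35,5 +34,5 @@ shell none
 disable-mnt
 private-bin locale,slack
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
 private-tmp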
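--- a/etc/sqlitebrowser.profile
+++ b/etc/sqlitebrowser.profile
@@ -42,4 +42,4 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,ssl
 private-tmp
 
-#memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute - breaks on Arch (see issue #1803)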
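--- a/etc/ssh-agent.profile
+++ b/etc/ssh-agent.profile
@@ -24,6 +24,7 @@ nodvd
 nonewprivs
 noroot
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none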
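--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -30,6 +30,7 @@ nonewprivs
 nosound
 notv
 nou2f
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none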
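--- a/etc/standardnotes-desktop.profile
+++ b/etc/standardnotes-desktop.profile
@@ -34,7 +34,7 @@ nosound
 notv
 nou2f
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mincore,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 
 disable-mnt
 private-dev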
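--- a/etc/start-tor-browser.desktop.profile
+++ b/etc/start-tor-browser.desktop.profile
@@ -6,8 +6,7 @@ include start-tor-browser.desktop.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-*
-noblacklist ${HOME}/.tor-browser_*
+noblacklist ${HOME}/.tor-browser*
 
 whitelist ${HOME}/.tor-browser-ar
 whitelist ${HOME}/.tor-browser-ca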
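--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -28,7 +28,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 # tracelog may cause issues, see github issue #1930
 #tracelog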
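--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -19,8 +19,6 @@ noblacklist ${HOME}/.local/share/vulkan
 noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.steampath
 noblacklist ${HOME}/.steampid
-# with >=llvm-4 mesa drivers need llvm stuff
-noblacklist /usr/lib/llvm*
 # needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work
 noblacklist /sbin
 noblacklist /usr/sbin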
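--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -1,4 +1,5 @@
 # Firejail profile for strings
+# Description: print the strings of printable characters in files
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
@@ -43,3 +44,4 @@ private-lib libfakeroot
 private-tmp
 
 memory-deny-write-execute
+read-only ${HOME}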
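--- a/etc/subdownloader.profile
+++ b/etc/subdownloader.profile
@@ -31,6 +31,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none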
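--- a/etc/supertux2.profile
+++ b/etc/supertux2.profile
@@ -1,4 +1,5 @@
 # Firejail profile for supertux2
+# Description: Jump'n run like game
 # This file is overwritten after every install/update
 # Persistent local customizations
 include supertux2.local
@@ -27,6 +28,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,netlink
 seccomp
 shell none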
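--- a/etc/supertuxkart.profile
+++ b/etc/supertuxkart.profile
@@ -47,7 +47,7 @@ disable-mnt
 private-bin supertuxkart
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,machine-id,openal,pki,resolv.conf,selinux,ssl,system-fips,xdg
+private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,machine-id,openal,pki,resolv.conf,ssl
 private-tmp
 private-opt none
 private-srv none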
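--- a/etc/tb-starter-wrapper.profile
+++ b/etc/tb-starter-wrapper.profile
@@ -13,7 +13,7 @@ noblacklist ${HOME}/.tb
 mkdir ${HOME}/.tb
 whitelist ${HOME}/.tb
 
-x11 xorg
+private-bin tb-starter-wrapper
 
 # Redirect
 include torbrowser-launcher.profile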
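Review bot: `x11 xorg` on line 16 is removed and replaced by `private-bin tb-starter-wrapper`, so the wrapper loses the X Security extension (untrusted X client) isolation it had, unless torbrowser-launcher.profile — included on line 19 and outside this hunk — sets an x11 mode of its own. If the line was dropped because the X security mode broke the launcher, record that so it is not silently re-added or its absence mistaken for an oversight: `# x11 xorg breaks the wrapper: <reason or issue placeholder>`. If it was dropped by accident, keep both lines; a private-bin restriction does not substitute for X11 isolation.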
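--- a/etc/teamspeak3.profile
+++ b/etc/teamspeak3.profile
@@ -33,7 +33,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
 shell none
 
 disable-mnt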
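--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -87,6 +87,9 @@ include globals.local
 # Allow lua (blacklisted by disable-interpreters.inc)
 #include allow-lua.inc
 
+# Allows files commonly used by IDEs
+#include allow-common-devel.inc
+
 #include disable-common.inc
 #include disable-devel.inc
 #include disable-exec.inc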
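--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -1,6 +1,9 @@
 Hints for writing seccomp.drop lines
 ====================================
 
+Definition of groups
+--------------------
+
 @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
 @module=delete_module,finit_module,init_module
 @raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
@@ -20,6 +23,8 @@ Hints for writing seccomp.drop lines
 
 @default-keep=execve,prctl
 
+Inheritance of groups
+---------------------
 
 +---------+----------------+---------------+
 | @clock | @cpu-emulation | @default-keep |
@@ -41,7 +46,28 @@ Hints for writing seccomp.drop lines
 | @default-nodebuggers |
 +----------------------+
 
+common used seccomp.drop lines
+------------------------------
 
 @default without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 
 @default-nodebuggers without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+
+Building a seccomp.drop line if seccomp breaks a programm
+---------------------------------------------------------
+
+```
+$ journalctl --grep=syscall --follow
+<...> audit[…]: SECCOMP <...> syscall=161 <...>
+$ firejail --debug-syscalls | grep 161
+161 - chroot
+```
+
+TODO: write a short explanation
+TODO: suggest to use `allow-debuggers` instead of `seccomp.drop` if possible
+
+see also
+--------
+
+- contrib/syscalls.sh
+- https://firejail.wordpress.com/documentation-2/seccomp-guide/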
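--- /dev/null
+++ b/etc/tor-browser.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser
+
+mkdir ${HOME}/.tor-browser
+whitelist ${HOME}/.tor-browser
+
+# Redirect
+include torbrowser-launcher.profile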
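--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -42,13 +42,13 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 # tracelog may cause issues, see github issue #1930
 #tracelog
 
 disable-mnt
-private-bin bash,cat,cp,cut,dirname,env,expr,file,getconf,gpg,grep,gxmessage,id,kdialog,ln,mkdir,pwd,python*,readlink,realpath,rm,sed,sh,tail,tar,tclsh,test,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
+private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp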
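--- a/etc/transmission-cli.profile
+++ b/etc/transmission-cli.profile
@@ -7,37 +7,8 @@ include transmission-cli.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/transmission
-noblacklist ${HOME}/.config/transmission
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-apparmor
-caps.drop all
-machine-id
-netfilter
-nodbus
-nodvd
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol inet,inet6
-seccomp
-shell none
-tracelog
-
-# private-bin transmission-cli
-private-dev
+private-bin transmission-cli
 private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
-private-lib
-private-tmp
 
-memory-deny-write-execute
+# Redirect
+include transmission-common.profile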
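Review bot: The shared profile included on line 14 carries `protocol unix,inet,inet6`, while the deleted lines here (old line 32) and in etc/transmission-daemon.profile had `protocol inet,inet6`, so both non-GUI tools now get AF_UNIX sockets they did not need before. If that widening is unintended, add `protocol inet,inet6` to this file before the include; firejail appears to keep the first protocol list it parses and warn about a second, but confirm that ordering against the version in tree. The daemon profile additionally loses `nogroups` (old line 26), which the common file does not carry — likely deliberate given its new `caps.keep … setgid`, but worth a comment there.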
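--- /dev/null
+++ b/etc/transmission-common.profile
@@ -0,0 +1,46 @@
+# Firejail profile for transmission-common
+# Description: Fast, easy and free BitTorrent client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include transmission-common.local
+
+noblacklist ${HOME}/.cache/transmission
+noblacklist ${HOME}/.config/transmission
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/transmission
+mkdir ${HOME}/.config/transmission
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/transmission
+whitelist ${HOME}/.config/transmission
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodbus
+nodvd
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-dev
+private-lib
+private-tmp
+
+memory-deny-write-execute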
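--- a/etc/transmission-create.profile
+++ b/etc/transmission-create.profile
@@ -1,11 +1,13 @@
 # Firejail profile for transmission-create
 # Description: CLI utility to create BitTorrent .torrent files
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include transmission-create.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
+
+private-bin transmission-create
 
 # Redirect
-include transmission-cli.profile
+include transmission-common.profile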
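--- a/etc/transmission-daemon.profile
+++ b/etc/transmission-daemon.profile
@@ -7,38 +7,16 @@ include transmission-daemon.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/transmission
-noblacklist ${HOME}/.config/transmission
+whitelist /var/lib/transmission
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
+caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
 
-apparmor
-caps.drop all
-machine-id
-netfilter
-nodbus
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol inet,inet6
-seccomp
-shell none
-tracelog
-
-# private-bin transmission-daemon
-private-dev
+private-bin transmission-daemon
 private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
-private-lib
-private-tmp
 
-memory-deny-write-execute
+read-write /var/lib/transmission
+writable-var-log
+writable-run-user
+
+# Redirect
+include transmission-common.profile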
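Review bot: `caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot` on line 12 is followed on line 22 by an include of transmission-common.profile, which carries `caps.drop all`; if firejail resolves a drop-all ahead of a keep list (that precedence is outside this diff), the keep list is dead and the daemon can neither bind ports below 1024 nor chroot. transmission-gtk in this same commit resolves the analogous conflict with `ignore memory-deny-write-execute`, so the explicit form here would be `ignore caps.drop all` placed before the include, plus a comment naming the caps the daemon really needs. The common file also applies `seccomp`, and per etc/templates/syscalls.txt the default list blocks chroot, so `sys_chroot` may be unusable regardless — confirm and either pair it with `seccomp !chroot` or drop it from the keep list.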
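--- a/etc/transmission-edit.profile
+++ b/etc/transmission-edit.profile
@@ -1,11 +1,13 @@
 # Firejail profile for transmission-edit
 # Description: CLI utility to modify BitTorrent .torrent files' announce URLs
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include transmission-edit.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
+
+private-bin transmission-edit
 
 # Redirect
-include transmission-cli.profile
+include transmission-common.profile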
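--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -1,50 +1,15 @@
 # Firejail profile for transmission-gtk
 # Description: Fast, easy and free BitTorrent client (GTK GUI)
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include transmission-gtk.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/transmission
-noblacklist ${HOME}/.config/transmission
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-mkdir ${HOME}/.cache/transmission
-mkdir ${HOME}/.config/transmission
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/transmission
-whitelist ${HOME}/.config/transmission
-include whitelist-common.inc
-include whitelist-var-common.inc
-
-apparmor
-caps.drop all
-machine-id
-netfilter
-nodbus
-nodvd
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
 private-bin transmission-gtk
-private-dev
-private-lib
-private-tmp
 
-# Causes freeze during opening file dialog in Archlinux, see issue #1855
-# memory-deny-write-execute
+ignore memory-deny-write-execute
+
+# Redirect
+include transmission-common.profile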
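--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -1,49 +1,18 @@
 # Firejail profile for transmission-qt
 # Description: Fast, easy and free BitTorrent client (Qt GUI)
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include transmission-qt.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/transmission
-noblacklist ${HOME}/.config/transmission
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-mkdir ${HOME}/.cache/transmission
-mkdir ${HOME}/.config/transmission
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/transmission
-whitelist ${HOME}/.config/transmission
-include whitelist-common.inc
-include whitelist-var-common.inc
+private-bin transmission-qt
 
-apparmor
-caps.drop all
-machine-id
-netfilter
-nodbus
-nodvd
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
+# private-lib - breaks on Arch
+ignore private-lib
 
-private-bin transmission-qt
-private-dev
-# private-lib - problems on Arch
-private-tmp
+ignore memory-deny-write-execute
 
-# memory-deny-write-execute - problems on Qt 5.10.0, KDE Frameworks 5.41.0
+# Redirect
+include transmission-common.profile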
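--- a/etc/transmission-remote-cli.profile
+++ b/etc/transmission-remote-cli.profile
@@ -1,25 +1,17 @@
 # Firejail profile for transmission-remote-cli
 # Description: A remote control utility for transmission-daemon (CLI)
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include transmission-remote-cli.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
 
-mkdir ${HOME}/.cache/transmission
-mkdir ${HOME}/.config/transmission
-whitelist ${HOME}/.cache/transmission
-whitelist ${HOME}/.config/transmission
-include whitelist-common.inc
-include whitelist-var-common.inc
-
-# private-bin python*
-private-etc fonts
+private-bin python*,transmission-remote-cli
 
 # Redirect
-include transmission-remote.profile
+include transmission-common.profile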
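diff --git a/etc/transmission-remote-gtk.profile b/etc/transmission-remote-gtk.profile
index b7173def5..a6400e2c0 100644
--- a/etc/transmission-remote-gtk.profile
+++ b/etc/transmission-remote-gtk.profile
@@ -1,20 +1,22 @@
 # Firejail profile for transmission-remote-gtk
 # Description: A remote control utility for transmission-daemon (GTK GUI)
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include transmission-remote-gtk.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
 
-mkdir ${HOME}/.cache/transmission
-mkdir ${HOME}/.config/transmission
-whitelist ${HOME}/.cache/transmission
-whitelist ${HOME}/.config/transmission
-include whitelist-common.inc
-include whitelist-var-common.inc
+noblacklist ${HOME}/.config/transmission-remote-gtk
 
-private-etc fonts
+mkdir ${HOME}/.config/transmission-remote-gtk
+whitelist ${HOME}/.config/transmission-remote-gtk
+
+private-etc fonts,hostname,hosts,resolv.conf
+# Problems with private-lib (see issue #2889)
+ignore private-lib
+
+ignore memory-deny-write-execute
 
 # Redirect
-include transmission-remote.profile
+include transmission-common.profile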
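diff --git a/etc/transmission-remote.profile b/etc/transmission-remote.profile
index ddeb9adf9..fee4999e6 100644
--- a/etc/transmission-remote.profile
+++ b/etc/transmission-remote.profile
@@ -7,37 +7,8 @@ include transmission-remote.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/transmission
-noblacklist ${HOME}/.config/transmission
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-apparmor
-caps.drop all
-machine-id
-netfilter
-nodbus
-nodvd
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol inet,inet6
-seccomp
-shell none
-tracelog
-
-# private-bin transmission-remote
-private-dev
+private-bin transmission-remote
 private-etc alternatives,hosts,nsswitch.conf
-private-lib
-private-tmp
 
-memory-deny-write-execute
+# Redirect
+include transmission-common.profile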
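diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile
index 779606f04..5a3c83f58 100644
--- a/etc/transmission-show.profile
+++ b/etc/transmission-show.profile
@@ -1,41 +1,14 @@
 # Firejail profile for transmission-show
 # Description: CLI utility to show BitTorrent .torrent file metadata
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include transmission-show.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/transmission
-noblacklist ${HOME}/.config/transmission
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-apparmor
-caps.drop all
-machine-id
-netfilter
-nodbus
-nodvd
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol inet,inet6
-seccomp
-shell none
-tracelog
-
-private-dev
+private-bin transmission-show
 private-etc alternatives,hosts,nsswitch.conf
-private-lib
-private-tmp
 
-memory-deny-write-execute
+# Redirect
+include transmission-common.profile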
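diff --git a/etc/unknown-horizons.profile b/etc/unknown-horizons.profile
index b62d3111d..7223ea2e1 100644
--- a/etc/unknown-horizons.profile
+++ b/etc/unknown-horizons.profile
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none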
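diff --git a/etc/unzstd.profile b/etc/unzstd.profile
new file mode 100644
index 000000000..ce9af3286
--- /dev/null
+++ b/etc/unzstd.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+
+# Redirect
+include zstd.profile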
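diff --git a/etc/vim.profile b/etc/vim.profile
index 49abb0d44..d27a9a633 100644
--- a/etc/vim.profile
+++ b/etc/vim.profile
@@ -6,14 +6,13 @@ include vim.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.python-history
-noblacklist ${HOME}/.python_history
-noblacklist ${HOME}/.pythonhist
-noblacklist ${HOME}/.pythonrc.py
 noblacklist ${HOME}/.vim
 noblacklist ${HOME}/.viminfo
 noblacklist ${HOME}/.vimrc
 
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
 include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc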
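diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile
index 45f9949f3..c0dbc9116 100644
--- a/etc/virtualbox.profile
+++ b/etc/virtualbox.profile
@@ -26,7 +26,7 @@ whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-var-common.inc
 
-caps.drop all
+caps.keep net_raw,sys_admin,sys_nice
 netfilter
 nodvd
 notv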
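Review bot: `caps.keep net_raw,sys_admin,sys_nice` on new line 29 replaces `caps.drop all` with no comment recording which VirtualBox function needs each capability, and CAP_SYS_ADMIN in particular covers mount, namespace and many other privileged operations, so most of what capability dropping provided is gone. A comment per capability, e.g. `# caps.keep sys_admin: needed for <feature - TODO confirm>`, would let a later maintainer check whether the set can be narrowed again.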
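diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile
index 85cbc5e43..e65e0a0c3 100644
--- a/etc/warzone2100.profile
+++ b/etc/warzone2100.profile
@@ -30,6 +30,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none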
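diff --git a/etc/webstorm.profile b/etc/webstorm.profile
index e820bae00..fc4e8e571 100644
--- a/etc/webstorm.profile
+++ b/etc/webstorm.profile
@@ -7,14 +7,13 @@ include globals.local
 
 noblacklist ${HOME}/.WebStorm*
 noblacklist ${HOME}/.android
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
-noblacklist ${HOME}/.gradle
 noblacklist ${HOME}/.local/share/JetBrains
 noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
 
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
 noblacklist ${PATH}/node
 noblacklist ${HOME}/.nvm
 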
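diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile
index a67d3a1b8..934edfce9 100644
--- a/etc/wesnoth.profile
+++ b/etc/wesnoth.profile
@@ -30,6 +30,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,inet,inet6
 seccomp
 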
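diff --git a/etc/whalebird.profile b/etc/whalebird.profile
new file mode 100644
index 000000000..26932b6b3
--- /dev/null
+++ b/etc/whalebird.profile
@@ -0,0 +1,45 @@
+# Firejail profile for whalebird
+# Description: Electron-based Mastodon/Pleroma client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include whalebird.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Whalebird
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/Whalebird
+whitelist ${HOME}/.config/Whalebird
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin whalebird
+private-cache
+private-dev
+private-etc fonts,machine-id
+private-tmp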
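Review bot: `private-etc fonts,machine-id` on line 44 lists none of the name-resolution or TLS files (hosts, nsswitch.conf, resolv.conf, ca-certificates, ssl) even though the profile allows inet/inet6 and the client presumably connects to a remote server; unless firejail adds those files implicitly, this seems likely to break connectivity. The transmission-remote-gtk change in this same commit lists `hostname,hosts,resolv.conf` in its private-etc for a networked client. `private-etc asound.conf,fonts,machine-id` in etc/zulip.profile has the same gap.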
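diff --git a/etc/whois.profile b/etc/whois.profile
index f101ee637..859542533 100644
--- a/etc/whois.profile
+++ b/etc/whois.profile
@@ -1,7 +1,7 @@
 # Firejail profile for whois
 # Description: Intelligent WHOIS client
-quiet
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include whois.local
 # Persistent global definitions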
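diff --git a/etc/wine.profile b/etc/wine.profile
index 34c695cf1..192c375cd 100644
--- a/etc/wine.profile
+++ b/etc/wine.profile
@@ -11,8 +11,6 @@ noblacklist ${HOME}/.local/share/Steam
 noblacklist ${HOME}/.local/share/steam
 noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.wine
-# with >=llvm-4 mesa drivers need llvm stuff
-noblacklist /usr/lib/llvm*
 
 include disable-common.inc
 include disable-devel.inc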
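diff --git a/etc/xed.profile b/etc/xed.profile
index a02f1ef51..a67230e51 100644
--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -9,7 +9,6 @@ noblacklist ${HOME}/.config/xed
 noblacklist ${HOME}/.python-history
 noblacklist ${HOME}/.python_history
 noblacklist ${HOME}/.pythonhist
-noblacklist ${HOME}/.pythonrc.py
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc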
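diff --git a/etc/xmr-stak.profile b/etc/xmr-stak.profile
index 3fbdf66ab..c6ba9bd9d 100644
--- a/etc/xmr-stak.profile
+++ b/etc/xmr-stak.profile
@@ -6,7 +6,6 @@ include xmr-stak.local
 include globals.local
 
 noblacklist ${HOME}/.xmr-stak
-noblacklist /usr/lib/llvm*
 
 include disable-common.inc
 include disable-devel.inc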
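diff --git a/etc/xpra.profile b/etc/xpra.profile
index 6f66b9300..1033a7471 100644
--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -1,6 +1,7 @@
 # Firejail profile for xpra
 # Description: Tool to detach/reattach running X programs
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include xpra.local
 # Persistent global definitions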
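diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile
index 6fc519bee..d87d29ee8 100644
--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -19,6 +19,8 @@ noblacklist ${VIDEOS}
 include allow-python2.inc
 include allow-python3.inc
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc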
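diff --git a/etc/zathura.profile b/etc/zathura.profile
index 922284353..db03076be 100644
--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -28,6 +28,7 @@ noroot
 nosound
 notv
 nou2f
+novideo
 protocol unix
 seccomp
 shell none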
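diff --git a/etc/zpaq.profile b/etc/zpaq.profile
index 6bf3605eb..80329ecfd 100644
--- a/etc/zpaq.profile
+++ b/etc/zpaq.profile
@@ -1,6 +1,7 @@
 # Firejail profile for zpaq
 # Description: Programmable file compressor, library and utilities. Based on the PAQ compression algorithm.
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include zpaq.local
 # Persistent global definitions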
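diff --git a/etc/zstd.profile b/etc/zstd.profile
new file mode 100644
index 000000000..ea7bbfb0d
--- /dev/null
+++ b/etc/zstd.profile
@@ -0,0 +1,42 @@
+# Firejail profile for zstd
+# Description: Zstandard - Fast real-time compression algorithm
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zstd.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+apparmor
+caps.drop all
+hostname zstd
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-cache
+private-dev
+
+memory-deny-write-execute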
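Review bot: `#noroot` on line 28 is a commented-out directive with no reason given, while the other disabled options in this commit explain themselves (`# private-lib - breaks on Arch`, `# memory-deny-write-execute - problems on Qt 5.10.0, KDE Frameworks 5.41.0`). Either enable `noroot`, as the other new profiles in this commit do, or write `# noroot - <reason - TODO fill in>` so the omission is recognisably deliberate rather than forgotten.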
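diff --git a/etc/zstdcat.profile b/etc/zstdcat.profile
new file mode 100644
index 000000000..ce9af3286
--- /dev/null
+++ b/etc/zstdcat.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+
+# Redirect
+include zstd.profile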
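diff --git a/etc/zstdgrep.profile b/etc/zstdgrep.profile
new file mode 100644
index 000000000..ce9af3286
--- /dev/null
+++ b/etc/zstdgrep.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+
+# Redirect
+include zstd.profile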
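diff --git a/etc/zstdless.profile b/etc/zstdless.profile
new file mode 100644
index 000000000..ce9af3286
--- /dev/null
+++ b/etc/zstdless.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+
+# Redirect
+include zstd.profile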
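diff --git a/etc/zstdmt.profile b/etc/zstdmt.profile
new file mode 100644
index 000000000..ce9af3286
--- /dev/null
+++ b/etc/zstdmt.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+
+# Redirect
+include zstd.profile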
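diff --git a/etc/zulip.profile b/etc/zulip.profile
new file mode 100644
index 000000000..999c2f77a
--- /dev/null
+++ b/etc/zulip.profile
@@ -0,0 +1,47 @@
+# Firejail profile for zulip
+# Description: Real-time team chat based on the email threading model
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zulip.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec /tmp
+
+noblacklist ${HOME}/.config/Zulip
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/Zulip
+whitelist ${HOME}/.config/Zulip
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin locale,zulip
+private-cache
+private-dev
+private-etc asound.conf,fonts,machine-id
+private-tmp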
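Review bot: `ignore noexec /tmp` on line 9 drops the noexec mount for /tmp that disable-exec.inc (included on line 15) presumably sets, but the profile does not say what the client needs to execute from /tmp. Since this is one of the few relaxations in an otherwise tight profile, a comment such as `# ignore noexec /tmp - <what fails without it - TODO confirm>` would let a maintainer re-check it when the client changes.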
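diff --git a/platform/rpm/mkrpm.sh b/platform/rpm/mkrpm.sh
index b63340e43..351b92beb 100755
--- a/platform/rpm/mkrpm.sh
+++ b/platform/rpm/mkrpm.sh
@@ -33,7 +33,7 @@ sed -e "s/__NAME__/${name}/g" -e "s/__VERSION__/${version}/g" platform/rpm/${nam
 # FIXME: We could parse RELNOTES and create a %changelog section here
 
 # Copy the source to build into a tarball
-tar czf ${tmpdir}/SOURCES/${name}-${version}.tar.gz . --transform "s/^./${name}-${version}/" --exclude='./.git*' --exclude='./test*'
+tar --exclude='./.git*' --exclude='./test' --transform "s/^./${name}-${version}/" -czf ${tmpdir}/SOURCES/${name}-${version}.tar.gz .
 
 # Build the files (rpm, debug rpm and source rpm)
 rpmbuild --quiet --define "_topdir ${tmpdir}" -ba ${tmp_spec_file}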
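Review bot: The reordered `tar` command on line 36 still expands `${tmpdir}`, `${name}` and `${version}` unquoted, so a path or version containing whitespace would be split into separate arguments; quote the archive path, `-czf "${tmpdir}/SOURCES/${name}-${version}.tar.gz" .`, and the `rpmbuild` line below has the same unquoted `${tmp_spec_file}`. The values are presumably produced by the script itself, so the exposure is small, but the quoting is cheap and keeps the script robust to a build root with spaces.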
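diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index 3f507a361..a08cc66b3 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -28,11 +28,10 @@ int arg_quiet = 0;
 int arg_debug = 0;
 static int arg_follow_link = 0;
 
-static int copy_limit = 500 * 1024 *1024; // 500 MB
-#define COPY_LIMIT (
+static unsigned long long copy_limit = 500 * 1024 * 1024; // 500 MB
+static unsigned long long size_cnt = 0;
 static int size_limit_reached = 0;
 static unsigned file_cnt = 0;
-static unsigned size_cnt = 0;
 
 static char *outpath = NULL;
 static char *inpath = NULL;
@@ -187,7 +186,7 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str
 
 // recalculate size
 if ((s.st_size + size_cnt) > copy_limit) {
-fprintf(stderr, "Error fcopy: size limit of %dMB reached\n", (copy_limit / 1024) / 1024);
+fprintf(stderr, "Error fcopy: size limit of %lluMB reached\n", (copy_limit / 1024) / 1024);
 size_limit_reached = 1;
 free(outfname);
 return 0;
@@ -392,9 +391,9 @@ int main(int argc, char **argv) {
 // extract copy limit size from env variable, if any
 char *cl = getenv("FIREJAIL_FILE_COPY_LIMIT");
 if (cl) {
-copy_limit = atoi(cl) * 1024 * 1024;
+copy_limit = strtoul(cl, NULL, 10) * 1024 * 1024;
 if (arg_debug)
-printf("file copy limit %d bytes\n", copy_limit);
+printf("file copy limit %llu bytes\n", copy_limit);
 }
 
 // copy files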
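Review bot: `copy_limit = strtoul(cl, NULL, 10) * 1024 * 1024;` on new line 394 takes the environment value unvalidated: a non-numeric string becomes 0 and therefore a limit that rejects every file, a leading '-' is wrapped by strtoul into a very large unsigned value, and on targets where unsigned long is 32 bits the multiplication overflows before the result is widened to copy_limit's unsigned long long. Parsing with an end pointer and errno, rejecting empty, trailing-garbage, negative and out-of-range input, and multiplying in the wider type fixes all three; the sketch below needs <errno.h>, <string.h> and <limits.h> if the file does not already include them, and uses the file's existing "Error fcopy:" message style. main() begins and ends outside the hunk.
```c
// extract copy limit size from env variable, if any
char *cl = getenv("FIREJAIL_FILE_COPY_LIMIT");
if (cl) {
	char *end;
	errno = 0;
	unsigned long mb = strtoul(cl, &end, 10);
	// strtoul accepts a leading '-' and wraps it; reject it together with garbage and overflow
	if (*cl == '\0' || *end != '\0' || errno == ERANGE || strchr(cl, '-') ||
	    mb > ULLONG_MAX / (1024ULL * 1024)) {
		fprintf(stderr, "Error fcopy: invalid FIREJAIL_FILE_COPY_LIMIT value\n");
		exit(1);
	}
	copy_limit = (unsigned long long)mb * 1024 * 1024;
	// … unchanged: debug printf …
}
```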
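diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 9645215ef..6b2a92ad5 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -81,6 +81,7 @@ brasero
 brave
 brave-browser
 bunzip2
+bzcat
 bzflag
 bzip2
 calibre
@@ -277,6 +278,7 @@ hedgewars
 hexchat
 highlight
 hugin
+i2prouter
 icecat
 icedove
 iceweasel
@@ -313,6 +315,7 @@ kid3
 kid3-cli
 kid3-qt
 kino
+kiwix-desktop
 klatexformula
 klatexformula_cmdl
 klavaro
@@ -476,6 +479,7 @@ psi-plus
 pybitmessage
 # pycharm-community - FB note: may enable later
 # pycharm-professional
+pzstd
 qbittorrent
 qemu-launcher
 qgis
@@ -561,6 +565,7 @@ thunderbird
 thunderbird-beta
 thunderbird-wayland
 tilp
+tor-browser
 tor-browser-ar
 tor-browser-ca
 tor-browser-cs
@@ -616,6 +621,7 @@ uefitool
 uget-gtk
 unbound
 unknown-horizons
+unzstd
 utox
 uudeview
 uzbl-browser
@@ -640,6 +646,7 @@ weechat
 weechat-curses
 wesnoth
 wget
+whalebird
 whois
 widelands
 wine
@@ -679,3 +686,9 @@ zathura
 zeal
 zoom
 zpaq
+zstd
+zstdcat
+zstdgrep
+zstdless
+zstdmt
+zulip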
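diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index ff66dea08..3f5921322 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -284,9 +284,9 @@ static void set_links_homedir(const char *homedir) {
 }
 
 static char *get_user(void) {
-char *user = getlogin();
+char *user = getenv("SUDO_USER");
 if (!user) {
-user = getenv("SUDO_USER");
+user = getpwuid(getuid())->pw_name;
 if (!user) {
 fprintf(stderr, "Error: cannot detect login user\n");
 exit(1);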
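Review bot: `user = getpwuid(getuid())->pw_name;` on new line 289 dereferences the getpwuid() result before the `if (!user)` check on the next line, so a uid with no passwd entry (a minimal container or a broken NSS setup, say) crashes instead of printing the existing "cannot detect login user" error. Store the struct first: `struct passwd *pw = getpwuid(getuid());` followed by `user = pw ? pw->pw_name : NULL;`. The new order also takes the name from the environment (SUDO_USER) before consulting the real uid; that matches the tool presumably being run through sudo, but a one-line comment stating that intent would help the next reader. The rest of get_user() is outside the hunk.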
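diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 84054fe76..f94b95d60 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -50,7 +50,6 @@ int checkcfg(int val) {
 cfg_val[CFG_DISABLE_MNT] = 0;
 cfg_val[CFG_ARP_PROBES] = DEFAULT_ARP_PROBES;
 cfg_val[CFG_XPRA_ATTACH] = 0;
-cfg_val[CFG_HOMEDIR_SYMLINK] = 0;
 
 // open configuration file
 const char *fname = SYSCONFDIR "/firejail.config";
@@ -86,7 +85,6 @@ int checkcfg(int val) {
 ptr = line_remove_spaces(buf);
 if (!ptr)
 continue;
-PARSE_YESNO(CFG_HOMEDIR_SYMLINK, "homedir-symlink")
 PARSE_YESNO(CFG_FILE_TRANSFER, "file-transfer")
 PARSE_YESNO(CFG_DBUS, "dbus")
 PARSE_YESNO(CFG_JOIN, "join")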
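diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index d547f9840..14cad4190 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -722,7 +722,6 @@ enum {
 CFG_PRIVATE_CACHE,
 CFG_CGROUP,
 CFG_NAME_CHANGE,
-CFG_HOMEDIR_SYMLINK,
 // CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv
 CFG_MAX // this should always be the last entry
 };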
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 86e6b0949..25c167af1 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -110,17 +110,12 @@ static void skel(const char *homedir, uid_t u, gid_t g) { | |||
110 | } | 110 | } |
111 | 111 | ||
112 | static int store_xauthority(void) { | 112 | static int store_xauthority(void) { |
113 | if (arg_x11_block) | ||
114 | return 0; | ||
115 | |||
113 | // put a copy of .Xauthority in XAUTHORITY_FILE | 116 | // put a copy of .Xauthority in XAUTHORITY_FILE |
114 | char *src; | ||
115 | char *dest = RUN_XAUTHORITY_FILE; | 117 | char *dest = RUN_XAUTHORITY_FILE; |
116 | // create an empty file as root, and change ownership to user | 118 | char *src; |
117 | FILE *fp = fopen(dest, "w"); | ||
118 | if (fp) { | ||
119 | fprintf(fp, "\n"); | ||
120 | SET_PERMS_STREAM(fp, getuid(), getgid(), 0600); | ||
121 | fclose(fp); | ||
122 | } | ||
123 | |||
124 | if (asprintf(&src, "%s/.Xauthority", cfg.homedir) == -1) | 119 | if (asprintf(&src, "%s/.Xauthority", cfg.homedir) == -1) |
125 | errExit("asprintf"); | 120 | errExit("asprintf"); |
126 | 121 | ||
@@ -128,29 +123,37 @@ static int store_xauthority(void) { | |||
128 | if (stat(src, &s) == 0) { | 123 | if (stat(src, &s) == 0) { |
129 | if (is_link(src)) { | 124 | if (is_link(src)) { |
130 | fwarning("invalid .Xauthority file\n"); | 125 | fwarning("invalid .Xauthority file\n"); |
126 | free(src); | ||
131 | return 0; | 127 | return 0; |
132 | } | 128 | } |
133 | 129 | ||
130 | // create an empty file as root, and change ownership to user | ||
131 | FILE *fp = fopen(dest, "w"); | ||
132 | if (fp) { | ||
133 | fprintf(fp, "\n"); | ||
134 | SET_PERMS_STREAM(fp, getuid(), getgid(), 0600); | ||
135 | fclose(fp); | ||
136 | } | ||
137 | else | ||
138 | errExit("fopen"); | ||
139 | |||
134 | copy_file_as_user(src, dest, getuid(), getgid(), 0600); // regular user | 140 | copy_file_as_user(src, dest, getuid(), getgid(), 0600); // regular user |
135 | fs_logger2("clone", dest); | 141 | fs_logger2("clone", dest); |
142 | free(src); | ||
136 | return 1; // file copied | 143 | return 1; // file copied |
137 | } | 144 | } |
138 | 145 | ||
146 | free(src); | ||
139 | return 0; | 147 | return 0; |
140 | } | 148 | } |
141 | 149 | ||
142 | static int store_asoundrc(void) { | 150 | static int store_asoundrc(void) { |
143 | // put a copy of .Xauthority in XAUTHORITY_FILE | 151 | if (arg_nosound) |
144 | char *src; | 152 | return 0; |
145 | char *dest = RUN_ASOUNDRC_FILE; | ||
146 | // create an empty file as root, and change ownership to user | ||
147 | FILE *fp = fopen(dest, "w"); | ||
148 | if (fp) { | ||
149 | fprintf(fp, "\n"); | ||
150 | SET_PERMS_STREAM(fp, getuid(), getgid(), 0644); | ||
151 | fclose(fp); | ||
152 | } | ||
153 | 153 | ||
154 | // put a copy of .asoundrc in ASOUNDRC_FILE | ||
155 | char *dest = RUN_ASOUNDRC_FILE; | ||
156 | char *src; | ||
154 | if (asprintf(&src, "%s/.asoundrc", cfg.homedir) == -1) | 157 | if (asprintf(&src, "%s/.asoundrc", cfg.homedir) == -1) |
155 | errExit("asprintf"); | 158 | errExit("asprintf"); |
156 | 159 | ||
@@ -164,18 +167,30 @@ static int store_asoundrc(void) { | |||
164 | fprintf(stderr, "Error: Cannot access %s\n", src); | 167 | fprintf(stderr, "Error: Cannot access %s\n", src); |
165 | exit(1); | 168 | exit(1); |
166 | } | 169 | } |
167 | if (strncmp(rp, cfg.homedir, strlen(cfg.homedir)) != 0) { | 170 | if (strncmp(rp, cfg.homedir, strlen(cfg.homedir)) != 0 || rp[strlen(cfg.homedir)] != '/') { |
168 | fprintf(stderr, "Error: .asoundrc is a symbolic link pointing to a file outside home directory\n"); | 171 | fprintf(stderr, "Error: .asoundrc is a symbolic link pointing to a file outside home directory\n"); |
169 | exit(1); | 172 | exit(1); |
170 | } | 173 | } |
171 | free(rp); | 174 | free(rp); |
172 | } | 175 | } |
173 | 176 | ||
177 | // create an empty file as root, and change ownership to user | ||
178 | FILE *fp = fopen(dest, "w"); | ||
179 | if (fp) { | ||
180 | fprintf(fp, "\n"); | ||
181 | SET_PERMS_STREAM(fp, getuid(), getgid(), 0644); | ||
182 | fclose(fp); | ||
183 | } | ||
184 | else | ||
185 | errExit("fopen"); | ||
186 | |||
174 | copy_file_as_user(src, dest, getuid(), getgid(), 0644); // regular user | 187 | copy_file_as_user(src, dest, getuid(), getgid(), 0644); // regular user |
175 | fs_logger2("clone", dest); | 188 | fs_logger2("clone", dest); |
189 | free(src); | ||
176 | return 1; // file copied | 190 | return 1; // file copied |
177 | } | 191 | } |
178 | 192 | ||
193 | free(src); | ||
179 | return 0; | 194 | return 0; |
180 | } | 195 | } |
181 | 196 | ||
@@ -194,13 +209,14 @@ static void copy_xauthority(void) { | |||
194 | 209 | ||
195 | copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user | 210 | copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user |
196 | fs_logger2("clone", dest); | 211 | fs_logger2("clone", dest); |
212 | free(dest); | ||
197 | 213 | ||
198 | // delete the temporary file | 214 | // delete the temporary file |
199 | unlink(src); | 215 | unlink(src); |
200 | } | 216 | } |
201 | 217 | ||
202 | static void copy_asoundrc(void) { | 218 | static void copy_asoundrc(void) { |
203 | // copy XAUTHORITY_FILE in the new home directory | 219 | // copy ASOUNDRC_FILE in the new home directory |
204 | char *src = RUN_ASOUNDRC_FILE ; | 220 | char *src = RUN_ASOUNDRC_FILE ; |
205 | char *dest; | 221 | char *dest; |
206 | if (asprintf(&dest, "%s/.asoundrc", cfg.homedir) == -1) | 222 | if (asprintf(&dest, "%s/.asoundrc", cfg.homedir) == -1) |
@@ -214,6 +230,7 @@ static void copy_asoundrc(void) { | |||
214 | 230 | ||
215 | copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user | 231 | copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user |
216 | fs_logger2("clone", dest); | 232 | fs_logger2("clone", dest); |
233 | free(dest); | ||
217 | 234 | ||
218 | // delete the temporary file | 235 | // delete the temporary file |
219 | unlink(src); | 236 | unlink(src); |
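--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -743,9 +743,9 @@ void fs_whitelist(void) {
 errExit("asprintf");
 if (strcmp(env, pamtmpdir) == 0) {
 // create empty user-owned /tmp/user/$uid directory
-mkdir_attr("/tmp/user", 0755, 0, 0);
+mkdir_attr("/tmp/user", 0711, 0, 0);
 fs_logger("mkdir /tmp/user");
-mkdir_attr(pamtmpdir, 0700, getuid(), getgid());
+mkdir_attr(pamtmpdir, 0700, getuid(), 0);
 fs_logger2("mkdir", pamtmpdir);
 }
 free(pamtmpdir);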
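Review bot: The comment above the two mkdir_attr() calls still says "user-owned", but the new second call gives /tmp/user/$uid group 0 instead of getgid(), and nothing records why; since the mode is 0700 the group has no effect on access, which is exactly the kind of thing the next reader will wonder about. Suggest replacing the comment with `// /tmp/user is root:root 0711 (traversable, not listable); the $uid dir is $uid:root 0700, so the group never grants access`. Dropping /tmp/user from 0755 to 0711 is a sensible hardening step, as other users can no longer enumerate which uid directories exist. Whether mkdir_attr() fails loudly when the path already exists or is a symlink is not visible in this hunk, and matters because the directory is created by root; fs_whitelist() continues outside the hunk.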
diff --git a/src/firejail/main.c b/src/firejail/main.c index f5785ff50..9f44c6281 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -259,25 +259,17 @@ static int has_link(const char *dir) { | |||
259 | return 0; | 259 | return 0; |
260 | } | 260 | } |
261 | 261 | ||
262 | static void build_cfg_homedir(const char *dir) { | 262 | static void check_homedir(void) { |
263 | EUID_ASSERT(); | 263 | assert(cfg.homedir); |
264 | assert(dir); | 264 | if (cfg.homedir[0] != '/' || cfg.homedir[1] == '\0') { // system users sometimes have root directory as home |
265 | if (dir[0] != '/' || dir[1] == '\0') { // system users sometimes have root directory as home | 265 | fprintf(stderr, "Error: invalid user directory \"%s\"\n", cfg.homedir); |
266 | fprintf(stderr, "Error: invalid user directory \"%s\"\n", dir); | ||
267 | exit(1); | 266 | exit(1); |
268 | } | 267 | } |
269 | // symlinks are rejected in many places, offer a solution for home directories | 268 | // symlinks are rejected in many places |
270 | if (checkcfg(CFG_HOMEDIR_SYMLINK)) { | 269 | if (has_link(cfg.homedir)) { |
271 | cfg.homedir = realpath(dir, NULL); | 270 | fprintf(stderr, "No full support for symbolic links in path of user directory.\n" |
272 | if (cfg.homedir) | 271 | "Please provide resolved path in password database (/etc/passwd).\n\n"); |
273 | return; | ||
274 | } | 272 | } |
275 | else if (has_link(dir)) { | ||
276 | fwarning("no full support for symbolic links in path of user directory.\n" | ||
277 | "Please provide resolved path in password database (/etc/passwd)\n" | ||
278 | "or enable symbolic link resolution in Firejail configuration file.\n\n"); | ||
279 | } | ||
280 | cfg.homedir = clean_pathname(dir); | ||
281 | } | 273 | } |
282 | 274 | ||
283 | // init configuration | 275 | // init configuration |
@@ -323,8 +315,8 @@ static void init_cfg(int argc, char **argv) { | |||
323 | fprintf(stderr, "Error: user %s doesn't have a user directory assigned\n", cfg.username); | 315 | fprintf(stderr, "Error: user %s doesn't have a user directory assigned\n", cfg.username); |
324 | exit(1); | 316 | exit(1); |
325 | } | 317 | } |
326 | build_cfg_homedir(pw->pw_dir); | 318 | cfg.homedir = clean_pathname(pw->pw_dir); |
327 | assert(cfg.homedir); | 319 | check_homedir(); |
328 | 320 | ||
329 | // initialize random number generator | 321 | // initialize random number generator |
330 | sandbox_pid = getpid(); | 322 | sandbox_pid = getpid(); |
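Review bot: check_homedir() now emits the symlink warning with a bare fprintf(stderr, ...), while the code it replaces and the surrounding file use fwarning(), so the message loses the warning prefix and presumably no longer honours whatever fwarning() does for quiet mode; suggest `fwarning("no full support for symbolic links in path of user directory.\n" "Please provide resolved path in password database (/etc/passwd).\n\n");`. The EUID_ASSERT() that opened build_cfg_homedir() was dropped along with it; if has_link() is still meant to run with the real user's privileges, keeping `EUID_ASSERT();` as the first statement of check_homedir() documents that invariant and catches a caller that raises privileges before the check. Since the warning is non-fatal, the sandbox now proceeds with a home path that contains symlinks, and the message should say so explicitly rather than only asking for a resolved path. init_cfg() starts and ends outside the hunk.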
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 81ab18aa1..609ebb7be 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
@@ -48,10 +48,11 @@ char *seccomp_check_list(const char *str) { | |||
48 | const char *ptr1 = str; | 48 | const char *ptr1 = str; |
49 | char *ptr2 = rv; | 49 | char *ptr2 = rv; |
50 | while (*ptr1 != '\0') { | 50 | while (*ptr1 != '\0') { |
51 | if (isalnum(*ptr1) || *ptr1 == '_' || *ptr1 == ',' || *ptr1 == ':' || *ptr1 == '@' || *ptr1 == '-') | 51 | if (isalnum(*ptr1) || *ptr1 == '_' || *ptr1 == ',' || *ptr1 == ':' |
52 | || *ptr1 == '@' || *ptr1 == '-' || *ptr1 == '$' || *ptr1 == '!') | ||
52 | *ptr2++ = *ptr1++; | 53 | *ptr2++ = *ptr1++; |
53 | else { | 54 | else { |
54 | fprintf(stderr, "Error: invalid syscall list\n"); | 55 | fprintf(stderr, "Error: invalid syscall list entry %s\n", str); |
55 | exit(1); | 56 | exit(1); |
56 | } | 57 | } |
57 | } | 58 | } |
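Review bot: The new error message prints the whole list (`str`) as the "entry", so a user still cannot tell which character was rejected; print the offending byte instead, `fprintf(stderr, "Error: invalid character '%c' in syscall list %s\n", *ptr1, str);`. The same condition passes a plain `char` to isalnum(), which is undefined for negative values once a profile contains a byte above 0x7f; use `isalnum((unsigned char) *ptr1)`. A short comment above the condition stating what the two newly accepted characters mean (`!` marks a `!syscall` exception; `$` is presumably the errno-value syntax) would help, as this loop looks like the only validation the string gets before it is handed to fseccomp. seccomp_check_list() begins before the hunk.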
diff --git a/src/fseccomp/fseccomp.h b/src/fseccomp/fseccomp.h index 593963e76..e1579d098 100644 --- a/src/fseccomp/fseccomp.h +++ b/src/fseccomp/fseccomp.h | |||
@@ -52,7 +52,9 @@ void seccomp_secondary_block(const char *fname); | |||
52 | void write_to_file(int fd, const void *data, int size); | 52 | void write_to_file(int fd, const void *data, int size); |
53 | void filter_init(int fd); | 53 | void filter_init(int fd); |
54 | void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg); | 54 | void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg); |
55 | void filter_add_whitelist_for_excluded(int fd, int syscall, int arg, void *ptrarg); | ||
55 | void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg); | 56 | void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg); |
57 | void filter_add_blacklist_for_excluded(int fd, int syscall, int arg, void *ptrarg); | ||
56 | void filter_add_errno(int fd, int syscall, int arg, void *ptrarg); | 58 | void filter_add_errno(int fd, int syscall, int arg, void *ptrarg); |
57 | void filter_end_blacklist(int fd); | 59 | void filter_end_blacklist(int fd); |
58 | void filter_end_whitelist(int fd); | 60 | void filter_end_whitelist(int fd); |
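Review bot: The two new declarations rely on an encoding that the header does not state: a negative `syscall` value marks a `!syscall` exception, the *_for_excluded variants act only on those, and the plain variants now silently ignore them. Suggest a comment above filter_add_whitelist_for_excluded() such as `// "!name" exceptions arrive as -nr; the _for_excluded variants emit rules only for those, the plain variants only for nr >= 0`. Without it a caller reading only this header cannot tell that filter_add_whitelist() drops negative entries instead of failing.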
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c index 2a719725e..95c20d388 100644 --- a/src/fseccomp/seccomp.c +++ b/src/fseccomp/seccomp.c | |||
@@ -80,6 +80,10 @@ void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_ | |||
80 | 80 | ||
81 | // build pre-exec filter: don't blacklist any syscalls in @default-keep | 81 | // build pre-exec filter: don't blacklist any syscalls in @default-keep |
82 | filter_init(fd); | 82 | filter_init(fd); |
83 | |||
84 | // allow exceptions in form of !syscall | ||
85 | syscall_check_list(list, filter_add_whitelist_for_excluded, fd, 0, NULL); | ||
86 | |||
83 | char *prelist, *postlist; | 87 | char *prelist, *postlist; |
84 | syscalls_in_list(list, "@default-keep", fd, &prelist, &postlist); | 88 | syscalls_in_list(list, "@default-keep", fd, &prelist, &postlist); |
85 | if (prelist) | 89 | if (prelist) |
@@ -128,6 +132,10 @@ void seccomp_default_drop(const char *fname1, const char *fname2, char *list, in | |||
128 | // build pre-exec filter: blacklist @default, don't blacklist | 132 | // build pre-exec filter: blacklist @default, don't blacklist |
129 | // any listed syscalls in @default-keep | 133 | // any listed syscalls in @default-keep |
130 | filter_init(fd); | 134 | filter_init(fd); |
135 | |||
136 | // allow exceptions in form of !syscall | ||
137 | syscall_check_list(list, filter_add_whitelist_for_excluded, fd, 0, NULL); | ||
138 | |||
131 | add_default_list(fd, allow_debuggers); | 139 | add_default_list(fd, allow_debuggers); |
132 | char *prelist, *postlist; | 140 | char *prelist, *postlist; |
133 | syscalls_in_list(list, "@default-keep", fd, &prelist, &postlist); | 141 | syscalls_in_list(list, "@default-keep", fd, &prelist, &postlist); |
@@ -175,6 +183,10 @@ void seccomp_keep(const char *fname1, const char *fname2, char *list) { | |||
175 | 183 | ||
176 | // build pre-exec filter: whitelist also @default-keep | 184 | // build pre-exec filter: whitelist also @default-keep |
177 | filter_init(fd); | 185 | filter_init(fd); |
186 | |||
187 | // allow exceptions in form of !syscall | ||
188 | syscall_check_list(list, filter_add_blacklist_for_excluded, fd, 0, NULL); | ||
189 | |||
178 | // these syscalls are used by firejail after the seccomp filter is initialized | 190 | // these syscalls are used by firejail after the seccomp filter is initialized |
179 | int r; | 191 | int r; |
180 | r = syscall_check_list("@default-keep", filter_add_whitelist, fd, 0, NULL); | 192 | r = syscall_check_list("@default-keep", filter_add_whitelist, fd, 0, NULL); |
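Review bot: The three new syscall_check_list() calls discard the return value, whereas the existing call just below stores it in `r` and, outside the hunk, presumably reacts to it, so an unknown syscall name written as an exception may go unreported at this point. Either mirror that handling, `if (syscall_check_list(list, filter_add_whitelist_for_excluded, fd, 0, NULL))` followed by the same error path, or add a comment stating that the list was already validated by the caller. The placement also deserves a comment, because it is what gives exceptions their meaning: a seccomp BPF program returns on the first matching rule, so a `!name` rule emitted here takes precedence over every later entry, including @default in seccomp_default_drop(); suggest `// exceptions go first: the filter returns on the first match, so these override any later rule`. seccomp_drop(), seccomp_default_drop() and seccomp_keep() each continue outside the hunk.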
diff --git a/src/fseccomp/seccomp_file.c b/src/fseccomp/seccomp_file.c index 2e1f317ed..266ef0c55 100644 --- a/src/fseccomp/seccomp_file.c +++ b/src/fseccomp/seccomp_file.c | |||
@@ -60,26 +60,58 @@ void filter_init(int fd) { | |||
60 | write_to_file(fd, filter, sizeof(filter)); | 60 | write_to_file(fd, filter, sizeof(filter)); |
61 | } | 61 | } |
62 | 62 | ||
63 | void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg) { | 63 | static void write_whitelist(int fd, int syscall) { |
64 | (void) arg; | ||
65 | (void) ptrarg; | ||
66 | |||
67 | struct sock_filter filter[] = { | 64 | struct sock_filter filter[] = { |
68 | WHITELIST(syscall) | 65 | WHITELIST(syscall) |
69 | }; | 66 | }; |
70 | write_to_file(fd, filter, sizeof(filter)); | 67 | write_to_file(fd, filter, sizeof(filter)); |
71 | } | 68 | } |
72 | 69 | ||
73 | void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg) { | 70 | static void write_blacklist(int fd, int syscall) { |
74 | (void) arg; | ||
75 | (void) ptrarg; | ||
76 | |||
77 | struct sock_filter filter[] = { | 71 | struct sock_filter filter[] = { |
78 | BLACKLIST(syscall) | 72 | BLACKLIST(syscall) |
79 | }; | 73 | }; |
80 | write_to_file(fd, filter, sizeof(filter)); | 74 | write_to_file(fd, filter, sizeof(filter)); |
81 | } | 75 | } |
82 | 76 | ||
77 | void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg) { | ||
78 | (void) arg; | ||
79 | (void) ptrarg; | ||
80 | |||
81 | if (syscall >= 0) { | ||
82 | write_whitelist(fd, syscall); | ||
83 | } | ||
84 | } | ||
85 | |||
86 | // handle seccomp list exceptions (seccomp x,y,!z) | ||
87 | void filter_add_whitelist_for_excluded(int fd, int syscall, int arg, void *ptrarg) { | ||
88 | (void) arg; | ||
89 | (void) ptrarg; | ||
90 | |||
91 | if (syscall < 0) { | ||
92 | write_whitelist(fd, -syscall); | ||
93 | } | ||
94 | } | ||
95 | |||
96 | void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg) { | ||
97 | (void) arg; | ||
98 | (void) ptrarg; | ||
99 | |||
100 | if (syscall >= 0) { | ||
101 | write_blacklist(fd, syscall); | ||
102 | } | ||
103 | } | ||
104 | |||
105 | // handle seccomp list exceptions (seccomp x,y,!z) | ||
106 | void filter_add_blacklist_for_excluded(int fd, int syscall, int arg, void *ptrarg) { | ||
107 | (void) arg; | ||
108 | (void) ptrarg; | ||
109 | |||
110 | if (syscall < 0) { | ||
111 | write_blacklist(fd, -syscall); | ||
112 | } | ||
113 | } | ||
114 | |||
83 | void filter_add_errno(int fd, int syscall, int arg, void *ptrarg) { | 115 | void filter_add_errno(int fd, int syscall, int arg, void *ptrarg) { |
84 | (void) ptrarg; | 116 | (void) ptrarg; |
85 | struct sock_filter filter[] = { | 117 | struct sock_filter filter[] = { |
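Review bot: Encoding an exclusion as the negated syscall number cannot represent syscall 0 (`read` on x86-64, `restart_syscall` on i386): `-0` is `0`, so in filter_add_whitelist_for_excluded() and filter_add_blacklist_for_excluded() the `syscall < 0` test is false and the plain variants treat it as an ordinary entry, meaning `!read` silently becomes `read`, the opposite of what the profile asked for. The encoding is produced outside this hunk, but the decode here should not rely on sign alone; an offset encoding such as `-(nr + 1)` decoded with `write_whitelist(fd, -syscall - 1);`, or an explicit exception flag carried in the currently unused `arg` parameter, removes the ambiguity. A one-line comment on the four wrappers stating the contract, `// negative numbers are !syscall exceptions; see the list parser in syscall.c`, would also make the split between the plain and _for_excluded variants clear to the next reader. filter_add_errno() continues outside the hunk.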
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c index 3b698d2dd..1683d3140 100644 --- a/src/fseccomp/syscall.c +++ b/src/fseccomp/syscall.c | |||
@@ -50,6 +50,99 @@ static const SyscallEntry syslist[] = { | |||
50 | }; // end of syslist | 50 | }; // end of syslist |
51 | 51 | ||
52 | static const SyscallGroupList sysgroups[] = { | 52 | static const SyscallGroupList sysgroups[] = { |
53 | { .name = "@aio", .list = | ||
54 | #ifdef SYS_io_cancel | ||
55 | "io_cancel," | ||
56 | #endif | ||
57 | #ifdef SYS_io_destroy | ||
58 | "io_destroy," | ||
59 | #endif | ||
60 | #ifdef SYS_io_getevents | ||
61 | "io_getevents," | ||
62 | #endif | ||
63 | #ifdef SYS_io_pgetevents | ||
64 | "io_pgetevents," | ||
65 | #endif | ||
66 | #ifdef SYS_io_setup | ||
67 | "io_setup," | ||
68 | #endif | ||
69 | #ifdef SYS_io_submit | ||
70 | "io_submit" | ||
71 | #endif | ||
72 | }, | ||
73 | { .name = "@basic-io", .list = | ||
74 | #ifdef SYS__llseek | ||
75 | "_llseek," | ||
76 | #endif | ||
77 | #ifdef SYS_close | ||
78 | "close," | ||
79 | #endif | ||
80 | #ifdef SYS_dup | ||
81 | "dup," | ||
82 | #endif | ||
83 | #ifdef SYS_dup2 | ||
84 | "dup2," | ||
85 | #endif | ||
86 | #ifdef SYS_dup3 | ||
87 | "dup3," | ||
88 | #endif | ||
89 | #ifdef SYS_lseek | ||
90 | "lseek," | ||
91 | #endif | ||
92 | #ifdef SYS_pread64 | ||
93 | "pread64," | ||
94 | #endif | ||
95 | #ifdef SYS_preadv | ||
96 | "preadv," | ||
97 | #endif | ||
98 | #ifdef SYS_preadv2 | ||
99 | "preadv2," | ||
100 | #endif | ||
101 | #ifdef SYS_pwrite64 | ||
102 | "pwrite64," | ||
103 | #endif | ||
104 | #ifdef SYS_pwritev | ||
105 | "pwritev," | ||
106 | #endif | ||
107 | #ifdef SYS_pwritev2 | ||
108 | "pwritev2," | ||
109 | #endif | ||
110 | #ifdef SYS_read | ||
111 | "read," | ||
112 | #endif | ||
113 | #ifdef SYS_readv | ||
114 | "readv," | ||
115 | #endif | ||
116 | #ifdef SYS_write | ||
117 | "write," | ||
118 | #endif | ||
119 | #ifdef SYS_writev | ||
120 | "writev" | ||
121 | #endif | ||
122 | }, | ||
123 | { .name = "@chown", .list = | ||
124 | #ifdef SYS_chown | ||
125 | "chown," | ||
126 | #endif | ||
127 | #ifdef SYS_chown32 | ||
128 | "chown32," | ||
129 | #endif | ||
130 | #ifdef SYS_fchown | ||
131 | "fchown," | ||
132 | #endif | ||
133 | #ifdef SYS_fchown32 | ||
134 | "fchown32," | ||
135 | #endif | ||
136 | #ifdef SYS_fchownat | ||
137 | "fchownat," | ||
138 | #endif | ||
139 | #ifdef SYS_lchown | ||
140 | "lchown," | ||
141 | #endif | ||
142 | #ifdef SYS_lchown32 | ||
143 | "lchown32" | ||
144 | #endif | ||
145 | }, | ||
53 | { .name = "@clock", .list = | 146 | { .name = "@clock", .list = |
54 | #ifdef SYS_adjtimex | 147 | #ifdef SYS_adjtimex |
55 | "adjtimex," | 148 | "adjtimex," |
@@ -108,11 +201,14 @@ static const SyscallGroupList sysgroups[] = { | |||
108 | #endif | 201 | #endif |
109 | }, | 202 | }, |
110 | { .name = "@default", .list = | 203 | { .name = "@default", .list = |
204 | "@clock," | ||
111 | "@cpu-emulation," | 205 | "@cpu-emulation," |
112 | "@debug," | 206 | "@debug," |
207 | "@module," | ||
113 | "@obsolete," | 208 | "@obsolete," |
114 | "@privileged," | 209 | "@raw-io," |
115 | "@resources," | 210 | "@reboot," |
211 | "@swap," | ||
116 | #ifdef SYS_open_by_handle_at | 212 | #ifdef SYS_open_by_handle_at |
117 | "open_by_handle_at," | 213 | "open_by_handle_at," |
118 | #endif | 214 | #endif |
@@ -140,6 +236,15 @@ static const SyscallGroupList sysgroups[] = { | |||
140 | #ifdef SYS_request_key | 236 | #ifdef SYS_request_key |
141 | "request_key," | 237 | "request_key," |
142 | #endif | 238 | #endif |
239 | #ifdef SYS_mbind | ||
240 | "mbind," | ||
241 | #endif | ||
242 | #ifdef SYS_migrate_pages | ||
243 | "migrate_pages," | ||
244 | #endif | ||
245 | #ifdef SYS_move_pages | ||
246 | "move_pages," | ||
247 | #endif | ||
143 | #ifdef SYS_keyctl | 248 | #ifdef SYS_keyctl |
144 | "keyctl," | 249 | "keyctl," |
145 | #endif | 250 | #endif |
@@ -161,6 +266,9 @@ static const SyscallGroupList sysgroups[] = { | |||
161 | #ifdef SYS_remap_file_pages | 266 | #ifdef SYS_remap_file_pages |
162 | "remap_file_pages," | 267 | "remap_file_pages," |
163 | #endif | 268 | #endif |
269 | #ifdef SYS_set_mempolicy | ||
270 | "set_mempolicy" | ||
271 | #endif | ||
164 | #ifdef SYS_vmsplice | 272 | #ifdef SYS_vmsplice |
165 | "vmsplice," | 273 | "vmsplice," |
166 | #endif | 274 | #endif |
@@ -170,6 +278,36 @@ static const SyscallGroupList sysgroups[] = { | |||
170 | #ifdef SYS_userfaultfd | 278 | #ifdef SYS_userfaultfd |
171 | "userfaultfd," | 279 | "userfaultfd," |
172 | #endif | 280 | #endif |
281 | #ifdef SYS_acct | ||
282 | "acct," | ||
283 | #endif | ||
284 | #ifdef SYS_bpf | ||
285 | "bpf," | ||
286 | #endif | ||
287 | #ifdef SYS_chroot | ||
288 | "chroot," | ||
289 | #endif | ||
290 | #ifdef SYS_mount | ||
291 | "mount," | ||
292 | #endif | ||
293 | #ifdef SYS_nfsservctl | ||
294 | "nfsservctl," | ||
295 | #endif | ||
296 | #ifdef SYS_pivot_root | ||
297 | "pivot_root," | ||
298 | #endif | ||
299 | #ifdef SYS_setdomainname | ||
300 | "setdomainname," | ||
301 | #endif | ||
302 | #ifdef SYS_sethostname | ||
303 | "sethostname," | ||
304 | #endif | ||
305 | #ifdef SYS_umount2 | ||
306 | "umount2," | ||
307 | #endif | ||
308 | #ifdef SYS_vhangup | ||
309 | "vhangup" | ||
310 | #endif | ||
173 | //#ifdef SYS_mincore // 0.9.57 - problem fixed in Linux kernel 5.0; on 4.x it will break kodi, mpv, totem | 311 | //#ifdef SYS_mincore // 0.9.57 - problem fixed in Linux kernel 5.0; on 4.x it will break kodi, mpv, totem |
174 | // "mincore" | 312 | // "mincore" |
175 | //#endif | 313 | //#endif |
@@ -190,6 +328,382 @@ static const SyscallGroupList sysgroups[] = { | |||
190 | "execve," | 328 | "execve," |
191 | "prctl" | 329 | "prctl" |
192 | }, | 330 | }, |
331 | { .name = "@file-system", .list = | ||
332 | #ifdef SYS_access | ||
333 | "access," | ||
334 | #endif | ||
335 | #ifdef SYS_chdir | ||
336 | "chdir," | ||
337 | #endif | ||
338 | #ifdef SYS_chmod | ||
339 | "chmod," | ||
340 | #endif | ||
341 | #ifdef SYS_close | ||
342 | "close," | ||
343 | #endif | ||
344 | #ifdef SYS_creat | ||
345 | "creat," | ||
346 | #endif | ||
347 | #ifdef SYS_faccessat | ||
348 | "faccessat," | ||
349 | #endif | ||
350 | #ifdef SYS_fallocate | ||
351 | "fallocate," | ||
352 | #endif | ||
353 | #ifdef SYS_fchdir | ||
354 | "fchdir," | ||
355 | #endif | ||
356 | #ifdef SYS_fchmod | ||
357 | "fchmod," | ||
358 | #endif | ||
359 | #ifdef SYS_fchmodat | ||
360 | "fchmodat," | ||
361 | #endif | ||
362 | #ifdef SYS_fcntl | ||
363 | "fcntl," | ||
364 | #endif | ||
365 | #ifdef SYS_fcntl64 | ||
366 | "fcntl64," | ||
367 | #endif | ||
368 | #ifdef SYS_fgetxattr | ||
369 | "fgetxattr," | ||
370 | #endif | ||
371 | #ifdef SYS_flistxattr | ||
372 | "flistxattr," | ||
373 | #endif | ||
374 | #ifdef SYS_fremovexattr | ||
375 | "fremovexattr," | ||
376 | #endif | ||
377 | #ifdef SYS_fsetxattr | ||
378 | "fsetxattr," | ||
379 | #endif | ||
380 | #ifdef SYS_fstat | ||
381 | "fstat," | ||
382 | #endif | ||
383 | #ifdef SYS_fstat64 | ||
384 | "fstat64," | ||
385 | #endif | ||
386 | #ifdef SYS_fstatat64 | ||
387 | "fstatat64," | ||
388 | #endif | ||
389 | #ifdef SYS_fstatfs | ||
390 | "fstatfs," | ||
391 | #endif | ||
392 | #ifdef SYS_fstatfs64 | ||
393 | "fstatfs64," | ||
394 | #endif | ||
395 | #ifdef SYS_ftruncate | ||
396 | "ftruncate," | ||
397 | #endif | ||
398 | #ifdef SYS_ftruncate64 | ||
399 | "ftruncate64," | ||
400 | #endif | ||
401 | #ifdef SYS_futimesat | ||
402 | "futimesat," | ||
403 | #endif | ||
404 | #ifdef SYS_getcwd | ||
405 | "getcwd," | ||
406 | #endif | ||
407 | #ifdef SYS_getdents | ||
408 | "getdents," | ||
409 | #endif | ||
410 | #ifdef SYS_getdents64 | ||
411 | "getdents64," | ||
412 | #endif | ||
413 | #ifdef SYS_getxattr | ||
414 | "getxattr," | ||
415 | #endif | ||
416 | #ifdef SYS_inotify_add_watch | ||
417 | "inotify_add_watch," | ||
418 | #endif | ||
419 | #ifdef SYS_inotify_init | ||
420 | "inotify_init," | ||
421 | #endif | ||
422 | #ifdef SYS_inotify_init1 | ||
423 | "inotify_init1," | ||
424 | #endif | ||
425 | #ifdef SYS_inotify_rm_watch | ||
426 | "inotify_rm_watch," | ||
427 | #endif | ||
428 | #ifdef SYS_lgetxattr | ||
429 | "lgetxattr," | ||
430 | #endif | ||
431 | #ifdef SYS_link | ||
432 | "link," | ||
433 | #endif | ||
434 | #ifdef SYS_linkat | ||
435 | "linkat," | ||
436 | #endif | ||
437 | #ifdef SYS_listxattr | ||
438 | "listxattr," | ||
439 | #endif | ||
440 | #ifdef SYS_llistxattr | ||
441 | "llistxattr," | ||
442 | #endif | ||
443 | #ifdef SYS_lremovexattr | ||
444 | "lremovexattr," | ||
445 | #endif | ||
446 | #ifdef SYS_lsetxattr | ||
447 | "lsetxattr," | ||
448 | #endif | ||
449 | #ifdef SYS_lstat | ||
450 | "lstat," | ||
451 | #endif | ||
452 | #ifdef SYS_lstat64 | ||
453 | "lstat64," | ||
454 | #endif | ||
455 | #ifdef SYS_mkdir | ||
456 | "mkdir," | ||
457 | #endif | ||
458 | #ifdef SYS_mkdirat | ||
459 | "mkdirat," | ||
460 | #endif | ||
461 | #ifdef SYS_mknod | ||
462 | "mknod," | ||
463 | #endif | ||
464 | #ifdef SYS_mknodat | ||
465 | "mknodat," | ||
466 | #endif | ||
467 | #ifdef SYS_mmap | ||
468 | "mmap," | ||
469 | #endif | ||
470 | #ifdef SYS_mmap2 | ||
471 | "mmap2," | ||
472 | #endif | ||
473 | #ifdef SYS_munmap | ||
474 | "munmap," | ||
475 | #endif | ||
476 | #ifdef SYS_newfstatat | ||
477 | "newfstatat," | ||
478 | #endif | ||
479 | #ifdef SYS_oldfstat | ||
480 | "oldfstat," | ||
481 | #endif | ||
482 | #ifdef SYS_oldlstat | ||
483 | "oldlstat," | ||
484 | #endif | ||
485 | #ifdef SYS_oldstat | ||
486 | "oldstat," | ||
487 | #endif | ||
488 | #ifdef SYS_open | ||
489 | "open," | ||
490 | #endif | ||
491 | #ifdef SYS_openat | ||
492 | "openat," | ||
493 | #endif | ||
494 | #ifdef SYS_readlink | ||
495 | "readlink," | ||
496 | #endif | ||
497 | #ifdef SYS_readlinkat | ||
498 | "readlinkat," | ||
499 | #endif | ||
500 | #ifdef SYS_removexattr | ||
501 | "removexattr," | ||
502 | #endif | ||
503 | #ifdef SYS_rename | ||
504 | "rename," | ||
505 | #endif | ||
506 | #ifdef SYS_renameat | ||
507 | "renameat," | ||
508 | #endif | ||
509 | #ifdef SYS_renameat2 | ||
510 | "renameat2," | ||
511 | #endif | ||
512 | #ifdef SYS_rmdir | ||
513 | "rmdir," | ||
514 | #endif | ||
515 | #ifdef SYS_setxattr | ||
516 | "setxattr," | ||
517 | #endif | ||
518 | #ifdef SYS_stat | ||
519 | "stat," | ||
520 | #endif | ||
521 | #ifdef SYS_stat64 | ||
522 | "stat64," | ||
523 | #endif | ||
524 | #ifdef SYS_statfs | ||
525 | "statfs," | ||
526 | #endif | ||
527 | #ifdef SYS_statfs64 | ||
528 | "statfs64," | ||
529 | #endif | ||
530 | #ifdef SYS_statx | ||
531 | "statx," | ||
532 | #endif | ||
533 | #ifdef SYS_symlink | ||
534 | "symlink," | ||
535 | #endif | ||
536 | #ifdef SYS_symlinkat | ||
537 | "symlinkat," | ||
538 | #endif | ||
539 | #ifdef SYS_truncate | ||
540 | "truncate," | ||
541 | #endif | ||
542 | #ifdef SYS_truncate64 | ||
543 | "truncate64," | ||
544 | #endif | ||
545 | #ifdef SYS_unlink | ||
546 | "unlink," | ||
547 | #endif | ||
548 | #ifdef SYS_unlinkat | ||
549 | "unlinkat," | ||
550 | #endif | ||
551 | #ifdef SYS_utime | ||
552 | "utime," | ||
553 | #endif | ||
554 | #ifdef SYS_utimensat | ||
555 | "utimensat," | ||
556 | #endif | ||
557 | #ifdef SYS_utimes | ||
558 | "utimes" | ||
559 | #endif | ||
560 | }, | ||
561 | { .name = "@io-event", .list = | ||
562 | #ifdef SYS__newselect | ||
563 | "_newselect," | ||
564 | #endif | ||
565 | #ifdef SYS_epoll_create | ||
566 | "epoll_create," | ||
567 | #endif | ||
568 | #ifdef SYS_epoll_create1 | ||
569 | "epoll_create1," | ||
570 | #endif | ||
571 | #ifdef SYS_epoll_ctl | ||
572 | "epoll_ctl," | ||
573 | #endif | ||
574 | #ifdef SYS_epoll_ctl_old | ||
575 | "epoll_ctl_old," | ||
576 | #endif | ||
577 | #ifdef SYS_epoll_pwait | ||
578 | "epoll_pwait," | ||
579 | #endif | ||
580 | #ifdef SYS_epoll_wait | ||
581 | "epoll_wait," | ||
582 | #endif | ||
583 | #ifdef SYS_epoll_wait_old | ||
584 | "epoll_wait_old," | ||
585 | #endif | ||
586 | #ifdef SYS_eventfd | ||
587 | "eventfd," | ||
588 | #endif | ||
589 | #ifdef SYS_eventfd2 | ||
590 | "eventfd2," | ||
591 | #endif | ||
592 | #ifdef SYS_poll | ||
593 | "poll," | ||
594 | #endif | ||
595 | #ifdef SYS_ppoll | ||
596 | "ppoll," | ||
597 | #endif | ||
598 | #ifdef SYS_pselect6 | ||
599 | "pselect6," | ||
600 | #endif | ||
601 | #ifdef SYS_select | ||
602 | "select" | ||
603 | #endif | ||
604 | }, | ||
605 | { .name = "@ipc", .list = | ||
606 | #ifdef SYS_ipc | ||
607 | "ipc," | ||
608 | #endif | ||
609 | #ifdef SYS_memfd_create | ||
610 | "memfd_create," | ||
611 | #endif | ||
612 | #ifdef SYS_mq_getsetattr | ||
613 | "mq_getsetattr," | ||
614 | #endif | ||
615 | #ifdef SYS_mq_notify | ||
616 | "mq_notify," | ||
617 | #endif | ||
618 | #ifdef SYS_mq_open | ||
619 | "mq_open," | ||
620 | #endif | ||
621 | #ifdef SYS_mq_timedreceive | ||
622 | "mq_timedreceive," | ||
623 | #endif | ||
624 | #ifdef SYS_mq_timedsend | ||
625 | "mq_timedsend," | ||
626 | #endif | ||
627 | #ifdef SYS_mq_unlink | ||
628 | "mq_unlink," | ||
629 | #endif | ||
630 | #ifdef SYS_msgctl | ||
631 | "msgctl," | ||
632 | #endif | ||
633 | #ifdef SYS_msgget | ||
634 | "msgget," | ||
635 | #endif | ||
636 | #ifdef SYS_msgrcv | ||
637 | "msgrcv," | ||
638 | #endif | ||
639 | #ifdef SYS_msgsnd | ||
640 | "msgsnd," | ||
641 | #endif | ||
642 | #ifdef SYS_pipe | ||
643 | "pipe," | ||
644 | #endif | ||
645 | #ifdef SYS_pipe2 | ||
646 | "pipe2," | ||
647 | #endif | ||
648 | #ifdef SYS_process_vm_readv | ||
649 | "process_vm_readv," | ||
650 | #endif | ||
651 | #ifdef SYS_process_vm_writev | ||
652 | "process_vm_writev," | ||
653 | #endif | ||
654 | #ifdef SYS_semctl | ||
655 | "semctl," | ||
656 | #endif | ||
657 | #ifdef SYS_semget | ||
658 | "semget," | ||
659 | #endif | ||
660 | #ifdef SYS_semop | ||
661 | "semop," | ||
662 | #endif | ||
663 | #ifdef SYS_semtimedop | ||
664 | "semtimedop," | ||
665 | #endif | ||
666 | #ifdef SYS_shmat | ||
667 | "shmat," | ||
668 | #endif | ||
669 | #ifdef SYS_shmctl | ||
670 | "shmctl," | ||
671 | #endif | ||
672 | #ifdef SYS_shmdt | ||
673 | "shmdt," | ||
674 | #endif | ||
675 | #ifdef SYS_shmget | ||
676 | "shmget" | ||
677 | #endif | ||
678 | }, | ||
679 | { .name = "@keyring", .list = | ||
680 | #ifdef SYS_add_key | ||
681 | "add_key," | ||
682 | #endif | ||
683 | #ifdef SYS_keyctl | ||
684 | "keyctl," | ||
685 | #endif | ||
686 | #ifdef SYS_request_key | ||
687 | "request_key" | ||
688 | #endif | ||
689 | }, | ||
690 | { .name = "@memlock", .list = | ||
691 | #ifdef SYS_mlock | ||
692 | "mlock," | ||
693 | #endif | ||
694 | #ifdef SYS_mlock2 | ||
695 | "mlock2," | ||
696 | #endif | ||
697 | #ifdef SYS_mlockall | ||
698 | "mlockall," | ||
699 | #endif | ||
700 | #ifdef SYS_munlock | ||
701 | "munlock," | ||
702 | #endif | ||
703 | #ifdef SYS_munlockall | ||
704 | "munlockall" | ||
705 | #endif | ||
706 | }, | ||
193 | { .name = "@module", .list = | 707 | { .name = "@module", .list = |
194 | #ifdef SYS_delete_module | 708 | #ifdef SYS_delete_module |
195 | "delete_module," | 709 | "delete_module," |
@@ -201,6 +715,88 @@ static const SyscallGroupList sysgroups[] = { | |||
201 | "init_module" | 715 | "init_module" |
202 | #endif | 716 | #endif |
203 | }, | 717 | }, |
718 | { .name = "@mount", .list = | ||
719 | #ifdef SYS_chroot | ||
720 | "chroot," | ||
721 | #endif | ||
722 | #ifdef SYS_mount | ||
723 | "mount," | ||
724 | #endif | ||
725 | #ifdef SYS_pivot_root | ||
726 | "pivot_root," | ||
727 | #endif | ||
728 | #ifdef SYS_umount | ||
729 | "umount," | ||
730 | #endif | ||
731 | #ifdef SYS_umount2 | ||
732 | "umount2" | ||
733 | #endif | ||
734 | }, | ||
735 | { .name = "@network-io", .list = | ||
736 | #ifdef SYS_accept | ||
737 | "accept," | ||
738 | #endif | ||
739 | #ifdef SYS_accept4 | ||
740 | "accept4," | ||
741 | #endif | ||
742 | #ifdef SYS_bind | ||
743 | "bind," | ||
744 | #endif | ||
745 | #ifdef SYS_connect | ||
746 | "connect," | ||
747 | #endif | ||
748 | #ifdef SYS_getpeername | ||
749 | "getpeername," | ||
750 | #endif | ||
751 | #ifdef SYS_getsockname | ||
752 | "getsockname," | ||
753 | #endif | ||
754 | #ifdef SYS_getsockopt | ||
755 | "getsockopt," | ||
756 | #endif | ||
757 | #ifdef SYS_listen | ||
758 | "listen," | ||
759 | #endif | ||
760 | #ifdef SYS_recv | ||
761 | "recv," | ||
762 | #endif | ||
763 | #ifdef SYS_recvfrom | ||
764 | "recvfrom," | ||
765 | #endif | ||
766 | #ifdef SYS_recvmmsg | ||
767 | "recvmmsg," | ||
768 | #endif | ||
769 | #ifdef SYS_recvmsg | ||
770 | "recvmsg," | ||
771 | #endif | ||
772 | #ifdef SYS_send | ||
773 | "send," | ||
774 | #endif | ||
775 | #ifdef SYS_sendmmsg | ||
776 | "sendmmsg," | ||
777 | #endif | ||
778 | #ifdef SYS_sendmsg | ||
779 | "sendmsg," | ||
780 | #endif | ||
781 | #ifdef SYS_sendto | ||
782 | "sendto," | ||
783 | #endif | ||
784 | #ifdef SYS_setsockopt | ||
785 | "setsockopt," | ||
786 | #endif | ||
787 | #ifdef SYS_shutdown | ||
788 | "shutdown," | ||
789 | #endif | ||
790 | #ifdef SYS_socket | ||
791 | "socket," | ||
792 | #endif | ||
793 | #ifdef SYS_socketcall | ||
794 | "socketcall," | ||
795 | #endif | ||
796 | #ifdef SYS_socketpair | ||
797 | "socketpair" | ||
798 | #endif | ||
799 | }, | ||
204 | { .name = "@obsolete", .list = | 800 | { .name = "@obsolete", .list = |
205 | #ifdef SYS__sysctl | 801 | #ifdef SYS__sysctl |
206 | "_sysctl," | 802 | "_sysctl," |
@@ -229,6 +825,9 @@ static const SyscallGroupList sysgroups[] = { | |||
229 | #ifdef SYS_gtty | 825 | #ifdef SYS_gtty |
230 | "gtty," | 826 | "gtty," |
231 | #endif | 827 | #endif |
828 | #ifdef SYS_idle | ||
829 | "idle," | ||
830 | #endif | ||
232 | #ifdef SYS_lock | 831 | #ifdef SYS_lock |
233 | "lock," | 832 | "lock," |
234 | #endif | 833 | #endif |
@@ -282,35 +881,81 @@ static const SyscallGroupList sysgroups[] = { | |||
282 | #endif | 881 | #endif |
283 | }, | 882 | }, |
284 | { .name = "@privileged", .list = | 883 | { .name = "@privileged", .list = |
884 | "@chown," | ||
285 | "@clock," | 885 | "@clock," |
286 | "@module," | 886 | "@module," |
287 | "@raw-io," | 887 | "@raw-io," |
288 | "@reboot," | 888 | "@reboot," |
289 | "@swap," | 889 | "@swap," |
890 | #ifdef SYS__sysctl | ||
891 | "_sysctl," | ||
892 | #endif | ||
290 | #ifdef SYS_acct | 893 | #ifdef SYS_acct |
291 | "acct," | 894 | "acct," |
292 | #endif | 895 | #endif |
293 | #ifdef SYS_bpf | 896 | #ifdef SYS_bpf |
294 | "bpf," | 897 | "bpf," |
295 | #endif | 898 | #endif |
899 | #ifdef SYS_capset | ||
900 | "capset," | ||
901 | #endif | ||
296 | #ifdef SYS_chroot | 902 | #ifdef SYS_chroot |
297 | "chroot," | 903 | "chroot," |
298 | #endif | 904 | #endif |
905 | #ifdef SYS_fanotify_init | ||
906 | "fanotify_init," | ||
907 | #endif | ||
299 | #ifdef SYS_mount | 908 | #ifdef SYS_mount |
300 | "mount," | 909 | "mount," |
301 | #endif | 910 | #endif |
302 | #ifdef SYS_nfsservctl | 911 | #ifdef SYS_nfsservctl |
303 | "nfsservctl," | 912 | "nfsservctl," |
304 | #endif | 913 | #endif |
914 | #ifdef SYS_open_by_handle_at | ||
915 | "open_by_handle_at," | ||
916 | #endif | ||
305 | #ifdef SYS_pivot_root | 917 | #ifdef SYS_pivot_root |
306 | "pivot_root," | 918 | "pivot_root," |
307 | #endif | 919 | #endif |
920 | #ifdef SYS_quotactl | ||
921 | "quotactl," | ||
922 | #endif | ||
308 | #ifdef SYS_setdomainname | 923 | #ifdef SYS_setdomainname |
309 | "setdomainname," | 924 | "setdomainname," |
310 | #endif | 925 | #endif |
926 | #ifdef SYS_setfsuid | ||
927 | "setfsuid," | ||
928 | #endif | ||
929 | #ifdef SYS_setfsuid32 | ||
930 | "setfsuid32," | ||
931 | #endif | ||
932 | #ifdef SYS_setgroups | ||
933 | "setgroups," | ||
934 | #endif | ||
935 | #ifdef SYS_setgroups32 | ||
936 | "setgroups32," | ||
937 | #endif | ||
311 | #ifdef SYS_sethostname | 938 | #ifdef SYS_sethostname |
312 | "sethostname," | 939 | "sethostname," |
313 | #endif | 940 | #endif |
941 | #ifdef SYS_setresuid | ||
942 | "setresuid," | ||
943 | #endif | ||
944 | #ifdef SYS_setresuid32 | ||
945 | "setresuid32," | ||
946 | #endif | ||
947 | #ifdef SYS_setreuid | ||
948 | "setreuid," | ||
949 | #endif | ||
950 | #ifdef SYS_setreuid32 | ||
951 | "setreuid32," | ||
952 | #endif | ||
953 | #ifdef SYS_setuid | ||
954 | "setuid," | ||
955 | #endif | ||
956 | #ifdef SYS_setuid32 | ||
957 | "setuid32," | ||
958 | #endif | ||
314 | #ifdef SYS_umount2 | 959 | #ifdef SYS_umount2 |
315 | "umount2," | 960 | "umount2," |
316 | #endif | 961 | #endif |
@@ -318,6 +963,71 @@ static const SyscallGroupList sysgroups[] = { | |||
318 | "vhangup" | 963 | "vhangup" |
319 | #endif | 964 | #endif |
320 | }, | 965 | }, |
966 | { .name = "@process", .list = | ||
967 | #ifdef SYS_arch_prctl | ||
968 | "arch_prctl," | ||
969 | #endif | ||
970 | #ifdef SYS_capget | ||
971 | "capget," | ||
972 | #endif | ||
973 | #ifdef SYS_clone | ||
974 | "clone," | ||
975 | #endif | ||
976 | #ifdef SYS_execveat | ||
977 | "execveat," | ||
978 | #endif | ||
979 | #ifdef SYS_fork | ||
980 | "fork," | ||
981 | #endif | ||
982 | #ifdef SYS_getrusage | ||
983 | "getrusage," | ||
984 | #endif | ||
985 | #ifdef SYS_kill | ||
986 | "kill," | ||
987 | #endif | ||
988 | #ifdef SYS_pidfd_send_signal | ||
989 | "pidfd_send_signal," | ||
990 | #endif | ||
991 | #ifdef SYS_prctl | ||
992 | "prctl," | ||
993 | #endif | ||
994 | #ifdef SYS_rt_sigqueueinfo | ||
995 | "rt_sigqueueinfo," | ||
996 | #endif | ||
997 | #ifdef SYS_rt_tgsigqueueinfo | ||
998 | "rt_tgsigqueueinfo," | ||
999 | #endif | ||
1000 | #ifdef SYS_setns | ||
1001 | "setns," | ||
1002 | #endif | ||
1003 | #ifdef SYS_swapcontext | ||
1004 | "swapcontext," | ||
1005 | #endif | ||
1006 | #ifdef SYS_tgkill | ||
1007 | "tgkill," | ||
1008 | #endif | ||
1009 | #ifdef SYS_times | ||
1010 | "times," | ||
1011 | #endif | ||
1012 | #ifdef SYS_tkill | ||
1013 | "tkill," | ||
1014 | #endif | ||
1015 | #ifdef SYS_unshare | ||
1016 | "unshare," | ||
1017 | #endif | ||
1018 | #ifdef SYS_vfork | ||
1019 | "vfork," | ||
1020 | #endif | ||
1021 | #ifdef SYS_wait4 | ||
1022 | "wait4," | ||
1023 | #endif | ||
1024 | #ifdef SYS_waitid | ||
1025 | "waitid," | ||
1026 | #endif | ||
1027 | #ifdef SYS_waitpid | ||
1028 | "waitpid" | ||
1029 | #endif | ||
1030 | }, | ||
321 | { .name = "@raw-io", .list = | 1031 | { .name = "@raw-io", .list = |
322 | #ifdef SYS_ioperm | 1032 | #ifdef SYS_ioperm |
323 | "ioperm," | 1033 | "ioperm," |
@@ -356,8 +1066,11 @@ static const SyscallGroupList sysgroups[] = { | |||
356 | #endif | 1066 | #endif |
357 | }, | 1067 | }, |
358 | { .name = "@resources", .list = | 1068 | { .name = "@resources", .list = |
359 | #ifdef SYS_set_mempolicy | 1069 | #ifdef SYS_ioprio_set |
360 | "set_mempolicy," | 1070 | "ioprio_set," |
1071 | #endif | ||
1072 | #ifdef SYS_mbind | ||
1073 | "mbind," | ||
361 | #endif | 1074 | #endif |
362 | #ifdef SYS_migrate_pages | 1075 | #ifdef SYS_migrate_pages |
363 | "migrate_pages," | 1076 | "migrate_pages," |
@@ -365,8 +1078,108 @@ static const SyscallGroupList sysgroups[] = { | |||
365 | #ifdef SYS_move_pages | 1078 | #ifdef SYS_move_pages |
366 | "move_pages," | 1079 | "move_pages," |
367 | #endif | 1080 | #endif |
368 | #ifdef SYS_mbind | 1081 | #ifdef SYS_nice |
369 | "mbind" | 1082 | "nice," |
1083 | #endif | ||
1084 | #ifdef SYS_sched_setaffinity | ||
1085 | "sched_setaffinity," | ||
1086 | #endif | ||
1087 | #ifdef SYS_sched_setattr | ||
1088 | "sched_setattr," | ||
1089 | #endif | ||
1090 | #ifdef SYS_sched_setparam | ||
1091 | "sched_setparam," | ||
1092 | #endif | ||
1093 | #ifdef SYS_sched_setscheduler | ||
1094 | "sched_setscheduler," | ||
1095 | #endif | ||
1096 | #ifdef SYS_set_mempolicy | ||
1097 | "set_mempolicy" | ||
1098 | #endif | ||
1099 | }, | ||
1100 | { .name = "@setuid", .list = | ||
1101 | #ifdef SYS_setgid | ||
1102 | "setgid," | ||
1103 | #endif | ||
1104 | #ifdef SYS_setgid32 | ||
1105 | "setgid32," | ||
1106 | #endif | ||
1107 | #ifdef SYS_setgroups | ||
1108 | "setgroups," | ||
1109 | #endif | ||
1110 | #ifdef SYS_setgroups32 | ||
1111 | "setgroups32," | ||
1112 | #endif | ||
1113 | #ifdef SYS_setregid | ||
1114 | "setregid," | ||
1115 | #endif | ||
1116 | #ifdef SYS_setregid32 | ||
1117 | "setregid32," | ||
1118 | #endif | ||
1119 | #ifdef SYS_setresgid | ||
1120 | "setresgid," | ||
1121 | #endif | ||
1122 | #ifdef SYS_setresgid32 | ||
1123 | "setresgid32," | ||
1124 | #endif | ||
1125 | #ifdef SYS_setresuid | ||
1126 | "setresuid," | ||
1127 | #endif | ||
1128 | #ifdef SYS_setresuid32 | ||
1129 | "setresuid32," | ||
1130 | #endif | ||
1131 | #ifdef SYS_setreuid | ||
1132 | "setreuid," | ||
1133 | #endif | ||
1134 | #ifdef SYS_setreuid32 | ||
1135 | "setreuid32," | ||
1136 | #endif | ||
1137 | #ifdef SYS_setuid | ||
1138 | "setuid," | ||
1139 | #endif | ||
1140 | #ifdef SYS_setuid32 | ||
1141 | "setuid32" | ||
1142 | #endif | ||
1143 | }, | ||
1144 | { .name = "@signal", .list = | ||
1145 | #ifdef SYS_rt_sigaction | ||
1146 | "rt_sigaction," | ||
1147 | #endif | ||
1148 | #ifdef SYS_rt_sigpending | ||
1149 | "rt_sigpending," | ||
1150 | #endif | ||
1151 | #ifdef SYS_rt_sigprocmask | ||
1152 | "rt_sigprocmask," | ||
1153 | #endif | ||
1154 | #ifdef SYS_rt_sigsuspend | ||
1155 | "rt_sigsuspend," | ||
1156 | #endif | ||
1157 | #ifdef SYS_rt_sigtimedwait | ||
1158 | "rt_sigtimedwait," | ||
1159 | #endif | ||
1160 | #ifdef SYS_sigaction | ||
1161 | "sigaction," | ||
1162 | #endif | ||
1163 | #ifdef SYS_sigaltstack | ||
1164 | "sigaltstack," | ||
1165 | #endif | ||
1166 | #ifdef SYS_signal | ||
1167 | "signal," | ||
1168 | #endif | ||
1169 | #ifdef SYS_signalfd | ||
1170 | "signalfd," | ||
1171 | #endif | ||
1172 | #ifdef SYS_signalfd4 | ||
1173 | "signalfd4," | ||
1174 | #endif | ||
1175 | #ifdef SYS_sigpending | ||
1176 | "sigpending," | ||
1177 | #endif | ||
1178 | #ifdef SYS_sigprocmask | ||
1179 | "sigprocmask," | ||
1180 | #endif | ||
1181 | #ifdef SYS_sigsuspend | ||
1182 | "sigsuspend" | ||
370 | #endif | 1183 | #endif |
371 | }, | 1184 | }, |
372 | { .name = "@swap", .list = | 1185 | { .name = "@swap", .list = |
@@ -376,6 +1189,226 @@ static const SyscallGroupList sysgroups[] = { | |||
376 | #ifdef SYS_swapoff | 1189 | #ifdef SYS_swapoff |
377 | "swapoff" | 1190 | "swapoff" |
378 | #endif | 1191 | #endif |
1192 | }, | ||
1193 | { .name = "@sync", .list = | ||
1194 | #ifdef SYS_fdatasync | ||
1195 | "fdatasync," | ||
1196 | #endif | ||
1197 | #ifdef SYS_fsync | ||
1198 | "fsync," | ||
1199 | #endif | ||
1200 | #ifdef SYS_msync | ||
1201 | "msync," | ||
1202 | #endif | ||
1203 | #ifdef SYS_sync | ||
1204 | "sync," | ||
1205 | #endif | ||
1206 | #ifdef SYS_sync_file_range | ||
1207 | "sync_file_range," | ||
1208 | #endif | ||
1209 | #ifdef SYS_sync_file_range2 | ||
1210 | "sync_file_range2," | ||
1211 | #endif | ||
1212 | #ifdef SYS_syncfs | ||
1213 | "syncfs" | ||
1214 | #endif | ||
1215 | }, | ||
1216 | { .name = "@system-service", .list = | ||
1217 | "@aio," | ||
1218 | "@basic-io," | ||
1219 | "@chown," | ||
1220 | "@default," | ||
1221 | "@file-system," | ||
1222 | "@io-event," | ||
1223 | "@ipc," | ||
1224 | "@keyring," | ||
1225 | "@memlock," | ||
1226 | "@network-io," | ||
1227 | "@process," | ||
1228 | "@resources," | ||
1229 | "@setuid," | ||
1230 | "@signal," | ||
1231 | "@sync," | ||
1232 | "@timer," | ||
1233 | #ifdef SYS_brk | ||
1234 | "brk," | ||
1235 | #endif | ||
1236 | #ifdef SYS_capget | ||
1237 | "capget," | ||
1238 | #endif | ||
1239 | #ifdef SYS_capset | ||
1240 | "capset," | ||
1241 | #endif | ||
1242 | #ifdef SYS_copy_file_range | ||
1243 | "copy_file_range," | ||
1244 | #endif | ||
1245 | #ifdef SYS_fadvise64 | ||
1246 | "fadvise64," | ||
1247 | #endif | ||
1248 | #ifdef SYS_fadvise64_64 | ||
1249 | "fadvise64_64," | ||
1250 | #endif | ||
1251 | #ifdef SYS_flock | ||
1252 | "flock," | ||
1253 | #endif | ||
1254 | #ifdef SYS_get_mempolicy | ||
1255 | "get_mempolicy," | ||
1256 | #endif | ||
1257 | #ifdef SYS_getcpu | ||
1258 | "getcpu," | ||
1259 | #endif | ||
1260 | #ifdef SYS_getpriority | ||
1261 | "getpriority," | ||
1262 | #endif | ||
1263 | #ifdef SYS_getrandom | ||
1264 | "getrandom," | ||
1265 | #endif | ||
1266 | #ifdef SYS_ioctl | ||
1267 | "ioctl," | ||
1268 | #endif | ||
1269 | #ifdef SYS_ioprio_get | ||
1270 | "ioprio_get," | ||
1271 | #endif | ||
1272 | #ifdef SYS_kcmp | ||
1273 | "kcmp," | ||
1274 | #endif | ||
1275 | #ifdef SYS_madvise | ||
1276 | "madvise," | ||
1277 | #endif | ||
1278 | #ifdef SYS_mprotect | ||
1279 | "mprotect," | ||
1280 | #endif | ||
1281 | #ifdef SYS_mremap | ||
1282 | "mremap," | ||
1283 | #endif | ||
1284 | #ifdef SYS_name_to_handle_at | ||
1285 | "name_to_handle_at," | ||
1286 | #endif | ||
1287 | #ifdef SYS_oldolduname | ||
1288 | "oldolduname," | ||
1289 | #endif | ||
1290 | #ifdef SYS_olduname | ||
1291 | "olduname," | ||
1292 | #endif | ||
1293 | #ifdef SYS_personality | ||
1294 | "personality," | ||
1295 | #endif | ||
1296 | #ifdef SYS_readahead | ||
1297 | "readahead," | ||
1298 | #endif | ||
1299 | #ifdef SYS_readdir | ||
1300 | "readdir," | ||
1301 | #endif | ||
1302 | #ifdef SYS_remap_file_pages | ||
1303 | "remap_file_pages," | ||
1304 | #endif | ||
1305 | #ifdef SYS_sched_get_priority_max | ||
1306 | "sched_get_priority_max," | ||
1307 | #endif | ||
1308 | #ifdef SYS_sched_get_priority_min | ||
1309 | "sched_get_priority_min," | ||
1310 | #endif | ||
1311 | #ifdef SYS_sched_getaffinity | ||
1312 | "sched_getaffinity," | ||
1313 | #endif | ||
1314 | #ifdef SYS_sched_getattr | ||
1315 | "sched_getattr," | ||
1316 | #endif | ||
1317 | #ifdef SYS_sched_getparam | ||
1318 | "sched_getparam," | ||
1319 | #endif | ||
1320 | #ifdef SYS_sched_getscheduler | ||
1321 | "sched_getscheduler," | ||
1322 | #endif | ||
1323 | #ifdef SYS_sched_rr_get_interval | ||
1324 | "sched_rr_get_interval," | ||
1325 | #endif | ||
1326 | #ifdef SYS_sched_yield | ||
1327 | "sched_yield," | ||
1328 | #endif | ||
1329 | #ifdef SYS_sendfile | ||
1330 | "sendfile," | ||
1331 | #endif | ||
1332 | #ifdef SYS_sendfile64 | ||
1333 | "sendfile64," | ||
1334 | #endif | ||
1335 | #ifdef SYS_setfsgid | ||
1336 | "setfsgid," | ||
1337 | #endif | ||
1338 | #ifdef SYS_setfsgid32 | ||
1339 | "setfsgid32," | ||
1340 | #endif | ||
1341 | #ifdef SYS_setfsuid | ||
1342 | "setfsuid," | ||
1343 | #endif | ||
1344 | #ifdef SYS_setfsuid32 | ||
1345 | "setfsuid32," | ||
1346 | #endif | ||
1347 | #ifdef SYS_setpgid | ||
1348 | "setpgid," | ||
1349 | #endif | ||
1350 | #ifdef SYS_setsid | ||
1351 | "setsid," | ||
1352 | #endif | ||
1353 | #ifdef SYS_splice | ||
1354 | "splice," | ||
1355 | #endif | ||
1356 | #ifdef SYS_sysinfo | ||
1357 | "sysinfo," | ||
1358 | #endif | ||
1359 | #ifdef SYS_tee | ||
1360 | "tee," | ||
1361 | #endif | ||
1362 | #ifdef SYS_umask | ||
1363 | "umask," | ||
1364 | #endif | ||
1365 | #ifdef SYS_uname | ||
1366 | "uname," | ||
1367 | #endif | ||
1368 | #ifdef SYS_userfaultfd | ||
1369 | "userfaultfd," | ||
1370 | #endif | ||
1371 | #ifdef SYS_vmsplice | ||
1372 | "vmsplice" | ||
1373 | #endif | ||
1374 | }, | ||
1375 | { .name = "@timer", .list = | ||
1376 | #ifdef SYS_alarm | ||
1377 | "alarm," | ||
1378 | #endif | ||
1379 | #ifdef SYS_getitimer | ||
1380 | "getitimer," | ||
1381 | #endif | ||
1382 | #ifdef SYS_setitimer | ||
1383 | "setitimer," | ||
1384 | #endif | ||
1385 | #ifdef SYS_timer_create | ||
1386 | "timer_create," | ||
1387 | #endif | ||
1388 | #ifdef SYS_timer_delete | ||
1389 | "timer_delete," | ||
1390 | #endif | ||
1391 | #ifdef SYS_timer_getoverrun | ||
1392 | "timer_getoverrun," | ||
1393 | #endif | ||
1394 | #ifdef SYS_timer_gettime | ||
1395 | "timer_gettime," | ||
1396 | #endif | ||
1397 | #ifdef SYS_timer_settime | ||
1398 | "timer_settime," | ||
1399 | #endif | ||
1400 | #ifdef SYS_timerfd_create | ||
1401 | "timerfd_create," | ||
1402 | #endif | ||
1403 | #ifdef SYS_timerfd_gettime | ||
1404 | "timerfd_gettime," | ||
1405 | #endif | ||
1406 | #ifdef SYS_timerfd_settime | ||
1407 | "timerfd_settime," | ||
1408 | #endif | ||
1409 | #ifdef SYS_times | ||
1410 | "times" | ||
1411 | #endif | ||
379 | } | 1412 | } |
380 | }; | 1413 | }; |
381 | 1414 | ||
@@ -497,9 +1530,17 @@ int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall, | |||
497 | syscall_check_list(new_list, callback, fd, arg, ptrarg); | 1530 | syscall_check_list(new_list, callback, fd, arg, ptrarg); |
498 | } | 1531 | } |
499 | else { | 1532 | else { |
1533 | bool negate = false; | ||
1534 | if (*ptr == '!') { | ||
1535 | negate = true; | ||
1536 | ptr++; | ||
1537 | } | ||
500 | syscall_process_name(ptr, &syscall_nr, &error_nr); | 1538 | syscall_process_name(ptr, &syscall_nr, &error_nr); |
501 | if (syscall_nr == -1) {;} | 1539 | if (syscall_nr == -1) {;} |
502 | else if (callback != NULL) { | 1540 | else if (callback != NULL) { |
1541 | if (negate) { | ||
1542 | syscall_nr = -syscall_nr; | ||
1543 | } | ||
503 | if (error_nr != -1 && fd != 0) { | 1544 | if (error_nr != -1 && fd != 0) { |
504 | filter_add_errno(fd, syscall_nr, error_nr, ptrarg); | 1545 | filter_add_errno(fd, syscall_nr, error_nr, ptrarg); |
505 | } | 1546 | } |
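Review bot: Encoding negation as `syscall_nr = -syscall_nr;` (new-side line 1542) loses the `!` for syscall number 0, since -0 == 0; on x86_64 `read` is syscall 0, so `!read` becomes indistinguishable from `read` for every consumer, including the `abs(syscall) == ptr->syscall` comparison the following hunk adds to find_syscall. Negation also yields -1 for syscall 1 (`write` on x86_64), which coincides with the -1 not-found sentinel checked on line 1539; whether any downstream consumer reuses that sentinel is not visible here, so this part is inferred. A representation that keeps 0 distinct is needed, e.g. `syscall_nr = -(syscall_nr + 1);` here with the matching decode `(-syscall - 1)` in find_syscall. syscall_check_list begins outside the hunk.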
@@ -522,7 +1563,7 @@ static void find_syscall(int fd, int syscall, int arg, void *ptrarg) { | |||
522 | (void)fd; | 1563 | (void)fd; |
523 | (void) arg; | 1564 | (void) arg; |
524 | SyscallCheckList *ptr = ptrarg; | 1565 | SyscallCheckList *ptr = ptrarg; |
525 | if (syscall == ptr->syscall) | 1566 | if (abs(syscall) == ptr->syscall) |
526 | ptr->found = true; | 1567 | ptr->found = true; |
527 | } | 1568 | } |
528 | 1569 | ||
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c index 60fdb5470..745dd2260 100644 --- a/src/libtrace/libtrace.c +++ b/src/libtrace/libtrace.c | |||
@@ -34,6 +34,13 @@ | |||
34 | #include <dirent.h> | 34 | #include <dirent.h> |
35 | #include <limits.h> | 35 | #include <limits.h> |
36 | 36 | ||
37 | #define tprintf(fp, args...) \ | ||
38 | do { \ | ||
39 | if (!fp)\ | ||
40 | init(); \ | ||
41 | fprintf(fp, args); \ | ||
42 | } while(0) | ||
43 | |||
37 | // break recursivity on fopen call | 44 | // break recursivity on fopen call |
38 | typedef FILE *(*orig_fopen_t)(const char *pathname, const char *mode); | 45 | typedef FILE *(*orig_fopen_t)(const char *pathname, const char *mode); |
39 | static orig_fopen_t orig_fopen = NULL; | 46 | static orig_fopen_t orig_fopen = NULL; |
@@ -43,6 +50,10 @@ static orig_fopen64_t orig_fopen64 = NULL; | |||
43 | // | 50 | // |
44 | // library constructor/destructor | 51 | // library constructor/destructor |
45 | // | 52 | // |
53 | // Replacing printf with fprintf to /dev/tty in order to fix #561 | ||
54 | // If you really want to turn it off, comment the following line, but its a | ||
55 | // really bad idea. | ||
56 | #define PRINTF_DEVTTY | ||
46 | static FILE *ftty = NULL; | 57 | static FILE *ftty = NULL; |
47 | static pid_t mypid = 0; | 58 | static pid_t mypid = 0; |
48 | #define MAXNAME 16 | 59 | #define MAXNAME 16 |
@@ -50,10 +61,18 @@ static char myname[MAXNAME] = {'\0', }; | |||
50 | 61 | ||
51 | static void init(void) __attribute__((constructor)); | 62 | static void init(void) __attribute__((constructor)); |
52 | void init(void) { | 63 | void init(void) { |
64 | if (ftty) | ||
65 | return; | ||
66 | |||
53 | orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen"); | 67 | orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen"); |
54 | 68 | ||
55 | // tty | 69 | // tty |
70 | #ifdef PRINTF_DEVTTY | ||
56 | ftty = orig_fopen("/dev/tty", "w"); | 71 | ftty = orig_fopen("/dev/tty", "w"); |
72 | #else | ||
73 | ftty = stderr; | ||
74 | #endif | ||
75 | tprintf(ftty, "=== tracelib init() === \n"); | ||
57 | 76 | ||
58 | // pid | 77 | // pid |
59 | mypid = getpid(); | 78 | mypid = getpid(); |
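Review bot: init() recurses without bound when `/dev/tty` cannot be opened: the new `tprintf(ftty, "=== tracelib init() === \n");` on new-side line 75 sees `ftty` still NULL after a failed orig_fopen on line 71, the tprintf macro (defined in the first hunk of this file) then calls init() again, which passes the `if (ftty) return;` guard and reaches the same tprintf, and so on until the stack overflows; every later hook would likewise end in `fprintf(NULL, ...)`. A traced process without a controlling terminal, or one where /dev/tty is not reachable, would therefore crash merely by being traced. A fallback directly after line 71, inside the `#ifdef PRINTF_DEVTTY` branch, keeps both paths safe: `if (!ftty) ftty = stderr;`. Minor: `args...` in the tprintf macro is a GNU named-variadic extension; `...` with `__VA_ARGS__` is the standard spelling and behaves the same here.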
@@ -226,23 +245,23 @@ static char *translate(XTable *table, int val) { | |||
226 | static void print_sockaddr(int sockfd, const char *call, const struct sockaddr *addr, int rv) { | 245 | static void print_sockaddr(int sockfd, const char *call, const struct sockaddr *addr, int rv) { |
227 | if (addr->sa_family == AF_INET) { | 246 | if (addr->sa_family == AF_INET) { |
228 | struct sockaddr_in *a = (struct sockaddr_in *) addr; | 247 | struct sockaddr_in *a = (struct sockaddr_in *) addr; |
229 | fprintf(ftty, "%u:%s:%s %d %s port %u:%d\n", mypid, myname, call, sockfd, inet_ntoa(a->sin_addr), ntohs(a->sin_port), rv); | 248 | tprintf(ftty, "%u:%s:%s %d %s port %u:%d\n", mypid, myname, call, sockfd, inet_ntoa(a->sin_addr), ntohs(a->sin_port), rv); |
230 | } | 249 | } |
231 | else if (addr->sa_family == AF_INET6) { | 250 | else if (addr->sa_family == AF_INET6) { |
232 | struct sockaddr_in6 *a = (struct sockaddr_in6 *) addr; | 251 | struct sockaddr_in6 *a = (struct sockaddr_in6 *) addr; |
233 | char str[INET6_ADDRSTRLEN]; | 252 | char str[INET6_ADDRSTRLEN]; |
234 | inet_ntop(AF_INET6, &(a->sin6_addr), str, INET6_ADDRSTRLEN); | 253 | inet_ntop(AF_INET6, &(a->sin6_addr), str, INET6_ADDRSTRLEN); |
235 | fprintf(ftty, "%u:%s:%s %d %s:%d\n", mypid, myname, call, sockfd, str, rv); | 254 | tprintf(ftty, "%u:%s:%s %d %s:%d\n", mypid, myname, call, sockfd, str, rv); |
236 | } | 255 | } |
237 | else if (addr->sa_family == AF_UNIX) { | 256 | else if (addr->sa_family == AF_UNIX) { |
238 | struct sockaddr_un *a = (struct sockaddr_un *) addr; | 257 | struct sockaddr_un *a = (struct sockaddr_un *) addr; |
239 | if (a->sun_path[0]) | 258 | if (a->sun_path[0]) |
240 | fprintf(ftty, "%u:%s:%s %d %s:%d\n", mypid, myname, call, sockfd, a->sun_path, rv); | 259 | tprintf(ftty, "%u:%s:%s %d %s:%d\n", mypid, myname, call, sockfd, a->sun_path, rv); |
241 | else | 260 | else |
242 | fprintf(ftty, "%u:%s:%s %d @%s:%d\n", mypid, myname, call, sockfd, a->sun_path + 1, rv); | 261 | tprintf(ftty, "%u:%s:%s %d @%s:%d\n", mypid, myname, call, sockfd, a->sun_path + 1, rv); |
243 | } | 262 | } |
244 | else { | 263 | else { |
245 | fprintf(ftty, "%u:%s:%s %d family %d:%d\n", mypid, myname, call, sockfd, addr->sa_family, rv); | 264 | tprintf(ftty, "%u:%s:%s %d family %d:%d\n", mypid, myname, call, sockfd, addr->sa_family, rv); |
246 | } | 265 | } |
247 | } | 266 | } |
248 | 267 | ||
@@ -258,7 +277,7 @@ int open(const char *pathname, int flags, mode_t mode) { | |||
258 | orig_open = (orig_open_t)dlsym(RTLD_NEXT, "open"); | 277 | orig_open = (orig_open_t)dlsym(RTLD_NEXT, "open"); |
259 | 278 | ||
260 | int rv = orig_open(pathname, flags, mode); | 279 | int rv = orig_open(pathname, flags, mode); |
261 | fprintf(ftty, "%u:%s:open %s:%d\n", mypid, myname, pathname, rv); | 280 | tprintf(ftty, "%u:%s:open %s:%d\n", mypid, myname, pathname, rv); |
262 | return rv; | 281 | return rv; |
263 | } | 282 | } |
264 | 283 | ||
@@ -269,7 +288,7 @@ int open64(const char *pathname, int flags, mode_t mode) { | |||
269 | orig_open64 = (orig_open64_t)dlsym(RTLD_NEXT, "open64"); | 288 | orig_open64 = (orig_open64_t)dlsym(RTLD_NEXT, "open64"); |
270 | 289 | ||
271 | int rv = orig_open64(pathname, flags, mode); | 290 | int rv = orig_open64(pathname, flags, mode); |
272 | fprintf(ftty, "%u:%s:open64 %s:%d\n", mypid, myname, pathname, rv); | 291 | tprintf(ftty, "%u:%s:open64 %s:%d\n", mypid, myname, pathname, rv); |
273 | return rv; | 292 | return rv; |
274 | } | 293 | } |
275 | 294 | ||
@@ -281,7 +300,7 @@ int openat(int dirfd, const char *pathname, int flags, mode_t mode) { | |||
281 | orig_openat = (orig_openat_t)dlsym(RTLD_NEXT, "openat"); | 300 | orig_openat = (orig_openat_t)dlsym(RTLD_NEXT, "openat"); |
282 | 301 | ||
283 | int rv = orig_openat(dirfd, pathname, flags, mode); | 302 | int rv = orig_openat(dirfd, pathname, flags, mode); |
284 | fprintf(ftty, "%u:%s:openat %s:%d\n", mypid, myname, pathname, rv); | 303 | tprintf(ftty, "%u:%s:openat %s:%d\n", mypid, myname, pathname, rv); |
285 | return rv; | 304 | return rv; |
286 | } | 305 | } |
287 | 306 | ||
@@ -292,7 +311,7 @@ int openat64(int dirfd, const char *pathname, int flags, mode_t mode) { | |||
292 | orig_openat64 = (orig_openat64_t)dlsym(RTLD_NEXT, "openat64"); | 311 | orig_openat64 = (orig_openat64_t)dlsym(RTLD_NEXT, "openat64"); |
293 | 312 | ||
294 | int rv = orig_openat64(dirfd, pathname, flags, mode); | 313 | int rv = orig_openat64(dirfd, pathname, flags, mode); |
295 | fprintf(ftty, "%u:%s:openat64 %s:%d\n", mypid, myname, pathname, rv); | 314 | tprintf(ftty, "%u:%s:openat64 %s:%d\n", mypid, myname, pathname, rv); |
296 | return rv; | 315 | return rv; |
297 | } | 316 | } |
298 | 317 | ||
@@ -303,7 +322,7 @@ FILE *fopen(const char *pathname, const char *mode) { | |||
303 | orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen"); | 322 | orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen"); |
304 | 323 | ||
305 | FILE *rv = orig_fopen(pathname, mode); | 324 | FILE *rv = orig_fopen(pathname, mode); |
306 | fprintf(ftty, "%u:%s:fopen %s:%p\n", mypid, myname, pathname, rv); | 325 | tprintf(ftty, "%u:%s:fopen %s:%p\n", mypid, myname, pathname, rv); |
307 | return rv; | 326 | return rv; |
308 | } | 327 | } |
309 | 328 | ||
@@ -313,7 +332,7 @@ FILE *fopen64(const char *pathname, const char *mode) { | |||
313 | orig_fopen64 = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen64"); | 332 | orig_fopen64 = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen64"); |
314 | 333 | ||
315 | FILE *rv = orig_fopen64(pathname, mode); | 334 | FILE *rv = orig_fopen64(pathname, mode); |
316 | fprintf(ftty, "%u:%s:fopen64 %s:%p\n", mypid, myname, pathname, rv); | 335 | tprintf(ftty, "%u:%s:fopen64 %s:%p\n", mypid, myname, pathname, rv); |
317 | return rv; | 336 | return rv; |
318 | } | 337 | } |
319 | #endif /* __GLIBC__ */ | 338 | #endif /* __GLIBC__ */ |
@@ -327,7 +346,7 @@ FILE *freopen(const char *pathname, const char *mode, FILE *stream) { | |||
327 | orig_freopen = (orig_freopen_t)dlsym(RTLD_NEXT, "freopen"); | 346 | orig_freopen = (orig_freopen_t)dlsym(RTLD_NEXT, "freopen"); |
328 | 347 | ||
329 | FILE *rv = orig_freopen(pathname, mode, stream); | 348 | FILE *rv = orig_freopen(pathname, mode, stream); |
330 | fprintf(ftty, "%u:%s:freopen %s:%p\n", mypid, myname, pathname, rv); | 349 | tprintf(ftty, "%u:%s:freopen %s:%p\n", mypid, myname, pathname, rv); |
331 | return rv; | 350 | return rv; |
332 | } | 351 | } |
333 | 352 | ||
@@ -339,7 +358,7 @@ FILE *freopen64(const char *pathname, const char *mode, FILE *stream) { | |||
339 | orig_freopen64 = (orig_freopen64_t)dlsym(RTLD_NEXT, "freopen64"); | 358 | orig_freopen64 = (orig_freopen64_t)dlsym(RTLD_NEXT, "freopen64"); |
340 | 359 | ||
341 | FILE *rv = orig_freopen64(pathname, mode, stream); | 360 | FILE *rv = orig_freopen64(pathname, mode, stream); |
342 | fprintf(ftty, "%u:%s:freopen64 %s:%p\n", mypid, myname, pathname, rv); | 361 | tprintf(ftty, "%u:%s:freopen64 %s:%p\n", mypid, myname, pathname, rv); |
343 | return rv; | 362 | return rv; |
344 | } | 363 | } |
345 | #endif /* __GLIBC__ */ | 364 | #endif /* __GLIBC__ */ |
@@ -352,7 +371,7 @@ int unlink(const char *pathname) { | |||
352 | orig_unlink = (orig_unlink_t)dlsym(RTLD_NEXT, "unlink"); | 371 | orig_unlink = (orig_unlink_t)dlsym(RTLD_NEXT, "unlink"); |
353 | 372 | ||
354 | int rv = orig_unlink(pathname); | 373 | int rv = orig_unlink(pathname); |
355 | fprintf(ftty, "%u:%s:unlink %s:%d\n", mypid, myname, pathname, rv); | 374 | tprintf(ftty, "%u:%s:unlink %s:%d\n", mypid, myname, pathname, rv); |
356 | return rv; | 375 | return rv; |
357 | } | 376 | } |
358 | 377 | ||
@@ -363,7 +382,7 @@ int unlinkat(int dirfd, const char *pathname, int flags) { | |||
363 | orig_unlinkat = (orig_unlinkat_t)dlsym(RTLD_NEXT, "unlinkat"); | 382 | orig_unlinkat = (orig_unlinkat_t)dlsym(RTLD_NEXT, "unlinkat"); |
364 | 383 | ||
365 | int rv = orig_unlinkat(dirfd, pathname, flags); | 384 | int rv = orig_unlinkat(dirfd, pathname, flags); |
366 | fprintf(ftty, "%u:%s:unlinkat %s:%d\n", mypid, myname, pathname, rv); | 385 | tprintf(ftty, "%u:%s:unlinkat %s:%d\n", mypid, myname, pathname, rv); |
367 | return rv; | 386 | return rv; |
368 | } | 387 | } |
369 | 388 | ||
@@ -375,7 +394,7 @@ int mkdir(const char *pathname, mode_t mode) { | |||
375 | orig_mkdir = (orig_mkdir_t)dlsym(RTLD_NEXT, "mkdir"); | 394 | orig_mkdir = (orig_mkdir_t)dlsym(RTLD_NEXT, "mkdir"); |
376 | 395 | ||
377 | int rv = orig_mkdir(pathname, mode); | 396 | int rv = orig_mkdir(pathname, mode); |
378 | fprintf(ftty, "%u:%s:mkdir %s:%d\n", mypid, myname, pathname, rv); | 397 | tprintf(ftty, "%u:%s:mkdir %s:%d\n", mypid, myname, pathname, rv); |
379 | return rv; | 398 | return rv; |
380 | } | 399 | } |
381 | 400 | ||
@@ -386,7 +405,7 @@ int mkdirat(int dirfd, const char *pathname, mode_t mode) { | |||
386 | orig_mkdirat = (orig_mkdirat_t)dlsym(RTLD_NEXT, "mkdirat"); | 405 | orig_mkdirat = (orig_mkdirat_t)dlsym(RTLD_NEXT, "mkdirat"); |
387 | 406 | ||
388 | int rv = orig_mkdirat(dirfd, pathname, mode); | 407 | int rv = orig_mkdirat(dirfd, pathname, mode); |
389 | fprintf(ftty, "%u:%s:mkdirat %s:%d\n", mypid, myname, pathname, rv); | 408 | tprintf(ftty, "%u:%s:mkdirat %s:%d\n", mypid, myname, pathname, rv); |
390 | return rv; | 409 | return rv; |
391 | } | 410 | } |
392 | 411 | ||
@@ -397,7 +416,7 @@ int rmdir(const char *pathname) { | |||
397 | orig_rmdir = (orig_rmdir_t)dlsym(RTLD_NEXT, "rmdir"); | 416 | orig_rmdir = (orig_rmdir_t)dlsym(RTLD_NEXT, "rmdir"); |
398 | 417 | ||
399 | int rv = orig_rmdir(pathname); | 418 | int rv = orig_rmdir(pathname); |
400 | fprintf(ftty, "%u:%s:rmdir %s:%d\n", mypid, myname, pathname, rv); | 419 | tprintf(ftty, "%u:%s:rmdir %s:%d\n", mypid, myname, pathname, rv); |
401 | return rv; | 420 | return rv; |
402 | } | 421 | } |
403 | 422 | ||
@@ -409,7 +428,7 @@ int stat(const char *pathname, struct stat *statbuf) { | |||
409 | orig_stat = (orig_stat_t)dlsym(RTLD_NEXT, "stat"); | 428 | orig_stat = (orig_stat_t)dlsym(RTLD_NEXT, "stat"); |
410 | 429 | ||
411 | int rv = orig_stat(pathname, statbuf); | 430 | int rv = orig_stat(pathname, statbuf); |
412 | fprintf(ftty, "%u:%s:stat %s:%d\n", mypid, myname, pathname, rv); | 431 | tprintf(ftty, "%u:%s:stat %s:%d\n", mypid, myname, pathname, rv); |
413 | return rv; | 432 | return rv; |
414 | } | 433 | } |
415 | 434 | ||
@@ -421,7 +440,7 @@ int stat64(const char *pathname, struct stat64 *statbuf) { | |||
421 | orig_stat64 = (orig_stat64_t)dlsym(RTLD_NEXT, "stat64"); | 440 | orig_stat64 = (orig_stat64_t)dlsym(RTLD_NEXT, "stat64"); |
422 | 441 | ||
423 | int rv = orig_stat64(pathname, statbuf); | 442 | int rv = orig_stat64(pathname, statbuf); |
424 | fprintf(ftty, "%u:%s:stat64 %s:%d\n", mypid, myname, pathname, rv); | 443 | tprintf(ftty, "%u:%s:stat64 %s:%d\n", mypid, myname, pathname, rv); |
425 | return rv; | 444 | return rv; |
426 | } | 445 | } |
427 | #endif /* __GLIBC__ */ | 446 | #endif /* __GLIBC__ */ |
@@ -434,7 +453,7 @@ int lstat(const char *pathname, struct stat *statbuf) { | |||
434 | orig_lstat = (orig_lstat_t)dlsym(RTLD_NEXT, "lstat"); | 453 | orig_lstat = (orig_lstat_t)dlsym(RTLD_NEXT, "lstat"); |
435 | 454 | ||
436 | int rv = orig_lstat(pathname, statbuf); | 455 | int rv = orig_lstat(pathname, statbuf); |
437 | fprintf(ftty, "%u:%s:lstat %s:%d\n", mypid, myname, pathname, rv); | 456 | tprintf(ftty, "%u:%s:lstat %s:%d\n", mypid, myname, pathname, rv); |
438 | return rv; | 457 | return rv; |
439 | } | 458 | } |
440 | 459 | ||
@@ -446,7 +465,7 @@ int lstat64(const char *pathname, struct stat64 *statbuf) { | |||
446 | orig_lstat64 = (orig_lstat64_t)dlsym(RTLD_NEXT, "lstat64"); | 465 | orig_lstat64 = (orig_lstat64_t)dlsym(RTLD_NEXT, "lstat64"); |
447 | 466 | ||
448 | int rv = orig_lstat64(pathname, statbuf); | 467 | int rv = orig_lstat64(pathname, statbuf); |
449 | fprintf(ftty, "%u:%s:lstat64 %s:%d\n", mypid, myname, pathname, rv); | 468 | tprintf(ftty, "%u:%s:lstat64 %s:%d\n", mypid, myname, pathname, rv); |
450 | return rv; | 469 | return rv; |
451 | } | 470 | } |
452 | #endif /* __GLIBC__ */ | 471 | #endif /* __GLIBC__ */ |
@@ -459,7 +478,7 @@ DIR *opendir(const char *pathname) { | |||
459 | orig_opendir = (orig_opendir_t)dlsym(RTLD_NEXT, "opendir"); | 478 | orig_opendir = (orig_opendir_t)dlsym(RTLD_NEXT, "opendir"); |
460 | 479 | ||
461 | DIR *rv = orig_opendir(pathname); | 480 | DIR *rv = orig_opendir(pathname); |
462 | fprintf(ftty, "%u:%s:opendir %s:%p\n", mypid, myname, pathname, rv); | 481 | tprintf(ftty, "%u:%s:opendir %s:%p\n", mypid, myname, pathname, rv); |
463 | return rv; | 482 | return rv; |
464 | } | 483 | } |
465 | 484 | ||
@@ -471,7 +490,7 @@ int access(const char *pathname, int mode) { | |||
471 | orig_access = (orig_access_t)dlsym(RTLD_NEXT, "access"); | 490 | orig_access = (orig_access_t)dlsym(RTLD_NEXT, "access"); |
472 | 491 | ||
473 | int rv = orig_access(pathname, mode); | 492 | int rv = orig_access(pathname, mode); |
474 | fprintf(ftty, "%u:%s:access %s:%d\n", mypid, myname, pathname, rv); | 493 | tprintf(ftty, "%u:%s:access %s:%d\n", mypid, myname, pathname, rv); |
475 | return rv; | 494 | return rv; |
476 | } | 495 | } |
477 | 496 | ||
@@ -529,7 +548,7 @@ int socket(int domain, int type, int protocol) { | |||
529 | sprintf(ptr, "%s", str); | 548 | sprintf(ptr, "%s", str); |
530 | } | 549 | } |
531 | 550 | ||
532 | fprintf(ftty, "%s:%d\n", socketbuf, rv); | 551 | tprintf(ftty, "%s:%d\n", socketbuf, rv); |
533 | return rv; | 552 | return rv; |
534 | } | 553 | } |
535 | 554 | ||
@@ -567,7 +586,7 @@ int system(const char *command) { | |||
567 | orig_system = (orig_system_t)dlsym(RTLD_NEXT, "system"); | 586 | orig_system = (orig_system_t)dlsym(RTLD_NEXT, "system"); |
568 | 587 | ||
569 | int rv = orig_system(command); | 588 | int rv = orig_system(command); |
570 | fprintf(ftty, "%u:%s:system %s:%d\n", mypid, myname, command, rv); | 589 | tprintf(ftty, "%u:%s:system %s:%d\n", mypid, myname, command, rv); |
571 | 590 | ||
572 | return rv; | 591 | return rv; |
573 | } | 592 | } |
@@ -579,7 +598,7 @@ int setuid(uid_t uid) { | |||
579 | orig_setuid = (orig_setuid_t)dlsym(RTLD_NEXT, "setuid"); | 598 | orig_setuid = (orig_setuid_t)dlsym(RTLD_NEXT, "setuid"); |
580 | 599 | ||
581 | int rv = orig_setuid(uid); | 600 | int rv = orig_setuid(uid); |
582 | fprintf(ftty, "%u:%s:setuid %d:%d\n", mypid, myname, uid, rv); | 601 | tprintf(ftty, "%u:%s:setuid %d:%d\n", mypid, myname, uid, rv); |
583 | 602 | ||
584 | return rv; | 603 | return rv; |
585 | } | 604 | } |
@@ -591,7 +610,7 @@ int setgid(gid_t gid) { | |||
591 | orig_setgid = (orig_setgid_t)dlsym(RTLD_NEXT, "setgid"); | 610 | orig_setgid = (orig_setgid_t)dlsym(RTLD_NEXT, "setgid"); |
592 | 611 | ||
593 | int rv = orig_setgid(gid); | 612 | int rv = orig_setgid(gid); |
594 | fprintf(ftty, "%u:%s:setgid %d:%d\n", mypid, myname, gid, rv); | 613 | tprintf(ftty, "%u:%s:setgid %d:%d\n", mypid, myname, gid, rv); |
595 | 614 | ||
596 | return rv; | 615 | return rv; |
597 | } | 616 | } |
@@ -603,7 +622,7 @@ int setfsuid(uid_t uid) { | |||
603 | orig_setfsuid = (orig_setfsuid_t)dlsym(RTLD_NEXT, "setfsuid"); | 622 | orig_setfsuid = (orig_setfsuid_t)dlsym(RTLD_NEXT, "setfsuid"); |
604 | 623 | ||
605 | int rv = orig_setfsuid(uid); | 624 | int rv = orig_setfsuid(uid); |
606 | fprintf(ftty, "%u:%s:setfsuid %d:%d\n", mypid, myname, uid, rv); | 625 | tprintf(ftty, "%u:%s:setfsuid %d:%d\n", mypid, myname, uid, rv); |
607 | 626 | ||
608 | return rv; | 627 | return rv; |
609 | } | 628 | } |
@@ -615,7 +634,7 @@ int setfsgid(gid_t gid) { | |||
615 | orig_setfsgid = (orig_setfsgid_t)dlsym(RTLD_NEXT, "setfsgid"); | 634 | orig_setfsgid = (orig_setfsgid_t)dlsym(RTLD_NEXT, "setfsgid"); |
616 | 635 | ||
617 | int rv = orig_setfsgid(gid); | 636 | int rv = orig_setfsgid(gid); |
618 | fprintf(ftty, "%u:%s:setfsgid %d:%d\n", mypid, myname, gid, rv); | 637 | tprintf(ftty, "%u:%s:setfsgid %d:%d\n", mypid, myname, gid, rv); |
619 | 638 | ||
620 | return rv; | 639 | return rv; |
621 | } | 640 | } |
@@ -627,7 +646,7 @@ int setreuid(uid_t ruid, uid_t euid) { | |||
627 | orig_setreuid = (orig_setreuid_t)dlsym(RTLD_NEXT, "setreuid"); | 646 | orig_setreuid = (orig_setreuid_t)dlsym(RTLD_NEXT, "setreuid"); |
628 | 647 | ||
629 | int rv = orig_setreuid(ruid, euid); | 648 | int rv = orig_setreuid(ruid, euid); |
630 | fprintf(ftty, "%u:%s:setreuid %d %d:%d\n", mypid, myname, ruid, euid, rv); | 649 | tprintf(ftty, "%u:%s:setreuid %d %d:%d\n", mypid, myname, ruid, euid, rv); |
631 | 650 | ||
632 | return rv; | 651 | return rv; |
633 | } | 652 | } |
@@ -639,7 +658,7 @@ int setregid(gid_t rgid, gid_t egid) { | |||
639 | orig_setregid = (orig_setregid_t)dlsym(RTLD_NEXT, "setregid"); | 658 | orig_setregid = (orig_setregid_t)dlsym(RTLD_NEXT, "setregid"); |
640 | 659 | ||
641 | int rv = orig_setregid(rgid, egid); | 660 | int rv = orig_setregid(rgid, egid); |
642 | fprintf(ftty, "%u:%s:setregid %d %d:%d\n", mypid, myname, rgid, egid, rv); | 661 | tprintf(ftty, "%u:%s:setregid %d %d:%d\n", mypid, myname, rgid, egid, rv); |
643 | 662 | ||
644 | return rv; | 663 | return rv; |
645 | } | 664 | } |
@@ -651,7 +670,7 @@ int setresuid(uid_t ruid, uid_t euid, uid_t suid) { | |||
651 | orig_setresuid = (orig_setresuid_t)dlsym(RTLD_NEXT, "setresuid"); | 670 | orig_setresuid = (orig_setresuid_t)dlsym(RTLD_NEXT, "setresuid"); |
652 | 671 | ||
653 | int rv = orig_setresuid(ruid, euid, suid); | 672 | int rv = orig_setresuid(ruid, euid, suid); |
654 | fprintf(ftty, "%u:%s:setresuid %d %d %d:%d\n", mypid, myname, ruid, euid, suid, rv); | 673 | tprintf(ftty, "%u:%s:setresuid %d %d %d:%d\n", mypid, myname, ruid, euid, suid, rv); |
655 | 674 | ||
656 | return rv; | 675 | return rv; |
657 | } | 676 | } |
@@ -663,7 +682,7 @@ int setresgid(gid_t rgid, gid_t egid, gid_t sgid) { | |||
663 | orig_setresgid = (orig_setresgid_t)dlsym(RTLD_NEXT, "setresgid"); | 682 | orig_setresgid = (orig_setresgid_t)dlsym(RTLD_NEXT, "setresgid"); |
664 | 683 | ||
665 | int rv = orig_setresgid(rgid, egid, sgid); | 684 | int rv = orig_setresgid(rgid, egid, sgid); |
666 | fprintf(ftty, "%u:%s:setresgid %d %d %d:%d\n", mypid, myname, rgid, egid, sgid, rv); | 685 | tprintf(ftty, "%u:%s:setresgid %d %d %d:%d\n", mypid, myname, rgid, egid, sgid, rv); |
667 | 686 | ||
668 | return rv; | 687 | return rv; |
669 | } | 688 | } |
@@ -678,6 +697,6 @@ static void log_exec(int argc, char** argv) { | |||
678 | int rv = readlink("/proc/self/exe", buf, PATH_MAX); | 697 | int rv = readlink("/proc/self/exe", buf, PATH_MAX); |
679 | if (rv != -1) { | 698 | if (rv != -1) { |
680 | buf[rv] = '\0'; // readlink does not add a '\0' at the end | 699 | buf[rv] = '\0'; // readlink does not add a '\0' at the end |
681 | fprintf(ftty, "%u:%s:exec %s:0\n", mypid, myname, buf); | 700 | tprintf(ftty, "%u:%s:exec %s:0\n", mypid, myname, buf); |
682 | } | 701 | } |
683 | } | 702 | } |
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt index b418faa15..2887a6c53 100644 --- a/src/man/firecfg.txt +++ b/src/man/firecfg.txt | |||
@@ -42,7 +42,7 @@ The following actions are implemented by default by running sudo firecfg: | |||
42 | .br | 42 | .br |
43 | 43 | ||
44 | .br | 44 | .br |
45 | -fix desktop files in $HOME/.local/share/applications/ (firecfg --fix). | 45 | - fix desktop files in $HOME/.local/share/applications/ (firecfg --fix). |
46 | .RE | 46 | .RE |
47 | 47 | ||
48 | .SH OPTIONS | 48 | .SH OPTIONS |
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt index c2fa63dc4..430e86cc8 100644 --- a/src/man/firejail-login.txt +++ b/src/man/firejail-login.txt | |||
@@ -11,7 +11,7 @@ a user name followed by the arguments passed to firejail. The format is as follo | |||
11 | 11 | ||
12 | Example: | 12 | Example: |
13 | 13 | ||
14 | netblue:--net=none --protocol=unix | 14 | netblue: --net=none --protocol=unix |
15 | 15 | ||
16 | Wildcard patterns are accepted in the user name field: | 16 | Wildcard patterns are accepted in the user name field: |
17 | 17 | ||
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 74f99b538..3db8c782d 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -75,7 +75,13 @@ Child process initialized | |||
75 | .RE | 75 | .RE |
76 | 76 | ||
77 | .SH Templates | 77 | .SH Templates |
78 | Templates for writing own profiles can be found in /usr/share/doc/firejail. | 78 | In /usr/share/doc/firejail there are two templates to write new profiles. |
79 | .RS | ||
80 | profile.template - for regular profiles | ||
81 | .br | ||
82 | redirect_alias-profile.template - for aliasing/redirecting profiles | ||
83 | .RE | ||
84 | |||
79 | 85 | ||
80 | .SH Scripting | 86 | .SH Scripting |
81 | Scripting commands: | 87 | Scripting commands: |
@@ -144,7 +150,7 @@ Ignore command. | |||
144 | 150 | ||
145 | Example: "ignore seccomp" | 151 | Example: "ignore seccomp" |
146 | .br | 152 | .br |
147 | Example: "ignore net ehh0" | 153 | Example: "ignore net eth0" |
148 | 154 | ||
149 | .TP | 155 | .TP |
150 | \fBquiet | 156 | \fBquiet |
@@ -154,10 +160,10 @@ Example: "quiet" | |||
154 | 160 | ||
155 | .SH Filesystem | 161 | .SH Filesystem |
156 | These profile entries define a chroot filesystem built on top of the existing | 162 | These profile entries define a chroot filesystem built on top of the existing |
157 | host filesystem. Each line describes a file element that is removed from | 163 | host filesystem. Each line describes a file/directory that is inaccessible |
158 | the filesystem (\fBblacklist\fR), a read-only file or directory (\fBread-only\fR), | 164 | (\fBblacklist\fR), a read-only file or directory (\fBread-only\fR), |
159 | a tmpfs mounted on top of an existing directory (\fBtmpfs\fR), | 165 | a tmpfs mounted on top of an existing directory (\fBtmpfs\fR), |
160 | or mount-bind a directory or file on top of another directory or file (\fBbind\fR). | 166 | or mount-bind a directory or file on top of another directory or file (\fBbind\fR). |
161 | Use \fBprivate\fR to set private mode. | 167 | Use \fBprivate\fR to set private mode. |
162 | File globbing is supported, and PATH and HOME directories are searched. | 168 | File globbing is supported, and PATH and HOME directories are searched. |
163 | Examples: | 169 | Examples: |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 951618669..500850413 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -71,10 +71,10 @@ If an appropriate profile is not found, Firejail will use a default profile. | |||
71 | The default profile is quite restrictive. In case the application doesn't work, use --noprofile option | 71 | The default profile is quite restrictive. In case the application doesn't work, use --noprofile option |
72 | to disable it. For more information, please see \fBSECURITY PROFILES\fR section below. | 72 | to disable it. For more information, please see \fBSECURITY PROFILES\fR section below. |
73 | .PP | 73 | .PP |
74 | If a program argument is not specified, Firejail starts /bin/bash shell. | 74 | If a program argument is not specified, Firejail starts the default shell from the current user. |
75 | Examples: | 75 | Examples: |
76 | .PP | 76 | .PP |
77 | $ firejail [OPTIONS] # starting a /bin/bash shell | 77 | $ firejail [OPTIONS] # starting the user default shell (normally /bin/bash) |
78 | .PP | 78 | .PP |
79 | $ firejail [OPTIONS] firefox # starting Mozilla Firefox | 79 | $ firejail [OPTIONS] firefox # starting Mozilla Firefox |
80 | .PP | 80 | .PP |
@@ -1776,11 +1776,14 @@ vm86, vm86old, vmsplice and vserver. | |||
1776 | 1776 | ||
1777 | .br | 1777 | .br |
1778 | To help creating useful seccomp filters more easily, the following | 1778 | To help creating useful seccomp filters more easily, the following |
1779 | system call groups are defined: @clock, @cpu-emulation, @debug, | 1779 | system call groups are defined: @aio, @basic-io, @chown, @clock, |
1780 | @default, @default-nodebuggers, @default-keep, @module, @obsolete, | 1780 | @cpu-emulation, @debug, @default, @default-nodebuggers, @default-keep, |
1781 | @privileged, @raw-io, @reboot, @resources and @swap. In addition, a | 1781 | @file-system, @io-event, @ipc, @keyring, @memlock, @module, @mount, |
1782 | @network-io, @obsolete, @privileged, @process, @raw-io, @reboot, | ||
1783 | @resources, @setuid, @swap, @sync, @system-service and @timer. In addition, a | ||
1782 | system call can be specified by its number instead of name with prefix | 1784 | system call can be specified by its number instead of name with prefix |
1783 | $, so for example $165 would be equal to mount on i386. | 1785 | $, so for example $165 would be equal to mount on i386. Exceptions |
1786 | can be allowed with prefix !. | ||
1784 | 1787 | ||
1785 | .br | 1788 | .br |
1786 | System architecture is strictly imposed only if flag | 1789 | System architecture is strictly imposed only if flag |
@@ -1798,8 +1801,10 @@ Example: | |||
1798 | .br | 1801 | .br |
1799 | $ firejail \-\-seccomp | 1802 | $ firejail \-\-seccomp |
1800 | .TP | 1803 | .TP |
1801 | \fB\-\-seccomp=syscall,@group | 1804 | \fB\-\-seccomp=syscall,@group,!syscall2 |
1802 | Enable seccomp filter, blacklist the default list (@default) and the syscalls or syscall groups specified by the command. | 1805 | Enable seccomp filter, whitelist "syscall2", but blacklist the default |
1806 | list (@default) and the syscalls or syscall groups specified by the | ||
1807 | command. | ||
1803 | .br | 1808 | .br |
1804 | 1809 | ||
1805 | .br | 1810 | .br |
@@ -1863,8 +1868,9 @@ domain with personality(2) system call. | |||
1863 | .br | 1868 | .br |
1864 | 1869 | ||
1865 | .TP | 1870 | .TP |
1866 | \fB\-\-seccomp.drop=syscall,@group | 1871 | \fB\-\-seccomp.drop=syscall,@group,!syscall2 |
1867 | Enable seccomp filter, and blacklist the syscalls or the syscall groups specified by the command. | 1872 | Enable seccomp filter, whitelist "syscall2" but blacklist the |
1873 | syscalls or the syscall groups specified by the command. | ||
1868 | .br | 1874 | .br |
1869 | 1875 | ||
1870 | .br | 1876 | .br |
@@ -1899,10 +1905,11 @@ rm: cannot remove `testfile': Operation not permitted | |||
1899 | 1905 | ||
1900 | 1906 | ||
1901 | .TP | 1907 | .TP |
1902 | \fB\-\-seccomp.keep=syscall,syscall,syscall | 1908 | \fB\-\-seccomp.keep=syscall,@group,!syscall2 |
1903 | Enable seccomp filter, and whitelist the syscalls specified by the | 1909 | Enable seccomp filter, blacklist "syscall2" but whitelist the |
1904 | command. The system calls needed by Firejail (group @default-keep: | 1910 | syscalls or the syscall groups specified by the command. The system |
1905 | prctl, execve) are handled with the preload library. | 1911 | calls needed by Firejail (group @default-keep: prctl, execve) are |
1912 | handled with the preload library. | ||
1906 | .br | 1913 | .br |
1907 | 1914 | ||
1908 | .br | 1915 | .br |
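--- a/test/filters/filters.sh
+++ b/test/filters/filters.sh
@@ -110,6 +110,9 @@ echo "TESTING: seccomp chmod profile - seccomp lists (test/filters/seccomp-chmod
 echo "TESTING: seccomp empty (test/filters/seccomp-empty.exp)"
 ./seccomp-empty.exp
 
+echo "TESTING: seccomp numeric (test/filters/seccomp-numeric.exp)"
+./seccomp-numeric.exp
+
 if [ "$(uname -m)" = "x86_64" ]; then
 echo "TESTING: seccomp dual filter (test/filters/seccomp-dualfilter.exp)"
 ./seccomp-dualfilter.exp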
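Review bot: The new seccomp-numeric.exp call on lines 113-114 runs on every architecture, but that script passes the raw numbers $263 and $83, which are unlinkat and mkdir only on x86_64; on i386 or arm they name other syscalls, the expected "No such file or directory" never appears, and the run ends in a timeout rather than a meaningful failure. The dual-filter test directly below is already wrapped in `if [ "$(uname -m)" = "x86_64" ]; then`, so moving the two new lines (`echo "TESTING: seccomp numeric (test/filters/seccomp-numeric.exp)"` and `./seccomp-numeric.exp`) inside that block keeps the script's architecture handling consistent. The same architecture assumption is worth stating in the header of seccomp-numeric.exp itself.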
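--- /dev/null
+++ b/test/filters/seccomp-numeric.exp
@@ -0,0 +1,44 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2019 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "touch seccomp-test-file\r"
+after 100
+
+send -- "firejail --seccomp=unlinkat:ENOENT,mkdir:ENOENT rm seccomp-test-file\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"No such file or directory"
+}
+after 100
+
+send -- "firejail --seccomp=\\\$263:ENOENT,mkdir:ENOENT rm seccomp-test-file\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"No such file or directory"
+}
+after 100
+
+send -- "firejail --seccomp=unlinkat:ENOENT,mkdir:ENOENT mkdir seccomp-test-dir\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"No such file or directory"
+}
+after 100
+
+send -- "firejail --seccomp=unlinkat:ENOENT,\\\$83:ENOENT mkdir seccomp-test-dir\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"No such file or directory"
+}
+after 100
+
+send -- "rm seccomp-test-file\r"
+#send -- "rm -fr seccomp-test-dir\r"
+after 100
+puts "all done\n"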
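Review bot: The numeric ids on lines 20 and 34 ($263 and $83) are unlinkat and mkdir only on x86_64, and nothing in the file records that, so a comment above the first send such as `# $263 = unlinkat, $83 = mkdir on x86_64; the numeric cases are architecture-specific` would save the next reader a trip to the syscall table. The pattern "No such file or directory" on lines 16 and 23 would also match if the touch on line 10 had not created the file, so the unlinkat cases could pass without the filter doing anything; a `send -- "ls seccomp-test-file\r"` with an expect on the file name before line 13 would close that gap. Line 42 is a commented-out cleanup: either drop it or restore it, because a run where the mkdir filter did not apply leaves seccomp-test-dir behind for the next run.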
diff --git a/test/fs/whitelist-dev.exp b/test/fs/whitelist-dev.exp index d2cb72edd..1df8c361c 100755 --- a/test/fs/whitelist-dev.exp +++ b/test/fs/whitelist-dev.exp | |||
@@ -14,10 +14,10 @@ expect { | |||
14 | } | 14 | } |
15 | sleep 1 | 15 | sleep 1 |
16 | 16 | ||
17 | send -- "find /dev | wc -l\r" | 17 | send -- "ls /dev | wc -l\r" |
18 | expect { | 18 | expect { |
19 | timeout {puts "TESTING ERROR 1\n";exit} | 19 | timeout {puts "TESTING ERROR 1\n";exit} |
20 | "2" | 20 | "1" |
21 | } | 21 | } |
22 | after 100 | 22 | after 100 |
23 | send -- "exit\r" | 23 | send -- "exit\r" |
@@ -33,7 +33,7 @@ sleep 1 | |||
33 | send -- "find /dev | wc -l\r" | 33 | send -- "find /dev | wc -l\r" |
34 | expect { | 34 | expect { |
35 | timeout {puts "TESTING ERROR 3\n";exit} | 35 | timeout {puts "TESTING ERROR 3\n";exit} |
36 | "4" | 36 | "1" |
37 | } | 37 | } |
38 | after 100 | 38 | after 100 |
39 | send -- "exit\r" | 39 | send -- "exit\r" |
@@ -46,7 +46,7 @@ expect { | |||
46 | } | 46 | } |
47 | sleep 1 | 47 | sleep 1 |
48 | 48 | ||
49 | send -- "ls -l /dev | wc -l\r" | 49 | send -- "ls /dev | wc -l\r" |
50 | expect { | 50 | expect { |
51 | timeout {puts "TESTING ERROR 5\n";exit} | 51 | timeout {puts "TESTING ERROR 5\n";exit} |
52 | "12" {puts "OK\n"} | 52 | "12" {puts "OK\n"} |