-rw-r--r--README.md25
-rw-r--r--etc/profile-a-l/curl.profile2
-rw-r--r--etc/profile-a-l/firefox-common.profile2
-rw-r--r--etc/profile-a-l/gimp.profile2
-rw-r--r--etc/profile-a-l/inkscape.profile2
-rw-r--r--etc/profile-m-z/warzone2100.profile2
-rw-r--r--src/firejail/fs_etc.c12
-rw-r--r--src/include/etc_groups.h16
-rw-r--r--src/man/firejail.txt18
9 files changed, 41 insertions, 40 deletions
diff --git a/README.md b/README.md
index f261da2a3..7d1c88c65 100644
--- a/README.md
+++ b/README.md
@@ -184,7 +184,7 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
184 184
185### private-etc rework 185### private-etc rework
186````` 186`````
187 --private-etc, --private-etc=file,directory 187 --private-etc, --private-etc=file,directory,@group
188 The files installed by --private-etc are copies of the original 188 The files installed by --private-etc are copies of the original
189 system files from /etc directory. By default, the command 189 system files from /etc directory. By default, the command
190 brings in a skeleton of files and directories used by most con‐ 190 brings in a skeleton of files and directories used by most con‐
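Review bot: the new synopsis `--private-etc=file,directory,@group` introduces the `@group` syntax without saying which groups exist, so a README reader cannot discover the names. Add a one-line list next to the synopsis (`@x11`, `@games`, `@tls-ca`, `@sound`, `@network`, as recognised by `fs_etc_build` in this same patch) or point to the paragraph below that enumerates them.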
@@ -192,24 +192,23 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
192 192
193 $ firejail --private-etc dig debian.org 193 $ firejail --private-etc dig debian.org
194 194
195 For X11/GTK/QT/Gnome/KDE programs add GUI group as a parameter. 195 For X11/GTK/QT/Gnome/KDE programs add @x11 group as a parame
196 Example: 196 ter. Example:
197 197
198 $ firejail --private-etc=GUI,python* gimp 198 $ firejail --private-etc=@x11,gcrypt,python* gimp
199 199
200 /etc/python* directories are not part of the generic GUI group. 200 gcrypt and /etc/python* directories are not part of the generic
201 These directories are reuqired by Gimp plugin system. File glob‐ 201 @x11 group. File globbing is supported.
202 bing is supported.
203 202
204 For games, add GAMES group: 203 For games, add @games group:
205 204
206 $ firejail --private-etc=GUI,GAMES warzone2100 205 $ firejail --private-etc=@games,@x11 warzone2100
207 206
208 Sound and networking files are included automatically, unless 207 Sound and networking files are included automatically, unless
209 --nosound or --net=none are specified. Files for encrypted 208 --nosound or --net=none are specified. Files for encrypted
210 TLS/SSL protocol are in TLS-CA group. 209 TLS/SSL protocol are in @tls-ca group.
211 210
212 $ firejail --private-etc=TLS-CA,wgetrc wget https://debian.org 211 $ firejail --private-etc=@tls-ca,wgetrc wget https://debian.org
213 212
214 Note: The easiest way to extract the list of /etc files accessed 213 Note: The easiest way to extract the list of /etc files accessed
215 by your program is using strace utility: 214 by your program is using strace utility:
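Review bot: dropping the sentence "These directories are required by Gimp plugin system" removes the only explanation of why `gcrypt` and `python*` appear in the gimp example, leaving "gcrypt and /etc/python* directories are not part of the generic @x11 group" without a reason for adding them; keep a short rationale (with the typo "reuqired" fixed). This block is also a verbatim copy of the text in `src/man/firejail.txt` further down in this patch, so the two must be edited together or the README should be generated from the man page to avoid drift.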
diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile
index 88b29cfbd..bfe8764d5 100644
--- a/etc/profile-a-l/curl.profile
+++ b/etc/profile-a-l/curl.profile
@@ -54,7 +54,7 @@ tracelog
54private-cache 54private-cache
55private-dev 55private-dev
56# private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl 56# private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
57private-etc TLS-CA 57private-etc @tls-ca
58private-tmp 58private-tmp
59 59
60dbus-user none 60dbus-user none
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index 3365c0829..57c9b5dfb 100644
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -60,7 +60,7 @@ disable-mnt
60# private-etc below works fine on most distributions. There are some problems on CentOS. 60# private-etc below works fine on most distributions. There are some problems on CentOS.
61# Add it to your firefox-common.local if you want to enable it. 61# Add it to your firefox-common.local if you want to enable it.
62#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg 62#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
63private-etc GUI,mailcap,mime.types,NETWORK,os-release,TLS-CA 63private-etc @tls-ca,@x11,mailcap,mime.types,os-release
64private-tmp 64private-tmp
65 65
66blacklist ${PATH}/curl 66blacklist ${PATH}/curl
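Review bot: the explicit `NETWORK` group is removed from line 63 while `@tls-ca` and `@x11` are kept; this is only correct because the man page text in the same patch says networking files are added automatically unless `--net=none` is set, and firefox-common does not use `--net=none`. State in the commit message that the removal is intentional so it is not read as an accidental loss of `/etc/hosts` and `resolv.conf` in the sandbox.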
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile
index d9515c867..f29929a72 100644
--- a/etc/profile-a-l/gimp.profile
+++ b/etc/profile-a-l/gimp.profile
@@ -59,7 +59,7 @@ seccomp !mbind
59tracelog 59tracelog
60 60
61private-dev 61private-dev
62private-etc gcrypt,GUI,python* 62private-etc @x11,gcrypt,python*
63private-tmp 63private-tmp
64 64
65dbus-user none 65dbus-user none
diff --git a/etc/profile-a-l/inkscape.profile b/etc/profile-a-l/inkscape.profile
index 1e75781ab..abe75f2ae 100644
--- a/etc/profile-a-l/inkscape.profile
+++ b/etc/profile-a-l/inkscape.profile
@@ -54,7 +54,7 @@ tracelog
54# private-bin inkscape,potrace,python* - problems on Debian stretch 54# private-bin inkscape,potrace,python* - problems on Debian stretch
55private-cache 55private-cache
56private-dev 56private-dev
57private-etc ImageMagick*,inkscape: GUI,python* 57private-etc @x11,ImageMagick*,python*
58private-tmp 58private-tmp
59 59
60dbus-user none 60dbus-user none
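Review bot: the old line 57 carried a malformed token `inkscape: GUI` (a colon and a space inside the comma-separated list), so with `strtok(str, ",")` neither the `inkscape` entry nor the `GUI` group could have been parsed as intended; the new line fixes the syntax but silently drops the `inkscape` entry. Either keep `inkscape` in the list or say in the commit message that `/etc/inkscape` is not needed, so the behaviour change is recorded.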
diff --git a/etc/profile-m-z/warzone2100.profile b/etc/profile-m-z/warzone2100.profile
index 6000bd98f..b0eea4380 100644
--- a/etc/profile-m-z/warzone2100.profile
+++ b/etc/profile-m-z/warzone2100.profile
@@ -46,7 +46,7 @@ tracelog
46disable-mnt 46disable-mnt
47private-bin bash,dash,sh,warzone2100,which 47private-bin bash,dash,sh,warzone2100,which
48private-dev 48private-dev
49private-etc GAMES,GUI 49private-etc @games,@x11
50private-tmp 50private-tmp
51 51
52restrict-namespaces 52restrict-namespaces
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index ad5e8585d..83f140d80 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -77,15 +77,15 @@ char *fs_etc_build(char *str) {
77 char* ptr = strtok(str, ","); 77 char* ptr = strtok(str, ",");
78 while (ptr) { 78 while (ptr) {
79 // look for standard groups 79 // look for standard groups
80 if (strcmp(ptr, "TLS-CA") == 0) 80 if (strcmp(ptr, "@tls-ca") == 0)
81 etc_copy_group(&etc_group_tls_ca[0]); 81 etc_copy_group(&etc_group_tls_ca[0]);
82 if (strcmp(ptr, "GUI") == 0) 82 if (strcmp(ptr, "@x11") == 0)
83 etc_copy_group(&etc_group_gui[0]); 83 etc_copy_group(&etc_group_x11[0]);
84 if (strcmp(ptr, "SOUND") == 0) 84 if (strcmp(ptr, "@sound") == 0)
85 etc_copy_group(&etc_group_sound[0]); 85 etc_copy_group(&etc_group_sound[0]);
86 if (strcmp(ptr, "NETWORK") == 0) 86 if (strcmp(ptr, "@network") == 0)
87 etc_copy_group(&etc_group_network[0]); 87 etc_copy_group(&etc_group_network[0]);
88 if (strcmp(ptr, "GAMES") == 0) 88 if (strcmp(ptr, "@games") == 0)
89 etc_copy_group(&etc_group_games[0]); 89 etc_copy_group(&etc_group_games[0]);
90 else 90 else
91 etc_add(ptr); 91 etc_add(ptr);
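Review bot: the group dispatch on lines 80-91 is a run of independent `if` statements where only the final `if (strcmp(ptr, "@games") == 0)` carries the `else`, so a recognised token such as `"@tls-ca"` or `"@x11"` still falls through to `etc_add(ptr)` and is treated as a file name under /etc. Turn the block into an `else if` chain (or `continue` after each `etc_copy_group`), and reject any other token beginning with `@` with an error instead of passing it to `etc_add`; that also catches profiles and user `.local` files that still use the old `TLS-CA`, `GUI` and `GAMES` names, which after this rename would otherwise degrade silently into nonexistent file entries.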
diff --git a/src/include/etc_groups.h b/src/include/etc_groups.h
index 421837fbb..fcb824778 100644
--- a/src/include/etc_groups.h
+++ b/src/include/etc_groups.h
@@ -23,7 +23,7 @@
23 23
24#define ETC_MAX 256 24#define ETC_MAX 256
25 25
26// DEFAULT 26// @default
27static char *etc_list[ETC_MAX + 1] = { // plus 1 for ending NULL pointer 27static char *etc_list[ETC_MAX + 1] = { // plus 1 for ending NULL pointer
28 "alternatives", 28 "alternatives",
29 "fonts", 29 "fonts",
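Review bot: the comment on line 26 renames the default list to `@default`, but `fs_etc_build` in this patch has no `@default` case, so the comment implies a token that cannot be used in a profile. Either add the case so a profile can request the console skeleton explicitly alongside other groups, or keep the comment as `DEFAULT` to match the actual interface.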
@@ -42,7 +42,7 @@ static char *etc_list[ETC_MAX + 1] = { // plus 1 for ending NULL pointer
42 NULL 42 NULL
43}; 43};
44 44
45// SOUND 45// @sound
46static char *etc_group_sound[] = { 46static char *etc_group_sound[] = {
47 "alsa", 47 "alsa",
48 "asound.conf", 48 "asound.conf",
@@ -51,7 +51,7 @@ static char *etc_group_sound[] = {
51 NULL 51 NULL
52}; 52};
53 53
54// NETWORK 54// @network
55static char*etc_group_network[] = { 55static char*etc_group_network[] = {
56 "hostname", 56 "hostname",
57 "hosts", 57 "hosts",
@@ -60,7 +60,7 @@ static char*etc_group_network[] = {
60 NULL 60 NULL
61}; 61};
62 62
63// TLS-CA 63// @tls-ca
64static char *etc_group_tls_ca[] = { 64static char *etc_group_tls_ca[] = {
65 "ca-certificates", 65 "ca-certificates",
66 "crypto-policies", 66 "crypto-policies",
@@ -70,8 +70,8 @@ static char *etc_group_tls_ca[] = {
70 NULL 70 NULL
71}; 71};
72 72
73// GUI 73// @x11
74static char *etc_group_gui[] = { 74static char *etc_group_x11[] = {
75 "xdg", 75 "xdg",
76 "drirc", 76 "drirc",
77 "dconf", 77 "dconf",
@@ -80,10 +80,12 @@ static char *etc_group_gui[] = {
80 "kde4rc", 80 "kde4rc",
81 "kde5rc", 81 "kde5rc",
82 "pango", // text rendering/internationalization 82 "pango", // text rendering/internationalization
83 "nvidia",
84 "X11",
83 NULL 85 NULL
84}; 86};
85 87
86// GAMES 88// @games
87static char *etc_group_games[] = { 89static char *etc_group_games[] = {
88 "timidity", // MIDI 90 "timidity", // MIDI
89 "timidity.cfg", 91 "timidity.cfg",
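Review bot: `"nvidia"` and `"X11"` are added to the `@x11` group on lines 83-84 without the trailing purpose comment that the neighbouring `"pango"` entry has; add one in the same style (driver configuration, X server configuration). Since every `@x11` profile now pulls in `/etc/nvidia`, confirm that a missing directory is skipped without a warning on machines without the proprietary driver, and mention the two new entries in the commit message because they widen what the x11 group exposes.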
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index e60c139a5..a088d971a 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2127,27 +2127,27 @@ cdrom cdrw dri dvd dvdrw full log null ptmx pts random shm snd sr0
2127.br 2127.br
2128$ 2128$
2129.TP 2129.TP
2130\fB\-\-private-etc, \-\-private-etc=file,directory 2130\fB\-\-private-etc, \-\-private-etc=file,directory,@group
2131The files installed by \-\-private-etc are copies of the original system files from /etc directory. 2131The files installed by \-\-private-etc are copies of the original system files from /etc directory.
2132By default, the command brings in a skeleton of files and directories used by most console tools: 2132By default, the command brings in a skeleton of files and directories used by most console tools:
2133 2133
2134$ firejail --private-etc dig debian.org 2134$ firejail --private-etc dig debian.org
2135 2135
2136For X11/GTK/QT/Gnome/KDE programs add GUI group as a parameter. Example: 2136For X11/GTK/QT/Gnome/KDE programs add @x11 group as a parameter. Example:
2137 2137
2138$ firejail --private-etc=GUI,python* gimp 2138$ firejail --private-etc=@x11,gcrypt,python* gimp
2139 2139
2140/etc/python* directories are not part of the generic GUI group. 2140gcrypt and /etc/python* directories are not part of the generic @x11 group.
2141These directories are reuqired by Gimp plugin system. File globbing is supported. 2141File globbing is supported.
2142 2142
2143For games, add GAMES group: 2143For games, add @games group:
2144 2144
2145$ firejail --private-etc=GUI,GAMES warzone2100 2145$ firejail --private-etc=@games,@x11 warzone2100
2146 2146
2147Sound and networking files are included automatically, unless \-\-nosound or \-\-net=none are specified. 2147Sound and networking files are included automatically, unless \-\-nosound or \-\-net=none are specified.
2148Files for encrypted TLS/SSL protocol are in TLS-CA group. 2148Files for encrypted TLS/SSL protocol are in @tls-ca group.
2149 2149
2150$ firejail --private-etc=TLS-CA,wgetrc wget https://debian.org 2150$ firejail --private-etc=@tls-ca,wgetrc wget https://debian.org
2151 2151
2152 2152
2153Note: The easiest way to extract the list of /etc files accessed by your program is using strace utility: 2153Note: The easiest way to extract the list of /etc files accessed by your program is using strace utility:
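Review bot: the new synopsis on line 2130 advertises `@group`, yet the paragraph only names `@x11`, `@games` and `@tls-ca`; `@sound` and `@network` are matched by `fs_etc_build` in this same patch but are not documented here. Add a sentence enumerating every group and what it contains, and state whether `@sound` and `@network` may be given explicitly when `--nosound` or `--net=none` is in effect. Minor wording: "add @x11 group as a parameter" and "add @games group" read better with the article ("add the @x11 group", "add the @games group").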