-rw-r--r-- | Makefile.in | 1 | ||||
-rw-r--r-- | README | 2 | ||||
-rw-r--r-- | RELNOTES | 2 | ||||
-rw-r--r-- | etc/chromium.profile | 7 | ||||
-rw-r--r-- | etc/conkeror.profile | 6 | ||||
-rw-r--r-- | etc/firefox.profile | 7 | ||||
-rw-r--r-- | etc/spotify.profile | 9 | ||||
-rw-r--r-- | platform/debian/conffiles | 1 | ||||
-rw-r--r-- | todo | 8 |
9 files changed, 40 insertions, 3 deletions
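--- a/Makefile.in
+++ b/Makefile.in
@@ -111,6 +111,7 @@ realinstall:
 install -c -m 0644 etc/skype.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 etc/wine.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 etc/disable-devel.inc $(DESTDIR)/$(sysconfdir)/firejail/.
+install -c -m 0644 etc/conkeror.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 bash -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 # man pages
 rm -f firejail.1.gz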
@@ -18,6 +18,8 @@ License: GPL v2 | |||
18 | Firejail Authors: | 18 | Firejail Authors: |
19 | 19 | ||
20 | netblue30 (netblue30@yahoo.com) | 20 | netblue30 (netblue30@yahoo.com) |
21 | emacsomancer (https://github.com/emacsomancer) | ||
22 | - added profile for Conkeror browser | ||
21 | Daan Bakker (https://github.com/dbakker) | 23 | Daan Bakker (https://github.com/dbakker) |
22 | - protect shell startup files | 24 | - protect shell startup files |
23 | Duncan Overbruck (https://github.com/Duncaen) | 25 | Duncan Overbruck (https://github.com/Duncaen) |
@@ -2,7 +2,7 @@ firejail (0.9.34-rc1) baseline; urgency=low | |||
2 | * added --ignore option | 2 | * added --ignore option |
3 | * added --protocol option | 3 | * added --protocol option |
4 | * support dual i386/amd64 seccomp filters | 4 | * support dual i386/amd64 seccomp filters |
5 | * added Steam, Skype and Wine profiles | 5 | * added Steam, Skype, Wine and Conkeror profiles |
6 | * bugfixes | 6 | * bugfixes |
7 | -- netblue30 <netblue30@yahoo.com> Thu, 29 Oct 2015 08:00:00 -0500 | 7 | -- netblue30 <netblue30@yahoo.com> Thu, 29 Oct 2015 08:00:00 -0500 |
8 | 8 | ||
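--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -7,3 +7,10 @@ include /etc/firejail/disable-devel.inc
 netfilter
 whitelist ~/Downloads
 whitelist ~/.config/chromium
+
+# common
+whitelist ~/.fonts
+whitelist ~/.fonts.d
+whitelist ~/.fontconfig
+whitelist ~/.fonts.conf
+whitelist ~/.fonts.conf.d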
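Review bot: The five font paths whitelisted under `# common` are exposed to the sandbox as the real, writable directories, so a compromised browser could change `~/.fonts.conf` or the contents of `~/.fonts`, which programs running outside the sandbox later load through fontconfig. The browser only needs to read the configuration files; if this firejail version applies `read-only` to whitelisted paths, follow the entries with lines such as `read-only ~/.fonts.conf` and `read-only ~/.fonts.conf.d`, leaving writable only what is really used as a cache. The same block is added to firefox.profile, conkeror.profile and spotify.profile, so the point applies there as well.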
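--- a/etc/conkeror.profile
+++ b/etc/conkeror.profile
@@ -19,4 +19,10 @@ whitelist ~/.vimperator
 whitelist ~/.pentadactylrc
 whitelist ~/.pentadactyl
 whitelist ~/.conkerorrc
+
+# common
 whitelist ~/.fonts
+whitelist ~/.fonts.d
+whitelist ~/.fontconfig
+whitelist ~/.fonts.conf
+whitelist ~/.fonts.conf.d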
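Review bot: The `# common` block is now copied verbatim into four profiles (chromium, conkeror, firefox, spotify), which invites drift the next time a shared path is added or tightened in only one of them. The profiles already pull shared policy in with `include /etc/firejail/disable-devel.inc`, and the same mechanism would fit here: one include file holding the five font `whitelist` lines, referenced from each profile as `include /etc/firejail/<common-whitelist>.inc` (the file name is a placeholder). That file would also need its own install line in Makefile.in and an entry in platform/debian/conffiles.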
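--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -19,3 +19,10 @@ whitelist ~/.vimperatorrc
 whitelist ~/.vimperator
 whitelist ~/.pentadactylrc
 whitelist ~/.pentadactyl
+
+# common
+whitelist ~/.fonts
+whitelist ~/.fonts.d
+whitelist ~/.fontconfig
+whitelist ~/.fonts.conf
+whitelist ~/.fonts.conf.d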
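--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -10,11 +10,16 @@ include /etc/firejail/disable-devel.inc
 whitelist ${HOME}/.config/spotify
 whitelist ${HOME}/.local/share/spotify
 whitelist ${HOME}/.cache/spotify
-# Whitelist the pulseaudio config, to allow PulseAudio workaround (Issue #69)
-whitelist ${HOME}/.config/pulse
 
 caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
 noroot
+
+# common
+whitelist ~/.fonts
+whitelist ~/.fonts.d
+whitelist ~/.fontconfig
+whitelist ~/.fonts.conf
+whitelist ~/.fonts.conf.d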
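Review bot: The new side of this profile no longer whitelists `${HOME}/.config/pulse`, and nothing replaces it, so with the home directory in whitelist mode the per-user PulseAudio configuration is presumably hidden from Spotify again. If the workaround referenced as Issue #69 is still needed, audio is likely to regress; either keep `whitelist ${HOME}/.config/pulse` or record in the commit message why it is safe to drop. The added font entries also use `~/` where the rest of this file uses `${HOME}/`; one form per file would read more consistently.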
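--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -37,3 +37,4 @@
 /etc/firejail/steam.profile
 /etc/firejail/wine.profile
 /etc/firejail/disable-devel.inc
+/etc/firejail/conkeror.profile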
@@ -54,3 +54,11 @@ cat <&3 | |||
54 | c) A list of attacks | 54 | c) A list of attacks |
55 | http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/ | 55 | http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/ |
56 | 56 | ||
57 | 8. SELinux | ||
58 | |||
59 | Firefox selinux disabled (RedHat): http://danwalsh.livejournal.com/72697.html | ||
60 | Firefox selinux enabled (Gentoo hardened): http://blog.siphos.be/2015/08/why-we-do-confine-firefox/ | ||
61 | "desktops are notoriously difficult to use a mandatory access control system on" | ||
62 | |||
63 | 9. blacklist .muttrc, contains passwords in clear text | ||
64 | |||