72 files changed, 1111 insertions, 78 deletions
@@ -58,6 +58,8 @@ Firejail Authors (alphabetical order) | |||
58 | - fix flameshot raw screenshots | 58 | - fix flameshot raw screenshots |
59 | 1dnrr (https://github.com/1dnrr) | 59 | 1dnrr (https://github.com/1dnrr) |
60 | - add pybitmessage profile | 60 | - add pybitmessage profile |
61 | Adrian L. Shaw (https://github.com/adrianlshaw) | ||
62 | - add profanity profile | ||
61 | Aidan Gauland (https://github.com/aidalgol) | 63 | Aidan Gauland (https://github.com/aidalgol) |
62 | - added electron and riot-web profiles | 64 | - added electron and riot-web profiles |
63 | Akhil Hans Maulloo (https://github.com/kouul) | 65 | Akhil Hans Maulloo (https://github.com/kouul) |
@@ -735,6 +737,9 @@ startx2017 (https://github.com/startx2017) | |||
735 | - kwrite and geary profiles | 737 | - kwrite and geary profiles |
736 | StelFux (https://github.com/StelFux) | 738 | StelFux (https://github.com/StelFux) |
737 | - Fix youtube video in totem | 739 | - Fix youtube video in totem |
740 | the-antz (https://github.com/the-antz) | ||
741 | - Fix libx265 encoding in ffmpeg profile | ||
742 | - Profile tweaks | ||
738 | thewisenerd (https://github.com/thewisenerd) | 743 | thewisenerd (https://github.com/thewisenerd) |
739 | - allow multiple private-home commands | 744 | - allow multiple private-home commands |
740 | - use $SHELL variable if the shell is not specified | 745 | - use $SHELL variable if the shell is not specified |
@@ -18,8 +18,41 @@ The sandbox is lightweight, the overhead is low. There are no complicated config | |||
18 | no socket connections open, no daemons running in the background. All security features are | 18 | no socket connections open, no daemons running in the background. All security features are |
19 | implemented directly in Linux kernel and available on any Linux computer. | 19 | implemented directly in Linux kernel and available on any Linux computer. |
20 | 20 | ||
21 | [![Firejail Firefox Demo](video.png)](https://www.youtube.com/watch?v=kCnAxD144nU) | 21 | <table><tr> |
22 | 22 | ||
23 | <td> | ||
24 | <a href="http://www.youtube.com/watch?feature=player_embedded&v=7RMz7tePA98 | ||
25 | " target="_blank"><img src="http://img.youtube.com/vi/7RMz7tePA98/0.jpg" | ||
26 | alt="Firejail Intro video" width="240" height="180" border="10" /><br/>Firejail Intro</a> | ||
27 | </td> | ||
28 | |||
29 | <td> | ||
30 | <a href="http://www.youtube.com/watch?feature=player_embedded&v=J1ZsXrpAgBU | ||
31 | " target="_blank"><img src="http://img.youtube.com/vi/J1ZsXrpAgBU/0.jpg" | ||
32 | alt="Firejail Intro video" width="240" height="180" border="10" /><br/>Firejail Demo</a> | ||
33 | </td> | ||
34 | |||
35 | <td> | ||
36 | <a href="http://www.youtube.com/watch?feature=player_embedded&v=EyEz65RYfw4 | ||
37 | " target="_blank"><img src="http://img.youtube.com/vi/EyEz65RYfw4/0.jpg" | ||
38 | alt="Firejail Intro video" width="240" height="180" border="10" /><br/>Debian Install</a> | ||
39 | </td> | ||
40 | |||
41 | |||
42 | </tr><tr> | ||
43 | <td> | ||
44 | <a href="http://www.youtube.com/watch?feature=player_embedded&v=Uy2ZTHc4s0w | ||
45 | " target="_blank"><img src="http://img.youtube.com/vi/Uy2ZTHc4s0w/0.jpg" | ||
46 | alt="Firejail Intro video" width="240" height="180" border="10" /><br/>Arch Linux Install</a> | ||
47 | |||
48 | </td> | ||
49 | <td> | ||
50 | <a href="http://www.youtube.com/watch?feature=player_embedded&v=xuMxRx0zSfQ | ||
51 | " target="_blank"><img src="http://img.youtube.com/vi/xuMxRx0zSfQ/0.jpg" | ||
52 | alt="Firejail Intro video" width="240" height="180" border="10" /><br/>Disable Network Access</a> | ||
53 | |||
54 | </td> | ||
55 | </tr></table> | ||
23 | 56 | ||
24 | Project webpage: https://firejail.wordpress.com/ | 57 | Project webpage: https://firejail.wordpress.com/ |
25 | 58 | ||
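Review bot: all five `<img>` tags in the new table carry alt="Firejail Intro video", so the alt text does not match the Firejail Demo, Debian Install, Arch Linux Install and Disable Network Access captions; give each thumbnail its own alt. The links and thumbnails also use http:// where the removed line used https://www.youtube.com, and every href value has a line break before its closing quote; switch to https and close the quote on the same line as the URL.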
@@ -112,14 +145,14 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
112 | ````` | 145 | ````` |
113 | 146 | ||
114 | ````` | 147 | ````` |
115 | ## Latest released version: 0.9.60 | 148 | ## Latest released version: 0.9.60 - release 0.9.62 pending |
149 | |||
150 | The development for 0.9.62 is handled on release-0.9.62 branch. | ||
116 | 151 | ||
117 | ## Current development version: 0.9.61 | 152 | I had to cut the release branch again as of this commit - big fixes from @smitsohu and @glitsj16. |
153 | Also problems with the configure script as reported by @matu3ba. I am reusing the same | ||
154 | name for the release branch, release-0.9.62, so if you have an old release-0.9.62 branch around, | ||
155 | get rid of it and load the new one. | ||
118 | 156 | ||
119 | ## New profiles: | ||
120 | 157 | ||
121 | gnome-sound-recorder, godot, jerry, keepassxc-cli, keepassxc-proxy, klatexformula, klatexformula_cmdl, links, newsbeuter, OpenArena, | 158 | ## Current development version: 0.9.63 |
122 | pandoc, qgis, rhythmbox-client, tcpdump, teams-for-linux, tshark, xlinks, zeal, mpg123, conplay, mpg123.bin, mpg123-alsa, mpg123-id3dump, | ||
123 | mpg123-jack, mpg123-nas, mpg123-openal, mpg123-oss, mpg123-portaudio, mpg123-pulse, mpg123-strip, out123, pavucontrol-qt, | ||
124 | gnome-characters, gnome-character-map, rsync, Whalebird, tor-browser (AUR), Zulip, tb-starter-wrapper, bzcat, kiwix-desktop, ar, | ||
125 | gnome-latex, pngquant, kalgebra, kalgebramobile, signal-cli, amuled, kfind | ||
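Review bot: the paragraph added at new lines 152-155 is a dated status note ("as of this commit") that tells readers to get rid of an old release-0.9.62 branch because the name is being reused. Say how to do that, or cut the branch under a new name so existing clones are not left with a diverged branch. Within this hunk the "## New profiles:" list is also dropped from the README with nothing put in its place.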
@@ -22,7 +22,9 @@ firejail (0.9.61) baseline; urgency=low | |||
22 | * new profiles: tor-browser (AUR), Zulip, tb-starter-wrapper, bzcat, | 22 | * new profiles: tor-browser (AUR), Zulip, tb-starter-wrapper, bzcat, |
23 | * new profiles: kiwix-desktop, bzcat, zstd, pzstd, zstdcat, zstdgrep, zstdless | 23 | * new profiles: kiwix-desktop, bzcat, zstd, pzstd, zstdcat, zstdgrep, zstdless |
24 | * new profiles: zstdmt, unzstd, i2p, ar, gnome-latex, pngquant, kalgebra | 24 | * new profiles: zstdmt, unzstd, i2p, ar, gnome-latex, pngquant, kalgebra |
25 | * new profiles: kalgebramobile, signal-cli, amuled, kfind | 25 | * new profiles: kalgebramobile, signal-cli, amuled, kfind, profanity |
26 | * new profiles: audio-recorder, cameramonitor, ddgtk, drawio, unf, gmpc | ||
27 | * new profiles: electron-mail, gist, gist-paste | ||
26 | -- netblue30 <netblue30@yahoo.com> Sat, 1 Jun 2019 08:00:00 -0500 | 28 | -- netblue30 <netblue30@yahoo.com> Sat, 1 Jun 2019 08:00:00 -0500 |
27 | 29 | ||
28 | firejail (0.9.60) baseline; urgency=low | 30 | firejail (0.9.60) baseline; urgency=low |
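Review bot: the new profile entries are added under the `firejail (0.9.61) baseline` heading, while this commit moves AC_INIT to 0.9.63; rename the heading or start a new entry so the release notes match the development version. The signature line (Sat, 1 Jun 2019) is left unchanged as well, and `bzcat` already appears twice in the context lines above, so the list is worth deduplicating while it is being edited.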
@@ -1,6 +1,6 @@ | |||
1 | #! /bin/sh | 1 | #! /bin/sh |
2 | # Guess values for system-dependent variables and create Makefiles. | 2 | # Guess values for system-dependent variables and create Makefiles. |
3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.61. | 3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.63. |
4 | # | 4 | # |
5 | # Report bugs to <netblue30@yahoo.com>. | 5 | # Report bugs to <netblue30@yahoo.com>. |
6 | # | 6 | # |
@@ -580,8 +580,8 @@ MAKEFLAGS= | |||
580 | # Identity of this package. | 580 | # Identity of this package. |
581 | PACKAGE_NAME='firejail' | 581 | PACKAGE_NAME='firejail' |
582 | PACKAGE_TARNAME='firejail' | 582 | PACKAGE_TARNAME='firejail' |
583 | PACKAGE_VERSION='0.9.61' | 583 | PACKAGE_VERSION='0.9.63' |
584 | PACKAGE_STRING='firejail 0.9.61' | 584 | PACKAGE_STRING='firejail 0.9.63' |
585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' | 585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' |
586 | PACKAGE_URL='https://firejail.wordpress.com' | 586 | PACKAGE_URL='https://firejail.wordpress.com' |
587 | 587 | ||
@@ -1276,7 +1276,7 @@ if test "$ac_init_help" = "long"; then | |||
1276 | # Omit some internal or obsolete options to make the list less imposing. | 1276 | # Omit some internal or obsolete options to make the list less imposing. |
1277 | # This message is too long to be a string in the A/UX 3.1 sh. | 1277 | # This message is too long to be a string in the A/UX 3.1 sh. |
1278 | cat <<_ACEOF | 1278 | cat <<_ACEOF |
1279 | \`configure' configures firejail 0.9.61 to adapt to many kinds of systems. | 1279 | \`configure' configures firejail 0.9.63 to adapt to many kinds of systems. |
1280 | 1280 | ||
1281 | Usage: $0 [OPTION]... [VAR=VALUE]... | 1281 | Usage: $0 [OPTION]... [VAR=VALUE]... |
1282 | 1282 | ||
@@ -1337,7 +1337,7 @@ fi | |||
1337 | 1337 | ||
1338 | if test -n "$ac_init_help"; then | 1338 | if test -n "$ac_init_help"; then |
1339 | case $ac_init_help in | 1339 | case $ac_init_help in |
1340 | short | recursive ) echo "Configuration of firejail 0.9.61:";; | 1340 | short | recursive ) echo "Configuration of firejail 0.9.63:";; |
1341 | esac | 1341 | esac |
1342 | cat <<\_ACEOF | 1342 | cat <<\_ACEOF |
1343 | 1343 | ||
@@ -1450,7 +1450,7 @@ fi | |||
1450 | test -n "$ac_init_help" && exit $ac_status | 1450 | test -n "$ac_init_help" && exit $ac_status |
1451 | if $ac_init_version; then | 1451 | if $ac_init_version; then |
1452 | cat <<\_ACEOF | 1452 | cat <<\_ACEOF |
1453 | firejail configure 0.9.61 | 1453 | firejail configure 0.9.63 |
1454 | generated by GNU Autoconf 2.69 | 1454 | generated by GNU Autoconf 2.69 |
1455 | 1455 | ||
1456 | Copyright (C) 2012 Free Software Foundation, Inc. | 1456 | Copyright (C) 2012 Free Software Foundation, Inc. |
@@ -1752,7 +1752,7 @@ cat >config.log <<_ACEOF | |||
1752 | This file contains any messages produced by compilers while | 1752 | This file contains any messages produced by compilers while |
1753 | running configure, to aid debugging if configure makes a mistake. | 1753 | running configure, to aid debugging if configure makes a mistake. |
1754 | 1754 | ||
1755 | It was created by firejail $as_me 0.9.61, which was | 1755 | It was created by firejail $as_me 0.9.63, which was |
1756 | generated by GNU Autoconf 2.69. Invocation command line was | 1756 | generated by GNU Autoconf 2.69. Invocation command line was |
1757 | 1757 | ||
1758 | $ $0 $@ | 1758 | $ $0 $@ |
@@ -3386,8 +3386,8 @@ if test "x$enable_apparmor" = "xyes"; then : | |||
3386 | HAVE_APPARMOR="-DHAVE_APPARMOR" | 3386 | HAVE_APPARMOR="-DHAVE_APPARMOR" |
3387 | 3387 | ||
3388 | pkg_failed=no | 3388 | pkg_failed=no |
3389 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for libapparmor" >&5 | 3389 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for AA" >&5 |
3390 | $as_echo_n "checking for libapparmor... " >&6; } | 3390 | $as_echo_n "checking for AA... " >&6; } |
3391 | 3391 | ||
3392 | if test -n "$AA_CFLAGS"; then | 3392 | if test -n "$AA_CFLAGS"; then |
3393 | pkg_cv_AA_CFLAGS="$AA_CFLAGS" | 3393 | pkg_cv_AA_CFLAGS="$AA_CFLAGS" |
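Review bot: the progress message at lines 3389-3390 changes from "checking for libapparmor" to "checking for AA", which tells someone reading configure output less about what is being probed, and the configure.ac hunk in this commit only touches AC_INIT. If this is a side effect of regenerating configure with a different pkg-config macro version, say so in the commit message; otherwise keep the package name in the message.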
@@ -3427,7 +3427,7 @@ fi | |||
3427 | 3427 | ||
3428 | 3428 | ||
3429 | if test $pkg_failed = yes; then | 3429 | if test $pkg_failed = yes; then |
3430 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | 3430 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 |
3431 | $as_echo "no" >&6; } | 3431 | $as_echo "no" >&6; } |
3432 | 3432 | ||
3433 | if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then | 3433 | if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then |
@@ -3454,7 +3454,7 @@ Alternatively, you may set the environment variables AA_CFLAGS | |||
3454 | and AA_LIBS to avoid the need to call pkg-config. | 3454 | and AA_LIBS to avoid the need to call pkg-config. |
3455 | See the pkg-config man page for more details." "$LINENO" 5 | 3455 | See the pkg-config man page for more details." "$LINENO" 5 |
3456 | elif test $pkg_failed = untried; then | 3456 | elif test $pkg_failed = untried; then |
3457 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | 3457 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 |
3458 | $as_echo "no" >&6; } | 3458 | $as_echo "no" >&6; } |
3459 | { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 | 3459 | { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 |
3460 | $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} | 3460 | $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} |
@@ -4701,7 +4701,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |||
4701 | # report actual input values of CONFIG_FILES etc. instead of their | 4701 | # report actual input values of CONFIG_FILES etc. instead of their |
4702 | # values after options handling. | 4702 | # values after options handling. |
4703 | ac_log=" | 4703 | ac_log=" |
4704 | This file was extended by firejail $as_me 0.9.61, which was | 4704 | This file was extended by firejail $as_me 0.9.63, which was |
4705 | generated by GNU Autoconf 2.69. Invocation command line was | 4705 | generated by GNU Autoconf 2.69. Invocation command line was |
4706 | 4706 | ||
4707 | CONFIG_FILES = $CONFIG_FILES | 4707 | CONFIG_FILES = $CONFIG_FILES |
@@ -4755,7 +4755,7 @@ _ACEOF | |||
4755 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | 4755 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
4756 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" | 4756 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
4757 | ac_cs_version="\\ | 4757 | ac_cs_version="\\ |
4758 | firejail config.status 0.9.61 | 4758 | firejail config.status 0.9.63 |
4759 | configured by $0, generated by GNU Autoconf 2.69, | 4759 | configured by $0, generated by GNU Autoconf 2.69, |
4760 | with options \\"\$ac_cs_config\\" | 4760 | with options \\"\$ac_cs_config\\" |
4761 | 4761 | ||
diff --git a/configure.ac b/configure.ac index 27dcb39c5..8ee2fbadc 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -12,7 +12,7 @@ | |||
12 | # | 12 | # |
13 | 13 | ||
14 | AC_PREREQ([2.68]) | 14 | AC_PREREQ([2.68]) |
15 | AC_INIT(firejail, 0.9.61, netblue30@yahoo.com, , https://firejail.wordpress.com) | 15 | AC_INIT(firejail, 0.9.63, netblue30@yahoo.com, , https://firejail.wordpress.com) |
16 | AC_CONFIG_SRCDIR([src/firejail/main.c]) | 16 | AC_CONFIG_SRCDIR([src/firejail/main.c]) |
17 | 17 | ||
18 | AC_CONFIG_MACRO_DIR([m4]) | 18 | AC_CONFIG_MACRO_DIR([m4]) |
diff --git a/etc/7z.profile b/etc/7z.profile index 284aa37a2..5ff02e1c0 100644 --- a/etc/7z.profile +++ b/etc/7z.profile | |||
@@ -1,4 +1,5 @@ | |||
1 | # Firejail profile for 7z | 1 | # Firejail profile for 7z |
2 | # Description: File archiver with high compression ratio | ||
2 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
3 | quiet | 4 | quiet |
4 | # Persistent local customizations | 5 | # Persistent local customizations |
diff --git a/etc/7za.profile b/etc/7za.profile index 14188e1f0..9cd04cad1 100644 --- a/etc/7za.profile +++ b/etc/7za.profile | |||
@@ -1,4 +1,5 @@ | |||
1 | # Firejail profile for 7za | 1 | # Firejail profile for 7za |
2 | # Description: File archiver with high compression ratio | ||
2 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
3 | quiet | 4 | quiet |
4 | # Persistent local customizations | 5 | # Persistent local customizations |
diff --git a/etc/7zr.profile b/etc/7zr.profile index 2cb42fa40..bd3842900 100644 --- a/etc/7zr.profile +++ b/etc/7zr.profile | |||
@@ -1,4 +1,5 @@ | |||
1 | # Firejail profile for 7zr | 1 | # Firejail profile for 7zr |
2 | # Description: File archiver with high compression ratio | ||
2 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
3 | quiet | 4 | quiet |
4 | # Persistent local customizations | 5 | # Persistent local customizations |
diff --git a/etc/audio-recorder.profile b/etc/audio-recorder.profile new file mode 100644 index 000000000..afd1033de --- /dev/null +++ b/etc/audio-recorder.profile | |||
@@ -0,0 +1,51 @@ | |||
1 | # Firejail profile for audio-recorder | ||
2 | # Description: Audio Recorder Application | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include audio-recorder.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | noblacklist ${MUSIC} | ||
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | whitelist ${MUSIC} | ||
21 | whitelist ${DOWNLOADS} | ||
22 | whitelist /usr/share/audio-recorder | ||
23 | include whitelist-common.inc | ||
24 | include whitelist-usr-share-common.inc | ||
25 | include whitelist-var-common.inc | ||
26 | |||
27 | apparmor | ||
28 | caps.drop all | ||
29 | ipc-namespace | ||
30 | net none | ||
31 | no3d | ||
32 | nodvd | ||
33 | nogroups | ||
34 | nonewprivs | ||
35 | noroot | ||
36 | notv | ||
37 | nou2f | ||
38 | novideo | ||
39 | protocol unix | ||
40 | seccomp | ||
41 | shell none | ||
42 | tracelog | ||
43 | x11 none | ||
44 | |||
45 | disable-mnt | ||
46 | # private-bin audio-recorder | ||
47 | private-cache | ||
48 | private-etc alternatives,fonts | ||
49 | private-tmp | ||
50 | |||
51 | # memory-deny-write-execute - breaks on Arch | ||
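Review bot: `# private-bin audio-recorder` at line 46 is commented out with no reason given, unlike the `# memory-deny-write-execute - breaks on Arch` line at the end; add the reason or enable it. The profile also has no `nodbus` line (ddgtk.profile in this commit sets it), so state whether D-Bus access is left open on purpose.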
diff --git a/etc/baobab.profile b/etc/baobab.profile index c419aa202..79d4b23f9 100644 --- a/etc/baobab.profile +++ b/etc/baobab.profile | |||
@@ -6,7 +6,7 @@ include baobab.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | include disable-common.inc | 9 | # include disable-common.inc |
10 | include disable-devel.inc | 10 | include disable-devel.inc |
11 | include disable-exec.inc | 11 | include disable-exec.inc |
12 | include disable-interpreters.inc | 12 | include disable-interpreters.inc |
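Review bot: line 9 comments out `include disable-common.inc` without saying why, which removes the whole common blacklist from this profile rather than a single path. If baobab only trips over one entry, a targeted `noblacklist` placed before the include would keep the rest of the blacklist in force; either way add a comment giving the reason.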
diff --git a/etc/brasero.profile b/etc/brasero.profile index 058253308..67fc07afb 100644 --- a/etc/brasero.profile +++ b/etc/brasero.profile | |||
@@ -32,5 +32,3 @@ tracelog | |||
32 | private-cache | 32 | private-cache |
33 | # private-dev | 33 | # private-dev |
34 | # private-tmp | 34 | # private-tmp |
35 | |||
36 | memory-deny-write-execute | ||
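Review bot: `memory-deny-write-execute` is deleted from the end of the profile with no record of what it broke. The new profiles in this commit keep it as a commented line with a reason (`# memory-deny-write-execute - breaks on Arch`); doing the same here would document the failure and make the option easy to re-enable.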
diff --git a/etc/brave-browser-beta.profile b/etc/brave-browser-beta.profile new file mode 100644 index 000000000..528a6402d --- /dev/null +++ b/etc/brave-browser-beta.profile | |||
@@ -0,0 +1,5 @@ | |||
1 | # Firejail profile alias for brave (beta channel) | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | # Redirect | ||
5 | include brave.profile | ||
diff --git a/etc/brave-browser-dev.profile b/etc/brave-browser-dev.profile new file mode 100644 index 000000000..4601de119 --- /dev/null +++ b/etc/brave-browser-dev.profile | |||
@@ -0,0 +1,5 @@ | |||
1 | # Firejail profile alias for brave (development channel) | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | # Redirect | ||
5 | include brave.profile | ||
diff --git a/etc/brave-browser-nightly.profile b/etc/brave-browser-nightly.profile new file mode 100644 index 000000000..43d3cc724 --- /dev/null +++ b/etc/brave-browser-nightly.profile | |||
@@ -0,0 +1,5 @@ | |||
1 | # Firejail profile alias for brave (nightly channel) | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | # Redirect | ||
5 | include brave.profile | ||
diff --git a/etc/brave-browser-stable.profile b/etc/brave-browser-stable.profile new file mode 100644 index 000000000..06d33dea4 --- /dev/null +++ b/etc/brave-browser-stable.profile | |||
@@ -0,0 +1,5 @@ | |||
1 | # Firejail profile alias for brave (release channel) | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | # Redirect | ||
5 | include brave.profile | ||
diff --git a/etc/brave.profile b/etc/brave.profile index 984fab5a8..35c59f5a3 100644 --- a/etc/brave.profile +++ b/etc/brave.profile | |||
@@ -1,6 +1,6 @@ | |||
1 | # Firejail profile for brave | 1 | # Firejail profile for brave |
2 | # This file is overwritten after every install/update | ||
3 | # Description: Web browser that blocks ads and trackers by default. | 2 | # Description: Web browser that blocks ads and trackers by default. |
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include brave.local | 5 | include brave.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
@@ -9,16 +9,24 @@ include globals.local | |||
9 | # noexec /tmp is included in chromium-common.profile and breaks Brave | 9 | # noexec /tmp is included in chromium-common.profile and breaks Brave |
10 | ignore noexec /tmp | 10 | ignore noexec /tmp |
11 | 11 | ||
12 | noblacklist ${HOME}/.config/brave | 12 | noblacklist ${HOME}/.cache/BraveSoftware |
13 | noblacklist ${HOME}/.config/BraveSoftware | 13 | noblacklist ${HOME}/.config/BraveSoftware |
14 | noblacklist ${HOME}/.config/brave | ||
15 | noblacklist ${HOME}/.config/brave-flags.conf | ||
14 | # brave uses gpg for built-in password manager | 16 | # brave uses gpg for built-in password manager |
15 | noblacklist ${HOME}/.gnupg | 17 | noblacklist ${HOME}/.gnupg |
16 | 18 | ||
17 | mkdir ${HOME}/.config/brave | 19 | mkdir ${HOME}/.cache/BraveSoftware |
18 | mkdir ${HOME}/.config/BraveSoftware | 20 | mkdir ${HOME}/.config/BraveSoftware |
19 | whitelist ${HOME}/.config/brave | 21 | mkdir ${HOME}/.config/brave |
22 | whitelist ${HOME}/.cache/BraveSoftware | ||
20 | whitelist ${HOME}/.config/BraveSoftware | 23 | whitelist ${HOME}/.config/BraveSoftware |
24 | whitelist ${HOME}/.config/brave | ||
25 | whitelist ${HOME}/.config/brave-flags.conf | ||
21 | whitelist ${HOME}/.gnupg | 26 | whitelist ${HOME}/.gnupg |
22 | 27 | ||
28 | # Brave sandbox needs read access to /proc/config.gz | ||
29 | noblacklist /proc/config.gz | ||
30 | |||
23 | # Redirect | 31 | # Redirect |
24 | include chromium-common.profile | 32 | include chromium-common.profile |
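Review bot: `noblacklist /proc/config.gz` at new lines 28-29 sits below the whitelist block, apart from the other noblacklist lines at 12-17; move it up into that group so all exemptions are read together. It exempts the browser from the `blacklist /proc/config.gz` that this commit adds to disable-common.inc, so the comment should name which part of Brave's sandbox reads the kernel configuration.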
diff --git a/etc/cameramonitor.profile b/etc/cameramonitor.profile new file mode 100644 index 000000000..1d7aa0f9c --- /dev/null +++ b/etc/cameramonitor.profile | |||
@@ -0,0 +1,53 @@ | |||
1 | # Firejail profile for cameramonitor | ||
2 | # Description: A little monitor to check your webcam status | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include cameramonitor.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | # Allow python (blacklisted by disable-interpreters.inc) | ||
11 | include allow-python2.inc | ||
12 | include allow-python3.inc | ||
13 | |||
14 | include disable-common.inc | ||
15 | include disable-devel.inc | ||
16 | include disable-exec.inc | ||
17 | include disable-interpreters.inc | ||
18 | include disable-passwdmgr.inc | ||
19 | include disable-programs.inc | ||
20 | include disable-xdg.inc | ||
21 | |||
22 | whitelist /usr/share/cameramonitor | ||
23 | include whitelist-common.inc | ||
24 | include whitelist-usr-share-common.inc | ||
25 | include whitelist-var-common.inc | ||
26 | |||
27 | apparmor | ||
28 | caps.drop all | ||
29 | ipc-namespace | ||
30 | machine-id | ||
31 | net none | ||
32 | no3d | ||
33 | #nodbus | ||
34 | nodvd | ||
35 | nogroups | ||
36 | nonewprivs | ||
37 | noroot | ||
38 | nosound | ||
39 | notv | ||
40 | nou2f | ||
41 | novideo | ||
42 | protocol unix | ||
43 | seccomp | ||
44 | shell none | ||
45 | tracelog | ||
46 | |||
47 | disable-mnt | ||
48 | private-bin cameramonitor,python* | ||
49 | private-cache | ||
50 | private-etc alternatives,fonts | ||
51 | private-tmp | ||
52 | |||
53 | # memory-deny-write-execute - breaks on Arch | ||
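Review bot: `novideo` at line 41 looks at odds with the Description ("A little monitor to check your webcam status"); confirm the program still reports camera state with video devices hidden, and add a comment if the restriction is intentional. `#nodbus` at line 33 is commented out without a reason, unlike the memory-deny-write-execute line at the end.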
diff --git a/etc/ddgtk.profile b/etc/ddgtk.profile new file mode 100644 index 000000000..ef65046e1 --- /dev/null +++ b/etc/ddgtk.profile | |||
@@ -0,0 +1,54 @@ | |||
1 | # Firejail profile for ddgtk | ||
2 | # Description: A frontend GUI to dd for making bootable USB disks | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include ddgtk.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | # Allow python (blacklisted by disable-interpreters.inc) | ||
10 | include allow-python2.inc | ||
11 | include allow-python3.inc | ||
12 | |||
13 | include disable-common.inc | ||
14 | include disable-devel.inc | ||
15 | include disable-exec.inc | ||
16 | include disable-interpreters.inc | ||
17 | include disable-passwdmgr.inc | ||
18 | include disable-programs.inc | ||
19 | include disable-xdg.inc | ||
20 | |||
21 | whitelist ${DOWNLOADS} | ||
22 | whitelist /usr/share/ddgtk | ||
23 | include whitelist-common.inc | ||
24 | include whitelist-usr-share-common.inc | ||
25 | include whitelist-var-common.inc | ||
26 | |||
27 | apparmor | ||
28 | caps.drop all | ||
29 | ipc-namespace | ||
30 | machine-id | ||
31 | net none | ||
32 | no3d | ||
33 | nodbus | ||
34 | nodvd | ||
35 | nogroups | ||
36 | nonewprivs | ||
37 | noroot | ||
38 | nosound | ||
39 | notv | ||
40 | nou2f | ||
41 | novideo | ||
42 | protocol unix | ||
43 | seccomp | ||
44 | shell none | ||
45 | tracelog | ||
46 | x11 none | ||
47 | |||
48 | disable-mnt | ||
49 | private-bin bash,dd,ddgtk,grep,lsblk,python*,sed,sh,tr | ||
50 | private-cache | ||
51 | private-etc alternatives,fonts | ||
52 | private-tmp | ||
53 | |||
54 | # memory-deny-write-execute - breaks on Arch | ||
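Review bot: the Description says this is a GUI frontend to dd for making bootable USB disks, yet the profile sets `x11 none`, `noroot`, `nogroups` and `caps.drop all` (lines 28-46); confirm the window still opens and that dd can write to the target device under these options, since raw block devices are normally writable only by root or a dedicated group. `private-bin` at line 49 also admits bash and sh, which deserves a one-line comment on why the shells are needed.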
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index b2837b443..16f231108 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
@@ -376,7 +376,10 @@ blacklist ${PATH}/crontab | |||
376 | blacklist ${PATH}/evtest | 376 | blacklist ${PATH}/evtest |
377 | blacklist ${PATH}/expiry | 377 | blacklist ${PATH}/expiry |
378 | blacklist ${PATH}/fusermount | 378 | blacklist ${PATH}/fusermount |
379 | blacklist ${PATH}/gksu | ||
380 | blacklist ${PATH}/gksudo | ||
379 | blacklist ${PATH}/gpasswd | 381 | blacklist ${PATH}/gpasswd |
382 | blacklist ${PATH}/kdesudo | ||
380 | blacklist ${PATH}/ksu | 383 | blacklist ${PATH}/ksu |
381 | blacklist ${PATH}/mount | 384 | blacklist ${PATH}/mount |
382 | blacklist ${PATH}/mount.ecryptfs_private | 385 | blacklist ${PATH}/mount.ecryptfs_private |
@@ -449,3 +452,6 @@ blacklist ${HOME}/Mail | |||
449 | blacklist ${HOME}/mail | 452 | blacklist ${HOME}/mail |
450 | blacklist ${HOME}/postponed | 453 | blacklist ${HOME}/postponed |
451 | blacklist ${HOME}/sent | 454 | blacklist ${HOME}/sent |
455 | |||
456 | # kernel configuration | ||
457 | blacklist /proc/config.gz | ||
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index fa98825f4..b1605e757 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
@@ -132,6 +132,7 @@ blacklist ${HOME}/.config/bnox | |||
132 | blacklist ${HOME}/.config/borg | 132 | blacklist ${HOME}/.config/borg |
133 | blacklist ${HOME}/.config/brasero | 133 | blacklist ${HOME}/.config/brasero |
134 | blacklist ${HOME}/.config/brave | 134 | blacklist ${HOME}/.config/brave |
135 | blacklist ${HOME}/.config/brave-flags.conf | ||
135 | blacklist ${HOME}/.config/caja | 136 | blacklist ${HOME}/.config/caja |
136 | blacklist ${HOME}/.config/calibre | 137 | blacklist ${HOME}/.config/calibre |
137 | blacklist ${HOME}/.config/cantata | 138 | blacklist ${HOME}/.config/cantata |
@@ -158,7 +159,9 @@ blacklist ${HOME}/.config/dkl | |||
158 | blacklist ${HOME}/.config/dnox | 159 | blacklist ${HOME}/.config/dnox |
159 | blacklist ${HOME}/.config/dolphinrc | 160 | blacklist ${HOME}/.config/dolphinrc |
160 | blacklist ${HOME}/.config/dragonplayerrc | 161 | blacklist ${HOME}/.config/dragonplayerrc |
162 | blacklist ${HOME}/.config/draw.io | ||
161 | blacklist ${HOME}/.config/d-feet | 163 | blacklist ${HOME}/.config/d-feet |
164 | blacklist ${HOME}/.config/electron-mail | ||
162 | blacklist ${HOME}/.config/emaildefaults | 165 | blacklist ${HOME}/.config/emaildefaults |
163 | blacklist ${HOME}/.config/emailidentities | 166 | blacklist ${HOME}/.config/emailidentities |
164 | blacklist ${HOME}/.config/enchant | 167 | blacklist ${HOME}/.config/enchant |
@@ -181,6 +184,7 @@ blacklist ${HOME}/.config/ghb | |||
181 | blacklist ${HOME}/.config/ghostwriter | 184 | blacklist ${HOME}/.config/ghostwriter |
182 | blacklist ${HOME}/.config/git | 185 | blacklist ${HOME}/.config/git |
183 | blacklist ${HOME}/.config/globaltime | 186 | blacklist ${HOME}/.config/globaltime |
187 | blacklist ${HOME}/.config/gmpc | ||
184 | blacklist ${HOME}/.config/gnome-builder | 188 | blacklist ${HOME}/.config/gnome-builder |
185 | blacklist ${HOME}/.config/gnome-latex | 189 | blacklist ${HOME}/.config/gnome-latex |
186 | blacklist ${HOME}/.config/gnome-mplayer | 190 | blacklist ${HOME}/.config/gnome-mplayer |
@@ -260,6 +264,7 @@ blacklist ${HOME}/.config/onionshare | |||
260 | blacklist ${HOME}/.config/opera | 264 | blacklist ${HOME}/.config/opera |
261 | blacklist ${HOME}/.config/opera-beta | 265 | blacklist ${HOME}/.config/opera-beta |
262 | blacklist ${HOME}/.config/orage | 266 | blacklist ${HOME}/.config/orage |
267 | blacklist ${HOME}/.config/org.gabmus.gfeeds.json | ||
263 | blacklist ${HOME}/.config/org.kde.gwenviewrc | 268 | blacklist ${HOME}/.config/org.kde.gwenviewrc |
264 | blacklist ${HOME}/.config/pavucontrol-qt | 269 | blacklist ${HOME}/.config/pavucontrol-qt |
265 | blacklist ${HOME}/.config/pavucontrol.ini | 270 | blacklist ${HOME}/.config/pavucontrol.ini |
@@ -271,6 +276,7 @@ blacklist ${HOME}/.config/pix | |||
271 | blacklist ${HOME}/.config/pluma | 276 | blacklist ${HOME}/.config/pluma |
272 | blacklist ${HOME}/.config/ppsspp | 277 | blacklist ${HOME}/.config/ppsspp |
273 | blacklist ${HOME}/.config/pragha | 278 | blacklist ${HOME}/.config/pragha |
279 | blacklist ${HOME}/.config/profanity | ||
274 | blacklist ${HOME}/.config/psi+ | 280 | blacklist ${HOME}/.config/psi+ |
275 | blacklist ${HOME}/.config/qBittorrent | 281 | blacklist ${HOME}/.config/qBittorrent |
276 | blacklist ${HOME}/.config/qBittorrentrc | 282 | blacklist ${HOME}/.config/qBittorrentrc |
@@ -360,6 +366,7 @@ blacklist ${HOME}/.freecol | |||
360 | blacklist ${HOME}/.freemind | 366 | blacklist ${HOME}/.freemind |
361 | blacklist ${HOME}/.frozen-bubble | 367 | blacklist ${HOME}/.frozen-bubble |
362 | blacklist ${HOME}/.gimp* | 368 | blacklist ${HOME}/.gimp* |
369 | blacklist ${HOME}/.gist | ||
363 | blacklist ${HOME}/.gitconfig | 370 | blacklist ${HOME}/.gitconfig |
364 | blacklist ${HOME}/.gnome/gnome-schedule | 371 | blacklist ${HOME}/.gnome/gnome-schedule |
365 | blacklist ${HOME}/.googleearth/Cache | 372 | blacklist ${HOME}/.googleearth/Cache |
@@ -557,6 +564,7 @@ blacklist ${HOME}/.local/share/orage | |||
557 | blacklist ${HOME}/.local/share/org.kde.gwenview | 564 | blacklist ${HOME}/.local/share/org.kde.gwenview |
558 | blacklist ${HOME}/.local/share/pix | 565 | blacklist ${HOME}/.local/share/pix |
559 | blacklist ${HOME}/.local/share/plasma_notes | 566 | blacklist ${HOME}/.local/share/plasma_notes |
567 | blacklist ${HOME}/.local/share/profanity | ||
560 | blacklist ${HOME}/.local/share/psi+ | 568 | blacklist ${HOME}/.local/share/psi+ |
561 | blacklist ${HOME}/.local/share/qpdfview | 569 | blacklist ${HOME}/.local/share/qpdfview |
562 | blacklist ${HOME}/.local/share/qutebrowser | 570 | blacklist ${HOME}/.local/share/qutebrowser |
@@ -689,6 +697,7 @@ blacklist /var/lib/games/Maelstrom-Scores | |||
689 | blacklist ${HOME}/.cache/0ad | 697 | blacklist ${HOME}/.cache/0ad |
690 | blacklist ${HOME}/.cache/8pecxstudios | 698 | blacklist ${HOME}/.cache/8pecxstudios |
691 | blacklist ${HOME}/.cache/Authenticator | 699 | blacklist ${HOME}/.cache/Authenticator |
700 | blacklist ${HOME}/.cache/BraveSoftware | ||
692 | blacklist ${HOME}/.cache/Clementine | 701 | blacklist ${HOME}/.cache/Clementine |
693 | blacklist ${HOME}/.cache/Enox | 702 | blacklist ${HOME}/.cache/Enox |
694 | blacklist ${HOME}/.cache/Enpass | 703 | blacklist ${HOME}/.cache/Enpass |
@@ -701,6 +710,7 @@ blacklist ${HOME}/.cache/Zeal | |||
701 | blacklist ${HOME}/.cache/akonadi* | 710 | blacklist ${HOME}/.cache/akonadi* |
702 | blacklist ${HOME}/.cache/atril | 711 | blacklist ${HOME}/.cache/atril |
703 | blacklist ${HOME}/.cache/attic | 712 | blacklist ${HOME}/.cache/attic |
713 | blacklist ${HOME}/.cache/babl | ||
704 | blacklist ${HOME}/.cache/bnox | 714 | blacklist ${HOME}/.cache/bnox |
705 | blacklist ${HOME}/.cache/borg | 715 | blacklist ${HOME}/.cache/borg |
706 | blacklist ${HOME}/.cache/calibre | 716 | blacklist ${HOME}/.cache/calibre |
@@ -713,6 +723,7 @@ blacklist ${HOME}/.cache/darktable | |||
713 | blacklist ${HOME}/.cache/discover | 723 | blacklist ${HOME}/.cache/discover |
714 | blacklist ${HOME}/.cache/dnox | 724 | blacklist ${HOME}/.cache/dnox |
715 | blacklist ${HOME}/.cache/dolphin | 725 | blacklist ${HOME}/.cache/dolphin |
726 | blacklist ${HOME}/.cache/ephemeral | ||
716 | blacklist ${HOME}/.cache/epiphany | 727 | blacklist ${HOME}/.cache/epiphany |
717 | blacklist ${HOME}/.cache/evolution | 728 | blacklist ${HOME}/.cache/evolution |
718 | blacklist ${HOME}/.cache/falkon | 729 | blacklist ${HOME}/.cache/falkon |
@@ -721,6 +732,7 @@ blacklist ${HOME}/.cache/font-manager | |||
721 | blacklist ${HOME}/.cache/fossamail | 732 | blacklist ${HOME}/.cache/fossamail |
722 | blacklist ${HOME}/.cache/freecol | 733 | blacklist ${HOME}/.cache/freecol |
723 | blacklist ${HOME}/.cache/gajim | 734 | blacklist ${HOME}/.cache/gajim |
735 | blacklist ${HOME}/.cache/gegl-0.4 | ||
724 | blacklist ${HOME}/.cache/geeqie | 736 | blacklist ${HOME}/.cache/geeqie |
725 | blacklist ${HOME}/.cache/gimp | 737 | blacklist ${HOME}/.cache/gimp |
726 | blacklist ${HOME}/.cache/godot | 738 | blacklist ${HOME}/.cache/godot |
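Review bot: the new `blacklist ${HOME}/.cache/gegl-0.4` entry (new line 735) is placed before `${HOME}/.cache/geeqie`, which breaks the alphabetical order the rest of this list keeps. Move it between the `geeqie` and `gimp` entries so later additions and duplicate checks stay easy.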
@@ -769,6 +781,7 @@ blacklist ${HOME}/.cache/netsurf | |||
769 | blacklist ${HOME}/.cache/okular | 781 | blacklist ${HOME}/.cache/okular |
770 | blacklist ${HOME}/.cache/opera | 782 | blacklist ${HOME}/.cache/opera |
771 | blacklist ${HOME}/.cache/opera-beta | 783 | blacklist ${HOME}/.cache/opera-beta |
784 | blacklist ${HOME}/.cache/org.gabmus.gfeeds | ||
772 | blacklist ${HOME}/.cache/org.gnome.Books | 785 | blacklist ${HOME}/.cache/org.gnome.Books |
773 | blacklist ${HOME}/.cache/org.gnome.Maps | 786 | blacklist ${HOME}/.cache/org.gnome.Maps |
774 | blacklist ${HOME}/.cache/pdfmod | 787 | blacklist ${HOME}/.cache/pdfmod |
diff --git a/etc/drawio.profile b/etc/drawio.profile new file mode 100644 index 000000000..d4fd735a1 --- /dev/null +++ b/etc/drawio.profile | |||
@@ -0,0 +1,51 @@ | |||
1 | # Firejail profile for drawio | ||
2 | # Description: Diagram drawing application built on web technology - desktop version | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include drawio.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/draw.io | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-xdg.inc | ||
18 | |||
19 | mkdir ${HOME}/.config/draw.io | ||
20 | whitelist ${HOME}/.config/draw.io | ||
21 | whitelist ${DOWNLOADS} | ||
22 | include whitelist-common.inc | ||
23 | include whitelist-usr-share-common.inc | ||
24 | include whitelist-var-common.inc | ||
25 | |||
26 | apparmor | ||
27 | caps.drop all | ||
28 | ipc-namespace | ||
29 | machine-id | ||
30 | net none | ||
31 | nodbus | ||
32 | nodvd | ||
33 | nogroups | ||
34 | nonewprivs | ||
35 | noroot | ||
36 | nosound | ||
37 | notv | ||
38 | nou2f | ||
39 | novideo | ||
40 | protocol unix | ||
41 | seccomp !chroot | ||
42 | shell none | ||
43 | # tracelog - breaks on Arch | ||
44 | |||
45 | private-bin drawio | ||
46 | private-cache | ||
47 | private-dev | ||
48 | private-etc alternatives,fonts | ||
49 | private-tmp | ||
50 | |||
51 | # memory-deny-write-execute - breaks on Arch | ||
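Review bot: the filesystem block at lines 45-49 has no `disable-mnt`, although the other full profiles added in this commit (gist, gfeeds, gmpc, unf) set it. For an application that runs with `net none` and only needs `${HOME}/.config/draw.io` and `${DOWNLOADS}`, either add `disable-mnt` or leave a comment saying that diagrams are expected to be opened from removable media. The two "breaks on Arch" comments would also be more useful if they said whether the option works elsewhere.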
diff --git a/etc/electron-mail.profile b/etc/electron-mail.profile new file mode 100644 index 000000000..bde8978df --- /dev/null +++ b/etc/electron-mail.profile | |||
@@ -0,0 +1,52 @@ | |||
1 | # Firejail profile for electron-mail | ||
2 | # Description: Unofficial desktop app for several E2E encrypted email providers | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include electron-mail.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/electron-mail | ||
10 | |||
11 | whitelist ${DOWNLOADS} | ||
12 | |||
13 | include disable-common.inc | ||
14 | include disable-devel.inc | ||
15 | include disable-exec.inc | ||
16 | include disable-interpreters.inc | ||
17 | include disable-passwdmgr.inc | ||
18 | include disable-programs.inc | ||
19 | include disable-xdg.inc | ||
20 | |||
21 | mkdir ${HOME}/.config/electron-mail | ||
22 | whitelist ${HOME}/.config/electron-mail | ||
23 | |||
24 | include whitelist-common.inc | ||
25 | include whitelist-usr-share-common.inc | ||
26 | include whitelist-var-common.inc | ||
27 | |||
28 | apparmor | ||
29 | caps.drop all | ||
30 | netfilter | ||
31 | no3d | ||
32 | # nodbus - breaks tray functionality | ||
33 | nodvd | ||
34 | nogroups | ||
35 | nonewprivs | ||
36 | noroot | ||
37 | notv | ||
38 | nou2f | ||
39 | novideo | ||
40 | protocol unix,inet,inet6,netlink | ||
41 | seccomp !chroot | ||
42 | shell none | ||
43 | # tracelog - breaks on Arch | ||
44 | |||
45 | private-bin electron-mail | ||
46 | private-cache | ||
47 | private-dev | ||
48 | private-etc alternatives,fonts | ||
49 | private-opt ElectronMail | ||
50 | private-tmp | ||
51 | |||
52 | # memory-deny-write-execute - breaks on Arch | ||
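Review bot: `private-etc alternatives,fonts` on line 48 looks too narrow for a profile that enables `protocol unix,inet,inet6,netlink` and `netfilter`. A mail client normally needs name resolution and certificate files inside the sandbox; compare the profanity profile in this same commit, which keeps `ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl`. Please confirm this was tested with a real login, or extend the list. Separately, `whitelist ${DOWNLOADS}` on line 11 sits above the `disable-*.inc` includes, while the other new profiles group it with the remaining whitelist lines after `mkdir`.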
diff --git a/etc/ephemeral.profile b/etc/ephemeral.profile new file mode 100644 index 000000000..fa7746da5 --- /dev/null +++ b/etc/ephemeral.profile | |||
@@ -0,0 +1,61 @@ | |||
1 | # Firejail profile for ephemeral | ||
2 | # Description: The always-incognito web browser | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include ephemeral.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | # enforce private-cache | ||
10 | #noblacklist ${HOME}/.cache/ephemeral | ||
11 | |||
12 | noblacklist ${HOME}/.pki | ||
13 | noblacklist ${HOME}/.local/share/pki | ||
14 | |||
15 | # noexec ${HOME} breaks DRM binaries. | ||
16 | ?BROWSER_ALLOW_DRM: ignore noexec ${HOME} | ||
17 | |||
18 | include disable-common.inc | ||
19 | include disable-devel.inc | ||
20 | include disable-exec.inc | ||
21 | include disable-interpreters.inc | ||
22 | include disable-programs.inc | ||
23 | |||
24 | # enforce private-cache | ||
25 | #mkdir ${HOME}/.cache/ephemeral | ||
26 | mkdir ${HOME}/.pki | ||
27 | mkdir ${HOME}/.local/share/pki | ||
28 | # enforce private-cache | ||
29 | #whitelist ${HOME}/.cache/ephemeral | ||
30 | whitelist ${HOME}/.pki | ||
31 | whitelist ${HOME}/.local/share/pki | ||
32 | whitelist ${DOWNLOADS} | ||
33 | include whitelist-common.inc | ||
34 | include whitelist-usr-share-common.inc | ||
35 | include whitelist-var-common.inc | ||
36 | |||
37 | apparmor | ||
38 | caps.drop all | ||
39 | # machine-id breaks pulse audio; it should work fine in setups where sound is not required. | ||
40 | #machine-id | ||
41 | netfilter | ||
42 | # nodbus breaks preferences | ||
43 | #nodbus | ||
44 | nodvd | ||
45 | nogroups | ||
46 | nonewprivs | ||
47 | # noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506. | ||
48 | noroot | ||
49 | notv | ||
50 | ?BROWSER_DISABLE_U2F: nou2f | ||
51 | protocol unix,inet,inet6,netlink | ||
52 | seccomp | ||
53 | shell none | ||
54 | tracelog | ||
55 | |||
56 | disable-mnt | ||
57 | private-cache | ||
58 | private-dev | ||
59 | # private-etc below works fine on most distributions. There are some problems on CentOS. | ||
60 | #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,login.defs,machine-id,mailcap,mime.types,nsswitch.conf,os-release,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg | ||
61 | private-tmp | ||
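Review bot: the include block at lines 18-22 omits `disable-passwdmgr.inc` and `disable-xdg.inc`, which every other full profile added in this commit includes. If that is deliberate for a browser, say so in a comment; otherwise add both. The three `# enforce private-cache` comments with commented-out `noblacklist`, `mkdir` and `whitelist` lines could be folded into one note next to `private-cache`, and the comment on line 47 reads as if `noroot` were disabled although line 48 keeps it on.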
diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile index 19d9a7644..67c0ed311 100644 --- a/etc/ffmpeg.profile +++ b/etc/ffmpeg.profile | |||
@@ -18,6 +18,7 @@ include disable-passwdmgr.inc | |||
18 | include disable-programs.inc | 18 | include disable-programs.inc |
19 | include disable-xdg.inc | 19 | include disable-xdg.inc |
20 | 20 | ||
21 | whitelist /usr/share/devedeng | ||
21 | whitelist /usr/share/ffmpeg | 22 | whitelist /usr/share/ffmpeg |
22 | whitelist /usr/share/qtchooser | 23 | whitelist /usr/share/qtchooser |
23 | include whitelist-usr-share-common.inc | 24 | include whitelist-usr-share-common.inc |
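Review bot: `whitelist /usr/share/devedeng` is added to the ffmpeg profile without a comment, and nothing in the hunk shows why ffmpeg needs another application's data directory. Add a one-line reason (as the `set_mempolicy` change further down does), or move the whitelist into the profile of the program that actually reads those files.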
@@ -38,7 +39,8 @@ notv | |||
38 | nou2f | 39 | nou2f |
39 | novideo | 40 | novideo |
40 | protocol inet,inet6 | 41 | protocol inet,inet6 |
41 | seccomp | 42 | # allow set_mempolicy, which is required to encode using libx265 |
43 | seccomp !set_mempolicy | ||
42 | shell none | 44 | shell none |
43 | tracelog | 45 | tracelog |
44 | 46 | ||
diff --git a/etc/firefox-wayland.profile b/etc/firefox-wayland.profile index 068da5ee3..17c9f059e 100644 --- a/etc/firefox-wayland.profile +++ b/etc/firefox-wayland.profile | |||
@@ -1,4 +1,4 @@ | |||
1 | # Firejail profile for firefox-wayland | 1 | # Firejail profile alias for firefox-wayland |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include firefox-wayland.local | 4 | include firefox-wayland.local |
diff --git a/etc/firejail-default b/etc/firejail-default index a012f5440..2987e538c 100644 --- a/etc/firejail-default +++ b/etc/firejail-default | |||
@@ -57,6 +57,9 @@ owner /{,var/}run/media/** w, | |||
57 | # Allow access to cups printing socket. | 57 | # Allow access to cups printing socket. |
58 | /{,var/}run/cups/cups.sock w, | 58 | /{,var/}run/cups/cups.sock w, |
59 | 59 | ||
60 | # Allow access to pcscd socket (smartcards) | ||
61 | /{,var/}run/pcscd/pcscd.comm w, | ||
62 | |||
60 | # Needed for firefox sandbox | 63 | # Needed for firefox sandbox |
61 | /proc/@{PID}/{uid_map,gid_map,setgroups} w, | 64 | /proc/@{PID}/{uid_map,gid_map,setgroups} w, |
62 | 65 | ||
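Review bot: `/{,var/}run/pcscd/pcscd.comm w,` gives write access to the smartcard daemon socket to every program confined by the default AppArmor profile, not only to the ones that use smartcards. Consider leaving this to the site-specific `local/firejail-local` include referenced at the end of the profile, or extend the comment to explain why a global allow is acceptable.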
@@ -148,14 +151,6 @@ capability setfcap, | |||
148 | #capability mac_override, | 151 | #capability mac_override, |
149 | #capability mac_admin, | 152 | #capability mac_admin, |
150 | 153 | ||
151 | ########## | ||
152 | # We let Firejail deal with mount/umount functionality. | ||
153 | ########## | ||
154 | mount, | ||
155 | remount, | ||
156 | umount, | ||
157 | pivot_root, | ||
158 | |||
159 | # Site-specific additions and overrides. See local/README for details. | 154 | # Site-specific additions and overrides. See local/README for details. |
160 | #include <local/firejail-local> | 155 | #include <local/firejail-local> |
161 | } | 156 | } |
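Review bot: the `mount,`, `remount,`, `umount,` and `pivot_root,` rules are removed together with their comment, and nothing replaces the explanation. With the rules gone the profile no longer grants these operations to confined processes, which is a behaviour change for any sandboxed program that sets up its own mount namespace. Please leave a short comment in place of the removed block stating that the denial is intentional, and note which programs were tested with the `apparmor` option after this change.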
diff --git a/etc/gconf.profile b/etc/gconf.profile index 2f930235c..25145c77d 100644 --- a/etc/gconf.profile +++ b/etc/gconf.profile | |||
@@ -52,7 +52,7 @@ private-bin gconf-editor,gconf-merge-*,gconfpkg,gconftool-2,gsettings-*-convert, | |||
52 | private-cache | 52 | private-cache |
53 | private-dev | 53 | private-dev |
54 | private-etc alternatives,fonts,gconf | 54 | private-etc alternatives,fonts,gconf |
55 | private-lib libpython*,python2* | 55 | private-lib GConf,libpython*,python2* |
56 | private-tmp | 56 | private-tmp |
57 | 57 | ||
58 | memory-deny-write-execute | 58 | memory-deny-write-execute |
diff --git a/etc/gfeeds.profile b/etc/gfeeds.profile new file mode 100644 index 000000000..dcb33bc38 --- /dev/null +++ b/etc/gfeeds.profile | |||
@@ -0,0 +1,56 @@ | |||
1 | # Firejail profile for gfeeds | ||
2 | # Description: RSS/Atom feed reader for GNOME | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include gfeeds.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.cache/org.gabmus.gfeeds | ||
10 | noblacklist ${HOME}/.config/org.gabmus.gfeeds.json | ||
11 | |||
12 | # Allow python (blacklisted by disable-interpreters.inc) | ||
13 | include allow-python3.inc | ||
14 | |||
15 | include disable-common.inc | ||
16 | include disable-devel.inc | ||
17 | include disable-exec.inc | ||
18 | include disable-interpreters.inc | ||
19 | include disable-passwdmgr.inc | ||
20 | include disable-programs.inc | ||
21 | include disable-xdg.inc | ||
22 | |||
23 | mkdir ${HOME}/.cache/org.gabmus.gfeeds | ||
24 | mkfile ${HOME}/.config/org.gabmus.gfeeds.json | ||
25 | whitelist ${HOME}/.cache/org.gabmus.gfeeds | ||
26 | whitelist ${HOME}/.config/org.gabmus.gfeeds.json | ||
27 | whitelist /usr/share/gfeeds | ||
28 | include whitelist-common.inc | ||
29 | include whitelist-usr-share-common.inc | ||
30 | include whitelist-var-common.inc | ||
31 | |||
32 | apparmor | ||
33 | caps.drop all | ||
34 | machine-id | ||
35 | netfilter | ||
36 | no3d | ||
37 | #nodbus | ||
38 | nodvd | ||
39 | nogroups | ||
40 | nonewprivs | ||
41 | noroot | ||
42 | nosound | ||
43 | notv | ||
44 | nou2f | ||
45 | novideo | ||
46 | protocol unix,inet,inet6 | ||
47 | seccomp | ||
48 | shell none | ||
49 | tracelog | ||
50 | |||
51 | disable-mnt | ||
52 | private-bin gfeeds,python3* | ||
53 | # private-cache -- feeds are stored in ~/.cache | ||
54 | private-dev | ||
55 | private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,fonts,gconf,group,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg | ||
56 | private-tmp | ||
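Review bot: `#nodbus` on line 37 is commented out with no reason, while line 53 (`# private-cache -- feeds are stored in ~/.cache`) shows the style to follow. State what breaks with `nodbus` so the option can be re-evaluated later. The `private-etc` list on line 55 also carries entries such as `ld.so.preload`, `rpc` and `gconf` that a feed reader may not need; trimming it to what was verified would keep the sandbox tighter.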
diff --git a/etc/gimp.profile b/etc/gimp.profile index 81ae95645..5c0631eb2 100644 --- a/etc/gimp.profile +++ b/etc/gimp.profile | |||
@@ -11,6 +11,8 @@ include globals.local | |||
11 | # or put 'noexec ${HOME}' in your gimp.local | 11 | # or put 'noexec ${HOME}' in your gimp.local |
12 | ignore noexec ${HOME} | 12 | ignore noexec ${HOME} |
13 | 13 | ||
14 | noblacklist ${HOME}/.cache/babl | ||
15 | noblacklist ${HOME}/.cache/gegl-0.4 | ||
14 | noblacklist ${HOME}/.cache/gimp | 16 | noblacklist ${HOME}/.cache/gimp |
15 | noblacklist ${HOME}/.config/GIMP | 17 | noblacklist ${HOME}/.config/GIMP |
16 | noblacklist ${HOME}/.gimp* | 18 | noblacklist ${HOME}/.gimp* |
@@ -23,8 +25,10 @@ include disable-passwdmgr.inc | |||
23 | include disable-programs.inc | 25 | include disable-programs.inc |
24 | include disable-xdg.inc | 26 | include disable-xdg.inc |
25 | 27 | ||
28 | whitelist /usr/share/gegl-0.4 | ||
26 | whitelist /usr/share/gimp | 29 | whitelist /usr/share/gimp |
27 | whitelist /usr/share/mypaint-data | 30 | whitelist /usr/share/mypaint-data |
31 | whitelist /usr/share/lensfun | ||
28 | include whitelist-usr-share-common.inc | 32 | include whitelist-usr-share-common.inc |
29 | include whitelist-var-common.inc | 33 | include whitelist-var-common.inc |
30 | 34 | ||
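Review bot: `whitelist /usr/share/lensfun` is added after `whitelist /usr/share/mypaint-data`, which breaks the alphabetical order that `gegl-0.4`, `gimp` and `mypaint-data` follow in this block. Move it between the `gimp` and `mypaint-data` lines.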
diff --git a/etc/gist-paste.profile b/etc/gist-paste.profile new file mode 100644 index 000000000..56b3176ed --- /dev/null +++ b/etc/gist-paste.profile | |||
@@ -0,0 +1,12 @@ | |||
1 | # Firejail profile for gist-paste | ||
2 | # Description: Potentially the best command line gister | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include gist-paste.local | ||
7 | # Persistent global definitions | ||
8 | # added by included profile | ||
9 | #include globals.local | ||
10 | |||
11 | # Redirect | ||
12 | include gist.profile | ||
diff --git a/etc/gist.profile b/etc/gist.profile new file mode 100644 index 000000000..7413238c8 --- /dev/null +++ b/etc/gist.profile | |||
@@ -0,0 +1,58 @@ | |||
1 | # Firejail profile for gist | ||
2 | # Description: Potentially the best command line gister | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include gist.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | blacklist /tmp/.X11-unix | ||
11 | |||
12 | noblacklist ${HOME}/.gist | ||
13 | |||
14 | # Allow ruby (blacklisted by disable-interpreters.inc) | ||
15 | include allow-ruby.inc | ||
16 | |||
17 | include disable-common.inc | ||
18 | include disable-devel.inc | ||
19 | include disable-exec.inc | ||
20 | include disable-interpreters.inc | ||
21 | include disable-passwdmgr.inc | ||
22 | include disable-programs.inc | ||
23 | include disable-xdg.inc | ||
24 | |||
25 | mkdir ${HOME}/.gist | ||
26 | whitelist ${HOME}/.gist | ||
27 | whitelist ${DOWNLOADS} | ||
28 | include whitelist-common.inc | ||
29 | include whitelist-usr-share-common.inc | ||
30 | include whitelist-var-common.inc | ||
31 | |||
32 | apparmor | ||
33 | caps.drop all | ||
34 | ipc-namespace | ||
35 | machine-id | ||
36 | netfilter | ||
37 | no3d | ||
38 | nodbus | ||
39 | nodvd | ||
40 | nogroups | ||
41 | nonewprivs | ||
42 | noroot | ||
43 | nosound | ||
44 | notv | ||
45 | nou2f | ||
46 | novideo | ||
47 | protocol unix,inet,inet6 | ||
48 | seccomp | ||
49 | shell none | ||
50 | tracelog | ||
51 | |||
52 | disable-mnt | ||
53 | private-cache | ||
54 | private-dev | ||
55 | private-etc alternatives | ||
56 | private-tmp | ||
57 | |||
58 | memory-deny-write-execute | ||
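Review bot: line 55 keeps only `alternatives` in `private-etc`, yet the profile allows `protocol unix,inet,inet6` with `netfilter`, so the tool is expected to talk to the network. Without `resolv.conf`, `ca-certificates`, `ssl` and similar entries, name resolution and TLS verification may fail inside the sandbox. Please confirm an upload was tested with this profile or extend the list. A short comment on why line 10 uses `blacklist /tmp/.X11-unix` would also help.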
diff --git a/etc/gmpc.profile b/etc/gmpc.profile new file mode 100644 index 000000000..b1546db30 --- /dev/null +++ b/etc/gmpc.profile | |||
@@ -0,0 +1,53 @@ | |||
1 | # Firejail profile for gmpc | ||
2 | # Description: MPD client | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include gmpc.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/gmpc | ||
10 | noblacklist ${MUSIC} | ||
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | mkdir ${HOME}/.config/gmpc | ||
21 | whitelist ${HOME}/.config/gmpc | ||
22 | whitelist ${MUSIC} | ||
23 | whitelist /usr/share/gmpc | ||
24 | include whitelist-common.inc | ||
25 | include whitelist-usr-share-common.inc | ||
26 | include whitelist-var-common.inc | ||
27 | |||
28 | apparmor | ||
29 | caps.drop all | ||
30 | ipc-namespace | ||
31 | netfilter | ||
32 | no3d | ||
33 | #nodbus | ||
34 | nodvd | ||
35 | nogroups | ||
36 | nonewprivs | ||
37 | noroot | ||
38 | notv | ||
39 | nou2f | ||
40 | novideo | ||
41 | protocol unix,inet,inet6 | ||
42 | seccomp | ||
43 | shell none | ||
44 | tracelog | ||
45 | |||
46 | disable-mnt | ||
47 | #private-bin gmpc | ||
48 | private-cache | ||
49 | private-etc alternatives,fonts | ||
50 | private-tmp | ||
51 | writable-run-user | ||
52 | |||
53 | # memory-deny-write-execute - breaks on Arch | ||
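Review bot: the filesystem block at lines 46-51 has no `private-dev`, which every other full profile added in this commit sets, and there is no comment saying it breaks gmpc. Add it or document why it is left out. The same goes for `#nodbus` (line 33) and `#private-bin gmpc` (line 47), which are disabled without a stated reason.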
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile index 36e50370e..c11773147 100644 --- a/etc/gpg-agent.profile +++ b/etc/gpg-agent.profile | |||
@@ -1,6 +1,7 @@ | |||
1 | # Firejail profile for gpg-agent | 1 | # Firejail profile for gpg-agent |
2 | # Description: GNU privacy guard - cryptographic agent | 2 | # Description: GNU privacy guard - cryptographic agent |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | ||
4 | # Persistent local customizations | 5 | # Persistent local customizations |
5 | include gpg-agent.local | 6 | include gpg-agent.local |
6 | # Persistent global definitions | 7 | # Persistent global definitions |
diff --git a/etc/gpg.profile b/etc/gpg.profile index 1ed5e484a..5eb18a0bc 100644 --- a/etc/gpg.profile +++ b/etc/gpg.profile | |||
@@ -1,6 +1,7 @@ | |||
1 | # Firejail profile for gpg | 1 | # Firejail profile for gpg |
2 | # Description: GNU Privacy Guard -- minimalist public key operations | 2 | # Description: GNU Privacy Guard -- minimalist public key operations |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | ||
4 | # Persistent local customizations | 5 | # Persistent local customizations |
5 | include gpg.local | 6 | include gpg.local |
6 | # Persistent global definitions | 7 | # Persistent global definitions |
diff --git a/etc/gpg2.profile b/etc/gpg2.profile new file mode 100644 index 000000000..b831b0f62 --- /dev/null +++ b/etc/gpg2.profile | |||
@@ -0,0 +1,13 @@ | |||
1 | # Firejail profile for gpg2 | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include gpg2.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # private-bin gpg2 | ||
11 | |||
12 | # Redirect | ||
13 | include gpg.profile | ||
diff --git a/etc/gtk-update-icon-cache.profile b/etc/gtk-update-icon-cache.profile new file mode 100644 index 000000000..fd35a563b --- /dev/null +++ b/etc/gtk-update-icon-cache.profile | |||
@@ -0,0 +1,51 @@ | |||
1 | # Firejail profile for gtk-update-icon-cache | ||
2 | # Description: Icon theme caching utility | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include gtk-update-icon-cache.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | include disable-common.inc | ||
11 | include disable-devel.inc | ||
12 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | ||
14 | include disable-passwdmgr.inc | ||
15 | include disable-programs.inc | ||
16 | include disable-xdg.inc | ||
17 | |||
18 | include whitelist-common.inc | ||
19 | include whitelist-usr-share-common.inc | ||
20 | include whitelist-var-common.inc | ||
21 | |||
22 | apparmor | ||
23 | caps.drop all | ||
24 | ipc-namespace | ||
25 | machine-id | ||
26 | net none | ||
27 | no3d | ||
28 | nodbus | ||
29 | nodvd | ||
30 | nogroups | ||
31 | nonewprivs | ||
32 | noroot | ||
33 | nosound | ||
34 | notv | ||
35 | nou2f | ||
36 | novideo | ||
37 | protocol unix | ||
38 | seccomp | ||
39 | shell none | ||
40 | tracelog | ||
41 | x11 none | ||
42 | |||
43 | disable-mnt | ||
44 | private-bin gtk-update-icon-cache | ||
45 | private-cache | ||
46 | private-dev | ||
47 | private-etc none | ||
48 | private-lib | ||
49 | private-tmp | ||
50 | |||
51 | memory-deny-write-execute | ||
diff --git a/etc/gzexe.profile b/etc/gzexe.profile new file mode 100644 index 000000000..bb570d553 --- /dev/null +++ b/etc/gzexe.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for gzexe | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include gzexe.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include gzip.profile | ||
diff --git a/etc/ooffice.profile b/etc/ooffice.profile new file mode 100644 index 000000000..8348a57fe --- /dev/null +++ b/etc/ooffice.profile | |||
@@ -0,0 +1,5 @@ | |||
1 | # Firejail profile alias for libreoffice | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | # Redirect | ||
5 | include libreoffice.profile | ||
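Review bot: this alias has no `include ooffice.local` line, so users cannot add persistent overrides for the alias name. The thunderbird-wayland change in this same commit adds exactly that block ("Persistent local customizations" plus the commented `globals.local` note) to an alias profile. Apply the same pattern here and to the identical ooviewdoc and openoffice.org aliases that follow.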
diff --git a/etc/ooviewdoc.profile b/etc/ooviewdoc.profile new file mode 100644 index 000000000..8348a57fe --- /dev/null +++ b/etc/ooviewdoc.profile | |||
@@ -0,0 +1,5 @@ | |||
1 | # Firejail profile alias for libreoffice | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | # Redirect | ||
5 | include libreoffice.profile | ||
diff --git a/etc/openoffice.org.profile b/etc/openoffice.org.profile new file mode 100644 index 000000000..8348a57fe --- /dev/null +++ b/etc/openoffice.org.profile | |||
@@ -0,0 +1,5 @@ | |||
1 | # Firejail profile alias for libreoffice | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | # Redirect | ||
5 | include libreoffice.profile | ||
diff --git a/etc/p7zip.profile b/etc/p7zip.profile index 7e0069afc..652fac7bd 100644 --- a/etc/p7zip.profile +++ b/etc/p7zip.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for p7zip | 1 | # Firejail profile for p7zip |
2 | # Description: 7zr file archiver with high compression ratio | 2 | # Description: File archiver with high compression ratio |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | # Persistent local customizations | 5 | # Persistent local customizations |
diff --git a/etc/profanity.profile b/etc/profanity.profile new file mode 100644 index 000000000..6ca9314e9 --- /dev/null +++ b/etc/profanity.profile | |||
@@ -0,0 +1,50 @@ | |||
1 | # Firejail profile for profanity | ||
2 | # Description: profanity is an XMPP chat client for the terminal | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include profanity.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | noblacklist ${HOME}/.config/profanity | ||
11 | noblacklist ${HOME}/.local/share/profanity | ||
12 | |||
13 | # Allow Python | ||
14 | include allow-python2.inc | ||
15 | include allow-python3.inc | ||
16 | |||
17 | include disable-common.inc | ||
18 | include disable-devel.inc | ||
19 | include disable-exec.inc | ||
20 | include disable-interpreters.inc | ||
21 | include disable-passwdmgr.inc | ||
22 | include disable-programs.inc | ||
23 | include disable-xdg.inc | ||
24 | |||
25 | include whitelist-usr-share-common.inc | ||
26 | include whitelist-var-common.inc | ||
27 | |||
28 | caps.drop all | ||
29 | netfilter | ||
30 | no3d | ||
31 | nodbus | ||
32 | nodvd | ||
33 | nogroups | ||
34 | nonewprivs | ||
35 | noroot | ||
36 | nosound | ||
37 | notv | ||
38 | nou2f | ||
39 | novideo | ||
40 | protocol unix,inet,inet6 | ||
41 | seccomp | ||
42 | shell none | ||
43 | |||
44 | private-bin profanity | ||
45 | private-cache | ||
46 | private-dev | ||
47 | private-etc alternatives,ca-certificates,crypto-policies,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl | ||
48 | private-tmp | ||
49 | |||
50 | memory-deny-write-execute | ||
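Review bot: the option block at lines 28-42 has no `apparmor` and no `tracelog`, and lines 44-48 have no `disable-mnt`, although comparable network clients added in this commit (gist, gfeeds) set all three. If any of them breaks profanity, add a commented-out line with the reason; otherwise enable them. Also note that the home directory is only `noblacklist`ed for the two profanity directories and never whitelisted, so the client can still read everything in `${HOME}` that the disable includes do not cover.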
diff --git a/etc/seahorse-tool.profile b/etc/seahorse-tool.profile index 4bf23c512..96ff74edf 100644 --- a/etc/seahorse-tool.profile +++ b/etc/seahorse-tool.profile | |||
@@ -7,9 +7,9 @@ include seahorse-tool.local | |||
7 | # added by included profile | 7 | # added by included profile |
8 | #include globals.local | 8 | #include globals.local |
9 | 9 | ||
10 | # private-etc workaround for: #2877 | ||
11 | private-etc firejail,login.defs,passwd | ||
10 | private-tmp | 12 | private-tmp |
11 | 13 | ||
12 | memory-deny-write-execute | ||
13 | |||
14 | # Redirect | 14 | # Redirect |
15 | include seahorse.profile | 15 | include seahorse.profile |
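Review bot: `memory-deny-write-execute` is dropped from seahorse-tool with no explanation. The new comment only covers the `private-etc` workaround for #2877. Add a line saying what breaks with the option enabled, in the style of `# memory-deny-write-execute - breaks on Arch` used elsewhere in this commit, so the hardening can be restored once the cause is fixed.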
diff --git a/etc/seahorse.profile b/etc/seahorse.profile index 6acf8aa5d..5a742d05f 100644 --- a/etc/seahorse.profile +++ b/etc/seahorse.profile | |||
@@ -20,17 +20,19 @@ include disable-passwdmgr.inc | |||
20 | include disable-programs.inc | 20 | include disable-programs.inc |
21 | include disable-xdg.inc | 21 | include disable-xdg.inc |
22 | 22 | ||
23 | mkdir ${HOME}/.gnupg | 23 | # whitelisting in ${HOME} breaks file encryption feature of nautilus. |
24 | mkdir ${HOME}/.ssh | 24 | # once #2882 is fixed this can be uncommented and nowhitelisted in seahorse-tool.profile |
25 | whitelist ${HOME}/.gnupg | 25 | #mkdir ${HOME}/.gnupg |
26 | whitelist ${HOME}/.ssh | 26 | #mkdir ${HOME}/.ssh |
27 | #whitelist ${HOME}/.gnupg | ||
28 | #whitelist ${HOME}/.ssh | ||
27 | whitelist /tmp/ssh-* | 29 | whitelist /tmp/ssh-* |
28 | whitelist /usr/share/gnupg | 30 | whitelist /usr/share/gnupg |
29 | whitelist /usr/share/gnupg2 | 31 | whitelist /usr/share/gnupg2 |
30 | whitelist /usr/share/seahorse | 32 | whitelist /usr/share/seahorse |
31 | whitelist /usr/share/seahorse-nautilus | 33 | whitelist /usr/share/seahorse-nautilus |
34 | #include whitelist-common.inc | ||
32 | include whitelist-usr-share-common.inc | 35 | include whitelist-usr-share-common.inc |
33 | include whitelist-common.inc | ||
34 | include whitelist-var-common.inc | 36 | include whitelist-var-common.inc |
35 | 37 | ||
36 | apparmor | 38 | apparmor |
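Review bot: commenting out the `${HOME}/.gnupg` and `${HOME}/.ssh` whitelists and `whitelist-common.inc` removes home whitelisting for seahorse itself, not only for the nautilus encryption path handled by seahorse-tool. The comment at lines 23-24 explains the reason but not the cost: a key manager now sees all of `${HOME}` that the disable includes leave visible. Say that explicitly in the comment. `#include whitelist-common.inc` was also moved above `whitelist-usr-share-common.inc`; keep it in its original position so re-enabling it after #2882 is a clean revert.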
diff --git a/etc/thunderbird-wayland.profile b/etc/thunderbird-wayland.profile index 031d331e7..9fbb80d29 100644 --- a/etc/thunderbird-wayland.profile +++ b/etc/thunderbird-wayland.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for thunderbird-wayland | 1 | # Firejail profile alias for thunderbird-wayland |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include thunderbird-wayland.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include thunderbird.profile | 10 | include thunderbird.profile |
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile index ea6e3855d..e30b57498 100644 --- a/etc/thunderbird.profile +++ b/etc/thunderbird.profile | |||
@@ -14,7 +14,7 @@ noblacklist ${HOME}/.gnupg | |||
14 | # noblacklist ${HOME}/.icedove | 14 | # noblacklist ${HOME}/.icedove |
15 | noblacklist ${HOME}/.thunderbird | 15 | noblacklist ${HOME}/.thunderbird |
16 | 16 | ||
17 | # Uncomment the next 4 lines or put they in your thunderbird.local to | 17 | # Uncomment the next 4 lines or put them in your thunderbird.local to |
18 | # allow Firefox to load your profile when clicking a link in an email | 18 | # allow Firefox to load your profile when clicking a link in an email |
19 | #noblacklist ${HOME}/.cache/mozilla | 19 | #noblacklist ${HOME}/.cache/mozilla |
20 | #noblacklist ${HOME}/.mozilla | 20 | #noblacklist ${HOME}/.mozilla |
@@ -39,7 +39,7 @@ whitelist ${HOME}/.thunderbird | |||
39 | 39 | ||
40 | # We need the real /tmp for data exchange when xdg-open handles email attachments on KDE | 40 | # We need the real /tmp for data exchange when xdg-open handles email attachments on KDE |
41 | ignore private-tmp | 41 | ignore private-tmp |
42 | # machine-id breaks audio in browsers; enable it when sound is not required | 42 | # machine-id breaks audio in browsers; enable or put it in your thunderbird.local when sound is not required |
43 | # machine-id | 43 | # machine-id |
44 | read-only ${HOME}/.config/mimeapps.list | 44 | read-only ${HOME}/.config/mimeapps.list |
45 | # writable-run-user and dbus are needed by enigmail | 45 | # writable-run-user and dbus are needed by enigmail |
diff --git a/etc/uncompress.profile b/etc/uncompress.profile new file mode 100644 index 000000000..f659d8e87 --- /dev/null +++ b/etc/uncompress.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for uncompress | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include uncompress.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include gzip.profile | ||
diff --git a/etc/unf.profile b/etc/unf.profile new file mode 100644 index 000000000..1f0b2aa32 --- /dev/null +++ b/etc/unf.profile | |||
@@ -0,0 +1,54 @@ | |||
1 | # Firejail profile for unf | ||
2 | # Description: UNixize Filename -- replace annoying anti-unix characters in filenames | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include unf.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | include disable-common.inc | ||
11 | include disable-devel.inc | ||
12 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | ||
14 | include disable-passwdmgr.inc | ||
15 | include disable-programs.inc | ||
16 | include disable-xdg.inc | ||
17 | |||
18 | whitelist ${DOWNLOADS} | ||
19 | include whitelist-common.inc | ||
20 | include whitelist-usr-share-common.inc | ||
21 | include whitelist-var-common.inc | ||
22 | |||
23 | apparmor | ||
24 | caps.drop all | ||
25 | hostname unf | ||
26 | ipc-namespace | ||
27 | machine-id | ||
28 | net none | ||
29 | no3d | ||
30 | nodbus | ||
31 | nodvd | ||
32 | nogroups | ||
33 | nonewprivs | ||
34 | noroot | ||
35 | nosound | ||
36 | notv | ||
37 | nou2f | ||
38 | novideo | ||
39 | protocol unix | ||
40 | seccomp | ||
41 | shell none | ||
42 | tracelog | ||
43 | x11 none | ||
44 | |||
45 | disable-mnt | ||
46 | private-bin unf | ||
47 | private-cache | ||
48 | ?HAS_APPIMAGE: ignore private-dev | ||
49 | private-dev | ||
50 | private-etc alternatives | ||
51 | private-lib libgcc_s.so.* | ||
52 | private-tmp | ||
53 | |||
54 | memory-deny-write-execute | ||
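Review bot: `whitelist ${DOWNLOADS}` on line 18 is the only home-directory whitelist in this profile, so unf can only see and rename files under the downloads directory, and nothing in the file says so. Add a comment next to it telling users to put further `whitelist` lines in unf.local when they need to rename files elsewhere. The `?HAS_APPIMAGE: ignore private-dev` conditional on line 48 also looks like template residue for a command-line tool that is pinned with `private-bin unf`; drop it or say why it is needed.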
diff --git a/etc/whitelist-usr-share-common.inc b/etc/whitelist-usr-share-common.inc index f1b7bd960..322bdefe9 100644 --- a/etc/whitelist-usr-share-common.inc +++ b/etc/whitelist-usr-share-common.inc | |||
@@ -15,6 +15,7 @@ whitelist /usr/share/enchant | |||
15 | whitelist /usr/share/enchant-2 | 15 | whitelist /usr/share/enchant-2 |
16 | whitelist /usr/share/fontconfig | 16 | whitelist /usr/share/fontconfig |
17 | whitelist /usr/share/fonts | 17 | whitelist /usr/share/fonts |
18 | whitelist /usr/share/gir-1.0 | ||
18 | whitelist /usr/share/gjs-1.0 | 19 | whitelist /usr/share/gjs-1.0 |
19 | whitelist /usr/share/glib-2.0 | 20 | whitelist /usr/share/glib-2.0 |
20 | whitelist /usr/share/glvnd | 21 | whitelist /usr/share/glvnd |
@@ -40,6 +41,7 @@ whitelist /usr/share/p11-kit | |||
40 | whitelist /usr/share/pixmaps | 41 | whitelist /usr/share/pixmaps |
41 | whitelist /usr/share/pki | 42 | whitelist /usr/share/pki |
42 | whitelist /usr/share/plasma | 43 | whitelist /usr/share/plasma |
44 | whitelist /usr/share/publicsuffix | ||
43 | whitelist /usr/share/qt | 45 | whitelist /usr/share/qt |
44 | whitelist /usr/share/qt4 | 46 | whitelist /usr/share/qt4 |
45 | whitelist /usr/share/qt5 | 47 | whitelist /usr/share/qt5 |
diff --git a/etc/wine.profile b/etc/wine.profile index 29e79c3f5..67e3952e1 100644 --- a/etc/wine.profile +++ b/etc/wine.profile | |||
@@ -18,8 +18,9 @@ include disable-interpreters.inc | |||
18 | include disable-passwdmgr.inc | 18 | include disable-passwdmgr.inc |
19 | include disable-programs.inc | 19 | include disable-programs.inc |
20 | 20 | ||
21 | # uncomment next line if seccomp breaks a program | 21 | # some applications don't need allow-debuggers, comment the next line |
22 | # allow-debuggers | 22 | # if it is not necessary (or put 'ignore allow-debuggers' in your wine.local) |
23 | allow-debuggers | ||
23 | caps.drop all | 24 | caps.drop all |
24 | # net none | 25 | # net none |
25 | netfilter | 26 | netfilter |
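Review bot: `allow-debuggers` on new line 23 goes from opt-in to enabled for every program run under this profile, and the replaced comment ("uncomment next line if seccomp breaks a program") shows it was there as a workaround for seccomp breakage, not as a default. Turning it on for all Wine users loosens the sandbox for applications that never needed it. Either keep it commented out and document the wine.local override for the programs that break, or extend the new comment to say which class of applications requires it so users can judge whether to add `ignore allow-debuggers`.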
diff --git a/etc/zcat.profile b/etc/zcat.profile new file mode 100644 index 000000000..12932ea92 --- /dev/null +++ b/etc/zcat.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for zcat | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include zcat.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include gzip.profile | ||
diff --git a/etc/zcmp.profile b/etc/zcmp.profile new file mode 100644 index 000000000..795cdae2a --- /dev/null +++ b/etc/zcmp.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for zcmp | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include zcmp.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include gzip.profile | ||
diff --git a/etc/zdiff.profile b/etc/zdiff.profile new file mode 100644 index 000000000..1e75e38fe --- /dev/null +++ b/etc/zdiff.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for zdiff | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include zdiff.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include gzip.profile | ||
diff --git a/etc/zegrep.profile b/etc/zegrep.profile new file mode 100644 index 000000000..54dc6b2a0 --- /dev/null +++ b/etc/zegrep.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for zegrep | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include zegrep.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include gzip.profile | ||
diff --git a/etc/zfgrep.profile b/etc/zfgrep.profile new file mode 100644 index 000000000..73b22f2e8 --- /dev/null +++ b/etc/zfgrep.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for zfgrep | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include zfgrep.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include gzip.profile | ||
diff --git a/etc/zforce.profile b/etc/zforce.profile new file mode 100644 index 000000000..d62e57065 --- /dev/null +++ b/etc/zforce.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for zforce | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include zforce.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include gzip.profile | ||
diff --git a/etc/zgrep.profile b/etc/zgrep.profile new file mode 100644 index 000000000..b39a58420 --- /dev/null +++ b/etc/zgrep.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for zgrep | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include zgrep.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include gzip.profile | ||
diff --git a/etc/zless.profile b/etc/zless.profile new file mode 100644 index 000000000..0a26cda1f --- /dev/null +++ b/etc/zless.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for zless | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include zless.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include gzip.profile | ||
diff --git a/etc/zmore.profile b/etc/zmore.profile new file mode 100644 index 000000000..3a8f63562 --- /dev/null +++ b/etc/zmore.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for zmore | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include zmore.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include gzip.profile | ||
diff --git a/etc/znew.profile b/etc/znew.profile new file mode 100644 index 000000000..a8593e58e --- /dev/null +++ b/etc/znew.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for znew | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include znew.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include gzip.profile | ||
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index e997598af..e8ec20273 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -57,6 +57,7 @@ atril-previewer | |||
57 | atril-thumbnailer | 57 | atril-thumbnailer |
58 | audacious | 58 | audacious |
59 | audacity | 59 | audacity |
60 | audio-recorder | ||
60 | authenticator | 61 | authenticator |
61 | autokey-gtk | 62 | autokey-gtk |
62 | autokey-qt | 63 | autokey-qt |
@@ -82,6 +83,10 @@ brackets | |||
82 | brasero | 83 | brasero |
83 | brave | 84 | brave |
84 | brave-browser | 85 | brave-browser |
86 | brave-browser-beta | ||
87 | brave-browser-dev | ||
88 | brave-browser-nightly | ||
89 | brave-browser-stable | ||
85 | bunzip2 | 90 | bunzip2 |
86 | bzcat | 91 | bzcat |
87 | bzflag | 92 | bzflag |
@@ -96,6 +101,7 @@ calligraplanwork | |||
96 | calligrasheets | 101 | calligrasheets |
97 | calligrastage | 102 | calligrastage |
98 | calligrawords | 103 | calligrawords |
104 | cameramonitor | ||
99 | cantata | 105 | cantata |
100 | catfish | 106 | catfish |
101 | celluloid | 107 | celluloid |
@@ -132,6 +138,7 @@ cvlc | |||
132 | cyberfox | 138 | cyberfox |
133 | darktable | 139 | darktable |
134 | dconf-editor | 140 | dconf-editor |
141 | ddgtk | ||
135 | deadbeef | 142 | deadbeef |
136 | deluge | 143 | deluge |
137 | devhelp | 144 | devhelp |
@@ -151,10 +158,12 @@ dooble | |||
151 | dooble-qt4 | 158 | dooble-qt4 |
152 | dosbox | 159 | dosbox |
153 | dragon | 160 | dragon |
161 | drawio | ||
154 | dropbox | 162 | dropbox |
155 | d-feet | 163 | d-feet |
156 | easystroke | 164 | easystroke |
157 | ebook-viewer | 165 | ebook-viewer |
166 | electron-mail | ||
158 | electrum | 167 | electrum |
159 | elinks | 168 | elinks |
160 | empathy | 169 | empathy |
@@ -167,6 +176,7 @@ enox | |||
167 | enpass | 176 | enpass |
168 | eog | 177 | eog |
169 | eom | 178 | eom |
179 | ephemeral | ||
170 | #epiphany | 180 | #epiphany |
171 | etr | 181 | etr |
172 | evince | 182 | evince |
@@ -222,16 +232,20 @@ geary | |||
222 | gedit | 232 | gedit |
223 | geekbench | 233 | geekbench |
224 | geeqie | 234 | geeqie |
235 | gfeeds | ||
225 | ghb | 236 | ghb |
226 | ghostwriter | 237 | ghostwriter |
227 | gimp | 238 | gimp |
228 | gimp-2.10 | 239 | gimp-2.10 |
229 | gimp-2.8 | 240 | gimp-2.8 |
241 | gist | ||
242 | gist-paste | ||
230 | gitg | 243 | gitg |
231 | github-desktop | 244 | github-desktop |
232 | gitter | 245 | gitter |
233 | gjs | 246 | gjs |
234 | globaltime | 247 | globaltime |
248 | gmpc | ||
235 | gnome-2048 | 249 | gnome-2048 |
236 | gnome-books | 250 | gnome-books |
237 | gnome-builder | 251 | gnome-builder |
@@ -445,9 +459,12 @@ odt2txt | |||
445 | oggsplt | 459 | oggsplt |
446 | okular | 460 | okular |
447 | onionshare-gui | 461 | onionshare-gui |
462 | ooffice | ||
463 | ooviewdoc | ||
448 | open-invaders | 464 | open-invaders |
449 | openarena | 465 | openarena |
450 | opencity | 466 | opencity |
467 | openoffice.org | ||
451 | openshot | 468 | openshot |
452 | openshot-qt | 469 | openshot-qt |
453 | openttd | 470 | openttd |
@@ -482,6 +499,7 @@ pngquant | |||
482 | polari | 499 | polari |
483 | ppsspp | 500 | ppsspp |
484 | pragha | 501 | pragha |
502 | profanity | ||
485 | psi-plus | 503 | psi-plus |
486 | pybitmessage | 504 | pybitmessage |
487 | # pycharm-community - FB note: may enable later | 505 | # pycharm-community - FB note: may enable later |
@@ -627,6 +645,7 @@ udiskie | |||
627 | uefitool | 645 | uefitool |
628 | uget-gtk | 646 | uget-gtk |
629 | unbound | 647 | unbound |
648 | unf | ||
630 | unknown-horizons | 649 | unknown-horizons |
631 | unzstd | 650 | unzstd |
632 | utox | 651 | utox |
diff --git a/src/firecfg/main.c b/src/firecfg/main.c index 3f5921322..9a2efebd2 100644 --- a/src/firecfg/main.c +++ b/src/firecfg/main.c | |||
@@ -443,15 +443,33 @@ int main(int argc, char **argv) { | |||
443 | // set new symlinks based on /usr/lib/firejail/firecfg.cfg | 443 | // set new symlinks based on /usr/lib/firejail/firecfg.cfg |
444 | set_links_firecfg(); | 444 | set_links_firecfg(); |
445 | 445 | ||
446 | // add user to firejail access database - only for root | ||
447 | if (getuid() == 0) { | 446 | if (getuid() == 0) { |
447 | // add user to firejail access database - only for root | ||
448 | printf("\nAdding user %s to Firejail access database in %s/firejail.users\n", user, SYSCONFDIR); | 448 | printf("\nAdding user %s to Firejail access database in %s/firejail.users\n", user, SYSCONFDIR); |
449 | // temporarily set the umask, access database must be world-readable | 449 | // temporarily set the umask, access database must be world-readable |
450 | mode_t orig_umask = umask(022); | 450 | mode_t orig_umask = umask(022); |
451 | firejail_user_add(user); | 451 | firejail_user_add(user); |
452 | umask(orig_umask); | 452 | umask(orig_umask); |
453 | |||
454 | #ifdef HAVE_APPARMOR | ||
455 | // enable firejail apparmor profile | ||
456 | struct stat s; | ||
457 | if (stat("/sbin/apparmor_parser", &s) == 0) { | ||
458 | char *cmd; | ||
459 | |||
460 | // SYSCONFDIR points to /etc/firejail, we have to go on level up (..) | ||
461 | printf("\nLoading AppArmor profile\n"); | ||
462 | if (asprintf(&cmd, "/sbin/apparmor_parser -r /etc/apparmor.d/firejail-default %s/../apparmor.d/firejail-default", SYSCONFDIR) == -1) | ||
463 | errExit("asprintf"); | ||
464 | int rv = system(cmd); | ||
465 | (void) rv; | ||
466 | free(cmd); | ||
467 | } | ||
468 | #endif | ||
453 | } | 469 | } |
454 | 470 | ||
471 | |||
472 | |||
455 | // set new symlinks based on ~/.config/firejail directory | 473 | // set new symlinks based on ~/.config/firejail directory |
456 | set_links_homedir(home); | 474 | set_links_homedir(home); |
457 | 475 | ||
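Review bot: the command built on new line 462 passes two profile paths to apparmor_parser, the hardcoded `/etc/apparmor.d/firejail-default` and `%s/../apparmor.d/firejail-default`. With SYSCONFDIR at /etc/firejail, as the comment on line 460 states, both name the same file and it is loaded twice; with any other SYSCONFDIR the first path may not exist. Pick one of the two. The return value of system() is thrown away with `(void) rv`, so a failed load is silent right after "Loading AppArmor profile" was printed; check it and print a warning. Since this runs as root, calling the parser through fork/execv with an argument array would avoid going through a shell. The comment should read "one level up", and the two blank lines added at new 471-472 can go.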
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index e886e81da..520960db2 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c | |||
@@ -113,12 +113,12 @@ void appimage_set(const char *appimage) { | |||
113 | EUID_ROOT(); | 113 | EUID_ROOT(); |
114 | if (size == 0) { | 114 | if (size == 0) { |
115 | fmessage("Mounting appimage type 1\n"); | 115 | fmessage("Mounting appimage type 1\n"); |
116 | if (mount(devloop, mntdir, "iso9660", flags, mode) < 0) | 116 | if (mount(devloop, mntdir, "iso9660", flags, mode) < 0) |
117 | errExit("mounting appimage"); | 117 | errExit("mounting appimage"); |
118 | } | 118 | } |
119 | else { | 119 | else { |
120 | fmessage("Mounting appimage type 2\n"); | 120 | fmessage("Mounting appimage type 2\n"); |
121 | if (mount(devloop, mntdir, "squashfs", flags, mode) < 0) | 121 | if (mount(devloop, mntdir, "squashfs", flags, NULL) < 0) |
122 | errExit("mounting appimage"); | 122 | errExit("mounting appimage"); |
123 | } | 123 | } |
124 | 124 | ||
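Review bot: the squashfs mount on new line 121 now passes NULL as the data argument while the iso9660 mount on line 116 still passes `mode`, and the hunk gives no reason for the difference. Add a one-line comment above the squashfs mount explaining why the option string is dropped for type 2 images, so the asymmetry is not "fixed" back later. The change to line 116 appears to be whitespace only and would be better left out of this commit.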
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 1f0ccac1a..316057ec5 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -535,6 +535,14 @@ void fs_remount(const char *dir, OPERATION op, unsigned check_mnt) { | |||
535 | 535 | ||
536 | void fs_remount_rec(const char *dir, OPERATION op, unsigned check_mnt) { | 536 | void fs_remount_rec(const char *dir, OPERATION op, unsigned check_mnt) { |
537 | assert(dir); | 537 | assert(dir); |
538 | struct stat s; | ||
539 | if (stat(dir, &s) != 0) | ||
540 | return; | ||
541 | if (!S_ISDIR(s.st_mode)) { | ||
542 | // no need to search in /proc/self/mountinfo for submounts if not a directory | ||
543 | fs_remount(dir, op, check_mnt); | ||
544 | return; | ||
545 | } | ||
538 | // get mount point of the directory | 546 | // get mount point of the directory |
539 | int mountid = get_mount_id(dir); | 547 | int mountid = get_mount_id(dir); |
540 | if (mountid == -1) | 548 | if (mountid == -1) |
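Review bot: the early return on new lines 539-540 drops the remount request without any trace when stat() on `dir` fails, so a read-only or noexec remount that was asked for can be skipped silently. Print a message under `arg_debug` (or log through fs_logger) before returning. Note also that stat() follows symlinks, so the S_ISDIR test on line 541 is applied to the link target; if that is intended, say so in the comment.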
@@ -634,7 +642,8 @@ void fs_proc_sys_dev_boot(void) { | |||
634 | // various /proc files | 642 | // various /proc files |
635 | disable_file(BLACKLIST_FILE, "/proc/irq"); | 643 | disable_file(BLACKLIST_FILE, "/proc/irq"); |
636 | disable_file(BLACKLIST_FILE, "/proc/bus"); | 644 | disable_file(BLACKLIST_FILE, "/proc/bus"); |
637 | disable_file(BLACKLIST_FILE, "/proc/config.gz"); | 645 | // move /proc/config.gz to disable-common.inc |
646 | //disable_file(BLACKLIST_FILE, "/proc/config.gz"); | ||
638 | disable_file(BLACKLIST_FILE, "/proc/sched_debug"); | 647 | disable_file(BLACKLIST_FILE, "/proc/sched_debug"); |
639 | disable_file(BLACKLIST_FILE, "/proc/timer_list"); | 648 | disable_file(BLACKLIST_FILE, "/proc/timer_list"); |
640 | disable_file(BLACKLIST_FILE, "/proc/timer_stats"); | 649 | disable_file(BLACKLIST_FILE, "/proc/timer_stats"); |
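Review bot: with the call on old line 637 commented out, /proc/config.gz is no longer blacklisted by fs_proc_sys_dev_boot() itself and is only hidden when a profile includes disable-common.inc, so sandboxes started without that include now expose the kernel configuration. Confirm that is acceptable, or keep the hard-coded blacklist and add the profile entry on top of it. If the move stays, delete the line instead of leaving it commented out, and the comment on new line 645 should read "moved to disable-common.inc".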
@@ -1139,6 +1148,9 @@ void fs_overlayfs(void) { | |||
1139 | 1148 | ||
1140 | // this function is called from sandbox.c before blacklist/whitelist functions | 1149 | // this function is called from sandbox.c before blacklist/whitelist functions |
1141 | void fs_private_tmp(void) { | 1150 | void fs_private_tmp(void) { |
1151 | if (arg_debug) | ||
1152 | printf("Generate private-tmp whitelist commands\n"); | ||
1153 | |||
1142 | // check XAUTHORITY file, KDE keeps it under /tmp | 1154 | // check XAUTHORITY file, KDE keeps it under /tmp |
1143 | char *xauth = getenv("XAUTHORITY"); | 1155 | char *xauth = getenv("XAUTHORITY"); |
1144 | if (xauth) { | 1156 | if (xauth) { |
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index eb03eb35f..082f8b4a0 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c | |||
@@ -189,5 +189,10 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c | |||
189 | errExit("mount bind"); | 189 | errExit("mount bind"); |
190 | fs_logger2("mount", private_dir); | 190 | fs_logger2("mount", private_dir); |
191 | 191 | ||
192 | // mask private_run_dir (who knows if there are writable paths, and it is mounted exec) | ||
193 | if (mount("tmpfs", private_run_dir, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) | ||
194 | errExit("mounting tmpfs"); | ||
195 | fs_logger2("tmpfs", private_run_dir); | ||
196 | |||
192 | fmessage("Private %s installed in %0.2f ms\n", private_dir, timetrace_end()); | 197 | fmessage("Private %s installed in %0.2f ms\n", private_dir, timetrace_end()); |
193 | } | 198 | } |
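Review bot: the comment on new line 192 gives "writable paths" and "mounted exec" as the reasons for masking private_run_dir, but the tmpfs mounted on line 193 uses only `MS_NOSUID | MS_NODEV | MS_STRICTATIME`, so the mask is itself executable and writable by its owner. Add MS_NOEXEC, and MS_RDONLY if nothing needs to write there afterwards, so the replacement mount does not carry the properties the comment objects to.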
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index d09f92697..cfa0af078 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -315,7 +315,7 @@ void fs_private_homedir(void) { | |||
315 | errExit("mounting /root directory"); | 315 | errExit("mounting /root directory"); |
316 | fs_logger("tmpfs /root"); | 316 | fs_logger("tmpfs /root"); |
317 | } | 317 | } |
318 | if (u == 0 || strncmp(homedir, "/home/", 6) != 0) { | 318 | if (u == 0 && !arg_allusers) { |
319 | // mask /home | 319 | // mask /home |
320 | if (arg_debug) | 320 | if (arg_debug) |
321 | printf("Mounting a new /home directory\n"); | 321 | printf("Mounting a new /home directory\n"); |
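Review bot: the new condition on line 318, `u == 0 && !arg_allusers`, is narrower than the old one in a way the hunk does not explain. Previously /home was masked for root or for any user whose home directory is outside /home/; now a non-root user with a home elsewhere keeps the real /home visible inside a private-home sandbox. If that is intended, add a comment stating the new rule; if only the --allusers exception was meant to be added, keep the strncmp() test and add `&& !arg_allusers` to it.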
@@ -606,7 +606,7 @@ void fs_private_home_list(void) { | |||
606 | errExit("mounting /root directory"); | 606 | errExit("mounting /root directory"); |
607 | fs_logger("tmpfs /root"); | 607 | fs_logger("tmpfs /root"); |
608 | } | 608 | } |
609 | if (uid == 0 || strncmp(homedir, "/home/", 6) != 0) { | 609 | if (uid == 0 && !arg_allusers) { |
610 | // mask /home | 610 | // mask /home |
611 | if (arg_debug) | 611 | if (arg_debug) |
612 | printf("Mounting a new /home directory\n"); | 612 | printf("Mounting a new /home directory\n"); |
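Review bot: line 609 repeats the condition changed in fs_private_homedir(), here with `uid` instead of `u`. Two hand-maintained copies of a security-relevant test are easy to let drift apart; move the "should /home be masked" decision into one small static helper and call it from both functions.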
diff --git a/src/firejail/main.c b/src/firejail/main.c index 1786cfac2..179f8ddf9 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -55,7 +55,9 @@ uid_t firejail_uid = 0; | |||
55 | gid_t firejail_gid = 0; | 55 | gid_t firejail_gid = 0; |
56 | 56 | ||
57 | #define STACK_SIZE (1024 * 1024) | 57 | #define STACK_SIZE (1024 * 1024) |
58 | static char child_stack[STACK_SIZE] __attribute__((aligned(8))); // space for child's stack | 58 | #define STACK_ALIGNMENT 16 |
59 | static char child_stack[STACK_SIZE] __attribute__((aligned(STACK_ALIGNMENT))); // space for child's stack | ||
60 | |||
59 | Config cfg; // configuration | 61 | Config cfg; // configuration |
60 | int arg_private = 0; // mount private /home and /tmp directoryu | 62 | int arg_private = 0; // mount private /home and /tmp directoryu |
61 | int arg_private_cache = 0; // mount private home/.cache | 63 | int arg_private_cache = 0; // mount private home/.cache |
@@ -143,6 +145,14 @@ int arg_nou2f = 0; // --nou2f | |||
143 | int arg_deterministic_exit_code = 0; // always exit with first child's exit status | 145 | int arg_deterministic_exit_code = 0; // always exit with first child's exit status |
144 | int login_shell = 0; | 146 | int login_shell = 0; |
145 | 147 | ||
148 | //********************************************************************************** | ||
149 | // work in progress!!! | ||
150 | //********************************************************************************** | ||
151 | //#define POSTMORTEM | ||
152 | #ifdef POSTMORTEM | ||
153 | #include <grp.h> | ||
154 | pid_t pm_child = 0; | ||
155 | #endif | ||
146 | 156 | ||
147 | int parent_to_child_fds[2]; | 157 | int parent_to_child_fds[2]; |
148 | int child_to_parent_fds[2]; | 158 | int child_to_parent_fds[2]; |
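Review bot: new lines 148-155 add code marked "work in progress!!!" behind a commented-out `#define POSTMORTEM`, with `#include <grp.h>` placed in the middle of the file after the global definitions. Unfinished code that forks a root helper is better kept on a branch than in main.c; if it must land, move the include to the top of the file with the others and describe in the comment what POSTMORTEM is meant to do.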
@@ -176,6 +186,20 @@ static void myexit(int rv) { | |||
176 | static void my_handler(int s) { | 186 | static void my_handler(int s) { |
177 | fmessage("\nParent received signal %d, shutting down the child process...\n", s); | 187 | fmessage("\nParent received signal %d, shutting down the child process...\n", s); |
178 | logsignal(s); | 188 | logsignal(s); |
189 | |||
190 | #ifdef POSTMORTEM | ||
191 | printf("attempt to kill %d\n", pm_child); | ||
192 | if (pm_child) { | ||
193 | if (waitpid(pm_child, NULL, WNOHANG) == 0) { | ||
194 | if (has_handler(pm_child, s)) // signals are not delivered if there is no handler yet | ||
195 | kill(pm_child, s); | ||
196 | else | ||
197 | kill(pm_child, SIGKILL); | ||
198 | waitpid(pm_child, NULL, 0); | ||
199 | } | ||
200 | } | ||
201 | #endif | ||
202 | |||
179 | if (waitpid(child, NULL, WNOHANG) == 0) { | 203 | if (waitpid(child, NULL, WNOHANG) == 0) { |
180 | if (has_handler(child, s)) // signals are not delivered if there is no handler yet | 204 | if (has_handler(child, s)) // signals are not delivered if there is no handler yet |
181 | kill(child, s); | 205 | kill(child, s); |
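Review bot: the printf on new line 191 sits before the `if (pm_child)` test, so the handler prints "attempt to kill 0" whenever no postmortem process exists; move it inside the block and use fmessage like the line above. The test itself should be `pm_child > 0`, since a failed fork() leaves -1 in the variable. Lines 193-199 are a copy of the child shutdown logic that follows at 203 onward; a small helper taking a pid would remove the duplication.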
@@ -2726,6 +2750,44 @@ int main(int argc, char **argv) { | |||
2726 | } | 2750 | } |
2727 | EUID_USER(); | 2751 | EUID_USER(); |
2728 | 2752 | ||
2753 | |||
2754 | #ifdef POSTMORTEM | ||
2755 | pm_child = fork(); | ||
2756 | if (pm_child == -1) | ||
2757 | fprintf(stderr, "Error: cannot start POSTMORTEM process\n"); | ||
2758 | else if (pm_child == 0) { | ||
2759 | // running --join as root | ||
2760 | EUID_ROOT(); | ||
2761 | int rv = setgroups(0, NULL); | ||
2762 | rv |= setuid(0); | ||
2763 | rv |= setgid(0); | ||
2764 | if (rv) { | ||
2765 | fprintf(stderr, "Error: cannot start POSTMORTEM process\n"); | ||
2766 | exit(1); | ||
2767 | } | ||
2768 | |||
2769 | prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); | ||
2770 | /*problem???*/ sleep(1); // we need to give the sandbox some time to start the namespaces | ||
2771 | char *joincmd; | ||
2772 | if (asprintf(&joincmd, "--join-network=%d", child) == -1) | ||
2773 | errExit("asprintf"); | ||
2774 | |||
2775 | // we join only the network ns, the filesystem is intact so we can find tcpdump | ||
2776 | char *arg[] = { | ||
2777 | "/usr/bin/firejail", | ||
2778 | joincmd, | ||
2779 | "/usr/sbin/tcpdump", | ||
2780 | "-n", | ||
2781 | "-q", | ||
2782 | NULL | ||
2783 | }; | ||
2784 | execvp(arg[0], arg); | ||
2785 | assert(0); | ||
2786 | printf("**********************************\n"); | ||
2787 | exit(1); | ||
2788 | } | ||
2789 | #endif | ||
2790 | |||
2729 | int status = 0; | 2791 | int status = 0; |
2730 | //***************************** | 2792 | //***************************** |
2731 | // following code is signal-safe | 2793 | // following code is signal-safe |
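Review bot: when fork() fails on new line 2755, the code prints an error and carries on with `pm_child == -1`, and my_handler() tests only `if (pm_child)`; it would then call waitpid(-1, ...) and kill(-1, ...), which address every process the caller may signal rather than one child. Reset pm_child to 0 on failure. In the child branch, the `sleep(1)` on line 2770 (already flagged with `/*problem???*/`) is a race with namespace setup and should be replaced by synchronisation on the existing parent/child pipes; `assert(0)` after execvp() on line 2785 disappears under NDEBUG, so use errExit("execvp") instead of the assert and the row of asterisks. The helper runs tcpdump as root from hardcoded /usr/bin/firejail and /usr/sbin/tcpdump paths, which deserves a comment on why root is required and a check that both binaries exist.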
diff --git a/src/firejail/util.c b/src/firejail/util.c index 2a4353d8d..18d121ca9 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -1111,10 +1111,10 @@ unsigned extract_timeout(const char *str) { | |||
1111 | } | 1111 | } |
1112 | 1112 | ||
1113 | void disable_file_or_dir(const char *fname) { | 1113 | void disable_file_or_dir(const char *fname) { |
1114 | if (arg_debug) | ||
1115 | printf("blacklist %s\n", fname); | ||
1116 | struct stat s; | 1114 | struct stat s; |
1117 | if (stat(fname, &s) != -1) { | 1115 | if (stat(fname, &s) != -1) { |
1116 | if (arg_debug) | ||
1117 | printf("blacklist %s\n", fname); | ||
1118 | if (is_dir(fname)) { | 1118 | if (is_dir(fname)) { |
1119 | if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0) | 1119 | if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0) |
1120 | errExit("disable directory"); | 1120 | errExit("disable directory"); |
@@ -1123,8 +1123,8 @@ void disable_file_or_dir(const char *fname) { | |||
1123 | if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0) | 1123 | if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0) |
1124 | errExit("disable file"); | 1124 | errExit("disable file"); |
1125 | } | 1125 | } |
1126 | fs_logger2("blacklist", fname); | ||
1126 | } | 1127 | } |
1127 | fs_logger2("blacklist", fname); | ||
1128 | } | 1128 | } |
1129 | 1129 | ||
1130 | void disable_file_path(const char *path, const char *file) { | 1130 | void disable_file_path(const char *path, const char *file) { |
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 944c24bc7..b390ad38e 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
@@ -1248,10 +1248,10 @@ void x11_xorg(void) { | |||
1248 | disable_file_or_dir(rp); | 1248 | disable_file_or_dir(rp); |
1249 | free(rp); | 1249 | free(rp); |
1250 | } | 1250 | } |
1251 | // update environment variable, so our new .Xauthority file is used | ||
1252 | if (setenv("XAUTHORITY", dest, 1) < 0) | ||
1253 | errExit("setenv"); | ||
1254 | } | 1251 | } |
1252 | // set environment variable | ||
1253 | if (setenv("XAUTHORITY", dest, 1) < 0) | ||
1254 | errExit("setenv"); | ||
1255 | free(dest); | 1255 | free(dest); |
1256 | #endif | 1256 | #endif |
1257 | } | 1257 | } |
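Review bot: moving setenv("XAUTHORITY", dest, 1) out of the block (new lines 1252-1254) means the variable is now set on every path through this code, not only the one that ran inside the closed block, and the shortened comment "set environment variable" no longer says why. Confirm that `dest` refers to a usable file on the path that skips the block, and restore the reason in the comment (the old text, "so our new .Xauthority file is used", was more useful).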
diff --git a/src/lib/common.c b/src/lib/common.c index 1678a4092..3a7f910e1 100644 --- a/src/lib/common.c +++ b/src/lib/common.c | |||
@@ -53,7 +53,7 @@ int join_namespace(pid_t pid, char *type) { | |||
53 | 53 | ||
54 | errout: | 54 | errout: |
55 | free(path); | 55 | free(path); |
56 | fprintf(stderr, "Error: cannot join namespace %s\\n", type); | 56 | fprintf(stderr, "Error: cannot join namespace %s\n", type); |
57 | return -1; | 57 | return -1; |
58 | 58 | ||
59 | } | 59 | } |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index cabc4f619..47f5ecbdf 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -2768,6 +2768,15 @@ Sandbox running time in hours:minutes:seconds format. | |||
2768 | USER | 2768 | USER |
2769 | The owner of the sandbox. | 2769 | The owner of the sandbox. |
2770 | 2770 | ||
2771 | .SH RESTRICTED SHELL | ||
2772 | To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in | ||
2773 | /etc/passwd file for each user that needs to be restricted. Alternatively, | ||
2774 | you can specify /usr/bin/firejail in adduser command: | ||
2775 | |||
2776 | adduser \-\-shell /usr/bin/firejail username | ||
2777 | |||
2778 | Additional arguments passed to firejail executable upon login are declared in /etc/firejail/login.users file. | ||
2779 | |||
2771 | .SH SECURITY PROFILES | 2780 | .SH SECURITY PROFILES |
2772 | Several command line options can be passed to the program using | 2781 | Several command line options can be passed to the program using |
2773 | profile files. Firejail chooses the profile file as follows: | 2782 | profile files. Firejail chooses the profile file as follows: |
@@ -2836,15 +2845,6 @@ Child process initialized | |||
2836 | 2845 | ||
2837 | See \fBman 5 firejail-profile\fR for profile file syntax information. | 2846 | See \fBman 5 firejail-profile\fR for profile file syntax information. |
2838 | 2847 | ||
2839 | .SH RESTRICTED SHELL | ||
2840 | To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in | ||
2841 | /etc/passwd file for each user that needs to be restricted. Alternatively, | ||
2842 | you can specify /usr/bin/firejail in adduser command: | ||
2843 | |||
2844 | adduser \-\-shell /usr/bin/firejail username | ||
2845 | |||
2846 | Additional arguments passed to firejail executable upon login are declared in /etc/firejail/login.users file. | ||
2847 | |||
2848 | .SH TRAFFIC SHAPING | 2848 | .SH TRAFFIC SHAPING |
2849 | Network bandwidth is an expensive resource shared among all sandboxes running on a system. | 2849 | Network bandwidth is an expensive resource shared among all sandboxes running on a system. |
2850 | Traffic shaping allows the user to increase network performance by controlling | 2850 | Traffic shaping allows the user to increase network performance by controlling |
diff --git a/video.png b/video.png deleted file mode 100644 index bbebaa040..000000000 --- a/video.png +++ /dev/null | |||
Binary files differ | |||