diff options
| -rw-r--r-- | etc/chromium-common.profile | 2 | ||||
| -rw-r--r-- | etc/firefox-common.profile | 2 | ||||
| -rw-r--r-- | etc/firejail.config | 9 | ||||
| -rw-r--r-- | etc/midori.profile | 2 | ||||
| -rw-r--r-- | etc/min.profile | 2 | ||||
| -rw-r--r-- | src/firejail/checkcfg.c | 1 | ||||
| -rw-r--r-- | src/firejail/firejail.h | 1 | ||||
| -rw-r--r-- | src/firejail/profile.c | 5 | ||||
| -rw-r--r-- | src/man/firejail-profile.txt | 2 |
9 files changed, 18 insertions, 8 deletions
diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile index 3c7423316..63983d93b 100644 --- a/etc/chromium-common.profile +++ b/etc/chromium-common.profile | |||
| @@ -7,7 +7,7 @@ include chromium-common.local | |||
| 7 | #include globals.local | 7 | #include globals.local |
| 8 | 8 | ||
| 9 | # noexec ${HOME} breaks DRM binaries. | 9 | # noexec ${HOME} breaks DRM binaries. |
| 10 | ignore noexec ${HOME} | 10 | ?BROWSER_ALLOW_DRM: ignore noexec ${HOME} |
| 11 | 11 | ||
| 12 | noblacklist ${HOME}/.pki | 12 | noblacklist ${HOME}/.pki |
| 13 | noblacklist ${HOME}/.local/share/pki | 13 | noblacklist ${HOME}/.local/share/pki |
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile index a2a34f33f..080d9e81a 100644 --- a/etc/firefox-common.profile +++ b/etc/firefox-common.profile | |||
| @@ -7,7 +7,7 @@ include firefox-common.local | |||
| 7 | #include globals.local | 7 | #include globals.local |
| 8 | 8 | ||
| 9 | # noexec ${HOME} breaks DRM binaries. | 9 | # noexec ${HOME} breaks DRM binaries. |
| 10 | ignore noexec ${HOME} | 10 | ?BROWSER_ALLOW_DRM: ignore noexec ${HOME} |
| 11 | 11 | ||
| 12 | # Uncomment the following line to allow access to common programs/addons/plugins. | 12 | # Uncomment the following line to allow access to common programs/addons/plugins. |
| 13 | #include firefox-common-addons.inc | 13 | #include firefox-common-addons.inc |
diff --git a/etc/firejail.config b/etc/firejail.config index b37edf7a5..497d9633e 100644 --- a/etc/firejail.config +++ b/etc/firejail.config | |||
| @@ -5,9 +5,6 @@ | |||
| 5 | # Enable AppArmor functionality, default enabled. | 5 | # Enable AppArmor functionality, default enabled. |
| 6 | # apparmor yes | 6 | # apparmor yes |
| 7 | 7 | ||
| 8 | # Disable U2F in browsers, default enabled. | ||
| 9 | # browser-disable-u2f yes | ||
| 10 | |||
| 11 | # Number of ARP probes sent when assigning an IP address for --net option, | 8 | # Number of ARP probes sent when assigning an IP address for --net option, |
| 12 | # default 2. This is a partial implementation of RFC 5227. A 0.5 seconds | 9 | # default 2. This is a partial implementation of RFC 5227. A 0.5 seconds |
| 13 | # timeout is implemented for each probe. Increase this number to 4 if your | 10 | # timeout is implemented for each probe. Increase this number to 4 if your |
| @@ -18,6 +15,12 @@ | |||
| 18 | # Enable or disable bind support, default enabled. | 15 | # Enable or disable bind support, default enabled. |
| 19 | # bind yes | 16 | # bind yes |
| 20 | 17 | ||
| 18 | # Allow (DRM) execution in browsers, default disabled. | ||
| 19 | # browser-allow-drm no | ||
| 20 | |||
| 21 | # Disable U2F in browsers, default enabled. | ||
| 22 | # browser-disable-u2f yes | ||
| 23 | |||
| 21 | # Enable or disable cgroup support, default enabled. | 24 | # Enable or disable cgroup support, default enabled. |
| 22 | # cgroup yes | 25 | # cgroup yes |
| 23 | 26 | ||
diff --git a/etc/midori.profile b/etc/midori.profile index d59a6a16b..e4d39cd70 100644 --- a/etc/midori.profile +++ b/etc/midori.profile | |||
| @@ -14,7 +14,7 @@ noblacklist ${HOME}/.pki | |||
| 14 | noblacklist ${HOME}/.local/share/pki | 14 | noblacklist ${HOME}/.local/share/pki |
| 15 | 15 | ||
| 16 | # noexec ${HOME} breaks DRM binaries. | 16 | # noexec ${HOME} breaks DRM binaries. |
| 17 | ignore noexec ${HOME} | 17 | ?BROWSER_ALLOW_DRM: ignore noexec ${HOME} |
| 18 | 18 | ||
| 19 | include disable-common.inc | 19 | include disable-common.inc |
| 20 | include disable-devel.inc | 20 | include disable-devel.inc |
diff --git a/etc/min.profile b/etc/min.profile index eec81677d..c89df0a95 100644 --- a/etc/min.profile +++ b/etc/min.profile | |||
| @@ -12,7 +12,7 @@ noblacklist ${HOME}/.pki | |||
| 12 | noblacklist ${HOME}/.local/share/pki | 12 | noblacklist ${HOME}/.local/share/pki |
| 13 | 13 | ||
| 14 | # noexec ${HOME} breaks DRM binaries. | 14 | # noexec ${HOME} breaks DRM binaries. |
| 15 | ignore noexec ${HOME} | 15 | ?BROWSER_ALLOW_DRM: ignore noexec ${HOME} |
| 16 | 16 | ||
| 17 | include disable-common.inc | 17 | include disable-common.inc |
| 18 | include disable-devel.inc | 18 | include disable-devel.inc |
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 54f6ea023..7ca72bf30 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
| @@ -111,6 +111,7 @@ int checkcfg(int val) { | |||
| 111 | PARSE_YESNO(CFG_DISABLE_MNT, "disable-mnt") | 111 | PARSE_YESNO(CFG_DISABLE_MNT, "disable-mnt") |
| 112 | PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach") | 112 | PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach") |
| 113 | PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f") | 113 | PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f") |
| 114 | PARSE_YESNO(CFG_BROWSER_ALLOW_DRM, "browser-allow-drm") | ||
| 114 | #undef PARSE_YESNO | 115 | #undef PARSE_YESNO |
| 115 | 116 | ||
| 116 | // netfilter | 117 | // netfilter |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index b2c18d79f..2e04084e3 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -702,6 +702,7 @@ enum { | |||
| 702 | CFG_ARP_PROBES, | 702 | CFG_ARP_PROBES, |
| 703 | CFG_XPRA_ATTACH, | 703 | CFG_XPRA_ATTACH, |
| 704 | CFG_BROWSER_DISABLE_U2F, | 704 | CFG_BROWSER_DISABLE_U2F, |
| 705 | CFG_BROWSER_ALLOW_DRM, | ||
| 705 | CFG_PRIVATE_LIB, | 706 | CFG_PRIVATE_LIB, |
| 706 | CFG_APPARMOR, | 707 | CFG_APPARMOR, |
| 707 | CFG_DBUS, | 708 | CFG_DBUS, |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 667b03652..c8619f7e2 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
| @@ -151,10 +151,15 @@ static int check_disable_u2f(void) { | |||
| 151 | return checkcfg(CFG_BROWSER_DISABLE_U2F) != 0; | 151 | return checkcfg(CFG_BROWSER_DISABLE_U2F) != 0; |
| 152 | } | 152 | } |
| 153 | 153 | ||
| 154 | static int check_allow_drm(void) { | ||
| 155 | return checkcfg(CFG_BROWSER_ALLOW_DRM) != 0; | ||
| 156 | } | ||
| 157 | |||
| 154 | Cond conditionals[] = { | 158 | Cond conditionals[] = { |
| 155 | {"HAS_APPIMAGE", check_appimage}, | 159 | {"HAS_APPIMAGE", check_appimage}, |
| 156 | {"HAS_NODBUS", check_nodbus}, | 160 | {"HAS_NODBUS", check_nodbus}, |
| 157 | {"BROWSER_DISABLE_U2F", check_disable_u2f}, | 161 | {"BROWSER_DISABLE_U2F", check_disable_u2f}, |
| 162 | {"BROWSER_ALLOW_DRM", check_allow_drm}, | ||
| 158 | { NULL, NULL } | 163 | { NULL, NULL } |
| 159 | }; | 164 | }; |
| 160 | 165 | ||
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index dde815d05..20b547355 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
| @@ -94,7 +94,7 @@ Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir" | |||
| 94 | 94 | ||
| 95 | This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line. | 95 | This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line. |
| 96 | 96 | ||
| 97 | Currently the only conditionals supported are HAS_APPIMAGE, HAS_NODBUS and BROWSER_DISABLE_U2F. | 97 | Currently the only conditionals supported are HAS_APPIMAGE, HAS_NODBUS, BROWSER_DISABLE_U2F, and BROWSER_ALLOW_DRM. |
| 98 | 98 | ||
| 99 | The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines. | 99 | The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines. |
| 100 | 100 | ||