83 files changed, 229 insertions, 39 deletions
@@ -54,6 +54,9 @@ Committers | |||
54 | 54 | ||
55 | Firejail Authors (alphabetical order) | 55 | Firejail Authors (alphabetical order) |
56 | 56 | ||
57 | 0x7969 (https://github.com/0x7969) | ||
58 | - fix wire-desktop.profile | ||
59 | - add ferdi.profile | ||
57 | 7twin (https://github.com/7twin_) | 60 | 7twin (https://github.com/7twin_) |
58 | - fix typos | 61 | - fix typos |
59 | - fix flameshot raw screenshots | 62 | - fix flameshot raw screenshots |
@@ -90,6 +93,8 @@ Alexander Gerasiov (https://github.com/gerasiov) | |||
90 | - profile updates | 93 | - profile updates |
91 | Alexander Stein (https://github.com/ajstein) | 94 | Alexander Stein (https://github.com/ajstein) |
92 | - added profile for qutebrowser | 95 | - added profile for qutebrowser |
96 | Amin Vakil (https://github.com/aminvakil) | ||
97 | - whois profile fix | ||
93 | Andreas Hunkeler (https://github.com/Karneades) | 98 | Andreas Hunkeler (https://github.com/Karneades) |
94 | - Add profile for offical Linux Teams application | 99 | - Add profile for offical Linux Teams application |
95 | Andrey Alekseenko (https://github.com/al42and) | 100 | Andrey Alekseenko (https://github.com/al42and) |
@@ -107,6 +112,8 @@ Antonio Russo (https://github.com/aerusso) | |||
107 | - wusc fixes | 112 | - wusc fixes |
108 | aoand (https://github.com/aoand) | 113 | aoand (https://github.com/aoand) |
109 | - seccomp fix: allow numeric syscalls | 114 | - seccomp fix: allow numeric syscalls |
115 | Atrate (https://github.com/Atrate) | ||
116 | - BetterDiscord support | ||
110 | Austin Morton (https://github.com/apmorton) | 117 | Austin Morton (https://github.com/apmorton) |
111 | - deterministic-exit-code option | 118 | - deterministic-exit-code option |
112 | - private-cwd options | 119 | - private-cwd options |
@@ -160,6 +167,8 @@ BytesTuner (https://github.com/BytesTuner) | |||
160 | - provided keepassxc profile | 167 | - provided keepassxc profile |
161 | caoliver (https://github.com/caoliver) | 168 | caoliver (https://github.com/caoliver) |
162 | - network system fixes | 169 | - network system fixes |
170 | Carlo Abelli (https://github.com/carloabelli) | ||
171 | - fixed udiskie profile | ||
163 | Cat (https://github.com/ecat3) | 172 | Cat (https://github.com/ecat3) |
164 | - prevent tmux connecting to an existing session | 173 | - prevent tmux connecting to an existing session |
165 | creideiki (https://github.com/creideiki) | 174 | creideiki (https://github.com/creideiki) |
@@ -200,6 +209,7 @@ curiosity-seeker (https://github.com/curiosity-seeker) | |||
200 | - added cantata profile | 209 | - added cantata profile |
201 | - updated keypassxc profile | 210 | - updated keypassxc profile |
202 | - added syscalls.sh, which determine the necessary syscalls for a program | 211 | - added syscalls.sh, which determine the necessary syscalls for a program |
212 | - fixed conky profile | ||
203 | da2x (https://github.com/da2x) | 213 | da2x (https://github.com/da2x) |
204 | - matched RPM license tag | 214 | - matched RPM license tag |
205 | Daan Bakker (https://github.com/dbakker) | 215 | Daan Bakker (https://github.com/dbakker) |
@@ -227,6 +237,8 @@ DiGitHubCap (https://github.com/DiGitHubCap) | |||
227 | - deluge profile fix | 237 | - deluge profile fix |
228 | Disconnect3d (https://github.com/disconnect3d) | 238 | Disconnect3d (https://github.com/disconnect3d) |
229 | - code cleanup | 239 | - code cleanup |
240 | dmfreemon (https://github.com/dmfreemon) | ||
241 | - add sandbox name or name of private directory to the window title when xpra is used | ||
230 | dshmgh (https://github.com/dshmgh) | 242 | dshmgh (https://github.com/dshmgh) |
231 | - overlayfs fix for systems with /home mounted on a separate partition | 243 | - overlayfs fix for systems with /home mounted on a separate partition |
232 | Duncan Overbruck (https://github.com/Duncaen) | 244 | Duncan Overbruck (https://github.com/Duncaen) |
@@ -250,6 +262,7 @@ Felipe Barriga Richards (https://github.com/fbarriga) | |||
250 | Florian Begusch (https://github.com/florianbegusch) | 262 | Florian Begusch (https://github.com/florianbegusch) |
251 | - (la)tex profiles | 263 | - (la)tex profiles |
252 | - fixed transmission-common.profile | 264 | - fixed transmission-common.profile |
265 | - fixed standardnotes-desktop.profile | ||
253 | floxo (https://github.com/floxo) | 266 | floxo (https://github.com/floxo) |
254 | - fixed qml disk cache issue | 267 | - fixed qml disk cache issue |
255 | Franco (nextime) Lanza (https://github.com/nextime) | 268 | Franco (nextime) Lanza (https://github.com/nextime) |
@@ -357,6 +370,8 @@ haarp (https://github.com/haarp) | |||
357 | - Allow sound for hexchat | 370 | - Allow sound for hexchat |
358 | hamzadis (https://github.com/hamzadis) | 371 | hamzadis (https://github.com/hamzadis) |
359 | - added --overlay-named=name and --overlay-path=path | 372 | - added --overlay-named=name and --overlay-path=path |
373 | Hans-Christoph Steiner (https://github.com/eighthave) | ||
374 | - added xournal profile | ||
360 | hawkey116477 (https://github.com/hawkeye116477) | 375 | hawkey116477 (https://github.com/hawkeye116477) |
361 | - added Waterfox profile | 376 | - added Waterfox profile |
362 | - updated Cyberfox profile | 377 | - updated Cyberfox profile |
@@ -564,6 +579,8 @@ Peter Hogg (https://github.com/pigmonkey) | |||
564 | - bitlbee profile fixes | 579 | - bitlbee profile fixes |
565 | - mutt profile fixes | 580 | - mutt profile fixes |
566 | - fixes for youtube-dl in mpv profile | 581 | - fixes for youtube-dl in mpv profile |
582 | Peter Sanford (https://github.com/psanford) | ||
583 | - fix QtWebEngine in zoom | ||
567 | Petter Reinholdtsen (pere@hungry.com) | 584 | Petter Reinholdtsen (pere@hungry.com) |
568 | - Opera profile patch | 585 | - Opera profile patch |
569 | PharmaceuticalCobweb (https://github.com/PharmaceuticalCobweb) | 586 | PharmaceuticalCobweb (https://github.com/PharmaceuticalCobweb) |
@@ -760,6 +777,7 @@ StelFux (https://github.com/StelFux) | |||
760 | - Fix youtube video in totem | 777 | - Fix youtube video in totem |
761 | the-antz (https://github.com/the-antz) | 778 | the-antz (https://github.com/the-antz) |
762 | - Fix libx265 encoding in ffmpeg profile | 779 | - Fix libx265 encoding in ffmpeg profile |
780 | - Fix Firefox profile | ||
763 | - Profile tweaks | 781 | - Profile tweaks |
764 | thewisenerd (https://github.com/thewisenerd) | 782 | thewisenerd (https://github.com/thewisenerd) |
765 | - allow multiple private-home commands | 783 | - allow multiple private-home commands |
@@ -157,18 +157,20 @@ $ make | |||
157 | $ cd etc | 157 | $ cd etc |
158 | $ ./profstats *.profile | 158 | $ ./profstats *.profile |
159 | Stats: | 159 | Stats: |
160 | profiles 925 | 160 | profiles 949 |
161 | include local profile 925 (include profile-name.local) | 161 | include local profile 949 (include profile-name.local) |
162 | include globals 925 (include globals.local) | 162 | include globals 949 (include globals.local) |
163 | blacklist ~/.ssh 910 (include disable-common.inc) | 163 | blacklist ~/.ssh 934 (include disable-common.inc) |
164 | seccomp 868 | 164 | seccomp 892 |
165 | capabilities 924 | 165 | capabilities 948 |
166 | noexec 785 (include disable-exec.inc) | 166 | noexec 813 (include disable-exec.inc) |
167 | apparmor 426 | 167 | apparmor 471 |
168 | private-dev 788 | 168 | private-dev 812 |
169 | private-tmp 687 | 169 | private-tmp 711 |
170 | whitelist var directory 595 (include whitelist-var-common.inc) | 170 | whitelist var 621 (include whitelist-var-common.inc) |
171 | net none 274 | 171 | whitelist run/user 105 (include whitelist-runuser-common.inc) |
172 | whitelist usr/share 257 (include whitelist-usr-share-common.inc) | ||
173 | net none 297 | ||
172 | ````` | 174 | ````` |
173 | 175 | ||
174 | Run ./profstats -h for help. | 176 | Run ./profstats -h for help. |
@@ -3,6 +3,7 @@ firejail (0.9.63) baseline; urgency=low | |||
3 | * DHCP client support | 3 | * DHCP client support |
4 | * SELinux labeling support | 4 | * SELinux labeling support |
5 | * 32-bit seccomp filter | 5 | * 32-bit seccomp filter |
6 | * restrict ${RUNUSER} in serveral profiles | ||
6 | * new condition: HAS_NOSOUND | 7 | * new condition: HAS_NOSOUND |
7 | * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster | 8 | * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster |
8 | * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl | 9 | * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl |
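diff --git a/etc/baobab.profile b/etc/baobab.profile
index d87de9d66..a2cfa6d67 100644
--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -14,6 +14,8 @@ include disable-passwdmgr.inc
 # include disable-programs.inc
 # include disable-xdg.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 net none
 no3d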
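diff --git a/etc/celluloid.profile b/etc/celluloid.profile
index d099ba11e..daed19634 100644
--- a/etc/celluloid.profile
+++ b/etc/celluloid.profile
@@ -24,6 +24,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 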
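diff --git a/etc/curl.profile b/etc/curl.profile
index a720aca9b..a33d084ce 100644
--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -10,6 +10,8 @@ include globals.local
 noblacklist ${HOME}/.curlrc
 
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-exec.inc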
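Review bot: The new `blacklist ${RUNUSER}/wayland-*` directly above `blacklist ${RUNUSER}` looks redundant, since blacklisting the whole directory already denies everything beneath it, as far as the profile syntax shows. The same pair is added in dig.profile, and in file.profile and highlight.profile the new `blacklist ${RUNUSER}` lands under an already existing wayland-* blacklist. Unless the glob line is kept deliberately as a hint to readers, keep only `blacklist ${RUNUSER}`; a single directory-level rule is easier to audit when someone later adds a noblacklist for one socket.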
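diff --git a/etc/d-feet.profile b/etc/d-feet.profile
index 897bf5f5d..51df7b455 100644
--- a/etc/d-feet.profile
+++ b/etc/d-feet.profile
@@ -24,6 +24,7 @@ mkdir ${HOME}/.config/d-feet
 whitelist ${HOME}/.config/d-feet
 whitelist /usr/share/d-feet
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 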
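diff --git a/etc/dconf-editor.profile b/etc/dconf-editor.profile
index a9d25128f..e7cc66e32 100644
--- a/etc/dconf-editor.profile
+++ b/etc/dconf-editor.profile
@@ -16,6 +16,7 @@ include disable-xdg.inc
 
 whitelist ${HOME}/.local/share/glib-2.0
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 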
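diff --git a/etc/dig.profile b/etc/dig.profile
index e6b7e46d9..270a95c05 100644
--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -11,6 +11,8 @@ noblacklist ${HOME}/.digrc
 noblacklist ${PATH}/dig
 
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 # include disable-devel.inc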
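diff --git a/etc/elinks.profile b/etc/elinks.profile
index 82d1ba528..2a306d704 100644
--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@@ -18,6 +18,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 no3d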
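diff --git a/etc/enchant.profile b/etc/enchant.profile
index fa556c7d2..69e8b1e44 100644
--- a/etc/enchant.profile
+++ b/etc/enchant.profile
@@ -21,6 +21,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/enchant
 whitelist ${HOME}/.config/enchant
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 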
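diff --git a/etc/eo-common.profile b/etc/eo-common.profile
index 13f498c03..80c704c6b 100644
--- a/etc/eo-common.profile
+++ b/etc/eo-common.profile
@@ -18,6 +18,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 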
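diff --git a/etc/evince.profile b/etc/evince.profile
index 143a347e6..68ef5eb9a 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -21,6 +21,7 @@ whitelist /usr/share/doc
 whitelist /usr/share/evince
 whitelist /usr/share/poppler
 whitelist /usr/share/tracker
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 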
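diff --git a/etc/evolution.profile b/etc/evolution.profile
index 71a7a5600..4740bf935 100644
--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -23,6 +23,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 # no3d breaks under wayland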
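diff --git a/etc/feedreader.profile b/etc/feedreader.profile
index 5a72b60ea..7d3c7a8f4 100644
--- a/etc/feedreader.profile
+++ b/etc/feedreader.profile
@@ -23,6 +23,7 @@ whitelist ${HOME}/.cache/feedreader
 whitelist ${HOME}/.local/share/feedreader
 whitelist /usr/share/feedreader
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 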
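diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index 9d84f07de..70dd030ee 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -14,6 +14,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 whitelist /usr/share/file-roller
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 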
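diff --git a/etc/file.profile b/etc/file.profile
index 82b161d48..854586354 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -8,6 +8,7 @@ include file.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-exec.inc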
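diff --git a/etc/filezilla.profile b/etc/filezilla.profile
index d8d4c1746..6c7ab8f0d 100644
--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -17,6 +17,8 @@ include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
 include disable-programs.inc
+
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all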
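diff --git a/etc/flameshot.profile b/etc/flameshot.profile
index 3aad9723b..9a3df98f4 100644
--- a/etc/flameshot.profile
+++ b/etc/flameshot.profile
@@ -17,6 +17,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 ipc-namespace
 netfilter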
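diff --git a/etc/gedit.profile b/etc/gedit.profile
index a4471077a..148b98c99 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -19,6 +19,7 @@ include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 # apparmor - makes settings immutable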
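diff --git a/etc/gfeeds.profile b/etc/gfeeds.profile
index d332c1bbe..7de762e0d 100644
--- a/etc/gfeeds.profile
+++ b/etc/gfeeds.profile
@@ -29,6 +29,7 @@ whitelist ${HOME}/.cache/org.gabmus.gfeeds
 whitelist ${HOME}/.config/org.gabmus.gfeeds.json
 whitelist /usr/share/gfeeds
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 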
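diff --git a/etc/gitg.profile b/etc/gitg.profile
index 3c6f9d72f..68f38c3ce 100644
--- a/etc/gitg.profile
+++ b/etc/gitg.profile
@@ -28,6 +28,7 @@ include disable-programs.inc
 #include whitelist-common.inc
 
 whitelist /usr/share/gitg
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 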
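diff --git a/etc/gjs.profile b/etc/gjs.profile
index 85dd57f29..9c8848b8a 100644
--- a/etc/gjs.profile
+++ b/etc/gjs.profile
@@ -22,6 +22,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 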
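diff --git a/etc/gnome-builder.profile b/etc/gnome-builder.profile
index eaf48931d..7a684dd59 100644
--- a/etc/gnome-builder.profile
+++ b/etc/gnome-builder.profile
@@ -17,6 +17,8 @@ include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 ipc-namespace
 netfilter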
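diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index 6709a331e..627ae368a 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -16,6 +16,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 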
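diff --git a/etc/gnome-characters.profile b/etc/gnome-characters.profile
index f02fe13f6..77b0c3c15 100644
--- a/etc/gnome-characters.profile
+++ b/etc/gnome-characters.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 
 whitelist /usr/share/org.gnome.Characters
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 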
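diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile
index 025335a23..b865423c5 100644
--- a/etc/gnome-clocks.profile
+++ b/etc/gnome-clocks.profile
@@ -17,6 +17,7 @@ include disable-xdg.inc
 whitelist /usr/share/gnome-clocks
 whitelist /usr/share/libgweather
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 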
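diff --git a/etc/gnome-contacts.profile b/etc/gnome-contacts.profile
index ac6d82451..7c1e4bb58 100644
--- a/etc/gnome-contacts.profile
+++ b/etc/gnome-contacts.profile
@@ -17,6 +17,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all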
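diff --git a/etc/gnome-hexgl.profile b/etc/gnome-hexgl.profile
index 386c33d7f..a06ccc9c1 100644
--- a/etc/gnome-hexgl.profile
+++ b/etc/gnome-hexgl.profile
@@ -15,9 +15,8 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.cache/mesa_shader_cache
-whitelist ${RUNUSER}/pulse
-whitelist ${RUNUSER}/wayland-0
 whitelist /usr/share/gnome-hexgl
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 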
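Review bot: The removed `whitelist ${RUNUSER}/pulse` and `whitelist ${RUNUSER}/wayland-0` are replaced by `include whitelist-runuser-common.inc`, whose contents are not part of this diff, so it is worth confirming that the shared include still exposes exactly the pulse and wayland-0 sockets — if it does not, audio or the Wayland display for this game breaks silently. The same substitution is made in gnome-passwordsafe.profile (bus, wayland-0, gdm/Xauthority) and gnome-screenshot.profile (bus, pulse, gdm/Xauthority, wayland-0), and the opposite risk applies there: the include may now expose more of ${RUNUSER} than those profiles previously allowed. gnome-passwordsafe.profile also drops the hint `# If you have a second wayland compositor, whitelist its socket here.`; if the common include only covers wayland-0, that hint belongs in the include or should stay in the profile.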
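diff --git a/etc/gnome-latex.profile b/etc/gnome-latex.profile
index 1bf48c6ab..ea4151137 100644
--- a/etc/gnome-latex.profile
+++ b/etc/gnome-latex.profile
@@ -22,6 +22,7 @@ include disable-programs.inc
 whitelist /usr/share/gnome-latex
 whitelist /usr/share/perl5
 whitelist /usr/share/texlive
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 # May cause issues.
 #include whitelist-var-common.inc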
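diff --git a/etc/gnome-logs.profile b/etc/gnome-logs.profile
index 0c5bec144..31b7cfb4f 100644
--- a/etc/gnome-logs.profile
+++ b/etc/gnome-logs.profile
@@ -15,6 +15,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 whitelist /var/log/journal
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 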
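diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile
index 12415a937..bf263efa9 100644
--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -35,6 +35,7 @@ whitelist ${PICTURES}
 whitelist /usr/share/gnome-maps
 whitelist /usr/share/libgweather
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 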
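diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile
index 9c3131162..36b46897c 100644
--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -21,6 +21,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 apparmor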
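diff --git a/etc/gnome-nettool.profile b/etc/gnome-nettool.profile
index d15299890..649473679 100644
--- a/etc/gnome-nettool.profile
+++ b/etc/gnome-nettool.profile
@@ -16,6 +16,7 @@ include disable-xdg.inc
 
 whitelist /usr/share/gnome-nettool
 #include whitelist-common.inc -- see #903
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 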
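diff --git a/etc/gnome-passwordsafe.profile b/etc/gnome-passwordsafe.profile
index de8f6ad7d..555a59d93 100644
--- a/etc/gnome-passwordsafe.profile
+++ b/etc/gnome-passwordsafe.profile
@@ -21,13 +21,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist ${RUNUSER}/bus
-# If you have a second wayland compositor, whitelist its socket here.
-whitelist ${RUNUSER}/wayland-0
-whitelist ${RUNUSER}/gdm/Xauthority
-
 whitelist /usr/share/cracklib
 whitelist /usr/share/passwordsafe
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 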
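diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile
index c28217efb..2af406af9 100644
--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@@ -17,6 +17,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 apparmor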
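diff --git a/etc/gnome-schedule.profile b/etc/gnome-schedule.profile
index c8dd8ead7..55913a2d7 100644
--- a/etc/gnome-schedule.profile
+++ b/etc/gnome-schedule.profile
@@ -39,6 +39,7 @@ whitelist /usr/share/gnome-schedule
 whitelist /var/spool/atd
 whitelist /var/spool/cron
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 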
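diff --git a/etc/gnome-screenshot.profile b/etc/gnome-screenshot.profile
index c00aefdb7..cc5efb161 100644
--- a/etc/gnome-screenshot.profile
+++ b/etc/gnome-screenshot.profile
@@ -17,11 +17,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist ${RUNUSER}/bus
-whitelist ${RUNUSER}/pulse
-whitelist ${RUNUSER}/gdm/Xauthority
-whitelist ${RUNUSER}/wayland-0
 include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 apparmor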
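Review bot: The new `include whitelist-runuser-common.inc` is inserted after `include whitelist-usr-share-common.inc`, whereas every other profile in this commit places it before the usr-share include, keeping the whitelist-*-common includes in alphabetical order. Swap the two lines so the block reads `include whitelist-runuser-common.inc` followed by `include whitelist-usr-share-common.inc`. As far as the profile syntax shows this is ordering only, so the point is consistency, not behaviour.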
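diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile
index 10db6296b..a181f1b9e 100644
--- a/etc/gnome-weather.profile
+++ b/etc/gnome-weather.profile
@@ -21,6 +21,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all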
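diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile
index 16bda186e..adc8957e6 100644
--- a/etc/gpg-agent.profile
+++ b/etc/gpg-agent.profile
@@ -21,9 +21,12 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.gnupg
 whitelist ${HOME}/.gnupg
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 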
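Review bot: `whitelist ${RUNUSER}/keyring` opens a second runtime socket directory to the sandbox without saying which component needs it, while the `${RUNUSER}/gnupg` line above is self-explanatory for an agent profile. A one-line comment such as `# ${RUNUSER}/keyring: needed by <component, to be confirmed>` would let the next maintainer decide whether the line can be dropped when tightening the profile, since every extra whitelisted socket widens what the sandboxed process can talk to. The same two lines are added to gpg.profile, where the same comment applies.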
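diff --git a/etc/gpg.profile b/etc/gpg.profile
index b408a0123..787f35f9e 100644
--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -18,9 +18,12 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 whitelist /usr/share/pacman/keyrings
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 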
diff --git a/etc/gucharmap.profile b/etc/gucharmap.profile index b3aa58d29..f3e3ab14d 100644 --- a/etc/gucharmap.profile +++ b/etc/gucharmap.profile | |||
@@ -15,6 +15,7 @@ include disable-programs.inc | |||
15 | include disable-xdg.inc | 15 | include disable-xdg.inc |
16 | 16 | ||
17 | include whitelist-common.inc | 17 | include whitelist-common.inc |
18 | include whitelist-runuser-common.inc | ||
18 | include whitelist-usr-share-common.inc | 19 | include whitelist-usr-share-common.inc |
19 | include whitelist-var-common.inc | 20 | include whitelist-var-common.inc |
20 | 21 | ||
diff --git a/etc/highlight.profile b/etc/highlight.profile index 036de8d99..fc8b2f65a 100644 --- a/etc/highlight.profile +++ b/etc/highlight.profile | |||
@@ -7,6 +7,7 @@ include highlight.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist ${RUNUSER}/wayland-* | 9 | blacklist ${RUNUSER}/wayland-* |
10 | blacklist ${RUNUSER} | ||
10 | 11 | ||
11 | include disable-common.inc | 12 | include disable-common.inc |
12 | include disable-devel.inc | 13 | include disable-devel.inc |
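Review bot: With `blacklist ${RUNUSER}` added, the pre-existing `blacklist ${RUNUSER}/wayland-*` one line above is subsumed if blacklisting a directory hides everything beneath it; keeping both is harmless, but the narrower line could be dropped here and in the same pair in less, pandoc, patch, pdftotext, shellcheck, strings, rsync-download_only, wget, whois, youtube-dl, nslookup and ping. If it is kept on purpose, a one-line comment saying so would save the next reader the question.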
diff --git a/etc/latex-common.profile b/etc/latex-common.profile index 712ada722..84901e8ef 100644 --- a/etc/latex-common.profile +++ b/etc/latex-common.profile | |||
@@ -14,6 +14,7 @@ include disable-passwdmgr.inc | |||
14 | include disable-programs.inc | 14 | include disable-programs.inc |
15 | 15 | ||
16 | whitelist /var/lib | 16 | whitelist /var/lib |
17 | include whitelist-runuser-common.inc | ||
17 | include whitelist-var-common.inc | 18 | include whitelist-var-common.inc |
18 | 19 | ||
19 | caps.drop all | 20 | caps.drop all |
diff --git a/etc/less.profile b/etc/less.profile index 00624e0f1..27e24c852 100644 --- a/etc/less.profile +++ b/etc/less.profile | |||
@@ -8,6 +8,7 @@ include less.local | |||
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist ${RUNUSER}/wayland-* | 10 | blacklist ${RUNUSER}/wayland-* |
11 | blacklist ${RUNUSER} | ||
11 | 12 | ||
12 | noblacklist ${HOME}/.lesshst | 13 | noblacklist ${HOME}/.lesshst |
13 | 14 | ||
diff --git a/etc/links.profile b/etc/links.profile index a31001c87..b2f94d3cf 100644 --- a/etc/links.profile +++ b/etc/links.profile | |||
@@ -24,6 +24,7 @@ include disable-xdg.inc | |||
24 | mkdir ${HOME}/.links | 24 | mkdir ${HOME}/.links |
25 | whitelist ${HOME}/.links | 25 | whitelist ${HOME}/.links |
26 | whitelist ${DOWNLOADS} | 26 | whitelist ${DOWNLOADS} |
27 | include whitelist-runuser-common.inc | ||
27 | include whitelist-var-common.inc | 28 | include whitelist-var-common.inc |
28 | 29 | ||
29 | caps.drop all | 30 | caps.drop all |
diff --git a/etc/lynx.profile b/etc/lynx.profile index fb6fe94ec..dbd0a61e5 100644 --- a/etc/lynx.profile +++ b/etc/lynx.profile | |||
@@ -16,6 +16,8 @@ include disable-passwdmgr.inc | |||
16 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | include disable-xdg.inc | 17 | include disable-xdg.inc |
18 | 18 | ||
19 | include whitelist-runuser-common.inc | ||
20 | |||
19 | caps.drop all | 21 | caps.drop all |
20 | netfilter | 22 | netfilter |
21 | no3d | 23 | no3d |
diff --git a/etc/meld.profile b/etc/meld.profile index 9a320c13d..be13e9643 100644 --- a/etc/meld.profile +++ b/etc/meld.profile | |||
@@ -36,6 +36,8 @@ include disable-passwdmgr.inc | |||
36 | # Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-programs.inc. | 36 | # Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-programs.inc. |
37 | #include disable-programs.inc | 37 | #include disable-programs.inc |
38 | 38 | ||
39 | include whitelist-runuser-common.inc | ||
40 | |||
39 | # Uncomment the next lines (or put it into your meld.local) if you don't need to compare files in /usr/share. | 41 | # Uncomment the next lines (or put it into your meld.local) if you don't need to compare files in /usr/share. |
40 | #whitelist /usr/share/meld | 42 | #whitelist /usr/share/meld |
41 | #include whitelist-usr-share-common.inc | 43 | #include whitelist-usr-share-common.inc |
diff --git a/etc/mutt.profile b/etc/mutt.profile index 1fc412955..8ff547b52 100644 --- a/etc/mutt.profile +++ b/etc/mutt.profile | |||
@@ -40,6 +40,8 @@ include disable-interpreters.inc | |||
40 | include disable-passwdmgr.inc | 40 | include disable-passwdmgr.inc |
41 | include disable-programs.inc | 41 | include disable-programs.inc |
42 | 42 | ||
43 | include whitelist-runuser-common.inc | ||
44 | |||
43 | caps.drop all | 45 | caps.drop all |
44 | netfilter | 46 | netfilter |
45 | no3d | 47 | no3d |
diff --git a/etc/newsboat.profile b/etc/newsboat.profile index e063abe53..eabd17b4b 100644 --- a/etc/newsboat.profile +++ b/etc/newsboat.profile | |||
@@ -19,6 +19,7 @@ include disable-xdg.inc | |||
19 | mkdir ${HOME}/.newsboat | 19 | mkdir ${HOME}/.newsboat |
20 | whitelist ${HOME}/.newsboat | 20 | whitelist ${HOME}/.newsboat |
21 | include whitelist-common.inc | 21 | include whitelist-common.inc |
22 | include whitelist-runuser-common.inc | ||
22 | include whitelist-var-common.inc | 23 | include whitelist-var-common.inc |
23 | 24 | ||
24 | caps.drop all | 25 | caps.drop all |
diff --git a/etc/nslookup.profile b/etc/nslookup.profile index 40cb3b6d8..4aa1cfcbf 100644 --- a/etc/nslookup.profile +++ b/etc/nslookup.profile | |||
@@ -7,6 +7,10 @@ include nslookup.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist /tmp/.X11-unix | ||
11 | blacklist ${RUNUSER}/wayland-* | ||
12 | blacklist ${RUNUSER} | ||
13 | |||
10 | noblacklist ${PATH}/nslookup | 14 | noblacklist ${PATH}/nslookup |
11 | 15 | ||
12 | include disable-common.inc | 16 | include disable-common.inc |
diff --git a/etc/pandoc.profile b/etc/pandoc.profile index 9a8d82a96..9117b0c07 100644 --- a/etc/pandoc.profile +++ b/etc/pandoc.profile | |||
@@ -8,6 +8,7 @@ include pandoc.local | |||
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist ${RUNUSER}/wayland-* | 10 | blacklist ${RUNUSER}/wayland-* |
11 | blacklist ${RUNUSER} | ||
11 | 12 | ||
12 | noblacklist ${DOCUMENTS} | 13 | noblacklist ${DOCUMENTS} |
13 | 14 | ||
diff --git a/etc/patch.profile b/etc/patch.profile index 4a3365378..95c92a3f5 100644 --- a/etc/patch.profile +++ b/etc/patch.profile | |||
@@ -8,6 +8,7 @@ include patch.local | |||
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist ${RUNUSER}/wayland-* | 10 | blacklist ${RUNUSER}/wayland-* |
11 | blacklist ${RUNUSER} | ||
11 | 12 | ||
12 | noblacklist ${DOCUMENTS} | 13 | noblacklist ${DOCUMENTS} |
13 | 14 | ||
diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile index 73ebf4615..a7112f1e8 100644 --- a/etc/pdftotext.profile +++ b/etc/pdftotext.profile | |||
@@ -7,6 +7,7 @@ include pdftotext.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist ${RUNUSER}/wayland-* | 9 | blacklist ${RUNUSER}/wayland-* |
10 | blacklist ${RUNUSER} | ||
10 | 11 | ||
11 | noblacklist ${DOCUMENTS} | 12 | noblacklist ${DOCUMENTS} |
12 | 13 | ||
diff --git a/etc/ping.profile b/etc/ping.profile index 75ad0ee31..3ef8ad64a 100644 --- a/etc/ping.profile +++ b/etc/ping.profile | |||
@@ -7,6 +7,10 @@ include ping.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist /tmp/.X11-unix | ||
11 | blacklist ${RUNUSER}/wayland-* | ||
12 | blacklist ${RUNUSER} | ||
13 | |||
10 | include disable-common.inc | 14 | include disable-common.inc |
11 | include disable-devel.inc | 15 | include disable-devel.inc |
12 | include disable-exec.inc | 16 | include disable-exec.inc |
diff --git a/etc/pitivi.profile b/etc/pitivi.profile index 71032f2ee..c722e29b4 100644 --- a/etc/pitivi.profile +++ b/etc/pitivi.profile | |||
@@ -6,7 +6,6 @@ include pitivi.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | |||
10 | noblacklist ${HOME}/.config/pitivi | 9 | noblacklist ${HOME}/.config/pitivi |
11 | 10 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 11 | # Allow python (blacklisted by disable-interpreters.inc) |
@@ -20,6 +19,7 @@ include disable-interpreters.inc | |||
20 | include disable-passwdmgr.inc | 19 | include disable-passwdmgr.inc |
21 | include disable-programs.inc | 20 | include disable-programs.inc |
22 | 21 | ||
22 | include whitelist-runuser-common.inc | ||
23 | include whitelist-var-common.inc | 23 | include whitelist-var-common.inc |
24 | 24 | ||
25 | apparmor | 25 | apparmor |
diff --git a/etc/pngquant.profile b/etc/pngquant.profile index f9ce43c4c..4695eee71 100644 --- a/etc/pngquant.profile +++ b/etc/pngquant.profile | |||
@@ -16,6 +16,8 @@ include disable-interpreters.inc | |||
16 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 17 | include disable-programs.inc |
18 | 18 | ||
19 | include whitelist-runuser-common.inc | ||
20 | include whitelist-usr-share-common.inc | ||
19 | include whitelist-var-common.inc | 21 | include whitelist-var-common.inc |
20 | 22 | ||
21 | apparmor | 23 | apparmor |
diff --git a/etc/polari.profile b/etc/polari.profile index 939e2537e..87a53775f 100644 --- a/etc/polari.profile +++ b/etc/polari.profile | |||
@@ -28,6 +28,7 @@ whitelist ${HOME}/.local/share/TpLogger | |||
28 | whitelist ${HOME}/.local/share/telepathy | 28 | whitelist ${HOME}/.local/share/telepathy |
29 | whitelist ${HOME}/.purple | 29 | whitelist ${HOME}/.purple |
30 | include whitelist-common.inc | 30 | include whitelist-common.inc |
31 | include whitelist-runuser-common.inc | ||
31 | 32 | ||
32 | caps.drop all | 33 | caps.drop all |
33 | netfilter | 34 | netfilter |
diff --git a/etc/remmina.profile b/etc/remmina.profile index e85ceca13..6311c91df 100644 --- a/etc/remmina.profile +++ b/etc/remmina.profile | |||
@@ -19,6 +19,7 @@ include disable-passwdmgr.inc | |||
19 | include disable-programs.inc | 19 | include disable-programs.inc |
20 | include disable-xdg.inc | 20 | include disable-xdg.inc |
21 | 21 | ||
22 | include whitelist-runuser-common.inc | ||
22 | include whitelist-var-common.inc | 23 | include whitelist-var-common.inc |
23 | 24 | ||
24 | caps.drop all | 25 | caps.drop all |
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index aff8b08e3..689fbe626 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile | |||
@@ -25,6 +25,7 @@ include disable-xdg.inc | |||
25 | whitelist /usr/share/rhythmbox | 25 | whitelist /usr/share/rhythmbox |
26 | whitelist /usr/share/lua | 26 | whitelist /usr/share/lua |
27 | whitelist /usr/share/libquvi-scripts | 27 | whitelist /usr/share/libquvi-scripts |
28 | include whitelist-runuser-common.inc | ||
28 | include whitelist-usr-share-common.inc | 29 | include whitelist-usr-share-common.inc |
29 | include whitelist-var-common.inc | 30 | include whitelist-var-common.inc |
30 | 31 | ||
diff --git a/etc/rsync-download_only.profile b/etc/rsync-download_only.profile index 84147f0a5..500656a4b 100644 --- a/etc/rsync-download_only.profile +++ b/etc/rsync-download_only.profile | |||
@@ -14,6 +14,7 @@ include globals.local | |||
14 | 14 | ||
15 | blacklist /tmp/.X11-unix | 15 | blacklist /tmp/.X11-unix |
16 | blacklist ${RUNUSER}/wayland-* | 16 | blacklist ${RUNUSER}/wayland-* |
17 | blacklist ${RUNUSER} | ||
17 | 18 | ||
18 | include disable-common.inc | 19 | include disable-common.inc |
19 | include disable-devel.inc | 20 | include disable-devel.inc |
diff --git a/etc/seahorse.profile b/etc/seahorse.profile index 5a742d05f..3a69086b5 100644 --- a/etc/seahorse.profile +++ b/etc/seahorse.profile | |||
@@ -31,7 +31,10 @@ whitelist /usr/share/gnupg | |||
31 | whitelist /usr/share/gnupg2 | 31 | whitelist /usr/share/gnupg2 |
32 | whitelist /usr/share/seahorse | 32 | whitelist /usr/share/seahorse |
33 | whitelist /usr/share/seahorse-nautilus | 33 | whitelist /usr/share/seahorse-nautilus |
34 | whitelist ${RUNUSER}/gnupg | ||
35 | whitelist ${RUNUSER}/keyring | ||
34 | #include whitelist-common.inc | 36 | #include whitelist-common.inc |
37 | include whitelist-runuser-common.inc | ||
35 | include whitelist-usr-share-common.inc | 38 | include whitelist-usr-share-common.inc |
36 | include whitelist-var-common.inc | 39 | include whitelist-var-common.inc |
37 | 40 | ||
diff --git a/etc/shellcheck.profile b/etc/shellcheck.profile index 7b4041222..fb43c61e4 100644 --- a/etc/shellcheck.profile +++ b/etc/shellcheck.profile | |||
@@ -8,6 +8,7 @@ include shellcheck.local | |||
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist ${RUNUSER}/wayland-* | 10 | blacklist ${RUNUSER}/wayland-* |
11 | blacklist ${RUNUSER} | ||
11 | 12 | ||
12 | noblacklist ${DOCUMENTS} | 13 | noblacklist ${DOCUMENTS} |
13 | 14 | ||
diff --git a/etc/ssh.profile b/etc/ssh.profile index 1551c3fb6..cbd59c6e0 100644 --- a/etc/ssh.profile +++ b/etc/ssh.profile | |||
@@ -18,7 +18,10 @@ include disable-exec.inc | |||
18 | include disable-passwdmgr.inc | 18 | include disable-passwdmgr.inc |
19 | include disable-programs.inc | 19 | include disable-programs.inc |
20 | 20 | ||
21 | whitelist ${RUNUSER}/keyring/ssh | ||
22 | whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh | ||
21 | include whitelist-usr-share-common.inc | 23 | include whitelist-usr-share-common.inc |
24 | include whitelist-runuser-common.inc | ||
22 | 25 | ||
23 | caps.drop all | 26 | caps.drop all |
24 | ipc-namespace | 27 | ipc-namespace |
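Review bot: The new `include whitelist-runuser-common.inc` is placed after `include whitelist-usr-share-common.inc`, unlike every other profile in this commit, which lists the runuser include before the usr-share one; moving it one line up keeps the ordering consistent. The two socket whitelists above it are appropriately narrow, but since the socket names depend on which agent is in use, a comment such as `# ssh-agent sockets provided by gnome-keyring and gpg-agent` would document why exactly these two paths are opened.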
diff --git a/etc/strings.profile b/etc/strings.profile index 7dc453b1f..7d2d035a4 100644 --- a/etc/strings.profile +++ b/etc/strings.profile | |||
@@ -8,6 +8,7 @@ include strings.local | |||
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist ${RUNUSER}/wayland-* | 10 | blacklist ${RUNUSER}/wayland-* |
11 | blacklist ${RUNUSER} | ||
11 | 12 | ||
12 | #include disable-common.inc | 13 | #include disable-common.inc |
13 | include disable-devel.inc | 14 | include disable-devel.inc |
diff --git a/etc/teams.profile b/etc/teams.profile index 8b60a941e..0e5a42be7 100644 --- a/etc/teams.profile +++ b/etc/teams.profile | |||
@@ -9,6 +9,8 @@ include teams.local | |||
9 | # added by included profile | 9 | # added by included profile |
10 | #include globals.local | 10 | #include globals.local |
11 | 11 | ||
12 | ignore nodbus | ||
13 | |||
12 | noblacklist ${HOME}/.config/teams | 14 | noblacklist ${HOME}/.config/teams |
13 | noblacklist ${HOME}/.config/Microsoft | 15 | noblacklist ${HOME}/.config/Microsoft |
14 | 16 | ||
@@ -30,7 +32,6 @@ tracelog | |||
30 | disable-mnt | 32 | disable-mnt |
31 | private-cache | 33 | private-cache |
32 | private-dev | 34 | private-dev |
33 | private-tmp | ||
34 | 35 | ||
35 | # Redirect | 36 | # Redirect |
36 | include electron.profile | 37 | include electron.profile |
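Review bot: Removing `private-tmp` and adding `ignore nodbus` both widen the sandbox (the host-wide /tmp and the session bus become reachable; the `nodbus` being overridden presumably comes from the electron.profile included below), and neither line carries a justification. A comment such as `# private-tmp and nodbus break <feature> (see issue <ISSUE-ID>)` would let the next maintainer re-evaluate whether the relaxation is still needed.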
diff --git a/etc/templates/profile.template b/etc/templates/profile.template index 0362b82af..4cb40027c 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template | |||
@@ -27,6 +27,7 @@ | |||
27 | # ALLOW INCLUDES | 27 | # ALLOW INCLUDES |
28 | # BLACKLISTS | 28 | # BLACKLISTS |
29 | # DISABLE INCLUDES | 29 | # DISABLE INCLUDES |
30 | # NOWHITELISTS | ||
30 | # MKDIRS | 31 | # MKDIRS |
31 | # WHITELISTS | 32 | # WHITELISTS |
32 | # WHITELIST INCLUDES | 33 | # WHITELIST INCLUDES |
@@ -62,6 +63,8 @@ include globals.local | |||
62 | #blacklist /tmp/.X11-unix | 63 | #blacklist /tmp/.X11-unix |
63 | # Disable Wayland | 64 | # Disable Wayland |
64 | #blacklist ${RUNUSER}/wayland-* | 65 | #blacklist ${RUNUSER}/wayland-* |
66 | # Disable RUNUSER (cli only) | ||
67 | #blacklist ${RUNUSER} | ||
65 | 68 | ||
66 | # It is common practice to add files/dirs containing program-specific configuration | 69 | # It is common practice to add files/dirs containing program-specific configuration |
67 | # (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc | 70 | # (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc |
@@ -116,6 +119,7 @@ include globals.local | |||
116 | ##mkfile PATH | 119 | ##mkfile PATH |
117 | #whitelist PATH | 120 | #whitelist PATH |
118 | #include whitelist-common.inc | 121 | #include whitelist-common.inc |
122 | #GTK3 only: include whitelist-runuser-common.inc | ||
119 | #include whitelist-usr-share-common.inc | 123 | #include whitelist-usr-share-common.inc |
120 | #include whitelist-var-common.inc | 124 | #include whitelist-var-common.inc |
121 | 125 | ||
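Review bot: `#GTK3 only: include whitelist-runuser-common.inc` does not follow the pattern of its neighbours, which are plain commented-out directives that work when the `#` is removed; as written, uncommenting yields an invalid line. Splitting it into `# GTK3 applications only` on its own line followed by `#include whitelist-runuser-common.inc` keeps the template uniform.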
diff --git a/etc/tracker.profile b/etc/tracker.profile index d47185b1d..9030b1e01 100644 --- a/etc/tracker.profile +++ b/etc/tracker.profile | |||
@@ -17,6 +17,8 @@ include disable-interpreters.inc | |||
17 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
18 | include disable-programs.inc | 18 | include disable-programs.inc |
19 | 19 | ||
20 | include whitelist-runuser-common.inc | ||
21 | |||
20 | caps.drop all | 22 | caps.drop all |
21 | netfilter | 23 | netfilter |
22 | no3d | 24 | no3d |
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index 01bdeb4ef..baa970307 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile | |||
@@ -7,6 +7,8 @@ include transmission-gtk.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | include whitelist-runuser-common.inc | ||
11 | |||
10 | private-bin transmission-gtk | 12 | private-bin transmission-gtk |
11 | 13 | ||
12 | ignore memory-deny-write-execute | 14 | ignore memory-deny-write-execute |
diff --git a/etc/tshark.profile b/etc/tshark.profile index 211f59f29..684a9491d 100644 --- a/etc/tshark.profile +++ b/etc/tshark.profile | |||
@@ -16,6 +16,7 @@ include disable-xdg.inc | |||
16 | 16 | ||
17 | whitelist /usr/share/wireshark | 17 | whitelist /usr/share/wireshark |
18 | include whitelist-common.inc | 18 | include whitelist-common.inc |
19 | include whitelist-runuser-common.inc | ||
19 | include whitelist-usr-share-common.inc | 20 | include whitelist-usr-share-common.inc |
20 | include whitelist-var-common.inc | 21 | include whitelist-var-common.inc |
21 | 22 | ||
diff --git a/etc/vim.profile b/etc/vim.profile index d27a9a633..e9a474239 100644 --- a/etc/vim.profile +++ b/etc/vim.profile | |||
@@ -17,6 +17,8 @@ include disable-common.inc | |||
17 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
18 | include disable-programs.inc | 18 | include disable-programs.inc |
19 | 19 | ||
20 | include whitelist-runuser-common.inc | ||
21 | |||
20 | caps.drop all | 22 | caps.drop all |
21 | netfilter | 23 | netfilter |
22 | nodvd | 24 | nodvd |
diff --git a/etc/w3m.profile b/etc/w3m.profile index 97465baa1..5215ee6f5 100644 --- a/etc/w3m.profile +++ b/etc/w3m.profile | |||
@@ -20,6 +20,8 @@ include disable-passwdmgr.inc | |||
20 | include disable-programs.inc | 20 | include disable-programs.inc |
21 | include disable-xdg.inc | 21 | include disable-xdg.inc |
22 | 22 | ||
23 | include whitelist-runuser-common.inc | ||
24 | |||
23 | caps.drop all | 25 | caps.drop all |
24 | netfilter | 26 | netfilter |
25 | no3d | 27 | no3d |
diff --git a/etc/wget.profile b/etc/wget.profile index d402316e9..ad7a14c41 100644 --- a/etc/wget.profile +++ b/etc/wget.profile | |||
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.wgetrc | |||
13 | 13 | ||
14 | blacklist /tmp/.X11-unix | 14 | blacklist /tmp/.X11-unix |
15 | blacklist ${RUNUSER}/wayland-* | 15 | blacklist ${RUNUSER}/wayland-* |
16 | blacklist ${RUNUSER} | ||
16 | 17 | ||
17 | include disable-common.inc | 18 | include disable-common.inc |
18 | include disable-devel.inc | 19 | include disable-devel.inc |
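--- /dev/null
+++ b/etc/whitelist-runuser-common.inc
@@ -0,0 +1,10 @@
+# Local customizations come here
+include whitelist-runuser-common.local
+
+# common ${RUNUSER} (=/run/user/$UID) whitelist for all profiles
+
+whitelist ${RUNUSER}/bus
+whitelist ${RUNUSER}/dconf
+whitelist ${RUNUSER}/gdm/Xauthority
+whitelist ${RUNUSER}/pulse/native
+whitelist ${RUNUSER}/wayland-0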
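Review bot: The header comment describes this as the common `${RUNUSER}` whitelist but does not say what each entry grants, and `${RUNUSER}/bus` in particular is the session D-Bus socket, so every profile that includes this file keeps D-Bus reachable unless it also sets `nodbus` (which the `ignore nodbus` in teams.profile shows some profiles deliberately override). A per-entry comment would make the exposure reviewable, e.g. `# ${RUNUSER}/bus: session D-Bus socket; profiles that do not need D-Bus should keep nodbus`. `${RUNUSER}/gdm/Xauthority` and `${RUNUSER}/wayland-0` are display-manager and compositor specific (only GDM creates the former, and a Wayland socket is not always numbered 0), so a note that these entries may simply not exist on other setups would help triage of "works on GNOME only" reports.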
diff --git a/etc/whois.profile b/etc/whois.profile index 9af6d6843..5fea610d8 100644 --- a/etc/whois.profile +++ b/etc/whois.profile | |||
@@ -9,6 +9,7 @@ include globals.local | |||
9 | 9 | ||
10 | blacklist /tmp/.X11-unix | 10 | blacklist /tmp/.X11-unix |
11 | blacklist ${RUNUSER}/wayland-* | 11 | blacklist ${RUNUSER}/wayland-* |
12 | blacklist ${RUNUSER} | ||
12 | 13 | ||
13 | include disable-common.inc | 14 | include disable-common.inc |
14 | include disable-devel.inc | 15 | include disable-devel.inc |
diff --git a/etc/yelp.profile b/etc/yelp.profile index acd483209..7053f98e8 100644 --- a/etc/yelp.profile +++ b/etc/yelp.profile | |||
@@ -23,6 +23,7 @@ whitelist /usr/share/help | |||
23 | whitelist /usr/share/yelp | 23 | whitelist /usr/share/yelp |
24 | whitelist /usr/share/yelp-xsl | 24 | whitelist /usr/share/yelp-xsl |
25 | include whitelist-common.inc | 25 | include whitelist-common.inc |
26 | include whitelist-runuser-common.inc | ||
26 | include whitelist-usr-share-common.inc | 27 | include whitelist-usr-share-common.inc |
27 | include whitelist-var-common.inc | 28 | include whitelist-var-common.inc |
28 | 29 | ||
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile index 19effef47..6066313a3 100644 --- a/etc/youtube-dl.profile +++ b/etc/youtube-dl.profile | |||
@@ -22,6 +22,7 @@ include allow-python3.inc | |||
22 | 22 | ||
23 | blacklist /tmp/.X11-unix | 23 | blacklist /tmp/.X11-unix |
24 | blacklist ${RUNUSER}/wayland-* | 24 | blacklist ${RUNUSER}/wayland-* |
25 | blacklist ${RUNUSER} | ||
25 | 26 | ||
26 | include disable-common.inc | 27 | include disable-common.inc |
27 | include disable-devel.inc | 28 | include disable-devel.inc |
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index bec22e5a6..dbc74bfff 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -20,7 +20,6 @@ | |||
20 | #include "firejail.h" | 20 | #include "firejail.h" |
21 | #include <sys/mount.h> | 21 | #include <sys/mount.h> |
22 | #include <linux/limits.h> | 22 | #include <linux/limits.h> |
23 | #include <glob.h> | ||
24 | #include <dirent.h> | 23 | #include <dirent.h> |
25 | #include <errno.h> | 24 | #include <errno.h> |
26 | #include <sys/stat.h> | 25 | #include <sys/stat.h> |
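--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -346,6 +346,39 @@ static void whitelist_home(int topdir) {
 }
 
 
+static void globbing(const char *pattern) {
+	assert(pattern);
+
+	// globbing
+	glob_t globbuf;
+	int globerr = glob(pattern, GLOB_NOCHECK | GLOB_NOSORT | GLOB_PERIOD, NULL, &globbuf);
+	if (globerr) {
+		fprintf(stderr, "Error: failed to glob private-bin pattern %s\n", pattern);
+		exit(1);
+	}
+
+	size_t i;
+	for (i = 0; i < globbuf.gl_pathc; i++) {
+		assert(globbuf.gl_pathv[i]);
+		// testing for GLOB_NOCHECK - no pattern matched returns the original pattern
+		if (strcmp(globbuf.gl_pathv[i], pattern) == 0)
+			continue;
+
+		// build the new profile command
+		char *newcmd;
+		if (asprintf(&newcmd, "whitelist %s", globbuf.gl_pathv[i]) == -1)
+			errExit("asprintf");
+
+		// add the new profile command at the end of the list
+		if (arg_debug || arg_debug_whitelists)
+			printf("Adding new profile command: %s\n", newcmd);
+		profile_add(newcmd);
+	}
+
+	globfree(&globbuf);
+}
+
+
 void fs_whitelist(void) {
 	ProfileEntry *entry = cfg.profile;
 	if (!entry)
@@ -444,6 +477,13 @@ void fs_whitelist(void) {
 			else
 				fname = realpath(new_name, NULL);
 
+			// if this is not a real path, let's try globbing
+			// mark this entry as EMPTY_STRING and push the new paths at the end of profile entry list
+			// the new profile entries will be processed in this loop
+			// currently there is no globbing support for nowhitelist
+			if (!fname && !nowhitelist_flag)
+				globbing(new_name);
+
 			if (!fname) {
 				// file not found, blank the entry in the list and continue
 				if (arg_debug || arg_debug_whitelists) {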
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index c98ad3620..77bfea8c6 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -208,6 +208,7 @@ static char *usage_str = | |||
208 | "\twhitelist the syscalls specified by the command.\n" | 208 | "\twhitelist the syscalls specified by the command.\n" |
209 | " --seccomp.print=name|pid - print the seccomp filter for the sandbox\n" | 209 | " --seccomp.print=name|pid - print the seccomp filter for the sandbox\n" |
210 | "\tidentified by name or PID.\n" | 210 | "\tidentified by name or PID.\n" |
211 | " --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n" | ||
211 | #endif | 212 | #endif |
212 | " --shell=none - run the program directly without a user shell.\n" | 213 | " --shell=none - run the program directly without a user shell.\n" |
213 | " --shell=program - set default user shell.\n" | 214 | " --shell=program - set default user shell.\n" |
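--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1235,16 +1235,15 @@ void x11_xorg(void) {
 
 	// move the temporary file in RUN_XAUTHORITY_SEC_FILE in order to have it deleted
 	// automatically when the sandbox is closed (rename doesn't work)
-	// root needed
-	if (copy_file(tmpfname, RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600)) {
-		fprintf(stderr, "Error: cannot create the new .Xauthority file\n");
-		exit(1);
-	}
+	if (arg_debug)
+		printf("Copying the new .Xauthority file\n");
+	copy_file_from_user_to_root(tmpfname, RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600);
+
 	/* coverity[toctou] */
 	unlink(tmpfname);
 	umount("/tmp");
 
-	// remount RUN_XAUTHORITY_SEC_FILE noexec, nodev, nosuid
+	// mount RUN_XAUTHORITY_SEC_FILE noexec, nodev, nosuid
 	fs_remount(RUN_XAUTHORITY_SEC_FILE, MOUNT_NOEXEC, 0);
 
 	// Ensure there is already a file in the usual location, so that bind-mount below will work.
@@ -1354,19 +1353,17 @@ void fs_x11(void) {
 	if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, 0, MS_BIND|MS_REC, 0) < 0)
 		errExit("mount bind");
 
-	// This directory must be mode 1777, or Xlib will barf.
+	// This directory must be mode 1777
 	if (mount("tmpfs", "/tmp/.X11-unix", "tmpfs",
 		  MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME,
 		  "mode=1777,uid=0,gid=0") < 0)
 		errExit("mounting tmpfs on /tmp/.X11-unix");
 	fs_logger("tmpfs /tmp/.X11-unix");
 
-	// create an empty file which will have the desired socket bind-mounted over it
-	int fd = open(x11file, O_RDWR|O_CREAT|O_EXCL, x11stat.st_mode & ~S_IFMT);
+	// create an empty root-owned file which will have the desired socket bind-mounted over it
+	int fd = open(x11file, O_RDONLY|O_CREAT|O_EXCL, S_IRUSR | S_IWUSR);
 	if (fd < 0)
 		errExit(x11file);
-	if (fchown(fd, x11stat.st_uid, x11stat.st_gid))
-		errExit("fchown");
 	close(fd);
 
 	// the mount source is under control of the user, so be careful and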
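Review bot: The result of `copy_file_from_user_to_root()` is ignored where the replaced `copy_file()` call had an explicit error branch that exited, so unless the new helper aborts on failure itself, a failed copy now proceeds to `fs_remount()` and the later bind mount with RUN_XAUTHORITY_SEC_FILE missing; confirm the helper is fatal on error or check its return here. x11_xorg() continues outside the hunk. In the second hunk the placeholder becomes a root-owned 0600 file and the fchown to the caller's uid/gid is dropped, which is the safer direction given that the mount source is user-controlled, but if `x11stat` is not read anywhere else in fs_x11() (the function starts before the hunk) it is now an unused variable. The comment edit from "remount" to "mount" now disagrees with the `fs_remount()` call directly beneath it; `// remount RUN_XAUTHORITY_SEC_FILE noexec, nodev, nosuid` was the accurate wording.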
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 13dcf09ee..1bed40015 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -2346,6 +2346,10 @@ the same top directory. For user home, both the link and the real file should be | |||
2346 | .br | 2346 | .br |
2347 | 2347 | ||
2348 | .br | 2348 | .br |
2349 | File globbing is supported, see \fBFILE GLOBBING\fR section for more details. | ||
2350 | .br | ||
2351 | |||
2352 | .br | ||
2349 | Example: | 2353 | Example: |
2350 | .br | 2354 | .br |
2351 | $ firejail \-\-noprofile \-\-whitelist=~/.mozilla | 2355 | $ firejail \-\-noprofile \-\-whitelist=~/.mozilla |
@@ -2353,6 +2357,8 @@ $ firejail \-\-noprofile \-\-whitelist=~/.mozilla | |||
2353 | $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null | 2357 | $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null |
2354 | .br | 2358 | .br |
2355 | $ firejail "\-\-whitelist=/home/username/My Virtual Machines" | 2359 | $ firejail "\-\-whitelist=/home/username/My Virtual Machines" |
2360 | .br | ||
2361 | $ firejail \-\-whitelist=~/work* \-\-whitelist=/var/backups* | ||
2356 | 2362 | ||
2357 | .TP | 2363 | .TP |
2358 | \fB\-\-writable-etc | 2364 | \fB\-\-writable-etc |
@@ -2722,7 +2728,7 @@ The globbing feature is implemented using glibc glob command. For more informati | |||
2722 | 2728 | ||
2723 | .br | 2729 | .br |
2724 | .TP | 2730 | .TP |
2725 | The following command line options are supported: \-\-blacklist, \-\-private-bin, \-\-noexec, \-\-read-only, \-\-read-write, and \-\-tmpfs. | 2731 | The following command line options are supported: \-\-blacklist, \-\-private-bin, \-\-noexec, \-\-read-only, \-\-read-write, \-\-tmpfs, and \-\-whitelist. |
2726 | .br | 2732 | .br |
2727 | 2733 | ||
2728 | .br | 2734 | .br |
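--- a/src/profstats/main.c
+++ b/src/profstats/main.c
@@ -35,6 +35,8 @@ static int cnt_noexec = 0; // include disable-exec.inc
 static int cnt_privatedev = 0;
 static int cnt_privatetmp = 0;
 static int cnt_whitelistvar = 0; // include whitelist-var-common.inc
+static int cnt_whitelistrunuser = 0; // include whitelist-runuser-common.inc
+static int cnt_whitelistusrshare = 0; // include whitelist-usr-share-common.inc
 static int cnt_ssh = 0;
 
 static int level = 0;
@@ -46,6 +48,8 @@ static int arg_noexec = 0;
 static int arg_privatedev = 0;
 static int arg_privatetmp = 0;
 static int arg_whitelistvar = 0;
+static int arg_whitelistrunuser = 0;
+static int arg_whitelistusrshare = 0;
 static int arg_ssh = 0;
 
 static char *profile = NULL;
@@ -63,6 +67,8 @@ static void usage(void) {
 printf(" --private-tmp - print profiles without private-tmp\n");
 printf(" --seccomp - print profiles without seccomp\n");
 printf(" --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n");
+printf(" --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\"\n");
+printf(" --whitelist-usrshare - print profiles without \"include whitelist-usr-share-common.inc\"\n");
 printf(" --debug\n");
 printf("\n");
 }
@@ -102,6 +108,10 @@ void process_file(const char *fname) {
 cnt_noexec++;
 else if (strncmp(ptr, "include whitelist-var-common.inc", 32) == 0)
 cnt_whitelistvar++;
+else if (strncmp(ptr, "include whitelist-runuser-common.inc", 32) == 0)
+cnt_whitelistrunuser++;
+else if (strncmp(ptr, "include whitelist-usr-share-common.inc", 32) == 0)
+cnt_whitelistusrshare++;
 else if (strncmp(ptr, "include disable-common.inc", 26) == 0)
 cnt_ssh++;
 else if (strncmp(ptr, "net none", 8) == 0)
@@ -159,6 +169,10 @@ int main(int argc, char **argv) {
 arg_privatetmp = 1;
 else if (strcmp(argv[i], "--whitelist-var") == 0)
 arg_whitelistvar = 1;
+else if (strcmp(argv[i], "--whitelist-runuser") == 0)
+arg_whitelistrunuser = 1;
+else if (strcmp(argv[i], "--whitelist-usrshare") == 0)
+arg_whitelistusrshare = 1;
 else if (strcmp(argv[i], "--ssh") == 0)
 arg_ssh = 1;
 else if (*argv[i] == '-') {
@@ -188,6 +202,8 @@ int main(int argc, char **argv) {
 int dotlocal = cnt_dotlocal;
 int globalsdotlocal = cnt_globalsdotlocal;
 int whitelistvar = cnt_whitelistvar;
+int whitelistrunuser = cnt_whitelistrunuser;
+int whitelistusrshare = cnt_whitelistusrshare;
 int ssh = cnt_ssh;
 
 // process file
@@ -220,6 +236,10 @@ int main(int argc, char **argv) {
 printf("No private-tmp found in %s\n", argv[i]);
 if (arg_whitelistvar && whitelistvar == cnt_whitelistvar)
 printf("No include whitelist-var-common.inc found in %s\n", argv[i]);
+if (arg_whitelistrunuser && whitelistrunuser == cnt_whitelistrunuser)
+printf("No include whitelist-runuser-common.inc found in %s\n", argv[i]);
+if (arg_whitelistusrshare && whitelistusrshare == cnt_whitelistusrshare)
+printf("No include whitelist-usr-share-common.inc found in %s\n", argv[i]);
 if (arg_ssh && ssh == cnt_ssh)
 printf("No include disable-common.inc found in %s\n", argv[i]);
 
@@ -238,7 +258,9 @@ int main(int argc, char **argv) {
 printf(" apparmor\t\t\t%d\n", cnt_apparmor);
 printf(" private-dev\t\t\t%d\n", cnt_privatedev);
 printf(" private-tmp\t\t\t%d\n", cnt_privatetmp);
-printf(" whitelist var directory\t%d (include whitelist-var-common.inc)\n", cnt_whitelistvar);
+printf(" whitelist var\t\t%d (include whitelist-var-common.inc)\n", cnt_whitelistvar);
+printf(" whitelist run/user\t\t%d (include whitelist-runuser-common.inc)\n", cnt_whitelistrunuser);
+printf(" whitelist usr/share\t\t%d (include whitelist-usr-share-common.inc)\n", cnt_whitelistusrshare);
 printf(" net none\t\t\t%d\n", cnt_netnone);
 printf("\n");
 return 0;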
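Review bot: The lengths passed to strncmp on the two new `include whitelist-*` checks in process_file do not match their literals: `"include whitelist-runuser-common.inc"` is 36 characters and `"include whitelist-usr-share-common.inc"` is 38, but both lines use 32, copied from the whitelist-var line, so only the first 32 characters are compared and the tail of the directive name is never checked. Correctly spelled includes are still counted, but a misspelled or renamed include sharing that prefix would be silently accepted as a match, which is the opposite of what a profile-checking tool should do. Change the two lines to `else if (strncmp(ptr, "include whitelist-runuser-common.inc", 36) == 0)` and `else if (strncmp(ptr, "include whitelist-usr-share-common.inc", 38) == 0)`, or derive the length from the literal with `sizeof` so the counts cannot drift again. process_file's body starts and ends outside the hunk.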