-rw-r--r--README10
-rw-r--r--etc/inc/disable-common.inc13
-rw-r--r--etc/inc/disable-programs.inc1
-rw-r--r--etc/profile-a-l/curl.profile6
-rw-r--r--etc/profile-a-l/drill.profile56
-rw-r--r--etc/profile-m-z/playonlinux.profile25
-rw-r--r--etc/profile-m-z/server.profile20
-rw-r--r--src/firecfg/firecfg.config1
8 files changed, 103 insertions, 29 deletions
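--- a/README
+++ b/README
@@ -252,12 +252,14 @@ Danil Semelenov (https://github.com/sgtpep)
 Dara Adib (https://github.com/daradib)
  - ssh profile fix
  - evince profile fix
+ - linphone profile fix
 Dario Pellegrini (https://github.com/dpellegr)
  - allowing links in netns
 David Thole (https://github.com/TheDarkTrumpet)
  - added profile for teams-for-linux
 Davide Beatrici (https://github.com/davidebeatrici)
  - steam.profile: correctly blacklist unneeded directories in user's home
+ - minetest fixes
 David Hyrule (https://github.com/Svaag)
  - remove nou2f in ssh profile
 Deelvesh Bunjun (https://github.com/DeelveshBunjun)
@@ -515,6 +517,8 @@ KellerFuchs (https://github.com/KellerFuchs)
  - added support for .local profile files in /etc/firejail
  - fixed Cryptocat profile
  - make ~/.local read-only
+Kelvin (https://github.com/kmk3)
+ - disable ldns utilities
 Kishore96in (https://github.com/Kishore96in)
  - added falkon profile
  - kxmlgui fixes
@@ -546,6 +550,7 @@ Liorst4 (https://github.com/Liorst4)
  - Preserve CFLAGS given to configure in common.mk.in
  - fix emacs config to load as read-write
  - disable browser drm by default
+ - minetest fixes
 Lockdis (https://github.com/Lockdis)
  - Added crow, nyx, and google-earth-pro profiles
 Lukáš Krejčí (https://github.com/lskrejci)
@@ -604,6 +609,7 @@ Neo00001 (https://github.com/Neo00001)
  - add vmware profile
  - update virtualbox profile
  - update telegram profile
+ - add spectacle profile
 Nick Fox (https://github.com/njfox)
  - add a profile alias for code-oss
  - add code-oss config directory
@@ -701,6 +707,8 @@ Rahiel Kasim (https://github.com/rahiel)
  - added telegram-desktop profile
 Rahul Golam (https://github.com/technoLord)
  - strings profile
+RandomVoid (https://github.com/RandomVoid)
+ - fix building C# projects in Godot
 Raphaël Droz (https://github.com/drzraf)
  - zoom profile fixes
 Reiner Herrmann (https://github.com/reinerh)
@@ -953,6 +961,8 @@ Vladimir Schowalter (https://github.com/VladimirSchowalter20)
  read-only kde5 services directory
 xee5ch (https://github.com/xee5ch)
  - skypeforlinux profile
+Ypnose (https://github.com/Ypnose)
+ - disable-shell.inc: add mksh shell
 yumkam (https://github.com/yumkam)
  - add compile-time option to restrict --net= to root only
  - man page fixes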
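--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -515,18 +515,21 @@ blacklist /proc/config.gz
 # prevent DNS malware attempting to communicate with the server
 # using regular DNS tools
 blacklist ${PATH}/dig
-blacklist ${PATH}/kdig
-blacklist ${PATH}/nslookup
-blacklist ${PATH}/host
 blacklist ${PATH}/dlint
-blacklist ${PATH}/dnswalk
 blacklist ${PATH}/dns2tcp
+blacklist ${PATH}/dnswalk
+blacklist ${PATH}/drill
+blacklist ${PATH}/host
 blacklist ${PATH}/iodine
+blacklist ${PATH}/kdig
 blacklist ${PATH}/knsupdate
+blacklist ${PATH}/ldns-*
+blacklist ${PATH}/ldnsd
+blacklist ${PATH}/nslookup
 blacklist ${PATH}/resolvectl
 
 # rest of ${RUNUSER}
 blacklist ${RUNUSER}/*.lock
 blacklist ${RUNUSER}/inaccessible
-blacklist ${RUNUSER}/update-notifier.pid
 blacklist ${RUNUSER}/pk-debconf-socket
+blacklist ${RUNUSER}/update-notifier.pid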
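--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -430,6 +430,7 @@ blacklist ${HOME}/.config/Zulip
 blacklist ${HOME}/.conkeror.mozdev.org
 blacklist ${HOME}/.crawl
 blacklist ${HOME}/.cups
+blacklist ${HOME}/.curl-hsts
 blacklist ${HOME}/.curlrc
 blacklist ${HOME}/.dashcore
 blacklist ${HOME}/.devilspie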
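--- a/etc/profile-a-l/curl.profile
+++ b/etc/profile-a-l/curl.profile
@@ -7,6 +7,12 @@ include curl.local
 # Persistent global definitions
 include globals.local
 
+# curl 7.74.0 introduces experimental support for HSTS cache
+# https://daniel.haxx.se/blog/2020/11/03/hsts-your-curl/
+# technically this file can be anywhere but let's assume users have it in ${HOME}/.curl-hsts
+# if your setup diverts, add 'blacklist /path/to/curl/hsts/file' to your disable-programs.local
+# and 'noblacklist /path/to/curl/hsts/file' to curl.local to keep the sandbox logic intact
+noblacklist ${HOME}/.curl-hsts
 noblacklist ${HOME}/.curlrc
 
 blacklist /tmp/.X11-unix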
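Review bot: The five-line comment above `noblacklist ${HOME}/.curl-hsts` tells users how to move the file but not what decides its location, so the reader cannot tell whether the assumed path is a curl default or a convention; naming the curl option that selects the cache file (`--hsts <file>` in 7.74.0 and later, to be confirmed against the curl release the comment cites) would make the override instructions self-contained. The wording `if your setup diverts` reads better as `if your setup differs`. Since the HSTS cache is filled from server-sent headers, the comment could also note that this is the one persistent file the sandbox lets curl write from network input, so users know why the pair of blacklist/noblacklist lines must stay in sync.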
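--- /dev/null
+++ b/etc/profile-a-l/drill.profile
@@ -0,0 +1,56 @@
+# Firejail profile for drill
+# Description: DNS lookup utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include drill.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/drill
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+include disable-common.inc
+# include disable-devel.inc
+include disable-exec.inc
+# include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin bash,drill,sh
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute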
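Review bot: The new profile has no `private-etc`, so the whole of /etc stays readable inside the sandbox although a DNS lookup tool needs only a few files there; the server.profile hunk in this same commit points at profile.template for the usual list, and something like `private-etc alternatives,hosts,ld.so.cache,nsswitch.conf,resolv.conf` would be the starting point, with the exact set confirmed against what drill actually opens (at least the resolver config, plus any DNSSEC trust-anchor file given with `-k`). In the same spirit, `private-bin bash,drill,sh` copies two shells into the sandbox while `shell none` already forbids the interactive shell; if drill is a plain binary on the supported distributions rather than a wrapper script, `private-bin drill` is enough and keeps the tool set minimal. Both points are hardening suggestions, not defects, and the profile is complete within this hunk.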
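--- a/etc/profile-m-z/playonlinux.profile
+++ b/etc/profile-m-z/playonlinux.profile
@@ -4,34 +4,17 @@
 # Persistent local customizations
 include playonlinux.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
-noblacklist ${HOME}/.Steam
-noblacklist ${HOME}/.local/share/Steam
-noblacklist ${HOME}/.local/share/steam
-noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.PlayOnLinux
 
 # nc is needed to run playonlinux
 noblacklist ${PATH}/nc
 
-# Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
-
-# Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
 
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-seccomp
+# Redirect
+include wine.profile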
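Review bot: The two comments explaining why allow-python2.inc, allow-python3.inc and allow-perl.inc are pulled in (`# Allow python (blacklisted by disable-interpreters.inc)` and its perl twin) are dropped along with the explicit `include disable-interpreters.inc`, so the remaining three include lines no longer say which blacklist they are undoing; keeping a single line such as `# Allow python and perl (blacklisted by disable-interpreters.inc, pulled in via wine.profile)` before `include allow-python2.inc` preserves that. The order also now matters in a way the file does not state: the noblacklist and allow-* lines must stay above `# Redirect` / `include wine.profile`, since the redirect is presumably where the disable-*.inc blacklists are applied (wine.profile itself is not in this diff). A short comment on the redirect line, e.g. `# Redirect (keep noblacklist/allow-* lines above this)`, would stop a later edit from reordering them.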
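--- a/etc/profile-m-z/server.profile
+++ b/etc/profile-m-z/server.profile
@@ -45,10 +45,17 @@ include disable-common.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-# include disable-xdg.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
 
+# include whitelist-runuser-common.inc
+# include whitelist-usr-share-common.inc
+# include whitelist-var-common.inc
+
+apparmor
 caps
 # ipc-namespace
+machine-id
 # netfilter /etc/firejail/webserver.net
 no3d
 nodvd
@@ -59,19 +66,26 @@ nosound
 notv
 nou2f
 novideo
+# protocol unix,inet,inet6,netlink
 seccomp
 # shell none
 
-# disable-mnt
+disable-mnt
 private
 # private-bin program
 # private-cache
 private-dev
+# see /usr/share/doc/firejail/profile.template for more common private-etc paths.
 # private-etc alternatives
 # private-lib
+# private-opt none
 private-tmp
 
-# dbus-user none
+dbus-user none
 # dbus-system none
 
 # memory-deny-write-execute
+# read-only ${HOME}
+# writable-run-user
+# writable-var
+# writable-var-log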
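Review bot: `include disable-write-mnt.inc` is added in the first hunk while `disable-mnt` is uncommented in the second; if disable-mnt blacklists the same mount points that disable-write-mnt.inc only marks read-only, the include has no effect while disable-mnt is active and only matters for users who comment disable-mnt back out, which is worth saying in place, e.g. `# disable-write-mnt.inc is only relevant if disable-mnt below is disabled`. The new `# protocol unix,inet,inet6,netlink` line is left commented, so socket families stay unrestricted for this template; a one-line reason (`# uncomment after checking which socket families the service needs`) would keep readers from assuming it was simply forgotten. The same hunk enables `dbus-user none` but leaves `# dbus-system none` commented; that asymmetry looks deliberate for a system service, so a word on it would help too.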
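--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -180,6 +180,7 @@ dooble-qt4
 dosbox
 dragon
 drawio
+drill
 dropbox
 d-feet
 easystroke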