-rw-r--r-- | Makefile.in | 1 | ||||
-rw-r--r-- | README | 1 | ||||
-rw-r--r-- | RELNOTES | 6 | ||||
-rw-r--r-- | etc/chromium.profile | 13 | ||||
-rw-r--r-- | etc/disable-common.inc | 3 | ||||
-rw-r--r-- | etc/google-chrome-beta.profile | 16 | ||||
-rw-r--r-- | etc/google-chrome-stable.profile | 6 | ||||
-rw-r--r-- | etc/google-chrome-unstable.profile | 16 | ||||
-rw-r--r-- | etc/google-chrome.profile | 15 | ||||
-rw-r--r-- | etc/opera-beta.profile (renamed from etc/chromium-common.profile) | 13 | ||||
-rw-r--r-- | etc/opera.profile | 7 | ||||
-rw-r--r-- | platform/debian/conffiles | 1 | ||||
-rw-r--r-- | todo | 13 |
13 files changed, 80 insertions, 31 deletions
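--- a/Makefile.in
+++ b/Makefile.in
@@ -93,6 +93,7 @@ realinstall:
 install -c -m 0644 .etc/disable-common.inc $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/dropbox.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/opera.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+install -c -m 0644 .etc/opera-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/thunderbird.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/transmission-gtk.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/transmission-qt.profile $(DESTDIR)/$(sysconfdir)/firejail/.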
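--- a/README
+++ b/README
@@ -27,6 +27,7 @@ avoidr (https://github.com/avoidr)
 - whitelist fix
 - blacklist ncat, manpage fixes,
 - hostname support in profile file
+- Google Chrome profile rework
 Bruno Nova (https://github.com/brunonova)
 - whitelist fix
 - bash arguments fix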
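--- a/RELNOTES
+++ b/RELNOTES
@@ -1,6 +1,12 @@
 firejail (0.9.35) baseline; urgency=low
 * added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat
 and rtorrent profiles
+* Google Chrome profile rework
+* added google-chrome-stable profile
+* added google-chrome-beta profile
+* added google-chrome-unstable profile
+* Opera profile rework
+* added opera-beta profile
 * added --noblacklist option
 * whitelist command enhancements
 * prevent leaking user information by modifying /home directory,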
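--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -1,4 +1,15 @@
 # Chromium browser profile
 noblacklist ${HOME}/.config/chromium
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+
+# chromium is distributed with a perl script on Arch
+# include /etc/firejail/disable-devel.inc
+#
+
+netfilter
+whitelist ${DOWNLOADS}
 whitelist ~/.config/chromium
-include /etc/firejail/chromium-common.profile
+whitelist ~/.cache/chromium
+include /etc/firejail/whitelist-common.inc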
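Review bot: The body that used to be shared through chromium-common.profile is now pasted verbatim into this file and into google-chrome.profile, google-chrome-beta.profile and google-chrome-unstable.profile, including the Arch-specific remark, the commented-out `include /etc/firejail/disable-devel.inc` and a stray `#` line, so four copies will drift the next time a restriction is added or removed. The Opera profiles in the same commit do include disable-devel.inc, so the Chrome family ends up with presumably fewer restrictions and the header does not say why; a one-line explanation next to the disabled include, e.g. `# disable-devel.inc is left out because chromium is launched via a perl script on Arch`, and dropping the dangling `#` would make the intent survive the copies. The same applies to the three google-chrome hunks below.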
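--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -11,8 +11,11 @@ blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.sylpheed-2.0
 blacklist ${HOME}/.config/midori
 blacklist ${HOME}/.config/opera
+blacklist ${HOME}/.config/opera-beta
 blacklist ${HOME}/.config/chromium
 blacklist ${HOME}/.config/google-chrome
+blacklist ${HOME}/.config/google-chrome-beta
+blacklist ${HOME}/.config/google-chrome-unstable
 blacklist ${HOME}/.filezilla
 blacklist ${HOME}/.config/filezilla
 blacklist ${HOME}/.local/share/systemd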
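Review bot: The new entries only cover the ~/.config directories, while the browser profiles in this commit now whitelist the matching ~/.cache/chromium, ~/.cache/google-chrome*, ~/.cache/opera and ~/.cache/opera-beta directories, which presumably hold browsing data and stay reachable from every other sandbox that includes this file. The todo hunk records the open question (`blacklist ~/.cache in disable-common.inc???`); until it is settled, adding `blacklist ${HOME}/.cache/chromium` and the google-chrome/opera equivalents next to the ~/.config lines would keep the deny list symmetric with what the profiles treat as browser state. If the cache directories are deliberately left readable, a comment here saying so would stop the question being re-raised.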
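--- a/etc/google-chrome-beta.profile
+++ b/etc/google-chrome-beta.profile
@@ -1,4 +1,16 @@
-# Chromium browser profile
+# Google Chrome beta browser profile
 noblacklist ${HOME}/.config/google-chrome-beta
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+
+# chromium is distributed with a perl script on Arch
+# include /etc/firejail/disable-devel.inc
+#
+
+netfilter
+whitelist ${DOWNLOADS}
 whitelist ~/.config/google-chrome-beta
-include /etc/firejail/chromium-common.profile
+whitelist ~/.cache/google-chrome-beta
+include /etc/firejail/whitelist-common.inc
+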
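--- a/etc/google-chrome-stable.profile
+++ b/etc/google-chrome-stable.profile
@@ -1,4 +1,2 @@
-# Chromium browser profile
-noblacklist ${HOME}/.config/google-chrome
-whitelist ~/.config/google-chrome
-include /etc/firejail/chromium-common.profile
+# Google Chrome browser profile
+include /etc/firejail/google-chrome.profile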
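--- a/etc/google-chrome-unstable.profile
+++ b/etc/google-chrome-unstable.profile
@@ -1,4 +1,16 @@
-# Chromium browser profile
+# Google Chrome unstable browser profile
 noblacklist ${HOME}/.config/google-chrome-unstable
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+
+# chromium is distributed with a perl script on Arch
+# include /etc/firejail/disable-devel.inc
+#
+
+netfilter
+whitelist ${DOWNLOADS}
 whitelist ~/.config/google-chrome-unstable
-include /etc/firejail/chromium-common.profile
+whitelist ~/.cache/google-chrome-unstable
+include /etc/firejail/whitelist-common.inc
+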
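--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -1,4 +1,15 @@
-# Chromium browser profile
+# Google Chrome browser profile
 noblacklist ${HOME}/.config/google-chrome
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+
+# chromium is distributed with a perl script on Arch
+# include /etc/firejail/disable-devel.inc
+#
+
+netfilter
+whitelist ${DOWNLOADS}
 whitelist ~/.config/google-chrome
-include /etc/firejail/chromium-common.profile
+whitelist ~/.cache/google-chrome
+include /etc/firejail/whitelist-common.inc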
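--- a/etc/chromium-common.profile
+++ b/etc/opera-beta.profile
@@ -1,12 +1,13 @@
-# Chromium browser profile
+# Opera-beta browser profile
+noblacklist ${HOME}/.config/opera-beta
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
-
-# chromium is distributed with a perl script on Arch
-# include /etc/firejail/disable-devel.inc
-#
-
+include /etc/firejail/disable-devel.inc
 netfilter
+whitelist ~/.config/opera-beta
 whitelist ${DOWNLOADS}
+whitelist ~/.cache/opera-beta
 include /etc/firejail/whitelist-common.inc
+
+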
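Review bot: Turning chromium-common.profile into opera-beta.profile removes a file that profiles referenced by absolute path (`include /etc/firejail/chromium-common.profile`, still visible on the old side of the chromium and google-chrome hunks), so a user profile under ~/.config/firejail that still includes it will either fail or silently lose those restrictions, depending on how a missing include is treated. RELNOTES only says "Google Chrome profile rework"; a line naming the removed file would warn such users, and Makefile.in and platform/debian/conffiles should be checked for a stale chromium-common.profile entry, which lies outside the hunks shown. The two blank lines added at the end of the new file are noise and can be dropped.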
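--- a/etc/opera.profile
+++ b/etc/opera.profile
@@ -1,10 +1,13 @@
-# Chromium browser profile
+# Opera browser profile
 noblacklist ${HOME}/.config/opera
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 netfilter
-noroot
+whitelist ~/.config/opera
+whitelist ${DOWNLOADS}
+whitelist ~/.cache/opera
+include /etc/firejail/whitelist-common.inc
 
 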
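Review bot: `noroot` is dropped from opera.profile (old line 8) with no replacement and no mention in RELNOTES, so the rework quietly weakens this profile while the commit message frames it as adding whitelisting. If it was removed because the browser's own sandbox does not work inside the user namespace that noroot sets up, a one-line comment in the profile saying so would stop someone restoring it; otherwise it should be kept. The new opera-beta.profile does not carry noroot either, so the two should be decided together and the reason recorded once.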
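--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -14,6 +14,7 @@
 /etc/firejail/disable-mgmt.inc
 /etc/firejail/firefox.profile
 /etc/firejail/opera.profile
+/etc/firejail/opera-beta.profile
 /etc/firejail/thunderbird.profile
 /etc/firejail/transmission-gtk.profile
 /etc/firejail/transmission-qt.profile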
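--- a/todo
+++ b/todo
@@ -143,15 +143,4 @@ dr-x------ 2 65534 65534 40 Nov 24 17:53 .mozilla
 
 19. Try --overlay on a Ubuntu 14.04 32bit.Without adding --dns, there will be no network connectivity - see issue 151
 
-20. Check this out:
-
-I was messing around with my fstab, and found out that firejail can't have /usr/bin mounted in read-only.
-Here's what my fstab looks like now:
-
-/dev/mapper/asdf-home /home ext4 nosuid,noatime,nodev 0 2
-/dev/mapper/asdf-opt /opt ext4 discard,noatime,nosuid 0 2
-/dev/mapper/asdf-usr--bin /usr/bin ext4 defaults,nosuid,noatime,rw 0 2
-/dev/mapper/asdf-usr--local /usr/local ext4 defaults,nosuid,noatime,ro 0 2
-/dev/mapper/asdf-usr--sbin /usr/sbin ext4 defaults,nosuid,,noatime,ro 0 2
-/dev/mapper/asdf-var /var ext4 discard,noatime,nodev,nosuid 0 2
-tmpfs /tmp tmpfs noatime,nosuid,nodev,size=2G 0 1
+20. blacklist ~/.cache in disable-common.inc???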