-rw-r--r-- | Makefile.in | 2 | ||||
-rw-r--r-- | README | 7 | ||||
-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | etc/aweather.profile | 23 | ||||
-rw-r--r-- | etc/disable-programs.inc | 3 | ||||
-rw-r--r-- | etc/stellarium.profile | 27 | ||||
-rw-r--r-- | platform/debian/conffiles | 2 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 5 |
8 files changed, 67 insertions, 4 deletions
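diff --git a/Makefile.in b/Makefile.in
index cb897c23d..c15ecd7dd 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -169,6 +169,8 @@ realinstall:
 install -c -m 0644 .etc/okular.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/gwenview.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/gpredict.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+install -c -m 0644 .etc/aweather.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+install -c -m 0644 .etc/stellarium.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 rm -fr .etc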
@@ -19,9 +19,9 @@ Firejail Authors: | |||
19 | 19 | ||
20 | netblue30 (netblue30@yahoo.com) | 20 | netblue30 (netblue30@yahoo.com) |
21 | curiosity-seeker (https://github.com/curiosity-seeker) | 21 | curiosity-seeker (https://github.com/curiosity-seeker) |
22 | - tightening unbound and dnscrypt-proxy profiles | 22 | - tightening unbound and dnscrypt-proxy profiles |
23 | - dnsmasq profile | 23 | - dnsmasq profile |
24 | - okular and gwenview profiles | 24 | - okular and gwenview profiles |
25 | Matthew Gyurgyik (https://github.com/pyther) | 25 | Matthew Gyurgyik (https://github.com/pyther) |
26 | - rpm spec and several fixes | 26 | - rpm spec and several fixes |
27 | Joan Figueras (https://github.com/figue) | 27 | Joan Figueras (https://github.com/figue) |
@@ -35,6 +35,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) | |||
35 | - added Warzone2100 profile | 35 | - added Warzone2100 profile |
36 | - blacklisted VeraCrypt | 36 | - blacklisted VeraCrypt |
37 | - added Gpredict profile | 37 | - added Gpredict profile |
38 | - added Aweather, Stellarium profiles | ||
38 | avoidr (https://github.com/avoidr) | 39 | avoidr (https://github.com/avoidr) |
39 | - whitelist fix | 40 | - whitelist fix |
40 | - recently-used.xbel fix | 41 | - recently-used.xbel fix |
@@ -282,5 +282,5 @@ $ man firejail-profile | |||
282 | ## New security profiles | 282 | ## New security profiles |
283 | lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox, | 283 | lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox, |
284 | OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf, | 284 | OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf, |
285 | Warzone2100, okular, gwenview, Gpredict | 285 | Warzone2100, okular, gwenview, Gpredict, Aweather, Stellarium |
286 | 286 | ||
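diff --git a/etc/aweather.profile b/etc/aweather.profile
new file mode 100644
index 000000000..d7f510a7e
--- /dev/null
+++ b/etc/aweather.profile
@@ -0,0 +1,23 @@
+# Firejail profile for aweather.
+
+# Noblacklist
+noblacklist ~/.config/aweather
+
+# Include
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Call these options
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+# Whitelist
+mkdir ~/.config
+mkdir ~/.config/aweather
+whitelist ~/.config/aweather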
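Review bot: The `protocol unix,inet,inet6,netlink` line admits netlink sockets, and nothing on this page shows that aweather needs them; if it does not, `protocol unix,inet,inet6` keeps the allowed socket families to what a network client uses. The option block also omits `nonewprivs`, which would stop the sandboxed process from gaining privileges through setuid binaries, assuming the targeted firejail release supports that option. The same option block is repeated in etc/stellarium.profile, so both points apply there as well. The `# Call these options` comment could say what the block is for, for example `# Drop capabilities, filter syscalls and limit socket families`.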
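diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 6c5515894..317ac082f 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -5,10 +5,13 @@ blacklist ${HOME}/.FBReader
 blacklist ${HOME}/.wine
 blacklist ${HOME}/.Mathematica
 blacklist ${HOME}/.Wolfram Research
+blacklist ${HOME}/.stellarium
 blacklist ${HOME}/.config/mupen64plus
 blacklist ${HOME}/.config/transmission
 blacklist ${HOME}/.config/uGet
 blacklist ${HOME}/.config/Gpredict
+blacklist ${HOME}/.config/aweather
+blacklist ${HOME}/.config/stellarium
 blacklist ~/.kde/share/apps/okular
 blacklist ~/.kde/share/config/okularrc
 blacklist ~/.kde/share/config/okularpartrc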
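diff --git a/etc/stellarium.profile b/etc/stellarium.profile
new file mode 100644
index 000000000..7cb74eeaa
--- /dev/null
+++ b/etc/stellarium.profile
@@ -0,0 +1,27 @@
+# Firejail profile for Stellarium.
+
+# Noblacklist
+noblacklist ~/.stellarium
+noblacklist ~/.config/stellarium
+
+# Include
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Call these options
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+# Whitelist
+mkdir ~/.stellarium
+whitelist ~/.stellarium
+
+mkdir ~/.config
+mkdir ~/.config/stellarium
+whitelist ~/.config/stellarium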
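diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 6f5b564a0..7ce729d6e 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -88,3 +88,5 @@
 /etc/firejail/okular.profile
 /etc/firejail/gwenview.profile
 /etc/firejail/gpredict.profile
+/etc/firejail/aweather.profile
+/etc/firejail/stellarium.profile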
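diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 8bebf76af..3812ee7d8 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -4,6 +4,10 @@
 
 # astronomy
 gpredict
+stellarium
+
+# weather/climate
+aweather
 
 # browsers/email
 firefox
@@ -78,6 +82,7 @@ quassel
 xchat
 
 # games
+0ad
 hedgewars
 wesnot
 warzone2100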
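Review bot: The `wesnot` entry two lines below the added `0ad` looks like a truncated `wesnoth`; README.md in this same commit lists "Battle for Wesnoth" among the profiles. If firecfg matches these entries against executable names, the misspelled entry never matches and that game would keep starting outside the sandbox, so the line should read `wesnoth`. The entry is a context line that this commit leaves unchanged, so the correction could go into this hunk or a follow-up commit.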