23 files changed, 95 insertions, 41 deletions
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index bf58e1dff..86baecf2f 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -25,7 +25,7 @@ Steps to reproduce the behavior:
 **Environment**
 - Linux distribution and version (ie output of `lsb_release -a`, `screenfetch` or `cat /etc/os-release`)
- - Firejail version (output of `firejail --version`) exclusive or used git commit (`git rev-parse HEAD`) 
+ - Firejail version (output of `firejail --version`) exclusive or used git commit (`git rev-parse HEAD`)
 **Additional context**
 Other context about the problem like related errors to understand the problem.
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index 1468ef898..d026b9356 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -1,6 +1,6 @@
 name: Build-extra CI
-on:   
+on:
  push:
    branches: [ master ]
    paths-ignore:
@@ -19,7 +19,7 @@ on:
      - RELNOTES
      - SECURITY.md
      - 'etc/**'
-        
 jobs:
  build-clang:
    if: ${{ ! contains(github.event.commits[0].message, '[skip ci]') }}
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 301c7fad2..d974d650e 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -11,7 +11,7 @@ on:
    paths-ignore:
      - CONTRIBUTING.md
      - README
-      - README.md  
+      - README.md
      - RELNOTES
      - SECURITY.md
      - 'etc/**'
@@ -21,7 +21,7 @@ on:
    paths-ignore:
      - CONTRIBUTING.md
      - README
-      - README.md  
+      - README.md
      - RELNOTES
      - SECURITY.md
      - 'etc/**'
@@ -61,7 +61,7 @@ jobs:
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file. 
+        # By default, queries listed here will override any specified in a config file.
        # Prefix the list here with "+" to use these queries and those in the config file.
        # queries: ./path/to/local/query, your-org/your-repo/queries@main
diff --git a/.github/workflows/sort.yml b/.github/workflows/sort.yml
index 55ac065b6..878a5eb82 100644
--- a/.github/workflows/sort.yml
+++ b/.github/workflows/sort.yml
@@ -1,7 +1,7 @@
 name: sort.py
-on:    
+on:
-  push: 
+  push:
    branches: [ master ]
    paths:
      - 'etc/**'
diff --git a/README.md b/README.md
index 973c4dcbd..1d58fdce4 100644
--- a/README.md
+++ b/README.md
@@ -83,6 +83,35 @@ Backup Video Channel: https://www.bitchute.com/profile/JSBsA1aoQVfW/
 We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@protonmail.com
+`````
+Security Adivsory - Feb 8, 2021
+Summary: A vulnerability resulting in root privilege escalation was discovered in
+Firejail's OverlayFS code,
+Versions affected: Firejail software versions starting with 0.9.30.
+Long Term Support (LTS) Firejail branch is not affected by this bug.
+Workaround: Disable overlayfs feature at runtime.
+In a text editor open /etc/firejail/firejail.config file, and set "overlayfs" entry to "no".
+      $ grep overlayfs /etc/firejail/firejail.config
+      # Enable or disable overlayfs features, default enabled.
+      overlayfs no
+Fix: The bug is fixed in Firejail version 0.9.64.4
+GitHub commit: (file configure.ac)
+https://github.com/netblue30/firejail/commit/97d8a03cad19501f017587cc4e47d8418273834b
+Credit:  Security researcher Roman Fiedler analyzed the code and discovered the vulnerability.
+Functional PoC exploit code was provided to Firejail development team.
+A description of the problem is here on Roman's blog:
+https://unparalleled.eu/publications/2021/advisory-unpar-2021-0.txt
+https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-local-root/
+`````
 ## Installing
 Try installing Firejail from your system packages first. Firejail is included in Alpine, ALT Linux, Arch, Chakra, Debian, Deepin, Devuan, Fedora, Gentoo, Manjaro, Mint, NixOS, Parabola, Parrot, PCLinuxOS, ROSA, Solus, Slackware/SlackBuilds, Trisquel, Ubuntu, Void and possibly others.
diff --git a/RELNOTES b/RELNOTES
index 0e07e2d61..ce0bbeabb 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,7 +1,10 @@
 firejail (0.9.65) baseline; urgency=low
  * new profiles: vmware-view
- -- netblue30 <netblue30@yahoo.com>  Sat, 6 Feb 2021 09:00:00 -0500
+ -- netblue30 <netblue30@yahoo.com>  Tue, 9 Feb 2021 09:00:00 -0500
+firejail (0.9.64.4) baseline; urgency=low
+  * disabled overlayfs, pending multiple fixes (CVE-2021-26910)
+ -- netblue30 <netblue30@yahoo.com>  Sun, 7 Feb 2021 09:00:00 -0500
 firejail (0.9.64.2) baseline; urgency=low
  * allow --tmpfs inside $HOME for unprivileged users
diff --git a/etc/inc/archiver-common.inc b/etc/inc/archiver-common.inc
index 9812e3ebb..74b0b6ef6 100644
--- a/etc/inc/archiver-common.inc
+++ b/etc/inc/archiver-common.inc
@@ -6,20 +6,24 @@ include archiver-common.local
 blacklist ${RUNUSER}
-# WARNING:
+# WARNING: Users can (un)restrict file access for **all** archivers by
-# Users can (un)restrict file access for **all** archivers by commenting/uncommenting the needed
+# commenting/uncommenting the needed include file(s) here or by putting those
-# include file(s) here or by putting those into archiver-common.local.
+# into archiver-common.local.
-# Another option is to do this **per archiver** in the relevant <archiver>.local.
+#
-# Just beware that things tend to break when overtightening profiles. For example, because you only
+# Another option is to do this **per archiver** in the relevant
-# need to (un)compress files in ${DOWNLOADS}, other applications may need access to ${HOME}/.local/share.
+# <archiver>.local. Just beware that things tend to break when overtightening
+# profiles. For example, because you only need to (un)compress files in
-# Uncomment the next line (or put it into your archiver-common.local) if you don't need to compress files in disable-common.inc.
+# ${DOWNLOADS}, other applications may need access to ${HOME}/.local/share.
+# Uncomment the next line (or put it into your archiver-common.local) if you
+# don't need to compress files in disable-common.inc.
 #include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
-# Uncomment the next line (or put it into your archiver-common.local) if you don't need to compress files in disable-programs.inc.
+# Uncomment the next line (or put it into your archiver-common.local) if you
+# don't need to compress files in disable-programs.inc.
 #include disable-programs.inc
 include disable-shell.inc
diff --git a/etc/profile-a-l/7z.profile b/etc/profile-a-l/7z.profile
index 76492c339..b2294c070 100644
--- a/etc/profile-a-l/7z.profile
+++ b/etc/profile-a-l/7z.profile
@@ -7,5 +7,8 @@ include 7z.local
 # Persistent global definitions
 include globals.local
+# Included in archiver-common.inc
 ignore include disable-shell.inc
+# Redirect
 include archiver-common.inc
diff --git a/etc/profile-a-l/ar.profile b/etc/profile-a-l/ar.profile
index c2b215807..f99934e66 100644
--- a/etc/profile-a-l/ar.profile
+++ b/etc/profile-a-l/ar.profile
@@ -7,4 +7,5 @@ include ar.local
 # Persistent global definitions
 include globals.local
+# Redirect
 include archiver-common.inc
diff --git a/etc/profile-a-l/atool.profile b/etc/profile-a-l/atool.profile
index 34af47df2..6e0ecb012 100644
--- a/etc/profile-a-l/atool.profile
+++ b/etc/profile-a-l/atool.profile
@@ -9,10 +9,12 @@ include globals.local
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
-include archiver-common.inc
 noroot
 # without login.defs atool complains and uses UID/GID 1000 by default
 private-etc alternatives,group,login.defs,passwd
 private-tmp
+# Redirect
+include archiver-common.inc
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile
index d755fd803..573776a71 100644
--- a/etc/profile-a-l/balsa.profile
+++ b/etc/profile-a-l/balsa.profile
@@ -61,7 +61,7 @@ shell none
 tracelog
 # disable-mnt
-# Add "pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg 
+# Add "pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
 # Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
 private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm
 private-cache
diff --git a/etc/profile-a-l/bsdtar.profile b/etc/profile-a-l/bsdtar.profile
index c37f4071e..fb4f643c8 100644
--- a/etc/profile-a-l/bsdtar.profile
+++ b/etc/profile-a-l/bsdtar.profile
@@ -6,6 +6,7 @@ include bsdtar.local
 # Persistent global definitions
 include globals.local
-include archiver-common.inc
 private-etc alternatives,group,localtime,passwd
+# Redirect
+include archiver-common.inc
diff --git a/etc/profile-a-l/calligragemini.profile b/etc/profile-a-l/calligragemini.profile
index 48527363d..006c307ab 100644
--- a/etc/profile-a-l/calligragemini.profile
+++ b/etc/profile-a-l/calligragemini.profile
@@ -5,8 +5,8 @@ include calligragemini.local
 # Persistent global definitions
 # added by included profile
 #include globals.local
-      
-noblacklist ${HOME}/.local/share/calligragemini      
+noblacklist ${HOME}/.local/share/calligragemini
-               
-# Redirect     
+# Redirect
 include calligra.profile
diff --git a/etc/profile-a-l/cpio.profile b/etc/profile-a-l/cpio.profile
index 785308ffd..0e0299655 100644
--- a/etc/profile-a-l/cpio.profile
+++ b/etc/profile-a-l/cpio.profile
@@ -10,4 +10,5 @@ include globals.local
 noblacklist /sbin
 noblacklist /usr/sbin
+# Redirect
 include archiver-common.inc
diff --git a/etc/profile-a-l/gzip.profile b/etc/profile-a-l/gzip.profile
index 9b59e57e7..035c6459c 100644
--- a/etc/profile-a-l/gzip.profile
+++ b/etc/profile-a-l/gzip.profile
@@ -7,7 +7,9 @@ include gzip.local
 # Persistent global definitions
 include globals.local
-# Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only.
+# Arch Linux (based distributions) need access to /var/lib/pacman. As we drop
+# all capabilities this is automatically read-only.
 noblacklist /var/lib/pacman
+# Redirect
 include archiver-common.inc
diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile
index 8290e07f2..41840e3b0 100644
--- a/etc/profile-a-l/kdiff3.profile
+++ b/etc/profile-a-l/kdiff3.profile
@@ -19,7 +19,7 @@ include disable-passwdmgr.inc
 #include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-           
 include whitelist-runuser-common.inc
 # Uncomment the next lines (or put it into your kdiff3.local) if you don't need to compare files in /usr/share.
 #include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index 3ad779a12..365db64aa 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -31,9 +31,9 @@ include disable-shell.inc
 include disable-xdg.inc
 # You can enable whitelisting for keepassxc by uncommenting (or adding to you keepassxc.local) the following lines.
-# If you do so, you MUST store your database under ${HOME}/Documents/KeePassXC/foo.kdbx
+# If you do so, you MUST store your database under ${DOCUMENTS}/KeePassXC/foo.kdbx
-#mkdir ${HOME}/Documents/KeePassXC
+#mkdir ${DOCUMENTS}/KeePassXC
-#whitelist ${HOME}/Documents/KeePassXC
+#whitelist ${DOCUMENTS}/KeePassXC
 # Needed for KeePassXC-Browser
 #mkfile ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
 #whitelist ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
diff --git a/etc/profile-m-z/Mathematica.profile b/etc/profile-m-z/Mathematica.profile
index c2734b1c1..0f79b6a97 100644
--- a/etc/profile-m-z/Mathematica.profile
+++ b/etc/profile-m-z/Mathematica.profile
@@ -16,10 +16,10 @@ include disable-programs.inc
 mkdir ${HOME}/.Mathematica
 mkdir ${HOME}/.Wolfram Research
-mkdir ${HOME}/Documents/Wolfram Mathematica
+mkdir ${DOCUMENTS}/Wolfram Mathematica
 whitelist ${HOME}/.Mathematica
 whitelist ${HOME}/.Wolfram Research
-whitelist ${HOME}/Documents/Wolfram Mathematica
+whitelist ${DOCUMENTS}/Wolfram Mathematica
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-m-z/tar.profile b/etc/profile-m-z/tar.profile
index f6efb0feb..9d7a23d43 100644
--- a/etc/profile-m-z/tar.profile
+++ b/etc/profile-m-z/tar.profile
@@ -7,13 +7,17 @@ include tar.local
 # Persistent global definitions
 include globals.local
-# Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only.
+# Included in archiver-common.inc
-noblacklist /var/lib/pacman
 ignore include disable-shell.inc
-include archiver-common.inc
+# Arch Linux (based distributions) need access to /var/lib/pacman. As we drop
+# all capabilities this is automatically read-only.
+noblacklist /var/lib/pacman
 private-etc alternatives,group,localtime,login.defs,passwd
 #private-lib libfakeroot,liblzma.so.*,libreadline.so.*
 # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
 writable-var
+# Redirect
+include archiver-common.inc
diff --git a/etc/profile-m-z/unrar.profile b/etc/profile-m-z/unrar.profile
index 9487f8e68..65f1a425a 100644
--- a/etc/profile-m-z/unrar.profile
+++ b/etc/profile-m-z/unrar.profile
@@ -7,8 +7,9 @@ include unrar.local
 # Persistent global definitions
 include globals.local
-include archiver-common.inc
 private-bin unrar
 private-etc alternatives,group,localtime,passwd
 private-tmp
+# Redirect
+include archiver-common.inc
diff --git a/etc/profile-m-z/unzip.profile b/etc/profile-m-z/unzip.profile
index 8da9ea820..c94416b87 100644
--- a/etc/profile-m-z/unzip.profile
+++ b/etc/profile-m-z/unzip.profile
@@ -10,6 +10,7 @@ include globals.local
 # GNOME Shell integration (chrome-gnome-shell)
 noblacklist ${HOME}/.local/share/gnome-shell
-include archiver-common.inc
 private-etc alternatives,group,localtime,passwd
+# Redirect
+include archiver-common.inc
diff --git a/etc/profile-m-z/xzdec.profile b/etc/profile-m-z/xzdec.profile
index 082392a08..c5e8d1631 100644
--- a/etc/profile-m-z/xzdec.profile
+++ b/etc/profile-m-z/xzdec.profile
@@ -7,4 +7,5 @@ include xzdec.local
 # Persistent global definitions
 include globals.local
+# Redirect
 include archiver-common.inc
diff --git a/etc/profile-m-z/zstd.profile b/etc/profile-m-z/zstd.profile
index 42749ba6d..07a75f97f 100644
--- a/etc/profile-m-z/zstd.profile
+++ b/etc/profile-m-z/zstd.profile
@@ -7,4 +7,5 @@ include zstd.local
 # Persistent global definitions
 include globals.local
+# Redirect
 include archiver-common.inc

diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index bf58e1dff..86baecf2f 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -25,7 +25,7 @@ Steps to reproduce the behavior:
25		25
26	Environment	26	Environment
27	- Linux distribution and version (ie output of `lsb_release -a`, `screenfetch` or `cat /etc/os-release`)	27	- Linux distribution and version (ie output of `lsb_release -a`, `screenfetch` or `cat /etc/os-release`)
28	- Firejail version (output of `firejail --version`) exclusive or used git commit (`git rev-parse HEAD`)	28	- Firejail version (output of `firejail --version`) exclusive or used git commit (`git rev-parse HEAD`)
29		29
30	Additional context	30	Additional context
31	Other context about the problem like related errors to understand the problem.	31	Other context about the problem like related errors to understand the problem.


diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index 1468ef898..d026b9356 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml
@@ -1,6 +1,6 @@
1	name: Build-extra CI	1	name: Build-extra CI
2		2
3	on:	3	on:
4	push:	4	push:
5	branches: [ master ]	5	branches: [ master ]
6	paths-ignore:	6	paths-ignore:
@@ -19,7 +19,7 @@ on:
19	- RELNOTES	19	- RELNOTES
20	- SECURITY.md	20	- SECURITY.md
21	- 'etc/**'	21	- 'etc/**'
22		22
23	jobs:	23	jobs:
24	build-clang:	24	build-clang:
25	if: ${{ ! contains(github.event.commits[0].message, '[skip ci]') }}	25	if: ${{ ! contains(github.event.commits[0].message, '[skip ci]') }}


diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 301c7fad2..d974d650e 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml
@@ -11,7 +11,7 @@ on:
11	paths-ignore:	11	paths-ignore:
12	- CONTRIBUTING.md	12	- CONTRIBUTING.md
13	- README	13	- README
14	- README.md	14	- README.md
15	- RELNOTES	15	- RELNOTES
16	- SECURITY.md	16	- SECURITY.md
17	- 'etc/**'	17	- 'etc/**'
@@ -21,7 +21,7 @@ on:
21	paths-ignore:	21	paths-ignore:
22	- CONTRIBUTING.md	22	- CONTRIBUTING.md
23	- README	23	- README
24	- README.md	24	- README.md
25	- RELNOTES	25	- RELNOTES
26	- SECURITY.md	26	- SECURITY.md
27	- 'etc/**'	27	- 'etc/**'
@@ -61,7 +61,7 @@ jobs:
61	with:	61	with:
62	languages: ${{ matrix.language }}	62	languages: ${{ matrix.language }}
63	# If you wish to specify custom queries, you can do so here or in a config file.	63	# If you wish to specify custom queries, you can do so here or in a config file.
64	# By default, queries listed here will override any specified in a config file.	64	# By default, queries listed here will override any specified in a config file.
65	# Prefix the list here with "+" to use these queries and those in the config file.	65	# Prefix the list here with "+" to use these queries and those in the config file.
66	# queries: ./path/to/local/query, your-org/your-repo/queries@main	66	# queries: ./path/to/local/query, your-org/your-repo/queries@main
67		67


diff --git a/.github/workflows/sort.yml b/.github/workflows/sort.yml index 55ac065b6..878a5eb82 100644 --- a/.github/workflows/sort.yml +++ b/.github/workflows/sort.yml
@@ -1,7 +1,7 @@
1	name: sort.py	1	name: sort.py
2		2
3	on:	3	on:
4	push:	4	push:
5	branches: [ master ]	5	branches: [ master ]
6	paths:	6	paths:
7	- 'etc/**'	7	- 'etc/**'


diff --git a/README.md b/README.md index 973c4dcbd..1d58fdce4 100644 --- a/README.md +++ b/README.md
@@ -83,6 +83,35 @@ Backup Video Channel: https://www.bitchute.com/profile/JSBsA1aoQVfW/
83		83
84	We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@protonmail.com	84	We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@protonmail.com
85		85
		86	`````
		87	Security Adivsory - Feb 8, 2021
		88
		89	Summary: A vulnerability resulting in root privilege escalation was discovered in
		90	Firejail's OverlayFS code,
		91
		92	Versions affected: Firejail software versions starting with 0.9.30.
		93	Long Term Support (LTS) Firejail branch is not affected by this bug.
		94
		95	Workaround: Disable overlayfs feature at runtime.
		96	In a text editor open /etc/firejail/firejail.config file, and set "overlayfs" entry to "no".
		97
		98	$ grep overlayfs /etc/firejail/firejail.config
		99	# Enable or disable overlayfs features, default enabled.
		100	overlayfs no
		101
		102	Fix: The bug is fixed in Firejail version 0.9.64.4
		103
		104	GitHub commit: (file configure.ac)
		105	https://github.com/netblue30/firejail/commit/97d8a03cad19501f017587cc4e47d8418273834b
		106
		107	Credit: Security researcher Roman Fiedler analyzed the code and discovered the vulnerability.
		108	Functional PoC exploit code was provided to Firejail development team.
		109	A description of the problem is here on Roman's blog:
		110
		111	https://unparalleled.eu/publications/2021/advisory-unpar-2021-0.txt
		112	https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-local-root/
		113	`````
		114
86	## Installing	115	## Installing
87		116
88	Try installing Firejail from your system packages first. Firejail is included in Alpine, ALT Linux, Arch, Chakra, Debian, Deepin, Devuan, Fedora, Gentoo, Manjaro, Mint, NixOS, Parabola, Parrot, PCLinuxOS, ROSA, Solus, Slackware/SlackBuilds, Trisquel, Ubuntu, Void and possibly others.	117	Try installing Firejail from your system packages first. Firejail is included in Alpine, ALT Linux, Arch, Chakra, Debian, Deepin, Devuan, Fedora, Gentoo, Manjaro, Mint, NixOS, Parabola, Parrot, PCLinuxOS, ROSA, Solus, Slackware/SlackBuilds, Trisquel, Ubuntu, Void and possibly others.


diff --git a/RELNOTES b/RELNOTES index 0e07e2d61..ce0bbeabb 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -1,7 +1,10 @@
1	firejail (0.9.65) baseline; urgency=low	1	firejail (0.9.65) baseline; urgency=low
2	* new profiles: vmware-view	2	* new profiles: vmware-view
3	-- netblue30 <netblue30@yahoo.com> Sat, 6 Feb 2021 09:00:00 -0500	3	-- netblue30 <netblue30@yahoo.com> Tue, 9 Feb 2021 09:00:00 -0500
4		4
		5	firejail (0.9.64.4) baseline; urgency=low
		6	* disabled overlayfs, pending multiple fixes (CVE-2021-26910)
		7	-- netblue30 <netblue30@yahoo.com> Sun, 7 Feb 2021 09:00:00 -0500
5		8
6	firejail (0.9.64.2) baseline; urgency=low	9	firejail (0.9.64.2) baseline; urgency=low
7	* allow --tmpfs inside $HOME for unprivileged users	10	* allow --tmpfs inside $HOME for unprivileged users


diff --git a/etc/inc/archiver-common.inc b/etc/inc/archiver-common.inc index 9812e3ebb..74b0b6ef6 100644 --- a/etc/inc/archiver-common.inc +++ b/etc/inc/archiver-common.inc
@@ -6,20 +6,24 @@ include archiver-common.local
6		6
7	blacklist ${RUNUSER}	7	blacklist ${RUNUSER}
8		8
9	# WARNING:	9	# WARNING: Users can (un)restrict file access for all archivers by
10	# Users can (un)restrict file access for all archivers by commenting/uncommenting the needed	10	# commenting/uncommenting the needed include file(s) here or by putting those
11	# include file(s) here or by putting those into archiver-common.local.	11	# into archiver-common.local.
12	# Another option is to do this per archiver in the relevant <archiver>.local.	12	#
13	# Just beware that things tend to break when overtightening profiles. For example, because you only	13	# Another option is to do this per archiver in the relevant
14	# need to (un)compress files in ${DOWNLOADS}, other applications may need access to ${HOME}/.local/share.	14	# <archiver>.local. Just beware that things tend to break when overtightening
15		15	# profiles. For example, because you only need to (un)compress files in
16	# Uncomment the next line (or put it into your archiver-common.local) if you don't need to compress files in disable-common.inc.	16	# ${DOWNLOADS}, other applications may need access to ${HOME}/.local/share.
		17
		18	# Uncomment the next line (or put it into your archiver-common.local) if you
		19	# don't need to compress files in disable-common.inc.
17	#include disable-common.inc	20	#include disable-common.inc
18	include disable-devel.inc	21	include disable-devel.inc
19	include disable-exec.inc	22	include disable-exec.inc
20	include disable-interpreters.inc	23	include disable-interpreters.inc
21	include disable-passwdmgr.inc	24	include disable-passwdmgr.inc
22	# Uncomment the next line (or put it into your archiver-common.local) if you don't need to compress files in disable-programs.inc.	25	# Uncomment the next line (or put it into your archiver-common.local) if you
		26	# don't need to compress files in disable-programs.inc.
23	#include disable-programs.inc	27	#include disable-programs.inc
24	include disable-shell.inc	28	include disable-shell.inc
25		29


diff --git a/etc/profile-a-l/7z.profile b/etc/profile-a-l/7z.profile index 76492c339..b2294c070 100644 --- a/etc/profile-a-l/7z.profile +++ b/etc/profile-a-l/7z.profile
@@ -7,5 +7,8 @@ include 7z.local
7	# Persistent global definitions	7	# Persistent global definitions
8	include globals.local	8	include globals.local
9		9
		10	# Included in archiver-common.inc
10	ignore include disable-shell.inc	11	ignore include disable-shell.inc
		12
		13	# Redirect
11	include archiver-common.inc	14	include archiver-common.inc


diff --git a/etc/profile-a-l/ar.profile b/etc/profile-a-l/ar.profile index c2b215807..f99934e66 100644 --- a/etc/profile-a-l/ar.profile +++ b/etc/profile-a-l/ar.profile
@@ -7,4 +7,5 @@ include ar.local
7	# Persistent global definitions	7	# Persistent global definitions
8	include globals.local	8	include globals.local
9		9
		10	# Redirect
10	include archiver-common.inc	11	include archiver-common.inc


diff --git a/etc/profile-a-l/atool.profile b/etc/profile-a-l/atool.profile index 34af47df2..6e0ecb012 100644 --- a/etc/profile-a-l/atool.profile +++ b/etc/profile-a-l/atool.profile
@@ -9,10 +9,12 @@ include globals.local
9		9
10	# Allow perl (blacklisted by disable-interpreters.inc)	10	# Allow perl (blacklisted by disable-interpreters.inc)
11	include allow-perl.inc	11	include allow-perl.inc
12	include archiver-common.inc
13		12
14	noroot	13	noroot
15		14
16	# without login.defs atool complains and uses UID/GID 1000 by default	15	# without login.defs atool complains and uses UID/GID 1000 by default
17	private-etc alternatives,group,login.defs,passwd	16	private-etc alternatives,group,login.defs,passwd
18	private-tmp	17	private-tmp
		18
		19	# Redirect
		20	include archiver-common.inc


diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile index d755fd803..573776a71 100644 --- a/etc/profile-a-l/balsa.profile +++ b/etc/profile-a-l/balsa.profile
@@ -61,7 +61,7 @@ shell none
61	tracelog	61	tracelog
62		62
63	# disable-mnt	63	# disable-mnt
64	# Add "pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg	64	# Add "pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
65	# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.	65	# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
66	private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm	66	private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm
67	private-cache	67	private-cache


diff --git a/etc/profile-a-l/bsdtar.profile b/etc/profile-a-l/bsdtar.profile index c37f4071e..fb4f643c8 100644 --- a/etc/profile-a-l/bsdtar.profile +++ b/etc/profile-a-l/bsdtar.profile
@@ -6,6 +6,7 @@ include bsdtar.local
6	# Persistent global definitions	6	# Persistent global definitions
7	include globals.local	7	include globals.local
8		8
9	include archiver-common.inc
10
11	private-etc alternatives,group,localtime,passwd	9	private-etc alternatives,group,localtime,passwd
		10
		11	# Redirect
		12	include archiver-common.inc


diff --git a/etc/profile-a-l/calligragemini.profile b/etc/profile-a-l/calligragemini.profile index 48527363d..006c307ab 100644 --- a/etc/profile-a-l/calligragemini.profile +++ b/etc/profile-a-l/calligragemini.profile
@@ -5,8 +5,8 @@ include calligragemini.local
5	# Persistent global definitions	5	# Persistent global definitions
6	# added by included profile	6	# added by included profile
7	#include globals.local	7	#include globals.local
8		8
9	noblacklist ${HOME}/.local/share/calligragemini	9	noblacklist ${HOME}/.local/share/calligragemini
10		10
11	# Redirect	11	# Redirect
12	include calligra.profile	12	include calligra.profile


diff --git a/etc/profile-a-l/cpio.profile b/etc/profile-a-l/cpio.profile index 785308ffd..0e0299655 100644 --- a/etc/profile-a-l/cpio.profile +++ b/etc/profile-a-l/cpio.profile
@@ -10,4 +10,5 @@ include globals.local
10	noblacklist /sbin	10	noblacklist /sbin
11	noblacklist /usr/sbin	11	noblacklist /usr/sbin
12		12
		13	# Redirect
13	include archiver-common.inc	14	include archiver-common.inc


diff --git a/etc/profile-a-l/gzip.profile b/etc/profile-a-l/gzip.profile index 9b59e57e7..035c6459c 100644 --- a/etc/profile-a-l/gzip.profile +++ b/etc/profile-a-l/gzip.profile
@@ -7,7 +7,9 @@ include gzip.local
7	# Persistent global definitions	7	# Persistent global definitions
8	include globals.local	8	include globals.local
9		9
10	# Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only.	10	# Arch Linux (based distributions) need access to /var/lib/pacman. As we drop
		11	# all capabilities this is automatically read-only.
11	noblacklist /var/lib/pacman	12	noblacklist /var/lib/pacman
12		13
		14	# Redirect
13	include archiver-common.inc	15	include archiver-common.inc


diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile index 8290e07f2..41840e3b0 100644 --- a/etc/profile-a-l/kdiff3.profile +++ b/etc/profile-a-l/kdiff3.profile
@@ -19,7 +19,7 @@ include disable-passwdmgr.inc
19	#include disable-programs.inc	19	#include disable-programs.inc
20	include disable-shell.inc	20	include disable-shell.inc
21	include disable-xdg.inc	21	include disable-xdg.inc
22		22
23	include whitelist-runuser-common.inc	23	include whitelist-runuser-common.inc
24	# Uncomment the next lines (or put it into your kdiff3.local) if you don't need to compare files in /usr/share.	24	# Uncomment the next lines (or put it into your kdiff3.local) if you don't need to compare files in /usr/share.
25	#include whitelist-usr-share-common.inc	25	#include whitelist-usr-share-common.inc


diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile index 3ad779a12..365db64aa 100644 --- a/etc/profile-a-l/keepassxc.profile +++ b/etc/profile-a-l/keepassxc.profile
@@ -31,9 +31,9 @@ include disable-shell.inc
31	include disable-xdg.inc	31	include disable-xdg.inc
32		32
33	# You can enable whitelisting for keepassxc by uncommenting (or adding to you keepassxc.local) the following lines.	33	# You can enable whitelisting for keepassxc by uncommenting (or adding to you keepassxc.local) the following lines.
34	# If you do so, you MUST store your database under ${HOME}/Documents/KeePassXC/foo.kdbx	34	# If you do so, you MUST store your database under ${DOCUMENTS}/KeePassXC/foo.kdbx
35	#mkdir ${HOME}/Documents/KeePassXC	35	#mkdir ${DOCUMENTS}/KeePassXC
36	#whitelist ${HOME}/Documents/KeePassXC	36	#whitelist ${DOCUMENTS}/KeePassXC
37	# Needed for KeePassXC-Browser	37	# Needed for KeePassXC-Browser
38	#mkfile ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json	38	#mkfile ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
39	#whitelist ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json	39	#whitelist ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json


diff --git a/etc/profile-m-z/Mathematica.profile b/etc/profile-m-z/Mathematica.profile index c2734b1c1..0f79b6a97 100644 --- a/etc/profile-m-z/Mathematica.profile +++ b/etc/profile-m-z/Mathematica.profile
@@ -16,10 +16,10 @@ include disable-programs.inc
16		16
17	mkdir ${HOME}/.Mathematica	17	mkdir ${HOME}/.Mathematica
18	mkdir ${HOME}/.Wolfram Research	18	mkdir ${HOME}/.Wolfram Research
19	mkdir ${HOME}/Documents/Wolfram Mathematica	19	mkdir ${DOCUMENTS}/Wolfram Mathematica
20	whitelist ${HOME}/.Mathematica	20	whitelist ${HOME}/.Mathematica
21	whitelist ${HOME}/.Wolfram Research	21	whitelist ${HOME}/.Wolfram Research
22	whitelist ${HOME}/Documents/Wolfram Mathematica	22	whitelist ${DOCUMENTS}/Wolfram Mathematica
23	include whitelist-common.inc	23	include whitelist-common.inc
24		24
25	caps.drop all	25	caps.drop all


diff --git a/etc/profile-m-z/tar.profile b/etc/profile-m-z/tar.profile index f6efb0feb..9d7a23d43 100644 --- a/etc/profile-m-z/tar.profile +++ b/etc/profile-m-z/tar.profile
@@ -7,13 +7,17 @@ include tar.local
7	# Persistent global definitions	7	# Persistent global definitions
8	include globals.local	8	include globals.local
9		9
10	# Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only.	10	# Included in archiver-common.inc
11	noblacklist /var/lib/pacman
12
13	ignore include disable-shell.inc	11	ignore include disable-shell.inc
14	include archiver-common.inc	12
		13	# Arch Linux (based distributions) need access to /var/lib/pacman. As we drop
		14	# all capabilities this is automatically read-only.
		15	noblacklist /var/lib/pacman
15		16
16	private-etc alternatives,group,localtime,login.defs,passwd	17	private-etc alternatives,group,localtime,login.defs,passwd
17	#private-lib libfakeroot,liblzma.so.,libreadline.so.	18	#private-lib libfakeroot,liblzma.so.,libreadline.so.
18	# Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)	19	# Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
19	writable-var	20	writable-var
		21
		22	# Redirect
		23	include archiver-common.inc


diff --git a/etc/profile-m-z/unrar.profile b/etc/profile-m-z/unrar.profile index 9487f8e68..65f1a425a 100644 --- a/etc/profile-m-z/unrar.profile +++ b/etc/profile-m-z/unrar.profile
@@ -7,8 +7,9 @@ include unrar.local
7	# Persistent global definitions	7	# Persistent global definitions
8	include globals.local	8	include globals.local
9		9
10	include archiver-common.inc
11
12	private-bin unrar	10	private-bin unrar
13	private-etc alternatives,group,localtime,passwd	11	private-etc alternatives,group,localtime,passwd
14	private-tmp	12	private-tmp
		13
		14	# Redirect
		15	include archiver-common.inc


diff --git a/etc/profile-m-z/unzip.profile b/etc/profile-m-z/unzip.profile index 8da9ea820..c94416b87 100644 --- a/etc/profile-m-z/unzip.profile +++ b/etc/profile-m-z/unzip.profile
@@ -10,6 +10,7 @@ include globals.local
10	# GNOME Shell integration (chrome-gnome-shell)	10	# GNOME Shell integration (chrome-gnome-shell)
11	noblacklist ${HOME}/.local/share/gnome-shell	11	noblacklist ${HOME}/.local/share/gnome-shell
12		12
13	include archiver-common.inc
14
15	private-etc alternatives,group,localtime,passwd	13	private-etc alternatives,group,localtime,passwd
		14
		15	# Redirect
		16	include archiver-common.inc


diff --git a/etc/profile-m-z/xzdec.profile b/etc/profile-m-z/xzdec.profile index 082392a08..c5e8d1631 100644 --- a/etc/profile-m-z/xzdec.profile +++ b/etc/profile-m-z/xzdec.profile
@@ -7,4 +7,5 @@ include xzdec.local
7	# Persistent global definitions	7	# Persistent global definitions
8	include globals.local	8	include globals.local
9		9
		10	# Redirect
10	include archiver-common.inc	11	include archiver-common.inc


diff --git a/etc/profile-m-z/zstd.profile b/etc/profile-m-z/zstd.profile index 42749ba6d..07a75f97f 100644 --- a/etc/profile-m-z/zstd.profile +++ b/etc/profile-m-z/zstd.profile
@@ -7,4 +7,5 @@ include zstd.local
7	# Persistent global definitions	7	# Persistent global definitions
8	include globals.local	8	include globals.local
9		9
		10	# Redirect
10	include archiver-common.inc	11	include archiver-common.inc