6 files changed, 98 insertions, 3 deletions
diff --git a/etc/inc/disable-proc.inc b/etc/inc/disable-proc.inc
new file mode 100644
index 000000000..81a8883f3
--- /dev/null
+++ b/etc/inc/disable-proc.inc
@@ -0,0 +1,82 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include disable-proc.local
+blacklist /proc/acpi
+blacklist /proc/asound
+blacklist /proc/bootconfig
+blacklist /proc/buddyinfo
+blacklist /proc/cgroups
+blacklist /proc/cmdline
+blacklist /proc/config.gz
+blacklist /proc/consoles
+#blacklist /proc/cpuinfo
+blacklist /proc/crypto
+blacklist /proc/devices
+blacklist /proc/diskstats
+blacklist /proc/dma
+#blacklist /proc/driver
+blacklist /proc/dynamic_debug
+blacklist /proc/execdomains
+blacklist /proc/fb
+#blacklist /proc/filesystems
+blacklist /proc/fs
+blacklist /proc/i8k
+blacklist /proc/interrupts
+blacklist /proc/iomem
+blacklist /proc/ioports
+blacklist /proc/irq
+blacklist /proc/kallsyms
+blacklist /proc/kcore
+blacklist /proc/keys
+blacklist /proc/key-users
+blacklist /proc/kmsg
+blacklist /proc/kpagecgroup
+blacklist /proc/kpagecount
+blacklist /proc/kpageflags
+blacklist /proc/latency_stats
+#blacklist /proc/loadavg
+blacklist /proc/locks
+blacklist /proc/mdstat
+#blacklist /proc/meminfo
+blacklist /proc/misc
+#blacklist /proc/modules
+#blacklist /proc/mounts
+blacklist /proc/mtrr
+#blacklist /proc/net
+blacklist /proc/partitions
+blacklist /proc/pressure
+blacklist /proc/sched_debug
+blacklist /proc/schedstat
+blacklist /proc/scsi
+#blacklist /proc/self
+blacklist /proc/slabinfo
+blacklist /proc/softirqs
+blacklist /proc/spl
+#blacklist /proc/stat
+blacklist /proc/swaps
+#blacklist /proc/sys
+blacklist /proc/sysrq-trigger
+blacklist /proc/sysvipc
+#blacklist /proc/thread-self
+blacklist /proc/timer_list
+blacklist /proc/tty
+#blacklist /proc/uptime
+#blacklist /proc/version
+blacklist /proc/version_signature
+blacklist /proc/vmallocinfo
+#blacklist /proc/vmstat
+#blacklist /proc/zoneinfo
+blacklist /proc/sys/abi
+blacklist /proc/sys/crypto
+blacklist /proc/sys/debug
+blacklist /proc/sys/dev
+blacklist /proc/sys/fs
+blacklist /proc/sys/net
+blacklist /proc/sys/user
+blacklist /proc/sys/vm
+noblacklist /proc/sys/kernel/osrelease
+noblacklist /proc/sys/kernel/yama
+blacklist /proc/sys/*/*
diff --git a/etc/profile-a-l/jumpnbump-menu.profile b/etc/profile-a-l/jumpnbump-menu.profile
index 8d391b90f..59d762f55 100644
--- a/etc/profile-a-l/jumpnbump-menu.profile
+++ b/etc/profile-a-l/jumpnbump-menu.profile
@@ -10,7 +10,7 @@ include jumpnbump-menu.local
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
-private-bin jumpnbump-menu,python3*
+private-bin env,jumpnbump-menu,python3*
 # Redirect
 include jumpnbump.profile
diff --git a/etc/profile-m-z/warsow.profile b/etc/profile-m-z/warsow.profile
index 5659ec69c..4925e94f7 100644
--- a/etc/profile-m-z/warsow.profile
+++ b/etc/profile-m-z/warsow.profile
@@ -11,6 +11,9 @@ ignore noexec ${HOME}
 noblacklist ${HOME}/.cache/warsow-2.1
 noblacklist ${HOME}/.local/share/warsow-2.1
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -40,13 +43,13 @@ noroot
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 tracelog
 disable-mnt
-private-bin warsow
+private-bin basename,bash,dirname,sed,sh,uname,warsow
 private-cache
 private-dev
 private-tmp
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 7628313e0..44197b547 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -116,6 +116,7 @@ include globals.local
 #include disable-devel.inc
 #include disable-exec.inc
 #include disable-interpreters.inc
+#include disable-proc.inc
 #include disable-programs.inc
 #include disable-shell.inc
 #include disable-write-mnt.inc
diff --git a/src/firejail/main.c b/src/firejail/main.c
index c5b3d5739..1ba70b0bd 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2156,6 +2156,10 @@ int main(int argc, char **argv, char **envp) {
                        arg_novideo = 1;
                else if (strcmp(argv[i], "--no3d") == 0)
                        arg_no3d = 1;
+                else if (strcmp(argv[i], "--noprinters") == 0) {
+                        profile_add("blacklist /dev/lp*");
+                        profile_add("blacklist /run/cups/cups.sock");
+                }
                else if (strcmp(argv[i], "--notv") == 0)
                        arg_notv = 1;
                else if (strcmp(argv[i], "--nodvd") == 0)
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 9d92b6199..babc3941e 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -449,6 +449,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                arg_no3d = 1;
                return 0;
        }
+        else if (strcmp(ptr, "noprinters") == 0) {
+                profile_add("blacklist /dev/lp*");
+                profile_add("blacklist /run/cups/cups.sock");
+                return 0;
+        }
        else if (strcmp(ptr, "noinput") == 0) {
                arg_noinput = 1;
                return 0;

diff --git a/etc/inc/disable-proc.inc b/etc/inc/disable-proc.inc new file mode 100644 index 000000000..81a8883f3 --- /dev/null +++ b/etc/inc/disable-proc.inc
@@ -0,0 +1,82 @@
		1	# This file is overwritten during software install.
		2	# Persistent customizations should go in a .local file.
		3	include disable-proc.local
		4
		5	blacklist /proc/acpi
		6	blacklist /proc/asound
		7	blacklist /proc/bootconfig
		8	blacklist /proc/buddyinfo
		9	blacklist /proc/cgroups
		10	blacklist /proc/cmdline
		11	blacklist /proc/config.gz
		12	blacklist /proc/consoles
		13	#blacklist /proc/cpuinfo
		14	blacklist /proc/crypto
		15	blacklist /proc/devices
		16	blacklist /proc/diskstats
		17	blacklist /proc/dma
		18	#blacklist /proc/driver
		19	blacklist /proc/dynamic_debug
		20	blacklist /proc/execdomains
		21	blacklist /proc/fb
		22	#blacklist /proc/filesystems
		23	blacklist /proc/fs
		24	blacklist /proc/i8k
		25	blacklist /proc/interrupts
		26	blacklist /proc/iomem
		27	blacklist /proc/ioports
		28	blacklist /proc/irq
		29	blacklist /proc/kallsyms
		30	blacklist /proc/kcore
		31	blacklist /proc/keys
		32	blacklist /proc/key-users
		33	blacklist /proc/kmsg
		34	blacklist /proc/kpagecgroup
		35	blacklist /proc/kpagecount
		36	blacklist /proc/kpageflags
		37	blacklist /proc/latency_stats
		38	#blacklist /proc/loadavg
		39	blacklist /proc/locks
		40	blacklist /proc/mdstat
		41	#blacklist /proc/meminfo
		42	blacklist /proc/misc
		43	#blacklist /proc/modules
		44	#blacklist /proc/mounts
		45	blacklist /proc/mtrr
		46	#blacklist /proc/net
		47	blacklist /proc/partitions
		48	blacklist /proc/pressure
		49	blacklist /proc/sched_debug
		50	blacklist /proc/schedstat
		51	blacklist /proc/scsi
		52	#blacklist /proc/self
		53	blacklist /proc/slabinfo
		54	blacklist /proc/softirqs
		55	blacklist /proc/spl
		56	#blacklist /proc/stat
		57	blacklist /proc/swaps
		58	#blacklist /proc/sys
		59	blacklist /proc/sysrq-trigger
		60	blacklist /proc/sysvipc
		61	#blacklist /proc/thread-self
		62	blacklist /proc/timer_list
		63	blacklist /proc/tty
		64	#blacklist /proc/uptime
		65	#blacklist /proc/version
		66	blacklist /proc/version_signature
		67	blacklist /proc/vmallocinfo
		68	#blacklist /proc/vmstat
		69	#blacklist /proc/zoneinfo
		70
		71	blacklist /proc/sys/abi
		72	blacklist /proc/sys/crypto
		73	blacklist /proc/sys/debug
		74	blacklist /proc/sys/dev
		75	blacklist /proc/sys/fs
		76	blacklist /proc/sys/net
		77	blacklist /proc/sys/user
		78	blacklist /proc/sys/vm
		79
		80	noblacklist /proc/sys/kernel/osrelease
		81	noblacklist /proc/sys/kernel/yama
		82	blacklist /proc/sys//


diff --git a/etc/profile-a-l/jumpnbump-menu.profile b/etc/profile-a-l/jumpnbump-menu.profile index 8d391b90f..59d762f55 100644 --- a/etc/profile-a-l/jumpnbump-menu.profile +++ b/etc/profile-a-l/jumpnbump-menu.profile
@@ -10,7 +10,7 @@ include jumpnbump-menu.local
10	# Allow python (blacklisted by disable-interpreters.inc)	10	# Allow python (blacklisted by disable-interpreters.inc)
11	include allow-python3.inc	11	include allow-python3.inc
12		12
13	private-bin jumpnbump-menu,python3*	13	private-bin env,jumpnbump-menu,python3*
14		14
15	# Redirect	15	# Redirect
16	include jumpnbump.profile	16	include jumpnbump.profile


diff --git a/etc/profile-m-z/warsow.profile b/etc/profile-m-z/warsow.profile index 5659ec69c..4925e94f7 100644 --- a/etc/profile-m-z/warsow.profile +++ b/etc/profile-m-z/warsow.profile
@@ -11,6 +11,9 @@ ignore noexec ${HOME}
11	noblacklist ${HOME}/.cache/warsow-2.1	11	noblacklist ${HOME}/.cache/warsow-2.1
12	noblacklist ${HOME}/.local/share/warsow-2.1	12	noblacklist ${HOME}/.local/share/warsow-2.1
13		13
		14	# Allow /bin/sh (blacklisted by disable-shell.inc)
		15	include allow-bin-sh.inc
		16
14	include disable-common.inc	17	include disable-common.inc
15	include disable-devel.inc	18	include disable-devel.inc
16	include disable-exec.inc	19	include disable-exec.inc
@@ -40,13 +43,13 @@ noroot
40	notv	43	notv
41	nou2f	44	nou2f
42	novideo	45	novideo
43	protocol unix,inet,inet6	46	protocol unix,inet,inet6,netlink
44	seccomp	47	seccomp
45	shell none	48	shell none
46	tracelog	49	tracelog
47		50
48	disable-mnt	51	disable-mnt
49	private-bin warsow	52	private-bin basename,bash,dirname,sed,sh,uname,warsow
50	private-cache	53	private-cache
51	private-dev	54	private-dev
52	private-tmp	55	private-tmp


diff --git a/etc/templates/profile.template b/etc/templates/profile.template index 7628313e0..44197b547 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template
@@ -116,6 +116,7 @@ include globals.local
116	#include disable-devel.inc	116	#include disable-devel.inc
117	#include disable-exec.inc	117	#include disable-exec.inc
118	#include disable-interpreters.inc	118	#include disable-interpreters.inc
		119	#include disable-proc.inc
119	#include disable-programs.inc	120	#include disable-programs.inc
120	#include disable-shell.inc	121	#include disable-shell.inc
121	#include disable-write-mnt.inc	122	#include disable-write-mnt.inc


diff --git a/src/firejail/main.c b/src/firejail/main.c index c5b3d5739..1ba70b0bd 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -2156,6 +2156,10 @@ int main(int argc, char argv, char envp) {
2156	arg_novideo = 1;	2156	arg_novideo = 1;
2157	else if (strcmp(argv[i], "--no3d") == 0)	2157	else if (strcmp(argv[i], "--no3d") == 0)
2158	arg_no3d = 1;	2158	arg_no3d = 1;
		2159	else if (strcmp(argv[i], "--noprinters") == 0) {
		2160	profile_add("blacklist /dev/lp*");
		2161	profile_add("blacklist /run/cups/cups.sock");
		2162	}
2159	else if (strcmp(argv[i], "--notv") == 0)	2163	else if (strcmp(argv[i], "--notv") == 0)
2160	arg_notv = 1;	2164	arg_notv = 1;
2161	else if (strcmp(argv[i], "--nodvd") == 0)	2165	else if (strcmp(argv[i], "--nodvd") == 0)


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 9d92b6199..babc3941e 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -449,6 +449,11 @@ int profile_check_line(char ptr, int lineno, const char fname) {
449	arg_no3d = 1;	449	arg_no3d = 1;
450	return 0;	450	return 0;
451	}	451	}
		452	else if (strcmp(ptr, "noprinters") == 0) {
		453	profile_add("blacklist /dev/lp*");
		454	profile_add("blacklist /run/cups/cups.sock");
		455	return 0;
		456	}
452	else if (strcmp(ptr, "noinput") == 0) {	457	else if (strcmp(ptr, "noinput") == 0) {
453	arg_noinput = 1;	458	arg_noinput = 1;
454	return 0;	459	return 0;