66 files changed, 199 insertions, 230 deletions
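--- a/etc/Viber.profile
+++ b/etc/Viber.profile
@@ -32,7 +32,7 @@ shell none
 
 disable-mnt
 private-bin sh,bash,dig,awk,Viber
-private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf,pki,ca-certificates,crypto-policies
+private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf,pki,ca-certificates,crypto-policies,machine-id,asound.conf
 private-tmp
 
 noexec ${HOME}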
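Review bot: Adding `machine-id` to the active `private-etc` list makes the host's stable `/etc/machine-id` identifier readable inside the sandbox of a networked messenger, which the private `/etc` was hiding until now. The same entry is added to the active lists in cmus, musixmatch, parole, ppsspp and slack, and appears in the new electrum profile. None of the hunks says why it is needed; it arrives together with `pulse`/`asound.conf`, so presumably it is for PulseAudio. A comment above the line, for example `# machine-id is required by PulseAudio`, would record that and let maintainers drop the entry in profiles where sound is disabled.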
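--- a/etc/amarok.profile
+++ b/etc/amarok.profile
@@ -29,5 +29,5 @@ shell none
 
 # private-bin amarok
 private-dev
-# private-etc none
+# private-etc machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp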
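--- a/etc/ardour5.profile
+++ b/etc/ardour5.profile
@@ -35,7 +35,7 @@ shell none
 #private-bin sh,ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm
 private-cache
 private-dev
-#private-etc pulse,X11,alternatives,ardour4,ardour5,fonts
+#private-etc pulse,X11,alternatives,ardour4,ardour5,fonts,machine-id,asound.conf
 private-tmp
 
 noexec ${HOME}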
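--- a/etc/arm.profile
+++ b/etc/arm.profile
@@ -42,7 +42,7 @@ tracelog
 disable-mnt
 private-bin arm,tor,sh,bash,python*,ps,lsof,ldconfig
 private-dev
-private-etc tor,passwd
+private-etc tor,passwd,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}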
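--- /dev/null
+++ b/etc/beaker.profile
@@ -0,0 +1,19 @@
+# Firejail profile for beaker
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/beaker.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/Beaker Browser
+
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+
+mkdir ${HOME}/.config/Beaker Browser
+whitelist ${HOME}/.config/Beaker Browser
+whitelist ${DOWNLOADS}
+include /etc/firejail/whitelist-common.inc
+
+# Redirect
+include /etc/firejail/electron.profile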
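--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -38,5 +38,5 @@ tracelog
 
 # private-bin bibletime,qt5ct
 private-dev
-private-etc fonts,resolv.conf,sword,sword.conf,passwd,machine-id
+private-etc fonts,resolv.conf,sword,sword.conf,passwd,machine-id,ca-certificates,ssl,pki,crypto-policies
 private-tmp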
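--- a/etc/bitcoin-qt.profile
+++ b/etc/bitcoin-qt.profile
@@ -40,7 +40,7 @@ tracelog
 private-bin bitcoin-qt
 private-dev
 # Causes problem with loading of libGL.so
-#private-etc fonts
+#private-etc fonts,ca-certificates,ssl,pki,crypto-policies
 # Works, but QT complains about OpenSSL a bit.
 #private-lib
 private-tmp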
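--- a/etc/cmus.profile
+++ b/etc/cmus.profile
@@ -26,4 +26,4 @@ seccomp
 shell none
 
 private-bin cmus
-private-etc group
+private-etc group,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies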
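--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -31,7 +31,7 @@ shell none
 # private-bin curl
 private-cache
 private-dev
-# private-etc resolv.conf
+# private-etc resolv.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}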
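--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -36,7 +36,7 @@ shell none
 
 # private-bin program
 # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
-# private-etc none
+# private-etc ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}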
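--- a/etc/dino.profile
+++ b/etc/dino.profile
@@ -35,7 +35,7 @@ shell none
 disable-mnt
 private-bin dino
 private-dev
-# private-etc fonts # breaks server connection
+# private-etc fonts,ca-certificates,ssl,pki,crypto-policies # breaks server connection
 private-tmp
 
 noexec ${HOME}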
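Review bot: The trailing remark `# breaks server connection` is carried over unchanged on the commented `private-etc` line, although the list now includes the CA and TLS policy files whose absence may have been what broke the connection. As written, a reader cannot tell whether the extended list was re-tested and still fails, or whether the remark is stale. Either enable the line after testing or reword the remark to say what still fails, e.g. `# still breaks server connection with the CA files present`. The list also has no `resolv.conf`, which could be a separate cause; that is an inference, not something the hunk shows.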
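--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -46,6 +46,7 @@ blacklist ${HOME}/.config/0ad
 blacklist ${HOME}/.config/2048-qt
 blacklist ${HOME}/.config/Atom
 blacklist ${HOME}/.config/Audaciousrc
+blacklist ${HOME}/.config/Beaker Browser
 blacklist ${HOME}/.config/Brackets
 blacklist ${HOME}/.config/Clementine
 blacklist ${HOME}/.config/Code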
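--- a/etc/discord-common.profile
+++ b/etc/discord-common.profile
@@ -24,9 +24,9 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp
 
-private-bin sh,xdg-mime,tr,sed,echo,head,cut,xdg-open,grep,egrep
+private-bin sh,xdg-mime,tr,sed,echo,head,cut,xdg-open,grep,egrep,bash,zsh
 private-dev
-private-etc fonts,machine-id,localtime,ld.so.cache
+private-etc fonts,machine-id,localtime,ld.so.cache,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}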
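Review bot: The `private-bin` line now adds `bash` and `zsh` to a sandbox that previously held only `sh` and a few text utilities, and the hunk does not say what requires them. Each extra interpreter in `private-bin` is more tooling available to code running inside the sandbox, so the list should stay at what the application actually executes. If a launcher script needs one of them, record it in a comment above the line, e.g. `# bash is needed by the Discord launcher script`, and drop `zsh` unless something is shown to invoke it. The rest of the profile lies outside the hunk, so other reasons for the shells cannot be ruled out from here.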
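--- /dev/null
+++ b/etc/electrum.profile
@@ -0,0 +1,52 @@
+# Firejail profile for electrum
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/electrum.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.electrum
+
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-xdg.inc
+
+mkdir ${HOME}/.electrum
+whitelist ${HOME}/.electrum
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+#nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin electrum,python*
+private-cache
+private-dev
+private-etc fonts,dconf,ca-certificates,ssl,pki,crypto-policies,machine-id
+private-tmp
+
+noexec ${HOME}
+noexec /tmp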
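Review bot: `#nodbus` on line 32 is left disabled with no explanation, so this wallet profile keeps D-Bus access without stating what depends on it. Add the reason next to it, e.g. `#nodbus - breaks <feature>` with the feature filled in, or enable it if nothing does. The `private-etc` list on line 48 includes `machine-id` even though the profile sets `nosound`, so the host identifier is exposed without the PulseAudio reason that presumably motivates it elsewhere in this commit. The list also omits `resolv.conf`, which the other networked profiles with an active `private-etc` mostly carry, so name resolution inside the sandbox is worth testing.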
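--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@@ -34,5 +34,5 @@ tracelog
 # private-bin elinks
 private-cache
 private-dev
-# private-etc none
+# private-etc ca-certificates,ssl,pki,crypto-policies
 private-tmp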
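--- a/etc/flameshot.profile
+++ b/etc/flameshot.profile
@@ -33,7 +33,7 @@ shell none
 disable-mnt
 private-bin flameshot
 private-cache
-private-etc fonts,ca-certificates,ld.so.conf,resolv.conf,ssl
+private-etc fonts,ld.so.conf,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 private-dev
 private-tmp
 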
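--- a/etc/gitter.profile
+++ b/etc/gitter.profile
@@ -34,7 +34,7 @@ shell none
 
 disable-mnt
 private-bin bash,env,gitter
-private-etc fonts,pulse,resolv.conf
+private-etc fonts,pulse,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 private-opt Gitter
 private-dev
 private-tmp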
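--- a/etc/gjs.profile
+++ b/etc/gjs.profile
@@ -32,5 +32,5 @@ tracelog
 
 # private-bin gjs,gnome-books,gnome-documents,gnome-photos,gnome-maps,gnome-weather
 private-dev
-# private-etc fonts
+# private-etc fonts,ca-certificates,ssl,pki,crypto-policies
 private-tmp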
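--- a/etc/gnome-clocks.profile
+++ b/etc/gnome-clocks.profile
@@ -32,7 +32,7 @@ tracelog
 disable-mnt
 # private-bin gnome-clocks
 private-dev
-# private-etc fonts
+# private-etc fonts,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}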
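--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -35,7 +35,7 @@ tracelog
 disable-mnt
 # private-bin gjs gnome-maps
 private-dev
-# private-etc fonts
+# private-etc fonts,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}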
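--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -38,7 +38,7 @@ tracelog
 
 private-bin gnome-music,python*
 private-dev
-# private-etc fonts
+# private-etc fonts,machine-id,pulse,asound.conf
 private-tmp
 
 noexec ${HOME}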
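--- a/etc/gnome-weather.profile
+++ b/etc/gnome-weather.profile
@@ -36,7 +36,7 @@ tracelog
 disable-mnt
 # private-bin gjs gnome-weather
 private-dev
-# private-etc fonts
+# private-etc fonts,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}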
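--- a/etc/goobox.profile
+++ b/etc/goobox.profile
@@ -29,5 +29,5 @@ tracelog
 
 # private-bin goobox
 private-dev
-# private-etc fonts
+# private-etc fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
 # private-tmp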
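--- a/etc/gpredict.profile
+++ b/etc/gpredict.profile
@@ -31,7 +31,7 @@ tracelog
 
 private-bin gpredict
 private-dev
-private-etc fonts,resolv.conf
+private-etc fonts,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}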
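--- a/etc/lynx.profile
+++ b/etc/lynx.profile
@@ -32,5 +32,5 @@ tracelog
 # private-bin lynx
 private-cache
 private-dev
-# private-etc none
+# private-etc ca-certificates,ssl,pki,crypto-policies
 private-tmp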
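--- a/etc/mate-dictionary.profile
+++ b/etc/mate-dictionary.profile
@@ -35,7 +35,7 @@ shell none
 
 disable-mnt
 private-bin mate-dictionary
-private-etc fonts,resolv.conf
+private-etc fonts,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 private-opt mate-dictionary
 private-dev
 private-tmp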
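--- a/etc/mcabber.profile
+++ b/etc/mcabber.profile
@@ -28,4 +28,4 @@ shell none
 
 private-bin mcabber
 private-dev
-private-etc null
+private-etc ca-certificates,ssl,pki,crypto-policies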
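--- a/etc/minetest.profile
+++ b/etc/minetest.profile
@@ -34,7 +34,7 @@ disable-mnt
 private-bin minetest
 private-dev
 # private-etc needs to be updated, see #1702
-#private-etc asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies
+#private-etc asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id
 private-tmp
 
 noexec ${HOME}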
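--- a/etc/ms-office.profile
+++ b/etc/ms-office.profile
@@ -36,7 +36,7 @@ tracelog
 
 disable-mnt
 private-bin bash,fonts,env,jak,ms-office,python*,sh
-private-etc ca-certificates,resolv.conf,ssl
+private-etc resolv.conf,ca-certificates,ssl,pki,crypto-policies
 private-dev
 private-tmp
 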
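--- a/etc/musixmatch.profile
+++ b/etc/musixmatch.profile
@@ -30,7 +30,7 @@ seccomp
 
 disable-mnt
 private-dev
-private-etc none
+private-etc machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
 
 noexec ${HOME}
 noexec /tmp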
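--- a/etc/parole.profile
+++ b/etc/parole.profile
@@ -26,4 +26,4 @@ shell none
 
 private-bin parole,dbus-launch
 private-cache
-private-etc passwd,group,fonts
+private-etc passwd,group,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies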
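--- a/etc/ping.profile
+++ b/etc/ping.profile
@@ -40,7 +40,7 @@ private
 #private-bin has mammoth problems with execvp: "No such file or directory"
 private-dev
 # /etc/hosts is required in private-etc; however, just adding it to the list doesn't solve the problem!
-#private-etc resolv.conf,hosts
+#private-etc resolv.conf,hosts,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 # memory-deny-write-execute is built using seccomp; nonewprivs will kill it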
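--- a/etc/ppsspp.profile
+++ b/etc/ppsspp.profile
@@ -36,7 +36,7 @@ shell none
 
 # private-dev is disabled to allow controller support
 #private-dev
-private-etc asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies
+private-etc asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id
 private-opt ppsspp
 private-tmp
 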
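--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -51,7 +51,7 @@ shell none
 
 private-bin qbittorrent,python*
 private-dev
-# private-etc X11,fonts,xdg,resolv.conf
+# private-etc X11,fonts,xdg,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 # private-lib - problems on Arch
 private-tmp
 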
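--- a/etc/qtox.profile
+++ b/etc/qtox.profile
@@ -34,7 +34,7 @@ tracelog
 
 disable-mnt
 private-bin qtox
-private-etc fonts,resolv.conf,ld.so.cache,localtime
+private-etc fonts,resolv.conf,ld.so.cache,localtime,ca-certificates,ssl,pki,crypto-policies
 private-dev
 private-tmp
 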
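--- a/etc/qupzilla.profile
+++ b/etc/qupzilla.profile
@@ -33,7 +33,7 @@ seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@res
 # tracelog
 
 private-dev
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse
+# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies
 # private-tmp - interferes with the opening of downloaded files
 
 noexec ${HOME}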
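--- a/etc/ricochet.profile
+++ b/etc/ricochet.profile
@@ -35,7 +35,7 @@ shell none
 disable-mnt
 private-bin ricochet,tor
 private-dev
-#private-etc fonts,tor,X11,alternatives
+#private-etc fonts,tor,X11,alternatives,ca-certificates,ssl,pki,crypto-policies
 
 noexec ${HOME}
 noexec /tmp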
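--- /dev/null
+++ b/etc/rview.profile
@@ -0,0 +1,10 @@
+# Firejail profile for rview
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/rview.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/vim.profile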
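--- /dev/null
+++ b/etc/rvim.profile
@@ -0,0 +1,10 @@
+# Firejail profile for rvim
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/rvim.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/vim.profile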
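--- a/etc/seamonkey.profile
+++ b/etc/seamonkey.profile
@@ -47,4 +47,4 @@ seccomp
 tracelog
 
 disable-mnt
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies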
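--- a/etc/simple-scan.profile
+++ b/etc/simple-scan.profile
@@ -32,5 +32,5 @@ tracelog
 
 # private-bin simple-scan
 # private-dev
-# private-etc fonts
+# private-etc fonts,ca-certificates,ssl,pki,crypto-policies
 # private-tmp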
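--- a/etc/slack.profile
+++ b/etc/slack.profile
@@ -37,5 +37,5 @@ shell none
 disable-mnt
 private-bin slack,locale
 private-dev
-private-etc asound.conf,ca-certificates,fonts,group,passwd,pulse,resolv.conf,ssl,ld.so.conf,ld.so.cache,localtime,pki,crypto-policies
+private-etc asound.conf,ca-certificates,fonts,group,passwd,pulse,resolv.conf,ssl,ld.so.conf,ld.so.cache,localtime,pki,crypto-policies,machine-id
 private-tmp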
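--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -46,7 +46,7 @@ tracelog
 disable-mnt
 private-bin spotify,bash,sh,zenity
 private-dev
-private-etc fonts,group,ld.so.cache,machine-id,pulse,resolv.conf
+private-etc fonts,group,ld.so.cache,machine-id,pulse,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 private-opt spotify
 private-tmp
 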
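--- a/etc/tor.profile
+++ b/etc/tor.profile
@@ -44,7 +44,7 @@ private
 private-bin tor,bash
 private-cache
 private-dev
-private-etc tor,passwd
+private-etc tor,passwd,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}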
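--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -31,9 +31,10 @@ seccomp
 shell none
 
 private-bin totem
-private-cache
+# totem needs access to ~/.cache/tracker or it exits
+#private-cache
 private-dev
-# private-etc fonts
+# private-etc fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}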
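Review bot: Commenting out `private-cache` gives totem the user's real `~/.cache` in place of an empty one, although the new comment says only `~/.cache/tracker` is needed. That directory usually holds other applications' cached data too, and a media player routinely parses files from untrusted sources, so the change gives up more isolation than the stated requirement calls for. If the rest of the profile (outside this hunk) allows it, expose only the tracker directory instead. Otherwise extend the comment to record the trade-off, e.g. `# private-cache disabled: totem exits without ~/.cache/tracker; this exposes all of ~/.cache`.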
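--- a/etc/transmission-cli.profile
+++ b/etc/transmission-cli.profile
@@ -30,7 +30,7 @@ tracelog
 
 # private-bin transmission-cli
 private-dev
-private-etc none
+private-etc ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 memory-deny-write-execute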
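--- a/etc/unknown-horizons.profile
+++ b/etc/unknown-horizons.profile
@@ -27,5 +27,5 @@ shell none
 
 # private-bin unknown-horizons
 private-dev
-# private-etc none
+# private-etc ca-certificates,ssl,pki,crypto-policies
 private-tmp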
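--- /dev/null
+++ b/etc/vimcat.profile
@@ -0,0 +1,10 @@
+# Firejail profile for vimcat
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/vimcat.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/vim.profile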
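--- /dev/null
+++ b/etc/vimdiff.profile
@@ -0,0 +1,10 @@
+# Firejail profile for vimdiff
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/vimdiff.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/vim.profile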
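--- /dev/null
+++ b/etc/vimpager.profile
@@ -0,0 +1,10 @@
+# Firejail profile for vimpager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/vimpager.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/vim.profile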
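--- /dev/null
+++ b/etc/vimtutor.profile
@@ -0,0 +1,10 @@
+# Firejail profile for vimtutor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/vimtutor.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/vim.profile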
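--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -32,7 +32,7 @@ shell none
 
 # private-bin wget
 private-dev
-# private-etc resolv.conf
+# private-etc resolv.conf,ca-certificates,ssl,pki,crypto-policies
 # private-tmp
 
 noexec ${HOME}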
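--- a/etc/wire-desktop.profile
+++ b/etc/wire-desktop.profile
@@ -33,8 +33,8 @@ shell none
 # Note: The current version of Wire is located in /opt/wire-desktop/wire-desktop, and therefore
 # it is not in PATH. To use Wire with firejail, run "firejail /opt/wire-desktop/wire-desktop"
 
+disable-mnt
 private-bin wire-desktop
 private-dev
-private-etc fonts,machine-id,resolv.conf
-disable-mnt
+private-etc fonts,machine-id,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp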
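--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -42,7 +42,7 @@ tracelog
 
 # private-bin wireshark
 private-dev
-# private-etc fonts,group,hosts,machine-id,passwd
+# private-etc fonts,group,hosts,machine-id,passwd,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}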
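--- a/etc/xiphos.profile
+++ b/etc/xiphos.profile
@@ -36,5 +36,5 @@ tracelog
 
 private-bin xiphos
 private-dev
-private-etc fonts,resolv.conf,sword
+private-etc fonts,resolv.conf,sword,ca-certificates,ssl,pki,crypto-policies
 private-tmp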
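--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -33,8 +33,7 @@ shell none
 disable-mnt
 private-bin bash,blind-id,darkplaces-glx,darkplaces-sdl,dirname,grep,ldd,netstat,ps,readlink,sh,uname,xonotic,xonotic-glx,xonotic-linux32-dedicated,xonotic-linux32-glx,xonotic-linux32-sdl,xonotic-linux64-dedicated,xonotic-linux64-glx,xonotic-linux64-sdl,xonotic-sdl
 private-dev
-# private-etc breaks audio on some distros
+private-etc asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id
-#private-etc asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}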
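Review bot: Enabling `private-etc` on new line 36 removes the old warning that it "breaks audio on some distros" without recording what fixed it. The only entry added over the previously commented list is `machine-id`, so presumably that was the missing piece for audio. A comment above the directive, for example `# machine-id, pulse and asound.conf are required for audio`, would stop a later cleanup from trimming it and bringing the breakage back. It would also help to say which distros the enabled list was checked on, since the removed comment was the only trace of that problem.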
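--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -39,7 +39,7 @@ tracelog
 
 private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
 private-dev
-# private-etc fonts
+# private-etc fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}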
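--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -37,7 +37,7 @@ tracelog
 
 private-bin xviewer
 private-dev
-private-etc fonts
+#private-etc fonts
 private-lib
 private-tmp
 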
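Review bot: Commenting out `private-etc fonts` on new line 40 gives xviewer the host's full /etc again, and the section records no reason for relaxing the sandbox. If the directive breaks something (the neighbouring `private-lib` is a plausible suspect, but that is a guess), say so in a comment above it, e.g. `# private-etc fonts - disabled, breaks <what breaks>`. The other profiles in this commit write disabled directives as `# private-etc ...` with a space after the hash, and this line should match them.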
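--- /dev/null
+++ b/etc/xxd.profile
@@ -0,0 +1,10 @@
+# Firejail profile for xxd
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/xxd.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/vim.profile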
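--- a/platform/debian/control.amd64
+++ b/platform/debian/control.amd64
@@ -7,7 +7,7 @@ Depends: libc6
 Suggests: python, python3
 Section: admin
 Priority: optional
-Homepage: http://github.com/netblue30/firejail
+Homepage: https://github.com/netblue30/firejail
 Description: Linux namepaces sandbox program.
 Firejail is a SUID sandbox program that reduces the risk of security
 breaches by restricting the running environment of untrusted applications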
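--- a/platform/debian/control.i386
+++ b/platform/debian/control.i386
@@ -7,7 +7,7 @@ Depends: libc6
 Suggests: python, python3
 Section: admin
 Priority: optional
-Homepage: http://github.com/netblue30/firejail
+Homepage: https://github.com/netblue30/firejail
 Description: Linux namepaces sandbox program.
 Firejail is a SUID sandbox program that reduces the risk of security
 breaches by restricting the running environment of untrusted applications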
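--- a/platform/debian/copyright
+++ b/platform/debian/copyright
@@ -26,4 +26,4 @@ This is the Debian/Ubuntu prepackaged version of firejail.
 The complete text of the GNU General Public License can be found
 in /usr/share/common-licenses/GPL-2.
 
-Homepage: http://github.com/netblue30/firejail.
+Homepage: https://github.com/netblue30/firejail.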
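--- a/platform/rpm/firejail.spec
+++ b/platform/rpm/firejail.spec
@@ -6,7 +6,7 @@ Summary: Linux namepaces sandbox program
 License: GPLv2+
 Group: Development/Tools
 Source0: https://github.com/netblue30/firejail/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
-URL: http://github.com/netblue30/firejail
+URL: https://github.com/netblue30/firejail
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 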
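--- a/src/floader/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-READ ME
--------
-
-* Run 'make'
-* Add comma separated process names to ~/.loader.conf
-* export LD_PRELOAD=<path>./loader.so (ideally to .bashrc)
-* Run any application within shell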
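--- a/src/floader/loader.c
+++ /dev/null
@@ -1,161 +0,0 @@
-/*
-* Copyright (C) 2017-2018 Madura A. (madura.x86@gmail.com)
-*
-*/
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/mman.h>
-#include <fcntl.h>
-#include <unistd.h>
-
-#include <string.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <ctype.h>
-
-#define MAX_MATCHES 32
-#define MAX_ARGS 1024
-#define MAX_ARGS_LEN 4096
-static void loader_main() __attribute__((constructor));
-
-char cmdline[MAX_ARGS_LEN];
-char *args[MAX_ARGS];
-char loader[] = "firejail";
-char confFile[256];
-char *names[MAX_MATCHES];
-
-#ifdef DEBUG
-#define DBG printf
-#else
-#define DBG
-#endif
-void remove_trailing_spaces(char *str)
-{
-while (!isspace(*str))
-{
-str++;
-}
-
-while (*str != '\0')
-{
-*str = '\0';
-str++;
-}
-}
-
-void read_cmdline()
-{
-int fd = open("/proc/self/cmdline", O_RDONLY);
-ssize_t ret = 0, total = 0;
-char* wcmdbuf = cmdline;
-while ((ret = read(fd, wcmdbuf, 1)) != 0)
-{
-wcmdbuf++;
-total += ret;
-if (total > MAX_ARGS_LEN)
-{
-printf("Not enough memory\n");
-close(fd);
-return ;
-}
-}
-close(fd);
-}
-
-void make_args()
-{
-int cI = 0, argI=0;
-char* argstart = &cmdline[0];
-for (;cI<MAX_ARGS_LEN;cI++)
-{
-if (cmdline[cI] == '\0')
-{
-args[argI]= argstart;
-argstart = &cmdline[cI+1];
-argI++;
-if (*argstart == '\0')
-{
-break;
-}
-}
-}
-args[argI] = argstart;
-argI++;
-args[argI] = NULL;
-}
-
-void loader_main()
-{
-snprintf(confFile, 255, "%s/.loader.conf", getenv("HOME"));
-
-struct stat confFileStat;
-
-stat(confFile, &confFileStat);
-
-int confFd = open(confFile, O_RDONLY);
-
-if (confFd == -1)
-{
-close(confFd);
-return;
-}
-char* conf = (char*) malloc(confFileStat.st_size);
-if (conf == NULL)
-{
-close(confFd);
-return;
-}
-ssize_t ret = read(confFd, conf, confFileStat.st_size);
-if (ret == -1)
-{
-close(confFd);
-return;
-}
-
-close(confFd);
-size_t fI = 0;
-int matchId = 0;
-names[matchId] = conf;
-matchId++;
-for (;fI < confFileStat.st_size-1;fI++)
-{
-if (conf[fI] == ',')
-{
-names[matchId] = &conf[fI+1];
-conf[fI] = '\0';
-
-matchId++;
-}
-}
-
-remove_trailing_spaces(names[matchId-1]);
-
-read_cmdline();
-
-make_args();
-
-#ifdef DEBUG
-int xarg=0;
-while (args[xarg] != NULL)
-{
-DBG(".%s\n", args[xarg]);
-xarg++;
-}
-#endif
-
-int x;
-
-for (x = 0;x<matchId;x++)
-{
-DBG("%s\n",names[x]);
-if (strstr(args[0], names[x]) != NULL)
-{
-DBG("highjack!\n");
-
-free(conf);
-
-execvp(loader, args );
-}
-}
-
-}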
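--- a/src/floader/makefile
+++ /dev/null
@@ -1,5 +0,0 @@
-all:
-gcc -ggdb -shared -fPIC loader.c -o loader.so
-
-debug:
-gcc -ggdb -shared -DDEBUG -fPIC loader.c -o loader.so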