diff options
393 files changed, 3415 insertions, 734 deletions
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index 47e099cde..86baecf2f 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md | |||
@@ -25,15 +25,15 @@ Steps to reproduce the behavior: | |||
25 | 25 | ||
26 | **Environment** | 26 | **Environment** |
27 | - Linux distribution and version (ie output of `lsb_release -a`, `screenfetch` or `cat /etc/os-release`) | 27 | - Linux distribution and version (ie output of `lsb_release -a`, `screenfetch` or `cat /etc/os-release`) |
28 | - Firejail version (output of `firejail --version`) exclusive or used git commit (`git rev-parse HEAD`) | 28 | - Firejail version (output of `firejail --version`) exclusive or used git commit (`git rev-parse HEAD`) |
29 | 29 | ||
30 | **Additional context** | 30 | **Additional context** |
31 | Other context about the problem like related errors to understand the problem. | 31 | Other context about the problem like related errors to understand the problem. |
32 | 32 | ||
33 | **Checklist** | 33 | **Checklist** |
34 | - [ ] The upstream profile (and redirect profile if exists) have no changes fixing it. | 34 | - [ ] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc). |
35 | - [ ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) | 35 | - [ ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) |
36 | - [ ] A short search for duplicates was performed. | 36 | - [ ] I have performed a short search for similar issues (to avoid opening a duplicate). |
37 | - [ ] If it is a AppImage, `--profile=PROFILENAME` is used to set the right profile. | 37 | - [ ] If it is a AppImage, `--profile=PROFILENAME` is used to set the right profile. |
38 | - [ ] Used `LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM` to get english error-messages. | 38 | - [ ] Used `LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM` to get english error-messages. |
39 | - [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers. | 39 | - [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers. |
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index 1468ef898..40ba00db6 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml | |||
@@ -1,6 +1,6 @@ | |||
1 | name: Build-extra CI | 1 | name: Build-extra CI |
2 | 2 | ||
3 | on: | 3 | on: |
4 | push: | 4 | push: |
5 | branches: [ master ] | 5 | branches: [ master ] |
6 | paths-ignore: | 6 | paths-ignore: |
@@ -19,10 +19,9 @@ on: | |||
19 | - RELNOTES | 19 | - RELNOTES |
20 | - SECURITY.md | 20 | - SECURITY.md |
21 | - 'etc/**' | 21 | - 'etc/**' |
22 | 22 | ||
23 | jobs: | 23 | jobs: |
24 | build-clang: | 24 | build-clang: |
25 | if: ${{ ! contains(github.event.commits[0].message, '[skip ci]') }} | ||
26 | runs-on: ubuntu-20.04 | 25 | runs-on: ubuntu-20.04 |
27 | steps: | 26 | steps: |
28 | - uses: actions/checkout@v2 | 27 | - uses: actions/checkout@v2 |
@@ -31,7 +30,6 @@ jobs: | |||
31 | - name: make | 30 | - name: make |
32 | run: make | 31 | run: make |
33 | scan-build: | 32 | scan-build: |
34 | if: ${{ ! contains(github.event.commits[0].message, '[skip ci]') }} | ||
35 | runs-on: ubuntu-20.04 | 33 | runs-on: ubuntu-20.04 |
36 | steps: | 34 | steps: |
37 | - uses: actions/checkout@v2 | 35 | - uses: actions/checkout@v2 |
@@ -42,7 +40,6 @@ jobs: | |||
42 | - name: scan-build | 40 | - name: scan-build |
43 | run: NO_EXTRA_CFLAGS="yes" scan-build-10 --status-bugs make | 41 | run: NO_EXTRA_CFLAGS="yes" scan-build-10 --status-bugs make |
44 | cppcheck: | 42 | cppcheck: |
45 | if: ${{ ! contains(github.event.commits[0].message, '[skip ci]') }} | ||
46 | runs-on: ubuntu-20.04 | 43 | runs-on: ubuntu-20.04 |
47 | steps: | 44 | steps: |
48 | - uses: actions/checkout@v2 | 45 | - uses: actions/checkout@v2 |
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 99b8a3be5..07ab1431e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml | |||
@@ -20,7 +20,6 @@ on: | |||
20 | 20 | ||
21 | jobs: | 21 | jobs: |
22 | build_and_test: | 22 | build_and_test: |
23 | if: ${{ ! contains(github.event.commits[0].message, '[skip ci]') }} | ||
24 | runs-on: ubuntu-20.04 | 23 | runs-on: ubuntu-20.04 |
25 | steps: | 24 | steps: |
26 | - uses: actions/checkout@v2 | 25 | - uses: actions/checkout@v2 |
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 301c7fad2..d974d650e 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml | |||
@@ -11,7 +11,7 @@ on: | |||
11 | paths-ignore: | 11 | paths-ignore: |
12 | - CONTRIBUTING.md | 12 | - CONTRIBUTING.md |
13 | - README | 13 | - README |
14 | - README.md | 14 | - README.md |
15 | - RELNOTES | 15 | - RELNOTES |
16 | - SECURITY.md | 16 | - SECURITY.md |
17 | - 'etc/**' | 17 | - 'etc/**' |
@@ -21,7 +21,7 @@ on: | |||
21 | paths-ignore: | 21 | paths-ignore: |
22 | - CONTRIBUTING.md | 22 | - CONTRIBUTING.md |
23 | - README | 23 | - README |
24 | - README.md | 24 | - README.md |
25 | - RELNOTES | 25 | - RELNOTES |
26 | - SECURITY.md | 26 | - SECURITY.md |
27 | - 'etc/**' | 27 | - 'etc/**' |
@@ -61,7 +61,7 @@ jobs: | |||
61 | with: | 61 | with: |
62 | languages: ${{ matrix.language }} | 62 | languages: ${{ matrix.language }} |
63 | # If you wish to specify custom queries, you can do so here or in a config file. | 63 | # If you wish to specify custom queries, you can do so here or in a config file. |
64 | # By default, queries listed here will override any specified in a config file. | 64 | # By default, queries listed here will override any specified in a config file. |
65 | # Prefix the list here with "+" to use these queries and those in the config file. | 65 | # Prefix the list here with "+" to use these queries and those in the config file. |
66 | # queries: ./path/to/local/query, your-org/your-repo/queries@main | 66 | # queries: ./path/to/local/query, your-org/your-repo/queries@main |
67 | 67 | ||
diff --git a/.github/workflows/sort.yml b/.github/workflows/sort.yml index 55ac065b6..3e717f162 100644 --- a/.github/workflows/sort.yml +++ b/.github/workflows/sort.yml | |||
@@ -1,7 +1,7 @@ | |||
1 | name: sort.py | 1 | name: sort.py |
2 | 2 | ||
3 | on: | 3 | on: |
4 | push: | 4 | push: |
5 | branches: [ master ] | 5 | branches: [ master ] |
6 | paths: | 6 | paths: |
7 | - 'etc/**' | 7 | - 'etc/**' |
@@ -12,7 +12,6 @@ on: | |||
12 | 12 | ||
13 | jobs: | 13 | jobs: |
14 | profile-sort: | 14 | profile-sort: |
15 | if: ${{ ! contains(github.event.commits[0].message, '[skip ci]') }} | ||
16 | runs-on: ubuntu-20.04 | 15 | runs-on: ubuntu-20.04 |
17 | steps: | 16 | steps: |
18 | - uses: actions/checkout@v2 | 17 | - uses: actions/checkout@v2 |
diff --git a/Makefile.in b/Makefile.in index 8d4dbc430..593afdacf 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -95,6 +95,7 @@ distclean: clean | |||
95 | for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \ | 95 | for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \ |
96 | $(MAKE) -C $$dir distclean; \ | 96 | $(MAKE) -C $$dir distclean; \ |
97 | done | 97 | done |
98 | $(MAKE) -C test distclean | ||
98 | rm -fr Makefile autom4te.cache config.log config.status config.h src/common.mk mkdeb.sh | 99 | rm -fr Makefile autom4te.cache config.log config.status config.h src/common.mk mkdeb.sh |
99 | 100 | ||
100 | realinstall: | 101 | realinstall: |
@@ -112,9 +113,9 @@ endif | |||
112 | install -m 0755 -d $(DESTDIR)$(libdir)/firejail | 113 | install -m 0755 -d $(DESTDIR)$(libdir)/firejail |
113 | install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config | 114 | install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config |
114 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS) | 115 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS) |
115 | # non-dumpable plugins | 116 | # plugins w/o read permission (non-dumpable) |
116 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE) | 117 | install -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE) |
117 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh | 118 | install -m 0711 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh |
118 | ifeq ($(HAVE_CONTRIB_INSTALL),yes) | 119 | ifeq ($(HAVE_CONTRIB_INSTALL),yes) |
119 | # contrib scripts | 120 | # contrib scripts |
120 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/*.py contrib/*.sh | 121 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/*.py contrib/*.sh |
@@ -12,6 +12,8 @@ Linux namespace support. It supports sandboxing specific users upon login. | |||
12 | Download: https://sourceforge.net/projects/firejail/files/ | 12 | Download: https://sourceforge.net/projects/firejail/files/ |
13 | Build and install: ./configure && make && sudo make install | 13 | Build and install: ./configure && make && sudo make install |
14 | Documentation and support: https://firejail.wordpress.com/ | 14 | Documentation and support: https://firejail.wordpress.com/ |
15 | Video Channel: https://www.youtube.com/channel/UCi5u-syndQYyOeV4NZ04hNA | ||
16 | Backup Video Channel: https://www.bitchute.com/profile/JSBsA1aoQVfW/ | ||
15 | Development: https://github.com/netblue30/firejail | 17 | Development: https://github.com/netblue30/firejail |
16 | License: GPL v2 | 18 | License: GPL v2 |
17 | 19 | ||
@@ -40,6 +42,7 @@ Committers | |||
40 | - curiosityseeker (https://github.com/curiosityseeker) | 42 | - curiosityseeker (https://github.com/curiosityseeker) |
41 | - glitsj16 (https://github.com/glitsj16) | 43 | - glitsj16 (https://github.com/glitsj16) |
42 | - Fred-Barclay (https://github.com/Fred-Barclay) | 44 | - Fred-Barclay (https://github.com/Fred-Barclay) |
45 | - Kelvin M. Klann (https://github.com/kmk3) | ||
43 | - Kristóf Marussy (https://github.com/kris7t) | 46 | - Kristóf Marussy (https://github.com/kris7t) |
44 | - Reiner Herrmann (https://github.com/reinerh - Debian/Ubuntu maintainer) | 47 | - Reiner Herrmann (https://github.com/reinerh - Debian/Ubuntu maintainer) |
45 | - rusty-snake (https://github.com/rusty-snake) | 48 | - rusty-snake (https://github.com/rusty-snake) |
@@ -69,7 +72,8 @@ Adrian L. Shaw (https://github.com/adrianlshaw) | |||
69 | - add profanity profile | 72 | - add profanity profile |
70 | - add barrirer profile | 73 | - add barrirer profile |
71 | Aidan Gauland (https://github.com/aidalgol) | 74 | Aidan Gauland (https://github.com/aidalgol) |
72 | - added electron and riot-web profiles | 75 | - added electron, riot-web and npm profiles |
76 | - whitelist Bohemia Interactive config dir for Steam | ||
73 | Akhil Hans Maulloo (https://github.com/kouul) | 77 | Akhil Hans Maulloo (https://github.com/kouul) |
74 | - xz profile | 78 | - xz profile |
75 | Alexey Kuznetsov (kuznet@ms2.inr.ac.ru) | 79 | Alexey Kuznetsov (kuznet@ms2.inr.ac.ru) |
@@ -159,6 +163,11 @@ Bandie (https://github.com/Bandie) | |||
159 | - fixed riot-desktop | 163 | - fixed riot-desktop |
160 | Barış Ekin Yıldırım (https://github.com/circuitshaker) | 164 | Barış Ekin Yıldırım (https://github.com/circuitshaker) |
161 | - removing net none from code.profile | 165 | - removing net none from code.profile |
166 | bbhtt (https://github.com/bbhtt) | ||
167 | - improvements to balsa,fractal,gajim,trojita profiles | ||
168 | - improvements to nheko, spectral, feh, links, lynx profiles | ||
169 | - added alacartem com.github.bleakgrey.tootle, photoflare profiles | ||
170 | - add profiles for MS Edge dev build for Linux and Librewolf | ||
162 | Benjamin Kampmann (https://github.com/ligthyear) | 171 | Benjamin Kampmann (https://github.com/ligthyear) |
163 | - Forward exit code from child process | 172 | - Forward exit code from child process |
164 | bitfreak25 (https://github.com/bitfreak25) | 173 | bitfreak25 (https://github.com/bitfreak25) |
@@ -178,6 +187,8 @@ Brad Ackerman | |||
178 | - blacklist Bitwarden config in disable-passwdmgr.inc | 187 | - blacklist Bitwarden config in disable-passwdmgr.inc |
179 | briaeros (https://github.com/briaeros) | 188 | briaeros (https://github.com/briaeros) |
180 | - fix command test in jail_prober.py | 189 | - fix command test in jail_prober.py |
190 | botherer (https://github.com/botherder) | ||
191 | - add CoyIM profile | ||
181 | Bruno Nova (https://github.com/brunonova) | 192 | Bruno Nova (https://github.com/brunonova) |
182 | - whitelist fix | 193 | - whitelist fix |
183 | - bash arguments fix | 194 | - bash arguments fix |
@@ -301,6 +312,8 @@ Fabian Würfl (https://github.com/BafDyce) | |||
301 | - Liferea profile | 312 | - Liferea profile |
302 | Felipe Barriga Richards (https://github.com/fbarriga) | 313 | Felipe Barriga Richards (https://github.com/fbarriga) |
303 | - --private-etc fix | 314 | - --private-etc fix |
315 | fenuks (https://github.com/fenuks) | ||
316 | - fix sound in games using FMOD | ||
304 | Florian Begusch (https://github.com/florianbegusch) | 317 | Florian Begusch (https://github.com/florianbegusch) |
305 | - (la)tex profiles | 318 | - (la)tex profiles |
306 | - fixed transmission-common.profile | 319 | - fixed transmission-common.profile |
@@ -420,6 +433,8 @@ hawkey116477 (https://github.com/hawkeye116477) | |||
420 | - updated Waterfox profile | 433 | - updated Waterfox profile |
421 | Helmut Grohne (https://github.com/helmutg) | 434 | Helmut Grohne (https://github.com/helmutg) |
422 | - compiler support in the build system - Debian bug #869707 | 435 | - compiler support in the build system - Debian bug #869707 |
436 | hhzek0014 (https://github.com/hhzek0014) | ||
437 | - updated bibletime.profile | ||
423 | hlein (https://github.com/hlein) | 438 | hlein (https://github.com/hlein) |
424 | - strip out \r's from jail prober | 439 | - strip out \r's from jail prober |
425 | Holger Heinz (https://github.com/hheinz) | 440 | Holger Heinz (https://github.com/hheinz) |
@@ -518,7 +533,11 @@ KellerFuchs (https://github.com/KellerFuchs) | |||
518 | - fixed Cryptocat profile | 533 | - fixed Cryptocat profile |
519 | - make ~/.local read-only | 534 | - make ~/.local read-only |
520 | Kelvin (https://github.com/kmk3) | 535 | Kelvin (https://github.com/kmk3) |
521 | - disable ldns utilities | 536 | - disable ldns utilities, dnssec-*, khost, unbound-host |
537 | - sort DNS / RUNUSER paths | ||
538 | - improve bug_report.md | ||
539 | - fix keypassxc | ||
540 | - blacklist oksh shell in disable-shell.inc | ||
522 | Kishore96in (https://github.com/Kishore96in) | 541 | Kishore96in (https://github.com/Kishore96in) |
523 | - added falkon profile | 542 | - added falkon profile |
524 | - kxmlgui fixes | 543 | - kxmlgui fixes |
@@ -610,6 +629,7 @@ Neo00001 (https://github.com/Neo00001) | |||
610 | - update virtualbox profile | 629 | - update virtualbox profile |
611 | - update telegram profile | 630 | - update telegram profile |
612 | - add spectacle profile | 631 | - add spectacle profile |
632 | - add kdiff3 profile | ||
613 | Nick Fox (https://github.com/njfox) | 633 | Nick Fox (https://github.com/njfox) |
614 | - add a profile alias for code-oss | 634 | - add a profile alias for code-oss |
615 | - add code-oss config directory | 635 | - add code-oss config directory |
@@ -620,6 +640,8 @@ Niklas Haas (https://github.com/haasn) | |||
620 | - blacklisting for keybase.io's client | 640 | - blacklisting for keybase.io's client |
621 | Niklas Goerke (https://github.com/Niklas974) | 641 | Niklas Goerke (https://github.com/Niklas974) |
622 | - update QOwnNotes profile | 642 | - update QOwnNotes profile |
643 | Nikos Chantziaras (https://github.com/realnc) | ||
644 | - fix audio support for Discord | ||
623 | nyancat18 (https://github.com/nyancat18) | 645 | nyancat18 (https://github.com/nyancat18) |
624 | - added ardour4, dooble, karbon, krita profiles | 646 | - added ardour4, dooble, karbon, krita profiles |
625 | Ondra Nekola (https://github.com/satai) | 647 | Ondra Nekola (https://github.com/satai) |
@@ -711,6 +733,8 @@ RandomVoid (https://github.com/RandomVoid) | |||
711 | - fix building C# projects in Godot | 733 | - fix building C# projects in Godot |
712 | Raphaël Droz (https://github.com/drzraf) | 734 | Raphaël Droz (https://github.com/drzraf) |
713 | - zoom profile fixes | 735 | - zoom profile fixes |
736 | realaltffour (https://github.com/realaltffour) | ||
737 | - add lynx support to newsboat profile | ||
714 | Reiner Herrmann (https://github.com/reinerh) | 738 | Reiner Herrmann (https://github.com/reinerh) |
715 | - a number of build patches | 739 | - a number of build patches |
716 | - man page fixes | 740 | - man page fixes |
@@ -730,6 +754,8 @@ RD PROJEKT (https://github.com/RDProjekt) | |||
730 | - support AMD GPU by OpenCL in Blender | 754 | - support AMD GPU by OpenCL in Blender |
731 | rogshdo (https://github.com/rogshdo) | 755 | rogshdo (https://github.com/rogshdo) |
732 | - BitlBee profile | 756 | - BitlBee profile |
757 | rootalc (https://github.com/rootalc) | ||
758 | - add nolocal6.net filter | ||
733 | Ruan (https://github.com/ruany) | 759 | Ruan (https://github.com/ruany) |
734 | - fixed hexchat profile | 760 | - fixed hexchat profile |
735 | rusty-snake (https://github.com/rusty-snake) | 761 | rusty-snake (https://github.com/rusty-snake) |
@@ -1,5 +1,7 @@ | |||
1 | # Firejail | 1 | # Firejail |
2 | [![Build Status](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines/) | 2 | [![Build Status](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines/) |
3 | [![CodeQL](https://github.com/netblue30/firejail/workflows/CodeQL/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodeQL) | ||
4 | [![Build CI](https://github.com/netblue30/firejail/workflows/Build%20CI/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3A%22Build+CI%22) | ||
3 | [![Packaging status](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions) | 5 | [![Packaging status](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions) |
4 | 6 | ||
5 | Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting | 7 | Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting |
@@ -22,19 +24,19 @@ implemented directly in Linux kernel and available on any Linux computer. | |||
22 | <td> | 24 | <td> |
23 | <a href="http://www.youtube.com/watch?feature=player_embedded&v=7RMz7tePA98 | 25 | <a href="http://www.youtube.com/watch?feature=player_embedded&v=7RMz7tePA98 |
24 | " target="_blank"><img src="http://img.youtube.com/vi/7RMz7tePA98/0.jpg" | 26 | " target="_blank"><img src="http://img.youtube.com/vi/7RMz7tePA98/0.jpg" |
25 | alt="Firejail Intro video" width="240" height="180" border="10" /><br/>Firejail Intro</a> | 27 | alt="Firejail Introduction" width="240" height="180" border="10" /><br/>Firejail Intro</a> |
26 | </td> | 28 | </td> |
27 | 29 | ||
28 | <td> | 30 | <td> |
29 | <a href="http://www.youtube.com/watch?feature=player_embedded&v=J1ZsXrpAgBU | 31 | <a href="http://www.youtube.com/watch?feature=player_embedded&v=J1ZsXrpAgBU |
30 | " target="_blank"><img src="http://img.youtube.com/vi/J1ZsXrpAgBU/0.jpg" | 32 | " target="_blank"><img src="http://img.youtube.com/vi/J1ZsXrpAgBU/0.jpg" |
31 | alt="Firejail Intro video" width="240" height="180" border="10" /><br/>Firejail Demo</a> | 33 | alt="Firejail Demo" width="240" height="180" border="10" /><br/>Firejail Demo</a> |
32 | </td> | 34 | </td> |
33 | 35 | ||
34 | <td> | 36 | <td> |
35 | <a href="http://www.youtube.com/watch?feature=player_embedded&v=EyEz65RYfw4 | 37 | <a href="http://www.youtube.com/watch?feature=player_embedded&v=EyEz65RYfw4 |
36 | " target="_blank"><img src="http://img.youtube.com/vi/EyEz65RYfw4/0.jpg" | 38 | " target="_blank"><img src="http://img.youtube.com/vi/EyEz65RYfw4/0.jpg" |
37 | alt="Firejail Intro video" width="240" height="180" border="10" /><br/>Debian Install</a> | 39 | alt="Debian Install" width="240" height="180" border="10" /><br/>Debian Install</a> |
38 | </td> | 40 | </td> |
39 | 41 | ||
40 | 42 | ||
@@ -42,13 +44,19 @@ alt="Firejail Intro video" width="240" height="180" border="10" /><br/>Debian In | |||
42 | <td> | 44 | <td> |
43 | <a href="http://www.youtube.com/watch?feature=player_embedded&v=Uy2ZTHc4s0w | 45 | <a href="http://www.youtube.com/watch?feature=player_embedded&v=Uy2ZTHc4s0w |
44 | " target="_blank"><img src="http://img.youtube.com/vi/Uy2ZTHc4s0w/0.jpg" | 46 | " target="_blank"><img src="http://img.youtube.com/vi/Uy2ZTHc4s0w/0.jpg" |
45 | alt="Firejail Intro video" width="240" height="180" border="10" /><br/>Arch Linux Install</a> | 47 | alt="Arch Linux Install" width="240" height="180" border="10" /><br/>Arch Linux Install</a> |
46 | 48 | ||
47 | </td> | 49 | </td> |
48 | <td> | 50 | <td> |
49 | <a href="http://www.youtube.com/watch?feature=player_embedded&v=xuMxRx0zSfQ | 51 | <a href="http://www.youtube.com/watch?feature=player_embedded&v=xuMxRx0zSfQ |
50 | " target="_blank"><img src="http://img.youtube.com/vi/xuMxRx0zSfQ/0.jpg" | 52 | " target="_blank"><img src="http://img.youtube.com/vi/xuMxRx0zSfQ/0.jpg" |
51 | alt="Firejail Intro video" width="240" height="180" border="10" /><br/>Disable Network Access</a> | 53 | alt="Disable Network Access" width="240" height="180" border="10" /><br/>Disable Network Access</a> |
54 | |||
55 | </td> | ||
56 | <td> | ||
57 | <a href="http://www.youtube.com/watch?feature=player_embedded&v=N-Mso2bSr3o | ||
58 | " target="_blank"><img src="http://img.youtube.com/vi/N-Mso2bSr3o/0.jpg" | ||
59 | alt="Firejail Security Deep Dive" width="240" height="180" border="10" /><br/>Firejail Security Deep Dive</a> | ||
52 | 60 | ||
53 | </td> | 61 | </td> |
54 | </tr></table> | 62 | </tr></table> |
@@ -67,11 +75,43 @@ Wiki: https://github.com/netblue30/firejail/wiki | |||
67 | 75 | ||
68 | GitLab-CI status: https://gitlab.com/Firejail/firejail_ci/pipelines/ | 76 | GitLab-CI status: https://gitlab.com/Firejail/firejail_ci/pipelines/ |
69 | 77 | ||
78 | Video Channel: https://www.youtube.com/channel/UCi5u-syndQYyOeV4NZ04hNA | ||
79 | |||
80 | Backup Video Channel: https://www.bitchute.com/profile/JSBsA1aoQVfW/ | ||
70 | 81 | ||
71 | ## Security vulnerabilities | 82 | ## Security vulnerabilities |
72 | 83 | ||
73 | We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@protonmail.com | 84 | We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@protonmail.com |
74 | 85 | ||
86 | ````` | ||
87 | Security Adivsory - Feb 8, 2021 | ||
88 | |||
89 | Summary: A vulnerability resulting in root privilege escalation was discovered in | ||
90 | Firejail's OverlayFS code, | ||
91 | |||
92 | Versions affected: Firejail software versions starting with 0.9.30. | ||
93 | Long Term Support (LTS) Firejail branch is not affected by this bug. | ||
94 | |||
95 | Workaround: Disable overlayfs feature at runtime. | ||
96 | In a text editor open /etc/firejail/firejail.config file, and set "overlayfs" entry to "no". | ||
97 | |||
98 | $ grep overlayfs /etc/firejail/firejail.config | ||
99 | # Enable or disable overlayfs features, default enabled. | ||
100 | overlayfs no | ||
101 | |||
102 | Fix: The bug is fixed in Firejail version 0.9.64.4 | ||
103 | |||
104 | GitHub commit: (file configure.ac) | ||
105 | https://github.com/netblue30/firejail/commit/97d8a03cad19501f017587cc4e47d8418273834b | ||
106 | |||
107 | Credit: Security researcher Roman Fiedler analyzed the code and discovered the vulnerability. | ||
108 | Functional PoC exploit code was provided to Firejail development team. | ||
109 | A description of the problem is here on Roman's blog: | ||
110 | |||
111 | https://unparalleled.eu/publications/2021/advisory-unpar-2021-0.txt | ||
112 | https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-local-root/ | ||
113 | ````` | ||
114 | |||
75 | ## Installing | 115 | ## Installing |
76 | 116 | ||
77 | Try installing Firejail from your system packages first. Firejail is included in Alpine, ALT Linux, Arch, Chakra, Debian, Deepin, Devuan, Fedora, Gentoo, Manjaro, Mint, NixOS, Parabola, Parrot, PCLinuxOS, ROSA, Solus, Slackware/SlackBuilds, Trisquel, Ubuntu, Void and possibly others. | 117 | Try installing Firejail from your system packages first. Firejail is included in Alpine, ALT Linux, Arch, Chakra, Debian, Deepin, Devuan, Fedora, Gentoo, Manjaro, Mint, NixOS, Parabola, Parrot, PCLinuxOS, ROSA, Solus, Slackware/SlackBuilds, Trisquel, Ubuntu, Void and possibly others. |
@@ -170,29 +210,31 @@ $ ./profstats *.profile | |||
170 | Warning: multiple caps in transmission-daemon.profile | 210 | Warning: multiple caps in transmission-daemon.profile |
171 | 211 | ||
172 | Stats: | 212 | Stats: |
173 | profiles 1031 | 213 | profiles 1064 |
174 | include local profile 1031 (include profile-name.local) | 214 | include local profile 1064 (include profile-name.local) |
175 | include globals 1031 (include globals.local) | 215 | include globals 1064 (include globals.local) |
176 | blacklist ~/.ssh 1007 (include disable-common.inc) | 216 | blacklist ~/.ssh 959 (include disable-common.inc) |
177 | seccomp 976 | 217 | seccomp 975 |
178 | capabilities 1030 | 218 | capabilities 1063 |
179 | noexec 901 (include disable-exec.inc) | 219 | noexec 944 (include disable-exec.inc) |
180 | memory-deny-write-execute 221 | 220 | memory-deny-write-execute 229 |
181 | apparmor 555 | 221 | apparmor 605 |
182 | private-bin 544 | 222 | private-bin 564 |
183 | private-dev 897 | 223 | private-dev 932 |
184 | private-etc 435 | 224 | private-etc 462 |
185 | private-tmp 785 | 225 | private-tmp 823 |
186 | whitelist home directory 474 | 226 | whitelist home directory 502 |
187 | whitelist var 699 (include whitelist-var-common.inc) | 227 | whitelist var 744 (include whitelist-var-common.inc) |
188 | whitelist run/user 336 (include whitelist-runuser-common.inc | 228 | whitelist run/user 461 (include whitelist-runuser-common.inc |
189 | or blacklist ${RUNUSER}) | 229 | or blacklist ${RUNUSER}) |
190 | whitelist usr/share 359 (include whitelist-usr-share-common.inc | 230 | whitelist usr/share 451 (include whitelist-usr-share-common.inc |
191 | net none 333 | 231 | net none 345 |
192 | dbus-user none 523 | 232 | dbus-user none 564 |
193 | dbus-system none 632 | 233 | dbus-user filter 85 |
234 | dbus-system none 696 | ||
235 | dbus-system filter 7 | ||
194 | ``` | 236 | ``` |
195 | 237 | ||
196 | ### New profiles: | 238 | ### New profiles: |
197 | 239 | ||
198 | spectacle, chromium-browser-privacy, gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu, authenticator-rs, servo | 240 | vmware-view, display-im6.q16 |
@@ -1,13 +1,25 @@ | |||
1 | firejail (0.9.65) baseline; urgency=low | 1 | firejail (0.9.65) baseline; urgency=low |
2 | * filtering environment variables | ||
3 | * new profiles: vmware-view, display-im6.q16 | ||
4 | -- netblue30 <netblue30@yahoo.com> Tue, 9 Feb 2021 09:00:00 -0500 | ||
5 | |||
6 | firejail (0.9.64.4) baseline; urgency=low | ||
7 | * disabled overlayfs, pending multiple fixes (CVE-2021-26910) | ||
8 | -- netblue30 <netblue30@yahoo.com> Sun, 7 Feb 2021 09:00:00 -0500 | ||
9 | |||
10 | firejail (0.9.64.2) baseline; urgency=low | ||
2 | * allow --tmpfs inside $HOME for unprivileged users | 11 | * allow --tmpfs inside $HOME for unprivileged users |
3 | * --disable-usertmpfs compile time option | 12 | * --disable-usertmpfs compile time option |
4 | * allow AF_BLUETOOTH via --protocol=bluetooth | 13 | * allow AF_BLUETOOTH via --protocol=bluetooth |
5 | * Setup guide for new users: contrib/firejail-welcome.sh | 14 | * Setup guide for new users: contrib/firejail-welcome.sh |
15 | * implement netns in profiles | ||
16 | * added nolocal6.net IPv6 network filter | ||
6 | * new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer | 17 | * new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer |
7 | * new profiles: gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer | 18 | * new profiles: gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer |
8 | * new profiles: straw-viewer, lutris, dolphin-emu, authenticator-rs, servo | 19 | * new profiles: straw-viewer, lutris, dolphin-emu, authenticator-rs, servo |
9 | 20 | * new profiles: npm, marker, yarn, lsar, unar, agetpkg, mdr, shotwell, qnapi | |
10 | -- netblue30 <netblue30@yahoo.com> Wed, 21 Oct 2020 09:00:00 -0500 | 21 | * new profiles: guvcview, pkglog, kdiff3, CoyIM |
22 | -- netblue30 <netblue30@yahoo.com> Tue, 26 Jan 2021 09:00:00 -0500 | ||
11 | 23 | ||
12 | firejail (0.9.64) baseline; urgency=low | 24 | firejail (0.9.64) baseline; urgency=low |
13 | * replaced --nowrap option with --wrap in firemon | 25 | * replaced --nowrap option with --wrap in firemon |
diff --git a/SECURITY.md b/SECURITY.md index 6df34685b..92204da0a 100644 --- a/SECURITY.md +++ b/SECURITY.md | |||
@@ -4,9 +4,10 @@ | |||
4 | 4 | ||
5 | | Version | Supported by us | EOL | Supported by distribution | | 5 | | Version | Supported by us | EOL | Supported by distribution | |
6 | | ------- | ------------------ | ---- | --------------------------- | 6 | | ------- | ------------------ | ---- | --------------------------- |
7 | | 0.9.62 | :heavy_check_mark: | | :white_check_mark: Debian 11 (testing/unstable), 10 **backports**; Ubuntu 20.04 | 7 | | 0.9.64 | :heavy_check_mark: | | :white_check_mark: Debian 10 **backports**, Debian 11 **backports**, Debian 12 (testing/unstable) |
8 | | 0.9.60 | :x: | | :white_check_mark: Ubuntu 19.10 | 8 | | 0.9.62 | :x: | | :white_check_mark: Ubuntu 20.04 LTS, Ubuntu 20.10 |
9 | | 0.9.58 | :x: | | :white_check_mark: Debian 9 **backports**, 10 | 9 | | 0.9.60 | :x: | 29 Dec 2019 | |
10 | | 0.9.58 | :x: | | :white_check_mark: Debian 9 **backports**, Debian 10 | ||
10 | | 0.9.56 | :x: | 27 Jan 2019 | | 11 | | 0.9.56 | :x: | 27 Jan 2019 | |
11 | | 0.9.54 | :x: | 18 Sep 2018 | | 12 | | 0.9.54 | :x: | 18 Sep 2018 | |
12 | | 0.9.52 | :x: | | :white_check_mark: Ubuntu 18.04 LTS | 13 | | 0.9.52 | :x: | | :white_check_mark: Ubuntu 18.04 LTS |
@@ -711,7 +711,6 @@ enable_option_checking | |||
711 | enable_analyzer | 711 | enable_analyzer |
712 | enable_apparmor | 712 | enable_apparmor |
713 | enable_dbusproxy | 713 | enable_dbusproxy |
714 | enable_overlayfs | ||
715 | enable_usertmpfs | 714 | enable_usertmpfs |
716 | enable_man | 715 | enable_man |
717 | enable_firetunnel | 716 | enable_firetunnel |
@@ -1367,7 +1366,6 @@ Optional Features: | |||
1367 | --enable-analyzer enable GCC 10 static analyzer | 1366 | --enable-analyzer enable GCC 10 static analyzer |
1368 | --enable-apparmor enable apparmor | 1367 | --enable-apparmor enable apparmor |
1369 | --disable-dbusproxy disable dbus proxy | 1368 | --disable-dbusproxy disable dbus proxy |
1370 | --disable-overlayfs disable overlayfs | ||
1371 | --disable-usertmpfs disable tmpfs as regular user | 1369 | --disable-usertmpfs disable tmpfs as regular user |
1372 | --disable-man disable man pages | 1370 | --disable-man disable man pages |
1373 | --disable-firetunnel disable firetunnel | 1371 | --disable-firetunnel disable firetunnel |
@@ -3530,20 +3528,18 @@ if test "x$enable_dbusproxy" != "xno"; then : | |||
3530 | 3528 | ||
3531 | fi | 3529 | fi |
3532 | 3530 | ||
3531 | # overlayfs features temporarely disabled pending fixes | ||
3533 | HAVE_OVERLAYFS="" | 3532 | HAVE_OVERLAYFS="" |
3534 | # Check whether --enable-overlayfs was given. | ||
3535 | if test "${enable_overlayfs+set}" = set; then : | ||
3536 | enableval=$enable_overlayfs; | ||
3537 | fi | ||
3538 | |||
3539 | if test "x$enable_overlayfs" != "xno"; then : | ||
3540 | |||
3541 | HAVE_OVERLAYFS="-DHAVE_OVERLAYFS" | ||
3542 | |||
3543 | 3533 | ||
3544 | fi | 3534 | # |
3545 | 3535 | #AC_ARG_ENABLE([overlayfs], | |
3546 | HAVE_USERTMPS="" | 3536 | # AS_HELP_STRING([--disable-overlayfs], [disable overlayfs])) |
3537 | #AS_IF([test "x$enable_overlayfs" != "xno"], [ | ||
3538 | # HAVE_OVERLAYFS="-DHAVE_OVERLAYFS" | ||
3539 | # AC_SUBST(HAVE_OVERLAYFS) | ||
3540 | #]) | ||
3541 | |||
3542 | HAVE_USERTMPFS="" | ||
3547 | # Check whether --enable-usertmpfs was given. | 3543 | # Check whether --enable-usertmpfs was given. |
3548 | if test "${enable_usertmpfs+set}" = set; then : | 3544 | if test "${enable_usertmpfs+set}" = set; then : |
3549 | enableval=$enable_usertmpfs; | 3545 | enableval=$enable_usertmpfs; |
diff --git a/configure.ac b/configure.ac index 5c2456a6a..aa2d0fb6b 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -66,15 +66,18 @@ AS_IF([test "x$enable_dbusproxy" != "xno"], [ | |||
66 | AC_SUBST(HAVE_DBUSPROXY) | 66 | AC_SUBST(HAVE_DBUSPROXY) |
67 | ]) | 67 | ]) |
68 | 68 | ||
69 | # overlayfs features temporarely disabled pending fixes | ||
69 | HAVE_OVERLAYFS="" | 70 | HAVE_OVERLAYFS="" |
70 | AC_ARG_ENABLE([overlayfs], | 71 | AC_SUBST(HAVE_OVERLAYFS) |
71 | AS_HELP_STRING([--disable-overlayfs], [disable overlayfs])) | 72 | # |
72 | AS_IF([test "x$enable_overlayfs" != "xno"], [ | 73 | #AC_ARG_ENABLE([overlayfs], |
73 | HAVE_OVERLAYFS="-DHAVE_OVERLAYFS" | 74 | # AS_HELP_STRING([--disable-overlayfs], [disable overlayfs])) |
74 | AC_SUBST(HAVE_OVERLAYFS) | 75 | #AS_IF([test "x$enable_overlayfs" != "xno"], [ |
75 | ]) | 76 | # HAVE_OVERLAYFS="-DHAVE_OVERLAYFS" |
76 | 77 | # AC_SUBST(HAVE_OVERLAYFS) | |
77 | HAVE_USERTMPS="" | 78 | #]) |
79 | |||
80 | HAVE_USERTMPFS="" | ||
78 | AC_ARG_ENABLE([usertmpfs], | 81 | AC_ARG_ENABLE([usertmpfs], |
79 | AS_HELP_STRING([--disable-usertmpfs], [disable tmpfs as regular user])) | 82 | AS_HELP_STRING([--disable-usertmpfs], [disable tmpfs as regular user])) |
80 | AS_IF([test "x$enable_usertmpfs" != "xno"], [ | 83 | AS_IF([test "x$enable_usertmpfs" != "xno"], [ |
diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim index 9563e62ef..65eb690ac 100644 --- a/contrib/vim/syntax/firejail.vim +++ b/contrib/vim/syntax/firejail.vim | |||
@@ -22,7 +22,7 @@ syn match fjProtocolList /,/ nextgroup=fjProtocol contained | |||
22 | 22 | ||
23 | " Syscalls grabbed from: src/include/syscall.h | 23 | " Syscalls grabbed from: src/include/syscall.h |
24 | " Generate list with: rg -o '"([^"]+)' -r '$1' src/include/syscall.h | sort -u | tr $'\n' ' ' | 24 | " Generate list with: rg -o '"([^"]+)' -r '$1' src/include/syscall.h | sort -u | tr $'\n' ' ' |
25 | syn keyword fjSyscall _llseek _newselect _sysctl accept accept4 access acct add_key adjtimex afs_syscall alarm arch_prctl bdflush bind bpf break brk capget capset chdir chmod chown chown32 chroot clock_adjtime clock_getres clock_gettime clock_nanosleep clock_settime clone close connect copy_file_range creat create_module delete_module dup dup2 dup3 epoll_create epoll_create1 epoll_ctl epoll_ctl_old epoll_pwait epoll_wait epoll_wait_old eventfd eventfd2 execve execveat exit exit_group faccessat fadvise64 fadvise64_64 fallocate fanotify_init fanotify_mark fchdir fchmod fchmodat fchown fchown32 fchownat fcntl fcntl64 fdatasync fgetxattr finit_module flistxattr flock fork fremovexattr fsetxattr fstat fstat64 fstatat64 fstatfs fstatfs64 fsync ftime ftruncate ftruncate64 futex futimesat get_kernel_syms get_mempolicy get_robust_list get_thread_area getcpu getcwd getdents getdents64 getegid getegid32 geteuid geteuid32 getgid getgid32 getgroups getgroups32 getitimer getpeername getpgid getpgrp getpid getpmsg getppid getpriority getrandom getresgid getresgid32 getresuid getresuid32 getrlimit getrusage getsid getsockname getsockopt gettid gettimeofday getuid getuid32 getxattr gtty idle init_module inotify_add_watch inotify_init inotify_init1 inotify_rm_watch io_cancel io_destroy io_getevents io_setup io_submit ioctl ioperm iopl ioprio_get ioprio_set ipc kcmp kexec_file_load kexec_load keyctl kill lchown lchown32 lgetxattr link linkat listen listxattr llistxattr lock lookup_dcookie lremovexattr lseek lsetxattr lstat lstat64 madvise mbind membarrier memfd_create migrate_pages mincore mkdir mkdirat mknod mknodat mlock mlock2 mlockall mmap mmap2 modify_ldt mount move_pages mprotect mpx mq_getsetattr mq_notify mq_open mq_timedreceive mq_timedsend mq_unlink mremap msgctl msgget msgrcv msgsnd msync munlock munlockall munmap name_to_handle_at nanosleep newfstatat nfsservctl nice oldfstat oldlstat oldolduname oldstat olduname open open_by_handle_at openat pause perf_event_open personality pipe pipe2 pivot_root pkey_alloc pkey_free pkey_mprotect poll ppoll prctl pread64 preadv preadv2 prlimit64 process_vm_readv process_vm_writev prof profil pselect6 ptrace putpmsg pwrite64 pwritev pwritev2 query_module quotactl read readahead readdir readlink readlinkat readv reboot recvfrom recvmmsg recvmsg remap_file_pages removexattr rename renameat renameat2 request_key restart_syscall rmdir rt_sigaction rt_sigpending rt_sigprocmask rt_sigqueueinfo rt_sigreturn rt_sigsuspend rt_sigtimedwait rt_tgsigqueueinfo sched_get_priority_max sched_get_priority_min sched_getaffinity sched_getattr sched_getparam sched_getscheduler sched_rr_get_interval sched_setaffinity sched_setattr sched_setparam sched_setscheduler sched_yield seccomp security select semctl semget semop semtimedop sendfile sendfile64 sendmmsg sendmsg sendto set_mempolicy set_robust_list set_thread_area set_tid_address setdomainname setfsgid setfsgid32 setfsuid setfsuid32 setgid setgid32 setgroups setgroups32 sethostname setitimer setns setpgid setpriority setregid setregid32 setresgid setresgid32 setresuid setresuid32 setreuid setreuid32 setrlimit setsid setsockopt settimeofday setuid setuid32 setxattr sgetmask shmat shmctl shmdt shmget shutdown sigaction sigaltstack signal signalfd signalfd4 sigpending sigprocmask sigreturn sigsuspend socket socketcall socketpair splice ssetmask stat stat64 statfs statfs64 statx stime stty swapoff swapon symlink symlinkat sync sync_file_range syncfs sysfs sysinfo syslog tee tgkill time timer_create timer_delete timer_getoverrun timer_gettime timer_settime timerfd_create timerfd_gettime timerfd_settime times tkill truncate truncate64 tuxcall ugetrlimit ulimit umask umount umount2 uname unlink unlinkat unshare uselib userfaultfd ustat utime utimensat utimes vfork vhangup vm86 vm86old vmsplice vserver wait4 waitid waitpid write writev nextgroup=fjSyscallErrno contained | 25 | syn keyword fjSyscall _llseek _newselect _sysctl accept accept4 access acct add_key adjtimex afs_syscall alarm arch_prctl bdflush bind bpf break brk capget capset chdir chmod chown chown32 chroot clock_adjtime clock_getres clock_gettime clock_nanosleep clock_settime clone close connect copy_file_range creat create_module delete_module dup dup2 dup3 epoll_create epoll_create1 epoll_ctl epoll_ctl_old epoll_pwait epoll_wait epoll_wait_old eventfd eventfd2 execve execveat exit exit_group faccessat faccessat2 fadvise64 fadvise64_64 fallocate fanotify_init fanotify_mark fchdir fchmod fchmodat fchown fchown32 fchownat fcntl fcntl64 fdatasync fgetxattr finit_module flistxattr flock fork fremovexattr fsetxattr fstat fstat64 fstatat64 fstatfs fstatfs64 fsync ftime ftruncate ftruncate64 futex futimesat get_kernel_syms get_mempolicy get_robust_list get_thread_area getcpu getcwd getdents getdents64 getegid getegid32 geteuid geteuid32 getgid getgid32 getgroups getgroups32 getitimer getpeername getpgid getpgrp getpid getpmsg getppid getpriority getrandom getresgid getresgid32 getresuid getresuid32 getrlimit getrusage getsid getsockname getsockopt gettid gettimeofday getuid getuid32 getxattr gtty idle init_module inotify_add_watch inotify_init inotify_init1 inotify_rm_watch io_cancel io_destroy io_getevents io_setup io_submit ioctl ioperm iopl ioprio_get ioprio_set ipc kcmp kexec_file_load kexec_load keyctl kill lchown lchown32 lgetxattr link linkat listen listxattr llistxattr lock lookup_dcookie lremovexattr lseek lsetxattr lstat lstat64 madvise mbind membarrier memfd_create migrate_pages mincore mkdir mkdirat mknod mknodat mlock mlock2 mlockall mmap mmap2 modify_ldt mount move_pages mprotect mpx mq_getsetattr mq_notify mq_open mq_timedreceive mq_timedsend mq_unlink mremap msgctl msgget msgrcv msgsnd msync munlock munlockall munmap name_to_handle_at nanosleep newfstatat nfsservctl nice oldfstat oldlstat oldolduname oldstat olduname open open_by_handle_at openat pause perf_event_open personality pipe pipe2 pivot_root pkey_alloc pkey_free pkey_mprotect poll ppoll prctl pread64 preadv preadv2 prlimit64 process_vm_readv process_vm_writev prof profil pselect6 ptrace putpmsg pwrite64 pwritev pwritev2 query_module quotactl read readahead readdir readlink readlinkat readv reboot recvfrom recvmmsg recvmsg remap_file_pages removexattr rename renameat renameat2 request_key restart_syscall rmdir rt_sigaction rt_sigpending rt_sigprocmask rt_sigqueueinfo rt_sigreturn rt_sigsuspend rt_sigtimedwait rt_tgsigqueueinfo sched_get_priority_max sched_get_priority_min sched_getaffinity sched_getattr sched_getparam sched_getscheduler sched_rr_get_interval sched_setaffinity sched_setattr sched_setparam sched_setscheduler sched_yield seccomp security select semctl semget semop semtimedop sendfile sendfile64 sendmmsg sendmsg sendto set_mempolicy set_robust_list set_thread_area set_tid_address setdomainname setfsgid setfsgid32 setfsuid setfsuid32 setgid setgid32 setgroups setgroups32 sethostname setitimer setns setpgid setpriority setregid setregid32 setresgid setresgid32 setresuid setresuid32 setreuid setreuid32 setrlimit setsid setsockopt settimeofday setuid setuid32 setxattr sgetmask shmat shmctl shmdt shmget shutdown sigaction sigaltstack signal signalfd signalfd4 sigpending sigprocmask sigreturn sigsuspend socket socketcall socketpair splice ssetmask stat stat64 statfs statfs64 statx stime stty swapoff swapon symlink symlinkat sync sync_file_range syncfs sysfs sysinfo syslog tee tgkill time timer_create timer_delete timer_getoverrun timer_gettime timer_settime timerfd_create timerfd_gettime timerfd_settime times tkill truncate truncate64 tuxcall ugetrlimit ulimit umask umount umount2 uname unlink unlinkat unshare uselib userfaultfd ustat utime utimensat utimes vfork vhangup vm86 vm86old vmsplice vserver wait4 waitid waitpid write writev nextgroup=fjSyscallErrno contained |
26 | " Syscall groups grabbed from: src/fseccomp/syscall.c | 26 | " Syscall groups grabbed from: src/fseccomp/syscall.c |
27 | " Generate list with: rg -o '"@([^",]+)' -r '$1' src/fseccomp/syscall.c | sort -u | tr $'\n' '|' | 27 | " Generate list with: rg -o '"@([^",]+)' -r '$1' src/fseccomp/syscall.c | sort -u | tr $'\n' '|' |
28 | syn match fjSyscall /\v\@(clock|cpu-emulation|debug|default|default-keep|default-nodebuggers|module|obsolete|privileged|raw-io|reboot|resources|swap)>/ nextgroup=fjSyscallErrno contained | 28 | syn match fjSyscall /\v\@(clock|cpu-emulation|debug|default|default-keep|default-nodebuggers|module|obsolete|privileged|raw-io|reboot|resources|swap)>/ nextgroup=fjSyscallErrno contained |
diff --git a/etc/inc/allow-bin-sh.inc b/etc/inc/allow-bin-sh.inc new file mode 100644 index 000000000..d6c295414 --- /dev/null +++ b/etc/inc/allow-bin-sh.inc | |||
@@ -0,0 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include allow-bin-sh.local | ||
4 | |||
5 | noblacklist ${PATH}/bash | ||
6 | noblacklist ${PATH}/dash | ||
7 | noblacklist ${PATH}/sh | ||
diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc index 7cd087b14..41643657d 100644 --- a/etc/inc/allow-common-devel.inc +++ b/etc/inc/allow-common-devel.inc | |||
@@ -11,6 +11,15 @@ noblacklist ${HOME}/.git-credentials | |||
11 | noblacklist ${HOME}/.gradle | 11 | noblacklist ${HOME}/.gradle |
12 | noblacklist ${HOME}/.java | 12 | noblacklist ${HOME}/.java |
13 | 13 | ||
14 | # Node.js | ||
15 | noblacklist ${HOME}/.node-gyp | ||
16 | noblacklist ${HOME}/.npm | ||
17 | noblacklist ${HOME}/.npmrc | ||
18 | noblacklist ${HOME}/.yarn | ||
19 | noblacklist ${HOME}/.yarn-config | ||
20 | noblacklist ${HOME}/.yarncache | ||
21 | noblacklist ${HOME}/.yarnrc | ||
22 | |||
14 | # Python | 23 | # Python |
15 | noblacklist ${HOME}/.pylint.d | 24 | noblacklist ${HOME}/.pylint.d |
16 | noblacklist ${HOME}/.python-history | 25 | noblacklist ${HOME}/.python-history |
diff --git a/etc/inc/allow-gjs.inc b/etc/inc/allow-gjs.inc index f4f9926cd..c1366e093 100644 --- a/etc/inc/allow-gjs.inc +++ b/etc/inc/allow-gjs.inc | |||
@@ -5,7 +5,8 @@ include allow-gjs.local | |||
5 | noblacklist ${PATH}/gjs | 5 | noblacklist ${PATH}/gjs |
6 | noblacklist ${PATH}/gjs-console | 6 | noblacklist ${PATH}/gjs-console |
7 | noblacklist /usr/lib/gjs | 7 | noblacklist /usr/lib/gjs |
8 | noblacklist /usr/lib64/gjs | ||
9 | noblacklist /usr/lib/libgjs* | 8 | noblacklist /usr/lib/libgjs* |
9 | noblacklist /usr/lib/libmozjs-* | ||
10 | noblacklist /usr/lib64/gjs | ||
10 | noblacklist /usr/lib64/libgjs* | 11 | noblacklist /usr/lib64/libgjs* |
11 | noblacklist /usr/lib64/libmozjs-* | 12 | noblacklist /usr/lib64/libmozjs-* |
diff --git a/etc/inc/allow-nodejs.inc b/etc/inc/allow-nodejs.inc new file mode 100644 index 000000000..78a4bed80 --- /dev/null +++ b/etc/inc/allow-nodejs.inc | |||
@@ -0,0 +1,6 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include allow-nodejs.local | ||
4 | |||
5 | noblacklist ${PATH}/node | ||
6 | noblacklist /usr/include/node | ||
diff --git a/etc/inc/allow-ssh.inc b/etc/inc/allow-ssh.inc new file mode 100644 index 000000000..67c78a483 --- /dev/null +++ b/etc/inc/allow-ssh.inc | |||
@@ -0,0 +1,8 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include allow-ssh.local | ||
4 | |||
5 | noblacklist ${HOME}/.ssh | ||
6 | noblacklist /etc/ssh | ||
7 | noblacklist /etc/ssh/ssh_config | ||
8 | noblacklist /tmp/ssh-* | ||
diff --git a/etc/inc/archiver-common.inc b/etc/inc/archiver-common.inc index 9812e3ebb..74b0b6ef6 100644 --- a/etc/inc/archiver-common.inc +++ b/etc/inc/archiver-common.inc | |||
@@ -6,20 +6,24 @@ include archiver-common.local | |||
6 | 6 | ||
7 | blacklist ${RUNUSER} | 7 | blacklist ${RUNUSER} |
8 | 8 | ||
9 | # WARNING: | 9 | # WARNING: Users can (un)restrict file access for **all** archivers by |
10 | # Users can (un)restrict file access for **all** archivers by commenting/uncommenting the needed | 10 | # commenting/uncommenting the needed include file(s) here or by putting those |
11 | # include file(s) here or by putting those into archiver-common.local. | 11 | # into archiver-common.local. |
12 | # Another option is to do this **per archiver** in the relevant <archiver>.local. | 12 | # |
13 | # Just beware that things tend to break when overtightening profiles. For example, because you only | 13 | # Another option is to do this **per archiver** in the relevant |
14 | # need to (un)compress files in ${DOWNLOADS}, other applications may need access to ${HOME}/.local/share. | 14 | # <archiver>.local. Just beware that things tend to break when overtightening |
15 | 15 | # profiles. For example, because you only need to (un)compress files in | |
16 | # Uncomment the next line (or put it into your archiver-common.local) if you don't need to compress files in disable-common.inc. | 16 | # ${DOWNLOADS}, other applications may need access to ${HOME}/.local/share. |
17 | |||
18 | # Uncomment the next line (or put it into your archiver-common.local) if you | ||
19 | # don't need to compress files in disable-common.inc. | ||
17 | #include disable-common.inc | 20 | #include disable-common.inc |
18 | include disable-devel.inc | 21 | include disable-devel.inc |
19 | include disable-exec.inc | 22 | include disable-exec.inc |
20 | include disable-interpreters.inc | 23 | include disable-interpreters.inc |
21 | include disable-passwdmgr.inc | 24 | include disable-passwdmgr.inc |
22 | # Uncomment the next line (or put it into your archiver-common.local) if you don't need to compress files in disable-programs.inc. | 25 | # Uncomment the next line (or put it into your archiver-common.local) if you |
26 | # don't need to compress files in disable-programs.inc. | ||
23 | #include disable-programs.inc | 27 | #include disable-programs.inc |
24 | include disable-shell.inc | 28 | include disable-shell.inc |
25 | 29 | ||
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index d88506d90..d724e3b52 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc | |||
@@ -291,7 +291,15 @@ read-only ${HOME}/.zshrc | |||
291 | read-only ${HOME}/.zshrc.local | 291 | read-only ${HOME}/.zshrc.local |
292 | 292 | ||
293 | # Remote access | 293 | # Remote access |
294 | read-only ${HOME}/.ssh/authorized_keys | 294 | blacklist ${HOME}/.rhosts |
295 | blacklist ${HOME}/.shosts | ||
296 | blacklist ${HOME}/.ssh/authorized_keys | ||
297 | blacklist ${HOME}/.ssh/authorized_keys2 | ||
298 | blacklist ${HOME}/.ssh/environment | ||
299 | blacklist ${HOME}/.ssh/rc | ||
300 | blacklist /etc/hosts.equiv | ||
301 | read-only ${HOME}/.ssh/config | ||
302 | read-only ${HOME}/.ssh/config.d | ||
295 | 303 | ||
296 | # Initialization files that allow arbitrary command execution | 304 | # Initialization files that allow arbitrary command execution |
297 | read-only ${HOME}/.caffrc | 305 | read-only ${HOME}/.caffrc |
@@ -310,6 +318,7 @@ read-only ${HOME}/.msmtprc | |||
310 | read-only ${HOME}/.mutt/muttrc | 318 | read-only ${HOME}/.mutt/muttrc |
311 | read-only ${HOME}/.muttrc | 319 | read-only ${HOME}/.muttrc |
312 | read-only ${HOME}/.nano | 320 | read-only ${HOME}/.nano |
321 | read-only ${HOME}/.npmrc | ||
313 | read-only ${HOME}/.pythonrc.py | 322 | read-only ${HOME}/.pythonrc.py |
314 | read-only ${HOME}/.reportbugrc | 323 | read-only ${HOME}/.reportbugrc |
315 | read-only ${HOME}/.tmux.conf | 324 | read-only ${HOME}/.tmux.conf |
@@ -318,6 +327,7 @@ read-only ${HOME}/.viminfo | |||
318 | read-only ${HOME}/.vimrc | 327 | read-only ${HOME}/.vimrc |
319 | read-only ${HOME}/.xmonad | 328 | read-only ${HOME}/.xmonad |
320 | read-only ${HOME}/.xscreensaver | 329 | read-only ${HOME}/.xscreensaver |
330 | read-only ${HOME}/.yarnrc | ||
321 | read-only ${HOME}/_exrc | 331 | read-only ${HOME}/_exrc |
322 | read-only ${HOME}/_gvimrc | 332 | read-only ${HOME}/_gvimrc |
323 | read-only ${HOME}/_vimrc | 333 | read-only ${HOME}/_vimrc |
@@ -345,6 +355,9 @@ read-only ${HOME}/.local/share/mime | |||
345 | # Write-protection for thumbnailer dir | 355 | # Write-protection for thumbnailer dir |
346 | read-only ${HOME}/.local/share/thumbnailers | 356 | read-only ${HOME}/.local/share/thumbnailers |
347 | 357 | ||
358 | # prevent access to ssh-agent | ||
359 | blacklist /tmp/ssh-* | ||
360 | |||
348 | # top secret | 361 | # top secret |
349 | blacklist ${HOME}/*.kdb | 362 | blacklist ${HOME}/*.kdb |
350 | blacklist ${HOME}/*.kdbx | 363 | blacklist ${HOME}/*.kdbx |
@@ -391,6 +404,7 @@ blacklist /etc/shadow | |||
391 | blacklist /etc/shadow+ | 404 | blacklist /etc/shadow+ |
392 | blacklist /etc/shadow- | 405 | blacklist /etc/shadow- |
393 | blacklist /etc/ssh | 406 | blacklist /etc/ssh |
407 | blacklist /etc/ssh/* | ||
394 | blacklist /home/.ecryptfs | 408 | blacklist /home/.ecryptfs |
395 | blacklist /home/.fscrypt | 409 | blacklist /home/.fscrypt |
396 | blacklist /var/backup | 410 | blacklist /var/backup |
diff --git a/etc/inc/disable-interpreters.inc b/etc/inc/disable-interpreters.inc index 4f6f71098..5d8a236fb 100644 --- a/etc/inc/disable-interpreters.inc +++ b/etc/inc/disable-interpreters.inc | |||
@@ -6,8 +6,8 @@ include disable-interpreters.local | |||
6 | blacklist ${PATH}/gjs | 6 | blacklist ${PATH}/gjs |
7 | blacklist ${PATH}/gjs-console | 7 | blacklist ${PATH}/gjs-console |
8 | blacklist /usr/lib/gjs | 8 | blacklist /usr/lib/gjs |
9 | blacklist /usr/lib64/gjs | ||
10 | blacklist /usr/lib/libgjs* | 9 | blacklist /usr/lib/libgjs* |
10 | blacklist /usr/lib64/gjs | ||
11 | blacklist /usr/lib64/libgjs* | 11 | blacklist /usr/lib64/libgjs* |
12 | 12 | ||
13 | # Lua | 13 | # Lua |
@@ -20,6 +20,7 @@ blacklist /usr/lib64/lua | |||
20 | blacklist /usr/share/lua* | 20 | blacklist /usr/share/lua* |
21 | 21 | ||
22 | # mozjs | 22 | # mozjs |
23 | blacklist /usr/lib/libmozjs-* | ||
23 | blacklist /usr/lib64/libmozjs-* | 24 | blacklist /usr/lib64/libmozjs-* |
24 | 25 | ||
25 | # Node.js | 26 | # Node.js |
@@ -30,8 +31,8 @@ blacklist /usr/include/node | |||
30 | blacklist ${HOME}/.nvm | 31 | blacklist ${HOME}/.nvm |
31 | 32 | ||
32 | # Perl | 33 | # Perl |
33 | blacklist ${PATH}/cpan* | ||
34 | blacklist ${PATH}/core_perl | 34 | blacklist ${PATH}/core_perl |
35 | blacklist ${PATH}/cpan* | ||
35 | blacklist ${PATH}/perl | 36 | blacklist ${PATH}/perl |
36 | blacklist ${PATH}/site_perl | 37 | blacklist ${PATH}/site_perl |
37 | blacklist ${PATH}/vendor_perl | 38 | blacklist ${PATH}/vendor_perl |
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 7ab11e620..05f82170d 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
@@ -50,6 +50,7 @@ blacklist ${HOME}/.asunder_album_title | |||
50 | blacklist ${HOME}/.atom | 50 | blacklist ${HOME}/.atom |
51 | blacklist ${HOME}/.attic | 51 | blacklist ${HOME}/.attic |
52 | blacklist ${HOME}/.audacity-data | 52 | blacklist ${HOME}/.audacity-data |
53 | blacklist ${HOME}/.avidemux6 | ||
53 | blacklist ${HOME}/.balsa | 54 | blacklist ${HOME}/.balsa |
54 | blacklist ${HOME}/.bcast5 | 55 | blacklist ${HOME}/.bcast5 |
55 | blacklist ${HOME}/.bibletime | 56 | blacklist ${HOME}/.bibletime |
@@ -158,6 +159,7 @@ blacklist ${HOME}/.config/asunder | |||
158 | blacklist ${HOME}/.config/atril | 159 | blacklist ${HOME}/.config/atril |
159 | blacklist ${HOME}/.config/audacious | 160 | blacklist ${HOME}/.config/audacious |
160 | blacklist ${HOME}/.config/autokey | 161 | blacklist ${HOME}/.config/autokey |
162 | blacklist ${HOME}/.config/avidemux3_qt5rc | ||
161 | blacklist ${HOME}/.config/aweather | 163 | blacklist ${HOME}/.config/aweather |
162 | blacklist ${HOME}/.config/backintime | 164 | blacklist ${HOME}/.config/backintime |
163 | blacklist ${HOME}/.config/baloofilerc | 165 | blacklist ${HOME}/.config/baloofilerc |
@@ -191,6 +193,7 @@ blacklist ${HOME}/.config/cmus | |||
191 | blacklist ${HOME}/.config/com.github.bleakgrey.tootle | 193 | blacklist ${HOME}/.config/com.github.bleakgrey.tootle |
192 | blacklist ${HOME}/.config/corebird | 194 | blacklist ${HOME}/.config/corebird |
193 | blacklist ${HOME}/.config/cower | 195 | blacklist ${HOME}/.config/cower |
196 | blacklist ${HOME}/.config/coyim | ||
194 | blacklist ${HOME}/.config/darktable | 197 | blacklist ${HOME}/.config/darktable |
195 | blacklist ${HOME}/.config/deadbeef | 198 | blacklist ${HOME}/.config/deadbeef |
196 | blacklist ${HOME}/.config/deluge | 199 | blacklist ${HOME}/.config/deluge |
@@ -253,6 +256,7 @@ blacklist ${HOME}/.config/google-chrome-unstable | |||
253 | blacklist ${HOME}/.config/gpicview | 256 | blacklist ${HOME}/.config/gpicview |
254 | blacklist ${HOME}/.config/gthumb | 257 | blacklist ${HOME}/.config/gthumb |
255 | blacklist ${HOME}/.config/gummi | 258 | blacklist ${HOME}/.config/gummi |
259 | blacklist ${HOME}/.config/guvcview2 | ||
256 | blacklist ${HOME}/.config/gwenviewrc | 260 | blacklist ${HOME}/.config/gwenviewrc |
257 | blacklist ${HOME}/.config/hexchat | 261 | blacklist ${HOME}/.config/hexchat |
258 | blacklist ${HOME}/.config/homebank | 262 | blacklist ${HOME}/.config/homebank |
@@ -274,6 +278,8 @@ blacklist ${HOME}/.config/katevirc | |||
274 | blacklist ${HOME}/.config/kazam | 278 | blacklist ${HOME}/.config/kazam |
275 | blacklist ${HOME}/.config/kdeconnect | 279 | blacklist ${HOME}/.config/kdeconnect |
276 | blacklist ${HOME}/.config/kdenliverc | 280 | blacklist ${HOME}/.config/kdenliverc |
281 | blacklist ${HOME}/.config/kdiff3fileitemactionrc | ||
282 | blacklist ${HOME}/.config/kdiff3rc | ||
277 | blacklist ${HOME}/.config/kfindrc | 283 | blacklist ${HOME}/.config/kfindrc |
278 | blacklist ${HOME}/.config/kgetrc | 284 | blacklist ${HOME}/.config/kgetrc |
279 | blacklist ${HOME}/.config/kid3rc | 285 | blacklist ${HOME}/.config/kid3rc |
@@ -318,11 +324,13 @@ blacklist ${HOME}/.config/mpd | |||
318 | blacklist ${HOME}/.config/mps-youtube | 324 | blacklist ${HOME}/.config/mps-youtube |
319 | blacklist ${HOME}/.config/mpv | 325 | blacklist ${HOME}/.config/mpv |
320 | blacklist ${HOME}/.config/mupen64plus | 326 | blacklist ${HOME}/.config/mupen64plus |
327 | blacklist ${HOME}/.config/mutt | ||
321 | blacklist ${HOME}/.config/mutter | 328 | blacklist ${HOME}/.config/mutter |
322 | blacklist ${HOME}/.config/mypaint | 329 | blacklist ${HOME}/.config/mypaint |
323 | blacklist ${HOME}/.config/nano | 330 | blacklist ${HOME}/.config/nano |
324 | blacklist ${HOME}/.config/nautilus | 331 | blacklist ${HOME}/.config/nautilus |
325 | blacklist ${HOME}/.config/nemo | 332 | blacklist ${HOME}/.config/nemo |
333 | blacklist ${HOME}/.config/neomutt | ||
326 | blacklist ${HOME}/.config/netsurf | 334 | blacklist ${HOME}/.config/netsurf |
327 | blacklist ${HOME}/.config/newsbeuter | 335 | blacklist ${HOME}/.config/newsbeuter |
328 | blacklist ${HOME}/.config/newsflash | 336 | blacklist ${HOME}/.config/newsflash |
@@ -340,6 +348,7 @@ blacklist ${HOME}/.config/opera | |||
340 | blacklist ${HOME}/.config/opera-beta | 348 | blacklist ${HOME}/.config/opera-beta |
341 | blacklist ${HOME}/.config/orage | 349 | blacklist ${HOME}/.config/orage |
342 | blacklist ${HOME}/.config/org.gabmus.gfeeds.json | 350 | blacklist ${HOME}/.config/org.gabmus.gfeeds.json |
351 | blacklist ${HOME}/.config/org.gabmus.gfeeds.saved_articles | ||
343 | blacklist ${HOME}/.config/org.kde.gwenviewrc | 352 | blacklist ${HOME}/.config/org.kde.gwenviewrc |
344 | blacklist ${HOME}/.config/otter | 353 | blacklist ${HOME}/.config/otter |
345 | blacklist ${HOME}/.config/pavucontrol-qt | 354 | blacklist ${HOME}/.config/pavucontrol-qt |
@@ -357,6 +366,7 @@ blacklist ${HOME}/.config/psi | |||
357 | blacklist ${HOME}/.config/psi+ | 366 | blacklist ${HOME}/.config/psi+ |
358 | blacklist ${HOME}/.config/qBittorrent | 367 | blacklist ${HOME}/.config/qBittorrent |
359 | blacklist ${HOME}/.config/qBittorrentrc | 368 | blacklist ${HOME}/.config/qBittorrentrc |
369 | blacklist ${HOME}/.config/qnapi.ini | ||
360 | blacklist ${HOME}/.config/qpdfview | 370 | blacklist ${HOME}/.config/qpdfview |
361 | blacklist ${HOME}/.config/qupzilla | 371 | blacklist ${HOME}/.config/qupzilla |
362 | blacklist ${HOME}/.config/qutebrowser | 372 | blacklist ${HOME}/.config/qutebrowser |
@@ -395,6 +405,8 @@ blacklist ${HOME}/.config/tox | |||
395 | blacklist ${HOME}/.config/transgui | 405 | blacklist ${HOME}/.config/transgui |
396 | blacklist ${HOME}/.config/transmission | 406 | blacklist ${HOME}/.config/transmission |
397 | blacklist ${HOME}/.config/truecraft | 407 | blacklist ${HOME}/.config/truecraft |
408 | blacklist ${HOME}/.config/tuta_integration | ||
409 | blacklist ${HOME}/.config/tutanota-desktop | ||
398 | blacklist ${HOME}/.config/tvbrowser | 410 | blacklist ${HOME}/.config/tvbrowser |
399 | blacklist ${HOME}/.config/uGet | 411 | blacklist ${HOME}/.config/uGet |
400 | blacklist ${HOME}/.config/ungoogled-chromium | 412 | blacklist ${HOME}/.config/ungoogled-chromium |
@@ -465,10 +477,7 @@ blacklist ${HOME}/.gimp* | |||
465 | blacklist ${HOME}/.gist | 477 | blacklist ${HOME}/.gist |
466 | blacklist ${HOME}/.gitconfig | 478 | blacklist ${HOME}/.gitconfig |
467 | blacklist ${HOME}/.gnome/gnome-schedule | 479 | blacklist ${HOME}/.gnome/gnome-schedule |
468 | blacklist ${HOME}/.googleearth/Cache | 480 | blacklist ${HOME}/.googleearth |
469 | blacklist ${HOME}/.googleearth/Temp | ||
470 | blacklist ${HOME}/.googleearth/myplaces.backup.kml | ||
471 | blacklist ${HOME}/.googleearth/myplaces.kml | ||
472 | blacklist ${HOME}/.gradle | 481 | blacklist ${HOME}/.gradle |
473 | blacklist ${HOME}/.gramps | 482 | blacklist ${HOME}/.gramps |
474 | blacklist ${HOME}/.guayadeque | 483 | blacklist ${HOME}/.guayadeque |
@@ -598,7 +607,9 @@ blacklist ${HOME}/.local/share/baloo | |||
598 | blacklist ${HOME}/.local/share/barrier | 607 | blacklist ${HOME}/.local/share/barrier |
599 | blacklist ${HOME}/.local/share/bibletime | 608 | blacklist ${HOME}/.local/share/bibletime |
600 | blacklist ${HOME}/.local/share/bijiben | 609 | blacklist ${HOME}/.local/share/bijiben |
610 | blacklist ${HOME}/.local/share/bohemiainteractive | ||
601 | blacklist ${HOME}/.local/share/caja-python | 611 | blacklist ${HOME}/.local/share/caja-python |
612 | blacklist ${HOME}/.local/share/calligragemini | ||
602 | blacklist ${HOME}/.local/share/cantata | 613 | blacklist ${HOME}/.local/share/cantata |
603 | blacklist ${HOME}/.local/share/cdprojektred | 614 | blacklist ${HOME}/.local/share/cdprojektred |
604 | blacklist ${HOME}/.local/share/clipit | 615 | blacklist ${HOME}/.local/share/clipit |
@@ -707,6 +718,7 @@ blacklist ${HOME}/.local/share/remmina | |||
707 | blacklist ${HOME}/.local/share/rhythmbox | 718 | blacklist ${HOME}/.local/share/rhythmbox |
708 | blacklist ${HOME}/.local/share/rtv | 719 | blacklist ${HOME}/.local/share/rtv |
709 | blacklist ${HOME}/.local/share/scribus | 720 | blacklist ${HOME}/.local/share/scribus |
721 | blacklist ${HOME}/.local/share/shotwell | ||
710 | blacklist ${HOME}/.local/share/signal-cli | 722 | blacklist ${HOME}/.local/share/signal-cli |
711 | blacklist ${HOME}/.local/share/sink | 723 | blacklist ${HOME}/.local/share/sink |
712 | blacklist ${HOME}/.local/share/smuxi | 724 | blacklist ${HOME}/.local/share/smuxi |
@@ -758,6 +770,9 @@ blacklist ${HOME}/.neverball | |||
758 | blacklist ${HOME}/.newsbeuter | 770 | blacklist ${HOME}/.newsbeuter |
759 | blacklist ${HOME}/.newsboat | 771 | blacklist ${HOME}/.newsboat |
760 | blacklist ${HOME}/.nicotine | 772 | blacklist ${HOME}/.nicotine |
773 | blacklist ${HOME}/.node-gyp | ||
774 | blacklist ${HOME}/.npm | ||
775 | blacklist ${HOME}/.npmrc | ||
761 | blacklist ${HOME}/.nv | 776 | blacklist ${HOME}/.nv |
762 | blacklist ${HOME}/.nylas-mail | 777 | blacklist ${HOME}/.nylas-mail |
763 | blacklist ${HOME}/.openarena | 778 | blacklist ${HOME}/.openarena |
@@ -844,9 +859,12 @@ blacklist ${HOME}/.xmr-stak | |||
844 | blacklist ${HOME}/.xonotic | 859 | blacklist ${HOME}/.xonotic |
845 | blacklist ${HOME}/.xournalpp | 860 | blacklist ${HOME}/.xournalpp |
846 | blacklist ${HOME}/.xpdfrc | 861 | blacklist ${HOME}/.xpdfrc |
862 | blacklist ${HOME}/.yarn | ||
863 | blacklist ${HOME}/.yarn-config | ||
864 | blacklist ${HOME}/.yarncache | ||
865 | blacklist ${HOME}/.yarnrc | ||
847 | blacklist ${HOME}/.zoom | 866 | blacklist ${HOME}/.zoom |
848 | blacklist /tmp/akonadi-* | 867 | blacklist /tmp/akonadi-* |
849 | blacklist /tmp/ssh-* | ||
850 | blacklist /tmp/.wine-* | 868 | blacklist /tmp/.wine-* |
851 | blacklist /var/games/nethack | 869 | blacklist /var/games/nethack |
852 | blacklist /var/games/slashem | 870 | blacklist /var/games/slashem |
@@ -902,6 +920,7 @@ blacklist ${HOME}/.cache/evolution | |||
902 | blacklist ${HOME}/.cache/falkon | 920 | blacklist ${HOME}/.cache/falkon |
903 | blacklist ${HOME}/.cache/feedreader | 921 | blacklist ${HOME}/.cache/feedreader |
904 | blacklist ${HOME}/.cache/flaska.net/trojita | 922 | blacklist ${HOME}/.cache/flaska.net/trojita |
923 | blacklist ${HOME}/.cache/folks | ||
905 | blacklist ${HOME}/.cache/font-manager | 924 | blacklist ${HOME}/.cache/font-manager |
906 | blacklist ${HOME}/.cache/fossamail | 925 | blacklist ${HOME}/.cache/fossamail |
907 | blacklist ${HOME}/.cache/fractal | 926 | blacklist ${HOME}/.cache/fractal |
@@ -948,6 +967,7 @@ blacklist ${HOME}/.cache/librewolf | |||
948 | blacklist ${HOME}/.cache/liferea | 967 | blacklist ${HOME}/.cache/liferea |
949 | blacklist ${HOME}/.cache/lutris | 968 | blacklist ${HOME}/.cache/lutris |
950 | blacklist ${HOME}/.cache/Mendeley Ltd. | 969 | blacklist ${HOME}/.cache/Mendeley Ltd. |
970 | blacklist ${HOME}/.cache/marker | ||
951 | blacklist ${HOME}/.cache/matrix-mirage | 971 | blacklist ${HOME}/.cache/matrix-mirage |
952 | blacklist ${HOME}/.cache/microsoft-edge-dev | 972 | blacklist ${HOME}/.cache/microsoft-edge-dev |
953 | blacklist ${HOME}/.cache/midori | 973 | blacklist ${HOME}/.cache/midori |
@@ -983,6 +1003,7 @@ blacklist ${HOME}/.cache/qBittorrent | |||
983 | blacklist ${HOME}/.cache/qupzilla | 1003 | blacklist ${HOME}/.cache/qupzilla |
984 | blacklist ${HOME}/.cache/qutebrowser | 1004 | blacklist ${HOME}/.cache/qutebrowser |
985 | blacklist ${HOME}/.cache/rhythmbox | 1005 | blacklist ${HOME}/.cache/rhythmbox |
1006 | blacklist ${HOME}/.cache/shotwell | ||
986 | blacklist ${HOME}/.cache/simple-scan | 1007 | blacklist ${HOME}/.cache/simple-scan |
987 | blacklist ${HOME}/.cache/slimjet | 1008 | blacklist ${HOME}/.cache/slimjet |
988 | blacklist ${HOME}/.cache/smuxi | 1009 | blacklist ${HOME}/.cache/smuxi |
diff --git a/etc/inc/firefox-common-addons.inc b/etc/inc/firefox-common-addons.inc index 03f09fece..ca7731442 100644 --- a/etc/inc/firefox-common-addons.inc +++ b/etc/inc/firefox-common-addons.inc | |||
@@ -58,11 +58,12 @@ whitelist ${HOME}/.wine-pipelight64 | |||
58 | whitelist ${HOME}/.zotero | 58 | whitelist ${HOME}/.zotero |
59 | whitelist ${HOME}/dwhelper | 59 | whitelist ${HOME}/dwhelper |
60 | 60 | ||
61 | # GNOME Shell integration (chrome-gnome-shell) needs dbus and python 3 (blacklisted by disable-interpreters.inc) | 61 | # GNOME Shell integration (chrome-gnome-shell) needs dbus and python |
62 | noblacklist ${HOME}/.local/share/gnome-shell | 62 | noblacklist ${HOME}/.local/share/gnome-shell |
63 | whitelist ${HOME}/.local/share/gnome-shell | 63 | whitelist ${HOME}/.local/share/gnome-shell |
64 | ignore dbus-user none | 64 | ignore dbus-user none |
65 | ignore dbus-system none | 65 | ignore dbus-system none |
66 | # Allow python (blacklisted by disable-interpreters.inc) | ||
66 | include allow-python3.inc | 67 | include allow-python3.inc |
67 | 68 | ||
68 | # KeePassXC Browser Integration | 69 | # KeePassXC Browser Integration |
diff --git a/etc/inc/whitelist-usr-share-common.inc b/etc/inc/whitelist-usr-share-common.inc index 45e988602..fe0097934 100644 --- a/etc/inc/whitelist-usr-share-common.inc +++ b/etc/inc/whitelist-usr-share-common.inc | |||
@@ -61,6 +61,7 @@ whitelist /usr/share/texlive | |||
61 | whitelist /usr/share/texmf | 61 | whitelist /usr/share/texmf |
62 | whitelist /usr/share/themes | 62 | whitelist /usr/share/themes |
63 | whitelist /usr/share/thumbnail.so | 63 | whitelist /usr/share/thumbnail.so |
64 | whitelist /usr/share/uim | ||
64 | whitelist /usr/share/vulkan | 65 | whitelist /usr/share/vulkan |
65 | whitelist /usr/share/X11 | 66 | whitelist /usr/share/X11 |
66 | whitelist /usr/share/xml | 67 | whitelist /usr/share/xml |
diff --git a/etc/net/nolocal6.net b/etc/net/nolocal6.net new file mode 100644 index 000000000..5a6678d03 --- /dev/null +++ b/etc/net/nolocal6.net | |||
@@ -0,0 +1,41 @@ | |||
1 | *filter | ||
2 | :INPUT DROP [0:0] | ||
3 | :FORWARD DROP [0:0] | ||
4 | :OUTPUT ACCEPT [0:0] | ||
5 | |||
6 | ################################################################### | ||
7 | # Client filter rejecting local network traffic, with the exception of | ||
8 | # DNS traffic | ||
9 | # | ||
10 | # Usage: | ||
11 | # firejail --net=eth0 --netfilter6=/etc/firejail/nolocal6.net firefox | ||
12 | # | ||
13 | ################################################################### | ||
14 | |||
15 | #allow all loopback traffic | ||
16 | -A INPUT -i lo -j ACCEPT | ||
17 | |||
18 | # no incoming connections | ||
19 | -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
20 | |||
21 | # allow ping etc. | ||
22 | -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT | ||
23 | -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type time-exceeded -j ACCEPT | ||
24 | -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT | ||
25 | # required for ipv6 | ||
26 | -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j ACCEPT | ||
27 | -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -j ACCEPT | ||
28 | -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -j ACCEPT | ||
29 | -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -j ACCEPT | ||
30 | |||
31 | # accept dns requests going out to a server on the local network | ||
32 | -A OUTPUT -p udp --dport 53 -j ACCEPT | ||
33 | |||
34 | # drop all local network traffic | ||
35 | -A OUTPUT -d FC00::/7 -j DROP | ||
36 | |||
37 | # drop multicast traffic | ||
38 | # required for ipv6 | ||
39 | -A OUTPUT -d ff02::2 -j ACCEPT | ||
40 | -A OUTPUT -d ff00::/8 -j DROP | ||
41 | COMMIT | ||
diff --git a/etc/profile-a-l/7z.profile b/etc/profile-a-l/7z.profile index 76492c339..b2294c070 100644 --- a/etc/profile-a-l/7z.profile +++ b/etc/profile-a-l/7z.profile | |||
@@ -7,5 +7,8 @@ include 7z.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | # Included in archiver-common.inc | ||
10 | ignore include disable-shell.inc | 11 | ignore include disable-shell.inc |
12 | |||
13 | # Redirect | ||
11 | include archiver-common.inc | 14 | include archiver-common.inc |
diff --git a/etc/profile-a-l/Builder.profile b/etc/profile-a-l/Builder.profile index 54b437441..e97267bbc 100644 --- a/etc/profile-a-l/Builder.profile +++ b/etc/profile-a-l/Builder.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile for gnome-builder | 1 | # Firejail profile for gnome-builder |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include Builder.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Temporary fix for https://github.com/netblue30/firejail/issues/2624 | 9 | # Temporary fix for https://github.com/netblue30/firejail/issues/2624 |
5 | # Redirect | 10 | # Redirect |
diff --git a/etc/profile-a-l/Cheese.profile b/etc/profile-a-l/Cheese.profile index 5bb5064f0..32aeb4f69 100644 --- a/etc/profile-a-l/Cheese.profile +++ b/etc/profile-a-l/Cheese.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile for cheese | 1 | # Firejail profile for cheese |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include Cheese.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Temporary fix for https://github.com/netblue30/firejail/issues/2624 | 9 | # Temporary fix for https://github.com/netblue30/firejail/issues/2624 |
5 | # Redirect | 10 | # Redirect |
diff --git a/etc/profile-a-l/Cyberfox.profile b/etc/profile-a-l/Cyberfox.profile index 26a4348c9..5564207fc 100644 --- a/etc/profile-a-l/Cyberfox.profile +++ b/etc/profile-a-l/Cyberfox.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for cyberfox | 1 | # Firejail profile alias for cyberfox |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include Cyberfox.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include cyberfox.profile | 10 | include cyberfox.profile |
diff --git a/etc/profile-a-l/Documents.profile b/etc/profile-a-l/Documents.profile index 171ab4357..780416d7f 100644 --- a/etc/profile-a-l/Documents.profile +++ b/etc/profile-a-l/Documents.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile for gnome-documents | 1 | # Firejail profile for gnome-documents |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include Documents.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Temporary fix for https://github.com/netblue30/firejail/issues/2624 | 9 | # Temporary fix for https://github.com/netblue30/firejail/issues/2624 |
5 | # Redirect | 10 | # Redirect |
diff --git a/etc/profile-a-l/FossaMail.profile b/etc/profile-a-l/FossaMail.profile index 9e1f61421..3a584ed4e 100644 --- a/etc/profile-a-l/FossaMail.profile +++ b/etc/profile-a-l/FossaMail.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for fossamail | 1 | # Firejail profile alias for fossamail |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include FossaMail.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include fossamail.profile | 10 | include fossamail.profile |
diff --git a/etc/profile-a-l/Gitter.profile b/etc/profile-a-l/Gitter.profile index a8bcb6a54..96b91430c 100644 --- a/etc/profile-a-l/Gitter.profile +++ b/etc/profile-a-l/Gitter.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for Gitter | 1 | # Firejail profile alias for Gitter |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include Gitter.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include gitter.profile | 10 | include gitter.profile |
diff --git a/etc/profile-a-l/Logs.profile b/etc/profile-a-l/Logs.profile index 431439f17..1a78b86c9 100644 --- a/etc/profile-a-l/Logs.profile +++ b/etc/profile-a-l/Logs.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile for gnome-logs | 1 | # Firejail profile for gnome-logs |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include Logs.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Temporary fix for https://github.com/netblue30/firejail/issues/2624 | 9 | # Temporary fix for https://github.com/netblue30/firejail/issues/2624 |
5 | # Redirect | 10 | # Redirect |
diff --git a/etc/profile-a-l/agetpkg.profile b/etc/profile-a-l/agetpkg.profile new file mode 100644 index 000000000..6d5dab41a --- /dev/null +++ b/etc/profile-a-l/agetpkg.profile | |||
@@ -0,0 +1,60 @@ | |||
1 | # Firejail profile for agetpkg | ||
2 | # Description: CLI tool to list/get/install packages from the Arch Linux Archive | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include agetpkg.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | blacklist /tmp/.X11-unix | ||
11 | blacklist ${RUNUSER}/wayland-* | ||
12 | |||
13 | # Allow python (blacklisted by disable-interpreters.inc) | ||
14 | #include allow-python2.inc | ||
15 | include allow-python3.inc | ||
16 | |||
17 | include disable-common.inc | ||
18 | include disable-devel.inc | ||
19 | include disable-exec.inc | ||
20 | include disable-interpreters.inc | ||
21 | include disable-passwdmgr.inc | ||
22 | include disable-programs.inc | ||
23 | include disable-shell.inc | ||
24 | include disable-xdg.inc | ||
25 | |||
26 | whitelist ${DOWNLOADS} | ||
27 | include whitelist-common.inc | ||
28 | include whitelist-usr-share-common.inc | ||
29 | include whitelist-var-common.inc | ||
30 | |||
31 | caps.drop all | ||
32 | hostname agetpkg | ||
33 | ipc-namespace | ||
34 | machine-id | ||
35 | noautopulse | ||
36 | netfilter | ||
37 | no3d | ||
38 | nodvd | ||
39 | nogroups | ||
40 | nonewprivs | ||
41 | noroot | ||
42 | nosound | ||
43 | notv | ||
44 | nou2f | ||
45 | novideo | ||
46 | protocol inet,inet6 | ||
47 | seccomp | ||
48 | shell none | ||
49 | tracelog | ||
50 | |||
51 | private-bin agetpkg,python3 | ||
52 | private-cache | ||
53 | private-dev | ||
54 | private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl | ||
55 | private-tmp | ||
56 | |||
57 | dbus-user none | ||
58 | dbus-system none | ||
59 | |||
60 | memory-deny-write-execute | ||
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile index 98188d2a7..57b5e5d95 100644 --- a/etc/profile-a-l/alacarte.profile +++ b/etc/profile-a-l/alacarte.profile | |||
@@ -6,6 +6,7 @@ include alacarte.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Allow python (blacklisted by disable-interpreters.inc) | ||
9 | include allow-python2.inc | 10 | include allow-python2.inc |
10 | include allow-python3.inc | 11 | include allow-python3.inc |
11 | 12 | ||
diff --git a/etc/profile-a-l/android-studio.profile b/etc/profile-a-l/android-studio.profile index 2e4e564dd..2cdd3a90c 100644 --- a/etc/profile-a-l/android-studio.profile +++ b/etc/profile-a-l/android-studio.profile | |||
@@ -10,12 +10,14 @@ noblacklist ${HOME}/.android | |||
10 | noblacklist ${HOME}/.jack-server | 10 | noblacklist ${HOME}/.jack-server |
11 | noblacklist ${HOME}/.jack-settings | 11 | noblacklist ${HOME}/.jack-settings |
12 | noblacklist ${HOME}/.local/share/JetBrains | 12 | noblacklist ${HOME}/.local/share/JetBrains |
13 | noblacklist ${HOME}/.ssh | ||
14 | noblacklist ${HOME}/.tooling | 13 | noblacklist ${HOME}/.tooling |
15 | 14 | ||
16 | # Allows files commonly used by IDEs | 15 | # Allows files commonly used by IDEs |
17 | include allow-common-devel.inc | 16 | include allow-common-devel.inc |
18 | 17 | ||
18 | # Allow ssh (blacklisted by disable-common.inc) | ||
19 | include allow-ssh.inc | ||
20 | |||
19 | include disable-common.inc | 21 | include disable-common.inc |
20 | include disable-passwdmgr.inc | 22 | include disable-passwdmgr.inc |
21 | include disable-programs.inc | 23 | include disable-programs.inc |
diff --git a/etc/profile-a-l/aosp.profile b/etc/profile-a-l/aosp.profile index a5b1ba9f1..e7b09283e 100644 --- a/etc/profile-a-l/aosp.profile +++ b/etc/profile-a-l/aosp.profile | |||
@@ -11,12 +11,14 @@ noblacklist ${HOME}/.jack-server | |||
11 | noblacklist ${HOME}/.jack-settings | 11 | noblacklist ${HOME}/.jack-settings |
12 | noblacklist ${HOME}/.repo_.gitconfig.json | 12 | noblacklist ${HOME}/.repo_.gitconfig.json |
13 | noblacklist ${HOME}/.repoconfig | 13 | noblacklist ${HOME}/.repoconfig |
14 | noblacklist ${HOME}/.ssh | ||
15 | noblacklist ${HOME}/.tooling | 14 | noblacklist ${HOME}/.tooling |
16 | 15 | ||
17 | # Allows files commonly used by IDEs | 16 | # Allows files commonly used by IDEs |
18 | include allow-common-devel.inc | 17 | include allow-common-devel.inc |
19 | 18 | ||
19 | # Allow ssh (blacklisted by disable-common.inc) | ||
20 | include allow-ssh.inc | ||
21 | |||
20 | include disable-common.inc | 22 | include disable-common.inc |
21 | include disable-passwdmgr.inc | 23 | include disable-passwdmgr.inc |
22 | include disable-programs.inc | 24 | include disable-programs.inc |
diff --git a/etc/profile-a-l/apostrophe.profile b/etc/profile-a-l/apostrophe.profile index 9c0b92598..4986ac63a 100644 --- a/etc/profile-a-l/apostrophe.profile +++ b/etc/profile-a-l/apostrophe.profile | |||
@@ -9,6 +9,9 @@ include globals.local | |||
9 | noblacklist ${DOCUMENTS} | 9 | noblacklist ${DOCUMENTS} |
10 | noblacklist ${PICTURES} | 10 | noblacklist ${PICTURES} |
11 | 11 | ||
12 | # Allow lua (blacklisted by disable-interpreters.inc) | ||
13 | include allow-lua.inc | ||
14 | |||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 15 | # Allow python (blacklisted by disable-interpreters.inc) |
13 | include allow-python3.inc | 16 | include allow-python3.inc |
14 | 17 | ||
diff --git a/etc/profile-a-l/ar.profile b/etc/profile-a-l/ar.profile index c2b215807..f99934e66 100644 --- a/etc/profile-a-l/ar.profile +++ b/etc/profile-a-l/ar.profile | |||
@@ -7,4 +7,5 @@ include ar.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | # Redirect | ||
10 | include archiver-common.inc | 11 | include archiver-common.inc |
diff --git a/etc/profile-a-l/ardour4.profile b/etc/profile-a-l/ardour4.profile index 4ad8dd456..5c62c94be 100644 --- a/etc/profile-a-l/ardour4.profile +++ b/etc/profile-a-l/ardour4.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for ardour5 | 1 | # Firejail profile alias for ardour5 |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include ardur4.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include ardour5.profile | 10 | include ardour5.profile |
diff --git a/etc/profile-a-l/atom.profile b/etc/profile-a-l/atom.profile index f21a5febf..5f237ac59 100644 --- a/etc/profile-a-l/atom.profile +++ b/etc/profile-a-l/atom.profile | |||
@@ -25,7 +25,6 @@ noblacklist ${HOME}/.config/Atom | |||
25 | include allow-common-devel.inc | 25 | include allow-common-devel.inc |
26 | 26 | ||
27 | # net none | 27 | # net none |
28 | netfilter | ||
29 | nosound | 28 | nosound |
30 | 29 | ||
31 | # Redirect | 30 | # Redirect |
diff --git a/etc/profile-a-l/atool.profile b/etc/profile-a-l/atool.profile index 34af47df2..6e0ecb012 100644 --- a/etc/profile-a-l/atool.profile +++ b/etc/profile-a-l/atool.profile | |||
@@ -9,10 +9,12 @@ include globals.local | |||
9 | 9 | ||
10 | # Allow perl (blacklisted by disable-interpreters.inc) | 10 | # Allow perl (blacklisted by disable-interpreters.inc) |
11 | include allow-perl.inc | 11 | include allow-perl.inc |
12 | include archiver-common.inc | ||
13 | 12 | ||
14 | noroot | 13 | noroot |
15 | 14 | ||
16 | # without login.defs atool complains and uses UID/GID 1000 by default | 15 | # without login.defs atool complains and uses UID/GID 1000 by default |
17 | private-etc alternatives,group,login.defs,passwd | 16 | private-etc alternatives,group,login.defs,passwd |
18 | private-tmp | 17 | private-tmp |
18 | |||
19 | # Redirect | ||
20 | include archiver-common.inc | ||
diff --git a/etc/profile-a-l/avidemux.profile b/etc/profile-a-l/avidemux.profile new file mode 100644 index 000000000..b5d662d60 --- /dev/null +++ b/etc/profile-a-l/avidemux.profile | |||
@@ -0,0 +1,53 @@ | |||
1 | # Firejail profile for Avidemux | ||
2 | # Description: Avidemux is a free video editor designed for simple cutting, filtering and encoding tasks. | ||
3 | # Persistent local customizations | ||
4 | include avidemux.local | ||
5 | # Persistent global definitions | ||
6 | include globals.local | ||
7 | |||
8 | noblacklist ${HOME}/.avidemux6 | ||
9 | noblacklist ${HOME}/.config/avidemux3_qt5rc | ||
10 | noblacklist ${VIDEOS} | ||
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | include disable-shell.inc | ||
19 | include disable-xdg.inc | ||
20 | |||
21 | mkdir ${HOME}/.avidemux6 | ||
22 | mkdir ${HOME}/.config/avidemux3_qt5rc | ||
23 | whitelist ${HOME}/.avidemux6 | ||
24 | whitelist ${HOME}/.config/avidemux3_qt5rc | ||
25 | whitelist ${VIDEOS} | ||
26 | include whitelist-common.inc | ||
27 | include whitelist-runuser-common.inc | ||
28 | include whitelist-usr-share-common.inc | ||
29 | include whitelist-var-common.inc | ||
30 | |||
31 | apparmor | ||
32 | caps.drop all | ||
33 | net none | ||
34 | nodvd | ||
35 | nogroups | ||
36 | nonewprivs | ||
37 | noroot | ||
38 | notv | ||
39 | nou2f | ||
40 | novideo | ||
41 | protocol unix | ||
42 | seccomp | ||
43 | seccomp.block-secondary | ||
44 | shell none | ||
45 | tracelog | ||
46 | |||
47 | private-bin avidemux3_cli,avidemux3_jobs_qt5,avidemux3_qt5 | ||
48 | private-cache | ||
49 | private-dev | ||
50 | private-tmp | ||
51 | |||
52 | dbus-user none | ||
53 | dbus-system none | ||
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile index cda6b1aa0..573776a71 100644 --- a/etc/profile-a-l/balsa.profile +++ b/etc/profile-a-l/balsa.profile | |||
@@ -9,6 +9,7 @@ include globals.local | |||
9 | noblacklist ${HOME}/.balsa | 9 | noblacklist ${HOME}/.balsa |
10 | noblacklist ${HOME}/.gnupg | 10 | noblacklist ${HOME}/.gnupg |
11 | noblacklist ${HOME}/.mozilla | 11 | noblacklist ${HOME}/.mozilla |
12 | noblacklist ${HOME}/.signature | ||
12 | noblacklist ${HOME}/mail | 13 | noblacklist ${HOME}/mail |
13 | noblacklist /var/mail | 14 | noblacklist /var/mail |
14 | noblacklist /var/spool/mail | 15 | noblacklist /var/spool/mail |
@@ -24,10 +25,12 @@ include disable-xdg.inc | |||
24 | 25 | ||
25 | mkdir ${HOME}/.balsa | 26 | mkdir ${HOME}/.balsa |
26 | mkdir ${HOME}/.gnupg | 27 | mkdir ${HOME}/.gnupg |
28 | mkfile ${HOME}/.signature | ||
27 | mkdir ${HOME}/mail | 29 | mkdir ${HOME}/mail |
28 | whitelist ${HOME}/.balsa | 30 | whitelist ${HOME}/.balsa |
29 | whitelist ${HOME}/.gnupg | 31 | whitelist ${HOME}/.gnupg |
30 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | 32 | whitelist ${HOME}/.mozilla/firefox/profiles.ini |
33 | whitelist ${HOME}/.signature | ||
31 | whitelist ${HOME}/mail | 34 | whitelist ${HOME}/mail |
32 | whitelist ${RUNUSER}/gnupg | 35 | whitelist ${RUNUSER}/gnupg |
33 | whitelist /usr/share/balsa | 36 | whitelist /usr/share/balsa |
@@ -58,9 +61,9 @@ shell none | |||
58 | tracelog | 61 | tracelog |
59 | 62 | ||
60 | # disable-mnt | 63 | # disable-mnt |
61 | # Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg | 64 | # Add "pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg |
62 | # Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile. | 65 | # Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile. |
63 | private-bin balsa,balsa-ab | 66 | private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm |
64 | private-cache | 67 | private-cache |
65 | private-dev | 68 | private-dev |
66 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg | 69 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg |
@@ -71,8 +74,9 @@ writable-var | |||
71 | dbus-user filter | 74 | dbus-user filter |
72 | dbus-user.own org.desktop.Balsa | 75 | dbus-user.own org.desktop.Balsa |
73 | dbus-user.talk ca.desrt.dconf | 76 | dbus-user.talk ca.desrt.dconf |
74 | dbus-user.talk org.freedesktop.secrets | ||
75 | dbus-user.talk org.freedesktop.Notifications | 77 | dbus-user.talk org.freedesktop.Notifications |
78 | dbus-user.talk org.freedesktop.secrets | ||
79 | dbus-user.talk org.gnome.keyring.SystemPrompter | ||
76 | dbus-system none | 80 | dbus-system none |
77 | 81 | ||
78 | read-only ${HOME}/.mozilla/firefox/profiles.ini | 82 | read-only ${HOME}/.mozilla/firefox/profiles.ini \ No newline at end of file |
diff --git a/etc/profile-a-l/bibletime.profile b/etc/profile-a-l/bibletime.profile index 99e2802eb..235b84be3 100644 --- a/etc/profile-a-l/bibletime.profile +++ b/etc/profile-a-l/bibletime.profile | |||
@@ -26,6 +26,7 @@ whitelist ${HOME}/.bibletime | |||
26 | whitelist ${HOME}/.sword | 26 | whitelist ${HOME}/.sword |
27 | whitelist ${HOME}/.local/share/bibletime | 27 | whitelist ${HOME}/.local/share/bibletime |
28 | whitelist /usr/share/bibletime | 28 | whitelist /usr/share/bibletime |
29 | whitelist /usr/share/doc/bibletime | ||
29 | whitelist /usr/share/sword | 30 | whitelist /usr/share/sword |
30 | include whitelist-common.inc | 31 | include whitelist-common.inc |
31 | include whitelist-usr-share-common.inc | 32 | include whitelist-usr-share-common.inc |
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile index dbde3e4de..b074cc0b0 100644 --- a/etc/profile-a-l/bijiben.profile +++ b/etc/profile-a-l/bijiben.profile | |||
@@ -57,3 +57,5 @@ dbus-user.own org.gnome.Notes | |||
57 | dbus-user.talk ca.desrt.dconf | 57 | dbus-user.talk ca.desrt.dconf |
58 | dbus-user.talk org.freedesktop.Tracker1 | 58 | dbus-user.talk org.freedesktop.Tracker1 |
59 | dbus-system none | 59 | dbus-system none |
60 | |||
61 | env WEBKIT_FORCE_SANDBOX=0 | ||
diff --git a/etc/profile-a-l/blackbox.profile b/etc/profile-a-l/blackbox.profile index 13e83493d..233f9a96f 100644 --- a/etc/profile-a-l/blackbox.profile +++ b/etc/profile-a-l/blackbox.profile | |||
@@ -6,7 +6,7 @@ include blackbox.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # all applications started in awesome will run in this profile | 9 | # all applications started in blackbox will run in this profile |
10 | noblacklist ${HOME}/.blackbox | 10 | noblacklist ${HOME}/.blackbox |
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | 12 | ||
diff --git a/etc/profile-a-l/blender-2.8.profile b/etc/profile-a-l/blender-2.8.profile index b7242c443..55d8fdcf2 100644 --- a/etc/profile-a-l/blender-2.8.profile +++ b/etc/profile-a-l/blender-2.8.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for blender | 1 | # Firejail profile alias for blender |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include blender-2.8.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include blender.profile | 10 | include blender.profile |
diff --git a/etc/profile-a-l/brave-browser-beta.profile b/etc/profile-a-l/brave-browser-beta.profile index 528a6402d..bbe23056f 100644 --- a/etc/profile-a-l/brave-browser-beta.profile +++ b/etc/profile-a-l/brave-browser-beta.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for brave (beta channel) | 1 | # Firejail profile alias for brave (beta channel) |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include brave-browser-beta.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include brave.profile | 10 | include brave.profile |
diff --git a/etc/profile-a-l/brave-browser-dev.profile b/etc/profile-a-l/brave-browser-dev.profile index 4601de119..b3fcc22ee 100644 --- a/etc/profile-a-l/brave-browser-dev.profile +++ b/etc/profile-a-l/brave-browser-dev.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for brave (development channel) | 1 | # Firejail profile alias for brave (development channel) |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include brave-browser-dev.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include brave.profile | 10 | include brave.profile |
diff --git a/etc/profile-a-l/brave-browser-nightly.profile b/etc/profile-a-l/brave-browser-nightly.profile index 43d3cc724..796c90deb 100644 --- a/etc/profile-a-l/brave-browser-nightly.profile +++ b/etc/profile-a-l/brave-browser-nightly.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for brave (nightly channel) | 1 | # Firejail profile alias for brave (nightly channel) |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include brave-browser-nightly.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include brave.profile | 10 | include brave.profile |
diff --git a/etc/profile-a-l/brave-browser-stable.profile b/etc/profile-a-l/brave-browser-stable.profile index 06d33dea4..fab7f5f14 100644 --- a/etc/profile-a-l/brave-browser-stable.profile +++ b/etc/profile-a-l/brave-browser-stable.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for brave (release channel) | 1 | # Firejail profile alias for brave (release channel) |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include brave-browser-stable.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include brave.profile | 10 | include brave.profile |
diff --git a/etc/profile-a-l/brave-browser.profile b/etc/profile-a-l/brave-browser.profile index e223ecf87..fda337725 100644 --- a/etc/profile-a-l/brave-browser.profile +++ b/etc/profile-a-l/brave-browser.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for brave | 1 | # Firejail profile alias for brave |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include brave-browser.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include brave.profile | 10 | include brave.profile |
diff --git a/etc/profile-a-l/bsdcat.profile b/etc/profile-a-l/bsdcat.profile index 5271ee5d6..ff7d83dad 100644 --- a/etc/profile-a-l/bsdcat.profile +++ b/etc/profile-a-l/bsdcat.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for bsdtar | 1 | # Firejail profile alias for bsdtar |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include bsdcat.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include bsdtar.profile | 10 | include bsdtar.profile |
diff --git a/etc/profile-a-l/bsdcpio.profile b/etc/profile-a-l/bsdcpio.profile index 5271ee5d6..eb35ef79f 100644 --- a/etc/profile-a-l/bsdcpio.profile +++ b/etc/profile-a-l/bsdcpio.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for bsdtar | 1 | # Firejail profile alias for bsdtar |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include bsdcpio.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include bsdtar.profile | 10 | include bsdtar.profile |
diff --git a/etc/profile-a-l/bsdtar.profile b/etc/profile-a-l/bsdtar.profile index c37f4071e..fb4f643c8 100644 --- a/etc/profile-a-l/bsdtar.profile +++ b/etc/profile-a-l/bsdtar.profile | |||
@@ -6,6 +6,7 @@ include bsdtar.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | include archiver-common.inc | ||
10 | |||
11 | private-etc alternatives,group,localtime,passwd | 9 | private-etc alternatives,group,localtime,passwd |
10 | |||
11 | # Redirect | ||
12 | include archiver-common.inc | ||
diff --git a/etc/profile-a-l/calligra.profile b/etc/profile-a-l/calligra.profile index f4ce47018..a14433369 100644 --- a/etc/profile-a-l/calligra.profile +++ b/etc/profile-a-l/calligra.profile | |||
@@ -27,9 +27,10 @@ nou2f | |||
27 | novideo | 27 | novideo |
28 | protocol unix | 28 | protocol unix |
29 | seccomp | 29 | seccomp |
30 | seccomp.block-secondary | ||
30 | shell none | 31 | shell none |
31 | 32 | ||
32 | private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch,kbuildsycoca4,kdeinit4 | 33 | private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligragemini,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch,kbuildsycoca4,kdeinit4 |
33 | private-dev | 34 | private-dev |
34 | 35 | ||
35 | # dbus-user none | 36 | # dbus-user none |
diff --git a/etc/profile-a-l/calligraauthor.profile b/etc/profile-a-l/calligraauthor.profile index 7804a3b97..ace6c05f8 100644 --- a/etc/profile-a-l/calligraauthor.profile +++ b/etc/profile-a-l/calligraauthor.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for calligra | 1 | # Firejail profile alias for calligra |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include calligraauthor.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include calligra.profile | 10 | include calligra.profile |
diff --git a/etc/profile-a-l/calligraconverter.profile b/etc/profile-a-l/calligraconverter.profile index 7804a3b97..b2c23a57b 100644 --- a/etc/profile-a-l/calligraconverter.profile +++ b/etc/profile-a-l/calligraconverter.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for calligra | 1 | # Firejail profile alias for calligra |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include calligraconverter.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include calligra.profile | 10 | include calligra.profile |
diff --git a/etc/profile-a-l/calligraflow.profile b/etc/profile-a-l/calligraflow.profile index 7804a3b97..ca654b3f3 100644 --- a/etc/profile-a-l/calligraflow.profile +++ b/etc/profile-a-l/calligraflow.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for calligra | 1 | # Firejail profile alias for calligra |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include calligraflow.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include calligra.profile | 10 | include calligra.profile |
diff --git a/etc/profile-a-l/calligragemini.profile b/etc/profile-a-l/calligragemini.profile new file mode 100644 index 000000000..006c307ab --- /dev/null +++ b/etc/profile-a-l/calligragemini.profile | |||
@@ -0,0 +1,12 @@ | |||
1 | # Firejail profile alias for calligra | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include calligragemini.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.local/share/calligragemini | ||
10 | |||
11 | # Redirect | ||
12 | include calligra.profile | ||
diff --git a/etc/profile-a-l/calligraplan.profile b/etc/profile-a-l/calligraplan.profile index 23dd61175..81dbd4dcd 100644 --- a/etc/profile-a-l/calligraplan.profile +++ b/etc/profile-a-l/calligraplan.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for calligra | 1 | # Firejail profile alias for calligra |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include calligraplan.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.local/share/kxmlgui5/calligraplan | 9 | noblacklist ${HOME}/.local/share/kxmlgui5/calligraplan |
5 | 10 | ||
diff --git a/etc/profile-a-l/calligraplanwork.profile b/etc/profile-a-l/calligraplanwork.profile index 1c283a3cb..bba91b66b 100644 --- a/etc/profile-a-l/calligraplanwork.profile +++ b/etc/profile-a-l/calligraplanwork.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for calligra | 1 | # Firejail profile alias for calligra |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include calligraplanwork.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.local/share/kxmlgui5/calligraplanwork | 9 | noblacklist ${HOME}/.local/share/kxmlgui5/calligraplanwork |
5 | 10 | ||
diff --git a/etc/profile-a-l/calligrasheets.profile b/etc/profile-a-l/calligrasheets.profile index 8ef75be71..7bc296047 100644 --- a/etc/profile-a-l/calligrasheets.profile +++ b/etc/profile-a-l/calligrasheets.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for calligra | 1 | # Firejail profile alias for calligra |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include calligrasheets.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.local/share/kxmlgui5/calligrasheets | 9 | noblacklist ${HOME}/.local/share/kxmlgui5/calligrasheets |
5 | 10 | ||
diff --git a/etc/profile-a-l/calligrastage.profile b/etc/profile-a-l/calligrastage.profile index d5c960248..7694abbe4 100644 --- a/etc/profile-a-l/calligrastage.profile +++ b/etc/profile-a-l/calligrastage.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for calligra | 1 | # Firejail profile alias for calligra |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include calligrastage.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.local/share/kxmlgui5/calligrastage | 9 | noblacklist ${HOME}/.local/share/kxmlgui5/calligrastage |
5 | 10 | ||
diff --git a/etc/profile-a-l/calligrawords.profile b/etc/profile-a-l/calligrawords.profile index 5985b4250..d69d56a95 100644 --- a/etc/profile-a-l/calligrawords.profile +++ b/etc/profile-a-l/calligrawords.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for calligra | 1 | # Firejail profile alias for calligra |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include calligrawords.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.local/share/kxmlgui5/calligrawords | 9 | noblacklist ${HOME}/.local/share/kxmlgui5/calligrawords |
5 | 10 | ||
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile index d379651c7..6a76dc129 100644 --- a/etc/profile-a-l/celluloid.profile +++ b/etc/profile-a-l/celluloid.profile | |||
@@ -10,13 +10,13 @@ noblacklist ${HOME}/.config/celluloid | |||
10 | noblacklist ${HOME}/.config/gnome-mpv | 10 | noblacklist ${HOME}/.config/gnome-mpv |
11 | noblacklist ${HOME}/.config/youtube-dl | 11 | noblacklist ${HOME}/.config/youtube-dl |
12 | 12 | ||
13 | # Allow lua (blacklisted by disable-interpreters.inc) | ||
14 | include allow-lua.inc | ||
15 | |||
13 | # Allow python (blacklisted by disable-interpreters.inc) | 16 | # Allow python (blacklisted by disable-interpreters.inc) |
14 | include allow-python2.inc | 17 | include allow-python2.inc |
15 | include allow-python3.inc | 18 | include allow-python3.inc |
16 | 19 | ||
17 | # Allow lua (blacklisted by disable-interpreters.inc) | ||
18 | include allow-lua.inc | ||
19 | |||
20 | include disable-common.inc | 20 | include disable-common.inc |
21 | include disable-devel.inc | 21 | include disable-devel.inc |
22 | include disable-exec.inc | 22 | include disable-exec.inc |
diff --git a/etc/profile-a-l/cheese.profile b/etc/profile-a-l/cheese.profile index 337117c4a..aca1f5876 100644 --- a/etc/profile-a-l/cheese.profile +++ b/etc/profile-a-l/cheese.profile | |||
@@ -19,7 +19,10 @@ include disable-xdg.inc | |||
19 | 19 | ||
20 | whitelist ${VIDEOS} | 20 | whitelist ${VIDEOS} |
21 | whitelist ${PICTURES} | 21 | whitelist ${PICTURES} |
22 | whitelist /usr/share/gnome-video-effects | ||
22 | include whitelist-common.inc | 23 | include whitelist-common.inc |
24 | include whitelist-runuser-common.inc | ||
25 | include whitelist-usr-share-common.inc | ||
23 | include whitelist-var-common.inc | 26 | include whitelist-var-common.inc |
24 | 27 | ||
25 | apparmor | 28 | apparmor |
@@ -43,5 +46,6 @@ private-cache | |||
43 | private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0 | 46 | private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0 |
44 | private-tmp | 47 | private-tmp |
45 | 48 | ||
46 | dbus-user none | 49 | dbus-user filter |
50 | dbus-user.talk ca.desrt.dconf | ||
47 | dbus-system none | 51 | dbus-system none |
diff --git a/etc/profile-a-l/chromium-browser.profile b/etc/profile-a-l/chromium-browser.profile index f83052d9a..7ad806f5b 100644 --- a/etc/profile-a-l/chromium-browser.profile +++ b/etc/profile-a-l/chromium-browser.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for chromium | 1 | # Firejail profile alias for chromium |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include chromium-browser.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include chromium.profile | 10 | include chromium.profile |
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile index ce9c652c6..1afb2c6e1 100644 --- a/etc/profile-a-l/chromium-common.profile +++ b/etc/profile-a-l/chromium-common.profile | |||
@@ -34,6 +34,10 @@ include whitelist-var-common.inc | |||
34 | # if your kernel allows unprivileged userns clone. | 34 | # if your kernel allows unprivileged userns clone. |
35 | #include chromium-common-hardened.inc | 35 | #include chromium-common-hardened.inc |
36 | 36 | ||
37 | # Uncomment or put in your chromium-common.local to allow screen sharing under | ||
38 | # wayland. | ||
39 | #whitelist ${RUNUSER}/pipewire-0 | ||
40 | |||
37 | apparmor | 41 | apparmor |
38 | caps.keep sys_admin,sys_chroot | 42 | caps.keep sys_admin,sys_chroot |
39 | netfilter | 43 | netfilter |
diff --git a/etc/profile-a-l/chromium-freeworld.profile b/etc/profile-a-l/chromium-freeworld.profile index a1de85afa..dadedfbcf 100644 --- a/etc/profile-a-l/chromium-freeworld.profile +++ b/etc/profile-a-l/chromium-freeworld.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile for chromium-freeworld | 1 | # Firejail profile for chromium-freeworld |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include chromium-freeworld.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include chromium.profile | 10 | include chromium.profile |
diff --git a/etc/profile-a-l/cinelerra.profile b/etc/profile-a-l/cinelerra.profile index 88a65037e..38297bbae 100644 --- a/etc/profile-a-l/cinelerra.profile +++ b/etc/profile-a-l/cinelerra.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for cin | 1 | # Firejail profile alias for cin |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include cinelerra.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include cin.profile | 10 | include cin.profile |
diff --git a/etc/profile-a-l/clamdscan.profile b/etc/profile-a-l/clamdscan.profile index 4c6c56c5f..b25b46a27 100644 --- a/etc/profile-a-l/clamdscan.profile +++ b/etc/profile-a-l/clamdscan.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for clamav | 1 | # Firejail profile alias for clamav |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include clamdscan.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include clamav.profile | 10 | include clamav.profile |
diff --git a/etc/profile-a-l/clamdtop.profile b/etc/profile-a-l/clamdtop.profile index 4c6c56c5f..8c8cb3880 100644 --- a/etc/profile-a-l/clamdtop.profile +++ b/etc/profile-a-l/clamdtop.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for clamav | 1 | # Firejail profile alias for clamav |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include clamdtop.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include clamav.profile | 10 | include clamav.profile |
diff --git a/etc/profile-a-l/clamscan.profile b/etc/profile-a-l/clamscan.profile index 4c6c56c5f..0bc95e515 100644 --- a/etc/profile-a-l/clamscan.profile +++ b/etc/profile-a-l/clamscan.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for clamav | 1 | # Firejail profile alias for clamav |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include clamscan.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include clamav.profile | 10 | include clamav.profile |
diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile index 69196c578..b4a8303a2 100644 --- a/etc/profile-a-l/claws-mail.profile +++ b/etc/profile-a-l/claws-mail.profile | |||
@@ -18,10 +18,13 @@ whitelist ${HOME}/.claws-mail | |||
18 | 18 | ||
19 | whitelist /usr/share/doc/claws-mail | 19 | whitelist /usr/share/doc/claws-mail |
20 | 20 | ||
21 | # private-bin claws-mail,curl,gpg,gpg2,gpg-agent,gpgsm,gpgme-config,pinentry,pinentry-gtk-2 | ||
22 | |||
23 | dbus-user filter | ||
24 | dbus-user.talk ca.desrt.dconf | ||
25 | dbus-user.talk org.gnome.keyring.SystemPrompter | ||
21 | # if you use the notification plugin you need to uncomment the below (or put them in your claws-mail.local) | 26 | # if you use the notification plugin you need to uncomment the below (or put them in your claws-mail.local) |
22 | #ignore dbus-user none | 27 | # dbus-user.talk org.freedesktop.Notifications |
23 | #dbus-user filter | ||
24 | #dbus-user.talk org.freedesktop.Notifications | ||
25 | 28 | ||
26 | # Redirect | 29 | # Redirect |
27 | include email-common.profile | 30 | include email-common.profile |
diff --git a/etc/profile-a-l/clion.profile b/etc/profile-a-l/clion.profile index b27d93684..09246ccbc 100644 --- a/etc/profile-a-l/clion.profile +++ b/etc/profile-a-l/clion.profile | |||
@@ -11,9 +11,11 @@ noblacklist ${HOME}/.gitconfig | |||
11 | noblacklist ${HOME}/.git-credentials | 11 | noblacklist ${HOME}/.git-credentials |
12 | noblacklist ${HOME}/.java | 12 | noblacklist ${HOME}/.java |
13 | noblacklist ${HOME}/.local/share/JetBrains | 13 | noblacklist ${HOME}/.local/share/JetBrains |
14 | noblacklist ${HOME}/.ssh | ||
15 | noblacklist ${HOME}/.tooling | 14 | noblacklist ${HOME}/.tooling |
16 | 15 | ||
16 | # Allow ssh (blacklisted by disable-common.inc) | ||
17 | include allow-ssh.inc | ||
18 | |||
17 | include disable-common.inc | 19 | include disable-common.inc |
18 | include disable-passwdmgr.inc | 20 | include disable-passwdmgr.inc |
19 | include disable-programs.inc | 21 | include disable-programs.inc |
diff --git a/etc/profile-a-l/clocks.profile b/etc/profile-a-l/clocks.profile index da50e7d49..3b3efb9f3 100644 --- a/etc/profile-a-l/clocks.profile +++ b/etc/profile-a-l/clocks.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile for gnome-clocks | 1 | # Firejail profile for gnome-clocks |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include clocks.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Temporary fix for https://github.com/netblue30/firejail/issues/2624 | 9 | # Temporary fix for https://github.com/netblue30/firejail/issues/2624 |
5 | # Redirect | 10 | # Redirect |
diff --git a/etc/profile-a-l/com.gitlab.newsflash.profile b/etc/profile-a-l/com.gitlab.newsflash.profile index 0628d3d01..1e37da602 100644 --- a/etc/profile-a-l/com.gitlab.newsflash.profile +++ b/etc/profile-a-l/com.gitlab.newsflash.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for newsflash | 1 | # Firejail profile alias for newsflash |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include com.gitlab.newsflash.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include newsflash.profile | 10 | include newsflash.profile |
diff --git a/etc/profile-a-l/coyim.profile b/etc/profile-a-l/coyim.profile new file mode 100644 index 000000000..75813c494 --- /dev/null +++ b/etc/profile-a-l/coyim.profile | |||
@@ -0,0 +1,49 @@ | |||
1 | # Firejail profile for coyim | ||
2 | # Description: GTK Jabber client written in Go | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include coyim.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/coyim | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-shell.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | mkdir ${HOME}/.config/coyim | ||
21 | whitelist ${HOME}/.config/coyim | ||
22 | include whitelist-common.inc | ||
23 | include whitelist-usr-share-common.inc | ||
24 | include whitelist-runuser-common.inc | ||
25 | include whitelist-var-common.inc | ||
26 | |||
27 | caps.drop all | ||
28 | netfilter | ||
29 | nodvd | ||
30 | nogroups | ||
31 | nonewprivs | ||
32 | noroot | ||
33 | notv | ||
34 | nou2f | ||
35 | protocol unix,inet,inet6 | ||
36 | seccomp | ||
37 | shell none | ||
38 | tracelog | ||
39 | |||
40 | disable-mnt | ||
41 | private-cache | ||
42 | private-dev | ||
43 | private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,ssl | ||
44 | private-tmp | ||
45 | |||
46 | dbus-user none | ||
47 | dbus-system none | ||
48 | |||
49 | #memory-deny-write-execute | ||
diff --git a/etc/profile-a-l/cpio.profile b/etc/profile-a-l/cpio.profile index 785308ffd..0e0299655 100644 --- a/etc/profile-a-l/cpio.profile +++ b/etc/profile-a-l/cpio.profile | |||
@@ -10,4 +10,5 @@ include globals.local | |||
10 | noblacklist /sbin | 10 | noblacklist /sbin |
11 | noblacklist /usr/sbin | 11 | noblacklist /usr/sbin |
12 | 12 | ||
13 | # Redirect | ||
13 | include archiver-common.inc | 14 | include archiver-common.inc |
diff --git a/etc/profile-a-l/crawl-tiles.profile b/etc/profile-a-l/crawl-tiles.profile index 39151865e..2e24429fd 100644 --- a/etc/profile-a-l/crawl-tiles.profile +++ b/etc/profile-a-l/crawl-tiles.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for crawl | 1 | # Firejail profile alias for crawl |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include crawl-titles.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | ignore no3d | 9 | ignore no3d |
5 | 10 | ||
diff --git a/etc/profile-a-l/cryptocat.profile b/etc/profile-a-l/cryptocat.profile index 69aa39de2..5362e7a6a 100644 --- a/etc/profile-a-l/cryptocat.profile +++ b/etc/profile-a-l/cryptocat.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for Cryptocat | 1 | # Firejail profile alias for Cryptocat |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include cryptocat.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include Cryptocat.profile | 10 | include Cryptocat.profile |
diff --git a/etc/profile-a-l/dia.profile b/etc/profile-a-l/dia.profile index e409eb044..31031edeb 100644 --- a/etc/profile-a-l/dia.profile +++ b/etc/profile-a-l/dia.profile | |||
@@ -9,6 +9,7 @@ include globals.local | |||
9 | noblacklist ${HOME}/.dia | 9 | noblacklist ${HOME}/.dia |
10 | noblacklist ${DOCUMENTS} | 10 | noblacklist ${DOCUMENTS} |
11 | 11 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | ||
12 | include allow-python2.inc | 13 | include allow-python2.inc |
13 | include allow-python3.inc | 14 | include allow-python3.inc |
14 | 15 | ||
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile index e6edbd7eb..b583f1a1d 100644 --- a/etc/profile-a-l/discord-common.profile +++ b/etc/profile-a-l/discord-common.profile | |||
@@ -23,7 +23,7 @@ whitelist ${HOME}/.config/BetterDiscord | |||
23 | whitelist ${HOME}/.local/share/betterdiscordctl | 23 | whitelist ${HOME}/.local/share/betterdiscordctl |
24 | 24 | ||
25 | private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh | 25 | private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh |
26 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl | 26 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl |
27 | 27 | ||
28 | # Redirect | 28 | # Redirect |
29 | include electron.profile | 29 | include electron.profile |
diff --git a/etc/profile-a-l/display-im6.q16.profile b/etc/profile-a-l/display-im6.q16.profile new file mode 100644 index 000000000..b80afc3fa --- /dev/null +++ b/etc/profile-a-l/display-im6.q16.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile for display-im6.q16 | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include display-im6.q16.local | ||
5 | # Persistent global definitions | ||
6 | include globals.local | ||
7 | |||
8 | |||
9 | # Redirect | ||
10 | include display.profile | ||
diff --git a/etc/profile-a-l/dooble-qt4.profile b/etc/profile-a-l/dooble-qt4.profile index 70a21e11c..99cf0f7f8 100644 --- a/etc/profile-a-l/dooble-qt4.profile +++ b/etc/profile-a-l/dooble-qt4.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for dooble | 1 | # Firejail profile alias for dooble |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include dooble-qt4.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include dooble.profile | 10 | include dooble.profile |
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile index df47f478d..6b55c2126 100644 --- a/etc/profile-a-l/email-common.profile +++ b/etc/profile-a-l/email-common.profile | |||
@@ -8,6 +8,7 @@ include email-common.local | |||
8 | #include globals.local | 8 | #include globals.local |
9 | 9 | ||
10 | noblacklist ${HOME}/.gnupg | 10 | noblacklist ${HOME}/.gnupg |
11 | noblacklist ${HOME}/.mozilla | ||
11 | noblacklist ${HOME}/.signature | 12 | noblacklist ${HOME}/.signature |
12 | # when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local | 13 | # when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local |
13 | # and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications | 14 | # and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications |
@@ -17,28 +18,34 @@ noblacklist ${DOCUMENTS} | |||
17 | 18 | ||
18 | include disable-common.inc | 19 | include disable-common.inc |
19 | include disable-devel.inc | 20 | include disable-devel.inc |
21 | include disable-exec.inc | ||
20 | include disable-interpreters.inc | 22 | include disable-interpreters.inc |
21 | include disable-passwdmgr.inc | 23 | include disable-passwdmgr.inc |
22 | include disable-programs.inc | 24 | include disable-programs.inc |
23 | include disable-xdg.inc | 25 | include disable-xdg.inc |
24 | 26 | ||
25 | whitelist ${DOCUMENTS} | ||
26 | whitelist ${DOWNLOADS} | ||
27 | mkfile ${HOME}/.config/mimeapps.list | ||
28 | mkdir ${HOME}/.gnupg | 27 | mkdir ${HOME}/.gnupg |
28 | mkfile ${HOME}/.config/mimeapps.list | ||
29 | mkfile ${HOME}/.signature | 29 | mkfile ${HOME}/.signature |
30 | whitelist ${HOME}/.config/mimeapps.list | 30 | whitelist ${HOME}/.config/mimeapps.list |
31 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | ||
31 | whitelist ${HOME}/.gnupg | 32 | whitelist ${HOME}/.gnupg |
32 | whitelist ${HOME}/.signature | 33 | whitelist ${HOME}/.signature |
34 | whitelist ${DOCUMENTS} | ||
35 | whitelist ${DOWNLOADS} | ||
33 | # when storing mail outside the default ${HOME}/Mail path, 'whitelist' the custom path in your email-common.local | 36 | # when storing mail outside the default ${HOME}/Mail path, 'whitelist' the custom path in your email-common.local |
34 | whitelist ${HOME}/Mail | 37 | whitelist ${HOME}/Mail |
38 | whitelist ${RUNUSER}/gnupg | ||
35 | whitelist /usr/share/gnupg | 39 | whitelist /usr/share/gnupg |
36 | whitelist /usr/share/gnupg2 | 40 | whitelist /usr/share/gnupg2 |
37 | include whitelist-common.inc | 41 | include whitelist-common.inc |
42 | include whitelist-runuser-common.inc | ||
38 | include whitelist-usr-share-common.inc | 43 | include whitelist-usr-share-common.inc |
39 | include whitelist-var-common.inc | 44 | include whitelist-var-common.inc |
40 | 45 | ||
46 | apparmor | ||
41 | caps.drop all | 47 | caps.drop all |
48 | machine-id | ||
42 | netfilter | 49 | netfilter |
43 | no3d | 50 | no3d |
44 | nodvd | 51 | nodvd |
@@ -51,22 +58,26 @@ nou2f | |||
51 | novideo | 58 | novideo |
52 | protocol unix,inet,inet6 | 59 | protocol unix,inet,inet6 |
53 | seccomp | 60 | seccomp |
61 | seccomp.block-secondary | ||
54 | shell none | 62 | shell none |
55 | tracelog | 63 | tracelog |
56 | 64 | ||
65 | # disable-mnt | ||
57 | private-cache | 66 | private-cache |
58 | private-dev | 67 | private-dev |
68 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg | ||
59 | private-tmp | 69 | private-tmp |
60 | |||
61 | dbus-user none | ||
62 | dbus-system none | ||
63 | |||
64 | # encrypting and signing email | 70 | # encrypting and signing email |
65 | writable-run-user | 71 | writable-run-user |
66 | 72 | ||
73 | dbus-system none | ||
74 | |||
67 | # If you want to read local mail stored in /var/mail, add the following to email-common.local: | 75 | # If you want to read local mail stored in /var/mail, add the following to email-common.local: |
68 | #noblacklist /var/mail | 76 | #noblacklist /var/mail |
69 | #noblacklist /var/spool/mail | 77 | #noblacklist /var/spool/mail |
70 | #whitelist /var/mail | 78 | #whitelist /var/mail |
71 | #whitelist /var/spool/mail | 79 | #whitelist /var/spool/mail |
72 | #writable-var | 80 | #writable-var |
81 | |||
82 | read-only ${HOME}/.mozilla/firefox/profiles.ini | ||
83 | read-only ${HOME}/.signature | ||
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile index c0c16e929..25d5196fc 100644 --- a/etc/profile-a-l/evince.profile +++ b/etc/profile-a-l/evince.profile | |||
@@ -6,6 +6,10 @@ include evince.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Uncomment this line and the bottom ones to use bookmarks | ||
10 | # NOTE: This possibly exposes information, including file history from other programs. | ||
11 | #noblacklist ${HOME}/.local/share/gvfs-metadata | ||
12 | |||
9 | noblacklist ${HOME}/.config/evince | 13 | noblacklist ${HOME}/.config/evince |
10 | noblacklist ${DOCUMENTS} | 14 | noblacklist ${DOCUMENTS} |
11 | 15 | ||
@@ -54,5 +58,8 @@ private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf | |||
54 | private-tmp | 58 | private-tmp |
55 | 59 | ||
56 | # might break two-page-view on some systems | 60 | # might break two-page-view on some systems |
57 | dbus-user none | 61 | dbus-user filter |
62 | # Also uncomment these two lines if you want to use bookmarks | ||
63 | #dbus-user.talk org.gtk.vfs.Daemon | ||
64 | #dbus-user.talk org.gtk.vfs.Metadata | ||
58 | dbus-system none | 65 | dbus-system none |
diff --git a/etc/profile-a-l/evolution.profile b/etc/profile-a-l/evolution.profile index 1355c4337..422200ffe 100644 --- a/etc/profile-a-l/evolution.profile +++ b/etc/profile-a-l/evolution.profile | |||
@@ -6,16 +6,15 @@ include evolution.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist /var/mail | ||
10 | noblacklist /var/spool/mail | ||
9 | noblacklist ${HOME}/.bogofilter | 11 | noblacklist ${HOME}/.bogofilter |
10 | noblacklist ${HOME}/.gnupg | ||
11 | noblacklist ${HOME}/.mozilla | ||
12 | noblacklist ${HOME}/.pki | ||
13 | noblacklist ${HOME}/.cache/evolution | 12 | noblacklist ${HOME}/.cache/evolution |
14 | noblacklist ${HOME}/.config/evolution | 13 | noblacklist ${HOME}/.config/evolution |
14 | noblacklist ${HOME}/.gnupg | ||
15 | noblacklist ${HOME}/.local/share/evolution | 15 | noblacklist ${HOME}/.local/share/evolution |
16 | noblacklist ${HOME}/.pki | ||
16 | noblacklist ${HOME}/.local/share/pki | 17 | noblacklist ${HOME}/.local/share/pki |
17 | noblacklist /var/mail | ||
18 | noblacklist /var/spool/mail | ||
19 | 18 | ||
20 | include disable-common.inc | 19 | include disable-common.inc |
21 | include disable-devel.inc | 20 | include disable-devel.inc |
@@ -23,42 +22,13 @@ include disable-exec.inc | |||
23 | include disable-interpreters.inc | 22 | include disable-interpreters.inc |
24 | include disable-passwdmgr.inc | 23 | include disable-passwdmgr.inc |
25 | include disable-programs.inc | 24 | include disable-programs.inc |
26 | include disable-shell.inc | ||
27 | include disable-xdg.inc | ||
28 | 25 | ||
29 | mkdir ${HOME}/.bogofilter | ||
30 | mkdir ${HOME}/.gnupg | ||
31 | mkdir ${HOME}/.pki | ||
32 | mkdir ${HOME}/.cache/evolution | ||
33 | mkdir ${HOME}/.config/evolution | ||
34 | mkdir ${HOME}/.local/share/evolution | ||
35 | mkdir ${HOME}/.local/share/pki | ||
36 | whitelist ${HOME}/.bogofilter | ||
37 | whitelist ${HOME}/.gnupg | ||
38 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | ||
39 | whitelist ${HOME}/.pki | ||
40 | whitelist ${HOME}/.cache/evolution | ||
41 | whitelist ${HOME}/.config/evolution | ||
42 | whitelist ${HOME}/.local/share/evolution | ||
43 | whitelist ${HOME}/.local/share/pki | ||
44 | whitelist ${DOCUMENTS} | ||
45 | whitelist ${DOWNLOADS} | ||
46 | whitelist ${RUNUSER}/gnupg | ||
47 | whitelist /usr/share/evolution | ||
48 | whitelist /usr/share/gnupg | ||
49 | whitelist /usr/share/gnupg2 | ||
50 | whitelist /var/mail | ||
51 | whitelist /var/spool/mail | ||
52 | include whitelist-common.inc | ||
53 | include whitelist-runuser-common.inc | 26 | include whitelist-runuser-common.inc |
54 | include whitelist-usr-share-common.inc | ||
55 | include whitelist-var-common.inc | ||
56 | 27 | ||
57 | apparmor | ||
58 | caps.drop all | 28 | caps.drop all |
59 | netfilter | 29 | netfilter |
60 | # no3d breaks under wayland | 30 | # no3d breaks under wayland |
61 | # no3d | 31 | #no3d |
62 | nodvd | 32 | nodvd |
63 | nogroups | 33 | nogroups |
64 | nonewprivs | 34 | nonewprivs |
@@ -70,27 +40,7 @@ novideo | |||
70 | protocol unix,inet,inet6 | 40 | protocol unix,inet,inet6 |
71 | seccomp | 41 | seccomp |
72 | shell none | 42 | shell none |
73 | tracelog | ||
74 | 43 | ||
75 | # disable-mnt | ||
76 | # Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg | ||
77 | # To use private-bin add all evolution,gpg,pinentry binaries and follow firefox.profile for hyperlink support | ||
78 | # private-bin evolution | ||
79 | private-cache | ||
80 | private-dev | 44 | private-dev |
81 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg | ||
82 | private-tmp | 45 | private-tmp |
83 | writable-run-user | ||
84 | writable-var | 46 | writable-var |
85 | |||
86 | dbus-user filter | ||
87 | dbus-user.own org.gnome.Evolution | ||
88 | dbus-user.talk ca.desrt.dconf | ||
89 | # Uncomment to have keyring access | ||
90 | # dbus-user.talk org.freedesktop.secrets | ||
91 | dbus-user.talk org.gnome.keyring.SystemPrompter | ||
92 | dbus-user.talk org.gnome.OnlineAccounts | ||
93 | dbus-user.talk org.freedesktop.Notifications | ||
94 | dbus-system none | ||
95 | |||
96 | read-only ${HOME}/.mozilla/firefox/profiles.ini | ||
diff --git a/etc/profile-a-l/file-manager-common.profile b/etc/profile-a-l/file-manager-common.profile index 24339953b..face34c40 100644 --- a/etc/profile-a-l/file-manager-common.profile +++ b/etc/profile-a-l/file-manager-common.profile | |||
@@ -15,7 +15,7 @@ ignore noexec ${HOME} | |||
15 | # Allow lua (blacklisted by disable-interpreters.inc) | 15 | # Allow lua (blacklisted by disable-interpreters.inc) |
16 | include allow-lua.inc | 16 | include allow-lua.inc |
17 | 17 | ||
18 | # Allow perl | 18 | # Allow perl (blacklisted by disable-interpreters.inc) |
19 | include allow-perl.inc | 19 | include allow-perl.inc |
20 | 20 | ||
21 | # Allow python (blacklisted by disable-interpreters.inc) | 21 | # Allow python (blacklisted by disable-interpreters.inc) |
diff --git a/etc/profile-a-l/filezilla.profile b/etc/profile-a-l/filezilla.profile index 43e877fd0..728929638 100644 --- a/etc/profile-a-l/filezilla.profile +++ b/etc/profile-a-l/filezilla.profile | |||
@@ -8,12 +8,14 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.config/filezilla | 9 | noblacklist ${HOME}/.config/filezilla |
10 | noblacklist ${HOME}/.filezilla | 10 | noblacklist ${HOME}/.filezilla |
11 | noblacklist ${HOME}/.ssh | ||
12 | 11 | ||
13 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
14 | include allow-python2.inc | 13 | include allow-python2.inc |
15 | include allow-python3.inc | 14 | include allow-python3.inc |
16 | 15 | ||
16 | # Allow ssh (blacklisted by disable-common.inc) | ||
17 | include allow-ssh.inc | ||
18 | |||
17 | include disable-common.inc | 19 | include disable-common.inc |
18 | include disable-devel.inc | 20 | include disable-devel.inc |
19 | include disable-interpreters.inc | 21 | include disable-interpreters.inc |
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile index 772aad7da..20bd9824c 100644 --- a/etc/profile-a-l/firefox.profile +++ b/etc/profile-a-l/firefox.profile | |||
@@ -41,6 +41,13 @@ dbus-user.own org.mpris.MediaPlayer2.firefox.* | |||
41 | #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration | 41 | #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration |
42 | #dbus-user.talk org.kde.JobViewServer | 42 | #dbus-user.talk org.kde.JobViewServer |
43 | #dbus-user.talk org.kde.kuiserver | 43 | #dbus-user.talk org.kde.kuiserver |
44 | # Uncomment or put in your firefox.local to allow screen sharing under wayland. | ||
45 | #whitelist ${RUNUSER}/pipewire-0 | ||
46 | #dbus-user.talk org.freedesktop.portal.* | ||
47 | # Also uncomment or put in your firefox.local if screen sharing sharing still | ||
48 | # does not work with the above lines (might depend on the portal | ||
49 | # implementation) | ||
50 | #ignore noroot | ||
44 | ignore dbus-user none | 51 | ignore dbus-user none |
45 | 52 | ||
46 | # Redirect | 53 | # Redirect |
diff --git a/etc/profile-a-l/fluxbox.profile b/etc/profile-a-l/fluxbox.profile index c296c0491..1210f365c 100644 --- a/etc/profile-a-l/fluxbox.profile +++ b/etc/profile-a-l/fluxbox.profile | |||
@@ -6,7 +6,7 @@ include fluxbox.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # all applications started in awesome will run in this profile | 9 | # all applications started in fluxbox will run in this profile |
10 | noblacklist ${HOME}/.fluxbox | 10 | noblacklist ${HOME}/.fluxbox |
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | 12 | ||
diff --git a/etc/profile-a-l/fractal.profile b/etc/profile-a-l/fractal.profile index c3af29e15..dede61b71 100644 --- a/etc/profile-a-l/fractal.profile +++ b/etc/profile-a-l/fractal.profile | |||
@@ -8,6 +8,10 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.cache/fractal | 9 | noblacklist ${HOME}/.cache/fractal |
10 | 10 | ||
11 | # Allow python (blacklisted by disable-interpreters.inc) | ||
12 | include allow-python2.inc | ||
13 | include allow-python3.inc | ||
14 | |||
11 | include disable-common.inc | 15 | include disable-common.inc |
12 | include disable-devel.inc | 16 | include disable-devel.inc |
13 | include disable-exec.inc | 17 | include disable-exec.inc |
@@ -49,6 +53,6 @@ private-tmp | |||
49 | dbus-user filter | 53 | dbus-user filter |
50 | dbus-user.own org.gnome.Fractal | 54 | dbus-user.own org.gnome.Fractal |
51 | dbus-user.talk ca.desrt.dconf | 55 | dbus-user.talk ca.desrt.dconf |
52 | dbus-user.talk org.freedesktop.secrets | ||
53 | dbus-user.talk org.freedesktop.Notifications | 56 | dbus-user.talk org.freedesktop.Notifications |
57 | dbus-user.talk org.freedesktop.secrets | ||
54 | dbus-system none | 58 | dbus-system none |
diff --git a/etc/profile-a-l/freecadcmd.profile b/etc/profile-a-l/freecadcmd.profile index 44bf62cfe..2b2cdae29 100644 --- a/etc/profile-a-l/freecadcmd.profile +++ b/etc/profile-a-l/freecadcmd.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for freecad | 1 | # Firejail profile alias for freecad |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include freecadcms.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include freecad.profile | 10 | include freecad.profile |
diff --git a/etc/profile-a-l/freeciv-gtk3.profile b/etc/profile-a-l/freeciv-gtk3.profile index fa36459e7..bf034a709 100644 --- a/etc/profile-a-l/freeciv-gtk3.profile +++ b/etc/profile-a-l/freeciv-gtk3.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for freeciv | 1 | # Firejail profile alias for freeciv |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include freeciv-gtk3.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include freeciv.profile | 10 | include freeciv.profile |
diff --git a/etc/profile-a-l/freeciv-mp-gtk3.profile b/etc/profile-a-l/freeciv-mp-gtk3.profile index fa36459e7..942058fa6 100644 --- a/etc/profile-a-l/freeciv-mp-gtk3.profile +++ b/etc/profile-a-l/freeciv-mp-gtk3.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for freeciv | 1 | # Firejail profile alias for freeciv |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include freeciv-mp-gtk3.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include freeciv.profile | 10 | include freeciv.profile |
diff --git a/etc/profile-a-l/gajim-history-manager.profile b/etc/profile-a-l/gajim-history-manager.profile index 2ae6dd9d8..945dea146 100644 --- a/etc/profile-a-l/gajim-history-manager.profile +++ b/etc/profile-a-l/gajim-history-manager.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for gajim-history-manager | 1 | # Firejail profile alias for gajim-history-manager |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include gajim-history-manager.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include gajim.profile | 10 | include gajim.profile |
diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile index 85d9b9bd9..125ddf79c 100644 --- a/etc/profile-a-l/gajim.profile +++ b/etc/profile-a-l/gajim.profile | |||
@@ -6,6 +6,7 @@ include gajim.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.gnupg | ||
9 | noblacklist ${HOME}/.cache/gajim | 10 | noblacklist ${HOME}/.cache/gajim |
10 | noblacklist ${HOME}/.config/gajim | 11 | noblacklist ${HOME}/.config/gajim |
11 | noblacklist ${HOME}/.local/share/gajim | 12 | noblacklist ${HOME}/.local/share/gajim |
@@ -20,19 +21,27 @@ include disable-exec.inc | |||
20 | include disable-interpreters.inc | 21 | include disable-interpreters.inc |
21 | include disable-passwdmgr.inc | 22 | include disable-passwdmgr.inc |
22 | include disable-programs.inc | 23 | include disable-programs.inc |
23 | # Comment the following line if you need to whitelist other folders than ~/Downloads | 24 | # Comment the following line if you need to whitelist folders other than ~/Downloads |
24 | include disable-xdg.inc | 25 | include disable-xdg.inc |
25 | 26 | ||
27 | mkdir ${HOME}/.gnupg | ||
26 | mkdir ${HOME}/.cache/gajim | 28 | mkdir ${HOME}/.cache/gajim |
27 | mkdir ${HOME}/.config/gajim | 29 | mkdir ${HOME}/.config/gajim |
28 | mkdir ${HOME}/.local/share/gajim | 30 | mkdir ${HOME}/.local/share/gajim |
31 | whitelist ${HOME}/.gnupg | ||
29 | whitelist ${HOME}/.cache/gajim | 32 | whitelist ${HOME}/.cache/gajim |
30 | whitelist ${HOME}/.config/gajim | 33 | whitelist ${HOME}/.config/gajim |
31 | whitelist ${HOME}/.local/share/gajim | 34 | whitelist ${HOME}/.local/share/gajim |
32 | whitelist ${DOWNLOADS} | 35 | whitelist ${DOWNLOADS} |
36 | whitelist ${RUNUSER}/gnupg | ||
37 | whitelist /usr/share/gnupg | ||
38 | whitelist /usr/share/gnupg2 | ||
33 | include whitelist-common.inc | 39 | include whitelist-common.inc |
40 | include whitelist-runuser-common.inc | ||
41 | include whitelist-usr-share-common.inc | ||
34 | include whitelist-var-common.inc | 42 | include whitelist-var-common.inc |
35 | 43 | ||
44 | apparmor | ||
36 | caps.drop all | 45 | caps.drop all |
37 | netfilter | 46 | netfilter |
38 | nodvd | 47 | nodvd |
@@ -47,9 +56,24 @@ shell none | |||
47 | tracelog | 56 | tracelog |
48 | 57 | ||
49 | disable-mnt | 58 | disable-mnt |
50 | private-bin bash,gajim,gajim-history-manager,gpg,gpg2,paplay,python,python3,sh,zsh | 59 | private-bin bash,gajim,gajim-history-manager,gpg,gpg2,paplay,python*,sh,zsh |
60 | private-cache | ||
51 | private-dev | 61 | private-dev |
52 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl | 62 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,xdg |
53 | private-tmp | 63 | private-tmp |
64 | writable-run-user | ||
65 | |||
66 | dbus-user filter | ||
67 | dbus-user.own org.gajim.Gajim | ||
68 | dbus-user.talk org.gnome.Mutter.IdleMonitor | ||
69 | dbus-user.talk ca.desrt.dconf | ||
70 | dbus-user.talk org.freedesktop.Notifications | ||
71 | dbus-user.talk org.freedesktop.secrets | ||
72 | dbus-user.talk org.kde.kwalletd5 | ||
73 | dbus-user.talk org.mpris.MediaPlayer2.* | ||
74 | dbus-system filter | ||
75 | dbus-system.talk org.freedesktop.login1 | ||
76 | # Uncomment for location plugin support | ||
77 | #dbus-system.talk org.freedesktop.GeoClue2 | ||
54 | 78 | ||
55 | join-or-start gajim | 79 | join-or-start gajim |
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile index f4e5a392f..b11863c6a 100644 --- a/etc/profile-a-l/geary.profile +++ b/etc/profile-a-l/geary.profile | |||
@@ -4,28 +4,83 @@ | |||
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include geary.local | 5 | include geary.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | # added by included profile | 7 | include globals.local |
8 | #include globals.local | ||
9 | |||
10 | # Users have Geary set to open a browser by clicking a link in an email | ||
11 | # We are not allowed to blacklist browser-specific directories | ||
12 | |||
13 | ignore dbus-user filter | ||
14 | ignore dbus-system none | ||
15 | ignore private-tmp | ||
16 | 8 | ||
9 | noblacklist ${HOME}/.cache/evolution | ||
10 | noblacklist ${HOME}/.cache/folks | ||
17 | noblacklist ${HOME}/.cache/geary | 11 | noblacklist ${HOME}/.cache/geary |
12 | noblacklist ${HOME}/.config/evolution | ||
18 | noblacklist ${HOME}/.config/geary | 13 | noblacklist ${HOME}/.config/geary |
14 | noblacklist ${HOME}/.local/share/evolution | ||
19 | noblacklist ${HOME}/.local/share/geary | 15 | noblacklist ${HOME}/.local/share/geary |
16 | noblacklist ${HOME}/.mozilla | ||
17 | |||
18 | include disable-common.inc | ||
19 | include disable-devel.inc | ||
20 | include disable-exec.inc | ||
21 | include disable-interpreters.inc | ||
22 | include disable-passwdmgr.inc | ||
23 | include disable-programs.inc | ||
24 | include disable-shell.inc | ||
25 | include disable-xdg.inc | ||
20 | 26 | ||
27 | mkdir ${HOME}/.cache/evolution | ||
28 | mkdir ${HOME}/.cache/folks | ||
21 | mkdir ${HOME}/.cache/geary | 29 | mkdir ${HOME}/.cache/geary |
30 | mkdir ${HOME}/.config/evolution | ||
22 | mkdir ${HOME}/.config/geary | 31 | mkdir ${HOME}/.config/geary |
32 | mkdir ${HOME}/.local/share/evolution | ||
23 | mkdir ${HOME}/.local/share/geary | 33 | mkdir ${HOME}/.local/share/geary |
34 | whitelist ${DOWNLOADS} | ||
35 | whitelist ${HOME}/.cache/evolution | ||
36 | whitelist ${HOME}/.cache/folks | ||
24 | whitelist ${HOME}/.cache/geary | 37 | whitelist ${HOME}/.cache/geary |
38 | whitelist ${HOME}/.config/evolution | ||
25 | whitelist ${HOME}/.config/geary | 39 | whitelist ${HOME}/.config/geary |
40 | whitelist ${HOME}/.local/share/evolution | ||
26 | whitelist ${HOME}/.local/share/geary | 41 | whitelist ${HOME}/.local/share/geary |
42 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | ||
27 | whitelist /usr/share/geary | 43 | whitelist /usr/share/geary |
44 | include whitelist-common.inc | ||
45 | include whitelist-runuser-common.inc | ||
46 | include whitelist-usr-share-common.inc | ||
47 | include whitelist-var-common.inc | ||
48 | |||
49 | apparmor | ||
50 | caps.drop all | ||
51 | machine-id | ||
52 | netfilter | ||
53 | no3d | ||
54 | nodvd | ||
55 | nogroups | ||
56 | nonewprivs | ||
57 | noroot | ||
58 | nosound | ||
59 | notv | ||
60 | nou2f | ||
61 | novideo | ||
62 | protocol unix,inet,inet6 | ||
63 | seccomp | ||
64 | seccomp.block-secondary | ||
65 | shell none | ||
66 | tracelog | ||
67 | |||
68 | # disable-mnt | ||
69 | # Add 'ignore private-bin' to geary.local for hyperlink support | ||
70 | private-bin geary | ||
71 | private-cache | ||
72 | private-dev | ||
73 | private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,xdg | ||
74 | private-tmp | ||
75 | |||
76 | dbus-user filter | ||
77 | dbus-user.own org.gnome.Geary | ||
78 | dbus-user.talk ca.desrt.dconf | ||
79 | dbus-user.talk org.freedesktop.secrets | ||
80 | dbus-user.talk org.gnome.Contacts | ||
81 | dbus-user.talk org.gnome.OnlineAccounts | ||
82 | dbus-user.talk org.gnome.evolution.dataserver.AddressBook10 | ||
83 | dbus-user.talk org.gnome.evolution.dataserver.Sources5 | ||
84 | dbus-system none | ||
28 | 85 | ||
29 | # allow Mozilla browsers | 86 | read-only ${HOME}/.mozilla/firefox/profiles.ini |
30 | # Redirect | ||
31 | include firefox.profile | ||
diff --git a/etc/profile-a-l/gfeeds.profile b/etc/profile-a-l/gfeeds.profile index b8d1b9608..caeb3ce51 100644 --- a/etc/profile-a-l/gfeeds.profile +++ b/etc/profile-a-l/gfeeds.profile | |||
@@ -9,6 +9,7 @@ include globals.local | |||
9 | noblacklist ${HOME}/.cache/gfeeds | 9 | noblacklist ${HOME}/.cache/gfeeds |
10 | noblacklist ${HOME}/.cache/org.gabmus.gfeeds | 10 | noblacklist ${HOME}/.cache/org.gabmus.gfeeds |
11 | noblacklist ${HOME}/.config/org.gabmus.gfeeds.json | 11 | noblacklist ${HOME}/.config/org.gabmus.gfeeds.json |
12 | noblacklist ${HOME}/.config/org.gabmus.gfeeds.saved_articles | ||
12 | 13 | ||
13 | # Allow python (blacklisted by disable-interpreters.inc) | 14 | # Allow python (blacklisted by disable-interpreters.inc) |
14 | include allow-python3.inc | 15 | include allow-python3.inc |
@@ -25,9 +26,11 @@ include disable-xdg.inc | |||
25 | mkdir ${HOME}/.cache/gfeeds | 26 | mkdir ${HOME}/.cache/gfeeds |
26 | mkdir ${HOME}/.cache/org.gabmus.gfeeds | 27 | mkdir ${HOME}/.cache/org.gabmus.gfeeds |
27 | mkfile ${HOME}/.config/org.gabmus.gfeeds.json | 28 | mkfile ${HOME}/.config/org.gabmus.gfeeds.json |
29 | mkdir ${HOME}/.config/org.gabmus.gfeeds.saved_articles | ||
28 | whitelist ${HOME}/.cache/gfeeds | 30 | whitelist ${HOME}/.cache/gfeeds |
29 | whitelist ${HOME}/.cache/org.gabmus.gfeeds | 31 | whitelist ${HOME}/.cache/org.gabmus.gfeeds |
30 | whitelist ${HOME}/.config/org.gabmus.gfeeds.json | 32 | whitelist ${HOME}/.config/org.gabmus.gfeeds.json |
33 | whitelist ${HOME}/.config/org.gabmus.gfeeds.saved_articles | ||
31 | whitelist /usr/share/gfeeds | 34 | whitelist /usr/share/gfeeds |
32 | include whitelist-common.inc | 35 | include whitelist-common.inc |
33 | include whitelist-runuser-common.inc | 36 | include whitelist-runuser-common.inc |
diff --git a/etc/profile-a-l/ghb.profile b/etc/profile-a-l/ghb.profile index 1e7ce2350..c65d7e709 100644 --- a/etc/profile-a-l/ghb.profile +++ b/etc/profile-a-l/ghb.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for handbrake | 1 | # Firejail profile alias for handbrake |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include ghb.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include handbrake.profile | 10 | include handbrake.profile |
diff --git a/etc/profile-a-l/gimp-2.10.profile b/etc/profile-a-l/gimp-2.10.profile index dbf49ac22..ea099b0a5 100644 --- a/etc/profile-a-l/gimp-2.10.profile +++ b/etc/profile-a-l/gimp-2.10.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for gimp | 1 | # Firejail profile alias for gimp |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include gimp-2.10.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include gimp.profile | 10 | include gimp.profile |
diff --git a/etc/profile-a-l/gimp-2.8.profile b/etc/profile-a-l/gimp-2.8.profile index dbf49ac22..af0793c58 100644 --- a/etc/profile-a-l/gimp-2.8.profile +++ b/etc/profile-a-l/gimp-2.8.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for gimp | 1 | # Firejail profile alias for gimp |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include gimp-2.8.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include gimp.profile | 10 | include gimp.profile |
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile index 4708078dd..312655b9b 100644 --- a/etc/profile-a-l/git-cola.profile +++ b/etc/profile-a-l/git-cola.profile | |||
@@ -11,16 +11,19 @@ ignore noexec ${HOME} | |||
11 | noblacklist ${HOME}/.gitconfig | 11 | noblacklist ${HOME}/.gitconfig |
12 | noblacklist ${HOME}/.git-credentials | 12 | noblacklist ${HOME}/.git-credentials |
13 | noblacklist ${HOME}/.gnupg | 13 | noblacklist ${HOME}/.gnupg |
14 | noblacklist ${HOME}/.ssh | ||
15 | noblacklist ${HOME}/.subversion | 14 | noblacklist ${HOME}/.subversion |
16 | noblacklist ${HOME}/.config/git | 15 | noblacklist ${HOME}/.config/git |
17 | noblacklist ${HOME}/.config/git-cola | 16 | noblacklist ${HOME}/.config/git-cola |
18 | # Put your editor,diff viewer config path below and uncomment to load settings | 17 | # Put your editor,diff viewer config path below and uncomment to load settings |
19 | # noblacklist ${HOME}/ | 18 | # noblacklist ${HOME}/ |
20 | 19 | ||
20 | # Allow python (blacklisted by disable-interpreters.inc) | ||
21 | include allow-python2.inc | 21 | include allow-python2.inc |
22 | include allow-python3.inc | 22 | include allow-python3.inc |
23 | 23 | ||
24 | # Allow ssh (blacklisted by disable-common.inc) | ||
25 | include allow-ssh.inc | ||
26 | |||
24 | include disable-common.inc | 27 | include disable-common.inc |
25 | include disable-devel.inc | 28 | include disable-devel.inc |
26 | include disable-exec.inc | 29 | include disable-exec.inc |
diff --git a/etc/profile-a-l/git.profile b/etc/profile-a-l/git.profile index e5a2f3985..aefb2917d 100644 --- a/etc/profile-a-l/git.profile +++ b/etc/profile-a-l/git.profile | |||
@@ -15,10 +15,12 @@ noblacklist ${HOME}/.gitconfig | |||
15 | noblacklist ${HOME}/.git-credentials | 15 | noblacklist ${HOME}/.git-credentials |
16 | noblacklist ${HOME}/.gnupg | 16 | noblacklist ${HOME}/.gnupg |
17 | noblacklist ${HOME}/.nanorc | 17 | noblacklist ${HOME}/.nanorc |
18 | noblacklist ${HOME}/.ssh | ||
19 | noblacklist ${HOME}/.vim | 18 | noblacklist ${HOME}/.vim |
20 | noblacklist ${HOME}/.viminfo | 19 | noblacklist ${HOME}/.viminfo |
21 | 20 | ||
21 | # Allow ssh (blacklisted by disable-common.inc) | ||
22 | include allow-ssh.inc | ||
23 | |||
22 | blacklist /tmp/.X11-unix | 24 | blacklist /tmp/.X11-unix |
23 | blacklist ${RUNUSER}/wayland-* | 25 | blacklist ${RUNUSER}/wayland-* |
24 | 26 | ||
diff --git a/etc/profile-a-l/gitg.profile b/etc/profile-a-l/gitg.profile index 3d80c1ed2..93b90eb9e 100644 --- a/etc/profile-a-l/gitg.profile +++ b/etc/profile-a-l/gitg.profile | |||
@@ -10,7 +10,9 @@ noblacklist ${HOME}/.config/git | |||
10 | noblacklist ${HOME}/.gitconfig | 10 | noblacklist ${HOME}/.gitconfig |
11 | noblacklist ${HOME}/.git-credentials | 11 | noblacklist ${HOME}/.git-credentials |
12 | noblacklist ${HOME}/.local/share/gitg | 12 | noblacklist ${HOME}/.local/share/gitg |
13 | noblacklist ${HOME}/.ssh | 13 | |
14 | # Allow ssh (blacklisted by disable-common.inc) | ||
15 | include allow-ssh.inc | ||
14 | 16 | ||
15 | include disable-common.inc | 17 | include disable-common.inc |
16 | include disable-devel.inc | 18 | include disable-devel.inc |
diff --git a/etc/profile-a-l/gnome-mpv.profile b/etc/profile-a-l/gnome-mpv.profile index f5d652732..dfb95d27b 100644 --- a/etc/profile-a-l/gnome-mpv.profile +++ b/etc/profile-a-l/gnome-mpv.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for celluloid (formerly GNOME MPV) | 1 | # Firejail profile alias for celluloid (formerly GNOME MPV) |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include gnome-mpv.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include celluloid.profile | 10 | include celluloid.profile |
diff --git a/etc/profile-a-l/google-chrome-stable.profile b/etc/profile-a-l/google-chrome-stable.profile index a456e8d61..88cd43490 100644 --- a/etc/profile-a-l/google-chrome-stable.profile +++ b/etc/profile-a-l/google-chrome-stable.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for google-chrome | 1 | # Firejail profile alias for google-chrome |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include google-chrome-stable.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include google-chrome.profile | 10 | include google-chrome.profile |
diff --git a/etc/profile-a-l/google-earth-pro.profile b/etc/profile-a-l/google-earth-pro.profile index c1f919769..1240dc3b7 100644 --- a/etc/profile-a-l/google-earth-pro.profile +++ b/etc/profile-a-l/google-earth-pro.profile | |||
@@ -1,7 +1,30 @@ | |||
1 | # Firejail profile alias for google-earth | 1 | # Firejail profile for google-earth-pro |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include google-earth-pro.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | private-bin google-earth-pro | 9 | # Google Earth Pro can show issues that make it unpleasant to use, even when running unsandboxed. |
10 | # See https://wiki.archlinux.org/index.php/Google_Earth#Troubleshooting for details. | ||
11 | # Firejailing this application will demand extra work, as there are issues only upstream can fix (see #3906). | ||
12 | # As an alternative one could use the web version: https://earth.google.com/web/. | ||
13 | # The desktop version from the AUR can be made to work with firejail by appending the below snippet | ||
14 | # to /usr/bin/googleearth-pro: | ||
15 | # <--- snippet ---> | ||
16 | # Post-shutdown cleaning | ||
17 | #_lock_app_running="${HOME}/.googleearth/instance-running-lock" | ||
18 | #[[ -L "$_lock_app_running" ]] && rm -f "${_lock_app_running:?}" | ||
19 | #_lock_collada_cache="/tmp/geColladaModelCacheLock" | ||
20 | #[[ -e "$_lock_collada_cache" ]] && rm -f "${_lock_collada_cache:?}" | ||
21 | #_lock_icon_cache="/tmp/geIconCacheLock" | ||
22 | #[[ -e "$_lock_icon_cache" ]] && rm -f "${_lock_icon_cache:?}" | ||
23 | # <--- end of snippet ---> | ||
24 | |||
25 | # If you see errors about missing commands, uncomment the below or put 'ignore private-bin' into your google-earth-pro.local | ||
26 | #ignore private-bin | ||
27 | private-bin google-earth-pro,googleearth,googleearth-bin,gpsbabel,readlink,repair_tool,rm,which,xdg-mime,xdg-settings | ||
5 | 28 | ||
6 | # Redirect | 29 | # Redirect |
7 | include google-earth.profile | 30 | include google-earth.profile |
diff --git a/etc/profile-a-l/google-earth.profile b/etc/profile-a-l/google-earth.profile index a331ef8d2..12b1cbafd 100644 --- a/etc/profile-a-l/google-earth.profile +++ b/etc/profile-a-l/google-earth.profile | |||
@@ -6,10 +6,7 @@ include google-earth.local | |||
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.config/Google | 8 | noblacklist ${HOME}/.config/Google |
9 | noblacklist ${HOME}/.googleearth/Cache | 9 | noblacklist ${HOME}/.googleearth |
10 | noblacklist ${HOME}/.googleearth/Temp | ||
11 | noblacklist ${HOME}/.googleearth/myplaces.backup.kml | ||
12 | noblacklist ${HOME}/.googleearth/myplaces.kml | ||
13 | 10 | ||
14 | include disable-common.inc | 11 | include disable-common.inc |
15 | include disable-devel.inc | 12 | include disable-devel.inc |
@@ -19,15 +16,9 @@ include disable-passwdmgr.inc | |||
19 | include disable-programs.inc | 16 | include disable-programs.inc |
20 | 17 | ||
21 | mkdir ${HOME}/.config/Google | 18 | mkdir ${HOME}/.config/Google |
22 | mkdir ${HOME}/.googleearth/Cache | 19 | mkdir ${HOME}/.googleearth |
23 | mkdir ${HOME}/.googleearth/Temp | ||
24 | mkfile ${HOME}/.googleearth/myplaces.backup.kml | ||
25 | mkfile ${HOME}/.googleearth/myplaces.kml | ||
26 | whitelist ${HOME}/.config/Google | 20 | whitelist ${HOME}/.config/Google |
27 | whitelist ${HOME}/.googleearth/Cache | 21 | whitelist ${HOME}/.googleearth |
28 | whitelist ${HOME}/.googleearth/Temp | ||
29 | whitelist ${HOME}/.googleearth/myplaces.backup.kml | ||
30 | whitelist ${HOME}/.googleearth/myplaces.kml | ||
31 | include whitelist-common.inc | 22 | include whitelist-common.inc |
32 | 23 | ||
33 | caps.drop all | 24 | caps.drop all |
diff --git a/etc/profile-a-l/gtar.profile b/etc/profile-a-l/gtar.profile index 2391c121b..e3a02e7bc 100644 --- a/etc/profile-a-l/gtar.profile +++ b/etc/profile-a-l/gtar.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for tar | 1 | # Firejail profile alias for tar |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include gtar.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include tar.profile | 10 | include tar.profile |
diff --git a/etc/profile-a-l/gummi.profile b/etc/profile-a-l/gummi.profile index 40c268c46..2223c37a1 100644 --- a/etc/profile-a-l/gummi.profile +++ b/etc/profile-a-l/gummi.profile | |||
@@ -8,8 +8,13 @@ include globals.local | |||
8 | noblacklist ${HOME}/.cache/gummi | 8 | noblacklist ${HOME}/.cache/gummi |
9 | noblacklist ${HOME}/.config/gummi | 9 | noblacklist ${HOME}/.config/gummi |
10 | 10 | ||
11 | # Allow lua (blacklisted by disable-interpreters.inc) | ||
11 | include allow-lua.inc | 12 | include allow-lua.inc |
13 | |||
14 | # Allow perl (blacklisted by disable-interpreters.inc) | ||
12 | include allow-perl.inc | 15 | include allow-perl.inc |
16 | |||
17 | # Allow python (blacklisted by disable-interpreters.inc) | ||
13 | include allow-python3.inc | 18 | include allow-python3.inc |
14 | 19 | ||
15 | private-bin dvipdf,dvips,env,gummi,latex,latexmk,lua*,pdflatex,pdftex,perl,ps2pdf,python3*,rubber,synctex,tex,xelatex,xetex | 20 | private-bin dvipdf,dvips,env,gummi,latex,latexmk,lua*,pdflatex,pdftex,perl,ps2pdf,python3*,rubber,synctex,tex,xelatex,xetex |
diff --git a/etc/profile-a-l/guvcview.profile b/etc/profile-a-l/guvcview.profile new file mode 100644 index 000000000..46fc06940 --- /dev/null +++ b/etc/profile-a-l/guvcview.profile | |||
@@ -0,0 +1,55 @@ | |||
1 | # Firejail profile for guvcview | ||
2 | # Description: GTK+ base UVC Viewer | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include guvcview.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/guvcview2 | ||
10 | |||
11 | noblacklist ${PICTURES} | ||
12 | noblacklist ${VIDEOS} | ||
13 | |||
14 | include disable-common.inc | ||
15 | include disable-devel.inc | ||
16 | include disable-exec.inc | ||
17 | include disable-interpreters.inc | ||
18 | include disable-passwdmgr.inc | ||
19 | include disable-programs.inc | ||
20 | include disable-shell.inc | ||
21 | include disable-xdg.inc | ||
22 | |||
23 | mkdir ${HOME}/.config/guvcview2 | ||
24 | whitelist ${HOME}/.config/guvcview2 | ||
25 | whitelist ${PICTURES} | ||
26 | whitelist ${VIDEOS} | ||
27 | include whitelist-common.inc | ||
28 | include whitelist-runuser-common.inc | ||
29 | include whitelist-usr-share-common.inc | ||
30 | include whitelist-var-common.inc | ||
31 | |||
32 | apparmor | ||
33 | caps.drop all | ||
34 | net none | ||
35 | nodvd | ||
36 | nogroups | ||
37 | nonewprivs | ||
38 | noroot | ||
39 | notv | ||
40 | nou2f | ||
41 | protocol unix,netlink | ||
42 | seccomp | ||
43 | seccomp.block-secondary | ||
44 | shell none | ||
45 | tracelog | ||
46 | |||
47 | disable-mnt | ||
48 | private-bin guvcview | ||
49 | private-cache | ||
50 | private-dev | ||
51 | private-etc alsa,alternatives,asound.conf,bumblebee,dconf,drirc,fonts,glvnd,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nvidia,pango,pulse,X11 | ||
52 | private-tmp | ||
53 | |||
54 | dbus-user none | ||
55 | dbus-system none | ||
diff --git a/etc/profile-a-l/gzip.profile b/etc/profile-a-l/gzip.profile index 9b59e57e7..035c6459c 100644 --- a/etc/profile-a-l/gzip.profile +++ b/etc/profile-a-l/gzip.profile | |||
@@ -7,7 +7,9 @@ include gzip.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only. | 10 | # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop |
11 | # all capabilities this is automatically read-only. | ||
11 | noblacklist /var/lib/pacman | 12 | noblacklist /var/lib/pacman |
12 | 13 | ||
14 | # Redirect | ||
13 | include archiver-common.inc | 15 | include archiver-common.inc |
diff --git a/etc/profile-a-l/handbrake-gtk.profile b/etc/profile-a-l/handbrake-gtk.profile index 1e7ce2350..42371a853 100644 --- a/etc/profile-a-l/handbrake-gtk.profile +++ b/etc/profile-a-l/handbrake-gtk.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for handbrake | 1 | # Firejail profile alias for handbrake |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include handbrake-gtk.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include handbrake.profile | 10 | include handbrake.profile |
diff --git a/etc/profile-a-l/hexchat.profile b/etc/profile-a-l/hexchat.profile index 86527aa1f..c60510260 100644 --- a/etc/profile-a-l/hexchat.profile +++ b/etc/profile-a-l/hexchat.profile | |||
@@ -8,13 +8,13 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.config/hexchat | 9 | noblacklist ${HOME}/.config/hexchat |
10 | 10 | ||
11 | # Allow perl (blacklisted by disable-interpreters.inc) | ||
12 | include allow-perl.inc | ||
13 | |||
11 | # Allow python (blacklisted by disable-interpreters.inc) | 14 | # Allow python (blacklisted by disable-interpreters.inc) |
12 | include allow-python2.inc | 15 | include allow-python2.inc |
13 | include allow-python3.inc | 16 | include allow-python3.inc |
14 | 17 | ||
15 | # Allow perl (blacklisted by disable-interpreters.inc) | ||
16 | include allow-perl.inc | ||
17 | |||
18 | include disable-common.inc | 18 | include disable-common.inc |
19 | include disable-devel.inc | 19 | include disable-devel.inc |
20 | include disable-exec.inc | 20 | include disable-exec.inc |
diff --git a/etc/profile-a-l/i3.profile b/etc/profile-a-l/i3.profile index c1ca0e413..e96b1843c 100644 --- a/etc/profile-a-l/i3.profile +++ b/etc/profile-a-l/i3.profile | |||
@@ -6,7 +6,7 @@ include i3.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # all applications started in awesome will run in this profile | 9 | # all applications started in i3 will run in this profile |
10 | noblacklist ${HOME}/.config/i3 | 10 | noblacklist ${HOME}/.config/i3 |
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | 12 | ||
diff --git a/etc/profile-a-l/idea.sh.profile b/etc/profile-a-l/idea.sh.profile index a7d0d531f..0a048a38a 100644 --- a/etc/profile-a-l/idea.sh.profile +++ b/etc/profile-a-l/idea.sh.profile | |||
@@ -10,12 +10,14 @@ noblacklist ${HOME}/.android | |||
10 | noblacklist ${HOME}/.jack-server | 10 | noblacklist ${HOME}/.jack-server |
11 | noblacklist ${HOME}/.jack-settings | 11 | noblacklist ${HOME}/.jack-settings |
12 | noblacklist ${HOME}/.local/share/JetBrains | 12 | noblacklist ${HOME}/.local/share/JetBrains |
13 | noblacklist ${HOME}/.ssh | ||
14 | noblacklist ${HOME}/.tooling | 13 | noblacklist ${HOME}/.tooling |
15 | 14 | ||
16 | # Allows files commonly used by IDEs | 15 | # Allows files commonly used by IDEs |
17 | include allow-common-devel.inc | 16 | include allow-common-devel.inc |
18 | 17 | ||
18 | # Allow ssh (blacklisted by disable-common.inc) | ||
19 | include allow-ssh.inc | ||
20 | |||
19 | include disable-common.inc | 21 | include disable-common.inc |
20 | include disable-passwdmgr.inc | 22 | include disable-passwdmgr.inc |
21 | include disable-programs.inc | 23 | include disable-programs.inc |
diff --git a/etc/profile-a-l/iridium-browser.profile b/etc/profile-a-l/iridium-browser.profile index c7ee64d56..20b24cedf 100644 --- a/etc/profile-a-l/iridium-browser.profile +++ b/etc/profile-a-l/iridium-browser.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for iridium | 1 | # Firejail profile alias for iridium |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include iridium-browser.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include iridium.profile | 10 | include iridium.profile |
diff --git a/etc/profile-a-l/jumpnbump-menu.profile b/etc/profile-a-l/jumpnbump-menu.profile index b1852b015..8d391b90f 100644 --- a/etc/profile-a-l/jumpnbump-menu.profile +++ b/etc/profile-a-l/jumpnbump-menu.profile | |||
@@ -7,6 +7,7 @@ include jumpnbump-menu.local | |||
7 | # added by included profile | 7 | # added by included profile |
8 | #include globals.local | 8 | #include globals.local |
9 | 9 | ||
10 | # Allow python (blacklisted by disable-interpreters.inc) | ||
10 | include allow-python3.inc | 11 | include allow-python3.inc |
11 | 12 | ||
12 | private-bin jumpnbump-menu,python3* | 13 | private-bin jumpnbump-menu,python3* |
diff --git a/etc/profile-a-l/kalgebramobile.profile b/etc/profile-a-l/kalgebramobile.profile index d2394fe20..3768d277e 100644 --- a/etc/profile-a-l/kalgebramobile.profile +++ b/etc/profile-a-l/kalgebramobile.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile for kalgebramobile | 1 | # Firejail profile for kalgebramobile |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include kalgebramobile.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include kalgebra.profile | 10 | include kalgebra.profile |
diff --git a/etc/profile-a-l/karbon.profile b/etc/profile-a-l/karbon.profile index d54d6d3d0..231299a2f 100644 --- a/etc/profile-a-l/karbon.profile +++ b/etc/profile-a-l/karbon.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for krita | 1 | # Firejail profile alias for krita |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include karbon.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.local/share/kxmlgui5/karbon | 9 | noblacklist ${HOME}/.local/share/kxmlgui5/karbon |
5 | 10 | ||
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile index 9c095e106..7d9f4c22f 100644 --- a/etc/profile-a-l/kazam.profile +++ b/etc/profile-a-l/kazam.profile | |||
@@ -12,6 +12,7 @@ noblacklist ${PICTURES} | |||
12 | noblacklist ${VIDEOS} | 12 | noblacklist ${VIDEOS} |
13 | noblacklist ${HOME}/.config/kazam | 13 | noblacklist ${HOME}/.config/kazam |
14 | 14 | ||
15 | # Allow python (blacklisted by disable-interpreters.inc) | ||
15 | include allow-python2.inc | 16 | include allow-python2.inc |
16 | include allow-python3.inc | 17 | include allow-python3.inc |
17 | 18 | ||
diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile new file mode 100644 index 000000000..41840e3b0 --- /dev/null +++ b/etc/profile-a-l/kdiff3.profile | |||
@@ -0,0 +1,52 @@ | |||
1 | # Firejail profile for kdiff3 | ||
2 | # Description: KDiff3 is a file and folder diff and merge tool. | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include kdiff3.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/kdiff3fileitemactionrc | ||
10 | noblacklist ${HOME}/.config/kdiff3rc | ||
11 | |||
12 | # Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in disable-common.inc. | ||
13 | #include disable-common.inc | ||
14 | include disable-devel.inc | ||
15 | include disable-exec.inc | ||
16 | include disable-interpreters.inc | ||
17 | include disable-passwdmgr.inc | ||
18 | # Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in disable-programs.inc. | ||
19 | #include disable-programs.inc | ||
20 | include disable-shell.inc | ||
21 | include disable-xdg.inc | ||
22 | |||
23 | include whitelist-runuser-common.inc | ||
24 | # Uncomment the next lines (or put it into your kdiff3.local) if you don't need to compare files in /usr/share. | ||
25 | #include whitelist-usr-share-common.inc | ||
26 | # Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in /var. | ||
27 | #include whitelist-var-common.inc | ||
28 | |||
29 | apparmor | ||
30 | caps.drop all | ||
31 | machine-id | ||
32 | net none | ||
33 | nodvd | ||
34 | nogroups | ||
35 | nonewprivs | ||
36 | noroot | ||
37 | nosound | ||
38 | notv | ||
39 | nou2f | ||
40 | novideo | ||
41 | seccomp | ||
42 | seccomp.block-secondary | ||
43 | shell none | ||
44 | tracelog | ||
45 | |||
46 | disable-mnt | ||
47 | private-bin kdiff3 | ||
48 | private-cache | ||
49 | private-dev | ||
50 | |||
51 | dbus-user none | ||
52 | dbus-system none | ||
diff --git a/etc/profile-a-l/keepass2.profile b/etc/profile-a-l/keepass2.profile index aef236ccc..72f79bef7 100644 --- a/etc/profile-a-l/keepass2.profile +++ b/etc/profile-a-l/keepass2.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for keepass | 1 | # Firejail profile alias for keepass |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include keepass2.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include keepass.profile | 10 | include keepass.profile |
diff --git a/etc/profile-a-l/keepassx2.profile b/etc/profile-a-l/keepassx2.profile index fdd27e9f9..f2704d67f 100644 --- a/etc/profile-a-l/keepassx2.profile +++ b/etc/profile-a-l/keepassx2.profile | |||
@@ -1,6 +1,11 @@ | |||
1 | # Firejail profile for keepassx2 | 1 | # Firejail profile for keepassx2 |
2 | # Description: Cross platform password manager | 2 | # Description: Cross platform password manager |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | ||
5 | include keepassx2.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
4 | 9 | ||
5 | # Redirects | 10 | # Redirects |
6 | include keepassx.profile | 11 | include keepassx.profile |
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile index a3a1b500a..3ad779a12 100644 --- a/etc/profile-a-l/keepassxc.profile +++ b/etc/profile-a-l/keepassxc.profile | |||
@@ -11,10 +11,16 @@ noblacklist ${HOME}/*.kdbx | |||
11 | noblacklist ${HOME}/.cache/keepassxc | 11 | noblacklist ${HOME}/.cache/keepassxc |
12 | noblacklist ${HOME}/.config/keepassxc | 12 | noblacklist ${HOME}/.config/keepassxc |
13 | noblacklist ${HOME}/.keepassxc | 13 | noblacklist ${HOME}/.keepassxc |
14 | # 2.2.4 needs this path when compiled with "Native messaging browser extension" | ||
15 | noblacklist ${HOME}/.mozilla | ||
16 | noblacklist ${DOCUMENTS} | 14 | noblacklist ${DOCUMENTS} |
17 | 15 | ||
16 | # Allow browser profiles, required for browser integration. | ||
17 | noblacklist ${HOME}/.config/BraveSoftware | ||
18 | noblacklist ${HOME}/.config/chromium | ||
19 | noblacklist ${HOME}/.config/google-chrome | ||
20 | noblacklist ${HOME}/.config/vivaldi | ||
21 | noblacklist ${HOME}/.local/share/torbrowser | ||
22 | noblacklist ${HOME}/.mozilla | ||
23 | |||
18 | include disable-common.inc | 24 | include disable-common.inc |
19 | include disable-devel.inc | 25 | include disable-devel.inc |
20 | include disable-exec.inc | 26 | include disable-exec.inc |
@@ -29,6 +35,16 @@ include disable-xdg.inc | |||
29 | #mkdir ${HOME}/Documents/KeePassXC | 35 | #mkdir ${HOME}/Documents/KeePassXC |
30 | #whitelist ${HOME}/Documents/KeePassXC | 36 | #whitelist ${HOME}/Documents/KeePassXC |
31 | # Needed for KeePassXC-Browser | 37 | # Needed for KeePassXC-Browser |
38 | #mkfile ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json | ||
39 | #whitelist ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json | ||
40 | #mkfile ${HOME}/.config/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json | ||
41 | #whitelist ${HOME}/.config/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json | ||
42 | #mkfile ${HOME}/.config/google-chrome/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json | ||
43 | #whitelist ${HOME}/.config/google-chrome/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json | ||
44 | #mkfile ${HOME}/.config/vivaldi/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json | ||
45 | #whitelist ${HOME}/.config/vivaldi/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json | ||
46 | #mkfile ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json | ||
47 | #whitelist ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json | ||
32 | #mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json | 48 | #mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json |
33 | #whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json | 49 | #whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json |
34 | #mkdir ${HOME}/.cache/keepassxc | 50 | #mkdir ${HOME}/.cache/keepassxc |
diff --git a/etc/profile-a-l/klatexformula_cmdl.profile b/etc/profile-a-l/klatexformula_cmdl.profile index 9137963c4..3142cbca6 100644 --- a/etc/profile-a-l/klatexformula_cmdl.profile +++ b/etc/profile-a-l/klatexformula_cmdl.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for klatexformula_cmdl | 1 | # Firejail profile alias for klatexformula_cmdl |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include klatexformula_cmdl.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include klatexformula.profile | 10 | include klatexformula.profile |
diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile index 8d99da3cf..ab4ff10b9 100644 --- a/etc/profile-a-l/kmail.profile +++ b/etc/profile-a-l/kmail.profile | |||
@@ -9,10 +9,6 @@ include globals.local | |||
9 | # kmail has problems launching akonadi in debian and ubuntu. | 9 | # kmail has problems launching akonadi in debian and ubuntu. |
10 | # one solution is to have akonadi already running when kmail is started | 10 | # one solution is to have akonadi already running when kmail is started |
11 | 11 | ||
12 | noblacklist ${HOME}/.gnupg | ||
13 | # noblacklist ${HOME}/.kde/ | ||
14 | # noblacklist ${HOME}/.kde4/ | ||
15 | noblacklist ${HOME}/.mozilla | ||
16 | noblacklist ${HOME}/.cache/akonadi* | 12 | noblacklist ${HOME}/.cache/akonadi* |
17 | noblacklist ${HOME}/.cache/kmail2 | 13 | noblacklist ${HOME}/.cache/kmail2 |
18 | noblacklist ${HOME}/.config/akonadi* | 14 | noblacklist ${HOME}/.config/akonadi* |
@@ -23,6 +19,7 @@ noblacklist ${HOME}/.config/kmail2rc | |||
23 | noblacklist ${HOME}/.config/kmailsearchindexingrc | 19 | noblacklist ${HOME}/.config/kmailsearchindexingrc |
24 | noblacklist ${HOME}/.config/mailtransports | 20 | noblacklist ${HOME}/.config/mailtransports |
25 | noblacklist ${HOME}/.config/specialmailcollectionsrc | 21 | noblacklist ${HOME}/.config/specialmailcollectionsrc |
22 | noblacklist ${HOME}/.gnupg | ||
26 | noblacklist ${HOME}/.local/share/akonadi* | 23 | noblacklist ${HOME}/.local/share/akonadi* |
27 | noblacklist ${HOME}/.local/share/apps/korganizer | 24 | noblacklist ${HOME}/.local/share/apps/korganizer |
28 | noblacklist ${HOME}/.local/share/contacts | 25 | noblacklist ${HOME}/.local/share/contacts |
@@ -33,8 +30,6 @@ noblacklist ${HOME}/.local/share/kxmlgui5/kmail2 | |||
33 | noblacklist ${HOME}/.local/share/local-mail | 30 | noblacklist ${HOME}/.local/share/local-mail |
34 | noblacklist ${HOME}/.local/share/notes | 31 | noblacklist ${HOME}/.local/share/notes |
35 | noblacklist /tmp/akonadi-* | 32 | noblacklist /tmp/akonadi-* |
36 | noblacklist /var/mail | ||
37 | noblacklist /var/spool/mail | ||
38 | 33 | ||
39 | include disable-common.inc | 34 | include disable-common.inc |
40 | include disable-devel.inc | 35 | include disable-devel.inc |
@@ -42,73 +37,10 @@ include disable-exec.inc | |||
42 | include disable-interpreters.inc | 37 | include disable-interpreters.inc |
43 | include disable-passwdmgr.inc | 38 | include disable-passwdmgr.inc |
44 | include disable-programs.inc | 39 | include disable-programs.inc |
45 | include disable-xdg.inc | ||
46 | 40 | ||
47 | mkdir ${HOME}/.gnupg | ||
48 | # mkdir ${HOME}/.kde/ | ||
49 | # mkdir ${HOME}/.kde4/ | ||
50 | mkdir ${HOME}/.cache/akonadi* | ||
51 | mkdir ${HOME}/.cache/kmail2 | ||
52 | mkdir ${HOME}/.config/akonadi* | ||
53 | mkdir ${HOME}/.config/baloorc | ||
54 | mkdir ${HOME}/.config/emaildefaults | ||
55 | mkdir ${HOME}/.config/emailidentities | ||
56 | mkdir ${HOME}/.config/kmail2rc | ||
57 | mkdir ${HOME}/.config/kmailsearchindexingrc | ||
58 | mkdir ${HOME}/.config/mailtransports | ||
59 | mkdir ${HOME}/.config/specialmailcollectionsrc | ||
60 | mkdir ${HOME}/.local/share/akonadi* | ||
61 | mkdir ${HOME}/.local/share/apps/korganizer | ||
62 | mkdir ${HOME}/.local/share/contacts | ||
63 | mkdir ${HOME}/.local/share/emailidentities | ||
64 | mkdir ${HOME}/.local/share/kmail2 | ||
65 | mkdir ${HOME}/.local/share/kxmlgui5/kmail | ||
66 | mkdir ${HOME}/.local/share/kxmlgui5/kmail2 | ||
67 | mkdir ${HOME}/.local/share/local-mail | ||
68 | mkdir ${HOME}/.local/share/notes | ||
69 | mkdir /tmp/akonadi-* | ||
70 | whitelist ${HOME}/.gnupg | ||
71 | # whitelist ${HOME}/.kde/ | ||
72 | # whitelist ${HOME}/.kde4/ | ||
73 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | ||
74 | whitelist ${HOME}/.cache/akonadi* | ||
75 | whitelist ${HOME}/.cache/kmail2 | ||
76 | whitelist ${HOME}/.config/akonadi* | ||
77 | whitelist ${HOME}/.config/baloorc | ||
78 | whitelist ${HOME}/.config/emaildefaults | ||
79 | whitelist ${HOME}/.config/emailidentities | ||
80 | whitelist ${HOME}/.config/kmail2rc | ||
81 | whitelist ${HOME}/.config/kmailsearchindexingrc | ||
82 | whitelist ${HOME}/.config/mailtransports | ||
83 | whitelist ${HOME}/.config/specialmailcollectionsrc | ||
84 | whitelist ${HOME}/.local/share/akonadi* | ||
85 | whitelist ${HOME}/.local/share/apps/korganizer | ||
86 | whitelist ${HOME}/.local/share/contacts | ||
87 | whitelist ${HOME}/.local/share/emailidentities | ||
88 | whitelist ${HOME}/.local/share/kmail2 | ||
89 | whitelist ${HOME}/.local/share/kxmlgui5/kmail | ||
90 | whitelist ${HOME}/.local/share/kxmlgui5/kmail2 | ||
91 | whitelist ${HOME}/.local/share/local-mail | ||
92 | whitelist ${HOME}/.local/share/notes | ||
93 | whitelist ${DOWNLOADS} | ||
94 | whitelist ${DOCUMENTS} | ||
95 | whitelist ${RUNUSER}/gnupg | ||
96 | whitelist /tmp/akonadi-* | ||
97 | whitelist /usr/share/akonadi | ||
98 | whitelist /usr/share/gnupg | ||
99 | whitelist /usr/share/gnupg2 | ||
100 | whitelist /usr/share/kconf_update | ||
101 | whitelist /usr/share/kf5 | ||
102 | whitelist /usr/share/kservices5 | ||
103 | whitelist /usr/share/qlogging-categories5 | ||
104 | whitelist /var/mail | ||
105 | whitelist /var/spool/mail | ||
106 | include whitelist-common.inc | ||
107 | include whitelist-runuser-common.inc | ||
108 | include whitelist-usr-share-common.inc | ||
109 | include whitelist-var-common.inc | 41 | include whitelist-var-common.inc |
110 | 42 | ||
111 | apparmor | 43 | # apparmor |
112 | caps.drop all | 44 | caps.drop all |
113 | netfilter | 45 | netfilter |
114 | nodvd | 46 | nodvd |
@@ -124,14 +56,7 @@ protocol unix,inet,inet6,netlink | |||
124 | seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set | 56 | seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set |
125 | # tracelog | 57 | # tracelog |
126 | 58 | ||
127 | private-cache | ||
128 | private-dev | 59 | private-dev |
129 | private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg | ||
130 | # private-tmp - interrupts connection to akonadi, breaks opening of email attachments | 60 | # private-tmp - interrupts connection to akonadi, breaks opening of email attachments |
61 | # writable-run-user is needed for signing and encrypting emails | ||
131 | writable-run-user | 62 | writable-run-user |
132 | writable-var | ||
133 | |||
134 | # dbus-user none | ||
135 | dbus-system none | ||
136 | |||
137 | read-only ${HOME}/.mozilla/firefox/profiles.ini \ No newline at end of file | ||
diff --git a/etc/profile-a-l/krunner.profile b/etc/profile-a-l/krunner.profile index c64113c15..9cb5eff87 100644 --- a/etc/profile-a-l/krunner.profile +++ b/etc/profile-a-l/krunner.profile | |||
@@ -6,9 +6,9 @@ include krunner.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # - programs started in krunner run with this generic profile. | 9 | # - programs started in krunner run with this generic profile |
10 | # - when a file is opened in krunner, the file viewer runs in its own sandbox | 10 | # - when a file is opened in krunner, the file viewer runs in its own sandbox |
11 | # with its own profile, if it is sandboxed automatically. | 11 | # with its own profile, if it is sandboxed automatically |
12 | 12 | ||
13 | # noblacklist ${HOME}/.cache/krunner | 13 | # noblacklist ${HOME}/.cache/krunner |
14 | # noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite* | 14 | # noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite* |
diff --git a/etc/profile-a-l/lbunzip2.profile b/etc/profile-a-l/lbunzip2.profile index 338d8c8bb..3b5b98493 100644 --- a/etc/profile-a-l/lbunzip2.profile +++ b/etc/profile-a-l/lbunzip2.profile | |||
@@ -1,6 +1,11 @@ | |||
1 | # Firejail profile alias for gzip | 1 | # Firejail profile alias for gzip |
2 | # Description: GNU compression utilities | 2 | # Description: GNU compression utilities |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | ||
5 | include lbunzip2.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
4 | 9 | ||
5 | # Redirect | 10 | # Redirect |
6 | include gzip.profile | 11 | include gzip.profile |
diff --git a/etc/profile-a-l/lbzcat.profile b/etc/profile-a-l/lbzcat.profile index 338d8c8bb..e628ceaae 100644 --- a/etc/profile-a-l/lbzcat.profile +++ b/etc/profile-a-l/lbzcat.profile | |||
@@ -1,6 +1,11 @@ | |||
1 | # Firejail profile alias for gzip | 1 | # Firejail profile alias for gzip |
2 | # Description: GNU compression utilities | 2 | # Description: GNU compression utilities |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | ||
5 | include lbzcat.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
4 | 9 | ||
5 | # Redirect | 10 | # Redirect |
6 | include gzip.profile | 11 | include gzip.profile |
diff --git a/etc/profile-a-l/lbzip2.profile b/etc/profile-a-l/lbzip2.profile index 338d8c8bb..5d7935780 100644 --- a/etc/profile-a-l/lbzip2.profile +++ b/etc/profile-a-l/lbzip2.profile | |||
@@ -1,6 +1,11 @@ | |||
1 | # Firejail profile alias for gzip | 1 | # Firejail profile alias for gzip |
2 | # Description: GNU compression utilities | 2 | # Description: GNU compression utilities |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | ||
5 | include lbzip2.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
4 | 9 | ||
5 | # Redirect | 10 | # Redirect |
6 | include gzip.profile | 11 | include gzip.profile |
diff --git a/etc/profile-a-l/liferea.profile b/etc/profile-a-l/liferea.profile index 7cfd4fc10..a122e9bbc 100644 --- a/etc/profile-a-l/liferea.profile +++ b/etc/profile-a-l/liferea.profile | |||
@@ -42,7 +42,7 @@ noroot | |||
42 | # nosound | 42 | # nosound |
43 | notv | 43 | notv |
44 | nou2f | 44 | nou2f |
45 | # novideo | 45 | novideo |
46 | protocol unix,inet,inet6 | 46 | protocol unix,inet,inet6 |
47 | seccomp | 47 | seccomp |
48 | shell none | 48 | shell none |
@@ -51,3 +51,12 @@ tracelog | |||
51 | disable-mnt | 51 | disable-mnt |
52 | private-dev | 52 | private-dev |
53 | private-tmp | 53 | private-tmp |
54 | |||
55 | dbus-user filter | ||
56 | dbus-user.own net.sourceforge.liferea | ||
57 | dbus-user.talk ca.desrt.dconf | ||
58 | # Uncomment the below if you use the 'Popup Notifications' plugin or add 'dbus-user.talk org.freedesktop.Notifications' to your liferea.local | ||
59 | #dbus-user.talk org.freedesktop.Notifications | ||
60 | # Uncomment the below if you use the 'Libsecret Support' plugin or add 'dbus-user.talk org.freedesktop.secrets' to your liferea.local | ||
61 | #dbus-user.talk org.freedesktop.secrets | ||
62 | dbus-system none | ||
diff --git a/etc/profile-a-l/lobase.profile b/etc/profile-a-l/lobase.profile index 8348a57fe..b248d38f7 100644 --- a/etc/profile-a-l/lobase.profile +++ b/etc/profile-a-l/lobase.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for libreoffice | 1 | # Firejail profile alias for libreoffice |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include lobase.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include libreoffice.profile | 10 | include libreoffice.profile |
diff --git a/etc/profile-a-l/localc.profile b/etc/profile-a-l/localc.profile index 8348a57fe..a467ef3db 100644 --- a/etc/profile-a-l/localc.profile +++ b/etc/profile-a-l/localc.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for libreoffice | 1 | # Firejail profile alias for libreoffice |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include localc.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include libreoffice.profile | 10 | include libreoffice.profile |
diff --git a/etc/profile-a-l/lodraw.profile b/etc/profile-a-l/lodraw.profile index 8348a57fe..f1db590ed 100644 --- a/etc/profile-a-l/lodraw.profile +++ b/etc/profile-a-l/lodraw.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for libreoffice | 1 | # Firejail profile alias for libreoffice |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include lodraw.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include libreoffice.profile | 10 | include libreoffice.profile |
diff --git a/etc/profile-a-l/loffice.profile b/etc/profile-a-l/loffice.profile index 8348a57fe..aa291017a 100644 --- a/etc/profile-a-l/loffice.profile +++ b/etc/profile-a-l/loffice.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for libreoffice | 1 | # Firejail profile alias for libreoffice |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include loffice.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include libreoffice.profile | 10 | include libreoffice.profile |
diff --git a/etc/profile-a-l/lofromtemplate.profile b/etc/profile-a-l/lofromtemplate.profile index 8348a57fe..534dc5d14 100644 --- a/etc/profile-a-l/lofromtemplate.profile +++ b/etc/profile-a-l/lofromtemplate.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for libreoffice | 1 | # Firejail profile alias for libreoffice |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include lofromtemplate.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include libreoffice.profile | 10 | include libreoffice.profile |
diff --git a/etc/profile-a-l/loimpress.profile b/etc/profile-a-l/loimpress.profile index 8348a57fe..a9473d1a6 100644 --- a/etc/profile-a-l/loimpress.profile +++ b/etc/profile-a-l/loimpress.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for libreoffice | 1 | # Firejail profile alias for libreoffice |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include loimpress.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include libreoffice.profile | 10 | include libreoffice.profile |
diff --git a/etc/profile-a-l/lomath.profile b/etc/profile-a-l/lomath.profile index 8348a57fe..8bc388be7 100644 --- a/etc/profile-a-l/lomath.profile +++ b/etc/profile-a-l/lomath.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for libreoffice | 1 | # Firejail profile alias for libreoffice |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include lomath.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include libreoffice.profile | 10 | include libreoffice.profile |
diff --git a/etc/profile-a-l/loweb.profile b/etc/profile-a-l/loweb.profile index 8348a57fe..34b9dcad0 100644 --- a/etc/profile-a-l/loweb.profile +++ b/etc/profile-a-l/loweb.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for libreoffice | 1 | # Firejail profile alias for libreoffice |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include loweb.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include libreoffice.profile | 10 | include libreoffice.profile |
diff --git a/etc/profile-a-l/lowriter.profile b/etc/profile-a-l/lowriter.profile index 8348a57fe..054ce3a48 100644 --- a/etc/profile-a-l/lowriter.profile +++ b/etc/profile-a-l/lowriter.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for libreoffice | 1 | # Firejail profile alias for libreoffice |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include lowriter.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include libreoffice.profile | 10 | include libreoffice.profile |
diff --git a/etc/profile-a-l/lsar.profile b/etc/profile-a-l/lsar.profile new file mode 100644 index 000000000..faf5bb7f9 --- /dev/null +++ b/etc/profile-a-l/lsar.profile | |||
@@ -0,0 +1,13 @@ | |||
1 | # Firejail profile for lsar | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include lsar.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | private-bin lsar | ||
11 | |||
12 | # Redirect | ||
13 | include ar.profile | ||
diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile index 652f571bb..5d05631ec 100644 --- a/etc/profile-a-l/lutris.profile +++ b/etc/profile-a-l/lutris.profile | |||
@@ -35,7 +35,7 @@ mkdir ${HOME}/.cache/winetricks | |||
35 | mkdir ${HOME}/.config/lutris | 35 | mkdir ${HOME}/.config/lutris |
36 | mkdir ${HOME}/.local/share/lutris | 36 | mkdir ${HOME}/.local/share/lutris |
37 | # mkdir ${HOME}/.wine | 37 | # mkdir ${HOME}/.wine |
38 | whitelist ${HOME}/Downloads | 38 | whitelist ${DOWNLOADS} |
39 | whitelist ${HOME}/Games | 39 | whitelist ${HOME}/Games |
40 | whitelist ${HOME}/.cache/lutris | 40 | whitelist ${HOME}/.cache/lutris |
41 | whitelist ${HOME}/.cache/winetricks | 41 | whitelist ${HOME}/.cache/winetricks |
diff --git a/etc/profile-a-l/lyx.profile b/etc/profile-a-l/lyx.profile index ffde057d5..fa69463d1 100644 --- a/etc/profile-a-l/lyx.profile +++ b/etc/profile-a-l/lyx.profile | |||
@@ -11,8 +11,13 @@ ignore private-tmp | |||
11 | noblacklist ${HOME}/.config/LyX | 11 | noblacklist ${HOME}/.config/LyX |
12 | noblacklist ${HOME}/.lyx | 12 | noblacklist ${HOME}/.lyx |
13 | 13 | ||
14 | # Allow lua (blacklisted by disable-interpreters.inc) | ||
14 | include allow-lua.inc | 15 | include allow-lua.inc |
16 | |||
17 | # Allow perl (blacklisted by disable-interpreters.inc) | ||
15 | include allow-perl.inc | 18 | include allow-perl.inc |
19 | |||
20 | # Allow python (blacklisted by disable-interpreters.inc) | ||
16 | include allow-python2.inc | 21 | include allow-python2.inc |
17 | include allow-python3.inc | 22 | include allow-python3.inc |
18 | 23 | ||
diff --git a/etc/profile-a-l/lzcat.profile b/etc/profile-a-l/lzcat.profile index d9c72407f..693a1e167 100644 --- a/etc/profile-a-l/lzcat.profile +++ b/etc/profile-a-l/lzcat.profile | |||
@@ -2,6 +2,11 @@ | |||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | 2 | # Description: Library and command line tools for XZ and LZMA compressed files |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | # Persistent local customizations | ||
6 | include lzcat.local | ||
7 | # Persistent global definitions | ||
8 | # added by included profile | ||
9 | #include globals.local | ||
5 | 10 | ||
6 | # Redirect | 11 | # Redirect |
7 | include cpio.profile | 12 | include cpio.profile |
diff --git a/etc/profile-a-l/lzcmp.profile b/etc/profile-a-l/lzcmp.profile index d9c72407f..f2e49fde0 100644 --- a/etc/profile-a-l/lzcmp.profile +++ b/etc/profile-a-l/lzcmp.profile | |||
@@ -2,6 +2,11 @@ | |||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | 2 | # Description: Library and command line tools for XZ and LZMA compressed files |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | # Persistent local customizations | ||
6 | include lzcmp.local | ||
7 | # Persistent global definitions | ||
8 | # added by included profile | ||
9 | #include globals.local | ||
5 | 10 | ||
6 | # Redirect | 11 | # Redirect |
7 | include cpio.profile | 12 | include cpio.profile |
diff --git a/etc/profile-a-l/lzdiff.profile b/etc/profile-a-l/lzdiff.profile index f7410b928..1e2e17eee 100644 --- a/etc/profile-a-l/lzdiff.profile +++ b/etc/profile-a-l/lzdiff.profile | |||
@@ -1,6 +1,12 @@ | |||
1 | # Firejail profile alias for cpio | 1 | # Firejail profile alias for cpio |
2 | # Description: Library and command line tools for XZ and LZMA compressed files | 2 | # Description: Library and command line tools for XZ and LZMA compressed files |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include lzdiff.local | ||
7 | # Persistent global definitions | ||
8 | # added by included profile | ||
9 | #include globals.local | ||
4 | 10 | ||
5 | # Redirect | 11 | # Redirect |
6 | include cpio.profile | 12 | include cpio.profile |
diff --git a/etc/profile-a-l/lzegrep.profile b/etc/profile-a-l/lzegrep.profile index d9c72407f..ca93f2a8b 100644 --- a/etc/profile-a-l/lzegrep.profile +++ b/etc/profile-a-l/lzegrep.profile | |||
@@ -2,6 +2,11 @@ | |||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | 2 | # Description: Library and command line tools for XZ and LZMA compressed files |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | # Persistent local customizations | ||
6 | include lzegrep.local | ||
7 | # Persistent global definitions | ||
8 | # added by included profile | ||
9 | #include globals.local | ||
5 | 10 | ||
6 | # Redirect | 11 | # Redirect |
7 | include cpio.profile | 12 | include cpio.profile |
diff --git a/etc/profile-a-l/lzfgrep.profile b/etc/profile-a-l/lzfgrep.profile index d9c72407f..97138e9a0 100644 --- a/etc/profile-a-l/lzfgrep.profile +++ b/etc/profile-a-l/lzfgrep.profile | |||
@@ -2,6 +2,11 @@ | |||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | 2 | # Description: Library and command line tools for XZ and LZMA compressed files |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | # Persistent local customizations | ||
6 | include lzfgrep.local | ||
7 | # Persistent global definitions | ||
8 | # added by included profile | ||
9 | #include globals.local | ||
5 | 10 | ||
6 | # Redirect | 11 | # Redirect |
7 | include cpio.profile | 12 | include cpio.profile |
diff --git a/etc/profile-a-l/lzgrep.profile b/etc/profile-a-l/lzgrep.profile index d9c72407f..fca9a39df 100644 --- a/etc/profile-a-l/lzgrep.profile +++ b/etc/profile-a-l/lzgrep.profile | |||
@@ -2,6 +2,11 @@ | |||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | 2 | # Description: Library and command line tools for XZ and LZMA compressed files |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | # Persistent local customizations | ||
6 | include lzgrep.local | ||
7 | # Persistent global definitions | ||
8 | # added by included profile | ||
9 | #include globals.local | ||
5 | 10 | ||
6 | # Redirect | 11 | # Redirect |
7 | include cpio.profile | 12 | include cpio.profile |
diff --git a/etc/profile-a-l/lzip.profile b/etc/profile-a-l/lzip.profile index d9c72407f..806375b05 100644 --- a/etc/profile-a-l/lzip.profile +++ b/etc/profile-a-l/lzip.profile | |||
@@ -2,6 +2,11 @@ | |||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | 2 | # Description: Library and command line tools for XZ and LZMA compressed files |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | # Persistent local customizations | ||
6 | include lzip.local | ||
7 | # Persistent global definitions | ||
8 | # added by included profile | ||
9 | #include globals.local | ||
5 | 10 | ||
6 | # Redirect | 11 | # Redirect |
7 | include cpio.profile | 12 | include cpio.profile |
diff --git a/etc/profile-a-l/lzless.profile b/etc/profile-a-l/lzless.profile index d9c72407f..20cae4a87 100644 --- a/etc/profile-a-l/lzless.profile +++ b/etc/profile-a-l/lzless.profile | |||
@@ -2,6 +2,11 @@ | |||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | 2 | # Description: Library and command line tools for XZ and LZMA compressed files |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | # Persistent local customizations | ||
6 | include lzless.local | ||
7 | # Persistent global definitions | ||
8 | # added by included profile | ||
9 | #include globals.local | ||
5 | 10 | ||
6 | # Redirect | 11 | # Redirect |
7 | include cpio.profile | 12 | include cpio.profile |
diff --git a/etc/profile-a-l/lzma.profile b/etc/profile-a-l/lzma.profile index d9c72407f..776550bf9 100644 --- a/etc/profile-a-l/lzma.profile +++ b/etc/profile-a-l/lzma.profile | |||
@@ -2,6 +2,11 @@ | |||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | 2 | # Description: Library and command line tools for XZ and LZMA compressed files |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | # Persistent local customizations | ||
6 | include lzma.local | ||
7 | # Persistent global definitions | ||
8 | # added by included profile | ||
9 | #include globals.local | ||
5 | 10 | ||
6 | # Redirect | 11 | # Redirect |
7 | include cpio.profile | 12 | include cpio.profile |
diff --git a/etc/profile-a-l/lzmadec.profile b/etc/profile-a-l/lzmadec.profile index 0c5ec1b09..9dac75927 100644 --- a/etc/profile-a-l/lzmadec.profile +++ b/etc/profile-a-l/lzmadec.profile | |||
@@ -1,6 +1,12 @@ | |||
1 | # Firejail profile alias for xzdec | 1 | # Firejail profile alias for xzdec |
2 | # Description: Library and command line tools for XZ and LZMA compressed files | 2 | # Description: Library and command line tools for XZ and LZMA compressed files |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include lzmadec.local | ||
7 | # Persistent global definitions | ||
8 | # added by included profile | ||
9 | #include globals.local | ||
4 | 10 | ||
5 | # Redirect | 11 | # Redirect |
6 | include xzdec.profile | 12 | include xzdec.profile |
diff --git a/etc/profile-a-l/lzmainfo.profile b/etc/profile-a-l/lzmainfo.profile index d9c72407f..25b65c48f 100644 --- a/etc/profile-a-l/lzmainfo.profile +++ b/etc/profile-a-l/lzmainfo.profile | |||
@@ -2,6 +2,11 @@ | |||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | 2 | # Description: Library and command line tools for XZ and LZMA compressed files |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | # Persistent local customizations | ||
6 | include lzmainfo.local | ||
7 | # Persistent global definitions | ||
8 | # added by included profile | ||
9 | #include globals.local | ||
5 | 10 | ||
6 | # Redirect | 11 | # Redirect |
7 | include cpio.profile | 12 | include cpio.profile |
diff --git a/etc/profile-a-l/lzmore.profile b/etc/profile-a-l/lzmore.profile index d9c72407f..aa4350ad5 100644 --- a/etc/profile-a-l/lzmore.profile +++ b/etc/profile-a-l/lzmore.profile | |||
@@ -2,6 +2,11 @@ | |||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | 2 | # Description: Library and command line tools for XZ and LZMA compressed files |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | # Persistent local customizations | ||
6 | include lzmore.local | ||
7 | # Persistent global definitions | ||
8 | # added by included profile | ||
9 | #include globals.local | ||
5 | 10 | ||
6 | # Redirect | 11 | # Redirect |
7 | include cpio.profile | 12 | include cpio.profile |
diff --git a/etc/profile-m-z/Maps.profile b/etc/profile-m-z/Maps.profile index c52d2f2da..493a740d7 100644 --- a/etc/profile-m-z/Maps.profile +++ b/etc/profile-m-z/Maps.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile for gnome-maps | 1 | # Firejail profile for gnome-maps |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include Maps.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Temporary fix for https://github.com/netblue30/firejail/issues/2624 | 9 | # Temporary fix for https://github.com/netblue30/firejail/issues/2624 |
5 | # Redirect | 10 | # Redirect |
diff --git a/etc/profile-m-z/Natron.profile b/etc/profile-m-z/Natron.profile index 42c22bf67..061e5d83b 100644 --- a/etc/profile-m-z/Natron.profile +++ b/etc/profile-m-z/Natron.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for natron | 1 | # Firejail profile alias for natron |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include Natron.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include natron.profile | 10 | include natron.profile |
diff --git a/etc/profile-m-z/Screenshot.profile b/etc/profile-m-z/Screenshot.profile index d4b083736..cfc53c077 100644 --- a/etc/profile-m-z/Screenshot.profile +++ b/etc/profile-m-z/Screenshot.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile for gnome-screenshot | 1 | # Firejail profile for gnome-screenshot |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include Screenshot.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Temporary fix for https://github.com/netblue30/firejail/issues/2624 | 9 | # Temporary fix for https://github.com/netblue30/firejail/issues/2624 |
5 | # Redirect | 10 | # Redirect |
diff --git a/etc/profile-m-z/Telegram.profile b/etc/profile-m-z/Telegram.profile index 310e0237e..6877e1578 100644 --- a/etc/profile-m-z/Telegram.profile +++ b/etc/profile-m-z/Telegram.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for telegram | 1 | # Firejail profile alias for telegram |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include Telegram.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include telegram.profile | 10 | include telegram.profile |
diff --git a/etc/profile-m-z/VirtualBox.profile b/etc/profile-m-z/VirtualBox.profile index 4c99ae9a3..4f88a26c0 100644 --- a/etc/profile-m-z/VirtualBox.profile +++ b/etc/profile-m-z/VirtualBox.profile | |||
@@ -1,6 +1,11 @@ | |||
1 | # Firejail profile alias for virtualbox | 1 | # Firejail profile alias for virtualbox |
2 | # Description: x86 virtualization solution | 2 | # Description: x86 virtualization solution |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | ||
5 | include VirtualBox.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
4 | 9 | ||
5 | # Redirect | 10 | # Redirect |
6 | include virtualbox.profile | 11 | include virtualbox.profile |
diff --git a/etc/profile-m-z/marker.profile b/etc/profile-m-z/marker.profile new file mode 100644 index 000000000..55865fe72 --- /dev/null +++ b/etc/profile-m-z/marker.profile | |||
@@ -0,0 +1,59 @@ | |||
1 | # Firejail profile for marker | ||
2 | # Description: Marker is a markdown editor for Linux made with Gtk+-3.0 | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include marker.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | # Uncomment (or add to your marker.local) if you need internet access. | ||
10 | #ignore net none | ||
11 | #protocol unix,inet,inet6 | ||
12 | #private-etc ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf | ||
13 | |||
14 | noblacklist ${HOME}/.cache/marker | ||
15 | |||
16 | include disable-common.inc | ||
17 | include disable-devel.inc | ||
18 | include disable-exec.inc | ||
19 | include disable-interpreters.inc | ||
20 | include disable-passwdmgr.inc | ||
21 | include disable-programs.inc | ||
22 | include disable-shell.inc | ||
23 | include disable-xdg.inc | ||
24 | |||
25 | whitelist /usr/share/com.github.fabiocolacio.marker | ||
26 | include whitelist-runuser-common.inc | ||
27 | include whitelist-usr-share-common.inc | ||
28 | include whitelist-var-common.inc | ||
29 | |||
30 | apparmor | ||
31 | caps.drop all | ||
32 | machine-id | ||
33 | net none | ||
34 | netfilter | ||
35 | no3d | ||
36 | nodvd | ||
37 | nogroups | ||
38 | nonewprivs | ||
39 | noroot | ||
40 | nosound | ||
41 | notv | ||
42 | nou2f | ||
43 | novideo | ||
44 | protocol unix | ||
45 | seccomp | ||
46 | seccomp.block-secondary | ||
47 | shell none | ||
48 | tracelog | ||
49 | |||
50 | private-bin marker | ||
51 | private-cache | ||
52 | private-dev | ||
53 | private-etc alternatives,dconfgtk-3.0,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,pango,X11 | ||
54 | private-tmp | ||
55 | |||
56 | dbus-user filter | ||
57 | dbus-user.own com.github.fabiocolacio.marker | ||
58 | dbus-user.talk ca.desrt.dconf | ||
59 | dbus-system none | ||
diff --git a/etc/profile-m-z/mate-calculator.profile b/etc/profile-m-z/mate-calculator.profile index bb438f5f0..5c8200ec5 100644 --- a/etc/profile-m-z/mate-calculator.profile +++ b/etc/profile-m-z/mate-calculator.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for mate-calc | 1 | # Firejail profile alias for mate-calc |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include mate-calculator.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include mate-calc.profile | 10 | include mate-calc.profile |
diff --git a/etc/profile-m-z/mathematica.profile b/etc/profile-m-z/mathematica.profile index 964060350..cc73f9d80 100644 --- a/etc/profile-m-z/mathematica.profile +++ b/etc/profile-m-z/mathematica.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for Mathematica | 1 | # Firejail profile alias for Mathematica |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include mathematica.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include Mathematica.profile | 10 | include Mathematica.profile |
diff --git a/etc/profile-m-z/mattermost-desktop.profile b/etc/profile-m-z/mattermost-desktop.profile index e4487c8aa..3c2bf4fa3 100644 --- a/etc/profile-m-z/mattermost-desktop.profile +++ b/etc/profile-m-z/mattermost-desktop.profile | |||
@@ -5,42 +5,25 @@ include mattermost-desktop.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | # Disabled until someone reported positive feedback | ||
9 | ignore apparmor | ||
10 | ignore dbus-user none | ||
11 | ignore dbus-system none | ||
12 | |||
8 | noblacklist ${HOME}/.config/Mattermost | 13 | noblacklist ${HOME}/.config/Mattermost |
9 | 14 | ||
10 | include disable-common.inc | ||
11 | include disable-devel.inc | ||
12 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | ||
14 | include disable-programs.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-shell.inc | 15 | include disable-shell.inc |
17 | include disable-xdg.inc | ||
18 | 16 | ||
19 | mkdir ${HOME}/.config/Mattermost | 17 | mkdir ${HOME}/.config/Mattermost |
20 | whitelist ${DOWNLOADS} | ||
21 | whitelist ${HOME}/.config/Mattermost | 18 | whitelist ${HOME}/.config/Mattermost |
22 | include whitelist-common.inc | ||
23 | include whitelist-runuser-common.inc | ||
24 | include whitelist-usr-share-common.inc | ||
25 | include whitelist-var-common.inc | ||
26 | |||
27 | caps.keep sys_admin,sys_chroot | ||
28 | netfilter | ||
29 | nodvd | ||
30 | nogroups | ||
31 | notv | ||
32 | nou2f | ||
33 | novideo | ||
34 | shell none | ||
35 | 19 | ||
36 | disable-mnt | ||
37 | private-cache | ||
38 | private-dev | ||
39 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl | 20 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl |
40 | private-tmp | ||
41 | 21 | ||
42 | # Not tested | 22 | # Not tested |
43 | #dbus-user filter | 23 | #dbus-user filter |
44 | #dbus-user.own com.mattermost.Desktop | 24 | #dbus-user.own com.mattermost.Desktop |
45 | #dbus-user.talk org.freedesktop.Notifications | 25 | #dbus-user.talk org.freedesktop.Notifications |
46 | #dbus-system none | 26 | #dbus-system none |
27 | |||
28 | # Redirect | ||
29 | include electron.profile | ||
diff --git a/etc/profile-m-z/mdr.profile b/etc/profile-m-z/mdr.profile new file mode 100644 index 000000000..fb97daa27 --- /dev/null +++ b/etc/profile-m-z/mdr.profile | |||
@@ -0,0 +1,55 @@ | |||
1 | # Firejail profile for mdr | ||
2 | # Description: A standalone Markdown renderer for the terminal | ||
3 | # Persistent local customizations | ||
4 | include mdr.local | ||
5 | # Persistent global definitions | ||
6 | include globals.local | ||
7 | |||
8 | blacklist ${RUNUSER}/wayland-* | ||
9 | |||
10 | include disable-common.inc | ||
11 | include disable-devel.inc | ||
12 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | ||
14 | include disable-passwdmgr.inc | ||
15 | include disable-programs.inc | ||
16 | include disable-shell.inc | ||
17 | include disable-xdg.inc | ||
18 | |||
19 | whitelist ${DOWNLOADS} | ||
20 | include whitelist-usr-share-common.inc | ||
21 | include whitelist-var-common.inc | ||
22 | |||
23 | apparmor | ||
24 | caps.drop all | ||
25 | hostname mdr | ||
26 | ipc-namespace | ||
27 | machine-id | ||
28 | net none | ||
29 | no3d | ||
30 | nodvd | ||
31 | nogroups | ||
32 | nonewprivs | ||
33 | noroot | ||
34 | nosound | ||
35 | notv | ||
36 | nou2f | ||
37 | novideo | ||
38 | protocol unix | ||
39 | seccomp | ||
40 | shell none | ||
41 | tracelog | ||
42 | x11 none | ||
43 | |||
44 | disable-mnt | ||
45 | private-bin mdr | ||
46 | private-cache | ||
47 | private-dev | ||
48 | private-etc none | ||
49 | private-lib | ||
50 | private-tmp | ||
51 | |||
52 | dbus-user none | ||
53 | dbus-system none | ||
54 | |||
55 | memory-deny-write-execute | ||
diff --git a/etc/profile-m-z/megaglest_editor.profile b/etc/profile-m-z/megaglest_editor.profile index 02aad8084..4635573e6 100644 --- a/etc/profile-m-z/megaglest_editor.profile +++ b/etc/profile-m-z/megaglest_editor.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for megaglest | 1 | # Firejail profile alias for megaglest |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include megaglest_editor.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include megaglest.profile | 10 | include megaglest.profile |
diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile index 6ceeb867f..d76522fce 100644 --- a/etc/profile-m-z/meld.profile +++ b/etc/profile-m-z/meld.profile | |||
@@ -6,11 +6,11 @@ include meld.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # If you want to use meld as git-mergetool (and maybe some other VCS integrations) you need | 9 | # If you want to use meld as git mergetool (and maybe some other VCS integrations) you need |
10 | # to bypass firejail, you can do this by removing the symlink or calling it by its absolute path | 10 | # to bypass firejail, you can do this by removing the symlink or calling it by its absolute path |
11 | # Removing the symlink: | 11 | # Removing the symlink: |
12 | # sudo rm /usr/local/bin/meld | 12 | # sudo rm /usr/local/bin/meld |
13 | # Calling by its absolute path (example for git-mergetool): | 13 | # Calling it by its absolute path (example for git mergetool): |
14 | # git config --global mergetool.meld.cmd /usr/bin/meld | 14 | # git config --global mergetool.meld.cmd /usr/bin/meld |
15 | 15 | ||
16 | noblacklist ${HOME}/.config/meld | 16 | noblacklist ${HOME}/.config/meld |
@@ -18,14 +18,15 @@ noblacklist ${HOME}/.config/git | |||
18 | noblacklist ${HOME}/.gitconfig | 18 | noblacklist ${HOME}/.gitconfig |
19 | noblacklist ${HOME}/.git-credentials | 19 | noblacklist ${HOME}/.git-credentials |
20 | noblacklist ${HOME}/.local/share/meld | 20 | noblacklist ${HOME}/.local/share/meld |
21 | noblacklist ${HOME}/.ssh | ||
22 | noblacklist ${HOME}/.subversion | 21 | noblacklist ${HOME}/.subversion |
23 | 22 | ||
24 | # Allow python (blacklisted by disable-interpreters.inc) | 23 | # Allow python (blacklisted by disable-interpreters.inc) |
25 | include allow-python3.inc | ||
26 | |||
27 | # Python 2 is EOL (see #3164). Uncomment the next line (or put it into your meld.local) if you understand the risks but want python 2 support for older meld versions. | 24 | # Python 2 is EOL (see #3164). Uncomment the next line (or put it into your meld.local) if you understand the risks but want python 2 support for older meld versions. |
28 | #include allow-python2.inc | 25 | #include allow-python2.inc |
26 | include allow-python3.inc | ||
27 | |||
28 | # Allow ssh (blacklisted by disable-common.inc) | ||
29 | include allow-ssh.inc | ||
29 | 30 | ||
30 | # Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-common.inc. | 31 | # Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-common.inc. |
31 | #include disable-common.inc | 32 | #include disable-common.inc |
diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile index 8a98209a2..e29e4bc70 100644 --- a/etc/profile-m-z/menulibre.profile +++ b/etc/profile-m-z/menulibre.profile | |||
@@ -6,6 +6,7 @@ include menulibre.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Allow python (blacklisted by disable-interpreters.inc) | ||
9 | include allow-python2.inc | 10 | include allow-python2.inc |
10 | include allow-python3.inc | 11 | include allow-python3.inc |
11 | 12 | ||
diff --git a/etc/profile-m-z/mirage.profile b/etc/profile-m-z/mirage.profile index 7130267e8..e0ebb4895 100644 --- a/etc/profile-m-z/mirage.profile +++ b/etc/profile-m-z/mirage.profile | |||
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.config/mirage | |||
11 | noblacklist ${HOME}/.local/share/mirage | 11 | noblacklist ${HOME}/.local/share/mirage |
12 | noblacklist /sbin | 12 | noblacklist /sbin |
13 | 13 | ||
14 | # Allow python (blacklisted by disable-interpreters.inc) | ||
14 | include allow-python2.inc | 15 | include allow-python2.inc |
15 | include allow-python3.inc | 16 | include allow-python3.inc |
16 | 17 | ||
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile index 1d87eeb48..1804389c3 100644 --- a/etc/profile-m-z/mpv.profile +++ b/etc/profile-m-z/mpv.profile | |||
@@ -21,7 +21,7 @@ include globals.local | |||
21 | # - ... | 21 | # - ... |
22 | # | 22 | # |
23 | # Often these scripts require a shell: | 23 | # Often these scripts require a shell: |
24 | #noblacklist ${PATH}/sh | 24 | #include allow-bin-sh.inc |
25 | #private-bin sh | 25 | #private-bin sh |
26 | 26 | ||
27 | noblacklist ${HOME}/.config/mpv | 27 | noblacklist ${HOME}/.config/mpv |
@@ -30,6 +30,7 @@ noblacklist ${HOME}/.netrc | |||
30 | 30 | ||
31 | # Allow lua (blacklisted by disable-interpreters.inc) | 31 | # Allow lua (blacklisted by disable-interpreters.inc) |
32 | include allow-lua.inc | 32 | include allow-lua.inc |
33 | |||
33 | # Allow python (blacklisted by disable-interpreters.inc) | 34 | # Allow python (blacklisted by disable-interpreters.inc) |
34 | include allow-python2.inc | 35 | include allow-python2.inc |
35 | include allow-python3.inc | 36 | include allow-python3.inc |
diff --git a/etc/profile-m-z/multimc.profile b/etc/profile-m-z/multimc.profile index 338f494c9..2c8b95a26 100644 --- a/etc/profile-m-z/multimc.profile +++ b/etc/profile-m-z/multimc.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for multimc5 | 1 | # Firejail profile alias for multimc5 |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include multimc.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include multimc5.profile | 10 | include multimc5.profile |
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile index 1ce12f54f..24782c033 100644 --- a/etc/profile-m-z/mutt.profile +++ b/etc/profile-m-z/mutt.profile | |||
@@ -1,6 +1,7 @@ | |||
1 | # Firejail profile for mutt | 1 | # Firejail profile for mutt |
2 | # Description: Text-based mailreader supporting MIME, GPG, PGP and threading | 2 | # Description: Text-based mailreader supporting MIME, GPG, PGP and threading |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | ||
4 | # Persistent local customizations | 5 | # Persistent local customizations |
5 | include mutt.local | 6 | include mutt.local |
6 | # Persistent global definitions | 7 | # Persistent global definitions |
@@ -8,15 +9,18 @@ include globals.local | |||
8 | 9 | ||
9 | noblacklist /var/mail | 10 | noblacklist /var/mail |
10 | noblacklist /var/spool/mail | 11 | noblacklist /var/spool/mail |
12 | noblacklist ${DOCUMENTS} | ||
11 | noblacklist ${HOME}/.Mail | 13 | noblacklist ${HOME}/.Mail |
12 | noblacklist ${HOME}/.bogofilter | 14 | noblacklist ${HOME}/.bogofilter |
13 | noblacklist ${HOME}/.cache/mutt | 15 | noblacklist ${HOME}/.cache/mutt |
16 | noblacklist ${HOME}/.config/mutt | ||
14 | noblacklist ${HOME}/.config/nano | 17 | noblacklist ${HOME}/.config/nano |
15 | noblacklist ${HOME}/.elinks | 18 | noblacklist ${HOME}/.elinks |
16 | noblacklist ${HOME}/.emacs | 19 | noblacklist ${HOME}/.emacs |
17 | noblacklist ${HOME}/.emacs.d | 20 | noblacklist ${HOME}/.emacs.d |
18 | noblacklist ${HOME}/.gnupg | 21 | noblacklist ${HOME}/.gnupg |
19 | noblacklist ${HOME}/.mail | 22 | noblacklist ${HOME}/.mail |
23 | noblacklist ${HOME}/.mailcap | ||
20 | noblacklist ${HOME}/.msmtprc | 24 | noblacklist ${HOME}/.msmtprc |
21 | noblacklist ${HOME}/.mutt | 25 | noblacklist ${HOME}/.mutt |
22 | noblacklist ${HOME}/.muttrc | 26 | noblacklist ${HOME}/.muttrc |
@@ -34,15 +38,84 @@ noblacklist ${HOME}/sent | |||
34 | blacklist /tmp/.X11-unix | 38 | blacklist /tmp/.X11-unix |
35 | blacklist ${RUNUSER}/wayland-* | 39 | blacklist ${RUNUSER}/wayland-* |
36 | 40 | ||
41 | # Uncomment or put them in mutt.local for oauth.py,S/MIME | ||
42 | |||
43 | #include allow-perl.inc | ||
44 | #include allow-python2.inc | ||
45 | #include allow-python3.inc | ||
46 | |||
37 | include disable-common.inc | 47 | include disable-common.inc |
38 | include disable-devel.inc | 48 | include disable-devel.inc |
49 | include disable-exec.inc | ||
39 | include disable-interpreters.inc | 50 | include disable-interpreters.inc |
40 | include disable-passwdmgr.inc | 51 | include disable-passwdmgr.inc |
41 | include disable-programs.inc | 52 | include disable-programs.inc |
53 | include disable-xdg.inc | ||
42 | 54 | ||
55 | mkdir ${HOME}/.Mail | ||
56 | mkdir ${HOME}/.bogofilter | ||
57 | mkdir ${HOME}/.cache/mutt | ||
58 | mkdir ${HOME}/.config/mutt | ||
59 | mkdir ${HOME}/.config/nano | ||
60 | mkdir ${HOME}/.elinks | ||
61 | mkdir ${HOME}/.emacs.d | ||
62 | mkdir ${HOME}/.gnupg | ||
63 | mkdir ${HOME}/.mail | ||
64 | mkdir ${HOME}/.mutt | ||
65 | mkdir ${HOME}/.vim | ||
66 | mkdir ${HOME}/.w3m | ||
67 | mkdir ${HOME}/Mail | ||
68 | mkdir ${HOME}/mail | ||
69 | mkdir ${HOME}/postponed | ||
70 | mkdir ${HOME}/sent | ||
71 | mkfile ${HOME}/.emacs | ||
72 | mkfile ${HOME}/.mailcap | ||
73 | mkfile ${HOME}/.msmtprc | ||
74 | mkfile ${HOME}/.muttrc | ||
75 | mkfile ${HOME}/.nanorc | ||
76 | mkfile ${HOME}/.signature | ||
77 | mkfile ${HOME}/.viminfo | ||
78 | mkfile ${HOME}/.vimrc | ||
79 | whitelist ${DOCUMENTS} | ||
80 | whitelist ${DOWNLOADS} | ||
81 | whitelist ${HOME}/.Mail | ||
82 | whitelist ${HOME}/.bogofilter | ||
83 | whitelist ${HOME}/.cache/mutt | ||
84 | whitelist ${HOME}/.config/mutt | ||
85 | whitelist ${HOME}/.config/nano | ||
86 | whitelist ${HOME}/.elinks | ||
87 | whitelist ${HOME}/.emacs | ||
88 | whitelist ${HOME}/.emacs.d | ||
89 | whitelist ${HOME}/.gnupg | ||
90 | whitelist ${HOME}/.mail | ||
91 | whitelist ${HOME}/.mailcap | ||
92 | whitelist ${HOME}/.msmtprc | ||
93 | whitelist ${HOME}/.mutt | ||
94 | whitelist ${HOME}/.muttrc | ||
95 | whitelist ${HOME}/.nanorc | ||
96 | whitelist ${HOME}/.signature | ||
97 | whitelist ${HOME}/.vim | ||
98 | whitelist ${HOME}/.viminfo | ||
99 | whitelist ${HOME}/.vimrc | ||
100 | whitelist ${HOME}/.w3m | ||
101 | whitelist ${HOME}/Mail | ||
102 | whitelist ${HOME}/mail | ||
103 | whitelist ${HOME}/postponed | ||
104 | whitelist ${HOME}/sent | ||
105 | whitelist /usr/share/gnupg | ||
106 | whitelist /usr/share/gnupg2 | ||
107 | whitelist /usr/share/mutt | ||
108 | whitelist /var/mail | ||
109 | whitelist /var/spool/mail | ||
110 | include whitelist-common.inc | ||
43 | include whitelist-runuser-common.inc | 111 | include whitelist-runuser-common.inc |
112 | include whitelist-usr-share-common.inc | ||
113 | include whitelist-var-common.inc | ||
44 | 114 | ||
115 | apparmor | ||
45 | caps.drop all | 116 | caps.drop all |
117 | ipc-namespace | ||
118 | machine-id | ||
46 | netfilter | 119 | netfilter |
47 | no3d | 120 | no3d |
48 | nodvd | 121 | nodvd |
@@ -55,8 +128,23 @@ nou2f | |||
55 | novideo | 128 | novideo |
56 | protocol unix,inet,inet6 | 129 | protocol unix,inet,inet6 |
57 | seccomp | 130 | seccomp |
131 | seccomp.block-secondary | ||
58 | shell none | 132 | shell none |
133 | tracelog | ||
59 | 134 | ||
135 | # disable-mnt | ||
136 | private-cache | ||
60 | private-dev | 137 | private-dev |
138 | private-etc alternatives,ca-certificates,crypto-policies,fonts,gai.conf,gcrypt,gnupg,gnutls,hostname,hosts,hosts.conf,mail,mailname,Mutt,Muttrc,Muttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,terminfo,xdg | ||
139 | private-tmp | ||
61 | writable-run-user | 140 | writable-run-user |
62 | writable-var | 141 | writable-var |
142 | |||
143 | dbus-user none | ||
144 | dbus-system none | ||
145 | |||
146 | memory-deny-write-execute | ||
147 | read-only ${HOME}/.elinks | ||
148 | read-only ${HOME}/.nanorc | ||
149 | read-only ${HOME}/.signature | ||
150 | read-only ${HOME}/.w3m | ||
diff --git a/etc/profile-m-z/mypaint-ora-thumbnailer.profile b/etc/profile-m-z/mypaint-ora-thumbnailer.profile index 59b3024ed..4b4745918 100644 --- a/etc/profile-m-z/mypaint-ora-thumbnailer.profile +++ b/etc/profile-m-z/mypaint-ora-thumbnailer.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for mypaint-ora-thumbnailer | 1 | # Firejail profile alias for mypaint-ora-thumbnailer |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include mypaint-ora-thumbnailer.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include mypaint.profile | 10 | include mypaint.profile |
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile new file mode 100644 index 000000000..26865b90a --- /dev/null +++ b/etc/profile-m-z/neomutt.profile | |||
@@ -0,0 +1,152 @@ | |||
1 | # Firejail profile for neomutt | ||
2 | # Description: Mutt fork with advanced features and better documentation | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include neomutt.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | noblacklist ${DOCUMENTS} | ||
11 | noblacklist ${HOME}/.Mail | ||
12 | noblacklist ${HOME}/.bogofilter | ||
13 | noblacklist ${HOME}/.config/mutt | ||
14 | noblacklist ${HOME}/.config/nano | ||
15 | noblacklist ${HOME}/.config/neomutt | ||
16 | noblacklist ${HOME}/.elinks | ||
17 | noblacklist ${HOME}/.emacs | ||
18 | noblacklist ${HOME}/.emacs.d | ||
19 | noblacklist ${HOME}/.gnupg | ||
20 | noblacklist ${HOME}/.mail | ||
21 | noblacklist ${HOME}/.mailcap | ||
22 | noblacklist ${HOME}/.msmtprc | ||
23 | noblacklist ${HOME}/.mutt | ||
24 | noblacklist ${HOME}/.muttrc | ||
25 | noblacklist ${HOME}/.nanorc | ||
26 | noblacklist ${HOME}/.neomutt | ||
27 | noblacklist ${HOME}/.neomuttrc | ||
28 | noblacklist ${HOME}/.signature | ||
29 | noblacklist ${HOME}/.vim | ||
30 | noblacklist ${HOME}/.viminfo | ||
31 | noblacklist ${HOME}/.vimrc | ||
32 | noblacklist ${HOME}/.w3m | ||
33 | noblacklist ${HOME}/Mail | ||
34 | noblacklist ${HOME}/mail | ||
35 | noblacklist ${HOME}/postponed | ||
36 | noblacklist ${HOME}/sent | ||
37 | noblacklist /var/mail | ||
38 | noblacklist /var/spool/mail | ||
39 | |||
40 | blacklist /tmp/.X11-unix | ||
41 | blacklist ${RUNUSER}/wayland-* | ||
42 | |||
43 | include allow-lua.inc | ||
44 | |||
45 | include disable-common.inc | ||
46 | include disable-devel.inc | ||
47 | include disable-exec.inc | ||
48 | include disable-interpreters.inc | ||
49 | include disable-passwdmgr.inc | ||
50 | include disable-programs.inc | ||
51 | include disable-xdg.inc | ||
52 | |||
53 | mkdir ${HOME}/.Mail | ||
54 | mkdir ${HOME}/.bogofilter | ||
55 | mkdir ${HOME}/.config/mutt | ||
56 | mkdir ${HOME}/.config/nano | ||
57 | mkdir ${HOME}/.config/neomutt | ||
58 | mkdir ${HOME}/.elinks | ||
59 | mkdir ${HOME}/.emacs.d | ||
60 | mkdir ${HOME}/.gnupg | ||
61 | mkdir ${HOME}/.mail | ||
62 | mkdir ${HOME}/.mutt | ||
63 | mkdir ${HOME}/.neomutt | ||
64 | mkdir ${HOME}/.vim | ||
65 | mkdir ${HOME}/.w3m | ||
66 | mkdir ${HOME}/Mail | ||
67 | mkdir ${HOME}/mail | ||
68 | mkdir ${HOME}/postponed | ||
69 | mkdir ${HOME}/sent | ||
70 | mkfile ${HOME}/.emacs | ||
71 | mkfile ${HOME}/.mailcap | ||
72 | mkfile ${HOME}/.msmtprc | ||
73 | mkfile ${HOME}/.muttrc | ||
74 | mkfile ${HOME}/.nanorc | ||
75 | mkfile ${HOME}/.neomuttrc | ||
76 | mkfile ${HOME}/.signature | ||
77 | mkfile ${HOME}/.viminfo | ||
78 | mkfile ${HOME}/.vimrc | ||
79 | whitelist ${DOCUMENTS} | ||
80 | whitelist ${DOWNLOADS} | ||
81 | whitelist ${HOME}/.Mail | ||
82 | whitelist ${HOME}/.bogofilter | ||
83 | whitelist ${HOME}/.config/mutt | ||
84 | whitelist ${HOME}/.config/nano | ||
85 | whitelist ${HOME}/.config/neomutt | ||
86 | whitelist ${HOME}/.elinks | ||
87 | whitelist ${HOME}/.emacs | ||
88 | whitelist ${HOME}/.emacs.d | ||
89 | whitelist ${HOME}/.gnupg | ||
90 | whitelist ${HOME}/.mail | ||
91 | whitelist ${HOME}/.mailcap | ||
92 | whitelist ${HOME}/.msmtprc | ||
93 | whitelist ${HOME}/.mutt | ||
94 | whitelist ${HOME}/.muttrc | ||
95 | whitelist ${HOME}/.nanorc | ||
96 | whitelist ${HOME}/.neomutt | ||
97 | whitelist ${HOME}/.neomuttrc | ||
98 | whitelist ${HOME}/.signature | ||
99 | whitelist ${HOME}/.vim | ||
100 | whitelist ${HOME}/.viminfo | ||
101 | whitelist ${HOME}/.vimrc | ||
102 | whitelist ${HOME}/.w3m | ||
103 | whitelist ${HOME}/Mail | ||
104 | whitelist ${HOME}/mail | ||
105 | whitelist ${HOME}/postponed | ||
106 | whitelist ${HOME}/sent | ||
107 | whitelist /usr/share/gnupg | ||
108 | whitelist /usr/share/gnupg2 | ||
109 | whitelist /usr/share/neomutt | ||
110 | whitelist /var/mail | ||
111 | whitelist /var/spool/mail | ||
112 | include whitelist-common.inc | ||
113 | include whitelist-runuser-common.inc | ||
114 | include whitelist-usr-share-common.inc | ||
115 | include whitelist-var-common.inc | ||
116 | |||
117 | apparmor | ||
118 | caps.drop all | ||
119 | ipc-namespace | ||
120 | machine-id | ||
121 | netfilter | ||
122 | no3d | ||
123 | nodvd | ||
124 | nogroups | ||
125 | nonewprivs | ||
126 | noroot | ||
127 | nosound | ||
128 | notv | ||
129 | nou2f | ||
130 | novideo | ||
131 | protocol unix,inet,inet6 | ||
132 | seccomp | ||
133 | seccomp.block-secondary | ||
134 | shell none | ||
135 | tracelog | ||
136 | |||
137 | # disable-mnt | ||
138 | private-cache | ||
139 | private-dev | ||
140 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,hostname,hosts,hosts.conf,mail,mailname,Mutt,Muttrc,Muttrc.d,neomuttrc,neomuttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg | ||
141 | private-tmp | ||
142 | writable-run-user | ||
143 | writable-var | ||
144 | |||
145 | dbus-user none | ||
146 | dbus-system none | ||
147 | |||
148 | memory-deny-write-execute | ||
149 | read-only ${HOME}/.elinks | ||
150 | read-only ${HOME}/.nanorc | ||
151 | read-only ${HOME}/.signature | ||
152 | read-only ${HOME}/.w3m | ||
diff --git a/etc/profile-m-z/newsboat.profile b/etc/profile-m-z/newsboat.profile index a7bac6286..85b780ced 100644 --- a/etc/profile-m-z/newsboat.profile +++ b/etc/profile-m-z/newsboat.profile | |||
@@ -38,10 +38,10 @@ seccomp | |||
38 | shell none | 38 | shell none |
39 | 39 | ||
40 | disable-mnt | 40 | disable-mnt |
41 | private-bin newsboat | 41 | private-bin gzip,lynx,newsboat,sh |
42 | private-cache | 42 | private-cache |
43 | private-dev | 43 | private-dev |
44 | private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,terminfo | 44 | private-etc alternatives,ca-certificates,crypto-policies,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo |
45 | private-tmp | 45 | private-tmp |
46 | 46 | ||
47 | dbus-user none | 47 | dbus-user none |
diff --git a/etc/profile-m-z/nicotine.profile b/etc/profile-m-z/nicotine.profile index 6c363345e..3bf32a3db 100644 --- a/etc/profile-m-z/nicotine.profile +++ b/etc/profile-m-z/nicotine.profile | |||
@@ -8,6 +8,7 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.nicotine | 9 | noblacklist ${HOME}/.nicotine |
10 | 10 | ||
11 | # Allow python (blacklisted by disable-interpreters.inc) | ||
11 | include allow-python2.inc | 12 | include allow-python2.inc |
12 | 13 | ||
13 | include disable-common.inc | 14 | include disable-common.inc |
diff --git a/etc/profile-m-z/nitroshare-cli.profile b/etc/profile-m-z/nitroshare-cli.profile index d9cb2edc5..13c6b59ae 100644 --- a/etc/profile-m-z/nitroshare-cli.profile +++ b/etc/profile-m-z/nitroshare-cli.profile | |||
@@ -1,6 +1,11 @@ | |||
1 | # Firejail profile alias for nitroshare | 1 | # Firejail profile alias for nitroshare |
2 | # Description: Network File Transfer Application | 2 | # Description: Network File Transfer Application |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | ||
5 | include nitroshare-cli.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
4 | 9 | ||
5 | # Redirect | 10 | # Redirect |
6 | include nitroshare.profile | 11 | include nitroshare.profile |
diff --git a/etc/profile-m-z/nitroshare-nmh.profile b/etc/profile-m-z/nitroshare-nmh.profile index d9cb2edc5..513d26703 100644 --- a/etc/profile-m-z/nitroshare-nmh.profile +++ b/etc/profile-m-z/nitroshare-nmh.profile | |||
@@ -1,6 +1,11 @@ | |||
1 | # Firejail profile alias for nitroshare | 1 | # Firejail profile alias for nitroshare |
2 | # Description: Network File Transfer Application | 2 | # Description: Network File Transfer Application |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | ||
5 | include nitroshare-nmh.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
4 | 9 | ||
5 | # Redirect | 10 | # Redirect |
6 | include nitroshare.profile | 11 | include nitroshare.profile |
diff --git a/etc/profile-m-z/nitroshare-send.profile b/etc/profile-m-z/nitroshare-send.profile index d9cb2edc5..6edff3cce 100644 --- a/etc/profile-m-z/nitroshare-send.profile +++ b/etc/profile-m-z/nitroshare-send.profile | |||
@@ -1,6 +1,11 @@ | |||
1 | # Firejail profile alias for nitroshare | 1 | # Firejail profile alias for nitroshare |
2 | # Description: Network File Transfer Application | 2 | # Description: Network File Transfer Application |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | ||
5 | include nitroshare-send.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
4 | 9 | ||
5 | # Redirect | 10 | # Redirect |
6 | include nitroshare.profile | 11 | include nitroshare.profile |
diff --git a/etc/profile-m-z/nitroshare-ui.profile b/etc/profile-m-z/nitroshare-ui.profile index d9cb2edc5..ba5f8edf5 100644 --- a/etc/profile-m-z/nitroshare-ui.profile +++ b/etc/profile-m-z/nitroshare-ui.profile | |||
@@ -1,6 +1,11 @@ | |||
1 | # Firejail profile alias for nitroshare | 1 | # Firejail profile alias for nitroshare |
2 | # Description: Network File Transfer Application | 2 | # Description: Network File Transfer Application |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | ||
5 | include nitroshare-ui.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
4 | 9 | ||
5 | # Redirect | 10 | # Redirect |
6 | include nitroshare.profile | 11 | include nitroshare.profile |
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile new file mode 100644 index 000000000..c12fc9a78 --- /dev/null +++ b/etc/profile-m-z/nodejs-common.profile | |||
@@ -0,0 +1,52 @@ | |||
1 | # Firejail profile for Node.js | ||
2 | # Description: Common profile for npm/yarn | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include nodejs-common.local | ||
6 | # Persistent global definitions | ||
7 | # added by caller profile | ||
8 | #include globals.local | ||
9 | |||
10 | blacklist /tmp/.X11-unix | ||
11 | blacklist ${RUNUSER} | ||
12 | |||
13 | ignore noexec ${HOME} | ||
14 | |||
15 | include allow-bin-sh.inc | ||
16 | |||
17 | include disable-common.inc | ||
18 | include disable-exec.inc | ||
19 | include disable-passwdmgr.inc | ||
20 | include disable-programs.inc | ||
21 | include disable-shell.inc | ||
22 | include disable-xdg.inc | ||
23 | |||
24 | include whitelist-runuser-common.inc | ||
25 | include whitelist-usr-share-common.inc | ||
26 | include whitelist-var-common.inc | ||
27 | |||
28 | caps.drop all | ||
29 | ipc-namespace | ||
30 | machine-id | ||
31 | netfilter | ||
32 | no3d | ||
33 | nodvd | ||
34 | nogroups | ||
35 | nonewprivs | ||
36 | noroot | ||
37 | nosound | ||
38 | notv | ||
39 | nou2f | ||
40 | novideo | ||
41 | protocol unix,inet,inet6,netlink | ||
42 | seccomp | ||
43 | seccomp.block-secondary | ||
44 | shell none | ||
45 | |||
46 | disable-mnt | ||
47 | private-dev | ||
48 | private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,xdg | ||
49 | private-tmp | ||
50 | |||
51 | dbus-user none | ||
52 | dbus-system none | ||
diff --git a/etc/profile-m-z/npm.profile b/etc/profile-m-z/npm.profile new file mode 100644 index 000000000..e95e875be --- /dev/null +++ b/etc/profile-m-z/npm.profile | |||
@@ -0,0 +1,29 @@ | |||
1 | # Firejail profile for npm | ||
2 | # Description: The Node.js Package Manager | ||
3 | quiet | ||
4 | # This file is overwritten after every install/update | ||
5 | # Persistent local customizations | ||
6 | include npm.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | ignore read-only ${HOME}/.npm-packages | ||
11 | ignore read-only ${HOME}/.npmrc | ||
12 | |||
13 | noblacklist ${HOME}/.node-gyp | ||
14 | noblacklist ${HOME}/.npm | ||
15 | noblacklist ${HOME}/.npmrc | ||
16 | |||
17 | # If you want whitelisting, change ${HOME}/Projects below to your npm projects directory | ||
18 | # and uncomment the lines below. | ||
19 | #mkdir ${HOME}/.node-gyp | ||
20 | #mkdir ${HOME}/.npm | ||
21 | #mkfile ${HOME}/.npmrc | ||
22 | #whitelist ${HOME}/.node-gyp | ||
23 | #whitelist ${HOME}/.npm | ||
24 | #whitelist ${HOME}/.npmrc | ||
25 | #whitelist ${HOME}/Projects | ||
26 | #include whitelist-common.inc | ||
27 | |||
28 | # Redirect | ||
29 | include nodejs-common.profile | ||
diff --git a/etc/profile-m-z/onboard.profile b/etc/profile-m-z/onboard.profile index f7cb8790b..152bd7ac5 100644 --- a/etc/profile-m-z/onboard.profile +++ b/etc/profile-m-z/onboard.profile | |||
@@ -8,6 +8,7 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.config/onboard | 9 | noblacklist ${HOME}/.config/onboard |
10 | 10 | ||
11 | # Allow python (blacklisted by disable-interpreters.inc) | ||
11 | include allow-python2.inc | 12 | include allow-python2.inc |
12 | include allow-python3.inc | 13 | include allow-python3.inc |
13 | 14 | ||
diff --git a/etc/profile-m-z/ooffice.profile b/etc/profile-m-z/ooffice.profile index 8348a57fe..8df7b502b 100644 --- a/etc/profile-m-z/ooffice.profile +++ b/etc/profile-m-z/ooffice.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for libreoffice | 1 | # Firejail profile alias for libreoffice |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include ooffice.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include libreoffice.profile | 10 | include libreoffice.profile |
diff --git a/etc/profile-m-z/ooviewdoc.profile b/etc/profile-m-z/ooviewdoc.profile index 8348a57fe..c55d58ba7 100644 --- a/etc/profile-m-z/ooviewdoc.profile +++ b/etc/profile-m-z/ooviewdoc.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for libreoffice | 1 | # Firejail profile alias for libreoffice |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include ooviewdoc.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include libreoffice.profile | 10 | include libreoffice.profile |
diff --git a/etc/profile-m-z/openarena_ded.profile b/etc/profile-m-z/openarena_ded.profile index c529e7e11..d70fbc101 100644 --- a/etc/profile-m-z/openarena_ded.profile +++ b/etc/profile-m-z/openarena_ded.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for openarena | 1 | # Firejail profile alias for openarena |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include openarena_ded.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include openarena.profile | 10 | include openarena.profile |
diff --git a/etc/profile-m-z/openbox.profile b/etc/profile-m-z/openbox.profile index 1fb93c79c..b49fd9932 100644 --- a/etc/profile-m-z/openbox.profile +++ b/etc/profile-m-z/openbox.profile | |||
@@ -6,7 +6,7 @@ include openbox.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # all applications started in OpenBox will run in this profile | 9 | # all applications started in openbox will run in this profile |
10 | noblacklist ${HOME}/.config/openbox | 10 | noblacklist ${HOME}/.config/openbox |
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | 12 | ||
diff --git a/etc/profile-m-z/openoffice.org.profile b/etc/profile-m-z/openoffice.org.profile index 8348a57fe..4221db409 100644 --- a/etc/profile-m-z/openoffice.org.profile +++ b/etc/profile-m-z/openoffice.org.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for libreoffice | 1 | # Firejail profile alias for libreoffice |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include openoffice.org.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include libreoffice.profile | 10 | include libreoffice.profile |
diff --git a/etc/profile-m-z/openshot-qt.profile b/etc/profile-m-z/openshot-qt.profile index 2f886d2ac..c1a030556 100644 --- a/etc/profile-m-z/openshot-qt.profile +++ b/etc/profile-m-z/openshot-qt.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for openshot | 1 | # Firejail profile alias for openshot |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include openshot-qt.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include openshot.profile | 10 | include openshot.profile |
diff --git a/etc/profile-m-z/openshot.profile b/etc/profile-m-z/openshot.profile index e1839c724..ac960345a 100644 --- a/etc/profile-m-z/openshot.profile +++ b/etc/profile-m-z/openshot.profile | |||
@@ -19,6 +19,10 @@ include disable-interpreters.inc | |||
19 | include disable-passwdmgr.inc | 19 | include disable-passwdmgr.inc |
20 | include disable-programs.inc | 20 | include disable-programs.inc |
21 | 21 | ||
22 | whitelist /usr/share/blender | ||
23 | whitelist /usr/share/inkscape | ||
24 | include whitelist-runuser-common.inc | ||
25 | include whitelist-usr-share-common.inc | ||
22 | include whitelist-var-common.inc | 26 | include whitelist-var-common.inc |
23 | 27 | ||
24 | apparmor | 28 | apparmor |
@@ -32,11 +36,14 @@ notv | |||
32 | nou2f | 36 | nou2f |
33 | protocol unix,inet,inet6,netlink | 37 | protocol unix,inet,inet6,netlink |
34 | seccomp | 38 | seccomp |
39 | seccomp.block-secondary | ||
35 | shell none | 40 | shell none |
36 | tracelog | 41 | tracelog |
37 | 42 | ||
43 | private-bin blender,inkscape,openshot,openshot-qt,python3* | ||
44 | private-cache | ||
38 | private-dev | 45 | private-dev |
39 | private-tmp | 46 | private-tmp |
40 | 47 | ||
41 | dbus-user none | 48 | dbus-user filter |
42 | dbus-system none | 49 | dbus-system none |
diff --git a/etc/profile-m-z/pkglog.profile b/etc/profile-m-z/pkglog.profile new file mode 100644 index 000000000..cc4f016c5 --- /dev/null +++ b/etc/profile-m-z/pkglog.profile | |||
@@ -0,0 +1,59 @@ | |||
1 | # Firejail profile for pklog | ||
2 | # Description: Reports log of package updates | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include pkglog.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | # Allow python (blacklisted by disable-interpreters.inc) | ||
10 | include allow-python3.inc | ||
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | whitelist /var/log/apt/history.log | ||
21 | whitelist /var/log/dnf.rpm.log | ||
22 | whitelist /var/log/pacman.log | ||
23 | |||
24 | apparmor | ||
25 | caps.drop all | ||
26 | ipc-namespace | ||
27 | machine-id | ||
28 | net none | ||
29 | no3d | ||
30 | nodvd | ||
31 | nogroups | ||
32 | nonewprivs | ||
33 | noroot | ||
34 | nosound | ||
35 | notv | ||
36 | nou2f | ||
37 | novideo | ||
38 | seccomp | ||
39 | shell none | ||
40 | tracelog | ||
41 | |||
42 | disable-mnt | ||
43 | private | ||
44 | private-bin pkglog,python* | ||
45 | private-cache | ||
46 | private-dev | ||
47 | private-etc alternatives | ||
48 | private-opt none | ||
49 | private-tmp | ||
50 | writable-var-log | ||
51 | |||
52 | dbus-user none | ||
53 | dbus-system none | ||
54 | |||
55 | memory-deny-write-execute | ||
56 | read-only ${HOME} | ||
57 | read-only /var/log/apt/history.log | ||
58 | read-only /var/log/dnf.rpm.log | ||
59 | read-only /var/log/pacman.log | ||
diff --git a/etc/profile-m-z/playonlinux.profile b/etc/profile-m-z/playonlinux.profile index 0ebef226a..8e98905b5 100644 --- a/etc/profile-m-z/playonlinux.profile +++ b/etc/profile-m-z/playonlinux.profile | |||
@@ -12,9 +12,12 @@ noblacklist ${HOME}/.PlayOnLinux | |||
12 | # nc is needed to run playonlinux | 12 | # nc is needed to run playonlinux |
13 | noblacklist ${PATH}/nc | 13 | noblacklist ${PATH}/nc |
14 | 14 | ||
15 | # Allow perl (blacklisted by disable-interpreters.inc) | ||
16 | include allow-perl.inc | ||
17 | |||
18 | # Allow python (blacklisted by disable-interpreters.inc) | ||
15 | include allow-python2.inc | 19 | include allow-python2.inc |
16 | include allow-python3.inc | 20 | include allow-python3.inc |
17 | include allow-perl.inc | ||
18 | 21 | ||
19 | # Redirect | 22 | # Redirect |
20 | include wine.profile | 23 | include wine.profile |
diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile index 7ff59ea77..7f7ae4204 100644 --- a/etc/profile-m-z/plv.profile +++ b/etc/profile-m-z/plv.profile | |||
@@ -18,7 +18,7 @@ include disable-xdg.inc | |||
18 | 18 | ||
19 | mkdir ${HOME}/.config/PacmanLogViewer | 19 | mkdir ${HOME}/.config/PacmanLogViewer |
20 | whitelist ${HOME}/.config/PacmanLogViewer | 20 | whitelist ${HOME}/.config/PacmanLogViewer |
21 | whitelist /var/log/pacman* | 21 | whitelist /var/log/pacman.log |
22 | include whitelist-common.inc | 22 | include whitelist-common.inc |
23 | include whitelist-usr-share-common.inc | 23 | include whitelist-usr-share-common.inc |
24 | include whitelist-runuser-common.inc | 24 | include whitelist-runuser-common.inc |
@@ -57,3 +57,4 @@ dbus-system none | |||
57 | #memory-deny-write-execute - breaks opening file-chooser | 57 | #memory-deny-write-execute - breaks opening file-chooser |
58 | read-only ${HOME} | 58 | read-only ${HOME} |
59 | read-write ${HOME}/.config/PacmanLogViewer | 59 | read-write ${HOME}/.config/PacmanLogViewer |
60 | read-only /var/log/pacman.log | ||
diff --git a/etc/profile-m-z/pycharm-professional.profile b/etc/profile-m-z/pycharm-professional.profile index a14d0268b..b754a18c9 100644 --- a/etc/profile-m-z/pycharm-professional.profile +++ b/etc/profile-m-z/pycharm-professional.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profilen alias for pycharm-professional | 1 | # Firejail profilen alias for pycharm-professional |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include pyucharm-professional.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.PyCharm* | 9 | noblacklist ${HOME}/.PyCharm* |
5 | 10 | ||
diff --git a/etc/profile-m-z/pzstd.profile b/etc/profile-m-z/pzstd.profile index ce9af3286..b0a4c6be8 100644 --- a/etc/profile-m-z/pzstd.profile +++ b/etc/profile-m-z/pzstd.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for zstd | 1 | # Firejail profile alias for zstd |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include pzstd.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include zstd.profile | 10 | include zstd.profile |
diff --git a/etc/profile-m-z/qnapi.profile b/etc/profile-m-z/qnapi.profile new file mode 100644 index 000000000..0d1f9c3de --- /dev/null +++ b/etc/profile-m-z/qnapi.profile | |||
@@ -0,0 +1,55 @@ | |||
1 | # Firejail profile for qnapi | ||
2 | # Description: Qt client for downloading movie subtitles from NapiProjekt, OpenSubtitles and Napisy24 | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include qnapi.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/qnapi.ini | ||
10 | |||
11 | ignore noexec /tmp | ||
12 | |||
13 | include disable-common.inc | ||
14 | include disable-devel.inc | ||
15 | include disable-exec.inc | ||
16 | include disable-interpreters.inc | ||
17 | include disable-passwdmgr.inc | ||
18 | include disable-programs.inc | ||
19 | include disable-shell.inc | ||
20 | include disable-xdg.inc | ||
21 | |||
22 | mkfile ${HOME}/.config/qnapi.ini | ||
23 | whitelist ${HOME}/.config/qnapi.ini | ||
24 | whitelist ${DOWNLOADS} | ||
25 | include whitelist-common.inc | ||
26 | include whitelist-usr-share-common.inc | ||
27 | include whitelist-runuser-common.inc | ||
28 | include whitelist-var-common.inc | ||
29 | |||
30 | apparmor | ||
31 | caps.drop all | ||
32 | ipc-namespace | ||
33 | netfilter | ||
34 | nodvd | ||
35 | nogroups | ||
36 | nonewprivs | ||
37 | noroot | ||
38 | nosound | ||
39 | notv | ||
40 | nou2f | ||
41 | novideo | ||
42 | protocol unix,inet,inet6,netlink | ||
43 | seccomp | ||
44 | shell none | ||
45 | tracelog | ||
46 | |||
47 | private-bin 7z,qnapi | ||
48 | private-cache | ||
49 | private-dev | ||
50 | private-etc alternatives,fonts | ||
51 | private-opt none | ||
52 | private-tmp | ||
53 | |||
54 | dbus-user none | ||
55 | dbus-system none | ||
diff --git a/etc/profile-m-z/remmina.profile b/etc/profile-m-z/remmina.profile index 6311c91df..d4c7bdf31 100644 --- a/etc/profile-m-z/remmina.profile +++ b/etc/profile-m-z/remmina.profile | |||
@@ -9,7 +9,9 @@ include globals.local | |||
9 | noblacklist ${HOME}/.remmina | 9 | noblacklist ${HOME}/.remmina |
10 | noblacklist ${HOME}/.config/remmina | 10 | noblacklist ${HOME}/.config/remmina |
11 | noblacklist ${HOME}/.local/share/remmina | 11 | noblacklist ${HOME}/.local/share/remmina |
12 | noblacklist ${HOME}/.ssh | 12 | |
13 | # Allow ssh (blacklisted by disable-common.inc) | ||
14 | include allow-ssh.inc | ||
13 | 15 | ||
14 | include disable-common.inc | 16 | include disable-common.inc |
15 | include disable-devel.inc | 17 | include disable-devel.inc |
diff --git a/etc/profile-m-z/runenpass.sh.profile b/etc/profile-m-z/runenpass.sh.profile index 64432c171..304bda87b 100644 --- a/etc/profile-m-z/runenpass.sh.profile +++ b/etc/profile-m-z/runenpass.sh.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail alias profile for enpass | 1 | # Firejail alias profile for enpass |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include runenpass.sh.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include enpass.profile | 10 | include enpass.profile |
diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile index 8bb1f53a7..065409e78 100644 --- a/etc/profile-m-z/seahorse.profile +++ b/etc/profile-m-z/seahorse.profile | |||
@@ -9,8 +9,9 @@ include globals.local | |||
9 | blacklist /tmp/.X11-unix | 9 | blacklist /tmp/.X11-unix |
10 | 10 | ||
11 | noblacklist ${HOME}/.gnupg | 11 | noblacklist ${HOME}/.gnupg |
12 | noblacklist ${HOME}/.ssh | 12 | |
13 | noblacklist /tmp/ssh-* | 13 | # Allow ssh (blacklisted by disable-common.inc) |
14 | include allow-ssh.inc | ||
14 | 15 | ||
15 | include disable-common.inc | 16 | include disable-common.inc |
16 | include disable-devel.inc | 17 | include disable-devel.inc |
diff --git a/etc/profile-m-z/seamonkey-bin.profile b/etc/profile-m-z/seamonkey-bin.profile index 532294950..f9cb08432 100644 --- a/etc/profile-m-z/seamonkey-bin.profile +++ b/etc/profile-m-z/seamonkey-bin.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for seamonkey | 1 | # Firejail profile alias for seamonkey |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include seamonkey-bin.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include seamonkey.profile | 10 | include seamonkey.profile |
diff --git a/etc/profile-m-z/shotwell.profile b/etc/profile-m-z/shotwell.profile new file mode 100644 index 000000000..749029530 --- /dev/null +++ b/etc/profile-m-z/shotwell.profile | |||
@@ -0,0 +1,60 @@ | |||
1 | # Firejail profile for shotwell | ||
2 | # Description: A digital photo organizer designed for the GNOME desktop environment | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include shotwell.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.cache/shotwell | ||
10 | noblacklist ${HOME}/.local/share/shotwell | ||
11 | |||
12 | noblacklist ${PICTURES} | ||
13 | include disable-common.inc | ||
14 | include disable-devel.inc | ||
15 | include disable-exec.inc | ||
16 | include disable-interpreters.inc | ||
17 | include disable-passwdmgr.inc | ||
18 | include disable-programs.inc | ||
19 | include disable-shell.inc | ||
20 | include disable-xdg.inc | ||
21 | |||
22 | mkdir ${HOME}/.cache/shotwell | ||
23 | mkdir ${HOME}/.local/share/shotwell | ||
24 | whitelist ${HOME}/.cache/shotwell | ||
25 | whitelist ${HOME}/.local/share/shotwell | ||
26 | whitelist ${PICTURES} | ||
27 | include whitelist-common.inc | ||
28 | include whitelist-runuser-common.inc | ||
29 | include whitelist-usr-share-common.inc | ||
30 | include whitelist-var-common.inc | ||
31 | |||
32 | apparmor | ||
33 | caps.drop all | ||
34 | machine-id | ||
35 | netfilter | ||
36 | nodvd | ||
37 | nogroups | ||
38 | nonewprivs | ||
39 | noroot | ||
40 | nosound | ||
41 | notv | ||
42 | nou2f | ||
43 | novideo | ||
44 | protocol unix | ||
45 | seccomp | ||
46 | shell none | ||
47 | tracelog | ||
48 | |||
49 | private-bin shotwell | ||
50 | private-cache | ||
51 | private-dev | ||
52 | private-etc alternatives,fonts,machine-id | ||
53 | private-opt none | ||
54 | private-tmp | ||
55 | |||
56 | dbus-user filter | ||
57 | dbus-user.own org.gnome.Shotwell | ||
58 | dbus-user.talk ca.desrt.dconf | ||
59 | dbus-user.talk org.gtk.vfs.UDisks2VolumeMonitor | ||
60 | dbus-system none | ||
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile index 08e1c1f03..666a37def 100644 --- a/etc/profile-m-z/signal-desktop.profile +++ b/etc/profile-m-z/signal-desktop.profile | |||
@@ -21,8 +21,6 @@ noblacklist ${HOME}/.mozilla | |||
21 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | 21 | whitelist ${HOME}/.mozilla/firefox/profiles.ini |
22 | read-only ${HOME}/.mozilla/firefox/profiles.ini | 22 | read-only ${HOME}/.mozilla/firefox/profiles.ini |
23 | 23 | ||
24 | include disable-exec.inc | ||
25 | |||
26 | mkdir ${HOME}/.config/Signal | 24 | mkdir ${HOME}/.config/Signal |
27 | whitelist ${HOME}/.config/Signal | 25 | whitelist ${HOME}/.config/Signal |
28 | 26 | ||
diff --git a/etc/profile-m-z/smplayer.profile b/etc/profile-m-z/smplayer.profile index 8ffc47ff6..9d6db4cdb 100644 --- a/etc/profile-m-z/smplayer.profile +++ b/etc/profile-m-z/smplayer.profile | |||
@@ -10,7 +10,10 @@ noblacklist ${HOME}/.config/smplayer | |||
10 | noblacklist ${HOME}/.config/youtube-dl | 10 | noblacklist ${HOME}/.config/youtube-dl |
11 | noblacklist ${HOME}/.mplayer | 11 | noblacklist ${HOME}/.mplayer |
12 | 12 | ||
13 | # Allow lua (blacklisted by disable-interpreters.inc) | ||
13 | include allow-lua.inc | 14 | include allow-lua.inc |
15 | |||
16 | # Allow python (blacklisted by disable-interpreters.inc) | ||
14 | include allow-python2.inc | 17 | include allow-python2.inc |
15 | include allow-python3.inc | 18 | include allow-python3.inc |
16 | 19 | ||
diff --git a/etc/profile-m-z/soffice.profile b/etc/profile-m-z/soffice.profile index 8348a57fe..f7f86c33c 100644 --- a/etc/profile-m-z/soffice.profile +++ b/etc/profile-m-z/soffice.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for libreoffice | 1 | # Firejail profile alias for libreoffice |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include soffice.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include libreoffice.profile | 10 | include libreoffice.profile |
diff --git a/etc/profile-m-z/spectacle.profile b/etc/profile-m-z/spectacle.profile index ad39f1071..73d2556ac 100644 --- a/etc/profile-m-z/spectacle.profile +++ b/etc/profile-m-z/spectacle.profile | |||
@@ -46,6 +46,7 @@ nou2f | |||
46 | novideo | 46 | novideo |
47 | protocol unix | 47 | protocol unix |
48 | seccomp | 48 | seccomp |
49 | seccomp.block-secondary | ||
49 | shell none | 50 | shell none |
50 | tracelog | 51 | tracelog |
51 | 52 | ||
@@ -53,7 +54,7 @@ disable-mnt | |||
53 | private-bin spectacle | 54 | private-bin spectacle |
54 | private-cache | 55 | private-cache |
55 | private-dev | 56 | private-dev |
56 | private-etc alternatives,fonts,ld.so.conf | 57 | private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d |
57 | private-tmp | 58 | private-tmp |
58 | 59 | ||
59 | dbus-user filter | 60 | dbus-user filter |
diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile index 01b63d3ce..5802299a3 100644 --- a/etc/profile-m-z/ssh-agent.profile +++ b/etc/profile-m-z/ssh-agent.profile | |||
@@ -6,9 +6,8 @@ include ssh-agent.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist /etc/ssh | 9 | # Allow ssh (blacklisted by disable-common.inc) |
10 | noblacklist /tmp/ssh-* | 10 | include allow-ssh.inc |
11 | noblacklist ${HOME}/.ssh | ||
12 | 11 | ||
13 | blacklist /tmp/.X11-unix | 12 | blacklist /tmp/.X11-unix |
14 | blacklist ${RUNUSER}/wayland-* | 13 | blacklist ${RUNUSER}/wayland-* |
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile index d873a5672..641c3a79d 100644 --- a/etc/profile-m-z/ssh.profile +++ b/etc/profile-m-z/ssh.profile | |||
@@ -7,20 +7,20 @@ include ssh.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | noblacklist /etc/ssh | ||
11 | noblacklist /tmp/ssh-* | ||
12 | noblacklist ${HOME}/.ssh | ||
13 | # nc can be used as ProxyCommand, e.g. when using tor | 10 | # nc can be used as ProxyCommand, e.g. when using tor |
14 | noblacklist ${PATH}/nc | 11 | noblacklist ${PATH}/nc |
15 | noblacklist ${PATH}/ncat | 12 | noblacklist ${PATH}/ncat |
16 | 13 | ||
14 | # Allow ssh (blacklisted by disable-common.inc) | ||
15 | include allow-ssh.inc | ||
16 | |||
17 | include disable-common.inc | 17 | include disable-common.inc |
18 | include disable-exec.inc | 18 | include disable-exec.inc |
19 | include disable-passwdmgr.inc | 19 | include disable-passwdmgr.inc |
20 | include disable-programs.inc | 20 | include disable-programs.inc |
21 | 21 | ||
22 | whitelist ${RUNUSER}/keyring/ssh | ||
23 | whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh | 22 | whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh |
23 | whitelist ${RUNUSER}/keyring/ssh | ||
24 | include whitelist-usr-share-common.inc | 24 | include whitelist-usr-share-common.inc |
25 | include whitelist-runuser-common.inc | 25 | include whitelist-runuser-common.inc |
26 | 26 | ||
diff --git a/etc/profile-m-z/steam-native.profile b/etc/profile-m-z/steam-native.profile index 47608ad28..6b4281c5c 100644 --- a/etc/profile-m-z/steam-native.profile +++ b/etc/profile-m-z/steam-native.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for steam | 1 | # Firejail profile alias for steam |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include steam-native.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include steam.profile | 10 | include steam.profile |
diff --git a/etc/profile-m-z/steam-runtime.profile b/etc/profile-m-z/steam-runtime.profile index 47608ad28..a7e128d40 100644 --- a/etc/profile-m-z/steam-runtime.profile +++ b/etc/profile-m-z/steam-runtime.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for steam | 1 | # Firejail profile alias for steam |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include steam-runtime.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include steam.profile | 10 | include steam.profile |
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile index 55078d993..758b37815 100644 --- a/etc/profile-m-z/steam.profile +++ b/etc/profile-m-z/steam.profile | |||
@@ -9,6 +9,7 @@ include globals.local | |||
9 | noblacklist ${HOME}/.killingfloor | 9 | noblacklist ${HOME}/.killingfloor |
10 | noblacklist ${HOME}/.local/share/3909/PapersPlease | 10 | noblacklist ${HOME}/.local/share/3909/PapersPlease |
11 | noblacklist ${HOME}/.local/share/aspyr-media | 11 | noblacklist ${HOME}/.local/share/aspyr-media |
12 | noblacklist ${HOME}/.local/share/bohemiainteractive | ||
12 | noblacklist ${HOME}/.local/share/cdprojektred | 13 | noblacklist ${HOME}/.local/share/cdprojektred |
13 | noblacklist ${HOME}/.local/share/FasterThanLight | 14 | noblacklist ${HOME}/.local/share/FasterThanLight |
14 | noblacklist ${HOME}/.local/share/feral-interactive | 15 | noblacklist ${HOME}/.local/share/feral-interactive |
@@ -45,6 +46,7 @@ mkdir ${HOME}/.config/unity3d | |||
45 | mkdir ${HOME}/.killingfloor | 46 | mkdir ${HOME}/.killingfloor |
46 | mkdir ${HOME}/.local/share/3909/PapersPlease | 47 | mkdir ${HOME}/.local/share/3909/PapersPlease |
47 | mkdir ${HOME}/.local/share/aspyr-media | 48 | mkdir ${HOME}/.local/share/aspyr-media |
49 | mkdir ${HOME}/.local/share/bohemiainteractive | ||
48 | mkdir ${HOME}/.local/share/cdprojektred | 50 | mkdir ${HOME}/.local/share/cdprojektred |
49 | mkdir ${HOME}/.local/share/FasterThanLight | 51 | mkdir ${HOME}/.local/share/FasterThanLight |
50 | mkdir ${HOME}/.local/share/feral-interactive | 52 | mkdir ${HOME}/.local/share/feral-interactive |
@@ -64,6 +66,7 @@ whitelist ${HOME}/.config/unity3d | |||
64 | whitelist ${HOME}/.killingfloor | 66 | whitelist ${HOME}/.killingfloor |
65 | whitelist ${HOME}/.local/share/3909/PapersPlease | 67 | whitelist ${HOME}/.local/share/3909/PapersPlease |
66 | whitelist ${HOME}/.local/share/aspyr-media | 68 | whitelist ${HOME}/.local/share/aspyr-media |
69 | whitelist ${HOME}/.local/share/bohemiainteractive | ||
67 | whitelist ${HOME}/.local/share/cdprojektred | 70 | whitelist ${HOME}/.local/share/cdprojektred |
68 | whitelist ${HOME}/.local/share/FasterThanLight | 71 | whitelist ${HOME}/.local/share/FasterThanLight |
69 | whitelist ${HOME}/.local/share/feral-interactive | 72 | whitelist ${HOME}/.local/share/feral-interactive |
diff --git a/etc/profile-m-z/straw-viewer.profile b/etc/profile-m-z/straw-viewer.profile index 721ad38ee..2ae35d211 100644 --- a/etc/profile-m-z/straw-viewer.profile +++ b/etc/profile-m-z/straw-viewer.profile | |||
@@ -10,8 +10,13 @@ include globals.local | |||
10 | noblacklist ${HOME}/.cache/straw-viewer | 10 | noblacklist ${HOME}/.cache/straw-viewer |
11 | noblacklist ${HOME}/.config/straw-viewer | 11 | noblacklist ${HOME}/.config/straw-viewer |
12 | 12 | ||
13 | # Allow lua (blacklisted by disable-interpreters.inc) | ||
13 | include allow-lua.inc | 14 | include allow-lua.inc |
15 | |||
16 | # Allow perl (blacklisted by disable-interpreters.inc) | ||
14 | include allow-perl.inc | 17 | include allow-perl.inc |
18 | |||
19 | # Allow python (blacklisted by disable-interpreters.inc) | ||
15 | include allow-python2.inc | 20 | include allow-python2.inc |
16 | include allow-python3.inc | 21 | include allow-python3.inc |
17 | 22 | ||
diff --git a/etc/profile-m-z/studio.sh.profile b/etc/profile-m-z/studio.sh.profile index 79e879f36..8df11eef2 100644 --- a/etc/profile-m-z/studio.sh.profile +++ b/etc/profile-m-z/studio.sh.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for Android Studio | 1 | # Firejail profile alias for Android Studio |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include studio.sh.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include android-studio.profile | 10 | include android-studio.profile |
diff --git a/etc/profile-m-z/sylpheed.profile b/etc/profile-m-z/sylpheed.profile index 4344fe73a..50506d100 100644 --- a/etc/profile-m-z/sylpheed.profile +++ b/etc/profile-m-z/sylpheed.profile | |||
@@ -13,5 +13,14 @@ whitelist ${HOME}/.sylpheed-2.0 | |||
13 | 13 | ||
14 | whitelist /usr/share/sylpheed | 14 | whitelist /usr/share/sylpheed |
15 | 15 | ||
16 | # private-bin curl,gpg,gpg2,gpg-agent,gpgsm,pinentry,pinentry-gtk-2,sylpheed | ||
17 | |||
18 | dbus-user filter | ||
19 | dbus-user.talk ca.desrt.dconf | ||
20 | dbus-user.talk org.freedesktop.secrets | ||
21 | dbus-user.talk org.gnome.keyring.SystemPrompter | ||
22 | # Uncomment below for notifications (or put them in your sylpheed.local) | ||
23 | # dbus-user.talk org.freedesktop.Notifications | ||
24 | |||
16 | # Redirect | 25 | # Redirect |
17 | include email-common.profile | 26 | include email-common.profile |
diff --git a/etc/profile-m-z/tar.profile b/etc/profile-m-z/tar.profile index f6efb0feb..9d7a23d43 100644 --- a/etc/profile-m-z/tar.profile +++ b/etc/profile-m-z/tar.profile | |||
@@ -7,13 +7,17 @@ include tar.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only. | 10 | # Included in archiver-common.inc |
11 | noblacklist /var/lib/pacman | ||
12 | |||
13 | ignore include disable-shell.inc | 11 | ignore include disable-shell.inc |
14 | include archiver-common.inc | 12 | |
13 | # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop | ||
14 | # all capabilities this is automatically read-only. | ||
15 | noblacklist /var/lib/pacman | ||
15 | 16 | ||
16 | private-etc alternatives,group,localtime,login.defs,passwd | 17 | private-etc alternatives,group,localtime,login.defs,passwd |
17 | #private-lib libfakeroot,liblzma.so.*,libreadline.so.* | 18 | #private-lib libfakeroot,liblzma.so.*,libreadline.so.* |
18 | # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic) | 19 | # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic) |
19 | writable-var | 20 | writable-var |
21 | |||
22 | # Redirect | ||
23 | include archiver-common.inc | ||
diff --git a/etc/profile-m-z/telegram-desktop.profile b/etc/profile-m-z/telegram-desktop.profile index 0cfa7114b..e0c5aee9e 100644 --- a/etc/profile-m-z/telegram-desktop.profile +++ b/etc/profile-m-z/telegram-desktop.profile | |||
@@ -1,6 +1,11 @@ | |||
1 | # Firejail profile alias for telegram | 1 | # Firejail profile alias for telegram |
2 | # Description: Official Telegram Desktop client | 2 | # Description: Official Telegram Desktop client |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | ||
5 | include tekegram-desktop.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
4 | 9 | ||
5 | # Redirect | 10 | # Redirect |
6 | include telegram.profile | 11 | include telegram.profile |
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile index 0e7413fc9..fce7dc461 100644 --- a/etc/profile-m-z/telegram.profile +++ b/etc/profile-m-z/telegram.profile | |||
@@ -12,8 +12,22 @@ include disable-common.inc | |||
12 | include disable-devel.inc | 12 | include disable-devel.inc |
13 | include disable-exec.inc | 13 | include disable-exec.inc |
14 | include disable-interpreters.inc | 14 | include disable-interpreters.inc |
15 | include disable-passwdmgr.inc | ||
15 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | include disable-shell.inc | ||
18 | include disable-xdg.inc | ||
16 | 19 | ||
20 | mkdir ${HOME}/.TelegramDesktop | ||
21 | mkdir ${HOME}/.local/share/TelegramDesktop | ||
22 | whitelist ${HOME}/.TelegramDesktop | ||
23 | whitelist ${HOME}/.local/share/TelegramDesktop | ||
24 | whitelist ${DOWNLOADS} | ||
25 | include whitelist-common.inc | ||
26 | include whitelist-runuser-common.inc | ||
27 | include whitelist-usr-share-common.inc | ||
28 | include whitelist-var-common.inc | ||
29 | |||
30 | apparmor | ||
17 | caps.drop all | 31 | caps.drop all |
18 | netfilter | 32 | netfilter |
19 | nodvd | 33 | nodvd |
@@ -22,8 +36,10 @@ noroot | |||
22 | notv | 36 | notv |
23 | protocol unix,inet,inet6,netlink | 37 | protocol unix,inet,inet6,netlink |
24 | seccomp | 38 | seccomp |
39 | shell none | ||
25 | 40 | ||
26 | disable-mnt | 41 | disable-mnt |
27 | private-cache | 42 | private-cache |
28 | private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,os-release,pki,pulse,resolv.conf,ssl,xdg | 43 | private-dev |
44 | private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg | ||
29 | private-tmp | 45 | private-tmp |
diff --git a/etc/profile-m-z/thunar.profile b/etc/profile-m-z/thunar.profile index 19993016a..984c5579f 100644 --- a/etc/profile-m-z/thunar.profile +++ b/etc/profile-m-z/thunar.profile | |||
@@ -1,6 +1,11 @@ | |||
1 | # Firejail profile alias for Thunar | 1 | # Firejail profile alias for Thunar |
2 | # Description: Modern file manager for Xfce | 2 | # Description: Modern file manager for Xfce |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | ||
5 | include thunar.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
4 | 9 | ||
5 | # Redirect | 10 | # Redirect |
6 | include Thunar.profile | 11 | include Thunar.profile |
diff --git a/etc/profile-m-z/thunderbird-beta.profile b/etc/profile-m-z/thunderbird-beta.profile index 6450e40d6..46a1e57c8 100644 --- a/etc/profile-m-z/thunderbird-beta.profile +++ b/etc/profile-m-z/thunderbird-beta.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for thunderbird-beta | 1 | # Firejail profile alias for thunderbird-beta |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include thunderbird-beta.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | private-opt thunderbird-beta | 9 | private-opt thunderbird-beta |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser-ar.profile b/etc/profile-m-z/tor-browser-ar.profile index 612b2d01b..59f1bc3b1 100644 --- a/etc/profile-m-z/tor-browser-ar.profile +++ b/etc/profile-m-z/tor-browser-ar.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser-ar.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser-ar | 9 | noblacklist ${HOME}/.tor-browser-ar |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser-ca.profile b/etc/profile-m-z/tor-browser-ca.profile index db70a7109..68577e352 100644 --- a/etc/profile-m-z/tor-browser-ca.profile +++ b/etc/profile-m-z/tor-browser-ca.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser-ca.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser-ca | 9 | noblacklist ${HOME}/.tor-browser-ca |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser-cs.profile b/etc/profile-m-z/tor-browser-cs.profile index 77b271b68..33e51fcd0 100644 --- a/etc/profile-m-z/tor-browser-cs.profile +++ b/etc/profile-m-z/tor-browser-cs.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser-cs.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser-cs | 9 | noblacklist ${HOME}/.tor-browser-cs |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser-da.profile b/etc/profile-m-z/tor-browser-da.profile index 3b9fff9a4..440bb7fc3 100644 --- a/etc/profile-m-z/tor-browser-da.profile +++ b/etc/profile-m-z/tor-browser-da.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser-da.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser-da | 9 | noblacklist ${HOME}/.tor-browser-da |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser-de.profile b/etc/profile-m-z/tor-browser-de.profile index 3b4f7f94f..b2b98cf82 100644 --- a/etc/profile-m-z/tor-browser-de.profile +++ b/etc/profile-m-z/tor-browser-de.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser-de.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser-de | 9 | noblacklist ${HOME}/.tor-browser-de |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser-el.profile b/etc/profile-m-z/tor-browser-el.profile index b978b6042..626757dd5 100644 --- a/etc/profile-m-z/tor-browser-el.profile +++ b/etc/profile-m-z/tor-browser-el.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser-el.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser-el | 9 | noblacklist ${HOME}/.tor-browser-el |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser-en-us.profile b/etc/profile-m-z/tor-browser-en-us.profile index db56dda1b..15e690748 100644 --- a/etc/profile-m-z/tor-browser-en-us.profile +++ b/etc/profile-m-z/tor-browser-en-us.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser-en-us.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser-en-us | 9 | noblacklist ${HOME}/.tor-browser-en-us |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser-en.profile b/etc/profile-m-z/tor-browser-en.profile index ad4110c0e..ef8c1eb8b 100644 --- a/etc/profile-m-z/tor-browser-en.profile +++ b/etc/profile-m-z/tor-browser-en.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser-en.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser-en | 9 | noblacklist ${HOME}/.tor-browser-en |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser-es-es.profile b/etc/profile-m-z/tor-browser-es-es.profile index 1aa586658..ad734662e 100644 --- a/etc/profile-m-z/tor-browser-es-es.profile +++ b/etc/profile-m-z/tor-browser-es-es.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser-es-es.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser-es-es | 9 | noblacklist ${HOME}/.tor-browser-es-es |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser-es.profile b/etc/profile-m-z/tor-browser-es.profile index a386e3387..97d8d8577 100644 --- a/etc/profile-m-z/tor-browser-es.profile +++ b/etc/profile-m-z/tor-browser-es.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser-es.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser-es | 9 | noblacklist ${HOME}/.tor-browser-es |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser-fa.profile b/etc/profile-m-z/tor-browser-fa.profile index 7f847a7c2..095be69e4 100644 --- a/etc/profile-m-z/tor-browser-fa.profile +++ b/etc/profile-m-z/tor-browser-fa.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser-fa.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser-fa | 9 | noblacklist ${HOME}/.tor-browser-fa |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser-fr.profile b/etc/profile-m-z/tor-browser-fr.profile index bce470ec8..37f61fc3a 100644 --- a/etc/profile-m-z/tor-browser-fr.profile +++ b/etc/profile-m-z/tor-browser-fr.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser-fr.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser-fr | 9 | noblacklist ${HOME}/.tor-browser-fr |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser-ga-ie.profile b/etc/profile-m-z/tor-browser-ga-ie.profile index 994897a87..ab7141fc4 100644 --- a/etc/profile-m-z/tor-browser-ga-ie.profile +++ b/etc/profile-m-z/tor-browser-ga-ie.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser-ga-ie.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser-ga-ie | 9 | noblacklist ${HOME}/.tor-browser-ga-ie |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser-he.profile b/etc/profile-m-z/tor-browser-he.profile index 6367b4c0a..ae56f3b7f 100644 --- a/etc/profile-m-z/tor-browser-he.profile +++ b/etc/profile-m-z/tor-browser-he.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser-he.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser-he | 9 | noblacklist ${HOME}/.tor-browser-he |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser-hu.profile b/etc/profile-m-z/tor-browser-hu.profile index 68e79833e..65cd18ac8 100644 --- a/etc/profile-m-z/tor-browser-hu.profile +++ b/etc/profile-m-z/tor-browser-hu.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser-hu.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser-hu | 9 | noblacklist ${HOME}/.tor-browser-hu |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser-id.profile b/etc/profile-m-z/tor-browser-id.profile index 85b455ba2..57fe09f47 100644 --- a/etc/profile-m-z/tor-browser-id.profile +++ b/etc/profile-m-z/tor-browser-id.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser-id.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser-id | 9 | noblacklist ${HOME}/.tor-browser-id |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser-is.profile b/etc/profile-m-z/tor-browser-is.profile index 48e88db71..54f1df42d 100644 --- a/etc/profile-m-z/tor-browser-is.profile +++ b/etc/profile-m-z/tor-browser-is.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser-is.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser-is | 9 | noblacklist ${HOME}/.tor-browser-is |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser-it.profile b/etc/profile-m-z/tor-browser-it.profile index 3c239ca29..a7d46e875 100644 --- a/etc/profile-m-z/tor-browser-it.profile +++ b/etc/profile-m-z/tor-browser-it.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser-it.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser-it | 9 | noblacklist ${HOME}/.tor-browser-it |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser-ja.profile b/etc/profile-m-z/tor-browser-ja.profile index c52e0f64e..b89016141 100644 --- a/etc/profile-m-z/tor-browser-ja.profile +++ b/etc/profile-m-z/tor-browser-ja.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser-ja.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser-ja | 9 | noblacklist ${HOME}/.tor-browser-ja |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser-ka.profile b/etc/profile-m-z/tor-browser-ka.profile index 173b85e5c..b57cf10de 100644 --- a/etc/profile-m-z/tor-browser-ka.profile +++ b/etc/profile-m-z/tor-browser-ka.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser-ka.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser-ka | 9 | noblacklist ${HOME}/.tor-browser-ka |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser-ko.profile b/etc/profile-m-z/tor-browser-ko.profile index 8faa5afa1..a9bedb6fd 100644 --- a/etc/profile-m-z/tor-browser-ko.profile +++ b/etc/profile-m-z/tor-browser-ko.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser-ko.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser-ko | 9 | noblacklist ${HOME}/.tor-browser-ko |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser-nb.profile b/etc/profile-m-z/tor-browser-nb.profile index d1352dd80..fbe9f92bd 100644 --- a/etc/profile-m-z/tor-browser-nb.profile +++ b/etc/profile-m-z/tor-browser-nb.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser-nb.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser-nb | 9 | noblacklist ${HOME}/.tor-browser-nb |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser-nl.profile b/etc/profile-m-z/tor-browser-nl.profile index d4443cca2..678ac1713 100644 --- a/etc/profile-m-z/tor-browser-nl.profile +++ b/etc/profile-m-z/tor-browser-nl.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser-nl.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser-nl | 9 | noblacklist ${HOME}/.tor-browser-nl |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser-pl.profile b/etc/profile-m-z/tor-browser-pl.profile index 08ddd4ae7..25d473b1a 100644 --- a/etc/profile-m-z/tor-browser-pl.profile +++ b/etc/profile-m-z/tor-browser-pl.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser-pl.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser-pl | 9 | noblacklist ${HOME}/.tor-browser-pl |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser-pt-br.profile b/etc/profile-m-z/tor-browser-pt-br.profile index 9942a3fe8..55adbd5ea 100644 --- a/etc/profile-m-z/tor-browser-pt-br.profile +++ b/etc/profile-m-z/tor-browser-pt-br.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser-pt-br.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser-pt-br | 9 | noblacklist ${HOME}/.tor-browser-pt-br |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser-ru.profile b/etc/profile-m-z/tor-browser-ru.profile index 6294f8ca0..aea13be9d 100644 --- a/etc/profile-m-z/tor-browser-ru.profile +++ b/etc/profile-m-z/tor-browser-ru.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser-ru.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser-ru | 9 | noblacklist ${HOME}/.tor-browser-ru |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser-sv-se.profile b/etc/profile-m-z/tor-browser-sv-se.profile index c8544262f..b7882bd04 100644 --- a/etc/profile-m-z/tor-browser-sv-se.profile +++ b/etc/profile-m-z/tor-browser-sv-se.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser-sv-se.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser-sv-se | 9 | noblacklist ${HOME}/.tor-browser-sv-se |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser-tr.profile b/etc/profile-m-z/tor-browser-tr.profile index 2343fa8de..c52e8c4c4 100644 --- a/etc/profile-m-z/tor-browser-tr.profile +++ b/etc/profile-m-z/tor-browser-tr.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser-tr.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser-tr | 9 | noblacklist ${HOME}/.tor-browser-tr |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser-vi.profile b/etc/profile-m-z/tor-browser-vi.profile index 734c38698..d5bf76655 100644 --- a/etc/profile-m-z/tor-browser-vi.profile +++ b/etc/profile-m-z/tor-browser-vi.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser-vi.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser-vi | 9 | noblacklist ${HOME}/.tor-browser-vi |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser-zh-cn.profile b/etc/profile-m-z/tor-browser-zh-cn.profile index 21e813e45..6c8925a4a 100644 --- a/etc/profile-m-z/tor-browser-zh-cn.profile +++ b/etc/profile-m-z/tor-browser-zh-cn.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser-zh-cn.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser-zh-cn | 9 | noblacklist ${HOME}/.tor-browser-zh-cn |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser-zh-tw.profile b/etc/profile-m-z/tor-browser-zh-tw.profile index 6fe09c6c1..141a6701e 100644 --- a/etc/profile-m-z/tor-browser-zh-tw.profile +++ b/etc/profile-m-z/tor-browser-zh-tw.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser-zh-tw.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser-zh-tw | 9 | noblacklist ${HOME}/.tor-browser-zh-tw |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser.profile b/etc/profile-m-z/tor-browser.profile index 0cd84abf5..76a0e1fa5 100644 --- a/etc/profile-m-z/tor-browser.profile +++ b/etc/profile-m-z/tor-browser.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser | 9 | noblacklist ${HOME}/.tor-browser |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser_ar.profile b/etc/profile-m-z/tor-browser_ar.profile index 1e1f5ce35..d811b7549 100644 --- a/etc/profile-m-z/tor-browser_ar.profile +++ b/etc/profile-m-z/tor-browser_ar.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser_ar.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser_ar | 9 | noblacklist ${HOME}/.tor-browser_ar |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser_ca.profile b/etc/profile-m-z/tor-browser_ca.profile index e114b6051..8bf1f7cd4 100644 --- a/etc/profile-m-z/tor-browser_ca.profile +++ b/etc/profile-m-z/tor-browser_ca.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser_ca.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser_ca | 9 | noblacklist ${HOME}/.tor-browser_ca |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser_cs.profile b/etc/profile-m-z/tor-browser_cs.profile index 498068bc6..b41107bf1 100644 --- a/etc/profile-m-z/tor-browser_cs.profile +++ b/etc/profile-m-z/tor-browser_cs.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser_cs.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser_cs | 9 | noblacklist ${HOME}/.tor-browser_cs |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser_da.profile b/etc/profile-m-z/tor-browser_da.profile index 5c25c03c8..cbec4ee2e 100644 --- a/etc/profile-m-z/tor-browser_da.profile +++ b/etc/profile-m-z/tor-browser_da.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser_da.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser_da | 9 | noblacklist ${HOME}/.tor-browser_da |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser_de.profile b/etc/profile-m-z/tor-browser_de.profile index d530e7dbe..ea26765d3 100644 --- a/etc/profile-m-z/tor-browser_de.profile +++ b/etc/profile-m-z/tor-browser_de.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser_de.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser_de | 9 | noblacklist ${HOME}/.tor-browser_de |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser_el.profile b/etc/profile-m-z/tor-browser_el.profile index 67d5ab440..ff57a8722 100644 --- a/etc/profile-m-z/tor-browser_el.profile +++ b/etc/profile-m-z/tor-browser_el.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser_el.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser_el | 9 | noblacklist ${HOME}/.tor-browser_el |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser_en-US.profile b/etc/profile-m-z/tor-browser_en-US.profile index b298ab2b8..18c92b638 100644 --- a/etc/profile-m-z/tor-browser_en-US.profile +++ b/etc/profile-m-z/tor-browser_en-US.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser_en-US.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser_en-US | 9 | noblacklist ${HOME}/.tor-browser_en-US |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser_en.profile b/etc/profile-m-z/tor-browser_en.profile index 6bb0616b1..ebba83cc4 100644 --- a/etc/profile-m-z/tor-browser_en.profile +++ b/etc/profile-m-z/tor-browser_en.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser_en.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser_en | 9 | noblacklist ${HOME}/.tor-browser_en |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser_es-ES.profile b/etc/profile-m-z/tor-browser_es-ES.profile index 78f57ffe5..aecab38d5 100644 --- a/etc/profile-m-z/tor-browser_es-ES.profile +++ b/etc/profile-m-z/tor-browser_es-ES.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser_es-ES.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser_es-ES | 9 | noblacklist ${HOME}/.tor-browser_es-ES |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser_es.profile b/etc/profile-m-z/tor-browser_es.profile index ea34a07c9..e19e9b5e6 100644 --- a/etc/profile-m-z/tor-browser_es.profile +++ b/etc/profile-m-z/tor-browser_es.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser_es.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser_es | 9 | noblacklist ${HOME}/.tor-browser_es |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser_fa.profile b/etc/profile-m-z/tor-browser_fa.profile index fbc416ce5..68414c277 100644 --- a/etc/profile-m-z/tor-browser_fa.profile +++ b/etc/profile-m-z/tor-browser_fa.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser_fa.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser_fa | 9 | noblacklist ${HOME}/.tor-browser_fa |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser_fr.profile b/etc/profile-m-z/tor-browser_fr.profile index caea6db5b..0a8bb30b7 100644 --- a/etc/profile-m-z/tor-browser_fr.profile +++ b/etc/profile-m-z/tor-browser_fr.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser_fr.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser_fr | 9 | noblacklist ${HOME}/.tor-browser_fr |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser_ga-IE.profile b/etc/profile-m-z/tor-browser_ga-IE.profile index 6342daebf..12354b900 100644 --- a/etc/profile-m-z/tor-browser_ga-IE.profile +++ b/etc/profile-m-z/tor-browser_ga-IE.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser_ga-IE.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser_ga-IE | 9 | noblacklist ${HOME}/.tor-browser_ga-IE |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser_he.profile b/etc/profile-m-z/tor-browser_he.profile index cc4150620..19cbb0809 100644 --- a/etc/profile-m-z/tor-browser_he.profile +++ b/etc/profile-m-z/tor-browser_he.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser_he.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser_he | 9 | noblacklist ${HOME}/.tor-browser_he |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser_hu.profile b/etc/profile-m-z/tor-browser_hu.profile index 952a0b68a..62b55e170 100644 --- a/etc/profile-m-z/tor-browser_hu.profile +++ b/etc/profile-m-z/tor-browser_hu.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser_hu.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser_hu | 9 | noblacklist ${HOME}/.tor-browser_hu |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser_id.profile b/etc/profile-m-z/tor-browser_id.profile index a006b27c0..2970a7747 100644 --- a/etc/profile-m-z/tor-browser_id.profile +++ b/etc/profile-m-z/tor-browser_id.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser_id.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser_id | 9 | noblacklist ${HOME}/.tor-browser_id |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser_is.profile b/etc/profile-m-z/tor-browser_is.profile index 038e0fabb..f922c7644 100644 --- a/etc/profile-m-z/tor-browser_is.profile +++ b/etc/profile-m-z/tor-browser_is.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser_is.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser_is | 9 | noblacklist ${HOME}/.tor-browser_is |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser_it.profile b/etc/profile-m-z/tor-browser_it.profile index 3d2566994..406901759 100644 --- a/etc/profile-m-z/tor-browser_it.profile +++ b/etc/profile-m-z/tor-browser_it.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser_it.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser_it | 9 | noblacklist ${HOME}/.tor-browser_it |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser_ja.profile b/etc/profile-m-z/tor-browser_ja.profile index 08c942bcd..8f9d8d751 100644 --- a/etc/profile-m-z/tor-browser_ja.profile +++ b/etc/profile-m-z/tor-browser_ja.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser_ja.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser_ja | 9 | noblacklist ${HOME}/.tor-browser_ja |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser_ka.profile b/etc/profile-m-z/tor-browser_ka.profile index 97664be4d..4de4135e1 100644 --- a/etc/profile-m-z/tor-browser_ka.profile +++ b/etc/profile-m-z/tor-browser_ka.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser_ka.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser_ka | 9 | noblacklist ${HOME}/.tor-browser_ka |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser_ko.profile b/etc/profile-m-z/tor-browser_ko.profile index 98cf1e3e1..125c733ce 100644 --- a/etc/profile-m-z/tor-browser_ko.profile +++ b/etc/profile-m-z/tor-browser_ko.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser_ko.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser_ko | 9 | noblacklist ${HOME}/.tor-browser_ko |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser_nb.profile b/etc/profile-m-z/tor-browser_nb.profile index 6df840573..dc6ac876b 100644 --- a/etc/profile-m-z/tor-browser_nb.profile +++ b/etc/profile-m-z/tor-browser_nb.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser_nb.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser_nb | 9 | noblacklist ${HOME}/.tor-browser_nb |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser_nl.profile b/etc/profile-m-z/tor-browser_nl.profile index 3f545f888..2a3a5b519 100644 --- a/etc/profile-m-z/tor-browser_nl.profile +++ b/etc/profile-m-z/tor-browser_nl.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser_nl.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser_nl | 9 | noblacklist ${HOME}/.tor-browser_nl |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser_pl.profile b/etc/profile-m-z/tor-browser_pl.profile index 4e04dc027..b7dec32db 100644 --- a/etc/profile-m-z/tor-browser_pl.profile +++ b/etc/profile-m-z/tor-browser_pl.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser_pl.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser_pl | 9 | noblacklist ${HOME}/.tor-browser_pl |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser_pt-BR.profile b/etc/profile-m-z/tor-browser_pt-BR.profile index 7f864886c..7a7d4726c 100644 --- a/etc/profile-m-z/tor-browser_pt-BR.profile +++ b/etc/profile-m-z/tor-browser_pt-BR.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser_pt-BR.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser_pt-BR | 9 | noblacklist ${HOME}/.tor-browser_pt-BR |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser_ru.profile b/etc/profile-m-z/tor-browser_ru.profile index 2fae6fbe7..7d2e6bc97 100644 --- a/etc/profile-m-z/tor-browser_ru.profile +++ b/etc/profile-m-z/tor-browser_ru.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser_ru.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser_ru | 9 | noblacklist ${HOME}/.tor-browser_ru |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser_sv-SE.profile b/etc/profile-m-z/tor-browser_sv-SE.profile index 2157f8d2b..585925e81 100644 --- a/etc/profile-m-z/tor-browser_sv-SE.profile +++ b/etc/profile-m-z/tor-browser_sv-SE.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser_sv-SE.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser_sv-SE | 9 | noblacklist ${HOME}/.tor-browser_sv-SE |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser_tr.profile b/etc/profile-m-z/tor-browser_tr.profile index 20ac246ca..4b0cc3821 100644 --- a/etc/profile-m-z/tor-browser_tr.profile +++ b/etc/profile-m-z/tor-browser_tr.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser_tr.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser_tr | 9 | noblacklist ${HOME}/.tor-browser_tr |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser_vi.profile b/etc/profile-m-z/tor-browser_vi.profile index 4faa06ff6..4dcfbf56d 100644 --- a/etc/profile-m-z/tor-browser_vi.profile +++ b/etc/profile-m-z/tor-browser_vi.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser_vi.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser_vi | 9 | noblacklist ${HOME}/.tor-browser_vi |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser_zh-CN.profile b/etc/profile-m-z/tor-browser_zh-CN.profile index e4d8215e6..1e03b8d6b 100644 --- a/etc/profile-m-z/tor-browser_zh-CN.profile +++ b/etc/profile-m-z/tor-browser_zh-CN.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser_zh-CN.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser_zh-CN | 9 | noblacklist ${HOME}/.tor-browser_zh-CN |
5 | 10 | ||
diff --git a/etc/profile-m-z/tor-browser_zh-TW.profile b/etc/profile-m-z/tor-browser_zh-TW.profile index 8a28015a6..a2dcf5cf1 100644 --- a/etc/profile-m-z/tor-browser_zh-TW.profile +++ b/etc/profile-m-z/tor-browser_zh-TW.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include tor-browser_zh-TW.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.tor-browser_zh-TW | 9 | noblacklist ${HOME}/.tor-browser_zh-TW |
5 | 10 | ||
diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile index 36495064e..90c45c7d0 100644 --- a/etc/profile-m-z/totem.profile +++ b/etc/profile-m-z/totem.profile | |||
@@ -6,7 +6,8 @@ include totem.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Allow lua (required for youtube video) | 9 | # Allow lua (blacklisted by disable-interpreters.inc) |
10 | # required for youtube video | ||
10 | include allow-lua.inc | 11 | include allow-lua.inc |
11 | 12 | ||
12 | # Allow python (blacklisted by disable-interpreters.inc) | 13 | # Allow python (blacklisted by disable-interpreters.inc) |
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile index a8641af85..b82aadd13 100644 --- a/etc/profile-m-z/trojita.profile +++ b/etc/profile-m-z/trojita.profile | |||
@@ -57,7 +57,8 @@ private-dev | |||
57 | private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg | 57 | private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg |
58 | private-tmp | 58 | private-tmp |
59 | 59 | ||
60 | dbus-user none | 60 | dbus-user filter |
61 | dbus-user.talk org.freedesktop.secrets | ||
61 | dbus-system none | 62 | dbus-system none |
62 | 63 | ||
63 | read-only ${HOME}/.mozilla/firefox/profiles.ini | 64 | read-only ${HOME}/.mozilla/firefox/profiles.ini |
diff --git a/etc/profile-m-z/tshark.profile b/etc/profile-m-z/tshark.profile index a5cefb47a..3f5a9647e 100644 --- a/etc/profile-m-z/tshark.profile +++ b/etc/profile-m-z/tshark.profile | |||
@@ -1,6 +1,11 @@ | |||
1 | # Firejail profile for tshark | 1 | # Firejail profile for tshark |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | quiet | 3 | quiet |
4 | # Persistent local customizations | ||
5 | include tshark.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
4 | 9 | ||
5 | # Redirect | 10 | # Redirect |
6 | include wireshark.profile | 11 | include wireshark.profile |
diff --git a/etc/profile-m-z/tutanota-desktop.profile b/etc/profile-m-z/tutanota-desktop.profile new file mode 100644 index 000000000..d2cb0cc8a --- /dev/null +++ b/etc/profile-m-z/tutanota-desktop.profile | |||
@@ -0,0 +1,31 @@ | |||
1 | # Firejail profile for tutanota-desktop | ||
2 | # Description: Encrypted email client | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include tutanota-desktop.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/tuta_integration | ||
10 | noblacklist ${HOME}/.config/tutanota-desktop | ||
11 | |||
12 | ignore noexec /tmp | ||
13 | |||
14 | include disable-shell.inc | ||
15 | |||
16 | mkdir ${HOME}/.config/tuta_integration | ||
17 | mkdir ${HOME}/.config/tutanota-desktop | ||
18 | whitelist ${HOME}/.config/tuta_integration | ||
19 | whitelist ${HOME}/.config/tutanota-desktop | ||
20 | |||
21 | # These lines are needed to allow Firefox to open links | ||
22 | noblacklist ${HOME}/.mozilla | ||
23 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | ||
24 | read-only ${HOME}/.mozilla/firefox/profiles.ini | ||
25 | |||
26 | ?HAS_APPIMAGE: ignore private-dev | ||
27 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl | ||
28 | private-opt tutanota-desktop | ||
29 | |||
30 | # Redirect | ||
31 | include electron.profile | ||
diff --git a/etc/profile-m-z/unar.profile b/etc/profile-m-z/unar.profile new file mode 100644 index 000000000..0226a7de8 --- /dev/null +++ b/etc/profile-m-z/unar.profile | |||
@@ -0,0 +1,13 @@ | |||
1 | # Firejail profile for unar | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include unar.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | private-bin unar | ||
11 | |||
12 | # Redirect | ||
13 | include ar.profile | ||
diff --git a/etc/profile-m-z/unlzma.profile b/etc/profile-m-z/unlzma.profile index d9c72407f..115d982e2 100644 --- a/etc/profile-m-z/unlzma.profile +++ b/etc/profile-m-z/unlzma.profile | |||
@@ -2,6 +2,11 @@ | |||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | 2 | # Description: Library and command line tools for XZ and LZMA compressed files |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | # Persistent local customizations | ||
6 | include unlzma.local | ||
7 | # Persistent global definitions | ||
8 | # added by included profile | ||
9 | #include globals.local | ||
5 | 10 | ||
6 | # Redirect | 11 | # Redirect |
7 | include cpio.profile | 12 | include cpio.profile |
diff --git a/etc/profile-m-z/unrar.profile b/etc/profile-m-z/unrar.profile index 9487f8e68..65f1a425a 100644 --- a/etc/profile-m-z/unrar.profile +++ b/etc/profile-m-z/unrar.profile | |||
@@ -7,8 +7,9 @@ include unrar.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | include archiver-common.inc | ||
11 | |||
12 | private-bin unrar | 10 | private-bin unrar |
13 | private-etc alternatives,group,localtime,passwd | 11 | private-etc alternatives,group,localtime,passwd |
14 | private-tmp | 12 | private-tmp |
13 | |||
14 | # Redirect | ||
15 | include archiver-common.inc | ||
diff --git a/etc/profile-m-z/unxz.profile b/etc/profile-m-z/unxz.profile index d9c72407f..d86313028 100644 --- a/etc/profile-m-z/unxz.profile +++ b/etc/profile-m-z/unxz.profile | |||
@@ -2,6 +2,11 @@ | |||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | 2 | # Description: Library and command line tools for XZ and LZMA compressed files |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | # Persistent local customizations | ||
6 | include unxz.local | ||
7 | # Persistent global definitions | ||
8 | # added by included profile | ||
9 | #include globals.local | ||
5 | 10 | ||
6 | # Redirect | 11 | # Redirect |
7 | include cpio.profile | 12 | include cpio.profile |
diff --git a/etc/profile-m-z/unzip.profile b/etc/profile-m-z/unzip.profile index 8da9ea820..c94416b87 100644 --- a/etc/profile-m-z/unzip.profile +++ b/etc/profile-m-z/unzip.profile | |||
@@ -10,6 +10,7 @@ include globals.local | |||
10 | # GNOME Shell integration (chrome-gnome-shell) | 10 | # GNOME Shell integration (chrome-gnome-shell) |
11 | noblacklist ${HOME}/.local/share/gnome-shell | 11 | noblacklist ${HOME}/.local/share/gnome-shell |
12 | 12 | ||
13 | include archiver-common.inc | ||
14 | |||
15 | private-etc alternatives,group,localtime,passwd | 13 | private-etc alternatives,group,localtime,passwd |
14 | |||
15 | # Redirect | ||
16 | include archiver-common.inc | ||
diff --git a/etc/profile-m-z/unzstd.profile b/etc/profile-m-z/unzstd.profile index ce9af3286..0294aceff 100644 --- a/etc/profile-m-z/unzstd.profile +++ b/etc/profile-m-z/unzstd.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for zstd | 1 | # Firejail profile alias for zstd |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include unzstd.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include zstd.profile | 10 | include zstd.profile |
diff --git a/etc/profile-m-z/vmware-view.profile b/etc/profile-m-z/vmware-view.profile new file mode 100644 index 000000000..0117af376 --- /dev/null +++ b/etc/profile-m-z/vmware-view.profile | |||
@@ -0,0 +1,58 @@ | |||
1 | # Firejail profile for vmware-view | ||
2 | # Description: VMware Horizon Client | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include vmware-view.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.vmware | ||
10 | |||
11 | noblacklist /sbin | ||
12 | noblacklist /usr/sbin | ||
13 | |||
14 | include allow-bin-sh.inc | ||
15 | |||
16 | include disable-common.inc | ||
17 | include disable-devel.inc | ||
18 | include disable-exec.inc | ||
19 | include disable-interpreters.inc | ||
20 | include disable-passwdmgr.inc | ||
21 | include disable-programs.inc | ||
22 | include disable-shell.inc | ||
23 | include disable-xdg.inc | ||
24 | |||
25 | mkdir ${HOME}/.vmware | ||
26 | whitelist ${HOME}/.vmware | ||
27 | include whitelist-common.inc | ||
28 | include whitelist-runuser-common.inc | ||
29 | include whitelist-usr-share-common.inc | ||
30 | include whitelist-var-common.inc | ||
31 | |||
32 | caps.drop all | ||
33 | netfilter | ||
34 | nodvd | ||
35 | nogroups | ||
36 | nonewprivs | ||
37 | noroot | ||
38 | notv | ||
39 | nou2f | ||
40 | # Comment novideo (or add 'ignore novideo' to your vmware-view.local) if you need your webcam | ||
41 | novideo | ||
42 | # protocol produces a lot error messages but nothing seems to be broken | ||
43 | protocol unix,inet,inet6 | ||
44 | seccomp !iopl | ||
45 | seccomp.block-secondary | ||
46 | shell none | ||
47 | tracelog | ||
48 | |||
49 | disable-mnt | ||
50 | private-cache | ||
51 | private-dev | ||
52 | private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gai.conf,gconf,glvnd,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,magic,magic.mgc,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,proxychains.conf,pulse,resolv.conf,rpc,services,ssl,terminfo,vmware,vmware-tools,vmware-vix,X11,xdg | ||
53 | # Logs are "stored" in /tmp, comment (or add 'ignore private-tmp' to your vmware-view.local) | ||
54 | # if you need them without joining the sandbox. | ||
55 | private-tmp | ||
56 | |||
57 | dbus-user none | ||
58 | dbus-system none | ||
diff --git a/etc/profile-m-z/vmware.profile b/etc/profile-m-z/vmware.profile index 493c53936..d841d50b7 100644 --- a/etc/profile-m-z/vmware.profile +++ b/etc/profile-m-z/vmware.profile | |||
@@ -26,7 +26,7 @@ include whitelist-runuser-common.inc | |||
26 | include whitelist-usr-share-common.inc | 26 | include whitelist-usr-share-common.inc |
27 | include whitelist-var-common.inc | 27 | include whitelist-var-common.inc |
28 | 28 | ||
29 | caps.keep chown,net_raw,sys_nice,sys_rawio | 29 | caps.keep chown,net_raw,sys_nice |
30 | netfilter | 30 | netfilter |
31 | nogroups | 31 | nogroups |
32 | notv | 32 | notv |
@@ -34,6 +34,7 @@ shell none | |||
34 | tracelog | 34 | tracelog |
35 | 35 | ||
36 | #disable-mnt | 36 | #disable-mnt |
37 | #private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix | 37 | #private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-* |
38 | private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix | ||
38 | dbus-user none | 39 | dbus-user none |
39 | dbus-system none | 40 | dbus-system none |
diff --git a/etc/profile-m-z/vscodium.profile b/etc/profile-m-z/vscodium.profile index b4728fb72..a4a4fb7d8 100644 --- a/etc/profile-m-z/vscodium.profile +++ b/etc/profile-m-z/vscodium.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for Visual Studio Code | 1 | # Firejail profile alias for Visual Studio Code |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include vscodium.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist ${HOME}/.VSCodium | 9 | noblacklist ${HOME}/.VSCodium |
5 | 10 | ||
diff --git a/etc/profile-m-z/vulturesclaw.profile b/etc/profile-m-z/vulturesclaw.profile index 2e9078a7b..fa6ddf1fb 100644 --- a/etc/profile-m-z/vulturesclaw.profile +++ b/etc/profile-m-z/vulturesclaw.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for nethack-vultures | 1 | # Firejail profile alias for nethack-vultures |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include vulturesclaw.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist /var/games/vulturesclaw | 9 | noblacklist /var/games/vulturesclaw |
5 | whitelist /var/games/vulturesclaw | 10 | whitelist /var/games/vulturesclaw |
diff --git a/etc/profile-m-z/vultureseye.profile b/etc/profile-m-z/vultureseye.profile index 44c263cfc..49d3fa94f 100644 --- a/etc/profile-m-z/vultureseye.profile +++ b/etc/profile-m-z/vultureseye.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for nethack-vultures | 1 | # Firejail profile alias for nethack-vultures |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include vultureseye.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | noblacklist /var/games/vultureseye | 9 | noblacklist /var/games/vultureseye |
5 | whitelist /var/games/vultureseye | 10 | whitelist /var/games/vultureseye |
diff --git a/etc/profile-m-z/warzone2100.profile b/etc/profile-m-z/warzone2100.profile index 369c9cc1d..06a7c3412 100644 --- a/etc/profile-m-z/warzone2100.profile +++ b/etc/profile-m-z/warzone2100.profile | |||
@@ -16,8 +16,8 @@ include disable-passwdmgr.inc | |||
16 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | include disable-shell.inc | 17 | include disable-shell.inc |
18 | 18 | ||
19 | # mkdir ${HOME}/.warzone2100-3.1 | 19 | mkdir ${HOME}/.warzone2100-3.1 |
20 | # mkdir ${HOME}/.warzone2100-3.2 | 20 | mkdir ${HOME}/.warzone2100-3.2 |
21 | whitelist ${HOME}/.warzone2100-3.1 | 21 | whitelist ${HOME}/.warzone2100-3.1 |
22 | whitelist ${HOME}/.warzone2100-3.2 | 22 | whitelist ${HOME}/.warzone2100-3.2 |
23 | whitelist /usr/share/games | 23 | whitelist /usr/share/games |
diff --git a/etc/profile-m-z/webstorm.profile b/etc/profile-m-z/webstorm.profile index fc4e8e571..a4adf2896 100644 --- a/etc/profile-m-z/webstorm.profile +++ b/etc/profile-m-z/webstorm.profile | |||
@@ -8,12 +8,14 @@ include globals.local | |||
8 | noblacklist ${HOME}/.WebStorm* | 8 | noblacklist ${HOME}/.WebStorm* |
9 | noblacklist ${HOME}/.android | 9 | noblacklist ${HOME}/.android |
10 | noblacklist ${HOME}/.local/share/JetBrains | 10 | noblacklist ${HOME}/.local/share/JetBrains |
11 | noblacklist ${HOME}/.ssh | ||
12 | noblacklist ${HOME}/.tooling | 11 | noblacklist ${HOME}/.tooling |
13 | 12 | ||
14 | # Allows files commonly used by IDEs | 13 | # Allows files commonly used by IDEs |
15 | include allow-common-devel.inc | 14 | include allow-common-devel.inc |
16 | 15 | ||
16 | # Allow ssh (blacklisted by disable-common.inc) | ||
17 | include allow-ssh.inc | ||
18 | |||
17 | noblacklist ${PATH}/node | 19 | noblacklist ${PATH}/node |
18 | noblacklist ${HOME}/.nvm | 20 | noblacklist ${HOME}/.nvm |
19 | 21 | ||
diff --git a/etc/profile-m-z/weechat-curses.profile b/etc/profile-m-z/weechat-curses.profile index 4719b9788..92c968fb6 100644 --- a/etc/profile-m-z/weechat-curses.profile +++ b/etc/profile-m-z/weechat-curses.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for weechat | 1 | # Firejail profile alias for weechat |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include weechat-curses.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include weechat.profile | 10 | include weechat.profile |
diff --git a/etc/profile-m-z/wireshark-gtk.profile b/etc/profile-m-z/wireshark-gtk.profile index 3e2e1807e..4d54e986e 100644 --- a/etc/profile-m-z/wireshark-gtk.profile +++ b/etc/profile-m-z/wireshark-gtk.profile | |||
@@ -1,6 +1,11 @@ | |||
1 | # Firejail profile alias for wireshark | 1 | # Firejail profile alias for wireshark |
2 | # Description: Network protocol analyzer | 2 | # Description: Network protocol analyzer |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | ||
5 | include wireshark-gtk.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
4 | 9 | ||
5 | # Redirect | 10 | # Redirect |
6 | include wireshark.profile | 11 | include wireshark.profile |
diff --git a/etc/profile-m-z/wireshark-qt.profile b/etc/profile-m-z/wireshark-qt.profile index 3e2e1807e..4e0694f95 100644 --- a/etc/profile-m-z/wireshark-qt.profile +++ b/etc/profile-m-z/wireshark-qt.profile | |||
@@ -1,6 +1,11 @@ | |||
1 | # Firejail profile alias for wireshark | 1 | # Firejail profile alias for wireshark |
2 | # Description: Network protocol analyzer | 2 | # Description: Network protocol analyzer |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | ||
5 | include wireshark-qt.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
4 | 9 | ||
5 | # Redirect | 10 | # Redirect |
6 | include wireshark.profile | 11 | include wireshark.profile |
diff --git a/etc/profile-m-z/x2goclient.profile b/etc/profile-m-z/x2goclient.profile index bc9603835..6146016b2 100644 --- a/etc/profile-m-z/x2goclient.profile +++ b/etc/profile-m-z/x2goclient.profile | |||
@@ -6,10 +6,12 @@ include x2goclient.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.ssh | ||
10 | noblacklist ${HOME}/.x2go | 9 | noblacklist ${HOME}/.x2go |
11 | noblacklist ${HOME}/.x2goclient | 10 | noblacklist ${HOME}/.x2goclient |
12 | 11 | ||
12 | # Allow ssh (blacklisted by disable-common.inc) | ||
13 | include allow-ssh.inc | ||
14 | |||
13 | include disable-common.inc | 15 | include disable-common.inc |
14 | include disable-devel.inc | 16 | include disable-devel.inc |
15 | include disable-exec.inc | 17 | include disable-exec.inc |
diff --git a/etc/profile-m-z/xonotic-glx.profile b/etc/profile-m-z/xonotic-glx.profile index abb91e1ec..f1766fcf4 100644 --- a/etc/profile-m-z/xonotic-glx.profile +++ b/etc/profile-m-z/xonotic-glx.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for xonotic | 1 | # Firejail profile alias for xonotic |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include xonotic-glx.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include xonotic.profile | 10 | include xonotic.profile |
diff --git a/etc/profile-m-z/xonotic-sdl.profile b/etc/profile-m-z/xonotic-sdl.profile index abb91e1ec..4b680edb1 100644 --- a/etc/profile-m-z/xonotic-sdl.profile +++ b/etc/profile-m-z/xonotic-sdl.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for xonotic | 1 | # Firejail profile alias for xonotic |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include xonotic-sdl.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include xonotic.profile | 10 | include xonotic.profile |
diff --git a/etc/profile-m-z/xz.profile b/etc/profile-m-z/xz.profile index d9c72407f..7d6be2f49 100644 --- a/etc/profile-m-z/xz.profile +++ b/etc/profile-m-z/xz.profile | |||
@@ -2,6 +2,11 @@ | |||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | 2 | # Description: Library and command line tools for XZ and LZMA compressed files |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | # Persistent local customizations | ||
6 | include xz.local | ||
7 | # Persistent global definitions | ||
8 | # added by included profile | ||
9 | #include globals.local | ||
5 | 10 | ||
6 | # Redirect | 11 | # Redirect |
7 | include cpio.profile | 12 | include cpio.profile |
diff --git a/etc/profile-m-z/xzcat.profile b/etc/profile-m-z/xzcat.profile index d9c72407f..8ba77eece 100644 --- a/etc/profile-m-z/xzcat.profile +++ b/etc/profile-m-z/xzcat.profile | |||
@@ -2,6 +2,11 @@ | |||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | 2 | # Description: Library and command line tools for XZ and LZMA compressed files |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | # Persistent local customizations | ||
6 | include xzcat.local | ||
7 | # Persistent global definitions | ||
8 | # added by included profile | ||
9 | #include globals.local | ||
5 | 10 | ||
6 | # Redirect | 11 | # Redirect |
7 | include cpio.profile | 12 | include cpio.profile |
diff --git a/etc/profile-m-z/xzcmp.profile b/etc/profile-m-z/xzcmp.profile index d9c72407f..9626048ba 100644 --- a/etc/profile-m-z/xzcmp.profile +++ b/etc/profile-m-z/xzcmp.profile | |||
@@ -2,6 +2,11 @@ | |||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | 2 | # Description: Library and command line tools for XZ and LZMA compressed files |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | # Persistent local customizations | ||
6 | include xzcmp.local | ||
7 | # Persistent global definitions | ||
8 | # added by included profile | ||
9 | #include globals.local | ||
5 | 10 | ||
6 | # Redirect | 11 | # Redirect |
7 | include cpio.profile | 12 | include cpio.profile |
diff --git a/etc/profile-m-z/xzdec.profile b/etc/profile-m-z/xzdec.profile index 082392a08..c5e8d1631 100644 --- a/etc/profile-m-z/xzdec.profile +++ b/etc/profile-m-z/xzdec.profile | |||
@@ -7,4 +7,5 @@ include xzdec.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | # Redirect | ||
10 | include archiver-common.inc | 11 | include archiver-common.inc |
diff --git a/etc/profile-m-z/xzdiff.profile b/etc/profile-m-z/xzdiff.profile index d9c72407f..825fa9180 100644 --- a/etc/profile-m-z/xzdiff.profile +++ b/etc/profile-m-z/xzdiff.profile | |||
@@ -2,6 +2,11 @@ | |||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | 2 | # Description: Library and command line tools for XZ and LZMA compressed files |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | # Persistent local customizations | ||
6 | include xzdiff.local | ||
7 | # Persistent global definitions | ||
8 | # added by included profile | ||
9 | #include globals.local | ||
5 | 10 | ||
6 | # Redirect | 11 | # Redirect |
7 | include cpio.profile | 12 | include cpio.profile |
diff --git a/etc/profile-m-z/xzegrep.profile b/etc/profile-m-z/xzegrep.profile index d9c72407f..8d50a3bc6 100644 --- a/etc/profile-m-z/xzegrep.profile +++ b/etc/profile-m-z/xzegrep.profile | |||
@@ -2,6 +2,11 @@ | |||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | 2 | # Description: Library and command line tools for XZ and LZMA compressed files |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | # Persistent local customizations | ||
6 | include xzegrep.local | ||
7 | # Persistent global definitions | ||
8 | # added by included profile | ||
9 | #include globals.local | ||
5 | 10 | ||
6 | # Redirect | 11 | # Redirect |
7 | include cpio.profile | 12 | include cpio.profile |
diff --git a/etc/profile-m-z/xzfgrep.profile b/etc/profile-m-z/xzfgrep.profile index d9c72407f..a8aac86b7 100644 --- a/etc/profile-m-z/xzfgrep.profile +++ b/etc/profile-m-z/xzfgrep.profile | |||
@@ -2,6 +2,11 @@ | |||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | 2 | # Description: Library and command line tools for XZ and LZMA compressed files |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | # Persistent local customizations | ||
6 | include xzfgrep.local | ||
7 | # Persistent global definitions | ||
8 | # added by included profile | ||
9 | #include globals.local | ||
5 | 10 | ||
6 | # Redirect | 11 | # Redirect |
7 | include cpio.profile | 12 | include cpio.profile |
diff --git a/etc/profile-m-z/xzgrep.profile b/etc/profile-m-z/xzgrep.profile index f7410b928..ac4cc81c4 100644 --- a/etc/profile-m-z/xzgrep.profile +++ b/etc/profile-m-z/xzgrep.profile | |||
@@ -1,6 +1,11 @@ | |||
1 | # Firejail profile alias for cpio | 1 | # Firejail profile alias for cpio |
2 | # Description: Library and command line tools for XZ and LZMA compressed files | 2 | # Description: Library and command line tools for XZ and LZMA compressed files |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | ||
5 | include xzgrep.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
4 | 9 | ||
5 | # Redirect | 10 | # Redirect |
6 | include cpio.profile | 11 | include cpio.profile |
diff --git a/etc/profile-m-z/xzless.profile b/etc/profile-m-z/xzless.profile index f7410b928..f17c5e1f6 100644 --- a/etc/profile-m-z/xzless.profile +++ b/etc/profile-m-z/xzless.profile | |||
@@ -1,6 +1,11 @@ | |||
1 | # Firejail profile alias for cpio | 1 | # Firejail profile alias for cpio |
2 | # Description: Library and command line tools for XZ and LZMA compressed files | 2 | # Description: Library and command line tools for XZ and LZMA compressed files |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | ||
5 | include xzless.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
4 | 9 | ||
5 | # Redirect | 10 | # Redirect |
6 | include cpio.profile | 11 | include cpio.profile |
diff --git a/etc/profile-m-z/xzmore.profile b/etc/profile-m-z/xzmore.profile index d9c72407f..ef4106f66 100644 --- a/etc/profile-m-z/xzmore.profile +++ b/etc/profile-m-z/xzmore.profile | |||
@@ -2,6 +2,11 @@ | |||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | 2 | # Description: Library and command line tools for XZ and LZMA compressed files |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | # Persistent local customizations | ||
6 | include xzmore.local | ||
7 | # Persistent global definitions | ||
8 | # added by included profile | ||
9 | #include globals.local | ||
5 | 10 | ||
6 | # Redirect | 11 | # Redirect |
7 | include cpio.profile | 12 | include cpio.profile |
diff --git a/etc/profile-m-z/yarn.profile b/etc/profile-m-z/yarn.profile new file mode 100644 index 000000000..f20225050 --- /dev/null +++ b/etc/profile-m-z/yarn.profile | |||
@@ -0,0 +1,29 @@ | |||
1 | # Firejail profile for yarn | ||
2 | # Description: Fast, reliable, and secure dependency management | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include yarn.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | ignore read-only ${HOME}/.yarnrc | ||
10 | |||
11 | noblacklist ${HOME}/.yarn | ||
12 | noblacklist ${HOME}/.yarn-config | ||
13 | noblacklist ${HOME}/.yarncache | ||
14 | noblacklist ${HOME}/.yarnrc | ||
15 | |||
16 | # If you want whitelisting, change ${HOME}/Projects below to your yarn projects directory and uncomment the lines below. | ||
17 | #mkdir ${HOME}/.yarn | ||
18 | #mkdir ${HOME}/.yarn-config | ||
19 | #mkdir ${HOME}/.yarncache | ||
20 | #mkfile ${HOME}/.yarnrc | ||
21 | #whitelist ${HOME}/.yarn | ||
22 | #whitelist ${HOME}/.yarn-config | ||
23 | #whitelist ${HOME}/.yarncache | ||
24 | #whitelist ${HOME}/.yarnrc | ||
25 | #whitelist ${HOME}/Projects | ||
26 | #include whitelist-common.inc | ||
27 | |||
28 | # Redirect | ||
29 | include nodejs-common.profile | ||
diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile index a3a2afa29..e8fe4a360 100644 --- a/etc/profile-m-z/youtube-viewer.profile +++ b/etc/profile-m-z/youtube-viewer.profile | |||
@@ -9,7 +9,10 @@ include globals.local | |||
9 | 9 | ||
10 | noblacklist ${HOME}/.config/youtube-viewer | 10 | noblacklist ${HOME}/.config/youtube-viewer |
11 | 11 | ||
12 | # Allow perl (blacklisted by disable-interpreters.inc) | ||
12 | include allow-perl.inc | 13 | include allow-perl.inc |
14 | |||
15 | # Allow python (blacklisted by disable-interpreters.inc) | ||
13 | include allow-python2.inc | 16 | include allow-python2.inc |
14 | include allow-python3.inc | 17 | include allow-python3.inc |
15 | 18 | ||
diff --git a/etc/profile-m-z/zstd.profile b/etc/profile-m-z/zstd.profile index 42749ba6d..07a75f97f 100644 --- a/etc/profile-m-z/zstd.profile +++ b/etc/profile-m-z/zstd.profile | |||
@@ -7,4 +7,5 @@ include zstd.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | # Redirect | ||
10 | include archiver-common.inc | 11 | include archiver-common.inc |
diff --git a/etc/profile-m-z/zstdcat.profile b/etc/profile-m-z/zstdcat.profile index ce9af3286..df4c493fd 100644 --- a/etc/profile-m-z/zstdcat.profile +++ b/etc/profile-m-z/zstdcat.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for zstd | 1 | # Firejail profile alias for zstd |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include zstdcat.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include zstd.profile | 10 | include zstd.profile |
diff --git a/etc/profile-m-z/zstdgrep.profile b/etc/profile-m-z/zstdgrep.profile index ce9af3286..8a2683119 100644 --- a/etc/profile-m-z/zstdgrep.profile +++ b/etc/profile-m-z/zstdgrep.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for zstd | 1 | # Firejail profile alias for zstd |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include zstdgrep.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include zstd.profile | 10 | include zstd.profile |
diff --git a/etc/profile-m-z/zstdless.profile b/etc/profile-m-z/zstdless.profile index ce9af3286..e5821e4c5 100644 --- a/etc/profile-m-z/zstdless.profile +++ b/etc/profile-m-z/zstdless.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for zstd | 1 | # Firejail profile alias for zstd |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include zstdless.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include zstd.profile | 10 | include zstd.profile |
diff --git a/etc/profile-m-z/zstdmt.profile b/etc/profile-m-z/zstdmt.profile index ce9af3286..0a43fd556 100644 --- a/etc/profile-m-z/zstdmt.profile +++ b/etc/profile-m-z/zstdmt.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile alias for zstd | 1 | # Firejail profile alias for zstd |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include zstdmt.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | # Redirect | 9 | # Redirect |
5 | include zstd.profile | 10 | include zstd.profile |
diff --git a/etc/templates/profile.template b/etc/templates/profile.template index 3d37fc827..9e9fc3fe9 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template | |||
@@ -103,6 +103,9 @@ include globals.local | |||
103 | # Allows files commonly used by IDEs | 103 | # Allows files commonly used by IDEs |
104 | #include allow-common-devel.inc | 104 | #include allow-common-devel.inc |
105 | 105 | ||
106 | # Allow ssh (blacklisted by disable-common.inc) | ||
107 | #include allow-ssh.inc | ||
108 | |||
106 | #include disable-common.inc | 109 | #include disable-common.inc |
107 | #include disable-devel.inc | 110 | #include disable-devel.inc |
108 | #include disable-exec.inc | 111 | #include disable-exec.inc |
@@ -158,6 +161,7 @@ include globals.local | |||
158 | ##seccomp !chroot | 161 | ##seccomp !chroot |
159 | ##seccomp.drop SYSCALLS (see syscalls.txt) | 162 | ##seccomp.drop SYSCALLS (see syscalls.txt) |
160 | #seccomp.block-secondary | 163 | #seccomp.block-secondary |
164 | ##seccomp-error-action log (Only for debugging seccomp issues) | ||
161 | #shell none | 165 | #shell none |
162 | #tracelog | 166 | #tracelog |
163 | # Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set | 167 | # Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set |
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt index c454887dd..0775f60ff 100644 --- a/etc/templates/syscalls.txt +++ b/etc/templates/syscalls.txt | |||
@@ -35,8 +35,8 @@ Definition of groups | |||
35 | @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext | 35 | @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext |
36 | @default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup | 36 | @default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup |
37 | @default-nodebuggers=@default,ptrace,personality,process_vm_readv | 37 | @default-nodebuggers=@default,ptrace,personality,process_vm_readv |
38 | @default-keep=execve,prctl | 38 | @default-keep=execveat,execve,prctl |
39 | @file-system=access,chdir,chmod,close,creat,faccessat,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes | 39 | @file-system=access,chdir,chmod,close,creat,faccessat,faccessat2,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes |
40 | @io-event=_newselect,epoll_create,epoll_create1,epoll_ctl,epoll_ctl_old,epoll_pwait,epoll_wait,epoll_wait_old,eventfd,eventfd2,poll,ppoll,pselect6,select | 40 | @io-event=_newselect,epoll_create,epoll_create1,epoll_ctl,epoll_ctl_old,epoll_pwait,epoll_wait,epoll_wait_old,eventfd,eventfd2,poll,ppoll,pselect6,select |
41 | @ipc=ipc,memfd_create,mq_getsetattr,mq_notify,mq_open,mq_timedreceive,mq_timedsend,mq_unlink,msgctl,msgget,msgrcv,msgsnd,pipe,pipe2,process_vm_readv,process_vm_writev,semctl,semget,semop,semtimedop,shmat,shmctl,shmdt,shmget | 41 | @ipc=ipc,memfd_create,mq_getsetattr,mq_notify,mq_open,mq_timedreceive,mq_timedsend,mq_unlink,msgctl,msgget,msgrcv,msgsnd,pipe,pipe2,process_vm_readv,process_vm_writev,semctl,semget,semop,semtimedop,shmat,shmctl,shmdt,shmget |
42 | @keyring=add_key,keyctl,request_key | 42 | @keyring=add_key,keyctl,request_key |
@@ -3,7 +3,7 @@ | |||
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2020 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | echo "Calculationg SHA256 for all files in /transfer - firejail version $1" | 6 | echo "Calculating SHA256 for all files in /transfer - firejail version $1" |
7 | 7 | ||
8 | cd /transfer | 8 | cd /transfer |
9 | sha256sum * > firejail-$1-unsigned | 9 | sha256sum * > firejail-$1-unsigned |
diff --git a/mkdeb.sh.in b/mkdeb.sh.in index a19dee620..5b68175fd 100755 --- a/mkdeb.sh.in +++ b/mkdeb.sh.in | |||
@@ -64,7 +64,7 @@ chmod 644 $DEBIAN_CTRL_DIR/conffiles | |||
64 | find $INSTALL_DIR -type d | xargs chmod 755 | 64 | find $INSTALL_DIR -type d | xargs chmod 755 |
65 | cd $CODE_DIR | 65 | cd $CODE_DIR |
66 | fakeroot dpkg-deb --build debian | 66 | fakeroot dpkg-deb --build debian |
67 | lintian debian.deb | 67 | lintian --no-tag-display-limit debian.deb |
68 | mv debian.deb ../firejail_${VERSION}${EXTRA_VERSION}_1_$(dpkg-architecture -qDEB_HOST_ARCH).deb | 68 | mv debian.deb ../firejail_${VERSION}${EXTRA_VERSION}_1_$(dpkg-architecture -qDEB_HOST_ARCH).deb |
69 | cd .. | 69 | cd .. |
70 | rm -fr $CODE_DIR | 70 | rm -fr $CODE_DIR |
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c index 1b8231033..0bc4a0ee2 100644 --- a/src/fbuilder/build_fs.c +++ b/src/fbuilder/build_fs.c | |||
@@ -217,6 +217,10 @@ void build_share(const char *fname, FILE *fp) { | |||
217 | //******************************************* | 217 | //******************************************* |
218 | static FileDB *tmp_out = NULL; | 218 | static FileDB *tmp_out = NULL; |
219 | static void tmp_callback(char *ptr) { | 219 | static void tmp_callback(char *ptr) { |
220 | // skip strace file | ||
221 | if (strncmp(ptr, "/tmp/firejail-strace", 20) == 0) | ||
222 | return; | ||
223 | |||
220 | tmp_out = filedb_add(tmp_out, ptr); | 224 | tmp_out = filedb_add(tmp_out, ptr); |
221 | } | 225 | } |
222 | 226 | ||
diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c index fca3396c4..c0f4a3407 100644 --- a/src/fbuilder/build_home.c +++ b/src/fbuilder/build_home.c | |||
@@ -24,7 +24,7 @@ static FileDB *db_skip = NULL; | |||
24 | static FileDB *db_out = NULL; | 24 | static FileDB *db_out = NULL; |
25 | 25 | ||
26 | static void load_whitelist_common(void) { | 26 | static void load_whitelist_common(void) { |
27 | FILE *fp = fopen("/etc/firejail/whitelist-common.inc", "r"); | 27 | FILE *fp = fopen(SYSCONFDIR "/whitelist-common.inc", "r"); |
28 | if (!fp) { | 28 | if (!fp) { |
29 | fprintf(stderr, "Error: cannot open whitelist-common.inc\n"); | 29 | fprintf(stderr, "Error: cannot open whitelist-common.inc\n"); |
30 | exit(1); | 30 | exit(1); |
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c index adc00e67b..09f41a838 100644 --- a/src/fbuilder/build_profile.c +++ b/src/fbuilder/build_profile.c | |||
@@ -80,10 +80,19 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
80 | stroutput, | 80 | stroutput, |
81 | }; | 81 | }; |
82 | 82 | ||
83 | // detect strace | 83 | // detect strace and check if Yama LSM allows us to use it |
84 | int have_strace = 0; | 84 | int have_strace = 0; |
85 | if (access("/usr/bin/strace", X_OK) == 0) | 85 | int have_yama_permission = 1; |
86 | if (access("/usr/bin/strace", X_OK) == 0) { | ||
86 | have_strace = 1; | 87 | have_strace = 1; |
88 | FILE *ps = fopen("/proc/sys/kernel/yama/ptrace_scope", "r"); | ||
89 | if (ps) { | ||
90 | unsigned val; | ||
91 | if (fscanf(ps, "%u", &val) == 1) | ||
92 | have_yama_permission = (val < 2); | ||
93 | fclose(ps); | ||
94 | } | ||
95 | } | ||
87 | 96 | ||
88 | // calculate command length | 97 | // calculate command length |
89 | unsigned len = (int) sizeof(cmdlist) / sizeof(char*) + argc - index + 1; | 98 | unsigned len = (int) sizeof(cmdlist) / sizeof(char*) + argc - index + 1; |
@@ -93,10 +102,11 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
93 | cmd[0] = cmdlist[0]; // explicit assignment to clean scan-build error | 102 | cmd[0] = cmdlist[0]; // explicit assignment to clean scan-build error |
94 | 103 | ||
95 | // build command | 104 | // build command |
105 | // skip strace if not installed, or no permission to use it | ||
106 | int skip_strace = !(have_strace && have_yama_permission); | ||
96 | unsigned i = 0; | 107 | unsigned i = 0; |
97 | for (i = 0; i < (int) sizeof(cmdlist) / sizeof(char*); i++) { | 108 | for (i = 0; i < (int) sizeof(cmdlist) / sizeof(char*); i++) { |
98 | // skip strace if not installed | 109 | if (skip_strace && strcmp(cmdlist[i], "/usr/bin/strace") == 0) |
99 | if (have_strace == 0 && strcmp(cmdlist[i], "/usr/bin/strace") == 0) | ||
100 | break; | 110 | break; |
101 | cmd[i] = cmdlist[i]; | 111 | cmd[i] = cmdlist[i]; |
102 | } | 112 | } |
@@ -172,12 +182,14 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
172 | fprintf(fp, "caps.drop all\n"); | 182 | fprintf(fp, "caps.drop all\n"); |
173 | fprintf(fp, "nonewprivs\n"); | 183 | fprintf(fp, "nonewprivs\n"); |
174 | fprintf(fp, "seccomp\n"); | 184 | fprintf(fp, "seccomp\n"); |
175 | if (have_strace) | 185 | if (!have_strace) { |
176 | build_seccomp(strace_output, fp); | ||
177 | else { | ||
178 | fprintf(fp, "# If you install strace on your system, Firejail will also create a\n"); | 186 | fprintf(fp, "# If you install strace on your system, Firejail will also create a\n"); |
179 | fprintf(fp, "# whitelisted seccomp filter.\n"); | 187 | fprintf(fp, "# whitelisted seccomp filter.\n"); |
180 | } | 188 | } |
189 | else if (!have_yama_permission) | ||
190 | fprintf(fp, "# Yama security module prevents creation of a whitelisted seccomp filter\n"); | ||
191 | else | ||
192 | build_seccomp(strace_output, fp); | ||
181 | fprintf(fp, "\n"); | 193 | fprintf(fp, "\n"); |
182 | 194 | ||
183 | fprintf(fp, "### network\n"); | 195 | fprintf(fp, "### network\n"); |
diff --git a/src/fcopy/Makefile.in b/src/fcopy/Makefile.in index 64e277e2d..85f84aa32 100644 --- a/src/fcopy/Makefile.in +++ b/src/fcopy/Makefile.in | |||
@@ -5,8 +5,8 @@ include ../common.mk | |||
5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h | 5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h |
6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | 6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ |
7 | 7 | ||
8 | fcopy: $(OBJS) | 8 | fcopy: $(OBJS) ../lib/common.o |
9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) | 9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) |
10 | 10 | ||
11 | clean:; rm -fr *.o fcopy *.gcov *.gcda *.gcno *.plist | 11 | clean:; rm -fr *.o fcopy *.gcov *.gcda *.gcno *.plist |
12 | 12 | ||
diff --git a/src/fcopy/main.c b/src/fcopy/main.c index 67237b4ea..e65501d6d 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c | |||
@@ -23,7 +23,6 @@ | |||
23 | #include <ftw.h> | 23 | #include <ftw.h> |
24 | #include <errno.h> | 24 | #include <errno.h> |
25 | #include <pwd.h> | 25 | #include <pwd.h> |
26 | #include <sys/prctl.h> | ||
27 | 26 | ||
28 | #if HAVE_SELINUX | 27 | #if HAVE_SELINUX |
29 | #include <sys/stat.h> | 28 | #include <sys/stat.h> |
@@ -112,7 +111,7 @@ static void copy_file(const char *srcname, const char *destname, mode_t mode, ui | |||
112 | } | 111 | } |
113 | 112 | ||
114 | // open destination | 113 | // open destination |
115 | int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, 0755); | 114 | int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR); |
116 | if (dst < 0) { | 115 | if (dst < 0) { |
117 | if (!arg_quiet) | 116 | if (!arg_quiet) |
118 | fprintf(stderr, "Warning fcopy: cannot open %s, file not copied\n", destname); | 117 | fprintf(stderr, "Warning fcopy: cannot open %s, file not copied\n", destname); |
@@ -133,7 +132,8 @@ static void copy_file(const char *srcname, const char *destname, mode_t mode, ui | |||
133 | done += rv; | 132 | done += rv; |
134 | } | 133 | } |
135 | } | 134 | } |
136 | fflush(0); | 135 | if (len < 0) |
136 | goto errexit; | ||
137 | 137 | ||
138 | if (fchown(dst, uid, gid) == -1) | 138 | if (fchown(dst, uid, gid) == -1) |
139 | goto errexit; | 139 | goto errexit; |
@@ -180,7 +180,7 @@ void copy_link(const char *target, const char *linkpath, mode_t mode, uid_t uid, | |||
180 | 180 | ||
181 | // if the link is already there, don't create it | 181 | // if the link is already there, don't create it |
182 | struct stat s; | 182 | struct stat s; |
183 | if (stat(linkpath, &s) == 0) | 183 | if (lstat(linkpath, &s) == 0) |
184 | return; | 184 | return; |
185 | 185 | ||
186 | char *rp = realpath(target, NULL); | 186 | char *rp = realpath(target, NULL); |
@@ -412,30 +412,21 @@ int main(int argc, char **argv) { | |||
412 | exit(1); | 412 | exit(1); |
413 | } | 413 | } |
414 | 414 | ||
415 | #ifdef WARN_DUMPABLE | 415 | warn_dumpable(); |
416 | if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid()) | ||
417 | fprintf(stderr, "Error fcopy: I am dumpable\n"); | ||
418 | #endif | ||
419 | |||
420 | // trim trailing chars | ||
421 | if (src[strlen(src) - 1] == '/') | ||
422 | src[strlen(src) - 1] = '\0'; | ||
423 | if (dest[strlen(dest) - 1] == '/') | ||
424 | dest[strlen(dest) - 1] = '\0'; | ||
425 | 416 | ||
426 | // check the two files; remove ending / | 417 | // check the two files; remove ending / |
427 | int len = strlen(src); | 418 | size_t len = strlen(src); |
428 | if (src[len - 1] == '/') | 419 | while (len > 1 && src[len - 1] == '/') |
429 | src[len - 1] = '\0'; | 420 | src[--len] = '\0'; |
430 | if (strcspn(src, "\\*&!?\"'<>%^(){}[];,") != (size_t)len) { | 421 | if (strcspn(src, "\\*&!?\"'<>%^(){}[];,") != len) { |
431 | fprintf(stderr, "Error fcopy: invalid source file name %s\n", src); | 422 | fprintf(stderr, "Error fcopy: invalid source file name %s\n", src); |
432 | exit(1); | 423 | exit(1); |
433 | } | 424 | } |
434 | 425 | ||
435 | len = strlen(dest); | 426 | len = strlen(dest); |
436 | if (dest[len - 1] == '/') | 427 | while (len > 1 && dest[len - 1] == '/') |
437 | dest[len - 1] = '\0'; | 428 | dest[--len] = '\0'; |
438 | if (strcspn(dest, "\\*&!?\"'<>%^(){}[];,~") != (size_t)len) { | 429 | if (strcspn(dest, "\\*&!?\"'<>%^(){}[];,~") != len) { |
439 | fprintf(stderr, "Error fcopy: invalid dest file name %s\n", dest); | 430 | fprintf(stderr, "Error fcopy: invalid dest file name %s\n", dest); |
440 | exit(1); | 431 | exit(1); |
441 | } | 432 | } |
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 23b1e364a..d056d0654 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -69,6 +69,7 @@ autokey-gtk | |||
69 | autokey-qt | 69 | autokey-qt |
70 | autokey-run | 70 | autokey-run |
71 | autokey-shell | 71 | autokey-shell |
72 | avidemux3_qt5 | ||
72 | aweather | 73 | aweather |
73 | baloo_file | 74 | baloo_file |
74 | baloo_filemetadata_temp_extractor | 75 | baloo_filemetadata_temp_extractor |
@@ -106,6 +107,7 @@ calligra | |||
106 | calligraauthor | 107 | calligraauthor |
107 | calligraconverter | 108 | calligraconverter |
108 | calligraflow | 109 | calligraflow |
110 | calligragemini | ||
109 | calligraplan | 111 | calligraplan |
110 | calligraplanwork | 112 | calligraplanwork |
111 | calligrasheets | 113 | calligrasheets |
@@ -149,6 +151,7 @@ conkeror | |||
149 | conky | 151 | conky |
150 | conplay | 152 | conplay |
151 | corebird | 153 | corebird |
154 | coyim | ||
152 | crawl | 155 | crawl |
153 | crawl-tiles | 156 | crawl-tiles |
154 | crow | 157 | crow |
@@ -172,6 +175,7 @@ dino-im | |||
172 | discord | 175 | discord |
173 | discord-canary | 176 | discord-canary |
174 | display | 177 | display |
178 | display-im6.q16 | ||
175 | dnox | 179 | dnox |
176 | dnscrypt-proxy | 180 | dnscrypt-proxy |
177 | dnsmasq | 181 | dnsmasq |
@@ -390,6 +394,7 @@ kazam | |||
390 | kcalc | 394 | kcalc |
391 | # kdeinit4 | 395 | # kdeinit4 |
392 | kdenlive | 396 | kdenlive |
397 | kdiff3 | ||
393 | keepass | 398 | keepass |
394 | keepass2 | 399 | keepass2 |
395 | keepassx | 400 | keepassx |
@@ -455,6 +460,7 @@ macrofusion | |||
455 | magicor | 460 | magicor |
456 | # man | 461 | # man |
457 | manaplus | 462 | manaplus |
463 | marker | ||
458 | masterpdfeditor | 464 | masterpdfeditor |
459 | masterpdfeditor4 | 465 | masterpdfeditor4 |
460 | masterpdfeditor5 | 466 | masterpdfeditor5 |
@@ -532,6 +538,7 @@ mypaint | |||
532 | mypaint-ora-thumbnailer | 538 | mypaint-ora-thumbnailer |
533 | natron | 539 | natron |
534 | ncdu | 540 | ncdu |
541 | neomutt | ||
535 | netactview | 542 | netactview |
536 | nethack | 543 | nethack |
537 | netsurf | 544 | netsurf |
@@ -621,6 +628,7 @@ qemu-launcher | |||
621 | qgis | 628 | qgis |
622 | qlipper | 629 | qlipper |
623 | qmmp | 630 | qmmp |
631 | qnapi | ||
624 | qpdfview | 632 | qpdfview |
625 | qt-faststart | 633 | qt-faststart |
626 | qtox | 634 | qtox |
@@ -662,6 +670,7 @@ secret-tool | |||
662 | shellcheck | 670 | shellcheck |
663 | shortwave | 671 | shortwave |
664 | shotcut | 672 | shotcut |
673 | shotwell | ||
665 | signal-cli | 674 | signal-cli |
666 | signal-desktop | 675 | signal-desktop |
667 | silentarmy | 676 | silentarmy |
@@ -771,6 +780,7 @@ tremulous | |||
771 | trojita | 780 | trojita |
772 | truecraft | 781 | truecraft |
773 | tshark | 782 | tshark |
783 | tutanota-desktop | ||
774 | tuxguitar | 784 | tuxguitar |
775 | tvbrowser | 785 | tvbrowser |
776 | twitch | 786 | twitch |
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index 6190b6f01..dd94b9921 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c | |||
@@ -131,14 +131,16 @@ void appimage_set(const char *appimage) { | |||
131 | errExit("Failed to obtain absolute path"); | 131 | errExit("Failed to obtain absolute path"); |
132 | 132 | ||
133 | // set environment | 133 | // set environment |
134 | if (setenv("APPIMAGE", abspath, 1) < 0) | 134 | env_store_name_val("APPIMAGE", abspath, SETENV); |
135 | errExit("setenv"); | 135 | |
136 | if (mntdir && setenv("APPDIR", mntdir, 1) < 0) | 136 | if (mntdir) |
137 | errExit("setenv"); | 137 | env_store_name_val("APPDIR", mntdir, SETENV); |
138 | if (size != 0 && setenv("ARGV0", appimage, 1) < 0) | 138 | |
139 | errExit("setenv"); | 139 | if (size != 0) |
140 | if (cfg.cwd && setenv("OWD", cfg.cwd, 1) < 0) | 140 | env_store_name_val("ARGV0", appimage, SETENV); |
141 | errExit("setenv"); | 141 | |
142 | if (cfg.cwd) | ||
143 | env_store_name_val("OWD", cfg.cwd, SETENV); | ||
142 | 144 | ||
143 | // build new command line | 145 | // build new command line |
144 | if (asprintf(&cfg.command_line, "%s/AppRun", mntdir) == -1) | 146 | if (asprintf(&cfg.command_line, "%s/AppRun", mntdir) == -1) |
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 085221464..fb2171a55 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -215,10 +215,8 @@ int checkcfg(int val) { | |||
215 | } | 215 | } |
216 | 216 | ||
217 | // file copy limit | 217 | // file copy limit |
218 | else if (strncmp(ptr, "file-copy-limit ", 16) == 0) { | 218 | else if (strncmp(ptr, "file-copy-limit ", 16) == 0) |
219 | if (setenv("FIREJAIL_FILE_COPY_LIMIT", ptr + 16, 1) == -1) | 219 | env_store_name_val("FIREJAIL_FILE_COPY_LIMIT", ptr + 16, SETENV); |
220 | errExit("setenv"); | ||
221 | } | ||
222 | 220 | ||
223 | // timeout for join option | 221 | // timeout for join option |
224 | else if (strncmp(ptr, "join-timeout ", 13) == 0) | 222 | else if (strncmp(ptr, "join-timeout ", 13) == 0) |
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c index cfa32d1d3..9253490ca 100644 --- a/src/firejail/chroot.c +++ b/src/firejail/chroot.c | |||
@@ -173,9 +173,21 @@ void fs_chroot(const char *rootdir) { | |||
173 | 173 | ||
174 | // x11 | 174 | // x11 |
175 | // if users want this mount, they should set FIREJAIL_CHROOT_X11 | 175 | // if users want this mount, they should set FIREJAIL_CHROOT_X11 |
176 | if (getenv("FIREJAIL_X11") || getenv("FIREJAIL_CHROOT_X11")) { | 176 | if (env_get("FIREJAIL_X11") || env_get("FIREJAIL_CHROOT_X11")) { |
177 | if (arg_debug) | 177 | if (arg_debug) |
178 | printf("Mounting /tmp/.X11-unix on chroot /tmp/.X11-unix\n"); | 178 | printf("Mounting /tmp/.X11-unix on chroot /tmp/.X11-unix\n"); |
179 | struct stat s1, s2; | ||
180 | if (stat("/tmp", &s1) || lstat("/tmp/.X11-unix", &s2)) | ||
181 | errExit("mounting /tmp/.X11-unix"); | ||
182 | if ((s1.st_mode & S_ISVTX) != S_ISVTX) { | ||
183 | fprintf(stderr, "Error: sticky bit not set on /tmp directory\n"); | ||
184 | exit(1); | ||
185 | } | ||
186 | if (s2.st_uid != 0) { | ||
187 | fprintf(stderr, "Error: /tmp/.X11-unix not owned by root user\n"); | ||
188 | exit(1); | ||
189 | } | ||
190 | |||
179 | check_subdir(parentfd, "tmp/.X11-unix", 0); | 191 | check_subdir(parentfd, "tmp/.X11-unix", 0); |
180 | fd = openat(parentfd, "tmp/.X11-unix", O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); | 192 | fd = openat(parentfd, "tmp/.X11-unix", O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); |
181 | if (fd == -1) | 193 | if (fd == -1) |
@@ -194,7 +206,7 @@ void fs_chroot(const char *rootdir) { | |||
194 | check_subdir(parentfd, "run", 1); | 206 | check_subdir(parentfd, "run", 1); |
195 | 207 | ||
196 | // pulseaudio; only support for default directory /run/user/$UID/pulse | 208 | // pulseaudio; only support for default directory /run/user/$UID/pulse |
197 | if (getenv("FIREJAIL_CHROOT_PULSE")) { | 209 | if (env_get("FIREJAIL_CHROOT_PULSE")) { |
198 | char *pulse; | 210 | char *pulse; |
199 | if (asprintf(&pulse, "%s/run/user/%d/pulse", cfg.chrootdir, getuid()) == -1) | 211 | if (asprintf(&pulse, "%s/run/user/%d/pulse", cfg.chrootdir, getuid()) == -1) |
200 | errExit("asprintf"); | 212 | errExit("asprintf"); |
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c index 3cf75ed84..1d0f07089 100644 --- a/src/firejail/dbus.c +++ b/src/firejail/dbus.c | |||
@@ -329,7 +329,7 @@ void dbus_proxy_start(void) { | |||
329 | errExit("close"); | 329 | errExit("close"); |
330 | 330 | ||
331 | if (arg_dbus_user == DBUS_POLICY_FILTER) { | 331 | if (arg_dbus_user == DBUS_POLICY_FILTER) { |
332 | char *user_env = getenv(DBUS_SESSION_BUS_ADDRESS_ENV); | 332 | const char *user_env = env_get(DBUS_SESSION_BUS_ADDRESS_ENV); |
333 | if (user_env == NULL) { | 333 | if (user_env == NULL) { |
334 | char *dbus_user_socket = find_user_socket(); | 334 | char *dbus_user_socket = find_user_socket(); |
335 | write_arg(args_pipe[1], DBUS_SOCKET_PATH_PREFIX "%s", | 335 | write_arg(args_pipe[1], DBUS_SOCKET_PATH_PREFIX "%s", |
@@ -350,7 +350,7 @@ void dbus_proxy_start(void) { | |||
350 | } | 350 | } |
351 | 351 | ||
352 | if (arg_dbus_system == DBUS_POLICY_FILTER) { | 352 | if (arg_dbus_system == DBUS_POLICY_FILTER) { |
353 | char *system_env = getenv(DBUS_SYSTEM_BUS_ADDRESS_ENV); | 353 | const char *system_env = env_get(DBUS_SYSTEM_BUS_ADDRESS_ENV); |
354 | if (system_env == NULL) { | 354 | if (system_env == NULL) { |
355 | write_arg(args_pipe[1], | 355 | write_arg(args_pipe[1], |
356 | DBUS_SOCKET_PATH_PREFIX DBUS_SYSTEM_SOCKET); | 356 | DBUS_SOCKET_PATH_PREFIX DBUS_SYSTEM_SOCKET); |
@@ -435,8 +435,8 @@ static void socket_overlay(char *socket_path, char *proxy_path) { | |||
435 | close(fd); | 435 | close(fd); |
436 | } | 436 | } |
437 | 437 | ||
438 | static char *get_socket_env(const char *name) { | 438 | static const char *get_socket_env(const char *name) { |
439 | char *value = getenv(name); | 439 | const char *value = env_get(name); |
440 | if (value == NULL) | 440 | if (value == NULL) |
441 | return NULL; | 441 | return NULL; |
442 | if (strncmp(value, DBUS_SOCKET_PATH_PREFIX, | 442 | if (strncmp(value, DBUS_SOCKET_PATH_PREFIX, |
@@ -446,21 +446,13 @@ static char *get_socket_env(const char *name) { | |||
446 | } | 446 | } |
447 | 447 | ||
448 | void dbus_set_session_bus_env(void) { | 448 | void dbus_set_session_bus_env(void) { |
449 | if (setenv(DBUS_SESSION_BUS_ADDRESS_ENV, | 449 | env_store_name_val(DBUS_SESSION_BUS_ADDRESS_ENV, |
450 | DBUS_SOCKET_PATH_PREFIX RUN_DBUS_USER_SOCKET, 1) == -1) { | 450 | DBUS_SOCKET_PATH_PREFIX RUN_DBUS_USER_SOCKET, SETENV); |
451 | fprintf(stderr, "Error: cannot modify " DBUS_SESSION_BUS_ADDRESS_ENV | ||
452 | " required by --dbus-user\n"); | ||
453 | exit(1); | ||
454 | } | ||
455 | } | 451 | } |
456 | 452 | ||
457 | void dbus_set_system_bus_env(void) { | 453 | void dbus_set_system_bus_env(void) { |
458 | if (setenv(DBUS_SYSTEM_BUS_ADDRESS_ENV, | 454 | env_store_name_val(DBUS_SYSTEM_BUS_ADDRESS_ENV, |
459 | DBUS_SOCKET_PATH_PREFIX RUN_DBUS_SYSTEM_SOCKET, 1) == -1) { | 455 | DBUS_SOCKET_PATH_PREFIX RUN_DBUS_SYSTEM_SOCKET, SETENV); |
460 | fprintf(stderr, "Error: cannot modify " DBUS_SYSTEM_BUS_ADDRESS_ENV | ||
461 | " required by --dbus-system\n"); | ||
462 | exit(1); | ||
463 | } | ||
464 | } | 456 | } |
465 | 457 | ||
466 | static void disable_socket_dir(void) { | 458 | static void disable_socket_dir(void) { |
@@ -506,7 +498,7 @@ void dbus_apply_policy(void) { | |||
506 | errExit("asprintf"); | 498 | errExit("asprintf"); |
507 | disable_file_or_dir(dbus_user_socket2); | 499 | disable_file_or_dir(dbus_user_socket2); |
508 | 500 | ||
509 | char *user_env = get_socket_env(DBUS_SESSION_BUS_ADDRESS_ENV); | 501 | const char *user_env = get_socket_env(DBUS_SESSION_BUS_ADDRESS_ENV); |
510 | if (user_env != NULL && strcmp(user_env, dbus_user_socket) != 0 && | 502 | if (user_env != NULL && strcmp(user_env, dbus_user_socket) != 0 && |
511 | strcmp(user_env, dbus_user_socket2) != 0) | 503 | strcmp(user_env, dbus_user_socket2) != 0) |
512 | disable_file_or_dir(user_env); | 504 | disable_file_or_dir(user_env); |
@@ -535,7 +527,7 @@ void dbus_apply_policy(void) { | |||
535 | 527 | ||
536 | disable_file_or_dir(DBUS_SYSTEM_SOCKET); | 528 | disable_file_or_dir(DBUS_SYSTEM_SOCKET); |
537 | 529 | ||
538 | char *system_env = get_socket_env(DBUS_SYSTEM_BUS_ADDRESS_ENV); | 530 | const char *system_env = get_socket_env(DBUS_SYSTEM_BUS_ADDRESS_ENV); |
539 | if (system_env != NULL && strcmp(system_env, DBUS_SYSTEM_SOCKET) != 0) | 531 | if (system_env != NULL && strcmp(system_env, DBUS_SYSTEM_SOCKET) != 0) |
540 | disable_file_or_dir(system_env); | 532 | disable_file_or_dir(system_env); |
541 | 533 | ||
@@ -561,4 +553,4 @@ void dbus_apply_policy(void) { | |||
561 | 553 | ||
562 | fwarning("An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.\n"); | 554 | fwarning("An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.\n"); |
563 | } | 555 | } |
564 | #endif // HAVE_DBUSPROXY \ No newline at end of file | 556 | #endif // HAVE_DBUSPROXY |
diff --git a/src/firejail/env.c b/src/firejail/env.c index d74cebb39..9ee6c6bfb 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c | |||
@@ -25,8 +25,8 @@ | |||
25 | 25 | ||
26 | typedef struct env_t { | 26 | typedef struct env_t { |
27 | struct env_t *next; | 27 | struct env_t *next; |
28 | char *name; | 28 | const char *name; |
29 | char *value; | 29 | const char *value; |
30 | ENV_OP op; | 30 | ENV_OP op; |
31 | } Env; | 31 | } Env; |
32 | static Env *envlist = NULL; | 32 | static Env *envlist = NULL; |
@@ -117,45 +117,35 @@ void env_ibus_load(void) { | |||
117 | // default sandbox env variables | 117 | // default sandbox env variables |
118 | void env_defaults(void) { | 118 | void env_defaults(void) { |
119 | // Qt fixes | 119 | // Qt fixes |
120 | if (setenv("QT_X11_NO_MITSHM", "1", 1) < 0) | 120 | env_store_name_val("QT_X11_NO_MITSHM", "1", SETENV); |
121 | errExit("setenv"); | 121 | env_store_name_val("QML_DISABLE_DISK_CACHE", "1", SETENV); |
122 | if (setenv("QML_DISABLE_DISK_CACHE", "1", 1) < 0) | 122 | // env_store_name_val("QTWEBENGINE_DISABLE_SANDBOX", "1", SETENV); |
123 | errExit("setenv"); | 123 | // env_store_name_val("MOZ_NO_REMOTE, "1", SETENV); |
124 | // if (setenv("QTWEBENGINE_DISABLE_SANDBOX", "1", 1) < 0) | 124 | env_store_name_val("container", "firejail", SETENV); // LXC sets container=lxc, |
125 | // errExit("setenv"); | ||
126 | // if (setenv("MOZ_NO_REMOTE, "1", 1) < 0) | ||
127 | // errExit("setenv"); | ||
128 | if (setenv("container", "firejail", 1) < 0) // LXC sets container=lxc, | ||
129 | errExit("setenv"); | ||
130 | if (!cfg.shell) | 125 | if (!cfg.shell) |
131 | cfg.shell = guess_shell(); | 126 | cfg.shell = guess_shell(); |
132 | if (cfg.shell && setenv("SHELL", cfg.shell, 1) < 0) | 127 | if (cfg.shell) |
133 | errExit("setenv"); | 128 | env_store_name_val("SHELL", cfg.shell, SETENV); |
134 | 129 | ||
135 | // spawn KIO slaves inside the sandbox | 130 | // spawn KIO slaves inside the sandbox |
136 | if (setenv("KDE_FORK_SLAVES", "1", 1) < 0) | 131 | env_store_name_val("KDE_FORK_SLAVES", "1", SETENV); |
137 | errExit("setenv"); | ||
138 | 132 | ||
139 | // set prompt color to green | 133 | // set prompt color to green |
140 | int set_prompt = 0; | 134 | int set_prompt = 0; |
141 | if (checkcfg(CFG_FIREJAIL_PROMPT)) | 135 | if (checkcfg(CFG_FIREJAIL_PROMPT)) |
142 | set_prompt = 1; | 136 | set_prompt = 1; |
143 | else { // check FIREJAIL_PROMPT="yes" environment variable | 137 | else { // check FIREJAIL_PROMPT="yes" environment variable |
144 | char *prompt = getenv("FIREJAIL_PROMPT"); | 138 | const char *prompt = env_get("FIREJAIL_PROMPT"); |
145 | if (prompt && strcmp(prompt, "yes") == 0) | 139 | if (prompt && strcmp(prompt, "yes") == 0) |
146 | set_prompt = 1; | 140 | set_prompt = 1; |
147 | } | 141 | } |
148 | 142 | ||
149 | if (set_prompt) { | 143 | if (set_prompt) |
150 | //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] ' | 144 | //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] ' |
151 | if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0) | 145 | env_store_name_val("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", SETENV); |
152 | errExit("setenv"); | 146 | else |
153 | } | ||
154 | else { | ||
155 | // remove PROMPT_COMMAND | 147 | // remove PROMPT_COMMAND |
156 | if (setenv("PROMPT_COMMAND", ":", 1) < 0) // unsetenv() will not work here, bash still picks it up from somewhere | 148 | env_store_name_val("PROMPT_COMMAND", ":", SETENV); // unsetenv() will not work here, bash still picks it up from somewhere |
157 | errExit("setenv"); | ||
158 | } | ||
159 | 149 | ||
160 | // set the window title | 150 | // set the window title |
161 | if (!arg_quiet && isatty(STDOUT_FILENO)) | 151 | if (!arg_quiet && isatty(STDOUT_FILENO)) |
@@ -163,14 +153,13 @@ void env_defaults(void) { | |||
163 | 153 | ||
164 | // pass --quiet as an environment variable, in case the command calls further firejailed commands | 154 | // pass --quiet as an environment variable, in case the command calls further firejailed commands |
165 | if (arg_quiet) | 155 | if (arg_quiet) |
166 | setenv("FIREJAIL_QUIET", "yes", 1); | 156 | env_store_name_val("FIREJAIL_QUIET", "yes", SETENV); |
167 | 157 | ||
168 | fflush(0); | 158 | fflush(0); |
169 | } | 159 | } |
170 | 160 | ||
171 | // parse and store the environment setting | 161 | // parse and store the environment setting |
172 | void env_store(const char *str, ENV_OP op) { | 162 | void env_store(const char *str, ENV_OP op) { |
173 | EUID_ASSERT(); | ||
174 | assert(str); | 163 | assert(str); |
175 | 164 | ||
176 | // some basic checking | 165 | // some basic checking |
@@ -181,8 +170,7 @@ void env_store(const char *str, ENV_OP op) { | |||
181 | if (!ptr) | 170 | if (!ptr) |
182 | goto errexit; | 171 | goto errexit; |
183 | ptr++; | 172 | ptr++; |
184 | if (*ptr == '\0') | 173 | op = SETENV; |
185 | goto errexit; | ||
186 | } | 174 | } |
187 | 175 | ||
188 | // build list entry | 176 | // build list entry |
@@ -210,8 +198,40 @@ errexit: | |||
210 | exit(1); | 198 | exit(1); |
211 | } | 199 | } |
212 | 200 | ||
201 | void env_store_name_val(const char *name, const char *val, ENV_OP op) { | ||
202 | assert(name); | ||
203 | |||
204 | // some basic checking | ||
205 | if (*name == '\0') | ||
206 | goto errexit; | ||
207 | |||
208 | // build list entry | ||
209 | Env *env = calloc(1, sizeof(Env)); | ||
210 | if (!env) | ||
211 | errExit("calloc"); | ||
212 | |||
213 | env->name = strdup(name); | ||
214 | if (env->name == NULL) | ||
215 | errExit("strdup"); | ||
216 | |||
217 | if (op == SETENV) { | ||
218 | env->value = strdup(val); | ||
219 | if (env->value == NULL) | ||
220 | errExit("strdup"); | ||
221 | } | ||
222 | env->op = op; | ||
223 | |||
224 | // add entry to the list | ||
225 | env_add(env); | ||
226 | return; | ||
227 | |||
228 | errexit: | ||
229 | fprintf(stderr, "Error: invalid --env setting\n"); | ||
230 | exit(1); | ||
231 | } | ||
232 | |||
213 | // set env variables in the new sandbox process | 233 | // set env variables in the new sandbox process |
214 | void env_apply(void) { | 234 | void env_apply_all(void) { |
215 | Env *env = envlist; | 235 | Env *env = envlist; |
216 | 236 | ||
217 | while (env) { | 237 | while (env) { |
@@ -225,3 +245,81 @@ void env_apply(void) { | |||
225 | env = env->next; | 245 | env = env->next; |
226 | } | 246 | } |
227 | } | 247 | } |
248 | |||
249 | // get env variable | ||
250 | const char *env_get(const char *name) { | ||
251 | Env *env = envlist; | ||
252 | const char *r = NULL; | ||
253 | |||
254 | while (env) { | ||
255 | if (strcmp(env->name, name) == 0) { | ||
256 | if (env->op == SETENV) | ||
257 | r = env->value; | ||
258 | else if (env->op == RMENV) | ||
259 | r = NULL; | ||
260 | } | ||
261 | env = env->next; | ||
262 | } | ||
263 | return r; | ||
264 | } | ||
265 | |||
266 | static const char * const env_whitelist[] = { | ||
267 | "LANG", | ||
268 | "LANGUAGE", | ||
269 | "LC_MESSAGES", | ||
270 | "PATH", | ||
271 | "DISPLAY" // required by X11 | ||
272 | }; | ||
273 | |||
274 | static const char * const env_whitelist_sbox[] = { | ||
275 | "FIREJAIL_DEBUG", | ||
276 | "FIREJAIL_FILE_COPY_LIMIT", | ||
277 | "FIREJAIL_PLUGIN", | ||
278 | "FIREJAIL_QUIET", | ||
279 | "FIREJAIL_SECCOMP_ERROR_ACTION", | ||
280 | "FIREJAIL_TEST_ARGUMENTS", | ||
281 | "FIREJAIL_TRACEFILE" | ||
282 | }; | ||
283 | |||
284 | static void env_apply_list(const char * const *list, unsigned int num_items) { | ||
285 | Env *env = envlist; | ||
286 | |||
287 | while (env) { | ||
288 | if (env->op == SETENV) { | ||
289 | for (unsigned int i = 0; i < num_items; i++) | ||
290 | if (strcmp(env->name, list[i]) == 0) { | ||
291 | // sanity check for whitelisted environment variables | ||
292 | if (strlen(env->name) + strlen(env->value) >= MAX_ENV_LEN) { | ||
293 | fprintf(stderr, "Error: too long environment variable %s, please use --rmenv\n", env->name); | ||
294 | exit(1); | ||
295 | } | ||
296 | |||
297 | //fprintf(stderr, "whitelisted env var %s=%s\n", env->name, env->value); | ||
298 | if (setenv(env->name, env->value, 1) < 0) | ||
299 | errExit("setenv"); | ||
300 | break; | ||
301 | } | ||
302 | } else if (env->op == RMENV) | ||
303 | unsetenv(env->name); | ||
304 | |||
305 | env = env->next; | ||
306 | } | ||
307 | } | ||
308 | |||
309 | // Filter env variables in main firejail process. All variables will | ||
310 | // be reapplied for the sandboxed app by env_apply_all(). | ||
311 | void env_apply_whitelist(void) { | ||
312 | int r; | ||
313 | |||
314 | r = clearenv(); | ||
315 | if (r != 0) | ||
316 | errExit("clearenv"); | ||
317 | |||
318 | env_apply_list(env_whitelist, ARRAY_SIZE(env_whitelist)); | ||
319 | } | ||
320 | |||
321 | // Filter env variables for a sbox app | ||
322 | void env_apply_whitelist_sbox(void) { | ||
323 | env_apply_whitelist(); | ||
324 | env_apply_list(env_whitelist_sbox, ARRAY_SIZE(env_whitelist_sbox)); | ||
325 | } | ||
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 80987e494..e352dadc4 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -81,6 +81,8 @@ | |||
81 | (void) rv;\ | 81 | (void) rv;\ |
82 | } while (0) | 82 | } while (0) |
83 | 83 | ||
84 | #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) | ||
85 | |||
84 | // main.c | 86 | // main.c |
85 | typedef struct bridge_t { | 87 | typedef struct bridge_t { |
86 | // on the host | 88 | // on the host |
@@ -513,7 +515,6 @@ void check_private_dir(void); | |||
513 | void update_map(char *mapping, char *map_file); | 515 | void update_map(char *mapping, char *map_file); |
514 | void wait_for_other(int fd); | 516 | void wait_for_other(int fd); |
515 | void notify_other(int fd); | 517 | void notify_other(int fd); |
516 | const char *gnu_basename(const char *path); | ||
517 | uid_t pid_get_uid(pid_t pid); | 518 | uid_t pid_get_uid(pid_t pid); |
518 | uid_t get_group_id(const char *group); | 519 | uid_t get_group_id(const char *group); |
519 | int remove_overlay_directory(void); | 520 | int remove_overlay_directory(void); |
@@ -656,7 +657,7 @@ int check_kernel_procs(void); | |||
656 | void run_no_sandbox(int argc, char **argv) __attribute__((noreturn)); | 657 | void run_no_sandbox(int argc, char **argv) __attribute__((noreturn)); |
657 | 658 | ||
658 | #define MAX_ENVS 256 // some sane maximum number of environment variables | 659 | #define MAX_ENVS 256 // some sane maximum number of environment variables |
659 | #define MAX_ENV_LEN (PATH_MAX + 32) // FOOBAR=SOME_PATH | 660 | #define MAX_ENV_LEN (PATH_MAX + 32) // FOOBAR=SOME_PATH, only applied to Firejail's own sandboxed apps |
660 | // env.c | 661 | // env.c |
661 | typedef enum { | 662 | typedef enum { |
662 | SETENV = 0, | 663 | SETENV = 0, |
@@ -664,8 +665,12 @@ typedef enum { | |||
664 | } ENV_OP; | 665 | } ENV_OP; |
665 | 666 | ||
666 | void env_store(const char *str, ENV_OP op); | 667 | void env_store(const char *str, ENV_OP op); |
667 | void env_apply(void); | 668 | void env_store_name_val(const char *name, const char *val, ENV_OP op); |
669 | void env_apply_all(void); | ||
670 | void env_apply_whitelist(void); | ||
671 | void env_apply_whitelist_sbox(void); | ||
668 | void env_defaults(void); | 672 | void env_defaults(void); |
673 | const char *env_get(const char *name); | ||
669 | void env_ibus_load(void); | 674 | void env_ibus_load(void); |
670 | 675 | ||
671 | // fs_whitelist.c | 676 | // fs_whitelist.c |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 0d4e496e8..ef1f87f0c 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -487,27 +487,26 @@ void fs_tmpfs(const char *dir, unsigned check_owner) { | |||
487 | close(fd); | 487 | close(fd); |
488 | } | 488 | } |
489 | 489 | ||
490 | // remount path, but preserve existing mount flags; requires a resolved path | 490 | // remount path, preserving other mount flags; requires a resolved path |
491 | static void fs_remount_simple(const char *path, OPERATION op) { | 491 | static void fs_remount_simple(const char *path, OPERATION op) { |
492 | assert(path); | 492 | assert(path); |
493 | 493 | ||
494 | // open path without following symbolic links | 494 | // open path without following symbolic links |
495 | int fd = safe_fd(path, O_PATH|O_NOFOLLOW|O_CLOEXEC); | 495 | int fd1 = safe_fd(path, O_PATH|O_NOFOLLOW|O_CLOEXEC); |
496 | if (fd == -1) | 496 | if (fd1 == -1) |
497 | goto out; | 497 | goto out; |
498 | // identify file owner | 498 | struct stat s1; |
499 | struct stat s; | 499 | if (fstat(fd1, &s1) == -1) { |
500 | if (fstat(fd, &s) == -1) { | ||
501 | // fstat can fail with EACCES if path is a FUSE mount, | 500 | // fstat can fail with EACCES if path is a FUSE mount, |
502 | // mounted without 'allow_root' or 'allow_other' | 501 | // mounted without 'allow_root' or 'allow_other' |
503 | if (errno != EACCES) | 502 | if (errno != EACCES) |
504 | errExit("fstat"); | 503 | errExit("fstat"); |
505 | close(fd); | 504 | close(fd1); |
506 | goto out; | 505 | goto out; |
507 | } | 506 | } |
508 | // get mount flags | 507 | // get mount flags |
509 | struct statvfs buf; | 508 | struct statvfs buf; |
510 | if (fstatvfs(fd, &buf) == -1) | 509 | if (fstatvfs(fd1, &buf) == -1) |
511 | errExit("fstatvfs"); | 510 | errExit("fstatvfs"); |
512 | unsigned long flags = buf.f_flag; | 511 | unsigned long flags = buf.f_flag; |
513 | 512 | ||
@@ -515,13 +514,13 @@ static void fs_remount_simple(const char *path, OPERATION op) { | |||
515 | if (op == MOUNT_RDWR || op == MOUNT_RDWR_NOCHECK) { | 514 | if (op == MOUNT_RDWR || op == MOUNT_RDWR_NOCHECK) { |
516 | // nothing to do if there is no read-only flag | 515 | // nothing to do if there is no read-only flag |
517 | if ((flags & MS_RDONLY) == 0) { | 516 | if ((flags & MS_RDONLY) == 0) { |
518 | close(fd); | 517 | close(fd1); |
519 | return; | 518 | return; |
520 | } | 519 | } |
521 | // allow only user owned directories, except the user is root | 520 | // allow only user owned directories, except the user is root |
522 | if (op == MOUNT_RDWR && getuid() != 0 && s.st_uid != getuid()) { | 521 | if (op != MOUNT_RDWR_NOCHECK && getuid() != 0 && s1.st_uid != getuid()) { |
523 | fwarning("you are not allowed to change %s to read-write\n", path); | 522 | fwarning("you are not allowed to change %s to read-write\n", path); |
524 | close(fd); | 523 | close(fd1); |
525 | return; | 524 | return; |
526 | } | 525 | } |
527 | flags &= ~MS_RDONLY; | 526 | flags &= ~MS_RDONLY; |
@@ -530,7 +529,7 @@ static void fs_remount_simple(const char *path, OPERATION op) { | |||
530 | else if (op == MOUNT_NOEXEC) { | 529 | else if (op == MOUNT_NOEXEC) { |
531 | // nothing to do if path is mounted noexec already | 530 | // nothing to do if path is mounted noexec already |
532 | if ((flags & (MS_NOEXEC|MS_NODEV|MS_NOSUID)) == (MS_NOEXEC|MS_NODEV|MS_NOSUID)) { | 531 | if ((flags & (MS_NOEXEC|MS_NODEV|MS_NOSUID)) == (MS_NOEXEC|MS_NODEV|MS_NOSUID)) { |
533 | close(fd); | 532 | close(fd1); |
534 | return; | 533 | return; |
535 | } | 534 | } |
536 | flags |= MS_NOEXEC|MS_NODEV|MS_NOSUID; | 535 | flags |= MS_NOEXEC|MS_NODEV|MS_NOSUID; |
@@ -539,7 +538,7 @@ static void fs_remount_simple(const char *path, OPERATION op) { | |||
539 | else if (op == MOUNT_READONLY) { | 538 | else if (op == MOUNT_READONLY) { |
540 | // nothing to do if path is mounted read-only already | 539 | // nothing to do if path is mounted read-only already |
541 | if ((flags & MS_RDONLY) == MS_RDONLY) { | 540 | if ((flags & MS_RDONLY) == MS_RDONLY) { |
542 | close(fd); | 541 | close(fd1); |
543 | return; | 542 | return; |
544 | } | 543 | } |
545 | flags |= MS_RDONLY; | 544 | flags |= MS_RDONLY; |
@@ -549,21 +548,26 @@ static void fs_remount_simple(const char *path, OPERATION op) { | |||
549 | 548 | ||
550 | if (arg_debug) | 549 | if (arg_debug) |
551 | printf("Mounting %s %s\n", opstr[op], path); | 550 | printf("Mounting %s %s\n", opstr[op], path); |
552 | // mount --bind /bin /bin | 551 | // mount --bind path path |
553 | char *proc; | 552 | char *proc; |
554 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | 553 | if (asprintf(&proc, "/proc/self/fd/%d", fd1) == -1) |
555 | errExit("asprintf"); | 554 | errExit("asprintf"); |
556 | if (mount(proc, proc, NULL, MS_BIND|MS_REC, NULL) < 0) | 555 | if (mount(proc, proc, NULL, MS_BIND|MS_REC, NULL) < 0) |
557 | errExit("mount"); | 556 | errExit("mount"); |
558 | free(proc); | 557 | free(proc); |
559 | close(fd); | ||
560 | 558 | ||
561 | // mount --bind -o remount,ro /bin | 559 | // mount --bind -o remount,ro path |
562 | // we need to open path again | 560 | // need to open path again without following symbolic links |
563 | fd = safe_fd(path, O_PATH|O_NOFOLLOW|O_CLOEXEC); | 561 | int fd2 = safe_fd(path, O_PATH|O_NOFOLLOW|O_CLOEXEC); |
564 | if (fd == -1) | 562 | if (fd2 == -1) |
565 | errExit("open"); | 563 | errExit("open"); |
566 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | 564 | struct stat s2; |
565 | if (fstat(fd2, &s2) == -1) | ||
566 | errExit("fstat"); | ||
567 | // device and inode number should be the same | ||
568 | if (s1.st_dev != s2.st_dev || s1.st_ino != s2.st_ino) | ||
569 | errLogExit("invalid %s mount", opstr[op]); | ||
570 | if (asprintf(&proc, "/proc/self/fd/%d", fd2) == -1) | ||
567 | errExit("asprintf"); | 571 | errExit("asprintf"); |
568 | if (mount(NULL, proc, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0) | 572 | if (mount(NULL, proc, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0) |
569 | errExit("mount"); | 573 | errExit("mount"); |
@@ -579,7 +583,8 @@ static void fs_remount_simple(const char *path, OPERATION op) { | |||
579 | errLogExit("invalid %s mount", opstr[op]); | 583 | errLogExit("invalid %s mount", opstr[op]); |
580 | fs_logger2(opstr[op], path); | 584 | fs_logger2(opstr[op], path); |
581 | free(proc); | 585 | free(proc); |
582 | close(fd); | 586 | close(fd1); |
587 | close(fd2); | ||
583 | return; | 588 | return; |
584 | 589 | ||
585 | out: | 590 | out: |
@@ -795,6 +800,8 @@ void disable_config(void) { | |||
795 | disable_file(BLACKLIST_FILE, RUN_FIREJAIL_PROFILE_DIR); | 800 | disable_file(BLACKLIST_FILE, RUN_FIREJAIL_PROFILE_DIR); |
796 | if (stat(RUN_FIREJAIL_X11_DIR, &s) == 0) | 801 | if (stat(RUN_FIREJAIL_X11_DIR, &s) == 0) |
797 | disable_file(BLACKLIST_FILE, RUN_FIREJAIL_X11_DIR); | 802 | disable_file(BLACKLIST_FILE, RUN_FIREJAIL_X11_DIR); |
803 | if (!arg_appimage && stat(RUN_FIREJAIL_APPIMAGE_DIR, &s) == 0) | ||
804 | disable_file(BLACKLIST_FILE, RUN_FIREJAIL_APPIMAGE_DIR); | ||
798 | } | 805 | } |
799 | 806 | ||
800 | 807 | ||
@@ -1219,7 +1226,7 @@ void fs_private_tmp(void) { | |||
1219 | printf("Generate private-tmp whitelist commands\n"); | 1226 | printf("Generate private-tmp whitelist commands\n"); |
1220 | 1227 | ||
1221 | // check XAUTHORITY file, KDE keeps it under /tmp | 1228 | // check XAUTHORITY file, KDE keeps it under /tmp |
1222 | char *xauth = getenv("XAUTHORITY"); | 1229 | const char *xauth = env_get("XAUTHORITY"); |
1223 | if (xauth) { | 1230 | if (xauth) { |
1224 | char *rp = realpath(xauth, NULL); | 1231 | char *rp = realpath(xauth, NULL); |
1225 | if (rp && strncmp(rp, "/tmp/", 5) == 0) { | 1232 | if (rp && strncmp(rp, "/tmp/", 5) == 0) { |
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c index 5cfd33b42..b8c1b21b1 100644 --- a/src/firejail/fs_lib.c +++ b/src/firejail/fs_lib.c | |||
@@ -33,6 +33,52 @@ extern void fslib_install_system(void); | |||
33 | static int lib_cnt = 0; | 33 | static int lib_cnt = 0; |
34 | static int dir_cnt = 0; | 34 | static int dir_cnt = 0; |
35 | 35 | ||
36 | char *find_in_path(const char *program) { | ||
37 | EUID_ASSERT(); | ||
38 | if (arg_debug) | ||
39 | printf("Searching $PATH for %s\n", program); | ||
40 | |||
41 | char self[MAXBUF]; | ||
42 | ssize_t len = readlink("/proc/self/exe", self, MAXBUF - 1); | ||
43 | if (len < 0) | ||
44 | errExit("readlink"); | ||
45 | self[len] = '\0'; | ||
46 | |||
47 | char *path = getenv("PATH"); | ||
48 | if (!path) | ||
49 | return NULL; | ||
50 | char *dup = strdup(path); | ||
51 | if (!dup) | ||
52 | errExit("strdup"); | ||
53 | char *tok = strtok(dup, ":"); | ||
54 | while (tok) { | ||
55 | char *fname; | ||
56 | if (asprintf(&fname, "%s/%s", tok, program) == -1) | ||
57 | errExit("asprintf"); | ||
58 | |||
59 | if (arg_debug) | ||
60 | printf("trying #%s#\n", fname); | ||
61 | struct stat s; | ||
62 | if (stat(fname, &s) == 0) { | ||
63 | // but skip links created by firecfg | ||
64 | char *rp = realpath(fname, NULL); | ||
65 | if (!rp) | ||
66 | errExit("realpath"); | ||
67 | if (strcmp(self, rp) != 0) { | ||
68 | free(rp); | ||
69 | free(dup); | ||
70 | return fname; | ||
71 | } | ||
72 | free(rp); | ||
73 | } | ||
74 | free(fname); | ||
75 | tok = strtok(NULL, ":"); | ||
76 | } | ||
77 | |||
78 | free(dup); | ||
79 | return NULL; | ||
80 | } | ||
81 | |||
36 | static void report_duplication(const char *full_path) { | 82 | static void report_duplication(const char *full_path) { |
37 | char *fname = strrchr(full_path, '/'); | 83 | char *fname = strrchr(full_path, '/'); |
38 | if (fname && *(++fname) != '\0') { | 84 | if (fname && *(++fname) != '\0') { |
@@ -165,7 +211,7 @@ void fslib_copy_dir(const char *full_path) { | |||
165 | mkdir_attr(dest, 0755, 0, 0); | 211 | mkdir_attr(dest, 0755, 0, 0); |
166 | 212 | ||
167 | if (mount(full_path, dest, NULL, MS_BIND|MS_REC, NULL) < 0 || | 213 | if (mount(full_path, dest, NULL, MS_BIND|MS_REC, NULL) < 0 || |
168 | mount(NULL, dest, NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) | 214 | mount(NULL, dest, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) |
169 | errExit("mount bind"); | 215 | errExit("mount bind"); |
170 | fs_logger2("clone", full_path); | 216 | fs_logger2("clone", full_path); |
171 | fs_logger2("mount", full_path); | 217 | fs_logger2("mount", full_path); |
@@ -336,11 +382,40 @@ void fs_private_lib(void) { | |||
336 | // start timetrace | 382 | // start timetrace |
337 | timetrace_start(); | 383 | timetrace_start(); |
338 | 384 | ||
385 | // bring in firejail executable libraries in case we are redirected here by a firejail symlink from /usr/local/bin/firejail | ||
386 | if (arg_debug || arg_debug_private_lib) | ||
387 | printf("Installing Firejail libraries\n"); | ||
388 | fslib_install_list(PATH_FIREJAIL); | ||
389 | |||
390 | // bring in firejail directory | ||
391 | fslib_install_list(LIBDIR "/firejail"); | ||
392 | |||
393 | // bring in dhclient libraries | ||
394 | if (any_dhcp()) { | ||
395 | if (arg_debug || arg_debug_private_lib) | ||
396 | printf("Installing dhclient libraries\n"); | ||
397 | fslib_install_list(RUN_MNT_DIR "/dhclient"); | ||
398 | } | ||
399 | fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end()); | ||
400 | |||
401 | timetrace_start(); | ||
402 | |||
339 | // copy the libs in the new lib directory for the main exe | 403 | // copy the libs in the new lib directory for the main exe |
340 | if (cfg.original_program_index > 0) { | 404 | if (cfg.original_program_index > 0) { |
341 | if (arg_debug || arg_debug_private_lib) | 405 | if (arg_debug || arg_debug_private_lib) |
342 | printf("Installing sandboxed program libraries\n"); | 406 | printf("Installing sandboxed program libraries\n"); |
343 | fslib_install_list(cfg.original_argv[cfg.original_program_index]); | 407 | |
408 | if (strchr(cfg.original_argv[cfg.original_program_index], '/')) | ||
409 | fslib_install_list(cfg.original_argv[cfg.original_program_index]); | ||
410 | else { // search executable in $PATH | ||
411 | EUID_USER(); | ||
412 | char *fname = find_in_path(cfg.original_argv[cfg.original_program_index]); | ||
413 | EUID_ROOT(); | ||
414 | if (fname) { | ||
415 | fslib_install_list(fname); | ||
416 | free(fname); | ||
417 | } | ||
418 | } | ||
344 | } | 419 | } |
345 | 420 | ||
346 | // for the shell | 421 | // for the shell |
@@ -369,18 +444,11 @@ void fs_private_lib(void) { | |||
369 | } | 444 | } |
370 | fmessage("Program libraries installed in %0.2f ms\n", timetrace_end()); | 445 | fmessage("Program libraries installed in %0.2f ms\n", timetrace_end()); |
371 | 446 | ||
372 | // install the reset of the system libraries | 447 | // install the rest of the system libraries |
373 | if (arg_debug || arg_debug_private_lib) | 448 | if (arg_debug || arg_debug_private_lib) |
374 | printf("Installing system libraries\n"); | 449 | printf("Installing system libraries\n"); |
375 | fslib_install_system(); | 450 | fslib_install_system(); |
376 | 451 | ||
377 | // bring in firejail directory for --trace and seccomp post exec | ||
378 | // bring in firejail executable libraries in case we are redirected here by a firejail symlink from /usr/local/bin/firejail | ||
379 | fslib_install_list("/usr/bin/firejail,firejail"); // todo: use the installed path for the executable | ||
380 | |||
381 | // install libraries needed by fcopy | ||
382 | fslib_install_list(PATH_FCOPY); | ||
383 | |||
384 | fmessage("Installed %d %s and %d %s\n", lib_cnt, (lib_cnt == 1)? "library": "libraries", | 452 | fmessage("Installed %d %s and %d %s\n", lib_cnt, (lib_cnt == 1)? "library": "libraries", |
385 | dir_cnt, (dir_cnt == 1)? "directory": "directories"); | 453 | dir_cnt, (dir_cnt == 1)? "directory": "directories"); |
386 | 454 | ||
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c index b2ae07f3e..95e10ee05 100644 --- a/src/firejail/fs_lib2.c +++ b/src/firejail/fs_lib2.c | |||
@@ -30,6 +30,7 @@ extern void fslib_copy_dir(const char *full_path); | |||
30 | //*************************************************************** | 30 | //*************************************************************** |
31 | // standard libc libraries based on Debian's libc6 package | 31 | // standard libc libraries based on Debian's libc6 package |
32 | // selinux seems to be linked in most command line utilities | 32 | // selinux seems to be linked in most command line utilities |
33 | // libpcre2 is a dependency of selinux | ||
33 | // locale (/usr/lib/locale) - without it, the program will default to "C" locale | 34 | // locale (/usr/lib/locale) - without it, the program will default to "C" locale |
34 | typedef struct liblist_t { | 35 | typedef struct liblist_t { |
35 | const char *name; | 36 | const char *name; |
@@ -38,6 +39,7 @@ typedef struct liblist_t { | |||
38 | 39 | ||
39 | static LibList libc_list[] = { | 40 | static LibList libc_list[] = { |
40 | { "libselinux.so.", 0 }, | 41 | { "libselinux.so.", 0 }, |
42 | { "libpcre2-8.so.", 0 }, | ||
41 | { "libapparmor.so.", 0}, | 43 | { "libapparmor.so.", 0}, |
42 | { "ld-linux-x86-64.so.", 0 }, | 44 | { "ld-linux-x86-64.so.", 0 }, |
43 | { "libanl.so.", 0 }, | 45 | { "libanl.so.", 0 }, |
@@ -104,17 +106,15 @@ static void stdc(const char *dirname) { | |||
104 | 106 | ||
105 | void fslib_install_stdc(void) { | 107 | void fslib_install_stdc(void) { |
106 | // install standard C libraries | 108 | // install standard C libraries |
109 | timetrace_start(); | ||
107 | struct stat s; | 110 | struct stat s; |
108 | char *stdclib = "/lib64"; // CentOS, Fedora, Arch | ||
109 | |||
110 | if (stat("/lib/x86_64-linux-gnu", &s) == 0) { // Debian & friends | 111 | if (stat("/lib/x86_64-linux-gnu", &s) == 0) { // Debian & friends |
111 | mkdir_attr(RUN_LIB_DIR "/x86_64-linux-gnu", 0755, 0, 0); | 112 | mkdir_attr(RUN_LIB_DIR "/x86_64-linux-gnu", 0755, 0, 0); |
112 | selinux_relabel_path(RUN_LIB_DIR "/x86_64-linux-gnu", "/lib/x86_64-linux-gnu"); | 113 | selinux_relabel_path(RUN_LIB_DIR "/x86_64-linux-gnu", "/lib/x86_64-linux-gnu"); |
113 | stdclib = "/lib/x86_64-linux-gnu"; | 114 | stdc("/lib/x86_64-linux-gnu"); |
114 | } | 115 | } |
115 | 116 | ||
116 | timetrace_start(); | 117 | stdc("/lib64"); // CentOS, Fedora, Arch, ld-linux.so in Debian & friends |
117 | stdc(stdclib); | ||
118 | 118 | ||
119 | // install locale | 119 | // install locale |
120 | if (stat("/usr/lib/locale", &s) == 0) | 120 | if (stat("/usr/lib/locale", &s) == 0) |
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 1d7552339..d60c57fec 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -778,7 +778,7 @@ void fs_whitelist(void) { | |||
778 | fs_logger("tmpfs /tmp"); | 778 | fs_logger("tmpfs /tmp"); |
779 | 779 | ||
780 | // pam-tmpdir - issue #2685 | 780 | // pam-tmpdir - issue #2685 |
781 | char *env = getenv("TMP"); | 781 | const char *env = env_get("TMP"); |
782 | if (env) { | 782 | if (env) { |
783 | char *pamtmpdir; | 783 | char *pamtmpdir; |
784 | if (asprintf(&pamtmpdir, "/tmp/user/%u", getuid()) == -1) | 784 | if (asprintf(&pamtmpdir, "/tmp/user/%u", getuid()) == -1) |
diff --git a/src/firejail/join.c b/src/firejail/join.c index d2f802add..bdd0f286c 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -296,7 +296,7 @@ static void extract_umask(pid_t pid) { | |||
296 | fprintf(stderr, "Error: cannot open umask file\n"); | 296 | fprintf(stderr, "Error: cannot open umask file\n"); |
297 | exit(1); | 297 | exit(1); |
298 | } | 298 | } |
299 | if (fscanf(fp, "%o", &orig_umask) != 1) { | 299 | if (fscanf(fp, "%3o", &orig_umask) != 1) { |
300 | fprintf(stderr, "Error: cannot read umask\n"); | 300 | fprintf(stderr, "Error: cannot read umask\n"); |
301 | exit(1); | 301 | exit(1); |
302 | } | 302 | } |
@@ -335,7 +335,7 @@ bool is_ready_for_join(const pid_t pid) { | |||
335 | struct stat s; | 335 | struct stat s; |
336 | if (fstat(fd, &s) == -1) | 336 | if (fstat(fd, &s) == -1) |
337 | errExit("fstat"); | 337 | errExit("fstat"); |
338 | if (!S_ISREG(s.st_mode) || s.st_uid != 0) { | 338 | if (!S_ISREG(s.st_mode) || s.st_uid != 0 || s.st_size != 1) { |
339 | close(fd); | 339 | close(fd); |
340 | return false; | 340 | return false; |
341 | } | 341 | } |
@@ -411,7 +411,7 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
411 | extract_x11_display(parent); | 411 | extract_x11_display(parent); |
412 | 412 | ||
413 | int shfd = -1; | 413 | int shfd = -1; |
414 | if (!arg_shell_none) | 414 | if (!arg_shell_none && !arg_audit) |
415 | shfd = open_shell(); | 415 | shfd = open_shell(); |
416 | 416 | ||
417 | EUID_ROOT(); | 417 | EUID_ROOT(); |
@@ -423,6 +423,7 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
423 | extract_cgroup(pid); | 423 | extract_cgroup(pid); |
424 | extract_nogroups(pid); | 424 | extract_nogroups(pid); |
425 | extract_user_namespace(pid); | 425 | extract_user_namespace(pid); |
426 | extract_umask(pid); | ||
426 | #ifdef HAVE_APPARMOR | 427 | #ifdef HAVE_APPARMOR |
427 | extract_apparmor(pid); | 428 | extract_apparmor(pid); |
428 | #endif | 429 | #endif |
@@ -432,9 +433,6 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
432 | if (cfg.cgroup) // not available for uid 0 | 433 | if (cfg.cgroup) // not available for uid 0 |
433 | set_cgroup(cfg.cgroup); | 434 | set_cgroup(cfg.cgroup); |
434 | 435 | ||
435 | // set umask, also uid 0 | ||
436 | extract_umask(pid); | ||
437 | |||
438 | // join namespaces | 436 | // join namespaces |
439 | if (arg_join_network) { | 437 | if (arg_join_network) { |
440 | if (join_namespace(pid, "net")) | 438 | if (join_namespace(pid, "net")) |
@@ -563,7 +561,7 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
563 | char *display_str; | 561 | char *display_str; |
564 | if (asprintf(&display_str, ":%d", display) == -1) | 562 | if (asprintf(&display_str, ":%d", display) == -1) |
565 | errExit("asprintf"); | 563 | errExit("asprintf"); |
566 | setenv("DISPLAY", display_str, 1); | 564 | env_store_name_val("DISPLAY", display_str, SETENV); |
567 | free(display_str); | 565 | free(display_str); |
568 | } | 566 | } |
569 | 567 | ||
diff --git a/src/firejail/main.c b/src/firejail/main.c index e5d8a4720..982a4c7a6 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -861,19 +861,20 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
861 | } | 861 | } |
862 | 862 | ||
863 | char *guess_shell(void) { | 863 | char *guess_shell(void) { |
864 | char *shell = NULL; | 864 | const char *shell; |
865 | char *retval; | ||
865 | struct stat s; | 866 | struct stat s; |
866 | 867 | ||
867 | shell = getenv("SHELL"); | 868 | shell = env_get("SHELL"); |
868 | if (shell) { | 869 | if (shell) { |
869 | invalid_filename(shell, 0); // no globbing | 870 | invalid_filename(shell, 0); // no globbing |
870 | if (!is_dir(shell) && strstr(shell, "..") == NULL && stat(shell, &s) == 0 && access(shell, X_OK) == 0 && | 871 | if (!is_dir(shell) && strstr(shell, "..") == NULL && stat(shell, &s) == 0 && access(shell, X_OK) == 0 && |
871 | strcmp(shell, PATH_FIREJAIL) != 0) | 872 | strcmp(shell, PATH_FIREJAIL) != 0) |
872 | return shell; | 873 | goto found; |
873 | } | 874 | } |
874 | 875 | ||
875 | // shells in order of preference | 876 | // shells in order of preference |
876 | char *shells[] = {"/bin/bash", "/bin/csh", "/usr/bin/zsh", "/bin/sh", "/bin/ash", NULL }; | 877 | static const char * const shells[] = {"/bin/bash", "/bin/csh", "/usr/bin/zsh", "/bin/sh", "/bin/ash", NULL }; |
877 | 878 | ||
878 | int i = 0; | 879 | int i = 0; |
879 | while (shells[i] != NULL) { | 880 | while (shells[i] != NULL) { |
@@ -884,8 +885,11 @@ char *guess_shell(void) { | |||
884 | } | 885 | } |
885 | i++; | 886 | i++; |
886 | } | 887 | } |
887 | 888 | found: | |
888 | return shell; | 889 | retval = strdup(shell); |
890 | if (!retval) | ||
891 | errExit("strdup"); | ||
892 | return retval; | ||
889 | } | 893 | } |
890 | 894 | ||
891 | // return argument index | 895 | // return argument index |
@@ -926,9 +930,13 @@ static void run_builder(int argc, char **argv) { | |||
926 | if (setresuid(-1, getuid(), getuid()) != 0) | 930 | if (setresuid(-1, getuid(), getuid()) != 0) |
927 | errExit("setresuid"); | 931 | errExit("setresuid"); |
928 | 932 | ||
933 | assert(env_get("LD_PRELOAD") == NULL); | ||
929 | assert(getenv("LD_PRELOAD") == NULL); | 934 | assert(getenv("LD_PRELOAD") == NULL); |
930 | umask(orig_umask); | 935 | umask(orig_umask); |
931 | 936 | ||
937 | // restore some environment variables | ||
938 | env_apply_whitelist_sbox(); | ||
939 | |||
932 | argv[0] = LIBDIR "/firejail/fbuilder"; | 940 | argv[0] = LIBDIR "/firejail/fbuilder"; |
933 | execvp(argv[0], argv); | 941 | execvp(argv[0], argv); |
934 | 942 | ||
@@ -994,6 +1002,16 @@ int main(int argc, char **argv, char **envp) { | |||
994 | exit(1); | 1002 | exit(1); |
995 | } | 1003 | } |
996 | 1004 | ||
1005 | // Stash environment variables | ||
1006 | for (i = 0, ptr = envp; ptr && *ptr && i < MAX_ENVS; i++, ptr++) | ||
1007 | env_store(*ptr, SETENV); | ||
1008 | |||
1009 | // sanity check for environment variables | ||
1010 | if (i >= MAX_ENVS) { | ||
1011 | fprintf(stderr, "Error: too many environment variables, please use --rmenv\n"); | ||
1012 | exit(1); | ||
1013 | } | ||
1014 | |||
997 | // sanity check for arguments | 1015 | // sanity check for arguments |
998 | for (i = 0; i < argc; i++) { | 1016 | for (i = 0; i < argc; i++) { |
999 | if (*argv[i] == 0) { | 1017 | if (*argv[i] == 0) { |
@@ -1005,29 +1023,19 @@ int main(int argc, char **argv, char **envp) { | |||
1005 | exit(1); | 1023 | exit(1); |
1006 | } | 1024 | } |
1007 | // Also remove requested environment variables | 1025 | // Also remove requested environment variables |
1008 | // entirely to avoid tripping the length check below | ||
1009 | if (strncmp(argv[i], "--rmenv=", 8) == 0) | 1026 | if (strncmp(argv[i], "--rmenv=", 8) == 0) |
1010 | unsetenv(argv[i] + 8); | 1027 | env_store(argv[i] + 8, RMENV); |
1011 | } | 1028 | } |
1012 | 1029 | ||
1013 | // sanity check for environment variables | 1030 | // Reapply a minimal set of environment variables |
1014 | for (i = 0, ptr = envp; ptr && *ptr && i < MAX_ENVS; i++, ptr++) { | 1031 | env_apply_whitelist(); |
1015 | if (strlen(*ptr) >= MAX_ENV_LEN) { | ||
1016 | fprintf(stderr, "Error: too long environment variables, please use --rmenv\n"); | ||
1017 | exit(1); | ||
1018 | } | ||
1019 | } | ||
1020 | if (i >= MAX_ENVS) { | ||
1021 | fprintf(stderr, "Error: too many environment variables, please use --rmenv\n"); | ||
1022 | exit(1); | ||
1023 | } | ||
1024 | 1032 | ||
1025 | // check if the user is allowed to use firejail | 1033 | // check if the user is allowed to use firejail |
1026 | init_cfg(argc, argv); | 1034 | init_cfg(argc, argv); |
1027 | 1035 | ||
1028 | // get starting timestamp, process --quiet | 1036 | // get starting timestamp, process --quiet |
1029 | timetrace_start(); | 1037 | timetrace_start(); |
1030 | char *env_quiet = getenv("FIREJAIL_QUIET"); | 1038 | const char *env_quiet = env_get("FIREJAIL_QUIET"); |
1031 | if (check_arg(argc, argv, "--quiet", 1) || (env_quiet && strcmp(env_quiet, "yes") == 0)) | 1039 | if (check_arg(argc, argv, "--quiet", 1) || (env_quiet && strcmp(env_quiet, "yes") == 0)) |
1032 | arg_quiet = 1; | 1040 | arg_quiet = 1; |
1033 | 1041 | ||
@@ -1037,7 +1045,7 @@ int main(int argc, char **argv, char **envp) { | |||
1037 | 1045 | ||
1038 | // build /run/firejail directory structure | 1046 | // build /run/firejail directory structure |
1039 | preproc_build_firejail_dir(); | 1047 | preproc_build_firejail_dir(); |
1040 | char *container_name = getenv("container"); | 1048 | const char *container_name = env_get("container"); |
1041 | if (!container_name || strcmp(container_name, "firejail")) { | 1049 | if (!container_name || strcmp(container_name, "firejail")) { |
1042 | lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR); | 1050 | lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR); |
1043 | if (lockfd_directory != -1) { | 1051 | if (lockfd_directory != -1) { |
@@ -1170,6 +1178,9 @@ int main(int argc, char **argv, char **envp) { | |||
1170 | 1178 | ||
1171 | drop_privs(1); | 1179 | drop_privs(1); |
1172 | umask(orig_umask); | 1180 | umask(orig_umask); |
1181 | |||
1182 | // restore original environment variables | ||
1183 | env_apply_all(); | ||
1173 | int rv = system(argv[2]); | 1184 | int rv = system(argv[2]); |
1174 | exit(rv); | 1185 | exit(rv); |
1175 | } | 1186 | } |
@@ -1231,11 +1242,6 @@ int main(int argc, char **argv, char **envp) { | |||
1231 | } | 1242 | } |
1232 | EUID_ASSERT(); | 1243 | EUID_ASSERT(); |
1233 | 1244 | ||
1234 | #ifdef WARN_DUMPABLE | ||
1235 | if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid()) | ||
1236 | fprintf(stderr, "Error: Firejail is dumpable\n"); | ||
1237 | #endif | ||
1238 | |||
1239 | // check for force-nonewprivs in /etc/firejail/firejail.config file | 1245 | // check for force-nonewprivs in /etc/firejail/firejail.config file |
1240 | if (checkcfg(CFG_FORCE_NONEWPRIVS)) | 1246 | if (checkcfg(CFG_FORCE_NONEWPRIVS)) |
1241 | arg_nonewprivs = 1; | 1247 | arg_nonewprivs = 1; |
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 6c7803602..111d94333 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c | |||
@@ -41,7 +41,7 @@ int check_namespace_virt(void) { | |||
41 | EUID_ASSERT(); | 41 | EUID_ASSERT(); |
42 | 42 | ||
43 | // check container environment variable | 43 | // check container environment variable |
44 | char *str = getenv("container"); | 44 | const char *str = env_get("container"); |
45 | if (str && is_container(str)) | 45 | if (str && is_container(str)) |
46 | return 1; | 46 | return 1; |
47 | 47 | ||
diff --git a/src/firejail/output.c b/src/firejail/output.c index 36cb905cb..1682ee025 100644 --- a/src/firejail/output.c +++ b/src/firejail/output.c | |||
@@ -95,6 +95,9 @@ void check_output(int argc, char **argv) { | |||
95 | close(pipefd[0]); | 95 | close(pipefd[0]); |
96 | } | 96 | } |
97 | 97 | ||
98 | // restore some environment variables | ||
99 | env_apply_whitelist_sbox(); | ||
100 | |||
98 | char *args[3]; | 101 | char *args[3]; |
99 | args[0] = LIBDIR "/firejail/ftee"; | 102 | args[0] = LIBDIR "/firejail/ftee"; |
100 | args[1] = outfile; | 103 | args[1] = outfile; |
@@ -137,6 +140,10 @@ void check_output(int argc, char **argv) { | |||
137 | } | 140 | } |
138 | args[j++] = argv[i]; | 141 | args[j++] = argv[i]; |
139 | } | 142 | } |
143 | |||
144 | // restore original environment variables | ||
145 | env_apply_all(); | ||
146 | |||
140 | execvp(args[0], args); | 147 | execvp(args[0], args); |
141 | 148 | ||
142 | perror("execvp"); | 149 | perror("execvp"); |
diff --git a/src/firejail/paths.c b/src/firejail/paths.c index 5de704bef..981a6bc71 100644 --- a/src/firejail/paths.c +++ b/src/firejail/paths.c | |||
@@ -26,13 +26,13 @@ static unsigned int longest_path_elt = 0; | |||
26 | 26 | ||
27 | static char *elt = NULL; // moved from inside init_paths in order to get rid of scan-build warning | 27 | static char *elt = NULL; // moved from inside init_paths in order to get rid of scan-build warning |
28 | static void init_paths(void) { | 28 | static void init_paths(void) { |
29 | char *path = getenv("PATH"); | 29 | const char *env_path = env_get("PATH"); |
30 | char *p; | 30 | char *p; |
31 | if (!path) { | 31 | if (!env_path) { |
32 | path = "/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"; | 32 | env_path = "/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"; |
33 | setenv("PATH", path, 1); | 33 | env_store_name_val("PATH", env_path, SETENV); |
34 | } | 34 | } |
35 | path = strdup(path); | 35 | char *path = strdup(env_path); |
36 | if (!path) | 36 | if (!path) |
37 | errExit("strdup"); | 37 | errExit("strdup"); |
38 | 38 | ||
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 1ee8cdfcb..3766ba8f0 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -158,7 +158,7 @@ static int check_nosound(void) { | |||
158 | } | 158 | } |
159 | 159 | ||
160 | static int check_x11(void) { | 160 | static int check_x11(void) { |
161 | return (arg_x11_block || arg_x11_xorg || getenv("FIREJAIL_X11")); | 161 | return (arg_x11_block || arg_x11_xorg || env_get("FIREJAIL_X11")); |
162 | } | 162 | } |
163 | 163 | ||
164 | static int check_disable_u2f(void) { | 164 | static int check_disable_u2f(void) { |
@@ -1181,7 +1181,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1181 | if (strcmp(ptr, "x11 xephyr") == 0) { | 1181 | if (strcmp(ptr, "x11 xephyr") == 0) { |
1182 | #ifdef HAVE_X11 | 1182 | #ifdef HAVE_X11 |
1183 | if (checkcfg(CFG_X11)) { | 1183 | if (checkcfg(CFG_X11)) { |
1184 | char *x11env = getenv("FIREJAIL_X11"); | 1184 | const char *x11env = env_get("FIREJAIL_X11"); |
1185 | if (x11env && strcmp(x11env, "yes") == 0) { | 1185 | if (x11env && strcmp(x11env, "yes") == 0) { |
1186 | return 0; | 1186 | return 0; |
1187 | } | 1187 | } |
@@ -1210,7 +1210,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1210 | if (strcmp(ptr, "x11 xpra") == 0) { | 1210 | if (strcmp(ptr, "x11 xpra") == 0) { |
1211 | #ifdef HAVE_X11 | 1211 | #ifdef HAVE_X11 |
1212 | if (checkcfg(CFG_X11)) { | 1212 | if (checkcfg(CFG_X11)) { |
1213 | char *x11env = getenv("FIREJAIL_X11"); | 1213 | const char *x11env = env_get("FIREJAIL_X11"); |
1214 | if (x11env && strcmp(x11env, "yes") == 0) { | 1214 | if (x11env && strcmp(x11env, "yes") == 0) { |
1215 | return 0; | 1215 | return 0; |
1216 | } | 1216 | } |
@@ -1229,7 +1229,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1229 | if (strcmp(ptr, "x11 xvfb") == 0) { | 1229 | if (strcmp(ptr, "x11 xvfb") == 0) { |
1230 | #ifdef HAVE_X11 | 1230 | #ifdef HAVE_X11 |
1231 | if (checkcfg(CFG_X11)) { | 1231 | if (checkcfg(CFG_X11)) { |
1232 | char *x11env = getenv("FIREJAIL_X11"); | 1232 | const char *x11env = env_get("FIREJAIL_X11"); |
1233 | if (x11env && strcmp(x11env, "yes") == 0) { | 1233 | if (x11env && strcmp(x11env, "yes") == 0) { |
1234 | return 0; | 1234 | return 0; |
1235 | } | 1235 | } |
@@ -1248,7 +1248,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1248 | if (strcmp(ptr, "x11") == 0) { | 1248 | if (strcmp(ptr, "x11") == 0) { |
1249 | #ifdef HAVE_X11 | 1249 | #ifdef HAVE_X11 |
1250 | if (checkcfg(CFG_X11)) { | 1250 | if (checkcfg(CFG_X11)) { |
1251 | char *x11env = getenv("FIREJAIL_X11"); | 1251 | const char *x11env = env_get("FIREJAIL_X11"); |
1252 | if (x11env && strcmp(x11env, "yes") == 0) { | 1252 | if (x11env && strcmp(x11env, "yes") == 0) { |
1253 | return 0; | 1253 | return 0; |
1254 | } | 1254 | } |
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index a5c924a70..5df3d9cd3 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c | |||
@@ -42,7 +42,7 @@ void pulseaudio_disable(void) { | |||
42 | 42 | ||
43 | 43 | ||
44 | // blacklist pulseaudio socket in XDG_RUNTIME_DIR | 44 | // blacklist pulseaudio socket in XDG_RUNTIME_DIR |
45 | char *name = getenv("XDG_RUNTIME_DIR"); | 45 | const char *name = env_get("XDG_RUNTIME_DIR"); |
46 | if (name) | 46 | if (name) |
47 | disable_file_path(name, "pulse/native"); | 47 | disable_file_path(name, "pulse/native"); |
48 | 48 | ||
@@ -76,7 +76,10 @@ void pulseaudio_disable(void) { | |||
76 | } | 76 | } |
77 | 77 | ||
78 | static void pulseaudio_fallback(const char *path) { | 78 | static void pulseaudio_fallback(const char *path) { |
79 | assert(path); | ||
80 | |||
79 | fmessage("Cannot mount tmpfs on %s/.config/pulse\n", cfg.homedir); | 81 | fmessage("Cannot mount tmpfs on %s/.config/pulse\n", cfg.homedir); |
82 | env_store_name_val("PULSE_CLIENTCONFIG", path, SETENV); | ||
80 | if (setenv("PULSE_CLIENTCONFIG", path, 1) < 0) | 83 | if (setenv("PULSE_CLIENTCONFIG", path, 1) < 0) |
81 | errExit("setenv"); | 84 | errExit("setenv"); |
82 | } | 85 | } |
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c index ea3889024..5bf27fc6d 100644 --- a/src/firejail/run_symlink.c +++ b/src/firejail/run_symlink.c | |||
@@ -22,6 +22,8 @@ | |||
22 | #include <sys/stat.h> | 22 | #include <sys/stat.h> |
23 | #include <unistd.h> | 23 | #include <unistd.h> |
24 | 24 | ||
25 | extern char *find_in_path(const char *program); | ||
26 | |||
25 | void run_symlink(int argc, char **argv, int run_as_is) { | 27 | void run_symlink(int argc, char **argv, int run_as_is) { |
26 | EUID_ASSERT(); | 28 | EUID_ASSERT(); |
27 | 29 | ||
@@ -40,58 +42,25 @@ void run_symlink(int argc, char **argv, int run_as_is) { | |||
40 | errExit("setresuid"); | 42 | errExit("setresuid"); |
41 | 43 | ||
42 | // find the real program by looking in PATH | 44 | // find the real program by looking in PATH |
43 | char *p = getenv("PATH"); | 45 | const char *path = env_get("PATH"); |
44 | if (!p) { | 46 | if (!path) { |
45 | fprintf(stderr, "Error: PATH environment variable not set\n"); | 47 | fprintf(stderr, "Error: PATH environment variable not set\n"); |
46 | exit(1); | 48 | exit(1); |
47 | } | 49 | } |
48 | 50 | ||
49 | char *path = strdup(p); | 51 | char *p = find_in_path(program); |
50 | if (!path) | 52 | if (!p) { |
51 | errExit("strdup"); | ||
52 | |||
53 | char *selfpath = realpath("/proc/self/exe", NULL); | ||
54 | if (!selfpath) | ||
55 | errExit("realpath"); | ||
56 | |||
57 | // look in path for our program | ||
58 | char *tok = strtok(path, ":"); | ||
59 | int found = 0; | ||
60 | while (tok) { | ||
61 | char *name; | ||
62 | if (asprintf(&name, "%s/%s", tok, program) == -1) | ||
63 | errExit("asprintf"); | ||
64 | |||
65 | struct stat s; | ||
66 | if (stat(name, &s) == 0) { | ||
67 | /* coverity[toctou] */ | ||
68 | char* rp = realpath(name, NULL); | ||
69 | if (!rp) | ||
70 | errExit("realpath"); | ||
71 | |||
72 | if (strcmp(selfpath, rp) != 0) { | ||
73 | program = strdup(name); | ||
74 | found = 1; | ||
75 | free(rp); | ||
76 | break; | ||
77 | } | ||
78 | |||
79 | free(rp); | ||
80 | } | ||
81 | |||
82 | free(name); | ||
83 | tok = strtok(NULL, ":"); | ||
84 | } | ||
85 | if (!found) { | ||
86 | fprintf(stderr, "Error: cannot find the program in the path\n"); | 53 | fprintf(stderr, "Error: cannot find the program in the path\n"); |
87 | exit(1); | 54 | exit(1); |
88 | } | 55 | } |
89 | 56 | program = p; | |
90 | free(selfpath); | ||
91 | 57 | ||
92 | // restore original umask | 58 | // restore original umask |
93 | umask(orig_umask); | 59 | umask(orig_umask); |
94 | 60 | ||
61 | // restore original environment variables | ||
62 | env_apply_all(); | ||
63 | |||
95 | // desktop integration is not supported for root user; instead, the original program is started | 64 | // desktop integration is not supported for root user; instead, the original program is started |
96 | if (getuid() == 0 || run_as_is) { | 65 | if (getuid() == 0 || run_as_is) { |
97 | argv[0] = program; | 66 | argv[0] = program; |
@@ -108,6 +77,7 @@ void run_symlink(int argc, char **argv, int run_as_is) { | |||
108 | a[i + 2] = argv[i + 1]; | 77 | a[i + 2] = argv[i + 1]; |
109 | } | 78 | } |
110 | a[i + 2] = NULL; | 79 | a[i + 2] = NULL; |
80 | assert(env_get("LD_PRELOAD") == NULL); | ||
111 | assert(getenv("LD_PRELOAD") == NULL); | 81 | assert(getenv("LD_PRELOAD") == NULL); |
112 | execvp(a[0], a); | 82 | execvp(a[0], a); |
113 | 83 | ||
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index d811fe45a..1f94d86cd 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -268,8 +268,7 @@ static void sandbox_if_up(Bridge *br) { | |||
268 | 268 | ||
269 | static void chk_chroot(void) { | 269 | static void chk_chroot(void) { |
270 | // if we are starting firejail inside some other container technology, we don't care about this | 270 | // if we are starting firejail inside some other container technology, we don't care about this |
271 | char *mycont = getenv("container"); | 271 | if (env_get("container")) |
272 | if (mycont) | ||
273 | return; | 272 | return; |
274 | 273 | ||
275 | // check if this is a regular chroot | 274 | // check if this is a regular chroot |
@@ -419,7 +418,7 @@ static int ok_to_run(const char *program) { | |||
419 | return 1; | 418 | return 1; |
420 | } | 419 | } |
421 | else { // search $PATH | 420 | else { // search $PATH |
422 | char *path1 = getenv("PATH"); | 421 | const char *path1 = env_get("PATH"); |
423 | if (path1) { | 422 | if (path1) { |
424 | if (arg_debug) | 423 | if (arg_debug) |
425 | printf("Searching $PATH for %s\n", program); | 424 | printf("Searching $PATH for %s\n", program); |
@@ -465,7 +464,7 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) { | |||
465 | // set environment | 464 | // set environment |
466 | if (no_sandbox == 0) { | 465 | if (no_sandbox == 0) { |
467 | env_defaults(); | 466 | env_defaults(); |
468 | env_apply(); | 467 | env_apply_all(); |
469 | } | 468 | } |
470 | // restore original umask | 469 | // restore original umask |
471 | umask(orig_umask); | 470 | umask(orig_umask); |
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index a2aaa86eb..baf99c5b9 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c | |||
@@ -36,7 +36,7 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char * | |||
36 | int env_index = 0; | 36 | int env_index = 0; |
37 | char *new_environment[256] = { NULL }; | 37 | char *new_environment[256] = { NULL }; |
38 | // preserve firejail-specific env vars | 38 | // preserve firejail-specific env vars |
39 | char *cl = getenv("FIREJAIL_FILE_COPY_LIMIT"); | 39 | const char *cl = env_get("FIREJAIL_FILE_COPY_LIMIT"); |
40 | if (cl) { | 40 | if (cl) { |
41 | if (asprintf(&new_environment[env_index++], "FIREJAIL_FILE_COPY_LIMIT=%s", cl) == -1) | 41 | if (asprintf(&new_environment[env_index++], "FIREJAIL_FILE_COPY_LIMIT=%s", cl) == -1) |
42 | errExit("asprintf"); | 42 | errExit("asprintf"); |
@@ -120,7 +120,7 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char * | |||
120 | // handle X32 ABI | 120 | // handle X32 ABI |
121 | BPF_JUMP(BPF_JMP + BPF_JGE + BPF_K, X32_SYSCALL_BIT, 1, 0), | 121 | BPF_JUMP(BPF_JMP + BPF_JGE + BPF_K, X32_SYSCALL_BIT, 1, 0), |
122 | BPF_JUMP(BPF_JMP + BPF_JGE + BPF_K, 0, 1, 0), | 122 | BPF_JUMP(BPF_JMP + BPF_JGE + BPF_K, 0, 1, 0), |
123 | RETURN_ERRNO(EPERM), | 123 | KILL_OR_RETURN_ERRNO, |
124 | #endif | 124 | #endif |
125 | 125 | ||
126 | // syscall list | 126 | // syscall list |
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index e47e6c910..808dd4c37 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
@@ -208,7 +208,7 @@ int seccomp_filter_drop(bool native) { | |||
208 | // - seccomp | 208 | // - seccomp |
209 | if (cfg.seccomp_list_drop == NULL) { | 209 | if (cfg.seccomp_list_drop == NULL) { |
210 | // default seccomp if error action is not changed | 210 | // default seccomp if error action is not changed |
211 | if (cfg.seccomp_list == NULL && cfg.seccomp_error_action) { | 211 | if (cfg.seccomp_list == NULL && arg_seccomp_error_action == DEFAULT_SECCOMP_ERROR_ACTION) { |
212 | if (arg_seccomp_block_secondary) | 212 | if (arg_seccomp_block_secondary) |
213 | seccomp_filter_block_secondary(); | 213 | seccomp_filter_block_secondary(); |
214 | else { | 214 | else { |
@@ -221,11 +221,29 @@ int seccomp_filter_drop(bool native) { | |||
221 | } | 221 | } |
222 | // default seccomp filter with additional drop list | 222 | // default seccomp filter with additional drop list |
223 | else { // cfg.seccomp_list != NULL | 223 | else { // cfg.seccomp_list != NULL |
224 | if (arg_seccomp_block_secondary) | 224 | int rv; |
225 | |||
226 | if (arg_seccomp_block_secondary) { | ||
227 | if (arg_seccomp_error_action != DEFAULT_SECCOMP_ERROR_ACTION) { | ||
228 | if (arg_debug) | ||
229 | printf("Rebuild secondary block seccomp filter\n"); | ||
230 | rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4, | ||
231 | PATH_FSECCOMP, "secondary", "block", RUN_SECCOMP_BLOCK_SECONDARY); | ||
232 | if (rv) | ||
233 | exit(rv); | ||
234 | } | ||
225 | seccomp_filter_block_secondary(); | 235 | seccomp_filter_block_secondary(); |
226 | else { | 236 | } else { |
227 | #if defined(__x86_64__) | 237 | #if defined(__x86_64__) |
228 | #if defined(__LP64__) | 238 | #if defined(__LP64__) |
239 | if (arg_seccomp_error_action != DEFAULT_SECCOMP_ERROR_ACTION) { | ||
240 | if (arg_debug) | ||
241 | printf("Rebuild 32 bit seccomp filter\n"); | ||
242 | rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4, | ||
243 | PATH_FSECCOMP, "secondary", "32", RUN_SECCOMP_32); | ||
244 | if (rv) | ||
245 | exit(rv); | ||
246 | } | ||
229 | seccomp_filter_32(); | 247 | seccomp_filter_32(); |
230 | #endif | 248 | #endif |
231 | #endif | 249 | #endif |
@@ -242,16 +260,22 @@ int seccomp_filter_drop(bool native) { | |||
242 | list = cfg.seccomp_list32; | 260 | list = cfg.seccomp_list32; |
243 | } | 261 | } |
244 | 262 | ||
245 | if (list == NULL) | ||
246 | list = ""; | ||
247 | // build the seccomp filter as a regular user | 263 | // build the seccomp filter as a regular user |
248 | int rv; | 264 | if (list) |
249 | if (arg_allow_debuggers) | 265 | if (arg_allow_debuggers) |
250 | rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7, | 266 | rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7, |
251 | PATH_FSECCOMP, command, "drop", filter, postexec_filter, list, "allow-debuggers"); | 267 | PATH_FSECCOMP, command, "drop", filter, postexec_filter, list, "allow-debuggers"); |
268 | else | ||
269 | rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6, | ||
270 | PATH_FSECCOMP, command, "drop", filter, postexec_filter, list); | ||
252 | else | 271 | else |
253 | rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6, | 272 | if (arg_allow_debuggers) |
254 | PATH_FSECCOMP, command, "drop", filter, postexec_filter, list); | 273 | rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4, |
274 | PATH_FSECCOMP, command, filter, "allow-debuggers"); | ||
275 | else | ||
276 | rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, | ||
277 | PATH_FSECCOMP, command, filter); | ||
278 | |||
255 | if (rv) | 279 | if (rv) |
256 | exit(rv); | 280 | exit(rv); |
257 | 281 | ||
diff --git a/src/firejail/util.c b/src/firejail/util.c index a3927cc88..911c8bd94 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -565,27 +565,18 @@ char *clean_pathname(const char *path) { | |||
565 | if (!rv) | 565 | if (!rv) |
566 | errExit("malloc"); | 566 | errExit("malloc"); |
567 | 567 | ||
568 | if (len > 0) { | 568 | size_t i = 0; |
569 | size_t i = 0, j = 0, cnt = 0; | 569 | size_t j = 0; |
570 | for (; i < len; i++) { | 570 | while (path[i]) { |
571 | if (path[i] == '/') | 571 | while (path[i] == '/' && path[i+1] == '/') |
572 | cnt++; | 572 | i++; |
573 | else | 573 | rv[j++] = path[i++]; |
574 | cnt = 0; | ||
575 | |||
576 | if (cnt < 2) { | ||
577 | rv[j] = path[i]; | ||
578 | j++; | ||
579 | } | ||
580 | } | ||
581 | rv[j] = '\0'; | ||
582 | |||
583 | // remove a trailing slash | ||
584 | if (j > 1 && rv[j - 1] == '/') | ||
585 | rv[j - 1] = '\0'; | ||
586 | } | 574 | } |
587 | else | 575 | rv[j] = '\0'; |
588 | *rv = '\0'; | 576 | |
577 | // remove a trailing slash | ||
578 | if (j > 1 && rv[j - 1] == '/') | ||
579 | rv[j - 1] = '\0'; | ||
589 | 580 | ||
590 | return rv; | 581 | return rv; |
591 | } | 582 | } |
@@ -820,20 +811,6 @@ void notify_other(int fd) { | |||
820 | fclose(stream); | 811 | fclose(stream); |
821 | } | 812 | } |
822 | 813 | ||
823 | |||
824 | |||
825 | |||
826 | // Equivalent to the GNU version of basename, which is incompatible with | ||
827 | // the POSIX basename. A few lines of code saves any portability pain. | ||
828 | // https://www.gnu.org/software/libc/manual/html_node/Finding-Tokens-in-a-String.html#index-basename | ||
829 | const char *gnu_basename(const char *path) { | ||
830 | const char *last_slash = strrchr(path, '/'); | ||
831 | if (!last_slash) | ||
832 | return path; | ||
833 | return last_slash+1; | ||
834 | } | ||
835 | |||
836 | |||
837 | uid_t pid_get_uid(pid_t pid) { | 814 | uid_t pid_get_uid(pid_t pid) { |
838 | EUID_ASSERT(); | 815 | EUID_ASSERT(); |
839 | uid_t rv = 0; | 816 | uid_t rv = 0; |
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 4872a5207..1121ec84e 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
@@ -41,7 +41,7 @@ | |||
41 | // Parse the DISPLAY environment variable and return a display number. | 41 | // Parse the DISPLAY environment variable and return a display number. |
42 | // Returns -1 if DISPLAY is not set, or is set to anything other than :ddd. | 42 | // Returns -1 if DISPLAY is not set, or is set to anything other than :ddd. |
43 | int x11_display(void) { | 43 | int x11_display(void) { |
44 | const char *display_str = getenv("DISPLAY"); | 44 | const char *display_str = env_get("DISPLAY"); |
45 | char *endp; | 45 | char *endp; |
46 | unsigned long display; | 46 | unsigned long display; |
47 | 47 | ||
@@ -208,7 +208,7 @@ void x11_start_xvfb(int argc, char **argv) { | |||
208 | pid_t jail = 0; | 208 | pid_t jail = 0; |
209 | pid_t server = 0; | 209 | pid_t server = 0; |
210 | 210 | ||
211 | setenv("FIREJAIL_X11", "yes", 1); | 211 | env_store_name_val("FIREJAIL_X11", "yes", SETENV); |
212 | 212 | ||
213 | // never try to run X servers as root!!! | 213 | // never try to run X servers as root!!! |
214 | if (getuid() == 0) { | 214 | if (getuid() == 0) { |
@@ -326,7 +326,11 @@ void x11_start_xvfb(int argc, char **argv) { | |||
326 | if (arg_debug) | 326 | if (arg_debug) |
327 | printf("Starting xvfb...\n"); | 327 | printf("Starting xvfb...\n"); |
328 | 328 | ||
329 | // restore original environment variables | ||
330 | env_apply_all(); | ||
331 | |||
329 | // running without privileges - see drop_privs call above | 332 | // running without privileges - see drop_privs call above |
333 | assert(env_get("LD_PRELOAD") == NULL); | ||
330 | assert(getenv("LD_PRELOAD") == NULL); | 334 | assert(getenv("LD_PRELOAD") == NULL); |
331 | execvp(server_argv[0], server_argv); | 335 | execvp(server_argv[0], server_argv); |
332 | perror("execvp"); | 336 | perror("execvp"); |
@@ -355,7 +359,7 @@ void x11_start_xvfb(int argc, char **argv) { | |||
355 | free(fname); | 359 | free(fname); |
356 | 360 | ||
357 | assert(display_str); | 361 | assert(display_str); |
358 | setenv("DISPLAY", display_str, 1); | 362 | env_store_name_val("DISPLAY", display_str, SETENV); |
359 | // run attach command | 363 | // run attach command |
360 | jail = fork(); | 364 | jail = fork(); |
361 | if (jail < 0) | 365 | if (jail < 0) |
@@ -363,7 +367,11 @@ void x11_start_xvfb(int argc, char **argv) { | |||
363 | if (jail == 0) { | 367 | if (jail == 0) { |
364 | fmessage("\n*** Attaching to Xvfb display %d ***\n\n", display); | 368 | fmessage("\n*** Attaching to Xvfb display %d ***\n\n", display); |
365 | 369 | ||
370 | // restore original environment variables | ||
371 | env_apply_all(); | ||
372 | |||
366 | // running without privileges - see drop_privs call above | 373 | // running without privileges - see drop_privs call above |
374 | assert(env_get("LD_PRELOAD") == NULL); | ||
367 | assert(getenv("LD_PRELOAD") == NULL); | 375 | assert(getenv("LD_PRELOAD") == NULL); |
368 | execvp(jail_argv[0], jail_argv); | 376 | execvp(jail_argv[0], jail_argv); |
369 | perror("execvp"); | 377 | perror("execvp"); |
@@ -428,7 +436,7 @@ void x11_start_xephyr(int argc, char **argv) { | |||
428 | if (newscreen) | 436 | if (newscreen) |
429 | xephyr_screen = newscreen; | 437 | xephyr_screen = newscreen; |
430 | 438 | ||
431 | setenv("FIREJAIL_X11", "yes", 1); | 439 | env_store_name_val("FIREJAIL_X11", "yes", SETENV); |
432 | 440 | ||
433 | // unfortunately, xephyr does a number of weird things when started by root user!!! | 441 | // unfortunately, xephyr does a number of weird things when started by root user!!! |
434 | if (getuid() == 0) { | 442 | if (getuid() == 0) { |
@@ -556,7 +564,11 @@ void x11_start_xephyr(int argc, char **argv) { | |||
556 | if (arg_debug) | 564 | if (arg_debug) |
557 | printf("Starting xephyr...\n"); | 565 | printf("Starting xephyr...\n"); |
558 | 566 | ||
567 | // restore original environment variables | ||
568 | env_apply_all(); | ||
569 | |||
559 | // running without privileges - see drop_privs call above | 570 | // running without privileges - see drop_privs call above |
571 | assert(env_get("LD_PRELOAD") == NULL); | ||
560 | assert(getenv("LD_PRELOAD") == NULL); | 572 | assert(getenv("LD_PRELOAD") == NULL); |
561 | execvp(server_argv[0], server_argv); | 573 | execvp(server_argv[0], server_argv); |
562 | perror("execvp"); | 574 | perror("execvp"); |
@@ -585,7 +597,7 @@ void x11_start_xephyr(int argc, char **argv) { | |||
585 | free(fname); | 597 | free(fname); |
586 | 598 | ||
587 | assert(display_str); | 599 | assert(display_str); |
588 | setenv("DISPLAY", display_str, 1); | 600 | env_store_name_val("DISPLAY", display_str, SETENV); |
589 | // run attach command | 601 | // run attach command |
590 | jail = fork(); | 602 | jail = fork(); |
591 | if (jail < 0) | 603 | if (jail < 0) |
@@ -594,8 +606,12 @@ void x11_start_xephyr(int argc, char **argv) { | |||
594 | if (!arg_quiet) | 606 | if (!arg_quiet) |
595 | printf("\n*** Attaching to Xephyr display %d ***\n\n", display); | 607 | printf("\n*** Attaching to Xephyr display %d ***\n\n", display); |
596 | 608 | ||
609 | // restore original environment variables | ||
610 | env_apply_all(); | ||
611 | |||
597 | // running without privileges - see drop_privs call above | 612 | // running without privileges - see drop_privs call above |
598 | assert(getenv("LD_PRELOAD") == NULL); | 613 | assert(getenv("LD_PRELOAD") == NULL); |
614 | assert(env_get("LD_PRELOAD") == NULL); | ||
599 | execvp(jail_argv[0], jail_argv); | 615 | execvp(jail_argv[0], jail_argv); |
600 | perror("execvp"); | 616 | perror("execvp"); |
601 | _exit(1); | 617 | _exit(1); |
@@ -780,8 +796,12 @@ static void __attribute__((noreturn)) x11_start_xpra_old(int argc, char **argv, | |||
780 | dup2(fd_null,2); | 796 | dup2(fd_null,2); |
781 | } | 797 | } |
782 | 798 | ||
799 | // restore original environment variables | ||
800 | env_apply_all(); | ||
801 | |||
783 | // running without privileges - see drop_privs call above | 802 | // running without privileges - see drop_privs call above |
784 | assert(getenv("LD_PRELOAD") == NULL); | 803 | assert(getenv("LD_PRELOAD") == NULL); |
804 | assert(env_get("LD_PRELOAD") == NULL); | ||
785 | execvp(server_argv[0], server_argv); | 805 | execvp(server_argv[0], server_argv); |
786 | perror("execvp"); | 806 | perror("execvp"); |
787 | _exit(1); | 807 | _exit(1); |
@@ -827,7 +847,11 @@ static void __attribute__((noreturn)) x11_start_xpra_old(int argc, char **argv, | |||
827 | 847 | ||
828 | fmessage("\n*** Attaching to xpra display %d ***\n\n", display); | 848 | fmessage("\n*** Attaching to xpra display %d ***\n\n", display); |
829 | 849 | ||
850 | // restore original environment variables | ||
851 | env_apply_all(); | ||
852 | |||
830 | // running without privileges - see drop_privs call above | 853 | // running without privileges - see drop_privs call above |
854 | assert(env_get("LD_PRELOAD") == NULL); | ||
831 | assert(getenv("LD_PRELOAD") == NULL); | 855 | assert(getenv("LD_PRELOAD") == NULL); |
832 | execvp(attach_argv[0], attach_argv); | 856 | execvp(attach_argv[0], attach_argv); |
833 | perror("execvp"); | 857 | perror("execvp"); |
@@ -835,7 +859,7 @@ static void __attribute__((noreturn)) x11_start_xpra_old(int argc, char **argv, | |||
835 | } | 859 | } |
836 | 860 | ||
837 | assert(display_str); | 861 | assert(display_str); |
838 | setenv("DISPLAY", display_str, 1); | 862 | env_store_name_val("DISPLAY", display_str, SETENV); |
839 | 863 | ||
840 | // build jail command | 864 | // build jail command |
841 | char *firejail_argv[argc+2]; | 865 | char *firejail_argv[argc+2]; |
@@ -857,7 +881,12 @@ static void __attribute__((noreturn)) x11_start_xpra_old(int argc, char **argv, | |||
857 | errExit("fork"); | 881 | errExit("fork"); |
858 | if (jail == 0) { | 882 | if (jail == 0) { |
859 | // running without privileges - see drop_privs call above | 883 | // running without privileges - see drop_privs call above |
884 | assert(env_get("LD_PRELOAD") == NULL); | ||
860 | assert(getenv("LD_PRELOAD") == NULL); | 885 | assert(getenv("LD_PRELOAD") == NULL); |
886 | |||
887 | // restore original environment variables | ||
888 | env_apply_all(); | ||
889 | |||
861 | if (firejail_argv[0]) // shut up llvm scan-build | 890 | if (firejail_argv[0]) // shut up llvm scan-build |
862 | execvp(firejail_argv[0], firejail_argv); | 891 | execvp(firejail_argv[0], firejail_argv); |
863 | perror("execvp"); | 892 | perror("execvp"); |
@@ -883,7 +912,12 @@ static void __attribute__((noreturn)) x11_start_xpra_old(int argc, char **argv, | |||
883 | dup2(fd_null,1); | 912 | dup2(fd_null,1); |
884 | dup2(fd_null,2); | 913 | dup2(fd_null,2); |
885 | } | 914 | } |
915 | |||
916 | // restore original environment variables | ||
917 | env_apply_all(); | ||
918 | |||
886 | // running without privileges - see drop_privs call above | 919 | // running without privileges - see drop_privs call above |
920 | assert(env_get("LD_PRELOAD") == NULL); | ||
887 | assert(getenv("LD_PRELOAD") == NULL); | 921 | assert(getenv("LD_PRELOAD") == NULL); |
888 | execvp(stop_argv[0], stop_argv); | 922 | execvp(stop_argv[0], stop_argv); |
889 | perror("execvp"); | 923 | perror("execvp"); |
@@ -1051,7 +1085,11 @@ static void __attribute__((noreturn)) x11_start_xpra_new(int argc, char **argv, | |||
1051 | dup2(fd_null,2); | 1085 | dup2(fd_null,2); |
1052 | } | 1086 | } |
1053 | 1087 | ||
1088 | // restore original environment variables | ||
1089 | env_apply_all(); | ||
1090 | |||
1054 | // running without privileges - see drop_privs call above | 1091 | // running without privileges - see drop_privs call above |
1092 | assert(env_get("LD_PRELOAD") == NULL); | ||
1055 | assert(getenv("LD_PRELOAD") == NULL); | 1093 | assert(getenv("LD_PRELOAD") == NULL); |
1056 | execvp(server_argv[0], server_argv); | 1094 | execvp(server_argv[0], server_argv); |
1057 | perror("execvp"); | 1095 | perror("execvp"); |
@@ -1072,7 +1110,7 @@ static void __attribute__((noreturn)) x11_start_xpra_new(int argc, char **argv, | |||
1072 | void x11_start_xpra(int argc, char **argv) { | 1110 | void x11_start_xpra(int argc, char **argv) { |
1073 | EUID_ASSERT(); | 1111 | EUID_ASSERT(); |
1074 | 1112 | ||
1075 | setenv("FIREJAIL_X11", "yes", 1); | 1113 | env_store_name_val("FIREJAIL_X11", "yes", SETENV); |
1076 | 1114 | ||
1077 | // unfortunately, xpra does a number of weird things when started by root user!!! | 1115 | // unfortunately, xpra does a number of weird things when started by root user!!! |
1078 | if (getuid() == 0) { | 1116 | if (getuid() == 0) { |
@@ -1134,7 +1172,7 @@ void x11_xorg(void) { | |||
1134 | #ifdef HAVE_X11 | 1172 | #ifdef HAVE_X11 |
1135 | 1173 | ||
1136 | // get DISPLAY env | 1174 | // get DISPLAY env |
1137 | char *display = getenv("DISPLAY"); | 1175 | const char *display = env_get("DISPLAY"); |
1138 | if (!display) { | 1176 | if (!display) { |
1139 | fputs("Error: --x11=xorg requires an 'outer' X11 server to use.\n", stderr); | 1177 | fputs("Error: --x11=xorg requires an 'outer' X11 server to use.\n", stderr); |
1140 | exit(1); | 1178 | exit(1); |
@@ -1259,7 +1297,7 @@ void x11_xorg(void) { | |||
1259 | ASSERT_PERMS(dest, getuid(), getgid(), 0600); | 1297 | ASSERT_PERMS(dest, getuid(), getgid(), 0600); |
1260 | 1298 | ||
1261 | // blacklist user .Xauthority file if it is not masked already | 1299 | // blacklist user .Xauthority file if it is not masked already |
1262 | char *envar = getenv("XAUTHORITY"); | 1300 | const char *envar = env_get("XAUTHORITY"); |
1263 | if (envar) { | 1301 | if (envar) { |
1264 | char *rp = realpath(envar, NULL); | 1302 | char *rp = realpath(envar, NULL); |
1265 | if (rp) { | 1303 | if (rp) { |
@@ -1269,8 +1307,7 @@ void x11_xorg(void) { | |||
1269 | } | 1307 | } |
1270 | } | 1308 | } |
1271 | // set environment variable | 1309 | // set environment variable |
1272 | if (setenv("XAUTHORITY", dest, 1) < 0) | 1310 | env_store_name_val("XAUTHORITY", dest, SETENV); |
1273 | errExit("setenv"); | ||
1274 | free(dest); | 1311 | free(dest); |
1275 | 1312 | ||
1276 | // mask RUN_XAUTHORITY_SEC_DIR | 1313 | // mask RUN_XAUTHORITY_SEC_DIR |
@@ -1391,7 +1428,7 @@ void x11_block(void) { | |||
1391 | errExit("strdup"); | 1428 | errExit("strdup"); |
1392 | profile_check_line(cmd, 0, NULL); | 1429 | profile_check_line(cmd, 0, NULL); |
1393 | profile_add(cmd); | 1430 | profile_add(cmd); |
1394 | char *xauthority = getenv("XAUTHORITY"); | 1431 | const char *xauthority = env_get("XAUTHORITY"); |
1395 | if (xauthority) { | 1432 | if (xauthority) { |
1396 | char *line; | 1433 | char *line; |
1397 | if (asprintf(&line, "blacklist %s", xauthority) == -1) | 1434 | if (asprintf(&line, "blacklist %s", xauthority) == -1) |
diff --git a/src/firemon/Makefile.in b/src/firemon/Makefile.in index f2513213c..9ee798fe9 100644 --- a/src/firemon/Makefile.in +++ b/src/firemon/Makefile.in | |||
@@ -2,7 +2,7 @@ all: firemon | |||
2 | 2 | ||
3 | include ../common.mk | 3 | include ../common.mk |
4 | 4 | ||
5 | %.o : %.c $(H_FILE_LIST) | 5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/pid.h |
6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | 6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ |
7 | 7 | ||
8 | firemon: $(OBJS) ../lib/common.o ../lib/pid.o | 8 | firemon: $(OBJS) ../lib/common.o ../lib/pid.o |
diff --git a/src/fldd/Makefile.in b/src/fldd/Makefile.in index 53382c2df..37b139d38 100644 --- a/src/fldd/Makefile.in +++ b/src/fldd/Makefile.in | |||
@@ -5,8 +5,8 @@ include ../common.mk | |||
5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h ../include/ldd_utils.h | 5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h ../include/ldd_utils.h |
6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | 6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ |
7 | 7 | ||
8 | fldd: $(OBJS) ../lib/ldd_utils.o | 8 | fldd: $(OBJS) ../lib/common.o ../lib/ldd_utils.o |
9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS) | 9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS) |
10 | 10 | ||
11 | clean:; rm -fr *.o fldd *.gcov *.gcda *.gcno *.plist | 11 | clean:; rm -fr *.o fldd *.gcov *.gcda *.gcno *.plist |
12 | 12 | ||
diff --git a/src/fldd/main.c b/src/fldd/main.c index d68504f6b..55a0dfcce 100644 --- a/src/fldd/main.c +++ b/src/fldd/main.c | |||
@@ -24,7 +24,6 @@ | |||
24 | #include <fcntl.h> | 24 | #include <fcntl.h> |
25 | #include <sys/mman.h> | 25 | #include <sys/mman.h> |
26 | #include <sys/mount.h> | 26 | #include <sys/mount.h> |
27 | #include <sys/prctl.h> | ||
28 | #include <sys/stat.h> | 27 | #include <sys/stat.h> |
29 | #include <sys/types.h> | 28 | #include <sys/types.h> |
30 | #include <unistd.h> | 29 | #include <unistd.h> |
@@ -303,10 +302,7 @@ printf("\n"); | |||
303 | return 0; | 302 | return 0; |
304 | } | 303 | } |
305 | 304 | ||
306 | #ifdef WARN_DUMPABLE | 305 | warn_dumpable(); |
307 | if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid()) | ||
308 | fprintf(stderr, "Error fldd: I am dumpable\n"); | ||
309 | #endif | ||
310 | 306 | ||
311 | // check program access | 307 | // check program access |
312 | if (access(argv[1], R_OK)) { | 308 | if (access(argv[1], R_OK)) { |
diff --git a/src/fnet/Makefile.in b/src/fnet/Makefile.in index 37566db72..bd5fe9e7a 100644 --- a/src/fnet/Makefile.in +++ b/src/fnet/Makefile.in | |||
@@ -5,8 +5,8 @@ include ../common.mk | |||
5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h | 5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h |
6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | 6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ |
7 | 7 | ||
8 | fnet: $(OBJS) ../lib/libnetlink.o | 8 | fnet: $(OBJS) ../lib/common.o ../lib/libnetlink.o |
9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS) | 9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS) |
10 | 10 | ||
11 | clean:; rm -fr *.o fnet *.gcov *.gcda *.gcno *.plist | 11 | clean:; rm -fr *.o fnet *.gcov *.gcda *.gcno *.plist |
12 | 12 | ||
diff --git a/src/fnet/main.c b/src/fnet/main.c index f6316a7fe..db090fb95 100644 --- a/src/fnet/main.c +++ b/src/fnet/main.c | |||
@@ -21,7 +21,6 @@ | |||
21 | #include <sys/types.h> | 21 | #include <sys/types.h> |
22 | #include <sys/stat.h> | 22 | #include <sys/stat.h> |
23 | #include <sys/utsname.h> | 23 | #include <sys/utsname.h> |
24 | #include <sys/prctl.h> | ||
25 | 24 | ||
26 | int arg_quiet = 0; | 25 | int arg_quiet = 0; |
27 | 26 | ||
@@ -69,10 +68,9 @@ printf("\n"); | |||
69 | usage(); | 68 | usage(); |
70 | return 0; | 69 | return 0; |
71 | } | 70 | } |
72 | #ifdef WARN_DUMPABLE | 71 | |
73 | if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid()) | 72 | warn_dumpable(); |
74 | fprintf(stderr, "Error fnet: I am dumpable\n"); | 73 | |
75 | #endif | ||
76 | char *quiet = getenv("FIREJAIL_QUIET"); | 74 | char *quiet = getenv("FIREJAIL_QUIET"); |
77 | if (quiet && strcmp(quiet, "yes") == 0) | 75 | if (quiet && strcmp(quiet, "yes") == 0) |
78 | arg_quiet = 1; | 76 | arg_quiet = 1; |
diff --git a/src/fnetfilter/Makefile.in b/src/fnetfilter/Makefile.in index 055167192..6fe650a17 100644 --- a/src/fnetfilter/Makefile.in +++ b/src/fnetfilter/Makefile.in | |||
@@ -5,8 +5,8 @@ include ../common.mk | |||
5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h | 5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h |
6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | 6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ |
7 | 7 | ||
8 | fnetfilter: $(OBJS) | 8 | fnetfilter: $(OBJS) ../lib/common.o |
9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) | 9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) |
10 | 10 | ||
11 | clean:; rm -fr *.o fnetfilter *.gcov *.gcda *.gcno *.plist | 11 | clean:; rm -fr *.o fnetfilter *.gcov *.gcda *.gcno *.plist |
12 | 12 | ||
diff --git a/src/fnetfilter/main.c b/src/fnetfilter/main.c index 1ca35ab56..381d0d36e 100644 --- a/src/fnetfilter/main.c +++ b/src/fnetfilter/main.c | |||
@@ -18,7 +18,6 @@ | |||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
19 | */ | 19 | */ |
20 | #include "../include/common.h" | 20 | #include "../include/common.h" |
21 | #include <sys/prctl.h> | ||
22 | 21 | ||
23 | #define MAXBUF 4098 | 22 | #define MAXBUF 4098 |
24 | #define MAXARGS 16 | 23 | #define MAXARGS 16 |
@@ -181,10 +180,9 @@ printf("\n"); | |||
181 | usage(); | 180 | usage(); |
182 | return 1; | 181 | return 1; |
183 | } | 182 | } |
184 | #ifdef WARN_DUMPABLE | 183 | |
185 | if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid()) | 184 | warn_dumpable(); |
186 | fprintf(stderr, "Error fnetfilter: I am dumpable\n"); | 185 | |
187 | #endif | ||
188 | char *destfile = (argc == 3)? argv[2]: argv[1]; | 186 | char *destfile = (argc == 3)? argv[2]: argv[1]; |
189 | char *command = (argc == 3)? argv[1]: NULL; | 187 | char *command = (argc == 3)? argv[1]: NULL; |
190 | //printf("command %s\n", command); | 188 | //printf("command %s\n", command); |
diff --git a/src/fsec-optimize/Makefile.in b/src/fsec-optimize/Makefile.in index 0387f7ec7..cc5ac7e35 100644 --- a/src/fsec-optimize/Makefile.in +++ b/src/fsec-optimize/Makefile.in | |||
@@ -5,8 +5,8 @@ include ../common.mk | |||
5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h | 5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h |
6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | 6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ |
7 | 7 | ||
8 | fsec-optimize: $(OBJS) ../lib/libnetlink.o | 8 | fsec-optimize: $(OBJS) ../lib/common.o ../lib/libnetlink.o |
9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) | 9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o $(LIBS) $(EXTRA_LDFLAGS) |
10 | 10 | ||
11 | clean:; rm -fr *.o fsec-optimize *.gcov *.gcda *.gcno *.plist | 11 | clean:; rm -fr *.o fsec-optimize *.gcov *.gcda *.gcno *.plist |
12 | 12 | ||
diff --git a/src/fsec-optimize/fsec_optimize.h b/src/fsec-optimize/fsec_optimize.h index 034fde2ac..211111641 100644 --- a/src/fsec-optimize/fsec_optimize.h +++ b/src/fsec-optimize/fsec_optimize.h | |||
@@ -22,7 +22,6 @@ | |||
22 | #include "../include/common.h" | 22 | #include "../include/common.h" |
23 | #include "../include/seccomp.h" | 23 | #include "../include/seccomp.h" |
24 | #include <sys/mman.h> | 24 | #include <sys/mman.h> |
25 | #include <sys/prctl.h> | ||
26 | 25 | ||
27 | // optimize.c | 26 | // optimize.c |
28 | struct sock_filter *duplicate(struct sock_filter *filter, int entries); | 27 | struct sock_filter *duplicate(struct sock_filter *filter, int entries); |
diff --git a/src/fsec-optimize/main.c b/src/fsec-optimize/main.c index fb13eeca8..c64587068 100644 --- a/src/fsec-optimize/main.c +++ b/src/fsec-optimize/main.c | |||
@@ -18,6 +18,9 @@ | |||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
19 | */ | 19 | */ |
20 | #include "fsec_optimize.h" | 20 | #include "fsec_optimize.h" |
21 | #include "../include/syscall.h" | ||
22 | |||
23 | int arg_seccomp_error_action = SECCOMP_RET_ERRNO | EPERM; // error action: errno, log or kill | ||
21 | 24 | ||
22 | static void usage(void) { | 25 | static void usage(void) { |
23 | printf("Usage:\n"); | 26 | printf("Usage:\n"); |
@@ -44,11 +47,21 @@ printf("\n"); | |||
44 | return 0; | 47 | return 0; |
45 | } | 48 | } |
46 | 49 | ||
47 | #ifdef WARN_DUMPABLE | 50 | warn_dumpable(); |
48 | // check FIREJAIL_PLUGIN in order to not print a warning during make | 51 | |
49 | if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN")) | 52 | char *error_action = getenv("FIREJAIL_SECCOMP_ERROR_ACTION"); |
50 | fprintf(stderr, "Error fsec-optimize: I am dumpable\n"); | 53 | if (error_action) { |
51 | #endif | 54 | if (strcmp(error_action, "kill") == 0) |
55 | arg_seccomp_error_action = SECCOMP_RET_KILL; | ||
56 | else if (strcmp(error_action, "log") == 0) | ||
57 | arg_seccomp_error_action = SECCOMP_RET_LOG; | ||
58 | else { | ||
59 | arg_seccomp_error_action = errno_find_name(error_action); | ||
60 | if (arg_seccomp_error_action == -1) | ||
61 | errExit("seccomp-error-action: unknown errno"); | ||
62 | arg_seccomp_error_action |= SECCOMP_RET_ERRNO; | ||
63 | } | ||
64 | } | ||
52 | 65 | ||
53 | char *fname = argv[1]; | 66 | char *fname = argv[1]; |
54 | 67 | ||
diff --git a/src/fsec-optimize/optimizer.c b/src/fsec-optimize/optimizer.c index 776beaa75..eb777f13b 100644 --- a/src/fsec-optimize/optimizer.c +++ b/src/fsec-optimize/optimizer.c | |||
@@ -33,7 +33,7 @@ | |||
33 | static inline int is_blacklist(struct sock_filter *bpf) { | 33 | static inline int is_blacklist(struct sock_filter *bpf) { |
34 | if (bpf->code == BPF_JMP + BPF_JEQ + BPF_K && | 34 | if (bpf->code == BPF_JMP + BPF_JEQ + BPF_K && |
35 | (bpf + 1)->code == BPF_RET + BPF_K && | 35 | (bpf + 1)->code == BPF_RET + BPF_K && |
36 | (bpf + 1)->k == SECCOMP_RET_KILL ) | 36 | (bpf + 1)->k == (__u32)arg_seccomp_error_action) |
37 | return 1; | 37 | return 1; |
38 | return 0; | 38 | return 0; |
39 | } | 39 | } |
@@ -89,9 +89,9 @@ static int optimize_blacklists(struct sock_filter *filter, int entries) { | |||
89 | } | 89 | } |
90 | } | 90 | } |
91 | 91 | ||
92 | // step 3: add the new ret KILL, and recalculate entries | 92 | // step 3: add the new ret KILL/LOG/ERRNO, and recalculate entries |
93 | filter_step2[j].code = BPF_RET + BPF_K; | 93 | filter_step2[j].code = BPF_RET + BPF_K; |
94 | filter_step2[j].k = SECCOMP_RET_KILL; | 94 | filter_step2[j].k = arg_seccomp_error_action; |
95 | entries = j + 1; | 95 | entries = j + 1; |
96 | 96 | ||
97 | // step 4: recalculate jumps | 97 | // step 4: recalculate jumps |
diff --git a/src/fsec-print/Makefile.in b/src/fsec-print/Makefile.in index a30ff4ba3..bf39a8c77 100644 --- a/src/fsec-print/Makefile.in +++ b/src/fsec-print/Makefile.in | |||
@@ -5,8 +5,8 @@ include ../common.mk | |||
5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h | 5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h |
6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | 6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ |
7 | 7 | ||
8 | fsec-print: $(OBJS) ../lib/libnetlink.o ../lib/errno.o ../lib/syscall.o | 8 | fsec-print: $(OBJS) ../lib/common.o ../lib/libnetlink.o ../lib/errno.o ../lib/syscall.o |
9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS) | 9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS) |
10 | 10 | ||
11 | clean:; rm -fr *.o fsec-print *.gcov *.gcda *.gcno *.plist | 11 | clean:; rm -fr *.o fsec-print *.gcov *.gcda *.gcno *.plist |
12 | 12 | ||
diff --git a/src/fsec-print/fsec_print.h b/src/fsec-print/fsec_print.h index 9d17e3f18..337199288 100644 --- a/src/fsec-print/fsec_print.h +++ b/src/fsec-print/fsec_print.h | |||
@@ -23,7 +23,6 @@ | |||
23 | #include "../include/seccomp.h" | 23 | #include "../include/seccomp.h" |
24 | #include "../include/syscall.h" | 24 | #include "../include/syscall.h" |
25 | #include <sys/mman.h> | 25 | #include <sys/mman.h> |
26 | #include <sys/prctl.h> | ||
27 | 26 | ||
28 | // print.c | 27 | // print.c |
29 | void print(struct sock_filter *filter, int entries); | 28 | void print(struct sock_filter *filter, int entries); |
diff --git a/src/fsec-print/main.c b/src/fsec-print/main.c index d1f056e47..ed030db21 100644 --- a/src/fsec-print/main.c +++ b/src/fsec-print/main.c | |||
@@ -61,10 +61,7 @@ printf("\n"); | |||
61 | return 0; | 61 | return 0; |
62 | } | 62 | } |
63 | 63 | ||
64 | #ifdef WARN_DUMPABLE | 64 | warn_dumpable(); |
65 | if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid()) | ||
66 | fprintf(stderr, "Error fsec-print: I am dumpable\n"); | ||
67 | #endif | ||
68 | 65 | ||
69 | char *fname = argv[1]; | 66 | char *fname = argv[1]; |
70 | 67 | ||
diff --git a/src/fseccomp/Makefile.in b/src/fseccomp/Makefile.in index 8623db6f8..b776a73ce 100644 --- a/src/fseccomp/Makefile.in +++ b/src/fseccomp/Makefile.in | |||
@@ -5,8 +5,8 @@ include ../common.mk | |||
5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h | 5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h |
6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | 6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ |
7 | 7 | ||
8 | fseccomp: $(OBJS) ../lib/errno.o ../lib/syscall.o | 8 | fseccomp: $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o |
9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS) | 9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS) |
10 | 10 | ||
11 | clean:; rm -fr *.o fseccomp *.gcov *.gcda *.gcno *.plist | 11 | clean:; rm -fr *.o fseccomp *.gcov *.gcda *.gcno *.plist |
12 | 12 | ||
diff --git a/src/fseccomp/fseccomp.h b/src/fseccomp/fseccomp.h index e40999938..e8dd083b6 100644 --- a/src/fseccomp/fseccomp.h +++ b/src/fseccomp/fseccomp.h | |||
@@ -23,7 +23,6 @@ | |||
23 | #include <stdlib.h> | 23 | #include <stdlib.h> |
24 | #include <string.h> | 24 | #include <string.h> |
25 | #include <assert.h> | 25 | #include <assert.h> |
26 | #include <sys/prctl.h> | ||
27 | #include "../include/common.h" | 26 | #include "../include/common.h" |
28 | #include "../include/syscall.h" | 27 | #include "../include/syscall.h" |
29 | 28 | ||
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c index f505ca0f3..f47efb5e8 100644 --- a/src/fseccomp/main.c +++ b/src/fseccomp/main.c | |||
@@ -20,7 +20,7 @@ | |||
20 | #include "fseccomp.h" | 20 | #include "fseccomp.h" |
21 | #include "../include/seccomp.h" | 21 | #include "../include/seccomp.h" |
22 | int arg_quiet = 0; | 22 | int arg_quiet = 0; |
23 | int arg_seccomp_error_action = EPERM; // error action: errno, log or kill | 23 | int arg_seccomp_error_action = SECCOMP_RET_ERRNO | EPERM; // error action: errno, log or kill |
24 | 24 | ||
25 | static void usage(void) { | 25 | static void usage(void) { |
26 | printf("Usage:\n"); | 26 | printf("Usage:\n"); |
@@ -69,11 +69,7 @@ printf("\n"); | |||
69 | return 0; | 69 | return 0; |
70 | } | 70 | } |
71 | 71 | ||
72 | #ifdef WARN_DUMPABLE | 72 | warn_dumpable(); |
73 | // check FIREJAIL_PLUGIN in order to not print a warning during make | ||
74 | if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN")) | ||
75 | fprintf(stderr, "Error fseccomp: I am dumpable\n"); | ||
76 | #endif | ||
77 | 73 | ||
78 | char *quiet = getenv("FIREJAIL_QUIET"); | 74 | char *quiet = getenv("FIREJAIL_QUIET"); |
79 | if (quiet && strcmp(quiet, "yes") == 0) | 75 | if (quiet && strcmp(quiet, "yes") == 0) |
diff --git a/src/fseccomp/seccomp_secondary.c b/src/fseccomp/seccomp_secondary.c index f024859d3..b8e8d0a89 100644 --- a/src/fseccomp/seccomp_secondary.c +++ b/src/fseccomp/seccomp_secondary.c | |||
@@ -126,7 +126,7 @@ void seccomp_secondary_block(const char *fname) { | |||
126 | EXAMINE_SYSCALL, | 126 | EXAMINE_SYSCALL, |
127 | #if defined(__x86_64__) | 127 | #if defined(__x86_64__) |
128 | // block x32 | 128 | // block x32 |
129 | HANDLE_X32_KILL, | 129 | HANDLE_X32, |
130 | #endif | 130 | #endif |
131 | // block personality(2) where domain != PER_LINUX or 0xffffffff (query current personality) | 131 | // block personality(2) where domain != PER_LINUX or 0xffffffff (query current personality) |
132 | // 0: if personality(2), continue to 1, else goto 7 (allow) | 132 | // 0: if personality(2), continue to 1, else goto 7 (allow) |
diff --git a/src/include/common.h b/src/include/common.h index 5df51c5a9..5497929c7 100644 --- a/src/include/common.h +++ b/src/include/common.h | |||
@@ -38,11 +38,6 @@ | |||
38 | 38 | ||
39 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0) | 39 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0) |
40 | 40 | ||
41 | // check if processes run with dumpable flag set | ||
42 | // currently we get "Error fseccomp: I am dumpable" every time we run a firejail build on Debian 8, | ||
43 | // regardless what Debian version we run the build on | ||
44 | //#define WARN_DUMPABLE | ||
45 | |||
46 | // macro to print ip addresses in a printf statement | 41 | // macro to print ip addresses in a printf statement |
47 | #define PRINT_IP(A) \ | 42 | #define PRINT_IP(A) \ |
48 | ((int) (((A) >> 24) & 0xFF)), ((int) (((A) >> 16) & 0xFF)), ((int) (((A) >> 8) & 0xFF)), ((int) ( (A) & 0xFF)) | 43 | ((int) (((A) >> 24) & 0xFF)), ((int) (((A) >> 16) & 0xFF)), ((int) (((A) >> 8) & 0xFF)), ((int) ( (A) & 0xFF)) |
@@ -126,4 +121,6 @@ char *pid_proc_comm(const pid_t pid); | |||
126 | char *pid_proc_cmdline(const pid_t pid); | 121 | char *pid_proc_cmdline(const pid_t pid); |
127 | int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid); | 122 | int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid); |
128 | int pid_hidepid(void); | 123 | int pid_hidepid(void); |
124 | void warn_dumpable(void); | ||
125 | const char *gnu_basename(const char *path); | ||
129 | #endif | 126 | #endif |
diff --git a/src/include/seccomp.h b/src/include/seccomp.h index 90db16d39..b3b75c2d1 100644 --- a/src/include/seccomp.h +++ b/src/include/seccomp.h | |||
@@ -201,7 +201,7 @@ | |||
201 | #define VALIDATE_ARCHITECTURE_KILL \ | 201 | #define VALIDATE_ARCHITECTURE_KILL \ |
202 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ | 202 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ |
203 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \ | 203 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \ |
204 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL) | 204 | KILL_OR_RETURN_ERRNO |
205 | 205 | ||
206 | #define VALIDATE_ARCHITECTURE_64 \ | 206 | #define VALIDATE_ARCHITECTURE_64 \ |
207 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ | 207 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ |
@@ -222,11 +222,7 @@ | |||
222 | #define HANDLE_X32 \ | 222 | #define HANDLE_X32 \ |
223 | BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), \ | 223 | BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), \ |
224 | BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), \ | 224 | BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), \ |
225 | RETURN_ERRNO(EPERM) | 225 | KILL_OR_RETURN_ERRNO |
226 | #define HANDLE_X32_KILL \ | ||
227 | BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), \ | ||
228 | BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), \ | ||
229 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL) | ||
230 | #endif | 226 | #endif |
231 | 227 | ||
232 | #define EXAMINE_SYSCALL BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ | 228 | #define EXAMINE_SYSCALL BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ |
@@ -258,6 +254,8 @@ | |||
258 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr) | 254 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr) |
259 | 255 | ||
260 | extern int arg_seccomp_error_action; // error action: errno, log or kill | 256 | extern int arg_seccomp_error_action; // error action: errno, log or kill |
257 | #define DEFAULT_SECCOMP_ERROR_ACTION EPERM | ||
258 | |||
261 | #define KILL_OR_RETURN_ERRNO \ | 259 | #define KILL_OR_RETURN_ERRNO \ |
262 | BPF_STMT(BPF_RET+BPF_K, arg_seccomp_error_action) | 260 | BPF_STMT(BPF_RET+BPF_K, arg_seccomp_error_action) |
263 | 261 | ||
diff --git a/src/include/syscall_armeabi.h b/src/include/syscall_armeabi.h index cbdc67f37..3b574f875 100644 --- a/src/include/syscall_armeabi.h +++ b/src/include/syscall_armeabi.h | |||
@@ -42,6 +42,7 @@ | |||
42 | { "exit", 1 }, | 42 | { "exit", 1 }, |
43 | { "exit_group", 248 }, | 43 | { "exit_group", 248 }, |
44 | { "faccessat", 334 }, | 44 | { "faccessat", 334 }, |
45 | { "faccessat2", 439 }, | ||
45 | { "fallocate", 352 }, | 46 | { "fallocate", 352 }, |
46 | { "fanotify_init", 367 }, | 47 | { "fanotify_init", 367 }, |
47 | { "fanotify_mark", 368 }, | 48 | { "fanotify_mark", 368 }, |
diff --git a/src/include/syscall_i386.h b/src/include/syscall_i386.h index 4795e5b2a..752e11f24 100644 --- a/src/include/syscall_i386.h +++ b/src/include/syscall_i386.h | |||
@@ -54,6 +54,7 @@ | |||
54 | { "exit", 1 }, | 54 | { "exit", 1 }, |
55 | { "exit_group", 252 }, | 55 | { "exit_group", 252 }, |
56 | { "faccessat", 307 }, | 56 | { "faccessat", 307 }, |
57 | { "faccessat2", 439 }, | ||
57 | { "fadvise64", 250 }, | 58 | { "fadvise64", 250 }, |
58 | { "fadvise64_64", 272 }, | 59 | { "fadvise64_64", 272 }, |
59 | { "fallocate", 324 }, | 60 | { "fallocate", 324 }, |
diff --git a/src/include/syscall_x86_64.h b/src/include/syscall_x86_64.h index 539e874be..97f2762b1 100644 --- a/src/include/syscall_x86_64.h +++ b/src/include/syscall_x86_64.h | |||
@@ -47,6 +47,7 @@ | |||
47 | { "exit", 60 }, | 47 | { "exit", 60 }, |
48 | { "exit_group", 231 }, | 48 | { "exit_group", 231 }, |
49 | { "faccessat", 269 }, | 49 | { "faccessat", 269 }, |
50 | { "faccessat2", 439 }, | ||
50 | { "fadvise64", 221 }, | 51 | { "fadvise64", 221 }, |
51 | { "fallocate", 285 }, | 52 | { "fallocate", 285 }, |
52 | { "fanotify_init", 300 }, | 53 | { "fanotify_init", 300 }, |
diff --git a/src/lib/common.c b/src/lib/common.c index 823442835..ace5cb87e 100644 --- a/src/lib/common.c +++ b/src/lib/common.c | |||
@@ -267,7 +267,6 @@ int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid) { | |||
267 | } | 267 | } |
268 | 268 | ||
269 | // return 1 if /proc is mounted hidepid, or if /proc/mouns access is denied | 269 | // return 1 if /proc is mounted hidepid, or if /proc/mouns access is denied |
270 | #define BUFLEN 4096 | ||
271 | int pid_hidepid(void) { | 270 | int pid_hidepid(void) { |
272 | FILE *fp = fopen("/proc/mounts", "r"); | 271 | FILE *fp = fopen("/proc/mounts", "r"); |
273 | if (!fp) | 272 | if (!fp) |
@@ -288,6 +287,39 @@ int pid_hidepid(void) { | |||
288 | return 0; | 287 | return 0; |
289 | } | 288 | } |
290 | 289 | ||
290 | // print error if unprivileged users can trace the process | ||
291 | void warn_dumpable(void) { | ||
292 | if (getuid() != 0 && prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getenv("FIREJAIL_PLUGIN")) { | ||
293 | fprintf(stderr, "Error: dumpable process\n"); | ||
294 | |||
295 | // best effort to provide detailed debug information | ||
296 | // cannot use process name, it is just a file descriptor number | ||
297 | char path[BUFLEN]; | ||
298 | ssize_t len = readlink("/proc/self/exe", path, BUFLEN - 1); | ||
299 | if (len < 0) | ||
300 | return; | ||
301 | path[len] = '\0'; | ||
302 | // path can refer to a sandbox mount namespace, use basename only | ||
303 | const char *base = gnu_basename(path); | ||
304 | |||
305 | struct stat s; | ||
306 | if (stat("/proc/self/exe", &s) == 0 && s.st_uid != 0) | ||
307 | fprintf(stderr, "Change owner of %s executable to root\n", base); | ||
308 | else if (access("/proc/self/exe", R_OK) == 0) | ||
309 | fprintf(stderr, "Remove read permission on %s executable\n", base); | ||
310 | } | ||
311 | } | ||
312 | |||
313 | // Equivalent to the GNU version of basename, which is incompatible with | ||
314 | // the POSIX basename. A few lines of code saves any portability pain. | ||
315 | // https://www.gnu.org/software/libc/manual/html_node/Finding-Tokens-in-a-String.html#index-basename | ||
316 | const char *gnu_basename(const char *path) { | ||
317 | const char *last_slash = strrchr(path, '/'); | ||
318 | if (!last_slash) | ||
319 | return path; | ||
320 | return last_slash+1; | ||
321 | } | ||
322 | |||
291 | //************************** | 323 | //************************** |
292 | // time trace based on getticks function | 324 | // time trace based on getticks function |
293 | //************************** | 325 | //************************** |
diff --git a/src/lib/syscall.c b/src/lib/syscall.c index 4903971ad..758f1ce0b 100644 --- a/src/lib/syscall.c +++ b/src/lib/syscall.c | |||
@@ -336,6 +336,7 @@ static const SyscallGroupList sysgroups[] = { | |||
336 | #endif | 336 | #endif |
337 | }, | 337 | }, |
338 | { .name = "@default-keep", .list = | 338 | { .name = "@default-keep", .list = |
339 | "execveat," // commonly used by fexecve | ||
339 | "execve," | 340 | "execve," |
340 | "prctl" | 341 | "prctl" |
341 | }, | 342 | }, |
@@ -358,6 +359,9 @@ static const SyscallGroupList sysgroups[] = { | |||
358 | #ifdef SYS_faccessat | 359 | #ifdef SYS_faccessat |
359 | "faccessat," | 360 | "faccessat," |
360 | #endif | 361 | #endif |
362 | #ifdef SYS_faccessat2 | ||
363 | "faccessat2," | ||
364 | #endif | ||
361 | #ifdef SYS_fallocate | 365 | #ifdef SYS_fallocate |
362 | "fallocate," | 366 | "fallocate," |
363 | #endif | 367 | #endif |
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt index f3123356a..2c02aee47 100644 --- a/src/man/firecfg.txt +++ b/src/man/firecfg.txt | |||
@@ -61,7 +61,7 @@ $ sudo firecfg --add-users dustin lucas mike eleven | |||
61 | 61 | ||
62 | .TP | 62 | .TP |
63 | \fB\-\-bindir=directory | 63 | \fB\-\-bindir=directory |
64 | Create and search symbolic links in directory instead of the default location /user/local/bin. | 64 | Create and search symbolic links in directory instead of the default location /usr/local/bin. |
65 | Directory should precede /usr/bin and /bin in the PATH environment variable. | 65 | Directory should precede /usr/bin and /bin in the PATH environment variable. |
66 | 66 | ||
67 | .TP | 67 | .TP |
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 9524254c1..5e77b5f70 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -266,7 +266,7 @@ Mount new /root and /home/user directories in temporary | |||
266 | filesystems. All modifications are discarded when the sandbox is | 266 | filesystems. All modifications are discarded when the sandbox is |
267 | closed. | 267 | closed. |
268 | .TP | 268 | .TP |
269 | \fBprivate directory | 269 | \fBprivate=directory |
270 | Use directory as user home. | 270 | Use directory as user home. |
271 | .TP | 271 | .TP |
272 | \fBprivate-bin file,file | 272 | \fBprivate-bin file,file |
@@ -862,6 +862,11 @@ the parent interface specified by --net is not configured. An IP address and | |||
862 | a default gateway address also have to be added. | 862 | a default gateway address also have to be added. |
863 | 863 | ||
864 | .TP | 864 | .TP |
865 | \fBnetns namespace | ||
866 | Run the program in a named, persistent network namespace. These can | ||
867 | be created and configured using "ip netns". | ||
868 | |||
869 | .TP | ||
865 | \fBveth-name name | 870 | \fBveth-name name |
866 | Use this name for the interface connected to the bridge for --net=bridge_interface commands, | 871 | Use this name for the interface connected to the bridge for --net=bridge_interface commands, |
867 | instead of the default one. | 872 | instead of the default one. |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 347e2b31b..e85a02ee8 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -693,6 +693,10 @@ Example: | |||
693 | $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox | 693 | $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox |
694 | #endif | 694 | #endif |
695 | .TP | 695 | .TP |
696 | \fB\-\-deterministic-exit-code | ||
697 | Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. | ||
698 | .br | ||
699 | .TP | ||
696 | \fB\-\-disable-mnt | 700 | \fB\-\-disable-mnt |
697 | Blacklist /mnt, /media, /run/mount and /run/media access. | 701 | Blacklist /mnt, /media, /run/mount and /run/media access. |
698 | .br | 702 | .br |
@@ -703,10 +707,6 @@ Example: | |||
703 | $ firejail \-\-disable-mnt firefox | 707 | $ firejail \-\-disable-mnt firefox |
704 | 708 | ||
705 | .TP | 709 | .TP |
706 | \fB\-\-deterministic-exit-code | ||
707 | Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. | ||
708 | |||
709 | .TP | ||
710 | \fB\-\-dns=address | 710 | \fB\-\-dns=address |
711 | Set a DNS server for the sandbox. Up to three DNS servers can be defined. | 711 | Set a DNS server for the sandbox. Up to three DNS servers can be defined. |
712 | Use this option if you don't trust the DNS setup on your network. | 712 | Use this option if you don't trust the DNS setup on your network. |
@@ -1317,7 +1317,7 @@ $ firejail --netfilter=/etc/firejail/webserver.net --net=eth0 \\ | |||
1317 | .br | 1317 | .br |
1318 | 1318 | ||
1319 | .br | 1319 | .br |
1320 | .B nolocal.net | 1320 | .B nolocal.net/nolocal6.net |
1321 | is a desktop client firewall that disable access to local network. Example: | 1321 | is a desktop client firewall that disable access to local network. Example: |
1322 | .br | 1322 | .br |
1323 | 1323 | ||
@@ -2273,7 +2273,7 @@ rm: cannot remove `testfile': Operation not permitted | |||
2273 | .TP | 2273 | .TP |
2274 | \fB\-\-seccomp.keep=syscall,@group,!syscall2 | 2274 | \fB\-\-seccomp.keep=syscall,@group,!syscall2 |
2275 | Enable seccomp filter, blacklist all syscall not listed and "syscall2". | 2275 | Enable seccomp filter, blacklist all syscall not listed and "syscall2". |
2276 | The system calls needed by Firejail (group @default-keep: prctl, execve) | 2276 | The system calls needed by Firejail (group @default-keep: prctl, execve, execveat) |
2277 | are handled with the preload library. On a 64 bit architecture, an | 2277 | are handled with the preload library. On a 64 bit architecture, an |
2278 | additional filter for 32 bit system calls can be installed with | 2278 | additional filter for 32 bit system calls can be installed with |
2279 | \-\-seccomp.32.keep. | 2279 | \-\-seccomp.32.keep. |
diff --git a/src/profstats/main.c b/src/profstats/main.c index 4c1221464..68f62831b 100644 --- a/src/profstats/main.c +++ b/src/profstats/main.c | |||
@@ -30,6 +30,8 @@ static int cnt_seccomp = 0; | |||
30 | static int cnt_caps = 0; | 30 | static int cnt_caps = 0; |
31 | static int cnt_dbus_system_none = 0; | 31 | static int cnt_dbus_system_none = 0; |
32 | static int cnt_dbus_user_none = 0; | 32 | static int cnt_dbus_user_none = 0; |
33 | static int cnt_dbus_system_filter = 0; | ||
34 | static int cnt_dbus_user_filter = 0; | ||
33 | static int cnt_dotlocal = 0; | 35 | static int cnt_dotlocal = 0; |
34 | static int cnt_globalsdotlocal = 0; | 36 | static int cnt_globalsdotlocal = 0; |
35 | static int cnt_netnone = 0; | 37 | static int cnt_netnone = 0; |
@@ -107,6 +109,7 @@ void process_file(const char *fname) { | |||
107 | return; | 109 | return; |
108 | } | 110 | } |
109 | 111 | ||
112 | int have_include_local = 0; | ||
110 | char buf[MAXBUF]; | 113 | char buf[MAXBUF]; |
111 | while (fgets(buf, MAXBUF, fp)) { | 114 | while (fgets(buf, MAXBUF, fp)) { |
112 | char *ptr = strchr(buf, '\n'); | 115 | char *ptr = strchr(buf, '\n'); |
@@ -152,11 +155,16 @@ void process_file(const char *fname) { | |||
152 | cnt_privateetc++; | 155 | cnt_privateetc++; |
153 | else if (strncmp(ptr, "dbus-system none", 16) == 0) | 156 | else if (strncmp(ptr, "dbus-system none", 16) == 0) |
154 | cnt_dbus_system_none++; | 157 | cnt_dbus_system_none++; |
158 | else if (strncmp(ptr, "dbus-system", 11) == 0) | ||
159 | cnt_dbus_system_filter++; | ||
155 | else if (strncmp(ptr, "dbus-user none", 14) == 0) | 160 | else if (strncmp(ptr, "dbus-user none", 14) == 0) |
156 | cnt_dbus_user_none++; | 161 | cnt_dbus_user_none++; |
162 | else if (strncmp(ptr, "dbus-user", 9) == 0) | ||
163 | cnt_dbus_user_filter++; | ||
157 | else if (strncmp(ptr, "include ", 8) == 0) { | 164 | else if (strncmp(ptr, "include ", 8) == 0) { |
158 | // not processing .local files | 165 | // not processing .local files |
159 | if (strstr(ptr, ".local")) { | 166 | if (strstr(ptr, ".local")) { |
167 | have_include_local = 1; | ||
160 | //printf("dotlocal %d, level %d - #%s#, redirect #%s#\n", cnt_dotlocal, level, fname, buf + 8); | 168 | //printf("dotlocal %d, level %d - #%s#, redirect #%s#\n", cnt_dotlocal, level, fname, buf + 8); |
161 | if (strstr(ptr, "globals.local")) | 169 | if (strstr(ptr, "globals.local")) |
162 | cnt_globalsdotlocal++; | 170 | cnt_globalsdotlocal++; |
@@ -174,6 +182,8 @@ void process_file(const char *fname) { | |||
174 | } | 182 | } |
175 | 183 | ||
176 | fclose(fp); | 184 | fclose(fp); |
185 | if (!have_include_local) | ||
186 | printf("No include .local found in %s\n", fname); | ||
177 | level--; | 187 | level--; |
178 | } | 188 | } |
179 | 189 | ||
@@ -257,7 +267,9 @@ int main(int argc, char **argv) { | |||
257 | int whitelistrunuser = cnt_whitelistrunuser; | 267 | int whitelistrunuser = cnt_whitelistrunuser; |
258 | int whitelistusrshare = cnt_whitelistusrshare; | 268 | int whitelistusrshare = cnt_whitelistusrshare; |
259 | int dbussystemnone = cnt_dbus_system_none; | 269 | int dbussystemnone = cnt_dbus_system_none; |
270 | int dbussystemfilter = cnt_dbus_system_filter; | ||
260 | int dbususernone = cnt_dbus_user_none; | 271 | int dbususernone = cnt_dbus_user_none; |
272 | int dbususerfilter = cnt_dbus_user_filter; | ||
261 | int ssh = cnt_ssh; | 273 | int ssh = cnt_ssh; |
262 | int mdwx = cnt_mdwx; | 274 | int mdwx = cnt_mdwx; |
263 | 275 | ||
@@ -278,6 +290,16 @@ int main(int argc, char **argv) { | |||
278 | cnt_globalsdotlocal = globalsdotlocal + 1; | 290 | cnt_globalsdotlocal = globalsdotlocal + 1; |
279 | if (cnt_whitelistrunuser > (whitelistrunuser + 1)) | 291 | if (cnt_whitelistrunuser > (whitelistrunuser + 1)) |
280 | cnt_whitelistrunuser = whitelistrunuser + 1; | 292 | cnt_whitelistrunuser = whitelistrunuser + 1; |
293 | if (cnt_seccomp > (seccomp + 1)) | ||
294 | cnt_seccomp = seccomp + 1; | ||
295 | if (cnt_dbus_user_none > (dbususernone + 1)) | ||
296 | cnt_dbus_user_none = dbususernone + 1; | ||
297 | if (cnt_dbus_user_filter > (dbususerfilter + 1)) | ||
298 | cnt_dbus_user_filter = dbususerfilter + 1; | ||
299 | if (cnt_dbus_system_none > (dbussystemnone + 1)) | ||
300 | cnt_dbus_system_none = dbussystemnone + 1; | ||
301 | if (cnt_dbus_system_filter > (dbussystemfilter + 1)) | ||
302 | cnt_dbus_system_filter = dbussystemfilter + 1; | ||
281 | 303 | ||
282 | if (arg_dbus_system_none && dbussystemnone == cnt_dbus_system_none) | 304 | if (arg_dbus_system_none && dbussystemnone == cnt_dbus_system_none) |
283 | printf("No dbus-system none found in %s\n", argv[i]); | 305 | printf("No dbus-system none found in %s\n", argv[i]); |
@@ -337,7 +359,9 @@ int main(int argc, char **argv) { | |||
337 | printf(" whitelist usr/share\t\t%d (include whitelist-usr-share-common.inc\n", cnt_whitelistusrshare); | 359 | printf(" whitelist usr/share\t\t%d (include whitelist-usr-share-common.inc\n", cnt_whitelistusrshare); |
338 | printf(" net none\t\t\t%d\n", cnt_netnone); | 360 | printf(" net none\t\t\t%d\n", cnt_netnone); |
339 | printf(" dbus-user none \t\t%d\n", cnt_dbus_user_none); | 361 | printf(" dbus-user none \t\t%d\n", cnt_dbus_user_none); |
362 | printf(" dbus-user filter \t\t%d\n", cnt_dbus_user_filter); | ||
340 | printf(" dbus-system none \t\t%d\n", cnt_dbus_system_none); | 363 | printf(" dbus-system none \t\t%d\n", cnt_dbus_system_none); |
364 | printf(" dbus-system filter \t\t%d\n", cnt_dbus_system_filter); | ||
341 | printf("\n"); | 365 | printf("\n"); |
342 | return 0; | 366 | return 0; |
343 | } | 367 | } |
diff --git a/test/Makefile.in b/test/Makefile.in index ef1ca73bc..d41ab39d1 100644 --- a/test/Makefile.in +++ b/test/Makefile.in | |||
@@ -8,3 +8,6 @@ $(TESTS): | |||
8 | 8 | ||
9 | clean: | 9 | clean: |
10 | for test in $(TESTS); do rm -f "$$test/$$test.log"; done | 10 | for test in $(TESTS); do rm -f "$$test/$$test.log"; done |
11 | |||
12 | distclean: clean | ||
13 | rm -f Makefile | ||
diff --git a/test/compile/compile.sh b/test/compile/compile.sh index 91fcfb85d..04819d95d 100755 --- a/test/compile/compile.sh +++ b/test/compile/compile.sh | |||
@@ -3,6 +3,16 @@ | |||
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2020 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | # not currently covered | ||
7 | # --disable-suid install as a non-SUID executable | ||
8 | # --enable-fatal-warnings -W -Wall -Werror | ||
9 | # --enable-gcov Gcov instrumentation | ||
10 | # --enable-contrib-install | ||
11 | # install contrib scripts | ||
12 | # --enable-analyzer enable GCC 10 static analyzer | ||
13 | |||
14 | |||
15 | |||
6 | arr[1]="TEST 1: standard compilation" | 16 | arr[1]="TEST 1: standard compilation" |
7 | arr[2]="TEST 2: compile dbus proxy disabled" | 17 | arr[2]="TEST 2: compile dbus proxy disabled" |
8 | arr[3]="TEST 3: compile chroot disabled" | 18 | arr[3]="TEST 3: compile chroot disabled" |
@@ -18,7 +28,9 @@ arr[12]="TEST 12: compile apparmor" | |||
18 | arr[13]="TEST 13: compile busybox" | 28 | arr[13]="TEST 13: compile busybox" |
19 | arr[14]="TEST 14: compile overlayfs disabled" | 29 | arr[14]="TEST 14: compile overlayfs disabled" |
20 | arr[15]="TEST 15: compile private-home disabled" | 30 | arr[15]="TEST 15: compile private-home disabled" |
21 | arr[15]="TEST 16: compile disable manpages" | 31 | arr[16]="TEST 16: compile disable manpages" |
32 | arr[17]="TEST 17: disable tmpfs as regular user" | ||
33 | arr[18]="TEST 18: disable private home" | ||
22 | 34 | ||
23 | # remove previous reports and output file | 35 | # remove previous reports and output file |
24 | cleanup() { | 36 | cleanup() { |
@@ -334,6 +346,40 @@ cp output-make om16 | |||
334 | rm output-configure output-make | 346 | rm output-configure output-make |
335 | 347 | ||
336 | #***************************************************************** | 348 | #***************************************************************** |
349 | # TEST 17 | ||
350 | #***************************************************************** | ||
351 | # - disable tmpfs as regular user" | ||
352 | #***************************************************************** | ||
353 | print_title "${arr[17]}" | ||
354 | cd firejail | ||
355 | make distclean | ||
356 | ./configure --prefix=/usr --disable-usertmpfs --enable-fatal-warnings 2>&1 | tee ../output-configure | ||
357 | make -j4 2>&1 | tee ../output-make | ||
358 | cd .. | ||
359 | grep Warning output-configure output-make > ./report-test17 | ||
360 | grep Error output-configure output-make >> ./report-test17 | ||
361 | cp output-configure oc17 | ||
362 | cp output-make om17 | ||
363 | rm output-configure output-make | ||
364 | |||
365 | #***************************************************************** | ||
366 | # TEST 18 | ||
367 | #***************************************************************** | ||
368 | # - disable private home feature | ||
369 | #***************************************************************** | ||
370 | print_title "${arr[18]}" | ||
371 | cd firejail | ||
372 | make distclean | ||
373 | ./configure --prefix=/usr --disable-private-home --enable-fatal-warnings 2>&1 | tee ../output-configure | ||
374 | make -j4 2>&1 | tee ../output-make | ||
375 | cd .. | ||
376 | grep Warning output-configure output-make > ./report-test18 | ||
377 | grep Error output-configure output-make >> ./report-test18 | ||
378 | cp output-configure oc18 | ||
379 | cp output-make om18 | ||
380 | rm output-configure output-make | ||
381 | |||
382 | #***************************************************************** | ||
337 | # PRINT REPORTS | 383 | # PRINT REPORTS |
338 | #***************************************************************** | 384 | #***************************************************************** |
339 | echo | 385 | echo |
@@ -363,3 +409,5 @@ echo ${arr[13]} | |||
363 | echo ${arr[14]} | 409 | echo ${arr[14]} |
364 | echo ${arr[15]} | 410 | echo ${arr[15]} |
365 | echo ${arr[16]} | 411 | echo ${arr[16]} |
412 | echo ${arr[17]} | ||
413 | echo ${arr[18]} | ||
diff --git a/test/environment/environment.sh b/test/environment/environment.sh index e88036d3d..0706cbd88 100755 --- a/test/environment/environment.sh +++ b/test/environment/environment.sh | |||
@@ -70,12 +70,12 @@ echo "TESTING: firejail in firejail - single sandbox (test/environment/firejail- | |||
70 | ./firejail-in-firejail.exp | 70 | ./firejail-in-firejail.exp |
71 | 71 | ||
72 | which aplay 2>/dev/null | 72 | which aplay 2>/dev/null |
73 | if [ "$?" -eq 0 ]; | 73 | if [ "$?" -eq 0 ] && [ "$(aplay -l | grep -c "List of PLAYBACK")" -gt 0 ]; |
74 | then | 74 | then |
75 | echo "TESTING: sound (test/environment/sound.exp)" | 75 | echo "TESTING: sound (test/environment/sound.exp)" |
76 | ./sound.exp | 76 | ./sound.exp |
77 | else | 77 | else |
78 | echo "TESTING SKIP: aplay not found" | 78 | echo "TESTING SKIP: no aplay or sound card found" |
79 | fi | 79 | fi |
80 | 80 | ||
81 | echo "TESTING: nice (test/environment/nice.exp)" | 81 | echo "TESTING: nice (test/environment/nice.exp)" |
diff --git a/test/utils/shutdown.exp b/test/utils/shutdown.exp index 0f6cab8bb..0867970a1 100755 --- a/test/utils/shutdown.exp +++ b/test/utils/shutdown.exp | |||
@@ -3,7 +3,7 @@ | |||
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2020 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 15 |
7 | cd /home | 7 | cd /home |
8 | spawn $env(SHELL) | 8 | spawn $env(SHELL) |
9 | match_max 100000 | 9 | match_max 100000 |
diff --git a/test/utils/utils.sh b/test/utils/utils.sh index 7e8426f35..8453894a2 100755 --- a/test/utils/utils.sh +++ b/test/utils/utils.sh | |||
@@ -18,7 +18,7 @@ echo "TESTING: build (test/utils/build.exp)" | |||
18 | rm -f ~/firejail-test-file-7699 | 18 | rm -f ~/firejail-test-file-7699 |
19 | rm -f firejail-test-file-4388 | 19 | rm -f firejail-test-file-4388 |
20 | 20 | ||
21 | if [ $(readlink /proc/self) -lt 100 ]; then | 21 | if [ $(faudit | grep -c "is running in a PID namespace.") -gt 0 ]; then |
22 | echo "TESTING SKIP: already running in pid namespace (test/utils/audit.exp)" | 22 | echo "TESTING SKIP: already running in pid namespace (test/utils/audit.exp)" |
23 | else | 23 | else |
24 | echo "TESTING: audit (test/utils/audit.exp)" | 24 | echo "TESTING: audit (test/utils/audit.exp)" |