diff options
| -rw-r--r-- | .github/workflows/codeql-analysis.yml | 6 | ||||
| -rw-r--r-- | etc/inc/allow-common-devel.inc | 5 | ||||
| -rw-r--r-- | etc/inc/disable-programs.inc | 1 | ||||
| -rw-r--r-- | etc/profile-a-l/cmake.profile | 9 | ||||
| -rw-r--r-- | etc/profile-m-z/ocenaudio.profile | 33 | ||||
| -rw-r--r-- | etc/profile-m-z/pip.profile | 5 | ||||
| -rw-r--r-- | src/man/firejail-profile.txt | 2 | ||||
| -rw-r--r-- | src/man/firejail.txt | 1 |
8 files changed, 41 insertions, 21 deletions
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 98b713e9e..e1d972d04 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml | |||
| @@ -47,7 +47,7 @@ jobs: | |||
| 47 | 47 | ||
| 48 | # Initializes the CodeQL tools for scanning. | 48 | # Initializes the CodeQL tools for scanning. |
| 49 | - name: Initialize CodeQL | 49 | - name: Initialize CodeQL |
| 50 | uses: github/codeql-action/init@f5d822707ee6e8fb81b04a5c0040b736da22e587 | 50 | uses: github/codeql-action/init@883476649888a9e8e219d5b2e6b789dc024f690c |
| 51 | with: | 51 | with: |
| 52 | languages: ${{ matrix.language }} | 52 | languages: ${{ matrix.language }} |
| 53 | # If you wish to specify custom queries, you can do so here or in a config file. | 53 | # If you wish to specify custom queries, you can do so here or in a config file. |
| @@ -58,7 +58,7 @@ jobs: | |||
| 58 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). | 58 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). |
| 59 | # If this step fails, then you should remove it and run the build manually (see below) | 59 | # If this step fails, then you should remove it and run the build manually (see below) |
| 60 | - name: Autobuild | 60 | - name: Autobuild |
| 61 | uses: github/codeql-action/autobuild@f5d822707ee6e8fb81b04a5c0040b736da22e587 | 61 | uses: github/codeql-action/autobuild@883476649888a9e8e219d5b2e6b789dc024f690c |
| 62 | 62 | ||
| 63 | # âšī¸ Command-line programs to run using the OS shell. | 63 | # âšī¸ Command-line programs to run using the OS shell. |
| 64 | # đ https://git.io/JvXDl | 64 | # đ https://git.io/JvXDl |
| @@ -72,4 +72,4 @@ jobs: | |||
| 72 | # make release | 72 | # make release |
| 73 | 73 | ||
| 74 | - name: Perform CodeQL Analysis | 74 | - name: Perform CodeQL Analysis |
| 75 | uses: github/codeql-action/analyze@f5d822707ee6e8fb81b04a5c0040b736da22e587 | 75 | uses: github/codeql-action/analyze@883476649888a9e8e219d5b2e6b789dc024f690c |
diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc index 4e460fc10..9576239f3 100644 --- a/etc/inc/allow-common-devel.inc +++ b/etc/inc/allow-common-devel.inc | |||
| @@ -8,8 +8,13 @@ noblacklist ${HOME}/.gitconfig | |||
| 8 | noblacklist ${HOME}/.git-credentials | 8 | noblacklist ${HOME}/.git-credentials |
| 9 | 9 | ||
| 10 | # Java | 10 | # Java |
| 11 | noblacklist ${HOME}/.ammonite | ||
| 12 | noblacklist ${HOME}/.config/jgit | ||
| 13 | noblacklist ${HOME}/.g8 | ||
| 11 | noblacklist ${HOME}/.gradle | 14 | noblacklist ${HOME}/.gradle |
| 15 | noblacklist ${HOME}/.ivy2 | ||
| 12 | noblacklist ${HOME}/.java | 16 | noblacklist ${HOME}/.java |
| 17 | noblacklist ${HOME}/.sbt | ||
| 13 | 18 | ||
| 14 | # Node.js | 19 | # Node.js |
| 15 | noblacklist ${HOME}/.node-gyp | 20 | noblacklist ${HOME}/.node-gyp |
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index fcd385cae..efe1b2572 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
| @@ -175,6 +175,7 @@ blacklist ${HOME}/.cache/mypaint | |||
| 175 | blacklist ${HOME}/.cache/netsurf | 175 | blacklist ${HOME}/.cache/netsurf |
| 176 | blacklist ${HOME}/.cache/nheko | 176 | blacklist ${HOME}/.cache/nheko |
| 177 | blacklist ${HOME}/.cache/nvim | 177 | blacklist ${HOME}/.cache/nvim |
| 178 | blacklist ${HOME}/.cache/ocenaudio | ||
| 178 | blacklist ${HOME}/.cache/okular | 179 | blacklist ${HOME}/.cache/okular |
| 179 | blacklist ${HOME}/.cache/opera | 180 | blacklist ${HOME}/.cache/opera |
| 180 | blacklist ${HOME}/.cache/opera-beta | 181 | blacklist ${HOME}/.cache/opera-beta |
diff --git a/etc/profile-a-l/cmake.profile b/etc/profile-a-l/cmake.profile index 26cc2a00a..acc03e93f 100644 --- a/etc/profile-a-l/cmake.profile +++ b/etc/profile-a-l/cmake.profile | |||
| @@ -1,12 +1,15 @@ | |||
| 1 | # Firejail profile for cargo | 1 | # Firejail profile for cmake |
| 2 | # Description: The Rust package manager | 2 | # Description: A cross-platform open-source make system |
| 3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
| 4 | quiet | 4 | quiet |
| 5 | # Persistent local customizations | 5 | # Persistent local customizations |
| 6 | include cargo.local | 6 | include cmake.local |
| 7 | # Persistent global definitions | 7 | # Persistent global definitions |
| 8 | include globals.local | 8 | include globals.local |
| 9 | 9 | ||
| 10 | whitelist /usr/share/cmake | ||
| 11 | whitelist /usr/share/cmake-* | ||
| 12 | |||
| 10 | memory-deny-write-execute | 13 | memory-deny-write-execute |
| 11 | 14 | ||
| 12 | # Redirect | 15 | # Redirect |
diff --git a/etc/profile-m-z/ocenaudio.profile b/etc/profile-m-z/ocenaudio.profile index 0bfb35333..080b4c92b 100644 --- a/etc/profile-m-z/ocenaudio.profile +++ b/etc/profile-m-z/ocenaudio.profile | |||
| @@ -6,8 +6,9 @@ include ocenaudio.local | |||
| 6 | # Persistent global definitions | 6 | # Persistent global definitions |
| 7 | include globals.local | 7 | include globals.local |
| 8 | 8 | ||
| 9 | noblacklist ${HOME}/.cache/ocenaudio | ||
| 9 | noblacklist ${HOME}/.local/share/ocenaudio | 10 | noblacklist ${HOME}/.local/share/ocenaudio |
| 10 | noblacklist ${DOCUMENTS} | 11 | |
| 11 | noblacklist ${MUSIC} | 12 | noblacklist ${MUSIC} |
| 12 | 13 | ||
| 13 | include disable-common.inc | 14 | include disable-common.inc |
| @@ -18,38 +19,44 @@ include disable-programs.inc | |||
| 18 | include disable-shell.inc | 19 | include disable-shell.inc |
| 19 | include disable-xdg.inc | 20 | include disable-xdg.inc |
| 20 | 21 | ||
| 22 | mkdir ${HOME}/.cache/ocenaudio | ||
| 23 | mkdir ${HOME}/.local/share/ocenaudio | ||
| 24 | whitelist ${HOME}/.cache/ocenaudio | ||
| 25 | whitelist ${HOME}/.local/share/ocenaudio | ||
| 26 | whitelist ${DOWNLOADS} | ||
| 27 | whitelist ${MUSIC} | ||
| 28 | include whitelist-common.inc | ||
| 29 | include whitelist-run-common.inc | ||
| 30 | include whitelist-runuser-common.inc | ||
| 21 | include whitelist-usr-share-common.inc | 31 | include whitelist-usr-share-common.inc |
| 22 | include whitelist-var-common.inc | 32 | include whitelist-var-common.inc |
| 23 | 33 | ||
| 24 | apparmor | 34 | apparmor |
| 25 | caps.drop all | 35 | caps.drop all |
| 26 | ipc-namespace | 36 | #ipc-namespace |
| 27 | # net none - breaks update functionality and AppArmor on Ubuntu systems | ||
| 28 | # Add 'net none' to your ocenaudio.local when you want that functionality. | ||
| 29 | #net none | ||
| 30 | netfilter | 37 | netfilter |
| 31 | no3d | 38 | no3d |
| 32 | nodvd | 39 | nodvd |
| 33 | nogroups | 40 | nogroups |
| 34 | noinput | 41 | noinput |
| 35 | nonewprivs | 42 | nonewprivs |
| 43 | noprinters | ||
| 36 | noroot | 44 | noroot |
| 37 | notv | 45 | notv |
| 38 | nou2f | 46 | nou2f |
| 39 | novideo | 47 | novideo |
| 40 | protocol unix | 48 | # Add `protocol unix\nignore protocol` to your ocenaudio.local to disable networking. |
| 49 | protocol unix,inet,inet6 | ||
| 41 | seccomp | 50 | seccomp |
| 42 | shell none | 51 | shell none |
| 43 | tracelog | 52 | tracelog |
| 44 | 53 | ||
| 45 | private-bin ocenaudio | 54 | private-bin ocenaudio,ocenvst |
| 46 | private-cache | 55 | private-cache |
| 47 | private-dev | 56 | private-dev |
| 48 | private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,pulse | 57 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg |
| 58 | private-opt ocenaudio | ||
| 49 | private-tmp | 59 | private-tmp |
| 50 | 60 | ||
| 51 | # breaks preferences | 61 | dbus-user none |
| 52 | # dbus-user none | 62 | dbus-system none |
| 53 | # dbus-system none | ||
| 54 | |||
| 55 | #memory-deny-write-execute - breaks on Arch (see issue #1803) | ||
diff --git a/etc/profile-m-z/pip.profile b/etc/profile-m-z/pip.profile index a0926371f..560957d47 100644 --- a/etc/profile-m-z/pip.profile +++ b/etc/profile-m-z/pip.profile | |||
| @@ -3,7 +3,7 @@ | |||
| 3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
| 4 | quiet | 4 | quiet |
| 5 | # Persistent local customizations | 5 | # Persistent local customizations |
| 6 | include meson.local | 6 | include pip.local |
| 7 | # Persistent global definitions | 7 | # Persistent global definitions |
| 8 | include globals.local | 8 | include globals.local |
| 9 | 9 | ||
| @@ -12,6 +12,9 @@ ignore read-only ${HOME}/.local/lib | |||
| 12 | # Allow python3 (blacklisted by disable-interpreters.inc) | 12 | # Allow python3 (blacklisted by disable-interpreters.inc) |
| 13 | include allow-python3.inc | 13 | include allow-python3.inc |
| 14 | 14 | ||
| 15 | noblacklist ${HOME}/.cache/pip | ||
| 16 | |||
| 17 | #whitelist ${HOME}/.cache/pip | ||
| 15 | #whitelist ${HOME}/.local/lib/python* | 18 | #whitelist ${HOME}/.local/lib/python* |
| 16 | 19 | ||
| 17 | # Redirect | 20 | # Redirect |
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 7d8fe273a..3dd339d94 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
| @@ -517,7 +517,7 @@ There is no root account (uid 0) defined in the namespace. | |||
| 517 | Enable protocol filter. The filter is based on seccomp and checks the | 517 | Enable protocol filter. The filter is based on seccomp and checks the |
| 518 | first argument to socket system call. Recognized values: \fBunix\fR, | 518 | first argument to socket system call. Recognized values: \fBunix\fR, |
| 519 | \fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR, and \fBbluetooth\fR. | 519 | \fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR, and \fBbluetooth\fR. |
| 520 | Multiple protocol commands are allowed. | 520 | Multiple protocol commands are allowed and they accumulate. |
| 521 | .TP | 521 | .TP |
| 522 | \fBseccomp | 522 | \fBseccomp |
| 523 | Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details. | 523 | Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details. |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index af71fe5cc..41171a4e7 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
| @@ -2182,6 +2182,7 @@ $ firejail \-\-profile.print=browser | |||
| 2182 | \fB\-\-protocol=protocol,protocol,protocol | 2182 | \fB\-\-protocol=protocol,protocol,protocol |
| 2183 | Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call. | 2183 | Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call. |
| 2184 | Recognized values: unix, inet, inet6, netlink, packet, and bluetooth. This option is not supported for i386 architecture. | 2184 | Recognized values: unix, inet, inet6, netlink, packet, and bluetooth. This option is not supported for i386 architecture. |
| 2185 | Multiple protocol commands are allowed and they accumulate. | ||
| 2185 | .br | 2186 | .br |
| 2186 | 2187 | ||
| 2187 | .br | 2188 | .br |