diff options
| -rw-r--r-- | README.md | 2 | ||||
| -rw-r--r-- | RELNOTES | 2 | ||||
| -rw-r--r-- | etc/inc/disable-common.inc | 9 | ||||
| -rw-r--r-- | etc/profile-a-l/ftp.profile | 54 | ||||
| -rw-r--r-- | etc/profile-m-z/telnet.profile | 54 | ||||
| -rw-r--r-- | src/firecfg/firecfg.config | 2 |
6 files changed, 118 insertions, 5 deletions
| @@ -248,4 +248,4 @@ $ ./profstats *.profile | |||
| 248 | ### New profiles: | 248 | ### New profiles: |
| 249 | 249 | ||
| 250 | clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta, ncdu2, gallery-dl, yt-dlp, goldendict, bundle, | 250 | clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta, ncdu2, gallery-dl, yt-dlp, goldendict, bundle, |
| 251 | cmake, make, meson, pip, codium | 251 | cmake, make, meson, pip, codium, telnet, ftp |
| @@ -10,7 +10,7 @@ firejail (0.9.67) baseline; urgency=low | |||
| 10 | * new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim | 10 | * new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim |
| 11 | * new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl | 11 | * new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl |
| 12 | * new profiles: yt-dlp, goldendict, goldendict, bundle, cmake | 12 | * new profiles: yt-dlp, goldendict, goldendict, bundle, cmake |
| 13 | * new profiles: make, meson, pip, codium | 13 | * new profiles: make, meson, pip, codium, telnet, ftp |
| 14 | -- netblue30 <netblue30@yahoo.com> Thu, 29 Jul 2021 09:00:00 -0500 | 14 | -- netblue30 <netblue30@yahoo.com> Thu, 29 Jul 2021 09:00:00 -0500 |
| 15 | 15 | ||
| 16 | firejail (0.9.66) baseline; urgency=low | 16 | firejail (0.9.66) baseline; urgency=low |
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index bdc5ff6b2..3f4c69dfe 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc | |||
| @@ -494,7 +494,6 @@ blacklist ${PATH}/unix_chkpwd | |||
| 494 | blacklist ${PATH}/xev | 494 | blacklist ${PATH}/xev |
| 495 | blacklist ${PATH}/xinput | 495 | blacklist ${PATH}/xinput |
| 496 | # from 0.9.67 | 496 | # from 0.9.67 |
| 497 | blacklist ${PATH}/ssh | ||
| 498 | blacklist /usr/lib/openssh | 497 | blacklist /usr/lib/openssh |
| 499 | blacklist /usr/lib/ssh | 498 | blacklist /usr/lib/ssh |
| 500 | blacklist /usr/libexec/openssh | 499 | blacklist /usr/libexec/openssh |
| @@ -583,8 +582,7 @@ blacklist ${HOME}/sent | |||
| 583 | # kernel configuration | 582 | # kernel configuration |
| 584 | blacklist /proc/config.gz | 583 | blacklist /proc/config.gz |
| 585 | 584 | ||
| 586 | # prevent DNS malware attempting to communicate with the server | 585 | # prevent DNS malware attempting to communicate with the server using regular DNS tools |
| 587 | # using regular DNS tools | ||
| 588 | blacklist ${PATH}/dig | 586 | blacklist ${PATH}/dig |
| 589 | blacklist ${PATH}/dlint | 587 | blacklist ${PATH}/dlint |
| 590 | blacklist ${PATH}/dns2tcp | 588 | blacklist ${PATH}/dns2tcp |
| @@ -602,6 +600,11 @@ blacklist ${PATH}/nslookup | |||
| 602 | blacklist ${PATH}/resolvectl | 600 | blacklist ${PATH}/resolvectl |
| 603 | blacklist ${PATH}/unbound-host | 601 | blacklist ${PATH}/unbound-host |
| 604 | 602 | ||
| 603 | # prevent an intruder to guess passwords using regular network tools | ||
| 604 | blacklist ${PATH}/ftp | ||
| 605 | blacklist ${PATH}/ssh | ||
| 606 | blacklist ${PATH}/telnet | ||
| 607 | |||
| 605 | # rest of ${RUNUSER} | 608 | # rest of ${RUNUSER} |
| 606 | blacklist ${RUNUSER}/*.lock | 609 | blacklist ${RUNUSER}/*.lock |
| 607 | blacklist ${RUNUSER}/inaccessible | 610 | blacklist ${RUNUSER}/inaccessible |
diff --git a/etc/profile-a-l/ftp.profile b/etc/profile-a-l/ftp.profile new file mode 100644 index 000000000..29470360c --- /dev/null +++ b/etc/profile-a-l/ftp.profile | |||
| @@ -0,0 +1,54 @@ | |||
| 1 | # Firejail profile for ftp | ||
| 2 | # Description: standard File Access Protocol utility | ||
| 3 | # This file is overwritten after every install/update | ||
| 4 | quiet | ||
| 5 | # Persistent local customizations | ||
| 6 | include ftp.local | ||
| 7 | # Persistent global definitions | ||
| 8 | include globals.local | ||
| 9 | |||
| 10 | noblacklist ${PATH}/ftp | ||
| 11 | |||
| 12 | include disable-common.inc | ||
| 13 | include disable-devel.inc | ||
| 14 | include disable-exec.inc | ||
| 15 | include disable-interpreters.inc | ||
| 16 | include disable-proc.inc | ||
| 17 | include disable-programs.inc | ||
| 18 | #include disable-shell.inc | ||
| 19 | include disable-write-mnt.inc | ||
| 20 | include disable-X11.inc | ||
| 21 | include disable-xdg.inc | ||
| 22 | |||
| 23 | apparmor | ||
| 24 | caps.drop all | ||
| 25 | ipc-namespace | ||
| 26 | machine-id | ||
| 27 | netfilter | ||
| 28 | no3d | ||
| 29 | nodvd | ||
| 30 | nogroups | ||
| 31 | noinput | ||
| 32 | nonewprivs | ||
| 33 | noroot | ||
| 34 | nosound | ||
| 35 | notv | ||
| 36 | nou2f | ||
| 37 | novideo | ||
| 38 | protocol inet,inet6 | ||
| 39 | seccomp | ||
| 40 | shell none | ||
| 41 | tracelog | ||
| 42 | |||
| 43 | #disable-mnt | ||
| 44 | #private-bin PROGRAMS | ||
| 45 | private-cache | ||
| 46 | private-dev | ||
| 47 | #private-etc FILES | ||
| 48 | private-tmp | ||
| 49 | |||
| 50 | dbus-user none | ||
| 51 | dbus-system none | ||
| 52 | |||
| 53 | memory-deny-write-execute | ||
| 54 | noexec ${HOME} | ||
diff --git a/etc/profile-m-z/telnet.profile b/etc/profile-m-z/telnet.profile new file mode 100644 index 000000000..0b0510460 --- /dev/null +++ b/etc/profile-m-z/telnet.profile | |||
| @@ -0,0 +1,54 @@ | |||
| 1 | # Firejail profile for ftp | ||
| 2 | # Description: standard File Access Protocol utility | ||
| 3 | # This file is overwritten after every install/update | ||
| 4 | quiet | ||
| 5 | # Persistent local customizations | ||
| 6 | include telnet.local | ||
| 7 | # Persistent global definitions | ||
| 8 | include globals.local | ||
| 9 | |||
| 10 | noblacklist ${PATH}/telnet | ||
| 11 | |||
| 12 | include disable-common.inc | ||
| 13 | include disable-devel.inc | ||
| 14 | include disable-exec.inc | ||
| 15 | include disable-interpreters.inc | ||
| 16 | include disable-proc.inc | ||
| 17 | include disable-programs.inc | ||
| 18 | #include disable-shell.inc | ||
| 19 | include disable-write-mnt.inc | ||
| 20 | include disable-X11.inc | ||
| 21 | include disable-xdg.inc | ||
| 22 | |||
| 23 | apparmor | ||
| 24 | caps.drop all | ||
| 25 | ipc-namespace | ||
| 26 | machine-id | ||
| 27 | netfilter | ||
| 28 | no3d | ||
| 29 | nodvd | ||
| 30 | nogroups | ||
| 31 | noinput | ||
| 32 | nonewprivs | ||
| 33 | noroot | ||
| 34 | nosound | ||
| 35 | notv | ||
| 36 | nou2f | ||
| 37 | novideo | ||
| 38 | protocol inet,inet6 | ||
| 39 | seccomp | ||
| 40 | shell none | ||
| 41 | tracelog | ||
| 42 | |||
| 43 | #disable-mnt | ||
| 44 | #private-bin PROGRAMS | ||
| 45 | private-cache | ||
| 46 | private-dev | ||
| 47 | #private-etc FILES | ||
| 48 | private-tmp | ||
| 49 | |||
| 50 | dbus-user none | ||
| 51 | dbus-system none | ||
| 52 | |||
| 53 | memory-deny-write-execute | ||
| 54 | noexec ${HOME} | ||
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 3ec5f9660..740095ee7 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
| @@ -275,6 +275,7 @@ freetube | |||
| 275 | freshclam | 275 | freshclam |
| 276 | frogatto | 276 | frogatto |
| 277 | frozen-bubble | 277 | frozen-bubble |
| 278 | ftp | ||
| 278 | funnyboat | 279 | funnyboat |
| 279 | gajim | 280 | gajim |
| 280 | gajim-history-manager | 281 | gajim-history-manager |
| @@ -767,6 +768,7 @@ teamspeak3 | |||
| 767 | teeworlds | 768 | teeworlds |
| 768 | telegram | 769 | telegram |
| 769 | telegram-desktop | 770 | telegram-desktop |
| 771 | telnet | ||
| 770 | terasology | 772 | terasology |
| 771 | textmaker18 | 773 | textmaker18 |
| 772 | textmaker18free | 774 | textmaker18free |