diff options
190 files changed, 1081 insertions, 705 deletions
diff --git a/.gitignore b/.gitignore index eeaa0bb03..1285dea92 100644 --- a/.gitignore +++ b/.gitignore | |||
@@ -38,3 +38,5 @@ seccomp.32 | |||
38 | seccomp.64 | 38 | seccomp.64 |
39 | seccomp.block_secondary | 39 | seccomp.block_secondary |
40 | seccomp.mdwx | 40 | seccomp.mdwx |
41 | src/common.mk | ||
42 | |||
diff --git a/Makefile.in b/Makefile.in index 27187f53a..134e7bd66 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -75,7 +75,7 @@ distclean: clean | |||
75 | for dir in $(APPS) $(MYLIBS); do \ | 75 | for dir in $(APPS) $(MYLIBS); do \ |
76 | $(MAKE) -C $$dir distclean; \ | 76 | $(MAKE) -C $$dir distclean; \ |
77 | done | 77 | done |
78 | rm -fr Makefile autom4te.cache config.log config.status config.h uids.h | 78 | rm -fr Makefile autom4te.cache config.log config.status config.h uids.h dummy.o src/common.mk |
79 | 79 | ||
80 | realinstall: | 80 | realinstall: |
81 | # firejail executable | 81 | # firejail executable |
@@ -107,6 +107,7 @@ endif | |||
107 | install -c -m 0755 src/fbuilder/fbuilder $(DESTDIR)/$(libdir)/firejail/. | 107 | install -c -m 0755 src/fbuilder/fbuilder $(DESTDIR)/$(libdir)/firejail/. |
108 | ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) | 108 | ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) |
109 | install -c -m 0755 src/fsec-print/fsec-print $(DESTDIR)/$(libdir)/firejail/. | 109 | install -c -m 0755 src/fsec-print/fsec-print $(DESTDIR)/$(libdir)/firejail/. |
110 | install -c -m 0755 src/fsec-optimize/fsec-optimize $(DESTDIR)/$(libdir)/firejail/. | ||
110 | install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/. | 111 | install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/. |
111 | install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/. | 112 | install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/. |
112 | install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/. | 113 | install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/. |
@@ -176,6 +177,7 @@ install-strip: all | |||
176 | strip src/fnetfilter/fnetfilter | 177 | strip src/fnetfilter/fnetfilter |
177 | strip src/fseccomp/fseccomp | 178 | strip src/fseccomp/fseccomp |
178 | strip src/fsec-print/fsec-print | 179 | strip src/fsec-print/fsec-print |
180 | strip src/fsec-optimize/fsec-optimize | ||
179 | strip src/fcopy/fcopy | 181 | strip src/fcopy/fcopy |
180 | strip src/fldd/fldd | 182 | strip src/fldd/fldd |
181 | strip src/fbuilder/fbuilder | 183 | strip src/fbuilder/fbuilder |
@@ -195,7 +197,7 @@ uninstall: | |||
195 | rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon | 197 | rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon |
196 | rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg | 198 | rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg |
197 | 199 | ||
198 | DISTFILES = "src etc platform contrib configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES" | 200 | DISTFILES = "src etc platform contrib configure configure.ac dummy.c Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES" |
199 | DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils test/chroot" | 201 | DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils test/chroot" |
200 | 202 | ||
201 | dist: | 203 | dist: |
@@ -244,6 +244,10 @@ Gaman Gabriel (https://github.com/stelariusinfinitek) | |||
244 | - inox profile | 244 | - inox profile |
245 | geg2048 (https://github.com/geg2048) | 245 | geg2048 (https://github.com/geg2048) |
246 | - kwallet profile fixes | 246 | - kwallet profile fixes |
247 | glitsj16 (https://github.com/glitsj16) | ||
248 | - evince-previewer, evince-thumbnailer profiles | ||
249 | - gnome-recipes, gnome-logs profiles | ||
250 | - fixed private-lib for gnome-calculator | ||
247 | graywolf (https://github.com/graywolf) | 251 | graywolf (https://github.com/graywolf) |
248 | - spelling fix | 252 | - spelling fix |
249 | greigdp (https://github.com/greigdp) | 253 | greigdp (https://github.com/greigdp) |
@@ -284,6 +288,8 @@ Jaykishan Mutkawoa (https://github.com/jmutkawoa) | |||
284 | James Elford (https://github.com/jelford) | 288 | James Elford (https://github.com/jelford) |
285 | - pass password manager support | 289 | - pass password manager support |
286 | - removed shell none from ssh-agent configuration, fixing the infinit loop | 290 | - removed shell none from ssh-agent configuration, fixing the infinit loop |
291 | - added gcloud profile | ||
292 | - blacklist sensitive cloud provider files in disable-common | ||
287 | Jericho (https://github.com/attritionorg) | 293 | Jericho (https://github.com/attritionorg) |
288 | - spelling | 294 | - spelling |
289 | Jesse Smith (https://github.com/slicer69) | 295 | Jesse Smith (https://github.com/slicer69) |
@@ -98,6 +98,65 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir | |||
98 | ````` | 98 | ````` |
99 | # Current development version: 0.9.53 | 99 | # Current development version: 0.9.53 |
100 | 100 | ||
101 | ## Spectre mitigation | ||
102 | |||
103 | If your gcc compiler version supports it, -mindirect-branch=thunk is inserted into EXTRA_CFLAGS during software configuration. | ||
104 | The patch was introduced in gcc version 8, and it was backported to gcc 7. You'll also find it | ||
105 | on older versions, for example on Debian stable running on gcc 6.3.0. This is how you check it: | ||
106 | ````` | ||
107 | $ ./configure --prefix=/usr | ||
108 | checking for gcc... gcc | ||
109 | checking whether the C compiler works... yes | ||
110 | checking for C compiler default output file name... a.out | ||
111 | checking for suffix of executables... | ||
112 | checking whether we are cross compiling... no | ||
113 | checking for suffix of object files... o | ||
114 | checking whether we are using the GNU C compiler... yes | ||
115 | checking whether gcc accepts -g... yes | ||
116 | checking for gcc option to accept ISO C89... none needed | ||
117 | checking for a BSD-compatible install... /usr/bin/install -c | ||
118 | checking for ranlib... ranlib | ||
119 | checking for Spectre mitigation support in gcc compiler... yes | ||
120 | [...] | ||
121 | Configuration options: | ||
122 | prefix: /usr | ||
123 | sysconfdir: /etc | ||
124 | seccomp: -DHAVE_SECCOMP | ||
125 | <linux/seccomp.h>: -DHAVE_SECCOMP_H | ||
126 | apparmor: | ||
127 | global config: -DHAVE_GLOBALCFG | ||
128 | chroot: -DHAVE_CHROOT | ||
129 | bind: -DHAVE_BIND | ||
130 | network: -DHAVE_NETWORK | ||
131 | user namespace: -DHAVE_USERNS | ||
132 | X11 sandboxing support: -DHAVE_X11 | ||
133 | whitelisting: -DHAVE_WHITELIST | ||
134 | private home support: -DHAVE_PRIVATE_HOME | ||
135 | file transfer support: -DHAVE_FILE_TRANSFER | ||
136 | overlayfs support: -DHAVE_OVERLAYFS | ||
137 | git install support: | ||
138 | busybox workaround: no | ||
139 | Spectre compiler patch: yes | ||
140 | EXTRA_LDFLAGS: | ||
141 | EXTRA_CFLAGS: -mindirect-branch=thunk | ||
142 | fatal warnings: | ||
143 | Gcov instrumentation: | ||
144 | Install contrib scripts: yes | ||
145 | ````` | ||
146 | This feature is also supported for LLVM/clang compiler | ||
147 | |||
148 | ## New command line options | ||
149 | ````` | ||
150 | --nodbus | ||
151 | Disable D-Bus access. Only the regular UNIX socket is handled by | ||
152 | this command. To disable the abstract socket you would need to | ||
153 | request a new network namespace using --net command. Another | ||
154 | option is to remove unix from --protocol set. | ||
155 | |||
156 | Example: | ||
157 | $ firejail --nodbus --net=none | ||
158 | ````` | ||
159 | |||
101 | ## AppImage development | 160 | ## AppImage development |
102 | 161 | ||
103 | Support for private-bin, private-lib and shell none has been disabled while running AppImage archives. | 162 | Support for private-bin, private-lib and shell none has been disabled while running AppImage archives. |
@@ -213,9 +272,10 @@ enable/disable apparmor functionality globally. By default the flag is enabled. | |||
213 | AppArmor deployment: we are starting apparmor by default for the following programs: | 272 | AppArmor deployment: we are starting apparmor by default for the following programs: |
214 | - web browsers: firefox (firefox-common.profile), chromium (chromium-common.profile) | 273 | - web browsers: firefox (firefox-common.profile), chromium (chromium-common.profile) |
215 | - torrent clients: transmission-qt, transmission-gtk, qbittorrent | 274 | - torrent clients: transmission-qt, transmission-gtk, qbittorrent |
216 | - media players: vlc, mpv, audacious, totem, rhythmbox | 275 | - media players: vlc, mpv, audacious, kodi, smplayer |
217 | - media editing: kdenlive, audacity, handbrake, gimp, inkscape, krita, openshot | 276 | - media editing: kdenlive, audacity, handbrake, inkscape, gimp, krita, openshot |
218 | - etc.: atril, gnome-calculator, galculator, eom, eog | 277 | - archive managers: ark, engrampa, file-roller |
278 | - etc.: digikam, libreoffice, okular, gwenview, galculator, kcalc | ||
219 | 279 | ||
220 | Checking apparmor status: | 280 | Checking apparmor status: |
221 | ````` | 281 | ````` |
@@ -246,4 +306,6 @@ firefox-common-addons.inc in firefox-common.profile. | |||
246 | 306 | ||
247 | Basilisk browser, Tor Browser language packs, PlayOnLinux, sylpheed, discord-canary, | 307 | Basilisk browser, Tor Browser language packs, PlayOnLinux, sylpheed, discord-canary, |
248 | pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain, | 308 | pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain, |
249 | tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder | 309 | tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder, |
310 | gnome-recipes, akonadi_control, evince-previewer, evince-thumbnailer, blender-2.8, | ||
311 | thunderbird-beta, ncdu, gnome-logs, gcloud | ||
@@ -9,10 +9,11 @@ firejail (0.9.53) baseline; urgency=low | |||
9 | All users of Firefox-based browsers who use addons and plugins | 9 | All users of Firefox-based browsers who use addons and plugins |
10 | that read/write from ${HOME} will need to uncomment the includes for | 10 | that read/write from ${HOME} will need to uncomment the includes for |
11 | firefox-common-addons.inc in firefox-common.profile. | 11 | firefox-common-addons.inc in firefox-common.profile. |
12 | * Spectre mitigation patch for gcc and clang compiler | ||
13 | * D-Bus handling (--nodbus) | ||
12 | * AppArmor support for overlayfs and chroot sandboxes | 14 | * AppArmor support for overlayfs and chroot sandboxes |
13 | * AppArmor support for AppImages | 15 | * AppArmor support for AppImages |
14 | * Enable AppArmor by default for Firefox, Chromium, Transmission | 16 | * Enable AppArmor by default for a large number of programs |
15 | VLC and mpv | ||
16 | * firejail --apparmor.print option | 17 | * firejail --apparmor.print option |
17 | * firemon --apparmor option | 18 | * firemon --apparmor option |
18 | * apparmor yes/no flag in /etc/firejail/firejail.config | 19 | * apparmor yes/no flag in /etc/firejail/firejail.config |
@@ -26,8 +27,10 @@ firejail (0.9.53) baseline; urgency=low | |||
26 | * added sandbox name support in firemon | 27 | * added sandbox name support in firemon |
27 | * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed, | 28 | * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed, |
28 | * new profiles: discord-canary, pycharm-community, pycharm-professional, | 29 | * new profiles: discord-canary, pycharm-community, pycharm-professional, |
29 | * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine, VS Code, | 30 | * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine, |
30 | * new profiles: falkon, gnome-builder, asunder | 31 | * new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes |
32 | * new profiles: akonadi_controle, evince-previewer, evince-thumbnailer, | ||
33 | * new profiles: blender-2.8, thunderbird-beta, ncdu, gnome-logs, gcloud | ||
31 | -- netblue30 <netblue30@yahoo.com> Thu, 1 Mar 2018 08:00:00 -0500 | 34 | -- netblue30 <netblue30@yahoo.com> Thu, 1 Mar 2018 08:00:00 -0500 |
32 | 35 | ||
33 | firejail (0.9.52) baseline; urgency=low | 36 | firejail (0.9.52) baseline; urgency=low |
@@ -646,6 +646,7 @@ EGREP | |||
646 | GREP | 646 | GREP |
647 | CPP | 647 | CPP |
648 | HAVE_APPARMOR | 648 | HAVE_APPARMOR |
649 | EXTRA_CFLAGS | ||
649 | RANLIB | 650 | RANLIB |
650 | INSTALL_DATA | 651 | INSTALL_DATA |
651 | INSTALL_SCRIPT | 652 | INSTALL_SCRIPT |
@@ -2099,7 +2100,6 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu | |||
2099 | 2100 | ||
2100 | #AC_CONFIG_HEADERS([config.h]) | 2101 | #AC_CONFIG_HEADERS([config.h]) |
2101 | 2102 | ||
2102 | |||
2103 | ac_ext=c | 2103 | ac_ext=c |
2104 | ac_cpp='$CPP $CPPFLAGS' | 2104 | ac_cpp='$CPP $CPPFLAGS' |
2105 | ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' | 2105 | ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' |
@@ -3105,6 +3105,47 @@ else | |||
3105 | fi | 3105 | fi |
3106 | 3106 | ||
3107 | 3107 | ||
3108 | HAVE_SPECTRE="no" | ||
3109 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Spectre mitigation support in gcc or clang compiler" >&5 | ||
3110 | $as_echo_n "checking for Spectre mitigation support in gcc or clang compiler... " >&6; } | ||
3111 | if test "$CC" = "gcc"; then : | ||
3112 | |||
3113 | HAVE_SPECTRE="yes" | ||
3114 | $CC -mindirect-branch=thunk -c dummy.c || HAVE_SPECTRE="no" | ||
3115 | rm -f dummy.o | ||
3116 | if test "$HAVE_SPECTRE" = "yes"; then : | ||
3117 | |||
3118 | EXTRA_CFLAGS+=" -mindirect-branch=thunk " | ||
3119 | |||
3120 | fi | ||
3121 | |||
3122 | fi | ||
3123 | if test "$CC" = "clang"; then : | ||
3124 | |||
3125 | HAVE_SPECTRE="yes" | ||
3126 | $CC -mretpoline -c dummy.c || HAVE_SPECTRE="no" | ||
3127 | rm -f dummy.o | ||
3128 | if test "$HAVE_SPECTRE" = "yes"; then : | ||
3129 | |||
3130 | EXTRA_CFLAGS+=" -mretpoline " | ||
3131 | |||
3132 | fi | ||
3133 | |||
3134 | fi | ||
3135 | if test "$HAVE_SPECTRE" = "yes"; then : | ||
3136 | |||
3137 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 | ||
3138 | $as_echo "yes" >&6; } | ||
3139 | |||
3140 | fi | ||
3141 | if test "$HAVE_SPECTRE" = "no"; then : | ||
3142 | |||
3143 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: ... not available" >&5 | ||
3144 | $as_echo "... not available" >&6; } | ||
3145 | |||
3146 | fi | ||
3147 | |||
3148 | |||
3108 | HAVE_APPARMOR="" | 3149 | HAVE_APPARMOR="" |
3109 | # Check whether --enable-apparmor was given. | 3150 | # Check whether --enable-apparmor was given. |
3110 | if test "${enable_apparmor+set}" = set; then : | 3151 | if test "${enable_apparmor+set}" = set; then : |
@@ -3119,7 +3160,6 @@ if test "x$enable_apparmor" = "xyes"; then : | |||
3119 | fi | 3160 | fi |
3120 | 3161 | ||
3121 | 3162 | ||
3122 | |||
3123 | ac_ext=c | 3163 | ac_ext=c |
3124 | ac_cpp='$CPP $CPPFLAGS' | 3164 | ac_cpp='$CPP $CPPFLAGS' |
3125 | ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' | 3165 | ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' |
@@ -3531,7 +3571,7 @@ fi | |||
3531 | fi | 3571 | fi |
3532 | if test "x$enable_apparmor" = "xyes"; then : | 3572 | if test "x$enable_apparmor" = "xyes"; then : |
3533 | 3573 | ||
3534 | EXTRA_LDFLAGS+="-lapparmor " | 3574 | EXTRA_LDFLAGS+=" -lapparmor " |
3535 | 3575 | ||
3536 | fi | 3576 | fi |
3537 | 3577 | ||
@@ -3725,7 +3765,7 @@ fi | |||
3725 | if test "x$enable_gcov" = "xyes"; then : | 3765 | if test "x$enable_gcov" = "xyes"; then : |
3726 | 3766 | ||
3727 | HAVE_GCOV="--coverage -DHAVE_GCOV " | 3767 | HAVE_GCOV="--coverage -DHAVE_GCOV " |
3728 | EXTRA_LDFLAGS+="-lgcov --coverage " | 3768 | EXTRA_LDFLAGS+=" -lgcov --coverage " |
3729 | 3769 | ||
3730 | 3770 | ||
3731 | fi | 3771 | fi |
@@ -3823,7 +3863,7 @@ if test "$prefix" = /usr; then | |||
3823 | sysconfdir="/etc" | 3863 | sysconfdir="/etc" |
3824 | fi | 3864 | fi |
3825 | 3865 | ||
3826 | ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile" | 3866 | ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile" |
3827 | 3867 | ||
3828 | cat >confcache <<\_ACEOF | 3868 | cat >confcache <<\_ACEOF |
3829 | # This file is a shell script that caches the results of configure | 3869 | # This file is a shell script that caches the results of configure |
@@ -4533,6 +4573,7 @@ for ac_config_target in $ac_config_targets | |||
4533 | do | 4573 | do |
4534 | case $ac_config_target in | 4574 | case $ac_config_target in |
4535 | "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; | 4575 | "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; |
4576 | "src/common.mk") CONFIG_FILES="$CONFIG_FILES src/common.mk" ;; | ||
4536 | "src/lib/Makefile") CONFIG_FILES="$CONFIG_FILES src/lib/Makefile" ;; | 4577 | "src/lib/Makefile") CONFIG_FILES="$CONFIG_FILES src/lib/Makefile" ;; |
4537 | "src/fcopy/Makefile") CONFIG_FILES="$CONFIG_FILES src/fcopy/Makefile" ;; | 4578 | "src/fcopy/Makefile") CONFIG_FILES="$CONFIG_FILES src/fcopy/Makefile" ;; |
4538 | "src/fnet/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnet/Makefile" ;; | 4579 | "src/fnet/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnet/Makefile" ;; |
@@ -5024,7 +5065,9 @@ echo " file transfer support: $HAVE_FILE_TRANSFER" | |||
5024 | echo " overlayfs support: $HAVE_OVERLAYFS" | 5065 | echo " overlayfs support: $HAVE_OVERLAYFS" |
5025 | echo " git install support: $HAVE_GIT_INSTALL" | 5066 | echo " git install support: $HAVE_GIT_INSTALL" |
5026 | echo " busybox workaround: $BUSYBOX_WORKAROUND" | 5067 | echo " busybox workaround: $BUSYBOX_WORKAROUND" |
5068 | echo " Spectre compiler patch: $HAVE_SPECTRE" | ||
5027 | echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" | 5069 | echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" |
5070 | echo " EXTRA_CFLAGS: $EXTRA_CFLAGS" | ||
5028 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" | 5071 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" |
5029 | echo " Gcov instrumentation: $HAVE_GCOV" | 5072 | echo " Gcov instrumentation: $HAVE_GCOV" |
5030 | echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL" | 5073 | echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL" |
diff --git a/configure.ac b/configure.ac index 952dec3b8..460c93d50 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -3,12 +3,37 @@ AC_INIT(firejail, 0.9.53, netblue30@yahoo.com, , http://firejail.wordpress.com) | |||
3 | AC_CONFIG_SRCDIR([src/firejail/main.c]) | 3 | AC_CONFIG_SRCDIR([src/firejail/main.c]) |
4 | #AC_CONFIG_HEADERS([config.h]) | 4 | #AC_CONFIG_HEADERS([config.h]) |
5 | 5 | ||
6 | |||
7 | AC_PROG_CC | 6 | AC_PROG_CC |
8 | #AC_PROG_CXX | 7 | #AC_PROG_CXX |
9 | AC_PROG_INSTALL | 8 | AC_PROG_INSTALL |
10 | AC_PROG_RANLIB | 9 | AC_PROG_RANLIB |
11 | 10 | ||
11 | HAVE_SPECTRE="no" | ||
12 | AC_MSG_CHECKING(for Spectre mitigation support in gcc or clang compiler) | ||
13 | AS_IF([test "$CC" = "gcc"], [ | ||
14 | HAVE_SPECTRE="yes" | ||
15 | $CC -mindirect-branch=thunk -c dummy.c || HAVE_SPECTRE="no" | ||
16 | rm -f dummy.o | ||
17 | AS_IF([test "$HAVE_SPECTRE" = "yes"], [ | ||
18 | EXTRA_CFLAGS+=" -mindirect-branch=thunk " | ||
19 | ]) | ||
20 | ]) | ||
21 | AS_IF([test "$CC" = "clang"], [ | ||
22 | HAVE_SPECTRE="yes" | ||
23 | $CC -mretpoline -c dummy.c || HAVE_SPECTRE="no" | ||
24 | rm -f dummy.o | ||
25 | AS_IF([test "$HAVE_SPECTRE" = "yes"], [ | ||
26 | EXTRA_CFLAGS+=" -mretpoline " | ||
27 | ]) | ||
28 | ]) | ||
29 | AS_IF([test "$HAVE_SPECTRE" = "yes"], [ | ||
30 | AC_MSG_RESULT(yes) | ||
31 | ]) | ||
32 | AS_IF([test "$HAVE_SPECTRE" = "no"], [ | ||
33 | AC_MSG_RESULT(... not available) | ||
34 | ]) | ||
35 | AC_SUBST([EXTRA_CFLAGS]) | ||
36 | |||
12 | HAVE_APPARMOR="" | 37 | HAVE_APPARMOR="" |
13 | AC_ARG_ENABLE([apparmor], | 38 | AC_ARG_ENABLE([apparmor], |
14 | AS_HELP_STRING([--enable-apparmor], [enable apparmor])) | 39 | AS_HELP_STRING([--enable-apparmor], [enable apparmor])) |
@@ -17,13 +42,12 @@ AS_IF([test "x$enable_apparmor" = "xyes"], [ | |||
17 | AC_SUBST(HAVE_APPARMOR) | 42 | AC_SUBST(HAVE_APPARMOR) |
18 | ]) | 43 | ]) |
19 | 44 | ||
20 | |||
21 | AS_IF([test "x$enable_apparmor" = "xyes"], [ | 45 | AS_IF([test "x$enable_apparmor" = "xyes"], [ |
22 | AC_CHECK_HEADER(sys/apparmor.h, , [AC_MSG_ERROR( | 46 | AC_CHECK_HEADER(sys/apparmor.h, , [AC_MSG_ERROR( |
23 | [Couldn't find sys/apparmor.h... please install apparmor user space library and development files] )]) | 47 | [Couldn't find sys/apparmor.h... please install apparmor user space library and development files] )]) |
24 | ]) | 48 | ]) |
25 | AS_IF([test "x$enable_apparmor" = "xyes"], [ | 49 | AS_IF([test "x$enable_apparmor" = "xyes"], [ |
26 | EXTRA_LDFLAGS+="-lapparmor " | 50 | EXTRA_LDFLAGS+=" -lapparmor " |
27 | ]) | 51 | ]) |
28 | AC_SUBST([EXTRA_LDFLAGS]) | 52 | AC_SUBST([EXTRA_LDFLAGS]) |
29 | 53 | ||
@@ -142,7 +166,7 @@ AC_ARG_ENABLE([gcov], | |||
142 | AS_HELP_STRING([--enable-gcov], [Gcov instrumentation])) | 166 | AS_HELP_STRING([--enable-gcov], [Gcov instrumentation])) |
143 | AS_IF([test "x$enable_gcov" = "xyes"], [ | 167 | AS_IF([test "x$enable_gcov" = "xyes"], [ |
144 | HAVE_GCOV="--coverage -DHAVE_GCOV " | 168 | HAVE_GCOV="--coverage -DHAVE_GCOV " |
145 | EXTRA_LDFLAGS+="-lgcov --coverage " | 169 | EXTRA_LDFLAGS+=" -lgcov --coverage " |
146 | AC_SUBST(HAVE_GCOV) | 170 | AC_SUBST(HAVE_GCOV) |
147 | ]) | 171 | ]) |
148 | 172 | ||
@@ -175,7 +199,7 @@ if test "$prefix" = /usr; then | |||
175 | sysconfdir="/etc" | 199 | sysconfdir="/etc" |
176 | fi | 200 | fi |
177 | 201 | ||
178 | AC_OUTPUT(Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \ | 202 | AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \ |
179 | src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \ | 203 | src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \ |
180 | src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile) | 204 | src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile) |
181 | 205 | ||
@@ -198,7 +222,9 @@ echo " file transfer support: $HAVE_FILE_TRANSFER" | |||
198 | echo " overlayfs support: $HAVE_OVERLAYFS" | 222 | echo " overlayfs support: $HAVE_OVERLAYFS" |
199 | echo " git install support: $HAVE_GIT_INSTALL" | 223 | echo " git install support: $HAVE_GIT_INSTALL" |
200 | echo " busybox workaround: $BUSYBOX_WORKAROUND" | 224 | echo " busybox workaround: $BUSYBOX_WORKAROUND" |
225 | echo " Spectre compiler patch: $HAVE_SPECTRE" | ||
201 | echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" | 226 | echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" |
227 | echo " EXTRA_CFLAGS: $EXTRA_CFLAGS" | ||
202 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" | 228 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" |
203 | echo " Gcov instrumentation: $HAVE_GCOV" | 229 | echo " Gcov instrumentation: $HAVE_GCOV" |
204 | echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL" | 230 | echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL" |
diff --git a/dummy.c b/dummy.c new file mode 100644 index 000000000..061ed7eef --- /dev/null +++ b/dummy.c | |||
@@ -0,0 +1,3 @@ | |||
1 | int main(void) { | ||
2 | return 0; | ||
3 | } | ||
diff --git a/etc/0ad.profile b/etc/0ad.profile index 057dcf49e..766783997 100644 --- a/etc/0ad.profile +++ b/etc/0ad.profile | |||
@@ -24,6 +24,7 @@ include /etc/firejail/whitelist-common.inc | |||
24 | 24 | ||
25 | caps.drop all | 25 | caps.drop all |
26 | netfilter | 26 | netfilter |
27 | nodbus | ||
27 | nodvd | 28 | nodvd |
28 | nogroups | 29 | nogroups |
29 | nonewprivs | 30 | nonewprivs |
diff --git a/etc/7z.profile b/etc/7z.profile index ededacbbe..0330e4dbf 100644 --- a/etc/7z.profile +++ b/etc/7z.profile | |||
@@ -6,12 +6,12 @@ include /etc/firejail/7z.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
8 | 8 | ||
9 | blacklist /run/user/*/bus | ||
10 | blacklist /tmp/.X11-unix | 9 | blacklist /tmp/.X11-unix |
11 | 10 | ||
12 | ignore noroot | 11 | ignore noroot |
13 | net none | 12 | net none |
14 | no3d | 13 | no3d |
14 | nodbus | ||
15 | nodvd | 15 | nodvd |
16 | nosound | 16 | nosound |
17 | notv | 17 | notv |
diff --git a/etc/akonadi_control.profile b/etc/akonadi_control.profile new file mode 100644 index 000000000..3a4404b28 --- /dev/null +++ b/etc/akonadi_control.profile | |||
@@ -0,0 +1,49 @@ | |||
1 | # Firejail profile for akonadi_control | ||
2 | # Persistent local customizations | ||
3 | include /etc/firejail/akonadi_control.local | ||
4 | # Persistent global definitions | ||
5 | include /etc/firejail/globals.local | ||
6 | |||
7 | noblacklist ${HOME}/.cache/akonadi* | ||
8 | noblacklist ${HOME}/.config/akonadi* | ||
9 | noblacklist ${HOME}/.config/baloorc | ||
10 | noblacklist ${HOME}/.config/emailidentities | ||
11 | noblacklist ${HOME}/.config/kmail2rc | ||
12 | noblacklist ${HOME}/.local/share/akonadi* | ||
13 | noblacklist ${HOME}/.local/share/contacts | ||
14 | noblacklist ${HOME}/.local/share/local-mail | ||
15 | noblacklist ${HOME}/.local/share/notes | ||
16 | noblacklist /tmp/akonadi-* | ||
17 | noblacklist /usr/sbin | ||
18 | |||
19 | include /etc/firejail/disable-common.inc | ||
20 | include /etc/firejail/disable-devel.inc | ||
21 | include /etc/firejail/disable-passwdmgr.inc | ||
22 | include /etc/firejail/disable-programs.inc | ||
23 | |||
24 | include /etc/firejail/whitelist-var-common.inc | ||
25 | |||
26 | # disabled options below are not compatible with the apparmor profile for mysqld-akonadi. | ||
27 | # this affects ubuntu and debian currently | ||
28 | |||
29 | # apparmor | ||
30 | caps.drop all | ||
31 | ipc-namespace | ||
32 | no3d | ||
33 | netfilter | ||
34 | nodvd | ||
35 | nogroups | ||
36 | # nonewprivs | ||
37 | noroot | ||
38 | nosound | ||
39 | notv | ||
40 | novideo | ||
41 | # protocol unix,inet,inet6 | ||
42 | # seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice | ||
43 | tracelog | ||
44 | |||
45 | private-dev | ||
46 | # private-tmp - breaks programs that depend on akonadi | ||
47 | |||
48 | noexec ${HOME} | ||
49 | noexec /tmp | ||
diff --git a/etc/apktool.profile b/etc/apktool.profile index bbf91c264..d5063d79b 100644 --- a/etc/apktool.profile +++ b/etc/apktool.profile | |||
@@ -6,8 +6,6 @@ include /etc/firejail/apktool.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
8 | 8 | ||
9 | blacklist /run/user/*/bus | ||
10 | |||
11 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 10 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | 11 | include /etc/firejail/disable-programs.inc |
@@ -15,6 +13,7 @@ include /etc/firejail/disable-programs.inc | |||
15 | caps.drop all | 13 | caps.drop all |
16 | net none | 14 | net none |
17 | no3d | 15 | no3d |
16 | nodbus | ||
18 | nodvd | 17 | nodvd |
19 | nogroups | 18 | nogroups |
20 | nonewprivs | 19 | nonewprivs |
diff --git a/etc/ardour5.profile b/etc/ardour5.profile index 1f2228544..cf72561da 100644 --- a/etc/ardour5.profile +++ b/etc/ardour5.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/ardour5.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.config/ardour4 | 8 | noblacklist ${HOME}/.config/ardour4 |
11 | noblacklist ${HOME}/.config/ardour5 | 9 | noblacklist ${HOME}/.config/ardour5 |
12 | noblacklist ${HOME}/.lv2 | 10 | noblacklist ${HOME}/.lv2 |
@@ -20,6 +18,7 @@ include /etc/firejail/disable-programs.inc | |||
20 | caps.drop all | 18 | caps.drop all |
21 | ipc-namespace | 19 | ipc-namespace |
22 | net none | 20 | net none |
21 | nodbus | ||
23 | nodvd | 22 | nodvd |
24 | nogroups | 23 | nogroups |
25 | nonewprivs | 24 | nonewprivs |
diff --git a/etc/ark.profile b/etc/ark.profile index beeb652cf..8e156df0f 100644 --- a/etc/ark.profile +++ b/etc/ark.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/ark.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.config/arkrc | 8 | noblacklist ${HOME}/.config/arkrc |
11 | 9 | ||
12 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -20,6 +18,7 @@ apparmor | |||
20 | caps.drop all | 18 | caps.drop all |
21 | # net none | 19 | # net none |
22 | netfilter | 20 | netfilter |
21 | # nodbus | ||
23 | nodvd | 22 | nodvd |
24 | nogroups | 23 | nogroups |
25 | nonewprivs | 24 | nonewprivs |
diff --git a/etc/asunder.profile b/etc/asunder.profile index 0fbc3a158..7d643877f 100644 --- a/etc/asunder.profile +++ b/etc/asunder.profile | |||
@@ -20,6 +20,7 @@ include /etc/firejail/whitelist-var-common.inc | |||
20 | apparmor | 20 | apparmor |
21 | caps.drop all | 21 | caps.drop all |
22 | netfilter | 22 | netfilter |
23 | nodbus | ||
23 | # nogroups | 24 | # nogroups |
24 | nonewprivs | 25 | nonewprivs |
25 | noroot | 26 | noroot |
diff --git a/etc/atom.profile b/etc/atom.profile index de09275cc..c513c7531 100644 --- a/etc/atom.profile +++ b/etc/atom.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/atom.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.atom | 8 | noblacklist ${HOME}/.atom |
11 | noblacklist ${HOME}/.config/Atom | 9 | noblacklist ${HOME}/.config/Atom |
12 | 10 | ||
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc | |||
17 | caps.drop all | 15 | caps.drop all |
18 | # net none | 16 | # net none |
19 | netfilter | 17 | netfilter |
18 | nodbus | ||
20 | nodvd | 19 | nodvd |
21 | nogroups | 20 | nogroups |
22 | nonewprivs | 21 | nonewprivs |
diff --git a/etc/atril-previewer.profile b/etc/atril-previewer.profile new file mode 100644 index 000000000..5d841bc0e --- /dev/null +++ b/etc/atril-previewer.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile for atril-previewer | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/atril-previewer.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
9 | # Redirect | ||
10 | include /etc/firejail/atril.profile | ||
diff --git a/etc/atril-thumbnailer.profile b/etc/atril-thumbnailer.profile new file mode 100644 index 000000000..88c74735d --- /dev/null +++ b/etc/atril-thumbnailer.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile for atril-thumbnailer | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/atril-thumbnailer.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
9 | # Redirect | ||
10 | include /etc/firejail/atril.profile | ||
diff --git a/etc/atril.profile b/etc/atril.profile index a05f11076..e08b70ac6 100644 --- a/etc/atril.profile +++ b/etc/atril.profile | |||
@@ -5,6 +5,7 @@ include /etc/firejail/atril.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.cache/atril | ||
8 | noblacklist ${HOME}/.config/atril | 9 | noblacklist ${HOME}/.config/atril |
9 | 10 | ||
10 | #noblacklist ${HOME}/.local/share | 11 | #noblacklist ${HOME}/.local/share |
@@ -17,7 +18,7 @@ include /etc/firejail/disable-programs.inc | |||
17 | 18 | ||
18 | include /etc/firejail/whitelist-var-common.inc | 19 | include /etc/firejail/whitelist-var-common.inc |
19 | 20 | ||
20 | apparmor | 21 | # apparmor |
21 | caps.drop all | 22 | caps.drop all |
22 | machine-id | 23 | machine-id |
23 | no3d | 24 | no3d |
diff --git a/etc/audacious.profile b/etc/audacious.profile index 93ba5a45d..71003f156 100644 --- a/etc/audacious.profile +++ b/etc/audacious.profile | |||
@@ -18,6 +18,7 @@ include /etc/firejail/whitelist-var-common.inc | |||
18 | apparmor | 18 | apparmor |
19 | caps.drop all | 19 | caps.drop all |
20 | netfilter | 20 | netfilter |
21 | nodbus | ||
21 | nogroups | 22 | nogroups |
22 | nonewprivs | 23 | nonewprivs |
23 | noroot | 24 | noroot |
diff --git a/etc/audacity.profile b/etc/audacity.profile index 8c85dd6be..907dbeb55 100644 --- a/etc/audacity.profile +++ b/etc/audacity.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/audacity.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.audacity-data | 8 | noblacklist ${HOME}/.audacity-data |
11 | 9 | ||
12 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -18,8 +16,9 @@ include /etc/firejail/whitelist-var-common.inc | |||
18 | 16 | ||
19 | apparmor | 17 | apparmor |
20 | caps.drop all | 18 | caps.drop all |
21 | #net none | 19 | net none |
22 | no3d | 20 | no3d |
21 | # nodbus - problems on Fedora 27 | ||
23 | nodvd | 22 | nodvd |
24 | nogroups | 23 | nogroups |
25 | nonewprivs | 24 | nonewprivs |
diff --git a/etc/baobab.profile b/etc/baobab.profile index e47e31bb1..5c1675611 100644 --- a/etc/baobab.profile +++ b/etc/baobab.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/baobab.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | include /etc/firejail/disable-common.inc | 8 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | 9 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 10 | include /etc/firejail/disable-passwdmgr.inc |
@@ -15,6 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc | |||
15 | caps.drop all | 13 | caps.drop all |
16 | net none | 14 | net none |
17 | no3d | 15 | no3d |
16 | nodbus | ||
18 | nodvd | 17 | nodvd |
19 | nogroups | 18 | nogroups |
20 | nonewprivs | 19 | nonewprivs |
diff --git a/etc/bibletime.profile b/etc/bibletime.profile index 018569603..f23a29052 100644 --- a/etc/bibletime.profile +++ b/etc/bibletime.profile | |||
@@ -21,6 +21,7 @@ include /etc/firejail/whitelist-common.inc | |||
21 | 21 | ||
22 | caps.drop all | 22 | caps.drop all |
23 | netfilter | 23 | netfilter |
24 | nodbus | ||
24 | nodvd | 25 | nodvd |
25 | nogroups | 26 | nogroups |
26 | nonewprivs | 27 | nonewprivs |
diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile index dce7892a4..ae40c3ec7 100644 --- a/etc/bleachbit.profile +++ b/etc/bleachbit.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/bleachbit.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | include /etc/firejail/disable-common.inc | 8 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | 9 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 10 | include /etc/firejail/disable-passwdmgr.inc |
@@ -15,6 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc | |||
15 | caps.drop all | 13 | caps.drop all |
16 | net none | 14 | net none |
17 | no3d | 15 | no3d |
16 | nodbus | ||
18 | nodvd | 17 | nodvd |
19 | nogroups | 18 | nogroups |
20 | nonewprivs | 19 | nonewprivs |
@@ -29,6 +28,7 @@ shell none | |||
29 | private-dev | 28 | private-dev |
30 | # private-tmp | 29 | # private-tmp |
31 | 30 | ||
32 | memory-deny-write-execute | 31 | # memory-deny-write-execute breaks some systems, see issue #1850 |
32 | # memory-deny-write-execute | ||
33 | noexec ${HOME} | 33 | noexec ${HOME} |
34 | noexec /tmp | 34 | noexec /tmp |
diff --git a/etc/blender-2.8.profile b/etc/blender-2.8.profile new file mode 100644 index 000000000..4b907018e --- /dev/null +++ b/etc/blender-2.8.profile | |||
@@ -0,0 +1,6 @@ | |||
1 | # Firejail profile alias for blender | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | |||
5 | # Redirect | ||
6 | include /etc/firejail/blender.profile | ||
diff --git a/etc/bless.profile b/etc/bless.profile index 37d1e856f..10b471582 100644 --- a/etc/bless.profile +++ b/etc/bless.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/bless.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.config/bless | 8 | noblacklist ${HOME}/.config/bless |
11 | 9 | ||
12 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc | |||
17 | caps.drop all | 15 | caps.drop all |
18 | net none | 16 | net none |
19 | no3d | 17 | no3d |
18 | nodbus | ||
20 | nodvd | 19 | nodvd |
21 | nogroups | 20 | nogroups |
22 | nonewprivs | 21 | nonewprivs |
diff --git a/etc/bluefish.profile b/etc/bluefish.profile index 66ba0168b..6eb1d753f 100644 --- a/etc/bluefish.profile +++ b/etc/bluefish.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/bluefish.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | include /etc/firejail/disable-common.inc | 8 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | 9 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 10 | include /etc/firejail/disable-passwdmgr.inc |
@@ -17,6 +15,7 @@ include /etc/firejail/whitelist-var-common.inc | |||
17 | caps.drop all | 15 | caps.drop all |
18 | net none | 16 | net none |
19 | no3d | 17 | no3d |
18 | nodbus | ||
20 | nodvd | 19 | nodvd |
21 | nogroups | 20 | nogroups |
22 | nonewprivs | 21 | nonewprivs |
diff --git a/etc/calligra.profile b/etc/calligra.profile index f09716bc3..f7df8ce85 100644 --- a/etc/calligra.profile +++ b/etc/calligra.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/calligra.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # blacklist /run/user/*/bus | ||
9 | |||
10 | include /etc/firejail/disable-common.inc | 8 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | 9 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 10 | include /etc/firejail/disable-passwdmgr.inc |
@@ -15,6 +13,7 @@ include /etc/firejail/disable-programs.inc | |||
15 | caps.drop all | 13 | caps.drop all |
16 | ipc-namespace | 14 | ipc-namespace |
17 | # net none | 15 | # net none |
16 | # nodbus | ||
18 | nodvd | 17 | nodvd |
19 | nogroups | 18 | nogroups |
20 | nonewprivs | 19 | nonewprivs |
diff --git a/etc/catfish.profile b/etc/catfish.profile index 6d5ec1c52..6a608c673 100644 --- a/etc/catfish.profile +++ b/etc/catfish.profile | |||
@@ -8,8 +8,6 @@ include /etc/firejail/globals.local | |||
8 | # We can't blacklist much since catfish | 8 | # We can't blacklist much since catfish |
9 | # is for finding files/content | 9 | # is for finding files/content |
10 | 10 | ||
11 | blacklist /run/user/*/bus | ||
12 | |||
13 | noblacklist ${HOME}/.config/catfish | 11 | noblacklist ${HOME}/.config/catfish |
14 | 12 | ||
15 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
@@ -23,6 +21,7 @@ include /etc/firejail/whitelist-var-common.inc | |||
23 | caps.drop all | 21 | caps.drop all |
24 | net none | 22 | net none |
25 | no3d | 23 | no3d |
24 | nodbus | ||
26 | nodvd | 25 | nodvd |
27 | nogroups | 26 | nogroups |
28 | nonewprivs | 27 | nonewprivs |
diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile index a11947334..7f07c5b26 100644 --- a/etc/chromium-common.profile +++ b/etc/chromium-common.profile | |||
@@ -20,6 +20,7 @@ include /etc/firejail/whitelist-var-common.inc | |||
20 | apparmor | 20 | apparmor |
21 | caps.keep sys_chroot,sys_admin | 21 | caps.keep sys_chroot,sys_admin |
22 | netfilter | 22 | netfilter |
23 | nodbus | ||
23 | nodvd | 24 | nodvd |
24 | nogroups | 25 | nogroups |
25 | notv | 26 | notv |
@@ -31,3 +32,6 @@ private-dev | |||
31 | 32 | ||
32 | noexec ${HOME} | 33 | noexec ${HOME} |
33 | noexec /tmp | 34 | noexec /tmp |
35 | |||
36 | # the file dialog needs to work without d-bus | ||
37 | env NO_CHROME_KDE_FILE_DIALOG=1 | ||
diff --git a/etc/cin.profile b/etc/cin.profile index d114e50b1..e86a4d9b4 100644 --- a/etc/cin.profile +++ b/etc/cin.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/cin.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.bcast5 | 8 | noblacklist ${HOME}/.bcast5 |
11 | 9 | ||
12 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc | |||
17 | caps.drop all | 15 | caps.drop all |
18 | ipc-namespace | 16 | ipc-namespace |
19 | net none | 17 | net none |
18 | nodbus | ||
20 | nodvd | 19 | nodvd |
21 | nogroups | 20 | nogroups |
22 | nonewprivs | 21 | nonewprivs |
diff --git a/etc/clamav.profile b/etc/clamav.profile index c3a0132d0..41bd3b679 100644 --- a/etc/clamav.profile +++ b/etc/clamav.profile | |||
@@ -6,12 +6,11 @@ include /etc/firejail/clamav.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
8 | 8 | ||
9 | blacklist /run/user/*/bus | ||
10 | |||
11 | caps.drop all | 9 | caps.drop all |
12 | ipc-namespace | 10 | ipc-namespace |
13 | net none | 11 | net none |
14 | no3d | 12 | no3d |
13 | nodbus | ||
15 | nodvd | 14 | nodvd |
16 | nogroups | 15 | nogroups |
17 | nonewprivs | 16 | nonewprivs |
diff --git a/etc/cpio.profile b/etc/cpio.profile index caee6570e..445e1cec7 100644 --- a/etc/cpio.profile +++ b/etc/cpio.profile | |||
@@ -6,7 +6,6 @@ include /etc/firejail/cpio.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
8 | 8 | ||
9 | blacklist /run/user/*/bus | ||
10 | blacklist /tmp/.X11-unix | 9 | blacklist /tmp/.X11-unix |
11 | 10 | ||
12 | noblacklist /sbin | 11 | noblacklist /sbin |
@@ -19,6 +18,7 @@ include /etc/firejail/disable-programs.inc | |||
19 | caps.drop all | 18 | caps.drop all |
20 | net none | 19 | net none |
21 | no3d | 20 | no3d |
21 | nodbus | ||
22 | nodvd | 22 | nodvd |
23 | nonewprivs | 23 | nonewprivs |
24 | nosound | 24 | nosound |
diff --git a/etc/default.profile b/etc/default.profile index 82eded802..1af7ceba4 100644 --- a/etc/default.profile +++ b/etc/default.profile | |||
@@ -17,6 +17,7 @@ caps.drop all | |||
17 | # ipc-namespace | 17 | # ipc-namespace |
18 | netfilter | 18 | netfilter |
19 | # no3d | 19 | # no3d |
20 | # nodbus | ||
20 | # nodvd | 21 | # nodvd |
21 | # nogroups | 22 | # nogroups |
22 | nonewprivs | 23 | nonewprivs |
diff --git a/etc/dex2jar.profile b/etc/dex2jar.profile index f89e17239..ed73b8b8c 100644 --- a/etc/dex2jar.profile +++ b/etc/dex2jar.profile | |||
@@ -6,8 +6,6 @@ include /etc/firejail/dex2jar.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
8 | 8 | ||
9 | blacklist /run/user/*/bus | ||
10 | |||
11 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
@@ -16,6 +14,7 @@ include /etc/firejail/disable-programs.inc | |||
16 | caps.drop all | 14 | caps.drop all |
17 | net none | 15 | net none |
18 | no3d | 16 | no3d |
17 | nodbus | ||
19 | nodvd | 18 | nodvd |
20 | nogroups | 19 | nogroups |
21 | nonewprivs | 20 | nonewprivs |
diff --git a/etc/dia.profile b/etc/dia.profile index b1a723da0..fb3506955 100644 --- a/etc/dia.profile +++ b/etc/dia.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/dia.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.dia | 8 | noblacklist ${HOME}/.dia |
11 | 9 | ||
12 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc | |||
17 | caps.drop all | 15 | caps.drop all |
18 | net none | 16 | net none |
19 | no3d | 17 | no3d |
18 | nodbus | ||
20 | nodvd | 19 | nodvd |
21 | nogroups | 20 | nogroups |
22 | nonewprivs | 21 | nonewprivs |
diff --git a/etc/digikam.profile b/etc/digikam.profile index 516876c6b..4df344cbc 100644 --- a/etc/digikam.profile +++ b/etc/digikam.profile | |||
@@ -20,6 +20,7 @@ include /etc/firejail/whitelist-var-common.inc | |||
20 | apparmor | 20 | apparmor |
21 | caps.drop all | 21 | caps.drop all |
22 | netfilter | 22 | netfilter |
23 | # nodbus | ||
23 | nodvd | 24 | nodvd |
24 | nogroups | 25 | nogroups |
25 | nonewprivs | 26 | nonewprivs |
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 19be56f86..0f605b933 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
@@ -75,6 +75,7 @@ blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc | |||
75 | blacklist ${HOME}/.local/share/kglobalaccel | 75 | blacklist ${HOME}/.local/share/kglobalaccel |
76 | blacklist ${HOME}/.local/share/kwin | 76 | blacklist ${HOME}/.local/share/kwin |
77 | blacklist ${HOME}/.local/share/plasma | 77 | blacklist ${HOME}/.local/share/plasma |
78 | blacklist ${HOME}/.local/share/plasmashell | ||
78 | blacklist ${HOME}/.local/share/solid | 79 | blacklist ${HOME}/.local/share/solid |
79 | read-only ${HOME}/.cache/ksycoca5_* | 80 | read-only ${HOME}/.cache/ksycoca5_* |
80 | read-only ${HOME}/.config/*notifyrc | 81 | read-only ${HOME}/.config/*notifyrc |
@@ -296,6 +297,13 @@ blacklist /etc/ssh | |||
296 | blacklist /home/.ecryptfs | 297 | blacklist /home/.ecryptfs |
297 | blacklist /var/backup | 298 | blacklist /var/backup |
298 | 299 | ||
300 | # cloud provider configuration | ||
301 | blacklist ${HOME}/.aws | ||
302 | blacklist ${HOME}/.boto | ||
303 | blacklist /etc/boto.cfg | ||
304 | blacklist ${HOME}/.config/gcloud | ||
305 | blacklist ${HOME}/.kube | ||
306 | |||
299 | # system directories | 307 | # system directories |
300 | blacklist /sbin | 308 | blacklist /sbin |
301 | blacklist /usr/local/sbin | 309 | blacklist /usr/local/sbin |
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 0d542c6d8..a6f12f3db 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
@@ -73,6 +73,7 @@ blacklist ${HOME}/.config/Slack | |||
73 | blacklist ${HOME}/.config/Thunar | 73 | blacklist ${HOME}/.config/Thunar |
74 | blacklist ${HOME}/.config/VirtualBox | 74 | blacklist ${HOME}/.config/VirtualBox |
75 | blacklist ${HOME}/.config/Wire | 75 | blacklist ${HOME}/.config/Wire |
76 | blacklist ${HOME}/.config/akonadi* | ||
76 | blacklist ${HOME}/.config/akregatorrc | 77 | blacklist ${HOME}/.config/akregatorrc |
77 | blacklist ${HOME}/.config/ardour4 | 78 | blacklist ${HOME}/.config/ardour4 |
78 | blacklist ${HOME}/.config/ardour5 | 79 | blacklist ${HOME}/.config/ardour5 |
@@ -106,6 +107,7 @@ blacklist ${HOME}/.config/digikam | |||
106 | blacklist ${HOME}/.config/digikamrc | 107 | blacklist ${HOME}/.config/digikamrc |
107 | blacklist ${HOME}/.config/dolphinrc | 108 | blacklist ${HOME}/.config/dolphinrc |
108 | blacklist ${HOME}/.config/dragonplayerrc | 109 | blacklist ${HOME}/.config/dragonplayerrc |
110 | blacklist ${HOME}/.config/emailidentities | ||
109 | blacklist ${HOME}/.config/enchant | 111 | blacklist ${HOME}/.config/enchant |
110 | blacklist ${HOME}/.config/eog | 112 | blacklist ${HOME}/.config/eog |
111 | blacklist ${HOME}/.config/epiphany | 113 | blacklist ${HOME}/.config/epiphany |
@@ -136,6 +138,7 @@ blacklist ${HOME}/.config/itch | |||
136 | blacklist ${HOME}/.config/jd-gui.cfg | 138 | blacklist ${HOME}/.config/jd-gui.cfg |
137 | blacklist ${HOME}/.config/k3brc | 139 | blacklist ${HOME}/.config/k3brc |
138 | blacklist ${HOME}/.config/kaffeinerc | 140 | blacklist ${HOME}/.config/kaffeinerc |
141 | blacklist ${HOME}/.config/katemetainfos | ||
139 | blacklist ${HOME}/.config/katepartrc | 142 | blacklist ${HOME}/.config/katepartrc |
140 | blacklist ${HOME}/.config/katerc | 143 | blacklist ${HOME}/.config/katerc |
141 | blacklist ${HOME}/.config/kateschemarc | 144 | blacklist ${HOME}/.config/kateschemarc |
@@ -144,6 +147,7 @@ blacklist ${HOME}/.config/katevirc | |||
144 | blacklist ${HOME}/.config/kdenliverc | 147 | blacklist ${HOME}/.config/kdenliverc |
145 | blacklist ${HOME}/.config/kgetrc | 148 | blacklist ${HOME}/.config/kgetrc |
146 | blacklist ${HOME}/.config/klipperrc | 149 | blacklist ${HOME}/.config/klipperrc |
150 | blacklist ${HOME}/.config/kmail2rc | ||
147 | blacklist ${HOME}/.config/kritarc | 151 | blacklist ${HOME}/.config/kritarc |
148 | blacklist ${HOME}/.config/kwriterc | 152 | blacklist ${HOME}/.config/kwriterc |
149 | blacklist ${HOME}/.config/kdeconnect | 153 | blacklist ${HOME}/.config/kdeconnect |
@@ -346,18 +350,21 @@ blacklist ${HOME}/.local/share/SuperHexagon | |||
346 | blacklist ${HOME}/.local/share/TelegramDesktop | 350 | blacklist ${HOME}/.local/share/TelegramDesktop |
347 | blacklist ${HOME}/.local/share/Terraria | 351 | blacklist ${HOME}/.local/share/Terraria |
348 | blacklist ${HOME}/.local/share/TpLogger | 352 | blacklist ${HOME}/.local/share/TpLogger |
353 | blacklist ${HOME}/.local/share/akonadi* | ||
349 | blacklist ${HOME}/.local/share/akregator | 354 | blacklist ${HOME}/.local/share/akregator |
350 | blacklist ${HOME}/.local/share/aspyr-media | 355 | blacklist ${HOME}/.local/share/aspyr-media |
351 | blacklist ${HOME}/.local/share/baloo | 356 | blacklist ${HOME}/.local/share/baloo |
352 | blacklist ${HOME}/.local/share/caja-python | 357 | blacklist ${HOME}/.local/share/caja-python |
353 | blacklist ${HOME}/.local/share/cdprojektred | 358 | blacklist ${HOME}/.local/share/cdprojektred |
354 | blacklist ${HOME}/.local/share/clipit | 359 | blacklist ${HOME}/.local/share/clipit |
360 | blacklist ${HOME}/.local/share/contacts | ||
355 | blacklist ${HOME}/.local/share/data/Mumble | 361 | blacklist ${HOME}/.local/share/data/Mumble |
356 | blacklist ${HOME}/.local/share/data/MusE | 362 | blacklist ${HOME}/.local/share/data/MusE |
357 | blacklist ${HOME}/.local/share/data/MuseScore | 363 | blacklist ${HOME}/.local/share/data/MuseScore |
358 | blacklist ${HOME}/.local/share/data/qBittorrent | 364 | blacklist ${HOME}/.local/share/data/qBittorrent |
359 | blacklist ${HOME}/.local/share/dino | 365 | blacklist ${HOME}/.local/share/dino |
360 | blacklist ${HOME}/.local/share/dolphin | 366 | blacklist ${HOME}/.local/share/dolphin |
367 | blacklist ${HOME}/.local/share/emailidentities | ||
361 | blacklist ${HOME}/.local/share/epiphany | 368 | blacklist ${HOME}/.local/share/epiphany |
362 | blacklist ${HOME}/.local/share/evolution | 369 | blacklist ${HOME}/.local/share/evolution |
363 | blacklist ${HOME}/.local/share/feral-interactive | 370 | blacklist ${HOME}/.local/share/feral-interactive |
@@ -369,6 +376,7 @@ blacklist ${HOME}/.local/share/gnome-2048 | |||
369 | blacklist ${HOME}/.local/share/gnome-chess | 376 | blacklist ${HOME}/.local/share/gnome-chess |
370 | blacklist ${HOME}/.local/share/gnome-music | 377 | blacklist ${HOME}/.local/share/gnome-music |
371 | blacklist ${HOME}/.local/share/gnome-photos | 378 | blacklist ${HOME}/.local/share/gnome-photos |
379 | blacklist ${HOME}/.local/share/gnome-recipes | ||
372 | blacklist ${HOME}/.local/share/gnome-ring | 380 | blacklist ${HOME}/.local/share/gnome-ring |
373 | blacklist ${HOME}/.local/share/gnome-twitch | 381 | blacklist ${HOME}/.local/share/gnome-twitch |
374 | blacklist ${HOME}/.local/share/gwenview | 382 | blacklist ${HOME}/.local/share/gwenview |
@@ -376,11 +384,14 @@ blacklist ${HOME}/.local/share/kaffeine | |||
376 | blacklist ${HOME}/.local/share/kate | 384 | blacklist ${HOME}/.local/share/kate |
377 | blacklist ${HOME}/.local/share/kdenlive | 385 | blacklist ${HOME}/.local/share/kdenlive |
378 | blacklist ${HOME}/.local/share/kget | 386 | blacklist ${HOME}/.local/share/kget |
387 | blacklist ${HOME}/.local/share/kmail2 | ||
388 | blacklist ${HOME}/.local/share/knotes | ||
379 | blacklist ${HOME}/.local/share/krita | 389 | blacklist ${HOME}/.local/share/krita |
380 | blacklist ${HOME}/.local/share/ktorrentrc | 390 | blacklist ${HOME}/.local/share/ktorrentrc |
381 | blacklist ${HOME}/.local/share/ktorrent | 391 | blacklist ${HOME}/.local/share/ktorrent |
382 | blacklist ${HOME}/.local/share/kwrite | 392 | blacklist ${HOME}/.local/share/kwrite |
383 | blacklist ${HOME}/.local/share/liferea | 393 | blacklist ${HOME}/.local/share/liferea |
394 | blacklist ${HOME}/.local/share/local-mail | ||
384 | blacklist ${HOME}/.local/share/lollypop | 395 | blacklist ${HOME}/.local/share/lollypop |
385 | blacklist ${HOME}/.local/share/maps-places.json | 396 | blacklist ${HOME}/.local/share/maps-places.json |
386 | blacklist ${HOME}/.local/share/meld | 397 | blacklist ${HOME}/.local/share/meld |
@@ -397,6 +408,7 @@ blacklist ${HOME}/.local/share/okular | |||
397 | blacklist ${HOME}/.local/share/orage | 408 | blacklist ${HOME}/.local/share/orage |
398 | blacklist ${HOME}/.local/share/org.kde.gwenview | 409 | blacklist ${HOME}/.local/share/org.kde.gwenview |
399 | blacklist ${HOME}/.local/share/pix | 410 | blacklist ${HOME}/.local/share/pix |
411 | blacklist ${HOME}/.local/share/plasma_notes | ||
400 | blacklist ${HOME}/.local/share/psi+ | 412 | blacklist ${HOME}/.local/share/psi+ |
401 | blacklist ${HOME}/.local/share/qpdfview | 413 | blacklist ${HOME}/.local/share/qpdfview |
402 | blacklist ${HOME}/.local/share/qutebrowser | 414 | blacklist ${HOME}/.local/share/qutebrowser |
@@ -485,6 +497,7 @@ blacklist ${HOME}/.xpdfrc | |||
485 | blacklist ${HOME}/.zoom | 497 | blacklist ${HOME}/.zoom |
486 | blacklist ${HOME}/Arduino | 498 | blacklist ${HOME}/Arduino |
487 | blacklist ${HOME}/wallet.dat | 499 | blacklist ${HOME}/wallet.dat |
500 | blacklist /tmp/akonadi-* | ||
488 | blacklist /tmp/ssh-* | 501 | blacklist /tmp/ssh-* |
489 | 502 | ||
490 | # ~/.cache directory | 503 | # ~/.cache directory |
@@ -495,6 +508,8 @@ blacklist ${HOME}/.cache/Franz | |||
495 | blacklist ${HOME}/.cache/INRIA | 508 | blacklist ${HOME}/.cache/INRIA |
496 | blacklist ${HOME}/.cache/MusicBrainz | 509 | blacklist ${HOME}/.cache/MusicBrainz |
497 | blacklist ${HOME}/.cache/QuiteRss | 510 | blacklist ${HOME}/.cache/QuiteRss |
511 | blacklist ${HOME}/.cache/akonadi* | ||
512 | blacklist ${HOME}/.cache/atril | ||
498 | blacklist ${HOME}/.cache/attic | 513 | blacklist ${HOME}/.cache/attic |
499 | blacklist ${HOME}/.cache/borg | 514 | blacklist ${HOME}/.cache/borg |
500 | blacklist ${HOME}/.cache/calibre | 515 | blacklist ${HOME}/.cache/calibre |
@@ -517,11 +532,14 @@ blacklist ${HOME}/.cache/google-chrome-unstable | |||
517 | blacklist ${HOME}/.cache/gnome-twitch | 532 | blacklist ${HOME}/.cache/gnome-twitch |
518 | blacklist ${HOME}/.cache/icedove | 533 | blacklist ${HOME}/.cache/icedove |
519 | blacklist ${HOME}/.cache/INRIA/Natron | 534 | blacklist ${HOME}/.cache/INRIA/Natron |
535 | blacklist ${HOME}/.cache/inkscape | ||
520 | blacklist ${HOME}/.cache/inox | 536 | blacklist ${HOME}/.cache/inox |
521 | blacklist ${HOME}/.cache/iridium | 537 | blacklist ${HOME}/.cache/iridium |
522 | blacklist ${HOME}/.cache/kdenlive | 538 | blacklist ${HOME}/.cache/kdenlive |
523 | blacklist ${HOME}/.cache/kinfocenter | 539 | blacklist ${HOME}/.cache/kinfocenter |
540 | blacklist ${HOME}/.cache/kmail2 | ||
524 | blacklist ${HOME}/.cache/krunner | 541 | blacklist ${HOME}/.cache/krunner |
542 | blacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite | ||
525 | blacklist ${HOME}/.cache/kscreenlocker_greet | 543 | blacklist ${HOME}/.cache/kscreenlocker_greet |
526 | blacklist ${HOME}/.cache/ksmserver-logout-greeter | 544 | blacklist ${HOME}/.cache/ksmserver-logout-greeter |
527 | blacklist ${HOME}/.cache/ksplashqml | 545 | blacklist ${HOME}/.cache/ksplashqml |
@@ -554,6 +572,7 @@ blacklist ${HOME}/.cache/torbrowser | |||
554 | blacklist ${HOME}/.cache/transmission | 572 | blacklist ${HOME}/.cache/transmission |
555 | blacklist ${HOME}/.cache/vivaldi | 573 | blacklist ${HOME}/.cache/vivaldi |
556 | blacklist ${HOME}/.cache/vivaldi-snapshot | 574 | blacklist ${HOME}/.cache/vivaldi-snapshot |
575 | blacklist ${HOME}/.cache/vlc | ||
557 | blacklist ${HOME}/.cache/waterfox | 576 | blacklist ${HOME}/.cache/waterfox |
558 | blacklist ${HOME}/.cache/wesnoth | 577 | blacklist ${HOME}/.cache/wesnoth |
559 | blacklist ${HOME}/.cache/xmms2 | 578 | blacklist ${HOME}/.cache/xmms2 |
diff --git a/etc/display.profile b/etc/display.profile index 41512a0cb..69183f4ca 100644 --- a/etc/display.profile +++ b/etc/display.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/display.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | include /etc/firejail/disable-common.inc | 8 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | 9 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 10 | include /etc/firejail/disable-passwdmgr.inc |
@@ -16,6 +14,7 @@ include /etc/firejail/whitelist-var-common.inc | |||
16 | 14 | ||
17 | caps.drop all | 15 | caps.drop all |
18 | net none | 16 | net none |
17 | nodbus | ||
19 | nodvd | 18 | nodvd |
20 | nogroups | 19 | nogroups |
21 | nonewprivs | 20 | nonewprivs |
diff --git a/etc/ebook-viewer.profile b/etc/ebook-viewer.profile index 9f7e1382b..1e28b854a 100644 --- a/etc/ebook-viewer.profile +++ b/etc/ebook-viewer.profile | |||
@@ -1,9 +1,8 @@ | |||
1 | # Firejail profile alias for calibre | 1 | # Firejail profile alias for calibre |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | blacklist /run/user/*/bus | ||
5 | |||
6 | net none | 4 | net none |
5 | nodbus | ||
7 | 6 | ||
8 | # Redirect | 7 | # Redirect |
9 | include /etc/firejail/calibre.profile | 8 | include /etc/firejail/calibre.profile |
diff --git a/etc/electron.profile b/etc/electron.profile index 222beada0..52d45b3f8 100644 --- a/etc/electron.profile +++ b/etc/electron.profile | |||
@@ -14,6 +14,7 @@ whitelist ${DOWNLOADS} | |||
14 | apparmor | 14 | apparmor |
15 | caps.drop all | 15 | caps.drop all |
16 | netfilter | 16 | netfilter |
17 | nodbus | ||
17 | nodvd | 18 | nodvd |
18 | nogroups | 19 | nogroups |
19 | nonewprivs | 20 | nonewprivs |
diff --git a/etc/engrampa.profile b/etc/engrampa.profile index ae61f1d93..cf32d579e 100644 --- a/etc/engrampa.profile +++ b/etc/engrampa.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/engrampa.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # blacklist /run/user/*/bus - makes settings immutable | ||
9 | |||
10 | include /etc/firejail/disable-common.inc | 8 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | 9 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 10 | include /etc/firejail/disable-passwdmgr.inc |
@@ -14,9 +12,11 @@ include /etc/firejail/disable-programs.inc | |||
14 | 12 | ||
15 | include /etc/firejail/whitelist-var-common.inc | 13 | include /etc/firejail/whitelist-var-common.inc |
16 | 14 | ||
15 | apparmor | ||
17 | caps.drop all | 16 | caps.drop all |
18 | # net none - makes settings immutable | 17 | net none |
19 | no3d | 18 | no3d |
19 | nodbus | ||
20 | nodvd | 20 | nodvd |
21 | nogroups | 21 | nogroups |
22 | nonewprivs | 22 | nonewprivs |
diff --git a/etc/eog.profile b/etc/eog.profile index 545a6e432..66434ae05 100644 --- a/etc/eog.profile +++ b/etc/eog.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/eog.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # blacklist /run/user/*/bus - makes settings immutable | ||
9 | |||
10 | noblacklist ${HOME}/.Steam | 8 | noblacklist ${HOME}/.Steam |
11 | noblacklist ${HOME}/.config/eog | 9 | noblacklist ${HOME}/.config/eog |
12 | noblacklist ${HOME}/.local/share/Trash | 10 | noblacklist ${HOME}/.local/share/Trash |
@@ -19,10 +17,11 @@ include /etc/firejail/disable-programs.inc | |||
19 | 17 | ||
20 | include /etc/firejail/whitelist-var-common.inc | 18 | include /etc/firejail/whitelist-var-common.inc |
21 | 19 | ||
22 | apparmor | 20 | # apparmor - makes settings immutable |
23 | caps.drop all | 21 | caps.drop all |
24 | # net none - makes settings immutable | 22 | # net none - makes settings immutable |
25 | no3d | 23 | no3d |
24 | # nodbus - makes settings immutable | ||
26 | nodvd | 25 | nodvd |
27 | nogroups | 26 | nogroups |
28 | nonewprivs | 27 | nonewprivs |
@@ -37,7 +36,7 @@ shell none | |||
37 | private-bin eog | 36 | private-bin eog |
38 | private-dev | 37 | private-dev |
39 | private-etc fonts | 38 | private-etc fonts |
40 | private-lib | 39 | private-lib gdk-pixbuf-2.0,gio,girepository-1.0,gvfs,libgconf-2.so.4 |
41 | private-tmp | 40 | private-tmp |
42 | 41 | ||
43 | #memory-deny-write-execute - breaks on Arch | 42 | #memory-deny-write-execute - breaks on Arch |
diff --git a/etc/eom.profile b/etc/eom.profile index c7c92db0e..48965bcb9 100644 --- a/etc/eom.profile +++ b/etc/eom.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/eom.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # blacklist /run/user/*/bus - makes settings immutable | ||
9 | |||
10 | noblacklist ${HOME}/.Steam | 8 | noblacklist ${HOME}/.Steam |
11 | noblacklist ${HOME}/.config/mate/eom | 9 | noblacklist ${HOME}/.config/mate/eom |
12 | noblacklist ${HOME}/.local/share/Trash | 10 | noblacklist ${HOME}/.local/share/Trash |
@@ -19,10 +17,11 @@ include /etc/firejail/disable-programs.inc | |||
19 | 17 | ||
20 | include /etc/firejail/whitelist-var-common.inc | 18 | include /etc/firejail/whitelist-var-common.inc |
21 | 19 | ||
22 | apparmor | 20 | # apparmor - makes settings immutable |
23 | caps.drop all | 21 | caps.drop all |
24 | # net none - makes settings immutable | 22 | # net none - makes settings immutable |
25 | no3d | 23 | no3d |
24 | # nodbus - makes settings immutable | ||
26 | nodvd | 25 | nodvd |
27 | nogroups | 26 | nogroups |
28 | nonewprivs | 27 | nonewprivs |
diff --git a/etc/etr.profile b/etc/etr.profile index ad2e5be5d..5c01636cc 100644 --- a/etc/etr.profile +++ b/etc/etr.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/etr.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.etr | 8 | noblacklist ${HOME}/.etr |
11 | 9 | ||
12 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -20,6 +18,7 @@ include /etc/firejail/whitelist-var-common.inc | |||
20 | 18 | ||
21 | caps.drop all | 19 | caps.drop all |
22 | net none | 20 | net none |
21 | nodbus | ||
23 | nodvd | 22 | nodvd |
24 | nogroups | 23 | nogroups |
25 | nonewprivs | 24 | nonewprivs |
diff --git a/etc/evince-previewer.profile b/etc/evince-previewer.profile new file mode 100644 index 000000000..d5bc6db33 --- /dev/null +++ b/etc/evince-previewer.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile for evince-previewer | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/evince-previewer.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
9 | # Redirect | ||
10 | include /etc/firejail/evince.profile | ||
diff --git a/etc/evince-thumbnailer.profile b/etc/evince-thumbnailer.profile new file mode 100644 index 000000000..abc21632d --- /dev/null +++ b/etc/evince-thumbnailer.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile for evince-thumbnailer | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/evince-thumbnailer.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
9 | # Redirect | ||
10 | include /etc/firejail/evince.profile | ||
diff --git a/etc/evince.profile b/etc/evince.profile index 72c1ffc97..38c9ee9a9 100644 --- a/etc/evince.profile +++ b/etc/evince.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/evince.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.config/evince | 8 | noblacklist ${HOME}/.config/evince |
11 | 9 | ||
12 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -21,6 +19,7 @@ machine-id | |||
21 | # net none breaks AppArmor on Ubuntu systems | 19 | # net none breaks AppArmor on Ubuntu systems |
22 | netfilter | 20 | netfilter |
23 | no3d | 21 | no3d |
22 | # nodbus | ||
24 | nodvd | 23 | nodvd |
25 | nogroups | 24 | nogroups |
26 | nonewprivs | 25 | nonewprivs |
@@ -38,7 +37,7 @@ private-dev | |||
38 | private-etc fonts | 37 | private-etc fonts |
39 | 38 | ||
40 | #private-lib - seems to be breaking on Gnome Shell 3.26.2, Mutter WM, issue 1711 | 39 | #private-lib - seems to be breaking on Gnome Shell 3.26.2, Mutter WM, issue 1711 |
41 | #private-lib evince,libpoppler-glib.so.8 | 40 | private-lib evince,gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.4,libpoppler-glib.so.8,librsvg-2.so.2 |
42 | 41 | ||
43 | private-tmp | 42 | private-tmp |
44 | 43 | ||
diff --git a/etc/exiftool.profile b/etc/exiftool.profile index 18d1e3c81..8ab6012f5 100644 --- a/etc/exiftool.profile +++ b/etc/exiftool.profile | |||
@@ -6,7 +6,6 @@ include /etc/firejail/exiftool.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
8 | 8 | ||
9 | blacklist /run/user/*/bus | ||
10 | blacklist /tmp/.X11-unix | 9 | blacklist /tmp/.X11-unix |
11 | 10 | ||
12 | noblacklist /usr/bin/perl | 11 | noblacklist /usr/bin/perl |
@@ -21,6 +20,7 @@ include /etc/firejail/disable-programs.inc | |||
21 | caps.drop all | 20 | caps.drop all |
22 | net none | 21 | net none |
23 | no3d | 22 | no3d |
23 | nodbus | ||
24 | nodvd | 24 | nodvd |
25 | nogroups | 25 | nogroups |
26 | nonewprivs | 26 | nonewprivs |
diff --git a/etc/feh.profile b/etc/feh.profile index 1320434f1..ba7a76c49 100644 --- a/etc/feh.profile +++ b/etc/feh.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/feh.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | include /etc/firejail/disable-common.inc | 8 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | 9 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 10 | include /etc/firejail/disable-passwdmgr.inc |
@@ -15,6 +13,7 @@ include /etc/firejail/disable-programs.inc | |||
15 | caps.drop all | 13 | caps.drop all |
16 | net none | 14 | net none |
17 | no3d | 15 | no3d |
16 | nodbus | ||
18 | nodvd | 17 | nodvd |
19 | nogroups | 18 | nogroups |
20 | nonewprivs | 19 | nonewprivs |
diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile index acea1e834..538179107 100644 --- a/etc/ffmpeg.profile +++ b/etc/ffmpeg.profile | |||
@@ -6,8 +6,6 @@ include /etc/firejail/ffmpeg.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
8 | 8 | ||
9 | blacklist /run/user/*/bus | ||
10 | |||
11 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
@@ -18,6 +16,7 @@ include /etc/firejail/whitelist-var-common.inc | |||
18 | caps.drop all | 16 | caps.drop all |
19 | net none | 17 | net none |
20 | no3d | 18 | no3d |
19 | nodbus | ||
21 | nodvd | 20 | nodvd |
22 | nosound | 21 | nosound |
23 | notv | 22 | notv |
diff --git a/etc/file-roller.profile b/etc/file-roller.profile index bc4e70da4..eb76d1dbb 100644 --- a/etc/file-roller.profile +++ b/etc/file-roller.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/file-roller.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # blacklist /run/user/*/bus - makes settings immutable | ||
9 | |||
10 | include /etc/firejail/disable-common.inc | 8 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | 9 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 10 | include /etc/firejail/disable-passwdmgr.inc |
@@ -14,9 +12,11 @@ include /etc/firejail/disable-programs.inc | |||
14 | 12 | ||
15 | include /etc/firejail/whitelist-var-common.inc | 13 | include /etc/firejail/whitelist-var-common.inc |
16 | 14 | ||
15 | apparmor | ||
17 | caps.drop all | 16 | caps.drop all |
18 | # net none - makes settings immutable | 17 | net none |
19 | no3d | 18 | no3d |
19 | nodbus | ||
20 | nodvd | 20 | nodvd |
21 | nogroups | 21 | nogroups |
22 | nonewprivs | 22 | nonewprivs |
diff --git a/etc/file.profile b/etc/file.profile index 041bf5ae5..2bdbaaaa8 100644 --- a/etc/file.profile +++ b/etc/file.profile | |||
@@ -6,7 +6,6 @@ include /etc/firejail/file.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
8 | 8 | ||
9 | blacklist /run/user/*/bus | ||
10 | blacklist /tmp/.X11-unix | 9 | blacklist /tmp/.X11-unix |
11 | 10 | ||
12 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
@@ -17,6 +16,7 @@ caps.drop all | |||
17 | hostname file | 16 | hostname file |
18 | net none | 17 | net none |
19 | no3d | 18 | no3d |
19 | nodbus | ||
20 | nodvd | 20 | nodvd |
21 | nogroups | 21 | nogroups |
22 | nonewprivs | 22 | nonewprivs |
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile index 12d160155..1f531c1b7 100644 --- a/etc/firefox-common.profile +++ b/etc/firefox-common.profile | |||
@@ -25,6 +25,7 @@ caps.drop all | |||
25 | # machine-id breaks pulse audio; it should work fine in setups where sound is not required | 25 | # machine-id breaks pulse audio; it should work fine in setups where sound is not required |
26 | #machine-id | 26 | #machine-id |
27 | netfilter | 27 | netfilter |
28 | nodbus | ||
28 | nodvd | 29 | nodvd |
29 | nogroups | 30 | nogroups |
30 | nonewprivs | 31 | nonewprivs |
diff --git a/etc/firejail.config b/etc/firejail.config index ade3e3c84..0cd4dca3a 100644 --- a/etc/firejail.config +++ b/etc/firejail.config | |||
@@ -23,6 +23,9 @@ | |||
23 | # and it will harden the rest of the chroot tree. | 23 | # and it will harden the rest of the chroot tree. |
24 | # chroot-desktop yes | 24 | # chroot-desktop yes |
25 | 25 | ||
26 | # Enable or disable dbus handling by --nodbus flag, default enabled. | ||
27 | # dbus yes | ||
28 | |||
26 | # Disable /mnt, /media, /run/mount and /run/media access. By default access | 29 | # Disable /mnt, /media, /run/mount and /run/media access. By default access |
27 | # to these directories is enabled. | 30 | # to these directories is enabled. |
28 | # disable-mnt no | 31 | # disable-mnt no |
diff --git a/etc/freecad.profile b/etc/freecad.profile index bac502a5f..c51d88f7a 100644 --- a/etc/freecad.profile +++ b/etc/freecad.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/freecad.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.config/FreeCAD | 8 | noblacklist ${HOME}/.config/FreeCAD |
11 | 9 | ||
12 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc | |||
17 | caps.drop all | 15 | caps.drop all |
18 | ipc-namespace | 16 | ipc-namespace |
19 | net none | 17 | net none |
18 | nodbus | ||
20 | nodvd | 19 | nodvd |
21 | nogroups | 20 | nogroups |
22 | nonewprivs | 21 | nonewprivs |
diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile index ca38ed1b8..8acd32bdd 100644 --- a/etc/frozen-bubble.profile +++ b/etc/frozen-bubble.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/frozen-bubble.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.frozen-bubble | 8 | noblacklist ${HOME}/.frozen-bubble |
11 | 9 | ||
12 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -21,6 +19,7 @@ include /etc/firejail/whitelist-var-common.inc | |||
21 | 19 | ||
22 | caps.drop all | 20 | caps.drop all |
23 | net none | 21 | net none |
22 | nodbus | ||
24 | nodvd | 23 | nodvd |
25 | nogroups | 24 | nogroups |
26 | nonewprivs | 25 | nonewprivs |
diff --git a/etc/galculator.profile b/etc/galculator.profile index b28c7943f..8229f8250 100644 --- a/etc/galculator.profile +++ b/etc/galculator.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/galculator.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.config/galculator | 8 | noblacklist ${HOME}/.config/galculator |
11 | 9 | ||
12 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -22,6 +20,7 @@ include /etc/firejail/whitelist-var-common.inc | |||
22 | apparmor | 20 | apparmor |
23 | caps.drop all | 21 | caps.drop all |
24 | net none | 22 | net none |
23 | nodbus | ||
25 | nodvd | 24 | nodvd |
26 | nogroups | 25 | nogroups |
27 | nonewprivs | 26 | nonewprivs |
diff --git a/etc/gcloud.profile b/etc/gcloud.profile new file mode 100644 index 000000000..195dc9302 --- /dev/null +++ b/etc/gcloud.profile | |||
@@ -0,0 +1,40 @@ | |||
1 | # Firejail profile for gcloud | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/gcloud.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | noblacklist ${HOME}/.boto | ||
9 | noblacklist ${HOME}/.config/gcloud | ||
10 | noblacklist /var/run/docker.sock | ||
11 | |||
12 | include /etc/firejail/disable-common.inc | ||
13 | include /etc/firejail/disable-devel.inc | ||
14 | include /etc/firejail/disable-programs.inc | ||
15 | |||
16 | apparmor | ||
17 | caps.drop all | ||
18 | machine-id | ||
19 | netfilter | ||
20 | nodbus | ||
21 | nodvd | ||
22 | # required for sudo-free docker | ||
23 | #nogroups | ||
24 | nonewprivs | ||
25 | noroot | ||
26 | notv | ||
27 | protocol unix,inet,inet6 | ||
28 | seccomp | ||
29 | shell none | ||
30 | tracelog | ||
31 | |||
32 | disable-mnt | ||
33 | private-dev | ||
34 | private-etc ca-certificates,ssl,hosts,localtime,nsswitch.conf,resolv.conf,pki,crypto-policies,ld.so.cache | ||
35 | private-tmp | ||
36 | |||
37 | noexec /tmp | ||
38 | |||
39 | # will break user-local installs of gcloud tooling | ||
40 | # noexec ${HOME} | ||
diff --git a/etc/gedit.profile b/etc/gedit.profile index 97eb692de..e78b8a708 100644 --- a/etc/gedit.profile +++ b/etc/gedit.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/gedit.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # blacklist /run/user/*/bus - makes settings immutable | ||
9 | |||
10 | noblacklist ${HOME}/.config/enchant | 8 | noblacklist ${HOME}/.config/enchant |
11 | noblacklist ${HOME}/.config/gedit | 9 | noblacklist ${HOME}/.config/gedit |
12 | noblacklist ${HOME}/.gitconfig | 10 | noblacklist ${HOME}/.gitconfig |
@@ -18,10 +16,12 @@ include /etc/firejail/disable-programs.inc | |||
18 | 16 | ||
19 | include /etc/firejail/whitelist-var-common.inc | 17 | include /etc/firejail/whitelist-var-common.inc |
20 | 18 | ||
19 | # apparmor - makes settings immutable | ||
21 | caps.drop all | 20 | caps.drop all |
22 | # net none - makes settings immutable | ||
23 | machine-id | 21 | machine-id |
22 | # net none - makes settings immutable | ||
24 | no3d | 23 | no3d |
24 | # nodbus - makes settings immutable | ||
25 | nodvd | 25 | nodvd |
26 | nogroups | 26 | nogroups |
27 | nonewprivs | 27 | nonewprivs |
diff --git a/etc/gimp.profile b/etc/gimp.profile index 3cc012a88..49df54d1f 100644 --- a/etc/gimp.profile +++ b/etc/gimp.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/gimp.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.gimp* | 8 | noblacklist ${HOME}/.gimp* |
11 | 9 | ||
12 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -18,6 +16,7 @@ include /etc/firejail/whitelist-var-common.inc | |||
18 | apparmor | 16 | apparmor |
19 | caps.drop all | 17 | caps.drop all |
20 | net none | 18 | net none |
19 | nodbus | ||
21 | nodvd | 20 | nodvd |
22 | nogroups | 21 | nogroups |
23 | nonewprivs | 22 | nonewprivs |
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile index d13208a1e..dfb93c3b0 100644 --- a/etc/gnome-calculator.profile +++ b/etc/gnome-calculator.profile | |||
@@ -6,7 +6,6 @@ include /etc/firejail/gnome-calculator.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
8 | 8 | ||
9 | |||
10 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
@@ -14,10 +13,12 @@ include /etc/firejail/disable-programs.inc | |||
14 | include /etc/firejail/whitelist-common.inc | 13 | include /etc/firejail/whitelist-common.inc |
15 | include /etc/firejail/whitelist-var-common.inc | 14 | include /etc/firejail/whitelist-var-common.inc |
16 | 15 | ||
17 | apparmor | 16 | # apparmor - makes settings immutable |
18 | caps.drop all | 17 | caps.drop all |
18 | # net none | ||
19 | netfilter | 19 | netfilter |
20 | no3d | 20 | no3d |
21 | # nodbus - makes settings immutable | ||
21 | nodvd | 22 | nodvd |
22 | nogroups | 23 | nogroups |
23 | nonewprivs | 24 | nonewprivs |
@@ -32,7 +33,7 @@ shell none | |||
32 | disable-mnt | 33 | disable-mnt |
33 | private-bin gnome-calculator | 34 | private-bin gnome-calculator |
34 | private-dev | 35 | private-dev |
35 | private-lib | 36 | private-lib gdk-pixbuf-2.0,gio,girepository-1.0,gvfs,libgconf-2.so.4,libgnutls.so.30,libproxy.so.1,librsvg-2.so.2,libxml2.so.2 |
36 | private-tmp | 37 | private-tmp |
37 | 38 | ||
38 | #memory-deny-write-execute - breaks on Arch | 39 | #memory-deny-write-execute - breaks on Arch |
diff --git a/etc/gnome-logs.profile b/etc/gnome-logs.profile new file mode 100644 index 000000000..7e7902dff --- /dev/null +++ b/etc/gnome-logs.profile | |||
@@ -0,0 +1,40 @@ | |||
1 | # Firejail profile for gnome-logs | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/gnome-logs.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | include /etc/firejail/disable-common.inc | ||
9 | include /etc/firejail/disable-devel.inc | ||
10 | include /etc/firejail/disable-passwdmgr.inc | ||
11 | include /etc/firejail/disable-programs.inc | ||
12 | |||
13 | whitelist /var/log/journal | ||
14 | include /etc/firejail/whitelist-var-common.inc | ||
15 | |||
16 | caps.drop all | ||
17 | net none | ||
18 | no3d | ||
19 | nodbus | ||
20 | nodvd | ||
21 | nogroups | ||
22 | nonewprivs | ||
23 | noroot | ||
24 | nosound | ||
25 | notv | ||
26 | novideo | ||
27 | protocol unix | ||
28 | seccomp | ||
29 | shell none | ||
30 | |||
31 | disable-mnt | ||
32 | private-bin gnome-logs | ||
33 | private-dev | ||
34 | #private-etc fonts | ||
35 | #private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.4,librsvg-2.so.2 | ||
36 | private-tmp | ||
37 | writable-var-log | ||
38 | |||
39 | noexec ${HOME} | ||
40 | noexec /tmp | ||
diff --git a/etc/gnome-recipes.profile b/etc/gnome-recipes.profile new file mode 100644 index 000000000..2f7657c0c --- /dev/null +++ b/etc/gnome-recipes.profile | |||
@@ -0,0 +1,45 @@ | |||
1 | # Firejail profile for gnome-recipes | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/gnome-recipes.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
9 | noblacklist ${HOME}/.local/share/gnome-recipes | ||
10 | |||
11 | include /etc/firejail/disable-common.inc | ||
12 | include /etc/firejail/disable-devel.inc | ||
13 | include /etc/firejail/disable-passwdmgr.inc | ||
14 | include /etc/firejail/disable-programs.inc | ||
15 | |||
16 | mkdir ${HOME}/.cache/gnome-recipes | ||
17 | whitelist ${HOME}/.cache/gnome-recipes | ||
18 | include /etc/firejail/whitelist-common.inc | ||
19 | include /etc/firejail/whitelist-var-common.inc | ||
20 | |||
21 | caps.drop all | ||
22 | ipc-namespace | ||
23 | netfilter | ||
24 | nodvd | ||
25 | nogroups | ||
26 | nonewprivs | ||
27 | noroot | ||
28 | nosound | ||
29 | notv | ||
30 | novideo | ||
31 | protocol unix,inet,inet6 | ||
32 | seccomp | ||
33 | shell none | ||
34 | |||
35 | disable-mnt | ||
36 | private-bin gnome-recipes,tar | ||
37 | private-dev | ||
38 | private-etc ca-certificates,fonts,ssl,crypto-policies,pki | ||
39 | # private-lib works for me with Gnome Shell 3.26.2, Mutter WM (Arch Linux) | ||
40 | # not widely tested though, leaving it to devs discretion to enable it later | ||
41 | #private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.4,libgnutls.so.30,libjpeg.so.8,libp11-kit.so.0,libproxy.so.1,librsvg-2.so.2 | ||
42 | private-tmp | ||
43 | |||
44 | noexec ${HOME} | ||
45 | noexec /tmp | ||
diff --git a/etc/gpicview.profile b/etc/gpicview.profile index 8d47d9c31..c6453e972 100644 --- a/etc/gpicview.profile +++ b/etc/gpicview.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/gpicview.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.config/gpicview | 8 | noblacklist ${HOME}/.config/gpicview |
11 | 9 | ||
12 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -18,6 +16,7 @@ include /etc/firejail/whitelist-var-common.inc | |||
18 | 16 | ||
19 | caps.drop all | 17 | caps.drop all |
20 | net none | 18 | net none |
19 | nodbus | ||
21 | nodvd | 20 | nodvd |
22 | nogroups | 21 | nogroups |
23 | nonewprivs | 22 | nonewprivs |
diff --git a/etc/gwenview.profile b/etc/gwenview.profile index d79b72152..d17be41cc 100644 --- a/etc/gwenview.profile +++ b/etc/gwenview.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/gwenview.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.config/gwenviewrc | 8 | noblacklist ${HOME}/.config/gwenviewrc |
11 | noblacklist ${HOME}/.config/org.kde.gwenviewrc | 9 | noblacklist ${HOME}/.config/org.kde.gwenviewrc |
12 | noblacklist ${HOME}/.gimp* | 10 | noblacklist ${HOME}/.gimp* |
@@ -24,8 +22,10 @@ include /etc/firejail/disable-programs.inc | |||
24 | 22 | ||
25 | include /etc/firejail/whitelist-var-common.inc | 23 | include /etc/firejail/whitelist-var-common.inc |
26 | 24 | ||
25 | apparmor | ||
27 | caps.drop all | 26 | caps.drop all |
28 | # net none | 27 | # net none |
28 | # nodbus | ||
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
31 | nonewprivs | 31 | nonewprivs |
diff --git a/etc/gzip.profile b/etc/gzip.profile index 5187bb9f0..779067770 100644 --- a/etc/gzip.profile +++ b/etc/gzip.profile | |||
@@ -6,12 +6,12 @@ include /etc/firejail/gzip.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
8 | 8 | ||
9 | blacklist /run/user/*/bus | ||
10 | blacklist /tmp/.X11-unix | 9 | blacklist /tmp/.X11-unix |
11 | 10 | ||
12 | ignore noroot | 11 | ignore noroot |
13 | net none | 12 | net none |
14 | no3d | 13 | no3d |
14 | nodbus | ||
15 | nodvd | 15 | nodvd |
16 | nosound | 16 | nosound |
17 | notv | 17 | notv |
diff --git a/etc/handbrake.profile b/etc/handbrake.profile index b99842d60..ff9dd248f 100644 --- a/etc/handbrake.profile +++ b/etc/handbrake.profile | |||
@@ -17,6 +17,7 @@ include /etc/firejail/whitelist-var-common.inc | |||
17 | apparmor | 17 | apparmor |
18 | caps.drop all | 18 | caps.drop all |
19 | netfilter | 19 | netfilter |
20 | nodbus | ||
20 | nogroups | 21 | nogroups |
21 | nonewprivs | 22 | nonewprivs |
22 | noroot | 23 | noroot |
diff --git a/etc/hashcat.profile b/etc/hashcat.profile index ad1aae523..c8ab268c8 100644 --- a/etc/hashcat.profile +++ b/etc/hashcat.profile | |||
@@ -6,8 +6,6 @@ include /etc/firejail/hashcat.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
8 | 8 | ||
9 | blacklist /run/user/*/bus | ||
10 | |||
11 | noblacklist ${HOME}/.hashcat | 9 | noblacklist ${HOME}/.hashcat |
12 | noblacklist /usr/include | 10 | noblacklist /usr/include |
13 | 11 | ||
@@ -18,6 +16,7 @@ include /etc/firejail/disable-programs.inc | |||
18 | 16 | ||
19 | caps.drop all | 17 | caps.drop all |
20 | net none | 18 | net none |
19 | nodbus | ||
21 | nodvd | 20 | nodvd |
22 | nogroups | 21 | nogroups |
23 | nonewprivs | 22 | nonewprivs |
diff --git a/etc/highlight.profile b/etc/highlight.profile index a7c667ce1..781866f3b 100644 --- a/etc/highlight.profile +++ b/etc/highlight.profile | |||
@@ -5,7 +5,6 @@ include /etc/firejail/highlight.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | blacklist /tmp/.X11-unix | 8 | blacklist /tmp/.X11-unix |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -16,6 +15,7 @@ include /etc/firejail/disable-programs.inc | |||
16 | caps.drop all | 15 | caps.drop all |
17 | net none | 16 | net none |
18 | no3d | 17 | no3d |
18 | nodbus | ||
19 | nodvd | 19 | nodvd |
20 | nogroups | 20 | nogroups |
21 | nonewprivs | 21 | nonewprivs |
diff --git a/etc/hugin.profile b/etc/hugin.profile index bff074b74..3847a7daf 100644 --- a/etc/hugin.profile +++ b/etc/hugin.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/hugin.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.hugin | 8 | noblacklist ${HOME}/.hugin |
11 | 9 | ||
12 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -16,6 +14,7 @@ include /etc/firejail/disable-programs.inc | |||
16 | 14 | ||
17 | caps.drop all | 15 | caps.drop all |
18 | net none | 16 | net none |
17 | nodbus | ||
19 | nodvd | 18 | nodvd |
20 | nogroups | 19 | nogroups |
21 | nonewprivs | 20 | nonewprivs |
diff --git a/etc/imagej.profile b/etc/imagej.profile index 058da2805..7396160af 100644 --- a/etc/imagej.profile +++ b/etc/imagej.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/imagej.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.imagej | 8 | noblacklist ${HOME}/.imagej |
11 | 9 | ||
12 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc | |||
17 | caps.drop all | 15 | caps.drop all |
18 | ipc-namespace | 16 | ipc-namespace |
19 | net none | 17 | net none |
18 | nodbus | ||
20 | nodvd | 19 | nodvd |
21 | nogroups | 20 | nogroups |
22 | nonewprivs | 21 | nonewprivs |
diff --git a/etc/img2txt.profile b/etc/img2txt.profile index 5a19a75f1..8c157bf2a 100644 --- a/etc/img2txt.profile +++ b/etc/img2txt.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/img2txt.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | include /etc/firejail/disable-common.inc | 8 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | 9 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 10 | include /etc/firejail/disable-passwdmgr.inc |
@@ -14,6 +12,7 @@ include /etc/firejail/disable-programs.inc | |||
14 | 12 | ||
15 | caps.drop all | 13 | caps.drop all |
16 | net none | 14 | net none |
15 | nodbus | ||
17 | nodvd | 16 | nodvd |
18 | nogroups | 17 | nogroups |
19 | nonewprivs | 18 | nonewprivs |
diff --git a/etc/inkscape.profile b/etc/inkscape.profile index 6e669ea2c..af24bc3e9 100644 --- a/etc/inkscape.profile +++ b/etc/inkscape.profile | |||
@@ -5,9 +5,9 @@ include /etc/firejail/inkscape.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.inkscape | 8 | noblacklist ${HOME}/.cache/inkscape |
9 | noblacklist ${HOME}/.config/inkscape | 9 | noblacklist ${HOME}/.config/inkscape |
10 | 10 | noblacklist ${HOME}/.inkscape | |
11 | 11 | ||
12 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
@@ -18,7 +18,8 @@ include /etc/firejail/whitelist-var-common.inc | |||
18 | 18 | ||
19 | apparmor | 19 | apparmor |
20 | caps.drop all | 20 | caps.drop all |
21 | netfilter | 21 | net none |
22 | nodbus | ||
22 | nodvd | 23 | nodvd |
23 | nogroups | 24 | nogroups |
24 | nonewprivs | 25 | nonewprivs |
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile index bf461b93d..f70eff3e4 100644 --- a/etc/jd-gui.profile +++ b/etc/jd-gui.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/jd-gui.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.config/jd-gui.cfg | 8 | noblacklist ${HOME}/.config/jd-gui.cfg |
11 | noblacklist ${HOME}/.java | 9 | noblacklist ${HOME}/.java |
12 | 10 | ||
@@ -18,6 +16,7 @@ include /etc/firejail/disable-programs.inc | |||
18 | caps.drop all | 16 | caps.drop all |
19 | net none | 17 | net none |
20 | no3d | 18 | no3d |
19 | nodbus | ||
21 | nodvd | 20 | nodvd |
22 | nogroups | 21 | nogroups |
23 | nonewprivs | 22 | nonewprivs |
diff --git a/etc/kate.profile b/etc/kate.profile index a3d2be6b2..b3c1e81d8 100644 --- a/etc/kate.profile +++ b/etc/kate.profile | |||
@@ -5,8 +5,7 @@ include /etc/firejail/kate.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # blacklist /run/user/*/bus | 8 | noblacklist ${HOME}/.config/katemetainfos |
9 | |||
10 | noblacklist ${HOME}/.config/katepartrc | 9 | noblacklist ${HOME}/.config/katepartrc |
11 | noblacklist ${HOME}/.config/katerc | 10 | noblacklist ${HOME}/.config/katerc |
12 | noblacklist ${HOME}/.config/kateschemarc | 11 | noblacklist ${HOME}/.config/kateschemarc |
@@ -21,9 +20,10 @@ include /etc/firejail/disable-programs.inc | |||
21 | 20 | ||
22 | include /etc/firejail/whitelist-var-common.inc | 21 | include /etc/firejail/whitelist-var-common.inc |
23 | 22 | ||
24 | apparmor | 23 | # apparmor |
25 | caps.drop all | 24 | caps.drop all |
26 | # net none | 25 | # net none |
26 | # nodbus | ||
27 | netfilter | 27 | netfilter |
28 | nodvd | 28 | nodvd |
29 | nogroups | 29 | nogroups |
@@ -42,4 +42,7 @@ private-dev | |||
42 | # private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg | 42 | # private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg |
43 | private-tmp | 43 | private-tmp |
44 | 44 | ||
45 | # noexec ${HOME} | ||
46 | noexec /tmp | ||
47 | |||
45 | join-or-start kate | 48 | join-or-start kate |
diff --git a/etc/kcalc.profile b/etc/kcalc.profile index 3f024f3fa..86a3b1462 100644 --- a/etc/kcalc.profile +++ b/etc/kcalc.profile | |||
@@ -20,9 +20,11 @@ whitelist ${HOME}/.kde4/share/config/kcalcrc | |||
20 | include /etc/firejail/whitelist-common.inc | 20 | include /etc/firejail/whitelist-common.inc |
21 | include /etc/firejail/whitelist-var-common.inc | 21 | include /etc/firejail/whitelist-var-common.inc |
22 | 22 | ||
23 | apparmor | ||
23 | caps.drop all | 24 | caps.drop all |
24 | netfilter | 25 | net none |
25 | no3d | 26 | no3d |
27 | nodbus | ||
26 | nodvd | 28 | nodvd |
27 | nogroups | 29 | nogroups |
28 | nonewprivs | 30 | nonewprivs |
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile index 5c770856a..819279b10 100644 --- a/etc/kdenlive.profile +++ b/etc/kdenlive.profile | |||
@@ -5,7 +5,6 @@ include /etc/firejail/kdenlive.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # blacklist /run/user/*/bus | ||
9 | noblacklist ${HOME}/.cache/kdenlive | 8 | noblacklist ${HOME}/.cache/kdenlive |
10 | noblacklist ${HOME}/.config/kdenliverc | 9 | noblacklist ${HOME}/.config/kdenliverc |
11 | noblacklist ${HOME}/.local/share/kdenlive | 10 | noblacklist ${HOME}/.local/share/kdenlive |
@@ -18,6 +17,7 @@ include /etc/firejail/disable-programs.inc | |||
18 | apparmor | 17 | apparmor |
19 | caps.drop all | 18 | caps.drop all |
20 | # net none | 19 | # net none |
20 | # nodbus | ||
21 | nodvd | 21 | nodvd |
22 | nogroups | 22 | nogroups |
23 | nonewprivs | 23 | nonewprivs |
diff --git a/etc/keepassx.profile b/etc/keepassx.profile index f7b0bd5d1..14af2682c 100644 --- a/etc/keepassx.profile +++ b/etc/keepassx.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/keepassx.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/*.kdb | 8 | noblacklist ${HOME}/*.kdb |
11 | noblacklist ${HOME}/*.kdbx | 9 | noblacklist ${HOME}/*.kdbx |
12 | noblacklist ${HOME}/.config/keepassx | 10 | noblacklist ${HOME}/.config/keepassx |
@@ -23,6 +21,7 @@ caps.drop all | |||
23 | machine-id | 21 | machine-id |
24 | net none | 22 | net none |
25 | no3d | 23 | no3d |
24 | nodbus | ||
26 | nodvd | 25 | nodvd |
27 | nogroups | 26 | nogroups |
28 | nonewprivs | 27 | nonewprivs |
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile index 66b524d29..0e464cbe4 100644 --- a/etc/keepassxc.profile +++ b/etc/keepassxc.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/keepassxc.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/*.kdb | 8 | noblacklist ${HOME}/*.kdb |
11 | noblacklist ${HOME}/*.kdbx | 9 | noblacklist ${HOME}/*.kdbx |
12 | noblacklist ${HOME}/.config/keepassxc | 10 | noblacklist ${HOME}/.config/keepassxc |
@@ -22,9 +20,11 @@ include /etc/firejail/disable-programs.inc | |||
22 | include /etc/firejail/whitelist-var-common.inc | 20 | include /etc/firejail/whitelist-var-common.inc |
23 | 21 | ||
24 | caps.drop all | 22 | caps.drop all |
23 | machine-id | ||
25 | net none | 24 | net none |
26 | no3d | 25 | no3d |
27 | nodvd | 26 | nodvd |
27 | nodbus | ||
28 | nogroups | 28 | nogroups |
29 | nonewprivs | 29 | nonewprivs |
30 | noroot | 30 | noroot |
diff --git a/etc/kmail.profile b/etc/kmail.profile index ca774f4ec..3e425b62e 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile | |||
@@ -5,13 +5,32 @@ include /etc/firejail/kmail.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # kmail has problems launching akonadi in debian and ubuntu. | ||
9 | # one solution is to have akonadi already running when kmail is started | ||
10 | |||
11 | noblacklist ${HOME}/.cache/akonadi* | ||
12 | noblacklist ${HOME}/.cache/kmail2 | ||
13 | noblacklist ${HOME}/.config/akonadi* | ||
14 | noblacklist ${HOME}/.config/baloorc | ||
15 | noblacklist ${HOME}/.config/emailidentities | ||
16 | noblacklist ${HOME}/.config/kmail2rc | ||
8 | noblacklist ${HOME}/.gnupg | 17 | noblacklist ${HOME}/.gnupg |
18 | noblacklist ${HOME}/.local/share/akonadi* | ||
19 | noblacklist ${HOME}/.local/share/contacts | ||
20 | noblacklist ${HOME}/.local/share/emailidentities | ||
21 | noblacklist ${HOME}/.local/share/kmail2 | ||
22 | noblacklist ${HOME}/.local/share/local-mail | ||
23 | noblacklist ${HOME}/.local/share/notes | ||
24 | noblacklist /tmp/akonadi-* | ||
9 | 25 | ||
10 | include /etc/firejail/disable-common.inc | 26 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | 27 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 28 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | 29 | include /etc/firejail/disable-programs.inc |
14 | 30 | ||
31 | include /etc/firejail/whitelist-var-common.inc | ||
32 | |||
33 | # apparmor | ||
15 | caps.drop all | 34 | caps.drop all |
16 | netfilter | 35 | netfilter |
17 | nodvd | 36 | nodvd |
@@ -22,11 +41,14 @@ nosound | |||
22 | notv | 41 | notv |
23 | novideo | 42 | novideo |
24 | protocol unix,inet,inet6,netlink | 43 | protocol unix,inet,inet6,netlink |
25 | # blacklisting of chroot system calls breaks kmail | 44 | # we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls |
26 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 45 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice |
27 | # tracelog | 46 | # tracelog |
28 | # writable-run-user is needed for signing and encrypting emails | 47 | # writable-run-user is needed for signing and encrypting emails |
29 | writable-run-user | 48 | writable-run-user |
30 | 49 | ||
31 | private-dev | 50 | private-dev |
32 | # private-tmp - breaks akonadi and opening of email attachments | 51 | # private-tmp - interrupts connection to akonadi, breaks opening of email attachments |
52 | |||
53 | noexec ${HOME} | ||
54 | noexec /tmp | ||
diff --git a/etc/knotes.profile b/etc/knotes.profile index 94ada7855..4bbbd332d 100644 --- a/etc/knotes.profile +++ b/etc/knotes.profile | |||
@@ -5,27 +5,12 @@ include /etc/firejail/knotes.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.config/knotesrc | 8 | # knotes has problems launching akonadi in debian and ubuntu. |
9 | 9 | # one solution is to have akonadi already running when knotes is started | |
10 | include /etc/firejail/disable-common.inc | ||
11 | # include /etc/firejail/disable-devel.inc | ||
12 | include /etc/firejail/disable-passwdmgr.inc | ||
13 | include /etc/firejail/disable-programs.inc | ||
14 | 10 | ||
15 | include /etc/firejail/whitelist-var-common.inc | 11 | noblacklist ${HOME}/.config/knotesrc |
12 | noblacklist ${HOME}/.local/share/knotes | ||
16 | 13 | ||
17 | caps.drop all | ||
18 | netfilter | ||
19 | nodvd | ||
20 | nogroups | ||
21 | nonewprivs | ||
22 | noroot | ||
23 | nosound | ||
24 | notv | ||
25 | protocol unix | ||
26 | seccomp | ||
27 | shell none | ||
28 | tracelog | ||
29 | 14 | ||
30 | private-dev | 15 | # Redirect |
31 | #private-tmp - problems on kubuntu 17.04 | 16 | include /etc/firejail/kmail.profile |
diff --git a/etc/krita.profile b/etc/krita.profile index 0f4c5210b..24948c584 100644 --- a/etc/krita.profile +++ b/etc/krita.profile | |||
@@ -5,7 +5,6 @@ include /etc/firejail/krita.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # blacklist /run/user/*/bus | ||
9 | noblacklist ${HOME}/.config/kritarc | 8 | noblacklist ${HOME}/.config/kritarc |
10 | noblacklist ${HOME}/.local/share/krita | 9 | noblacklist ${HOME}/.local/share/krita |
11 | 10 | ||
@@ -18,6 +17,7 @@ apparmor | |||
18 | caps.drop all | 17 | caps.drop all |
19 | ipc-namespace | 18 | ipc-namespace |
20 | # net none | 19 | # net none |
20 | # nodbus | ||
21 | nodvd | 21 | nodvd |
22 | nogroups | 22 | nogroups |
23 | nonewprivs | 23 | nonewprivs |
diff --git a/etc/krunner.profile b/etc/krunner.profile index 1e97f4290..17526c4ea 100644 --- a/etc/krunner.profile +++ b/etc/krunner.profile | |||
@@ -10,10 +10,13 @@ include /etc/firejail/globals.local | |||
10 | # with its own profile, if it is sandboxed automatically. | 10 | # with its own profile, if it is sandboxed automatically. |
11 | 11 | ||
12 | # noblacklist ${HOME}/.cache/krunner | 12 | # noblacklist ${HOME}/.cache/krunner |
13 | # noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite | ||
14 | # noblacklist ${HOME}/.config/chromium | ||
13 | noblacklist ${HOME}/.config/krunnerrc | 15 | noblacklist ${HOME}/.config/krunnerrc |
14 | noblacklist ${HOME}/.kde/share/config/krunnerrc | 16 | noblacklist ${HOME}/.kde/share/config/krunnerrc |
15 | noblacklist ${HOME}/.kde4/share/config/krunnerrc | 17 | noblacklist ${HOME}/.kde4/share/config/krunnerrc |
16 | # noblacklist ${HOME}/.local/share/baloo | 18 | # noblacklist ${HOME}/.local/share/baloo |
19 | # noblacklist ${HOME}/.mozilla | ||
17 | 20 | ||
18 | include /etc/firejail/disable-common.inc | 21 | include /etc/firejail/disable-common.inc |
19 | # include /etc/firejail/disable-devel.inc | 22 | # include /etc/firejail/disable-devel.inc |
diff --git a/etc/kwrite.profile b/etc/kwrite.profile index a785f3541..ac51259c0 100644 --- a/etc/kwrite.profile +++ b/etc/kwrite.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/kwrite.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.config/katepartrc | 8 | noblacklist ${HOME}/.config/katepartrc |
11 | noblacklist ${HOME}/.config/katerc | 9 | noblacklist ${HOME}/.config/katerc |
12 | noblacklist ${HOME}/.config/kateschemarc | 10 | noblacklist ${HOME}/.config/kateschemarc |
@@ -26,6 +24,7 @@ apparmor | |||
26 | caps.drop all | 24 | caps.drop all |
27 | # net none | 25 | # net none |
28 | netfilter | 26 | netfilter |
27 | # nodbus | ||
29 | nodvd | 28 | nodvd |
30 | nogroups | 29 | nogroups |
31 | nonewprivs | 30 | nonewprivs |
@@ -43,4 +42,7 @@ private-dev | |||
43 | private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg | 42 | private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg |
44 | private-tmp | 43 | private-tmp |
45 | 44 | ||
45 | noexec ${HOME} | ||
46 | noexec /tmp | ||
47 | |||
46 | join-or-start kwrite | 48 | join-or-start kwrite |
diff --git a/etc/less.profile b/etc/less.profile index 3b1c5d6bf..e2616ba4f 100644 --- a/etc/less.profile +++ b/etc/less.profile | |||
@@ -6,12 +6,12 @@ include /etc/firejail/less.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
8 | 8 | ||
9 | blacklist /run/user/*/bus | ||
10 | blacklist /tmp/.X11-unix | 9 | blacklist /tmp/.X11-unix |
11 | 10 | ||
12 | ignore noroot | 11 | ignore noroot |
13 | net none | 12 | net none |
14 | no3d | 13 | no3d |
14 | nodbus | ||
15 | nodvd | 15 | nodvd |
16 | nosound | 16 | nosound |
17 | notv | 17 | notv |
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index ceb680951..15961321e 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile | |||
@@ -21,6 +21,7 @@ apparmor | |||
21 | caps.drop all | 21 | caps.drop all |
22 | machine-id | 22 | machine-id |
23 | netfilter | 23 | netfilter |
24 | nodbus | ||
24 | nodvd | 25 | nodvd |
25 | nogroups | 26 | nogroups |
26 | nonewprivs | 27 | nonewprivs |
diff --git a/etc/lmms.profile b/etc/lmms.profile index b2bacb246..a9fecf5be 100644 --- a/etc/lmms.profile +++ b/etc/lmms.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/lmms.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.lmmsrc.xml | 8 | noblacklist ${HOME}/.lmmsrc.xml |
11 | 9 | ||
12 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -18,6 +16,7 @@ caps.drop all | |||
18 | ipc-namespace | 16 | ipc-namespace |
19 | net none | 17 | net none |
20 | no3d | 18 | no3d |
19 | nodbus | ||
21 | nodvd | 20 | nodvd |
22 | nogroups | 21 | nogroups |
23 | nonewprivs | 22 | nonewprivs |
diff --git a/etc/macrofusion.profile b/etc/macrofusion.profile index f8c5c34ca..948c7226d 100644 --- a/etc/macrofusion.profile +++ b/etc/macrofusion.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/macrofusion.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.config/mfusion | 8 | noblacklist ${HOME}/.config/mfusion |
11 | 9 | ||
12 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc | |||
17 | caps.drop all | 15 | caps.drop all |
18 | ipc-namespace | 16 | ipc-namespace |
19 | net none | 17 | net none |
18 | nodbus | ||
20 | nodvd | 19 | nodvd |
21 | nogroups | 20 | nogroups |
22 | nonewprivs | 21 | nonewprivs |
diff --git a/etc/mate-calc.profile b/etc/mate-calc.profile index be5dac206..f452b751a 100644 --- a/etc/mate-calc.profile +++ b/etc/mate-calc.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/mate-calc.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.config/mate-calc | 8 | noblacklist ${HOME}/.config/mate-calc |
11 | 9 | ||
12 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -24,6 +22,7 @@ whitelist ${HOME}/.themes | |||
24 | caps.drop all | 22 | caps.drop all |
25 | net none | 23 | net none |
26 | no3d | 24 | no3d |
25 | nodbus | ||
27 | nodvd | 26 | nodvd |
28 | nogroups | 27 | nogroups |
29 | nonewprivs | 28 | nonewprivs |
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile index de9297174..c3c84ed39 100644 --- a/etc/mediainfo.profile +++ b/etc/mediainfo.profile | |||
@@ -5,7 +5,6 @@ include /etc/firejail/mediainfo.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | blacklist /tmp/.X11-unix | 8 | blacklist /tmp/.X11-unix |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -16,6 +15,7 @@ include /etc/firejail/disable-programs.inc | |||
16 | caps.drop all | 15 | caps.drop all |
17 | net none | 16 | net none |
18 | no3d | 17 | no3d |
18 | nodbus | ||
19 | nodvd | 19 | nodvd |
20 | nogroups | 20 | nogroups |
21 | nonewprivs | 21 | nonewprivs |
diff --git a/etc/meld.profile b/etc/meld.profile index 1a451ff57..78d9e0c76 100644 --- a/etc/meld.profile +++ b/etc/meld.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/meld.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.local/share/meld | 8 | noblacklist ${HOME}/.local/share/meld |
11 | 9 | ||
12 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc | |||
17 | caps.drop all | 15 | caps.drop all |
18 | net none | 16 | net none |
19 | no3d | 17 | no3d |
18 | nodbus | ||
20 | nodvd | 19 | nodvd |
21 | nogroups | 20 | nogroups |
22 | nonewprivs | 21 | nonewprivs |
diff --git a/etc/mpv.profile b/etc/mpv.profile index a4dc679f4..dcd8b05e1 100644 --- a/etc/mpv.profile +++ b/etc/mpv.profile | |||
@@ -18,6 +18,7 @@ include /etc/firejail/whitelist-var-common.inc | |||
18 | apparmor | 18 | apparmor |
19 | caps.drop all | 19 | caps.drop all |
20 | netfilter | 20 | netfilter |
21 | nodbus | ||
21 | nogroups | 22 | nogroups |
22 | nonewprivs | 23 | nonewprivs |
23 | noroot | 24 | noroot |
diff --git a/etc/mupdf.profile b/etc/mupdf.profile index 9e04c3a81..af5859dbc 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/mupdf.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | include /etc/firejail/disable-common.inc | 8 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | 9 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 10 | include /etc/firejail/disable-passwdmgr.inc |
@@ -17,6 +15,7 @@ include /etc/firejail/whitelist-var-common.inc | |||
17 | caps.drop all | 15 | caps.drop all |
18 | machine-id | 16 | machine-id |
19 | net none | 17 | net none |
18 | nodbus | ||
20 | nodvd | 19 | nodvd |
21 | nogroups | 20 | nogroups |
22 | nonewprivs | 21 | nonewprivs |
diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile index e05babc91..2e3d7cfb8 100644 --- a/etc/mupen64plus.profile +++ b/etc/mupen64plus.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/mupen64plus.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.config/mupen64plus | 8 | noblacklist ${HOME}/.config/mupen64plus |
11 | noblacklist ${HOME}/.local/share/mupen64plus | 9 | noblacklist ${HOME}/.local/share/mupen64plus |
12 | 10 | ||
@@ -24,6 +22,7 @@ include /etc/firejail/whitelist-common.inc | |||
24 | 22 | ||
25 | caps.drop all | 23 | caps.drop all |
26 | net none | 24 | net none |
25 | nodbus | ||
27 | nodvd | 26 | nodvd |
28 | nonewprivs | 27 | nonewprivs |
29 | noroot | 28 | noroot |
diff --git a/etc/natron.profile b/etc/natron.profile index 413ea53f9..cf01c862c 100644 --- a/etc/natron.profile +++ b/etc/natron.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/natron.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.Natron | 8 | noblacklist ${HOME}/.Natron |
11 | noblacklist ${HOME}/.cache/INRIA/Natron | 9 | noblacklist ${HOME}/.cache/INRIA/Natron |
12 | noblacklist ${HOME}/.config/INRIA | 10 | noblacklist ${HOME}/.config/INRIA |
@@ -19,6 +17,7 @@ include /etc/firejail/disable-programs.inc | |||
19 | 17 | ||
20 | caps.drop all | 18 | caps.drop all |
21 | net none | 19 | net none |
20 | nodbus | ||
22 | nodvd | 21 | nodvd |
23 | nogroups | 22 | nogroups |
24 | nonewprivs | 23 | nonewprivs |
diff --git a/etc/ncdu.profile b/etc/ncdu.profile new file mode 100644 index 000000000..ab79a325e --- /dev/null +++ b/etc/ncdu.profile | |||
@@ -0,0 +1,29 @@ | |||
1 | # Firejail profile for ncdu | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/ncdu.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | caps.drop all | ||
9 | ipc-namespace | ||
10 | nodbus | ||
11 | net none | ||
12 | no3d | ||
13 | nodvd | ||
14 | nogroups | ||
15 | nonewprivs | ||
16 | noroot | ||
17 | nosound | ||
18 | notv | ||
19 | novideo | ||
20 | protocol unix | ||
21 | seccomp | ||
22 | shell none | ||
23 | |||
24 | private-dev | ||
25 | # private-tmp | ||
26 | |||
27 | memory-deny-write-execute | ||
28 | noexec ${HOME} | ||
29 | noexec /tmp | ||
diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile index b6d4a63b5..c807a5399 100644 --- a/etc/odt2txt.profile +++ b/etc/odt2txt.profile | |||
@@ -5,7 +5,6 @@ include /etc/firejail/odt2txt.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | blacklist /tmp/.X11-unix | 8 | blacklist /tmp/.X11-unix |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -16,6 +15,7 @@ include /etc/firejail/disable-programs.inc | |||
16 | caps.drop all | 15 | caps.drop all |
17 | net none | 16 | net none |
18 | no3d | 17 | no3d |
18 | nodbus | ||
19 | nodvd | 19 | nodvd |
20 | nogroups | 20 | nogroups |
21 | nonewprivs | 21 | nonewprivs |
diff --git a/etc/okular.profile b/etc/okular.profile index ffe0d2bfb..f1f0b2c7e 100644 --- a/etc/okular.profile +++ b/etc/okular.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/okular.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.cache/okular | 8 | noblacklist ${HOME}/.cache/okular |
11 | noblacklist ${HOME}/.config/okularpartrc | 9 | noblacklist ${HOME}/.config/okularpartrc |
12 | noblacklist ${HOME}/.config/okularrc | 10 | noblacklist ${HOME}/.config/okularrc |
@@ -30,6 +28,7 @@ caps.drop all | |||
30 | machine-id | 28 | machine-id |
31 | # net none | 29 | # net none |
32 | netfilter | 30 | netfilter |
31 | # nodbus | ||
33 | nodvd | 32 | nodvd |
34 | nogroups | 33 | nogroups |
35 | nonewprivs | 34 | nonewprivs |
diff --git a/etc/open-invaders.profile b/etc/open-invaders.profile index 191f8d87b..3c3609dae 100644 --- a/etc/open-invaders.profile +++ b/etc/open-invaders.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/open-invaders.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.openinvaders | 8 | noblacklist ${HOME}/.openinvaders |
11 | 9 | ||
12 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -20,6 +18,7 @@ include /etc/firejail/whitelist-common.inc | |||
20 | 18 | ||
21 | caps.drop all | 19 | caps.drop all |
22 | net none | 20 | net none |
21 | nodbus | ||
23 | nodvd | 22 | nodvd |
24 | nogroups | 23 | nogroups |
25 | nonewprivs | 24 | nonewprivs |
diff --git a/etc/openbox.profile b/etc/openbox.profile index 5bab7ce7d..ec4b47c29 100644 --- a/etc/openbox.profile +++ b/etc/openbox.profile | |||
@@ -14,3 +14,6 @@ netfilter | |||
14 | noroot | 14 | noroot |
15 | protocol unix,inet,inet6 | 15 | protocol unix,inet,inet6 |
16 | seccomp | 16 | seccomp |
17 | |||
18 | read-only ${HOME}/.config/openbox/autostart | ||
19 | read-only ${HOME}/.config/openbox/environment | ||
diff --git a/etc/openshot.profile b/etc/openshot.profile index ca9110be6..b9eb29590 100644 --- a/etc/openshot.profile +++ b/etc/openshot.profile | |||
@@ -18,6 +18,7 @@ include /etc/firejail/whitelist-var-common.inc | |||
18 | apparmor | 18 | apparmor |
19 | caps.drop all | 19 | caps.drop all |
20 | netfilter | 20 | netfilter |
21 | nodbus | ||
21 | nodvd | 22 | nodvd |
22 | nogroups | 23 | nogroups |
23 | nonewprivs | 24 | nonewprivs |
diff --git a/etc/pcmanfm.profile b/etc/pcmanfm.profile index 08c607020..0dcd21549 100644 --- a/etc/pcmanfm.profile +++ b/etc/pcmanfm.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/pcmanfm.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.local/share/Trash | 8 | noblacklist ${HOME}/.local/share/Trash |
11 | # noblacklist ${HOME}/.config/libfm - disable-programs.inc is disabled, see below | 9 | # noblacklist ${HOME}/.config/libfm - disable-programs.inc is disabled, see below |
12 | # noblacklist ${HOME}/.config/pcmanfm | 10 | # noblacklist ${HOME}/.config/pcmanfm |
@@ -19,6 +17,7 @@ include /etc/firejail/disable-passwdmgr.inc | |||
19 | caps.drop all | 17 | caps.drop all |
20 | # net none - see issue #1467, computer:/// location broken | 18 | # net none - see issue #1467, computer:/// location broken |
21 | no3d | 19 | no3d |
20 | # nodbus | ||
22 | nodvd | 21 | nodvd |
23 | nonewprivs | 22 | nonewprivs |
24 | noroot | 23 | noroot |
diff --git a/etc/pdfchain.profile b/etc/pdfchain.profile index d43c0911e..b4ccb6003 100755 --- a/etc/pdfchain.profile +++ b/etc/pdfchain.profile | |||
@@ -5,9 +5,6 @@ include /etc/firejail/pdfchain.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | |||
9 | blacklist /run/user/*/bus | ||
10 | |||
11 | include /etc/firejail/disable-common.inc | 8 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | 9 | include /etc/firejail/disable-programs.inc |
13 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
@@ -19,6 +16,7 @@ caps.drop all | |||
19 | ipc-namespace | 16 | ipc-namespace |
20 | net none | 17 | net none |
21 | no3d | 18 | no3d |
19 | nodbus | ||
22 | nogroups | 20 | nogroups |
23 | nonewprivs | 21 | nonewprivs |
24 | noroot | 22 | noroot |
diff --git a/etc/pdfmod.profile b/etc/pdfmod.profile index 8ac09dcdc..9b08dfd84 100644 --- a/etc/pdfmod.profile +++ b/etc/pdfmod.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/pdfmod.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.cache/pdfmod | 8 | noblacklist ${HOME}/.cache/pdfmod |
11 | noblacklist ${HOME}/.config/pdfmod | 9 | noblacklist ${HOME}/.config/pdfmod |
12 | 10 | ||
@@ -22,6 +20,7 @@ ipc-namespace | |||
22 | machine-id | 20 | machine-id |
23 | net none | 21 | net none |
24 | no3d | 22 | no3d |
23 | nodbus | ||
25 | nodvd | 24 | nodvd |
26 | nogroups | 25 | nogroups |
27 | nonewprivs | 26 | nonewprivs |
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile index c1515ab73..465f68fd6 100644 --- a/etc/pdfsam.profile +++ b/etc/pdfsam.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/pdfsam.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.java | 8 | noblacklist ${HOME}/.java |
11 | 9 | ||
12 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -18,6 +16,7 @@ caps.drop all | |||
18 | machine-id | 16 | machine-id |
19 | net none | 17 | net none |
20 | no3d | 18 | no3d |
19 | nodbus | ||
21 | nodvd | 20 | nodvd |
22 | nogroups | 21 | nogroups |
23 | nonewprivs | 22 | nonewprivs |
diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile index 736faa5ea..a97063754 100644 --- a/etc/pdftotext.profile +++ b/etc/pdftotext.profile | |||
@@ -5,7 +5,6 @@ include /etc/firejail/pdftotext.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | blacklist /tmp/.X11-unix | 8 | blacklist /tmp/.X11-unix |
10 | 9 | ||
11 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -19,6 +18,7 @@ caps.drop all | |||
19 | machine-id | 18 | machine-id |
20 | net none | 19 | net none |
21 | no3d | 20 | no3d |
21 | nodbus | ||
22 | nodvd | 22 | nodvd |
23 | nogroups | 23 | nogroups |
24 | nonewprivs | 24 | nonewprivs |
diff --git a/etc/peek.profile b/etc/peek.profile index 01db4fa08..7b7ab9470 100644 --- a/etc/peek.profile +++ b/etc/peek.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/peek.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.cache/peek | 8 | noblacklist ${HOME}/.cache/peek |
11 | 9 | ||
12 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc | |||
17 | caps.drop all | 15 | caps.drop all |
18 | net none | 16 | net none |
19 | no3d | 17 | no3d |
18 | nodbus | ||
20 | nodvd | 19 | nodvd |
21 | nogroups | 20 | nogroups |
22 | nonewprivs | 21 | nonewprivs |
diff --git a/etc/pingus.profile b/etc/pingus.profile index ec7eff632..b287e7ee8 100644 --- a/etc/pingus.profile +++ b/etc/pingus.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/pingus.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.pingus | 8 | noblacklist ${HOME}/.pingus |
11 | 9 | ||
12 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -20,6 +18,7 @@ include /etc/firejail/whitelist-common.inc | |||
20 | 18 | ||
21 | caps.drop all | 19 | caps.drop all |
22 | net none | 20 | net none |
21 | nodbus | ||
23 | nodvd | 22 | nodvd |
24 | nogroups | 23 | nogroups |
25 | nonewprivs | 24 | nonewprivs |
diff --git a/etc/pinta.profile b/etc/pinta.profile index 4a8815a73..b51521ef7 100644 --- a/etc/pinta.profile +++ b/etc/pinta.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/pinta.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.config/Pinta | 8 | noblacklist ${HOME}/.config/Pinta |
11 | 9 | ||
12 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc | |||
17 | caps.drop all | 15 | caps.drop all |
18 | ipc-namespace | 16 | ipc-namespace |
19 | net none | 17 | net none |
18 | nodbus | ||
20 | nodvd | 19 | nodvd |
21 | nogroups | 20 | nogroups |
22 | nonewprivs | 21 | nonewprivs |
diff --git a/etc/pluma.profile b/etc/pluma.profile index b50e3cbaf..d0acfeb1a 100644 --- a/etc/pluma.profile +++ b/etc/pluma.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/pluma.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # blacklist /run/user/*/bus - makes settings immutable | ||
9 | |||
10 | noblacklist ${HOME}/.config/pluma | 8 | noblacklist ${HOME}/.config/pluma |
11 | 9 | ||
12 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -16,10 +14,12 @@ include /etc/firejail/disable-programs.inc | |||
16 | 14 | ||
17 | include /etc/firejail/whitelist-var-common.inc | 15 | include /etc/firejail/whitelist-var-common.inc |
18 | 16 | ||
17 | # apparmor - makes settings immutable | ||
19 | caps.drop all | 18 | caps.drop all |
20 | # net none - makes settings immutable | ||
21 | machine-id | 19 | machine-id |
20 | # net none - makes settings immutable | ||
22 | no3d | 21 | no3d |
22 | # nodbus - makes settings immutable | ||
23 | nodvd | 23 | nodvd |
24 | nogroups | 24 | nogroups |
25 | nonewprivs | 25 | nonewprivs |
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index 8df8177eb..14a9e8adc 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile | |||
@@ -30,6 +30,7 @@ apparmor | |||
30 | caps.drop all | 30 | caps.drop all |
31 | machine-id | 31 | machine-id |
32 | netfilter | 32 | netfilter |
33 | nodbus | ||
33 | nodvd | 34 | nodvd |
34 | nogroups | 35 | nogroups |
35 | nonewprivs | 36 | nonewprivs |
diff --git a/etc/ranger.profile b/etc/ranger.profile index 211a1b2d5..fd5bbf89c 100644 --- a/etc/ranger.profile +++ b/etc/ranger.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/ranger.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | # noblacklist /usr/bin/cpan* | 8 | # noblacklist /usr/bin/cpan* |
11 | noblacklist /usr/bin/perl | 9 | noblacklist /usr/bin/perl |
12 | noblacklist /usr/lib/perl* | 10 | noblacklist /usr/lib/perl* |
@@ -20,6 +18,7 @@ include /etc/firejail/disable-programs.inc | |||
20 | 18 | ||
21 | caps.drop all | 19 | caps.drop all |
22 | net none | 20 | net none |
21 | nodbus | ||
23 | nodvd | 22 | nodvd |
24 | nogroups | 23 | nogroups |
25 | nonewprivs | 24 | nonewprivs |
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index a20bdb883..6322f8217 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile | |||
@@ -13,10 +13,11 @@ include /etc/firejail/disable-programs.inc | |||
13 | 13 | ||
14 | include /etc/firejail/whitelist-var-common.inc | 14 | include /etc/firejail/whitelist-var-common.inc |
15 | 15 | ||
16 | apparmor | 16 | # apparmor - makes settings immutable |
17 | caps.drop all | 17 | caps.drop all |
18 | netfilter | 18 | netfilter |
19 | # no3d | 19 | # no3d |
20 | # nodbus - makes settings immutable | ||
20 | nogroups | 21 | nogroups |
21 | nonewprivs | 22 | nonewprivs |
22 | noroot | 23 | noroot |
diff --git a/etc/scribus.profile b/etc/scribus.profile index 8ce63fbf0..f9f585a20 100644 --- a/etc/scribus.profile +++ b/etc/scribus.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/scribus.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | # Support for PDF readers comes with Scribus 1.5 and higher | 8 | # Support for PDF readers comes with Scribus 1.5 and higher |
11 | noblacklist ${HOME}/.cache/okular | 9 | noblacklist ${HOME}/.cache/okular |
12 | noblacklist ${HOME}/.config/okularpartrc | 10 | noblacklist ${HOME}/.config/okularpartrc |
@@ -33,6 +31,7 @@ include /etc/firejail/whitelist-var-common.inc | |||
33 | 31 | ||
34 | caps.drop all | 32 | caps.drop all |
35 | net none | 33 | net none |
34 | nodbus | ||
36 | nodvd | 35 | nodvd |
37 | nogroups | 36 | nogroups |
38 | nonewprivs | 37 | nonewprivs |
@@ -48,3 +47,6 @@ tracelog | |||
48 | # private-bin scribus,gs,gimp* | 47 | # private-bin scribus,gs,gimp* |
49 | private-dev | 48 | private-dev |
50 | private-tmp | 49 | private-tmp |
50 | |||
51 | noexec ${HOME} | ||
52 | noexec /tmp | ||
diff --git a/etc/sdat2img.profile b/etc/sdat2img.profile index bc94ae2a0..2f3d94f01 100644 --- a/etc/sdat2img.profile +++ b/etc/sdat2img.profile | |||
@@ -6,8 +6,6 @@ include /etc/firejail/sdat2img.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
8 | 8 | ||
9 | blacklist /run/user/*/bus | ||
10 | |||
11 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
@@ -16,6 +14,7 @@ include /etc/firejail/disable-programs.inc | |||
16 | caps.drop all | 14 | caps.drop all |
17 | net none | 15 | net none |
18 | no3d | 16 | no3d |
17 | nodbus | ||
19 | nodvd | 18 | nodvd |
20 | nogroups | 19 | nogroups |
21 | nonewprivs | 20 | nonewprivs |
diff --git a/etc/shotcut.profile b/etc/shotcut.profile index 3f2cc3d33..293a89ba3 100644 --- a/etc/shotcut.profile +++ b/etc/shotcut.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/shotcut.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.config/Meltytech | 8 | noblacklist ${HOME}/.config/Meltytech |
11 | 9 | ||
12 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -16,6 +14,7 @@ include /etc/firejail/disable-programs.inc | |||
16 | 14 | ||
17 | caps.drop all | 15 | caps.drop all |
18 | net none | 16 | net none |
17 | nodbus | ||
19 | nodvd | 18 | nodvd |
20 | nogroups | 19 | nogroups |
21 | nonewprivs | 20 | nonewprivs |
diff --git a/etc/simutrans.profile b/etc/simutrans.profile index 8b4113d2f..adde3f8ce 100644 --- a/etc/simutrans.profile +++ b/etc/simutrans.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/simutrans.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.simutrans | 8 | noblacklist ${HOME}/.simutrans |
11 | 9 | ||
12 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -20,6 +18,7 @@ include /etc/firejail/whitelist-common.inc | |||
20 | 18 | ||
21 | caps.drop all | 19 | caps.drop all |
22 | net none | 20 | net none |
21 | nodbus | ||
23 | nodvd | 22 | nodvd |
24 | nogroups | 23 | nogroups |
25 | nonewprivs | 24 | nonewprivs |
diff --git a/etc/skanlite.profile b/etc/skanlite.profile index 316cf5821..4fa649654 100644 --- a/etc/skanlite.profile +++ b/etc/skanlite.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/skanlite.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # blacklist /run/user/*/bus | ||
9 | |||
10 | include /etc/firejail/disable-common.inc | 8 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | 9 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 10 | include /etc/firejail/disable-passwdmgr.inc |
@@ -15,6 +13,7 @@ include /etc/firejail/disable-programs.inc | |||
15 | caps.drop all | 13 | caps.drop all |
16 | # net none | 14 | # net none |
17 | netfilter | 15 | netfilter |
16 | # nodbus | ||
18 | nodvd | 17 | nodvd |
19 | nogroups | 18 | nogroups |
20 | nonewprivs | 19 | nonewprivs |
diff --git a/etc/smplayer.profile b/etc/smplayer.profile index 64eff5670..187b0674a 100644 --- a/etc/smplayer.profile +++ b/etc/smplayer.profile | |||
@@ -18,6 +18,7 @@ include /etc/firejail/whitelist-var-common.inc | |||
18 | apparmor | 18 | apparmor |
19 | caps.drop all | 19 | caps.drop all |
20 | netfilter | 20 | netfilter |
21 | # nodbus - problems with KDE | ||
21 | # nogroups | 22 | # nogroups |
22 | nonewprivs | 23 | nonewprivs |
23 | noroot | 24 | noroot |
diff --git a/etc/spotify.profile b/etc/spotify.profile index c973783a9..dfd3bae7f 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile | |||
@@ -31,6 +31,7 @@ include /etc/firejail/whitelist-var-common.inc | |||
31 | 31 | ||
32 | caps.drop all | 32 | caps.drop all |
33 | netfilter | 33 | netfilter |
34 | nodbus | ||
34 | nodvd | 35 | nodvd |
35 | nogroups | 36 | nogroups |
36 | nonewprivs | 37 | nonewprivs |
@@ -44,7 +45,7 @@ tracelog | |||
44 | disable-mnt | 45 | disable-mnt |
45 | private-bin spotify,bash,sh,zenity | 46 | private-bin spotify,bash,sh,zenity |
46 | private-dev | 47 | private-dev |
47 | private-etc fonts,group,ld.so.cache,machine-id,pulse,resolv.conf | 48 | private-etc fonts,ld.so.cache,machine-id,pulse,resolv.conf |
48 | private-opt spotify | 49 | private-opt spotify |
49 | private-tmp | 50 | private-tmp |
50 | 51 | ||
diff --git a/etc/sqlitebrowser.profile b/etc/sqlitebrowser.profile index 933d55b79..22c37645d 100644 --- a/etc/sqlitebrowser.profile +++ b/etc/sqlitebrowser.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/sqlitebrowser.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.config/sqlitebrowser | 8 | noblacklist ${HOME}/.config/sqlitebrowser |
11 | 9 | ||
12 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc | |||
17 | caps.drop all | 15 | caps.drop all |
18 | net none | 16 | net none |
19 | no3d | 17 | no3d |
18 | nodbus | ||
20 | nodvd | 19 | nodvd |
21 | nogroups | 20 | nogroups |
22 | nonewprivs | 21 | nonewprivs |
diff --git a/etc/steam.profile b/etc/steam.profile index 4965d3a54..bcdea9bc7 100644 --- a/etc/steam.profile +++ b/etc/steam.profile | |||
@@ -32,7 +32,10 @@ include /etc/firejail/disable-programs.inc | |||
32 | include /etc/firejail/whitelist-var-common.inc | 32 | include /etc/firejail/whitelist-var-common.inc |
33 | 33 | ||
34 | caps.drop all | 34 | caps.drop all |
35 | #ipc-namespace | ||
35 | netfilter | 36 | netfilter |
37 | # nodbus disabled as it breaks appindicator support | ||
38 | #nodbus | ||
36 | nodvd | 39 | nodvd |
37 | nogroups | 40 | nogroups |
38 | nonewprivs | 41 | nonewprivs |
@@ -44,10 +47,17 @@ protocol unix,inet,inet6,netlink | |||
44 | seccomp | 47 | seccomp |
45 | shell none | 48 | shell none |
46 | # tracelog disabled as it breaks integrated browser | 49 | # tracelog disabled as it breaks integrated browser |
47 | # tracelog | 50 | #tracelog |
51 | |||
52 | # private-bin is disabled while in testing, but has been tested working with multiple games | ||
53 | #private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lspci,lsof,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity | ||
54 | # extra programs are available which might be needed for select games | ||
55 | #private-bin java,java-config,mono,python* | ||
56 | # picture viewers are are needed for viewing screenshots | ||
57 | #private-bin eog,eom,gthumb,pix,viewnior,xviewer | ||
48 | 58 | ||
49 | # private-dev should be commented for controllers | 59 | # private-dev should be commented for controllers |
50 | private-dev | 60 | private-dev |
51 | # private-etc breaks some games | 61 | # private-etc breaks a small selection of games on some systems, comment to support those |
52 | #private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies | 62 | private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies,alternatives |
53 | private-tmp | 63 | private-tmp |
diff --git a/etc/strings.profile b/etc/strings.profile index 09273f35d..8995ad2a6 100644 --- a/etc/strings.profile +++ b/etc/strings.profile | |||
@@ -6,12 +6,12 @@ include /etc/firejail/strings.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
8 | 8 | ||
9 | blacklist /run/user/*/bus | ||
10 | blacklist /tmp/.X11-unix | 9 | blacklist /tmp/.X11-unix |
11 | 10 | ||
12 | ignore noroot | 11 | ignore noroot |
13 | net none | 12 | net none |
14 | no3d | 13 | no3d |
14 | nodbus | ||
15 | nodvd | 15 | nodvd |
16 | nosound | 16 | nosound |
17 | notv | 17 | notv |
diff --git a/etc/supertux2.profile b/etc/supertux2.profile index d60d7fa5f..24f42c276 100644 --- a/etc/supertux2.profile +++ b/etc/supertux2.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/supertux2.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.local/share/supertux2 | 8 | noblacklist ${HOME}/.local/share/supertux2 |
11 | 9 | ||
12 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -21,6 +19,7 @@ include /etc/firejail/whitelist-var-common.inc | |||
21 | 19 | ||
22 | caps.drop all | 20 | caps.drop all |
23 | net none | 21 | net none |
22 | nodbus | ||
24 | nodvd | 23 | nodvd |
25 | nogroups | 24 | nogroups |
26 | nonewprivs | 25 | nonewprivs |
diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile index 415a42cf5..be9c2aa64 100644 --- a/etc/synfigstudio.profile +++ b/etc/synfigstudio.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/synfigstudio.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.config/synfig | 8 | noblacklist ${HOME}/.config/synfig |
11 | noblacklist ${HOME}/.synfig | 9 | noblacklist ${HOME}/.synfig |
12 | 10 | ||
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc | |||
17 | 15 | ||
18 | caps.drop all | 16 | caps.drop all |
19 | net none | 17 | net none |
18 | nodbus | ||
20 | nodvd | 19 | nodvd |
21 | nogroups | 20 | nogroups |
22 | nonewprivs | 21 | nonewprivs |
diff --git a/etc/tar.profile b/etc/tar.profile index bd7973abf..5f54bf02d 100644 --- a/etc/tar.profile +++ b/etc/tar.profile | |||
@@ -6,13 +6,13 @@ include /etc/firejail/tar.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
8 | 8 | ||
9 | blacklist /run/user/*/bus | ||
10 | blacklist /tmp/.X11-unix | 9 | blacklist /tmp/.X11-unix |
11 | 10 | ||
12 | hostname tar | 11 | hostname tar |
13 | ignore noroot | 12 | ignore noroot |
14 | net none | 13 | net none |
15 | no3d | 14 | no3d |
15 | nodbus | ||
16 | nodvd | 16 | nodvd |
17 | nosound | 17 | nosound |
18 | notv | 18 | notv |
diff --git a/etc/terasology.profile b/etc/terasology.profile index ea25938d3..e671c4dc3 100644 --- a/etc/terasology.profile +++ b/etc/terasology.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/terasology.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.java | 8 | noblacklist ${HOME}/.java |
11 | noblacklist ${HOME}/.local/share/terasology | 9 | noblacklist ${HOME}/.local/share/terasology |
12 | 10 | ||
@@ -25,6 +23,7 @@ caps.drop all | |||
25 | ipc-namespace | 23 | ipc-namespace |
26 | net none | 24 | net none |
27 | netfilter | 25 | netfilter |
26 | nodbus | ||
28 | nodvd | 27 | nodvd |
29 | nogroups | 28 | nogroups |
30 | nonewprivs | 29 | nonewprivs |
diff --git a/etc/thunderbird-beta.profile b/etc/thunderbird-beta.profile new file mode 100644 index 000000000..73d2419da --- /dev/null +++ b/etc/thunderbird-beta.profile | |||
@@ -0,0 +1,8 @@ | |||
1 | # Firejail profile alias for thunderbird-beta | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | |||
5 | whitelist /opt/thunderbird-beta | ||
6 | |||
7 | # Redirect | ||
8 | include /etc/firejail/thunderbird.profile | ||
diff --git a/etc/totem.profile b/etc/totem.profile index 6dbc5f0c2..ad3845d90 100644 --- a/etc/totem.profile +++ b/etc/totem.profile | |||
@@ -15,9 +15,10 @@ include /etc/firejail/disable-programs.inc | |||
15 | 15 | ||
16 | include /etc/firejail/whitelist-var-common.inc | 16 | include /etc/firejail/whitelist-var-common.inc |
17 | 17 | ||
18 | apparmor | 18 | # apparmor - makes settings immutable |
19 | caps.drop all | 19 | caps.drop all |
20 | netfilter | 20 | netfilter |
21 | # nodbus - makes settings immutable | ||
21 | nogroups | 22 | nogroups |
22 | nonewprivs | 23 | nonewprivs |
23 | noroot | 24 | noroot |
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index 3d249748d..ee044aa0d 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile | |||
@@ -25,6 +25,7 @@ apparmor | |||
25 | caps.drop all | 25 | caps.drop all |
26 | machine-id | 26 | machine-id |
27 | netfilter | 27 | netfilter |
28 | nodbus | ||
28 | nodvd | 29 | nodvd |
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index 4f4d9bac1..a8fb80fd8 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile | |||
@@ -25,6 +25,7 @@ apparmor | |||
25 | caps.drop all | 25 | caps.drop all |
26 | machine-id | 26 | machine-id |
27 | netfilter | 27 | netfilter |
28 | nodbus | ||
28 | nodvd | 29 | nodvd |
29 | nonewprivs | 30 | nonewprivs |
30 | noroot | 31 | noroot |
diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile index 135371747..575bf77dc 100644 --- a/etc/transmission-show.profile +++ b/etc/transmission-show.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/transmission-show.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.cache/transmission | 8 | noblacklist ${HOME}/.cache/transmission |
11 | noblacklist ${HOME}/.config/transmission | 9 | noblacklist ${HOME}/.config/transmission |
12 | 10 | ||
@@ -18,6 +16,7 @@ include /etc/firejail/disable-programs.inc | |||
18 | caps.drop all | 16 | caps.drop all |
19 | machine-id | 17 | machine-id |
20 | net none | 18 | net none |
19 | nodbus | ||
21 | nodvd | 20 | nodvd |
22 | nonewprivs | 21 | nonewprivs |
23 | noroot | 22 | noroot |
diff --git a/etc/uefitool.profile b/etc/uefitool.profile index 6cff5249c..a10b44fb1 100644 --- a/etc/uefitool.profile +++ b/etc/uefitool.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/uefitool.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | include /etc/firejail/disable-common.inc | 8 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | 9 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 10 | include /etc/firejail/disable-passwdmgr.inc |
@@ -16,6 +14,7 @@ caps.drop all | |||
16 | ipc-namespace | 14 | ipc-namespace |
17 | net none | 15 | net none |
18 | no3d | 16 | no3d |
17 | nodbus | ||
19 | nodvd | 18 | nodvd |
20 | nogroups | 19 | nogroups |
21 | nonewprivs | 20 | nonewprivs |
diff --git a/etc/unrar.profile b/etc/unrar.profile index f7e25d5d7..ba2a86f4c 100644 --- a/etc/unrar.profile +++ b/etc/unrar.profile | |||
@@ -6,13 +6,13 @@ include /etc/firejail/unrar.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
8 | 8 | ||
9 | blacklist /run/user/*/bus | ||
10 | blacklist /tmp/.X11-unix | 9 | blacklist /tmp/.X11-unix |
11 | 10 | ||
12 | hostname unrar | 11 | hostname unrar |
13 | ignore noroot | 12 | ignore noroot |
14 | net none | 13 | net none |
15 | no3d | 14 | no3d |
15 | nodbus | ||
16 | nodvd | 16 | nodvd |
17 | nosound | 17 | nosound |
18 | notv | 18 | notv |
diff --git a/etc/unzip.profile b/etc/unzip.profile index fe16c670d..fddc79260 100644 --- a/etc/unzip.profile +++ b/etc/unzip.profile | |||
@@ -6,13 +6,13 @@ include /etc/firejail/unzip.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
8 | 8 | ||
9 | blacklist /run/user/*/bus | ||
10 | blacklist /tmp/.X11-unix | 9 | blacklist /tmp/.X11-unix |
11 | 10 | ||
12 | hostname unzip | 11 | hostname unzip |
13 | ignore noroot | 12 | ignore noroot |
14 | net none | 13 | net none |
15 | no3d | 14 | no3d |
15 | nodbus | ||
16 | nodvd | 16 | nodvd |
17 | nosound | 17 | nosound |
18 | notv | 18 | notv |
diff --git a/etc/uudeview.profile b/etc/uudeview.profile index f7699552d..b64ecaa3e 100644 --- a/etc/uudeview.profile +++ b/etc/uudeview.profile | |||
@@ -6,11 +6,10 @@ include /etc/firejail/uudeview.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
8 | 8 | ||
9 | blacklist /run/user/*/bus | ||
10 | |||
11 | hostname uudeview | 9 | hostname uudeview |
12 | ignore noroot | 10 | ignore noroot |
13 | net none | 11 | net none |
12 | nodbus | ||
14 | nodvd | 13 | nodvd |
15 | nosound | 14 | nosound |
16 | notv | 15 | notv |
diff --git a/etc/viewnior.profile b/etc/viewnior.profile index 39bf3f7ce..135147266 100644 --- a/etc/viewnior.profile +++ b/etc/viewnior.profile | |||
@@ -5,7 +5,6 @@ include /etc/firejail/viewnior.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | blacklist ${HOME}/.bashrc | 8 | blacklist ${HOME}/.bashrc |
10 | 9 | ||
11 | noblacklist ${HOME}/.Steam | 10 | noblacklist ${HOME}/.Steam |
@@ -20,6 +19,7 @@ include /etc/firejail/disable-programs.inc | |||
20 | caps.drop all | 19 | caps.drop all |
21 | net none | 20 | net none |
22 | no3d | 21 | no3d |
22 | nodbus | ||
23 | nodvd | 23 | nodvd |
24 | nogroups | 24 | nogroups |
25 | nonewprivs | 25 | nonewprivs |
diff --git a/etc/vlc.profile b/etc/vlc.profile index dad9a9ae1..c8c84b992 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile | |||
@@ -5,6 +5,7 @@ include /etc/firejail/vlc.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.cache/vlc | ||
8 | noblacklist ${HOME}/.config/vlc | 9 | noblacklist ${HOME}/.config/vlc |
9 | noblacklist ${HOME}/.local/share/vlc | 10 | noblacklist ${HOME}/.local/share/vlc |
10 | 11 | ||
@@ -18,6 +19,7 @@ include /etc/firejail/whitelist-var-common.inc | |||
18 | apparmor | 19 | apparmor |
19 | caps.drop all | 20 | caps.drop all |
20 | netfilter | 21 | netfilter |
22 | # nodbus - problems with KDE | ||
21 | # nogroups | 23 | # nogroups |
22 | nonewprivs | 24 | nonewprivs |
23 | noroot | 25 | noroot |
diff --git a/etc/x-terminal-emulator.profile b/etc/x-terminal-emulator.profile index 67707ffb8..ac8f0fe2a 100644 --- a/etc/x-terminal-emulator.profile +++ b/etc/x-terminal-emulator.profile | |||
@@ -5,12 +5,11 @@ include /etc/firejail/x-terminal-emulator.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | caps.drop all | 8 | caps.drop all |
11 | ipc-namespace | 9 | ipc-namespace |
12 | net none | 10 | net none |
13 | netfilter | 11 | netfilter |
12 | nodbus | ||
14 | nogroups | 13 | nogroups |
15 | noroot | 14 | noroot |
16 | protocol unix | 15 | protocol unix |
diff --git a/etc/xcalc.profile b/etc/xcalc.profile index 467f96003..8493fe658 100644 --- a/etc/xcalc.profile +++ b/etc/xcalc.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/xcalc.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | include /etc/firejail/disable-common.inc | 8 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | 9 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 10 | include /etc/firejail/disable-passwdmgr.inc |
@@ -18,6 +16,7 @@ caps.drop all | |||
18 | net none | 16 | net none |
19 | netfilter | 17 | netfilter |
20 | no3d | 18 | no3d |
19 | nodbus | ||
21 | nodvd | 20 | nodvd |
22 | nogroups | 21 | nogroups |
23 | nonewprivs | 22 | nonewprivs |
diff --git a/etc/xed.profile b/etc/xed.profile index e4ab673e8..5d46560b7 100644 --- a/etc/xed.profile +++ b/etc/xed.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/xed.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # blacklist /run/user/*/bus - makes settings immutable | ||
9 | |||
10 | noblacklist ${HOME}/.config/xed | 8 | noblacklist ${HOME}/.config/xed |
11 | 9 | ||
12 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -16,10 +14,12 @@ include /etc/firejail/disable-programs.inc | |||
16 | 14 | ||
17 | include /etc/firejail/whitelist-var-common.inc | 15 | include /etc/firejail/whitelist-var-common.inc |
18 | 16 | ||
17 | # apparmor - makes settings immutable | ||
19 | caps.drop all | 18 | caps.drop all |
20 | # net none - makes settings immutable | ||
21 | machine-id | 19 | machine-id |
20 | # net none - makes settings immutable | ||
22 | no3d | 21 | no3d |
22 | # nodbus - makes settings immutable | ||
23 | nodvd | 23 | nodvd |
24 | nogroups | 24 | nogroups |
25 | nonewprivs | 25 | nonewprivs |
diff --git a/etc/xpdf.profile b/etc/xpdf.profile index 7b8042e5c..9eeda4d29 100644 --- a/etc/xpdf.profile +++ b/etc/xpdf.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/xpdf.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.xpdfrc | 8 | noblacklist ${HOME}/.xpdfrc |
11 | 9 | ||
12 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
@@ -20,6 +18,7 @@ caps.drop all | |||
20 | machine-id | 18 | machine-id |
21 | net none | 19 | net none |
22 | no3d | 20 | no3d |
21 | nodbus | ||
23 | nodvd | 22 | nodvd |
24 | nogroups | 23 | nogroups |
25 | nonewprivs | 24 | nonewprivs |
diff --git a/etc/xplayer-audio-preview.profile b/etc/xplayer-audio-preview.profile new file mode 100644 index 000000000..a422b9989 --- /dev/null +++ b/etc/xplayer-audio-preview.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile for xplayer-audio-preview | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/xplayer-audio-preview.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
9 | # Redirect | ||
10 | include /etc/firejail/xplayer.profile | ||
diff --git a/etc/xplayer-video-thumbnailer b/etc/xplayer-video-thumbnailer new file mode 100644 index 000000000..1ec5250bf --- /dev/null +++ b/etc/xplayer-video-thumbnailer | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile for xplayer-video-thumbnailer | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/xplayer-video-thumbnailer.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
9 | # Redirect | ||
10 | include /etc/firejail/xplayer.profile | ||
diff --git a/etc/xplayer.profile b/etc/xplayer.profile index 8ea361d79..7e475bd58 100644 --- a/etc/xplayer.profile +++ b/etc/xplayer.profile | |||
@@ -15,8 +15,10 @@ include /etc/firejail/disable-programs.inc | |||
15 | 15 | ||
16 | include /etc/firejail/whitelist-var-common.inc | 16 | include /etc/firejail/whitelist-var-common.inc |
17 | 17 | ||
18 | # apparmor - makes settings immutable | ||
18 | caps.drop all | 19 | caps.drop all |
19 | netfilter | 20 | netfilter |
21 | # nodbus - makes settings immutable | ||
20 | nogroups | 22 | nogroups |
21 | nonewprivs | 23 | nonewprivs |
22 | noroot | 24 | noroot |
diff --git a/etc/xreader-previewer.profile b/etc/xreader-previewer.profile new file mode 100644 index 000000000..4c42c147c --- /dev/null +++ b/etc/xreader-previewer.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile for xreader-previewer | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/xreader-previewer.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
9 | # Redirect | ||
10 | include /etc/firejail/xreader.profile | ||
diff --git a/etc/xreader-thumbnailer.profile b/etc/xreader-thumbnailer.profile new file mode 100644 index 000000000..bc0bcbb67 --- /dev/null +++ b/etc/xreader-thumbnailer.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile for xreader-thumbnailer | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/xreader-thumbnailer.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
9 | # Redirect | ||
10 | include /etc/firejail/xreader.profile | ||
diff --git a/etc/xreader.profile b/etc/xreader.profile index 00bd1ee2f..1ddfad26f 100644 --- a/etc/xreader.profile +++ b/etc/xreader.profile | |||
@@ -16,6 +16,7 @@ include /etc/firejail/disable-programs.inc | |||
16 | 16 | ||
17 | include /etc/firejail/whitelist-var-common.inc | 17 | include /etc/firejail/whitelist-var-common.inc |
18 | 18 | ||
19 | # apparmor | ||
19 | caps.drop all | 20 | caps.drop all |
20 | no3d | 21 | no3d |
21 | nodvd | 22 | nodvd |
diff --git a/etc/xviewer.profile b/etc/xviewer.profile index 7c4ede111..26f9f0238 100644 --- a/etc/xviewer.profile +++ b/etc/xviewer.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/xviewer.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # blacklist /run/user/*/bus - makes settings immutable | ||
9 | |||
10 | noblacklist ${HOME}/.Steam | 8 | noblacklist ${HOME}/.Steam |
11 | noblacklist ${HOME}/.config/xviewer | 9 | noblacklist ${HOME}/.config/xviewer |
12 | noblacklist ${HOME}/.local/share/Trash | 10 | noblacklist ${HOME}/.local/share/Trash |
@@ -19,9 +17,11 @@ include /etc/firejail/disable-programs.inc | |||
19 | 17 | ||
20 | include /etc/firejail/whitelist-var-common.inc | 18 | include /etc/firejail/whitelist-var-common.inc |
21 | 19 | ||
20 | # apparmor - makes settings immutable | ||
22 | caps.drop all | 21 | caps.drop all |
23 | # net none - makes settings immutable | 22 | # net none - makes settings immutable |
24 | no3d | 23 | no3d |
24 | # nodbus - makes settings immutable | ||
25 | nodvd | 25 | nodvd |
26 | nogroups | 26 | nogroups |
27 | nonewprivs | 27 | nonewprivs |
diff --git a/etc/xzdec.profile b/etc/xzdec.profile index 1136a6535..5913fd07a 100644 --- a/etc/xzdec.profile +++ b/etc/xzdec.profile | |||
@@ -6,12 +6,12 @@ include /etc/firejail/xzdec.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | include /etc/firejail/globals.local |
8 | 8 | ||
9 | blacklist /run/user/*/bus | ||
10 | blacklist /tmp/.X11-unix | 9 | blacklist /tmp/.X11-unix |
11 | 10 | ||
12 | ignore noroot | 11 | ignore noroot |
13 | net none | 12 | net none |
14 | no3d | 13 | no3d |
14 | nodbus | ||
15 | nodvd | 15 | nodvd |
16 | nosound | 16 | nosound |
17 | notv | 17 | notv |
diff --git a/etc/zart.profile b/etc/zart.profile index e9fd9b3bd..60eb09c71 100644 --- a/etc/zart.profile +++ b/etc/zart.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/zart.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /run/user/*/bus | ||
9 | |||
10 | include /etc/firejail/disable-common.inc | 8 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | 9 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 10 | include /etc/firejail/disable-passwdmgr.inc |
@@ -15,6 +13,7 @@ include /etc/firejail/disable-programs.inc | |||
15 | caps.drop all | 13 | caps.drop all |
16 | ipc-namespace | 14 | ipc-namespace |
17 | net none | 15 | net none |
16 | nodbus | ||
18 | nodvd | 17 | nodvd |
19 | nogroups | 18 | nogroups |
20 | nonewprivs | 19 | nonewprivs |
diff --git a/etc/zathura.profile b/etc/zathura.profile index 288abb8ec..3edece779 100644 --- a/etc/zathura.profile +++ b/etc/zathura.profile | |||
@@ -5,8 +5,6 @@ include /etc/firejail/zathura.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # blacklist /run/user/*/bus | ||
9 | |||
10 | noblacklist ${HOME}/.config/zathura | 8 | noblacklist ${HOME}/.config/zathura |
11 | noblacklist ${HOME}/.local/share/zathura | 9 | noblacklist ${HOME}/.local/share/zathura |
12 | 10 | ||
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc | |||
17 | 15 | ||
18 | caps.drop all | 16 | caps.drop all |
19 | # net none | 17 | # net none |
18 | # nodbus | ||
20 | nodvd | 19 | nodvd |
21 | nogroups | 20 | nogroups |
22 | nonewprivs | 21 | nonewprivs |
@@ -31,5 +30,6 @@ private-bin zathura | |||
31 | private-dev | 30 | private-dev |
32 | private-etc fonts | 31 | private-etc fonts |
33 | private-tmp | 32 | private-tmp |
33 | |||
34 | read-only ${HOME}/ | 34 | read-only ${HOME}/ |
35 | read-write ${HOME}/.local/share/zathura/ | 35 | read-write ${HOME}/.local/share/zathura/ |
@@ -10,11 +10,18 @@ gcov_init() { | |||
10 | /usr/lib/firejail/fcopy --help > /dev/null | 10 | /usr/lib/firejail/fcopy --help > /dev/null |
11 | /usr/lib/firejail/fldd --help > /dev/null | 11 | /usr/lib/firejail/fldd --help > /dev/null |
12 | firecfg --help > /dev/null | 12 | firecfg --help > /dev/null |
13 | |||
14 | /usr/lib/firejail/fnetfilter --help > /dev/null | ||
15 | /usr/lib/firejail/fsec-print --help > /dev/null | ||
16 | /usr/lib/firejail/fsec-optimize --help > /dev/null | ||
17 | /usr/lib/firejail/faudit --help > /dev/null | ||
18 | /usr/lib/firejail/fbuilder --help > /dev/null | ||
19 | |||
13 | sudo chown $USER:$USER `find .` | 20 | sudo chown $USER:$USER `find .` |
14 | } | 21 | } |
15 | 22 | ||
16 | generate() { | 23 | generate() { |
17 | lcov -q --capture -d src/firejail -d src/firemon -d src/fcopy -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-new | 24 | lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-new |
18 | lcov --add-tracefile gcov-file-old --add-tracefile gcov-file-new --output-file gcov-file | 25 | lcov --add-tracefile gcov-file-old --add-tracefile gcov-file-new --output-file gcov-file |
19 | rm -fr gcov-dir | 26 | rm -fr gcov-dir |
20 | genhtml -q gcov-file --output-directory gcov-dir | 27 | genhtml -q gcov-file --output-directory gcov-dir |
@@ -25,7 +32,7 @@ generate() { | |||
25 | 32 | ||
26 | 33 | ||
27 | gcov_init | 34 | gcov_init |
28 | lcov -q --capture -d src/firejail -d src/firemon -d src/fcopy -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-old | 35 | lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-old |
29 | 36 | ||
30 | #make test-environment | 37 | #make test-environment |
31 | #generate | 38 | #generate |
diff --git a/src/common.mk.in b/src/common.mk.in new file mode 100644 index 000000000..1d4dbe304 --- /dev/null +++ b/src/common.mk.in | |||
@@ -0,0 +1,37 @@ | |||
1 | # common definitions for all makefiles | ||
2 | |||
3 | CC=@CC@ | ||
4 | prefix=@prefix@ | ||
5 | exec_prefix=@exec_prefix@ | ||
6 | libdir=@libdir@ | ||
7 | sysconfdir=@sysconfdir@ | ||
8 | |||
9 | VERSION=@PACKAGE_VERSION@ | ||
10 | NAME=@PACKAGE_NAME@ | ||
11 | HAVE_SECCOMP_H=@HAVE_SECCOMP_H@ | ||
12 | HAVE_SECCOMP=@HAVE_SECCOMP@ | ||
13 | HAVE_CHROOT=@HAVE_CHROOT@ | ||
14 | HAVE_BIND=@HAVE_BIND@ | ||
15 | HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ | ||
16 | HAVE_NETWORK=@HAVE_NETWORK@ | ||
17 | HAVE_USERNS=@HAVE_USERNS@ | ||
18 | HAVE_X11=@HAVE_X11@ | ||
19 | HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ | ||
20 | HAVE_WHITELIST=@HAVE_WHITELIST@ | ||
21 | HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ | ||
22 | HAVE_APPARMOR=@HAVE_APPARMOR@ | ||
23 | HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ | ||
24 | HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ | ||
25 | HAVE_GCOV=@HAVE_GCOV@ | ||
26 | HAVE_GIT_INSTALL=@HAVE_GIT_INSTALL@ | ||
27 | |||
28 | H_FILE_LIST = $(sort $(wildcard *.[h])) | ||
29 | C_FILE_LIST = $(sort $(wildcard *.c)) | ||
30 | OBJS = $(C_FILE_LIST:.c=.o) | ||
31 | BINOBJS = $(foreach file, $(OBJS), $file) | ||
32 | |||
33 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) $(HAVE_GIT_INSTALL) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security | ||
34 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread | ||
35 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | ||
36 | EXTRA_CFLAGS +=@EXTRA_CFLAGS@ | ||
37 | |||
diff --git a/src/faudit/Makefile.in b/src/faudit/Makefile.in index a3b505c39..26df0fe51 100644 --- a/src/faudit/Makefile.in +++ b/src/faudit/Makefile.in | |||
@@ -1,25 +1,14 @@ | |||
1 | all: faudit | 1 | all: faudit |
2 | 2 | ||
3 | CC=@CC@ | 3 | include ../common.mk |
4 | PREFIX=@prefix@ | ||
5 | VERSION=@PACKAGE_VERSION@ | ||
6 | NAME=@PACKAGE_NAME@ | ||
7 | HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ | ||
8 | |||
9 | H_FILE_LIST = $(sort $(wildcard *.[h])) | ||
10 | C_FILE_LIST = $(sort $(wildcard *.c)) | ||
11 | OBJS = $(C_FILE_LIST:.c=.o) | ||
12 | BINOBJS = $(foreach file, $(OBJS), $file) | ||
13 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(PREFIX)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security | ||
14 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread | ||
15 | 4 | ||
16 | %.o : %.c $(H_FILE_LIST) | 5 | %.o : %.c $(H_FILE_LIST) |
17 | $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ | 6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ |
18 | 7 | ||
19 | faudit: $(OBJS) | 8 | faudit: $(OBJS) |
20 | $(CC) $(LDFLAGS) -o $@ $(OBJS) | 9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) |
21 | 10 | ||
22 | clean:; rm -f *.o faudit | 11 | clean:; rm -f *.o faudit *.gcov *.gcda *.gcno |
23 | 12 | ||
24 | distclean: clean | 13 | distclean: clean |
25 | rm -fr Makefile | 14 | rm -fr Makefile |
diff --git a/src/fbuilder/Makefile.in b/src/fbuilder/Makefile.in index dd8e2ce6e..7a606c872 100644 --- a/src/fbuilder/Makefile.in +++ b/src/fbuilder/Makefile.in | |||
@@ -1,40 +1,9 @@ | |||
1 | all: fbuilder | 1 | all: fbuilder |
2 | 2 | ||
3 | CC=@CC@ | 3 | include ../common.mk |
4 | prefix=@prefix@ | ||
5 | exec_prefix=@exec_prefix@ | ||
6 | libdir=@libdir@ | ||
7 | sysconfdir=@sysconfdir@ | ||
8 | |||
9 | VERSION=@PACKAGE_VERSION@ | ||
10 | NAME=@PACKAGE_NAME@ | ||
11 | HAVE_SECCOMP_H=@HAVE_SECCOMP_H@ | ||
12 | HAVE_SECCOMP=@HAVE_SECCOMP@ | ||
13 | HAVE_CHROOT=@HAVE_CHROOT@ | ||
14 | HAVE_BIND=@HAVE_BIND@ | ||
15 | HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ | ||
16 | HAVE_NETWORK=@HAVE_NETWORK@ | ||
17 | HAVE_USERNS=@HAVE_USERNS@ | ||
18 | HAVE_X11=@HAVE_X11@ | ||
19 | HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ | ||
20 | HAVE_WHITELIST=@HAVE_WHITELIST@ | ||
21 | HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ | ||
22 | HAVE_APPARMOR=@HAVE_APPARMOR@ | ||
23 | HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ | ||
24 | HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ | ||
25 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | ||
26 | HAVE_GCOV=@HAVE_GCOV@ | ||
27 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | ||
28 | |||
29 | H_FILE_LIST = $(sort $(wildcard *.[h])) | ||
30 | C_FILE_LIST = $(sort $(wildcard *.c)) | ||
31 | OBJS = $(C_FILE_LIST:.c=.o) | ||
32 | BINOBJS = $(foreach file, $(OBJS), $file) | ||
33 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security | ||
34 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread | ||
35 | 4 | ||
36 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h | 5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h |
37 | $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ | 6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ |
38 | 7 | ||
39 | fbuilder: $(OBJS) | 8 | fbuilder: $(OBJS) |
40 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) | 9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) |
diff --git a/src/fcopy/Makefile.in b/src/fcopy/Makefile.in index ad08f543e..c9e7d87ab 100644 --- a/src/fcopy/Makefile.in +++ b/src/fcopy/Makefile.in | |||
@@ -1,40 +1,9 @@ | |||
1 | all: fcopy | 1 | all: fcopy |
2 | 2 | ||
3 | CC=@CC@ | 3 | include ../common.mk |
4 | prefix=@prefix@ | ||
5 | exec_prefix=@exec_prefix@ | ||
6 | libdir=@libdir@ | ||
7 | sysconfdir=@sysconfdir@ | ||
8 | |||
9 | VERSION=@PACKAGE_VERSION@ | ||
10 | NAME=@PACKAGE_NAME@ | ||
11 | HAVE_SECCOMP_H=@HAVE_SECCOMP_H@ | ||
12 | HAVE_SECCOMP=@HAVE_SECCOMP@ | ||
13 | HAVE_CHROOT=@HAVE_CHROOT@ | ||
14 | HAVE_BIND=@HAVE_BIND@ | ||
15 | HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ | ||
16 | HAVE_NETWORK=@HAVE_NETWORK@ | ||
17 | HAVE_USERNS=@HAVE_USERNS@ | ||
18 | HAVE_X11=@HAVE_X11@ | ||
19 | HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ | ||
20 | HAVE_WHITELIST=@HAVE_WHITELIST@ | ||
21 | HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ | ||
22 | HAVE_APPARMOR=@HAVE_APPARMOR@ | ||
23 | HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ | ||
24 | HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ | ||
25 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | ||
26 | HAVE_GCOV=@HAVE_GCOV@ | ||
27 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | ||
28 | |||
29 | H_FILE_LIST = $(sort $(wildcard *.[h])) | ||
30 | C_FILE_LIST = $(sort $(wildcard *.c)) | ||
31 | OBJS = $(C_FILE_LIST:.c=.o) | ||
32 | BINOBJS = $(foreach file, $(OBJS), $file) | ||
33 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security | ||
34 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread | ||
35 | 4 | ||
36 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h | 5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h |
37 | $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ | 6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ |
38 | 7 | ||
39 | fcopy: $(OBJS) | 8 | fcopy: $(OBJS) |
40 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) | 9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) |
diff --git a/src/firecfg/Makefile.in b/src/firecfg/Makefile.in index 0b2b03275..b6dbb039d 100644 --- a/src/firecfg/Makefile.in +++ b/src/firecfg/Makefile.in | |||
@@ -1,40 +1,14 @@ | |||
1 | all: firecfg | 1 | all: firecfg |
2 | 2 | ||
3 | CC=@CC@ | 3 | include ../common.mk |
4 | prefix=@prefix@ | ||
5 | exec_prefix=@exec_prefix@ | ||
6 | libdir=@libdir@ | ||
7 | sysconfdir=@sysconfdir@ | ||
8 | |||
9 | VERSION=@PACKAGE_VERSION@ | ||
10 | NAME=@PACKAGE_NAME@ | ||
11 | HAVE_SECCOMP_H=@HAVE_SECCOMP_H@ | ||
12 | HAVE_SECCOMP=@HAVE_SECCOMP@ | ||
13 | HAVE_CHROOT=@HAVE_CHROOT@ | ||
14 | HAVE_BIND=@HAVE_BIND@ | ||
15 | HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ | ||
16 | HAVE_NETWORK=@HAVE_NETWORK@ | ||
17 | HAVE_USERNS=@HAVE_USERNS@ | ||
18 | HAVE_X11=@HAVE_X11@ | ||
19 | HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ | ||
20 | HAVE_GCOV=@HAVE_GCOV@ | ||
21 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | ||
22 | |||
23 | |||
24 | H_FILE_LIST = $(sort $(wildcard *.[h])) | ||
25 | C_FILE_LIST = $(sort $(wildcard *.c)) | ||
26 | OBJS = $(C_FILE_LIST:.c=.o) | ||
27 | BINOBJS = $(foreach file, $(OBJS), $file) | ||
28 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security | ||
29 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread | ||
30 | 4 | ||
31 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h | 5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h |
32 | $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ | 6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ |
33 | 7 | ||
34 | firecfg: $(OBJS) ../lib/common.o | 8 | firecfg: $(OBJS) ../lib/common.o |
35 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) | 9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) |
36 | 10 | ||
37 | clean:; rm -f *.o firecfg firecfg.1 firecfg.1.gz *.gcov *.gcda *.gcno | 11 | clean:; rm -f *.o firecfg *.gcov *.gcda *.gcno |
38 | 12 | ||
39 | distclean: clean | 13 | distclean: clean |
40 | rm -fr Makefile | 14 | rm -fr Makefile |
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index e29f95886..1f56e2532 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -16,6 +16,7 @@ VirtualBox | |||
16 | Wire | 16 | Wire |
17 | Xephyr | 17 | Xephyr |
18 | abrowser | 18 | abrowser |
19 | akonadi_control | ||
19 | akregator | 20 | akregator |
20 | amarok | 21 | amarok |
21 | amule | 22 | amule |
@@ -43,6 +44,7 @@ bibletime | |||
43 | bitlbee | 44 | bitlbee |
44 | bleachbit | 45 | bleachbit |
45 | blender | 46 | blender |
47 | blender-2.8 | ||
46 | bless | 48 | bless |
47 | bluefish | 49 | bluefish |
48 | bnox | 50 | bnox |
@@ -108,6 +110,8 @@ eom | |||
108 | epiphany | 110 | epiphany |
109 | etr | 111 | etr |
110 | evince | 112 | evince |
113 | evince-previewer | ||
114 | evince-thumbnailer | ||
111 | evolution | 115 | evolution |
112 | exiftool | 116 | exiftool |
113 | falkon | 117 | falkon |
@@ -130,6 +134,7 @@ freshclam | |||
130 | frozen-bubble | 134 | frozen-bubble |
131 | gajim | 135 | gajim |
132 | galculator | 136 | galculator |
137 | gcloud | ||
133 | geany | 138 | geany |
134 | geary | 139 | geary |
135 | gedit | 140 | gedit |
@@ -150,10 +155,12 @@ gnome-clocks | |||
150 | gnome-contacts | 155 | gnome-contacts |
151 | gnome-documents | 156 | gnome-documents |
152 | gnome-font-viewer | 157 | gnome-font-viewer |
158 | gnome-logs | ||
153 | gnome-maps | 159 | gnome-maps |
154 | gnome-mplayer | 160 | gnome-mplayer |
155 | gnome-music | 161 | gnome-music |
156 | gnome-photos | 162 | gnome-photos |
163 | gnome-recipes | ||
157 | gnome-twitch | 164 | gnome-twitch |
158 | gnome-weather | 165 | gnome-weather |
159 | goobox | 166 | goobox |
@@ -258,6 +265,7 @@ musescore | |||
258 | mutt | 265 | mutt |
259 | natron | 266 | natron |
260 | nautilus | 267 | nautilus |
268 | ncdu | ||
261 | netsurf | 269 | netsurf |
262 | neverball | 270 | neverball |
263 | nheko | 271 | nheko |
@@ -348,6 +356,7 @@ telegram | |||
348 | telegram-desktop | 356 | telegram-desktop |
349 | terasology | 357 | terasology |
350 | thunderbird | 358 | thunderbird |
359 | thunderbird-beta | ||
351 | tilp | 360 | tilp |
352 | tor-browser-ar | 361 | tor-browser-ar |
353 | tor-browser-en | 362 | tor-browser-en |
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in index 01cb929e2..9bd2f9c22 100644 --- a/src/firejail/Makefile.in +++ b/src/firejail/Makefile.in | |||
@@ -1,45 +1,14 @@ | |||
1 | all: firejail | 1 | all: firejail |
2 | 2 | ||
3 | CC=@CC@ | 3 | include ../common.mk |
4 | prefix=@prefix@ | ||
5 | exec_prefix=@exec_prefix@ | ||
6 | libdir=@libdir@ | ||
7 | sysconfdir=@sysconfdir@ | ||
8 | |||
9 | VERSION=@PACKAGE_VERSION@ | ||
10 | NAME=@PACKAGE_NAME@ | ||
11 | HAVE_SECCOMP_H=@HAVE_SECCOMP_H@ | ||
12 | HAVE_SECCOMP=@HAVE_SECCOMP@ | ||
13 | HAVE_CHROOT=@HAVE_CHROOT@ | ||
14 | HAVE_BIND=@HAVE_BIND@ | ||
15 | HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ | ||
16 | HAVE_NETWORK=@HAVE_NETWORK@ | ||
17 | HAVE_USERNS=@HAVE_USERNS@ | ||
18 | HAVE_X11=@HAVE_X11@ | ||
19 | HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ | ||
20 | HAVE_WHITELIST=@HAVE_WHITELIST@ | ||
21 | HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ | ||
22 | HAVE_APPARMOR=@HAVE_APPARMOR@ | ||
23 | HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ | ||
24 | HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ | ||
25 | HAVE_GCOV=@HAVE_GCOV@ | ||
26 | HAVE_GIT_INSTALL=@HAVE_GIT_INSTALL@ | ||
27 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | ||
28 | |||
29 | H_FILE_LIST = $(sort $(wildcard *.[h])) | ||
30 | C_FILE_LIST = $(sort $(wildcard *.c)) | ||
31 | OBJS = $(C_FILE_LIST:.c=.o) | ||
32 | BINOBJS = $(foreach file, $(OBJS), $file) | ||
33 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) $(HAVE_GIT_INSTALL) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security | ||
34 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread | ||
35 | 4 | ||
36 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h | 5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h |
37 | $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ | 6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ |
38 | 7 | ||
39 | firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o | 8 | firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o |
40 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS) | 9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS) |
41 | 10 | ||
42 | clean:; rm -f *.o firejail firejail.1 firejail.1.gz *.gcov *.gcda *.gcno | 11 | clean:; rm -f *.o firejail *.gcov *.gcda *.gcno |
43 | 12 | ||
44 | distclean: clean | 13 | distclean: clean |
45 | rm -fr Makefile | 14 | rm -fr Makefile |
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 0d77c199b..20845270e 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -85,6 +85,15 @@ int checkcfg(int val) { | |||
85 | else | 85 | else |
86 | goto errout; | 86 | goto errout; |
87 | } | 87 | } |
88 | // dbus | ||
89 | else if (strncmp(ptr, "dbus ", 5) == 0) { | ||
90 | if (strcmp(ptr + 5, "yes") == 0) | ||
91 | cfg_val[CFG_DBUS] = 1; | ||
92 | else if (strcmp(ptr + 5, "no") == 0) | ||
93 | cfg_val[CFG_DBUS] = 0; | ||
94 | else | ||
95 | goto errout; | ||
96 | } | ||
88 | // join | 97 | // join |
89 | else if (strncmp(ptr, "join ", 5) == 0) { | 98 | else if (strncmp(ptr, "join ", 5) == 0) { |
90 | if (strcmp(ptr + 5, "yes") == 0) | 99 | if (strcmp(ptr + 5, "yes") == 0) |
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c new file mode 100644 index 000000000..6c122c6d0 --- /dev/null +++ b/src/firejail/dbus.c | |||
@@ -0,0 +1,63 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2018 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "firejail.h" | ||
21 | |||
22 | void dbus_session_disable(void) { | ||
23 | if (!checkcfg(CFG_DBUS)) { | ||
24 | fwarning("D-Bus handling is disabled in Firejail configuration file\n"); | ||
25 | return; | ||
26 | } | ||
27 | |||
28 | char *path; | ||
29 | if (asprintf(&path, "/run/user/%d/bus", getuid()) == -1) | ||
30 | errExit("asprintf"); | ||
31 | char *env_var; | ||
32 | if (asprintf(&env_var, "DBUS_SESSION_BUS_ADDRESS=unix:path=%s", path) == -1) | ||
33 | errExit("asprintf"); | ||
34 | |||
35 | // set a new environment variable: DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/<UID>/bus | ||
36 | if (setenv("DBUS_SESSION_BUS_ADDRESS", env_var, 1) == -1) { | ||
37 | fprintf(stderr, "Error: cannot modify DBUS_SESSION_BUS_ADDRESS required by --nodbus\n"); | ||
38 | exit(1); | ||
39 | } | ||
40 | |||
41 | // blacklist the path | ||
42 | disable_file_or_dir(path); | ||
43 | free(path); | ||
44 | free(env_var); | ||
45 | |||
46 | // look for a possible abstract unix socket | ||
47 | |||
48 | // --net=none | ||
49 | if (arg_nonetwork) | ||
50 | return; | ||
51 | |||
52 | // --net=eth0 | ||
53 | if (any_bridge_configured()) | ||
54 | return; | ||
55 | |||
56 | // --protocol=unix | ||
57 | #ifdef HAVE_SECCOMP | ||
58 | if (cfg.protocol && !strstr(cfg.protocol, "unix")) | ||
59 | return; | ||
60 | #endif | ||
61 | |||
62 | fwarning("An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.\n"); | ||
63 | } | ||
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 5af141289..fdb5745cb 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -382,6 +382,7 @@ extern int arg_noprofile; // use default.profile if none other found/specified | |||
382 | extern int arg_memory_deny_write_execute; // block writable and executable memory | 382 | extern int arg_memory_deny_write_execute; // block writable and executable memory |
383 | extern int arg_notv; // --notv | 383 | extern int arg_notv; // --notv |
384 | extern int arg_nodvd; // --nodvd | 384 | extern int arg_nodvd; // --nodvd |
385 | extern int arg_nodbus; // -nodbus | ||
385 | 386 | ||
386 | extern int login_shell; | 387 | extern int login_shell; |
387 | extern int parent_to_child_fds[2]; | 388 | extern int parent_to_child_fds[2]; |
@@ -520,6 +521,8 @@ void create_empty_file_as_root(const char *dir, mode_t mode); | |||
520 | int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode); | 521 | int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode); |
521 | void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid); | 522 | void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid); |
522 | unsigned extract_timeout(const char *str); | 523 | unsigned extract_timeout(const char *str); |
524 | void disable_file_or_dir(const char *fname); | ||
525 | void disable_file_path(const char *path, const char *file); | ||
523 | 526 | ||
524 | // fs_var.c | 527 | // fs_var.c |
525 | void fs_var_log(void); // mounting /var/log | 528 | void fs_var_log(void); // mounting /var/log |
@@ -741,6 +744,7 @@ enum { | |||
741 | CFG_XPRA_ATTACH, | 744 | CFG_XPRA_ATTACH, |
742 | CFG_PRIVATE_LIB, | 745 | CFG_PRIVATE_LIB, |
743 | CFG_APPARMOR, | 746 | CFG_APPARMOR, |
747 | CFG_DBUS, | ||
744 | CFG_MAX // this should always be the last entry | 748 | CFG_MAX // this should always be the last entry |
745 | }; | 749 | }; |
746 | extern char *xephyr_screen; | 750 | extern char *xephyr_screen; |
@@ -800,4 +804,7 @@ void set_name_run_file(pid_t pid); | |||
800 | void set_x11_run_file(pid_t pid, int display); | 804 | void set_x11_run_file(pid_t pid, int display); |
801 | void set_profile_run_file(pid_t pid, const char *fname); | 805 | void set_profile_run_file(pid_t pid, const char *fname); |
802 | 806 | ||
807 | // dbus.c | ||
808 | void dbus_session_disable(void); | ||
809 | |||
803 | #endif | 810 | #endif |
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index 6eac78d96..152ddf5f7 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c | |||
@@ -297,26 +297,6 @@ void fs_private_dev(void){ | |||
297 | } | 297 | } |
298 | } | 298 | } |
299 | 299 | ||
300 | |||
301 | |||
302 | static void disable_file_or_dir(const char *fname) { | ||
303 | if (arg_debug) | ||
304 | printf("disable %s\n", fname); | ||
305 | struct stat s; | ||
306 | if (stat(fname, &s) != -1) { | ||
307 | if (is_dir(fname)) { | ||
308 | if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0) | ||
309 | errExit("disable directory"); | ||
310 | } | ||
311 | else { | ||
312 | if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0) | ||
313 | errExit("disable file"); | ||
314 | } | ||
315 | } | ||
316 | fs_logger2("blacklist", fname); | ||
317 | |||
318 | } | ||
319 | |||
320 | void fs_dev_disable_sound(void) { | 300 | void fs_dev_disable_sound(void) { |
321 | unsigned i = 0; | 301 | unsigned i = 0; |
322 | while (dev[i].dev_fname != NULL) { | 302 | while (dev[i].dev_fname != NULL) { |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 38db165e8..6dc19abdd 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -120,6 +120,7 @@ int arg_noprofile = 0; // use default.profile if none other found/specified | |||
120 | int arg_memory_deny_write_execute = 0; // block writable and executable memory | 120 | int arg_memory_deny_write_execute = 0; // block writable and executable memory |
121 | int arg_notv = 0; // --notv | 121 | int arg_notv = 0; // --notv |
122 | int arg_nodvd = 0; // --nodvd | 122 | int arg_nodvd = 0; // --nodvd |
123 | int arg_nodbus = 0; // -nodbus | ||
123 | int login_shell = 0; | 124 | int login_shell = 0; |
124 | 125 | ||
125 | 126 | ||
@@ -1111,7 +1112,7 @@ int main(int argc, char **argv) { | |||
1111 | else if (strncmp(argv[i], "--protocol=", 11) == 0) { | 1112 | else if (strncmp(argv[i], "--protocol=", 11) == 0) { |
1112 | if (checkcfg(CFG_SECCOMP)) { | 1113 | if (checkcfg(CFG_SECCOMP)) { |
1113 | if (cfg.protocol) { | 1114 | if (cfg.protocol) { |
1114 | fwarning("a protocol list is present, the new list \"%s\" will not be installed\n", argv[i] + 11); | 1115 | fwarning("two protocol lists are present, \"%s\" will be installed\n", cfg.protocol); |
1115 | } | 1116 | } |
1116 | else { | 1117 | else { |
1117 | // store list | 1118 | // store list |
@@ -1734,6 +1735,8 @@ int main(int argc, char **argv) { | |||
1734 | arg_notv = 1; | 1735 | arg_notv = 1; |
1735 | else if (strcmp(argv[i], "--nodvd") == 0) | 1736 | else if (strcmp(argv[i], "--nodvd") == 0) |
1736 | arg_nodvd = 1; | 1737 | arg_nodvd = 1; |
1738 | else if (strcmp(argv[i], "--nodbus") == 0) | ||
1739 | arg_nodbus = 1; | ||
1737 | 1740 | ||
1738 | //************************************* | 1741 | //************************************* |
1739 | // network | 1742 | // network |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 5566b9860..2cb91964a 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -249,6 +249,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
249 | arg_no3d = 1; | 249 | arg_no3d = 1; |
250 | return 0; | 250 | return 0; |
251 | } | 251 | } |
252 | else if (strcmp(ptr, "nodbus") == 0) { | ||
253 | arg_nodbus = 1; | ||
254 | return 0; | ||
255 | } | ||
252 | else if (strcmp(ptr, "allow-private-blacklist") == 0) { | 256 | else if (strcmp(ptr, "allow-private-blacklist") == 0) { |
253 | fmessage("--allow-private-blacklist was deprecated\n"); | 257 | fmessage("--allow-private-blacklist was deprecated\n"); |
254 | return 0; | 258 | return 0; |
@@ -549,7 +553,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
549 | #ifdef HAVE_SECCOMP | 553 | #ifdef HAVE_SECCOMP |
550 | if (checkcfg(CFG_SECCOMP)) { | 554 | if (checkcfg(CFG_SECCOMP)) { |
551 | if (cfg.protocol) { | 555 | if (cfg.protocol) { |
552 | fwarning("a protocol list is present, the new list \"%s\" will not be installed\n", ptr + 9); | 556 | fwarning("two protocol lists are present, \"%s\" will be installed\n", cfg.protocol); |
553 | return 0; | 557 | return 0; |
554 | } | 558 | } |
555 | 559 | ||
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index ef674fb4a..9109a6865 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c | |||
@@ -24,52 +24,24 @@ | |||
24 | #include <dirent.h> | 24 | #include <dirent.h> |
25 | #include <sys/wait.h> | 25 | #include <sys/wait.h> |
26 | 26 | ||
27 | static void disable_file(const char *path, const char *file) { | ||
28 | assert(file); | ||
29 | assert(path); | ||
30 | |||
31 | struct stat s; | ||
32 | char *fname; | ||
33 | if (asprintf(&fname, "%s/%s", path, file) == -1) | ||
34 | errExit("asprintf"); | ||
35 | if (stat(fname, &s) == -1) | ||
36 | goto doexit; | ||
37 | |||
38 | if (arg_debug) | ||
39 | printf("Disable%s\n", fname); | ||
40 | |||
41 | if (S_ISDIR(s.st_mode)) { | ||
42 | if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0) | ||
43 | errExit("disable file"); | ||
44 | } | ||
45 | else { | ||
46 | if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0) | ||
47 | errExit("disable file"); | ||
48 | } | ||
49 | fs_logger2("blacklist", fname); | ||
50 | |||
51 | doexit: | ||
52 | free(fname); | ||
53 | } | ||
54 | |||
55 | // disable pulseaudio socket | 27 | // disable pulseaudio socket |
56 | void pulseaudio_disable(void) { | 28 | void pulseaudio_disable(void) { |
57 | if (arg_debug) | 29 | if (arg_debug) |
58 | printf("disable pulseaudio\n"); | 30 | printf("disable pulseaudio\n"); |
59 | // blacklist user config directory | 31 | // blacklist user config directory |
60 | disable_file(cfg.homedir, ".config/pulse"); | 32 | disable_file_path(cfg.homedir, ".config/pulse"); |
61 | 33 | ||
62 | 34 | ||
63 | // blacklist pulseaudio socket in XDG_RUNTIME_DIR | 35 | // blacklist pulseaudio socket in XDG_RUNTIME_DIR |
64 | char *name = getenv("XDG_RUNTIME_DIR"); | 36 | char *name = getenv("XDG_RUNTIME_DIR"); |
65 | if (name) | 37 | if (name) |
66 | disable_file(name, "pulse/native"); | 38 | disable_file_path(name, "pulse/native"); |
67 | 39 | ||
68 | // try the default location anyway | 40 | // try the default location anyway |
69 | char *path; | 41 | char *path; |
70 | if (asprintf(&path, "/run/user/%d", getuid()) == -1) | 42 | if (asprintf(&path, "/run/user/%d", getuid()) == -1) |
71 | errExit("asprintf"); | 43 | errExit("asprintf"); |
72 | disable_file(path, "pulse/native"); | 44 | disable_file_path(path, "pulse/native"); |
73 | free(path); | 45 | free(path); |
74 | 46 | ||
75 | 47 | ||
@@ -87,12 +59,11 @@ void pulseaudio_disable(void) { | |||
87 | struct dirent *entry; | 59 | struct dirent *entry; |
88 | while ((entry = readdir(dir))) { | 60 | while ((entry = readdir(dir))) { |
89 | if (strncmp(entry->d_name, "pulse-", 6) == 0) { | 61 | if (strncmp(entry->d_name, "pulse-", 6) == 0) { |
90 | disable_file("/tmp", entry->d_name); | 62 | disable_file_path("/tmp", entry->d_name); |
91 | } | 63 | } |
92 | } | 64 | } |
93 | 65 | ||
94 | closedir(dir); | 66 | closedir(dir); |
95 | |||
96 | } | 67 | } |
97 | 68 | ||
98 | 69 | ||
diff --git a/src/firejail/run_files.c b/src/firejail/run_files.c index 57a0e19df..361ad1414 100644 --- a/src/firejail/run_files.c +++ b/src/firejail/run_files.c | |||
@@ -20,6 +20,7 @@ | |||
20 | 20 | ||
21 | #include "firejail.h" | 21 | #include "firejail.h" |
22 | #include "../include/pid.h" | 22 | #include "../include/pid.h" |
23 | #define BUFLEN 4096 | ||
23 | 24 | ||
24 | static void delete_x11_run_file(pid_t pid) { | 25 | static void delete_x11_run_file(pid_t pid) { |
25 | char *fname; | 26 | char *fname; |
@@ -74,7 +75,36 @@ void delete_run_files(pid_t pid) { | |||
74 | delete_profile_run_file(pid); | 75 | delete_profile_run_file(pid); |
75 | } | 76 | } |
76 | 77 | ||
78 | static char *newname(char *name) { | ||
79 | char *rv; | ||
80 | pid_t pid; | ||
81 | |||
82 | // try the name | ||
83 | if (name2pid(name, &pid)) | ||
84 | return name; | ||
85 | |||
86 | // try name-1 to 9 | ||
87 | int i; | ||
88 | for (i = 1; i < 10; i++) { | ||
89 | if (asprintf(&rv, "%s-%d", name, i) == -1) | ||
90 | errExit("asprintf"); | ||
91 | if (name2pid(rv, &pid)) { | ||
92 | fwarning("Sandbox name changed to %s\n", rv); | ||
93 | return rv; | ||
94 | } | ||
95 | free(rv); | ||
96 | } | ||
97 | |||
98 | // return name-pid | ||
99 | if (asprintf(&rv, "%s-%d", name, getpid()) == -1) | ||
100 | errExit("asprintf"); | ||
101 | return rv; | ||
102 | } | ||
103 | |||
104 | |||
77 | void set_name_run_file(pid_t pid) { | 105 | void set_name_run_file(pid_t pid) { |
106 | cfg.name = newname(cfg.name); | ||
107 | |||
78 | char *fname; | 108 | char *fname; |
79 | if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, pid) == -1) | 109 | if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, pid) == -1) |
80 | errExit("asprintf"); | 110 | errExit("asprintf"); |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 96b7b267b..75dbc976d 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -838,6 +838,13 @@ int sandbox(void* sandbox_arg) { | |||
838 | } | 838 | } |
839 | 839 | ||
840 | //**************************** | 840 | //**************************** |
841 | // Session D-BUS | ||
842 | //**************************** | ||
843 | if (arg_nodbus) | ||
844 | dbus_session_disable(); | ||
845 | |||
846 | |||
847 | //**************************** | ||
841 | // hosts and hostname | 848 | // hosts and hostname |
842 | //**************************** | 849 | //**************************** |
843 | if (cfg.hostname) | 850 | if (cfg.hostname) |
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 15b548d20..d0292f524 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -132,7 +132,9 @@ void usage(void) { | |||
132 | #endif | 132 | #endif |
133 | printf(" --nice=value - set nice value.\n"); | 133 | printf(" --nice=value - set nice value.\n"); |
134 | printf(" --no3d - disable 3D hardware acceleration.\n"); | 134 | printf(" --no3d - disable 3D hardware acceleration.\n"); |
135 | printf(" --noblacklist=filename - disable blacklist for file or directory .\n"); | 135 | printf(" --noblacklist=filename - disable blacklist for file or directory.\n"); |
136 | printf(" --nodbus - disable D-Bus access.\n"); | ||
137 | printf(" --nodvd - disable DVD and audio CD devices.\n"); | ||
136 | printf(" --noexec=filename - remount the file or directory noexec nosuid and nodev.\n"); | 138 | printf(" --noexec=filename - remount the file or directory noexec nosuid and nodev.\n"); |
137 | printf(" --nogroups - disable supplementary groups.\n"); | 139 | printf(" --nogroups - disable supplementary groups.\n"); |
138 | printf(" --nonewprivs - sets the NO_NEW_PRIVS prctl.\n"); | 140 | printf(" --nonewprivs - sets the NO_NEW_PRIVS prctl.\n"); |
diff --git a/src/firejail/util.c b/src/firejail/util.c index 0adca5e33..c644f83a8 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -21,6 +21,7 @@ | |||
21 | #include "firejail.h" | 21 | #include "firejail.h" |
22 | #include <ftw.h> | 22 | #include <ftw.h> |
23 | #include <sys/stat.h> | 23 | #include <sys/stat.h> |
24 | #include <sys/mount.h> | ||
24 | #include <fcntl.h> | 25 | #include <fcntl.h> |
25 | #include <syslog.h> | 26 | #include <syslog.h> |
26 | #include <errno.h> | 27 | #include <errno.h> |
@@ -964,3 +965,33 @@ unsigned extract_timeout(const char *str) { | |||
964 | 965 | ||
965 | return h * 3600 + m * 60 + s; | 966 | return h * 3600 + m * 60 + s; |
966 | } | 967 | } |
968 | |||
969 | void disable_file_or_dir(const char *fname) { | ||
970 | if (arg_debug) | ||
971 | printf("blacklist %s\n", fname); | ||
972 | struct stat s; | ||
973 | if (stat(fname, &s) != -1) { | ||
974 | if (is_dir(fname)) { | ||
975 | if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0) | ||
976 | errExit("disable directory"); | ||
977 | } | ||
978 | else { | ||
979 | if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0) | ||
980 | errExit("disable file"); | ||
981 | } | ||
982 | } | ||
983 | fs_logger2("blacklist", fname); | ||
984 | } | ||
985 | |||
986 | void disable_file_path(const char *path, const char *file) { | ||
987 | assert(file); | ||
988 | assert(path); | ||
989 | |||
990 | char *fname; | ||
991 | if (asprintf(&fname, "%s/%s", path, file) == -1) | ||
992 | errExit("asprintf"); | ||
993 | |||
994 | disable_file_or_dir(fname); | ||
995 | free(fname); | ||
996 | } | ||
997 | |||
diff --git a/src/firemon/Makefile.in b/src/firemon/Makefile.in index 326c305d9..d3ffe5d3f 100644 --- a/src/firemon/Makefile.in +++ b/src/firemon/Makefile.in | |||
@@ -1,26 +1,9 @@ | |||
1 | all: firemon | 1 | all: firemon |
2 | 2 | ||
3 | CC=@CC@ | 3 | include ../common.mk |
4 | prefix=@prefix@ | ||
5 | VERSION=@PACKAGE_VERSION@ | ||
6 | NAME=@PACKAGE_NAME@ | ||
7 | HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ | ||
8 | HAVE_GCOV=@HAVE_GCOV@ | ||
9 | HAVE_APPARMOR=@HAVE_APPARMOR@ | ||
10 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | ||
11 | |||
12 | H_FILE_LIST = $(sort $(wildcard *.[h])) | ||
13 | C_FILE_LIST = $(sort $(wildcard *.c)) | ||
14 | OBJS = $(C_FILE_LIST:.c=.o) | ||
15 | BINOBJS = $(foreach file, $(OBJS), $file) | ||
16 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' $(HAVE_APPARMOR) $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security | ||
17 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now | ||
18 | HAVE_GCOV=@HAVE_GCOV@ | ||
19 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | ||
20 | |||
21 | 4 | ||
22 | %.o : %.c $(H_FILE_LIST) | 5 | %.o : %.c $(H_FILE_LIST) |
23 | $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ | 6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ |
24 | 7 | ||
25 | firemon: $(OBJS) ../lib/common.o ../lib/pid.o | 8 | firemon: $(OBJS) ../lib/common.o ../lib/pid.o |
26 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS) | 9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS) |
diff --git a/src/fldd/Makefile.in b/src/fldd/Makefile.in index e2bf4b787..5af37cfbd 100644 --- a/src/fldd/Makefile.in +++ b/src/fldd/Makefile.in | |||
@@ -1,40 +1,9 @@ | |||
1 | all: fldd | 1 | all: fldd |
2 | 2 | ||
3 | CC=@CC@ | 3 | include ../common.mk |
4 | prefix=@prefix@ | ||
5 | exec_prefix=@exec_prefix@ | ||
6 | libdir=@libdir@ | ||
7 | sysconfdir=@sysconfdir@ | ||
8 | |||
9 | VERSION=@PACKAGE_VERSION@ | ||
10 | NAME=@PACKAGE_NAME@ | ||
11 | HAVE_SECCOMP_H=@HAVE_SECCOMP_H@ | ||
12 | HAVE_SECCOMP=@HAVE_SECCOMP@ | ||
13 | HAVE_CHROOT=@HAVE_CHROOT@ | ||
14 | HAVE_BIND=@HAVE_BIND@ | ||
15 | HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ | ||
16 | HAVE_NETWORK=@HAVE_NETWORK@ | ||
17 | HAVE_USERNS=@HAVE_USERNS@ | ||
18 | HAVE_X11=@HAVE_X11@ | ||
19 | HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ | ||
20 | HAVE_WHITELIST=@HAVE_WHITELIST@ | ||
21 | HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ | ||
22 | HAVE_APPARMOR=@HAVE_APPARMOR@ | ||
23 | HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ | ||
24 | HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ | ||
25 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | ||
26 | HAVE_GCOV=@HAVE_GCOV@ | ||
27 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | ||
28 | |||
29 | H_FILE_LIST = $(sort $(wildcard *.[h])) | ||
30 | C_FILE_LIST = $(sort $(wildcard *.c)) | ||
31 | OBJS = $(C_FILE_LIST:.c=.o) | ||
32 | BINOBJS = $(foreach file, $(OBJS), $file) | ||
33 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security | ||
34 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread | ||
35 | 4 | ||
36 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h ../include/ldd_utils.h | 5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h ../include/ldd_utils.h |
37 | $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ | 6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ |
38 | 7 | ||
39 | fldd: $(OBJS) ../lib/ldd_utils.o | 8 | fldd: $(OBJS) ../lib/ldd_utils.o |
40 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS) | 9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS) |
diff --git a/src/fnet/Makefile.in b/src/fnet/Makefile.in index 3288e6354..06b3981a9 100644 --- a/src/fnet/Makefile.in +++ b/src/fnet/Makefile.in | |||
@@ -1,40 +1,9 @@ | |||
1 | all: fnet | 1 | all: fnet |
2 | 2 | ||
3 | CC=@CC@ | 3 | include ../common.mk |
4 | prefix=@prefix@ | ||
5 | exec_prefix=@exec_prefix@ | ||
6 | libdir=@libdir@ | ||
7 | sysconfdir=@sysconfdir@ | ||
8 | |||
9 | VERSION=@PACKAGE_VERSION@ | ||
10 | NAME=@PACKAGE_NAME@ | ||
11 | HAVE_SECCOMP_H=@HAVE_SECCOMP_H@ | ||
12 | HAVE_SECCOMP=@HAVE_SECCOMP@ | ||
13 | HAVE_CHROOT=@HAVE_CHROOT@ | ||
14 | HAVE_BIND=@HAVE_BIND@ | ||
15 | HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ | ||
16 | HAVE_NETWORK=@HAVE_NETWORK@ | ||
17 | HAVE_USERNS=@HAVE_USERNS@ | ||
18 | HAVE_X11=@HAVE_X11@ | ||
19 | HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ | ||
20 | HAVE_WHITELIST=@HAVE_WHITELIST@ | ||
21 | HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ | ||
22 | HAVE_APPARMOR=@HAVE_APPARMOR@ | ||
23 | HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ | ||
24 | HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ | ||
25 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | ||
26 | HAVE_GCOV=@HAVE_GCOV@ | ||
27 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | ||
28 | |||
29 | H_FILE_LIST = $(sort $(wildcard *.[h])) | ||
30 | C_FILE_LIST = $(sort $(wildcard *.c)) | ||
31 | OBJS = $(C_FILE_LIST:.c=.o) | ||
32 | BINOBJS = $(foreach file, $(OBJS), $file) | ||
33 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security | ||
34 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread | ||
35 | 4 | ||
36 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h | 5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h |
37 | $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ | 6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ |
38 | 7 | ||
39 | fnet: $(OBJS) ../lib/libnetlink.o | 8 | fnet: $(OBJS) ../lib/libnetlink.o |
40 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS) | 9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS) |
diff --git a/src/fnetfilter/Makefile.in b/src/fnetfilter/Makefile.in index 1063737e1..2e263cc2b 100644 --- a/src/fnetfilter/Makefile.in +++ b/src/fnetfilter/Makefile.in | |||
@@ -1,40 +1,9 @@ | |||
1 | all: fnetfilter | 1 | all: fnetfilter |
2 | 2 | ||
3 | CC=@CC@ | 3 | include ../common.mk |
4 | prefix=@prefix@ | ||
5 | exec_prefix=@exec_prefix@ | ||
6 | libdir=@libdir@ | ||
7 | sysconfdir=@sysconfdir@ | ||
8 | |||
9 | VERSION=@PACKAGE_VERSION@ | ||
10 | NAME=@PACKAGE_NAME@ | ||
11 | HAVE_SECCOMP_H=@HAVE_SECCOMP_H@ | ||
12 | HAVE_SECCOMP=@HAVE_SECCOMP@ | ||
13 | HAVE_CHROOT=@HAVE_CHROOT@ | ||
14 | HAVE_BIND=@HAVE_BIND@ | ||
15 | HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ | ||
16 | HAVE_NETWORK=@HAVE_NETWORK@ | ||
17 | HAVE_USERNS=@HAVE_USERNS@ | ||
18 | HAVE_X11=@HAVE_X11@ | ||
19 | HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ | ||
20 | HAVE_WHITELIST=@HAVE_WHITELIST@ | ||
21 | HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ | ||
22 | HAVE_APPARMOR=@HAVE_APPARMOR@ | ||
23 | HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ | ||
24 | HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ | ||
25 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | ||
26 | HAVE_GCOV=@HAVE_GCOV@ | ||
27 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | ||
28 | |||
29 | H_FILE_LIST = $(sort $(wildcard *.[h])) | ||
30 | C_FILE_LIST = $(sort $(wildcard *.c)) | ||
31 | OBJS = $(C_FILE_LIST:.c=.o) | ||
32 | BINOBJS = $(foreach file, $(OBJS), $file) | ||
33 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security | ||
34 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread | ||
35 | 4 | ||
36 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h | 5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h |
37 | $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ | 6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ |
38 | 7 | ||
39 | fnetfilter: $(OBJS) | 8 | fnetfilter: $(OBJS) |
40 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) | 9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) |
diff --git a/src/fsec-optimize/Makefile.in b/src/fsec-optimize/Makefile.in index 6ddbfc075..e5e14a6a6 100644 --- a/src/fsec-optimize/Makefile.in +++ b/src/fsec-optimize/Makefile.in | |||
@@ -1,40 +1,9 @@ | |||
1 | all: fsec-optimize | 1 | all: fsec-optimize |
2 | 2 | ||
3 | CC=@CC@ | 3 | include ../common.mk |
4 | prefix=@prefix@ | ||
5 | exec_prefix=@exec_prefix@ | ||
6 | libdir=@libdir@ | ||
7 | sysconfdir=@sysconfdir@ | ||
8 | |||
9 | VERSION=@PACKAGE_VERSION@ | ||
10 | NAME=@PACKAGE_NAME@ | ||
11 | HAVE_SECCOMP_H=@HAVE_SECCOMP_H@ | ||
12 | HAVE_SECCOMP=@HAVE_SECCOMP@ | ||
13 | HAVE_CHROOT=@HAVE_CHROOT@ | ||
14 | HAVE_BIND=@HAVE_BIND@ | ||
15 | HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ | ||
16 | HAVE_NETWORK=@HAVE_NETWORK@ | ||
17 | HAVE_USERNS=@HAVE_USERNS@ | ||
18 | HAVE_X11=@HAVE_X11@ | ||
19 | HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ | ||
20 | HAVE_WHITELIST=@HAVE_WHITELIST@ | ||
21 | HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ | ||
22 | HAVE_APPARMOR=@HAVE_APPARMOR@ | ||
23 | HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ | ||
24 | HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ | ||
25 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | ||
26 | HAVE_GCOV=@HAVE_GCOV@ | ||
27 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | ||
28 | |||
29 | H_FILE_LIST = $(sort $(wildcard *.[h])) | ||
30 | C_FILE_LIST = $(sort $(wildcard *.c)) | ||
31 | OBJS = $(C_FILE_LIST:.c=.o) | ||
32 | BINOBJS = $(foreach file, $(OBJS), $file) | ||
33 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security | ||
34 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread | ||
35 | 4 | ||
36 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h | 5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h |
37 | $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ | 6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ |
38 | 7 | ||
39 | fsec-optimize: $(OBJS) ../lib/libnetlink.o | 8 | fsec-optimize: $(OBJS) ../lib/libnetlink.o |
40 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) | 9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) |
diff --git a/src/fsec-print/Makefile.in b/src/fsec-print/Makefile.in index 5d23382f7..3db4406f4 100644 --- a/src/fsec-print/Makefile.in +++ b/src/fsec-print/Makefile.in | |||
@@ -1,40 +1,9 @@ | |||
1 | all: fsec-print | 1 | all: fsec-print |
2 | 2 | ||
3 | CC=@CC@ | 3 | include ../common.mk |
4 | prefix=@prefix@ | ||
5 | exec_prefix=@exec_prefix@ | ||
6 | libdir=@libdir@ | ||
7 | sysconfdir=@sysconfdir@ | ||
8 | |||
9 | VERSION=@PACKAGE_VERSION@ | ||
10 | NAME=@PACKAGE_NAME@ | ||
11 | HAVE_SECCOMP_H=@HAVE_SECCOMP_H@ | ||
12 | HAVE_SECCOMP=@HAVE_SECCOMP@ | ||
13 | HAVE_CHROOT=@HAVE_CHROOT@ | ||
14 | HAVE_BIND=@HAVE_BIND@ | ||
15 | HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ | ||
16 | HAVE_NETWORK=@HAVE_NETWORK@ | ||
17 | HAVE_USERNS=@HAVE_USERNS@ | ||
18 | HAVE_X11=@HAVE_X11@ | ||
19 | HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ | ||
20 | HAVE_WHITELIST=@HAVE_WHITELIST@ | ||
21 | HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ | ||
22 | HAVE_APPARMOR=@HAVE_APPARMOR@ | ||
23 | HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ | ||
24 | HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ | ||
25 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | ||
26 | HAVE_GCOV=@HAVE_GCOV@ | ||
27 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | ||
28 | |||
29 | H_FILE_LIST = $(sort $(wildcard *.[h])) | ||
30 | C_FILE_LIST = $(sort $(wildcard *.c)) | ||
31 | OBJS = $(C_FILE_LIST:.c=.o) | ||
32 | BINOBJS = $(foreach file, $(OBJS), $file) | ||
33 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security | ||
34 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread | ||
35 | 4 | ||
36 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h | 5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h |
37 | $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ | 6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ |
38 | 7 | ||
39 | fsec-print: $(OBJS) ../lib/libnetlink.o | 8 | fsec-print: $(OBJS) ../lib/libnetlink.o |
40 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) | 9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) |
diff --git a/src/fsec-print/print.c b/src/fsec-print/print.c index e3b53c44c..faf59aa35 100644 --- a/src/fsec-print/print.c +++ b/src/fsec-print/print.c | |||
@@ -269,7 +269,7 @@ static void bpf_decode_args(const struct sock_filter *bpf, unsigned int line) { | |||
269 | native_arch = (ARCH_NR == ARCH_64)? 1: 0; | 269 | native_arch = (ARCH_NR == ARCH_64)? 1: 0; |
270 | } | 270 | } |
271 | else if (bpf->k == X32_SYSCALL_BIT) | 271 | else if (bpf->k == X32_SYSCALL_BIT) |
272 | printf("X32_ABI true:%.4x (false %.4x)", | 272 | printf("X32_ABI %.4x (false %.4x)", |
273 | (line + 1) + bpf->jt, | 273 | (line + 1) + bpf->jt, |
274 | (line + 1) + bpf->jf); | 274 | (line + 1) + bpf->jf); |
275 | else if (name) | 275 | else if (name) |
diff --git a/src/fseccomp/Makefile.in b/src/fseccomp/Makefile.in index df4343d36..2c99096bb 100644 --- a/src/fseccomp/Makefile.in +++ b/src/fseccomp/Makefile.in | |||
@@ -1,40 +1,9 @@ | |||
1 | all: fseccomp | 1 | all: fseccomp |
2 | 2 | ||
3 | CC=@CC@ | 3 | include ../common.mk |
4 | prefix=@prefix@ | ||
5 | exec_prefix=@exec_prefix@ | ||
6 | libdir=@libdir@ | ||
7 | sysconfdir=@sysconfdir@ | ||
8 | |||
9 | VERSION=@PACKAGE_VERSION@ | ||
10 | NAME=@PACKAGE_NAME@ | ||
11 | HAVE_SECCOMP_H=@HAVE_SECCOMP_H@ | ||
12 | HAVE_SECCOMP=@HAVE_SECCOMP@ | ||
13 | HAVE_CHROOT=@HAVE_CHROOT@ | ||
14 | HAVE_BIND=@HAVE_BIND@ | ||
15 | HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ | ||
16 | HAVE_NETWORK=@HAVE_NETWORK@ | ||
17 | HAVE_USERNS=@HAVE_USERNS@ | ||
18 | HAVE_X11=@HAVE_X11@ | ||
19 | HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ | ||
20 | HAVE_WHITELIST=@HAVE_WHITELIST@ | ||
21 | HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ | ||
22 | HAVE_APPARMOR=@HAVE_APPARMOR@ | ||
23 | HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ | ||
24 | HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ | ||
25 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | ||
26 | HAVE_GCOV=@HAVE_GCOV@ | ||
27 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | ||
28 | |||
29 | H_FILE_LIST = $(sort $(wildcard *.[h])) | ||
30 | C_FILE_LIST = $(sort $(wildcard *.c)) | ||
31 | OBJS = $(C_FILE_LIST:.c=.o) | ||
32 | BINOBJS = $(foreach file, $(OBJS), $file) | ||
33 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security | ||
34 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread | ||
35 | 4 | ||
36 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h | 5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h |
37 | $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ | 6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ |
38 | 7 | ||
39 | fseccomp: $(OBJS) | 8 | fseccomp: $(OBJS) |
40 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) | 9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) |
diff --git a/src/ftee/Makefile.in b/src/ftee/Makefile.in index fd39f0cb7..d3b92362c 100644 --- a/src/ftee/Makefile.in +++ b/src/ftee/Makefile.in | |||
@@ -1,25 +1,12 @@ | |||
1 | all: ftee | 1 | all: ftee |
2 | 2 | ||
3 | CC=@CC@ | 3 | include ../common.mk |
4 | PREFIX=@prefix@ | ||
5 | VERSION=@PACKAGE_VERSION@ | ||
6 | NAME=@PACKAGE_NAME@ | ||
7 | HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ | ||
8 | HAVE_GCOV=@HAVE_GCOV@ | ||
9 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | ||
10 | |||
11 | H_FILE_LIST = $(sort $(wildcard *.[h])) | ||
12 | C_FILE_LIST = $(sort $(wildcard *.c)) | ||
13 | OBJS = $(C_FILE_LIST:.c=.o) | ||
14 | BINOBJS = $(foreach file, $(OBJS), $file) | ||
15 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(PREFIX)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security | ||
16 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread | ||
17 | 4 | ||
18 | %.o : %.c $(H_FILE_LIST) | 5 | %.o : %.c $(H_FILE_LIST) |
19 | $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ | 6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ |
20 | 7 | ||
21 | ftee: $(OBJS) | 8 | ftee: $(OBJS) |
22 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(EXTRA_LDFLAGS) | 9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) |
23 | 10 | ||
24 | clean:; rm -f *.o ftee *.gcov *.gcda *.gcno | 11 | clean:; rm -f *.o ftee *.gcov *.gcda *.gcno |
25 | 12 | ||
diff --git a/src/lib/Makefile.in b/src/lib/Makefile.in index a49e56ad2..a744b8d80 100644 --- a/src/lib/Makefile.in +++ b/src/lib/Makefile.in | |||
@@ -1,22 +1,9 @@ | |||
1 | CC=@CC@ | 1 | include ../common.mk |
2 | PREFIX=@prefix@ | ||
3 | VERSION=@PACKAGE_VERSION@ | ||
4 | NAME=@PACKAGE_NAME@ | ||
5 | HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ | ||
6 | HAVE_GCOV=@HAVE_GCOV@ | ||
7 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | ||
8 | |||
9 | H_FILE_LIST = $(sort $(wildcard *.[h])) | ||
10 | C_FILE_LIST = $(sort $(wildcard *.c)) | ||
11 | OBJS = $(C_FILE_LIST:.c=.o) | ||
12 | BINOBJS = $(foreach file, $(OBJS), $file) | ||
13 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DLIBDIR='"$(libdir)"' $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security | ||
14 | LDFLAGS:=-pic -Wl,-z,relro -Wl,-z,now | ||
15 | 2 | ||
16 | all: $(OBJS) | 3 | all: $(OBJS) |
17 | 4 | ||
18 | %.o : %.c $(H_FILE_LIST) | 5 | %.o : %.c $(H_FILE_LIST) |
19 | $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ | 6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ |
20 | 7 | ||
21 | clean:; rm -f $(OBJS) *.gcov *.gcda *.gcno | 8 | clean:; rm -f $(OBJS) *.gcov *.gcda *.gcno |
22 | 9 | ||
diff --git a/src/lib/pid.c b/src/lib/pid.c index f138efc8c..3c804716d 100644 --- a/src/lib/pid.c +++ b/src/lib/pid.c | |||
@@ -188,10 +188,11 @@ static void print_elem(unsigned index, int nowrap) { | |||
188 | uid_t uid = pids[index].uid; | 188 | uid_t uid = pids[index].uid; |
189 | char *cmd = pid_proc_cmdline(index); | 189 | char *cmd = pid_proc_cmdline(index); |
190 | char *user = pid_get_user_name(uid); | 190 | char *user = pid_get_user_name(uid); |
191 | char *allocated = user; | 191 | char *user_allocated = user; |
192 | 192 | ||
193 | // extract sandbox name - pid == index | 193 | // extract sandbox name - pid == index |
194 | char *sandbox_name = ""; | 194 | char *sandbox_name = ""; |
195 | char *sandbox_name_allocated = NULL; | ||
195 | char *fname; | 196 | char *fname; |
196 | if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, index) == -1) | 197 | if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, index) == -1) |
197 | errExit("asprintf"); | 198 | errExit("asprintf"); |
@@ -202,6 +203,7 @@ static void print_elem(unsigned index, int nowrap) { | |||
202 | sandbox_name = malloc(s.st_size + 1); | 203 | sandbox_name = malloc(s.st_size + 1); |
203 | if (!sandbox_name) | 204 | if (!sandbox_name) |
204 | errExit("malloc"); | 205 | errExit("malloc"); |
206 | sandbox_name_allocated = sandbox_name; | ||
205 | char *rv = fgets(sandbox_name, s.st_size + 1, fp); | 207 | char *rv = fgets(sandbox_name, s.st_size + 1, fp); |
206 | if (!rv) | 208 | if (!rv) |
207 | *sandbox_name = '\0'; | 209 | *sandbox_name = '\0'; |
@@ -241,8 +243,10 @@ static void print_elem(unsigned index, int nowrap) { | |||
241 | else | 243 | else |
242 | printf("%s%u:\n", indent, index); | 244 | printf("%s%u:\n", indent, index); |
243 | } | 245 | } |
244 | if (allocated) | 246 | if (user_allocated) |
245 | free(allocated); | 247 | free(user_allocated); |
248 | if (sandbox_name_allocated) | ||
249 | free(sandbox_name_allocated); | ||
246 | } | 250 | } |
247 | 251 | ||
248 | // recursivity!!! | 252 | // recursivity!!! |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 34e4102f6..f080c8c7b 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1064,6 +1064,17 @@ $ nc dict.org 2628 | |||
1064 | 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64 | 1064 | 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64 |
1065 | .br | 1065 | .br |
1066 | .TP | 1066 | .TP |
1067 | \fB\-\-nodbus | ||
1068 | Disable D-Bus access. Only the regular UNIX socket is handled by this command. To | ||
1069 | disable the abstract socket you would need to request a new network namespace using | ||
1070 | \-\-net command. Another option is to remove unix from \-\-protocol set. | ||
1071 | .br | ||
1072 | |||
1073 | .br | ||
1074 | Example: | ||
1075 | .br | ||
1076 | $ firejail \-\-nodbus \-\-net=none | ||
1077 | .TP | ||
1067 | \fB\-\-nodvd | 1078 | \fB\-\-nodvd |
1068 | Disable DVD and audio CD devices. | 1079 | Disable DVD and audio CD devices. |
1069 | .br | 1080 | .br |
diff --git a/test/root/firecfg.exp b/test/root/firecfg.exp index 02f2323a0..656b8e215 100755 --- a/test/root/firecfg.exp +++ b/test/root/firecfg.exp | |||
@@ -13,7 +13,7 @@ sleep 1 | |||
13 | send -- "firecfg --clean\r" | 13 | send -- "firecfg --clean\r" |
14 | expect { | 14 | expect { |
15 | timeout {puts "TESTING ERROR 0\n";exit} | 15 | timeout {puts "TESTING ERROR 0\n";exit} |
16 | "/usr/local/bin/firefox removed" | 16 | "less removed" |
17 | } | 17 | } |
18 | sleep 1 | 18 | sleep 1 |
19 | 19 | ||
@@ -30,11 +30,11 @@ sleep 1 | |||
30 | send -- "firecfg\r" | 30 | send -- "firecfg\r" |
31 | expect { | 31 | expect { |
32 | timeout {puts "TESTING ERROR 3\n";exit} | 32 | timeout {puts "TESTING ERROR 3\n";exit} |
33 | "firefox created" | 33 | "less created" |
34 | } | 34 | } |
35 | sleep 1 | 35 | sleep 1 |
36 | 36 | ||
37 | send -- "file /usr/local/bin/firefox\r" | 37 | send -- "file /usr/local/bin/less\r" |
38 | expect { | 38 | expect { |
39 | timeout {puts "TESTING ERROR 4\n";exit} | 39 | timeout {puts "TESTING ERROR 4\n";exit} |
40 | "symbolic link to /usr/bin/firejail" | 40 | "symbolic link to /usr/bin/firejail" |
@@ -44,7 +44,7 @@ sleep 1 | |||
44 | send -- "firecfg --list\r" | 44 | send -- "firecfg --list\r" |
45 | expect { | 45 | expect { |
46 | timeout {puts "TESTING ERROR 5\n";exit} | 46 | timeout {puts "TESTING ERROR 5\n";exit} |
47 | "/usr/local/bin/firefox" | 47 | "/usr/local/bin/less" |
48 | } | 48 | } |
49 | sleep 1 | 49 | sleep 1 |
50 | 50 | ||
diff --git a/test/root/root.sh b/test/root/root.sh index 912ae23f0..22b12cf86 100755 --- a/test/root/root.sh +++ b/test/root/root.sh | |||
@@ -110,13 +110,13 @@ echo "TESTING: firemon events (test/root/firemon-events.exp)" | |||
110 | #******************************** | 110 | #******************************** |
111 | # firecfg | 111 | # firecfg |
112 | #******************************** | 112 | #******************************** |
113 | which firefox | 113 | which less |
114 | if [ "$?" -eq 0 ]; | 114 | if [ "$?" -eq 0 ]; |
115 | then | 115 | then |
116 | echo "TESTING: firecfg (test/root/firecfg.exp)" | 116 | echo "TESTING: firecfg (test/root/firecfg.exp)" |
117 | ./firecfg.exp | 117 | ./firecfg.exp |
118 | else | 118 | else |
119 | echo "TESTING SKIP: firecfg, firefox not found" | 119 | echo "TESTING SKIP: firecfg, less not found" |
120 | fi | 120 | fi |
121 | 121 | ||
122 | # restore the default config file | 122 | # restore the default config file |
diff --git a/test/utils/audit.exp b/test/utils/audit.exp index c68ee387c..684886af7 100755 --- a/test/utils/audit.exp +++ b/test/utils/audit.exp | |||
@@ -76,4 +76,24 @@ expect { | |||
76 | } | 76 | } |
77 | after 100 | 77 | after 100 |
78 | 78 | ||
79 | # run audit executable without a sandbox | ||
80 | send -- "faudit\r" | ||
81 | expect { | ||
82 | timeout {puts "TESTING ERROR 13\n";exit} | ||
83 | "is not running in a PID namespace" | ||
84 | } | ||
85 | expect { | ||
86 | timeout {puts "TESTING ERROR 14\n";exit} | ||
87 | "BAD: seccomp disabled" | ||
88 | } | ||
89 | expect { | ||
90 | timeout {puts "TESTING ERROR 15\n";exit} | ||
91 | "BAD: the capability map is" | ||
92 | } | ||
93 | expect { | ||
94 | timeout {puts "TESTING ERROR 16\n";exit} | ||
95 | "MAYBE: /dev directory seems to be fully populated" | ||
96 | } | ||
97 | after 100 | ||
98 | |||
79 | puts "\nall done\n" | 99 | puts "\nall done\n" |
diff --git a/test/utils/build.exp b/test/utils/build.exp new file mode 100755 index 000000000..de2a9b6ae --- /dev/null +++ b/test/utils/build.exp | |||
@@ -0,0 +1,58 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2018 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail --build cat ~/firejail-test-file-7699\r" | ||
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 0\n";exit} | ||
13 | "whitelist ~/firejail-test-file-7699" | ||
14 | } | ||
15 | expect { | ||
16 | timeout {puts "TESTING ERROR 0.1\n";exit} | ||
17 | "include /etc/firejail/whitelist-common.inc" | ||
18 | } | ||
19 | expect { | ||
20 | timeout {puts "TESTING ERROR 1\n";exit} | ||
21 | "private-tmp" | ||
22 | } | ||
23 | expect { | ||
24 | timeout {puts "TESTING ERROR 2\n";exit} | ||
25 | "private-dev" | ||
26 | } | ||
27 | expect { | ||
28 | timeout {puts "TESTING ERROR 3\n";exit} | ||
29 | "blacklist /var" | ||
30 | } | ||
31 | expect { | ||
32 | timeout {puts "TESTING ERROR 4\n";exit} | ||
33 | "private-bin cat," | ||
34 | } | ||
35 | expect { | ||
36 | timeout {puts "TESTING ERROR 5\n";exit} | ||
37 | "caps.drop all" | ||
38 | } | ||
39 | expect { | ||
40 | timeout {puts "TESTING ERROR 6\n";exit} | ||
41 | "nonewprivs" | ||
42 | } | ||
43 | expect { | ||
44 | timeout {puts "TESTING ERROR 7\n";exit} | ||
45 | "seccomp" | ||
46 | } | ||
47 | expect { | ||
48 | timeout {puts "TESTING ERROR 8\n";exit} | ||
49 | "net none" | ||
50 | } | ||
51 | expect { | ||
52 | timeout {puts "TESTING ERROR 9\n";exit} | ||
53 | "shell none" | ||
54 | } | ||
55 | after 100 | ||
56 | |||
57 | |||
58 | puts "all done\n" | ||
diff --git a/test/utils/utils.sh b/test/utils/utils.sh index 9dd3b67a3..d72cc2269 100755 --- a/test/utils/utils.sh +++ b/test/utils/utils.sh | |||
@@ -6,6 +6,17 @@ | |||
6 | export MALLOC_CHECK_=3 | 6 | export MALLOC_CHECK_=3 |
7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) | 7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) |
8 | 8 | ||
9 | if [ -f /etc/debian_version ]; then | ||
10 | libdir=$(dirname "$(dpkg -L firejail | grep faudit)") | ||
11 | export PATH="$PATH:$libdir" | ||
12 | fi | ||
13 | export PATH="$PATH:/usr/lib/firejail" | ||
14 | |||
15 | echo "testing" > ~/firejail-test-file-7699 | ||
16 | echo "TESTING: build (test/utils/build.exp)" | ||
17 | ./build.exp | ||
18 | rm -f ~/firejail-test-file-7699 | ||
19 | |||
9 | echo "TESTING: audit (test/utils/audit.exp)" | 20 | echo "TESTING: audit (test/utils/audit.exp)" |
10 | ./audit.exp | 21 | ./audit.exp |
11 | 22 | ||