diff options
26 files changed, 454 insertions, 31 deletions
diff --git a/Makefile.in b/Makefile.in index 65dd430b5..8cbba12e9 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -89,7 +89,7 @@ distclean: clean | |||
89 | for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \ | 89 | for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \ |
90 | $(MAKE) -C $$dir distclean; \ | 90 | $(MAKE) -C $$dir distclean; \ |
91 | done | 91 | done |
92 | rm -fr Makefile autom4te.cache config.log config.status config.h src/common.mk | 92 | rm -fr Makefile autom4te.cache config.log config.status config.h src/common.mk mkdeb.sh |
93 | 93 | ||
94 | realinstall: | 94 | realinstall: |
95 | # firejail executable | 95 | # firejail executable |
@@ -176,7 +176,9 @@ DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcop | |||
176 | 176 | ||
177 | dist: | 177 | dist: |
178 | mv config.status config.status.old | 178 | mv config.status config.status.old |
179 | mv mkdeb.sh mkdeb.sh.old | ||
179 | make distclean | 180 | make distclean |
181 | mv mkdeb.sh.old mkdeb.sh | ||
180 | mv config.status.old config.status | 182 | mv config.status.old config.status |
181 | rm -fr $(NAME)-$(VERSION) $(NAME)-$(VERSION).tar.xz | 183 | rm -fr $(NAME)-$(VERSION) $(NAME)-$(VERSION).tar.xz |
182 | mkdir -p $(NAME)-$(VERSION)/test | 184 | mkdir -p $(NAME)-$(VERSION)/test |
@@ -269,7 +271,7 @@ test-travis: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sy | |||
269 | 271 | ||
270 | ########################################## | 272 | ########################################## |
271 | # Individual tests, some of them require root access | 273 | # Individual tests, some of them require root access |
272 | # The tests are very intrussive, by the time you are done | 274 | # The tests are very intrusive, by the time you are done |
273 | # with them you will need to restart your computer. | 275 | # with them you will need to restart your computer. |
274 | ########################################## | 276 | ########################################## |
275 | 277 | ||
@@ -294,7 +296,7 @@ test-network: | |||
294 | test-stress: | 296 | test-stress: |
295 | cd test/stress; ./stress.sh | grep TESTING | 297 | cd test/stress; ./stress.sh | grep TESTING |
296 | 298 | ||
297 | # Tesets running a root user | 299 | # Tests running a root user |
298 | test-root: | 300 | test-root: |
299 | cd test/root; su -c ./root.sh | grep TESTING | 301 | cd test/root; su -c ./root.sh | grep TESTING |
300 | 302 | ||
@@ -196,4 +196,4 @@ gnome-screenshot, ripperX, sound-juicer, iagno, com.github.dahenson.agenda, gnom | |||
196 | penguin-command, x2goclient, frogatto, gnome-mines, gnome-nibbles, lightsoff, ts3client_runscript.sh, warmux, ferdi, abiword, | 196 | penguin-command, x2goclient, frogatto, gnome-mines, gnome-nibbles, lightsoff, ts3client_runscript.sh, warmux, ferdi, abiword, |
197 | four-in-a-row, gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin, gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars, | 197 | four-in-a-row, gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin, gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars, |
198 | hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless, mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers, | 198 | hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless, mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers, |
199 | seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more, swell-foop, fdns, jitsi-meet-desktop, nicontine, steam-runtime, apostrophe, quadrapassel, dino-im, strawberry, hitori, bijiben, gnote, gnubik, ZeGrapher, gapplication, xonotic-sdl-wrapper, openarena_ded | 199 | seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more, swell-foop, fdns, jitsi-meet-desktop, nicontine, steam-runtime, apostrophe, quadrapassel, dino-im, strawberry, hitori, bijiben, gnote, gnubik, ZeGrapher, gapplication, xonotic-sdl-wrapper, openarena_ded, cawbird, freetube, homebank, mattermost-desktop, newsflash, com.gitlab.newsflash, element-desktop |
@@ -37,7 +37,8 @@ firejail (0.9.63) baseline; urgency=low | |||
37 | * new profiles: swell-foop, fdns, five-or-more, steam-runtime, jitsi-meet-desktop | 37 | * new profiles: swell-foop, fdns, five-or-more, steam-runtime, jitsi-meet-desktop |
38 | * new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im, strawberry | 38 | * new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im, strawberry |
39 | * new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher, xonotic-sdl-wrapper | 39 | * new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher, xonotic-sdl-wrapper |
40 | * new profiles: gapplication, openarena_ded, element-desktop | 40 | * new profiles: gapplication, openarena_ded, element-desktop, cawbird, freetube |
41 | * new profiles: homebank, mattermost-desktop, newsflash, com.gitlab.newsflash | ||
41 | -- netblue30 <netblue30@yahoo.com> Tue, 21 Apr 2020 08:00:00 -0500 | 42 | -- netblue30 <netblue30@yahoo.com> Tue, 21 Apr 2020 08:00:00 -0500 |
42 | 43 | ||
43 | firejail (0.9.62) baseline; urgency=low | 44 | firejail (0.9.62) baseline; urgency=low |
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 865eefb18..433699918 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
@@ -87,6 +87,7 @@ blacklist ${HOME}/.config/Enox | |||
87 | blacklist ${HOME}/.config/Ferdi | 87 | blacklist ${HOME}/.config/Ferdi |
88 | blacklist ${HOME}/.config/Franz | 88 | blacklist ${HOME}/.config/Franz |
89 | blacklist ${HOME}/.config/FreeCAD | 89 | blacklist ${HOME}/.config/FreeCAD |
90 | blacklist ${HOME}/.config/FreeTube | ||
90 | blacklist ${HOME}/.config/Fritzing | 91 | blacklist ${HOME}/.config/Fritzing |
91 | blacklist ${HOME}/.config/GIMP | 92 | blacklist ${HOME}/.config/GIMP |
92 | blacklist ${HOME}/.config/GitHub Desktop | 93 | blacklist ${HOME}/.config/GitHub Desktop |
@@ -100,6 +101,7 @@ blacklist ${HOME}/.config/Jitsi Meet | |||
100 | blacklist ${HOME}/.config/Kid3 | 101 | blacklist ${HOME}/.config/Kid3 |
101 | blacklist ${HOME}/.config/Kingsoft | 102 | blacklist ${HOME}/.config/Kingsoft |
102 | blacklist ${HOME}/.config/Luminance | 103 | blacklist ${HOME}/.config/Luminance |
104 | blacklist ${HOME}/.config/Mattermost | ||
103 | blacklist ${HOME}/.config/Meltytech | 105 | blacklist ${HOME}/.config/Meltytech |
104 | blacklist ${HOME}/.config/Mendeley Ltd. | 106 | blacklist ${HOME}/.config/Mendeley Ltd. |
105 | blacklist ${HOME}/.config/Min | 107 | blacklist ${HOME}/.config/Min |
@@ -162,6 +164,7 @@ blacklist ${HOME}/.config/caja | |||
162 | blacklist ${HOME}/.config/calibre | 164 | blacklist ${HOME}/.config/calibre |
163 | blacklist ${HOME}/.config/cantata | 165 | blacklist ${HOME}/.config/cantata |
164 | blacklist ${HOME}/.config/catfish | 166 | blacklist ${HOME}/.config/catfish |
167 | blacklist ${HOME}/.config/cawbird | ||
165 | blacklist ${HOME}/.config/celluloid | 168 | blacklist ${HOME}/.config/celluloid |
166 | blacklist ${HOME}/.config/cherrytree | 169 | blacklist ${HOME}/.config/cherrytree |
167 | blacklist ${HOME}/.config/chrome-beta-flags.conf | 170 | blacklist ${HOME}/.config/chrome-beta-flags.conf |
@@ -236,6 +239,7 @@ blacklist ${HOME}/.config/gthumb | |||
236 | blacklist ${HOME}/.config/gummi | 239 | blacklist ${HOME}/.config/gummi |
237 | blacklist ${HOME}/.config/gwenviewrc | 240 | blacklist ${HOME}/.config/gwenviewrc |
238 | blacklist ${HOME}/.config/hexchat | 241 | blacklist ${HOME}/.config/hexchat |
242 | blacklist ${HOME}/.config/homebank | ||
239 | blacklist ${HOME}/.config/i2p | 243 | blacklist ${HOME}/.config/i2p |
240 | blacklist ${HOME}/.config/inkscape | 244 | blacklist ${HOME}/.config/inkscape |
241 | blacklist ${HOME}/.config/inox | 245 | blacklist ${HOME}/.config/inox |
@@ -297,6 +301,7 @@ blacklist ${HOME}/.config/nautilus | |||
297 | blacklist ${HOME}/.config/nemo | 301 | blacklist ${HOME}/.config/nemo |
298 | blacklist ${HOME}/.config/netsurf | 302 | blacklist ${HOME}/.config/netsurf |
299 | blacklist ${HOME}/.config/newsbeuter | 303 | blacklist ${HOME}/.config/newsbeuter |
304 | blacklist ${HOME}/.config/newsflash | ||
300 | blacklist ${HOME}/.config/nheko | 305 | blacklist ${HOME}/.config/nheko |
301 | blacklist ${HOME}/.config/NitroShare | 306 | blacklist ${HOME}/.config/NitroShare |
302 | blacklist ${HOME}/.config/nomacs | 307 | blacklist ${HOME}/.config/nomacs |
@@ -633,6 +638,7 @@ blacklist ${HOME}/.local/share/nautilus | |||
633 | blacklist ${HOME}/.local/share/nautilus-python | 638 | blacklist ${HOME}/.local/share/nautilus-python |
634 | blacklist ${HOME}/.local/share/nemo | 639 | blacklist ${HOME}/.local/share/nemo |
635 | blacklist ${HOME}/.local/share/nemo-python | 640 | blacklist ${HOME}/.local/share/nemo-python |
641 | blacklist ${HOME}/.local/share/news-flash | ||
636 | blacklist ${HOME}/.local/share/nomacs | 642 | blacklist ${HOME}/.local/share/nomacs |
637 | blacklist ${HOME}/.local/share/notes | 643 | blacklist ${HOME}/.local/share/notes |
638 | blacklist ${HOME}/.local/share/ocenaudio | 644 | blacklist ${HOME}/.local/share/ocenaudio |
@@ -681,6 +687,7 @@ blacklist ${HOME}/.mcabber | |||
681 | blacklist ${HOME}/.mcabberrc | 687 | blacklist ${HOME}/.mcabberrc |
682 | blacklist ${HOME}/.mediathek3 | 688 | blacklist ${HOME}/.mediathek3 |
683 | blacklist ${HOME}/.megaglest | 689 | blacklist ${HOME}/.megaglest |
690 | blacklist ${HOME}/.minecraft | ||
684 | blacklist ${HOME}/.minetest | 691 | blacklist ${HOME}/.minetest |
685 | blacklist ${HOME}/.mirrormagic | 692 | blacklist ${HOME}/.mirrormagic |
686 | blacklist ${HOME}/.moc | 693 | blacklist ${HOME}/.moc |
@@ -805,6 +812,7 @@ blacklist ${HOME}/.cache/Ferdi | |||
805 | blacklist ${HOME}/.cache/Franz | 812 | blacklist ${HOME}/.cache/Franz |
806 | blacklist ${HOME}/.cache/INRIA | 813 | blacklist ${HOME}/.cache/INRIA |
807 | blacklist ${HOME}/.cache/MusicBrainz | 814 | blacklist ${HOME}/.cache/MusicBrainz |
815 | blacklist ${HOME}/.cache/NewsFlashGTK | ||
808 | blacklist ${HOME}/.cache/QuiteRss | 816 | blacklist ${HOME}/.cache/QuiteRss |
809 | blacklist ${HOME}/.cache/Shortwave | 817 | blacklist ${HOME}/.cache/Shortwave |
810 | blacklist ${HOME}/.cache/Tox | 818 | blacklist ${HOME}/.cache/Tox |
diff --git a/etc/net/nolocal.net b/etc/net/nolocal.net index 8955f740d..0eb9f9784 100644 --- a/etc/net/nolocal.net +++ b/etc/net/nolocal.net | |||
@@ -32,5 +32,5 @@ | |||
32 | -A OUTPUT -d 172.16.0.0/12 -j DROP | 32 | -A OUTPUT -d 172.16.0.0/12 -j DROP |
33 | 33 | ||
34 | # drop multicast traffic | 34 | # drop multicast traffic |
35 | -A OUTPUT -d 244.0.0.0/4 -j DROP | 35 | -A OUTPUT -d 224.0.0.0/4 -j DROP |
36 | COMMIT | 36 | COMMIT |
diff --git a/etc/profile-a-l/cawbird.profile b/etc/profile-a-l/cawbird.profile new file mode 100644 index 000000000..3d29c3817 --- /dev/null +++ b/etc/profile-a-l/cawbird.profile | |||
@@ -0,0 +1,46 @@ | |||
1 | # Firejail profile for cawbird | ||
2 | # Description: Open-source Twitter client for Linux | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include cawbird.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/cawbird | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-shell.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | apparmor | ||
21 | caps.drop all | ||
22 | machine-id | ||
23 | netfilter | ||
24 | no3d | ||
25 | nodvd | ||
26 | nogroups | ||
27 | nonewprivs | ||
28 | noroot | ||
29 | nosound | ||
30 | notv | ||
31 | nou2f | ||
32 | novideo | ||
33 | protocol unix,inet,inet6 | ||
34 | seccomp | ||
35 | shell none | ||
36 | tracelog | ||
37 | |||
38 | disable-mnt | ||
39 | private-bin cawbird | ||
40 | private-cache | ||
41 | private-dev | ||
42 | private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg | ||
43 | private-tmp | ||
44 | |||
45 | # dbus-user none | ||
46 | dbus-system none | ||
diff --git a/etc/profile-a-l/com.gitlab.newsflash.profile b/etc/profile-a-l/com.gitlab.newsflash.profile new file mode 100644 index 000000000..0628d3d01 --- /dev/null +++ b/etc/profile-a-l/com.gitlab.newsflash.profile | |||
@@ -0,0 +1,5 @@ | |||
1 | # Firejail profile alias for newsflash | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | # Redirect | ||
5 | include newsflash.profile | ||
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile index cbeef798f..35bea4aaa 100644 --- a/etc/profile-a-l/discord-common.profile +++ b/etc/profile-a-l/discord-common.profile | |||
@@ -32,7 +32,7 @@ novideo | |||
32 | protocol unix,inet,inet6,netlink | 32 | protocol unix,inet,inet6,netlink |
33 | seccomp !chroot | 33 | seccomp !chroot |
34 | 34 | ||
35 | private-bin bash,cut,echo,egrep,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh | 35 | private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh |
36 | private-dev | 36 | private-dev |
37 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl | 37 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl |
38 | private-tmp | 38 | private-tmp |
diff --git a/etc/profile-a-l/freetube.profile b/etc/profile-a-l/freetube.profile new file mode 100644 index 000000000..91f0caf87 --- /dev/null +++ b/etc/profile-a-l/freetube.profile | |||
@@ -0,0 +1,31 @@ | |||
1 | # Firejail profile for freetube | ||
2 | # Description: Youtube client with local subscription feature | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include freetube.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/FreeTube | ||
10 | |||
11 | include disable-devel.inc | ||
12 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | ||
14 | include disable-shell.inc | ||
15 | include disable-xdg.inc | ||
16 | |||
17 | mkdir ${HOME}/.config/FreeTube | ||
18 | whitelist ${HOME}/.config/FreeTube | ||
19 | |||
20 | seccomp !chroot | ||
21 | shell none | ||
22 | |||
23 | disable-mnt | ||
24 | private-bin freetube | ||
25 | private-cache | ||
26 | private-dev | ||
27 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg | ||
28 | private-tmp | ||
29 | |||
30 | # Redirect | ||
31 | include electron.profile | ||
diff --git a/etc/profile-a-l/github-desktop.profile b/etc/profile-a-l/github-desktop.profile index b25b138ad..152396553 100644 --- a/etc/profile-a-l/github-desktop.profile +++ b/etc/profile-a-l/github-desktop.profile | |||
@@ -30,7 +30,7 @@ notv | |||
30 | nou2f | 30 | nou2f |
31 | novideo | 31 | novideo |
32 | protocol unix,inet,inet6,netlink | 32 | protocol unix,inet,inet6,netlink |
33 | seccomp | 33 | seccomp !chroot |
34 | 34 | ||
35 | # Note: On debian-based distributions the binary might be located in | 35 | # Note: On debian-based distributions the binary might be located in |
36 | # /opt/GitHub Desktop/github-desktop, and therefore not be in PATH. | 36 | # /opt/GitHub Desktop/github-desktop, and therefore not be in PATH. |
diff --git a/etc/profile-a-l/gnome-calculator.profile b/etc/profile-a-l/gnome-calculator.profile index bc6626598..ceb01f2a0 100644 --- a/etc/profile-a-l/gnome-calculator.profile +++ b/etc/profile-a-l/gnome-calculator.profile | |||
@@ -25,7 +25,7 @@ apparmor | |||
25 | caps.drop all | 25 | caps.drop all |
26 | ipc-namespace | 26 | ipc-namespace |
27 | machine-id | 27 | machine-id |
28 | # net none | 28 | #net none -- breaks currency conversion |
29 | netfilter | 29 | netfilter |
30 | no3d | 30 | no3d |
31 | nodvd | 31 | nodvd |
@@ -39,6 +39,7 @@ novideo | |||
39 | protocol unix,inet,inet6 | 39 | protocol unix,inet,inet6 |
40 | seccomp | 40 | seccomp |
41 | shell none | 41 | shell none |
42 | tracelog | ||
42 | 43 | ||
43 | disable-mnt | 44 | disable-mnt |
44 | private-bin gnome-calculator | 45 | private-bin gnome-calculator |
@@ -47,8 +48,7 @@ private-dev | |||
47 | #private-lib gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*,libgnutls.so.*,libproxy.so.*,librsvg-2.so.*,libxml2.so.* | 48 | #private-lib gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*,libgnutls.so.*,libproxy.so.*,librsvg-2.so.*,libxml2.so.* |
48 | private-tmp | 49 | private-tmp |
49 | 50 | ||
50 | # makes settings immutable | 51 | dbus-user filter |
51 | # dbus-user none | 52 | dbus-user.own org.gnome.Calculator |
52 | # dbus-system none | 53 | dbus-user.talk ca.desrt.dconf |
53 | 54 | dbus-system none | |
54 | # memory-deny-write-execute | ||
diff --git a/etc/profile-a-l/gnome-pomodoro.profile b/etc/profile-a-l/gnome-pomodoro.profile index 2a5d2a231..a46e47759 100644 --- a/etc/profile-a-l/gnome-pomodoro.profile +++ b/etc/profile-a-l/gnome-pomodoro.profile | |||
@@ -50,7 +50,9 @@ private-tmp | |||
50 | dbus-user filter | 50 | dbus-user filter |
51 | dbus-user.own org.gnome.Pomodoro | 51 | dbus-user.own org.gnome.Pomodoro |
52 | dbus-user.talk ca.desrt.dconf | 52 | dbus-user.talk ca.desrt.dconf |
53 | dbus-user.talk org.gnome.Mutter.IdleMonitor | ||
53 | dbus-user.talk org.gnome.Shell | 54 | dbus-user.talk org.gnome.Shell |
55 | dbus-user.talk org.freedesktop.Notifications | ||
54 | dbus-system none | 56 | dbus-system none |
55 | 57 | ||
56 | read-only ${HOME} | 58 | read-only ${HOME} |
diff --git a/etc/profile-a-l/homebank.profile b/etc/profile-a-l/homebank.profile new file mode 100644 index 000000000..8e600a2d7 --- /dev/null +++ b/etc/profile-a-l/homebank.profile | |||
@@ -0,0 +1,59 @@ | |||
1 | # Firejail profile for homebank | ||
2 | # Description: Personal finance manager | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include homebank.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/homebank | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-programs.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-shell.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | mkdir ${HOME}/.config/homebank | ||
21 | whitelist ${DOWNLOADS} | ||
22 | whitelist ${HOME}/.config/homebank | ||
23 | whitelist /usr/share/homebank | ||
24 | include whitelist-common.inc | ||
25 | include whitelist-runuser-common.inc | ||
26 | include whitelist-usr-share-common.inc | ||
27 | include whitelist-var-common.inc | ||
28 | |||
29 | apparmor | ||
30 | caps.drop all | ||
31 | machine-id | ||
32 | # net none | ||
33 | netfilter | ||
34 | nodvd | ||
35 | no3d | ||
36 | nodvd | ||
37 | nogroups | ||
38 | nonewprivs | ||
39 | noroot | ||
40 | nosound | ||
41 | notv | ||
42 | nou2f | ||
43 | novideo | ||
44 | protocol unix,inet,inet6 | ||
45 | seccomp | ||
46 | shell none | ||
47 | tracelog | ||
48 | |||
49 | disable-mnt | ||
50 | private-bin homebank | ||
51 | private-cache | ||
52 | private-dev | ||
53 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11 | ||
54 | private-tmp | ||
55 | |||
56 | dbus-user none | ||
57 | dbus-system none | ||
58 | |||
59 | # memory-deny-write-execute | ||
diff --git a/etc/profile-m-z/mattermost-desktop.profile b/etc/profile-m-z/mattermost-desktop.profile new file mode 100644 index 000000000..e4487c8aa --- /dev/null +++ b/etc/profile-m-z/mattermost-desktop.profile | |||
@@ -0,0 +1,46 @@ | |||
1 | # Firejail profile for mattermost-desktop | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include mattermost-desktop.local | ||
5 | # Persistent global definitions | ||
6 | include globals.local | ||
7 | |||
8 | noblacklist ${HOME}/.config/Mattermost | ||
9 | |||
10 | include disable-common.inc | ||
11 | include disable-devel.inc | ||
12 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | ||
14 | include disable-programs.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-shell.inc | ||
17 | include disable-xdg.inc | ||
18 | |||
19 | mkdir ${HOME}/.config/Mattermost | ||
20 | whitelist ${DOWNLOADS} | ||
21 | whitelist ${HOME}/.config/Mattermost | ||
22 | include whitelist-common.inc | ||
23 | include whitelist-runuser-common.inc | ||
24 | include whitelist-usr-share-common.inc | ||
25 | include whitelist-var-common.inc | ||
26 | |||
27 | caps.keep sys_admin,sys_chroot | ||
28 | netfilter | ||
29 | nodvd | ||
30 | nogroups | ||
31 | notv | ||
32 | nou2f | ||
33 | novideo | ||
34 | shell none | ||
35 | |||
36 | disable-mnt | ||
37 | private-cache | ||
38 | private-dev | ||
39 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl | ||
40 | private-tmp | ||
41 | |||
42 | # Not tested | ||
43 | #dbus-user filter | ||
44 | #dbus-user.own com.mattermost.Desktop | ||
45 | #dbus-user.talk org.freedesktop.Notifications | ||
46 | #dbus-system none | ||
diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile index 84db8b785..385700648 100644 --- a/etc/profile-m-z/meld.profile +++ b/etc/profile-m-z/meld.profile | |||
@@ -70,6 +70,7 @@ private-cache | |||
70 | private-dev | 70 | private-dev |
71 | # Uncomment the next line (or put it into your meld.local) if you don't need to compare in /etc. | 71 | # Uncomment the next line (or put it into your meld.local) if you don't need to compare in /etc. |
72 | #private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion | 72 | #private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion |
73 | # Comment the next line (or add 'ignore private-tmp to your meld.local') if you want to use it as a difftool (#3551) | ||
73 | private-tmp | 74 | private-tmp |
74 | 75 | ||
75 | read-only ${HOME}/.ssh | 76 | read-only ${HOME}/.ssh |
diff --git a/etc/profile-m-z/minecraft-launcher.profile b/etc/profile-m-z/minecraft-launcher.profile new file mode 100644 index 000000000..8c7d18c58 --- /dev/null +++ b/etc/profile-m-z/minecraft-launcher.profile | |||
@@ -0,0 +1,58 @@ | |||
1 | # Firejail profile for minecraft-launcher | ||
2 | # Description: Official Minecraft launcher from Mojang | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include minecraft-launcher.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | # On some distros executable may be in '/opt/minecraft-launcher/', if so, run 'firejail /opt/minecraft-launcher/minecraft-launcher' to start it. | ||
10 | |||
11 | ignore noexec ${HOME} | ||
12 | |||
13 | noblacklist ${HOME}/.minecraft | ||
14 | |||
15 | include allow-java.inc | ||
16 | |||
17 | include disable-common.inc | ||
18 | include disable-devel.inc | ||
19 | include disable-exec.inc | ||
20 | include disable-interpreters.inc | ||
21 | include disable-passwdmgr.inc | ||
22 | include disable-programs.inc | ||
23 | include disable-shell.inc | ||
24 | include disable-xdg.inc | ||
25 | |||
26 | mkdir ${HOME}/.minecraft | ||
27 | whitelist ${HOME}/.minecraft | ||
28 | include whitelist-common.inc | ||
29 | include whitelist-runuser-common.inc | ||
30 | include whitelist-usr-share-common.inc | ||
31 | include whitelist-var-common.inc | ||
32 | |||
33 | apparmor | ||
34 | caps.drop all | ||
35 | netfilter | ||
36 | nodvd | ||
37 | nogroups | ||
38 | nonewprivs | ||
39 | noroot | ||
40 | notv | ||
41 | nou2f | ||
42 | novideo | ||
43 | protocol unix,inet,inet6,netlink | ||
44 | seccomp | ||
45 | shell none | ||
46 | tracelog | ||
47 | |||
48 | disable-mnt | ||
49 | private-bin java,java-config,minecraft-launcher | ||
50 | private-cache | ||
51 | private-dev | ||
52 | # If multiplayer or realms break add your own java folder from /etc or comment the line below. | ||
53 | private-etc alternatives,asound.conf,ati,ca-certificates,crypto-policies,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-14-openjdk,java-7-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,login.defs,machine-id,mime.types,nvidia,passwd,pki,pulse,resolv.conf,selinux,services,ssl,timezone,X11,xdg | ||
54 | private-opt minecraft-launcher | ||
55 | private-tmp | ||
56 | |||
57 | dbus-user none | ||
58 | dbus-system none | ||
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile index b0e493c5f..2fc027257 100644 --- a/etc/profile-m-z/mpv.profile +++ b/etc/profile-m-z/mpv.profile | |||
@@ -30,6 +30,8 @@ include disable-programs.inc | |||
30 | include disable-shell.inc | 30 | include disable-shell.inc |
31 | include disable-xdg.inc | 31 | include disable-xdg.inc |
32 | 32 | ||
33 | whitelist /usr/share/lua | ||
34 | whitelist /usr/share/lua* | ||
33 | whitelist /usr/share/vulkan | 35 | whitelist /usr/share/vulkan |
34 | include whitelist-usr-share-common.inc | 36 | include whitelist-usr-share-common.inc |
35 | include whitelist-var-common.inc | 37 | include whitelist-var-common.inc |
@@ -37,8 +39,7 @@ include whitelist-var-common.inc | |||
37 | apparmor | 39 | apparmor |
38 | caps.drop all | 40 | caps.drop all |
39 | netfilter | 41 | netfilter |
40 | 42 | # nogroups seems to cause issues with Nvidia drivers sometimes | |
41 | # Seems to cause issues with Nvidia drivers sometimes | ||
42 | nogroups | 43 | nogroups |
43 | nonewprivs | 44 | nonewprivs |
44 | noroot | 45 | noroot |
@@ -49,7 +50,7 @@ shell none | |||
49 | tracelog | 50 | tracelog |
50 | 51 | ||
51 | private-bin env,mpv,python*,youtube-dl | 52 | private-bin env,mpv,python*,youtube-dl |
52 | # Causes slow OSD, see #2838 | 53 | # private-cache causes slow OSD, see #2838 |
53 | #private-cache | 54 | #private-cache |
54 | private-dev | 55 | private-dev |
55 | 56 | ||
diff --git a/etc/profile-m-z/newsflash.profile b/etc/profile-m-z/newsflash.profile new file mode 100644 index 000000000..d0ac83baf --- /dev/null +++ b/etc/profile-m-z/newsflash.profile | |||
@@ -0,0 +1,60 @@ | |||
1 | # Firejail profile for newsflash | ||
2 | # Description: Modern feed reader | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include newsflash.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.cache/NewsFlashGTK | ||
10 | noblacklist ${HOME}/.config/news-flash | ||
11 | noblacklist ${HOME}/.local/share/news-flash | ||
12 | |||
13 | include disable-common.inc | ||
14 | include disable-devel.inc | ||
15 | include disable-exec.inc | ||
16 | include disable-interpreters.inc | ||
17 | include disable-passwdmgr.inc | ||
18 | include disable-programs.inc | ||
19 | include disable-shell.inc | ||
20 | include disable-xdg.inc | ||
21 | |||
22 | mkdir ${HOME}/.cache/NewsFlashGTK | ||
23 | mkdir ${HOME}/.config/news-flash | ||
24 | mkdir ${HOME}/.local/share/news-flash | ||
25 | whitelist ${HOME}/.cache/NewsFlashGTK | ||
26 | whitelist ${HOME}/.config/news-flash | ||
27 | whitelist ${HOME}/.local/share/news-flash | ||
28 | include whitelist-common.inc | ||
29 | include whitelist-runuser-common.inc | ||
30 | include whitelist-usr-share-common.inc | ||
31 | include whitelist-var-common.inc | ||
32 | |||
33 | apparmor | ||
34 | caps.drop all | ||
35 | machine-id | ||
36 | netfilter | ||
37 | nodvd | ||
38 | nogroups | ||
39 | nonewprivs | ||
40 | noroot | ||
41 | nosound | ||
42 | notv | ||
43 | nou2f | ||
44 | novideo | ||
45 | protocol unix,inet,inet6 | ||
46 | seccomp | ||
47 | shell none | ||
48 | tracelog | ||
49 | |||
50 | disable-mnt | ||
51 | private-bin com.gitlab.newsflash,newsflash | ||
52 | private-cache | ||
53 | private-dev | ||
54 | private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pango,pki,resolv.conf,ssl,X11 | ||
55 | private-tmp | ||
56 | |||
57 | dbus-user none | ||
58 | #dbus-user.own com.gitlab.newsflash | ||
59 | #dbus-user.talk org.freedesktop.Notifications | ||
60 | dbus-system none | ||
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile index 5d9225705..b51a86e7d 100644 --- a/etc/profile-m-z/signal-desktop.profile +++ b/etc/profile-m-z/signal-desktop.profile | |||
@@ -34,10 +34,12 @@ nodvd | |||
34 | nogroups | 34 | nogroups |
35 | notv | 35 | notv |
36 | nou2f | 36 | nou2f |
37 | novideo | ||
37 | shell none | 38 | shell none |
38 | 39 | ||
39 | disable-mnt | 40 | disable-mnt |
40 | private-dev | 41 | private-dev |
42 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl | ||
41 | private-tmp | 43 | private-tmp |
42 | 44 | ||
43 | dbus-user none | 45 | dbus-user none |
diff --git a/etc/profile-m-z/teams.profile b/etc/profile-m-z/teams.profile index 326b97e4b..bd7faa80a 100644 --- a/etc/profile-m-z/teams.profile +++ b/etc/profile-m-z/teams.profile | |||
@@ -1,14 +1,14 @@ | |||
1 | # Firejail profile for teams | 1 | # Firejail profile for teams |
2 | # Description: Official Microsoft Teams client for Linux using Electron. | 2 | # Description: Official Microsoft Teams client for Linux using Electron. |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Known issues: | ||
5 | # * if Teams crashes on startup try using "ignore apparmor" in your local config | ||
6 | # Persistent local customizations | 4 | # Persistent local customizations |
7 | include teams.local | 5 | include teams.local |
8 | # Persistent global definitions | 6 | # Persistent global definitions |
9 | # added by included profile | 7 | # added by included profile |
10 | #include globals.local | 8 | #include globals.local |
11 | 9 | ||
10 | # see #3404 | ||
11 | ignore apparmor | ||
12 | ignore dbus-user none | 12 | ignore dbus-user none |
13 | ignore dbus-system none | 13 | ignore dbus-system none |
14 | 14 | ||
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile index e3af5600a..8e0741458 100644 --- a/etc/profile-m-z/telegram.profile +++ b/etc/profile-m-z/telegram.profile | |||
@@ -25,5 +25,5 @@ seccomp | |||
25 | 25 | ||
26 | disable-mnt | 26 | disable-mnt |
27 | private-cache | 27 | private-cache |
28 | private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl | ||
28 | private-tmp | 29 | private-tmp |
29 | |||
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile index c0dbc9116..12bef5d1f 100644 --- a/etc/profile-m-z/virtualbox.profile +++ b/etc/profile-m-z/virtualbox.profile | |||
@@ -14,9 +14,12 @@ noblacklist /usr/lib/virtualbox | |||
14 | noblacklist /usr/lib64/virtualbox | 14 | noblacklist /usr/lib64/virtualbox |
15 | 15 | ||
16 | include disable-common.inc | 16 | include disable-common.inc |
17 | include disable-devel.inc | ||
17 | include disable-exec.inc | 18 | include disable-exec.inc |
19 | include disable-interpreters.inc | ||
18 | include disable-passwdmgr.inc | 20 | include disable-passwdmgr.inc |
19 | include disable-programs.inc | 21 | include disable-programs.inc |
22 | include disable-xdg.inc | ||
20 | 23 | ||
21 | mkdir ${HOME}/.config/VirtualBox | 24 | mkdir ${HOME}/.config/VirtualBox |
22 | mkdir ${HOME}/VirtualBox VMs | 25 | mkdir ${HOME}/VirtualBox VMs |
@@ -24,9 +27,23 @@ whitelist ${HOME}/.config/VirtualBox | |||
24 | whitelist ${HOME}/VirtualBox VMs | 27 | whitelist ${HOME}/VirtualBox VMs |
25 | whitelist ${DOWNLOADS} | 28 | whitelist ${DOWNLOADS} |
26 | include whitelist-common.inc | 29 | include whitelist-common.inc |
30 | include whitelist-runuser-common.inc | ||
31 | include whitelist-usr-share-common.inc | ||
27 | include whitelist-var-common.inc | 32 | include whitelist-var-common.inc |
28 | 33 | ||
29 | caps.keep net_raw,sys_admin,sys_nice | 34 | # For host-only network sys_admin is needed. See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630 |
35 | |||
36 | caps.keep net_raw,sys_nice | ||
30 | netfilter | 37 | netfilter |
31 | nodvd | 38 | nodvd |
39 | #nogroups | ||
32 | notv | 40 | notv |
41 | shell none | ||
42 | tracelog | ||
43 | |||
44 | #disable-mnt | ||
45 | private-cache | ||
46 | private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl | ||
47 | |||
48 | dbus-user none | ||
49 | dbus-system none | ||
diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile new file mode 100644 index 000000000..b760b44dd --- /dev/null +++ b/etc/profile-m-z/xfce4-screenshooter.profile | |||
@@ -0,0 +1,51 @@ | |||
1 | # Firejail profile for xfce4-screenshooter | ||
2 | # Description: Xfce screenshot tool | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include xfce4-screenshooter.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${PICTURES} | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-shell.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | whitelist /usr/share/xfce4 | ||
21 | include whitelist-runuser-common.inc | ||
22 | include whitelist-usr-share-common.inc | ||
23 | include whitelist-var-common.inc | ||
24 | |||
25 | apparmor | ||
26 | caps.drop all | ||
27 | machine-id | ||
28 | netfilter | ||
29 | no3d | ||
30 | nodvd | ||
31 | nogroups | ||
32 | nonewprivs | ||
33 | noroot | ||
34 | notv | ||
35 | nou2f | ||
36 | novideo | ||
37 | protocol unix,inet,inet6 | ||
38 | seccomp | ||
39 | shell none | ||
40 | tracelog | ||
41 | |||
42 | disable-mnt | ||
43 | private-bin xfce4-screenshooter,xfconf-query | ||
44 | private-dev | ||
45 | private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,pki,resolv.conf,ssl | ||
46 | private-tmp | ||
47 | |||
48 | dbus-user none | ||
49 | dbus-system none | ||
50 | |||
51 | memory-deny-write-execute | ||
diff --git a/etc/profile-m-z/zoom.profile b/etc/profile-m-z/zoom.profile index 6eac10703..b3125ee50 100644 --- a/etc/profile-m-z/zoom.profile +++ b/etc/profile-m-z/zoom.profile | |||
@@ -10,8 +10,11 @@ noblacklist ${HOME}/.zoom | |||
10 | 10 | ||
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | include disable-devel.inc | 12 | include disable-devel.inc |
13 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | 14 | include disable-interpreters.inc |
15 | include disable-passwdmgr.inc | ||
14 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | include disable-xdg.inc | ||
15 | 18 | ||
16 | mkdir ${HOME}/.cache/zoom | 19 | mkdir ${HOME}/.cache/zoom |
17 | mkfile ${HOME}/.config/zoomus.conf | 20 | mkfile ${HOME}/.config/zoomus.conf |
@@ -20,14 +23,25 @@ whitelist ${HOME}/.cache/zoom | |||
20 | whitelist ${HOME}/.config/zoomus.conf | 23 | whitelist ${HOME}/.config/zoomus.conf |
21 | whitelist ${HOME}/.zoom | 24 | whitelist ${HOME}/.zoom |
22 | include whitelist-common.inc | 25 | include whitelist-common.inc |
26 | include whitelist-runuser-common.inc | ||
27 | include whitelist-usr-share-common.inc | ||
28 | include whitelist-var-common.inc | ||
23 | 29 | ||
24 | caps.drop all | 30 | caps.drop all |
25 | netfilter | 31 | netfilter |
26 | nodvd | 32 | nodvd |
33 | nogroups | ||
27 | nonewprivs | 34 | nonewprivs |
28 | noroot | 35 | noroot |
29 | notv | 36 | notv |
37 | nou2f | ||
30 | protocol unix,inet,inet6,netlink | 38 | protocol unix,inet,inet6,netlink |
31 | seccomp !chroot | 39 | seccomp !chroot |
40 | shell none | ||
41 | tracelog | ||
32 | 42 | ||
43 | disable-mnt | ||
44 | private-cache | ||
45 | private-dev | ||
46 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl | ||
33 | private-tmp | 47 | private-tmp |
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 4cfbb5480..e9ecab925 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -111,6 +111,7 @@ calligrawords | |||
111 | cameramonitor | 111 | cameramonitor |
112 | cantata | 112 | cantata |
113 | catfish | 113 | catfish |
114 | cawbird | ||
114 | celluloid | 115 | celluloid |
115 | checkbashisms | 116 | checkbashisms |
116 | cheese | 117 | cheese |
@@ -136,6 +137,7 @@ code | |||
136 | code-oss | 137 | code-oss |
137 | com.github.dahenson.agenda | 138 | com.github.dahenson.agenda |
138 | com.github.johnfactotum.Foliate | 139 | com.github.johnfactotum.Foliate |
140 | com.gitlab.newsflash | ||
139 | conkeror | 141 | conkeror |
140 | conky | 142 | conky |
141 | conplay | 143 | conplay |
@@ -238,6 +240,7 @@ freemind | |||
238 | freeoffice-planmaker | 240 | freeoffice-planmaker |
239 | freeoffice-presentations | 241 | freeoffice-presentations |
240 | freeoffice-textmaker | 242 | freeoffice-textmaker |
243 | freetube | ||
241 | freshclam | 244 | freshclam |
242 | frogatto | 245 | frogatto |
243 | frozen-bubble | 246 | frozen-bubble |
@@ -333,6 +336,7 @@ hedgewars | |||
333 | hexchat | 336 | hexchat |
334 | highlight | 337 | highlight |
335 | hitori | 338 | hitori |
339 | homebank | ||
336 | host | 340 | host |
337 | hugin | 341 | hugin |
338 | hyperrogue | 342 | hyperrogue |
@@ -436,6 +440,7 @@ mate-calculator | |||
436 | mate-color-select | 440 | mate-color-select |
437 | mate-dictionary | 441 | mate-dictionary |
438 | mathematica | 442 | mathematica |
443 | mattermost-desktop | ||
439 | mcabber | 444 | mcabber |
440 | mediainfo | 445 | mediainfo |
441 | mediathekview | 446 | mediathekview |
@@ -448,6 +453,7 @@ meteo-qt | |||
448 | midori | 453 | midori |
449 | min | 454 | min |
450 | mindless | 455 | mindless |
456 | minecraft-launcher | ||
451 | minetest | 457 | minetest |
452 | mirrormagic | 458 | mirrormagic |
453 | mocp | 459 | mocp |
@@ -502,6 +508,7 @@ neverball | |||
502 | neverputt | 508 | neverputt |
503 | newsbeuter | 509 | newsbeuter |
504 | newsboat | 510 | newsboat |
511 | newsflash | ||
505 | nheko | 512 | nheko |
506 | nicotine | 513 | nicotine |
507 | nitroshare | 514 | nitroshare |
@@ -536,7 +543,7 @@ orage | |||
536 | ostrichriders | 543 | ostrichriders |
537 | out123 | 544 | out123 |
538 | palemoon | 545 | palemoon |
539 | pandoc | 546 | #pandoc |
540 | parole | 547 | parole |
541 | patch | 548 | patch |
542 | pavucontrol | 549 | pavucontrol |
@@ -778,6 +785,7 @@ xfburn | |||
778 | xfce4-dict | 785 | xfce4-dict |
779 | xfce4-mixer | 786 | xfce4-mixer |
780 | xfce4-notes | 787 | xfce4-notes |
788 | xfce4-screenshooter | ||
781 | xiphos | 789 | xiphos |
782 | xlinks | 790 | xlinks |
783 | xmms | 791 | xmms |
diff --git a/src/firejail/util.c b/src/firejail/util.c index 6bfc80903..3aa0584d6 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -957,16 +957,27 @@ int remove_overlay_directory(void) { | |||
957 | return 0; | 957 | return 0; |
958 | } | 958 | } |
959 | 959 | ||
960 | // flush stdin if it is connected to a tty and has input | ||
960 | void flush_stdin(void) { | 961 | void flush_stdin(void) { |
961 | if (isatty(STDIN_FILENO)) { | 962 | if (!isatty(STDIN_FILENO)) |
962 | int cnt = 0; | 963 | return; |
963 | int rv = ioctl(STDIN_FILENO, FIONREAD, &cnt); | 964 | |
964 | if (rv == 0 && cnt) { | 965 | int cnt = 0; |
965 | fwarning("removing %d bytes from stdin\n", cnt); | 966 | int rv = ioctl(STDIN_FILENO, FIONREAD, &cnt); |
966 | rv = ioctl(STDIN_FILENO, TCFLSH, TCIFLUSH); | 967 | if (rv != 0 || cnt == 0) |
967 | (void) rv; | 968 | return; |
968 | } | 969 | |
969 | } | 970 | fwarning("removing %d bytes from stdin\n", cnt); |
971 | |||
972 | // If this process is backgrounded, below ioctl() will trigger | ||
973 | // SIGTTOU and stop us. We avoid this by ignoring SIGTTOU for | ||
974 | // the duration of the ioctl. | ||
975 | sighandler_t hdlr = signal(SIGTTOU, SIG_IGN); | ||
976 | rv = ioctl(STDIN_FILENO, TCFLSH, TCIFLUSH); | ||
977 | signal(SIGTTOU, hdlr); | ||
978 | |||
979 | if (rv) | ||
980 | fwarning("Flushing stdin failed: %s\n", strerror(errno)); | ||
970 | } | 981 | } |
971 | 982 | ||
972 | // return 1 if new directory was created, else return 0 | 983 | // return 1 if new directory was created, else return 0 |