diff options
| -rw-r--r-- | etc/inc/disable-passwdmgr.inc | 8 | ||||
| -rw-r--r-- | etc/inc/disable-programs.inc | 2 | ||||
| -rw-r--r-- | etc/profile-a-l/darktable.profile | 2 | ||||
| -rw-r--r-- | etc/profile-a-l/email-common.profile | 1 | ||||
| -rw-r--r-- | etc/profile-m-z/xournalpp.profile | 10 | ||||
| -rw-r--r-- | etc/templates/syscalls.txt | 2 |
6 files changed, 22 insertions, 3 deletions
diff --git a/etc/inc/disable-passwdmgr.inc b/etc/inc/disable-passwdmgr.inc index 3ed9a1b14..5876e2763 100644 --- a/etc/inc/disable-passwdmgr.inc +++ b/etc/inc/disable-passwdmgr.inc | |||
| @@ -17,3 +17,11 @@ blacklist ${HOME}/.lastpass | |||
| 17 | blacklist ${HOME}/.local/share/KeePass | 17 | blacklist ${HOME}/.local/share/KeePass |
| 18 | blacklist ${HOME}/.local/share/keepass | 18 | blacklist ${HOME}/.local/share/keepass |
| 19 | blacklist ${HOME}/.password-store | 19 | blacklist ${HOME}/.password-store |
| 20 | |||
| 21 | # Remove environment variables with auth tokens. | ||
| 22 | # Note however that the sandbox might still have access to the | ||
| 23 | # files where these variables are set. | ||
| 24 | rmenv GH_TOKEN | ||
| 25 | rmenv GITHUB_TOKEN | ||
| 26 | rmenv GH_ENTERPRISE_TOKEN | ||
| 27 | rmenv GITHUB_ENTERPRISE_TOKEN | ||
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index cdc5f622c..f8a94e498 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
| @@ -438,6 +438,7 @@ blacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml | |||
| 438 | blacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml | 438 | blacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml |
| 439 | blacklist ${HOME}/.config/xiaoyong | 439 | blacklist ${HOME}/.config/xiaoyong |
| 440 | blacklist ${HOME}/.config/xmms2 | 440 | blacklist ${HOME}/.config/xmms2 |
| 441 | blacklist ${HOME}/.config/xournalpp | ||
| 441 | blacklist ${HOME}/.config/xplayer | 442 | blacklist ${HOME}/.config/xplayer |
| 442 | blacklist ${HOME}/.config/xreader | 443 | blacklist ${HOME}/.config/xreader |
| 443 | blacklist ${HOME}/.config/xviewer | 444 | blacklist ${HOME}/.config/xviewer |
| @@ -1099,6 +1100,7 @@ blacklist ${HOME}/.cache/waterfox | |||
| 1099 | blacklist ${HOME}/.cache/wesnoth | 1100 | blacklist ${HOME}/.cache/wesnoth |
| 1100 | blacklist ${HOME}/.cache/winetricks | 1101 | blacklist ${HOME}/.cache/winetricks |
| 1101 | blacklist ${HOME}/.cache/xmms2 | 1102 | blacklist ${HOME}/.cache/xmms2 |
| 1103 | blacklist ${HOME}/.cache/xournalpp | ||
| 1102 | blacklist ${HOME}/.cache/xreader | 1104 | blacklist ${HOME}/.cache/xreader |
| 1103 | blacklist ${HOME}/.cache/yandex-browser | 1105 | blacklist ${HOME}/.cache/yandex-browser |
| 1104 | blacklist ${HOME}/.cache/yandex-browser-beta | 1106 | blacklist ${HOME}/.cache/yandex-browser-beta |
diff --git a/etc/profile-a-l/darktable.profile b/etc/profile-a-l/darktable.profile index 61fa52928..bc388c913 100644 --- a/etc/profile-a-l/darktable.profile +++ b/etc/profile-a-l/darktable.profile | |||
| @@ -10,6 +10,8 @@ noblacklist ${HOME}/.cache/darktable | |||
| 10 | noblacklist ${HOME}/.config/darktable | 10 | noblacklist ${HOME}/.config/darktable |
| 11 | noblacklist ${PICTURES} | 11 | noblacklist ${PICTURES} |
| 12 | 12 | ||
| 13 | include allow-lua.inc | ||
| 14 | |||
| 13 | include disable-common.inc | 15 | include disable-common.inc |
| 14 | include disable-devel.inc | 16 | include disable-devel.inc |
| 15 | include disable-exec.inc | 17 | include disable-exec.inc |
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile index 6c9a8a6ea..5c4a4d3ac 100644 --- a/etc/profile-a-l/email-common.profile +++ b/etc/profile-a-l/email-common.profile | |||
| @@ -7,6 +7,7 @@ include email-common.local | |||
| 7 | # added by caller profile | 7 | # added by caller profile |
| 8 | #include globals.local | 8 | #include globals.local |
| 9 | 9 | ||
| 10 | noblacklist ${HOME}/.bogofilter | ||
| 10 | noblacklist ${HOME}/.gnupg | 11 | noblacklist ${HOME}/.gnupg |
| 11 | noblacklist ${HOME}/.mozilla | 12 | noblacklist ${HOME}/.mozilla |
| 12 | noblacklist ${HOME}/.signature | 13 | noblacklist ${HOME}/.signature |
diff --git a/etc/profile-m-z/xournalpp.profile b/etc/profile-m-z/xournalpp.profile index 988b878b9..1ef789689 100644 --- a/etc/profile-m-z/xournalpp.profile +++ b/etc/profile-m-z/xournalpp.profile | |||
| @@ -7,23 +7,29 @@ include xournalpp.local | |||
| 7 | # added by included profile | 7 | # added by included profile |
| 8 | #include globals.local | 8 | #include globals.local |
| 9 | 9 | ||
| 10 | noblacklist ${HOME}/.cache/xournalpp | ||
| 11 | noblacklist ${HOME}/.config/xournalpp | ||
| 10 | noblacklist ${HOME}/.xournalpp | 12 | noblacklist ${HOME}/.xournalpp |
| 11 | 13 | ||
| 12 | include allow-lua.inc | 14 | include allow-lua.inc |
| 13 | 15 | ||
| 16 | whitelist /usr/share/pipewire | ||
| 14 | whitelist /usr/share/texlive | 17 | whitelist /usr/share/texlive |
| 15 | whitelist /usr/share/xournalpp | 18 | whitelist /usr/share/xournalpp |
| 16 | whitelist /var/lib/texmf | 19 | whitelist /var/lib/texmf |
| 17 | include whitelist-runuser-common.inc | 20 | include whitelist-runuser-common.inc |
| 18 | 21 | ||
| 19 | #mkdir ${HOME}/.xournalpp | 22 | #mkdir ${HOME}/.cache/xournalpp |
| 23 | #mkdir ${HOME}/.config/xournalpp | ||
| 24 | #whitelist ${HOME}/.cache/xournalpp | ||
| 25 | #whitelist ${HOME}/.config/xournalpp | ||
| 20 | #whitelist ${HOME}/.xournalpp | 26 | #whitelist ${HOME}/.xournalpp |
| 21 | #whitelist ${HOME}/.texlive20* | 27 | #whitelist ${HOME}/.texlive20* |
| 22 | #whitelist ${DOCUMENTS} | 28 | #whitelist ${DOCUMENTS} |
| 23 | #include whitelist-common.inc | 29 | #include whitelist-common.inc |
| 24 | 30 | ||
| 25 | private-bin kpsewhich,pdflatex,xournalpp | 31 | private-bin kpsewhich,pdflatex,xournalpp |
| 26 | private-etc latexmk.conf,texlive | 32 | private-etc alternatives,latexmk.conf,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,texlive |
| 27 | 33 | ||
| 28 | # Redirect | 34 | # Redirect |
| 29 | include xournal.profile | 35 | include xournal.profile |
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt index 38f789923..827b075e5 100644 --- a/etc/templates/syscalls.txt +++ b/etc/templates/syscalls.txt | |||
| @@ -95,7 +95,7 @@ Now switch back to the first terminal (where `journalctl` is running) and look | |||
| 95 | for the numbers of the blocked syscall(s) (`syscall=<NUMBER>`). As soon as you | 95 | for the numbers of the blocked syscall(s) (`syscall=<NUMBER>`). As soon as you |
| 96 | have found them, you can stop `journalctl` (^C) and execute | 96 | have found them, you can stop `journalctl` (^C) and execute |
| 97 | `firejail --debug-syscalls | grep NUMBER` to get the name of the syscall. | 97 | `firejail --debug-syscalls | grep NUMBER` to get the name of the syscall. |
| 98 | In the particular case that it is a 32bit syscall on a 64bit system, use `ausyscall i386 NUMBER`. | 98 | In the particular case that it is a 32bit syscall on a 64bit system, use `firejail --debug-syscalls32 | grep NUMBER`. |
| 99 | Now you can add a seccomp exception using `seccomp !NAME`. | 99 | Now you can add a seccomp exception using `seccomp !NAME`. |
| 100 | 100 | ||
| 101 | If the blocked syscall is ptrace, consider to add allow-debuggers to the profile. | 101 | If the blocked syscall is ptrace, consider to add allow-debuggers to the profile. |