-rw-r--r-- | etc/inc/disable-passwdmgr.inc | 8 | ||||
-rw-r--r-- | etc/inc/disable-programs.inc | 2 | ||||
-rw-r--r-- | etc/profile-a-l/darktable.profile | 2 | ||||
-rw-r--r-- | etc/profile-a-l/email-common.profile | 1 | ||||
-rw-r--r-- | etc/profile-m-z/xournalpp.profile | 10 | ||||
-rw-r--r-- | etc/templates/syscalls.txt | 2 |
6 files changed, 22 insertions, 3 deletions
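--- a/etc/inc/disable-passwdmgr.inc
+++ b/etc/inc/disable-passwdmgr.inc
@@ -17,3 +17,11 @@ blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.local/share/KeePass
 blacklist ${HOME}/.local/share/keepass
 blacklist ${HOME}/.password-store
+
+# Remove environment variables with auth tokens.
+# Note however that the sandbox might still have access to the
+# files where these variables are set.
+rmenv GH_TOKEN
+rmenv GITHUB_TOKEN
+rmenv GH_ENTERPRISE_TOKEN
+rmenv GITHUB_ENTERPRISE_TOKEN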
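Review bot: The header comment above `rmenv GH_TOKEN` promises removal of "environment variables with auth tokens", but the four variables that follow are all GitHub-specific, so a reader will assume broader coverage than this include actually gives; state the scope, e.g. `# Remove GitHub CLI/API auth tokens from the environment.`. Because disable-passwdmgr.inc is pulled in by many profiles, a sandboxed tool that legitimately relies on one of these tokens now loses it silently, so it is worth adding a second line pointing at the escape hatch, along the lines of `# Profiles that need a token can re-enable it with "ignore rmenv GH_TOKEN" in their .local file` (assuming the `ignore` directive matches the full command line, as it does for other commands). The caveat about rc files is correct; note additionally that if ~/.config/gh is not blacklisted elsewhere (not visible in this hunk), the credential the gh CLI stores on disk remains reachable regardless of rmenv.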
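--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -438,6 +438,7 @@ blacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
 blacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
 blacklist ${HOME}/.config/xiaoyong
 blacklist ${HOME}/.config/xmms2
+blacklist ${HOME}/.config/xournalpp
 blacklist ${HOME}/.config/xplayer
 blacklist ${HOME}/.config/xreader
 blacklist ${HOME}/.config/xviewer
@@ -1099,6 +1100,7 @@ blacklist ${HOME}/.cache/waterfox
 blacklist ${HOME}/.cache/wesnoth
 blacklist ${HOME}/.cache/winetricks
 blacklist ${HOME}/.cache/xmms2
+blacklist ${HOME}/.cache/xournalpp
 blacklist ${HOME}/.cache/xreader
 blacklist ${HOME}/.cache/yandex-browser
 blacklist ${HOME}/.cache/yandex-browser-beta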
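--- a/etc/profile-a-l/darktable.profile
+++ b/etc/profile-a-l/darktable.profile
@@ -10,6 +10,8 @@ noblacklist ${HOME}/.cache/darktable
 noblacklist ${HOME}/.config/darktable
 noblacklist ${PICTURES}
 
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc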
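Review bot: The new `include allow-lua.inc` sits before the `disable-*.inc` includes, which is the order its noblacklist lines (presumably what that include contains) need to take effect, but nothing records why darktable needs a Lua interpreter inside the sandbox. A one-line comment above it, e.g. `# darktable's Lua scripting (luarc / lua-scripts) needs the interpreter and its modules`, would let a later reviewer judge whether this widening is still required. Note that together with the visible `noblacklist ${HOME}/.config/darktable`, any Lua placed under that config directory becomes runnable inside the sandbox; that is presumably the intent, but it is worth stating explicitly.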
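--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -7,6 +7,7 @@ include email-common.local
 # added by caller profile
 #include globals.local
 
+noblacklist ${HOME}/.bogofilter
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.signature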
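Review bot: `noblacklist ${HOME}/.bogofilter` only undoes a blacklist; if email-common.profile or a caller profile whitelists ${HOME} entries (the rest of this file is outside the hunk), the directory stays invisible without a matching `whitelist ${HOME}/.bogofilter` in the whitelist section, so check that section as well. Because this file is shared by every profile that includes it, the spam-filter database is now exposed to every such client, including ones that never invoke bogofilter; if only one client needs it, the line belongs in that profile or its .local. A short comment naming the consumer, e.g. `# bogofilter spam database, read/written by mail-client filter hooks`, would make that decision reviewable later.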
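--- a/etc/profile-m-z/xournalpp.profile
+++ b/etc/profile-m-z/xournalpp.profile
@@ -7,23 +7,29 @@ include xournalpp.local
 # added by included profile
 #include globals.local
 
+noblacklist ${HOME}/.cache/xournalpp
+noblacklist ${HOME}/.config/xournalpp
 noblacklist ${HOME}/.xournalpp
 
 include allow-lua.inc
 
+whitelist /usr/share/pipewire
 whitelist /usr/share/texlive
 whitelist /usr/share/xournalpp
 whitelist /var/lib/texmf
 include whitelist-runuser-common.inc
 
-#mkdir ${HOME}/.xournalpp
+#mkdir ${HOME}/.cache/xournalpp
+#mkdir ${HOME}/.config/xournalpp
+#whitelist ${HOME}/.cache/xournalpp
+#whitelist ${HOME}/.config/xournalpp
 #whitelist ${HOME}/.xournalpp
 #whitelist ${HOME}/.texlive20*
 #whitelist ${DOCUMENTS}
 #include whitelist-common.inc
 
 private-bin kpsewhich,pdflatex,xournalpp
-private-etc latexmk.conf,texlive
+private-etc alternatives,latexmk.conf,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,texlive
 
 # Redirect
 include xournal.profile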
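Review bot: The commented whitelist section is now internally inconsistent: `#mkdir ${HOME}/.xournalpp` was replaced by the `.cache`/`.config` mkdirs, yet `#whitelist ${HOME}/.xournalpp` is kept, so whoever uncomments the block will whitelist a path that firejail silently skips when it does not exist, and xournalpp will then be unable to create its legacy directory. Either keep the mkdir next to the new ones, `#mkdir ${HOME}/.xournalpp` directly above `#whitelist ${HOME}/.xournalpp`, or drop that whitelist line too if the legacy path is no longer used. Separately, the widened `private-etc` now carries the loader files including `ld.so.preload`; that looks like the standard set used elsewhere, but since the profile then redirects to xournal.profile, confirm that a second `private-etc` in that file merges with rather than replaces this list.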
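--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -95,7 +95,7 @@ Now switch back to the first terminal (where `journalctl` is running) and look
 for the numbers of the blocked syscall(s) (`syscall=<NUMBER>`). As soon as you
 have found them, you can stop `journalctl` (^C) and execute
 `firejail --debug-syscalls | grep NUMBER` to get the name of the syscall.
-In the particular case that it is a 32bit syscall on a 64bit system, use `ausyscall i386 NUMBER`.
+In the particular case that it is a 32bit syscall on a 64bit system, use `firejail --debug-syscalls32 | grep NUMBER`.
 Now you can add a seccomp exception using `seccomp !NAME`.
 
 If the blocked syscall is ptrace, consider to add allow-debuggers to the profile.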