-rw-r--r-- | Makefile.in | 8 | ||||
-rw-r--r-- | etc/inc/disable-programs.inc | 2 | ||||
-rw-r--r-- | etc/profile-a-l/discord-common.profile | 2 | ||||
-rw-r--r-- | etc/profile-a-l/gnome-calculator.profile | 12 | ||||
-rw-r--r-- | etc/profile-a-l/gnome-pomodoro.profile | 2 | ||||
-rw-r--r-- | etc/profile-a-l/homebank.profile | 59 | ||||
-rw-r--r-- | etc/profile-m-z/mattermost-desktop.profile | 46 | ||||
-rw-r--r-- | etc/profile-m-z/signal-desktop.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/teams.profile | 4 | ||||
-rw-r--r-- | etc/profile-m-z/telegram.profile | 2 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 4 |
11 files changed, 129 insertions, 14 deletions
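diff --git a/Makefile.in b/Makefile.in
index 65dd430b5..8cbba12e9 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -89,7 +89,7 @@ distclean: clean
 	for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \
 	$(MAKE) -C $$dir distclean; \
 	done
-	rm -fr Makefile autom4te.cache config.log config.status config.h src/common.mk
+	rm -fr Makefile autom4te.cache config.log config.status config.h src/common.mk mkdeb.sh
 
 realinstall:
 	# firejail executable
@@ -176,7 +176,9 @@ DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcop
 
 dist:
 	mv config.status config.status.old
+	mv mkdeb.sh mkdeb.sh.old
 	make distclean
+	mv mkdeb.sh.old mkdeb.sh
 	mv config.status.old config.status
 	rm -fr $(NAME)-$(VERSION) $(NAME)-$(VERSION).tar.xz
 	mkdir -p $(NAME)-$(VERSION)/test
@@ -269,7 +271,7 @@ test-travis: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sy
 
 ##########################################
 # Individual tests, some of them require root access
-# The tests are very intrussive, by the time you are done
+# The tests are very intrusive, by the time you are done
 # with them you will need to restart your computer.
 ##########################################
 
@@ -294,7 +296,7 @@ test-network:
 test-stress:
 	cd test/stress; ./stress.sh | grep TESTING
 
-# Tesets running a root user
+# Tests running a root user
 test-root:
 	cd test/root; su -c ./root.sh | grep TESTING
 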
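Review bot: The two new lines in `dist`, `mv mkdeb.sh mkdeb.sh.old` and `mv mkdeb.sh.old mkdeb.sh`, carry no comment, and because the first hunk now makes `distclean` delete mkdeb.sh a reader of `dist` cannot tell the rename-around is deliberate; suggest `# mkdeb.sh is removed by distclean but the dist build still needs it, so park it` above the first mv (presumably it is a configure output like config.status — confirm). Each recipe line runs in its own shell and Make stops at the first failing line, so if the intervening `make distclean` fails mkdeb.sh is left parked as mkdeb.sh.old with no restore, the same fragility the existing config.status dance already has. That unchanged recursive call should also be `$(MAKE) distclean` rather than `make distclean` so -j, -n and command-line variables propagate. The `dist` recipe continues past the end of the hunk.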
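diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 865eefb18..f033371f8 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -100,6 +100,7 @@ blacklist ${HOME}/.config/Jitsi Meet
 blacklist ${HOME}/.config/Kid3
 blacklist ${HOME}/.config/Kingsoft
 blacklist ${HOME}/.config/Luminance
+blacklist ${HOME}/.config/Mattermost
 blacklist ${HOME}/.config/Meltytech
 blacklist ${HOME}/.config/Mendeley Ltd.
 blacklist ${HOME}/.config/Min
@@ -236,6 +237,7 @@ blacklist ${HOME}/.config/gthumb
 blacklist ${HOME}/.config/gummi
 blacklist ${HOME}/.config/gwenviewrc
 blacklist ${HOME}/.config/hexchat
+blacklist ${HOME}/.config/homebank
 blacklist ${HOME}/.config/i2p
 blacklist ${HOME}/.config/inkscape
 blacklist ${HOME}/.config/inox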
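diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile
index cbeef798f..35bea4aaa 100644
--- a/etc/profile-a-l/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -32,7 +32,7 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp !chroot
 
-private-bin bash,cut,echo,egrep,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
+private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl
 private-tmp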
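Review bot: The new `fish` entry makes a fifth shell/interpreter (after bash, sh, zsh and tclsh) executable inside the sandbox via `private-bin`, with nothing on the line recording what needs it. Presumably it is for users whose login shell is fish so that xdg-open style helpers can run — confirm, and record it, e.g. a comment above the line such as `# fish: login shell of some users, needed by xdg-open helpers`, so the next reviewer does not silently treat the entry as removable or, conversely, keep widening the list.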
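diff --git a/etc/profile-a-l/gnome-calculator.profile b/etc/profile-a-l/gnome-calculator.profile
index bc6626598..ceb01f2a0 100644
--- a/etc/profile-a-l/gnome-calculator.profile
+++ b/etc/profile-a-l/gnome-calculator.profile
@@ -25,7 +25,7 @@ apparmor
 caps.drop all
 ipc-namespace
 machine-id
-# net none
+#net none -- breaks currency conversion
 netfilter
 no3d
 nodvd
@@ -39,6 +39,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 
 disable-mnt
 private-bin gnome-calculator
@@ -47,8 +48,7 @@ private-dev
 #private-lib gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*,libgnutls.so.*,libproxy.so.*,librsvg-2.so.*,libxml2.so.*
 private-tmp
 
-# makes settings immutable
-# dbus-user none
-# dbus-system none
-
-# memory-deny-write-execute
+dbus-user filter
+dbus-user.own org.gnome.Calculator
+dbus-user.talk ca.desrt.dconf
+dbus-system none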
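Review bot: The third hunk drops the `# memory-deny-write-execute` line together with the old dbus comments, while the new homebank.profile in this same commit keeps that line as a documented not-yet-enabled option; if it was removed on purpose that is fine, otherwise keeping it preserves the signal that the hardening was considered but not verified. The old `# makes settings immutable` remark is gone too, and the new `dbus-user.talk ca.desrt.dconf` line is what makes settings writable again, so a short comment such as `# dconf access needed so preferences persist` would keep that reasoning visible.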
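diff --git a/etc/profile-a-l/gnome-pomodoro.profile b/etc/profile-a-l/gnome-pomodoro.profile
index 2a5d2a231..a46e47759 100644
--- a/etc/profile-a-l/gnome-pomodoro.profile
+++ b/etc/profile-a-l/gnome-pomodoro.profile
@@ -50,7 +50,9 @@ private-tmp
 dbus-user filter
 dbus-user.own org.gnome.Pomodoro
 dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gnome.Mutter.IdleMonitor
 dbus-user.talk org.gnome.Shell
+dbus-user.talk org.freedesktop.Notifications
 dbus-system none
 
 read-only ${HOME}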
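diff --git a/etc/profile-a-l/homebank.profile b/etc/profile-a-l/homebank.profile
new file mode 100644
index 000000000..8e600a2d7
--- /dev/null
+++ b/etc/profile-a-l/homebank.profile
@@ -0,0 +1,59 @@
+# Firejail profile for homebank
+# Description: Personal finance manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include homebank.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/homebank
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-passwdmgr.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/homebank
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/homebank
+whitelist /usr/share/homebank
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+# net none
+netfilter
+nodvd
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin homebank
+private-cache
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11
+private-tmp
+
+dbus-user none
+dbus-system none
+
+# memory-deny-write-execute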
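Review bot: `nodvd` appears twice in the new file (lines 34 and 36), and the run `nodvd`, `no3d`, `nodvd` breaks the alphabetical order the rest of the option list follows; drop the first occurrence so the block reads `no3d` then `nodvd`. The profile sets `nosound`, yet `private-etc` still mounts `asound.conf` and `pulse`, which are dead weight once audio is disabled and can be removed from the list. `# net none` is left commented while `netfilter` and `protocol unix,inet,inet6` remain, so a personal-finance application keeps network access with no stated reason; either record why it is needed (gnome-calculator.profile in this commit uses the pattern `#net none -- breaks currency conversion`) or, if it is not needed, enable `net none`, which is the stronger setting for data of this kind.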
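diff --git a/etc/profile-m-z/mattermost-desktop.profile b/etc/profile-m-z/mattermost-desktop.profile
new file mode 100644
index 000000000..e4487c8aa
--- /dev/null
+++ b/etc/profile-m-z/mattermost-desktop.profile
@@ -0,0 +1,46 @@
+# Firejail profile for mattermost-desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mattermost-desktop.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Mattermost
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-passwdmgr.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/Mattermost
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/Mattermost
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.keep sys_admin,sys_chroot
+netfilter
+nodvd
+nogroups
+notv
+nou2f
+novideo
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
+private-tmp
+
+# Not tested
+#dbus-user filter
+#dbus-user.own com.mattermost.Desktop
+#dbus-user.talk org.freedesktop.Notifications
+#dbus-system none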
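Review bot: The new profile keeps `caps.keep sys_admin,sys_chroot` and has no `caps.drop all`, `seccomp`, `nonewprivs`, `noroot`, `protocol` or `apparmor` line, so a compromised renderer in this sandbox retains two of the most powerful capabilities and an unfiltered syscall surface — markedly weaker than the sibling Electron profile discord-common.profile touched in this same commit, which uses `seccomp !chroot`. If the two capabilities are kept for the Chromium setuid sandbox, say so in a comment (e.g. `# sys_admin/sys_chroot kept for the chromium sandbox helper`) and add at least `nonewprivs`, `noroot` and `seccomp !chroot` alongside; otherwise `caps.drop all` should replace the keep. The dbus block is entirely commented out under `# Not tested`, so the session bus is unrestricted until someone verifies `dbus-user filter`; that should be tracked rather than left implicit. The header also lacks the `# Description:` line the other new profile (homebank.profile) carries.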
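diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
index 5d9225705..b51a86e7d 100644
--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -34,10 +34,12 @@ nodvd
 nogroups
 notv
 nou2f
+novideo
 shell none
 
 disable-mnt
 private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
 
 dbus-user none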
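Review bot: The new `private-etc` line omits `localtime`, which both the list added to telegram.profile in this commit and the existing discord-common.profile list include; if the client renders local message timestamps it will presumably see UTC inside the sandbox — confirm before merging. The list is otherwise byte-identical to the one in the new mattermost-desktop.profile, so a short comment on what drove its contents (or a note in the commit) would help keep the two from drifting apart.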
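diff --git a/etc/profile-m-z/teams.profile b/etc/profile-m-z/teams.profile
index 326b97e4b..bd7faa80a 100644
--- a/etc/profile-m-z/teams.profile
+++ b/etc/profile-m-z/teams.profile
@@ -1,14 +1,14 @@
 # Firejail profile for teams
 # Description: Official Microsoft Teams client for Linux using Electron.
 # This file is overwritten after every install/update
-# Known issues:
-# * if Teams crashes on startup try using "ignore apparmor" in your local config
 # Persistent local customizations
 include teams.local
 # Persistent global definitions
 # added by included profile
 #include globals.local
 
+# see #3404
+ignore apparmor
 ignore dbus-user none
 ignore dbus-system none
 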
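Review bot: `ignore apparmor` turns off AppArmor confinement for every user of this profile, where the removed "Known issues" note had left it as an opt-in workaround in the user's local config; that is a real reduction in sandbox strength and the bare `# see #3404` does not say so. Expand the comment to one line that states the trade-off and the exit condition, e.g. `# see #3404: apparmor makes teams crash on startup; drop this once fixed`, so the workaround is revisited rather than fossilised.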
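diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
index e3af5600a..8e0741458 100644
--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -25,5 +25,5 @@ seccomp
 
 disable-mnt
 private-cache
+private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
-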
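Review bot: The new `private-etc` list differs from the one added to signal-desktop.profile in the same commit — it lacks `alternatives`, `ld.so.conf`, `ld.so.conf.d`, `ld.so.preload` and `nsswitch.conf` but adds `localtime` and `pulse` — and nothing records whether each difference is deliberate. `nsswitch.conf` in particular is what normally drives name resolution inside the sandbox, so its absence should be confirmed against a live test rather than assumed; a one-line comment above the entry would stop the next maintainer from re-deriving the list. The deleted line 29 is only the trailing blank line.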
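diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 4cfbb5480..3ae6e4729 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -333,6 +333,7 @@ hedgewars
 hexchat
 highlight
 hitori
+homebank
 host
 hugin
 hyperrogue
@@ -436,6 +437,7 @@ mate-calculator
 mate-color-select
 mate-dictionary
 mathematica
+mattermost-desktop
 mcabber
 mediainfo
 mediathekview
@@ -536,7 +538,7 @@ orage
 ostrichriders
 out123
 palemoon
-pandoc
+#pandoc
 parole
 patch
 pavucontrol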
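Review bot: `pandoc` is commented out in the third hunk with no reason recorded next to it, so firecfg will silently stop symlinking it and nobody reading the file later can tell whether it is safe to re-enable; add a short note such as `#pandoc -- <reason placeholder>, re-enable once resolved` on or above the line. The `homebank` and `mattermost-desktop` additions in the first two hunks are in alphabetical position and match the two new profiles, so those need nothing further.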