Diffstat (limited to 'etc-fixes')
-rw-r--r-- | etc-fixes/0.9.38/firefox.profile | 32 | ||||
-rw-r--r-- | etc-fixes/0.9.52/atom.profile | 31 | ||||
-rw-r--r-- | etc-fixes/0.9.52/firefox.profile | 99 | ||||
-rw-r--r-- | etc-fixes/0.9.52/gedit.profile | 44 | ||||
-rw-r--r-- | etc-fixes/0.9.52/libreoffice.profile | 36 | ||||
-rw-r--r-- | etc-fixes/0.9.56/brave-browser.profile | 6 | ||||
-rw-r--r-- | etc-fixes/0.9.56/brave.profile | 24 | ||||
-rw-r--r-- | etc-fixes/0.9.58/atom.profile | 36 | ||||
-rw-r--r-- | etc-fixes/0.9.60/atom.profile | 37 | ||||
-rw-r--r-- | etc-fixes/seccomp-join-bug/README | 11 | ||||
-rw-r--r-- | etc-fixes/seccomp-join-bug/eecf35c-backports.zip | bin | 0 -> 10472 bytes |
11 files changed, 356 insertions, 0 deletions
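--- /dev/null
+++ b/etc-fixes/0.9.38/firefox.profile
@@ -0,0 +1,32 @@
+# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
+noblacklist ${HOME}/.mozilla
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+caps.drop all
+
+#seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp.drop adjtimex,clock_adjtime,clock_settime,settimeofday,stime,modify_ldt,subpage_prot,switch_endian,vm86,vm86old,lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext,delete_module,finit_module,init_module,_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver,ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+
+protocol unix,inet,inet6,netlink
+netfilter
+# tracelog
+noroot
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.mozilla
+whitelist ${HOME}/.cache/mozilla/firefox
+whitelist ${HOME}/dwhelper
+whitelist ${HOME}/.zotero
+whitelist ${HOME}/.lastpass
+whitelist ${HOME}/.vimperatorrc
+whitelist ${HOME}/.vimperator
+whitelist ${HOME}/.pentadactylrc
+whitelist ${HOME}/.pentadactyl
+whitelist ${HOME}/.keysnail.js
+whitelist ${HOME}/.config/gnome-mplayer
+whitelist ${HOME}/.cache/gnome-mplayer/plugin
+include /etc/firejail/whitelist-common.inc
+
+# experimental features
+#private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse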
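Review bot: The expanded `seccomp.drop` list on line 10 carries no comment saying why it replaces the grouped form that is commented out on line 9; presumably this firejail version does not resolve `@`-groups and line 10 is their manual expansion — confirm. Because `seccomp.drop` with an explicit list replaces the default blacklist rather than extending it, a reader has to compare the two lines by hand to see that nothing was lost in the expansion. A one-line header such as `# 0.9.38: manual expansion of the @-group list above (this version has no group support)` would record that. The grouped form on line 9 is the same list that etc-fixes/0.9.52/firefox.profile uses live, so a pointer to that file would also help the next maintainer.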
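--- /dev/null
+++ b/etc-fixes/0.9.52/atom.profile
@@ -0,0 +1,31 @@
+# Firejail profile for atom
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/atom.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# blacklist /run/user/*/bus
+
+noblacklist ${HOME}/.atom
+noblacklist ${HOME}/.config/Atom
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.keep sys_admin,sys_chroot
+# net none
+netfilter
+nodvd
+nogroups
+nosound
+notv
+novideo
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp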
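Review bot: `caps.keep sys_admin,sys_chroot` on line 17 leaves CAP_SYS_ADMIN inside the sandbox, and the profile has no `seccomp`, `nonewprivs` or `noroot` line either, so it is considerably weaker than the other full profiles in this commit, which all use `caps.drop all`; nothing in the file records why. Presumably Atom's Electron/Chromium sandbox needs the chroot and namespace setup that these capabilities allow, and the missing hardening lines conflict with it — confirm — but that belongs next to the directive, e.g. `# caps.keep sys_admin,sys_chroot: needed by Atom's Electron sandbox (TODO confirm); seccomp/noroot/nonewprivs omitted for the same reason`. The same uncommented directive appears in etc-fixes/0.9.58/atom.profile and etc-fixes/0.9.60/atom.profile.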
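--- /dev/null
+++ b/etc-fixes/0.9.52/firefox.profile
@@ -0,0 +1,99 @@
+# Firejail profile for firefox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/firefox.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.cache/mozilla
+noblacklist ${HOME}/.config/okularpartrc
+noblacklist ${HOME}/.config/okularrc
+noblacklist ${HOME}/.config/qpdfview
+noblacklist ${HOME}/.kde/share/apps/kget
+noblacklist ${HOME}/.kde/share/apps/okular
+noblacklist ${HOME}/.kde/share/config/kgetrc
+noblacklist ${HOME}/.kde/share/config/okularpartrc
+noblacklist ${HOME}/.kde/share/config/okularrc
+noblacklist ${HOME}/.kde4/share/apps/kget
+noblacklist ${HOME}/.kde4/share/apps/okular
+noblacklist ${HOME}/.kde4/share/config/kgetrc
+noblacklist ${HOME}/.kde4/share/config/okularpartrc
+noblacklist ${HOME}/.kde4/share/config/okularrc
+# noblacklist ${HOME}/.local/share/gnome-shell/extensions
+noblacklist ${HOME}/.local/share/okular
+noblacklist ${HOME}/.local/share/qpdfview
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.cache/mozilla/firefox
+mkdir ${HOME}/.mozilla
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/gnome-mplayer/plugin
+whitelist ${HOME}/.cache/mozilla/firefox
+whitelist ${HOME}/.config/gnome-mplayer
+whitelist ${HOME}/.config/okularpartrc
+whitelist ${HOME}/.config/okularrc
+whitelist ${HOME}/.config/pipelight-silverlight5.1
+whitelist ${HOME}/.config/pipelight-widevine
+whitelist ${HOME}/.config/qpdfview
+whitelist ${HOME}/.kde/share/apps/kget
+whitelist ${HOME}/.kde/share/apps/okular
+whitelist ${HOME}/.kde/share/config/kgetrc
+whitelist ${HOME}/.kde/share/config/okularpartrc
+whitelist ${HOME}/.kde/share/config/okularrc
+whitelist ${HOME}/.kde4/share/apps/kget
+whitelist ${HOME}/.kde4/share/apps/okular
+whitelist ${HOME}/.kde4/share/config/kgetrc
+whitelist ${HOME}/.kde4/share/config/okularpartrc
+whitelist ${HOME}/.kde4/share/config/okularrc
+whitelist ${HOME}/.keysnail.js
+whitelist ${HOME}/.lastpass
+whitelist ${HOME}/.local/share/gnome-shell/extensions
+whitelist ${HOME}/.local/share/okular
+whitelist ${HOME}/.local/share/qpdfview
+whitelist ${HOME}/.mozilla
+whitelist ${HOME}/.pentadactyl
+whitelist ${HOME}/.pentadactylrc
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+whitelist ${HOME}/.vimperator
+whitelist ${HOME}/.vimperatorrc
+whitelist ${HOME}/.wine-pipelight
+whitelist ${HOME}/.wine-pipelight64
+whitelist ${HOME}/.zotero
+whitelist ${HOME}/dwhelper
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+# machine-id breaks pulse audio; it should work fine in setups where sound is not required
+#machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+#seccomp - replaced with seccomp.drop for Firefox 60
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+shell none
+#tracelog - disabled for Firefox 60
+
+disable-mnt
+# firefox requires a shell to launch on Arch.
+# private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash
+private-dev
+# private-etc below works fine on most distributions. There are some problems on CentOS.
+# private-etc alternatives,iceweasel,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
+private-tmp
+
+noexec ${HOME}
+noexec /tmp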
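Review bot: `seccomp.drop` on line 86 replaces the version's default syscall blacklist rather than adding to it, so any syscall the default `seccomp` list blocks but this explicit list omits is silently permitted; the comment on line 85 says the switch was made for Firefox 60 but not which syscalls were removed relative to the default or what in Firefox 60 needs them. Record that on the comment, e.g. `#seccomp - replaced with seccomp.drop for Firefox 60; relative to the default list this allows: <syscall names>`, so the next version bump can be checked against the default list instead of re-deriving it. `#tracelog - disabled for Firefox 60` on line 88 likewise names the trigger but not the symptom.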
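--- /dev/null
+++ b/etc-fixes/0.9.52/gedit.profile
@@ -0,0 +1,44 @@
+# Firejail profile for gedit
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/gedit.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# blacklist /run/user/*/bus - makes settings immutable
+
+noblacklist ${HOME}/.config/enchant
+noblacklist ${HOME}/.config/gedit
+noblacklist ${HOME}/.gitconfig
+
+include /etc/firejail/disable-common.inc
+# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+# net none - makes settings immutable
+machine-id
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin gedit
+private-dev
+# private-etc alternatives,fonts
+#private-lib gedit - disabled; problems when running "firejail gedit"; "firejail /usr/bin/gedit" works fine
+private-tmp
+
+noexec ${HOME}
+noexec /tmp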
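Review bot: `# include /etc/firejail/disable-devel.inc` on line 15 is disabled with no reason given, while the other commented-out directives in this file (lines 8, 22 and 40) each say what would break. The `.gitconfig` noblacklist on line 12 suggests gedit is used on source trees and needs the compilers and VCS tools that disable-devel.inc hides — confirm — and that should be spelled out, e.g. `# include disable-devel.inc - disabled: gedit is used to edit source (see the .gitconfig noblacklist above)`.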
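--- /dev/null
+++ b/etc-fixes/0.9.52/libreoffice.profile
@@ -0,0 +1,36 @@
+# Firejail profile for libreoffice
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/libreoffice.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.java
+noblacklist /usr/local/sbin
+noblacklist ${HOME}/.config/libreoffice
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+#nonewprivs
+noroot
+notv
+#protocol unix,inet,inet6
+#seccomp
+shell none
+#tracelog
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp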
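Review bot: `#nonewprivs` (line 24), `#protocol unix,inet,inet6` (line 27), `#seccomp` (line 28) and `#tracelog` (line 30) are all commented out without a reason, which leaves this profile with no syscall filter, no protocol filter and no NO_NEW_PRIVS while every other full profile in this commit keeps at least `seccomp`. The `.java` noblacklist on line 8 hints at a JVM compatibility problem — confirm — but whatever the cause, it should be written on each line, e.g. `#seccomp - disabled: <what breaks>`, so a later version can re-enable the directive once the cause is gone. `noblacklist /usr/local/sbin` on line 9 is similarly unexplained and is unusual for a desktop application.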
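--- /dev/null
+++ b/etc-fixes/0.9.56/brave-browser.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for brave
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/brave.profile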
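--- /dev/null
+++ b/etc-fixes/0.9.56/brave.profile
@@ -0,0 +1,24 @@
+# Firejail profile for brave
+# This file is overwritten after every install/update
+# Description: Web browser that blocks ads and trackers by default.
+# Persistent local customizations
+include brave.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/brave
+noblacklist ${HOME}/.config/BraveSoftware
+# brave uses gpg for built-in password manager
+noblacklist ${HOME}/.gnupg
+
+mkdir ${HOME}/.config/brave
+mkdir ${HOME}/.config/BraveSoftware
+whitelist ${HOME}/.config/brave
+whitelist ${HOME}/.config/BraveSoftware
+whitelist ${HOME}/.gnupg
+
+# noexec /tmp is included in chromium-common.profile and breaks Brave
+ignore noexec /tmp
+
+# Redirect
+include /etc/firejail/chromium-common.profile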
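Review bot: `whitelist ${HOME}/.gnupg` on line 18 gives the browser the entire keyring, including private keys that have nothing to do with Brave; the comment on line 11 gives the reason but not the scope of what is exposed. Expand it so the trade-off is visible to anyone copying the profile, e.g. `# brave uses gpg for its built-in password manager; this exposes the whole ~/.gnupg keyring (all private keys) to the browser`. Separately, lines 5 and 7 use the bare `include brave.local` form while line 24 uses the absolute `include /etc/firejail/chromium-common.profile`; the file should use one form throughout.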
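--- /dev/null
+++ b/etc-fixes/0.9.58/atom.profile
@@ -0,0 +1,36 @@
+
+# Firejail profile for atom
+# Description: A hackable text editor for the 21st Century
+# This file is overwritten after every install/update
+# Persistent local customizations
+include atom.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.atom
+noblacklist ${HOME}/.config/Atom
+noblacklist ${HOME}/.cargo/config
+noblacklist ${HOME}/.cargo/registry
+
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.keep sys_admin,sys_chroot
+# net none
+netfilter
+nodbus
+nodvd
+nogroups
+nosound
+notv
+nou2f
+novideo
+shell none
+
+private-cache
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp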
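Review bot: Line 1 of the new file is an empty line before the `# Firejail profile for atom` header; every other profile added in this commit starts with the header comment on line 1, and the 0.9.60 copy of this same profile has no leading blank line. Remove it so the file matches the others.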
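--- /dev/null
+++ b/etc-fixes/0.9.60/atom.profile
@@ -0,0 +1,37 @@
+# Firejail profile for atom
+# Description: A hackable text editor for the 21st Century
+# This file is overwritten after every install/update
+# Persistent local customizations
+include atom.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.atom
+noblacklist ${HOME}/.config/Atom
+noblacklist ${HOME}/.config/git
+noblacklist ${HOME}/.cargo/config
+noblacklist ${HOME}/.cargo/registry
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.git-credentials
+noblacklist ${HOME}/.pythonrc.py
+
+include disable-common.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.keep sys_admin,sys_chroot
+# net none
+netfilter
+nodbus
+nodvd
+nogroups
+nosound
+notv
+nou2f
+novideo
+shell none
+
+private-cache
+private-dev
+private-tmp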
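Review bot: `noblacklist ${HOME}/.git-credentials` on line 15 makes git's plaintext credential store readable by the editor and by every package it loads, and nothing in the file says why; presumably the bundled git integration needs it — confirm. If it is needed, say so next to the line, e.g. `# .git-credentials holds plaintext tokens; exposed for the git integration (TODO confirm)`; if it is not, drop the line, since `.config/git` and `.gitconfig` on lines 11 and 14 already cover configuration without the secrets. The `noexec ${HOME}` and `noexec /tmp` lines of the 0.9.58 profile are gone here, apparently replaced by `include disable-exec.inc` on line 19 — a comment saying so would save the next reader the comparison.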
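--- /dev/null
+++ b/etc-fixes/seccomp-join-bug/README
@@ -0,0 +1,11 @@
+These are patches for various Firejail versions for the security bug reported by Austin Morton
+on May 21, 2019:
+
+Seccomp filters are copied into /run/firejail/mnt, and are writable
+within the jail. A malicious process can modify files from inside the
+jail. Processes that are later joined to the jail will not have seccomp
+filters applied.
+
+The original discussion thread: https://github.com/netblue30/firejail/issues/2718
+The fix on mainline: https://github.com/netblue30/firejail/commit/eecf35c2f8249489a1d3e512bb07f0d427183134
+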
diff --git a/etc-fixes/seccomp-join-bug/eecf35c-backports.zip b/etc-fixes/seccomp-join-bug/eecf35c-backports.zip new file mode 100644 index 000000000..59782461e --- /dev/null +++ b/etc-fixes/seccomp-join-bug/eecf35c-backports.zip | |||
Binary files differ | |||