Diffstat (limited to 'etc')
-rw-r--r-- | etc/atool.profile | 12 | ||||
-rw-r--r-- | etc/bsdtar.profile | 7 | ||||
-rw-r--r-- | etc/bunzip2.profile | 1 | ||||
-rw-r--r-- | etc/bzip2.profile | 11 | ||||
-rw-r--r-- | etc/cpio.profile | 10 | ||||
-rw-r--r-- | etc/gzip.profile | 12 | ||||
-rw-r--r-- | etc/tar.profile | 13 |
7 files changed, 63 insertions, 3 deletions
diff --git a/etc/atool.profile b/etc/atool.profile index c82108cef..b17498e9d 100644 --- a/etc/atool.profile +++ b/etc/atool.profile | |||
@@ -18,15 +18,21 @@ noblacklist /usr/share/perl* | |||
18 | 18 | ||
19 | include disable-common.inc | 19 | include disable-common.inc |
20 | # include disable-devel.inc | 20 | # include disable-devel.inc |
21 | include disable-exec.inc | ||
21 | include disable-interpreters.inc | 22 | include disable-interpreters.inc |
22 | include disable-passwdmgr.inc | 23 | include disable-passwdmgr.inc |
23 | include disable-programs.inc | 24 | include disable-programs.inc |
24 | 25 | ||
26 | apparmor | ||
25 | caps.drop all | 27 | caps.drop all |
26 | netfilter | 28 | hostname atool |
29 | ipc-namespace | ||
30 | machine-id | ||
27 | net none | 31 | net none |
32 | netfilter | ||
28 | no3d | 33 | no3d |
29 | nodvd | 34 | nodvd |
35 | nodbus | ||
30 | nogroups | 36 | nogroups |
31 | nonewprivs | 37 | nonewprivs |
32 | noroot | 38 | noroot |
@@ -39,9 +45,11 @@ seccomp | |||
39 | shell none | 45 | shell none |
40 | tracelog | 46 | tracelog |
41 | 47 | ||
48 | # private-bin atool,perl | ||
42 | private-cache | 49 | private-cache |
43 | # private-bin atool | ||
44 | private-dev | 50 | private-dev |
45 | # without login.defs atool complains and uses UID/GID 1000 by default | 51 | # without login.defs atool complains and uses UID/GID 1000 by default |
46 | private-etc alternatives,passwd,group,login.defs | 52 | private-etc alternatives,passwd,group,login.defs |
47 | private-tmp | 53 | private-tmp |
54 | |||
55 | memory-deny-write-execute | ||
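Review bot: `memory-deny-write-execute` on the new line 55 is enforced through seccomp and therefore inherited by every archiver atool execs, while this profile deliberately keeps `private-bin` commented out (line 48) so that any installed helper can be launched. A helper that needs a writable-and-executable mapping will fail inside mmap/mprotect with nothing in this profile pointing at the cause, so the option should be verified against the archivers actually installed (7z, unrar, lrzip and friends) before it ships as a default. A one-line comment above it would save the next maintainer the hunt: `# seccomp-enforced, inherited by the archivers atool execs; drop via atool.local if a helper fails`. Separately, `netfilter` on line 32 appears redundant next to `net none` on line 31, since there is no interface left to filter.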
diff --git a/etc/bsdtar.profile b/etc/bsdtar.profile index b6b673976..f964438bc 100644 --- a/etc/bsdtar.profile +++ b/etc/bsdtar.profile | |||
@@ -10,16 +10,20 @@ blacklist /tmp/.X11-unix | |||
10 | 10 | ||
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | # include disable-devel.inc | 12 | # include disable-devel.inc |
13 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | 14 | include disable-interpreters.inc |
14 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
15 | include disable-programs.inc | 16 | include disable-programs.inc |
16 | 17 | ||
18 | apparmor | ||
17 | caps.drop all | 19 | caps.drop all |
18 | hostname bsdtar | 20 | hostname bsdtar |
19 | ipc-namespace | 21 | ipc-namespace |
22 | machine-id | ||
20 | netfilter | 23 | netfilter |
21 | no3d | 24 | no3d |
22 | nodvd | 25 | nodvd |
26 | nodbus | ||
23 | nogroups | 27 | nogroups |
24 | nonewprivs | 28 | nonewprivs |
25 | # noroot | 29 | # noroot |
@@ -34,5 +38,8 @@ tracelog | |||
34 | 38 | ||
35 | # support compressed archives | 39 | # support compressed archives |
36 | private-bin sh,bash,bsdcat,bsdcpio,bsdtar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop,lz4,libarchive | 40 | private-bin sh,bash,bsdcat,bsdcpio,bsdtar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop,lz4,libarchive |
41 | private-cache | ||
37 | private-dev | 42 | private-dev |
38 | private-etc alternatives,passwd,group,localtime | 43 | private-etc alternatives,passwd,group,localtime |
44 | |||
45 | memory-deny-write-execute | ||
diff --git a/etc/bunzip2.profile b/etc/bunzip2.profile index 82c0f6ed6..ff86cbdfc 100644 --- a/etc/bunzip2.profile +++ b/etc/bunzip2.profile | |||
@@ -1,4 +1,5 @@ | |||
1 | # Firejail profile for bunzip2 | 1 | # Firejail profile for bunzip2 |
2 | # Description: A high-quality data compression program | ||
2 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | 4 | # Persistent local customizations |
4 | include bunzip2.local | 5 | include bunzip2.local |
diff --git a/etc/bzip2.profile b/etc/bzip2.profile new file mode 100644 index 000000000..0f2fdd35a --- /dev/null +++ b/etc/bzip2.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for bzip2 | ||
2 | # Description: A high-quality data compression program | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include bzip2.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include gzip.profile | ||
diff --git a/etc/cpio.profile b/etc/cpio.profile index f63e0a552..b6f7e7f9f 100644 --- a/etc/cpio.profile +++ b/etc/cpio.profile | |||
@@ -13,14 +13,21 @@ noblacklist /sbin | |||
13 | noblacklist /usr/sbin | 13 | noblacklist /usr/sbin |
14 | 14 | ||
15 | include disable-common.inc | 15 | include disable-common.inc |
16 | # include disable-devel.inc | ||
17 | include disable-exec.inc | ||
16 | include disable-passwdmgr.inc | 18 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 19 | include disable-programs.inc |
18 | 20 | ||
21 | apparmor | ||
19 | caps.drop all | 22 | caps.drop all |
23 | hostname cpio | ||
24 | ipc-namespace | ||
25 | machine-id | ||
20 | net none | 26 | net none |
21 | no3d | 27 | no3d |
22 | nodbus | 28 | nodbus |
23 | nodvd | 29 | nodvd |
30 | nogroups | ||
24 | nonewprivs | 31 | nonewprivs |
25 | nosound | 32 | nosound |
26 | notv | 33 | notv |
@@ -30,4 +37,7 @@ seccomp | |||
30 | shell none | 37 | shell none |
31 | tracelog | 38 | tracelog |
32 | 39 | ||
40 | private-cache | ||
33 | private-dev | 41 | private-dev |
42 | |||
43 | memory-deny-write-execute | ||
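Review bot: `nogroups` on the new line 30 drops the supplementary groups, so an interactive cpio run can no longer write into directories that are reachable only through a secondary group (a shared group-writable tree), and group ownership restores with `--preserve-owner` depend on the same membership. The profile keeps `/sbin` and `/usr/sbin` visible (line 13), which suggests initramfs or packaging workflows that run as root, where `nogroups` is harmless; the non-root case is the one that deserves a test. If the restriction stays, document the escape hatch next to it: `# nogroups: extraction into group-only-writable dirs fails; set 'ignore nogroups' in the per-profile .local to re-enable`.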
diff --git a/etc/gzip.profile b/etc/gzip.profile index 49c43a49c..27e262f87 100644 --- a/etc/gzip.profile +++ b/etc/gzip.profile | |||
@@ -9,11 +9,20 @@ include globals.local | |||
9 | 9 | ||
10 | blacklist /tmp/.X11-unix | 10 | blacklist /tmp/.X11-unix |
11 | 11 | ||
12 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | ||
14 | |||
12 | ignore noroot | 15 | ignore noroot |
16 | |||
17 | apparmor | ||
18 | hostname gzip | ||
19 | ipc-namespace | ||
20 | machine-id | ||
13 | net none | 21 | net none |
14 | no3d | 22 | no3d |
15 | nodbus | 23 | nodbus |
16 | nodvd | 24 | nodvd |
25 | nogroups | ||
17 | nosound | 26 | nosound |
18 | notv | 27 | notv |
19 | nou2f | 28 | nou2f |
@@ -21,6 +30,9 @@ novideo | |||
21 | shell none | 30 | shell none |
22 | tracelog | 31 | tracelog |
23 | 32 | ||
33 | private-cache | ||
24 | private-dev | 34 | private-dev |
25 | 35 | ||
36 | memory-deny-write-execute | ||
37 | |||
26 | include default.profile | 38 | include default.profile |
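Review bot: gzip.profile is now the redirect target of the bzip2.profile added in this same change, so everything on the new lines 12–36 (`hostname gzip`, `ignore noroot`, `memory-deny-write-execute`) silently applies to bzip2 and to any other profile that ends in `include gzip.profile`, and nothing on this side says so. A note after line 11 would keep gzip-specific options from creeping in: `# NOTE: other compressor profiles (e.g. bzip2.profile) redirect here; keep options generic`. Whether a redirected bzip2 should report `hostname gzip` is cosmetic, but it is visible to the sandboxed process and worth a conscious decision.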
diff --git a/etc/tar.profile b/etc/tar.profile index e1cfe9c80..14fc00d21 100644 --- a/etc/tar.profile +++ b/etc/tar.profile | |||
@@ -10,12 +10,20 @@ include tar.local | |||
10 | 10 | ||
11 | blacklist /tmp/.X11-unix | 11 | blacklist /tmp/.X11-unix |
12 | 12 | ||
13 | hostname tar | 13 | include disable-exec.inc |
14 | include disable-interpreters.inc | ||
15 | |||
14 | ignore noroot | 16 | ignore noroot |
17 | |||
18 | apparmor | ||
19 | hostname tar | ||
20 | ipc-namespace | ||
21 | machine-id | ||
15 | net none | 22 | net none |
16 | no3d | 23 | no3d |
17 | nodbus | 24 | nodbus |
18 | nodvd | 25 | nodvd |
26 | nogroups | ||
19 | nosound | 27 | nosound |
20 | notv | 28 | notv |
21 | nou2f | 29 | nou2f |
@@ -25,10 +33,13 @@ tracelog | |||
25 | 33 | ||
26 | # support compressed archives | 34 | # support compressed archives |
27 | private-bin sh,bash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop | 35 | private-bin sh,bash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop |
36 | private-cache | ||
28 | private-dev | 37 | private-dev |
29 | private-etc alternatives,passwd,group,localtime | 38 | private-etc alternatives,passwd,group,localtime |
30 | private-lib libfakeroot | 39 | private-lib libfakeroot |
31 | 40 | ||
41 | memory-deny-write-execute | ||
42 | |||
32 | # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic) | 43 | # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic) |
33 | writable-var | 44 | writable-var |
34 | 45 | ||
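Review bot: `ipc-namespace` on the new line 20 is likely to break the fakeroot use case the profile still provisions for with `private-lib libfakeroot` (line 39): the stock fakeroot talks to its `faked` daemon over SysV IPC, which a fresh IPC namespace cannot reach, and the `net none` already on line 22 rules out the fakeroot-tcp fallback as well. Either `fakeroot tar ...` was tested with this change, or `ipc-namespace` should be dropped (or `libfakeroot` removed from `private-lib` so the profile does not promise a combination it cannot deliver). The `dpkg --unpack` path called out in the comment on line 43 should be re-checked too, since `apparmor` (line 18) layers the firejail AppArmor profile's own denials on top of what this file shows.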