Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/allow-ssh.inc | 2 | ||||
-rw-r--r-- | etc/inc/disable-common.inc | 41 | ||||
-rw-r--r-- | etc/inc/disable-devel.inc | 36 | ||||
-rw-r--r-- | etc/profile-a-l/default.profile | 4 |
4 files changed, 74 insertions, 9 deletions
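--- a/etc/inc/allow-ssh.inc
+++ b/etc/inc/allow-ssh.inc
@@ -6,7 +6,7 @@ noblacklist ${HOME}/.ssh
 noblacklist /etc/ssh
 noblacklist /etc/ssh/ssh_config
 noblacklist /etc/ssh/ssh_config.d
-noblacklist ${PATH}/ssh
+noblacklist ${PATH}/ssh*
 noblacklist /tmp/ssh-*
 # Arch Linux and derivatives
 noblacklist /usr/lib/ssh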
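Review bot: `noblacklist ${PATH}/ssh*` widens the exception from the ssh client to every binary whose name starts with `ssh` — `ssh-agent`, `ssh-add`, `ssh-keygen`, `ssh-keyscan`, `sshfs` where installed and, if `${PATH}` covers the sbin directories, `sshd` — and it must stay in step with the matching `blacklist ${PATH}/ssh*` that this commit adds to disable-common.inc, since as I read the profile semantics a noblacklist only cancels a blacklist processed after it. A comment naming what the glob is expected to cover, `# ssh* also matches ssh-add, ssh-agent, ssh-keygen and sshd`, would make later breakage reports easier to triage. Profiles that combine this include with private-tmp will still not see the `/tmp/ssh-*` agent socket directory un-blacklisted on the next line, because private-tmp replaces /tmp rather than filtering it; that interaction is worth a note beside that entry.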
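--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -170,7 +170,7 @@ blacklist ${RUNUSER}/gsconnect
 blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd
 blacklist ${PATH}/systemctl
-blacklist ${PATH}/systemd-run
+blacklist ${PATH}/systemd*
 blacklist ${RUNUSER}/systemd
 blacklist /etc/credstore*
 blacklist /etc/systemd/network
@@ -319,7 +319,7 @@ read-only ${HOME}/.zshenv
 read-only ${HOME}/.zshrc
 read-only ${HOME}/.zshrc.local
 
-# Remote access
+# Remote access (used only by sshd; should always be blacklisted)
 blacklist ${HOME}/.rhosts
 blacklist ${HOME}/.shosts
 blacklist ${HOME}/.ssh/authorized_keys
@@ -327,8 +327,6 @@ blacklist ${HOME}/.ssh/authorized_keys2
 blacklist ${HOME}/.ssh/environment
 blacklist ${HOME}/.ssh/rc
 blacklist /etc/hosts.equiv
-read-only ${HOME}/.ssh/config
-read-only ${HOME}/.ssh/config.d
 
 # Initialization files that allow arbitrary command execution
 read-only ${HOME}/.caffrc
@@ -360,6 +358,8 @@ read-only ${HOME}/.nanorc
 read-only ${HOME}/.npmrc
 read-only ${HOME}/.pythonrc.py
 read-only ${HOME}/.reportbugrc
+read-only ${HOME}/.ssh/config
+read-only ${HOME}/.ssh/config.d
 read-only ${HOME}/.tmux.conf
 read-only ${HOME}/.vim
 read-only ${HOME}/.viminfo
@@ -518,7 +518,10 @@ blacklist ${PATH}/kdesudo
 blacklist ${PATH}/ksu
 blacklist ${PATH}/mount
 blacklist ${PATH}/mount.ecryptfs_private
+blacklist ${PATH}/mountpoint
 blacklist ${PATH}/nc
+blacklist ${PATH}/nc.traditional
+blacklist ${PATH}/nc.openbsd
 blacklist ${PATH}/ncat
 blacklist ${PATH}/nmap
 blacklist ${PATH}/newgidmap
@@ -536,7 +539,6 @@ blacklist ${PATH}/umount
 blacklist ${PATH}/unix_chkpwd
 blacklist ${PATH}/xev
 blacklist ${PATH}/xinput
-# from 0.9.67
 blacklist /usr/lib/openssh
 blacklist /usr/lib/ssh
 blacklist /usr/libexec/openssh
@@ -573,6 +575,28 @@ blacklist ${PATH}/nmtui-hostname
 blacklist ${PATH}/networkctl
 blacklist ${PATH}/ss
 blacklist ${PATH}/traceroute
+# since firejail version 0.9.73
+blacklist ${PATH}/dpkg*
+blacklist ${PATH}/fakeroot*
+blacklist ${PATH}/apt*
+blacklist ${PATH}/dumpcap
+blacklist ${PATH}/efibootdump
+blacklist ${PATH}/efibootmgr
+blacklist ${PATH}/passmass
+blacklist ${PATH}/proxy
+blacklist ${PATH}/aa-*
+blacklist ${PATH}/airscan-discover
+blacklist ${PATH}/avahi*
+blacklist ${PATH}/dbus-*
+blacklist ${PATH}/debconf*
+blacklist ${PATH}/grub-*
+blacklist ${PATH}/kernel-install # from systemd package
+
+# binaries installed by firejail
+blacklist ${PATH}/firemon
+blacklist ${PATH}/firecfg
+blacklist ${PATH}/jailcheck
+blacklist ${PATH}/firetools
 
 # other SUID binaries
 blacklist /opt/microsoft/msedge*/msedge-sandbox
@@ -653,10 +677,13 @@ blacklist ${HOME}/sent
 blacklist /proc/config.gz
 
 # prevent DNS malware attempting to communicate with the server using regular DNS tools
+blacklist ${PATH}/delv
 blacklist ${PATH}/dig
 blacklist ${PATH}/dlint
 blacklist ${PATH}/dns2tcp
 blacklist ${PATH}/dnssec-*
+blacklist ${PATH}/dnstap-read
+blacklist ${PATH}/mdig
 blacklist ${PATH}/dnswalk
 blacklist ${PATH}/drill
 blacklist ${PATH}/host
@@ -667,12 +694,14 @@ blacklist ${PATH}/knsupdate
 blacklist ${PATH}/ldns-*
 blacklist ${PATH}/ldnsd
 blacklist ${PATH}/nslookup
+blacklist ${PATH}/nsupdate
+blacklist ${PATH}/nstat
 blacklist ${PATH}/resolvectl
 blacklist ${PATH}/unbound-host
 
 # prevent an intruder to guess passwords using regular network tools
 blacklist ${PATH}/ftp
-blacklist ${PATH}/ssh
+blacklist ${PATH}/ssh*
 blacklist ${PATH}/telnet
 
 # rest of ${RUNUSER}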
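Review bot: The trailing `# from systemd package` on the new `blacklist ${PATH}/kernel-install` line is the only inline comment in these hunks; unless the profile parser strips trailing `#` comments, the comment text becomes part of the path argument and the entry silently matches nothing, which for a blacklist is a fail-open. Moving it to its own line, `# kernel-install is shipped by the systemd package` followed by `blacklist ${PATH}/kernel-install`, matches the comment style used everywhere else in this file and is safe under either parser behaviour. In the same hunk, `blacklist ${PATH}/dbus-*`, `blacklist ${PATH}/apt*` and `blacklist ${PATH}/systemd*` are far broader than the single-binary entries around them; a one-line comment per glob naming what it is meant to cover would help whoever triages the resulting breakage reports. Separately, `nstat` added in the DNS-tools hunk is an iproute2 network-statistics tool rather than a DNS utility and would sit more naturally next to `ss` in the network-tools hunk above it.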
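--- a/etc/inc/disable-devel.inc
+++ b/etc/inc/disable-devel.inc
@@ -4,12 +4,42 @@ include disable-devel.local
 
 # development tools
 
+# autoconf/automake
+blacklist ${PATH}/autoconf
+blacklist ${PATH}/autoheader
+blacklist ${PATH}/autom4te
+blacklist ${PATH}/autoreconf
+blacklist ${PATH}/autoscan
+blacklist ${PATH}/autoupdate
+blacklist ${PATH}/ifnames
+blacklist ${PATH}/aclocal*
+blacklist ${PATH}/automake*
+blacklist ${PATH}/dh_*
+blacklist ${PATH}/m4
+
+# patch
+blacklist ${PATH}/patch
+blacklist ${PATH}/patchview
+blacklist ${PATH}/espdiff
+blacklist ${PATH}/elfedit
+
+# expect
+blacklist ${PATH}/expect*
+blacklist ${PATH}/autoexpect
+
 # clang/llvm
 blacklist ${PATH}/clang*
 blacklist ${PATH}/lldb*
 blacklist ${PATH}/llvm*
 # see issue #2106 - it disables hardware acceleration in Firefox on Radeon GPU
 # blacklist /usr/lib/llvm*
+blacklist ${PATH}/scan-build
+blacklist ${PATH}/analyze-build*
+blacklist ${PATH}/asan_symbolize*
+blacklist ${PATH}/bugpoint*
+blacklist ${PATH}/c-index-test*
+blacklist ${PATH}/llc*
+blacklist ${PATH}/lli*
 
 # GCC
 blacklist ${PATH}/as
@@ -28,6 +58,12 @@ blacklist ${PATH}/*-gcc*
 blacklist ${PATH}/*-g++*
 # seems to create problems on Gentoo
 #blacklist /usr/lib/gcc
+blacklist ${PATH}/elfedit
+blacklist ${PATH}/gcov*
+blacklist ${PATH}/gmake
+blacklist ${PATH}/make
+blacklist ${PATH}/make-first-existing-target
+blacklist ${PATH}/x86_64-linux-gnu-*
 
 #Go
 blacklist ${PATH}/gccgo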
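Review bot: `blacklist ${PATH}/elfedit` is added twice in this file, once under `# patch` (new line 24) and again under `# GCC` (new line 61); the duplicate is harmless at runtime but one copy should go, and since elfedit is a binutils program it belongs with the GCC group rather than the patch group. The new `blacklist ${PATH}/x86_64-linux-gnu-*` covers a single target triplet, whereas the neighbouring `*-gcc*` and `*-g++*` entries are architecture-neutral, so the binutils-style wrappers on other architectures stay reachable; if that breadth is acceptable, `blacklist ${PATH}/*-linux-gnu-*` would keep the group consistent, otherwise a comment stating that only x86_64 is intended would stop the next reader from assuming an oversight. The `# patch` group would also read better with a comment that `espdiff` is a diff viewer rather than a patcher, since the grouping is otherwise by tool family.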
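--- a/etc/profile-a-l/default.profile
+++ b/etc/profile-a-l/default.profile
@@ -46,12 +46,12 @@ seccomp
 # private
 # private-bin program
 # private-cache
-# private-dev
+private-dev
 # see /usr/share/doc/firejail/profile.template for more common private-etc paths.
 # private-etc alternatives,fonts,machine-id
 # private-lib
 # private-opt none
-# private-tmp
+private-tmp
 
 # dbus-user none
 # dbus-system none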
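Review bot: Uncommenting `private-dev` and `private-tmp` changes the sandbox for every program that has no profile of its own, yet the two lines carry no explanation while the options around them remain commented-out examples, so a reader cannot tell a deliberate default from a stray edit. A comment above new line 49 such as `# private-dev and private-tmp are enabled for programs without a dedicated profile; relax them in default.local if a program needs extra devices or the host /tmp` would record the intent and point at the override mechanism. It is also worth stating there that private-tmp replaces /tmp outright, so the `/tmp/ssh-*` agent socket directory that allow-ssh.inc un-blacklists in this same commit remains hidden for programs running under this profile.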