diff options
Diffstat (limited to 'etc')
| -rw-r--r-- | etc/inc/allow-ssh.inc | 2 | ||||
| -rw-r--r-- | etc/inc/disable-common.inc | 41 | ||||
| -rw-r--r-- | etc/inc/disable-devel.inc | 36 | ||||
| -rw-r--r-- | etc/profile-a-l/default.profile | 4 |
4 files changed, 74 insertions, 9 deletions
diff --git a/etc/inc/allow-ssh.inc b/etc/inc/allow-ssh.inc index 024d87be7..6b2c5846e 100644 --- a/etc/inc/allow-ssh.inc +++ b/etc/inc/allow-ssh.inc | |||
| @@ -6,7 +6,7 @@ noblacklist ${HOME}/.ssh | |||
| 6 | noblacklist /etc/ssh | 6 | noblacklist /etc/ssh |
| 7 | noblacklist /etc/ssh/ssh_config | 7 | noblacklist /etc/ssh/ssh_config |
| 8 | noblacklist /etc/ssh/ssh_config.d | 8 | noblacklist /etc/ssh/ssh_config.d |
| 9 | noblacklist ${PATH}/ssh | 9 | noblacklist ${PATH}/ssh* |
| 10 | noblacklist /tmp/ssh-* | 10 | noblacklist /tmp/ssh-* |
| 11 | # Arch Linux and derivatives | 11 | # Arch Linux and derivatives |
| 12 | noblacklist /usr/lib/ssh | 12 | noblacklist /usr/lib/ssh |
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index ce4f08958..bcf90e9ed 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc | |||
| @@ -170,7 +170,7 @@ blacklist ${RUNUSER}/gsconnect | |||
| 170 | blacklist ${HOME}/.config/systemd | 170 | blacklist ${HOME}/.config/systemd |
| 171 | blacklist ${HOME}/.local/share/systemd | 171 | blacklist ${HOME}/.local/share/systemd |
| 172 | blacklist ${PATH}/systemctl | 172 | blacklist ${PATH}/systemctl |
| 173 | blacklist ${PATH}/systemd-run | 173 | blacklist ${PATH}/systemd* |
| 174 | blacklist ${RUNUSER}/systemd | 174 | blacklist ${RUNUSER}/systemd |
| 175 | blacklist /etc/credstore* | 175 | blacklist /etc/credstore* |
| 176 | blacklist /etc/systemd/network | 176 | blacklist /etc/systemd/network |
| @@ -319,7 +319,7 @@ read-only ${HOME}/.zshenv | |||
| 319 | read-only ${HOME}/.zshrc | 319 | read-only ${HOME}/.zshrc |
| 320 | read-only ${HOME}/.zshrc.local | 320 | read-only ${HOME}/.zshrc.local |
| 321 | 321 | ||
| 322 | # Remote access | 322 | # Remote access (used only by sshd; should always be blacklisted) |
| 323 | blacklist ${HOME}/.rhosts | 323 | blacklist ${HOME}/.rhosts |
| 324 | blacklist ${HOME}/.shosts | 324 | blacklist ${HOME}/.shosts |
| 325 | blacklist ${HOME}/.ssh/authorized_keys | 325 | blacklist ${HOME}/.ssh/authorized_keys |
| @@ -327,8 +327,6 @@ blacklist ${HOME}/.ssh/authorized_keys2 | |||
| 327 | blacklist ${HOME}/.ssh/environment | 327 | blacklist ${HOME}/.ssh/environment |
| 328 | blacklist ${HOME}/.ssh/rc | 328 | blacklist ${HOME}/.ssh/rc |
| 329 | blacklist /etc/hosts.equiv | 329 | blacklist /etc/hosts.equiv |
| 330 | read-only ${HOME}/.ssh/config | ||
| 331 | read-only ${HOME}/.ssh/config.d | ||
| 332 | 330 | ||
| 333 | # Initialization files that allow arbitrary command execution | 331 | # Initialization files that allow arbitrary command execution |
| 334 | read-only ${HOME}/.caffrc | 332 | read-only ${HOME}/.caffrc |
| @@ -360,6 +358,8 @@ read-only ${HOME}/.nanorc | |||
| 360 | read-only ${HOME}/.npmrc | 358 | read-only ${HOME}/.npmrc |
| 361 | read-only ${HOME}/.pythonrc.py | 359 | read-only ${HOME}/.pythonrc.py |
| 362 | read-only ${HOME}/.reportbugrc | 360 | read-only ${HOME}/.reportbugrc |
| 361 | read-only ${HOME}/.ssh/config | ||
| 362 | read-only ${HOME}/.ssh/config.d | ||
| 363 | read-only ${HOME}/.tmux.conf | 363 | read-only ${HOME}/.tmux.conf |
| 364 | read-only ${HOME}/.vim | 364 | read-only ${HOME}/.vim |
| 365 | read-only ${HOME}/.viminfo | 365 | read-only ${HOME}/.viminfo |
| @@ -518,7 +518,10 @@ blacklist ${PATH}/kdesudo | |||
| 518 | blacklist ${PATH}/ksu | 518 | blacklist ${PATH}/ksu |
| 519 | blacklist ${PATH}/mount | 519 | blacklist ${PATH}/mount |
| 520 | blacklist ${PATH}/mount.ecryptfs_private | 520 | blacklist ${PATH}/mount.ecryptfs_private |
| 521 | blacklist ${PATH}/mountpoint | ||
| 521 | blacklist ${PATH}/nc | 522 | blacklist ${PATH}/nc |
| 523 | blacklist ${PATH}/nc.traditional | ||
| 524 | blacklist ${PATH}/nc.openbsd | ||
| 522 | blacklist ${PATH}/ncat | 525 | blacklist ${PATH}/ncat |
| 523 | blacklist ${PATH}/nmap | 526 | blacklist ${PATH}/nmap |
| 524 | blacklist ${PATH}/newgidmap | 527 | blacklist ${PATH}/newgidmap |
| @@ -536,7 +539,6 @@ blacklist ${PATH}/umount | |||
| 536 | blacklist ${PATH}/unix_chkpwd | 539 | blacklist ${PATH}/unix_chkpwd |
| 537 | blacklist ${PATH}/xev | 540 | blacklist ${PATH}/xev |
| 538 | blacklist ${PATH}/xinput | 541 | blacklist ${PATH}/xinput |
| 539 | # from 0.9.67 | ||
| 540 | blacklist /usr/lib/openssh | 542 | blacklist /usr/lib/openssh |
| 541 | blacklist /usr/lib/ssh | 543 | blacklist /usr/lib/ssh |
| 542 | blacklist /usr/libexec/openssh | 544 | blacklist /usr/libexec/openssh |
| @@ -573,6 +575,28 @@ blacklist ${PATH}/nmtui-hostname | |||
| 573 | blacklist ${PATH}/networkctl | 575 | blacklist ${PATH}/networkctl |
| 574 | blacklist ${PATH}/ss | 576 | blacklist ${PATH}/ss |
| 575 | blacklist ${PATH}/traceroute | 577 | blacklist ${PATH}/traceroute |
| 578 | # since firejail version 0.9.73 | ||
| 579 | blacklist ${PATH}/dpkg* | ||
| 580 | blacklist ${PATH}/fakeroot* | ||
| 581 | blacklist ${PATH}/apt* | ||
| 582 | blacklist ${PATH}/dumpcap | ||
| 583 | blacklist ${PATH}/efibootdump | ||
| 584 | blacklist ${PATH}/efibootmgr | ||
| 585 | blacklist ${PATH}/passmass | ||
| 586 | blacklist ${PATH}/proxy | ||
| 587 | blacklist ${PATH}/aa-* | ||
| 588 | blacklist ${PATH}/airscan-discover | ||
| 589 | blacklist ${PATH}/avahi* | ||
| 590 | blacklist ${PATH}/dbus-* | ||
| 591 | blacklist ${PATH}/debconf* | ||
| 592 | blacklist ${PATH}/grub-* | ||
| 593 | blacklist ${PATH}/kernel-install # from systemd package | ||
| 594 | |||
| 595 | # binaries installed by firejail | ||
| 596 | blacklist ${PATH}/firemon | ||
| 597 | blacklist ${PATH}/firecfg | ||
| 598 | blacklist ${PATH}/jailcheck | ||
| 599 | blacklist ${PATH}/firetools | ||
| 576 | 600 | ||
| 577 | # other SUID binaries | 601 | # other SUID binaries |
| 578 | blacklist /opt/microsoft/msedge*/msedge-sandbox | 602 | blacklist /opt/microsoft/msedge*/msedge-sandbox |
| @@ -653,10 +677,13 @@ blacklist ${HOME}/sent | |||
| 653 | blacklist /proc/config.gz | 677 | blacklist /proc/config.gz |
| 654 | 678 | ||
| 655 | # prevent DNS malware attempting to communicate with the server using regular DNS tools | 679 | # prevent DNS malware attempting to communicate with the server using regular DNS tools |
| 680 | blacklist ${PATH}/delv | ||
| 656 | blacklist ${PATH}/dig | 681 | blacklist ${PATH}/dig |
| 657 | blacklist ${PATH}/dlint | 682 | blacklist ${PATH}/dlint |
| 658 | blacklist ${PATH}/dns2tcp | 683 | blacklist ${PATH}/dns2tcp |
| 659 | blacklist ${PATH}/dnssec-* | 684 | blacklist ${PATH}/dnssec-* |
| 685 | blacklist ${PATH}/dnstap-read | ||
| 686 | blacklist ${PATH}/mdig | ||
| 660 | blacklist ${PATH}/dnswalk | 687 | blacklist ${PATH}/dnswalk |
| 661 | blacklist ${PATH}/drill | 688 | blacklist ${PATH}/drill |
| 662 | blacklist ${PATH}/host | 689 | blacklist ${PATH}/host |
| @@ -667,12 +694,14 @@ blacklist ${PATH}/knsupdate | |||
| 667 | blacklist ${PATH}/ldns-* | 694 | blacklist ${PATH}/ldns-* |
| 668 | blacklist ${PATH}/ldnsd | 695 | blacklist ${PATH}/ldnsd |
| 669 | blacklist ${PATH}/nslookup | 696 | blacklist ${PATH}/nslookup |
| 697 | blacklist ${PATH}/nsupdate | ||
| 698 | blacklist ${PATH}/nstat | ||
| 670 | blacklist ${PATH}/resolvectl | 699 | blacklist ${PATH}/resolvectl |
| 671 | blacklist ${PATH}/unbound-host | 700 | blacklist ${PATH}/unbound-host |
| 672 | 701 | ||
| 673 | # prevent an intruder to guess passwords using regular network tools | 702 | # prevent an intruder to guess passwords using regular network tools |
| 674 | blacklist ${PATH}/ftp | 703 | blacklist ${PATH}/ftp |
| 675 | blacklist ${PATH}/ssh | 704 | blacklist ${PATH}/ssh* |
| 676 | blacklist ${PATH}/telnet | 705 | blacklist ${PATH}/telnet |
| 677 | 706 | ||
| 678 | # rest of ${RUNUSER} | 707 | # rest of ${RUNUSER} |
diff --git a/etc/inc/disable-devel.inc b/etc/inc/disable-devel.inc index 360077936..fa10524f0 100644 --- a/etc/inc/disable-devel.inc +++ b/etc/inc/disable-devel.inc | |||
| @@ -4,12 +4,42 @@ include disable-devel.local | |||
| 4 | 4 | ||
| 5 | # development tools | 5 | # development tools |
| 6 | 6 | ||
| 7 | # autoconf/automake | ||
| 8 | blacklist ${PATH}/autoconf | ||
| 9 | blacklist ${PATH}/autoheader | ||
| 10 | blacklist ${PATH}/autom4te | ||
| 11 | blacklist ${PATH}/autoreconf | ||
| 12 | blacklist ${PATH}/autoscan | ||
| 13 | blacklist ${PATH}/autoupdate | ||
| 14 | blacklist ${PATH}/ifnames | ||
| 15 | blacklist ${PATH}/aclocal* | ||
| 16 | blacklist ${PATH}/automake* | ||
| 17 | blacklist ${PATH}/dh_* | ||
| 18 | blacklist ${PATH}/m4 | ||
| 19 | |||
| 20 | # patch | ||
| 21 | blacklist ${PATH}/patch | ||
| 22 | blacklist ${PATH}/patchview | ||
| 23 | blacklist ${PATH}/espdiff | ||
| 24 | blacklist ${PATH}/elfedit | ||
| 25 | |||
| 26 | # expect | ||
| 27 | blacklist ${PATH}/expect* | ||
| 28 | blacklist ${PATH}/autoexpect | ||
| 29 | |||
| 7 | # clang/llvm | 30 | # clang/llvm |
| 8 | blacklist ${PATH}/clang* | 31 | blacklist ${PATH}/clang* |
| 9 | blacklist ${PATH}/lldb* | 32 | blacklist ${PATH}/lldb* |
| 10 | blacklist ${PATH}/llvm* | 33 | blacklist ${PATH}/llvm* |
| 11 | # see issue #2106 - it disables hardware acceleration in Firefox on Radeon GPU | 34 | # see issue #2106 - it disables hardware acceleration in Firefox on Radeon GPU |
| 12 | # blacklist /usr/lib/llvm* | 35 | # blacklist /usr/lib/llvm* |
| 36 | blacklist ${PATH}/scan-build | ||
| 37 | blacklist ${PATH}/analyze-build* | ||
| 38 | blacklist ${PATH}/asan_symbolize* | ||
| 39 | blacklist ${PATH}/bugpoint* | ||
| 40 | blacklist ${PATH}/c-index-test* | ||
| 41 | blacklist ${PATH}/llc* | ||
| 42 | blacklist ${PATH}/lli* | ||
| 13 | 43 | ||
| 14 | # GCC | 44 | # GCC |
| 15 | blacklist ${PATH}/as | 45 | blacklist ${PATH}/as |
| @@ -28,6 +58,12 @@ blacklist ${PATH}/*-gcc* | |||
| 28 | blacklist ${PATH}/*-g++* | 58 | blacklist ${PATH}/*-g++* |
| 29 | # seems to create problems on Gentoo | 59 | # seems to create problems on Gentoo |
| 30 | #blacklist /usr/lib/gcc | 60 | #blacklist /usr/lib/gcc |
| 61 | blacklist ${PATH}/elfedit | ||
| 62 | blacklist ${PATH}/gcov* | ||
| 63 | blacklist ${PATH}/gmake | ||
| 64 | blacklist ${PATH}/make | ||
| 65 | blacklist ${PATH}/make-first-existing-target | ||
| 66 | blacklist ${PATH}/x86_64-linux-gnu-* | ||
| 31 | 67 | ||
| 32 | #Go | 68 | #Go |
| 33 | blacklist ${PATH}/gccgo | 69 | blacklist ${PATH}/gccgo |
diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile index 41794d173..377c4e2e3 100644 --- a/etc/profile-a-l/default.profile +++ b/etc/profile-a-l/default.profile | |||
| @@ -46,12 +46,12 @@ seccomp | |||
| 46 | # private | 46 | # private |
| 47 | # private-bin program | 47 | # private-bin program |
| 48 | # private-cache | 48 | # private-cache |
| 49 | # private-dev | 49 | private-dev |
| 50 | # see /usr/share/doc/firejail/profile.template for more common private-etc paths. | 50 | # see /usr/share/doc/firejail/profile.template for more common private-etc paths. |
| 51 | # private-etc alternatives,fonts,machine-id | 51 | # private-etc alternatives,fonts,machine-id |
| 52 | # private-lib | 52 | # private-lib |
| 53 | # private-opt none | 53 | # private-opt none |
| 54 | # private-tmp | 54 | private-tmp |
| 55 | 55 | ||
| 56 | # dbus-user none | 56 | # dbus-user none |
| 57 | # dbus-system none | 57 | # dbus-system none |