diff options
Diffstat (limited to 'etc')
| -rw-r--r-- | etc/dig.profile | 3 | ||||
| -rw-r--r-- | etc/disable-common.inc | 3 | ||||
| -rw-r--r-- | etc/firejail-default | 18 | ||||
| -rw-r--r-- | etc/k3b.profile | 13 | ||||
| -rw-r--r-- | etc/wine.profile | 7 |
5 files changed, 26 insertions, 18 deletions
diff --git a/etc/dig.profile b/etc/dig.profile index e609105b4..af71ff17f 100644 --- a/etc/dig.profile +++ b/etc/dig.profile | |||
| @@ -46,7 +46,8 @@ private | |||
| 46 | private-bin bash,dig,sh | 46 | private-bin bash,dig,sh |
| 47 | private-cache | 47 | private-cache |
| 48 | private-dev | 48 | private-dev |
| 49 | private-lib | 49 | # Uncomment the next line (or put 'private-lib' in your dig.local) on non Debian/Ubuntu OS (see issue #3038) |
| 50 | #private-lib | ||
| 50 | private-tmp | 51 | private-tmp |
| 51 | 52 | ||
| 52 | memory-deny-write-execute | 53 | memory-deny-write-execute |
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 96957eeaf..b2837b443 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
| @@ -315,6 +315,7 @@ blacklist ${HOME}/.config/keybase | |||
| 315 | blacklist ${HOME}/.davfs2/secrets | 315 | blacklist ${HOME}/.davfs2/secrets |
| 316 | blacklist ${HOME}/.ecryptfs | 316 | blacklist ${HOME}/.ecryptfs |
| 317 | blacklist ${HOME}/.fetchmailrc | 317 | blacklist ${HOME}/.fetchmailrc |
| 318 | blacklist ${HOME}/.fscrypt | ||
| 318 | blacklist ${HOME}/.git-credential-cache | 319 | blacklist ${HOME}/.git-credential-cache |
| 319 | blacklist ${HOME}/.git-credentials | 320 | blacklist ${HOME}/.git-credentials |
| 320 | blacklist ${HOME}/.gnome2/keyrings | 321 | blacklist ${HOME}/.gnome2/keyrings |
| @@ -335,6 +336,7 @@ blacklist ${HOME}/.local/share/pki | |||
| 335 | blacklist ${HOME}/.smbcredentials | 336 | blacklist ${HOME}/.smbcredentials |
| 336 | blacklist ${HOME}/.ssh | 337 | blacklist ${HOME}/.ssh |
| 337 | blacklist ${HOME}/.vaults | 338 | blacklist ${HOME}/.vaults |
| 339 | blacklist /.fscrypt | ||
| 338 | blacklist /etc/davfs2/secrets | 340 | blacklist /etc/davfs2/secrets |
| 339 | blacklist /etc/group+ | 341 | blacklist /etc/group+ |
| 340 | blacklist /etc/group- | 342 | blacklist /etc/group- |
| @@ -348,6 +350,7 @@ blacklist /etc/shadow+ | |||
| 348 | blacklist /etc/shadow- | 350 | blacklist /etc/shadow- |
| 349 | blacklist /etc/ssh | 351 | blacklist /etc/ssh |
| 350 | blacklist /home/.ecryptfs | 352 | blacklist /home/.ecryptfs |
| 353 | blacklist /home/.fscrypt | ||
| 351 | blacklist /var/backup | 354 | blacklist /var/backup |
| 352 | 355 | ||
| 353 | # cloud provider configuration | 356 | # cloud provider configuration |
diff --git a/etc/firejail-default b/etc/firejail-default index e7831e145..a012f5440 100644 --- a/etc/firejail-default +++ b/etc/firejail-default | |||
| @@ -22,12 +22,11 @@ dbus, | |||
| 22 | 22 | ||
| 23 | ########## | 23 | ########## |
| 24 | # With ptrace it is possible to inspect and hijack running programs. | 24 | # With ptrace it is possible to inspect and hijack running programs. |
| 25 | # Some browsers are also using ptrace for their sandboxing. | ||
| 26 | ########## | 25 | ########## |
| 27 | # Uncomment this line to allow all ptrace access | 26 | # Uncomment this line to allow all ptrace access |
| 28 | #ptrace, | 27 | #ptrace, |
| 29 | # Allow obtaining some process information, but not ptrace(2) | 28 | # Allow obtaining some process information, but not ptrace(2) |
| 30 | ptrace (read,readby) peer=firejail-default, | 29 | ptrace (read,readby) peer=@{profile_name}, |
| 31 | 30 | ||
| 32 | ########## | 31 | ########## |
| 33 | # Allow read access to whole filesystem and control it from firejail. | 32 | # Allow read access to whole filesystem and control it from firejail. |
| @@ -46,9 +45,6 @@ ptrace (read,readby) peer=firejail-default, | |||
| 46 | ########## | 45 | ########## |
| 47 | owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w, | 46 | owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w, |
| 48 | owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w, | 47 | owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w, |
| 49 | owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/*.slave-socket w, | ||
| 50 | owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/orcexec.* w, | ||
| 51 | |||
| 52 | owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w, | 48 | owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w, |
| 53 | 49 | ||
| 54 | # Allow writing to removable media | 50 | # Allow writing to removable media |
| @@ -58,9 +54,6 @@ owner /{,var/}run/media/** w, | |||
| 58 | /{,var/}run/systemd/journal/socket w, | 54 | /{,var/}run/systemd/journal/socket w, |
| 59 | /{,var/}run/systemd/journal/dev-log w, | 55 | /{,var/}run/systemd/journal/dev-log w, |
| 60 | 56 | ||
| 61 | # Needed for wine | ||
| 62 | /{,var/}run/firejail/profile/@{PID} w, | ||
| 63 | |||
| 64 | # Allow access to cups printing socket. | 57 | # Allow access to cups printing socket. |
| 65 | /{,var/}run/cups/cups.sock w, | 58 | /{,var/}run/cups/cups.sock w, |
| 66 | 59 | ||
| @@ -94,8 +87,10 @@ deny /proc/@{PID}/oom_score_adj w, | |||
| 94 | ########## | 87 | ########## |
| 95 | # Blacklist specific sensitive paths. | 88 | # Blacklist specific sensitive paths. |
| 96 | ########## | 89 | ########## |
| 97 | # Common backup directory | 90 | deny /**/.fscrypt/ rw, |
| 98 | deny /**/.snapshots/ rwx, | 91 | deny /**/.fscrypt/** rwklmx, |
| 92 | deny /**/.snapshots/ rw, | ||
| 93 | deny /**/.snapshots/** rwklmx, | ||
| 99 | 94 | ||
| 100 | ########## | 95 | ########## |
| 101 | # Allow all networking functionality, and control it from Firejail. | 96 | # Allow all networking functionality, and control it from Firejail. |
| @@ -111,7 +106,8 @@ network packet, | |||
| 111 | ########## | 106 | ########## |
| 112 | # There is no equivalent in Firejail for filtering signals. | 107 | # There is no equivalent in Firejail for filtering signals. |
| 113 | ########## | 108 | ########## |
| 114 | signal, | 109 | signal (send) peer=@{profile_name}, |
| 110 | signal (receive), | ||
| 115 | 111 | ||
| 116 | ########## | 112 | ########## |
| 117 | # We let Firejail deal with capabilities, but ensure that | 113 | # We let Firejail deal with capabilities, but ensure that |
diff --git a/etc/k3b.profile b/etc/k3b.profile index 60da458ab..0c1da7ae1 100644 --- a/etc/k3b.profile +++ b/etc/k3b.profile | |||
| @@ -20,17 +20,18 @@ include disable-xdg.inc | |||
| 20 | 20 | ||
| 21 | include whitelist-var-common.inc | 21 | include whitelist-var-common.inc |
| 22 | 22 | ||
| 23 | caps.drop all | 23 | caps.keep ipc_lock,sys_nice,sys_rawio,sys_resource |
| 24 | # net none | ||
| 24 | netfilter | 25 | netfilter |
| 25 | no3d | 26 | no3d |
| 26 | nonewprivs | 27 | # nonewprivs - breaks privileged helpers |
| 27 | noroot | 28 | # noroot - breaks privileged helpers |
| 28 | nosound | 29 | nosound |
| 29 | notv | 30 | notv |
| 30 | novideo | 31 | novideo |
| 31 | protocol unix | 32 | # protocol unix - breaks privileged helpers |
| 32 | seccomp | 33 | # seccomp - breaks privileged helpers |
| 33 | shell none | 34 | shell none |
| 34 | tracelog | ||
| 35 | 35 | ||
| 36 | private-dev | ||
| 36 | # private-tmp | 37 | # private-tmp |
diff --git a/etc/wine.profile b/etc/wine.profile index 192c375cd..29e79c3f5 100644 --- a/etc/wine.profile +++ b/etc/wine.profile | |||
| @@ -15,13 +15,20 @@ noblacklist ${HOME}/.wine | |||
| 15 | include disable-common.inc | 15 | include disable-common.inc |
| 16 | include disable-devel.inc | 16 | include disable-devel.inc |
| 17 | include disable-interpreters.inc | 17 | include disable-interpreters.inc |
| 18 | include disable-passwdmgr.inc | ||
| 18 | include disable-programs.inc | 19 | include disable-programs.inc |
| 19 | 20 | ||
| 21 | # uncomment next line if seccomp breaks a program | ||
| 22 | # allow-debuggers | ||
| 20 | caps.drop all | 23 | caps.drop all |
| 24 | # net none | ||
| 21 | netfilter | 25 | netfilter |
| 22 | nodvd | 26 | nodvd |
| 23 | nogroups | 27 | nogroups |
| 24 | nonewprivs | 28 | nonewprivs |
| 25 | noroot | 29 | noroot |
| 26 | notv | 30 | notv |
| 31 | # novideo | ||
| 27 | seccomp | 32 | seccomp |
| 33 | |||
| 34 | private-dev | ||