Diffstat (limited to 'etc')
-rw-r--r-- | etc/dig.profile | 3 | ||||
-rw-r--r-- | etc/disable-common.inc | 3 | ||||
-rw-r--r-- | etc/firejail-default | 18 | ||||
-rw-r--r-- | etc/k3b.profile | 13 | ||||
-rw-r--r-- | etc/wine.profile | 7 |
5 files changed, 26 insertions, 18 deletions
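--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -46,7 +46,8 @@ private
 private-bin bash,dig,sh
 private-cache
 private-dev
-private-lib
+# Uncomment the next line (or put 'private-lib' in your dig.local) on non Debian/Ubuntu OS (see issue #3038)
+#private-lib
 private-tmp
 
 memory-deny-write-execute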
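--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -315,6 +315,7 @@ blacklist ${HOME}/.config/keybase
 blacklist ${HOME}/.davfs2/secrets
 blacklist ${HOME}/.ecryptfs
 blacklist ${HOME}/.fetchmailrc
+blacklist ${HOME}/.fscrypt
 blacklist ${HOME}/.git-credential-cache
 blacklist ${HOME}/.git-credentials
 blacklist ${HOME}/.gnome2/keyrings
@@ -335,6 +336,7 @@ blacklist ${HOME}/.local/share/pki
 blacklist ${HOME}/.smbcredentials
 blacklist ${HOME}/.ssh
 blacklist ${HOME}/.vaults
+blacklist /.fscrypt
 blacklist /etc/davfs2/secrets
 blacklist /etc/group+
 blacklist /etc/group-
@@ -348,6 +350,7 @@ blacklist /etc/shadow+
 blacklist /etc/shadow-
 blacklist /etc/ssh
 blacklist /home/.ecryptfs
+blacklist /home/.fscrypt
 blacklist /var/backup
 
 # cloud provider configuration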
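Review bot: The three new `blacklist` entries cover only `${HOME}`, `/` and `/home`, but as far as I know fscrypt keeps its metadata (policies and the wrapped key protectors) in a `.fscrypt` directory at the root of every filesystem it manages, so an encrypted filesystem mounted anywhere else would still expose that directory inside the sandbox; the AppArmor side of this same commit covers that case with `deny /**/.fscrypt/ rw,`, which has no counterpart here. If the blacklist syntax cannot express a per-mountpoint pattern (I have not checked), a comment next to the new lines stating the limitation would help, e.g. `# fscrypt metadata lives in <mountpoint>/.fscrypt; only the usual mountpoints are covered here`.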
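--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -22,12 +22,11 @@ dbus,
 
 ##########
 # With ptrace it is possible to inspect and hijack running programs.
-# Some browsers are also using ptrace for their sandboxing.
 ##########
 # Uncomment this line to allow all ptrace access
 #ptrace,
 # Allow obtaining some process information, but not ptrace(2)
-ptrace (read,readby) peer=firejail-default,
+ptrace (read,readby) peer=@{profile_name},
 
 ##########
 # Allow read access to whole filesystem and control it from firejail.
@@ -46,9 +45,6 @@ ptrace (read,readby) peer=firejail-default,
 ##########
 owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w,
 owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w,
-owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/*.slave-socket w,
-owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/orcexec.* w,
-
 owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,
 
 # Allow writing to removable media
@@ -58,9 +54,6 @@ owner /{,var/}run/media/** w,
 /{,var/}run/systemd/journal/socket w,
 /{,var/}run/systemd/journal/dev-log w,
 
-# Needed for wine
-/{,var/}run/firejail/profile/@{PID} w,
-
 # Allow access to cups printing socket.
 /{,var/}run/cups/cups.sock w,
 
@@ -94,8 +87,10 @@ deny /proc/@{PID}/oom_score_adj w,
 ##########
 # Blacklist specific sensitive paths.
 ##########
-# Common backup directory
-deny /**/.snapshots/ rwx,
+deny /**/.fscrypt/ rw,
+deny /**/.fscrypt/** rwklmx,
+deny /**/.snapshots/ rw,
+deny /**/.snapshots/** rwklmx,
 
 ##########
 # Allow all networking functionality, and control it from Firejail.
@@ -111,7 +106,8 @@ network packet,
 ##########
 # There is no equivalent in Firejail for filtering signals.
 ##########
-signal,
+signal (send) peer=@{profile_name},
+signal (receive),
 
 ##########
 # We let Firejail deal with capabilities, but ensure that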
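Review bot: The rewritten deny block in the fourth hunk drops the `# Common backup directory` comment and adds the `.fscrypt` rules with none, so a reader of the profile no longer learns why either path is denied; a one-liner above `deny /**/.fscrypt/ rw,` such as `# fscrypt key metadata and common snapshot/backup directories` would restore that. The first and fifth hunks switch the peer from the literal `firejail-default` to `@{profile_name}`, which keeps the ptrace and signal rules correct if the profile is copied under another name. `signal (receive),` is left without a peer restriction, which matches the comment that Firejail does not filter signals, but it would be worth saying so on the line itself, e.g. `signal (receive), # any sender; firejail itself needs to signal the sandbox`, since the send side is now peer-restricted and the asymmetry otherwise looks accidental.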
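--- a/etc/k3b.profile
+++ b/etc/k3b.profile
@@ -20,17 +20,18 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
-caps.drop all
+caps.keep ipc_lock,sys_nice,sys_rawio,sys_resource
+# net none
 netfilter
 no3d
-nonewprivs
-noroot
+# nonewprivs - breaks privileged helpers
+# noroot - breaks privileged helpers
 nosound
 notv
 novideo
-protocol unix
-seccomp
+# protocol unix - breaks privileged helpers
+# seccomp - breaks privileged helpers
 shell none
-tracelog
 
+private-dev
 # private-tmp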
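Review bot: The hunk turns off `nonewprivs`, `noroot`, `seccomp` and `protocol unix` and keeps `sys_rawio` (close to root-equivalent) via `caps.keep`, yet the only explanation is the repeated `breaks privileged helpers`; none of the comments name the helpers or state that the sandbox is now mostly filesystem isolation with setuid helpers running unfiltered. Naming the helper in each comment, e.g. `# nonewprivs - breaks privileged helpers (<helper binary>)`, and adding a short warning at the top of the profile (the header is outside this hunk) would let the weakening be revisited when the helpers change. The removal of `tracelog` is a separate change that also silences blacklist-violation auditing; if it is not needed for the helpers it should stay.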
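--- a/etc/wine.profile
+++ b/etc/wine.profile
@@ -15,13 +15,20 @@ noblacklist ${HOME}/.wine
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
+include disable-passwdmgr.inc
 include disable-programs.inc
 
+# uncomment next line if seccomp breaks a program
+# allow-debuggers
 caps.drop all
+# net none
 netfilter
 nodvd
 nogroups
 nonewprivs
 noroot
 notv
+# novideo
 seccomp
+
+private-dev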
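Review bot: The new comment `# uncomment next line if seccomp breaks a program` above `# allow-debuggers` does not say what the option costs: `allow-debuggers` re-admits `ptrace` and `process_vm_readv` in the seccomp filter, so a user toggling it to fix one program is also letting sandboxed code trace other processes in the sandbox; `# uncomment next line if seccomp breaks a program (re-enables ptrace inside the sandbox)` would make the trade-off visible. `# novideo` is added commented out with no reason, unlike the annotated lines elsewhere in this commit. Separately, the firejail-default hunk in this same commit removes the AppArmor rule labelled `# Needed for wine`; whether wine.profile enables `apparmor` is outside this hunk, so it is worth confirming wine still starts under AppArmor after that removal.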