Diffstat (limited to 'etc')
-rw-r--r-- | etc/ids.config | 142 | ||||
-rw-r--r-- | etc/profile-a-l/chromium-common-hardened.inc.profile | 3 | ||||
-rw-r--r-- | etc/profile-a-l/code.profile | 39 | ||||
-rw-r--r-- | etc/profile-a-l/kodi.profile | 6 | ||||
-rw-r--r-- | etc/profile-m-z/minitube.profile | 2 | ||||
-rw-r--r-- | etc/templates/syscalls.txt | 30 |
6 files changed, 186 insertions, 36 deletions
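--- /dev/null
+++ b/etc/ids.config
@@ -0,0 +1,142 @@
+# /etc/firejail/ids.config - configuration file for Firejail's Intrusion Detection System
+# This config file is overwritten when a new version of Firejail is installed.
+# For global customization use /etc/firejail/ids.config.local.
+include ids.config.local
+#
+# Each line is a file or directory name such as
+# /usr/bin
+# or
+# ${HOME}/Desktop/*.desktop
+#
+# ${HOME} is expanded to the user's home directory, and * is the regular
+# globbing match for zero or more characters.
+#
+# File or directory names starting with ! are not scanned. For example
+# !${HOME}/.ssh/known_hosts
+# ${HOME}/.ssh
+# will scan all files in ~/.ssh directory with the exception of known_hosts
+
+### system executables ###
+/bin
+/sbin
+/usr/bin
+/usr/games
+/usr/libexec
+/usr/sbin
+
+### user executables ###
+#/opt
+#/usr/local
+
+### system libraries ###
+#/lib
+#/usr/lib
+#/usr/lib32
+#/usr/lib64
+#/usr/libx32
+
+### shells local ###
+# bash
+${HOME}/.bash_login
+${HOME}/.bash_logout
+${HOME}/.bash_profile
+${HOME}/.bashrc
+# fish
+${HOME}/.config/fish/config.fish
+# others
+${HOME}/.cshrc
+${HOME}/.kshrc
+${HOME}/.login
+${HOME}/.logout
+${HOME}/.profile
+${HOME}/.tcshrc
+# zsh
+${HOME}/.zlogin
+${HOME}/.zlogout
+${HOME}/.zshenv
+${HOME}/.zshprofile
+${HOME}/.zshrc
+
+### shells global ###
+# all
+/etc/dircolors
+/etc/environment
+/etc/profile
+/etc/profile.d
+/etc/shells
+/etc/skel
+# bash
+/etc/bash_completion*
+/etc/bash.bashrc
+/etc/bashrc
+# fish
+/etc/fish
+# ksh
+/etc/ksh.kshrc
+# tcsh
+/etc/complete.tcsh
+/etc/csh.cshrc
+/etc/csh.login
+/etc/csh.logout
+# zsh
+/etc/zlogin
+/etc/zlogout
+/etc/zprofile
+/etc/zshenv
+/etc/zshrc
+
+### X11 ###
+/etc/X11
+${HOME}/.xinitrc
+${HOME}/.xmodmaprc
+${HOME}/.xprofile
+${HOME}/.Xresources
+${HOME}/.xserverrc
+${HOME}/.Xsession
+${HOME}/.xsession
+${HOME}/.xsessionrc
+
+### window/desktop manager ###
+${HOME}/Desktop/*.desktop
+${HOME}/.config/autostart
+${HOME}/.config/lxsession/LXDE/autostart
+${HOME}/.gnomerc
+${HOME}/.gtkrc
+${HOME}/.kderc
+
+### security ###
+/etc/aide
+/etc/apparmor*
+/etc/chkrootkit.conf
+/etc/cracklib
+/etc/libaudit.conf
+/etc/group*
+/etc/gshadow*
+/etc/pam.*
+/etc/passwd*
+/etc/rkhunter*
+/etc/securetty
+/etc/security
+/etc/selinux
+/etc/shadow*
+/etc/sudoers*
+/etc/tripwire
+${HOME}/.config/firejail
+${HOME}/.gnupg
+
+### network security ###
+/etc/ca-certificates*
+/etc/hosts.*
+/etc/services
+/etc/snort
+/etc/ssh
+/etc/ssl
+/etc/wireshark
+!${HOME}/.ssh/known_hosts # excluding
+${HOME}/.ssh
+/usr/share/ca-certificates
+
+### system config ###
+/etc/cron.*
+/etc/crontab
+/etc/default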
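Review bot: The exclusion on line 135, `!${HOME}/.ssh/known_hosts # excluding`, carries an inline comment, while the header (lines 6–17) documents only whole-line `#` comments; unless the parser strips trailing comments, the entry becomes a path that never matches and known_hosts is scanned after all, which is harmless here but would silently defeat any later exclusion written the same way. Put the comment on its own line, `# excluding known_hosts, which presumably changes with normal use`, followed by a bare `!${HOME}/.ssh/known_hosts`. Separately, `/etc/hosts.*` on line 129 matches hosts.allow and hosts.deny but not `/etc/hosts` itself, and `/etc/resolv.conf` and `/etc/nsswitch.conf` are absent from the network section although all three steer name resolution; if that omission is intentional, a one-line comment saying so would stop it being re-raised.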
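--- a/etc/profile-a-l/chromium-common-hardened.inc.profile
+++ b/etc/profile-a-l/chromium-common-hardened.inc.profile
@@ -6,5 +6,4 @@ caps.drop all
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
-# kcmp is required for ozone-platform=wayland, see #3783.
-seccomp !chroot,!kcmp
+seccomp !chroot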
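Review bot: Dropping `!kcmp` from the seccomp line puts kcmp back on the blocked list for every profile that includes this file, yet the removed comment said it is required for ozone-platform=wayland (#3783) and nothing in the hunk records why that no longer holds; presumably the default seccomp filter now permits kcmp, which should be confirmed before merging since the same removal is made in etc/profile-m-z/minitube.profile. If that is the reason, keep a one-line trace of it, e.g. `# kcmp (needed for ozone-platform=wayland, #3783) is no longer blocked by the default seccomp list`, so the exception is not reintroduced by the next reader of #3783. If instead kcmp is meant to be blocked again, the Wayland case from that issue needs re-testing.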
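--- a/etc/profile-a-l/code.profile
+++ b/etc/profile-a-l/code.profile
@@ -5,6 +5,21 @@ include code.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore include disable-devel.inc
+ignore include disable-exec.inc
+ignore include disable-interpreters.inc
+ignore include disable-xdg.inc
+ignore whitelist ${DOWNLOADS}
+ignore include whitelist-common.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore apparmor
+ignore disable-mnt
+ignore dbus-user none
+ignore dbus-system none
+
 noblacklist ${HOME}/.config/Code
 noblacklist ${HOME}/.config/Code - OSS
 noblacklist ${HOME}/.vscode
@@ -13,31 +28,13 @@ noblacklist ${HOME}/.vscode-oss
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
 
-include disable-common.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
 nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-
-private-cache
-private-dev
-private-tmp
 
 # Disabling noexec ${HOME} for now since it will
 # probably interfere with running some programmes
 # in VS Code
 # noexec ${HOME}
 noexec /tmp
+
+# Redirect
+include electron.profile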
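Review bot: The `ignore` block on lines 8–21 is labelled only `# Disabled until someone reported positive feedback`, which does not tell a reader that none of the ignored directives appear among the removed lines of the old standalone profile (the deleted lines 16–37 visible here carry no whitelist, disable-devel/exec/interpreters/xdg, apparmor, disable-mnt or dbus filtering), so the block appears to hold the sandbox at its previous level while the new `include electron.profile` supplies the rest. Because electron.profile is outside this diff, it should be checked that it restores every hardening option deleted here (`caps.drop all`, `nonewprivs`, `noroot`, `seccomp`, `private-dev`, `private-tmp`, and the rest of lines 16–37), and that `nosound` is kept on line 31 because electron.profile does not set it. Suggest a comment that states the intent, e.g. `# Disabled until someone reports positive feedback; these keep the sandbox at the level of the previous standalone profile`. Of the ignored lines, `ignore dbus-user none` has the widest effect (an unfiltered session bus), so it is the one worth tracking separately once feedback arrives.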
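--- a/etc/profile-a-l/kodi.profile
+++ b/etc/profile-a-l/kodi.profile
@@ -12,6 +12,12 @@ ignore noexec ${HOME}
 #ignore nogroups
 #ignore noroot
 #ignore private-dev
+# Add the following to your kodi.local if you use the Lutris Kodi Addon
+#noblacklist /sbin
+#noblacklist /usr/sbin
+#noblacklist ${HOME}/.cache/lutris
+#noblacklist ${HOME}/.config/lutris
+#noblacklist ${HOME}/.local/share/lutris
 
 noblacklist ${HOME}/.kodi
 noblacklist ${MUSIC}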
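Review bot: The commented-out `#noblacklist /sbin` and `#noblacklist /usr/sbin` on lines 16–17 tell users to expose the entire system-administration binary directories to the Kodi sandbox, but the comment on line 15 does not say which Lutris component needs them, so a user cannot judge whether a narrower entry would do or whether the two lines are needed at all. Suggest naming it in the comment, e.g. `# Add the following to your kodi.local if you use the Lutris Kodi Addon (the addon runs <TOOL> from /sbin or /usr/sbin)`, with `<TOOL>` filled in by whoever tested the addon.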
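--- a/etc/profile-m-z/minitube.profile
+++ b/etc/profile-m-z/minitube.profile
@@ -47,7 +47,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp !kcmp
+seccomp
 shell none
 tracelog
 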
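--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -89,18 +89,24 @@ Inheritance of groups
 What to do if seccomp breaks a program
 --------------------------------------
 
+Start `journalctl --grep=SECCOMP --follow` in a terminal and run
+`firejail --seccomp-error-action=log /path/to/program` in a second terminal.
+Now switch back to the first terminal (where `journalctl` is running) and look
+for the numbers of the blocked syscall(s) (`syscall=<NUMBER>`). As soon as you
+have found them, you can stop `journalctl` (^C) and execute
+`firejail --debug-syscalls | grep NUMBER` to get the name of the syscall.
+In the particular case that it is a 32bit syscall on a 64bit system, use `ausyscall i386 NUMBER`.
+Now you can add a seccomp exception using `seccomp !NAME`.
+
+If the blocked syscall is ptrace, consider to add allow-debuggers to the profile.
+
 ```
-$ journalctl --grep=syscall --follow
-<...> audit[…]: SECCOMP <...> syscall=161 <...>
-$ firejail --debug-syscalls | grep 161
-161 - chroot
+term1$ journalctl --grep=SECCOMP --follow
+term2$ firejail --seccomp-error-action=log /usr/bin/signal-desktop
+term1$ (journalctl --grep=SECCOMP --follow)
+audit[1234]: SECCOMP ... comm="signal-desktop" exe="/usr/bin/signal-desktop" sig=31 arch=c000003e syscall=161 ...
+^C
+term1$ firejail --debug-syscalls | grep "^161[[:space:]]"
+161 - chroot
 ```
 Profile: `seccomp -> seccomp !chroot`
-
-Start `journalctl --grep=syscall --follow` in a terminal, then start the broken
-program. Now you see one or more long lines containing `syscall=NUMBER` somewhere.
-Stop journalctl (^C) and execute `firejail --debug-syscalls | grep NUMBER`. You
-will see something like `NUMBER - NAME`, because you now know the name of the
-syscall, you can add an exception to seccomp by putting `!NAME` to seccomp.
-
-If the blocked syscall is ptrace, consider to add allow-debuggers to the profile.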