path: root/etc
Commit message (Author, Age)
* keepassxc: allow all browsers, not just firefox (rusty-snake, 2021-02-02)
    ungoogled-chromium won't work with keepassxc (#3941)
* Add profile for avidemux (#3935) (Neo00001, 2021-01-31)
    * Update disable-programs.inc
    * Update disable-programs.inc
    * Update firecfg.config
    * Create avidemux.profile
    * Update avidemux.profile
* Disable the webkit2gtk-4.0 sandbox in bijiben (rusty-snake, 2021-01-31)
    webkit2gtk uses a bwrap based sandbox by default since 4.0, see #3647. This is good as it means more security by default for Linux systems. Unfortunately it is not possible at all to run bwrap inside firejail if bwrap is started with --unshare-pid --proc /proc.

    In general we should exclude a program from firecfg until a final solution is found. But bijiben is special: while epiphany or evolution display random stuff from the internet, webkit2gtk in bijiben is used to display local files created by the user. Bijiben has a tight profile (net none, whitelist, private-bin, ...), therefore my decision here was to disable the webkit2gtk sandbox rather than firejail.
* add quiet to lzdiff/lzmadec (#3932) (glitsj16, 2021-01-30)
    * add quiet to lzdiff
    * add quiet to lzmadec
* Merge pull request #3931 from glitsj16/follow-up-3914 (glitsj16, 2021-01-30)
    follow-up fixes for #3914
  * follow-up fixes for https://github.com/netblue30/firejail/commit/43aa71f8c608ec5bd92fd2c7323c603fa37f6d30 (glitsj16, 2021-01-29)
* Merge pull request #3885 from kmk3/fix-ssh (glitsj16, 2021-01-30)
    ssh: Refactor, fix bugs & harden
  * disable-common.inc: add missing openssh paths (Kelvin M. Klann, 2021-01-27)
    The paths are taken from ssh(1) and sshd(8).

        $ pacman -Q openssh
        openssh 8.4p1-2

    These are only used by sshd(8), so always blacklist them:

    * ~/.rhosts: controls remote access to the local machine
    * ~/.shosts: same as above
    * ~/.ssh/authorized_keys: same as above
    * ~/.ssh/authorized_keys2: same as above
    * ~/.ssh/environment: potentially allows arbitrary command execution on the local machine
    * ~/.ssh/rc: allows arbitrary command execution on the local machine
    * /etc/hosts.equiv: system-wide equivalent of ~/.rhosts

    Note: There are files in /etc/ssh that are equivalent to some of the above ones, but they are already blocked by `blacklist /etc/ssh/*`.

    Note2: From sshd(8):

    > If the file ~/.ssh/rc exists, sh(1) runs it after reading the
    > environment files but before starting the user's shell or command.

    So even if the user shell is set to /usr/bin/firejail and disable-common.inc is loaded, this patch shouldn't interfere with sshd.

    This file is actually used by ssh(1), so just mark it read-only:

    * ~/.ssh/config: allows arbitrary command execution on the remote machine (with e.g.: RemoteCommand) and also defines the connection strength

    Since version 7.3p1 (released on 2016-08-01), openssh supports including other config files on ssh_config(5)[1][2]. This is the conventional path for storing them[3], so mark it read-only:

    * ~/.ssh/config.d: same as above

    P.S. See also the explanation on the commit b5542fc94 ("disable-common.inc: read-only access to ~/.ssh/authorized_keys"), which last touched/added the "Remote access" section.

    [1]: https://anongit.mindrot.org/openssh.git/commit/?id=dc7990be865450574c7940c9880567f5d2555b37
    [2]: https://www.openssh.com/txt/release-7.3
    [3]: https://superuser.com/a/1142813
  * allow-ssh.inc: allow access to ssh-agent(1) (Kelvin M. Klann, 2021-01-27)
    Leaving it limited to only ssh, ssh-agent and seahorse by default seems unnecessarily restrictive.

    From ssh(1):

    > The most convenient way to use public key or certificate
    > authentication may be with an authentication agent. See ssh-agent(1)
    > and (optionally) the AddKeysToAgent directive in ssh_config(5) for
    > more information.

        $ pacman -Q openssh
        openssh 8.4p1-2

    With ssh-agent(1) running in the background (and with the private key(s) loaded through ssh-add(1)), ssh(1) doesn't need direct access to the actual key pair(s), so you could probably get away with this on allow-ssh.local:

        ignore noblacklist ${HOME}/.ssh
        noblacklist ${HOME}/.ssh/config
        noblacklist ${HOME}/.ssh/config.d
        noblacklist ${HOME}/.ssh/known_hosts

    And then this on the profiles of ssh key pair managers, such as seahorse.local:

        noblacklist ${HOME}/.ssh
  * ssh: deny access to the rest of /etc/ssh/* (Kelvin M. Klann, 2021-01-27)
    ssh_config (allowed on allow-ssh.inc) is the only file in /etc/ssh that is used by ssh(1). The other paths are only used by sshd(8), so stop allowing them on ssh.profile and ssh-agent.profile.

    Path examples from sshd(8):

    * /etc/ssh/moduli
    * /etc/ssh/ssh_host_ecdsa_key
    * /etc/ssh/ssh_host_ecdsa_key.pub
    * /etc/ssh/ssh_known_hosts
    * /etc/ssh/sshd_config
    * /etc/ssh/sshrc

        $ pacman -Q openssh
        openssh 8.4p1-2
  * allow-ssh.inc: allow /etc/ssh/ssh_config (Kelvin M. Klann, 2021-01-27)
    This is the system-wide equivalent of ~/.ssh/config.

        $ pacman -Q openssh
        openssh 8.4p1-2

    Reasons for blacklisting both /etc/ssh and /etc/ssh/* on disable-common.inc:

    Leave /etc/ssh that way so that profiles without allow-ssh.inc remain unable to see inside of /etc/ssh. And blacklist /etc/ssh/* so that profiles with allow-ssh.inc are able to access only nonblacklisted files inside of /etc/ssh.
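The interplay of the two blacklist lines in that commit can be checked without a running sandbox. What follows is an added example, not firejail's own code or its profile parser: a small POSIX sh model of how `noblacklist` and `blacklist` directives, read top to bottom, decide what a sandboxed process can see under /etc/ssh. The directory listing `FS` is constructed stand-in data, and the rules are a deliberate simplification (exact-path exemptions, shell-glob expansion against `FS`, a hidden directory hides everything below it, and a `noblacklist` only counts when it precedes the `blacklist`, which is the order firejail requires and the reason allow-*.inc files are included before disable-*.inc).

```shell
#!/bin/sh
# Added example: simplified model of firejail blacklist/noblacklist resolution
# for /etc/ssh. Not firejail's code; rules are intentionally simplified.

# Constructed stand-in for what a host typically has under /etc/ssh.
FS='/etc/ssh
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/etc/ssh/moduli
/etc/ssh/ssh_host_ecdsa_key'

# The two lines disable-common.inc contributes (from the commit above).
DISABLE_COMMON='blacklist /etc/ssh
blacklist /etc/ssh/*'

# A profile that includes allow-ssh.inc before disable-common.inc:
# the exemptions come first, so they take effect.
SSH_PROFILE="noblacklist /etc/ssh
noblacklist /etc/ssh/ssh_config
$DISABLE_COMMON"

# Same directives, wrong order: the exemption arrives after the blacklist.
LATE_NOBLACKLIST="$DISABLE_COMMON
noblacklist /etc/ssh/ssh_config"

# visibility DIRECTIVES PATH -> prints "hidden" or "visible".
# A noblacklist records an exempt path; a blacklist expands its pattern
# against FS and hides every match not exempted earlier; a hidden directory
# hides all paths below it.
visibility() {
  target=$2
  exempt=' '
  hidden=' '
  while read -r cmd arg; do
    case "$cmd" in
      noblacklist)
        exempt="$exempt$arg "
        ;;
      blacklist)
        for f in $FS; do
          # $arg is left unquoted so the shell treats it as a glob pattern
          case "$f" in $arg) ;; *) continue ;; esac
          case "$exempt" in *" $f "*) continue ;; esac
          hidden="$hidden$f "
        done
        ;;
    esac
  done <<EOF
$1
EOF
  for h in $hidden; do
    case "$target" in "$h"|"$h"/*) echo hidden; return 0 ;; esac
  done
  echo visible
}

# Demonstration over the three interesting paths.
for p in /etc/ssh /etc/ssh/ssh_config /etc/ssh/sshd_config; do
  printf '%-24s disable-common only: %-8s with allow-ssh: %s\n' "$p" \
    "$(visibility "$DISABLE_COMMON" "$p")" "$(visibility "$SSH_PROFILE" "$p")"
done
```

Running it shows the split the commit describes: without allow-ssh.inc the whole of /etc/ssh is hidden, with it only ssh_config becomes visible while sshd_config, moduli and the host keys stay hidden; `LATE_NOBLACKLIST` shows that a `noblacklist` placed after the `blacklist` changes nothing.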
  * etc: add allow-ssh.inc (Kelvin M. Klann, 2021-01-27)
    And move the scattered `noblacklist ${HOME}/.ssh` entries into it.

    Command used to find the relevant files:

        $ grep -Fnr 'noblacklist ${HOME}/.ssh' etc

    Also, add it to profile.template, as reminded by @rusty-snake at https://github.com/netblue30/firejail/pull/3885#pullrequestreview-567527031
  * git-cola.profile: add missing python template comment (Kelvin M. Klann, 2021-01-27)
    See etc/templates/profile.template.
  * ssh: move auth socket blacklist to disable-common.inc (Kelvin M. Klann, 2021-01-22)
    That was added on the commit e93fbf3bd ("disable ssh-agent sockets in disable-programs.inc").

    Currently, it's the only ssh-related entry on disable-programs.inc. Further, it seems that all the other socket blacklists live on disable-common.inc.

    Also, even though this socket does not necessarily allow arbitrary command execution on the local machine (like some paths on disable-common.inc do), it could still do so for remote systems.

    Put it above the "top secret" section, like the terminal sockets are above the terminal server section.
* Fix #3925 -- telegram-desktop launch browser for open URL (after update to 0.9.64.2) (rusty-snake, 2021-01-29)
* Add gfeeds directory for saved articles (rusty-snake, 2021-01-29)
* Merge pull request #3897 from nidamanx/patch-1 (rusty-snake, 2021-01-28)
    Update telegram.profile
  * Profile ordering/sorting as in profile.template (Nicola Davide Mannarelli, 2021-01-25)
  * Enhance security (Nicola Davide Mannarelli, 2021-01-25)
  * Update telegram.profile (Nicola Davide Mannarelli, 2021-01-17)
    Optimized "include whitelist-common.inc"
  * Update telegram.profile (Nicola Davide Mannarelli, 2021-01-17)
    Allow Telegram ONLY in .TelegramDesktop, .local/share/TelegramDesktop and Downloads
* add extensive comment on sandboxing google-earth-pro (#3923) (glitsj16, 2021-01-28)
* streamline 'Allow xxx' comments (#3922) (glitsj16, 2021-01-27)
    * add comment: allow python
    * add comment: allow python
    * reorder allow comments
    * fix perl allow comment
    * add comment: allow python
    * add comment: allow lua, perl & python
    * reorder allow comments
    * add comment: allow python
    * add comment: allow python
    * add comment: allow lua, perl & python
    * fix allow comments
    * add comment: allow python
    * add comment: allow python
    * fix spacing in comments
    * add comment: allow python
    * add comment: allow python
    * fix comment
    * add comment: allow perl & python
    * add comment: allow lua & python
    * add comment: allow lua, perl & python
    * fix allow comments
    * add comment: allow perl & python
    * streamline allow python comments
* merge/readme update (netblue30, 2021-01-25)
* Merge pull request #3853 from botherder/master (netblue30, 2021-01-25)
    New profile for CoyIM
  * Added additional whitelists (Nex, 2021-01-06)
  * Implementing some of the suggested changes from #3853 (Nex, 2020-12-29)
  * Added some more restrictions to coyim profile (Nex, 2020-12-29)
  * Added first profile for coyim (Nex, 2020-12-29)
* Merge pull request #3899 from rootalc/nolocal6 (netblue30, 2021-01-25)
    Create nolocal6.net
  * Create nolocal6.net (rootalc, 2021-01-18)
* Merge pull request #3918 from Neo00001/master (netblue30, 2021-01-25)
    Add profile for kdiff3
  * Update kdiff3.profile (Neo00001, 2021-01-24)
  * Create kdiff3.profile (Neo00001, 2021-01-24)
  * Update disable-programs.inc (Neo00001, 2021-01-24)
* fix #3914 (netblue30, 2021-01-24)
* Update vmware.profile (#3913) (Neo00001, 2021-01-24)
    * Update vmware.profile
      `private-etc` can be uncommented.
    * Update vmware.profile
* misc comment fixes (#3916) (glitsj16, 2021-01-24)
    * fix comment in blackbox.profile
    * fix comment in fluxbox.profile
    * fix comment in i3.profile
    * fix comment in krunner.profile
    * fix comment in openbox.profile
* refactor google-earth{-pro} (#3915) (glitsj16, 2021-01-23)
    * refactor google-earth{-pro} blacklisting
    * fix google-earth-pro.profile
      I've included all binaries found in the Arch Linux AUR package to private-bin. But I also added a note on ignoring private-bin because I'm not sure what google-earth is doing on other distros.
    * unbreak google-earth.profile
      Not sure why we need grep, ls and sed in private-bin exactly but keeping them around wouldn't hurt too much I guess.
* Update bibletime.profile, add new whitelist (#3908) (hhzek0014, 2021-01-22)
    To solve issue #3907, the doc directory of bibletime has to be whitelisted. Otherwise, it always fails to start.

    Co-authored-by: hhnb <hhnb@nanenient.cc>
* add new profile: pkglog (#3902) (glitsj16, 2021-01-18)
    * add pkglog to new profiles
    * Create pkglog.profile
    * Update README.md
    * fix ordering in pkglog.profile
    * drop extra whitespace in pkglog.profile
* harden plv.profile (#3901) (glitsj16, 2021-01-18)
* Add 'seccomp-error-action log' to profile.template (rusty-snake, 2021-01-18)
* Add profile for guvcview (rusty-snake, 2021-01-18)
* harden and fix cheese.profile (rusty-snake, 2021-01-18)
    hardening: wusc + wruc
    fix: settings was immutable
* Add new allow include allow-bin-sh.inc (rusty-snake, 2021-01-16)
    /bin/sh is usually just a symlink to bash. However this is not the case for every distro; debian for example uses dash. bash, dash and sh have a blacklist command in disable-shell.inc. A separate allow-*.inc for it ensures usage of all necessary noblacklists. For private-bin sh is enough because it follows symlinks.
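The distinction in that commit (a `noblacklist` must name the link target too, while `private-bin sh` resolves the symlink itself) is easy to see by walking the link chain of `sh`. The script below is an added example, not part of firejail or of allow-bin-sh.inc: it resolves `BINDIR/sh` through any symlink chain and prints every name a `noblacklist ${PATH}/<name>` line would have to cover. The two demonstration layouts are constructed in a temporary directory and only stand in for an Arch-style (sh -> bash) and a Debian-style (sh -> dash) /bin; the real system is not touched.

```shell
#!/bin/sh
# Added example (not firejail's code): list the names allow-bin-sh.inc has to
# noblacklist so that BINDIR/sh is usable: sh itself plus every link target.

# needed_shells BINDIR: print "sh" followed by the basename of each symlink
# target, following relative and absolute links until a regular file is hit.
needed_shells() {
  p="$1/sh"
  printf '%s\n' sh
  while [ -L "$p" ]; do
    t=$(readlink "$p")
    case "$t" in
      /*) ;;                          # absolute target: use as is
      *)  t="$(dirname "$p")/$t" ;;   # relative target: resolve against link dir
    esac
    printf '%s\n' "$(basename "$t")"
    p=$t
  done
}

# Constructed demonstration layouts in a temp dir (stand-ins for /bin).
demo=$(mktemp -d)
mkdir -p "$demo/arch" "$demo/debian"
: > "$demo/arch/bash";   ln -s bash "$demo/arch/sh"     # Arch-style:   sh -> bash
: > "$demo/debian/dash"; ln -s dash "$demo/debian/sh"   # Debian-style: sh -> dash

# Render the result as the profile lines a distro-agnostic include needs.
echo "arch-style /bin:";   needed_shells "$demo/arch"   | sed 's/^/  noblacklist ${PATH}\//'
echo "debian-style /bin:"; needed_shells "$demo/debian" | sed 's/^/  noblacklist ${PATH}\//'
rm -r "$demo"
```

The union of the two outputs (sh, bash, dash) is exactly why a single shared include is the right place for these entries: no one profile knows which shell `sh` will resolve to on the host it runs on.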
* newsboat: add lynx support (#3895) (altf_four, 2021-01-15)
    * newsboat: add lynx support
    * newsboat: fix using sort.py
    * newsboat: remove unneeded perms
* fix mdr.profile (glitsj16, 2021-01-13)
    Thanks @rusty-snake for [spotting](https://github.com/netblue30/firejail/commit/662ebd214b0a7874072381f5aaf3fbd322f0e460) this!
* new profile: qnapi (#3890) (glitsj16, 2021-01-13)
    * add new profile: qnapi
    * add new profile: qnapi
    * Create qnapi.profile
    * add qnapi configs
    * Update README.md
    * Update README.md
* add new profile: shotwell (#3889) (glitsj16, 2021-01-13)
    * new profile: shotwell
    * Create shotwell.profile
    * new profile: shotwell
    * add shotwell blacklists