From 0ea4ed8408f6fc506f9e4bef0f9e94fe14ea8d9c Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Sat, 16 Mar 2019 17:49:01 +0000 Subject: Seahorse revisited (#2600) * Refactor seahorse into a whitelist profile * Refactor seahorse-tool as a whitelist profile * Create seahorse-daemon.profile * Add seahorse-daemon to firecfg * Drop blacklist /tmp/.X11-unix from seahorse.profile Thanks to @rusty-snake for pointing out blacklisting /tmp/.X11-unix is ridiculous for GUI's. * Add non-GUI option to seahorse-daemon --- etc/seahorse-daemon.profile | 15 +++++++++++++++ etc/seahorse-tool.profile | 13 ++----------- etc/seahorse.profile | 45 ++++++++++++++++++++++++++++++++++++++++----- src/firecfg/firecfg.config | 1 + 4 files changed, 58 insertions(+), 16 deletions(-) create mode 100644 etc/seahorse-daemon.profile diff --git a/etc/seahorse-daemon.profile b/etc/seahorse-daemon.profile new file mode 100644 index 000000000..1beb0edc6 --- /dev/null +++ b/etc/seahorse-daemon.profile @@ -0,0 +1,15 @@ +# Firejail profile for seahorse-daemon +# Description: PGP encryption and signing +# This file is overwritten after every install/update +# Persistent local customizations +include seahorse-daemon.local +# Persistent global definitions +# added by included profile +#include globals.local + +blacklist /tmp/.X11-unix + +memory-deny-write-execute + +# Redirect +include seahorse.profile diff --git a/etc/seahorse-tool.profile b/etc/seahorse-tool.profile index 2e792c8e0..96f365a4b 100644 --- a/etc/seahorse-tool.profile +++ b/etc/seahorse-tool.profile @@ -7,20 +7,11 @@ include seahorse-tool.local # added by included profile #include globals.local -# dconf -noblacklist ${HOME}/.config/dconf +noblacklist ${DOWNLOADS} -include disable-exec.inc -include disable-xdg.inc -include whitelist-var-common.inc - -apparmor -ipc-namespace - -disable-mnt private-tmp memory-deny-write-execute # Redirect -include gpg.profile +include seahorse.profile diff --git a/etc/seahorse.profile b/etc/seahorse.profile index 83aeb6aec..cd9f6c767 100644 --- a/etc/seahorse.profile +++ b/etc/seahorse.profile @@ -4,22 +4,57 @@ # Persistent local customizations include seahorse.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local # dconf noblacklist ${HOME}/.config/dconf +whitelist ${HOME}/.config/dconf + +# gpg +mkdir ${HOME}/.gnupg +noblacklist ${HOME}/.gnupg +whitelist ${HOME}/.gnupg # ssh +whitelist /etc/ld.so.preload noblacklist /etc/ssh +whitelist /etc/ssh noblacklist /tmp/ssh-* +whitelist /tmp/ssh-* +mkdir ${HOME}/.ssh noblacklist ${HOME}/.ssh +whitelist ${HOME}/.ssh +include disable-common.inc +include disable-devel.inc include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-xdg.inc +include whitelist-common.inc include whitelist-var-common.inc apparmor -ipc-namespace +caps.drop all +machine-id +netfilter +no3d +nodvd +nogroups +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +# shell none - causes gpg to hang +tracelog + +disable-mnt +private-cache +private-dev -# Redirect -include gpg.profile +writable-run-user diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index f1be8bfd9..7531206f5 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -432,6 +432,7 @@ scallion scribus sdat2img seahorse +seahorse-daemon seahorse-tool seamonkey seamonkey-bin -- cgit v1.2.3-70-g09d2