From 1265803f63a2f7e5fcb778dac34efe7436eba8c1 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Wed, 16 Sep 2015 07:33:08 -0400
Subject: Default profiles work
---
 Makefile.in | 1 +
 RELNOTES | 9 ++++++++-
 configure | 18 +++++++++---------
 configure.ac | 2 +-
 etc/disable-common.inc | 20 ++++++++++++++++++++
 etc/fbreader.profile | 11 +++++++++++
 6 files changed, 50 insertions(+), 11 deletions(-)
 create mode 100644 etc/fbreader.profile
diff --git a/Makefile.in b/Makefile.in
index 10b057997..bb00a7911 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -100,6 +100,7 @@ realinstall:
 install -c -m 0644 etc/quassel.profile $(DESTDIR)/etc/firejail/.
 install -c -m 0644 etc/deadbeef.profile $(DESTDIR)/etc/firejail/.
 install -c -m 0644 etc/filezilla.profile $(DESTDIR)/etc/firejail/.
+ install -c -m 0644 etc/fbreader.profile $(DESTDIR)/etc/firejail/.
 bash -c "if [ ! -f /etc/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/etc/firejail/.; fi;"
 # man pages
 rm -f firejail.1.gz
diff --git a/RELNOTES b/RELNOTES
index 3c7b2dcdf..87497e538 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,4 +1,11 @@
-firejail (0.9.30) baseline; urgency=low
+ffirejail (0.9.31) baseline; urgency=low
+ * disable X11 autostart folders in default profiles
+ * disable subversion and git config files in home directory
+ * added FBReader default profile
+ -- netblue30 current development
+
+
+irejail (0.9.30) baseline; urgency=low
 * added a disable-history.inc profile as a result of Firefox PDF.js exploit;
 disable-history.inc included in all default profiles
 * Firefox PDF.js exploit (CVE-2015-4495) fixes
diff --git a/configure b/configure
index 2e95be9d2..56a08d0e7 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.30.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.31.
 #
 # Report bugs to .
 #
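Review bot: The added `install -c -m 0644 etc/fbreader.profile $(DESTDIR)/etc/firejail/.` line extends a hand-maintained per-profile list inside realinstall, so a profile dropped into etc/ but not listed here is silently never installed and users end up running that program unsandboxed by default. A single `install -c -m 0644 etc/*.profile $(DESTDIR)/etc/firejail/.` (the glob is expanded by the recipe's shell) would install every profile in the tree, or a `for` loop over `$(wildcard etc/*.profile)` if you want make to own the list. The new line also assumes `$(DESTDIR)/etc/firejail` already exists; I take it that directory is created earlier in the same target, which starts before this hunk and is not visible here.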
@@ -580,8 +580,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='firejail' PACKAGE_TARNAME='firejail' -PACKAGE_VERSION='0.9.30' -PACKAGE_STRING='firejail 0.9.30' +PACKAGE_VERSION='0.9.31' +PACKAGE_STRING='firejail 0.9.31' PACKAGE_BUGREPORT='netblue30@yahoo.com' PACKAGE_URL='http://firejail.sourceforge.net' @@ -1238,7 +1238,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures firejail 0.9.30 to adapt to many kinds of systems. +\`configure' configures firejail 0.9.31 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1299,7 +1299,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of firejail 0.9.30:";; + short | recursive ) echo "Configuration of firejail 0.9.31:";; esac cat <<\_ACEOF @@ -1389,7 +1389,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -firejail configure 0.9.30 +firejail configure 0.9.31 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1691,7 +1691,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by firejail $as_me 0.9.30, which was +It was created by firejail $as_me 0.9.31, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4102,7 +4102,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by firejail $as_me 0.9.30, which was +This file was extended by firejail $as_me 0.9.31, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -4156,7 +4156,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.30
+firejail config.status 0.9.31
 configured by $0, generated by GNU Autoconf 2.69,
 with options \\"\$ac_cs_config\\"
diff --git a/configure.ac b/configure.ac
index ff11d95b6..0ccba0a13 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.30, netblue30@yahoo.com, , http://firejail.sourceforge.net)
+AC_INIT(firejail, 0.9.31, netblue30@yahoo.com, , http://firejail.sourceforge.net)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index f4aea1b6a..984bbe628 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -20,3 +20,23 @@ blacklist ${HOME}/.remmina
 # Other
 blacklist ${HOME}/.tconn
+blacklist ${HOME}/.FBReader
+
+# X11 session autostart
+blacklist ${HOME}/.xinitrc
+blacklist ${HOME}/.xprofile
+blacklist ${HOME}/.config/autostart
+blacklist /etc/xdg/autostart
+blacklist ${HOME}/.kde4/Autostart
+blacklist ${HOME}/.kde/Autostart
+blacklist ${HOME}/.config/plasma-workspace/shutdown
+blacklist ${HOME}/.config/plasma-workspace/env
+blacklist ${HOME}/.config/lxsession/LXDE/autostart
+blacklist ${HOME}/.fluxbox/startup
+blacklist ${HOME}/.config/openbox/autostart
+blacklist ${HOME}/.config/openbox/environment
+
+# git, subversion
+blacklist ${HOME}/.subversion
+blacklist ${HOME}/.gitconfig
+blacklist ${HOME}/.git-credential-cache
diff --git a/etc/fbreader.profile b/etc/fbreader.profile
new file mode 100644
index 000000000..97baa2a3e
--- /dev/null
+++ b/etc/fbreader.profile
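Review bot: The new "git, subversion" section in disable-common.inc blacklists `${HOME}/.git-credential-cache` (the cache helper's socket directory) but not `${HOME}/.git-credentials`, the plain-text file written by `credential.helper store`, nor the XDG config location `${HOME}/.config/git`; adding `blacklist ${HOME}/.git-credentials` and `blacklist ${HOME}/.config/git` closes the more sensitive of the two gaps. The X11 autostart section likewise lists `.xinitrc` and `.xprofile` but not `${HOME}/.xsession`, which many display-manager session scripts execute in the same way. The fbreader profile in this commit also includes a disable-secret.inc I cannot see here, so if credential files are grouped there the git entries may belong in that file instead of disable-common.inc; worth checking for duplication. Because a deny-list is only as complete as its last edit, a one-line comment per section naming what it is meant to prevent, e.g. `# keep the sandboxed app from writing to session autostart hooks`, would help future additions land in the right place.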
@@ -0,0 +1,11 @@
+# fbreader profile
+noblacklist ${HOME}/.FBReader
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-history.inc
+caps.drop all
+seccomp
+netfilter
+noroot
+
-- 
cgit v1.2.3-54-g00ecf
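Review bot: `noblacklist ${HOME}/.FBReader` on the second line is undocumented even though it only makes sense together with the `blacklist ${HOME}/.FBReader` this same commit adds to disable-common.inc, and, as I read firejail's profile handling, its placement before the include lines is what lets it take effect. A comment such as `# re-allow the FBReader config dir that disable-common.inc blacklists; keep this above the includes` would stop a later reordering from silently breaking the application or, worse, leaving the exemption in place without the blacklist it was meant to narrow. The profile also keeps network access (`netfilter`) for a document reader that mostly opens local files; whether FBReader's network library features justify that over `net none` is a policy choice worth stating in a comment so the next maintainer does not have to guess.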