From 217d0e259470ed004db45b3508b03688556dc44a Mon Sep 17 00:00:00 2001
From: rusty-snake
Date: Sun, 2 Jun 2019 14:09:20 +0200
Subject: many profile cleanups
---
 etc/Xephyr.profile | 4 +---
 etc/Xvfb.profile | 3 +--
 etc/bitwarden.profile | 9 +++++----
 etc/brave-browser.profile | 1 -
 etc/brave.profile | 6 +++---
 etc/disable-programs.inc | 18 ++++++++----------
 etc/geary.profile | 12 +++++-------
 etc/gzip.profile | 13 +++++++++----
 etc/less.profile | 17 ++++++++++++-----
 etc/meld.profile | 1 +
 etc/midori.profile | 6 +++---
 etc/ms-skype.profile | 7 +++++--
 etc/pidgin.profile | 4 ++--
 etc/strings.profile | 23 ++++++++++++++++++-----
 etc/templates/redirect_alias-profile.template | 2 --
 etc/templates/syscalls.txt | 10 +++++-----
 etc/xlinks.profile | 2 +-
 etc/xpra.profile | 3 +--
 etc/youtube-dl.profile | 6 +++---
 etc/zpaq.profile | 1 -
 20 files changed, 83 insertions(+), 65 deletions(-)
diff --git a/etc/Xephyr.profile b/etc/Xephyr.profile
index b4325cd74..230a88472 100644
--- a/etc/Xephyr.profile
+++ b/etc/Xephyr.profile
@@ -14,9 +14,6 @@ include globals.local
 # or run "sudo firecfg"
 #
-
-blacklist /media
-
 whitelist /var/lib/xkb
 include whitelist-common.inc
@@ -34,6 +31,7 @@ protocol unix
 seccomp
 shell none
+disable-mnt
 # using a private home directory
 private
 # private-bin Xephyr,sh,xkbcomp
diff --git a/etc/Xvfb.profile b/etc/Xvfb.profile
index b2413ac73..3580f8336 100644
--- a/etc/Xvfb.profile
+++ b/etc/Xvfb.profile
@@ -17,8 +17,6 @@ include globals.local
 # some Linux distributions. Also, older versions of Xpra use Xvfb.
 #
-blacklist /media
-
 whitelist /var/lib/xkb
 include whitelist-common.inc
@@ -36,6 +34,7 @@ protocol unix
 seccomp
 shell none
+disable-mnt
 # using a private home directory
 private
 # private-bin Xvfb,sh,xkbcomp
diff --git a/etc/bitwarden.profile b/etc/bitwarden.profile
index 2a6fe9d42..609543e14 100644
--- a/etc/bitwarden.profile
+++ b/etc/bitwarden.profile
@@ -6,9 +6,10 @@ include bitwarden.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/Bitwarden
 ignore noexec /tmp
+noblacklist ${HOME}/.config/Bitwarden
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -17,11 +18,11 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-include whitelist-common.inc
-include whitelist-var-common.inc
-
+mkdir ${HOME}/.config/Bitwarden
 whitelist ${HOME}/.config/Bitwarden
 whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
 apparmor
 caps.drop all
diff --git a/etc/brave-browser.profile b/etc/brave-browser.profile
index 6d9d162fd..e223ecf87 100644
--- a/etc/brave-browser.profile
+++ b/etc/brave-browser.profile
@@ -1,6 +1,5 @@
 # Firejail profile alias for brave
 # This file is overwritten after every install/update
-
 # Redirect
 include brave.profile
diff --git a/etc/brave.profile b/etc/brave.profile
index cc003d49a..984fab5a8 100644
--- a/etc/brave.profile
+++ b/etc/brave.profile
@@ -6,6 +6,9 @@ include brave.local
 # Persistent global definitions
 include globals.local
+# noexec /tmp is included in chromium-common.profile and breaks Brave
+ignore noexec /tmp
+
 noblacklist ${HOME}/.config/brave
 noblacklist ${HOME}/.config/BraveSoftware
 # brave uses gpg for built-in password manager
@@ -17,8 +20,5 @@ whitelist ${HOME}/.config/brave
 whitelist ${HOME}/.config/BraveSoftware
 whitelist ${HOME}/.gnupg
-# noexec /tmp is included in chromium-common.profile and breaks Brave
-ignore noexec /tmp
-
 # Redirect
 include chromium-common.profile
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index c8e85cf1f..d03a709ca 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -197,6 +197,7 @@ blacklist ${HOME}/.config/katerc
 blacklist ${HOME}/.config/kateschemarc
 blacklist ${HOME}/.config/katesyntaxhighlightingrc
 blacklist ${HOME}/.config/katevirc
+blacklist ${HOME}/.config/kdeconnect
 blacklist ${HOME}/.config/kdenliverc
 blacklist ${HOME}/.config/kgetrc
 blacklist ${HOME}/.config/kid3rc
@@ -204,13 +205,12 @@ blacklist ${HOME}/.config/klavaro
 blacklist ${HOME}/.config/klipperrc
 blacklist ${HOME}/.config/kmail2rc
 blacklist ${HOME}/.config/kmailsearchindexingrc
-blacklist ${HOME}/.config/kritarc
-blacklist ${HOME}/.config/kwriterc
-blacklist ${HOME}/.config/kdeconnect
 blacklist ${HOME}/.config/knotesrc
 blacklist ${HOME}/.config/konversationrc
+blacklist ${HOME}/.config/kritarc
 blacklist ${HOME}/.config/ktorrentrc
 blacklist ${HOME}/.config/ktouch2rc
+blacklist ${HOME}/.config/kwriterc
 blacklist ${HOME}/.config/leafpad
 blacklist ${HOME}/.config/libreoffice
 blacklist ${HOME}/.config/liferea
@@ -275,17 +275,17 @@ blacklist ${HOME}/.config/smtube
 blacklist ${HOME}/.config/snox
 blacklist ${HOME}/.config/specialmailcollectionsrc
 blacklist ${HOME}/.config/spotify
-blacklist ${HOME}/.config/supertuxkart
 blacklist ${HOME}/.config/sqlitebrowser
 blacklist ${HOME}/.config/stellarium
+blacklist ${HOME}/.config/supertuxkart
 blacklist ${HOME}/.config/synfig
 blacklist ${HOME}/.config/telepathy-account-widgets
 blacklist ${HOME}/.config/torbrowser
 blacklist ${HOME}/.config/totem
 blacklist ${HOME}/.config/tox
 blacklist ${HOME}/.config/transgui
-blacklist ${HOME}/.config/truecraft
 blacklist ${HOME}/.config/transmission
+blacklist ${HOME}/.config/truecraft
 blacklist ${HOME}/.config/uGet
 blacklist ${HOME}/.config/uzbl
 blacklist ${HOME}/.config/viewnior
@@ -328,7 +328,6 @@ blacklist ${HOME}/.electron-cache
 blacklist ${HOME}/.electrum*
 blacklist ${HOME}/.elinks
 blacklist ${HOME}/.emacs
-blacklist ${HOME}/.emacs
 blacklist ${HOME}/.emacs.d
 blacklist ${HOME}/.ethereum
 blacklist ${HOME}/.etr
@@ -374,7 +373,6 @@ blacklist ${HOME}/.kde/share/apps/klatexformula
 blacklist ${HOME}/.kde/share/apps/konqsidebartng
 blacklist ${HOME}/.kde/share/apps/konqueror
 blacklist ${HOME}/.kde/share/apps/kopete
-blacklist ${HOME}/.kde/share/apps/khtml
 blacklist ${HOME}/.kde/share/apps/ktorrent
 blacklist ${HOME}/.kde/share/apps/okular
 blacklist ${HOME}/.kde/share/config/baloofilerc
@@ -499,8 +497,8 @@ blacklist ${HOME}/.local/share/klavaro
 blacklist ${HOME}/.local/share/kmail2
 blacklist ${HOME}/.local/share/knotes
 blacklist ${HOME}/.local/share/krita
-blacklist ${HOME}/.local/share/ktorrentrc
 blacklist ${HOME}/.local/share/ktorrent
+blacklist ${HOME}/.local/share/ktorrentrc
 blacklist ${HOME}/.local/share/ktouch
 blacklist ${HOME}/.local/share/kwrite
 blacklist ${HOME}/.local/share/liferea
@@ -525,13 +523,13 @@ blacklist ${HOME}/.local/share/ocenaudio
 blacklist ${HOME}/.local/share/okular
 blacklist ${HOME}/.local/share/orage
 blacklist ${HOME}/.local/share/org.kde.gwenview
-blacklist ${HOME}/.local/share/rhythmbox
 blacklist ${HOME}/.local/share/pix
 blacklist ${HOME}/.local/share/plasma_notes
 blacklist ${HOME}/.local/share/psi+
 blacklist ${HOME}/.local/share/qpdfview
 blacklist ${HOME}/.local/share/qutebrowser
 blacklist ${HOME}/.local/share/remmina
+blacklist ${HOME}/.local/share/rhythmbox
 blacklist ${HOME}/.local/share/scribus
 blacklist ${HOME}/.local/share/spotify
 blacklist ${HOME}/.local/share/steam
@@ -632,8 +630,8 @@ blacklist ${HOME}/.wget-hsts
 blacklist ${HOME}/.wgetrc
 blacklist ${HOME}/.widelands
 blacklist ${HOME}/.wine
-blacklist ${HOME}/.wireshark
 blacklist ${HOME}/.wine64
+blacklist ${HOME}/.wireshark
 blacklist ${HOME}/.xiphos
 blacklist ${HOME}/.xmind
 blacklist ${HOME}/.xmms
diff --git a/etc/geary.profile b/etc/geary.profile
index a21eed9f1..a446c81d0 100644
--- a/etc/geary.profile
+++ b/etc/geary.profile
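Review bot: The removed `blacklist ${HOME}/.kde/share/apps/khtml` in the `@@ -374,7 +373,6 @@` hunk reads as a deduplication like the adjacent `.emacs` removal earlier in this file, but unlike `.emacs` the surviving copy is not in view; alphabetically it would sit just above the hunk's first context line. If no second occurrence exists, the commit silently drops an entry from disable-programs.inc, the include every profile relies on to hide other applications' data, which would be a quiet loss of coverage rather than a cleanup. Please confirm the duplicate exists before merging, or restore the line in its sorted position.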
@@ -4,27 +4,25 @@
 # Persistent local customizations
 include geary.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 # Users have Geary set to open a browser by clicking a link in an email
 # We are not allowed to blacklist browser-specific directories
+ignore nodbus
+ignore private-tmp
+
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/geary
 mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.config/geary
 mkdir ${HOME}/.local/share/geary
-
 whitelist ${HOME}/.gnupg
 whitelist ${HOME}/.config/geary
 whitelist ${HOME}/.local/share/geary
-include whitelist-common.inc
-
-ignore nodbus
-ignore private-tmp
-
 read-only ${HOME}/.config/mimeapps.list
 # allow browsers
diff --git a/etc/gzip.profile b/etc/gzip.profile
index 27e262f87..810684eae 100644
--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -9,12 +9,15 @@ include globals.local
 blacklist /tmp/.X11-unix
+include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-
-ignore noroot
+include disable-passwdmgr.inc
+include disable-programs.inc
 apparmor
+caps.drop all
 hostname gzip
 ipc-namespace
 machine-id
@@ -23,10 +26,14 @@ no3d
 nodbus
 nodvd
 nogroups
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
@@ -34,5 +41,3 @@ private-cache
 private-dev
 memory-deny-write-execute
-
-include default.profile
diff --git a/etc/less.profile b/etc/less.profile
index 5ad7cb959..bc85e5ad5 100644
--- a/etc/less.profile
+++ b/etc/less.profile
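Review bot: The geary.profile hunk drops `include whitelist-common.inc` and comments out `include globals.local` as `# added by included profile`, but the redirect include that is supposed to supply both is outside the hunk, so I cannot confirm it exists or that it pulls in both files. If the target profile does not include whitelist-common.inc, the remaining `whitelist` lines presumably still put the home directory into whitelist mode but lose the shared entries that file provides; if it does not include globals.local, site-wide overrides placed in globals.local stop applying to Geary. A comment naming the target next to the disabled line, e.g. `# added by included profile (see the Redirect include at the end of this file)`, would make the dependency checkable by the next reader. Moving `ignore nodbus` and `ignore private-tmp` above the other directives is the safer order, since as far as I know `ignore` only affects directives that come after it.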
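Review bot: `#noroot` in the `@@ -23,10 +26,14 @@` hunk of gzip.profile replaces the old `ignore noroot` without saying why root is still permitted in a profile that now spells out the full hardening set (`caps.drop all`, `nonewprivs`, `protocol unix`, `seccomp`); the same undocumented `#noroot` appears in the less.profile and strings.profile hunks. Someone auditing these profiles later cannot tell whether it is an oversight or deliberate, so please add the reason on the line, e.g. `# noroot is disabled because these tools are often run as root; enable it in gzip.local if that does not apply` (the actual reason is for the author to confirm). Because `include default.profile` is removed, these three profiles also no longer inherit future changes to default.profile, which is worth stating in the commit message.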
@@ -5,24 +5,33 @@ quiet
 # Persistent local customizations
 include less.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
 blacklist /tmp/.X11-unix
+
+include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
-ignore noroot
 apparmor
+caps.drop all
 ipc-namespace
 machine-id
 net none
 no3d
 nodbus
 nodvd
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
 writable-var-log
@@ -35,5 +44,3 @@ private-cache
 private-dev
 memory-deny-write-execute
-
-include default.profile
diff --git a/etc/meld.profile b/etc/meld.profile
index 8aa30feff..34b1f22de 100644
--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -54,3 +54,4 @@ private-dev
 #private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion
 private-tmp
+read-only ${HOME}/.ssh
diff --git a/etc/midori.profile b/etc/midori.profile
index e4d39cd70..ffae4919f 100644
--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -6,6 +6,9 @@ include midori.local
 # Persistent global definitions
 include globals.local
+# noexec ${HOME} breaks DRM binaries.
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
+
 noblacklist ${HOME}/.config/midori
 noblacklist ${HOME}/.local/share/midori
 # noblacklist ${HOME}/.local/share/webkit
@@ -13,9 +16,6 @@ noblacklist ${HOME}/.local/share/midori
 noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
-# noexec ${HOME} breaks DRM binaries.
-?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/ms-skype.profile b/etc/ms-skype.profile
index 02084d923..df1618361 100644
--- a/etc/ms-skype.profile
+++ b/etc/ms-skype.profile
@@ -3,10 +3,13 @@
 # Persistent local customizations
 include ms-skype.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
-noblacklist ${HOME}/.cache/ms-skype-online
 ignore novideo
+
+noblacklist ${HOME}/.cache/ms-skype-online
+
 private-bin ms-skype
 # Redirect
diff --git a/etc/pidgin.profile b/etc/pidgin.profile
index bdd5404f5..299f807af 100644
--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -6,11 +6,11 @@ include pidgin.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.purple
-
 ignore noexec ${RUNUSER}
 ignore noexec /dev/shm
+noblacklist ${HOME}/.purple
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/strings.profile b/etc/strings.profile
index 0caecdf7b..ace0d9351 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -4,30 +4,43 @@ quiet
 # Persistent local customizations
 include strings.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
 blacklist /tmp/.X11-unix
+
+include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
-ignore noroot
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
 net none
 no3d
 nodbus
 nodvd
+nogroups
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
+#private
 private-bin strings
 private-cache
 private-dev
 private-etc alternatives
 private-lib libfakeroot
+private-tmp
 memory-deny-write-execute
-
-include default.profile
diff --git a/etc/templates/redirect_alias-profile.template b/etc/templates/redirect_alias-profile.template
index 5a00933a5..0a0788e96 100644
--- a/etc/templates/redirect_alias-profile.template
+++ b/etc/templates/redirect_alias-profile.template
@@ -31,8 +31,6 @@ include PROFILE.local
 # Additional options (if needed)
-
-
 # Additional private-options (if needed)
 # Add programs to private-bin (if needed)
 #private-bin PROGRAMS
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index ec8247517..2464df9ee 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -4,19 +4,19 @@ Hints for writing seccomp.drop lines
 @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
 @module=delete_module,finit_module,init_module
 @raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
-@reboot=kexec_load,kexec_file_load,reboot,
-@swap=swapon,swapoff
+@reboot=kexec_file_load,kexec_load,reboot
+@swap=swapoff,swapon
 @privileged=@clock,@module,@raw-io,@reboot,@swap,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup
 @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
 @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
 @obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver
-@resources=set_mempolicy,migrate_pages,move_pages,mbind
+@resources=mbind,migrate_pages,move_pages,set_mempolicy
-@default=@cpu-emulation,@debug,@obsolete,@privileged,@resources,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,vmsplice,umount,userfaultfd,mincore
+@default=@cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,ioprio_set,io_setup,io_submit,kcmp,keyctl,mincore,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
-@default-nodebuggers=@default,ptrace,personality,process_vm_readv
+@default-nodebuggers=@default,personality,process_vm_readv,ptrace
 @default-keep=execve,prctl
diff --git a/etc/xlinks.profile b/etc/xlinks.profile
index 775d6f8ed..ad1511791 100644
--- a/etc/xlinks.profile
+++ b/etc/xlinks.profile
@@ -15,4 +15,4 @@ private-bin xlinks
 private-etc fonts
 # Redirect
-include links.profile
\ No newline at end of file
+include links.profile
diff --git a/etc/xpra.profile b/etc/xpra.profile
index fc861176f..dc8d7a665 100644
--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -14,8 +14,6 @@ include globals.local
 #
 # or run "sudo firecfg"
-blacklist /media
-
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
@@ -45,6 +43,7 @@ protocol unix
 seccomp
 shell none
+disable-mnt
 # private home directory doesn't work on some distros, so we go for a regular home
 # private
 # older Xpra versions also use Xvfb
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile
index 237f24fd1..1c2bad51c 100644
--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -7,6 +7,9 @@ include youtube-dl.local
 # Persistent global definitions
 include globals.local
+# breaks when installed via pip
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.netrc
 noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
@@ -15,9 +18,6 @@ noblacklist ${VIDEOS}
 include allow-python2.inc
 include allow-python3.inc
-# breaks when installed via pip
-ignore noexec ${HOME}
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/zpaq.profile b/etc/zpaq.profile
index 6d4501e4f..6bf3605eb 100644
--- a/etc/zpaq.profile
+++ b/etc/zpaq.profile
@@ -10,6 +10,5 @@ include zpaq.local
 # mdwx breaks 'list' functionality
 ignore memory-deny-write-execute
-
 # Redirect
 include cpio.profile
-- 
cgit v1.2.3-54-g00ecf