From f57bacc8c72c3f120b33b1516da965431dc543a4 Mon Sep 17 00:00:00 2001
From: Jean Lucas
Date: Thu, 14 Jun 2018 04:30:58 -0400
Subject: Amend Wire profiles
---
 etc/Wire.profile | 6 ------
 etc/disable-programs.inc | 1 -
 etc/wire-desktop.profile | 33 +++++++++++++++++++++++++++++++++
 etc/wire.profile | 33 ---------------------------------
 4 files changed, 33 insertions(+), 40 deletions(-)
 delete mode 100644 etc/Wire.profile
 create mode 100644 etc/wire-desktop.profile
 delete mode 100644 etc/wire.profile
diff --git a/etc/Wire.profile b/etc/Wire.profile
deleted file mode 100644
index 26b683f84..000000000
--- a/etc/Wire.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for wire
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/wire.profile
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 020d493c7..7eaa1c2ba 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -228,7 +228,6 @@ blacklist ${HOME}/.config/vivaldi
 blacklist ${HOME}/.config/vivaldi-snapshot
 blacklist ${HOME}/.config/vlc
 blacklist ${HOME}/.config/wesnoth
-blacklist ${HOME}/.config/wire
 blacklist ${HOME}/.config/wireshark
 blacklist ${HOME}/.config/xchat
 blacklist ${HOME}/.config/xed
diff --git a/etc/wire-desktop.profile b/etc/wire-desktop.profile
new file mode 100644
index 000000000..c0e0b3c4b
--- /dev/null
+++ b/etc/wire-desktop.profile
@@ -0,0 +1,33 @@
+# Firejail profile for wire-desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/wire-desktop.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/Wire
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+# Note: The current version of Wire is located in /opt/wire-desktop/wire-desktop, and therefore
+# it is not in PATH. To use Wire with firejail, run "firejail /opt/wire-desktop/wire-desktop"
+
+private-bin wire-desktop
+disable-mnt
+private-dev
+private-tmp
diff --git a/etc/wire.profile b/etc/wire.profile
deleted file mode 100644
index e43ba792e..000000000
--- a/etc/wire.profile
+++ /dev/null
@@ -1,33 +0,0 @@
-# Firejail profile for wire
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/wire.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-# Note: the current beta version of wire is located in /opt/Wire/wire and therefore not in PATH.
-# To use wire with firejail run "firejail /opt/Wire/wire"
-
-noblacklist ${HOME}/.config/Wire
-noblacklist ${HOME}/.config/wire
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-
-disable-mnt
-private-dev
-private-tmp
-- cgit v1.2.3-54-g00ecf
From 325aad5dead4e42ae893ce1a9a3cbdda4c5c8f8e Mon Sep 17 00:00:00 2001
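Review bot: `noblacklist ${HOME}/.config/Wire` in the new profile only does anything if disable-programs.inc carries a matching `blacklist ${HOME}/.config/Wire`; this commit removes the lowercase `~/.config/wire` entry from that file but nowhere in the visible hunks adds a capitalised one, so unless it already exists elsewhere in disable-programs.inc, every other profile that includes that file can read Wire's local store (session data and message database) and the noblacklist here is a no-op. Please confirm, and if it is missing add `blacklist ${HOME}/.config/Wire` to disable-programs.inc in the same change so the two files stay in step. Separately, `private-bin wire-desktop` names a binary that the comment two lines above says lives only in /opt/wire-desktop; as far as I know private-bin resolves names against the standard bin directories, so this either leaves the sandbox with a near-empty /usr/bin or is disabled with a warning — check `firejail --debug` output. The near-empty case is a fine restriction, but it also drops `xdg-open`, so opening links from the app will presumably fail; a comment such as `# private-bin is intentionally sparse: the Electron binary runs from /opt; add xdg-open only if link opening from the sandbox is wanted` would record the intent.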
From: Jean Lucas
Date: Fri, 22 Jun 2018 14:29:11 -0400
Subject: Further restrict Wire
---
 etc/wire-desktop.profile | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/etc/wire-desktop.profile b/etc/wire-desktop.profile
index c0e0b3c4b..74d44efe3 100644
--- a/etc/wire-desktop.profile
+++ b/etc/wire-desktop.profile
@@ -13,6 +13,12 @@ include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+mkdir ${HOME}/.config/Wire
+whitelist ${HOME}/.config/Wire
+whitelist ${DOWNLOADS}
+
+include /etc/firejail/whitelist-common.inc
+
 caps.drop all
 netfilter
 nodvd
@@ -28,6 +34,7 @@ shell none
 # it is not in PATH. To use Wire with firejail, run "firejail /opt/wire-desktop/wire-desktop"
 
 private-bin wire-desktop
-disable-mnt
 private-dev
+private-etc fonts,machine-id
+disable-mnt
 private-tmp
-- cgit v1.2.3-54-g00ecf
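Review bot: `private-etc fonts,machine-id` in the second hunk leaves the sandbox without `/etc/resolv.conf`, `/etc/hosts`, `/etc/nsswitch.conf` and the CA bundle under `/etc/ssl` and `/etc/ca-certificates`, which a network messenger that has to resolve names and validate TLS almost certainly depends on; unless this firejail version adds those implicitly, name resolution will presumably fall back to 127.0.0.1 and fail on hosts without a local resolver, and any validation against the system trust store (a corporate proxy, for instance) breaks. Consider the set other networked profiles use, e.g. `private-etc ca-certificates,fonts,hosts,machine-id,nsswitch.conf,resolv.conf,ssl`, and verify by launching the sandboxed app and confirming a login or a call actually connects before merging. If the narrower list was tested and works because Chromium ships its own roots and resolver, a one-line comment above the directive saying so would save the next maintainer from widening it reflexively. The first hunk's `whitelist ${DOWNLOADS}` is reasonable for attachments, but note it is read-write, so a compromised renderer can alter existing downloads as well as add new ones.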