From 28c099bdc32710fc40e16aa53549a53222eef931 Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Wed, 27 May 2020 12:07:09 +0200 Subject: ${RUNUSER} blacklisting + typo --- etc/inc/disable-common.inc | 20 ++++++++++++++++++++ platform/rpm/firejail.spec | 2 +- 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index 8f1350a60..ce3b24584 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc @@ -144,12 +144,16 @@ blacklist ${RUNUSER}/kdesud_* blacklist ${HOME}/.local/share/gnome-shell # no direct modification of dconf database read-only ${HOME}/.config/dconf +blacklist ${RUNUSER}/gnome-session-leader-fifo +blacklist ${RUNUSER}/gnome-shell +blacklist ${RUNUSER}/gsconnect # systemd blacklist ${HOME}/.config/systemd blacklist ${HOME}/.local/share/systemd blacklist /var/lib/systemd blacklist ${PATH}/systemd-run +blacklist ${RUNUSER}/systemd # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf #blacklist /var/run/systemd @@ -175,6 +179,13 @@ blacklist /var/cache/libvirt blacklist /var/lib/libvirt blacklist /var/log/libvirt +# OCI-Containers / Podman +blacklist ${RUNUSER}/containers +blacklist ${RUNUSER}/crun +blacklist ${RUNUSER}/libpod +blacklist ${RUNUSER}/runc +blacklist ${RUNUSER}/toolbox + # VeraCrypt blacklist ${HOME}/.VeraCrypt blacklist ${PATH}/veracrypt @@ -478,6 +489,9 @@ blacklist /var/lib/flatpak # most of the time bwrap is SUID binary blacklist ${PATH}/bwrap +# snap +blacklist ${RUNUSER}/snapd-session-agent.socket + # mail directories used by mutt blacklist ${HOME}/.Mail blacklist ${HOME}/.mail @@ -502,3 +516,9 @@ blacklist ${PATH}/dns2tcp blacklist ${PATH}/iodine blacklist ${PATH}/knsupdate blacklist ${PATH}/resolvectl + +# rest of ${RUNUSER} +blacklist ${RUNUSER}/*.lock +blacklist ${RUNUSER}/inaccessible +blacklist ${RUNUSER}/update-notifier.pid +blacklist ${RUNUSER}/pk-debconf-socket diff --git a/platform/rpm/firejail.spec b/platform/rpm/firejail.spec index bce160f04..da91f5a4f 100644 --- a/platform/rpm/firejail.spec +++ b/platform/rpm/firejail.spec @@ -1,7 +1,7 @@ Name: __NAME__ Version: __VERSION__ Release: 1 -Summary: Linux namepaces sandbox program +Summary: Linux namespaces sandbox program License: GPLv2+ Group: Development/Tools -- cgit v1.2.3-54-g00ecf