From 34d004892fe00fd2009263b3682fd7a1f2c8edad Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sat, 28 Jan 2023 11:49:28 -0500
Subject: private-etc: corss-distro test for curl, gimp, inkscape, firefox, warzone2100
---
 etc/profile-a-l/curl.profile | 1 +
 etc/profile-a-l/firefox-common.profile | 1 +
 etc/profile-a-l/gimp.profile | 1 +
 etc/profile-a-l/inkscape.profile | 1 +
 etc/profile-m-z/warzone2100.profile | 1 +
 src/include/etc_groups.h | 4 +++-
 6 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile
index 3e5878574..88b29cfbd 100644
--- a/etc/profile-a-l/curl.profile
+++ b/etc/profile-a-l/curl.profile
@@ -54,6 +54,7 @@ tracelog
 private-cache
 private-dev
 # private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-etc TLS-CA
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index 60d64736e..c1a8c9e28 100644
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -60,6 +60,7 @@ disable-mnt
 # private-etc below works fine on most distributions. There are some problems on CentOS.
 # Add it to your firefox-common.local if you want to enable it.
 #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc GUI,NETWORK,TLS-CA,os-release,mime.types,mailcap
 private-tmp
 blacklist ${PATH}/curl
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile
index 083b85a91..9635bb6e3 100644
--- a/etc/profile-a-l/gimp.profile
+++ b/etc/profile-a-l/gimp.profile
@@ -59,6 +59,7 @@ seccomp !mbind
 tracelog
 private-dev
+private-etc GUI,gcrypt,python*
 private-tmp
 dbus-user none
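Review bot: The added `private-etc TLS-CA` in curl.profile no longer names `resolv.conf`, which the commented-out list directly above it still carries, so it should be confirmed that the resolver files stay visible inside the sandbox. The contents of the TLS-CA group and the start of `etc_list` are outside this diff, so this may already be covered; if it is not, the NETWORK group that firefox-common.profile uses in this same commit could be added, `private-etc NETWORK,TLS-CA`. The old `# private-etc alternatives,...` line could be deleted at the same time, since keeping both leaves it unclear which list is authoritative.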
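Review bot: The two comment lines kept above the new entry in firefox-common.profile still describe private-etc as opt-in through firefox-common.local with known problems on CentOS, while the added `private-etc GUI,NETWORK,TLS-CA,os-release,mime.types,mailcap` now enables it for every user. The comment should be rewritten to match, for example `# private-etc is enabled by default; add 'ignore private-etc' to firefox-common.local if it breaks on your distribution.`, and the stale `#private-etc alternatives,...` line removed. Users who followed the old advice will end up with two private-etc lines in effect; how those combine is not visible in this diff and deserves a check before release.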
diff --git a/etc/profile-a-l/inkscape.profile b/etc/profile-a-l/inkscape.profile
index 1034c225f..c32536929 100644
--- a/etc/profile-a-l/inkscape.profile
+++ b/etc/profile-a-l/inkscape.profile
@@ -54,6 +54,7 @@ tracelog
 # private-bin inkscape,potrace,python* - problems on Debian stretch
 private-cache
 private-dev
+private-etc inkscape: GUI,ImageMagick*,python*
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/warzone2100.profile b/etc/profile-m-z/warzone2100.profile
index 50c776412..d5a853fcd 100644
--- a/etc/profile-m-z/warzone2100.profile
+++ b/etc/profile-m-z/warzone2100.profile
@@ -46,6 +46,7 @@ tracelog
 disable-mnt
 private-bin bash,dash,sh,warzone2100,which
 private-dev
+private-etc GUI,GAMES
 private-tmp
 restrict-namespaces
diff --git a/src/include/etc_groups.h b/src/include/etc_groups.h
index 066c97570..421837fbb 100644
--- a/src/include/etc_groups.h
+++ b/src/include/etc_groups.h
@@ -35,8 +35,10 @@ static char *etc_list[ETC_MAX + 1] = { // plus 1 for ending NULL pointer
 "locale.alias",
 "locale.conf",
 "localtime",
+ "login.defs", // firejail reading UID/GID MIN and MAX at startup
 "nsswitch.conf",
 "passwd",
+ "group",
 NULL
 };
@@ -77,6 +79,7 @@ static char *etc_group_gui[] = {
 "gtk-3.0",
 "kde4rc",
 "kde5rc",
+ "pango", // text rendering/internationalization
 NULL
 };
@@ -85,7 +88,6 @@ static char *etc_group_games[] = {
 "timidity", // MIDI
 "timidity.cfg",
 "openal", // 3D sound
- "gcrypt", // GNU crypto library
 NULL
 };
--
cgit v1.2.3-70-g09d2
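Review bot: The added line in inkscape.profile reads `private-etc inkscape: GUI,ImageMagick*,python*`, and the `inkscape: ` prefix looks like a label left over from test notes rather than part of the list. As written the first comma-separated entry is `inkscape: GUI`, which presumably will not match the GUI group, so the sandbox would either reject the entry or start without the GUI files the profile meant to keep. The other four profiles in this commit start the list directly after the keyword, so the line should be `private-etc GUI,ImageMagick*,python*`.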
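Review bot: In the first etc_groups.h hunk `"group",` is appended after `"passwd",`, out of the alphabetical order the visible `etc_list` entries follow, and unlike `"login.defs"` it carries no comment saying why it is needed. Assuming `etc_list` is the set kept in every private-etc sandbox regardless of the profile's own list, each addition widens what all sandboxed programs can read, so the reason belongs next to the entry. I would move it to its sorted position (that part of the array starts above this hunk) and add a trailing comment in the style of the `login.defs` line stating the actual reason. The array is declared with `ETC_MAX + 1` slots and ETC_MAX is defined outside the diff, so it is also worth confirming the two new entries leave the headroom the rest of the code expects.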