From 41f58083095f952c8b12aba80b9fb0c3a04b6a55 Mon Sep 17 00:00:00 2001 From: rusty-snake Date: Thu, 6 Jun 2019 12:50:31 +0200 Subject: merges & fixes --- README | 11 +++++++++-- README.md | 2 +- RELNOTES | 2 +- etc/rhythmbox.profile | 7 +++++-- etc/templates/profile.template | 3 ++- 5 files changed, 18 insertions(+), 7 deletions(-) diff --git a/README b/README index d6cf5389b..a8d57d324 100644 --- a/README +++ b/README @@ -97,7 +97,7 @@ announ (https://github.com/announ) Antonio Russo (https://github.com/aerusso) - enumerate root directories in apparmor profile - fix join-or-start -Austin Morton +Austin Morton (https://github.com/apmorton) - deterministic-exit-code option - private-cwd options Austin S. Hemmelgarn (https://github.com/Ferroin) @@ -193,6 +193,8 @@ Danil Semelenov (https://github.com/sgtpep) Dara Adib (https://github.com/daradib) - ssh profile fix - evince profile fix +David Thole (https://github.com/TheDarkTrumpet) + - added profile for teams-for-linux Deelvesh Bunjun (https://github.com/DeelveshBunjun) - added xpdf profile dewbasaur (https://github.com/dewbasaur) @@ -378,6 +380,9 @@ Jonas Heinrich (https://github.com/onny) - fixed franz profile Jose Riha (https://github.com/jose1711) - added meteo-qt profile + - created qgis, links, xlinks profiles + - extended profile.template with comments + - some typo and comment fixes in profile.template jrabe (https://github.com/jrabe) - disallow access to kdbx files - Epiphany profile @@ -565,7 +570,8 @@ rusty-snake (https://github.com/rusty-snake) - added profiles: gajim-history-manager, freemind, nomacs, kid3 - added profiles: kid3-qt, kid3-cli, anki, utox, mp3splt, mp3wrap - added profiles: oggsplt, flacsplt, cheese, inkview, mp3splt-gtk - - added profiles: ktouch, yelp + - added profiles: ktouch, yelp, klatexformula, klatexformula_cmdl + - added profiles: pandoc - many profile fixing and hardening - some typo fixes - added profile templates 
@@ -703,6 +709,7 @@ Topi Miettinen (https://github.com/topimiettinen) - seccomp default list update - improve loading of seccomp filter and memory-deny-write-execute feature - private-lib feature + - make --nodbus block also system D-Bus socket user1024 (user1024@tut.by) - electron profile whitelisting - fixed Rocket.Chat profile diff --git a/README.md b/README.md index b1e867f84..e6c3ecaca 100644 --- a/README.md +++ b/README.md @@ -111,4 +111,4 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe ## New profiles: -klatexformula, klatexformula_cmdl, links, pandoc, qgis, xlinks +klatexformula, klatexformula_cmdl, links, pandoc, qgis, teams-for-linux, xlinks diff --git a/RELNOTES b/RELNOTES index 167a1a60f..bab183bb1 100644 --- a/RELNOTES +++ b/RELNOTES @@ -2,7 +2,7 @@ firejail (0.9.61) baseline; urgency=low * work in progress * profile templates * new profiles: qgis, klatexformula, klatexformula_cmdl, links, xlinks - * new profiles: pandoc + * new profiles: pandoc, teams-for-linux -- netblue30 Sat, 1 Jun 2019 08:00:00 -0500 firejail (0.9.60) baseline; urgency=low diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index df874f378..1c9f0e4d1 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile @@ -9,11 +9,14 @@ include globals.local noblacklist ${MUSIC} noblacklist ${HOME}/.local/share/rhythmbox +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python2.inc +include allow-python3.inc + include disable-common.inc include disable-devel.inc -# rhythmbox is using Python include disable-exec.inc -#include disable-interpreters.inc +include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc diff --git a/etc/templates/profile.template b/etc/templates/profile.template index 2c44ee3a9..f2b64ac5d 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template 
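Review bot: In the etc/rhythmbox.profile hunk, `include allow-python2.inc` and `include allow-python3.inc` are both added, so two interpreters stay reachable after `include disable-interpreters.inc` is switched back on. If the packaged rhythmbox loads its plugins with only one Python major version (worth confirming for the distributions this profile targets), the other include should be dropped so that interpreter stays blacklisted. The ordering itself is right, since the allow includes precede `disable-interpreters.inc`. It would also help to record next to them that a permitted interpreter reads plugin scripts as data, so the restrictions from `disable-exec.inc` presumably do not cover Python code under `${HOME}/.local/share/rhythmbox`, for example `# Python plugins are run by the interpreter; disable-exec.inc does not restrict them`. The rest of the profile lies outside the hunk, so whether that directory is writable inside the sandbox cannot be checked from here.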
@@ -112,7 +112,7 @@ #novideo #protocol unix,inet,inet6,netlink #seccomp -##seccomp.drop SYSCALLS +##seccomp.drop SYSCALLS (see also syscalls.txt) #shell none #tracelog @@ -135,5 +135,6 @@ ##env VAR=VALUE #memory-deny-write-execute +##noexec PATH ##read-only ${HOME} ##join-or-start NAME -- cgit v1.2.3-70-g09d2