From 7ed7d6dafdcbfc8e0362d5497836cebe62c6bbda Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Thu, 23 Feb 2023 12:28:41 +0000 Subject: New profiles: qpdf and redirects (#5675) * Create qpdf.profile and redirects qpdf (CLI) provides PDF metadata cleaning. See privacy-handbuch.de[1] for details. The site offers pdf-meta-clean.sh[2], which works very well with firejailed qpdf. [1] https://www.privacy-handbuch.de/handbuch_43a.htm [2] https://www.privacy-handbuch.de/download/pdf-meta-clean.sh * RELNOTES: add qpdf and redirects to new profiles section * firecfg.config: add qpdf and redirects * qpdf: use 'seccomp socket' instead of 'protocol unix' See https://github.com/netblue30/firejail/issues/639. Thanks @rusty-snake in code review. --- RELNOTES | 1 + etc/profile-a-l/fix-qdf.profile | 13 ++++++++ etc/profile-m-z/qpdf.profile | 68 ++++++++++++++++++++++++++++++++++++++ etc/profile-m-z/zlib-flate.profile | 13 ++++++++ src/firecfg/firecfg.config | 3 ++ 5 files changed, 98 insertions(+) create mode 100644 etc/profile-a-l/fix-qdf.profile create mode 100644 etc/profile-m-z/qpdf.profile create mode 100644 etc/profile-m-z/zlib-flate.profile diff --git a/RELNOTES b/RELNOTES index 91d814b3f..3309e4438 100644 --- a/RELNOTES +++ b/RELNOTES @@ -17,6 +17,7 @@ firejail (0.9.73) baseline; urgency=low support (#5589) * docs: selinux.c: Split Copyright notice & use same license as upstream (#5667) + * new profiles: fix-qdf, qpdf, zlib-flate -- netblue30 Mon, 16 Jan 2023 09:00:00 -0500 firejail (0.9.72) baseline; urgency=low diff --git a/etc/profile-a-l/fix-qdf.profile b/etc/profile-a-l/fix-qdf.profile new file mode 100644 index 000000000..2dbb44e1d --- /dev/null +++ b/etc/profile-a-l/fix-qdf.profile @@ -0,0 +1,13 @@ +# Firejail profile for fix-qdf +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include fix-qdf.local +# Persistent global definitions +# added by included profile +#include globals.local + +private-bin fix-qdf + +# Redirect +include qpdf.profile diff --git a/etc/profile-m-z/qpdf.profile b/etc/profile-m-z/qpdf.profile new file mode 100644 index 000000000..0c1e09e92 --- /dev/null +++ b/etc/profile-m-z/qpdf.profile @@ -0,0 +1,68 @@ +# Firejail profile for qpdf +# Description: A Content-Preserving PDF Transformation System +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include qpdf.local +# Persistent global definitions +include globals.local + +blacklist ${RUNUSER}/wayland-* + +noblacklist ${DOCUMENTS} + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-proc.inc +include disable-programs.inc +include disable-shell.inc +include disable-X11.inc +include disable-xdg.inc + +whitelist ${DOCUMENTS} +whitelist ${DOWNLOADS} +include whitelist-common.inc +include whitelist-run-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +hostname qpdf +ipc-namespace +machine-id +net none +no3d +nodvd +nogroups +noinput +nonewprivs +noprinters +noroot +nosound +notv +nou2f +novideo +# block the socket syscall to simulate an be empty protocol line, see #639 +seccomp socket +tracelog +x11 none + +private-bin qpdf +private-cache +private-dev +private-etc +private-lib libqpdf.so.* +#private-tmp # breaks on Arch Linux + +dbus-user none +dbus-system none + +memory-deny-write-execute +restrict-namespaces +read-only ${HOME} +read-write ${DOCUMENTS} +read-write ${DOWNLOADS} diff --git a/etc/profile-m-z/zlib-flate.profile b/etc/profile-m-z/zlib-flate.profile new file mode 100644 index 000000000..48a2c9845 --- /dev/null +++ b/etc/profile-m-z/zlib-flate.profile @@ -0,0 +1,13 @@ +# Firejail profile for zlib-flate +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include zlib-flate.local +# Persistent global definitions +# added by included profile +#include globals.local + +private-bin zlib-flate + +# Redirect +include qpdf.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index db73dd1f6..45457fb47 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -260,6 +260,7 @@ firefox-nightly firefox-wayland firefox-x11 five-or-more +fix-qdf flacsplt flameshot flashpeak-slimjet @@ -694,6 +695,7 @@ qgis qlipper qmmp qnapi +qpdf qpdfview qq qt-faststart @@ -957,6 +959,7 @@ zart zathura zeal zim +zlib-flate zoom # zpaq - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) # zstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) -- cgit v1.2.3-54-g00ecf