From 95ad89d24e8e75f2f52defbb80d0d4ee0f27d31e Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Tue, 15 Dec 2020 20:06:10 +0000
Subject: Refactor archivers ii (#3827)
* harden 7z.profile
* harden atool.profile
* harden bsdtar.profile
* harden cpio.profile
* harden gzip.profile
* harden tar.profile
* harden unrar.profile
* harden unzip.profile
* harden xzdec.profile
* harden zstd.profile
---
 etc/profile-a-l/7z.profile | 6 +++---
 etc/profile-a-l/atool.profile | 3 ---
 etc/profile-a-l/bsdtar.profile | 2 --
 etc/profile-a-l/cpio.profile | 3 ---
 etc/profile-a-l/gzip.profile | 3 ++-
 etc/profile-m-z/tar.profile | 5 +++--
 etc/profile-m-z/unrar.profile | 2 --
 etc/profile-m-z/unzip.profile | 1 -
 etc/profile-m-z/xzdec.profile | 2 --
 etc/profile-m-z/zstd.profile | 1 -
 10 files changed, 8 insertions(+), 20 deletions(-)
diff --git a/etc/profile-a-l/7z.profile b/etc/profile-a-l/7z.profile
index c7bed93ce..4f9e72a79 100644
--- a/etc/profile-a-l/7z.profile
+++ b/etc/profile-a-l/7z.profile
@@ -7,8 +7,8 @@ include 7z.local
 # Persistent global definitions
 include globals.local
-ignore include disable-shell.inc
-ignore nogroups
+noblacklist ${PATH}/bash
+noblacklist ${PATH}/sh
 include archiver-common.inc
-#private-bin 7z,7z*,p7zip
+private-bin 7z,7z*,bash,p7zip,sh
diff --git a/etc/profile-a-l/atool.profile b/etc/profile-a-l/atool.profile
index d8b6bbaaf..34af47df2 100644
--- a/etc/profile-a-l/atool.profile
+++ b/etc/profile-a-l/atool.profile
@@ -9,13 +9,10 @@ include globals.local
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
-ignore include disable-devel.inc
-ignore include disable-shell.inc
 include archiver-common.inc
 noroot
-# private-bin atool,perl
 # without login.defs atool complains and uses UID/GID 1000 by default
 private-etc alternatives,group,login.defs,passwd
 private-tmp
diff --git a/etc/profile-a-l/bsdtar.profile b/etc/profile-a-l/bsdtar.profile
index 75e13e7e8..f2116f4ab 100644
--- a/etc/profile-a-l/bsdtar.profile
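Review bot: The `noblacklist ${PATH}/bash` / `noblacklist ${PATH}/sh` pair and the `bash`,`sh` entries in the new `private-bin` line re-admit shells that disable-shell.inc (which archiver-common.inc apparently pulls in, since the removed `ignore` line only makes sense if it does) would otherwise block, and nothing in the profile records why 7z needs them. Presumably the distribution's `7z`/`7za`/`7zr` entry points are shell wrapper scripts around the real binary, but that is not visible here. A one-line comment above the noblacklist lines, e.g. `# 7z wrappers are shell scripts on some distributions, so bash/sh must stay available`, would stop a later cleanup from removing them again. The `7z*` glob in `private-bin` also matches anything else on PATH that starts with 7z; naming the concrete wrappers would keep the allowlist tight.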
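Review bot: With `ignore include disable-shell.inc` dropped from atool.profile, the atool perl script now runs with shells blacklisted, yet as far as I know atool only dispatches to external archivers, and perl's `system`/backticks route commands containing shell metacharacters through `/bin/sh`, so some operations may silently fail inside the sandbox. Please confirm the common paths (e.g. `aunpack` of a .tar.gz) still succeed before merging; if a shell turns out to be required, the 7z hunk above and the tar hunk later in this patch show the pattern (`noblacklist ${PATH}/sh` placed before `include archiver-common.inc`). The rest of the profile is outside the hunk.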
+++ b/etc/profile-a-l/bsdtar.profile
@@ -6,8 +6,6 @@ include bsdtar.local
 # Persistent global definitions
 include globals.local
-ignore include disable-devel.inc
-ignore include disable-shell.inc
 include archiver-common.inc
 # support compressed archives
diff --git a/etc/profile-a-l/cpio.profile b/etc/profile-a-l/cpio.profile
index 5e01952b4..785308ffd 100644
--- a/etc/profile-a-l/cpio.profile
+++ b/etc/profile-a-l/cpio.profile
@@ -10,7 +10,4 @@ include globals.local
 noblacklist /sbin
 noblacklist /usr/sbin
-ignore include disable-devel.inc
-ignore include disable-interpreters.inc
-ignore include disable-shell.inc
 include archiver-common.inc
diff --git a/etc/profile-a-l/gzip.profile b/etc/profile-a-l/gzip.profile
index 96c1743e3..78ecf5116 100644
--- a/etc/profile-a-l/gzip.profile
+++ b/etc/profile-a-l/gzip.profile
@@ -10,5 +10,6 @@ include globals.local
 # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only.
 noblacklist /var/lib/pacman
-ignore include disable-shell.inc
 include archiver-common.inc
+
+private-bin gunzip,gzexe,gzip,uncompress,zcat,zcmp,zdiff,zegrep,zfgrep,zforce,zgrep,zless,zmore,znew
diff --git a/etc/profile-m-z/tar.profile b/etc/profile-m-z/tar.profile
index 2ddc82dbb..29fda7e45 100644
--- a/etc/profile-m-z/tar.profile
+++ b/etc/profile-m-z/tar.profile
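Review bot: The new `private-bin` line in gzip.profile lists gunzip, gzexe, uncompress, zcat, zcmp, zdiff, zegrep, zfgrep, zforce, zgrep, zless, zmore and znew, which in GNU gzip are `/bin/sh` scripts, while the same hunk drops `ignore include disable-shell.inc` and the list contains no `sh`; unless the distribution ships native binaries under those names, those entry points will not start inside the sandbox (the scripts also call grep, diff, cmp, less and more, none of which are listed either). Either trim the list to the real binary, `private-bin gzip`, or follow the tar hunk later in this patch and add `noblacklist ${PATH}/sh` before `include archiver-common.inc` plus `sh` and the helpers each script needs to private-bin. A short comment on whichever option is chosen would document the decision for the next edit of this file.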
@@ -10,12 +10,13 @@ include globals.local
 # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only.
 noblacklist /var/lib/pacman
-ignore include disable-shell.inc
+noblacklist ${PATH}/bash
+noblacklist ${PATH}/sh
 include archiver-common.inc
 # support compressed archives
 private-bin awk,bash,bzip2,compress,firejail,grep,gtar,gzip,lbzip2,lzip,lzma,lzop,sh,tar,xz
 private-etc alternatives,group,localtime,login.defs,passwd
-private-lib libfakeroot
+private-lib libfakeroot,liblzma.so.*,libreadline.so.*
 # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
 writable-var
diff --git a/etc/profile-m-z/unrar.profile b/etc/profile-m-z/unrar.profile
index cbf0e8679..9487f8e68 100644
--- a/etc/profile-m-z/unrar.profile
+++ b/etc/profile-m-z/unrar.profile
@@ -7,8 +7,6 @@ include unrar.local
 # Persistent global definitions
 include globals.local
-ignore nogroups
-ignore private-cache
 include archiver-common.inc
 private-bin unrar
diff --git a/etc/profile-m-z/unzip.profile b/etc/profile-m-z/unzip.profile
index 30ee3ec12..be480923e 100644
--- a/etc/profile-m-z/unzip.profile
+++ b/etc/profile-m-z/unzip.profile
@@ -10,7 +10,6 @@ include globals.local
 # GNOME Shell integration (chrome-gnome-shell)
 noblacklist ${HOME}/.local/share/gnome-shell
-ignore nogroups
 noroot
 include archiver-common.inc
diff --git a/etc/profile-m-z/xzdec.profile b/etc/profile-m-z/xzdec.profile
index c21fe16cf..082392a08 100644
--- a/etc/profile-m-z/xzdec.profile
+++ b/etc/profile-m-z/xzdec.profile
@@ -7,6 +7,4 @@ include xzdec.local
 # Persistent global definitions
 include globals.local
-ignore include disable-shell.inc
-ignore nogroups
 include archiver-common.inc
diff --git a/etc/profile-m-z/zstd.profile b/etc/profile-m-z/zstd.profile
index 5ae38e633..42749ba6d 100644
--- a/etc/profile-m-z/zstd.profile
+++ b/etc/profile-m-z/zstd.profile
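Review bot: `private-lib libfakeroot,liblzma.so.*,libreadline.so.*` in tar.profile names two libraries with no comment on why they must be listed explicitly, although bash (readline) and xz/lzma (liblzma) are already covered by the `private-bin` line just above it; presumably firejail's automatic library detection for private-bin programs misses them on some distributions (e.g. if they are loaded at runtime rather than linked), but the profile does not say so. Suggest `# liblzma and libreadline are not detected automatically for xz and bash on some distributions` above the line, or whatever the actual reason was, so the entries are not pruned later. The same applies to the `noblacklist ${PATH}/bash` / `${PATH}/sh` pair added before `include archiver-common.inc`, which undoes part of disable-shell.inc for this profile; the 7z hunk earlier in this patch adds the same undocumented pair.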
@@ -7,5 +7,4 @@ include zstd.local
 # Persistent global definitions
 include globals.local
-ignore include disable-shell.inc
 include archiver-common.inc
-- 
cgit v1.2.3-70-g09d2