From 9b99215a1eb2ac5ff8fddeff3e43b725fee18ca2 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Mon, 25 Sep 2017 15:57:50 +0200
Subject: various profile enhancements

* okular needs kdeinit4 for open file dialog since recently
* memory-deny-write-execute should be a safe addition for desktop use of dnscrypt and unbound
* cleanup works
---
 etc/baloo_file.profile | 4 ++++
 etc/disable-programs.inc | 1 +
 etc/dnscrypt-proxy.profile | 3 +--
 etc/dnsmasq.profile | 1 -
 etc/evince.profile | 2 +-
 etc/ffmpeg.profile | 12 +++++++-----
 etc/okular.profile | 2 +-
 etc/unbound.profile | 3 +--
 8 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile
index 4e603971f..2c2d70c00 100644
--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -17,6 +17,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 no3d
 nodvd
@@ -29,8 +31,10 @@ novideo
 protocol unix
 # Baloo makes ioprio_set system calls, which are blacklisted by default.
 seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+shell none
 x11 xorg
 
+private-bin baloo_file,baloo_file_extractor,kbuildsycoca4
 private-dev
 private-tmp
 
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index ad589890c..4779b0aae 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -378,6 +378,7 @@ blacklist ${HOME}/.synfig
 blacklist ${HOME}/.tconn
 blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.tooling
+blacklist ${HOME}/.tor-browser-en
 blacklist ${HOME}/.ts3client
 blacklist ${HOME}/.tuxguitar*
 blacklist ${HOME}/.unknow-horizons
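Review bot: The new entry in etc/disable-programs.inc blacklists only `${HOME}/.tor-browser-en`; if Tor Browser is installed per locale under `.tor-browser-<lang>` (as the `-en` suffix suggests), the other locale directories stay readable from every sandbox that includes this file. The file already uses a glob for `${HOME}/.tuxguitar*`, so `blacklist ${HOME}/.tor-browser*` would cover all of them uniformly, provided no `.tor-browser*` path under `$HOME` needs to remain visible to some profile. If the `-en` package is the only one in use, a short comment saying so would keep the next editor from widening it blindly.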
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index 86af9c7b3..6d4f6349a 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -9,7 +9,6 @@ blacklist /tmp/.X11-unix
 
 noblacklist /sbin
 noblacklist /usr/sbin
-noblacklist /var/log
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -31,4 +30,4 @@ private
 
 private-dev
 # mdwe can break modules/plugins
-# memory-deny-write-execute
+memory-deny-write-execute
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile
index d4cd0530e..2a1302adb 100644
--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -9,7 +9,6 @@ blacklist /tmp/.X11-unix
 
 noblacklist /sbin
 noblacklist /usr/sbin
-noblacklist /var/log
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/evince.profile b/etc/evince.profile
index 2c7c754d8..466260c49 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
+# net none breaks AppArmor on Ubuntu systems
 netfilter
 no3d
 nodvd
@@ -28,7 +29,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-# net none breaks AppArmor on Ubuntu systems
 
 private-bin evince,evince-previewer,evince-thumbnailer
 private-dev
diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile
index e098c95e3..5db39cf61 100644
--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -1,4 +1,4 @@
-# Firejail profile for default
+# Firejail profile for ffmpeg
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 net none
 no3d
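Review bot: In the second hunk of etc/dnscrypt-proxy.profile, `memory-deny-write-execute` becomes active directly below `# mdwe can break modules/plugins`, a comment that still reads as the reason the option was off; the same pair appears in etc/unbound.profile. Rewording it to record the decision, e.g. `# memory-deny-write-execute is enabled for desktop use; comment it out if modules/plugins fail to load`, tells the next editor that the breakage is known and accepted rather than overlooked. Separately, the first hunk here (and the matching hunks in dnsmasq.profile and unbound.profile) drops `noblacklist /var/log` without explanation; if any included disable-*.inc file blacklists /var/log, the daemon loses its log directory inside the sandbox, so a one-line note that this was verified would help.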
@@ -23,11 +25,11 @@ noroot
 # protocol none - needs to be implemented!
 seccomp
 # seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom
-# memory-deny-write-execute - it breaks old versions of ffmpeg
 shell none
 tracelog
 
-private-tmp
-private-dev
 private-bin ffmpeg
-include /etc/firejail/whitelist-var-common.inc
+private-dev
+private-tmp
+
+# memory-deny-write-execute - it breaks old versions of ffmpeg
diff --git a/etc/okular.profile b/etc/okular.profile
index 94736fbae..60390e4d8 100644
--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -36,7 +36,7 @@ seccomp
 shell none
 tracelog
 
-# private-bin okular,kbuildsycoca4,lpr
+# private-bin okular,kbuildsycoca4,kdeinit4,lpr
 private-dev
 # private-etc fonts,X11
 private-tmp
diff --git a/etc/unbound.profile b/etc/unbound.profile
index 2a38aa7c6..d380b5698 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -9,7 +9,6 @@ blacklist /tmp/.X11-unix
 
 noblacklist /sbin
 noblacklist /usr/sbin
-noblacklist /var/log
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -31,4 +30,4 @@ private
 
 private-dev
 # mdwe can break modules/plugins
-# memory-deny-write-execute
+memory-deny-write-execute
-- cgit v1.2.3-54-g00ecf
From e5a8cfc3a13eca9ffa0c3b6e583d21c82d564aee Mon Sep 17 00:00:00 2001
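Review bot: The `kdeinit4` addition in etc/okular.profile lands inside a line that is still commented out (`# private-bin okular,kbuildsycoca4,kdeinit4,lpr`), so it changes nothing at runtime; the commit message explains why kdeinit4 is needed but not why `private-bin` itself stays disabled. A short reason on that line, e.g. `# private-bin okular,kbuildsycoca4,kdeinit4,lpr - disabled: <reason>`, would keep the list from being mistaken for active hardening and tell a later editor what to re-test before enabling it. In the ffmpeg hunk above, the relocated `# memory-deny-write-execute` comment now sits alone at the end of the file, which is fine, but it would read better with the "old versions" qualified by a version or date if one is known.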
From: smitsohu
Date: Mon, 25 Sep 2017 16:05:39 +0200
Subject: add whitelist-var-common to some profiles
---
 etc/ark.profile | 2 ++
 etc/atril.profile | 2 ++
 etc/audacious.profile | 2 ++
 etc/audacity.profile | 2 ++
 etc/engrampa.profile | 2 ++
 etc/eog.profile | 2 ++
 etc/eom.profile | 2 ++
 etc/file-roller.profile | 2 ++
 etc/gwenview.profile | 2 ++
 etc/konversation.profile | 2 ++
 etc/ktorrent.profile | 1 +
 etc/mediathekview.profile | 2 ++
 etc/musescore.profile | 2 ++
 etc/scribus.profile | 2 ++
 etc/tuxguitar.profile | 2 ++
 etc/xreader.profile | 2 ++
 etc/xviewer.profile | 2 ++
 17 files changed, 33 insertions(+)

diff --git a/etc/ark.profile b/etc/ark.profile
index 38bd5246e..ba9cb1134 100644
--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/atril.profile b/etc/atril.profile
index 2e4af9086..052b41655 100644
--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 no3d
 nodvd
diff --git a/etc/audacious.profile b/etc/audacious.profile
index 52e701821..7e2b91773 100644
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nogroups
diff --git a/etc/audacity.profile b/etc/audacity.profile
index 9fbc2b16d..88aea243e 100644
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 net none
 no3d
diff --git a/etc/engrampa.profile b/etc/engrampa.profile
index 7bc5e7481..c198adba9 100644
--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 # net none - makes settings immutable
 no3d
diff --git a/etc/eog.profile b/etc/eog.profile
index e5161b313..5ff926371 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 # net none - makes settings immutable
 no3d
diff --git a/etc/eom.profile b/etc/eom.profile
index 3fb1fcaf4..802578959 100644
--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 # net none - makes settings immutable
 no3d
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index 8484aa162..01e689b9d 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 # net none - makes settings immutable
 no3d
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
index 7f1577afe..2b025e56c 100644
--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -19,6 +19,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 nodvd
 nogroups
diff --git a/etc/konversation.profile b/etc/konversation.profile
index 8ffc43487..7d09857ba 100644
--- a/etc/konversation.profile
+++ b/etc/konversation.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/ktorrent.profile b/etc/ktorrent.profile
index c0b37df3c..e95bc23ca 100644
--- a/etc/ktorrent.profile
+++ b/etc/ktorrent.profile
@@ -31,6 +31,7 @@ whitelist ~/.kde4/share/apps/ktorrent
 whitelist ~/.kde4/share/config/ktorrentrc
 whitelist ~/.local/share/ktorrent
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter
diff --git a/etc/mediathekview.profile b/etc/mediathekview.profile
index 1cda5022d..dc9946794 100644
--- a/etc/mediathekview.profile
+++ b/etc/mediathekview.profile
@@ -21,6 +21,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/musescore.profile b/etc/musescore.profile
index b039d07b2..b3d04c08f 100644
--- a/etc/musescore.profile
+++ b/etc/musescore.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 no3d
diff --git a/etc/scribus.profile b/etc/scribus.profile
index 38f1e5b3c..1b2d0c0b8 100644
--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -26,6 +26,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 net none
 nodvd
diff --git a/etc/tuxguitar.profile b/etc/tuxguitar.profile
index fbc198cc3..30e2a619d 100644
--- a/etc/tuxguitar.profile
+++ b/etc/tuxguitar.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 no3d
diff --git a/etc/xreader.profile b/etc/xreader.profile
index c02b9a014..bebcb262f 100644
--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -14,6 +14,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 no3d
 nodvd
diff --git a/etc/xviewer.profile b/etc/xviewer.profile
index b9ff3948a..53f2a0c82 100644
--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 # net none - makes settings immutable
 no3d
-- cgit v1.2.3-54-g00ecf