From 406db5b92304620b8cf3bbb90d25d418f6a432fc Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Mon, 26 Jul 2021 03:05:32 +0000
Subject: ordering and additions

---
 etc/inc/disable-common.inc | 98 +++++++++++++++++++++++-----------------------
 1 file changed, 50 insertions(+), 48 deletions(-)

diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 6df0c4990..be3d0657c 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -159,23 +159,23 @@ blacklist ${RUNUSER}/gsconnect
 # systemd
 blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd
-blacklist /var/lib/systemd
+blacklist ${PATH}/systemctl
 blacklist ${PATH}/systemd-run
 blacklist ${RUNUSER}/systemd
-blacklist ${PATH}/systemctl
-blacklist /etc/systemd/system
 blacklist /etc/systemd/network
+blacklist /etc/systemd/system
+blacklist /var/lib/systemd
 # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
 #blacklist /var/run/systemd
 
 # openrc
-blacklist /etc/runlevels/
 blacklist /etc/init.d/
 blacklist /etc/rc.conf
+blacklist /etc/runlevels/
 
 # VirtualBox
-blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/.config/VirtualBox
+blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/VirtualBox VMs
 
 # GNOME Boxes
@@ -245,32 +245,34 @@ blacklist /var/spool/cron
 blacklist /var/spool/mail
 
 # etc
+blacklist /etc/adduser.conf
 blacklist /etc/anacrontab
+blacklist /etc/apparmor*
 blacklist /etc/cron*
+blacklist /etc/default
+blacklist /etc/dkms
+blacklist /etc/grub*
+blacklist /etc/kernel*
+blacklist /etc/logrotate*
+blacklist /etc/modules*
 blacklist /etc/profile.d
 blacklist /etc/rc.local
 # rc1.d, rc2.d, ...
 blacklist /etc/rc?.d
-blacklist /etc/kernel*
-blacklist /etc/grub*
-blacklist /etc/dkms
-blacklist /etc/apparmor*
-blacklist /etc/selinux
-blacklist /etc/modules*
-blacklist /etc/logrotate*
-blacklist /etc/adduser.conf
+blacklist /etc/sysconfig
 
 # hide config for various intrusion detection systems
-blacklist /etc/rkhunter.conf
-blacklist /var/lib/rkhunter
-blacklist /etc/chkrootkit.conf
-blacklist /etc/lynis
 blacklist /etc/aide
+blacklist /etc/aide.conf
+blacklist /etc/chkrootkit.conf
+blacklist /etc/fail2ban.conf
 blacklist /etc/logcheck
-blacklist /etc/tripwire
+blacklist /etc/lynis
+blacklist /etc/rkhunter.*
 blacklist /etc/snort
-blacklist /etc/fail2ban.conf
 blacklist /etc/suricata
+blacklist /etc/tripwire
+blacklist /var/lib/rkhunter
 
 # Startup files
 read-only ${HOME}/.antigen
@@ -350,15 +352,15 @@ read-only ${HOME}/_vimrc
 read-only ${HOME}/dotfiles
 
 # Make directories commonly found in $PATH read-only
+read-only ${HOME}/.bin
+read-only ${HOME}/.cargo/bin
 read-only ${HOME}/.gem
+read-only ${HOME}/.local/bin
 read-only ${HOME}/.luarocks
 read-only ${HOME}/.npm-packages
 read-only ${HOME}/.nvm
-read-only ${HOME}/bin
-read-only ${HOME}/.bin
-read-only ${HOME}/.local/bin
-read-only ${HOME}/.cargo/bin
 read-only ${HOME}/.rustup
+read-only ${HOME}/bin
 
 # Write-protection for desktop entries
 read-only ${HOME}/.config/menus
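Review bot: `blacklist /etc/selinux` is deleted from the `# etc` section and does not come back on the new side of this hunk, so the SELinux policy and configuration directory stops being hidden from sandboxed programs even though the subject line promises only ordering and additions; if it was moved elsewhere in the file this can be ignored, but nothing in the diff shows that. If the drop is deliberate it deserves a sentence in the commit message, otherwise reinstate it in sorted position as `blacklist /etc/selinux` between `blacklist /etc/rc?.d` and `blacklist /etc/sysconfig`. Separately, the new `blacklist /etc/default` and `blacklist /etc/sysconfig` entries hide whole directories rather than the few root-only files in them, and unprivileged programs can read locale or keyboard defaults from those paths, so a quick start-up check of a few common profiles after this change would be prudent — which consumers exist cannot be seen from the hunk.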
@@ -377,6 +379,22 @@ read-only ${HOME}/.local/share/thumbnailers
 blacklist /tmp/ssh-*
 
 # top secret
+blacklist /.fscrypt
+blacklist /etc/davfs2/secrets
+blacklist /etc/group+
+blacklist /etc/group-
+blacklist /etc/gshadow
+blacklist /etc/gshadow+
+blacklist /etc/gshadow-
+blacklist /etc/passwd+
+blacklist /etc/passwd-
+blacklist /etc/shadow
+blacklist /etc/shadow+
+blacklist /etc/shadow-
+blacklist /etc/ssh
+blacklist /etc/ssh/*
+blacklist /home/.ecryptfs
+blacklist /home/.fscrypt
 blacklist ${HOME}/*.kdb
 blacklist ${HOME}/*.kdbx
 blacklist ${HOME}/*.key
@@ -385,6 +403,7 @@ blacklist ${HOME}/.caff
 blacklist ${HOME}/.cargo/credentials
 blacklist ${HOME}/.cargo/credentials.toml
 blacklist ${HOME}/.cert
+blacklist ${HOME}/.config/hub
 blacklist ${HOME}/.config/keybase
 blacklist ${HOME}/.davfs2/secrets
 blacklist ${HOME}/.ecryptfs
@@ -394,11 +413,11 @@ blacklist ${HOME}/.git-credential-cache
 blacklist ${HOME}/.git-credentials
 blacklist ${HOME}/.gnome2/keyrings
 blacklist ${HOME}/.gnupg
-blacklist ${HOME}/.config/hub
 blacklist ${HOME}/.kde/share/apps/kwallet
 blacklist ${HOME}/.kde4/share/apps/kwallet
 blacklist ${HOME}/.local/share/keyrings
 blacklist ${HOME}/.local/share/kwalletd
+blacklist ${HOME}/.local/share/pki
 blacklist ${HOME}/.local/share/plasma-vault
 blacklist ${HOME}/.msmtprc
 blacklist ${HOME}/.mutt
@@ -406,26 +425,9 @@ blacklist ${HOME}/.muttrc
 blacklist ${HOME}/.netrc
 blacklist ${HOME}/.nyx
 blacklist ${HOME}/.pki
-blacklist ${HOME}/.local/share/pki
 blacklist ${HOME}/.smbcredentials
 blacklist ${HOME}/.ssh
 blacklist ${HOME}/.vaults
-blacklist /.fscrypt
-blacklist /etc/davfs2/secrets
-blacklist /etc/group+
-blacklist /etc/group-
-blacklist /etc/gshadow
-blacklist /etc/gshadow+
-blacklist /etc/gshadow-
-blacklist /etc/passwd+
-blacklist /etc/passwd-
-blacklist /etc/shadow
-blacklist /etc/shadow+
-blacklist /etc/shadow-
-blacklist /etc/ssh
-blacklist /etc/ssh/*
-blacklist /home/.ecryptfs
-blacklist /home/.fscrypt
 blacklist /var/backup
 
 # cloud provider configuration
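Review bot: The sorted `# top secret` list now carries `blacklist /etc/ssh` immediately followed by `blacklist /etc/ssh/*` with nothing explaining why a directory blacklist needs a second glob over its contents, so a later cleanup pass is likely to treat one of them as a leftover and delete it. If the glob exists so that a profile which `noblacklist`s the directory to reach `ssh_config` still leaves the host private keys and `sshd_config` hidden, say so on the line, e.g. `# /etc/ssh/* keeps individual files hidden even where a profile noblacklists /etc/ssh`. I cannot confirm from this hunk how the profile parser orders `noblacklist` against a glob, so the wording should be checked against the implementation before it lands.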
@@ -488,10 +490,12 @@ blacklist /tmp/.lxterminal-socket*
 blacklist /tmp/tmux-*
 
 # disable terminals running as server resulting in sandbox escape
-blacklist ${PATH}/lxterminal
 blacklist ${PATH}/gnome-terminal
 blacklist ${PATH}/gnome-terminal.wrapper
+# blacklist ${PATH}/konsole
+# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
 blacklist ${PATH}/lilyterm
+blacklist ${PATH}/lxterminal
 blacklist ${PATH}/mate-terminal
 blacklist ${PATH}/mate-terminal.wrapper
 blacklist ${PATH}/pantheon-terminal
@@ -503,8 +507,6 @@ blacklist ${PATH}/urxvtc
 blacklist ${PATH}/urxvtcd
 blacklist ${PATH}/xfce4-terminal
 blacklist ${PATH}/xfce4-terminal.wrapper
-# blacklist ${PATH}/konsole
-# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
 
 # kernel files
 blacklist /initrd*
@@ -520,17 +522,17 @@ noblacklist ${HOME}/.local/share/flatpak/exports
 read-only ${HOME}/.local/share/flatpak/exports
 blacklist ${HOME}/.local/share/flatpak/*
 blacklist ${HOME}/.var
-blacklist ${RUNUSER}/app
-blacklist ${RUNUSER}/doc
+# most of the time bwrap is SUID binary
+blacklist ${PATH}/bwrap
 blacklist ${RUNUSER}/.dbus-proxy
 blacklist ${RUNUSER}/.flatpak
 blacklist ${RUNUSER}/.flatpak-cache
 blacklist ${RUNUSER}/.flatpak-helper
+blacklist ${RUNUSER}/app
+blacklist ${RUNUSER}/doc
 blacklist /usr/share/flatpak
 noblacklist /var/lib/flatpak/exports
 blacklist /var/lib/flatpak/*
-# most of the time bwrap is SUID binary
-blacklist ${PATH}/bwrap
 
 # snap
 blacklist ${RUNUSER}/snapd-session-agent.socket
-- 
cgit v1.2.3-54-g00ecf

From 426136018bb9076404961a172a8c71b5d2cb494b Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Mon, 26 Jul 2021 23:09:04 +0000
Subject: drop trailing slashes from openrc items

As suggested in https://github.com/netblue30/firejail/pull/4420#discussion_r676929867.
---
 etc/inc/disable-common.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index be3d0657c..05349d52d 100644
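Review bot: The commented-out `# blacklist ${PATH}/konsole` is now placed in the sorted terminal list with the justification `# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04`, a release that was already out of standard support when this commit was made in July 2021, so the only exemption from the sandbox-escape blacklist rests on a five-year-old observation. Re-testing on a current KDE whether a konsole started inside the jail hands its window to a konsole process already running outside (the server behaviour this section guards against) would either retire the exemption or let the comment be refreshed to `# konsole doesn't seem to have this problem - last tested on <distro/version>`; I cannot verify the behaviour from the diff itself.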
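Review bot: The moved rationale `# most of the time bwrap is SUID binary` above `blacklist ${PATH}/bwrap` describes what bwrap is but not why that makes it something to hide from the sandbox, which is the question the next maintainer will ask when a flatpak-related profile breaks. A comment that names the actual motivation would be more durable, along the lines of `# bwrap is usually SUID; hide it so a nested bubblewrap sandbox cannot be started from inside the jail` — the intent is not visible in the hunk, so confirm the wording against the original change that introduced the line before adopting it.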
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -169,9 +169,9 @@ blacklist /var/lib/systemd
 #blacklist /var/run/systemd
 
 # openrc
-blacklist /etc/init.d/
+blacklist /etc/init.d
 blacklist /etc/rc.conf
-blacklist /etc/runlevels/
+blacklist /etc/runlevels
 
 # VirtualBox
 blacklist ${HOME}/.config/VirtualBox
-- 
cgit v1.2.3-54-g00ecf