From cdc23478db1a3c4ae256dead1f837c36fc4032ef Mon Sep 17 00:00:00 2001
From: Jose Riha
Date: Sun, 2 Jun 2019 13:13:58 +0200
Subject: Add profile for links and xlinks (#2734)

* Add profile for links and xlinks
* Add profile for links and xlinks
* (X)links changes from review xlinks redirects to links Add basic private-etc line and a commented, extended private-etc
* Add alternatives to private-etc
---
etc/disable-programs.inc | 1 +
etc/links.profile | 64 ++++++++++++++++++++++++++++++++++++++++++++++
etc/xlinks.profile | 18 +++++++++++++
src/firecfg/firecfg.config | 2 ++
4 files changed, 85 insertions(+)
create mode 100644 etc/links.profile
create mode 100644 etc/xlinks.profile

diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 5481f976f..0153283f1 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -430,6 +430,7 @@ blacklist ${HOME}/.kodi
 blacklist ${HOME}/.lincity-ng
 blacklist ${HOME}/.linphone-history.db
 blacklist ${HOME}/.linphonerc
+blacklist ${HOME}/.links
 blacklist ${HOME}/.lmmsrc.xml
 blacklist ${HOME}/.local/lib/vivaldi
 blacklist ${HOME}/.local/share/0ad
diff --git a/etc/links.profile b/etc/links.profile
new file mode 100644
index 000000000..99b445fe0
--- /dev/null
+++ b/etc/links.profile
@@ -0,0 +1,64 @@
+# Firejail profile for links
+# Description: Text WWW browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include links.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+
+noblacklist ${HOME}/.links
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# you may want to noblacklist files/directories blacklisted in
+# disable-programs.inc and used as associated programs
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.links
+whitelist ${HOME}/.links
+whitelist ${DOWNLOADS}
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+# comment machine-id (or put 'ignore machine-id' in your links.local) if you want
+# to allow access only to user-configured associated media player
+machine-id
+netfilter
+# comment no3d (or put 'ignore no3d' in your links.local) if you want
+# to allow access only to user-configured associated media player
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+# comment nosound (or put 'ignore nosound' in your links.local) if you want
+# to allow access only to user-configured associated media player
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' to your links.local
+# or append 'PROGRAM1,PROGRAM2' to this private-bin line
+private-bin links,sh
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+# Uncomment the following line (or put it in your links.local) allow external
+# media players
+# private-etc alsa,asound.conf,machine-id,openal,pulse
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/xlinks.profile b/etc/xlinks.profile
new file mode 100644
index 000000000..775d6f8ed
--- /dev/null
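Review bot: `private-bin links,sh` places a shell in the sandbox's private /bin without saying why, even though the profile sets `shell none` two dozen lines earlier; presumably links needs `sh` to spawn user-configured associated programs, but that is not stated and should be confirmed. Add a one-line reason above it, e.g. `# sh is required by links to launch associated programs; drop it if you use none`, so a later reviewer does not remove it as a hardening step or keep it without need. The three comment blocks before `machine-id`, `no3d` and `nosound` repeat the same text and read oddly ("allow access only to"); one block such as `# comment machine-id/no3d/nosound (or 'ignore' them in links.local) to let user-configured media players run` placed before `machine-id` would cover all three. The stray "(or put it in your links.local) allow external" before the commented private-etc line is missing the word "to".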
+++ b/etc/xlinks.profile
@@ -0,0 +1,18 @@
+# Firejail profile for xlinks
+# Description: Text WWW browser (X11)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xlinks.local
+
+noblacklist /tmp/.X11-unix
+noblacklist ${HOME}/.links
+
+include whitelist-common.inc
+
+# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2'
+# to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line
+private-bin xlinks
+private-etc fonts
+
+# Redirect
+include links.profile
\ No newline at end of file
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 48789359d..994487f5a 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -322,6 +322,7 @@ less
 libreoffice
 liferea
 lincity-ng
+links
 linphone
 lmms
 lobase
@@ -622,6 +623,7 @@ xfce4-dict
 xfce4-mixer
 xfce4-notes
 xiphos
+xlinks
 xmms
 xmr-stak
 xonotic
-- cgit v1.2.3-70-g09d2
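Review bot: The new file ends without a trailing newline (`\ No newline at end of file` after `include links.profile`), unlike links.profile in the same commit; add the final newline so the two profiles are consistent and future one-line appends produce clean diffs. The `private-etc fonts` line followed by the redirect to links.profile, which carries its own `private-etc alternatives,ca-certificates,...` list, relies on firejail merging repeated private-etc lines rather than letting the last one win; if that is not the case for the targeted version, xlinks ends up without either the font directory or the resolver/TLS entries, so this is worth confirming and recording in a comment such as `# private-etc entries are merged with the ones from links.profile`.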