From 2314c1155d7d2cbae59885054b95c62f28f7842e Mon Sep 17 00:00:00 2001
From: SYN-cook
Date: Thu, 11 May 2017 01:49:20 +0200
Subject: add noexec folders (tmp/.X11-unix and .config/pulse)

---
 etc/disable-common.inc | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 1c1b298a9..7ed99799d 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -190,11 +190,9 @@ read-only ${HOME}/.npm-packages
 #read-only ${HOME}/.local
 #read-write ${HOME}/.local/share
 #noexec ${HOME}/.local/share
-read-only ${HOME}/.local/share/applications
+read-only ${HOME}/.local/share/applications
 blacklist ${HOME}/.local/share/Trash
-
-
 
 # top secret
 blacklist ${HOME}/.ecryptfs
 blacklist ${HOME}/.Private
@@ -296,3 +294,7 @@ blacklist ${PATH}/urxvtcd
 # kernel files
 blacklist /vmlinuz*
 blacklist /initrd*
+
+# completing noexec ${HOME} and noexec /tmp
+noexec ${HOME}/.config/pulse
+noexec /tmp/.X11-unix
-- 
cgit v1.2.3-70-g09d2

From fdf87add9ac0df0e8de6b95a1f42a73b2098adec Mon Sep 17 00:00:00 2001
From: SYN-cook
Date: Thu, 11 May 2017 01:53:04 +0200
Subject: fix noexec on .config/pulse

---
 src/firejail/sandbox.c | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index ecc365895..d8880b924 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -789,7 +789,23 @@ int sandbox(void* sandbox_arg) {
 	//****************************
 	if (checkcfg(CFG_DISABLE_MNT))
 		fs_mnt();
 
+
+	//****************************
+	// nosound/no3d and fix for pulseaudio 7.0
+	//****************************
+	if (arg_nosound) {
+		// disable pulseaudio
+		pulseaudio_disable();
+		// disable /dev/snd
+		fs_dev_disable_sound();
+	}
+	else
+		pulseaudio_init();
+
+	if (arg_no3d)
+		fs_dev_disable_3d();
+
 	//****************************
 	// apply the profile file
 	//****************************
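Review bot: The new comment above `noexec ${HOME}/.config/pulse` and `noexec /tmp/.X11-unix` says the lines complete `noexec ${HOME}` and `noexec /tmp` but not why those broader rules leave these two paths uncovered, so a reader of the profile cannot tell whether the lines are redundant. The follow-up commit in this series (fix noexec on .config/pulse) suggests they are directories the sandbox sets up itself, in which case a parent-directory noexec would not carry over to them; if so, say it in the profile, e.g. `# set up separately by the sandbox, so noexec on ${HOME} and /tmp does not cover them`. Both rules can only take effect if the directories already exist when the profile is applied, which is the ordering the next commit changes.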
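Review bot: The relocated block carries no explanation of why it must now run before the profile file is applied, yet that ordering is the whole point of the move (the subject says it fixes noexec on .config/pulse, which suggests the profile's noexec only takes effect once pulseaudio_init() has set the directory up), so a later tidy-up could move it back and silently reintroduce the bug. Add a why-comment under the banner, e.g. `// keep this before the profile is applied; see commit fdf87add9ac (fix noexec on .config/pulse)`. The unbraced `else pulseaudio_init();` is a style nit: braces on both branches would match the `if` arm and avoid a dangling-else surprise if a line is added later. sandbox() starts and ends outside the hunk.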
@@ -809,22 +825,6 @@ int sandbox(void* sandbox_arg) {
 	//****************************
 	if (arg_trace || arg_tracelog)
 		fs_trace();
-
-	//****************************
-	// nosound/no3d and fix for pulseaudio 7.0
-	//****************************
-	if (arg_nosound) {
-		// disable pulseaudio
-		pulseaudio_disable();
-
-		// disable /dev/snd
-		fs_dev_disable_sound();
-	}
-	else
-		pulseaudio_init();
-
-	if (arg_no3d)
-		fs_dev_disable_3d();
 
 	//****************************
 	// set dns
-- 
cgit v1.2.3-70-g09d2

From 07080ba365988e6bfd8a0067aa73bfb1ab25469d Mon Sep 17 00:00:00 2001
From: SYN-cook
Date: Thu, 11 May 2017 02:46:41 +0200
Subject: layout

---
 etc/disable-common.inc | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 7ed99799d..96a92cd15 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -181,17 +181,14 @@ read-only ${HOME}/.gem
 read-only ${HOME}/.luarocks
 read-only ${HOME}/.npm-packages
 
-###########################
 # The following block breaks trash functionality in file managers
-##########################
-# Make the contents of ~/.local read-only,
-# except the commonly-used ~/.local/share,
-# but including ~/.local/share/applications
 #read-only ${HOME}/.local
 #read-write ${HOME}/.local/share
 #noexec ${HOME}/.local/share
+blacklist ${HOME}/.local/share/Trash
+
+# Write-protection for desktop entries
 read-only ${HOME}/.local/share/applications
-blacklist ${HOME}/.local/share/Trash
 
 # top secret
 blacklist ${HOME}/.ecryptfs
-- 
cgit v1.2.3-70-g09d2

From 5834098f6cadef9725067bc497ac73a50f9bbe2f Mon Sep 17 00:00:00 2001
From: SYN-cook
Date: Thu, 11 May 2017 17:02:11 +0200
Subject: rephrase

---
 etc/disable-common.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 96a92cd15..7a5e8bf5b 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
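Review bot: After the move, `blacklist ${HOME}/.local/share/Trash` sits directly under the `# The following block breaks trash functionality in file managers` comment and its three commented-out rules, with no separator, so it reads as part of the disabled block rather than as an active rule. Insert a blank line above it and give it its own one-line comment, e.g. `# Trash directory`, so the active rule is visibly distinct from the disabled trio. The deleted lines (read-only ~/.local except ~/.local/share, but including ~/.local/share/applications) were the only record of what the disabled block was meant to achieve; keep a shortened form of that explanation next to the commented-out rules so a future maintainer can decide whether to re-enable them.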
@@ -292,6 +292,6 @@ blacklist ${PATH}/urxvtcd
 blacklist /vmlinuz*
 blacklist /initrd*
 
-# completing noexec ${HOME} and noexec /tmp
+# complement noexec ${HOME} and noexec /tmp
 noexec ${HOME}/.config/pulse
 noexec /tmp/.X11-unix
-- 
cgit v1.2.3-70-g09d2