From e91e7b2b8165450e695c7f45492cca2ae6927678 Mon Sep 17 00:00:00 2001
From: Tad
Date: Wed, 4 Jul 2018 15:48:02 -0400
Subject: Merges + misc fixes
- Change some links in README to HTTPS
- Fixup some typos in firejail-profile manpage
- Cleanup dash from private-etc
- Fixup gradio
- Synchronize server profile with default profile
---
 README | 11 +++++++----
 README.md | 2 +-
 RELNOTES | 2 +-
 etc/ark.profile | 2 +-
 etc/bsdtar.profile | 2 +-
 etc/disable-common.inc | 2 +-
 etc/disable-programs.inc | 2 ++
 etc/gradio.profile | 8 +++++---
 etc/server.profile | 10 ++++++++--
 src/firecfg/firecfg.config | 1 +
 src/man/firejail-profile.txt | 4 ++--
 11 files changed, 30 insertions(+), 16 deletions(-)
diff --git a/README b/README
index b7687b494..77fa231b1 100644
--- a/README
+++ b/README
@@ -9,7 +9,7 @@ Pidgin, Quassel, and XChat.
 Firejail also expands the restricted shell facility found in bash by adding Linux namespace support. It supports sandboxing specific users upon login.
-Download: http://sourceforge.net/projects/firejail/files/
+Download: https://sourceforge.net/projects/firejail/files/
 Build and install: ./configure && make && sudo make install Documentation and support: https://firejail.wordpress.com/ Development: https://github.com/netblue30/firejail
@@ -123,6 +123,9 @@ BogDan Vatra (https://github.com/bog-dan-ro)
 Bruno Nova (https://github.com/brunonova) - whitelist fix - bash arguments fix
+Bundy01 (https://github.com/Bundy01) - fixup geary - add gradio profile
 BytesTuner (https://github.com/BytesTuner) - provided keepassxc profile caoliver (https://github.com/caoliver)
@@ -242,7 +245,7 @@ Fred-Barclay (https://github.com/Fred-Barclay)
 - added Catfish profile g3ngr33n (https://github.com/g3ngr33n) - fix musl compilation
-G4JC (http://sourceforge.net/u/gaming4jc/profile/)
+G4JC (https://sourceforge.net/u/gaming4jc/profile/)
 - ARM support - profile fixes Gaman Gabriel (https://github.com/stelariusinfinitek)
@@ -409,7 +412,7 @@ Ondra Nekola (https://github.com/satai)
 - allow firefox theming with non-global themes Panzerfather (https://github.com/Panzerfather) - allow eog to access user's trash
-Patrick Toomey (http://sourceforge.net/u/ptoomey/profile/)
+Patrick Toomey (https://sourceforge.net/u/ptoomey/profile/)
 - user namespace implementation Paul Moore -src/fsec-print/print.c extracted from libseccomp software package
@@ -549,7 +552,7 @@ SkewedZeppelin (https://github.com/SkewedZeppelin)
 - hardern /var - profile standard layout - Spotify and itch.io profile fixes
-sshirokov (http://sourceforge.net/u/yshirokov/profile/)
+sshirokov (https://sourceforge.net/u/yshirokov/profile/)
 - Patch to output "Reading profile" to stderr instead of stdout SYN-cook (https://github.com/SYN-cook) - keepass/keepassx browser fixes
diff --git a/README.md b/README.md
index cf1384249..15234f80f 100644
--- a/README.md
+++ b/README.md
@@ -134,4 +134,4 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 ````` ## New profiles
-Microsoft Office Online, riot-desktop, gnome-mpv, snox,
+Microsoft Office Online, riot-desktop, gnome-mpv, snox, gradio
diff --git a/RELNOTES b/RELNOTES
index 0cb390192..979633aef 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -5,7 +5,7 @@ firejail (0.9.55) baseline; urgency=low
 * support full paths in private-lib * globbing support in private-lib * new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint
- * new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox
+ * new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox, gradio
 -- netblue30 Fri, 25 May 2018 08:00:00 -0500 firejail (0.9.54) baseline; urgency=low
diff --git a/etc/ark.profile b/etc/ark.profile
index 0c7ef3dae..12675b30b 100644
--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -31,7 +31,7 @@ protocol unix
 seccomp
 shell none
-private-bin ark,unrar,rar,unzip,zip,zipinfo,7z,p7zip,unar,lsar,lrzip,lzop,lz4,bash,dash,sh,tclsh
+private-bin ark,unrar,rar,unzip,zip,zipinfo,7z,p7zip,unar,lsar,lrzip,lzop,lz4,bash,sh,tclsh
 #private-etc smb.conf,samba,mtab,fonts,drirc,kde5rc,passwd,group,xdg
 private-dev
diff --git a/etc/bsdtar.profile b/etc/bsdtar.profile
index a49fc023a..d3bc76ba5 100644
--- a/etc/bsdtar.profile
+++ b/etc/bsdtar.profile
@@ -34,7 +34,7 @@ shell none
 tracelog
 # support compressed archives
-private-bin sh,bash,dash,bsdtar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop,lz4,libarchive
+private-bin sh,bash,bsdtar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop,lz4,libarchive
 private-dev
 private-etc passwd,group,localtime
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 56121809a..b2357716a 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -391,4 +391,4 @@ blacklist ${HOME}/*.local/share/flatpak
 blacklist /var/lib/flatpak
 blacklist /usr/share/flatpak
 # most of the time bwrap is SUID binary
-blacklist /usr/bin/bwrap
\ No newline at end of file
+blacklist ${PATH}/bwrap
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index f72b5a5c3..1dee73078 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -393,6 +393,7 @@ blacklist ${HOME}/.local/share/gnome-photos
 blacklist ${HOME}/.local/share/gnome-recipes
 blacklist ${HOME}/.local/share/gnome-ring
 blacklist ${HOME}/.local/share/gnome-twitch
+blacklist ${HOME}/.local/share/gradio
 blacklist ${HOME}/.local/share/gwenview
 blacklist ${HOME}/.local/share/kaffeine
 blacklist ${HOME}/.local/share/kate
@@ -550,6 +551,7 @@ blacklist ${HOME}/.cache/google-chrome
 blacklist ${HOME}/.cache/google-chrome-beta
 blacklist ${HOME}/.cache/google-chrome-unstable
 blacklist ${HOME}/.cache/gnome-twitch
+blacklist ${HOME}/.cache/gradio
 blacklist ${HOME}/.cache/icedove
 blacklist ${HOME}/.cache/INRIA/Natron
 blacklist ${HOME}/.cache/inkscape
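Review bot: Dropping `dash` from `private-bin` while keeping `sh` relies on private-bin copying the target of the `sh` symlink into the sandbox; on distributions where `/bin/sh` points at dash, if only the link were copied the archive helpers that spawn a shell would have no usable `sh`, so confirm that behaviour before relying on it. The same edit is made in the bsdtar.profile hunk below and the same check applies there. The commit description calls this "Cleanup dash from private-etc" but the directive changed in both hunks is `private-bin`; suggest `- Cleanup dash from private-bin` so the history matches the diff.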
diff --git a/etc/gradio.profile b/etc/gradio.profile
index 1a7ff60ed..bba92a0bc 100644
--- a/etc/gradio.profile
+++ b/etc/gradio.profile
@@ -5,10 +5,8 @@ include /etc/firejail/gradio.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+noblacklist ${HOME}/.cache/gradio
 noblacklist ${HOME}/.local/share/gradio
-mkdir ${HOME}/.local/share/gradio
-whitelist ${HOME}/.local/share/gradio
-whitelist ${HOME}/.cache/gradio
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -16,6 +14,10 @@ include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+mkdir ${HOME}/.cache/gradio
+mkdir ${HOME}/.local/share/gradio
+whitelist ${HOME}/.cache/gradio
+whitelist ${HOME}/.local/share/gradio
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc
diff --git a/etc/server.profile b/etc/server.profile
index 9cc906e55..94e2d5da9 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -22,18 +22,24 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps
+# ipc-namespace
+# netfilter /etc/firejail/webserver.net
 no3d
+# nodbus
 nodvd
+# nogroups
+# nonewprivs
+# noroot
 nosound
 notv
 novideo
 seccomp
-
-# netfilter /etc/firejail/webserver.net
+# shell none
 # disable-mnt
 private
 # private-bin program
+# private-cache
 private-dev
 # private-etc none
 # private-lib
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 718c2f973..5e5a5a967 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -188,6 +188,7 @@ google-play-music-desktop-player
 gpa
 gpicview
 gpredict
+gradio
 gthumb
 guayadeque
 gucharmap
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 851eb1026..59f15f75c 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
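Review bot: The commented-out options added after `caps` in server.profile (`# ipc-namespace`, `# nodbus`, `# nogroups`, `# nonewprivs`, `# noroot`) and the later `# shell none` and `# private-cache` give no reason for staying disabled in a template meant to be copied for daemons, so a reader cannot tell whether they break typical services or were simply not evaluated. `nonewprivs` and `noroot` in particular are the ones a service that binds a privileged port or drops privileges itself may not tolerate, which is worth stating next to them. Suggest one comment above the block, e.g. `# hardening options below are left off; enable per service after checking it needs no root or setuid at startup`. If these lines were copied from the default profile as the commit message suggests, the same comment would help there as well.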
@@ -391,10 +391,10 @@ Examples:
 .TP
 \fBrlimit-as 123456789012
-Set he maximum size of the process's virtual memory to 123456789012 bytes.
+Set the maximum size of the process's virtual memory to 123456789012 bytes.
 .TP
 \fBrlimit-cpu 123
-Set he maximum CPU time in seconds.
+Set the maximum CPU time in seconds.
 .TP
 \fBrlimit-fsize 1024
 Set the maximum file size that can be created by a process to 1024 bytes.
--
cgit v1.2.3-54-g00ecf