From f4b36e80321379c4917c7ab9c9b3bbcfad05899f Mon Sep 17 00:00:00 2001
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Date: Wed, 4 Aug 2021 16:29:41 +0200
Subject: Profile fixes

- Fix #4157 -- [Feature] Should rmenv GitHub auth tokens There are still more token variables from other program that should be added.
- Fix #4093 -- darktable needs read access to liblua*
- Fix #4383 -- move noblacklist ${HOME}/.bogofilter to email-common.profile for claws-mail (and other mailers)
- Fix xournalpp.profile
- syscalls.txt: ausyscall i386 -> firejail --debug-syscalls32
---
 etc/inc/disable-passwdmgr.inc | 8 ++++++++
 etc/inc/disable-programs.inc | 2 ++
 etc/profile-a-l/darktable.profile | 2 ++
 etc/profile-a-l/email-common.profile | 1 +
 etc/profile-m-z/xournalpp.profile | 10 ++++++++--
 etc/templates/syscalls.txt | 2 +-
 6 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/etc/inc/disable-passwdmgr.inc b/etc/inc/disable-passwdmgr.inc
index 3ed9a1b14..5876e2763 100644
--- a/etc/inc/disable-passwdmgr.inc
+++ b/etc/inc/disable-passwdmgr.inc
@@ -17,3 +17,11 @@ blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.local/share/KeePass
 blacklist ${HOME}/.local/share/keepass
 blacklist ${HOME}/.password-store
+
+# Remove environment variables with auth tokens.
+# Note however that the sandbox might still have access to the
+# files where these variables are set.
+rmenv GH_TOKEN
+rmenv GITHUB_TOKEN
+rmenv GH_ENTERPRISE_TOKEN
+rmenv GITHUB_ENTERPRISE_TOKEN
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index cdc5f622c..f8a94e498 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
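Review bot: The four new `rmenv` lines only strip the process environment, and the comment above them says as much; the GitHub CLI also persists its OAuth token on disk (typically `${HOME}/.config/gh/hosts.yml`), so a profile that includes this file can still read the same secret unless that directory is blacklisted as well — worth checking disable-programs.inc and adding `blacklist ${HOME}/.config/gh` there if it is missing. The commit message already notes that other programs' token variables are pending; since `rmenv` should be harmless when the variable is unset, the usual ones could go in now, e.g. `rmenv GITLAB_TOKEN`, `rmenv NPM_TOKEN`, `rmenv HOMEBREW_GITHUB_API_TOKEN`. Conversely, a profile for a tool that legitimately consumes `GH_TOKEN` must not include disable-passwdmgr.inc after this change, which is worth a sentence in the comment block.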
@@ -438,6 +438,7 @@ blacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
 blacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
 blacklist ${HOME}/.config/xiaoyong
 blacklist ${HOME}/.config/xmms2
+blacklist ${HOME}/.config/xournalpp
 blacklist ${HOME}/.config/xplayer
 blacklist ${HOME}/.config/xreader
 blacklist ${HOME}/.config/xviewer
@@ -1099,6 +1100,7 @@ blacklist ${HOME}/.cache/waterfox
 blacklist ${HOME}/.cache/wesnoth
 blacklist ${HOME}/.cache/winetricks
 blacklist ${HOME}/.cache/xmms2
+blacklist ${HOME}/.cache/xournalpp
 blacklist ${HOME}/.cache/xreader
 blacklist ${HOME}/.cache/yandex-browser
 blacklist ${HOME}/.cache/yandex-browser-beta
diff --git a/etc/profile-a-l/darktable.profile b/etc/profile-a-l/darktable.profile
index 61fa52928..bc388c913 100644
--- a/etc/profile-a-l/darktable.profile
+++ b/etc/profile-a-l/darktable.profile
@@ -10,6 +10,8 @@ noblacklist ${HOME}/.cache/darktable
 noblacklist ${HOME}/.config/darktable
 noblacklist ${PICTURES}
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index 6c9a8a6ea..5c4a4d3ac 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -7,6 +7,7 @@ include email-common.local
 # added by caller profile
 #include globals.local
+noblacklist ${HOME}/.bogofilter
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.signature
diff --git a/etc/profile-m-z/xournalpp.profile b/etc/profile-m-z/xournalpp.profile
index 988b878b9..1ef789689 100644
--- a/etc/profile-m-z/xournalpp.profile
+++ b/etc/profile-m-z/xournalpp.profile
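Review bot: `include allow-lua.inc` grants more than issue #4093 asks for (read access to liblua*): if allow-lua.inc also un-blacklists the lua interpreter binaries and module directories, as its name suggests, darktable's sandbox gains a scripting runtime rather than one shared library. If darktable merely links liblua, a narrower `noblacklist /usr/lib/liblua*` (plus the lib64/local variants the distro uses) would keep the interpreter out; if it really executes lua scripts, a one-line comment above the include such as `# darktable links liblua for its lua scripting API (#4093)` would justify the broader grant. The placement ahead of the disable-*.inc lines is right, since a noblacklist has to precede the blacklist it overrides.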
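Review bot: `noblacklist ${HOME}/.bogofilter` is now granted to every client that includes email-common.profile, although issue #4383 concerns claws-mail; the directory holds bogofilter's writable training database, so a compromised mailer that does not use bogofilter at all could still poison another program's spam classifier. If claws-mail is the only consumer, the line belongs in claws-mail.profile (or claws-mail.local) rather than the shared profile; if several mailers use it, a comment above the line naming them, e.g. `# bogofilter spam DB, used by claws-mail and other mailers (#4383)`, would document the trade-off. Mailers that carry a `private-bin` list will also need `bogofilter` added there for the integration to work, which this hunk cannot show.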
@@ -7,23 +7,29 @@ include xournalpp.local
 # added by included profile
 #include globals.local
+noblacklist ${HOME}/.cache/xournalpp
+noblacklist ${HOME}/.config/xournalpp
 noblacklist ${HOME}/.xournalpp
 include allow-lua.inc
+whitelist /usr/share/pipewire
 whitelist /usr/share/texlive
 whitelist /usr/share/xournalpp
 whitelist /var/lib/texmf
 include whitelist-runuser-common.inc
-#mkdir ${HOME}/.xournalpp
+#mkdir ${HOME}/.cache/xournalpp
+#mkdir ${HOME}/.config/xournalpp
+#whitelist ${HOME}/.cache/xournalpp
+#whitelist ${HOME}/.config/xournalpp
 #whitelist ${HOME}/.xournalpp
 #whitelist ${HOME}/.texlive20*
 #whitelist ${DOCUMENTS}
 #include whitelist-common.inc
 private-bin kpsewhich,pdflatex,xournalpp
-private-etc latexmk.conf,texlive
+private-etc alternatives,latexmk.conf,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,texlive
 # Redirect
 include xournal.profile
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index 38f789923..827b075e5 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -95,7 +95,7 @@ Now switch back to the first terminal (where `journalctl` is running) and look for the numbers of the blocked syscall(s) (`syscall=`). As soon as you have found them, you can stop `journalctl` (^C) and execute `firejail --debug-syscalls | grep NUMBER` to get the name of the syscall.
-In the particular case that it is a 32bit syscall on a 64bit system, use `ausyscall i386 NUMBER`.
+In the particular case that it is a 32bit syscall on a 64bit system, use `firejail --debug-syscalls32 | grep NUMBER`.
 Now you can add a seccomp exception using `seccomp !NAME`. If the blocked syscall is ptrace, consider to add allow-debuggers to the profile.
-- 
cgit v1.2.3-70-g09d2
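Review bot: `whitelist /usr/share/pipewire` is added without any hint of why a note-taking application needs pipewire's data directory, whereas the texlive entries explain themselves through the `pdflatex`/`kpsewhich` names in `private-bin`. Presumably it serves Xournal++'s audio-recording feature, but that is an inference; as far as I can tell profile files only treat whole lines starting with `#` as comments, so a line above it such as `# pipewire client config (audio recording)` would record the reason. A smaller oddity: the hunk drops `#mkdir ${HOME}/.xournalpp` but keeps `#whitelist ${HOME}/.xournalpp`, so if the commented whitelist block is ever enabled the legacy directory will not be created before it is whitelisted — fine if the intent is to stop creating the legacy location, but a note saying so would keep someone from re-adding the mkdir. The file continues past this hunk only through the `include xournal.profile` redirect, so settings from that profile also apply and are not visible here.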