From 55906959a9cbf6a9d53273c5bd875174ab1a6d51 Mon Sep 17 00:00:00 2001
From: Fred Barclay
Date: Sat, 13 Jun 2020 12:02:53 -0500
Subject: More fixes for #3464
Backporting fixes for Atom 1.48 to firejail 0.9.52, 0.9.58, and 0.9.60
Summary:
- remove nonewprivs, noroot, protocol, and seccomp
- update caps filter to keep sys_admin and sys_chroot
Without these changes Atom 1.48 breaks and refuses to start (due to Electron sandboxing)
---
 etc-fixes/0.9.52/atom.profile | 31 +++++++++++++++++++++++++++++++
 etc-fixes/0.9.58/atom.profile | 36 ++++++++++++++++++++++++++++++++++++
 etc-fixes/0.9.60/atom.profile | 37 +++++++++++++++++++++++++++++++++++++
 3 files changed, 104 insertions(+)
 create mode 100644 etc-fixes/0.9.52/atom.profile
 create mode 100644 etc-fixes/0.9.58/atom.profile
 create mode 100644 etc-fixes/0.9.60/atom.profile
(limited to 'etc-fixes')
diff --git a/etc-fixes/0.9.52/atom.profile b/etc-fixes/0.9.52/atom.profile
new file mode 100644
index 000000000..87ffdced9
--- /dev/null
+++ b/etc-fixes/0.9.52/atom.profile
@@ -0,0 +1,31 @@
+# Firejail profile for atom
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/atom.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# blacklist /run/user/*/bus
+
+noblacklist ${HOME}/.atom
+noblacklist ${HOME}/.config/Atom
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.keep sys_admin,sys_chroot
+# net none
+netfilter
+nodvd
+nogroups
+nosound
+notv
+novideo
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc-fixes/0.9.58/atom.profile b/etc-fixes/0.9.58/atom.profile
new file mode 100644
index 000000000..9bc35da5a
--- /dev/null
+++ b/etc-fixes/0.9.58/atom.profile
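Review bot: The line `caps.keep sys_admin,sys_chroot` in the new 0.9.52 profile, together with the commit message's statement that nonewprivs, noroot, protocol and seccomp were dropped, leaves the jail with very little privilege reduction — a process holding CAP_SYS_ADMIN is close to root-equivalent, and nothing in the file records why the capability is retained or what protection remains; the 0.9.58 and 0.9.60 hunks carry the same line and the same gap. Since the header says the file is overwritten on every update, the rationale should live next to the directive so a later cleanup does not silently re-harden it and users do not assume the usual firejail isolation, e.g. `# sys_admin and sys_chroot are required by Electron's sandbox helper in Atom 1.48 (see #3464);` / `# with seccomp, noroot and nonewprivs also dropped, this profile is mostly a filesystem/device restriction`. The "presumably needed by Electron's sandbox" part is inferred from the commit message rather than from anything visible in the hunks, so the comment should be checked against what the issue actually established before it is committed.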
@@ -0,0 +1,36 @@
+
+# Firejail profile for atom
+# Description: A hackable text editor for the 21st Century
+# This file is overwritten after every install/update
+# Persistent local customizations
+include atom.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.atom
+noblacklist ${HOME}/.config/Atom
+noblacklist ${HOME}/.cargo/config
+noblacklist ${HOME}/.cargo/registry
+
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.keep sys_admin,sys_chroot
+# net none
+netfilter
+nodbus
+nodvd
+nogroups
+nosound
+notv
+nou2f
+novideo
+shell none
+
+private-cache
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc-fixes/0.9.60/atom.profile b/etc-fixes/0.9.60/atom.profile
new file mode 100644
index 000000000..c8929127b
--- /dev/null
+++ b/etc-fixes/0.9.60/atom.profile
@@ -0,0 +1,37 @@
+# Firejail profile for atom
+# Description: A hackable text editor for the 21st Century
+# This file is overwritten after every install/update
+# Persistent local customizations
+include atom.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.atom
+noblacklist ${HOME}/.config/Atom
+noblacklist ${HOME}/.config/git
+noblacklist ${HOME}/.cargo/config
+noblacklist ${HOME}/.cargo/registry
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.git-credentials
+noblacklist ${HOME}/.pythonrc.py
+
+include disable-common.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.keep sys_admin,sys_chroot
+# net none
+netfilter
+nodbus
+nodvd
+nogroups
+nosound
+notv
+nou2f
+novideo
+shell none
+
+private-cache
+private-dev
+private-tmp
-- 
cgit v1.2.3-70-g09d2