From e800e4e8c65994b8ba13aa2dd86af3139281ebd2 Mon Sep 17 00:00:00 2001
From: Tad
Date: Sat, 16 Sep 2017 14:37:17 -0400
Subject: Update disable-programs.inc
---
 etc/disable-programs.inc | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
(limited to 'etc/disable-programs.inc')
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 3007a51b3..e22fb6fa3 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -17,8 +17,10 @@ blacklist ${HOME}/.Steam
 blacklist ${HOME}/.Steampath
 blacklist ${HOME}/.Steampid
 blacklist ${HOME}/.TelegramDesktop
+blacklist ${HOME}/.ViberPC
 blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/.Wolfram Research
+blacklist ${HOME}/.aMule
 blacklist ${HOME}/.android
 blacklist ${HOME}/.arduino15
 blacklist ${HOME}/.atom
@@ -35,6 +37,7 @@ blacklist ${HOME}/.config/Brackets
 blacklist ${HOME}/.config/Clementine
 blacklist ${HOME}/.config/Cryptocat
 blacklist ${HOME}/.config/Franz
+blacklist ${HOME}/.config/FreeCAD
 blacklist ${HOME}/.config/Gitter
 blacklist ${HOME}/.config/Google
 blacklist ${HOME}/.config/Gpredict
@@ -124,6 +127,7 @@ blacklist ${HOME}/.config/lximage-qt
 blacklist ${HOME}/.config/mate-calc
 blacklist ${HOME}/.config/mate/eom
 blacklist ${HOME}/.config/mate/mate-dictionary
+blacklist ${HOME}/.config/mfusion
 blacklist ${HOME}/.config/midori
 blacklist ${HOME}/.config/mpv
 blacklist ${HOME}/.config/mupen64plus
@@ -188,6 +192,7 @@ blacklist ${HOME}/.conkeror.mozdev.org
 blacklist ${HOME}/.curlrc
 blacklist ${HOME}/.dia
 blacklist ${HOME}/.dillo
+blacklist ${HOME}/.dooble
 blacklist ${HOME}/.dosbox
 blacklist ${HOME}/.dropbox-dist
 blacklist ${HOME}/.electrum*
@@ -203,15 +208,13 @@ blacklist ${HOME}/.frozen-bubble
 blacklist ${HOME}/.gimp*
 blacklist ${HOME}/.git-credential-cache
 blacklist ${HOME}/.gitconfig
-blacklist ${HOME}/.googleearth/Cache/
-blacklist ${HOME}/.googleearth/Temp/
-blacklist ${HOME}/.googleearth/myplaces.backup.kml
-blacklist ${HOME}/.googleearth/myplaces.kml
+blacklist ${HOME}/.googleearth
 blacklist ${HOME}/.gradle
 blacklist ${HOME}/.guayadeque
 blacklist ${HOME}/.hedgewars
 blacklist ${HOME}/.hugin
 blacklist ${HOME}/.icedove
+blacklist ${HOME}/.imagej
 blacklist ${HOME}/.inkscape
 blacklist ${HOME}/.java
 blacklist ${HOME}/.jitsi
@@ -410,6 +413,7 @@ blacklist ${HOME}/.cache/google-chrome
 blacklist ${HOME}/.cache/google-chrome-beta
 blacklist ${HOME}/.cache/google-chrome-unstable
 blacklist ${HOME}/.cache/icedove
+blacklist ${HOME}/.cache/INRIA/Natron
 blacklist ${HOME}/.cache/inox
 blacklist ${HOME}/.cache/libgweather
 blacklist ${HOME}/.cache/midori
--
cgit v1.2.3-54-g00ecf
From 78bb84ddf277dab653a08f97303894e35433402f Mon Sep 17 00:00:00 2001
From: Tad
Date: Sat, 16 Sep 2017 15:35:55 -0400
Subject: Misc fixes Thanks to @Fred-Barclay, @smitsohu and @reinerh for a bunch of these
---
 etc/Viber.profile | 3 ++-
 etc/amule.profile | 1 +
 etc/ardour5.profile | 3 ++-
 etc/cin.profile | 2 +-
 etc/disable-programs.inc | 5 ++++-
 etc/dooble.profile | 6 +++---
 etc/fetchmail.profile | 2 +-
 etc/google-earth.profile | 17 +++++++++++++----
 etc/kdenlive.profile | 3 +++
 etc/krita.profile | 2 +-
 etc/mpd.profile | 1 -
 etc/natron.profile | 6 +++---
 etc/teamspeak3.profile | 2 --
 etc/tor-browser-en.profile | 35 +++--------------------------------
 etc/torbrowser-launcher.profile | 11 +++++++----
 etc/x-terminal-emulator.profile | 1 +
 etc/zart.profile | 1 -
 17 files changed, 45 insertions(+), 56 deletions(-)
(limited to 'etc/disable-programs.inc')
diff --git a/etc/Viber.profile b/etc/Viber.profile
index 468199dd8..03e5f1086 100644
--- a/etc/Viber.profile
+++ b/etc/Viber.profile
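Review bot: `blacklist ${HOME}/.cache/INRIA/Natron` is added here, but the sibling `${HOME}/.config/INRIA` that natron.profile un-blacklists (see the natron.profile hunk later on this page) does not appear in this hunk, so unless it is already elsewhere in the file Natron's configuration directory stays readable from every other sandbox. If it is missing, the entry belongs in the `.config` run above, as `blacklist ${HOME}/.config/INRIA`.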
@@ -25,11 +25,12 @@ nogroups
 nonewprivs
 noroot
 notv
+protocol unix,inet,inet6
 seccomp
 shell none
 disable-mnt
-private-bin sh,dig,awk
+private-bin sh,bash,dash,dig,awk,Viber
 private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf
 private-tmp
diff --git a/etc/amule.profile b/etc/amule.profile
index c59377850..98ec52015 100644
--- a/etc/amule.profile
+++ b/etc/amule.profile
@@ -28,6 +28,7 @@ noroot
 nosound
 notv
 novideo
+protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/ardour5.profile b/etc/ardour5.profile
index 738b5990a..69b3dde46 100644
--- a/etc/ardour5.profile
+++ b/etc/ardour5.profile
@@ -24,10 +24,11 @@ nogroups
 nonewprivs
 noroot
 notv
+protocol unix
 seccomp
 shell none
-#private-bin sh,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm
+#private-bin sh,ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm
 private-dev
 #private-etc pulse,X11,alternatives,ardour4,ardour5,fonts
 private-tmp
diff --git a/etc/cin.profile b/etc/cin.profile
index 93a94c910..eeeda476f 100644
--- a/etc/cin.profile
+++ b/etc/cin.profile
@@ -24,7 +24,7 @@ protocol unix
 seccomp
 shell none
-private-bin cin
+#private-bin cin
 private-dev
 noexec ${HOME}
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index e22fb6fa3..88b7e7d32 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -208,7 +208,10 @@ blacklist ${HOME}/.frozen-bubble
 blacklist ${HOME}/.gimp*
 blacklist ${HOME}/.git-credential-cache
 blacklist ${HOME}/.gitconfig
-blacklist ${HOME}/.googleearth
+blacklist ${HOME}/.googleearth/Cache/
+blacklist ${HOME}/.googleearth/Temp/
+blacklist ${HOME}/.googleearth/myplaces.backup.kml
+blacklist ${HOME}/.googleearth/myplaces.kml
 blacklist ${HOME}/.gradle
 blacklist ${HOME}/.guayadeque
 blacklist ${HOME}/.hedgewars
diff --git a/etc/dooble.profile b/etc/dooble.profile
index aabfcd8bb..2a57b0ef3 100644
--- a/etc/dooble.profile
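Review bot: `private-bin sh,bash,dash,dig,awk,Viber` now admits three shell binaries where the launcher presumably needs only the one that `/bin/sh` resolves to; every extra interpreter in private-bin widens the set of executables reachable inside the sandbox, so if `bash`/`dash` are listed only because `/bin/sh` is a distribution-dependent symlink, record that in a comment (`# sh,bash,dash: /bin/sh target varies by distribution`) so the extras are not kept indefinitely. The same `sh,bash,dash` triple is added in the google-earth.profile hunk `@@ -32,7 +41,7 @@` further down.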
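Review bot: The edited `#private-bin ...` line in ardour5.profile is still commented out, so adding `ardour4` to it has no runtime effect and, as far as this hunk shows, the profile runs with no private-bin restriction at all. The cin.profile hunk just below does the reverse, turning the live `private-bin cin` into `#private-bin cin` with no reason recorded. In both files a short comment on why the restriction is disabled (e.g. `#private-bin cin` preceded by `# private-bin disabled: <reason it breaks cin>`) keeps it from being re-enabled blindly or forgotten; the `#private-etc` line in ardour5 is in the same state.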
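Review bot: Replacing `blacklist ${HOME}/.googleearth` with four enumerated paths means anything else Google Earth writes under `~/.googleearth` is no longer hidden from other sandboxes; a directory-level blacklist is the safer default, and the enumerated form is only justified if google-earth.profile's whitelist needs exactly those paths (the google-earth.profile hunk in this commit does mirror them). A one-line comment above the four entries, `# keep in sync with the whitelist in google-earth.profile`, would make that coupling explicit and avoid the back-and-forth visible between this commit and the one above it.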
+++ b/etc/dooble.profile
@@ -1,4 +1,4 @@
-# Firejail profile for dooble-qt4
+# Firejail profile for dooble
 # This file is overwritten after every install/update
 # Persistent local customizations
 include /etc/firejail/dooble-qt4.local
@@ -6,7 +6,7 @@ include /etc/firejail/dooble-qt4.local
 include /etc/firejail/globals.local
-noblacklist ~/.dooble
+noblacklist ${HOME}/.dooble
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -15,7 +15,7 @@ include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.dooble
 whitelist ${DOWNLOADS}
-whitelist ~/.dooble
+whitelist ${HOME}/.dooble
 include /etc/firejail/whitelist-common.inc
 caps.drop all
diff --git a/etc/fetchmail.profile b/etc/fetchmail.profile
index 9ee59f453..3fd7f3d75 100644
--- a/etc/fetchmail.profile
+++ b/etc/fetchmail.profile
@@ -25,5 +25,5 @@ protocol unix,inet,inet6
 seccomp
 shell none
-# private-bin fetchmail,procmail,bash,chmod
+#private-bin fetchmail,procmail,bash,chmod
 private-dev
diff --git a/etc/google-earth.profile b/etc/google-earth.profile
index 32da9a5a8..b60f5b3a5 100644
--- a/etc/google-earth.profile
+++ b/etc/google-earth.profile
@@ -6,7 +6,10 @@ include /etc/firejail/google-earth.local
 include /etc/firejail/globals.local
 noblacklist ${HOME}/.config/Google
-noblacklist ${HOME}/.googleearth
+noblacklist ${HOME}/.googleearth/Cache/
+noblacklist ${HOME}/.googleearth/Temp/
+noblacklist ${HOME}/.googleearth/myplaces.backup.kml
+noblacklist ${HOME}/.googleearth/myplaces.kml
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
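Review bot: The header is renamed to `# Firejail profile for dooble`, but the directive right under it still reads `include /etc/firejail/dooble-qt4.local`, so a user who follows the convention every other profile on this page uses (google-earth.local, teamspeak3.local, torbrowser-launcher.local) and creates `dooble.local` gets no effect while a stale `dooble-qt4.local` is still honoured. Either change it to `include /etc/firejail/dooble.local` or leave a comment saying the -qt4 name is kept deliberately; the second hunk `@@ -6,7 +6,7 @@` shows the same include as context.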
@@ -14,9 +17,15 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.config/Google
-mkdir ${HOME}/.googleearth
+mkdir ${HOME}/.googleearth/Cache/
+mkdir ${HOME}/.googleearth/Temp/
+mkfile ${HOME}/.googleearth/myplaces.backup.kml
+mkfile ${HOME}/.googleearth/myplaces.kml
 whitelist ${HOME}/.config/Google
-whitelist ${HOME}/.googleearth
+whitelist ${HOME}/.googleearth/Cache/
+whitelist ${HOME}/.googleearth/Temp/
+whitelist ${HOME}/.googleearth/myplaces.backup.kml
+whitelist ${HOME}/.googleearth/myplaces.kml
 include /etc/firejail/whitelist-common.inc
 caps.drop all
@@ -32,7 +41,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
-private-bin google-earth,sh,grep,sed,ls,dirname
+private-bin google-earth,sh,bash,dash,grep,sed,ls,dirname
 private-dev
 noexec ${HOME}
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile
index 56bb729e1..a1a5f957c 100644
--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -25,3 +25,6 @@ shell none
 private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper
 private-dev
 #private-etc fonts,alternatives,X11,pulse,passwd
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/krita.profile b/etc/krita.profile
index 2dfd084ef..e91f5b242 100644
--- a/etc/krita.profile
+++ b/etc/krita.profile
@@ -28,5 +28,5 @@ shell none
 private-dev
 private-tmp
-noexec /home
+noexec ${HOME}
 noexec /tmp
diff --git a/etc/mpd.profile b/etc/mpd.profile
index 601861083..7bfa47d77 100644
--- a/etc/mpd.profile
+++ b/etc/mpd.profile
@@ -17,7 +17,6 @@ caps.drop all
 netfilter
 no3d
 nodvd
-nogroups
 nonewprivs
 noroot
 notv
diff --git a/etc/natron.profile b/etc/natron.profile
index 49eaf2f0d..d77539d83 100644
--- a/etc/natron.profile
+++ b/etc/natron.profile
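Review bot: `nogroups` is dropped from mpd.profile with no comment, and the same happens to `novideo` in the zart.profile hunk at the end of this page. Both are hardening directives, so the reason for removing them belongs in the profile itself — for mpd presumably a supplementary group such as `audio` is required for device access, which is worth confirming and then stating as `# nogroups omitted: mpd needs the audio group` — otherwise the next cleanup pass will either re-add them and break the program or nobody will know they can safely be restored.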
@@ -7,9 +7,9 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.Natron
-noblacklist ${HOME}/.cache/INRIA/Natron/
-noblacklist ${HOME}/.config/INRIA/
-noblacklist /opt/natron/
+noblacklist ${HOME}/.cache/INRIA/Natron
+noblacklist ${HOME}/.config/INRIA
+noblacklist /opt/natron
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/teamspeak3.profile b/etc/teamspeak3.profile
index f8afff551..86f96ba50 100644
--- a/etc/teamspeak3.profile
+++ b/etc/teamspeak3.profile
@@ -5,7 +5,6 @@ include /etc/firejail/teamspeak3.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-noblacklist ${DOWNLOADS}
 noblacklist ${HOME}/.ts3client
 include /etc/firejail/disable-common.inc
@@ -33,7 +32,6 @@ seccomp
 shell none
 disable-mnt
-private
 private-dev
 private-tmp
diff --git a/etc/tor-browser-en.profile b/etc/tor-browser-en.profile
index 75a079a2e..bf3a80139 100644
--- a/etc/tor-browser-en.profile
+++ b/etc/tor-browser-en.profile
@@ -1,35 +1,6 @@
-# Firejail profile for tor-browser-en
+# Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/tor-browser-en.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-noblacklist ${HOME}/.tor-browser-en
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-whitelist ${HOME}/.tor-browser-en
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-disable-mnt
-private-bin bash,grep,sed,tail,tor-browser-en,env,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf,file,expr
-private-tmp
-
-noexec /tmp
+# Redirect
+include /etc/firejail/torbrowser-launcher.profile
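Review bot: Removing `private` from teamspeak3.profile switches the sandbox from an empty home directory to the user's real ${HOME} filtered only by the disable-*.inc blacklists; together with `noblacklist ${HOME}/.ts3client` that is probably intended (persistent client configuration), but neither teamspeak3 hunk adds a `whitelist ${HOME}/.ts3client` plus `include /etc/firejail/whitelist-common.inc` to keep the rest of home hidden. If such a whitelist already exists in the part of the profile outside these hunks this is fine; if not, those two lines are the minimal replacement for the isolation that `private` used to provide.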
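Review bot: The redirect drops `include /etc/firejail/tor-browser-en.local` with the rest of the profile, so any existing customization in `/etc/firejail/tor-browser-en.local` silently stops applying and the user has to discover that torbrowser-launcher.local is now the place to edit. Keeping `include /etc/firejail/tor-browser-en.local` ahead of `include /etc/firejail/torbrowser-launcher.profile`, or at least saying so in the header comment, avoids that surprise. The removed profile also carried `disable-mnt`, `caps.drop all`, `seccomp` and `protocol unix,inet,inet6`; the torbrowser-launcher hunks that follow show only part of that file, so please confirm the redirect target enforces the same restrictions.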
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile
index 763c2d051..3b6b65bec 100644
--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -5,17 +5,20 @@ include /etc/firejail/torbrowser-launcher.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-
+noblacklist ~/.tor-browser-en
 noblacklist ~/.config/torbrowser
-whitelist ~/.config/torbrowser
 noblacklist ~/.local/share/torbrowser
-whitelist ~/.local/share/torbrowser
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+whitelist ~/.tor-browser-en
+whitelist ~/.config/torbrowser
+whitelist ~/.local/share/torbrowser
+include /etc/firejail/whitelist-common.inc
+
 caps.drop all
 netfilter
 nodvd
@@ -29,7 +32,7 @@ seccomp
 shell none
 tracelog
-private-bin torbrowser-launcher,python2.7,python,bash,dash,sh,grep,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf
+private-bin bash,cp,dash,dirname,env,expr,file,getconf,gpg,grep,id,ln,mkdir,python,python2.7,readlink,rm,sed,sh,tail,test,tor-browser-en,torbrowser-launcher
 private-dev
 private-etc fonts
 private-tmp
diff --git a/etc/x-terminal-emulator.profile b/etc/x-terminal-emulator.profile
index aca0d7144..1395b81c9 100644
--- a/etc/x-terminal-emulator.profile
+++ b/etc/x-terminal-emulator.profile
@@ -12,6 +12,7 @@ net none
 netfilter
 nogroups
 noroot
+protocol unix
 seccomp
 private-dev
diff --git a/etc/zart.profile b/etc/zart.profile
index b5897f4a9..6e136d0c9 100644
--- a/etc/zart.profile
+++ b/etc/zart.profile
@@ -19,7 +19,6 @@ nogroups
 nonewprivs
 noroot
 notv
-novideo
 protocol unix
 seccomp
 shell none
--
cgit v1.2.3-54-g00ecf
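Review bot: The new lines use `~/.tor-browser-en` while the dooble.profile hunk in this same commit converts `~/` to `${HOME}/`; the profile set should settle on one form, and `${HOME}` is what disable-programs.inc uses throughout. Whitelisting `~/.tor-browser-en` here also presumes torbrowser-launcher installs into that directory in addition to `~/.local/share/torbrowser`; if it is only there to serve the tor-browser-en profile that now redirects to this file, a comment such as `# ~/.tor-browser-en: install dir used by the tor-browser-en alias` would explain why both trees are exposed.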