From 9e3469e1cffffa9d0e50f284c9b46a773138a1a6 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 6 Jun 2016 11:54:53 -0400 Subject: added gThumb and mpv profiles --- etc/gthumb.profile | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 etc/gthumb.profile (limited to 'etc/gthumb.profile') diff --git a/etc/gthumb.profile b/etc/gthumb.profile new file mode 100644 index 000000000..55041b5cc --- /dev/null +++ b/etc/gthumb.profile @@ -0,0 +1,17 @@ +# gthumb profile +noblacklist ${HOME}/.config/gthumb + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp + +private-bin gthumb +shell none -- cgit v1.2.3-70-g09d2 From e3abab47dcda4dba4a1412261e35cb1608ffd900 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 10 Jun 2016 10:41:57 -0400 Subject: private-bin conversion --- README.md | 4 +++ etc/cherrytree.profile | 9 +++++ etc/disable-devel.inc | 2 +- etc/evince.profile | 3 ++ etc/fbreader.profile | 3 ++ etc/gnome-mplayer.profile | 3 ++ etc/gthumb.profile | 2 +- etc/vlc.profile | 2 +- src/firejail/main.c | 1 - test/apps/apps.sh | 10 ++++++ test/apps/gthumb.exp | 83 +++++++++++++++++++++++++++++++++++++++++++++++ 11 files changed, 118 insertions(+), 4 deletions(-) create mode 100755 test/apps/gthumb.exp (limited to 'etc/gthumb.profile') diff --git a/README.md b/README.md index 36fb99f3d..db0625d43 100644 --- a/README.md +++ b/README.md @@ -71,6 +71,10 @@ BitTorrent profiles converted to private-bin: deluge, qbittorrent, rtorrent, tra File transfer: filezilla +Media: vlc, mpv, gnome-mplayer + +Office: evince, gthumb, fbreader + ## New security profiles Gitter, gThumb, mpv, Franz messenger diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index bc6fe1d86..7b6238d98 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile 
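Review bot: `noblacklist ${HOME}/.config/gthumb` on the first line of the new gthumb.profile spells the home directory as `${HOME}`, while the other profiles in this log use `~` (`noblacklist ~/.atom`, `whitelist ~/.config/hexchat`, `mkdir ~/.hedgewars`); one form should be used consistently so the profiles stay greppable, i.e. `noblacklist ~/.config/gthumb`. The profile also hands an image viewer outbound network (`netfilter` together with `protocol unix,inet,inet6`) without saying which feature needs it; a comment such as `# network kept for web-album export — TODO confirm`, or narrowing to `protocol unix` if nothing needs it, would make the decision reviewable.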
@@ -24,3 +24,12 @@ protocol unix,inet,inet6,netlink tracelog include /etc/firejail/whitelist-common.inc + +# no private-bin support for various reasons: +#10:25:34 exec 11249 (root) NEW SANDBOX: /usr/bin/firejail /usr/bin/cherrytree +#10:25:34 exec 11252 (netblue) /bin/bash -c "/usr/bin/cherrytree" +#10:25:34 exec 11252 (netblue) /usr/bin/python /usr/bin/cherrytree +#10:25:34 exec 11253 (netblue) sh -c /sbin/ldconfig -p 2>/dev/null +#10:25:34 exec 11255 (netblue) sh -c if type gcc >/dev/null 2>&1; then CC=gcc; elif type cc >/dev/null 2>&1; then CC=cc;else exit 10; fi;LANG=C LC_ALL=C $CC -Wl,-t -o /tmp/tmpiYr44S 2>&1 -llibc +# it requires acces to browser to show the online help +# it doesn't play nicely with expect diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index 8c18ec2c3..071a82f76 100644 --- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc @@ -37,7 +37,7 @@ blacklist /usr/lib/php* blacklist /usr/bin/ruby blacklist /usr/lib/ruby -# Programs using python: deluge, some firefox addons, filezilla +# Programs using python: deluge, firefox addons, filezilla, cherrytree # Python 2 #blacklist /usr/bin/python2* #blacklist /usr/lib/python2* diff --git a/etc/evince.profile b/etc/evince.profile index 8c84a1daa..8671c1251 100644 --- a/etc/evince.profile +++ b/etc/evince.profile @@ -10,3 +10,6 @@ noroot nosound protocol unix,inet,inet6 seccomp + +shell none +private-bin evince,evince-previewer,evince-thumbnailer diff --git a/etc/fbreader.profile b/etc/fbreader.profile index c4d84691c..df359e50a 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile @@ -13,3 +13,6 @@ noroot nosound protocol unix,inet,inet6 seccomp + +shell none +private-bin fbreader,FBReader \ No newline at end of file diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile index f15778534..1caea177d 100644 --- a/etc/gnome-mplayer.profile +++ b/etc/gnome-mplayer.profile @@ -9,3 +9,6 @@ nonewprivs noroot protocol unix,inet,inet6 seccomp + +shell none +private-bin gnome-mplayer 
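Review bot: The comment block added at the end of cherrytree.profile pastes a raw exec trace — timestamps, PIDs, the user name `netblue` and a `/tmp/tmpiYr44S` path — into a shipped configuration file, and the explanation that follows misspells `acces`. The information worth keeping is one sentence: the program is a Python script that runs `sh`, `ldconfig` and a C compiler at startup, which is why a `private-bin` list is impractical. I would replace the trace with `# no private-bin: cherrytree is a python script that runs sh, ldconfig and gcc at startup` and keep `# it requires access to a browser to show the online help` and `# it doesn't play nicely with expect` as the two remaining lines.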
diff --git a/etc/gthumb.profile b/etc/gthumb.profile index 55041b5cc..68d6a52d9 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile @@ -13,5 +13,5 @@ noroot protocol unix,inet,inet6 seccomp -private-bin gthumb shell none +private-bin gthumb diff --git a/etc/vlc.profile b/etc/vlc.profile index e225e80e9..1a6e5a151 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile @@ -16,4 +16,4 @@ seccomp # to test shell none -private-bin vlc +private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc diff --git a/src/firejail/main.c b/src/firejail/main.c index 1621d810f..d027eb697 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -135,7 +135,6 @@ static void myexit(int rv) { } static void my_handler(int s){ -printf("**************************\n"); EUID_ROOT(); if (!arg_quiet) { printf("\nParent received signal %d, shutting down the child process...\n", s); diff --git a/test/apps/apps.sh b/test/apps/apps.sh index fa56ce370..bbfe2a606 100755 --- a/test/apps/apps.sh +++ b/test/apps/apps.sh @@ -87,6 +87,16 @@ else echo "TESTING SKIP: evince not found" fi + +which gthumb +if [ "$?" -eq 0 ]; +then + echo "TESTING: gthumb" + ./gthumb.exp +else + echo "TESTING SKIP: gthumb not found" +fi + which icedove if [ "$?" -eq 0 ]; then diff --git a/test/apps/gthumb.exp b/test/apps/gthumb.exp new file mode 100755 index 000000000..86bb975ba --- /dev/null +++ b/test/apps/gthumb.exp 
@@ -0,0 +1,83 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail gthumb\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/gthumb.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 3 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "gthumb" +} +sleep 1 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + ":firejail gthumb" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail gthumb" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +sleep 1 + +puts "\nall done\n" + -- cgit v1.2.3-70-g09d2 From f5b452bc4276ff2abecae522d9598441899293f1 Mon Sep 17 00:00:00 2001 
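Review bot: Two different expect blocks in test/apps/gthumb.exp report the same label — `TESTING ERROR 5.1 (seccomp)` for the `Seccomp: 2` check and `TESTING ERROR 5.1` for the following `name=blablabla` check — so a failure log cannot say which expectation timed out; renumber the second to `puts "TESTING ERROR 5.2\n";exit`. The same duplicated label is in test/apps/uget-gtk.exp added two commits later in this log. The script also starts two sandboxes (`firejail gthumb`, `firejail --name=blablabla`) and three shells and finishes with `puts "\nall done\n"` without sending `exit` to any of them, so they outlive the test; presumably the harness cleans up, but a trailing `send -- "exit\r"` per spawned shell would make the test self-contained.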
From: netblue30 Date: Fri, 10 Jun 2016 11:22:24 -0400 Subject: private-bin conversion --- README.md | 2 +- etc/deluge.profile | 1 + etc/disable-devel.inc | 2 +- etc/evince.profile | 1 + etc/fbreader.profile | 3 +- etc/filezilla.profile | 1 + etc/gthumb.profile | 1 + etc/hexchat.profile | 2 ++ etc/qbittorrent.profile | 1 + etc/rtorrent.profile | 1 + etc/transmission-gtk.profile | 1 + etc/transmission-qt.profile | 1 + etc/uget-gtk.profile | 4 +++ etc/weechat.profile | 4 +++ etc/xchat.profile | 2 ++ test/apps/apps.sh | 9 +++++ test/apps/uget-gtk.exp | 83 ++++++++++++++++++++++++++++++++++++++++++++ 17 files changed, 116 insertions(+), 3 deletions(-) create mode 100755 test/apps/uget-gtk.exp (limited to 'etc/gthumb.profile') diff --git a/README.md b/README.md index db0625d43..69890ffaf 100644 --- a/README.md +++ b/README.md @@ -67,7 +67,7 @@ AppImage project home: https://github.com/probonopd/AppImageKit ## Converting profiles to private-bin - work in progress! -BitTorrent profiles converted to private-bin: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt +BitTorrent: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt, uget-gtk File transfer: filezilla diff --git a/etc/deluge.profile b/etc/deluge.profile index 87a17423b..96df13a73 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile @@ -15,3 +15,4 @@ seccomp shell none private-bin deluge,sh,python,uname +whitelist /tmp/.X11-unix diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index 071a82f76..4e401055a 100644 --- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc @@ -37,7 +37,7 @@ blacklist /usr/lib/php* blacklist /usr/bin/ruby blacklist /usr/lib/ruby -# Programs using python: deluge, firefox addons, filezilla, cherrytree +# Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat # Python 2 #blacklist /usr/bin/python2* #blacklist /usr/lib/python2* diff --git a/etc/evince.profile b/etc/evince.profile index 8671c1251..320d55fad 100644 
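Review bot: `whitelist /tmp/.X11-unix` added to deluge.profile (and in the same commit to evince, fbreader, filezilla, gthumb, qbittorrent, rtorrent, transmission-gtk, transmission-qt and uget-gtk) does two things at once and neither is commented. As I understand firejail's whitelist, a whitelist entry under /tmp replaces /tmp with a tmpfs holding only the listed paths, so the real effect is hiding the rest of /tmp; the line does not restrict X11 in any way — the X server socket stays reachable and X clients sharing a server are not isolated from one another. A comment such as `# whitelist /tmp/.X11-unix: hides the rest of /tmp; X11 access itself is not isolated` above the first such line would stop the next reader from taking it for an X11 restriction.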
--- a/etc/evince.profile +++ b/etc/evince.profile @@ -13,3 +13,4 @@ seccomp shell none private-bin evince,evince-previewer,evince-thumbnailer +whitelist /tmp/.X11-unix diff --git a/etc/fbreader.profile b/etc/fbreader.profile index df359e50a..f155b02af 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile @@ -15,4 +15,5 @@ protocol unix,inet,inet6 seccomp shell none -private-bin fbreader,FBReader \ No newline at end of file +private-bin fbreader,FBReader +whitelist /tmp/.X11-unix diff --git a/etc/filezilla.profile b/etc/filezilla.profile index 35663f2fa..c146dba13 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile @@ -16,3 +16,4 @@ seccomp shell none private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp +whitelist /tmp/.X11-unix diff --git a/etc/gthumb.profile b/etc/gthumb.profile index 68d6a52d9..2d6cd160c 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile @@ -15,3 +15,4 @@ seccomp shell none private-bin gthumb +whitelist /tmp/.X11-unix diff --git a/etc/hexchat.profile b/etc/hexchat.profile index a584d25c5..4e829c379 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile @@ -17,3 +17,5 @@ mkdir ~/.config mkdir ~/.config/hexchat whitelist ~/.config/hexchat include /etc/firejail/whitelist-common.inc + +# private-bin requires perl, python, etc. diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index bb97a880b..bc87ad5c8 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile @@ -14,3 +14,4 @@ seccomp shell none private-bin qbittorrent +whitelist /tmp/.X11-unix diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index c196370a2..97c2335a8 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile @@ -14,3 +14,4 @@ seccomp shell none private-bin rtorrent +whitelist /tmp/.X11-unix diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index e8d0e25e7..80d71d615 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile 
@@ -18,3 +18,4 @@ tracelog shell none private-bin transmission-gtk +whitelist /tmp/.X11-unix diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index fd3a98aad..dfb600871 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile @@ -18,3 +18,4 @@ tracelog shell none private-bin transmission-qt +whitelist /tmp/.X11-unix diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index 02c7f56bf..591a82af4 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile @@ -17,3 +17,7 @@ mkdir ~/.config mkdir ~/.config/uGet whitelist ~/.config/uGet include /etc/firejail/whitelist-common.inc + +shell none +private-bin uget-gtk +whitelist /tmp/.X11-unix diff --git a/etc/weechat.profile b/etc/weechat.profile index 6cfe58420..410061278 100644 --- a/etc/weechat.profile +++ b/etc/weechat.profile @@ -9,3 +9,7 @@ nonewprivs noroot protocol unix,inet,inet6 seccomp + +# no private-bin support for various reasons: +# Plugins loaded: alias, aspell, charset, exec, fifo, guile, irc, +# logger, lua, perl, python, relay, ruby, script, tcl, trigger, xferloading plugins \ No newline at end of file diff --git a/etc/xchat.profile b/etc/xchat.profile index 061c4f3da..1f2865cab 100644 --- a/etc/xchat.profile +++ b/etc/xchat.profile @@ -10,3 +10,5 @@ nonewprivs noroot protocol unix,inet,inet6 seccomp + +# private-bin requires perl, python, etc. diff --git a/test/apps/apps.sh b/test/apps/apps.sh index bbfe2a606..c329c57e5 100755 --- a/test/apps/apps.sh +++ b/test/apps/apps.sh @@ -69,6 +69,15 @@ else echo "TESTING SKIP: qbittorrent not found" fi +which uget-gtk +if [ "$?" -eq 0 ]; +then + echo "TESTING: uget" + ./uget-gtk.exp +else + echo "TESTING SKIP: uget-gtk not found" +fi + which filezilla if [ "$?" -eq 0 ]; then diff --git a/test/apps/uget-gtk.exp b/test/apps/uget-gtk.exp new file mode 100755 index 000000000..47fa5849b --- /dev/null +++ b/test/apps/uget-gtk.exp 
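Review bot: The comment appended to weechat.profile ends with `trigger, xferloading plugins` followed by `\ No newline at end of file`; the list appears to have been pasted from the program's startup output with a line break lost between `xfer` and `loading plugins`, and the missing final newline will make the next edit show up as a modification of this line. I would end the file with `# logger, lua, perl, python, relay, ruby, script, tcl, trigger, xfer` plus a newline. The same pattern — dumped program output kept as a comment — is in cherrytree.profile earlier in this log.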
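Review bot: The new block in test/apps/apps.sh prints `TESTING: uget` but checks for and skips with `uget-gtk`, unlike the neighbouring blocks (gthumb, evince, filezilla) which use the same program name in both messages. `echo "TESTING: uget-gtk"` keeps the log greppable by the name the test script is called after.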
@@ -0,0 +1,83 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail uget-gtk\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/uget-gtk.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 3 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "uget-gtk" +} +sleep 1 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + ":firejail uget-gtk" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail uget-gtk" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +sleep 1 + +puts "\nall done\n" + -- cgit v1.2.3-70-g09d2 From 66e7bdf16731a225fdd260f4b1bfb8d73fe9ce22 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Thu, 23 Jun 2016 10:52:43 -0400 Subject: profile update --- etc/deluge.profile | 2 ++ etc/evince.profile | 1 + etc/fbreader.profile | 1 + etc/filezilla.profile | 1 + etc/gthumb.profile | 1 + etc/pix.profile | 2 ++ etc/qbittorrent.profile | 1 + etc/rtorrent.profile | 1 + etc/transmission-gtk.profile | 2 ++ etc/transmission-qt.profile | 1 + etc/uget-gtk.profile | 2 ++ 11 files changed, 15 insertions(+) (limited to 'etc/gthumb.profile') diff --git a/etc/deluge.profile b/etc/deluge.profile index 96df13a73..61bc80bd5 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile @@ -16,3 +16,5 @@ seccomp shell none private-bin deluge,sh,python,uname whitelist /tmp/.X11-unix +private-dev + diff --git a/etc/evince.profile b/etc/evince.profile index 320d55fad..9899da84d 100644 --- a/etc/evince.profile +++ b/etc/evince.profile @@ -14,3 +14,4 @@ seccomp shell none private-bin evince,evince-previewer,evince-thumbnailer whitelist /tmp/.X11-unix +private-dev diff --git a/etc/fbreader.profile b/etc/fbreader.profile index f155b02af..24b35df9a 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile @@ -17,3 +17,4 @@ seccomp shell none private-bin fbreader,FBReader whitelist /tmp/.X11-unix +private-dev diff --git a/etc/filezilla.profile b/etc/filezilla.profile index c146dba13..390769382 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile @@ -17,3 +17,4 @@ seccomp shell none private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp whitelist /tmp/.X11-unix +private-dev diff --git a/etc/gthumb.profile b/etc/gthumb.profile index 2d6cd160c..44e7051a5 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile @@ -16,3 +16,4 @@ seccomp shell none private-bin gthumb whitelist /tmp/.X11-unix +private-dev diff --git a/etc/pix.profile b/etc/pix.profile index ccf0c0381..4e53de00b 100644 --- a/etc/pix.profile +++ b/etc/pix.profile @@ -17,3 +17,5 @@ seccomp shell none private-bin pix whitelist /tmp/.X11-unix +private-dev + 
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index b2bfe49ca..c5b9a72e6 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile @@ -16,3 +16,4 @@ seccomp #shell none #private-bin qbittorrent whitelist /tmp/.X11-unix +private-dev diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index 97c2335a8..1226a51cd 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile @@ -15,3 +15,4 @@ seccomp shell none private-bin rtorrent whitelist /tmp/.X11-unix +private-dev diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index 80d71d615..fa5c3b22b 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile @@ -19,3 +19,5 @@ tracelog shell none private-bin transmission-gtk whitelist /tmp/.X11-unix +private-dev + diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index dfb600871..754211a63 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile @@ -19,3 +19,4 @@ tracelog shell none private-bin transmission-qt whitelist /tmp/.X11-unix +private-dev diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index 591a82af4..2c3c62c5f 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile @@ -21,3 +21,5 @@ include /etc/firejail/whitelist-common.inc shell none private-bin uget-gtk whitelist /tmp/.X11-unix +private-dev + -- cgit v1.2.3-70-g09d2 From 442655366ff4f32139cad216390eae8e9d12eda7 Mon Sep 17 00:00:00 2001 
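Review bot: The qbittorrent hunk adds `private-dev` under the context lines `#shell none` and `#private-bin qbittorrent` — the private-bin conversion is commented out — yet README.md as updated earlier in this log (`BitTorrent: deluge, qbittorrent, rtorrent, ...`) still lists qbittorrent among the converted profiles. The profile records no reason for disabling it, unlike hexchat.profile and xchat.profile, which explain themselves with `# private-bin requires perl, python, etc.`. Either add a similar one-line comment above the commented directives and drop qbittorrent from the README list, or re-enable the two lines if commenting them out was not intended.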
From: netblue30 Date: Fri, 8 Jul 2016 09:00:27 -0400 Subject: nosound --- etc/atom-beta.profile | 2 ++ etc/atom.profile | 1 + etc/bitlbee.profile | 2 ++ etc/cpio.profile | 1 + etc/deluge.profile | 1 + etc/dnscrypt-proxy.profile | 1 + etc/dnsmasq.profile | 1 + etc/fbreader.profile | 1 + etc/filezilla.profile | 2 ++ etc/gthumb.profile | 1 + etc/gwenview.profile | 1 + etc/gzip.profile | 1 + etc/hedgewars.profile | 1 + etc/less.profile | 1 + etc/libreoffice.profile | 1 + etc/mcabber.profile | 1 + etc/okular.profile | 1 + etc/pix.profile | 1 + etc/qbittorrent.profile | 1 + etc/quiterss.profile | 1 + etc/rtorrent.profile | 1 + etc/server.profile | 1 + etc/strings.profile | 1 + etc/uget-gtk.profile | 1 + etc/unbound.profile | 1 + etc/wesnoth.profile | 1 + etc/xzdec.profile | 1 + 27 files changed, 30 insertions(+) (limited to 'etc/gthumb.profile') diff --git a/etc/atom-beta.profile b/etc/atom-beta.profile index e2c3000c9..3c753e86c 100644 --- a/etc/atom-beta.profile +++ b/etc/atom-beta.profile @@ -15,3 +15,5 @@ seccomp shell none private-dev +nosound + diff --git a/etc/atom.profile b/etc/atom.profile index f996ea79e..8304cd379 100644 --- a/etc/atom.profile +++ b/etc/atom.profile @@ -15,3 +15,4 @@ seccomp shell none private-dev +nosound diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile index e63802c8a..4666d2fe7 100644 --- a/etc/bitlbee.profile +++ b/etc/bitlbee.profile @@ -10,3 +10,5 @@ private private-dev protocol unix,inet,inet6 seccomp +nosound + diff --git a/etc/cpio.profile b/etc/cpio.profile index b0e59c106..b4d232496 100644 --- a/etc/cpio.profile +++ b/etc/cpio.profile @@ -16,6 +16,7 @@ net none shell none tracelog net none +nosound diff --git a/etc/deluge.profile b/etc/deluge.profile index 61bc80bd5..8fde9acf9 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile @@ -17,4 +17,5 @@ shell none private-bin deluge,sh,python,uname whitelist /tmp/.X11-unix private-dev +nosound 
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile index bd7e19dc2..90c244e03 100644 --- a/etc/dnscrypt-proxy.profile +++ b/etc/dnscrypt-proxy.profile @@ -8,5 +8,6 @@ include /etc/firejail/disable-passwdmgr.inc private private-dev +nosound seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile index 6b199c34b..1c01d44e4 100644 --- a/etc/dnsmasq.profile +++ b/etc/dnsmasq.profile @@ -11,5 +11,6 @@ netfilter nonewprivs private private-dev +nosound protocol unix,inet,inet6,netlink seccomp diff --git a/etc/fbreader.profile b/etc/fbreader.profile index 24b35df9a..de31ce8de 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile @@ -18,3 +18,4 @@ shell none private-bin fbreader,FBReader whitelist /tmp/.X11-unix private-dev +nosound diff --git a/etc/filezilla.profile b/etc/filezilla.profile index 390769382..551c17a78 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile @@ -18,3 +18,5 @@ shell none private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp whitelist /tmp/.X11-unix private-dev +nosound + diff --git a/etc/gthumb.profile b/etc/gthumb.profile index 44e7051a5..c673a1297 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile @@ -17,3 +17,4 @@ shell none private-bin gthumb whitelist /tmp/.X11-unix private-dev +nosound diff --git a/etc/gwenview.profile b/etc/gwenview.profile index 65cc084e6..67f10c4e1 100644 --- a/etc/gwenview.profile +++ b/etc/gwenview.profile 
@@ -13,6 +13,7 @@ nogroups private-dev protocol unix seccomp +nosound #Experimental: #shell none diff --git a/etc/gzip.profile b/etc/gzip.profile index 8d35c9f66..cc19e7608 100644 --- a/etc/gzip.profile +++ b/etc/gzip.profile @@ -5,3 +5,4 @@ net none shell none private-dev private-tmp +nosound diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile index c5d863bd5..11cd844ce 100644 --- a/etc/hedgewars.profile +++ b/etc/hedgewars.profile @@ -12,6 +12,7 @@ noroot private-dev seccomp tracelog +nosound mkdir ~/.hedgewars whitelist ~/.hedgewars diff --git a/etc/less.profile b/etc/less.profile index 9cad7ceb6..0c43111d7 100644 --- a/etc/less.profile +++ b/etc/less.profile @@ -5,3 +5,4 @@ net none shell none private-dev private-tmp +nosound diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index 6cbdbfd66..77a00ebef 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile @@ -15,4 +15,5 @@ tracelog private-dev whitelist /tmp/.X11-unix/ +nosound diff --git a/etc/mcabber.profile b/etc/mcabber.profile index 6b236a9a7..48b46dba0 100644 --- a/etc/mcabber.profile +++ b/etc/mcabber.profile @@ -18,3 +18,4 @@ private-bin mcabber private-etc null private-dev shell none +nosound diff --git a/etc/okular.profile b/etc/okular.profile index b1efc4753..c9c342b15 100644 --- a/etc/okular.profile +++ b/etc/okular.profile @@ -14,6 +14,7 @@ noroot private-dev protocol unix seccomp +nosound #Experimental: #net none diff --git a/etc/pix.profile b/etc/pix.profile index 87056e32c..81ab7486f 100644 --- a/etc/pix.profile +++ b/etc/pix.profile @@ -18,4 +18,5 @@ shell none private-bin pix whitelist /tmp/.X11-unix private-dev +nosound diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index c5b9a72e6..138b6db55 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile @@ -17,3 +17,4 @@ seccomp #private-bin qbittorrent whitelist /tmp/.X11-unix private-dev +nosound diff --git a/etc/quiterss.profile b/etc/quiterss.profile index 3e5dde36e..f2b9959f6 100644 
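Review bot: `nosound` is added to hedgewars.profile, a game whose users presumably expect audio, in the same commit that adds it to headless or non-media programs (gzip, less, strings, unbound) where it is uncontroversial. If disabling audio for hedgewars is deliberate, a comment such as `# nosound: game audio deliberately disabled — confirm` would keep the next maintainer from reverting it; if not, the line should be dropped. Note that the later hedgewars hunk in this log (commit "tightened profiles") is diffed against the pre-nosound revision `c5d863bd5`, so the two changes may need reconciling.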
--- a/etc/quiterss.profile +++ b/etc/quiterss.profile @@ -22,6 +22,7 @@ nogroups noroot private-bin quiterss private-dev +nosound #private-etc X11,ssl protocol unix,inet,inet6 seccomp diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index 1226a51cd..15df2c374 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile @@ -16,3 +16,4 @@ shell none private-bin rtorrent whitelist /tmp/.X11-unix private-dev +nosound diff --git a/etc/server.profile b/etc/server.profile index 1b3cb7207..88331d951 100644 --- a/etc/server.profile +++ b/etc/server.profile @@ -8,6 +8,7 @@ include /etc/firejail/disable-passwdmgr.inc private private-dev +nosound private-tmp seccomp diff --git a/etc/strings.profile b/etc/strings.profile index 9bc67cfb8..881edf4ad 100644 --- a/etc/strings.profile +++ b/etc/strings.profile @@ -5,3 +5,4 @@ net none shell none private-dev private-tmp +nosound diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index 2c3c62c5f..269f8f0fd 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile @@ -22,4 +22,5 @@ shell none private-bin uget-gtk whitelist /tmp/.X11-unix private-dev +nosound diff --git a/etc/unbound.profile b/etc/unbound.profile index 4365e4fee..5e2cb5f65 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile @@ -8,5 +8,6 @@ include /etc/firejail/disable-passwdmgr.inc private private-dev +nosound seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile index cd0c6406f..8bd6ef8e1 100644 --- a/etc/wesnoth.profile +++ b/etc/wesnoth.profile 
@@ -15,6 +15,7 @@ protocol unix,inet,inet6 seccomp private-dev +nosound whitelist /tmp/.X11-unix diff --git a/etc/xzdec.profile b/etc/xzdec.profile index 1bff66965..ddf2061bf 100644 --- a/etc/xzdec.profile +++ b/etc/xzdec.profile @@ -5,3 +5,4 @@ net none shell none private-dev private-tmp +nosound -- cgit v1.2.3-70-g09d2 From 741bd754b70c5020b2c21681879ead4d1910e4ff Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sat, 9 Jul 2016 05:29:23 +1000 Subject: ...he'll probably want to hack Firejail profiles. --- etc/gthumb.profile | 9 +++++---- etc/pix.profile | 9 +++++---- 2 files changed, 10 insertions(+), 8 deletions(-) (limited to 'etc/gthumb.profile') diff --git a/etc/gthumb.profile b/etc/gthumb.profile index c673a1297..3c02576aa 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile @@ -7,14 +7,15 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -netfilter nonewprivs +nogroups noroot -protocol unix,inet,inet6 +nosound +protocol unix seccomp - shell none +tracelog + private-bin gthumb whitelist /tmp/.X11-unix private-dev -nosound diff --git a/etc/pix.profile b/etc/pix.profile index 81ab7486f..80c05fd09 100644 --- a/etc/pix.profile +++ b/etc/pix.profile @@ -8,15 +8,16 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -netfilter nonewprivs +nogroups noroot -protocol unix,inet,inet6 +nosound +protocol unix seccomp - shell none +tracelog + private-bin pix whitelist /tmp/.X11-unix private-dev -nosound -- cgit v1.2.3-70-g09d2 From 0773b2791af79418572373ac8297bea6060d65a9 Mon Sep 17 00:00:00 2001 
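Review bot: The gthumb hunk drops `netfilter` and narrows to `protocol unix`, which — as I understand the protocol filter — blocks inet socket creation but leaves the sandbox inside the host network namespace. If gthumb genuinely needs no network, `net none` (already used by cpio.profile and gzip.profile in this log) isolates at the namespace level and states the intent more strongly; if some feature still needs network, `protocol unix` is the wrong call. Either way a comment above the line recording the decision would help, and the pix hunk in the same commit makes the identical change.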
From: Fred-Barclay Date: Wed, 17 Aug 2016 09:18:20 +1000 Subject: tightened profiles --- etc/gnome-mplayer.profile | 5 ++++- etc/gpredict.profile | 3 ++- etc/gthumb.profile | 3 ++- etc/hedgewars.profile | 6 +++++- etc/hexchat.profile | 6 +++++- etc/jitsi.profile | 1 + etc/kmail.profile | 4 ++++ etc/konversation.profile | 3 +++ 8 files changed, 26 insertions(+), 5 deletions(-) (limited to 'etc/gthumb.profile') diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile index 1caea177d..1b0fc9807 100644 --- a/etc/gnome-mplayer.profile +++ b/etc/gnome-mplayer.profile @@ -5,10 +5,13 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +nogroups nonewprivs noroot protocol unix,inet,inet6 seccomp - shell none + private-bin gnome-mplayer +private-dev +private-tmp diff --git a/etc/gpredict.profile b/etc/gpredict.profile index a8378a66e..353ecceae 100644 --- a/etc/gpredict.profile +++ b/etc/gpredict.profile @@ -15,10 +15,11 @@ nonewprivs nogroups noroot nosound -protocol unix,inet,inet6,netlink +protocol unix,inet,inet6 seccomp shell none tracelog private-bin gpredict private-dev +private-tmp diff --git a/etc/gthumb.profile b/etc/gthumb.profile index 3c02576aa..e043c7229 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile @@ -7,8 +7,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -nonewprivs nogroups +nonewprivs noroot nosound protocol unix @@ -19,3 +19,4 @@ tracelog private-bin gthumb whitelist /tmp/.X11-unix private-dev +private-tmp diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile index c5d863bd5..7910b7eb0 100644 --- a/etc/hedgewars.profile +++ b/etc/hedgewars.profile 
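Review bot: `private-tmp` is appended to gthumb.profile while the context line `whitelist /tmp/.X11-unix` stays; both directives rebuild /tmp, and the profile does not say how they are expected to interact. The next commit in this log ("tested and stable") removes `private-tmp` from gthumb again, also without a comment, so the pair is likely to be re-added by someone tidying the profile later. Whichever directive is kept, a one-liner such as `# private-tmp and whitelist /tmp/.X11-unix overlap here; keep only one` above it would record the decision.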
@@ -7,12 +7,16 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +netfilter +nogroups nonewprivs noroot -private-dev seccomp tracelog +private-dev +private-tmp + mkdir ~/.hedgewars whitelist ~/.hedgewars include /etc/firejail/whitelist-common.inc diff --git a/etc/hexchat.profile b/etc/hexchat.profile index 0d7ee6594..0ff64aef5 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile @@ -7,9 +7,11 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all +netfilter +nogroups nonewprivs noroot -netfilter +nosound protocol unix,inet,inet6 seccomp @@ -18,3 +20,5 @@ whitelist ~/.config/hexchat include /etc/firejail/whitelist-common.inc # private-bin requires perl, python, etc. +private-dev +private-tmp diff --git a/etc/jitsi.profile b/etc/jitsi.profile index 8baf1ad94..c61158f8b 100644 --- a/etc/jitsi.profile +++ b/etc/jitsi.profile @@ -14,3 +14,4 @@ seccomp shell none tracelog +private-tmp diff --git a/etc/kmail.profile b/etc/kmail.profile index 44a53e258..8c8fd18c4 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile @@ -9,7 +9,11 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter nonewprivs +nogroups noroot protocol unix,inet,inet6,netlink seccomp tracelog + +private-dev +private-tmp diff --git a/etc/konversation.profile b/etc/konversation.profile index 190061618..e9546fd1b 100644 --- a/etc/konversation.profile +++ b/etc/konversation.profile @@ -7,6 +7,9 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter +nogroups noroot seccomp protocol unix,inet,inet6 + +private-tmp -- cgit v1.2.3-70-g09d2 From c26be70b30582400dc88a4bb213368a6d7250302 Mon Sep 17 00:00:00 2001 
From: Fred-Barclay Date: Thu, 1 Sep 2016 03:42:44 +1000 Subject: tested and stable --- etc/0ad.profile | 4 ++-- etc/atom-beta.profile | 7 ++++--- etc/atom.profile | 6 ++++-- etc/atril.profile | 1 + etc/audacity.profile | 2 ++ etc/aweather.profile | 3 ++- etc/dosbox.profile | 21 +++++++++++++++++++++ etc/eom.profile | 1 + etc/gitter.profile | 4 +++- etc/gthumb.profile | 1 - etc/libreoffice.profile | 3 +-- etc/palemoon.profile | 1 + etc/pidgin.profile | 1 + etc/qtox.profile | 1 + etc/rhythmbox.profile | 1 + etc/stellarium.profile | 2 +- etc/transmission-gtk.profile | 2 +- etc/vlc.profile | 2 ++ etc/warzone2100.profile | 1 + etc/xplayer.profile | 1 + etc/xreader.profile | 1 + etc/xviewer.profile | 3 ++- 22 files changed, 54 insertions(+), 15 deletions(-) create mode 100644 etc/dosbox.profile (limited to 'etc/gthumb.profile') diff --git a/etc/0ad.profile b/etc/0ad.profile index 217cdeee0..1e7c06879 100644 --- a/etc/0ad.profile +++ b/etc/0ad.profile @@ -19,8 +19,8 @@ whitelist ~/.local/share/0ad caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot protocol unix,inet,inet6 seccomp @@ -28,4 +28,4 @@ shell none tracelog private-dev - +private-tmp diff --git a/etc/atom-beta.profile b/etc/atom-beta.profile index 3c753e86c..9a8d93875 100644 --- a/etc/atom-beta.profile +++ b/etc/atom-beta.profile @@ -1,4 +1,4 @@ -# Firjail profile for Atom Beta. +# Firejail profile for Atom Beta. noblacklist ~/.atom noblacklist ~/.config/Atom @@ -11,9 +11,10 @@ netfilter nonewprivs nogroups noroot +nosound +protocol unix,inet,inet6,netlink seccomp shell none private-dev -nosound - +private-tmp diff --git a/etc/atom.profile b/etc/atom.profile index 8304cd379..3cb86847e 100644 --- a/etc/atom.profile +++ b/etc/atom.profile @@ -1,4 +1,4 @@ -# Firjail profile for Atom. +# Firejail profile for Atom. noblacklist ~/.atom noblacklist ~/.config/Atom 
@@ -11,8 +11,10 @@ netfilter
 nonewprivs
 nogroups
 noroot
+nosound
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 
 private-dev
-nosound
+private-tmp
diff --git a/etc/atril.profile b/etc/atril.profile
index bfe731bec..d9e10b072 100644
--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -18,3 +18,4 @@ tracelog
 
 private-bin atril, atril-previewer, atril-thumbnailer
 private-dev
+private-tmp
diff --git a/etc/audacity.profile b/etc/audacity.profile
index 162201cb8..be3fac9be 100644
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -7,6 +7,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+netfilter
 nonewprivs
 nogroups
 noroot
@@ -17,3 +18,4 @@ tracelog
 
 private-bin audacity
 private-dev
+private-tmp
diff --git a/etc/aweather.profile b/etc/aweather.profile
index da93e8ba3..4e5c36f50 100644
--- a/etc/aweather.profile
+++ b/etc/aweather.profile
@@ -15,10 +15,11 @@ nonewprivs
 nogroups
 noroot
 nosound
-protocol unix,inet,inet6,netlink
+protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
 
 private-bin aweather
 private-dev
+private-tmp
diff --git a/etc/dosbox.profile b/etc/dosbox.profile
new file mode 100644
index 000000000..45fbb712a
--- /dev/null
+++ b/etc/dosbox.profile
@@ -0,0 +1,21 @@
+# Firejail profile for dosbox
+noblacklist ~/.dosbox
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin dosbox
+private-dev
+private-tmp
diff --git a/etc/eom.profile b/etc/eom.profile
index 81d993e96..dfcea82c1 100644
--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -18,3 +18,4 @@ tracelog
 
 private-bin eom
 private-dev
+private-tmp
diff --git a/etc/gitter.profile b/etc/gitter.profile
index 2882c59a6..f43f5f199 100644
--- a/etc/gitter.profile
+++ b/etc/gitter.profile
@@ -7,12 +7,14 @@ include /etc/firejail/disable-devel.inc
 
 caps.drop all
 netfilter
-nonewprivs
 nogroups
+nonewprivs
 noroot
+nosound
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
 
 private-bin gitter
 private-dev
+private-tmp
diff --git a/etc/gthumb.profile b/etc/gthumb.profile
index e043c7229..3ffd10add 100644
--- a/etc/gthumb.profile
+++ b/etc/gthumb.profile
@@ -19,4 +19,3 @@ tracelog
 private-bin gthumb
 whitelist /tmp/.X11-unix
 private-dev
-private-tmp
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index 77a00ebef..75a52e9ff 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -7,6 +7,7 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
@@ -15,5 +16,3 @@ tracelog
 
 private-dev
 whitelist /tmp/.X11-unix/
-nosound
-
diff --git a/etc/palemoon.profile b/etc/palemoon.profile
index acedaebb7..71deec6bc 100644
--- a/etc/palemoon.profile
+++ b/etc/palemoon.profile
@@ -23,6 +23,7 @@ shell none
 tracelog
 
 private-bin palemoon
+private-tmp
 
 # These are uncommented in the Firefox profile. If you run into trouble you may
 # want to uncomment (some of) them.
diff --git a/etc/pidgin.profile b/etc/pidgin.profile
index 3df2cafa6..47be2b6ea 100644
--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -18,3 +18,4 @@ tracelog
 
 private-bin pidgin
 private-dev
+private-tmp
diff --git a/etc/qtox.profile b/etc/qtox.profile
index 0cac18573..927487037 100644
--- a/etc/qtox.profile
+++ b/etc/qtox.profile
@@ -20,3 +20,4 @@ shell none
 tracelog
 
 private-bin qtox
+private-tmp
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index 9f087ea1d..0e8527ae7 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -16,3 +16,4 @@ tracelog
 
 private-bin rhythmbox
 private-dev
+private-tmp
diff --git a/etc/stellarium.profile b/etc/stellarium.profile
index adefa75ff..d57c9e5f7 100644
--- a/etc/stellarium.profile
+++ b/etc/stellarium.profile
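Review bot: Dropping `private-tmp` from gthumb.profile re-exposes the host /tmp to the sandbox, and nothing in the hunk records why; the surviving `whitelist /tmp/.X11-unix` line suggests the private tmpfs was hiding the X11 socket, but that is an inference from the context lines, not something the commit states. A one-line comment above `private-dev`, such as `# private-tmp disabled: it hides /tmp/.X11-unix and breaks display access`, would stop the option being re-added without re-testing. The libreoffice.profile hunk in the same commit removes `nosound` without a note, which likewise widens the sandbox; if that is intentional, the same kind of comment belongs there.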
@@ -25,4 +25,4 @@ tracelog
 
 private-bin stellarium
 private-dev
-
+private-tmp
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index fa5c3b22b..0cfa4fcfc 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -14,9 +14,9 @@ noroot
 nosound
 protocol unix,inet,inet6
 seccomp
+shell none
 tracelog
-shell none
 
 private-bin transmission-gtk
 whitelist /tmp/.X11-unix
 private-dev
diff --git a/etc/vlc.profile b/etc/vlc.profile
index c82247dd2..cdd098dd5 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -17,3 +17,5 @@ shell none
 tracelog
 
 private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
+private-dev
+private-tmp
diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile
index ff37e2800..7c7efade8 100644
--- a/etc/warzone2100.profile
+++ b/etc/warzone2100.profile
@@ -23,3 +23,4 @@ tracelog
 
 private-bin warzone2100
 private-dev
+private-tmp
diff --git a/etc/xplayer.profile b/etc/xplayer.profile
index a46b2fa06..54d5ed89b 100644
--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -19,3 +19,4 @@ tracelog
 
 private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
 private-dev
+private-tmp
diff --git a/etc/xreader.profile b/etc/xreader.profile
index ac7d34022..d2a000bd0 100644
--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -20,3 +20,4 @@ tracelog
 
 private-bin xreader, xreader-previewer, xreader-thumbnailer
 private-dev
+private-tmp
diff --git a/etc/xviewer.profile b/etc/xviewer.profile
index 7a4ae4858..cbb59d16e 100644
--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -6,8 +6,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-nonewprivs
 nogroups
+nonewprivs
 noroot
 nosound
 protocol unix
@@ -17,3 +17,4 @@ tracelog
 
 private-dev
 private-bin xviewer
+private-tmp
-- cgit v1.2.3-70-g09d2 From 7165f68e3430ccce0bfa0618200310db19e69d30 Mon Sep 17 00:00:00 2001
From: valoq Date: Thu, 3 Nov 2016 23:51:36 +0100 Subject: private-tmp changes
--- etc/deluge.profile | 3 +-- etc/evince.profile | 4 ++++ etc/fbreader.profile | 3 +-- etc/feh.profile | 2 +- etc/filezilla.profile | 3 +-- etc/firefox.profile | 6 +++++- etc/gthumb.profile | 2 +- etc/mupdf.profile | 4 ++++ etc/pix.profile | 2 +- etc/qbittorrent.profile | 3 +-- etc/rtorrent.profile | 2 +- etc/transmission-gtk.profile | 3 +-- etc/transmission-qt.profile | 3 +-- etc/uget-gtk.profile | 2 +- etc/wesnoth.profile | 3 +-- etc/zathura.profile | 3 ++- src/man/firejail-profile.txt | 2 +- src/man/firejail.txt | 2 +- 18 files changed, 29 insertions(+), 23 deletions(-) (limited to 'etc/gthumb.profile')
diff --git a/etc/deluge.profile b/etc/deluge.profile
index 8fde9acf9..b82bd4936 100644
--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -15,7 +15,6 @@ seccomp
 shell none
 
 private-bin deluge,sh,python,uname
-whitelist /tmp/.X11-unix
 private-dev
-nosound
+private-tmp
diff --git a/etc/evince.profile b/etc/evince.profile
index 894c7c70d..9a9113c70 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -5,6 +5,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+netfilter
+net none
 nogroups
 nonewprivs
 noroot
@@ -16,3 +18,5 @@ tracelog
 
 private-bin evince,evince-previewer,evince-thumbnailer
 private-dev
+private-etc fonts
+private-tmp
\ No newline at end of file
diff --git a/etc/fbreader.profile b/etc/fbreader.profile
index de31ce8de..ec098d5fe 100644
--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -16,6 +16,5 @@ seccomp
 shell none
 
 private-bin fbreader,FBReader
-whitelist /tmp/.X11-unix
 private-dev
-nosound
+private-tmp
diff --git a/etc/feh.profile b/etc/feh.profile
index e3b1ec528..2812effc9 100644
--- a/etc/feh.profile
+++ b/etc/feh.profile
@@ -16,6 +16,6 @@ seccomp
 shell none
 
 private-bin feh
-whitelist /tmp/.X11-unix
 private-dev
 private-etc feh
+private-tmp
\ No newline at end of file
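Review bot: Besides the whitelist-to-private-tmp swap named in the subject, the deluge.profile hunk also removes `nosound`, which hands the sandbox its access to the sound devices back; the fbreader.profile hunk further down this chunk does the same. Neither the commit message nor the profiles say why, so the two deletions read as accidental loosening rather than a deliberate trade-off. If they are intended, a short comment in each profile (for example `# nosound removed: <reason>`) would record it; otherwise keep `nosound` and let the hunks change only the /tmp handling.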
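Review bot: evince.profile now gains both `netfilter` and `net none` in the same hunk; with `net none` the sandbox has no network interfaces, so the client filter that `netfilter` installs has no traffic to act on — in my reading of the two options, worth confirming against the current manual. Keeping only `net none` states the intent unambiguously, and if networking is ever re-enabled the filter can then be added back deliberately instead of silently taking effect. The mupdf.profile hunk in the next chunk and the zathura.profile hunk add `net none` beneath an existing `netfilter` line in the same way, so the same comment applies there.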
diff --git a/etc/filezilla.profile b/etc/filezilla.profile
index fe1d9d20d..a40fceec1 100644
--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -17,5 +17,4 @@ shell none
 
 private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp
 private-dev
-
-whitelist /tmp/.X11-unix
+private-tmp
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 170d0fe10..7875ca6b9 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -47,4 +47,8 @@ whitelist ~/.config/pipelight-silverlight5.1
 include /etc/firejail/whitelist-common.inc
 
 # experimental features
-#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+
+private-bin firefox,which,sh,dbus-launch,dbus-send,env
+private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
+private-dev
+private-tmp
diff --git a/etc/gthumb.profile b/etc/gthumb.profile
index 3ffd10add..055d78935 100644
--- a/etc/gthumb.profile
+++ b/etc/gthumb.profile
@@ -17,5 +17,5 @@ shell none
 tracelog
 
 private-bin gthumb
-whitelist /tmp/.X11-unix
 private-dev
+private-tmp
\ No newline at end of file
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index d1a157c3c..65e6a8978 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
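Review bot: In firefox.profile the `# experimental features` heading is kept, but the line it labelled is gone and it now sits over a blank line and the new, active `private-bin`/`private-etc`/`private-dev`/`private-tmp` block, so a reader cannot tell whether those four options are still considered experimental or the heading is a leftover. Either delete the heading or reword it to match the new state, e.g. `# private-* hardening (previously experimental)`. The `private-etc` list also differs from the old commented one — `xdg`, `gtk-3.0` and `X11` were added while `iceweasel` and `adobe` were dropped — and a brief comment on what needed the new entries would help, since private-etc is the line most likely to be trimmed again later.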
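Review bot: The new final line `+private-tmp` in gthumb.profile is written without a trailing newline (`\ No newline at end of file`), and the same additions to evince, feh, pix and rtorrent in this commit end the same way. A profile whose last line lacks a newline produces a noisy diff the next time anything is appended and is handled inconsistently by line-oriented tools; terminating each of these files with a newline after `private-tmp` avoids both without changing the profile's meaning.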
@@ -12,12 +12,16 @@ nosound
 protocol unix
 seccomp
 netfilter
+net none
 shell none
 tracelog
 
+seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
+
 private-bin mupdf
 private-tmp
 private-dev
+private-etc fonts
 
 # mupdf will never write anything
 read-only ${HOME}
diff --git a/etc/pix.profile b/etc/pix.profile
index e21ddadc6..dc8192b01 100644
--- a/etc/pix.profile
+++ b/etc/pix.profile
@@ -18,5 +18,5 @@ shell none
 tracelog
 
 private-bin pix
-whitelist /tmp/.X11-unix
 private-dev
+private-tmp
\ No newline at end of file
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index 67829c9ca..89e0e4c78 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -16,5 +16,4 @@ seccomp
 #shell none
 #private-bin qbittorrent
 private-dev
-
-whitelist /tmp/.X11-unix
+private-tmp
diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile
index 1226a51cd..55bfcd77f 100644
--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@@ -14,5 +14,5 @@ seccomp
 shell none
 
 private-bin rtorrent
-whitelist /tmp/.X11-unix
 private-dev
+private-tmp
\ No newline at end of file
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index 316cdfec6..fa54ea81b 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -19,5 +19,4 @@ tracelog
 
 private-bin transmission-gtk
 private-dev
-
-whitelist /tmp/.X11-unix
+private-tmp
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index 51c58e224..100fadc27 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
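Review bot: mupdf.profile now carries both the existing bare `seccomp` line and the new `seccomp.keep` whitelist, and the hunk does not say which filter is meant to be in force; as I recall firejail's handling, a keep list replaces the default drop filter rather than being combined with it, which would make the `seccomp` line dead text — worth confirming and then deleting whichever one is not intended. The long `seccomp.keep` list also has no comment on how it was obtained or how far mupdf was exercised when it was recorded, so a maintainer cannot tell whether a later breakage is a missing syscall or a real problem; a one-line note such as `# syscall whitelist recorded from a typical mupdf session — re-check after mupdf or toolkit upgrades` would make it maintainable. The mupdf.profile hunk starts inside the file, so earlier directives are outside this view.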
@@ -19,5 +19,4 @@ tracelog
 
 private-bin transmission-qt
 private-dev
-
-whitelist /tmp/.X11-unix
+private-tmp
diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile
index f42e6c69a..3ba28f772 100644
--- a/etc/uget-gtk.profile
+++ b/etc/uget-gtk.profile
@@ -16,8 +16,8 @@ shell none
 
 private-bin uget-gtk
 private-dev
+private-tmp
 
-whitelist /tmp/.X11-unix
 whitelist ${DOWNLOADS}
 mkdir ~/.config/uGet
 whitelist ~/.config/uGet
diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile
index 2ddb59d11..bb489ddeb 100644
--- a/etc/wesnoth.profile
+++ b/etc/wesnoth.profile
@@ -15,8 +15,7 @@ protocol unix,inet,inet6
 seccomp
 
 private-dev
-
-whitelist /tmp/.X11-unix
+private-tmp
 
 mkdir ${HOME}/.local/share/wesnoth
 mkdir ${HOME}/.config/wesnoth
diff --git a/etc/zathura.profile b/etc/zathura.profile
index 99a8ea90d..6c93a2480 100644
--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -8,6 +8,7 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+net none
 nogroups
 nonewprivs
 noroot
@@ -19,7 +20,7 @@ protocol unix
 
 private-bin zathura
 private-dev
 private-etc fonts
-whitelist /tmp/.X11-unix
+private-tmp
 read-only ~/
 read-write ~/.local/share/zathura/
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 09dc46bbc..d6113218c 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -200,7 +200,7 @@ filesystem, and copy the files and directories in the list.
 All modifications are discarded when the sandbox is closed.
 .TP
 \fBprivate-tmp
-Mount an empty temporary filesystem on top of /tmp directory.
+Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
 .TP
 \fBread-only file_or_directory
 Make directory or file read-only.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 666a6a8ef..74e8ef4fe 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1180,7 +1180,7 @@ nsswitch.conf,passwd,resolv.conf
 .TP
 \fB\-\-private-tmp
-Mount an empty temporary filesystem on top of /tmp directory.
+Mount an empty filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
 .br
 .br
-- cgit v1.2.3-70-g09d2