From 33d538bbe551580d771a30417f3c103394ee9a4b Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Fri, 27 Jan 2023 19:38:54 -0300
Subject: mutt.profile: add ~/.mutthistory
From the manual of mutt 2.2.9: > 3.125. history_file > > Type: path > Default: "~/.mutthistory" > > The file in which Mutt will save its history.
---
 etc/profile-m-z/mutt.profile | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'etc/profile-m-z')
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile
index 52d30669f..a26a25573 100644
--- a/etc/profile-m-z/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -23,6 +23,7 @@ noblacklist ${HOME}/.mail
 noblacklist ${HOME}/.mailcap
 noblacklist ${HOME}/.msmtprc
 noblacklist ${HOME}/.mutt
+noblacklist ${HOME}/.mutthistory
 noblacklist ${HOME}/.muttrc
 noblacklist ${HOME}/.nanorc
 noblacklist ${HOME}/.signature
@@ -89,6 +90,7 @@ whitelist ${HOME}/.mail
 whitelist ${HOME}/.mailcap
 whitelist ${HOME}/.msmtprc
 whitelist ${HOME}/.mutt
+whitelist ${HOME}/.mutthistory
 whitelist ${HOME}/.muttrc
 whitelist ${HOME}/.nanorc
 whitelist ${HOME}/.signature
-- cgit v1.2.3-54-g00ecf
From 3d82b71a48c8e5013c4aeed3cd00c7979060c298 Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Fri, 27 Jan 2023 18:35:15 -0300
Subject: mutt.profile: stop creating editor/browser paths
To reduce the amount of spam created in the user home directory. It's unlikely that these paths are going to be both: * Created only after mutt is first opened through firejail and * Created from within mutt Also, no other profile does that: $ git grep -El '(mkdir|mkfile) \$\{HOME\}/\.(emacs|nano|vim)' -- etc etc/profile-m-z/mutt.profile So just whitelist them if they already exist. Added on commit a8a8e33bc ("Add whitelisting to mutt; improve geary, new profile for neomutt", 2020-12-28) / PR #3849.
---
 etc/profile-m-z/mutt.profile | 9 ---------
 1 file changed, 9 deletions(-)
(limited to 'etc/profile-m-z')
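Review bot: Both hunks whitelist ${HOME}/.mutthistory but neither adds a matching `mkfile ${HOME}/.mutthistory`, although this profile keeps mkfile entries for mutt's own files such as ~/.muttrc (visible in the later hunks of this series). As the follow-up commit message in this series itself notes, whitelisting only applies to paths that already exist, so on a first run where mutt has not yet written its history file the entry is presumably skipped and the history mutt then writes lands in the sandbox's private home rather than the real one. Since the history file belongs to mutt rather than to another program, it fits the mkfile set that the later commits keep; consider `mkfile ${HOME}/.mutthistory` next to `mkfile ${HOME}/.muttrc`.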
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile
index a26a25573..7e1849079 100644
--- a/etc/profile-m-z/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -55,26 +55,17 @@ mkdir ${HOME}/.Mail
 mkdir ${HOME}/.bogofilter
 mkdir ${HOME}/.cache/mutt
 mkdir ${HOME}/.config/mutt
-mkdir ${HOME}/.config/nano
-mkdir ${HOME}/.elinks
-mkdir ${HOME}/.emacs.d
 mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.mail
 mkdir ${HOME}/.mutt
-mkdir ${HOME}/.vim
-mkdir ${HOME}/.w3m
 mkdir ${HOME}/Mail
 mkdir ${HOME}/mail
 mkdir ${HOME}/postponed
 mkdir ${HOME}/sent
-mkfile ${HOME}/.emacs
 mkfile ${HOME}/.mailcap
 mkfile ${HOME}/.msmtprc
 mkfile ${HOME}/.muttrc
-mkfile ${HOME}/.nanorc
 mkfile ${HOME}/.signature
-mkfile ${HOME}/.viminfo
-mkfile ${HOME}/.vimrc
 whitelist ${DOCUMENTS}
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.Mail
-- cgit v1.2.3-54-g00ecf
From 4a3e0d8789edd0cfd26c66f5ba85138e7fea06e7 Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Fri, 27 Jan 2023 19:45:03 -0300
Subject: mutt.profile: stop creating config files for other programs
Let either the respective program or the user create the file. * ~/.bogofilter: Used by the bogofilter program * ~/.msmtprc: Used by the msmtp program Added on commit a8a8e33bc ("Add whitelisting to mutt; improve geary, new profile for neomutt", 2020-12-28) / PR #3849.
---
 etc/profile-m-z/mutt.profile | 2 --
 1 file changed, 2 deletions(-)
(limited to 'etc/profile-m-z')
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile
index 7e1849079..bce56743a 100644
--- a/etc/profile-m-z/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -52,7 +52,6 @@ include disable-programs.inc
 include disable-xdg.inc
 mkdir ${HOME}/.Mail
-mkdir ${HOME}/.bogofilter
 mkdir ${HOME}/.cache/mutt
 mkdir ${HOME}/.config/mutt
 mkdir ${HOME}/.gnupg
@@ -63,7 +62,6 @@ mkdir ${HOME}/mail
 mkdir ${HOME}/postponed
 mkdir ${HOME}/sent
 mkfile ${HOME}/.mailcap
-mkfile ${HOME}/.msmtprc
 mkfile ${HOME}/.muttrc
 mkfile ${HOME}/.signature
 whitelist ${DOCUMENTS}
-- cgit v1.2.3-54-g00ecf
From 5d5f554ab133bb56d22a58000d58e5a957ee37c5 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Mon, 30 Jan 2023 08:14:13 -0500
Subject: private-etc: moved group names to @group syntax; GUI group renamed as @x11 group; added nvidia and X11 directories to @x11 group.
---
 README.md | 25 ++++++++++++-------------
 etc/profile-a-l/curl.profile | 2 +-
 etc/profile-a-l/firefox-common.profile | 2 +-
 etc/profile-a-l/gimp.profile | 2 +-
 etc/profile-a-l/inkscape.profile | 2 +-
 etc/profile-m-z/warzone2100.profile | 2 +-
 src/firejail/fs_etc.c | 12 ++++++------
 src/include/etc_groups.h | 16 +++++++++-------
 src/man/firejail.txt | 18 +++++++++---------
 9 files changed, 41 insertions(+), 40 deletions(-)
(limited to 'etc/profile-m-z')
diff --git a/README.md b/README.md
index f261da2a3..7d1c88c65 100644
--- a/README.md
+++ b/README.md
@@ -184,7 +184,7 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 ### private-etc rework
 `````
- --private-etc, --private-etc=file,directory
+ --private-etc, --private-etc=file,directory,@group
 The files installed by --private-etc are copies of the original system files from /etc directory. By default, the command brings in a skeleton of files and directories used by most con‐
@@ -192,24 +192,23 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 $ firejail --private-etc dig debian.org
- For X11/GTK/QT/Gnome/KDE programs add GUI group as a parameter.
- Example:
+ For X11/GTK/QT/Gnome/KDE programs add @x11 group as a parame‐
+ ter. Example:
- $ firejail --private-etc=GUI,python* gimp
+ $ firejail --private-etc=@x11,gcrypt,python* gimp
- /etc/python* directories are not part of the generic GUI group.
- These directories are reuqired by Gimp plugin system. File glob‐
- bing is supported.
+ gcrypt and /etc/python* directories are not part of the generic
+ @x11 group. File globbing is supported.
- For games, add GAMES group:
+ For games, add @games group:
- $ firejail --private-etc=GUI,GAMES warzone2100
+ $ firejail --private-etc=@games,@x11 warzone2100
- Sound and networking files are included automatically, unless
- --nosound or --net=none are specified. Files for encrypted
- TLS/SSL protocol are in TLS-CA group.
+ Sound and networking files are included automatically, unless
+ --nosound or --net=none are specified. Files for encrypted
+ TLS/SSL protocol are in @tls-ca group.
- $ firejail --private-etc=TLS-CA,wgetrc wget https://debian.org
+ $ firejail --private-etc=@tls-ca,wgetrc wget https://debian.org
 Note: The easiest way to extract the list of /etc files accessed by your program is using strace utility:
diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile
index 88b29cfbd..bfe8764d5 100644
--- a/etc/profile-a-l/curl.profile
+++ b/etc/profile-a-l/curl.profile
@@ -54,7 +54,7 @@ tracelog
 private-cache
 private-dev
 # private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
-private-etc TLS-CA
+private-etc @tls-ca
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index 3365c0829..57c9b5dfb 100644
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -60,7 +60,7 @@ disable-mnt
 # private-etc below works fine on most distributions. There are some problems on CentOS.
 # Add it to your firefox-common.local if you want to enable it.
 #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
-private-etc GUI,mailcap,mime.types,NETWORK,os-release,TLS-CA
+private-etc @tls-ca,@x11,mailcap,mime.types,os-release
 private-tmp
 blacklist ${PATH}/curl
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile
index d9515c867..f29929a72 100644
--- a/etc/profile-a-l/gimp.profile
+++ b/etc/profile-a-l/gimp.profile
@@ -59,7 +59,7 @@ seccomp !mbind
 tracelog
 private-dev
-private-etc gcrypt,GUI,python*
+private-etc @x11,gcrypt,python*
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/inkscape.profile b/etc/profile-a-l/inkscape.profile
index 1e75781ab..abe75f2ae 100644
--- a/etc/profile-a-l/inkscape.profile
+++ b/etc/profile-a-l/inkscape.profile
@@ -54,7 +54,7 @@ tracelog
 # private-bin inkscape,potrace,python* - problems on Debian stretch
 private-cache
 private-dev
-private-etc ImageMagick*,inkscape: GUI,python*
+private-etc @x11,ImageMagick*,python*
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/warzone2100.profile b/etc/profile-m-z/warzone2100.profile
index 6000bd98f..b0eea4380 100644
--- a/etc/profile-m-z/warzone2100.profile
+++ b/etc/profile-m-z/warzone2100.profile
@@ -46,7 +46,7 @@ tracelog
 disable-mnt
 private-bin bash,dash,sh,warzone2100,which
 private-dev
-private-etc GAMES,GUI
+private-etc @games,@x11
 private-tmp
 restrict-namespaces
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index ad5e8585d..83f140d80 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
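Review bot: The rewritten firefox-common.profile line drops the NETWORK group as part of what is otherwise a rename, and neither the commit title nor the hunk explains it; the README and man text in this same commit say network files are included automatically unless --net=none is given, so this is presumably redundant rather than a regression, but it is a behaviour change hidden inside a rename. A profile comment such as `# @network is added automatically unless --net=none is used` on the line above would keep that auditable. The inkscape.profile hunk on this same line similarly drops the old `inkscape:` entry (which looks malformed) without comment; if /etc/inkscape is never needed, saying so in the commit message would stop the question being re-asked.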
@@ -77,15 +77,15 @@ char *fs_etc_build(char *str) {
 char* ptr = strtok(str, ",");
 while (ptr) {
 // look for standard groups
- if (strcmp(ptr, "TLS-CA") == 0)
+ if (strcmp(ptr, "@tls-ca") == 0)
 etc_copy_group(&etc_group_tls_ca[0]);
- if (strcmp(ptr, "GUI") == 0)
- etc_copy_group(&etc_group_gui[0]);
- if (strcmp(ptr, "SOUND") == 0)
+ if (strcmp(ptr, "@x11") == 0)
+ etc_copy_group(&etc_group_x11[0]);
+ if (strcmp(ptr, "@sound") == 0)
 etc_copy_group(&etc_group_sound[0]);
- if (strcmp(ptr, "NETWORK") == 0)
+ if (strcmp(ptr, "@network") == 0)
 etc_copy_group(&etc_group_network[0]);
- if (strcmp(ptr, "GAMES") == 0)
+ if (strcmp(ptr, "@games") == 0)
 etc_copy_group(&etc_group_games[0]);
 else
 etc_add(ptr);
diff --git a/src/include/etc_groups.h b/src/include/etc_groups.h
index 421837fbb..fcb824778 100644
--- a/src/include/etc_groups.h
+++ b/src/include/etc_groups.h
@@ -23,7 +23,7 @@
 #define ETC_MAX 256
-// DEFAULT
+// @default
 static char *etc_list[ETC_MAX + 1] = { // plus 1 for ending NULL pointer
 "alternatives",
 "fonts",
@@ -42,7 +42,7 @@ static char *etc_list[ETC_MAX + 1] = { // plus 1 for ending NULL pointer
 NULL
 };
-// SOUND
+// @sound
 static char *etc_group_sound[] = {
 "alsa",
 "asound.conf",
@@ -51,7 +51,7 @@ static char *etc_group_sound[] = {
 NULL
 };
-// NETWORK
+// @network
 static char*etc_group_network[] = {
 "hostname",
 "hosts",
@@ -60,7 +60,7 @@ static char*etc_group_network[] = {
 NULL
 };
-// TLS-CA
+// @tls-ca
 static char *etc_group_tls_ca[] = {
 "ca-certificates",
 "crypto-policies",
@@ -70,8 +70,8 @@ static char *etc_group_tls_ca[] = {
 NULL
 };
-// GUI
-static char *etc_group_gui[] = {
+// @x11
+static char *etc_group_x11[] = {
 "xdg",
 "drirc",
 "dconf",
@@ -80,10 +80,12 @@ static char *etc_group_gui[] = {
 "kde4rc",
 "kde5rc",
 "pango", // text rendering/internationalization
+ "nvidia",
+ "X11",
 NULL
 };
-// GAMES
+// @games
 static char *etc_group_games[] = {
 "timidity", // MIDI
 "timidity.cfg",
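Review bot: The group checks in the new code are still five independent `if` statements with a single `else` attached only to the last one, so a recognised group such as `@tls-ca` copies its group and then also reaches `etc_add("@tls-ca")` because it does not equal `@games`; only `@games` escapes the double handling. For the same reason a mistyped group (`@X11`, `@gui`) is silently handed to etc_add as if it were a file name instead of being rejected, which defeats the point of the new `@` prefix. What etc_add does with a literal `@`-name is outside this hunk, but either way the chain should be an else-if ladder with an explicit branch for unknown `@` names, as sketched below (error reporting should follow the file's existing convention). fs_etc_build starts before and continues after this hunk.
```c
	while (ptr) {
		// look for standard groups; a token starting with '@' must name one of them
		if (strcmp(ptr, "@tls-ca") == 0)
			etc_copy_group(&etc_group_tls_ca[0]);
		else if (strcmp(ptr, "@x11") == 0)
			etc_copy_group(&etc_group_x11[0]);
		else if (strcmp(ptr, "@sound") == 0)
			etc_copy_group(&etc_group_sound[0]);
		else if (strcmp(ptr, "@network") == 0)
			etc_copy_group(&etc_group_network[0]);
		else if (strcmp(ptr, "@games") == 0)
			etc_copy_group(&etc_group_games[0]);
		else if (ptr[0] == '@') {
			// unknown group: refuse rather than treat "@name" as an /etc entry
			fprintf(stderr, "Error: unknown private-etc group %s\n", ptr);
			exit(1);
		}
		else
			etc_add(ptr);
		// … unchanged: advance ptr with strtok and close the loop …
```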
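Review bot: The two entries added to the @x11 list, `"nvidia"` and `"X11"`, carry no trailing comment, unlike `"pango", // text rendering/internationalization` directly above them, and the commit title is the only place that records that they are directories rather than single files. Every name in a group is presumably copied into each sandbox that requests the group, so a one-line reason per entry helps later reviewers judge whether @x11 is growing beyond what X11 programs need; suggest `"nvidia", // directory: proprietary driver configuration` and `"X11", // directory: X server configuration`. The other etc_groups.h hunks on this line are comment-only renames and need nothing.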
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index e60c139a5..a088d971a 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2127,27 +2127,27 @@ cdrom cdrw dri dvd dvdrw full log null ptmx pts random shm snd sr0
 .br
 $
 .TP
-\fB\-\-private-etc, \-\-private-etc=file,directory
+\fB\-\-private-etc, \-\-private-etc=file,directory,@group
 The files installed by \-\-private-etc are copies of the original system files from /etc directory. By default, the command brings in a skeleton of files and directories used by most console tools:
 $ firejail --private-etc dig debian.org
-For X11/GTK/QT/Gnome/KDE programs add GUI group as a parameter. Example:
+For X11/GTK/QT/Gnome/KDE programs add @x11 group as a parameter. Example:
-$ firejail --private-etc=GUI,python* gimp
+$ firejail --private-etc=@x11,gcrypt,python* gimp
-/etc/python* directories are not part of the generic GUI group.
-These directories are reuqired by Gimp plugin system. File globbing is supported.
+gcrypt and /etc/python* directories are not part of the generic @x11 group.
+File globbing is supported.
-For games, add GAMES group:
+For games, add @games group:
-$ firejail --private-etc=GUI,GAMES warzone2100
+$ firejail --private-etc=@games,@x11 warzone2100
 Sound and networking files are included automatically, unless \-\-nosound or \-\-net=none are specified.
-Files for encrypted TLS/SSL protocol are in TLS-CA group.
+Files for encrypted TLS/SSL protocol are in @tls-ca group.
-$ firejail --private-etc=TLS-CA,wgetrc wget https://debian.org
+$ firejail --private-etc=@tls-ca,wgetrc wget https://debian.org
 Note: The easiest way to extract the list of /etc files accessed by your program is using strace utility:
-- cgit v1.2.3-54-g00ecf