From 20fbc19e57da1c409b139ffb1b211ceb5f8c6050 Mon Sep 17 00:00:00 2001 
From: Vladimir Schowalter
Date: Sun, 6 Aug 2017 22:42:24 +0100
Subject: various profile fixes (#1433)

* calibre: add netlink protocol (FB note: removed before merge)

calibre started without the netlink protocol throws the following error in the console:

Exception in thread Thread-8:
Traceback (most recent call last):
  File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
    self.run()
  File "/usr/lib/calibre/calibre/utils/mdns.py", line 43, in run
    _all_ip_addresses = self.get_all_ips()
  File "/usr/lib/calibre/calibre/utils/mdns.py", line 27, in get_all_ips
    for x in netifaces.interfaces():
OSError: [Errno 95] Operation not supported

* mpv: add nogroups, tracelog, ipc-namespace, private-dev

I tested all the above options and didn't notice any breakage.

* qbittorrent: add netlink protocol, private-etc

The netlink protocol is needed if the user selects to bind a specific network interface in the config. Otherwise it throws an error in the qbittorrent log:

The network interface defined is invalid: tun0

An example private-etc is added but commented out by default. It's tested, but as there are many different system configurations, users should enable it manually.

* vlc: disable memory-deny-write-execute

With memory-deny-write-execute vlc freezes after loading a video file. According to https://github.com/VladimirSchowalter20/firejail/commit/b18f42ab0236de7eed5888f43ba36cdaf990cbca memory-deny-write-execute is similar to the PaX mprotect feature, and the linked GitHub project explicitly disables that feature for the vlc binary, see https://github.com/copperhead/paxd-archive/commit/deb39e0b91996e2e9c7917b3543030880cd476f4

* Update vlc.profile

* wine: add nogroups

nogroups should be a safe addition for wine.

* wireshark: allow users to run wireshark as non-root

Wireshark can be run unprivileged when the user is part of the wireshark group. Unfortunately, enabling nogroups, nonewprivs and seccomp will break it with permission errors. Also added an example private-etc option, which is commented out by default for now.

* cosmetic fix

* mpv: comment out ipc-namespace for now

As requested in review https://github.com/netblue30/firejail/pull/1433#discussion_r131550515

* calibre: disable netlink protocol

It throws an error, but actual breakage isn't observed for now.
---
 etc/wireshark.profile | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

(limited to 'etc/wireshark.profile')

diff --git a/etc/wireshark.profile b/etc/wireshark.profile index 98a4f3a9d..d5f3b8c4b 100644 --- a/etc/wireshark.profile +++ b/etc/wireshark.profile @@ -23,14 +23,15 @@ include /etc/firejail/disable-passwdmgr.inc #ipc-namespace netfilter no3d -nogroups -nonewprivs +# nogroups - breaks unprivileged wireshark usage +# nonewprivs - breaks unprivileged wireshark usage nosound -seccomp +# seccomp - breaks unprivileged wireshark usage shell none tracelog #private-bin wireshark +# private-etc fonts,group,hosts,machine-id,passwd private-dev private-tmp
-- 
cgit v1.2.3-54-g00ecf
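Review bot: the three new comment lines (`# nogroups - breaks unprivileged wireshark usage` and the identical text for nonewprivs and seccomp) record only the symptom, so nothing in the profile tells a later maintainer why re-enabling any of them is unsafe or when it would be acceptable. State the mechanism in each comment: nogroups drops supplementary groups, so inside the sandbox the user is no longer in the wireshark group that the commit message says unprivileged use depends on; nonewprivs sets NO_NEW_PRIVS, under which the kernel ignores setuid/setgid bits and file capabilities on execve, so whatever that group-based scheme uses to grant capture privilege at exec time cannot take effect; and a seccomp filter installed from an unprivileged context requires NO_NEW_PRIVS, which is why seccomp carries the same restriction. A one-line note that users who do not need unprivileged capture can re-enable all three would also help. Two smaller points: the commented `# private-etc fonts,group,hosts,machine-id,passwd` line omits resolv.conf, so DNS-based name resolution inside the sandbox will break on most systems once a user uncomments it, and the hunk now mixes the `#ipc-namespace` / `#private-bin wireshark` style with `# nogroups - ...` / `# private-etc ...`; pick one commented-out style for the file.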