From 7a37dc31ab907d55eb88f2fa259f37046952a0c5 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Wed, 28 Mar 2018 01:20:21 +0200
Subject: recalibrate dbus access, deploy nodbus option
see #1822 and #1825. also systematically replaces 'blacklist /run/user/*/bus' with 'nodbus'. with contributions from @Fred-Barclay
---
etc/xed.profile | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
(limited to 'etc/xed.profile')
diff --git a/etc/xed.profile b/etc/xed.profile
index e4ab673e8..2bc73693e 100644
--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -5,8 +5,6 @@ include /etc/firejail/xed.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-# blacklist /run/user/*/bus - makes settings immutable
-
 noblacklist ${HOME}/.config/xed
 include /etc/firejail/disable-common.inc
@@ -16,10 +14,14 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+# following line makes settings immutable
+apparmor
 caps.drop all
-# net none - makes settings immutable
 machine-id
+net none
 no3d
+# following line makes settings immutable
+nodbus
 nodvd
 nogroups
 nonewprivs
-- cgit v1.2.3-70-g09d2
From 02d290cacf92065c34c2fe5401024798f3b2fcb9 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Thu, 29 Mar 2018 16:20:49 +0200
Subject: comment nodbus where it interferes with dconf pending further discussion
---
etc/engrampa.profile | 2 +-
etc/eog.profile | 2 +-
etc/eom.profile | 2 +-
etc/file-roller.profile | 2 +-
etc/gedit.profile | 2 +-
etc/gimp.profile | 4 +++-
etc/gnome-calculator.profile | 2 +-
etc/kcalc.profile | 4 ++--
etc/pluma.profile | 2 +-
etc/rhythmbox.profile | 2 +-
etc/scribus.profile | 2 +-
etc/totem.profile | 2 +-
etc/xed.profile | 2 +-
etc/xplayer.profile | 2 +-
etc/xviewer.profile | 2 +-
15 files changed, 18 insertions(+), 16 deletions(-)
(limited to 'etc/xed.profile')
diff --git a/etc/engrampa.profile b/etc/engrampa.profile
index 1ecdbd1b8..25607d0a0 100644
--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
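Review bot: The `+net none` line in the second xed.profile hunk drops the previous caveat (`# net none - makes settings immutable`) without recording why it no longer applies, while the same caveat is kept, as a bare `# following line makes settings immutable`, above the newly added `apparmor` and `nodbus`. If dconf writes still fail inside a fresh network namespace — likely because the session bus was reached over an abstract unix socket, which is namespace-scoped — the regression only shows up at runtime for users of the profile. Suggest recording the decision next to the directive, e.g. `# net none - previously disabled (blocked dconf writes), re-enabled per #1822`, and naming the directive in the other two comments (`# apparmor - makes settings immutable`, `# nodbus - makes settings immutable`) so a comment cannot drift away from the line it annotates.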
@@ -18,7 +18,7 @@ caps.drop all
 net none
 no3d
 # following line makes settings immutable
-nodbus
+# nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/eog.profile b/etc/eog.profile
index 1ab78c345..cbb0dc3cf 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -23,7 +23,7 @@ caps.drop all
 net none
 no3d
 # following line makes settings immutable
-nodbus
+# nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/eom.profile b/etc/eom.profile
index 978fa78a4..93acd7f28 100644
--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -23,7 +23,7 @@ caps.drop all
 net none
 no3d
 # following line makes settings immutable
-nodbus
+# nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index 83e6a9957..f21f8af85 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -18,7 +18,7 @@ caps.drop all
 net none
 no3d
 # following line makes settings immutable
-nodbus
+# nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/gedit.profile b/etc/gedit.profile
index 5b058ae28..49d99becf 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -23,7 +23,7 @@ machine-id
 net none
 no3d
 # following line makes settings immutable
-nodbus
+# nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/gimp.profile b/etc/gimp.profile
index 49df54d1f..5685eb5c1 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -13,10 +13,12 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+# following line makes settings immutable
 apparmor
 caps.drop all
 net none
-nodbus
+# following line makes settings immutable
+# nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index a4ef9cfc1..24615e828 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -20,7 +20,7 @@ caps.drop all
 net none
 no3d
 # following line makes settings immutable
-nodbus
+# nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/kcalc.profile b/etc/kcalc.profile
index db10167ed..0e10dc061 100644
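Review bot: The `+# nodbus` line disables a hardening directive but leaves no reason at the line; the only explanation is the commit subject, and the `# following line makes settings immutable` comment kept above it now annotates a disabled line. Suggest carrying the rationale and a tracking reference into the profile, e.g. `# nodbus - disabled: interferes with dconf, see #1822 #1825`, so whoever re-enables it knows what to test and the stale "following line" comment can go. The same applies to the eog, eom, file-roller, gedit, gnome-calculator, pluma, rhythmbox, totem, xed, xplayer and xviewer hunks of this commit.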
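Review bot: In the gimp.profile hunk the added `+# following line makes settings immutable` appears twice, once above `apparmor` and once above the now-commented `+# nodbus`, so the second copy describes a comment rather than a directive and the first attributes to `apparmor` an effect this commit documents nowhere else. Either drop the copy that precedes `# nodbus` or fold it into the disabled line, `# nodbus - makes settings immutable`, and give the apparmor note wording that says what it refers to.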
--- a/etc/kcalc.profile
+++ b/etc/kcalc.profile
@@ -22,10 +22,10 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
-# net none
+net none
 netfilter
 no3d
-# nodbus
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/pluma.profile b/etc/pluma.profile
index a6c36f647..da9766a81 100644
--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -21,7 +21,7 @@ machine-id
 net none
 no3d
 # following line makes settings immutable
-nodbus
+# nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index 62d0f6334..f02d0363b 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -19,7 +19,7 @@ caps.drop all
 netfilter
 # no3d
 # following line makes settings immutable
-nodbus
+# nodbus
 nogroups
 nonewprivs
 noroot
diff --git a/etc/scribus.profile b/etc/scribus.profile
index 7325b663d..f9f585a20 100644
--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -48,5 +48,5 @@ tracelog
 private-dev
 private-tmp
-# noexec ${HOME}
+noexec ${HOME}
 noexec /tmp
diff --git a/etc/totem.profile b/etc/totem.profile
index f466b3ea6..0b242ab8f 100644
--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -20,7 +20,7 @@ apparmor
 caps.drop all
 netfilter
 # following line makes settings immutable
-nodbus
+# nodbus
 nogroups
 nonewprivs
 noroot
diff --git a/etc/xed.profile b/etc/xed.profile
index 2bc73693e..5f245f9ff 100644
--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -21,7 +21,7 @@ machine-id
 net none
 no3d
 # following line makes settings immutable
-nodbus
+# nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/xplayer.profile b/etc/xplayer.profile
index ef1eb38e7..e0b7b4322 100644
--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -20,7 +20,7 @@ apparmor
 caps.drop all
 netfilter
 # following line makes settings immutable
-nodbus
+# nodbus
 nogroups
 nonewprivs
 noroot
diff --git a/etc/xviewer.profile b/etc/xviewer.profile
index 86d0b6d4a..35e9398ad 100644
--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
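Review bot: In the kcalc.profile hunk `+net none` is enabled while `netfilter` stays two lines below; with only the loopback interface left in the sandbox's network namespace the filter has nothing to act on, so one of the two is redundant and the pair reads as if network access were still expected. Keep `net none` alone if full isolation is the intent, or keep `netfilter` and leave `net none` commented. The same hunk also re-enables `nodbus` (`+nodbus`), which the commit subject "comment nodbus where it interferes with dconf" does not mention; a short note in the message that kcalc does not use dconf would explain why it moves in the opposite direction from the other profiles.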
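Review bot: The scribus.profile hunk turns `# noexec ${HOME}` into `+noexec ${HOME}`, a hardening change unrelated to the nodbus subject of this commit, and nothing on the page records why it had been disabled or what was tested before re-enabling it. Suggest splitting it into its own commit, or at least naming it in the message; if it was disabled for a known breakage, carry that forward as `# noexec ${HOME} - was disabled because <REASON-PLACEHOLDER>; re-enabled after testing` so the next regression report has a starting point.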
@@ -23,7 +23,7 @@ caps.drop all
 net none
 no3d
 # following line makes settings immutable
-nodbus
+# nodbus
 nodvd
 nogroups
 nonewprivs
-- cgit v1.2.3-70-g09d2
From 3a6f7552de0aa2fe5e97e50a5b1d37c4f0f10494 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Fri, 30 Mar 2018 11:34:19 +0200
Subject: comment apparmor, net where they interfere with dconf - #1843
---
README.md | 8 +++-----
etc/audacity.profile | 2 +-
etc/engrampa.profile | 4 +---
etc/eog.profile | 8 +++-----
etc/eom.profile | 8 +++-----
etc/file-roller.profile | 4 +---
etc/gedit.profile | 8 +++-----
etc/gimp.profile | 8 +++-----
etc/gnome-calculator.profile | 8 +++-----
etc/kcalc.profile | 1 -
etc/pluma.profile | 8 +++-----
etc/rhythmbox.profile | 6 ++----
etc/totem.profile | 6 ++----
etc/xed.profile | 8 +++-----
etc/xplayer.profile | 6 ++----
etc/xviewer.profile | 8 +++-----
16 files changed, 36 insertions(+), 65 deletions(-)
(limited to 'etc/xed.profile')
diff --git a/README.md b/README.md
index 57267e414..4739b22fd 100644
--- a/README.md
+++ b/README.md
@@ -259,12 +259,10 @@ enable/disable apparmor functionality globally. By default the flag is enabled.
 AppArmor deployment: we are starting apparmor by default for the following programs:
 - web browsers: firefox (firefox-common.profile), chromium (chromium-common.profile)
 - torrent clients: transmission-qt, transmission-gtk, qbittorrent
-- media players: vlc, mpv, audacious, totem, rhythmbox, kodi, smplayer, xplayer
-- media editing: kdenlive, audacity, handbrake, gimp, inkscape, krita, openshot
-- image viewers: eom, eog, gwenview, xviewer
+- media players: vlc, mpv, audacious, kodi, smplayer
+- media editing: kdenlive, audacity, handbrake, inkscape, krita, openshot
 - archive managers: ark, engrampa, file-roller
-- text editors: gedit, kwrite, pluma, xed
-- etc.: digikam, gnome-calculator, galculator, kcalc, okular, libreoffice, asunder
+- etc.: digikam, libreoffice, okular, gwenview, galculator, kcalc
 Checking apparmor status:
 `````
diff --git a/etc/audacity.profile b/etc/audacity.profile
index e8ad7347a..907dbeb55 100644
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -18,7 +18,7 @@ apparmor
 caps.drop all
 net none
 no3d
-# nodbus
+# nodbus - problems on Fedora 27
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/engrampa.profile b/etc/engrampa.profile
index 25607d0a0..cf32d579e 100644
--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -12,13 +12,11 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
-# following line makes settings immutable
 apparmor
 caps.drop all
 net none
 no3d
-# following line makes settings immutable
-# nodbus
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/eog.profile b/etc/eog.profile
index cbb0dc3cf..66434ae05 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -17,13 +17,11 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
-# following line makes settings immutable
-apparmor
+# apparmor - makes settings immutable
 caps.drop all
-net none
+# net none - makes settings immutable
 no3d
-# following line makes settings immutable
-# nodbus
+# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/eom.profile b/etc/eom.profile
index 93acd7f28..48965bcb9 100644
--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -17,13 +17,11 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
-# following line makes settings immutable
-apparmor
+# apparmor - makes settings immutable
 caps.drop all
-net none
+# net none - makes settings immutable
 no3d
-# following line makes settings immutable
-# nodbus
+# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index f21f8af85..eb76d1dbb 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
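Review bot: In the eog.profile hunk, replacing `net none` with `+# net none - makes settings immutable` leaves eog with no network restriction at all, whereas the rhythmbox, totem and xplayer hunks of this same commit keep `netfilter` where `net none` is absent. If dconf needs the host network namespace, `netfilter` can still stay in place (it is what those three profiles rely on), so consider adding `netfilter` wherever `net none` is commented out; the same applies to the eom, gedit, gimp, gnome-calculator, pluma, xed and xviewer hunks. Dropping `apparmor`, `net none` and `nodbus` in one step also means these profiles now depend on the remaining directives alone (`caps.drop all`, `nonewprivs`, `nogroups` and the includes), so the accepted trade-off deserves a sentence in the commit message or README beyond "makes settings immutable".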
@@ -12,13 +12,11 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
-# following line makes settings immutable
 apparmor
 caps.drop all
 net none
 no3d
-# following line makes settings immutable
-# nodbus
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/gedit.profile b/etc/gedit.profile
index 49d99becf..e78b8a708 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -16,14 +16,12 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
-# following line makes settings immutable
-apparmor
+# apparmor - makes settings immutable
 caps.drop all
 machine-id
-net none
+# net none - makes settings immutable
 no3d
-# following line makes settings immutable
-# nodbus
+# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/gimp.profile b/etc/gimp.profile
index 5685eb5c1..630f02229 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -13,12 +13,10 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
-# following line makes settings immutable
-apparmor
+# apparmor - makes settings immutable
 caps.drop all
-net none
-# following line makes settings immutable
-# nodbus
+# net none - makes settings immutable
+# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index 24615e828..9d737efb1 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -14,13 +14,11 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc
-# following line makes settings immutable
-apparmor
+# apparmor - makes settings immutable
 caps.drop all
-net none
+# net none - makes settings immutable
 no3d
-# following line makes settings immutable
-# nodbus
+# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/kcalc.profile b/etc/kcalc.profile
index 0e10dc061..86a3b1462 100644
--- a/etc/kcalc.profile
+++ b/etc/kcalc.profile
@@ -23,7 +23,6 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
-netfilter
 no3d
 nodbus
 nodvd
diff --git a/etc/pluma.profile b/etc/pluma.profile
index da9766a81..d0acfeb1a 100644
--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -14,14 +14,12 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
-# following line makes settings immutable
-apparmor
+# apparmor - makes settings immutable
 caps.drop all
 machine-id
-net none
+# net none - makes settings immutable
 no3d
-# following line makes settings immutable
-# nodbus
+# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index f02d0363b..6322f8217 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -13,13 +13,11 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
-# following line makes settings immutable
-apparmor
+# apparmor - makes settings immutable
 caps.drop all
 netfilter
 # no3d
-# following line makes settings immutable
-# nodbus
+# nodbus - makes settings immutable
 nogroups
 nonewprivs
 noroot
diff --git a/etc/totem.profile b/etc/totem.profile
index 0b242ab8f..ad3845d90 100644
--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -15,12 +15,10 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
-# following line makes settings immutable
-apparmor
+# apparmor - makes settings immutable
 caps.drop all
 netfilter
-# following line makes settings immutable
-# nodbus
+# nodbus - makes settings immutable
 nogroups
 nonewprivs
 noroot
diff --git a/etc/xed.profile b/etc/xed.profile
index 5f245f9ff..5d46560b7 100644
--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -14,14 +14,12 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
-# following line makes settings immutable
-apparmor
+# apparmor - makes settings immutable
 caps.drop all
 machine-id
-net none
+# net none - makes settings immutable
 no3d
-# following line makes settings immutable
-# nodbus
+# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/xplayer.profile b/etc/xplayer.profile
index e0b7b4322..7e475bd58 100644
--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -15,12 +15,10 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
-# following line makes settings immutable
-apparmor
+# apparmor - makes settings immutable
 caps.drop all
 netfilter
-# following line makes settings immutable
-# nodbus
+# nodbus - makes settings immutable
 nogroups
 nonewprivs
 noroot
diff --git a/etc/xviewer.profile b/etc/xviewer.profile
index 35e9398ad..26f9f0238 100644
--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -17,13 +17,11 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
-# following line makes settings immutable
-apparmor
+# apparmor - makes settings immutable
 caps.drop all
-net none
+# net none - makes settings immutable
 no3d
-# following line makes settings immutable
-# nodbus
+# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
-- cgit v1.2.3-70-g09d2