From 052081416736808e6ec0dbd59aa01097c86c359e Mon Sep 17 00:00:00 2001
From: Fred-Barclay
Date: Sat, 7 Apr 2018 18:35:47 -0500
Subject: Replace shell and seccomp filter for firefox >= 60, should fix #1765 and #1847
---
 etc/basilisk.profile | 5 +++++
 etc/firefox-common.profile | 5 +++--
 etc/firejail-default | 1 +
 etc/palemoon.profile | 5 +++++
 4 files changed, 14 insertions(+), 2 deletions(-)
(limited to 'etc')
diff --git a/etc/basilisk.profile b/etc/basilisk.profile
index ac7f30c04..fe63a59f1 100644
--- a/etc/basilisk.profile
+++ b/etc/basilisk.profile
@@ -14,6 +14,11 @@ whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/moonchild productions/basilisk
 whitelist ${HOME}/.moonchild productions
 
+# Basilisk can use the full firejail seccomp filter (unlike firefox >= 60)
+ignore seccomp.drop
+seccomp
+shell none
+
 #private-bin basilisk
 # private-etc must first be enabled in firefox-common.profile
 #private-etc basilisk
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index 3fe83eda0..843f41fee 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -33,8 +33,9 @@ nonewprivs
 noroot
 notv
 protocol unix,inet,inet6,netlink
-seccomp
-shell none
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+# shell none breaks firefox>=60, see issue #1765
+# shell none
 tracelog
 
 disable-mnt
diff --git a/etc/firejail-default b/etc/firejail-default
index 5d116fbbc..ad3fdd718 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
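Review bot: The `ignore seccomp.drop` on the second added line of the basilisk hunk only suppresses `seccomp.drop` directives that are parsed after it (if firejail's `ignore` is order-dependent, as I believe it is), so the block silently relies on the include of firefox-common.profile sitting below it in the file, which is outside this hunk. A short comment would protect that ordering, e.g. `# must stay above the firefox-common.profile include, which sets seccomp.drop`. The same applies to the identical block in the etc/palemoon.profile hunk. It would also help to say in the existing comment that the plain `seccomp` here is intentionally stricter than the explicit drop list in firefox-common.profile, so the two are re-checked together when that list changes.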
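Review bot: The new `seccomp.drop` line in the firefox-common hunk carries no comment saying why the default `seccomp` filter is being replaced or which default-blocked syscalls the explicit list deliberately leaves out, so a later maintainer cannot tell whether an absent entry is intentional; add above it `# firefox >= 60 needs syscalls the default filter blocks; explicit drop list instead of plain seccomp (see #1847)`. An explicit drop list is frozen and will not pick up syscalls later added to firejail's default blacklist, so the comment should also say this list needs re-auditing whenever the default filter changes. Listing the dropped syscalls one group per line in the comment, rather than only on the single 40-entry directive, would make future diffs against the default reviewable.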
@@ -72,6 +72,7 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 ##########
 /proc/ r,
 /proc/** r,
+owner /proc/[0-9]*/{uid_map,gid_map,setgroups} w,
 # Uncomment to silence all denied write warnings
 #deny /proc/** w,
 deny /proc/@{PID}/oom_adj w,
diff --git a/etc/palemoon.profile b/etc/palemoon.profile
index ff7087e55..c68574df5 100644
--- a/etc/palemoon.profile
+++ b/etc/palemoon.profile
@@ -13,6 +13,11 @@ mkdir ${HOME}/.moonchild productions
 whitelist ${HOME}/.cache/moonchild productions/pale moon
 whitelist ${HOME}/.moonchild productions
 
+# Palemoon can use the full firejail seccomp filter (unlike firefox >= 60)
+ignore seccomp.drop
+seccomp
+shell none
+
 #private-bin palemoon
 # private-etc must first be enabled in firefox-common.profile
 #private-etc palemoon
-- 
cgit v1.2.3-70-g09d2
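Review bot: The added AppArmor rule in the firejail-default hunk spells the PID component as `/proc/[0-9]*/` while the `deny /proc/@{PID}/oom_adj w,` line three lines below uses `@{PID}`; for consistency write `owner /proc/@{PID}/{uid_map,gid_map,setgroups} w,`. The line also has no comment, and because firejail-default is the generic profile rather than a firefox-specific one, it now lets every sandbox under this profile write the user-namespace mapping files of any process it owns, not only firefox; record the reason next to it, presumably `# firefox >= 60 writes its uid/gid maps when setting up its content sandbox (#1847)`, so the grant can be revisited if that need goes away.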