From 47e3c82ab58b0d0c02066666aea3f7a04078c86b Mon Sep 17 00:00:00 2001
From: pirate486743186 <>
Date: Thu, 16 Mar 2023 02:30:52 +0100
Subject: create blink-common.profile
---
 etc/profile-a-l/blink-common-hardened.inc.profile | 11 ++++++
 etc/profile-a-l/blink-common.profile | 40 ++++++++++++++++++++++
 .../chromium-common-hardened.inc.profile | 17 +++++----
 etc/profile-a-l/chromium-common.profile | 25 ++------------
 etc/profile-a-l/electron-common.profile | 25 ++------------
 5 files changed, 65 insertions(+), 53 deletions(-)
 create mode 100644 etc/profile-a-l/blink-common-hardened.inc.profile
 create mode 100644 etc/profile-a-l/blink-common.profile
(limited to 'etc')
diff --git a/etc/profile-a-l/blink-common-hardened.inc.profile b/etc/profile-a-l/blink-common-hardened.inc.profile
new file mode 100644
index 000000000..c092a9746
--- /dev/null
+++ b/etc/profile-a-l/blink-common-hardened.inc.profile
@@ -0,0 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include blink-common-hardened.inc.local
+
+caps.drop all
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+
+#restrict-namespaces
diff --git a/etc/profile-a-l/blink-common.profile b/etc/profile-a-l/blink-common.profile
new file mode 100644
index 000000000..ff17dc479
--- /dev/null
+++ b/etc/profile-a-l/blink-common.profile
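Review bot: The header of the new blink-common-hardened.inc.profile uses the older wording (`# This file is overwritten during software install.` / `# Persistent customizations should go in a .local file.`) while this same commit rewrites chromium-common-hardened.inc.profile with the newer block (`# This file is overwritten after every install/update` / `# Persistent local customizations`), so the include and its alias now disagree on style. Using the newer two lines here keeps the hardened include consistent with its alias and with blink-common.profile. A short why-line above `caps.drop all` would also help a reader who opens this file on its own, e.g. `# Tightens blink-common.profile (caps.drop all instead of caps.keep, seccomp without chroot); presumably only works where unprivileged user namespaces are available, see the comment in blink-common.profile`.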
@@ -0,0 +1,40 @@
+# Firejail profile for blink-common
+# Description: Common profile for Blink-based applications
+# This file is overwritten after every install/update
+# Persistent local customizations
+include blink-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+#include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+# If your kernel allows the creation of user namespaces by unprivileged users
+# (for example, if running `unshare -U echo enabled` prints "enabled"), you
+# can add the next line to your blink-common.local.
+#include blink-common-hardened.inc.profile
+
+apparmor
+caps.keep sys_admin,sys_chroot
+netfilter
+nodvd
+nogroups
+noinput
+notv
+
+disable-mnt
+private-cache
+
+dbus-system none
diff --git a/etc/profile-a-l/chromium-common-hardened.inc.profile b/etc/profile-a-l/chromium-common-hardened.inc.profile
index c3944bd65..0e0416de1 100644
--- a/etc/profile-a-l/chromium-common-hardened.inc.profile
+++ b/etc/profile-a-l/chromium-common-hardened.inc.profile
@@ -1,11 +1,10 @@
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile alias for blink-common-hardened.inc
+# This file is overwritten after every install/update
+# Persistent local customizations
 include chromium-common-hardened.inc.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
 
-caps.drop all
-nonewprivs
-noroot
-protocol unix,inet,inet6,netlink
-seccomp !chroot
-
-#restrict-namespaces
+# Redirect
+include blink-common-hardened.inc.profile
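Review bot: blink-common.profile only works as intended when a caller includes it last, the way chromium-common.profile and electron-common.profile now do under `# Redirect`, because (if I recall Firejail's ordering rules correctly) the caller's `noblacklist`, `mkdir` and `whitelist` lines have to precede the `disable-*.inc` and `whitelist-*.inc` includes this file pulls in; nothing in the new file states that contract. A header line such as `# Include this file at the end of a caller profile (see chromium-common.profile); the caller supplies globals.local, noblacklist/whitelist entries and whitelist-run-common.inc` would document it, and it also explains why `#include globals.local` and `#include whitelist-run-common.inc` are left commented. Since `caps.keep sys_admin,sys_chroot` is now the one privileged setting shared by every Blink-based application, a why-comment next to it is worth adding too — presumably the browser's own sandbox needs those two capabilities, with blink-common-hardened.inc.profile as the opt-out on kernels that allow unprivileged user namespaces; please confirm the reason before wording it.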
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index f1f2f5f68..878e0fe1d 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -17,42 +17,21 @@ noblacklist /usr/lib/chromium/chrome-sandbox
 # to have access to Gnome extensions (extensions.gnome.org) via browser connector
 #include allow-python3.inc
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-xdg.inc
-
 mkdir ${HOME}/.local/share/pki
 mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.local/share/pki
 whitelist ${HOME}/.pki
 whitelist /usr/share/mozilla/extensions
 whitelist /usr/share/webext
-include whitelist-common.inc
 include whitelist-run-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
 
 # If your kernel allows the creation of user namespaces by unprivileged users
 # (for example, if running `unshare -U echo enabled` prints "enabled"), you
 # can add the next line to your chromium-common.local.
 #include chromium-common-hardened.inc.profile
 
-apparmor
-caps.keep sys_admin,sys_chroot
-netfilter
-nodvd
-nogroups
-noinput
-notv
 ?BROWSER_DISABLE_U2F: nou2f
 
-disable-mnt
-private-cache
 ?BROWSER_DISABLE_U2F: private-dev
 #private-tmp - issues when using multiple browser sessions
 
@@ -61,7 +40,9 @@ blacklist ${PATH}/wget
 blacklist ${PATH}/wget2
 
 #dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector.
-dbus-system none
 
 # The file dialog needs to work without d-bus.
 ?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1
+
+# Redirect
+include blink-common.profile
diff --git a/etc/profile-a-l/electron-common.profile b/etc/profile-a-l/electron-common.profile
index 73b6d1067..bb48d6332 100644
--- a/etc/profile-a-l/electron-common.profile
+++ b/etc/profile-a-l/electron-common.profile
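Review bot: After this move a reader of chromium-common.profile no longer sees that `apparmor`, `caps.keep sys_admin,sys_chroot`, `netfilter`, `disable-mnt`, `private-cache` and (in the second hunk) `dbus-system none` still apply to every Chromium-based browser; the only remaining hint is the trailing `# Redirect` line, and the kept `#include chromium-common-hardened.inc.profile` hint now names a file that is itself only a redirect. A one-line comment where the removed block used to be, e.g. `# apparmor, caps, netfilter, private-* and dbus-system settings come from blink-common.profile (included at the end)`, keeps the effective sandbox policy visible without duplicating any directive. The same gap appears in the electron-common.profile hunk.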
@@ -7,40 +7,21 @@ include electron-common.local
 noblacklist ${HOME}/.config/Electron
 noblacklist ${HOME}/.config/electron*-flag*.conf
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-xdg.inc
-
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/Electron
 whitelist ${HOME}/.config/electron*-flag*.conf
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
 
 # If your kernel allows the creation of user namespaces by unprivileged users
 # (for example, if running `unshare -U echo enabled` prints "enabled"), you
 # can add the next line to your electron-common.local.
 #include electron-common-hardened.inc.profile
 
-apparmor
-caps.keep sys_admin,sys_chroot
-netfilter
-nodvd
-nogroups
-noinput
-notv
 nou2f
 novideo
 
-disable-mnt
-private-cache
 private-dev
 private-tmp
 
 dbus-user none
-dbus-system none
+
+# Redirect
+include blink-common.profile
-- cgit v1.2.3-70-g09d2
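Review bot: The kept hint `#include electron-common-hardened.inc.profile` now names a file this commit does not touch (the diffstat lists only the chromium alias), so electron-common-hardened.inc.profile presumably still carries its own copy of `caps.drop all` / `seccomp !chroot` instead of redirecting to blink-common-hardened.inc.profile the way chromium-common-hardened.inc.profile does in this commit. If that is the case the two hardened variants can drift apart; turning the electron file into the same two-line redirect (`# Redirect` / `include blink-common-hardened.inc.profile`) would keep them in sync. Note also that `dbus-user none` stays here while `dbus-system none` moves to blink-common.profile, so the D-Bus policy is now split across two files — a comment next to `dbus-user none` saying where the system-bus rule lives would help.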