From 1379851360349d6617ad32944a25ee5e2bb74fc2 Mon Sep 17 00:00:00 2001 
From: netblue30
Date: Sat, 8 Aug 2015 19:12:30 -0400
Subject: Baseline firejail 0.9.28
---
 etc/audacious.profile | 8 +++++
 etc/chromium-browser.profile | 3 ++
 etc/chromium.profile | 7 ++++
 etc/clementine.profile | 7 ++++
 etc/deadbeef.profile | 8 +++++
 etc/deluge.profile | 9 +++++
 etc/disable-common.inc | 10 ++++++
 etc/disable-mgmt.inc | 12 +++++++
 etc/disable-secret.inc | 9 +++++
 etc/dropbox.profile | 7 ++++
 etc/empathy.profile | 6 ++++
 etc/evince.profile | 8 +++++
 etc/filezilla.profile | 10 ++++++
 etc/firefox.profile | 9 +++++
 etc/firejail.bash_completion | 86 ++++++++++++++++++++++++++++++++++++++++++++
 etc/firemon.bash_completion | 39 ++++++++++++++++++++
 etc/generic.profile | 41 +++++++++++++++++++++
 etc/gnome-mplayer.profile | 7 ++++
 etc/icecat.profile | 2 ++
 etc/icedove.profile | 3 ++
 etc/iceweasel.profile | 2 ++
 etc/login.users | 14 ++++++++
 etc/midori.profile | 9 +++++
 etc/opera.profile | 8 +++++
 etc/pidgin.profile | 7 ++++
 etc/qbittorrent.profile | 9 +++++
 etc/quassel.profile | 7 ++++
 etc/rhythmbox.profile | 7 ++++
 etc/server.profile | 6 ++++
 etc/thunderbird.profile | 9 +++++
 etc/totem.profile | 7 ++++
 etc/transmission-gtk.profile | 9 +++++
 etc/transmission-qt.profile | 9 +++++
 etc/vlc.profile | 7 ++++
 etc/xchat.profile | 7 ++++
 35 files changed, 408 insertions(+)
 create mode 100644 etc/audacious.profile
 create mode 100644 etc/chromium-browser.profile
 create mode 100644 etc/chromium.profile
 create mode 100644 etc/clementine.profile
 create mode 100644 etc/deadbeef.profile
 create mode 100644 etc/deluge.profile
 create mode 100644 etc/disable-common.inc
 create mode 100644 etc/disable-mgmt.inc
 create mode 100644 etc/disable-secret.inc
 create mode 100644 etc/dropbox.profile
 create mode 100644 etc/empathy.profile
 create mode 100644 etc/evince.profile
 create mode 100644 etc/filezilla.profile
 create mode 100644 etc/firefox.profile
 create mode 100644 etc/firejail.bash_completion
 create mode 100644 etc/firemon.bash_completion
 create mode 100644 etc/generic.profile
create mode 100644 etc/gnome-mplayer.profile
create mode 100644 etc/icecat.profile
create mode 100644 etc/icedove.profile
create mode 100644 etc/iceweasel.profile
create mode 100644 etc/login.users
create mode 100644 etc/midori.profile
create mode 100644 etc/opera.profile
create mode 100644 etc/pidgin.profile
create mode 100644 etc/qbittorrent.profile
create mode 100644 etc/quassel.profile
create mode 100644 etc/rhythmbox.profile
create mode 100644 etc/server.profile
create mode 100644 etc/thunderbird.profile
create mode 100644 etc/totem.profile
create mode 100644 etc/transmission-gtk.profile
create mode 100644 etc/transmission-qt.profile
create mode 100644 etc/vlc.profile
create mode 100644 etc/xchat.profile
(limited to 'etc')
diff --git a/etc/audacious.profile b/etc/audacious.profile
new file mode 100644
index 000000000..23f223a29
--- /dev/null
+++ b/etc/audacious.profile
@@ -0,0 +1,8 @@
+# Audacious profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+caps.drop all
+seccomp
+noroot
+
diff --git a/etc/chromium-browser.profile b/etc/chromium-browser.profile
new file mode 100644
index 000000000..4cdc098d1
--- /dev/null
+++ b/etc/chromium-browser.profile
@@ -0,0 +1,3 @@
+# Chromium browser profile
+include /etc/firejail/chromium.profile
+
diff --git a/etc/chromium.profile b/etc/chromium.profile
new file mode 100644
index 000000000..4f6e7e450
--- /dev/null
+++ b/etc/chromium.profile
@@ -0,0 +1,7 @@
+# Chromium browser profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc chromium
+netfilter
+
+
diff --git a/etc/clementine.profile b/etc/clementine.profile
new file mode 100644
index 000000000..dd855cc62
--- /dev/null
+++ b/etc/clementine.profile
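Review bot: chromium.profile ends with only `netfilter` and carries none of the `caps.drop all`, `seccomp` and `noroot` lines that every other application profile in this commit applies, so the sandboxed browser runs without the capability and syscall filters the rest of the set relies on; opera.profile omits `caps.drop all` and `seccomp` in the same way, and empathy.profile omits `noroot`. If these omissions are deliberate (for instance because the browser's own sandbox setup conflicts with the filters), a comment such as `# no caps.drop/seccomp/noroot: see <reason>` above `netfilter` would stop the next editor from "fixing" them; otherwise add the missing lines so the three profiles match their siblings. The two trailing blank `+` lines at the end of chromium.profile can also go.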
@@ -0,0 +1,7 @@
+# Clementine profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+caps.drop all
+seccomp
+noroot
diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile
new file mode 100644
index 000000000..e2f5787cc
--- /dev/null
+++ b/etc/deadbeef.profile
@@ -0,0 +1,8 @@
+# DeaDBeeF profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+caps.drop all
+seccomp
+noroot
+
diff --git a/etc/deluge.profile b/etc/deluge.profile
new file mode 100644
index 000000000..138d0a133
--- /dev/null
+++ b/etc/deluge.profile
@@ -0,0 +1,9 @@
+# deluge profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+caps.drop all
+seccomp
+netfilter
+noroot
+
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
new file mode 100644
index 000000000..926000411
--- /dev/null
+++ b/etc/disable-common.inc
@@ -0,0 +1,10 @@
+blacklist ${HOME}/.adobe
+blacklist ${HOME}/.macromedia
+blacklist ${HOME}/.mozilla
+blacklist ${HOME}/.icedove
+blacklist ${HOME}/.thunderbird
+blacklist ${HOME}/.config/midori
+blacklist ${HOME}/.config/opera
+blacklist ${HOME}/.config/chromium
+blacklist ${HOME}/.config/google-chrome
+blacklist ${HOME}/.filezilla
diff --git a/etc/disable-mgmt.inc b/etc/disable-mgmt.inc
new file mode 100644
index 000000000..f04619ea0
--- /dev/null
+++ b/etc/disable-mgmt.inc
@@ -0,0 +1,12 @@
+# system directories
+blacklist /sbin
+blacklist /usr/sbin
+
+# system management
+blacklist ${PATH}/umount
+blacklist ${PATH}/mount
+blacklist ${PATH}/fusermount
+blacklist ${PATH}/su
+blacklist ${PATH}/sudo
+blacklist ${PATH}/xinput
+blacklist ${PATH}/strace
diff --git a/etc/disable-secret.inc b/etc/disable-secret.inc
new file mode 100644
index 000000000..8ac1b3792
--- /dev/null
+++ b/etc/disable-secret.inc
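Review bot: disable-common.inc is the only include file in this commit with no header comment, and it is consumed in a non-obvious way: firefox.profile, thunderbird.profile, midori.profile, opera.profile, chromium.profile and filezilla.profile each append a word to their `include /etc/firejail/disable-common.inc` line (`.mozilla`, `thunderbird icedove`, `midori`, `opera`, `chromium`, `.filezilla`), apparently so that their own data directory is left out of this blacklist. A header such as `# Browser and plugin data directories. A profile keeps its own entry accessible by naming it after the include path.` would record that contract next to the lines that depend on it, and would tell the next person adding a browser to this list that they also need to adjust the matching profile.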
@@ -0,0 +1,9 @@
+# HOME directory
+blacklist ${HOME}/.ssh
+tmpfs ${HOME}/.gnome2_private
+blacklist ${HOME}/.gnome2/keyrings
+blacklist ${HOME}/kde4/share/apps/kwallet
+blacklist ${HOME}/kde/share/apps/kwallet
+blacklist ${HOME}/.pki/nssdb
+blacklist ${HOME}/.gnupg
+blacklist ${HOME}/.local/share/recently-used.xbel
diff --git a/etc/dropbox.profile b/etc/dropbox.profile
new file mode 100644
index 000000000..82b54adb1
--- /dev/null
+++ b/etc/dropbox.profile
@@ -0,0 +1,7 @@
+# dropbox profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+caps
+seccomp
+noroot
diff --git a/etc/empathy.profile b/etc/empathy.profile
new file mode 100644
index 000000000..d24cae528
--- /dev/null
+++ b/etc/empathy.profile
@@ -0,0 +1,6 @@
+# Empathy profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+caps.drop all
+seccomp
diff --git a/etc/evince.profile b/etc/evince.profile
new file mode 100644
index 000000000..4d96d5904
--- /dev/null
+++ b/etc/evince.profile
@@ -0,0 +1,8 @@
+# evince profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+caps.drop all
+seccomp
+netfilter
+noroot
diff --git a/etc/filezilla.profile b/etc/filezilla.profile
new file mode 100644
index 000000000..a54b5a734
--- /dev/null
+++ b/etc/filezilla.profile
@@ -0,0 +1,10 @@
+# FileZilla profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc .filezilla
+caps.drop all
+seccomp
+noroot
+netfilter
+
+
diff --git a/etc/firefox.profile b/etc/firefox.profile
new file mode 100644
index 000000000..dc3489d35
--- /dev/null
+++ b/etc/firefox.profile
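Review bot: `blacklist ${HOME}/kde4/share/apps/kwallet` and `blacklist ${HOME}/kde/share/apps/kwallet` look like they are missing the leading dot: KDE keeps its wallet under the hidden `~/.kde4` and `~/.kde` directories, so as written these two entries very likely match nothing and the wallet files stay readable from inside the sandbox. Change them to `blacklist ${HOME}/.kde4/share/apps/kwallet` and `blacklist ${HOME}/.kde/share/apps/kwallet`; the same two lines are copied verbatim into generic.profile and need the same correction. A short comment on `tmpfs ${HOME}/.gnome2_private` explaining why that one entry is hidden with `tmpfs` while its neighbours use `blacklist` would also help, since the two directives leave the directory in a different state for the application.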
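Review bot: dropbox.profile uses a bare `caps` where every other profile in this commit writes `caps.drop all`. If `caps` is a distinct directive (for example a default drop set that keeps something dropbox needs), a comment such as `# caps: default filter, dropbox needs <capability>` would make the difference intentional; if it is a typo, it should read `caps.drop all` so the profile is not weaker than its siblings by accident.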
@@ -0,0 +1,9 @@
+# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc .mozilla
+caps.drop all
+seccomp
+netfilter
+noroot
+
diff --git a/etc/firejail.bash_completion b/etc/firejail.bash_completion
new file mode 100644
index 000000000..50eccf536
--- /dev/null
+++ b/etc/firejail.bash_completion
@@ -0,0 +1,86 @@
+# bash completion for firejail -*- shell-script -*-
+#********************************************************************
+# Script based on completions/configure script in bash-completion package in
+# Debian. The original package is release under GPL v2 license, the webpage is
+# http://bash-completion.alioth.debian.org
+#*******************************************************************
+
+__interfaces(){
+ cut -f 1 -d ':' /proc/net/dev | tail -n +3 | grep -v lo | xargs
+}
+
+
+_firejail()
+{
+ local cur prev words cword split
+ _init_completion -s || return
+
+ case $prev in
+ --help|--version|-debug-caps|--debug-syscalls|--list|--tree|--top|--join|--shutdown)
+ return 0
+ ;;
+ --profile)
+ _filedir
+ return 0
+ ;;
+ --chroot)
+ _filedir -d
+ return 0
+ ;;
+ --cgroup)
+ _filedir -d
+ return 0
+ ;;
+ --tmpfs)
+ _filedir
+ return 0
+ ;;
+ --blacklist)
+ _filedir
+ return 0
+ ;;
+ --read-only)
+ _filedir
+ return 0
+ ;;
+ --bind)
+ _filedir
+ return 0
+ ;;
+ --private)
+ _filedir
+ return 0
+ ;;
+ --shell)
+ _filedir
+ return 0
+ ;;
+ --net)
+ comps=$(__interfaces)
+ COMPREPLY=( $(compgen -W '$comps' -- "$cur") )
+ return 0
+ ;;
+ esac
+
+ $split && return 0
+
+ # if $COMP_CONFIGURE_HINTS is not null, then completions of the form
+ # --option=SETTING will include 'SETTING' as a contextual hint
+ [[ "$cur" != -* ]] && _filedir && return 0
+
+ if [[ -n $COMP_CONFIGURE_HINTS ]]; then
+ COMPREPLY=( $( compgen -W "$( $1 --help 2>&1 | \
+ awk '/^ --[A-Za-z]/ { print $1; \
+ if ($2 ~ /--[A-Za-z]/) print $2 }' | sed -e 's/[[,].*//g' )" \
+ -- "$cur" ) )
+ [[ $COMPREPLY == *=* ]] && compopt -o nospace
+ else
+ COMPREPLY=( $( compgen -W '$( _parse_help "$1" )' -- "$cur" ) )
+ [[ $COMPREPLY == *= ]] && compopt -o nospace
+ fi
+
+} &&
+complete -F _firejail firejail
+
+
+
diff --git a/etc/firemon.bash_completion b/etc/firemon.bash_completion
new file mode 100644
index 000000000..befbf2388
--- /dev/null
+++ b/etc/firemon.bash_completion
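Review bot: The option list on the `case $prev in` line spells `-debug-caps` with a single dash, so a preceding `--debug-caps` never matches and the completer falls through to file completion; it should read `--debug-caps` like its neighbours. In the `--net` branch `comps` is assigned without being declared, so it leaks into the interactive shell as a global every time completion runs; add it to the `local cur prev words cword split` line. `__interfaces` filters with `grep -v lo`, which removes every interface whose name merely contains `lo` (a `wlo1` wifi device, for instance), not just loopback; `grep -vw lo` keeps the leading-whitespace output of `cut` working and drops only the `lo` entry.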
@@ -0,0 +1,39 @@
+# bash completion for firemon -*- shell-script -*-
+#********************************************************************
+# Script based on completions/configure script in bash-completion package in
+# Debian. The original package is release under GPL v2 license, the webpage is
+# http://bash-completion.alioth.debian.org
+#*******************************************************************
+
+_firemon()
+{
+ local cur prev words cword split
+ _init_completion -s || return
+
+ case $prev in
+ --help|--version)
+ return
+ ;;
+ esac
+
+ $split && return 0
+
+ # if $COMP_CONFIGURE_HINTS is not null, then completions of the form
+ # --option=SETTING will include 'SETTING' as a contextual hint
+ [[ "$cur" != -* ]] && return 0
+
+ if [[ -n $COMP_CONFIGURE_HINTS ]]; then
+ COMPREPLY=( $( compgen -W "$( $1 --help 2>&1 | \
+ awk '/^ --[A-Za-z]/ { print $1; \
+ if ($2 ~ /--[A-Za-z]/) print $2 }' | sed -e 's/[[,].*//g' )" \
+ -- "$cur" ) )
+ [[ $COMPREPLY == *=* ]] && compopt -o nospace
+ else
+ COMPREPLY=( $( compgen -W '$( _parse_help "$1" )' -- "$cur" ) )
+ [[ $COMPREPLY == *= ]] && compopt -o nospace
+ fi
+} &&
+complete -F _firemon firemon
+
+
+
diff --git a/etc/generic.profile b/etc/generic.profile
new file mode 100644
index 000000000..83bf59e0a
--- /dev/null
+++ b/etc/generic.profile
@@ -0,0 +1,41 @@
+################################
+# Generic profile based on Firefox profile
+################################
+#include /etc/firejail/disable-mgmt.inc
+# system directories
+blacklist /sbin
+blacklist /usr/sbin
+# system management
+blacklist ${PATH}/umount
+blacklist ${PATH}/mount
+blacklist ${PATH}/fusermount
+blacklist ${PATH}/su
+blacklist ${PATH}/sudo
+blacklist ${PATH}/xinput
+blacklist ${PATH}/strace
+
+#include /etc/firejail/disable-secret.inc
+# HOME directory
+blacklist ${HOME}/.ssh
+tmpfs ${HOME}/.gnome2_private
+blacklist ${HOME}/.gnome2/keyrings
+blacklist ${HOME}/kde4/share/apps/kwallet
+blacklist ${HOME}/kde/share/apps/kwallet
+blacklist ${HOME}/.pki/nssdb
+blacklist ${HOME}/.gnupg
+blacklist ${HOME}/.local/share/recently-used.xbel
+
+blacklist ${HOME}/.adobe
+blacklist ${HOME}/.macromedia
+blacklist ${HOME}/.mozilla
+blacklist ${HOME}/.icedove
+blacklist ${HOME}/.thunderbird
+blacklist ${HOME}/.config/opera
+blacklist ${HOME}/.config/chromium
+blacklist ${HOME}/.config/google-chrome
+
+caps.drop all
+seccomp
+netfilter
+noroot
+
diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile
new file mode 100644
index 000000000..b69cf3a57
--- /dev/null
+++ b/etc/gnome-mplayer.profile
@@ -0,0 +1,7 @@
+# GNOME MPlayer profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+caps.drop all
+seccomp
+noroot
diff --git a/etc/icecat.profile b/etc/icecat.profile
new file mode 100644
index 000000000..25d426ad2
--- /dev/null
+++ b/etc/icecat.profile
@@ -0,0 +1,2 @@
+# Firejail profile for GNU Icecat
+include /etc/firejail/firefox.profile
diff --git a/etc/icedove.profile b/etc/icedove.profile
new file mode 100644
index 000000000..057e0c9ef
--- /dev/null
+++ b/etc/icedove.profile
@@ -0,0 +1,3 @@
+# Firejail profile for Mozilla Thunderbird (Icedove in Debian)
+include /etc/firejail/thunderbird.profile
+
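Review bot: The hand-copied contents of the three .inc files in generic.profile have already drifted from their sources in this same commit: `blacklist ${HOME}/.config/midori` and `blacklist ${HOME}/.filezilla` are in disable-common.inc but absent here, and the copied disable-secret.inc block inherits the `kde4`/`kde` kwallet paths that appear to lack their leading dot. The commented-out `#include /etc/firejail/disable-mgmt.inc` and `#include /etc/firejail/disable-secret.inc` lines suggest includes were the intended form; unless there is a reason for generic.profile to stay self-contained, replace the copied blocks with `include /etc/firejail/disable-mgmt.inc`, `include /etc/firejail/disable-secret.inc` and `include /etc/firejail/disable-common.inc` so that fixes to the .inc files reach this profile as well. If it must remain self-contained, a header comment stating that and naming the three files it mirrors would at least tell the next editor where to sync from.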
diff --git a/etc/iceweasel.profile b/etc/iceweasel.profile
new file mode 100644
index 000000000..e9b32846a
--- /dev/null
+++ b/etc/iceweasel.profile
@@ -0,0 +1,2 @@
+# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
+include /etc/firejail/firefox.profile
diff --git a/etc/login.users b/etc/login.users
new file mode 100644
index 000000000..5d5969091
--- /dev/null
+++ b/etc/login.users
@@ -0,0 +1,14 @@
+# /etc/firejail/login.users - restricted user shell configuration
+#
+# Each user entry consists of a user name and firejail
+# program arguments:
+#
+# user name: arguments
+#
+# For example:
+#
+# netblue:--debug --net=none
+#
+# The extra arguments are inserted into program command line if firejail
+# was started as a login shell.
+
diff --git a/etc/midori.profile b/etc/midori.profile
new file mode 100644
index 000000000..5479ba172
--- /dev/null
+++ b/etc/midori.profile
@@ -0,0 +1,9 @@
+# Midory browser profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc midori
+caps.drop all
+seccomp
+netfilter
+noroot
+
diff --git a/etc/opera.profile b/etc/opera.profile
new file mode 100644
index 000000000..852f10719
--- /dev/null
+++ b/etc/opera.profile
@@ -0,0 +1,8 @@
+# Chromium browser profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc opera
+netfilter
+noroot
+
+
diff --git a/etc/pidgin.profile b/etc/pidgin.profile
new file mode 100644
index 000000000..6f5594919
--- /dev/null
+++ b/etc/pidgin.profile
@@ -0,0 +1,7 @@
+# Pidgin profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+caps.drop all
+seccomp
+noroot
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
new file mode 100644
index 000000000..f85dfc994
--- /dev/null
+++ b/etc/qbittorrent.profile
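Review bot: The header comment of midori.profile reads `# Midory browser profile`; the application is Midori, so it should be `# Midori browser profile`. Two other headers in this commit carry the same kind of copy-paste slip: opera.profile is titled `# Chromium browser profile` and qbittorrent.profile `# abittorrent profile`, while the diffstat names the files opera and qbittorrent. These one-line headers are the only description a user reading /etc/firejail gets, so they are worth matching to the file names.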
@@ -0,0 +1,9 @@
+# abittorrent profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+caps.drop all
+seccomp
+netfilter
+noroot
+
diff --git a/etc/quassel.profile b/etc/quassel.profile
new file mode 100644
index 000000000..a2057ad01
--- /dev/null
+++ b/etc/quassel.profile
@@ -0,0 +1,7 @@
+# Quassel IRC profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+caps.drop all
+seccomp
+noroot
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
new file mode 100644
index 000000000..42d4dc0fa
--- /dev/null
+++ b/etc/rhythmbox.profile
@@ -0,0 +1,7 @@
+# Rhythmbox profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+caps.drop all
+seccomp
+noroot
diff --git a/etc/server.profile b/etc/server.profile
new file mode 100644
index 000000000..bb15774fa
--- /dev/null
+++ b/etc/server.profile
@@ -0,0 +1,6 @@
+# generic server profile
+include /etc/firejail/disable-mgmt.inc sbin
+private
+private-dev
+seccomp
+
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
new file mode 100644
index 000000000..8b63a6ec5
--- /dev/null
+++ b/etc/thunderbird.profile
@@ -0,0 +1,9 @@
+# Firejail profile for Mozilla Thunderbird (Icedove in Debian)
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc thunderbird icedove
+caps.drop all
+seccomp
+netfilter
+noroot
+
diff --git a/etc/totem.profile b/etc/totem.profile
new file mode 100644
index 000000000..50115deb5
--- /dev/null
+++ b/etc/totem.profile
@@ -0,0 +1,7 @@
+# Totem profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+caps.drop all
+seccomp
+noroot
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
new file mode 100644
index 000000000..9ccece285
--- /dev/null
+++ b/etc/transmission-gtk.profile
@@ -0,0 +1,9 @@
+# transmission-gtk profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+caps.drop all
+seccomp
+netfilter
+noroot
+
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
new file mode 100644
index 000000000..65a045f8e
--- /dev/null
+++ b/etc/transmission-qt.profile
@@ -0,0 +1,9 @@
+# transmission-qt profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+caps.drop all
+seccomp
+netfilter
+noroot
+
diff --git a/etc/vlc.profile b/etc/vlc.profile
new file mode 100644
index 000000000..76e1395f9
--- /dev/null
+++ b/etc/vlc.profile
@@ -0,0 +1,7 @@
+# VLC profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+caps.drop all
+seccomp
+noroot
diff --git a/etc/xchat.profile b/etc/xchat.profile
new file mode 100644
index 000000000..b8d8cb1e2
--- /dev/null
+++ b/etc/xchat.profile
@@ -0,0 +1,7 @@
+# XChat profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+caps.drop all
+seccomp
+noroot
-- cgit v1.2.3-70-g09d2