From 2d60937932a44ed5dfe3afecdae846386275a25a Mon Sep 17 00:00:00 2001
From: Thomas Jarosch
Date: Sat, 30 Jul 2016 23:10:50 +0200
Subject: Add profiles for tar (gtar), unzip and unrar

I've tested compression and uncompression of various tar formats and also straced unzip/unrar regarding their file access in /etc. -> should be fine. If you want to unpack files in /usr/bin, then use the --ignore=private-bin switch. Same for /etc: --ignore=private-etc
---
etc/gtar.profile | 1 +
etc/tar.profile | 13 +++++++++++++
etc/unrar.profile | 11 +++++++++++
etc/unzip.profile | 11 +++++++++++
4 files changed, 36 insertions(+)
create mode 100644 etc/gtar.profile
create mode 100644 etc/tar.profile
create mode 100644 etc/unrar.profile
create mode 100644 etc/unzip.profile
(limited to 'etc')
diff --git a/etc/gtar.profile b/etc/gtar.profile
new file mode 100644
index 000000000..5dbc550f6
--- /dev/null
+++ b/etc/gtar.profile
@@ -0,0 +1 @@
+include /etc/firejail/tar.profile
diff --git a/etc/tar.profile b/etc/tar.profile
new file mode 100644
index 000000000..4ce3e59f0
--- /dev/null
+++ b/etc/tar.profile
@@ -0,0 +1,13 @@
+# tar profile
+include /etc/firejail/default.profile
+
+tracelog
+net none
+shell none
+
+# support compressed archives
+private-bin tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop
+private-dev
+private-etc passwd,group,localtime
+hostname tar
+nosound
diff --git a/etc/unrar.profile b/etc/unrar.profile
new file mode 100644
index 000000000..ccd144699
--- /dev/null
+++ b/etc/unrar.profile
@@ -0,0 +1,11 @@
+# unrar profile
+include /etc/firejail/default.profile
+
+tracelog
+net none
+shell none
+private-bin unrar
+private-dev
+private-etc passwd,group,localtime
+hostname unrar
+nosound
diff --git a/etc/unzip.profile b/etc/unzip.profile
new file mode 100644
index 000000000..d4862004c
--- /dev/null
+++ b/etc/unzip.profile
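Review bot: In etc/tar.profile the `private-bin` line is the complete set of compressors tar can run inside the sandbox, and the comment above it does not say so, so an archive that needs a helper missing from the list fails with an exec error that is hard to trace back to the profile. I would extend that comment to `# support compressed archives: tar runs these as external helpers, a compressor not listed here is unavailable in the sandbox`. Separately, no visible directive confines where extracted files are written (there is no `private`, `whitelist` or `read-only` line), so any protection against an archive that writes outside the intended directory depends on what /etc/firejail/default.profile sets, which is outside this patch. The same holds for etc/unrar.profile and etc/unzip.profile, and a one-line comment in each stating that assumption would make the intended threat model clear.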
@@ -0,0 +1,11 @@
+# unzip profile
+include /etc/firejail/default.profile
+
+tracelog
+net none
+shell none
+private-bin unzip
+private-dev
+private-etc passwd,group,localtime
+hostname unzip
+nosound
--
cgit v1.2.3-70-g09d2
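Review bot: etc/unzip.profile repeats etc/unrar.profile line for line apart from the header comment and the `private-bin` and `hostname` values, and etc/tar.profile differs only by its longer `private-bin` list, so a later hardening change has to be made three times and the profiles can drift apart. Consider moving the shared directives (`tracelog`, `net none`, `shell none`, `private-dev`, `private-etc passwd,group,localtime`, `nosound`) into one included profile, the way etc/gtar.profile already reuses tar.profile through `include /etc/firejail/tar.profile`. A short comment on `private-etc` saying why passwd and group are kept (presumably for owner-name lookup, going by the strace testing the commit message mentions) would also record the reasoning next to the setting.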