From 94468d6a3bea5ad6a6e0c2e92036e195c68d57d1 Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Sat, 24 Mar 2018 13:09:31 +0000 Subject: add whitelist-common.inc --- etc/evince.profile | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'etc') diff --git a/etc/evince.profile b/etc/evince.profile index 72c1ffc97..6582ad692 100644 --- a/etc/evince.profile +++ b/etc/evince.profile @@ -14,6 +14,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +include /etc/firejail/whitelist-common.inc include /etc/firejail/whitelist-var-common.inc caps.drop all @@ -39,6 +40,10 @@ private-etc fonts #private-lib - seems to be breaking on Gnome Shell 3.26.2, Mutter WM, issue 1711 #private-lib evince,libpoppler-glib.so.8 +# the below works on Arch Linux (same Gnome Shell & Mutter) +# leaving commented as it seems private-lib is currently under development +# offered here to (try to) help with that +#private-lib evince,gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.4,libpoppler-glib.so.8,librsvg-2.so.2 private-tmp -- cgit v1.2.3-54-g00ecf From 88ebb529ee6c67946d545e045726b11f052798d0 Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Sat, 24 Mar 2018 13:18:15 +0000 Subject: Create evince-previewer.profile On Arch Linux evince comes with 3 executables (evince, evince-previewer and evince-thumbnailer), of which only /usr/bin/evince is currently covered by firejail. Adding both others as redirects. --- etc/evince-previewer.profile | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 etc/evince-previewer.profile (limited to 'etc') diff --git a/etc/evince-previewer.profile b/etc/evince-previewer.profile new file mode 100644 index 000000000..d5bc6db33 --- /dev/null +++ b/etc/evince-previewer.profile 
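Review bot: The new `include /etc/firejail/whitelist-common.inc` is not paired with any `whitelist` line for the directories evince actually needs (document folders, `${DOWNLOADS}`), so if whitelist-common.inc carries `whitelist ${HOME}/...` entries, as its name suggests, the rest of `${HOME}` becomes invisible inside the sandbox and evince can no longer open files there. Either add the document paths this profile means to allow next to the include, or leave the include out; a later commit on this page reverts exactly this line, which is consistent with that breakage. If it is kept, a comment such as `# whitelist-common.inc makes ${HOME} whitelist-only; add whitelist lines for document directories below` would tell the next maintainer why it is there.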
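Review bot: The commented-out `private-lib` line pins distribution-specific sonames (`libgconf-2.so.4`, `libpoppler-glib.so.8`, `librsvg-2.so.2`) and the three comment lines above it do not say so; whoever uncomments it on a system with different sonames will get a sandbox in which evince cannot find its libraries, with nothing in the profile explaining why. Since the line is dead configuration offered for testing, either move it to the tracked issue (1711 is already referenced two lines up) or record the environment in the comment, e.g. `# tested on Arch Linux with Gnome Shell 3.26.2 / Mutter; sonames are distro-specific, re-check before enabling`.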
@@ -0,0 +1,10 @@ +# Firejail profile for evince-previewer +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/evince-previewer.local +# Persistent global definitions +include /etc/firejail/globals.local + + +# Redirect +include /etc/firejail/evince.profile -- cgit v1.2.3-54-g00ecf From ba735fb99becdad665cc0dd551ea61eb49cbc4bd Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Sat, 24 Mar 2018 13:22:08 +0000 Subject: Create evince-thumbnailer.profile On Arch Linux evince comes with 3 executables (evince, evince-previewer and evince-thumbnailer), of which only /usr/bin/evince is currently covered by firejail. Adding both others as redirects. --- etc/evince-thumbnailer.profile | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 etc/evince-thumbnailer.profile (limited to 'etc') diff --git a/etc/evince-thumbnailer.profile b/etc/evince-thumbnailer.profile new file mode 100644 index 000000000..abc21632d --- /dev/null +++ b/etc/evince-thumbnailer.profile @@ -0,0 +1,10 @@ +# Firejail profile for evince-thumbnailer +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/evince-thumbnailer.local +# Persistent global definitions +include /etc/firejail/globals.local + + +# Redirect +include /etc/firejail/evince.profile -- cgit v1.2.3-54-g00ecf From 45732a22d1ea4ec0ade0775be7243e8669b7f850 Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Sat, 24 Mar 2018 20:26:59 +0100 Subject: Revert "add whitelist-common.inc" This reverts commit 94468d6a3bea5ad6a6e0c2e92036e195c68d57d1. --- etc/evince.profile | 5 ----- 1 file changed, 5 deletions(-) (limited to 'etc') diff --git a/etc/evince.profile b/etc/evince.profile index 6582ad692..72c1ffc97 100644 --- a/etc/evince.profile +++ b/etc/evince.profile 
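Review bot: Redirecting evince-thumbnailer to evince.profile gives a non-interactive helper, which file managers run unattended on every untrusted document they display, the same sandbox as the interactive viewer, and the new file adds no tightening of its own. A thumbnailer has no reason to reach the network, so unless evince.profile already sets it (its body is not visible here), add `net none` above the `# Redirect` line. A short comment in this file would also keep future relaxations of evince.profile honest: `# evince-thumbnailer runs unattended on untrusted files; keep this profile at least as strict as evince.profile`.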
@@ -14,7 +14,6 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc -include /etc/firejail/whitelist-common.inc include /etc/firejail/whitelist-var-common.inc caps.drop all @@ -40,10 +39,6 @@ private-etc fonts #private-lib - seems to be breaking on Gnome Shell 3.26.2, Mutter WM, issue 1711 #private-lib evince,libpoppler-glib.so.8 -# the below works on Arch Linux (same Gnome Shell & Mutter) -# leaving commented as it seems private-lib is currently under development -# offered here to (try to) help with that -#private-lib evince,gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.4,libpoppler-glib.so.8,librsvg-2.so.2 private-tmp -- cgit v1.2.3-54-g00ecf From 1a8ce98198a0a5098d88c81116ef1ccbc3764b8e Mon Sep 17 00:00:00 2001 From: smitsohu Date: Sun, 25 Mar 2018 14:11:05 +0200 Subject: various profile hardening --- etc/disable-common.inc | 1 + etc/disable-programs.inc | 2 ++ etc/kate.profile | 3 +++ etc/kmail.profile | 3 ++- etc/kwrite.profile | 3 +++ 5 files changed, 11 insertions(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 19be56f86..e5de0b61f 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -75,6 +75,7 @@ blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc blacklist ${HOME}/.local/share/kglobalaccel blacklist ${HOME}/.local/share/kwin blacklist ${HOME}/.local/share/plasma +blacklist ${HOME}/.local/share/plasmashell blacklist ${HOME}/.local/share/solid read-only ${HOME}/.cache/ksycoca5_* read-only ${HOME}/.config/*notifyrc diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 3f0d7b337..de88cbc24 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc 
@@ -363,6 +363,7 @@ blacklist ${HOME}/.local/share/data/MuseScore blacklist ${HOME}/.local/share/data/qBittorrent blacklist ${HOME}/.local/share/dino blacklist ${HOME}/.local/share/dolphin +blacklist ${HOME}/.local/share/emailidentities blacklist ${HOME}/.local/share/epiphany blacklist ${HOME}/.local/share/evolution blacklist ${HOME}/.local/share/feral-interactive @@ -405,6 +406,7 @@ blacklist ${HOME}/.local/share/okular blacklist ${HOME}/.local/share/orage blacklist ${HOME}/.local/share/org.kde.gwenview blacklist ${HOME}/.local/share/pix +blacklist ${HOME}/.local/share/plasma_notes blacklist ${HOME}/.local/share/psi+ blacklist ${HOME}/.local/share/qpdfview blacklist ${HOME}/.local/share/qutebrowser diff --git a/etc/kate.profile b/etc/kate.profile index a3d2be6b2..5042077e5 100644 --- a/etc/kate.profile +++ b/etc/kate.profile @@ -42,4 +42,7 @@ private-dev # private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg private-tmp +# noexec ${HOME} +noexec /tmp + join-or-start kate diff --git a/etc/kmail.profile b/etc/kmail.profile index 3ee8370cb..952af55c8 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile @@ -5,7 +5,7 @@ include /etc/firejail/kmail.local # Persistent global definitions include /etc/firejail/globals.local -# if akonadi has a mysql backend, starting it inside this sandbox will fail +# if akonadi has a mysql backend, starting it inside this sandbox will fail. # one solution is to have akonadi already running when kmail is launched noblacklist ${HOME}/.cache/akonadi* @@ -15,6 +15,7 @@ noblacklist ${HOME}/.config/emailidentities noblacklist ${HOME}/.config/kmail2rc noblacklist ${HOME}/.local/share/akonadi/* noblacklist ${HOME}/.local/share/contacts +noblacklist ${HOME}/.local/share/emailidentities noblacklist ${HOME}/.local/share/kmail2 noblacklist ${HOME}/.local/share/local-mail noblacklist ${HOME}/.gnupg diff --git a/etc/kwrite.profile b/etc/kwrite.profile index a785f3541..1c4e50b77 100644 --- a/etc/kwrite.profile +++ b/etc/kwrite.profile 
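Review bot: `blacklist ${HOME}/.local/share/emailidentities` is only counter-balanced by the `noblacklist` this commit adds to kmail.profile; any other profile for a KDE PIM component that reads the same identities store (kontact, korganizer, akregator, if they exist in the tree) will silently lose access to it. The kmail hunk's context shows `${HOME}/.config/emailidentities` is already handled with a noblacklist, so grepping the other profiles for that path and mirroring the new `.local/share` line wherever it appears would keep them consistent.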
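Review bot: `# noexec ${HOME}` is added to kate.profile commented out while the parallel change to kwrite.profile enables it, and no comment says why kate is treated differently, so the next person hardening the file will either enable it or assume the omission is an oversight. Put the reason on the line itself, hedged if it is only suspected, e.g. `# noexec ${HOME} - not set: kate's external-tools/build plugins may run scripts from ${HOME} (verify)`. Note also that `noexec /tmp` only blocks direct execution; an interpreter handed a script path in /tmp still runs it, so any comment should not promise more than that.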
@@ -43,4 +43,7 @@ private-dev private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg private-tmp +noexec ${HOME} +noexec /tmp + join-or-start kwrite -- cgit v1.2.3-54-g00ecf