From 2d60937932a44ed5dfe3afecdae846386275a25a Mon Sep 17 00:00:00 2001
From: Thomas Jarosch
Date: Sat, 30 Jul 2016 23:10:50 +0200
Subject: Add profiles for tar (gtar), unzip and unrar
I've tested compression and uncompression of various tar formats and also straced unzip/unrar regarding their file access in /etc. -> should be fine. If you want to unpack files in /usr/bin, then use the --ignore=private-bin switch. Same for /etc: --ignore=private-etc
---
 etc/gtar.profile | 1 +
 etc/tar.profile | 13 +++++++++++++
 etc/unrar.profile | 11 +++++++++++
 etc/unzip.profile | 11 +++++++++++
 4 files changed, 36 insertions(+)
 create mode 100644 etc/gtar.profile
 create mode 100644 etc/tar.profile
 create mode 100644 etc/unrar.profile
 create mode 100644 etc/unzip.profile
(limited to 'etc')
diff --git a/etc/gtar.profile b/etc/gtar.profile
new file mode 100644
index 000000000..5dbc550f6
--- /dev/null
+++ b/etc/gtar.profile
@@ -0,0 +1 @@
+include /etc/firejail/tar.profile
diff --git a/etc/tar.profile b/etc/tar.profile
new file mode 100644
index 000000000..4ce3e59f0
--- /dev/null
+++ b/etc/tar.profile
@@ -0,0 +1,13 @@
+# tar profile
+include /etc/firejail/default.profile
+
+tracelog
+net none
+shell none
+
+# support compressed archives
+private-bin tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop
+private-dev
+private-etc passwd,group,localtime
+hostname tar
+nosound
diff --git a/etc/unrar.profile b/etc/unrar.profile
new file mode 100644
index 000000000..ccd144699
--- /dev/null
+++ b/etc/unrar.profile
@@ -0,0 +1,11 @@
+# unrar profile
+include /etc/firejail/default.profile
+
+tracelog
+net none
+shell none
+private-bin unrar
+private-dev
+private-etc passwd,group,localtime
+hostname unrar
+nosound
diff --git a/etc/unzip.profile b/etc/unzip.profile
new file mode 100644
index 000000000..d4862004c
--- /dev/null
+++ b/etc/unzip.profile
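Review bot: The hardening of etc/tar.profile beyond the `private-*` lines comes entirely from `include /etc/firejail/default.profile`, which is outside this change, so the hunk alone does not show whether `caps.drop all`, `seccomp` and `nonewprivs` apply to a tool that parses untrusted archives. If default.profile does not already set them, add `caps.drop all`, `seccomp` and `nonewprivs` after the `shell none` line; the same applies to etc/unrar.profile and etc/unzip.profile in this commit and to etc/file.profile in the following one. Separately, the `private-bin tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop` line fixes the complete set of helpers tar can exec, so an `-I`/`--use-compress-program` helper not in the list (zstd, for example) fails inside the jail rather than falling back. Since the commit message is the only place that documents the `--ignore=private-bin` workaround, a header comment such as `# compressors not listed in private-bin cannot be used via -I; run with --ignore=private-bin` would make the limitation visible in the profile itself.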
@@ -0,0 +1,11 @@
+# unzip profile
+include /etc/firejail/default.profile
+
+tracelog
+net none
+shell none
+private-bin unzip
+private-dev
+private-etc passwd,group,localtime
+hostname unzip
+nosound
-- 
cgit v1.2.3-54-g00ecf
From f72ac8eab33b4c923d75e010545721cc8fe552ce Mon Sep 17 00:00:00 2001
From: Thomas Jarosch
Date: Sun, 31 Jul 2016 00:22:46 +0200
Subject: Add file.profile
---
 Makefile.in | 1 +
 README | 1 +
 README.md | 2 +-
 RELNOTES | 1 +
 etc/file.profile | 11 +++++++++++
 platform/debian/conffiles | 1 +
 6 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 etc/file.profile
(limited to 'etc')
diff --git a/Makefile.in b/Makefile.in
index 50210fcd9..6837d59cd 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -131,6 +131,7 @@ realinstall:
 install -c -m 0644 .etc/epiphany.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/evince.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/fbreader.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+ install -c -m 0644 .etc/file.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/filezilla.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/firefox-esr.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/firefox.profile $(DESTDIR)/$(sysconfdir)/firejail/.
diff --git a/README b/README
index 76c0ed30d..9e2073e66 100644
--- a/README
+++ b/README
@@ -35,6 +35,7 @@ Thomas Jarosch (https://github.com/thomasjfox)
 - disable keepassx in disable-passwdmgr.inc
 - added uudeview profile
 - added tar (gtar), unzip and unrar profile
+ - added file profile
 - improved profile list
 Niklas Haas (https://github.com/haasn)
 - blacklisting for keybase.io's client
diff --git a/README.md b/README.md
index faa647125..b186db8db 100644
--- a/README.md
+++ b/README.md
@@ -156,5 +156,5 @@ Browsers: Palemoon
 ## New security profiles
 Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview
-tar (gtar), unzip, unrar
+tar (gtar), unzip, unrar, file
diff --git a/RELNOTES b/RELNOTES
index e37e24778..4d7f67bda 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -16,6 +16,7 @@ firejail (0.9.42~rc2) baseline; urgency=low
 * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice
 * new profiles: pix, audacity, strings, xz, xzdec, gzip, cpio, less
 * new profiles: Atom Beta, Atom, jitsi, eom, uudeview
+ * new profiles: tar (gtar), unzip, unrar, file
 -- netblue30 Thu, 21 Jul 2016 08:00:00 -0500
 firejail (0.9.40) baseline; urgency=low
diff --git a/etc/file.profile b/etc/file.profile
new file mode 100644
index 000000000..357576040
--- /dev/null
+++ b/etc/file.profile
@@ -0,0 +1,11 @@
+# file profile
+include /etc/firejail/default.profile
+
+tracelog
+net none
+shell none
+private-bin file
+private-dev
+private-etc magic.mgc,magic,localtime
+hostname file
+nosound
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index d302c5732..76ca9d44e 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -36,6 +36,7 @@
 /etc/firejail/epiphany.profile
 /etc/firejail/evince.profile
 /etc/firejail/fbreader.profile
+/etc/firejail/file.profile
 /etc/firejail/filezilla.profile
 /etc/firejail/firefox-esr.profile
 /etc/firejail/firefox.profile
-- 
cgit v1.2.3-54-g00ecf
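Review bot: `private-bin file` in etc/file.profile leaves only the file binary in the jail, yet libmagic's compressed-file inspection (`file -z`) delegates to external decompressors (gzip, bzip2, xz, ...) unless libmagic was built against the corresponding libraries, so `-z` may fail in this sandbox; confirm against the libmagic build on the target distributions. If that mode matters, extend the line to e.g. `private-bin file,gzip,bzip2,xz` the way etc/tar.profile lists its helpers, otherwise record the trade-off with `# file -z relies on external decompressors, which private-bin excludes`. Whether `private-etc magic.mgc,magic,localtime` is complete is likewise only verifiable by tracing file's /etc access, which the commit message does not mention doing for this profile.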