From d452e45a9196aa2f4d34706fcfb7907707a19ff9 Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Wed, 8 Sep 2021 23:21:07 +0200 Subject: Add profiles for build-systems (/package-managers) Profiles: bunler, cargo (refactor), cmake (untested), make, meson, pip All redirect to build-systems-common.profile Other fixes: - blacklist ${HOME}/.bundle - blacklist ${HOME}/.cargo/* -> blacklist ${HOME}/.cargo - blacklist /usr/lib64/ruby --- etc/inc/allow-common-devel.inc | 5 ++- etc/inc/allow-ruby.inc | 1 + etc/inc/disable-interpreters.inc | 1 + etc/inc/disable-programs.inc | 3 +- etc/profile-a-l/build-systems-common.profile | 65 ++++++++++++++++++++++++++++ etc/profile-a-l/bundle.profile | 24 ++++++++++ etc/profile-a-l/cargo.profile | 61 +++----------------------- etc/profile-a-l/cmake.profile | 15 +++++++ etc/profile-m-z/make.profile | 13 ++++++ etc/profile-m-z/meson.profile | 16 +++++++ etc/profile-m-z/pip.profile | 20 +++++++++ 11 files changed, 168 insertions(+), 56 deletions(-) create mode 100644 etc/profile-a-l/build-systems-common.profile create mode 100644 etc/profile-a-l/bundle.profile create mode 100644 etc/profile-a-l/cmake.profile create mode 100644 etc/profile-m-z/make.profile create mode 100644 etc/profile-m-z/meson.profile create mode 100644 etc/profile-m-z/pip.profile (limited to 'etc') diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc index 011bbe226..4e460fc10 100644 --- a/etc/inc/allow-common-devel.inc +++ b/etc/inc/allow-common-devel.inc @@ -27,5 +27,8 @@ noblacklist ${HOME}/.python-history noblacklist ${HOME}/.python_history noblacklist ${HOME}/.pythonhist +# Ruby +noblacklist ${HOME}/.bundle + # Rust -noblacklist ${HOME}/.cargo/* +noblacklist ${HOME}/.cargo diff --git a/etc/inc/allow-ruby.inc b/etc/inc/allow-ruby.inc index a8c701219..00276cac7 100644 --- a/etc/inc/allow-ruby.inc +++ b/etc/inc/allow-ruby.inc 
@@ -4,3 +4,4 @@ include allow-ruby.local noblacklist ${PATH}/ruby noblacklist /usr/lib/ruby +noblacklist /usr/lib64/ruby diff --git a/etc/inc/disable-interpreters.inc b/etc/inc/disable-interpreters.inc index 5d8a236fb..804869e2a 100644 --- a/etc/inc/disable-interpreters.inc +++ b/etc/inc/disable-interpreters.inc @@ -48,6 +48,7 @@ blacklist /usr/share/php* # Ruby blacklist ${PATH}/ruby blacklist /usr/lib/ruby +blacklist /usr/lib64/ruby # Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus # Python 2 diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 444446156..694e62a5f 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc @@ -49,8 +49,9 @@ blacklist ${HOME}/.bibletime blacklist ${HOME}/.bitcoin blacklist ${HOME}/.blobby blacklist ${HOME}/.bogofilter +blacklist ${HOME}/.bundle blacklist ${HOME}/.bzf -blacklist ${HOME}/.cargo/* +blacklist ${HOME}/.cargo blacklist ${HOME}/.claws-mail blacklist ${HOME}/.cliqz blacklist ${HOME}/.clion* diff --git a/etc/profile-a-l/build-systems-common.profile b/etc/profile-a-l/build-systems-common.profile new file mode 100644 index 000000000..159593eb7 --- /dev/null +++ b/etc/profile-a-l/build-systems-common.profile 
@@ -0,0 +1,65 @@
+# Firejail profile for build-systems-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include build-systems-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+ignore noexec ${HOME}
+ignore noexec /tmp
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+# Allow ssh (blacklisted by disable-common.inc)
+#include allow-ssh.inc
+
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-X11.inc
+include disable-xdg.inc
+
+whitelist ${HOME}/Projects
+whitelist /usr/share/pkgconfig
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+# net none
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/bundle.profile b/etc/profile-a-l/bundle.profile
new file mode 100644
index 000000000..269bfd130
--- /dev/null
+++ b/etc/profile-a-l/bundle.profile
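Review bot: The two `ignore noexec` lines and the commented `# net none` in build-systems-common.profile carry no rationale, although they are the lines that make this shared profile weaker than the usual defaults; a reader of a caller profile cannot tell why they are there. I would add `# Build artifacts in ${HOME} and /tmp must be executable` above `ignore noexec ${HOME}`, and replace the bare `# net none` with `# net none is not set: the package managers presumably have to fetch dependencies (confirm per caller)`. The same hunk already includes allow-common-devel.inc before disable-programs.inc, which is the ordering the `noblacklist ${HOME}/.cargo` / `${HOME}/.bundle` entries added elsewhere in this commit rely on, so that part needs no change.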
@@ -0,0 +1,24 @@
+# Firejail profile for bundle
+# Description: Ruby Dependency Management
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include bundle.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.bundle
+
+# Allow ruby (blacklisted by disable-interpreters.inc)
+include allow-ruby.inc
+
+mkdir ${HOME}/.bundle
+whitelist ${HOME}/.bundle
+whitelist /usr/share/gems
+whitelist /usr/share/ruby
+whitelist /usr/share/rubygems
+
+private-bin bundle,bundler,ruby,ruby-mri
+
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-a-l/cargo.profile b/etc/profile-a-l/cargo.profile
index ff46cd429..af188e7f9 100644
--- a/etc/profile-a-l/cargo.profile
+++ b/etc/profile-a-l/cargo.profile
@@ -7,66 +7,19 @@ include cargo.local # Persistent global definitions include globals.local -ignore noexec ${HOME} -ignore noexec /tmp - -blacklist /tmp/.X11-unix -blacklist ${RUNUSER} +ignore read-only ${HOME}/.cargo/bin noblacklist ${HOME}/.cargo/credentials noblacklist ${HOME}/.cargo/credentials.toml -# Allows files commonly used by IDEs -include allow-common-devel.inc - -# Allow ssh (blacklisted by disable-common.inc) -#include allow-ssh.inc - -include disable-common.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-programs.inc -include disable-xdg.inc - -#mkdir ${HOME}/.cargo -#whitelist ${HOME}/YOUR_CARGO_PROJECTS -#whitelist ${HOME}/.cargo -#whitelist ${HOME}/.rustup -#include whitelist-common.inc -whitelist /usr/share/pkgconfig -include whitelist-runuser-common.inc -include whitelist-usr-share-common.inc -include whitelist-var-common.inc +mkdir ${HOME}/.cargo +whitelist ${HOME}/.cargo +whitelist ${HOME}/.rustup -caps.drop all -ipc-namespace -machine-id -netfilter -no3d -nodvd -nogroups -noinput -nonewprivs -noroot -nosound -notv -nou2f -novideo -protocol unix,inet,inet6 -seccomp -seccomp.block-secondary -shell none -tracelog - -disable-mnt #private-bin cargo,rustc -private-cache -private-dev private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl -private-tmp - -dbus-user none -dbus-system none memory-deny-write-execute -read-write ${HOME}/.cargo/bin + +# Redirect +include build-systems-common.profile diff --git a/etc/profile-a-l/cmake.profile b/etc/profile-a-l/cmake.profile new file mode 100644 index 000000000..1fb893f86 --- /dev/null +++ b/etc/profile-a-l/cmake.profile 
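Review bot: With the new `whitelist ${HOME}/.cargo` the kept `noblacklist ${HOME}/.cargo/credentials` / `credentials.toml` lines make the registry token visible to everything cargo executes in the sandbox, including build scripts and procedural macros of dependencies, while only `cargo login`/`cargo publish` need it. I would make that opt-in in the same way the other whitelists are: `# Uncomment to allow cargo login/publish (exposes the registry token to build scripts)` followed by `#noblacklist ${HOME}/.cargo/credentials` and `#noblacklist ${HOME}/.cargo/credentials.toml`. The replacement of `read-write ${HOME}/.cargo/bin` by `ignore read-only ${HOME}/.cargo/bin` only has an effect if a later included file sets `read-only` on that path; a short comment naming that file would help, since I cannot confirm it from this diff.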
@@ -0,0 +1,15 @@
+# Firejail profile for cargo
+# Description: The Rust package manager
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include cargo.local
+# Persistent global definitions
+include globals.local
+
+private-bin cmake
+
+memory-deny-write-execute
+
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-m-z/make.profile b/etc/profile-m-z/make.profile
new file mode 100644
index 000000000..7e9638fe4
--- /dev/null
+++ b/etc/profile-m-z/make.profile
@@ -0,0 +1,13 @@
+# Firejail profile for make
+# Description: GNU make utility to maintain groups of programs
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include make.local
+# Persistent global definitions
+include globals.local
+
+memory-deny-write-execute
+
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-m-z/meson.profile b/etc/profile-m-z/meson.profile
new file mode 100644
index 000000000..43109e771
--- /dev/null
+++ b/etc/profile-m-z/meson.profile
@@ -0,0 +1,16 @@
+# Firejail profile for meson
+# Description: A high productivity build system
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include meson.local
+# Persistent global definitions
+include globals.local
+
+# Allow python3 (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+private-bin meson,python3*
+
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-m-z/pip.profile b/etc/profile-m-z/pip.profile
new file mode 100644
index 000000000..54d95e335
--- /dev/null
+++ b/etc/profile-m-z/pip.profile
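Review bot: The header of the new cmake.profile is copied from cargo.profile: its first, second and sixth lines read `# Firejail profile for cargo`, `# Description: The Rust package manager` and `include cargo.local`, so a user's cargo.local customizations are silently applied to cmake and cmake has no .local of its own. They should read `# Firejail profile for cmake`, a cmake description, and `include cmake.local`; the third commit's cmake hunk header (`@@ -7,8 +7,6 @@ include cargo.local`) shows the line is still there after the series. The pip.profile hunk in the next chunk has the same copy-paste defect, `include meson.local` where `include pip.local` is meant.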
@@ -0,0 +1,20 @@ +# Firejail profile for pip +# Description: package manager for Python packages +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include meson.local +# Persistent global definitions +include globals.local + +ignore read-only ${HOME}/.local/lib + +# Allow python3 (blacklisted by disable-interpreters.inc) +include allow-python3.inc + +whitelist ${HOME}/.local/lib/python* + +private-bin pip,pip[0-9].[0-9],pip[0-9].[0-9],python3* + +# Redirect +include build-systems-common.profile -- cgit v1.2.3-54-g00ecf From 2712dd7274a59727b3118982044c7c9426099232 Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sat, 11 Sep 2021 14:38:18 +0200 Subject: build-systems-common: Make whitelist opt-in --- etc/profile-a-l/build-systems-common.profile | 5 +++-- etc/profile-a-l/bundle.profile | 5 +++-- etc/profile-a-l/cargo.profile | 5 ++--- etc/profile-m-z/pip.profile | 2 +- 4 files changed, 9 insertions(+), 8 deletions(-) (limited to 'etc') diff --git a/etc/profile-a-l/build-systems-common.profile b/etc/profile-a-l/build-systems-common.profile index 159593eb7..1b199d612 100644 --- a/etc/profile-a-l/build-systems-common.profile +++ b/etc/profile-a-l/build-systems-common.profile @@ -28,9 +28,10 @@ include disable-shell.inc include disable-X11.inc include disable-xdg.inc -whitelist ${HOME}/Projects +#whitelist ${HOME}/Projects +#include whitelist-common.inc + whitelist /usr/share/pkgconfig -include whitelist-common.inc include whitelist-run-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc diff --git a/etc/profile-a-l/bundle.profile b/etc/profile-a-l/bundle.profile index 269bfd130..a3a3e3cde 100644 --- a/etc/profile-a-l/bundle.profile +++ b/etc/profile-a-l/bundle.profile 
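Review bot: The opt-in lines `#whitelist ${HOME}/Projects` and `#include whitelist-common.inc` in build-systems-common.profile lack a comment telling the reader how they are meant to be enabled, and that they are coupled: once any `whitelist ${HOME}/...` is uncommented in a caller profile or a .local file, `include whitelist-common.inc` needs to be enabled as well, otherwise (as I read firejail's whitelist semantics, confirm) only the single uncommented path remains visible under ${HOME}. I would put `# To restrict ${HOME}: uncomment the two lines below and the whitelist lines in the caller profile` above them. The remaining `whitelist /usr/share/pkgconfig` and the `whitelist-*-common.inc` includes keep /usr/share, /run and /var whitelisted regardless, which is fine but worth stating in the same comment.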
@@ -12,8 +12,9 @@ noblacklist ${HOME}/.bundle # Allow ruby (blacklisted by disable-interpreters.inc) include allow-ruby.inc -mkdir ${HOME}/.bundle -whitelist ${HOME}/.bundle +#whitelist ${HOME}/.bundle +#whitelist ${HOME}/.gem +#whitelist ${HOME}/.local/share/gem whitelist /usr/share/gems whitelist /usr/share/ruby whitelist /usr/share/rubygems diff --git a/etc/profile-a-l/cargo.profile b/etc/profile-a-l/cargo.profile index af188e7f9..4c8afd895 100644 --- a/etc/profile-a-l/cargo.profile +++ b/etc/profile-a-l/cargo.profile @@ -12,9 +12,8 @@ ignore read-only ${HOME}/.cargo/bin noblacklist ${HOME}/.cargo/credentials noblacklist ${HOME}/.cargo/credentials.toml -mkdir ${HOME}/.cargo -whitelist ${HOME}/.cargo -whitelist ${HOME}/.rustup +#whitelist ${HOME}/.cargo +#whitelist ${HOME}/.rustup #private-bin cargo,rustc private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl diff --git a/etc/profile-m-z/pip.profile b/etc/profile-m-z/pip.profile index 54d95e335..1f551b718 100644 --- a/etc/profile-m-z/pip.profile +++ b/etc/profile-m-z/pip.profile @@ -12,7 +12,7 @@ ignore read-only ${HOME}/.local/lib # Allow python3 (blacklisted by disable-interpreters.inc) include allow-python3.inc -whitelist ${HOME}/.local/lib/python* +#whitelist ${HOME}/.local/lib/python* private-bin pip,pip[0-9].[0-9],pip[0-9].[0-9],python3* -- cgit v1.2.3-54-g00ecf From f0d23924c185f4692d34d591a146ab8ea1186dad Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sat, 11 Sep 2021 19:45:26 +0200 Subject: Drop private-bin from build-systems --- etc/profile-a-l/bundle.profile | 2 -- etc/profile-a-l/cmake.profile | 2 -- etc/profile-m-z/meson.profile | 2 -- etc/profile-m-z/pip.profile | 2 -- 4 files changed, 8 deletions(-) (limited to 'etc') 
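Review bot: The cargo and bundle hunks drop `mkdir ${HOME}/.cargo` and `mkdir ${HOME}/.bundle` while keeping the matching whitelist lines as commented opt-ins; a user who later uncomments `#whitelist ${HOME}/.cargo` on a machine where the directory does not exist yet will, as far as I know firejail's whitelist handling (confirm), get the entry skipped with a warning instead of a usable sandbox. I would keep the mkdir next to the whitelist it belongs to, also commented: `#mkdir ${HOME}/.cargo` directly above `#whitelist ${HOME}/.cargo`, and `#mkdir ${HOME}/.bundle` above `#whitelist ${HOME}/.bundle` in bundle.profile.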
diff --git a/etc/profile-a-l/bundle.profile b/etc/profile-a-l/bundle.profile index a3a3e3cde..bb82022b1 100644 --- a/etc/profile-a-l/bundle.profile +++ b/etc/profile-a-l/bundle.profile @@ -19,7 +19,5 @@ whitelist /usr/share/gems whitelist /usr/share/ruby whitelist /usr/share/rubygems -private-bin bundle,bundler,ruby,ruby-mri - # Redirect include build-systems-common.profile diff --git a/etc/profile-a-l/cmake.profile b/etc/profile-a-l/cmake.profile index 1fb893f86..26cc2a00a 100644 --- a/etc/profile-a-l/cmake.profile +++ b/etc/profile-a-l/cmake.profile @@ -7,8 +7,6 @@ include cargo.local # Persistent global definitions include globals.local -private-bin cmake - memory-deny-write-execute # Redirect diff --git a/etc/profile-m-z/meson.profile b/etc/profile-m-z/meson.profile index 43109e771..b4909a9d8 100644 --- a/etc/profile-m-z/meson.profile +++ b/etc/profile-m-z/meson.profile @@ -10,7 +10,5 @@ include globals.local # Allow python3 (blacklisted by disable-interpreters.inc) include allow-python3.inc -private-bin meson,python3* - # Redirect include build-systems-common.profile diff --git a/etc/profile-m-z/pip.profile b/etc/profile-m-z/pip.profile index 1f551b718..a0926371f 100644 --- a/etc/profile-m-z/pip.profile +++ b/etc/profile-m-z/pip.profile @@ -14,7 +14,5 @@ include allow-python3.inc #whitelist ${HOME}/.local/lib/python* -private-bin pip,pip[0-9].[0-9],pip[0-9].[0-9],python3* - # Redirect include build-systems-common.profile -- cgit v1.2.3-54-g00ecf