From c86cae2d08da10eaec01964654c505387ee51eac Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sat, 4 Sep 2021 19:08:32 +0200 Subject: Add new condition ALLOW_TRAY --- etc/firejail.config | 3 +++ 1 file changed, 3 insertions(+) (limited to 'etc') diff --git a/etc/firejail.config b/etc/firejail.config index 2e355586b..5111bb769 100644 --- a/etc/firejail.config +++ b/etc/firejail.config @@ -2,6 +2,9 @@ # keyword-argument pairs, one per line. Most features are enabled by default. # Use 'yes' or 'no' as configuration values. +# Allow programs to display a tray icon +# allow-tray no + # Enable AppArmor functionality, default enabled. # apparmor yes -- cgit v1.2.3-70-g09d2 From d452e45a9196aa2f4d34706fcfb7907707a19ff9 Mon Sep 17 00:00:00 2001 
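Review bot: The new `# allow-tray no` entry does not state its default the way the neighbouring entries do; the next entry reads `# Enable AppArmor functionality, default enabled.`, so for consistency write `# Allow programs to display a tray icon, default disabled.` (assuming `no` really is the built-in default, which the hunk only implies). The subject names a condition ALLOW_TRAY while the key is `allow-tray`; a short clause such as `(controls the ALLOW_TRAY profile condition)` would tie the two together for readers of the config file, if that is the relation — it cannot be confirmed from this hunk alone.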
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Wed, 8 Sep 2021 23:21:07 +0200 Subject: Add profiles for build-systems (/package-managers) Profiles: bunler, cargo (refactor), cmake (untested), make, meson, pip All redirect to build-systems-common.profile Other fixes: - blacklist ${HOME}/.bundle - blacklist ${HOME}/.cargo/* -> blacklist ${HOME}/.cargo - blacklist /usr/lib64/ruby --- etc/inc/allow-common-devel.inc | 5 ++- etc/inc/allow-ruby.inc | 1 + etc/inc/disable-interpreters.inc | 1 + etc/inc/disable-programs.inc | 3 +- etc/profile-a-l/build-systems-common.profile | 65 ++++++++++++++++++++++++++++ etc/profile-a-l/bundle.profile | 24 ++++++++++ etc/profile-a-l/cargo.profile | 61 +++----------------------- etc/profile-a-l/cmake.profile | 15 +++++++ etc/profile-m-z/make.profile | 13 ++++++ etc/profile-m-z/meson.profile | 16 +++++++ etc/profile-m-z/pip.profile | 20 +++++++++ 11 files changed, 168 insertions(+), 56 deletions(-) create mode 100644 etc/profile-a-l/build-systems-common.profile create mode 100644 etc/profile-a-l/bundle.profile create mode 100644 etc/profile-a-l/cmake.profile create mode 100644 etc/profile-m-z/make.profile create mode 100644 etc/profile-m-z/meson.profile create mode 100644 etc/profile-m-z/pip.profile (limited to 'etc') diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc index 011bbe226..4e460fc10 100644 --- a/etc/inc/allow-common-devel.inc +++ b/etc/inc/allow-common-devel.inc @@ -27,5 +27,8 @@ noblacklist ${HOME}/.python-history noblacklist ${HOME}/.python_history noblacklist ${HOME}/.pythonhist +# Ruby +noblacklist ${HOME}/.bundle + # Rust -noblacklist ${HOME}/.cargo/* +noblacklist ${HOME}/.cargo diff --git a/etc/inc/allow-ruby.inc b/etc/inc/allow-ruby.inc index a8c701219..00276cac7 100644 --- a/etc/inc/allow-ruby.inc +++ b/etc/inc/allow-ruby.inc @@ -4,3 +4,4 @@ include allow-ruby.local noblacklist ${PATH}/ruby noblacklist /usr/lib/ruby +noblacklist /usr/lib64/ruby 
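Review bot: `noblacklist ${HOME}/.bundle` in allow-common-devel.inc is inherited by every profile that includes that file (the include site in build-systems-common.profile describes it as files commonly used by IDEs), and `~/.bundle/config` is where Bundler keeps per-user settings, including credentials for private gem sources. If disable-common.inc does not blacklist that file on its own (not visible here), the new line exposes those credentials to every such sandbox; cargo.profile in this same series handles the analogous case with explicit `noblacklist ${HOME}/.cargo/credentials` lines, so either an equally explicit treatment of `${HOME}/.bundle/config` or a comment recording that the exposure was considered belongs next to the new line. The widening of `${HOME}/.cargo/*` to `${HOME}/.cargo` deserves the same one-line justification in the commit description.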
diff --git a/etc/inc/disable-interpreters.inc b/etc/inc/disable-interpreters.inc index 5d8a236fb..804869e2a 100644 --- a/etc/inc/disable-interpreters.inc +++ b/etc/inc/disable-interpreters.inc @@ -48,6 +48,7 @@ blacklist /usr/share/php* # Ruby blacklist ${PATH}/ruby blacklist /usr/lib/ruby +blacklist /usr/lib64/ruby # Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus # Python 2 diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 444446156..694e62a5f 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc @@ -49,8 +49,9 @@ blacklist ${HOME}/.bibletime blacklist ${HOME}/.bitcoin blacklist ${HOME}/.blobby blacklist ${HOME}/.bogofilter +blacklist ${HOME}/.bundle blacklist ${HOME}/.bzf -blacklist ${HOME}/.cargo/* +blacklist ${HOME}/.cargo blacklist ${HOME}/.claws-mail blacklist ${HOME}/.cliqz blacklist ${HOME}/.clion* diff --git a/etc/profile-a-l/build-systems-common.profile b/etc/profile-a-l/build-systems-common.profile new file mode 100644 index 000000000..159593eb7 --- /dev/null +++ b/etc/profile-a-l/build-systems-common.profile 
@@ -0,0 +1,65 @@ +# Firejail profile for build-systems-common +# This file is overwritten after every install/update +# Persistent local customizations +include build-systems-common.local +# Persistent global definitions +# added by caller profile +#include globals.local + +ignore noexec ${HOME} +ignore noexec /tmp + +# Allow /bin/sh (blacklisted by disable-shell.inc) +include allow-bin-sh.inc + +# Allows files commonly used by IDEs +include allow-common-devel.inc + +# Allow ssh (blacklisted by disable-common.inc) +#include allow-ssh.inc + +blacklist ${RUNUSER} + +include disable-common.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-X11.inc +include disable-xdg.inc + +whitelist ${HOME}/Projects +whitelist /usr/share/pkgconfig +include whitelist-common.inc +include whitelist-run-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +caps.drop all +ipc-namespace +machine-id +# net none +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-cache +private-dev +private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-a-l/bundle.profile b/etc/profile-a-l/bundle.profile new file mode 100644 index 000000000..269bfd130 --- /dev/null +++ b/etc/profile-a-l/bundle.profile 
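Review bot: `ignore noexec ${HOME}` and `ignore noexec /tmp` remove the noexec mounts for exactly the two directories a build writes to, and `# net none` is left commented out, but neither choice is explained in the file, so someone auditing the profile cannot tell whether they are deliberate. Suggest `# Build systems execute what they compile, so the noexec mounts on ${HOME} and /tmp are disabled` above the two ignore lines, and `# Network is kept (no 'net none') because package managers fetch dependencies` in place of the bare `# net none` — both read as the intent but should be confirmed by the author before being written as fact. `blacklist ${RUNUSER}` next to `include whitelist-run-common.inc` is another pairing whose net effect is not obvious from the file and would benefit from a one-line comment.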
@@ -0,0 +1,24 @@ +# Firejail profile for bundle +# Description: Ruby Dependency Management +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include bundle.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.bundle + +# Allow ruby (blacklisted by disable-interpreters.inc) +include allow-ruby.inc + +mkdir ${HOME}/.bundle +whitelist ${HOME}/.bundle +whitelist /usr/share/gems +whitelist /usr/share/ruby +whitelist /usr/share/rubygems + +private-bin bundle,bundler,ruby,ruby-mri + +# Redirect +include build-systems-common.profile diff --git a/etc/profile-a-l/cargo.profile b/etc/profile-a-l/cargo.profile index ff46cd429..af188e7f9 100644 --- a/etc/profile-a-l/cargo.profile +++ b/etc/profile-a-l/cargo.profile 
@@ -7,66 +7,19 @@ include cargo.local # Persistent global definitions include globals.local -ignore noexec ${HOME} -ignore noexec /tmp - -blacklist /tmp/.X11-unix -blacklist ${RUNUSER} +ignore read-only ${HOME}/.cargo/bin noblacklist ${HOME}/.cargo/credentials noblacklist ${HOME}/.cargo/credentials.toml -# Allows files commonly used by IDEs -include allow-common-devel.inc - -# Allow ssh (blacklisted by disable-common.inc) -#include allow-ssh.inc - -include disable-common.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-programs.inc -include disable-xdg.inc - -#mkdir ${HOME}/.cargo -#whitelist ${HOME}/YOUR_CARGO_PROJECTS -#whitelist ${HOME}/.cargo -#whitelist ${HOME}/.rustup -#include whitelist-common.inc -whitelist /usr/share/pkgconfig -include whitelist-runuser-common.inc -include whitelist-usr-share-common.inc -include whitelist-var-common.inc +mkdir ${HOME}/.cargo +whitelist ${HOME}/.cargo +whitelist ${HOME}/.rustup -caps.drop all -ipc-namespace -machine-id -netfilter -no3d -nodvd -nogroups -noinput -nonewprivs -noroot -nosound -notv -nou2f -novideo -protocol unix,inet,inet6 -seccomp -seccomp.block-secondary -shell none -tracelog - -disable-mnt #private-bin cargo,rustc -private-cache -private-dev private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl -private-tmp - -dbus-user none -dbus-system none memory-deny-write-execute -read-write ${HOME}/.cargo/bin + +# Redirect +include build-systems-common.profile diff --git a/etc/profile-a-l/cmake.profile b/etc/profile-a-l/cmake.profile new file mode 100644 index 000000000..1fb893f86 --- /dev/null +++ b/etc/profile-a-l/cmake.profile 
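Review bot: `ignore read-only ${HOME}/.cargo/bin` cancels a `read-only` directive that lives outside this file, and it replaces the former `read-write ${HOME}/.cargo/bin` without saying why the form changed; a comment such as `# ${HOME}/.cargo/bin is made read-only elsewhere (presumably disable-common.inc); cargo install writes there` would make the dependency explicit, with the source of the read-only line still to be confirmed. Likewise the removed `blacklist /tmp/.X11-unix` is presumably now covered by `include disable-X11.inc` in build-systems-common.profile, which neither the hunk nor the commit description states.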
@@ -0,0 +1,15 @@ +# Firejail profile for cargo +# Description: The Rust package manager +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include cargo.local +# Persistent global definitions +include globals.local + +private-bin cmake + +memory-deny-write-execute + +# Redirect +include build-systems-common.profile diff --git a/etc/profile-m-z/make.profile b/etc/profile-m-z/make.profile new file mode 100644 index 000000000..7e9638fe4 --- /dev/null +++ b/etc/profile-m-z/make.profile @@ -0,0 +1,13 @@ +# Firejail profile for make +# Description: GNU make utility to maintain groups of programs +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include make.local +# Persistent global definitions +include globals.local + +memory-deny-write-execute + +# Redirect +include build-systems-common.profile diff --git a/etc/profile-m-z/meson.profile b/etc/profile-m-z/meson.profile new file mode 100644 index 000000000..43109e771 --- /dev/null +++ b/etc/profile-m-z/meson.profile @@ -0,0 +1,16 @@ +# Firejail profile for meson +# Description: A high productivity build system +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include meson.local +# Persistent global definitions +include globals.local + +# Allow python3 (blacklisted by disable-interpreters.inc) +include allow-python3.inc + +private-bin meson,python3* + +# Redirect +include build-systems-common.profile diff --git a/etc/profile-m-z/pip.profile b/etc/profile-m-z/pip.profile new file mode 100644 index 000000000..54d95e335 --- /dev/null +++ b/etc/profile-m-z/pip.profile 
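Review bot: cmake.profile is created with cargo's header — `# Firejail profile for cargo`, `# Description: The Rust package manager` and `include cargo.local` — so cmake would read its local customizations from cargo's override file, and a user's cargo.local would silently apply to cmake. Change the lines to `# Firejail profile for cmake`, a cmake description, and `include cmake.local`. pip.profile in the next hunk has the same copy-paste slip with `include meson.local` where `include pip.local` is intended; both wrong includes are still visible as context in the later "Drop private-bin from build-systems" hunks, so they survive all four commits of this series.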
@@ -0,0 +1,20 @@ +# Firejail profile for pip +# Description: package manager for Python packages +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include meson.local +# Persistent global definitions +include globals.local + +ignore read-only ${HOME}/.local/lib + +# Allow python3 (blacklisted by disable-interpreters.inc) +include allow-python3.inc + +whitelist ${HOME}/.local/lib/python* + +private-bin pip,pip[0-9].[0-9],pip[0-9].[0-9],python3* + +# Redirect +include build-systems-common.profile -- cgit v1.2.3-70-g09d2 From 2712dd7274a59727b3118982044c7c9426099232 Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sat, 11 Sep 2021 14:38:18 +0200 Subject: build-systems-common: Make whitelist opt-in --- etc/profile-a-l/build-systems-common.profile | 5 +++-- etc/profile-a-l/bundle.profile | 5 +++-- etc/profile-a-l/cargo.profile | 5 ++--- etc/profile-m-z/pip.profile | 2 +- 4 files changed, 9 insertions(+), 8 deletions(-) (limited to 'etc') diff --git a/etc/profile-a-l/build-systems-common.profile b/etc/profile-a-l/build-systems-common.profile index 159593eb7..1b199d612 100644 --- a/etc/profile-a-l/build-systems-common.profile +++ b/etc/profile-a-l/build-systems-common.profile @@ -28,9 +28,10 @@ include disable-shell.inc include disable-X11.inc include disable-xdg.inc -whitelist ${HOME}/Projects +#whitelist ${HOME}/Projects +#include whitelist-common.inc + whitelist /usr/share/pkgconfig -include whitelist-common.inc include whitelist-run-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc diff --git a/etc/profile-a-l/bundle.profile b/etc/profile-a-l/bundle.profile index 269bfd130..a3a3e3cde 100644 --- a/etc/profile-a-l/bundle.profile +++ b/etc/profile-a-l/bundle.profile 
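Review bot: Commenting out `whitelist ${HOME}/Projects` and `include whitelist-common.inc` means the sandbox now sees all of ${HOME} except what the disable-*.inc blacklists cover, and the two commented lines give no hint that the supported way to narrow that is the user's build-systems-common.local rather than editing this file (its header says it is overwritten on update). Suggest `# To confine the build to one directory, add a whitelist for it plus 'include whitelist-common.inc' to build-systems-common.local` above the two commented lines. The same applies to the commented `#whitelist` lines in bundle.profile, cargo.profile and pip.profile in this commit.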
@@ -12,8 +12,9 @@ noblacklist ${HOME}/.bundle # Allow ruby (blacklisted by disable-interpreters.inc) include allow-ruby.inc -mkdir ${HOME}/.bundle -whitelist ${HOME}/.bundle +#whitelist ${HOME}/.bundle +#whitelist ${HOME}/.gem +#whitelist ${HOME}/.local/share/gem whitelist /usr/share/gems whitelist /usr/share/ruby whitelist /usr/share/rubygems diff --git a/etc/profile-a-l/cargo.profile b/etc/profile-a-l/cargo.profile index af188e7f9..4c8afd895 100644 --- a/etc/profile-a-l/cargo.profile +++ b/etc/profile-a-l/cargo.profile @@ -12,9 +12,8 @@ ignore read-only ${HOME}/.cargo/bin noblacklist ${HOME}/.cargo/credentials noblacklist ${HOME}/.cargo/credentials.toml -mkdir ${HOME}/.cargo -whitelist ${HOME}/.cargo -whitelist ${HOME}/.rustup +#whitelist ${HOME}/.cargo +#whitelist ${HOME}/.rustup #private-bin cargo,rustc private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl diff --git a/etc/profile-m-z/pip.profile b/etc/profile-m-z/pip.profile index 54d95e335..1f551b718 100644 --- a/etc/profile-m-z/pip.profile +++ b/etc/profile-m-z/pip.profile @@ -12,7 +12,7 @@ ignore read-only ${HOME}/.local/lib # Allow python3 (blacklisted by disable-interpreters.inc) include allow-python3.inc -whitelist ${HOME}/.local/lib/python* +#whitelist ${HOME}/.local/lib/python* private-bin pip,pip[0-9].[0-9],pip[0-9].[0-9],python3* -- cgit v1.2.3-70-g09d2 From f0d23924c185f4692d34d591a146ab8ea1186dad Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sat, 11 Sep 2021 19:45:26 +0200 Subject: Drop private-bin from build-systems --- etc/profile-a-l/bundle.profile | 2 -- etc/profile-a-l/cmake.profile | 2 -- etc/profile-m-z/meson.profile | 2 -- etc/profile-m-z/pip.profile | 2 -- 4 files changed, 8 deletions(-) (limited to 'etc') 
diff --git a/etc/profile-a-l/bundle.profile b/etc/profile-a-l/bundle.profile index a3a3e3cde..bb82022b1 100644 --- a/etc/profile-a-l/bundle.profile +++ b/etc/profile-a-l/bundle.profile @@ -19,7 +19,5 @@ whitelist /usr/share/gems whitelist /usr/share/ruby whitelist /usr/share/rubygems -private-bin bundle,bundler,ruby,ruby-mri - # Redirect include build-systems-common.profile diff --git a/etc/profile-a-l/cmake.profile b/etc/profile-a-l/cmake.profile index 1fb893f86..26cc2a00a 100644 --- a/etc/profile-a-l/cmake.profile +++ b/etc/profile-a-l/cmake.profile @@ -7,8 +7,6 @@ include cargo.local # Persistent global definitions include globals.local -private-bin cmake - memory-deny-write-execute # Redirect diff --git a/etc/profile-m-z/meson.profile b/etc/profile-m-z/meson.profile index 43109e771..b4909a9d8 100644 --- a/etc/profile-m-z/meson.profile +++ b/etc/profile-m-z/meson.profile @@ -10,7 +10,5 @@ include globals.local # Allow python3 (blacklisted by disable-interpreters.inc) include allow-python3.inc -private-bin meson,python3* - # Redirect include build-systems-common.profile diff --git a/etc/profile-m-z/pip.profile b/etc/profile-m-z/pip.profile index 1f551b718..a0926371f 100644 --- a/etc/profile-m-z/pip.profile +++ b/etc/profile-m-z/pip.profile @@ -14,7 +14,5 @@ include allow-python3.inc #whitelist ${HOME}/.local/lib/python* -private-bin pip,pip[0-9].[0-9],pip[0-9].[0-9],python3* - # Redirect include build-systems-common.profile -- cgit v1.2.3-70-g09d2 From 23d723149d6096cd584fe2ced62aefd59a79496e Mon Sep 17 00:00:00 2001 From: Christian Pinedo Date: Thu, 24 Jun 2021 20:19:57 +0200 Subject: Comment to use UPnP with amule.profile In order UPnP to work netlink protocol must be enabled. --- etc/profile-a-l/amule.profile | 1 + 1 file changed, 1 insertion(+) (limited to 'etc') diff --git a/etc/profile-a-l/amule.profile b/etc/profile-a-l/amule.profile index e3c4164ee..f6e399e9f 100644 --- a/etc/profile-a-l/amule.profile +++ b/etc/profile-a-l/amule.profile 
@@ -33,6 +33,7 @@ nosound
 notv
 nou2f
 novideo
+# Add netlink protocol to use UPnP
 protocol unix,inet,inet6
 seccomp
 shell none
-- cgit v1.2.3-70-g09d2 From 8e0172529de792e0bc1e3cf06eaac11e85a22195 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Mon, 4 Oct 2021 02:09:14 -0300 Subject: vscodium.profile: fix wrong program name in the comments Added on commit 4bb7dee49 ("small changes", 2019-02-07). --- etc/profile-m-z/vscodium.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc')
diff --git a/etc/profile-m-z/vscodium.profile b/etc/profile-m-z/vscodium.profile
index a4a4fb7d8..176d00822 100644
--- a/etc/profile-m-z/vscodium.profile
+++ b/etc/profile-m-z/vscodium.profile
@@ -1,4 +1,4 @@
-# Firejail profile alias for Visual Studio Code
+# Firejail profile alias for VSCodium
 # This file is overwritten after every install/update
 # Persistent local customizations
 include vscodium.local
-- cgit v1.2.3-70-g09d2 From 186b32cf2ea2aa1866c80b25d1c3ab7a16fff88e Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Mon, 4 Oct 2021 02:01:07 -0300 Subject: vscodium.profile: add missing paths It creates the following directories on startup: * ~/.config/VSCodium * ~/.vscode-oss Environment: $ grep '^NAME' /etc/os-release NAME="Artix Linux" $ pacman -Q vscodium-bin vscodium-bin 1.60.2-2 Note: The following entry is already on disable-programs.inc: noblacklist ${HOME}/.vscode-oss It was added on commit de90834a8 ("Update disable-programs.inc", 2019-03-02). Relates to #3871. --- etc/inc/disable-programs.inc | 1 + etc/profile-m-z/vscodium.profile | 2 ++ 2 files changed, 3 insertions(+) (limited to 'etc')
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 511d8730e..e11df4e64 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
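Review bot: The new comment `# Add netlink protocol to use UPnP` says what is needed but not how, and a user cannot edit the line below it in place because installed profiles are overwritten on update; reword it to `# To use UPnP, add netlink to the protocol list (protocol unix,inet,inet6,netlink) in the profile's .local file` so both the complete line and its proper location are given. Whether a second `protocol` line in the .local file merges with or replaces this one is not visible in the hunk and should be stated in the comment once confirmed.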
@@ -142,6 +142,7 @@ blacklist ${HOME}/.config/SubDownloader blacklist ${HOME}/.config/Thunar blacklist ${HOME}/.config/Twitch blacklist ${HOME}/.config/Unknown Organization +blacklist ${HOME}/.config/VSCodium blacklist ${HOME}/.config/VirtualBox blacklist ${HOME}/.config/Whalebird blacklist ${HOME}/.config/Wire diff --git a/etc/profile-m-z/vscodium.profile b/etc/profile-m-z/vscodium.profile index 176d00822..9c0a887b2 100644 --- a/etc/profile-m-z/vscodium.profile +++ b/etc/profile-m-z/vscodium.profile @@ -7,6 +7,8 @@ include vscodium.local #include globals.local noblacklist ${HOME}/.VSCodium +noblacklist ${HOME}/.config/VSCodium +noblacklist ${HOME}/.vscode-oss # Redirect include code.profile -- cgit v1.2.3-70-g09d2 From 94ab0ec71b3c550ff8ce0d6458d3257a3d3d1ed7 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Mon, 4 Oct 2021 02:14:07 -0300 Subject: Add codium.profile as a redirect to vscodium.profile Both base names are valid: $ grep '^NAME' /etc/os-release NAME="Artix Linux" $ pacman -Q vscodium-bin vscodium-bin 1.60.2-2 $ pacman -Qlq vscodium-bin | grep -v -e '/$' -e /resources/ | grep /bin/ /usr/bin/codium /usr/bin/vscodium /usr/share/vscodium-bin/bin/codium Note: The first two paths are symlinks to the third one. Fixes #3871. --- etc/profile-a-l/codium.profile | 10 ++++++++++ src/firecfg/firecfg.config | 1 + 2 files changed, 11 insertions(+) create mode 100644 etc/profile-a-l/codium.profile (limited to 'etc') diff --git a/etc/profile-a-l/codium.profile b/etc/profile-a-l/codium.profile new file mode 100644 index 000000000..9ff87ed8a --- /dev/null +++ b/etc/profile-a-l/codium.profile @@ -0,0 +1,10 @@ +# Firejail profile alias for VSCodium +# This file is overwritten after every install/update +# Persistent local customizations +include codium.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include vscodium.profile 
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index a544e25f2..aad22ec7a 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -151,6 +151,7 @@ clocks
 cmus
 code
 code-oss
+codium
 cola
 colorful
 com.github.bleakgrey.tootle
-- cgit v1.2.3-70-g09d2