From 65911742d70fbe287fc9d0e6f2c9a92e2b6657de Mon Sep 17 00:00:00 2001
From: netblue30
Date: Wed, 28 Oct 2020 09:18:18 -0400
Subject: added bluetooth to the list of protocols allowed by seccomp
---
 etc/apparmor/firejail-default | 3 ++-
 etc/profile-m-z/tcpdump.profile | 2 +-
 etc/profile-m-z/tshark.profile | 44 ++------------------------------------------
 etc/profile-m-z/wireshark.profile | 4 ++--
 4 files changed, 7 insertions(+), 46 deletions(-)
(limited to 'etc')
diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default
index e396ae7d9..ec87f1d2d 100644
--- a/etc/apparmor/firejail-default
+++ b/etc/apparmor/firejail-default
@@ -112,7 +112,8 @@ network inet6,
 network unix,
 network netlink,
 network raw,
-# needed for wireshark
+# needed for wireshark, tcpdump etc
+network bluetooth,
 network packet,
 ##########
diff --git a/etc/profile-m-z/tcpdump.profile b/etc/profile-m-z/tcpdump.profile
index 881fbf49e..7984702f3 100644
--- a/etc/profile-m-z/tcpdump.profile
+++ b/etc/profile-m-z/tcpdump.profile
@@ -33,7 +33,7 @@ nosound
 notv
 nou2f
 novideo
-protocol unix,inet,inet6,netlink,packet
+protocol unix,inet,inet6,netlink,packet,bluetooth
 seccomp
 disable-mnt
diff --git a/etc/profile-m-z/tshark.profile b/etc/profile-m-z/tshark.profile
index 684a9491d..a5cefb47a 100644
--- a/etc/profile-m-z/tshark.profile
+++ b/etc/profile-m-z/tshark.profile
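Review bot: In etc/apparmor/firejail-default the added `network bluetooth,` rule sits in the default AppArmor profile, so it presumably applies to every sandbox confined by firejail-default and not only to the capture tools named in the comment. The per-program limit then rests on each profile's seccomp `protocol` list, which the tcpdump.profile hunk sets but the wireshark.profile hunk leaves commented out. I would state that in the comment, for example `# bluetooth/packet are allowed here for all sandboxes; restrict per program with 'protocol' in the profile`.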
@@ -1,46 +1,6 @@
 # Firejail profile for tshark
 # This file is overwritten after every install/update
 quiet
-# Persistent local customizations
-include tshark.local
-# Persistent global definitions
-include globals.local
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
-
-whitelist /usr/share/wireshark
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-apparmor
-#caps.keep net_raw
-caps.keep dac_override,net_admin,net_raw
-ipc-namespace
-#net tun0
-netfilter
-no3d
-nodvd
-# nogroups - breaks network traffic capture for unprivileged users
-# nonewprivs - breaks network traffic capture for unprivileged users
-# noroot
-nosound
-notv
-nou2f
-novideo
-#protocol unix,inet,inet6,netlink,packet
-#seccomp
-
-disable-mnt
-#private
-private-cache
-#private-bin tshark
-private-dev
-private-tmp
+# Redirect
+include wireshark.profile
diff --git a/etc/profile-m-z/wireshark.profile b/etc/profile-m-z/wireshark.profile
index a30cb43d5..6a84246e1 100644
--- a/etc/profile-m-z/wireshark.profile
+++ b/etc/profile-m-z/wireshark.profile
@@ -38,8 +38,8 @@ nosound
 notv
 nou2f
 novideo
-# protocol unix,inet,inet6,netlink
-# seccomp - breaks network traffic capture for unprivileged users
+# protocol unix,inet,inet6,netlink,packet,bluetooth - commented out in case they bring in new protocols
+seccomp
 shell none
 tracelog
-- 
cgit v1.2.3-70-g09d2
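Review bot: The redirect in etc/profile-m-z/tshark.profile drops `include tshark.local`, so any restrictions a user keeps in tshark.local would no longer be read unless wireshark.profile pulls that file in, which this diff does not show. Keeping the two lines `# Persistent local customizations` and `include tshark.local` ahead of `include wireshark.profile` would preserve existing local hardening. It is also worth confirming that tshark is meant to give up its own whitelist and `private-*` settings in favour of whatever wireshark.profile defines.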
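Review bot: In etc/profile-m-z/wireshark.profile the hunk turns `seccomp` on and deletes the remark that it "breaks network traffic capture for unprivileged users" without recording why that no longer holds. As far as I know firejail sets no_new_privs when a seccomp filter is active, which is the same condition the old tshark profile flagged for `nonewprivs`, so capture through a dumpcap binary with file capabilities should be re-tested. The `protocol` line stays a comment, so no address-family filter applies here or, through the redirect, to tshark; the stated reason would read better as `# protocol ... - left disabled: capture may need address families not listed here`. The profile continues outside the hunk.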