From 7ed7d6dafdcbfc8e0362d5497836cebe62c6bbda Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Thu, 23 Feb 2023 12:28:41 +0000
Subject: New profiles: qpdf and redirects (#5675)
* Create qpdf.profile and redirects
qpdf (CLI) provides PDF metadata cleaning. See privacy-handbuch.de[1] for details. The site offers pdf-meta-clean.sh[2], which works very well with firejailed qpdf.
[1] https://www.privacy-handbuch.de/handbuch_43a.htm
[2] https://www.privacy-handbuch.de/download/pdf-meta-clean.sh
* RELNOTES: add qpdf and redirects to new profiles section
* firecfg.config: add qpdf and redirects
* qpdf: use 'seccomp socket' instead of 'protocol unix' See https://github.com/netblue30/firejail/issues/639. Thanks @rusty-snake in code review.
---
 etc/profile-a-l/fix-qdf.profile | 13 ++++++++
 etc/profile-m-z/qpdf.profile | 68 ++++++++++++++++++++++++++++++++++++++
 etc/profile-m-z/zlib-flate.profile | 13 ++++++++
 3 files changed, 94 insertions(+)
 create mode 100644 etc/profile-a-l/fix-qdf.profile
 create mode 100644 etc/profile-m-z/qpdf.profile
 create mode 100644 etc/profile-m-z/zlib-flate.profile
(limited to 'etc')
diff --git a/etc/profile-a-l/fix-qdf.profile b/etc/profile-a-l/fix-qdf.profile
new file mode 100644
index 000000000..2dbb44e1d
--- /dev/null
+++ b/etc/profile-a-l/fix-qdf.profile
@@ -0,0 +1,13 @@
+# Firejail profile for fix-qdf
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include fix-qdf.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin fix-qdf
+
+# Redirect
+include qpdf.profile
diff --git a/etc/profile-m-z/qpdf.profile b/etc/profile-m-z/qpdf.profile
new file mode 100644
index 000000000..0c1e09e92
--- /dev/null
+++ b/etc/profile-m-z/qpdf.profile
@@ -0,0 +1,68 @@
+# Firejail profile for qpdf
+# Description: A Content-Preserving PDF Transformation System
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include qpdf.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-X11.inc
+include disable-xdg.inc
+
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+hostname qpdf
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+# block the socket syscall to simulate an be empty protocol line, see #639
+seccomp socket
+tracelog
+x11 none
+
+private-bin qpdf
+private-cache
+private-dev
+private-etc
+private-lib libqpdf.so.*
+#private-tmp # breaks on Arch Linux
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+restrict-namespaces
+read-only ${HOME}
+read-write ${DOCUMENTS}
+read-write ${DOWNLOADS}
diff --git a/etc/profile-m-z/zlib-flate.profile b/etc/profile-m-z/zlib-flate.profile
new file mode 100644
index 000000000..48a2c9845
--- /dev/null
+++ b/etc/profile-m-z/zlib-flate.profile
@@ -0,0 +1,13 @@
+# Firejail profile for zlib-flate
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zlib-flate.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin zlib-flate
+
+# Redirect
+include qpdf.profile
-- 
cgit v1.2.3-70-g09d2
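Review bot: The comment above `seccomp socket` in qpdf.profile is garbled ("simulate an be empty protocol line") and should read `# block the socket syscall to simulate an empty protocol line, see #639`, so that the reason for preferring the seccomp filter over `protocol` is clear to the next maintainer. The bare `private-etc` line carries no file list, so what ends up in the sandbox's /etc depends entirely on how the installed firejail treats an argument-less private-etc; it is worth confirming on the oldest supported version that the line parses and that qpdf still finds what it needs from /etc. Since `#private-tmp` is disabled with only "breaks on Arch Linux" as justification, a short note of what actually breaks would help anyone deciding whether the shared /tmp exposure is acceptable for their setup. The redirect profiles fix-qdf.profile and zlib-flate.profile in this commit include this file unchanged, so all three sandboxes inherit the same settings.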