From 18e4e7aa36a94ef7c34a05dc42b7153788ff6bad Mon Sep 17 00:00:00 2001
From: Tad
Date: Fri, 15 Sep 2017 15:47:55 -0400
Subject: Add a profile for Terasology

---
 etc/disable-programs.inc | 1 +
 etc/terasology.profile | 42 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)
 create mode 100644 etc/terasology.profile

(limited to 'etc')

diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 7e44d582e..ff750ecd9 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -318,6 +318,7 @@ blacklist ${HOME}/.local/share/spotify
 blacklist ${HOME}/.local/share/steam
 blacklist ${HOME}/.local/share/supertux2
 blacklist ${HOME}/.local/share/telepathy
+blacklist ${HOME}/.local/share/terasology
 blacklist ${HOME}/.local/share/torbrowser
 blacklist ${HOME}/.local/share/totem
 blacklist ${HOME}/.local/share/vpltd
diff --git a/etc/terasology.profile b/etc/terasology.profile
new file mode 100644
index 000000000..ca580c0d0
--- /dev/null
+++ b/etc/terasology.profile
@@ -0,0 +1,42 @@
+# Firejail profile for terasology
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/default.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.java
+noblacklist ${HOME}/.local/share/terasology
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.java
+mkdir ${HOME}/.local/share/terasology
+whitelist ${HOME}/.java
+whitelist ${HOME}/.local/share/terasology
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,java-8-openjdk,java-7-openjdk
+private-tmp
+
+noexec ${HOME}
-- 
cgit v1.2.3-70-g09d2

From 280f37eba89ebc211d0c02848d3d47d086458b25 Mon Sep 17 00:00:00 2001
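Review bot: `netfilter` sits right after `net none` in the new profile, and with nothing but loopback inside the sandbox the default firewall has nothing to act on, so the line appears redundant; dropping it, or replacing `net none` if Terasology's multiplayer mode is meant to work, would make the intended networking posture clear. `private-etc` also brings in `ca-certificates`, `ssl`, `resolv.conf`, `hosts` and `host.conf`, which only serve a networked process, so that list can shrink once the networking decision is made. A short comment above `net none` stating whether the sandbox is deliberately offline would save the next editor from guessing.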
From: netblue30 Date: Sat, 16 Sep 2017 08:49:05 -0400 Subject: --build --- Makefile.in | 4 +- configure | 3 +- configure.ac | 2 +- etc/virtualbox.profile | 1 + src/fbuilder/Makefile.in | 45 +++++++ src/fbuilder/build_fs.c | 276 +++++++++++++++++++++++++++++++++++++++++++ src/fbuilder/build_home.c | 199 +++++++++++++++++++++++++++++++ src/fbuilder/build_profile.c | 165 ++++++++++++++++++++++++++ src/fbuilder/build_seccomp.c | 191 ++++++++++++++++++++++++++++++ src/fbuilder/fbuilder.h | 65 ++++++++++ src/fbuilder/filedb.c | 79 +++++++++++++ src/fbuilder/main.c | 71 +++++++++++ src/fbuilder/utils.c | 72 +++++++++++ src/firejail/main.c | 22 ++++ 14 files changed, 1192 insertions(+), 3 deletions(-) create mode 100644 src/fbuilder/Makefile.in create mode 100644 src/fbuilder/build_fs.c create mode 100644 src/fbuilder/build_home.c create mode 100644 src/fbuilder/build_profile.c create mode 100644 src/fbuilder/build_seccomp.c create mode 100644 src/fbuilder/fbuilder.h create mode 100644 src/fbuilder/filedb.c create mode 100644 src/fbuilder/main.c create mode 100644 src/fbuilder/utils.c (limited to 'etc') diff --git a/Makefile.in b/Makefile.in index e20aa5b62..be5ab837f 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,6 +1,6 @@ all: apps man filters MYLIBS = src/lib -APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fcopy src/fldd src/libpostexecseccomp +APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.64 seccomp.block_secondary seccomp.mdwx 
@@ -99,6 +99,7 @@ endif install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/fcopy/fcopy $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/fldd/fldd $(DESTDIR)/$(libdir)/firejail/. + install -c -m 0755 src/fbuilder/fbuilder $(DESTDIR)/$(libdir)/firejail/. ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/. install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/. @@ -169,6 +170,7 @@ install-strip: all strip src/fseccomp/fseccomp strip src/fcopy/fcopy strip src/fldd/fldd + strip src/fbuilder/fbuilder $(MAKE) realinstall uninstall: diff --git a/configure b/configure index e1cc0147f..f64aa2dac 100755 --- a/configure +++ b/configure @@ -3823,7 +3823,7 @@ if test "$prefix" = /usr; then sysconfdir="/etc" fi -ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile" +ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure 
@@ -4541,6 +4541,7 @@ do "src/libtrace/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtrace/Makefile" ;; "src/libtracelog/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtracelog/Makefile" ;; "src/firecfg/Makefile") CONFIG_FILES="$CONFIG_FILES src/firecfg/Makefile" ;; + "src/fbuilder/Makefile") CONFIG_FILES="$CONFIG_FILES src/fbuilder/Makefile" ;; "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;; "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;; "src/fseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/fseccomp/Makefile" ;; diff --git a/configure.ac b/configure.ac index e06512665..900c8b959 100644 --- a/configure.ac +++ b/configure.ac @@ -176,7 +176,7 @@ if test "$prefix" = /usr; then fi AC_OUTPUT(Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile \ -src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile \ +src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile \ src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile) echo diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile index 6e153d559..8eef45d8c 100644 --- a/etc/virtualbox.profile +++ b/etc/virtualbox.profile @@ -20,6 +20,7 @@ mkdir ~/.config/VirtualBox mkdir ~/VirtualBox VMs whitelist ~/.config/VirtualBox whitelist ~/VirtualBox VMs +whitelist ${DOWNLOADS} include /etc/firejail/whitelist-common.inc caps.drop all diff --git a/src/fbuilder/Makefile.in b/src/fbuilder/Makefile.in new file mode 100644 index 000000000..dd8e2ce6e --- /dev/null +++ b/src/fbuilder/Makefile.in 
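Review bot: The `whitelist ${DOWNLOADS}` line added to etc/virtualbox.profile is unrelated to the fbuilder build wiring the rest of this commit is about, and neither the subject `--build` nor the diff explains it. It widens what the VirtualBox sandbox can read and write to the user's download directory, so a one-line comment above it stating the reason (presumably ISO or appliance images are usually saved there) would let later readers judge whether it is still wanted. Splitting it into its own commit would also keep the profile's history searchable.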
@@ -0,0 +1,45 @@ +all: fbuilder + +CC=@CC@ +prefix=@prefix@ +exec_prefix=@exec_prefix@ +libdir=@libdir@ +sysconfdir=@sysconfdir@ + +VERSION=@PACKAGE_VERSION@ +NAME=@PACKAGE_NAME@ +HAVE_SECCOMP_H=@HAVE_SECCOMP_H@ +HAVE_SECCOMP=@HAVE_SECCOMP@ +HAVE_CHROOT=@HAVE_CHROOT@ +HAVE_BIND=@HAVE_BIND@ +HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ +HAVE_NETWORK=@HAVE_NETWORK@ +HAVE_USERNS=@HAVE_USERNS@ +HAVE_X11=@HAVE_X11@ +HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ +HAVE_WHITELIST=@HAVE_WHITELIST@ +HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ +HAVE_APPARMOR=@HAVE_APPARMOR@ +HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ +HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ +EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ +HAVE_GCOV=@HAVE_GCOV@ +EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ + +H_FILE_LIST = $(sort $(wildcard *.[h])) +C_FILE_LIST = $(sort $(wildcard *.c)) +OBJS = $(C_FILE_LIST:.c=.o) +BINOBJS = $(foreach file, $(OBJS), $file) +CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security +LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread + +%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h + $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ + +fbuilder: $(OBJS) + $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) + +clean:; rm -f *.o fbuilder *.gcov *.gcda *.gcno + +distclean: clean + rm -fr Makefile diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c new file mode 100644 index 000000000..76281a54d --- /dev/null +++ b/src/fbuilder/build_fs.c 
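Review bot: `EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@` is assigned twice in the new Makefile.in (once before and once after `HAVE_GCOV`), so every substituted flag reaches the linker twice; the second line should be deleted. `BINOBJS = $(foreach file, $(OBJS), $file)` expands `$file` as `$(f)ile`, yielding the literal text `ile` per object, though nothing below uses `BINOBJS` so it is dead rather than harmful. `all`, `clean` and `distclean` are command names, not files, and should be declared with `.PHONY: all clean distclean` so a stray file of that name cannot short-circuit `make clean`. `$(INCLUDE)` and `$(LIBS)` are referenced but never defined here; if they are meant to come from a parent Makefile or the environment, a comment saying so would help.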
@@ -0,0 +1,276 @@ +/* + * Copyright (C) 2014-2017 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ + +#include "fbuilder.h" + +// common file processing function, using the callback for each line in the file +static void process_file(const char *fname, const char *dir, void (*callback)(char *)) { + assert(fname); + assert(dir); + assert(callback); + + int dir_len = strlen(dir); + + // process trace file + FILE *fp = fopen(fname, "r"); + if (!fp) { + fprintf(stderr, "Error: cannot open %s\n", fname); + exit(1); + } + + char buf[MAX_BUF]; + while (fgets(buf, MAX_BUF, fp)) { + // remove \n + char *ptr = strchr(buf, '\n'); + if (ptr) + *ptr = '\0'; + + // parse line: 4:galculator:access /etc/fonts/conf.d:0 + // number followed by : + ptr = buf; + if (!isdigit(*ptr)) + continue; + while (isdigit(*ptr)) + ptr++; + if (*ptr != ':') + continue; + ptr++; + + // next : + ptr = strchr(ptr, ':'); + if (!ptr) + continue; + ptr++; + if (strncmp(ptr, "access ", 7) == 0) + ptr += 7; + else if (strncmp(ptr, "fopen ", 6) == 0) + ptr += 6; + else if (strncmp(ptr, "fopen64 ", 8) == 0) + ptr += 8; + else if (strncmp(ptr, "open64 ", 7) == 0) + ptr += 7; + else if (strncmp(ptr, "open ", 5) == 0) + ptr += 5; + else + continue; + if (strncmp(ptr, dir, 
dir_len) != 0) + continue; + + // end of filename + char *ptr2 = strchr(ptr, ':'); + if (!ptr2) + continue; + *ptr2 = '\0'; + + callback(ptr); + } + + fclose(fp); +} + +// process fname, fname.1, fname.2, fname.3, fname.4, fname.5 +static void process_files(const char *fname, const char *dir, void (*callback)(char *)) { + assert(fname); + assert(dir); + assert(callback); + + // run fname + process_file(fname, dir, callback); + + // run all the rest + struct stat s; + int i; + for (i = 1; i <= 5; i++) { + char *newname; + if (asprintf(&newname, "%s.%d", fname, i) == -1) + errExit("asprintf"); + if (stat(newname, &s) == 0) + process_file(newname, dir, callback); + free(newname); + } +} + +//******************************************* +// etc directory +//******************************************* +static FileDB *etc_out = NULL; + +static void etc_callback(char *ptr) { + // skip firejail directory + if (strncmp(ptr, "/etc/firejail", 13) == 0) + return; + + // add only top files and directories + ptr += 5; // skip "/etc/" + char *end = strchr(ptr, '/'); + if (end) + *end = '\0'; + etc_out = filedb_add(etc_out, ptr); +} + +void build_etc(const char *fname) { + assert(fname); + + process_files(fname, "/etc", etc_callback); + + printf("private-etc "); + if (etc_out == NULL) + printf("none\n"); + else { + FileDB *ptr = etc_out; + while (ptr) { + printf("%s,", ptr->fname); + ptr = ptr->next; + } + printf("\n"); + } +} + +//******************************************* +// var directory +//******************************************* +static FileDB *var_out = NULL; +static void var_callback(char *ptr) { + if (strncmp(ptr, "/var/lib/menu-xdg", 17) == 0) + var_out = filedb_add(var_out, "/var/lib/menu-xdg"); + else if (strncmp(ptr, "/var/cache/fontconfig", 21) == 0) + var_out = filedb_add(var_out, "/var/cache/fontconfig"); + else + var_out = filedb_add(var_out, ptr); +} + +void build_var(const char *fname) { + assert(fname); + + process_files(fname, "/var", var_callback); + + if 
(var_out == NULL) + printf("blacklist /var\n"); + else + filedb_print(var_out, "whitelist "); +} + +//******************************************* +// tmp directory +//******************************************* +static FileDB *tmp_out = NULL; +static void tmp_callback(char *ptr) { + filedb_add(tmp_out, ptr); +} + +void build_tmp(const char *fname) { + assert(fname); + + process_files(fname, "/tmp", tmp_callback); + + if (tmp_out == NULL) + printf("private-tmp\n"); + else { + printf("\n"); + printf("# private-tmp\n"); + printf("# File accessed in /tmp directory:\n"); + printf("# "); + FileDB *ptr = tmp_out; + while (ptr) { + printf("%s,", ptr->fname); + ptr = ptr->next; + } + printf("\n"); + } +} + +//******************************************* +// dev directory +//******************************************* +static char *dev_skip[] = { + "/dev/zero", + "/dev/null", + "/dev/full", + "/dev/random", + "/dev/urandom", + "/dev/tty", + "/dev/snd", + "/dev/dri", + "/dev/pts", + "/dev/nvidia0", + "/dev/nvidia1", + "/dev/nvidia2", + "/dev/nvidia3", + "/dev/nvidia4", + "/dev/nvidia5", + "/dev/nvidia6", + "/dev/nvidia7", + "/dev/nvidia8", + "/dev/nvidia9", + "/dev/nvidiactl", + "/dev/nvidia-modeset", + "/dev/nvidia-uvm", + "/dev/video0", + "/dev/video1", + "/dev/video2", + "/dev/video3", + "/dev/video4", + "/dev/video5", + "/dev/video6", + "/dev/video7", + "/dev/video8", + "/dev/video9", + "/dev/dvb", + "/dev/sr0", + NULL +}; + +static FileDB *dev_out = NULL; +static void dev_callback(char *ptr) { + // skip private-dev devices + int i = 0; + int found = 0; + while (dev_skip[i]) { + if (strcmp(ptr, dev_skip[i]) == 0) { + found = 1; + break; + } + i++; + } + if (!found) + filedb_add(dev_out, ptr); +} + +void build_dev(const char *fname) { + assert(fname); + + process_files(fname, "/tmp", tmp_callback); + + if (dev_out == NULL) + printf("private-dev\n"); + else { + printf("\n"); + printf("# private-dev\n"); + printf("# This is the list of devices accessed (on top of regular 
private-dev devices:\n"); + printf("# "); + FileDB *ptr = dev_out; + while (ptr) { + printf("%s,", ptr->fname); + ptr = ptr->next; + } + printf("\n"); + } +} + diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c new file mode 100644 index 000000000..947f172d8 --- /dev/null +++ b/src/fbuilder/build_home.c 
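Review bot: `build_dev` calls `process_files(fname, "/tmp", tmp_callback)`, a copy-paste of `build_tmp`, so the device list is never scanned and the generated profile always emits `private-dev` regardless of what the traced program opened; it should read `process_files(fname, "/dev", dev_callback);`. Even with that fixed, `tmp_callback` and `dev_callback` discard the list head returned by `filedb_add` (`filedb_add(tmp_out, ptr);` and `filedb_add(dev_out, ptr);`), so `tmp_out` and `dev_out` stay NULL, every entry leaks, and the `/tmp` and `/dev` sections always report that nothing was accessed — they should assign as `etc_callback` does: `tmp_out = filedb_add(tmp_out, ptr);` and `dev_out = filedb_add(dev_out, ptr);`. Also worth a comment on `process_file`: `dir` is matched as a bare prefix, so `"/etc"` also accepts `/etcfoo`, and `etc_callback` then skips five bytes unconditionally, which walks past the terminator when the traced path is exactly `/etc`.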
@@ -0,0 +1,199 @@ +/* + * Copyright (C) 2014-2017 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ + +#include "fbuilder.h" + +static FileDB *db_skip = NULL; +static FileDB *db_out = NULL; + +static void load_whitelist_common(void) { + FILE *fp = fopen("/etc/firejail/whitelist-common.inc", "r"); + if (!fp) { + fprintf(stderr, "Error: cannot open whitelist-common.inc\n"); + exit(1); + } + + char buf[MAX_BUF]; + while (fgets(buf, MAX_BUF, fp)) { + if (strncmp(buf, "whitelist ~/", 12) != 0) + continue; + char *fn = buf + 12; + char *ptr = strchr(buf, '\n'); + if (!ptr) + continue; + *ptr = '\0'; + + // add the file to skip list + db_skip = filedb_add(db_skip, fn); + } + + fclose(fp); +} + +void process_home(const char *fname, char *home, int home_len) { + assert(fname); + assert(home); + assert(home_len); + + // process trace file + FILE *fp = fopen(fname, "r"); + if (!fp) { + fprintf(stderr, "Error: cannot open %s\n", fname); + exit(1); + } + + char buf[MAX_BUF]; + while (fgets(buf, MAX_BUF, fp)) { + // remove \n + char *ptr = strchr(buf, '\n'); + if (ptr) + *ptr = '\0'; + + // parse line: 4:galculator:access /etc/fonts/conf.d:0 + // number followed by : + ptr = buf; + if (!isdigit(*ptr)) + continue; + while (isdigit(*ptr)) + 
ptr++; + if (*ptr != ':') + continue; + ptr++; + + // next : + ptr = strchr(ptr, ':'); + if (!ptr) + continue; + ptr++; + if (strncmp(ptr, "access /home", 12) == 0) + ptr += 7; + else if (strncmp(ptr, "fopen /home", 11) == 0) + ptr += 6; + else if (strncmp(ptr, "fopen64 /home", 13) == 0) + ptr += 8; + else if (strncmp(ptr, "open64 /home", 12) == 0) + ptr += 7; + else if (strncmp(ptr, "open /home", 10) == 0) + ptr += 5; + else + continue; + + // end of filename + char *ptr2 = strchr(ptr, ':'); + if (!ptr2) + continue; + *ptr2 = '\0'; + + // check home directory + if (strncmp(ptr, home, home_len) != 0) + continue; + if (strcmp(ptr, home) == 0) + continue; + ptr += home_len + 1; + + // skip files handled automatically by firejail + if (strcmp(ptr, ".Xauthority") == 0 || + strcmp(ptr, ".Xdefaults-debian") == 0 || + strncmp(ptr, ".config/pulse/", 13) == 0 || + strncmp(ptr, ".pulse/", 7) == 0 || + strncmp(ptr, ".bash_hist", 10) == 0 || + strcmp(ptr, ".bashrc") == 0) + continue; + + + // try to find the relevant directory for this file + char *dir = extract_dir(ptr); + char *toadd = (dir)? 
dir: ptr; + + // skip some dot directories + if (strcmp(toadd, ".config") == 0 || + strcmp(toadd, ".local") == 0 || + strcmp(toadd, ".local/share") == 0 || + strcmp(toadd, ".cache") == 0) { + if (dir) + free(dir); + continue; + } + + // clean .cache entries + if (strncmp(toadd, ".cache/", 7) == 0) { + char *ptr2 = toadd + 7; + ptr2 = strchr(ptr2, '/'); + if (ptr2) + *ptr2 = '\0'; + } + + // skip files and directories in whitelist-common.inc + if (filedb_find(db_skip, toadd)) { + if (dir) + free(dir); + continue; + } + + // add the file to out list + db_out = filedb_add(db_out, toadd); + if (dir) + free(dir); + + } + fclose(fp); +} + + +// process fname, fname.1, fname.2, fname.3, fname.4, fname.5 +void build_home(const char *fname) { + assert(fname); + + // load whitelist common + load_whitelist_common(); + + // find user home directory + struct passwd *pw = getpwuid(getuid()); + if (!pw) + errExit("getpwuid"); + char *home = pw->pw_dir; + if (!home) + errExit("getpwuid"); + int home_len = strlen(home); + + // run fname + process_home(fname, home, home_len); + + // run all the rest + struct stat s; + int i; + for (i = 1; i <= 5; i++) { + char *newname; + if (asprintf(&newname, "%s.%d", fname, i) == -1) + errExit("asprintf"); + if (stat(newname, &s) == 0) + process_home(newname, home, home_len); + free(newname); + } + + // print the out list if any + if (db_out) { + filedb_print(db_out, "whitelist ~/"); + printf("include /etc/firejail/whitelist-common.inc\n"); + } + else + printf("private\n"); + +} \ No newline at end of file diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c new file mode 100644 index 000000000..5fca22648 --- /dev/null +++ b/src/fbuilder/build_profile.c 
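Review bot: `process_home` recognises only events whose path starts with the literal `/home` (`strncmp(ptr, "access /home", 12)` and its four siblings), so a user whose home lives elsewhere — `/root`, or a distribution that mounts homes under `/var/home` — gets an empty `db_out` and `build_home` prints `private`, which would hide their real home directory from the application. Since the code already compares against the real `home` a few lines later, matching only the verb (`"access "`, `"fopen "`, …) and letting the `strncmp(ptr, home, home_len)` check do the filtering removes that assumption. That later check should also require `ptr[home_len] == '/'` before `ptr += home_len + 1`, because the prefix test alone lets `/home/user2` through for a home of `/home/user`. Separately, `strncmp(ptr, ".config/pulse/", 13)` compares 13 bytes of a 14-byte literal, so it also skips entries such as `.config/pulse-foo`; the length should be 14.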
@@ -0,0 +1,165 @@ +/* + * Copyright (C) 2014-2017 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ + +#include "fbuilder.h" +#include +#include + +#define TRACE_OUTPUT "/tmp/firejail-trace" +#define STRACE_OUTPUT "/tmp/firejail-strace" + +static char *cmdlist[] = { + "/usr/bin/firejail", + "--quiet", + "--output=" TRACE_OUTPUT, + "--noprofile", + "--caps.drop=all", + "--nonewprivs", + "--trace", + "/usr/bin/strace", // also used as a marker in build_profile() + "-c", + "-f", + "-o" STRACE_OUTPUT, +}; + +static void clear_tmp_files(void) { + unlink(STRACE_OUTPUT); + unlink(TRACE_OUTPUT); + + // run all the rest + int i; + for (i = 1; i <= 5; i++) { + char *newname; + if (asprintf(&newname, "%s.%d", TRACE_OUTPUT, i) == -1) + errExit("asprintf"); + unlink(newname); + free(newname); + } + +} + +void build_profile(int argc, char **argv, int index) { + unlink("/tmp/strace-output"); + + // next index is the application name + if (index >= argc) { + fprintf(stderr, "Error: application name missing\n"); + exit(1); + } + + // clean /tmp files + clear_tmp_files(); + + // detect strace + int have_strace = 0; + if (access("/usr/bin/strace", X_OK) == 0) + have_strace = 1; + + // calculate command length + int len = (int) sizeof(cmdlist) / 
sizeof(char*) + argc - index + 1; + if (arg_debug) + printf("command len %d + %d + 1\n", (int) (sizeof(cmdlist) / sizeof(char*)), argc - index); + char *cmd[len]; + + // build command + int i = 0; + for (i = 0; i < (int) sizeof(cmdlist) / sizeof(char*); i++) { + // skip strace if not installed + if (have_strace == 0 && strcmp(cmdlist[i], "/usr/bin/strace") == 0) + break; + cmd[i] = cmdlist[i]; + } + + int i2 = index; + for (; i < (len - 1); i++, i2++) + cmd[i] = argv[i2]; + cmd[i] = NULL; + + if (arg_debug) { + for (i = 0; i < len; i++) + printf("\t%s\n", cmd[i]); + } + + // fork and execute + pid_t child = fork(); + if (child == -1) + errExit("fork"); + if (child == 0) { + int rv = execvp(cmd[0], cmd); + errExit("execv"); + } + + // wait for all processes to finish + int status; + if (waitpid(child, &status, 0) != child) + errExit("waitpid"); + + if (WIFEXITED(status) && WEXITSTATUS(status) == 0) { + printf("\n\n\n"); + printf("############################################\n"); + printf("# %s profile\n", argv[index]); + printf("############################################\n"); + printf("# Persistent global definitions\n"); + printf("# include /etc/firejail/globals.local\n"); + printf("\n"); + + printf("### basic blacklisting\n"); + printf("include /etc/firejail/disable-common.inc\n"); + printf("# include /etc/firejail/disable-devel.inc\n"); + printf("include /etc/firejail/disable-passwdmgr.inc\n"); + printf("# include /etc/firejail/disable-programs.inc\n"); + printf("\n"); + + printf("### home directory whitelisting\n"); + build_home(TRACE_OUTPUT); + printf("\n"); + + printf("### filesystem\n"); + build_tmp(TRACE_OUTPUT); + build_dev(TRACE_OUTPUT); + build_etc(TRACE_OUTPUT); + build_var(TRACE_OUTPUT); + printf("\n"); + + printf("### security filters\n"); + printf("caps.drop all\n"); + printf("nonewprivs\n"); + printf("seccomp\n"); + if (have_strace) + build_seccomp(STRACE_OUTPUT); + else { + printf("# If you install strace on your system, Firejail will also create 
a\n"); + printf("# whitelisted seccomp filter.\n"); + } + printf("\n"); + + printf("### network\n"); + build_protocol(TRACE_OUTPUT); + printf("\n"); + + printf("### environment\n"); + printf("shell none\n"); + + } + else { + fprintf(stderr, "Error: cannot run the sandbox\n"); + exit(1); + } +} diff --git a/src/fbuilder/build_seccomp.c b/src/fbuilder/build_seccomp.c new file mode 100644 index 000000000..18a767518 --- /dev/null +++ b/src/fbuilder/build_seccomp.c 
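Review bot: `len` is computed from the full `cmdlist` even when `have_strace == 0`, where the first loop stops at the `/usr/bin/strace` marker after seven entries; the second loop then copies `argc - index + 4` pointers from `argv`, reading past its NULL terminator, and with `arg_debug` the print loop walks the whole array including the terminating NULL, so it should stop at `len - 1`. Deciding how many fixed arguments to use before sizing `cmd` fixes the sizing (rewrite below). `unlink("/tmp/strace-output")` at the top names a path nothing else in this commit writes and looks like a leftover from an earlier name of `STRACE_OUTPUT`. `int rv = execvp(cmd[0], cmd);` leaves `rv` unused, which is likely to be rejected when `HAVE_FATAL_WARNINGS` is on. The trace files are fixed names in the shared `/tmp` that are unlinked and then recreated by the traced run, so another local user could pre-place a file of that name between the two steps; a per-run directory from `mkdtemp` would close that window.
```c
	// number of fixed arguments: all of cmdlist, or only those before the strace marker
	int ncmd = (int) (sizeof(cmdlist) / sizeof(char*));
	if (have_strace == 0) {
		int j;
		for (j = 0; j < ncmd; j++) {
			if (strcmp(cmdlist[j], "/usr/bin/strace") == 0) {
				ncmd = j;
				break;
			}
		}
	}

	// command length: fixed arguments + application arguments + NULL terminator
	int len = ncmd + argc - index + 1;
	if (arg_debug)
		printf("command len %d + %d + 1\n", ncmd, argc - index);
	char *cmd[len];

	// build command
	int i;
	for (i = 0; i < ncmd; i++)
		cmd[i] = cmdlist[i];
	int i2 = index;
	for (; i < (len - 1); i++, i2++)
		cmd[i] = argv[i2];
	cmd[i] = NULL;

	if (arg_debug) {
		for (i = 0; i < len - 1; i++)
			printf("\t%s\n", cmd[i]);
	}
	/* … unchanged: fork/exec, waitpid, profile output … */
```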
@@ -0,0 +1,191 @@ +/* + * Copyright (C) 2014-2017 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ + +#include "fbuilder.h" + +void build_seccomp(const char *fname) { + assert(fname); + + FILE *fp = fopen(fname, "r"); + if (!fp) { + fprintf(stderr, "Error: cannot open %s\n", fname); + exit(1); + } + + char buf[MAX_BUF]; + int line = 1; + int position = 0; + int cnt = 0; + while (fgets(buf, MAX_BUF, fp)) { + // remove \n + char *ptr = strchr(buf, '\n'); + if (ptr) + *ptr = '\0'; + + // first line: + //% time seconds usecs/call calls errors syscall + if (line == 1) { + // extract syscall position + ptr = strstr(buf, "syscall"); + if (*buf != '%' || ptr == NULL) { + // skip this line, it could be garbage from strace + continue; + } + position = (int) (ptr - buf); + } + else if (line == 2) { + if (*buf != '-') { + fprintf(stderr, "Error: invalid strace output\n%s\n", buf); + exit(1); + } + } + else { + // get out on the next "----" line + if (*buf == '-') + break; + + if (line == 3) + printf("# seccomp.keep %s", buf + position); + else + printf(",%s", buf + position); + cnt++; + } + line++; + } + printf("\n"); + printf("# %d syscalls total\n", cnt); + printf("# Probably you will need to add more syscalls to seccomp.keep. 
Look for\n"); + printf("# seccomp errors in /var/log/syslog or /var/log/audit/audit.log while\n"); + printf("# running your sandbox.\n"); + + fclose(fp); +} + +//*************************************** +// protocol +//*************************************** +int unix_s = 0; +int inet = 0; +int inet6 = 0; +int netlink = 0; +int packet = 0; +static void process_protocol(const char *fname) { + assert(fname); + + // process trace file + FILE *fp = fopen(fname, "r"); + if (!fp) { + fprintf(stderr, "Error: cannot open %s\n", fname); + exit(1); + } + + char buf[MAX_BUF]; + while (fgets(buf, MAX_BUF, fp)) { + // remove \n + char *ptr = strchr(buf, '\n'); + if (ptr) + *ptr = '\0'; + + // parse line: 4:galculator:access /etc/fonts/conf.d:0 + // number followed by : + ptr = buf; + if (!isdigit(*ptr)) + continue; + while (isdigit(*ptr)) + ptr++; + if (*ptr != ':') + continue; + ptr++; + + // next : + ptr = strchr(ptr, ':'); + if (!ptr) + continue; + ptr++; + if (strncmp(ptr, "socket ", 7) == 0) + ptr += 7; + else + continue; + + if (strncmp(ptr, "AF_LOCAL ", 9) == 0) + unix_s = 1; + else if (strncmp(ptr, "AF_INET ", 8) == 0) + inet = 1; + else if (strncmp(ptr, "AF_INET6 ", 9) == 0) + inet6 = 1; + else if (strncmp(ptr, "AF_NETLINK ", 9) == 0) + netlink = 1; + else if (strncmp(ptr, "AF_PACKET ", 9) == 0) + packet = 1; + } + + fclose(fp); +} + + +// process fname, fname.1, fname.2, fname.3, fname.4, fname.5 +void build_protocol(const char *fname) { + assert(fname); + + // run fname + process_protocol(fname); + + // run all the rest + struct stat s; + int i; + for (i = 1; i <= 5; i++) { + char *newname; + if (asprintf(&newname, "%s.%d", fname, i) == -1) + errExit("asprintf"); + if (stat(newname, &s) == 0) + process_protocol(newname); + free(newname); + } + + int net = 0; + if (unix_s || inet || inet6 || netlink || packet) { + printf("protocol "); + if (unix_s) + printf("unix,"); + if (inet) { + printf("inet,"); + net = 1; + } + if (inet6) { + printf("inet6,"); + net = 1; + } + if 
(netlink) + printf("netlink,"); + if (packet) { + printf("packet"); + net = 1; + } + printf("\n"); + } + + if (net == 0) + printf("net none\n"); + else { + printf("# net eth0\n"); + printf("netfilter\n"); + } +} + diff --git a/src/fbuilder/fbuilder.h b/src/fbuilder/fbuilder.h new file mode 100644 index 000000000..a9049ea2d --- /dev/null +++ b/src/fbuilder/fbuilder.h 
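Review bot: `build_protocol` prints every family except `packet` with a trailing comma, so a program that used only unix and inet sockets yields `protocol unix,inet,` — an empty last token the profile parser then has to tolerate or reject. Emitting the separator before each family instead of after it keeps the line well-formed for any combination (rewrite below). In `process_protocol` the comparison lengths do not match the literals: `strncmp(ptr, "AF_NETLINK ", 9)` only checks `AF_NETLIN` and `strncmp(ptr, "AF_PACKET ", 9)` omits the trailing space, so they should be 11 and 10 like the other three. The `unix_s`/`inet`/`inet6`/`netlink`/`packet` flags are file-scope globals with external linkage but are used only here; marking them `static` avoids symbol clashes with other translation units.
```c
	int net = 0;
	if (unix_s || inet || inet6 || netlink || packet) {
		const char *sep = "";
		printf("protocol ");
		if (unix_s) {
			printf("%sunix", sep);
			sep = ",";
		}
		if (inet) {
			printf("%sinet", sep);
			sep = ",";
			net = 1;
		}
		if (inet6) {
			printf("%sinet6", sep);
			sep = ",";
			net = 1;
		}
		if (netlink) {
			printf("%snetlink", sep);
			sep = ",";
		}
		if (packet) {
			printf("%spacket", sep);
			net = 1;
		}
		printf("\n");
	}
	/* … unchanged: net none / netfilter output … */
```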
@@ -0,0 +1,65 @@ +/* + * Copyright (C) 2014-2017 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ + +#ifndef FBUILDER_H +#define FBUILDER_H +#include "../include/common.h" +#include +#include +#include +#include + + +#define MAX_BUF 4096 +// main.c +extern int arg_debug; + +// build_profile.c +void build_profile(int argc, char **argv, int index); + +// build_seccomp.c +void build_seccomp(const char *fname); +void build_protocol(const char *fname); + +// build_fs.c +void build_etc(const char *fname); +void build_var(const char *fname); +void build_tmp(const char *fname); +void build_dev(const char *fname); + +// build_home.c +void build_home(const char *fname); + +// utils.c +int is_dir(const char *fname); +char *extract_dir(char *fname); + +// filedb.c +typedef struct filedb_t { + struct filedb_t *next; + char *fname; // file name + int len; // length of file name +} FileDB; + +FileDB *filedb_add(FileDB *head, const char *fname); +FileDB *filedb_find(FileDB *head, const char *fname); +void filedb_print(FileDB *head, const char *prefix); + +#endif \ No newline at end of file diff --git a/src/fbuilder/filedb.c b/src/fbuilder/filedb.c new file mode 100644 index 000000000..a76fbc961 --- /dev/null +++ b/src/fbuilder/filedb.c 
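Review bot: `filedb_add` returns the new list head rather than updating `head` in place (filedb.c prepends the entry and returns it), but the prototype carries no comment saying so, and two callers in this same commit drop the return value. A one-line comment on the declaration would make the contract visible: `// prepends fname unless already covered; returns the new head — callers must assign the result`. The same would help `filedb_find`, which also reports a match when a listed parent directory covers `fname`, not only on an exact name.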
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) 2014-2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+#include "fbuilder.h"
+
+FileDB *filedb_find(FileDB *head, const char *fname) {
+ FileDB *ptr = head;
+ int found = 0;
+ int len = strlen(fname);
+
+ while (ptr) {
+ // exact name
+ if (strcmp(fname, ptr->fname) == 0) {
+ found = 1;
+ break;
+ }
+
+ // parent directory in the list
+ if (len > ptr->len &&
+ fname[ptr->len] == '/' &&
+ strncmp(ptr->fname, fname, ptr->len) == 0) {
+ found = 1;
+ break;
+ }
+
+ ptr = ptr->next;
+ }
+
+ if (found)
+ return ptr;
+
+ return NULL;
+}
+
+FileDB *filedb_add(FileDB *head, const char *fname) {
+ assert(fname);
+
+ // don't add it if it is already there or if the parent directory is already in the list
+ if (filedb_find(head, fname))
+ return head;
+
+ // add a new entry
+ FileDB *entry = malloc(sizeof(FileDB));
+ if (!entry)
+ errExit("malloc");
+ memset(entry, 0, sizeof(FileDB));
+ entry->fname = strdup(fname);
+ if (!entry->fname)
+ errExit("strdup");
+ entry->len = strlen(entry->fname);
+ entry->next = head;
+ return entry;
+};
+
+void filedb_print(FileDB *head, const char *prefix) {
+ FileDB *ptr = head;
+ while (ptr) {
+ printf("%s%s\n", prefix, ptr->fname);
+ ptr = ptr->next;
+ }
+}
+
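Review bot: The stray `};` closing `filedb_add` is an empty declaration at file scope; drop the semicolon. `filedb_find` stores `strlen(fname)` in `int len` and compares it with `ptr->len`, both of which are sizes and should be `size_t`. The parent-directory match only works when the stored entry has no trailing slash (`fname[ptr->len] == '/'`), which callers presumably honour, so record that above the check: `// entries are stored without a trailing '/': "/a" matches "/a/b", "/a/" would not`.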
diff --git a/src/fbuilder/main.c b/src/fbuilder/main.c
new file mode 100644
index 000000000..83217ef98
--- /dev/null
+++ b/src/fbuilder/main.c
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) 2014-2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fbuilder.h"
+int arg_debug = 0;
+
+static void usage(void) {
+ printf("Firejail profile builder\n");
+ printf("Usage: firejail [--debug] --build program-and-arguments\n");
+}
+
+int main(int argc, char **argv) {
+#if 0
+{
+system("cat /proc/self/status");
+int i;
+for (i = 0; i < argc; i++)
+ printf("*%s* ", argv[i]);
+printf("\n");
+}
+#endif
+
+ int i;
+ int prog_index = 0;
+
+ // parse arguments and extract program index
+ for (i = 1; i < argc; i++) {
+ if (strcmp(argv[i], "-h") == 0 || strcmp(argv[i], "--help") == 0 || strcmp(argv[i], "-?") ==0) {
+ usage();
+ return 0;
+ }
+ else if (strcmp(argv[i], "--debug") == 0)
+ arg_debug = 1;
+ else if (strcmp(argv[i], "--build") == 0)
+ ; // do nothing, this is passed down from firejail
+ else {
+ if (*argv[i] == '-') {
+ fprintf(stderr, "Error fbuilder: invalid program\n");
+ usage();
+ exit(1);
+ }
+ prog_index = i;
+ break;
+ }
+ }
+
+ if (prog_index == 0) {
+ fprintf(stderr, "Error fbuilder: program and arguments required\n");
+ usage();
+ exit(1);
+ }
+
+ build_profile(argc, argv, prog_index);
+ return 0;
+}
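Review bot: The `#if 0` block at the top of `main`, including a `system("cat /proc/self/status")` call, is leftover debugging code and should be removed before merge. Because `run_builder` in src/firejail/main.c apparently re-executes the unchanged argv, any firejail option placed before `--build` (for example `--quiet`) reaches this parser and is rejected as an "invalid program" by the `*argv[i] == '-'` branch; either document that `--build` accepts only `--debug`, or skip unrecognised `--` options until `--build` has been seen. A comment on the loop, `// everything after the program name belongs to the program and is left untouched`, would make the early `break` read as intentional rather than accidental.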
diff --git a/src/fbuilder/utils.c b/src/fbuilder/utils.c
new file mode 100644
index 000000000..902290899
--- /dev/null
+++ b/src/fbuilder/utils.c
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2014-2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+#include "fbuilder.h"
+
+// todo: duplicated from src/firejail/util.c - remove dplication
+// return 1 if the file is a directory
+int is_dir(const char *fname) {
+ assert(fname);
+ if (*fname == '\0')
+ return 0;
+
+ // if fname doesn't end in '/', add one
+ int rv;
+ struct stat s;
+ if (fname[strlen(fname) - 1] == '/')
+ rv = stat(fname, &s);
+ else {
+ char *tmp;
+ if (asprintf(&tmp, "%s/", fname) == -1) {
+ fprintf(stderr, "Error: cannot allocate memory, %s:%d\n", __FILE__, __LINE__);
+ errExit("asprintf");
+ }
+ rv = stat(tmp, &s);
+ free(tmp);
+ }
+
+ if (rv == -1)
+ return 0;
+
+ if (S_ISDIR(s.st_mode))
+ return 1;
+
+ return 0;
+}
+
+// return NULL if fname is already a directory, or if no directory found
+char *extract_dir(char *fname) {
+ assert(fname);
+ if (is_dir(fname))
+ return NULL;
+
+ char *name = strdup(fname);
+ if (!name)
+ errExit("strdup");
+
+ char *ptr = strrchr(name, '/');
+ if (!ptr) {
+ free(name);
+ return NULL;
+ }
+ *ptr = '\0';
+
+ return name;
+}
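Review bot: The `asprintf` failure path in `is_dir` prints its own "cannot allocate memory" line and then calls `errExit("asprintf")`, which presumably reports the failure a second time; the rest of the file relies on `errExit` alone, so drop the extra `fprintf`. `extract_dir` never modifies `fname` (it strdup's it first), so declare it `char *extract_dir(const char *fname)`. The todo comment has a typo (`dplication`), and since `stat()` follows symlinks it is worth stating the consequence next to it: `// follows symlinks: a link to a directory counts as a directory`.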
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 399770142..1b49c5fb3 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -849,6 +849,24 @@ static int check_arg(int argc, char **argv, const char *argument) {
 return found;
 }
 
+static void run_builder(int argc, char **argv) {
+ EUID_ASSERT();
+
+ // drop privileges
+ if (setgid(getgid()) < 0)
+ errExit("setgid/getgid");
+ if (setuid(getuid()) < 0)
+ errExit("setuid/getuid");
+ assert(getenv("LD_PRELOAD") == NULL);
+
+ argv[0] = LIBDIR "/firejail/fbuilder";
+ execvp(argv[0], argv);
+
+ perror("execvp");
+ exit(1);
+}
+
+
 //*******************************************
 // Main program
 //*******************************************
@@ -907,6 +925,10 @@ int main(int argc, char **argv) {
 git_uninstall(); // this function will not return
 #endif
 
+ // profile builder
+ if (check_arg(argc, argv, "--build"))
+ run_builder(argc, argv); // this function will not return
+
 // check argv[0] symlink wrapper if this is not a login shell
 if (*argv[0] != '-')
 run_symlink(argc, argv); // this function will not return
-- cgit v1.2.3-70-g09d2
From e6cc6c7b13f6495ffb2688509c2bcf2fc5793b7e Mon Sep 17 00:00:00 2001
From: James Elford
Date: Sun, 17 Sep 2017 15:47:44 +0100
Subject: Set `shell none` for ssh-agent configuration

It's common to invoke ssh-agent in shell login config, so if firejail launches it through a shell, that can lead to an infinite loop
---
 etc/ssh-agent.profile | 1 +
 1 file changed, 1 insertion(+)
(limited to 'etc')
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile
index 7e9d34c92..fa5728d9b 100644
--- a/etc/ssh-agent.profile
+++ b/etc/ssh-agent.profile
@@ -16,6 +16,7 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+shell none
 caps.drop all
 netfilter
 no3d
-- cgit v1.2.3-70-g09d2
From efcda9cb5f9da6f8bed95313b7f7a93b26b390ce Mon Sep 17 00:00:00 2001
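Review bot: `assert(getenv("LD_PRELOAD") == NULL)` in `run_builder` is a debug check rather than a guard — it compiles away under `NDEBUG` — yet this exec is exactly where the setuid parent hands control to an unprivileged helper that will honour the loader variables it inherits, so sanitise explicitly instead: `unsetenv("LD_PRELOAD");` (a no-op when the variable is already absent). `check_arg` is visible only by its tail here; if it scans every argv element rather than stopping at the first non-option, `firejail prog --build` with `--build` intended for the sandboxed program would be diverted into the builder, so confirm it stops at the program name. The four lines added to `main` belong to a function that starts and ends outside the hunk.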
From: netblue30 Date: Sun, 17 Sep 2017 11:27:51 -0400 Subject: whitelisting /var --- README.md | 5 +++++ RELNOTES | 1 + etc/chromium.profile | 1 + etc/firefox.profile | 1 + etc/galculator.profile | 1 + etc/gimp.profile | 2 ++ etc/inkscape.profile | 2 ++ etc/leafpad.profile | 2 ++ etc/mousepad.profile | 2 ++ etc/mpv.profile | 2 ++ etc/transmission-gtk.profile | 1 + etc/transmission-qt.profile | 1 + etc/vlc.profile | 2 ++ etc/whitelist-var-common.inc | 10 ++++++++++ platform/debian/conffiles | 1 + 15 files changed, 34 insertions(+) create mode 100644 etc/whitelist-var-common.inc (limited to 'etc') diff --git a/README.md b/README.md index 1831b6695..ba8ae77ac 100644 --- a/README.md +++ b/README.md @@ -98,6 +98,11 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir ````` # Current development version: 0.9.51 +## Whitelisting /var + +Add "include /etc/firejail/whitelist-var-common.inc" to an application profile and test it. If it's working, +send a pull request. I did it so far for some more common applications like Firefox, Chromium etc. + ## Profile build tool ````` $ firejail --build appname diff --git a/RELNOTES b/RELNOTES index 85c554b32..d4302c134 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,6 +1,7 @@ firejail (0.9.51) baseline; urgency=low * work in progress! * feature: --writable-run-user + * feature: profile build tool (--build) -- netblue30 Thu, 14 Sep 2017 20:00:00 -0500 firejail (0.9.50~rc1) baseline; urgency=low diff --git a/etc/chromium.profile b/etc/chromium.profile index 9be99e68a..0c7058a11 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile @@ -23,6 +23,7 @@ whitelist ~/.config/chromium whitelist ~/.config/chromium-flags.conf whitelist ~/.pki include /etc/firejail/whitelist-common.inc +include /etc/firejail/whitelist-var-common.inc caps.keep sys_chroot,sys_admin netfilter diff --git a/etc/firefox.profile b/etc/firefox.profile index 1bd45ebd1..f65b020a9 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile 
@@ -59,6 +59,7 @@ whitelist ~/.wine-pipelight64 whitelist ~/.zotero whitelist ~/dwhelper include /etc/firejail/whitelist-common.inc +include /etc/firejail/whitelist-var-common.inc caps.drop all netfilter diff --git a/etc/galculator.profile b/etc/galculator.profile index 37f147f0f..dbc22a889 100644 --- a/etc/galculator.profile +++ b/etc/galculator.profile @@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc mkdir ~/.config/galculator whitelist ~/.config/galculator include /etc/firejail/whitelist-common.inc +include /etc/firejail/whitelist-var-common.inc caps.drop all net none diff --git a/etc/gimp.profile b/etc/gimp.profile index aa77d6105..292c2aac9 100644 --- a/etc/gimp.profile +++ b/etc/gimp.profile @@ -11,6 +11,8 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +include /etc/firejail/whitelist-var-common.inc + caps.drop all net none nodvd diff --git a/etc/inkscape.profile b/etc/inkscape.profile index 1d24f5d7d..3266d8230 100644 --- a/etc/inkscape.profile +++ b/etc/inkscape.profile @@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +include /etc/firejail/whitelist-var-common.inc + caps.drop all netfilter nodvd diff --git a/etc/leafpad.profile b/etc/leafpad.profile index e7557651b..c9addba21 100644 --- a/etc/leafpad.profile +++ b/etc/leafpad.profile @@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +include /etc/firejail/whitelist-var-common.inc + caps.drop all netfilter no3d diff --git a/etc/mousepad.profile b/etc/mousepad.profile index 36365fc2f..60205ffda 100644 --- a/etc/mousepad.profile +++ b/etc/mousepad.profile 
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +include /etc/firejail/whitelist-var-common.inc + caps.drop all netfilter nodvd diff --git a/etc/mpv.profile b/etc/mpv.profile index 0592751ef..eb8a88a4b 100644 --- a/etc/mpv.profile +++ b/etc/mpv.profile @@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +include /etc/firejail/whitelist-var-common.inc + caps.drop all netfilter nogroups diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index 0bb721c64..6a8d6c679 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile @@ -19,6 +19,7 @@ whitelist ${DOWNLOADS} whitelist ~/.cache/transmission whitelist ~/.config/transmission include /etc/firejail/whitelist-common.inc +include /etc/firejail/whitelist-var-common.inc caps.drop all netfilter diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index 08964bbab..4db8e19ce 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile @@ -19,6 +19,7 @@ whitelist ${DOWNLOADS} whitelist ~/.cache/transmission whitelist ~/.config/transmission include /etc/firejail/whitelist-common.inc +include /etc/firejail/whitelist-var-common.inc caps.drop all netfilter diff --git a/etc/vlc.profile b/etc/vlc.profile index bccde7a3d..c3a4d58d0 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile @@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +include /etc/firejail/whitelist-var-common.inc + caps.drop all netfilter # nogroups diff --git a/etc/whitelist-var-common.inc b/etc/whitelist-var-common.inc new file mode 100644 index 000000000..67c2a14c2 --- /dev/null +++ b/etc/whitelist-var-common.inc 
@@ -0,0 +1,10 @@
+# Local customizations come here
+include /etc/firejail/whitelist-var-common.local
+
+# common /var whitelist for all profiles
+
+whitelist /var/lib/dbus/machine-id
+whitelist /var/lib/menu-xdg
+whitelist /var/cache/fontconfig
+whitelist /var/tmp
+whitelist /var/run
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index d0e236e61..af6547f7f 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -357,3 +357,4 @@
 /etc/firejail/zoom.profile
 /etc/firejail/yandex-browser.profile
 /etc/firejail/itch.profile
+/etc/firejail/whitelist-var-common.inc
-- cgit v1.2.3-70-g09d2
From 1a764cd80a986e22dd39955bf3a4f00f40201fa4 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sun, 17 Sep 2017 11:51:37 -0400
Subject: whitelist /var: temporary fix for Xubuntu
---
 etc/whitelist-var-common.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'etc')
diff --git a/etc/whitelist-var-common.inc b/etc/whitelist-var-common.inc
index 67c2a14c2..2229a9066 100644
--- a/etc/whitelist-var-common.inc
+++ b/etc/whitelist-var-common.inc
@@ -3,7 +3,7 @@ include /etc/firejail/whitelist-var-common.local
 
 # common /var whitelist for all profiles
 
-whitelist /var/lib/dbus/machine-id
+#whitelist /var/lib/dbus/machine-id - problems on Xubuntu, it is a symlink to /etc/machine-id, whitelist will fail
 whitelist /var/lib/menu-xdg
 whitelist /var/cache/fontconfig
 whitelist /var/tmp
-- cgit v1.2.3-70-g09d2
From 18d83b528dd4273e0e4b48bbfa4f96b1c3a42106 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sun, 17 Sep 2017 13:19:06 -0400
Subject: whitelist /var - Xubuntu fixes
---
 etc/catfish.profile | 7 ++++++-
 etc/evince.profile | 2 ++
 etc/gnome-calculator.profile | 1 +
 etc/whitelist-common.inc | 1 +
 etc/whitelist-var-common.inc | 2 +-
 5 files changed, 11 insertions(+), 2 deletions(-)
(limited to 'etc')
diff --git a/etc/catfish.profile b/etc/catfish.profile
index 498f3b6ee..5fc585d90 100644
--- a/etc/catfish.profile
+++ b/etc/catfish.profile
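Review bot: `whitelist /var/run` and `whitelist /var/tmp` hand every profile that includes this file two shared, writable system trees: `/var/run` is normally a symlink to `/run`, which holds the system D-Bus socket and other daemons' control sockets, and `/var/tmp` is world-writable and persists across reboots. Since the README hunk in this commit presents the include as the future default for common applications, state the trade-off in the file, e.g. `# /var/run (-> /run) and /var/tmp are whitelisted whole: system sockets and shared temp files stay visible; narrow per profile in a .local`, and prefer the specific subpaths a profile actually opens over the whole directory. The follow-up commit on this page reports that a whitelist on a symlink pointing outside /var fails; that presumably also affects `/var/run` where it links to `/run`, so confirm the entry behaves on such systems.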
@@ -8,8 +8,13 @@ include /etc/firejail/globals.local # We can't blacklist much since catfish # is for finding files/content noblacklist ~/.config/catfish +include /etc/firejail/disable-common.inc +# include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-devel.inc +whitelist /var/lib/mlocate +include /etc/firejail/whitelist-var-common.inc caps.drop all net none diff --git a/etc/evince.profile b/etc/evince.profile index 5c6215bb2..f503b9a8e 100644 --- a/etc/evince.profile +++ b/etc/evince.profile @@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +include /etc/firejail/whitelist-var-common.inc + caps.drop all netfilter no3d diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile index 6547c73df..326222426 100644 --- a/etc/gnome-calculator.profile +++ b/etc/gnome-calculator.profile @@ -11,6 +11,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc include /etc/firejail/whitelist-common.inc +include /etc/firejail/whitelist-var-common.inc caps.drop all netfilter diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc index ba4b91451..ef95a7e5e 100644 --- a/etc/whitelist-common.inc +++ b/etc/whitelist-common.inc @@ -16,6 +16,7 @@ whitelist ~/.drirc whitelist ~/.mime.types whitelist ~/.local/share/applications read-only ~/.local/share/applications +whitelist ~/.config/ibus # fonts whitelist ~/.fonts diff --git a/etc/whitelist-var-common.inc b/etc/whitelist-var-common.inc index 2229a9066..bd3473acc 100644 --- a/etc/whitelist-var-common.inc +++ b/etc/whitelist-var-common.inc 
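Review bot: `whitelist /var/lib/mlocate` makes the locate database path visible, but on most distributions `mlocate.db` is mode 0640 root:mlocate and is read through a setgid `locate` binary; if catfish's profile also sets `nonewprivs` (not visible in this hunk), the setgid bit is ignored inside the sandbox and the database remains unreadable, so the whitelist alone may not make locate-backed search work. Record the dependency next to the line, `# locate database; only readable if locate keeps its setgid group inside the sandbox`, and test catfish with the locate backend enabled. The `caps.drop all` / `net none` block the hunk ends in continues past the hunk.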
@@ -3,7 +3,7 @@ include /etc/firejail/whitelist-var-common.local # common /var whitelist for all profiles -#whitelist /var/lib/dbus/machine-id - problems on Xubuntu, it is a symlink to /etc/machine-id, whitelist will fail +whitelist /var/lib/dbus whitelist /var/lib/menu-xdg whitelist /var/cache/fontconfig whitelist /var/tmp -- cgit v1.2.3-70-g09d2 From b44ee405f734d8a23ba1159ccd35bb832d3c0303 Mon Sep 17 00:00:00 2001 From: soredake Date: Mon, 18 Sep 2017 02:19:33 +0300 Subject: fix usage of STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 in steam.profile steam.sh executes `/sbin/ldconfig -XNv 2> /dev/null` when STEAM_RUNTIME_PREFER_HOST_LIBRARIES is not zero and fails in some cases (see https://github.com/ValveSoftware/steam-for-linux/issues/4768) because of blacklisted /sbin and missing ld.so.conf{,.d} https://steamcommunity.com/groups/SteamClientBeta/announcements/detail/586991182161672256 --- etc/steam.profile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/steam.profile b/etc/steam.profile index 227162e1f..b4b9ede70 100644 --- a/etc/steam.profile +++ b/etc/steam.profile @@ -21,6 +21,8 @@ noblacklist ${HOME}/.steampath noblacklist ${HOME}/.steampid # with >=llvm-4 mesa drivers need llvm stuff noblacklist /usr/lib/llvm* +# needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work +noblacklist /sbin include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc @@ -44,5 +46,5 @@ shell none # private-dev should be commented for controllers private-dev -private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl +private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl private-tmp -- cgit v1.2.3-70-g09d2 
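Review bot: Replacing the commented-out `#whitelist /var/lib/dbus/machine-id` with `whitelist /var/lib/dbus` drops the explanation the previous commit had put in the file, so the next reader sees a whole directory whitelisted with no hint why the single file was not enough; keep the reason inline: `# whole directory: on Xubuntu machine-id is a symlink to /etc/machine-id and a file whitelist fails`. Whitelisting the directory rather than the file also exposes anything else that lands under /var/lib/dbus, which is presumably acceptable but worth stating explicitly.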
From 529db471f29a994dce9131111ecd71500dffaf8c Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 18 Sep 2017 08:32:49 -0400 Subject: blacklist clipboard manager in disable-common.inc --- etc/disable-common.inc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 5dd3dfd30..ca6ba9710 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -2,13 +2,15 @@ # Persistent customizations should go in a .local file. include /etc/firejail/disable-common.local -# History files in $HOME +# History files and clipboard managers in $HOME blacklist-nolog ${HOME}/.*_history blacklist-nolog ${HOME}/.adobe blacklist-nolog ${HOME}/.bash_history blacklist-nolog ${HOME}/.history blacklist-nolog ${HOME}/.local/share/fish/fish_history blacklist-nolog ${HOME}/.macromedia +blacklist-nolog /tmp/clipmenu* +blacklist-nolog ${HOME}/.cache/greenclip* # X11 session autostart # blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs -- cgit v1.2.3-70-g09d2 From b0abaaaedc723a37efb993211a9f9ae83fbecc84 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 18 Sep 2017 09:00:47 -0400 Subject: electron profile whitelisting --- README | 2 ++ etc/disable-programs.inc | 1 + etc/electron.profile | 5 ++++- 3 files changed, 7 insertions(+), 1 deletion(-) (limited to 'etc') diff --git a/README b/README index eb776514c..e3169e161 100644 --- a/README +++ b/README @@ -509,6 +509,8 @@ Topi Miettinen (https://github.com/topimiettinen) - seccomp default list update - improve loading of seccomp filter and memory-deny-write-execute feature - private-lib feature +user1024 (user1024@tut.by) + - electron profile whitelisting valoq (https://github.com/valoq) - lots of profile fixes - added support for /srv in --whitelist feature diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index ff750ecd9..e740353a6 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc 
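Review bot: Blacklisting `/tmp/clipmenu*` and `${HOME}/.cache/greenclip*` hides the clipboard managers' stored history, but it does not protect the clipboard itself — a sandboxed X11 client can still read the selection from the X server unless the profile isolates X11 — so the heading should not imply more than it delivers: `# History files and clipboard-manager history in $HOME (the live X11 clipboard is still reachable without x11 isolation)`. Also, if the globs are expanded when the sandbox starts, a `/tmp/clipmenu*` directory created afterwards is not covered; profiles that set `private-tmp` sidestep that for the /tmp entry, the others do not.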
@@ -51,6 +51,7 @@ blacklist ${HOME}/.config/Qlipper blacklist ${HOME}/.config/QuiteRss blacklist ${HOME}/.config/QuiteRssrc blacklist ${HOME}/.config/Riot +blacklist ${HOME}/.config/Rocket.Chat blacklist ${HOME}/.config/Slack blacklist ${HOME}/.config/Thunar blacklist ${HOME}/.config/VirtualBox diff --git a/etc/electron.profile b/etc/electron.profile index 9b21c1bfd..e5aee4358 100644 --- a/etc/electron.profile +++ b/etc/electron.profile @@ -5,11 +5,14 @@ include /etc/firejail/electron.local # Persistent global definitions include /etc/firejail/globals.local - +noblacklist ~/.config/Rocket.Chat include /etc/firejail/disable-common.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +whitelist ${DOWNLOADS} +whitelist ~/.config/Rocket.Chat + caps.drop all netfilter nodvd -- cgit v1.2.3-70-g09d2 From b8c47f080215c3b12baed438944d40b11878f7d8 Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Mon, 18 Sep 2017 15:38:07 +0200 Subject: profiles: add profile for surf browser --- etc/disable-programs.inc | 1 + etc/surf.profile | 35 +++++++++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+) create mode 100644 etc/surf.profile (limited to 'etc') diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index e740353a6..3007a51b3 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -362,6 +362,7 @@ blacklist ${HOME}/.steampath blacklist ${HOME}/.steampid blacklist ${HOME}/.stellarium blacklist ${HOME}/.subversion +blacklist ${HOME}/.surf blacklist ${HOME}/.sword blacklist ${HOME}/.sylpheed-2.0 blacklist ${HOME}/.synfig diff --git a/etc/surf.profile b/etc/surf.profile new file mode 100644 index 000000000..251331902 --- /dev/null +++ b/etc/surf.profile 
@@ -0,0 +1,35 @@
+# Firejail profile for surf
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/surf.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ~/.surf
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ~/.surf
+whitelist ${DOWNLOADS}
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin ls,surf,sh,dash,bash,curl,dmenu,printf,sed,sleep,st,stterm,xargs,xprop
+private-dev
+private-etc passwd,group,hosts,resolv.conf,fonts,ssl
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
-- cgit v1.2.3-70-g09d2
From 8c04e94af899701884bf152180c55299d346b29e Mon Sep 17 00:00:00 2001
From: netblue30
Date: Mon, 18 Sep 2017 09:50:39 -0400
Subject: whitelist /var
---
 etc/2048-qt.profile | 2 ++
 etc/calibre.profile | 2 ++
 etc/dosbox.profile | 2 ++
 etc/gpicview.profile | 2 ++
 etc/handbrake.profile | 2 ++
 etc/virtualbox.profile | 1 +
 etc/youtube-dl.profile | 2 ++
 7 files changed, 13 insertions(+)
(limited to 'etc')
diff --git a/etc/2048-qt.profile b/etc/2048-qt.profile
index 06cc69503..964a9e5fa 100644
--- a/etc/2048-qt.profile
+++ b/etc/2048-qt.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/calibre.profile b/etc/calibre.profile
index aa0de473c..844231032 100644
--- a/etc/calibre.profile
+++ b/etc/calibre.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 no3d
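Review bot: The profile does `noblacklist ~/.surf` and `mkdir ~/.surf` but never `whitelist ~/.surf`; because `whitelist ${DOWNLOADS}` and `whitelist-common.inc` switch home whitelisting on, the directory surf presumably keeps its cookies, cache and history in is hidden behind the temporary home and lost when the sandbox exits. Add `whitelist ~/.surf` directly after the `mkdir`, matching the noblacklist/mkdir/whitelist pattern the other new profiles in this series use. The `private-bin` list deliberately ships `sh`, `dash`, `bash` and `curl` for surf's helper scripts; a note such as `# shells and curl are used by surf's download and external-command scripts` would stop a later hardening pass from removing them without checking.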
diff --git a/etc/dosbox.profile b/etc/dosbox.profile index fa9b26e82..a64578e5c 100644 --- a/etc/dosbox.profile +++ b/etc/dosbox.profile @@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +include /etc/firejail/whitelist-var-common.inc + caps.drop all netfilter nodvd diff --git a/etc/gpicview.profile b/etc/gpicview.profile index 26bc589ee..1842c9cb1 100644 --- a/etc/gpicview.profile +++ b/etc/gpicview.profile @@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +include /etc/firejail/whitelist-var-common.inc + caps.drop all net none nodvd diff --git a/etc/handbrake.profile b/etc/handbrake.profile index 2b33051e2..f5e7bc329 100644 --- a/etc/handbrake.profile +++ b/etc/handbrake.profile @@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +include /etc/firejail/whitelist-var-common.inc + caps.drop all netfilter nogroups diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile index 8eef45d8c..b01e6d144 100644 --- a/etc/virtualbox.profile +++ b/etc/virtualbox.profile @@ -22,6 +22,7 @@ whitelist ~/.config/VirtualBox whitelist ~/VirtualBox VMs whitelist ${DOWNLOADS} include /etc/firejail/whitelist-common.inc +include /etc/firejail/whitelist-var-common.inc caps.drop all netfilter diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile index e20fb3e99..d41591fd6 100644 --- a/etc/youtube-dl.profile +++ b/etc/youtube-dl.profile @@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +include /etc/firejail/whitelist-var-common.inc + caps.drop all ipc-namespace netfilter -- cgit v1.2.3-70-g09d2 From 409e32ba033b1f20fea9d87f1a294a5a28610a4a Mon Sep 17 00:00:00 2001 
From: Tad Date: Mon, 18 Sep 2017 10:29:19 -0400 Subject: Add a profile for Rocket.Chat --- etc/electron.profile | 2 -- etc/riot-web.profile | 4 ++-- etc/rocketchat.profile | 14 ++++++++++++++ 3 files changed, 16 insertions(+), 4 deletions(-) create mode 100644 etc/rocketchat.profile (limited to 'etc') diff --git a/etc/electron.profile b/etc/electron.profile index e5aee4358..91e5cd3df 100644 --- a/etc/electron.profile +++ b/etc/electron.profile @@ -5,13 +5,11 @@ include /etc/firejail/electron.local # Persistent global definitions include /etc/firejail/globals.local -noblacklist ~/.config/Rocket.Chat include /etc/firejail/disable-common.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc whitelist ${DOWNLOADS} -whitelist ~/.config/Rocket.Chat caps.drop all netfilter diff --git a/etc/riot-web.profile b/etc/riot-web.profile index c714652df..06dbbe9d9 100644 --- a/etc/riot-web.profile +++ b/etc/riot-web.profile @@ -5,9 +5,9 @@ include /etc/firejail/riot-web.local # Persistent global definitions include /etc/firejail/globals.local -noblacklist ~/.config/Riot +noblacklist ${HOME}/.config/Riot -whitelist ~/.config/Riot +whitelist ${HOME}/.config/Riot include /etc/firejail/whitelist-common.inc # Redirect diff --git a/etc/rocketchat.profile b/etc/rocketchat.profile new file mode 100644 index 000000000..da92cd938 --- /dev/null +++ b/etc/rocketchat.profile @@ -0,0 +1,14 @@ +# Firejail profile for rocketchat +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/rocketchat.local +# Persistent global definitions +include /etc/firejail/globals.local + +noblacklist ${HOME}/.config/Rocket.Chat + +whitelist ${HOME}/.config/Rocket.Chat +include /etc/firejail/whitelist-common.inc + +# Redirect +include /etc/firejail/electron.profile -- cgit v1.2.3-70-g09d2 From 395aa4f6320277f2488b1601f38d3491487dc0d6 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Mon, 18 Sep 2017 11:58:27 -0400 Subject: whitelist /var --- etc/amarok.profile | 2 ++ etc/digikam.profile | 2 ++ etc/dragon.profile | 2 ++ etc/k3b.profile | 2 ++ etc/kate.profile | 2 ++ etc/kcalc.profile | 2 ++ etc/kwrite.profile | 2 ++ etc/libreoffice.profile | 2 ++ etc/okular.profile | 2 ++ 9 files changed, 18 insertions(+) (limited to 'etc') diff --git a/etc/amarok.profile b/etc/amarok.profile index 478d5285c..79343fcdf 100644 --- a/etc/amarok.profile +++ b/etc/amarok.profile @@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +include /etc/firejail/whitelist-var-common.inc + caps.drop all netfilter nogroups diff --git a/etc/digikam.profile b/etc/digikam.profile index 43191ec06..ef518470e 100644 --- a/etc/digikam.profile +++ b/etc/digikam.profile @@ -14,6 +14,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +include /etc/firejail/whitelist-var-common.inc + caps.drop all netfilter nodvd diff --git a/etc/dragon.profile b/etc/dragon.profile index 211c2432f..c37f81ac9 100644 --- a/etc/dragon.profile +++ b/etc/dragon.profile @@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +include /etc/firejail/whitelist-var-common.inc + caps.drop all netfilter nodvd diff --git a/etc/k3b.profile b/etc/k3b.profile index ca190ecb9..58623d823 100644 --- a/etc/k3b.profile +++ b/etc/k3b.profile @@ -14,6 +14,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +include /etc/firejail/whitelist-var-common.inc + caps.drop all no3d nonewprivs diff --git a/etc/kate.profile b/etc/kate.profile index ec5d09ce2..69100d49d 100644 --- a/etc/kate.profile +++ b/etc/kate.profile 
@@ -17,6 +17,8 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +include /etc/firejail/whitelist-var-common.inc + caps.drop all netfilter nodvd diff --git a/etc/kcalc.profile b/etc/kcalc.profile index f334c4c72..0de23f106 100644 --- a/etc/kcalc.profile +++ b/etc/kcalc.profile @@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +include /etc/firejail/whitelist-var-common.inc + caps.drop all netfilter no3d diff --git a/etc/kwrite.profile b/etc/kwrite.profile index 6ba076dc0..6b458ede3 100644 --- a/etc/kwrite.profile +++ b/etc/kwrite.profile @@ -17,6 +17,8 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +include /etc/firejail/whitelist-var-common.inc + caps.drop all netfilter nodvd diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index ec7356002..8d05a557c 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile @@ -14,6 +14,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +include /etc/firejail/whitelist-var-common.inc + caps.drop all netfilter nodvd diff --git a/etc/okular.profile b/etc/okular.profile index 5a704ad26..94736fbae 100644 --- a/etc/okular.profile +++ b/etc/okular.profile @@ -20,6 +20,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +include /etc/firejail/whitelist-var-common.inc + caps.drop all netfilter nodvd -- cgit v1.2.3-70-g09d2 From dcfb4b9522cf0cc074c36d73bf5eb108a658eee7 Mon Sep 17 00:00:00 2001 
From: Tad Date: Mon, 18 Sep 2017 12:19:15 -0400 Subject: Add a profile for ClamAV's clamscan
--- etc/clamscan.profile | 32 ++++++++++++++++++++++++++++++++ src/firecfg/firecfg.config | 1 + 2 files changed, 33 insertions(+) create mode 100644 etc/clamscan.profile (limited to 'etc')
diff --git a/etc/clamscan.profile b/etc/clamscan.profile
new file mode 100644
index 000000000..2fd10171f
--- /dev/null
+++ b/etc/clamscan.profile
@@ -0,0 +1,32 @@
+# Firejail profile for clamscan
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include /etc/firejail/clamscan.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-dev
+read-only ${HOME}
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 3f73ac635..e623a1aa2 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -41,6 +41,7 @@ catfish
 cherrytree
 chromium
 chromium-browser
+clamscan
 claws-mail
 clementine
 clipit
-- cgit v1.2.3-70-g09d2
From ae5948cb84bd1327ab9f6f0577fd75bfe9a74787 Mon Sep 17 00:00:00 2001 From: Tad Date: Mon, 18 Sep 2017 14:27:58 -0400 Subject: Add a profile for clamdscan, clamdtop, and freshclam
--- etc/clamav.profile | 32 ++++++++++++++++++++++++++++++++ etc/clamdscan.profile | 6 ++++++ etc/clamdtop.profile | 6 ++++++ etc/clamscan.profile | 32 +++----------------------------- etc/freshclam.profile | 34 ++++++++++++++++++++++++++++++++++ src/firecfg/firecfg.config | 3 +++ 6 files changed, 84 insertions(+), 29 deletions(-) create mode 100644 etc/clamav.profile create mode 100644 etc/clamdscan.profile create mode 100644 etc/clamdtop.profile create mode 100644 etc/freshclam.profile (limited to 'etc') 
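Review bot: `read-only ${HOME}` is the line that decides what clamscan can still do inside this sandbox and it has no comment: the scanner can read every file under the home directory (there is no disable-*.inc include and no whitelist, which is what a scanner needs), but any clamscan option that writes into home, such as --move, --remove or --log with a path under ${HOME}, will fail. Suggest `# read-only ${HOME}: scanning works, --move/--remove/--log into home does not`. The same block is copied verbatim into etc/clamav.profile in the following commit, which then turns clamscan.profile into an alias, so the comment belongs there as well.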
diff --git a/etc/clamav.profile b/etc/clamav.profile new file mode 100644 index 000000000..a5aacc1d5 --- /dev/null +++ b/etc/clamav.profile @@ -0,0 +1,32 @@ +# Firejail profile for clamav +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include /etc/firejail/clamav.local +# Persistent global definitions +include /etc/firejail/globals.local + + +caps.drop all +ipc-namespace +net none +no3d +nodvd +nogroups +nonewprivs +noroot +nosound +notv +novideo +protocol unix +seccomp +shell none +tracelog +x11 none + +private-dev +read-only ${HOME} + +memory-deny-write-execute +noexec ${HOME} +noexec /tmp diff --git a/etc/clamdscan.profile b/etc/clamdscan.profile new file mode 100644 index 000000000..1fc728206 --- /dev/null +++ b/etc/clamdscan.profile @@ -0,0 +1,6 @@ +# Firejail profile alias for clamav +# This file is overwritten after every install/update + + +# Redirect +include /etc/firejail/clamav.profile diff --git a/etc/clamdtop.profile b/etc/clamdtop.profile new file mode 100644 index 000000000..1fc728206 --- /dev/null +++ b/etc/clamdtop.profile @@ -0,0 +1,6 @@ +# Firejail profile alias for clamav +# This file is overwritten after every install/update + + +# Redirect +include /etc/firejail/clamav.profile diff --git a/etc/clamscan.profile b/etc/clamscan.profile index 2fd10171f..1fc728206 100644 --- a/etc/clamscan.profile +++ b/etc/clamscan.profile 
@@ -1,32 +1,6 @@ -# Firejail profile for clamscan +# Firejail profile alias for clamav # This file is overwritten after every install/update -quiet -# Persistent local customizations -include /etc/firejail/clamscan.local -# Persistent global definitions -include /etc/firejail/globals.local -caps.drop all -ipc-namespace -net none -no3d -nodvd -nogroups -nonewprivs -noroot -nosound -notv -novideo -protocol unix -seccomp -shell none -tracelog -x11 none - -private-dev -read-only ${HOME} - -memory-deny-write-execute -noexec ${HOME} -noexec /tmp +# Redirect +include /etc/firejail/clamav.profile diff --git a/etc/freshclam.profile b/etc/freshclam.profile new file mode 100644 index 000000000..08eac5595 --- /dev/null +++ b/etc/freshclam.profile @@ -0,0 +1,34 @@ +# Firejail profile for freshclam +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include /etc/firejail/clamav.local +# Persistent global definitions +include /etc/firejail/globals.local + + +caps.keep setgid,setuid +ipc-namespace +netfilter +no3d +nodvd +nogroups +nonewprivs +nosound +notv +novideo +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +disable-mnt +private +private-dev +private-tmp +writable-var +writable-var-log + +memory-deny-write-execute +noexec ${HOME} +noexec /tmp diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index e623a1aa2..600743a41 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -41,6 +41,8 @@ catfish cherrytree chromium chromium-browser +clamdscan +clamdtop clamscan claws-mail clementine @@ -86,6 +88,7 @@ flashpeak-slimjet flowblade fontforge franz +freshclam frozen-bubble gajim galculator -- cgit v1.2.3-70-g09d2 From f493dee7e78bfc387dbb0d70af1dd85f148975fe Mon Sep 17 00:00:00 2001 
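Review bot: `netfilter` in freshclam.profile only takes effect when the sandbox gets its own network namespace, which needs a `net` directive from globals.local or the command line; the profile itself has none, so as written the default filter is not loaded and the line reads as a stronger restriction than it is, which a comment next to it should say. The same pattern appears in xmr-stak-cpu.profile and teamspeak3.profile later in this series, and x-terminal-emulator.profile combines it with `net none`, where it is redundant. Separately, this profile includes `clamav.local` instead of a `freshclam.local`, so a user who tightens clamav.local for the offline scanner (which carries `net none`) also changes the updater; if the shared file is intended, make the header say so, e.g. `# Persistent local customizations (shared with clamav.profile)`.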
From: Tad Date: Mon, 18 Sep 2017 18:22:54 -0400 Subject: Add a profile for xmr-stak-cpu - Add list of new profiles to README.md - Update firecfg - Further restrict silentarmy --- README.md | 4 ++++ etc/silentarmy.profile | 3 +++ etc/xmr-stak-cpu.profile | 42 ++++++++++++++++++++++++++++++++++++++++++ src/firecfg/firecfg.config | 2 ++ 4 files changed, 51 insertions(+) create mode 100644 etc/xmr-stak-cpu.profile (limited to 'etc') diff --git a/README.md b/README.md index ba8ae77ac..5e79dbe8a 100644 --- a/README.md +++ b/README.md @@ -170,3 +170,7 @@ $ Example: $ sudo firejail --writable-run-user ````` + +## New profiles: + +terasology, surf, rocketchat, clamscan, dlamdscan, clamdtop, freshclam, xmr-stak-cpu diff --git a/etc/silentarmy.profile b/etc/silentarmy.profile index abc68a499..977cfea99 100644 --- a/etc/silentarmy.profile +++ b/etc/silentarmy.profile @@ -11,6 +11,8 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +include /etc/firejail/whitelist-var-common.inc + caps.drop all netfilter nodvd @@ -28,6 +30,7 @@ disable-mnt private # private-bin silentarmy,sa-solver,python3 private-dev +private-opt none private-tmp noexec ${HOME} diff --git a/etc/xmr-stak-cpu.profile b/etc/xmr-stak-cpu.profile new file mode 100644 index 000000000..9cc6e0c1f --- /dev/null +++ b/etc/xmr-stak-cpu.profile 
@@ -0,0 +1,42 @@ +# Firejail profile for xmr-stak-cpu +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/xmr-stak-cpu.local +# Persistent global definitions +include /etc/firejail/globals.local + + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +include /etc/firejail/whitelist-var-common.inc + +caps.drop all +ipc-namespace +netfilter +no3d +nodvd +nogroups +nonewprivs +noroot +nosound +notv +novideo +protocol unix,inet,inet6 +seccomp +shell none + +disable-mnt +private +private-bin xmr-stak-cpu +private-dev +private-etc xmr-stak-cpu.json +private-lib +private-opt none +private-tmp + +memory-deny-write-execute +noexec ${HOME} +noexec /tmp diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 600743a41..67b5b7042 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -240,6 +240,7 @@ remmina rhythmbox riot-web ristretto +rocketchat rtorrent scribus sdat2img @@ -309,6 +310,7 @@ xfce4-dict xfce4-notes xiphos xmms +xmr-stak-cpu xonotic xonotic-glx xonotic-sdl -- cgit v1.2.3-70-g09d2 From 5b649f1a421c7330d9d8181f4ee7774abb2be4c5 Mon Sep 17 00:00:00 2001 From: Melvin Vermeeren Date: Sat, 16 Sep 2017 13:08:06 -0400 Subject: Add a profile for TeamSpeak3 --- etc/teamspeak3.profile | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 etc/teamspeak3.profile (limited to 'etc') diff --git a/etc/teamspeak3.profile b/etc/teamspeak3.profile new file mode 100644 index 000000000..7ca5ae666 --- /dev/null +++ b/etc/teamspeak3.profile 
@@ -0,0 +1,25 @@
+# Firejail profile for teamspeak3
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/teamspeak3.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${DOWNLOADS}
+noblacklist ${HOME}/.ts3client
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.ts3client
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.ts3client
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
-- cgit v1.2.3-70-g09d2
From 9c833ae929f64fa54c5d8aa49e4a784803b805c8 Mon Sep 17 00:00:00 2001 
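Review bot: teamspeak3.profile stops at `caps.drop all`, `netfilter`, `noroot`, `protocol` and `seccomp`, while the sibling profiles in this series (terasology, xmr-stak-cpu) also carry `nonewprivs`, `nogroups`, `shell none`, `private-dev`, `private-tmp` and `disable-mnt`. If any of those were left out because the client breaks under them (plugin loading, audio devices), a one-line comment naming the reason would stop the next editor from re-adding them; otherwise they are the same hardening the rest of the page applies and could be appended after `seccomp`.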
From: Chiraag Nataraj Date: Sat, 16 Sep 2017 13:18:26 -0400 Subject: Add 31 profiles --- etc/Viber.profile | 38 ++++++++++++++++++++++++++++++++++++++ etc/amule.profile | 33 +++++++++++++++++++++++++++++++++ etc/ardour5.profile | 36 ++++++++++++++++++++++++++++++++++++ etc/brackets.profile | 31 +++++++++++++++++++++++++++++++ etc/calligra.profile | 37 +++++++++++++++++++++++++++++++++++++ etc/calligraauthor.profile | 5 +++++ etc/calligraconverter.profile | 5 +++++ etc/calligraflow.profile | 5 +++++ etc/calligraplan.profile | 5 +++++ etc/calligraplanwork.profile | 5 +++++ etc/calligrasheets.profile | 5 +++++ etc/calligrastage.profile | 5 +++++ etc/calligrawords.profile | 5 +++++ etc/cin.profile | 32 ++++++++++++++++++++++++++++++++ etc/fetchmail.profile | 31 +++++++++++++++++++++++++++++++ etc/freecad.profile | 36 ++++++++++++++++++++++++++++++++++++ etc/freecadcmd.profile | 5 +++++ etc/google-earth.profile | 32 ++++++++++++++++++++++++++++++++ etc/imagej.profile | 34 ++++++++++++++++++++++++++++++++++ etc/kdenlive.profile | 32 ++++++++++++++++++++++++++++++++ etc/linphone.profile | 22 ++++++++++++++++++++++ etc/lmms.profile | 32 ++++++++++++++++++++++++++++++++ etc/macrofusion.profile | 28 ++++++++++++++++++++++++++++ etc/mpd.profile | 26 ++++++++++++++++++++++++++ etc/natron.profile | 34 ++++++++++++++++++++++++++++++++++ etc/ricochet.profile | 30 ++++++++++++++++++++++++++++++ etc/shotcut.profile | 28 ++++++++++++++++++++++++++++ etc/tor-browser-en.profile | 41 +++++++++++++++++++++++++++++++++++++++++ etc/tor.profile | 38 ++++++++++++++++++++++++++++++++++++++ etc/x-terminal-emulator.profile | 25 +++++++++++++++++++++++++ etc/zart.profile | 27 +++++++++++++++++++++++++++ 31 files changed, 748 insertions(+) create mode 100644 etc/Viber.profile create mode 100644 etc/amule.profile create mode 100644 etc/ardour5.profile create mode 100644 etc/brackets.profile create mode 100644 etc/calligra.profile create mode 100644 etc/calligraauthor.profile create mode 100644 
etc/calligraconverter.profile create mode 100644 etc/calligraflow.profile create mode 100644 etc/calligraplan.profile create mode 100644 etc/calligraplanwork.profile create mode 100644 etc/calligrasheets.profile create mode 100644 etc/calligrastage.profile create mode 100644 etc/calligrawords.profile create mode 100644 etc/cin.profile create mode 100644 etc/fetchmail.profile create mode 100644 etc/freecad.profile create mode 100644 etc/freecadcmd.profile create mode 100644 etc/google-earth.profile create mode 100644 etc/imagej.profile create mode 100644 etc/kdenlive.profile create mode 100644 etc/linphone.profile create mode 100644 etc/lmms.profile create mode 100644 etc/macrofusion.profile create mode 100644 etc/mpd.profile create mode 100644 etc/natron.profile create mode 100644 etc/ricochet.profile create mode 100644 etc/shotcut.profile create mode 100644 etc/tor-browser-en.profile create mode 100644 etc/tor.profile create mode 100644 etc/x-terminal-emulator.profile create mode 100644 etc/zart.profile (limited to 'etc') diff --git a/etc/Viber.profile b/etc/Viber.profile new file mode 100644 index 000000000..5de92f36f --- /dev/null +++ b/etc/Viber.profile 
@@ -0,0 +1,38 @@ +# Firejail profile for Viber +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/Viber.local +# Persistent global definitions +include /etc/firejail/globals.local + + +whitelist ${DOWNLOADS} +whitelist ${HOME}/.ViberPC +whitelist /dev/dri +whitelist /dev/full +whitelist /dev/null +whitelist /dev/ptmx +whitelist /dev/pts +whitelist /dev/random +whitelist /dev/shm +whitelist /dev/snd +whitelist /dev/tty +whitelist /dev/urandom +whitelist /dev/video0 +whitelist /dev/zero +whitelist /opt/viber +include /etc/firejail/whitelist-common.inc + +caps.drop all +ipc-namespace +nogroups +noroot +seccomp +shell none + +private-bin sh,dig,awk +private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf +private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/amule.profile b/etc/amule.profile new file mode 100644 index 000000000..5cd6e613e --- /dev/null +++ b/etc/amule.profile @@ -0,0 +1,33 @@ +# Firejail profile for amule +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/amule.local +# Persistent global definitions +include /etc/firejail/globals.local + +blacklist /boot +blacklist /media +blacklist /mnt +blacklist /opt +blacklist /usr/local/bin +blacklist /usr/local/sbin + +whitelist ${DOWNLOADS} +whitelist ${HOME}/.aMule +whitelist ${HOME}/.gtkrc-2.0 +whitelist ${HOME}/.gtkrc.mine +whitelist ${HOME}/.themes +include /etc/firejail/whitelist-common.inc + +caps.drop all +ipc-namespace +nogroups +nonewprivs +noroot +seccomp +shell none + +private-bin amule +private-dev +private-etc fonts,hosts +private-tmp diff --git a/etc/ardour5.profile b/etc/ardour5.profile new file mode 100644 index 000000000..f17c74e2b --- /dev/null +++ b/etc/ardour5.profile 
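Review bot: Viber.profile enumerates a dozen `whitelist /dev/...` entries instead of the `private-dev` that the other profiles in this commit use, and nothing says why; the reader can only guess that `/dev/snd` and `/dev/video0` (audio and camera) were the point. Suggest a comment above the block such as `# explicit /dev whitelist instead of private-dev: Viber needs /dev/video0 and /dev/snd`. Together with the absence of any `net` line this means camera and network are both reachable from the sandbox, which may be the intended trade-off for a messaging client but should be written down; the profile also includes no disable-*.inc file, unlike most profiles on this page.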
@@ -0,0 +1,36 @@ +# Firejail profile for ardour5 +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/ardour5.local +# Persistent global definitions +include /etc/firejail/globals.local + +blacklist /boot +blacklist /media +blacklist /mnt +blacklist /opt +blacklist /usr/local/bin + +whitelist ${DOWNLOADS} +whitelist ${HOME}/.config/ardour4 +whitelist ${HOME}/.config/ardour5 +whitelist ${HOME}/.lv2 +whitelist ${HOME}/.vst +whitelist ${HOME}/Documents +include /etc/firejail/whitelist-common.inc + +caps.drop all +ipc-namespace +net none +nogroups +noroot +seccomp +shell none + +private-bin sh,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm +private-dev +private-etc pulse,X11,alternatives,ardour4,ardour5,fonts +private-tmp + +noexec /home +noexec /tmp diff --git a/etc/brackets.profile b/etc/brackets.profile new file mode 100644 index 000000000..3c7622435 --- /dev/null +++ b/etc/brackets.profile @@ -0,0 +1,31 @@ +# Firejail profile for brackets +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/brackets.local +# Persistent global definitions +include /etc/firejail/globals.local + +blacklist /boot +blacklist /media +blacklist /mnt + +whitelist ${DOWNLOADS} +whitelist ${HOME}/.config/Brackets +whitelist ${HOME}/.gtkrc-2.0 +whitelist ${HOME}/.themes +whitelist ${HOME}/Documents +whitelist /opt/brackets/ +whitelist /opt/google/ +whitelist /tmp/.X11-unix +include /etc/firejail/whitelist-common.inc + +caps.drop all +# Comment out or use --ignore=net if you want to install extensions or themes +net none +# Disable these if you use live preview (until I figure out a workaround) +# Doing so should be relatively safe since there is no network access +noroot +seccomp + +private-bin bash,brackets,readlink,dirname,google-chrome,cat +private-dev 
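Review bot: ardour5.profile ends with `noexec /home` while freecad, natron, shotcut and Viber in the same commit use `noexec ${HOME}`; the two are not equivalent when the home directory is not under /home or is a separate mount, so the series should settle on one spelling. The same `/home` form is used by calligra, cin, google-earth, lmms and ricochet. Suggest `noexec ${HOME}` here, matching the `whitelist ${HOME}/...` lines above it.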
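Review bot: The two escape hatches in brackets.profile contradict each other when both are taken: the comment above `noroot`/`seccomp` says disabling them "should be relatively safe since there is no network access", but the comment above `net none` invites the user to drop exactly that line to install extensions. Suggest rewording the second one to `# Doing so is only relatively safe while net none above is still in effect`. The `# Disable these if you use live preview` line should also name the options it refers to, since a reader cannot tell whether it means just `noroot` and `seccomp`.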
diff --git a/etc/calligra.profile b/etc/calligra.profile new file mode 100644 index 000000000..260097560 --- /dev/null +++ b/etc/calligra.profile @@ -0,0 +1,37 @@ +# Firejail profile for calligra +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/calligra.local +# Persistent global definitions +include /etc/firejail/globals.local + +blacklist /boot +blacklist /media +blacklist /mnt +blacklist /opt + +whitelist ${DOWNLOADS} +whitelist ${HOME}/.config/Trolltech.conf +whitelist ${HOME}/.gtkrc-2.0 +whitelist ${HOME}/.kde +whitelist ${HOME}/.themes +whitelist ${HOME}/Documents +whitelist /tmp/.X11-unix +# DBus is forced to use an ordinary unix socket +whitelist /tmp/dbus_session_socket +include /etc/firejail/whitelist-common.inc + +caps.drop all +ipc-namespace +net none +nogroups +noroot +seccomp +shell none + +private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch +private-dev +private-etc fonts,passwd,alternatives,X11 + +noexec /home +noexec /tmp diff --git a/etc/calligraauthor.profile b/etc/calligraauthor.profile new file mode 100644 index 000000000..2b005c5c9 --- /dev/null +++ b/etc/calligraauthor.profile @@ -0,0 +1,5 @@ +# Firejail profile alias for calligra +# This file is overwritten after every install/update + + +include ${HOME}/.config/firejail/calligra.profile diff --git a/etc/calligraconverter.profile b/etc/calligraconverter.profile new file mode 100644 index 000000000..2b005c5c9 --- /dev/null +++ b/etc/calligraconverter.profile @@ -0,0 +1,5 @@ +# Firejail profile alias for calligra +# This file is overwritten after every install/update + + +include ${HOME}/.config/firejail/calligra.profile diff --git a/etc/calligraflow.profile b/etc/calligraflow.profile new file mode 100644 index 000000000..2b005c5c9 --- /dev/null +++ b/etc/calligraflow.profile 
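Review bot: calligraauthor.profile and the other calligra* aliases in this commit redirect with `include ${HOME}/.config/firejail/calligra.profile`, a path under the user's home, whereas the clamdscan/clamdtop and rocketchat aliases on this page use `/etc/firejail/<name>.profile`; for a profile installed system-wide the home copy normally does not exist, and as far as I recall firejail treats a missing non-.local include as an error rather than silently skipping it, so the alias never reaches the calligra sandbox. freecadcmd.profile later in this commit has the same form. Suggest `include /etc/firejail/calligra.profile` (and `/etc/firejail/freecad.profile`), under a `# Redirect` comment like the other alias profiles.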
@@ -0,0 +1,5 @@ +# Firejail profile alias for calligra +# This file is overwritten after every install/update + + +include ${HOME}/.config/firejail/calligra.profile diff --git a/etc/calligraplan.profile b/etc/calligraplan.profile new file mode 100644 index 000000000..2b005c5c9 --- /dev/null +++ b/etc/calligraplan.profile @@ -0,0 +1,5 @@ +# Firejail profile alias for calligra +# This file is overwritten after every install/update + + +include ${HOME}/.config/firejail/calligra.profile diff --git a/etc/calligraplanwork.profile b/etc/calligraplanwork.profile new file mode 100644 index 000000000..2b005c5c9 --- /dev/null +++ b/etc/calligraplanwork.profile @@ -0,0 +1,5 @@ +# Firejail profile alias for calligra +# This file is overwritten after every install/update + + +include ${HOME}/.config/firejail/calligra.profile diff --git a/etc/calligrasheets.profile b/etc/calligrasheets.profile new file mode 100644 index 000000000..2b005c5c9 --- /dev/null +++ b/etc/calligrasheets.profile @@ -0,0 +1,5 @@ +# Firejail profile alias for calligra +# This file is overwritten after every install/update + + +include ${HOME}/.config/firejail/calligra.profile diff --git a/etc/calligrastage.profile b/etc/calligrastage.profile new file mode 100644 index 000000000..2b005c5c9 --- /dev/null +++ b/etc/calligrastage.profile @@ -0,0 +1,5 @@ +# Firejail profile alias for calligra +# This file is overwritten after every install/update + + +include ${HOME}/.config/firejail/calligra.profile diff --git a/etc/calligrawords.profile b/etc/calligrawords.profile new file mode 100644 index 000000000..2b005c5c9 --- /dev/null +++ b/etc/calligrawords.profile @@ -0,0 +1,5 @@ +# Firejail profile alias for calligra +# This file is overwritten after every install/update + + +include ${HOME}/.config/firejail/calligra.profile diff --git a/etc/cin.profile b/etc/cin.profile new file mode 100644 index 000000000..3a8a4d8de --- /dev/null +++ b/etc/cin.profile 
@@ -0,0 +1,32 @@ +# Firejail profile for cin +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/cin.local +# Persistent global definitions +include /etc/firejail/globals.local + +blacklist /boot +blacklist /media +blacklist /mnt +blacklist /opt + +whitelist ${DOWNLOADS} +whitelist ${HOME}/.bcast5 +whitelist ${HOME}/Videos +whitelist /tmp/.X11-unix +include /etc/firejail/whitelist-common.inc + +caps.drop all +ipc-namespace +net none +nogroups +noroot +seccomp +shell none + +private-bin cin +private-dev +private-etc fonts,pulse + +noexec /home +noexec /tmp diff --git a/etc/fetchmail.profile b/etc/fetchmail.profile new file mode 100644 index 000000000..dc7f4abc3 --- /dev/null +++ b/etc/fetchmail.profile @@ -0,0 +1,31 @@ +# Firejail profile for fetchmail +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/fetchmail.local +# Persistent global definitions +include /etc/firejail/globals.local + +blacklist /boot +blacklist /media +blacklist /mnt +blacklist /opt + +# Location of your fetchmailrc - I decrypt it into /tmp/fetchmailrc +# whitelist ${HOME}/.fetchmailrc.gpg +whitelist ${HOME}/.procmailrc.brown +whitelist ${HOME}/.procmailrc.gmail +whitelist ${HOME}/Mail +whitelist ${HOME}/scripts/fetchmail-real.sh +whitelist /tmp/fetchmailrc +include /etc/firejail/whitelist-common.inc + +caps.drop all +nogroups +noroot +nosound +seccomp +x11 none + +# private-bin fetchmail,procmail,bash,chmod +private-dev +# private-etc passwd,hosts,resolv.conf diff --git a/etc/freecad.profile b/etc/freecad.profile new file mode 100644 index 000000000..0467edb6d --- /dev/null +++ b/etc/freecad.profile 
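Review bot: fetchmail.profile ships one contributor's personal layout as the system profile: `whitelist ${HOME}/.procmailrc.brown`, `${HOME}/.procmailrc.gmail`, `${HOME}/scripts/fetchmail-real.sh` and `/tmp/fetchmailrc` (with the comment `I decrypt it into /tmp/fetchmailrc`) are not paths another user has, and the commented-out `private-bin`/`private-etc` lines are dead configuration. A decrypted rc file in /tmp is also readable by every other process and sandbox on the host that does not use `private-tmp`, which is a weaker place for mail credentials than the comment implies. Keep the generic entries (`${HOME}/.fetchmailrc`, `${HOME}/Mail`) here and move the personal whitelists into fetchmail.local, which the profile already includes.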
@@ -0,0 +1,36 @@ +# Firejail profile for freecad +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/freecad.local +# Persistent global definitions +include /etc/firejail/globals.local + +blacklist /boot +blacklist /media +blacklist /mnt +blacklist /opt +blacklist /usr/local/bin +blacklist /usr/local/sbin + +whitelist ${DOWNLOADS} +whitelist ${HOME}/.config/FreeCAD +whitelist ${HOME}/Documents +include /etc/firejail/whitelist-common.inc + +caps.drop all +ipc-namespace +net none +nogroups +noroot +nosound +protocol unix +seccomp +shell none + +private-bin freecad,freecadcmd +private-dev +private-etc fonts,passwd,alternatives,X11 +private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/freecadcmd.profile b/etc/freecadcmd.profile new file mode 100644 index 000000000..41cfd3fab --- /dev/null +++ b/etc/freecadcmd.profile @@ -0,0 +1,5 @@ +# Firejail profile alias for freecad +# This file is overwritten after every install/update + + +include ${HOME}/.config/firejail/freecad.profile diff --git a/etc/google-earth.profile b/etc/google-earth.profile new file mode 100644 index 000000000..a339402e2 --- /dev/null +++ b/etc/google-earth.profile 
@@ -0,0 +1,32 @@ +# Firejail profile for google-earth +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/google-earth.local +# Persistent global definitions +include /etc/firejail/globals.local + +blacklist /boot +blacklist /media +blacklist /mnt + +whitelist ${HOME}/.config/Google +whitelist ${HOME}/.googleearth/Cache/ +whitelist ${HOME}/.googleearth/Temp/ +whitelist ${HOME}/.googleearth/myplaces.backup.kml +whitelist ${HOME}/.googleearth/myplaces.kml +whitelist /tmp/.X11-unix +include /etc/firejail/whitelist-common.inc + +caps.drop all +ipc-namespace +nogroups +noroot +seccomp +shell none + +private-bin google-earth,sh,grep,sed,ls,dirname +private-dev +private-etc fonts,resolv.conf,X11,alternatives,pulse + +noexec /home +noexec /tmp diff --git a/etc/imagej.profile b/etc/imagej.profile new file mode 100644 index 000000000..4404cc9a2 --- /dev/null +++ b/etc/imagej.profile @@ -0,0 +1,34 @@ +# Firejail profile for imagej +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/imagej.local +# Persistent global definitions +include /etc/firejail/globals.local + +blacklist /boot +blacklist /media +blacklist /mnt +blacklist /opt +blacklist /usr/local/bin +blacklist /usr/local/sbin + +whitelist ${DOWNLOADS} +whitelist ${HOME}/.gtkrc-2.0 +whitelist ${HOME}/.gtkrc.mine +whitelist ${HOME}/.imagej +whitelist ${HOME}/.themes +whitelist ${HOME}/Pictures +include /etc/firejail/whitelist-common.inc + +caps.drop all +ipc-namespace +net none +nogroups +nonewprivs +noroot +seccomp + +private-bin imagej,bash,grep,sort,tail,tr,cut,whoami,hostname,uname,mkdir,ls,touch,free,awk,update-java-alternatives,basename,xprop,rm,ln +private-dev +# private-etc passwd,alternatives,hosts,fonts,X11 +private-tmp diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile new file mode 100644 index 000000000..b982bd045 --- /dev/null +++ b/etc/kdenlive.profile 
@@ -0,0 +1,32 @@ +# Firejail profile for kdenlive +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/kdenlive.local +# Persistent global definitions +include /etc/firejail/globals.local + +blacklist /boot +blacklist /media +blacklist /mnt +blacklist /opt + +# Apparently these break kdenlive for some people - they work for me though? +# whitelist ${DOWNLOADS} +# whitelist ${HOME}/.config/ +# whitelist ${HOME}/Videos +# whitelist ${HOME}/kdenlive +whitelist /tmp/.X11-unix +# DBus is forced to use an ordinary unix socket +whitelist /tmp/dbus_session_socket +include /etc/firejail/whitelist-common.inc + +caps.drop all +net none +nogroups +noroot +seccomp +shell none + +private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper +private-dev +private-etc fonts,alternatives,X11,pulse,passwd diff --git a/etc/linphone.profile b/etc/linphone.profile new file mode 100644 index 000000000..850fcb320 --- /dev/null +++ b/etc/linphone.profile @@ -0,0 +1,22 @@ +# Firejail profile for linphone +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/linphone.local +# Persistent global definitions +include /etc/firejail/globals.local + +blacklist /boot +blacklist /media +blacklist /mnt +blacklist /opt + +whitelist ${HOME}/.gtkrc-2.0 +whitelist ${HOME}/.gtkrc.mine +whitelist ${HOME}/.linphone-history.db +whitelist ${HOME}/.linphonerc +whitelist ${HOME}/Downloads +include /etc/firejail/whitelist-common.inc + +caps.drop all +noroot +seccomp diff --git a/etc/lmms.profile b/etc/lmms.profile new file mode 100644 index 000000000..8ac039cc0 --- /dev/null +++ b/etc/lmms.profile 
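Review bot: `whitelist ${HOME}/Downloads` in linphone.profile hard-codes the directory name where every other profile in this commit uses `whitelist ${DOWNLOADS}`, so a user with a localized or relocated downloads folder gets access to neither. Suggest `whitelist ${DOWNLOADS}`. The profile also stops at `caps.drop all`, `noroot`, `seccomp`; if leaving out `nonewprivs`, `private-dev` and `private-tmp` is deliberate for a SIP client, a comment should say so.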
@@ -0,0 +1,32 @@ +# Firejail profile for lmms +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/lmms.local +# Persistent global definitions +include /etc/firejail/globals.local + +blacklist /boot +blacklist /media +blacklist /mnt +blacklist /opt + +whitelist ${DOWNLOADS} +whitelist ${HOME}/.lmmsrc.xml +whitelist ${HOME}/Music +whitelist ${HOME}/lmms +whitelist /tmp/.X11-unix +include /etc/firejail/whitelist-common.inc + +caps.drop all +ipc-namespace +net none +nogroups +noroot +seccomp +shell none + +private-dev +private-etc fonts,pulse + +noexec /home +noexec /tmp diff --git a/etc/macrofusion.profile b/etc/macrofusion.profile new file mode 100644 index 000000000..287a5ea85 --- /dev/null +++ b/etc/macrofusion.profile @@ -0,0 +1,28 @@ +# Firejail profile for macrofusion +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/macrofusion.local +# Persistent global definitions +include /etc/firejail/globals.local + + +whitelist ${DOWNLOADS} +whitelist ${HOME}/.config/gtk-3.0 +whitelist ${HOME}/.config/mfusion +whitelist ${HOME}/.themes +whitelist ${HOME}/Pictures +include /etc/firejail/whitelist-common.inc + +caps.drop all +ipc-namespace +net none +nogroups +nonewprivs +noroot +seccomp +shell none + +private-bin python3,macrofusion,env,enfuse,exiftool,align_image_stack +private-dev +private-etc fonts +private-tmp diff --git a/etc/mpd.profile b/etc/mpd.profile new file mode 100644 index 000000000..44baab7e9 --- /dev/null +++ b/etc/mpd.profile 
@@ -0,0 +1,26 @@ +# Firejail profile for mpd +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/mpd.local +# Persistent global definitions +include /etc/firejail/globals.local + +blacklist /boot +blacklist /media +blacklist /mnt +blacklist /opt + +whitelist ${HOME}/.config/pulse/ +whitelist ${HOME}/.mpdconf +whitelist ${HOME}/.pulse/ +whitelist ${HOME}/Music +whitelist ${HOME}/mpd +include /etc/firejail/whitelist-common.inc + +caps.drop all +noroot +seccomp + +private-bin mpd,bash +private-dev +read-only ${HOME}/Music/ diff --git a/etc/natron.profile b/etc/natron.profile new file mode 100644 index 000000000..6101d1331 --- /dev/null +++ b/etc/natron.profile @@ -0,0 +1,34 @@ +# Firejail profile for natron +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/natron.local +# Persistent global definitions +include /etc/firejail/globals.local + +# Contributed by triceratops1 (https://github.com/triceratops1) + +blacklist /boot +blacklist /media +blacklist /mnt +blacklist /usr/local/bin +blacklist /usr/local/sbin + +whitelist ${DOWNLOADS} +whitelist ${HOME}/.Natron +whitelist ${HOME}/.cache/INRIA/Natron/ +whitelist ${HOME}/.config/INRIA/ +whitelist ${HOME}/.gtkrc-2.0 +whitelist ${HOME}/.themes +whitelist ${HOME}/Videos +whitelist /opt/natron/ +whitelist /tmp/.X11-unix/ +include /etc/firejail/whitelist-common.inc + +ipc-namespace +shell none + +private-bin natron +private-etc fonts,X11,pulse + +noexec ${HOME} +noexec /tmp diff --git a/etc/ricochet.profile b/etc/ricochet.profile new file mode 100644 index 000000000..47b16b30e --- /dev/null +++ b/etc/ricochet.profile 
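Review bot: natron.profile is the only new profile in this commit without `caps.drop all`, `noroot` or `seccomp` — its restriction block is just `ipc-namespace` and `shell none` — so the sandbox keeps full capabilities and the unfiltered syscall set despite the whitelist and `private-bin natron`. Unless Natron is known to break under them, the three lines every sibling profile carries should be added, `caps.drop all`, `noroot`, `seccomp`; if one of them was dropped on purpose, a note next to the `# Contributed by` line should record which one and why.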
@@ -0,0 +1,30 @@ +# Firejail profile for ricochet +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/ricochet.local +# Persistent global definitions +include /etc/firejail/globals.local + +blacklist /boot +blacklist /media +blacklist /mnt +blacklist /opt + +whitelist ${DOWNLOADS} +whitelist ${HOME}/.local/share/Ricochet +whitelist /tmp/.X11-unix +include /etc/firejail/whitelist-common.inc + +caps.drop all +ipc-namespace +nogroups +noroot +seccomp +shell none + +private-bin ricochet,tor +private-dev +private-etc fonts,tor,X11,alternatives + +noexec /home +noexec /tmp diff --git a/etc/shotcut.profile b/etc/shotcut.profile new file mode 100644 index 000000000..2bf3cc2e0 --- /dev/null +++ b/etc/shotcut.profile @@ -0,0 +1,28 @@ +# Firejail profile for shotcut +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/shotcut.local +# Persistent global definitions +include /etc/firejail/globals.local + +blacklist /usr/local/bin + +whitelist ${DOWNLOADS} +whitelist ${HOME}/.config/Meltytech +whitelist ${HOME}/Videos +whitelist /tmp/.X11-unix +include /etc/firejail/whitelist-common.inc + +caps.drop all +net none +nogroups +noroot +seccomp +shell none + +private-bin shotcut,melt,qmelt,nice +private-dev +private-etc X11,alternatives,pulse,fonts + +noexec ${HOME} +noexec /tmp diff --git a/etc/tor-browser-en.profile b/etc/tor-browser-en.profile new file mode 100644 index 000000000..1f0b61c75 --- /dev/null +++ b/etc/tor-browser-en.profile 
@@ -0,0 +1,41 @@
+# Firejail profile for tor-browser-en
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/tor-browser-en.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+blacklist /usr/local/bin
+blacklist /var
+
+whitelist ${HOME}/.tor-browser-en
+whitelist /dev/dri
+whitelist /dev/full
+whitelist /dev/null
+whitelist /dev/ptmx
+whitelist /dev/pts
+whitelist /dev/random
+whitelist /dev/shm
+whitelist /dev/snd
+whitelist /dev/tty
+whitelist /dev/urandom
+whitelist /dev/video0
+whitelist /dev/zero
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+noroot
+seccomp
+shell none
+
+private-bin bash,grep,sed,tail,tor-browser-en,env,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf,file,expr
+# FIXME: Spoof D-Bus machine id (tor-browser segfaults when it is missing!)
+# https://github.com/netblue30/firejail/issues/955
+private-etc X11,pulse,machine-id
+private-tmp
+
+noexec /tmp
diff --git a/etc/tor.profile b/etc/tor.profile
new file mode 100644
index 000000000..2e2172cad
--- /dev/null
+++ b/etc/tor.profile
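Review bot: `private-etc X11,pulse,machine-id` hands the host's real `/etc/machine-id` — a stable per-machine identifier — to a browser whose purpose is anonymity; the FIXME above explains why it is there, but the profile should state the consequence plainly until issue 955 is resolved, e.g. `# NOTE: the real machine-id is visible inside the sandbox until a spoofed one can be mounted`. The `whitelist /dev/video0` and `whitelist /dev/snd` entries similarly expose camera and audio devices that the other profiles in this commit hide with `private-dev`; if the browser does not need them, the whole `/dev` whitelist could be replaced by `private-dev`. Minor: `sed` is listed twice in `private-bin`.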
@@ -0,0 +1,38 @@
+# Firejail profile for tor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/tor.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# How to use:
+# Create a script called anything (e.g. mytor)
+# with the following contents:
+# #!/bin/bash
+# TORCMD="tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 1"
+# sudo -b daemon -f -d -- firejail --profile=/home//.config/firejail/tor.profile $TORCMD
+
+# You'll also likely want to disable the system service (if it exists)
+# Run mytor (or whatever you called the script above) whenever you want to start tor
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
+caps.keep setuid,setgid,net_bind_service,dac_read_search
+ipc-namespace
+no3d
+nogroups
+nonewprivs
+nosound
+seccomp
+shell none
+writable-var
+x11 none
+
+private
+private-bin tor,bash
+private-dev
+private-etc tor,passwd
+private-tmp
diff --git a/etc/x-terminal-emulator.profile b/etc/x-terminal-emulator.profile
new file mode 100644
index 000000000..eb4c58480
--- /dev/null
+++ b/etc/x-terminal-emulator.profile
@@ -0,0 +1,25 @@
+# Firejail profile for x-terminal-emulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/x-terminal-emulator.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+whitelist /tmp/.X11-unix/X470
+whitelist /tmp/fcitx-socket-:0
+whitelist /tmp/user/1000/
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+env DISPLAY=:470
+ipc-namespace
+net none
+netfilter
+nogroups
+noroot
+seccomp
+
+private-dev
+
+noexec /tmp
diff --git a/etc/zart.profile b/etc/zart.profile
new file mode 100644
index 000000000..654679174
--- /dev/null
+++ b/etc/zart.profile
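Review bot: The usage comment tells the operator to start firejail as root with `--profile=/home//.config/firejail/tor.profile`: the path has an empty user component, and more importantly it makes a root-started sandbox read its policy from a user-writable file, so whoever can edit that file also edits the capabilities retained by `caps.keep setuid,setgid,net_bind_service,dac_read_search`. The packaged, root-owned copy is the safer reference: `# sudo -b daemon -f -d -- firejail --profile=/etc/firejail/tor.profile $TORCMD`. `private-bin tor,bash` keeps a shell in a daemon sandbox that already has `shell none`; unless the wrapper needs it inside the jail, `private-bin tor` is enough.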
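Review bot: `whitelist /tmp/.X11-unix/X470`, `env DISPLAY=:470` and `whitelist /tmp/user/1000/` are values from one machine — a display number and a uid — shipped in a system-wide profile; on any other host the socket whitelist matches nothing and `DISPLAY` is forced to a display that does not exist, so the terminal cannot start. The display-specific lines should be replaced by `whitelist /tmp/.X11-unix` without the `env` override, and the uid-specific `/tmp/user/1000/` (and `whitelist /tmp/fcitx-socket-:0`, which is tied to the same display) belong in `x-terminal-emulator.local`. `netfilter` next to `net none` is also inert, since no network interface exists to filter.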
@@ -0,0 +1,27 @@
+# Firejail profile for zart
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/zart.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# Contributed by triceratops1 (https://github.com/triceratops1)
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/Videos
+whitelist /tmp/.X11-unix
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+noroot
+seccomp
+shell none
+
+private-bin zart,ffmpeg,melt,ffprobe,ffplay
+private-dev
+private-etc fonts,X11
+
+noexec ${HOME}
+noexec /tmp
-- cgit v1.2.3-70-g09d2
From c435504a3eb66dee9a2964658bce8e17627e9c68 Mon Sep 17 00:00:00 2001
From: juan
Date: Sat, 16 Sep 2017 13:20:36 -0400
Subject: Add 5 profiles
---
etc/ardour4.profile | 34 ++++++++++++++++++++++++++++++++++
etc/dooble-qt4.profile | 33 +++++++++++++++++++++++++++++++++
etc/dooble.profile | 33 +++++++++++++++++++++++++++++++++
etc/karbon.profile | 37 +++++++++++++++++++++++++++++++++++++
etc/krita.profile | 37 +++++++++++++++++++++++++++++++++++++
5 files changed, 174 insertions(+)
create mode 100644 etc/ardour4.profile
create mode 100644 etc/dooble-qt4.profile
create mode 100644 etc/dooble.profile
create mode 100644 etc/karbon.profile
create mode 100644 etc/krita.profile
(limited to 'etc')
diff --git a/etc/ardour4.profile b/etc/ardour4.profile
new file mode 100644
index 000000000..3a52edb66
--- /dev/null
+++ b/etc/ardour4.profile
@@ -0,0 +1,34 @@
+# Firejail profile for ardour4
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/ardour4.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ~/.config/ardour4
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ~/.config/ardour4
+whitelist ~/.config/ardour4
+whitelist ~/Music
+whitelist ~/Música
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin ardour4
+private-dev
+# private-etc ardour4
+private-tmp
diff --git a/etc/dooble-qt4.profile b/etc/dooble-qt4.profile
new file mode 100644
index 000000000..ec85c7b58
--- /dev/null
+++ b/etc/dooble-qt4.profile
@@ -0,0 +1,33 @@
+# Firejail profile for dooble-qt4
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/dooble-qt4.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ~/.dooble
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ~/.dooble
+mkdir ~/usr/lib/dooble-qt4
+whitelist ${DOWNLOADS}
+whitelist ~/.config/keepassx
+whitelist ~/.config/lastpass
+whitelist ~/.dooble
+whitelist ~/.keepassx
+whitelist ~/.lastpass
+whitelist ~/keepassx.kdbx
+whitelist ~/usr/lib/dooble
+whitelist ~/usr/lib/dooble-qt4
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
diff --git a/etc/dooble.profile b/etc/dooble.profile
new file mode 100644
index 000000000..13e4ead96
--- /dev/null
+++ b/etc/dooble.profile
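Review bot: `whitelist ~/Música` bakes a Spanish-locale music folder into a profile shipped to every user, beside the English `~/Music`; locale- or user-specific folder names belong in `ardour4.local`, not in the packaged profile. The file also spells home as `~/` where the rest of the tree uses `${HOME}` — presumably firejail expands both, but the mixed spelling makes a search for a given path across profiles unreliable, so `noblacklist ${HOME}/.config/ardour4` and friends would be the consistent form.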
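Review bot: `mkdir ~/usr/lib/dooble-qt4` together with `whitelist ~/usr/lib/dooble` and `whitelist ~/usr/lib/dooble-qt4` looks like a typo for `/usr/lib/...`: as written it creates an empty `usr/lib/dooble-qt4` tree under the user's home and whitelists that, while the real library directory is not referenced at all. The same hunk whitelists `~/.keepassx`, `~/.lastpass`, `~/keepassx.kdbx`, `~/.config/keepassx` and `~/.config/lastpass` — password-manager vaults — inside a web-browser sandbox, and unlike ardour4 above it omits `include /etc/firejail/disable-passwdmgr.inc`; a packaged browser profile should include that file and leave any vault integration to a narrowly scoped entry in `dooble-qt4.local`. etc/dooble.profile in the next hunk has both issues.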
@@ -0,0 +1,33 @@
+# Firejail profile for dooble
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/dooble.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ~/.dooble
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ~/.dooble
+mkdir ~/usr/lib/dooble-qt4
+whitelist ${DOWNLOADS}
+whitelist ~/.config/keepassx
+whitelist ~/.config/lastpass
+whitelist ~/.dooble
+whitelist ~/.keepassx
+whitelist ~/.lastpass
+whitelist ~/keepassx.kdbx
+whitelist ~/usr/lib/dooble
+whitelist ~/usr/lib/dooble-qt4
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
diff --git a/etc/karbon.profile b/etc/karbon.profile
new file mode 100644
index 000000000..da72432f7
--- /dev/null
+++ b/etc/karbon.profile
@@ -0,0 +1,37 @@
+# Firejail profile for karbon
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/karbon.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/Trolltech.conf
+whitelist ${HOME}/.gtkrc-2.0
+whitelist ${HOME}/.kde4
+whitelist ${HOME}/.themes
+whitelist ${HOME}/Images
+whitelist /tmp/.X11-unix
+# DBus has been forced to use an ordinary unix socket
+whitelist /tmp/dbus_session_socket
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nogroups
+noroot
+seccomp
+shell none
+
+# private-bin krita,dbus-launch
+private-dev
+# private-etc fonts,passwd,alternatives,X11
+
+noexec /home
+noexec /tmp
diff --git a/etc/krita.profile b/etc/krita.profile
new file mode 100644
index 000000000..f6e62e387
--- /dev/null
+++ b/etc/krita.profile
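Review bot: `# private-bin krita,dbus-launch` in karbon.profile names the wrong program — the line is copied from krita.profile in the next hunk and would confine the wrong binary if anyone uncomments it; it should read `# private-bin karbon,dbus-launch`. `whitelist /tmp/dbus_session_socket` with the comment "DBus has been forced to use an ordinary unix socket" describes one author's local D-Bus configuration rather than a distribution default, and `whitelist ${HOME}/Images` is a non-XDG folder name; both read as `karbon.local` material and the comment should say the socket path is site-specific. The same two whitelist entries appear in krita.profile.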
@@ -0,0 +1,37 @@
+# Firejail profile for krita
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/krita.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/Trolltech.conf
+whitelist ${HOME}/.gtkrc-2.0
+whitelist ${HOME}/.kde4
+whitelist ${HOME}/.themes
+whitelist ${HOME}/Images
+whitelist /tmp/.X11-unix
+# DBus has been forced to use an ordinary unix socket
+whitelist /tmp/dbus_session_socket
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nogroups
+noroot
+seccomp
+shell none
+
+# private-bin krita,dbus-launch
+private-dev
+# private-etc fonts,passwd,alternatives,X11
+
+noexec /home
+noexec /tmp
-- cgit v1.2.3-70-g09d2
From 60606c2d041dc08b0af10baff1b18dbf507f8d81 Mon Sep 17 00:00:00 2001
From: Tad Date: Sat, 16 Sep 2017 13:47:31 -0400 Subject: Fixup 36 profiles --- etc/Viber.profile | 20 +++++++------------- etc/amule.profile | 17 +++++++---------- etc/ardour4.profile | 33 ++------------------------------- etc/ardour5.profile | 25 +++++++++++-------------- etc/brackets.profile | 18 ++++++------------ etc/calligra.profile | 21 +++++---------------- etc/calligraauthor.profile | 2 +- etc/calligraconverter.profile | 2 +- etc/calligraflow.profile | 2 +- etc/calligraplan.profile | 2 +- etc/calligraplanwork.profile | 2 +- etc/calligrasheets.profile | 2 +- etc/calligrastage.profile | 2 +- etc/calligrawords.profile | 2 +- etc/cin.profile | 16 ++++++---------- etc/dooble-qt4.profile | 32 ++------------------------------ etc/dooble.profile | 16 +++++----------- etc/fetchmail.profile | 17 ++++------------- etc/freecad.profile | 18 +++++++----------- etc/freecadcmd.profile | 2 +- etc/google-earth.profile | 22 ++++++++++++---------- etc/imagej.profile | 19 ++++++------------- etc/karbon.profile | 20 ++++---------------- etc/kdenlive.profile | 19 +++++-------------- etc/krita.profile | 20 ++++---------------- etc/linphone.profile | 15 +++++++++------ etc/lmms.profile | 16 ++++++---------- etc/macrofusion.profile | 16 ++++++++-------- etc/mpd.profile | 19 +++++++------------ etc/natron.profile | 26 +++++++++----------------- etc/ricochet.profile | 14 ++++++++------ etc/shotcut.profile | 14 +++++++------- etc/tor-browser-en.profile | 28 +++++++--------------------- etc/tor.profile | 10 +++++----- etc/x-terminal-emulator.profile | 6 ------ etc/zart.profile | 10 ++++------ 36 files changed, 172 insertions(+), 353 deletions(-) (limited to 'etc') diff --git a/etc/Viber.profile b/etc/Viber.profile index 5de92f36f..ee1ab6219 100644 --- a/etc/Viber.profile +++ b/etc/Viber.profile 
@@ -6,21 +6,15 @@ include /etc/firejail/Viber.local include /etc/firejail/globals.local +noblacklist ${HOME}/.ViberPC + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + whitelist ${DOWNLOADS} whitelist ${HOME}/.ViberPC -whitelist /dev/dri -whitelist /dev/full -whitelist /dev/null -whitelist /dev/ptmx -whitelist /dev/pts -whitelist /dev/random -whitelist /dev/shm -whitelist /dev/snd -whitelist /dev/tty -whitelist /dev/urandom -whitelist /dev/video0 -whitelist /dev/zero -whitelist /opt/viber include /etc/firejail/whitelist-common.inc caps.drop all diff --git a/etc/amule.profile b/etc/amule.profile index 5cd6e613e..48aad759d 100644 --- a/etc/amule.profile +++ b/etc/amule.profile @@ -5,18 +5,16 @@ include /etc/firejail/amule.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt -blacklist /usr/local/bin -blacklist /usr/local/sbin + +noblacklist ${HOME}/.aMule + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc whitelist ${DOWNLOADS} whitelist ${HOME}/.aMule -whitelist ${HOME}/.gtkrc-2.0 -whitelist ${HOME}/.gtkrc.mine -whitelist ${HOME}/.themes include /etc/firejail/whitelist-common.inc caps.drop all @@ -29,5 +27,4 @@ shell none private-bin amule private-dev -private-etc fonts,hosts private-tmp diff --git a/etc/ardour4.profile b/etc/ardour4.profile index 3a52edb66..095685364 100644 --- a/etc/ardour4.profile +++ b/etc/ardour4.profile 
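Review bot: `-private-etc fonts,hosts` is dropped from amule.profile with no replacement and no explanation, so the sandbox now sees all of `/etc`; the same relaxation is made — as a commented-out line rather than a removal — in ardour5, calligra, cin, freecad, google-earth, kdenlive, macrofusion, natron, ricochet and shotcut, and `private-bin` is commented out in ardour5, macrofusion and mpd. "Fixup" does not say why; if these broke the applications, a one-line comment at each site such as `# private-etc disabled: breaks <app> — see <issue>` (placeholders) keeps the widening auditable and lets it be re-tightened later. Keeping the line commented here as well, as the other files do, would at least preserve the intended list.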
@@ -1,34 +1,5 @@ -# Firejail profile for ardour4 +# Firejail profile alias for ardour5 # This file is overwritten after every install/update -# Persistent local customizations -include /etc/firejail/ardour4.local -# Persistent global definitions -include /etc/firejail/globals.local -noblacklist ~/.config/ardour4 -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-passwdmgr.inc -include /etc/firejail/disable-programs.inc - -mkdir ~/.config/ardour4 -whitelist ~/.config/ardour4 -whitelist ~/Music -whitelist ~/Música -include /etc/firejail/whitelist-common.inc - -caps.drop all -netfilter -nogroups -nonewprivs -noroot -protocol unix -seccomp -shell none -tracelog - -# private-bin ardour4 -private-dev -# private-etc ardour4 -private-tmp +include /etc/firejail/ardour5.profile diff --git a/etc/ardour5.profile b/etc/ardour5.profile index f17c74e2b..42744f4dd 100644 --- a/etc/ardour5.profile +++ b/etc/ardour5.profile @@ -5,19 +5,16 @@ include /etc/firejail/ardour5.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt -blacklist /usr/local/bin -whitelist ${DOWNLOADS} -whitelist ${HOME}/.config/ardour4 -whitelist ${HOME}/.config/ardour5 -whitelist ${HOME}/.lv2 -whitelist ${HOME}/.vst -whitelist ${HOME}/Documents -include /etc/firejail/whitelist-common.inc +noblacklist ${HOME}/.config/ardour4 +noblacklist ${HOME}/.config/ardour5 +noblacklist ${HOME}/.lv2 +noblacklist ${HOME}/.vst + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace 
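Review bot: The ardour5 hunk removes `include /etc/firejail/whitelist-common.inc` and every `whitelist` entry, leaving only `noblacklist` lines plus the `disable-*.inc` includes; that changes the model from "only these home paths are visible" to "everything in $HOME except blacklisted paths", a considerable widening for a program that previously saw `${DOWNLOADS}`, `Documents` and its own config. brackets, calligra, cin, fetchmail, freecad, imagej, karbon, kdenlive, krita, lmms, macrofusion, mpd, natron and shotcut get the same treatment in this commit, while Viber, amule, dooble, google-earth, linphone, ricochet and tor-browser-en keep their whitelist. If the whitelists were removed because they broke file dialogs, the commit message or a comment per file should say so; otherwise the narrower fix is to keep the whitelist and add `mkdir`/`whitelist` for the missing project folders.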
@@ -27,9 +24,9 @@ noroot seccomp shell none -private-bin sh,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm +#private-bin sh,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm private-dev -private-etc pulse,X11,alternatives,ardour4,ardour5,fonts +#private-etc pulse,X11,alternatives,ardour4,ardour5,fonts private-tmp noexec /home diff --git a/etc/brackets.profile b/etc/brackets.profile index 3c7622435..151d88bdd 100644 --- a/etc/brackets.profile +++ b/etc/brackets.profile @@ -5,19 +5,13 @@ include /etc/firejail/brackets.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt +noblacklist ${HOME}/.config/Brackets +noblacklist /opt/brackets/ +noblacklist /opt/google/ -whitelist ${DOWNLOADS} -whitelist ${HOME}/.config/Brackets -whitelist ${HOME}/.gtkrc-2.0 -whitelist ${HOME}/.themes -whitelist ${HOME}/Documents -whitelist /opt/brackets/ -whitelist /opt/google/ -whitelist /tmp/.X11-unix -include /etc/firejail/whitelist-common.inc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all # Comment out or use --ignore=net if you want to install extensions or themes diff --git a/etc/calligra.profile b/etc/calligra.profile index 260097560..58006f203 100644 --- a/etc/calligra.profile +++ b/etc/calligra.profile 
@@ -5,21 +5,10 @@ include /etc/firejail/calligra.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt - -whitelist ${DOWNLOADS} -whitelist ${HOME}/.config/Trolltech.conf -whitelist ${HOME}/.gtkrc-2.0 -whitelist ${HOME}/.kde -whitelist ${HOME}/.themes -whitelist ${HOME}/Documents -whitelist /tmp/.X11-unix -# DBus is forced to use an ordinary unix socket -whitelist /tmp/dbus_session_socket -include /etc/firejail/whitelist-common.inc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace @@ -31,7 +20,7 @@ shell none private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch private-dev -private-etc fonts,passwd,alternatives,X11 +#private-etc fonts,passwd,alternatives,X11 noexec /home noexec /tmp diff --git a/etc/calligraauthor.profile b/etc/calligraauthor.profile index 2b005c5c9..162823019 100644 --- a/etc/calligraauthor.profile +++ b/etc/calligraauthor.profile @@ -2,4 +2,4 @@ # This file is overwritten after every install/update -include ${HOME}/.config/firejail/calligra.profile +include /etc/firejail/calligra.profile diff --git a/etc/calligraconverter.profile b/etc/calligraconverter.profile index 2b005c5c9..162823019 100644 --- a/etc/calligraconverter.profile +++ b/etc/calligraconverter.profile @@ -2,4 +2,4 @@ # This file is overwritten after every install/update -include ${HOME}/.config/firejail/calligra.profile +include /etc/firejail/calligra.profile diff --git a/etc/calligraflow.profile b/etc/calligraflow.profile index 2b005c5c9..162823019 100644 --- a/etc/calligraflow.profile +++ b/etc/calligraflow.profile 
@@ -2,4 +2,4 @@ # This file is overwritten after every install/update -include ${HOME}/.config/firejail/calligra.profile +include /etc/firejail/calligra.profile diff --git a/etc/calligraplan.profile b/etc/calligraplan.profile index 2b005c5c9..162823019 100644 --- a/etc/calligraplan.profile +++ b/etc/calligraplan.profile @@ -2,4 +2,4 @@ # This file is overwritten after every install/update -include ${HOME}/.config/firejail/calligra.profile +include /etc/firejail/calligra.profile diff --git a/etc/calligraplanwork.profile b/etc/calligraplanwork.profile index 2b005c5c9..162823019 100644 --- a/etc/calligraplanwork.profile +++ b/etc/calligraplanwork.profile @@ -2,4 +2,4 @@ # This file is overwritten after every install/update -include ${HOME}/.config/firejail/calligra.profile +include /etc/firejail/calligra.profile diff --git a/etc/calligrasheets.profile b/etc/calligrasheets.profile index 2b005c5c9..162823019 100644 --- a/etc/calligrasheets.profile +++ b/etc/calligrasheets.profile @@ -2,4 +2,4 @@ # This file is overwritten after every install/update -include ${HOME}/.config/firejail/calligra.profile +include /etc/firejail/calligra.profile diff --git a/etc/calligrastage.profile b/etc/calligrastage.profile index 2b005c5c9..162823019 100644 --- a/etc/calligrastage.profile +++ b/etc/calligrastage.profile @@ -2,4 +2,4 @@ # This file is overwritten after every install/update -include ${HOME}/.config/firejail/calligra.profile +include /etc/firejail/calligra.profile diff --git a/etc/calligrawords.profile b/etc/calligrawords.profile index 2b005c5c9..162823019 100644 --- a/etc/calligrawords.profile +++ b/etc/calligrawords.profile @@ -2,4 +2,4 @@ # This file is overwritten after every install/update -include ${HOME}/.config/firejail/calligra.profile +include /etc/firejail/calligra.profile diff --git a/etc/cin.profile b/etc/cin.profile index 3a8a4d8de..e895805eb 100644 --- a/etc/cin.profile +++ b/etc/cin.profile 
@@ -5,16 +5,12 @@ include /etc/firejail/cin.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt +noblacklist ${HOME}/.bcast5 -whitelist ${DOWNLOADS} -whitelist ${HOME}/.bcast5 -whitelist ${HOME}/Videos -whitelist /tmp/.X11-unix -include /etc/firejail/whitelist-common.inc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace @@ -26,7 +22,7 @@ shell none private-bin cin private-dev -private-etc fonts,pulse +#private-etc fonts,pulse noexec /home noexec /tmp diff --git a/etc/dooble-qt4.profile b/etc/dooble-qt4.profile index ec85c7b58..67df7ce36 100644 --- a/etc/dooble-qt4.profile +++ b/etc/dooble-qt4.profile @@ -1,33 +1,5 @@ -# Firejail profile for dooble-qt4 +# Firejail profile alias for dooble # This file is overwritten after every install/update -# Persistent local customizations -include /etc/firejail/dooble-qt4.local -# Persistent global definitions -include /etc/firejail/globals.local -noblacklist ~/.dooble -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-programs.inc - -mkdir ~/.dooble -mkdir ~/usr/lib/dooble-qt4 -whitelist ${DOWNLOADS} -whitelist ~/.config/keepassx -whitelist ~/.config/lastpass -whitelist ~/.dooble -whitelist ~/.keepassx -whitelist ~/.lastpass -whitelist ~/keepassx.kdbx -whitelist ~/usr/lib/dooble -whitelist ~/usr/lib/dooble-qt4 -include /etc/firejail/whitelist-common.inc - -caps.drop all -netfilter -nonewprivs -noroot -protocol unix,inet,inet6,netlink -seccomp -tracelog +include /etc/firejail/dooble.profile diff --git a/etc/dooble.profile b/etc/dooble.profile index 13e4ead96..cbb0f96b8 100644 --- a/etc/dooble.profile +++ b/etc/dooble.profile 
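Review bot: After this hunk dooble-qt4.profile is an alias for dooble.profile, while dooble.profile in the next hunk is retitled "profile for dooble-qt4" and switches its customization include to `/etc/firejail/dooble-qt4.local`; the result is that neither file reads `dooble.local` any more, so a user of the `dooble` binary who puts overrides into `dooble.local` gets nothing. Either keep `include /etc/firejail/dooble.local` in dooble.profile (the file that carries the policy), or make dooble.profile the alias and dooble-qt4.profile the real profile, so the `.local` name follows the profile name as it does elsewhere in the tree.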
@@ -1,27 +1,21 @@ -# Firejail profile for dooble +# Firejail profile for dooble-qt4 # This file is overwritten after every install/update # Persistent local customizations -include /etc/firejail/dooble.local +include /etc/firejail/dooble-qt4.local # Persistent global definitions include /etc/firejail/globals.local + noblacklist ~/.dooble include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc -mkdir ~/.dooble -mkdir ~/usr/lib/dooble-qt4 +mkdir ${HOME}/.dooble whitelist ${DOWNLOADS} -whitelist ~/.config/keepassx -whitelist ~/.config/lastpass whitelist ~/.dooble -whitelist ~/.keepassx -whitelist ~/.lastpass -whitelist ~/keepassx.kdbx -whitelist ~/usr/lib/dooble -whitelist ~/usr/lib/dooble-qt4 include /etc/firejail/whitelist-common.inc caps.drop all diff --git a/etc/fetchmail.profile b/etc/fetchmail.profile index dc7f4abc3..2b2be4c16 100644 --- a/etc/fetchmail.profile +++ b/etc/fetchmail.profile @@ -5,26 +5,17 @@ include /etc/firejail/fetchmail.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt -# Location of your fetchmailrc - I decrypt it into /tmp/fetchmailrc -# whitelist ${HOME}/.fetchmailrc.gpg -whitelist ${HOME}/.procmailrc.brown -whitelist ${HOME}/.procmailrc.gmail -whitelist ${HOME}/Mail -whitelist ${HOME}/scripts/fetchmail-real.sh -whitelist /tmp/fetchmailrc -include /etc/firejail/whitelist-common.inc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all nogroups noroot nosound seccomp -x11 none # private-bin fetchmail,procmail,bash,chmod private-dev diff --git a/etc/freecad.profile b/etc/freecad.profile index 0467edb6d..c2d4661e8 100644 --- a/etc/freecad.profile +++ b/etc/freecad.profile 
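Review bot: `-x11 none` is removed from fetchmail.profile without replacement, so a non-graphical mail fetcher regains the X socket and `DISPLAY` that the old profile deliberately cut; nothing in the added lines needs X. Unless it was dropped because it failed on a host without X, `x11 none` should stay next to `nosound`, and if it was, a comment saying so belongs where the line stood. The dooble hunk above also mixes `mkdir ${HOME}/.dooble` with `whitelist ~/.dooble`; one spelling for the same path would be clearer.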
@@ -5,17 +5,13 @@ include /etc/firejail/freecad.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt -blacklist /usr/local/bin -blacklist /usr/local/sbin -whitelist ${DOWNLOADS} -whitelist ${HOME}/.config/FreeCAD -whitelist ${HOME}/Documents -include /etc/firejail/whitelist-common.inc +noblacklist ${HOME}/.config/FreeCAD + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace @@ -29,7 +25,7 @@ shell none private-bin freecad,freecadcmd private-dev -private-etc fonts,passwd,alternatives,X11 +#private-etc fonts,passwd,alternatives,X11 private-tmp noexec ${HOME} diff --git a/etc/freecadcmd.profile b/etc/freecadcmd.profile index 41cfd3fab..82ce8fcaa 100644 --- a/etc/freecadcmd.profile +++ b/etc/freecadcmd.profile @@ -2,4 +2,4 @@ # This file is overwritten after every install/update -include ${HOME}/.config/firejail/freecad.profile +include /etc/firejail/freecad.profile diff --git a/etc/google-earth.profile b/etc/google-earth.profile index a339402e2..11d55281a 100644 --- a/etc/google-earth.profile +++ b/etc/google-earth.profile 
@@ -5,16 +5,18 @@ include /etc/firejail/google-earth.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt +noblacklist ${HOME}/.config/Google +noblacklist ${HOME}/.googleearth +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +mkdir ${HOME}/.config/Google +mkdir ${HOME}/.googleearth whitelist ${HOME}/.config/Google -whitelist ${HOME}/.googleearth/Cache/ -whitelist ${HOME}/.googleearth/Temp/ -whitelist ${HOME}/.googleearth/myplaces.backup.kml -whitelist ${HOME}/.googleearth/myplaces.kml -whitelist /tmp/.X11-unix +whitelist ${HOME}/.googleearth include /etc/firejail/whitelist-common.inc caps.drop all @@ -26,7 +28,7 @@ shell none private-bin google-earth,sh,grep,sed,ls,dirname private-dev -private-etc fonts,resolv.conf,X11,alternatives,pulse +#private-etc fonts,resolv.conf,X11,alternatives,pulse -noexec /home +noexec ${HOME} noexec /tmp diff --git a/etc/imagej.profile b/etc/imagej.profile index 4404cc9a2..4613e378f 100644 --- a/etc/imagej.profile +++ b/etc/imagej.profile @@ -5,20 +5,13 @@ include /etc/firejail/imagej.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt -blacklist /usr/local/bin -blacklist /usr/local/sbin -whitelist ${DOWNLOADS} -whitelist ${HOME}/.gtkrc-2.0 -whitelist ${HOME}/.gtkrc.mine -whitelist ${HOME}/.imagej -whitelist ${HOME}/.themes -whitelist ${HOME}/Pictures -include /etc/firejail/whitelist-common.inc +noblacklist ${HOME}/.imagej + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace diff --git a/etc/karbon.profile b/etc/karbon.profile index da72432f7..7d7f25ad0 100644 --- a/etc/karbon.profile +++ b/etc/karbon.profile 
@@ -5,21 +5,11 @@ include /etc/firejail/karbon.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt -whitelist ${DOWNLOADS} -whitelist ${HOME}/.config/Trolltech.conf -whitelist ${HOME}/.gtkrc-2.0 -whitelist ${HOME}/.kde4 -whitelist ${HOME}/.themes -whitelist ${HOME}/Images -whitelist /tmp/.X11-unix -# DBus has been forced to use an ordinary unix socket -whitelist /tmp/dbus_session_socket -include /etc/firejail/whitelist-common.inc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace @@ -29,9 +19,7 @@ noroot seccomp shell none -# private-bin krita,dbus-launch private-dev -# private-etc fonts,passwd,alternatives,X11 noexec /home noexec /tmp diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile index b982bd045..b91bd9c41 100644 --- a/etc/kdenlive.profile +++ b/etc/kdenlive.profile @@ -5,20 +5,11 @@ include /etc/firejail/kdenlive.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt -# Apparently these break kdenlive for some people - they work for me though? -# whitelist ${DOWNLOADS} -# whitelist ${HOME}/.config/ -# whitelist ${HOME}/Videos -# whitelist ${HOME}/kdenlive -whitelist /tmp/.X11-unix -# DBus is forced to use an ordinary unix socket -whitelist /tmp/dbus_session_socket -include /etc/firejail/whitelist-common.inc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all net none 
@@ -29,4 +20,4 @@ shell none private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper private-dev -private-etc fonts,alternatives,X11,pulse,passwd +#private-etc fonts,alternatives,X11,pulse,passwd diff --git a/etc/krita.profile b/etc/krita.profile index f6e62e387..d60ef2fa7 100644 --- a/etc/krita.profile +++ b/etc/krita.profile @@ -5,21 +5,11 @@ include /etc/firejail/krita.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt -whitelist ${DOWNLOADS} -whitelist ${HOME}/.config/Trolltech.conf -whitelist ${HOME}/.gtkrc-2.0 -whitelist ${HOME}/.kde4 -whitelist ${HOME}/.themes -whitelist ${HOME}/Images -whitelist /tmp/.X11-unix -# DBus has been forced to use an ordinary unix socket -whitelist /tmp/dbus_session_socket -include /etc/firejail/whitelist-common.inc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace @@ -29,9 +19,7 @@ noroot seccomp shell none -# private-bin krita,dbus-launch private-dev -# private-etc fonts,passwd,alternatives,X11 noexec /home noexec /tmp diff --git a/etc/linphone.profile b/etc/linphone.profile index 850fcb320..8763b348a 100644 --- a/etc/linphone.profile +++ b/etc/linphone.profile 
@@ -5,13 +5,16 @@ include /etc/firejail/linphone.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt +noblacklist ${HOME}/.linphone-history.db +noblacklist ${HOME}/.linphonerc -whitelist ${HOME}/.gtkrc-2.0 -whitelist ${HOME}/.gtkrc.mine +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +mkfile ${HOME}/.linphone-history.db +mkfile ${HOME}/.linphonerc whitelist ${HOME}/.linphone-history.db whitelist ${HOME}/.linphonerc whitelist ${HOME}/Downloads diff --git a/etc/lmms.profile b/etc/lmms.profile index 8ac039cc0..14a7209a9 100644 --- a/etc/lmms.profile +++ b/etc/lmms.profile @@ -5,17 +5,13 @@ include /etc/firejail/lmms.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt -whitelist ${DOWNLOADS} -whitelist ${HOME}/.lmmsrc.xml -whitelist ${HOME}/Music -whitelist ${HOME}/lmms -whitelist /tmp/.X11-unix -include /etc/firejail/whitelist-common.inc +noblacklist ${HOME}/.lmmsrc.xml + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace diff --git a/etc/macrofusion.profile b/etc/macrofusion.profile index 287a5ea85..e53f175f8 100644 --- a/etc/macrofusion.profile +++ b/etc/macrofusion.profile 
@@ -6,12 +6,12 @@ include /etc/firejail/macrofusion.local include /etc/firejail/globals.local -whitelist ${DOWNLOADS} -whitelist ${HOME}/.config/gtk-3.0 -whitelist ${HOME}/.config/mfusion -whitelist ${HOME}/.themes -whitelist ${HOME}/Pictures -include /etc/firejail/whitelist-common.inc +noblacklist ${HOME}/.config/mfusion + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace @@ -22,7 +22,7 @@ noroot seccomp shell none -private-bin python3,macrofusion,env,enfuse,exiftool,align_image_stack +#private-bin python3,macrofusion,env,enfuse,exiftool,align_image_stack private-dev -private-etc fonts +#private-etc fonts private-tmp diff --git a/etc/mpd.profile b/etc/mpd.profile index 44baab7e9..ebcdca443 100644 --- a/etc/mpd.profile +++ b/etc/mpd.profile @@ -5,22 +5,17 @@ include /etc/firejail/mpd.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt -whitelist ${HOME}/.config/pulse/ -whitelist ${HOME}/.mpdconf -whitelist ${HOME}/.pulse/ -whitelist ${HOME}/Music -whitelist ${HOME}/mpd -include /etc/firejail/whitelist-common.inc +noblacklist ${HOME}/.mpdconf + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all noroot seccomp -private-bin mpd,bash +#private-bin mpd,bash private-dev -read-only ${HOME}/Music/ diff --git a/etc/natron.profile b/etc/natron.profile index 6101d1331..8f266f56c 100644 --- a/etc/natron.profile +++ b/etc/natron.profile 
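Review bot: `-read-only ${HOME}/Music/` is dropped from mpd.profile along with the whitelist, so a daemon that in the usual setup only reads its library now has write access to the user's music collection through the blacklist-based view of `$HOME` this commit introduces. The `read-only` line did not depend on the whitelist model and costs nothing; it should come back, e.g. `read-only ${HOME}/Music` after `private-dev`. `private-bin mpd,bash` is commented out rather than fixed — with `shell none` added, `private-bin mpd` alone would likely work and is worth a try before giving up the restriction.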
@@ -5,30 +5,22 @@ include /etc/firejail/natron.local # Persistent global definitions include /etc/firejail/globals.local -# Contributed by triceratops1 (https://github.com/triceratops1) -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /usr/local/bin -blacklist /usr/local/sbin +noblacklist ${HOME}/.Natron +noblacklist ${HOME}/.cache/INRIA/Natron/ +noblacklist ${HOME}/.config/INRIA/ +noblacklist /opt/natron/ -whitelist ${DOWNLOADS} -whitelist ${HOME}/.Natron -whitelist ${HOME}/.cache/INRIA/Natron/ -whitelist ${HOME}/.config/INRIA/ -whitelist ${HOME}/.gtkrc-2.0 -whitelist ${HOME}/.themes -whitelist ${HOME}/Videos -whitelist /opt/natron/ -whitelist /tmp/.X11-unix/ -include /etc/firejail/whitelist-common.inc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc ipc-namespace shell none private-bin natron -private-etc fonts,X11,pulse +#private-etc fonts,X11,pulse noexec ${HOME} noexec /tmp diff --git a/etc/ricochet.profile b/etc/ricochet.profile index 47b16b30e..423dfb887 100644 --- a/etc/ricochet.profile +++ b/etc/ricochet.profile @@ -5,14 +5,16 @@ include /etc/firejail/ricochet.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt + +noblacklist ${HOME}/.local/share/Ricochet + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc whitelist ${DOWNLOADS} whitelist ${HOME}/.local/share/Ricochet -whitelist /tmp/.X11-unix include /etc/firejail/whitelist-common.inc caps.drop all @@ -24,7 +26,7 @@ shell none private-bin ricochet,tor private-dev -private-etc fonts,tor,X11,alternatives +#private-etc fonts,tor,X11,alternatives noexec /home noexec /tmp diff --git a/etc/shotcut.profile b/etc/shotcut.profile index 2bf3cc2e0..1a7ce6bce 100644 
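Review bot: The attribution comment `# Contributed by triceratops1 (https://github.com/triceratops1)` is deleted from natron together with the blacklist lines, although nothing in the hunk replaces the credit; unless the project now tracks contributors elsewhere, keep it as the first line after the includes (the zart hunk in this commit removes the same line). Separately, the new `noblacklist /opt/natron/` only matters because one of the includes below it blacklists /opt, so the ordering is a silent dependency; a short comment such as `# allow Natron's install dir before the disable-*.inc blacklists apply` makes it visible.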
--- a/etc/shotcut.profile +++ b/etc/shotcut.profile @@ -5,13 +5,13 @@ include /etc/firejail/shotcut.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /usr/local/bin -whitelist ${DOWNLOADS} -whitelist ${HOME}/.config/Meltytech -whitelist ${HOME}/Videos -whitelist /tmp/.X11-unix -include /etc/firejail/whitelist-common.inc +noblacklist ${HOME}/.config/Meltytech + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all net none @@ -22,7 +22,7 @@ shell none private-bin shotcut,melt,qmelt,nice private-dev -private-etc X11,alternatives,pulse,fonts +#private-etc X11,alternatives,pulse,fonts noexec ${HOME} noexec /tmp diff --git a/etc/tor-browser-en.profile b/etc/tor-browser-en.profile index 1f0b61c75..65ea41e18 100644 --- a/etc/tor-browser-en.profile +++ b/etc/tor-browser-en.profile @@ -5,26 +5,15 @@ include /etc/firejail/tor-browser-en.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt -blacklist /usr/local/bin -blacklist /var + +noblacklist ${HOME}/.tor-browser-en + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc whitelist ${HOME}/.tor-browser-en -whitelist /dev/dri -whitelist /dev/full -whitelist /dev/null -whitelist /dev/ptmx -whitelist /dev/pts -whitelist /dev/random -whitelist /dev/shm -whitelist /dev/snd -whitelist /dev/tty -whitelist /dev/urandom -whitelist /dev/video0 -whitelist /dev/zero include /etc/firejail/whitelist-common.inc caps.drop all 
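Review bot: The twelve `whitelist /dev/...` lines are removed from tor-browser-en without `private-dev` taking their place, so the sandbox goes from a fixed list of device nodes (dri, null, random, urandom, shm, snd, tty, video0, zero and so on) to the host's entire /dev. Those lines were a hand-rolled `private-dev`; adding `private-dev` after `private-bin` restores the same exposure with one directive and matches the rest of the profiles on this page. The context after this hunk shows `private-bin` and `private-tmp` only, and the later tor-browser-en hunk on this page still does not add it.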
@@ -33,9 +22,6 @@ seccomp shell none private-bin bash,grep,sed,tail,tor-browser-en,env,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf,file,expr -# FIXME: Spoof D-Bus machine id (tor-browser segfaults when it is missing!) -# https://github.com/netblue30/firejail/issues/955 -private-etc X11,pulse,machine-id private-tmp noexec /tmp diff --git a/etc/tor.profile b/etc/tor.profile index 2e2172cad..73577825a 100644 --- a/etc/tor.profile +++ b/etc/tor.profile @@ -8,6 +8,7 @@ include /etc/firejail/globals.local # How to use: # Create a script called anything (e.g. mytor) # with the following contents: + # #!/bin/bash # TORCMD="tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 1" # sudo -b daemon -f -d -- firejail --profile=/home//.config/firejail/tor.profile $TORCMD @@ -15,10 +16,10 @@ include /etc/firejail/globals.local # You'll also likely want to disable the system service (if it exists) # Run mytor (or whatever you called the script above) whenever you want to start tor -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.keep setuid,setgid,net_bind_service,dac_read_search ipc-namespace @@ -29,7 +30,6 @@ nosound seccomp shell none writable-var -x11 none private private-bin tor,bash diff --git a/etc/x-terminal-emulator.profile b/etc/x-terminal-emulator.profile index eb4c58480..aca0d7144 100644 --- a/etc/x-terminal-emulator.profile +++ b/etc/x-terminal-emulator.profile @@ -6,13 +6,7 @@ include /etc/firejail/x-terminal-emulator.local include /etc/firejail/globals.local -whitelist /tmp/.X11-unix/X470 -whitelist /tmp/fcitx-socket-:0 -whitelist /tmp/user/1000/ -include /etc/firejail/whitelist-common.inc - caps.drop all -env DISPLAY=:470 ipc-namespace net none netfilter 
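Review bot: Deleting `private-etc X11,pulse,machine-id` from tor-browser-en also deletes the FIXME explaining that tor-browser segfaults when /etc/machine-id is missing (the removed comment links netblue30/firejail issue 955), so whoever reinstates `private-etc` will hit the crash again with no pointer to the cause. Keep the two comment lines even while the directive is off, i.e. `# FIXME: Spoof D-Bus machine id (tor-browser segfaults when it is missing!)`, the issue link, and a commented `#private-etc X11,pulse,machine-id`, as the other profiles in this commit do with their disabled directives.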
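Review bot: `x11 none` is removed from tor (hunk `@@ -29,7 +30,6 @@`) with nothing in its place, although tor is a headless daemon with no reason to reach an X server; without it, an X11 socket or DISPLAY inherited from the launching shell is reachable from inside the sandbox. If the line was dropped for a compatibility reason, state it in a comment; otherwise restore `x11 none`.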
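Review bot: Removing `whitelist /tmp/.X11-unix/X470`, `whitelist /tmp/fcitx-socket-:0`, `whitelist /tmp/user/1000/` and `env DISPLAY=:470` from x-terminal-emulator is right, since those are one machine's display number and uid and could never work elsewhere, but the hunk also removes `include /etc/firejail/whitelist-common.inc`, so the terminal profile now applies no home whitelist at all. Whether a terminal should see the whole of $HOME is a design choice; a short comment above the option block saying the profile is deliberately blacklist-only would stop a later hardening pass from second-guessing it.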
diff --git a/etc/zart.profile b/etc/zart.profile index 654679174..6022e8260 100644 --- a/etc/zart.profile +++ b/etc/zart.profile @@ -5,12 +5,11 @@ include /etc/firejail/zart.local # Persistent global definitions include /etc/firejail/globals.local -# Contributed by triceratops1 (https://github.com/triceratops1) -whitelist ${DOWNLOADS} -whitelist ${HOME}/Videos -whitelist /tmp/.X11-unix -include /etc/firejail/whitelist-common.inc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace @@ -21,7 +20,6 @@ shell none private-bin zart,ffmpeg,melt,ffprobe,ffplay private-dev -private-etc fonts,X11 noexec ${HOME} noexec /tmp -- cgit v1.2.3-70-g09d2 From 3c3602fe4e747f3489c917f4de991c9043df9751 Mon Sep 17 00:00:00 2001 From: Tad Date: Sat, 16 Sep 2017 14:11:43 -0400 Subject: Harden 25 profiles --- etc/Viber.profile | 5 +++++ etc/amule.profile | 9 +++++++++ etc/ardour5.profile | 5 ++++- etc/brackets.profile | 14 +++++++++----- etc/calligra.profile | 9 ++++++--- etc/cin.profile | 7 +++++-- etc/dooble.profile | 12 ++++++++++++ etc/fetchmail.profile | 9 ++++++++- etc/freecad.profile | 5 ++++- etc/google-earth.profile | 7 ++++++- etc/imagej.profile | 10 +++++++++- etc/karbon.profile | 24 ++---------------------- etc/kdenlive.profile | 4 ++++ etc/krita.profile | 7 +++++++ etc/linphone.profile | 16 ++++++++++++++++ etc/lmms.profile | 10 ++++++++-- etc/macrofusion.profile | 9 ++++++++- etc/mpd.profile | 13 +++++++++++++ etc/natron.profile | 11 +++++++++-- etc/ricochet.profile | 10 +++++++++- etc/shotcut.profile | 7 +++++-- etc/teamspeak3.profile | 16 ++++++++++++++++ etc/tor-browser-en.profile | 8 ++++++++ etc/tor.profile | 9 +++++++++ etc/zart.profile | 6 ++++++ 25 files changed, 197 insertions(+), 45 deletions(-) (limited to 'etc') diff --git a/etc/Viber.profile b/etc/Viber.profile index ee1ab6219..468199dd8 100644 --- a/etc/Viber.profile 
+++ b/etc/Viber.profile @@ -19,11 +19,16 @@ include /etc/firejail/whitelist-common.inc caps.drop all ipc-namespace +netfilter +nodvd nogroups +nonewprivs noroot +notv seccomp shell none +disable-mnt private-bin sh,dig,awk private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf private-tmp diff --git a/etc/amule.profile b/etc/amule.profile index 48aad759d..c59377850 100644 --- a/etc/amule.profile +++ b/etc/amule.profile @@ -19,12 +19,21 @@ include /etc/firejail/whitelist-common.inc caps.drop all ipc-namespace +netfilter +no3d +nodvd nogroups nonewprivs noroot +nosound +notv +novideo seccomp shell none private-bin amule private-dev private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/ardour5.profile b/etc/ardour5.profile index 42744f4dd..738b5990a 100644 --- a/etc/ardour5.profile +++ b/etc/ardour5.profile @@ -19,8 +19,11 @@ include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace net none +nodvd nogroups +nonewprivs noroot +notv seccomp shell none @@ -29,5 +32,5 @@ private-dev #private-etc pulse,X11,alternatives,ardour4,ardour5,fonts private-tmp -noexec /home +noexec ${HOME} noexec /tmp diff --git a/etc/brackets.profile b/etc/brackets.profile index 151d88bdd..0a8c592a7 100644 --- a/etc/brackets.profile +++ b/etc/brackets.profile @@ -14,12 +14,16 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all -# Comment out or use --ignore=net if you want to install extensions or themes -net none -# Disable these if you use live preview (until I figure out a workaround) -# Doing so should be relatively safe since there is no network access +netfilter +nodvd +nogroups +nonewprivs noroot +nosound +notv +novideo +protocol unix,inet,inet6 seccomp +shell none -private-bin bash,brackets,readlink,dirname,google-chrome,cat private-dev diff --git a/etc/calligra.profile b/etc/calligra.profile index 58006f203..e90c8efe8 100644 --- a/etc/calligra.profile 
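Review bot: Replacing `net none` with `netfilter` and `protocol unix,inet,inet6` flips brackets' network default from deny to allow, and the removed comment (`# Comment out or use --ignore=net if you want to install extensions or themes`) was the only place that choice was explained. If the editor is meant to be online now, say so in a comment; if not, keep `net none` and leave `--ignore=net` as the documented opt-in. `private-bin bash,brackets,readlink,dirname,google-chrome,cat` is also deleted outright rather than commented out like the disabled directives elsewhere in this commit, so there is no record of why the binary restriction went away.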
+++ b/etc/calligra.profile @@ -12,15 +12,18 @@ include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace -net none +nodvd nogroups +nonewprivs noroot +notv +novideo +protocol unix seccomp shell none private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch private-dev -#private-etc fonts,passwd,alternatives,X11 -noexec /home +noexec ${HOME} noexec /tmp diff --git a/etc/cin.profile b/etc/cin.profile index e895805eb..93a94c910 100644 --- a/etc/cin.profile +++ b/etc/cin.profile @@ -15,14 +15,17 @@ include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace net none +nodvd nogroups +nonewprivs +notv noroot +protocol unix seccomp shell none private-bin cin private-dev -#private-etc fonts,pulse -noexec /home +noexec ${HOME} noexec /tmp diff --git a/etc/dooble.profile b/etc/dooble.profile index cbb0f96b8..aabfcd8bb 100644 --- a/etc/dooble.profile +++ b/etc/dooble.profile @@ -20,8 +20,20 @@ include /etc/firejail/whitelist-common.inc caps.drop all netfilter +nodvd +nogroups nonewprivs noroot +notv +novideo protocol unix,inet,inet6,netlink seccomp +shell none tracelog + +disable-mnt +private-dev +private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/fetchmail.profile b/etc/fetchmail.profile index 2b2be4c16..9ee59f453 100644 --- a/etc/fetchmail.profile +++ b/etc/fetchmail.profile @@ -12,11 +12,18 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all +netfilter +no3d +nodvd nogroups +nonewprivs noroot nosound +notv +novideo +protocol unix,inet,inet6 seccomp +shell none # private-bin fetchmail,procmail,bash,chmod private-dev -# private-etc passwd,hosts,resolv.conf diff --git a/etc/freecad.profile b/etc/freecad.profile index c2d4661e8..4fde66839 100644 --- a/etc/freecad.profile +++ b/etc/freecad.profile 
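Review bot: In the cin hunk the new `notv` is inserted above `noroot` (`+notv` followed by the existing `noroot`), whereas every other profile in this commit keeps the option block alphabetical with `noroot` before `notv`. Swap the two so the block reads `noroot`, `notv`, `protocol unix`; sorted blocks are what make a 25-file hardening diff like this one comparable profile by profile.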
@@ -16,16 +16,19 @@ include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace net none +nodvd nogroups +nonewprivs noroot nosound +notv +novideo protocol unix seccomp shell none private-bin freecad,freecadcmd private-dev -#private-etc fonts,passwd,alternatives,X11 private-tmp noexec ${HOME} diff --git a/etc/google-earth.profile b/etc/google-earth.profile index 11d55281a..32da9a5a8 100644 --- a/etc/google-earth.profile +++ b/etc/google-earth.profile @@ -21,14 +21,19 @@ include /etc/firejail/whitelist-common.inc caps.drop all ipc-namespace +netfilter +nodvd nogroups +nonewprivs noroot +notv +novideo +protocol unix,inet,inet6 seccomp shell none private-bin google-earth,sh,grep,sed,ls,dirname private-dev -#private-etc fonts,resolv.conf,X11,alternatives,pulse noexec ${HOME} noexec /tmp diff --git a/etc/imagej.profile b/etc/imagej.profile index 4613e378f..88a56c706 100644 --- a/etc/imagej.profile +++ b/etc/imagej.profile @@ -16,12 +16,20 @@ include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace net none +nodvd nogroups nonewprivs noroot +nosound +notv +novideo +protocol unix seccomp +shell none private-bin imagej,bash,grep,sort,tail,tr,cut,whoami,hostname,uname,mkdir,ls,touch,free,awk,update-java-alternatives,basename,xprop,rm,ln private-dev -# private-etc passwd,alternatives,hosts,fonts,X11 private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/karbon.profile b/etc/karbon.profile index 7d7f25ad0..d94f20012 100644 --- a/etc/karbon.profile +++ b/etc/karbon.profile 
@@ -1,25 +1,5 @@ -# Firejail profile for karbon +# Firejail profile alias for krita # This file is overwritten after every install/update -# Persistent local customizations -include /etc/firejail/karbon.local -# Persistent global definitions -include /etc/firejail/globals.local -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-passwdmgr.inc -include /etc/firejail/disable-programs.inc - -caps.drop all -ipc-namespace -net none -nogroups -noroot -seccomp -shell none - -private-dev - -noexec /home -noexec /tmp +include /etc/firejail/krita.profile diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile index b91bd9c41..56bb729e1 100644 --- a/etc/kdenlive.profile +++ b/etc/kdenlive.profile @@ -13,8 +13,12 @@ include /etc/firejail/disable-programs.inc caps.drop all net none +nodvd nogroups +nonewprivs noroot +notv +protocol unix,inet,inet6 seccomp shell none diff --git a/etc/krita.profile b/etc/krita.profile index d60ef2fa7..2dfd084ef 100644 --- a/etc/krita.profile +++ b/etc/krita.profile @@ -14,12 +14,19 @@ include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace net none +nodvd nogroups +nonewprivs noroot +nosound +notv +novideo +protocol unix seccomp shell none private-dev +private-tmp noexec /home noexec /tmp diff --git a/etc/linphone.profile b/etc/linphone.profile index 8763b348a..41f9245a2 100644 --- a/etc/linphone.profile +++ b/etc/linphone.profile @@ -21,5 +21,21 @@ whitelist ${HOME}/Downloads include /etc/firejail/whitelist-common.inc caps.drop all +netfilter +no3d +nodvd +nogroups +nonewprivs noroot +notv +novideo +protocol unix,inet,inet6 seccomp +shell none + +disable-mnt +private-dev +private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/lmms.profile b/etc/lmms.profile index 14a7209a9..29ed235c6 100644 --- a/etc/lmms.profile +++ b/etc/lmms.profile 
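Review bot: Reducing karbon.profile to `include /etc/firejail/krita.profile` also removes `include /etc/firejail/karbon.local`, so any persistent customization a user placed in karbon.local silently stops applying (krita.profile reads krita.local instead). Either keep `include /etc/firejail/karbon.local` above the redirect, or tell users in the header that overrides now belong in krita.local. The Fixup commit further down adds a `# Redirect` comment to this file but does not address the local include.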
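Review bot: kdenlive gains `protocol unix,inet,inet6` while its existing `net none` (context two lines above the addition) already removes every network interface, so the inet and inet6 entries can never be exercised. cin, freecad, imagej, krita, lmms, shotcut and zart pair `net none` with `protocol unix` in this same commit; use `protocol unix` here too, or drop `net none` if the editor is meant to have network access (in which case `netfilter` is the pairing the networked profiles use).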
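Review bot: linphone gains `novideo` (and `no3d`) in a hunk that otherwise hardens a VoIP client; linphone is commonly used for video calls and `novideo` hides the camera devices, so confirm this is intended before shipping. If it is, a comment such as `# novideo: camera deliberately blocked; remove for video calls` keeps the choice visible to users who wonder why their camera is gone.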
@@ -16,13 +16,19 @@ include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace net none +no3d +nodvd nogroups +nonewprivs noroot +notv +novideo +protocol unix seccomp shell none private-dev -private-etc fonts,pulse +private-tmp -noexec /home +noexec ${HOME} noexec /tmp diff --git a/etc/macrofusion.profile b/etc/macrofusion.profile index e53f175f8..be66cf6ee 100644 --- a/etc/macrofusion.profile +++ b/etc/macrofusion.profile @@ -16,13 +16,20 @@ include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace net none +nodvd nogroups nonewprivs noroot +nosound +notv +novideo +protocol unix seccomp shell none #private-bin python3,macrofusion,env,enfuse,exiftool,align_image_stack private-dev -#private-etc fonts private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/mpd.profile b/etc/mpd.profile index ebcdca443..601861083 100644 --- a/etc/mpd.profile +++ b/etc/mpd.profile @@ -14,8 +14,21 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all +netfilter +no3d +nodvd +nogroups +nonewprivs noroot +notv +novideo +protocol unix,inet,inet6 seccomp +shell none #private-bin mpd,bash private-dev +private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/natron.profile b/etc/natron.profile index 8f266f56c..ac89409f1 100644 --- a/etc/natron.profile +++ b/etc/natron.profile @@ -16,11 +16,18 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc -ipc-namespace +caps.drop all +netfilter +nodvd +nogroups +nonewprivs +noroot +notv +protocol unix,inet,inet6 +seccomp shell none private-bin natron -#private-etc fonts,X11,pulse noexec ${HOME} noexec /tmp diff --git a/etc/ricochet.profile b/etc/ricochet.profile index 423dfb887..6da0e21d5 100644 --- a/etc/ricochet.profile +++ b/etc/ricochet.profile 
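Review bot: natron loses `ipc-namespace` in the same hunk that adds `caps.drop all`, `seccomp`, `noroot` and the rest, and nothing explains the removal; a separate IPC namespace is cheap and the other profiles hardened in this commit keep theirs. If it was dropped because Natron needs SysV shared memory with the X server, record that above the option block, e.g. `# no ipc-namespace: Natron needs shared memory with the X server`; otherwise restore `ipc-namespace`.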
@@ -19,14 +19,22 @@ include /etc/firejail/whitelist-common.inc caps.drop all ipc-namespace +netfilter +no3d +nodvd nogroups +nonewprivs noroot +notv +novideo +protocol unix,inet,inet6 seccomp shell none +disable-mnt private-bin ricochet,tor private-dev #private-etc fonts,tor,X11,alternatives -noexec /home +noexec ${HOME} noexec /tmp diff --git a/etc/shotcut.profile b/etc/shotcut.profile index 1a7ce6bce..e30bc1f46 100644 --- a/etc/shotcut.profile +++ b/etc/shotcut.profile @@ -15,14 +15,17 @@ include /etc/firejail/disable-programs.inc caps.drop all net none +nodvd nogroups +nonewprivs noroot +notv +protocol unix seccomp shell none -private-bin shotcut,melt,qmelt,nice +#private-bin shotcut,melt,qmelt,nice private-dev -#private-etc X11,alternatives,pulse,fonts noexec ${HOME} noexec /tmp diff --git a/etc/teamspeak3.profile b/etc/teamspeak3.profile index 7ca5ae666..f8afff551 100644 --- a/etc/teamspeak3.profile +++ b/etc/teamspeak3.profile @@ -19,7 +19,23 @@ whitelist ${HOME}/.ts3client include /etc/firejail/whitelist-common.inc caps.drop all +ipc-namespace netfilter +no3d +nodvd +nogroups +nonewprivs noroot +notv +novideo protocol unix,inet,inet6 seccomp +shell none + +disable-mnt +private +private-dev +private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/tor-browser-en.profile b/etc/tor-browser-en.profile index 65ea41e18..75a079a2e 100644 --- a/etc/tor-browser-en.profile +++ b/etc/tor-browser-en.profile @@ -17,10 +17,18 @@ whitelist ${HOME}/.tor-browser-en include /etc/firejail/whitelist-common.inc caps.drop all +netfilter +nodvd +nogroups +nonewprivs noroot +notv +novideo +protocol unix,inet,inet6 seccomp shell none +disable-mnt private-bin bash,grep,sed,tail,tor-browser-en,env,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf,file,expr private-tmp diff --git a/etc/tor.profile b/etc/tor.profile index 73577825a..fcb123eef 100644 --- a/etc/tor.profile +++ b/etc/tor.profile 
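Review bot: teamspeak3 adds `private` while the hunk's context still whitelists `${HOME}/.ts3client` and includes whitelist-common.inc; `private` mounts an empty temporary home, so the client starts without its configuration, loses whatever it writes on exit, and the whitelist lines become dead. Drop `private` and keep `disable-mnt`, `private-dev` and `private-tmp`, or, if an amnesic profile is the goal, drop the whitelist lines and say so in a comment. The Misc-fixes commit further down touches this file again, so this may already be handled there.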
@@ -23,16 +23,25 @@ include /etc/firejail/disable-programs.inc caps.keep setuid,setgid,net_bind_service,dac_read_search ipc-namespace +netfilter no3d +nodvd nogroups nonewprivs nosound +notv +novideo +protocol unix,inet,inet6 seccomp shell none writable-var +disable-mnt private private-bin tor,bash private-dev private-etc tor,passwd private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/zart.profile b/etc/zart.profile index 6022e8260..b5897f4a9 100644 --- a/etc/zart.profile +++ b/etc/zart.profile @@ -14,7 +14,13 @@ include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace net none +nodvd +nogroups +nonewprivs noroot +notv +novideo +protocol unix seccomp shell none -- cgit v1.2.3-70-g09d2 From 8751a4c857a245abc2924b8827e28d7d9be2d641 Mon Sep 17 00:00:00 2001 From: Tad Date: Sat, 16 Sep 2017 14:13:02 -0400 Subject: Fixup 12 profiles --- etc/ardour4.profile | 1 + etc/calligraauthor.profile | 1 + etc/calligraconverter.profile | 1 + etc/calligraflow.profile | 1 + etc/calligraplan.profile | 1 + etc/calligraplanwork.profile | 1 + etc/calligrasheets.profile | 1 + etc/calligrastage.profile | 1 + etc/calligrawords.profile | 1 + etc/dooble-qt4.profile | 1 + etc/freecadcmd.profile | 1 + etc/karbon.profile | 1 + 12 files changed, 12 insertions(+) (limited to 'etc') diff --git a/etc/ardour4.profile b/etc/ardour4.profile index 095685364..7d1163174 100644 --- a/etc/ardour4.profile +++ b/etc/ardour4.profile @@ -2,4 +2,5 @@ # This file is overwritten after every install/update +# Redirect include /etc/firejail/ardour5.profile diff --git a/etc/calligraauthor.profile b/etc/calligraauthor.profile index 162823019..629ab46c1 100644 --- a/etc/calligraauthor.profile +++ b/etc/calligraauthor.profile @@ -2,4 +2,5 @@ # This file is overwritten after every install/update +# Redirect include /etc/firejail/calligra.profile diff --git a/etc/calligraconverter.profile b/etc/calligraconverter.profile index 162823019..629ab46c1 100644 --- a/etc/calligraconverter.profile 
+++ b/etc/calligraconverter.profile @@ -2,4 +2,5 @@ # This file is overwritten after every install/update +# Redirect include /etc/firejail/calligra.profile diff --git a/etc/calligraflow.profile b/etc/calligraflow.profile index 162823019..629ab46c1 100644 --- a/etc/calligraflow.profile +++ b/etc/calligraflow.profile @@ -2,4 +2,5 @@ # This file is overwritten after every install/update +# Redirect include /etc/firejail/calligra.profile diff --git a/etc/calligraplan.profile b/etc/calligraplan.profile index 162823019..629ab46c1 100644 --- a/etc/calligraplan.profile +++ b/etc/calligraplan.profile @@ -2,4 +2,5 @@ # This file is overwritten after every install/update +# Redirect include /etc/firejail/calligra.profile diff --git a/etc/calligraplanwork.profile b/etc/calligraplanwork.profile index 162823019..629ab46c1 100644 --- a/etc/calligraplanwork.profile +++ b/etc/calligraplanwork.profile @@ -2,4 +2,5 @@ # This file is overwritten after every install/update +# Redirect include /etc/firejail/calligra.profile diff --git a/etc/calligrasheets.profile b/etc/calligrasheets.profile index 162823019..629ab46c1 100644 --- a/etc/calligrasheets.profile +++ b/etc/calligrasheets.profile @@ -2,4 +2,5 @@ # This file is overwritten after every install/update +# Redirect include /etc/firejail/calligra.profile diff --git a/etc/calligrastage.profile b/etc/calligrastage.profile index 162823019..629ab46c1 100644 --- a/etc/calligrastage.profile +++ b/etc/calligrastage.profile @@ -2,4 +2,5 @@ # This file is overwritten after every install/update +# Redirect include /etc/firejail/calligra.profile diff --git a/etc/calligrawords.profile b/etc/calligrawords.profile index 162823019..629ab46c1 100644 --- a/etc/calligrawords.profile +++ b/etc/calligrawords.profile @@ -2,4 +2,5 @@ # This file is overwritten after every install/update +# Redirect include /etc/firejail/calligra.profile diff --git a/etc/dooble-qt4.profile b/etc/dooble-qt4.profile index 67df7ce36..4e1227a0f 100644 
--- a/etc/dooble-qt4.profile +++ b/etc/dooble-qt4.profile @@ -2,4 +2,5 @@ # This file is overwritten after every install/update +# Redirect include /etc/firejail/dooble.profile diff --git a/etc/freecadcmd.profile b/etc/freecadcmd.profile index 82ce8fcaa..f8bbff593 100644 --- a/etc/freecadcmd.profile +++ b/etc/freecadcmd.profile @@ -2,4 +2,5 @@ # This file is overwritten after every install/update +# Redirect include /etc/firejail/freecad.profile diff --git a/etc/karbon.profile b/etc/karbon.profile index d94f20012..3525a3e06 100644 --- a/etc/karbon.profile +++ b/etc/karbon.profile @@ -2,4 +2,5 @@ # This file is overwritten after every install/update +# Redirect include /etc/firejail/krita.profile -- cgit v1.2.3-70-g09d2 From 28faab8af4d2ea0699fbb09b0345f2c68d5ad382 Mon Sep 17 00:00:00 2001 From: Chiraag Nataraj Date: Sat, 16 Sep 2017 14:24:54 -0400 Subject: Harden 10 profiles --- etc/akregator.profile | 7 +++++++ etc/darktable.profile | 1 + etc/dia.profile | 1 + etc/hugin.profile | 1 + etc/inkscape.profile | 1 + etc/luminance-hdr.profile | 1 + etc/pidgin.profile | 3 +++ etc/scribus.profile | 1 + etc/skype.profile | 1 + etc/synfigstudio.profile | 1 + 10 files changed, 18 insertions(+) (limited to 'etc') diff --git a/etc/akregator.profile b/etc/akregator.profile index 12bb06fb5..55434e45b 100644 --- a/etc/akregator.profile +++ b/etc/akregator.profile @@ -13,6 +13,12 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +mkfile ${HOME}/.config/akregatorrc +mkdir ${HOME}/.local/share/akregator +whitelist ${HOME}/.config/akregatorrc +whitelist ${HOME}/.local/share/akregator +include /etc/firejail/whitelist-common.inc + caps.drop all netfilter no3d @@ -27,6 +33,7 @@ seccomp shell none disable-mnt +private-bin akregator,akregatorstorageexporter,dbus-launch,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper private-dev private-tmp 
diff --git a/etc/darktable.profile b/etc/darktable.profile index e04163486..c2dc0b42c 100644 --- a/etc/darktable.profile +++ b/etc/darktable.profile @@ -26,6 +26,7 @@ protocol unix,inet,inet6 seccomp shell none +#private-bin darktable private-dev private-tmp diff --git a/etc/dia.profile b/etc/dia.profile index a625ab36d..abe83ac8c 100644 --- a/etc/dia.profile +++ b/etc/dia.profile @@ -27,6 +27,7 @@ seccomp shell none disable-mnt +#private-bin dia private-dev private-tmp diff --git a/etc/hugin.profile b/etc/hugin.profile index d3cd181b1..ff88e0d5c 100644 --- a/etc/hugin.profile +++ b/etc/hugin.profile @@ -25,6 +25,7 @@ protocol unix seccomp shell none +private-bin PTBatcherGUI,calibrate_lens_gui,hugin,hugin_stitch_project,align_image_stack,autooptimiser,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,fulla,geocpset,hugin_executor,hugin_hdrmerge,hugin_lensdb,icpfind,linefind,nona,pano_modify,pano_trafo,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,tca_correct,verdandi,vig_optimize,enblend private-dev private-tmp diff --git a/etc/inkscape.profile b/etc/inkscape.profile index 3266d8230..c062ab8ef 100644 --- a/etc/inkscape.profile +++ b/etc/inkscape.profile @@ -27,6 +27,7 @@ protocol unix seccomp shell none +#private-bin inkscape private-dev private-tmp diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile index bd32e0c70..ec2a65290 100644 --- a/etc/luminance-hdr.profile +++ b/etc/luminance-hdr.profile @@ -26,6 +26,7 @@ seccomp shell none tracelog +#private-bin luminance-hdr,luminance-hdr-cli,align_image_stack private-dev private-tmp diff --git a/etc/pidgin.profile b/etc/pidgin.profile index dd610920a..d195cf586 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile @@ -27,3 +27,6 @@ tracelog private-bin pidgin private-dev private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/scribus.profile b/etc/scribus.profile index e4c88be49..dd06fa59f 100644 --- a/etc/scribus.profile +++ b/etc/scribus.profile 
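Review bot: `#private-bin darktable` is added as a commented-out directive with no note on why it is disabled, so it reads as dead configuration and the next maintainer cannot tell whether it is untested, known to break the program, or intentionally off. One line above it, `# TODO: test private-bin darktable` if it is simply untested, or `# private-bin disabled: <what breaks>` if it is known to fail, turns it into something actionable. The dia, inkscape, luminance-hdr, scribus, skype and synfigstudio hunks add the same kind of line and need the same note.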
@@ -38,5 +38,6 @@ protocol unix seccomp tracelog +#private-bin scribus,gs private-dev # private-tmp diff --git a/etc/skype.profile b/etc/skype.profile index f3e504a3f..b12f9879e 100644 --- a/etc/skype.profile +++ b/etc/skype.profile @@ -24,6 +24,7 @@ seccomp shell none disable-mnt +#private-bin skype,bash private-dev private-tmp diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile index 08ece1e9b..b0014ace6 100644 --- a/etc/synfigstudio.profile +++ b/etc/synfigstudio.profile @@ -26,6 +26,7 @@ protocol unix seccomp shell none +#private-bin synfigstudio private-dev private-tmp -- cgit v1.2.3-70-g09d2 From 48b1758ba2f4d9839fed307b9121c0f39b2514eb Mon Sep 17 00:00:00 2001 From: juan Date: Sat, 16 Sep 2017 14:28:30 -0400 Subject: Add an alias for Natron --- etc/Natron.profile | 6 ++++++ etc/natron.profile | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 etc/Natron.profile (limited to 'etc') diff --git a/etc/Natron.profile b/etc/Natron.profile new file mode 100644 index 000000000..b21790fe4 --- /dev/null +++ b/etc/Natron.profile @@ -0,0 +1,6 @@ +# Firejail profile alias for natron +# This file is overwritten after every install/update + + +# Redirect +include /etc/firejail/natron.profile diff --git a/etc/natron.profile b/etc/natron.profile index ac89409f1..49eaf2f0d 100644 --- a/etc/natron.profile +++ b/etc/natron.profile @@ -27,7 +27,7 @@ protocol unix,inet,inet6 seccomp shell none -private-bin natron +private-bin natron,Natron,NatronRenderer noexec ${HOME} noexec /tmp -- cgit v1.2.3-70-g09d2 From e800e4e8c65994b8ba13aa2dd86af3139281ebd2 Mon Sep 17 00:00:00 2001 From: Tad Date: Sat, 16 Sep 2017 14:37:17 -0400 Subject: Update disable-programs.inc --- etc/disable-programs.inc | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'etc') diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 3007a51b3..e22fb6fa3 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc 
@@ -17,8 +17,10 @@ blacklist ${HOME}/.Steam blacklist ${HOME}/.Steampath blacklist ${HOME}/.Steampid blacklist ${HOME}/.TelegramDesktop +blacklist ${HOME}/.ViberPC blacklist ${HOME}/.VirtualBox blacklist ${HOME}/.Wolfram Research +blacklist ${HOME}/.aMule blacklist ${HOME}/.android blacklist ${HOME}/.arduino15 blacklist ${HOME}/.atom @@ -35,6 +37,7 @@ blacklist ${HOME}/.config/Brackets blacklist ${HOME}/.config/Clementine blacklist ${HOME}/.config/Cryptocat blacklist ${HOME}/.config/Franz +blacklist ${HOME}/.config/FreeCAD blacklist ${HOME}/.config/Gitter blacklist ${HOME}/.config/Google blacklist ${HOME}/.config/Gpredict @@ -124,6 +127,7 @@ blacklist ${HOME}/.config/lximage-qt blacklist ${HOME}/.config/mate-calc blacklist ${HOME}/.config/mate/eom blacklist ${HOME}/.config/mate/mate-dictionary +blacklist ${HOME}/.config/mfusion blacklist ${HOME}/.config/midori blacklist ${HOME}/.config/mpv blacklist ${HOME}/.config/mupen64plus @@ -188,6 +192,7 @@ blacklist ${HOME}/.conkeror.mozdev.org blacklist ${HOME}/.curlrc blacklist ${HOME}/.dia blacklist ${HOME}/.dillo +blacklist ${HOME}/.dooble blacklist ${HOME}/.dosbox blacklist ${HOME}/.dropbox-dist blacklist ${HOME}/.electrum* @@ -203,15 +208,13 @@ blacklist ${HOME}/.frozen-bubble blacklist ${HOME}/.gimp* blacklist ${HOME}/.git-credential-cache blacklist ${HOME}/.gitconfig -blacklist ${HOME}/.googleearth/Cache/ -blacklist ${HOME}/.googleearth/Temp/ -blacklist ${HOME}/.googleearth/myplaces.backup.kml -blacklist ${HOME}/.googleearth/myplaces.kml +blacklist ${HOME}/.googleearth blacklist ${HOME}/.gradle blacklist ${HOME}/.guayadeque blacklist ${HOME}/.hedgewars blacklist ${HOME}/.hugin blacklist ${HOME}/.icedove +blacklist ${HOME}/.imagej blacklist ${HOME}/.inkscape blacklist ${HOME}/.java blacklist ${HOME}/.jitsi 
@@ -410,6 +413,7 @@ blacklist ${HOME}/.cache/google-chrome blacklist ${HOME}/.cache/google-chrome-beta blacklist ${HOME}/.cache/google-chrome-unstable blacklist ${HOME}/.cache/icedove +blacklist ${HOME}/.cache/INRIA/Natron blacklist ${HOME}/.cache/inox blacklist ${HOME}/.cache/libgweather blacklist ${HOME}/.cache/midori -- cgit v1.2.3-70-g09d2 From 78bb84ddf277dab653a08f97303894e35433402f Mon Sep 17 00:00:00 2001 From: Tad Date: Sat, 16 Sep 2017 15:35:55 -0400 Subject: Misc fixes Thanks to @Fred-Barclay, @smitsohu and @reinerh for a bunch of these --- etc/Viber.profile | 3 ++- etc/amule.profile | 1 + etc/ardour5.profile | 3 ++- etc/cin.profile | 2 +- etc/disable-programs.inc | 5 ++++- etc/dooble.profile | 6 +++--- etc/fetchmail.profile | 2 +- etc/google-earth.profile | 17 +++++++++++++---- etc/kdenlive.profile | 3 +++ etc/krita.profile | 2 +- etc/mpd.profile | 1 - etc/natron.profile | 6 +++--- etc/teamspeak3.profile | 2 -- etc/tor-browser-en.profile | 35 +++-------------------------------- etc/torbrowser-launcher.profile | 11 +++++++---- etc/x-terminal-emulator.profile | 1 + etc/zart.profile | 1 - 17 files changed, 45 insertions(+), 56 deletions(-) (limited to 'etc') diff --git a/etc/Viber.profile b/etc/Viber.profile index 468199dd8..03e5f1086 100644 --- a/etc/Viber.profile +++ b/etc/Viber.profile @@ -25,11 +25,12 @@ nogroups nonewprivs noroot notv +protocol unix,inet,inet6 seccomp shell none disable-mnt -private-bin sh,dig,awk +private-bin sh,bash,dash,dig,awk,Viber private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf private-tmp diff --git a/etc/amule.profile b/etc/amule.profile index c59377850..98ec52015 100644 --- a/etc/amule.profile +++ b/etc/amule.profile @@ -28,6 +28,7 @@ noroot nosound notv novideo +protocol unix,inet,inet6 seccomp shell none diff --git a/etc/ardour5.profile b/etc/ardour5.profile index 738b5990a..69b3dde46 100644 --- a/etc/ardour5.profile +++ b/etc/ardour5.profile 
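Review bot: The new `blacklist ${HOME}/.cache/INRIA/Natron` entry has no trailing slash while natron.profile (earlier on this page) lifts it with `noblacklist ${HOME}/.cache/INRIA/Natron/`; whether firejail treats the two spellings as the same path should be confirmed, since a mismatch would leave Natron's cache blacklisted inside its own sandbox. Writing both sides identically (`blacklist ${HOME}/.cache/INRIA/Natron` and `noblacklist ${HOME}/.cache/INRIA/Natron`) removes the doubt. The entry is also placed between `.cache/icedove` and `.cache/inox`, whereas the top of this file sorts uppercase names ahead of lowercase ones.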
@@ -24,10 +24,11 @@ nogroups nonewprivs noroot notv +protocol unix seccomp shell none -#private-bin sh,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm +#private-bin sh,ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm private-dev #private-etc pulse,X11,alternatives,ardour4,ardour5,fonts private-tmp diff --git a/etc/cin.profile b/etc/cin.profile index 93a94c910..eeeda476f 100644 --- a/etc/cin.profile +++ b/etc/cin.profile @@ -24,7 +24,7 @@ protocol unix seccomp shell none -private-bin cin +#private-bin cin private-dev noexec ${HOME} diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index e22fb6fa3..88b7e7d32 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -208,7 +208,10 @@ blacklist ${HOME}/.frozen-bubble blacklist ${HOME}/.gimp* blacklist ${HOME}/.git-credential-cache blacklist ${HOME}/.gitconfig -blacklist ${HOME}/.googleearth +blacklist ${HOME}/.googleearth/Cache/ +blacklist ${HOME}/.googleearth/Temp/ +blacklist ${HOME}/.googleearth/myplaces.backup.kml +blacklist ${HOME}/.googleearth/myplaces.kml blacklist ${HOME}/.gradle blacklist ${HOME}/.guayadeque blacklist ${HOME}/.hedgewars diff --git a/etc/dooble.profile b/etc/dooble.profile index aabfcd8bb..2a57b0ef3 100644 --- a/etc/dooble.profile +++ b/etc/dooble.profile @@ -1,4 +1,4 @@ -# Firejail profile for dooble-qt4 +# Firejail profile for dooble # This file is overwritten after every install/update # Persistent local customizations include /etc/firejail/dooble-qt4.local @@ -6,7 +6,7 @@ include /etc/firejail/dooble-qt4.local include /etc/firejail/globals.local -noblacklist ~/.dooble +noblacklist ${HOME}/.dooble include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc @@ -15,7 +15,7 @@ include /etc/firejail/disable-programs.inc mkdir ${HOME}/.dooble whitelist ${DOWNLOADS} -whitelist ~/.dooble +whitelist ${HOME}/.dooble include /etc/firejail/whitelist-common.inc caps.drop all 
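Review bot: `protocol unix` is added to ardour5 without a note on what it cuts off: Ardour's OSC remote control runs over UDP if I remember correctly, so users of that feature will need `protocol unix,inet,inet6` in ardour5.local. Unless the profile already sets `net none` above this hunk (not visible here), a comment such as `# protocol unix blocks OSC remote control; override in ardour5.local if needed` would save a support thread. The commented-out `#private-bin …` line is being maintained (ardour4 added) while disabled; either enable it or state on the line above why it stays off.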
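Review bot: In the cin hunk `private-bin cin` is turned into a comment with no reason given, which silently widens the sandbox to every binary on the system, and the commit message ("Misc fixes") does not explain it. The repository's own convention for a disabled private-bin is a comment naming the cause (the smtube profile removed later in this series had `#no private-bin because users can add their own players`), so I would add `# private-bin disabled: <what breaks with it enabled>` above the commented line. If cin merely spawns a few helper binaries, listing them in `private-bin` is preferable to dropping the restriction altogether.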
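Review bot: Narrowing `blacklist ${HOME}/.googleearth` back to four sub-paths in the disable-programs.inc hunk leaves anything else Google Earth keeps under `~/.googleearth` (I have not checked what else it writes there) readable and writable from every other sandbox that includes this file. The four entries mirror the whitelist in google-earth.profile from the same commit, so at minimum add `# keep in sync with google-earth.profile` above them. If the narrowing exists only because the per-file whitelist needs matching noblacklist entries, say so there too, otherwise the next reader will "fix" it back to the directory blacklist exactly as the previous commit did.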
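Review bot: The header rename to `# Firejail profile for dooble` at line 1 of the dooble hunk is not carried to the customization include two lines below, which still reads `include /etc/firejail/dooble-qt4.local`; every other profile in this series includes `<profile name>.local` (conky.local, smtube.local, torbrowser-launcher.local). Either change it to `include /etc/firejail/dooble.local`, or, if existing dooble-qt4 users' customizations must keep working, add `# dooble-qt4.local kept for compatibility; this profile serves both dooble and dooble-qt4` so the mismatch reads as deliberate. The `~` → `${HOME}` changes are fine.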
diff --git a/etc/fetchmail.profile b/etc/fetchmail.profile index 9ee59f453..3fd7f3d75 100644 --- a/etc/fetchmail.profile +++ b/etc/fetchmail.profile @@ -25,5 +25,5 @@ protocol unix,inet,inet6 seccomp shell none -# private-bin fetchmail,procmail,bash,chmod +#private-bin fetchmail,procmail,bash,chmod private-dev diff --git a/etc/google-earth.profile b/etc/google-earth.profile index 32da9a5a8..b60f5b3a5 100644 --- a/etc/google-earth.profile +++ b/etc/google-earth.profile @@ -6,7 +6,10 @@ include /etc/firejail/google-earth.local include /etc/firejail/globals.local noblacklist ${HOME}/.config/Google -noblacklist ${HOME}/.googleearth +noblacklist ${HOME}/.googleearth/Cache/ +noblacklist ${HOME}/.googleearth/Temp/ +noblacklist ${HOME}/.googleearth/myplaces.backup.kml +noblacklist ${HOME}/.googleearth/myplaces.kml include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc @@ -14,9 +17,15 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc mkdir ${HOME}/.config/Google -mkdir ${HOME}/.googleearth +mkdir ${HOME}/.googleearth/Cache/ +mkdir ${HOME}/.googleearth/Temp/ +mkfile ${HOME}/.googleearth/myplaces.backup.kml +mkfile ${HOME}/.googleearth/myplaces.kml whitelist ${HOME}/.config/Google -whitelist ${HOME}/.googleearth +whitelist ${HOME}/.googleearth/Cache/ +whitelist ${HOME}/.googleearth/Temp/ +whitelist ${HOME}/.googleearth/myplaces.backup.kml +whitelist ${HOME}/.googleearth/myplaces.kml include /etc/firejail/whitelist-common.inc caps.drop all @@ -32,7 +41,7 @@ protocol unix,inet,inet6 seccomp shell none -private-bin google-earth,sh,grep,sed,ls,dirname +private-bin google-earth,sh,bash,dash,grep,sed,ls,dirname private-dev noexec ${HOME} diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile index 56bb729e1..a1a5f957c 100644 --- a/etc/kdenlive.profile +++ b/etc/kdenlive.profile 
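Review bot: The new `noblacklist`/`mkdir`/`whitelist` lines in google-earth.profile keep trailing slashes on `${HOME}/.googleearth/Cache/` and `Temp/` while the natron.profile hunk in this same commit removes trailing slashes from its noblacklist paths; pick one form so the profiles stay greppable and consistent. Separately, nothing creates `${HOME}/.googleearth` itself before `mkdir ${HOME}/.googleearth/Cache/` and the two `mkfile` lines; if firejail's `mkdir` does not create parent directories, the first run on a fresh home fails, so either add `mkdir ${HOME}/.googleearth` ahead of them or confirm recursive creation and note it. The enlarged `private-bin google-earth,sh,bash,dash,…` would also benefit from a comment naming which shell the launcher script actually needs.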
@@ -25,3 +25,6 @@ shell none private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper private-dev #private-etc fonts,alternatives,X11,pulse,passwd + +noexec ${HOME} +noexec /tmp diff --git a/etc/krita.profile b/etc/krita.profile index 2dfd084ef..e91f5b242 100644 --- a/etc/krita.profile +++ b/etc/krita.profile @@ -28,5 +28,5 @@ shell none private-dev private-tmp -noexec /home +noexec ${HOME} noexec /tmp diff --git a/etc/mpd.profile b/etc/mpd.profile index 601861083..7bfa47d77 100644 --- a/etc/mpd.profile +++ b/etc/mpd.profile @@ -17,7 +17,6 @@ caps.drop all netfilter no3d nodvd -nogroups nonewprivs noroot notv diff --git a/etc/natron.profile b/etc/natron.profile index 49eaf2f0d..d77539d83 100644 --- a/etc/natron.profile +++ b/etc/natron.profile @@ -7,9 +7,9 @@ include /etc/firejail/globals.local noblacklist ${HOME}/.Natron -noblacklist ${HOME}/.cache/INRIA/Natron/ -noblacklist ${HOME}/.config/INRIA/ -noblacklist /opt/natron/ +noblacklist ${HOME}/.cache/INRIA/Natron +noblacklist ${HOME}/.config/INRIA +noblacklist /opt/natron include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc diff --git a/etc/teamspeak3.profile b/etc/teamspeak3.profile index f8afff551..86f96ba50 100644 --- a/etc/teamspeak3.profile +++ b/etc/teamspeak3.profile @@ -5,7 +5,6 @@ include /etc/firejail/teamspeak3.local # Persistent global definitions include /etc/firejail/globals.local -noblacklist ${DOWNLOADS} noblacklist ${HOME}/.ts3client include /etc/firejail/disable-common.inc @@ -33,7 +32,6 @@ seccomp shell none disable-mnt -private private-dev private-tmp diff --git a/etc/tor-browser-en.profile b/etc/tor-browser-en.profile index 75a079a2e..bf3a80139 100644 --- a/etc/tor-browser-en.profile +++ b/etc/tor-browser-en.profile 
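Review bot: Removing `nogroups` from mpd re-admits the user's supplementary groups into the sandbox, but the hunk carries no explanation and the commit message is "Misc fixes". A one-line comment where the option used to be, e.g. `# nogroups omitted: mpd appears to need the audio group for direct ALSA device access — confirm`, would stop someone re-adding it in the next "add nogroups" sweep, which this very series performs for audacious, musescore and tuxguitar. If the real cause is something else, record that instead.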
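Review bot: Dropping `private` from teamspeak3 replaces the throwaway empty home with the user's real `$HOME`, so the sandbox now relies entirely on the `disable-*.inc` blacklists and whatever `whitelist` lines the profile has outside this hunk (none are visible here) to keep personal data away from a closed-source client. Please confirm the profile whitelists `${HOME}/.ts3client` (and `${DOWNLOADS}` if file transfers are meant to keep working — the `noblacklist ${DOWNLOADS}` removed here suggests they were), or state in a comment why a full home view is acceptable. If `private` was removed only because the client could not persist its identity, `private <dedicated directory>` may be a tighter alternative worth a look.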
@@ -1,35 +1,6 @@ -# Firejail profile for tor-browser-en +# Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update -# Persistent local customizations -include /etc/firejail/tor-browser-en.local -# Persistent global definitions -include /etc/firejail/globals.local -noblacklist ${HOME}/.tor-browser-en - -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-passwdmgr.inc -include /etc/firejail/disable-programs.inc - -whitelist ${HOME}/.tor-browser-en -include /etc/firejail/whitelist-common.inc - -caps.drop all -netfilter -nodvd -nogroups -nonewprivs -noroot -notv -novideo -protocol unix,inet,inet6 -seccomp -shell none - -disable-mnt -private-bin bash,grep,sed,tail,tor-browser-en,env,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf,file,expr -private-tmp - -noexec /tmp +# Redirect +include /etc/firejail/torbrowser-launcher.profile diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile index 763c2d051..3b6b65bec 100644 --- a/etc/torbrowser-launcher.profile +++ b/etc/torbrowser-launcher.profile @@ -5,17 +5,20 @@ include /etc/firejail/torbrowser-launcher.local # Persistent global definitions include /etc/firejail/globals.local - +noblacklist ~/.tor-browser-en noblacklist ~/.config/torbrowser -whitelist ~/.config/torbrowser noblacklist ~/.local/share/torbrowser -whitelist ~/.local/share/torbrowser include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +whitelist ~/.tor-browser-en +whitelist ~/.config/torbrowser +whitelist ~/.local/share/torbrowser +include /etc/firejail/whitelist-common.inc + caps.drop all netfilter nodvd 
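Review bot: Folding tor-browser-en into torbrowser-launcher.profile gives both programs the union of their former whitelists: the launcher, which fetches and verifies tarballs from the network, now also sees `~/.tor-browser-en`, and the browser bundle sees `~/.config/torbrowser` and `~/.local/share/torbrowser`. That is a wider view than either had before, and neither the alias file nor this hunk says why the two were merged. A comment at the top of the whitelist block, e.g. `# shared by torbrowser-launcher and the tor-browser-en bundle; each sees the other's data`, or keeping a separate tor-browser-en profile with only its own whitelist, would make the trade-off explicit. The newly added `include /etc/firejail/whitelist-common.inc` also changes what the launcher can reach (the common theme/config paths), which is worth a word in the same comment.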
@@ -29,7 +32,7 @@ seccomp shell none tracelog -private-bin torbrowser-launcher,python2.7,python,bash,dash,sh,grep,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf +private-bin bash,cp,dash,dirname,env,expr,file,getconf,gpg,grep,id,ln,mkdir,python,python2.7,readlink,rm,sed,sh,tail,test,tor-browser-en,torbrowser-launcher private-dev private-etc fonts private-tmp diff --git a/etc/x-terminal-emulator.profile b/etc/x-terminal-emulator.profile index aca0d7144..1395b81c9 100644 --- a/etc/x-terminal-emulator.profile +++ b/etc/x-terminal-emulator.profile @@ -12,6 +12,7 @@ net none netfilter nogroups noroot +protocol unix seccomp private-dev diff --git a/etc/zart.profile b/etc/zart.profile index b5897f4a9..6e136d0c9 100644 --- a/etc/zart.profile +++ b/etc/zart.profile @@ -19,7 +19,6 @@ nogroups nonewprivs noroot notv -novideo protocol unix seccomp shell none -- cgit v1.2.3-70-g09d2 From e6a595b16e7f66e1fce647e113a77d1022c1bf0a Mon Sep 17 00:00:00 2001 From: smitsohu Date: Tue, 19 Sep 2017 13:44:26 +0200 Subject: update KDE whitelist --- etc/whitelist-common.inc | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'etc') diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc index ef95a7e5e..310149ecd 100644 --- a/etc/whitelist-common.inc +++ b/etc/whitelist-common.inc @@ -35,10 +35,14 @@ whitelist ~/.gtkrc-2.0 whitelist ~/.gtk-2.0 whitelist ~/.config/gtk-2.0 whitelist ~/.config/gtk-3.0 +whitelist ~/.config/gtkrc +whitelist ~/.config/gtkrc-2.0 whitelist ~/.themes whitelist ~/.local/share/themes whitelist ~/.kde/share/config/gtkrc whitelist ~/.kde/share/config/gtkrc-2.0 +whitelist ~/.kde4/share/config/gtkrc +whitelist ~/.kde4/share/config/gtkrc-2.0 whitelist ~/.gnome2 whitelist ~/.gnome2-private 
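Review bot: The merged `private-bin` in the torbrowser-launcher hunk now carries entries from two different programs with nothing saying which is which: `python`, `python2.7` and `gpg` come from the old launcher list, while `expr`, `file` and `tor-browser-en` come from the deleted tor-browser-en profile, so the bundle sandbox gets a Python interpreter and gpg it never needed and the launcher gets the browser's start-script tools. A comment above the line, e.g. `# python*,gpg: torbrowser-launcher; tor-browser-en,expr,file: bundle start script`, keeps the list prunable later. With `bash`, `dash`, `sh` and `env` all present the list is a convenience rather than a barrier, which is worth stating in the same comment.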
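Review bot: In the x-terminal-emulator hunk the visible option block runs `nogroups`, `noroot`, with `nonewprivs` — which every other profile in this series lists between those two — absent; unless it sits elsewhere in the file outside the hunk, add `nonewprivs` next to the new `protocol unix` line. Firejail sets no_new_privs implicitly when `seccomp` is enabled, I believe, but spelling it out keeps the profile readable and keeps the guarantee if seccomp is later disabled in a `.local`. `protocol unix` itself is consistent with the existing `net none`.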
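Review bot: The new `whitelist ~/.config/gtkrc`, `~/.config/gtkrc-2.0` and `~/.kde4/share/config/gtkrc*` entries, like the existing gtkrc ones, mount those files read-write into every whitelisted sandbox; if I read the GTK2 rc format right, such a file can name `gtk-modules` to load into every GTK process, so a compromised sandboxed app that can write its gtkrc gains a persistence hook in the user's other programs. Firejail's `read-only` directive covers exactly this case, so consider pairing the theme-file whitelists with `read-only ~/.config/gtkrc-2.0` and friends, or adding a comment explaining why they must remain writable. The added paths themselves look correct for KDE4 installs.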
@@ -51,3 +55,6 @@ whitelist ~/.config/kdeglobals whitelist ~/.kde/share/config/oxygenrc whitelist ~/.kde/share/config/kdeglobals whitelist ~/.kde/share/icons +whitelist ~/.kde4/share/config/oxygenrc +whitelist ~/.kde4/share/config/kdeglobals +whitelist ~/.kde4/share/icons -- cgit v1.2.3-70-g09d2 From cbbc90381b41156c16bcb30934a10c843c8298c0 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 19 Sep 2017 09:47:26 -0400 Subject: add private-bin support to profile builder --- README.md | 9 ++-- etc/whitelist-var-common.inc | 1 + smtube.profile | 37 ------------- src/fbuilder/build_bin.c | 121 +++++++++++++++++++++++++++++++++++++++++++ src/fbuilder/build_profile.c | 4 +- src/fbuilder/fbuilder.h | 3 ++ src/libtrace/libtrace.c | 12 +++++ 7 files changed, 144 insertions(+), 43 deletions(-) delete mode 100644 smtube.profile create mode 100644 src/fbuilder/build_bin.c (limited to 'etc') diff --git a/README.md b/README.md index 91bba52d2..c694bc8db 100644 --- a/README.md +++ b/README.md @@ -114,12 +114,12 @@ in order to allow strace to run. Chromium and Chromium-based browsers will not w Example: ````` -$ firejail --build vlc ~/Videos/test.mp4 +$ firejail --build /usr/bin/vlc ~/Videos/test.mp4 [...] ############################################ -# vlc profile +# /usr/bin/vlc profile ############################################ # Persistent global definitions # include /etc/firejail/globals.local 
@@ -141,13 +141,14 @@ private-tmp private-dev private-etc vdpau_wrapper.cfg,udev,drirc,fonts,xdg,gtk-3.0,machine-id,selinux, whitelist /var/lib/menu-xdg +# private-bin vlc, ### security filters caps.drop all nonewprivs seccomp -# seccomp.keep futex,poll,rt_sigtimedwait,ioctl,fdatasync,stat,writev,read,recvmsg,mprotect,write,sendto,clock_nanosleep,open,dup3,mmap,rt_sigprocmask,close,fstat,lstat,lseek,munmap,brk,rt_sigaction,rt_sigreturn,access,madvise,shmget,shmat,shmctl,alarm,getpid,socket,connect,recvfrom,sendmsg,shutdown,getsockname,getpeername,setsockopt,getsockopt,clone,execve,uname,shmdt,fcntl,flock,ftruncate,getdents,rename,mkdir,unlink,readlink,chmod,getrlimit,sysinfo,getuid,getgid,setuid,setgid,geteuid,getegid,getppid,getpgrp,setresuid,getresuid,setresgid,getresgid,statfs,fstatfs,prctl,arch_prctl,sched_getaffinity,set_tid_address,fadvise64,clock_getres,tgkill,set_robust_list,eventfd2,pipe2,getrandom,memfd_create -# 82 syscalls total +# seccomp.keep futex,poll,rt_sigtimedwait,ioctl,fdatasync,read,writev,sendmsg,sendto,write,recvmsg,mmap,mprotect,getpid,stat,clock_nanosleep,munmap,close,access,lseek,fcntl,open,fstat,lstat,brk,rt_sigaction,rt_sigprocmask,rt_sigreturn,madvise,shmget,shmat,shmctl,alarm,socket,connect,recvfrom,shutdown,getsockname,getpeername,setsockopt,getsockopt,clone,execve,uname,shmdt,flock,ftruncate,getdents,rename,mkdir,unlink,readlink,chmod,getrlimit,sysinfo,getuid,getgid,geteuid,getegid,getresuid,getresgid,statfs,fstatfs,prctl,arch_prctl,sched_getaffinity,set_tid_address,fadvise64,clock_getres,tgkill,set_robust_list,eventfd2,dup3,pipe2,getrandom,memfd_create +# 76 syscalls total # Probably you will need to add more syscalls to seccomp.keep. Look for # seccomp errors in /var/log/syslog or /var/log/audit/audit.log while # running your sandbox. diff --git a/etc/whitelist-var-common.inc b/etc/whitelist-var-common.inc index bd3473acc..024995f20 100644 --- a/etc/whitelist-var-common.inc +++ b/etc/whitelist-var-common.inc 
@@ -8,3 +8,4 @@ whitelist /var/lib/menu-xdg whitelist /var/cache/fontconfig whitelist /var/tmp whitelist /var/run +whitelist /var/lock diff --git a/smtube.profile b/smtube.profile deleted file mode 100644 index 2694dd5b0..000000000 --- a/smtube.profile +++ /dev/null @@ -1,37 +0,0 @@ -# Firejail profile for smtube -# This file is overwritten after every install/update -# Persistent local customizations -include /etc/firejail/smtube.local -# Persistent global definitions -include /etc/firejail/globals.local - -noblacklist ${HOME}/.config/smplayer -noblacklist ${HOME}/.config/smtube -noblacklist ${HOME}/.config/mpv -noblacklist ${HOME}/.mplayer -noblacklist ${HOME}/.config/vlc -noblacklist ${HOME}/.local/share/vlc - -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-passwdmgr.inc -include /etc/firejail/disable-programs.inc - -caps.drop all -netfilter -nodvd -notv -novideo -nogroups -nonewprivs -noroot -protocol unix,inet,inet6,netlink -seccomp -shell none - -#no private-bin because users can add their own players to smtube and that would prevent that -private-dev -private-tmp - -noexec ${HOME} -noexec /tmp diff --git a/src/fbuilder/build_bin.c b/src/fbuilder/build_bin.c new file mode 100644 index 000000000..7d0e2cb7c --- /dev/null +++ b/src/fbuilder/build_bin.c 
@@ -0,0 +1,121 @@ +/* + * Copyright (C) 2014-2017 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "fbuilder.h" + +static FileDB *bin_out = NULL; + +static void process_bin(const char *fname) { + assert(fname); + + // process trace file + FILE *fp = fopen(fname, "r"); + if (!fp) { + fprintf(stderr, "Error: cannot open %s\n", fname); + exit(1); + } + + char buf[MAX_BUF]; + while (fgets(buf, MAX_BUF, fp)) { + // remove \n + char *ptr = strchr(buf, '\n'); + if (ptr) + *ptr = '\0'; + + // parse line: 4:galculator:access /etc/fonts/conf.d:0 + // number followed by : + ptr = buf; + if (!isdigit(*ptr)) + continue; + while (isdigit(*ptr)) + ptr++; + if (*ptr != ':') + continue; + ptr++; + + // next : + ptr = strchr(ptr, ':'); + if (!ptr) + continue; + ptr++; + if (strncmp(ptr, "exec ", 5) == 0) + ptr += 5; + else + continue; + if (strncmp(ptr, "/bin/", 5) == 0) + ptr += 5; + else if (strncmp(ptr, "/sbin/", 6) == 0) + ptr += 6; + else if (strncmp(ptr, "/usr/bin/", 9) == 0) + ptr += 9; + else if (strncmp(ptr, "/usr/sbin/", 10) == 0) + ptr += 10; + else if (strncmp(ptr, "/usr/local/bin/", 15) == 0) + ptr += 15; + else if (strncmp(ptr, "/usr/local/sbin/", 16) == 0) + ptr += 16; + else if (strncmp(ptr, "/usr/games/", 11) == 0) + 
ptr += 12; + else if (strncmp(ptr, "/usr/local/games/", 17) == 0) + ptr += 17; + else + continue; + + // end of filename + char *ptr2 = strchr(ptr, ':'); + if (!ptr2) + continue; + *ptr2 = '\0'; + + bin_out = filedb_add(bin_out, ptr); + } + + fclose(fp); +} + + +// process fname, fname.1, fname.2, fname.3, fname.4, fname.5 +void build_bin(const char *fname) { + assert(fname); + + // run fname + process_bin(fname); + + // run all the rest + struct stat s; + int i; + for (i = 1; i <= 5; i++) { + char *newname; + if (asprintf(&newname, "%s.%d", fname, i) == -1) + errExit("asprintf"); + if (stat(newname, &s) == 0) + process_bin(newname); + free(newname); + } + + if (bin_out) { + printf("# private-bin "); + FileDB *ptr = bin_out; + while (ptr) { + printf("%s,", ptr->fname); + ptr = ptr->next; + } + printf("\n"); + } +} diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c index 5fca22648..3f5fe48ca 100644 --- a/src/fbuilder/build_profile.c +++ b/src/fbuilder/build_profile.c @@ -33,6 +33,7 @@ static char *cmdlist[] = { "--caps.drop=all", "--nonewprivs", "--trace", + "--shell=none", "/usr/bin/strace", // also used as a marker in build_profile() "-c", "-f", @@ -56,8 +57,6 @@ static void clear_tmp_files(void) { } void build_profile(int argc, char **argv, int index) { - unlink("/tmp/strace-output"); - // next index is the application name if (index >= argc) { fprintf(stderr, "Error: application name missing\n"); @@ -136,6 +135,7 @@ void build_profile(int argc, char **argv, int index) { build_dev(TRACE_OUTPUT); build_etc(TRACE_OUTPUT); build_var(TRACE_OUTPUT); + build_bin(TRACE_OUTPUT); printf("\n"); printf("### security filters\n"); diff --git a/src/fbuilder/fbuilder.h b/src/fbuilder/fbuilder.h index a9049ea2d..c448f3e06 100644 --- a/src/fbuilder/fbuilder.h +++ b/src/fbuilder/fbuilder.h 
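Review bot: In process_bin() the `/usr/games/` branch compares 11 characters but then advances `ptr += 12`, so every binary under /usr/games is recorded with its first letter missing (`/usr/games/supertux2` becomes `upertux2`); the line should read `ptr += 11;`. Two smaller points in the same file: build_bin() prints `"%s,"` per entry, so the generated line ends in a dangling comma (visible as `# private-bin vlc,` in the README hunk) — emit the separator only between entries, e.g. `printf("%s%s", ptr == bin_out ? "" : ",", ptr->fname);`. And since the trace lines are produced from inside the traced program (libtrace runs in its address space), the resulting list is a starting point for the user to review rather than a trust boundary, which deserves a sentence in the file header comment.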
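Review bot: The `unlink("/tmp/strace-output")` removed from the start of build_profile() was the only visible guard against a stale trace from an earlier run being parsed together with the new one, and the readers (build_bin() and its siblings) also consume `fname.1` … `fname.5` rotations, so leftovers are easy to pick up. If clear_tmp_files() — whose body lies outside this hunk — now removes the file before the sandbox is launched, a comment at the call site saying so would make that explicit; otherwise keep the unlink. Adding `--shell=none` to cmdlist is a good tightening.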
@@ -44,6 +44,9 @@ void build_var(const char *fname); void build_tmp(const char *fname); void build_dev(const char *fname); +// build_bin.c +void build_bin(const char *fname); + // build_home.c void build_home(const char *fname); diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c index 5cdb254a3..04cf64997 100644 --- a/src/libtrace/libtrace.c +++ b/src/libtrace/libtrace.c @@ -673,3 +673,15 @@ int setresgid(gid_t rgid, gid_t egid, gid_t sgid) { return rv; } + +// every time a new process is started, this gets called +// it can be used to build things like private-bin +__attribute__((constructor)) +static void log_exec(int argc, char** argv) { + static char buf[PATH_MAX + 1]; + int rv = readlink("/proc/self/exe", buf, PATH_MAX); + if (rv != -1) { + buf[rv] = '\0'; // readlink does not add a '\0' at the end + printf("%u:%s:exec %s:0\n", pid(), name(), buf); + } +} -- cgit v1.2.3-70-g09d2 From 807ec197d34c90500fe2f81e777c207c2a8d6e8e Mon Sep 17 00:00:00 2001 From: Irvine Date: Tue, 19 Sep 2017 10:28:36 -0400 Subject: Add a profile for Conky --- README.md | 3 ++- etc/conky.profile | 35 +++++++++++++++++++++++++++++++++++ src/firecfg/firecfg.config | 1 + 3 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 etc/conky.profile (limited to 'etc') diff --git a/README.md b/README.md index 91bba52d2..7d0bccc14 100644 --- a/README.md +++ b/README.md @@ -178,4 +178,5 @@ amule, ardour4, ardour5, brackets, calligra, calligraauthor, calligraconverter, calligraflow, calligraplan, calligraplanwork, calligrasheets, calligrastage, calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd, google-earth, imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion, mpd, natron, Natron, -ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart +ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart, +conky 
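Review bot: log_exec() records `readlink("/proc/self/exe")`, which for an interpreted program is the interpreter, so a sandboxed launcher script shows up as `bash` or `dash` and the script's own name never reaches the private-bin list. glibc passes `argc`/`argv` to constructors (a glibc extension, not ISO C) and `argv[0]` is right there but unused; consider logging it in an additional field and teaching build_bin() to read it, or at least add `(void)argc; (void)argv;` to avoid unused-parameter warnings. A comment noting that the constructor runs before main() and writes to whatever stdout the traced program inherited would also help the next reader.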
diff --git a/etc/conky.profile b/etc/conky.profile new file mode 100644 index 000000000..4ee25f099 --- /dev/null +++ b/etc/conky.profile @@ -0,0 +1,35 @@ +# Firejail profile for conky +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/conky.local +# Persistent global definitions +include /etc/firejail/globals.local + + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +caps.drop all +ipc-namespace +netfilter +no3d +nodvd +nogroups +nonewprivs +noroot +nosound +notv +novideo +protocol unix,inet,inet6 +seccomp +shell none + +disable-mnt +private-dev +private-tmp + +memory-deny-write-execute +noexec ${HOME} +noexec /tmp diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 5d6afe68b..95fc14d04 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -65,6 +65,7 @@ clementine clipit cmus conkeror +conky corebird cvlc cyberfox -- cgit v1.2.3-70-g09d2 From 2bd6c546c75a516d7e21e4e6e6524ce3b2809ffc Mon Sep 17 00:00:00 2001 From: smitsohu Date: Wed, 20 Sep 2017 00:09:40 +0200 Subject: add nogroups --- etc/audacious.profile | 1 + etc/musescore.profile | 1 + etc/tuxguitar.profile | 1 + 3 files changed, 3 insertions(+) (limited to 'etc') diff --git a/etc/audacious.profile b/etc/audacious.profile index bd2367fe0..52e701821 100644 --- a/etc/audacious.profile +++ b/etc/audacious.profile @@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc caps.drop all netfilter +nogroups nonewprivs noroot notv diff --git a/etc/musescore.profile b/etc/musescore.profile index 3b5a0b13c..b039d07b2 100644 --- a/etc/musescore.profile +++ b/etc/musescore.profile @@ -19,6 +19,7 @@ caps.drop all netfilter no3d nodvd +nogroups nonewprivs noroot notv diff --git a/etc/tuxguitar.profile b/etc/tuxguitar.profile index 5b6a257f6..fbc198cc3 100644 --- a/etc/tuxguitar.profile 
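Review bot: conky runs whatever `${exec …}`/`${execi …}` commands the user's config names, which is presumably why the new profile has no `private-bin`; that absence should be stated, in the style of the smtube profile removed earlier in this series (`#no private-bin because users can add their own players`), so nobody adds one later and breaks every `${exec}` user. Second, a system monitor needs no sockets for its core job; `protocol unix,inet,inet6` plus `netfilter` are presumably kept for conky's built-in network-fetching objects (rss/weather/curl, if memory serves), so a comment such as `# inet kept for ${rss}/${weather}/${curl}; add net none in conky.local if unused` would let users tighten it. Finally, `memory-deny-write-execute` may interfere with a JIT-backed Lua if conky is built against LuaJIT — worth a note if that has been checked.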
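Review bot: `nogroups` is added to audacious (and to musescore and tuxguitar in the sibling hunks) while the "Misc fixes" commit earlier in this series removes it from mpd without saying why; if mpd lost it because direct ALSA output needs the `audio` group on /dev/snd, these three players face the same breakage for users without PulseAudio. Please confirm raw ALSA output still works under `nogroups`, or add a one-line comment to whichever profile is the exception so the two directions of change do not keep undoing each other.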
+++ b/etc/tuxguitar.profile @@ -17,6 +17,7 @@ caps.drop all netfilter no3d nodvd +nogroups nonewprivs noroot notv -- cgit v1.2.3-70-g09d2