From 8d9b12d1c61000af20eb3ff39af712939ca8788a Mon Sep 17 00:00:00 2001
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Date: Mon, 14 Sep 2020 12:23:34 +0200
Subject: New profiles + fixes + hardening

- blacklist ~/.rustup in disable-devel.inc
- add note to mpv (See #3628)
- harden warsow
- update relnotes
- new profile qrencode, dbus-send, notify-send
---
etc/inc/disable-devel.inc | 1 +
etc/profile-a-l/dbus-send.profile | 59 ++++++++++++++++++++++++++++++++++++
etc/profile-m-z/mpv.profile | 13 ++++++++
etc/profile-m-z/notify-send.profile | 60 +++++++++++++++++++++++++++++++++++++
etc/profile-m-z/qrencode.profile | 58 +++++++++++++++++++++++++++++++++++
etc/profile-m-z/warsow.profile | 3 ++
6 files changed, 194 insertions(+)
create mode 100644 etc/profile-a-l/dbus-send.profile
create mode 100644 etc/profile-m-z/notify-send.profile
create mode 100644 etc/profile-m-z/qrencode.profile
(limited to 'etc')

diff --git a/etc/inc/disable-devel.inc b/etc/inc/disable-devel.inc
index e1ba13380..e74b1b40b 100644
--- a/etc/inc/disable-devel.inc
+++ b/etc/inc/disable-devel.inc
@@ -49,6 +49,7 @@ blacklist ${PATH}/openssl-1.0
 blacklist ${PATH}/rust-gdb
 blacklist ${PATH}/rust-lldb
 blacklist ${PATH}/rustc
+blacklist ${HOME}/.rustup
 
 # tcc - Tiny C Compiler
 blacklist ${PATH}/tcc
diff --git a/etc/profile-a-l/dbus-send.profile b/etc/profile-a-l/dbus-send.profile
new file mode 100644
index 000000000..76a14d99b
--- /dev/null
+++ b/etc/profile-a-l/dbus-send.profile
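Review bot: `blacklist ${HOME}/.rustup` hides the toolchains rustup installs, but rustup's user-facing shims and its registry cache and credentials live under `${HOME}/.cargo`, which this hunk leaves untouched. If `${HOME}/.cargo` is not already blacklisted somewhere else in this include (the hunk shows only the rust section, so it may well be), pairing this line with `blacklist ${HOME}/.cargo` would finish the job, since the shims are what a user actually invokes and the credentials file is a secret that has no business being visible in a sandbox. A short `# rustup toolchains; shims and registry are in ~/.cargo` comment above the new line would also make the split obvious to the next maintainer.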
@@ -0,0 +1,59 @@
+# Firejail profile for dbus-send
+# Description: Send a message to a message bus
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include dbus-send.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+# Breaks abstract sockets
+#net none
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin dbus-send
+private-cache
+private-dev
+private-etc alternatives,dbus-1
+private-lib libpcre2-8.so.0
+private-tmp
+
+memory-deny-write-execute
+read-only ${HOME}
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index 7ca57334d..08318d08e 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -11,6 +11,19 @@ include globals.local
 # edit ~/.config/mpv/foobar.conf:
 # screenshot-directory=~/Pictures
 
+# Mpv has a powerfull lua-API, some off these lua-scripts interact
+# with external resources which are blocked by firejail. In such cases
+# you need to allow these resources by
+# - adding additional binaries to private-bin
+# - whitelisting additional paths
+# - noblacklisting paths
+# - weaking the dbus-policy
+# - ...
+#
+# Often these scripts require a shell:
+#noblacklist ${PATH}/sh
+#private-bin sh
+
 noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.config/youtube-dl
 noblacklist ${HOME}/.netrc
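Review bot: The profile leaves two security-relevant decisions undocumented: X11 is cut off with `blacklist /tmp/.X11-unix` instead of the `x11 none` the sibling notify-send and qrencode profiles in this commit use, and no `dbus-user`/`dbus-system` policy is set at all. Both are probably deliberate — `x11 none` refuses to start while the X11 abstract socket is still reachable, which it is here because `net none` is disabled, and a tool whose job is to send arbitrary bus messages cannot be filtered generically — but nothing says so. I would widen the existing comment to `# net none breaks the session bus when it lives on an abstract unix socket (and would make x11 none fail); protocol unix still denies inet sockets` and add `# No dbus filter on purpose: narrow it per use case in dbus-send.local`. Without that, the next hardening pass is likely to "fix" either line and break the tool.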
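Review bot: The added comment has three typos in its first lines — `powerfull` should be `powerful`, `some off these` should be `some of these`, and `weaking the dbus-policy` should be `weakening the dbus-policy` — and since this is the text users read when a script fails, it is worth getting right. It also stops short of saying where the relaxations go: profiles are overwritten on update (the header with that notice sits above this hunk), so the `#noblacklist ${PATH}/sh` / `#private-bin sh` examples belong in mpv.local, e.g. `# Put such changes in mpv.local, not in this file; see "Persistent local customizations" above.` One more sentence noting that re-enabling a shell undoes the shell restrictions the profile applies, so it should only be added when a script actually needs it, would keep the note from reading as a recommendation.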
diff --git a/etc/profile-m-z/notify-send.profile b/etc/profile-m-z/notify-send.profile
new file mode 100644
index 000000000..ff292f409
--- /dev/null
+++ b/etc/profile-m-z/notify-send.profile
@@ -0,0 +1,60 @@
+# Firejail profile for notify-send
+# Description: a program to send desktop notifications
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include notify-send.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private
+private-bin notify-send
+private-cache
+private-dev
+private-etc none
+private-tmp
+
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
diff --git a/etc/profile-m-z/qrencode.profile b/etc/profile-m-z/qrencode.profile
new file mode 100644
index 000000000..5e49a342a
--- /dev/null
+++ b/etc/profile-m-z/qrencode.profile
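Review bot: `notify-send --icon` takes a file path as well as a theme icon name, and under `private`, `disable-mnt` and `private-tmp` a path to the user's own image simply does not exist inside the sandbox, so the notification shows up without its icon and nothing explains why. A comment next to `private` such as `# --icon works with theme icon names only; private/disable-mnt hide arbitrary image paths` would save that confusion. Separately, `private` already mounts an empty tmpfs as the home, so the closing `read-only ${HOME}` protects nothing — harmless, but if it is kept as defence in depth for users who disable `private` in notify-send.local, a two-word comment saying so would stop it being deleted as dead configuration.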
@@ -0,0 +1,58 @@
+# Firejail profile for qrencode
+# Description: Encode input data in a QR Code and save as a PNG or EPS image.
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include qrencode.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin qrencode
+private-cache
+private-dev
+private-etc none
+private-lib libpcre2-8.so.0
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/warsow.profile b/etc/profile-m-z/warsow.profile
index d8cd5557e..178e0c7b1 100644
--- a/etc/profile-m-z/warsow.profile
+++ b/etc/profile-m-z/warsow.profile
@@ -24,7 +24,10 @@ mkdir ${HOME}/.cache/warsow-2.1
 mkdir ${HOME}/.local/share/warsow-2.1
 whitelist ${HOME}/.cache/warsow-2.1
 whitelist ${HOME}/.local/share/warsow-2.1
+whitelist /usr/share/warsow
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
-- 
cgit v1.2.3-70-g09d2
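Review bot: `blacklist ${RUNUSER}` on the second blacklist line already covers the whole runtime directory, which makes the preceding `blacklist ${RUNUSER}/wayland-*` redundant, and it sits oddly with `include whitelist-runuser-common.inc` a few lines below: if blacklists take precedence over whitelists, as I believe they do in firejail, that include exposes nothing, and if they do not, the blanket blacklist is silently undone. Pick one model — either keep `blacklist ${RUNUSER}` and drop both the wayland-* line and the runuser whitelist include, or mirror notify-send (wayland-* blacklist plus the whitelist include). With `net none`, `x11 none`, `dbus-user none` and `dbus-system none` all set, an encoder that reads stdin or arguments and writes a file has no reason to see anything under ${RUNUSER}, so the blanket blacklist looks like the intent and deserves a `# nothing in ${RUNUSER} is needed` comment rather than a contradicting include.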