From 8ef2c87931fa83c2d1fd6b35f23ac650adee6355 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Sun, 29 Oct 2017 13:06:19 +0100
Subject: fix and harden various profiles
---
etc/atril.profile | 3 +--
etc/calligra.profile | 8 ++++----
etc/disable-common.inc | 9 +++++----
etc/evince.profile | 3 +--
etc/inox.profile | 8 +++++++-
etc/iridium.profile | 10 ++++++++++
etc/kdenlive.profile | 10 +++++-----
etc/krita.profile | 4 ++--
etc/okular.profile | 2 +-
etc/thunderbird.profile | 1 +
etc/vivaldi.profile | 1 +
etc/xreader.profile | 3 +--
12 files changed, 39 insertions(+), 23 deletions(-)
(limited to 'etc')
diff --git a/etc/atril.profile b/etc/atril.profile
index 8c5bdc6fb..98142012c 100644
--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -35,8 +35,7 @@ private-etc fonts,ld.so.cache
 # atril uses webkit gtk to display epub files
 # waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0
 private-lib webkit2gtk-4.0
-# atril needs access to /tmp/mozilla* to work in firefox
-# private-tmp
+private-tmp
 # webkit gtk killed by memory-deny-write-execute
 #memory-deny-write-execute
diff --git a/etc/calligra.profile b/etc/calligra.profile
index a57694752..f09716bc3 100644
--- a/etc/calligra.profile
+++ b/etc/calligra.profile
@@ -5,7 +5,7 @@ include /etc/firejail/calligra.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
+# blacklist /run/user/*/bus
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -14,7 +14,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
-net none
+# net none
 nodvd
 nogroups
 nonewprivs
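Review bot: Commenting out `net none` and `blacklist /run/user/*/bus` in the calligra hunks widens the sandbox — the process gets the host network namespace and the session bus back — in a commit titled "harden", and neither line says why. If the motivation is the dbus-launch/kdeinit4 startup path (the next calligra hunk adds `kdeinit4` and `kbuildsycoca4` to private-bin), record it inline, e.g. `# net none - breaks dbus-launch/kdeinit4 session bus (abstract socket)`, so a later hardening pass does not treat it as an oversight. The profile's `protocol unix` line, visible only as header context of the following hunk, should keep seccomp from creating inet sockets, so the practical effect is presumably limited to abstract unix sockets — worth confirming, since that line sits outside this hunk.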
@@ -25,8 +25,8 @@ protocol unix
 seccomp
 shell none
-private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch
+private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch,kbuildsycoca4,kdeinit4
 private-dev
-#noexec ${HOME}
+# noexec ${HOME}
 noexec /tmp
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index f01953ed4..09ab39968 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -76,10 +76,11 @@ read-only ${HOME}/.kde4/share/kde4/services
 read-only ${HOME}/.kde4/share/config/kdeglobals
 read-only ${HOME}/.local/share/kservices5
-# kdeinit sockets
-blacklist /run/user/*/kdeinit*
-blacklist /run/user/*/ksocket-*/kdeinit*
-blacklist /tmp/ksocket-*/kdeinit*
+# kdeinit socket
+blacklist /run/user/*/kdeinit5__*
+# blacklist /run/user/*/ksocket-*/kdeinit4__*
+# blacklist /tmp/ksocket-*/kdeinit4__*
+# - causes issues when kdeinit4 gets killed; enable on KDE Plasma 4
 # systemd
 blacklist ${HOME}/.config/systemd
diff --git a/etc/evince.profile b/etc/evince.profile
index acca8878f..b68d272df 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -36,8 +36,7 @@ private-bin evince,evince-previewer,evince-thumbnailer
 private-dev
 private-etc fonts
 private-lib
-# evince needs access to /tmp/mozilla* to work in firefox
-# private-tmp
+private-tmp
 memory-deny-write-execute
 noexec ${HOME}
diff --git a/etc/inox.profile b/etc/inox.profile
index de4d6205b..221acd309 100644
--- a/etc/inox.profile
+++ b/etc/inox.profile
@@ -20,11 +20,17 @@ whitelist ~/.cache/inox
 whitelist ~/.config/inox
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.keep sys_chroot,sys_admin
 netfilter
 nodvd
 nogroups
-noroot
 notv
 shell none
+
+private-dev
+# private-tmp - problems with multiple browser sessions
+
+noexec ${HOME}
+noexec /tmp
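Review bot: In the disable-common.inc hunk the new `blacklist /run/user/*/kdeinit5__*` is narrower than the replaced `kdeinit*` globs, and both kdeinit4 socket paths are now only comments, so on KDE 4 every sandboxed program can reach the kdeinit4 socket under /tmp/ksocket-* and /run/user/*/ksocket-*. As far as I know that socket accepts requests to start programs, which makes it an exit from the sandbox; the added `# - causes issues when kdeinit4 gets killed` line records the breakage but not this cost. Suggest stating it, e.g. `# kdeinit4 socket left reachable: a sandboxed process can ask kdeinit4 to launch programs outside the sandbox; re-enable in disable-common.local on KDE Plasma 4`, and putting the explanation above the two commented-out lines rather than after them.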
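Review bot: In the inox hunk `-noroot` drops the user namespace without a word of explanation, in a change that otherwise only tightens (private-dev, noexec). Without `noroot`, uid 0 inside the sandbox is real root, and the profile keeps `caps.keep sys_chroot,sys_admin` (context line), so the reason matters; I would guess it is the chromium setuid sandbox helper, and the iridium hunk in this commit takes the same shape, but that is inference. Record the rationale inline, e.g. `# noroot - incompatible with the chromium setuid sandbox`, so the next hardening pass does not re-add it blind.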
diff --git a/etc/iridium.profile b/etc/iridium.profile
index db9c5c7cf..5b1268f4e 100644
--- a/etc/iridium.profile
+++ b/etc/iridium.profile
@@ -21,7 +21,17 @@ whitelist ~/.cache/iridium
 whitelist ~/.config/iridium
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+caps.keep sys_chroot,sys_admin
 netfilter
 nodvd
+nogroups
 notv
+shell none
+
+private-dev
+# private-tmp - problems with multiple browser sessions
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile
index e42e5920a..871706b02 100644
--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -5,7 +5,7 @@ include /etc/firejail/kdenlive.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
+# blacklist /run/user/*/bus
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -13,19 +13,19 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
-net none
+# net none
 nodvd
 nogroups
 nonewprivs
 noroot
 notv
-protocol unix,inet,inet6
+protocol unix,netlink
 seccomp
 shell none
 private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper
 private-dev
-#private-etc fonts,alternatives,X11,pulse,passwd
+# private-etc fonts,alternatives,X11,pulse,passwd
-#noexec ${HOME}
+# noexec ${HOME}
 noexec /tmp
diff --git a/etc/krita.profile b/etc/krita.profile
index ac723f303..52329eaab 100644
--- a/etc/krita.profile
+++ b/etc/krita.profile
@@ -5,7 +5,7 @@ include /etc/firejail/krita.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
+# blacklist /run/user/*/bus
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
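Review bot: In the second kdenlive hunk `protocol unix,netlink` admits a socket family the old line did not, with no comment on who needs AF_NETLINK; firejail's protocol filter works per family, so this allows every netlink protocol, not only route lookups (the `caps.drop all` context line at least keeps it unprivileged). The pairing of `# net none` with dropping inet/inet6 from `protocol` looks deliberate — block networking through seccomp while keeping the host network namespace, presumably so the session bus on an abstract socket stays reachable — and that design deserves one line, e.g. `# net none breaks the session bus; networking is blocked through protocol instead`. Give `netlink` its own reason (`# netlink - needed by ...`) or drop it if `unix` alone works.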
@@ -14,7 +14,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
-net none
+# net none
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/okular.profile b/etc/okular.profile
index 60390e4d8..53148add5 100644
--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -39,7 +39,7 @@ tracelog
 # private-bin okular,kbuildsycoca4,kdeinit4,lpr
 private-dev
 # private-etc fonts,X11
-private-tmp
+# private-tmp - on KDE we need access to the real /tmp for data exchange with thunderbird
 # memory-deny-write-execute
 noexec ${HOME}
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
index db944a2c0..52965cf90 100644
--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -24,6 +24,7 @@ whitelist ~/.thunderbird
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc
+# We need the real /tmp for data exchange when xdg-open handles email attachments on KDE
 ignore private-tmp
 machine-id
 disable-mnt
diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile
index 503916b26..3cbc5b45c 100644
--- a/etc/vivaldi.profile
+++ b/etc/vivaldi.profile
@@ -18,6 +18,7 @@ whitelist ${DOWNLOADS}
 whitelist ~/.cache/vivaldi
 whitelist ~/.config/vivaldi
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.keep sys_chroot,sys_admin
 netfilter
diff --git a/etc/xreader.profile b/etc/xreader.profile
index 11e5d1102..9583b6ee1 100644
--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -33,8 +33,7 @@ tracelog
 private-bin xreader,xreader-previewer,xreader-thumbnailer
 private-dev
 private-etc fonts,ld.so.cache
-# xreader needs access to /tmp/mozilla* to work in firefox
-# private-tmp
+private-tmp
 memory-deny-write-execute
 noexec ${HOME}
--
cgit v1.2.3-70-g09d2
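Review bot: In the krita hunk `# net none` is not paired with any change to krita's `protocol` line, unlike the kdenlive hunk in this same commit, which removes inet/inet6 from `protocol` at the moment it stops using `net none`. If krita's protocol line (outside this hunk) still lists inet/inet6, the sandbox now has full host network access for what is presumably a D-Bus/kdeinit need. Either narrow the protocol line the same way or note why network is wanted, e.g. `# net none - breaks the session bus; see protocol line`.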
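Review bot: In the okular hunk dropping `private-tmp` exposes the host's /tmp, and this same commit comments out `blacklist /tmp/ksocket-*/kdeinit4__*` in disable-common.inc, so on KDE 4 okular can now reach the kdeinit4 socket, which as far as I know can be asked to start programs outside the sandbox — and okular is exactly the program that opens untrusted PDFs. If the need is only exchanging attachment files with thunderbird, consider keeping the socket directory out with `blacklist /tmp/ksocket-*` next to the new comment, or re-enabling the kdeinit4 blacklist through disable-common.local on KDE 4. The new comment could also say which /tmp path the exchange uses, so a future whitelist can replace the blanket exposure.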