From a83a3a906ead5291a0ad9ca1db1234eda6a43d50 Mon Sep 17 00:00:00 2001
From: SYN-cook
Date: Fri, 24 Mar 2017 14:58:30 +0100
Subject: update gwenview.profile - gwenview listens for uevents to see if a monitor was plugged in, hence the need for netlink. This fixes an error message on startup, I unfortunately couldn't check if the feature actually works now - nosound removes the sound from video previews - add KDE5 folders
---
 etc/gwenview.profile | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
(limited to 'etc')
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
index f636792f0..f6fc56995 100644
--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -5,6 +5,8 @@ include /etc/firejail/gwenview.local
 # KDE gwenview profile
 noblacklist ~/.kde/share/apps/gwenview
 noblacklist ~/.kde/share/config/gwenviewrc
+noblacklist ~/.config/gwenviewrc
+noblacklist ~/.config/org.kde.gwenviewrc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
@@ -14,13 +16,13 @@ caps.drop all
 nogroups
 nonewprivs
 noroot
-protocol unix
+protocol unix,netlink
 seccomp
-nosound
+tracelog
 private-dev
-#Experimental:
+# Experimental:
 #shell none
 #private-bin gwenview
 #private-etc X11
-- cgit v1.2.3-54-g00ecf
From 88f5bd7e28dc63c9122cb1ff8d15d2eae9c4bd79 Mon Sep 17 00:00:00 2001
From: SYN-cook
Date: Fri, 24 Mar 2017 15:10:50 +0100
Subject: harden Audacious Audaciousrc is the KFileDialog history
---
 etc/audacious.profile | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'etc')
diff --git a/etc/audacious.profile b/etc/audacious.profile
index 63ba9af9c..d12032166 100644
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
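Review bot: The new `protocol unix,netlink` line widens the sandbox's socket(2) allowlist to every AF_NETLINK family, not only the kobject-uevent one the commit message cites, because firejail's protocol filter keys on the address family alone; with that, a compromised viewer gains the kernel's netlink attack surface in exchange for a feature the commit message says was not verified. A comment above the line, `# netlink: kobject uevents for monitor hot-plug (unverified)`, would at least record the reason so the next editor can re-evaluate the trade-off. Swapping `nosound` for `tracelog` is fine given the video-preview rationale, though note that `tracelog` logs every blacklist violation to syslog, which can be noisy for an image viewer browsing arbitrary directories.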
@@ -4,13 +4,21 @@ include /etc/firejail/audacious.local
 # Audacious media player profile
 noblacklist ~/.config/audacious
+noblacklist ~/.config/Audaciousrc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+netfilter
 nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
+tracelog
+
+private-bin audacious
+private-dev
+private-tmp
-- cgit v1.2.3-54-g00ecf
From f5eb0b5df373f0d45bbb9e655de957c3fccd8cbe Mon Sep 17 00:00:00 2001
From: SYN-cook
Date: Fri, 24 Mar 2017 15:17:04 +0100
Subject: Update scribus.profile scribusrc keeps the KFileDialog history
---
 etc/scribus.profile | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'etc')
diff --git a/etc/scribus.profile b/etc/scribus.profile
index da2076286..5d0dc5af9 100644
--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -5,9 +5,15 @@ include /etc/firejail/scribus.local
 # Firejail profile for Scribus
 noblacklist ~/.scribus
 noblacklist ~/.config/scribus
+noblacklist ~/.config/scribusrc
 noblacklist ~/.local/share/scribus
 noblacklist ~/.gimp*
+# Support for PDF readers (Scribus 1.5 and higher)
+noblacklist ~/.kde/share/apps/okular
+noblacklist ~/.kde/share/config/okularrc
+noblacklist ~/.kde/share/config/okularpartrc
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-- cgit v1.2.3-54-g00ecf
From 408d7c65c2b8429eaf40c4edb12d6b20a14115fc Mon Sep 17 00:00:00 2001
From: SYN-cook
Date: Fri, 24 Mar 2017 15:24:53 +0100
Subject: update disable-programs.inc (audacious, gwenview, scribus)
---
 etc/disable-programs.inc | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'etc')
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 12f40e062..643396366 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
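Review bot: `noblacklist ~/.config/Audaciousrc` carries no comment saying why a file outside `~/.config/audacious` is opened up, while the commit message explains it holds the KFileDialog history; the scribus change in this same series documents its equivalent line, so for consistency add `# Audaciousrc holds the KFileDialog history` above it. Separately, `private-bin audacious` leaves that one executable as the only thing in the sandbox's /bin, and combined with `shell none` anything Audacious tries to spawn (a browser through xdg-open, for instance) will presumably fail silently, so it is worth confirming against the installed plugin set before shipping. The `netfilter` addition is a good fit for a player that only needs outbound streaming.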
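Review bot: The PDF-reader block only re-enables the KDE4 okular paths under `~/.kde`, while the gwenview change in this same series shows KDE5 applications keep their `*rc` files under `~/.config`; if disable-programs.inc also blacklists `~/.config/okularrc`, `~/.config/okularpartrc` or `~/.local/share/okular`, the preview will still be blocked on a Plasma 5 desktop and those paths need the same `noblacklist` treatment. From a least-privilege view `noblacklist` gives Scribus read-write access to Okular's settings, so a crafted document that compromises Scribus could alter how Okular handles later files; if read access is all the preview needs and the targeted firejail supports it, `read-only ~/.kde/share/config/okularrc` and `read-only ~/.kde/share/config/okularpartrc` after the noblacklist lines would narrow that. The enclosing profile continues outside the hunk.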
@@ -58,6 +58,7 @@ blacklist ${HOME}/.cache/xreader
 blacklist ${HOME}/.claws-mail
 blacklist ${HOME}/.config/0ad
 blacklist ${HOME}/.config/Atom
+blacklist ${HOME}/.config/Audaciousrc
 blacklist ${HOME}/.config/Brackets
 blacklist ${HOME}/.config/Cryptocat
 blacklist ${HOME}/.config/Franz
@@ -108,6 +109,7 @@ blacklist ${HOME}/.config/google-chrome
 blacklist ${HOME}/.config/google-chrome-beta
 blacklist ${HOME}/.config/google-chrome-unstable
 blacklist ${HOME}/.config/gthumb
+blacklist ${HOME}/.config/gwenviewrc
 blacklist ${HOME}/.config/hexchat
 blacklist ${HOME}/.config/inox
 blacklist ${HOME}/.config/jd-gui.cfg
@@ -125,6 +127,7 @@ blacklist ${HOME}/.config/nautilus
 blacklist ${HOME}/.config/netsurf
 blacklist ${HOME}/.config/opera
 blacklist ${HOME}/.config/opera-beta
+blacklist ${HOME}/.config/org.kde.gwenviewrc
 blacklist ${HOME}/.config/pix
 blacklist ${HOME}/.config/pluma
 blacklist ${HOME}/.config/psi+
@@ -267,6 +270,7 @@ blacklist ${HOME}/.qemu-launcher
 blacklist ${HOME}/.remmina
 blacklist ${HOME}/.retroshare
 blacklist ${HOME}/.scribus
+blacklist ${HOME}/.scribusrc
 blacklist ${HOME}/.steam
 blacklist ${HOME}/.steampath
 blacklist ${HOME}/.steampid
-- cgit v1.2.3-54-g00ecf
From 9d0a19b7818a67e34f716d45bcb4ccf06e45ae96 Mon Sep 17 00:00:00 2001
From: SYN-cook
Date: Fri, 24 Mar 2017 20:01:13 +0100
Subject: fix ~/.pki unblacklisting in browser profiles
---
 etc/disable-passwdmgr.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'etc')
diff --git a/etc/disable-passwdmgr.inc b/etc/disable-passwdmgr.inc
index c4112d4d5..35c40052b 100644
--- a/etc/disable-passwdmgr.inc
+++ b/etc/disable-passwdmgr.inc
@@ -2,7 +2,7 @@
 # Persistent customizations should go in a .local file.
 include /etc/firejail/disable-passwdmgr.local
-blacklist ${HOME}/.pki/nssdb
+blacklist ${HOME}/.pki
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx
 blacklist ${HOME}/.keepass
-- cgit v1.2.3-54-g00ecf
From a7660de8bcabd5bf3dd8aacaf14029436278a024 Mon Sep 17 00:00:00 2001
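Review bot: `blacklist ${HOME}/.scribusrc` in the last hunk does not name the path the scribus profile unblacklists in this same series, which is `~/.config/scribusrc`; the blacklist/noblacklist pairs for `gwenviewrc` and `Audaciousrc` in the hunks above show the two must agree, so as written this line hides a file Scribus never touches while `~/.config/scribusrc` stays readable from every sandbox that includes this file. One of the two is a typo, and given the commit message (KFileDialog history, a KDE5-style `~/.config/*rc` file like the gwenview entries) this line should most likely read `blacklist ${HOME}/.config/scribusrc` and move into the `.config` section. The other three hunks line up with their profiles.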
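Review bot: Widening `${HOME}/.pki/nssdb` to `${HOME}/.pki` hides the whole NSS store (certificate database, any client keys and trust decisions) from every profile that includes this file, which is the right default for a secrets list, but since the commit message says the motive is letting browser profiles unblacklist it, any browser profile that still says `noblacklist ~/.pki/nssdb` rather than `noblacklist ~/.pki` should be re-checked, as a noblacklist on the child path is not obviously guaranteed to cancel a blacklist on the parent. A comment above the line such as `# NSS database: client certificates and keys (Chromium-family browsers and other NSS users)` would make the broader path read as deliberate rather than loose.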
From: SYN-cook
Date: Fri, 24 Mar 2017 20:02:18 +0100
Subject: redundant with disable-passwdmgr.inc
---
 etc/disable-programs.inc | 1 -
 1 file changed, 1 deletion(-)
(limited to 'etc')
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 643396366..c60333a00 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -264,7 +264,6 @@ blacklist ${HOME}/.openshot
 blacklist ${HOME}/.openshot_qt
 blacklist ${HOME}/.opera
 blacklist ${HOME}/.opera-beta
-blacklist ${HOME}/.pki
 blacklist ${HOME}/.purple
 blacklist ${HOME}/.qemu-launcher
 blacklist ${HOME}/.remmina
-- cgit v1.2.3-54-g00ecf
From 867eefd7223445fb68d94e994dcacb426a3a327a Mon Sep 17 00:00:00 2001
From: SYN-cook
Date: Fri, 24 Mar 2017 21:45:19 +0100
Subject: move ~/.pki blacklist to disable-common.inc
---
 etc/disable-passwdmgr.inc | 1 -
 1 file changed, 1 deletion(-)
(limited to 'etc')
diff --git a/etc/disable-passwdmgr.inc b/etc/disable-passwdmgr.inc
index 35c40052b..b5260e897 100644
--- a/etc/disable-passwdmgr.inc
+++ b/etc/disable-passwdmgr.inc
@@ -2,7 +2,6 @@
 # Persistent customizations should go in a .local file.
 include /etc/firejail/disable-passwdmgr.local
-blacklist ${HOME}/.pki
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx
 blacklist ${HOME}/.keepass
-- cgit v1.2.3-54-g00ecf
From 02b893dc12488a71980596e76b992d247610e0f1 Mon Sep 17 00:00:00 2001
From: SYN-cook
Date: Fri, 24 Mar 2017 21:48:59 +0100
Subject: move ~/.pki blacklist to disable-common.inc
---
 etc/disable-common.inc | 1 +
 1 file changed, 1 insertion(+)
(limited to 'etc')
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 49ba7bc15..ae15a3f63 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -165,6 +165,7 @@ blacklist ${HOME}/*.key
 blacklist ${HOME}/.muttrc
 blacklist ${HOME}/.mutt/muttrc
 blacklist ${HOME}/.msmtprc
+blacklist ${HOME}/.pki
 blacklist /etc/shadow
 blacklist /etc/gshadow
 blacklist /etc/passwd-
-- cgit v1.2.3-54-g00ecf
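Review bot: The removed `blacklist ${HOME}/.pki` is only redundant for profiles that include both disable-programs.inc and disable-passwdmgr.inc; any profile that pulls in disable-programs.inc alone loses the NSS-store protection at this commit, and the tree stays that way until the later disable-common.inc commit in this series lands. The three .pki commits would be safer squashed into a single move, so that no intermediate revision (and no bisect stop) leaves `~/.pki` unprotected anywhere.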
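Review bot: Adding `blacklist ${HOME}/.pki` to disable-common.inc hides the NSS store from every sandbox that includes the common list, which is the better default but is a behaviour change for profiles that never included disable-passwdmgr.inc; each Chromium-family browser and any other profile that keeps client certificates in `~/.pki/nssdb` now needs a `noblacklist ~/.pki` ahead of its `include /etc/firejail/disable-common.inc`, otherwise certificate-based logins will presumably fail with no obvious error. The placement next to `.muttrc`, `.msmtprc` and `/etc/shadow` fits the secrets section; a short comment, `# NSS certificate/key database`, would explain why this dotdir sits among credentials files.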
From c71f0d6b98b287d9682b20c7089be79f48999a51 Mon Sep 17 00:00:00 2001
From: Alexandros Afentoulis
Date: Sat, 25 Mar 2017 14:47:16 +0200
Subject: Adds icedove directories in thunderbird profile In debian stretch icedove is renamed to thunderbird. This happens as of icedove version 1:45.7.1-1, see debian bug #816679 for details. Thunderbird debian package, as of stretch, contains a migration script for user profiles. Namely /usr/bin/thunderbird is a wrapper script, thunderbird-wrapper.sh. This scripts symlinks ~/.icedove (if exists) to ~/.thunderbird thus ensuring Thunderbird will be able to read old user's profiles. That symlink breaks thunderbird when run with firejail since firejail thunderbird.profile does not allow access to ~/.icedove. This commit modifies accordingly the thunderbird.profile.
---
 etc/thunderbird.profile | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'etc')
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
index 1dc8b15c7..df1a4cdbb 100644
--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -14,6 +14,10 @@ noblacklist ~/.thunderbird
 mkdir ~/.thunderbird
 whitelist ~/.thunderbird
+noblacklist ~/.icedove
+mkdir ~/.icedove
+whitelist ~/.icedove
+
 # allow browsers ignore private-tmp
 include /etc/firejail/firefox.profile
-- cgit v1.2.3-54-g00ecf
From f1b5b764b25f063eea68fc95982dc3b5d674f50e Mon Sep 17 00:00:00 2001
From: SYN-cook
Date: Sat, 25 Mar 2017 15:13:13 +0100
Subject: undo netlink addition
---
 etc/gwenview.profile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'etc')
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
index f6fc56995..b8067866c 100644
--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -16,7 +16,7 @@ caps.drop all
 nogroups
 nonewprivs
 noroot
-protocol unix,netlink
+protocol unix
 seccomp
 tracelog
-- cgit v1.2.3-54-g00ecf
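Review bot: `mkdir ~/.icedove` creates an empty `~/.icedove` for every user who never ran Icedove, and the commit description says the Debian wrapper decides whether to migrate by testing for that directory, so a directory planted by firejail before the wrapper runs may steer a fresh install down the migration path; whether the wrapper also checks for a real profile inside it should be confirmed. Unless the targeted firejail needs the directory to exist for `whitelist` to take effect, dropping the `mkdir` line and keeping `noblacklist ~/.icedove` plus `whitelist ~/.icedove` avoids the side effect. A comment above the block, `# Debian stretch: thunderbird-wrapper.sh links ~/.thunderbird and ~/.icedove, so both must be reachable`, would record why a second profile directory is opened; which direction the symlink points is described ambiguously in the message and is worth stating precisely, since a whitelisted symlink whose target lies outside the whitelist is exactly the failure being fixed.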
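Review bot: Reverting to `protocol unix` without a comment leaves no trace in the profile of why netlink was tried and dropped, so the next person chasing the startup error message mentioned in the earlier commit will likely re-add it; a one-line comment above the line, `# netlink (monitor hot-plug uevents) was tried and reverted, see git history`, keeps the narrowed socket allowlist deliberate. The commit message should also say whether the startup error returns with this revert, since the earlier commit used it as the justification.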