From 836bbf586f3134d41f6bb97f5eb00ba35f53962e Mon Sep 17 00:00:00 2001
From: Vasya Novikov
Date: Sat, 19 Nov 2016 21:12:13 +0300
Subject: explain audit for seccomp logging
---
src/man/firejail.txt | 4 ++++
1 file changed, 4 insertions(+)
(limited to 'src')
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index bb9ae270c..8441f25d5 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1340,6 +1340,10 @@ at run time only if the correct architecture was detected. For the case of I386 both 32-bit and 64-bit filters are installed.
 .br
+.br
+Firejail will print seccomp violations to the audit log if the kernel was compiled with audit support (CONFIG_AUDIT flag).
+.br
+
 .br
 Example:
 .br
-- cgit v1.2.3-54-g00ecf
From fa10ab0e093a4224b16491273b0162b0e0a77a3a Mon Sep 17 00:00:00 2001
From: valoq Date: Sat, 19 Nov 2016 21:57:42 +0100 Subject: many new profiles --- README.md | 4 +++ etc/amarok.profile | 19 ++++++++++++++ etc/ark.profile | 23 +++++++++++++++++ etc/atool.profile | 24 +++++++++++++++++ etc/bleachbit.profile | 21 +++++++++++++++ etc/brasero.profile | 23 +++++++++++++++++ etc/dolphin.profile | 23 +++++++++++++++++ etc/dragon.profile | 22 ++++++++++++++++ etc/elinks.profile | 24 +++++++++++++++++ etc/enchant.profile | 23 +++++++++++++++++ etc/exiftool.profile | 28 ++++++++++++++++++++ etc/file-roller.profile | 21 +++++++++++++++ etc/gedit.profile | 26 +++++++++++++++++++ etc/gjs.profile | 28 ++++++++++++++++++++ etc/gnome-books.profile | 26 +++++++++++++++++++ etc/gnome-clocks.profile | 22 ++++++++++++++++ etc/gnome-documents.profile | 24 +++++++++++++++++ etc/gnome-maps.profile | 24 +++++++++++++++++ etc/gnome-music.profile | 22 ++++++++++++++++ etc/gnome-photos.profile | 26 +++++++++++++++++++ etc/gnome-weather.profile | 26 +++++++++++++++++++ etc/goobox.profile | 20 +++++++++++++++ etc/gpa.profile | 23 +++++++++++++++++ etc/gpg-agent.profile | 24 +++++++++++++++++ etc/gpg.profile | 24 +++++++++++++++++ etc/highlight.profile | 24 +++++++++++++++++ etc/img2txt.profile | 24 +++++++++++++++++ etc/k3b.profile | 21 +++++++++++++++ etc/kate.profile | 28 ++++++++++++++++++++ etc/lynx.profile | 22 ++++++++++++++++ etc/mediainfo.profile | 26 +++++++++++++++++++ etc/nautilus.profile | 26 +++++++++++++++++++ etc/odt2txt.profile | 24 +++++++++++++++++ etc/okular.profile | 16 ++++++------ etc/pdftotext.profile | 22 ++++++++++++++++ etc/simple-scan.profile | 23 +++++++++++++++++ etc/skanlite.profile | 21 +++++++++++++++ etc/ssh-agent.profile | 15 +++++++++++ etc/tracker.profile | 24 +++++++++++++++++ etc/transmission-cli.profile | 24 +++++++++++++++++ etc/transmission-show.profile | 24 +++++++++++++++++ etc/w3m.profile | 23 +++++++++++++++++ etc/xfburn.profile | 23 +++++++++++++++++ etc/xpra.profile | 21 +++++++++++++++ platform/debian/conffiles | 
42 ++++++++++++++++++++++++++++++ src/firecfg/firecfg.config | 60 +++++++++++++++++++++++++++++++++++++++++-- 46 files changed, 1093 insertions(+), 10 deletions(-) create mode 100644 etc/amarok.profile create mode 100644 etc/ark.profile create mode 100644 etc/atool.profile create mode 100644 etc/bleachbit.profile create mode 100644 etc/brasero.profile create mode 100644 etc/dolphin.profile create mode 100644 etc/dragon.profile create mode 100644 etc/elinks.profile create mode 100644 etc/enchant.profile create mode 100644 etc/exiftool.profile create mode 100644 etc/file-roller.profile create mode 100644 etc/gedit.profile create mode 100644 etc/gjs.profile create mode 100644 etc/gnome-books.profile create mode 100644 etc/gnome-clocks.profile create mode 100644 etc/gnome-documents.profile create mode 100644 etc/gnome-maps.profile create mode 100644 etc/gnome-music.profile create mode 100644 etc/gnome-photos.profile create mode 100644 etc/gnome-weather.profile create mode 100644 etc/goobox.profile create mode 100644 etc/gpa.profile create mode 100644 etc/gpg-agent.profile create mode 100644 etc/gpg.profile create mode 100644 etc/highlight.profile create mode 100644 etc/img2txt.profile create mode 100644 etc/k3b.profile create mode 100644 etc/kate.profile create mode 100644 etc/lynx.profile create mode 100644 etc/mediainfo.profile create mode 100644 etc/nautilus.profile create mode 100644 etc/odt2txt.profile create mode 100644 etc/pdftotext.profile create mode 100644 etc/simple-scan.profile create mode 100644 etc/skanlite.profile create mode 100644 etc/ssh-agent.profile create mode 100644 etc/tracker.profile create mode 100644 etc/transmission-cli.profile create mode 100644 etc/transmission-show.profile create mode 100644 etc/w3m.profile create mode 100644 etc/xfburn.profile create mode 100644 etc/xpra.profile (limited to 'src') diff --git a/README.md b/README.md index ad90639e2..87a5b3f63 100644 --- a/README.md +++ b/README.md 
@@ -53,4 +53,8 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is ````` ## New Profiles xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom,Guayadeque
+amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, exiftool, file-roller, gedit
+gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome-photos, gnome-weather
+goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext
+simple-scan, skanlite, ssh-agent, transmission-cli, transmission-show, w3m, xfburn, xpra
diff --git a/etc/amarok.profile b/etc/amarok.profile
new file mode 100644
index 000000000..962865790
--- /dev/null
+++ b/etc/amarok.profile
@@ -0,0 +1,19 @@
+# amorak profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+shell none
+#seccomp
+protocol unix,inet,inet6
+
+#private-bin amorak
+private-dev
+private-tmp
+#private-etc none
diff --git a/etc/ark.profile b/etc/ark.profile
new file mode 100644
index 000000000..61b4c6f60
--- /dev/null
+++ b/etc/ark.profile
@@ -0,0 +1,23 @@
+# ark profile
+noblacklist ~/.config/arkrc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+seccomp
+protocol unix
+
+# private-bin
+private-dev
+private-tmp
+# private-etc
+
diff --git a/etc/atool.profile b/etc/atool.profile
new file mode 100644
index 000000000..3fbfb9fc7
--- /dev/null
+++ b/etc/atool.profile
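Review bot: amarok.profile ships with the syscall filter switched off (`#seccomp`) and `#private-bin amorak` commented, with no comment saying why, and both the header line and that line spell the program "amorak"; a default sandbox for a networked media player should either keep `seccomp` on or carry a one-line reason for leaving it off. Suggested: `# seccomp disabled: <reason — TODO confirm>` above the commented line, and `# amarok profile` / `#private-bin amarok` for the spelling. The same silent `#seccomp` appears in the simple-scan and skanlite profiles added by this commit.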
@@ -0,0 +1,24 @@
+# atool profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+# private-bin atool
+private-tmp
+private-dev
+private-etc none
+
+
diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile
new file mode 100644
index 000000000..0a71db9f0
--- /dev/null
+++ b/etc/bleachbit.profile
@@ -0,0 +1,21 @@
+# bleachbit profile
+include /etc/firejail/disable-common.inc
+# include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+seccomp
+protocol unix
+
+# private-bin
+# private-dev
+# private-tmp
+# private-etc
+
diff --git a/etc/brasero.profile b/etc/brasero.profile
new file mode 100644
index 000000000..66de6fa50
--- /dev/null
+++ b/etc/brasero.profile
@@ -0,0 +1,23 @@
+# brasero profile
+noblacklist ~/.config/brasero
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin brasero
+# private-tmp
+# private-dev
+# private-etc fonts
diff --git a/etc/dolphin.profile b/etc/dolphin.profile
new file mode 100644
index 000000000..1a6abb71d
--- /dev/null
+++ b/etc/dolphin.profile
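Review bot: `# include /etc/firejail/disable-devel.inc` in atool.profile is disabled with no explanation, so a later cleanup cannot tell whether atool genuinely needs the development toolchain visible or the line was commented while debugging. The nautilus profile in this same commit shows the convention to follow, a reason stated directly above the disabled include; something like `# disable-devel.inc not included: <reason — TODO confirm>` would do. The same undocumented disabled includes are in bleachbit (`# include /etc/firejail/disable-programs.inc`) and in gedit and kate (`#include /etc/firejail/disable-devel.inc`).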
@@ -0,0 +1,23 @@
+# dolphin profile
+noblacklist ~/.config/dolphinrc
+noblacklist ~/.local/share/dolphin
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+shell none
+seccomp
+protocol unix
+
+# private-bin
+# private-dev
+# private-tmp
+# private-etc
+
diff --git a/etc/dragon.profile b/etc/dragon.profile
new file mode 100644
index 000000000..09cb73802
--- /dev/null
+++ b/etc/dragon.profile
@@ -0,0 +1,22 @@
+# dragon player profile
+noblacklist ~/.config/dragonplayerrc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+shell none
+seccomp
+protocol unix,inet,inet6
+
+private-bin dragon
+private-dev
+private-tmp
+# private-etc
+
diff --git a/etc/elinks.profile b/etc/elinks.profile
new file mode 100644
index 000000000..df817ea56
--- /dev/null
+++ b/etc/elinks.profile
@@ -0,0 +1,24 @@
+# elinks profile
+noblacklist ~/.elinks
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin elinks
+private-tmp
+private-dev
+# private-etc none
+
diff --git a/etc/enchant.profile b/etc/enchant.profile
new file mode 100644
index 000000000..cf8288919
--- /dev/null
+++ b/etc/enchant.profile
@@ -0,0 +1,23 @@
+# enchant profile
+noblacklist ~/.config/enchant
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin enchant
+# private-tmp
+# private-dev
+# private-etc fonts
diff --git a/etc/exiftool.profile b/etc/exiftool.profile
new file mode 100644
index 000000000..384695473
--- /dev/null
+++ b/etc/exiftool.profile
@@ -0,0 +1,28 @@
+# exiftool profile
+noblacklist /usr/bin/perl
+noblacklist /usr/share/perl*
+noblacklist /usr/lib/perl*
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+# private-bin exiftool,perl
+private-tmp
+private-dev
+private-etc none
+
+
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
new file mode 100644
index 000000000..6116389db
--- /dev/null
+++ b/etc/file-roller.profile
@@ -0,0 +1,21 @@
+# file-roller profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin file-roller
+# private-tmp
+private-dev
+# private-etc fonts
diff --git a/etc/gedit.profile b/etc/gedit.profile
new file mode 100644
index 000000000..a25286bfa
--- /dev/null
+++ b/etc/gedit.profile
@@ -0,0 +1,26 @@
+# gedit profile
+
+# when gedit is started via gnome-shell, firejail is not applied because systemd will start it
+
+noblacklist ~/.config/gedit
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+#include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gedit
+private-tmp
+private-dev
+# private-etc fonts
diff --git a/etc/gjs.profile b/etc/gjs.profile
new file mode 100644
index 000000000..8d71728a2
--- /dev/null
+++ b/etc/gjs.profile
@@ -0,0 +1,28 @@
+# gjs (gnome javascript bindings) profile
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ~/.cache/org.gnome.Books
+noblacklist ~/.config/libreoffice
+noblacklist ~/.local/share/gnome-photos
+noblacklist ~/.cache/libgweather
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gjs,gnome-books,gnome-documents,gnome-photos,gnome-maps,gnome-weather
+private-tmp
+private-dev
+# private-etc fonts
diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile
new file mode 100644
index 000000000..10b06e173
--- /dev/null
+++ b/etc/gnome-books.profile
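Review bot: gjs.profile is the policy for a general-purpose JavaScript interpreter, yet it grants the union of what four different applications need — `noblacklist` for org.gnome.Books, libreoffice, gnome-photos and libgweather, `protocol unix,inet,inet6`, and no `nosound` — so anything run through `gjs` receives all of it at once. The per-application profiles added in the same commit (gnome-books, gnome-documents, gnome-photos, gnome-weather) already carry their own narrower noblacklist lines, so the interpreter profile could be reduced to the common subset and each gnome-* binary pointed at its own profile. If the broad profile is intentional because the desktop launches these apps through gjs, a comment above the noblacklist block saying so would stop the next reader from tightening it and breaking them.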
@@ -0,0 +1,26 @@
+# gnome-books profile
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ~/.cache/org.gnome.Books
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gjs gnome-books
+private-tmp
+private-dev
+private-etc fonts
diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile
new file mode 100644
index 000000000..30adadda1
--- /dev/null
+++ b/etc/gnome-clocks.profile
@@ -0,0 +1,22 @@
+# gnome-clocks profile
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gnome-clocks
+private-tmp
+private-dev
+# private-etc fonts
diff --git a/etc/gnome-documents.profile b/etc/gnome-documents.profile
new file mode 100644
index 000000000..c5def7aff
--- /dev/null
+++ b/etc/gnome-documents.profile
@@ -0,0 +1,24 @@
+# gnome-documents profile
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ~/.config/libreoffice
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+private-tmp
+private-dev
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile
new file mode 100644
index 000000000..f1451506e
--- /dev/null
+++ b/etc/gnome-maps.profile
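Review bot: The commented `# private-bin gjs gnome-books` separates the two binaries with a space, whereas gjs.profile and gpa.profile in this same commit use the comma form (`# private-bin gjs,gnome-books,...`, `# private-bin gpa,gpg`), which is what the `private-bin` list syntax expects; if someone later uncomments this line as written, the second name would not be read as a separate entry. Change it to `# private-bin gjs,gnome-books`. The same space-separated form is in gnome-maps, gnome-photos and gnome-weather.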
@@ -0,0 +1,24 @@
+# gnome-maps profile
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gjs gnome-maps
+private-tmp
+private-dev
+# private-etc fonts
diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile
new file mode 100644
index 000000000..4a8adeb22
--- /dev/null
+++ b/etc/gnome-music.profile
@@ -0,0 +1,22 @@
+# gnome-music profile
+noblacklist ~/.local/share/gnome-music
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gnome-music,python3
+private-tmp
+private-dev
+# private-etc fonts
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile
new file mode 100644
index 000000000..8f9d60cb5
--- /dev/null
+++ b/etc/gnome-photos.profile
@@ -0,0 +1,26 @@
+# gnome-photos profile
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ~/.local/share/gnome-photos
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gjs gnome-photos
+private-tmp
+private-dev
+# private-etc fonts
diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile
new file mode 100644
index 000000000..9f93b8f15
--- /dev/null
+++ b/etc/gnome-weather.profile
@@ -0,0 +1,26 @@
+# gnome-weather profile
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ~/.cache/libgweather
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gjs gnome-weather
+private-tmp
+private-dev
+# private-etc fonts
diff --git a/etc/goobox.profile b/etc/goobox.profile
new file mode 100644
index 000000000..8990943fc
--- /dev/null
+++ b/etc/goobox.profile
@@ -0,0 +1,20 @@
+# goobox profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin goobox
+# private-tmp
+# private-dev
+# private-etc fonts
diff --git a/etc/gpa.profile b/etc/gpa.profile
new file mode 100644
index 000000000..7d7277190
--- /dev/null
+++ b/etc/gpa.profile
@@ -0,0 +1,23 @@
+# gpa profile
+noblacklist ~/.gnupg
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gpa,gpg
+private-tmp
+private-dev
+# private-etc none
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile
new file mode 100644
index 000000000..31ed8812e
--- /dev/null
+++ b/etc/gpg-agent.profile
@@ -0,0 +1,24 @@
+# gpg-agent profile
+
+noblacklist ~/.gnupg
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gpg-agent,gpg
+private-tmp
+private-dev
+# private-etc none
diff --git a/etc/gpg.profile b/etc/gpg.profile
new file mode 100644
index 000000000..31372eb90
--- /dev/null
+++ b/etc/gpg.profile
@@ -0,0 +1,24 @@
+# gpg profile
+noblacklist ~/.gnupg
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+# private-bin gpg,gpg-agent
+private-tmp
+private-dev
+# private-etc none
diff --git a/etc/highlight.profile b/etc/highlight.profile
new file mode 100644
index 000000000..f95f3924a
--- /dev/null
+++ b/etc/highlight.profile
@@ -0,0 +1,24 @@
+# highlight profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+private-bin highlight
+private-tmp
+private-dev
+
+
+
diff --git a/etc/img2txt.profile b/etc/img2txt.profile
new file mode 100644
index 000000000..d55a31cd0
--- /dev/null
+++ b/etc/img2txt.profile
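Review bot: `net none` together with `protocol unix` in gpg.profile removes all network access, so keyserver operations (`--recv-keys`, `--send-keys`, `--refresh-keys`) and any other remote key lookup will fail inside this sandbox; that is a sound default for local signing and decryption, but it is a user-visible behaviour change that the profile should state, e.g. `# net none: keyserver operations are not available under this profile`. gpa.profile in the same commit keeps `protocol unix,inet,inet6` with no `net none`, so a pointer to it in that comment would give users who need key fetching a documented alternative.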
@@ -0,0 +1,24 @@
+# img2txt profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+#private-bin img2txt
+private-tmp
+private-dev
+#private-etc none
+
+
diff --git a/etc/k3b.profile b/etc/k3b.profile
new file mode 100644
index 000000000..6e16d233c
--- /dev/null
+++ b/etc/k3b.profile
@@ -0,0 +1,21 @@
+# k3b profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+seccomp
+protocol unix
+
+# private-bin
+private-dev
+private-tmp
+# private-etc
+
diff --git a/etc/kate.profile b/etc/kate.profile
new file mode 100644
index 000000000..4b07ea6cb
--- /dev/null
+++ b/etc/kate.profile
@@ -0,0 +1,28 @@
+# kate profile
+noblacklist ~/.local/share/kate
+noblacklist ~/.config/katerc
+noblacklist ~/.config/katepartrc
+noblacklist ~/.config/kateschemarc
+noblacklist ~/.config/katesyntaxhighlightingrc
+noblacklist ~/.config/katevirc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+#include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin kate
+private-tmp
+private-dev
+# private-etc fonts
diff --git a/etc/lynx.profile b/etc/lynx.profile
new file mode 100644
index 000000000..6e150f62e
--- /dev/null
+++ b/etc/lynx.profile
@@ -0,0 +1,22 @@
+# lynx profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin lynx
+private-tmp
+private-dev
+# private-etc none
+
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile
new file mode 100644
index 000000000..c07a9a9e8
--- /dev/null
+++ b/etc/mediainfo.profile
@@ -0,0 +1,26 @@
+# mediainfo profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+private-bin mediainfo
+private-tmp
+private-dev
+private-etc none
+
+
+
+
diff --git a/etc/nautilus.profile b/etc/nautilus.profile
new file mode 100644
index 000000000..264ee0b9d
--- /dev/null
+++ b/etc/nautilus.profile
@@ -0,0 +1,26 @@
+# nautilus profile
+
+# Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there is already a nautilus process running on gnome desktops firejail will have no effect.
+
+noblacklist ~/.config/nautilus
+
+include /etc/firejail/disable-common.inc
+# nautilus needs to be able to start arbitrary applications so we cannot blacklist their files
+#include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin nautilus
+# private-tmp
+# private-dev
+# private-etc fonts
diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile
new file mode 100644
index 000000000..329275022
--- /dev/null
+++ b/etc/odt2txt.profile
@@ -0,0 +1,24 @@
+# odt2txt profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+private-bin odt2txt
+private-tmp
+private-dev
+private-etc none
+
+read-only ${HOME}
diff --git a/etc/okular.profile b/etc/okular.profile
index b43a5fbea..22e223cea 100644
--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -9,17 +9,17 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -nogroups +netfilter nonewprivs +nogroups noroot +nosound protocol unix seccomp -nosound +shell none +tracelog +# private-bin okular,kbuildsycoca4,kbuildsycoca5 +# private-etc X11 private-dev - -#Experimental: -#net none -#shell none -#private-bin okular,kbuildsycoca4,kbuildsycoca5 -#private-etc X11 +private-tmp
diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile
new file mode 100644
index 000000000..632c9d15e
--- /dev/null
+++ b/etc/pdftotext.profile
@@ -0,0 +1,22 @@
+# pdftotext profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+private-bin pdftotext
+private-tmp
+private-dev
+private-etc none
diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile
new file mode 100644
index 000000000..03089482b
--- /dev/null
+++ b/etc/simple-scan.profile
@@ -0,0 +1,23 @@
+# simple-scan profile
+noblacklist ~/.cache/simple-scan
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+#seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin simple-scan
+# private-tmp
+# private-dev
+# private-etc fonts
diff --git a/etc/skanlite.profile b/etc/skanlite.profile
new file mode 100644
index 000000000..6e8face75
--- /dev/null
+++ b/etc/skanlite.profile
@@ -0,0 +1,21 @@
+# skanlite profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+#seccomp
+protocol unix
+
+private-bin skanlite
+# private-dev
+# private-tmp
+# private-etc
+
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile
new file mode 100644
index 000000000..485bd8f3b
--- /dev/null
+++ b/etc/ssh-agent.profile
@@ -0,0 +1,15 @@
+# ssh-agent
+quiet
+noblacklist ~/.ssh
+noblacklist /tmp/ssh-*
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/tracker.profile b/etc/tracker.profile
new file mode 100644
index 000000000..217631216
--- /dev/null
+++ b/etc/tracker.profile
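Review bot: `protocol unix,inet,inet6` in ssh-agent.profile is broader than the agent needs: ssh-agent only listens on a Unix-domain socket and opens no network connections itself (the `noblacklist /tmp/ssh-*` line shows the author already expects that socket under /tmp), so `protocol unix` would suffice. The profile also omits `nogroups`, `nosound` and `shell none`, which almost every other profile in this commit sets; if they are left out on purpose (for instance so that `ssh-agent <command>` can still exec its child), a one-line comment saying so would keep a later cleanup from re-adding them blindly. A process holding unlocked private keys is the place where the tightest workable filter pays off.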
@@ -0,0 +1,24 @@
+# tracker profile
+
+# Tracker is started by systemd on most systems. Therefore it is not firejailed by default
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin tracker
+# private-tmp
+# private-dev
+# private-etc fonts
diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile
new file mode 100644
index 000000000..88ded649c
--- /dev/null
+++ b/etc/transmission-cli.profile
@@ -0,0 +1,24 @@
+# transmission-cli bittorrent profile
+noblacklist ${HOME}/.config/transmission
+noblacklist ${HOME}/.cache/transmission
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+net none
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+#private-bin transmission-cli
+private-tmp
+private-dev
+private-etc none
diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile
new file mode 100644
index 000000000..5e5284b34
--- /dev/null
+++ b/etc/transmission-show.profile
@@ -0,0 +1,24 @@
+# transmission-show profile
+noblacklist ${HOME}/.config/transmission
+noblacklist ${HOME}/.cache/transmission
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+net none
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin
+private-tmp
+private-dev
+private-etc none
diff --git a/etc/w3m.profile b/etc/w3m.profile
new file mode 100644
index 000000000..d765217cf
--- /dev/null
+++ b/etc/w3m.profile
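Review bot: transmission-cli.profile pairs `net none` with `protocol unix`, which leaves a BitTorrent download client with no way to reach trackers or peers, so the program cannot do its job under this profile. Unless it is deliberately meant for offline use only, the profile should give it a network it can use — drop `net none`, keep `netfilter`, and set `protocol unix,inet,inet6` — and say so in a comment either way. The same pair is right for transmission-show in this commit, since that tool only reads the .torrent file locally.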
@@ -0,0 +1,23 @@
+# w3m profile
+noblacklist ~/.w3m
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin w3m
+private-tmp
+private-dev
+private-etc none
diff --git a/etc/xfburn.profile b/etc/xfburn.profile
new file mode 100644
index 000000000..1dd24aa61
--- /dev/null
+++ b/etc/xfburn.profile
@@ -0,0 +1,23 @@
+# xfburn profile
+noblacklist ~/.config/xfburn
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin xfburn
+# private-tmp
+# private-dev
+# private-etc fonts
diff --git a/etc/xpra.profile b/etc/xpra.profile
new file mode 100644
index 000000000..8584e4e5b
--- /dev/null
+++ b/etc/xpra.profile
@@ -0,0 +1,21 @@
+# xpra profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+seccomp
+protocol unix,inet,inet6
+
+# private-bin
+private-dev
+private-tmp
+# private-etc
+
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 6377c7426..60b4e0508 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
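Review bot: w3m.profile is the only networked profile in this commit with an active `private-etc none`; elinks and lynx keep that line commented, and every other profile that uses it (atool, exiftool, mediainfo, odt2txt, pdftotext, transmission-cli, transmission-show) also sets `net none`. If `private-etc none` gives the sandbox an empty /etc, w3m would start without resolv.conf, hosts or the CA certificate directory, so name resolution and TLS verification would fail; please test it, or use the list form that okular.profile's `# private-etc X11` shows and name only the files a browser needs.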
@@ -5,13 +5,18 @@
 /etc/firejail/Telegram.profile
 /etc/firejail/Wire.profile
 /etc/firejail/abrowser.profile
+/etc/firejail/amarok.profile
+/etc/firejail/ark.profile
 /etc/firejail/atom-beta.profile
 /etc/firejail/atom.profile
+/etc/firejail/atool.profile
 /etc/firejail/atril.profile
 /etc/firejail/audacious.profile
 /etc/firejail/audacity.profile
 /etc/firejail/aweather.profile
 /etc/firejail/bitlbee.profile
+/etc/firejail/bleachbit.profile
+/etc/firejail/brasero.profile
 /etc/firejail/brave.profile
 /etc/firejail/cherrytree.profile
 /etc/firejail/chromium-browser.profile
@@ -34,17 +39,23 @@
 /etc/firejail/display.profile
 /etc/firejail/dnscrypt-proxy.profile
 /etc/firejail/dnsmasq.profile
+/etc/firejail/dolphin.profile
 /etc/firejail/dosbox.profile
+/etc/firejail/dragon.profile
 /etc/firejail/dropbox.profile
+/etc/firejail/elinks.profile
 /etc/firejail/emacs.profile
 /etc/firejail/empathy.profile
+/etc/firejail/enchant.profile
 /etc/firejail/eog.profile
 /etc/firejail/eom.profile
 /etc/firejail/epiphany.profile
 /etc/firejail/evince.profile
 /etc/firejail/evolution.profile
+/etc/firejail/exiftool.profile
 /etc/firejail/fbreader.profile
 /etc/firejail/feh.profile
+/etc/firejail/file-roller.profile
 /etc/firejail/file.profile
 /etc/firejail/filezilla.profile
 /etc/firejail/firefox-esr.profile
@@ -54,16 +65,29 @@
 /etc/firejail/flowblade.profile
 /etc/firejail/franz.profile
 /etc/firejail/gajim.profile
+/etc/firejail/gedit.profile
 /etc/firejail/gimp.profile
 /etc/firejail/git.profile
 /etc/firejail/gitter.profile
+/etc/firejail/gjs.profile
+/etc/firejail/gnome-books.profile
 /etc/firejail/gnome-chess.profile
+/etc/firejail/gnome-clocks.profile
+/etc/firejail/gnome-documents.profile
+/etc/firejail/gnome-maps.profile
 /etc/firejail/gnome-mplayer.profile
+/etc/firejail/gnome-music.profile
+/etc/firejail/gnome-photos.profile
+/etc/firejail/gnome-weather.profile
+/etc/firejail/goobox.profile
 /etc/firejail/google-chrome-beta.profile
 /etc/firejail/google-chrome-stable.profile
 /etc/firejail/google-chrome-unstable.profile
 /etc/firejail/google-chrome.profile
 /etc/firejail/google-play-music-desktop-player.profile
+/etc/firejail/gpa.profile
+/etc/firejail/gpg-agent.profile
+/etc/firejail/gpg.profile
 /etc/firejail/gpredict.profile
 /etc/firejail/gtar.profile
 /etc/firejail/gthumb.profile
@@ -72,12 +96,16 @@
 /etc/firejail/gzip.profile
 /etc/firejail/hedgewars.profile
 /etc/firejail/hexchat.profile
+/etc/firejail/highlight.profile
 /etc/firejail/icecat.profile
 /etc/firejail/icedove.profile
 /etc/firejail/iceweasel.profile
+/etc/firejail/img2txt.profile
 /etc/firejail/inkscape.profile
 /etc/firejail/inox.profile
 /etc/firejail/jitsi.profile
+/etc/firejail/k3b.profile
+/etc/firejail/kate.profile
 /etc/firejail/keepass.profile
 /etc/firejail/keepass2.profile
 /etc/firejail/keepassx.profile
@@ -96,16 +124,20 @@
 /etc/firejail/lowriter.profile
 /etc/firejail/luminance-hdr.profile
 /etc/firejail/lxterminal.profile
+/etc/firejail/lynx.profile
 /etc/firejail/mathematica.profile
 /etc/firejail/mcabber.profile
+/etc/firejail/mediainfo.profile
 /etc/firejail/midori.profile
 /etc/firejail/mpv.profile
 /etc/firejail/mumble.profile
 /etc/firejail/mupdf.profile
 /etc/firejail/mupen64plus.profile
 /etc/firejail/mutt.profile
+/etc/firejail/nautilus.profile
 /etc/firejail/netsurf.profile
 /etc/firejail/nolocal.net
+/etc/firejail/odt2txt.profile
 /etc/firejail/okular.profile
 /etc/firejail/openbox.profile
 /etc/firejail/openshot.profile
@@ -113,6 +145,7 @@
 /etc/firejail/opera.profile
 /etc/firejail/palemoon.profile
 /etc/firejail/parole.profile
+/etc/firejail/pdftotext.profile
 /etc/firejail/pidgin.profile
 /etc/firejail/pix.profile
 /etc/firejail/polari.profile
@@ -131,12 +164,15 @@
 /etc/firejail/seamonkey-bin.profile
 /etc/firejail/seamonkey.profile
 /etc/firejail/server.profile
+/etc/firejail/simple-scan.profile
+/etc/firejail/skanlite.profile
 /etc/firejail/skype.profile
 /etc/firejail/skypeforlinux.profile
 /etc/firejail/slack.profile
 /etc/firejail/snap.profile
 /etc/firejail/soffice.profile
 /etc/firejail/spotify.profile
+/etc/firejail/ssh-agent.profile
 /etc/firejail/ssh.profile
 /etc/firejail/start-tor-browser.profile
 /etc/firejail/steam.profile
@@ -147,8 +183,11 @@
 /etc/firejail/telegram.profile
 /etc/firejail/thunderbird.profile
 /etc/firejail/totem.profile
+/etc/firejail/tracker.profile
+/etc/firejail/transmission-cli.profile
 /etc/firejail/transmission-gtk.profile
 /etc/firejail/transmission-qt.profile
+/etc/firejail/transmission-show.profile
 /etc/firejail/uget-gtk.profile
 /etc/firejail/unbound.profile
 /etc/firejail/unrar.profile
@@ -159,6 +198,7 @@
 /etc/firejail/vivaldi-beta.profile
 /etc/firejail/vivaldi.profile
 /etc/firejail/vlc.profile
+/etc/firejail/w3m.profile
 /etc/firejail/warzone2100.profile
 /etc/firejail/webserver.net
 /etc/firejail/weechat-curses.profile
@@ -168,9 +208,11 @@
 /etc/firejail/wine.profile
 /etc/firejail/wire.profile
 /etc/firejail/xchat.profile
+/etc/firejail/xfburn.profile
 /etc/firejail/xiphos.profile
 /etc/firejail/xpdf.profile
 /etc/firejail/xplayer.profile
+/etc/firejail/xpra.profile
 /etc/firejail/xreader.profile
 /etc/firejail/xviewer.profile
 /etc/firejail/xz.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index d10d59657..7d7fad0a6 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -14,6 +14,8 @@ qbittorrent
 rtorrent
 transmission-gtk
 transmission-qt
+transmission-cli
+transmission-show
 uget-gtk
 # browsers/email
@@ -51,6 +53,9 @@ thunderbird
 vivaldi-beta
 vivaldi
 evolution
+elinks
+lynx
+w3m
 # chat/messaging
 bitlbee
@@ -94,21 +99,41 @@ wesnot
 warzone2100
 # Media
+amarok
 audacious
 audacity
+bleachbit
+brasero
 clementine
 cmus
 deadbeef
 display
+dolphin
+dragon
+exiftool
 feh
+gjs
+gnome-books
+gnome-clocks
+gnome-documents
+gnome-maps
 gnome-mplayer
+gnome-music
+goobox
 google-play-music-desktop-player
+img2txt
+k3b
+mediainfo
 mpv
+nautilus
 parole
 rhythmbox
+simple-scan
+skanlite
 spotify
 totem
 vlc
+xfburn
 xplayer
 xviewer
 eom
@@ -121,10 +146,13 @@ atril
 cherrytree
 evince
 fbreader
+gedit
 gimp
 gthumb
 gwenview
+highlight
 inkscape
+kate
 libreoffice
 localc
 lodraw
@@ -141,7 +169,9 @@ soffice
 synfigstudio
 Mathematica
 mathematica
+odt2txt
 okular
+pdftotext
 pix
 xpdf
 xreader
@@ -151,14 +181,40 @@ flowblade
 eog
 # other
-ssh
-atom-beta
 atom
+atom-beta
+gpa
+gpg
+# don't run ssh-agent and gpg-agent with firejail by default
+# this will break many processes using them in the background
+# ssh-agent
+# gpg-agent
+git
 ranger
 keepass
 keepass2
 keepassx
+ssh
+tracker
 xiphos
+xpra
 # weather/climate
 aweather
+gnome-weather
+
+# compressing tools
+ark
+atool
+file-roller
+
+# when used by other processes in the background, it will break stuff
+#7z
+#cpio
+#gtar
+#gzip
+#tar
+#unrar
+#unzip
+#xz
+#xzdec
-- cgit v1.2.3-54-g00ecf
From aaa9bcb02fae1eb9ffb765080d6b466f52918285 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sun, 20 Nov 2016 11:19:25 -0500
Subject: profiles

---
 README | 34 +++++++++++++++++++---------------
 etc/default.profile | 7 +++++--
 etc/mupdf.profile | 8 +++++---
 src/fseccomp/main.c | 4 ++--
 4 files changed, 31 insertions(+), 22 deletions(-)

(limited to 'src')

diff --git a/README b/README
index bd32034a3..45d021008 100644
--- a/README
+++ b/README
@@ -80,6 +80,25 @@ Fred-Barclay (https://github.com/Fred-Barclay)
 - evince profile enhancement
 - tightened Spotify profile
 - added xiphos and Tor Browser Bundle profiles
+valoq (https://github.com/valoq)
+ - lots of profile fixes
+ - added support for /srv in --whitelist feature
+ - Eye of GNOME, Evolution, display (imagemagik) and Wire profiles
+ - blacklist suid binaries in disable-common.inc
+ - fix man pages
+ - added keypass2, qemu profiles
+ - added amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, enchant, exiftool profiles
+ - added file-roller, gedit, gjs,gnome-books, gnome-documents, gnome-maps, gnome-music profiles
+ - added gnome-photos, gnome-weather, goobox, gpa, gpg, gpg-agent, highlight profiles
+ - added img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan profiles
+ - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles
+Vasya Novikov (https://github.com/vn971)
+ - Wesnoth profile
+ - Hedegewars profile
+ - manpage fixes
+ - fixed firecfg clean/clear issue
+ - found the ugliest bug so far
+ - seccomp debug description in man page
 curiosity-seeker (https://github.com/curiosity-seeker)
 - tightening unbound and dnscrypt-proxy profiles
 - dnsmasq profile
@@ -95,15 +114,6 @@ BogDan Vatra (https://github.com/bog-dan-ro)
 - zoom profile
 Impyy (https://github.com/Impyy)
 - added mumble profile
-valoq (https://github.com/valoq)
- - LibreOffice profile fixes
- - cherrytree profile fixes
- - added support for /srv in --whitelist feature
- - Eye of GNOME, Evolution, display (imagemagik) and Wire profiles
- - blacklist suid binaries in disable-common.inc
- - fix man pages
- - various profile improvements
- - added keypass2, qemu profiles
 Vadim A. Misbakh-Soloviov (https://github.com/msva)
 - profile fixes
 Rafael Cavalcanti (https://github.com/rccavalcanti)
@@ -196,12 +206,6 @@ avoidr (https://github.com/avoidr)
 - various other fixes
 Ruan (https://github.com/ruany)
 - fixed hexchat profile
-Vasya Novikov (https://github.com/vn971)
- - Wesnoth profile
- - Hedegewars profile
- - manpage fixes
- - fixed firecfg clean/clear issue
- - found the ugliest bug so far
 Matthew Gyurgyik (https://github.com/pyther)
 - rpm spec and several fixes
 Joan Figueras (https://github.com/figue)
diff --git a/etc/default.profile b/etc/default.profile
index 487e80c64..603321316 100644
--- a/etc/default.profile
+++ b/etc/default.profile
@@ -7,13 +7,16 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
-nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
-shell none
+#
+# depending on you usage, you can enable some of the commands below:
+#
+# nogroups
+# shell none
 # private-bin program
 # private-etc none
 # private-dev
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index 7116fa1a6..7f9261d8b 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
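Review bot: Removing `nogroups` and `shell none` from etc/default.profile relaxes the sandbox applied to every program that has no profile of its own, and neither the hunk nor the one-word commit message records why; a comment such as `# nogroups and shell none are opt-in here: they break <programs> — <reason>` next to the new `# nogroups` / `# shell none` lines would let the next reader judge whether the trade-off still holds. The new comment also has a typo: `# depending on you usage, you can enable some of the commands below:` should read `# depending on your usage, ...`.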
@@ -16,9 +16,6 @@ net none
 shell none
 tracelog
-#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
-
-private-bin mupdf,sh,tempfile,rm
 private-tmp
 private-dev
 private-etc fonts
@@ -26,3 +23,8 @@ private-etc fonts
 # mupdf will never write anything
 read-only ${HOME}
+#
+# Experimental:
+#
+#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
+# private-bin mupdf,sh,tempfile,rm
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index 471e0b193..2f85a786b 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -38,7 +38,7 @@ static void usage(void) {
 }
 int main(int argc, char **argv) {
-//#if 0
+#if 0
 {
 //system("cat /proc/self/status");
 int i;
@@ -46,7 +46,7 @@ for (i = 0; i < argc; i++)
 printf("*%s* ", argv[i]);
 printf("\n");
 }
-//#endif
+#endif
 if (argc < 2) {
 usage();
 return 1;
-- cgit v1.2.3-54-g00ecf
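Review bot: Dropping the active `private-bin mupdf,sh,tempfile,rm` line from the mupdf profile widens which executables are visible and runnable inside the sandbox, and the only explanation left is the `# Experimental:` header on the commented-out copy at the end of the file. A comment naming what broke, e.g. `# private-bin disabled: <observed breakage> — re-enable once fixed`, would stop the next maintainer from either re-enabling it blindly or assuming the restriction was never viable. The `seccomp.keep` list was already commented out before this change, so the effective hardening loss is confined to `private-bin`.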