private-etc: groups modified

netblue30 2023-02-05 20:48:48 -05:00
parent 5d0822c52c
commit 0f996ea4de
45 changed files with 93 additions and 61 deletions


@ -49,7 +49,7 @@ disable-mnt
private-bin anki,python*
private-cache
private-dev
private-etc @tls-ca,@x11,Trolltech.conf
private-etc @tls-ca,@x11
private-tmp
dbus-user none


@ -52,7 +52,7 @@ tracelog
private-bin celluloid,env,gnome-mpv,python*,youtube-dl
private-cache
private-etc @tls-ca,@x11,libva.conf,pkcs11,selinux
private-etc @tls-ca,@x11,libva.conf,pkcs11
private-dev
private-tmp


@ -70,7 +70,7 @@ private-bin chatterino,cvlc,env,ffmpeg,mpv,nvlc,pgrep,python*,qvlc,rvlc,streamli
# private-cache may cause issues with mpv (see #2838)
private-cache
private-dev
private-etc @tls-ca,@x11,dbus-1,rpc,services,Trolltech.conf
private-etc @tls-ca,@x11,dbus-1,rpc,services
private-srv none
private-tmp


@ -54,7 +54,7 @@ private-bin bash,dolphin-emu,dolphin-emu-x11,sh
private-cache
# Add the next line to your dolphin-emu.local if you do not need controller support.
#private-dev
private-etc @tls-ca,@x11,bumblebee,gconf,glvnd,host.conf,mime.types,rpc,services,Trolltech.conf
private-etc @tls-ca,@x11,bumblebee,gconf,glvnd,host.conf,mime.types,rpc,services
private-opt none
private-tmp


@ -69,7 +69,7 @@ tracelog
# disable-mnt
private-cache
private-dev
private-etc @tls-ca,@x11,gnupg,groups,hosts.conf,mailname,selinux,timezone
private-etc @tls-ca,@x11,gnupg,groups,hosts.conf,mailname,timezone
private-tmp
# encrypting and signing email
writable-run-user


@ -53,7 +53,7 @@ disable-mnt
private-bin equalx,gs,pdflatex,pdftocairo
private-cache
private-dev
private-etc @x11,equalx,equalx.conf,latexmk.conf,papersize,texlive,Trolltech.conf
private-etc @x11,equalx,equalx.conf,latexmk.conf,papersize,texlive
private-tmp
dbus-user none


@ -47,7 +47,7 @@ disable-mnt
# private-bin falkon
private-cache
private-dev
private-etc @tls-ca,@x11,adobe,mailcap,mime.types,selinux
private-etc @tls-ca,@x11,adobe,mailcap,mime.types
private-tmp
# dbus-user filter


@ -46,7 +46,7 @@ disable-mnt
private-bin fractal
private-cache
private-dev
private-etc @tls-ca,@x11,host.conf,mime.types,selinux
private-etc @tls-ca,@x11,host.conf,mime.types
private-tmp
dbus-user filter


@ -51,7 +51,7 @@ private-bin context,gettext,ghostwriter,latex,mktexfmt,pandoc,pdflatex,pdfroff,p
private-cache
private-dev
# passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
private-etc @tls-ca,@x11,dbus-1,firejail,gconf,groups,host.conf,mime.types,rpc,services,texlive,Trolltech.conf
private-etc @tls-ca,@x11,dbus-1,firejail,gconf,groups,host.conf,mime.types,rpc,services,texlive
private-tmp
dbus-user filter


@ -69,7 +69,7 @@ tracelog
private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed
private-cache
private-dev
private-etc @tls-ca,@x11,gitconfig,host.conf,mime.types,selinux,ssh
private-etc @tls-ca,@x11,gitconfig,host.conf,mime.types,ssh
private-tmp
writable-run-user


@ -41,7 +41,7 @@ tracelog
# private-bin calls a file manager - whatever is installed!
#private-bin env,gio-launch-desktop,gnome-music,python*,yelp
private-dev
private-etc @x11,selinux
private-etc @x11
private-tmp
restrict-namespaces


@ -49,7 +49,7 @@ disable-mnt
private-bin homebank
private-cache
private-dev
private-etc @tls-ca,@x11,mime.types,selinux
private-etc @tls-ca,@x11,mime.types
private-tmp
dbus-user none


@ -48,7 +48,7 @@ disable-mnt
# private-bin kazam,python*
private-cache
private-dev
private-etc @x11,selinux
private-etc @x11
private-tmp
dbus-system none


@ -67,7 +67,7 @@ tracelog
private-bin kube,sink_synchronizer
private-cache
private-dev
private-etc @tls-ca,@x11,selinux
private-etc @tls-ca,@x11
private-tmp
writable-run-user


@ -56,7 +56,7 @@ disable-mnt
#private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim
private-cache
private-dev
private-etc @x11,groff,man_db.conf,manpath.config,selinux,sysless
private-etc @x11,groff,man_db.conf,manpath.config,sysless
#private-tmp
dbus-user none


@ -51,7 +51,7 @@ tracelog
disable-mnt
private-cache
private-dev
private-etc @tls-ca,@x11,mime.types,selinux
private-etc @tls-ca,@x11,mime.types
private-tmp
dbus-user none


@ -50,7 +50,7 @@ private-cache
private-dev
# If multiplayer or realms break, add 'private-etc <your-own-java-folder-from-/etc>'
# or 'ignore private-etc' to your minecraft-launcher.local.
private-etc @tls-ca,@x11,host.conf,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-14-openjdk,java-7-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,mime.types,selinux,services,timezone
private-etc @tls-ca,@x11,host.conf,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-14-openjdk,java-7-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,mime.types,services,timezone
private-opt minecraft-launcher
private-tmp


@ -53,7 +53,7 @@ disable-mnt
private-bin minitube
private-cache
private-dev
private-etc @tls-ca,@x11,host.conf,mime.types,selinux
private-etc @tls-ca,@x11,host.conf,mime.types
private-tmp
dbus-user none


@ -53,7 +53,7 @@ disable-mnt
private-bin ldconfig,mirage
private-cache
private-dev
private-etc @tls-ca,@x11,host.conf,mime.types,selinux
private-etc @tls-ca,@x11,host.conf,mime.types
private-tmp
dbus-user none


@ -49,7 +49,7 @@ disable-mnt
private-bin musictube
private-cache
private-dev
private-etc @tls-ca,@x11,host.conf,mime.types,selinux
private-etc @tls-ca,@x11,host.conf,mime.types
private-tmp
dbus-user none


@ -124,7 +124,7 @@ tracelog
# disable-mnt
private-cache
private-dev
private-etc @tls-ca,@x11,gai.conf,gnupg,gnutls,hosts.conf,mail,mailname,Mutt,Muttrc,Muttrc.d,nntpserver,terminfo
private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gai.conf,gnupg,gnutls,hosts.conf,mail,mailname,nntpserver,terminfo
private-tmp
writable-run-user
writable-var


@ -53,7 +53,7 @@ tracelog
disable-mnt
private-bin neochat
private-dev
private-etc @tls-ca,@x11,dbus-1,host.conf,mime.types,rpc,services,Trolltech.conf
private-etc @tls-ca,@x11,dbus-1,host.conf,mime.types,rpc,services
private-tmp
dbus-user filter


@ -116,7 +116,7 @@ tracelog
# disable-mnt
private-cache
private-dev
private-etc @tls-ca,@x11,gnupg,hosts.conf,mail,mailname,Mutt,Muttrc,Muttrc.d,neomuttrc,neomuttrc.d,nntpserver
private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gnupg,hosts.conf,mail,mailname,neomuttrc,neomuttrc.d,nntpserver
private-tmp
writable-run-user
writable-var


@ -61,7 +61,7 @@ tracelog
disable-mnt
private-bin nextcloud,nextcloud-desktop
private-cache
private-etc @tls-ca,@x11,host.conf,Nextcloud,os-release,selinux
private-etc @tls-ca,@x11,Nextcloud,host.conf,os-release
private-dev
private-tmp


@ -47,7 +47,7 @@ disable-mnt
private-bin nheko
private-cache
private-dev
private-etc @tls-ca,@x11,host.conf,mime.types,selinux
private-etc @tls-ca,@x11,host.conf,mime.types
private-tmp
dbus-user filter


@ -18,7 +18,7 @@ whitelist ${HOME}/.config/nuclear
no3d
# private-bin nuclear
private-etc @tls-ca,@x11,host.conf,mime.types,selinux
private-etc @tls-ca,@x11,host.conf,mime.types
private-opt nuclear
# Redirect


@ -49,7 +49,7 @@ disable-mnt
private-cache
private-bin onboard,python*,tput
private-dev
private-etc @x11,dbus-1,mime.types,selinux
private-etc @x11,dbus-1,mime.types
private-tmp
dbus-system none


@ -42,7 +42,7 @@ disable-mnt
private-bin bash,cut,glxinfo,grep,head,openarena,openarena_ded,quake3,zenity
private-cache
private-dev
private-etc @games,@x11,selinux,udev
private-etc @games,@x11,udev
private-tmp
dbus-user none


@ -52,7 +52,7 @@ tracelog
private-bin bsatool,esmtool,niftest,openmw,openmw-cs,openmw-essimporter,openmw-iniimporter,openmw-launcher,openmw-wizard
private-cache
private-dev
private-etc @x11,bumblebee,glvnd,mime.types,openmw,Trolltech.conf
private-etc @x11,bumblebee,glvnd,mime.types,openmw
private-opt none
private-tmp


@ -52,7 +52,7 @@ disable-mnt
private-bin bash,otter-browser,sh,which
private-cache
?BROWSER_DISABLE_U2F: private-dev
private-etc @tls-ca,@x11,mailcap,mime.types,selinux
private-etc @tls-ca,@x11,mailcap,mime.types
private-tmp
dbus-system none


@ -70,7 +70,7 @@ disable-mnt
private-bin getopt,psi
private-cache
private-dev
private-etc @tls-ca,@x11,selinux
private-etc @tls-ca,@x11
private-tmp
dbus-user none


@ -40,7 +40,7 @@ seccomp
disable-mnt
private-bin bash,env,ldconfig,pybitmessage,python*,sh,stat
private-dev
private-etc @tls-ca,@x11,PyBitmessage,PyBitmessage.conf,selinux,sni-qt.conf,system-fips,Trolltech.conf
private-etc @tls-ca,@x11,PyBitmessage,PyBitmessage.conf,sni-qt.conf,system-fips
private-tmp
restrict-namespaces


@ -52,7 +52,7 @@ tracelog
private-bin 7z,7zr,qcomicbook,rar,sh,tar,unace,unrar,unzip
private-cache
private-dev
private-etc @x11,mime.types,Trolltech.conf
private-etc @x11,mime.types
private-tmp
dbus-user none


@ -51,7 +51,7 @@ tracelog
disable-mnt
private-cache
private-dev
private-etc @tls-ca,QGIS,QGIS.conf,Trolltech.conf
private-etc @tls-ca,@x11,QGIS,QGIS.conf
private-tmp
dbus-user none
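Review bot: The rewritten private-etc line gains `@x11`, which the original line did not carry, assuming the second line is the new side as the commit's move of Trolltech.conf into etc_group_x11 suggests. That swaps one file (Trolltech.conf) for the whole x11 group (the visible members alone include kde5rc, nvidia, pango, X11 and xdg), so this profile's /etc exposure widens while every other profile in this commit only drops entries. If QGIS genuinely needs the X11 configuration set this is fine, but it looks like an artefact of the cleanup tool rather than a deliberate choice and deserves confirmation. If the broader group is not wanted, keep the single file explicitly: `private-etc @tls-ca,QGIS,QGIS.conf,Trolltech.conf`.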


@ -46,7 +46,7 @@ disable-mnt
private-bin quaternion
private-cache
private-dev
private-etc @tls-ca,@x11,host.conf,mime.types,selinux
private-etc @tls-ca,@x11,host.conf,mime.types
private-tmp
dbus-user none


@ -47,7 +47,7 @@ disable-mnt
private-bin bash,mono,mono-sgen,sh,smuxi-frontend-gnome
private-cache
private-dev
private-etc @tls-ca,@x11,mono,selinux
private-etc @tls-ca,@x11,mono
private-tmp
dbus-user none


@ -45,7 +45,7 @@ disable-mnt
private-cache
private-bin spectral
private-dev
private-etc @tls-ca,@x11,host.conf,mime.types,selinux
private-etc @tls-ca,@x11,host.conf,mime.types
private-tmp
dbus-user filter


@ -53,7 +53,7 @@ tracelog
private-bin trojita
private-cache
private-dev
private-etc @tls-ca,@x11,selinux
private-etc @tls-ca,@x11
private-tmp
dbus-user filter


@ -18,7 +18,7 @@ mkdir ${HOME}/.config/Twitch
whitelist ${HOME}/.config/Twitch
private-bin electron,electron[0-9],electron[0-9][0-9],twitch
private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types,selinux
private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types
private-opt Twitch
# Redirect


@ -17,7 +17,7 @@ mkdir ${HOME}/.config/Youtube
whitelist ${HOME}/.config/Youtube
private-bin electron,electron[0-9],electron[0-9][0-9],youtube
private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types,selinux
private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types
private-opt Youtube
# Redirect


@ -14,7 +14,7 @@ mkdir ${HOME}/.config/youtubemusic-nativefier-040164
whitelist ${HOME}/.config/youtubemusic-nativefier-040164
private-bin electron,electron[0-9],electron[0-9][0-9],youtubemusic-nativefier
private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types,selinux
private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types
private-opt youtubemusic-nativefier
# Redirect


@ -14,7 +14,7 @@ mkdir ${HOME}/.config/youtube-music-desktop-app
whitelist ${HOME}/.config/youtube-music-desktop-app
# private-bin env,ytmdesktop
private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types,selinux
private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types
# private-opt
# Redirect


@ -60,7 +60,7 @@ disable-mnt
private-bin zeal
private-cache
private-dev
private-etc @tls-ca,@x11,host.conf,mime.types,rpc,services,Trolltech.conf
private-etc @tls-ca,@x11,host.conf,mime.types,rpc,services
private-tmp
dbus-user filter


@ -39,6 +39,7 @@ static char *etc_list[ETC_MAX + 1] = { // plus 1 for ending NULL pointer
"login.defs", // firejail reading UID/GID MIN and MAX at startup
"nsswitch.conf",
"passwd",
"selinux",
NULL
};
@ -89,6 +90,7 @@ static char *etc_group_x11[] = {
"kde5rc",
"nvidia", // 3D
"pango", // text rendering/internationalization
"Trolltech.conf", // old QT config file
"X11",
"xdg",
NULL
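Review bot: The new `"selinux"` entry in etc_list is the only entry in its neighbourhood without a why-comment, while `"login.defs"` directly above documents who reads it and why. If etc_list is the set mounted for every private-etc sandbox, as the `ETC_MAX + 1` sizing comment on the array header suggests, this entry broadens the /etc view of every sandbox at once rather than of the individual profiles it is removed from, which deserves a one-line rationale next to it, e.g. `"selinux", // SELinux config dir; presumably read by libselinux-linked programs at startup - confirm`. In the second hunk the comment on `"Trolltech.conf"` could name the toolkit by its usual spelling: `"Trolltech.conf", // legacy Qt config file`. Both arrays begin before their hunks.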


@ -38,6 +38,8 @@ static int arr_x11 = 0;
static int arr_games = 0;
static char outbuf[256 * 1024];
static char *outptr;
static int arg_replace = 0;
static int arg_debug = 0;
void outprintf(char* fmt, ...) {
va_list args;
@ -78,6 +80,17 @@ static void arr_add(const char *fname) {
arr_cnt++;
}
int arr_cmp(const void *p1, const void *p2) {
char **ptr1 = (char **) p1;
char **ptr2 = (char **) p2;
return strcmp(*ptr1, *ptr2);
}
static void arr_sort(void) {
qsort(&arr[0], arr_cnt, sizeof(char *), arr_cmp);
}
static void arr_clean(void) {
int i;
for (i = 0; i < arr_cnt; i++) {
@ -119,7 +132,7 @@ static void process_file(const char *fname) {
FILE *fp = fopen(fname, "r");
if (!fp) {
fprintf(stderr, "Error: cannot open profile file\n");
fprintf(stderr, "Error: cannot open %s file\n", fname);
exit(1);
}
@ -133,10 +146,11 @@ static void process_file(const char *fname) {
int print = 0;
while (fgets(line, MAX_BUF, fp)) {
cnt++;
if (strncmp(line, "private-etc ", 12) != 0) {
if (strncmp(line, "private-etc", 11) != 0) {
outprintf("%s", line);
continue;
}
strcpy(orig_line,line);
char *ptr = strchr(line, '\n');
if (ptr)
@ -158,6 +172,8 @@ static void process_file(const char *fname) {
ptr = strtok(ptr, ",");
while (ptr) {
if (arg_debug)
printf("%s\n", ptr);
if (arr_check(ptr, &etc_list[0]));
else if (arr_check(ptr, &etc_group_sound[0]));
else if (arr_check(ptr, &etc_group_network[0]));
@ -179,34 +195,36 @@ static void process_file(const char *fname) {
ptr = strtok(NULL, ",");
}
arr_sort();
char *last_line = arr_print();
if (strcmp(last_line, orig_line) == 0) {
fclose(fp);
return;
}
printf("\n********************\n%s\n\n%s\n%s\n", fname, orig_line, last_line);
printf("\n********************\nfile: %s\n\nold: %s\nnew: %s\n", fname, orig_line, last_line);
print = 1;
}
fclose(fp);
if (print) {
// printf("Replace? (Y/N): ", fname);
// fgets(line, MAX_BUF, stdin);
// if (*line == 'y' || *line == 'Y') {
fp = fopen(fname, "w");
if (!fp) {
fprintf(stderr, "Error: cannot open profile file\n");
exit(1);
}
fprintf(fp, "%s", outbuf);
fclose(fp);
// }
if (print && arg_replace) {
fp = fopen(fname, "w");
if (!fp) {
fprintf(stderr, "Error: cannot open profile file\n");
exit(1);
}
fprintf(fp, "%s", outbuf);
fclose(fp);
}
}
static void usage(void) {
printf("usage: cleanup-etc file.profile\n");
printf("usage: cleanup-etc [options] file.profile [file.profile]\n");
printf("Group and clean private-etc entries in one or more profile files.\n");
printf("Options:\n");
printf(" --debug - print debug messages\n");
printf(" --help - this help screen\n");
printf(" --replace - replace profile file\n");
}
int main(int argc, char **argv) {
@ -218,13 +236,25 @@ int main(int argc, char **argv) {
int i;
for (i = 1; i < argc; i++) {
if (strcmp(argv[i], "-h") == 0) {
if (strcmp(argv[i], "-h") == 0 ||
strcmp(argv[i], "-?") == 0 ||
strcmp(argv[i], "--help") == 0) {
usage();
return 0;
}
else if (strcmp(argv[i], "--debug") == 0)
arg_debug = 1;
else if (strcmp(argv[i], "--replace") == 0)
arg_replace = 1;
else if (*argv[i] == '-') {
fprintf(stderr, "Error: invalid program option %s\n", argv[i]);
return 1;
}
else
break;
}
for (i = 1; i < argc; i++)
for (; i < argc; i++)
process_file(argv[i]);
return 0;