diff --git a/Makefile.in b/Makefile.in
index 143ac5975..b7629a9e5 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -93,6 +93,7 @@ realinstall:
 install -c -m 0644 .etc/disable-common.inc $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/dropbox.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/opera.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+ install -c -m 0644 .etc/opera-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/thunderbird.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/transmission-gtk.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/transmission-qt.profile $(DESTDIR)/$(sysconfdir)/firejail/.
diff --git a/README b/README
index c84e92ea7..78a2fb750 100644
--- a/README
+++ b/README
@@ -27,6 +27,7 @@ avoidr (https://github.com/avoidr)
 - whitelist fix
 - blacklist ncat, manpage fixes,
 - hostname support in profile file
+ - Google Chrome profile rework
 Bruno Nova (https://github.com/brunonova)
 - whitelist fix
 - bash arguments fix
diff --git a/RELNOTES b/RELNOTES
index 881c2883b..4d5e0e796 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,6 +1,12 @@
 firejail (0.9.35) baseline; urgency=low
 * added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat and rtorrent profiles
+ * Google Chrome profile rework
+ * added google-chrome-stable profile
+ * added google-chrome-beta profile
+ * added google-chrome-unstable profile
+ * Opera profile rework
+ * added opera-beta profile
 * added --noblacklist option
 * whitelist command enhancements
 * prevent leaking user information by modifying /home directory,
diff --git a/etc/chromium.profile b/etc/chromium.profile
index c3a7a186c..76dc6b234 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
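Review bot: Nothing in this hunk removes an install line for `.etc/chromium-common.profile`, although the commit renames that file to `etc/opera-beta.profile`; if realinstall still carries `install -c -m 0644 .etc/chromium-common.profile $(DESTDIR)/$(sysconfdir)/firejail/.` on one of the lines outside this hunk, `make install` will now fail on a missing source file (the rest of the realinstall recipe is not visible here). The `platform/debian/conffiles` hunk later in this diff has the same shape: it adds `/etc/firejail/opera-beta.profile` and drops no old path. Please check both files for the old name and remove any stale entry, or confirm it was never listed.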
@@ -1,4 +1,15 @@
 # Chromium browser profile
 noblacklist ${HOME}/.config/chromium
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+
+# chromium is distributed with a perl script on Arch
+# include /etc/firejail/disable-devel.inc
+#
+
+netfilter
+whitelist ${DOWNLOADS}
 whitelist ~/.config/chromium
-include /etc/firejail/chromium-common.profile
+whitelist ~/.cache/chromium
+include /etc/firejail/whitelist-common.inc
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 177588f5b..fdb3e552b 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -11,8 +11,11 @@ blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.sylpheed-2.0
 blacklist ${HOME}/.config/midori
 blacklist ${HOME}/.config/opera
+blacklist ${HOME}/.config/opera-beta
 blacklist ${HOME}/.config/chromium
 blacklist ${HOME}/.config/google-chrome
+blacklist ${HOME}/.config/google-chrome-beta
+blacklist ${HOME}/.config/google-chrome-unstable
 blacklist ${HOME}/.filezilla
 blacklist ${HOME}/.config/filezilla
 blacklist ${HOME}/.local/share/systemd
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile
index 0f7078adc..6122876bf 100644
--- a/etc/google-chrome-beta.profile
+++ b/etc/google-chrome-beta.profile
@@ -1,4 +1,16 @@
-# Chromium browser profile
+# Google Chrome beta browser profile
 noblacklist ${HOME}/.config/google-chrome-beta
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+
+# chromium is distributed with a perl script on Arch
+# include /etc/firejail/disable-devel.inc
+#
+
+netfilter
+whitelist ${DOWNLOADS}
 whitelist ~/.config/google-chrome-beta
-include /etc/firejail/chromium-common.profile
+whitelist ~/.cache/google-chrome-beta
+include /etc/firejail/whitelist-common.inc
+
diff --git a/etc/google-chrome-stable.profile b/etc/google-chrome-stable.profile
index 3cc58c4d2..78c8ca6e5 100644
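Review bot: The ten lines inserted between `noblacklist ${HOME}/.config/chromium` and `whitelist ~/.config/chromium` (the three `disable-*.inc` includes, the commented-out disable-devel block, `netfilter`, `whitelist ${DOWNLOADS}`) are duplicated byte-for-byte in google-chrome-beta.profile, google-chrome-unstable.profile and google-chrome.profile in this same diff, which is exactly the repetition the removed `include /etc/firejail/chromium-common.profile` used to avoid. Any future hardening of the Chromium-family profiles now has to be applied four times and can silently diverge. google-chrome-stable.profile in this commit already shows the include-a-sibling pattern; a shared `.inc` holding the common lines, included from each browser profile, would keep the per-browser files down to their `noblacklist`/`whitelist` lines.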
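Review bot: None of the `~/.cache/<browser>` directories that the reworked profiles now whitelist (`~/.cache/chromium`, `~/.cache/google-chrome-beta`, `~/.cache/opera-beta` and so on) gets a `blacklist` entry in this hunk, although their `~/.config` counterparts do. If the purpose of this block is to keep one sandboxed application from reading another browser's on-disk state, the cache (typically fetched page content) is a gap; the `todo` hunk at the end of this diff appears to record the same open question. Either add matching `blacklist ${HOME}/.cache/opera-beta` style lines for each browser listed here, or add a short comment stating why cache directories are intentionally left readable.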
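Review bot: The comment `# chromium is distributed with a perl script on Arch` and the commented-out `# include /etc/firejail/disable-devel.inc` were copied from the Chromium profile into a Google Chrome profile, where the Arch packaging rationale does not apply, so this profile skips disable-devel.inc (presumably development tooling, judging by the name) for no reason that holds for Chrome; opera-beta.profile in this same commit does include it. The same copied block appears in google-chrome-unstable.profile and google-chrome.profile on the next line of this diff. Either enable `include /etc/firejail/disable-devel.inc` in the three Chrome profiles, or replace the copied comment with a reason that is actually true for Chrome.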
--- a/etc/google-chrome-stable.profile
+++ b/etc/google-chrome-stable.profile
@@ -1,4 +1,2 @@
-# Chromium browser profile
-noblacklist ${HOME}/.config/google-chrome
-whitelist ~/.config/google-chrome
-include /etc/firejail/chromium-common.profile
+# Google Chrome browser profile
+include /etc/firejail/google-chrome.profile
diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile
index db184419d..7b8b12d04 100644
--- a/etc/google-chrome-unstable.profile
+++ b/etc/google-chrome-unstable.profile
@@ -1,4 +1,16 @@
-# Chromium browser profile
+# Google Chrome unstable browser profile
 noblacklist ${HOME}/.config/google-chrome-unstable
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+
+# chromium is distributed with a perl script on Arch
+# include /etc/firejail/disable-devel.inc
+#
+
+netfilter
+whitelist ${DOWNLOADS}
 whitelist ~/.config/google-chrome-unstable
-include /etc/firejail/chromium-common.profile
+whitelist ~/.cache/google-chrome-unstable
+include /etc/firejail/whitelist-common.inc
+
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile
index 3cc58c4d2..351490d7f 100644
--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -1,4 +1,15 @@
-# Chromium browser profile
+# Google Chrome browser profile
 noblacklist ${HOME}/.config/google-chrome
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+
+# chromium is distributed with a perl script on Arch
+# include /etc/firejail/disable-devel.inc
+#
+
+netfilter
+whitelist ${DOWNLOADS}
 whitelist ~/.config/google-chrome
-include /etc/firejail/chromium-common.profile
+whitelist ~/.cache/google-chrome
+include /etc/firejail/whitelist-common.inc
diff --git a/etc/chromium-common.profile b/etc/opera-beta.profile
similarity index 54%
rename from etc/chromium-common.profile
rename to etc/opera-beta.profile
index 25eab0707..c1672abce 100644
--- a/etc/chromium-common.profile
+++ b/etc/opera-beta.profile
@@ -1,12 +1,13 @@
-# Chromium browser profile
+# Opera-beta browser profile
+noblacklist ${HOME}/.config/opera-beta
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
-
-# chromium is distributed with a perl script on Arch
-# include /etc/firejail/disable-devel.inc
-#
-
+include /etc/firejail/disable-devel.inc
 netfilter
+whitelist ~/.config/opera-beta
 whitelist ${DOWNLOADS}
+whitelist ~/.cache/opera-beta
 include /etc/firejail/whitelist-common.inc
+
+
diff --git a/etc/opera.profile b/etc/opera.profile
index 34a034a17..a76806ed0 100644
--- a/etc/opera.profile
+++ b/etc/opera.profile
@@ -1,10 +1,13 @@
-# Chromium browser profile
+# Opera browser profile
 noblacklist ${HOME}/.config/opera
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 netfilter
-noroot
+whitelist ~/.config/opera
+whitelist ${DOWNLOADS}
+whitelist ~/.cache/opera
+include /etc/firejail/whitelist-common.inc
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index ea17a121e..bda064f60 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -14,6 +14,7 @@
 /etc/firejail/disable-mgmt.inc
 /etc/firejail/firefox.profile
 /etc/firejail/opera.profile
+/etc/firejail/opera-beta.profile
 /etc/firejail/thunderbird.profile
 /etc/firejail/transmission-gtk.profile
 /etc/firejail/transmission-qt.profile
diff --git a/todo b/todo
index 863a34fe4..fe82248b8 100644
--- a/todo
+++ b/todo
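Review bot: The renamed profile has no `noroot` line, and the opera.profile hunk further along this diff line removes the `noroot` that Opera's profile had, with no replacement and no mention in RELNOTES; as far as I know that is the option that confines the sandbox to a single-user user namespace, so dropping it weakens the Opera sandbox rather than reworking it. Unless there is a known Opera breakage with `noroot`, keep it in opera.profile and add `noroot` after `netfilter` here as well; if it does break Opera, a one-line comment giving the reason belongs next to the removal. Separately, this hunk appends two empty lines at the end of the file, which can be dropped.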
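Review bot: Only `/etc/firejail/opera-beta.profile` is added to the Debian conffiles list, while the `google-chrome-beta.profile`, `google-chrome-unstable.profile` and `google-chrome-stable.profile` files this commit reworks do not appear in the visible lines between `firefox.profile` and `opera.profile`, where a sorted list would place them, and the renamed-away `chromium-common.profile` is not removed. If those profiles are not listed elsewhere in the file, dpkg will treat them as ordinary package files and overwrite local edits on upgrade, which defeats the point of shipping editable profiles under /etc. Please reconcile the rest of conffiles with the install list in Makefile.in before this lands.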
@@ -143,15 +143,4 @@ dr-x------ 2 65534 65534 40 Nov 24 17:53 .mozilla 19. Try --overlay on a Ubuntu 14.04 32bit.Without adding --dns, there will be no network connectivity - see issue 151 -20. Check this out: - -I was messing around with my fstab, and found out that firejail can't have /usr/bin mounted in read-only. - Here's what my fstab looks like now: - -/dev/mapper/asdf-home /home ext4 nosuid,noatime,nodev 0 2 -/dev/mapper/asdf-opt /opt ext4 discard,noatime,nosuid 0 2 -/dev/mapper/asdf-usr--bin /usr/bin ext4 defaults,nosuid,noatime,rw 0 2 -/dev/mapper/asdf-usr--local /usr/local ext4 defaults,nosuid,noatime,ro 0 2 -/dev/mapper/asdf-usr--sbin /usr/sbin ext4 defaults,nosuid,,noatime,ro 0 2 -/dev/mapper/asdf-var /var ext4 discard,noatime,nodev,nosuid 0 2 -tmpfs /tmp tmpfs noatime,nosuid,nodev,size=2G 0 1 +20. blacklist ~/.cache in disable-common.inc???