From 5bb73dbcddca0c73f1689a0a2f7a07dc1c2388ad Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Wed, 21 Dec 2022 23:35:59 +0000 Subject: [PATCH] seahorse refactoring (#5543) * seahorse: fixes and hardening * seahorse-daemon: hardening * seahorse-tool: move private-etc items to seahorse * seahorse: unbreak nautilus file encryption As suggested [in review](https://github.com/netblue30/firejail/pull/5543#pullrequestreview-1225250520). * seahorse-tool: move private-tmp to seahorse * seahorse: add private-tmp * seahorse: fix access to ssh-agent socket --- etc/profile-m-z/seahorse-daemon.profile | 3 +++ etc/profile-m-z/seahorse-tool.profile | 4 ---- etc/profile-m-z/seahorse.profile | 6 +++--- 3 files changed, 6 insertions(+), 7 deletions(-) diff --git a/etc/profile-m-z/seahorse-daemon.profile b/etc/profile-m-z/seahorse-daemon.profile index 6410da4d8..b3ead7191 100644 --- a/etc/profile-m-z/seahorse-daemon.profile +++ b/etc/profile-m-z/seahorse-daemon.profile @@ -8,6 +8,9 @@ include seahorse-daemon.local # added by included profile #include globals.local +blacklist ${RUNUSER}/wayland-* +include disable-X11.inc + memory-deny-write-execute # Redirect diff --git a/etc/profile-m-z/seahorse-tool.profile b/etc/profile-m-z/seahorse-tool.profile index 9ef174606..e5c9e6b10 100644 --- a/etc/profile-m-z/seahorse-tool.profile +++ b/etc/profile-m-z/seahorse-tool.profile @@ -7,9 +7,5 @@ include seahorse-tool.local # added by included profile #include globals.local -# private-etc workaround for: #2877 -private-etc alternatives,firejail,ld.so.cache,ld.so.preload,login.defs,passwd -private-tmp - # Redirect include seahorse.profile diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile index 0b7232cc4..e6f51bff9 100644 --- a/etc/profile-m-z/seahorse.profile +++ b/etc/profile-m-z/seahorse.profile @@ -6,8 +6,6 @@ include seahorse.local # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix - noblacklist ${HOME}/.gnupg # Allow ssh (blacklisted by disable-common.inc) @@ -59,12 +57,14 @@ tracelog disable-mnt private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11 +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,login.defs,nsswitch.conf,pango,passwd,pkcs11,pki,protocols,resolv.conf,rpc,services,ssh,ssl,xdg +private-tmp writable-run-user dbus-user filter dbus-user.own org.gnome.seahorse dbus-user.own org.gnome.seahorse.Application +dbus-user.talk ca.desrt.dconf dbus-user.talk org.freedesktop.secrets dbus-system none