Merge pull request #891 from valoq/master

various changes
2026-05-21 06:45:29 -06:00 · 2016-11-05 09:19:33 -04:00 · 2016-11-05 09:19:33 -04:00 · 8464a84343
commit 8464a84343
parent 15298f20af 5cf192650b
20 changed files with 31 additions and 23 deletions
--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@ -15,7 +15,6 @@ seccomp

 shell none
 private-bin deluge,sh,python,uname
-whitelist /tmp/.X11-unix
 private-dev
-nosound
+private-tmp

--- a/etc/eog.profile
+++ b/etc/eog.profile
@ -12,6 +12,7 @@ netfilter
 nogroups
 nonewprivs
 noroot
+nosound
 protocol unix
 seccomp
 shell none
--- a/etc/evince.profile
+++ b/etc/evince.profile
@ -5,6 +5,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc

 caps.drop all
+netfilter
+net none
 nogroups
 nonewprivs
 noroot
@ -16,3 +18,5 @@ tracelog

 private-bin evince,evince-previewer,evince-thumbnailer
 private-dev
+private-etc fonts
+private-tmp
--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@ -17,6 +17,7 @@ netfilter
 nogroups
 nonewprivs
 noroot
+nosound
 protocol unix,inet,inet6
 seccomp
 shell none
--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@ -16,6 +16,5 @@ seccomp

 shell none
 private-bin fbreader,FBReader
-whitelist /tmp/.X11-unix
 private-dev
-nosound
+private-tmp
--- a/etc/feh.profile
+++ b/etc/feh.profile
@ -16,6 +16,6 @@ seccomp
 shell none

 private-bin feh
-whitelist /tmp/.X11-unix
 private-dev
 private-etc feh
+private-tmp
--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@ -17,5 +17,4 @@ shell none

 private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp
 private-dev
-
-whitelist /tmp/.X11-unix
+private-tmp
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@ -47,4 +47,8 @@ whitelist ~/.config/pipelight-silverlight5.1
 include /etc/firejail/whitelist-common.inc

 # experimental features
-#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+
+private-bin firefox,which,sh,dbus-launch,dbus-send,env
+private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
+private-dev
+private-tmp
--- a/etc/gthumb.profile
+++ b/etc/gthumb.profile
@ -17,5 +17,5 @@ shell none
 tracelog

 private-bin gthumb
-whitelist /tmp/.X11-unix
 private-dev
+private-tmp
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@ -12,12 +12,16 @@ nosound
 protocol unix
 seccomp
 netfilter
+net none
 shell none
 tracelog

+seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
+
 private-bin mupdf
 private-tmp
 private-dev
+private-etc fonts

 # mupdf will never write anything
 read-only ${HOME}
--- a/etc/pix.profile
+++ b/etc/pix.profile
@ -18,5 +18,5 @@ shell none
 tracelog

 private-bin pix
-whitelist /tmp/.X11-unix
 private-dev
+private-tmp
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@ -16,5 +16,4 @@ seccomp
 #shell none
 #private-bin qbittorrent
 private-dev
-
-whitelist /tmp/.X11-unix
+private-tmp
--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@ -14,5 +14,5 @@ seccomp

 shell none
 private-bin rtorrent
-whitelist /tmp/.X11-unix
 private-dev
+private-tmp
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@ -19,5 +19,4 @@ tracelog

 private-bin transmission-gtk
 private-dev
-
-whitelist /tmp/.X11-unix
+private-tmp
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@ -19,5 +19,4 @@ tracelog

 private-bin transmission-qt
 private-dev
-
-whitelist /tmp/.X11-unix
+private-tmp
--- a/etc/uget-gtk.profile
+++ b/etc/uget-gtk.profile
@ -16,8 +16,8 @@ shell none

 private-bin uget-gtk
 private-dev
+private-tmp

-whitelist /tmp/.X11-unix
 whitelist ${DOWNLOADS}
 mkdir ~/.config/uGet
 whitelist ~/.config/uGet
--- a/etc/wesnoth.profile
+++ b/etc/wesnoth.profile
@ -15,8 +15,7 @@ protocol unix,inet,inet6
 seccomp

 private-dev
-
-whitelist /tmp/.X11-unix
+private-tmp

 mkdir ${HOME}/.local/share/wesnoth
 mkdir ${HOME}/.config/wesnoth
--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@ -8,6 +8,7 @@ include /etc/firejail/disable-passwdmgr.inc

 caps.drop all
 netfilter
+net none
 nogroups
 nonewprivs
 noroot
@ -19,7 +20,7 @@ protocol unix
 private-bin zathura
 private-dev
 private-etc fonts
-whitelist /tmp/.X11-unix
+private-tmp

 read-only ~/
 read-write ~/.local/share/zathura/
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@ -200,7 +200,7 @@ filesystem, and copy the files and directories in the list.
 All modifications are discarded when the sandbox is closed.
 .TP
 \fBprivate-tmp
-Mount an empty temporary filesystem on top of /tmp directory.
+Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
 .TP
 \fBread-only file_or_directory
 Make directory or file read-only.
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@ -1180,7 +1180,7 @@ nsswitch.conf,passwd,resolv.conf

 .TP
 \fB\-\-private-tmp
-Mount an empty temporary filesystem on top of /tmp directory.
+Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
 .br

 .br