hardening some profiles (#3505)
* hardening some profiles - harden and fix flameshot - wruc: frogatto, ghostwriter - harden gnome-latex - add whitelist opt-in note to keepassxc - add comment to minetest - harden openarena, tremulous, xonotic - add profile for xonotic-sdl-wrapper * followup
This commit is contained in:
parent
470effe5b3
commit
deb6c12454
14 changed files with 76 additions and 17 deletions
|
|
@ -196,4 +196,4 @@ gnome-screenshot, ripperX, sound-juicer, iagno, com.github.dahenson.agenda, gnom
|
|||
penguin-command, x2goclient, frogatto, gnome-mines, gnome-nibbles, lightsoff, ts3client_runscript.sh, warmux, ferdi, abiword,
|
||||
four-in-a-row, gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin, gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars,
|
||||
hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless, mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers,
|
||||
seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more, swell-foop, fdns, jitsi-meet-desktop, nicontine, steam-runtime, apostrophe, quadrapassel, dino-im, strawberry, hitori, bijiben, gnote, gnubik, ZeGrapher, gapplication
|
||||
seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more, swell-foop, fdns, jitsi-meet-desktop, nicontine, steam-runtime, apostrophe, quadrapassel, dino-im, strawberry, hitori, bijiben, gnote, gnubik, ZeGrapher, gapplication, xonotic-sdl-wrapper, openarena_ded
|
||||
|
|
|
|||
3
RELNOTES
3
RELNOTES
|
|
@ -36,7 +36,8 @@ firejail (0.9.63) baseline; urgency=low
|
|||
* new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski
|
||||
* new profiles: swell-foop, fdns, five-or-more, steam-runtime, jitsi-meet-desktop
|
||||
* new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im, strawberry
|
||||
* new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher, gapplication
|
||||
* new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher, xonotic-sdl-wrapper
|
||||
* new profiles: gapplication, openarena_ded
|
||||
-- netblue30 <netblue30@yahoo.com> Tue, 21 Apr 2020 08:00:00 -0500
|
||||
|
||||
firejail (0.9.62) baseline; urgency=low
|
||||
|
|
|
|||
|
|
@ -8,6 +8,7 @@ include flameshot.local
|
|||
include globals.local
|
||||
|
||||
noblacklist ${PICTURES}
|
||||
noblacklist ${HOME}/.config/Dharkael
|
||||
|
||||
include disable-common.inc
|
||||
include disable-devel.inc
|
||||
|
|
@ -18,7 +19,13 @@ include disable-programs.inc
|
|||
include disable-shell.inc
|
||||
include disable-xdg.inc
|
||||
|
||||
#whitelist ${PICTURES}
|
||||
#whitelist ${HOME}/.config/Dharkael
|
||||
whitelist /usr/share/flameshot
|
||||
#include whitelist-common.inc
|
||||
include whitelist-runuser-common.inc
|
||||
include whitelist-usr-share-common.inc
|
||||
include whitelist-var-common.inc
|
||||
|
||||
caps.drop all
|
||||
ipc-namespace
|
||||
|
|
@ -35,13 +42,15 @@ novideo
|
|||
protocol unix,inet,inet6
|
||||
seccomp
|
||||
shell none
|
||||
tracelog
|
||||
|
||||
disable-mnt
|
||||
private-bin flameshot
|
||||
private-cache
|
||||
private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,pki,resolv.conf,ssl
|
||||
private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,machine-id,pki,resolv.conf,ssl
|
||||
private-dev
|
||||
private-tmp
|
||||
|
||||
# dbus-user none
|
||||
# dbus-system none
|
||||
dbus-user filter
|
||||
dbus-user.own org.dharkael.Flameshot
|
||||
dbus-system none
|
||||
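Review bot: The opt-in whitelist lines `#whitelist ${PICTURES}`, `#whitelist ${HOME}/.config/Dharkael` and `#include whitelist-common.inc` are left with no explanation of when a user should enable them or that flameshot.local is the durable place to do so, while the keepassxc profile in this same commit gets exactly such a note. Add a comment above them along the lines of `# You can enable whitelisting for flameshot by uncommenting (or adding to your flameshot.local) the following lines.` The move from `# dbus-user none` to `dbus-user filter` with only `dbus-user.own org.dharkael.Flameshot` also deserves a one-line comment stating that this set was tested, because a screenshot tool that raises desktop notifications or a tray icon would presumably need `dbus-user.talk` entries for those services as well, and that cannot be checked from the hunk. The `machine-id` addition to `private-etc` looks like it pairs with keeping a session bus reachable; saying so in the same comment would tie the two changes together.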
|
|
|
|||
|
|
@ -20,6 +20,7 @@ mkdir ${HOME}/.frogatto
|
|||
whitelist ${HOME}/.frogatto
|
||||
whitelist /usr/share/frogatto
|
||||
include whitelist-common.inc
|
||||
include whitelist-runuser-common.inc
|
||||
include whitelist-usr-share-common.inc
|
||||
include whitelist-var-common.inc
|
||||
|
||||
|
|
|
|||
|
|
@ -24,6 +24,7 @@ whitelist /usr/share/ghostwriter
|
|||
whitelist /usr/share/mozilla-dicts
|
||||
whitelist /usr/share/texlive
|
||||
whitelist /usr/share/pandoc*
|
||||
include whitelist-runuser-common.inc
|
||||
include whitelist-usr-share-common.inc
|
||||
|
||||
apparmor
|
||||
|
|
|
|||
|
|
@ -49,3 +49,5 @@ private-cache
|
|||
private-dev
|
||||
# passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
|
||||
private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,login.defs,passwd,texlive
|
||||
|
||||
dbus-system none
|
||||
|
|
|
|||
|
|
@ -23,6 +23,17 @@ include disable-programs.inc
|
|||
include disable-shell.inc
|
||||
include disable-xdg.inc
|
||||
|
||||
# You can enable whitelisting for keepassxc by uncommenting (or adding to you keepassxc.local) the following lines.
|
||||
# If you do so, you MUST store your database under ${HOME}/Documents/KeePassXC/foo.kdbx
|
||||
#mkdir ${HOME}/Documents/KeePassXC
|
||||
#whitelist ${HOME}/Documents/KeePassXC
|
||||
# Needed for KeePassXC-Browser
|
||||
#mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
|
||||
#whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
|
||||
#mkdir ${HOME}/.config/keepassxc
|
||||
#whitelist ${HOME}/.config/keepassxc
|
||||
#include whitelist-common.inc
|
||||
|
||||
whitelist /usr/share/keepassxc
|
||||
include whitelist-usr-share-common.inc
|
||||
include whitelist-var-common.inc
|
||||
|
|
|
|||
|
|
@ -6,6 +6,9 @@ include minetest.local
|
|||
# Persistent global definitions
|
||||
include globals.local
|
||||
|
||||
# In order to save in-game screenshots to a persistent location edit ~/.minetest/minetest.conf:
|
||||
# screenshot_path = /home/<USER>/.minetest/screenshots
|
||||
|
||||
noblacklist ${HOME}/.cache/minetest
|
||||
noblacklist ${HOME}/.minetest
|
||||
|
||||
|
|
|
|||
|
|
@ -16,30 +16,35 @@ include disable-passwdmgr.inc
|
|||
include disable-programs.inc
|
||||
include disable-xdg.inc
|
||||
|
||||
mkdir ${HOME}/.openarena
|
||||
whitelist ${HOME}/.openarena
|
||||
whitelist /usr/share/openarena
|
||||
include whitelist-common.inc
|
||||
include whitelist-runuser-common.inc
|
||||
include whitelist-usr-share-common.in
|
||||
include whitelist-var-common.inc
|
||||
|
||||
apparmor
|
||||
caps.drop all
|
||||
# ipc-namespace
|
||||
# netfilter
|
||||
# nodvd
|
||||
# nogroups
|
||||
netfilter
|
||||
nodvd
|
||||
nogroups
|
||||
nonewprivs
|
||||
noroot
|
||||
notv
|
||||
# nou2f
|
||||
nou2f
|
||||
novideo
|
||||
protocol unix,inet,inet6,netlink
|
||||
seccomp
|
||||
shell none
|
||||
# tracelog
|
||||
tracelog
|
||||
|
||||
# disable-mnt
|
||||
# private-bin openarena
|
||||
disable-mnt
|
||||
private-bin bash,cut,glxinfo,grep,head,openarena,openarena_ded,quake3,zenity
|
||||
private-cache
|
||||
private-dev
|
||||
# private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg
|
||||
private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg
|
||||
private-tmp
|
||||
|
||||
# dbus-user none
|
||||
# dbus-system none
|
||||
dbus-user none
|
||||
dbus-system none
|
||||
|
|
|
|||
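--- /dev/null
+++ b/etc/profile-m-z/openarena_ded.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for openarena
+# This file is overwritten after every install/update
+
+# Redirect
+include openarena.profile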
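Review bot: The new alias profile has no `include openarena_ded.local` line, so a user cannot add local overrides for the dedicated server without editing this file, which its own header says is overwritten on every install/update; the sibling alias `xonotic-sdl-wrapper.profile` added in the same commit does include its `.local` before the redirect. Insert `include openarena_ded.local` after the header comment, mirroring that file. Note that the alias inherits the client's `dbus-user none` / `dbus-system none` and display-related settings from openarena.profile; nothing on the page shows the server needs anything different, so an alias is fine as long as that is understood.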
|
|
@ -19,7 +19,10 @@ include disable-xdg.inc
|
|||
|
||||
mkdir ${HOME}/.tremulous
|
||||
whitelist ${HOME}/.tremulous
|
||||
whitelist /usr/share/tremulous
|
||||
include whitelist-common.inc
|
||||
include whitelist-runuser-common.inc
|
||||
include whitelist-usr-share-common.inc
|
||||
include whitelist-var-common.inc
|
||||
|
||||
caps.drop all
|
||||
|
|
|
|||
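--- /dev/null
+++ b/etc/profile-m-z/xonotic-sdl-wrapper.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for xonotic
+# This file is overwritten after every install/update
+include xonotic-sdl-wrapper.local
+
+# Redirect
+include xonotic.profile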
|
|
@ -14,12 +14,17 @@ include disable-exec.inc
|
|||
include disable-interpreters.inc
|
||||
include disable-passwdmgr.inc
|
||||
include disable-programs.inc
|
||||
include disable-xdg.inc
|
||||
|
||||
mkdir ${HOME}/.xonotic
|
||||
whitelist ${HOME}/.xonotic
|
||||
whitelist /usr/share/xonotic
|
||||
include whitelist-common.inc
|
||||
include whitelist-runuser-common.inc
|
||||
include whitelist-usr-share-common.inc
|
||||
include whitelist-var-common.inc
|
||||
|
||||
apparmor
|
||||
caps.drop all
|
||||
netfilter
|
||||
nodvd
|
||||
|
|
@ -32,12 +37,17 @@ novideo
|
|||
protocol unix,inet,inet6
|
||||
seccomp
|
||||
shell none
|
||||
tracelog
|
||||
|
||||
disable-mnt
|
||||
private-bin bash,blind-id,darkplaces-glx,darkplaces-sdl,dirname,grep,ldd,netstat,ps,readlink,sh,uname,xonotic,xonotic-glx,xonotic-linux32-dedicated,xonotic-linux32-glx,xonotic-linux32-sdl,xonotic-linux64-dedicated,xonotic-linux64-glx,xonotic-linux64-sdl,xonotic-sdl
|
||||
private-cache
|
||||
private-bin basename,bash,blind-id,cut,darkplaces-glx,darkplaces-sdl,dirname,glxinfo,grep,head,ldd,netstat,ps,readlink,sed,sh,uname,xonotic,xonotic-glx,xonotic-linux32-dedicated,xonotic-linux32-glx,xonotic-linux32-sdl,xonotic-linux64-dedicated,xonotic-linux64-glx,xonotic-linux64-sdl,xonotic-sdl,xonotic-sdl-wrapper,zenity
|
||||
private-dev
|
||||
private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
|
||||
private-tmp
|
||||
|
||||
dbus-user none
|
||||
dbus-system none
|
||||
|
||||
read-only ${HOME}
|
||||
read-write ${HOME}/.xonotic
|
||||
|
|
|
|||
|
|
@ -522,6 +522,7 @@ ooffice
|
|||
ooviewdoc
|
||||
open-invaders
|
||||
openarena
|
||||
openarena_ded
|
||||
opencity
|
||||
openclonk
|
||||
openoffice.org
|
||||
|
|
@ -783,6 +784,7 @@ xmr-stak
|
|||
xonotic
|
||||
xonotic-glx
|
||||
xonotic-sdl
|
||||
xonotic-sdl-wrapper
|
||||
xournal
|
||||
xpdf
|
||||
xplayer
|
||||
|
|
|
|||