From 8768270650960ff42dd20009e6fab48bfd73047b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E0=B2=9A=E0=B2=BF=E0=B2=B0=E0=B2=BE=E0=B2=97=E0=B3=8D=20?= =?UTF-8?q?=E0=B2=A8=E0=B2=9F=E0=B2=B0=E0=B2=BE=E0=B2=9C=E0=B3=8D?=
Date: Thu, 24 Jan 2019 03:34:02 +0000
Subject: [PATCH] Update profiles to use XDG config dirs, even in the case of applications which don't normally follow those (you may have to change paths if you don't use this)
---
 Viber.profile | 3 +-
 chromium.profile | 3 +-
 elinks.profile | 2 +-
 emacs.profile | 16 ++++-----
 firefox.profile | 10 +++---
 freecadcmd.profile | 4 ---
 git.profile | 10 +++---
 mpd.profile | 6 ++--
 mutt.profile | 31 ++++++++---------
 newsboat.profile | 3 +-
 private-profile.sh | 57 ++++++++++++++++++++++++++++----
 private-profiles/firefox.private | 4 +--
 ssh.profile | 4 +--
 virtualbox.profile | 2 +-
 x-terminal-emulator.profile | 5 +--
 15 files changed, 98 insertions(+), 62 deletions(-)
diff --git a/Viber.profile b/Viber.profile
index 11ff4bad..811ac003 100644
--- a/Viber.profile
+++ b/Viber.profile
@@ -6,9 +6,10 @@ ignore memory-deny-write-execute
 include ${HOME}/.config/firejail/common.inc
-mkdir ${HOME}/.ViberPC
+mkdir ${HOME}/.config/ViberPC
 whitelist ${HOME}/.ViberPC
+whitelist ${HOME}/.config/ViberPC
 whitelist ${DOWNLOADS}
 private-bin sh,dig,awk,xdg-mime,cut,touch,mv
diff --git a/chromium.profile b/chromium.profile
index ff7cec66..806829a1 100644
--- a/chromium.profile
+++ b/chromium.profile
@@ -14,7 +14,7 @@ mkdir ${HOME}/.config/chromium
 whitelist ${HOME}/.config/chromium
 whitelist ${HOME}/.themes
-whitelist ${HOME}/.gtkrc-2.0
+whitelist ${HOME}/.config/gtk-3.0
 whitelist ${DOWNLOADS}
@@ -37,3 +37,4 @@ private-etc fonts,alternatives,X11,pulse,resolv.conf,localtime,chromium.d
 # whitelist /dev/zero
 caps.keep sys_chroot,sys_admin
+blacklist /usr/share/fonts/truetype/unifont
diff --git a/elinks.profile b/elinks.profile
index b589d588..717e76d0 100644
--- a/elinks.profile
+++ b/elinks.profile
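Review bot: `whitelist ${HOME}/.ViberPC` survives next to the new mkdir/whitelist pair for `${HOME}/.config/ViberPC`, so a still-existing legacy directory stays exposed to the sandbox even though nothing creates it any more. Either drop the line once the migration is done or mark it deliberate with a comment such as `# legacy path kept until ViberPC is migrated`. The same pattern appears in emacs.profile (`whitelist ${HOME}/.emacs.d` kept while its mkdir is removed) and in mutt.profile (`whitelist ${HOME}/.gnupg` kept beside the new `.config/gnupg` line).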
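Review bot: `blacklist /usr/share/fonts/truetype/unifont` is added with no reason given, and the identical line is added to firefox.profile in this commit. A one-line comment, e.g. `# unifont: <reason>`, would keep the intent from being lost, and since both profiles include common.inc the blacklist probably belongs there once rather than in each profile (common.inc is not in the diff, so I cannot confirm it fits).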
@@ -3,7 +3,7 @@ ignore net none
 include ${HOME}/.config/firejail/common.inc
 whitelist ${DOWNLOADS}
-whitelist ${HOME}/.elinks
+whitelist ${HOME}/.config/elinks
 private-bin elinks
 private-lib
diff --git a/emacs.profile b/emacs.profile
index 449d2b3c..215fe28b 100644
--- a/emacs.profile
+++ b/emacs.profile
@@ -1,5 +1,5 @@
 ignore private-tmp
-ignore private-dev
+ignore noexec ${HOME}
 include ${HOME}/.config/firejail/common.inc
@@ -9,22 +9,18 @@ include ${HOME}/.config/firejail/common.inc
 whitelist /tmp/user/1000/
 whitelist /tmp/.X11-unix/
-mkfile ${HOME}/.emacs
-mkdir ${HOME}/.emacs.d
-mkdir ${HOME}/emacs_tmp/
+mkdir ${HOME}/.config/emacs
 whitelist ${DOWNLOADS}
 whitelist ${DOCUMENTS}
-whitelist ${HOME}/.emacs
 whitelist ${HOME}/.emacs.d
+whitelist ${HOME}/.config/emacs
 whitelist ${HOME}/.config/gtk-3.0
-whitelist ${HOME}/.gnupg
-whitelist ${HOME}/.git
-whitelist ${HOME}/mpd/socket
-whitelist ${HOME}/texmf
-whitelist ${HOME}/emacs_tmp
+whitelist ${HOME}/.local/share/fonts
+whitelist ${HOME}/.local/share/texmf
 keep-var-tmp
 writable-var
 writable-run-user
 keep-dev-shm
+
diff --git a/firefox.profile b/firefox.profile
index 543e2366..407a4dd4 100644
--- a/firefox.profile
+++ b/firefox.profile
@@ -6,9 +6,10 @@ ignore memory-deny-write-execute
 include ${HOME}/.config/firejail/common.inc
-mkdir ${HOME}/.mozilla/firefox
+mkdir ${HOME}/.config/mozilla/firefox
-whitelist ${HOME}/.mozilla/firefox
+# whitelist ${HOME}/.mozilla
+whitelist ${HOME}/.config/mozilla/firefox
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.pulse
 whitelist ${HOME}/.cache/mozilla/firefox
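Review bot: `ignore noexec ${HOME}` in the first emacs.profile hunk makes files under the home directory executable inside the sandbox, a real relaxation for a program that loads third-party packages, and the line gives no reason. State it on the line, e.g. `# noexec ${HOME} disabled: <reason>`, so the next reader can judge whether a narrower path would do. The swap also removes `ignore private-dev`, so whatever private-dev setting common.inc carries (not in the diff) presumably now applies to emacs; worth confirming it still has the device nodes it needs.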
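Review bot: `# whitelist ${HOME}/.mozilla` in the firefox.profile hunk is a commented-out directive with no explanation, which leaves the reader guessing whether it is a leftover or an intentional toggle. Firefox does not look in `.config/mozilla` by itself, so the useful comment here is how the new location is reached (a profiles.ini entry, a symlink or an environment setting — none of that is visible in the diff), e.g. `# firefox is pointed at .config/mozilla via <mechanism>`; otherwise delete the dead line.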
@@ -16,9 +17,9 @@ whitelist ${HOME}/.config/pulse
 whitelist ${HOME}/.config/gtk-3.0
 whitelist ${HOME}/.gtkrc-2.0
 whitelist ${HOME}/.gtkrc.mine
-whitelist ${HOME}/.themes
+whitelist ${HOME}/.local/share/themes
-private-bin firefox,firefox-esr,which,sh,env
+private-bin firefox,firefox-esr,which,sh,env,bash
 private-etc hosts,passwd,mime.types,fonts,mailcap,firefox,xdg,gtk-3.0,X11,pulse,alternatives,localtime,nsswitch.conf,resolv.conf
 # Disabled for now because it crashes certain sites
@@ -32,3 +33,4 @@ private-etc hosts,passwd,mime.types,fonts,mailcap,firefox,xdg,gtk-3.0,X11,pulse,
 # whitelist /usr/share/zoneinfo
 # whitelist /usr/share/locale
 # whitelist /usr/share/glib-2.0
+blacklist /usr/share/fonts/truetype/unifont
diff --git a/freecadcmd.profile b/freecadcmd.profile
index 41cfd3fa..4bc519bf 100644
--- a/freecadcmd.profile
+++ b/freecadcmd.profile
@@ -1,5 +1 @@
-# Firejail profile alias for freecad
-# This file is overwritten after every install/update
-
-
 include ${HOME}/.config/firejail/freecad.profile
diff --git a/git.profile b/git.profile
index 99b56841..da2a227e 100644
--- a/git.profile
+++ b/git.profile
@@ -2,13 +2,13 @@ ignore blacklist /usr/share/
 include ${HOME}/.config/firejail/ssh.profile
 whitelist ${DOCUMENTS}
-whitelist ${HOME}/.gitconfig
-whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.config/git
+whitelist ${HOME}/.config/gnupg
 whitelist ${HOME}/.password-store
-private-bin git,git-receive-pack,git-shell,git-upload-archive,git-upload-pack,gpg
-private-etc ssl
-private-lib git-core,libcurl-gnutls.so.4,libexpat.so.1,ssl,x86_64-linux-gnu/sasl2,nss,libdb-5.3.so,libcrypt-2.27.so,libcrypto.so.1.1
+private-bin git,git-receive-pack,git-shell,git-upload-archive,git-upload-pack,gpg,pager
+private-etc ssl,alternatives,terminfo
+private-lib git-core,libcurl-gnutls.so.4,libexpat.so.1,ssl,x86_64-linux-gnu/sasl2,nss,libdb-5.3.so,libcrypt-2.27.so,libcrypto.so.1.1,terminfo
 whitelist /usr/share/git-core
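Review bot: `bash` is appended to private-bin in the second firefox.profile hunk without a stated reason, which widens the set of interpreters reachable from the browser sandbox. If a wrapper script needs it, name it on the line, e.g. `# bash: required by <script>`, so the entry can be removed when that dependency goes away. In the same hunk `.themes` moves to `${HOME}/.local/share/themes`, while chromium.profile in this commit still whitelists `${HOME}/.themes`, so the two profiles now disagree on where themes live.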
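Review bot: Replacing `whitelist ${HOME}/.gnupg` with `${HOME}/.config/gnupg` in git.profile assumes gpg will look there, but gpg locates its home through `GNUPGHOME`, not XDG; unless that variable reaches the sandbox, gpg falls back to `~/.gnupg`, which is no longer whitelisted, so commit signing fails or starts from an empty keyring. mutt.profile in this commit keeps both paths, so the two profiles diverge. Either keep both here as well or record the requirement, e.g. `# gpg: expects GNUPGHOME to point at ${HOME}/.config/gnupg`.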
diff --git a/mpd.profile b/mpd.profile
index c0ffe602..d54cb2de 100644
--- a/mpd.profile
+++ b/mpd.profile
@@ -1,11 +1,11 @@
 include ${HOME}/.config/firejail/common.inc
 mkdir ${HOME}/mpd
-mkfile ${HOME}/.mpdconf
+mkfile ${HOME}/.config/mpd/mpd.conf
 whitelist ${MUSIC}
-whitelist ${HOME}/mpd
-whitelist ${HOME}/.mpdconf
+whitelist ${HOME}/.local/share/mpd
+whitelist ${HOME}/.config/mpd/
 whitelist ${HOME}/.config/pulse/
 whitelist ${HOME}/.pulse/
 read-only ${MUSIC}
diff --git a/mutt.profile b/mutt.profile
index 972ef0ac..5f400ef0 100644
--- a/mutt.profile
+++ b/mutt.profile
@@ -1,24 +1,20 @@
 ignore private-tmp
 ignore private-dev
-ignore net
+ignore net none
 include ${HOME}/.config/firejail/common.inc
-mkdir ${HOME}/.mutt
-mkdir ${HOME}/.muttrc
-mkdir ${HOME}/.mutt_cache
-mkdir ${HOME}/.signatures
-
-whitelist ${HOME}/.mutt
-whitelist ${HOME}/.muttrc
-whitelist ${HOME}/.mutt_certificates
-whitelist ${HOME}/.signatures
-whitelist ${HOME}/.mailcap
-whitelist ${HOME}/sent
-whitelist ${HOME}/.mutt_cache
+mkdir ${HOME}/.config/mutt
+mkdir ${HOME}/.config/mutt/muttrc
+mkdir ${HOME}/.config/mutt/mutt_cache
+mkdir ${HOME}/.config/mutt/signatures
+
+whitelist ${HOME}/.config/mutt
+whitelist ${HOME}/.config/mailcap
 whitelist ${HOME}/Mail
 whitelist ${HOME}/.gnupg
-whitelist ${HOME}/.rolo
+whitelist ${HOME}/.config/gnupg
+whitelist ${HOME}/.config/rolo
 whitelist ${DOWNLOADS}
 whitelist /tmp/user/1000/emacs1000/
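Review bot: The unchanged `mkdir ${HOME}/mpd` no longer matches any whitelist in mpd.profile: the whitelist moved to `${HOME}/.local/share/mpd` but the mkdir did not, so the new directory is never created on first run while an unused `~/mpd` still is. Change it to `mkdir ${HOME}/.local/share/mpd`, and add `mkdir ${HOME}/.config/mpd` ahead of the new `mkfile ${HOME}/.config/mpd/mpd.conf` unless mkfile is known to create missing parent directories (I cannot confirm that from the diff).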
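Review bot: `mkdir ${HOME}/.config/mutt/muttrc` creates a directory at the path where mutt expects its configuration file, so a missing muttrc is masked by an empty directory instead of surfacing as an error; if muttrc is a file here, this should be `mkfile ${HOME}/.config/mutt/muttrc` (the removed `mkdir ${HOME}/.muttrc` had the same problem). Separately, `whitelist ${HOME}/.mutt_certificates` is dropped with no replacement under `.config/mutt`; if mutt's `certificate_file` still points at the old location, accepted TLS certificates are written to the sandbox tmpfs and lost, so the trust-on-first-use check silently stops persisting — confirm the setting moved along with the file.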
@@ -27,9 +23,10 @@ whitelist /tmp/user/1000/mutt1000/
 # Enhance security
 private-bin sh,dash,mutt,mutt_dotlock,bash,emacsclient,emacsclient.emacs25,elinks,gpg,gpg-agent,gpgsm,pinentry,dig,awk,pinentry-gtk-2,mutt_vc_query
-private-lib x86_64-linux-gnu/sasl2,nss,libdb-5.3.so,libcrypt-2.27.so,libcrypto.so.1.1,gconv,libapparmor.so.1,libtinfo.so.6,libtic.so.6,terminfo
+# private-lib x86_64-linux-gnu/sasl2,nss,libdb-5.3.so,libcrypt-2.27.so,libcrypto.so.1.1,gconv,libapparmor.so.1,libtinfo.so.6,libtic.so.6,terminfo
 whitelist /usr/share/locale
+whitelist /usr/share/zoneinfo
 whitelist /dev/stdout
 whitelist /dev/stdin
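Review bot: Commenting out `private-lib ...` removes the library restriction for the whole mutt profile instead of fixing whatever was missing from the list, and the line says nothing about why it was disabled — this sits directly under `# Enhance security`, which now reads as misleading. Prefer adding the missing entry to the list; if it has to stay off for now, say so on the line, e.g. `# private-lib disabled: <library> missing, re-enable once found`.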
@@ -39,8 +36,8 @@ whitelist /dev/random
 whitelist /dev/null
 whitelist /dev/tty
-private-etc Muttrc.d,Muttrc,alternatives,resolv.conf,ssl,mime.types
+private-etc Muttrc.d,Muttrc,alternatives,resolv.conf,ssl,mime.types,localtime
-seccomp.keep open,access,prctl,fstat,mmap,write,read,close,munmap,chown,unshare,fcntl,execve,brk,mprotect,arch_prctl,getpid,getuid,getgid,geteuid,getegid,rt_sigprocmask,rt_sigaction,uname,stat,getppid,getpgrp,getrlimit,getpeername,set_tid_address,set_robust_list,futex,getrusage,umask,ioctl,socket,connect,lseek,getsid,pipe,clone,dup2,wait4,openat,rt_sigreturn,getdents,exit_group,faccessat,lstat,pread64,pwrite64,ftruncate,select,unlink,mkdir,link,rmdir,alarm,readlink,sendto,fdatasync,recvfrom,chmod,getcwd,setrlimit,utime,mlock,clock_gettime,setresgid,chdir,fsync,nanosleep,poll,sendmmsg,bind,getsockname,recvmsg,writev,mremap,rename,truncate,sched_yield,sysinfo,kill,sendmsg,setresuid,setsid,listen,pselect6,accept,getsockopt,tgkill,madvise,exit,statfs,getrandom,fchmod,fchown,gettid,sigaltstack,epoll_create,getgroups,epoll_ctl,rt_sigsuspend,setsockopt,epoll_wait,inotify_init,inotify_add_watch,prlimit64,getresuid,getresgid,dup,eventfd2,munlock,fstatfs,fadvise64,shmget,shmat,shmctl,shmdt,symlink,restart_syscall,getdents64
+seccomp.keep open,access,prctl,fstat,mmap,write,read,close,munmap,chown,unshare,fcntl,execve,brk,mprotect,arch_prctl,getpid,getuid,getgid,geteuid,getegid,rt_sigprocmask,rt_sigaction,uname,stat,getppid,getpgrp,getrlimit,getpeername,set_tid_address,set_robust_list,futex,getrusage,umask,ioctl,socket,connect,lseek,getsid,pipe,clone,dup2,wait4,openat,rt_sigreturn,getdents,exit_group,faccessat,lstat,pread64,pwrite64,ftruncate,select,unlink,mkdir,link,rmdir,alarm,readlink,sendto,fdatasync,recvfrom,chmod,getcwd,setrlimit,utime,mlock,clock_gettime,setresgid,chdir,fsync,nanosleep,poll,sendmmsg,bind,getsockname,recvmsg,writev,mremap,rename,truncate,sched_yield,sysinfo,kill,sendmsg,setresuid,setsid,listen,pselect6,accept,getsockopt,tgkill,madvise,exit,statfs,getrandom,fchmod,fchown,gettid,sigaltstack,epoll_create,getgroups,epoll_ctl,rt_sigsuspend,setsockopt,epoll_wait,inotify_init,inotify_add_watch,prlimit64,getresuid,getresgid,dup,eventfd2,munlock,fstatfs,fadvise64,shmget,shmat,shmctl,shmdt,symlink,restart_syscall,getdents64,pipe2,readlinkat,timerfd_create
 writable-run-user
diff --git a/newsboat.profile b/newsboat.profile
index 6a651727..5b0b1107 100644
--- a/newsboat.profile
+++ b/newsboat.profile
@@ -3,7 +3,8 @@ ignore private-tmp
 include ${HOME}/.config/firejail/common.inc
-whitelist ${HOME}/.newsboat
+whitelist ${HOME}/.config/newsboat
+whitelist ${HOME}/.local/share/newsboat
 whitelist /tmp/user/1000/
 whitelist /tmp/.X11-unix/X0
diff --git a/private-profile.sh b/private-profile.sh
index 2edad497..cc716a4a 100755
--- a/private-profile.sh
+++ b/private-profile.sh
@@ -1,18 +1,37 @@
 #!/bin/bash
 private=0
+privlib=0
+use_systemd=0
 name=""
 copy=0
 netns=""
 rmprof=0
+to_copy=()
+evvars=()
-set -ue
+exitm()
+{
+ echo "$1"
+ rmprof
+ exit 1
+}
+
+rmprof()
+{
+ if [[ "$rmprof" -eq 1 && -n "${profile+x}" ]]
+ then
+ rm -r "${profile}"
+ fi
+}
+
+set -e
 while getopts "p:tcn:" arg
 do
 case ${arg} in
 p)
- profile=${OPTARG}
+ profile="${OPTARG}"
 name=$(basename "$profile")
 ;;
 t)
@@ -22,7 +41,7 @@ do
 copy=1
 ;;
 n)
- netns=${OPTARG}
+ netns="${OPTARG}"
 ;;
 *)
 exit 1
@@ -37,6 +56,11 @@ varfile="$1"
 shift
+if [[ -z "${progname:+x}" || -z "${profiledir:+x}" ]]
+then
+ exitm '$progname and $profiledir must be specified and cannot be empty strings!'
+fi
+
 vpncmd()
 {
 systemctl -q is-active openvpn@us3-TCP-chaanakya && netns="" || netns="$netns"
@@ -49,6 +73,10 @@ fjargs=( "--nowhitelist=${profiledir}" )
 if [ "$privlib" -eq 1 ]
 then
+ if [[ -z "${genlib+x}" || -z "${libdir+x}" ]]
+ then
+ exitm '$genlib and $libdir must all be set for $privlib!'
+ fi
 . "$genlib"
 libs=$(compile_list "${libdir}" "${extralibs}")
 fjargs+=( "--private-lib=$libs" )
@@ -58,6 +86,10 @@ fi
 if [ "$private" -eq 1 ]
 then
+ if [[ -z "${destdir+x}" ]]
+ then
+ exitm '$destdir must be specified (even if it is an empty string)!'
+ fi
 nprofile=$(mktemp -d -p "${profiledir}")
 name=$(basename "$nprofile")
 if [ "${destdir}" != "" ]
@@ -67,6 +99,10 @@ then
 rmprof=1
 if [ "$copy" -eq 1 ]
 then
+ if [[ -z "${profile+x}" ]]
+ then
+ exitm 'A profile must be specified on the command-line if copying is enabled!'
+ fi
 for i in "${tocopy[@]}"
 do
 cp -R "${profile}"/"${i}" "${nprofile}"/"${destdir}"/"${i}"
@@ -75,6 +111,11 @@ then
 profile="$nprofile"
 fi
+if [[ -z "${profile+x}" ]]
+then
+ exitm 'Either $profile must be specified on the command-line or a temporary profile must be requested!'
+fi
+
 sprogname=$(basename "${progname}")
 fjargs+=( "--whitelist=${profile}" "--name=${sprogname}-${name}" )
@@ -91,6 +132,11 @@ do
 fjargs+=( "--env=${i}" )
 done
+if [[ -z "${progargs+x}" || -z "${rprogargs+x}" ]]
+then
+ exitm '$progargs and $rprogargs must be specified (even if as empty arrays)!'
+fi
+
 cmd="${firejail} ${fjargs[*]} -- ${progname} $(eval echo "${progargs[@]}")"
 rcmd="${progname} $(eval echo "${rprogargs[@]}")"
@@ -115,7 +161,4 @@ fi
 # Remove profile if asked
-if [ "$rmprof" -eq 1 ]
-then
- rm -r "${profile}"
-fi
+rmprof
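Review bot: The guard added in the @@ -49 hunk checks `genlib` and `libdir` but not `extralibs`, which the unchanged line two below passes to `compile_list`; now that `-u` is gone from `set`, an unset `extralibs` silently becomes an empty argument instead of aborting. Extend the test to `if [[ -z "${genlib+x}" || -z "${libdir+x}" || -z "${extralibs+x}" ]]`, or give `extralibs` an explicit empty default at the top of the script. The message also says "must all be set" while naming only two variables, so the wording should match whichever set is checked.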
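Review bot: `-z "${progargs+x}"` in the @@ -91 hunk cannot accept the empty arrays its own message allows: in bash an array name without a subscript refers to element 0, so after `progargs=()` the expansion `${progargs+x}` is empty and the script exits with '$progargs and $rprogargs must be specified (even if as empty arrays)!'. Test whether the variables are declared instead, e.g. `if ! declare -p progargs >/dev/null 2>&1 || ! declare -p rprogargs >/dev/null 2>&1`, which succeeds for a declared-but-empty array. The scalar checks elsewhere in the commit (`profile`, `destdir`, `genlib`) are unaffected by this.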
diff --git a/private-profiles/firefox.private b/private-profiles/firefox.private
index 0f8ba69e..10fc7509 100644
--- a/private-profiles/firefox.private
+++ b/private-profiles/firefox.private
@@ -1,9 +1,9 @@
 libdir=/usr/lib/firefox
 extralibs="nss,pulseaudio,nvidia,python3.6,gconv,libpulse.so.0,libFLAC.so.8,libogg.so.0,libopus.so.0,libvorbis.so.0,libvorbisenc.so.2,libavcodec.so.57,libavutil.so.55,libcrystalhd.so.3,libdrm.so.2,libGL.so.1,libnss_resolve.so.2,libnss_systemd.so.2"
-genlib=~/scripts/gen_libraries
+genlib=~/bin/gen_libraries
 privlib=1
 use_systemd=1
-profiledir=~/.mozilla/firefox/
+profiledir=~/.config/mozilla/firefox/
 tocopy=( extensions browser-extension-data extension-preferences.json extension-settings.json extensions.json prefs.js gmp gmp-widevinecdm gmp-gmpopenh264 search.json.mozlz4 pluginreg.dat )
 destdir=""
 progname="firefox"
diff --git a/ssh.profile b/ssh.profile
index 44ed868a..de601b52 100644
--- a/ssh.profile
+++ b/ssh.profile
@@ -3,7 +3,7 @@ ignore net none
 include ${HOME}/.config/firejail/common.inc
 whitelist ${DOWNLOADS}
-whitelist ${HOME}/.ssh
+whitelist ${HOME}/.local/share/ssh
 writable-run-user
 join-or-start ssh
@@ -13,5 +13,3 @@ private-etc ssh,resolv.conf,nsswitch.conf,hosts,passwd
 private-lib openssh
 blacklist /usr/share/
-
-quiet
diff --git a/virtualbox.profile b/virtualbox.profile
index 9a9a577c..dd7bb060 100644
--- a/virtualbox.profile
+++ b/virtualbox.profile
@@ -14,7 +14,7 @@ mkdir ${HOME}/.config/VirtualBox
 mkfile ${HOME}/.config/Trolltech.conf
 whitelist ${DOWNLOADS}
-whitelist ${HOME}/VirtualBox_VMs
+whitelist ${HOME}/.local/share/vms/vbox
 whitelist ${HOME}/.config/VirtualBox
 whitelist ${HOME}/.gtkrc-2.0
 whitelist ${HOME}/.gtkrc.mine
diff --git a/x-terminal-emulator.profile b/x-terminal-emulator.profile
index ac991134..81af98ad 100644
--- a/x-terminal-emulator.profile
+++ b/x-terminal-emulator.profile
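Review bot: `whitelist ${HOME}/.local/share/ssh` replaces `~/.ssh` in the first ssh.profile hunk, but OpenSSH has no XDG lookup of its own, so unless the client is pointed at the new directory (via `-F`, `IdentityFile` and `UserKnownHostsFile`, none of which is visible here) the sandbox simply has no `~/.ssh`. The practical effect is that known_hosts is written to the sandbox's tmpfs home and discarded on exit, so host-key trust-on-first-use stops persisting and every host looks new on each connection. A comment recording how ssh is redirected, e.g. `# ssh config lives in ${HOME}/.local/share/ssh; invoked with -F <config path>` (example wording), or keeping `whitelist ${HOME}/.ssh` alongside, would make the dependency explicit. git.profile includes this file and therefore inherits the same behaviour.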
@@ -1,7 +1,5 @@
 ignore nodbus
 ignore private-tmp
-ignore private-dev
-ignore nou2f
 ignore memory-deny-write-execute
 ignore noexec ${HOME}
@@ -9,3 +7,6 @@ include ${HOME}/.config/firejail/common.inc
 whitelist /tmp/user/1000
 whitelist /tmp/.X11-unix/
+
+writable-run-user
+keep-dev-shm
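Review bot: `writable-run-user` and `keep-dev-shm` in the second x-terminal-emulator.profile hunk relax whatever common.inc sets for the terminal (its contents are not in the diff) and carry no explanation, so a later reader cannot tell which program inside the terminal needed them. One comment per line, e.g. `# keep-dev-shm: <reason>` and `# writable-run-user: <reason>`, would keep the intent recoverable and make it clear these are not leftovers from debugging.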