Add profiles for tar (gtar), unzip and unrar

I've tested compression and uncompression of various tar formats and also straced unzip/unrar regarding their file access in /etc. -> should be fine. If you want to unpack files in /usr/bin, then use the --ignore=private-bin switch. Same for /etc: --ignore=private-etc
netblue30 · Jul 30, 2016 · 2d60937 · 2d60937
1 parent 8643c07
commit 2d60937
Show file tree

Hide file tree

Showing 8 changed files with 46 additions and 0 deletions.
diff --git a/Makefile.in b/Makefile.in
@@ -144,6 +144,7 @@ realinstall:
  install -c -m 0644 .etc/google-chrome.profile $(DESTDIR)/$(sysconfdir)/firejail/.
  install -c -m 0644 .etc/google-play-music-desktop-player.profile $(DESTDIR)/$(sysconfdir)/firejail/.
  install -c -m 0644 .etc/gpredict.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+ install -c -m 0644 .etc/gtar.profile $(DESTDIR)/$(sysconfdir)/firejail/.
  install -c -m 0644 .etc/gthumb.profile $(DESTDIR)/$(sysconfdir)/firejail/.
  install -c -m 0644 .etc/gwenview.profile $(DESTDIR)/$(sysconfdir)/firejail/.
  install -c -m 0644 .etc/gzip.profile $(DESTDIR)/$(sysconfdir)/firejail/.
@@ -201,13 +202,16 @@ realinstall:
  install -c -m 0644 .etc/steam.profile $(DESTDIR)/$(sysconfdir)/firejail/.
  install -c -m 0644 .etc/stellarium.profile $(DESTDIR)/$(sysconfdir)/firejail/.
  install -c -m 0644 .etc/strings.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+ install -c -m 0644 .etc/tar.profile $(DESTDIR)/$(sysconfdir)/firejail/.
  install -c -m 0644 .etc/telegram.profile $(DESTDIR)/$(sysconfdir)/firejail/.
  install -c -m 0644 .etc/thunderbird.profile $(DESTDIR)/$(sysconfdir)/firejail/.
  install -c -m 0644 .etc/totem.profile $(DESTDIR)/$(sysconfdir)/firejail/.
  install -c -m 0644 .etc/transmission-gtk.profile $(DESTDIR)/$(sysconfdir)/firejail/.
  install -c -m 0644 .etc/transmission-qt.profile $(DESTDIR)/$(sysconfdir)/firejail/.
  install -c -m 0644 .etc/uget-gtk.profile $(DESTDIR)/$(sysconfdir)/firejail/.
  install -c -m 0644 .etc/unbound.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+ install -c -m 0644 .etc/unrar.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+ install -c -m 0644 .etc/unzip.profile $(DESTDIR)/$(sysconfdir)/firejail/.
  install -c -m 0644 .etc/uudeview.profile $(DESTDIR)/$(sysconfdir)/firejail/.
  install -c -m 0644 .etc/vivaldi-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/.
  install -c -m 0644 .etc/vivaldi.profile $(DESTDIR)/$(sysconfdir)/firejail/.

diff --git a/README b/README
@@ -34,6 +34,7 @@ Peter Hogg (https://github.com/pigmonkey)
 Thomas Jarosch (https://github.com/thomasjfox)
  - disable keepassx in disable-passwdmgr.inc
  - added uudeview profile
+ - added tar (gtar), unzip and unrar profile
  - improved profile list
 Niklas Haas (https://github.com/haasn)
  - blacklisting for keybase.io's client

diff --git a/README.md b/README.md
@@ -156,4 +156,5 @@ Browsers: Palemoon
 ## New security profiles
 
 Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview
+tar (gtar), unzip, unrar
 
diff --git a/etc/gtar.profile b/etc/gtar.profile
@@ -0,0 +1 @@
+include /etc/firejail/tar.profile
diff --git a/etc/tar.profile b/etc/tar.profile
@@ -0,0 +1,13 @@
+# tar profile
+include /etc/firejail/default.profile
+
+tracelog
+net none
+shell none
+
+# support compressed archives
+private-bin tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop
+private-dev
+private-etc passwd,group,localtime
+hostname tar
+nosound
diff --git a/etc/unrar.profile b/etc/unrar.profile
@@ -0,0 +1,11 @@
+# unrar profile
+include /etc/firejail/default.profile
+
+tracelog
+net none
+shell none
+private-bin unrar
+private-dev
+private-etc passwd,group,localtime
+hostname unrar
+nosound
diff --git a/etc/unzip.profile b/etc/unzip.profile
@@ -0,0 +1,11 @@
+# unzip profile
+include /etc/firejail/default.profile
+
+tracelog
+net none
+shell none
+private-bin unzip
+private-dev
+private-etc passwd,group,localtime
+hostname unzip
+nosound
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
@@ -50,6 +50,7 @@
 /etc/firejail/google-chrome.profile
 /etc/firejail/google-play-music-desktop-player.profile
 /etc/firejail/gpredict.profile
+/etc/firejail/gtar.profile
 /etc/firejail/gthumb.profile
 /etc/firejail/gwenview.profile
 /etc/firejail/gzip.profile
@@ -108,13 +109,16 @@
 /etc/firejail/steam.profile
 /etc/firejail/stellarium.profile
 /etc/firejail/strings.profile
+/etc/firejail/tar.profile
 /etc/firejail/telegram.profile
 /etc/firejail/thunderbird.profile
 /etc/firejail/totem.profile
 /etc/firejail/transmission-gtk.profile
 /etc/firejail/transmission-qt.profile
 /etc/firejail/uget-gtk.profile
 /etc/firejail/unbound.profile
+/etc/firejail/unrar.profile
+/etc/firejail/unzip.profile
 /etc/firejail/uudeview.profile
 /etc/firejail/vivaldi-beta.profile
 /etc/firejail/vivaldi.profile