Add profile templates

Create etc/templates * profile.template * redirect_alias-profile.template * syscalls.txt * Notes
kmk3 · May 30, 2019 · cb98aea · cb98aea
1 parent 360b066
commit cb98aea
Show file tree

Hide file tree

Showing 6 changed files with 172 additions and 18 deletions.
diff --git a/README b/README
@@ -566,24 +566,9 @@ rusty-snake (https://github.com/rusty-snake)
 	- added profiles: kid3-qt, kid3-cli, anki, utox, mp3splt, mp3wrap
 	- added profiles: oggsplt, flacsplt, cheese, inkview, mp3splt-gtk
 	- added profiles: ktouch, yelp
-	- fixed profiles: kdenlive, bibletime, rhythmbox, gajim, seahorse
-	- fixed profiles: libreoffice, gnome-maps, wget, seahorse-tool
-	- fixed profiles: gnome-logs, atom, brackets, gnome-builder, geany
-	- fixed profiles: vim, emacs, pycharm-community, gedit, klavaro
-	- fixed profiles: default, mpv, authenticator, gramps, webstorm
-	- fixed profiles: freeoffice-planmaker, freeoffice-presentations
-	- fixed profiles: freeoffice-textmaker, code, newsboat, aosp, clion
-	- fixed profiles: android-studio, git, gitg, github-desktop, idea.sh
-	- fixed profiles: ffmpeg, thunderbird, gnome-system-log, file-roller
-	- fixed profiles: eog, eom, xiphos, firefox-common, libreoffice
-	- fixed profiles: ocenaudio, sysprof, exiftool
-	- hardened profiles: disable-common.inc, disable-programs.inc
-	- hardened profiles: gajim, evince, ffmpeg, feh-network.inc, qtox
-	- hardened profiles: gnome-clocks, meld, minetest, youtube-dl
-	- hardened profiles: bibletime, whois, etr, display, feh, mpv, xiphos
-	- hardened profiles: gnome-chess
-	- gnome-mpv was renamed to celluloid
+	- many profile fixing and hardening
 	- some typo fixes
+	- added profile templates
 Salvo 'LtWorf' Tomaselli (https://github.com/ltworf)
 	- fixed ktorrent profile
 sarneaud (https://github.com/sarneaud)

diff --git a/RELNOTES b/RELNOTES
@@ -1,5 +1,6 @@
-ffirejail (0.9.60) baseline; urgency=low
+firejail (0.9.60) baseline; urgency=low
   * work in progress
+  * profile templates
  -- netblue30 <netblue30@yahoo.com>  Sun, 26 May 2019 08:00:00 -0500
 
 firejail (0.9.60) baseline; urgency=low

diff --git a/etc/templates/Notes b/etc/templates/Notes
@@ -0,0 +1,7 @@
+Notes
+=====
+
+ * Lines with one # are often used
+ * Lines with two ## are only in special situation needed
+ * Add programs specific paths like .config/program to disable-programs.inc
+ * Add the name of the profile/program to src/firecfg/firecfg.config
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
@@ -0,0 +1,82 @@
+# Firejail profile for PROGRAM_NAME
+# Description: DESCRIPTION
+# This file is overwritten after every install/update
+##quiet
+# Persistent local customizations
+#include PROFILE.local
+# Persistent global definitions
+#include globals.local
+
+##ignore noexec ${HOME}
+
+##blacklist PATH
+
+#noblacklist PATH
+
+# Allow python (blacklisted by disable-interpreters.inc)
+#noblacklist ${PATH}/python2*
+#noblacklist ${PATH}/python3*
+#noblacklist /usr/lib/python2*
+#noblacklist /usr/lib/python3*
+#noblacklist /usr/local/lib/python2*
+#noblacklist /usr/local/lib/python3*
+
+#include disable-common.inc
+#include disable-devel.inc
+#include disable-exec.inc
+#include disable-interpreters.inc
+#include disable-passwdmgr.inc
+#include disable-programs.inc
+#include disable-xdg.inc
+
+#mkdir PATH
+#mkfile PATH
+#whitelist PATH
+#include whitelist-common.inc
+#include whitelist-var-common.inc
+
+#apparmor
+#caps.drop all
+# CLI only
+##ipc-namespace
+#machine-id
+# 'net none' or 'netfilter'
+#net none
+#netfilter
+#no3d
+#nodbus
+#nodvd
+#nogroups
+#nonewprivs
+#noroot
+#nosound
+#notv
+#nou2f
+#novideo
+#protocol unix,inet,inet6,netlink
+#seccomp
+##seccomp.drop SYSCALLS
+#shell none
+#tracelog
+
+#disable-mnt
+##private
+#private-bin PROGRAMS
+#private-cache
+#private-dev
+#private-etc FILES
+# private-etc templates (see also #1734)
+#  Internet: ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+#  Sound: alsa,asound.conf,machine-id,openal,pulse
+#  GTK: dconf,fonts,gtk-2.0,gtk-3.0,pango,xdg
+#  KDE/QT: fonts,kde4rc,kde5rc,ld.so.cache,machine-id,Trolltech.conf,xdg
+#  GUIs: fonts
+#  Alternatives: alternatives
+##private-lib LIBS
+##private-opt NAME
+#private-tmp
+
+##env VAR=VALUE
+#memory-deny-write-execute
+##read-only ${HOME}
+##join-or-start NAME
diff --git a/etc/templates/redirect_alias-profile.template b/etc/templates/redirect_alias-profile.template
@@ -0,0 +1,36 @@
+# Firejail profile for PRGOGRAM_NAME
+# Description: DESCRIPTION
+# This file is overwritten after every install/update
+# Persistent local customizations
+include PROFILE.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+#NOTE: let include globals.local commented
+
+# Additional blacklisting (if needed)
+#blacklist PATH
+
+# Additional noblacklisting (if needed)
+#noblacklist PATH
+
+# Additional whitelisting (if needed)
+#mkdir PATH
+#mkfile PATH
+#whitelist PATH
+
+# Additional options if needed (see firejail-profile.example)
+
+# Add programs to private-bin (if needed)
+#private-bin PROGRAMS
+# Add files to private-etc (if needed)
+#private-etc FILES
+
+# Ignore something that is in the included profile
+#ignore net none
+#ignore private-bin
+#ignore seccomp
+#...
+
+# Redirect
+include PROFILE.profile
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
@@ -0,0 +1,43 @@
+Hints for writing seccomp.drop lines
+====================================
+
+@clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
+@module=delete_module,finit_module,init_module
+@raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
+@reboot=kexec_load,kexec_file_load,reboot,
+@swap=swapon,swapoff
+
+@privileged=@clock,@module,@raw-io,@reboot,@swap,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup
+
+@cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
+@debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
+@obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver
+@resources=set_mempolicy,migrate_pages,move_pages,mbind
+
+@default=@cpu-emulation,@debug,@obsolete,@privileged,@resources,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,vmsplice,umount,userfaultfd,mincore
+
+@default-nodebuggers=@default,ptrace,personality,process_vm_readv
+
+@default-keep=execve,prctl
+
+
++---------+----------------+---------------+
+| @clock  | @cpu-emulation | @default-keep |
+| @module | @debug         |               |
+| @raw-io | @obsolete      |               |
+| @reboot | @resources     |               |
+| @swap   |                |               |
++---------+----------------+---------------+
+     :              :
++-------------+     :
+| @privileged |     :
++-------------+     :
+     :              :
++----------+        :
+| @default |........:
++----------+
+    :
++----------------------+
+| @default-nodebuggers |
++----------------------+
+