Commit 9d5f377d authored by netblue30's avatar netblue30

security: ~/.pki directory whitelisted and later blacklisted. This affects...

security: ~/.pki directory whitelisted and later blacklisted. This affects most browsers, and disables the custom certificates installed by the user.
parent 0d2044aa
......@@ -13,6 +13,8 @@ firejail (0.9.45) baseline; urgency=low
* security: split seccomp filter code configuration in a separate executable
* security: split file copying in private option in a separate executable
* security: root exploit found by Sebastian Krahmer (CVE-2017-5180)
* security: ~/.pki directory whitelisted and later blacklisted. This affects
most browsers, and disables the custom certificates installed by the user.
* feature: disable gnupg and systemd directories under /run/user
* feature: test coverage (gcov) support
* feature: allow root user access to /dev/shm (--noblacklist=/dev/shm)
......
......@@ -5,6 +5,7 @@ include /etc/firejail/abrowser.local
# Firejail profile for Abrowser
noblacklist ~/.mozilla
noblacklist ~/.cache/mozilla
noblacklist ~/.pki
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
......
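Review bot: The new `noblacklist ~/.pki` line in abrowser.profile carries no comment explaining why this directory is re-exposed, so a later profile cleanup can drop it and silently reintroduce the breakage the commit message describes; the identical line in the chromium, cyberfox, flashpeak-slimjet, franz, google-chrome-beta, google-chrome-unstable, google-chrome, icecat, inox, opera-beta, opera and seamonkey sections has the same gap. I would add `# ~/.pki: user-installed certificates; must stay above the disable-*.inc includes` directly above it, since a noblacklist only cancels a blacklist that comes after it. The line exposes the directory read-write to the sandbox, which presumably includes any private keys the user keeps alongside the certificates; that is the intended trade-off here but is worth stating in the comment. Profiles that also whitelist the home need an explicit `whitelist ~/.pki` in addition, as the firefox section of this commit does; noblacklist alone is not sufficient there.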
......@@ -5,6 +5,7 @@ include /etc/firejail/chromium.local
# Chromium browser profile
noblacklist ~/.config/chromium
noblacklist ~/.cache/chromium
noblacklist ~/.pki
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
......
......@@ -5,6 +5,7 @@ include /etc/firejail/cyberfox.local
# Firejail profile for Cyberfox (based on Mozilla Firefox)
noblacklist ~/.8pecxstudios
noblacklist ~/.cache/8pecxstudios
noblacklist ~/.pki
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
......
......@@ -8,6 +8,7 @@ noblacklist ~/.cache/mozilla
noblacklist ~/.config/qpdfview
noblacklist ~/.local/share/qpdfview
noblacklist ~/.kde/share/apps/okular
noblacklist ~/.pki
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
......@@ -34,6 +35,7 @@ whitelist ~/.pentadactyl
whitelist ~/.keysnail.js
whitelist ~/.config/gnome-mplayer
whitelist ~/.cache/gnome-mplayer/plugin
mkdir ~/.pki
whitelist ~/.pki
whitelist ~/.config/qpdfview
whitelist ~/.local/share/qpdfview
......
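Review bot: The `mkdir ~/.pki` / `whitelist ~/.pki` pair in the second hunk of firefox.profile is the part that actually restores access in this whitelisting profile, and nothing in the file says so; a reader of only the first hunk would assume `noblacklist ~/.pki` was enough, as it is in the other profiles of this commit. I would put `# ~/.pki: user-installed certificates (needs both the noblacklist above the disable-*.inc includes and this whitelist)` above the mkdir line. The `mkdir` presumably creates the directory in the user's real home even when no certificate was ever installed, which is needed for the whitelist to apply but is a visible side effect worth mentioning in the same comment. The whitelist also makes the directory writable from the sandbox; if private key material lives there, that is the trade-off a maintainer should see spelled out.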
......@@ -11,6 +11,7 @@ include /etc/firejail/flashpeak-slimjet.local
#
noblacklist ~/.config/slimjet
noblacklist ~/.cache/slimjet
noblacklist ~/.pki
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
......
......@@ -5,6 +5,7 @@ include /etc/firejail/franz.local
# Franz profile
noblacklist ~/.config/Franz
noblacklist ~/.cache/Franz
noblacklist ~/.pki
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
......
......@@ -5,6 +5,7 @@ include /etc/firejail/google-chrome-beta.local
# Google Chrome beta browser profile
noblacklist ~/.config/google-chrome-beta
noblacklist ~/.cache/google-chrome-beta
noblacklist ~/.pki
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
......
......@@ -5,6 +5,7 @@ include /etc/firejail/google-chrome-unstable.local
# Google Chrome unstable browser profile
noblacklist ~/.config/google-chrome-unstable
noblacklist ~/.cache/google-chrome-unstable
noblacklist ~/.pki
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
......
......@@ -5,6 +5,7 @@ include /etc/firejail/google-chrome.local
# Google Chrome browser profile
noblacklist ~/.config/google-chrome
noblacklist ~/.cache/google-chrome
noblacklist ~/.pki
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
......
......@@ -5,6 +5,7 @@ include /etc/firejail/icecat.local
# Firejail profile for GNU Icecat
noblacklist ~/.mozilla
noblacklist ~/.cache/mozilla
noblacklist ~/.pki
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
......
......@@ -5,6 +5,7 @@ include /etc/firejail/inox.local
# Inox browser profile
noblacklist ~/.config/inox
noblacklist ~/.cache/inox
noblacklist ~/.pki
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
......
......@@ -5,6 +5,7 @@ include /etc/firejail/opera-beta.local
# Opera-beta browser profile
noblacklist ~/.config/opera-beta
noblacklist ~/.cache/opera-beta
noblacklist ~/.pki
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
......
......@@ -6,6 +6,7 @@ include /etc/firejail/opera.local
noblacklist ~/.config/opera
noblacklist ~/.cache/opera
noblacklist ~/.opera
noblacklist ~/.pki
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
......
......@@ -5,6 +5,7 @@ include /etc/firejail/seamonkey.local
# Firejail profile for Seamoneky based off Mozilla Firefox
noblacklist ~/.mozilla
noblacklist ~/.cache/mozilla
noblacklist ~/.pki
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
......