a second round of blacklisting in disable-common.inc
netblue30 committed Aug 22, 2023
1 parent e60964b commit 96beb33
Showing 1 changed file with 30 additions and 1 deletion.
31 changes: 30 additions & 1 deletion etc/inc/disable-common.inc
Expand Up @@ -170,7 +170,7 @@ blacklist ${RUNUSER}/gsconnect
blacklist ${HOME}/.config/systemd
blacklist ${HOME}/.local/share/systemd
blacklist ${PATH}/systemctl
blacklist ${PATH}/systemd-run
blacklist ${PATH}/systemd*
blacklist ${RUNUSER}/systemd
blacklist /etc/credstore*
blacklist /etc/systemd/network
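Review bot: the `${PATH}/systemd*` glob that takes the place of `${PATH}/systemd-run` matches every binary whose name starts with `systemd`, not only the one listed before, so any profile that legitimately runs a `systemd-*` helper will need a counterpart `noblacklist`. A short comment above the line saying the wide match is intentional would help future readers. `${PATH}/systemctl` does not match the glob, so its separate entry is still required.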
Expand Down Expand Up @@ -518,7 +518,10 @@ blacklist ${PATH}/kdesudo
blacklist ${PATH}/ksu
blacklist ${PATH}/mount
blacklist ${PATH}/mount.ecryptfs_private
blacklist ${PATH}/mountpoint
blacklist ${PATH}/nc
blacklist ${PATH}/nc.traditional
blacklist ${PATH}/nc.openbsd
blacklist ${PATH}/ncat
blacklist ${PATH}/nmap
blacklist ${PATH}/newgidmap
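Review bot: style point on the `nc.traditional` / `nc.openbsd` lines: the neighbouring entries (`mount`, `mount.ecryptfs_private`, `mountpoint`, `nc`, `ncat`) run alphabetically, so `nc.openbsd` should come before `nc.traditional`. Listing the two variants explicitly instead of using an `nc*` glob is the right call, since that glob would also catch unrelated binaries whose names merely start with `nc`.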
Expand Down Expand Up @@ -572,7 +575,28 @@ blacklist ${PATH}/nmtui-hostname
blacklist ${PATH}/networkctl
blacklist ${PATH}/ss
blacklist ${PATH}/traceroute
# since firejail version 0.9.73
blacklist ${PATH}/dpkg*
blacklist ${PATH}/fakeroot*

glitsj16 Aug 23, 2023

Collaborator

Blacklisting fakeroot will break makepkg on Arch Linux (-based) systems. I'll add a counterpart noblacklist in its profile.

blacklist ${PATH}/apt*
blacklist ${PATH}/dumpcap
blacklist ${PATH}/efibootdump
blacklist ${PATH}/efibootmgr
blacklist ${PATH}/passmass
blacklist ${PATH}/proxy
blacklist ${PATH}/aa-*
blacklist ${PATH}/airscan-discover
blacklist ${PATH}/avahi*
blacklist ${PATH}/dbus-*
blacklist ${PATH}/debconf*
blacklist ${PATH}/grub-*
blacklist ${PATH}/kernel-install # from systemd package

# binaries installed by firejail
blacklist ${PATH}/firemon
blacklist ${PATH}/firecfg
blacklist ${PATH}/jailcheck
blacklist ${PATH}/firetools

# other SUID binaries
blacklist /opt/microsoft/msedge*/msedge-sandbox
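Review bot: the prefix globs in this block (`dpkg*`, `fakeroot*`, `apt*`, `aa-*`, `avahi*`, `dbus-*`, `debconf*`, `grub-*`) hide every binary that shares the prefix, and the inline comment on `fakeroot*` already names one user (makepkg) that breaks as a result; it would be worth checking the shipped profiles for other users of these binaries and adding the matching `noblacklist` lines in the same change. `${PATH}/proxy` is a very generic name and deserves a comment saying which package it targets. The trailing `# from systemd package` on the `kernel-install` line is the only end-of-line comment visible here; putting it on its own line above the entry matches the surrounding entries and avoids relying on how trailing comments are parsed.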
Expand Down Expand Up @@ -653,10 +677,13 @@ blacklist ${HOME}/sent
blacklist /proc/config.gz

# prevent DNS malware attempting to communicate with the server using regular DNS tools
blacklist ${PATH}/delv
blacklist ${PATH}/dig
blacklist ${PATH}/dlint
blacklist ${PATH}/dns2tcp
blacklist ${PATH}/dnssec-*
blacklist ${PATH}/dnstap-read
blacklist ${PATH}/mdig
blacklist ${PATH}/dnswalk
blacklist ${PATH}/drill
blacklist ${PATH}/host
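Review bot: `mdig` sits between `dnstap-read` and `dnswalk`, which breaks the alphabetical order the rest of this DNS list follows (`delv`, `dig`, `dlint`, `dns2tcp`, ...). Moving it to its sorted position keeps the list easy to scan for duplicates and gaps.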
Expand All @@ -667,6 +694,8 @@ blacklist ${PATH}/knsupdate
blacklist ${PATH}/ldns-*
blacklist ${PATH}/ldnsd
blacklist ${PATH}/nslookup
blacklist ${PATH}/nsupdate
blacklist ${PATH}/nstat
blacklist ${PATH}/resolvectl
blacklist ${PATH}/unbound-host

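Review bot: `${PATH}/nstat` does not belong under the DNS-tools comment: it is the iproute2 network statistics utility, not a resolver client, so it fits better beside `${PATH}/ss` in the networking block earlier in the file. If it stays here, `nstat` and `nsupdate` should swap places to keep the list sorted.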