more private-etc

netblue30 · Feb 25, 2023 · 2531759 · 2531759
1 parent 7ed7d6d
commit 2531759
Show file tree

Hide file tree

Showing 10 changed files with 39 additions and 56 deletions.
diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile
@@ -50,7 +50,7 @@ tracelog
 
 private-bin audacity
 private-dev
-private-etc @tls-ca,@x11
+private-etc @x11
 private-tmp
 
 # problems on Fedora 27

diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile
@@ -59,7 +59,7 @@ seccomp !mbind
 tracelog
 
 private-dev
-private-etc @tls-ca,@x11,python*
+private-etc @x11,python*
 private-tmp
 
 dbus-user none

diff --git a/etc/profile-a-l/iagno.profile b/etc/profile-a-l/iagno.profile
@@ -13,6 +13,13 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-shell.inc
 
+whitelist ${HOME}/.local/share/glib-2.0/schemas
+include whitelist-common.inc
+
+include whitelist-runuser-common.inc
+whitelist /usr/share/iagno
+whitelist /usr/share/gdm
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
@@ -28,11 +35,12 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 
 disable-mnt
-private
 private-bin iagno
 private-dev
+private-etc @x11,gconf
 private-tmp
 
 # dbus-user none

diff --git a/etc/profile-m-z/rhythmbox.profile b/etc/profile-m-z/rhythmbox.profile
@@ -51,6 +51,7 @@ tracelog
 private-bin rhythmbox,rhythmbox-client
 private-cache
 private-dev
+private-etc @tls-ca,@x11,python*
 private-tmp
 
 dbus-user filter

diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile
@@ -51,7 +51,7 @@ private-bin totem
 # totem needs access to ~/.cache/tracker or it exits
 #private-cache
 private-dev
-# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
+private-etc @tls-ca,@x11,python*
 private-tmp
 
 # makes settings immutable

diff --git a/src/include/etc_groups.h b/src/include/etc_groups.h
@@ -28,6 +28,10 @@
 static char *etc_list[ETC_MAX + 1] = { // plus 1 for ending NULL pointer
 	"alternatives",
 	"fonts",
+	"gcrypt", 	// GNU crypto library - it contains configuration for specialized encryption
+		// and random number generators hardware.
+		// The directory is not installed in Debian. On Fedora it is an empty directory.
+		// The defaults in glibc cover the regular PC.
 	"group",
 	"ld.so.cache",
 	"ld.so.conf",
@@ -49,7 +53,6 @@ static char *etc_group_games[] = {
 	"openal", // 3D sound
 	"timidity", // MIDI
 	"timidity.cfg",
-	"vulkan", // next generation OpenGL stack
 	NULL
 };
 
@@ -75,8 +78,6 @@ static char *etc_group_sound[] = {
 static char *etc_group_tls_ca[] = {
 	"ca-certificates",
 	"crypto-policies",
-	"gcrypt", // GNU crypto library - contains hardware config for various encryption schemes
-		// and random number generators. The file is not installed by Debian.
 	"pki",
 	"ssl",
 	NULL
@@ -95,6 +96,7 @@ static char *etc_group_x11[] = {
 	"nvidia", // 3D
 	"pango", // text rendering/internationalization
 	"Trolltech.conf", // old QT config file
+	"vulkan", // next generation OpenGL stack
 	"X11",
 	"xdg",
 	NULL

diff --git a/test/sysutils/less.exp b/test/sysutils/less.exp
@@ -7,17 +7,19 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail less sysutils.sh\r"
+send -- "rm -f /tmp/tt\r"
+after 500
+
+send -- "firejail less sysutils.sh > /tmp/t\r"
+sleep 1
+
+send -- "cat /tmp/t | grep Authors\r"
 expect {
-	timeout {puts "TESTING ERROR 1\n";exit}
-	"(press RETURN)" {puts "TESTING SKIP: terminal is not fully functional - 1.1\n";exit}
-	"Press RETURN to continue" {puts "TESTING SKIP: terminal is not fully functional - 1.2\n";exit}
+	timeout {puts "TESTING ERROR 0\n";exit}
 	"Firejail Authors"
 }
-expect {
-	timeout {puts "TESTING ERROR 2\n";exit}
-	"MALLOC_CHECK"
-}
-
 after 100
+
+send -- "rm -f /tmp/t\r"
+after 500
 puts "\nall done\n"
diff --git a/test/sysutils/man.exp b/test/sysutils/man.exp
@@ -7,12 +7,19 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail man firejail\r"
+send -- "rm -f /tmp/t\r"
+after 500
+
+send -- "firejail man firejail > /tmp/t\r"
+sleep 1
+
+send -- "cat /tmp/t\r"
 expect {
 	timeout {puts "TESTING ERROR 0\n";exit}
-	"(press RETURN)" {puts "TESTING SKIP: terminal is not fully functional - 1.1\n";exit}
-	"Press RETURN to continue" {puts "TESTING SKIP: terminal is not fully functional - 1.2\n";exit}
 	"NAME"
 }
 after 100
+
+send -- "rm -f /tmp/t\r"
+after 500
 puts "\nall done\n"
diff --git a/test/sysutils/sysutils.sh b/test/sysutils/sysutils.sh
@@ -47,14 +47,6 @@ else
 	echo "TESTING SKIP: gzip not found"
 fi
 
-if command -v xzdec
-then
-	echo "TESTING: xzdec"
-	./xzdec.exp
-else
-	echo "TESTING SKIP: xzdec not found"
-fi
-
 if command -v xz
 then
 	echo "TESTING: xz"

diff --git a/test/sysutils/xzdec.exp b/test/sysutils/xzdec.exp