nslookup, host profiles

author: netblue30 <netblue30@yahoo.com> 2020-03-18 22:17:59 -0400
committer: netblue30 <netblue30@yahoo.com> 2020-03-18 22:17:59 -0400
commit: 3c555a6ca44323c846d958e9ad5dcda540a25e95 (patch)
tree: 88789ef47c8cf60290c1f5bd33e89aba575626d2
parent: profile fixes (diff)
download: firejail-3c555a6ca44323c846d958e9ad5dcda540a25e95.tar.gz
firejail-3c555a6ca44323c846d958e9ad5dcda540a25e95.tar.zst
firejail-3c555a6ca44323c846d958e9ad5dcda540a25e95.zip
5 files changed, 118 insertions, 1 deletions
diff --git a/etc/dig.profile b/etc/dig.profile
index 0e1598406..e6b7e46d9 100644
--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -8,6 +8,7 @@ include dig.local
 include globals.local
 noblacklist ${HOME}/.digrc
+noblacklist ${PATH}/dig
 blacklist /tmp/.X11-unix
@@ -48,7 +49,6 @@ tracelog
 disable-mnt
 private
 private-bin bash,dig,sh
-private-cache
 private-dev
 # Uncomment the next line (or put 'private-lib' in your dig.local) on non Debian/Ubuntu OS (see issue #3038)
 #private-lib
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 6f9149dee..6ff83964d 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -469,3 +469,18 @@ blacklist ${HOME}/sent
 # kernel configuration
 blacklist /proc/config.gz
+# prevent DNS malware attempting to communicate with the server
+# using regular DNS tools
+blacklist ${PATH}/dig
+blacklist ${PATH}/kdig
+blacklist ${PATH}/nslookup
+blacklist ${PATH}/host
+blacklist ${PATH}/dlint
+blacklist ${PATH}/dnswalk
+blacklist ${PATH}/dns2tcp
+blacklist ${PATH}/iodine
+blacklist ${PATH}/knsupdate
diff --git a/etc/host.profile b/etc/host.profile
new file mode 100644
index 000000000..7e2012597
--- /dev/null
+++ b/etc/host.profile
@@ -0,0 +1,49 @@
+# Firejail profile for dig
+# Description: DNS lookup utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include host.local
+# Persistent global definitions
+include globals.local
+noblacklist ${PATH}/host
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private
+private-bin bash,host,sh
+private-dev
+private-tmp
+memory-deny-write-execute
diff --git a/etc/nslookup.profile b/etc/nslookup.profile
new file mode 100644
index 000000000..40897a3a8
--- /dev/null
+++ b/etc/nslookup.profile
@@ -0,0 +1,49 @@
+# Firejail profile for dig
+# Description: DNS lookup utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include nslookup.local
+# Persistent global definitions
+include globals.local
+noblacklist ${PATH}/nslookup
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private
+private-bin bash,nslookup,sh
+private-dev
+private-tmp
+memory-deny-write-execute
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index c27f78d0f..c2401ee32 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -149,6 +149,7 @@ desktopeditors
 devhelp
 dex2jar
 dia
+dig
 digikam
 dillo
 dino
@@ -305,6 +306,7 @@ hashcat
 hedgewars
 hexchat
 highlight
+host
 hugin
 icecat
 icedove
@@ -468,6 +470,7 @@ nitroshare-nmh
 nitroshare-send
 nitroshare-ui
 nomacs
+nslookup
 nylas
 nyx
 obs
@@ -481,6 +484,7 @@ ooviewdoc
 open-invaders
 openarena
 opencity
+openclonk
 openoffice.org
 openshot
 openshot-qt
author	netblue30 <netblue30@yahoo.com>	2020-03-18 22:17:59 -0400
committer	netblue30 <netblue30@yahoo.com>	2020-03-18 22:17:59 -0400
commit	3c555a6ca44323c846d958e9ad5dcda540a25e95 (patch)
tree	88789ef47c8cf60290c1f5bd33e89aba575626d2
parent	profile fixes (diff)
download	firejail-3c555a6ca44323c846d958e9ad5dcda540a25e95.tar.gz firejail-3c555a6ca44323c846d958e9ad5dcda540a25e95.tar.zst firejail-3c555a6ca44323c846d958e9ad5dcda540a25e95.zip

diff --git a/etc/dig.profile b/etc/dig.profile index 0e1598406..e6b7e46d9 100644 --- a/etc/dig.profile +++ b/etc/dig.profile
@@ -8,6 +8,7 @@ include dig.local
8	include globals.local	8	include globals.local
9		9
10	noblacklist ${HOME}/.digrc	10	noblacklist ${HOME}/.digrc
		11	noblacklist ${PATH}/dig
11		12
12	blacklist /tmp/.X11-unix	13	blacklist /tmp/.X11-unix
13		14
@@ -48,7 +49,6 @@ tracelog
48	disable-mnt	49	disable-mnt
49	private	50	private
50	private-bin bash,dig,sh	51	private-bin bash,dig,sh
51	private-cache
52	private-dev	52	private-dev
53	# Uncomment the next line (or put 'private-lib' in your dig.local) on non Debian/Ubuntu OS (see issue #3038)	53	# Uncomment the next line (or put 'private-lib' in your dig.local) on non Debian/Ubuntu OS (see issue #3038)
54	#private-lib	54	#private-lib


diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 6f9149dee..6ff83964d 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc
@@ -469,3 +469,18 @@ blacklist ${HOME}/sent
469		469
470	# kernel configuration	470	# kernel configuration
471	blacklist /proc/config.gz	471	blacklist /proc/config.gz
		472
		473	# prevent DNS malware attempting to communicate with the server
		474	# using regular DNS tools
		475	blacklist ${PATH}/dig
		476	blacklist ${PATH}/kdig
		477	blacklist ${PATH}/nslookup
		478	blacklist ${PATH}/host
		479	blacklist ${PATH}/dlint
		480	blacklist ${PATH}/dnswalk
		481	blacklist ${PATH}/dns2tcp
		482	blacklist ${PATH}/iodine
		483	blacklist ${PATH}/knsupdate
		484
		485
		486


diff --git a/etc/host.profile b/etc/host.profile new file mode 100644 index 000000000..7e2012597 --- /dev/null +++ b/etc/host.profile
@@ -0,0 +1,49 @@
		1	# Firejail profile for dig
		2	# Description: DNS lookup utility
		3	# This file is overwritten after every install/update
		4	quiet
		5	# Persistent local customizations
		6	include host.local
		7	# Persistent global definitions
		8	include globals.local
		9
		10	noblacklist ${PATH}/host
		11
		12	include disable-common.inc
		13	include disable-devel.inc
		14	include disable-exec.inc
		15	include disable-interpreters.inc
		16	include disable-passwdmgr.inc
		17	include disable-programs.inc
		18	include disable-xdg.inc
		19
		20	include whitelist-usr-share-common.inc
		21	include whitelist-var-common.inc
		22
		23	apparmor
		24	caps.drop all
		25	ipc-namespace
		26	machine-id
		27	netfilter
		28	no3d
		29	nodbus
		30	nodvd
		31	nogroups
		32	nonewprivs
		33	noroot
		34	nosound
		35	notv
		36	nou2f
		37	novideo
		38	protocol unix,inet,inet6
		39	seccomp
		40	shell none
		41	tracelog
		42
		43	disable-mnt
		44	private
		45	private-bin bash,host,sh
		46	private-dev
		47	private-tmp
		48
		49	memory-deny-write-execute


diff --git a/etc/nslookup.profile b/etc/nslookup.profile new file mode 100644 index 000000000..40897a3a8 --- /dev/null +++ b/etc/nslookup.profile
@@ -0,0 +1,49 @@
		1	# Firejail profile for dig
		2	# Description: DNS lookup utility
		3	# This file is overwritten after every install/update
		4	quiet
		5	# Persistent local customizations
		6	include nslookup.local
		7	# Persistent global definitions
		8	include globals.local
		9
		10	noblacklist ${PATH}/nslookup
		11
		12	include disable-common.inc
		13	include disable-devel.inc
		14	include disable-exec.inc
		15	include disable-interpreters.inc
		16	include disable-passwdmgr.inc
		17	include disable-programs.inc
		18	include disable-xdg.inc
		19
		20	include whitelist-usr-share-common.inc
		21	include whitelist-var-common.inc
		22
		23	apparmor
		24	caps.drop all
		25	ipc-namespace
		26	machine-id
		27	netfilter
		28	no3d
		29	nodbus
		30	nodvd
		31	nogroups
		32	nonewprivs
		33	noroot
		34	nosound
		35	notv
		36	nou2f
		37	novideo
		38	protocol unix,inet,inet6
		39	seccomp
		40	shell none
		41	tracelog
		42
		43	disable-mnt
		44	private
		45	private-bin bash,nslookup,sh
		46	private-dev
		47	private-tmp
		48
		49	memory-deny-write-execute


diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index c27f78d0f..c2401ee32 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config
@@ -149,6 +149,7 @@ desktopeditors
149	devhelp	149	devhelp
150	dex2jar	150	dex2jar
151	dia	151	dia
		152	dig
152	digikam	153	digikam
153	dillo	154	dillo
154	dino	155	dino
@@ -305,6 +306,7 @@ hashcat
305	hedgewars	306	hedgewars
306	hexchat	307	hexchat
307	highlight	308	highlight
		309	host
308	hugin	310	hugin
309	icecat	311	icecat
310	icedove	312	icedove
@@ -468,6 +470,7 @@ nitroshare-nmh
468	nitroshare-send	470	nitroshare-send
469	nitroshare-ui	471	nitroshare-ui
470	nomacs	472	nomacs
		473	nslookup
471	nylas	474	nylas
472	nyx	475	nyx
473	obs	476	obs
@@ -481,6 +484,7 @@ ooviewdoc
481	open-invaders	484	open-invaders
482	openarena	485	openarena
483	opencity	486	opencity
		487	openclonk
484	openoffice.org	488	openoffice.org
485	openshot	489	openshot
486	openshot-qt	490	openshot-qt