author | netblue30 <netblue30@yahoo.com> | 2016-10-02 10:08:49 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-10-02 10:08:49 -0400 |
commit | 7deec25a94430c3893f99955a1a5bbea380e9ef9 (patch) | |
tree | 943ad437dd091d0cefa5394a84d8a83d1a45b892 | |
parent | feh, ranger, zathura profiles (diff) | |
parent | fixed description (diff) | |
Merge pull request #828 from vismir2/master
hardened profiles and fixed blacklisting
-rw-r--r-- | etc/cherrytree.profile | 6 | ||||
-rw-r--r-- | etc/disable-common.inc | 3 | ||||
-rw-r--r-- | etc/disable-programs.inc | 3 | ||||
-rw-r--r-- | etc/feh.profile | 12 | ||||
-rw-r--r-- | etc/mupdf.profile | 6 | ||||
-rw-r--r-- | etc/ranger.profile | 11 | ||||
-rw-r--r-- | etc/zathura.profile | 7 |
7 files changed, 37 insertions, 11 deletions
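--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -6,12 +6,6 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
-whitelist ${HOME}/cherrytree
-mkdir ~/.config/cherrytree
-whitelist ${HOME}/.config/cherrytree/
-mkdir ~/.local/share
-whitelist ${HOME}/.local/share/
-
 caps.drop all
 netfilter
 nonewprivs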
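--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -121,6 +121,9 @@ blacklist ${HOME}/.smbcredentials
 blacklist ${HOME}/*.kdbx
 blacklist ${HOME}/*.kdb
 blacklist ${HOME}/*.key
+blacklist ${HOME}/.muttrc
+blacklist ${HOME}/.mutt/muttrc
+blacklist ${HOME}/.msmtprc
 blacklist /etc/shadow
 blacklist /etc/gshadow
 blacklist /etc/passwd-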
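Review bot: The three entries added on new lines 124–126 are added again verbatim in etc/disable-programs.inc (its hunk at line 69), so the same rule now lives in two files and any later adjustment has to be made twice. This block in disable-common.inc sits with the other credential files (`.smbcredentials`, `*.kdbx`, `*.key`) and `.msmtprc` commonly carries mail-account passwords, so keeping the entries here and dropping the copies from disable-programs.inc looks like the cleaner split. Blacklisting only `${HOME}/.mutt/muttrc` also leaves every other file under `${HOME}/.mutt/` readable; if that directory is expected to hold the password or certificate files the muttrc sources, `blacklist ${HOME}/.mutt` would cover the whole directory. Whichever scope is intended should be stated in a short comment above the block.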
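--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -69,6 +69,9 @@ blacklist ${HOME}/.config/qutebrowser
 blacklist ${HOME}/.8pecxstudios
 blacklist ${HOME}/.config/brave
 blacklist ${HOME}/.config/inox
+blacklist ${HOME}/.muttrc
+blacklist ${HOME}/.mutt/muttrc
+blacklist ${HOME}/.msmtprc
 
 # Instant Messaging
 blacklist ${HOME}/.config/hexchat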
diff --git a/etc/feh.profile b/etc/feh.profile index ba8f32f44..5fcb6bf25 100644 --- a/etc/feh.profile +++ b/etc/feh.profile | |||
@@ -5,9 +5,17 @@ include /etc/firejail/disable-devel.inc | |||
5 | include /etc/firejail/disable-passwdmgr.inc | 5 | include /etc/firejail/disable-passwdmgr.inc |
6 | 6 | ||
7 | caps.drop all | 7 | caps.drop all |
8 | seccomp | ||
9 | protocol unix | ||
8 | netfilter | 10 | netfilter |
11 | net none | ||
9 | nonewprivs | 12 | nonewprivs |
10 | noroot | 13 | noroot |
14 | nogroups | ||
11 | nosound | 15 | nosound |
12 | protocol unix | 16 | shell none |
13 | seccomp | 17 | |
18 | private-bin feh | ||
19 | whitelist /tmp/.X11-unix | ||
20 | private-dev | ||
21 | private-etc feh | ||
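Review bot: `netfilter` (new line 10) is kept directly above the added `net none` (new line 11); once the sandbox has no network interfaces the filter has no traffic to apply to, so as far as I can tell `netfilter` is now dead weight and should either be dropped or be given a comment explaining why both stay. The same pair appears in etc/ranger.profile (new lines 13–14 of its second hunk). Separately, `private-etc feh` on new line 21 is a very narrow list; a one-line comment naming what feh actually reads from /etc, and confirming that nothing else (font or image-loader configuration, for instance) is needed, would make the choice reviewable, because a too-narrow `private-etc` only surfaces as a run-time failure.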
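--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -11,8 +11,14 @@ noroot
 nosound
 protocol unix
 seccomp
+netfilter
 shell none
 tracelog
 
+private-bin mupdf
 private-tmp
 private-dev
+
+# mupdf will never write anything
+read-only ${HOME}
+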
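Review bot: `netfilter` on new line 14 is added without any `net` directive in the hunk; to my understanding the firejail filter is only applied inside a network namespace created by a `net` option, so on its own it does nothing for this profile unless the user passes `--net` on the command line (the rest of the profile is outside the hunk, so a `net` line elsewhere cannot be ruled out). Given `protocol unix` already sits in the context, `net none` is the directive that would actually remove network access from a PDF viewer. The comment above `read-only ${HOME}` (new line 22) reads as a fact about mupdf; wording it as `# hardening: mupdf is not expected to write to the home directory` makes clear it is a deliberate policy that can be revisited rather than a guarantee about the program.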
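--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -1,4 +1,9 @@
 # ranger file manager profile
+noblacklist /usr/bin/perl
+#noblacklist /usr/bin/cpan*
+noblacklist /usr/share/perl*
+noblacklist /usr/lib/perl*
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
@@ -6,8 +11,14 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+net none
 nonewprivs
 noroot
+nogroups
 protocol unix
 seccomp
 nosound
+
+private-tmp
+private-dev
+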
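Review bot: The `noblacklist` lines added at the top of the file (new lines 2–5) re-expose the perl interpreter and its library trees inside the sandbox, but nothing says which ranger feature needs them, and the commented-out `#noblacklist /usr/bin/cpan*` on line 3 is left as dead text. A one-line comment above the block naming the ranger feature or helper that calls perl (`# perl needed by <feature> — TODO confirm`) and either enabling or deleting the cpan line would keep this widening deliberate and easy to re-check when the profile is next tightened. The second hunk keeps `netfilter` directly above the added `net none`, the same redundancy already noted for etc/feh.profile.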
diff --git a/etc/zathura.profile b/etc/zathura.profile index 955792b2e..7093c52b2 100644 --- a/etc/zathura.profile +++ b/etc/zathura.profile | |||
@@ -12,8 +12,9 @@ protocol unix | |||
12 | netfilter | 12 | netfilter |
13 | nonewprivs | 13 | nonewprivs |
14 | noroot | 14 | noroot |
15 | nogroups | ||
15 | nosound | 16 | nosound |
16 | |||
17 | #net none | ||
18 | shell none | 17 | shell none |
19 | #private-etc X11 | 18 | |
19 | private-bin zathura | ||
20 | private-dev | ||
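Review bot: The commented `#net none` on old line 17 is deleted rather than enabled, so zathura keeps full network access under `netfilter` even though `protocol unix` in the hunk header already refuses inet sockets, while feh and ranger in the same PR gain `net none`. If a zathura plugin or link handler genuinely needs the network, a comment saying so would be better than silently dropping the reminder; otherwise `net none` belongs here as well. The added `private-bin zathura` (new line 19) also hides any helper program zathura might launch for external links — presumably intended on top of `shell none`, but worth a one-line comment so the next editor does not treat it as an oversight.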