author | netblue30 <netblue30@protonmail.com> | 2022-03-24 08:32:24 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-03-24 08:32:24 -0400 |
commit | 70184cbf86b0ce175dc2ac5470c8cf371e097467 (patch) | |
tree | 71e99d08f032292f44186b2163791a60cc9441c1 | |
parent | Merge pull request #5058 from glitsj16/nodejs-nvm (diff) | |
parent | ping: fix hardening comment (diff) | |
download | firejail-70184cbf86b0ce175dc2ac5470c8cf371e097467.tar.gz firejail-70184cbf86b0ce175dc2ac5470c8cf371e097467.tar.zst firejail-70184cbf86b0ce175dc2ac5470c8cf371e097467.zip |
Merge pull request #5061 from glitsj16/ping-fixes
ping: (extra) hardening
-rw-r--r-- | etc/profile-m-z/ping-hardened.inc.profile | 11 | ||||
-rw-r--r-- | etc/profile-m-z/ping.profile | 21 |
2 files changed, 28 insertions, 4 deletions
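--- /dev/null
+++ b/etc/profile-m-z/ping-hardened.inc.profile
@@ -0,0 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include ping-hardened.inc.local
+
+caps.drop all
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+memory-deny-write-execute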
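Review bot: The new include file carries no comment stating when it is safe to use — its `caps.drop all`, `nonewprivs` and `noroot` lines only work where ping does not rely on the setuid / cap_net_raw path, and that precondition is documented only in ping.profile's `#include ping-hardened.inc.profile` comment, not here. Read on its own, nothing tells a user that this file deliberately contradicts ping.profile's `caps.keep net_raw` and its commented-out `#nonewprivs` / `#noroot` / `#seccomp` lines. Suggest a header comment after the `.local` include, e.g. `# Only for systems where ping works without cap_net_raw (see the note in ping.profile); enables the options ping.profile leaves commented out.` Whether firejail resolves this file's `caps.drop all` against the main profile's `caps.keep net_raw` by last-wins or by rejecting the pair is not visible in this diff and should be confirmed before the include is recommended.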
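--- a/etc/profile-m-z/ping.profile
+++ b/etc/profile-m-z/ping.profile
@@ -7,23 +7,30 @@ include ping.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+# Add the next line to your ping.local if your kernel allows unprivileged userns clone.
+#include ping-hardened.inc.profile
+
 apparmor
 caps.keep net_raw
 ipc-namespace
+machine-id
 #net tun0
 #netfilter /etc/firejail/ping.net
 netfilter
@@ -31,8 +38,9 @@ no3d
 nodvd
 nogroups
 noinput
-# ping needs to rise privileges, noroot and nonewprivs will kill it
+# ping needs to raise privileges, nonewprivs and noroot will kill it
 #nonewprivs
+noprinters
 #noroot
 nosound
 notv
@@ -40,15 +48,18 @@ nou2f
 novideo
 # protocol command is built using seccomp; nonewprivs will kill it
 #protocol unix,inet,inet6,netlink,packet
-# killed by no-new-privs
 #seccomp
+shell none
+tracelog
 
 disable-mnt
 private
-#private-bin has mammoth problems with execvp: "No such file or directory"
+#private-bin ping - has mammoth problems with execvp: "No such file or directory"
+private-cache
 private-dev
 # /etc/hosts is required in private-etc; however, just adding it to the list doesn't solve the problem!
 #private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl
+private-lib
 private-tmp
 
 # memory-deny-write-execute is built using seccomp; nonewprivs will kill it
@@ -56,3 +67,5 @@ private-tmp
 
 dbus-user none
 dbus-system none
+
+read-only ${HOME}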
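Review bot: The new comment `# Add the next line to your ping.local if your kernel allows unprivileged userns clone.` names a kernel setting but not what it implies for ping, and since `ping.local` is included near the top of this profile (per the `include ping.local` context in the first hunk header) the hardened include's `caps.drop all` / `nonewprivs` / `noroot` would be parsed before this profile's `caps.keep net_raw` and before the `#nonewprivs` / `#noroot` / `#seccomp` lines it is meant to supersede. How firejail resolves that ordering is not visible in this diff, and users following the comment need to know whether the later `caps.keep net_raw` wins or the pair is rejected. Suggest wording the comment around the actual precondition, e.g. `# Add the next line to your ping.local if ping works without the setuid/cap_net_raw path on your system (e.g. unprivileged userns clone allowed); it enables caps.drop all, nonewprivs, noroot, protocol and seccomp, which are left commented out below.`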