author | glitsj16 <glitsj16@users.noreply.github.com> | 2022-03-21 07:53:51 +0000 |
committer | GitHub <noreply@github.com> | 2022-03-21 07:53:51 +0000 |
commit | a21920e63219fc54f43265ad105ece3becec27a9 (patch) | |
tree | e03d22c10964cfac4e96e93e12a49c9e5281487d | |
parent | ocenaudio hardening (#5056) (diff) | |
ping: extra hardening
-rw-r--r-- | etc/profile-m-z/ping.profile | 21 |
1 files changed, 17 insertions, 4 deletions
diff --git a/etc/profile-m-z/ping.profile b/etc/profile-m-z/ping.profile index b4923c38a..1b9ce2d2c 100644 --- a/etc/profile-m-z/ping.profile +++ b/etc/profile-m-z/ping.profile | |||
@@ -7,23 +7,30 @@ include ping.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist /tmp/.X11-unix | ||
11 | blacklist ${RUNUSER} | 10 | blacklist ${RUNUSER} |
12 | 11 | ||
13 | include disable-common.inc | 12 | include disable-common.inc |
14 | include disable-devel.inc | 13 | include disable-devel.inc |
15 | include disable-exec.inc | 14 | include disable-exec.inc |
16 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
16 | include disable-proc.inc | ||
17 | include disable-programs.inc | 17 | include disable-programs.inc |
18 | include disable-X11.inc | ||
18 | include disable-xdg.inc | 19 | include disable-xdg.inc |
19 | 20 | ||
20 | include whitelist-common.inc | 21 | include whitelist-common.inc |
22 | include whitelist-run-common.inc | ||
23 | include whitelist-runuser-common.inc | ||
21 | include whitelist-usr-share-common.inc | 24 | include whitelist-usr-share-common.inc |
22 | include whitelist-var-common.inc | 25 | include whitelist-var-common.inc |
23 | 26 | ||
27 | # Add the next line to your ping.local if your kernel allows unprivileged userns clone. | ||
28 | include ping-hardened.inc.profile | ||
29 | |||
24 | apparmor | 30 | apparmor |
25 | caps.keep net_raw | 31 | caps.keep net_raw |
26 | ipc-namespace | 32 | ipc-namespace |
33 | machine-id | ||
27 | #net tun0 | 34 | #net tun0 |
28 | #netfilter /etc/firejail/ping.net | 35 | #netfilter /etc/firejail/ping.net |
29 | netfilter | 36 | netfilter |
@@ -31,8 +38,9 @@ no3d | |||
31 | nodvd | 38 | nodvd |
32 | nogroups | 39 | nogroups |
33 | noinput | 40 | noinput |
34 | # ping needs to rise privileges, noroot and nonewprivs will kill it | 41 | # ping needs to raise privileges, nonewprivs and noroot will kill it |
35 | #nonewprivs | 42 | #nonewprivs |
43 | noprinters | ||
36 | #noroot | 44 | #noroot |
37 | nosound | 45 | nosound |
38 | notv | 46 | notv |
@@ -40,15 +48,18 @@ nou2f | |||
40 | novideo | 48 | novideo |
41 | # protocol command is built using seccomp; nonewprivs will kill it | 49 | # protocol command is built using seccomp; nonewprivs will kill it |
42 | #protocol unix,inet,inet6,netlink,packet | 50 | #protocol unix,inet,inet6,netlink,packet |
43 | # killed by no-new-privs | ||
44 | #seccomp | 51 | #seccomp |
52 | shell none | ||
53 | tracelog | ||
45 | 54 | ||
46 | disable-mnt | 55 | disable-mnt |
47 | private | 56 | private |
48 | #private-bin has mammoth problems with execvp: "No such file or directory" | 57 | #private-bin ping - has mammoth problems with execvp: "No such file or directory" |
58 | private-cache | ||
49 | private-dev | 59 | private-dev |
50 | # /etc/hosts is required in private-etc; however, just adding it to the list doesn't solve the problem! | 60 | # /etc/hosts is required in private-etc; however, just adding it to the list doesn't solve the problem! |
51 | #private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl | 61 | #private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl |
62 | private-lib | ||
52 | private-tmp | 63 | private-tmp |
53 | 64 | ||
54 | # memory-deny-write-execute is built using seccomp; nonewprivs will kill it | 65 | # memory-deny-write-execute is built using seccomp; nonewprivs will kill it |
@@ -56,3 +67,5 @@ private-tmp | |||
56 | 67 | ||
57 | dbus-user none | 68 | dbus-user none |
58 | dbus-system none | 69 | dbus-system none |
70 | |||
71 | read-only ${HOME} | ||
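Review bot: The new line 28, `include ping-hardened.inc.profile`, is active in the profile itself, while the comment directly above it (new line 27) tells the user to add that line to ping.local only if their kernel allows unprivileged userns clone — the directive and its comment contradict each other. If the hardened include turns on nonewprivs, noroot or seccomp (which its name suggests, and which this profile's own comments on the new lines 41, 49 and 65 say will kill ping because it must raise privileges), then every installation without unprivileged userns gets a non-working ping by default, and the profile cannot detect that kernel setting itself. Either make the include opt-in as the comment describes, `#include ping-hardened.inc.profile`, or reword the comment to state that the hardened include is always applied and that users on kernels without unprivileged userns must override it in ping.local.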