author | Tad <tad@spotco.us> | 2017-09-18 14:27:58 -0400 |
---|---|---|
committer | Tad <tad@spotco.us> | 2017-09-18 14:27:58 -0400 |
commit | ae5948cb84bd1327ab9f6f0577fd75bfe9a74787 (patch) | |
tree | ee6f8a1bd5659453c8ecf24036adaef8f11bee3b | |
parent | Add a profile for ClamAV's clamscan (diff) | |
download | firejail-ae5948cb84bd1327ab9f6f0577fd75bfe9a74787.tar.gz firejail-ae5948cb84bd1327ab9f6f0577fd75bfe9a74787.tar.zst firejail-ae5948cb84bd1327ab9f6f0577fd75bfe9a74787.zip |
Add a profile for clamdscan, clamdtop, and freshclam
-rw-r--r-- | etc/clamav.profile | 32 | ||||
-rw-r--r-- | etc/clamdscan.profile | 6 | ||||
-rw-r--r-- | etc/clamdtop.profile | 6 | ||||
-rw-r--r-- | etc/clamscan.profile | 32 | ||||
-rw-r--r-- | etc/freshclam.profile | 34 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 3 |
6 files changed, 84 insertions, 29 deletions
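--- /dev/null
+++ b/etc/clamav.profile
@@ -0,0 +1,32 @@
+# Firejail profile for clamav
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include /etc/firejail/clamav.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-dev
+read-only ${HOME}
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp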
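Review bot: `read-only ${HOME}` protects only the home directory, and nothing in the profile says so. Scan targets outside it (mounted removable media, for example) stay writable to the scanner process, while clamscan's `--move` and `--remove` actions will fail on anything under ${HOME}. I would document this above the line, e.g. `# Scanner needs read access only; --move/--remove on files under ${HOME} fail by design`, and consider whether other user-writable scan locations should be made read-only as well.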
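--- /dev/null
+++ b/etc/clamdscan.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for clamav
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/clamav.profile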
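Review bot: Redirecting clamdscan to clamav.profile confines only the client; the file parsing is done by the clamd daemon, which this profile does not touch, so the alias gives less containment than it does for clamscan. The inherited `net none` and `protocol unix` also mean a clamd reached over TCP (a `TCPSocket` setting in clamd.conf) cannot be contacted, presumably leaving only a path-based local socket working. The same applies to clamdtop.profile in the next section. A comment in both alias files, such as `# clamd itself runs outside this sandbox; only LocalSocket setups are supported`, would make these limits explicit.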
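--- /dev/null
+++ b/etc/clamdtop.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for clamav
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/clamav.profile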
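--- a/etc/clamscan.profile
+++ b/etc/clamscan.profile
@@ -1,32 +1,6 @@
-# Firejail profile for clamscan
+# Firejail profile alias for clamav
 # This file is overwritten after every install/update
-quiet
-# Persistent local customizations
-include /etc/firejail/clamscan.local
-# Persistent global definitions
-include /etc/firejail/globals.local
 
 
-caps.drop all
-ipc-namespace
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-x11 none
-
-private-dev
-read-only ${HOME}
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/clamav.profile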
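Review bot: The alias no longer reads `/etc/firejail/clamscan.local`, so any restrictions an administrator kept there stop applying silently after the update; clamav.profile only includes `clamav.local`. Keeping the old override ahead of the redirect preserves them: put `include /etc/firejail/clamscan.local` on the line before `include /etc/firejail/clamav.profile`. The clamdscan and clamdtop aliases could carry their own `.local` includes in the same way.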
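--- /dev/null
+++ b/etc/freshclam.profile
@@ -0,0 +1,34 @@
+# Firejail profile for freshclam
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include /etc/firejail/clamav.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+caps.keep setgid,setuid
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-dev
+private-tmp
+writable-var
+writable-var-log
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp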
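Review bot: Line 5 includes `/etc/firejail/clamav.local` although the header names this the freshclam profile, so overrides written for the network-less scanners are also applied to the updater and there is no freshclam-specific override file. If that is a copy-paste leftover, the line should read `include /etc/firejail/freshclam.local`. This is also the only profile in the commit that keeps capabilities (`caps.keep setgid,setuid`), omits `noroot` and allows `inet,inet6`. A one-line comment stating why (presumably the privilege drop to the database owner and the mirror download) would help a later reviewer avoid loosening or tightening it blindly.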
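--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -41,6 +41,8 @@ catfish
 cherrytree
 chromium
 chromium-browser
+clamdscan
+clamdtop
 clamscan
 claws-mail
 clementine
@@ -86,6 +88,7 @@ flashpeak-slimjet
 flowblade
 fontforge
 franz
+freshclam
 frozen-bubble
 gajim
 galculator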