author | Fred Barclay <Fred-Barclay@users.noreply.github.com> | 2017-04-15 22:06:37 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-04-15 22:06:37 +0000 |
commit | f13aa1b80ac13085503bc190bf4ee7d7513607be (patch) | |
tree | b32a354af0af97e19b779380382ec973275a1006 | |
parent | noblacklist .config/qt5ct (part 1) (diff) | |
parent | Harden Steam (diff) | |
Merge pull request #1220 from SpotComms/harden
Harden some profiles
-rw-r--r-- | etc/bless.profile | 14 | ||||
-rw-r--r-- | etc/dino.profile | 3 | ||||
-rw-r--r-- | etc/eog.profile | 5 | ||||
-rw-r--r-- | etc/evince.profile | 4 | ||||
-rw-r--r-- | etc/evolution.profile | 5 | ||||
-rw-r--r-- | etc/file-roller.profile | 7 | ||||
-rw-r--r-- | etc/gedit.profile | 9 | ||||
-rw-r--r-- | etc/gimp.profile | 4 | ||||
-rw-r--r-- | etc/gnome-calculator.profile | 12 | ||||
-rw-r--r-- | etc/hexchat.profile | 4 | ||||
-rw-r--r-- | etc/jd-gui.profile | 13 | ||||
-rw-r--r-- | etc/keepass.profile | 8 | ||||
-rw-r--r-- | etc/keepassx.profile | 4 | ||||
-rw-r--r-- | etc/keepassx2.profile | 6 | ||||
-rw-r--r-- | etc/keepassxc.profile | 6 | ||||
-rw-r--r-- | etc/libreoffice.profile | 4 | ||||
-rw-r--r-- | etc/lollypop.profile | 10 | ||||
-rw-r--r-- | etc/multimc5.profile | 9 | ||||
-rw-r--r-- | etc/mumble.profile | 4 | ||||
-rw-r--r-- | etc/pdfsam.profile | 13 | ||||
-rw-r--r-- | etc/pithos.profile | 9 | ||||
-rw-r--r-- | etc/steam.profile | 4 | ||||
-rw-r--r-- | etc/totem.profile | 12 | ||||
-rw-r--r-- | etc/vlc.profile | 3 | ||||
-rw-r--r-- | etc/xonotic.profile | 9 |
25 files changed, 169 insertions, 12 deletions
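--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -17,8 +17,20 @@ include /etc/firejail/disable-devel.inc
 
 #Options
 caps.drop all
+net none
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
-protocol unix,inet,inet6
+nosound
+protocol unix
 seccomp
+shell none
+
+private-dev
+private-etc fonts,mono
+private-tmp
+
+noexec ${HOME}
+noexec /tmp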
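Review bot: `net none` on the new line 20 leaves the `netfilter` right below it with nothing to filter — the sandbox gets no network interface, so the filter rules never see a packet — and the pair reads as if the profile has not decided whether bless is offline. Either drop `netfilter` or record why it stays, with a comment line above it in the file's existing style, e.g. `# netfilter is kept for users who comment out net none`, the way keepassxc.profile already documents its `net none`. The same pairing appears in this commit in eog.profile, file-roller.profile, gedit.profile, gimp.profile, jd-gui.profile and pdfsam.profile.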
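--- a/etc/dino.profile
+++ b/etc/dino.profile
@@ -30,3 +30,6 @@ private-bin dino
 #private-etc fonts #breaks server connection
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp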
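--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -11,7 +11,9 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+net none
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
@@ -24,3 +26,6 @@ private-bin eog
 private-dev
 private-etc fonts
 private-tmp
+
+noexec ${HOME}
+noexec /tmp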
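--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -13,6 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
 #net none - creates some problems on some distributions
+no3d
 nogroups
 nonewprivs
 noroot
@@ -27,3 +28,6 @@ private-dev
 private-etc fonts
 # evince needs access to /tmp/mozilla* to work in firefox
 # private-tmp
+
+noexec ${HOME}
+noexec /tmp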
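--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -9,6 +9,7 @@ noblacklist ~/.cache/evolution
 noblacklist ~/.pki
 noblacklist ~/.pki/nssdb
 noblacklist ~/.gnupg
+noblacklist ~/.bogofilter
 
 noblacklist /var/spool/mail
 noblacklist /var/mail
@@ -20,6 +21,7 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
@@ -30,3 +32,6 @@ shell none
 
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp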
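Review bot: `noblacklist ~/.bogofilter` on the new line 12 widens what the sandbox can read, which runs against the direction of the rest of this "harden" commit, and nothing on the line says what needs it. A comment line above it in the file's existing style, e.g. `# bogofilter spam-filter plugin keeps its wordlist here`, would keep the exception reviewable next to the ~/.gnupg and ~/.pki ones. The `no3d` and `noexec` additions in the other two hunks match the sibling profiles.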
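--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -9,13 +9,15 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+net none
+netfilter
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
 protocol unix
 seccomp
-netfilter
 shell none
 tracelog
 
@@ -23,3 +25,6 @@ tracelog
 # private-tmp
 private-dev
 # private-etc fonts
+
+noexec ${HOME}
+noexec /tmp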
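--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -14,17 +14,22 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+netfilter
+net none
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
 protocol unix
 seccomp
-netfilter
 shell none
 tracelog
 
 # private-bin gedit
-private-tmp
 private-dev
 # private-etc fonts
+private-tmp
+
+noexec ${HOME}
+noexec /tmp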
diff --git a/etc/gimp.profile b/etc/gimp.profile index 4088bd680..5f8ccb4fb 100644 --- a/etc/gimp.profile +++ b/etc/gimp.profile | |||
@@ -10,16 +10,18 @@ include /etc/firejail/disable-passwdmgr.inc | |||
10 | 10 | ||
11 | caps.drop all | 11 | caps.drop all |
12 | netfilter | 12 | netfilter |
13 | net none | ||
13 | nogroups | 14 | nogroups |
14 | nonewprivs | 15 | nonewprivs |
15 | noroot | 16 | noroot |
16 | nosound | 17 | nosound |
17 | protocol unix | 18 | protocol unix |
18 | seccomp | 19 | seccomp |
20 | shell none | ||
19 | 21 | ||
20 | # gimp plugins are installed by the user in ~/.gimp-2.8/plug-ins/ directory | 22 | # gimp plugins are installed by the user in ~/.gimp-2.8/plug-ins/ directory |
21 | # if you are not using external plugins, you can enable noexec statement below | 23 | # if you are not using external plugins, you can enable noexec statement below |
22 | # noexec ${HOME} | 24 | # noexec ${HOME} |
23 | 25 | ||
24 | noexec /tmp | 26 | noexec /tmp |
25 | 27 | ||
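Review bot: `net none` on the new line 13 takes every network path away from GIMP, and the parts of GIMP that fetch over the network (the help browser, opening a location by URL, plug-ins that talk to services) will fail silently inside the sandbox — that is inferred from the application, not from the diff, so it should be confirmed on a real install before merging. evince.profile in this same commit keeps `#net none - creates some problems on some distributions` for exactly this kind of trade-off; a comment line of that shape here, either justifying `net none` or commenting it out, would record the decision. The diffstat reports four changes for this file but only two added lines are visible, so a whitespace-only change is probably hidden in the rendered view.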
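--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -17,7 +17,19 @@ include /etc/firejail/whitelist-common.inc
 #Options
 caps.drop all
 netfilter
+#net none
+no3d
 nonewprivs
 noroot
+nosound
 protocol unix,inet,inet6
 seccomp
+shell none
+
+private-bin gnome-calculator
+private-dev
+private-etc fonts
+private-tmp
+
+noexec ${HOME}
+noexec /tmp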
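Review bot: `private-etc fonts` on the new line 31 builds an /etc that contains only fonts, while lines 19, 20 and 25 (`netfilter`, `#net none` left commented, `protocol unix,inet,inet6`) deliberately keep network access — so the profile intends the calculator to reach the network, but without /etc/resolv.conf, /etc/hosts and the certificate directories under /etc/ssl in the private /etc, name resolution and TLS inside the sandbox fail, which would break the currency-conversion fetch if that feature is used. Either extend the list, e.g. `private-etc fonts,resolv.conf,hosts,ssl,ca-certificates` (the exact file names depend on the distribution), or state above the line why no network-dependent feature is expected. lollypop.profile (new line 30) and totem.profile (new line 25) in this commit have the same `private-etc fonts` next to inet protocols and should get the same treatment.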
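--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -13,6 +13,7 @@ include /etc/firejail/disable-devel.inc
 
 caps.drop all
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
@@ -30,3 +31,6 @@ private-bin hexchat
 #debug note: private-bin requires perl, python, etc on some systems
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp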
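--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -16,8 +16,19 @@ include /etc/firejail/disable-devel.inc
 
 #Options
 caps.drop all
+net none
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
-protocol unix,inet,inet6
+nosound
+protocol unix
 seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp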
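--- a/etc/keepass.profile
+++ b/etc/keepass.profile
@@ -15,14 +15,18 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+netfilter
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
 protocol unix,inet,inet6
 seccomp
-netfilter
 shell none
 
-private-tmp
 private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp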
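--- a/etc/keepassx.profile
+++ b/etc/keepassx.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 net none
+no3d
 nogroups
 nonewprivs
 noroot
@@ -28,3 +29,6 @@ private-bin keepassx
 private-etc fonts
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp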
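--- a/etc/keepassx2.profile
+++ b/etc/keepassx2.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 net none
+no3d
 nogroups
 nonewprivs
 noroot
@@ -24,6 +25,9 @@ seccomp
 shell none
 
 private-bin keepassx2
-private-etc fonts
 private-dev
+private-etc fonts
 private-tmp
+
+noexec ${HOME}
+noexec /tmp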
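--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -16,6 +16,7 @@ include /etc/firejail/disable-passwdmgr.inc
 # To use KeePassHTTP, comment out `net none`
 caps.drop all
 net none
+no3d
 nogroups
 nonewprivs
 noroot
@@ -25,6 +26,9 @@ seccomp
 shell none
 
 private-bin keepassxc
-private-etc fonts
 private-dev
+private-etc fonts
 private-tmp
+
+noexec ${HOME}
+noexec /tmp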
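--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -17,7 +17,11 @@ nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
 tracelog
 
 private-dev
 # whitelist /tmp/.X11-unix/
+
+noexec ${HOME}
+noexec /tmp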
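--- a/etc/lollypop.profile
+++ b/etc/lollypop.profile
@@ -18,7 +18,17 @@ include /etc/firejail/disable-devel.inc
 #Options
 caps.drop all
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
+
+private-dev
+private-etc fonts
+private-tmp
+
+noexec ${HOME}
+noexec /tmp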
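--- a/etc/multimc5.profile
+++ b/etc/multimc5.profile
@@ -26,6 +26,15 @@ include /etc/firejail/whitelist-common.inc
 #Options
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
+#seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp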
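Review bot: `#seccomp` on the new line 33 leaves the syscall filter off without saying why, so the next maintainer cannot tell a known JVM incompatibility from an oversight; put the reason on the line in the style evince.profile already uses, e.g. `#seccomp - breaks the launcher/JVM (TODO: confirm which syscall)`. Separately, `noexec ${HOME}` on line 39 deserves a launch test: if the launcher unpacks the game's native libraries into its instance directory under the home directory, the JVM can no longer map them executable and the game will not start — that is an assumption about the application, not something the diff shows. steam.profile in this same commit adds no noexec lines, presumably for the same reason, so the two game profiles should at least agree on the rationale.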
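--- a/etc/mumble.profile
+++ b/etc/mumble.profile
@@ -18,6 +18,7 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+no3d
 nonewprivs
 nogroups
 noroot
@@ -28,3 +29,6 @@ tracelog
 
 private-bin mumble
 private-tmp
+
+noexec ${HOME}
+noexec /tmp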
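--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -14,8 +14,19 @@ include /etc/firejail/disable-devel.inc
 
 #Options
 caps.drop all
+net none
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
-protocol unix,inet,inet6
+nosound
+protocol unix
 seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp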
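--- a/etc/pithos.profile
+++ b/etc/pithos.profile
@@ -17,7 +17,16 @@ include /etc/firejail/whitelist-common.inc
 #Options
 caps.drop all
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp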
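--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -16,3 +16,7 @@ nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
+shell none
+
+private-dev
+private-tmp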
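Review bot: `private-dev` on the new line 21 swaps /dev for firejail's minimal device set, and whether /dev/input (controllers) and /dev/uinput (Steam's controller emulation) survive that swap depends on the firejail version in use; if they do not, every controller disappears inside the sandbox, a regression the "Harden Steam" message does not mention. Worth one run with a controller attached before merging, with the result recorded above the line in the file's comment style, e.g. `# private-dev verified with a gamepad; comment out if /dev/input is missing`. The section is too short to tell whether the rest of the profile already whitelists devices, so this is a check rather than a known break.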
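--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -12,8 +12,18 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+netfilter
+nogroups
 nonewprivs
 noroot
-netfilter
 protocol unix,inet,inet6
 seccomp
+shell none
+
+private-bin totem
+private-dev
+private-etc fonts
+private-tmp
+
+noexec ${HOME}
+noexec /tmp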
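--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -22,3 +22,6 @@ shell none
 private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
 # private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp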
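--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -23,7 +23,16 @@ include /etc/firejail/whitelist-common.inc
 #Options
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
+
+private-bin xonotic-sdl,xonotic-glx,blind-id
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp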
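Review bot: `private-bin xonotic-sdl,xonotic-glx,blind-id` on the new line 33 keeps only those three names in the sandbox's /usr/bin; on distributions where xonotic-sdl and xonotic-glx are shell wrappers around the real engine binary, the wrapper's interpreter and the binary it execs are not in the list, so launch fails with a "not found" inside the sandbox. That is inferred from how the game is usually packaged, not from the diff, but hexchat.profile in this same commit already records the identical pitfall with `#debug note: private-bin requires perl, python, etc on some systems`. Either add the missing names, e.g. `private-bin xonotic-sdl,xonotic-glx,blind-id,sh,bash`, after checking what the installed wrappers actually exec, or carry a comment line of the hexchat shape above the line so the next distribution-specific report is quick to triage.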