author | Tad <tad@spotco.us> | 2018-03-18 21:35:55 -0400 |
---|---|---|
committer | Tad <tad@spotco.us> | 2018-03-18 21:35:55 -0400 |
commit | 5018a209d23e7f7e7dae2a93b3b57a40e5e3a980 (patch) | |
tree | 5da1d145515595c1ee94bd1ef13d090fb8bfaa82 | |
parent | typo (diff) | |
download | firejail-5018a209d23e7f7e7dae2a93b3b57a40e5e3a980.tar.gz firejail-5018a209d23e7f7e7dae2a93b3b57a40e5e3a980.tar.zst firejail-5018a209d23e7f7e7dae2a93b3b57a40e5e3a980.zip |
Misc profile hardening and fixes
-rw-r--r-- | etc/asunder.profile | 3 | ||||
-rw-r--r-- | etc/atool.profile | 1 | ||||
-rw-r--r-- | etc/brasero.profile | 1 | ||||
-rw-r--r-- | etc/frozen-bubble.profile | 2 | ||||
-rw-r--r-- | etc/gnome-twitch.profile | 1 | ||||
-rw-r--r-- | etc/open-invaders.profile | 1 | ||||
-rw-r--r-- | etc/pingus.profile | 1 | ||||
-rw-r--r-- | etc/simutrans.profile | 1 | ||||
-rw-r--r-- | etc/supertux2.profile | 2 | ||||
-rw-r--r-- | etc/terasology.profile | 2 |
10 files changed, 11 insertions, 4 deletions
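--- a/etc/asunder.profile
+++ b/etc/asunder.profile
@@ -10,8 +10,6 @@ noblacklist ${HOME}/.asunder_album_genre
 noblacklist ${HOME}/.asunder_album_title
 noblacklist ${HOME}/.asunder_album_artist
 
-
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -29,7 +27,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
-
 #private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
 private-dev
 private-tmp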
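--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+net none
 no3d
 nodvd
 nogroups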
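Review bot: With `net none` added after `caps.drop all`, the `netfilter` line directly above it looks redundant: the sandbox should end up with a fresh network namespace holding only loopback, so there is nothing left for the default firewall to filter. Dropping `netfilter` would make the profile say one thing (no network) rather than two. The rest of the profile is outside the hunk; if a `protocol` line elsewhere still lists `inet`/`inet6`, it may be worth tightening it to `unix` for the same reason.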
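--- a/etc/brasero.profile
+++ b/etc/brasero.profile
@@ -13,6 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+net none
 nogroups
 nonewprivs
 noroot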
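--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -10,6 +10,7 @@ blacklist /run/user/*/bus
 noblacklist ${HOME}/.frozen-bubble
 
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
@@ -29,6 +30,7 @@ protocol unix,netlink
 seccomp
 shell none
 
+disable-mnt
 # private-bin frozen-bubble
 private-dev
 # private-etc none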
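Review bot: The new `include /etc/firejail/disable-devel.inc` in the first hunk may block the game's own runtime: frozen-bubble is, as far as I know, a Perl program, and if disable-devel.inc in this tree blacklists interpreter paths, the sandboxed launch would fail. That include file is not shown on this page, so this needs a check: start the game under the updated profile, and if it breaks, add a matching `noblacklist` for the Perl paths above the include lines. A short comment next to such an exception would also explain why this profile differs from the other game profiles touched by the commit.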
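--- a/etc/gnome-twitch.profile
+++ b/etc/gnome-twitch.profile
@@ -30,6 +30,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
+disable-mnt
 private-dev
 private-tmp
 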
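--- a/etc/open-invaders.profile
+++ b/etc/open-invaders.profile
@@ -10,6 +10,7 @@ blacklist /run/user/*/bus
 noblacklist ${HOME}/.openinvaders
 
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 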
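--- a/etc/pingus.profile
+++ b/etc/pingus.profile
@@ -10,6 +10,7 @@ blacklist /run/user/*/bus
 noblacklist ${HOME}/.pingus
 
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 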
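--- a/etc/simutrans.profile
+++ b/etc/simutrans.profile
@@ -10,6 +10,7 @@ blacklist /run/user/*/bus
 noblacklist ${HOME}/.simutrans
 
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 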
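--- a/etc/supertux2.profile
+++ b/etc/supertux2.profile
@@ -10,6 +10,7 @@ blacklist /run/user/*/bus
 noblacklist ${HOME}/.local/share/supertux2
 
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
@@ -29,6 +30,7 @@ protocol unix,netlink
 seccomp
 shell none
 
+disable-mnt
 # private-bin supertux2
 private-dev
 # private-etc none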
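--- a/etc/terasology.profile
+++ b/etc/terasology.profile
@@ -1,7 +1,7 @@
 # Firejail profile for terasology
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/default.local
+include /etc/firejail/terasology.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 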