author | rusty-snake <print_hello_world+Public@protonmail.com> | 2019-04-12 19:01:38 +0200 |
committer | rusty-snake <print_hello_world+Public@protonmail.com> | 2019-04-12 19:01:38 +0200 |
commit | 53dff25d69ad0d1a83dea3ce19d2d54210025f20 (patch) | |
tree | 7fddb0caa3e97f2c9a0e416a318b653f0495f2b8 | |
parent | adding disable-exec.inc to the remaining profiles (diff) | |
Harden bibletime.profile
-rw-r--r-- | README | 5 | ||||
-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | RELNOTES | 2 | ||||
-rw-r--r-- | etc/bibletime.profile | 7 |
4 files changed, 11 insertions, 5 deletions
@@ -544,13 +544,14 @@ rusty-snake (https://github.com/rusty-snake) | |||
544 | - added profiles: thunderbird-wayland, supertuxkart, ghostwriter | 544 | - added profiles: thunderbird-wayland, supertuxkart, ghostwriter |
545 | - added profiles: klavaro, mypaint, mypaint-ora-thumbnailer, nano | 545 | - added profiles: klavaro, mypaint, mypaint-ora-thumbnailer, nano |
546 | - added profiles: gajim-history-manager, freemind, nomacs, kid3 | 546 | - added profiles: gajim-history-manager, freemind, nomacs, kid3 |
547 | - added profiles: kid3-qt, kid3-cli, anki | 547 | - added profiles: kid3-qt, kid3-cli, anki, utox |
548 | - fixed profiles: kdenlive, bibletime, rhythmbox, gajim, seahorse | 548 | - fixed profiles: kdenlive, bibletime, rhythmbox, gajim, seahorse |
549 | - fixed profiles: libreoffice, gnome-maps, wget, seahorse-tool | 549 | - fixed profiles: libreoffice, gnome-maps, wget, seahorse-tool |
550 | - fixed profiles: gnome-logs | 550 | - fixed profiles: gnome-logs, klavaro |
551 | - hardened profiles: disable-common.inc, disable-programs.inc | 551 | - hardened profiles: disable-common.inc, disable-programs.inc |
552 | - hardened profiles: gajim, evince, ffmpeg, feh-network.inc, qtox | 552 | - hardened profiles: gajim, evince, ffmpeg, feh-network.inc, qtox |
553 | - hardened profiles: gnome-clocks, meld, minetest, youtube-dl | 553 | - hardened profiles: gnome-clocks, meld, minetest, youtube-dl |
554 | - hardened profiles: bibletime | ||
554 | - gnome-mpv was renamed to celluloid | 555 | - gnome-mpv was renamed to celluloid |
555 | - updates for ~/.cargo and ~/.python-history | 556 | - updates for ~/.cargo and ~/.python-history |
556 | Salvo 'LtWorf' Tomaselli (https://github.com/ltworf) | 557 | Salvo 'LtWorf' Tomaselli (https://github.com/ltworf) |
@@ -102,4 +102,4 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
102 | ## Current development version: 0.9.59 | 102 | ## Current development version: 0.9.59 |
103 | 103 | ||
104 | ## New profiles: | 104 | ## New profiles: |
105 | anki, assogiate, autokey-gtk, autokey-qt, autokey-run, autokey-shell, bzflag, celluoid, code-oss, crawl, crawl-tiles, crow, d-feet, dconf, dconf-editor, devhelp, exfalso, font-manager, freeciv, freecol, freemind, gconf-editor, geekbench, gnome-keyring, gnome-nettool, gnome-system-log, gsettings, kid3, kid3-cli, kid3-qt, klavaro, lincity-ng, lugaru, Maelstrom, manaplus, megaglest, mpdris2, mypaint, nano, netactview, nomacs, nyx, opencity, openclonk, openttd, ostrichriders, pavucontrol, pioneer, pragha, redshift, regextester, seahorse, seahorse-tool, scorched3d, secret-tool, simplescreenrecorder, slashem, subdownloader, sysprof, sysprof-cli, teeworlds, torcs, tremulous, transgui, vulturesclaw, vultureseye, warsow, widelands, xfce4-mixer | 105 | anki, assogiate, autokey-gtk, autokey-qt, autokey-run, autokey-shell, bzflag, celluoid, code-oss, crawl, crawl-tiles, crow, d-feet, dconf, dconf-editor, devhelp, exfalso, font-manager, freeciv, freecol, freemind, gconf-editor, geekbench, gnome-keyring, gnome-nettool, gnome-system-log, gsettings, kid3, kid3-cli, kid3-qt, klavaro, lincity-ng, lugaru, Maelstrom, manaplus, megaglest, mpdris2, mypaint, nano, netactview, nomacs, nyx, opencity, openclonk, openttd, ostrichriders, pavucontrol, pioneer, pragha, redshift, regextester, seahorse, seahorse-tool, scorched3d, secret-tool, simplescreenrecorder, slashem, subdownloader, sysprof, sysprof-cli, teeworlds, torcs, tremulous, transgui, utox, vulturesclaw, vultureseye, warsow, widelands, xfce4-mixer |
@@ -11,7 +11,7 @@ firejail (0.9.59) baseline; urgency=low | |||
11 | * new profiles: teeworlds, torcs, tremulous, warsow, lugaru, manaplus | 11 | * new profiles: teeworlds, torcs, tremulous, warsow, lugaru, manaplus |
12 | * new profiles: pioneer, scorched3d, widelands, freemind, kid3, kid3-qt | 12 | * new profiles: pioneer, scorched3d, widelands, freemind, kid3, kid3-qt |
13 | * new profiles: kid3-cli, nomacs, freecol, opencity, openclonk, slashem | 13 | * new profiles: kid3-cli, nomacs, freecol, opencity, openclonk, slashem |
14 | * new profiles: vultureseye, vulturesclaw, anki | 14 | * new profiles: vultureseye, vulturesclaw, anki, utox |
15 | * new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell | 15 | * new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell |
16 | * memory-deny-write-execute now also blocks memfd_create | 16 | * memory-deny-write-execute now also blocks memfd_create |
17 | * drop support for flatpak/snap packages | 17 | * drop support for flatpak/snap packages |
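diff --git a/etc/bibletime.profile b/etc/bibletime.profile
index 6e40054f7..c41aafd47 100644
--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -14,6 +14,7 @@ noblacklist ${HOME}/.local/share/bibletime
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -25,7 +26,9 @@ whitelist ${HOME}/.bibletime
 whitelist ${HOME}/.sword
 whitelist ${HOME}/.local/share/bibletime
 include whitelist-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 machine-id
 netfilter
@@ -42,7 +45,9 @@ protocol unix,inet,inet6,netlink
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
 
+disable-mnt
 # private-bin bibletime,qt5ct
+private-cache
 private-dev
-private-etc alternatives,fonts,resolv.conf,sword,sword.conf,passwd,machine-id,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,ca-certificates,crypto-policies,fonts,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf
 private-tmp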
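Review bot: The `private-etc` line at new line 52 re-sorts the whole list and, in the same edit, adds `login.defs`, and neither the profile nor the commit message says why that file is now needed; a one-line profile comment above it such as `# login.defs: required by <component> — TODO confirm` (or a sentence in the commit message) would keep the one functional change from being lost in the reorder. The `apparmor` directive at new line 31 only adds a layer when the host has firejail's AppArmor profile loaded; it is worth confirming and documenting whether firejail refuses to start or silently continues without it, since the hardening the profile claims differs in the two cases. With `private-bin` at line 49 still commented out, `disable-exec.inc` (new line 17) limits execution from writable locations but does not narrow the set of system binaries visible to the sandbox, which is fine if that is the intended scope.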