author | smitsohu <smitsohu@gmail.com> | 2017-08-31 23:18:45 +0200 |
committer | smitsohu <smitsohu@gmail.com> | 2017-08-31 23:18:45 +0200 |
commit | 24934a4710e2acd015292e41414e24a7c3197038 (patch) | |
tree | f27789958aa1ad06ad7967ab6b2d92a3918257a8 | |
parent | merges (diff) | |
improve servers, harden musescore
-rw-r--r-- | README | 2 | ||||
-rw-r--r-- | etc/cpio.profile | 2 | ||||
-rw-r--r-- | etc/cvlc.profile | 2 | ||||
-rw-r--r-- | etc/dnscrypt-proxy.profile | 7 | ||||
-rw-r--r-- | etc/dnsmasq.profile | 3 | ||||
-rw-r--r-- | etc/file.profile | 1 | ||||
-rw-r--r-- | etc/musescore.profile | 5 | ||||
-rw-r--r-- | etc/unbound.profile | 7 |
8 files changed, 25 insertions, 4 deletions
@@ -409,7 +409,7 @@ smithsohu (https://github.com/smitsohu) | |||
409 | - lots of profile hardening and fixes | 409 | - lots of profile hardening and fixes |
410 | - added MuseScore profile | 410 | - added MuseScore profile |
411 | - fixed device discovery for simple-scan | 411 | - fixed device discovery for simple-scan |
412 | - add novideo support in all profiles | 412 | - add novideo support in many profiles |
413 | soredake (https://github.com/soredake) | 413 | soredake (https://github.com/soredake) |
414 | - fix steam startup with >=llvm-4 | 414 | - fix steam startup with >=llvm-4 |
415 | SpotComms (https://github.com/SpotComms) | 415 | SpotComms (https://github.com/SpotComms) |
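--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -17,9 +17,9 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
-net none
 no3d
 nodvd
+nonewprivs
 nosound
 notv
 novideo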
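--- a/etc/cvlc.profile
+++ b/etc/cvlc.profile
@@ -5,7 +5,7 @@ include /etc/firejail/cvlc.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# clvc doesn't like private-bin
+# cvlc doesn't like private-bin
 ignore private-bin
 
 # Redirect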
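--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -5,6 +5,8 @@ include /etc/firejail/dnscrypt-proxy.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+blacklist /tmp/.X11-unix
+
 noblacklist /sbin
 noblacklist /usr/sbin
 
@@ -13,12 +15,17 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+caps
 no3d
 nodvd
+nonewprivs
 nosound
 notv
 novideo
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
 
+disable-mnt
 private
 private-dev
+
+memory-deny-write-execute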
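Review bot: The new `caps` line (new line 18) enables firejail's default capability filter, which keeps a sizeable set of capabilities a DNS proxy has no use for; if dnscrypt-proxy only binds its listening port and then drops to an unprivileged user, an explicit list such as `caps.keep net_bind_service,setuid,setgid` would be tighter — confirm against how the daemon is launched before narrowing, since a missing capability fails at startup. The hunk adds `nonewprivs` and `memory-deny-write-execute` but no `protocol` line; `protocol unix,inet,inet6` (the same mechanism file.profile uses with `protocol unix`) would confine the sandbox to the socket families a resolver needs. The carried-over `seccomp.drop` list on new line 25 names `perf_event_open` twice; removing the trailing duplicate is a harmless tidy-up. All three points apply verbatim to etc/unbound.profile, whose second hunk is identical.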
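--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -5,6 +5,8 @@ include /etc/firejail/dnsmasq.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+blacklist /tmp/.X11-unix
+
 noblacklist /sbin
 noblacklist /usr/sbin
 
@@ -14,7 +16,6 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps
-netfilter
 no3d
 nodvd
 nonewprivs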
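Review bot: Dropping `netfilter` (old line 17) deserves a comment, because read on its own the removal looks like a loosening rather than the server fix the commit title describes. Firejail's default netfilter ruleset admits only established/related inbound traffic, so it would presumably drop the unsolicited queries dnsmasq exists to answer whenever the profile is combined with `net`; that reasoning is what a future maintainer needs in order not to add it back. A one-line note in place of the removed entry, such as `# default netfilter ruleset blocks inbound queries; use netfilter <file> with a server ruleset if filtering is wanted`, records the intent.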
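--- a/etc/file.profile
+++ b/etc/file.profile
@@ -21,6 +21,7 @@ nogroups
 nonewprivs
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none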
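--- a/etc/musescore.profile
+++ b/etc/musescore.profile
@@ -10,6 +10,11 @@ noblacklist ~/.config/MuseScore
 noblacklist ~/.local/share/data/MusE
 noblacklist ~/.local/share/data/MuseScore
 
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
 caps.drop all
 netfilter
 no3d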
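--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -5,6 +5,8 @@ include /etc/firejail/unbound.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+blacklist /tmp/.X11-unix
+
 noblacklist /sbin
 noblacklist /usr/sbin
 
@@ -13,12 +15,17 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+caps
 no3d
 nodvd
+nonewprivs
 nosound
 notv
 novideo
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
 
+disable-mnt
 private
 private-dev
+
+memory-deny-write-execute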