Harden 50 profiles

Hardened many profiles using disable-mnt and novideo Fixed gnome-font-viewer
author: Tad <tad@spotco.us> 2017-07-04 10:51:43 -0400
committer: Tad <tad@spotco.us> 2017-07-04 11:35:29 -0400
commit: 5354f20012b488c50cd556e315b78ad351ae0f9d (patch)
tree: 89c737f738f8525da446786083473c249b8a9f79
parent: per-profile disable-mnt (diff)
download: firejail-5354f20012b488c50cd556e315b78ad351ae0f9d.tar.gz
firejail-5354f20012b488c50cd556e315b78ad351ae0f9d.tar.zst
firejail-5354f20012b488c50cd556e315b78ad351ae0f9d.zip
51 files changed, 149 insertions, 17 deletions
diff --git a/etc/0ad.profile b/etc/0ad.profile
index e946c1418..a564d0a09 100644
--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -37,3 +37,4 @@ tracelog
 private-dev
 private-tmp
+disable-mnt
diff --git a/etc/arduino.profile b/etc/arduino.profile
index 2d7d92856..60c071c01 100644
--- a/etc/arduino.profile
+++ b/etc/arduino.profile
@@ -22,6 +22,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/brave.profile b/etc/brave.profile
index 9dac688c2..e73dd37a2 100644
--- a/etc/brave.profile
+++ b/etc/brave.profile
@@ -23,6 +23,8 @@ netfilter
 #protocol unix,inet,inet6,netlink
 #seccomp
+#disable-mnt
 whitelist ${DOWNLOADS}
 mkdir ~/.config/brave
diff --git a/etc/chromium.profile b/etc/chromium.profile
index 2728bf74a..330c455b6 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -35,6 +35,7 @@ shell none
 private-dev
 #private-tmp - problems with multiple browser sessions
+#disable-mnt
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/dino.profile b/etc/dino.profile
index 6d63e894e..94563fa1d 100644
--- a/etc/dino.profile
+++ b/etc/dino.profile
@@ -35,6 +35,7 @@ private-bin dino
 #private-etc fonts #breaks server connection
 private-dev
 private-tmp
+disable-mnt
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile
index 317efdd9a..797f093a1 100644
--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -22,3 +22,5 @@ nosound
 no3d
 protocol unix,inet,inet6,netlink
 seccomp
+disable-mnt
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index 49b65c91d..72d00b4ce 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -20,6 +20,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 70b41a240..aff6e8334 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -71,6 +71,7 @@ include /etc/firejail/whitelist-common.inc
 # private-dev might prevent video calls going out
 private-dev
 private-tmp
+#disable-mnt
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/gajim.profile b/etc/gajim.profile
index b2d68a9be..a3deb2c73 100644
--- a/etc/gajim.profile
+++ b/etc/gajim.profile
@@ -43,3 +43,4 @@ shell none
 #private-etc fonts
 private-dev
 #private-tmp
+disable-mnt
diff --git a/etc/gnome-2048.profile b/etc/gnome-2048.profile
index 0e757a06f..5e0dfc2a1 100644
--- a/etc/gnome-2048.profile
+++ b/etc/gnome-2048.profile
@@ -26,7 +26,17 @@ include /etc/firejail/whitelist-common.inc
 #Options
 caps.drop all
 netfilter
+no3d
 nonewprivs
 noroot
+#nosound
+novideo
 protocol unix,inet,inet6
 seccomp
+private-dev
+private-tmp
+disable-mnt
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile
index 07431e51b..af6da6cd4 100644
--- a/etc/gnome-books.profile
+++ b/etc/gnome-books.profile
@@ -16,10 +16,12 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 netfilter
@@ -30,3 +32,6 @@ tracelog
 private-tmp
 private-dev
 #private-etc fonts
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index bdc450dfe..e64f62b70 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -34,6 +34,7 @@ private-bin gnome-calculator
 private-dev
 #private-etc fonts
 private-tmp
+disable-mnt
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile
index 9ff978803..8c098d592 100644
--- a/etc/gnome-chess.profile
+++ b/etc/gnome-chess.profile
@@ -14,10 +14,12 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
@@ -27,3 +29,7 @@ private-bin fairymax,gnome-chess,hoichess
 private-dev
 private-etc fonts,gnome-chess
 private-tmp
+disable-mnt
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile
index 40df92454..129bd6e71 100644
--- a/etc/gnome-clocks.profile
+++ b/etc/gnome-clocks.profile
@@ -12,10 +12,11 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+no3d
 nogroups
 nonewprivs
 noroot
-nosound
+novideo
 protocol unix,inet,inet6
 seccomp
 netfilter
@@ -26,3 +27,7 @@ tracelog
 private-tmp
 private-dev
 # private-etc fonts
+disable-mnt
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gnome-contacts.profile b/etc/gnome-contacts.profile
index 55817323d..9164f6360 100644
--- a/etc/gnome-contacts.profile
+++ b/etc/gnome-contacts.profile
@@ -20,7 +20,17 @@ include /etc/firejail/whitelist-common.inc
 #Options
 caps.drop all
 netfilter
+no3d
 nonewprivs
 noroot
+nosound
+novideo
 protocol unix,inet,inet6
 seccomp
+private-dev
+private-tmp
+disable-mnt
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gnome-documents.profile b/etc/gnome-documents.profile
index 03277e6e1..5d2a90b64 100644
--- a/etc/gnome-documents.profile
+++ b/etc/gnome-documents.profile
@@ -17,10 +17,12 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 netfilter
@@ -29,3 +31,6 @@ tracelog
 private-tmp
 private-dev
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gnome-font-viewer.profile b/etc/gnome-font-viewer.profile
index 3ea1b6b33..605dafc62 100644
--- a/etc/gnome-font-viewer.profile
+++ b/etc/gnome-font-viewer.profile
@@ -5,25 +5,26 @@ include /etc/firejail/globals.local
 # Persistent customizations should go in a .local file.
 include /etc/firejail/gnome-font-viewer.local
-private
+#Blacklist Paths
-#include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-common.inc
-#include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-programs.inc
-#include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+#Options
 caps.drop all
 netfilter
+no3d
 nonewprivs
 noroot
+nosound
+novideo
 protocol unix,inet,inet6
 seccomp
-#
+private-dev
-# depending on your usage, you can enable some of the commands below: 
+private-tmp
-#
+disable-mnt
-nogroups
-shell none
+noexec ${HOME}
-# private-bin program
+noexec /tmp
-# private-etc none
-# private-dev
-# private-tmp
-nosound
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile
index 1494c1493..8c7310fa9 100644
--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -19,6 +19,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6
 seccomp
 netfilter
@@ -29,3 +30,7 @@ tracelog
 private-tmp
 private-dev
 # private-etc fonts
+disable-mnt
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile
index 4216791e3..51b3279f3 100644
--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -22,3 +22,7 @@ shell none
 # private-bin gnome-mplayer,mplayer
 private-dev
 private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile
index 44931576f..abdb6bfb5 100644
--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -14,9 +14,11 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+no3d
 nogroups
 nonewprivs
 noroot
+novideo
 protocol unix
 seccomp
 netfilter
@@ -27,3 +29,7 @@ tracelog
 private-tmp
 private-dev
 # private-etc fonts
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile
index 6ee2ccf82..93823d0f4 100644
--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@@ -31,3 +31,6 @@ tracelog
 private-tmp
 private-dev
 # private-etc fonts
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile
index 9a2c4d553..815fba7ca 100644
--- a/etc/gnome-weather.profile
+++ b/etc/gnome-weather.profile
@@ -16,10 +16,12 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6
 seccomp
 netfilter
@@ -30,3 +32,7 @@ tracelog
 private-tmp
 private-dev
 # private-etc fonts
+disable-mnt
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile
index 5848640af..a5c23d0aa 100644
--- a/etc/hedgewars.profile
+++ b/etc/hedgewars.profile
@@ -23,6 +23,7 @@ tracelog
 private-dev
 private-tmp
+disable-mnt
 mkdir     ~/.hedgewars
 whitelist ~/.hedgewars
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index ebfd9224c..36ddb9e89 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -22,6 +22,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
@@ -35,6 +36,7 @@ private-bin hexchat
 #debug note: private-bin requires perl, python, etc on some systems
 private-dev
 private-tmp
+disable-mnt
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
index 2520babb1..a96eedee6 100644
--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -27,6 +27,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/jitsi.profile b/etc/jitsi.profile
index 642ad6cc2..59459b5e9 100644
--- a/etc/jitsi.profile
+++ b/etc/jitsi.profile
@@ -22,3 +22,4 @@ shell none
 tracelog
 private-tmp
+disable-mnt
diff --git a/etc/kodi.profile b/etc/kodi.profile
index 132a0044c..ea4020232 100644
--- a/etc/kodi.profile
+++ b/etc/kodi.profile
@@ -19,6 +19,7 @@ netfilter
 nogroups
 nonewprivs
 noroot
+#novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
diff --git a/etc/less.profile b/etc/less.profile
index dd63d3e2e..9d4eb3fcf 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -11,11 +11,15 @@ ignore noroot
 include /etc/firejail/default.profile
 net none
-nosound
 no3d
+nosound
+novideo
 shell none
 tracelog
 blacklist /tmp/.X11-unix
 private-dev
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/lollypop.profile b/etc/lollypop.profile
index 6494ccc6b..4be7721e3 100644
--- a/etc/lollypop.profile
+++ b/etc/lollypop.profile
@@ -26,6 +26,7 @@ no3d
 nogroups
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/meld.profile b/etc/meld.profile
index 0ec737989..bc4cd8356 100644
--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -22,6 +22,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/multimc5.profile b/etc/multimc5.profile
index c5a2eb525..e45ab9cba 100644
--- a/etc/multimc5.profile
+++ b/etc/multimc5.profile
@@ -33,12 +33,14 @@ netfilter
 nogroups
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 #seccomp
 shell none
 private-dev
 private-tmp
+disable-mnt
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/mumble.profile b/etc/mumble.profile
index d92156ebb..7303ac65a 100644
--- a/etc/mumble.profile
+++ b/etc/mumble.profile
@@ -33,6 +33,7 @@ tracelog
 private-bin mumble
 private-tmp
+disable-mnt
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
index 36694dcc6..611ca3775 100644
--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -25,6 +25,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/pithos.profile b/etc/pithos.profile
index 67b8ee7e4..c08f27f17 100644
--- a/etc/pithos.profile
+++ b/etc/pithos.profile
@@ -25,12 +25,14 @@ no3d
 nogroups
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
 private-dev
 private-tmp
+disable-mnt
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/polari.profile b/etc/polari.profile
index 1a82f2819..657139b6b 100644
--- a/etc/polari.profile
+++ b/etc/polari.profile
@@ -38,6 +38,7 @@ tracelog
 private-dev
 private-tmp
+disable-mnt
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/qtox.profile b/etc/qtox.profile
index 7601372ca..cc2a45bb2 100644
--- a/etc/qtox.profile
+++ b/etc/qtox.profile
@@ -34,3 +34,4 @@ noexec /tmp
 private-bin qtox
 private-tmp
+disable-mnt
diff --git a/etc/quiterss.profile b/etc/quiterss.profile
index 4a852bc67..c8112f064 100644
--- a/etc/quiterss.profile
+++ b/etc/quiterss.profile
@@ -39,5 +39,6 @@ tracelog
 private-bin quiterss
 private-dev
 #private-etc X11,ssl
+disable-mnt
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index 192382f77..930a8fed5 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -13,9 +13,11 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
+#no3d
 nogroups
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
@@ -24,3 +26,6 @@ tracelog
 private-bin rhythmbox
 private-dev
 private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/skype.profile b/etc/skype.profile
index 67cacea63..8b97c7152 100644
--- a/etc/skype.profile
+++ b/etc/skype.profile
@@ -17,3 +17,9 @@ nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+private-tmp
+disable-mnt
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile
index bcdb251dd..71bc1b9a6 100644
--- a/etc/skypeforlinux.profile
+++ b/etc/skypeforlinux.profile
@@ -16,3 +16,9 @@ netfilter
 noroot
 seccomp
 protocol unix,inet,inet6,netlink
+private-tmp
+disable-mnt
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/slack.profile b/etc/slack.profile
index 7cde1067e..a68717ea3 100644
--- a/etc/slack.profile
+++ b/etc/slack.profile
@@ -30,6 +30,7 @@ private-bin slack
 private-dev
 private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime
 private-tmp
+disable-mnt
 mkdir ${HOME}/.config
 mkdir ${HOME}/.config/Slack
diff --git a/etc/spotify.profile b/etc/spotify.profile
index e7890d23f..07103b112 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -38,6 +38,7 @@ private-bin spotify,bash,sh,dash
 private-etc fonts,machine-id,pulse,resolv.conf
 private-dev
 private-tmp
+disable-mnt
 blacklist ${HOME}/.bashrc
 blacklist /boot
diff --git a/etc/steam.profile b/etc/steam.profile
index 7e806c2ad..e2dc6216b 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -25,6 +25,7 @@ netfilter
 nogroups
 nonewprivs
 noroot
+#novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
diff --git a/etc/stellarium.profile b/etc/stellarium.profile
index 78c442a4a..00579f8fd 100644
--- a/etc/stellarium.profile
+++ b/etc/stellarium.profile
@@ -33,3 +33,4 @@ tracelog
 private-bin stellarium
 private-dev
 private-tmp
+disable-mnt
diff --git a/etc/strings.profile b/etc/strings.profile
index a9301c652..af49feb04 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -11,9 +11,10 @@ ignore noroot
 include /etc/firejail/default.profile
 net none
+no3d
 nosound
+novideo
 shell none
 tracelog
 private-dev
-no3d
 blacklist /tmp/.X11-unix
diff --git a/etc/telegram.profile b/etc/telegram.profile
index 2d3325a94..5282789ce 100644
--- a/etc/telegram.profile
+++ b/etc/telegram.profile
@@ -17,3 +17,9 @@ nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+private-tmp
+disable-mnt
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile
index 6f3f0bd15..767824d8d 100644
--- a/etc/warzone2100.profile
+++ b/etc/warzone2100.profile
@@ -32,3 +32,4 @@ tracelog
 private-bin warzone2100
 private-dev
 private-tmp
+disable-mnt
diff --git a/etc/wget.profile b/etc/wget.profile
index b5ba8b196..1b09eac26 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -20,6 +20,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/wire.profile b/etc/wire.profile
index 1fdd8b018..71147ebc1 100644
--- a/etc/wire.profile
+++ b/etc/wire.profile
@@ -25,6 +25,7 @@ shell none
 private-tmp
 private-dev
+disable-mnt
 # Note: the current beta version of wire is located in /opt/Wire/wire and therefore not in PATH.
 # To use wire with firejail run "firejail /opt/Wire/wire"
diff --git a/etc/xonotic.profile b/etc/xonotic.profile
index b9115b70a..611c7b379 100644
--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -37,6 +37,7 @@ shell none
 private-bin xonotic-sdl,xonotic-glx,blind-id
 private-dev
 private-tmp
+disable-mnt
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile
index 90ed12b3b..a58617ddf 100644
--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -22,6 +22,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
author	Tad <tad@spotco.us>	2017-07-04 10:51:43 -0400
committer	Tad <tad@spotco.us>	2017-07-04 11:35:29 -0400
commit	5354f20012b488c50cd556e315b78ad351ae0f9d (patch)
tree	89c737f738f8525da446786083473c249b8a9f79
parent	per-profile disable-mnt (diff)
download	firejail-5354f20012b488c50cd556e315b78ad351ae0f9d.tar.gz firejail-5354f20012b488c50cd556e315b78ad351ae0f9d.tar.zst firejail-5354f20012b488c50cd556e315b78ad351ae0f9d.zip