diff options
| author |  Tad <tad@spotco.us> | 2018-09-19 15:32:18 -0400 |
|---|---|---|
| committer | Tad <tad@spotco.us> | 2018-09-19 15:32:48 -0400 |
| commit | c0ba48bec1bc11c98cbac3c6cc9fdf117dcb98d1 (patch) | |
| tree | 83e0f2b4020db3c9ae6c0501aab2d30f56df086e | |
| parent | 0.9.56 released (diff) | |
| download | firejail-c0ba48bec1bc11c98cbac3c6cc9fdf117dcb98d1.tar.gz firejail-c0ba48bec1bc11c98cbac3c6cc9fdf117dcb98d1.tar.zst firejail-c0ba48bec1bc11c98cbac3c6cc9fdf117dcb98d1.zip | |
Misc profile hardening
| -rw-r--r-- | etc/android-studio.profile | 2 | ||||
| -rw-r--r-- | etc/apktool.profile | 2 | ||||
| -rw-r--r-- | etc/bless.profile | 2 | ||||
| -rw-r--r-- | etc/dex2jar.profile | 2 | ||||
| -rw-r--r-- | etc/gitg.profile | 2 | ||||
| -rw-r--r-- | etc/jd-gui.profile | 2 | ||||
| -rw-r--r-- | etc/liferea.profile | 1 | ||||
| -rw-r--r-- | etc/lollypop.profile | 2 | ||||
| -rw-r--r-- | etc/meld.profile | 2 | ||||
| -rw-r--r-- | etc/minetest.profile | 2 | ||||
| -rw-r--r-- | etc/mumble.profile | 1 | ||||
| -rw-r--r-- | etc/patch.profile | 2 | ||||
| -rw-r--r-- | etc/picard.profile | 2 | ||||
| -rw-r--r-- | etc/pithos.profile | 1 | ||||
| -rw-r--r-- | etc/remmina.profile | 2 | ||||
| -rw-r--r-- | etc/sdat2img.profile | 2 | ||||
| -rw-r--r-- | etc/shellcheck.profile | 2 | ||||
| -rw-r--r-- | etc/soundconverter.profile | 2 | ||||
| -rw-r--r-- | etc/sqlitebrowser.profile | 2 | ||||
| -rw-r--r-- | etc/vlc.profile | 2 | ||||
| -rw-r--r-- | etc/xonotic.profile | 1 |
21 files changed, 37 insertions, 1 deletions
diff --git a/etc/android-studio.profile b/etc/android-studio.profile index d845bd4b9..8f5cd56cc 100644 --- a/etc/android-studio.profile +++ b/etc/android-studio.profile | |||
| @@ -20,6 +20,8 @@ include /etc/firejail/disable-common.inc | |||
| 20 | include /etc/firejail/disable-passwdmgr.inc | 20 | include /etc/firejail/disable-passwdmgr.inc |
| 21 | include /etc/firejail/disable-programs.inc | 21 | include /etc/firejail/disable-programs.inc |
| 22 | 22 | ||
| 23 | include /etc/firejail/whitelist-var-common.inc | ||
| 24 | |||
| 23 | caps.drop all | 25 | caps.drop all |
| 24 | netfilter | 26 | netfilter |
| 25 | nodvd | 27 | nodvd |
diff --git a/etc/apktool.profile b/etc/apktool.profile index 2043cf5af..d157b1478 100644 --- a/etc/apktool.profile +++ b/etc/apktool.profile | |||
| @@ -12,6 +12,8 @@ include /etc/firejail/disable-passwdmgr.inc | |||
| 12 | include /etc/firejail/disable-programs.inc | 12 | include /etc/firejail/disable-programs.inc |
| 13 | include /etc/firejail/disable-xdg.inc | 13 | include /etc/firejail/disable-xdg.inc |
| 14 | 14 | ||
| 15 | include /etc/firejail/whitelist-var-common.inc | ||
| 16 | |||
| 15 | caps.drop all | 17 | caps.drop all |
| 16 | net none | 18 | net none |
| 17 | no3d | 19 | no3d |
diff --git a/etc/bless.profile b/etc/bless.profile index 01f75b00d..0da3436e8 100644 --- a/etc/bless.profile +++ b/etc/bless.profile | |||
| @@ -14,6 +14,8 @@ include /etc/firejail/disable-interpreters.inc | |||
| 14 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
| 15 | include /etc/firejail/disable-programs.inc | 15 | include /etc/firejail/disable-programs.inc |
| 16 | 16 | ||
| 17 | include /etc/firejail/whitelist-var-common.inc | ||
| 18 | |||
| 17 | caps.drop all | 19 | caps.drop all |
| 18 | net none | 20 | net none |
| 19 | no3d | 21 | no3d |
diff --git a/etc/dex2jar.profile b/etc/dex2jar.profile index b61d68e06..da59fc71a 100644 --- a/etc/dex2jar.profile +++ b/etc/dex2jar.profile | |||
| @@ -19,6 +19,8 @@ include /etc/firejail/disable-passwdmgr.inc | |||
| 19 | include /etc/firejail/disable-programs.inc | 19 | include /etc/firejail/disable-programs.inc |
| 20 | include /etc/firejail/disable-xdg.inc | 20 | include /etc/firejail/disable-xdg.inc |
| 21 | 21 | ||
| 22 | include /etc/firejail/whitelist-var-common.inc | ||
| 23 | |||
| 22 | caps.drop all | 24 | caps.drop all |
| 23 | net none | 25 | net none |
| 24 | no3d | 26 | no3d |
diff --git a/etc/gitg.profile b/etc/gitg.profile index 5a7349eb1..87d8c0a1f 100644 --- a/etc/gitg.profile +++ b/etc/gitg.profile | |||
| @@ -16,6 +16,8 @@ include /etc/firejail/disable-interpreters.inc | |||
| 16 | include /etc/firejail/disable-passwdmgr.inc | 16 | include /etc/firejail/disable-passwdmgr.inc |
| 17 | include /etc/firejail/disable-programs.inc | 17 | include /etc/firejail/disable-programs.inc |
| 18 | 18 | ||
| 19 | include /etc/firejail/whitelist-var-common.inc | ||
| 20 | |||
| 19 | caps.drop all | 21 | caps.drop all |
| 20 | no3d | 22 | no3d |
| 21 | nodvd | 23 | nodvd |
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile index 81e538153..3a280dab7 100644 --- a/etc/jd-gui.profile +++ b/etc/jd-gui.profile | |||
| @@ -21,6 +21,8 @@ include /etc/firejail/disable-passwdmgr.inc | |||
| 21 | include /etc/firejail/disable-programs.inc | 21 | include /etc/firejail/disable-programs.inc |
| 22 | include /etc/firejail/disable-xdg.inc | 22 | include /etc/firejail/disable-xdg.inc |
| 23 | 23 | ||
| 24 | include /etc/firejail/whitelist-var-common.inc | ||
| 25 | |||
| 24 | caps.drop all | 26 | caps.drop all |
| 25 | net none | 27 | net none |
| 26 | no3d | 28 | no3d |
diff --git a/etc/liferea.profile b/etc/liferea.profile index 673182c10..04c649121 100644 --- a/etc/liferea.profile +++ b/etc/liferea.profile | |||
| @@ -29,6 +29,7 @@ whitelist ${HOME}/.cache/liferea | |||
| 29 | whitelist ${HOME}/.config/liferea | 29 | whitelist ${HOME}/.config/liferea |
| 30 | whitelist ${HOME}/.local/share/liferea | 30 | whitelist ${HOME}/.local/share/liferea |
| 31 | include /etc/firejail/whitelist-common.inc | 31 | include /etc/firejail/whitelist-common.inc |
| 32 | include /etc/firejail/whitelist-var-common.inc | ||
| 32 | 33 | ||
| 33 | caps.drop all | 34 | caps.drop all |
| 34 | netfilter | 35 | netfilter |
diff --git a/etc/lollypop.profile b/etc/lollypop.profile index 0f8f49488..efd40e899 100644 --- a/etc/lollypop.profile +++ b/etc/lollypop.profile | |||
| @@ -22,6 +22,8 @@ include /etc/firejail/disable-passwdmgr.inc | |||
| 22 | include /etc/firejail/disable-programs.inc | 22 | include /etc/firejail/disable-programs.inc |
| 23 | include /etc/firejail/disable-xdg.inc | 23 | include /etc/firejail/disable-xdg.inc |
| 24 | 24 | ||
| 25 | include /etc/firejail/whitelist-var-common.inc | ||
| 26 | |||
| 25 | caps.drop all | 27 | caps.drop all |
| 26 | netfilter | 28 | netfilter |
| 27 | no3d | 29 | no3d |
diff --git a/etc/meld.profile b/etc/meld.profile index 00d5c6caa..1a7935800 100644 --- a/etc/meld.profile +++ b/etc/meld.profile | |||
| @@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc | |||
| 13 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | 14 | include /etc/firejail/disable-programs.inc |
| 15 | 15 | ||
| 16 | include /etc/firejail/whitelist-var-common.inc | ||
| 17 | |||
| 16 | caps.drop all | 18 | caps.drop all |
| 17 | net none | 19 | net none |
| 18 | no3d | 20 | no3d |
diff --git a/etc/minetest.profile b/etc/minetest.profile index 7de546791..3e06b6d30 100644 --- a/etc/minetest.profile +++ b/etc/minetest.profile | |||
| @@ -17,10 +17,12 @@ include /etc/firejail/disable-programs.inc | |||
| 17 | mkdir ${HOME}/.minetest | 17 | mkdir ${HOME}/.minetest |
| 18 | whitelist ${HOME}/.minetest | 18 | whitelist ${HOME}/.minetest |
| 19 | include /etc/firejail/whitelist-common.inc | 19 | include /etc/firejail/whitelist-common.inc |
| 20 | include /etc/firejail/whitelist-var-common.inc | ||
| 20 | 21 | ||
| 21 | caps.drop all | 22 | caps.drop all |
| 22 | ipc-namespace | 23 | ipc-namespace |
| 23 | netfilter | 24 | netfilter |
| 25 | nodbus | ||
| 24 | nodvd | 26 | nodvd |
| 25 | nogroups | 27 | nogroups |
| 26 | nonewprivs | 28 | nonewprivs |
diff --git a/etc/mumble.profile b/etc/mumble.profile index f894acb57..c5af9aa42 100644 --- a/etc/mumble.profile +++ b/etc/mumble.profile | |||
| @@ -20,6 +20,7 @@ mkdir ${HOME}/.local/share/data/Mumble | |||
| 20 | whitelist ${HOME}/.config/Mumble | 20 | whitelist ${HOME}/.config/Mumble |
| 21 | whitelist ${HOME}/.local/share/data/Mumble | 21 | whitelist ${HOME}/.local/share/data/Mumble |
| 22 | include /etc/firejail/whitelist-common.inc | 22 | include /etc/firejail/whitelist-common.inc |
| 23 | include /etc/firejail/whitelist-var-common.inc | ||
| 23 | 24 | ||
| 24 | caps.drop all | 25 | caps.drop all |
| 25 | netfilter | 26 | netfilter |
diff --git a/etc/patch.profile b/etc/patch.profile index d4058d6e7..8fa6ac966 100644 --- a/etc/patch.profile +++ b/etc/patch.profile | |||
| @@ -15,6 +15,8 @@ include /etc/firejail/disable-interpreters.inc | |||
| 15 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
| 16 | include /etc/firejail/disable-xdg.inc | 16 | include /etc/firejail/disable-xdg.inc |
| 17 | 17 | ||
| 18 | include /etc/firejail/whitelist-var-common.inc | ||
| 19 | |||
| 18 | caps.drop all | 20 | caps.drop all |
| 19 | ipc-namespace | 21 | ipc-namespace |
| 20 | net none | 22 | net none |
diff --git a/etc/picard.profile b/etc/picard.profile index 2cc0b5c68..8474eeda6 100644 --- a/etc/picard.profile +++ b/etc/picard.profile | |||
| @@ -23,6 +23,8 @@ include /etc/firejail/disable-passwdmgr.inc | |||
| 23 | include /etc/firejail/disable-programs.inc | 23 | include /etc/firejail/disable-programs.inc |
| 24 | include /etc/firejail/disable-xdg.inc | 24 | include /etc/firejail/disable-xdg.inc |
| 25 | 25 | ||
| 26 | include /etc/firejail/whitelist-var-common.inc | ||
| 27 | |||
| 26 | caps.drop all | 28 | caps.drop all |
| 27 | no3d | 29 | no3d |
| 28 | nodvd | 30 | nodvd |
diff --git a/etc/pithos.profile b/etc/pithos.profile index e5af9c973..cbe7ac9c6 100644 --- a/etc/pithos.profile +++ b/etc/pithos.profile | |||
| @@ -20,6 +20,7 @@ include /etc/firejail/disable-programs.inc | |||
| 20 | include /etc/firejail/disable-xdg.inc | 20 | include /etc/firejail/disable-xdg.inc |
| 21 | 21 | ||
| 22 | include /etc/firejail/whitelist-common.inc | 22 | include /etc/firejail/whitelist-common.inc |
| 23 | include /etc/firejail/whitelist-var-common.inc | ||
| 23 | 24 | ||
| 24 | caps.drop all | 25 | caps.drop all |
| 25 | netfilter | 26 | netfilter |
diff --git a/etc/remmina.profile b/etc/remmina.profile index 5078000bb..51c0f2d17 100644 --- a/etc/remmina.profile +++ b/etc/remmina.profile | |||
| @@ -18,6 +18,8 @@ include /etc/firejail/disable-passwdmgr.inc | |||
| 18 | include /etc/firejail/disable-programs.inc | 18 | include /etc/firejail/disable-programs.inc |
| 19 | include /etc/firejail/disable-xdg.inc | 19 | include /etc/firejail/disable-xdg.inc |
| 20 | 20 | ||
| 21 | include /etc/firejail/whitelist-var-common.inc | ||
| 22 | |||
| 21 | caps.drop all | 23 | caps.drop all |
| 22 | nodvd | 24 | nodvd |
| 23 | nogroups | 25 | nogroups |
diff --git a/etc/sdat2img.profile b/etc/sdat2img.profile index e318dd568..a2a54f838 100644 --- a/etc/sdat2img.profile +++ b/etc/sdat2img.profile | |||
| @@ -19,6 +19,8 @@ include /etc/firejail/disable-passwdmgr.inc | |||
| 19 | include /etc/firejail/disable-programs.inc | 19 | include /etc/firejail/disable-programs.inc |
| 20 | include /etc/firejail/disable-xdg.inc | 20 | include /etc/firejail/disable-xdg.inc |
| 21 | 21 | ||
| 22 | include /etc/firejail/whitelist-var-common.inc | ||
| 23 | |||
| 22 | caps.drop all | 24 | caps.drop all |
| 23 | net none | 25 | net none |
| 24 | no3d | 26 | no3d |
diff --git a/etc/shellcheck.profile b/etc/shellcheck.profile index f6c154183..90fc9cb8c 100644 --- a/etc/shellcheck.profile +++ b/etc/shellcheck.profile | |||
| @@ -16,6 +16,8 @@ include /etc/firejail/disable-passwdmgr.inc | |||
| 16 | include /etc/firejail/disable-programs.inc | 16 | include /etc/firejail/disable-programs.inc |
| 17 | include /etc/firejail/disable-xdg.inc | 17 | include /etc/firejail/disable-xdg.inc |
| 18 | 18 | ||
| 19 | include /etc/firejail/whitelist-var-common.inc | ||
| 20 | |||
| 19 | caps.drop all | 21 | caps.drop all |
| 20 | ipc-namespace | 22 | ipc-namespace |
| 21 | net none | 23 | net none |
diff --git a/etc/soundconverter.profile b/etc/soundconverter.profile index ee4d90265..69efe5244 100644 --- a/etc/soundconverter.profile +++ b/etc/soundconverter.profile | |||
| @@ -21,6 +21,8 @@ include /etc/firejail/disable-passwdmgr.inc | |||
| 21 | include /etc/firejail/disable-programs.inc | 21 | include /etc/firejail/disable-programs.inc |
| 22 | include /etc/firejail/disable-xdg.inc | 22 | include /etc/firejail/disable-xdg.inc |
| 23 | 23 | ||
| 24 | include /etc/firejail/whitelist-var-common.inc | ||
| 25 | |||
| 24 | caps.drop all | 26 | caps.drop all |
| 25 | net none | 27 | net none |
| 26 | no3d | 28 | no3d |
diff --git a/etc/sqlitebrowser.profile b/etc/sqlitebrowser.profile index 75e8ed5c0..0f030d559 100644 --- a/etc/sqlitebrowser.profile +++ b/etc/sqlitebrowser.profile | |||
| @@ -16,6 +16,8 @@ include /etc/firejail/disable-passwdmgr.inc | |||
| 16 | include /etc/firejail/disable-programs.inc | 16 | include /etc/firejail/disable-programs.inc |
| 17 | include /etc/firejail/disable-xdg.inc | 17 | include /etc/firejail/disable-xdg.inc |
| 18 | 18 | ||
| 19 | include /etc/firejail/whitelist-var-common.inc | ||
| 20 | |||
| 19 | caps.drop all | 21 | caps.drop all |
| 20 | net none | 22 | net none |
| 21 | no3d | 23 | no3d |
diff --git a/etc/vlc.profile b/etc/vlc.profile index 20dafba25..594a5944b 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile | |||
| @@ -25,7 +25,7 @@ include /etc/firejail/whitelist-var-common.inc | |||
| 25 | caps.drop all | 25 | caps.drop all |
| 26 | netfilter | 26 | netfilter |
| 27 | #nodbus | 27 | #nodbus |
| 28 | #nogroups | 28 | nogroups |
| 29 | nonewprivs | 29 | nonewprivs |
| 30 | noroot | 30 | noroot |
| 31 | protocol unix,inet,inet6,netlink | 31 | protocol unix,inet,inet6,netlink |
diff --git a/etc/xonotic.profile b/etc/xonotic.profile index 29b2bb382..a7e8edc0f 100644 --- a/etc/xonotic.profile +++ b/etc/xonotic.profile | |||
| @@ -21,6 +21,7 @@ include /etc/firejail/whitelist-var-common.inc | |||
| 21 | 21 | ||
| 22 | caps.drop all | 22 | caps.drop all |
| 23 | netfilter | 23 | netfilter |
| 24 | nodbus | ||
| 24 | nodvd | 25 | nodvd |
| 25 | nogroups | 26 | nogroups |
| 26 | nonewprivs | 27 | nonewprivs |