Harden bibletime.profile

author: rusty-snake <print_hello_world+Public@protonmail.com> 2019-04-12 19:01:38 +0200
committer: rusty-snake <print_hello_world+Public@protonmail.com> 2019-04-12 19:01:38 +0200
commit: 53dff25d69ad0d1a83dea3ce19d2d54210025f20 (patch)
tree: 7fddb0caa3e97f2c9a0e416a318b653f0495f2b8
parent: adding disable-exec.inc to the remaining profiles (diff)
download: firejail-53dff25d69ad0d1a83dea3ce19d2d54210025f20.tar.gz
firejail-53dff25d69ad0d1a83dea3ce19d2d54210025f20.tar.zst
firejail-53dff25d69ad0d1a83dea3ce19d2d54210025f20.zip
4 files changed, 11 insertions, 5 deletions
diff --git a/README b/README
index 7e49d1429..7b7c36c17 100644
--- a/README
+++ b/README
@@ -544,13 +544,14 @@ rusty-snake (https://github.com/rusty-snake)
        - added profiles: thunderbird-wayland, supertuxkart, ghostwriter
        - added profiles: klavaro, mypaint, mypaint-ora-thumbnailer, nano
        - added profiles: gajim-history-manager, freemind, nomacs, kid3
-        - added profiles: kid3-qt, kid3-cli, anki
+        - added profiles: kid3-qt, kid3-cli, anki, utox
        - fixed profiles: kdenlive, bibletime, rhythmbox, gajim, seahorse
        - fixed profiles: libreoffice, gnome-maps, wget, seahorse-tool
-        - fixed profiles: gnome-logs
+        - fixed profiles: gnome-logs, klavaro
        - hardened profiles: disable-common.inc, disable-programs.inc
        - hardened profiles: gajim, evince, ffmpeg, feh-network.inc, qtox
        - hardened profiles: gnome-clocks, meld, minetest, youtube-dl
+        - hardened profiles: bibletime
        - gnome-mpv was renamed to celluloid
        - updates for ~/.cargo and ~/.python-history
 Salvo 'LtWorf' Tomaselli (https://github.com/ltworf)
diff --git a/README.md b/README.md
index 429f3362c..1a5b20a66 100644
--- a/README.md
+++ b/README.md
@@ -102,4 +102,4 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 ## Current development version: 0.9.59
 ## New profiles:
-anki, assogiate, autokey-gtk, autokey-qt, autokey-run, autokey-shell, bzflag, celluoid, code-oss, crawl, crawl-tiles, crow, d-feet, dconf, dconf-editor, devhelp, exfalso, font-manager, freeciv, freecol, freemind, gconf-editor, geekbench, gnome-keyring, gnome-nettool, gnome-system-log, gsettings, kid3, kid3-cli, kid3-qt, klavaro, lincity-ng, lugaru, Maelstrom, manaplus, megaglest, mpdris2, mypaint, nano, netactview, nomacs, nyx, opencity, openclonk, openttd, ostrichriders, pavucontrol, pioneer, pragha, redshift, regextester, seahorse, seahorse-tool, scorched3d, secret-tool, simplescreenrecorder, slashem, subdownloader, sysprof, sysprof-cli, teeworlds, torcs, tremulous, transgui, vulturesclaw, vultureseye, warsow, widelands, xfce4-mixer
+anki, assogiate, autokey-gtk, autokey-qt, autokey-run, autokey-shell, bzflag, celluoid, code-oss, crawl, crawl-tiles, crow, d-feet, dconf, dconf-editor, devhelp, exfalso, font-manager, freeciv, freecol, freemind, gconf-editor, geekbench, gnome-keyring, gnome-nettool, gnome-system-log, gsettings, kid3, kid3-cli, kid3-qt, klavaro, lincity-ng, lugaru, Maelstrom, manaplus, megaglest, mpdris2, mypaint, nano, netactview, nomacs, nyx, opencity, openclonk, openttd, ostrichriders, pavucontrol, pioneer, pragha, redshift, regextester, seahorse, seahorse-tool, scorched3d, secret-tool, simplescreenrecorder, slashem, subdownloader, sysprof, sysprof-cli, teeworlds, torcs, tremulous, transgui, utox, vulturesclaw, vultureseye, warsow, widelands, xfce4-mixer
diff --git a/RELNOTES b/RELNOTES
index a3cf6bea0..80b5e58ff 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -11,7 +11,7 @@ firejail (0.9.59) baseline; urgency=low
  * new profiles: teeworlds, torcs, tremulous, warsow, lugaru, manaplus
  * new profiles: pioneer, scorched3d, widelands, freemind, kid3, kid3-qt
  * new profiles: kid3-cli, nomacs, freecol, opencity, openclonk, slashem
-  * new profiles: vultureseye, vulturesclaw, anki
+  * new profiles: vultureseye, vulturesclaw, anki, utox
  * new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell
  * memory-deny-write-execute now also blocks memfd_create
  * drop support for flatpak/snap packages
diff --git a/etc/bibletime.profile b/etc/bibletime.profile
index 6e40054f7..c41aafd47 100644
--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -14,6 +14,7 @@ noblacklist ${HOME}/.local/share/bibletime
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -25,7 +26,9 @@ whitelist ${HOME}/.bibletime
 whitelist ${HOME}/.sword
 whitelist ${HOME}/.local/share/bibletime
 include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
 caps.drop all
 machine-id
 netfilter
@@ -42,7 +45,9 @@ protocol unix,inet,inet6,netlink
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
+disable-mnt
 # private-bin bibletime,qt5ct
+private-cache
 private-dev
-private-etc alternatives,fonts,resolv.conf,sword,sword.conf,passwd,machine-id,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,ca-certificates,crypto-policies,fonts,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf
 private-tmp
author	rusty-snake <print_hello_world+Public@protonmail.com>	2019-04-12 19:01:38 +0200
committer	rusty-snake <print_hello_world+Public@protonmail.com>	2019-04-12 19:01:38 +0200
commit	53dff25d69ad0d1a83dea3ce19d2d54210025f20 (patch)
tree	7fddb0caa3e97f2c9a0e416a318b653f0495f2b8
parent	adding disable-exec.inc to the remaining profiles (diff)
download	firejail-53dff25d69ad0d1a83dea3ce19d2d54210025f20.tar.gz firejail-53dff25d69ad0d1a83dea3ce19d2d54210025f20.tar.zst firejail-53dff25d69ad0d1a83dea3ce19d2d54210025f20.zip