Extra hardening for wget

author: glitsj16 <glitsj16@users.noreply.github.com> 2020-01-02 21:13:38 +0000
committer: GitHub <noreply@github.com> 2020-01-02 21:13:38 +0000
commit: 24c11634594842c222367299a748a38bd4dd8ff3 (patch)
tree: e74f32bd883105d68b6ace680fae909d0622f293
parent: Additional hardening for whois (diff)
download: firejail-24c11634594842c222367299a748a38bd4dd8ff3.tar.gz
firejail-24c11634594842c222367299a748a38bd4dd8ff3.tar.zst
firejail-24c11634594842c222367299a748a38bd4dd8ff3.zip
1 files changed, 14 insertions, 2 deletions
diff --git a/etc/wget.profile b/etc/wget.profile
index c034a3f0e..5b1ba6202 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -7,13 +7,20 @@ include wget.local
 # Persistent global definitions
 include globals.local
+noblacklist ${HOME}/.netrc
 noblacklist ${HOME}/.wget-hsts
 noblacklist ${HOME}/.wgetrc
+blacklist /tmp/.X11-unix
 include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
+include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+# depending on workflow you can uncomment the below or put 'include disable-xdg.inc' in your wget.local
+include disable-xdg.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -21,6 +28,7 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 machine-id
+nodbus
 netfilter
 no3d
 nodvd
@@ -36,9 +44,13 @@ seccomp
 shell none
 tracelog
-# private-bin wget
+private-bin wget
+private-cache
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policie,pki,resolv.conf,ssl
+# depending on workflow you can uncomment the below or put this private-etc in your wget.local
+#private-etc alternatives,ca-certificates,crypto-policie,pki,resolv.conf,ssl,wgetrc
 # private-tmp
 memory-deny-write-execute
author	glitsj16 <glitsj16@users.noreply.github.com>	2020-01-02 21:13:38 +0000
committer	GitHub <noreply@github.com>	2020-01-02 21:13:38 +0000
commit	24c11634594842c222367299a748a38bd4dd8ff3 (patch)
tree	e74f32bd883105d68b6ace680fae909d0622f293
parent	Additional hardening for whois (diff)
download	firejail-24c11634594842c222367299a748a38bd4dd8ff3.tar.gz firejail-24c11634594842c222367299a748a38bd4dd8ff3.tar.zst firejail-24c11634594842c222367299a748a38bd4dd8ff3.zip

diff --git a/etc/wget.profile b/etc/wget.profile index c034a3f0e..5b1ba6202 100644 --- a/etc/wget.profile +++ b/etc/wget.profile
@@ -7,13 +7,20 @@ include wget.local
7	# Persistent global definitions	7	# Persistent global definitions
8	include globals.local	8	include globals.local
9		9
		10	noblacklist ${HOME}/.netrc
10	noblacklist ${HOME}/.wget-hsts	11	noblacklist ${HOME}/.wget-hsts
11	noblacklist ${HOME}/.wgetrc	12	noblacklist ${HOME}/.wgetrc
12		13
		14	blacklist /tmp/.X11-unix
		15
13	include disable-common.inc	16	include disable-common.inc
		17	include disable-devel.inc
14	include disable-exec.inc	18	include disable-exec.inc
		19	include disable-interpreters.inc
15	include disable-passwdmgr.inc	20	include disable-passwdmgr.inc
16	include disable-programs.inc	21	include disable-programs.inc
		22	# depending on workflow you can uncomment the below or put 'include disable-xdg.inc' in your wget.local
		23	include disable-xdg.inc
17		24
18	include whitelist-usr-share-common.inc	25	include whitelist-usr-share-common.inc
19	include whitelist-var-common.inc	26	include whitelist-var-common.inc
@@ -21,6 +28,7 @@ include whitelist-var-common.inc
21	caps.drop all	28	caps.drop all
22	ipc-namespace	29	ipc-namespace
23	machine-id	30	machine-id
		31	nodbus
24	netfilter	32	netfilter
25	no3d	33	no3d
26	nodvd	34	nodvd
@@ -36,9 +44,13 @@ seccomp
36	shell none	44	shell none
37	tracelog	45	tracelog
38		46
39	# private-bin wget	47	private-bin wget
		48	private-cache
40	private-dev	49	private-dev
41	# private-etc alternatives,ca-certificates,crypto-policie,pki,resolv.conf,ssl	50
		51
		52	# depending on workflow you can uncomment the below or put this private-etc in your wget.local
		53	#private-etc alternatives,ca-certificates,crypto-policie,pki,resolv.conf,ssl,wgetrc
42	# private-tmp	54	# private-tmp
43		55
44	memory-deny-write-execute	56	memory-deny-write-execute