profiles: hexchat: allow lua/downloads and harden (#6331)

* profiles: hexchat: hardenings * profiles: hexchat: allow lua/downloads and harden Allow more paths and add some extra options to harden the profile. We allow Perl but keep it out of private-bin. Do the same for Lua and clarify in the private-bin comment how to enable these interpreters. Consulted resources: - https://github.com/hexchat/hexchat/ - https://hexchat.readthedocs.io/
author: glitsj16 <glitsj16@users.noreply.github.com> 2024-05-07 19:10:43 +0000
committer: GitHub <noreply@github.com> 2024-05-07 19:10:43 +0000
commit: 4fa0bb7cd6f228ade683a400f582a00ee180a5a3 (patch)
tree: f0d92bab48a0e5b34c49a00c8ee2b65b63d79a2b
parent: build(deps): bump step-security/harden-runner from 2.7.0 to 2.7.1 (diff)
download: firejail-4fa0bb7cd6f228ade683a400f582a00ee180a5a3.tar.gz
firejail-4fa0bb7cd6f228ade683a400f582a00ee180a5a3.tar.zst
firejail-4fa0bb7cd6f228ade683a400f582a00ee180a5a3.zip
1 files changed, 17 insertions, 1 deletions
diff --git a/etc/profile-a-l/hexchat.profile b/etc/profile-a-l/hexchat.profile
index def7bf25f..ba5a5fbac 100644
--- a/etc/profile-a-l/hexchat.profile
+++ b/etc/profile-a-l/hexchat.profile
@@ -11,6 +11,9 @@ noblacklist ${HOME}/.config/hexchat
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
@@ -18,17 +21,24 @@ include allow-perl.inc
 include allow-python2.inc
 include allow-python3.inc
+blacklist /usr/libexec
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/hexchat
+whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/hexchat
 include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 caps.drop all
@@ -45,14 +55,20 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 tracelog
 disable-mnt
-# debug note: private-bin requires perl, python, etc on some systems
+# If you need Lua and/or Perl support, add the relevant binaries from
+# allow-lua.inc/allow-perl.inc to private-bin in your hexchat.local.
 private-bin hexchat,python*,sh
 private-dev
 #private-lib # python problems
 private-tmp
+dbus-user filter
+dbus-user.own org.hexchat.service
+dbus-system none
 #memory-deny-write-execute # breaks python
 restrict-namespaces
author	glitsj16 <glitsj16@users.noreply.github.com>	2024-05-07 19:10:43 +0000
committer	GitHub <noreply@github.com>	2024-05-07 19:10:43 +0000
commit	4fa0bb7cd6f228ade683a400f582a00ee180a5a3 (patch)
tree	f0d92bab48a0e5b34c49a00c8ee2b65b63d79a2b
parent	build(deps): bump step-security/harden-runner from 2.7.0 to 2.7.1 (diff)
download	firejail-4fa0bb7cd6f228ade683a400f582a00ee180a5a3.tar.gz firejail-4fa0bb7cd6f228ade683a400f582a00ee180a5a3.tar.zst firejail-4fa0bb7cd6f228ade683a400f582a00ee180a5a3.zip

diff --git a/etc/profile-a-l/hexchat.profile b/etc/profile-a-l/hexchat.profile index def7bf25f..ba5a5fbac 100644 --- a/etc/profile-a-l/hexchat.profile +++ b/etc/profile-a-l/hexchat.profile
@@ -11,6 +11,9 @@ noblacklist ${HOME}/.config/hexchat
11	# Allow /bin/sh (blacklisted by disable-shell.inc)	11	# Allow /bin/sh (blacklisted by disable-shell.inc)
12	include allow-bin-sh.inc	12	include allow-bin-sh.inc
13		13
		14	# Allow lua (blacklisted by disable-interpreters.inc)
		15	include allow-lua.inc
		16
14	# Allow perl (blacklisted by disable-interpreters.inc)	17	# Allow perl (blacklisted by disable-interpreters.inc)
15	include allow-perl.inc	18	include allow-perl.inc
16		19
@@ -18,17 +21,24 @@ include allow-perl.inc
18	include allow-python2.inc	21	include allow-python2.inc
19	include allow-python3.inc	22	include allow-python3.inc
20		23
		24	blacklist /usr/libexec
		25
21	include disable-common.inc	26	include disable-common.inc
22	include disable-devel.inc	27	include disable-devel.inc
23	include disable-exec.inc	28	include disable-exec.inc
24	include disable-interpreters.inc	29	include disable-interpreters.inc
		30	include disable-proc.inc
25	include disable-programs.inc	31	include disable-programs.inc
26	include disable-shell.inc	32	include disable-shell.inc
27	include disable-xdg.inc	33	include disable-xdg.inc
28		34
29	mkdir ${HOME}/.config/hexchat	35	mkdir ${HOME}/.config/hexchat
		36	whitelist ${DOWNLOADS}
30	whitelist ${HOME}/.config/hexchat	37	whitelist ${HOME}/.config/hexchat
31	include whitelist-common.inc	38	include whitelist-common.inc
		39	include whitelist-run-common.inc
		40	include whitelist-runuser-common.inc
		41	include whitelist-usr-share-common.inc
32	include whitelist-var-common.inc	42	include whitelist-var-common.inc
33		43
34	caps.drop all	44	caps.drop all
@@ -45,14 +55,20 @@ nou2f
45	novideo	55	novideo
46	protocol unix,inet,inet6	56	protocol unix,inet,inet6
47	seccomp	57	seccomp
		58	seccomp.block-secondary
48	tracelog	59	tracelog
49		60
50	disable-mnt	61	disable-mnt
51	# debug note: private-bin requires perl, python, etc on some systems	62	# If you need Lua and/or Perl support, add the relevant binaries from
		63	# allow-lua.inc/allow-perl.inc to private-bin in your hexchat.local.
52	private-bin hexchat,python*,sh	64	private-bin hexchat,python*,sh
53	private-dev	65	private-dev
54	#private-lib # python problems	66	#private-lib # python problems
55	private-tmp	67	private-tmp
56		68
		69	dbus-user filter
		70	dbus-user.own org.hexchat.service
		71	dbus-system none
		72
57	#memory-deny-write-execute # breaks python	73	#memory-deny-write-execute # breaks python
58	restrict-namespaces	74	restrict-namespaces