diff options
| author |  smitsohu <smitsohu@gmail.com> | 2017-09-03 21:34:07 +0200 |
|---|---|---|
| committer | smitsohu <smitsohu@gmail.com> | 2017-09-03 21:34:07 +0200 |
| commit | 8a0725cd013564500af985c728c1589ae9eb47f7 (patch) | |
| tree | ac078334ce7fbde29e68a69ac7790a20df74e095 | |
| parent | Merge pull request #1523 from pizzadude/patch-4 (diff) | |
| download | firejail-8a0725cd013564500af985c728c1589ae9eb47f7.tar.gz firejail-8a0725cd013564500af985c728c1589ae9eb47f7.tar.zst firejail-8a0725cd013564500af985c728c1589ae9eb47f7.zip | |
tighten capability sets
| -rw-r--r-- | etc/dnscrypt-proxy.profile | 2 | ||||
| -rw-r--r-- | etc/unbound.profile | 2 | ||||
| -rw-r--r-- | etc/wireshark.profile | 3 |
3 files changed, 4 insertions, 3 deletions
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile index a1ccfbe22..86af9c7b3 100644 --- a/etc/dnscrypt-proxy.profile +++ b/etc/dnscrypt-proxy.profile | |||
| @@ -17,7 +17,7 @@ include /etc/firejail/disable-passwdmgr.inc | |||
| 17 | include /etc/firejail/disable-programs.inc | 17 | include /etc/firejail/disable-programs.inc |
| 18 | 18 | ||
| 19 | caps | 19 | caps |
| 20 | # caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot,sys_resource | 20 | # caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot |
| 21 | no3d | 21 | no3d |
| 22 | nodvd | 22 | nodvd |
| 23 | nonewprivs | 23 | nonewprivs |
diff --git a/etc/unbound.profile b/etc/unbound.profile index afc903e88..2a38aa7c6 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile | |||
| @@ -17,7 +17,7 @@ include /etc/firejail/disable-passwdmgr.inc | |||
| 17 | include /etc/firejail/disable-programs.inc | 17 | include /etc/firejail/disable-programs.inc |
| 18 | 18 | ||
| 19 | caps | 19 | caps |
| 20 | # caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot,sys_resource | 20 | # caps.keep net_bind_service,setgid,setuid,sys_chroot,sys_resource |
| 21 | no3d | 21 | no3d |
| 22 | nodvd | 22 | nodvd |
| 23 | nonewprivs | 23 | nonewprivs |
diff --git a/etc/wireshark.profile b/etc/wireshark.profile index 57f4f2f5b..7504d0b9c 100644 --- a/etc/wireshark.profile +++ b/etc/wireshark.profile | |||
| @@ -12,7 +12,7 @@ include /etc/firejail/disable-devel.inc | |||
| 12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
| 14 | 14 | ||
| 15 | # caps.drop all | 15 | caps.keep net_admin,net_raw |
| 16 | netfilter | 16 | netfilter |
| 17 | no3d | 17 | no3d |
| 18 | # nogroups - breaks unprivileged wireshark usage | 18 | # nogroups - breaks unprivileged wireshark usage |
| @@ -21,6 +21,7 @@ no3d | |||
| 21 | nodvd | 21 | nodvd |
| 22 | nosound | 22 | nosound |
| 23 | notv | 23 | notv |
| 24 | novideo | ||
| 24 | # protocol unix,inet,inet6,netlink | 25 | # protocol unix,inet,inet6,netlink |
| 25 | # seccomp - breaks unprivileged wireshark usage | 26 | # seccomp - breaks unprivileged wireshark usage |
| 26 | shell none | 27 | shell none |