hardening onionshare-gui.profile (#4959)

* hardening onionshare-gui.profile * add another dbus-user filter to onionshare-gui.profile * harden onionshare
author: glitsj16 <glitsj16@users.noreply.github.com> 2022-03-13 15:09:51 +0000
committer: GitHub <noreply@github.com> 2022-03-13 15:09:51 +0000
commit: ddebc20bbce1efa73343124e3f8e3836e77622c0 (patch)
tree: 2485c2b1211d5dc8efca59df67792ba91b57530c
parent: fbuilder: don't consider flatpak/snapd directories (diff)
download: firejail-ddebc20bbce1efa73343124e3f8e3836e77622c0.tar.gz
firejail-ddebc20bbce1efa73343124e3f8e3836e77622c0.tar.zst
firejail-ddebc20bbce1efa73343124e3f8e3836e77622c0.zip
1 files changed, 24 insertions, 0 deletions
diff --git a/etc/profile-m-z/onionshare-gui.profile b/etc/profile-m-z/onionshare-gui.profile
index cf4d7db30..ed35862ca 100644
--- a/etc/profile-m-z/onionshare-gui.profile
+++ b/etc/profile-m-z/onionshare-gui.profile
@@ -1,4 +1,5 @@
 # Firejail profile for onionshare-gui
+# Description: Share a file over Tor Hidden Services anonymously and securely
 # This file is overwritten after every install/update
 # Persistent local customizations
 include onionshare-gui.local
@@ -14,18 +15,30 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
+include disable-shell.inc
+mkdir ${HOME}/.config/onionshare
+mkdir ${HOME}/OnionShare
+whitelist ${HOME}/.config/onionshare
+whitelist ${HOME}/OnionShare
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
+machine-id
 netfilter
 no3d
 nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 nosound
 notv
@@ -33,9 +46,20 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
+#tracelog - may cause issues, see #1930
+disable-mnt
+private-bin onionshare,onionshare-cli,onionshare-gui,python*,tor*
+private-cache
 private-dev
 private-tmp
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-system none
 memory-deny-write-execute
author	glitsj16 <glitsj16@users.noreply.github.com>	2022-03-13 15:09:51 +0000
committer	GitHub <noreply@github.com>	2022-03-13 15:09:51 +0000
commit	ddebc20bbce1efa73343124e3f8e3836e77622c0 (patch)
tree	2485c2b1211d5dc8efca59df67792ba91b57530c
parent	fbuilder: don't consider flatpak/snapd directories (diff)
download	firejail-ddebc20bbce1efa73343124e3f8e3836e77622c0.tar.gz firejail-ddebc20bbce1efa73343124e3f8e3836e77622c0.tar.zst firejail-ddebc20bbce1efa73343124e3f8e3836e77622c0.zip

diff --git a/etc/profile-m-z/onionshare-gui.profile b/etc/profile-m-z/onionshare-gui.profile index cf4d7db30..ed35862ca 100644 --- a/etc/profile-m-z/onionshare-gui.profile +++ b/etc/profile-m-z/onionshare-gui.profile
@@ -1,4 +1,5 @@
1	# Firejail profile for onionshare-gui	1	# Firejail profile for onionshare-gui
		2	# Description: Share a file over Tor Hidden Services anonymously and securely
2	# This file is overwritten after every install/update	3	# This file is overwritten after every install/update
3	# Persistent local customizations	4	# Persistent local customizations
4	include onionshare-gui.local	5	include onionshare-gui.local
@@ -14,18 +15,30 @@ include disable-common.inc
14	include disable-devel.inc	15	include disable-devel.inc
15	include disable-exec.inc	16	include disable-exec.inc
16	include disable-interpreters.inc	17	include disable-interpreters.inc
		18	include disable-proc.inc
17	include disable-programs.inc	19	include disable-programs.inc
		20	include disable-shell.inc
18		21
		22	mkdir ${HOME}/.config/onionshare
		23	mkdir ${HOME}/OnionShare
		24	whitelist ${HOME}/.config/onionshare
		25	whitelist ${HOME}/OnionShare
		26	include whitelist-common.inc
		27	include whitelist-run-common.inc
		28	include whitelist-runuser-common.inc
		29	include whitelist-usr-share-common.inc
19	include whitelist-var-common.inc	30	include whitelist-var-common.inc
20		31
21	caps.drop all	32	caps.drop all
22	ipc-namespace	33	ipc-namespace
		34	machine-id
23	netfilter	35	netfilter
24	no3d	36	no3d
25	nodvd	37	nodvd
26	nogroups	38	nogroups
27	noinput	39	noinput
28	nonewprivs	40	nonewprivs
		41	noprinters
29	noroot	42	noroot
30	nosound	43	nosound
31	notv	44	notv
@@ -33,9 +46,20 @@ nou2f
33	novideo	46	novideo
34	protocol unix,inet,inet6	47	protocol unix,inet,inet6
35	seccomp	48	seccomp
		49	seccomp.block-secondary
36	shell none	50	shell none
		51	#tracelog - may cause issues, see #1930
37		52
		53	disable-mnt
		54	private-bin onionshare,onionshare-cli,onionshare-gui,python,tor
		55	private-cache
38	private-dev	56	private-dev
39	private-tmp	57	private-tmp
40		58
		59	dbus-user filter
		60	dbus-user.talk org.freedesktop.Notifications
		61	dbus-user.talk org.freedesktop.secrets
		62	?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
		63	dbus-system none
		64
41	memory-deny-write-execute	65	memory-deny-write-execute