Update ffmpeg.profile (#2529)

* Harden ffmpeg.profile * Review #2529
author: rusty-snake <print_hello_world+GitHub@protonmail.com> 2019-03-06 20:07:09 +0000
committer: glitsj16 <glitsj16@users.noreply.github.com> 2019-03-06 20:07:09 +0000
commit: f843166a6c56aca547cc1213a95c24cf16788cc4 (patch)
tree: db86fef30c73bd2308ce75303156463a45b16990
parent: Merge pull request #2517 from veloute/keepassxc (diff)
download: firejail-f843166a6c56aca547cc1213a95c24cf16788cc4.tar.gz
firejail-f843166a6c56aca547cc1213a95c24cf16788cc4.tar.zst
firejail-f843166a6c56aca547cc1213a95c24cf16788cc4.zip
1 files changed, 12 insertions, 4 deletions
diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile
index 44b5d5530..aa7a91928 100644
--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -7,28 +7,35 @@ include ffmpeg.local
 # Persistent global definitions
 include globals.local
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 include whitelist-var-common.inc
 apparmor
 caps.drop all
+ipc-namespace
 machine-id
-net none
+netfilter
+# no3d might break HW accelerated de/encoding - comment when appropriate
 no3d
 nodbus
 nodvd
+nogroups
+nonewprivs
+noroot
 nosound
 notv
 nou2f
 novideo
-nonewprivs
+protocol inet,inet6
-noroot
-# protocol none - needs to be implemented!
 seccomp
 # seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom
 shell none
@@ -37,6 +44,7 @@ tracelog
 private-bin ffmpeg
 private-cache
 private-dev
+private-etc alternatives,pki,pkcs11,hosts,ssl,ca-certificates,resolv.conf
 private-tmp
 # memory-deny-write-execute - it breaks old versions of ffmpeg
author	rusty-snake <print_hello_world+GitHub@protonmail.com>	2019-03-06 20:07:09 +0000
committer	glitsj16 <glitsj16@users.noreply.github.com>	2019-03-06 20:07:09 +0000
commit	f843166a6c56aca547cc1213a95c24cf16788cc4 (patch)
tree	db86fef30c73bd2308ce75303156463a45b16990
parent	Merge pull request #2517 from veloute/keepassxc (diff)
download	firejail-f843166a6c56aca547cc1213a95c24cf16788cc4.tar.gz firejail-f843166a6c56aca547cc1213a95c24cf16788cc4.tar.zst firejail-f843166a6c56aca547cc1213a95c24cf16788cc4.zip

diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile index 44b5d5530..aa7a91928 100644 --- a/etc/ffmpeg.profile +++ b/etc/ffmpeg.profile
@@ -7,28 +7,35 @@ include ffmpeg.local
7	# Persistent global definitions	7	# Persistent global definitions
8	include globals.local	8	include globals.local
9		9
		10	noblacklist ${MUSIC}
		11	noblacklist ${VIDEOS}
		12
10	include disable-common.inc	13	include disable-common.inc
11	include disable-devel.inc	14	include disable-devel.inc
12	include disable-interpreters.inc	15	include disable-interpreters.inc
13	include disable-passwdmgr.inc	16	include disable-passwdmgr.inc
14	include disable-programs.inc	17	include disable-programs.inc
		18	include disable-xdg.inc
15		19
16	include whitelist-var-common.inc	20	include whitelist-var-common.inc
17		21
18	apparmor	22	apparmor
19	caps.drop all	23	caps.drop all
		24	ipc-namespace
20	machine-id	25	machine-id
21	net none	26	netfilter
		27	# no3d might break HW accelerated de/encoding - comment when appropriate
22	no3d	28	no3d
23	nodbus	29	nodbus
24	nodvd	30	nodvd
		31	nogroups
		32	nonewprivs
		33	noroot
25	nosound	34	nosound
26	notv	35	notv
27	nou2f	36	nou2f
28	novideo	37	novideo
29	nonewprivs	38	protocol inet,inet6
30	noroot
31	# protocol none - needs to be implemented!
32	seccomp	39	seccomp
33	# seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom	40	# seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom
34	shell none	41	shell none
@@ -37,6 +44,7 @@ tracelog
37	private-bin ffmpeg	44	private-bin ffmpeg
38	private-cache	45	private-cache
39	private-dev	46	private-dev
		47	private-etc alternatives,pki,pkcs11,hosts,ssl,ca-certificates,resolv.conf
40	private-tmp	48	private-tmp
41		49
42	# memory-deny-write-execute - it breaks old versions of ffmpeg	50	# memory-deny-write-execute - it breaks old versions of ffmpeg