Hardening compressors (#2594)

* Harden atool * Harden cpio * Fix ordering in private-* options * Harden gzip * Harden tar * Harden bsdtar * Harden+ tar * Harden+ gzip * Harden+ cpio * Create bzip2.profile * Description for bunzip2 * Add bzip2/bunzip2 to firecfg
author: glitsj16 <glitsj16@users.noreply.github.com> 2019-03-14 12:01:43 +0000
committer: GitHub <noreply@github.com> 2019-03-14 12:01:43 +0000
commit: 097aba97d8cb0a848f1f21018f65c58d48ef3cb2 (patch)
tree: bb5159f2651680606ccf7208dd4f48e1add373fe /etc/atool.profile
parent: Fixes for seahorse/seahorse-tool (#2592) (diff)
download: firejail-097aba97d8cb0a848f1f21018f65c58d48ef3cb2.tar.gz
firejail-097aba97d8cb0a848f1f21018f65c58d48ef3cb2.tar.zst
firejail-097aba97d8cb0a848f1f21018f65c58d48ef3cb2.zip
1 files changed, 10 insertions, 2 deletions
diff --git a/etc/atool.profile b/etc/atool.profile
index c82108cef..b17498e9d 100644
--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -18,15 +18,21 @@ noblacklist /usr/share/perl*
 include disable-common.inc
 # include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+apparmor
 caps.drop all
-netfilter
+hostname atool
+ipc-namespace
+machine-id
 net none
+netfilter
 no3d
 nodvd
+nodbus
 nogroups
 nonewprivs
 noroot
@@ -39,9 +45,11 @@ seccomp
 shell none
 tracelog
+# private-bin atool,perl
 private-cache
-# private-bin atool
 private-dev
 # without login.defs atool complains and uses UID/GID 1000 by default
 private-etc alternatives,passwd,group,login.defs
 private-tmp
+memory-deny-write-execute
author	glitsj16 <glitsj16@users.noreply.github.com>	2019-03-14 12:01:43 +0000
committer	GitHub <noreply@github.com>	2019-03-14 12:01:43 +0000
commit	097aba97d8cb0a848f1f21018f65c58d48ef3cb2 (patch)
tree	bb5159f2651680606ccf7208dd4f48e1add373fe /etc/atool.profile
parent	Fixes for seahorse/seahorse-tool (#2592) (diff)
download	firejail-097aba97d8cb0a848f1f21018f65c58d48ef3cb2.tar.gz firejail-097aba97d8cb0a848f1f21018f65c58d48ef3cb2.tar.zst firejail-097aba97d8cb0a848f1f21018f65c58d48ef3cb2.zip

diff --git a/etc/atool.profile b/etc/atool.profile index c82108cef..b17498e9d 100644 --- a/etc/atool.profile +++ b/etc/atool.profile
@@ -18,15 +18,21 @@ noblacklist /usr/share/perl*
18		18
19	include disable-common.inc	19	include disable-common.inc
20	# include disable-devel.inc	20	# include disable-devel.inc
		21	include disable-exec.inc
21	include disable-interpreters.inc	22	include disable-interpreters.inc
22	include disable-passwdmgr.inc	23	include disable-passwdmgr.inc
23	include disable-programs.inc	24	include disable-programs.inc
24		25
		26	apparmor
25	caps.drop all	27	caps.drop all
26	netfilter	28	hostname atool
		29	ipc-namespace
		30	machine-id
27	net none	31	net none
		32	netfilter
28	no3d	33	no3d
29	nodvd	34	nodvd
		35	nodbus
30	nogroups	36	nogroups
31	nonewprivs	37	nonewprivs
32	noroot	38	noroot
@@ -39,9 +45,11 @@ seccomp
39	shell none	45	shell none
40	tracelog	46	tracelog
41		47
		48	# private-bin atool,perl
42	private-cache	49	private-cache
43	# private-bin atool
44	private-dev	50	private-dev
45	# without login.defs atool complains and uses UID/GID 1000 by default	51	# without login.defs atool complains and uses UID/GID 1000 by default
46	private-etc alternatives,passwd,group,login.defs	52	private-etc alternatives,passwd,group,login.defs
47	private-tmp	53	private-tmp
		54
		55	memory-deny-write-execute