hardenings for various profiles (#3160)

* harden devilspie * harden devilspie2 * harden curl * harden wget * harden curl * harden dig * harden claws-mail * harden dnscrypt-proxy * harden dnscrypt-proxy * harden dnscrypt-proxy * harden exfalso * refactor easystroke as whitelist profile * refactor enchant as whitelist profile * safeguard ${DOCUMENTS} Thanks @rusty-snake for the suggestion. * drop x11-none Thanks @rusty-snake for catching this. * drop x11 none Thanks @rusty-snake for saving the bacon... * drop x11 none Thanks @rusty-snake for catching this. * drop x11 none Thanks @rusty-snake for preventing breakage! * drop ipc-namespace Better safe than sorry...
author: glitsj16 <glitsj16@users.noreply.github.com> 2020-01-17 23:31:46 +0000
committer: GitHub <noreply@github.com> 2020-01-17 23:31:46 +0000
commit: f9c9c469a23dbb6d484f82f6ba719d662b784753 (patch)
tree: 9485d36a39798b0542ed70b9a5df688bab2c3d69 /etc/dig.profile
parent: join: wait with effective uid of the user (diff)
download: firejail-f9c9c469a23dbb6d484f82f6ba719d662b784753.tar.gz
firejail-f9c9c469a23dbb6d484f82f6ba719d662b784753.tar.zst
firejail-f9c9c469a23dbb6d484f82f6ba719d662b784753.zip
1 files changed, 4 insertions, 1 deletions
diff --git a/etc/dig.profile b/etc/dig.profile
index af71ff17f..054e4891d 100644
--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -9,6 +9,8 @@ include globals.local
 noblacklist ${HOME}/.digrc
+blacklist /tmp/.X11-unix
 include disable-common.inc
 # include disable-devel.inc
 include disable-exec.inc
@@ -24,7 +26,7 @@ include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 caps.drop all
-# ipc-namespace
+ipc-namespace
 machine-id
 netfilter
 no3d
@@ -40,6 +42,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 disable-mnt
 private
author	glitsj16 <glitsj16@users.noreply.github.com>	2020-01-17 23:31:46 +0000
committer	GitHub <noreply@github.com>	2020-01-17 23:31:46 +0000
commit	f9c9c469a23dbb6d484f82f6ba719d662b784753 (patch)
tree	9485d36a39798b0542ed70b9a5df688bab2c3d69 /etc/dig.profile
parent	join: wait with effective uid of the user (diff)
download	firejail-f9c9c469a23dbb6d484f82f6ba719d662b784753.tar.gz firejail-f9c9c469a23dbb6d484f82f6ba719d662b784753.tar.zst firejail-f9c9c469a23dbb6d484f82f6ba719d662b784753.zip

diff --git a/etc/dig.profile b/etc/dig.profile index af71ff17f..054e4891d 100644 --- a/etc/dig.profile +++ b/etc/dig.profile
@@ -9,6 +9,8 @@ include globals.local
9		9
10	noblacklist ${HOME}/.digrc	10	noblacklist ${HOME}/.digrc
11		11
		12	blacklist /tmp/.X11-unix
		13
12	include disable-common.inc	14	include disable-common.inc
13	# include disable-devel.inc	15	# include disable-devel.inc
14	include disable-exec.inc	16	include disable-exec.inc
@@ -24,7 +26,7 @@ include whitelist-usr-share-common.inc
24	include whitelist-var-common.inc	26	include whitelist-var-common.inc
25		27
26	caps.drop all	28	caps.drop all
27	# ipc-namespace	29	ipc-namespace
28	machine-id	30	machine-id
29	netfilter	31	netfilter
30	no3d	32	no3d
@@ -40,6 +42,7 @@ novideo
40	protocol unix,inet,inet6	42	protocol unix,inet,inet6
41	seccomp	43	seccomp
42	shell none	44	shell none
		45	tracelog
43		46
44	disable-mnt	47	disable-mnt
45	private	48	private