Tighten multiple profiles.

This adds whitelist-var-common, machine-id, memory-deny-write-execute, and noexec home and tmp when possible.
author: Fred-Barclay <Fred-Barclay@users.noreply.github.com> 2017-10-04 16:24:36 -0500
committer: Fred-Barclay <Fred-Barclay@users.noreply.github.com> 2017-10-04 16:24:36 -0500
commit: c6259375dff79484b9f3d587da9fbfa76a3b68b9 (patch)
tree: 1b7c010c2f6b0886ccd7a537bb146f7f46cb1d7f /etc/gitter.profile
parent: Tighten spotify profile (diff)
download: firejail-c6259375dff79484b9f3d587da9fbfa76a3b68b9.tar.gz
firejail-c6259375dff79484b9f3d587da9fbfa76a3b68b9.tar.zst
firejail-c6259375dff79484b9f3d587da9fbfa76a3b68b9.zip
1 files changed, 11 insertions, 0 deletions
diff --git a/etc/gitter.profile b/etc/gitter.profile
index 0a47bf888..3e84455f1 100644
--- a/etc/gitter.profile
+++ b/etc/gitter.profile
@@ -13,7 +13,13 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+whitelist ${DOWNLOADS}
+whitelist ~/.config/autostart
+whitelist ~/.config/Gitter
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
+machine-id
 netfilter
 nodvd
 nogroups
@@ -25,7 +31,12 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
+disable-mnt
 private-bin bash,env,gitter
+private-etc fonts,pulse,resolv.conf
 private-opt Gitter
 private-dev
 private-tmp
+noexec ${HOME}
+noexec /tmp
author	Fred-Barclay <Fred-Barclay@users.noreply.github.com>	2017-10-04 16:24:36 -0500
committer	Fred-Barclay <Fred-Barclay@users.noreply.github.com>	2017-10-04 16:24:36 -0500
commit	c6259375dff79484b9f3d587da9fbfa76a3b68b9 (patch)
tree	1b7c010c2f6b0886ccd7a537bb146f7f46cb1d7f /etc/gitter.profile
parent	Tighten spotify profile (diff)
download	firejail-c6259375dff79484b9f3d587da9fbfa76a3b68b9.tar.gz firejail-c6259375dff79484b9f3d587da9fbfa76a3b68b9.tar.zst firejail-c6259375dff79484b9f3d587da9fbfa76a3b68b9.zip

diff --git a/etc/gitter.profile b/etc/gitter.profile index 0a47bf888..3e84455f1 100644 --- a/etc/gitter.profile +++ b/etc/gitter.profile
@@ -13,7 +13,13 @@ include /etc/firejail/disable-devel.inc
13	include /etc/firejail/disable-passwdmgr.inc	13	include /etc/firejail/disable-passwdmgr.inc
14	include /etc/firejail/disable-programs.inc	14	include /etc/firejail/disable-programs.inc
15		15
		16	whitelist ${DOWNLOADS}
		17	whitelist ~/.config/autostart
		18	whitelist ~/.config/Gitter
		19	include /etc/firejail/whitelist-var-common.inc
		20
16	caps.drop all	21	caps.drop all
		22	machine-id
17	netfilter	23	netfilter
18	nodvd	24	nodvd
19	nogroups	25	nogroups
@@ -25,7 +31,12 @@ protocol unix,inet,inet6,netlink
25	seccomp	31	seccomp
26	shell none	32	shell none
27		33
		34	disable-mnt
28	private-bin bash,env,gitter	35	private-bin bash,env,gitter
		36	private-etc fonts,pulse,resolv.conf
29	private-opt Gitter	37	private-opt Gitter
30	private-dev	38	private-dev
31	private-tmp	39	private-tmp
		40
		41	noexec ${HOME}
		42	noexec /tmp