Harden 50 profiles

Hardened many profiles using disable-mnt and novideo Fixed gnome-font-viewer
author: Tad <tad@spotco.us> 2017-07-04 10:51:43 -0400
committer: Tad <tad@spotco.us> 2017-07-04 11:35:29 -0400
commit: 5354f20012b488c50cd556e315b78ad351ae0f9d (patch)
tree: 89c737f738f8525da446786083473c249b8a9f79 /etc/gnome-font-viewer.profile
parent: per-profile disable-mnt (diff)
download: firejail-5354f20012b488c50cd556e315b78ad351ae0f9d.tar.gz
firejail-5354f20012b488c50cd556e315b78ad351ae0f9d.tar.zst
firejail-5354f20012b488c50cd556e315b78ad351ae0f9d.zip
1 files changed, 15 insertions, 14 deletions
diff --git a/etc/gnome-font-viewer.profile b/etc/gnome-font-viewer.profile
index 3ea1b6b33..605dafc62 100644
--- a/etc/gnome-font-viewer.profile
+++ b/etc/gnome-font-viewer.profile
@@ -5,25 +5,26 @@ include /etc/firejail/globals.local
 # Persistent customizations should go in a .local file.
 include /etc/firejail/gnome-font-viewer.local
-private
+#Blacklist Paths
-#include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-common.inc
-#include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-programs.inc
-#include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+#Options
 caps.drop all
 netfilter
+no3d
 nonewprivs
 noroot
+nosound
+novideo
 protocol unix,inet,inet6
 seccomp
-#
+private-dev
-# depending on your usage, you can enable some of the commands below: 
+private-tmp
-#
+disable-mnt
-nogroups
-shell none
+noexec ${HOME}
-# private-bin program
+noexec /tmp
-# private-etc none
-# private-dev
-# private-tmp
-nosound
author	Tad <tad@spotco.us>	2017-07-04 10:51:43 -0400
committer	Tad <tad@spotco.us>	2017-07-04 11:35:29 -0400
commit	5354f20012b488c50cd556e315b78ad351ae0f9d (patch)
tree	89c737f738f8525da446786083473c249b8a9f79 /etc/gnome-font-viewer.profile
parent	per-profile disable-mnt (diff)
download	firejail-5354f20012b488c50cd556e315b78ad351ae0f9d.tar.gz firejail-5354f20012b488c50cd556e315b78ad351ae0f9d.tar.zst firejail-5354f20012b488c50cd556e315b78ad351ae0f9d.zip

diff --git a/etc/gnome-font-viewer.profile b/etc/gnome-font-viewer.profile index 3ea1b6b33..605dafc62 100644 --- a/etc/gnome-font-viewer.profile +++ b/etc/gnome-font-viewer.profile
@@ -5,25 +5,26 @@ include /etc/firejail/globals.local
5	# Persistent customizations should go in a .local file.	5	# Persistent customizations should go in a .local file.
6	include /etc/firejail/gnome-font-viewer.local	6	include /etc/firejail/gnome-font-viewer.local
7		7
8	private	8	#Blacklist Paths
9	#include /etc/firejail/disable-common.inc	9	include /etc/firejail/disable-common.inc
10	#include /etc/firejail/disable-programs.inc	10	include /etc/firejail/disable-programs.inc
11	#include /etc/firejail/disable-passwdmgr.inc	11	include /etc/firejail/disable-passwdmgr.inc
		12	include /etc/firejail/disable-devel.inc
12		13
		14	#Options
13	caps.drop all	15	caps.drop all
14	netfilter	16	netfilter
		17	no3d
15	nonewprivs	18	nonewprivs
16	noroot	19	noroot
		20	nosound
		21	novideo
17	protocol unix,inet,inet6	22	protocol unix,inet,inet6
18	seccomp	23	seccomp
19		24
20	#	25	private-dev
21	# depending on your usage, you can enable some of the commands below:	26	private-tmp
22	#	27	disable-mnt
23	nogroups	28
24	shell none	29	noexec ${HOME}
25	# private-bin program	30	noexec /tmp
26	# private-etc none
27	# private-dev
28	# private-tmp
29	nosound