Merge pull request #1367 from SpotComms/mh

Harden profiles
author: Fred Barclay <Fred-Barclay@users.noreply.github.com> 2017-08-02 09:37:20 -0500
committer: GitHub <noreply@github.com> 2017-08-02 09:37:20 -0500
commit: caaac4417bd9b4116681c96fa1127b3f78c33d1d (patch)
tree: 0c1fd52865432943dff536a7679408bec47df683 /etc/google-chrome.profile
parent: get_mempolicy syscall was temporarily removed from the default seccomp list. ... (diff)
parent: Fixes (diff)
download: firejail-caaac4417bd9b4116681c96fa1127b3f78c33d1d.tar.gz
firejail-caaac4417bd9b4116681c96fa1127b3f78c33d1d.tar.zst
firejail-caaac4417bd9b4116681c96fa1127b3f78c33d1d.zip
1 files changed, 13 insertions, 3 deletions
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile
index 84e0c6cdc..e6fceadec 100644
--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -16,9 +16,6 @@ include /etc/firejail/disable-programs.inc
 # include /etc/firejail/disable-devel.inc
 #
-caps.keep sys_chroot,sys_admin
-netfilter
 whitelist ${DOWNLOADS}
 mkdir ~/.config/google-chrome
 whitelist ~/.config/google-chrome
@@ -27,3 +24,16 @@ whitelist ~/.cache/google-chrome
 mkdir ~/.pki
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
+caps.keep sys_chroot,sys_admin
+#ipc-namespace
+netfilter
+nogroups
+shell none
+private-dev
+#private-tmp - problems with multiple browser sessions
+#disable-mnt
+noexec ${HOME}
+noexec /tmp
author	Fred Barclay <Fred-Barclay@users.noreply.github.com>	2017-08-02 09:37:20 -0500
committer	GitHub <noreply@github.com>	2017-08-02 09:37:20 -0500
commit	caaac4417bd9b4116681c96fa1127b3f78c33d1d (patch)
tree	0c1fd52865432943dff536a7679408bec47df683 /etc/google-chrome.profile
parent	get_mempolicy syscall was temporarily removed from the default seccomp list. ... (diff)
parent	Fixes (diff)
download	firejail-caaac4417bd9b4116681c96fa1127b3f78c33d1d.tar.gz firejail-caaac4417bd9b4116681c96fa1127b3f78c33d1d.tar.zst firejail-caaac4417bd9b4116681c96fa1127b3f78c33d1d.zip

diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile index 84e0c6cdc..e6fceadec 100644 --- a/etc/google-chrome.profile +++ b/etc/google-chrome.profile
@@ -16,9 +16,6 @@ include /etc/firejail/disable-programs.inc
16	# include /etc/firejail/disable-devel.inc	16	# include /etc/firejail/disable-devel.inc
17	#	17	#
18		18
19	caps.keep sys_chroot,sys_admin
20	netfilter
21
22	whitelist ${DOWNLOADS}	19	whitelist ${DOWNLOADS}
23	mkdir ~/.config/google-chrome	20	mkdir ~/.config/google-chrome
24	whitelist ~/.config/google-chrome	21	whitelist ~/.config/google-chrome
@@ -27,3 +24,16 @@ whitelist ~/.cache/google-chrome
27	mkdir ~/.pki	24	mkdir ~/.pki
28	whitelist ~/.pki	25	whitelist ~/.pki
29	include /etc/firejail/whitelist-common.inc	26	include /etc/firejail/whitelist-common.inc
		27
		28	caps.keep sys_chroot,sys_admin
		29	#ipc-namespace
		30	netfilter
		31	nogroups
		32	shell none
		33
		34	private-dev
		35	#private-tmp - problems with multiple browser sessions
		36	#disable-mnt
		37
		38	noexec ${HOME}
		39	noexec /tmp