Merge pull request #1367 from SpotComms/mh

Harden profiles
author: Fred Barclay <Fred-Barclay@users.noreply.github.com> 2017-08-02 09:37:20 -0500
committer: GitHub <noreply@github.com> 2017-08-02 09:37:20 -0500
commit: caaac4417bd9b4116681c96fa1127b3f78c33d1d (patch)
tree: 0c1fd52865432943dff536a7679408bec47df683 /etc/nemo.profile
parent: get_mempolicy syscall was temporarily removed from the default seccomp list. ... (diff)
parent: Fixes (diff)
download: firejail-caaac4417bd9b4116681c96fa1127b3f78c33d1d.tar.gz
firejail-caaac4417bd9b4116681c96fa1127b3f78c33d1d.tar.zst
firejail-caaac4417bd9b4116681c96fa1127b3f78c33d1d.zip
1 files changed, 7 insertions, 10 deletions
diff --git a/etc/nemo.profile b/etc/nemo.profile
index 1d9124d19..5e6f4936f 100644
--- a/etc/nemo.profile
+++ b/etc/nemo.profile
@@ -16,18 +16,15 @@ include /etc/firejail/disable-devel.inc
 caps.drop all
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
+nosound
+novideo
 protocol unix,inet,inet6
 seccomp
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
 shell none
-# private-bin program
-# private-etc none
+noexec ${HOME}
-# private-dev
+noexec /tmp
-# private-tmp
-# nosound
author	Fred Barclay <Fred-Barclay@users.noreply.github.com>	2017-08-02 09:37:20 -0500
committer	GitHub <noreply@github.com>	2017-08-02 09:37:20 -0500
commit	caaac4417bd9b4116681c96fa1127b3f78c33d1d (patch)
tree	0c1fd52865432943dff536a7679408bec47df683 /etc/nemo.profile
parent	get_mempolicy syscall was temporarily removed from the default seccomp list. ... (diff)
parent	Fixes (diff)
download	firejail-caaac4417bd9b4116681c96fa1127b3f78c33d1d.tar.gz firejail-caaac4417bd9b4116681c96fa1127b3f78c33d1d.tar.zst firejail-caaac4417bd9b4116681c96fa1127b3f78c33d1d.zip

diff --git a/etc/nemo.profile b/etc/nemo.profile index 1d9124d19..5e6f4936f 100644 --- a/etc/nemo.profile +++ b/etc/nemo.profile
@@ -16,18 +16,15 @@ include /etc/firejail/disable-devel.inc
16		16
17	caps.drop all	17	caps.drop all
18	netfilter	18	netfilter
		19	no3d
		20	nogroups
19	nonewprivs	21	nonewprivs
20	noroot	22	noroot
		23	nosound
		24	novideo
21	protocol unix,inet,inet6	25	protocol unix,inet,inet6
22	seccomp	26	seccomp
23
24	#
25	# depending on your usage, you can enable some of the commands below:
26	#
27	nogroups
28	shell none	27	shell none
29	# private-bin program	28
30	# private-etc none	29	noexec ${HOME}
31	# private-dev	30	noexec /tmp
32	# private-tmp
33	# nosound