clipit hardening (#5521)

* clipit hardening * clipit: fix hardening * clipit: add xdotool lib to private-lib
author: glitsj16 <glitsj16@users.noreply.github.com> 2022-12-12 13:10:48 +0000
committer: GitHub <noreply@github.com> 2022-12-12 13:10:48 +0000
commit: f99a296347a3a70fe898915746306dfe78bcdeae (patch)
tree: 090feeb8301e595e07614af34e67b22c91ecdfe5 /etc/profile-a-l/clipit.profile
parent: small nettrace fixes (diff)
download: firejail-f99a296347a3a70fe898915746306dfe78bcdeae.tar.gz
firejail-f99a296347a3a70fe898915746306dfe78bcdeae.tar.zst
firejail-f99a296347a3a70fe898915746306dfe78bcdeae.zip
1 files changed, 14 insertions, 0 deletions
diff --git a/etc/profile-a-l/clipit.profile b/etc/profile-a-l/clipit.profile
index ef1800aaa..0356547cd 100644
--- a/etc/profile-a-l/clipit.profile
+++ b/etc/profile-a-l/clipit.profile
@@ -13,7 +13,9 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/clipit
@@ -21,6 +23,8 @@ mkdir ${HOME}/.local/share/clipit
 whitelist ${HOME}/.config/clipit
 whitelist ${HOME}/.local/share/clipit
 include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -34,6 +38,7 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 nosound
 notv
@@ -41,9 +46,18 @@ nou2f
 novideo
 protocol unix
 seccomp
+tracelog
 disable-mnt
+private-bin clipit,xdotool
 private-cache
 private-dev
+private-lib libxdo.so.*
 private-tmp
+dbus-user none
+dbus-system none
+#memory-deny-write-execute
+restrict-namespaces
+read-only ${HOME}
author	glitsj16 <glitsj16@users.noreply.github.com>	2022-12-12 13:10:48 +0000
committer	GitHub <noreply@github.com>	2022-12-12 13:10:48 +0000
commit	f99a296347a3a70fe898915746306dfe78bcdeae (patch)
tree	090feeb8301e595e07614af34e67b22c91ecdfe5 /etc/profile-a-l/clipit.profile
parent	small nettrace fixes (diff)
download	firejail-f99a296347a3a70fe898915746306dfe78bcdeae.tar.gz firejail-f99a296347a3a70fe898915746306dfe78bcdeae.tar.zst firejail-f99a296347a3a70fe898915746306dfe78bcdeae.zip

diff --git a/etc/profile-a-l/clipit.profile b/etc/profile-a-l/clipit.profile index ef1800aaa..0356547cd 100644 --- a/etc/profile-a-l/clipit.profile +++ b/etc/profile-a-l/clipit.profile
@@ -13,7 +13,9 @@ include disable-common.inc
13	include disable-devel.inc	13	include disable-devel.inc
14	include disable-exec.inc	14	include disable-exec.inc
15	include disable-interpreters.inc	15	include disable-interpreters.inc
		16	include disable-proc.inc
16	include disable-programs.inc	17	include disable-programs.inc
		18	include disable-shell.inc
17	include disable-xdg.inc	19	include disable-xdg.inc
18		20
19	mkdir ${HOME}/.config/clipit	21	mkdir ${HOME}/.config/clipit
@@ -21,6 +23,8 @@ mkdir ${HOME}/.local/share/clipit
21	whitelist ${HOME}/.config/clipit	23	whitelist ${HOME}/.config/clipit
22	whitelist ${HOME}/.local/share/clipit	24	whitelist ${HOME}/.local/share/clipit
23	include whitelist-common.inc	25	include whitelist-common.inc
		26	include whitelist-run-common.inc
		27	include whitelist-runuser-common.inc
24	include whitelist-usr-share-common.inc	28	include whitelist-usr-share-common.inc
25	include whitelist-var-common.inc	29	include whitelist-var-common.inc
26		30
@@ -34,6 +38,7 @@ nodvd
34	nogroups	38	nogroups
35	noinput	39	noinput
36	nonewprivs	40	nonewprivs
		41	noprinters
37	noroot	42	noroot
38	nosound	43	nosound
39	notv	44	notv
@@ -41,9 +46,18 @@ nou2f
41	novideo	46	novideo
42	protocol unix	47	protocol unix
43	seccomp	48	seccomp
		49	tracelog
44		50
45	disable-mnt	51	disable-mnt
		52	private-bin clipit,xdotool
46	private-cache	53	private-cache
47	private-dev	54	private-dev
		55	private-lib libxdo.so.*
48	private-tmp	56	private-tmp
49		57
		58	dbus-user none
		59	dbus-system none
		60
		61	#memory-deny-write-execute
		62	restrict-namespaces
		63	read-only ${HOME}