author | glitsj16 <glitsj16@users.noreply.github.com> | 2024-05-07 19:10:43 +0000 |
committer | GitHub <noreply@github.com> | 2024-05-07 19:10:43 +0000 |
commit | 4fa0bb7cd6f228ade683a400f582a00ee180a5a3 (patch) | |
tree | f0d92bab48a0e5b34c49a00c8ee2b65b63d79a2b /etc/profile-a-l/hexchat.profile | |
parent | build(deps): bump step-security/harden-runner from 2.7.0 to 2.7.1 (diff) | |
profiles: hexchat: allow lua/downloads and harden (#6331)
* profiles: hexchat: hardenings
* profiles: hexchat: allow lua/downloads and harden
Allow more paths and add some extra options to harden the profile.
We allow Perl but keep it out of private-bin. Do the same for Lua and
clarify in the private-bin comment how to enable these interpreters.
Consulted resources:
- https://github.com/hexchat/hexchat/
- https://hexchat.readthedocs.io/
Diffstat (limited to 'etc/profile-a-l/hexchat.profile')
-rw-r--r-- | etc/profile-a-l/hexchat.profile | 18 |
1 files changed, 17 insertions, 1 deletions
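diff --git a/etc/profile-a-l/hexchat.profile b/etc/profile-a-l/hexchat.profile
index def7bf25f..ba5a5fbac 100644
--- a/etc/profile-a-l/hexchat.profile
+++ b/etc/profile-a-l/hexchat.profile
@@ -11,6 +11,9 @@ noblacklist ${HOME}/.config/hexchat
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc
 
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
 
@@ -18,17 +21,24 @@ include allow-perl.inc
 include allow-python2.inc
 include allow-python3.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/hexchat
+whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/hexchat
 include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
@@ -45,14 +55,20 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 tracelog
 
 disable-mnt
-# debug note: private-bin requires perl, python, etc on some systems
+# If you need Lua and/or Perl support, add the relevant binaries from
+# allow-lua.inc/allow-perl.inc to private-bin in your hexchat.local.
 private-bin hexchat,python*,sh
 private-dev
 #private-lib # python problems
 private-tmp
 
+dbus-user filter
+dbus-user.own org.hexchat.service
+dbus-system none
+
 #memory-deny-write-execute # breaks python
 restrict-namespaces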
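Review bot: The new `whitelist ${DOWNLOADS}` line in the second hunk is the widest grant this change makes — the whole downloads directory becomes readable and writable from a network-facing client — and it carries no comment saying why, while every other allowance in the file is explained; a one-line note such as `# ${DOWNLOADS} is writable, presumably for DCC file transfers; drop it in hexchat.local if unwanted` would tell anyone tightening the profile what they are trading off. In the third hunk the `dbus-user filter` block only owns `org.hexchat.service` and adds no `dbus-user.talk` rule, so if HexChat's desktop notifications go over `org.freedesktop.Notifications` they would presumably be blocked by the filter — worth confirming, or documenting as intended next to the `dbus-user.own` line. The rewritten private-bin comment is clearer than the old debug note; it could additionally state that allow-lua.inc/allow-perl.inc only lift the interpreter blacklist and do not by themselves place anything in private-bin, which is what makes the .local step necessary.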