various hardening (#3394)

author: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2020-05-02 17:58:02 +0000
committer: GitHub <noreply@github.com> 2020-05-02 17:58:02 +0000
commit: 49280197ccf830b708b1b7c4d6fb8b3590f44da2 (patch)
tree: 76ae21d4faa96a2970738aedc693b6b9ed3183c8 /etc/profile-a-l
parent: fixes for zeal.profile (diff)
download: firejail-49280197ccf830b708b1b7c4d6fb8b3590f44da2.tar.gz
firejail-49280197ccf830b708b1b7c4d6fb8b3590f44da2.tar.zst
firejail-49280197ccf830b708b1b7c4d6fb8b3590f44da2.zip
4 files changed, 14 insertions, 1 deletions
diff --git a/etc/profile-a-l/etr.profile b/etc/profile-a-l/etr.profile
index 7afcd01d7..72f588366 100644
--- a/etc/profile-a-l/etr.profile
+++ b/etc/profile-a-l/etr.profile
@@ -9,6 +9,7 @@ include globals.local
 noblacklist ${HOME}/.etr
 include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
@@ -17,7 +18,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.etr
 whitelist ${HOME}/.etr
+whitelist /usr/share/etr
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 apparmor
diff --git a/etc/profile-a-l/frozen-bubble.profile b/etc/profile-a-l/frozen-bubble.profile
index d1dc64bb9..9245ae3a9 100644
--- a/etc/profile-a-l/frozen-bubble.profile
+++ b/etc/profile-a-l/frozen-bubble.profile
@@ -17,10 +17,14 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 mkdir ${HOME}/.frozen-bubble
 whitelist ${HOME}/.frozen-bubble
+whitelist /usr/share/perl5
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 apparmor
@@ -36,6 +40,7 @@ novideo
 protocol unix,netlink
 seccomp
 shell none
+tracelog
 disable-mnt
 # private-bin frozen-bubble
diff --git a/etc/profile-a-l/gnome-chess.profile b/etc/profile-a-l/gnome-chess.profile
index 2e2e86ac9..c1d2a34c0 100644
--- a/etc/profile-a-l/gnome-chess.profile
+++ b/etc/profile-a-l/gnome-chess.profile
@@ -17,6 +17,10 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+#mkdir ${HOME}/.local/share/gnome-chess
+#whitelist ${HOME}/.local/share/gnome-chess
+#include whitelist-common.inc
 whitelist /usr/share/gnuchess
 whitelist /usr/share/gnome-chess
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/gnome-hexgl.profile b/etc/profile-a-l/gnome-hexgl.profile
index 873a47ea9..59fe330a1 100644
--- a/etc/profile-a-l/gnome-hexgl.profile
+++ b/etc/profile-a-l/gnome-hexgl.profile
@@ -40,7 +40,7 @@ private
 private-bin gnome-hexgl
 private-cache
 private-dev
-private-etc machine-id
+private-etc alsa,asound.conf,machine-id,pulse
 private-tmp
 dbus-user none
author	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2020-05-02 17:58:02 +0000
committer	GitHub <noreply@github.com>	2020-05-02 17:58:02 +0000
commit	49280197ccf830b708b1b7c4d6fb8b3590f44da2 (patch)
tree	76ae21d4faa96a2970738aedc693b6b9ed3183c8 /etc/profile-a-l
parent	fixes for zeal.profile (diff)
download	firejail-49280197ccf830b708b1b7c4d6fb8b3590f44da2.tar.gz firejail-49280197ccf830b708b1b7c4d6fb8b3590f44da2.tar.zst firejail-49280197ccf830b708b1b7c4d6fb8b3590f44da2.zip

diff --git a/etc/profile-a-l/etr.profile b/etc/profile-a-l/etr.profile index 7afcd01d7..72f588366 100644 --- a/etc/profile-a-l/etr.profile +++ b/etc/profile-a-l/etr.profile
@@ -9,6 +9,7 @@ include globals.local
9	noblacklist ${HOME}/.etr	9	noblacklist ${HOME}/.etr
10		10
11	include disable-common.inc	11	include disable-common.inc
		12	include disable-devel.inc
12	include disable-exec.inc	13	include disable-exec.inc
13	include disable-interpreters.inc	14	include disable-interpreters.inc
14	include disable-passwdmgr.inc	15	include disable-passwdmgr.inc
@@ -17,7 +18,10 @@ include disable-xdg.inc
17		18
18	mkdir ${HOME}/.etr	19	mkdir ${HOME}/.etr
19	whitelist ${HOME}/.etr	20	whitelist ${HOME}/.etr
		21	whitelist /usr/share/etr
20	include whitelist-common.inc	22	include whitelist-common.inc
		23	include whitelist-runuser-common.inc
		24	include whitelist-usr-share-common.inc
21	include whitelist-var-common.inc	25	include whitelist-var-common.inc
22		26
23	apparmor	27	apparmor


diff --git a/etc/profile-a-l/frozen-bubble.profile b/etc/profile-a-l/frozen-bubble.profile index d1dc64bb9..9245ae3a9 100644 --- a/etc/profile-a-l/frozen-bubble.profile +++ b/etc/profile-a-l/frozen-bubble.profile
@@ -17,10 +17,14 @@ include disable-exec.inc
17	include disable-interpreters.inc	17	include disable-interpreters.inc
18	include disable-passwdmgr.inc	18	include disable-passwdmgr.inc
19	include disable-programs.inc	19	include disable-programs.inc
		20	include disable-xdg.inc
20		21
21	mkdir ${HOME}/.frozen-bubble	22	mkdir ${HOME}/.frozen-bubble
22	whitelist ${HOME}/.frozen-bubble	23	whitelist ${HOME}/.frozen-bubble
		24	whitelist /usr/share/perl5
23	include whitelist-common.inc	25	include whitelist-common.inc
		26	include whitelist-runuser-common.inc
		27	include whitelist-usr-share-common.inc
24	include whitelist-var-common.inc	28	include whitelist-var-common.inc
25		29
26	apparmor	30	apparmor
@@ -36,6 +40,7 @@ novideo
36	protocol unix,netlink	40	protocol unix,netlink
37	seccomp	41	seccomp
38	shell none	42	shell none
		43	tracelog
39		44
40	disable-mnt	45	disable-mnt
41	# private-bin frozen-bubble	46	# private-bin frozen-bubble


diff --git a/etc/profile-a-l/gnome-chess.profile b/etc/profile-a-l/gnome-chess.profile index 2e2e86ac9..c1d2a34c0 100644 --- a/etc/profile-a-l/gnome-chess.profile +++ b/etc/profile-a-l/gnome-chess.profile
@@ -17,6 +17,10 @@ include disable-passwdmgr.inc
17	include disable-programs.inc	17	include disable-programs.inc
18	include disable-xdg.inc	18	include disable-xdg.inc
19		19
		20	#mkdir ${HOME}/.local/share/gnome-chess
		21	#whitelist ${HOME}/.local/share/gnome-chess
		22	#include whitelist-common.inc
		23
20	whitelist /usr/share/gnuchess	24	whitelist /usr/share/gnuchess
21	whitelist /usr/share/gnome-chess	25	whitelist /usr/share/gnome-chess
22	include whitelist-runuser-common.inc	26	include whitelist-runuser-common.inc


diff --git a/etc/profile-a-l/gnome-hexgl.profile b/etc/profile-a-l/gnome-hexgl.profile index 873a47ea9..59fe330a1 100644 --- a/etc/profile-a-l/gnome-hexgl.profile +++ b/etc/profile-a-l/gnome-hexgl.profile
@@ -40,7 +40,7 @@ private
40	private-bin gnome-hexgl	40	private-bin gnome-hexgl
41	private-cache	41	private-cache
42	private-dev	42	private-dev
43	private-etc machine-id	43	private-etc alsa,asound.conf,machine-id,pulse
44	private-tmp	44	private-tmp
45		45
46	dbus-user none	46	dbus-user none