harden gradio.profile

author: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2020-06-25 15:09:44 +0200
committer: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2020-06-25 15:09:44 +0200
commit: eb34c2d931698529ff6de2b3b90d7b1703f3b13a (patch)
tree: b3e12067ad232da69642be1a0530fbacc6a53fd3 /etc/profile-a-l
parent: new profiles (diff)
download: firejail-eb34c2d931698529ff6de2b3b90d7b1703f3b13a.tar.gz
firejail-eb34c2d931698529ff6de2b3b90d7b1703f3b13a.tar.zst
firejail-eb34c2d931698529ff6de2b3b90d7b1703f3b13a.zip
1 files changed, 15 insertions, 0 deletions
diff --git a/etc/profile-a-l/gradio.profile b/etc/profile-a-l/gradio.profile
index 82e2504b9..a16e65efb 100644
--- a/etc/profile-a-l/gradio.profile
+++ b/etc/profile-a-l/gradio.profile
@@ -14,12 +14,15 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 mkdir ${HOME}/.cache/gradio
 mkdir ${HOME}/.local/share/gradio
 whitelist ${HOME}/.cache/gradio
 whitelist ${HOME}/.local/share/gradio
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 caps.drop all
@@ -30,11 +33,23 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
+tracelog
+disable-mnt
+private-bin gradio
+private-cache
+private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
+dbus-user filter
+dbus-user.own de.haeckerfelix.gradio
+dbus-user.own org.mpris.MediaPlayer2.gradio
+dbus-user.talk ca.desrt.dconf
+dbus-system none
author	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2020-06-25 15:09:44 +0200
committer	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2020-06-25 15:09:44 +0200
commit	eb34c2d931698529ff6de2b3b90d7b1703f3b13a (patch)
tree	b3e12067ad232da69642be1a0530fbacc6a53fd3 /etc/profile-a-l
parent	new profiles (diff)
download	firejail-eb34c2d931698529ff6de2b3b90d7b1703f3b13a.tar.gz firejail-eb34c2d931698529ff6de2b3b90d7b1703f3b13a.tar.zst firejail-eb34c2d931698529ff6de2b3b90d7b1703f3b13a.zip

diff --git a/etc/profile-a-l/gradio.profile b/etc/profile-a-l/gradio.profile index 82e2504b9..a16e65efb 100644 --- a/etc/profile-a-l/gradio.profile +++ b/etc/profile-a-l/gradio.profile
@@ -14,12 +14,15 @@ include disable-exec.inc
14	include disable-interpreters.inc	14	include disable-interpreters.inc
15	include disable-passwdmgr.inc	15	include disable-passwdmgr.inc
16	include disable-programs.inc	16	include disable-programs.inc
		17	include disable-xdg.inc
17		18
18	mkdir ${HOME}/.cache/gradio	19	mkdir ${HOME}/.cache/gradio
19	mkdir ${HOME}/.local/share/gradio	20	mkdir ${HOME}/.local/share/gradio
20	whitelist ${HOME}/.cache/gradio	21	whitelist ${HOME}/.cache/gradio
21	whitelist ${HOME}/.local/share/gradio	22	whitelist ${HOME}/.local/share/gradio
22	include whitelist-common.inc	23	include whitelist-common.inc
		24	include whitelist-runuser-common.inc
		25	include whitelist-usr-share-common.inc
23	include whitelist-var-common.inc	26	include whitelist-var-common.inc
24		27
25	caps.drop all	28	caps.drop all
@@ -30,11 +33,23 @@ nogroups
30	nonewprivs	33	nonewprivs
31	noroot	34	noroot
32	notv	35	notv
		36	nou2f
33	novideo	37	novideo
34	protocol unix,inet,inet6	38	protocol unix,inet,inet6
35	seccomp	39	seccomp
		40	seccomp.block-secondary
36	shell none	41	shell none
		42	tracelog
37		43
		44	disable-mnt
		45	private-bin gradio
		46	private-cache
		47	private-dev
38	private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg	48	private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg
39	private-tmp	49	private-tmp
40		50
		51	dbus-user filter
		52	dbus-user.own de.haeckerfelix.gradio
		53	dbus-user.own org.mpris.MediaPlayer2.gradio
		54	dbus-user.talk ca.desrt.dconf
		55	dbus-system none