Harden some game profiles

author: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2021-04-30 10:34:38 +0200
committer: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2021-04-30 10:34:47 +0200
commit: a9c1a56bc21c6f583292f0f543673730c5737c1b (patch)
tree: 7eb5e5d77e47c9665782fd8e27d0bfaf91582f07 /etc/profile-m-z/neverball.profile
parent: Merge pull request #4219 from Neo00001/master (diff)
download: firejail-a9c1a56bc21c6f583292f0f543673730c5737c1b.tar.gz
firejail-a9c1a56bc21c6f583292f0f543673730c5737c1b.tar.zst
firejail-a9c1a56bc21c6f583292f0f543673730c5737c1b.zip
1 files changed, 14 insertions, 2 deletions
diff --git a/etc/profile-m-z/neverball.profile b/etc/profile-m-z/neverball.profile
index 84c634549..5c7c2b3da 100644
--- a/etc/profile-m-z/neverball.profile
+++ b/etc/profile-m-z/neverball.profile
@@ -14,13 +14,19 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
 mkdir ${HOME}/.neverball
 whitelist ${HOME}/.neverball
+whitelist /usr/share/neverball
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 caps.drop all
-netfilter
+net none
 nodvd
 nogroups
 nonewprivs
@@ -28,12 +34,18 @@ noroot
 notv
 nou2f
 novideo
-protocol unix,netlink
+protocol unix
 seccomp
+seccomp.block-secondary
 shell none
+tracelog
 disable-mnt
 private-bin neverball
+private-cache
 private-dev
+private-etc alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,fonts,machine-id
 private-tmp
+dbus-user none
+dbus-system none
author	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2021-04-30 10:34:38 +0200
committer	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2021-04-30 10:34:47 +0200
commit	a9c1a56bc21c6f583292f0f543673730c5737c1b (patch)
tree	7eb5e5d77e47c9665782fd8e27d0bfaf91582f07 /etc/profile-m-z/neverball.profile
parent	Merge pull request #4219 from Neo00001/master (diff)
download	firejail-a9c1a56bc21c6f583292f0f543673730c5737c1b.tar.gz firejail-a9c1a56bc21c6f583292f0f543673730c5737c1b.tar.zst firejail-a9c1a56bc21c6f583292f0f543673730c5737c1b.zip

diff --git a/etc/profile-m-z/neverball.profile b/etc/profile-m-z/neverball.profile index 84c634549..5c7c2b3da 100644 --- a/etc/profile-m-z/neverball.profile +++ b/etc/profile-m-z/neverball.profile
@@ -14,13 +14,19 @@ include disable-exec.inc
14	include disable-interpreters.inc	14	include disable-interpreters.inc
15	include disable-passwdmgr.inc	15	include disable-passwdmgr.inc
16	include disable-programs.inc	16	include disable-programs.inc
		17	include disable-shell.inc
		18	include disable-xdg.inc
17		19
18	mkdir ${HOME}/.neverball	20	mkdir ${HOME}/.neverball
19	whitelist ${HOME}/.neverball	21	whitelist ${HOME}/.neverball
		22	whitelist /usr/share/neverball
20	include whitelist-common.inc	23	include whitelist-common.inc
		24	include whitelist-runuser-common.inc
		25	include whitelist-usr-share-common.inc
		26	include whitelist-var-common.inc
21		27
22	caps.drop all	28	caps.drop all
23	netfilter	29	net none
24	nodvd	30	nodvd
25	nogroups	31	nogroups
26	nonewprivs	32	nonewprivs
@@ -28,12 +34,18 @@ noroot
28	notv	34	notv
29	nou2f	35	nou2f
30	novideo	36	novideo
31	protocol unix,netlink	37	protocol unix
32	seccomp	38	seccomp
		39	seccomp.block-secondary
33	shell none	40	shell none
		41	tracelog
34		42
35	disable-mnt	43	disable-mnt
36	private-bin neverball	44	private-bin neverball
		45	private-cache
37	private-dev	46	private-dev
		47	private-etc alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,fonts,machine-id
38	private-tmp	48	private-tmp
39		49
		50	dbus-user none
		51	dbus-system none