ocenaudio hardening (#5056)

* ocenaudio: blacklist cache dir * ocenaudio: hardenings * ocenaudio: fix protocol comment
author: glitsj16 <glitsj16@users.noreply.github.com> 2022-03-18 10:20:07 +0000
committer: GitHub <noreply@github.com> 2022-03-18 10:20:07 +0000
commit: 362486cbd2c9efe441385ac7621e8d56a7d0f773 (patch)
tree: dc340e886251993f7eecca4e1461bae507be48ec /etc/profile-m-z/ocenaudio.profile
parent: cmake: fix local override & wusc (#5054) (diff)
download: firejail-362486cbd2c9efe441385ac7621e8d56a7d0f773.tar.gz
firejail-362486cbd2c9efe441385ac7621e8d56a7d0f773.tar.zst
firejail-362486cbd2c9efe441385ac7621e8d56a7d0f773.zip
1 files changed, 20 insertions, 13 deletions
diff --git a/etc/profile-m-z/ocenaudio.profile b/etc/profile-m-z/ocenaudio.profile
index 0bfb35333..080b4c92b 100644
--- a/etc/profile-m-z/ocenaudio.profile
+++ b/etc/profile-m-z/ocenaudio.profile
@@ -6,8 +6,9 @@ include ocenaudio.local
 # Persistent global definitions
 include globals.local
+noblacklist ${HOME}/.cache/ocenaudio
 noblacklist ${HOME}/.local/share/ocenaudio
-noblacklist ${DOCUMENTS}
 noblacklist ${MUSIC}
 include disable-common.inc
@@ -18,38 +19,44 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
+mkdir ${HOME}/.cache/ocenaudio
+mkdir ${HOME}/.local/share/ocenaudio
+whitelist ${HOME}/.cache/ocenaudio
+whitelist ${HOME}/.local/share/ocenaudio
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 apparmor
 caps.drop all
-ipc-namespace
+#ipc-namespace
-# net none - breaks update functionality and AppArmor on Ubuntu systems
-# Add 'net none' to your ocenaudio.local when you want that functionality.
-#net none
 netfilter
 no3d
 nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 notv
 nou2f
 novideo
-protocol unix
+# Add `protocol unix\nignore protocol` to your ocenaudio.local to disable networking.
+protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
-private-bin ocenaudio
+private-bin ocenaudio,ocenvst
 private-cache
 private-dev
-private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,pulse
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+private-opt ocenaudio
 private-tmp
-# breaks preferences
+dbus-user none
-# dbus-user none
+dbus-system none
-# dbus-system none
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
author	glitsj16 <glitsj16@users.noreply.github.com>	2022-03-18 10:20:07 +0000
committer	GitHub <noreply@github.com>	2022-03-18 10:20:07 +0000
commit	362486cbd2c9efe441385ac7621e8d56a7d0f773 (patch)
tree	dc340e886251993f7eecca4e1461bae507be48ec /etc/profile-m-z/ocenaudio.profile
parent	cmake: fix local override & wusc (#5054) (diff)
download	firejail-362486cbd2c9efe441385ac7621e8d56a7d0f773.tar.gz firejail-362486cbd2c9efe441385ac7621e8d56a7d0f773.tar.zst firejail-362486cbd2c9efe441385ac7621e8d56a7d0f773.zip

diff --git a/etc/profile-m-z/ocenaudio.profile b/etc/profile-m-z/ocenaudio.profile index 0bfb35333..080b4c92b 100644 --- a/etc/profile-m-z/ocenaudio.profile +++ b/etc/profile-m-z/ocenaudio.profile
@@ -6,8 +6,9 @@ include ocenaudio.local
6	# Persistent global definitions	6	# Persistent global definitions
7	include globals.local	7	include globals.local
8		8
		9	noblacklist ${HOME}/.cache/ocenaudio
9	noblacklist ${HOME}/.local/share/ocenaudio	10	noblacklist ${HOME}/.local/share/ocenaudio
10	noblacklist ${DOCUMENTS}	11
11	noblacklist ${MUSIC}	12	noblacklist ${MUSIC}
12		13
13	include disable-common.inc	14	include disable-common.inc
@@ -18,38 +19,44 @@ include disable-programs.inc
18	include disable-shell.inc	19	include disable-shell.inc
19	include disable-xdg.inc	20	include disable-xdg.inc
20		21
		22	mkdir ${HOME}/.cache/ocenaudio
		23	mkdir ${HOME}/.local/share/ocenaudio
		24	whitelist ${HOME}/.cache/ocenaudio
		25	whitelist ${HOME}/.local/share/ocenaudio
		26	whitelist ${DOWNLOADS}
		27	whitelist ${MUSIC}
		28	include whitelist-common.inc
		29	include whitelist-run-common.inc
		30	include whitelist-runuser-common.inc
21	include whitelist-usr-share-common.inc	31	include whitelist-usr-share-common.inc
22	include whitelist-var-common.inc	32	include whitelist-var-common.inc
23		33
24	apparmor	34	apparmor
25	caps.drop all	35	caps.drop all
26	ipc-namespace	36	#ipc-namespace
27	# net none - breaks update functionality and AppArmor on Ubuntu systems
28	# Add 'net none' to your ocenaudio.local when you want that functionality.
29	#net none
30	netfilter	37	netfilter
31	no3d	38	no3d
32	nodvd	39	nodvd
33	nogroups	40	nogroups
34	noinput	41	noinput
35	nonewprivs	42	nonewprivs
		43	noprinters
36	noroot	44	noroot
37	notv	45	notv
38	nou2f	46	nou2f
39	novideo	47	novideo
40	protocol unix	48	# Add `protocol unix\nignore protocol` to your ocenaudio.local to disable networking.
		49	protocol unix,inet,inet6
41	seccomp	50	seccomp
42	shell none	51	shell none
43	tracelog	52	tracelog
44		53
45	private-bin ocenaudio	54	private-bin ocenaudio,ocenvst
46	private-cache	55	private-cache
47	private-dev	56	private-dev
48	private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,pulse	57	private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
		58	private-opt ocenaudio
49	private-tmp	59	private-tmp
50		60
51	# breaks preferences	61	dbus-user none
52	# dbus-user none	62	dbus-system none
53	# dbus-system none
54
55	#memory-deny-write-execute - breaks on Arch (see issue #1803)