hardening some profiles (#3505)

* hardening some profiles - harden and fix flameshot - wruc: frogatto, ghostwriter - harden gnome-latex - add whitelist opt-in note to keepassxc - add comment to minetest - harden openarena, tremulous, xonotic - add profile for xonotic-sdl-wrapper * followup
author: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2020-07-09 10:49:17 +0000
committer: GitHub <noreply@github.com> 2020-07-09 10:49:17 +0000
commit: deb6c12454191b7aeff3d259612a00427d1aa6a1 (patch)
tree: bdf4351c170112ded7b076298b2b4bddd7664f2b /etc/profile-m-z/openarena.profile
parent: Update disable-common.inc (#3499) (diff)
download: firejail-deb6c12454191b7aeff3d259612a00427d1aa6a1.tar.gz
firejail-deb6c12454191b7aeff3d259612a00427d1aa6a1.tar.zst
firejail-deb6c12454191b7aeff3d259612a00427d1aa6a1.zip
1 files changed, 16 insertions, 11 deletions
diff --git a/etc/profile-m-z/openarena.profile b/etc/profile-m-z/openarena.profile
index 3b15a6e42..45682fc31 100644
--- a/etc/profile-m-z/openarena.profile
+++ b/etc/profile-m-z/openarena.profile
@@ -16,30 +16,35 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.openarena
+whitelist ${HOME}/.openarena
+whitelist /usr/share/openarena
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.in
 include whitelist-var-common.inc
 apparmor
 caps.drop all
-# ipc-namespace
+netfilter
-# netfilter
+nodvd
-# nodvd
+nogroups
-# nogroups
 nonewprivs
 noroot
 notv
-# nou2f
+nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
-# tracelog
+tracelog
-# disable-mnt
+disable-mnt
-# private-bin openarena
+private-bin bash,cut,glxinfo,grep,head,openarena,openarena_ded,quake3,zenity
 private-cache
 private-dev
-# private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg
+private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg
 private-tmp
-# dbus-user none
+dbus-user none
-# dbus-system none
+dbus-system none
author	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2020-07-09 10:49:17 +0000
committer	GitHub <noreply@github.com>	2020-07-09 10:49:17 +0000
commit	deb6c12454191b7aeff3d259612a00427d1aa6a1 (patch)
tree	bdf4351c170112ded7b076298b2b4bddd7664f2b /etc/profile-m-z/openarena.profile
parent	Update disable-common.inc (#3499) (diff)
download	firejail-deb6c12454191b7aeff3d259612a00427d1aa6a1.tar.gz firejail-deb6c12454191b7aeff3d259612a00427d1aa6a1.tar.zst firejail-deb6c12454191b7aeff3d259612a00427d1aa6a1.zip

diff --git a/etc/profile-m-z/openarena.profile b/etc/profile-m-z/openarena.profile index 3b15a6e42..45682fc31 100644 --- a/etc/profile-m-z/openarena.profile +++ b/etc/profile-m-z/openarena.profile
@@ -16,30 +16,35 @@ include disable-passwdmgr.inc
16	include disable-programs.inc	16	include disable-programs.inc
17	include disable-xdg.inc	17	include disable-xdg.inc
18		18
		19	mkdir ${HOME}/.openarena
		20	whitelist ${HOME}/.openarena
		21	whitelist /usr/share/openarena
		22	include whitelist-common.inc
		23	include whitelist-runuser-common.inc
		24	include whitelist-usr-share-common.in
19	include whitelist-var-common.inc	25	include whitelist-var-common.inc
20		26
21	apparmor	27	apparmor
22	caps.drop all	28	caps.drop all
23	# ipc-namespace	29	netfilter
24	# netfilter	30	nodvd
25	# nodvd	31	nogroups
26	# nogroups
27	nonewprivs	32	nonewprivs
28	noroot	33	noroot
29	notv	34	notv
30	# nou2f	35	nou2f
31	novideo	36	novideo
32	protocol unix,inet,inet6,netlink	37	protocol unix,inet,inet6,netlink
33	seccomp	38	seccomp
34	shell none	39	shell none
35	# tracelog	40	tracelog
36		41
37	# disable-mnt	42	disable-mnt
38	# private-bin openarena	43	private-bin bash,cut,glxinfo,grep,head,openarena,openarena_ded,quake3,zenity
39	private-cache	44	private-cache
40	private-dev	45	private-dev
41	# private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg	46	private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg
42	private-tmp	47	private-tmp
43		48
44	# dbus-user none	49	dbus-user none
45	# dbus-system none	50	dbus-system none