harden songrec

as suggested by @rusty-snake in addition blacklist/noblacklist/whitelist songrec application files
author: smitsohu <smitsohu@gmail.com> 2022-03-11 15:39:17 +0100
committer: smitsohu <smitsohu@gmail.com> 2022-03-11 15:39:17 +0100
commit: df4b26977de4ce05d269caa8c3914f6f2f7ba8b8 (patch)
tree: 4b4be360bb023ed336029e00ad082f6e8e284ce2 /etc/profile-m-z/songrec.profile
parent: Merge pull request #4260 from sandsmark/martin/songrec (diff)
download: firejail-df4b26977de4ce05d269caa8c3914f6f2f7ba8b8.tar.gz
firejail-df4b26977de4ce05d269caa8c3914f6f2f7ba8b8.tar.zst
firejail-df4b26977de4ce05d269caa8c3914f6f2f7ba8b8.zip
1 files changed, 14 insertions, 2 deletions
diff --git a/etc/profile-m-z/songrec.profile b/etc/profile-m-z/songrec.profile
index d121f7845..f63a47c18 100644
--- a/etc/profile-m-z/songrec.profile
+++ b/etc/profile-m-z/songrec.profile
@@ -6,23 +6,34 @@ include songrec.local
 # Persistent global definitions
 include globals.local
+noblacklist ${HOME}/.local/share/SongRec
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-xdg.inc
+nowhitelist ${PICTURES}
+mkdir ${HOME}/.local/share/SongRec
+whitelist ${HOME}/.local/share/SongRec
 include whitelist-common.inc
 include whitelist-player-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
 no3d
 nogroups
+noinput
 nonewprivs
 noroot
 notv
@@ -34,7 +45,8 @@ seccomp.block-secondary
 shell none
 disable-mnt
-private-bin songrec,ffmpeg
+private-bin ffmpeg,songrec
+private-cache
 private-dev
 private-tmp
author	smitsohu <smitsohu@gmail.com>	2022-03-11 15:39:17 +0100
committer	smitsohu <smitsohu@gmail.com>	2022-03-11 15:39:17 +0100
commit	df4b26977de4ce05d269caa8c3914f6f2f7ba8b8 (patch)
tree	4b4be360bb023ed336029e00ad082f6e8e284ce2 /etc/profile-m-z/songrec.profile
parent	Merge pull request #4260 from sandsmark/martin/songrec (diff)
download	firejail-df4b26977de4ce05d269caa8c3914f6f2f7ba8b8.tar.gz firejail-df4b26977de4ce05d269caa8c3914f6f2f7ba8b8.tar.zst firejail-df4b26977de4ce05d269caa8c3914f6f2f7ba8b8.zip

diff --git a/etc/profile-m-z/songrec.profile b/etc/profile-m-z/songrec.profile index d121f7845..f63a47c18 100644 --- a/etc/profile-m-z/songrec.profile +++ b/etc/profile-m-z/songrec.profile
@@ -6,23 +6,34 @@ include songrec.local
6	# Persistent global definitions	6	# Persistent global definitions
7	include globals.local	7	include globals.local
8		8
		9	noblacklist ${HOME}/.local/share/SongRec
		10	noblacklist ${MUSIC}
		11	noblacklist ${VIDEOS}
9		12
10	include disable-common.inc	13	include disable-common.inc
11	include disable-devel.inc	14	include disable-devel.inc
12	include disable-exec.inc	15	include disable-exec.inc
13	include disable-interpreters.inc	16	include disable-interpreters.inc
14	include disable-passwdmgr.inc
15	include disable-programs.inc	17	include disable-programs.inc
16	include disable-shell.inc	18	include disable-shell.inc
		19	include disable-xdg.inc
17		20
		21	nowhitelist ${PICTURES}
		22
		23	mkdir ${HOME}/.local/share/SongRec
		24	whitelist ${HOME}/.local/share/SongRec
18	include whitelist-common.inc	25	include whitelist-common.inc
19	include whitelist-player-common.inc	26	include whitelist-player-common.inc
		27	include whitelist-run-common.inc
		28	include whitelist-runuser-common.inc
		29	include whitelist-var-common.inc
20		30
21	apparmor	31	apparmor
22	caps.drop all	32	caps.drop all
23	netfilter	33	netfilter
24	no3d	34	no3d
25	nogroups	35	nogroups
		36	noinput
26	nonewprivs	37	nonewprivs
27	noroot	38	noroot
28	notv	39	notv
@@ -34,7 +45,8 @@ seccomp.block-secondary
34	shell none	45	shell none
35		46
36	disable-mnt	47	disable-mnt
37	private-bin songrec,ffmpeg	48	private-bin ffmpeg,songrec
		49	private-cache
38	private-dev	50	private-dev
39	private-tmp	51	private-tmp
40		52