various hardening (#3394)

author: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2020-05-02 17:58:02 +0000
committer: GitHub <noreply@github.com> 2020-05-02 17:58:02 +0000
commit: 49280197ccf830b708b1b7c4d6fb8b3590f44da2 (patch)
tree: 76ae21d4faa96a2970738aedc693b6b9ed3183c8 /etc/profile-m-z
parent: fixes for zeal.profile (diff)
download: firejail-49280197ccf830b708b1b7c4d6fb8b3590f44da2.tar.gz
firejail-49280197ccf830b708b1b7c4d6fb8b3590f44da2.tar.zst
firejail-49280197ccf830b708b1b7c4d6fb8b3590f44da2.zip
9 files changed, 34 insertions, 1 deletions
diff --git a/etc/profile-m-z/megaglest.profile b/etc/profile-m-z/megaglest.profile
index 86e7f129e..19f9edf05 100644
--- a/etc/profile-m-z/megaglest.profile
+++ b/etc/profile-m-z/megaglest.profile
@@ -18,9 +18,13 @@ include disable-xdg.inc
 mkdir ${HOME}/.megaglest
 whitelist ${HOME}/.megaglest
+whitelist /usr/share/megaglest
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 ipc-namespace
 netfilter
diff --git a/etc/profile-m-z/minetest.profile b/etc/profile-m-z/minetest.profile
index 619173024..f201b13d7 100644
--- a/etc/profile-m-z/minetest.profile
+++ b/etc/profile-m-z/minetest.profile
@@ -21,7 +21,10 @@ mkdir ${HOME}/.cache/minetest
 mkdir ${HOME}/.minetest
 whitelist ${HOME}/.cache/minetest
 whitelist ${HOME}/.minetest
+whitelist /usr/share/minetest
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 caps.drop all
diff --git a/etc/profile-m-z/ostrichriders.profile b/etc/profile-m-z/ostrichriders.profile
index 378d267f6..4cd4dae17 100644
--- a/etc/profile-m-z/ostrichriders.profile
+++ b/etc/profile-m-z/ostrichriders.profile
@@ -18,7 +18,9 @@ include disable-xdg.inc
 mkdir ${HOME}/.ostrichriders
 whitelist ${HOME}/.ostrichriders
+whitelist /usr/share/ostrichriders
 include whitelist-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 caps.drop all
diff --git a/etc/profile-m-z/pingus.profile b/etc/profile-m-z/pingus.profile
index cfe45b9c9..0b6a9ad5f 100644
--- a/etc/profile-m-z/pingus.profile
+++ b/etc/profile-m-z/pingus.profile
@@ -14,10 +14,14 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 mkdir ${HOME}/.pingus
 whitelist ${HOME}/.pingus
+whitelist /usr/share/pingus
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 apparmor
@@ -33,9 +37,13 @@ novideo
 protocol unix,netlink
 seccomp
 shell none
+tracelog
-# private-bin pingus
+disbale-mnt
+private-bin pingus,pingus.bin,sh
+private-cache
 private-dev
+private-etc machine-id
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/scorched3d-wrapper.profile b/etc/profile-m-z/scorched3d-wrapper.profile
index 9cbb19bff..507d0827e 100644
--- a/etc/profile-m-z/scorched3d-wrapper.profile
+++ b/etc/profile-m-z/scorched3d-wrapper.profile
@@ -3,5 +3,8 @@
 # Persistent local customizations
 include scorched3d-wrapper.local
+whitelist /usr/share/opengl-games-utils
+private-bin basename,bash,cut,glxinfo,grep,head,sed,zenity
 # Redirect
 include scorched3d.profile
diff --git a/etc/profile-m-z/scorched3d.profile b/etc/profile-m-z/scorched3d.profile
index b5e51198b..6a1003c33 100644
--- a/etc/profile-m-z/scorched3d.profile
+++ b/etc/profile-m-z/scorched3d.profile
@@ -18,7 +18,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.scorched3d
 whitelist ${HOME}/.scorched3d
+whitelist /usr/share/scorched3d
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 caps.drop all
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile
index e1cdb114c..ceaae8fbf 100644
--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -14,10 +14,14 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 mkdir ${HOME}/.local/share/supertux2
 whitelist ${HOME}/.local/share/supertux2
+whitelist /usr/share/supertux2
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 apparmor
@@ -33,6 +37,7 @@ novideo
 protocol unix,netlink
 seccomp
 shell none
+tracelog
 disable-mnt
 # private-bin supertux2
diff --git a/etc/profile-m-z/torcs.profile b/etc/profile-m-z/torcs.profile
index 8dcd7447b..1ed78934e 100644
--- a/etc/profile-m-z/torcs.profile
+++ b/etc/profile-m-z/torcs.profile
@@ -18,7 +18,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.torcs
 whitelist ${HOME}/.torcs
+whitelist /usr/share/games/torcs
+whitelist /var/games/torcs
 include whitelist-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 caps.drop all
@@ -37,6 +40,7 @@ shell none
 tracelog
 disable-mnt
+private-bin bash,chmod,cp,mkdir,rm,torcs
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/transmission-gtk.profile b/etc/profile-m-z/transmission-gtk.profile
index baa970307..03111ec56 100644
--- a/etc/profile-m-z/transmission-gtk.profile
+++ b/etc/profile-m-z/transmission-gtk.profile
@@ -10,6 +10,7 @@ include globals.local
 include whitelist-runuser-common.inc
 private-bin transmission-gtk
+private-cache
 ignore memory-deny-write-execute
author	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2020-05-02 17:58:02 +0000
committer	GitHub <noreply@github.com>	2020-05-02 17:58:02 +0000
commit	49280197ccf830b708b1b7c4d6fb8b3590f44da2 (patch)
tree	76ae21d4faa96a2970738aedc693b6b9ed3183c8 /etc/profile-m-z
parent	fixes for zeal.profile (diff)
download	firejail-49280197ccf830b708b1b7c4d6fb8b3590f44da2.tar.gz firejail-49280197ccf830b708b1b7c4d6fb8b3590f44da2.tar.zst firejail-49280197ccf830b708b1b7c4d6fb8b3590f44da2.zip

diff --git a/etc/profile-m-z/megaglest.profile b/etc/profile-m-z/megaglest.profile index 86e7f129e..19f9edf05 100644 --- a/etc/profile-m-z/megaglest.profile +++ b/etc/profile-m-z/megaglest.profile
@@ -18,9 +18,13 @@ include disable-xdg.inc
18		18
19	mkdir ${HOME}/.megaglest	19	mkdir ${HOME}/.megaglest
20	whitelist ${HOME}/.megaglest	20	whitelist ${HOME}/.megaglest
		21	whitelist /usr/share/megaglest
21	include whitelist-common.inc	22	include whitelist-common.inc
		23	include whitelist-runuser-common.inc
		24	include whitelist-usr-share-common.inc
22	include whitelist-var-common.inc	25	include whitelist-var-common.inc
23		26
		27	apparmor
24	caps.drop all	28	caps.drop all
25	ipc-namespace	29	ipc-namespace
26	netfilter	30	netfilter


diff --git a/etc/profile-m-z/minetest.profile b/etc/profile-m-z/minetest.profile index 619173024..f201b13d7 100644 --- a/etc/profile-m-z/minetest.profile +++ b/etc/profile-m-z/minetest.profile
@@ -21,7 +21,10 @@ mkdir ${HOME}/.cache/minetest
21	mkdir ${HOME}/.minetest	21	mkdir ${HOME}/.minetest
22	whitelist ${HOME}/.cache/minetest	22	whitelist ${HOME}/.cache/minetest
23	whitelist ${HOME}/.minetest	23	whitelist ${HOME}/.minetest
		24	whitelist /usr/share/minetest
24	include whitelist-common.inc	25	include whitelist-common.inc
		26	include whitelist-runuser-common.inc
		27	include whitelist-usr-share-common.inc
25	include whitelist-var-common.inc	28	include whitelist-var-common.inc
26		29
27	caps.drop all	30	caps.drop all


diff --git a/etc/profile-m-z/ostrichriders.profile b/etc/profile-m-z/ostrichriders.profile index 378d267f6..4cd4dae17 100644 --- a/etc/profile-m-z/ostrichriders.profile +++ b/etc/profile-m-z/ostrichriders.profile
@@ -18,7 +18,9 @@ include disable-xdg.inc
18		18
19	mkdir ${HOME}/.ostrichriders	19	mkdir ${HOME}/.ostrichriders
20	whitelist ${HOME}/.ostrichriders	20	whitelist ${HOME}/.ostrichriders
		21	whitelist /usr/share/ostrichriders
21	include whitelist-common.inc	22	include whitelist-common.inc
		23	include whitelist-usr-share-common.inc
22	include whitelist-var-common.inc	24	include whitelist-var-common.inc
23		25
24	caps.drop all	26	caps.drop all


diff --git a/etc/profile-m-z/pingus.profile b/etc/profile-m-z/pingus.profile index cfe45b9c9..0b6a9ad5f 100644 --- a/etc/profile-m-z/pingus.profile +++ b/etc/profile-m-z/pingus.profile
@@ -14,10 +14,14 @@ include disable-exec.inc
14	include disable-interpreters.inc	14	include disable-interpreters.inc
15	include disable-passwdmgr.inc	15	include disable-passwdmgr.inc
16	include disable-programs.inc	16	include disable-programs.inc
		17	include disable-xdg.inc
17		18
18	mkdir ${HOME}/.pingus	19	mkdir ${HOME}/.pingus
19	whitelist ${HOME}/.pingus	20	whitelist ${HOME}/.pingus
		21	whitelist /usr/share/pingus
20	include whitelist-common.inc	22	include whitelist-common.inc
		23	include whitelist-runuser-common.inc
		24	include whitelist-usr-share-common.inc
21	include whitelist-var-common.inc	25	include whitelist-var-common.inc
22		26
23	apparmor	27	apparmor
@@ -33,9 +37,13 @@ novideo
33	protocol unix,netlink	37	protocol unix,netlink
34	seccomp	38	seccomp
35	shell none	39	shell none
		40	tracelog
36		41
37	# private-bin pingus	42	disbale-mnt
		43	private-bin pingus,pingus.bin,sh
		44	private-cache
38	private-dev	45	private-dev
		46	private-etc machine-id
39	private-tmp	47	private-tmp
40		48
41	dbus-user none	49	dbus-user none


diff --git a/etc/profile-m-z/scorched3d-wrapper.profile b/etc/profile-m-z/scorched3d-wrapper.profile index 9cbb19bff..507d0827e 100644 --- a/etc/profile-m-z/scorched3d-wrapper.profile +++ b/etc/profile-m-z/scorched3d-wrapper.profile
@@ -3,5 +3,8 @@
3	# Persistent local customizations	3	# Persistent local customizations
4	include scorched3d-wrapper.local	4	include scorched3d-wrapper.local
5		5
		6	whitelist /usr/share/opengl-games-utils
		7	private-bin basename,bash,cut,glxinfo,grep,head,sed,zenity
		8
6	# Redirect	9	# Redirect
7	include scorched3d.profile	10	include scorched3d.profile


diff --git a/etc/profile-m-z/scorched3d.profile b/etc/profile-m-z/scorched3d.profile index b5e51198b..6a1003c33 100644 --- a/etc/profile-m-z/scorched3d.profile +++ b/etc/profile-m-z/scorched3d.profile
@@ -18,7 +18,10 @@ include disable-xdg.inc
18		18
19	mkdir ${HOME}/.scorched3d	19	mkdir ${HOME}/.scorched3d
20	whitelist ${HOME}/.scorched3d	20	whitelist ${HOME}/.scorched3d
		21	whitelist /usr/share/scorched3d
21	include whitelist-common.inc	22	include whitelist-common.inc
		23	include whitelist-runuser-common.inc
		24	include whitelist-usr-share-common.inc
22	include whitelist-var-common.inc	25	include whitelist-var-common.inc
23		26
24	caps.drop all	27	caps.drop all


diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile index e1cdb114c..ceaae8fbf 100644 --- a/etc/profile-m-z/supertux2.profile +++ b/etc/profile-m-z/supertux2.profile
@@ -14,10 +14,14 @@ include disable-exec.inc
14	include disable-interpreters.inc	14	include disable-interpreters.inc
15	include disable-passwdmgr.inc	15	include disable-passwdmgr.inc
16	include disable-programs.inc	16	include disable-programs.inc
		17	include disable-xdg.inc
17		18
18	mkdir ${HOME}/.local/share/supertux2	19	mkdir ${HOME}/.local/share/supertux2
19	whitelist ${HOME}/.local/share/supertux2	20	whitelist ${HOME}/.local/share/supertux2
		21	whitelist /usr/share/supertux2
20	include whitelist-common.inc	22	include whitelist-common.inc
		23	include whitelist-runuser-common.inc
		24	include whitelist-usr-share-common.inc
21	include whitelist-var-common.inc	25	include whitelist-var-common.inc
22		26
23	apparmor	27	apparmor
@@ -33,6 +37,7 @@ novideo
33	protocol unix,netlink	37	protocol unix,netlink
34	seccomp	38	seccomp
35	shell none	39	shell none
		40	tracelog
36		41
37	disable-mnt	42	disable-mnt
38	# private-bin supertux2	43	# private-bin supertux2


diff --git a/etc/profile-m-z/torcs.profile b/etc/profile-m-z/torcs.profile index 8dcd7447b..1ed78934e 100644 --- a/etc/profile-m-z/torcs.profile +++ b/etc/profile-m-z/torcs.profile
@@ -18,7 +18,10 @@ include disable-xdg.inc
18		18
19	mkdir ${HOME}/.torcs	19	mkdir ${HOME}/.torcs
20	whitelist ${HOME}/.torcs	20	whitelist ${HOME}/.torcs
		21	whitelist /usr/share/games/torcs
		22	whitelist /var/games/torcs
21	include whitelist-common.inc	23	include whitelist-common.inc
		24	include whitelist-usr-share-common.inc
22	include whitelist-var-common.inc	25	include whitelist-var-common.inc
23		26
24	caps.drop all	27	caps.drop all
@@ -37,6 +40,7 @@ shell none
37	tracelog	40	tracelog
38		41
39	disable-mnt	42	disable-mnt
		43	private-bin bash,chmod,cp,mkdir,rm,torcs
40	private-cache	44	private-cache
41	private-dev	45	private-dev
42	private-tmp	46	private-tmp


diff --git a/etc/profile-m-z/transmission-gtk.profile b/etc/profile-m-z/transmission-gtk.profile index baa970307..03111ec56 100644 --- a/etc/profile-m-z/transmission-gtk.profile +++ b/etc/profile-m-z/transmission-gtk.profile
@@ -10,6 +10,7 @@ include globals.local
10	include whitelist-runuser-common.inc	10	include whitelist-runuser-common.inc
11		11
12	private-bin transmission-gtk	12	private-bin transmission-gtk
		13	private-cache
13		14
14	ignore memory-deny-write-execute	15	ignore memory-deny-write-execute
15		16