diff options
| author |  glitsj16 <glitsj16@users.noreply.github.com> | 2023-07-22 12:37:24 +0000 |
|---|---|---|
| committer |  GitHub <noreply@github.com> | 2023-07-22 12:37:24 +0000 |
| commit | 9057fd7a5e80268d68dc7b10852120f9cc7df2a6 (patch) | |
| tree | 95eb52f4cd417c2a4b80fae65827d3fa8998cf66 /etc/profile-m-z | |
| parent | firefox-common-addons.profile: restore vulkan whitelist (diff) | |
| download | firejail-9057fd7a5e80268d68dc7b10852120f9cc7df2a6.tar.gz firejail-9057fd7a5e80268d68dc7b10852120f9cc7df2a6.tar.zst firejail-9057fd7a5e80268d68dc7b10852120f9cc7df2a6.zip | |
torbrowser-launcher: hardening (#5886)
torbrowser-launcher: more hardening as per review
torbrowser-launcher: revert enabling restrict-namespaces
Suggested in review by @rusty-snake.
Diffstat (limited to 'etc/profile-m-z')
| -rw-r--r-- | etc/profile-m-z/torbrowser-launcher.profile | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/etc/profile-m-z/torbrowser-launcher.profile b/etc/profile-m-z/torbrowser-launcher.profile index 41ac6f7a7..86746c7f1 100644 --- a/etc/profile-m-z/torbrowser-launcher.profile +++ b/etc/profile-m-z/torbrowser-launcher.profile | |||
| @@ -22,6 +22,7 @@ include disable-common.inc | |||
| 22 | include disable-devel.inc | 22 | include disable-devel.inc |
| 23 | include disable-exec.inc | 23 | include disable-exec.inc |
| 24 | include disable-interpreters.inc | 24 | include disable-interpreters.inc |
| 25 | include disable-proc.inc | ||
| 25 | include disable-programs.inc | 26 | include disable-programs.inc |
| 26 | include disable-xdg.inc | 27 | include disable-xdg.inc |
| 27 | 28 | ||
| @@ -33,9 +34,10 @@ whitelist ${HOME}/.local/share/torbrowser | |||
| 33 | whitelist /opt/tor-browser | 34 | whitelist /opt/tor-browser |
| 34 | whitelist /usr/share/torbrowser-launcher | 35 | whitelist /usr/share/torbrowser-launcher |
| 35 | include whitelist-common.inc | 36 | include whitelist-common.inc |
| 36 | include whitelist-var-common.inc | 37 | include whitelist-run-common.inc |
| 37 | include whitelist-runuser-common.inc | 38 | include whitelist-runuser-common.inc |
| 38 | include whitelist-usr-share-common.inc | 39 | include whitelist-usr-share-common.inc |
| 40 | include whitelist-var-common.inc | ||
| 39 | 41 | ||
| 40 | # Add 'apparmor' to your torbrowser-launcher.local to enable AppArmor support. | 42 | # Add 'apparmor' to your torbrowser-launcher.local to enable AppArmor support. |
| 41 | # IMPORTANT: the relevant rule in /etc/apparmor.d/local/firejail-default will need | 43 | # IMPORTANT: the relevant rule in /etc/apparmor.d/local/firejail-default will need |
| @@ -53,12 +55,14 @@ nou2f | |||
| 53 | novideo | 55 | novideo |
| 54 | protocol unix,inet,inet6 | 56 | protocol unix,inet,inet6 |
| 55 | seccomp !chroot | 57 | seccomp !chroot |
| 58 | seccomp.block-secondary | ||
| 56 | #tracelog - may cause issues, see #1930 | 59 | #tracelog - may cause issues, see #1930 |
| 57 | 60 | ||
| 58 | disable-mnt | 61 | disable-mnt |
| 59 | private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity | 62 | private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity |
| 60 | private-dev | 63 | private-dev |
| 61 | private-etc @tls-ca | 64 | private-etc @tls-ca |
| 65 | #private-opt tor-browser - can cause slow startup | ||
| 62 | private-tmp | 66 | private-tmp |
| 63 | 67 | ||
| 64 | dbus-user none | 68 | dbus-user none |