author | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2021-04-30 10:34:38 +0200 |
---|---|---|
committer | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2021-04-30 10:34:47 +0200 |
commit | a9c1a56bc21c6f583292f0f543673730c5737c1b (patch) | |
tree | 7eb5e5d77e47c9665782fd8e27d0bfaf91582f07 /etc/profile-m-z | |
parent | Merge pull request #4219 from Neo00001/master (diff) | |
Harden some game profiles
Diffstat (limited to 'etc/profile-m-z')
-rw-r--r-- | etc/profile-m-z/mrrescue.profile | 6 | ||||
-rw-r--r-- | etc/profile-m-z/neverball.profile | 16 | ||||
-rw-r--r-- | etc/profile-m-z/pingus.profile | 4 | ||||
-rw-r--r-- | etc/profile-m-z/supertux2.profile | 3 |
4 files changed, 27 insertions, 2 deletions
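--- a/etc/profile-m-z/mrrescue.profile
+++ b/etc/profile-m-z/mrrescue.profile
@@ -8,18 +8,23 @@ include globals.local
 
 noblacklist ${HOME}/.local/share/love
 
+include allow-bin-sh.inc
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/love
 whitelist ${HOME}/.local/share/love
 whitelist /usr/share/mrrescue
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -35,6 +40,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 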
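Review bot: The new `include allow-bin-sh.inc` and `include allow-lua.inc` lines re-open /bin/sh and the Lua interpreter in a profile that, in the same hunk, also adds `include disable-shell.inc` on top of the existing disable-interpreters.inc, and nothing in the hunk records why that exception is required. A one-line comment above them in the form other profiles use, e.g. `# Allow /bin/sh and lua (blacklisted by disable-shell.inc and disable-interpreters.inc)`, would stop a later hardening pass from dropping them. Presumably the game is launched through a shell wrapper and runs on a Lua engine, but that is inferred from the include names, not visible here — confirm before wording the comment. The same missing rationale applies to the `include allow-bin-sh.inc` added in pingus.profile.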
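--- a/etc/profile-m-z/neverball.profile
+++ b/etc/profile-m-z/neverball.profile
@@ -14,13 +14,19 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.neverball
 whitelist ${HOME}/.neverball
+whitelist /usr/share/neverball
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
-netfilter
+net none
 nodvd
 nogroups
 nonewprivs
@@ -28,12 +34,18 @@ noroot
 notv
 nou2f
 novideo
-protocol unix,netlink
+protocol unix
 seccomp
+seccomp.block-secondary
 shell none
+tracelog
 
 disable-mnt
 private-bin neverball
+private-cache
 private-dev
+private-etc alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,fonts,machine-id
 private-tmp
 
+dbus-user none
+dbus-system none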
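Review bot: The new `private-etc` line ends in `locale,fonts,machine-id`, which breaks the alphabetical order the rest of the list follows (`alternatives,ld.so.cache,ld.so.conf,...`); reorder it to `private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,machine-id` so future additions have an obvious slot. The same section also replaces `netfilter` with `net none` and narrows `protocol unix,netlink` to `protocol unix`, so it is worth confirming that the game has no optional network feature the old firewall line was accommodating, and that sound still works with no audio-server configuration present under the new minimal /etc — neither is visible from the hunk.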
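--- a/etc/profile-m-z/pingus.profile
+++ b/etc/profile-m-z/pingus.profile
@@ -8,12 +8,15 @@ include globals.local
 
 noblacklist ${HOME}/.pingus
 
+include allow-bin-sh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.pingus
@@ -36,6 +39,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 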
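--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/supertux2
@@ -42,6 +43,8 @@ tracelog
 
 disable-mnt
 # private-bin supertux2
+private-cache
+private-etc machine-id
 private-dev
 private-tmp
 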
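Review bot: `private-etc machine-id` leaves the sandbox with an /etc that holds only machine-id, while neverball.profile in the same commit gives a comparable game the loader (`ld.so.*`), `locale` and `fonts` entries; the two lists take opposite approaches with nothing in the hunk explaining the difference. If the one-entry list is known to be sufficient for supertux2, a comment such as `# only machine-id is needed in /etc` above the line would record that; otherwise align it with the neverball list. Whether the game reads fonts or locale data from /etc is not visible here, so this should be tested rather than assumed.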