Harden profiles

- Added 'disable-devel.conf' to many profiles - Added 'disable-mnt' to many profiles - Added 'noexec' to many profiles - Removed 'netfilter' and 'net none' from profiles with 'protocol unix' - Cleaned up profiles using defaults
author: Tad <tad@spotco.us> 2017-07-05 09:40:54 -0400
committer: Tad <tad@spotco.us> 2017-08-02 00:13:42 -0400
commit: 0dba38435ef92ccc01cc9ff23b69df55489ec983 (patch)
tree: dfd1d8db02f579183fa77acdbde9aa315596220f /etc/psi-plus.profile
parent: x11/xpra support (diff)
download: firejail-0dba38435ef92ccc01cc9ff23b69df55489ec983.tar.gz
firejail-0dba38435ef92ccc01cc9ff23b69df55489ec983.tar.zst
firejail-0dba38435ef92ccc01cc9ff23b69df55489ec983.zip
1 files changed, 15 insertions, 1 deletions
diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile
index e3ffad9a1..9500731fe 100644
--- a/etc/psi-plus.profile
+++ b/etc/psi-plus.profile
@@ -8,7 +8,9 @@ include /etc/firejail/psi-plus.local
 # Firejail profile for Psi+
 noblacklist ${HOME}/.config/psi+
 noblacklist ${HOME}/.local/share/psi+
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -20,10 +22,22 @@ whitelist ~/.local/share/psi+
 mkdir ~/.cache/psi+
 whitelist ~/.cache/psi+
+include /etc/firejail/whitelist-common.inc
 caps.drop all
 netfilter
+no3d
+nogroups
+nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 seccomp
+shell none
-include /etc/firejail/whitelist-common.inc
+private-dev
+private-tmp
+disable-mnt
+noexec ${HOME}
+noexec /tmp
author	Tad <tad@spotco.us>	2017-07-05 09:40:54 -0400
committer	Tad <tad@spotco.us>	2017-08-02 00:13:42 -0400
commit	0dba38435ef92ccc01cc9ff23b69df55489ec983 (patch)
tree	dfd1d8db02f579183fa77acdbde9aa315596220f /etc/psi-plus.profile
parent	x11/xpra support (diff)
download	firejail-0dba38435ef92ccc01cc9ff23b69df55489ec983.tar.gz firejail-0dba38435ef92ccc01cc9ff23b69df55489ec983.tar.zst firejail-0dba38435ef92ccc01cc9ff23b69df55489ec983.zip

diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile index e3ffad9a1..9500731fe 100644 --- a/etc/psi-plus.profile +++ b/etc/psi-plus.profile
@@ -8,7 +8,9 @@ include /etc/firejail/psi-plus.local
8	# Firejail profile for Psi+	8	# Firejail profile for Psi+
9	noblacklist ${HOME}/.config/psi+	9	noblacklist ${HOME}/.config/psi+
10	noblacklist ${HOME}/.local/share/psi+	10	noblacklist ${HOME}/.local/share/psi+
		11
11	include /etc/firejail/disable-common.inc	12	include /etc/firejail/disable-common.inc
		13	include /etc/firejail/disable-devel.inc
12	include /etc/firejail/disable-programs.inc	14	include /etc/firejail/disable-programs.inc
13	include /etc/firejail/disable-passwdmgr.inc	15	include /etc/firejail/disable-passwdmgr.inc
14		16
@@ -20,10 +22,22 @@ whitelist ~/.local/share/psi+
20	mkdir ~/.cache/psi+	22	mkdir ~/.cache/psi+
21	whitelist ~/.cache/psi+	23	whitelist ~/.cache/psi+
22		24
		25	include /etc/firejail/whitelist-common.inc
		26
23	caps.drop all	27	caps.drop all
24	netfilter	28	netfilter
		29	no3d
		30	nogroups
		31	nonewprivs
25	noroot	32	noroot
		33	novideo
26	protocol unix,inet,inet6	34	protocol unix,inet,inet6
27	seccomp	35	seccomp
		36	shell none
28		37
29	include /etc/firejail/whitelist-common.inc	38	private-dev
		39	private-tmp
		40	disable-mnt
		41
		42	noexec ${HOME}
		43	noexec /tmp