Merge pull request #1367 from SpotComms/mh

Harden profiles
author: Fred Barclay <Fred-Barclay@users.noreply.github.com> 2017-08-02 09:37:20 -0500
committer: GitHub <noreply@github.com> 2017-08-02 09:37:20 -0500
commit: caaac4417bd9b4116681c96fa1127b3f78c33d1d (patch)
tree: 0c1fd52865432943dff536a7679408bec47df683 /etc/ristretto.profile
parent: get_mempolicy syscall was temporarily removed from the default seccomp list. ... (diff)
parent: Fixes (diff)
download: firejail-caaac4417bd9b4116681c96fa1127b3f78c33d1d.tar.gz
firejail-caaac4417bd9b4116681c96fa1127b3f78c33d1d.tar.zst
firejail-caaac4417bd9b4116681c96fa1127b3f78c33d1d.zip
1 files changed, 12 insertions, 10 deletions
diff --git a/etc/ristretto.profile b/etc/ristretto.profile
index ca4b1a64d..3d3491658 100644
--- a/etc/ristretto.profile
+++ b/etc/ristretto.profile
@@ -10,22 +10,24 @@ noblacklist ~/.Steam
 noblacklist ~/.steam
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
-protocol unix,inet,inet6
+nosound
+novideo
+protocol unix
 seccomp
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
 shell none
-# private-bin program
-# private-etc none
 private-dev
-# private-tmp
+private-tmp
+noexec ${HOME}
+noexec /tmp
author	Fred Barclay <Fred-Barclay@users.noreply.github.com>	2017-08-02 09:37:20 -0500
committer	GitHub <noreply@github.com>	2017-08-02 09:37:20 -0500
commit	caaac4417bd9b4116681c96fa1127b3f78c33d1d (patch)
tree	0c1fd52865432943dff536a7679408bec47df683 /etc/ristretto.profile
parent	get_mempolicy syscall was temporarily removed from the default seccomp list. ... (diff)
parent	Fixes (diff)
download	firejail-caaac4417bd9b4116681c96fa1127b3f78c33d1d.tar.gz firejail-caaac4417bd9b4116681c96fa1127b3f78c33d1d.tar.zst firejail-caaac4417bd9b4116681c96fa1127b3f78c33d1d.zip

diff --git a/etc/ristretto.profile b/etc/ristretto.profile index ca4b1a64d..3d3491658 100644 --- a/etc/ristretto.profile +++ b/etc/ristretto.profile
@@ -10,22 +10,24 @@ noblacklist ~/.Steam
10	noblacklist ~/.steam	10	noblacklist ~/.steam
11		11
12	include /etc/firejail/disable-common.inc	12	include /etc/firejail/disable-common.inc
13	include /etc/firejail/disable-programs.inc	13	include /etc/firejail/disable-devel.inc
14	include /etc/firejail/disable-passwdmgr.inc	14	include /etc/firejail/disable-passwdmgr.inc
		15	include /etc/firejail/disable-programs.inc
15		16
16	caps.drop all	17	caps.drop all
17	netfilter	18	netfilter
		19	no3d
		20	nogroups
18	nonewprivs	21	nonewprivs
19	noroot	22	noroot
20	protocol unix,inet,inet6	23	nosound
		24	novideo
		25	protocol unix
21	seccomp	26	seccomp
22
23	#
24	# depending on your usage, you can enable some of the commands below:
25	#
26	nogroups
27	shell none	27	shell none
28	# private-bin program	28
29	# private-etc none
30	private-dev	29	private-dev
31	# private-tmp	30	private-tmp
		31
		32	noexec ${HOME}
		33	noexec /tmp