Hardening compressors (#2594)

* Harden atool * Harden cpio * Fix ordering in private-* options * Harden gzip * Harden tar * Harden bsdtar * Harden+ tar * Harden+ gzip * Harden+ cpio * Create bzip2.profile * Description for bunzip2 * Add bzip2/bunzip2 to firecfg
author: glitsj16 <glitsj16@users.noreply.github.com> 2019-03-14 12:01:43 +0000
committer: GitHub <noreply@github.com> 2019-03-14 12:01:43 +0000
commit: 097aba97d8cb0a848f1f21018f65c58d48ef3cb2 (patch)
tree: bb5159f2651680606ccf7208dd4f48e1add373fe /etc/tar.profile
parent: Fixes for seahorse/seahorse-tool (#2592) (diff)
download: firejail-097aba97d8cb0a848f1f21018f65c58d48ef3cb2.tar.gz
firejail-097aba97d8cb0a848f1f21018f65c58d48ef3cb2.tar.zst
firejail-097aba97d8cb0a848f1f21018f65c58d48ef3cb2.zip
1 files changed, 12 insertions, 1 deletions
diff --git a/etc/tar.profile b/etc/tar.profile
index e1cfe9c80..14fc00d21 100644
--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -10,12 +10,20 @@ include tar.local
 blacklist /tmp/.X11-unix
-hostname tar
+include disable-exec.inc
+include disable-interpreters.inc
 ignore noroot
+apparmor
+hostname tar
+ipc-namespace
+machine-id
 net none
 no3d
 nodbus
 nodvd
+nogroups
 nosound
 notv
 nou2f
@@ -25,10 +33,13 @@ tracelog
 # support compressed archives
 private-bin sh,bash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop
+private-cache
 private-dev
 private-etc alternatives,passwd,group,localtime
 private-lib libfakeroot
+memory-deny-write-execute
 # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
 writable-var
author	glitsj16 <glitsj16@users.noreply.github.com>	2019-03-14 12:01:43 +0000
committer	GitHub <noreply@github.com>	2019-03-14 12:01:43 +0000
commit	097aba97d8cb0a848f1f21018f65c58d48ef3cb2 (patch)
tree	bb5159f2651680606ccf7208dd4f48e1add373fe /etc/tar.profile
parent	Fixes for seahorse/seahorse-tool (#2592) (diff)
download	firejail-097aba97d8cb0a848f1f21018f65c58d48ef3cb2.tar.gz firejail-097aba97d8cb0a848f1f21018f65c58d48ef3cb2.tar.zst firejail-097aba97d8cb0a848f1f21018f65c58d48ef3cb2.zip

diff --git a/etc/tar.profile b/etc/tar.profile index e1cfe9c80..14fc00d21 100644 --- a/etc/tar.profile +++ b/etc/tar.profile
@@ -10,12 +10,20 @@ include tar.local
10		10
11	blacklist /tmp/.X11-unix	11	blacklist /tmp/.X11-unix
12		12
13	hostname tar	13	include disable-exec.inc
		14	include disable-interpreters.inc
		15
14	ignore noroot	16	ignore noroot
		17
		18	apparmor
		19	hostname tar
		20	ipc-namespace
		21	machine-id
15	net none	22	net none
16	no3d	23	no3d
17	nodbus	24	nodbus
18	nodvd	25	nodvd
		26	nogroups
19	nosound	27	nosound
20	notv	28	notv
21	nou2f	29	nou2f
@@ -25,10 +33,13 @@ tracelog
25		33
26	# support compressed archives	34	# support compressed archives
27	private-bin sh,bash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop	35	private-bin sh,bash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop
		36	private-cache
28	private-dev	37	private-dev
29	private-etc alternatives,passwd,group,localtime	38	private-etc alternatives,passwd,group,localtime
30	private-lib libfakeroot	39	private-lib libfakeroot
31		40
		41	memory-deny-write-execute
		42
32	# Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)	43	# Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
33	writable-var	44	writable-var
34		45