Merge pull request #1367 from SpotComms/mh

Harden profiles
author: Fred Barclay <Fred-Barclay@users.noreply.github.com> 2017-08-02 09:37:20 -0500
committer: GitHub <noreply@github.com> 2017-08-02 09:37:20 -0500
commit: caaac4417bd9b4116681c96fa1127b3f78c33d1d (patch)
tree: 0c1fd52865432943dff536a7679408bec47df683 /etc/xpdf.profile
parent: get_mempolicy syscall was temporarily removed from the default seccomp list. ... (diff)
parent: Fixes (diff)
download: firejail-caaac4417bd9b4116681c96fa1127b3f78c33d1d.tar.gz
firejail-caaac4417bd9b4116681c96fa1127b3f78c33d1d.tar.zst
firejail-caaac4417bd9b4116681c96fa1127b3f78c33d1d.zip
1 files changed, 11 insertions, 2 deletions
diff --git a/etc/xpdf.profile b/etc/xpdf.profile
index 5b3018ce8..ce8cd2459 100644
--- a/etc/xpdf.profile
+++ b/etc/xpdf.profile
@@ -9,17 +9,26 @@ include /etc/firejail/xpdf.local
 # xpdf application profile
 ################################
 noblacklist ${HOME}/.xpdfrc
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
+no3d
+nogroups
 nonewprivs
 noroot
+nosound
+novideo
 protocol unix
-shell none
 seccomp
+shell none
 private-dev
 private-tmp
+noexec ${HOME}
+noexec /tmp
author	Fred Barclay <Fred-Barclay@users.noreply.github.com>	2017-08-02 09:37:20 -0500
committer	GitHub <noreply@github.com>	2017-08-02 09:37:20 -0500
commit	caaac4417bd9b4116681c96fa1127b3f78c33d1d (patch)
tree	0c1fd52865432943dff536a7679408bec47df683 /etc/xpdf.profile
parent	get_mempolicy syscall was temporarily removed from the default seccomp list. ... (diff)
parent	Fixes (diff)
download	firejail-caaac4417bd9b4116681c96fa1127b3f78c33d1d.tar.gz firejail-caaac4417bd9b4116681c96fa1127b3f78c33d1d.tar.zst firejail-caaac4417bd9b4116681c96fa1127b3f78c33d1d.zip

diff --git a/etc/xpdf.profile b/etc/xpdf.profile index 5b3018ce8..ce8cd2459 100644 --- a/etc/xpdf.profile +++ b/etc/xpdf.profile
@@ -9,17 +9,26 @@ include /etc/firejail/xpdf.local
9	# xpdf application profile	9	# xpdf application profile
10	################################	10	################################
11	noblacklist ${HOME}/.xpdfrc	11	noblacklist ${HOME}/.xpdfrc
		12
12	include /etc/firejail/disable-common.inc	13	include /etc/firejail/disable-common.inc
13	include /etc/firejail/disable-programs.inc	14	include /etc/firejail/disable-devel.inc
14	include /etc/firejail/disable-passwdmgr.inc	15	include /etc/firejail/disable-passwdmgr.inc
		16	include /etc/firejail/disable-programs.inc
15		17
16	caps.drop all	18	caps.drop all
17	net none	19	net none
		20	no3d
		21	nogroups
18	nonewprivs	22	nonewprivs
19	noroot	23	noroot
		24	nosound
		25	novideo
20	protocol unix	26	protocol unix
21	shell none
22	seccomp	27	seccomp
		28	shell none
23		29
24	private-dev	30	private-dev
25	private-tmp	31	private-tmp
		32
		33	noexec ${HOME}
		34	noexec /tmp