Merge pull request #1526 from smitsohu/caps

tighten some capability sets further
author: startx2017 <vradu.startx@yandex.com> 2017-09-05 08:13:25 -0400
committer: GitHub <noreply@github.com> 2017-09-05 08:13:25 -0400
commit: 16497087c03e68c46b54247fda6e4e03f8e52d34 (patch)
tree: 7269e726126d1614cc60cc103cfc33466f596496 /etc
parent: Merge pull request #1530 from smitsohu/snap (diff)
parent: wireshark needs cap_dac_override (diff)
download: firejail-16497087c03e68c46b54247fda6e4e03f8e52d34.tar.gz
firejail-16497087c03e68c46b54247fda6e4e03f8e52d34.tar.zst
firejail-16497087c03e68c46b54247fda6e4e03f8e52d34.zip
4 files changed, 5 insertions, 3 deletions
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index a1ccfbe22..86af9c7b3 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -17,7 +17,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps
-# caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot,sys_resource
+# caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
 no3d
 nodvd
 nonewprivs
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile
index ce159c343..d4cd0530e 100644
--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -17,6 +17,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps
+# caps.keep net_admin,net_bind_service,net_raw,setgid,setuid
 no3d
 nodvd
 nonewprivs
diff --git a/etc/unbound.profile b/etc/unbound.profile
index afc903e88..2a38aa7c6 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -17,7 +17,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps
-# caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot,sys_resource
+# caps.keep net_bind_service,setgid,setuid,sys_chroot,sys_resource
 no3d
 nodvd
 nonewprivs
diff --git a/etc/wireshark.profile b/etc/wireshark.profile
index 57f4f2f5b..f1a17ba93 100644
--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -12,7 +12,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
-# caps.drop all
+caps.keep dac_override,net_admin,net_raw
 netfilter
 no3d
 # nogroups - breaks unprivileged wireshark usage
@@ -21,6 +21,7 @@ no3d
 nodvd
 nosound
 notv
+novideo
 # protocol unix,inet,inet6,netlink
 # seccomp - breaks unprivileged wireshark usage
 shell none
author	startx2017 <vradu.startx@yandex.com>	2017-09-05 08:13:25 -0400
committer	GitHub <noreply@github.com>	2017-09-05 08:13:25 -0400
commit	16497087c03e68c46b54247fda6e4e03f8e52d34 (patch)
tree	7269e726126d1614cc60cc103cfc33466f596496 /etc
parent	Merge pull request #1530 from smitsohu/snap (diff)
parent	wireshark needs cap_dac_override (diff)
download	firejail-16497087c03e68c46b54247fda6e4e03f8e52d34.tar.gz firejail-16497087c03e68c46b54247fda6e4e03f8e52d34.tar.zst firejail-16497087c03e68c46b54247fda6e4e03f8e52d34.zip

diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile index a1ccfbe22..86af9c7b3 100644 --- a/etc/dnscrypt-proxy.profile +++ b/etc/dnscrypt-proxy.profile
@@ -17,7 +17,7 @@ include /etc/firejail/disable-passwdmgr.inc
17	include /etc/firejail/disable-programs.inc	17	include /etc/firejail/disable-programs.inc
18		18
19	caps	19	caps
20	# caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot,sys_resource	20	# caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
21	no3d	21	no3d
22	nodvd	22	nodvd
23	nonewprivs	23	nonewprivs


diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile index ce159c343..d4cd0530e 100644 --- a/etc/dnsmasq.profile +++ b/etc/dnsmasq.profile
@@ -17,6 +17,7 @@ include /etc/firejail/disable-passwdmgr.inc
17	include /etc/firejail/disable-programs.inc	17	include /etc/firejail/disable-programs.inc
18		18
19	caps	19	caps
		20	# caps.keep net_admin,net_bind_service,net_raw,setgid,setuid
20	no3d	21	no3d
21	nodvd	22	nodvd
22	nonewprivs	23	nonewprivs


diff --git a/etc/unbound.profile b/etc/unbound.profile index afc903e88..2a38aa7c6 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile
@@ -17,7 +17,7 @@ include /etc/firejail/disable-passwdmgr.inc
17	include /etc/firejail/disable-programs.inc	17	include /etc/firejail/disable-programs.inc
18		18
19	caps	19	caps
20	# caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot,sys_resource	20	# caps.keep net_bind_service,setgid,setuid,sys_chroot,sys_resource
21	no3d	21	no3d
22	nodvd	22	nodvd
23	nonewprivs	23	nonewprivs


diff --git a/etc/wireshark.profile b/etc/wireshark.profile index 57f4f2f5b..f1a17ba93 100644 --- a/etc/wireshark.profile +++ b/etc/wireshark.profile
@@ -12,7 +12,7 @@ include /etc/firejail/disable-devel.inc
12	include /etc/firejail/disable-passwdmgr.inc	12	include /etc/firejail/disable-passwdmgr.inc
13	include /etc/firejail/disable-programs.inc	13	include /etc/firejail/disable-programs.inc
14		14
15	# caps.drop all	15	caps.keep dac_override,net_admin,net_raw
16	netfilter	16	netfilter
17	no3d	17	no3d
18	# nogroups - breaks unprivileged wireshark usage	18	# nogroups - breaks unprivileged wireshark usage
@@ -21,6 +21,7 @@ no3d
21	nodvd	21	nodvd
22	nosound	22	nosound
23	notv	23	notv
		24	novideo
24	# protocol unix,inet,inet6,netlink	25	# protocol unix,inet,inet6,netlink
25	# seccomp - breaks unprivileged wireshark usage	26	# seccomp - breaks unprivileged wireshark usage
26	shell none	27	shell none