Harden some profiles

author: Tad <tad@spotco.us> 2017-04-15 08:57:13 -0400
committer: Tad <tad@spotco.us> 2017-04-15 15:25:08 -0400
commit: 90cd669eba680369c6ba8d96af194b70c8cc8706 (patch)
tree: 31c4d14fa5b56003b9898c8e6d19f03b7d91b091 /etc
parent: noblacklist .config/qt5ct (part 1) (diff)
download: firejail-90cd669eba680369c6ba8d96af194b70c8cc8706.tar.gz
firejail-90cd669eba680369c6ba8d96af194b70c8cc8706.tar.zst
firejail-90cd669eba680369c6ba8d96af194b70c8cc8706.zip
7 files changed, 77 insertions, 4 deletions
diff --git a/etc/bless.profile b/etc/bless.profile
index b8325de39..08a756989 100644
--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -18,7 +18,19 @@ include /etc/firejail/disable-devel.inc
 #Options
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
-protocol unix,inet,inet6
+protocol unix           
 seccomp
+shell none
+private-dev
+private-etc fonts,mono
+private-tmp
+noexec ${HOME}
+noexec /tmp
+no3d
+nosound
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
index 2ba1a4380..25b7b5bb1 100644
--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -17,7 +17,18 @@ include /etc/firejail/disable-devel.inc
 #Options
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
-protocol unix,inet,inet6
+#protocol unix
 seccomp
+shell none
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
+no3d
+nosound
diff --git a/etc/lollypop.profile b/etc/lollypop.profile
index 06ed415d6..4b51f69b0 100644
--- a/etc/lollypop.profile
+++ b/etc/lollypop.profile
@@ -18,7 +18,18 @@ include /etc/firejail/disable-devel.inc
 #Options
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
+private-dev
+private-etc fonts
+private-tmp
+noexec ${HOME}
+noexec /tmp
+no3d
diff --git a/etc/multimc5.profile b/etc/multimc5.profile
index 6b8946be3..8a6211984 100644
--- a/etc/multimc5.profile
+++ b/etc/multimc5.profile
@@ -26,6 +26,15 @@ include /etc/firejail/whitelist-common.inc
 #Options
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
-protocol unix,inet,inet6
+#protocol unix,inet,inet6
+seccomp
+shell none
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
index 37adabb39..92bad8751 100644
--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -15,7 +15,18 @@ include /etc/firejail/disable-devel.inc
 #Options
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
-protocol unix,inet,inet6
+#protocol unix,inet,inet6
 seccomp
+shell none
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
+no3d
+#nosound
diff --git a/etc/pithos.profile b/etc/pithos.profile
index 500e35989..beb76909f 100644
--- a/etc/pithos.profile
+++ b/etc/pithos.profile
@@ -17,7 +17,17 @@ include /etc/firejail/whitelist-common.inc
 #Options
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
+no3d
diff --git a/etc/xonotic.profile b/etc/xonotic.profile
index f2690c6c3..6bfb26484 100644
--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -23,7 +23,16 @@ include /etc/firejail/whitelist-common.inc
 #Options
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
+private-bin xonotic-sdl,xonotic-glx,blind-id
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
author	Tad <tad@spotco.us>	2017-04-15 08:57:13 -0400
committer	Tad <tad@spotco.us>	2017-04-15 15:25:08 -0400
commit	90cd669eba680369c6ba8d96af194b70c8cc8706 (patch)
tree	31c4d14fa5b56003b9898c8e6d19f03b7d91b091 /etc
parent	noblacklist .config/qt5ct (part 1) (diff)
download	firejail-90cd669eba680369c6ba8d96af194b70c8cc8706.tar.gz firejail-90cd669eba680369c6ba8d96af194b70c8cc8706.tar.zst firejail-90cd669eba680369c6ba8d96af194b70c8cc8706.zip

diff --git a/etc/bless.profile b/etc/bless.profile index b8325de39..08a756989 100644 --- a/etc/bless.profile +++ b/etc/bless.profile
@@ -18,7 +18,19 @@ include /etc/firejail/disable-devel.inc
18	#Options	18	#Options
19	caps.drop all	19	caps.drop all
20	netfilter	20	netfilter
		21	nogroups
21	nonewprivs	22	nonewprivs
22	noroot	23	noroot
23	protocol unix,inet,inet6	24	protocol unix
24	seccomp	25	seccomp
		26	shell none
		27
		28	private-dev
		29	private-etc fonts,mono
		30	private-tmp
		31
		32	noexec ${HOME}
		33	noexec /tmp
		34
		35	no3d
		36	nosound


diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile index 2ba1a4380..25b7b5bb1 100644 --- a/etc/jd-gui.profile +++ b/etc/jd-gui.profile
@@ -17,7 +17,18 @@ include /etc/firejail/disable-devel.inc
17	#Options	17	#Options
18	caps.drop all	18	caps.drop all
19	netfilter	19	netfilter
		20	nogroups
20	nonewprivs	21	nonewprivs
21	noroot	22	noroot
22	protocol unix,inet,inet6	23	#protocol unix
23	seccomp	24	seccomp
		25	shell none
		26
		27	private-dev
		28	private-tmp
		29
		30	noexec ${HOME}
		31	noexec /tmp
		32
		33	no3d
		34	nosound


diff --git a/etc/lollypop.profile b/etc/lollypop.profile index 06ed415d6..4b51f69b0 100644 --- a/etc/lollypop.profile +++ b/etc/lollypop.profile
@@ -18,7 +18,18 @@ include /etc/firejail/disable-devel.inc
18	#Options	18	#Options
19	caps.drop all	19	caps.drop all
20	netfilter	20	netfilter
		21	nogroups
21	nonewprivs	22	nonewprivs
22	noroot	23	noroot
23	protocol unix,inet,inet6	24	protocol unix,inet,inet6
24	seccomp	25	seccomp
		26	shell none
		27
		28	private-dev
		29	private-etc fonts
		30	private-tmp
		31
		32	noexec ${HOME}
		33	noexec /tmp
		34
		35	no3d


diff --git a/etc/multimc5.profile b/etc/multimc5.profile index 6b8946be3..8a6211984 100644 --- a/etc/multimc5.profile +++ b/etc/multimc5.profile
@@ -26,6 +26,15 @@ include /etc/firejail/whitelist-common.inc
26	#Options	26	#Options
27	caps.drop all	27	caps.drop all
28	netfilter	28	netfilter
		29	nogroups
29	nonewprivs	30	nonewprivs
30	noroot	31	noroot
31	protocol unix,inet,inet6	32	#protocol unix,inet,inet6
		33	seccomp
		34	shell none
		35
		36	private-dev
		37	private-tmp
		38
		39	noexec ${HOME}
		40	noexec /tmp


diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile index 37adabb39..92bad8751 100644 --- a/etc/pdfsam.profile +++ b/etc/pdfsam.profile
@@ -15,7 +15,18 @@ include /etc/firejail/disable-devel.inc
15	#Options	15	#Options
16	caps.drop all	16	caps.drop all
17	netfilter	17	netfilter
		18	nogroups
18	nonewprivs	19	nonewprivs
19	noroot	20	noroot
20	protocol unix,inet,inet6	21	#protocol unix,inet,inet6
21	seccomp	22	seccomp
		23	shell none
		24
		25	private-dev
		26	private-tmp
		27
		28	noexec ${HOME}
		29	noexec /tmp
		30
		31	no3d
		32	#nosound


diff --git a/etc/pithos.profile b/etc/pithos.profile index 500e35989..beb76909f 100644 --- a/etc/pithos.profile +++ b/etc/pithos.profile
@@ -17,7 +17,17 @@ include /etc/firejail/whitelist-common.inc
17	#Options	17	#Options
18	caps.drop all	18	caps.drop all
19	netfilter	19	netfilter
		20	nogroups
20	nonewprivs	21	nonewprivs
21	noroot	22	noroot
22	protocol unix,inet,inet6	23	protocol unix,inet,inet6
23	seccomp	24	seccomp
		25	shell none
		26
		27	private-dev
		28	private-tmp
		29
		30	noexec ${HOME}
		31	noexec /tmp
		32
		33	no3d


diff --git a/etc/xonotic.profile b/etc/xonotic.profile index f2690c6c3..6bfb26484 100644 --- a/etc/xonotic.profile +++ b/etc/xonotic.profile
@@ -23,7 +23,16 @@ include /etc/firejail/whitelist-common.inc
23	#Options	23	#Options
24	caps.drop all	24	caps.drop all
25	netfilter	25	netfilter
		26	nogroups
26	nonewprivs	27	nonewprivs
27	noroot	28	noroot
28	protocol unix,inet,inet6	29	protocol unix,inet,inet6
29	seccomp	30	seccomp
		31	shell none
		32
		33	private-bin xonotic-sdl,xonotic-glx,blind-id
		34	private-dev
		35	private-tmp
		36
		37	noexec ${HOME}
		38	noexec /tmp