Harden gnome-logs.profile (#2461)

author: glitsj16 <glitsj16@users.noreply.github.com> 2019-02-24 21:43:33 +0000
committer: GitHub <noreply@github.com> 2019-02-24 21:43:33 +0000
commit: a1d92b15fef9dfa5f75b7caa97304e6d1ca93a9c (patch)
tree: 5c7003eb2c79f9e46b9e719875b089c86cfc3848 /etc
parent: Harden gnome-calculator.profile (#2460) (diff)
download: firejail-a1d92b15fef9dfa5f75b7caa97304e6d1ca93a9c.tar.gz
firejail-a1d92b15fef9dfa5f75b7caa97304e6d1ca93a9c.tar.zst
firejail-a1d92b15fef9dfa5f75b7caa97304e6d1ca93a9c.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/etc/gnome-logs.profile b/etc/gnome-logs.profile
index c429c7697..9ea4fb9f6 100644
--- a/etc/gnome-logs.profile
+++ b/etc/gnome-logs.profile
@@ -16,7 +16,9 @@ include disable-xdg.inc
 whitelist /var/log/journal
 include whitelist-var-common.inc
+apparmor
 caps.drop all
+ipc-namespace
 net none
 no3d
 nodbus
@@ -36,11 +38,16 @@ shell none
 disable-mnt
 private-bin gnome-logs
+private-cache
 private-dev
 private-etc alternatives,fonts,localtime,machine-id
 private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
 writable-var-log
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
+# comment this if you export logs to a file in your ${HOME}
+read-only ${HOME}
author	glitsj16 <glitsj16@users.noreply.github.com>	2019-02-24 21:43:33 +0000
committer	GitHub <noreply@github.com>	2019-02-24 21:43:33 +0000
commit	a1d92b15fef9dfa5f75b7caa97304e6d1ca93a9c (patch)
tree	5c7003eb2c79f9e46b9e719875b089c86cfc3848 /etc
parent	Harden gnome-calculator.profile (#2460) (diff)
download	firejail-a1d92b15fef9dfa5f75b7caa97304e6d1ca93a9c.tar.gz firejail-a1d92b15fef9dfa5f75b7caa97304e6d1ca93a9c.tar.zst firejail-a1d92b15fef9dfa5f75b7caa97304e6d1ca93a9c.zip

diff --git a/etc/gnome-logs.profile b/etc/gnome-logs.profile index c429c7697..9ea4fb9f6 100644 --- a/etc/gnome-logs.profile +++ b/etc/gnome-logs.profile
@@ -16,7 +16,9 @@ include disable-xdg.inc
16	whitelist /var/log/journal	16	whitelist /var/log/journal
17	include whitelist-var-common.inc	17	include whitelist-var-common.inc
18		18
		19	apparmor
19	caps.drop all	20	caps.drop all
		21	ipc-namespace
20	net none	22	net none
21	no3d	23	no3d
22	nodbus	24	nodbus
@@ -36,11 +38,16 @@ shell none
36		38
37	disable-mnt	39	disable-mnt
38	private-bin gnome-logs	40	private-bin gnome-logs
		41	private-cache
39	private-dev	42	private-dev
40	private-etc alternatives,fonts,localtime,machine-id	43	private-etc alternatives,fonts,localtime,machine-id
41	private-lib gdk-pixbuf-2.,gio,gvfs/libgvfscommon.so,libgconf-2.so.,librsvg-2.so.*	44	private-lib gdk-pixbuf-2.,gio,gvfs/libgvfscommon.so,libgconf-2.so.,librsvg-2.so.*
42	private-tmp	45	private-tmp
43	writable-var-log	46	writable-var-log
44		47
		48	memory-deny-write-execute
45	noexec ${HOME}	49	noexec ${HOME}
46	noexec /tmp	50	noexec /tmp
		51
		52	# comment this if you export logs to a file in your ${HOME}
		53	read-only ${HOME}