misc profile fixups and hardening

author: rusty-snake <print_hello_world+Public@protonmail.com> 2020-01-08 14:46:03 +0100
committer: rusty-snake <print_hello_world+Public@protonmail.com> 2020-01-08 14:46:26 +0100
commit: 105dce9bba1136484251daf645e578d64366bbed (patch)
tree: b87b8cc22f56a7a51f294be32cebdfa50da60595 /etc
parent: Merge pull request #3102 from kris7t/dhcp-client (diff)
download: firejail-105dce9bba1136484251daf645e578d64366bbed.tar.gz
firejail-105dce9bba1136484251daf645e578d64366bbed.tar.zst
firejail-105dce9bba1136484251daf645e578d64366bbed.zip
6 files changed, 13 insertions, 1 deletions
diff --git a/etc/celluloid.profile b/etc/celluloid.profile
index ab68c7f13..5a3bf0008 100644
--- a/etc/celluloid.profile
+++ b/etc/celluloid.profile
@@ -29,7 +29,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-# nodbus -- uses dconf
+# nodbus -- uses dconf, MPRIS
 nogroups
 nonewprivs
 noroot
diff --git a/etc/curl.profile b/etc/curl.profile
index 2624e5545..679f5a152 100644
--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -33,6 +33,7 @@ novideo
 protocol inet,inet6
 seccomp
 shell none
+tracelog
 # private-bin curl
 private-cache
diff --git a/etc/gimp.profile b/etc/gimp.profile
index 5c0631eb2..94035bc02 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -21,6 +21,7 @@ noblacklist ${PICTURES}
 include disable-common.inc
 include disable-exec.inc
+include disable-devel.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
diff --git a/etc/midori.profile b/etc/midori.profile
index ffae4919f..e11e2acaa 100644
--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -9,6 +9,7 @@ include globals.local
 # noexec ${HOME} breaks DRM binaries.
 ?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
+noblacklist ${HOME}/.cache/midori
 noblacklist ${HOME}/.config/midori
 noblacklist ${HOME}/.local/share/midori
 # noblacklist ${HOME}/.local/share/webkit
@@ -16,11 +17,17 @@ noblacklist ${HOME}/.local/share/midori
 noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
+noblacklist ${HOME}/.cache/gnome-mplayer
+noblacklist ${HOME}/.config/gnome-mplayer
+noblacklist ${HOME}/.lastpass
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+#include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 mkdir ${HOME}/.cache/midori
 mkdir ${HOME}/.config/midori
diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile
index e9572d914..f8448f514 100644
--- a/etc/pdftotext.profile
+++ b/etc/pdftotext.profile
@@ -22,6 +22,7 @@ include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 caps.drop all
+ipc-namespace
 machine-id
 net none
 no3d
@@ -41,6 +42,7 @@ tracelog
 x11 none
 private-bin pdftotext
+private-cache
 private-dev
 private-etc alternatives
 private-tmp
diff --git a/etc/shotcut.profile b/etc/shotcut.profile
index 5b3c5439d..072cc2c0d 100644
--- a/etc/shotcut.profile
+++ b/etc/shotcut.profile
@@ -29,6 +29,7 @@ nou2f
 protocol unix
 seccomp
 shell none
+tracelog
 #private-bin melt,nice,qmelt,shotcut
 private-cache
author	rusty-snake <print_hello_world+Public@protonmail.com>	2020-01-08 14:46:03 +0100
committer	rusty-snake <print_hello_world+Public@protonmail.com>	2020-01-08 14:46:26 +0100
commit	105dce9bba1136484251daf645e578d64366bbed (patch)
tree	b87b8cc22f56a7a51f294be32cebdfa50da60595 /etc
parent	Merge pull request #3102 from kris7t/dhcp-client (diff)
download	firejail-105dce9bba1136484251daf645e578d64366bbed.tar.gz firejail-105dce9bba1136484251daf645e578d64366bbed.tar.zst firejail-105dce9bba1136484251daf645e578d64366bbed.zip

diff --git a/etc/celluloid.profile b/etc/celluloid.profile index ab68c7f13..5a3bf0008 100644 --- a/etc/celluloid.profile +++ b/etc/celluloid.profile
@@ -29,7 +29,7 @@ include whitelist-var-common.inc
29	apparmor	29	apparmor
30	caps.drop all	30	caps.drop all
31	netfilter	31	netfilter
32	# nodbus -- uses dconf	32	# nodbus -- uses dconf, MPRIS
33	nogroups	33	nogroups
34	nonewprivs	34	nonewprivs
35	noroot	35	noroot


diff --git a/etc/curl.profile b/etc/curl.profile index 2624e5545..679f5a152 100644 --- a/etc/curl.profile +++ b/etc/curl.profile
@@ -33,6 +33,7 @@ novideo
33	protocol inet,inet6	33	protocol inet,inet6
34	seccomp	34	seccomp
35	shell none	35	shell none
		36	tracelog
36		37
37	# private-bin curl	38	# private-bin curl
38	private-cache	39	private-cache


diff --git a/etc/gimp.profile b/etc/gimp.profile index 5c0631eb2..94035bc02 100644 --- a/etc/gimp.profile +++ b/etc/gimp.profile
@@ -21,6 +21,7 @@ noblacklist ${PICTURES}
21		21
22	include disable-common.inc	22	include disable-common.inc
23	include disable-exec.inc	23	include disable-exec.inc
		24	include disable-devel.inc
24	include disable-passwdmgr.inc	25	include disable-passwdmgr.inc
25	include disable-programs.inc	26	include disable-programs.inc
26	include disable-xdg.inc	27	include disable-xdg.inc


diff --git a/etc/midori.profile b/etc/midori.profile index ffae4919f..e11e2acaa 100644 --- a/etc/midori.profile +++ b/etc/midori.profile
@@ -9,6 +9,7 @@ include globals.local
9	# noexec ${HOME} breaks DRM binaries.	9	# noexec ${HOME} breaks DRM binaries.
10	?BROWSER_ALLOW_DRM: ignore noexec ${HOME}	10	?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
11		11
		12	noblacklist ${HOME}/.cache/midori
12	noblacklist ${HOME}/.config/midori	13	noblacklist ${HOME}/.config/midori
13	noblacklist ${HOME}/.local/share/midori	14	noblacklist ${HOME}/.local/share/midori
14	# noblacklist ${HOME}/.local/share/webkit	15	# noblacklist ${HOME}/.local/share/webkit
@@ -16,11 +17,17 @@ noblacklist ${HOME}/.local/share/midori
16	noblacklist ${HOME}/.pki	17	noblacklist ${HOME}/.pki
17	noblacklist ${HOME}/.local/share/pki	18	noblacklist ${HOME}/.local/share/pki
18		19
		20	noblacklist ${HOME}/.cache/gnome-mplayer
		21	noblacklist ${HOME}/.config/gnome-mplayer
		22	noblacklist ${HOME}/.lastpass
		23
19	include disable-common.inc	24	include disable-common.inc
20	include disable-devel.inc	25	include disable-devel.inc
21	include disable-exec.inc	26	include disable-exec.inc
22	include disable-interpreters.inc	27	include disable-interpreters.inc
		28	#include disable-passwdmgr.inc
23	include disable-programs.inc	29	include disable-programs.inc
		30	include disable-xdg.inc
24		31
25	mkdir ${HOME}/.cache/midori	32	mkdir ${HOME}/.cache/midori
26	mkdir ${HOME}/.config/midori	33	mkdir ${HOME}/.config/midori


diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile index e9572d914..f8448f514 100644 --- a/etc/pdftotext.profile +++ b/etc/pdftotext.profile
@@ -22,6 +22,7 @@ include whitelist-usr-share-common.inc
22	include whitelist-var-common.inc	22	include whitelist-var-common.inc
23		23
24	caps.drop all	24	caps.drop all
		25	ipc-namespace
25	machine-id	26	machine-id
26	net none	27	net none
27	no3d	28	no3d
@@ -41,6 +42,7 @@ tracelog
41	x11 none	42	x11 none
42		43
43	private-bin pdftotext	44	private-bin pdftotext
		45	private-cache
44	private-dev	46	private-dev
45	private-etc alternatives	47	private-etc alternatives
46	private-tmp	48	private-tmp


diff --git a/etc/shotcut.profile b/etc/shotcut.profile index 5b3c5439d..072cc2c0d 100644 --- a/etc/shotcut.profile +++ b/etc/shotcut.profile
@@ -29,6 +29,7 @@ nou2f
29	protocol unix	29	protocol unix
30	seccomp	30	seccomp
31	shell none	31	shell none
		32	tracelog
32		33
33	#private-bin melt,nice,qmelt,shotcut	34	#private-bin melt,nice,qmelt,shotcut
34	private-cache	35	private-cache