aboutsummaryrefslogtreecommitdiffstats
path: root/etc
diff options
context:
space:
mode:
authorLibravatar glitsj16 <glitsj16@users.noreply.github.com>2020-01-17 23:31:46 +0000
committerLibravatar GitHub <noreply@github.com>2020-01-17 23:31:46 +0000
commitf9c9c469a23dbb6d484f82f6ba719d662b784753 (patch)
tree9485d36a39798b0542ed70b9a5df688bab2c3d69 /etc
parentjoin: wait with effective uid of the user (diff)
downloadfirejail-f9c9c469a23dbb6d484f82f6ba719d662b784753.tar.gz
firejail-f9c9c469a23dbb6d484f82f6ba719d662b784753.tar.zst
firejail-f9c9c469a23dbb6d484f82f6ba719d662b784753.zip
hardenings for various profiles (#3160)
* harden devilspie * harden devilspie2 * harden curl * harden wget * harden curl * harden dig * harden claws-mail * harden dnscrypt-proxy * harden dnscrypt-proxy * harden dnscrypt-proxy * harden exfalso * refactor easystroke as whitelist profile * refactor enchant as whitelist profile * safeguard ${DOCUMENTS} Thanks @rusty-snake for the suggestion. * drop x11-none Thanks @rusty-snake for catching this. * drop x11 none Thanks @rusty-snake for saving the bacon... * drop x11 none Thanks @rusty-snake for catching this. * drop x11 none Thanks @rusty-snake for preventing breakage! * drop ipc-namespace Better safe than sorry...
Diffstat (limited to 'etc')
-rw-r--r--etc/claws-mail.profile3
-rw-r--r--etc/curl.profile4
-rw-r--r--etc/devilspie.profile3
-rw-r--r--etc/devilspie2.profile3
-rw-r--r--etc/dig.profile5
-rw-r--r--etc/dnscrypt-proxy.profile7
-rw-r--r--etc/easystroke.profile5
-rw-r--r--etc/enchant.profile6
-rw-r--r--etc/exfalso.profile1
9 files changed, 36 insertions, 1 deletions
diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile
index f07e2039b..44124f4a3 100644
--- a/etc/claws-mail.profile
+++ b/etc/claws-mail.profile
@@ -13,11 +13,14 @@ noblacklist ${HOME}/.signature
13# and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications 13# and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications
14noblacklist ${HOME}/Mail 14noblacklist ${HOME}/Mail
15 15
16noblacklist ${DOCUMENTS}
16include disable-common.inc 17include disable-common.inc
17include disable-devel.inc 18include disable-devel.inc
19include disable-exec.inc
18include disable-interpreters.inc 20include disable-interpreters.inc
19include disable-passwdmgr.inc 21include disable-passwdmgr.inc
20include disable-programs.inc 22include disable-programs.inc
23include disable-xdg.inc
21 24
22whitelist /usr/share/doc/claws-mail 25whitelist /usr/share/doc/claws-mail
23whitelist /usr/share/gnupg 26whitelist /usr/share/gnupg
diff --git a/etc/curl.profile b/etc/curl.profile
index 679f5a152..3f93e5f7e 100644
--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -9,10 +9,14 @@ include globals.local
9 9
10noblacklist ${HOME}/.curlrc 10noblacklist ${HOME}/.curlrc
11 11
12blacklist /tmp/.X11-unix
13
12include disable-common.inc 14include disable-common.inc
13include disable-exec.inc 15include disable-exec.inc
14include disable-passwdmgr.inc 16include disable-passwdmgr.inc
15include disable-programs.inc 17include disable-programs.inc
18# depending on workflow you can uncomment the below or put 'include disable-xdg.inc' in your curl.local
19#include disable-xdg.inc
16 20
17include whitelist-usr-share-common.inc 21include whitelist-usr-share-common.inc
18 22
diff --git a/etc/devilspie.profile b/etc/devilspie.profile
index ad891ffaf..bbbdfd702 100644
--- a/etc/devilspie.profile
+++ b/etc/devilspie.profile
@@ -8,6 +8,8 @@ include globals.local
8 8
9noblacklist ${HOME}/.devilspie 9noblacklist ${HOME}/.devilspie
10 10
11blacklist /tmp/.X11-unix
12
11include disable-common.inc 13include disable-common.inc
12include disable-devel.inc 14include disable-devel.inc
13include disable-exec.inc 15include disable-exec.inc
@@ -41,6 +43,7 @@ protocol unix
41seccomp 43seccomp
42shell none 44shell none
43tracelog 45tracelog
46x11 none
44 47
45disable-mnt 48disable-mnt
46private-bin devilspie 49private-bin devilspie
diff --git a/etc/devilspie2.profile b/etc/devilspie2.profile
index f2bacda9a..253e3856c 100644
--- a/etc/devilspie2.profile
+++ b/etc/devilspie2.profile
@@ -8,6 +8,8 @@ include globals.local
8 8
9noblacklist ${HOME}/.config/devilspie2 9noblacklist ${HOME}/.config/devilspie2
10 10
11blacklist /tmp/.X11-unix
12
11# Allow lua (blacklisted by disable-interpreters.inc) 13# Allow lua (blacklisted by disable-interpreters.inc)
12include allow-lua.inc 14include allow-lua.inc
13 15
@@ -44,6 +46,7 @@ protocol unix
44seccomp 46seccomp
45shell none 47shell none
46tracelog 48tracelog
49x11 none
47 50
48disable-mnt 51disable-mnt
49private-bin devilspie2 52private-bin devilspie2
diff --git a/etc/dig.profile b/etc/dig.profile
index af71ff17f..054e4891d 100644
--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -9,6 +9,8 @@ include globals.local
9 9
10noblacklist ${HOME}/.digrc 10noblacklist ${HOME}/.digrc
11 11
12blacklist /tmp/.X11-unix
13
12include disable-common.inc 14include disable-common.inc
13# include disable-devel.inc 15# include disable-devel.inc
14include disable-exec.inc 16include disable-exec.inc
@@ -24,7 +26,7 @@ include whitelist-usr-share-common.inc
24include whitelist-var-common.inc 26include whitelist-var-common.inc
25 27
26caps.drop all 28caps.drop all
27# ipc-namespace 29ipc-namespace
28machine-id 30machine-id
29netfilter 31netfilter
30no3d 32no3d
@@ -40,6 +42,7 @@ novideo
40protocol unix,inet,inet6 42protocol unix,inet,inet6
41seccomp 43seccomp
42shell none 44shell none
45tracelog
43 46
44disable-mnt 47disable-mnt
45private 48private
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index d0430d5ca..65722b3ef 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -7,6 +7,8 @@ include dnscrypt-proxy.local
7# Persistent global definitions 7# Persistent global definitions
8include globals.local 8include globals.local
9 9
10blacklist /tmp/.X11-unix
11
10noblacklist /sbin 12noblacklist /sbin
11noblacklist /usr/sbin 13noblacklist /usr/sbin
12 14
@@ -20,10 +22,13 @@ include disable-xdg.inc
20 22
21whitelist /usr/share/dnscrypt-proxy 23whitelist /usr/share/dnscrypt-proxy
22include whitelist-usr-share-common.inc 24include whitelist-usr-share-common.inc
25include whitelist-var-common.inc
23 26
27apparmor
24caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot 28caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
25ipc-namespace 29ipc-namespace
26machine-id 30machine-id
31netfilter
27no3d 32no3d
28nodbus 33nodbus
29nodvd 34nodvd
@@ -34,6 +39,8 @@ nou2f
34novideo 39novideo
35protocol inet,inet6 40protocol inet,inet6
36seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice 41seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
42shell none
43tracelog
37 44
38disable-mnt 45disable-mnt
39private 46private
diff --git a/etc/easystroke.profile b/etc/easystroke.profile
index 623a4cadc..1297f5f40 100644
--- a/etc/easystroke.profile
+++ b/etc/easystroke.profile
@@ -16,7 +16,11 @@ include disable-passwdmgr.inc
16include disable-programs.inc 16include disable-programs.inc
17include disable-xdg.inc 17include disable-xdg.inc
18 18
19mkdir ${HOME}/.easystroke
20whitelist ${HOME}/.easystroke
21include whitelist-common.inc
19include whitelist-usr-share-common.inc 22include whitelist-usr-share-common.inc
23include whitelist-var-common.inc
20 24
21apparmor 25apparmor
22caps.drop all 26caps.drop all
@@ -35,6 +39,7 @@ novideo
35protocol unix 39protocol unix
36seccomp 40seccomp
37shell none 41shell none
42tracelog
38 43
39disable-mnt 44disable-mnt
40# breaks custom shell command functionality 45# breaks custom shell command functionality
diff --git a/etc/enchant.profile b/etc/enchant.profile
index d276cec84..e2811a955 100644
--- a/etc/enchant.profile
+++ b/etc/enchant.profile
@@ -8,6 +8,8 @@ include globals.local
8 8
9noblacklist ${HOME}/.config/enchant 9noblacklist ${HOME}/.config/enchant
10 10
11blacklist /tmp/.X11-unix
12
11include disable-common.inc 13include disable-common.inc
12include disable-devel.inc 14include disable-devel.inc
13include disable-exec.inc 15include disable-exec.inc
@@ -16,7 +18,11 @@ include disable-passwdmgr.inc
16include disable-programs.inc 18include disable-programs.inc
17include disable-xdg.inc 19include disable-xdg.inc
18 20
21mkdir ${HOME}/.config/enchant
22whitelist ${HOME}/.config/enchant
23include whitelist-common.inc
19include whitelist-usr-share-common.inc 24include whitelist-usr-share-common.inc
25include whitelist-var-common.inc
20 26
21apparmor 27apparmor
22caps.drop all 28caps.drop all
diff --git a/etc/exfalso.profile b/etc/exfalso.profile
index 7d91f2854..04bafdde4 100644
--- a/etc/exfalso.profile
+++ b/etc/exfalso.profile
@@ -31,6 +31,7 @@ include whitelist-usr-share-common.inc
31include whitelist-var-common.inc 31include whitelist-var-common.inc
32 32
33caps.drop all 33caps.drop all
34ipc-namespace
34machine-id 35machine-id
35netfilter 36netfilter
36no3d 37no3d
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-19 16:38:53 +0000