author | glitsj16 <glitsj16@users.noreply.github.com> | 2022-03-13 15:09:51 +0000 |
committer | GitHub <noreply@github.com> | 2022-03-13 15:09:51 +0000 |
commit | ddebc20bbce1efa73343124e3f8e3836e77622c0 (patch) | |
tree | 2485c2b1211d5dc8efca59df67792ba91b57530c /etc | |
parent | fbuilder: don't consider flatpak/snapd directories (diff) | |
hardening onionshare-gui.profile (#4959)
* hardening onionshare-gui.profile
* add another dbus-user filter to onionshare-gui.profile
* harden onionshare
Diffstat (limited to 'etc')
-rw-r--r-- | etc/profile-m-z/onionshare-gui.profile | 24 |
1 files changed, 24 insertions, 0 deletions
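--- a/etc/profile-m-z/onionshare-gui.profile
+++ b/etc/profile-m-z/onionshare-gui.profile
@@ -1,4 +1,5 @@
 # Firejail profile for onionshare-gui
+# Description: Share a file over Tor Hidden Services anonymously and securely
 # This file is overwritten after every install/update
 # Persistent local customizations
 include onionshare-gui.local
@@ -14,18 +15,30 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
+include disable-shell.inc
 
+mkdir ${HOME}/.config/onionshare
+mkdir ${HOME}/OnionShare
+whitelist ${HOME}/.config/onionshare
+whitelist ${HOME}/OnionShare
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace
+machine-id
 netfilter
 no3d
 nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 nosound
 notv
@@ -33,9 +46,20 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
+#tracelog - may cause issues, see #1930
 
+disable-mnt
+private-bin onionshare,onionshare-cli,onionshare-gui,python*,tor*
+private-cache
 private-dev
 private-tmp
 
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-system none
+
 memory-deny-write-execute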
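Review bot: The `private-bin` line added in the third hunk uses the globs `python*` and `tor*`, which copy every matching binary from PATH into the sandbox rather than only the few the application needs; narrowing it to `private-bin onionshare,onionshare-cli,onionshare-gui,python3*,tor` keeps the private /bin minimal (any pluggable-transport helper onionshare might launch would have to be named explicitly either way, so the wildcard buys little). A python interpreter in `private-bin` only survives the `include disable-interpreters.inc` context line in the second hunk if an allow-python include sits earlier in the profile, outside this diff, so that assumption is worth confirming. The new `dbus-user.talk org.freedesktop.secrets` rule hands the sandbox access to the user's whole secret service; a short comment naming the feature that needs it, e.g. `# org.freedesktop.secrets: needed for <feature - confirm>`, would let the next maintainer judge whether the rule can be dropped.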