author | rusty-snake <print_hello_world+GitHub@protonmail.com> | 2019-03-13 17:35:00 +0000 |
---|---|---|
committer | glitsj16 <glitsj16@users.noreply.github.com> | 2019-03-13 17:35:00 +0000 |
commit | bcb2a2f0a8d597a281156f6bb2b9c2785644ed0e (patch) | |
tree | e3d1d358949ba2fdf473a23a4e8fba40820e2d86 /etc | |
parent | Merge pull request #2582 from rusty-snake/harden_qtox (diff) | |
download | firejail-bcb2a2f0a8d597a281156f6bb2b9c2785644ed0e.tar.gz firejail-bcb2a2f0a8d597a281156f6bb2b9c2785644ed0e.tar.zst firejail-bcb2a2f0a8d597a281156f6bb2b9c2785644ed0e.zip |
Harden youtube-dl.profile (#2584)
* Harden youtube-dl.profile
* Add dis-exec to ytdl
* Comment mdwe in ytdl
Diffstat (limited to 'etc')
-rw-r--r-- | etc/youtube-dl.profile | 16 |
1 files changed, 13 insertions, 3 deletions
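--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -19,8 +19,12 @@ noblacklist /usr/lib/python3*
 noblacklist /usr/local/lib/python2*
 noblacklist /usr/local/lib/python3*
 
+# breaks when installed via pip
+ignore noexec ${HOME}
+
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -28,10 +32,13 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
+machine-id
 netfilter
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,8 +52,11 @@ seccomp
 shell none
 tracelog
 
+disable-mnt
+private-bin youtube-dl,python*,ffmpeg
+private-cache
 private-dev
+private-etc alternatives,ssl,pki,ca-certificates,hostname,hosts,resolv.conf,youtube-dl.conf,crypto-policies,mime.types
+private-tmp
 
-# breaks when installed via pip
-#noexec ${HOME}
-noexec /tmp
+# memory-deny-write-execute - breaks on Arch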
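Review bot: `ignore noexec ${HOME}` at the top of the first hunk applies to every installation, not only pip ones, so the `noexec ${HOME}` that the newly included disable-exec.inc presumably supplies (that file is not shown here) never takes effect and the directory where downloads land stays executable. The comment `# breaks when installed via pip` does not tell a user of a distro package that the line can be dropped. I would expand it to something like `# pip --user installs run from ~/.local, so noexec ${HOME} has to be ignored; with a system-wide install, remove this line to keep ${HOME} noexec`. The last added line has the same gap: `# memory-deny-write-execute - breaks on Arch` would be more useful if it said what fails, so users on other distributions can judge whether to enable it.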