author | Fred Barclay <Fred-Barclay@users.noreply.github.com> | 2017-04-16 16:44:42 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-04-16 16:44:42 +0000 |
commit | e21e994fd259d269866e9af65b6c87afab700720 (patch) | |
tree | 6732d63a38e53684811bcc8f118f2821b3401e93 /etc | |
parent | Merge pull request #1228 from SpotComms/viking (diff) | |
parent | Harden 9 more profiles (diff) | |
Merge pull request #1226 from SpotComms/harden2
Harden 8 more profiles
Diffstat (limited to 'etc')
-rw-r--r-- | etc/audacity.profile | 5 | ||||
-rw-r--r-- | etc/bleachbit.profile | 8 | ||||
-rw-r--r-- | etc/deadbeef.profile | 10 | ||||
-rw-r--r-- | etc/firefox.profile | 4 | ||||
-rw-r--r-- | etc/gnome-calculator.profile | 1 | ||||
-rw-r--r-- | etc/ssh.profile | 11 | ||||
-rw-r--r-- | etc/steam.profile | 2 | ||||
-rw-r--r-- | etc/wget.profile | 8 | ||||
-rw-r--r-- | etc/wireshark.profile | 4 |
9 files changed, 48 insertions, 5 deletions
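--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -11,7 +11,9 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+net none
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
@@ -23,3 +25,6 @@ tracelog
 private-bin audacity
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp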
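Review bot: `net none` and `netfilter` are now both set in the first hunk, yet as far as I can tell `net none` leaves the sandbox's network namespace without any interface, so the netfilter ruleset has nothing to filter and reads as an active guard that it is not; keep one, or annotate the other, e.g. `# netfilter only matters if a user overrides net none with --net=`. The same pair is introduced in bleachbit.profile. The new `noexec ${HOME}` also refuses executable mappings from anything under the home directory, so user-installed LADSPA/VST plugin libraries kept in the home tree, if Audacity loads any from there, would fail to load; that trade-off deserves a one-line comment next to the directive.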
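--- a/etc/bleachbit.profile
+++ b/etc/bleachbit.profile
@@ -9,17 +9,21 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+net none
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
-shell none
-seccomp
 protocol unix
+seccomp
+shell none
 
 # private-bin
 # private-dev
 # private-tmp
 # private-etc
 
+noexec ${HOME}
+noexec /tmp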
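--- a/etc/deadbeef.profile
+++ b/etc/deadbeef.profile
@@ -11,7 +11,17 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+netfilter
+no3d
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp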
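Review bot: `noexec ${HOME}` on the last added line denies dlopen of shared objects under the home directory, and DeaDBeeF, as far as I know, also scans a per-user plugin directory under `${HOME}/.local/lib/deadbeef` for `.so` plugins; those would now fail to load with no obvious error. If that is intended, say so beside the directive, e.g. `# noexec ${HOME} disables user-installed plugins; comment out if you need them`, otherwise keep only `noexec /tmp`. `private-dev` is also new here, so audio output now depends on /dev/snd being part of firejail's private /dev set; a quick check with both the ALSA and PulseAudio output plugins before merging would confirm that.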
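--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -21,6 +21,7 @@ nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
+shell none
 tracelog
 
 whitelist ${DOWNLOADS}
@@ -59,3 +60,6 @@ include /etc/firejail/whitelist-common.inc
 #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp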
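Review bot: `noexec ${HOME}` added in the second hunk makes execve fail for any binary under the home directory, which includes native-messaging host programs that extensions such as password managers install in the user's home and reference from manifests under `~/.mozilla/native-messaging-hosts`; even where the profile's whitelist keeps those paths visible, noexec will still refuse to run them. If that breakage is accepted, record it next to the directive, e.g. `# noexec ${HOME}: native messaging hosts stored in the home directory will not run`, so that bug reports can be triaged quickly. The enclosing whitelist/private-etc block continues outside the hunk, so I could not confirm which home paths remain visible.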
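--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -19,6 +19,7 @@ caps.drop all
 netfilter
 #net none
 no3d
+nogroups
 nonewprivs
 noroot
 nosound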
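--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -14,7 +14,18 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
+nosound
 protocol unix,inet,inet6
 seccomp
+shell none
+tracelog
+
+private-dev
+#private-tmp #Breaks when exiting
+
+noexec ${HOME}
+noexec /tmp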
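Review bot: `#private-tmp #Breaks when exiting` documents a disabled hardening directive with a symptom but no cause, so nobody can later tell when it is safe to re-enable; state what was observed and where it was discussed, e.g. `# private-tmp: ssh fails on exit, see PR #1226 discussion`, and ideally which feature (ControlMaster sockets, agent forwarding) triggers it. `noexec ${HOME}` also means any `ProxyCommand`, `LocalCommand` or askpass helper that lives under the home directory and is referenced from `~/.ssh/config` will no longer execute; that is a plausible support question and deserves a one-line comment beside the directive. `private-dev` and `nogroups` look compatible with interactive use, since firejail's private /dev keeps tty and pts as far as I recall, but a passphrase prompt and an agent-forwarded session are worth one manual run.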
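--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -12,11 +12,13 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
+tracelog
 
 private-dev
 private-tmp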
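Review bot: `nogroups` added in this hunk drops the user's supplementary groups inside the sandbox, and on several distributions access to game controllers under `/dev/input`, GPU nodes or the audio device is granted through the `input`, `video` or `audio` groups rather than via per-seat ACLs; Steam and its games would then lose those devices even though the existing `private-dev` still exposes the nodes. I would either test on a system that relies on group-based device permissions before merging, or annotate the line, e.g. `# nogroups may break controller/GPU access on systems using input/video group permissions`. `tracelog` is a good addition and will help exactly this kind of triage.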
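--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -10,11 +10,11 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
-nogroups
 nosound
-no3d
 protocol unix,inet,inet6
 seccomp
 shell none
@@ -22,7 +22,9 @@ shell none
 blacklist /tmp/.X11-unix
 
 # private-bin wget
-# private-etc resolv.conf
 private-dev
+# private-etc resolv.conf
 private-tmp
 
+noexec ${HOME}
+noexec /tmp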
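Review bot: The reordered `# private-etc resolv.conf` line in the second hunk still carries no reason for staying disabled; if it is off because wget also needs CA certificates, `nsswitch.conf` and `hosts` from /etc, a comment such as `# private-etc disabled: wget also needs ssl certs, nsswitch.conf and hosts` lets the next maintainer either enable a fuller list or leave it alone knowingly. The `noexec` lines are a clear improvement for a downloader, since fetched files in the home directory or /tmp can no longer be run from inside the sandbox, and need no caveat here. The first hunk is a pure reorder and raises nothing.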
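--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -18,6 +18,7 @@ include /etc/firejail/disable-passwdmgr.inc
 #protocol unix,inet,inet6,netlink
 
 netfilter
+no3d
 nogroups
 nonewprivs
 nosound
@@ -28,3 +29,6 @@ tracelog
 #private-bin wireshark
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp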
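Review bot: `noexec ${HOME}` in the second hunk will stop Wireshark from loading binary dissector plugins installed per-user (the `.so` plugin directory under the user's home, where the build supports one), while Lua plugins are unaffected because they are read rather than mapped executable; if per-user binary plugins are not a supported case, a comment to that effect beside the directive, e.g. `# noexec ${HOME}: per-user binary plugins will not load`, avoids a later regression report. `no3d` in the first hunk should be harmless for a Qt GUI but may push rendering to a software backend; worth confirming on a system that uses the GL path. The capture-related directives (`caps.drop`, `#protocol`) start outside the hunk, so I could not check how they interact with these additions.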