author | netblue30 <netblue30@yahoo.com> | 2020-03-18 22:17:59 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2020-03-18 22:17:59 -0400 |
commit | 3c555a6ca44323c846d958e9ad5dcda540a25e95 (patch) | |
tree | 88789ef47c8cf60290c1f5bd33e89aba575626d2 /etc | |
parent | profile fixes (diff) | |
nslookup, host profiles
Diffstat (limited to 'etc')
-rw-r--r-- | etc/dig.profile | 2 | ||||
-rw-r--r-- | etc/disable-common.inc | 15 | ||||
-rw-r--r-- | etc/host.profile | 49 | ||||
-rw-r--r-- | etc/nslookup.profile | 49 |
4 files changed, 114 insertions, 1 deletions
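--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -8,6 +8,7 @@ include dig.local
 include globals.local
 
 noblacklist ${HOME}/.digrc
+noblacklist ${PATH}/dig
 
 blacklist /tmp/.X11-unix
 
@@ -48,7 +49,6 @@ tracelog
 disable-mnt
 private
 private-bin bash,dig,sh
-private-cache
 private-dev
 # Uncomment the next line (or put 'private-lib' in your dig.local) on non Debian/Ubuntu OS (see issue #3038)
 #private-lib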
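Review bot: The removal of `private-cache` in the second hunk is not covered by the commit message ("nslookup, host profiles") and presumably weakens the dig sandbox by no longer mounting an empty tmpfs over the cache directory; the hunk gives no reason for it. If something in dig needs the real cache directory, keep that reason next to the change with a comment such as `# private-cache omitted: <reason> (see issue #<placeholder>)`; otherwise it looks like an unrelated change that belongs in its own commit. The `noblacklist ${PATH}/dig` added in the first hunk is correctly placed before the `include disable-common.inc` that now blacklists the tool, though that include is outside the hunk.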
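--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -469,3 +469,18 @@ blacklist ${HOME}/sent
 
 # kernel configuration
 blacklist /proc/config.gz
+
+# prevent DNS malware attempting to communicate with the server
+# using regular DNS tools
+blacklist ${PATH}/dig
+blacklist ${PATH}/kdig
+blacklist ${PATH}/nslookup
+blacklist ${PATH}/host
+blacklist ${PATH}/dlint
+blacklist ${PATH}/dnswalk
+blacklist ${PATH}/dns2tcp
+blacklist ${PATH}/iodine
+blacklist ${PATH}/knsupdate
+
+
+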
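--- /dev/null
+++ b/etc/host.profile
@@ -0,0 +1,49 @@
+# Firejail profile for dig
+# Description: DNS lookup utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include host.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/host
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin bash,host,sh
+private-dev
+private-tmp
+
+memory-deny-write-execute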
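Review bot: The header comment on line 1 of the new file still reads `# Firejail profile for dig`, a copy-paste leftover; it should be `# Firejail profile for host`, and etc/nslookup.profile in this commit has the same line and needs `# Firejail profile for nslookup`. The rest of the file is consistent with its purpose: `noblacklist ${PATH}/host` is placed before `include disable-common.inc`, which this commit makes necessary, and `private-bin bash,host,sh` matches the tool. Since this profile is a near copy of dig.profile, it may be worth carrying over dig's `private-lib` hint comment (issue #3038 in the dig hunk) if the same library breakage applies to host on non-Debian systems; that cannot be verified from the diff.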
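--- /dev/null
+++ b/etc/nslookup.profile
@@ -0,0 +1,49 @@
+# Firejail profile for dig
+# Description: DNS lookup utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include nslookup.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/nslookup
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin bash,nslookup,sh
+private-dev
+private-tmp
+
+memory-deny-write-execute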