mocp: hardening (#6017)

author: glitsj16 <glitsj16@users.noreply.github.com> 2023-09-23 01:43:43 +0000
committer: GitHub <noreply@github.com> 2023-09-23 01:43:43 +0000
commit: 9690ce753bb75169de4bd013c1c7064036323ec2 (patch)
tree: bdd9e9e4771f27fa21b5766b0a7f401d2a954af1 /etc
parent: mocp: fix networking (#6016) (diff)
download: firejail-9690ce753bb75169de4bd013c1c7064036323ec2.tar.gz
firejail-9690ce753bb75169de4bd013c1c7064036323ec2.tar.zst
firejail-9690ce753bb75169de4bd013c1c7064036323ec2.zip
1 files changed, 13 insertions, 2 deletions
diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile
index 7937ad65e..0a5e4255a 100644
--- a/etc/profile-m-z/mocp.profile
+++ b/etc/profile-m-z/mocp.profile
@@ -10,15 +10,24 @@ include globals.local
 noblacklist ${HOME}/.moc
 noblacklist ${MUSIC}
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 include disable-xdg.inc
-include whitelist-usr-share-common.inc
+mkdir ${HOME}/.moc
+whitelist ${HOME}/.moc
+whitelist ${MUSIC}
+include whitelist-common.inc
+include whitelist-run-common.inc
 include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 apparmor
@@ -30,12 +39,14 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 notv
 nou2f
 novideo
-protocol unix,inet,inet6,netlink
+protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 tracelog
 private-bin mocp
author	glitsj16 <glitsj16@users.noreply.github.com>	2023-09-23 01:43:43 +0000
committer	GitHub <noreply@github.com>	2023-09-23 01:43:43 +0000
commit	9690ce753bb75169de4bd013c1c7064036323ec2 (patch)
tree	bdd9e9e4771f27fa21b5766b0a7f401d2a954af1 /etc
parent	mocp: fix networking (#6016) (diff)
download	firejail-9690ce753bb75169de4bd013c1c7064036323ec2.tar.gz firejail-9690ce753bb75169de4bd013c1c7064036323ec2.tar.zst firejail-9690ce753bb75169de4bd013c1c7064036323ec2.zip

diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile index 7937ad65e..0a5e4255a 100644 --- a/etc/profile-m-z/mocp.profile +++ b/etc/profile-m-z/mocp.profile
@@ -10,15 +10,24 @@ include globals.local
10	noblacklist ${HOME}/.moc	10	noblacklist ${HOME}/.moc
11	noblacklist ${MUSIC}	11	noblacklist ${MUSIC}
12		12
		13	blacklist /tmp/.X11-unix
		14	blacklist ${RUNUSER}/wayland-*
		15
13	include disable-common.inc	16	include disable-common.inc
14	include disable-devel.inc	17	include disable-devel.inc
15	include disable-exec.inc	18	include disable-exec.inc
16	include disable-interpreters.inc	19	include disable-interpreters.inc
		20	include disable-proc.inc
17	include disable-programs.inc	21	include disable-programs.inc
18	include disable-xdg.inc	22	include disable-xdg.inc
19		23
20	include whitelist-usr-share-common.inc	24	mkdir ${HOME}/.moc
		25	whitelist ${HOME}/.moc
		26	whitelist ${MUSIC}
		27	include whitelist-common.inc
		28	include whitelist-run-common.inc
21	include whitelist-runuser-common.inc	29	include whitelist-runuser-common.inc
		30	include whitelist-usr-share-common.inc
22	include whitelist-var-common.inc	31	include whitelist-var-common.inc
23		32
24	apparmor	33	apparmor
@@ -30,12 +39,14 @@ nodvd
30	nogroups	39	nogroups
31	noinput	40	noinput
32	nonewprivs	41	nonewprivs
		42	noprinters
33	noroot	43	noroot
34	notv	44	notv
35	nou2f	45	nou2f
36	novideo	46	novideo
37	protocol unix,inet,inet6,netlink	47	protocol unix,inet,inet6
38	seccomp	48	seccomp
		49	seccomp.block-secondary
39	tracelog	50	tracelog
40		51
41	private-bin mocp	52	private-bin mocp