author | Tad <tad@spotco.us> | 2017-04-17 17:11:24 -0400 |
---|---|---|
committer | Tad <tad@spotco.us> | 2017-04-17 17:11:24 -0400 |
commit | 4f238b75de05d91f200305335da1f019810ac149 (patch) | |
tree | 40f021c8d9e7bb70f7bd0a868d571286fa438420 /etc | |
parent | Merge pull request #1229 from SpotComms/firecfg2 (diff) | |
Harden more profiles
Diffstat (limited to 'etc')
-rw-r--r-- | etc/bleachbit.profile | 1 | ||||
-rw-r--r-- | etc/bless.profile | 1 | ||||
-rw-r--r-- | etc/chromium.profile | 15 | ||||
-rw-r--r-- | etc/dino.profile | 1 | ||||
-rw-r--r-- | etc/eog.profile | 1 | ||||
-rw-r--r-- | etc/evince.profile | 1 | ||||
-rw-r--r-- | etc/evolution.profile | 1 | ||||
-rw-r--r-- | etc/file-roller.profile | 1 | ||||
-rw-r--r-- | etc/firefox.profile | 2 | ||||
-rw-r--r-- | etc/gedit.profile | 1 | ||||
-rw-r--r-- | etc/gimp.profile | 1 | ||||
-rw-r--r-- | etc/gnome-calculator.profile | 1 | ||||
-rw-r--r-- | etc/hexchat.profile | 1 | ||||
-rw-r--r-- | etc/jd-gui.profile | 1 | ||||
-rw-r--r-- | etc/lollypop.profile | 1 | ||||
-rw-r--r-- | etc/multimc5.profile | 1 | ||||
-rw-r--r-- | etc/mumble.profile | 1 | ||||
-rw-r--r-- | etc/pdfsam.profile | 1 | ||||
-rw-r--r-- | etc/pithos.profile | 1 | ||||
-rw-r--r-- | etc/polari.profile | 11 | ||||
-rw-r--r-- | etc/ssh.profile | 1 | ||||
-rw-r--r-- | etc/steam.profile | 1 | ||||
-rw-r--r-- | etc/totem.profile | 1 | ||||
-rw-r--r-- | etc/vlc.profile | 1 | ||||
-rw-r--r-- | etc/wget.profile | 1 | ||||
-rw-r--r-- | etc/wireshark.profile | 1 | ||||
-rw-r--r-- | etc/xonotic.profile | 1 |
27 files changed, 48 insertions, 4 deletions
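--- a/etc/bleachbit.profile
+++ b/etc/bleachbit.profile
@@ -9,6 +9,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+ipc-namespace
 net none
 netfilter
 no3d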
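Review bot: `ipc-namespace` is added here and, identically, in the bless, dino, eog, evince, evolution, file-roller, firefox, gedit, gimp, gnome-calculator, hexchat, jd-gui, lollypop, multimc5, mumble, pdfsam, pithos, ssh, steam, totem, vlc, wget, wireshark and xonotic sections, with no note on why it is safe for each program. A new IPC namespace isolates System V shared memory and POSIX message queues from the host, and my understanding of the firejail documentation is that this can disable the X11 MIT-SHM path some clients use, so the media and game profiles (steam, xonotic, totem, vlc, mumble, gimp) are the ones most worth re-testing before merging; if a regression turns up, the line can be dropped per profile. It would also help readers to carry a short rationale in at least one profile, e.g. `# ipc-namespace: isolates SysV IPC and POSIX mqueues from the host`.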
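--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -17,6 +17,7 @@ include /etc/firejail/disable-devel.inc
 
 #Options
 caps.drop all
+ipc-namespace
 net none
 netfilter
 no3d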
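--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -8,12 +8,8 @@ noblacklist ~/.cache/chromium
 noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
-
 # chromium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
-#
-
-netfilter
 
 whitelist ${DOWNLOADS}
 mkdir ~/.config/chromium
@@ -27,3 +23,14 @@ whitelist ~/.pki
 whitelist ~/.config/chromium-flags.conf
 
 include /etc/firejail/whitelist-common.inc
+
+ipc-namespace
+netfilter
+nogroups
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp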
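Review bot: The new option block at the end of etc/chromium.profile (new lines 27–36) is separated from the profile's other sandbox options by the whitelist section, and `netfilter` was moved out of its old position to join it; new lines 16–22 are outside the hunk, so I cannot see whether `caps.drop all`, `nonewprivs`, `noroot` or `seccomp` sit there, but the other profiles touched by this commit (firefox, polari) keep `netfilter` next to `caps.drop all`. Either moving the block up next to the existing options or prefixing it with a comment such as `# sandbox options` would keep the profile consistent with its siblings. `noexec ${HOME}` combined with the existing `whitelist ${DOWNLOADS}` is a worthwhile property here, since files the browser saves cannot be directly executed from where they land.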
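--- a/etc/dino.profile
+++ b/etc/dino.profile
@@ -16,6 +16,7 @@ whitelist ${HOME}/.local/share/dino
 include /etc/firejail/whitelist-common.inc
 
 caps.drop all
+ipc-namespace
 netfilter
 no3d
 nogroups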
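--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -11,6 +11,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+ipc-namespace
 net none
 netfilter
 no3d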
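--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -11,6 +11,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+ipc-namespace
 netfilter
 #net none - creates some problems on some distributions
 no3d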
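--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -20,6 +20,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+ipc-namespace
 netfilter
 no3d
 nogroups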
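--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -9,6 +9,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+ipc-namespace
 net none
 netfilter
 no3d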
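--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -16,7 +16,9 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 
 caps.drop all
+ipc-namespace
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink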
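--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+ipc-namespace
 netfilter
 net none
 no3d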
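--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -9,6 +9,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+ipc-namespace
 netfilter
 net none
 nogroups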
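--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -16,6 +16,7 @@ include /etc/firejail/whitelist-common.inc
 
 #Options
 caps.drop all
+ipc-namespace
 netfilter
 #net none
 no3d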
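--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -12,6 +12,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 
 caps.drop all
+ipc-namespace
 netfilter
 no3d
 nogroups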
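--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -16,6 +16,7 @@ include /etc/firejail/disable-devel.inc
 
 #Options
 caps.drop all
+ipc-namespace
 net none
 netfilter
 no3d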
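--- a/etc/lollypop.profile
+++ b/etc/lollypop.profile
@@ -17,6 +17,7 @@ include /etc/firejail/disable-devel.inc
 
 #Options
 caps.drop all
+ipc-namespace
 netfilter
 no3d
 nogroups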
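--- a/etc/multimc5.profile
+++ b/etc/multimc5.profile
@@ -25,6 +25,7 @@ include /etc/firejail/whitelist-common.inc
 
 #Options
 caps.drop all
+ipc-namespace
 netfilter
 nogroups
 nonewprivs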
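--- a/etc/mumble.profile
+++ b/etc/mumble.profile
@@ -17,6 +17,7 @@ whitelist ${HOME}/.local/share/data/Mumble
 include /etc/firejail/whitelist-common.inc
 
 caps.drop all
+ipc-namespace
 netfilter
 no3d
 nonewprivs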
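--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-devel.inc
 
 #Options
 caps.drop all
+ipc-namespace
 net none
 netfilter
 no3d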
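--- a/etc/pithos.profile
+++ b/etc/pithos.profile
@@ -16,6 +16,7 @@ include /etc/firejail/whitelist-common.inc
 
 #Options
 caps.drop all
+ipc-namespace
 netfilter
 no3d
 nogroups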
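--- a/etc/polari.profile
+++ b/etc/polari.profile
@@ -23,7 +23,18 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
+nosound
 protocol unix,inet,inet6
 seccomp
+shell none
+tracelog
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp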
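--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -13,6 +13,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+ipc-namespace
 netfilter
 no3d
 nogroups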
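--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -11,6 +11,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+ipc-namespace
 netfilter
 nogroups
 nonewprivs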
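--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -12,6 +12,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+ipc-namespace
 netfilter
 nogroups
 nonewprivs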
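--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -11,6 +11,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+ipc-namespace
 netfilter
 # nogroups
 nonewprivs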
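--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -9,6 +9,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+ipc-namespace
 netfilter
 no3d
 nogroups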
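--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -17,6 +17,7 @@ include /etc/firejail/disable-passwdmgr.inc
 #noroot
 #protocol unix,inet,inet6,netlink
 
+ipc-namespace
 netfilter
 no3d
 nogroups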
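Review bot: `ipc-namespace` at new line 20 may add no isolation in this profile if wireshark is run as root for packet capture, which the commented-out `#noroot` at line 17 suggests is the expected mode; my reading of the firejail man page is that the option only creates a new IPC namespace for sandboxes started by a regular user, root sandboxes getting one by default. Worth confirming, and if so a comment such as `# ipc-namespace: only effective for non-root sandboxes` next to the line would stop the next reader from expecting extra isolation here.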
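--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -22,6 +22,7 @@ include /etc/firejail/whitelist-common.inc
 
 #Options
 caps.drop all
+ipc-namespace
 netfilter
 nogroups
 nonewprivs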