Harden /var

author: Tad <tad@spotco.us> 2017-08-22 20:23:01 -0400
committer: Tad <tad@spotco.us> 2017-08-22 21:31:40 -0400
commit: a7f934325a3a4f8ca0dd35e5aaf38d309c46da00 (patch)
tree: 5b5f1d78692c3465b7c93b1004483cbdade06f77 /etc
parent: Fix Steam regressions (diff)
download: firejail-a7f934325a3a4f8ca0dd35e5aaf38d309c46da00.tar.gz
firejail-a7f934325a3a4f8ca0dd35e5aaf38d309c46da00.tar.zst
firejail-a7f934325a3a4f8ca0dd35e5aaf38d309c46da00.zip
3 files changed, 15 insertions, 0 deletions
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile
index 0b61e7b9f..1b7b2c258 100644
--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -7,6 +7,7 @@ include /etc/firejail/globals.local
 noblacklist /sbin
 noblacklist /usr/sbin
+noblacklist /var/log
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index c220b9c50..294ff6bcb 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -107,15 +107,27 @@ blacklist ${PATH}/zuluCrypt-cli
 blacklist ${PATH}/zuluMount-cli
 # var
+blacklist /var/cache/apt
+blacklist /var/cache/pacman
+blacklist /var/lib/apt
+blacklist /var/lib/clamav
+blacklist /var/lib/dkms
 blacklist /var/lib/mysql/mysql.sock
 blacklist /var/lib/mysqld/mysql.sock
+blacklist /var/lib/pacman
+blacklist /var/lib/systemd
+blacklist /var/lib/upower
+blacklist /var/log
 blacklist /var/mail
+blacklist /var/opt
 blacklist /var/run/acpid.socket
 blacklist /var/run/docker.sock
 blacklist /var/run/minissdpd.sock
 blacklist /var/run/mysql/mysqld.sock
 blacklist /var/run/mysqld/mysqld.sock
 blacklist /var/run/rpcbind.sock
+blacklist /var/run/screens
+blacklist /var/run/systemd
 blacklist /var/spool/anacron
 blacklist /var/spool/cron
diff --git a/etc/server.profile b/etc/server.profile
index 04ef555de..edd4666e1 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -13,6 +13,8 @@ blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
+# noblacklist /var/log
+# noblacklist /var/opt
 include /etc/firejail/disable-common.inc
 # include /etc/firejail/disable-devel.inc
author	Tad <tad@spotco.us>	2017-08-22 20:23:01 -0400
committer	Tad <tad@spotco.us>	2017-08-22 21:31:40 -0400
commit	a7f934325a3a4f8ca0dd35e5aaf38d309c46da00 (patch)
tree	5b5f1d78692c3465b7c93b1004483cbdade06f77 /etc
parent	Fix Steam regressions (diff)
download	firejail-a7f934325a3a4f8ca0dd35e5aaf38d309c46da00.tar.gz firejail-a7f934325a3a4f8ca0dd35e5aaf38d309c46da00.tar.zst firejail-a7f934325a3a4f8ca0dd35e5aaf38d309c46da00.zip

diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile index 0b61e7b9f..1b7b2c258 100644 --- a/etc/bitlbee.profile +++ b/etc/bitlbee.profile
@@ -7,6 +7,7 @@ include /etc/firejail/globals.local
7		7
8	noblacklist /sbin	8	noblacklist /sbin
9	noblacklist /usr/sbin	9	noblacklist /usr/sbin
		10	noblacklist /var/log
10		11
11	include /etc/firejail/disable-common.inc	12	include /etc/firejail/disable-common.inc
12	include /etc/firejail/disable-devel.inc	13	include /etc/firejail/disable-devel.inc


diff --git a/etc/disable-common.inc b/etc/disable-common.inc index c220b9c50..294ff6bcb 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc
@@ -107,15 +107,27 @@ blacklist ${PATH}/zuluCrypt-cli
107	blacklist ${PATH}/zuluMount-cli	107	blacklist ${PATH}/zuluMount-cli
108		108
109	# var	109	# var
		110	blacklist /var/cache/apt
		111	blacklist /var/cache/pacman
		112	blacklist /var/lib/apt
		113	blacklist /var/lib/clamav
		114	blacklist /var/lib/dkms
110	blacklist /var/lib/mysql/mysql.sock	115	blacklist /var/lib/mysql/mysql.sock
111	blacklist /var/lib/mysqld/mysql.sock	116	blacklist /var/lib/mysqld/mysql.sock
		117	blacklist /var/lib/pacman
		118	blacklist /var/lib/systemd
		119	blacklist /var/lib/upower
		120	blacklist /var/log
112	blacklist /var/mail	121	blacklist /var/mail
		122	blacklist /var/opt
113	blacklist /var/run/acpid.socket	123	blacklist /var/run/acpid.socket
114	blacklist /var/run/docker.sock	124	blacklist /var/run/docker.sock
115	blacklist /var/run/minissdpd.sock	125	blacklist /var/run/minissdpd.sock
116	blacklist /var/run/mysql/mysqld.sock	126	blacklist /var/run/mysql/mysqld.sock
117	blacklist /var/run/mysqld/mysqld.sock	127	blacklist /var/run/mysqld/mysqld.sock
118	blacklist /var/run/rpcbind.sock	128	blacklist /var/run/rpcbind.sock
		129	blacklist /var/run/screens
		130	blacklist /var/run/systemd
119	blacklist /var/spool/anacron	131	blacklist /var/spool/anacron
120	blacklist /var/spool/cron	132	blacklist /var/spool/cron
121		133


diff --git a/etc/server.profile b/etc/server.profile index 04ef555de..edd4666e1 100644 --- a/etc/server.profile +++ b/etc/server.profile
@@ -13,6 +13,8 @@ blacklist /tmp/.X11-unix
13		13
14	noblacklist /sbin	14	noblacklist /sbin
15	noblacklist /usr/sbin	15	noblacklist /usr/sbin
		16	# noblacklist /var/log
		17	# noblacklist /var/opt
16		18
17	include /etc/firejail/disable-common.inc	19	include /etc/firejail/disable-common.inc
18	# include /etc/firejail/disable-devel.inc	20	# include /etc/firejail/disable-devel.inc