Harden mate-* profiles

author: Fred-Barclay <Fred-Barclay@users.noreply.github.com> 2017-09-24 14:19:14 -0500
committer: Fred-Barclay <Fred-Barclay@users.noreply.github.com> 2017-09-24 14:19:14 -0500
commit: e3d22faf5a107c6e1717cfbb145a358e054b55f0 (patch)
tree: f1b29b2ed9fad34d9df49f474cd9221417b94c93 /etc
parent: tighten mate-calc profile (diff)
download: firejail-e3d22faf5a107c6e1717cfbb145a358e054b55f0.tar.gz
firejail-e3d22faf5a107c6e1717cfbb145a358e054b55f0.tar.zst
firejail-e3d22faf5a107c6e1717cfbb145a358e054b55f0.zip
2 files changed, 18 insertions, 1 deletions
diff --git a/etc/mate-color-select.profile b/etc/mate-color-select.profile
index 26ce42fbf..7df7d7faa 100644
--- a/etc/mate-color-select.profile
+++ b/etc/mate-color-select.profile
@@ -11,6 +11,11 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+whitelist ${HOME}/.config/gtk-3.0
+whitelist ${HOME}/.fonts
+whitelist ${HOME}/.icons
+whitelist ${HOME}/.themes
 caps.drop all
 netfilter
 no3d
@@ -26,9 +31,11 @@ seccomp
 shell none
 disable-mnt
-private
+private-bin mate-color-select
+private-etc fonts
 private-dev
 private-tmp
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/mate-dictionary.profile b/etc/mate-dictionary.profile
index f0de57e0d..3f85addaf 100644
--- a/etc/mate-dictionary.profile
+++ b/etc/mate-dictionary.profile
@@ -12,6 +12,12 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+whitelist ${HOME}/.config/mate/mate-dictionary
+whitelist ${HOME}/.config/gtk-3.0
+whitelist ${HOME}/.fonts
+whitelist ${HOME}/.icons
+whitelist ${HOME}/.themes
 caps.drop all
 netfilter
 no3d
@@ -27,8 +33,12 @@ seccomp
 shell none
 disable-mnt
+private-bin mate-dictionary
+private-etc fonts,resolv.conf
+private-opt mate-dictionary
 private-dev
 private-tmp
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
author	Fred-Barclay <Fred-Barclay@users.noreply.github.com>	2017-09-24 14:19:14 -0500
committer	Fred-Barclay <Fred-Barclay@users.noreply.github.com>	2017-09-24 14:19:14 -0500
commit	e3d22faf5a107c6e1717cfbb145a358e054b55f0 (patch)
tree	f1b29b2ed9fad34d9df49f474cd9221417b94c93 /etc
parent	tighten mate-calc profile (diff)
download	firejail-e3d22faf5a107c6e1717cfbb145a358e054b55f0.tar.gz firejail-e3d22faf5a107c6e1717cfbb145a358e054b55f0.tar.zst firejail-e3d22faf5a107c6e1717cfbb145a358e054b55f0.zip

diff --git a/etc/mate-color-select.profile b/etc/mate-color-select.profile index 26ce42fbf..7df7d7faa 100644 --- a/etc/mate-color-select.profile +++ b/etc/mate-color-select.profile
@@ -11,6 +11,11 @@ include /etc/firejail/disable-devel.inc
11	include /etc/firejail/disable-passwdmgr.inc	11	include /etc/firejail/disable-passwdmgr.inc
12	include /etc/firejail/disable-programs.inc	12	include /etc/firejail/disable-programs.inc
13		13
		14	whitelist ${HOME}/.config/gtk-3.0
		15	whitelist ${HOME}/.fonts
		16	whitelist ${HOME}/.icons
		17	whitelist ${HOME}/.themes
		18
14	caps.drop all	19	caps.drop all
15	netfilter	20	netfilter
16	no3d	21	no3d
@@ -26,9 +31,11 @@ seccomp
26	shell none	31	shell none
27		32
28	disable-mnt	33	disable-mnt
29	private	34	private-bin mate-color-select
		35	private-etc fonts
30	private-dev	36	private-dev
31	private-tmp	37	private-tmp
32		38
		39	memory-deny-write-execute
33	noexec ${HOME}	40	noexec ${HOME}
34	noexec /tmp	41	noexec /tmp


diff --git a/etc/mate-dictionary.profile b/etc/mate-dictionary.profile index f0de57e0d..3f85addaf 100644 --- a/etc/mate-dictionary.profile +++ b/etc/mate-dictionary.profile
@@ -12,6 +12,12 @@ include /etc/firejail/disable-devel.inc
12	include /etc/firejail/disable-passwdmgr.inc	12	include /etc/firejail/disable-passwdmgr.inc
13	include /etc/firejail/disable-programs.inc	13	include /etc/firejail/disable-programs.inc
14		14
		15	whitelist ${HOME}/.config/mate/mate-dictionary
		16	whitelist ${HOME}/.config/gtk-3.0
		17	whitelist ${HOME}/.fonts
		18	whitelist ${HOME}/.icons
		19	whitelist ${HOME}/.themes
		20
15	caps.drop all	21	caps.drop all
16	netfilter	22	netfilter
17	no3d	23	no3d
@@ -27,8 +33,12 @@ seccomp
27	shell none	33	shell none
28		34
29	disable-mnt	35	disable-mnt
		36	private-bin mate-dictionary
		37	private-etc fonts,resolv.conf
		38	private-opt mate-dictionary
30	private-dev	39	private-dev
31	private-tmp	40	private-tmp
32		41
		42	memory-deny-write-execute
33	noexec ${HOME}	43	noexec ${HOME}
34	noexec /tmp	44	noexec /tmp