Misc profile hardening and fixes

author: Tad <tad@spotco.us> 2018-03-18 21:35:55 -0400
committer: Tad <tad@spotco.us> 2018-03-18 21:35:55 -0400
commit: 5018a209d23e7f7e7dae2a93b3b57a40e5e3a980 (patch)
tree: 5da1d145515595c1ee94bd1ef13d090fb8bfaa82 /etc
parent: typo (diff)
download: firejail-5018a209d23e7f7e7dae2a93b3b57a40e5e3a980.tar.gz
firejail-5018a209d23e7f7e7dae2a93b3b57a40e5e3a980.tar.zst
firejail-5018a209d23e7f7e7dae2a93b3b57a40e5e3a980.zip
10 files changed, 11 insertions, 4 deletions
diff --git a/etc/asunder.profile b/etc/asunder.profile
index ce68f8897..0fbc3a158 100644
--- a/etc/asunder.profile
+++ b/etc/asunder.profile
@@ -10,8 +10,6 @@ noblacklist ${HOME}/.asunder_album_genre
 noblacklist ${HOME}/.asunder_album_title
 noblacklist ${HOME}/.asunder_album_artist
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -29,7 +27,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 #private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
 private-dev
 private-tmp
diff --git a/etc/atool.profile b/etc/atool.profile
index c2e772f9d..4cc3f02de 100644
--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
+net none
 no3d
 nodvd
 nogroups
diff --git a/etc/brasero.profile b/etc/brasero.profile
index f90d4688a..90a7b176e 100644
--- a/etc/brasero.profile
+++ b/etc/brasero.profile
@@ -13,6 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
+net none
 nogroups
 nonewprivs
 noroot
diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile
index 0660137e0..ca38ed1b8 100644
--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -10,6 +10,7 @@ blacklist /run/user/*/bus
 noblacklist ${HOME}/.frozen-bubble
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
@@ -29,6 +30,7 @@ protocol unix,netlink
 seccomp
 shell none
+disable-mnt
 # private-bin frozen-bubble
 private-dev
 # private-etc none
diff --git a/etc/gnome-twitch.profile b/etc/gnome-twitch.profile
index 9c94404d1..9e8f2a241 100644
--- a/etc/gnome-twitch.profile
+++ b/etc/gnome-twitch.profile
@@ -30,6 +30,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
+disable-mnt
 private-dev
 private-tmp
diff --git a/etc/open-invaders.profile b/etc/open-invaders.profile
index 331bfa939..191f8d87b 100644
--- a/etc/open-invaders.profile
+++ b/etc/open-invaders.profile
@@ -10,6 +10,7 @@ blacklist /run/user/*/bus
 noblacklist ${HOME}/.openinvaders
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/pingus.profile b/etc/pingus.profile
index 65aeedd86..ec7eff632 100644
--- a/etc/pingus.profile
+++ b/etc/pingus.profile
@@ -10,6 +10,7 @@ blacklist /run/user/*/bus
 noblacklist ${HOME}/.pingus
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/simutrans.profile b/etc/simutrans.profile
index 89d1f2925..8b4113d2f 100644
--- a/etc/simutrans.profile
+++ b/etc/simutrans.profile
@@ -10,6 +10,7 @@ blacklist /run/user/*/bus
 noblacklist ${HOME}/.simutrans
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/supertux2.profile b/etc/supertux2.profile
index 2b5bb07c3..d60d7fa5f 100644
--- a/etc/supertux2.profile
+++ b/etc/supertux2.profile
@@ -10,6 +10,7 @@ blacklist /run/user/*/bus
 noblacklist ${HOME}/.local/share/supertux2
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
@@ -29,6 +30,7 @@ protocol unix,netlink
 seccomp
 shell none
+disable-mnt
 # private-bin supertux2
 private-dev
 # private-etc none
diff --git a/etc/terasology.profile b/etc/terasology.profile
index 3d27134c4..ea25938d3 100644
--- a/etc/terasology.profile
+++ b/etc/terasology.profile
@@ -1,7 +1,7 @@
 # Firejail profile for terasology
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/default.local
+include /etc/firejail/terasology.local
 # Persistent global definitions
 include /etc/firejail/globals.local
author	Tad <tad@spotco.us>	2018-03-18 21:35:55 -0400
committer	Tad <tad@spotco.us>	2018-03-18 21:35:55 -0400
commit	5018a209d23e7f7e7dae2a93b3b57a40e5e3a980 (patch)
tree	5da1d145515595c1ee94bd1ef13d090fb8bfaa82 /etc
parent	typo (diff)
download	firejail-5018a209d23e7f7e7dae2a93b3b57a40e5e3a980.tar.gz firejail-5018a209d23e7f7e7dae2a93b3b57a40e5e3a980.tar.zst firejail-5018a209d23e7f7e7dae2a93b3b57a40e5e3a980.zip

diff --git a/etc/asunder.profile b/etc/asunder.profile index ce68f8897..0fbc3a158 100644 --- a/etc/asunder.profile +++ b/etc/asunder.profile
@@ -10,8 +10,6 @@ noblacklist ${HOME}/.asunder_album_genre
10	noblacklist ${HOME}/.asunder_album_title	10	noblacklist ${HOME}/.asunder_album_title
11	noblacklist ${HOME}/.asunder_album_artist	11	noblacklist ${HOME}/.asunder_album_artist
12		12
13
14
15	include /etc/firejail/disable-common.inc	13	include /etc/firejail/disable-common.inc
16	include /etc/firejail/disable-devel.inc	14	include /etc/firejail/disable-devel.inc
17	include /etc/firejail/disable-passwdmgr.inc	15	include /etc/firejail/disable-passwdmgr.inc
@@ -29,7 +27,6 @@ protocol unix,inet,inet6
29	seccomp	27	seccomp
30	shell none	28	shell none
31		29
32
33	#private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc	30	#private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
34	private-dev	31	private-dev
35	private-tmp	32	private-tmp


diff --git a/etc/atool.profile b/etc/atool.profile index c2e772f9d..4cc3f02de 100644 --- a/etc/atool.profile +++ b/etc/atool.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-programs.inc
14		14
15	caps.drop all	15	caps.drop all
16	netfilter	16	netfilter
		17	net none
17	no3d	18	no3d
18	nodvd	19	nodvd
19	nogroups	20	nogroups


diff --git a/etc/brasero.profile b/etc/brasero.profile index f90d4688a..90a7b176e 100644 --- a/etc/brasero.profile +++ b/etc/brasero.profile
@@ -13,6 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc
13	include /etc/firejail/disable-programs.inc	13	include /etc/firejail/disable-programs.inc
14		14
15	caps.drop all	15	caps.drop all
		16	net none
16	nogroups	17	nogroups
17	nonewprivs	18	nonewprivs
18	noroot	19	noroot


diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile index 0660137e0..ca38ed1b8 100644 --- a/etc/frozen-bubble.profile +++ b/etc/frozen-bubble.profile
@@ -10,6 +10,7 @@ blacklist /run/user/*/bus
10	noblacklist ${HOME}/.frozen-bubble	10	noblacklist ${HOME}/.frozen-bubble
11		11
12	include /etc/firejail/disable-common.inc	12	include /etc/firejail/disable-common.inc
		13	include /etc/firejail/disable-devel.inc
13	include /etc/firejail/disable-passwdmgr.inc	14	include /etc/firejail/disable-passwdmgr.inc
14	include /etc/firejail/disable-programs.inc	15	include /etc/firejail/disable-programs.inc
15		16
@@ -29,6 +30,7 @@ protocol unix,netlink
29	seccomp	30	seccomp
30	shell none	31	shell none
31		32
		33	disable-mnt
32	# private-bin frozen-bubble	34	# private-bin frozen-bubble
33	private-dev	35	private-dev
34	# private-etc none	36	# private-etc none


diff --git a/etc/gnome-twitch.profile b/etc/gnome-twitch.profile index 9c94404d1..9e8f2a241 100644 --- a/etc/gnome-twitch.profile +++ b/etc/gnome-twitch.profile
@@ -30,6 +30,7 @@ protocol unix,inet,inet6
30	seccomp	30	seccomp
31	shell none	31	shell none
32		32
		33	disable-mnt
33	private-dev	34	private-dev
34	private-tmp	35	private-tmp
35		36


diff --git a/etc/open-invaders.profile b/etc/open-invaders.profile index 331bfa939..191f8d87b 100644 --- a/etc/open-invaders.profile +++ b/etc/open-invaders.profile
@@ -10,6 +10,7 @@ blacklist /run/user/*/bus
10	noblacklist ${HOME}/.openinvaders	10	noblacklist ${HOME}/.openinvaders
11		11
12	include /etc/firejail/disable-common.inc	12	include /etc/firejail/disable-common.inc
		13	include /etc/firejail/disable-devel.inc
13	include /etc/firejail/disable-passwdmgr.inc	14	include /etc/firejail/disable-passwdmgr.inc
14	include /etc/firejail/disable-programs.inc	15	include /etc/firejail/disable-programs.inc
15		16


diff --git a/etc/pingus.profile b/etc/pingus.profile index 65aeedd86..ec7eff632 100644 --- a/etc/pingus.profile +++ b/etc/pingus.profile
@@ -10,6 +10,7 @@ blacklist /run/user/*/bus
10	noblacklist ${HOME}/.pingus	10	noblacklist ${HOME}/.pingus
11		11
12	include /etc/firejail/disable-common.inc	12	include /etc/firejail/disable-common.inc
		13	include /etc/firejail/disable-devel.inc
13	include /etc/firejail/disable-passwdmgr.inc	14	include /etc/firejail/disable-passwdmgr.inc
14	include /etc/firejail/disable-programs.inc	15	include /etc/firejail/disable-programs.inc
15		16


diff --git a/etc/simutrans.profile b/etc/simutrans.profile index 89d1f2925..8b4113d2f 100644 --- a/etc/simutrans.profile +++ b/etc/simutrans.profile
@@ -10,6 +10,7 @@ blacklist /run/user/*/bus
10	noblacklist ${HOME}/.simutrans	10	noblacklist ${HOME}/.simutrans
11		11
12	include /etc/firejail/disable-common.inc	12	include /etc/firejail/disable-common.inc
		13	include /etc/firejail/disable-devel.inc
13	include /etc/firejail/disable-passwdmgr.inc	14	include /etc/firejail/disable-passwdmgr.inc
14	include /etc/firejail/disable-programs.inc	15	include /etc/firejail/disable-programs.inc
15		16


diff --git a/etc/supertux2.profile b/etc/supertux2.profile index 2b5bb07c3..d60d7fa5f 100644 --- a/etc/supertux2.profile +++ b/etc/supertux2.profile
@@ -10,6 +10,7 @@ blacklist /run/user/*/bus
10	noblacklist ${HOME}/.local/share/supertux2	10	noblacklist ${HOME}/.local/share/supertux2
11		11
12	include /etc/firejail/disable-common.inc	12	include /etc/firejail/disable-common.inc
		13	include /etc/firejail/disable-devel.inc
13	include /etc/firejail/disable-passwdmgr.inc	14	include /etc/firejail/disable-passwdmgr.inc
14	include /etc/firejail/disable-programs.inc	15	include /etc/firejail/disable-programs.inc
15		16
@@ -29,6 +30,7 @@ protocol unix,netlink
29	seccomp	30	seccomp
30	shell none	31	shell none
31		32
		33	disable-mnt
32	# private-bin supertux2	34	# private-bin supertux2
33	private-dev	35	private-dev
34	# private-etc none	36	# private-etc none


diff --git a/etc/terasology.profile b/etc/terasology.profile index 3d27134c4..ea25938d3 100644 --- a/etc/terasology.profile +++ b/etc/terasology.profile
@@ -1,7 +1,7 @@
1	# Firejail profile for terasology	1	# Firejail profile for terasology
2	# This file is overwritten after every install/update	2	# This file is overwritten after every install/update
3	# Persistent local customizations	3	# Persistent local customizations
4	include /etc/firejail/default.local	4	include /etc/firejail/terasology.local
5	# Persistent global definitions	5	# Persistent global definitions
6	include /etc/firejail/globals.local	6	include /etc/firejail/globals.local
7		7