Merge pull request #828 from vismir2/master

hardened profiles and fixed blacklisting

7 files changed, 37 insertions, 11 deletions

diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile
index 76ee70679..7c324a34b 100644
--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -6,12 +6,6 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
-whitelist ${HOME}/cherrytree
-mkdir ~/.config/cherrytree
-whitelist ${HOME}/.config/cherrytree/
-mkdir ~/.local/share
-whitelist ${HOME}/.local/share/
-
 caps.drop all
 netfilter
 nonewprivs
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index c4169db8a..4f854c8d8 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -121,6 +121,9 @@ blacklist ${HOME}/.smbcredentials
 blacklist ${HOME}/*.kdbx
 blacklist ${HOME}/*.kdb
 blacklist ${HOME}/*.key
+blacklist ${HOME}/.muttrc
+blacklist ${HOME}/.mutt/muttrc
+blacklist ${HOME}/.msmtprc
 blacklist /etc/shadow
 blacklist /etc/gshadow
 blacklist /etc/passwd-
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index e9416b34a..c13885739 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -69,6 +69,9 @@ blacklist ${HOME}/.config/qutebrowser
 blacklist ${HOME}/.8pecxstudios
 blacklist ${HOME}/.config/brave
 blacklist ${HOME}/.config/inox
+blacklist ${HOME}/.muttrc
+blacklist ${HOME}/.mutt/muttrc
+blacklist ${HOME}/.msmtprc
 
 # Instant Messaging
 blacklist ${HOME}/.config/hexchat
diff --git a/etc/feh.profile b/etc/feh.profile
index ba8f32f44..5fcb6bf25 100644
--- a/etc/feh.profile
+++ b/etc/feh.profile
@@ -5,9 +5,17 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+seccomp
+protocol unix
 netfilter
+net none
 nonewprivs
 noroot
+nogroups
 nosound
-protocol unix
-seccomp
+shell none
+
+private-bin feh
+whitelist /tmp/.X11-unix
+private-dev
+private-etc feh
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index 6f2db511b..d1a157c3c 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -11,8 +11,14 @@ noroot
 nosound
 protocol unix
 seccomp
+netfilter
 shell none
 tracelog
 
+private-bin mupdf
 private-tmp
 private-dev
+
+# mupdf will never write anything
+read-only ${HOME}
+
diff --git a/etc/ranger.profile b/etc/ranger.profile
index 775098d91..a040cd6bc 100644
--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -1,4 +1,9 @@
 # ranger file manager profile
+noblacklist /usr/bin/perl
+#noblacklist /usr/bin/cpan*
+noblacklist /usr/share/perl*
+noblacklist /usr/lib/perl*
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
@@ -6,8 +11,14 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+net none
 nonewprivs
 noroot
+nogroups
 protocol unix
 seccomp
 nosound
+
+private-tmp
+private-dev
+
diff --git a/etc/zathura.profile b/etc/zathura.profile
index 955792b2e..7093c52b2 100644
--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -12,8 +12,9 @@ protocol unix
 netfilter
 nonewprivs
 noroot
+nogroups
 nosound
-
-#net none
 shell none
-#private-etc X11
+
+private-bin zathura
+private-dev