Harden bibletime.profile

author: rusty-snake <print_hello_world+Public@protonmail.com> 2019-04-12 19:01:38 +0200
committer: rusty-snake <print_hello_world+Public@protonmail.com> 2019-04-12 19:01:38 +0200
commit: 53dff25d69ad0d1a83dea3ce19d2d54210025f20 (patch)
tree: 7fddb0caa3e97f2c9a0e416a318b653f0495f2b8 /etc
parent: adding disable-exec.inc to the remaining profiles (diff)
download: firejail-53dff25d69ad0d1a83dea3ce19d2d54210025f20.tar.gz
firejail-53dff25d69ad0d1a83dea3ce19d2d54210025f20.tar.zst
firejail-53dff25d69ad0d1a83dea3ce19d2d54210025f20.zip
1 files changed, 6 insertions, 1 deletions
diff --git a/etc/bibletime.profile b/etc/bibletime.profile
index 6e40054f7..c41aafd47 100644
--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -14,6 +14,7 @@ noblacklist ${HOME}/.local/share/bibletime
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -25,7 +26,9 @@ whitelist ${HOME}/.bibletime
 whitelist ${HOME}/.sword
 whitelist ${HOME}/.local/share/bibletime
 include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
 caps.drop all
 machine-id
 netfilter
@@ -42,7 +45,9 @@ protocol unix,inet,inet6,netlink
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
+disable-mnt
 # private-bin bibletime,qt5ct
+private-cache
 private-dev
-private-etc alternatives,fonts,resolv.conf,sword,sword.conf,passwd,machine-id,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,ca-certificates,crypto-policies,fonts,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf
 private-tmp
author	rusty-snake <print_hello_world+Public@protonmail.com>	2019-04-12 19:01:38 +0200
committer	rusty-snake <print_hello_world+Public@protonmail.com>	2019-04-12 19:01:38 +0200
commit	53dff25d69ad0d1a83dea3ce19d2d54210025f20 (patch)
tree	7fddb0caa3e97f2c9a0e416a318b653f0495f2b8 /etc
parent	adding disable-exec.inc to the remaining profiles (diff)
download	firejail-53dff25d69ad0d1a83dea3ce19d2d54210025f20.tar.gz firejail-53dff25d69ad0d1a83dea3ce19d2d54210025f20.tar.zst firejail-53dff25d69ad0d1a83dea3ce19d2d54210025f20.zip

diff --git a/etc/bibletime.profile b/etc/bibletime.profile index 6e40054f7..c41aafd47 100644 --- a/etc/bibletime.profile +++ b/etc/bibletime.profile
@@ -14,6 +14,7 @@ noblacklist ${HOME}/.local/share/bibletime
14		14
15	include disable-common.inc	15	include disable-common.inc
16	include disable-devel.inc	16	include disable-devel.inc
		17	include disable-exec.inc
17	include disable-interpreters.inc	18	include disable-interpreters.inc
18	include disable-passwdmgr.inc	19	include disable-passwdmgr.inc
19	include disable-programs.inc	20	include disable-programs.inc
@@ -25,7 +26,9 @@ whitelist ${HOME}/.bibletime
25	whitelist ${HOME}/.sword	26	whitelist ${HOME}/.sword
26	whitelist ${HOME}/.local/share/bibletime	27	whitelist ${HOME}/.local/share/bibletime
27	include whitelist-common.inc	28	include whitelist-common.inc
		29	include whitelist-var-common.inc
28		30
		31	apparmor
29	caps.drop all	32	caps.drop all
30	machine-id	33	machine-id
31	netfilter	34	netfilter
@@ -42,7 +45,9 @@ protocol unix,inet,inet6,netlink
42	seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice	45	seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
43	shell none	46	shell none
44		47
		48	disable-mnt
45	# private-bin bibletime,qt5ct	49	# private-bin bibletime,qt5ct
		50	private-cache
46	private-dev	51	private-dev
47	private-etc alternatives,fonts,resolv.conf,sword,sword.conf,passwd,machine-id,ca-certificates,ssl,pki,crypto-policies	52	private-etc alternatives,ca-certificates,crypto-policies,fonts,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf
48	private-tmp	53	private-tmp