Merge pull request #2582 from rusty-snake/harden_qtox

Harden qtox
author: SkewedZeppelin <8296104+SkewedZeppelin@users.noreply.github.com> 2019-03-13 16:08:14 +0000
committer: GitHub <noreply@github.com> 2019-03-13 16:08:14 +0000
commit: 0bccd25744ae6e6ab3afea22d363b00e64abde98 (patch)
tree: bfae0a671cdcab21907204dfe14bbaf46728d7bb /etc
parent: Merge pull request #2583 from rusty-snake/harden_minetest (diff)
parent: Add disable-exec.inc to qtox (diff)
download: firejail-0bccd25744ae6e6ab3afea22d363b00e64abde98.tar.gz
firejail-0bccd25744ae6e6ab3afea22d363b00e64abde98.tar.zst
firejail-0bccd25744ae6e6ab3afea22d363b00e64abde98.zip
1 files changed, 7 insertions, 3 deletions
diff --git a/etc/qtox.profile b/etc/qtox.profile
index 3dc4c6a30..0ca5a5ef0 100644
--- a/etc/qtox.profile
+++ b/etc/qtox.profile
@@ -10,9 +10,11 @@ noblacklist ${HOME}/.config/tox
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 mkdir ${HOME}/.config/tox
 whitelist ${DOWNLOADS}
@@ -20,9 +22,11 @@ whitelist ${HOME}/.config/tox
 include whitelist-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 ipc-namespace
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs
@@ -36,9 +40,9 @@ tracelog
 disable-mnt
 private-bin qtox
-private-etc alternatives,fonts,resolv.conf,ld.so.cache,localtime,ca-certificates,ssl,pki,crypto-policies,machine-id,pulse
+private-cache
 private-dev
+private-etc alternatives,fonts,resolv.conf,ld.so.cache,localtime,ca-certificates,ssl,pki,crypto-policies,machine-id,pulse
 private-tmp
-noexec ${HOME}
+memory-deny-write-execute
-noexec /tmp
author	SkewedZeppelin <8296104+SkewedZeppelin@users.noreply.github.com>	2019-03-13 16:08:14 +0000
committer	GitHub <noreply@github.com>	2019-03-13 16:08:14 +0000
commit	0bccd25744ae6e6ab3afea22d363b00e64abde98 (patch)
tree	bfae0a671cdcab21907204dfe14bbaf46728d7bb /etc
parent	Merge pull request #2583 from rusty-snake/harden_minetest (diff)
parent	Add disable-exec.inc to qtox (diff)
download	firejail-0bccd25744ae6e6ab3afea22d363b00e64abde98.tar.gz firejail-0bccd25744ae6e6ab3afea22d363b00e64abde98.tar.zst firejail-0bccd25744ae6e6ab3afea22d363b00e64abde98.zip

diff --git a/etc/qtox.profile b/etc/qtox.profile index 3dc4c6a30..0ca5a5ef0 100644 --- a/etc/qtox.profile +++ b/etc/qtox.profile
@@ -10,9 +10,11 @@ noblacklist ${HOME}/.config/tox
10		10
11	include disable-common.inc	11	include disable-common.inc
12	include disable-devel.inc	12	include disable-devel.inc
		13	include disable-exec.inc
13	include disable-interpreters.inc	14	include disable-interpreters.inc
14	include disable-passwdmgr.inc	15	include disable-passwdmgr.inc
15	include disable-programs.inc	16	include disable-programs.inc
		17	include disable-xdg.inc
16		18
17	mkdir ${HOME}/.config/tox	19	mkdir ${HOME}/.config/tox
18	whitelist ${DOWNLOADS}	20	whitelist ${DOWNLOADS}
@@ -20,9 +22,11 @@ whitelist ${HOME}/.config/tox
20	include whitelist-common.inc	22	include whitelist-common.inc
21	include whitelist-var-common.inc	23	include whitelist-var-common.inc
22		24
		25	apparmor
23	caps.drop all	26	caps.drop all
24	ipc-namespace	27	ipc-namespace
25	netfilter	28	netfilter
		29	nodbus
26	nodvd	30	nodvd
27	nogroups	31	nogroups
28	nonewprivs	32	nonewprivs
@@ -36,9 +40,9 @@ tracelog
36		40
37	disable-mnt	41	disable-mnt
38	private-bin qtox	42	private-bin qtox
39	private-etc alternatives,fonts,resolv.conf,ld.so.cache,localtime,ca-certificates,ssl,pki,crypto-policies,machine-id,pulse	43	private-cache
40	private-dev	44	private-dev
		45	private-etc alternatives,fonts,resolv.conf,ld.so.cache,localtime,ca-certificates,ssl,pki,crypto-policies,machine-id,pulse
41	private-tmp	46	private-tmp
42		47
43	noexec ${HOME}	48	memory-deny-write-execute
44	noexec /tmp