improve servers, harden musescore

author: smitsohu <smitsohu@gmail.com> 2017-08-31 23:18:45 +0200
committer: smitsohu <smitsohu@gmail.com> 2017-08-31 23:18:45 +0200
commit: 24934a4710e2acd015292e41414e24a7c3197038 (patch)
tree: f27789958aa1ad06ad7967ab6b2d92a3918257a8 /etc
parent: merges (diff)
download: firejail-24934a4710e2acd015292e41414e24a7c3197038.tar.gz
firejail-24934a4710e2acd015292e41414e24a7c3197038.tar.zst
firejail-24934a4710e2acd015292e41414e24a7c3197038.zip
7 files changed, 24 insertions, 3 deletions
diff --git a/etc/cpio.profile b/etc/cpio.profile
index 4122e2c92..7f4bc4a84 100644
--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -17,9 +17,9 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
-net none
 no3d
 nodvd
+nonewprivs
 nosound
 notv
 novideo
diff --git a/etc/cvlc.profile b/etc/cvlc.profile
index f095f487e..81ccbc530 100644
--- a/etc/cvlc.profile
+++ b/etc/cvlc.profile
@@ -5,7 +5,7 @@ include /etc/firejail/cvlc.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-# clvc doesn't like private-bin
+# cvlc doesn't like private-bin
 ignore private-bin
 # Redirect
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index 7d48905ee..e99a2b89b 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -5,6 +5,8 @@ include /etc/firejail/dnscrypt-proxy.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
@@ -13,12 +15,17 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+caps
 no3d
 nodvd
+nonewprivs
 nosound
 notv
 novideo
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
+disable-mnt
 private
 private-dev
+memory-deny-write-execute
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile
index 0893dff35..e38244ef8 100644
--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -5,6 +5,8 @@ include /etc/firejail/dnsmasq.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
@@ -14,7 +16,6 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps
-netfilter
 no3d
 nodvd
 nonewprivs
diff --git a/etc/file.profile b/etc/file.profile
index f3b08e34b..a83b2cf7d 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -21,6 +21,7 @@ nogroups
 nonewprivs
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/musescore.profile b/etc/musescore.profile
index bd00bea69..3b5a0b13c 100644
--- a/etc/musescore.profile
+++ b/etc/musescore.profile
@@ -10,6 +10,11 @@ noblacklist ~/.config/MuseScore
 noblacklist ~/.local/share/data/MusE
 noblacklist ~/.local/share/data/MuseScore
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
diff --git a/etc/unbound.profile b/etc/unbound.profile
index 4775a450d..73c538dbe 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -5,6 +5,8 @@ include /etc/firejail/unbound.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
@@ -13,12 +15,17 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+caps
 no3d
 nodvd
+nonewprivs
 nosound
 notv
 novideo
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
+disable-mnt
 private
 private-dev
+memory-deny-write-execute
author	smitsohu <smitsohu@gmail.com>	2017-08-31 23:18:45 +0200
committer	smitsohu <smitsohu@gmail.com>	2017-08-31 23:18:45 +0200
commit	24934a4710e2acd015292e41414e24a7c3197038 (patch)
tree	f27789958aa1ad06ad7967ab6b2d92a3918257a8 /etc
parent	merges (diff)
download	firejail-24934a4710e2acd015292e41414e24a7c3197038.tar.gz firejail-24934a4710e2acd015292e41414e24a7c3197038.tar.zst firejail-24934a4710e2acd015292e41414e24a7c3197038.zip

diff --git a/etc/cpio.profile b/etc/cpio.profile index 4122e2c92..7f4bc4a84 100644 --- a/etc/cpio.profile +++ b/etc/cpio.profile
@@ -17,9 +17,9 @@ include /etc/firejail/disable-programs.inc
17		17
18	caps.drop all	18	caps.drop all
19	net none	19	net none
20	net none
21	no3d	20	no3d
22	nodvd	21	nodvd
		22	nonewprivs
23	nosound	23	nosound
24	notv	24	notv
25	novideo	25	novideo


diff --git a/etc/cvlc.profile b/etc/cvlc.profile index f095f487e..81ccbc530 100644 --- a/etc/cvlc.profile +++ b/etc/cvlc.profile
@@ -5,7 +5,7 @@ include /etc/firejail/cvlc.local
5	# Persistent global definitions	5	# Persistent global definitions
6	include /etc/firejail/globals.local	6	include /etc/firejail/globals.local
7		7
8	# clvc doesn't like private-bin	8	# cvlc doesn't like private-bin
9	ignore private-bin	9	ignore private-bin
10		10
11	# Redirect	11	# Redirect


diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile index 7d48905ee..e99a2b89b 100644 --- a/etc/dnscrypt-proxy.profile +++ b/etc/dnscrypt-proxy.profile
@@ -5,6 +5,8 @@ include /etc/firejail/dnscrypt-proxy.local
5	# Persistent global definitions	5	# Persistent global definitions
6	include /etc/firejail/globals.local	6	include /etc/firejail/globals.local
7		7
		8	blacklist /tmp/.X11-unix
		9
8	noblacklist /sbin	10	noblacklist /sbin
9	noblacklist /usr/sbin	11	noblacklist /usr/sbin
10		12
@@ -13,12 +15,17 @@ include /etc/firejail/disable-devel.inc
13	include /etc/firejail/disable-passwdmgr.inc	15	include /etc/firejail/disable-passwdmgr.inc
14	include /etc/firejail/disable-programs.inc	16	include /etc/firejail/disable-programs.inc
15		17
		18	caps
16	no3d	19	no3d
17	nodvd	20	nodvd
		21	nonewprivs
18	nosound	22	nosound
19	notv	23	notv
20	novideo	24	novideo
21	seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open	25	seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
22		26
		27	disable-mnt
23	private	28	private
24	private-dev	29	private-dev
		30
		31	memory-deny-write-execute


diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile index 0893dff35..e38244ef8 100644 --- a/etc/dnsmasq.profile +++ b/etc/dnsmasq.profile
@@ -5,6 +5,8 @@ include /etc/firejail/dnsmasq.local
5	# Persistent global definitions	5	# Persistent global definitions
6	include /etc/firejail/globals.local	6	include /etc/firejail/globals.local
7		7
		8	blacklist /tmp/.X11-unix
		9
8	noblacklist /sbin	10	noblacklist /sbin
9	noblacklist /usr/sbin	11	noblacklist /usr/sbin
10		12
@@ -14,7 +16,6 @@ include /etc/firejail/disable-passwdmgr.inc
14	include /etc/firejail/disable-programs.inc	16	include /etc/firejail/disable-programs.inc
15		17
16	caps	18	caps
17	netfilter
18	no3d	19	no3d
19	nodvd	20	nodvd
20	nonewprivs	21	nonewprivs


diff --git a/etc/file.profile b/etc/file.profile index f3b08e34b..a83b2cf7d 100644 --- a/etc/file.profile +++ b/etc/file.profile
@@ -21,6 +21,7 @@ nogroups
21	nonewprivs	21	nonewprivs
22	nosound	22	nosound
23	notv	23	notv
		24	novideo
24	protocol unix	25	protocol unix
25	seccomp	26	seccomp
26	shell none	27	shell none


diff --git a/etc/musescore.profile b/etc/musescore.profile index bd00bea69..3b5a0b13c 100644 --- a/etc/musescore.profile +++ b/etc/musescore.profile
@@ -10,6 +10,11 @@ noblacklist ~/.config/MuseScore
10	noblacklist ~/.local/share/data/MusE	10	noblacklist ~/.local/share/data/MusE
11	noblacklist ~/.local/share/data/MuseScore	11	noblacklist ~/.local/share/data/MuseScore
12		12
		13	include /etc/firejail/disable-common.inc
		14	include /etc/firejail/disable-devel.inc
		15	include /etc/firejail/disable-passwdmgr.inc
		16	include /etc/firejail/disable-programs.inc
		17
13	caps.drop all	18	caps.drop all
14	netfilter	19	netfilter
15	no3d	20	no3d


diff --git a/etc/unbound.profile b/etc/unbound.profile index 4775a450d..73c538dbe 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile
@@ -5,6 +5,8 @@ include /etc/firejail/unbound.local
5	# Persistent global definitions	5	# Persistent global definitions
6	include /etc/firejail/globals.local	6	include /etc/firejail/globals.local
7		7
		8	blacklist /tmp/.X11-unix
		9
8	noblacklist /sbin	10	noblacklist /sbin
9	noblacklist /usr/sbin	11	noblacklist /usr/sbin
10		12
@@ -13,12 +15,17 @@ include /etc/firejail/disable-devel.inc
13	include /etc/firejail/disable-passwdmgr.inc	15	include /etc/firejail/disable-passwdmgr.inc
14	include /etc/firejail/disable-programs.inc	16	include /etc/firejail/disable-programs.inc
15		17
		18	caps
16	no3d	19	no3d
17	nodvd	20	nodvd
		21	nonewprivs
18	nosound	22	nosound
19	notv	23	notv
20	novideo	24	novideo
21	seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open	25	seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
22		26
		27	disable-mnt
23	private	28	private
24	private-dev	29	private-dev
		30
		31	memory-deny-write-execute