Harden 10 profiles

author: Chiraag Nataraj <chiraag.nataraj@gmail.com> 2017-09-16 14:24:54 -0400
committer: Tad <tad@spotco.us> 2017-09-18 18:24:13 -0400
commit: 28faab8af4d2ea0699fbb09b0345f2c68d5ad382 (patch)
tree: 3b1ca33ede83d499cccf28c8384df026a1fdd836 /etc
parent: Fixup 12 profiles (diff)
download: firejail-28faab8af4d2ea0699fbb09b0345f2c68d5ad382.tar.gz
firejail-28faab8af4d2ea0699fbb09b0345f2c68d5ad382.tar.zst
firejail-28faab8af4d2ea0699fbb09b0345f2c68d5ad382.zip
10 files changed, 18 insertions, 0 deletions
diff --git a/etc/akregator.profile b/etc/akregator.profile
index 12bb06fb5..55434e45b 100644
--- a/etc/akregator.profile
+++ b/etc/akregator.profile
@@ -13,6 +13,12 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+mkfile ${HOME}/.config/akregatorrc
+mkdir ${HOME}/.local/share/akregator
+whitelist ${HOME}/.config/akregatorrc
+whitelist ${HOME}/.local/share/akregator
+include /etc/firejail/whitelist-common.inc
 caps.drop all
 netfilter
 no3d
@@ -27,6 +33,7 @@ seccomp
 shell none
 disable-mnt
+private-bin akregator,akregatorstorageexporter,dbus-launch,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper
 private-dev
 private-tmp
diff --git a/etc/darktable.profile b/etc/darktable.profile
index e04163486..c2dc0b42c 100644
--- a/etc/darktable.profile
+++ b/etc/darktable.profile
@@ -26,6 +26,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
+#private-bin darktable
 private-dev
 private-tmp
diff --git a/etc/dia.profile b/etc/dia.profile
index a625ab36d..abe83ac8c 100644
--- a/etc/dia.profile
+++ b/etc/dia.profile
@@ -27,6 +27,7 @@ seccomp
 shell none
 disable-mnt
+#private-bin dia
 private-dev
 private-tmp
diff --git a/etc/hugin.profile b/etc/hugin.profile
index d3cd181b1..ff88e0d5c 100644
--- a/etc/hugin.profile
+++ b/etc/hugin.profile
@@ -25,6 +25,7 @@ protocol unix
 seccomp
 shell none
+private-bin PTBatcherGUI,calibrate_lens_gui,hugin,hugin_stitch_project,align_image_stack,autooptimiser,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,fulla,geocpset,hugin_executor,hugin_hdrmerge,hugin_lensdb,icpfind,linefind,nona,pano_modify,pano_trafo,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,tca_correct,verdandi,vig_optimize,enblend
 private-dev
 private-tmp
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
index 3266d8230..c062ab8ef 100644
--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -27,6 +27,7 @@ protocol unix
 seccomp
 shell none
+#private-bin inkscape
 private-dev
 private-tmp
diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile
index bd32e0c70..ec2a65290 100644
--- a/etc/luminance-hdr.profile
+++ b/etc/luminance-hdr.profile
@@ -26,6 +26,7 @@ seccomp
 shell none
 tracelog
+#private-bin luminance-hdr,luminance-hdr-cli,align_image_stack
 private-dev
 private-tmp
diff --git a/etc/pidgin.profile b/etc/pidgin.profile
index dd610920a..d195cf586 100644
--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -27,3 +27,6 @@ tracelog
 private-bin pidgin
 private-dev
 private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/scribus.profile b/etc/scribus.profile
index e4c88be49..dd06fa59f 100644
--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -38,5 +38,6 @@ protocol unix
 seccomp
 tracelog
+#private-bin scribus,gs
 private-dev
 # private-tmp
diff --git a/etc/skype.profile b/etc/skype.profile
index f3e504a3f..b12f9879e 100644
--- a/etc/skype.profile
+++ b/etc/skype.profile
@@ -24,6 +24,7 @@ seccomp
 shell none
 disable-mnt
+#private-bin skype,bash
 private-dev
 private-tmp
diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile
index 08ece1e9b..b0014ace6 100644
--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -26,6 +26,7 @@ protocol unix
 seccomp
 shell none
+#private-bin synfigstudio
 private-dev
 private-tmp
author	Chiraag Nataraj <chiraag.nataraj@gmail.com>	2017-09-16 14:24:54 -0400
committer	Tad <tad@spotco.us>	2017-09-18 18:24:13 -0400
commit	28faab8af4d2ea0699fbb09b0345f2c68d5ad382 (patch)
tree	3b1ca33ede83d499cccf28c8384df026a1fdd836 /etc
parent	Fixup 12 profiles (diff)
download	firejail-28faab8af4d2ea0699fbb09b0345f2c68d5ad382.tar.gz firejail-28faab8af4d2ea0699fbb09b0345f2c68d5ad382.tar.zst firejail-28faab8af4d2ea0699fbb09b0345f2c68d5ad382.zip

diff --git a/etc/akregator.profile b/etc/akregator.profile index 12bb06fb5..55434e45b 100644 --- a/etc/akregator.profile +++ b/etc/akregator.profile
@@ -13,6 +13,12 @@ include /etc/firejail/disable-devel.inc
13	include /etc/firejail/disable-passwdmgr.inc	13	include /etc/firejail/disable-passwdmgr.inc
14	include /etc/firejail/disable-programs.inc	14	include /etc/firejail/disable-programs.inc
15		15
		16	mkfile ${HOME}/.config/akregatorrc
		17	mkdir ${HOME}/.local/share/akregator
		18	whitelist ${HOME}/.config/akregatorrc
		19	whitelist ${HOME}/.local/share/akregator
		20	include /etc/firejail/whitelist-common.inc
		21
16	caps.drop all	22	caps.drop all
17	netfilter	23	netfilter
18	no3d	24	no3d
@@ -27,6 +33,7 @@ seccomp
27	shell none	33	shell none
28		34
29	disable-mnt	35	disable-mnt
		36	private-bin akregator,akregatorstorageexporter,dbus-launch,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper
30	private-dev	37	private-dev
31	private-tmp	38	private-tmp
32		39


diff --git a/etc/darktable.profile b/etc/darktable.profile index e04163486..c2dc0b42c 100644 --- a/etc/darktable.profile +++ b/etc/darktable.profile
@@ -26,6 +26,7 @@ protocol unix,inet,inet6
26	seccomp	26	seccomp
27	shell none	27	shell none
28		28
		29	#private-bin darktable
29	private-dev	30	private-dev
30	private-tmp	31	private-tmp
31		32


diff --git a/etc/dia.profile b/etc/dia.profile index a625ab36d..abe83ac8c 100644 --- a/etc/dia.profile +++ b/etc/dia.profile
@@ -27,6 +27,7 @@ seccomp
27	shell none	27	shell none
28		28
29	disable-mnt	29	disable-mnt
		30	#private-bin dia
30	private-dev	31	private-dev
31	private-tmp	32	private-tmp
32		33


diff --git a/etc/hugin.profile b/etc/hugin.profile index d3cd181b1..ff88e0d5c 100644 --- a/etc/hugin.profile +++ b/etc/hugin.profile
@@ -25,6 +25,7 @@ protocol unix
25	seccomp	25	seccomp
26	shell none	26	shell none
27		27
		28	private-bin PTBatcherGUI,calibrate_lens_gui,hugin,hugin_stitch_project,align_image_stack,autooptimiser,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,fulla,geocpset,hugin_executor,hugin_hdrmerge,hugin_lensdb,icpfind,linefind,nona,pano_modify,pano_trafo,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,tca_correct,verdandi,vig_optimize,enblend
28	private-dev	29	private-dev
29	private-tmp	30	private-tmp
30		31


diff --git a/etc/inkscape.profile b/etc/inkscape.profile index 3266d8230..c062ab8ef 100644 --- a/etc/inkscape.profile +++ b/etc/inkscape.profile
@@ -27,6 +27,7 @@ protocol unix
27	seccomp	27	seccomp
28	shell none	28	shell none
29		29
		30	#private-bin inkscape
30	private-dev	31	private-dev
31	private-tmp	32	private-tmp
32		33


diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile index bd32e0c70..ec2a65290 100644 --- a/etc/luminance-hdr.profile +++ b/etc/luminance-hdr.profile
@@ -26,6 +26,7 @@ seccomp
26	shell none	26	shell none
27	tracelog	27	tracelog
28		28
		29	#private-bin luminance-hdr,luminance-hdr-cli,align_image_stack
29	private-dev	30	private-dev
30	private-tmp	31	private-tmp
31		32


diff --git a/etc/pidgin.profile b/etc/pidgin.profile index dd610920a..d195cf586 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile
@@ -27,3 +27,6 @@ tracelog
27	private-bin pidgin	27	private-bin pidgin
28	private-dev	28	private-dev
29	private-tmp	29	private-tmp
		30
		31	noexec ${HOME}
		32	noexec /tmp


diff --git a/etc/scribus.profile b/etc/scribus.profile index e4c88be49..dd06fa59f 100644 --- a/etc/scribus.profile +++ b/etc/scribus.profile
@@ -38,5 +38,6 @@ protocol unix
38	seccomp	38	seccomp
39	tracelog	39	tracelog
40		40
		41	#private-bin scribus,gs
41	private-dev	42	private-dev
42	# private-tmp	43	# private-tmp


diff --git a/etc/skype.profile b/etc/skype.profile index f3e504a3f..b12f9879e 100644 --- a/etc/skype.profile +++ b/etc/skype.profile
@@ -24,6 +24,7 @@ seccomp
24	shell none	24	shell none
25		25
26	disable-mnt	26	disable-mnt
		27	#private-bin skype,bash
27	private-dev	28	private-dev
28	private-tmp	29	private-tmp
29		30


diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile index 08ece1e9b..b0014ace6 100644 --- a/etc/synfigstudio.profile +++ b/etc/synfigstudio.profile
@@ -26,6 +26,7 @@ protocol unix
26	seccomp	26	seccomp
27	shell none	27	shell none
28		28
		29	#private-bin synfigstudio
29	private-dev	30	private-dev
30	private-tmp	31	private-tmp
31		32