authorLibravatar smitsohu <smitsohu@gmail.com>2019-03-15 12:37:36 +0100
committerLibravatar smitsohu <smitsohu@gmail.com>2019-03-15 12:37:36 +0100
commit529315fe17a526eb8200e42a44b57ddffbd7a838 (patch)
treea70214750cdd46f0e6945d24a715ab19125a8244 /etc
parentffmpegthumbnailer breaks in ranger with private-cache enabled from (#2596) (diff)
profile hardening: add disable-exec.inc in more places
Diffstat (limited to 'etc')
-rw-r--r--etc/clamav.profile4
-rw-r--r--etc/default.profile2
-rw-r--r--etc/dig.profile3
-rw-r--r--etc/disable-exec.inc6
-rw-r--r--etc/freshclam.profile3
-rw-r--r--etc/mupdf.profile1
-rw-r--r--etc/patch.profile3
-rw-r--r--etc/pdfchain.profile3
-rw-r--r--etc/server.profile5
-rw-r--r--etc/ssh.profile3
-rw-r--r--etc/start-tor-browser.profile4
-rw-r--r--etc/strings.profile1
12 files changed, 17 insertions, 21 deletions
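--- a/etc/clamav.profile
+++ b/etc/clamav.profile
@@ -7,6 +7,8 @@ include clamav.local
 # Persistent global definitions
 include globals.local
 
+include disable-exec.inc
+
 caps.drop all
 ipc-namespace
 net none
@@ -30,5 +32,3 @@ private-dev
 read-only ${HOME}
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp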
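--- a/etc/default.profile
+++ b/etc/default.profile
@@ -14,7 +14,7 @@ include disable-common.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-#include disable-xdg.inc
+# include disable-xdg.inc
 
 # apparmor
 caps.drop all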
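--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.digrc
 
 include disable-common.inc
 # include disable-devel.inc
+include disable-exec.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -49,5 +50,3 @@ private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp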
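--- a/etc/disable-exec.inc
+++ b/etc/disable-exec.inc
@@ -6,6 +6,6 @@ noexec ${HOME}
 noexec ${RUNUSER}
 noexec /dev/shm
 noexec /tmp
-# /var/tmp is noexec by default
-# just in case there is a keep-var-tmp option:
-noexec /var/tmp
+# /var is noexec by default for unprivileged users
+# except there is a writable-var option, so just in case:
+noexec /var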
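Review bot: `noexec /var` on new line 11 is, per the new comment, meant to hold even when a profile uses writable-var, but whether the noexec flag survives the writable remount depends on the order in which firejail applies the two options, which this file cannot guarantee; the same question applies to freshclam.profile (writable-var and writable-var-log) and ssh.profile (writable-run-user against `noexec ${RUNUSER}`), both of which gain this include in this commit, so it is worth confirming from inside those sandboxes that the mounts really carry noexec. The rewritten comment on lines 9-10 also reads awkwardly; suggest `# /var is noexec by default for unprivileged users,` followed by `# but writable-var can remount it, so set it explicitly just in case:`.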
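--- a/etc/freshclam.profile
+++ b/etc/freshclam.profile
@@ -6,6 +6,7 @@ include clamav.local
 # Persistent global definitions
 include globals.local
 
+include disable-exec.inc
 
 caps.keep setgid,setuid
 ipc-namespace
@@ -32,5 +33,3 @@ writable-var
 writable-var-log
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp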
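--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -41,4 +41,5 @@ private-dev
 private-etc alternatives,fonts
 private-tmp
 
+memory-deny-write-execute
 read-only ${HOME}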
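Review bot: mupdf.profile gains `memory-deny-write-execute` on new line 44 but not the `include disable-exec.inc` that the commit message describes and that every other non-server profile in this set receives, and nothing in the hunk says why. If the omission is deliberate, a one-line comment in the include block (outside this hunk), e.g. `# disable-exec.inc intentionally not included: <reason>`, would stop a later "more places" pass from adding it blindly; if it is an oversight, the include belongs next to the other includes earlier in the file.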
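--- a/etc/patch.profile
+++ b/etc/patch.profile
@@ -11,6 +11,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-xdg.inc
@@ -39,5 +40,3 @@ private-dev
 private-lib libfakeroot
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp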
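--- a/etc/pdfchain.profile
+++ b/etc/pdfchain.profile
@@ -9,6 +9,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -38,5 +39,3 @@ private-etc alternatives,dconf,fonts,gtk-3.0,xdg
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp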
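--- a/etc/server.profile
+++ b/etc/server.profile
@@ -17,10 +17,11 @@ noblacklist /usr/sbin
 
 include disable-common.inc
 # include disable-devel.inc
+# include disable-exec.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-#include disable-xdg.inc
+# include disable-xdg.inc
 
 caps
 # ipc-namespace
@@ -48,5 +49,3 @@ private-dev
 private-tmp
 
 # memory-deny-write-execute
-# noexec ${HOME}
-# noexec /tmp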
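--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -12,6 +12,7 @@ noblacklist /tmp/ssh-*
 noblacklist ${HOME}/.ssh
 
 include disable-common.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
@@ -36,6 +37,4 @@ private-dev
 # private-tmp # Breaks when exiting
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 writable-run-user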
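--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -5,9 +5,11 @@ include start-tor-browser.local
 # Persistent global definitions
 include globals.local
 
+ignore noexec ${HOME}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -36,5 +38,3 @@ private-bin bash,sh,grep,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,r
 private-dev
 private-etc alternatives,fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id,ld.so.cache
 private-tmp
-
-noexec /tmp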
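Review bot: `ignore noexec ${HOME}` on new line 8 carries no explanation and sits four lines away from the `include disable-exec.inc` (new line 12) it partially neutralises, so a reader needs to know both the .inc contents and firejail's ignore semantics to see why it is there; a comment directly above it, e.g. `# the browser bundle is unpacked and run from inside ${HOME}, so keep it executable`, would make the intent explicit (presumably that is the reason; confirm). It is also worth stating in that comment that the other restrictions from disable-exec.inc (`noexec /tmp`, `${RUNUSER}`, `/dev/shm`, `/var`) still apply, which is what replaces the `noexec /tmp` removed in the second hunk.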
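--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -8,6 +8,7 @@ include strings.local
 #include globals.local
 
 blacklist /tmp/.X11-unix
+include disable-exec.inc
 
 ignore noroot
 net none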