Harden qtox

author: rusty-snake <print_hello_world+Public@protonmail.com> 2019-03-13 13:10:26 +0100
committer: rusty-snake <print_hello_world+Public@protonmail.com> 2019-03-13 13:10:26 +0100
commit: 8c68c369bf25e6b2e14d45e4117552313abfc324 (patch)
tree: 5c08aee8cfc7c751152d6d45d15ec2bf42f0ba6b /etc
parent: add disable-exec.inc to few more profiles (diff)
download: firejail-8c68c369bf25e6b2e14d45e4117552313abfc324.tar.gz
firejail-8c68c369bf25e6b2e14d45e4117552313abfc324.tar.zst
firejail-8c68c369bf25e6b2e14d45e4117552313abfc324.zip
1 files changed, 6 insertions, 1 deletions
diff --git a/etc/qtox.profile b/etc/qtox.profile
index 3dc4c6a30..2c3b69c46 100644
--- a/etc/qtox.profile
+++ b/etc/qtox.profile
@@ -13,6 +13,7 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 mkdir ${HOME}/.config/tox
 whitelist ${DOWNLOADS}
@@ -20,9 +21,11 @@ whitelist ${HOME}/.config/tox
 include whitelist-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 ipc-namespace
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs
@@ -36,9 +39,11 @@ tracelog
 disable-mnt
 private-bin qtox
-private-etc alternatives,fonts,resolv.conf,ld.so.cache,localtime,ca-certificates,ssl,pki,crypto-policies,machine-id,pulse
+private-cache
 private-dev
+private-etc alternatives,fonts,resolv.conf,ld.so.cache,localtime,ca-certificates,ssl,pki,crypto-policies,machine-id,pulse
 private-tmp
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
author	rusty-snake <print_hello_world+Public@protonmail.com>	2019-03-13 13:10:26 +0100
committer	rusty-snake <print_hello_world+Public@protonmail.com>	2019-03-13 13:10:26 +0100
commit	8c68c369bf25e6b2e14d45e4117552313abfc324 (patch)
tree	5c08aee8cfc7c751152d6d45d15ec2bf42f0ba6b /etc
parent	add disable-exec.inc to few more profiles (diff)
download	firejail-8c68c369bf25e6b2e14d45e4117552313abfc324.tar.gz firejail-8c68c369bf25e6b2e14d45e4117552313abfc324.tar.zst firejail-8c68c369bf25e6b2e14d45e4117552313abfc324.zip

diff --git a/etc/qtox.profile b/etc/qtox.profile index 3dc4c6a30..2c3b69c46 100644 --- a/etc/qtox.profile +++ b/etc/qtox.profile
@@ -13,6 +13,7 @@ include disable-devel.inc
13	include disable-interpreters.inc	13	include disable-interpreters.inc
14	include disable-passwdmgr.inc	14	include disable-passwdmgr.inc
15	include disable-programs.inc	15	include disable-programs.inc
		16	include disable-xdg.inc
16		17
17	mkdir ${HOME}/.config/tox	18	mkdir ${HOME}/.config/tox
18	whitelist ${DOWNLOADS}	19	whitelist ${DOWNLOADS}
@@ -20,9 +21,11 @@ whitelist ${HOME}/.config/tox
20	include whitelist-common.inc	21	include whitelist-common.inc
21	include whitelist-var-common.inc	22	include whitelist-var-common.inc
22		23
		24	apparmor
23	caps.drop all	25	caps.drop all
24	ipc-namespace	26	ipc-namespace
25	netfilter	27	netfilter
		28	nodbus
26	nodvd	29	nodvd
27	nogroups	30	nogroups
28	nonewprivs	31	nonewprivs
@@ -36,9 +39,11 @@ tracelog
36		39
37	disable-mnt	40	disable-mnt
38	private-bin qtox	41	private-bin qtox
39	private-etc alternatives,fonts,resolv.conf,ld.so.cache,localtime,ca-certificates,ssl,pki,crypto-policies,machine-id,pulse	42	private-cache
40	private-dev	43	private-dev
		44	private-etc alternatives,fonts,resolv.conf,ld.so.cache,localtime,ca-certificates,ssl,pki,crypto-policies,machine-id,pulse
41	private-tmp	45	private-tmp
42		46
		47	memory-deny-write-execute
43	noexec ${HOME}	48	noexec ${HOME}
44	noexec /tmp	49	noexec /tmp