authorLibravatar glitsj16 <glitsj16@users.noreply.github.com>2022-03-21 07:53:51 +0000
committerLibravatar GitHub <noreply@github.com>2022-03-21 07:53:51 +0000
commita21920e63219fc54f43265ad105ece3becec27a9 (patch)
treee03d22c10964cfac4e96e93e12a49c9e5281487d /etc
parentocenaudio hardening (#5056) (diff)
ping: extra hardening
Diffstat (limited to 'etc')
-rw-r--r--etc/profile-m-z/ping.profile21
1 files changed, 17 insertions, 4 deletions
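--- a/etc/profile-m-z/ping.profile
+++ b/etc/profile-m-z/ping.profile
@@ -7,23 +7,30 @@ include ping.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+# Add the next line to your ping.local if your kernel allows unprivileged userns clone.
+include ping-hardened.inc.profile
+
 apparmor
 caps.keep net_raw
 ipc-namespace
+machine-id
 #net tun0
 #netfilter /etc/firejail/ping.net
 netfilter
@@ -31,8 +38,9 @@ no3d
 nodvd
 nogroups
 noinput
-# ping needs to rise privileges, noroot and nonewprivs will kill it
+# ping needs to raise privileges, nonewprivs and noroot will kill it
 #nonewprivs
+noprinters
 #noroot
 nosound
 notv
@@ -40,15 +48,18 @@ nou2f
 novideo
 # protocol command is built using seccomp; nonewprivs will kill it
 #protocol unix,inet,inet6,netlink,packet
-# killed by no-new-privs
 #seccomp
+shell none
+tracelog
 
 disable-mnt
 private
-#private-bin has mammoth problems with execvp: "No such file or directory"
+#private-bin ping - has mammoth problems with execvp: "No such file or directory"
+private-cache
 private-dev
 # /etc/hosts is required in private-etc; however, just adding it to the list doesn't solve the problem!
 #private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl
+private-lib
 private-tmp
 
 # memory-deny-write-execute is built using seccomp; nonewprivs will kill it
@@ -56,3 +67,5 @@ private-tmp
 
 dbus-user none
 dbus-system none
+
+read-only ${HOME}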
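Review bot: The `include ping-hardened.inc.profile` line added after the whitelist includes is active in the profile itself, while the comment directly above it tells users to add that line to ping.local only if their kernel allows unprivileged userns clone; as written the hardened include is applied for everyone, which contradicts the opt-in wording and sits oddly next to the `#nonewprivs` and `#noroot` lines this same profile keeps commented out because they kill ping. If the intent is opt-in, comment the include out so the line matches its instruction: `#include ping-hardened.inc.profile`. This diff (limited to etc) does not add ping-hardened.inc.profile, so if that file does not already exist in the tree the unconditional include would presumably also break profile loading — worth confirming before merge.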