harden sysprof (#3802)

author: glitsj16 <glitsj16@users.noreply.github.com> 2020-12-09 23:14:33 +0000
committer: GitHub <noreply@github.com> 2020-12-09 23:14:33 +0000
commit: a8ad436d7e6f4464bdcc7464aa7df6cb4d0177af (patch)
tree: 2102d820f73b6dc37408d57f396b97e8b5f5c86c /etc
parent: fixes (diff)
download: firejail-a8ad436d7e6f4464bdcc7464aa7df6cb4d0177af.tar.gz
firejail-a8ad436d7e6f4464bdcc7464aa7df6cb4d0177af.tar.zst
firejail-a8ad436d7e6f4464bdcc7464aa7df6cb4d0177af.zip
1 files changed, 25 insertions, 8 deletions
diff --git a/etc/profile-m-z/sysprof.profile b/etc/profile-m-z/sysprof.profile
index ad3346285..9e9d2a448 100644
--- a/etc/profile-m-z/sysprof.profile
+++ b/etc/profile-m-z/sysprof.profile
@@ -6,6 +6,7 @@ include sysprof.local
 # Persistent global definitions
 include globals.local
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -14,6 +15,19 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+# help menu functionality (yelp) - comment or add this block prepended with 'ignore'
+# to your sysprof.local if you don't need the help functionality
+noblacklist ${HOME}/.config/yelp
+mkdir ${HOME}/.config/yelp
+whitelist ${HOME}/.config/yelp
+whitelist /usr/share/help/C/sysprof
+whitelist /usr/share/yelp
+whitelist /usr/share/yelp-tools
+whitelist /usr/share/yelp-xsl
+whitelist ${DOCUMENTS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -26,27 +40,30 @@ no3d
 nodvd
 nogroups
 nonewprivs
-# Ubuntu 16.04 version needs root privileges - uncomment or put in sysprof.local if you don't use that
+# Ubuntu 16.04 version needs root privileges - comment or put 'ignore noroot' in sysprof.local if you run Xenial
-#noroot
+noroot
 nosound
 notv
 nou2f
 novideo
 protocol unix,netlink
+seccomp
 shell none
 tracelog
 disable-mnt
-#private-bin sysprof - breaks GUI help menu
+#private-bin sysprof - breaks help menu
 private-cache
 private-dev
 private-etc alternatives,fonts,ld.so.cache,machine-id,ssl
-# private-lib breaks GUI help menu
+# private-lib breaks help menu
 #private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so
 private-tmp
-# makes settings immutable
+dbus-user filter
-# dbus-user none
+dbus-user.own org.gnome.Shell
-# dbus-system none
+dbus-user.own org.gnome.Yelp
+dbus-user.own org.gnome.Sysprof3
+dbus-user.talk ca.desrt.dconf
-# memory-deny-write-execute - Breaks GUI on Arch
+# memory-deny-write-execute - breaks on Arch
author	glitsj16 <glitsj16@users.noreply.github.com>	2020-12-09 23:14:33 +0000
committer	GitHub <noreply@github.com>	2020-12-09 23:14:33 +0000
commit	a8ad436d7e6f4464bdcc7464aa7df6cb4d0177af (patch)
tree	2102d820f73b6dc37408d57f396b97e8b5f5c86c /etc
parent	fixes (diff)
download	firejail-a8ad436d7e6f4464bdcc7464aa7df6cb4d0177af.tar.gz firejail-a8ad436d7e6f4464bdcc7464aa7df6cb4d0177af.tar.zst firejail-a8ad436d7e6f4464bdcc7464aa7df6cb4d0177af.zip

diff --git a/etc/profile-m-z/sysprof.profile b/etc/profile-m-z/sysprof.profile index ad3346285..9e9d2a448 100644 --- a/etc/profile-m-z/sysprof.profile +++ b/etc/profile-m-z/sysprof.profile
@@ -6,6 +6,7 @@ include sysprof.local
6	# Persistent global definitions	6	# Persistent global definitions
7	include globals.local	7	include globals.local
8		8
		9	noblacklist ${DOCUMENTS}
9	include disable-common.inc	10	include disable-common.inc
10	include disable-devel.inc	11	include disable-devel.inc
11	include disable-exec.inc	12	include disable-exec.inc
@@ -14,6 +15,19 @@ include disable-passwdmgr.inc
14	include disable-programs.inc	15	include disable-programs.inc
15	include disable-xdg.inc	16	include disable-xdg.inc
16		17
		18	# help menu functionality (yelp) - comment or add this block prepended with 'ignore'
		19	# to your sysprof.local if you don't need the help functionality
		20	noblacklist ${HOME}/.config/yelp
		21	mkdir ${HOME}/.config/yelp
		22	whitelist ${HOME}/.config/yelp
		23	whitelist /usr/share/help/C/sysprof
		24	whitelist /usr/share/yelp
		25	whitelist /usr/share/yelp-tools
		26	whitelist /usr/share/yelp-xsl
		27
		28	whitelist ${DOCUMENTS}
		29	include whitelist-common.inc
		30	include whitelist-runuser-common.inc
17	include whitelist-usr-share-common.inc	31	include whitelist-usr-share-common.inc
18	include whitelist-var-common.inc	32	include whitelist-var-common.inc
19		33
@@ -26,27 +40,30 @@ no3d
26	nodvd	40	nodvd
27	nogroups	41	nogroups
28	nonewprivs	42	nonewprivs
29	# Ubuntu 16.04 version needs root privileges - uncomment or put in sysprof.local if you don't use that	43	# Ubuntu 16.04 version needs root privileges - comment or put 'ignore noroot' in sysprof.local if you run Xenial
30	#noroot	44	noroot
31	nosound	45	nosound
32	notv	46	notv
33	nou2f	47	nou2f
34	novideo	48	novideo
35	protocol unix,netlink	49	protocol unix,netlink
		50	seccomp
36	shell none	51	shell none
37	tracelog	52	tracelog
38		53
39	disable-mnt	54	disable-mnt
40	#private-bin sysprof - breaks GUI help menu	55	#private-bin sysprof - breaks help menu
41	private-cache	56	private-cache
42	private-dev	57	private-dev
43	private-etc alternatives,fonts,ld.so.cache,machine-id,ssl	58	private-etc alternatives,fonts,ld.so.cache,machine-id,ssl
44	# private-lib breaks GUI help menu	59	# private-lib breaks help menu
45	#private-lib gdk-pixbuf-2.,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so	60	#private-lib gdk-pixbuf-2.,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so
46	private-tmp	61	private-tmp
47		62
48	# makes settings immutable	63	dbus-user filter
49	# dbus-user none	64	dbus-user.own org.gnome.Shell
50	# dbus-system none	65	dbus-user.own org.gnome.Yelp
		66	dbus-user.own org.gnome.Sysprof3
		67	dbus-user.talk ca.desrt.dconf
51		68
52	# memory-deny-write-execute - Breaks GUI on Arch	69	# memory-deny-write-execute - breaks on Arch