authorLibravatar Tad <tad@spotco.us>2017-07-30 16:56:31 -0400
committerLibravatar Tad <tad@spotco.us>2017-08-02 00:13:42 -0400
commitb18f42ab0236de7eed5888f43ba36cdaf990cbca (patch)
tree589537e44ce9efbfae2b84275367967550eadd75 /etc
parentHarden profiles (diff)
Initial adding of memory-deny-write-execute to profiles
- mdwe breaks most VM-based languages, so python/java/javascript and some mono programs are not compatible
- mdwe also breaks most 3D-accelerated programs, such as 3D games
- mdwe is similar to PaX's mprotect, meaning PaX flag managers can be used as a reference
-- See https://github.com/copperhead/paxd-archive/blob/master/paxd.conf
-- See https://github.com/nning/linux-pax-flags
Diffstat (limited to 'etc')
-rw-r--r--etc/bleachbit.profile1
-rw-r--r--etc/brasero.profile1
-rw-r--r--etc/cvlc.profile2
-rw-r--r--etc/eog.profile1
-rw-r--r--etc/evince.profile1
-rw-r--r--etc/file-roller.profile1
-rw-r--r--etc/gnome-calculator.profile1
-rw-r--r--etc/keepassxc.profile1
-rw-r--r--etc/less.profile1
-rw-r--r--etc/mumble.profile1
-rw-r--r--etc/peek.profile1
-rw-r--r--etc/ssh.profile1
-rw-r--r--etc/strings.profile2
-rw-r--r--etc/transmission-cli.profile2
-rw-r--r--etc/transmission-gtk.profile2
-rw-r--r--etc/vlc.profile1
16 files changed, 20 insertions, 0 deletions
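--- a/etc/bleachbit.profile
+++ b/etc/bleachbit.profile
@@ -28,5 +28,6 @@ shell none
 # private-tmp
 # private-etc
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp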
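Review bot: The added `memory-deny-write-execute` in bleachbit.profile conflicts with the commit message's own caveat that Python programs are not compatible with mdwe, since BleachBit is, as far as I know, a Python/GTK application. If it was tested and starts cleanly under the filter, a comment recording that would help the next maintainer, e.g. `# mdwe tested OK with bleachbit <version-placeholder>`. Otherwise ship the line commented out as `# memory-deny-write-execute`, so that a startup failure does not push users into running the program without any profile. The profile continues outside the hunk.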
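--- a/etc/brasero.profile
+++ b/etc/brasero.profile
@@ -30,5 +30,6 @@ tracelog
 # private-etc fonts
 # private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp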
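--- a/etc/cvlc.profile
+++ b/etc/cvlc.profile
@@ -27,3 +27,5 @@ tracelog
 #private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
 private-dev
 private-tmp
+
+memory-deny-write-execute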
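Review bot: In cvlc.profile the new `memory-deny-write-execute` ends the file with no `noexec ${HOME}` / `noexec /tmp` after it, unlike the profiles in this commit where it sits directly above those two lines; the same holds for strings.profile, transmission-cli.profile and transmission-gtk.profile. The filter restricts writable-and-executable memory, so it is strongest when the writable paths of the sandbox are also mounted non-executable; the two controls are meant to complement each other. Earlier lines of these profiles are outside the hunks, so a `noexec` may already be present there; if it is not, consider adding `noexec ${HOME}` and `noexec /tmp` after the directive for consistency with the other profiles.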
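--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -33,5 +33,6 @@ private-dev
 private-etc fonts
 private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp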
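--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -32,5 +32,6 @@ private-etc fonts
 # evince needs access to /tmp/mozilla* to work in firefox
 # private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp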
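--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -29,5 +29,6 @@ tracelog
 private-dev
 # private-etc fonts
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp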
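--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -37,5 +37,6 @@ private-dev
 private-tmp
 disable-mnt
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp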
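--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -33,5 +33,6 @@ private-dev
 private-etc fonts,ld.so.cache
 private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp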
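--- a/etc/less.profile
+++ b/etc/less.profile
@@ -21,5 +21,6 @@ blacklist /tmp/.X11-unix
 
 private-dev
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp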
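--- a/etc/mumble.profile
+++ b/etc/mumble.profile
@@ -35,5 +35,6 @@ private-bin mumble
 private-tmp
 disable-mnt
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp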
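--- a/etc/peek.profile
+++ b/etc/peek.profile
@@ -28,5 +28,6 @@ shell none
 private-dev
 private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp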
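--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -31,5 +31,6 @@ tracelog
 private-dev
 #private-tmp #Breaks when exiting
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp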
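Review bot: The added `memory-deny-write-execute` in ssh.profile is missing a comment about its reach: a seccomp-based filter is inherited by every process ssh spawns, so helpers configured through `ProxyCommand` or an askpass program run under the same restriction, and the commit message lists python/java programs as incompatible. A short comment on the line would save users a confusing failure, e.g. `# also applies to ProxyCommand/askpass helpers; disable if a helper needs W+X memory`. Whether any commonly used helper is affected is not visible from this hunk and should be confirmed by testing. The profile continues outside the hunk.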
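--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -18,3 +18,5 @@ shell none
 tracelog
 private-dev
 blacklist /tmp/.X11-unix
+
+memory-deny-write-execute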
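--- a/etc/transmission-cli.profile
+++ b/etc/transmission-cli.profile
@@ -28,3 +28,5 @@ tracelog
 private-tmp
 private-dev
 private-etc none
+
+memory-deny-write-execute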
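--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -34,3 +34,5 @@ tracelog
 private-bin transmission-gtk
 private-dev
 private-tmp
+
+memory-deny-write-execute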
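--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -27,5 +27,6 @@ private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
 private-dev
 private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp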
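Review bot: vlc.profile gets `memory-deny-write-execute` although the commit message says mdwe breaks most 3D-accelerated programs, and VLC's video output can go through OpenGL or other GPU-accelerated paths depending on the output module and driver. Whether playback is affected on a given system cannot be told from the hunk, so a comment above the line would tell users what to look at when video fails, e.g. `# mdwe can break GPU-accelerated video output; comment out if playback fails`. The same consideration applies to the line added in cvlc.profile.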