Harden youtube-dl.profile (#2584)

* Harden youtube-dl.profile * Add dis-exec to ytdl * Comment mdwe in ytdl
author: rusty-snake <print_hello_world+GitHub@protonmail.com> 2019-03-13 17:35:00 +0000
committer: glitsj16 <glitsj16@users.noreply.github.com> 2019-03-13 17:35:00 +0000
commit: bcb2a2f0a8d597a281156f6bb2b9c2785644ed0e (patch)
tree: e3d1d358949ba2fdf473a23a4e8fba40820e2d86 /etc
parent: Merge pull request #2582 from rusty-snake/harden_qtox (diff)
download: firejail-bcb2a2f0a8d597a281156f6bb2b9c2785644ed0e.tar.gz
firejail-bcb2a2f0a8d597a281156f6bb2b9c2785644ed0e.tar.zst
firejail-bcb2a2f0a8d597a281156f6bb2b9c2785644ed0e.zip
1 files changed, 13 insertions, 3 deletions
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile
index 0878c91ef..621ffb2b0 100644
--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -19,8 +19,12 @@ noblacklist /usr/lib/python3*
 noblacklist /usr/local/lib/python2*
 noblacklist /usr/local/lib/python3*
+# breaks when installed via pip
+ignore noexec ${HOME}
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -28,10 +32,13 @@ include disable-xdg.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 ipc-namespace
+machine-id
 netfilter
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,8 +52,11 @@ seccomp
 shell none
 tracelog
+disable-mnt
+private-bin youtube-dl,python*,ffmpeg
+private-cache
 private-dev
+private-etc alternatives,ssl,pki,ca-certificates,hostname,hosts,resolv.conf,youtube-dl.conf,crypto-policies,mime.types
+private-tmp
-# breaks when installed via pip
+# memory-deny-write-execute - breaks on Arch
-#noexec ${HOME}
-noexec /tmp
author	rusty-snake <print_hello_world+GitHub@protonmail.com>	2019-03-13 17:35:00 +0000
committer	glitsj16 <glitsj16@users.noreply.github.com>	2019-03-13 17:35:00 +0000
commit	bcb2a2f0a8d597a281156f6bb2b9c2785644ed0e (patch)
tree	e3d1d358949ba2fdf473a23a4e8fba40820e2d86 /etc
parent	Merge pull request #2582 from rusty-snake/harden_qtox (diff)
download	firejail-bcb2a2f0a8d597a281156f6bb2b9c2785644ed0e.tar.gz firejail-bcb2a2f0a8d597a281156f6bb2b9c2785644ed0e.tar.zst firejail-bcb2a2f0a8d597a281156f6bb2b9c2785644ed0e.zip

diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile index 0878c91ef..621ffb2b0 100644 --- a/etc/youtube-dl.profile +++ b/etc/youtube-dl.profile
@@ -19,8 +19,12 @@ noblacklist /usr/lib/python3*
19	noblacklist /usr/local/lib/python2*	19	noblacklist /usr/local/lib/python2*
20	noblacklist /usr/local/lib/python3*	20	noblacklist /usr/local/lib/python3*
21		21
		22	# breaks when installed via pip
		23	ignore noexec ${HOME}
		24
22	include disable-common.inc	25	include disable-common.inc
23	include disable-devel.inc	26	include disable-devel.inc
		27	include disable-exec.inc
24	include disable-interpreters.inc	28	include disable-interpreters.inc
25	include disable-passwdmgr.inc	29	include disable-passwdmgr.inc
26	include disable-programs.inc	30	include disable-programs.inc
@@ -28,10 +32,13 @@ include disable-xdg.inc
28		32
29	include whitelist-var-common.inc	33	include whitelist-var-common.inc
30		34
		35	apparmor
31	caps.drop all	36	caps.drop all
32	ipc-namespace	37	ipc-namespace
		38	machine-id
33	netfilter	39	netfilter
34	no3d	40	no3d
		41	nodbus
35	nodvd	42	nodvd
36	nogroups	43	nogroups
37	nonewprivs	44	nonewprivs
@@ -45,8 +52,11 @@ seccomp
45	shell none	52	shell none
46	tracelog	53	tracelog
47		54
		55	disable-mnt
		56	private-bin youtube-dl,python*,ffmpeg
		57	private-cache
48	private-dev	58	private-dev
		59	private-etc alternatives,ssl,pki,ca-certificates,hostname,hosts,resolv.conf,youtube-dl.conf,crypto-policies,mime.types
		60	private-tmp
49		61
50	# breaks when installed via pip	62	# memory-deny-write-execute - breaks on Arch
51	#noexec ${HOME}
52	noexec /tmp