Harden easystroke (#2606)

author: glitsj16 <glitsj16@users.noreply.github.com> 2019-03-18 16:33:45 +0000
committer: GitHub <noreply@github.com> 2019-03-18 16:33:45 +0000
commit: cc4e42705c39361f56b82c1a2e1e2f0ad6ae8bed (patch)
tree: e6ef24f48dcfc7fb37dd1041937294adbf584403 /etc
parent: pavucontrol does not work with ipc-namespace (#2604) (diff)
download: firejail-cc4e42705c39361f56b82c1a2e1e2f0ad6ae8bed.tar.gz
firejail-cc4e42705c39361f56b82c1a2e1e2f0ad6ae8bed.tar.zst
firejail-cc4e42705c39361f56b82c1a2e1e2f0ad6ae8bed.zip
1 files changed, 8 insertions, 6 deletions
diff --git a/etc/easystroke.profile b/etc/easystroke.profile
index 44156f97e..42529d302 100644
--- a/etc/easystroke.profile
+++ b/etc/easystroke.profile
@@ -10,12 +10,14 @@ noblacklist ${HOME}/.easystroke
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
+apparmor
 caps.drop all
-ipc-namespace
 machine-id
 net none
 no3d
@@ -33,13 +35,13 @@ seccomp
 shell none
 disable-mnt
-private-bin easystroke,bash,sh
+# breaks custom shell command functionality
+#private-bin bash,easystroke,sh
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,group,passwd
-private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
+# breaks custom shell command functionality
+#private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
author	glitsj16 <glitsj16@users.noreply.github.com>	2019-03-18 16:33:45 +0000
committer	GitHub <noreply@github.com>	2019-03-18 16:33:45 +0000
commit	cc4e42705c39361f56b82c1a2e1e2f0ad6ae8bed (patch)
tree	e6ef24f48dcfc7fb37dd1041937294adbf584403 /etc
parent	pavucontrol does not work with ipc-namespace (#2604) (diff)
download	firejail-cc4e42705c39361f56b82c1a2e1e2f0ad6ae8bed.tar.gz firejail-cc4e42705c39361f56b82c1a2e1e2f0ad6ae8bed.tar.zst firejail-cc4e42705c39361f56b82c1a2e1e2f0ad6ae8bed.zip

diff --git a/etc/easystroke.profile b/etc/easystroke.profile index 44156f97e..42529d302 100644 --- a/etc/easystroke.profile +++ b/etc/easystroke.profile
@@ -10,12 +10,14 @@ noblacklist ${HOME}/.easystroke
10		10
11	include disable-common.inc	11	include disable-common.inc
12	include disable-devel.inc	12	include disable-devel.inc
		13	include disable-exec.inc
13	include disable-interpreters.inc	14	include disable-interpreters.inc
14	include disable-passwdmgr.inc	15	include disable-passwdmgr.inc
15	include disable-programs.inc	16	include disable-programs.inc
		17	include disable-xdg.inc
16		18
		19	apparmor
17	caps.drop all	20	caps.drop all
18	ipc-namespace
19	machine-id	21	machine-id
20	net none	22	net none
21	no3d	23	no3d
@@ -33,13 +35,13 @@ seccomp
33	shell none	35	shell none
34		36
35	disable-mnt	37	disable-mnt
36	private-bin easystroke,bash,sh	38	# breaks custom shell command functionality
		39	#private-bin bash,easystroke,sh
37	private-cache	40	private-cache
38	private-dev	41	private-dev
39	private-etc alternatives,fonts	42	private-etc alternatives,fonts,group,passwd
40	private-lib gdk-pixbuf-2.,gio,gvfs/libgvfscommon.so,libgconf-2.so.,librsvg-2.so.*	43	# breaks custom shell command functionality
		44	#private-lib gdk-pixbuf-2.,gio,gvfs/libgvfscommon.so,libgconf-2.so.,librsvg-2.so.*
41	private-tmp	45	private-tmp
42		46
43	memory-deny-write-execute	47	memory-deny-write-execute
44	noexec ${HOME}
45	noexec /tmp