-rw-r--r-- | etc/dig.profile | 3 | ||||
-rw-r--r-- | etc/nslookup.profile | 5 | ||||
-rw-r--r-- | etc/unknown-horizons.profile | 4 | ||||
-rw-r--r-- | etc/whitelist-usr-share-common.inc | 1 | ||||
-rw-r--r-- | src/profstats/main.c | 11 |
5 files changed, 22 insertions, 2 deletions
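--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -25,6 +25,7 @@ include disable-xdg.inc
 #mkfile ${HOME}/.digrc -- see #903
 whitelist ${HOME}/.digrc
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -32,6 +33,7 @@ apparmor
 caps.drop all
 ipc-namespace
 machine-id
+memory-deny-write-execute
 netfilter
 no3d
 nodbus
@@ -49,7 +51,6 @@ shell none
 tracelog
 
 disable-mnt
-private
 private-bin bash,dig,sh
 private-dev
 # Uncomment the next line (or put 'private-lib' in your dig.local) on non Debian/Ubuntu OS (see issue #3038)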
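--- a/etc/nslookup.profile
+++ b/etc/nslookup.profile
@@ -21,6 +21,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+whitelist ${HOME}/.nslookuprc
+include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -28,6 +31,7 @@ apparmor
 caps.drop all
 ipc-namespace
 machine-id
+memory-deny-write-execute
 netfilter
 no3d
 nodbus
@@ -45,7 +49,6 @@ shell none
 tracelog
 
 disable-mnt
-private
 private-bin bash,nslookup,sh
 private-dev
 private-tmp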
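--- a/etc/unknown-horizons.profile
+++ b/etc/unknown-horizons.profile
@@ -16,10 +16,14 @@ include disable-programs.inc
 mkdir ${HOME}/.unknown-horizons
 whitelist ${HOME}/.unknown-horizons
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+whitelist /usr/share/unknown-horizons
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
 caps.drop all
+# memory-deny-write-execute - doesn't work
 nodvd
 nogroups
 nonewprivs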
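Review bot: The added comment `# memory-deny-write-execute - doesn't work` records that the option was tried but not what broke, so the next maintainer cannot tell whether the breakage is still present without re-testing blind. Suggest recording the observed symptom or an issue reference in the comment, the way dig.profile's private-lib comment cites issue #3038, e.g. `# memory-deny-write-execute - doesn't work (<describe failure or issue id>)`. The rest of the profile continues outside the hunk.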
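--- a/etc/whitelist-usr-share-common.inc
+++ b/etc/whitelist-usr-share-common.inc
@@ -50,6 +50,7 @@ whitelist /usr/share/qt4
 whitelist /usr/share/qt5
 whitelist /usr/share/sounds
 whitelist /usr/share/tcl8.6
+whitelist /usr/share/tcltk
 whitelist /usr/share/terminfo
 whitelist /usr/share/texlive
 whitelist /usr/share/texmf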
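--- a/src/profstats/main.c
+++ b/src/profstats/main.c
@@ -38,6 +38,7 @@ static int cnt_whitelistvar = 0; // include whitelist-var-common.inc
 static int cnt_whitelistrunuser = 0; // include whitelist-runuser-common.inc
 static int cnt_whitelistusrshare = 0; // include whitelist-usr-share-common.inc
 static int cnt_ssh = 0;
+static int cnt_mdwx = 0;
 
 static int level = 0;
 static int arg_debug = 0;
@@ -51,6 +52,7 @@ static int arg_whitelistvar = 0;
 static int arg_whitelistrunuser = 0;
 static int arg_whitelistusrshare = 0;
 static int arg_ssh = 0;
+static int arg_mdwx = 0;
 
 static char *profile = NULL;
 
@@ -66,6 +68,7 @@ static void usage(void) {
 	printf(" --private-dev - print profiles without private-dev\n");
 	printf(" --private-tmp - print profiles without private-tmp\n");
 	printf(" --seccomp - print profiles without seccomp\n");
+	printf(" --memory-deny-write-execute - profile without it\n");
 	printf(" --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n");
 	printf(" --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\"\n");
 	printf(" --whitelist-usrshare - print profiles without \"include whitelist-usr-share-common.inc\"\n");
@@ -114,6 +117,8 @@ void process_file(const char *fname) {
 			cnt_whitelistusrshare++;
 		else if (strncmp(ptr, "include disable-common.inc", 26) == 0)
 			cnt_ssh++;
+		else if (strncmp(ptr, "memory-deny-write-execute", 25) == 0)
+			cnt_mdwx++;
 		else if (strncmp(ptr, "net none", 8) == 0)
 			cnt_netnone++;
 		else if (strncmp(ptr, "apparmor", 8) == 0)
@@ -161,6 +166,8 @@ int main(int argc, char **argv) {
 			arg_caps = 1;
 		else if (strcmp(argv[i], "--seccomp") == 0)
 			arg_seccomp = 1;
+		else if (strcmp(argv[i], "--memory-deny-write-execute") == 0)
+			arg_mdwx = 1;
 		else if (strcmp(argv[i], "--noexec") == 0)
 			arg_noexec = 1;
 		else if (strcmp(argv[i], "--private-dev") == 0)
@@ -205,6 +212,7 @@ int main(int argc, char **argv) {
 		int whitelistrunuser = cnt_whitelistrunuser;
 		int whitelistusrshare = cnt_whitelistusrshare;
 		int ssh = cnt_ssh;
+		int mdwx = cnt_mdwx;
 
 		// process file
 		profile = argv[i];
@@ -242,6 +250,8 @@ int main(int argc, char **argv) {
 			printf("No include whitelist-usr-share-common.inc found in %s\n", argv[i]);
 		if (arg_ssh && ssh == cnt_ssh)
 			printf("No include disable-common.inc found in %s\n", argv[i]);
+		if (arg_mdwx && mdwx == cnt_mdwx)
+			printf("No memory-deny-write-execute found in %s\n", argv[i]);
 
 		assert(level == 0);
 	}
@@ -255,6 +265,7 @@ int main(int argc, char **argv) {
 	printf(" seccomp\t\t\t%d\n", cnt_seccomp);
 	printf(" capabilities\t\t%d\n", cnt_caps);
 	printf(" noexec\t\t\t%d (include disable-exec.inc)\n", cnt_noexec);
+	printf(" memory-deny-write-execute\t%d\n", cnt_mdwx);
 	printf(" apparmor\t\t\t%d\n", cnt_apparmor);
 	printf(" private-dev\t\t\t%d\n", cnt_privatedev);
 	printf(" private-tmp\t\t\t%d\n", cnt_privatetmp);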
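Review bot: The new usage entry in the usage() hunk, `printf(" --memory-deny-write-execute - profile without it\n");`, breaks the "print profiles without X" wording every neighbouring entry uses, which is what a user scanning --help output matches on; suggest `printf(" --memory-deny-write-execute - print profiles without memory-deny-write-execute\n");`. The new option is also placed inconsistently across the three lists: usage() and the argv parsing in main() put it right after --seccomp, while the summary hunk prints cnt_mdwx between noexec and apparmor, so keeping one order would make the counter easier to find. The check `strncmp(ptr, "memory-deny-write-execute", 25)` is a prefix match like its siblings, so a short comment noting that it intentionally matches only an uncommented line at the start of ptr would document the counting rule. Both usage() and main() continue outside the hunks shown.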