-rw-r--r-- | etc/clamav.profile | 4 | ||||
-rw-r--r-- | etc/default.profile | 2 | ||||
-rw-r--r-- | etc/dig.profile | 3 | ||||
-rw-r--r-- | etc/disable-exec.inc | 6 | ||||
-rw-r--r-- | etc/freshclam.profile | 3 | ||||
-rw-r--r-- | etc/mupdf.profile | 1 | ||||
-rw-r--r-- | etc/patch.profile | 3 | ||||
-rw-r--r-- | etc/pdfchain.profile | 3 | ||||
-rw-r--r-- | etc/server.profile | 5 | ||||
-rw-r--r-- | etc/ssh.profile | 3 | ||||
-rw-r--r-- | etc/start-tor-browser.profile | 4 | ||||
-rw-r--r-- | etc/strings.profile | 1 |
12 files changed, 17 insertions, 21 deletions
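--- a/etc/clamav.profile
+++ b/etc/clamav.profile
@@ -7,6 +7,8 @@ include clamav.local
 # Persistent global definitions
 include globals.local
 
+include disable-exec.inc
+
 caps.drop all
 ipc-namespace
 net none
@@ -30,5 +32,3 @@ private-dev
 read-only ${HOME}
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp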
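--- a/etc/default.profile
+++ b/etc/default.profile
@@ -14,7 +14,7 @@ include disable-common.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-#include disable-xdg.inc
+# include disable-xdg.inc
 
 # apparmor
 caps.drop all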
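--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.digrc
 
 include disable-common.inc
 # include disable-devel.inc
+include disable-exec.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -49,5 +50,3 @@ private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp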
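--- a/etc/disable-exec.inc
+++ b/etc/disable-exec.inc
@@ -6,6 +6,6 @@ noexec ${HOME}
 noexec ${RUNUSER}
 noexec /dev/shm
 noexec /tmp
-# /var/tmp is noexec by default
-# just in case there is a keep-var-tmp option:
-noexec /var/tmp
+# /var is noexec by default for unprivileged users
+# except there is a writable-var option, so just in case:
+noexec /var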
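Review bot: The new `noexec /var` on line 11 only covers /var/tmp if firejail applies the noexec remount recursively to submounts; noexec is a per-mount flag, so a /var/tmp that is its own mount (a tmpfs, say) would stay executable after a plain remount of /var, and I cannot confirm from this hunk which way firejail behaves. Keeping the old line as well, `noexec /var` followed by `noexec /var/tmp`, costs nothing and makes the intent independent of that detail. The comment on line 9 would also read better as the rationale it actually is, e.g. `# firejail mounts /var noexec for unprivileged users, but writable-var can undo that, so pin it here`.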
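--- a/etc/freshclam.profile
+++ b/etc/freshclam.profile
@@ -6,6 +6,7 @@ include clamav.local
 # Persistent global definitions
 include globals.local
 
+include disable-exec.inc
 
 caps.keep setgid,setuid
 ipc-namespace
@@ -32,5 +33,3 @@ writable-var
 writable-var-log
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp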
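--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -41,4 +41,5 @@ private-dev
 private-etc alternatives,fonts
 private-tmp
 
+memory-deny-write-execute
 read-only ${HOME}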
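--- a/etc/patch.profile
+++ b/etc/patch.profile
@@ -11,6 +11,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-xdg.inc
@@ -39,5 +40,3 @@ private-dev
 private-lib libfakeroot
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp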
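--- a/etc/pdfchain.profile
+++ b/etc/pdfchain.profile
@@ -9,6 +9,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -38,5 +39,3 @@ private-etc alternatives,dconf,fonts,gtk-3.0,xdg
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp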
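--- a/etc/server.profile
+++ b/etc/server.profile
@@ -17,10 +17,11 @@ noblacklist /usr/sbin
 
 include disable-common.inc
 # include disable-devel.inc
+# include disable-exec.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-#include disable-xdg.inc
+# include disable-xdg.inc
 
 caps
 # ipc-namespace
@@ -48,5 +49,3 @@ private-dev
 private-tmp
 
 # memory-deny-write-execute
-# noexec ${HOME}
-# noexec /tmp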
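--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -12,6 +12,7 @@ noblacklist /tmp/ssh-*
 noblacklist ${HOME}/.ssh
 
 include disable-common.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
@@ -36,6 +37,4 @@ private-dev
 # private-tmp # Breaks when exiting
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 writable-run-user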
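Review bot: Including disable-exec.inc on new line 15 makes ${HOME} noexec, so any `ProxyCommand`, `LocalCommand` or `Match exec` helper the user keeps under the home directory (a common place for per-host wrapper scripts) will now fail to execute inside the sandbox, and the hunk gives no hint that this trade-off was weighed. If it is intended, a one-line note next to the include saves the next person a debugging session, e.g. `# disable-exec.inc: helper scripts referenced from ~/.ssh/config must live outside ${HOME}`. The `writable-run-user` line at the end still combines with the include's `noexec ${RUNUSER}`; as far as I can tell the agent sockets there need write access but no exec bit, but that is worth a quick check.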
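--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -5,9 +5,11 @@ include start-tor-browser.local
 # Persistent global definitions
 include globals.local
 
+ignore noexec ${HOME}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -36,5 +38,3 @@ private-bin bash,sh,grep,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,r
 private-dev
 private-etc alternatives,fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id,ld.so.cache
 private-tmp
-
-noexec /tmp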
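Review bot: The new `ignore noexec ${HOME}` on line 8 carries no explanation, yet it cancels the strongest line of the disable-exec.inc include added four lines below, so a reader cannot tell whether it is deliberate or a leftover; presumably Tor Browser is installed and launched from under the home directory, but that is inferred, not shown here. A comment on the line itself would settle it and also protect the ordering it depends on, e.g. `# Tor Browser runs from ${HOME}; keep it executable (this ignore must precede the include below)`. The rest of disable-exec.inc still applies, so the profile now gains `noexec /var`, `noexec /dev/shm` and `noexec ${RUNUSER}` it did not have before; worth confirming the start script's `private-bin` tools do not exec anything from those paths.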
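--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -8,6 +8,7 @@ include strings.local
 #include globals.local
 
 blacklist /tmp/.X11-unix
+include disable-exec.inc
 
 ignore noroot
 net none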
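Review bot: The include on new line 11 is dropped directly under `blacklist /tmp/.X11-unix` rather than given the blank-line-separated `include disable-*.inc` stanza every other profile in this commit uses, and line 8 still spells `#include globals.local` without the space that the same commit normalizes in default.profile and server.profile. Two small moves keep this file consistent with the rest of the change: `# include globals.local` on line 8, and the include on its own stanza after the blacklist line. Neither affects behavior.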