From 1edc42036e632de5c5e620bbb5044d932e0d37c4 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Thu, 21 Sep 2017 16:27:39 +0200
Subject: harden corebird
---
 etc/corebird.profile | 14 ++++++++++++++
 etc/disable-programs.inc | 1 +
 2 files changed, 15 insertions(+)
diff --git a/etc/corebird.profile b/etc/corebird.profile
index 87f7a970b..99a3335ef 100644
--- a/etc/corebird.profile
+++ b/etc/corebird.profile
@@ -5,16 +5,30 @@ include /etc/firejail/corebird.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+noblacklist ~/.config/corebird
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd
+nogroups
+nonewprivs
 noroot
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
+shell none
+
+private-bin corebird
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 88b7e7d32..615e28172 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -82,6 +82,7 @@ blacklist ${HOME}/.config/chromium-dev
 blacklist ${HOME}/.config/chromium-flags.conf
 blacklist ${HOME}/.config/clipit
 blacklist ${HOME}/.config/cmus
+blacklist ${HOME}/.config/corebird
 blacklist ${HOME}/.config/darktable
 blacklist ${HOME}/.config/deadbeef
 blacklist ${HOME}/.config/deluge
-- 
cgit v1.2.3-54-g00ecf
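Review bot: The exemption `noblacklist ~/.config/corebird` in etc/corebird.profile is spelled with `~`, while the matching entry this commit adds to etc/disable-programs.inc is `blacklist ${HOME}/.config/corebird`. Writing it as `noblacklist ${HOME}/.config/corebird` keeps the pair in one form and greppable, so a later rename of one is less likely to miss the other. The exemption only takes effect because it sits above the `include /etc/firejail/disable-programs.inc` line, and a short comment such as `# must stay above the disable-*.inc includes` would protect that ordering from later reshuffling. Separately, the lines visible here add no home-directory whitelist, so any part of the home directory that the disable-*.inc files do not name presumably stays readable to the client. `noexec ${HOME}` restricts execution only, not reads.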