From 28faab8af4d2ea0699fbb09b0345f2c68d5ad382 Mon Sep 17 00:00:00 2001 From: Chiraag Nataraj Date: Sat, 16 Sep 2017 14:24:54 -0400 Subject: Harden 10 profiles --- etc/akregator.profile | 7 +++++++ etc/darktable.profile | 1 + etc/dia.profile | 1 + etc/hugin.profile | 1 + etc/inkscape.profile | 1 + etc/luminance-hdr.profile | 1 + etc/pidgin.profile | 3 +++ etc/scribus.profile | 1 + etc/skype.profile | 1 + etc/synfigstudio.profile | 1 + 10 files changed, 18 insertions(+) diff --git a/etc/akregator.profile b/etc/akregator.profile index 12bb06fb5..55434e45b 100644 --- a/etc/akregator.profile +++ b/etc/akregator.profile @@ -13,6 +13,12 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +mkfile ${HOME}/.config/akregatorrc +mkdir ${HOME}/.local/share/akregator +whitelist ${HOME}/.config/akregatorrc +whitelist ${HOME}/.local/share/akregator +include /etc/firejail/whitelist-common.inc + caps.drop all netfilter no3d @@ -27,6 +33,7 @@ seccomp shell none disable-mnt +private-bin akregator,akregatorstorageexporter,dbus-launch,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper private-dev private-tmp diff --git a/etc/darktable.profile b/etc/darktable.profile index e04163486..c2dc0b42c 100644 --- a/etc/darktable.profile +++ b/etc/darktable.profile @@ -26,6 +26,7 @@ protocol unix,inet,inet6 seccomp shell none +#private-bin darktable private-dev private-tmp diff --git a/etc/dia.profile b/etc/dia.profile index a625ab36d..abe83ac8c 100644 --- a/etc/dia.profile +++ b/etc/dia.profile @@ -27,6 +27,7 @@ seccomp shell none disable-mnt +#private-bin dia private-dev private-tmp diff --git a/etc/hugin.profile b/etc/hugin.profile index d3cd181b1..ff88e0d5c 100644 --- a/etc/hugin.profile +++ b/etc/hugin.profile 
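Review bot: In the first hunk of etc/akregator.profile the new whitelist covers only the KF5 locations (`${HOME}/.config/akregatorrc` and `${HOME}/.local/share/akregator`), while the `private-bin` line added further down in the same file also admits `kdeinit4`, `kshell4` and their wrappers. If KDE4 builds are meant to be supported, their data directory (presumably under `${HOME}/.kde`) is not whitelisted, so such a build would start on an empty tmpfs-backed home and lose feeds and settings on exit. Either add the KDE4 paths with matching `mkdir`/`whitelist` lines or drop the KDE4 helpers from `private-bin`; a comment such as `# KF5 paths only; KDE4 builds keep their data elsewhere` would at least record the choice. The profile continues outside this hunk, so a matching `noblacklist` for these paths cannot be checked from here.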
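Review bot: The `private-bin` line added in the second hunk of etc/akregator.profile lists only Akregator and the KDE launcher helpers, so no other program is visible in the sandbox's bin directories; a feed link handed to an external browser would presumably fail to open. That is a reasonable trade-off for a program that renders remote content, but it is silent and should be recorded next to the directive, e.g. `# private-bin hides external browsers; links open in the built-in viewer only`. The list would also be easier to audit in alphabetical order.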
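Review bot: The `#private-bin darktable` line added to etc/darktable.profile is commented out, so it changes nothing at run time; the same holds for the `#private-bin` lines added to the dia, inkscape, luminance-hdr, scribus, skype and synfigstudio profiles. A reader cannot tell whether the directive was tested and broke the program or was never tried, yet the commit subject counts these files as hardened. State the reason beside each one, for example `# private-bin disabled: <what fails when enabled>`, or enable the directive where it works.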
@@ -25,6 +25,7 @@ protocol unix seccomp shell none +private-bin PTBatcherGUI,calibrate_lens_gui,hugin,hugin_stitch_project,align_image_stack,autooptimiser,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,fulla,geocpset,hugin_executor,hugin_hdrmerge,hugin_lensdb,icpfind,linefind,nona,pano_modify,pano_trafo,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,tca_correct,verdandi,vig_optimize,enblend private-dev private-tmp diff --git a/etc/inkscape.profile b/etc/inkscape.profile index 3266d8230..c062ab8ef 100644 --- a/etc/inkscape.profile +++ b/etc/inkscape.profile @@ -27,6 +27,7 @@ protocol unix seccomp shell none +#private-bin inkscape private-dev private-tmp diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile index bd32e0c70..ec2a65290 100644 --- a/etc/luminance-hdr.profile +++ b/etc/luminance-hdr.profile @@ -26,6 +26,7 @@ seccomp shell none tracelog +#private-bin luminance-hdr,luminance-hdr-cli,align_image_stack private-dev private-tmp diff --git a/etc/pidgin.profile b/etc/pidgin.profile index dd610920a..d195cf586 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile @@ -27,3 +27,6 @@ tracelog private-bin pidgin private-dev private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/scribus.profile b/etc/scribus.profile index e4c88be49..dd06fa59f 100644 --- a/etc/scribus.profile +++ b/etc/scribus.profile @@ -38,5 +38,6 @@ protocol unix seccomp tracelog +#private-bin scribus,gs private-dev # private-tmp diff --git a/etc/skype.profile b/etc/skype.profile index f3e504a3f..b12f9879e 100644 --- a/etc/skype.profile +++ b/etc/skype.profile @@ -24,6 +24,7 @@ seccomp shell none disable-mnt +#private-bin skype,bash private-dev private-tmp diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile index 08ece1e9b..b0014ace6 100644 --- a/etc/synfigstudio.profile +++ b/etc/synfigstudio.profile @@ -26,6 +26,7 @@ protocol unix seccomp shell none +#private-bin synfigstudio private-dev private-tmp -- cgit v1.2.3-54-g00ecf
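Review bot: The `private-bin` allowlist added to etc/hugin.profile includes `enblend` but not `enfuse`, which Hugin's stitcher normally calls for exposure-fused output, so that output mode would likely fail inside the sandbox; this should be confirmed against the binaries the package installs. If it is needed, extend the tail of the list to `...,vig_optimize,enblend,enfuse`. An external metadata tool such as `exiftool` would be hidden as well, and would need its interpreter listed too. A list this long is easier to keep current when sorted alphabetically and preceded by a comment naming the package it mirrors.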
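Review bot: `noexec ${HOME}` in etc/pidgin.profile also stops the dynamic loader from mapping shared objects out of the home directory, so plugins a user installed under `~/.purple/plugins` will no longer load. That follows from the hardening and is a sensible default, but nothing in the profile says so; add a comment such as `# noexec ${HOME}: per-user plugins in ~/.purple/plugins will not load, install them system-wide`. The `noexec /tmp` line acts on the private tmpfs set up by `private-tmp` in the context above it; other writable locations lie outside this hunk and cannot be checked from here.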
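Review bot: The commented `#private-bin skype,bash` in etc/skype.profile would, once enabled, place a shell inside the sandbox's bin directory. `shell none` in the context above only controls how firejail starts the program; it does not stop the program from executing `bash` if the binary is present. Before enabling the line, check whether the Skype launcher really needs the shell and record why next to it, e.g. `# bash required by <launcher script>`.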