From 4f238b75de05d91f200305335da1f019810ac149 Mon Sep 17 00:00:00 2001
From: Tad
Date: Mon, 17 Apr 2017 17:11:24 -0400
Subject: Harden more profiles

---
 etc/bleachbit.profile | 1 +
 etc/bless.profile | 1 +
 etc/chromium.profile | 15 +++++++++++----
 etc/dino.profile | 1 +
 etc/eog.profile | 1 +
 etc/evince.profile | 1 +
 etc/evolution.profile | 1 +
 etc/file-roller.profile | 1 +
 etc/firefox.profile | 2 ++
 etc/gedit.profile | 1 +
 etc/gimp.profile | 1 +
 etc/gnome-calculator.profile | 1 +
 etc/hexchat.profile | 1 +
 etc/jd-gui.profile | 1 +
 etc/lollypop.profile | 1 +
 etc/multimc5.profile | 1 +
 etc/mumble.profile | 1 +
 etc/pdfsam.profile | 1 +
 etc/pithos.profile | 1 +
 etc/polari.profile | 11 +++++++++++
 etc/ssh.profile | 1 +
 etc/steam.profile | 1 +
 etc/totem.profile | 1 +
 etc/vlc.profile | 1 +
 etc/wget.profile | 1 +
 etc/wireshark.profile | 1 +
 etc/xonotic.profile | 1 +
 27 files changed, 48 insertions(+), 4 deletions(-)

diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile
index 7ea55f505..fe08de40e 100644
--- a/etc/bleachbit.profile
+++ b/etc/bleachbit.profile
@@ -9,6 +9,7 @@
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+ipc-namespace
 net none
 netfilter
 no3d
diff --git a/etc/bless.profile b/etc/bless.profile
index 869f13cc0..f4b5c2e2f 100644
--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -17,6 +17,7 @@
 include /etc/firejail/disable-devel.inc
 #Options
 caps.drop all
+ipc-namespace
 net none
 netfilter
 no3d
diff --git a/etc/chromium.profile b/etc/chromium.profile
index 995c0001b..071c8a18a 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -8,12 +8,8 @@
 noblacklist ~/.cache/chromium
 noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
-
 # chromium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
-#
-
-netfilter
 whitelist ${DOWNLOADS}
 mkdir ~/.config/chromium
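Review bot: The `+ipc-namespace` line added after `caps.drop all` in bleachbit.profile, and the identical one-line hunks in bless, dino, eog, evince, evolution, file-roller, gedit, gimp, gnome-calculator, hexchat, jd-gui, lollypop, multimc5, mumble, pdfsam, pithos, ssh, steam, totem, vlc, wget, wireshark and xonotic, carry no record of what was tested, and the option is not free for X11 clients. A separate IPC namespace isolates the sandbox's System V shared memory from the X server, so applications that use MIT-SHM for image or video transfer may lose that path or fail to start; the media players and games in this set (totem, vlc, mumble, steam, xonotic) are the most exposed, while ssh and wget have little to lose. The evince hunk already shows how a per-profile exception is recorded, `#net none - creates some problems on some distributions`; a profile that breaks under this option should get the same treatment, e.g. `#ipc-namespace - breaks MIT-SHM on <distro>` (placeholder), rather than a silent revert later.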
@@ -27,3 +23,14 @@
 whitelist ~/.pki
 whitelist ~/.config/chromium-flags.conf
 include /etc/firejail/whitelist-common.inc
+
+ipc-namespace
+netfilter
+nogroups
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/dino.profile b/etc/dino.profile
index 3de858618..5f587ef8a 100644
--- a/etc/dino.profile
+++ b/etc/dino.profile
@@ -16,6 +16,7 @@
 whitelist ${HOME}/.local/share/dino
 include /etc/firejail/whitelist-common.inc
 caps.drop all
+ipc-namespace
 netfilter
 no3d
 nogroups
diff --git a/etc/eog.profile b/etc/eog.profile
index 7c2cd557c..32ceebb1d 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -11,6 +11,7 @@
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+ipc-namespace
 net none
 netfilter
 no3d
diff --git a/etc/evince.profile b/etc/evince.profile
index ae50425b9..508a0d1a5 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -11,6 +11,7 @@
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+ipc-namespace
 netfilter
 #net none - creates some problems on some distributions
 no3d
diff --git a/etc/evolution.profile b/etc/evolution.profile
index 04bf480ff..6fe58cbf9 100644
--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -20,6 +20,7 @@
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+ipc-namespace
 netfilter
 no3d
 nogroups
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index a3f687651..6bc74c79d 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -9,6 +9,7 @@
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+ipc-namespace
 net none
 netfilter
 no3d
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 4d96c05c8..0013062a5 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
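Review bot: The new option block at the end of chromium.profile adds `private-dev` and `nogroups` together with `noexec ${HOME}`, yet unlike every other profile in this commit it contains no `caps.drop all`, `nonewprivs`, `noroot` or `seccomp`, and none of them appear in the visible context of either chromium hunk; if they are deliberately omitted because Chromium's own sandbox needs those privileges (or they sit in the unseen lines 20-26), a comment saying so would keep the next hardening pass from adding them blindly. `private-dev` replaces /dev with a minimal set and `nogroups` drops supplementary groups, so camera, microphone and GPU access that depends on `video`/`audio` group membership or on device nodes outside that set may stop working, and this wants a WebRTC and GPU test before the profile ships. `noexec ${HOME}` will also block native-messaging hosts installed under the home directory, which is probably acceptable but worth a one-line comment. firefox.profile in the same commit gets `nogroups` and has the same device-group exposure, while vlc.profile keeps it commented out as `# nogroups`, which suggests the groups were needed there.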
@@ -16,7 +16,9 @@
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
+ipc-namespace
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
diff --git a/etc/gedit.profile b/etc/gedit.profile
index 07bdb1bbe..2c429c808 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -14,6 +14,7 @@
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+ipc-namespace
 netfilter
 net none
 no3d
diff --git a/etc/gimp.profile b/etc/gimp.profile
index 5f8ccb4fb..59d88e9ec 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -9,6 +9,7 @@
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+ipc-namespace
 netfilter
 net none
 nogroups
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index e9366f07d..28f0d646c 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -16,6 +16,7 @@
 include /etc/firejail/whitelist-common.inc
 #Options
 caps.drop all
+ipc-namespace
 netfilter
 #net none
 no3d
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index d24f492d8..18cbcea5c 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -12,6 +12,7 @@
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
+ipc-namespace
 netfilter
 no3d
 nogroups
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
index 6ff618187..61841e2c5 100644
--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -16,6 +16,7 @@
 include /etc/firejail/disable-devel.inc
 #Options
 caps.drop all
+ipc-namespace
 net none
 netfilter
 no3d
diff --git a/etc/lollypop.profile b/etc/lollypop.profile
index e84118b9e..d6d2cdd73 100644
--- a/etc/lollypop.profile
+++ b/etc/lollypop.profile
@@ -17,6 +17,7 @@
 include /etc/firejail/disable-devel.inc
 #Options
 caps.drop all
+ipc-namespace
 netfilter
 no3d
 nogroups
diff --git a/etc/multimc5.profile b/etc/multimc5.profile
index 12a7646ae..4b561405b 100644
--- a/etc/multimc5.profile
+++ b/etc/multimc5.profile
@@ -25,6 +25,7 @@
 include /etc/firejail/whitelist-common.inc
 #Options
 caps.drop all
+ipc-namespace
 netfilter
 nogroups
 nonewprivs
diff --git a/etc/mumble.profile b/etc/mumble.profile
index c5c6a4d1a..19d7a131a 100644
--- a/etc/mumble.profile
+++ b/etc/mumble.profile
@@ -17,6 +17,7 @@
 whitelist ${HOME}/.local/share/data/Mumble
 include /etc/firejail/whitelist-common.inc
 caps.drop all
+ipc-namespace
 netfilter
 no3d
 nonewprivs
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
index dfe463c98..db8aacaa5 100644
--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -14,6 +14,7 @@
 include /etc/firejail/disable-devel.inc
 #Options
 caps.drop all
+ipc-namespace
 net none
 netfilter
 no3d
diff --git a/etc/pithos.profile b/etc/pithos.profile
index c25b5772b..f599283fb 100644
--- a/etc/pithos.profile
+++ b/etc/pithos.profile
@@ -16,6 +16,7 @@
 include /etc/firejail/whitelist-common.inc
 #Options
 caps.drop all
+ipc-namespace
 netfilter
 no3d
 nogroups
diff --git a/etc/polari.profile b/etc/polari.profile
index 834a8b3d6..db5fc9487 100644
--- a/etc/polari.profile
+++ b/etc/polari.profile
@@ -23,7 +23,18 @@
 include /etc/firejail/whitelist-common.inc
 caps.drop all
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
+nosound
 protocol unix,inet,inet6
 seccomp
+shell none
+tracelog
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/ssh.profile b/etc/ssh.profile
index 425841399..f9750972f 100644
--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -13,6 +13,7 @@
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+ipc-namespace
 netfilter
 no3d
 nogroups
diff --git a/etc/steam.profile b/etc/steam.profile
index 536588e4b..eef91a0d5 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -11,6 +11,7 @@
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+ipc-namespace
 netfilter
 nogroups
 nonewprivs
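Review bot: polari.profile is the only profile in this commit that receives a new option block without `ipc-namespace`, although its context lines (`caps.drop all`, `netfilter`, `nonewprivs`, `noroot`, `seccomp`) match the profiles that got it; if it was left out because Polari failed under it, a `#ipc-namespace - <reason>` line (placeholder) would record that, otherwise the line should be added for consistency. `tracelog` is a diagnostic option that writes blacklist-violation records to syslog rather than a restriction, so it should be confirmed as intentional for a shipped profile and not a leftover from testing the new `noexec` and `private-*` lines. `nosound` will also silence Polari's notification sounds, a behavioural change for a chat client that the subject `Harden more profiles` does not mention and that deserves a comment next to the option.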
diff --git a/etc/totem.profile b/etc/totem.profile
index fadfbb00b..d280296f0 100644
--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -12,6 +12,7 @@
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+ipc-namespace
 netfilter
 nogroups
 nonewprivs
diff --git a/etc/vlc.profile b/etc/vlc.profile
index 21282dfbd..5d759ffd4 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -11,6 +11,7 @@
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+ipc-namespace
 netfilter
 # nogroups
 nonewprivs
diff --git a/etc/wget.profile b/etc/wget.profile
index 3ba97d95d..52c8b68a1 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -9,6 +9,7 @@
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+ipc-namespace
 netfilter
 no3d
 nogroups
diff --git a/etc/wireshark.profile b/etc/wireshark.profile
index dc224b31c..45ccfb89a 100644
--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -17,6 +17,7 @@
 include /etc/firejail/disable-passwdmgr.inc
 #noroot
 #protocol unix,inet,inet6,netlink
+ipc-namespace
 netfilter
 no3d
 nogroups
diff --git a/etc/xonotic.profile b/etc/xonotic.profile
index 6bfb26484..0bf372fc6 100644
--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -22,6 +22,7 @@
 include /etc/firejail/whitelist-common.inc
 #Options
 caps.drop all
+ipc-namespace
 netfilter
 nogroups
 nonewprivs
--
cgit v1.2.3-54-g00ecf