From 4f36b7246a74ecd3c2599292677ed82d96130801 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Thu, 24 Sep 2015 08:03:57 -0400
Subject: security profile work
---
 RELNOTES | 9 +++++----
 etc/audacious.profile | 4 ++++
 etc/clementine.profile | 4 ++++
 etc/deadbeef.profile | 4 ++++
 etc/deluge.profile | 4 ++++
 etc/disable-secret.inc | 1 -
 etc/dropbox.profile | 4 ++++
 etc/evince.profile | 4 ++++
 etc/fbreader.profile | 4 ++++
 etc/generic.profile | 5 ++++-
 etc/gnome-mplayer.profile | 4 ++++
 etc/qbittorrent.profile | 4 ++++
 etc/rhythmbox.profile | 4 ++++
 etc/totem.profile | 4 ++++
 etc/transmission-gtk.profile | 4 ++++
 etc/transmission-qt.profile | 6 +++++-
 etc/vlc.profile | 4 ++++
 17 files changed, 66 insertions(+), 7 deletions(-)
diff --git a/RELNOTES b/RELNOTES
index 87497e538..483b4cfa6 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,11 +1,12 @@
-ffirejail (0.9.31) baseline; urgency=low
- * disable X11 autostart folders in default profiles
- * disable subversion and git config files in home directory
+firejail (0.9.31) baseline; urgency=low
+ * lots of security profile changes
  * added FBReader default profile
+ * added --interface option
+ * bugfixes
  -- netblue30 current development
-irejail (0.9.30) baseline; urgency=low
+firejail (0.9.30) baseline; urgency=low
  * added a disable-history.inc profile as a result of Firefox PDF.js exploit; disable-history.inc included in all default profiles
  * Firefox PDF.js exploit (CVE-2015-4495) fixes
diff --git a/etc/audacious.profile b/etc/audacious.profile
index 923b70184..5f870c8ab 100644
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -3,6 +3,10 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-history.inc
+blacklist ${HOME}/.pki/nssdb
+blacklist {HOME}/.lastpass
+blacklist {HOME}/.keepassx
+blacklist {HOME}/.password-store
 caps.drop all
 seccomp
 noroot
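Review bot: Three of the four added lines are missing the `$` of the home-directory variable: `blacklist {HOME}/.lastpass`, `blacklist {HOME}/.keepassx` and `blacklist {HOME}/.password-store`, while the first added line and every entry in disable-secret.inc spell it `${HOME}`. Without the `$`, `{HOME}` is presumably not expanded and each entry names a literal relative path that does not exist, so the LastPass, KeePassX and pass directories stay reachable from inside the sandbox even though the profile reads as if it blocks them. The fix is the one-character change on each line, `blacklist ${HOME}/.lastpass`, `blacklist ${HOME}/.keepassx`, `blacklist ${HOME}/.password-store`; the same typo is pasted into the clementine, deadbeef, deluge, dropbox, evince, fbreader, generic, gnome-mplayer, qbittorrent, rhythmbox, totem, transmission-gtk, transmission-qt and vlc hunks. Since all of these profiles already include disable-secret.inc, and this commit removes `blacklist ${HOME}/.pki/nssdb` from that include, placing the four lines there instead would cover every profile that includes it and leave a single place to correct.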
diff --git a/etc/clementine.profile b/etc/clementine.profile
index 47c40506a..b972c18ff 100644
--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -3,6 +3,10 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-history.inc
+blacklist ${HOME}/.pki/nssdb
+blacklist {HOME}/.lastpass
+blacklist {HOME}/.keepassx
+blacklist {HOME}/.password-store
 caps.drop all
 seccomp
 noroot
diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile
index 68027bd7c..d25db072c 100644
--- a/etc/deadbeef.profile
+++ b/etc/deadbeef.profile
@@ -3,6 +3,10 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-history.inc
+blacklist ${HOME}/.pki/nssdb
+blacklist {HOME}/.lastpass
+blacklist {HOME}/.keepassx
+blacklist {HOME}/.password-store
 caps.drop all
 seccomp
 noroot
diff --git a/etc/deluge.profile b/etc/deluge.profile
index 24a082099..b54e31cfa 100644
--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -3,6 +3,10 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-history.inc
+blacklist ${HOME}/.pki/nssdb
+blacklist {HOME}/.lastpass
+blacklist {HOME}/.keepassx
+blacklist {HOME}/.password-store
 caps.drop all
 seccomp
 netfilter
diff --git a/etc/disable-secret.inc b/etc/disable-secret.inc
index 8ac1b3792..1042582a0 100644
--- a/etc/disable-secret.inc
+++ b/etc/disable-secret.inc
@@ -4,6 +4,5 @@ tmpfs ${HOME}/.gnome2_private
 blacklist ${HOME}/.gnome2/keyrings
 blacklist ${HOME}/kde4/share/apps/kwallet
 blacklist ${HOME}/kde/share/apps/kwallet
-blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.gnupg
 blacklist ${HOME}/.local/share/recently-used.xbel
diff --git a/etc/dropbox.profile b/etc/dropbox.profile
index 008660f77..76723eb38 100644
--- a/etc/dropbox.profile
+++ b/etc/dropbox.profile
@@ -3,6 +3,10 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-history.inc
+blacklist ${HOME}/.pki/nssdb
+blacklist {HOME}/.lastpass
+blacklist {HOME}/.keepassx
+blacklist {HOME}/.password-store
 caps
 seccomp
 noroot
diff --git a/etc/evince.profile b/etc/evince.profile
index 023fd2444..a79c4cf54 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -3,6 +3,10 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-history.inc
+blacklist ${HOME}/.pki/nssdb
+blacklist {HOME}/.lastpass
+blacklist {HOME}/.keepassx
+blacklist {HOME}/.password-store
 caps.drop all
 seccomp
 noroot
diff --git a/etc/fbreader.profile b/etc/fbreader.profile
index 97baa2a3e..bf707d8ca 100644
--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -4,6 +4,10 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-history.inc
+blacklist ${HOME}/.pki/nssdb
+blacklist {HOME}/.lastpass
+blacklist {HOME}/.keepassx
+blacklist {HOME}/.password-store
 caps.drop all
 seccomp
 netfilter
diff --git a/etc/generic.profile b/etc/generic.profile
index f1c6af30d..c5dfb7929 100644
--- a/etc/generic.profile
+++ b/etc/generic.profile
@@ -5,7 +5,10 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-history.inc
-
+blacklist ${HOME}/.pki/nssdb
+blacklist {HOME}/.lastpass
+blacklist {HOME}/.keepassx
+blacklist {HOME}/.password-store
 caps.drop all
 seccomp
 netfilter
diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile
index 4be1c1093..201af5007 100644
--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -3,6 +3,10 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-history.inc
+blacklist ${HOME}/.pki/nssdb
+blacklist {HOME}/.lastpass
+blacklist {HOME}/.keepassx
+blacklist {HOME}/.password-store
 caps.drop all
 seccomp
 noroot
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index dd7be997c..b4c2c91c7 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -3,6 +3,10 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-history.inc
+blacklist ${HOME}/.pki/nssdb
+blacklist {HOME}/.lastpass
+blacklist {HOME}/.keepassx
+blacklist {HOME}/.password-store
 caps.drop all
 seccomp
 netfilter
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index f2870d543..e2cd0ef71 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -3,6 +3,10 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-history.inc
+blacklist ${HOME}/.pki/nssdb
+blacklist {HOME}/.lastpass
+blacklist {HOME}/.keepassx
+blacklist {HOME}/.password-store
 caps.drop all
 seccomp
 noroot
diff --git a/etc/totem.profile b/etc/totem.profile
index 6b26a4e0e..a6e26dbdb 100644
--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -3,6 +3,10 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-history.inc
+blacklist ${HOME}/.pki/nssdb
+blacklist {HOME}/.lastpass
+blacklist {HOME}/.keepassx
+blacklist {HOME}/.password-store
 caps.drop all
 seccomp
 noroot
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index dc1d9d524..525ee1785 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -3,6 +3,10 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-history.inc
+blacklist ${HOME}/.pki/nssdb
+blacklist {HOME}/.lastpass
+blacklist {HOME}/.keepassx
+blacklist {HOME}/.password-store
 caps.drop all
 seccomp
 netfilter
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index 64c2ba8ad..9857ac712 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -3,7 +3,11 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-history.inc
-caps.drop all
+cblacklist ${HOME}/.pki/nssdb
+blacklist {HOME}/.lastpass
+blacklist {HOME}/.keepassx
+blacklist {HOME}/.password-store
+aps.drop all
 seccomp
 netfilter
 noroot
diff --git a/etc/vlc.profile b/etc/vlc.profile
index 365ea838a..ef687abb7 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -3,6 +3,10 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-history.inc
+blacklist ${HOME}/.pki/nssdb
+blacklist {HOME}/.lastpass
+blacklist {HOME}/.keepassx
+blacklist {HOME}/.password-store
 caps.drop all
 seccomp
 noroot
--
cgit v1.2.3-70-g09d2
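Review bot: In the transmission-qt.profile hunk the pasted block was inserted inside the word `caps`, so the new file contains `cblacklist ${HOME}/.pki/nssdb` and `aps.drop all` where the removed `caps.drop all` used to be; neither is a directive the surrounding profiles use, and the profile no longer drops capabilities. The hunk should add `blacklist ${HOME}/.pki/nssdb` as its first new line and keep `caps.drop all` as a context line immediately before `seccomp`. Whether the profile loader rejects the two unknown lines or silently skips them, the capability drop is lost either way, and it is the one hardening setting this profile shares with every other profile in the commit. Loading each changed profile once before committing would catch this class of paste error.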