From 53dff25d69ad0d1a83dea3ce19d2d54210025f20 Mon Sep 17 00:00:00 2001
From: rusty-snake
Date: Fri, 12 Apr 2019 19:01:38 +0200
Subject: Harden bibletime.profile

---
 README                | 5 +++--
 README.md             | 2 +-
 RELNOTES              | 2 +-
 etc/bibletime.profile | 7 ++++++-
 4 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/README b/README
index 7e49d1429..7b7c36c17 100644
--- a/README
+++ b/README
@@ -544,13 +544,14 @@ rusty-snake (https://github.com/rusty-snake)
  - added profiles: thunderbird-wayland, supertuxkart, ghostwriter
  - added profiles: klavaro, mypaint, mypaint-ora-thumbnailer, nano
  - added profiles: gajim-history-manager, freemind, nomacs, kid3
- - added profiles: kid3-qt, kid3-cli, anki
+ - added profiles: kid3-qt, kid3-cli, anki, utox
  - fixed profiles: kdenlive, bibletime, rhythmbox, gajim, seahorse
  - fixed profiles: libreoffice, gnome-maps, wget, seahorse-tool
- - fixed profiles: gnome-logs
+ - fixed profiles: gnome-logs, klavaro
  - hardened profiles: disable-common.inc, disable-programs.inc
  - hardened profiles: gajim, evince, ffmpeg, feh-network.inc, qtox
  - hardened profiles: gnome-clocks, meld, minetest, youtube-dl
+ - hardened profiles: bibletime
  - gnome-mpv was renamed to celluloid
  - updates for ~/.cargo and ~/.python-history
 Salvo 'LtWorf' Tomaselli (https://github.com/ltworf)
diff --git a/README.md b/README.md
index 429f3362c..1a5b20a66 100644
--- a/README.md
+++ b/README.md
@@ -102,4 +102,4 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 ## Current development version: 0.9.59
 ## New profiles:
-anki, assogiate, autokey-gtk, autokey-qt, autokey-run, autokey-shell, bzflag, celluoid, code-oss, crawl, crawl-tiles, crow, d-feet, dconf, dconf-editor, devhelp, exfalso, font-manager, freeciv, freecol, freemind, gconf-editor, geekbench, gnome-keyring, gnome-nettool, gnome-system-log, gsettings, kid3, kid3-cli, kid3-qt, klavaro, lincity-ng, lugaru, Maelstrom, manaplus, megaglest, mpdris2, mypaint, nano, netactview, nomacs, nyx, opencity, openclonk, openttd, ostrichriders, pavucontrol, pioneer, pragha, redshift, regextester, seahorse, seahorse-tool, scorched3d, secret-tool, simplescreenrecorder, slashem, subdownloader, sysprof, sysprof-cli, teeworlds, torcs, tremulous, transgui, vulturesclaw, vultureseye, warsow, widelands, xfce4-mixer
+anki, assogiate, autokey-gtk, autokey-qt, autokey-run, autokey-shell, bzflag, celluoid, code-oss, crawl, crawl-tiles, crow, d-feet, dconf, dconf-editor, devhelp, exfalso, font-manager, freeciv, freecol, freemind, gconf-editor, geekbench, gnome-keyring, gnome-nettool, gnome-system-log, gsettings, kid3, kid3-cli, kid3-qt, klavaro, lincity-ng, lugaru, Maelstrom, manaplus, megaglest, mpdris2, mypaint, nano, netactview, nomacs, nyx, opencity, openclonk, openttd, ostrichriders, pavucontrol, pioneer, pragha, redshift, regextester, seahorse, seahorse-tool, scorched3d, secret-tool, simplescreenrecorder, slashem, subdownloader, sysprof, sysprof-cli, teeworlds, torcs, tremulous, transgui, utox, vulturesclaw, vultureseye, warsow, widelands, xfce4-mixer
diff --git a/RELNOTES b/RELNOTES
index a3cf6bea0..80b5e58ff 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -11,7 +11,7 @@ firejail (0.9.59) baseline; urgency=low
  * new profiles: teeworlds, torcs, tremulous, warsow, lugaru, manaplus
  * new profiles: pioneer, scorched3d, widelands, freemind, kid3, kid3-qt
  * new profiles: kid3-cli, nomacs, freecol, opencity, openclonk, slashem
- * new profiles: vultureseye, vulturesclaw, anki
+ * new profiles: vultureseye, vulturesclaw, anki, utox
  * new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell
  * memory-deny-write-execute now also blocks memfd_create
  * drop support for flatpak/snap packages
diff --git a/etc/bibletime.profile b/etc/bibletime.profile
index 6e40054f7..c41aafd47 100644
--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -14,6 +14,7 @@ noblacklist ${HOME}/.local/share/bibletime
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -25,7 +26,9 @@ whitelist ${HOME}/.bibletime
 whitelist ${HOME}/.sword
 whitelist ${HOME}/.local/share/bibletime
 include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
 caps.drop all
 machine-id
 netfilter
@@ -42,7 +45,9 @@ protocol unix,inet,inet6,netlink
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vmsplice
 shell none
+disable-mnt
 # private-bin bibletime,qt5ct
+private-cache
 private-dev
-private-etc alternatives,fonts,resolv.conf,sword,sword.conf,passwd,machine-id,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,ca-certificates,crypto-policies,fonts,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf
 private-tmp
-- 
cgit v1.2.3-70-g09d2
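Review bot: The rewritten `private-etc` line in the last hunk keeps `resolv.conf` but carries neither `hosts` nor `nsswitch.conf`, while the profile still allows `protocol unix,inet,inet6,netlink` with `netfilter`, so name lookups inside the sandbox fall back to glibc's compiled-in NSS defaults instead of the host's configuration; unless SWORD module downloads from inside the sandbox have been re-tested after this change, consider `private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl,sword,sword.conf`. The newly added `login.defs` entry has no note on which component reads it, which makes later pruning of the list guesswork — a one-line comment above it naming the consumer would help. `disable-mnt` is also new here; if installing SWORD modules from a local directory on removable media under /media or /mnt is a workflow users rely on, those mounts will no longer be visible in the sandbox and that deserves a comment in the profile. The `# private-bin bibletime,qt5ct` line stays commented out with no recorded reason; with `disable-exec.inc` now included, the whole of /usr/bin remaining executable is the largest remaining gap, so either re-test `private-bin` or note why it is disabled.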