From a21920e63219fc54f43265ad105ece3becec27a9 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Mon, 21 Mar 2022 07:53:51 +0000
Subject: ping: extra hardening

---
 etc/profile-m-z/ping.profile | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/etc/profile-m-z/ping.profile b/etc/profile-m-z/ping.profile
index b4923c38a..1b9ce2d2c 100644
--- a/etc/profile-m-z/ping.profile
+++ b/etc/profile-m-z/ping.profile
@@ -7,23 +7,30 @@ include ping.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+# Add the next line to your ping.local if your kernel allows unprivileged userns clone.
+include ping-hardened.inc.profile
+
 apparmor
 caps.keep net_raw
 ipc-namespace
+machine-id
 #net tun0
 #netfilter /etc/firejail/ping.net
 netfilter
@@ -31,8 +38,9 @@ no3d
 nodvd
 nogroups
 noinput
-# ping needs to rise privileges, noroot and nonewprivs will kill it
+# ping needs to raise privileges, nonewprivs and noroot will kill it
 #nonewprivs
+noprinters
 #noroot
 nosound
 notv
@@ -40,15 +48,18 @@ nou2f
 novideo
 # protocol command is built using seccomp; nonewprivs will kill it
 #protocol unix,inet,inet6,netlink,packet
-# killed by no-new-privs
 #seccomp
+shell none
+tracelog
 
 disable-mnt
 private
-#private-bin has mammoth problems with execvp: "No such file or directory"
+#private-bin ping - has mammoth problems with execvp: "No such file or directory"
+private-cache
 private-dev
 # /etc/hosts is required in private-etc; however, just adding it to the list doesn't solve the problem!
 #private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl
+private-lib
 private-tmp
 
 # memory-deny-write-execute is built using seccomp; nonewprivs will kill it
@@ -56,3 +67,5 @@ private-tmp
 
 dbus-user none
 dbus-system none
+
+read-only ${HOME}
-- 
cgit v1.2.3-54-g00ecf

From dd2b56c33306eeba442b4f9fca000a13d14ba39c Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Mon, 21 Mar 2022 07:59:08 +0000
Subject: Create ping-hardened.inc.profile

---
 etc/profile-m-z/ping-hardened.inc.profile | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 etc/profile-m-z/ping-hardened.inc.profile

diff --git a/etc/profile-m-z/ping-hardened.inc.profile b/etc/profile-m-z/ping-hardened.inc.profile
new file mode 100644
index 000000000..eda53654a
--- /dev/null
+++ b/etc/profile-m-z/ping-hardened.inc.profile
@@ -0,0 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include ping-hardened.inc.local
+
+caps.drop all
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+memory-deny-write-execute
-- 
cgit v1.2.3-54-g00ecf

From c5967dc4981eaf161e7dd766d97b88fc948a1421 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Mon, 21 Mar 2022 18:50:57 +0000
Subject: ping: fix hardening comment

---
 etc/profile-m-z/ping.profile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/etc/profile-m-z/ping.profile b/etc/profile-m-z/ping.profile
index 1b9ce2d2c..ed21bd1ce 100644
--- a/etc/profile-m-z/ping.profile
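Review bot: `caps.drop all` in the new ping-hardened.inc.profile wins over the `caps.keep net_raw` that ping.profile sets after the include point (and after the ping.local include the comment points users to), because firejail applies a drop-all before it considers any keep list, so with this include active the sandboxed ping has no CAP_NET_RAW and, given `nonewprivs` two lines later, cannot regain it through setuid or file capabilities. As far as I can tell ping then only works where the kernel lets unprivileged users open ICMP datagram sockets (the `net.ipv4.ping_group_range` sysctl), which is a different prerequisite from the "unprivileged userns clone" named in the ping.profile comment of the first commit; worth verifying on a kernel with that range at its default. The new file says nothing about when it can be included safely, so I would add after its line 3 a comment such as `# Only usable when unprivileged processes may open ICMP datagram sockets (net.ipv4.ping_group_range); under caps.drop all ping has no CAP_NET_RAW.`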
+++ b/etc/profile-m-z/ping.profile
@@ -25,7 +25,7 @@ include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 # Add the next line to your ping.local if your kernel allows unprivileged userns clone.
-include ping-hardened.inc.profile
+#include ping-hardened.inc.profile
 
 apparmor
 caps.keep net_raw
-- 
cgit v1.2.3-54-g00ecf