From 29ab333108072307c38e475e9a70c32fb5182ce6 Mon Sep 17 00:00:00 2001
From: valoq
Date: Wed, 21 Dec 2016 10:29:14 +0100
Subject: hardened various profiles
---
 etc/7z.profile | 5 +++++
 etc/cpio.profile | 3 ++-
 etc/exiftool.profile | 3 +++
 etc/gpg-agent.profile | 3 +++
 etc/gpg.profile | 3 +++
 etc/less.profile | 3 +++
 etc/mutt.profile | 3 +++
 etc/odt2txt.profile | 3 +++
 etc/pdftotext.profile | 3 +++
 etc/ssh-agent.profile | 3 +++
 etc/strings.profile | 3 ++-
 etc/tracker.profile | 3 +++
 etc/wget.profile | 2 ++
 etc/xpra.profile | 2 ++
 14 files changed, 40 insertions(+), 2 deletions(-)
diff --git a/etc/7z.profile b/etc/7z.profile
index 0cb72ff8d..319126540 100644
--- a/etc/7z.profile
+++ b/etc/7z.profile
@@ -1,9 +1,14 @@
 # 7zip crompression tool profile
 quiet
 ignore noroot
+
 include /etc/firejail/default.profile
+
+blacklist /tmp/.X11-unix
+
 tracelog
 net none
 shell none
 private-dev
 nosound
+no3d
diff --git a/etc/cpio.profile b/etc/cpio.profile
index 519bd244c..cf89acdac 100644
--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -16,6 +16,7 @@ shell none
 tracelog
 net none
 nosound
+no3d
-
+blacklist /tmp/.X11-unix
diff --git a/etc/exiftool.profile b/etc/exiftool.profile
index 384695473..1cae8c093 100644
--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -17,9 +17,12 @@ protocol unix
 seccomp
 netfilter
 net none
+no3d
 shell none
 tracelog
+blacklist /tmp/.X11-unix
+
 # private-bin exiftool,perl
 private-tmp
 private-dev
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile
index b0ebdf43c..59c7383d7 100644
--- a/etc/gpg-agent.profile
+++ b/etc/gpg-agent.profile
@@ -14,9 +14,12 @@ nosound
 protocol unix
 seccomp
 netfilter
+no3d
 shell none
 tracelog
+blacklist /tmp/.X11-unix
+
 # private-bin gpg-agent,gpg
 private-tmp
 private-dev
diff --git a/etc/gpg.profile b/etc/gpg.profile
index 31372eb90..d711c6f3e 100644
--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -15,9 +15,12 @@ protocol unix
 seccomp
 netfilter
 net none
+no3d
 shell none
 tracelog
+blacklist /tmp/.X11-unix
+
 # private-bin gpg,gpg-agent
 private-tmp
 private-dev
diff --git a/etc/less.profile b/etc/less.profile
index 08758aead..c01dfc466 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -5,7 +5,10 @@ include /etc/firejail/default.profile
 net none
 nosound
+no3d
 shell none
 tracelog
+blacklist /tmp/.X11-unix
+
 private-dev
diff --git a/etc/mutt.profile b/etc/mutt.profile
index 2718421c5..5a714de4a 100644
--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -33,8 +33,11 @@ nogroups
 nonewprivs
 noroot
 nosound
+no3d
 protocol unix,inet,inet6
 seccomp
 shell none
+blacklist /tmp/.X11-unix
+
 private-dev
diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile
index 329275022..c4e28f70e 100644
--- a/etc/odt2txt.profile
+++ b/etc/odt2txt.profile
@@ -13,9 +13,12 @@ protocol unix
 seccomp
 netfilter
 net none
+no3d
 shell none
 tracelog
+blacklist /tmp/.X11-unix
+
 private-bin odt2txt
 private-tmp
 private-dev
diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile
index 632c9d15e..fe9e9e3cd 100644
--- a/etc/pdftotext.profile
+++ b/etc/pdftotext.profile
@@ -13,9 +13,12 @@ protocol unix
 seccomp
 netfilter
 net none
+no3d
 shell none
 tracelog
+blacklist /tmp/.X11-unix
+
 private-bin pdftotext
 private-tmp
 private-dev
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile
index 548ede37d..bea3a6061 100644
--- a/etc/ssh-agent.profile
+++ b/etc/ssh-agent.profile
@@ -12,5 +12,8 @@ caps.drop all
 netfilter
 nonewprivs
 noroot
+no3d
 protocol unix,inet,inet6
 seccomp
+
+blacklist /tmp/.X11-unix
diff --git a/etc/strings.profile b/etc/strings.profile
index 2b7724b11..2bbab1366 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -7,5 +7,6 @@ net none
 nosound
 shell none
 tracelog
-
 private-dev
+no3d
+blacklist /tmp/.X11-unix
diff --git a/etc/tracker.profile b/etc/tracker.profile
index 217631216..7f4f371eb 100644
--- a/etc/tracker.profile
+++ b/etc/tracker.profile
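Review bot: The `blacklist /tmp/.X11-unix` added to mutt.profile in this hunk only hides the filesystem X11 socket; on Linux the X server typically also listens on an abstract-namespace unix socket, which X clients generally try first, and with `protocol unix,inet,inet6` kept and no `net none` visible here that path stays reachable. The same applies to the ssh-agent hunk below and to the wget, git, elinks, lynx and w3m hunks later in this series, which all retain network access, whereas the `net none` profiles (7z, cpio, gpg, less, odt2txt, pdftotext, strings) get full isolation because a network namespace also isolates abstract sockets. If the directive is meant as best-effort in the network-enabled profiles, a one-line comment above it would keep the next maintainer from assuming X11 is cut off, e.g. `# filesystem socket only: the abstract X11 socket remains reachable without net none`. The mutt profile continues outside both ends of the hunk, so an earlier X11-related directive cannot be ruled out from here.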
@@ -12,12 +12,15 @@ nogroups
 nonewprivs
 noroot
 nosound
+no3d
 protocol unix
 seccomp
 netfilter
 shell none
 tracelog
+blacklist /tmp/.X11-unix
+
 # private-bin tracker
 # private-tmp
 # private-dev
diff --git a/etc/wget.profile b/etc/wget.profile
index d9bca2acc..ff4b92bae 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -10,10 +10,12 @@ nonewprivs
 noroot
 nogroups
 nosound
+no3d
 protocol unix,inet,inet6
 seccomp
 shell none
+blacklist /tmp/.X11-unix
 # private-bin wget
 # private-etc resolv.conf
diff --git a/etc/xpra.profile b/etc/xpra.profile
index 8584e4e5b..32be90b19 100644
--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -14,6 +14,8 @@ shell none
 seccomp
 protocol unix,inet,inet6
+# blacklist /tmp/.X11-unix
+
 # private-bin
 private-dev
 private-tmp
-- 
cgit v1.2.3-54-g00ecf
From 77a97aae04c6ed92cc13779d6b4c25a5155a7315 Mon Sep 17 00:00:00 2001
From: valoq
Date: Wed, 21 Dec 2016 10:34:28 +0100
Subject: profile improvements
---
 etc/atool.profile | 3 +++
 etc/git.profile | 4 +++-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/etc/atool.profile b/etc/atool.profile
index 3fbfb9fc7..578a88fc7 100644
--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -13,9 +13,12 @@ protocol unix
 seccomp
 netfilter
 net none
+no3d
 shell none
 tracelog
+blacklist /tmp/.X11-unix
+
 # private-bin atool
 private-tmp
 private-dev
diff --git a/etc/git.profile b/etc/git.profile
index d60e58c03..80e534e20 100644
--- a/etc/git.profile
+++ b/etc/git.profile
@@ -12,15 +12,17 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
-
 caps.drop all
 netfilter
 nogroups
 nonewprivs
 noroot
 nosound
+no3d
 protocol unix,inet,inet6
 seccomp
 shell none
+blacklist /tmp/.X11-unix
+
 private-dev
-- 
cgit v1.2.3-54-g00ecf
From 4ed9a798064610c86cd9167fb098969dd6665b8f Mon Sep 17 00:00:00 2001
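Review bot: The `+# blacklist /tmp/.X11-unix` line added to xpra.profile is a commented-out directive with no explanation, so a later hardening pass is likely to enable it and break the program; presumably it is left off because xpra has to reach the X11 socket it proxies, but the hunk does not say so. A rationale comment in its place, e.g. `# blacklist /tmp/.X11-unix is intentionally not set: xpra proxies the X11 display and needs the socket`, records the intent without leaving dead configuration. The `+# private-etc none` line added to highlight.profile in the third patch of this series has the same problem and would benefit from the same treatment. The xpra hunk starts mid-file, so the rest of the profile is not visible here.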
From: valoq
Date: Wed, 21 Dec 2016 11:39:14 +0100
Subject: more profile improvements
---
 etc/elinks.profile | 3 +++
 etc/highlight.profile | 4 ++++
 etc/lynx.profile | 3 +++
 etc/mediainfo.profile | 3 +++
 etc/w3m.profile | 3 +++
 5 files changed, 16 insertions(+)
diff --git a/etc/elinks.profile b/etc/elinks.profile
index df817ea56..ade15f203 100644
--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@@ -11,12 +11,15 @@ nogroups
 nonewprivs
 noroot
 nosound
+no3d
 protocol unix,inet,inet6
 seccomp
 netfilter
 shell none
 tracelog
+blacklist /tmp/.X11-unix
+
 # private-bin elinks
 private-tmp
 private-dev
diff --git a/etc/highlight.profile b/etc/highlight.profile
index f95f3924a..4bab18349 100644
--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@@ -13,10 +13,14 @@ protocol unix
 seccomp
 netfilter
 net none
+no3d
 shell none
 tracelog
+blacklist /tmp/.X11-unix
+
 private-bin highlight
+# private-etc none
 private-tmp
 private-dev
diff --git a/etc/lynx.profile b/etc/lynx.profile
index 6e150f62e..3e8d72103 100644
--- a/etc/lynx.profile
+++ b/etc/lynx.profile
@@ -9,12 +9,15 @@ nogroups
 nonewprivs
 noroot
 nosound
+no3d
 protocol unix,inet,inet6
 seccomp
 netfilter
 shell none
 tracelog
+blacklist /tmp/.X11-unix
+
 # private-bin lynx
 private-tmp
 private-dev
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile
index c07a9a9e8..65d12c49e 100644
--- a/etc/mediainfo.profile
+++ b/etc/mediainfo.profile
@@ -9,6 +9,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+no3d
 protocol unix
 seccomp
 netfilter
@@ -16,6 +17,8 @@ net none
 shell none
 tracelog
+blacklist /tmp/.X11-unix
+
 private-bin mediainfo
 private-tmp
 private-dev
diff --git a/etc/w3m.profile b/etc/w3m.profile
index d765217cf..7ee91bb70 100644
--- a/etc/w3m.profile
+++ b/etc/w3m.profile
@@ -11,12 +11,15 @@ nogroups
 nonewprivs
 noroot
 nosound
+no3d
 protocol unix,inet,inet6
 seccomp
 netfilter
 shell none
 tracelog
+blacklist /tmp/.X11-unix
+
 # private-bin w3m
 private-tmp
 private-dev
-- 
cgit v1.2.3-54-g00ecf