From b7d51c2df6fb62d7830bdd3a873fff618adb00dc Mon Sep 17 00:00:00 2001
From: Tad
Date: Sat, 15 Apr 2017 16:07:25 -0400
Subject: Harden 19 more profiles
---
 etc/bless.profile | 1 +
 etc/eog.profile | 5 +++++
 etc/evince.profile | 4 ++++
 etc/evolution.profile | 5 +++++
 etc/file-roller.profile | 7 ++++++-
 etc/gedit.profile | 9 +++++++--
 etc/gimp.profile | 4 +++-
 etc/gnome-calculator.profile | 12 ++++++++++++
 etc/hexchat.profile | 4 ++++
 etc/jd-gui.profile | 1 +
 etc/keepass.profile | 8 ++++++--
 etc/keepassx.profile | 4 ++++
 etc/keepassx2.profile | 6 +++++-
 etc/keepassxc.profile | 6 +++++-
 etc/libreoffice.profile | 5 +++++
 etc/mumble.profile | 4 ++++
 etc/pdfsam.profile | 1 +
 etc/totem.profile | 12 +++++++++++-
 etc/vlc.profile | 3 +++
 19 files changed, 92 insertions(+), 9 deletions(-)
diff --git a/etc/bless.profile b/etc/bless.profile
index 08a756989..ac4c08fb0 100644
--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -17,6 +17,7 @@ include /etc/firejail/disable-devel.inc
 #Options
 caps.drop all
+net none
 netfilter
 nogroups
 nonewprivs
diff --git a/etc/eog.profile b/etc/eog.profile
index c5afec7fa..7c2cd557c 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -11,7 +11,9 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+net none
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
@@ -24,3 +26,6 @@ private-bin eog
 private-dev
 private-etc fonts
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/evince.profile b/etc/evince.profile
index 94cefdd8b..ae50425b9 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -13,6 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
 #net none - creates some problems on some distributions
+no3d
 nogroups
 nonewprivs
 noroot
@@ -27,3 +28,6 @@ private-dev
 private-etc fonts
 # evince needs access to /tmp/mozilla* to work in firefox
 # private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/evolution.profile b/etc/evolution.profile
index cb6615716..04bf480ff 100644
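Review bot: `net none` is added directly above the existing `netfilter` line in the bless hunk, and with no interface left in the sandbox the filter appears to have nothing to act on, so the pair looks redundant; the same combination is introduced in the jd-gui, pdfsam, file-roller, gedit and gimp hunks. If `netfilter` is kept on purpose for users who later replace `net none` with a real interface, a one-line comment such as `# netfilter has no effect while net none is set; kept for users who enable an interface` would stop a later cleanup from dropping it.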
--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -9,6 +9,7 @@ noblacklist ~/.cache/evolution
 noblacklist ~/.pki
 noblacklist ~/.pki/nssdb
 noblacklist ~/.gnupg
+noblacklist ~/.bogofilter
 noblacklist /var/spool/mail
 noblacklist /var/mail
@@ -20,6 +21,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
@@ -30,3 +32,6 @@ shell none
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index 804d20ce1..a3f687651 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -9,13 +9,15 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+net none
+netfilter
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
 protocol unix
 seccomp
-netfilter
 shell none
 tracelog
@@ -23,3 +25,6 @@ tracelog
 # private-tmp
 private-dev
 # private-etc fonts
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gedit.profile b/etc/gedit.profile
index 9f4eee9b3..07bdb1bbe 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -14,17 +14,22 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+netfilter
+net none
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
 protocol unix
 seccomp
-netfilter
 shell none
 tracelog
 # private-bin gedit
-private-tmp
 private-dev
 # private-etc fonts
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gimp.profile b/etc/gimp.profile
index 4088bd680..5f8ccb4fb 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -10,16 +10,18 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
+net none
 nogroups
 nonewprivs
 noroot
 nosound
 protocol unix
 seccomp
+shell none
 # gimp plugins are installed by the user in ~/.gimp-2.8/plug-ins/ directory
 # if you are not using external plugins, you can enable noexec statement below
-# noexec ${HOME}
+# noexec ${HOME}
 noexec /tmp
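Review bot: In the gimp hunk the removed and added `# noexec ${HOME}` lines are identical in the visible text, so that pair is presumably a whitespace-only change (a stray tab or trailing space). Unless normalising that whitespace was the intent, dropping the pair keeps the hunk to its two real additions, `net none` and `shell none`, and makes the diffstat for gimp.profile reflect what actually changed.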
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index 714a97650..f5d952e3d 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -17,7 +17,19 @@ include /etc/firejail/whitelist-common.inc
 #Options
 caps.drop all
 netfilter
+#net none
+no3d
 nonewprivs
 noroot
+nosound
 protocol unix,inet,inet6
 seccomp
+shell none
+
+private-bin gnome-calculator
+private-dev
+private-etc fonts
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index 53f447f7e..d24f492d8 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -13,6 +13,7 @@ include /etc/firejail/disable-devel.inc
 caps.drop all
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
@@ -30,3 +31,6 @@ private-bin hexchat
 #debug note: private-bin requires perl, python, etc on some systems
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
index 1802c59fd..e0184908b 100644
--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -16,6 +16,7 @@ include /etc/firejail/disable-devel.inc
 #Options
 caps.drop all
+net none
 netfilter
 nogroups
 nonewprivs
diff --git a/etc/keepass.profile b/etc/keepass.profile
index d269c3e8a..abe52eca3 100644
--- a/etc/keepass.profile
+++ b/etc/keepass.profile
@@ -15,14 +15,18 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+netfilter
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
 protocol unix,inet,inet6
 seccomp
-netfilter
 shell none
-private-tmp
 private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/keepassx.profile b/etc/keepassx.profile
index 379b8a668..845a1bcc9 100644
--- a/etc/keepassx.profile
+++ b/etc/keepassx.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 net none
+no3d
 nogroups
 nonewprivs
 noroot
@@ -28,3 +29,6 @@ private-bin keepassx
 private-etc fonts
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
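Review bot: `#net none` is added to gnome-calculator commented out with no reason given, while `protocol unix,inet,inet6` stays and the new `private-etc fonts` leaves the sandbox with no resolv.conf, hosts or certificate store, so whatever network use justified keeping inet (presumably fetching currency rates) would fail inside the sandbox anyway. Either record the reason on the line, e.g. `#net none - disabled so currency rates can be fetched`, and widen the list to something like `private-etc fonts,resolv.conf,hosts,ssl`, or enable `net none` outright and drop the inet protocols. The totem hunk has the same mismatch: `protocol unix,inet,inet6` is kept as context right next to a newly added `private-etc fonts`.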
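Review bot: The keepass hunk keeps `protocol unix,inet,inet6` and gains `netfilter`, whereas the keepassx, keepassx2 and keepassxc hunks all run under `net none`, and keepassxc.profile even documents when to lift it. If the original KeePass needs the network for something specific, a comment in the style of the KeePassHTTP note in keepassxc.profile would record that; otherwise `net none` would bring it in line with the other password-manager profiles in this commit.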
diff --git a/etc/keepassx2.profile b/etc/keepassx2.profile
index a21caf3f1..32dddc2fe 100644
--- a/etc/keepassx2.profile
+++ b/etc/keepassx2.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 net none
+no3d
 nogroups
 nonewprivs
 noroot
@@ -24,6 +25,9 @@ seccomp
 shell none
 private-bin keepassx2
-private-etc fonts
 private-dev
+private-etc fonts
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile
index 654a30682..369d4a5ae 100644
--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -16,6 +16,7 @@ include /etc/firejail/disable-passwdmgr.inc
 # To use KeePassHTTP, comment out `net none`
 caps.drop all
 net none
+no3d
 nogroups
 nonewprivs
 noroot
@@ -25,6 +26,9 @@ seccomp
 shell none
 private-bin keepassxc
-private-etc fonts
 private-dev
+private-etc fonts
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index 685073e7c..dda4e6ab9 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -17,7 +17,12 @@ nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
 tracelog
 private-dev
 # whitelist /tmp/.X11-unix/
+
+noexec ${HOME}
+noexec /tmp
+
diff --git a/etc/mumble.profile b/etc/mumble.profile
index d5405a6ae..c5c6a4d1a 100644
--- a/etc/mumble.profile
+++ b/etc/mumble.profile
@@ -18,6 +18,7 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 netfilter
+no3d
 nonewprivs
 nogroups
 noroot
@@ -28,3 +29,6 @@ tracelog
 private-bin mumble
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
index c37ccba09..523c11f26 100644
--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-devel.inc
 #Options
 caps.drop all
+net none
 netfilter
 nogroups
 nonewprivs
diff --git a/etc/totem.profile b/etc/totem.profile
index 0b3942cf0..fadfbb00b 100644
--- a/etc/totem.profile
+++ b/etc/totem.profile
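Review bot: The libreoffice hunk ends with an extra added empty line after `noexec /tmp`, leaving a trailing blank line at end of file that none of the other 18 profiles in this commit get. Dropping that final `+` line keeps the file consistent with the rest of the set.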
@@ -12,8 +12,18 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+netfilter
+nogroups
 nonewprivs
 noroot
-netfilter
 protocol unix,inet,inet6
 seccomp
+shell none
+
+private-bin totem
+private-dev
+private-etc fonts
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/vlc.profile b/etc/vlc.profile
index 0c96f0108..21282dfbd 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -22,3 +22,6 @@ shell none
 private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
 # private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
-- 
cgit v1.2.3-70-g09d2