From c0ba48bec1bc11c98cbac3c6cc9fdf117dcb98d1 Mon Sep 17 00:00:00 2001
From: Tad
Date: Wed, 19 Sep 2018 15:32:18 -0400
Subject: Misc profile hardening

---
 etc/android-studio.profile | 2 ++
 etc/apktool.profile | 2 ++
 etc/bless.profile | 2 ++
 etc/dex2jar.profile | 2 ++
 etc/gitg.profile | 2 ++
 etc/jd-gui.profile | 2 ++
 etc/liferea.profile | 1 +
 etc/lollypop.profile | 2 ++
 etc/meld.profile | 2 ++
 etc/minetest.profile | 2 ++
 etc/mumble.profile | 1 +
 etc/patch.profile | 2 ++
 etc/picard.profile | 2 ++
 etc/pithos.profile | 1 +
 etc/remmina.profile | 2 ++
 etc/sdat2img.profile | 2 ++
 etc/shellcheck.profile | 2 ++
 etc/soundconverter.profile | 2 ++
 etc/sqlitebrowser.profile | 2 ++
 etc/vlc.profile | 2 +-
 etc/xonotic.profile | 1 +
 21 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/etc/android-studio.profile b/etc/android-studio.profile
index d845bd4b9..8f5cd56cc 100644
--- a/etc/android-studio.profile
+++ b/etc/android-studio.profile
@@ -20,6 +20,8 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/apktool.profile b/etc/apktool.profile
index 2043cf5af..d157b1478 100644
--- a/etc/apktool.profile
+++ b/etc/apktool.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-xdg.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 net none
 no3d
diff --git a/etc/bless.profile b/etc/bless.profile
index 01f75b00d..0da3436e8 100644
--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -14,6 +14,8 @@ include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 net none
 no3d
diff --git a/etc/dex2jar.profile b/etc/dex2jar.profile
index b61d68e06..da59fc71a 100644
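Review bot: The added `include /etc/firejail/whitelist-var-common.inc` in android-studio.profile replaces the sandbox's view of /var with the fixed whitelist in that file, and nothing in the commit records that the application was started under the tightened profile. A directory under /var that the program touches but that is not listed in whitelist-var-common.inc will simply be absent inside the sandbox rather than produce a clear permission error, so a quick launch test can miss it; please confirm the application starts and performs its main workflow with the line in place. The same applies to the other eighteen profiles that gain this line in this commit (apktool, bless, dex2jar, gitg, jd-gui, liferea, lollypop, meld, minetest, mumble, patch, picard, pithos, remmina, sdat2img, shellcheck, soundconverter, sqlitebrowser). A sentence in the commit message naming which of them were exercised would make the hardening auditable later.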
--- a/etc/dex2jar.profile
+++ b/etc/dex2jar.profile
@@ -19,6 +19,8 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-xdg.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 net none
 no3d
diff --git a/etc/gitg.profile b/etc/gitg.profile
index 5a7349eb1..87d8c0a1f 100644
--- a/etc/gitg.profile
+++ b/etc/gitg.profile
@@ -16,6 +16,8 @@ include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 no3d
 nodvd
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
index 81e538153..3a280dab7 100644
--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -21,6 +21,8 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-xdg.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 net none
 no3d
diff --git a/etc/liferea.profile b/etc/liferea.profile
index 673182c10..04c649121 100644
--- a/etc/liferea.profile
+++ b/etc/liferea.profile
@@ -29,6 +29,7 @@ whitelist ${HOME}/.cache/liferea
 whitelist ${HOME}/.config/liferea
 whitelist ${HOME}/.local/share/liferea
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter
diff --git a/etc/lollypop.profile b/etc/lollypop.profile
index 0f8f49488..efd40e899 100644
--- a/etc/lollypop.profile
+++ b/etc/lollypop.profile
@@ -22,6 +22,8 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-xdg.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 no3d
diff --git a/etc/meld.profile b/etc/meld.profile
index 00d5c6caa..1a7935800 100644
--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 net none
 no3d
diff --git a/etc/minetest.profile b/etc/minetest.profile
index 7de546791..3e06b6d30 100644
--- a/etc/minetest.profile
+++ b/etc/minetest.profile
@@ -17,10 +17,12 @@ include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.minetest
 whitelist ${HOME}/.minetest
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/mumble.profile b/etc/mumble.profile
index f894acb57..c5af9aa42 100644
--- a/etc/mumble.profile
+++ b/etc/mumble.profile
@@ -20,6 +20,7 @@ mkdir ${HOME}/.local/share/data/Mumble
 whitelist ${HOME}/.config/Mumble
 whitelist ${HOME}/.local/share/data/Mumble
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter
diff --git a/etc/patch.profile b/etc/patch.profile
index d4058d6e7..8fa6ac966 100644
--- a/etc/patch.profile
+++ b/etc/patch.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-xdg.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 ipc-namespace
 net none
diff --git a/etc/picard.profile b/etc/picard.profile
index 2cc0b5c68..8474eeda6 100644
--- a/etc/picard.profile
+++ b/etc/picard.profile
@@ -23,6 +23,8 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-xdg.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 no3d
 nodvd
diff --git a/etc/pithos.profile b/etc/pithos.profile
index e5af9c973..cbe7ac9c6 100644
--- a/etc/pithos.profile
+++ b/etc/pithos.profile
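Review bot: The `nodbus` added to minetest.profile cuts the sandboxed process off from both the session and the system bus, and the hunk gives no indication the game was run with it; the same line is added to xonotic.profile later in this commit. If either engine uses D-Bus, for instance to inhibit the screensaver while a match is running, that call will typically fail with a warning rather than stop the game, so a brief launch test would not show the regression. Please confirm the behaviour, and record the outcome beside the directive either way, e.g. `# nodbus: no D-Bus use found in <version placeholder>` or, if something does break, a comment pointing at the tracking issue so the line is not re-added blindly.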
@@ -20,6 +20,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-xdg.inc
 
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter
diff --git a/etc/remmina.profile b/etc/remmina.profile
index 5078000bb..51c0f2d17 100644
--- a/etc/remmina.profile
+++ b/etc/remmina.profile
@@ -18,6 +18,8 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-xdg.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 nodvd
 nogroups
diff --git a/etc/sdat2img.profile b/etc/sdat2img.profile
index e318dd568..a2a54f838 100644
--- a/etc/sdat2img.profile
+++ b/etc/sdat2img.profile
@@ -19,6 +19,8 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-xdg.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 net none
 no3d
diff --git a/etc/shellcheck.profile b/etc/shellcheck.profile
index f6c154183..90fc9cb8c 100644
--- a/etc/shellcheck.profile
+++ b/etc/shellcheck.profile
@@ -16,6 +16,8 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-xdg.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 ipc-namespace
 net none
diff --git a/etc/soundconverter.profile b/etc/soundconverter.profile
index ee4d90265..69efe5244 100644
--- a/etc/soundconverter.profile
+++ b/etc/soundconverter.profile
@@ -21,6 +21,8 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-xdg.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 net none
 no3d
diff --git a/etc/sqlitebrowser.profile b/etc/sqlitebrowser.profile
index 75e8ed5c0..0f030d559 100644
--- a/etc/sqlitebrowser.profile
+++ b/etc/sqlitebrowser.profile
@@ -16,6 +16,8 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-xdg.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 net none
 no3d
diff --git a/etc/vlc.profile b/etc/vlc.profile
index 20dafba25..594a5944b 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -25,7 +25,7 @@ include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
 #nodbus
-#nogroups
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
diff --git a/etc/xonotic.profile b/etc/xonotic.profile
index 29b2bb382..a7e8edc0f 100644
--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -21,6 +21,7 @@ include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs
-- 
cgit v1.2.3-54-g00ecf
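Review bot: Uncommenting `nogroups` in vlc.profile drops the user's supplementary groups inside the sandbox, and the hunk does not say playback was re-tested afterwards. On systems where the sound, video or render device nodes are opened through group membership rather than a per-login ACL, a media player is exactly the kind of program that notices, so please confirm audio output and hardware-accelerated decoding still work under the new profile (the exact groups firejail keeps with `nogroups` depends on the firejail version, so a quick run is more reliable than reasoning about it). The neighbouring `#nodbus` stays commented, which is fine, but a one-line comment recording why it is left off would save the next hardening pass from re-trying it, e.g. `# nodbus left off: <reason placeholder>`.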