From c23fb14420fe964720243d9f27d00d26f7f13780 Mon Sep 17 00:00:00 2001
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Date: Fri, 10 Apr 2020 18:40:29 +0200
Subject: misc profiles
- disable-interpreters: blacklist /usr/lib64/libmozjs-*
- fdns:
- fix .local name
- remove server.profile comment (do we need /sbin and /usr/sbin?)
- add wusc and wvc (commented because untested)
- minimize caps.keep (based on fdns.service)
- fix protocol position
- add private-etc (based on fdns.service)
---
 etc/disable-interpreters.inc | 3 +++
 etc/fdns.profile | 14 ++++++--------
 etc/scorched3d-wrapper.profile | 2 ++
 3 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/etc/disable-interpreters.inc b/etc/disable-interpreters.inc
index 495a75a54..59e9c7de3 100644
--- a/etc/disable-interpreters.inc
+++ b/etc/disable-interpreters.inc
@@ -17,6 +17,9 @@ blacklist /usr/lib/liblua*
 blacklist /usr/lib/lua
 blacklist /usr/share/lua*
+# mozjs
+blacklist /usr/lib64/libmozjs-*
+
 # Node.js
 blacklist ${PATH}/node
 blacklist /usr/include/node
diff --git a/etc/fdns.profile b/etc/fdns.profile
index 4b266f7f8..179540806 100644
--- a/etc/fdns.profile
+++ b/etc/fdns.profile
@@ -1,14 +1,10 @@
 # Firejail profile for server
 # This file is overwritten after every install/update
 # Persistent local customizations
-include server.local
+include fdns.local
 # Persistent global definitions
 include globals.local
-# generic server profile
-# it allows /sbin and /usr/sbin directories - this is where servers are installed
-# depending on your usage, you can enable some of the commands below:
-# noblacklist /sbin
 noblacklist /usr/sbin
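Review bot: The new `blacklist /usr/lib64/libmozjs-*` covers only the lib64 layout, while the neighbouring entries in this file (`blacklist /usr/lib/liblua*`, `blacklist /usr/lib/lua`) use /usr/lib, so on distributions that install libraries under /usr/lib the mozjs shared object stays reachable and the entry gives a false sense of completeness. Add the matching `blacklist /usr/lib/libmozjs-*` beside it so both layouts this file already distinguishes are covered. Unlike the Node.js section below it, only the library is listed (no binary or headers); a short comment saying that is deliberate would help the next editor.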
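Review bot: The first context line `# Firejail profile for server` is left unchanged although the include is corrected from `server.local` to `fdns.local`, so the file still announces itself as the generic server profile; change it to `# Firejail profile for fdns`. Removing the four comment lines also drops the only explanation of why `noblacklist /usr/sbin` is kept, a question the commit message itself leaves open; a one-line comment stating the reason next to the directive would keep the rationale in the file. The trailing context of this hunk appears collapsed in this rendering, so its end is not fully visible.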
@@ -23,8 +19,10 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-caps.keep chown,kill,net_admin,net_bind_service,setgid,setuid,sys_admin,sys_chroot,syslog
+#include whitelist-usr-share-common.inc
+#include whitelist-var-common.inc
+caps.keep kill,net_bind_service,setgid,setuid,sys_admin,sys_chroot
 ipc-namespace
 # netfilter /etc/firejail/webserver.net
 no3d
@@ -36,6 +34,7 @@ nosound
 notv
 nou2f
 novideo
+protocol unix,inet,inet6
 #seccomp
 #shell none
@@ -44,9 +43,8 @@ private
 private-bin bash,fdns,sh
 # private-cache
 private-dev
-# private-etc alternatives
+private-etc ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl
 # private-lib
 private-tmp
-protocol unix,inet,inet6
 memory-deny-write-execute
diff --git a/etc/scorched3d-wrapper.profile b/etc/scorched3d-wrapper.profile
index 3eed8842b..9cbb19bff 100644
--- a/etc/scorched3d-wrapper.profile
+++ b/etc/scorched3d-wrapper.profile
@@ -1,5 +1,7 @@
 # Firejail profile for scorched3d
 # This file is overwritten after every install/update
+# Persistent local customizations
+include scorched3d-wrapper.local
 # Redirect
 include scorched3d.profile
-- 
cgit v1.2.3-54-g00ecf
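Review bot: `sys_admin` remains in the new `caps.keep kill,net_bind_service,setgid,setuid,sys_admin,sys_chroot`, and that one capability is close to root-equivalent, so dropping chown/net_admin/syslog narrows the sandbox less than the diff suggests. If fdns genuinely needs it (presumably for its own chroot/namespace setup, given sys_chroot is kept too), record that next to the line, e.g. `# sys_admin/sys_chroot: required by fdns itself — TODO confirm against fdns.service`, so a later editor neither drops it blindly nor reads the profile as tight. The two new `#include whitelist-*` lines carry no in-file hint that they are disabled only because they are untested; a trailing `# untested` would bring the commit-message reasoning into the profile.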
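Review bot: The moved `protocol unix,inet,inet6` now sits directly above `#seccomp`, which stays commented out with no reason recorded; `protocol` only restricts socket families and is not a substitute for the syscall filter, and with sys_admin kept in caps.keep (previous hunk) seccomp is what would materially limit a compromised process. Either enable `seccomp` or add a comment such as `# seccomp: disabled because <reason> — TODO re-test` so the gap is a documented decision rather than an oversight.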
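Review bot: The new `private-etc` list includes `nsswitch.conf` and `passwd` but neither `group`, `hosts` nor `resolv.conf`; if fdns resolves any upstream by hostname through libc, or switches to a group by name after dropping privileges (setgid/setuid are kept), those lookups fail silently inside the sandbox. If it contacts upstreams by IP literal only and needs no group lookup, a comment on the line, e.g. `# no hosts/resolv.conf: upstreams are addressed by IP (matches fdns.service)`, would stop someone re-adding them later. The commit message says the list is based on fdns.service, but that provenance is not visible in the profile itself.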