From 5354f20012b488c50cd556e315b78ad351ae0f9d Mon Sep 17 00:00:00 2001
From: Tad
Date: Tue, 4 Jul 2017 10:51:43 -0400
Subject: Harden 50 profiles

Hardened many profiles using disable-mnt and novideo
Fixed gnome-font-viewer

---
 etc/0ad.profile | 1 +
 etc/arduino.profile | 1 +
 etc/brave.profile | 2 ++
 etc/chromium.profile | 1 +
 etc/dino.profile | 1 +
 etc/dnsmasq.profile | 2 ++
 etc/file-roller.profile | 1 +
 etc/firefox.profile | 1 +
 etc/gajim.profile | 1 +
 etc/gnome-2048.profile | 10 ++++++++++
 etc/gnome-books.profile | 5 +++++
 etc/gnome-calculator.profile | 1 +
 etc/gnome-chess.profile | 6 ++++++
 etc/gnome-clocks.profile | 7 ++++++-
 etc/gnome-contacts.profile | 10 ++++++++++
 etc/gnome-documents.profile | 5 +++++
 etc/gnome-font-viewer.profile | 29 +++++++++++++++--------------
 etc/gnome-maps.profile | 5 +++++
 etc/gnome-mplayer.profile | 4 ++++
 etc/gnome-music.profile | 6 ++++++
 etc/gnome-photos.profile | 3 +++
 etc/gnome-weather.profile | 6 ++++++
 etc/hedgewars.profile | 1 +
 etc/hexchat.profile | 2 ++
 etc/jd-gui.profile | 1 +
 etc/jitsi.profile | 1 +
 etc/kodi.profile | 1 +
 etc/less.profile | 6 +++++-
 etc/lollypop.profile | 1 +
 etc/meld.profile | 1 +
 etc/multimc5.profile | 2 ++
 etc/mumble.profile | 1 +
 etc/pdfsam.profile | 1 +
 etc/pithos.profile | 2 ++
 etc/polari.profile | 1 +
 etc/qtox.profile | 1 +
 etc/quiterss.profile | 1 +
 etc/rhythmbox.profile | 5 +++++
 etc/skype.profile | 6 ++++++
 etc/skypeforlinux.profile | 6 ++++++
 etc/slack.profile | 1 +
 etc/spotify.profile | 1 +
 etc/steam.profile | 1 +
 etc/stellarium.profile | 1 +
 etc/strings.profile | 3 ++-
 etc/telegram.profile | 6 ++++++
 etc/warzone2100.profile | 1 +
 etc/wget.profile | 1 +
 etc/wire.profile | 1 +
 etc/xonotic.profile | 1 +
 etc/youtube-dl.profile | 1 +
 51 files changed, 149 insertions(+), 17 deletions(-)

diff --git a/etc/0ad.profile b/etc/0ad.profile
index e946c1418..a564d0a09 100644
--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -37,3 +37,4 @@ tracelog
 private-dev
 private-tmp
+disable-mnt
diff --git a/etc/arduino.profile b/etc/arduino.profile
index 2d7d92856..60c071c01 100644
--- a/etc/arduino.profile
+++ b/etc/arduino.profile
@@ -22,6 +22,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/brave.profile b/etc/brave.profile
index 9dac688c2..e73dd37a2 100644
--- a/etc/brave.profile
+++ b/etc/brave.profile
@@ -23,6 +23,8 @@ netfilter
 #protocol unix,inet,inet6,netlink
 #seccomp
+#disable-mnt
+
 whitelist ${DOWNLOADS}
 mkdir ~/.config/brave
diff --git a/etc/chromium.profile b/etc/chromium.profile
index 2728bf74a..330c455b6 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -35,6 +35,7 @@ shell none
 private-dev
 #private-tmp - problems with multiple browser sessions
+#disable-mnt
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/dino.profile b/etc/dino.profile
index 6d63e894e..94563fa1d 100644
--- a/etc/dino.profile
+++ b/etc/dino.profile
@@ -35,6 +35,7 @@ private-bin dino
 #private-etc fonts #breaks server connection
 private-dev
 private-tmp
+disable-mnt
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile
index 317efdd9a..797f093a1 100644
--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -22,3 +22,5 @@ nosound
 no3d
 protocol unix,inet,inet6,netlink
 seccomp
+
+disable-mnt
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index 49b65c91d..72d00b4ce 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -20,6 +20,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 70b41a240..aff6e8334 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -71,6 +71,7 @@ include /etc/firejail/whitelist-common.inc
 # private-dev might prevent video calls going out
 private-dev
 private-tmp
+#disable-mnt
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/gajim.profile b/etc/gajim.profile
index b2d68a9be..a3deb2c73 100644
--- a/etc/gajim.profile
+++ b/etc/gajim.profile
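Review bot: `#disable-mnt` in the brave.profile hunk is added commented out with no reason recorded, so a later pass cannot tell whether the option was tried and found to break the browser or was simply deferred; the existing `#private-tmp - problems with multiple browser sessions` line in the chromium.profile hunk shows the convention of a trailing reason. Presumably it is kept off because browser users open and save files on removable media, in which case `#disable-mnt - breaks open/save on removable media` would capture that. The same bare commented-out options appear in the chromium.profile and firefox.profile hunks (`#disable-mnt`), in the kodi.profile and steam.profile hunks (`#novideo`) and in the first rhythmbox.profile hunk (`#no3d`).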
@@ -43,3 +43,4 @@ shell none
 #private-etc fonts
 private-dev
 #private-tmp
+disable-mnt
diff --git a/etc/gnome-2048.profile b/etc/gnome-2048.profile
index 0e757a06f..5e0dfc2a1 100644
--- a/etc/gnome-2048.profile
+++ b/etc/gnome-2048.profile
@@ -26,7 +26,17 @@ include /etc/firejail/whitelist-common.inc
 #Options
 caps.drop all
 netfilter
+no3d
 nonewprivs
 noroot
+#nosound
+novideo
 protocol unix,inet,inet6
 seccomp
+
+private-dev
+private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile
index 07431e51b..af6da6cd4 100644
--- a/etc/gnome-books.profile
+++ b/etc/gnome-books.profile
@@ -16,10 +16,12 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 netfilter
@@ -30,3 +32,6 @@ tracelog
 private-tmp
 private-dev
 #private-etc fonts
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index bdc450dfe..e64f62b70 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -34,6 +34,7 @@ private-bin gnome-calculator
 private-dev
 #private-etc fonts
 private-tmp
+disable-mnt
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile
index 9ff978803..8c098d592 100644
--- a/etc/gnome-chess.profile
+++ b/etc/gnome-chess.profile
@@ -14,10 +14,12 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
@@ -27,3 +29,7 @@ private-bin fairymax,gnome-chess,hoichess
 private-dev
 private-etc fonts,gnome-chess
 private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile
index 40df92454..129bd6e71 100644
--- a/etc/gnome-clocks.profile
+++ b/etc/gnome-clocks.profile
@@ -12,10 +12,11 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+no3d
 nogroups
 nonewprivs
 noroot
-nosound
+novideo
 protocol unix,inet,inet6
 seccomp
 netfilter
@@ -26,3 +27,7 @@ tracelog
 private-tmp
 private-dev
 # private-etc fonts
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gnome-contacts.profile b/etc/gnome-contacts.profile
index 55817323d..9164f6360 100644
--- a/etc/gnome-contacts.profile
+++ b/etc/gnome-contacts.profile
@@ -20,7 +20,17 @@ include /etc/firejail/whitelist-common.inc
 #Options
 caps.drop all
 netfilter
+no3d
 nonewprivs
 noroot
+nosound
+novideo
 protocol unix,inet,inet6
 seccomp
+
+private-dev
+private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gnome-documents.profile b/etc/gnome-documents.profile
index 03277e6e1..5d2a90b64 100644
--- a/etc/gnome-documents.profile
+++ b/etc/gnome-documents.profile
@@ -17,10 +17,12 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 netfilter
@@ -29,3 +31,6 @@ tracelog
 private-tmp
 private-dev
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gnome-font-viewer.profile b/etc/gnome-font-viewer.profile
index 3ea1b6b33..605dafc62 100644
--- a/etc/gnome-font-viewer.profile
+++ b/etc/gnome-font-viewer.profile
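Review bot: `nosound` is removed from gnome-clocks.profile by the `-nosound`/`+novideo` pair, while every other profile in this commit adds `novideo` next to an existing `nosound`, so this reads as an accidental drop rather than a deliberate loosening. If it is intentional because alarm playback needs audio, keep the option visible as a commented line with its reason, e.g. `#nosound - alarms need audio`, the way the gnome-2048.profile hunk keeps `#nosound`; otherwise restore `nosound` directly above `novideo`.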
@@ -5,25 +5,26 @@ include /etc/firejail/globals.local
 # Persistent customizations should go in a .local file.
 include /etc/firejail/gnome-font-viewer.local
-private
-#include /etc/firejail/disable-common.inc
-#include /etc/firejail/disable-programs.inc
-#include /etc/firejail/disable-passwdmgr.inc
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+#Options
 caps.drop all
 netfilter
+no3d
 nonewprivs
 noroot
+nosound
+novideo
 protocol unix,inet,inet6
 seccomp
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
-shell none
-# private-bin program
-# private-etc none
-# private-dev
-# private-tmp
-nosound
+private-dev
+private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile
index 1494c1493..8c7310fa9 100644
--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -19,6 +19,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6
 seccomp
 netfilter
@@ -29,3 +30,7 @@ tracelog
 private-tmp
 private-dev
 # private-etc fonts
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile
index 4216791e3..51b3279f3 100644
--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -22,3 +22,7 @@ shell none
 # private-bin gnome-mplayer,mplayer
 private-dev
 private-tmp
+
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile
index 44931576f..abdb6bfb5 100644
--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -14,9 +14,11 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+no3d
 nogroups
 nonewprivs
 noroot
+novideo
 protocol unix
 seccomp
 netfilter
@@ -27,3 +29,7 @@ tracelog
 private-tmp
 private-dev
 # private-etc fonts
+
+
+noexec ${HOME}
+noexec /tmp
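Review bot: `nogroups` and `shell none` are dropped from gnome-font-viewer.profile together with `private`, but the commit message only says the profile was fixed, and neither of those two options is an obvious cause of the breakage. If `private` (which gives the sandbox an empty temporary home, hiding the user's fonts and the file being opened) was the real culprit, the other two can be kept under `#Options` next to `noroot`, which also keeps the profile in line with the gnome-chess.profile hunk, where both `nogroups` and `shell none` remain. If they were found to break the viewer, a commented line with the reason would save the next reviewer the same question.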
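Review bot: Two blank lines are added in a row before `noexec ${HOME}` in the gnome-mplayer.profile hunk (the two bare `+` lines), where the rest of the commit separates option groups with a single blank line; one of them can go. The same double blank appears in the second gnome-music.profile hunk.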
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile
index 6ee2ccf82..93823d0f4 100644
--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@@ -31,3 +31,6 @@ tracelog
 private-tmp
 private-dev
 # private-etc fonts
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile
index 9a2c4d553..815fba7ca 100644
--- a/etc/gnome-weather.profile
+++ b/etc/gnome-weather.profile
@@ -16,10 +16,12 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6
 seccomp
 netfilter
@@ -30,3 +32,7 @@ tracelog
 private-tmp
 private-dev
 # private-etc fonts
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile
index 5848640af..a5c23d0aa 100644
--- a/etc/hedgewars.profile
+++ b/etc/hedgewars.profile
@@ -23,6 +23,7 @@ tracelog
 private-dev
 private-tmp
+disable-mnt
 mkdir ~/.hedgewars
 whitelist ~/.hedgewars
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index ebfd9224c..36ddb9e89 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -22,6 +22,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
@@ -35,6 +36,7 @@ private-bin hexchat
 #debug note: private-bin requires perl, python, etc on some systems
 private-dev
 private-tmp
+disable-mnt
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
index 2520babb1..a96eedee6 100644
--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -27,6 +27,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/jitsi.profile b/etc/jitsi.profile
index 642ad6cc2..59459b5e9 100644
--- a/etc/jitsi.profile
+++ b/etc/jitsi.profile
@@ -22,3 +22,4 @@ shell none
 tracelog
 private-tmp
+disable-mnt
diff --git a/etc/kodi.profile b/etc/kodi.profile
index 132a0044c..ea4020232 100644
--- a/etc/kodi.profile
+++ b/etc/kodi.profile
@@ -19,6 +19,7 @@ netfilter
 nogroups
 nonewprivs
 noroot
+#novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
diff --git a/etc/less.profile b/etc/less.profile
index dd63d3e2e..9d4eb3fcf 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -11,11 +11,15 @@ ignore noroot
 include /etc/firejail/default.profile
 net none
-nosound
 no3d
+nosound
+novideo
 shell none
 tracelog
 blacklist /tmp/.X11-unix
 private-dev
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/lollypop.profile b/etc/lollypop.profile
index 6494ccc6b..4be7721e3 100644
--- a/etc/lollypop.profile
+++ b/etc/lollypop.profile
@@ -26,6 +26,7 @@ no3d
 nogroups
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/meld.profile b/etc/meld.profile
index 0ec737989..bc4cd8356 100644
--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -22,6 +22,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/multimc5.profile b/etc/multimc5.profile
index c5a2eb525..e45ab9cba 100644
--- a/etc/multimc5.profile
+++ b/etc/multimc5.profile
@@ -33,12 +33,14 @@ netfilter
 nogroups
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 #seccomp
 shell none
 private-dev
 private-tmp
+disable-mnt
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/mumble.profile b/etc/mumble.profile
index d92156ebb..7303ac65a 100644
--- a/etc/mumble.profile
+++ b/etc/mumble.profile
@@ -33,6 +33,7 @@ tracelog
 private-bin mumble
 private-tmp
+disable-mnt
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
index 36694dcc6..611ca3775 100644
--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -25,6 +25,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/pithos.profile b/etc/pithos.profile
index 67b8ee7e4..c08f27f17 100644
--- a/etc/pithos.profile
+++ b/etc/pithos.profile
@@ -25,12 +25,14 @@ no3d
 nogroups
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
 private-dev
 private-tmp
+disable-mnt
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/polari.profile b/etc/polari.profile
index 1a82f2819..657139b6b 100644
--- a/etc/polari.profile
+++ b/etc/polari.profile
@@ -38,6 +38,7 @@ tracelog
 private-dev
 private-tmp
+disable-mnt
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/qtox.profile b/etc/qtox.profile
index 7601372ca..cc2a45bb2 100644
--- a/etc/qtox.profile
+++ b/etc/qtox.profile
@@ -34,3 +34,4 @@ noexec /tmp
 private-bin qtox
 private-tmp
+disable-mnt
diff --git a/etc/quiterss.profile b/etc/quiterss.profile
index 4a852bc67..c8112f064 100644
--- a/etc/quiterss.profile
+++ b/etc/quiterss.profile
@@ -39,5 +39,6 @@ tracelog
 private-bin quiterss
 private-dev
 #private-etc X11,ssl
+disable-mnt
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index 192382f77..930a8fed5 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -13,9 +13,11 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
+#no3d
 nogroups
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
@@ -24,3 +26,6 @@ tracelog
 private-bin rhythmbox
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/skype.profile b/etc/skype.profile
index 67cacea63..8b97c7152 100644
--- a/etc/skype.profile
+++ b/etc/skype.profile
@@ -17,3 +17,9 @@ nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+
+private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile
index bcdb251dd..71bc1b9a6 100644
--- a/etc/skypeforlinux.profile
+++ b/etc/skypeforlinux.profile
@@ -16,3 +16,9 @@ netfilter
 noroot
 seccomp
 protocol unix,inet,inet6,netlink
+
+private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/slack.profile b/etc/slack.profile
index 7cde1067e..a68717ea3 100644
--- a/etc/slack.profile
+++ b/etc/slack.profile
@@ -30,6 +30,7 @@ private-bin slack
 private-dev
 private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime
 private-tmp
+disable-mnt
 mkdir ${HOME}/.config
 mkdir ${HOME}/.config/Slack
diff --git a/etc/spotify.profile b/etc/spotify.profile
index e7890d23f..07103b112 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -38,6 +38,7 @@ private-bin spotify,bash,sh,dash
 private-etc fonts,machine-id,pulse,resolv.conf
 private-dev
 private-tmp
+disable-mnt
 blacklist ${HOME}/.bashrc
 blacklist /boot
diff --git a/etc/steam.profile b/etc/steam.profile
index 7e806c2ad..e2dc6216b 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -25,6 +25,7 @@ netfilter
 nogroups
 nonewprivs
 noroot
+#novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
diff --git a/etc/stellarium.profile b/etc/stellarium.profile
index 78c442a4a..00579f8fd 100644
--- a/etc/stellarium.profile
+++ b/etc/stellarium.profile
@@ -33,3 +33,4 @@ tracelog
 private-bin stellarium
 private-dev
 private-tmp
+disable-mnt
diff --git a/etc/strings.profile b/etc/strings.profile
index a9301c652..af49feb04 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -11,9 +11,10 @@ ignore noroot
 include /etc/firejail/default.profile
 net none
+no3d
 nosound
+novideo
 shell none
 tracelog
 private-dev
-no3d
 blacklist /tmp/.X11-unix
diff --git a/etc/telegram.profile b/etc/telegram.profile
index 2d3325a94..5282789ce 100644
--- a/etc/telegram.profile
+++ b/etc/telegram.profile
@@ -17,3 +17,9 @@ nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+
+private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile
index 6f3f0bd15..767824d8d 100644
--- a/etc/warzone2100.profile
+++ b/etc/warzone2100.profile
@@ -32,3 +32,4 @@ tracelog
 private-bin warzone2100
 private-dev
 private-tmp
+disable-mnt
diff --git a/etc/wget.profile b/etc/wget.profile
index b5ba8b196..1b09eac26 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
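Review bot: `noexec ${HOME}` in the telegram.profile hunk may keep Telegram from starting where it is run from the upstream tarball unpacked somewhere under the home directory, since the executable would then sit on a noexec mount; the profile does not say which install layout it targets. If only distribution packages under /usr or /opt are meant to be supported, a line such as `# noexec ${HOME} assumes a packaged install; a tarball unpacked under ~ will not start` above the option would record that, and if the tarball layout is supported the option should stay commented out until a path-specific alternative is worked out.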
@@ -20,6 +20,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/wire.profile b/etc/wire.profile
index 1fdd8b018..71147ebc1 100644
--- a/etc/wire.profile
+++ b/etc/wire.profile
@@ -25,6 +25,7 @@ shell none
 private-tmp
 private-dev
+disable-mnt
 # Note: the current beta version of wire is located in /opt/Wire/wire and therefore not in PATH.
 # To use wire with firejail run "firejail /opt/Wire/wire"
diff --git a/etc/xonotic.profile b/etc/xonotic.profile
index b9115b70a..611c7b379 100644
--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -37,6 +37,7 @@ shell none
 private-bin xonotic-sdl,xonotic-glx,blind-id
 private-dev
 private-tmp
+disable-mnt
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile
index 90ed12b3b..a58617ddf 100644
--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -22,6 +22,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
--
cgit v1.2.3-70-g09d2