From da2a3fd0d1780fe7751f33cd9628879a78669118 Mon Sep 17 00:00:00 2001
From: rusty-snake
Date: Sun, 12 May 2019 12:53:46 +0200
Subject: harden & fix xiphos.profile

---
 README | 4 ++--
 etc/xiphos.profile | 8 +++++++-
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/README b/README
index fb8ccfb6a..3e48b2a85 100644
--- a/README
+++ b/README
@@ -560,11 +560,11 @@ rusty-snake (https://github.com/rusty-snake)
 - fixed profiles: freeoffice-textmaker, code, newsboat, aosp, clion
 - fixed profiles: android-studio, git, gitg, github-desktop, idea.sh
 - fixed profiles: ffmpeg, thunderbird, gnome-system-log, file-roller
- - fixed profiles: eog, eom
+ - fixed profiles: eog, eom, xiphos
 - hardened profiles: disable-common.inc, disable-programs.inc
 - hardened profiles: gajim, evince, ffmpeg, feh-network.inc, qtox
 - hardened profiles: gnome-clocks, meld, minetest, youtube-dl
- - hardened profiles: bibletime, whois, etr, display, feh, mpv
+ - hardened profiles: bibletime, whois, etr, display, feh, mpv, xiphos
 - gnome-mpv was renamed to celluloid
 - some typo fixes
 Salvo 'LtWorf' Tomaselli (https://github.com/ltworf)
diff --git a/etc/xiphos.profile b/etc/xiphos.profile
index 3ad03e2c6..33056395e 100644
--- a/etc/xiphos.profile
+++ b/etc/xiphos.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.xiphos
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -20,8 +21,11 @@ include disable-programs.inc
 whitelist ${HOME}/.sword
 whitelist ${HOME}/.xiphos
 include whitelist-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
+machine-id
 netfilter
 nodvd
 nogroups
@@ -36,7 +40,9 @@ seccomp
 shell none
 tracelog
 
+disable-mnt
 private-bin xiphos
+private-cache
 private-dev
-private-etc alternatives,fonts,resolv.conf,sword,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,fonts,resolv.conf,sword,ca-certificates,ssli,sword.conf,pki,crypto-policies
 private-tmp
-- 
cgit v1.2.3-54-g00ecf
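Review bot: `ssli` in the new private-etc line looks like a typo for the `ssl` entry the removed line had, so /etc/ssl is no longer mounted into the sandbox while the intended `sword.conf` addition is. On distributions whose CA bundle or OpenSSL configuration lives under /etc/ssl rather than /etc/pki or /etc/ca-certificates this would likely break TLS verification or connections from the sandboxed xiphos, which is exactly the kind of regression a hardening commit should not introduce silently. The line should read `private-etc alternatives,fonts,resolv.conf,sword,ca-certificates,ssl,sword.conf,pki,crypto-policies`. It is worth double-checking the other profiles touched in this series for the same slip, since private-etc lists are copy-edited by hand.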