From ddebc20bbce1efa73343124e3f8e3836e77622c0 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Sun, 13 Mar 2022 15:09:51 +0000
Subject: hardening onionshare-gui.profile (#4959)

* hardening onionshare-gui.profile

* add another dbus-user filter to onionshare-gui.profile

* harden onionshare
---
 etc/profile-m-z/onionshare-gui.profile | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/etc/profile-m-z/onionshare-gui.profile b/etc/profile-m-z/onionshare-gui.profile
index cf4d7db30..ed35862ca 100644
--- a/etc/profile-m-z/onionshare-gui.profile
+++ b/etc/profile-m-z/onionshare-gui.profile
@@ -1,4 +1,5 @@
 # Firejail profile for onionshare-gui
+# Description: Share a file over Tor Hidden Services anonymously and securely
 # This file is overwritten after every install/update
 # Persistent local customizations
 include onionshare-gui.local
@@ -14,18 +15,30 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
+include disable-shell.inc
 
+mkdir ${HOME}/.config/onionshare
+mkdir ${HOME}/OnionShare
+whitelist ${HOME}/.config/onionshare
+whitelist ${HOME}/OnionShare
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace
+machine-id
 netfilter
 no3d
 nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 nosound
 notv
@@ -33,9 +46,20 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
+#tracelog - may cause issues, see #1930
 
+disable-mnt
+private-bin onionshare,onionshare-cli,onionshare-gui,python*,tor*
+private-cache
 private-dev
 private-tmp
 
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-system none
+
 memory-deny-write-execute
-- 
cgit v1.2.3-70-g09d2
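Review bot: `include whitelist-common.inc` switches ${HOME} to whitelist mode, so after this change any receive or download directory a user configured outside ${HOME}/OnionShare (presumably the default receive folder) or ${HOME}/.config/onionshare is simply invisible inside the sandbox, and nothing in the profile points the user at onionshare-gui.local for the fix. A comment above the two whitelist lines would prevent that confusion, e.g. `# If you changed OnionShare's receive folder, whitelist it in onionshare-gui.local`. Separately, `include disable-interpreters.inc` is context in this hunk while the third hunk relies on `python*` in private-bin; that only works if an `include allow-python3.inc` precedes it, which would sit before line 14 and is outside this hunk, so it is worth confirming rather than assuming.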
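Review bot: `dbus-user.talk org.freedesktop.secrets` grants the sandbox the full Secret Service (keyring) interface, and the profile does not record which onionshare feature needs it, so a later reviewer cannot tell whether the grant can be narrowed or dropped; a one-line comment such as `# org.freedesktop.secrets: needed for <feature> - TODO confirm` would keep it auditable. The same applies, more mildly, to `private-bin onionshare,onionshare-cli,onionshare-gui,python*,tor*`: the two globs copy every host binary whose name begins with python or tor, which differs per distribution, so listing the exact names the application executes (or noting why a glob is unavoidable) would make the private-bin set reproducible. The disabled `#tracelog - may cause issues, see #1930` line is documented well enough as is.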