From 184c191cd61db921ace252c1403c8508fa1a0ab7 Mon Sep 17 00:00:00 2001
From: Nex
Date: Tue, 29 Dec 2020 17:15:50 +0100
Subject: Added first profile for coyim
---
 etc/profile-a-l/coyim.profile | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 etc/profile-a-l/coyim.profile
diff --git a/etc/profile-a-l/coyim.profile b/etc/profile-a-l/coyim.profile
new file mode 100644
index 000000000..5c5ebe166
--- /dev/null
+++ b/etc/profile-a-l/coyim.profile
@@ -0,0 +1,41 @@
+# Firejail profile for coyim
+# Description: GTK Jabber client written in Go
+# This file is overwritten after every install/update
+# Persistent local customizations
+include coyim.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/coyim
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/coyim
+whitelist ${HOME}/.config/coyim
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ssl
+private-tmp
-- 
cgit v1.2.3-54-g00ecf
From a4a875c2d7e42403f89fa0d38aabb953246fb1b8 Mon Sep 17 00:00:00 2001
From: Nex
Date: Tue, 29 Dec 2020 17:23:21 +0100
Subject: Added some more restrictions to coyim profile
---
 etc/profile-a-l/coyim.profile | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/etc/profile-a-l/coyim.profile b/etc/profile-a-l/coyim.profile
index 5c5ebe166..2ca6c20f8 100644
--- a/etc/profile-a-l/coyim.profile
+++ b/etc/profile-a-l/coyim.profile
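Review bot: The new profile closes off DVD, TV and U2F devices (`nodvd`, `notv`, `nou2f`) but leaves the audio and video device nodes open — there is no `nosound` or `novideo` in the hardening block. If coyim does not use audio or video (the profile alone does not say), adding `nosound` and `novideo` next to `nou2f` removes two more device classes from the sandbox at no cost. If it plays notification sounds, `nosound` would silently break that, so the choice should be confirmed against the application before adding it.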
@@ -39,3 +39,8 @@ private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,ssl
 private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
-- 
cgit v1.2.3-54-g00ecf
From d60281e009d13ca997a1b2e2483a6a52f5355370 Mon Sep 17 00:00:00 2001
From: Nex
Date: Tue, 29 Dec 2020 17:53:40 +0100
Subject: Implementing some of the suggested changes from #3853
---
 etc/inc/disable-programs.inc | 1 +
 etc/profile-a-l/coyim.profile | 6 +++---
 src/firecfg/firecfg.config | 1 +
 3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 07fefec8c..a2d45a98d 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -191,6 +191,7 @@ blacklist ${HOME}/.config/cmus
 blacklist ${HOME}/.config/com.github.bleakgrey.tootle
 blacklist ${HOME}/.config/corebird
 blacklist ${HOME}/.config/cower
+blacklist ${HOME}/.config/coyim
 blacklist ${HOME}/.config/darktable
 blacklist ${HOME}/.config/deadbeef
 blacklist ${HOME}/.config/deluge
diff --git a/etc/profile-a-l/coyim.profile b/etc/profile-a-l/coyim.profile
index 2ca6c20f8..80aae097e 100644
--- a/etc/profile-a-l/coyim.profile
+++ b/etc/profile-a-l/coyim.profile
@@ -15,11 +15,11 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
-include disable-write-mnt.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/coyim
 whitelist ${HOME}/.config/coyim
+include whitelist-common.inc
 
 caps.drop all
 netfilter
@@ -37,10 +37,10 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,ssl
 private-tmp
 
 dbus-user none
 dbus-system none
 
-memory-deny-write-execute
+#memory-deny-write-execute
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 3f1591cbd..4853e099b 100644
--- a/src/firecfg/firecfg.config
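Review bot: `dbus-user none` cuts the sandbox off from the whole session bus, which for a GTK chat client usually carries desktop notifications (org.freedesktop.Notifications) and tray/status integration, and nothing in the commit says that was checked. If notifications are expected to work, the narrower form is `dbus-user filter` followed by `dbus-user.talk org.freedesktop.Notifications`, which keeps every other bus name blocked. `dbus-system none` looks right, as the profile shows nothing that needs the system bus.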
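Review bot: In the `@@ -37,10 +37,10 @@` hunk of coyim.profile, `#memory-deny-write-execute` is disabled without a recorded reason, so the next maintainer cannot tell whether it broke the application or was dropped as a precaution; keeping the directive with a trailing note, e.g. `# memory-deny-write-execute - <reason it was disabled>`, is the usual way to preserve that. The same hunk widens `private-etc` with `machine-id,pki`; a short comment on what needed them (presumably the TLS trust store for `pki`, to be confirmed) would make it safer to trim the list later. The `@@ -15,11 +15,11 @@` hunk dropping `disable-write-mnt.inc` while `disable-mnt` stays is consistent and needs nothing further.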
+++ b/src/firecfg/firecfg.config
@@ -149,6 +149,7 @@ conkeror
 conky
 conplay
 corebird
+coyim
 crawl
 crawl-tiles
 crow
-- 
cgit v1.2.3-54-g00ecf
From 19e7970ed5e5757592eec23d2c249d741d2f7dd0 Mon Sep 17 00:00:00 2001
From: Nex
Date: Wed, 6 Jan 2021 23:09:44 +0100
Subject: Added additional whitelists
---
 etc/profile-a-l/coyim.profile | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/etc/profile-a-l/coyim.profile b/etc/profile-a-l/coyim.profile
index 80aae097e..75813c494 100644
--- a/etc/profile-a-l/coyim.profile
+++ b/etc/profile-a-l/coyim.profile
@@ -20,6 +20,9 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/coyim
 whitelist ${HOME}/.config/coyim
 include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
-- 
cgit v1.2.3-54-g00ecf
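Review bot: The three new `include whitelist-*-common.inc` lines in the `@@ -20,6 +20,9 @@` hunk are not sorted (`usr-share` comes before `runuser`), while every other include block in this profile — the `disable-*.inc` list above and the alphabetical lists touched in disable-programs.inc and firecfg.config earlier in this series — is kept in alphabetical order. Reordering to `include whitelist-runuser-common.inc`, `include whitelist-usr-share-common.inc`, `include whitelist-var-common.inc` keeps that convention and makes later diffs line up. A one-line comment on which of the three the application actually needed would also help when the profile is audited later, since the commit message only says "additional whitelists".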