From 53dff25d69ad0d1a83dea3ce19d2d54210025f20 Mon Sep 17 00:00:00 2001
From: rusty-snake
Date: Fri, 12 Apr 2019 19:01:38 +0200
Subject: Harden bibletime.profile
---
 etc/bibletime.profile | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'etc/bibletime.profile')
diff --git a/etc/bibletime.profile b/etc/bibletime.profile
index 6e40054f7..c41aafd47 100644
--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -14,6 +14,7 @@ noblacklist ${HOME}/.local/share/bibletime
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -25,7 +26,9 @@ whitelist ${HOME}/.bibletime
 whitelist ${HOME}/.sword
 whitelist ${HOME}/.local/share/bibletime
 include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
 caps.drop all
 machine-id
 netfilter
@@ -42,7 +45,9 @@ protocol unix,inet,inet6,netlink
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
+disable-mnt
 # private-bin bibletime,qt5ct
+private-cache
 private-dev
-private-etc alternatives,fonts,resolv.conf,sword,sword.conf,passwd,machine-id,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,ca-certificates,crypto-policies,fonts,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf
 private-tmp
--
cgit v1.2.3-70-g09d2
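Review bot: The added `apparmor` line in the `@@ -25,7 +26,9 @@` hunk confines the program only where firejail was built with AppArmor support and the `firejail-default` profile is loaded. Elsewhere it most likely has no effect and the rest of the profile carries the sandbox. A short comment above it would make that dependency visible, for example `# apparmor needs the firejail-default AppArmor profile to be loaded`. The same hunk adds `include whitelist-var-common.inc`, which narrows what is visible under /var; the description does not say whether BibleTime was run against it, so it is worth recording what was tested.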
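Review bot: The `private-etc` replacement in the `@@ -42,7 +45,9 @@` hunk sorts the list and adds an entry in the same edit, so the one functional change, the new `login.defs`, is hard to spot and has no stated reason. Either split the sort from the addition or say in the commit description why `login.defs` is needed inside the sandbox. `# private-bin bibletime,qt5ct` also stays commented out in a commit titled as hardening; a one-line comment such as `# private-bin disabled: <reason>` would tell the next maintainer whether it can be enabled.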