From 3b8453d5301608386d9a933c0862e5e049c4879e Mon Sep 17 00:00:00 2001
From: Fred-Barclay
Date: Mon, 24 Oct 2016 15:21:41 -0500
Subject: blacklisted kernel files
---
 etc/disable-common.inc | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'etc/disable-common.inc')
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 4f854c8d8..29de8cca9 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -172,3 +172,7 @@ blacklist ${PATH}/roxterm-config
 blacklist ${PATH}/terminix
 blacklist ${PATH}/urxvtc
 blacklist ${PATH}/urxvtcd
+
+# kernel files
+blacklist /vmlinuz*
+blacklist /initrd*
--
cgit v1.2.3-54-g00ecf
From b588020b4540480fdd3aaa11da8bd472b2dfdb60 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Tue, 25 Oct 2016 12:26:17 -0400
Subject: fixes
---
 README | 2 ++
 etc/disable-common.inc | 27 ++++++++++++++++++++++-----
 2 files changed, 24 insertions(+), 5 deletions(-)
(limited to 'etc/disable-common.inc')
diff --git a/README b/README
index f4fd52666..6ed82907f 100644
--- a/README
+++ b/README
@@ -47,6 +47,7 @@ Aleksey Manevich (https://github.com/manevich)
  - added --join-or-start command
  - CVE-2016-7545
 Fred-Barclay (https://github.com/Fred-Barclay)
+ - lots of profile fixes
  - added Vivaldi, Atril profiles
  - added PaleMoon profile
  - split Icedove and Thunderbird profiles
@@ -83,6 +84,7 @@ valoq (https://github.com/valoq)
  - cherrytree profile fixes
  - added support for /srv in --whitelist feature
  - Eye of GNOME and Evolution profiles
+ - blacklist suid binaries in disable-common.inc
 Rafael Cavalcanti (https://github.com/rccavalcanti)
  - chromium profile fixes for Arch Linux
 Deelvesh Bunjun (https://github.com/DeelveshBunjun)
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 29de8cca9..3c0b2160c 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
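Review bot: The two globs added under `# kernel files` in the first commit (3b8453d5) match only entries directly in `/`, while kernel and initramfs images normally live in `/boot`, which this hunk leaves readable. If no profile that includes this file needs that directory, `blacklist /boot` would be the more complete rule. Where `/vmlinuz` and `/initrd.img` are symlinks, whether the rule hides the target or only the link depends on how blacklist resolves symlinks, and is worth confirming on such a system. The comment could also give the reason, e.g. `# kernel files: initramfs images can embed boot-time secrets and reveal the exact kernel build`.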
@@ -137,6 +137,11 @@ blacklist /etc/gshadow+
 blacklist /etc/ssh
 blacklist /var/backup
 
+# system directories
+blacklist /sbin
+blacklist /usr/sbin
+blacklist /usr/local/sbin
+
 # system management
 blacklist ${PATH}/umount
 blacklist ${PATH}/mount
@@ -149,11 +154,23 @@ blacklist ${PATH}/xev
 blacklist ${PATH}/strace
 blacklist ${PATH}/nc
 blacklist ${PATH}/ncat
-
-# system directories
-blacklist /sbin
-blacklist /usr/sbin
-blacklist /usr/local/sbin
+blacklist ${PATH}/gpasswd
+blacklist ${PATH}/newgidmap
+blacklist ${PATH}/newgrp
+blacklist ${PATH}/newuidmap
+blacklist ${PATH}/pkexec
+blacklist ${PATH}/sg
+blacklist ${PATH}/rsh
+blacklist ${PATH}/rlogin
+blacklist ${PATH}/rcp
+blacklist ${PATH}/crontab
+blacklist ${PATH}/ksu
+blacklist ${PATH}/chsh
+blacklist ${PATH}/chfn
+blacklist ${PATH}/chage
+blacklist ${PATH}/expiry
+blacklist ${PATH}/ping
+blacklist ${PATH}/unix_chkpwd
 
 # prevent lxterminal connecting to an existing lxterminal session
 blacklist /tmp/.lxterminal-socket*
--
cgit v1.2.3-54-g00ecf
From 834da29e4c467ca074209b51effef38f8a238e84 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Wed, 26 Oct 2016 09:15:50 -0400
Subject: removed ping blacklisting
---
 etc/disable-common.inc | 1 -
 1 file changed, 1 deletion(-)
(limited to 'etc/disable-common.inc')
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 3c0b2160c..848513454 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -169,7 +169,6 @@ blacklist ${PATH}/chsh
 blacklist ${PATH}/chfn
 blacklist ${PATH}/chage
 blacklist ${PATH}/expiry
-blacklist ${PATH}/ping
 blacklist ${PATH}/unix_chkpwd
 
 # prevent lxterminal connecting to an existing lxterminal session
--
cgit v1.2.3-54-g00ecf
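Review bot: The `${PATH}/…` entries appended after `ncat` in the second hunk of the "fixes" commit (b588020b) have no heading, although the README line in the same commit describes them as suid binaries. A comment line such as `# suid and privileged helper binaries` above `blacklist ${PATH}/gpasswd` would record why they are grouped. A by-name list only covers the names it spells out, so it is best treated as defence in depth alongside `nonewprivs` and `caps.drop all` in the profiles that include this file. On distributions where `rsh`, `rlogin` and `rcp` are alternatives symlinks to the OpenSSH client, these rules may also hide `ssh` and `scp` if blacklist follows symlinks; that is inferred rather than visible here and worth confirming.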