From 24934a4710e2acd015292e41414e24a7c3197038 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Thu, 31 Aug 2017 23:18:45 +0200
Subject: improve servers, harden musescore

---
 etc/dnscrypt-proxy.profile | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'etc/dnscrypt-proxy.profile')

diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index 7d48905ee..e99a2b89b 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -5,6 +5,8 @@ include /etc/firejail/dnscrypt-proxy.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+blacklist /tmp/.X11-unix
+
 noblacklist /sbin
 noblacklist /usr/sbin
 
@@ -13,12 +15,17 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+caps
 no3d
 nodvd
+nonewprivs
 nosound
 notv
 novideo
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
 
+disable-mnt
 private
 private-dev
+
+memory-deny-write-execute
-- 
cgit v1.2.3-70-g09d2

From 54ce2bc558f341c8f3f19da0cfc4502b4830a8a0 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Fri, 1 Sep 2017 03:27:46 +0200
Subject: drop disable-mnt

---
 etc/dnscrypt-proxy.profile | 1 -
 etc/unbound.profile | 1 -
 2 files changed, 2 deletions(-)

(limited to 'etc/dnscrypt-proxy.profile')

diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index e99a2b89b..ebe085e08 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
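Review bot: In the first commit's `@@ -5,6 +5,8 @@` hunk of etc/dnscrypt-proxy.profile, `blacklist /tmp/.X11-unix` is added with no comment on what it does and does not cover. It hides the X11 socket files in the filesystem; as far as I know, an X server that also listens on an abstract socket stays reachable unless the sandbox has its own network namespace, and no such setting is visible in this profile. I would put `# hides the X11 socket files only; an abstract X11 socket needs a network namespace to block` above the line so readers do not take it for complete X11 isolation.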
@@ -24,7 +24,6 @@ notv
 novideo
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
 
-disable-mnt
 private
 private-dev
 
diff --git a/etc/unbound.profile b/etc/unbound.profile
index 73c538dbe..67e0d785b 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -24,7 +24,6 @@ notv
 novideo
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
 
-disable-mnt
 private
 private-dev
 
-- 
cgit v1.2.3-70-g09d2

From f31a1dd2464e4a5c19a574a1cb3bee04f0a58319 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Sat, 2 Sep 2017 00:23:26 +0200
Subject: add back disable-mnt

---
 etc/dnscrypt-proxy.profile | 2 ++
 etc/unbound.profile | 2 ++
 2 files changed, 4 insertions(+)

(limited to 'etc/dnscrypt-proxy.profile')

diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index ebe085e08..ddd2f0b9e 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -24,7 +24,9 @@ notv
 novideo
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
 
+disable-mnt
 private
 private-dev
 
+# mdwe may break dnscrypt-proxy modules/plugins
 memory-deny-write-execute
diff --git a/etc/unbound.profile b/etc/unbound.profile
index 67e0d785b..d86fbd3bb 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -24,7 +24,9 @@ notv
 novideo
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
 
+disable-mnt
 private
 private-dev
 
+# mdwe may break unbound modules/plugins
 memory-deny-write-execute
-- 
cgit v1.2.3-70-g09d2

From fe955f7ce3eda61e1cc66202ab9700e173cb7eee Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Sat, 2 Sep 2017 01:00:37 +0200
Subject: fix mdwe

---
 etc/dnscrypt-proxy.profile | 2 +-
 etc/unbound.profile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

(limited to 'etc/dnscrypt-proxy.profile')

diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index ddd2f0b9e..14a6a7a2d 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -29,4 +29,4 @@ private
 private-dev
 
 # mdwe may break dnscrypt-proxy modules/plugins
-memory-deny-write-execute
+# memory-deny-write-execute
diff --git a/etc/unbound.profile b/etc/unbound.profile
index d86fbd3bb..b9148be20 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -29,4 +29,4 @@ private
 private-dev
 
 # mdwe may break unbound modules/plugins
-memory-deny-write-execute
+# memory-deny-write-execute
-- 
cgit v1.2.3-70-g09d2

From 3ae20e0f404f312db9e48b965622b97d9381c9a4 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Sat, 2 Sep 2017 04:15:00 +0200
Subject: slightly rephrase

---
 etc/dnscrypt-proxy.profile | 2 +-
 etc/unbound.profile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

(limited to 'etc/dnscrypt-proxy.profile')

diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index 14a6a7a2d..9d0d764d1 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -28,5 +28,5 @@ disable-mnt
 private
 private-dev
 
-# mdwe may break dnscrypt-proxy modules/plugins
+# mdwe can break modules/plugins
 # memory-deny-write-execute
diff --git a/etc/unbound.profile b/etc/unbound.profile
index b9148be20..47c1e85db 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -28,5 +28,5 @@ disable-mnt
 private
 private-dev
 
-# mdwe may break unbound modules/plugins
+# mdwe can break modules/plugins
 # memory-deny-write-execute
-- 
cgit v1.2.3-70-g09d2

From 271d0368ebace9fc00a7e1bc711614737dd609cf Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Sat, 2 Sep 2017 16:17:36 +0200
Subject: add caps.keep to unbound,dnscrypt

---
 etc/dnscrypt-proxy.profile | 1 +
 etc/unbound.profile | 1 +
 2 files changed, 2 insertions(+)

(limited to 'etc/dnscrypt-proxy.profile')

diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index 9d0d764d1..0edf815af 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
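Review bot: Commenting out `memory-deny-write-execute` in the "fix mdwe" commit's `@@ -29,4 +29,4 @@` hunk of etc/dnscrypt-proxy.profile switches the write-and-execute memory restriction off for every user of the shipped profile, and the comment above it does not say how to turn it back on. The profile already includes `/etc/firejail/dnscrypt-proxy.local`, so I would extend the comment to `# mdwe may break dnscrypt-proxy modules/plugins; add memory-deny-write-execute to dnscrypt-proxy.local if you load none`. The matching hunk in etc/unbound.profile has the same gap, assuming that profile has an equivalent local include, which is not visible here.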
@@ -16,6 +16,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps
+# caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot,sys_resource
 no3d
 nodvd
 nonewprivs
diff --git a/etc/unbound.profile b/etc/unbound.profile
index 47c1e85db..3fc2d5d51 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -16,6 +16,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps
+# caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot,sys_resource
 no3d
 nodvd
 nonewprivs
-- 
cgit v1.2.3-70-g09d2
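Review bot: The `# caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot,sys_resource` line in the `@@ -16,6 +16,7 @@` hunk is added commented out directly under the active `caps`, and nothing tells a reader whether it is a recommended alternative, an untested draft, or leftover text. As I understand firejail, plain `caps` applies the default capabilities filter while a `caps.keep` list is an allowlist, which is the tighter choice for a daemon whose needs are known. I would add `# stricter alternative to caps (allowlist); swap it in after testing your setup` above the line, and say so explicitly if the list is still untested. The same applies to the identical hunk in etc/unbound.profile.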