From f9c9c469a23dbb6d484f82f6ba719d662b784753 Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Fri, 17 Jan 2020 23:31:46 +0000 Subject: hardenings for various profiles (#3160) * harden devilspie * harden devilspie2 * harden curl * harden wget * harden curl * harden dig * harden claws-mail * harden dnscrypt-proxy * harden dnscrypt-proxy * harden dnscrypt-proxy * harden exfalso * refactor easystroke as whitelist profile * refactor enchant as whitelist profile * safeguard ${DOCUMENTS} Thanks @rusty-snake for the suggestion. * drop x11-none Thanks @rusty-snake for catching this. * drop x11 none Thanks @rusty-snake for saving the bacon... * drop x11 none Thanks @rusty-snake for catching this. * drop x11 none Thanks @rusty-snake for preventing breakage! * drop ipc-namespace Better safe than sorry... --- etc/dnscrypt-proxy.profile | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'etc/dnscrypt-proxy.profile') diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile index d0430d5ca..65722b3ef 100644 --- a/etc/dnscrypt-proxy.profile +++ b/etc/dnscrypt-proxy.profile @@ -7,6 +7,8 @@ include dnscrypt-proxy.local # Persistent global definitions include globals.local +blacklist /tmp/.X11-unix + noblacklist /sbin noblacklist /usr/sbin @@ -20,10 +22,13 @@ include disable-xdg.inc whitelist /usr/share/dnscrypt-proxy include whitelist-usr-share-common.inc +include whitelist-var-common.inc +apparmor caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot ipc-namespace machine-id +netfilter no3d nodbus nodvd 
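Review bot: The new `blacklist /tmp/.X11-unix` in the first hunk carries no comment saying why the stronger `x11 none` is not used, and the commit message only hints at breakage without naming this profile, so a later maintainer cannot recover the reasoning from the file. Hiding the socket directory is also only part of what `x11 none` does (it additionally clears DISPLAY/XAUTHORITY and blacklists the Xauthority file), so the line is weaker than it may look; in practice the `protocol inet,inet6` line further down already denies creating unix-domain sockets, which is what actually keeps the X server unreachable. Suggest recording that inline above the line: `# x11 none reported to break this profile; hide the socket path instead (unix sockets are already denied by 'protocol' below)`.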
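Review bot: `netfilter` in the second hunk only takes effect when the sandbox gets its own network namespace via a `net` command, and no such line is visible in this hunk or elsewhere in the diff, so as written it is most likely a no-op. If a user later adds `net`, the default client filter drops new inbound connections, which would block the queries a resolver listening on port 53 has to accept; either drop the line or document the intent, e.g. `# netfilter only applies with a 'net' namespace; the default filter blocks inbound port 53`. The new `include whitelist-var-common.inc` hides everything under /var that the include does not list; if this installation keeps its resolver cache or log files under /var (check the `cache_file` and log settings in dnscrypt-proxy.toml), those paths need an explicit `whitelist` line next to it or the daemon will silently lose them.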
@@ -34,6 +39,8 @@ nou2f novideo protocol inet,inet6 seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice +shell none +tracelog disable-mnt private -- cgit v1.2.3-70-g09d2
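Review bot: `tracelog` is implemented as an LD_PRELOAD shim, so it records nothing for a statically linked program; dnscrypt-proxy 2.x is a Go binary that distributions commonly ship static, in which case this line gives a false sense of audit coverage. Worth confirming with `ldd` on the installed binary and, if it reports a non-dynamic executable, either dropping the line or annotating it `# tracelog has no effect on a static binary`. `shell none` is appropriate for a daemon started directly by a service manager, but if any launcher wraps the command in a shell the sandbox will refuse to start, so the systemd unit or init script deserves a quick check. Separately, the `seccomp.drop` context line lists `perf_event_open` twice; harmless, but a tidy-up for a follow-up.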