From 0dba38435ef92ccc01cc9ff23b69df55489ec983 Mon Sep 17 00:00:00 2001
From: Tad
Date: Wed, 5 Jul 2017 09:40:54 -0400
Subject: Harden profiles

- Added 'disable-devel.conf' to many profiles
- Added 'disable-mnt' to many profiles
- Added 'noexec' to many profiles
- Removed 'netfilter' and 'net none' from profiles with 'protocol unix'
- Cleaned up profiles using defaults
---
 etc/dropbox.profile | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)

(limited to 'etc/dropbox.profile')

diff --git a/etc/dropbox.profile b/etc/dropbox.profile
index f1d7fad82..2319b337b 100644
--- a/etc/dropbox.profile
+++ b/etc/dropbox.profile
@@ -9,16 +9,10 @@ include /etc/firejail/dropbox.local
 noblacklist ~/.config/autostart
 noblacklist ~/.dropbox-dist
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
-caps
-nonewprivs
-noroot
-novideo
-protocol unix,inet,inet6
-seccomp
-
 mkdir ~/Dropbox
 whitelist ~/Dropbox
 mkdir ~/.dropbox
@@ -28,3 +22,20 @@ whitelist ~/.dropbox-dist
 mkfile ~/.config/autostart/dropbox.desktop
 whitelist ~/.config/autostart/dropbox.desktop
 
+
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec /tmp
--
cgit v1.2.3-70-g09d2
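Review bot: The added `netfilter` line in the second hunk may not filter anything on its own: firejail's netfilter rules are applied inside a sandbox-private network namespace, and no `net` directive is visible in this hunk, so unless the rest of the profile (or a local override) creates one this line presumably is a warning-and-ignore no-op rather than hardening — please confirm against the firejail version targeted, and either add a `net` line or drop `netfilter` so the profile does not advertise filtering it does not perform. Separately, the hardening stops at `noexec /tmp` while `~/.dropbox-dist` stays whitelisted and executable; since the daemon is evidently run out of that directory, a comment next to the noexec line such as `# ${HOME} must stay executable: the Dropbox daemon lives in ~/.dropbox-dist` would tell the next maintainer why `noexec ${HOME}` was deliberately not added here as it was in other profiles. The profile's remaining directives (including any `net` line) fall outside this hunk.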