From 0dba38435ef92ccc01cc9ff23b69df55489ec983 Mon Sep 17 00:00:00 2001
From: Tad
Date: Wed, 5 Jul 2017 09:40:54 -0400
Subject: Harden profiles
- Added 'disable-devel.conf' to many profiles
- Added 'disable-mnt' to many profiles
- Added 'noexec' to many profiles
- Removed 'netfilter' and 'net none' from profiles with 'protocol unix'
- Cleaned up profiles using defaults
---
 etc/franz.profile | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)
(limited to 'etc/franz.profile')
diff --git a/etc/franz.profile b/etc/franz.profile
index c68b47d80..859c6ed9b 100644
--- a/etc/franz.profile
+++ b/etc/franz.profile
@@ -13,14 +13,6 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-caps.drop all
-netfilter
-nonewprivs
-noroot
-protocol unix,inet,inet6,netlink
-seccomp
-#tracelog
-
 whitelist ${DOWNLOADS}
 mkdir ~/.config/Franz
 whitelist ~/.config/Franz
@@ -30,3 +22,21 @@ mkdir ~/.pki
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+#ipc-namespace
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-dev
+private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp
-- 
cgit v1.2.3-54-g00ecf
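Review bot: `#ipc-namespace` is added to the second hunk already commented out, with nothing recording whether it was tried and found to break the application or simply deferred, so the next maintainer cannot tell whether enabling it is safe; a reason on the line itself, e.g. `#ipc-namespace  # disabled: <REASON — TODO fill in>`, would capture that. The same hunk turns the old commented `#tracelog` into an active `tracelog`, which is a behavior change (sandbox violations now get logged) that the commit message does not mention and that deserves a line there. `noexec ${HOME}` now also covers the whitelisted `${DOWNLOADS}` and `~/.config/Franz`; if the application ever writes or executes anything under those paths this will break it, which is worth confirming before merging rather than assuming. `disable-mnt` likewise hides removable media from the sandbox, so saving to /media or /mnt would presumably fail — acceptable for hardening, but also worth stating in the message.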