From 0dba38435ef92ccc01cc9ff23b69df55489ec983 Mon Sep 17 00:00:00 2001
From: Tad
Date: Wed, 5 Jul 2017 09:40:54 -0400
Subject: Harden profiles

- Added 'disable-devel.conf' to many profiles
- Added 'disable-mnt' to many profiles
- Added 'noexec' to many profiles
- Removed 'netfilter' and 'net none' from profiles with 'protocol unix'
- Cleaned up profiles using defaults
---
 etc/google-play-music-desktop-player.profile | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

(limited to 'etc/google-play-music-desktop-player.profile')

diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile
index ed6b11002..c373cc34c 100644
--- a/etc/google-play-music-desktop-player.profile
+++ b/etc/google-play-music-desktop-player.profile
@@ -13,13 +13,25 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+#whitelist ~/.pulse
+#whitelist ~/.config/pulse
+whitelist ~/.config/Google Play Music Desktop Player
+
 caps.drop all
+#ipc-namespace
+netfilter
+no3d
+nogroups
 nonewprivs
 noroot
-netfilter
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
+shell none
-#whitelist ~/.pulse
-#whitelist ~/.config/pulse
-whitelist ~/.config/Google Play Music Desktop Player
+private-dev
+private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp
-- 
cgit v1.2.3-70-g09d2
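Review bot: The new `#ipc-namespace` line and the two relocated `#whitelist ~/.pulse` / `#whitelist ~/.config/pulse` lines are added to the profile disabled with no comment saying why, so the next hardening pass cannot tell whether they were tried and found to break playback or were simply never enabled. A one-line comment above each, e.g. `# ipc-namespace kept off: breaks <what was observed> - retest before enabling`, records the decision and keeps the profile self-documenting. With `whitelist ~/.config/Google Play Music Desktop Player` now the only home entry and `private-tmp` plus `disable-mnt` added, anything the player kept under /mnt, /media or /tmp is no longer visible; that is presumably acceptable for a streaming client, but the commit message does not say it was checked. `netfilter` is removed and re-added in this hunk, so it is a reordering rather than the removal the subject line describes; the profile keeps inet/inet6 in its `protocol` line, which is consistent with keeping it.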