From 9057fd7a5e80268d68dc7b10852120f9cc7df2a6 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Sat, 22 Jul 2023 12:37:24 +0000
Subject: torbrowser-launcher: hardening (#5886)

torbrowser-launcher: more hardening as per review

torbrowser-launcher: revert enabling restrict-namespaces

Suggested in review by @rusty-snake.
---
 etc/profile-m-z/torbrowser-launcher.profile | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'etc/profile-m-z/torbrowser-launcher.profile')

diff --git a/etc/profile-m-z/torbrowser-launcher.profile b/etc/profile-m-z/torbrowser-launcher.profile
index 41ac6f7a7..86746c7f1 100644
--- a/etc/profile-m-z/torbrowser-launcher.profile
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -22,6 +22,7 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -33,9 +34,10 @@ whitelist ${HOME}/.local/share/torbrowser
 whitelist /opt/tor-browser
 whitelist /usr/share/torbrowser-launcher
 include whitelist-common.inc
-include whitelist-var-common.inc
+include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
 # Add 'apparmor' to your torbrowser-launcher.local to enable AppArmor support.
 # IMPORTANT: the relevant rule in /etc/apparmor.d/local/firejail-default will need
@@ -53,12 +55,14 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp !chroot
+seccomp.block-secondary
 #tracelog - may cause issues, see #1930
 
 disable-mnt
 private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
 private-dev
 private-etc @tls-ca
+#private-opt tor-browser - can cause slow startup
 private-tmp
 
 dbus-user none
-- 
cgit v1.2.3-70-g09d2
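Review bot: The new `seccomp.block-secondary` line records no assumption about the architecture of the browser it will sandbox, yet it makes any process using the secondary syscall ABI (32-bit calls on an x86_64 host) die with SIGSYS, and the whitelisted `/opt/tor-browser` tree is installed by the launcher rather than by the profile. A comment such as `# Tor Browser is built 64-bit only; remove this line if a 32-bit build or helper is ever installed` above it would make the dependency explicit for whoever next sees an unexplained SIGSYS. The disabled `#private-opt tor-browser - can cause slow startup` line is written in the same form as `#tracelog - may cause issues, see #1930`, but unlike that line it cites no issue or measurement, so a later reviewer cannot tell whether the slowdown still applies; adding the report it came from would let it be re-enabled with confidence. Note that the `seccomp !chroot` context line still leaves chroot allowed, so block-secondary narrows the ABI but not that syscall; I presume the launcher needs it, and a short why-comment there would stop it being dropped in a future hardening pass.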