From 0dba38435ef92ccc01cc9ff23b69df55489ec983 Mon Sep 17 00:00:00 2001
From: Tad
Date: Wed, 5 Jul 2017 09:40:54 -0400
Subject: Harden profiles

- Added 'disable-devel.conf' to many profiles
- Added 'disable-mnt' to many profiles
- Added 'noexec' to many profiles
- Removed 'netfilter' and 'net none' from profiles with 'protocol unix'
- Cleaned up profiles using defaults
---
 etc/psi-plus.profile | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
(limited to 'etc/psi-plus.profile')

diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile
index e3ffad9a1..9500731fe 100644
--- a/etc/psi-plus.profile
+++ b/etc/psi-plus.profile
@@ -8,7 +8,9 @@ include /etc/firejail/psi-plus.local
 # Firejail profile for Psi+
 noblacklist ${HOME}/.config/psi+
 noblacklist ${HOME}/.local/share/psi+
+
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -20,10 +22,22 @@ whitelist ~/.local/share/psi+
 mkdir ~/.cache/psi+
 whitelist ~/.cache/psi+
+include /etc/firejail/whitelist-common.inc
+
 caps.drop all
 netfilter
+no3d
+nogroups
+nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 seccomp
+shell none
-include /etc/firejail/whitelist-common.inc
+private-dev
+private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp
--
cgit v1.2.3-54-g00ecf
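Review bot: `noexec ${HOME}` at the end of the second hunk may not reach the directories Psi+ can actually write to: with `whitelist-common.inc` and the `whitelist ~/...` entries in effect, ~/.config/psi+, ~/.local/share/psi+ and ~/.cache/psi+ are bind mounts beneath a tmpfs home, and a noexec remount of the parent mount does not necessarily propagate into them. Please confirm against the firejail version this targets, and if it does not propagate, list them explicitly: `noexec ${HOME}/.config/psi+`, `noexec ${HOME}/.local/share/psi+`, `noexec ${HOME}/.cache/psi+` — otherwise the only writable, persistent paths in the sandbox stay executable and the hardening is narrower than it looks. Conversely, if Psi+ loads user-installed plugin .so files from under ~/.local/share/psi+ (not shown here), noexec on that path makes dlopen fail, so the intended trade-off should be recorded above the line, e.g. `# noexec on ${HOME} also blocks user-installed plugins; override in psi-plus.local if needed`. `disable-mnt`, which per its documentation blanks /mnt, /media, /run/mount and /run/media, likewise deserves a one-line comment since it prevents sending files from removable media inside the sandbox.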