From 29ab333108072307c38e475e9a70c32fb5182ce6 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 21 Dec 2016 10:29:14 +0100 Subject: hardened various profiles --- etc/7z.profile | 5 +++++ etc/cpio.profile | 3 ++- etc/exiftool.profile | 3 +++ etc/gpg-agent.profile | 3 +++ etc/gpg.profile | 3 +++ etc/less.profile | 3 +++ etc/mutt.profile | 3 +++ etc/odt2txt.profile | 3 +++ etc/pdftotext.profile | 3 +++ etc/ssh-agent.profile | 3 +++ etc/strings.profile | 3 ++- etc/tracker.profile | 3 +++ etc/wget.profile | 2 ++ etc/xpra.profile | 2 ++ 14 files changed, 40 insertions(+), 2 deletions(-) (limited to 'etc') diff --git a/etc/7z.profile b/etc/7z.profile index 0cb72ff8d..319126540 100644 --- a/etc/7z.profile +++ b/etc/7z.profile @@ -1,9 +1,14 @@ # 7zip crompression tool profile quiet ignore noroot + include /etc/firejail/default.profile + +blacklist /tmp/.X11-unix + tracelog net none shell none private-dev nosound +no3d diff --git a/etc/cpio.profile b/etc/cpio.profile index 519bd244c..cf89acdac 100644 --- a/etc/cpio.profile +++ b/etc/cpio.profile @@ -16,6 +16,7 @@ shell none tracelog net none nosound +no3d - +blacklist /tmp/.X11-unix diff --git a/etc/exiftool.profile b/etc/exiftool.profile index 384695473..1cae8c093 100644 --- a/etc/exiftool.profile +++ b/etc/exiftool.profile @@ -17,9 +17,12 @@ protocol unix seccomp netfilter net none +no3d shell none tracelog +blacklist /tmp/.X11-unix + # private-bin exiftool,perl private-tmp private-dev diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile index b0ebdf43c..59c7383d7 100644 --- a/etc/gpg-agent.profile +++ b/etc/gpg-agent.profile @@ -14,9 +14,12 @@ nosound protocol unix seccomp netfilter +no3d shell none tracelog +blacklist /tmp/.X11-unix + # private-bin gpg-agent,gpg private-tmp private-dev diff --git a/etc/gpg.profile b/etc/gpg.profile index 31372eb90..d711c6f3e 100644 --- a/etc/gpg.profile +++ b/etc/gpg.profile 
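Review bot: Blacklisting `/tmp/.X11-unix` in gpg-agent.profile breaks graphical pinentry (pinentry-gtk-2, -qt, -gnome3), because gpg-agent spawns pinentry inside the same sandbox and the passphrase dialog needs the X socket; depending on the pinentry flavour the user gets a failed passphrase prompt or a fall-back to a curses prompt. Note that the `private-tmp` context line just below does not already cover this: firejail's private-tmp deliberately keeps /tmp/.X11-unix available inside the fresh /tmp, which is exactly why the new blacklist line has an effect. If denying X11 to the agent is intended, say so next to the line, e.g. `# X11 is denied on purpose: only a terminal pinentry (pinentry-curses/-tty) works under this profile`; otherwise the line should be dropped from this profile rather than silently breaking the common desktop setup.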
@@ -15,9 +15,12 @@ protocol unix seccomp netfilter net none +no3d shell none tracelog +blacklist /tmp/.X11-unix + # private-bin gpg,gpg-agent private-tmp private-dev diff --git a/etc/less.profile b/etc/less.profile index 08758aead..c01dfc466 100644 --- a/etc/less.profile +++ b/etc/less.profile @@ -5,7 +5,10 @@ include /etc/firejail/default.profile net none nosound +no3d shell none tracelog +blacklist /tmp/.X11-unix + private-dev diff --git a/etc/mutt.profile b/etc/mutt.profile index 2718421c5..5a714de4a 100644 --- a/etc/mutt.profile +++ b/etc/mutt.profile @@ -33,8 +33,11 @@ nogroups nonewprivs noroot nosound +no3d protocol unix,inet,inet6 seccomp shell none +blacklist /tmp/.X11-unix + private-dev diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile index 329275022..c4e28f70e 100644 --- a/etc/odt2txt.profile +++ b/etc/odt2txt.profile @@ -13,9 +13,12 @@ protocol unix seccomp netfilter net none +no3d shell none tracelog +blacklist /tmp/.X11-unix + private-bin odt2txt private-tmp private-dev diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile index 632c9d15e..fe9e9e3cd 100644 --- a/etc/pdftotext.profile +++ b/etc/pdftotext.profile @@ -13,9 +13,12 @@ protocol unix seccomp netfilter net none +no3d shell none tracelog +blacklist /tmp/.X11-unix + private-bin pdftotext private-tmp private-dev diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile index 548ede37d..bea3a6061 100644 --- a/etc/ssh-agent.profile +++ b/etc/ssh-agent.profile @@ -12,5 +12,8 @@ caps.drop all netfilter nonewprivs noroot +no3d protocol unix,inet,inet6 seccomp + +blacklist /tmp/.X11-unix diff --git a/etc/strings.profile b/etc/strings.profile index 2b7724b11..2bbab1366 100644 --- a/etc/strings.profile +++ b/etc/strings.profile @@ -7,5 +7,6 @@ net none nosound shell none tracelog - private-dev +no3d +blacklist /tmp/.X11-unix diff --git a/etc/tracker.profile b/etc/tracker.profile index 217631216..7f4f371eb 100644 --- a/etc/tracker.profile +++ b/etc/tracker.profile 
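Review bot: The new `blacklist /tmp/.X11-unix` in gpg.profile has the same pinentry side effect as in gpg-agent.profile whenever gpg has to auto-launch its own agent inside the sandbox (GnuPG 2.1+ does this when no agent socket is reachable): the pinentry it spawns cannot reach the X display. When an agent is already running outside the sandbox the line is harmless, since the prompt is shown by that external agent. A short comment on the blacklist line, e.g. `# no X11: if gpg has to start its own agent here, use a terminal pinentry`, would save the next maintainer from debugging a missing passphrase dialog.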
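Review bot: In mutt.profile the filesystem blacklist only closes half of the X11 door, because this profile keeps `protocol unix,inet,inet6` and has no `net none`: the X server also listens on the abstract-namespace socket (`@/tmp/.X11-unix/X0`), which lives in the network namespace, not the filesystem, so a process in the sandbox can still connect to it. The profiles in this commit that carry `net none` (7z, cpio, exiftool, gpg, less, odt2txt, pdftotext, strings) do not have this gap; mutt, ssh-agent and wget do. If the goal is really no X11, pair the blacklist with `rmenv DISPLAY` (or `x11 none`, if the targeted firejail release supports it) and add a comment noting that mailcap viewers launched from mutt will then have no display; if the goal is only to block the socket file, the comment should say that the abstract socket is still reachable.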
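Review bot: The `blacklist /tmp/.X11-unix` added to ssh-agent.profile will stop the confirmation dialog that ssh-agent spawns via ssh-askpass for keys added with `ssh-add -c` (and any `SSH_ASKPASS` helper), since that helper runs inside the agent's sandbox and needs the display. The failure is closed rather than open — the agent refuses the signature when the askpass program fails — but users relying on confirm-on-use keys will see every signing request denied with no obvious cause. As with mutt.profile, the abstract X socket stays reachable here because the profile keeps `protocol unix,inet,inet6` and no `net none`. Worth a line next to the blacklist: `# X11 denied: ssh-add -c / SSH_ASKPASS confirmations will not work under this profile`.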
@@ -12,12 +12,15 @@ nogroups nonewprivs noroot nosound +no3d protocol unix seccomp netfilter shell none tracelog +blacklist /tmp/.X11-unix + # private-bin tracker # private-tmp # private-dev diff --git a/etc/wget.profile b/etc/wget.profile index d9bca2acc..ff4b92bae 100644 --- a/etc/wget.profile +++ b/etc/wget.profile @@ -10,10 +10,12 @@ nonewprivs noroot nogroups nosound +no3d protocol unix,inet,inet6 seccomp shell none +blacklist /tmp/.X11-unix # private-bin wget # private-etc resolv.conf diff --git a/etc/xpra.profile b/etc/xpra.profile index 8584e4e5b..32be90b19 100644 --- a/etc/xpra.profile +++ b/etc/xpra.profile @@ -14,6 +14,8 @@ shell none seccomp protocol unix,inet,inet6 +# blacklist /tmp/.X11-unix + # private-bin private-dev private-tmp -- cgit v1.2.3-54-g00ecf
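Review bot: wget.profile keeps its network (`protocol unix,inet,inet6`, no `net none`), so the new `blacklist /tmp/.X11-unix` does not block the X server's abstract-namespace socket (`@/tmp/.X11-unix/X0`) and, if the X server listens on TCP, port 6000 either; the line hardens against the socket file only, which is fine but should be stated. Stylistically the line is also inserted directly before `# private-bin wget` with no separating blank line, whereas every other profile in this commit puts the blacklist in its own paragraph; a blank line after it would keep the files consistent. Suggested comment on the line: `# blocks the X socket file only; the abstract socket remains reachable while networking is enabled`.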
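Review bot: The new `# blacklist /tmp/.X11-unix` in xpra.profile is a commented-out directive with no explanation, which reads as a leftover rather than a decision; a later "harden everything" pass is likely to uncomment it and break the profile. Since xpra attaches to and serves X displays, the reason is obvious to the author but not to the next reader — replace the bare commented directive with a statement of intent such as `# xpra needs the X socket (it attaches to / serves displays); do not blacklist /tmp/.X11-unix here`.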