From 3c3602fe4e747f3489c917f4de991c9043df9751 Mon Sep 17 00:00:00 2001
From: Tad
Date: Sat, 16 Sep 2017 14:11:43 -0400
Subject: Harden 25 profiles
---
 etc/Viber.profile | 5 +++++
 etc/amule.profile | 9 +++++++++
 etc/ardour5.profile | 5 ++++-
 etc/brackets.profile | 14 +++++++++-----
 etc/calligra.profile | 9 ++++++---
 etc/cin.profile | 7 +++++--
 etc/dooble.profile | 12 ++++++++++++
 etc/fetchmail.profile | 9 ++++++++-
 etc/freecad.profile | 5 ++++-
 etc/google-earth.profile | 7 ++++++-
 etc/imagej.profile | 10 +++++++++-
 etc/karbon.profile | 24 ++----------------------
 etc/kdenlive.profile | 4 ++++
 etc/krita.profile | 7 +++++++
 etc/linphone.profile | 16 ++++++++++++++++
 etc/lmms.profile | 10 ++++++++--
 etc/macrofusion.profile | 9 ++++++++-
 etc/mpd.profile | 13 +++++++++++++
 etc/natron.profile | 11 +++++++++--
 etc/ricochet.profile | 10 +++++++++-
 etc/shotcut.profile | 7 +++++--
 etc/teamspeak3.profile | 16 ++++++++++++++++
 etc/tor-browser-en.profile | 8 ++++++++
 etc/tor.profile | 9 +++++++++
 etc/zart.profile | 6 ++++++
 25 files changed, 197 insertions(+), 45 deletions(-)
(limited to 'etc')
diff --git a/etc/Viber.profile b/etc/Viber.profile
index ee1ab6219..468199dd8 100644
--- a/etc/Viber.profile
+++ b/etc/Viber.profile
@@ -19,11 +19,16 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 ipc-namespace
+netfilter
+nodvd
 nogroups
+nonewprivs
 noroot
+notv
 seccomp
 shell none
+disable-mnt
 private-bin sh,dig,awk
 private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf
 private-tmp
diff --git a/etc/amule.profile b/etc/amule.profile
index 48aad759d..c59377850 100644
--- a/etc/amule.profile
+++ b/etc/amule.profile
@@ -19,12 +19,21 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 ipc-namespace
+netfilter
+no3d
+nodvd
 nogroups
 nonewprivs
 noroot
+nosound
+notv
+novideo
 seccomp
 shell none
 private-bin amule
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
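Review bot: The added `netfilter` line in Viber.profile is, as far as I recall firejail's behaviour, only applied when the sandbox gets its own network namespace through a `net <interface>` line; this profile has none and shares the host stack, so the filter is most likely a no-op here. The same applies to the `+netfilter` lines added to amule, brackets, fetchmail, google-earth, linphone, mpd, natron, ricochet, tor-browser-en and tor in this patch. Either confirm that firejail installs the default client filter without a network namespace, or keep the line and record the intent with a comment such as `# netfilter takes effect only once a net interface is configured`, so readers do not mistake it for active inbound filtering.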
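Review bot: amule.profile gains `netfilter`, `nosound` and `novideo` but no `protocol` line, whereas every other network-enabled profile in this patch (dooble, fetchmail, google-earth, linphone, mpd, ricochet, teamspeak3, tor-browser-en, tor) carries `protocol unix,inet,inet6`. Adding `protocol unix,inet,inet6` after `+novideo` would make the seccomp socket-family restriction consistent across the commit and deny netlink/packet sockets to a client that only needs TCP/UDP.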
diff --git a/etc/ardour5.profile b/etc/ardour5.profile
index 42744f4dd..738b5990a 100644
--- a/etc/ardour5.profile
+++ b/etc/ardour5.profile
@@ -19,8 +19,11 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodvd
 nogroups
+nonewprivs
 noroot
+notv
 seccomp
 shell none
@@ -29,5 +32,5 @@ private-dev
 #private-etc pulse,X11,alternatives,ardour4,ardour5,fonts
 private-tmp
-noexec /home
+noexec ${HOME}
 noexec /tmp
diff --git a/etc/brackets.profile b/etc/brackets.profile
index 151d88bdd..0a8c592a7 100644
--- a/etc/brackets.profile
+++ b/etc/brackets.profile
@@ -14,12 +14,16 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
-# Comment out or use --ignore=net if you want to install extensions or themes
-net none
-# Disable these if you use live preview (until I figure out a workaround)
-# Doing so should be relatively safe since there is no network access
+netfilter
+nodvd
+nogroups
+nonewprivs
 noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
 seccomp
+shell none
-private-bin bash,brackets,readlink,dirname,google-chrome,cat
 private-dev
diff --git a/etc/calligra.profile b/etc/calligra.profile
index 58006f203..e90c8efe8 100644
--- a/etc/calligra.profile
+++ b/etc/calligra.profile
@@ -12,15 +12,18 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
-net none
+nodvd
 nogroups
+nonewprivs
 noroot
+notv
+novideo
+protocol unix
 seccomp
 shell none
 private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch
 private-dev
-#private-etc fonts,passwd,alternatives,X11
-noexec /home
+noexec ${HOME}
 noexec /tmp
diff --git a/etc/cin.profile b/etc/cin.profile
index e895805eb..93a94c910 100644
--- a/etc/cin.profile
+++ b/etc/cin.profile
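Review bot: This hunk loosens brackets.profile although the commit is titled as hardening: `net none` is replaced by `netfilter` plus `protocol unix,inet,inet6`, giving the editor full outbound network, and the `private-bin bash,brackets,...` restriction is deleted outright rather than commented out the way shotcut's is in this same patch. The removed comment was the only record of why the network was blocked and how to re-enable it; if open network is now the default, keep that rationale, e.g. `# network is enabled so extensions and themes can be installed; use net none if you do not need that`. If `private-bin` was dropped because it broke live preview, say so in a `#private-bin bash,brackets,readlink,dirname,google-chrome,cat` line so the restriction can be restored later.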
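Review bot: calligra.profile drops `net none` and adds `protocol unix`, which is not an equivalent substitute: `protocol` is a seccomp filter on the socket() address family, while `net none` also placed the sandbox in an empty network namespace (no host interfaces, and abstract Unix sockets no longer shared with the host). cin and freecad in this same patch keep `net none` together with `protocol unix`; unless calligra now needs the host network — nothing in the hunk says so — keep the ` net none` line alongside `+protocol unix`.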
@@ -15,14 +15,17 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodvd
 nogroups
+nonewprivs
+notv
 noroot
+protocol unix
 seccomp
 shell none
 private-bin cin
 private-dev
-#private-etc fonts,pulse
-noexec /home
+noexec ${HOME}
 noexec /tmp
diff --git a/etc/dooble.profile b/etc/dooble.profile
index cbb0f96b8..aabfcd8bb 100644
--- a/etc/dooble.profile
+++ b/etc/dooble.profile
@@ -20,8 +20,20 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 netfilter
+nodvd
+nogroups
 nonewprivs
 noroot
+notv
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
+shell none
 tracelog
+
+disable-mnt
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/fetchmail.profile b/etc/fetchmail.profile
index 2b2be4c16..9ee59f453 100644
--- a/etc/fetchmail.profile
+++ b/etc/fetchmail.profile
@@ -12,11 +12,18 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
+netfilter
+no3d
+nodvd
 nogroups
+nonewprivs
 noroot
 nosound
+notv
+novideo
+protocol unix,inet,inet6
 seccomp
+shell none
 # private-bin fetchmail,procmail,bash,chmod
 private-dev
-# private-etc passwd,hosts,resolv.conf
diff --git a/etc/freecad.profile b/etc/freecad.profile
index c2d4661e8..4fde66839 100644
--- a/etc/freecad.profile
+++ b/etc/freecad.profile
@@ -16,16 +16,19 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodvd
 nogroups
+nonewprivs
 noroot
 nosound
+notv
+novideo
 protocol unix
 seccomp
 shell none
 private-bin freecad,freecadcmd
 private-dev
-#private-etc fonts,passwd,alternatives,X11
 private-tmp
 noexec ${HOME}
diff --git a/etc/google-earth.profile b/etc/google-earth.profile
index 11d55281a..32da9a5a8 100644
--- a/etc/google-earth.profile
+++ b/etc/google-earth.profile
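Review bot: In cin.profile the new `+notv` is inserted above ` noroot`, whereas every other hunk in this patch keeps the alphabetical order `noroot`, `notv`. Moving `+notv` below ` noroot` is purely cosmetic, but it keeps the profiles greppable and consistent with the rest of the commit.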
@@ -21,14 +21,19 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 ipc-namespace
+netfilter
+nodvd
 nogroups
+nonewprivs
 noroot
+notv
+novideo
+protocol unix,inet,inet6
 seccomp
 shell none
 private-bin google-earth,sh,grep,sed,ls,dirname
 private-dev
-#private-etc fonts,resolv.conf,X11,alternatives,pulse
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/imagej.profile b/etc/imagej.profile
index 4613e378f..88a56c706 100644
--- a/etc/imagej.profile
+++ b/etc/imagej.profile
@@ -16,12 +16,20 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodvd
 nogroups
 nonewprivs
 noroot
+nosound
+notv
+novideo
+protocol unix
 seccomp
+shell none
 private-bin imagej,bash,grep,sort,tail,tr,cut,whoami,hostname,uname,mkdir,ls,touch,free,awk,update-java-alternatives,basename,xprop,rm,ln
 private-dev
-# private-etc passwd,alternatives,hosts,fonts,X11
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/karbon.profile b/etc/karbon.profile
index 7d7f25ad0..d94f20012 100644
--- a/etc/karbon.profile
+++ b/etc/karbon.profile
@@ -1,25 +1,5 @@
-# Firejail profile for karbon
+# Firejail profile alias for krita
 # This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/karbon.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-ipc-namespace
-net none
-nogroups
-noroot
-seccomp
-shell none
-
-private-dev
-
-noexec /home
-noexec /tmp
+include /etc/firejail/krita.profile
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile
index b91bd9c41..56bb729e1 100644
--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -13,8 +13,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
+nodvd
 nogroups
+nonewprivs
 noroot
+notv
+protocol unix,inet,inet6
 seccomp
 shell none
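Review bot: Turning karbon.profile into an alias of krita.profile removes the `include /etc/firejail/karbon.local` line, so any local customizations a user keeps in karbon.local silently stop being applied and would now have to live in krita.local. That consequence is not visible from the two-line result; note it in the header, e.g. `# Local customizations belong in /etc/firejail/krita.local (karbon.local is no longer read)`. It is also worth checking that krita.profile carries no krita-specific paths that karbon would not use.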
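Review bot: kdenlive.profile keeps ` net none` yet the hunk adds `protocol unix,inet,inet6`, which permits inet socket families that the empty network namespace can never use; the other `net none` profiles in this patch (cin, freecad, imagej, krita, lmms, macrofusion, shotcut, zart) use `protocol unix`. Change the line to `protocol unix` so the seccomp filter matches the network policy, or drop `net none` deliberately and document it if kdenlive really needs network access.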
diff --git a/etc/krita.profile b/etc/krita.profile
index d60ef2fa7..2dfd084ef 100644
--- a/etc/krita.profile
+++ b/etc/krita.profile
@@ -14,12 +14,19 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodvd
 nogroups
+nonewprivs
 noroot
+nosound
+notv
+novideo
+protocol unix
 seccomp
 shell none
 private-dev
+private-tmp
 noexec /home
 noexec /tmp
diff --git a/etc/linphone.profile b/etc/linphone.profile
index 8763b348a..41f9245a2 100644
--- a/etc/linphone.profile
+++ b/etc/linphone.profile
@@ -21,5 +21,21 @@ whitelist ${HOME}/Downloads
 include /etc/firejail/whitelist-common.inc
 caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
 noroot
+notv
+novideo
+protocol unix,inet,inet6
 seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/lmms.profile b/etc/lmms.profile
index 14a7209a9..29ed235c6 100644
--- a/etc/lmms.profile
+++ b/etc/lmms.profile
@@ -16,13 +16,19 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+no3d
+nodvd
 nogroups
+nonewprivs
 noroot
+notv
+novideo
+protocol unix
 seccomp
 shell none
 private-dev
-private-etc fonts,pulse
+private-tmp
-noexec /home
+noexec ${HOME}
 noexec /tmp
diff --git a/etc/macrofusion.profile b/etc/macrofusion.profile
index e53f175f8..be66cf6ee 100644
--- a/etc/macrofusion.profile
+++ b/etc/macrofusion.profile
@@ -16,13 +16,20 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodvd
 nogroups
 nonewprivs
 noroot
+nosound
+notv
+novideo
+protocol unix
 seccomp
 shell none
 #private-bin python3,macrofusion,env,enfuse,exiftool,align_image_stack
 private-dev
-#private-etc fonts
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/mpd.profile b/etc/mpd.profile
index ebcdca443..601861083 100644
--- a/etc/mpd.profile
+++ b/etc/mpd.profile
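Review bot: krita.profile still carries ` noexec /home` as context while this same patch converts ardour5, calligra, cin, lmms and ricochet from `noexec /home` to `noexec ${HOME}`; the old form covers nothing when the user's home lives outside /home. Because karbon.profile now aliases this file, the gap is inherited there as well. Change the line to `noexec ${HOME}` for consistency with the rest of the commit.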
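Review bot: `+novideo` in linphone.profile blanks /dev/video*, but Linphone is a video-capable softphone, so this disables webcam calls rather than removing an unused device; `+no3d` may likewise affect video rendering. If audio-only sandboxing is the intent, record it next to the line as `# novideo: remove this line if you use video calls`; otherwise drop `+novideo` and keep the rest of the hunk, which looks sound.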
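Review bot: The lmms hunk deletes the live `private-etc fonts,pulse` line and adds `private-tmp` in its place, which is not a replacement — lmms now sees the whole of /etc instead of two entries. Every other hunk in this patch removes only already-commented `#private-etc` lines; if this one was removed because it broke the program (missing alsa or X11 entries, say), keep it as `#private-etc fonts,pulse` with a short reason so the restriction can be restored once the needed entries are known.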
@@ -14,8 +14,21 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
 noroot
+notv
+novideo
+protocol unix,inet,inet6
 seccomp
+shell none
 #private-bin mpd,bash
 private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/natron.profile b/etc/natron.profile
index 8f266f56c..ac89409f1 100644
--- a/etc/natron.profile
+++ b/etc/natron.profile
@@ -16,11 +16,18 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
-ipc-namespace
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
 shell none
 private-bin natron
-#private-etc fonts,X11,pulse
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/ricochet.profile b/etc/ricochet.profile
index 423dfb887..6da0e21d5 100644
--- a/etc/ricochet.profile
+++ b/etc/ricochet.profile
@@ -19,14 +19,22 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 ipc-namespace
+netfilter
+no3d
+nodvd
 nogroups
+nonewprivs
 noroot
+notv
+novideo
+protocol unix,inet,inet6
 seccomp
 shell none
+disable-mnt
 private-bin ricochet,tor
 private-dev
 #private-etc fonts,tor,X11,alternatives
-noexec /home
+noexec ${HOME}
 noexec /tmp
diff --git a/etc/shotcut.profile b/etc/shotcut.profile
index 1a7ce6bce..e30bc1f46 100644
--- a/etc/shotcut.profile
+++ b/etc/shotcut.profile
@@ -15,14 +15,17 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
+nodvd
 nogroups
+nonewprivs
 noroot
+notv
+protocol unix
 seccomp
 shell none
-private-bin shotcut,melt,qmelt,nice
+#private-bin shotcut,melt,qmelt,nice
 private-dev
-#private-etc X11,alternatives,pulse,fonts
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/teamspeak3.profile b/etc/teamspeak3.profile
index 7ca5ae666..f8afff551 100644
--- a/etc/teamspeak3.profile
+++ b/etc/teamspeak3.profile
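Review bot: mpd is a daemon that accepts client connections, and firejail's default `netfilter` rule set is a client filter that drops new inbound connections; should the filter ever become active for this profile, remote clients could no longer reach the server. Either point the line at a rule file that opens the control port (`netfilter /path/to/mpd-filter` — placeholder, substitute the real file) or leave it out with a comment explaining why. `+private-tmp` also deserves a check if mpd's unix socket or any local client is configured under /tmp.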
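Review bot: natron.profile loses `ipc-namespace` in the same hunk that adds `caps.drop all`, `seccomp` and the other restrictions; it is the only removed line and the commit message gives no reason. If Natron needs shared SysV IPC (for instance with an external render process), keep a `#ipc-namespace` line with the reason; otherwise restore ` ipc-namespace` so the profile does not quietly regress in this one respect.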
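Review bot: `private-bin shotcut,melt,qmelt,nice` is commented out in shotcut.profile without a note, so the full /usr/bin becomes visible again while the rest of the hunk hardens the profile. Keep the reason beside it, e.g. `#private-bin shotcut,melt,qmelt,nice — disabled because <reason>` with the actual cause filled in, so a later pass can re-enable it once the missing binaries are identified.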
@@ -19,7 +19,23 @@ whitelist ${HOME}/.ts3client
 include /etc/firejail/whitelist-common.inc
 caps.drop all
+ipc-namespace
 netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
 noroot
+notv
+novideo
 protocol unix,inet,inet6
 seccomp
+shell none
+
+disable-mnt
+private
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/tor-browser-en.profile b/etc/tor-browser-en.profile
index 65ea41e18..75a079a2e 100644
--- a/etc/tor-browser-en.profile
+++ b/etc/tor-browser-en.profile
@@ -17,10 +17,18 @@ whitelist ${HOME}/.tor-browser-en
 include /etc/firejail/whitelist-common.inc
 caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
 noroot
+notv
+novideo
+protocol unix,inet,inet6
 seccomp
 shell none
+disable-mnt
 private-bin bash,grep,sed,tail,tor-browser-en,env,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf,file,expr
 private-tmp
diff --git a/etc/tor.profile b/etc/tor.profile
index 73577825a..fcb123eef 100644
--- a/etc/tor.profile
+++ b/etc/tor.profile
@@ -23,16 +23,25 @@ include /etc/firejail/disable-programs.inc
 caps.keep setuid,setgid,net_bind_service,dac_read_search
 ipc-namespace
+netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 nosound
+notv
+novideo
+protocol unix,inet,inet6
 seccomp
 shell none
 writable-var
+disable-mnt
 private
 private-bin tor,bash
 private-dev
 private-etc tor,passwd
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/zart.profile b/etc/zart.profile
index 6022e8260..b5897f4a9 100644
--- a/etc/zart.profile
+++ b/etc/zart.profile
@@ -14,7 +14,13 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodvd
+nogroups
+nonewprivs
 noroot
+notv
+novideo
+protocol unix
 seccomp
 shell none
--
cgit v1.2.3-54-g00ecf
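Review bot: `+private` in teamspeak3.profile gives the sandbox an empty temporary home, yet the profile still has `whitelist ${HOME}/.ts3client` (visible in the hunk header); as far as I know firejail does not apply home whitelists once `private` is set, so the client's identity and settings under ~/.ts3client would no longer persist between runs. Either drop `+private` and rely on the existing whitelist, which the new `disable-mnt`, `private-dev` and `private-tmp` lines already complement, or remove the whitelist lines if a throwaway home is really intended — as written the two directives contradict each other. `+novideo` looks right for a voice-only client.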