From 4429e6fcafb2558661faad9a787281cb5ce6540e Mon Sep 17 00:00:00 2001
From: rusty-snake
Date: Thu, 20 Jun 2019 12:46:24 +0200
Subject: Improve profile.template

* uncomment .local includes
* add options
* ##ignore noexec /tmp
* ##caps.keep CAPS
* ##hostname NAME
* ##writable-etc
* ##writable-run-user
* ##writable-var
* ##writable-var-log
* add disable x11
* x11 none
* blacklist /tmp/.X11-unix
* comment when which of the both option should be used
* sort private-etc template Common
* add comments
* machine-id: breaks sound and sometime dbus related functions
* private-bin: python should be added by 'python*'
* protocol: auxiliary comment for protocol line
* add 'packet' to protocol list
* Sections structure: OPTIONS: now has seccomp* instead of seccomp
---
 etc/templates/profile.template | 28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)

(limited to 'etc')

diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 0ccb3fae0..892fd71ef 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -30,7 +30,7 @@
 # MKDIRS
 # WHITELISTS
 # WHITELIST INCLUDES
-# OPTIONS (caps*, net*, no*, protocol, seccomp, shell none, tracelog)
+# OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog)
 # PRIVATE OPTIONS (disable-mnt, private-*, writable-*)
 # SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start)
 # REDIRECT INCLUDES
@@ -49,13 +49,16 @@
 # --- CUT HERE ---
 ##quiet
 # Persistent local customizations
-#include PROFILE.local
+include PROFILE.local
 # Persistent global definitions
-#include globals.local
+include globals.local
 ##ignore noexec ${HOME}
+##ignore noexec /tmp
 ##blacklist PATH
+# Disable X11 (CLI only), see also 'x11 none' below
+#blacklist /tmp/.X11-unix
 # It is common practice to add files/dirs containing program-specific configuration
 # (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
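Review bot: The comment added above `#blacklist /tmp/.X11-unix` in hunk @@ -49 says only "Disable X11 (CLI only)" and does not tell the reader what the blacklist leaves open: it hides the socket directory from the sandbox's filesystem view, but an X server's abstract-namespace socket stays reachable from a sandbox that shares the host network, which is the reason `x11 none` together with `net none` (documented in hunk @@ -121) is the stronger choice. Suggest saying so where the weaker option is offered: `# Disable X11 (CLI only); blacklisting the socket dir does not cover the abstract X11 socket, prefer 'x11 none' with 'net none' below`. The new `##ignore noexec /tmp` line has no comment either, so a copied profile can drop the noexec default on /tmp without the author noticing; one line such as `# only if the program must execute files from /tmp` would keep that deliberate. The now-active `include PROFILE.local` depends on PROFILE being replaced when the template is copied; presumably a missing .local file is tolerated by the include handling, but the template should state that expectation next to the line.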
@@ -105,8 +108,11 @@
 #apparmor
 #caps.drop all
+##caps.keep CAPS
+##hostname NAME
 # CLI only
 ##ipc-namespace
+# breaks sound and sometime dbus related functions
 #machine-id
 # 'net none' or 'netfilter'
 #net none
@@ -121,20 +127,28 @@
 #notv
 #nou2f
 #novideo
-#protocol unix,inet,inet6,netlink
+# Remove every not needed protocol
+# - unix is usually needed
+# - inet,inet6 only if internet access is requiered (see 'net none'/'netfilter' above)
+# - netlink is rarely needed
+# - packet almost never
+#protocol unix,inet,inet6,netlink,packet
 #seccomp
 ##seccomp.drop SYSCALLS (see also syscalls.txt)
 #shell none
 #tracelog
+# Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set
+##x11 none
 #disable-mnt
 ##private
+# It's common practice to refer to the python executable(s) in private-bin with `python*`, which covers both v2 and v3
 #private-bin PROGRAMS
 #private-cache
 #private-dev
 #private-etc FILES
 # private-etc templates (see also #1734, #2093)
-# Common: ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,locale,locale.alias,locale.conf,localtime,alternatives,mime.types,xdg
+# Common: alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg
 # Extra: magic,magic.mgc,passwd,group
 # Networking: ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf,hosts,host.conf,hostname,protocols,services,rpc
 # Extra: proxychains.conf,gai.conf
@@ -148,6 +162,10 @@
 ##private-lib LIBS
 ##private-opt NAME
 #private-tmp
+##writable-etc
+##writable-run-user
+##writable-var
+##writable-var-log
 ##env VAR=VALUE
 #memory-deny-write-execute
--
cgit v1.2.3-54-g00ecf
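Review bot: `##caps.keep CAPS` is inserted directly under `#caps.drop all` in hunk @@ -105 with nothing marking the two as alternatives, unlike the `# 'net none' or 'netfilter'` comment the same hunk keeps a few lines lower; a profile copied from the template can end up with both lines uncommented. Suggest the same pattern above them: `# 'caps.drop all' or 'caps.keep CAPS'`. The new machine-id comment also has a typo and does not say what the option does; `# spoofing the machine-id breaks sound and sometimes dbus related functions` reads better.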
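Review bot: Appending `packet` to the template line `#protocol unix,inet,inet6,netlink,packet` in hunk @@ -121 contradicts the comment added right above it, which says packet is "almost never" needed; the template line is what gets copied into new profiles, so it should carry the least-privilege set and leave packet to the comment: `#protocol unix,inet,inet6,netlink`. The bullet `# - inet,inet6 only if internet access is requiered` has a typo (required). The python guidance above `#private-bin PROGRAMS` would be easier to find in a long list if it were tied to the line, e.g. `#private-bin PROGRAMS (use 'python*' for python, covers v2 and v3)`.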
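Review bot: The four `##writable-*` lines added in hunk @@ -148 carry no comment, although each one gives the sandbox write access to a system directory that the surrounding `private-*` options are meant to restrict, so they move in the opposite direction from their neighbours. Suggest one line above them so a copied profile does not enable them casually: `# writable-* grant write access to the named system directory; enable only when the program needs it`.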