From 409a82b7b3308e4f0a8c44f96cfe2c02a390e8e6 Mon Sep 17 00:00:00 2001
From: Nicola Davide Mannarelli <1094368+NDMann@users.noreply.github.com>
Date: Sun, 17 Jan 2021 12:48:21 +0100
Subject: Update telegram.profile

Allow Telegram ONLY in .TelegramDesktop, .local/share/TelegramDesktop and Downloads
---
 etc/profile-m-z/telegram.profile | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'etc')

diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
index 0e7413fc9..8b176d8f4 100644
--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -14,6 +14,13 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 
+mkdir ${HOME}/.TelegramDesktop
+mkdir ${HOME}/.local/share/TelegramDesktop
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.TelegramDesktop
+whitelist ${HOME}/.local/share/TelegramDesktop
+include /etc/firejail/whitelist-common.inc
+
 caps.drop all
 netfilter
 nodvd
-- 
cgit v1.2.3-54-g00ecf

From 27b868607a2eb44a34d91ea46f7a75847a633efe Mon Sep 17 00:00:00 2001
From: Nicola Davide Mannarelli <1094368+NDMann@users.noreply.github.com>
Date: Sun, 17 Jan 2021 13:24:21 +0100
Subject: Update telegram.profile

Optimized "include whitelist-common.inc"
---
 etc/profile-m-z/telegram.profile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'etc')

diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
index 8b176d8f4..1f2847ae5 100644
--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -19,7 +19,7 @@ mkdir ${HOME}/.local/share/TelegramDesktop
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.TelegramDesktop
 whitelist ${HOME}/.local/share/TelegramDesktop
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter
-- 
cgit v1.2.3-54-g00ecf

From ae66496a9fef3ee63c083f9c226071339af8f9c1 Mon Sep 17 00:00:00 2001
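Review bot: In commit 409a82b's hunk, the new `whitelist ${HOME}/.TelegramDesktop` and `whitelist ${HOME}/.local/share/TelegramDesktop` lines only take effect if matching `noblacklist` entries precede `include disable-programs.inc`, which in upstream firejail blacklists per-application data directories such as these; that part of the profile is above the hunk and not visible here, so confirm the pairs exist. `whitelist ${DOWNLOADS}` gives the sandboxed process read-write access to the entire download directory, which is the intended trade-off for saving received files but deserves a one-line comment so later readers do not tighten it without knowing why, e.g. `# Downloads is whitelisted so received files can be saved`. The `mkdir` lines are what make the whitelists usable on a fresh account where the directories do not yet exist; a comment such as `# create the data dirs first so the whitelist does not skip a missing path` would record that dependency.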
From: Nicola Davide Mannarelli <1094368+nidamanx@users.noreply.github.com>
Date: Mon, 25 Jan 2021 11:45:09 +0100
Subject: Enhance security

---
 etc/profile-m-z/telegram.profile | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'etc')

diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
index 1f2847ae5..7187378e6 100644
--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -19,7 +19,18 @@ mkdir ${HOME}/.local/share/TelegramDesktop
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.TelegramDesktop
 whitelist ${HOME}/.local/share/TelegramDesktop
+
 include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+include whitelist-runuser-common.inc
+include disable-shell.inc
+include disable-passwdmgr.inc
+include disable-xdg.inc
+
+apparmor
+shell none
+private-dev
 
 caps.drop all
 netfilter
-- 
cgit v1.2.3-54-g00ecf

From d3aa66cd4ca213d0aaa3b5188ecbd659e446abaa Mon Sep 17 00:00:00 2001
From: Nicola Davide Mannarelli <1094368+nidamanx@users.noreply.github.com>
Date: Mon, 25 Jan 2021 13:31:27 +0100
Subject: Profile ordering/sorting as in profile.template

---
 etc/profile-m-z/telegram.profile | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

(limited to 'etc')

diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
index 7187378e6..50983dfec 100644
--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
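Review bot: `include disable-shell.inc` in commit ae66496's hunk removes shell interpreters from the sandbox, and Telegram Desktop may hand URLs and downloaded files to `xdg-open`, which is a shell script; if link opening takes that path it will break under this profile, so test a link click-through before keeping the include. If it does break, `shell none` (which only changes how firejail launches the program, not what can run inside) can stay while `include disable-shell.inc` is dropped. The subject "Enhance security" gives no rationale for `apparmor`, `private-dev` or the three new disable includes; a commit body naming what each one restricts would make the hardening reviewable and easier to bisect later.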
@@ -12,26 +12,22 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.TelegramDesktop
 mkdir ${HOME}/.local/share/TelegramDesktop
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.TelegramDesktop
 whitelist ${HOME}/.local/share/TelegramDesktop
-
+whitelist ${DOWNLOADS}
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
-include whitelist-runuser-common.inc
-include disable-shell.inc
-include disable-passwdmgr.inc
-include disable-xdg.inc
 
 apparmor
-shell none
-private-dev
-
 caps.drop all
 netfilter
 nodvd
@@ -40,8 +36,10 @@ noroot
 notv
 protocol unix,inet,inet6,netlink
 seccomp
+shell none
 
 disable-mnt
 private-cache
+private-dev
 private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,os-release,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
-- 
cgit v1.2.3-54-g00ecf