From ba9edec22cce71b57266b20262fbb586314f3f8b Mon Sep 17 00:00:00 2001
From: vismir2
Date: Sun, 2 Oct 2016 14:54:05 +0200
Subject: added muttrc to blacklisted secets

~/.muttrc, ~/.mutt/muttrc and ~/.msmtprc contain in most cases login credentials of the users mail accounts
---
 etc/disable-common.inc | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'etc')

diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index c4169db8a..4f854c8d8 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -121,6 +121,9 @@ blacklist ${HOME}/.smbcredentials
 blacklist ${HOME}/*.kdbx
 blacklist ${HOME}/*.kdb
 blacklist ${HOME}/*.key
+blacklist ${HOME}/.muttrc
+blacklist ${HOME}/.mutt/muttrc
+blacklist ${HOME}/.msmtprc
 blacklist /etc/shadow
 blacklist /etc/gshadow
 blacklist /etc/passwd-
-- 
cgit v1.2.3-54-g00ecf
From 8026502c3758e82f64c13154030083460fa4528b Mon Sep 17 00:00:00 2001
From: vismir2
Date: Sun, 2 Oct 2016 14:55:19 +0200
Subject: added muttrc to disable-programs

---
 etc/disable-programs.inc | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'etc')

diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 1e2b81d27..bd338f401 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -67,6 +67,9 @@ blacklist ${HOME}/.config/qutebrowser
 blacklist ${HOME}/.8pecxstudios
 blacklist ${HOME}/.config/brave
 blacklist ${HOME}/.config/inox
+blacklist ${HOME}/.muttrc
+blacklist ${HOME}/.mutt/muttrc
+blacklist ${HOME}/.msmtprc
 
 # Instant Messaging
 blacklist ${HOME}/.config/hexchat
-- 
cgit v1.2.3-54-g00ecf
From 931f09d320dc7ab6f27ea5e724e9791eda2cec8b Mon Sep 17 00:00:00 2001
From: vismir2
Date: Sun, 2 Oct 2016 14:59:27 +0200
Subject: Removed whitelisting

There is no reason to assume the users database for cherrytree is in any of these specific directories.
---
 etc/cherrytree.profile | 6 ------
 1 file changed, 6 deletions(-)

(limited to 'etc')

diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile
index 76ee70679..7c324a34b 100644
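Review bot: The new `blacklist ${HOME}/.mutt/muttrc` line covers only that one file, while mutt's `source` directive lets users keep account passwords in other files under `${HOME}/.mutt/` (a common layout for multi-account setups), so those files stay readable in every sandbox that relies on this include. Blacklisting the directory, `blacklist ${HOME}/.mutt`, closes that gap; a profile that genuinely needs mutt's configuration re-enables it with a `noblacklist` line placed before the include, the same pattern the ranger hunk later in this series uses for perl. Whether `${HOME}/.netrc` is already covered elsewhere in disable-common.inc is not visible here; if it is not, it belongs in this same group of credential files.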
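Review bot: The three `blacklist` lines added here repeat the ones the previous commit adds to disable-common.inc, and since profiles include both files (the cherrytree and feh hunks below show the usual pair of includes) the second copy adds no protection but leaves two places that must be kept in sync. If they are meant to stay, they are currently appended to what looks like a browser group (qutebrowser, brave, inox) rather than a mail group; a `# Mail` heading above them, preceded by a blank line like the `# Instant Messaging` section that follows, would make the grouping explicit.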
--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -6,12 +6,6 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
-whitelist ${HOME}/cherrytree
-mkdir ~/.config/cherrytree
-whitelist ${HOME}/.config/cherrytree/
-mkdir ~/.local/share
-whitelist ${HOME}/.local/share/
-
 caps.drop all
 netfilter
 nonewprivs
-- 
cgit v1.2.3-54-g00ecf
From b2b955ef34a62ec734d982fc601d77492dc4a232 Mon Sep 17 00:00:00 2001
From: vismir2
Date: Sun, 2 Oct 2016 15:41:45 +0200
Subject: hardened profile for feh

---
 etc/feh.profile | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

(limited to 'etc')

diff --git a/etc/feh.profile b/etc/feh.profile
index ba8f32f44..5fcb6bf25 100644
--- a/etc/feh.profile
+++ b/etc/feh.profile
@@ -5,9 +5,17 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+seccomp
+protocol unix
 netfilter
+net none
 nonewprivs
 noroot
+nogroups
 nosound
-protocol unix
-seccomp
+shell none
+
+private-bin feh
+whitelist /tmp/.X11-unix
+private-dev
+private-etc feh
-- 
cgit v1.2.3-54-g00ecf
From 83f5ee2ec327a9eca98fc835cc0f5cd68006c179 Mon Sep 17 00:00:00 2001
From: vismir2
Date: Sun, 2 Oct 2016 15:43:49 +0200
Subject: Fixed ranger to work correctly with atool

needed perl, hardened profile
---
 etc/ranger.profile | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

(limited to 'etc')

diff --git a/etc/ranger.profile b/etc/ranger.profile
index 775098d91..af137fa13 100644
--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -1,4 +1,9 @@
-# ranger file manager profile
+# ranger profile
+noblacklist /usr/bin/perl
+#noblacklist /usr/bin/cpan*
+noblacklist /usr/share/perl*
+noblacklist /usr/lib/perl*
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
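Review bot: `netfilter`, kept as the context line right above the added `+net none`, has nothing left to filter once `net none` leaves the sandbox with only a loopback interface, so it is now dead configuration; drop it or add a comment saying why it stays. The same pairing appears in the second ranger hunk of this series (`netfilter` followed by `+net none`). `private-etc feh` hides every other entry of /etc, including /etc/fonts and /etc/ld.so.cache; unless feh has been exercised under this profile with text drawing enabled, the safer form is to list what it actually opens, e.g. `private-etc feh,fonts`. The rest of feh.profile is outside the hunk.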
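Review bot: The four `noblacklist` lines re-enable a full perl interpreter inside the file-manager sandbox, but nothing in the profile records why; the reason lives only in the commit message. A one-line comment above them, e.g. `# atool (archive handling) is a perl script and needs the interpreter`, keeps the next maintainer from "hardening" it away, and the commented-out `#noblacklist /usr/bin/cpan*` should either be deleted or annotated with why it is kept disabled. The ranger profile continues past the hunk.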
@@ -6,8 +11,14 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+net none
 nonewprivs
 noroot
+nogroups
 protocol unix
 seccomp
 nosound
+
+private-tmp
+private-dev
+
-- 
cgit v1.2.3-54-g00ecf
From 8edf59794fb37758f94e4b5a208615b957ac5863 Mon Sep 17 00:00:00 2001
From: vismir2
Date: Sun, 2 Oct 2016 15:45:14 +0200
Subject: hardened profile for zathura

---
 etc/zathura.profile | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

(limited to 'etc')

diff --git a/etc/zathura.profile b/etc/zathura.profile
index 99d9a1a90..f6651af09 100644
--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -1,4 +1,4 @@
-# zathura document viewer profile
+# zathura viewer profile
 # noblacklist ~/.config/zathura
 # noblacklist ~/.local/share/zathura
 include /etc/firejail/disable-common.inc
@@ -12,8 +12,9 @@ protocol unix
 netfilter
 nonewprivs
 noroot
+nogroups
 nosound
-
-#net none
 shell none
-#private-etc X11
+
+private-bin zathura
+private-dev
-- 
cgit v1.2.3-54-g00ecf
From 248bc971750a533888c61d0b97d0ff35542fe71d Mon Sep 17 00:00:00 2001
From: vismir2
Date: Sun, 2 Oct 2016 15:49:26 +0200
Subject: hardened mupdf

---
 etc/mupdf.profile | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'etc')

diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index 6f2db511b..d1a157c3c 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -11,8 +11,14 @@ noroot
 nosound
 protocol unix
 seccomp
+netfilter
 shell none
 tracelog
+private-bin mupdf
 private-tmp
 private-dev
+
+# mupdf will never write anything
+read-only ${HOME}
+
-- 
cgit v1.2.3-54-g00ecf
From 1bb1eb6d0970e8e60938fe70ee54b677288312c8 Mon Sep 17 00:00:00 2001
From: vismir2
Date: Sun, 2 Oct 2016 15:56:13 +0200
Subject: fixed description

---
 etc/ranger.profile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'etc')

diff --git a/etc/ranger.profile b/etc/ranger.profile
index af137fa13..a040cd6bc 100644
--- a/etc/ranger.profile
+++ b/etc/ranger.profile
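Review bot: The commented-out `#net none` line is removed without being enabled, so zathura keeps full network access even though the feh and ranger hunks in this series add `net none` to programs with no network need; either add `net none` here as well or leave a comment stating why zathura must keep the network. `private-bin zathura` also hides every other executable, and if link following in zathura goes through an external opener such as xdg-open, that will now fail silently — worth confirming and, if so, recording in the profile. The earlier lines of zathura.profile are outside this hunk.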
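Review bot: The added `+netfilter` stands alone without any `net` option, and firejail's default filter is applied inside a new network namespace, so on its own it most likely leaves mupdf's network access untouched; since the commit's intent is hardening, `net none` (as in the feh and ranger hunks) is the line that actually removes that surface. `private-bin mupdf` should be checked on distributions where /usr/bin/mupdf is an alternatives symlink to mupdf-x11 or mupdf-gl, since only the listed name is brought into the private bin directory. The `read-only ${HOME}` addition fits a viewer well, though its comment would be clearer as `# viewer only: nothing under $HOME should ever be written`, and the two added trailing blank lines can be dropped.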
@@ -1,4 +1,4 @@
-# ranger profile
+# ranger file manager profile
 noblacklist /usr/bin/perl
 #noblacklist /usr/bin/cpan*
 noblacklist /usr/share/perl*
-- 
cgit v1.2.3-54-g00ecf
From c313409c3d60dbde22ae932db7447d4ee8cb92fd Mon Sep 17 00:00:00 2001
From: vismir2
Date: Sun, 2 Oct 2016 15:56:41 +0200
Subject: fixed description

---
 etc/zathura.profile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'etc')

diff --git a/etc/zathura.profile b/etc/zathura.profile
index f6651af09..b3a9b0af8 100644
--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -1,4 +1,4 @@
-# zathura viewer profile
+# zathura document viewer profile
 # noblacklist ~/.config/zathura
 # noblacklist ~/.local/share/zathura
 include /etc/firejail/disable-common.inc
-- 
cgit v1.2.3-54-g00ecf