From 8d0bde2b85542e1f3385a104ac105d2ed8e795e1 Mon Sep 17 00:00:00 2001 From: Tad Date: Tue, 8 Aug 2017 19:45:44 -0400 Subject: Harden 17 profiles using private-bin --- etc/apktool.profile | 1 + etc/arm.profile | 2 +- etc/baobab.profile | 1 + etc/bless.profile | 1 + etc/chromium.profile | 1 + etc/dex2jar.profile | 1 + etc/gitg.profile | 1 + etc/hashcat.profile | 3 +++ etc/jd-gui.profile | 1 + etc/meld.profile | 1 + etc/multimc5.profile | 2 ++ etc/obs.profile | 1 + etc/pdfsam.profile | 1 + etc/peek.profile | 1 + etc/pithos.profile | 1 + etc/sdat2img.profile | 1 + etc/strings.profile | 2 ++ 17 files changed, 21 insertions(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/apktool.profile b/etc/apktool.profile index 58854df3b..0ca0ea0b0 100644 --- a/etc/apktool.profile +++ b/etc/apktool.profile @@ -24,6 +24,7 @@ protocol unix seccomp shell none +private-bin apktool,bash,java,dirname,basename,expr private-dev noexec ${HOME} diff --git a/etc/arm.profile b/etc/arm.profile index a75130e4d..4e6bb9b1c 100644 --- a/etc/arm.profile +++ b/etc/arm.profile @@ -32,7 +32,7 @@ shell none tracelog disable-mnt -# private-bin arm,tor,sh,python2,python2.7,ps,lsof,ldconfig +# private-bin arm,tor,sh,bash,python2,python2.7,ps,lsof,ldconfig private-dev private-etc tor,passwd private-tmp diff --git a/etc/baobab.profile b/etc/baobab.profile index 5eef557bc..c67f01503 100644 --- a/etc/baobab.profile +++ b/etc/baobab.profile @@ -24,6 +24,7 @@ protocol unix seccomp shell none +private-bin baobab private-dev private-tmp diff --git a/etc/bless.profile b/etc/bless.profile index 6da8187b1..8c7cc5fe5 100644 --- a/etc/bless.profile +++ b/etc/bless.profile @@ -25,6 +25,7 @@ protocol unix seccomp shell none +# private-bin bless,sh,bash,mono private-dev private-etc fonts,mono private-tmp diff --git a/etc/chromium.profile b/etc/chromium.profile index 7637b8ea5..3ccc8e4cb 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile 
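Review bot: The private-bin line in bless.profile (`# private-bin bless,sh,bash,mono`) is added already commented out with nothing recording why it is disabled, so a later maintainer cannot tell whether it broke the application, was never tested, or is waiting on a distro-side fix; the same gap exists in the chromium, meld, pithos and sdat2img hunks of this commit, whereas the peek and multimc5 hunks do record their reason. A one-line comment above the disabled directive, e.g. `# private-bin disabled: <what broke / untested> — TODO`, would make each of these lines actionable instead of dead config. The surrounding profile text is outside the hunk, so whether a reason is recorded elsewhere in the file cannot be seen here.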
@@ -31,6 +31,7 @@ nogroups notv shell none +# private-bin chromium,chromium-browser,chromedriver private-dev # private-tmp - problems with multiple browser sessions diff --git a/etc/dex2jar.profile b/etc/dex2jar.profile index a3a1c4ad5..fab7ccb13 100644 --- a/etc/dex2jar.profile +++ b/etc/dex2jar.profile @@ -25,6 +25,7 @@ protocol unix seccomp shell none +private-bin dex2jar,java,sh,bash,expr,dirname,ls,uname,grep private-dev noexec ${HOME} diff --git a/etc/gitg.profile b/etc/gitg.profile index f28fbe03f..273cc006c 100644 --- a/etc/gitg.profile +++ b/etc/gitg.profile @@ -26,6 +26,7 @@ protocol unix,inet,inet6 seccomp shell none +private-bin gitg,git,ssh private-dev private-tmp diff --git a/etc/hashcat.profile b/etc/hashcat.profile index 677c47b13..189f364f8 100644 --- a/etc/hashcat.profile +++ b/etc/hashcat.profile @@ -7,8 +7,10 @@ include /etc/firejail/hashcat.local include /etc/firejail/globals.local noblacklist ${HOME}/.hashcat +noblacklist /usr/include include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc @@ -25,6 +27,7 @@ seccomp shell none disable-mnt +private-bin hashcat private-dev private-tmp diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile index 2422d5b48..8df805895 100644 --- a/etc/jd-gui.profile +++ b/etc/jd-gui.profile @@ -26,6 +26,7 @@ protocol unix seccomp shell none +private-bin jd-gui,sh,bash private-dev private-tmp diff --git a/etc/meld.profile b/etc/meld.profile index 92aefaf78..280004f49 100644 --- a/etc/meld.profile +++ b/etc/meld.profile @@ -25,6 +25,7 @@ protocol unix seccomp shell none +# private-bin meld,python2,python2.7 private-dev private-tmp diff --git a/etc/multimc5.profile b/etc/multimc5.profile index a51defafa..e99876447 100644 --- a/etc/multimc5.profile +++ b/etc/multimc5.profile 
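Review bot: `private-bin gitg,git,ssh` in gitg.profile keeps three executables, but git dispatches to further programs at run time — the configured pager and editor, credential helpers and gpg for signed commits are the usual cases — and any of those that live in /usr/bin become unreachable once this line is active. Which of them gitg actually triggers is inferred from git's behaviour, not shown by the hunk, so a comment recording what was exercised, e.g. `# private-bin: pager/editor, credential helpers and gpg signing not included — TODO test`, would tell the next reader what the profile was checked against. Git's own subcommands installed under a libexec path should be unaffected, since private-bin only rebuilds the bin directories.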
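Review bot: In the first hashcat.profile hunk, `noblacklist /usr/include` re-exposes the header tree that the newly added `include /etc/firejail/disable-devel.inc` would otherwise hide, with no recorded reason; a later cleanup could drop it and silently break whatever depends on it. The ordering is correct (the noblacklist precedes the include), so only the comment is missing — my guess is hashcat's run-time compilation of OpenCL kernels, but the hunk does not show that, so something like `# /usr/include stays visible: <reason> — TODO confirm` should state the actual dependency. The second hunk's `private-bin hashcat` raises the matching question of whether the OpenCL/CUDA runtime hashcat loads executes any helper from /usr/bin; worth a test note there too.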
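Review bot: `private-bin jd-gui,sh,bash` in jd-gui.profile lists two shells but no `java`, while the other Java-based profiles hardened in this commit (apktool, dex2jar, pdfsam) all include it; if /usr/bin/jd-gui is a wrapper script that execs java, the sandboxed program now fails at startup. Whether jd-gui is a script or a native launcher on the supported distros is not visible here, so this wants a quick start-up check; if java turns out to be needed the line should read `private-bin jd-gui,sh,bash,java`.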
@@ -32,6 +32,8 @@ protocol unix,inet,inet6 shell none disable-mnt +# private-bin works, but causes weirdness +# private-bin multimc5,bash,mkdir,which,zenity,kdialog,ldd,chmod,valgrind,apt-file,pkgfile,dnf,yum,zypper,pfl,java,grep,sort,awk,readlink,dirname private-dev private-tmp diff --git a/etc/obs.profile b/etc/obs.profile index f7d7ac310..11c18e0b6 100644 --- a/etc/obs.profile +++ b/etc/obs.profile @@ -22,6 +22,7 @@ seccomp shell none tracelog +private-bin obs private-dev private-tmp diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile index 4dbc05413..e2fbd81ae 100644 --- a/etc/pdfsam.profile +++ b/etc/pdfsam.profile @@ -25,6 +25,7 @@ protocol unix seccomp shell none +private-bin pdfsam,sh,bash,java,archlinux-java,grep,awk,dirname,uname,which,sort,find,readlink,expr,ls,java-config private-dev private-tmp diff --git a/etc/peek.profile b/etc/peek.profile index 0157ca9d4..e65d3f172 100644 --- a/etc/peek.profile +++ b/etc/peek.profile @@ -25,6 +25,7 @@ protocol unix seccomp shell none +# private-bin breaks gif mode, mp4 and webm mode work fine however # private-bin peek,convert,ffmpeg private-dev private-tmp diff --git a/etc/pithos.profile b/etc/pithos.profile index be6e1b72a..2aaedd45e 100644 --- a/etc/pithos.profile +++ b/etc/pithos.profile @@ -25,6 +25,7 @@ seccomp shell none disable-mnt +# private-bin pithos,python,python3,python3.6 private-dev private-tmp diff --git a/etc/sdat2img.profile b/etc/sdat2img.profile index 06889be33..578f623f0 100644 --- a/etc/sdat2img.profile +++ b/etc/sdat2img.profile @@ -25,6 +25,7 @@ protocol unix seccomp shell none +# private-bin sdat2img,env,python,python3,python3.6 private-dev noexec ${HOME} diff --git a/etc/strings.profile b/etc/strings.profile index 28f5598cf..d102cd445 100644 --- a/etc/strings.profile +++ b/etc/strings.profile @@ -17,7 +17,9 @@ novideo shell none tracelog +private-bin strings private-dev +private-lib memory-deny-write-execute -- cgit v1.2.3-54-g00ecf 
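Review bot: The disabling comment `# private-bin works, but causes weirdness` in multimc5.profile records that something misbehaved but not what, so nobody can later tell whether the problem has gone away; replacing it with the observed symptom, e.g. `# private-bin disabled: <symptom seen> — TODO retest`, keeps the line useful. The candidate list also carries system package managers (apt-file, pkgfile, dnf, yum, zypper) and valgrind, presumably inherited from checks in MultiMC's launcher script; whether the sandboxed application genuinely execs those should be confirmed before the line is ever enabled, since every entry widens what the sandbox is allowed to run.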
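Review bot: strings.profile is the only profile in this commit that adds `private-lib`, here with no argument, which per the firejail manual means the library set is auto-detected from the private-bin programs; nothing records that this was tested or on which distro. Automatic detection cannot see libraries loaded lazily at run time (NSS, locale and gconv modules are the typical gaps), so a comment such as `# private-lib: auto-detected from private-bin strings; verified on <distro> — TODO` would tell the next reader what was covered when the binutils package changes.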
From be6a0765d131c3408c783895d4776b562ea2c5e0 Mon Sep 17 00:00:00 2001 From: Tad Date: Tue, 8 Aug 2017 20:04:12 -0400 Subject: Chrom* on Arch Linux no longer uses a perl script --- etc/chromium.profile | 3 +-- etc/flashpeak-slimjet.profile | 3 +-- etc/google-chrome-beta.profile | 3 +-- etc/google-chrome-unstable.profile | 3 +-- etc/google-chrome.profile | 3 +-- 5 files changed, 5 insertions(+), 10 deletions(-) (limited to 'etc') diff --git a/etc/chromium.profile b/etc/chromium.profile index 3ccc8e4cb..e28606054 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile @@ -11,8 +11,7 @@ noblacklist ~/.config/chromium-flags.conf noblacklist ~/.pki include /etc/firejail/disable-common.inc -# chromium is distributed with a perl script on Arch -# include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-programs.inc mkdir ~/.cache/chromium diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile index a661c179a..1a4c8dea6 100644 --- a/etc/flashpeak-slimjet.profile +++ b/etc/flashpeak-slimjet.profile @@ -15,8 +15,7 @@ noblacklist ~/.config/slimjet noblacklist ~/.pki include /etc/firejail/disable-common.inc -# chromium is distributed with a perl script on Arch -# include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-programs.inc mkdir ~/.cache/slimjet diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile index 9c8574d3f..031a43504 100644 --- a/etc/google-chrome-beta.profile +++ b/etc/google-chrome-beta.profile @@ -10,8 +10,7 @@ noblacklist ~/.config/google-chrome-beta noblacklist ~/.pki include /etc/firejail/disable-common.inc -# chromium is distributed with a perl script on Arch -# include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-programs.inc mkdir ~/.cache/google-chrome-beta 
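Review bot: The commit message justifies enabling `include /etc/firejail/disable-devel.inc` by Arch's chromium package no longer shipping a perl launcher, but the same switch is applied to flashpeak-slimjet, google-chrome, google-chrome-beta and google-chrome-unstable (the last two hunks are on the following line), whose launchers come from other vendors and may still exec an interpreter or tool that disable-devel.inc blacklists; the removed comment in those four files reads as copied from chromium.profile rather than a per-package finding. Each of the five launchers should be confirmed to start under the updated profile on the distros the profiles target, and where a profile merely follows chromium's lead that should be recorded, e.g. `# disable-devel.inc enabled alongside chromium.profile; launcher verified on <distro> — TODO`.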
diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile index b7ed33703..4dcdef578 100644 --- a/etc/google-chrome-unstable.profile +++ b/etc/google-chrome-unstable.profile @@ -10,8 +10,7 @@ noblacklist ~/.config/google-chrome-unstable noblacklist ~/.pki include /etc/firejail/disable-common.inc -# chromium is distributed with a perl script on Arch -# include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-programs.inc mkdir ~/.cache/google-chrome-unstable diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile index 6a3c54468..2caa3c4ec 100644 --- a/etc/google-chrome.profile +++ b/etc/google-chrome.profile @@ -10,8 +10,7 @@ noblacklist ~/.config/google-chrome noblacklist ~/.pki include /etc/firejail/disable-common.inc -# chromium is distributed with a perl script on Arch -# include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-programs.inc mkdir ~/.cache/google-chrome -- cgit v1.2.3-54-g00ecf