From 8d0bde2b85542e1f3385a104ac105d2ed8e795e1 Mon Sep 17 00:00:00 2001
From: Tad
Date: Tue, 8 Aug 2017 19:45:44 -0400
Subject: Harden 17 profiles using private-bin
---
 etc/apktool.profile | 1 +
 etc/arm.profile | 2 +-
 etc/baobab.profile | 1 +
 etc/bless.profile | 1 +
 etc/chromium.profile | 1 +
 etc/dex2jar.profile | 1 +
 etc/gitg.profile | 1 +
 etc/hashcat.profile | 3 +++
 etc/jd-gui.profile | 1 +
 etc/meld.profile | 1 +
 etc/multimc5.profile | 2 ++
 etc/obs.profile | 1 +
 etc/pdfsam.profile | 1 +
 etc/peek.profile | 1 +
 etc/pithos.profile | 1 +
 etc/sdat2img.profile | 1 +
 etc/strings.profile | 2 ++
 17 files changed, 21 insertions(+), 1 deletion(-)
(limited to 'etc')
diff --git a/etc/apktool.profile b/etc/apktool.profile
index 58854df3b..0ca0ea0b0 100644
--- a/etc/apktool.profile
+++ b/etc/apktool.profile
@@ -24,6 +24,7 @@ protocol unix
 seccomp
 shell none
+private-bin apktool,bash,java,dirname,basename,expr
 private-dev
 noexec ${HOME}
diff --git a/etc/arm.profile b/etc/arm.profile
index a75130e4d..4e6bb9b1c 100644
--- a/etc/arm.profile
+++ b/etc/arm.profile
@@ -32,7 +32,7 @@ shell none
 tracelog
 disable-mnt
-# private-bin arm,tor,sh,python2,python2.7,ps,lsof,ldconfig
+# private-bin arm,tor,sh,bash,python2,python2.7,ps,lsof,ldconfig
 private-dev
 private-etc tor,passwd
 private-tmp
diff --git a/etc/baobab.profile b/etc/baobab.profile
index 5eef557bc..c67f01503 100644
--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -24,6 +24,7 @@ protocol unix
 seccomp
 shell none
+private-bin baobab
 private-dev
 private-tmp
diff --git a/etc/bless.profile b/etc/bless.profile
index 6da8187b1..8c7cc5fe5 100644
--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -25,6 +25,7 @@ protocol unix
 seccomp
 shell none
+# private-bin bless,sh,bash,mono
 private-dev
 private-etc fonts,mono
 private-tmp
diff --git a/etc/chromium.profile b/etc/chromium.profile
index 7637b8ea5..3ccc8e4cb 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
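Review bot: The `# private-bin bless,sh,bash,mono` line in the bless hunk is committed disabled with no record of why, whereas the peek hunk in the same commit states exactly what private-bin breaks. Without a reason the next maintainer cannot tell whether the list is untested, known-broken, or merely waiting on something; a one-line note above it, e.g. `# private-bin disabled: <what fails when it is on>`, answers that. The same applies to the arm hunk, where a disabled list is edited without saying why it stays disabled.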
@@ -31,6 +31,7 @@ nogroups
 notv
 shell none
+# private-bin chromium,chromium-browser,chromedriver
 private-dev
 # private-tmp - problems with multiple browser sessions
diff --git a/etc/dex2jar.profile b/etc/dex2jar.profile
index a3a1c4ad5..fab7ccb13 100644
--- a/etc/dex2jar.profile
+++ b/etc/dex2jar.profile
@@ -25,6 +25,7 @@ protocol unix
 seccomp
 shell none
+private-bin dex2jar,java,sh,bash,expr,dirname,ls,uname,grep
 private-dev
 noexec ${HOME}
diff --git a/etc/gitg.profile b/etc/gitg.profile
index f28fbe03f..273cc006c 100644
--- a/etc/gitg.profile
+++ b/etc/gitg.profile
@@ -26,6 +26,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
+private-bin gitg,git,ssh
 private-dev
 private-tmp
diff --git a/etc/hashcat.profile b/etc/hashcat.profile
index 677c47b13..189f364f8 100644
--- a/etc/hashcat.profile
+++ b/etc/hashcat.profile
@@ -7,8 +7,10 @@ include /etc/firejail/hashcat.local
 include /etc/firejail/globals.local
 noblacklist ${HOME}/.hashcat
+noblacklist /usr/include
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
@@ -25,6 +27,7 @@ seccomp
 shell none
 disable-mnt
+private-bin hashcat
 private-dev
 private-tmp
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
index 2422d5b48..8df805895 100644
--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -26,6 +26,7 @@ protocol unix
 seccomp
 shell none
+private-bin jd-gui,sh,bash
 private-dev
 private-tmp
diff --git a/etc/meld.profile b/etc/meld.profile
index 92aefaf78..280004f49 100644
--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -25,6 +25,7 @@ protocol unix
 seccomp
 shell none
+# private-bin meld,python2,python2.7
 private-dev
 private-tmp
diff --git a/etc/multimc5.profile b/etc/multimc5.profile
index a51defafa..e99876447 100644
--- a/etc/multimc5.profile
+++ b/etc/multimc5.profile
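Review bot: The new `# private-bin chromium,chromium-browser,chromedriver` line is left disabled without the reason that the neighbouring `# private-tmp - problems with multiple browser sessions` line records for its directive. Write the breakage down in the same style, e.g. `# private-bin - <what fails>`, so nobody re-enables it blindly. Chromium also spawns its own helper binaries from under /usr/lib rather than /usr/bin, which private-bin does not touch, so the list as written may be incomplete for reasons unrelated to the three names — worth stating if that is what was observed.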
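Review bot: `private-bin dex2jar,java,sh,bash,expr,dirname,ls,uname,grep` admits only a launcher literally named `dex2jar`, but upstream ships its tools as separate `d2j-dex2jar`, `d2j-jar2dex` etc. wrappers and several distributions install them under those names; under this profile those names cannot be executed at all. Confirm which launcher the profile targets and either add the `d2j-` wrapper names or note the limitation above the line, e.g. `# only the dex2jar wrapper is allowed; d2j-* tools are not`. The helper names (`expr`, `dirname`, `uname`) presumably come from the wrapper script, which is outside this hunk.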
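Review bot: `private-bin gitg,git,ssh` covers the transport but not programs git itself execs from /usr/bin depending on user configuration: `gpg` when `commit.gpgsign` or tag signing is enabled, and an askpass helper (`ssh-askpass`, or whatever `GIT_ASKPASS`/`core.askPass` names) for ssh host-key and passphrase prompts, which a GUI like gitg has no terminal to answer otherwise. Inside the sandbox those execs simply fail, so either add the helpers that are wanted or document the limitation next to the line, e.g. `# private-bin: signed commits and askpass prompts are not supported`. git's own remote helpers under libexec are unaffected by private-bin and need no entry.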
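Review bot: `noblacklist /usr/include` is added without a comment, and a reader will not guess why a password cracker needs system headers — presumably the OpenCL runtime compiling hashcat's kernels against headers there, but the hunk does not say. Add `# OpenCL kernel compilation reads headers from /usr/include; keep this above disable-devel.inc` so both the purpose and the ordering survive a later tidy-up, since `include /etc/firejail/disable-devel.inc` is what would otherwise hide that directory. Also worth confirming that disable-devel.inc dropping compilers does not itself break kernel builds on the OpenCL implementations you tested.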
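Review bot: `private-bin jd-gui,sh,bash` lists a shell but no `java`, while the apktool, dex2jar and pdfsam hunks in this same commit all list `java`; if jd-gui is started through a shell script that ends in `exec java -jar …`, the usual packaging, that exec fails under private-bin. If it works because the launcher invokes the JVM by absolute path under /usr/lib/jvm (which private-bin does not mask) or bundles its own, record that, e.g. `# java not listed: launcher uses the JVM by absolute path`; otherwise `java` belongs in the list.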
@@ -32,6 +32,8 @@ protocol unix,inet,inet6
 shell none
 disable-mnt
+# private-bin works, but causes weirdness
+# private-bin multimc5,bash,mkdir,which,zenity,kdialog,ldd,chmod,valgrind,apt-file,pkgfile,dnf,yum,zypper,pfl,java,grep,sort,awk,readlink,dirname
 private-dev
 private-tmp
diff --git a/etc/obs.profile b/etc/obs.profile
index f7d7ac310..11c18e0b6 100644
--- a/etc/obs.profile
+++ b/etc/obs.profile
@@ -22,6 +22,7 @@ seccomp
 shell none
 tracelog
+private-bin obs
 private-dev
 private-tmp
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
index 4dbc05413..e2fbd81ae 100644
--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -25,6 +25,7 @@ protocol unix
 seccomp
 shell none
+private-bin pdfsam,sh,bash,java,archlinux-java,grep,awk,dirname,uname,which,sort,find,readlink,expr,ls,java-config
 private-dev
 private-tmp
diff --git a/etc/peek.profile b/etc/peek.profile
index 0157ca9d4..e65d3f172 100644
--- a/etc/peek.profile
+++ b/etc/peek.profile
@@ -25,6 +25,7 @@ protocol unix
 seccomp
 shell none
+# private-bin breaks gif mode, mp4 and webm mode work fine however
 # private-bin peek,convert,ffmpeg
 private-dev
 private-tmp
diff --git a/etc/pithos.profile b/etc/pithos.profile
index be6e1b72a..2aaedd45e 100644
--- a/etc/pithos.profile
+++ b/etc/pithos.profile
@@ -25,6 +25,7 @@ seccomp
 shell none
 disable-mnt
+# private-bin pithos,python,python3,python3.6
 private-dev
 private-tmp
diff --git a/etc/sdat2img.profile b/etc/sdat2img.profile
index 06889be33..578f623f0 100644
--- a/etc/sdat2img.profile
+++ b/etc/sdat2img.profile
@@ -25,6 +25,7 @@ protocol unix
 seccomp
 shell none
+# private-bin sdat2img,env,python,python3,python3.6
 private-dev
 noexec ${HOME}
diff --git a/etc/strings.profile b/etc/strings.profile
index 28f5598cf..d102cd445 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -17,7 +17,9 @@ novideo
 shell none
 tracelog
+private-bin strings
 private-dev
+private-lib
 memory-deny-write-execute
-- 
cgit v1.2.3-54-g00ecf
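Review bot: `# private-bin works, but causes weirdness` gives the next maintainer nothing to re-test; name the symptom instead, e.g. `# private-bin disabled: <dialog/instance that misbehaves with it on>`, so the line can be retried once the cause is understood. The candidate list also whitelists package-manager front ends (`apt-file,pkgfile,dnf,yum,zypper,pfl`) plus `valgrind`, presumably because the launcher probes them to map missing libraries to packages; before this is ever enabled it is worth checking whether those really need to run inside the sandbox or whether a fixed error message from the launcher is acceptable, since each name widens what a compromised launcher may exec.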
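Review bot: Recording the reason is the right thing; `# private-bin breaks gif mode, mp4 and webm mode work fine however` would be more actionable if it named what gif mode execs that `peek,convert,ffmpeg` lacks. ImageMagick's `convert` can hand work to delegate programs from its delegates.xml, so the missing binary may be a delegate rather than `convert` itself; running the profile under `firejail --trace` and noting the failing execve in the comment would let the list be completed instead of left off entirely.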
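Review bot: `# private-bin pithos,python,python3,python3.6` pins a minor interpreter version; once enabled, a system whose `python3` is 3.7 still runs an unversioned shebang, but anything naming `python3.6` fails, and the pin goes stale within a release or two. Listing only the names the launcher actually invokes (`python3`, plus `python` only if the shebang is unversioned) is more portable; the sdat2img and meld lines follow the same pattern. The hunk also gives no reason for leaving the line disabled — add one above it.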
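Review bot: `# private-bin sdat2img,env,python,python3,python3.6` is committed disabled with no stated reason, and its versioned `python3.6` entry will drift with the distribution's interpreter (the `env` entry presumably serves a `#!/usr/bin/env python` shebang). Since this profile already carries `noexec ${HOME}`, private-bin is the missing piece for a tool that parses untrusted image blobs, so note why it is off, e.g. `# private-bin disabled: <reason>`, or trim the list to the unversioned names and enable it.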
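Review bot: `private-lib` with no argument relies on firejail working out the shared libraries for the programs in `private-bin strings` from their link-time dependencies; any library libbfd loads lazily at runtime rather than through `DT_NEEDED` would not be copied and would fail only at use time. Test against a real object file (the libbfd path, not just `strings -a` on raw bytes) on each supported distribution, and add a comment recording the firejail version this directive requires, e.g. `# private-lib needs firejail >= <version tested>`, since the profile otherwise gives no hint that it depends on a newer feature than the rest of the file.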