From 90cd669eba680369c6ba8d96af194b70c8cc8706 Mon Sep 17 00:00:00 2001
From: Tad
Date: Sat, 15 Apr 2017 08:57:13 -0400
Subject: Harden some profiles
---
etc/bless.profile | 14 +++++++++++++-
etc/jd-gui.profile | 13 ++++++++++++-
etc/lollypop.profile | 11 +++++++++++
etc/multimc5.profile | 11 ++++++++++-
etc/pdfsam.profile | 13 ++++++++++++-
etc/pithos.profile | 10 ++++++++++
etc/xonotic.profile | 9 +++++++++
7 files changed, 77 insertions(+), 4 deletions(-)
(limited to 'etc')
diff --git a/etc/bless.profile b/etc/bless.profile
index b8325de39..08a756989 100644
--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -18,7 +18,19 @@ include /etc/firejail/disable-devel.inc
 #Options
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
-protocol unix,inet,inet6
+protocol unix
 seccomp
+shell none
+
+private-dev
+private-etc fonts,mono
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
+
+no3d
+nosound
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
index 2ba1a4380..25b7b5bb1 100644
--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -17,7 +17,18 @@ include /etc/firejail/disable-devel.inc
 #Options
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
-protocol unix,inet,inet6
+#protocol unix
 seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
+
+no3d
+nosound
diff --git a/etc/lollypop.profile b/etc/lollypop.profile
index 06ed415d6..4b51f69b0 100644
--- a/etc/lollypop.profile
+++ b/etc/lollypop.profile
@@ -18,7 +18,18 @@ include /etc/firejail/disable-devel.inc
 #Options
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
+
+private-dev
+private-etc fonts
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
+
+no3d
diff --git a/etc/multimc5.profile b/etc/multimc5.profile
index 6b8946be3..8a6211984 100644
--- a/etc/multimc5.profile
+++ b/etc/multimc5.profile
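Review bot: In etc/bless.profile, `protocol unix` narrows the socket families but the sandbox still shares the host network namespace, so abstract unix sockets on the host stay reachable. For a hex editor that this change already treats as offline, `net none` would close that gap as well; it should be tested against the X11 and D-Bus setup in use before it is adopted. The retained `netfilter` line only applies when a new network namespace is created, so it appears to have no effect in this profile.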
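Review bot: In etc/jd-gui.profile the active `protocol unix,inet,inet6` line is replaced by the commented-out `#protocol unix`, which leaves the profile without a protocol filter unless an included file sets one, so this hunk loosens the socket-family restriction in a commit that otherwise tightens things. The same pattern appears in etc/multimc5.profile and etc/pdfsam.profile (`#protocol unix,inet,inet6`), and pdfsam also gains a disabled `#nosound`. If the filter breaks these applications, record that next to the line, e.g. `# protocol filter disabled: <reason>`; otherwise keep `protocol unix,inet,inet6` active. The commented value here also differs from the line it replaces, which makes the intended setting unclear.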
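Review bot: In etc/lollypop.profile, `private-etc fonts` hides everything else under /etc while `protocol unix,inet,inet6` stays enabled, so the resolver configuration and the TLS trust store are not visible inside the sandbox. If lollypop is meant to reach the network, as the retained protocol line suggests, name resolution and certificate validation are likely to fail. Either extend the list, for example `private-etc fonts,resolv.conf,hosts,ssl,ca-certificates`, or add a comment stating that network features are intentionally unsupported. The exact entries depend on the distribution and need checking on a real install.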
@@ -26,6 +26,15 @@ include /etc/firejail/whitelist-common.inc
 #Options
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
-protocol unix,inet,inet6
+#protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
index 37adabb39..92bad8751 100644
--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -15,7 +15,18 @@ include /etc/firejail/disable-devel.inc
 #Options
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
-protocol unix,inet,inet6
+#protocol unix,inet,inet6
 seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
+
+no3d
+#nosound
diff --git a/etc/pithos.profile b/etc/pithos.profile
index 500e35989..beb76909f 100644
--- a/etc/pithos.profile
+++ b/etc/pithos.profile
@@ -17,7 +17,17 @@ include /etc/firejail/whitelist-common.inc
 #Options
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
+
+no3d
diff --git a/etc/xonotic.profile b/etc/xonotic.profile
index f2690c6c3..6bfb26484 100644
--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -23,7 +23,16 @@ include /etc/firejail/whitelist-common.inc
 #Options
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
+
+private-bin xonotic-sdl,xonotic-glx,blind-id
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
--
cgit v1.2.3-54-g00ecf
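Review bot: In etc/xonotic.profile, `private-bin xonotic-sdl,xonotic-glx,blind-id` combined with `shell none` leaves no interpreter inside the sandbox, so a package that starts the game through a wrapper script would fail to launch. Binary names may also differ between distributions, which the fixed list does not cover. A comment such as `# private-bin lists the game binaries only; a wrapper script needs itself and sh added` would record the assumption, or the list can be widened after testing on the target distributions.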