From bcb2a2f0a8d597a281156f6bb2b9c2785644ed0e Mon Sep 17 00:00:00 2001
From: rusty-snake
Date: Wed, 13 Mar 2019 17:35:00 +0000
Subject: Harden youtube-dl.profile (#2584)

* Harden youtube-dl.profile
* Add dis-exec to ytdl
* Comment mdwe in ytdl
---
 etc/youtube-dl.profile | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
(limited to 'etc')

diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile
index 0878c91ef..621ffb2b0 100644
--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -19,8 +19,12 @@ noblacklist /usr/lib/python3*
 noblacklist /usr/local/lib/python2*
 noblacklist /usr/local/lib/python3*
 
+# breaks when installed via pip
+ignore noexec ${HOME}
+
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -28,10 +32,13 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
+machine-id
 netfilter
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,8 +52,11 @@ seccomp
 shell none
 tracelog
 
+disable-mnt
+private-bin youtube-dl,python*,ffmpeg
+private-cache
 private-dev
+private-etc alternatives,ssl,pki,ca-certificates,hostname,hosts,resolv.conf,youtube-dl.conf,crypto-policies,mime.types
+private-tmp
 
-# breaks when installed via pip
-#noexec ${HOME}
-noexec /tmp
+# memory-deny-write-execute - breaks on Arch
-- 
cgit v1.2.3-54-g00ecf
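Review bot: `ignore noexec ${HOME}` in the first hunk keeps the entire home directory executable on every youtube-dl run, not only for pip installs, and the one-line comment above it does not state that trade-off. Presumably the breakage meant is a launcher installed under ${HOME} (for example by a user-level pip install) being blocked by the `noexec ${HOME}` that disable-exec.inc, included a few lines below, is expected to set; confirm that is the case. I would widen the comment to `# a pip-installed launcher lives under ${HOME} and would be blocked by noexec from disable-exec.inc; this keeps ${HOME} executable for all runs`, and note that the `ignore` must stay above the `include disable-exec.inc` line if ordering matters for this firejail version.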
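Review bot: The new `private-etc` line in the last hunk omits nsswitch.conf, so name resolution inside the sandbox falls back to libc defaults instead of the host's configuration and may behave differently or fail on glibc systems; ld.so.cache is missing for a similar reason and is worth checking. I would add `nsswitch.conf` (and likely `ld.so.cache`) to the list after verifying that downloads still work. `disable-mnt` hides /mnt and /media, so users saving downloads to a removable drive will get a failure; a comment such as `# disable-mnt: saving downloads under /mnt or /media will fail, comment out if needed` would document the choice. `private-bin` lists ffmpeg but not ffprobe, which youtube-dl's ffmpeg post-processors may call when probing or merging streams — confirm against the installed version and add it if so.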