From d3c16bbaf2d912a057778b70595bb42a7f038553 Mon Sep 17 00:00:00 2001
From: Tad
Date: Sat, 15 Apr 2017 15:23:36 -0400
Subject: Add a profile for Kodi

---
 etc/kodi.profile | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 etc/kodi.profile

(limited to 'etc')

diff --git a/etc/kodi.profile b/etc/kodi.profile
new file mode 100644
index 000000000..1fcb1c502
--- /dev/null
+++ b/etc/kodi.profile
@@ -0,0 +1,27 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/kodi.local
+
+# Firejail profile for kodi
+noblacklist ${HOME}/.kodi
+mkdir ${HOME}/.kodi
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
-- 
cgit v1.2.3-54-g00ecf

From 90cd669eba680369c6ba8d96af194b70c8cc8706 Mon Sep 17 00:00:00 2001
From: Tad
Date: Sat, 15 Apr 2017 08:57:13 -0400
Subject: Harden some profiles

---
 etc/bless.profile | 14 +++++++++++++-
 etc/jd-gui.profile | 13 ++++++++++++-
 etc/lollypop.profile | 11 +++++++++++
 etc/multimc5.profile | 11 ++++++++++-
 etc/pdfsam.profile | 13 ++++++++++++-
 etc/pithos.profile | 10 ++++++++++
 etc/xonotic.profile | 9 +++++++++
 7 files changed, 77 insertions(+), 4 deletions(-)

(limited to 'etc')

diff --git a/etc/bless.profile b/etc/bless.profile
index b8325de39..08a756989 100644
--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -18,7 +18,19 @@ include /etc/firejail/disable-devel.inc
 #Options
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
-protocol unix,inet,inet6
+protocol unix
 seccomp
+shell none
+
+private-dev
+private-etc fonts,mono
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
+
+no3d
+nosound
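Review bot: `noexec ${HOME}` at the end of the new kodi profile also covers the `${HOME}/.kodi` tree the profile creates, so an add-on that ships native code under ~/.kodi would no longer be able to map it executable (whether that affects a given install depends on which add-ons are present, so verify). The gimp profile later on this page documents exactly this trade-off beside its commented `# noexec ${HOME}`; a one-line note here, e.g. `# noexec ${HOME} also blocks native add-on libraries under ~/.kodi`, would tell a user which directive to relax instead of discarding the whole profile. The `netlink` entry in `protocol unix,inet,inet6,netlink` is likewise unexplained; a short comment on why Kodi needs it would help keep the protocol list minimal when the profile is revisited.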
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
index 2ba1a4380..25b7b5bb1 100644
--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -17,7 +17,18 @@ include /etc/firejail/disable-devel.inc
 #Options
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
-protocol unix,inet,inet6
+#protocol unix
 seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
+
+no3d
+nosound
diff --git a/etc/lollypop.profile b/etc/lollypop.profile
index 06ed415d6..4b51f69b0 100644
--- a/etc/lollypop.profile
+++ b/etc/lollypop.profile
@@ -18,7 +18,18 @@ include /etc/firejail/disable-devel.inc
 #Options
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
+
+private-dev
+private-etc fonts
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
+
+no3d
diff --git a/etc/multimc5.profile b/etc/multimc5.profile
index 6b8946be3..8a6211984 100644
--- a/etc/multimc5.profile
+++ b/etc/multimc5.profile
@@ -26,6 +26,15 @@ include /etc/firejail/whitelist-common.inc
 #Options
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
-protocol unix,inet,inet6
+#protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
index 37adabb39..92bad8751 100644
--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -15,7 +15,18 @@ include /etc/firejail/disable-devel.inc
 #Options
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
-protocol unix,inet,inet6
+#protocol unix,inet,inet6
 seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
+
+no3d
+#nosound
diff --git a/etc/pithos.profile b/etc/pithos.profile
index 500e35989..beb76909f 100644
--- a/etc/pithos.profile
+++ b/etc/pithos.profile
@@ -17,7 +17,17 @@ include /etc/firejail/whitelist-common.inc
 #Options
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
+
+no3d
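Review bot: `+#protocol unix` in the jd-gui hunk replaces a live `protocol unix,inet,inet6` with a commented-out line, so this commit removes protocol filtering from jd-gui altogether rather than narrowing it; the multimc5 and pdfsam hunks in the same commit do the same with `+#protocol unix,inet,inet6`. If `protocol unix` alone broke the application, the safer intermediate state is to keep the previous `protocol unix,inet,inet6` line until the narrower set has been verified. Where a hardening directive must stay disabled, the reason belongs on the line in the form the evince profile already uses on this page (`#net none - creates some problems on some distributions`), e.g. `#protocol unix - <reason, placeholder>`. Commit 4f47d30 later in this series re-enables these lines, which suggests the commented form was only a temporary state and makes the missing reason more visible.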
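Review bot: `+private-etc fonts` in the lollypop hunk builds a fresh /etc containing only fonts while the profile keeps networking (`netfilter`, `protocol unix,inet,inet6`), so the sandbox sees no /etc/resolv.conf, /etc/hosts or /etc/ssl and name resolution and TLS inside it are likely to fail (the exact files a distribution needs vary, so verify). If Lollypop is expected to fetch artwork or metadata online, the list should include at least the resolver and certificate entries, e.g. `private-etc fonts,resolv.conf,hosts,ssl`; if it is not, `net none` would make the isolation explicit instead of relying on a broken /etc. The gnome-calculator and totem hunks in commit b7d51c2 on this page pair `private-etc fonts` with a live network in the same way.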
diff --git a/etc/xonotic.profile b/etc/xonotic.profile
index f2690c6c3..6bfb26484 100644
--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -23,7 +23,16 @@ include /etc/firejail/whitelist-common.inc
 #Options
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
+
+private-bin xonotic-sdl,xonotic-glx,blind-id
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
-- 
cgit v1.2.3-54-g00ecf

From 2e307d89743249991ae4faf7b84f68d5da618aaf Mon Sep 17 00:00:00 2001
From: Tad
Date: Sat, 15 Apr 2017 10:04:58 -0400
Subject: Fix MultiMC5

---
 etc/multimc5.profile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'etc')

diff --git a/etc/multimc5.profile b/etc/multimc5.profile
index 8a6211984..3a553e211 100644
--- a/etc/multimc5.profile
+++ b/etc/multimc5.profile
@@ -30,7 +30,7 @@ nogroups
 nonewprivs
 noroot
 #protocol unix,inet,inet6
-seccomp
+#seccomp
 shell none
 
 private-dev
-- 
cgit v1.2.3-54-g00ecf

From 4f47d300827a06afabdd94d409dc2ebb8d84e869 Mon Sep 17 00:00:00 2001
From: Tad
Date: Sat, 15 Apr 2017 11:24:37 -0400
Subject: Add back protocol to profiles

---
 etc/jd-gui.profile | 2 +-
 etc/multimc5.profile | 2 +-
 etc/pdfsam.profile | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

(limited to 'etc')

diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
index 25b7b5bb1..1802c59fd 100644
--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -20,7 +20,7 @@ netfilter
 nogroups
 nonewprivs
 noroot
-#protocol unix
+protocol unix
 seccomp
 shell none
 
diff --git a/etc/multimc5.profile b/etc/multimc5.profile
index 3a553e211..12a7646ae 100644
--- a/etc/multimc5.profile
+++ b/etc/multimc5.profile
@@ -29,7 +29,7 @@ netfilter
 nogroups
 nonewprivs
 noroot
-#protocol unix,inet,inet6
+protocol unix,inet,inet6
 #seccomp
 shell none
 
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
index 92bad8751..c37ccba09 100644
--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
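Review bot: `+private-bin xonotic-sdl,xonotic-glx,blind-id` in the xonotic hunk, together with `shell none` in the same hunk, leaves nothing in the private /bin except those three names; on distributions where `xonotic-sdl`/`xonotic-glx` are wrapper scripts rather than ELF binaries, the interpreter named in their shebang is absent and the launch fails (whether they are scripts is distro-specific, so verify). The hexchat profile on this page already records the matching caution (`#debug note: private-bin requires perl, python, etc on some systems`); a comment of that kind beside the xonotic line, or adding the shell the wrapper uses when one is involved, would make the dependency visible to the next reader.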
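Review bot: `+#seccomp` in the multimc5 hunk of commit 2e307d8 switches the syscall filter off for the whole sandbox, and neither the line nor the commit records which call MultiMC or the JVM it launches tripped on, so a later maintainer cannot tell whether it is safe to turn back on. At minimum the line should carry the reason in the form already used on this page (`#net none - creates some problems on some distributions`), e.g. `#seccomp - <what fails, placeholder>`. Once the offending syscall is identified, a `seccomp.drop` list that omits only that call keeps the rest of the default filter in place instead of dropping all of it.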
@@ -18,7 +18,7 @@ netfilter
 nogroups
 nonewprivs
 noroot
-#protocol unix,inet,inet6
+protocol unix
 seccomp
 shell none
 
@@ -29,4 +29,4 @@ noexec ${HOME}
 noexec /tmp
 
 no3d
-#nosound
+nosound
-- 
cgit v1.2.3-54-g00ecf

From 2d2662b8ac8a64e03c3257f3c57be9b056d0e697 Mon Sep 17 00:00:00 2001
From: Tad
Date: Sat, 15 Apr 2017 15:25:37 -0400
Subject: Harden dino

---
 etc/dino.profile | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'etc')

diff --git a/etc/dino.profile b/etc/dino.profile
index a71ab27d7..cec86812f 100644
--- a/etc/dino.profile
+++ b/etc/dino.profile
@@ -30,3 +30,6 @@ private-bin dino
 #private-etc fonts #breaks server connection
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
-- 
cgit v1.2.3-54-g00ecf

From b7d51c2df6fb62d7830bdd3a873fff618adb00dc Mon Sep 17 00:00:00 2001
From: Tad
Date: Sat, 15 Apr 2017 16:07:25 -0400
Subject: Harden 19 more profiles

---
 etc/bless.profile | 1 +
 etc/eog.profile | 5 +++++
 etc/evince.profile | 4 ++++
 etc/evolution.profile | 5 +++++
 etc/file-roller.profile | 7 ++++++-
 etc/gedit.profile | 9 +++++++--
 etc/gimp.profile | 4 +++-
 etc/gnome-calculator.profile | 12 ++++++++++++
 etc/hexchat.profile | 4 ++++
 etc/jd-gui.profile | 1 +
 etc/keepass.profile | 8 ++++++--
 etc/keepassx.profile | 4 ++++
 etc/keepassx2.profile | 6 +++++-
 etc/keepassxc.profile | 6 +++++-
 etc/libreoffice.profile | 5 +++++
 etc/mumble.profile | 4 ++++
 etc/pdfsam.profile | 1 +
 etc/totem.profile | 12 +++++++++++-
 etc/vlc.profile | 3 +++
 19 files changed, 92 insertions(+), 9 deletions(-)

(limited to 'etc')

diff --git a/etc/bless.profile b/etc/bless.profile
index 08a756989..ac4c08fb0 100644
--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -17,6 +17,7 @@ include /etc/firejail/disable-devel.inc
 
 #Options
 caps.drop all
+net none
 netfilter
 nogroups
 nonewprivs
diff --git a/etc/eog.profile b/etc/eog.profile
index c5afec7fa..7c2cd557c 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
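Review bot: `+net none` is inserted directly above an existing `netfilter` line in the bless hunk of commit b7d51c2; with `net none` the sandbox gets a network namespace with no external interface, so there is nothing left for the netfilter rules to act on and the second line is effectively dead configuration. The same pairing appears in the eog, file-roller, gedit, gimp, jd-gui and pdfsam hunks of the same commit. If `netfilter` is deliberately kept as a fallback for users who comment out `net none` in a `.local` override, a one-line comment saying so (e.g. `# netfilter only takes effect if net none is disabled`) would stop it being read as an oversight; otherwise it can be dropped.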
@@ -11,7 +11,9 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+net none
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
@@ -24,3 +26,6 @@ private-bin eog
 private-dev
 private-etc fonts
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/evince.profile b/etc/evince.profile
index 94cefdd8b..ae50425b9 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -13,6 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
 #net none - creates some problems on some distributions
+no3d
 nogroups
 nonewprivs
 noroot
@@ -27,3 +28,6 @@ private-dev
 private-etc fonts
 # evince needs access to /tmp/mozilla* to work in firefox
 # private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/evolution.profile b/etc/evolution.profile
index cb6615716..04bf480ff 100644
--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -9,6 +9,7 @@ noblacklist ~/.cache/evolution
 noblacklist ~/.pki
 noblacklist ~/.pki/nssdb
 noblacklist ~/.gnupg
+noblacklist ~/.bogofilter
 noblacklist /var/spool/mail
 noblacklist /var/mail
 
@@ -20,6 +21,7 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
@@ -30,3 +32,6 @@ shell none
 
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index 804d20ce1..a3f687651 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -9,13 +9,15 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+net none
+netfilter
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
 protocol unix
 seccomp
-netfilter
 shell none
 tracelog
 
@@ -23,3 +25,6 @@ tracelog
 # private-tmp
 private-dev
 # private-etc fonts
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gedit.profile b/etc/gedit.profile
index 9f4eee9b3..07bdb1bbe 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -14,17 +14,22 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+netfilter
+net none
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
 protocol unix
 seccomp
-netfilter
 shell none
 tracelog
 
 # private-bin gedit
-private-tmp
 private-dev
 # private-etc fonts
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gimp.profile b/etc/gimp.profile
index 4088bd680..5f8ccb4fb 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -10,16 +10,18 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+net none
 nogroups
 nonewprivs
 noroot
 nosound
 protocol unix
 seccomp
+shell none
 
 # gimp plugins are installed by the user in ~/.gimp-2.8/plug-ins/ directory
 # if you are not using external plugins, you can enable noexec statement below
-# noexec ${HOME}
+# noexec ${HOME}
 noexec /tmp
 
 
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index 714a97650..f5d952e3d 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -17,7 +17,19 @@ include /etc/firejail/whitelist-common.inc
 #Options
 caps.drop all
 netfilter
+#net none
+no3d
 nonewprivs
 noroot
+nosound
 protocol unix,inet,inet6
 seccomp
+shell none
+
+private-bin gnome-calculator
+private-dev
+private-etc fonts
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index 53f447f7e..d24f492d8 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -13,6 +13,7 @@ include /etc/firejail/disable-devel.inc
 
 caps.drop all
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
@@ -30,3 +31,6 @@ private-bin hexchat
 #debug note: private-bin requires perl, python, etc on some systems
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
index 1802c59fd..e0184908b 100644
--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -16,6 +16,7 @@ include /etc/firejail/disable-devel.inc
 
 #Options
 caps.drop all
+net none
 netfilter
 nogroups
 nonewprivs
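Review bot: The gnome-calculator hunk is the one profile in commit b7d51c2 that keeps networking on (`+#net none`) while also adding `+private-etc fonts`, and it is the only hunk in this series whose hardening block lacks `nogroups` next to `nonewprivs`. The commented `#net none` carries no reason; if the network is kept for a feature of the application (inferred, not shown on the page), write it on the line as the evince profile does, e.g. `#net none - <reason, placeholder>`. With the network live, `private-etc fonts` hides the resolver and certificate files the sandbox needs, so `private-etc fonts,resolv.conf,hosts,ssl` or a deliberate `net none` would be consistent with the rest of the change, and adding `nogroups` above `nonewprivs` would bring the profile in line with the others.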
diff --git a/etc/keepass.profile b/etc/keepass.profile
index d269c3e8a..abe52eca3 100644
--- a/etc/keepass.profile
+++ b/etc/keepass.profile
@@ -15,14 +15,18 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+netfilter
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
 protocol unix,inet,inet6
 seccomp
-netfilter
 shell none
 
-private-tmp
 private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/keepassx.profile b/etc/keepassx.profile
index 379b8a668..845a1bcc9 100644
--- a/etc/keepassx.profile
+++ b/etc/keepassx.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 net none
+no3d
 nogroups
 nonewprivs
 noroot
@@ -28,3 +29,6 @@ private-bin keepassx
 private-etc fonts
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/keepassx2.profile b/etc/keepassx2.profile
index a21caf3f1..32dddc2fe 100644
--- a/etc/keepassx2.profile
+++ b/etc/keepassx2.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 net none
+no3d
 nogroups
 nonewprivs
 noroot
@@ -24,6 +25,9 @@ seccomp
 shell none
 
 private-bin keepassx2
-private-etc fonts
 private-dev
+private-etc fonts
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile
index 654a30682..369d4a5ae 100644
--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -16,6 +16,7 @@ include /etc/firejail/disable-passwdmgr.inc
 # To use KeePassHTTP, comment out `net none`
 caps.drop all
 net none
+no3d
 nogroups
 nonewprivs
 noroot
@@ -25,6 +26,9 @@ seccomp
 shell none
 
 private-bin keepassxc
-private-etc fonts
 private-dev
+private-etc fonts
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index 685073e7c..dda4e6ab9 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
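Review bot: The keepass hunk adds `+netfilter` and keeps `protocol unix,inet,inet6`, so this password manager stays network-capable, while the keepassx, keepassx2 and keepassxc hunks in the same commit all run under `net none`. For a credential store the isolated setting should be the default unless a specific feature needs the network, and the keepassxc profile on this page already shows how to document that exception (`# To use KeePassHTTP, comment out `net none``). Either add `net none` here as well or leave a comment naming the feature that requires the network, so the difference between the four profiles reads as a decision rather than an omission.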
@@ -17,7 +17,12 @@ nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
 tracelog
 
 private-dev
 # whitelist /tmp/.X11-unix/
+
+noexec ${HOME}
+noexec /tmp
+
diff --git a/etc/mumble.profile b/etc/mumble.profile
index d5405a6ae..c5c6a4d1a 100644
--- a/etc/mumble.profile
+++ b/etc/mumble.profile
@@ -18,6 +18,7 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+no3d
 nonewprivs
 nogroups
 noroot
@@ -28,3 +29,6 @@ tracelog
 
 private-bin mumble
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
index c37ccba09..523c11f26 100644
--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-devel.inc
 
 #Options
 caps.drop all
+net none
 netfilter
 nogroups
 nonewprivs
diff --git a/etc/totem.profile b/etc/totem.profile
index 0b3942cf0..fadfbb00b 100644
--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -12,8 +12,18 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+netfilter
+nogroups
 nonewprivs
 noroot
-netfilter
 protocol unix,inet,inet6
 seccomp
+shell none
+
+private-bin totem
+private-dev
+private-etc fonts
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/vlc.profile b/etc/vlc.profile
index 0c96f0108..21282dfbd 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -22,3 +22,6 @@ shell none
 private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
 # private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
-- 
cgit v1.2.3-54-g00ecf

From ba934b70f9ba0ba5ec10275f007fd784b16da91c Mon Sep 17 00:00:00 2001
From: Tad
Date: Sat, 15 Apr 2017 16:13:13 -0400
Subject: Cleanup

---
 etc/bless.profile | 5 ++---
 etc/jd-gui.profile | 5 ++---
 etc/libreoffice.profile | 1 -
 etc/lollypop.profile | 3 +--
 etc/pdfsam.profile | 5 ++---
 etc/pithos.profile | 3 +--
 6 files changed, 8 insertions(+), 14 deletions(-)

(limited to 'etc')

diff --git a/etc/bless.profile b/etc/bless.profile
index ac4c08fb0..869f13cc0 100644
--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -19,9 +19,11 @@ include /etc/firejail/disable-devel.inc
 caps.drop all
 net none
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
+nosound
 protocol unix
 seccomp
 shell none
@@ -32,6 +34,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-no3d
-nosound
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
index e0184908b..6ff618187 100644
--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -18,9 +18,11 @@ include /etc/firejail/disable-devel.inc
 caps.drop all
 net none
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
+nosound
 protocol unix
 seccomp
 shell none
@@ -30,6 +32,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-no3d
-nosound
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index dda4e6ab9..fb82195b3 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -25,4 +25,3 @@ private-dev
 
 noexec ${HOME}
 noexec /tmp
-
diff --git a/etc/lollypop.profile b/etc/lollypop.profile
index 4b51f69b0..e84118b9e 100644
--- a/etc/lollypop.profile
+++ b/etc/lollypop.profile
@@ -18,6 +18,7 @@ include /etc/firejail/disable-devel.inc
 #Options
 caps.drop all
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
@@ -31,5 +32,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-no3d
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
index 523c11f26..dfe463c98 100644
--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -16,9 +16,11 @@ include /etc/firejail/disable-devel.inc
 caps.drop all
 net none
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
+nosound
 protocol unix
 seccomp
 shell none
@@ -28,6 +30,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-no3d
-nosound
diff --git a/etc/pithos.profile b/etc/pithos.profile
index beb76909f..c25b5772b 100644
--- a/etc/pithos.profile
+++ b/etc/pithos.profile
@@ -17,6 +17,7 @@ include /etc/firejail/whitelist-common.inc
 #Options
 caps.drop all
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
@@ -29,5 +30,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-no3d
-- 
cgit v1.2.3-54-g00ecf

From bc0787e4bf8a93d89f15125b33381d75c46d9414 Mon Sep 17 00:00:00 2001
From: Tad
Date: Sat, 15 Apr 2017 16:27:14 -0400
Subject: Harden Steam

---
 etc/steam.profile | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'etc')

diff --git a/etc/steam.profile b/etc/steam.profile
index b527589de..c81836dfc 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -16,3 +16,7 @@ nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
+shell none
+
+private-dev
+private-tmp
-- 
cgit v1.2.3-54-g00ecf

From 8b2fd4f6e2ff602f27eddd66ee87a3c69bd00d63 Mon Sep 17 00:00:00 2001
From: SpotComms
Date: Sat, 15 Apr 2017 17:17:37 -0400
Subject: Add 'tracelog' to Kodi profile

---
 etc/kodi.profile | 1 +
 1 file changed, 1 insertion(+)

(limited to 'etc')

diff --git a/etc/kodi.profile b/etc/kodi.profile
index 1fcb1c502..45a8430f1 100644
--- a/etc/kodi.profile
+++ b/etc/kodi.profile
@@ -19,6 +19,7 @@ noroot
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
+tracelog
 
 private-dev
 private-tmp
-- 
cgit v1.2.3-54-g00ecf
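Review bot: `+private-dev` in the steam hunk replaces /dev with firejail's fixed device subset, and depending on the firejail release that subset may not include the input device nodes that Steam and its games use for controllers (version-dependent, so check the installed release's private-dev device list before shipping this). The commit title says only "Harden Steam", so a one-line comment next to the directive, e.g. `# private-dev may hide controller device nodes; comment out if input devices are missing`, would record the known trade-off for users. Leaving `noexec ${HOME}` out of this profile looks deliberate, presumably because game binaries are installed under the user's home directory; a comment saying so would stop a later "harden" pass from adding it.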