From b5f29f9c216615c39e6fe00508ea18a52a2fe88a Mon Sep 17 00:00:00 2001
From: Tad
Date: Sun, 16 Apr 2017 07:14:01 -0400
Subject: Harden 9 more profiles

---
 etc/audacity.profile | 5 +++++
 etc/bleachbit.profile | 8 ++++++--
 etc/deadbeef.profile | 10 ++++++++++
 etc/firefox.profile | 4 ++++
 etc/gnome-calculator.profile | 1 +
 etc/ssh.profile | 11 +++++++++++
 etc/steam.profile | 2 ++
 etc/wget.profile | 8 +++++---
 etc/wireshark.profile | 4 ++++
 9 files changed, 48 insertions(+), 5 deletions(-)
(limited to 'etc')

diff --git a/etc/audacity.profile b/etc/audacity.profile
index 4394416ff..779cd8cdb 100644
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -11,7 +11,9 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+net none
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
@@ -23,3 +25,6 @@ tracelog
 private-bin audacity
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile
index b406b9985..7ea55f505 100644
--- a/etc/bleachbit.profile
+++ b/etc/bleachbit.profile
@@ -9,17 +9,21 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+net none
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
-shell none
-seccomp
 protocol unix
+seccomp
+shell none
 
 # private-bin
 # private-dev
 # private-tmp
 # private-etc
 
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile
index 603d6345c..efd8b463b 100644
--- a/etc/deadbeef.profile
+++ b/etc/deadbeef.profile
@@ -11,7 +11,17 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+netfilter
+no3d
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 1bc3eb769..4d96c05c8 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
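Review bot: `netfilter` is kept directly below the new `net none` in the audacity hunk, and the same pairing is added in the bleachbit hunk; netfilter installs a firewall inside the sandbox's own network namespace, which after `net none` appears to hold only loopback, so the line looks like a no-op in both profiles. Either drop `netfilter` from both, or keep it deliberately with a comment such as `# netfilter kept in case net none is relaxed later` so the next editor does not read it as an oversight. The rest of both profiles lies outside the hunks.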
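Review bot: The new `net none` in the bleachbit hunk is added without a comment, although BleachBit has, as far as I recall, an optional online update check and cleaner-definition download that will now fail inside the sandbox. A one-line note above it, e.g. `# net none: BleachBit's online update/cleaner download will not work; comment out if that feature is needed`, would record the trade-off and make the later `-shell none`/`+shell none` reorder read as purely cosmetic. The profile's header lines are outside the hunk.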
@@ -21,6 +21,7 @@ nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
+shell none
 tracelog
 
 whitelist ${DOWNLOADS}
@@ -59,3 +60,6 @@ include /etc/firejail/whitelist-common.inc
 #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index f5d952e3d..e9366f07d 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -19,6 +19,7 @@ caps.drop all
 netfilter
 #net none
 no3d
+nogroups
 nonewprivs
 noroot
 nosound
diff --git a/etc/ssh.profile b/etc/ssh.profile
index b1ef6b27e..425841399 100644
--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -14,7 +14,18 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
+nosound
 protocol unix,inet,inet6
 seccomp
+shell none
+tracelog
+
+private-dev
+#private-tmp #Breaks when exiting
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/steam.profile b/etc/steam.profile
index c81836dfc..536588e4b 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -12,11 +12,13 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
+tracelog
 
 private-dev
 private-tmp
diff --git a/etc/wget.profile b/etc/wget.profile
index cd156a376..3ba97d95d 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -10,11 +10,11 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
-nogroups
 nosound
-no3d
 protocol unix,inet,inet6
 seccomp
 shell none
@@ -22,7 +22,9 @@ shell none
 
 blacklist /tmp/.X11-unix
 # private-bin wget
-# private-etc resolv.conf
 private-dev
+# private-etc resolv.conf
 private-tmp
 
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/wireshark.profile b/etc/wireshark.profile
index 90909edf1..dc224b31c 100644
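Review bot: The `noexec ${HOME}` added at the end of the firefox profile is undocumented, and it will presumably stop a Firefox unpacked under the home directory, or any native-messaging helper executable stored there, from running at all rather than failing visibly. Since the earlier hunk also whitelists `${DOWNLOADS}`, users of that setup will hit it quickly; a comment above the two new lines, e.g. `# noexec: binaries under ~ (tarball Firefox, native-messaging hosts) will no longer execute`, would make the intent and the trade-off explicit. The body of the profile between the two hunks is not visible here.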
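Review bot: The new `#private-tmp #Breaks when exiting` line in the ssh hunk records that something breaks but not what, so nobody can later tell whether it is safe to re-enable; presumably the problem is the agent or control sockets ssh keeps under /tmp, but that should be confirmed and written down, e.g. `#private-tmp  # disabled: breaks session teardown, likely the ssh agent/control sockets under /tmp (verify before enabling)`. The same hunk's `noexec ${HOME}` also deserves a note that `ProxyCommand`/`LocalCommand` scripts or a user-installed ssh kept under the home directory will no longer execute. The `noblacklist` and `include` lines that precede this hunk are outside it.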
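Review bot: `nogroups` in the steam hunk drops supplementary groups, and on systems where /dev/dri and /dev/snd are only reachable through the video/audio groups rather than per-session ACLs that is likely to cost games their GPU and sound, which would show up only as an opaque failure inside the sandbox. If the hardening is intended to stay, a comment such as `# nogroups: assumes ACL-based device access; remove on systems that rely on the video/audio groups` would save the next reporter a bisect. The `private-bin`/`whitelist` parts of the profile are outside the hunk, so I cannot tell whether anything there compensates.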
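Review bot: The second wget hunk moves `# private-etc resolv.conf` below `private-dev` but still gives no reason why it stays commented out, which makes it look like an unfinished line rather than a decision. Presumably a one-entry private-etc would hide nsswitch.conf, hosts and the CA bundle under /etc/ssl, breaking name resolution and HTTPS downloads; if that is the reason, say so: `# private-etc resolv.conf  # disabled: would also need hosts,nsswitch.conf,ssl,... for DNS and TLS`. The first wget hunk is a pure reorder and needs nothing.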
--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -18,6 +18,7 @@ include /etc/firejail/disable-passwdmgr.inc
 
 #protocol unix,inet,inet6,netlink
 netfilter
+no3d
 nogroups
 nonewprivs
 nosound
@@ -28,3 +29,6 @@ tracelog
 #private-bin wireshark
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
-- 
cgit v1.2.3-70-g09d2
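Review bot: `noexec ${HOME}` in the second wireshark hunk is likely to break any compiled dissector plugins installed in the per-user plugin directory under the home directory, because a shared object on a noexec mount cannot be mapped executable and dlopen fails; Lua plugins should be unaffected, but the failure is silent from the user's side. A comment above the new lines, e.g. `# noexec ${HOME}: compiled (.so) user plugins will no longer load; Lua plugins still work`, would document the limitation. The `caps.keep`/capture-related lines of this profile are outside both hunks.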