From f9c9c469a23dbb6d484f82f6ba719d662b784753 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Fri, 17 Jan 2020 23:31:46 +0000
Subject: hardenings for various profiles (#3160)
* harden devilspie
* harden devilspie2
* harden curl
* harden wget
* harden curl
* harden dig
* harden claws-mail
* harden dnscrypt-proxy
* harden dnscrypt-proxy
* harden dnscrypt-proxy
* harden exfalso
* refactor easystroke as whitelist profile
* refactor enchant as whitelist profile
* safeguard ${DOCUMENTS}
Thanks @rusty-snake for the suggestion.
* drop x11-none
Thanks @rusty-snake for catching this.
* drop x11 none
Thanks @rusty-snake for saving the bacon...
* drop x11 none
Thanks @rusty-snake for catching this.
* drop x11 none
Thanks @rusty-snake for preventing breakage!
* drop ipc-namespace
Better safe than sorry...
---
 etc/claws-mail.profile | 3 +++
 etc/curl.profile | 4 ++++
 etc/devilspie.profile | 3 +++
 etc/devilspie2.profile | 3 +++
 etc/dig.profile | 5 ++++-
 etc/dnscrypt-proxy.profile | 7 +++++++
 etc/easystroke.profile | 5 +++++
 etc/enchant.profile | 6 ++++++
 etc/exfalso.profile | 1 +
 9 files changed, 36 insertions(+), 1 deletion(-)
(limited to 'etc')
diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile
index f07e2039b..44124f4a3 100644
--- a/etc/claws-mail.profile
+++ b/etc/claws-mail.profile
@@ -13,11 +13,14 @@ noblacklist ${HOME}/.signature
 # and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications
 noblacklist ${HOME}/Mail
 
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 whitelist /usr/share/doc/claws-mail
 whitelist /usr/share/gnupg
diff --git a/etc/curl.profile b/etc/curl.profile
index 679f5a152..3f93e5f7e 100644
--- a/etc/curl.profile
+++ b/etc/curl.profile
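Review bot: The new `noblacklist ${DOCUMENTS}` only works because it sits above `include disable-xdg.inc`, which is the include that blacklists that directory; nothing in the hunk records this ordering constraint, so a later edit that moves the include above it would silently re-hide the directory. A one-line comment on the noblacklist line would protect it: `# keep above disable-xdg.inc, which blacklists ${DOCUMENTS}`. The same hunk adds `include disable-exec.inc`; if claws-mail is set up to launch helper programs or user-defined Actions from ${HOME}, that include will block them, so the PR description should say which of those workflows were tested.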
@@ -9,10 +9,14 @@ include globals.local
 
 noblacklist ${HOME}/.curlrc
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+# depending on workflow you can uncomment the below or put 'include disable-xdg.inc' in your curl.local
+#include disable-xdg.inc
 
 include whitelist-usr-share-common.inc
 
diff --git a/etc/devilspie.profile b/etc/devilspie.profile
index ad891ffaf..bbbdfd702 100644
--- a/etc/devilspie.profile
+++ b/etc/devilspie.profile
@@ -8,6 +8,8 @@ include globals.local
 
 noblacklist ${HOME}/.devilspie
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -41,6 +43,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+x11 none
 
 disable-mnt
 private-bin devilspie
diff --git a/etc/devilspie2.profile b/etc/devilspie2.profile
index f2bacda9a..253e3856c 100644
--- a/etc/devilspie2.profile
+++ b/etc/devilspie2.profile
@@ -8,6 +8,8 @@ include globals.local
 
 noblacklist ${HOME}/.config/devilspie2
 
+blacklist /tmp/.X11-unix
+
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
 
@@ -44,6 +46,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+x11 none
 
 disable-mnt
 private-bin devilspie2
diff --git a/etc/dig.profile b/etc/dig.profile
index af71ff17f..054e4891d 100644
--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -9,6 +9,8 @@ include globals.local
 
 noblacklist ${HOME}/.digrc
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 # include disable-devel.inc
 include disable-exec.inc
@@ -24,7 +26,7 @@ include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
-# ipc-namespace
+ipc-namespace
 machine-id
 netfilter
 no3d
@@ -40,6 +42,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 
 disable-mnt
 private
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index d0430d5ca..65722b3ef 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
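Review bot: `#include disable-xdg.inc` ships a commented-out directive that is only useful if the user edits this file, yet the header of every profile in this tree says the file is overwritten on update and the preceding comment already points to curl.local; the commented line should go, or the comment should state that curl.local is the supported place. Separately, `blacklist /tmp/.X11-unix` hides the X socket directory but, as I understand the two directives, does not clear the DISPLAY variable the way `x11 none` does; since the commit message records dropping `x11 none` for breakage, a comment such as `# x11 none was dropped because it broke <workflow>; blacklisting the socket directory is the fallback` would keep that reasoning with the code. The same pattern appears in the devilspie, devilspie2, dig, dnscrypt-proxy and enchant hunks.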
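Review bot: `x11 none` added here already blacklists /tmp/.X11-unix (and clears DISPLAY, as far as I know firejail's semantics), so the separate `blacklist /tmp/.X11-unix` the earlier hunk adds near the top of devilspie.profile is redundant, and keeping both invites drift when one is later removed. Either drop the explicit blacklist or comment the relationship on it, e.g. `# x11 none further down also covers /tmp/.X11-unix`. devilspie2 carries the identical pair of hunks. Since devilspie is a window-matching tool, the PR description should also confirm it still reaches the X server under this profile.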
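Review bot: `ipc-namespace` replaces a line that was deliberately commented out, and neither the hunk nor the commit message says what changed to make it safe now, while the message's own `drop ipc-namespace` entry shows the directive was backed out of another profile in this same series. For a CLI tool like dig the risk is low, but a comment on the line above it such as `# ipc-namespace re-enabled in #3160 after testing; previously disabled because <reason>` would stop the next maintainer from re-commenting it on sight.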
@@ -7,6 +7,8 @@ include dnscrypt-proxy.local
 # Persistent global definitions
 include globals.local
 
+blacklist /tmp/.X11-unix
+
 noblacklist /sbin
 noblacklist /usr/sbin
 
@@ -20,10 +22,13 @@ include disable-xdg.inc
 
 whitelist /usr/share/dnscrypt-proxy
 include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
 ipc-namespace
 machine-id
+netfilter
 no3d
 nodbus
 nodvd
@@ -34,6 +39,8 @@ nou2f
 novideo
 protocol inet,inet6
 seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
+shell none
+tracelog
 
 disable-mnt
 private
diff --git a/etc/easystroke.profile b/etc/easystroke.profile
index 623a4cadc..1297f5f40 100644
--- a/etc/easystroke.profile
+++ b/etc/easystroke.profile
@@ -16,7 +16,11 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.easystroke
+whitelist ${HOME}/.easystroke
+include whitelist-common.inc
 include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
@@ -35,6 +39,7 @@ novideo
 protocol unix
 seccomp
 shell none
+tracelog
 
 disable-mnt
 # breaks custom shell command functionality
diff --git a/etc/enchant.profile b/etc/enchant.profile
index d276cec84..e2811a955 100644
--- a/etc/enchant.profile
+++ b/etc/enchant.profile
@@ -8,6 +8,8 @@ include globals.local
 
 noblacklist ${HOME}/.config/enchant
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
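Review bot: `netfilter` is added without any `net` directive visible in this hunk or elsewhere in the shown diff, and firejail only applies its packet filter inside a network namespace it creates, so as far as I can tell the line is a no-op in this profile today; if it is meant as forward-looking, say so. If a `net` directive is added later, the default filter drops unsolicited inbound traffic, which matters for a resolver expected to answer other hosts — the retained `caps.keep ... net_bind_service` shows it binds a privileged port. A comment above the line would capture both points: `# netfilter only takes effect together with a net directive; the default filter blocks inbound queries from other hosts`. The added `apparmor` line likewise depends on the firejail AppArmor profile being loaded on the host, which the PR description could mention.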
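Review bot: Converting easystroke to a whitelist profile hides everything in ${HOME} except ${HOME}/.easystroke, yet the context line `# breaks custom shell command functionality` further down the same file shows the tool runs user-defined commands; any script or binary those commands reference elsewhere in the home directory becomes invisible, and the hunk does not mention it. A comment beside the whitelist line would set expectations: `# gesture actions that call scripts elsewhere in ${HOME} need a whitelist entry in easystroke.local`. Note also that `mkdir ${HOME}/.easystroke` creates that directory on the host before the sandbox starts if it is missing, a visible side effect for users who have no such directory yet; the enchant hunk does the same for ${HOME}/.config/enchant.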
@@ -16,7 +18,11 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.config/enchant
+whitelist ${HOME}/.config/enchant
+include whitelist-common.inc
 include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
diff --git a/etc/exfalso.profile b/etc/exfalso.profile
index 7d91f2854..04bafdde4 100644
--- a/etc/exfalso.profile
+++ b/etc/exfalso.profile
@@ -31,6 +31,7 @@ include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
+ipc-namespace
 machine-id
 netfilter
 no3d
-- 
cgit v1.2.3-70-g09d2
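Review bot: `ipc-namespace` is added to a GTK desktop application, and the commit message's own `drop ipc-namespace` / "Better safe than sorry" entry shows the same directive was backed out of another profile in this series, so the hunk should say why exfalso is safe. As I understand it, a new IPC namespace hides the host's SysV shared memory, which the X MIT-SHM path relies on; toolkits usually fall back to socket transport, but this is the typical place a GUI profile breaks. A line above it such as `# ipc-namespace verified with exfalso <version> on X11 and Wayland` would record the test.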