Commit 0dba3843 authored by Tad's avatar Tad

Harden profiles

- Added 'disable-devel.conf' to many profiles
- Added 'disable-mnt' to many profiles
- Added 'noexec' to many profiles
- Removed 'netfilter' and 'net none' from profiles with 'protocol unix'
- Cleaned up profiles using defaults
parent 8ef01b38
......@@ -38,3 +38,6 @@ tracelog
private-dev
private-tmp
disable-mnt
noexec ${HOME}
noexec /tmp
......@@ -7,24 +7,25 @@ include /etc/firejail/2048-qt.local
noblacklist ~/.config/xiaoyong
noblacklist ~/.config/2048-qt
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
#ipc-namespace
nogroups
nonewprivs
noroot
protocol unix,inet,inet6
novideo
protocol unix
seccomp
#
# depending on your usage, you can enable some of the commands below:
#
nogroups
shell none
# private-bin program
# private-etc none
# private-dev
# private-tmp
nosound
private-dev
private-tmp
disable-mnt
noexec ${HOME}
noexec /tmp
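Review bot: Narrowing to `protocol unix` and dropping `netfilter` leaves the seccomp-based socket filter as the only network control, and `protocol` is enforced through the same seccomp mechanism as the `seccomp` line, so a kernel or build without seccomp support loses both together. Adding `net none` after `protocol unix` would put the sandbox in its own network namespace, a separate mechanism that also scopes the abstract unix socket namespace which `protocol unix` still permits; the same applies to the clipit, dia and fontforge hunks in this commit, which make the identical change. The Xephyr comment in this commit shows the one known caveat: programs that must reach the host's abstract sockets cannot use it. The sides of the two `protocol` lines are inferred from the hunk counts and the commit message.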
......@@ -16,20 +16,12 @@ include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nogroups
no3d
nonewprivs
noroot
nosound
novideo
protocol unix
seccomp
shell none
tracelog
#
# depending on your usage, you can enable some of the commands below:
#
# private-bin program
# private-etc none
# private-dev
# private-tmp
......@@ -21,7 +21,6 @@ private
caps.drop all
# Xephyr needs to be allowed access to the abstract Unix socket namespace.
#net none
nogroups
nonewprivs
# In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix.
......
......@@ -22,7 +22,6 @@ private
caps.drop all
# Xvfb needs to be allowed access to the abstract Unix socket namespace.
#net none
nogroups
nonewprivs
# In noroot mode, Xvfb cannot create a socket in the real /tmp/.X11-unix.
......
......@@ -5,28 +5,30 @@ include /etc/firejail/globals.local
# Persistent customizations should go in a .local file.
include /etc/firejail/akregator.local
################################
# Generic GUI application profile
################################
noblacklist ${HOME}/.config/akregatorrc
noblacklist ${HOME}/.local/share/akregator
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
#ipc-namespace
netfilter
no3d
nogroups
nonewprivs
noroot
#nosound
novideo
protocol unix,inet,inet6
seccomp
shell none
private-dev
private-tmp
disable-mnt
#
# depending on your usage, you can enable some of the commands below:
#
# nogroups
# shell none
# private-bin program
# private-etc none
# private-dev
# private-tmp
noexec ${HOME}
noexec /tmp
......@@ -14,7 +14,6 @@ include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nogroups
nonewprivs
noroot
......
......@@ -19,8 +19,6 @@ nosound
novideo
protocol unix
seccomp
netfilter
net none
no3d
shell none
tracelog
......
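Review bot: Removing `net none` here reduces isolation rather than hardening it: `protocol unix` only filters the socket() call through seccomp, whereas `net none` places the process in a private network namespace with no interfaces, which also isolates the abstract unix socket namespace (the Xephyr and Xvfb comments in this commit note exactly that dependency). Dropping `netfilter` alongside it is reasonable, since netfilter needs a network namespace with an interface to act on, but `net none` should stay on any profile whose program works with it; the same `net none` removal appears in roughly a dozen more hunks of this commit, including the galculator and catfish profiles, which have no network need at all. Suggest keeping `net none` and removing only `netfilter` in each of them. The sides of these lines are inferred from the hunk counts and the commit description, since the rendered page has lost the markers.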
......@@ -15,8 +15,6 @@ include /etc/firejail/disable-programs.inc
caps.drop all
#ipc-namespace
net none
netfilter
no3d
nogroups
nonewprivs
......
......@@ -9,13 +9,23 @@ include /etc/firejail/bitlbee.local
noblacklist /sbin
noblacklist /usr/sbin
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
netfilter
no3d
nonewprivs
private
private-dev
protocol unix,inet,inet6
seccomp
nosound
novideo
read-write /var/lib/bitlbee
private-dev
private-tmp
disable-mnt
noexec /tmp
......@@ -13,8 +13,6 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
#ipc-namespace
net none
netfilter
no3d
nogroups
nonewprivs
......
......@@ -7,25 +7,21 @@ include /etc/firejail/blender.local
noblacklist ~/.config/blender
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nogroups
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
#
# depending on your usage, you can enable some of the commands below:
#
nogroups
shell none
# private-bin program
# private-etc none
# private-dev
# private-tmp
# blender uses the sound system
# nosound
private-dev
private-tmp
noexec ${HOME}
noexec /tmp
......@@ -21,8 +21,6 @@ include /etc/firejail/disable-devel.inc
#Options
caps.drop all
#ipc-namespace
net none
netfilter
no3d
nogroups
nonewprivs
......
......@@ -15,7 +15,6 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
#ipc-namespace
net none
nogroups
nonewprivs
noroot
......
......@@ -26,7 +26,6 @@ nonewprivs
noroot
protocol unix
seccomp
netfilter
shell none
tracelog
......
......@@ -13,7 +13,6 @@ noblacklist ~/.config/catfish
include /etc/firejail/disable-devel.inc
caps.drop all
net none
no3d
nogroups
nonewprivs
......
......@@ -9,18 +9,28 @@ include /etc/firejail/cherrytree.local
noblacklist /usr/bin/python2*
noblacklist /usr/lib/python3*
noblacklist ${HOME}/.config/cherrytree
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
#ipc-namespace
netfilter
no3d
nogroups
nonewprivs
noroot
nosound
novideo
seccomp
protocol unix,inet,inet6,netlink
seccomp
shell none
tracelog
private-dev
private-tmp
noexec ${HOME}
noexec /tmp
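Review bot: This hunk adds `noexec ${HOME}`, `noexec /tmp` and the private-dev/private-tmp pair but not `disable-mnt`, which the comparable GUI profiles in this commit (clipit, dia, globaltime) receive; if cherrytree has no need to open documents from /mnt or /media, add `disable-mnt` after `private-tmp`. `protocol unix,inet,inet6,netlink` is broad for a note-taking application; if netlink is only present for a toolkit network monitor it could be narrowed to `protocol unix,inet,inet6`, but confirm against the program first, as it is not clear from the hunk whether that line is new or pre-existing.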
......@@ -8,26 +8,24 @@ include /etc/firejail/clipit.local
noblacklist ${HOME}/.local/share/clipit
noblacklist ${HOME}/.config/clipit
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
no3d
nogroups
nonewprivs
noroot
nosound
novideo
protocol unix,inet,inet6
protocol unix
seccomp
shell none
private-dev
private-tmp
disable-mnt
#
# depending on your usage, you can enable some of the commands below:
#
nogroups
shell none
# private-bin program
# private-etc none
# private-dev
# private-tmp
nosound
noexec ${HOME}
noexec /tmp
......@@ -8,23 +8,24 @@ include /etc/firejail/darktable.local
noblacklist ~/.cache/darktable
noblacklist ~/.config/darktable
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
#ipc-namespace
netfilter
nogroups
nonewprivs
noroot
nosound
novideo
protocol unix,inet,inet6
seccomp
#
# depending on your usage, you can enable some of the commands below:
#
# nogroups
shell none
# private-bin program
# private-etc none
# private-dev
private-dev
private-tmp
nosound
noexec ${HOME}
noexec /tmp
......@@ -7,23 +7,24 @@ include /etc/firejail/dia.local
noblacklist ~/.dia
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
no3d
nogroups
nonewprivs
noroot
nosound
novideo
protocol unix,inet,inet6
protocol unix
seccomp
#
# depending on your usage, you can enable some of the commands below:
#
nogroups
shell none
# private-bin program
# private-etc none
private-dev
private-tmp
disable-mnt
noexec ${HOME}
noexec /tmp
......@@ -14,8 +14,6 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
seccomp
protocol unix
netfilter
net none
nonewprivs
noroot
nogroups
......
......@@ -22,7 +22,6 @@ include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nogroups
nonewprivs
noroot
......
......@@ -9,16 +9,10 @@ include /etc/firejail/dropbox.local
noblacklist ~/.config/autostart
noblacklist ~/.dropbox-dist
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps
nonewprivs
noroot
novideo
protocol unix,inet,inet6
seccomp
mkdir ~/Dropbox
whitelist ~/Dropbox
mkdir ~/.dropbox
......@@ -28,3 +22,20 @@ whitelist ~/.dropbox-dist
mkfile ~/.config/autostart/dropbox.desktop
whitelist ~/.config/autostart/dropbox.desktop
caps.drop all
netfilter
no3d
nogroups
nonewprivs
noroot
nosound
novideo
protocol unix,inet,inet6
seccomp
shell none
private-dev
private-tmp
noexec /tmp
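Review bot: The hardening added here (`caps.drop all`, `private-dev`, `noexec /tmp`) still leaves `~/.config/autostart/dropbox.desktop` writable through the `mkfile`/`whitelist` pair in the previous hunk, and autostart entries are executed by the desktop session outside the sandbox, so whatever the sandboxed process writes there runs unconfined at the next login. If Dropbox does not need to toggle its own autostart entry from inside the jail, add `read-only ~/.config/autostart/dropbox.desktop` after the whitelist line; otherwise record the exposure in a comment. `noexec ${HOME}` is presumably omitted on purpose because the client lives under `~/.dropbox-dist`; a comment such as `# no noexec ${HOME}: dropbox executes from ~/.dropbox-dist` would keep a later hardening pass from adding it.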
......@@ -20,7 +20,6 @@ noroot
nosound
protocol unix
seccomp
netfilter
shell none
tracelog
......
......@@ -19,7 +19,6 @@ nosound
novideo
protocol unix
seccomp
netfilter
shell none
tracelog
......
......@@ -18,8 +18,6 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
#ipc-namespace
net none
netfilter
no3d
nogroups
nonewprivs
......
......@@ -15,8 +15,6 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
#ipc-namespace
netfilter
#net none - creates some problems on some distributions
no3d
nogroups
nonewprivs
......
......@@ -23,8 +23,6 @@ noroot
nosound
protocol unix
seccomp
netfilter
net none
no3d
shell none
tracelog
......
......@@ -12,8 +12,6 @@ include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
net none
nogroups
nonewprivs
noroot
......
......@@ -13,8 +13,6 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
#ipc-namespace
net none
netfilter
no3d
nogroups
nonewprivs
......
......@@ -13,8 +13,6 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
hostname file
netfilter
net none
no3d
nogroups
nonewprivs
......
......@@ -8,13 +8,23 @@ include /etc/firejail/flowblade.local
# FlowBlade profile
noblacklist ${HOME}/.flowblade
noblacklist ${HOME}/.config/flowblade
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nogroups
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
shell none
private-dev
private-tmp
noexec ${HOME}
noexec /tmp
......@@ -6,23 +6,24 @@ include /etc/firejail/globals.local
include /etc/firejail/fontforge.local
noblacklist ${HOME}/.FontForge
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nogroups
nonewprivs
noroot
protocol unix,inet,inet6
nosound
novideo
protocol unix
seccomp
#
# depending on your usage, you can enable some of the commands below:
#
nogroups
shell none
# private-bin program
# private-etc none
private-dev
private-tmp
noexec ${HOME}
noexec /tmp
......@@ -13,14 +13,6 @@ include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
#tracelog
whitelist ${DOWNLOADS}
mkdir ~/.config/Franz
whitelist ~/.config/Franz
......@@ -30,3 +22,21 @@ mkdir ~/.pki
whitelist ~/.pki
include /etc/firejail/whitelist-common.inc
caps.drop all
#ipc-namespace
netfilter
nogroups
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
shell none
tracelog
private-dev
private-tmp
disable-mnt
noexec ${HOME}
noexec /tmp
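Review bot: `whitelist ~/.pki` in the previous hunk keeps the user's shared NSS certificate database writable from inside the sandbox even after this hunk's `caps.drop all` and `noexec` additions; a process that can modify that store can alter which certificate authorities other applications sharing it trust. If Franz only needs to read it, `read-only ~/.pki` after the whitelist line limits that; if it must write, a comment noting the exposure would help the next reader. Separately, if users run Franz as an AppImage from their home directory, `noexec ${HOME}` will prevent it from starting, and nothing in the visible hunks shows where the binary is expected to live.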
......@@ -17,7 +17,6 @@ mkdir ~/.config/galculator
whitelist ~/.config/galculator
caps.drop all
net none
nogroups
nonewprivs
noroot
......
......@@ -12,17 +12,15 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
no3d
nogroups
nonewprivs
noroot
nosound
novideo
protocol unix,inet,inet6
seccomp
#
# depending on your usage, you can enable some of the commands below:
#
nogroups
shell none
# private-bin program
# private-etc none
private-dev
private-tmp
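Review bot: Unlike the other GUI profiles in this commit, this hunk adds `private-dev` and `private-tmp` but neither `noexec /tmp` nor `disable-mnt`; with /tmp now private there is little breakage risk in `noexec /tmp`, so unless the program is known to execute from /tmp, add `noexec /tmp` after `private-tmp`. The profile name is not visible in this hunk, so the omission may be deliberate; if so, a one-line comment saying why would prevent it being re-raised.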
......@@ -18,8 +18,6 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
#ipc-namespace
netfilter
net none
no3d
nogroups
nonewprivs
......
......@@ -12,8 +12,6 @@ include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
net none
nogroups
nonewprivs
noroot
......
......@@ -7,22 +7,25 @@ include /etc/firejail/globaltime.local
noblacklist ${HOME}/.config/globaltime
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
no3d
nogroups
nonewprivs
noroot
nosound
novideo
protocol unix,inet,inet6
seccomp
#
# depending on your usage, you can enable some of the commands below:
#
nogroups
shell none
# private-bin program
# private-etc none
private-dev
# private-tmp
private-tmp
disable-mnt
noexec ${HOME}
noexec /tmp
......@@ -24,7 +24,6 @@ nosound
novideo
protocol unix
seccomp
netfilter
shell none
tracelog
......
......@@ -30,6 +30,7 @@ protocol unix,inet,inet6
seccomp
shell none
private