From 0502ac9cb515a763fd31814b47f19a8f3147122d Mon Sep 17 00:00:00 2001
From: Tad
Date: Mon, 17 Apr 2017 21:43:06 -0400
Subject: [PATCH] Harden some more profiles
---
 etc/arduino.profile | 1 +
 etc/audacity.profile | 1 +
 etc/brasero.profile | 7 ++++++-
 etc/deadbeef.profile | 1 +
 etc/keepass.profile | 1 +
 etc/keepassxc.profile | 1 +
 etc/kodi.profile | 1 +
 etc/meld.profile | 1 +
 etc/viking.profile | 1 +
 etc/youtube-dl.profile | 3 +++
 10 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/etc/arduino.profile b/etc/arduino.profile
index e80222bb6..570006de5 100644
--- a/etc/arduino.profile
+++ b/etc/arduino.profile
@@ -12,6 +12,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
+ipc-namespace
 netfilter
 no3d
 nogroups
diff --git a/etc/audacity.profile b/etc/audacity.profile
index 779cd8cdb..29ea34acf 100644
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -11,6 +11,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
+ipc-namespace
 net none
 netfilter
 no3d
diff --git a/etc/brasero.profile b/etc/brasero.profile
index 6d84b0ca5..a15a54ddb 100644
--- a/etc/brasero.profile
+++ b/etc/brasero.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+ipc-namespace
+net none
 nogroups
 nonewprivs
 noroot
@@ -22,6 +24,9 @@ shell none
 tracelog
 # private-bin brasero
-# private-tmp
 # private-dev
 # private-etc fonts
+# private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile
index efd8b463b..8bdc2a8bb 100644
--- a/etc/deadbeef.profile
+++ b/etc/deadbeef.profile
@@ -11,6 +11,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+ipc-namespace
 netfilter
 no3d
 nogroups
diff --git a/etc/keepass.profile b/etc/keepass.profile
index abe52eca3..9cfe63d42 100644
--- a/etc/keepass.profile
+++ b/etc/keepass.profile
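Review bot: The `+ipc-namespace` line added after `caps.drop all` in arduino.profile carries no comment on what to relax if the program misbehaves, and the same bare addition recurs in the audacity, brasero, deadbeef, keepass, keepassxc, kodi, meld, viking and youtube-dl hunks. A new IPC namespace hides System V shared memory and POSIX message queues created outside the sandbox, and X11 clients using MIT-SHM share such segments with the X server, so some of these GUI programs may misrender or fall back to a slower path. Nothing in the commit indicates that each profile was exercised after the change. A one-line hint in the style keepassxc.profile already uses for `net none` would help, for example `# If the window misrenders under X11, comment out ipc-namespace`. Each profile continues outside its hunk, so an existing note there cannot be ruled out.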
@@ -15,6 +15,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+ipc-namespace
 netfilter
 no3d
 nogroups
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile
index 369d4a5ae..7180cab95 100644
--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-passwdmgr.inc
 # To use KeePassHTTP, comment out `net none`
 caps.drop all
+ipc-namespace
 net none
 no3d
 nogroups
diff --git a/etc/kodi.profile b/etc/kodi.profile
index b81b010bf..75098e908 100644
--- a/etc/kodi.profile
+++ b/etc/kodi.profile
@@ -11,6 +11,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
+ipc-namespace
 netfilter
 nogroups
 nonewprivs
diff --git a/etc/meld.profile b/etc/meld.profile
index 4b95b866d..c87358671 100644
--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -11,6 +11,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
+ipc-namespace
 net none
 netfilter
 no3d
diff --git a/etc/viking.profile b/etc/viking.profile
index 2b68d731c..3eec5d823 100644
--- a/etc/viking.profile
+++ b/etc/viking.profile
@@ -13,6 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
+ipc-namespace
 netfilter
 no3d
 nogroups
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile
index 720a27af2..2ba74105d 100644
--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -10,6 +10,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
+ipc-namespace
 netfilter
 no3d
 nogroups
@@ -19,6 +20,8 @@ nosound
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
+quiet
 private-dev
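Review bot: `quiet` is added near the end of youtube-dl.profile, after `shell none` and `tracelog`, but the firejail-profile man page describes it as meant to be the first uncommented command in a profile. Placed this late, messages firejail emits while processing the earlier lines may still be printed, which matters for a command-line tool whose output is often piped into other programs. Moving the line to the top of the file, `quiet` above the first `include`, would make the intent hold. The start of the profile is outside the hunk, so the exact position has to be checked there.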