[PR #1367] [MERGED] Harden profiles #3929

Closed
opened 2026-05-05 10:10:34 -06:00 by gitea-mirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/1367
Author: @SkewedZeppelin
Created: 7/5/2017
Status: Merged
Merged: 8/2/2017
Merged by: @Fred-Barclay

Base: master ← Head: mh


📝 Commits (6)

  • 0dba384 Harden profiles
  • b18f42a Initial adding of memory-deny-write-execute to profiles
  • 0e7b0bd Add noexec to more profiles as tested by @curiosity-seeker
  • 55b200c Partially synchronize Chromium-based profiles
  • 5e21195 Add back net none/netfilter as needed
  • b1c7c36 Fixes

📊 Changes

114 files changed (+640 additions, -424 deletions)


📝 etc/0ad.profile (+3 -0)
📝 etc/2048-qt.profile (+14 -11)
📝 etc/Thunar.profile (+2 -8)
📝 etc/Xephyr.profile (+0 -1)
📝 etc/Xvfb.profile (+0 -1)
📝 etc/akregator.profile (+14 -12)
📝 etc/atool.profile (+1 -2)
📝 etc/audacity.profile (+0 -1)
📝 etc/bitlbee.profile (+10 -0)
📝 etc/bleachbit.profile (+1 -1)
📝 etc/blender.profile (+7 -11)
📝 etc/bless.profile (+0 -1)
📝 etc/brasero.profile (+1 -1)
📝 etc/caja.profile (+1 -1)
📝 etc/cherrytree.profile (+11 -1)
📝 etc/clipit.profile (+11 -12)
📝 etc/cvlc.profile (+2 -0)
📝 etc/darktable.profile (+10 -9)
📝 etc/dia.profile (+10 -8)
📝 etc/digikam.profile (+3 -0)

...and 80 more files

📄 Description

  • Added 'disable-devel.conf' to many profiles
  • Added 'disable-mnt' to many profiles
  • Added 'noexec' to many profiles
  • Added 'memory-deny-write-execute' to some profiles
  • Removed 'netfilter' and 'net none' from profiles with 'protocol unix'
  • Cleaned up profiles using defaults
  • Partially synchronized Chromium-based profiles

Only somewhat tested. I've looked over it a few times, but would like some more eyes to go over it. Looking back I should've broken it up, but it got out of hand pretty quickly.

Commands used

```
List all profiles with incorrect .local: grep -l "default.local" *.profile
List all profiles with defaults: grep -l "depending on your usage" *.profile
List all 'disable-mnt' candidates: grep -L "disable-mnt" $(grep -l "whitelist-common" *.profile)
List all profiles with 'net none' and 'netfilter': grep -l netfilter $(grep -l "net none" *.profile)
List all profiles with 'disable-*.inc' but without 'disable-devel.inc': grep -L "disable-devel" $(grep -l "disable" *.profile)
List all profiles with 'net none' and 'protocol unix': grep -l "net none" $(grep -l "protocol unix" $(grep -L "protocol unix,inet" *.profile))
```

Also I'm not going to make a pull request just yet, but review on https://github.com/SpotComms/firejail/tree/pr/etc would be nice.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
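As an added example (not code from the PR or from the firejail project), the six audits from "Commands used" above rewritten as shell functions that can be pointed at any directory of `*.profile` files. Each audit is a pipeline of "files containing X" / "files not containing X" filters instead of nested `$(grep -l ...)` substitutions, so an inner match of zero files yields an empty result rather than an outer `grep` that silently waits on stdin. The three sample profiles created by `make_sample_profiles` are constructed for this example (the directives themselves, such as `disable-mnt`, `noexec ${HOME}` and `protocol unix,inet`, are real firejail profile options); `alpha.profile` is meant to trip every check, `beta.profile` none, and `gamma.profile` only the `net none` + `protocol unix` check.

```shell
#!/usr/bin/env bash
# Added example, not from the PR: the "Commands used" audits as reusable functions.
# Assumption: profiles are plain *.profile files in the directory passed as $1.
set -u

# Print every *.profile in directory $1, one path per line (empty if there are none).
list_profiles() {
    for f in "$1"/*.profile; do
        if [ -e "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# Filters over a list of paths on stdin: keep files that do / do not contain pattern $1.
# Written with if/then so each function exits 0 even when the last file did not match.
with()    { while IFS= read -r f; do if   grep -q -- "$1" "$f"; then printf '%s\n' "$f"; fi; done; }
without() { while IFS= read -r f; do if ! grep -q -- "$1" "$f"; then printf '%s\n' "$f"; fi; done; }

# The six audits from the PR description; $1 is the profile directory.
audit_wrong_local()     { list_profiles "$1" | with "default.local"; }              # stale default.local include
audit_defaults()        { list_profiles "$1" | with "depending on your usage"; }    # boilerplate comment left in
audit_disable_mnt()     { list_profiles "$1" | with "whitelist-common" | without "disable-mnt"; }
audit_net_none_filter() { list_profiles "$1" | with "net none" | with "netfilter"; } # netfilter is moot under net none
audit_disable_devel()   { list_profiles "$1" | with "disable" | without "disable-devel"; }
audit_unix_net_none()   { list_profiles "$1" | without "protocol unix,inet" | with "protocol unix" | with "net none"; }

# Constructed sample profiles (not real profiles from the repository).
make_sample_profiles() {
    mkdir -p "$1"
    # alpha: untouched profile that trips every audit.
    cat > "$1/alpha.profile" <<'EOF'
include /etc/firejail/default.local
# Change these settings depending on your usage
include /etc/firejail/disable-common.inc
include /etc/firejail/whitelist-common.inc
net none
netfilter
protocol unix
EOF
    # beta: hardened along the lines of this PR; trips nothing.
    cat > "$1/beta.profile" <<'EOF'
include /etc/firejail/beta.local
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/whitelist-common.inc
disable-mnt
noexec ${HOME}
netfilter
protocol unix,inet
EOF
    # gamma: partly hardened, but still pairs net none with protocol unix.
    cat > "$1/gamma.profile" <<'EOF'
include /etc/firejail/gamma.local
include /etc/firejail/disable-devel.inc
include /etc/firejail/whitelist-common.inc
disable-mnt
net none
protocol unix
EOF
}

# Print each audit's name followed by the files it flags in directory $1.
report() {
    for a in audit_wrong_local audit_defaults audit_disable_mnt \
             audit_net_none_filter audit_disable_devel audit_unix_net_none; do
        printf '%s:\n' "$a"
        "$a" "$1" | sed 's/^/  /'
    done
}

# Stand-alone run: build the samples in a temp dir, report, clean up.
tmp=$(mktemp -d)
make_sample_profiles "$tmp"
report "$tmp"
rm -rf "$tmp"
```

To audit a real profile tree, call the `audit_*` functions with the directory (for example `audit_unix_net_none /etc/firejail`); the patterns are the same loose substring matches the original one-liners used, so `with "disable"` also matches `disable-mnt`, exactly as `grep -l "disable"` did.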
