From 0e31d0203569604998d8b640901773b19ada2d98 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Tue, 23 Feb 2021 07:57:02 -0500
Subject: [PATCH] hardening ssh, tor
---
 etc/profile-m-z/ssh.profile | 1 +
 etc/profile-m-z/torbrowser-launcher.profile | 5 +++++
 2 files changed, 6 insertions(+)
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index 641c3a79d46..7bc731333a6 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -24,6 +24,7 @@ whitelist ${RUNUSER}/keyring/ssh
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
+apparmor
 caps.drop all
 ipc-namespace
 netfilter
diff --git a/etc/profile-m-z/torbrowser-launcher.profile b/etc/profile-m-z/torbrowser-launcher.profile
index 1045fa02aa4..8b1ed16459a 100644
--- a/etc/profile-m-z/torbrowser-launcher.profile
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -15,6 +15,9 @@ noblacklist ${HOME}/.local/share/torbrowser
 include allow-python2.inc
 include allow-python3.inc
+blacklist /opt
+blacklist /srv
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -30,6 +33,8 @@ whitelist ${HOME}/.local/share/torbrowser
 whitelist ${HOME}/.config/torbrowser
 whitelist ${HOME}/.local/share/torbrowser
 include whitelist-common.inc
 include whitelist-var-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 # Uncomment the line below or put 'apparmor' in your torbrowser-launcher.local.
 # IMPORTANT: the relevant rule in /etc/apparmor.d/local/firejail-default will need
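Review bot: The added `apparmor` line in ssh.profile turns AppArmor confinement on unconditionally and without a comment, while torbrowser-launcher.profile in this same patch keeps it opt-in and warns that a rule in /etc/apparmor.d/local/firejail-default has to be adjusted for it to work as expected. If firejail-default restricts execution from the home directory, as that warning suggests, ssh setups that run helpers stored under ${HOME} (a ProxyCommand script, for instance) may stop working once this lands, so that case is worth testing. I would put a comment above the line, e.g. `# confined by firejail-default; add 'ignore apparmor' to ssh.local if helpers under ${HOME} must run`. The profile continues outside the hunk, so an existing note elsewhere in the file cannot be ruled out.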
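Review bot: `blacklist /opt` and `blacklist /srv` in the first torbrowser-launcher.profile hunk carry no comment, and nothing tells a user whose browser bundle or a helper lives under /opt how to undo them. A one-line explanation keeps the hardening intent visible and gives an override path, for example `# Not needed by the launcher; add 'noblacklist /opt' to torbrowser-launcher.local if your setup uses it`. Presumably torbrowser-launcher.local is included before these lines so that a `noblacklist` there takes effect, but that include is outside the hunk and should be confirmed.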
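Review bot: Including whitelist-usr-share-common.inc makes /usr/share whitelist-only, yet the whitelist lines visible in this hunk cover only ${HOME}/.config/torbrowser and ${HOME}/.local/share/torbrowser. torbrowser-launcher normally keeps its own data, including the signing key it checks downloads against, under /usr/share/torbrowser-launcher, so unless the common include already lists that directory the launcher may lose access to it. I would add `whitelist /usr/share/torbrowser-launcher` before `include whitelist-common.inc` and confirm that a fresh download-and-verify run still succeeds inside the sandbox. The two new includes also sit after whitelist-var-common.inc, whereas ssh.profile lists usr-share before runuser; keeping the whitelist-*.inc lines in one order across profiles would make gaps like this easier to spot.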