Profile fixes and hardening

* cheese - fix: dbus-user.own org.gnome.Cheese - fix: whitelist /usr/share/gstreamer-1.0 - fix: include allow-python3.inc - hardening: include disable-shell.inc - hardening: include whitelist-run-common.inc and whitelist /run/udev/data - hardening: whitelist /usr/libexec/gstreamer-1.0/gst-plugin-scanner - hardening: noinput - hardening: nosound - hardening: seccomp.block-secondary - hardening: private-dev * geekbench (closes netblue30#4576) - fix: noblacklist /sbin and noblacklist /usr/sbin - fix: noblacklist, blacklist, mkdir, whitelist, read-write ${HOME}/.geekbench5 - fix: comment/remove private-bin, private-lib, private-opt * inkscape - add quiet for cli usage * musixmatch (netblue30#4518) - allow chroot * pandoc - fix: include allow-bin-sh.inc - fix: drop private-bin - hardening: include whitelist-runuser-common.inc - hardening: seccomp.block-secondary
rusty-snake · Sep 30, 2021 · f391291 · f391291
1 parent 6988a80
commit f391291
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 6 deletions.
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
@@ -496,6 +496,7 @@ blacklist ${HOME}/.frogatto
 blacklist ${HOME}/.frozen-bubble
 blacklist ${HOME}/.funnyboat
 blacklist ${HOME}/.gallery-dl.conf
+blacklist ${HOME}/.geekbench5
 blacklist ${HOME}/.gimp*
 blacklist ${HOME}/.gist
 blacklist ${HOME}/.gitconfig

diff --git a/etc/profile-a-l/cheese.profile b/etc/profile-a-l/cheese.profile
@@ -9,17 +9,24 @@ include globals.local
 noblacklist ${VIDEOS}
 noblacklist ${PICTURES}
 
+include allow-python3.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 whitelist ${VIDEOS}
 whitelist ${PICTURES}
+whitelist /run/udev/data
+whitelist /usr/libexec/gstreamer-1.0/gst-plugin-scanner
 whitelist /usr/share/gnome-video-effects
+whitelist /usr/share/gstreamer-1.0
 include whitelist-common.inc
+include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -30,21 +37,26 @@ machine-id
 net none
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
+nosound
 notv
 nou2f
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
 disable-mnt
 private-bin cheese
 private-cache
+private-dev
 private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0,ld.so.preload
 private-tmp
 
 dbus-user filter
+dbus-user.own org.gnome.Cheese
 dbus-user.talk ca.desrt.dconf
 dbus-system none
diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile
@@ -6,13 +6,19 @@ include geekbench.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.geekbench5
+noblacklist /sbin
+noblacklist /usr/sbin
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.geekbench5
+whitelist ${HOME}/.geekbench5
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -39,16 +45,14 @@ shell none
 tracelog
 
 disable-mnt
-private-bin bash,geekbenc*,sh
+#private-bin bash,geekbench*,sh -- #4576
 private-cache
 private-dev
 private-etc alternatives,group,ld.so.preload,lsb-release,passwd
-private-lib gcc/*/*/libstdc++.so.*
-private-opt none
 private-tmp
 
 dbus-user none
 dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
 read-only ${HOME}
+read-write ${HOME}/.geekbench5
diff --git a/etc/profile-a-l/inkscape.profile b/etc/profile-a-l/inkscape.profile
@@ -1,6 +1,7 @@
 # Firejail profile for inkscape
 # Description: Vector-based drawing program
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include inkscape.local
 # Persistent global definitions

diff --git a/etc/profile-m-z/musixmatch.profile b/etc/profile-m-z/musixmatch.profile
@@ -29,7 +29,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
 
 disable-mnt
 private-dev

diff --git a/etc/profile-m-z/pandoc.profile b/etc/profile-m-z/pandoc.profile
@@ -11,6 +11,8 @@ blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
 
+include allow-bin-sh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -19,6 +21,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 # breaks pdf output
 #include whitelist-var-common.inc
 
@@ -39,12 +42,12 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
 
 disable-mnt
-private-bin context,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf
 private-cache
 private-dev
 private-etc alternatives,ld.so.preload,texlive,texmf