authorjc_gargma <jc_gargma@iserlohn-fortress.net>2023-04-08 15:36:00 -0700
committerjc_gargma <jc_gargma@iserlohn-fortress.net>2023-04-08 15:36:00 -0700
commit76eccc893d8164ea384fee2d7bf82e3dcb245ae2 (patch)
tree07a51708838fb2e0f61714ba702ec779e0372233
parentshell none no longer exists. (diff)
downloadfirejail-profiles-76eccc893d8164ea384fee2d7bf82e3dcb245ae2.tar.xz
Add restrict-namespace wherever possible.
-Also commit the .inc files with shell none removed.
-rw-r--r--profiles/abook.profile1
-rw-r--r--profiles/antichamber.profile1
-rw-r--r--profiles/calcurse.profile1
-rw-r--r--profiles/digikam.local1
-rw-r--r--profiles/generic-game.inc2
-rw-r--r--profiles/generic-java-game.inc2
-rw-r--r--profiles/generic-wine-game.inc2
-rw-r--r--profiles/kmymoney.profile1
-rw-r--r--profiles/konqueror.profile1
-rw-r--r--profiles/kristall.profile1
-rw-r--r--profiles/lgogdownloader.profile1
-rw-r--r--profiles/monero-wallet-gui.profile1
-rw-r--r--profiles/poi.profile3
-rw-r--r--profiles/toxic.profile1
14 files changed, 16 insertions, 3 deletions
diff --git a/profiles/abook.profile b/profiles/abook.profile
index 9d3baa2..d2fb562 100644
--- a/profiles/abook.profile
+++ b/profiles/abook.profile
@@ -32,6 +32,7 @@ notv
nou2f
novideo
protocol unix
+restrict-namespaces
seccomp
tracelog
diff --git a/profiles/antichamber.profile b/profiles/antichamber.profile
index f6ee5eb..d2d387c 100644
--- a/profiles/antichamber.profile
+++ b/profiles/antichamber.profile
@@ -16,6 +16,7 @@ whitelist ${HOME}/.local/share/AlexanderBruce/Antichamber
# # Something to do with the game being 32 bit
#seccomp !name_to_handle_at
ignore seccomp
+ignore restrict-namespaces
ignore memory-deny-write-execute
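Review bot: The added `ignore restrict-namespaces` carries no explanation of its own; the comment above it ("Something to do with the game being 32 bit") was written for the seccomp line, so a reader cannot tell whether namespace restriction was tested and found to break the game or was dropped only by association. If the reason is the same, a comment such as `# restrict-namespaces is seccomp-based and fails the same way as seccomp for this 32-bit game` would record it. With seccomp, restrict-namespaces and memory-deny-write-execute all ignored, none of the syscall-level filtering visible in this hunk remains active, so it is worth confirming the ignore is needed rather than assumed. The rest of the profile is outside the hunk.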
diff --git a/profiles/calcurse.profile b/profiles/calcurse.profile
index 061e9b1..12aed0c 100644
--- a/profiles/calcurse.profile
+++ b/profiles/calcurse.profile
@@ -38,6 +38,7 @@ notv
nou2f
novideo
protocol unix
+restrict-namespaces
seccomp
tracelog
diff --git a/profiles/digikam.local b/profiles/digikam.local
index 1658d72..fed5ac5 100644
--- a/profiles/digikam.local
+++ b/profiles/digikam.local
@@ -8,5 +8,6 @@ protocol unix
# # due to syscall name_to_handle_at
ignore seccomp !chroot
seccomp !name_to_handle_at
+restrict-namespaces
private-dev
diff --git a/profiles/generic-game.inc b/profiles/generic-game.inc
index 554f910..df5b445 100644
--- a/profiles/generic-game.inc
+++ b/profiles/generic-game.inc
@@ -30,8 +30,8 @@ notv
nou2f
novideo
protocol unix
+restrict-namespaces
seccomp
-shell none
tracelog
disable-mnt
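Review bot: `restrict-namespaces` in this shared include now applies to every profile that includes it, and the include gives no hint on how a profile opts out. I would add a comment above the line, e.g. `# Games that must create namespaces: put 'ignore restrict-namespaces' before the include (see antichamber.profile)`, because firejail only honours an `ignore` that is read before the line it targets. The same applies to the identical hunk in generic-wine-game.inc. The file continues outside the hunk, so such a note may already exist elsewhere.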
diff --git a/profiles/generic-java-game.inc b/profiles/generic-java-game.inc
index b92ef76..0b7d281 100644
--- a/profiles/generic-java-game.inc
+++ b/profiles/generic-java-game.inc
@@ -3,7 +3,7 @@
include generic-java-game.local
# # # Examples for creating profiles
-# See slay-the-spire-profile
+# See slay-the-spire.profile
# See starsector.profile
# # Java games require the ? folder to store data
diff --git a/profiles/generic-wine-game.inc b/profiles/generic-wine-game.inc
index fe72355..b89997d 100644
--- a/profiles/generic-wine-game.inc
+++ b/profiles/generic-wine-game.inc
@@ -45,8 +45,8 @@ notv
nou2f
novideo
protocol unix
+restrict-namespaces
seccomp
-shell none
tracelog
disable-mnt
diff --git a/profiles/kmymoney.profile b/profiles/kmymoney.profile
index f41ca2a..a32c368 100644
--- a/profiles/kmymoney.profile
+++ b/profiles/kmymoney.profile
@@ -50,6 +50,7 @@ notv
nou2f
novideo
protocol unix
+restrict-namespaces
# # seccomp breaks integrated file manager on kde applications
# # due to syscall name_to_handle_at
seccomp !name_to_handle_at
diff --git a/profiles/konqueror.profile b/profiles/konqueror.profile
index 8f61675..48b76b8 100644
--- a/profiles/konqueror.profile
+++ b/profiles/konqueror.profile
@@ -55,6 +55,7 @@ noroot
notv
nou2f
protocol unix,inet,inet6,netlink
+restrict-namespaces
# # seccomp breaks integrated file manager on kde applications
# # due to syscall name_to_handle_at
seccomp !name_to_handle_at
diff --git a/profiles/kristall.profile b/profiles/kristall.profile
index 70bb8b0..e9bacb5 100644
--- a/profiles/kristall.profile
+++ b/profiles/kristall.profile
@@ -40,6 +40,7 @@ notv
nou2f
novideo
protocol unix,inet,inet6,netlink
+restrict-namespaces
seccomp !name_to_handle_at
tracelog
diff --git a/profiles/lgogdownloader.profile b/profiles/lgogdownloader.profile
index a473973..0ba9930 100644
--- a/profiles/lgogdownloader.profile
+++ b/profiles/lgogdownloader.profile
@@ -40,6 +40,7 @@ nosound
notv
novideo
protocol inet,inet6
+restrict-namespaces
seccomp
tracelog
diff --git a/profiles/monero-wallet-gui.profile b/profiles/monero-wallet-gui.profile
index 99be289..8b3b1e3 100644
--- a/profiles/monero-wallet-gui.profile
+++ b/profiles/monero-wallet-gui.profile
@@ -36,6 +36,7 @@ nosound
notv
nou2f
novideo
+restrict-namespaces
protocol unix,inet,inet6
seccomp
tracelog
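Review bot: `restrict-namespaces` is placed before `protocol unix,inet,inet6` here, while every other profile in this commit puts it after `protocol` and directly before `seccomp`. The resulting sandbox is presumably the same, but keeping one order (`protocol unix,inet,inet6` then `restrict-namespaces` then `seccomp`) makes the profiles easier to compare when auditing which hardening options each one carries.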
diff --git a/profiles/poi.profile b/profiles/poi.profile
index f9369dd..1835413 100644
--- a/profiles/poi.profile
+++ b/profiles/poi.profile
@@ -74,6 +74,9 @@ novideo
## protocol - Only allows sockets of the following types. Not supported on i386 architecture.
protocol unix,inet,inet6,netlink
+## restrict-namespaces - Install a seccomp filter that blocks attempts to create new cgroup, ipc, net, mount, pid, time, user or uts namespaces.
+restrict-namespaces
+
## seccomp - Blacklists a large swath of syscalls from being accessible.
# QtWebEngine require chroot syscall on AMD CPUS and/or ATI Graphics for some bizarre reason
seccomp !name_to_handle_at,!chroot
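Review bot: The context comment below the added line says QtWebEngine needs the chroot syscall, which suggests the embedded engine sets up its own sandbox, and that kind of sandbox commonly creates user, pid or net namespaces as well. With `restrict-namespaces` blocking every namespace type, the engine may fail to start or fall back to running without its internal sandbox, so poi's behaviour and logs should be checked after this change. If only some types turn out to be needed, the list form, e.g. `restrict-namespaces cgroup,ipc,mnt,time,uts`, keeps the others blocked, and a comment next to it should record why the exception exists.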
diff --git a/profiles/toxic.profile b/profiles/toxic.profile
index c0439bf..cda5522 100644
--- a/profiles/toxic.profile
+++ b/profiles/toxic.profile
@@ -38,6 +38,7 @@ notv
nou2f
novideo
protocol unix,inet,inet6
+restrict-namespaces
seccomp
tracelog