Added default seccomp blacklist policies for each profile.

9 years ago · 634df96977
parent 1b05e93908
commit 634df96977
9 changed files with 65 additions and 0 deletions
--- a/profiles/gajim.json
+++ b/profiles/gajim.json
@ -23,10 +23,17 @@
 	, {"path":"${HOME}/.cache/gajim"}
 	, {"path":"${HOME}/.config/gajim"}
 	, {"path":"${HOME}/.local/share/keyrings"}
+	, {"path":"/var/lib/oz/cells.d/gajim.json"}
+	, {"path":"/var/lib/oz/cells.d/generic-blacklist.seccomp"}
 ]
 , "blacklist": [
 	{"path":"/run/user/${UID}/keyring-*/ssh"}
 	, {"path":"/run/user/${UID}/keyring-*/pkcs11"}
 	, {"path":"/run/user/${UID}/keyring-*/gpg"}
 ]
+, "seccomp": {
+        "mode":"blacklist"
+        , "enforce": true
+        , "seccomp_whitelist":""
+        , "seccomp_blacklist":"/var/lib/oz/cells.d/generic-blacklist.seccomp"}
 }
--- a/profiles/icedove.json
+++ b/profiles/icedove.json
@ -22,6 +22,8 @@

 	, {"path":"${HOME}/.config/gtk-3.0"}
 	, {"path":"${HOME}/.config/gtk-2.0"}
+	, {"path":"/var/lib/oz/cells.d/icedove.json"}
+	, {"path":"/var/lib/oz/cells.d/generic-blacklist.seccomp"}
 ]
 , "_blacklist": [
 ]
@ -30,4 +32,9 @@
 	, {"name":"GNOME_KEYRING_CONTROL"}
 	, {"name":"GNOME_KEYRING_PID", "value":"1"}
 ]
+, "seccomp": {
+        "mode":"blacklist"
+        , "enforce": true
+        , "seccomp_whitelist":""
+        , "seccomp_blacklist":"/var/lib/oz/cells.d/generic-blacklist.seccomp"}
 }
--- a/profiles/iceweasel.json
+++ b/profiles/iceweasel.json
@ -19,9 +19,16 @@

 	, {"path":"${HOME}/.config/gtk-3.0"}
 	, {"path":"${HOME}/.config/gtk-2.0"}
+	, {"path":"/var/lib/oz/cells.d/iceweasel.json"}
+	, {"path":"/var/lib/oz/cells.d/generic-blacklist.seccomp"}
 ]
 , "blacklist": [
 ]
 , "environment": [
 ]
+, "seccomp": {
+        "mode":"blacklist"
+        , "enforce": true
+        , "seccomp_whitelist":""
+        , "seccomp_blacklist":"/var/lib/oz/cells.d/generic-blacklist.seccomp"}
 }
--- a/profiles/libreoffice.json
+++ b/profiles/libreoffice.json
@ -26,4 +26,13 @@
 , "networking":{
 	"type":"empty"
 }
+, "whitelist": [
+	        {"path":"/var/lib/oz/cells.d/libreoffice.json"}
+		,{"path":"/var/lib/oz/cells.d/generic-blacklist.seccomp"}
+]
+, "seccomp": {
+        "mode":"blacklist"
+        , "enforce": true
+        , "seccomp_whitelist":""
+        , "seccomp_blacklist":"/var/lib/oz/cells.d/generic-blacklist.seccomp"}
 }
--- a/profiles/liferea.json
+++ b/profiles/liferea.json
@ -25,9 +25,16 @@
 	, {"path":"${HOME}/.config/dconf"}
 	, {"path":"${HOME}/.cache/dconf"}
 	, {"path":"/run/user/${UID}/dconf"}
+	, {"path":"/var/lib/oz/cells.d/liferea.json"}
+	, {"path":"/var/lib/oz/cells.d/generic-blacklist.json"}
 ]
 , "blacklist": [
 ]
 , "_environment": [
 ]
+, "seccomp": {
+        "mode":"blacklist"
+        , "enforce": true
+        , "seccomp_whitelist":""
+        , "seccomp_blacklist":"/var/lib/oz/cells.d/generic-blacklist.seccomp"}
 }
--- a/profiles/pidgin.json
+++ b/profiles/pidgin.json
@ -10,9 +10,16 @@
 }
 , "whitelist": [
 	{"path":"${HOME}/.purple"}
+	,{"path":"/var/lib/oz/cells.d/pidgin.json"}
+	,{"path":"/var/lib/oz/cells.d/generic-blacklist.seccomp"}
 ]
 , "blacklist": [
 ]
 , "environment": [
 ]
+, "seccomp": {
+        "mode":"blacklist"
+        , "enforce": true
+        , "seccomp_whitelist":""
+        , "seccomp_blacklist":"/var/lib/oz/cells.d/generic-blacklist.seccomp"}
 }
--- a/profiles/pond.json
+++ b/profiles/pond.json
@ -16,6 +16,8 @@
 , "whitelist": [
 	{"path":"${HOME}/.pond"}
 	, {"path":"/opt/usr/share/gopkgs/pond"}
+	, {"path":"/var/lib/oz/cells.d/pond.json"}
+	, {"path":"/var/lib/oz/cells.d/generic-blacklist.seccomp"}
 ]
 , "blacklist": [
 ]
@ -25,4 +27,9 @@
 	, {"name":"TOR_SOCKS_HOST"}
 	, {"name":"TOR_SOCKS_PORT"}
 ]
+, "seccomp": {
+        "mode":"blacklist"
+        , "enforce": true
+        , "seccomp_whitelist":""
+        , "seccomp_blacklist":"/var/lib/oz/cells.d/generic-blacklist.seccomp"}
 }
--- a/profiles/torbrowser-launcher.json
+++ b/profiles/torbrowser-launcher.json
@ -18,6 +18,8 @@
 	, {"path":"${HOME}/.cache/torbrowser"}
 	, {"path":"${HOME}/.config/torbrowser"}
 	, {"path":"${HOME}/Downloads/TorBrowser"}
+	, {"path":"/var/lib/oz/cells.d/torbrowser-launcher.json"}
+	, {"path":"/var/lib/oz/cells.d/generic-blacklist.seccomp"}
 ]
 , "blacklist": [
 ]
@ -30,4 +32,9 @@
 	, {"name":"TOR_CONTROL_AUTHENTICATE"}
 	, {"name":"TOR_CONTROL_COOKIE_AUTH_FILE"}
 ]
+, "seccomp": {
+        "mode":"blacklist"
+        , "enforce": true
+        , "seccomp_whitelist":""
+        , "seccomp_blacklist":"/var/lib/oz/cells.d/generic-blacklist.seccomp"}
 }
--- a/profiles/xchat.json
+++ b/profiles/xchat.json
@ -17,7 +17,14 @@

 	, {"path":"${HOME}/.config/gtk-3.0"}
 	, {"path":"${HOME}/.config/gtk-2.0"}
+	, {"path":"/var/lib/oz/cells.d/xchat.json"}
+	, {"path":"/var/lib/oz/cells.d/generic-blacklist.seccomp"}
 ]
 , "blacklist": [
 ]
+, "seccomp": {
+        "mode":"blacklist"
+        , "enforce": true
+        , "seccomp_whitelist":""
+        , "seccomp_blacklist":"/var/lib/oz/cells.d/generic-blacklist.seccomp"}
 }