From 634df969771b28b82f14d60a6c6c969fc829ae49 Mon Sep 17 00:00:00 2001 From: dma Date: Sun, 19 Jul 2015 01:01:11 -0400 Subject: [PATCH] Added default seccomp blacklist policies for each profile. --- profiles/gajim.json | 7 +++++++ profiles/icedove.json | 7 +++++++ profiles/iceweasel.json | 7 +++++++ profiles/libreoffice.json | 9 +++++++++ profiles/liferea.json | 7 +++++++ profiles/pidgin.json | 7 +++++++ profiles/pond.json | 7 +++++++ profiles/torbrowser-launcher.json | 7 +++++++ profiles/xchat.json | 7 +++++++ 9 files changed, 65 insertions(+) diff --git a/profiles/gajim.json b/profiles/gajim.json index b41e658..3e23b95 100644 --- a/profiles/gajim.json +++ b/profiles/gajim.json @@ -23,10 +23,17 @@ , {"path":"${HOME}/.cache/gajim"} , {"path":"${HOME}/.config/gajim"} , {"path":"${HOME}/.local/share/keyrings"} + , {"path":"/var/lib/oz/cells.d/gajim.json"} + , {"path":"/var/lib/oz/cells.d/generic-blacklist.seccomp"} ] , "blacklist": [ {"path":"/run/user/${UID}/keyring-*/ssh"} , {"path":"/run/user/${UID}/keyring-*/pkcs11"} , {"path":"/run/user/${UID}/keyring-*/gpg"} ] +, "seccomp": { + "mode":"blacklist" + , "enforce": true + , "seccomp_whitelist":"" + , "seccomp_blacklist":"/var/lib/oz/cells.d/generic-blacklist.seccomp"} } diff --git a/profiles/icedove.json b/profiles/icedove.json index b10cfd6..f997518 100644 --- a/profiles/icedove.json +++ b/profiles/icedove.json @@ -22,6 +22,8 @@ , {"path":"${HOME}/.config/gtk-3.0"} , {"path":"${HOME}/.config/gtk-2.0"} + , {"path":"/var/lib/oz/cells.d/icedove.json"} + , {"path":"/var/lib/oz/cells.d/generic-blacklist.seccomp"} ] , "_blacklist": [ ] @@ -30,4 +32,9 @@ , {"name":"GNOME_KEYRING_CONTROL"} , {"name":"GNOME_KEYRING_PID", "value":"1"} ] +, "seccomp": { + "mode":"blacklist" + , "enforce": true + , "seccomp_whitelist":"" + , "seccomp_blacklist":"/var/lib/oz/cells.d/generic-blacklist.seccomp"} } diff --git a/profiles/iceweasel.json b/profiles/iceweasel.json index d7181c1..29d3589 100644 --- a/profiles/iceweasel.json 
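Review bot: Every profile in this patch, gajim.json included, sets `seccomp_blacklist` to `/var/lib/oz/cells.d/generic-blacklist.seccomp` with `enforce: true`, but that policy file is not part of the commit (the diffstat lists only the nine profile JSON files), so the filter being switched on cannot be reviewed here and an install that lacks the file depends entirely on how the loader reacts. Whether a missing or unreadable policy fails closed (refuse to start the sandbox) or fails open (start with no filter) is not visible from the profile, and fail-open would silently remove the protection this commit adds. I would ship the policy in the same commit, or name the commit that provides it in the message, and confirm the fail-closed behaviour. Separately, the new whitelist entry for the policy file exposes the deny-list to the sandboxed process; presumably the filter is installed before the application is exec'd, in which case that entry is not needed for enforcement and could be dropped — worth confirming against the loader.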
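Review bot: In icedove.json the added `"mode":"blacklist"` block with an empty `seccomp_whitelist` is a deny-list filter, so any syscall the generic policy does not name — including ones added in newer kernels, and the compat/32-bit entry points if the policy does not pin the architecture — stays allowed; that is a reasonable default but it should not be mistaken for a tight allow-list when read later. The file already carries an underscore-prefixed `_blacklist` key that the loader apparently ignores, so the same convention can hold a one-line note: `, "_comment":"deny-list only: syscalls absent from generic-blacklist.seccomp are permitted"`. That assumes unknown keys are ignored rather than rejected, which the existing `_blacklist` suggests but the hunk does not prove.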
+++ b/profiles/iceweasel.json @@ -19,9 +19,16 @@ , {"path":"${HOME}/.config/gtk-3.0"} , {"path":"${HOME}/.config/gtk-2.0"} + , {"path":"/var/lib/oz/cells.d/iceweasel.json"} + , {"path":"/var/lib/oz/cells.d/generic-blacklist.seccomp"} ] , "blacklist": [ ] , "environment": [ ] +, "seccomp": { + "mode":"blacklist" + , "enforce": true + , "seccomp_whitelist":"" + , "seccomp_blacklist":"/var/lib/oz/cells.d/generic-blacklist.seccomp"} } diff --git a/profiles/libreoffice.json b/profiles/libreoffice.json index 22f5ef7..61d3c5d 100644 --- a/profiles/libreoffice.json +++ b/profiles/libreoffice.json @@ -26,4 +26,13 @@ , "networking":{ "type":"empty" } +, "whitelist": [ + {"path":"/var/lib/oz/cells.d/libreoffice.json"} + ,{"path":"/var/lib/oz/cells.d/generic-blacklist.seccomp"} +] +, "seccomp": { + "mode":"blacklist" + , "enforce": true + , "seccomp_whitelist":"" + , "seccomp_blacklist":"/var/lib/oz/cells.d/generic-blacklist.seccomp"} } diff --git a/profiles/liferea.json b/profiles/liferea.json index b783d66..ccd02c3 100644 --- a/profiles/liferea.json +++ b/profiles/liferea.json @@ -25,9 +25,16 @@ , {"path":"${HOME}/.config/dconf"} , {"path":"${HOME}/.cache/dconf"} , {"path":"/run/user/${UID}/dconf"} + , {"path":"/var/lib/oz/cells.d/liferea.json"} + , {"path":"/var/lib/oz/cells.d/generic-blacklist.json"} ] , "blacklist": [ ] , "_environment": [ ] +, "seccomp": { + "mode":"blacklist" + , "enforce": true + , "seccomp_whitelist":"" + , "seccomp_blacklist":"/var/lib/oz/cells.d/generic-blacklist.seccomp"} } diff --git a/profiles/pidgin.json b/profiles/pidgin.json index d2c5417..37c0ead 100644 --- a/profiles/pidgin.json +++ b/profiles/pidgin.json 
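Review bot: The libreoffice.json hunk appends a brand-new top-level `"whitelist"` array after `"networking"` at the end of the file; if the profile already has a `"whitelist"` earlier (lines above 26 are not in view, but every other profile in this patch has one), this introduces a duplicate key, and a last-wins JSON decoder would silently replace the original entries with just these two `/var/lib/oz/cells.d` paths while a strict decoder would reject the profile outright. Either outcome differs from what the commit intends, and the silent one would strip whatever document directories the profile previously exposed. Add the two paths to the existing array, as the other eight profiles do, instead of a second `"whitelist"` key, and run the profiles through a duplicate-key check before merging.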
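Review bot: liferea.json whitelists `/var/lib/oz/cells.d/generic-blacklist.json`, but the seccomp block a few lines below points `seccomp_blacklist` at `/var/lib/oz/cells.d/generic-blacklist.seccomp`, and every other profile in the patch whitelists the `.seccomp` file — this looks like a typo. If the whitelist is what makes the path visible inside the sandbox, the policy will be missing for liferea while `enforce` is `true`, and the effect then depends on whether the loader fails closed; at minimum the profile is internally inconsistent. Change the entry to `, {"path":"/var/lib/oz/cells.d/generic-blacklist.seccomp"}`.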
@@ -10,9 +10,16 @@ } , "whitelist": [ {"path":"${HOME}/.purple"} + ,{"path":"/var/lib/oz/cells.d/pidgin.json"} + ,{"path":"/var/lib/oz/cells.d/generic-blacklist.seccomp"} ] , "blacklist": [ ] , "environment": [ ] +, "seccomp": { + "mode":"blacklist" + , "enforce": true + , "seccomp_whitelist":"" + , "seccomp_blacklist":"/var/lib/oz/cells.d/generic-blacklist.seccomp"} } diff --git a/profiles/pond.json b/profiles/pond.json index 8be6548..bb1c957 100644 --- a/profiles/pond.json +++ b/profiles/pond.json @@ -16,6 +16,8 @@ , "whitelist": [ {"path":"${HOME}/.pond"} , {"path":"/opt/usr/share/gopkgs/pond"} + , {"path":"/var/lib/oz/cells.d/pond.json"} + , {"path":"/var/lib/oz/cells.d/generic-blacklist.seccomp"} ] , "blacklist": [ ] @@ -25,4 +27,9 @@ , {"name":"TOR_SOCKS_HOST"} , {"name":"TOR_SOCKS_PORT"} ] +, "seccomp": { + "mode":"blacklist" + , "enforce": true + , "seccomp_whitelist":"" + , "seccomp_blacklist":"/var/lib/oz/cells.d/generic-blacklist.seccomp"} } diff --git a/profiles/torbrowser-launcher.json b/profiles/torbrowser-launcher.json index 65d1550..5f62ac5 100644 --- a/profiles/torbrowser-launcher.json +++ b/profiles/torbrowser-launcher.json @@ -18,6 +18,8 @@ , {"path":"${HOME}/.cache/torbrowser"} , {"path":"${HOME}/.config/torbrowser"} , {"path":"${HOME}/Downloads/TorBrowser"} + , {"path":"/var/lib/oz/cells.d/torbrowser-launcher.json"} + , {"path":"/var/lib/oz/cells.d/generic-blacklist.seccomp"} ] , "blacklist": [ ] @@ -30,4 +32,9 @@ , {"name":"TOR_CONTROL_AUTHENTICATE"} , {"name":"TOR_CONTROL_COOKIE_AUTH_FILE"} ] +, "seccomp": { + "mode":"blacklist" + , "enforce": true + , "seccomp_whitelist":"" + , "seccomp_blacklist":"/var/lib/oz/cells.d/generic-blacklist.seccomp"} } diff --git a/profiles/xchat.json b/profiles/xchat.json index c69cce9..8c3c4db 100644 --- a/profiles/xchat.json +++ b/profiles/xchat.json 
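Review bot: torbrowser-launcher is a launcher, so the sandboxed process exec's a separate browser (and tor) at runtime; a seccomp filter installed before that exec is inherited across fork and execve and cannot be loosened by the child, so the generic blacklist in this hunk governs Tor Browser itself, not only the launcher. If the generic policy was exercised only against the launcher, the browser may reach a blocked syscall much later in its run (its own sandboxing or JIT may use calls the launcher never does), which under `enforce: true` becomes a kill rather than a log line. Recommend testing the full launch path (launcher, tor, browser, a download) under this profile and stating in the commit message that the filter covers the launched browser.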
@@ -17,7 +17,14 @@ , {"path":"${HOME}/.config/gtk-3.0"} , {"path":"${HOME}/.config/gtk-2.0"} + , {"path":"/var/lib/oz/cells.d/xchat.json"} + , {"path":"/var/lib/oz/cells.d/generic-blacklist.seccomp"} ] , "blacklist": [ ] +, "seccomp": { + "mode":"blacklist" + , "enforce": true + , "seccomp_whitelist":"" + , "seccomp_blacklist":"/var/lib/oz/cells.d/generic-blacklist.seccomp"} }
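Review bot: The xchat.json hunk whitelists the profile's own definition, `/var/lib/oz/cells.d/xchat.json`, and its seccomp policy into the sandbox without any read-only marker; none of the whitelist entries visible here carry one. If whitelisted paths are bind-mounted writable, a compromised process that can write those two files could relax its own sandbox for the next launch, which turns a contained compromise into persistence. Presumably `/var/lib/oz` is root-owned and the sandbox runs as an unprivileged user, which would hold the line, but the profile should not rely on that implicitly: if the whitelist syntax supports a read-only flag, set it on both entries; if not, note the ownership assumption in a comment-style key the loader ignores.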