peek: hardening and private-bin improvements

The hardening (whitelisting profile) was tested to be working fine.
netblue30 · Feb 11, 2023 · a7a0bc4 · a7a0bc4
1 parent 358fce3
commit a7a0bc4
Showing 1 changed file with 14 additions and 6 deletions.
diff --git a/etc/profile-m-z/peek.profile b/etc/profile-m-z/peek.profile
@@ -1,4 +1,5 @@
 # Firejail profile for peek
+# Description: Simple screen recorder with an easy to use interface
 # This file is overwritten after every install/update
 # Persistent local customizations
 include peek.local
@@ -9,18 +10,24 @@ noblacklist ${HOME}/.cache/peek
 noblacklist ${PICTURES}
 noblacklist ${VIDEOS}
 
+# Allow python (blacklisted by disable-interpreters.inc)
+#include allow-python2.inc
+include allow-python3.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-#mkdir ${HOME}/.cache/peek
-#whitelist ${HOME}/.cache/peek
-#whitelist ${PICTURES}
-#whitelist ${VIDEOS}
-#include whitelist-common.inc
+mkdir ${HOME}/.cache/peek
+whitelist ${HOME}/.cache/peek
+whitelist ${DOWNLOADS}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -34,6 +41,7 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 nosound
 notv
@@ -45,7 +53,7 @@ seccomp.block-secondary
 tracelog
 
 disable-mnt
-private-bin bash,convert,ffmpeg,firejail,fish,peek,sh,which,zsh
+private-bin bash,convert,ffmpeg,firejail,fish,gst-*-1.0,orcc,peek,python3*,sh,which,zsh
 private-dev
 private-etc @x11,firejail
 private-tmp