
firejailed-tor-browser.profile enhancements

Open rusty-snake opened this issue 6 years ago • 0 comments

  • [x] harden seccomp.drop by using @default-nodebuggers instead of @default as base. (40be2b8b)
  • [x] improve private-bin (40be2b8b)
    private-bin bash,grep,sed,tail,env,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf,file,expr
    https://github.com/chiraag-nataraj/firejail-profiles/blob/master/tor-browser-en.profile
    https://github.com/nyancat18/fe/blob/master/tor-browser.profile
    https://github.com/netblue30/firejail/blob/master/etc/start-tor-browser.profile
  • [x] other improvements
    https://github.com/netblue30/firejail/blob/master/etc/firefox-common.profile
  • [x] improve private-etc
    https://github.com/chiraag-nataraj/firejail-profiles/blob/master/tor-browser-en.profile
    https://github.com/nyancat18/fe/blob/master/tor-browser.profile
    https://github.com/netblue30/firejail/blob/master/etc/start-tor-browser.profile
    https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template
    https://github.com/netblue30/firejail/blob/f15e7bac430a6762b936aa68e2bfa2374c2af863/etc/templates/profile.template
    firefox-common:
    alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
  • [x] prevent other firejailed applications from accessing ${HOME}/.tor-browser. (2b17cea)
    tor-browser.local:
    noblacklist ${HOME}/.tor-browser
    disable-programs.local:
    blacklist ${HOME}/.tor-browser
  • [x] minimize private-bin (6969aac)
  • [x] minimize private-etc (6969aac) ; 9b360a3 removed private-etc because /etc is now blacklisted
  • [x] use seccomp.block-secondary (6969aac)
  • [x] comment include whitelist-common.inc (6969aac)
  • [x] remove python ?? (6969aac)
  • [x] blacklist /usr/{srv, games, local} (6969aac)
  • [x] hostname host (9f458dba) reverted in (4296c458) re-enabled in 9b360a37
  • [x] use private (6969aac)
    • [x] fix tor-browser.desktop (6969aac)
  • [x] whitelist /usr/share/... (b841e16, 4fc1e856, 89272d3c)
  • [ ] Consider also: env LANG=en_US.UTF-8 env LC_ALL=en_US.UTF-8
  • [x] suggest net IFACE (a8891a7)
  • [x] ~seccomp.keep (~will have many breakages~) (with syscall-groups)~ overrides seccomp.drop
  • [ ] ~overlay-tmpfs (see #5, #14)~ disabled in firejail
  • [x] Harden seccomp with new groups from netblue30/firejail#2928 (33b0141)
  • [x] blacklist
    • [x] /run/… done by whitelisting in it (3540eebc)
    • [x] /var/…
    • [x] /proc/… (d60c68735)
    • [x] /sys…
    • [x] /usr/libexec (3540eebc)
    • [x] /etc (debafd32)
    • [x] /tmp (9b360a37)
  • [x] whitelist ${RUNUSER}, /var (31f4b3c)
  • [x] minimize whitelist-usr-share (9b360a37)
  • [x] minimize whitelist-var (we have blacklist /var)
  • [ ] what can be done with tmpfs as it is now allowed inside $HOME?
  • [x] read-only /tmp (03deae79) (remove in 9b360a37 because /tmp is blacklisted)
  • [x] read-only ${HOME} (03deae79)
  • [x] read-only ${RUNUSER} (9b360a37)
  • [x] Disable X11 :champagne: (76c4226b)
  • [x] disable-shell (543b23cb)
  • [x] seccomp-error-action kill (543b23cb)
  • [x] machine-id (9b360a37)
  • [x] private-lib (9b360a37) is still too experimental (72a6c0f)
  • [x] env GTK_THEME=Adwaita (d60c68735)
  • [ ] noprinters
  • [x] ~restrict-namespaces (at least user and mount namespace are required for firefox' sandbox)~ almost all are used
  • [x] drop private-lib
  • [x] drop shell none from git
  • [ ] oom
  • [ ] netlock guide?

rusty-snake, May 03 '19 10:05