harden makepkg.profile

author: glitsj16 <glitsj16@users.noreply.github.com> 2020-02-08 00:40:34 +0000
committer: GitHub <noreply@github.com> 2020-02-08 00:40:34 +0000
commit: a5870f43a0a7217fcadb090c07daa6dc03acab83 (patch)
tree: 33fb06de8eb30dac7448a6d113ce53c99e101116
parent: fix video play in liferea.profile (diff)
download: firejail-a5870f43a0a7217fcadb090c07daa6dc03acab83.tar.gz
firejail-a5870f43a0a7217fcadb090c07daa6dc03acab83.tar.zst
firejail-a5870f43a0a7217fcadb090c07daa6dc03acab83.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/etc/makepkg.profile b/etc/makepkg.profile
index 0120fc2cd..513fcae55 100644
--- a/etc/makepkg.profile
+++ b/etc/makepkg.profile
@@ -6,6 +6,9 @@ include makepkg.local
 # Persistent global definitions
 include globals.local
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 # Note: see this Arch forum discussion https://bbs.archlinux.org/viewtopic.php?pid=1743138
 # for potential issues and their solutions when Firejailing makepkg
@@ -33,6 +36,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 caps.drop all
+machine-id
 ipc-namespace
 netfilter
 no3d
@@ -42,13 +46,16 @@ nonewprivs
 # noroot is only disabled to allow the creation of kernel headers from an official PKGBUILD.
 #noroot
 nosound
+nou2f
 notv
 novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 disable-mnt
+private-cache
 private-tmp
 memory-deny-write-execute
author	glitsj16 <glitsj16@users.noreply.github.com>	2020-02-08 00:40:34 +0000
committer	GitHub <noreply@github.com>	2020-02-08 00:40:34 +0000
commit	a5870f43a0a7217fcadb090c07daa6dc03acab83 (patch)
tree	33fb06de8eb30dac7448a6d113ce53c99e101116
parent	fix video play in liferea.profile (diff)
download	firejail-a5870f43a0a7217fcadb090c07daa6dc03acab83.tar.gz firejail-a5870f43a0a7217fcadb090c07daa6dc03acab83.tar.zst firejail-a5870f43a0a7217fcadb090c07daa6dc03acab83.zip

diff --git a/etc/makepkg.profile b/etc/makepkg.profile index 0120fc2cd..513fcae55 100644 --- a/etc/makepkg.profile +++ b/etc/makepkg.profile
@@ -6,6 +6,9 @@ include makepkg.local
6	# Persistent global definitions	6	# Persistent global definitions
7	include globals.local	7	include globals.local
8		8
		9	blacklist /tmp/.X11-unix
		10	blacklist ${RUNUSER}/wayland-*
		11
9	# Note: see this Arch forum discussion https://bbs.archlinux.org/viewtopic.php?pid=1743138	12	# Note: see this Arch forum discussion https://bbs.archlinux.org/viewtopic.php?pid=1743138
10	# for potential issues and their solutions when Firejailing makepkg	13	# for potential issues and their solutions when Firejailing makepkg
11		14
@@ -33,6 +36,7 @@ include disable-passwdmgr.inc
33	include disable-programs.inc	36	include disable-programs.inc
34		37
35	caps.drop all	38	caps.drop all
		39	machine-id
36	ipc-namespace	40	ipc-namespace
37	netfilter	41	netfilter
38	no3d	42	no3d
@@ -42,13 +46,16 @@ nonewprivs
42	# noroot is only disabled to allow the creation of kernel headers from an official PKGBUILD.	46	# noroot is only disabled to allow the creation of kernel headers from an official PKGBUILD.
43	#noroot	47	#noroot
44	nosound	48	nosound
		49	nou2f
45	notv	50	notv
46	novideo	51	novideo
47	protocol unix,inet,inet6	52	protocol unix,inet,inet6
48	seccomp	53	seccomp
49	shell none	54	shell none
		55	tracelog
50		56
51	disable-mnt	57	disable-mnt
		58	private-cache
52	private-tmp	59	private-tmp
53		60
54	memory-deny-write-execute	61	memory-deny-write-execute