diff options
author | netblue30 <netblue30@protonmail.com> | 2023-04-06 10:40:37 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-04-06 10:40:37 -0400 |
commit | 92a7ad7ee973c109e4d37f1b54fa2e3e07640e33 (patch) | |
tree | b6f8f7b8325aac36554a5bfc9cebb17b31c59781 | |
parent | standardnotes-desktop: custom (cursor) theme support (#5768) (diff) | |
parent | profile.template: note to put read-only entries in dc (diff) | |
download | firejail-92a7ad7ee973c109e4d37f1b54fa2e3e07640e33.tar.gz firejail-92a7ad7ee973c109e4d37f1b54fa2e3e07640e33.tar.zst firejail-92a7ad7ee973c109e4d37f1b54fa2e3e07640e33.zip |
Merge pull request #5763 from kmk3/profiles-mv-readonly
profiles: move read-only config entries to disable-common.inc
24 files changed, 20 insertions, 29 deletions
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index 5f4233363..cf712a07e 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc | |||
@@ -69,6 +69,9 @@ blacklist ${HOME}/.xsessionrc | |||
69 | blacklist /etc/X11/Xsession.d | 69 | blacklist /etc/X11/Xsession.d |
70 | blacklist /etc/xdg/autostart | 70 | blacklist /etc/xdg/autostart |
71 | read-only ${HOME}/.Xauthority | 71 | read-only ${HOME}/.Xauthority |
72 | read-only ${HOME}/.config/awesome/autorun.sh | ||
73 | read-only ${HOME}/.config/openbox/autostart | ||
74 | read-only ${HOME}/.config/openbox/environment | ||
72 | 75 | ||
73 | # Session manager | 76 | # Session manager |
74 | # see #3358 | 77 | # see #3358 |
@@ -329,6 +332,7 @@ read-only ${HOME}/.ssh/config.d | |||
329 | # Initialization files that allow arbitrary command execution | 332 | # Initialization files that allow arbitrary command execution |
330 | read-only ${HOME}/.caffrc | 333 | read-only ${HOME}/.caffrc |
331 | read-only ${HOME}/.cargo/env | 334 | read-only ${HOME}/.cargo/env |
335 | read-only ${HOME}/.config/mpv | ||
332 | read-only ${HOME}/.config/nano | 336 | read-only ${HOME}/.config/nano |
333 | read-only ${HOME}/.config/nvim | 337 | read-only ${HOME}/.config/nvim |
334 | read-only ${HOME}/.config/pkcs11 | 338 | read-only ${HOME}/.config/pkcs11 |
@@ -337,6 +341,7 @@ read-only ${HOME}/.elinks | |||
337 | read-only ${HOME}/.emacs | 341 | read-only ${HOME}/.emacs |
338 | read-only ${HOME}/.emacs.d | 342 | read-only ${HOME}/.emacs.d |
339 | read-only ${HOME}/.exrc | 343 | read-only ${HOME}/.exrc |
344 | read-only ${HOME}/.gnupg/gpg.conf | ||
340 | read-only ${HOME}/.gvimrc | 345 | read-only ${HOME}/.gvimrc |
341 | read-only ${HOME}/.homesick | 346 | read-only ${HOME}/.homesick |
342 | read-only ${HOME}/.iscreenrc | 347 | read-only ${HOME}/.iscreenrc |
@@ -345,6 +350,7 @@ read-only ${HOME}/.local/share/cool-retro-term | |||
345 | read-only ${HOME}/.local/share/nvim | 350 | read-only ${HOME}/.local/share/nvim |
346 | read-only ${HOME}/.local/state/nvim | 351 | read-only ${HOME}/.local/state/nvim |
347 | read-only ${HOME}/.mailcap | 352 | read-only ${HOME}/.mailcap |
353 | read-only ${HOME}/.mozilla/firefox/profiles.ini | ||
348 | read-only ${HOME}/.msmtprc | 354 | read-only ${HOME}/.msmtprc |
349 | read-only ${HOME}/.mutt/muttrc | 355 | read-only ${HOME}/.mutt/muttrc |
350 | read-only ${HOME}/.muttrc | 356 | read-only ${HOME}/.muttrc |
@@ -366,6 +372,10 @@ read-only ${HOME}/_gvimrc | |||
366 | read-only ${HOME}/_vimrc | 372 | read-only ${HOME}/_vimrc |
367 | read-only ${HOME}/dotfiles | 373 | read-only ${HOME}/dotfiles |
368 | 374 | ||
375 | # System package managers and AUR helpers | ||
376 | blacklist ${HOME}/.config/cower | ||
377 | read-only ${HOME}/.config/cower/config | ||
378 | |||
369 | # Make directories commonly found in $PATH read-only | 379 | # Make directories commonly found in $PATH read-only |
370 | read-only ${HOME}/.bin | 380 | read-only ${HOME}/.bin |
371 | read-only ${HOME}/.cargo/bin | 381 | read-only ${HOME}/.cargo/bin |
@@ -391,6 +401,11 @@ read-only ${HOME}/.config/user-dirs.dirs | |||
391 | read-only ${HOME}/.config/user-dirs.locale | 401 | read-only ${HOME}/.config/user-dirs.locale |
392 | read-only ${HOME}/.local/share/mime | 402 | read-only ${HOME}/.local/share/mime |
393 | 403 | ||
404 | # Configuration files that do not allow arbitrary command execution but that | ||
405 | # are intended to be modified manually (in a text editor and/or by a program | ||
406 | # dedicated to managing them) | ||
407 | read-only ${HOME}/.config/MangoHud | ||
408 | |||
394 | # Write-protection for thumbnailer dir | 409 | # Write-protection for thumbnailer dir |
395 | read-only ${HOME}/.local/share/thumbnailers | 410 | read-only ${HOME}/.local/share/thumbnailers |
396 | 411 | ||
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index c7e2f2ca9..211111aaa 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
@@ -402,7 +402,6 @@ blacklist ${HOME}/.config/cmus | |||
402 | blacklist ${HOME}/.config/cointop | 402 | blacklist ${HOME}/.config/cointop |
403 | blacklist ${HOME}/.config/com.github.bleakgrey.tootle | 403 | blacklist ${HOME}/.config/com.github.bleakgrey.tootle |
404 | blacklist ${HOME}/.config/corebird | 404 | blacklist ${HOME}/.config/corebird |
405 | blacklist ${HOME}/.config/cower | ||
406 | blacklist ${HOME}/.config/coyim | 405 | blacklist ${HOME}/.config/coyim |
407 | blacklist ${HOME}/.config/d-feet | 406 | blacklist ${HOME}/.config/d-feet |
408 | blacklist ${HOME}/.config/darktable | 407 | blacklist ${HOME}/.config/darktable |
diff --git a/etc/inc/whitelist-common.inc b/etc/inc/whitelist-common.inc index c9f21b2dc..5d1e75319 100644 --- a/etc/inc/whitelist-common.inc +++ b/etc/inc/whitelist-common.inc | |||
@@ -10,16 +10,12 @@ whitelist ${HOME}/.asoundrc | |||
10 | whitelist ${HOME}/.config/ibus | 10 | whitelist ${HOME}/.config/ibus |
11 | whitelist ${HOME}/.config/mimeapps.list | 11 | whitelist ${HOME}/.config/mimeapps.list |
12 | whitelist ${HOME}/.config/pkcs11 | 12 | whitelist ${HOME}/.config/pkcs11 |
13 | read-only ${HOME}/.config/pkcs11 | ||
14 | whitelist ${HOME}/.config/user-dirs.dirs | 13 | whitelist ${HOME}/.config/user-dirs.dirs |
15 | read-only ${HOME}/.config/user-dirs.dirs | ||
16 | whitelist ${HOME}/.config/user-dirs.locale | 14 | whitelist ${HOME}/.config/user-dirs.locale |
17 | read-only ${HOME}/.config/user-dirs.locale | ||
18 | whitelist ${HOME}/.drirc | 15 | whitelist ${HOME}/.drirc |
19 | whitelist ${HOME}/.icons | 16 | whitelist ${HOME}/.icons |
20 | ?HAS_APPIMAGE: whitelist ${HOME}/.local/share/appimagekit | 17 | ?HAS_APPIMAGE: whitelist ${HOME}/.local/share/appimagekit |
21 | whitelist ${HOME}/.local/share/applications | 18 | whitelist ${HOME}/.local/share/applications |
22 | read-only ${HOME}/.local/share/applications | ||
23 | whitelist ${HOME}/.local/share/icons | 19 | whitelist ${HOME}/.local/share/icons |
24 | whitelist ${HOME}/.local/share/mime | 20 | whitelist ${HOME}/.local/share/mime |
25 | whitelist ${HOME}/.mime.types | 21 | whitelist ${HOME}/.mime.types |
diff --git a/etc/profile-a-l/ani-cli.profile b/etc/profile-a-l/ani-cli.profile index 231b5bca0..f05653719 100644 --- a/etc/profile-a-l/ani-cli.profile +++ b/etc/profile-a-l/ani-cli.profile | |||
@@ -35,7 +35,5 @@ private-bin ani-cli,aria2c,cat,cp,curl,cut,ffmpeg,fzf,grep,head,mkdir,mv,nl,nohu | |||
35 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg | 35 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg |
36 | private-tmp | 36 | private-tmp |
37 | 37 | ||
38 | read-only ${HOME}/.config/mpv | ||
39 | |||
40 | # Redirect | 38 | # Redirect |
41 | include mpv.profile | 39 | include mpv.profile |
diff --git a/etc/profile-a-l/awesome.profile b/etc/profile-a-l/awesome.profile index d8c073c8d..910dd8a91 100644 --- a/etc/profile-a-l/awesome.profile +++ b/etc/profile-a-l/awesome.profile | |||
@@ -16,5 +16,4 @@ noroot | |||
16 | protocol unix,inet,inet6 | 16 | protocol unix,inet,inet6 |
17 | seccomp !chroot | 17 | seccomp !chroot |
18 | 18 | ||
19 | read-only ${HOME}/.config/awesome/autorun.sh | ||
20 | #restrict-namespaces | 19 | #restrict-namespaces |
diff --git a/etc/profile-a-l/cower.profile b/etc/profile-a-l/cower.profile index e896f3537..9b05b4416 100644 --- a/etc/profile-a-l/cower.profile +++ b/etc/profile-a-l/cower.profile | |||
@@ -45,5 +45,4 @@ private-dev | |||
45 | private-tmp | 45 | private-tmp |
46 | 46 | ||
47 | memory-deny-write-execute | 47 | memory-deny-write-execute |
48 | read-only ${HOME}/.config/cower/config | ||
49 | restrict-namespaces | 48 | restrict-namespaces |
diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile index 9f4fabd68..766fe523b 100644 --- a/etc/profile-a-l/electron-mail.profile +++ b/etc/profile-a-l/electron-mail.profile | |||
@@ -24,7 +24,6 @@ whitelist ${HOME}/.config/electron-mail | |||
24 | # there isn't a Firefox instance running with the default profile; see #5352) | 24 | # there isn't a Firefox instance running with the default profile; see #5352) |
25 | noblacklist ${HOME}/.mozilla | 25 | noblacklist ${HOME}/.mozilla |
26 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | 26 | whitelist ${HOME}/.mozilla/firefox/profiles.ini |
27 | read-only ${HOME}/.mozilla/firefox/profiles.ini | ||
28 | 27 | ||
29 | machine-id | 28 | machine-id |
30 | nosound | 29 | nosound |
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile index 0a44a62a3..7d5c859e9 100644 --- a/etc/profile-a-l/email-common.profile +++ b/etc/profile-a-l/email-common.profile | |||
@@ -85,6 +85,5 @@ dbus-user.talk org.gnome.seahorse.* | |||
85 | dbus-user.talk org.mozilla.* | 85 | dbus-user.talk org.mozilla.* |
86 | dbus-system none | 86 | dbus-system none |
87 | 87 | ||
88 | read-only ${HOME}/.mozilla/firefox/profiles.ini | ||
89 | read-only ${HOME}/.signature | 88 | read-only ${HOME}/.signature |
90 | restrict-namespaces | 89 | restrict-namespaces |
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile index 0e1d30958..42d59157c 100644 --- a/etc/profile-a-l/firefox.profile +++ b/etc/profile-a-l/firefox.profile | |||
@@ -14,6 +14,9 @@ include globals.local | |||
14 | # https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox | 14 | # https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox |
15 | # https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968 | 15 | # https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968 |
16 | 16 | ||
17 | # (Ignore entry from disable-common.inc) | ||
18 | ignore read-only ${HOME}/.mozilla/firefox/profiles.ini | ||
19 | |||
17 | noblacklist ${HOME}/.cache/mozilla | 20 | noblacklist ${HOME}/.cache/mozilla |
18 | noblacklist ${HOME}/.mozilla | 21 | noblacklist ${HOME}/.mozilla |
19 | noblacklist ${RUNUSER}/*firefox* | 22 | noblacklist ${RUNUSER}/*firefox* |
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile index a19a20ba7..ba0837780 100644 --- a/etc/profile-a-l/geary.profile +++ b/etc/profile-a-l/geary.profile | |||
@@ -91,5 +91,4 @@ dbus-user.talk org.gnome.evolution.dataserver.Sources5 | |||
91 | dbus-user.talk org.mozilla.* | 91 | dbus-user.talk org.mozilla.* |
92 | dbus-system none | 92 | dbus-system none |
93 | 93 | ||
94 | read-only ${HOME}/.mozilla/firefox/profiles.ini | ||
95 | restrict-namespaces | 94 | restrict-namespaces |
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile index 5183a9327..5cf30ed40 100644 --- a/etc/profile-a-l/kube.profile +++ b/etc/profile-a-l/kube.profile | |||
@@ -77,5 +77,4 @@ dbus-user.talk org.freedesktop.secrets | |||
77 | dbus-user.talk org.freedesktop.Notifications | 77 | dbus-user.talk org.freedesktop.Notifications |
78 | dbus-system none | 78 | dbus-system none |
79 | 79 | ||
80 | read-only ${HOME}/.mozilla/firefox/profiles.ini | ||
81 | restrict-namespaces | 80 | restrict-namespaces |
diff --git a/etc/profile-a-l/linuxqq.profile b/etc/profile-a-l/linuxqq.profile index 9157d910b..6ca8b8103 100644 --- a/etc/profile-a-l/linuxqq.profile +++ b/etc/profile-a-l/linuxqq.profile | |||
@@ -37,7 +37,5 @@ dbus-user.talk org.gnome.Mutter.IdleMonitor | |||
37 | dbus-user.talk org.mozilla.* | 37 | dbus-user.talk org.mozilla.* |
38 | ignore dbus-user none | 38 | ignore dbus-user none |
39 | 39 | ||
40 | read-only ${HOME}/.mozilla/firefox/profiles.ini | ||
41 | |||
42 | # Redirect | 40 | # Redirect |
43 | include electron-common.profile | 41 | include electron-common.profile |
diff --git a/etc/profile-a-l/lobster.profile b/etc/profile-a-l/lobster.profile index 01928c775..2b0fc5275 100644 --- a/etc/profile-a-l/lobster.profile +++ b/etc/profile-a-l/lobster.profile | |||
@@ -35,7 +35,5 @@ private-bin curl,cut,fzf,grep,head,lobster,mv,patch,rm,sed,sh,tail,tput,tr,uname | |||
35 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg | 35 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg |
36 | private-tmp | 36 | private-tmp |
37 | 37 | ||
38 | read-only ${HOME}/.config/mpv | ||
39 | |||
40 | # Redirect | 38 | # Redirect |
41 | include mpv.profile | 39 | include mpv.profile |
diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile index e9d245a6d..266d00395 100644 --- a/etc/profile-m-z/makepkg.profile +++ b/etc/profile-m-z/makepkg.profile | |||
@@ -19,7 +19,6 @@ blacklist ${RUNUSER}/wayland-* | |||
19 | 19 | ||
20 | # Enable severely restricted access to ${HOME}/.gnupg | 20 | # Enable severely restricted access to ${HOME}/.gnupg |
21 | noblacklist ${HOME}/.gnupg | 21 | noblacklist ${HOME}/.gnupg |
22 | read-only ${HOME}/.gnupg/gpg.conf | ||
23 | read-only ${HOME}/.gnupg/trustdb.gpg | 22 | read-only ${HOME}/.gnupg/trustdb.gpg |
24 | read-only ${HOME}/.gnupg/pubring.kbx | 23 | read-only ${HOME}/.gnupg/pubring.kbx |
25 | blacklist ${HOME}/.gnupg/random_seed | 24 | blacklist ${HOME}/.gnupg/random_seed |
diff --git a/etc/profile-m-z/mov-cli.profile b/etc/profile-m-z/mov-cli.profile index 8ad94b949..74d630e24 100644 --- a/etc/profile-m-z/mov-cli.profile +++ b/etc/profile-m-z/mov-cli.profile | |||
@@ -25,7 +25,5 @@ private-bin ffmpeg,fzf,mov-cli | |||
25 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg | 25 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg |
26 | private-tmp | 26 | private-tmp |
27 | 27 | ||
28 | read-only ${HOME}/.config/mpv | ||
29 | |||
30 | # Redirect | 28 | # Redirect |
31 | include mpv.profile | 29 | include mpv.profile |
diff --git a/etc/profile-m-z/openbox.profile b/etc/profile-m-z/openbox.profile index 2da867dec..9b566a42b 100644 --- a/etc/profile-m-z/openbox.profile +++ b/etc/profile-m-z/openbox.profile | |||
@@ -16,6 +16,4 @@ noroot | |||
16 | protocol unix,inet,inet6 | 16 | protocol unix,inet,inet6 |
17 | seccomp !chroot | 17 | seccomp !chroot |
18 | 18 | ||
19 | read-only ${HOME}/.config/openbox/autostart | ||
20 | read-only ${HOME}/.config/openbox/environment | ||
21 | #restrict-namespaces | 19 | #restrict-namespaces |
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile index a26b41524..3e1899ef3 100644 --- a/etc/profile-m-z/signal-desktop.profile +++ b/etc/profile-m-z/signal-desktop.profile | |||
@@ -14,7 +14,6 @@ noblacklist ${HOME}/.config/Signal | |||
14 | # These lines are needed to allow Firefox to open links | 14 | # These lines are needed to allow Firefox to open links |
15 | noblacklist ${HOME}/.mozilla | 15 | noblacklist ${HOME}/.mozilla |
16 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | 16 | whitelist ${HOME}/.mozilla/firefox/profiles.ini |
17 | read-only ${HOME}/.mozilla/firefox/profiles.ini | ||
18 | 17 | ||
19 | mkdir ${HOME}/.config/Signal | 18 | mkdir ${HOME}/.config/Signal |
20 | whitelist ${HOME}/.config/Signal | 19 | whitelist ${HOME}/.config/Signal |
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile index a5b4d5d87..63d629a32 100644 --- a/etc/profile-m-z/steam.profile +++ b/etc/profile-m-z/steam.profile | |||
@@ -181,5 +181,4 @@ private-tmp | |||
181 | #dbus-user none | 181 | #dbus-user none |
182 | #dbus-system none | 182 | #dbus-system none |
183 | 183 | ||
184 | read-only ${HOME}/.config/MangoHud | ||
185 | #restrict-namespaces | 184 | #restrict-namespaces |
diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile index 1ac80bc9a..5df207e25 100644 --- a/etc/profile-m-z/thunderbird.profile +++ b/etc/profile-m-z/thunderbird.profile | |||
@@ -24,7 +24,6 @@ writable-run-user | |||
24 | # These lines are needed to allow Firefox to load your profile when clicking a link in an email | 24 | # These lines are needed to allow Firefox to load your profile when clicking a link in an email |
25 | noblacklist ${HOME}/.mozilla | 25 | noblacklist ${HOME}/.mozilla |
26 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | 26 | whitelist ${HOME}/.mozilla/firefox/profiles.ini |
27 | read-only ${HOME}/.mozilla/firefox/profiles.ini | ||
28 | 27 | ||
29 | noblacklist ${HOME}/.cache/thunderbird | 28 | noblacklist ${HOME}/.cache/thunderbird |
30 | noblacklist ${HOME}/.gnupg | 29 | noblacklist ${HOME}/.gnupg |
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile index 378c8a1b7..ba68ccb53 100644 --- a/etc/profile-m-z/trojita.profile +++ b/etc/profile-m-z/trojita.profile | |||
@@ -60,5 +60,4 @@ dbus-user filter | |||
60 | dbus-user.talk org.freedesktop.secrets | 60 | dbus-user.talk org.freedesktop.secrets |
61 | dbus-system none | 61 | dbus-system none |
62 | 62 | ||
63 | read-only ${HOME}/.mozilla/firefox/profiles.ini | ||
64 | restrict-namespaces | 63 | restrict-namespaces |
diff --git a/etc/profile-m-z/tutanota-desktop.profile b/etc/profile-m-z/tutanota-desktop.profile index 4793e9dbb..55e4a4392 100644 --- a/etc/profile-m-z/tutanota-desktop.profile +++ b/etc/profile-m-z/tutanota-desktop.profile | |||
@@ -28,7 +28,6 @@ whitelist ${HOME}/.config/tutanota-desktop | |||
28 | # there isn't a Firefox instance running with the default profile; see #5352) | 28 | # there isn't a Firefox instance running with the default profile; see #5352) |
29 | noblacklist ${HOME}/.mozilla | 29 | noblacklist ${HOME}/.mozilla |
30 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | 30 | whitelist ${HOME}/.mozilla/firefox/profiles.ini |
31 | read-only ${HOME}/.mozilla/firefox/profiles.ini | ||
32 | 31 | ||
33 | machine-id | 32 | machine-id |
34 | nosound | 33 | nosound |
diff --git a/etc/profile-m-z/youtube-viewers-common.profile b/etc/profile-m-z/youtube-viewers-common.profile index 9ef90eb92..d2b73ec4c 100644 --- a/etc/profile-m-z/youtube-viewers-common.profile +++ b/etc/profile-m-z/youtube-viewers-common.profile | |||
@@ -24,7 +24,6 @@ include allow-python3.inc | |||
24 | # there isn't a Firefox instance running with the default profile; see #5352) | 24 | # there isn't a Firefox instance running with the default profile; see #5352) |
25 | noblacklist ${HOME}/.mozilla | 25 | noblacklist ${HOME}/.mozilla |
26 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | 26 | whitelist ${HOME}/.mozilla/firefox/profiles.ini |
27 | read-only ${HOME}/.mozilla/firefox/profiles.ini | ||
28 | 27 | ||
29 | include disable-common.inc | 28 | include disable-common.inc |
30 | include disable-devel.inc | 29 | include disable-devel.inc |
diff --git a/etc/profile-m-z/zeal.profile b/etc/profile-m-z/zeal.profile index caf9eab63..09a1d37a3 100644 --- a/etc/profile-m-z/zeal.profile +++ b/etc/profile-m-z/zeal.profile | |||
@@ -23,7 +23,6 @@ include disable-xdg.inc | |||
23 | # This also requires dbus-user filtering (see below). | 23 | # This also requires dbus-user filtering (see below). |
24 | noblacklist ${HOME}/.mozilla | 24 | noblacklist ${HOME}/.mozilla |
25 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | 25 | whitelist ${HOME}/.mozilla/firefox/profiles.ini |
26 | read-only ${HOME}/.mozilla/firefox/profiles.ini | ||
27 | 26 | ||
28 | mkdir ${HOME}/.cache/Zeal | 27 | mkdir ${HOME}/.cache/Zeal |
29 | mkdir ${HOME}/.config/Zeal | 28 | mkdir ${HOME}/.config/Zeal |
diff --git a/etc/templates/profile.template b/etc/templates/profile.template index fd328f36c..b88566f54 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template | |||
@@ -221,6 +221,8 @@ include globals.local | |||
221 | #dbus-user.talk org.freedesktop.Notifications | 221 | #dbus-user.talk org.freedesktop.Notifications |
222 | #dbus-system none | 222 | #dbus-system none |
223 | 223 | ||
224 | # Note: read-only entries should usually go in disable-common.inc (especially | ||
225 | # entries for configuration files that allow arbitrary command execution). | ||
224 | ##deterministic-shutdown | 226 | ##deterministic-shutdown |
225 | ##env VAR=VALUE | 227 | ##env VAR=VALUE |
226 | ##join-or-start NAME | 228 | ##join-or-start NAME |