author | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2020-08-09 20:17:00 +0200 |
---|---|---|
committer | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2020-08-09 20:17:00 +0200 |
commit | 9858975f9c0cd12c2daf2d0c2d08ec6a82d3f4f9 (patch) | |
tree | 6a4f9afb1b23ea4f70f049ce6727e569dc7df768 | |
parent | profile fixes (2) (diff) | |
profile fixes (3)
-rw-r--r-- | etc/allow-common-devel.inc | 16 | ||||
-rw-r--r-- | etc/allow-java.inc | 7 | ||||
-rw-r--r-- | etc/allow-lua.inc | 4 | ||||
-rw-r--r-- | etc/allow-perl.inc | 6 | ||||
-rw-r--r-- | etc/allow-php.inc | 7 | ||||
-rw-r--r-- | etc/allow-python2.inc | 4 | ||||
-rw-r--r-- | etc/allow-python3.inc | 4 | ||||
-rw-r--r-- | etc/allow-ruby.inc | 4 | ||||
-rw-r--r-- | etc/aria2c.profile | 3 | ||||
-rw-r--r-- | etc/baobab.profile | 2 | ||||
-rw-r--r-- | etc/beaker.profile | 1 | ||||
-rw-r--r-- | etc/chromium-common.profile | 2 | ||||
-rw-r--r-- | etc/disable-programs.inc | 1 | ||||
-rw-r--r-- | etc/ephemeral.profile | 2 | ||||
-rw-r--r-- | etc/ffmpeg.profile | 2 | ||||
-rw-r--r-- | etc/firefox-common.profile | 4 | ||||
-rw-r--r-- | etc/i2prouter.profile | 18 | ||||
-rw-r--r-- | etc/keepass.profile | 2 | ||||
-rw-r--r-- | etc/standardnotes-desktop.profile | 2 | ||||
-rw-r--r-- | etc/start-tor-browser.profile | 2 | ||||
-rw-r--r-- | etc/torbrowser-launcher.profile | 2 | ||||
-rw-r--r-- | etc/udiskie.profile | 2 | ||||
-rw-r--r-- | etc/wire-desktop.profile | 6 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 1 |
24 files changed, 68 insertions, 36 deletions
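--- a/etc/allow-common-devel.inc
+++ b/etc/allow-common-devel.inc
@@ -1,17 +1,21 @@
-# Rust
-noblacklist ${HOME}/.cargo/config
-noblacklist ${HOME}/.cargo/registry
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-common-devel.local
 
 # Git
 noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 
+# Java
+noblacklist ${HOME}/.gradle
+noblacklist ${HOME}/.java
+
 # Python
 noblacklist ${HOME}/.python-history
 noblacklist ${HOME}/.python_history
 noblacklist ${HOME}/.pythonhist
 
-# Java
-noblacklist ${HOME}/.gradle
-noblacklist ${HOME}/.java
+# Rust
+noblacklist ${HOME}/.cargo/config
+noblacklist ${HOME}/.cargo/registry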
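--- a/etc/allow-java.inc
+++ b/etc/allow-java.inc
@@ -1,6 +1,9 @@
-noblacklist ${HOME}/.java
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-java.local
 
+noblacklist ${HOME}/.java
 noblacklist ${PATH}/java
-noblacklist /usr/lib/java
 noblacklist /etc/java
+noblacklist /usr/lib/java
 noblacklist /usr/share/java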
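--- a/etc/allow-lua.inc
+++ b/etc/allow-lua.inc
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-lua.local
+
 noblacklist ${PATH}/lua*
 noblacklist /usr/include/lua*
 noblacklist /usr/lib/lua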
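--- a/etc/allow-perl.inc
+++ b/etc/allow-perl.inc
@@ -1,5 +1,9 @@
-noblacklist ${PATH}/cpan*
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-perl.local
+
 noblacklist ${PATH}/core_perl
+noblacklist ${PATH}/cpan*
 noblacklist ${PATH}/perl
 noblacklist ${PATH}/site_perl
 noblacklist ${PATH}/vendor_perl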
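--- /dev/null
+++ b/etc/allow-php.inc
@@ -0,0 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-php.local
+
+noblacklist ${PATH}/php*
+noblacklist /usr/lib/php*
+noblacklist /usr/share/php*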
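--- a/etc/allow-python2.inc
+++ b/etc/allow-python2.inc
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-python2.local
+
 noblacklist ${PATH}/python2*
 noblacklist /usr/include/python2*
 noblacklist /usr/lib/python2*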
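--- a/etc/allow-python3.inc
+++ b/etc/allow-python3.inc
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-python3.local
+
 noblacklist ${PATH}/python3*
 noblacklist /usr/include/python3*
 noblacklist /usr/lib/python3*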
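--- a/etc/allow-ruby.inc
+++ b/etc/allow-ruby.inc
@@ -1,2 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-ruby.local
+
 noblacklist ${PATH}/ruby
 noblacklist /usr/lib/ruby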
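--- a/etc/aria2c.profile
+++ b/etc/aria2c.profile
@@ -7,6 +7,8 @@ include aria2c.local
 include globals.local
 
 noblacklist ${HOME}/.aria2
+noblacklist ${HOME}/.config/aria2
+noblacklist ${HOME}/.netrc
 
 include disable-common.inc
 include disable-devel.inc
@@ -35,6 +37,7 @@ seccomp
 shell none
 
 # disable-mnt
+# Add your custom event hook commands to 'private-bin' in your aria2c.local
 private-bin aria2c,gzip
 # Uncomment the next line (or put 'private-cache' in your aria2c.local) if you don't use Lutris/winetricks (see issue #2772)
 #private-cache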
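Review bot: The first hunk's `noblacklist ${HOME}/.netrc` exposes a credentials file to the sandboxed downloader, and nothing next to the rule says why. Presumably aria2c needs it for stored logins; state that on the line above, for example `# aria2c reads stored logins from ~/.netrc`, so a user who keeps unrelated credentials there knows the exception exists. The new `${HOME}/.config/aria2` exception is paired with the blacklist added to etc/disable-programs.inc in this commit; which include blacklists `.netrc` is not visible in the hunk.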
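--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -6,7 +6,7 @@ include baobab.local
 # Persistent global definitions
 include globals.local
 
-include disable-common.inc
+# include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc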
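Review bot: Commenting out `include disable-common.inc` removes the whole common blacklist from this profile, and the line gives no reason. If the intent is to let the disk-usage scan see every directory (inferred, not stated in the commit), say so on the line, e.g. `# include disable-common.inc - baobab must be able to read every directory it sizes`. The other includes in the hunk (disable-devel, disable-exec, disable-interpreters) stay active, so without a comment a reader cannot tell why this one is treated differently.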
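--- a/etc/beaker.profile
+++ b/etc/beaker.profile
@@ -13,7 +13,6 @@ include disable-interpreters.inc
 
 mkdir ${HOME}/.config/Beaker Browser
 whitelist ${HOME}/.config/Beaker Browser
-whitelist ${DOWNLOADS}
 include whitelist-common.inc
 
 # Redirect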
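--- a/etc/chromium-common.profile
+++ b/etc/chromium-common.profile
@@ -37,7 +37,7 @@ notv
 shell none
 
 disable-mnt
-private-dev
+?BROWSER_DISABLE_U2F: private-dev
 # private-tmp - problems with multiple browser sessions
 
 # the file dialog needs to work without d-bus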
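Review bot: With `?BROWSER_DISABLE_U2F: private-dev`, `private-dev` is skipped whenever that conditional is false, so the browser then runs against the host's full /dev rather than only gaining access to U2F tokens. The same one-line change is made in etc/ephemeral.profile and etc/firefox-common.profile. A comment above the line should record the trade-off, for example `# private-dev hides U2F tokens, so it is applied only when U2F is disabled in firejail.config`. The rest of each profile lies outside the hunk, so whether other /dev restrictions remain cannot be seen here.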
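--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -119,6 +119,7 @@ blacklist ${HOME}/.config/akonadi*
 blacklist ${HOME}/.config/akregatorrc
 blacklist ${HOME}/.config/ardour4
 blacklist ${HOME}/.config/ardour5
+blacklist ${HOME}/.config/aria2
 blacklist ${HOME}/.config/arkrc
 blacklist ${HOME}/.config/artha.conf
 blacklist ${HOME}/.config/asunder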
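--- a/etc/ephemeral.profile
+++ b/etc/ephemeral.profile
@@ -55,7 +55,7 @@ tracelog
 
 disable-mnt
 private-cache
-private-dev
+?BROWSER_DISABLE_U2F: private-dev
 # private-etc below works fine on most distributions. There are some problems on CentOS.
 #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,login.defs,machine-id,mailcap,mime.types,nsswitch.conf,os-release,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp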
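--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -47,7 +47,7 @@ tracelog
 private-bin ffmpeg
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,hosts,pkcs11,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pkcs11,pki,resolv.conf,ssl
 private-tmp
 
 # memory-deny-write-execute - it breaks old versions of ffmpeg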
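--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -52,7 +52,7 @@ shell none
 #tracelog
 
 disable-mnt
-private-dev
+?BROWSER_DISABLE_U2F: private-dev
 # private-etc below works fine on most distributions. There are some problems on CentOS.
-#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp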
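--- a/etc/i2prouter.profile
+++ b/etc/i2prouter.profile
@@ -6,19 +6,19 @@ include i2prouter.local
 # Persistent global definitions
 include globals.local
 
-# Notice: default browser will not be able to automatically open, due to sandbox.
+# Notice: default browser will most likely not be able to automatically open, due to sandbox.
 # Auto-opening default browser can be disabled in the I2P router console.
-# This profile will not currently work with any Arch User Repository i2p packages,
-# use the distro-independent official java installer instead
+# This profile will not currently work with any Arch User Repository I2P packages,
+# use the distro-independent official I2P java installer instead
 
-# Only needed if i2prouter binary is in home directory, java installer does this
+# Only needed if i2prouter binary is in home directory, official I2P java installer does this
 ignore noexec ${HOME}
 
 noblacklist ${HOME}/.config/i2p
 noblacklist ${HOME}/.i2p
 noblacklist ${HOME}/.local/share/i2p
 noblacklist ${HOME}/i2p
-# Only needed if wrapper is placed in /usr/sbin/, ubuntu official ppa package does this
+# Only needed if wrapper is placed in /usr/sbin/, ubuntu official I2P ppa package does this
 noblacklist /usr/sbin
 
 # Allow java (blacklisted by disable-devel.inc)
@@ -40,13 +40,13 @@ whitelist ${HOME}/.config/i2p
 whitelist ${HOME}/.i2p
 whitelist ${HOME}/.local/share/i2p
 whitelist ${HOME}/i2p
-# Only needed if wrapper is placed in /usr/sbin/, ubuntu official ppa package does this
+# Only needed if wrapper is placed in /usr/sbin/, ubuntu official I2P ppa package does this
 whitelist /usr/sbin/wrapper*
 
 include whitelist-common.inc
 
-# May break I2P if wrapper is placed in the home directory
-# If using ubuntu official ppa, this should be fine to uncomment, as it puts wrapper in /usr/sbin/
+# May break I2P if wrapper is placed in the home directory; official I2P java installer does this
+# If using ubuntu official I2P ppa, this should be fine to uncomment, as it puts wrapper in /usr/sbin/
 #apparmor
 caps.drop all
 ipc-namespace
@@ -67,5 +67,5 @@ shell none
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,i2p,java-8-openjdk,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-8-openjdk,java-9-openjdk,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-openjdk,ld.so.cache,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
 private-tmp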
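Review bot: The new `private-etc` line in the last hunk names `java-8-openjdk` through `java-13-openjdk` one by one, so the /etc directory of any newer JDK stays hidden from the sandbox until the profile is edited again. A comment above the line would make that maintenance need visible, e.g. `# add the java-N-openjdk directory of your JDK if it is not listed`. The list also grows from 7 to 23 entries with no note on which additions I2P was found to need, which makes it hard to trim later.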
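--- a/etc/keepass.profile
+++ b/etc/keepass.profile
@@ -34,7 +34,7 @@ nosound
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 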
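Review bot: `protocol unix,inet,inet6,netlink` widens the socket families available to a password manager, and the line carries no reason. A short comment naming what needs netlink, such as `# netlink is required by <component> (see issue #NNNN)` with the real component and issue filled in, would let a later reviewer judge whether the exception is still needed.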
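--- a/etc/standardnotes-desktop.profile
+++ b/etc/standardnotes-desktop.profile
@@ -39,5 +39,5 @@ seccomp !chroot
 disable-mnt
 private-dev
 private-tmp
-private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,pki,resolv.conf,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,pki,resolv.conf,ssl,xdg
 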
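--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -36,5 +36,5 @@ shell none
 disable-mnt
 private-bin bash,cat,cp,cut,dirname,env,getconf,gpg,grep,gxmessage,id,kdialog,ln,mkdir,pwd,readlink,realpath,rm,sed,sh,tail,test,update-desktop-database,xmessage,zenity
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp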
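--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -50,5 +50,5 @@ shell none
 disable-mnt
 private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp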
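--- a/etc/udiskie.profile
+++ b/etc/udiskie.profile
@@ -31,7 +31,7 @@ notv
 nou2f
 novideo
 protocol unix
-seccomp
+seccomp !request_key
 shell none
 tracelog
 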
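Review bot: `seccomp !request_key` takes the `request_key` syscall out of the seccomp filter, and nothing in the hunk says which udiskie feature needs it. Add a comment on the preceding line, e.g. `# request_key is needed for <feature>` with the actual feature filled in, so the exception can be revisited when that dependency changes.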
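--- a/etc/wire-desktop.profile
+++ b/etc/wire-desktop.profile
@@ -18,16 +18,12 @@ whitelist ${HOME}/.config/Wire
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
 
-caps.drop all
+caps.keep sys_admin,sys_chroot
 netfilter
 nodvd
 nogroups
-nonewprivs
-noroot
 notv
 nou2f
-protocol unix,inet,inet6,netlink
-seccomp
 shell none
 
 # Note: The current version of Wire is located in /opt/wire-desktop/wire-desktop, and therefore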
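Review bot: No comment explains why `caps.drop all` becomes `caps.keep sys_admin,sys_chroot` or why `nonewprivs`, `noroot`, `protocol` and `seccomp` are removed; together these leave the profile with no syscall filter and with CAP_SYS_ADMIN retained. If this is to let the application's own internal sandbox start (inferred, not stated in the commit), say so in a comment above `caps.keep`. etc/standardnotes-desktop.profile in this same commit keeps its filter as `seccomp !chroot`; it is worth testing whether a narrower exception like that works for Wire before dropping the filter entirely. The `# Note:` comment that ends the hunk continues outside it.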
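--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -295,7 +295,6 @@ hedgewars
 hexchat
 highlight
 hugin
-i2prouter
 icecat
 icedove
 iceweasel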