Merge pull request #1201 from SYN-cook/patch-2

new baloo profile
author: netblue30 <netblue30@yahoo.com> 2017-04-09 11:22:07 -0400
committer: GitHub <noreply@github.com> 2017-04-09 11:22:07 -0400
commit: 7bec8bf8e8f93ce1d6700aeccb5aecf93865b0b9 (patch)
tree: 0b67124121e10fdd6b689e023a4109dc410e8060 /etc/baloo_file.profile
parent: Doc update after merging #1198 (diff)
parent: improve x11 isolation (diff)
download: firejail-7bec8bf8e8f93ce1d6700aeccb5aecf93865b0b9.tar.gz
firejail-7bec8bf8e8f93ce1d6700aeccb5aecf93865b0b9.tar.zst
firejail-7bec8bf8e8f93ce1d6700aeccb5aecf93865b0b9.zip
1 files changed, 41 insertions, 0 deletions
diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile
new file mode 100644
index 000000000..d9c37911b
--- /dev/null
+++ b/etc/baloo_file.profile
@@ -0,0 +1,41 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/baloo_file.local
+# KDE Baloo file daemon profile
+noblacklist ${HOME}/.kde4/share/config/baloofilerc
+noblacklist ${HOME}/.kde4/share/config/baloorc
+noblacklist ${HOME}/.kde/share/config/baloofilerc
+noblacklist ${HOME}/.kde/share/config/baloorc
+noblacklist ${HOME}/.config/baloofilerc
+noblacklist ${HOME}/.local/share/baloo
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+# Baloo makes ioprio_set system calls, which are blacklisted by default.
+# That's why we need to disable seccomp
+#seccomp
+blacklist /tmp/.X11-unix
+private-dev
+private-tmp
+# Experimental: make home directory read-only and allow writing only
+# to Baloo configuration files and databases
+#read-only  ${HOME}
+#read-write ${HOME}/.kde4/share/config/baloofilerc
+#read-write ${HOME}/.kde4/share/config/baloorc
+#read-write ${HOME}/.kde/share/config/baloofilerc
+#read-write ${HOME}/.kde/share/config/baloorc
+#read-write ${HOME}/.config/baloofilerc
+#read-write ${HOME}/.local/share/baloo
+#read-write ${HOME}/.local/share/akonadi/search_db
author	netblue30 <netblue30@yahoo.com>	2017-04-09 11:22:07 -0400
committer	GitHub <noreply@github.com>	2017-04-09 11:22:07 -0400
commit	7bec8bf8e8f93ce1d6700aeccb5aecf93865b0b9 (patch)
tree	0b67124121e10fdd6b689e023a4109dc410e8060 /etc/baloo_file.profile
parent	Doc update after merging #1198 (diff)
parent	improve x11 isolation (diff)
download	firejail-7bec8bf8e8f93ce1d6700aeccb5aecf93865b0b9.tar.gz firejail-7bec8bf8e8f93ce1d6700aeccb5aecf93865b0b9.tar.zst firejail-7bec8bf8e8f93ce1d6700aeccb5aecf93865b0b9.zip

diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile new file mode 100644 index 000000000..d9c37911b --- /dev/null +++ b/etc/baloo_file.profile
@@ -0,0 +1,41 @@
	1	# This file is overwritten during software install.
	2	# Persistent customizations should go in a .local file.
	3	include /etc/firejail/baloo_file.local
	4
	5	# KDE Baloo file daemon profile
	6	noblacklist ${HOME}/.kde4/share/config/baloofilerc
	7	noblacklist ${HOME}/.kde4/share/config/baloorc
	8	noblacklist ${HOME}/.kde/share/config/baloofilerc
	9	noblacklist ${HOME}/.kde/share/config/baloorc
	10	noblacklist ${HOME}/.config/baloofilerc
	11	noblacklist ${HOME}/.local/share/baloo
	12	include /etc/firejail/disable-common.inc
	13	include /etc/firejail/disable-programs.inc
	14	include /etc/firejail/disable-devel.inc
	15	include /etc/firejail/disable-passwdmgr.inc
	16
	17	caps.drop all
	18	nogroups
	19	nonewprivs
	20	noroot
	21	nosound
	22	protocol unix
	23	# Baloo makes ioprio_set system calls, which are blacklisted by default.
	24	# That's why we need to disable seccomp
	25	#seccomp
	26
	27	blacklist /tmp/.X11-unix
	28
	29	private-dev
	30	private-tmp
	31
	32	# Experimental: make home directory read-only and allow writing only
	33	# to Baloo configuration files and databases
	34	#read-only ${HOME}
	35	#read-write ${HOME}/.kde4/share/config/baloofilerc
	36	#read-write ${HOME}/.kde4/share/config/baloorc
	37	#read-write ${HOME}/.kde/share/config/baloofilerc
	38	#read-write ${HOME}/.kde/share/config/baloorc
	39	#read-write ${HOME}/.config/baloofilerc
	40	#read-write ${HOME}/.local/share/baloo
	41	#read-write ${HOME}/.local/share/akonadi/search_db