various profile enhancements

* okular needs kdeinit4 for open file dialog since recently * memory-deny-write-execute should be a safe addition for desktop use of dnscrypt and unbound * cleanup works
author: smitsohu <smitsohu@gmail.com> 2017-09-25 15:57:50 +0200
committer: smitsohu <smitsohu@gmail.com> 2017-09-25 15:57:50 +0200
commit: 9b99215a1eb2ac5ff8fddeff3e43b725fee18ca2 (patch)
tree: 632cecd6b845ecc93c5024170671a9894c2cda49 /etc/baloo_file.profile
parent: fix nginx and apache2, possible fix for #1534 (diff)
download: firejail-9b99215a1eb2ac5ff8fddeff3e43b725fee18ca2.tar.gz
firejail-9b99215a1eb2ac5ff8fddeff3e43b725fee18ca2.tar.zst
firejail-9b99215a1eb2ac5ff8fddeff3e43b725fee18ca2.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile
index 4e603971f..2c2d70c00 100644
--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -17,6 +17,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 no3d
 nodvd
@@ -29,8 +31,10 @@ novideo
 protocol unix
 # Baloo makes ioprio_set system calls, which are blacklisted by default.
 seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+shell none
 x11 xorg
+private-bin baloo_file,baloo_file_extractor,kbuildsycoca4
 private-dev
 private-tmp
author	smitsohu <smitsohu@gmail.com>	2017-09-25 15:57:50 +0200
committer	smitsohu <smitsohu@gmail.com>	2017-09-25 15:57:50 +0200
commit	9b99215a1eb2ac5ff8fddeff3e43b725fee18ca2 (patch)
tree	632cecd6b845ecc93c5024170671a9894c2cda49 /etc/baloo_file.profile
parent	fix nginx and apache2, possible fix for #1534 (diff)
download	firejail-9b99215a1eb2ac5ff8fddeff3e43b725fee18ca2.tar.gz firejail-9b99215a1eb2ac5ff8fddeff3e43b725fee18ca2.tar.zst firejail-9b99215a1eb2ac5ff8fddeff3e43b725fee18ca2.zip

diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile index 4e603971f..2c2d70c00 100644 --- a/etc/baloo_file.profile +++ b/etc/baloo_file.profile
@@ -17,6 +17,8 @@ include /etc/firejail/disable-devel.inc
17	include /etc/firejail/disable-passwdmgr.inc	17	include /etc/firejail/disable-passwdmgr.inc
18	include /etc/firejail/disable-programs.inc	18	include /etc/firejail/disable-programs.inc
19		19
		20	include /etc/firejail/whitelist-var-common.inc
		21
20	caps.drop all	22	caps.drop all
21	no3d	23	no3d
22	nodvd	24	nodvd
@@ -29,8 +31,10 @@ novideo
29	protocol unix	31	protocol unix
30	# Baloo makes ioprio_set system calls, which are blacklisted by default.	32	# Baloo makes ioprio_set system calls, which are blacklisted by default.
31	seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice	33	seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
		34	shell none
32	x11 xorg	35	x11 xorg
33		36
		37	private-bin baloo_file,baloo_file_extractor,kbuildsycoca4
34	private-dev	38	private-dev
35	private-tmp	39	private-tmp
36		40