diff options
| author |  SYN-cook <syncookongit@gmail.com> | 2017-04-09 16:32:22 +0200 |
|---|---|---|
| committer |  GitHub <noreply@github.com> | 2017-04-09 16:32:22 +0200 |
| commit | 605453cb75120ca456e655ab15670ab7beed7fca (patch) | |
| tree | 0b67124121e10fdd6b689e023a4109dc410e8060 /etc/baloo_file.profile | |
| parent | add x11 isolation (diff) | |
| download | firejail-605453cb75120ca456e655ab15670ab7beed7fca.tar.gz firejail-605453cb75120ca456e655ab15670ab7beed7fca.tar.zst firejail-605453cb75120ca456e655ab15670ab7beed7fca.zip | |
improve x11 isolation
taken from tracker.profile
Diffstat (limited to 'etc/baloo_file.profile')
| -rw-r--r-- | etc/baloo_file.profile | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile index 6696cbad2..d9c37911b 100644 --- a/etc/baloo_file.profile +++ b/etc/baloo_file.profile | |||
| @@ -23,10 +23,8 @@ protocol unix | |||
| 23 | # Baloo makes ioprio_set system calls, which are blacklisted by default. | 23 | # Baloo makes ioprio_set system calls, which are blacklisted by default. |
| 24 | # That's why we need to disable seccomp | 24 | # That's why we need to disable seccomp |
| 25 | #seccomp | 25 | #seccomp |
| 26 | # The Baloo file daemon can be isolated from X11. If there is an X11 | 26 | |
| 27 | # abstract Unix socket, it must be disabled first by passing "-nolisten local" | 27 | blacklist /tmp/.X11-unix |
| 28 | # to the X server. See the Firejail manual for further instructions | ||
| 29 | #x11 none | ||
| 30 | 28 | ||
| 31 | private-dev | 29 | private-dev |
| 32 | private-tmp | 30 | private-tmp |