misc profile hardening (xdg blacklist, private-cache, netfilter)

author: smitsohu <smitsohu@gmail.com> 2019-01-30 16:12:49 +0100
committer: smitsohu <smitsohu@gmail.com> 2019-01-30 16:12:49 +0100
commit: 0f7636c1ca3ab81c4d1af13b548bc094d038dcbe (patch)
tree: b5b4badbccfe3c8c7cde9bdebae0508842e57829 /etc/baloo_file.profile
parent: Fixup qtox profile, closes #2374 (diff)
download: firejail-0f7636c1ca3ab81c4d1af13b548bc094d038dcbe.tar.gz
firejail-0f7636c1ca3ab81c4d1af13b548bc094d038dcbe.tar.zst
firejail-0f7636c1ca3ab81c4d1af13b548bc094d038dcbe.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile
index e094945b7..875bc7989 100644
--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -26,6 +26,7 @@ include disable-programs.inc
 include whitelist-var-common.inc
 caps.drop all
+netfilter
 no3d
 nodvd
 nogroups
@@ -41,6 +42,7 @@ seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fano
 shell none
 # x11 xorg
+private-cache
 private-bin baloo_file,baloo_file_extractor,baloo_filemetadata_temp_extractor,kbuildsycoca4
 private-dev
 private-tmp
author	smitsohu <smitsohu@gmail.com>	2019-01-30 16:12:49 +0100
committer	smitsohu <smitsohu@gmail.com>	2019-01-30 16:12:49 +0100
commit	0f7636c1ca3ab81c4d1af13b548bc094d038dcbe (patch)
tree	b5b4badbccfe3c8c7cde9bdebae0508842e57829 /etc/baloo_file.profile
parent	Fixup qtox profile, closes #2374 (diff)
download	firejail-0f7636c1ca3ab81c4d1af13b548bc094d038dcbe.tar.gz firejail-0f7636c1ca3ab81c4d1af13b548bc094d038dcbe.tar.zst firejail-0f7636c1ca3ab81c4d1af13b548bc094d038dcbe.zip

diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile index e094945b7..875bc7989 100644 --- a/etc/baloo_file.profile +++ b/etc/baloo_file.profile
@@ -26,6 +26,7 @@ include disable-programs.inc
26	include whitelist-var-common.inc	26	include whitelist-var-common.inc
27		27
28	caps.drop all	28	caps.drop all
		29	netfilter
29	no3d	30	no3d
30	nodvd	31	nodvd
31	nogroups	32	nogroups
@@ -41,6 +42,7 @@ seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fano
41	shell none	42	shell none
42	# x11 xorg	43	# x11 xorg
43		44
		45	private-cache
44	private-bin baloo_file,baloo_file_extractor,baloo_filemetadata_temp_extractor,kbuildsycoca4	46	private-bin baloo_file,baloo_file_extractor,baloo_filemetadata_temp_extractor,kbuildsycoca4
45	private-dev	47	private-dev
46	private-tmp	48	private-tmp