authorLibravatar rusty-snake <41237666+rusty-snake@users.noreply.github.com>2020-05-02 17:58:02 +0000
committerLibravatar GitHub <noreply@github.com>2020-05-02 17:58:02 +0000
commit49280197ccf830b708b1b7c4d6fb8b3590f44da2 (patch)
tree76ae21d4faa96a2970738aedc693b6b9ed3183c8 /etc/inc/disable-common.inc
parentfixes for zeal.profile (diff)
various hardening (#3394)
Diffstat (limited to 'etc/inc/disable-common.inc')
-rw-r--r--etc/inc/disable-common.inc10
1 files changed, 8 insertions, 2 deletions
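--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -149,8 +149,9 @@ read-only ${HOME}/.config/dconf
 blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd
 blacklist /var/lib/systemd
-# blacklist /var/run/systemd
+blacklist ${PATH}/systemd-run
 # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
+#blacklist /var/run/systemd
 
 # openrc
 blacklist /etc/runlevels/
@@ -308,13 +309,17 @@ read-only ${HOME}/bin
 read-only ${HOME}/.bin
 read-only ${HOME}/.local/bin
 read-only ${HOME}/.cargo/bin
-read-only ${HOME}/.cargo/env
 
 # Write-protection for desktop entries
 read-only ${HOME}/.config/menus
 read-only ${HOME}/.gnome/apps
 read-only ${HOME}/.local/share/applications
 
+read-only ${HOME}/.config/mimeapps.list
+read-only ${HOME}/.config/user-dirs.dirs
+read-only ${HOME}/.config/user-dirs.locale
+read-only ${HOME}/.local/share/mime
+
 # Write-protection for thumbnailer dir
 read-only ${HOME}/.local/share/thumbnailers
 
@@ -451,6 +456,7 @@ blacklist /vmlinuz*
 blacklist /.snapshots
 
 # flatpak
+blacklist ${HOME}/.cache/flatpak
 blacklist ${HOME}/.config/flatpak
 blacklist ${HOME}/.local/share/flatpak/app
 blacklist ${HOME}/.local/share/flatpak/appstream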
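Review bot: The four `read-only` lines added at new lines 318–321 in the second hunk form an untitled group sitting between two headed sections (`# Write-protection for desktop entries` above, `# Write-protection for thumbnailer dir` below), so they should carry a heading of their own, e.g. `# Write-protection for MIME associations and XDG user dirs`. That heading is also the place to record that the legacy `${HOME}/.local/share/applications/mimeapps.list` location is already covered by the existing `read-only ${HOME}/.local/share/applications` at new 316, so nobody later adds a second, redundant entry for it. In the first hunk, `blacklist ${PATH}/systemd-run` is the only entry in the systemd group that is a binary lookup across every `${PATH}` directory rather than a data path, and it lands with no rationale; a one-liner such as `# systemd-run can hand commands to the user service manager, which runs outside the sandbox` would explain why it sits here. Presumably the profile's D-Bus restrictions are what confine that interface itself and blacklisting the binary is defence in depth — worth stating in the same comment so the two are not mistaken for alternatives.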