Unify all profiles

author: Tad <tad@spotco.us> 2017-08-07 01:22:08 -0400
committer: Tad <tad@spotco.us> 2017-08-07 01:22:08 -0400
commit: 9e3ba319be6b9546d7e8f450ca419ee2f3f4040b (patch)
tree: 0aebe82de78a61877c267f4dcb2ebcc13a2e37c9 /etc/mupdf.profile
parent: various profile fixes (#1433) (diff)
download: firejail-9e3ba319be6b9546d7e8f450ca419ee2f3f4040b.tar.gz
firejail-9e3ba319be6b9546d7e8f450ca419ee2f3f4040b.tar.zst
firejail-9e3ba319be6b9546d7e8f450ca419ee2f3f4040b.zip
1 files changed, 11 insertions, 13 deletions
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index ca61edfdd..a55a01206 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -1,15 +1,15 @@
-# Persistent global definitions go here
+# Firejail profile for mupdf
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/mupdf.local
+# Persistent global definitions
 include /etc/firejail/globals.local
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/mupdf.local
-# mupdf reader profile
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
@@ -22,15 +22,13 @@ seccomp
 shell none
 tracelog
-private-tmp
+# private-bin mupdf,sh,tempfile,rm
 private-dev
 private-etc fonts
+private-tmp
-# mupdf will never write anything
 read-only ${HOME}
-#
+# CLOBBERED COMMENTS
 # Experimental:
-#
+# mupdf will never write anything
-#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
+# seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
-# private-bin mupdf,sh,tempfile,rm
author	Tad <tad@spotco.us>	2017-08-07 01:22:08 -0400
committer	Tad <tad@spotco.us>	2017-08-07 01:22:08 -0400
commit	9e3ba319be6b9546d7e8f450ca419ee2f3f4040b (patch)
tree	0aebe82de78a61877c267f4dcb2ebcc13a2e37c9 /etc/mupdf.profile
parent	various profile fixes (#1433) (diff)
download	firejail-9e3ba319be6b9546d7e8f450ca419ee2f3f4040b.tar.gz firejail-9e3ba319be6b9546d7e8f450ca419ee2f3f4040b.tar.zst firejail-9e3ba319be6b9546d7e8f450ca419ee2f3f4040b.zip

diff --git a/etc/mupdf.profile b/etc/mupdf.profile index ca61edfdd..a55a01206 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile
@@ -1,15 +1,15 @@
1	# Persistent global definitions go here	1	# Firejail profile for mupdf
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include /etc/firejail/mupdf.local
		5	# Persistent global definitions
2	include /etc/firejail/globals.local	6	include /etc/firejail/globals.local
3		7
4	# This file is overwritten during software install.
5	# Persistent customizations should go in a .local file.
6	include /etc/firejail/mupdf.local
7		8
8	# mupdf reader profile
9	include /etc/firejail/disable-common.inc	9	include /etc/firejail/disable-common.inc
10	include /etc/firejail/disable-programs.inc
11	include /etc/firejail/disable-devel.inc	10	include /etc/firejail/disable-devel.inc
12	include /etc/firejail/disable-passwdmgr.inc	11	include /etc/firejail/disable-passwdmgr.inc
		12	include /etc/firejail/disable-programs.inc
13		13
14	caps.drop all	14	caps.drop all
15	net none	15	net none
@@ -22,15 +22,13 @@ seccomp
22	shell none	22	shell none
23	tracelog	23	tracelog
24		24
25	private-tmp	25	# private-bin mupdf,sh,tempfile,rm
26	private-dev	26	private-dev
27	private-etc fonts	27	private-etc fonts
28		28	private-tmp
29	# mupdf will never write anything
30	read-only ${HOME}	29	read-only ${HOME}
31		30
32	#	31	# CLOBBERED COMMENTS
33	# Experimental:	32	# Experimental:
34	#	33	# mupdf will never write anything
35	#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev	34	# seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
36	# private-bin mupdf,sh,tempfile,rm