diff options
| author |  Adrian L. Shaw <adrianlshaw@gmail.com> | 2019-11-24 16:06:27 +0000 |
|---|---|---|
| committer | Adrian L. Shaw <adrianlshaw@gmail.com> | 2019-11-24 16:06:27 +0000 |
| commit | 6041ee719a9496959ef820347ef5db0854efee50 (patch) | |
| tree | e86bea0701502a5b1b72ca2e41209cb94872e901 /etc/profanity.profile | |
| parent | Add profile for the Profanity chat client (diff) | |
| download | firejail-6041ee719a9496959ef820347ef5db0854efee50.tar.gz firejail-6041ee719a9496959ef820347ef5db0854efee50.tar.zst firejail-6041ee719a9496959ef820347ef5db0854efee50.zip | |
Sort and harden profanity profile
Diffstat (limited to 'etc/profanity.profile')
| -rw-r--r-- | etc/profanity.profile | 20 |
1 files changed, 10 insertions, 10 deletions
diff --git a/etc/profanity.profile b/etc/profanity.profile index 9ad7d9f92..b6c5f8102 100644 --- a/etc/profanity.profile +++ b/etc/profanity.profile | |||
| @@ -1,33 +1,36 @@ | |||
| 1 | # Firejail profile for profanity | 1 | # Firejail profile for profanity |
| 2 | # Description: profanity is an XMPP-OTR chat client for the terminal | 2 | # Description: profanity is an XMPP chat client for the terminal |
| 3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
| 4 | quiet | 4 | quiet |
| 5 | # Persistent local customizations | 5 | # Persistent local customizations |
| 6 | include unzip.local | 6 | include profanity.local |
| 7 | # Persistent global definitions | 7 | # Persistent global definitions |
| 8 | include globals.local | 8 | include globals.local |
| 9 | 9 | ||
| 10 | ignore net none | ||
| 11 | |||
| 12 | include disable-common.inc | 10 | include disable-common.inc |
| 13 | include disable-devel.inc | 11 | include disable-devel.inc |
| 12 | include disable-exec.inc | ||
| 14 | include disable-passwdmgr.inc | 13 | include disable-passwdmgr.inc |
| 15 | include disable-programs.inc | 14 | include disable-programs.inc |
| 16 | include disable-xdg.inc | 15 | include disable-xdg.inc |
| 16 | include whitelist-usr-share-common.inc | ||
| 17 | include whitelist-var-common.inc | ||
| 17 | 18 | ||
| 18 | mkdir ${HOME}/.config/profanity | ||
| 19 | mkdir ${HOME}/.local/share/profanity | ||
| 20 | noblacklist ${HOME}/.config/profanity | 19 | noblacklist ${HOME}/.config/profanity |
| 21 | noblacklist ${HOME}/.local/share/profanity | 20 | noblacklist ${HOME}/.local/share/profanity |
| 22 | 21 | ||
| 23 | caps.drop all | 22 | caps.drop all |
| 24 | netfilter | 23 | netfilter |
| 24 | no3d | ||
| 25 | nodbus | ||
| 25 | nodvd | 26 | nodvd |
| 26 | nogroups | 27 | nogroups |
| 27 | nonewprivs | 28 | nonewprivs |
| 28 | noroot | 29 | noroot |
| 30 | nosound | ||
| 29 | notv | 31 | notv |
| 30 | nou2f | 32 | nou2f |
| 33 | novideo | ||
| 31 | protocol unix,inet,inet6 | 34 | protocol unix,inet,inet6 |
| 32 | seccomp | 35 | seccomp |
| 33 | shell none | 36 | shell none |
| @@ -35,10 +38,7 @@ shell none | |||
| 35 | private-bin profanity | 38 | private-bin profanity |
| 36 | private-cache | 39 | private-cache |
| 37 | private-dev | 40 | private-dev |
| 38 | private-tmp | ||
| 39 | private-etc alternatives,localtime,mime.types,resolv.conf,ssl | 41 | private-etc alternatives,localtime,mime.types,resolv.conf,ssl |
| 42 | private-tmp | ||
| 40 | 43 | ||
| 41 | memory-deny-write-execute | 44 | memory-deny-write-execute |
| 42 | noexec ${HOME} | ||
| 43 | noexec /tmp | ||
| 44 | |||