diff options
| author |  Amin Vakil <info@aminvakil.com> | 2020-06-11 13:06:14 +0430 |
|---|---|---|
| committer |  GitHub <noreply@github.com> | 2020-06-11 08:36:14 +0000 |
| commit | 89d77cc34191308681d49be5f4e7413e0f48e9b5 (patch) | |
| tree | ed0aafa2c2b369e87a096b7055099c3a03dc388c /etc/profile-m-z/strawberry.profile | |
| parent | Fix qt5ct colour schemes and QSS (#3463) (diff) | |
| download | firejail-89d77cc34191308681d49be5f4e7413e0f48e9b5.tar.gz firejail-89d77cc34191308681d49be5f4e7413e0f48e9b5.tar.zst firejail-89d77cc34191308681d49be5f4e7413e0f48e9b5.zip | |
Add strawberry profile (#3459)
* Add strawberry profile
* Fix comment
* Add to disable-programs.inc & firecfg.config
* Add /home/amin/.local/share/strawberry to profile and disable-programs
* Various hardening for strawberry profile
Signed-off-by: Amin Vakil <info@aminvakil.com>
* Change nodbus to dbus-system none in strawberry profile
* Add dbus-user none to strawberry profile
* Add whitelist-var-common, sort private-etc
* Sort, Add wruc, Add netlink to protocol in strawberry profile
* Remove dbus-user none to allow using gnome functions for various usage in strawberry profile
Diffstat (limited to 'etc/profile-m-z/strawberry.profile')
| -rw-r--r-- | etc/profile-m-z/strawberry.profile | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/etc/profile-m-z/strawberry.profile b/etc/profile-m-z/strawberry.profile new file mode 100644 index 000000000..cd36c0d41 --- /dev/null +++ b/etc/profile-m-z/strawberry.profile | |||
| @@ -0,0 +1,49 @@ | |||
| 1 | # Firejail profile for strawberry | ||
| 2 | # Description: A music player and music collection organizer | ||
| 3 | # This file is overwritten after every install/update | ||
| 4 | # Persistent local customizations | ||
| 5 | include strawberry.local | ||
| 6 | # Persistent global definitions | ||
| 7 | include globals.local | ||
| 8 | |||
| 9 | noblacklist ${HOME}/.cache/strawberry | ||
| 10 | noblacklist ${HOME}/.config/strawberry | ||
| 11 | noblacklist ${HOME}/.local/share/strawberry | ||
| 12 | noblacklist ${MUSIC} | ||
| 13 | |||
| 14 | include disable-common.inc | ||
| 15 | include disable-devel.inc | ||
| 16 | include disable-exec.inc | ||
| 17 | include disable-interpreters.inc | ||
| 18 | include disable-passwdmgr.inc | ||
| 19 | include disable-programs.inc | ||
| 20 | include disable-xdg.inc | ||
| 21 | |||
| 22 | include whitelist-runuser-common.inc | ||
| 23 | include whitelist-usr-share-common.inc | ||
| 24 | include whitelist-var-common.inc | ||
| 25 | |||
| 26 | apparmor | ||
| 27 | caps.drop all | ||
| 28 | netfilter | ||
| 29 | nodvd | ||
| 30 | nogroups | ||
| 31 | nonewprivs | ||
| 32 | noroot | ||
| 33 | notv | ||
| 34 | nou2f | ||
| 35 | novideo | ||
| 36 | protocol unix,inet,inet6,netlink | ||
| 37 | # blacklisting of ioprio_set system calls breaks strawberry | ||
| 38 | seccomp !ioprio_set | ||
| 39 | shell none | ||
| 40 | tracelog | ||
| 41 | |||
| 42 | disable-mnt | ||
| 43 | private-bin strawberry,strawberry-tagreader | ||
| 44 | private-cache | ||
| 45 | private-dev | ||
| 46 | private-etc ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,nsswitch.conf,pki,resolv.conf,ssl | ||
| 47 | private-tmp | ||
| 48 | |||
| 49 | dbus-system none | ||