author | glitsj16 <glitsj16@users.noreply.github.com> | 2019-03-16 17:49:01 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-03-16 17:49:01 +0000 |
commit | 0ea4ed8408f6fc506f9e4bef0f9e94fe14ea8d9c (patch) | |
tree | f95e3eb3c3e9680ecab513c8d6be3736d372c3c5 /etc/seahorse.profile | |
parent | Fix assogiate's private-bin (#2603) (diff) | |
Seahorse revisited (#2600)
* Refactor seahorse into a whitelist profile
* Refactor seahorse-tool as a whitelist profile
* Create seahorse-daemon.profile
* Add seahorse-daemon to firecfg
* Drop blacklist /tmp/.X11-unix from seahorse.profile
Thanks to @rusty-snake for pointing out blacklisting /tmp/.X11-unix is ridiculous for GUIs.
* Add non-GUI option to seahorse-daemon
Diffstat (limited to 'etc/seahorse.profile')
-rw-r--r-- | etc/seahorse.profile | 45 |
1 files changed, 40 insertions, 5 deletions
diff --git a/etc/seahorse.profile b/etc/seahorse.profile index 83aeb6aec..cd9f6c767 100644 --- a/etc/seahorse.profile +++ b/etc/seahorse.profile | |||
@@ -4,22 +4,57 @@ | |||
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include seahorse.local | 5 | include seahorse.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | # added by included profile | 7 | include globals.local |
8 | #include globals.local | ||
9 | 8 | ||
10 | # dconf | 9 | # dconf |
11 | noblacklist ${HOME}/.config/dconf | 10 | noblacklist ${HOME}/.config/dconf |
11 | whitelist ${HOME}/.config/dconf | ||
12 | |||
13 | # gpg | ||
14 | mkdir ${HOME}/.gnupg | ||
15 | noblacklist ${HOME}/.gnupg | ||
16 | whitelist ${HOME}/.gnupg | ||
12 | 17 | ||
13 | # ssh | 18 | # ssh |
19 | whitelist /etc/ld.so.preload | ||
14 | noblacklist /etc/ssh | 20 | noblacklist /etc/ssh |
21 | whitelist /etc/ssh | ||
15 | noblacklist /tmp/ssh-* | 22 | noblacklist /tmp/ssh-* |
23 | whitelist /tmp/ssh-* | ||
24 | mkdir ${HOME}/.ssh | ||
16 | noblacklist ${HOME}/.ssh | 25 | noblacklist ${HOME}/.ssh |
26 | whitelist ${HOME}/.ssh | ||
17 | 27 | ||
28 | include disable-common.inc | ||
29 | include disable-devel.inc | ||
18 | include disable-exec.inc | 30 | include disable-exec.inc |
31 | include disable-interpreters.inc | ||
32 | include disable-passwdmgr.inc | ||
33 | include disable-programs.inc | ||
34 | include disable-xdg.inc | ||
35 | include whitelist-common.inc | ||
19 | include whitelist-var-common.inc | 36 | include whitelist-var-common.inc |
20 | 37 | ||
21 | apparmor | 38 | apparmor |
22 | ipc-namespace | 39 | caps.drop all |
40 | machine-id | ||
41 | netfilter | ||
42 | no3d | ||
43 | nodvd | ||
44 | nogroups | ||
45 | nonewprivs | ||
46 | noroot | ||
47 | nosound | ||
48 | notv | ||
49 | nou2f | ||
50 | novideo | ||
51 | protocol unix,inet,inet6 | ||
52 | seccomp | ||
53 | # shell none - causes gpg to hang | ||
54 | tracelog | ||
55 | |||
56 | disable-mnt | ||
57 | private-cache | ||
58 | private-dev | ||
23 | 59 | ||
24 | # Redirect | 60 | writable-run-user |
25 | include gpg.profile | ||
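Review bot: `ipc-namespace` (old line 22) is removed with no comment and no mention in the commit message. If it breaks seahorse, record that next to the option the way new line 53 does for `shell none`; otherwise keep it alongside the other hardening options. Two of the added lines also need a one-line justification: `whitelist /etc/ld.so.preload` at new line 19 sits under the `# ssh` heading without a stated reason, and `writable-run-user` at new line 60 relaxes the sandbox where the old profile relied on `include gpg.profile`, so a comment naming what needs write access under /run/user would let later readers judge whether it can be narrowed.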