diff options
| author |  SYN-cook <syncookongit@gmail.com> | 2017-04-09 15:45:35 +0200 |
|---|---|---|
| committer |  GitHub <noreply@github.com> | 2017-04-09 15:45:35 +0200 |
| commit | e76037947da2fd60b3e54b88e191ad6fc768829b (patch) | |
| tree | 4306b7b33f944c0c8c68cc38514a6d6e895ab2cc /etc | |
| parent | complete baloo blacklist (diff) | |
| download | firejail-e76037947da2fd60b3e54b88e191ad6fc768829b.tar.gz firejail-e76037947da2fd60b3e54b88e191ad6fc768829b.tar.zst firejail-e76037947da2fd60b3e54b88e191ad6fc768829b.zip | |
add x11 isolation
Diffstat (limited to 'etc')
| -rw-r--r-- | etc/baloo_file.profile | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile index 1acb5def2..6696cbad2 100644 --- a/etc/baloo_file.profile +++ b/etc/baloo_file.profile | |||
| @@ -20,9 +20,13 @@ nonewprivs | |||
| 20 | noroot | 20 | noroot |
| 21 | nosound | 21 | nosound |
| 22 | protocol unix | 22 | protocol unix |
| 23 | # Baloo makes ioprio_set system calls, which are blacklisted by default. | 23 | # Baloo makes ioprio_set system calls, which are blacklisted by default. |
| 24 | # That's why we need to disable seccomp | 24 | # That's why we need to disable seccomp |
| 25 | #seccomp | 25 | #seccomp |
| 26 | # The Baloo file daemon can be isolated from X11. If there is an X11 | ||
| 27 | # abstract Unix socket, it must be disabled first by passing "-nolisten local" | ||
| 28 | # to the X server. See the Firejail manual for further instructions | ||
| 29 | #x11 none | ||
| 26 | 30 | ||
| 27 | private-dev | 31 | private-dev |
| 28 | private-tmp | 32 | private-tmp |