author | rusty-snake <print_hello_world+Public@protonmail.com> | 2019-04-12 19:01:38 +0200 |
---|---|---|
committer | rusty-snake <print_hello_world+Public@protonmail.com> | 2019-04-12 19:01:38 +0200 |
commit | 53dff25d69ad0d1a83dea3ce19d2d54210025f20 (patch) | |
tree | 7fddb0caa3e97f2c9a0e416a318b653f0495f2b8 /etc | |
parent | adding disable-exec.inc to the remaining profiles (diff) | |
Harden bibletime.profile
Diffstat (limited to 'etc')
-rw-r--r-- | etc/bibletime.profile | 7 |
1 files changed, 6 insertions, 1 deletions
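--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -14,6 +14,7 @@ noblacklist ${HOME}/.local/share/bibletime
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -25,7 +26,9 @@ whitelist ${HOME}/.bibletime
 whitelist ${HOME}/.sword
 whitelist ${HOME}/.local/share/bibletime
 include whitelist-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 machine-id
 netfilter
@@ -42,7 +45,9 @@ protocol unix,inet,inet6,netlink
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
 
+disable-mnt
 # private-bin bibletime,qt5ct
+private-cache
 private-dev
-private-etc alternatives,fonts,resolv.conf,sword,sword.conf,passwd,machine-id,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,ca-certificates,crypto-policies,fonts,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf
 private-tmp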
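Review bot: In the last hunk the `private-etc` line is re-sorted alphabetically and extended with `login.defs` in the same edit, so the one functional change to the /etc allow-list is easy to miss and nothing records why the sandbox now needs that file. A comment above the line such as `# login.defs: <reason it is required>` would keep the list auditable. The neighbouring `# private-bin bibletime,qt5ct` stays commented out with no stated reason, so executables remain limited only by the included disable-*.inc blacklists. A note like `# private-bin disabled: <what breaks>` would tell the next maintainer whether it can be re-enabled. The `apparmor` line added in the second hunk presumably only confines anything where firejail's AppArmor profile is loaded, which is worth confirming on the targeted distributions.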