author | smitsohu <smitsohu@gmail.com> | 2017-08-22 01:54:31 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2017-08-22 01:54:31 +0200 |
commit | f12c7af205ddd6c0d75587702f01688dc62a86c5 (patch) | |
tree | 853df0cb54dee640560b1832c14644df0ec18293 /etc | |
parent | testing (diff) | |
various profile fixes
Diffstat (limited to 'etc')
-rw-r--r-- | etc/atril.profile | 9 | ||||
-rw-r--r-- | etc/audacious.profile | 3 | ||||
-rw-r--r-- | etc/audacity.profile | 1 | ||||
-rw-r--r-- | etc/engrampa.profile | 7 | ||||
-rw-r--r-- | etc/eog.profile | 2 | ||||
-rw-r--r-- | etc/eom.profile | 4 | ||||
-rw-r--r-- | etc/file-roller.profile | 2 | ||||
-rw-r--r-- | etc/fossamail.profile | 5 | ||||
-rw-r--r-- | etc/gedit.profile | 3 | ||||
-rw-r--r-- | etc/goobox.profile | 2 | ||||
-rw-r--r-- | etc/handbrake.profile | 1 | ||||
-rw-r--r-- | etc/konversation.profile | 1 | ||||
-rw-r--r-- | etc/mediathekview.profile | 3 | ||||
-rw-r--r-- | etc/pluma.profile | 9 | ||||
-rw-r--r-- | etc/qpdfview.profile | 3 | ||||
-rw-r--r-- | etc/scribus.profile | 1 | ||||
-rw-r--r-- | etc/simple-scan.profile | 2 | ||||
-rw-r--r-- | etc/skanlite.profile | 2 | ||||
-rw-r--r-- | etc/vlc.profile | 1 | ||||
-rw-r--r-- | etc/xed.profile | 9 | ||||
-rw-r--r-- | etc/xfburn.profile | 2 | ||||
-rw-r--r-- | etc/xplayer.profile | 5 | ||||
-rw-r--r-- | etc/xreader.profile | 12 | ||||
-rw-r--r-- | etc/xviewer.profile | 5 |
24 files changed, 76 insertions, 18 deletions
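--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+no3d
 nodvd
 nogroups
 nonewprivs
@@ -28,4 +29,10 @@ tracelog
 
 private-bin atril, atril-previewer, atril-thumbnailer
 private-dev
-private-tmp
+private-etc fonts
+# atril needs access to /tmp/mozilla* to work in firefox
+# private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp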
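Review bot: Commenting out `private-tmp` in the second hunk leaves the sandbox sharing the host's entire /tmp, although the stated need is only /tmp/mozilla*. atril opens documents from untrusted sources, and the added `noexec /tmp` limits execution from that directory but does not stop the process reading or writing other programs' temporary files and sockets there. The comment should record that trade-off, for example `# private-tmp disabled: atril needs /tmp/mozilla* when opened from firefox; host /tmp is shared`. The same change is made in etc/xreader.profile.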
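--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -25,4 +25,7 @@ shell none
 tracelog
 
 private-bin audacious
+private-dev
 private-tmp
+
+memory-deny-write-execute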
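--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -30,5 +30,6 @@ private-bin audacity
 private-dev
 private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp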
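--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -12,7 +12,8 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
-netfilter
+# net none - makes settings immutable
+no3d
 nodvd
 nogroups
 nonewprivs
@@ -29,3 +30,7 @@ tracelog
 private-dev
 # private-etc fonts
 # private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp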
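Review bot: The first hunk removes `netfilter` and leaves `net none` only as a comment, so no network restriction remains in the lines shown; lines 20–29 of the new file fall outside both hunks, so a `protocol` line may exist there. If there is none, an archive manager that opens untrusted archives keeps unrestricted socket access. Adding `protocol unix`, which this commit puts into pluma and xed next to the same comment, would restrict socket families without the network-namespace change that `net none` makes. etc/eog.profile and etc/file-roller.profile drop `net none` the same way, and their hunks do not show a `protocol` line either.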
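--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -16,7 +16,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
-net none
+# net none - makes settings immutable
 no3d
 nodvd
 nogroups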
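--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -16,6 +16,8 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+# net none - makes settings immutable
+no3d
 nodvd
 nogroups
 nonewprivs
@@ -30,7 +32,9 @@ tracelog
 
 private-bin eom
 private-dev
+private-etc fonts
 private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp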
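--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -12,7 +12,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
-net none
+# net none - makes settings immutable
 no3d
 nodvd
 nogroups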
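--- a/etc/fossamail.profile
+++ b/etc/fossamail.profile
@@ -17,7 +17,6 @@ whitelist ~/.fossamail
 whitelist ~/.gnupg
 include /etc/firejail/whitelist-common.inc
 
-nodvd
-notv
-
+# allow browsers
+# Redirect
 include /etc/firejail/firefox.profile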
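--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -15,7 +15,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
-net none
+# net none - makes settings immutable
 no3d
 nodvd
 nogroups
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none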
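--- a/etc/goobox.profile
+++ b/etc/goobox.profile
@@ -13,11 +13,11 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
-nodvd
 nogroups
 nonewprivs
 noroot
 notv
+novideo
 protocol unix
 seccomp
 shell none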
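--- a/etc/handbrake.profile
+++ b/etc/handbrake.profile
@@ -18,7 +18,6 @@ nogroups
 nonewprivs
 noroot
 nosound
-notv
 novideo
 protocol unix,inet,inet6,netlink
 seccomp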
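--- a/etc/konversation.profile
+++ b/etc/konversation.profile
@@ -23,4 +23,5 @@ protocol unix,inet,inet6
 seccomp
 tracelog
 
+private-dev
 private-tmp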
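--- a/etc/mediathekview.profile
+++ b/etc/mediathekview.profile
@@ -9,8 +9,10 @@ noblacklist ~/.config/mpv
 noblacklist ~/.config/smplayer
 noblacklist ~/.config/totem
 noblacklist ~/.config/vlc
+noblacklist ~/.config/xplayer
 noblacklist ~/.java
 noblacklist ~/.local/share/totem
+noblacklist ~/.local/share/xplayer
 noblacklist ~/.mediathek3
 noblacklist ~/.mplayer
 
@@ -22,6 +24,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 nodvd
+nogroups
 nonewprivs
 noroot
 notv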
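--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -13,17 +13,24 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
-net none
+# net none - makes settings immutable
+no3d
 nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+novideo
+protocol unix
 seccomp
 shell none
 tracelog
 
 private-bin pluma
 private-dev
+# private-etc fonts
 private-tmp
+
+noexec ${HOME}
+noexec /tmp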
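Review bot: The new tail of the profile adds `noexec ${HOME}` and `noexec /tmp` but not `memory-deny-write-execute`, which this commit adds to eom, xviewer, atril and xreader next to the same two lines. If the option was tried and breaks pluma, record that as a commented line the way vlc.profile does (`# memory-deny-write-execute`), preferably with the reason; otherwise add it. etc/xed.profile and etc/xplayer.profile have the same gap.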
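--- a/etc/qpdfview.profile
+++ b/etc/qpdfview.profile
@@ -21,6 +21,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
@@ -29,3 +30,5 @@ tracelog
 private-bin qpdfview
 private-dev
 private-tmp
+
+memory-deny-write-execute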
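--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -28,6 +28,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 nodvd
+nogroups
 nonewprivs
 noroot
 nosound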
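--- a/etc/simple-scan.profile
+++ b/etc/simple-scan.profile
@@ -20,7 +20,7 @@ nonewprivs
 noroot
 nosound
 notv
-novideo
+# novideo
 protocol unix,inet,inet6,netlink
 # simple-scan makes ioperm system calls, which are blacklisted by default.
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice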
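Review bot: `# novideo` is disabled without a stated reason, unlike the `ioperm` comment two lines below it and the `# net none - makes settings immutable` form used elsewhere in this commit. A later maintainer cannot tell whether the option was tested and breaks scanning or was switched off provisionally, so say what fails, in the form `# novideo - <what breaks with it enabled>`. The same applies to `# novideo` in etc/skanlite.profile and to `# memory-deny-write-execute` in etc/vlc.profile.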
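--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -20,7 +20,7 @@ nonewprivs
 noroot
 nosound
 notv
-novideo
+# novideo
 protocol unix,netlink
 # skanlite makes ioperm system calls, which are blacklisted by default.
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice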
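--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -25,5 +25,6 @@ private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
 private-dev
 private-tmp
 
+# memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp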
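--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -13,17 +13,24 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
-net none
+# net none - makes settings immutable
+no3d
 nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+novideo
+protocol unix
 seccomp
 shell none
 tracelog
 
 private-bin xed
 private-dev
+# private-etc fonts
 private-tmp
+
+noexec ${HOME}
+noexec /tmp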
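--- a/etc/xfburn.profile
+++ b/etc/xfburn.profile
@@ -14,12 +14,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
-nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none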
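--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -18,7 +18,6 @@ netfilter
 nogroups
 nonewprivs
 noroot
-notv
 protocol unix,inet,inet6
 seccomp
 shell none
@@ -26,4 +25,8 @@ tracelog
 
 private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
 private-dev
+# private-etc fonts
 private-tmp
+
+noexec ${HOME}
+noexec /tmp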
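--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -15,17 +15,25 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+no3d
 nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
 tracelog
 
-private-bin xreader, xreader-previewer, xreader-thumbnailer
+private-bin xreader,xreader-previewer,xreader-thumbnailer
 private-dev
-private-tmp
+private-etc fonts
+# xreader needs access to /tmp/mozilla* to work in firefox
+# private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp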
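--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -16,12 +16,15 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+# net none - makes settings immutable
+no3d
 nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
@@ -29,7 +32,9 @@ tracelog
 
 private-bin xviewer
 private-dev
+private-etc fonts
 private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp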