author | SkewedZeppelin <8296104+SkewedZeppelin@users.noreply.github.com> | 2018-03-25 10:28:16 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-03-25 10:28:16 -0400 |
commit | 2fd9dcda31740ebf6a02ae3ffd7407c95ed5cb43 (patch) | |
tree | fd5d4e62ae678dbd8b5bd5a41f6bc6c1fd100df8 /etc | |
parent | Fixup blender-2.8 and thunderbird-beta (diff) | |
parent | various profile hardening (diff) | |
Merge branch 'master' into master
Diffstat (limited to 'etc')
-rw-r--r-- | etc/disable-common.inc | 1 | ||||
-rw-r--r-- | etc/disable-programs.inc | 2 | ||||
-rw-r--r-- | etc/evince-previewer.profile | 10 | ||||
-rw-r--r-- | etc/evince-thumbnailer.profile | 10 | ||||
-rw-r--r-- | etc/kate.profile | 3 | ||||
-rw-r--r-- | etc/kmail.profile | 3 | ||||
-rw-r--r-- | etc/kwrite.profile | 3 |
7 files changed, 31 insertions, 1 deletions
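--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -75,6 +75,7 @@ blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
 blacklist ${HOME}/.local/share/kglobalaccel
 blacklist ${HOME}/.local/share/kwin
 blacklist ${HOME}/.local/share/plasma
+blacklist ${HOME}/.local/share/plasmashell
 blacklist ${HOME}/.local/share/solid
 read-only ${HOME}/.cache/ksycoca5_*
 read-only ${HOME}/.config/*notifyrc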
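--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -363,6 +363,7 @@ blacklist ${HOME}/.local/share/data/MuseScore
 blacklist ${HOME}/.local/share/data/qBittorrent
 blacklist ${HOME}/.local/share/dino
 blacklist ${HOME}/.local/share/dolphin
+blacklist ${HOME}/.local/share/emailidentities
 blacklist ${HOME}/.local/share/epiphany
 blacklist ${HOME}/.local/share/evolution
 blacklist ${HOME}/.local/share/feral-interactive
@@ -405,6 +406,7 @@ blacklist ${HOME}/.local/share/okular
 blacklist ${HOME}/.local/share/orage
 blacklist ${HOME}/.local/share/org.kde.gwenview
 blacklist ${HOME}/.local/share/pix
+blacklist ${HOME}/.local/share/plasma_notes
 blacklist ${HOME}/.local/share/psi+
 blacklist ${HOME}/.local/share/qpdfview
 blacklist ${HOME}/.local/share/qutebrowser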
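Review bot: The new `blacklist ${HOME}/.local/share/emailidentities` line in the first hunk hides that directory from every profile that includes disable-programs.inc, and within this commit only kmail.profile gains the matching `noblacklist ${HOME}/.local/share/emailidentities`. Which other profiles read the KDE PIM identity data is not visible from this diff, so they should be checked and given the same `noblacklist` line where needed, otherwise they lose access after this change. `blacklist ${HOME}/.local/share/plasma_notes` in the second hunk has no matching `noblacklist` anywhere in the commit; that is presumably intended, but the merge message does not say so.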
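--- /dev/null
+++ b/etc/evince-previewer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for evince-previewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/evince-previewer.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/evince.profile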
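--- /dev/null
+++ b/etc/evince-thumbnailer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for evince-thumbnailer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/evince-thumbnailer.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/evince.profile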
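Review bot: evince-thumbnailer.profile redirects straight to evince.profile, so the thumbnailer runs with whatever the full viewer is allowed, although it only has to render one document to an image and is typically handed files the user never chose to open. evince.profile is not part of this diff, so whether it already denies network access cannot be checked here; if it does not, a line such as `net none` placed before `include /etc/firejail/evince.profile` would tighten this profile without touching the viewer. evince-previewer.profile uses the same bare redirect, and a one-line comment in each file stating that the viewer's restrictions are inherited unchanged would make that choice explicit.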
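--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -42,4 +42,7 @@ private-dev
 # private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
 private-tmp
 
+# noexec ${HOME}
+noexec /tmp
+
 join-or-start kate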
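Review bot: `# noexec ${HOME}` is added commented out with no reason given, while kwrite.profile in the same commit enables `noexec ${HOME}`, so a reader cannot tell whether kate's home directory is left executable on purpose. If it is intentional, record why on the line itself, for example `# noexec ${HOME} - disabled: <reason, to be filled in by the author>`; otherwise enable it as in kwrite.profile. The hunk shows only the tail of the profile, so any earlier line that might explain this is out of view.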
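--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -5,7 +5,7 @@ include /etc/firejail/kmail.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# if akonadi has a mysql backend, starting it inside this sandbox will fail
+# if akonadi has a mysql backend, starting it inside this sandbox will fail.
 # one solution is to have akonadi already running when kmail is launched
 
 noblacklist ${HOME}/.cache/akonadi*
@@ -15,6 +15,7 @@ noblacklist ${HOME}/.config/emailidentities
 noblacklist ${HOME}/.config/kmail2rc
 noblacklist ${HOME}/.local/share/akonadi/*
 noblacklist ${HOME}/.local/share/contacts
+noblacklist ${HOME}/.local/share/emailidentities
 noblacklist ${HOME}/.local/share/kmail2
 noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.gnupg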
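--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -43,4 +43,7 @@ private-dev
 private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
 private-tmp
 
+noexec ${HOME}
+noexec /tmp
+
 join-or-start kwrite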