author | netblue30 <netblue30@yahoo.com> | 2016-10-25 09:31:47 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-10-25 09:31:47 -0400 |
commit | fd501585fec03dd70c5808e214db5d92b2f39fc7 (patch) | |
tree | ad7e22f5a3f841f4e08dbd271ec51a4dc7192416 /etc | |
parent | appimage fixes (diff) | |
parent | blacklisted kernel files (diff) | |
Merge pull request #870 from Fred-Barclay/spotify-tighten
Tightened Spotify profile
Diffstat (limited to 'etc')
-rw-r--r-- | etc/disable-common.inc | 4 | ||||
-rw-r--r-- | etc/spotify.profile | 22 |
2 files changed, 21 insertions, 5 deletions
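--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -172,3 +172,7 @@ blacklist ${PATH}/roxterm-config
 blacklist ${PATH}/terminix
 blacklist ${PATH}/urxvtc
 blacklist ${PATH}/urxvtcd
+
+# kernel files
+blacklist /vmlinuz*
+blacklist /initrd*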
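Review bot: The new `blacklist /vmlinuz*` and `blacklist /initrd*` entries hide the top-level names, but on most distributions those are symlinks whose targets live under /boot, so the kernel image and initrd stay readable through that path unless /boot is blacklisted somewhere else in this include (not visible in the hunk). The spotify.profile change in the same merge adds `blacklist /boot` per profile, which suggests the common include does not cover it. Either add `blacklist /boot` next to these two lines or extend the comment to `# kernel files (top-level symlinks; /boot is handled separately)` so the next reader knows where the real files are dealt with.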
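--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -7,16 +7,13 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
-# Whitelist the folders needed by Spotify - This is more restrictive
-# than a blacklist though, but this is all spotify requires for
-# streaming audio
+# Whitelist the folders needed by Spotify
 mkdir ${HOME}/.config/spotify
 whitelist ${HOME}/.config/spotify
 mkdir ${HOME}/.local/share/spotify
 whitelist ${HOME}/.local/share/spotify
 mkdir ${HOME}/.cache/spotify
 whitelist ${HOME}/.cache/spotify
-include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
@@ -27,5 +24,20 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
 
-#private-bin spotify
+private-bin spotify
+private-etc fonts,machine-id,pulse,resolv.conf
 private-dev
+private-tmp
+
+blacklist ${HOME}/.Xauthority
+blacklist ${HOME}/.bashrc
+blacklist /boot
+blacklist /lost+found
+blacklist /media
+blacklist /mnt
+blacklist /opt
+blacklist /root
+blacklist /sbin
+blacklist /srv
+blacklist /sys
+blacklist /var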
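Review bot: `private-etc fonts,machine-id,pulse,resolv.conf` on new line 28 leaves out the TLS trust store and host-name resolution files, so a client that streams over HTTPS will likely fail certificate validation or name lookup inside the sandbox; the usual remedy is to extend the list along the lines of `private-etc ca-certificates,fonts,hosts,machine-id,nsswitch.conf,pulse,resolv.conf,ssl` (the exact names vary by distribution, so confirm against a working run before committing). A profile that breaks the application tends to be loosened or bypassed by users, which undoes the tightening this change is after. The `blacklist ${HOME}/.Xauthority` and `blacklist ${HOME}/.bashrc` lines (new lines 32–33) look redundant, since with `whitelist ${HOME}/...` entries in effect the rest of the home directory is already hidden; either drop them or add `# redundant under whitelist mode, kept as defence in depth` so nobody reads them as the control that protects those files.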