diff options
| author |  smitsohu <smitsohu@gmail.com> | 2018-10-12 19:55:55 +0200 |
|---|---|---|
| committer | smitsohu <smitsohu@gmail.com> | 2018-10-12 19:55:55 +0200 |
| commit | bcf53870f3dab1d1a813337886bd0965976875bd (patch) | |
| tree | bb6017c2bf2574690ceae4fd6da3238632261810 /etc | |
| parent | clean homedir pathname (diff) | |
| download | firejail-bcf53870f3dab1d1a813337886bd0965976875bd.tar.gz firejail-bcf53870f3dab1d1a813337886bd0965976875bd.tar.zst firejail-bcf53870f3dab1d1a813337886bd0965976875bd.zip | |
consolidate cloud blacklisting, alphabetize, other nitpicks
Diffstat (limited to 'etc')
| -rw-r--r-- | etc/disable-common.inc | 18 | ||||
| -rw-r--r-- | etc/disable-programs.inc | 2 | ||||
| -rw-r--r-- | etc/krunner.profile | 4 |
3 files changed, 13 insertions, 11 deletions
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 0f6e6bd19..ceca17826 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
| @@ -317,9 +317,11 @@ blacklist /var/backup | |||
| 317 | # cloud provider configuration | 317 | # cloud provider configuration |
| 318 | blacklist ${HOME}/.aws | 318 | blacklist ${HOME}/.aws |
| 319 | blacklist ${HOME}/.boto | 319 | blacklist ${HOME}/.boto |
| 320 | blacklist /etc/boto.cfg | ||
| 321 | blacklist ${HOME}/.config/gcloud | 320 | blacklist ${HOME}/.config/gcloud |
| 322 | blacklist ${HOME}/.kube | 321 | blacklist ${HOME}/.kube |
| 322 | blacklist ${HOME}/.passwd-s3fs | ||
| 323 | blacklist ${HOME}/.s3cmd | ||
| 324 | blacklist /etc/boto.cfg | ||
| 323 | 325 | ||
| 324 | # system directories | 326 | # system directories |
| 325 | blacklist /sbin | 327 | blacklist /sbin |
| @@ -391,14 +393,14 @@ blacklist /vmlinuz* | |||
| 391 | # snapshot files | 393 | # snapshot files |
| 392 | blacklist /.snapshots | 394 | blacklist /.snapshots |
| 393 | 395 | ||
| 394 | # complement noexec ${HOME} and noexec /tmp | ||
| 395 | noexec /tmp/.X11-unix | ||
| 396 | |||
| 397 | # flatpak | 396 | # flatpak |
| 398 | blacklist ${HOME}/*.config/flatpak | 397 | blacklist ${HOME}/.config/flatpak |
| 399 | blacklist ${HOME}/*.var | 398 | blacklist ${HOME}/.local/share/flatpak |
| 400 | blacklist ${HOME}/*.local/share/flatpak | 399 | blacklist ${HOME}/.var |
| 401 | blacklist /var/lib/flatpak | ||
| 402 | blacklist /usr/share/flatpak | 400 | blacklist /usr/share/flatpak |
| 401 | blacklist /var/lib/flatpak | ||
| 403 | # most of the time bwrap is SUID binary | 402 | # most of the time bwrap is SUID binary |
| 404 | blacklist ${PATH}/bwrap | 403 | blacklist ${PATH}/bwrap |
| 404 | |||
| 405 | # complement noexec ${HOME} and noexec /tmp | ||
| 406 | noexec /tmp/.X11-unix | ||
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 6fa0eed26..251362b77 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
| @@ -478,7 +478,6 @@ blacklist ${HOME}/.openshot | |||
| 478 | blacklist ${HOME}/.openshot_qt | 478 | blacklist ${HOME}/.openshot_qt |
| 479 | blacklist ${HOME}/.opera | 479 | blacklist ${HOME}/.opera |
| 480 | blacklist ${HOME}/.opera-beta | 480 | blacklist ${HOME}/.opera-beta |
| 481 | blacklist ${HOME}/.passwd-s3fs | ||
| 482 | blacklist ${HOME}/.pingus | 481 | blacklist ${HOME}/.pingus |
| 483 | blacklist ${HOME}/.purple | 482 | blacklist ${HOME}/.purple |
| 484 | blacklist ${HOME}/.qemu-launcher | 483 | blacklist ${HOME}/.qemu-launcher |
| @@ -488,7 +487,6 @@ blacklist ${HOME}/.remmina | |||
| 488 | blacklist ${HOME}/.repo_.gitconfig.json | 487 | blacklist ${HOME}/.repo_.gitconfig.json |
| 489 | blacklist ${HOME}/.repoconfig | 488 | blacklist ${HOME}/.repoconfig |
| 490 | blacklist ${HOME}/.retroshare | 489 | blacklist ${HOME}/.retroshare |
| 491 | blacklist ${HOME}/.s3cmd | ||
| 492 | blacklist ${HOME}/.scribus | 490 | blacklist ${HOME}/.scribus |
| 493 | blacklist ${HOME}/.scribusrc | 491 | blacklist ${HOME}/.scribusrc |
| 494 | blacklist ${HOME}/.simutrans | 492 | blacklist ${HOME}/.simutrans |
diff --git a/etc/krunner.profile b/etc/krunner.profile index 6b84e2c7c..0b1b9e5de 100644 --- a/etc/krunner.profile +++ b/etc/krunner.profile | |||
| @@ -11,7 +11,7 @@ include /etc/firejail/globals.local | |||
| 11 | # with its own profile, if it is sandboxed automatically. | 11 | # with its own profile, if it is sandboxed automatically. |
| 12 | 12 | ||
| 13 | # noblacklist ${HOME}/.cache/krunner | 13 | # noblacklist ${HOME}/.cache/krunner |
| 14 | # noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite | 14 | # noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite* |
| 15 | # noblacklist ${HOME}/.config/chromium | 15 | # noblacklist ${HOME}/.config/chromium |
| 16 | noblacklist ${HOME}/.config/krunnerrc | 16 | noblacklist ${HOME}/.config/krunnerrc |
| 17 | noblacklist ${HOME}/.kde/share/config/krunnerrc | 17 | noblacklist ${HOME}/.kde/share/config/krunnerrc |
| @@ -34,3 +34,5 @@ nonewprivs | |||
| 34 | noroot | 34 | noroot |
| 35 | protocol unix,inet,inet6 | 35 | protocol unix,inet,inet6 |
| 36 | seccomp | 36 | seccomp |
| 37 | |||
| 38 | # private-cache | ||