various profile hardening

author: smitsohu <smitsohu@gmail.com> 2018-03-25 14:11:05 +0200
committer: smitsohu <smitsohu@gmail.com> 2018-03-25 14:11:05 +0200
commit: 1a8ce98198a0a5098d88c81116ef1ccbc3764b8e (patch)
tree: 059897b3b741d4c6f72cfe7dd217201d8df1a523 /etc
parent: evince-previewer, evince-thumbnailer (diff)
download: firejail-1a8ce98198a0a5098d88c81116ef1ccbc3764b8e.tar.gz
firejail-1a8ce98198a0a5098d88c81116ef1ccbc3764b8e.tar.zst
firejail-1a8ce98198a0a5098d88c81116ef1ccbc3764b8e.zip
5 files changed, 11 insertions, 1 deletions
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 19be56f86..e5de0b61f 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -75,6 +75,7 @@ blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
 blacklist ${HOME}/.local/share/kglobalaccel
 blacklist ${HOME}/.local/share/kwin
 blacklist ${HOME}/.local/share/plasma
+blacklist ${HOME}/.local/share/plasmashell
 blacklist ${HOME}/.local/share/solid
 read-only ${HOME}/.cache/ksycoca5_*
 read-only ${HOME}/.config/*notifyrc
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 3f0d7b337..de88cbc24 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -363,6 +363,7 @@ blacklist ${HOME}/.local/share/data/MuseScore
 blacklist ${HOME}/.local/share/data/qBittorrent
 blacklist ${HOME}/.local/share/dino
 blacklist ${HOME}/.local/share/dolphin
+blacklist ${HOME}/.local/share/emailidentities
 blacklist ${HOME}/.local/share/epiphany
 blacklist ${HOME}/.local/share/evolution
 blacklist ${HOME}/.local/share/feral-interactive
@@ -405,6 +406,7 @@ blacklist ${HOME}/.local/share/okular
 blacklist ${HOME}/.local/share/orage
 blacklist ${HOME}/.local/share/org.kde.gwenview
 blacklist ${HOME}/.local/share/pix
+blacklist ${HOME}/.local/share/plasma_notes
 blacklist ${HOME}/.local/share/psi+
 blacklist ${HOME}/.local/share/qpdfview
 blacklist ${HOME}/.local/share/qutebrowser
diff --git a/etc/kate.profile b/etc/kate.profile
index a3d2be6b2..5042077e5 100644
--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -42,4 +42,7 @@ private-dev
 # private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
 private-tmp
+# noexec ${HOME}
+noexec /tmp
 join-or-start kate
diff --git a/etc/kmail.profile b/etc/kmail.profile
index 3ee8370cb..952af55c8 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -5,7 +5,7 @@ include /etc/firejail/kmail.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-# if akonadi has a mysql backend, starting it inside this sandbox will fail
+# if akonadi has a mysql backend, starting it inside this sandbox will fail.
 # one solution is to have akonadi already running when kmail is launched
 noblacklist ${HOME}/.cache/akonadi*
@@ -15,6 +15,7 @@ noblacklist ${HOME}/.config/emailidentities
 noblacklist ${HOME}/.config/kmail2rc
 noblacklist ${HOME}/.local/share/akonadi/*
 noblacklist ${HOME}/.local/share/contacts
+noblacklist ${HOME}/.local/share/emailidentities
 noblacklist ${HOME}/.local/share/kmail2
 noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.gnupg
diff --git a/etc/kwrite.profile b/etc/kwrite.profile
index a785f3541..1c4e50b77 100644
--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -43,4 +43,7 @@ private-dev
 private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
 private-tmp
+noexec ${HOME}
+noexec /tmp
 join-or-start kwrite
author	smitsohu <smitsohu@gmail.com>	2018-03-25 14:11:05 +0200
committer	smitsohu <smitsohu@gmail.com>	2018-03-25 14:11:05 +0200
commit	1a8ce98198a0a5098d88c81116ef1ccbc3764b8e (patch)
tree	059897b3b741d4c6f72cfe7dd217201d8df1a523 /etc
parent	evince-previewer, evince-thumbnailer (diff)
download	firejail-1a8ce98198a0a5098d88c81116ef1ccbc3764b8e.tar.gz firejail-1a8ce98198a0a5098d88c81116ef1ccbc3764b8e.tar.zst firejail-1a8ce98198a0a5098d88c81116ef1ccbc3764b8e.zip