Tighten multiple profiles.

This adds whitelist-var-common, machine-id, memory-deny-write-execute, and noexec home and tmp when possible.
author: Fred-Barclay <Fred-Barclay@users.noreply.github.com> 2017-10-04 16:24:36 -0500
committer: Fred-Barclay <Fred-Barclay@users.noreply.github.com> 2017-10-04 16:24:36 -0500
commit: c6259375dff79484b9f3d587da9fbfa76a3b68b9 (patch)
tree: 1b7c010c2f6b0886ccd7a537bb146f7f46cb1d7f /etc
parent: Tighten spotify profile (diff)
download: firejail-c6259375dff79484b9f3d587da9fbfa76a3b68b9.tar.gz
firejail-c6259375dff79484b9f3d587da9fbfa76a3b68b9.tar.zst
firejail-c6259375dff79484b9f3d587da9fbfa76a3b68b9.zip
15 files changed, 48 insertions, 37 deletions
diff --git a/etc/gedit.profile b/etc/gedit.profile
index 928006d08..5bf246d66 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -19,6 +19,7 @@ include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 # net none - makes settings immutable
+machine-id
 no3d
 nodvd
 nogroups
@@ -37,5 +38,6 @@ private-dev
 # private-etc fonts
 private-tmp
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/gitter.profile b/etc/gitter.profile
index 0a47bf888..3e84455f1 100644
--- a/etc/gitter.profile
+++ b/etc/gitter.profile
@@ -13,7 +13,13 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+whitelist ${DOWNLOADS}
+whitelist ~/.config/autostart
+whitelist ~/.config/Gitter
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
+machine-id
 netfilter
 nodvd
 nogroups
@@ -25,7 +31,12 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
+disable-mnt
 private-bin bash,env,gitter
+private-etc fonts,pulse,resolv.conf
 private-opt Gitter
 private-dev
 private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile
index a50e0e89d..6e5175989 100644
--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -21,6 +21,7 @@ whitelist ~/.cache/google-chrome
 whitelist ~/.config/google-chrome
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.keep sys_chroot,sys_admin
 netfilter
diff --git a/etc/handbrake.profile b/etc/handbrake.profile
index f5e7bc329..5235e91f2 100644
--- a/etc/handbrake.profile
+++ b/etc/handbrake.profile
@@ -19,7 +19,6 @@ netfilter
 nogroups
 nonewprivs
 noroot
-nosound
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index fc817d9f9..47d39e8c4 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -16,8 +16,10 @@ include /etc/firejail/disable-programs.inc
 mkdir ~/.config/hexchat
 whitelist ~/.config/hexchat
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
+machine-id
 netfilter
 no3d
 nodvd
@@ -38,5 +40,6 @@ private-bin hexchat
 private-dev
 private-tmp
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/keepassx.profile b/etc/keepassx.profile
index 9d943d89c..27ca408f5 100644
--- a/etc/keepassx.profile
+++ b/etc/keepassx.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 machine-id
 net none
@@ -36,5 +38,6 @@ private-dev
 private-etc fonts,machine-id
 private-tmp
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/keepassx2.profile b/etc/keepassx2.profile
index e20e06b76..ba98df19d 100644
--- a/etc/keepassx2.profile
+++ b/etc/keepassx2.profile
@@ -1,38 +1,5 @@
 # Firejail profile for keepassx2
 # This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/keepassx2.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-noblacklist ${HOME}/*.kdb
+# Redirects
-noblacklist ${HOME}/*.kdbx
+include /etc/firejail/keepassx.profile
-noblacklist ${HOME}/.config/keepassx
-noblacklist ${HOME}/.keepassx
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-caps.drop all
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-private-bin keepassx2
-private-dev
-private-etc fonts
-private-tmp
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile
index f79cda80d..a8c6d65f5 100644
--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 net none
 no3d
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index 8d05a557c..214b49c65 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -17,6 +17,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 caps.drop all
+machine-id
 netfilter
 nodvd
 nogroups
@@ -29,6 +30,7 @@ shell none
 tracelog
 private-dev
+private-tmp
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/pluma.profile b/etc/pluma.profile
index 718dee440..56786fda7 100644
--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -12,8 +12,11 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 # net none - makes settings immutable
+machine-id
 no3d
 nodvd
 nogroups
@@ -32,5 +35,6 @@ private-dev
 # private-etc fonts
 private-tmp
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index 86db5c26c..aeb52b991 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -25,6 +25,7 @@ whitelist ~/.config/qBittorrentrc
 whitelist ~/.config/qt5ct
 whitelist ~/.local/share/data/qBittorrent
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 machine-id
@@ -44,3 +45,7 @@ seccomp
 private-dev
 # private-etc X11,fonts,xdg,resolv.conf
 private-tmp
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/stellarium.profile b/etc/stellarium.profile
index 89e2d1a30..360b9f881 100644
--- a/etc/stellarium.profile
+++ b/etc/stellarium.profile
@@ -18,8 +18,10 @@ mkdir ~/.stellarium
 whitelist ~/.config/stellarium
 whitelist ~/.stellarium
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
+machine-id
 netfilter
 nodvd
 nogroups
@@ -36,3 +38,6 @@ disable-mnt
 private-bin stellarium
 private-dev
 private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
index 8e878eb1c..db944a2c0 100644
--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -22,9 +22,11 @@ whitelist ~/.gnupg
 whitelist ~/.icedove
 whitelist ~/.thunderbird
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 ignore private-tmp
+machine-id
+disable-mnt
 read-only ~/.config/mimeapps.list
 # allow browsers
diff --git a/etc/vlc.profile b/etc/vlc.profile
index c3a4d58d0..4e6d37fc5 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 caps.drop all
+machine-id
 netfilter
 # nogroups
 nonewprivs
diff --git a/etc/xed.profile b/etc/xed.profile
index 42a42ef5f..bb8b0bf23 100644
--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -12,8 +12,11 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 # net none - makes settings immutable
+machine-id
 no3d
 nodvd
 nogroups
@@ -32,5 +35,6 @@ private-dev
 # private-etc fonts
 private-tmp
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
author	Fred-Barclay <Fred-Barclay@users.noreply.github.com>	2017-10-04 16:24:36 -0500
committer	Fred-Barclay <Fred-Barclay@users.noreply.github.com>	2017-10-04 16:24:36 -0500
commit	c6259375dff79484b9f3d587da9fbfa76a3b68b9 (patch)
tree	1b7c010c2f6b0886ccd7a537bb146f7f46cb1d7f /etc
parent	Tighten spotify profile (diff)
download	firejail-c6259375dff79484b9f3d587da9fbfa76a3b68b9.tar.gz firejail-c6259375dff79484b9f3d587da9fbfa76a3b68b9.tar.zst firejail-c6259375dff79484b9f3d587da9fbfa76a3b68b9.zip

diff --git a/etc/gedit.profile b/etc/gedit.profile index 928006d08..5bf246d66 100644 --- a/etc/gedit.profile +++ b/etc/gedit.profile
@@ -19,6 +19,7 @@ include /etc/firejail/whitelist-var-common.inc
19		19
20	caps.drop all	20	caps.drop all
21	# net none - makes settings immutable	21	# net none - makes settings immutable
		22	machine-id
22	no3d	23	no3d
23	nodvd	24	nodvd
24	nogroups	25	nogroups
@@ -37,5 +38,6 @@ private-dev
37	# private-etc fonts	38	# private-etc fonts
38	private-tmp	39	private-tmp
39		40
		41	memory-deny-write-execute
40	noexec ${HOME}	42	noexec ${HOME}
41	noexec /tmp	43	noexec /tmp


diff --git a/etc/gitter.profile b/etc/gitter.profile index 0a47bf888..3e84455f1 100644 --- a/etc/gitter.profile +++ b/etc/gitter.profile
@@ -13,7 +13,13 @@ include /etc/firejail/disable-devel.inc
13	include /etc/firejail/disable-passwdmgr.inc	13	include /etc/firejail/disable-passwdmgr.inc
14	include /etc/firejail/disable-programs.inc	14	include /etc/firejail/disable-programs.inc
15		15
		16	whitelist ${DOWNLOADS}
		17	whitelist ~/.config/autostart
		18	whitelist ~/.config/Gitter
		19	include /etc/firejail/whitelist-var-common.inc
		20
16	caps.drop all	21	caps.drop all
		22	machine-id
17	netfilter	23	netfilter
18	nodvd	24	nodvd
19	nogroups	25	nogroups
@@ -25,7 +31,12 @@ protocol unix,inet,inet6,netlink
25	seccomp	31	seccomp
26	shell none	32	shell none
27		33
		34	disable-mnt
28	private-bin bash,env,gitter	35	private-bin bash,env,gitter
		36	private-etc fonts,pulse,resolv.conf
29	private-opt Gitter	37	private-opt Gitter
30	private-dev	38	private-dev
31	private-tmp	39	private-tmp
		40
		41	noexec ${HOME}
		42	noexec /tmp


diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile index a50e0e89d..6e5175989 100644 --- a/etc/google-chrome.profile +++ b/etc/google-chrome.profile
@@ -21,6 +21,7 @@ whitelist ~/.cache/google-chrome
21	whitelist ~/.config/google-chrome	21	whitelist ~/.config/google-chrome
22	whitelist ~/.pki	22	whitelist ~/.pki
23	include /etc/firejail/whitelist-common.inc	23	include /etc/firejail/whitelist-common.inc
		24	include /etc/firejail/whitelist-var-common.inc
24		25
25	caps.keep sys_chroot,sys_admin	26	caps.keep sys_chroot,sys_admin
26	netfilter	27	netfilter


diff --git a/etc/handbrake.profile b/etc/handbrake.profile index f5e7bc329..5235e91f2 100644 --- a/etc/handbrake.profile +++ b/etc/handbrake.profile
@@ -19,7 +19,6 @@ netfilter
19	nogroups	19	nogroups
20	nonewprivs	20	nonewprivs
21	noroot	21	noroot
22	nosound
23	novideo	22	novideo
24	protocol unix,inet,inet6,netlink	23	protocol unix,inet,inet6,netlink
25	seccomp	24	seccomp


diff --git a/etc/hexchat.profile b/etc/hexchat.profile index fc817d9f9..47d39e8c4 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile
@@ -16,8 +16,10 @@ include /etc/firejail/disable-programs.inc
16	mkdir ~/.config/hexchat	16	mkdir ~/.config/hexchat
17	whitelist ~/.config/hexchat	17	whitelist ~/.config/hexchat
18	include /etc/firejail/whitelist-common.inc	18	include /etc/firejail/whitelist-common.inc
		19	include /etc/firejail/whitelist-var-common.inc
19		20
20	caps.drop all	21	caps.drop all
		22	machine-id
21	netfilter	23	netfilter
22	no3d	24	no3d
23	nodvd	25	nodvd
@@ -38,5 +40,6 @@ private-bin hexchat
38	private-dev	40	private-dev
39	private-tmp	41	private-tmp
40		42
		43	memory-deny-write-execute
41	noexec ${HOME}	44	noexec ${HOME}
42	noexec /tmp	45	noexec /tmp


diff --git a/etc/keepassx.profile b/etc/keepassx.profile index 9d943d89c..27ca408f5 100644 --- a/etc/keepassx.profile +++ b/etc/keepassx.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
15	include /etc/firejail/disable-passwdmgr.inc	15	include /etc/firejail/disable-passwdmgr.inc
16	include /etc/firejail/disable-programs.inc	16	include /etc/firejail/disable-programs.inc
17		17
		18	include /etc/firejail/whitelist-var-common.inc
		19
18	caps.drop all	20	caps.drop all
19	machine-id	21	machine-id
20	net none	22	net none
@@ -36,5 +38,6 @@ private-dev
36	private-etc fonts,machine-id	38	private-etc fonts,machine-id
37	private-tmp	39	private-tmp
38		40
		41	memory-deny-write-execute
39	noexec ${HOME}	42	noexec ${HOME}
40	noexec /tmp	43	noexec /tmp


diff --git a/etc/keepassx2.profile b/etc/keepassx2.profile index e20e06b76..ba98df19d 100644 --- a/etc/keepassx2.profile +++ b/etc/keepassx2.profile
@@ -1,38 +1,5 @@
1	# Firejail profile for keepassx2	1	# Firejail profile for keepassx2
2	# This file is overwritten after every install/update	2	# This file is overwritten after every install/update
3	# Persistent local customizations
4	include /etc/firejail/keepassx2.local
5	# Persistent global definitions
6	include /etc/firejail/globals.local
7		3
8	noblacklist ${HOME}/*.kdb	4	# Redirects
9	noblacklist ${HOME}/*.kdbx	5	include /etc/firejail/keepassx.profile
10	noblacklist ${HOME}/.config/keepassx
11	noblacklist ${HOME}/.keepassx
12
13	include /etc/firejail/disable-common.inc
14	include /etc/firejail/disable-devel.inc
15	include /etc/firejail/disable-passwdmgr.inc
16	include /etc/firejail/disable-programs.inc
17
18	caps.drop all
19	net none
20	no3d
21	nodvd
22	nogroups
23	nonewprivs
24	noroot
25	nosound
26	notv
27	novideo
28	protocol unix
29	seccomp
30	shell none
31
32	private-bin keepassx2
33	private-dev
34	private-etc fonts
35	private-tmp
36
37	noexec ${HOME}
38	noexec /tmp


diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile index f79cda80d..a8c6d65f5 100644 --- a/etc/keepassxc.profile +++ b/etc/keepassxc.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
15	include /etc/firejail/disable-passwdmgr.inc	15	include /etc/firejail/disable-passwdmgr.inc
16	include /etc/firejail/disable-programs.inc	16	include /etc/firejail/disable-programs.inc
17		17
		18	include /etc/firejail/whitelist-var-common.inc
		19
18	caps.drop all	20	caps.drop all
19	net none	21	net none
20	no3d	22	no3d


diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index 8d05a557c..214b49c65 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile
@@ -17,6 +17,7 @@ include /etc/firejail/disable-programs.inc
17	include /etc/firejail/whitelist-var-common.inc	17	include /etc/firejail/whitelist-var-common.inc
18		18
19	caps.drop all	19	caps.drop all
		20	machine-id
20	netfilter	21	netfilter
21	nodvd	22	nodvd
22	nogroups	23	nogroups
@@ -29,6 +30,7 @@ shell none
29	tracelog	30	tracelog
30		31
31	private-dev	32	private-dev
		33	private-tmp
32		34
33	noexec ${HOME}	35	noexec ${HOME}
34	noexec /tmp	36	noexec /tmp


diff --git a/etc/pluma.profile b/etc/pluma.profile index 718dee440..56786fda7 100644 --- a/etc/pluma.profile +++ b/etc/pluma.profile
@@ -12,8 +12,11 @@ include /etc/firejail/disable-devel.inc
12	include /etc/firejail/disable-passwdmgr.inc	12	include /etc/firejail/disable-passwdmgr.inc
13	include /etc/firejail/disable-programs.inc	13	include /etc/firejail/disable-programs.inc
14		14
		15	include /etc/firejail/whitelist-var-common.inc
		16
15	caps.drop all	17	caps.drop all
16	# net none - makes settings immutable	18	# net none - makes settings immutable
		19	machine-id
17	no3d	20	no3d
18	nodvd	21	nodvd
19	nogroups	22	nogroups
@@ -32,5 +35,6 @@ private-dev
32	# private-etc fonts	35	# private-etc fonts
33	private-tmp	36	private-tmp
34		37
		38	memory-deny-write-execute
35	noexec ${HOME}	39	noexec ${HOME}
36	noexec /tmp	40	noexec /tmp


diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index 86db5c26c..aeb52b991 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile
@@ -25,6 +25,7 @@ whitelist ~/.config/qBittorrentrc
25	whitelist ~/.config/qt5ct	25	whitelist ~/.config/qt5ct
26	whitelist ~/.local/share/data/qBittorrent	26	whitelist ~/.local/share/data/qBittorrent
27	include /etc/firejail/whitelist-common.inc	27	include /etc/firejail/whitelist-common.inc
		28	include /etc/firejail/whitelist-var-common.inc
28		29
29	caps.drop all	30	caps.drop all
30	machine-id	31	machine-id
@@ -44,3 +45,7 @@ seccomp
44	private-dev	45	private-dev
45	# private-etc X11,fonts,xdg,resolv.conf	46	# private-etc X11,fonts,xdg,resolv.conf
46	private-tmp	47	private-tmp
		48
		49	memory-deny-write-execute
		50	noexec ${HOME}
		51	noexec /tmp


diff --git a/etc/stellarium.profile b/etc/stellarium.profile index 89e2d1a30..360b9f881 100644 --- a/etc/stellarium.profile +++ b/etc/stellarium.profile
@@ -18,8 +18,10 @@ mkdir ~/.stellarium
18	whitelist ~/.config/stellarium	18	whitelist ~/.config/stellarium
19	whitelist ~/.stellarium	19	whitelist ~/.stellarium
20	include /etc/firejail/whitelist-common.inc	20	include /etc/firejail/whitelist-common.inc
		21	include /etc/firejail/whitelist-var-common.inc
21		22
22	caps.drop all	23	caps.drop all
		24	machine-id
23	netfilter	25	netfilter
24	nodvd	26	nodvd
25	nogroups	27	nogroups
@@ -36,3 +38,6 @@ disable-mnt
36	private-bin stellarium	38	private-bin stellarium
37	private-dev	39	private-dev
38	private-tmp	40	private-tmp
		41
		42	noexec ${HOME}
		43	noexec /tmp


diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile index 8e878eb1c..db944a2c0 100644 --- a/etc/thunderbird.profile +++ b/etc/thunderbird.profile
@@ -22,9 +22,11 @@ whitelist ~/.gnupg
22	whitelist ~/.icedove	22	whitelist ~/.icedove
23	whitelist ~/.thunderbird	23	whitelist ~/.thunderbird
24	include /etc/firejail/whitelist-common.inc	24	include /etc/firejail/whitelist-common.inc
		25	include /etc/firejail/whitelist-var-common.inc
25		26
26	ignore private-tmp	27	ignore private-tmp
27		28	machine-id
		29	disable-mnt
28	read-only ~/.config/mimeapps.list	30	read-only ~/.config/mimeapps.list
29		31
30	# allow browsers	32	# allow browsers


diff --git a/etc/vlc.profile b/etc/vlc.profile index c3a4d58d0..4e6d37fc5 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
15	include /etc/firejail/whitelist-var-common.inc	15	include /etc/firejail/whitelist-var-common.inc
16		16
17	caps.drop all	17	caps.drop all
		18	machine-id
18	netfilter	19	netfilter
19	# nogroups	20	# nogroups
20	nonewprivs	21	nonewprivs


diff --git a/etc/xed.profile b/etc/xed.profile index 42a42ef5f..bb8b0bf23 100644 --- a/etc/xed.profile +++ b/etc/xed.profile
@@ -12,8 +12,11 @@ include /etc/firejail/disable-devel.inc
12	include /etc/firejail/disable-passwdmgr.inc	12	include /etc/firejail/disable-passwdmgr.inc
13	include /etc/firejail/disable-programs.inc	13	include /etc/firejail/disable-programs.inc
14		14
		15	include /etc/firejail/whitelist-var-common.inc
		16
15	caps.drop all	17	caps.drop all
16	# net none - makes settings immutable	18	# net none - makes settings immutable
		19	machine-id
17	no3d	20	no3d
18	nodvd	21	nodvd
19	nogroups	22	nogroups
@@ -32,5 +35,6 @@ private-dev
32	# private-etc fonts	35	# private-etc fonts
33	private-tmp	36	private-tmp
34		37
		38	memory-deny-write-execute
35	noexec ${HOME}	39	noexec ${HOME}
36	noexec /tmp	40	noexec /tmp