diff options
| -rw-r--r-- | etc/disable-common.inc | 3 | ||||
| -rw-r--r-- | etc/kwin_x11.profile | 7 | ||||
| -rw-r--r-- | etc/okular.profile | 3 | ||||
| -rw-r--r-- | etc/steam.profile | 2 |
4 files changed, 12 insertions, 3 deletions
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 3344c3a1f..91c554f2e 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
| @@ -194,6 +194,9 @@ read-only ${HOME}/.zshenv | |||
| 194 | read-only ${HOME}/.zshrc | 194 | read-only ${HOME}/.zshrc |
| 195 | read-only ${HOME}/.zshrc.local | 195 | read-only ${HOME}/.zshrc.local |
| 196 | 196 | ||
| 197 | # Remote access | ||
| 198 | read-only ${HOME}/.ssh/authorized_keys | ||
| 199 | |||
| 197 | # Initialization files that allow arbitrary command execution | 200 | # Initialization files that allow arbitrary command execution |
| 198 | read-only ${HOME}/.caffrc | 201 | read-only ${HOME}/.caffrc |
| 199 | read-only ${HOME}/.dotfiles | 202 | read-only ${HOME}/.dotfiles |
diff --git a/etc/kwin_x11.profile b/etc/kwin_x11.profile index 8a578f3f3..3ce4fe80d 100644 --- a/etc/kwin_x11.profile +++ b/etc/kwin_x11.profile | |||
| @@ -33,8 +33,11 @@ tracelog | |||
| 33 | disable-mnt | 33 | disable-mnt |
| 34 | private-bin kwin_x11 | 34 | private-bin kwin_x11 |
| 35 | private-dev | 35 | private-dev |
| 36 | private-etc drirc,ld.so.cache,machine-id,xdg | 36 | private-etc drirc,fonts,ld.so.cache,machine-id,xdg |
| 37 | private-tmp | 37 | private-tmp |
| 38 | 38 | ||
| 39 | # noexec ${HOME} | 39 | # disable QML disk caching as it conflicts with the noexec constraints below |
| 40 | env QML_DISABLE_DISK_CACHE=1 | ||
| 41 | |||
| 42 | noexec ${HOME} | ||
| 40 | noexec /tmp | 43 | noexec /tmp |
diff --git a/etc/okular.profile b/etc/okular.profile index e71cd1880..59c93bdb0 100644 --- a/etc/okular.profile +++ b/etc/okular.profile | |||
| @@ -45,6 +45,9 @@ private-dev | |||
| 45 | private-etc alternatives,cups,fonts,ld.so.cache,machine-id | 45 | private-etc alternatives,cups,fonts,ld.so.cache,machine-id |
| 46 | # private-tmp - on KDE we need access to the real /tmp for data exchange with thunderbird | 46 | # private-tmp - on KDE we need access to the real /tmp for data exchange with thunderbird |
| 47 | 47 | ||
| 48 | # disable QML disk caching as it conflicts with the noexec constraints below | ||
| 49 | env QML_DISABLE_DISK_CACHE=1 | ||
| 50 | |||
| 48 | # memory-deny-write-execute | 51 | # memory-deny-write-execute |
| 49 | noexec ${HOME} | 52 | noexec ${HOME} |
| 50 | noexec /tmp | 53 | noexec /tmp |
diff --git a/etc/steam.profile b/etc/steam.profile index 33c082533..a683bcc19 100644 --- a/etc/steam.profile +++ b/etc/steam.profile | |||
| @@ -47,5 +47,5 @@ shell none | |||
| 47 | # private-dev should be commented for controllers | 47 | # private-dev should be commented for controllers |
| 48 | private-dev | 48 | private-dev |
| 49 | # private-etc breaks some games | 49 | # private-etc breaks some games |
| 50 | #private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl | 50 | #private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,services |
| 51 | private-tmp | 51 | private-tmp |