-rw-r--r-- | etc/cvlc.profile | 2 | ||||
-rw-r--r-- | etc/konversation.profile | 3 | ||||
-rw-r--r-- | etc/skanlite.profile | 9 | ||||
-rw-r--r-- | etc/tracker.profile | 1 | ||||
-rw-r--r-- | etc/tuxguitar.profile | 1 |
5 files changed, 11 insertions, 5 deletions
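--- a/etc/cvlc.profile
+++ b/etc/cvlc.profile
@@ -14,11 +14,9 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
-nodvd
 nogroups
 nonewprivs
 noroot
-notv
 protocol unix,inet,inet6,netlink
 seccomp
 shell none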
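--- a/etc/konversation.profile
+++ b/etc/konversation.profile
@@ -15,9 +15,12 @@ caps.drop all
 netfilter
 nodvd
 nogroups
+nonewprivs
 noroot
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
+tracelog
 
 private-tmp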
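--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -12,6 +12,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+# net none
 netfilter
 nodvd
 nogroups
@@ -19,11 +20,13 @@ nonewprivs
 noroot
 nosound
 notv
-# protocol unix,inet,inet6
-seccomp
+novideo
+protocol unix,netlink
+# skanlite makes ioperm system calls, which are blacklisted by default.
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
 
-# private-bin skanlite
+# private-bin skanlite,kbuildsycoca4
 # private-dev
 # private-etc
 # private-tmp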
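Review bot: The `seccomp.drop` line added in the second hunk of etc/skanlite.profile looks like a hand-expanded copy of the default filter with only `ioperm` left out, so syscalls added to the default list later will not be blocked for skanlite unless someone re-syncs this line by hand. The comment above it should say so, for example `# Default seccomp list minus ioperm; re-sync whenever the default list changes.` It is also worth recording that `caps.drop all` removes CAP_SYS_RAWIO, so the permitted call should fail with EPERM rather than grant port access: `# ioperm is allowed only so the call fails cleanly; caps.drop all still denies port I/O.` Separately, the new `protocol unix,netlink` excludes inet/inet6, which presumably stops network-attached scanners from working, so a short comment beside it and beside `# net none` saying when each should be changed would help users.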
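--- a/etc/tracker.profile
+++ b/etc/tracker.profile
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none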
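--- a/etc/tuxguitar.profile
+++ b/etc/tuxguitar.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+netfilter
 no3d
 nodvd
 nonewprivs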