-rw-r--r-- | etc/disable-common.inc | 1 | ||||
-rw-r--r-- | etc/disable-programs.inc | 2 | ||||
-rw-r--r-- | etc/gwenview.profile | 2 | ||||
-rw-r--r-- | etc/kdenlive.profile | 2 | ||||
-rw-r--r-- | etc/krunner.profile | 8 | ||||
-rw-r--r-- | etc/kwin_x11.profile | 2 | ||||
-rw-r--r-- | etc/okular.profile | 2 |
7 files changed, 13 insertions, 6 deletions
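--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -8,6 +8,7 @@ blacklist-nolog ${HOME}/.adobe
 blacklist-nolog ${HOME}/.cache/greenclip*
 blacklist-nolog ${HOME}/.history
 blacklist-nolog ${HOME}/.local/share/fish/fish_history
+blacklist-nolog ${HOME}/.local/share/klipper
 blacklist-nolog ${HOME}/.macromedia
 blacklist-nolog /tmp/clipmenu*
 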
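Review bot: The new `blacklist-nolog ${HOME}/.local/share/klipper` entry denies the Klipper clipboard history to every sandboxed program, and because it is the `-nolog` variant a program that breaks on the denial leaves nothing in the firejail log to diagnose it from. That is consistent with the neighbouring greenclip and clipmenu entries, but any profile for a program that legitimately reads that history (none is part of this commit) now needs a matching `noblacklist ${HOME}/.local/share/klipper`. A one-line comment above the group, `# clipboard-manager history: kept out of every sandbox`, would record why these paths sit together here.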
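--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -483,6 +483,7 @@ blacklist ${HOME}/.cache/chromium
 blacklist ${HOME}/.cache/chromium-dev
 blacklist ${HOME}/.cache/cliqz
 blacklist ${HOME}/.cache/darktable
+blacklist ${HOME}/.cache/discover
 blacklist ${HOME}/.cache/epiphany
 blacklist ${HOME}/.cache/evolution
 blacklist ${HOME}/.cache/fossamail
@@ -496,6 +497,7 @@ blacklist ${HOME}/.cache/icedove
 blacklist ${HOME}/.cache/INRIA/Natron
 blacklist ${HOME}/.cache/inox
 blacklist ${HOME}/.cache/iridium
+blacklist ${HOME}/.cache/krunner
 blacklist ${HOME}/.cache/kscreenlocker_greet
 blacklist ${HOME}/.cache/ksmserver-logout-greeter
 blacklist ${HOME}/.cache/ksplashqml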
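Review bot: `blacklist ${HOME}/.cache/krunner` is added in the second hunk while etc/krunner.profile in this same commit only carries the matching `noblacklist` commented out, so krunner itself is now denied its own cache directory. If that is intended, the krunner profile should say so next to the commented line; if not, `noblacklist ${HOME}/.cache/krunner` should be enabled there. The same question applies to `blacklist ${HOME}/.cache/discover` in the first hunk: no profile in this commit re-allows it, so an existing Discover profile (not visible here) would need `noblacklist ${HOME}/.cache/discover` to keep its cache.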
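--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -39,7 +39,7 @@ tracelog
 
 private-bin gwenview,gimp*,kbuildsycoca4,kdeinit4
 private-dev
-# private-etc X11
+# private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
 
 # memory-deny-write-execute
 noexec ${HOME}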
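Review bot: The `private-etc` line on line 42 stays commented out, so the rewritten allow-list has no effect on the sandbox, and the commit neither enables it nor records why it remains disabled. The previous sole entry `X11` was dropped from the proposed list here, while the proposed list in etc/kdenlive.profile (its line 28) keeps `X11`; once either is enabled the two profiles will disagree on whether /etc/X11 is needed. A reason next to the line, e.g. `# private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg - disabled: <reason>`, would keep the intent visible; the same applies to the kdenlive hunk.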
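--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -25,7 +25,7 @@ shell none
 
 private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper
 private-dev
-# private-etc fonts,alternatives,X11,pulse,passwd
+# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,xdg,X11
 
 # noexec ${HOME}
 noexec /tmp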
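--- a/etc/krunner.profile
+++ b/etc/krunner.profile
@@ -5,12 +5,15 @@ include /etc/firejail/krunner.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# start a program in krunner: program will run with this generic profile
-# open a file in krunner: file viewer will run with its own profile (if firejailed automatically)
+# - programs started in krunner run with this generic profile.
+# - when a file is opened in krunner, the file viewer runs in its own sandbox
+# with its own profile, if it is sandboxed automatically.
 
+# noblacklist ${HOME}/.cache/krunner
 noblacklist ${HOME}/.config/krunnerrc
 noblacklist ${HOME}/.kde/share/config/krunnerrc
 noblacklist ${HOME}/.kde4/share/config/krunnerrc
+# noblacklist ${HOME}/.local/share/baloo
 
 include /etc/firejail/disable-common.inc
 # include /etc/firejail/disable-devel.inc
@@ -21,6 +24,7 @@ include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6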
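Review bot: The two new commented lines `# noblacklist ${HOME}/.cache/krunner` and `# noblacklist ${HOME}/.local/share/baloo` in the first hunk give no reason for being disabled, and the first one matters because etc/disable-programs.inc in this commit starts blacklisting `${HOME}/.cache/krunner`, so krunner now runs without its own cache. Either enable the line or state the rationale inline, e.g. `# noblacklist ${HOME}/.cache/krunner - disabled: <reason>`, so the next reader does not have to guess whether the denial was tested. The baloo line presumably exists because file search would need the index, but nothing on the page shows where that path is blacklisted, so that should be confirmed before it is enabled. The `nogroups` added in the second hunk is a straightforward tightening and needs no further comment.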
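--- a/etc/kwin_x11.profile
+++ b/etc/kwin_x11.profile
@@ -34,7 +34,7 @@ tracelog
 disable-mnt
 private-bin kwin_x11
 private-dev
-private-etc drirc,fonts,ld.so.cache,machine-id,xdg
+private-etc drirc,fonts,kde5rc,ld.so.cache,machine-id,xdg
 private-tmp
 
 noexec ${HOME}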
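--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -42,7 +42,7 @@ tracelog
 
 private-bin okular,kbuildsycoca4,kdeinit4,lpr
 private-dev
-private-etc alternatives,cups,fonts,ld.so.cache,machine-id
+private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
 # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients
 
 # memory-deny-write-execute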
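Review bot: The live `private-etc` list on line 45 gains `xdg`, which is a directory entry and therefore exposes the whole /etc/xdg tree (system-wide configuration of every XDG-aware application, not only okular's) inside the sandbox. It matches what etc/kwin_x11.profile already lists, so it is probably needed for the KDE runtime, but a comment naming which /etc/xdg files okular actually reads, e.g. `# xdg: system-wide kdeglobals and friends, needed by the KDE libraries`, would justify the directory-wide grant when the list is next reviewed. The `kde4rc,kde5rc` additions line up with the kde4 helpers already in `private-bin` above.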