1 files changed, 13 insertions, 14 deletions
diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile
index 2fe6d1927..9c2909b0f 100644
--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -1,21 +1,21 @@
-# Persistent global definitions go here
+# Firejail profile for baloo_file
-include /etc/firejail/globals.local
+# This file is overwritten after every install/update
+# Persistent local customizations
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
 include /etc/firejail/baloo_file.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# KDE Baloo file daemon profile
+noblacklist ${HOME}/.config/baloofilerc
-noblacklist ${HOME}/.kde4/share/config/baloofilerc
-noblacklist ${HOME}/.kde4/share/config/baloorc
 noblacklist ${HOME}/.kde/share/config/baloofilerc
 noblacklist ${HOME}/.kde/share/config/baloorc
-noblacklist ${HOME}/.config/baloofilerc
+noblacklist ${HOME}/.kde4/share/config/baloofilerc
+noblacklist ${HOME}/.kde4/share/config/baloorc
 noblacklist ${HOME}/.local/share/baloo
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 nogroups
@@ -26,7 +26,6 @@ novideo
 protocol unix
 # Baloo makes ioprio_set system calls, which are blacklisted by default.
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old
 x11 xorg
 private-dev
@@ -37,6 +36,6 @@ noexec /tmp
 # Make home directory read-only and allow writing only to ~/.local/share
 # Note: Baloo will not be able to update the "first run" key in its configuration files.
-#read-only  ${HOME}
+# noexec     ${HOME}/.local/share
-#read-write ${HOME}/.local/share
+# read-only  ${HOME}
-#noexec     ${HOME}/.local/share
+# read-write ${HOME}/.local/share

diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile index 2fe6d1927..9c2909b0f 100644 --- a/etc/baloo_file.profile +++ b/etc/baloo_file.profile
@@ -1,21 +1,21 @@
1	# Persistent global definitions go here	1	# Firejail profile for baloo_file
2	include /etc/firejail/globals.local	2	# This file is overwritten after every install/update
3		3	# Persistent local customizations
4	# This file is overwritten during software install.
5	# Persistent customizations should go in a .local file.
6	include /etc/firejail/baloo_file.local	4	include /etc/firejail/baloo_file.local
		5	# Persistent global definitions
		6	include /etc/firejail/globals.local
7		7
8	# KDE Baloo file daemon profile	8	noblacklist ${HOME}/.config/baloofilerc
9	noblacklist ${HOME}/.kde4/share/config/baloofilerc
10	noblacklist ${HOME}/.kde4/share/config/baloorc
11	noblacklist ${HOME}/.kde/share/config/baloofilerc	9	noblacklist ${HOME}/.kde/share/config/baloofilerc
12	noblacklist ${HOME}/.kde/share/config/baloorc	10	noblacklist ${HOME}/.kde/share/config/baloorc
13	noblacklist ${HOME}/.config/baloofilerc	11	noblacklist ${HOME}/.kde4/share/config/baloofilerc
		12	noblacklist ${HOME}/.kde4/share/config/baloorc
14	noblacklist ${HOME}/.local/share/baloo	13	noblacklist ${HOME}/.local/share/baloo
		14
15	include /etc/firejail/disable-common.inc	15	include /etc/firejail/disable-common.inc
16	include /etc/firejail/disable-programs.inc
17	include /etc/firejail/disable-devel.inc	16	include /etc/firejail/disable-devel.inc
18	include /etc/firejail/disable-passwdmgr.inc	17	include /etc/firejail/disable-passwdmgr.inc
		18	include /etc/firejail/disable-programs.inc
19		19
20	caps.drop all	20	caps.drop all
21	nogroups	21	nogroups
@@ -26,7 +26,6 @@ novideo
26	protocol unix	26	protocol unix
27	# Baloo makes ioprio_set system calls, which are blacklisted by default.	27	# Baloo makes ioprio_set system calls, which are blacklisted by default.
28	seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old	28	seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old
29
30	x11 xorg	29	x11 xorg
31		30
32	private-dev	31	private-dev
@@ -37,6 +36,6 @@ noexec /tmp
37		36
38	# Make home directory read-only and allow writing only to ~/.local/share	37	# Make home directory read-only and allow writing only to ~/.local/share
39	# Note: Baloo will not be able to update the "first run" key in its configuration files.	38	# Note: Baloo will not be able to update the "first run" key in its configuration files.
40	#read-only ${HOME}	39	# noexec ${HOME}/.local/share
41	#read-write ${HOME}/.local/share	40	# read-only ${HOME}
42	#noexec ${HOME}/.local/share	41	# read-write ${HOME}/.local/share