1 files changed, 13 insertions, 16 deletions
diff --git a/etc/digikam.profile b/etc/digikam.profile
index d81d00ed3..35365984e 100644
--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -1,35 +1,32 @@
-# Persistent global definitions go here
+# Firejail profile for digikam
-include /etc/firejail/globals.local
+# This file is overwritten after every install/update
+# Persistent local customizations
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
 include /etc/firejail/digikam.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-noblacklist ${HOME}/.kde4/share/apps/digikam
-noblacklist ${HOME}/.kde/share/apps/digikam
 noblacklist ${HOME}/.config/digikamrc
+noblacklist ${HOME}/.kde/share/apps/digikam
+noblacklist ${HOME}/.kde4/share/apps/digikam
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
-# This is a seccomp whitelist profile for  Debian jessie, Kubuntu 17.04.
-# Uncomment seccomp.keep line and try it out. By default only the regular seccomp blacklist profile is enabled.
-#seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group
 seccomp
+# seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group
-nogroups
 shell none
 # private-bin program
-# private-etc none
 # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
+# private-etc none
 private-tmp
 noexec ${HOME}

diff --git a/etc/digikam.profile b/etc/digikam.profile index d81d00ed3..35365984e 100644 --- a/etc/digikam.profile +++ b/etc/digikam.profile
@@ -1,35 +1,32 @@
1	# Persistent global definitions go here	1	# Firejail profile for digikam
2	include /etc/firejail/globals.local	2	# This file is overwritten after every install/update
3		3	# Persistent local customizations
4	# This file is overwritten during software install.
5	# Persistent customizations should go in a .local file.
6	include /etc/firejail/digikam.local	4	include /etc/firejail/digikam.local
		5	# Persistent global definitions
		6	include /etc/firejail/globals.local
7		7
8	noblacklist ${HOME}/.kde4/share/apps/digikam
9	noblacklist ${HOME}/.kde/share/apps/digikam
10	noblacklist ${HOME}/.config/digikamrc	8	noblacklist ${HOME}/.config/digikamrc
		9	noblacklist ${HOME}/.kde/share/apps/digikam
		10	noblacklist ${HOME}/.kde4/share/apps/digikam
11		11
12	include /etc/firejail/disable-common.inc	12	include /etc/firejail/disable-common.inc
13	include /etc/firejail/disable-programs.inc
14	include /etc/firejail/disable-passwdmgr.inc
15	include /etc/firejail/disable-devel.inc	13	include /etc/firejail/disable-devel.inc
		14	include /etc/firejail/disable-passwdmgr.inc
		15	include /etc/firejail/disable-programs.inc
16		16
17	caps.drop all	17	caps.drop all
18	netfilter	18	netfilter
		19	nogroups
19	nonewprivs	20	nonewprivs
20	noroot	21	noroot
21	protocol unix,inet,inet6,netlink	22	protocol unix,inet,inet6,netlink
22
23	# This is a seccomp whitelist profile for Debian jessie, Kubuntu 17.04.
24	# Uncomment seccomp.keep line and try it out. By default only the regular seccomp blacklist profile is enabled.
25	#seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group
26	seccomp	23	seccomp
27		24	# seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group
28	nogroups
29	shell none	25	shell none
		26
30	# private-bin program	27	# private-bin program
31	# private-etc none
32	# private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device	28	# private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
		29	# private-etc none
33	private-tmp	30	private-tmp
34		31
35	noexec ${HOME}	32	noexec ${HOME}