Diffstat (limited to 'etc/digikam.profile')
-rw-r--r-- | etc/digikam.profile | 31 |
1 files changed, 15 insertions, 16 deletions
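diff --git a/etc/digikam.profile b/etc/digikam.profile
index d81d00ed3..0ff437608 100644
--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -1,36 +1,35 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for digikam
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/digikam.local
+# Persistent global definitions
+include /etc/firejail/globals.local
 
-noblacklist ${HOME}/.kde4/share/apps/digikam
-noblacklist ${HOME}/.kde/share/apps/digikam
 noblacklist ${HOME}/.config/digikamrc
+noblacklist ${HOME}/.kde/share/apps/digikam
+noblacklist ${HOME}/.kde4/share/apps/digikam
 
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
-
-# This is a seccomp whitelist profile for Debian jessie, Kubuntu 17.04.
-# Uncomment seccomp.keep line and try it out. By default only the regular seccomp blacklist profile is enabled.
-#seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group
 seccomp
-
-nogroups
 shell none
+
 # private-bin program
-# private-etc none
 # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
+# private-etc none
 private-tmp
 
 noexec ${HOME}
 noexec /tmp
+
+# CLOBBERED COMMENTS
+# seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group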
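Review bot: The commented `# seccomp.keep ...` line kept under `# CLOBBERED COMMENTS` at the end of the new file has lost the two lines that explained it. The removed text recorded that the list is a seccomp whitelist for Debian jessie and Kubuntu 17.04, and that only the regular `seccomp` blacklist is enabled unless the line is uncommented. Without that, a reader who enables it on another release gets no hint that the syscall list was recorded on specific systems and may not fit theirs. I would carry the context over next to the list, e.g. `# seccomp whitelist for Debian jessie, Kubuntu 17.04; disabled by default, only the regular seccomp filter above is active`. The new file also reads `digikam.local` before `globals.local`, the reverse of the old order; if that is meant to change which file's settings are processed first, it is worth stating in the profile header.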