Diffstat (limited to 'etc/disable-common.inc')
-rw-r--r--etc/disable-common.inc30
1 files changed, 25 insertions, 5 deletions
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 22f54604a..79732b197 100644
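--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/disable-common.local
+
 # History files in $HOME
 blacklist-nolog ${HOME}/.history
 blacklist-nolog ${HOME}/.*_history
@@ -72,12 +76,9 @@ blacklist /etc/profile.d
 blacklist /etc/rc.local
 blacklist /etc/anacrontab
 
-# General startup files
+# Startup files
 read-only ${HOME}/.xinitrc
 read-only ${HOME}/.xserverrc
-read-only ${HOME}/.profile
-
-# Shell startup files
 read-only ${HOME}/.antigen
 read-only ${HOME}/.bash_login
 read-only ${HOME}/.bashrc
@@ -96,12 +97,21 @@ read-only ${HOME}/.tcshrc
 read-only ${HOME}/.cshrc
 read-only ${HOME}/.csh_files
 read-only ${HOME}/.profile
+read-only ${HOME}/.forward
+read-only ${HOME}/.login
+read-only ${HOME}/.logout
+read-only ${HOME}/.pgpkey
+read-only ${HOME}/.plan
+read-only ${HOME}/.project
 
 # Initialization files that allow arbitrary command execution
 read-only ${HOME}/.caffrc
 read-only ${HOME}/.dotfiles
 read-only ${HOME}/dotfiles
 read-only ${HOME}/.mailcap
+read-only ${HOME}/.muttrc
+read-only ${HOME}/.mutt/muttrc
+read-only ${HOME}/.msmtprc
 read-only ${HOME}/.exrc
 read-only ${HOME}/_exrc
 read-only ${HOME}/.vimrc
@@ -118,8 +128,16 @@ read-only ${HOME}/.reportbugrc
 read-only ${HOME}/.xmonad
 read-only ${HOME}/.xscreensaver
 
-# The user ~/bin directory can override commands such as ls
+# Make directories commonly found in $PATH read-only
 read-only ${HOME}/bin
+read-only ${HOME}/.gem
+read-only ${HOME}/.luarocks
+read-only ${HOME}/.npm-packages
+
+# Make the contents of ~/.local read-only,
+# except the commonly-used ~/.local/share
+read-only ${HOME}/.local
+read-write ${HOME}/.local/share
 
 # top secret
 blacklist ${HOME}/.ecryptfs
@@ -197,6 +215,8 @@ blacklist /usr/lib64/virtualbox
 
 # prevent lxterminal connecting to an existing lxterminal session
 blacklist /tmp/.lxterminal-socket*
+# prevent tmux connecting to an existing session
+blacklist /tmp/tmux-*
 
 # disable terminals running as server resulting in sandbox escape
 blacklist ${PATH}/gnome-terminal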
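Review bot: The `read-write ${HOME}/.local/share` exception in the fourth hunk leaves writable a directory that, under the XDG layout, also holds launcher and per-user service definitions (for example `applications` and `dbus-1/services`), so a sandboxed program can still alter what later runs outside the sandbox. If the exception is needed for application data, consider restricting those subdirectories again after it, e.g. `read-only ${HOME}/.local/share/applications`. This assumes a later directive overrides an earlier one on a sub-path, which the read-only/read-write pair added here already relies on. The comment above the pair should also state why `share` is exempted, along the lines of `# ~/.local/share stays writable for application data; launcher and service subdirectories are locked below`.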