Diffstat (limited to 'etc/disable-common.inc')
-rw-r--r-- | etc/disable-common.inc | 30 |
1 files changed, 25 insertions, 5 deletions
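--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/disable-common.local
+
 # History files in $HOME
 blacklist-nolog ${HOME}/.history
 blacklist-nolog ${HOME}/.*_history
@@ -72,12 +76,9 @@ blacklist /etc/profile.d
 blacklist /etc/rc.local
 blacklist /etc/anacrontab
 
-# General startup files
+# Startup files
 read-only ${HOME}/.xinitrc
 read-only ${HOME}/.xserverrc
-read-only ${HOME}/.profile
-
-# Shell startup files
 read-only ${HOME}/.antigen
 read-only ${HOME}/.bash_login
 read-only ${HOME}/.bashrc
@@ -96,12 +97,21 @@ read-only ${HOME}/.tcshrc
 read-only ${HOME}/.cshrc
 read-only ${HOME}/.csh_files
 read-only ${HOME}/.profile
+read-only ${HOME}/.forward
+read-only ${HOME}/.login
+read-only ${HOME}/.logout
+read-only ${HOME}/.pgpkey
+read-only ${HOME}/.plan
+read-only ${HOME}/.project
 
 # Initialization files that allow arbitrary command execution
 read-only ${HOME}/.caffrc
 read-only ${HOME}/.dotfiles
 read-only ${HOME}/dotfiles
 read-only ${HOME}/.mailcap
+read-only ${HOME}/.muttrc
+read-only ${HOME}/.mutt/muttrc
+read-only ${HOME}/.msmtprc
 read-only ${HOME}/.exrc
 read-only ${HOME}/_exrc
 read-only ${HOME}/.vimrc
@@ -118,8 +128,16 @@ read-only ${HOME}/.reportbugrc
 read-only ${HOME}/.xmonad
 read-only ${HOME}/.xscreensaver
 
-# The user ~/bin directory can override commands such as ls
+# Make directories commonly found in $PATH read-only
 read-only ${HOME}/bin
+read-only ${HOME}/.gem
+read-only ${HOME}/.luarocks
+read-only ${HOME}/.npm-packages
+
+# Make the contents of ~/.local read-only,
+# except the commonly-used ~/.local/share
+read-only ${HOME}/.local
+read-write ${HOME}/.local/share
 
 # top secret
 blacklist ${HOME}/.ecryptfs
@@ -197,6 +215,8 @@ blacklist /usr/lib64/virtualbox
 
 # prevent lxterminal connecting to an existing lxterminal session
 blacklist /tmp/.lxterminal-socket*
+# prevent tmux connecting to an existing session
+blacklist /tmp/tmux-*
 
 # disable terminals running as server resulting in sandbox escape
 blacklist ${PATH}/gnome-terminal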
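Review bot: The `read-write ${HOME}/.local/share` carve-out in the `@@ -118,8 +128,16 @@` hunk hands back a tree that desktop environments consult for launchable entries (user `.desktop` files under `~/.local/share/applications`, for example), so the new `read-only ${HOME}/.local` line keeps `~/.local/bin` and `~/.local/lib` protected but leaves that one launch surface writable. If that is not intended, re-narrow it with `read-only ${HOME}/.local/share/applications` placed after the `read-write` line, assuming firejail honours the later, more specific rule — worth confirming against the mount order before relying on it. The two comment lines above also state the exception but not the reason for the restriction; I would expand them to `# ~/.local/bin is commonly in $PATH and ~/.local/lib holds user-installed modules; keep ~/.local read-only but allow the commonly-used ~/.local/share`.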