Diffstat (limited to 'etc/mupdf.profile')
-rw-r--r-- | etc/mupdf.profile | 30 |
1 files changed, 30 insertions, 0 deletions
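--- /dev/null
+++ b/etc/mupdf.profile
@@ -0,0 +1,30 @@
+# mupdf reader profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+private-tmp
+private-dev
+private-etc fonts
+
+# mupdf will never write anything
+read-only ${HOME}
+
+#
+# Experimental:
+#
+#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
+# private-bin mupdf,sh,tempfile,rm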
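Review bot: `netfilter` on line 14 is most likely a no-op next to `net none` on line 15, because the sandbox then has only a loopback interface and, as far as I know, firejail applies its default filter only when a network interface is configured for the sandbox; the line can be dropped. The comment above `read-only ${HOME}` would help more if it stated the intent, e.g. `# viewer only: a compromised mupdf must not be able to modify files under the home directory`, and it is worth saying there that the home directory stays readable except for what the included disable-*.inc files hide. The commented-out `seccomp.keep` list contains `socket`, `connect`, `execve`, `unshare` and `setresuid`, so before it is enabled it should be trimmed against `net none` and `shell none`, with a one-line comment recording how the list was produced.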