1 files changed, 54 insertions, 0 deletions
diff --git a/etc/profile-a-l/baloo_file.profile b/etc/profile-a-l/baloo_file.profile
new file mode 100644
index 000000000..785e37a16
--- /dev/null
+++ b/etc/profile-a-l/baloo_file.profile
@@ -0,0 +1,54 @@
+# Firejail profile for baloo_file
+# This file is overwritten after every install/update
+# Persistent local customizations
+include baloo_file.local
+# Persistent global definitions
+include globals.local
+# Make home directory read-only and allow writing only to ${HOME}/.local/share/baloo
+# Note: Baloo will not be able to update the "first run" key in its configuration files.
+# mkdir ${HOME}/.local/share/baloo
+# read-only ${HOME}
+# read-write ${HOME}/.local/share/baloo
+# ignore read-write
+noblacklist ${HOME}/.config/baloofilerc
+noblacklist ${HOME}/.kde/share/config/baloofilerc
+noblacklist ${HOME}/.kde/share/config/baloorc
+noblacklist ${HOME}/.kde4/share/config/baloofilerc
+noblacklist ${HOME}/.kde4/share/config/baloorc
+noblacklist ${HOME}/.local/share/baloo
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+# net none
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+# blacklisting of ioprio_set system calls breaks baloo_file
+seccomp !ioprio_set
+shell none
+# x11 xorg
+private-bin baloo_file,baloo_file_extractor,baloo_filemetadata_temp_extractor,kbuildsycoca4
+private-cache
+private-dev
+private-tmp

diff --git a/etc/profile-a-l/baloo_file.profile b/etc/profile-a-l/baloo_file.profile new file mode 100644 index 000000000..785e37a16 --- /dev/null +++ b/etc/profile-a-l/baloo_file.profile
@@ -0,0 +1,54 @@
	1	# Firejail profile for baloo_file
	2	# This file is overwritten after every install/update
	3	# Persistent local customizations
	4	include baloo_file.local
	5	# Persistent global definitions
	6	include globals.local
	7
	8	# Make home directory read-only and allow writing only to ${HOME}/.local/share/baloo
	9	# Note: Baloo will not be able to update the "first run" key in its configuration files.
	10	# mkdir ${HOME}/.local/share/baloo
	11	# read-only ${HOME}
	12	# read-write ${HOME}/.local/share/baloo
	13	# ignore read-write
	14
	15	noblacklist ${HOME}/.config/baloofilerc
	16	noblacklist ${HOME}/.kde/share/config/baloofilerc
	17	noblacklist ${HOME}/.kde/share/config/baloorc
	18	noblacklist ${HOME}/.kde4/share/config/baloofilerc
	19	noblacklist ${HOME}/.kde4/share/config/baloorc
	20	noblacklist ${HOME}/.local/share/baloo
	21
	22	include disable-common.inc
	23	include disable-devel.inc
	24	include disable-exec.inc
	25	include disable-interpreters.inc
	26	include disable-passwdmgr.inc
	27	include disable-programs.inc
	28
	29	include whitelist-var-common.inc
	30
	31	apparmor
	32	caps.drop all
	33	machine-id
	34	# net none
	35	netfilter
	36	no3d
	37	nodvd
	38	nogroups
	39	nonewprivs
	40	noroot
	41	nosound
	42	notv
	43	nou2f
	44	novideo
	45	protocol unix
	46	# blacklisting of ioprio_set system calls breaks baloo_file
	47	seccomp !ioprio_set
	48	shell none
	49	# x11 xorg
	50
	51	private-bin baloo_file,baloo_file_extractor,baloo_filemetadata_temp_extractor,kbuildsycoca4
	52	private-cache
	53	private-dev
	54	private-tmp