Diffstat (limited to 'etc/skanlite.profile')
-rw-r--r-- | etc/skanlite.profile | 9 |
1 files changed, 6 insertions, 3 deletions
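--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -12,6 +12,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+# net none
 netfilter
 nodvd
 nogroups
@@ -19,11 +20,13 @@ nonewprivs
 noroot
 nosound
 notv
-# protocol unix,inet,inet6
-seccomp
+novideo
+protocol unix,netlink
+# skanlite makes ioperm system calls, which are blacklisted by default.
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
 
-# private-bin skanlite
+# private-bin skanlite,kbuildsycoca4
 # private-dev
 # private-etc
 # private-tmp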
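Review bot: The `seccomp.drop` line at new line 26 hard-codes what appears to be the default syscall blacklist with only `ioperm` removed, so this profile will silently diverge from the default list whenever that list changes upstream; the comment on new line 25 should record this, e.g. `# Default seccomp blacklist minus ioperm; re-sync whenever the default list changes.` It is also worth noting in that comment that ioperm(2) requires CAP_SYS_RAWIO, which `caps.drop all` on new line 14 already removes, so the practical effect of un-blacklisting it is that the call fails with EPERM instead of the process being killed by seccomp — stating that explicitly discourages a later "fix" that relaxes `caps.drop` to make the call succeed. Keeping `iopl` in the drop list while only `ioperm` is allowed is the right granularity.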