Diffstat (limited to 'etc')
-rw-r--r-- | etc/disable-common.inc | 3 | ||||
-rw-r--r-- | etc/kwin_x11.profile | 7 | ||||
-rw-r--r-- | etc/okular.profile | 3 | ||||
-rw-r--r-- | etc/steam.profile | 2 |
4 files changed, 12 insertions, 3 deletions
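--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -194,6 +194,9 @@ read-only ${HOME}/.zshenv
 read-only ${HOME}/.zshrc
 read-only ${HOME}/.zshrc.local
 
+# Remote access
+read-only ${HOME}/.ssh/authorized_keys
+
 # Initialization files that allow arbitrary command execution
 read-only ${HOME}/.caffrc
 read-only ${HOME}/.dotfiles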
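Review bot: The new `read-only ${HOME}/.ssh/authorized_keys` rule protects a single file, but sshd's default `AuthorizedKeysFile` also reads `.ssh/authorized_keys2`, and `~/.ssh/rc` is executed at login, so a sandboxed program that can write to `~/.ssh` could still alter who may log in or what runs on login. Consider adding `read-only ${HOME}/.ssh/authorized_keys2` and `read-only ${HOME}/.ssh/rc` under the same `# Remote access` heading. Whether another rule in this file already blacklists `~/.ssh` is not visible in the hunk, and it is worth confirming how `read-only` behaves when the target file does not exist yet.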
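--- a/etc/kwin_x11.profile
+++ b/etc/kwin_x11.profile
@@ -33,8 +33,11 @@ tracelog
 disable-mnt
 private-bin kwin_x11
 private-dev
-private-etc drirc,ld.so.cache,machine-id,xdg
+private-etc drirc,fonts,ld.so.cache,machine-id,xdg
 private-tmp
 
-# noexec ${HOME}
+# disable QML disk caching as it conflicts with the noexec constraints below
+env QML_DISABLE_DISK_CACHE=1
+
+noexec ${HOME}
 noexec /tmp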
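Review bot: The comment above `env QML_DISABLE_DISK_CACHE=1` says the cache "conflicts with the noexec constraints" without saying how, so a later maintainer cannot tell when the workaround can be dropped. I would word it as `# QML maps its on-disk cache under ${HOME} as executable, which noexec ${HOME} blocks; disable the cache`. That is presumably the failure seen, so please confirm it. The same comment is added in etc/okular.profile. The `fonts` entry added to `private-etc` is unrelated to the cache change and carries no comment on why kwin_x11 needs it.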
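--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -45,6 +45,9 @@ private-dev
 private-etc alternatives,cups,fonts,ld.so.cache,machine-id
 # private-tmp - on KDE we need access to the real /tmp for data exchange with thunderbird
 
+# disable QML disk caching as it conflicts with the noexec constraints below
+env QML_DISABLE_DISK_CACHE=1
+
 # memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp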
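--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -47,5 +47,5 @@ shell none
 # private-dev should be commented for controllers
 private-dev
 # private-etc breaks some games
-#private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl
+#private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,services
 private-tmp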
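Review bot: `services` is appended after `ssl` on the `#private-etc` line, out of the alphabetical order most of the list keeps; placing it between `resolv.conf` and `ssl` would make later additions easier to review. The line is still commented out, so the entry has no effect on the sandbox until someone enables `private-etc`. It would help to extend the comment above to `# private-etc breaks some games; list kept for users who enable it`.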