Diffstat (limited to 'etc')
-rw-r--r-- | etc/firejail.config | 4 | ||||
-rw-r--r-- | etc/profile-a-l/cargo.profile | 1 | ||||
-rw-r--r-- | etc/profile-a-l/chromium-common.profile | 3 | ||||
-rw-r--r-- | etc/profile-a-l/firefox.profile | 3 | ||||
-rw-r--r-- | etc/profile-a-l/librewolf.profile | 3 | ||||
-rw-r--r-- | etc/templates/syscalls.txt | 2 |
6 files changed, 12 insertions, 4 deletions
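--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -113,6 +113,10 @@
 # Enable or disable seccomp support, default enabled.
 # seccomp yes
 
+# Add rules to the default seccomp filter. Same syntax as for --seccomp=
+# None by default; this is an example.
+# seccomp-filter-add !chroot,kcmp,mincore
+
 # Seccomp error action, kill, log or errno (EPERM, ENOSYS etc)
 # seccomp-error-action EPERM
 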
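Review bot: The example `seccomp-filter-add !chroot,kcmp,mincore` is presented only as an example of syntax, but it does two different things at once, and a reader who copies it to block kcmp and mincore will presumably also drop chroot from the default filter, since `!name` (as for --seccomp=) appears to mean "remove from the filter" while a bare name adds to it. The comment should spell that out, e.g. `# Names are added to the default filter; prefix a name with ! to remove it from the filter.` It would also help to state that this option is system-wide and applies to every sandbox, so it is the place to re-block a syscall (kcmp, for instance) that the shipped @default group no longer lists.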
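--- a/etc/profile-a-l/cargo.profile
+++ b/etc/profile-a-l/cargo.profile
@@ -34,6 +34,7 @@ include disable-xdg.inc
 #whitelist ${HOME}/.cargo
 #whitelist ${HOME}/.rustup
 #include whitelist-common.inc
+whitelist /usr/share/pkgconfig
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc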
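--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -37,8 +37,9 @@ include whitelist-var-common.inc
 # Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone.
 #include chromium-common-hardened.inc.profile
 
-# Add the next line to your chromium-common.local to allow screen sharing under wayland.
+# Add the next two lines to your chromium-common.local to allow screen sharing under wayland.
 #whitelist ${RUNUSER}/pipewire-0
+#whitelist /usr/share/pipewire/client.conf
 
 apparmor
 caps.keep sys_admin,sys_chroot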
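--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -56,8 +56,9 @@ dbus-user.own org.mpris.MediaPlayer2.firefox.*
 #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
 #dbus-user.talk org.kde.JobViewServer
 #dbus-user.talk org.kde.kuiserver
-# Add the next two lines to your firefox.local to allow screen sharing under wayland.
+# Add the next three lines to your firefox.local to allow screen sharing under wayland.
 #whitelist ${RUNUSER}/pipewire-0
+#whitelist /usr/share/pipewire/client.conf
 #dbus-user.talk org.freedesktop.portal.*
 # Add the next line to your firefox.local if screen sharing sharing still does not work
 # with the above lines (might depend on the portal implementation).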
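--- a/etc/profile-a-l/librewolf.profile
+++ b/etc/profile-a-l/librewolf.profile
@@ -44,8 +44,9 @@ dbus-user filter
 #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
 #dbus-user.talk org.kde.JobViewServer
 #dbus-user.talk org.kde.kuiserver
-# Add the next lines to your librewolf.local to allow screensharing under Wayland.
+# Add the next three lines to your librewolf.local to allow screensharing under Wayland.
 #whitelist ${RUNUSER}/pipewire-0
+#whitelist /usr/share/pipewire/client.conf
 #dbus-user.talk org.freedesktop.portal.*
 # Also add the next line to your librewolf.local if screensharing does not work with
 # the above lines (depends on the portal implementation).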
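--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -33,7 +33,7 @@ Definition of groups
 @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
 @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
 @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
-@default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup
+@default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup
 @default-nodebuggers=@default,ptrace,personality,process_vm_readv
 @default-keep=execveat,execve,prctl
 @file-system=access,chdir,chmod,close,creat,faccessat,faccessat2,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes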
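Review bot: Dropping kcmp from the @default group is a silent widening of the default seccomp filter for every profile that relies on it (and for @default-nodebuggers, which includes @default), yet nothing in this template records why the syscall was removed or how an administrator restores the previous behaviour. Since the same commit adds a `seccomp-filter-add` option to etc/firejail.config with kcmp in its example, that is presumably the intended way to re-block it, but the template should say so where the group is defined, e.g. a line near "Definition of groups" such as `kcmp was removed from @default; use seccomp-filter-add in firejail.config to block it system-wide.` Without that note, a later audit comparing this list against the previous release will not be able to tell an intentional relaxation from an accidental one. The same `set_mempolicyvmsplice` token appears unchanged on both sides; it reads like two names fused by a missing comma and is worth checking, though it predates this change.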