diff options
Diffstat (limited to 'etc')
-rw-r--r-- | etc/apparmor/firejail-local | 3 | ||||
-rw-r--r-- | etc/profile-a-l/jitsi-meet-desktop.profile | 2 | ||||
-rw-r--r-- | etc/profile-a-l/kdiff3.profile | 4 | ||||
-rw-r--r-- | etc/profile-m-z/start-tor-browser.profile | 40 | ||||
-rw-r--r-- | etc/profile-m-z/torbrowser-launcher.profile | 4 |
5 files changed, 16 insertions, 37 deletions
diff --git a/etc/apparmor/firejail-local b/etc/apparmor/firejail-local index f086653f8..893a1ce46 100644 --- a/etc/apparmor/firejail-local +++ b/etc/apparmor/firejail-local | |||
@@ -1,2 +1,5 @@ | |||
1 | # Site-specific additions and overrides for 'firejail-default'. | 1 | # Site-specific additions and overrides for 'firejail-default'. |
2 | # For more details, please see /etc/apparmor.d/local/README. | 2 | # For more details, please see /etc/apparmor.d/local/README. |
3 | |||
4 | # Uncomment to opt-in to apparmor for torbrowser-launcher | ||
5 | #owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/** ix, | ||
diff --git a/etc/profile-a-l/jitsi-meet-desktop.profile b/etc/profile-a-l/jitsi-meet-desktop.profile index e5beb741a..edb7ed840 100644 --- a/etc/profile-a-l/jitsi-meet-desktop.profile +++ b/etc/profile-a-l/jitsi-meet-desktop.profile | |||
@@ -20,7 +20,7 @@ nowhitelist ${DOWNLOADS} | |||
20 | mkdir ${HOME}/.config/Jitsi Meet | 20 | mkdir ${HOME}/.config/Jitsi Meet |
21 | whitelist ${HOME}/.config/Jitsi Meet | 21 | whitelist ${HOME}/.config/Jitsi Meet |
22 | 22 | ||
23 | private-bin bash,jitsi-meet-desktop | 23 | private-bin bash,electron,electron[0-9],electron[0-9][0-9],jitsi-meet-desktop,sh |
24 | private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg | 24 | private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg |
25 | 25 | ||
26 | # Redirect | 26 | # Redirect |
diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile index 41840e3b0..5786a4687 100644 --- a/etc/profile-a-l/kdiff3.profile +++ b/etc/profile-a-l/kdiff3.profile | |||
@@ -10,7 +10,11 @@ noblacklist ${HOME}/.config/kdiff3fileitemactionrc | |||
10 | noblacklist ${HOME}/.config/kdiff3rc | 10 | noblacklist ${HOME}/.config/kdiff3rc |
11 | 11 | ||
12 | # Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in disable-common.inc. | 12 | # Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in disable-common.inc. |
13 | # by default we deny access only to .ssh and .gnupg | ||
13 | #include disable-common.inc | 14 | #include disable-common.inc |
15 | blacklist ${HOME}/.ssh | ||
16 | blacklist ${HOME}/.gnupg | ||
17 | |||
14 | include disable-devel.inc | 18 | include disable-devel.inc |
15 | include disable-exec.inc | 19 | include disable-exec.inc |
16 | include disable-interpreters.inc | 20 | include disable-interpreters.inc |
diff --git a/etc/profile-m-z/start-tor-browser.profile b/etc/profile-m-z/start-tor-browser.profile index b62b19101..17ceedee7 100644 --- a/etc/profile-m-z/start-tor-browser.profile +++ b/etc/profile-m-z/start-tor-browser.profile | |||
@@ -3,40 +3,8 @@ | |||
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include start-tor-browser.local | 4 | include start-tor-browser.local |
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | # added by included profile |
7 | #include globals.local | ||
7 | 8 | ||
8 | ignore noexec ${HOME} | 9 | # Redirect |
9 | 10 | include start-tor-browser.desktop.profile | |
10 | include disable-common.inc | ||
11 | include disable-devel.inc | ||
12 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | ||
14 | include disable-passwdmgr.inc | ||
15 | include disable-programs.inc | ||
16 | include disable-xdg.inc | ||
17 | |||
18 | include whitelist-var-common.inc | ||
19 | |||
20 | caps.drop all | ||
21 | netfilter | ||
22 | nodvd | ||
23 | nogroups | ||
24 | nonewprivs | ||
25 | noroot | ||
26 | notv | ||
27 | nou2f | ||
28 | novideo | ||
29 | protocol unix,inet,inet6 | ||
30 | seccomp !chroot | ||
31 | shell none | ||
32 | # tracelog may cause issues, see github issue #1930 | ||
33 | #tracelog | ||
34 | |||
35 | disable-mnt | ||
36 | private-bin bash,cat,cp,cut,dirname,env,getconf,gpg,grep,gxmessage,id,kdialog,ln,mkdir,pwd,readlink,realpath,rm,sed,sh,tail,test,update-desktop-database,xmessage,zenity | ||
37 | private-dev | ||
38 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl | ||
39 | private-tmp | ||
40 | |||
41 | dbus-user none | ||
42 | dbus-system none | ||
diff --git a/etc/profile-m-z/torbrowser-launcher.profile b/etc/profile-m-z/torbrowser-launcher.profile index 6bcc51f4d..1045fa02a 100644 --- a/etc/profile-m-z/torbrowser-launcher.profile +++ b/etc/profile-m-z/torbrowser-launcher.profile | |||
@@ -31,6 +31,10 @@ whitelist ${HOME}/.local/share/torbrowser | |||
31 | include whitelist-common.inc | 31 | include whitelist-common.inc |
32 | include whitelist-var-common.inc | 32 | include whitelist-var-common.inc |
33 | 33 | ||
34 | # Uncomment the line below or put 'apparmor' in your torbrowser-launcher.local. | ||
35 | # IMPORTANT: the relevant rule in /etc/apparmor.d/local/firejail-default will need | ||
36 | # to be uncommented too for this to work as expected. | ||
37 | #apparmor | ||
34 | caps.drop all | 38 | caps.drop all |
35 | netfilter | 39 | netfilter |
36 | nodvd | 40 | nodvd |