Diffstat (limited to 'etc')
-rw-r--r-- | etc/falkon.profile | 7 | ||||
-rw-r--r-- | etc/qupzilla.profile | 15 |
2 files changed, 16 insertions, 6 deletions
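--- a/etc/falkon.profile
+++ b/etc/falkon.profile
@@ -27,11 +27,12 @@ nonewprivs
 noroot
 notv
 protocol unix,inet,inet6,netlink
-seccomp
-tracelog
+# blacklisting of chroot system calls breaks falkon
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+# tracelog
 
 private-dev
-private-tmp
+# private-tmp - interferes with the opening of downloaded files
 
 noexec ${HOME}
 noexec /tmp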
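Review bot: The `seccomp.drop` line at new line 31 looks like a hand-expanded copy of firejail's default blacklist with `chroot` left out, so this profile will not pick up syscalls that later releases add to the default list. The comment above it should say so, e.g. `# default seccomp list minus chroot - re-sync when the default list changes`, and on firejail versions that accept exceptions, `seccomp !chroot` would express the same intent without the frozen copy. The identical line is added to etc/qupzilla.profile at new line 31. `# tracelog` at new line 32 is disabled without a stated reason, unlike the `private-tmp` line below it.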
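--- a/etc/qupzilla.profile
+++ b/etc/qupzilla.profile
@@ -17,14 +17,23 @@ whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/qupzilla
 whitelist ${HOME}/.config/qupzilla
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter
 nodvd
+nogroups
+nonewprivs
 noroot
 notv
 protocol unix,inet,inet6,netlink
-seccomp
-tracelog
+# blacklisting of chroot system calls breaks qupzilla
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+# tracelog
 
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+private-dev
+# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse
+# private-tmp - interferes with the opening of downloaded files
+
+noexec ${HOME}
+noexec /tmp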
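Review bot: Leaving `private-tmp` commented out at new line 36 means the browser runs against the host's real /tmp rather than an empty private one, so whatever other programs keep there is reachable from inside the sandbox, subject only to ordinary file permissions. `noexec /tmp` at new line 39 limits execution from that directory but not read or write access. The same choice is made in etc/falkon.profile at new line 35. The comment should record the trade-off, for example `# private-tmp - interferes with the opening of downloaded files; sandbox shares the host /tmp`. It may also be worth checking whether the download hand-off can go through the already whitelisted `${DOWNLOADS}` so that `private-tmp` can be re-enabled.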