diff options
Diffstat (limited to 'etc')
34 files changed, 134 insertions, 37 deletions
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index 264fc29b2..55aabbc73 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc | |||
| @@ -192,6 +192,7 @@ blacklist ${HOME}/.VirtualBox | |||
| 192 | blacklist ${HOME}/VirtualBox VMs | 192 | blacklist ${HOME}/VirtualBox VMs |
| 193 | 193 | ||
| 194 | # GNOME Boxes | 194 | # GNOME Boxes |
| 195 | blacklist ${HOME}/.cache/gnome-boxes | ||
| 195 | blacklist ${HOME}/.config/gnome-boxes | 196 | blacklist ${HOME}/.config/gnome-boxes |
| 196 | blacklist ${HOME}/.local/share/gnome-boxes | 197 | blacklist ${HOME}/.local/share/gnome-boxes |
| 197 | 198 | ||
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index e013872df..13b4b2078 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
| @@ -22,7 +22,6 @@ blacklist ${HOME}/.Steampid | |||
| 22 | blacklist ${HOME}/.TelegramDesktop | 22 | blacklist ${HOME}/.TelegramDesktop |
| 23 | blacklist ${HOME}/.VSCodium | 23 | blacklist ${HOME}/.VSCodium |
| 24 | blacklist ${HOME}/.ViberPC | 24 | blacklist ${HOME}/.ViberPC |
| 25 | blacklist ${HOME}/.VirtualBox | ||
| 26 | blacklist ${HOME}/.WebStorm* | 25 | blacklist ${HOME}/.WebStorm* |
| 27 | blacklist ${HOME}/.Wolfram Research | 26 | blacklist ${HOME}/.Wolfram Research |
| 28 | blacklist ${HOME}/.ZAP | 27 | blacklist ${HOME}/.ZAP |
| @@ -125,7 +124,6 @@ blacklist ${HOME}/.cache/geeqie | |||
| 125 | blacklist ${HOME}/.cache/gegl-0.4 | 124 | blacklist ${HOME}/.cache/gegl-0.4 |
| 126 | blacklist ${HOME}/.cache/gfeeds | 125 | blacklist ${HOME}/.cache/gfeeds |
| 127 | blacklist ${HOME}/.cache/gimp | 126 | blacklist ${HOME}/.cache/gimp |
| 128 | blacklist ${HOME}/.cache/gnome-boxes | ||
| 129 | blacklist ${HOME}/.cache/gnome-builder | 127 | blacklist ${HOME}/.cache/gnome-builder |
| 130 | blacklist ${HOME}/.cache/gnome-control-center | 128 | blacklist ${HOME}/.cache/gnome-control-center |
| 131 | blacklist ${HOME}/.cache/gnome-recipes | 129 | blacklist ${HOME}/.cache/gnome-recipes |
| @@ -223,6 +221,7 @@ blacklist ${HOME}/.cache/supertuxkart | |||
| 223 | blacklist ${HOME}/.cache/systemsettings | 221 | blacklist ${HOME}/.cache/systemsettings |
| 224 | blacklist ${HOME}/.cache/telepathy | 222 | blacklist ${HOME}/.cache/telepathy |
| 225 | blacklist ${HOME}/.cache/thunderbird | 223 | blacklist ${HOME}/.cache/thunderbird |
| 224 | blacklist ${HOME}/.cache/tiny-rdm | ||
| 226 | blacklist ${HOME}/.cache/torbrowser | 225 | blacklist ${HOME}/.cache/torbrowser |
| 227 | blacklist ${HOME}/.cache/transmission | 226 | blacklist ${HOME}/.cache/transmission |
| 228 | blacklist ${HOME}/.cache/ueberzugpp | 227 | blacklist ${HOME}/.cache/ueberzugpp |
| @@ -347,10 +346,10 @@ blacklist ${HOME}/.config/Slack | |||
| 347 | blacklist ${HOME}/.config/Standard Notes | 346 | blacklist ${HOME}/.config/Standard Notes |
| 348 | blacklist ${HOME}/.config/SubDownloader | 347 | blacklist ${HOME}/.config/SubDownloader |
| 349 | blacklist ${HOME}/.config/Thunar | 348 | blacklist ${HOME}/.config/Thunar |
| 349 | blacklist ${HOME}/.config/TinyRDM | ||
| 350 | blacklist ${HOME}/.config/Twitch | 350 | blacklist ${HOME}/.config/Twitch |
| 351 | blacklist ${HOME}/.config/Unknown Organization | 351 | blacklist ${HOME}/.config/Unknown Organization |
| 352 | blacklist ${HOME}/.config/VSCodium | 352 | blacklist ${HOME}/.config/VSCodium |
| 353 | blacklist ${HOME}/.config/VirtualBox | ||
| 354 | blacklist ${HOME}/.config/Whalebird | 353 | blacklist ${HOME}/.config/Whalebird |
| 355 | blacklist ${HOME}/.config/Wire | 354 | blacklist ${HOME}/.config/Wire |
| 356 | blacklist ${HOME}/.config/Youtube | 355 | blacklist ${HOME}/.config/Youtube |
| @@ -559,7 +558,6 @@ blacklist ${HOME}/.config/mpDris2 | |||
| 559 | blacklist ${HOME}/.config/mpd | 558 | blacklist ${HOME}/.config/mpd |
| 560 | blacklist ${HOME}/.config/mps-youtube | 559 | blacklist ${HOME}/.config/mps-youtube |
| 561 | blacklist ${HOME}/.config/mpv | 560 | blacklist ${HOME}/.config/mpv |
| 562 | blacklist ${HOME}/.config/msmtp | ||
| 563 | blacklist ${HOME}/.config/mullvad-browser-flags.conf | 561 | blacklist ${HOME}/.config/mullvad-browser-flags.conf |
| 564 | blacklist ${HOME}/.config/mupen64plus | 562 | blacklist ${HOME}/.config/mupen64plus |
| 565 | blacklist ${HOME}/.config/mutt | 563 | blacklist ${HOME}/.config/mutt |
| @@ -939,7 +937,6 @@ blacklist ${HOME}/.local/share/geeqie | |||
| 939 | blacklist ${HOME}/.local/share/ghostwriter | 937 | blacklist ${HOME}/.local/share/ghostwriter |
| 940 | blacklist ${HOME}/.local/share/gitg | 938 | blacklist ${HOME}/.local/share/gitg |
| 941 | blacklist ${HOME}/.local/share/gnome-2048 | 939 | blacklist ${HOME}/.local/share/gnome-2048 |
| 942 | blacklist ${HOME}/.local/share/gnome-boxes | ||
| 943 | blacklist ${HOME}/.local/share/gnome-builder | 940 | blacklist ${HOME}/.local/share/gnome-builder |
| 944 | blacklist ${HOME}/.local/share/gnome-chess | 941 | blacklist ${HOME}/.local/share/gnome-chess |
| 945 | blacklist ${HOME}/.local/share/gnome-klotski | 942 | blacklist ${HOME}/.local/share/gnome-klotski |
| @@ -1019,6 +1016,7 @@ blacklist ${HOME}/.local/share/orage | |||
| 1019 | blacklist ${HOME}/.local/share/org.kde.gwenview | 1016 | blacklist ${HOME}/.local/share/org.kde.gwenview |
| 1020 | blacklist ${HOME}/.local/share/pix | 1017 | blacklist ${HOME}/.local/share/pix |
| 1021 | blacklist ${HOME}/.local/share/plasma_notes | 1018 | blacklist ${HOME}/.local/share/plasma_notes |
| 1019 | blacklist ${HOME}/.local/share/pnpm | ||
| 1022 | blacklist ${HOME}/.local/share/profanity | 1020 | blacklist ${HOME}/.local/share/profanity |
| 1023 | blacklist ${HOME}/.local/share/psi | 1021 | blacklist ${HOME}/.local/share/psi |
| 1024 | blacklist ${HOME}/.local/share/psi+ | 1022 | blacklist ${HOME}/.local/share/psi+ |
| @@ -1084,7 +1082,6 @@ blacklist ${HOME}/.mp3splt-gtk | |||
| 1084 | blacklist ${HOME}/.mpd | 1082 | blacklist ${HOME}/.mpd |
| 1085 | blacklist ${HOME}/.mpdconf | 1083 | blacklist ${HOME}/.mpdconf |
| 1086 | blacklist ${HOME}/.mplayer | 1084 | blacklist ${HOME}/.mplayer |
| 1087 | blacklist ${HOME}/.msmtprc | ||
| 1088 | blacklist ${HOME}/.mullvad/mullvadbrowser | 1085 | blacklist ${HOME}/.mullvad/mullvadbrowser |
| 1089 | blacklist ${HOME}/.multimc5 | 1086 | blacklist ${HOME}/.multimc5 |
| 1090 | blacklist ${HOME}/.nanorc | 1087 | blacklist ${HOME}/.nanorc |
| @@ -1233,7 +1230,6 @@ blacklist ${RUNUSER}/*firefox* | |||
| 1233 | blacklist ${RUNUSER}/akonadi | 1230 | blacklist ${RUNUSER}/akonadi |
| 1234 | blacklist ${RUNUSER}/psd/*firefox* | 1231 | blacklist ${RUNUSER}/psd/*firefox* |
| 1235 | blacklist ${RUNUSER}/qutebrowser | 1232 | blacklist ${RUNUSER}/qutebrowser |
| 1236 | blacklist /etc/msmtprc | ||
| 1237 | blacklist /etc/ssmtp | 1233 | blacklist /etc/ssmtp |
| 1238 | blacklist /tmp/.wine-* | 1234 | blacklist /tmp/.wine-* |
| 1239 | blacklist /tmp/akonadi-* | 1235 | blacklist /tmp/akonadi-* |
diff --git a/etc/profile-a-l/ani-cli.profile b/etc/profile-a-l/ani-cli.profile index afd76282c..76db2986d 100644 --- a/etc/profile-a-l/ani-cli.profile +++ b/etc/profile-a-l/ani-cli.profile | |||
| @@ -33,7 +33,7 @@ notv | |||
| 33 | disable-mnt | 33 | disable-mnt |
| 34 | private-bin ani-cli,aria2c,cat,cp,curl,cut,ffmpeg,fzf,grep,head,mkdir,mktemp,mv,nl,nohup,patch,printf,rm,rofi,sed,sh,sort,tail,tput,tr,uname,wc | 34 | private-bin ani-cli,aria2c,cat,cp,curl,cut,ffmpeg,fzf,grep,head,mkdir,mktemp,mv,nl,nohup,patch,printf,rm,rofi,sed,sh,sort,tail,tput,tr,uname,wc |
| 35 | #private-cache | 35 | #private-cache |
| 36 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg | 36 | private-etc X11,alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,xdg |
| 37 | private-tmp | 37 | private-tmp |
| 38 | 38 | ||
| 39 | # Redirect | 39 | # Redirect |
diff --git a/etc/profile-a-l/clamtk.profile b/etc/profile-a-l/clamtk.profile index 9fc73ee55..7651c5d32 100644 --- a/etc/profile-a-l/clamtk.profile +++ b/etc/profile-a-l/clamtk.profile | |||
| @@ -1,4 +1,5 @@ | |||
| 1 | # Firejail profile for clamtk | 1 | # Firejail profile for clamtk |
| 2 | # Description: Easy to use, light-weight, on-demand virus scanner for Linux systems | ||
| 2 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
| 3 | # Persistent local customizations | 4 | # Persistent local customizations |
| 4 | include clamtk.local | 5 | include clamtk.local |
| @@ -7,15 +8,22 @@ include globals.local | |||
| 7 | 8 | ||
| 8 | include disable-exec.inc | 9 | include disable-exec.inc |
| 9 | 10 | ||
| 11 | # Add the below lines to your clamtk.local if you update signatures databases per-user: | ||
| 12 | #ignore net none | ||
| 13 | #netfilter | ||
| 14 | #protocol inet,inet6 | ||
| 15 | |||
| 10 | caps.drop all | 16 | caps.drop all |
| 11 | ipc-namespace | 17 | ipc-namespace |
| 12 | net none | 18 | net none |
| 13 | no3d | 19 | no3d |
| 14 | nodvd | 20 | nodvd |
| 15 | nogroups | 21 | # nogroups breaks scanning |
| 22 | #nogroups | ||
| 16 | noinput | 23 | noinput |
| 17 | nonewprivs | 24 | nonewprivs |
| 18 | noroot | 25 | # noroot breaks scanning |
| 26 | #noroot | ||
| 19 | nosound | 27 | nosound |
| 20 | notv | 28 | notv |
| 21 | nou2f | 29 | nou2f |
| @@ -25,7 +33,9 @@ seccomp | |||
| 25 | 33 | ||
| 26 | private-dev | 34 | private-dev |
| 27 | 35 | ||
| 28 | dbus-user none | 36 | dbus-user filter |
| 37 | dbus-user.talk ca.desrt.dconf | ||
| 38 | dbus-user.talk org.gtk.vfs.UDisks2VolumeMonitor | ||
| 29 | dbus-system none | 39 | dbus-system none |
| 30 | 40 | ||
| 31 | restrict-namespaces | 41 | restrict-namespaces |
diff --git a/etc/profile-a-l/discord-canary.profile b/etc/profile-a-l/discord-canary.profile index b67729301..acf0281d9 100644 --- a/etc/profile-a-l/discord-canary.profile +++ b/etc/profile-a-l/discord-canary.profile | |||
| @@ -12,7 +12,7 @@ whitelist ${HOME}/.config/discordcanary | |||
| 12 | whitelist /opt/DiscordCanary | 12 | whitelist /opt/DiscordCanary |
| 13 | whitelist /opt/discord-canary | 13 | whitelist /opt/discord-canary |
| 14 | 14 | ||
| 15 | private-bin discord-canary,DiscordCanary | 15 | private-bin DiscordCanary,discord-canary |
| 16 | 16 | ||
| 17 | # Redirect | 17 | # Redirect |
| 18 | include discord-common.profile | 18 | include discord-common.profile |
diff --git a/etc/profile-a-l/discord-ptb.profile b/etc/profile-a-l/discord-ptb.profile index a657c52b5..82b33174c 100644 --- a/etc/profile-a-l/discord-ptb.profile +++ b/etc/profile-a-l/discord-ptb.profile | |||
| @@ -12,7 +12,7 @@ whitelist ${HOME}/.config/discordptb | |||
| 12 | whitelist /opt/DiscordPTB | 12 | whitelist /opt/DiscordPTB |
| 13 | whitelist /opt/discord | 13 | whitelist /opt/discord |
| 14 | 14 | ||
| 15 | private-bin discord-ptb,DiscordPTB | 15 | private-bin DiscordPTB,discord-ptb |
| 16 | 16 | ||
| 17 | # Redirect | 17 | # Redirect |
| 18 | include discord-common.profile | 18 | include discord-common.profile |
diff --git a/etc/profile-a-l/discord.profile b/etc/profile-a-l/discord.profile index a4fcae5b8..9776b41d5 100644 --- a/etc/profile-a-l/discord.profile +++ b/etc/profile-a-l/discord.profile | |||
| @@ -11,8 +11,9 @@ mkdir ${HOME}/.config/discord | |||
| 11 | whitelist ${HOME}/.config/discord | 11 | whitelist ${HOME}/.config/discord |
| 12 | whitelist /opt/Discord | 12 | whitelist /opt/Discord |
| 13 | whitelist /opt/discord | 13 | whitelist /opt/discord |
| 14 | whitelist /usr/share/discord | ||
| 14 | 15 | ||
| 15 | private-bin discord,Discord | 16 | private-bin Discord,discord |
| 16 | 17 | ||
| 17 | # Redirect | 18 | # Redirect |
| 18 | include discord-common.profile | 19 | include discord-common.profile |
diff --git a/etc/profile-a-l/display.profile b/etc/profile-a-l/display.profile index 40e19dfc3..53ed90e9c 100644 --- a/etc/profile-a-l/display.profile +++ b/etc/profile-a-l/display.profile | |||
| @@ -40,7 +40,7 @@ private-bin display,python* | |||
| 40 | private-dev | 40 | private-dev |
| 41 | # On Debian-based systems, display is a symlink in /etc/alternatives | 41 | # On Debian-based systems, display is a symlink in /etc/alternatives |
| 42 | private-etc ImageMagick-6,ImageMagick-7 | 42 | private-etc ImageMagick-6,ImageMagick-7 |
| 43 | private-lib gcc/*/*/libgcc_s.so.*,gcc/*/*/libgomp.so.*,ImageMagick*,libfreetype.so.*,libltdl.so.*,libMagickWand-*.so.*,libXext.so.* | 43 | private-lib ImageMagick*,gcc/*/*/libgcc_s.so.*,gcc/*/*/libgomp.so.*,libMagickWand-*.so.*,libXext.so.*,libfreetype.so.*,libltdl.so.* |
| 44 | private-tmp | 44 | private-tmp |
| 45 | 45 | ||
| 46 | dbus-user none | 46 | dbus-user none |
diff --git a/etc/profile-a-l/enpass.profile b/etc/profile-a-l/enpass.profile index 93929c6ea..62e9d42ac 100644 --- a/etc/profile-a-l/enpass.profile +++ b/etc/profile-a-l/enpass.profile | |||
| @@ -52,7 +52,7 @@ protocol unix,inet,inet6,netlink | |||
| 52 | seccomp | 52 | seccomp |
| 53 | tracelog | 53 | tracelog |
| 54 | 54 | ||
| 55 | private-bin dirname,Enpass,importer_enpass,readlink,sh | 55 | private-bin Enpass,dirname,importer_enpass,readlink,sh |
| 56 | ?HAS_APPIMAGE: ignore private-dev | 56 | ?HAS_APPIMAGE: ignore private-dev |
| 57 | private-dev | 57 | private-dev |
| 58 | private-opt Enpass | 58 | private-opt Enpass |
diff --git a/etc/profile-a-l/fbreader.profile b/etc/profile-a-l/fbreader.profile index 434371aee..5906085de 100644 --- a/etc/profile-a-l/fbreader.profile +++ b/etc/profile-a-l/fbreader.profile | |||
| @@ -33,7 +33,7 @@ novideo | |||
| 33 | protocol unix,inet,inet6 | 33 | protocol unix,inet,inet6 |
| 34 | seccomp | 34 | seccomp |
| 35 | 35 | ||
| 36 | private-bin fbreader,FBReader | 36 | private-bin FBReader,fbreader |
| 37 | private-dev | 37 | private-dev |
| 38 | private-tmp | 38 | private-tmp |
| 39 | 39 | ||
diff --git a/etc/profile-a-l/fluffychat.profile b/etc/profile-a-l/fluffychat.profile index abc5979da..1c5db09e9 100644 --- a/etc/profile-a-l/fluffychat.profile +++ b/etc/profile-a-l/fluffychat.profile | |||
| @@ -60,7 +60,7 @@ disable-mnt | |||
| 60 | private-bin firefox,fluffychat,sh,which,zenity | 60 | private-bin firefox,fluffychat,sh,which,zenity |
| 61 | private-cache | 61 | private-cache |
| 62 | private-dev | 62 | private-dev |
| 63 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg | 63 | private-etc X11,alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,xdg |
| 64 | private-tmp | 64 | private-tmp |
| 65 | 65 | ||
| 66 | dbus-user filter | 66 | dbus-user filter |
diff --git a/etc/profile-a-l/freshclam.profile b/etc/profile-a-l/freshclam.profile index 133d66f0d..f59094567 100644 --- a/etc/profile-a-l/freshclam.profile +++ b/etc/profile-a-l/freshclam.profile | |||
| @@ -2,7 +2,7 @@ | |||
| 2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
| 3 | quiet | 3 | quiet |
| 4 | # Persistent local customizations | 4 | # Persistent local customizations |
| 5 | include clamav.local | 5 | include freshclam.local |
| 6 | # Persistent global definitions | 6 | # Persistent global definitions |
| 7 | include globals.local | 7 | include globals.local |
| 8 | 8 | ||
diff --git a/etc/profile-a-l/hugin.profile b/etc/profile-a-l/hugin.profile index c4085cf9c..683e1b5f7 100644 --- a/etc/profile-a-l/hugin.profile +++ b/etc/profile-a-l/hugin.profile | |||
| @@ -38,7 +38,7 @@ novideo | |||
| 38 | protocol unix | 38 | protocol unix |
| 39 | seccomp | 39 | seccomp |
| 40 | 40 | ||
| 41 | private-bin align_image_stack,autooptimiser,calibrate_lens_gui,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,enblend,exiftool,fulla,geocpset,hugin,hugin_executor,hugin_hdrmerge,hugin_lensdb,hugin_stitch_project,icpfind,linefind,nona,pano_modify,pano_trafo,perl,PTBatcherGUI,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,sh,tca_correct,uname,verdandi,vig_optimize | 41 | private-bin PTBatcherGUI,align_image_stack,autooptimiser,calibrate_lens_gui,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,enblend,exiftool,fulla,geocpset,hugin,hugin_executor,hugin_hdrmerge,hugin_lensdb,hugin_stitch_project,icpfind,linefind,nona,pano_modify,pano_trafo,perl,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,sh,tca_correct,uname,verdandi,vig_optimize |
| 42 | private-cache | 42 | private-cache |
| 43 | private-dev | 43 | private-dev |
| 44 | private-tmp | 44 | private-tmp |
diff --git a/etc/profile-a-l/lobster.profile b/etc/profile-a-l/lobster.profile index f9dc4f60c..367f69743 100644 --- a/etc/profile-a-l/lobster.profile +++ b/etc/profile-a-l/lobster.profile | |||
| @@ -44,7 +44,7 @@ notv | |||
| 44 | disable-mnt | 44 | disable-mnt |
| 45 | private-bin base64,bash,cat,command,curl,cut,date,dirname,echo,ffmpeg,ffprobe,find,fzf,grep,head,hxunent,ln,lobster,ls,mkdir,mkfifo,nano,nohup,openssl,patch,pgrep,ps,rm,rofi,sed,sh,sleep,socat,tail,tee,tput,tr,ueberzugpp,uname,uuidgen,vim,wc | 45 | private-bin base64,bash,cat,command,curl,cut,date,dirname,echo,ffmpeg,ffprobe,find,fzf,grep,head,hxunent,ln,lobster,ls,mkdir,mkfifo,nano,nohup,openssl,patch,pgrep,ps,rm,rofi,sed,sh,sleep,socat,tail,tee,tput,tr,ueberzugpp,uname,uuidgen,vim,wc |
| 46 | #private-cache | 46 | #private-cache |
| 47 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg | 47 | private-etc X11,alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,xdg |
| 48 | private-tmp | 48 | private-tmp |
| 49 | 49 | ||
| 50 | # Redirect | 50 | # Redirect |
diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile index c3497c3bd..0462cb503 100644 --- a/etc/profile-a-l/lutris.profile +++ b/etc/profile-a-l/lutris.profile | |||
| @@ -11,6 +11,7 @@ noblacklist ${HOME}/Games | |||
| 11 | noblacklist ${HOME}/.cache/lutris | 11 | noblacklist ${HOME}/.cache/lutris |
| 12 | noblacklist ${HOME}/.cache/wine | 12 | noblacklist ${HOME}/.cache/wine |
| 13 | noblacklist ${HOME}/.cache/winetricks | 13 | noblacklist ${HOME}/.cache/winetricks |
| 14 | noblacklist ${HOME}/.config/MangoHud | ||
| 14 | noblacklist ${HOME}/.config/lutris | 15 | noblacklist ${HOME}/.config/lutris |
| 15 | noblacklist ${HOME}/.local/share/lutris | 16 | noblacklist ${HOME}/.local/share/lutris |
| 16 | #noblacklist ${HOME}/.wine | 17 | #noblacklist ${HOME}/.wine |
| @@ -45,6 +46,7 @@ whitelist ${HOME}/Games | |||
| 45 | whitelist ${HOME}/.cache/lutris | 46 | whitelist ${HOME}/.cache/lutris |
| 46 | whitelist ${HOME}/.cache/wine | 47 | whitelist ${HOME}/.cache/wine |
| 47 | whitelist ${HOME}/.cache/winetricks | 48 | whitelist ${HOME}/.cache/winetricks |
| 49 | whitelist ${HOME}/.config/MangoHud | ||
| 48 | whitelist ${HOME}/.config/lutris | 50 | whitelist ${HOME}/.config/lutris |
| 49 | whitelist ${HOME}/.local/share/lutris | 51 | whitelist ${HOME}/.local/share/lutris |
| 50 | #whitelist ${HOME}/.wine | 52 | #whitelist ${HOME}/.wine |
| @@ -69,7 +71,7 @@ notv | |||
| 69 | nou2f | 71 | nou2f |
| 70 | novideo | 72 | novideo |
| 71 | protocol unix,inet,inet6,netlink | 73 | protocol unix,inet,inet6,netlink |
| 72 | seccomp !modify_ldt | 74 | seccomp !clone3,!modify_ldt,!process_vm_readv,!ptrace |
| 73 | seccomp.32 !modify_ldt | 75 | seccomp.32 !modify_ldt |
| 74 | 76 | ||
| 75 | # Add the next line to your lutris.local if you do not need controller support. | 77 | # Add the next line to your lutris.local if you do not need controller support. |
diff --git a/etc/profile-m-z/QMediathekView.profile b/etc/profile-m-z/QMediathekView.profile index dd5639268..853b6ae52 100644 --- a/etc/profile-m-z/QMediathekView.profile +++ b/etc/profile-m-z/QMediathekView.profile | |||
| @@ -72,7 +72,7 @@ seccomp | |||
| 72 | tracelog | 72 | tracelog |
| 73 | 73 | ||
| 74 | disable-mnt | 74 | disable-mnt |
| 75 | private-bin mplayer,mpv,QMediathekView,smplayer,totem,vlc,xplayer | 75 | private-bin QMediathekView,mplayer,mpv,smplayer,totem,vlc,xplayer |
| 76 | private-cache | 76 | private-cache |
| 77 | private-dev | 77 | private-dev |
| 78 | private-etc @tls-ca | 78 | private-etc @tls-ca |
diff --git a/etc/profile-m-z/QOwnNotes.profile b/etc/profile-m-z/QOwnNotes.profile index eed839041..e7dba9cd5 100644 --- a/etc/profile-m-z/QOwnNotes.profile +++ b/etc/profile-m-z/QOwnNotes.profile | |||
| @@ -47,7 +47,7 @@ seccomp | |||
| 47 | tracelog | 47 | tracelog |
| 48 | 48 | ||
| 49 | disable-mnt | 49 | disable-mnt |
| 50 | private-bin gio,QOwnNotes | 50 | private-bin QOwnNotes,gio |
| 51 | private-dev | 51 | private-dev |
| 52 | private-etc @tls-ca,host.conf | 52 | private-etc @tls-ca,host.conf |
| 53 | private-tmp | 53 | private-tmp |
diff --git a/etc/profile-m-z/Viber.profile b/etc/profile-m-z/Viber.profile index fe1f9b877..ea7d8bfa7 100644 --- a/etc/profile-m-z/Viber.profile +++ b/etc/profile-m-z/Viber.profile | |||
| @@ -31,7 +31,7 @@ protocol unix,inet,inet6 | |||
| 31 | seccomp !chroot | 31 | seccomp !chroot |
| 32 | 32 | ||
| 33 | disable-mnt | 33 | disable-mnt |
| 34 | private-bin awk,bash,dig,sh,Viber | 34 | private-bin Viber,awk,bash,dig,sh |
| 35 | private-etc @tls-ca,@x11,mailcap,proxychains.conf | 35 | private-etc @tls-ca,@x11,mailcap,proxychains.conf |
| 36 | private-tmp | 36 | private-tmp |
| 37 | 37 | ||
diff --git a/etc/profile-m-z/XMind.profile b/etc/profile-m-z/XMind.profile index 97b9d2898..5b8747825 100644 --- a/etc/profile-m-z/XMind.profile +++ b/etc/profile-m-z/XMind.profile | |||
| @@ -31,7 +31,7 @@ protocol unix,inet,inet6 | |||
| 31 | seccomp | 31 | seccomp |
| 32 | 32 | ||
| 33 | disable-mnt | 33 | disable-mnt |
| 34 | private-bin cp,sh,XMind | 34 | private-bin XMind,cp,sh |
| 35 | private-tmp | 35 | private-tmp |
| 36 | private-dev | 36 | private-dev |
| 37 | 37 | ||
diff --git a/etc/profile-m-z/mov-cli.profile b/etc/profile-m-z/mov-cli.profile index 8007b887a..1efd1e8f9 100644 --- a/etc/profile-m-z/mov-cli.profile +++ b/etc/profile-m-z/mov-cli.profile | |||
| @@ -26,7 +26,7 @@ notv | |||
| 26 | disable-mnt | 26 | disable-mnt |
| 27 | private-bin ffmpeg,fzf,mov-cli | 27 | private-bin ffmpeg,fzf,mov-cli |
| 28 | #private-cache | 28 | #private-cache |
| 29 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,magic,magic.mgc,mime.types,nsswitch.conf,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg | 29 | private-etc X11,alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,magic,magic.mgc,mime.types,nsswitch.conf,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,xdg |
| 30 | private-tmp | 30 | private-tmp |
| 31 | 31 | ||
| 32 | # Redirect | 32 | # Redirect |
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile index ab1e0ab02..097ce6e83 100644 --- a/etc/profile-m-z/mutt.profile +++ b/etc/profile-m-z/mutt.profile | |||
| @@ -127,7 +127,7 @@ tracelog | |||
| 127 | #disable-mnt | 127 | #disable-mnt |
| 128 | private-cache | 128 | private-cache |
| 129 | private-dev | 129 | private-dev |
| 130 | private-etc @tls-ca,@x11,msmtprc,Mutt,Muttrc,Muttrc.d,gai.conf,gnupg,gnutls,hosts.conf,mail,mailname,nntpserver,terminfo | 130 | private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gai.conf,gnupg,gnutls,hosts.conf,mail,mailname,msmtprc,nntpserver,terminfo |
| 131 | private-tmp | 131 | private-tmp |
| 132 | writable-run-user | 132 | writable-run-user |
| 133 | writable-var | 133 | writable-var |
diff --git a/etc/profile-m-z/natron.profile b/etc/profile-m-z/natron.profile index b979e1aee..30dd164b6 100644 --- a/etc/profile-m-z/natron.profile +++ b/etc/profile-m-z/natron.profile | |||
| @@ -30,7 +30,7 @@ nou2f | |||
| 30 | protocol unix | 30 | protocol unix |
| 31 | seccomp | 31 | seccomp |
| 32 | 32 | ||
| 33 | private-bin natron,Natron,NatronRenderer | 33 | private-bin Natron,NatronRenderer,natron |
| 34 | 34 | ||
| 35 | dbus-user none | 35 | dbus-user none |
| 36 | dbus-system none | 36 | dbus-system none |
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile index b15e98424..51e2e43bf 100644 --- a/etc/profile-m-z/neomutt.profile +++ b/etc/profile-m-z/neomutt.profile | |||
| @@ -119,7 +119,7 @@ tracelog | |||
| 119 | #disable-mnt | 119 | #disable-mnt |
| 120 | private-cache | 120 | private-cache |
| 121 | private-dev | 121 | private-dev |
| 122 | private-etc @tls-ca,@x11,msmtprc,Mutt,Muttrc,Muttrc.d,gnupg,hosts.conf,mail,mailname,neomuttrc,neomuttrc.d,nntpserver | 122 | private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gnupg,hosts.conf,mail,mailname,msmtprc,neomuttrc,neomuttrc.d,nntpserver |
| 123 | private-tmp | 123 | private-tmp |
| 124 | writable-run-user | 124 | writable-run-user |
| 125 | writable-var | 125 | writable-var |
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile index 4c463521c..f301196c6 100644 --- a/etc/profile-m-z/nodejs-common.profile +++ b/etc/profile-m-z/nodejs-common.profile | |||
| @@ -7,7 +7,7 @@ include nodejs-common.local | |||
| 7 | # added by caller profile | 7 | # added by caller profile |
| 8 | #include globals.local | 8 | #include globals.local |
| 9 | 9 | ||
| 10 | # Note: gulp, node-gyp, npm, npx, semver and yarn are all node scripts | 10 | # Note: gulp, node-gyp, npm, npx, pnpm, pnpx, semver and yarn are all node scripts |
| 11 | # using the `#!/usr/bin/env node` shebang. By sandboxing node the full | 11 | # using the `#!/usr/bin/env node` shebang. By sandboxing node the full |
| 12 | # node.js stack will be firejailed. The only exception is nvm, which is implemented | 12 | # node.js stack will be firejailed. The only exception is nvm, which is implemented |
| 13 | # as a sourced shell function, not an executable binary. Hence it is not | 13 | # as a sourced shell function, not an executable binary. Hence it is not |
| @@ -22,6 +22,7 @@ ignore read-only ${HOME}/.npmrc | |||
| 22 | ignore read-only ${HOME}/.nvm | 22 | ignore read-only ${HOME}/.nvm |
| 23 | ignore read-only ${HOME}/.yarnrc | 23 | ignore read-only ${HOME}/.yarnrc |
| 24 | 24 | ||
| 25 | noblacklist ${HOME}/.local/share/pnpm | ||
| 25 | noblacklist ${HOME}/.node-gyp | 26 | noblacklist ${HOME}/.node-gyp |
| 26 | noblacklist ${HOME}/.npm | 27 | noblacklist ${HOME}/.npm |
| 27 | noblacklist ${HOME}/.npmrc | 28 | noblacklist ${HOME}/.npmrc |
| @@ -43,6 +44,7 @@ include disable-xdg.inc | |||
| 43 | 44 | ||
| 44 | # If you want whitelisting, change ${HOME}/Projects below to your node projects directory | 45 | # If you want whitelisting, change ${HOME}/Projects below to your node projects directory |
| 45 | # and add the next lines to your nodejs-common.local. | 46 | # and add the next lines to your nodejs-common.local. |
| 47 | #mkdir ${HOME}/.local/share/pnpm | ||
| 46 | #mkdir ${HOME}/.node-gyp | 48 | #mkdir ${HOME}/.node-gyp |
| 47 | #mkdir ${HOME}/.npm | 49 | #mkdir ${HOME}/.npm |
| 48 | #mkdir ${HOME}/.npm-packages | 50 | #mkdir ${HOME}/.npm-packages |
| @@ -52,6 +54,7 @@ include disable-xdg.inc | |||
| 52 | #mkdir ${HOME}/.yarn-config | 54 | #mkdir ${HOME}/.yarn-config |
| 53 | #mkdir ${HOME}/.yarncache | 55 | #mkdir ${HOME}/.yarncache |
| 54 | #mkfile ${HOME}/.yarnrc | 56 | #mkfile ${HOME}/.yarnrc |
| 57 | #whitelist ${HOME}/.local/share/pnpm | ||
| 55 | #whitelist ${HOME}/.node-gyp | 58 | #whitelist ${HOME}/.node-gyp |
| 56 | #whitelist ${HOME}/.npm | 59 | #whitelist ${HOME}/.npm |
| 57 | #whitelist ${HOME}/.npm-packages | 60 | #whitelist ${HOME}/.npm-packages |
diff --git a/etc/profile-m-z/pnpm.profile b/etc/profile-m-z/pnpm.profile new file mode 100644 index 000000000..08f88be43 --- /dev/null +++ b/etc/profile-m-z/pnpm.profile | |||
| @@ -0,0 +1,11 @@ | |||
| 1 | # Firejail profile for pnpm | ||
| 2 | # Description: Fast, disk space efficient package manager | ||
| 3 | quiet | ||
| 4 | # This file is overwritten after every install/update | ||
| 5 | # Persistent local customizations | ||
| 6 | include pnpm.local | ||
| 7 | # Persistent global definitions | ||
| 8 | include globals.local | ||
| 9 | |||
| 10 | # Redirect | ||
| 11 | include nodejs-common.profile | ||
diff --git a/etc/profile-m-z/pnpx.profile b/etc/profile-m-z/pnpx.profile new file mode 100644 index 000000000..a99d1232a --- /dev/null +++ b/etc/profile-m-z/pnpx.profile | |||
| @@ -0,0 +1,11 @@ | |||
| 1 | # Firejail profile for pnpx | ||
| 2 | # Description: Part of the Node.js stack | ||
| 3 | quiet | ||
| 4 | # This file is overwritten after every install/update | ||
| 5 | # Persistent local customizations | ||
| 6 | include pnpx.local | ||
| 7 | # Persistent global definitions | ||
| 8 | include globals.local | ||
| 9 | |||
| 10 | # Redirect | ||
| 11 | include nodejs-common.profile | ||
diff --git a/etc/profile-m-z/postman.profile b/etc/profile-m-z/postman.profile index c8f00584d..a74b72695 100644 --- a/etc/profile-m-z/postman.profile +++ b/etc/profile-m-z/postman.profile | |||
| @@ -17,7 +17,7 @@ include whitelist-run-common.inc | |||
| 17 | 17 | ||
| 18 | protocol unix,inet,inet6,netlink | 18 | protocol unix,inet,inet6,netlink |
| 19 | 19 | ||
| 20 | private-bin electron,electron[0-9],electron[0-9][0-9],locale,node,Postman,postman,sh | 20 | private-bin Postman,electron,electron[0-9],electron[0-9][0-9],locale,node,postman,sh |
| 21 | private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl | 21 | private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl |
| 22 | # private-opt breaks file-copy-limit, use a whitelist instead of draining RAM | 22 | # private-opt breaks file-copy-limit, use a whitelist instead of draining RAM |
| 23 | # https://github.com/netblue30/firejail/discussions/5307 | 23 | # https://github.com/netblue30/firejail/discussions/5307 |
diff --git a/etc/profile-m-z/ppsspp.profile b/etc/profile-m-z/ppsspp.profile index da16ae912..5ae6ccf04 100644 --- a/etc/profile-m-z/ppsspp.profile +++ b/etc/profile-m-z/ppsspp.profile | |||
| @@ -39,7 +39,7 @@ novideo | |||
| 39 | protocol unix,netlink | 39 | protocol unix,netlink |
| 40 | seccomp | 40 | seccomp |
| 41 | 41 | ||
| 42 | private-bin ppsspp,PPSSPP,PPSSPPQt,PPSSPPSDL | 42 | private-bin PPSSPP,PPSSPPQt,PPSSPPSDL,ppsspp |
| 43 | # Add the next line to your ppsspp.local if you do not need controller support. | 43 | # Add the next line to your ppsspp.local if you do not need controller support. |
| 44 | #private-dev | 44 | #private-dev |
| 45 | private-etc @tls-ca,@x11,host.conf | 45 | private-etc @tls-ca,@x11,host.conf |
diff --git a/etc/profile-m-z/softmaker-common.profile b/etc/profile-m-z/softmaker-common.profile index 7ce6748d1..3a3a9062e 100644 --- a/etc/profile-m-z/softmaker-common.profile +++ b/etc/profile-m-z/softmaker-common.profile | |||
| @@ -42,7 +42,7 @@ tracelog | |||
| 42 | private-bin freeoffice-planmaker,freeoffice-presentations,freeoffice-textmaker,planmaker18,planmaker18free,presentations18,presentations18free,sh,textmaker18,textmaker18free | 42 | private-bin freeoffice-planmaker,freeoffice-presentations,freeoffice-textmaker,planmaker18,planmaker18free,presentations18,presentations18free,sh,textmaker18,textmaker18free |
| 43 | private-cache | 43 | private-cache |
| 44 | private-dev | 44 | private-dev |
| 45 | private-etc @tls-ca,fstab,SoftMaker | 45 | private-etc @tls-ca,SoftMaker,fstab |
| 46 | private-tmp | 46 | private-tmp |
| 47 | 47 | ||
| 48 | dbus-user none | 48 | dbus-user none |
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile index 34cb3631a..41de746dd 100644 --- a/etc/profile-m-z/steam.profile +++ b/etc/profile-m-z/steam.profile | |||
| @@ -163,7 +163,7 @@ protocol unix,inet,inet6,netlink | |||
| 163 | # Add 'ignore seccomp' to your steam.local if you experience this. | 163 | # Add 'ignore seccomp' to your steam.local if you experience this. |
| 164 | # mount, name_to_handle_at, pivot_root and umount2 are used by Proton >= 5.13 | 164 | # mount, name_to_handle_at, pivot_root and umount2 are used by Proton >= 5.13 |
| 165 | # (see #4366). | 165 | # (see #4366). |
| 166 | seccomp !chroot,!mount,!name_to_handle_at,!pivot_root,!ptrace,!umount2 | 166 | seccomp !chroot,!mount,!name_to_handle_at,!pivot_root,!process_vm_readv,!ptrace,!umount2 |
| 167 | # process_vm_readv is used by GE-Proton7-18 (see #5185). | 167 | # process_vm_readv is used by GE-Proton7-18 (see #5185). |
| 168 | seccomp.32 !process_vm_readv | 168 | seccomp.32 !process_vm_readv |
| 169 | # tracelog breaks integrated browser | 169 | # tracelog breaks integrated browser |
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile index fa992ad1a..7ed3d98d4 100644 --- a/etc/profile-m-z/telegram.profile +++ b/etc/profile-m-z/telegram.profile | |||
| @@ -46,7 +46,7 @@ seccomp | |||
| 46 | seccomp.block-secondary | 46 | seccomp.block-secondary |
| 47 | 47 | ||
| 48 | disable-mnt | 48 | disable-mnt |
| 49 | private-bin bash,sh,telegram,Telegram,telegram-desktop,xdg-open | 49 | private-bin Telegram,bash,sh,telegram,telegram-desktop,xdg-open |
| 50 | private-cache | 50 | private-cache |
| 51 | private-dev | 51 | private-dev |
| 52 | private-etc @tls-ca,@x11,os-release | 52 | private-etc @tls-ca,@x11,os-release |
diff --git a/etc/profile-m-z/tesseract.profile b/etc/profile-m-z/tesseract.profile index 5babfb8d2..c0293406d 100644 --- a/etc/profile-m-z/tesseract.profile +++ b/etc/profile-m-z/tesseract.profile | |||
| @@ -26,6 +26,7 @@ include whitelist-common.inc | |||
| 26 | include whitelist-run-common.inc | 26 | include whitelist-run-common.inc |
| 27 | include whitelist-runuser-common.inc | 27 | include whitelist-runuser-common.inc |
| 28 | whitelist /usr/share/tessdata | 28 | whitelist /usr/share/tessdata |
| 29 | whitelist /usr/share/tesseract-ocr | ||
| 29 | include whitelist-usr-share-common.inc | 30 | include whitelist-usr-share-common.inc |
| 30 | include whitelist-var-common.inc | 31 | include whitelist-var-common.inc |
| 31 | 32 | ||
diff --git a/etc/profile-m-z/tiny-rdm.profile b/etc/profile-m-z/tiny-rdm.profile new file mode 100644 index 000000000..4134d666c --- /dev/null +++ b/etc/profile-m-z/tiny-rdm.profile | |||
| @@ -0,0 +1,61 @@ | |||
| 1 | # Firejail profile for tiny-rdm | ||
| 2 | # Description: A Modern Redis GUI Client | ||
| 3 | # This file is overwritten after every install/update | ||
| 4 | # Persistent local customizations | ||
| 5 | include tiny-rdm.local | ||
| 6 | # Persistent global definitions | ||
| 7 | include globals.local | ||
| 8 | |||
| 9 | noblacklist ${HOME}/.cache/tiny-rdm | ||
| 10 | noblacklist ${HOME}/.config/TinyRDM | ||
| 11 | |||
| 12 | include disable-common.inc | ||
| 13 | include disable-devel.inc | ||
| 14 | include disable-exec.inc | ||
| 15 | include disable-interpreters.inc | ||
| 16 | include disable-programs.inc | ||
| 17 | include disable-proc.inc | ||
| 18 | include disable-shell.inc | ||
| 19 | include disable-xdg.inc | ||
| 20 | |||
| 21 | mkdir ${HOME}/.cache/tiny-rdm | ||
| 22 | mkdir ${HOME}/.config/TinyRDM | ||
| 23 | whitelist ${HOME}/.cache/tiny-rdm | ||
| 24 | whitelist ${HOME}/.config/TinyRDM | ||
| 25 | include whitelist-common.inc | ||
| 26 | include whitelist-run-common.inc | ||
| 27 | include whitelist-runuser-common.inc | ||
| 28 | include whitelist-usr-share-common.inc | ||
| 29 | include whitelist-var-common.inc | ||
| 30 | |||
| 31 | apparmor | ||
| 32 | caps.drop all | ||
| 33 | ipc-namespace | ||
| 34 | netfilter | ||
| 35 | no3d | ||
| 36 | nodvd | ||
| 37 | nogroups | ||
| 38 | noinput | ||
| 39 | nonewprivs | ||
| 40 | noprinters | ||
| 41 | noroot | ||
| 42 | notv | ||
| 43 | nou2f | ||
| 44 | novideo | ||
| 45 | nosound | ||
| 46 | protocol unix,inet,inet6 | ||
| 47 | seccomp | ||
| 48 | seccomp.block-secondary | ||
| 49 | tracelog | ||
| 50 | |||
| 51 | disable-mnt | ||
| 52 | private-bin tiny-rdm | ||
| 53 | private-cache | ||
| 54 | private-dev | ||
| 55 | private-etc @network,@tls-ca,@x11 | ||
| 56 | private-tmp | ||
| 57 | |||
| 58 | dbus-user none | ||
| 59 | dbus-system none | ||
| 60 | |||
| 61 | restrict-namespaces | ||
diff --git a/etc/profile-m-z/transgui.profile b/etc/profile-m-z/transgui.profile index 9f1f1c241..bac48805c 100644 --- a/etc/profile-m-z/transgui.profile +++ b/etc/profile-m-z/transgui.profile | |||
| @@ -49,7 +49,7 @@ private-bin geoiplookup,geoiplookup6,transgui | |||
| 49 | private-cache | 49 | private-cache |
| 50 | private-dev | 50 | private-dev |
| 51 | private-etc @network,@tls-ca,@x11 | 51 | private-etc @network,@tls-ca,@x11 |
| 52 | private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*,libX11.so.* | 52 | private-lib libGeoIP.so*,libX11.so.*,libgdk_pixbuf-2.0.so.*,libgthread-2.0.so.*,libgtk-x11-2.0.so.* |
| 53 | private-tmp | 53 | private-tmp |
| 54 | 54 | ||
| 55 | dbus-user none | 55 | dbus-user none |