From 064bd8610f87c5c50d73fa8afb5332db34b1e771 Mon Sep 17 00:00:00 2001 From: rusty-snake Date: Thu, 13 Jun 2019 13:47:43 +0200 Subject: hardening & fixing --- etc/disable-common.inc | 1 + etc/inkscape.profile | 2 ++ etc/meld.profile | 10 +++++++++- 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index b3d4b710a..a900263ff 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -299,6 +299,7 @@ blacklist ${HOME}/.ecryptfs blacklist ${HOME}/.fetchmailrc blacklist ${HOME}/.gnome2/keyrings blacklist ${HOME}/.gnupg +blacklist ${HOME}/.config/hub blacklist ${HOME}/.kde/share/apps/kwallet blacklist ${HOME}/.kde4/share/apps/kwallet blacklist ${HOME}/.local/share/keyrings diff --git a/etc/inkscape.profile b/etc/inkscape.profile index bc0377e53..a1b3bce23 100644 --- a/etc/inkscape.profile +++ b/etc/inkscape.profile @@ -43,8 +43,10 @@ novideo protocol unix seccomp shell none +tracelog # private-bin inkscape,potrace,python* - problems on Debian stretch +private-cache private-dev private-tmp diff --git a/etc/meld.profile b/etc/meld.profile index 34b1f22de..321b92cd5 100644 --- a/etc/meld.profile +++ b/etc/meld.profile @@ -6,6 +6,13 @@ include meld.local # Persistent global definitions include globals.local +# If you want to use meld as git-mergetool (and may some other VCS integrations) you need +# to bypass firejail, you can do this by removing the symlink or call it by its absolut path +# Removing the symlink: +# sudo rm /usr/local/bin/meld +# Calling by its absolut path (example for git-mergetoll): +# git config --global mergetool.meld.cmd /usr/bin/meld + noblacklist ${HOME}/.config/git noblacklist ${HOME}/.gitconfig noblacklist ${HOME}/.git-credentials 
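Review bot: The new `blacklist ${HOME}/.config/hub` line in etc/disable-common.inc takes effect in every profile that includes this file, and the commit adds no matching `noblacklist ${HOME}/.config/hub` anywhere. hub keeps its GitHub OAuth token in that file, so hiding it by default is sound. Any profile under which hub is expected to run (none is visible in this patch) would then lose access to the token until it gets the `noblacklist` line ahead of its `include disable-common.inc`. The entry also sits between `.gnupg` and `.kde`, which is only in order if the `.config/` prefix is ignored; either state that convention or move the line.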
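Review bot: `private-cache` in etc/inkscape.profile gives Inkscape an empty temporary `${HOME}/.cache` on every start, and nothing in the hunk records that this was tested, unlike the `private-bin` line just above, which records its Debian stretch problem. Anything Inkscape or its libraries keep there (a font cache, for instance; not confirmed from this page) is rebuilt at each launch and discarded on exit, which may show up as slower startup. `tracelog` is an audit aid rather than a restriction: it sends a syslog message when a blacklisted path is accessed, so it only helps if those logs are collected and read. I would add a short comment such as `# private-cache: ~/.cache is discarded on exit; comment out if startup becomes slow`.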
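Review bot: The comment block added at the top of etc/meld.profile tells users to bypass firejail without saying that meld then runs with no sandbox at all, and the two options it lists are not equivalent. `sudo rm /usr/local/bin/meld` removes confinement for every launch of `meld` by name, while the `mergetool.meld.cmd` setting only affects the git mergetool path, so the comment should recommend the second and mention the first as a last resort. The wording also has typos (`absolut`, `git-mergetoll`, `and may some other`). Suggested replacements are `# Calling it by its absolute path (example for git-mergetool):` plus a closing line `# Note: in both cases meld runs unsandboxed.`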
@@ -26,7 +33,8 @@ include disable-passwdmgr.inc # Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-programs.inc. #include disable-programs.inc -include whitelist-var-common.inc +# Uncomment the next line (or put it into your meld.local) if you don't need to compare files in /var. +#include whitelist-var-common.inc apparmor caps.drop all -- cgit v1.2.3-70-g09d2
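Review bot: Commenting out `include whitelist-var-common.inc` loosens the default meld sandbox, which the subject line "hardening & fixing" does not tell a reader. With the include active, /var is presumably limited to the entries that file whitelists (its contents are not on this page); after this change meld sees all of /var except what other includes blacklist. That matches the opt-in treatment of `disable-programs.inc` right above, so the trade-off is defensible, but the new comment should state it, e.g. `# Leaving this commented out exposes all of /var to meld; uncomment unless you compare files there.` The rest of the profile lies outside the hunk.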