From f843166a6c56aca547cc1213a95c24cf16788cc4 Mon Sep 17 00:00:00 2001
From: rusty-snake
Date: Wed, 6 Mar 2019 20:07:09 +0000
Subject: Update ffmpeg.profile (#2529)

* Harden ffmpeg.profile

* Review #2529
---
 etc/ffmpeg.profile | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile
index 44b5d5530..aa7a91928 100644
--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -7,28 +7,35 @@ include ffmpeg.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 include whitelist-var-common.inc
 
 apparmor
 caps.drop all
+ipc-namespace
 machine-id
-net none
+netfilter
+# no3d might break HW accelerated de/encoding - comment when appropriate
 no3d
 nodbus
 nodvd
+nogroups
+nonewprivs
+noroot
 nosound
 notv
 nou2f
 novideo
-nonewprivs
-noroot
-# protocol none - needs to be implemented!
+protocol inet,inet6
 seccomp
 # seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom
 shell none
@@ -37,6 +44,7 @@ tracelog
 private-bin ffmpeg
 private-cache
 private-dev
+private-etc alternatives,pki,pkcs11,hosts,ssl,ca-certificates,resolv.conf
 private-tmp
 # memory-deny-write-execute - it breaks old versions of ffmpeg
-- 
cgit v1.2.3-54-g00ecf
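Review bot: Replacing `net none` with `netfilter` and `protocol inet,inet6` in the first hunk widens the sandbox rather than hardening it: ffmpeg previously had no network at all and now gets IPv4/IPv6 sockets, while nothing in the hunk says why (presumably for network stream inputs/outputs). If I recall the firejail semantics correctly, `netfilter` only installs its default filter inside a new network namespace, so on its own here it may restrict nothing — worth confirming before relying on it. A one-line comment above `netfilter` would make the trade-off explicit and point users at the existing override hook (`include ffmpeg.local` is visible in the hunk header): `# net none - breaks network streams; re-enable it in ffmpeg.local if you only transcode local files`.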
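Review bot: The `private-etc` list added in the second hunk covers TLS and name resolution but omits `fonts`, so filters that go through fontconfig (e.g. drawtext) may fail to find any font once /etc is replaced — confirm against a build with libfreetype/fontconfig enabled. If that use case matters, the line becomes `private-etc alternatives,ca-certificates,fonts,hosts,pki,pkcs11,resolv.conf,ssl`; keeping the entries sorted also makes later additions easier to review. Note that the comment about `memory-deny-write-execute` that follows is unchanged and still explains why that option is left out.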