From 9c3bf8306b38297fc7f4c2f4f395b80ce2bee711 Mon Sep 17 00:00:00 2001
From: SYN-cook
Date: Sat, 8 Apr 2017 23:54:28 +0200
Subject: new baloo profile
---
etc/baloo_file.profile | 39 +++++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
create mode 100644 etc/baloo_file.profile
(limited to 'etc/baloo_file.profile')
diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile
new file mode 100644
index 000000000..1acb5def2
--- /dev/null
+++ b/etc/baloo_file.profile
@@ -0,0 +1,39 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/baloo_file.local
+
+# KDE Baloo file daemon profile
+noblacklist ${HOME}/.kde4/share/config/baloofilerc
+noblacklist ${HOME}/.kde4/share/config/baloorc
+noblacklist ${HOME}/.kde/share/config/baloofilerc
+noblacklist ${HOME}/.kde/share/config/baloorc
+noblacklist ${HOME}/.config/baloofilerc
+noblacklist ${HOME}/.local/share/baloo
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+# Baloo makes ioprio_set system calls, which are blacklisted by default.
+# That's why we need to disable seccomp
+#seccomp
+
+private-dev
+private-tmp
+
+# Experimental: make home directory read-only and allow writing only
+# to Baloo configuration files and databases
+#read-only ${HOME}
+#read-write ${HOME}/.kde4/share/config/baloofilerc
+#read-write ${HOME}/.kde4/share/config/baloorc
+#read-write ${HOME}/.kde/share/config/baloofilerc
+#read-write ${HOME}/.kde/share/config/baloorc
+#read-write ${HOME}/.config/baloofilerc
+#read-write ${HOME}/.local/share/baloo
+#read-write ${HOME}/.local/share/akonadi/search_db
-- cgit v1.2.3-54-g00ecf
From e76037947da2fd60b3e54b88e191ad6fc768829b Mon Sep 17 00:00:00 2001
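Review bot: Leaving `#seccomp` commented out in the middle of the new profile drops the whole syscall filter to accommodate one call, so the indexer runs with the full syscall surface and only `caps.drop all`, `nonewprivs` and `noroot` in place. Firejail's `seccomp.drop` takes an explicit syscall list, so a line such as `seccomp.drop <default blacklist without ioprio_set>` would keep the rest of the filter; the list itself has to be taken from the Firejail version this profile ships with. If the filter stays off, the comment should say so plainly, for example `# seccomp disabled: the default filter blocks ioprio_set, which baloo_file calls; this profile has no syscall filtering`. The experimental `read-only ${HOME}` block at the end is likewise inactive, so the sandbox can presumably still write anywhere in the home directory that the included disable-*.inc files do not blacklist.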
From: SYN-cook Date: Sun, 9 Apr 2017 15:45:35 +0200 Subject: add x11 isolation --- etc/baloo_file.profile | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'etc/baloo_file.profile') diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile index 1acb5def2..6696cbad2 100644 --- a/etc/baloo_file.profile +++ b/etc/baloo_file.profile @@ -20,9 +20,13 @@ nonewprivs noroot nosound protocol unix -# Baloo makes ioprio_set system calls, which are blacklisted by default. +# Baloo makes ioprio_set system calls, which are blacklisted by default. # That's why we need to disable seccomp #seccomp +# The Baloo file daemon can be isolated from X11. If there is an X11 +# abstract Unix socket, it must be disabled first by passing "-nolisten local" +# to the X server. See the Firejail manual for further instructions +#x11 none private-dev private-tmp -- cgit v1.2.3-54-g00ecf From 605453cb75120ca456e655ab15670ab7beed7fca Mon Sep 17 00:00:00 2001 From: SYN-cook Date: Sun, 9 Apr 2017 16:32:22 +0200 Subject: improve x11 isolation taken from tracker.profile --- etc/baloo_file.profile | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) (limited to 'etc/baloo_file.profile') diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile index 6696cbad2..d9c37911b 100644 --- a/etc/baloo_file.profile +++ b/etc/baloo_file.profile @@ -23,10 +23,8 @@ protocol unix # Baloo makes ioprio_set system calls, which are blacklisted by default. # That's why we need to disable seccomp #seccomp -# The Baloo file daemon can be isolated from X11. If there is an X11 -# abstract Unix socket, it must be disabled first by passing "-nolisten local" -# to the X server. See the Firejail manual for further instructions -#x11 none + +blacklist /tmp/.X11-unix private-dev private-tmp -- cgit v1.2.3-54-g00ecf
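Review bot: In the `@@ -23,10 +23,8 @@` hunk of the last commit, `blacklist /tmp/.X11-unix` hides only the filesystem socket directory, and the caveat about the X11 abstract Unix socket that the removed comment carried is dropped with it. Abstract sockets are scoped to the network namespace rather than the filesystem, and the profile as shown in the first commit has no `net` directive, so an X server that still listens on the abstract socket would likely remain reachable under `protocol unix`. Keeping one line of the old explanation above the directive would preserve that, e.g. `# Blocks only the filesystem socket; the abstract X11 socket needs "-nolisten local" on the X server`. The hunk starts and ends mid-profile, and the included .local file is not visible here, so another directive may already cover this.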