From 871dfe351fd8cf19c8c7f330187c994b911ec995 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Tue, 31 Oct 2017 02:24:39 +0100
Subject: harden kde and whitelist kioslaverc because we don't know if kdeinit will run outside or inside the sandbox.
---
 etc/gwenview.profile | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'etc/gwenview.profile')
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
index 76b77ef1c..891c9865e 100644
--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -5,6 +5,8 @@ include /etc/firejail/gwenview.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# blacklist /run/user/*/bus
+
 noblacklist ~/.config/gwenviewrc
 noblacklist ~/.config/org.kde.gwenviewrc
 noblacklist ~/.gimp*
@@ -23,6 +25,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
+# net none
 nodvd
 nogroups
 nonewprivs
@@ -34,7 +37,7 @@ seccomp
 shell none
 tracelog
 
-private-bin gwenview,kbuildsycoca4,gimp*
+private-bin gwenview,gimp*,kbuildsycoca4
 private-dev
 # private-etc X11
 
-- 
cgit v1.2.3-70-g09d2
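Review bot: Both `# blacklist /run/user/*/bus` (first hunk) and `# net none` (second hunk) are added commented out, so the profile as committed still leaves the D-Bus session socket reachable and networking enabled. The hardening takes effect only for someone who enables the lines themselves. Neither line says why it is off by default or what stops working once it is on, which is what a reader needs to decide. I would put a one-line reason above each, for example `# Uncomment to block the D-Bus session bus; may break KDE service integration` and `# Uncomment if gwenview never needs to open remote locations`, and name the included `gwenview.local` as the place to turn them on. The KDE/kdeinit impact is inferred from the commit subject, not from these lines.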