From 871dfe351fd8cf19c8c7f330187c994b911ec995 Mon Sep 17 00:00:00 2001
From: smitsohu <smitsohu@gmail.com>
Date: Tue, 31 Oct 2017 02:24:39 +0100
Subject: harden kde

and whitelist kioslaverc because we don't know if kdeinit
will run outside or inside the sandbox.
---
 etc/okular.profile | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

(limited to 'etc/okular.profile')

diff --git a/etc/okular.profile b/etc/okular.profile
index 53148add5..89f76cda1 100644
--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -5,6 +5,8 @@ include /etc/firejail/okular.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# blacklist /run/user/*/bus
+
 noblacklist ~/.config/okularpartrc
 noblacklist ~/.config/okularrc
 noblacklist ~/.kde/share/apps/okular
@@ -23,6 +25,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
+# net none
 netfilter
 nodvd
 nogroups
@@ -36,9 +39,9 @@ seccomp
 shell none
 tracelog
 
-# private-bin okular,kbuildsycoca4,kdeinit4,lpr
+private-bin okular,kbuildsycoca4,kdeinit4,lpr
 private-dev
-# private-etc fonts,X11
+private-etc cups,fonts
 # private-tmp - on KDE we need access to the real /tmp for data exchange with thunderbird
 
 # memory-deny-write-execute
-- 
cgit v1.2.3-70-g09d2