From 9e3ba319be6b9546d7e8f450ca419ee2f3f4040b Mon Sep 17 00:00:00 2001
From: Tad
Date: Mon, 7 Aug 2017 01:22:08 -0400
Subject: Unify all profiles
---
 etc/spotify.profile | 48 ++++++++++++++++++++++++------------------------
 1 file changed, 24 insertions(+), 24 deletions(-)
(limited to 'etc/spotify.profile')
diff --git a/etc/spotify.profile b/etc/spotify.profile
index 07103b112..64805153c 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -1,26 +1,35 @@
-# Persistent global definitions go here
+# Firejail profile for spotify
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/spotify.local
+# Persistent global definitions
 include /etc/firejail/globals.local
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/spotify.local
+blacklist ${HOME}/.bashrc
+blacklist /boot
+blacklist /lost+found
+blacklist /opt
+blacklist /root
+blacklist /sbin
+blacklist /srv
+blacklist /sys
-# Spotify media player profile
-noblacklist ${HOME}/.config/spotify
 noblacklist ${HOME}/.cache/spotify
+noblacklist ${HOME}/.config/spotify
 noblacklist ${HOME}/.local/share/spotify
+
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
-# Whitelist the folders needed by Spotify
+mkdir ${HOME}/.cache/spotify
 mkdir ${HOME}/.config/spotify
-whitelist ${HOME}/.config/spotify
 mkdir ${HOME}/.local/share/spotify
-whitelist ${HOME}/.local/share/spotify
-mkdir ${HOME}/.cache/spotify
 whitelist ${HOME}/.cache/spotify
+whitelist ${HOME}/.config/spotify
+whitelist ${HOME}/.local/share/spotify
+include /etc/firejail/whitelist-common.inc
 caps.drop all
 netfilter
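Review bot: The new header comment `# Persistent local customizations` does not say why `include /etc/firejail/spotify.local` now sits ahead of every other directive, and that ordering is the security-relevant part of the move. As I understand firejail's parsing, a `noblacklist` or `ignore` only affects rules that come after it, so anything placed in the local file can now switch off the `blacklist` block and the hardening options below it, and it survives package updates. I would expand the comment to something like `# Persistent local customizations (parsed first: noblacklist/ignore here override the rules below)` so that a later audit of a weakened sandbox starts with that file. The same applies to the `globals.local` comment, which affects every profile.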
@@ -31,20 +40,11 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
-noexec ${HOME}
-noexec /tmp
-
+disable-mnt
 private-bin spotify,bash,sh,dash
-private-etc fonts,machine-id,pulse,resolv.conf
 private-dev
+private-etc fonts,machine-id,pulse,resolv.conf
 private-tmp
-disable-mnt
-blacklist ${HOME}/.bashrc
-blacklist /boot
-blacklist /lost+found
-blacklist /opt
-blacklist /root
-blacklist /sbin
-blacklist /srv
-blacklist /sys
+noexec ${HOME}
+noexec /tmp
-- 
cgit v1.2.3-54-g00ecf
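Review bot: The relocated `noexec ${HOME}` / `noexec /tmp` pair is easy to over-read as "nothing writable can run", because `private-bin spotify,bash,sh,dash` in the same hunk still ships three shells into the sandbox. The noexec mounts stop direct execution of a dropped binary, but they do not restrict a script handed to one of those interpreters. Since this commit is already normalizing the comments, I would add one above `private-bin`, e.g. `# shells kept for the spotify launcher script; noexec below does not restrict them`. The reason the shells are needed is my assumption, so confirm it first. If the launcher does not need all three, trimming the list would be the stronger change.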