From 81c570e8e975c8ff3f62c45caffa4e5749296e9d Mon Sep 17 00:00:00 2001
From: Fred-Barclay <Fred-Barclay@users.noreply.github.com>
Date: Sun, 23 Oct 2016 14:31:56 -0500
Subject: tightened Spotify profile

---
 etc/spotify.profile | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)

(limited to 'etc')

diff --git a/etc/spotify.profile b/etc/spotify.profile
index 73d427db3..24e5c1023 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -7,16 +7,13 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
-# Whitelist the folders needed by Spotify - This is more restrictive
-# than a blacklist though, but this is all spotify requires for
-# streaming audio
+# Whitelist the folders needed by Spotify
 mkdir ${HOME}/.config/spotify
 whitelist ${HOME}/.config/spotify
 mkdir ${HOME}/.local/share/spotify
 whitelist ${HOME}/.local/share/spotify
 mkdir ${HOME}/.cache/spotify
 whitelist ${HOME}/.cache/spotify
-include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
@@ -27,5 +24,24 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
 
-#private-bin spotify
+private-bin spotify
+private-etc fonts,machine-id,pulse,resolv.conf
 private-dev
+private-tmp
+
+blacklist ${HOME}/.Xauthority
+blacklist ${HOME}/.bashrc
+blacklist /boot
+blacklist /lost+found
+blacklist /media
+blacklist /mnt
+blacklist /opt
+blacklist /root
+blacklist /sbin
+blacklist /srv
+blacklist /sys
+blacklist /var
+blacklist /initrd.img
+blacklist /initrd.img.old
+blacklist /vmlinuz
+blacklist /vmlinuz.old
-- 
cgit v1.2.3-54-g00ecf