path: root/etc/profile-a-l/hasher-common.profile
blob: 2f684349db04aea1605199cee8e4233badb4a627 (plain) (blame)
# This file is overwritten during software install.
# Persistent customizations should go in a .local file.
# The .local file is included first so that directives placed there (for example
# `ignore <command>`) are seen before the matching directives further down.
include hasher-common.local

# common profile for hasher/checksum tools
# A hasher only needs to *read* the files it checks, so this profile removes
# everything else (network, devices, D-Bus, X11, write access to ${HOME}).
# The commented-out lines below mark the places where read access was
# deliberately kept so that files in those locations can still be hashed.

# Hide the per-user runtime directory (${XDG_RUNTIME_DIR}: sockets, session secrets).
blacklist ${RUNUSER}

# WARNING:
# Users can (un)restrict file access for **all** hashers by commenting/uncommenting the needed
# include file(s) here or by putting those into hasher-common.local.
# Another option is to do this **per hasher** in the relevant <hasher>.local.
# Just beware that things tend to break when overtightening profiles. For example, because you only
# need to hash/check files in ${DOWNLOADS}, other applications may need access to ${HOME}/.local/share.

# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files covered by disable-common.inc.
#include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files covered by disable-programs.inc.
#include disable-programs.inc
include disable-shell.inc
include disable-write-mnt.inc
# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files covered by disable-xdg.inc.
#include disable-xdg.inc

# Process/kernel hardening: AppArmor confinement, no capabilities, no root in the
# user namespace, no privilege gain via setuid/setgid, default seccomp filter plus
# blocking of secondary (non-native) architecture syscalls.
apparmor
caps.drop all
ipc-namespace
machine-id
# Hashing is purely local: no network, only unix-domain sockets remain reachable.
net none
no3d
nodvd
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix
seccomp
seccomp.block-secondary
# Run the program directly, without a login shell.
shell none
# Log blacklist violations to syslog; useful when diagnosing an overtightened profile.
tracelog
x11 none

# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in ${HOME}/.cache.
#private-cache
# Minimal /dev: no access to raw devices.
private-dev
# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in /tmp.
#private-tmp

# No D-Bus at all; a hasher has nothing to talk to.
dbus-user none
dbus-system none

# Deny writable+executable memory mappings (W^X); a checksum tool has no need for them.
memory-deny-write-execute
# Read-only home: the tool must be able to read inputs, never modify them.
read-only ${HOME}