various profile hardening

2026-05-21 06:45:29 -06:00 · 2018-03-25 14:11:05 +02:00 · 2018-03-25 14:11:05 +02:00 · 1a8ce98198
commit 1a8ce98198
parent 82f6ec926f
5 changed files with 11 additions and 1 deletions
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@ -75,6 +75,7 @@ blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
 blacklist ${HOME}/.local/share/kglobalaccel
 blacklist ${HOME}/.local/share/kwin
 blacklist ${HOME}/.local/share/plasma
+blacklist ${HOME}/.local/share/plasmashell
 blacklist ${HOME}/.local/share/solid
 read-only ${HOME}/.cache/ksycoca5_*
 read-only ${HOME}/.config/*notifyrc
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@ -363,6 +363,7 @@ blacklist ${HOME}/.local/share/data/MuseScore
 blacklist ${HOME}/.local/share/data/qBittorrent
 blacklist ${HOME}/.local/share/dino
 blacklist ${HOME}/.local/share/dolphin
+blacklist ${HOME}/.local/share/emailidentities
 blacklist ${HOME}/.local/share/epiphany
 blacklist ${HOME}/.local/share/evolution
 blacklist ${HOME}/.local/share/feral-interactive
@ -405,6 +406,7 @@ blacklist ${HOME}/.local/share/okular
 blacklist ${HOME}/.local/share/orage
 blacklist ${HOME}/.local/share/org.kde.gwenview
 blacklist ${HOME}/.local/share/pix
+blacklist ${HOME}/.local/share/plasma_notes
 blacklist ${HOME}/.local/share/psi+
 blacklist ${HOME}/.local/share/qpdfview
 blacklist ${HOME}/.local/share/qutebrowser
--- a/etc/kate.profile
+++ b/etc/kate.profile
@ -42,4 +42,7 @@ private-dev
 # private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
 private-tmp

+# noexec ${HOME}
+noexec /tmp
+
 join-or-start kate
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@ -5,7 +5,7 @@ include /etc/firejail/kmail.local
 # Persistent global definitions
 include /etc/firejail/globals.local

-# if akonadi has a mysql backend, starting it inside this sandbox will fail
+# if akonadi has a mysql backend, starting it inside this sandbox will fail.
 # one solution is to have akonadi already running when kmail is launched

 noblacklist ${HOME}/.cache/akonadi*
@ -15,6 +15,7 @@ noblacklist ${HOME}/.config/emailidentities
 noblacklist ${HOME}/.config/kmail2rc
 noblacklist ${HOME}/.local/share/akonadi/*
 noblacklist ${HOME}/.local/share/contacts
+noblacklist ${HOME}/.local/share/emailidentities
 noblacklist ${HOME}/.local/share/kmail2
 noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.gnupg
--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@ -43,4 +43,7 @@ private-dev
 private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
 private-tmp

+noexec ${HOME}
+noexec /tmp
+
 join-or-start kwrite