Diffstat (limited to 'test/poi.profile')
| -rw-r--r-- | test/poi.profile | 56 | 
1 files changed, 37 insertions, 19 deletions
|
diff --git a/test/poi.profile b/test/poi.profile
index 9af4461..94305e2 100644
--- a/test/poi.profile
+++ b/test/poi.profile
@@ -1,52 +1,70 @@
-################################
-# Based on the Generic GUI application profile
-################################
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/poi.local
+
 noblacklist ~/.cache/smolbote
-noblacklist ~/.local/share/smolbote
+noblacklist ~/.config/smolbote
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 whitelist ${DOWNLOADS}
 mkdir ~/.cache/smolbote
 whitelist ~/.cache/smolbote
-mkdir ~/.local/share/smolbote
-whitelist ~/.local/share/smolbote
+mkdir ~/.config/smolbote/
+whitelist ~/.config/smolbote/
+
 ## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid
 caps.drop all
 ## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used.
 ## Commented out because netfliter somehow breaks smolbote if used alone.
-#netfilter
+netfilter
+
+## nogroups - The program can only see the current user's main group. Always applied if the program is run as root.
+nogroups
-##  newnewprivs - Prevents Child processes from requesting additional priviledges. If --seccomp is enabled, --nonewprivs is redundant.
+##  nownewprivs - Prevents Child processes from requesting additional priviledges. If --seccomp is enabled, --nonewprivs is redundant.
 nonewprivs
 ## noroot - The program can only see the current user. Requires kernel 3.8 or higher. Mutually exclusive with --chroot or --overlay or running as root.
 noroot
-## nogroups - The program can only see the current user's main group. Always applied if the program is run as root.
-nogroups
-
 ## protocol - Only allows sockets of the following types. Not supported on i386 architecture.
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 ## seccomp - Blacklists a large swath of syscalls from being accessible.
 seccomp
+## shell - Run the program directly, without a user shell.
+shell none
+
+## tracelog - Log all viloations to syslog
+tracelog
+
+
 ## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables.
-## Commened out until an actually package is made.
-#private-bin poi
+# bash required to launch from kde kickoff menu
+#private-bin bash,poi
+
+## private-dev - Create a virtual /dev directory. Only dri,  null,  full,  zero,  tty,  pts, ptmx, random, snd, urandom, video, log and shm devices are available.
+private-dev
 ## private-etc - Creates a virtual /etc directory containing only temporary copies of the following files and directories.
-private-etc nsswitch.conf,resolv.conf
+#private-etc nsswitch.conf,resolv.conf
 ## private-tmp - Creates a virtual /tmp directory to prevent the program from accessing the /tmp files from other programs.
 private-tmp
-## tracelog - Log all viloations to syslog
-tracelog
+
+## noexec - Prevent execution of files in the specified locations
+noexec ${HOME}
+noexec /tmp
+
 include /etc/firejail/whitelist-common.inc
|
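Review bot: Two restrictions are loosened on the new side with no reason recorded. `private-etc nsswitch.conf,resolv.conf` is now commented out, so by the profile's own description the sandbox is no longer limited to a virtual /etc holding just those two files, and `protocol` gains `netlink`. Each deserves a why-comment in the style of the one added above private-bin, for example `# private-etc disabled: <what breaks with it enabled>` and `# netlink needed for <feature>`, so a later reader can tell a deliberate trade-off from a leftover debugging change. Separately, `netfilter` is now active while the context line directly above it still reads `## Commented out because netfliter somehow breaks smolbote if used alone.`; that comment should be removed or updated. The rewritten heading `##  nownewprivs` is also still misspelled and should read `## nonewprivs`.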
