From 21717840fa72c25d57f1b283e12b9fb6c6e1a092 Mon Sep 17 00:00:00 2001 From: jc_gargma Date: Mon, 11 Sep 2017 05:03:09 -0700 Subject: Updated firejail profile --- test/poi.profile | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) (limited to 'test') diff --git a/test/poi.profile b/test/poi.profile index 94305e2..9e28868 100644 --- a/test/poi.profile +++ b/test/poi.profile @@ -1,31 +1,38 @@ -# Persistent global definitions go here +# Firejail profile for poi +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/poi.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/poi.local noblacklist ~/.cache/smolbote noblacklist ~/.config/smolbote +noblacklist ~/.local/share/smolbote include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc + whitelist ${DOWNLOADS} mkdir ~/.cache/smolbote whitelist ~/.cache/smolbote -mkdir ~/.config/smolbote/ -whitelist ~/.config/smolbote/ +mkdir ~/.config/smolbote +whitelist ~/.config/smolbote +mkdir ~/.local/share/smolbote +whitelist ~/.local/share/smolbote ## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid caps.drop all ## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used. -## Commented out because netfliter somehow breaks smolbote if used alone. netfilter +## nodvd - Disable access to optical disk drives. +nodvd + ## nogroups - The program can only see the current user's main group. Always applied if the program is run as root. nogroups 
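Review bot: The added `nodvd` line in this hunk, together with `notv` and `disable-mnt` in the two later hunks, is only understood by firejail releases that ship those commands, and the profile does not say which release it needs. As far as I know, firejail exits with an invalid-line error when it meets a profile command it does not recognise, so on an older install the program would fail to start under this profile rather than run with fewer restrictions. I would record the requirement in the new header, e.g. `# Requires firejail <MINIMUM_VERSION> or newer (nodvd, notv, disable-mnt)`, with the version taken from the firejail release notes.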
@@ -35,6 +42,9 @@ nonewprivs ## noroot - The program can only see the current user. Requires kernel 3.8 or higher. Mutually exclusive with --chroot or --overlay or running as root. noroot +## notv - Disable access to DVB TV devices. +notv + ## protocol - Only allows sockets of the following types. Not supported on i386 architecture. protocol unix,inet,inet6,netlink @@ -48,6 +58,9 @@ shell none tracelog +## disable-mnt - Deny access to /mnt, /media, /run/mount, and /run/media +disable-mnt + ## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables. # bash required to launch from kde kickoff menu #private-bin bash,poi -- cgit v1.2.1
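Review bot: The `disable-mnt` comment in the last hunk says what is blocked but not how a user gets removable media back, and the whitelist block in the first hunk exposes only `${DOWNLOADS}` and the smolbote directories. Because the first hunk now includes `/etc/firejail/poi.local` before every other line, an `ignore` line there is read in time to take effect. I would extend the comment with `## To keep /mnt and /media reachable, add "ignore disable-mnt" to poi.local.` so the restriction is not removed by editing this file, which the header says is overwritten on update.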