# Sandbox profile in firejail directive syntax, apparently for Firefox (judging
# by the whitelisted paths). It limits the visible part of the home directory,
# gives the sandbox its own /tmp, and drops all Linux capabilities.

# Limited access to homedir contents
# Only the paths whitelisted here are exposed under the home directory inside
# the sandbox; the rest of the home directory is not reachable from the browser.
# The two Firefox state directories stay writable (no read-only rule below),
# so profile data, extensions and preferences can still be modified from
# inside the sandbox.
whitelist ~/.config/firefox
whitelist ~/.config/gtk-3.0
whitelist ~/.mozilla/firefox
whitelist ~/documents
whitelist ~/downloads
whitelist ~/pictures
# Theme settings and user data directories are visible but not modifiable, so
# a compromised browser process can read them but cannot alter or delete them.
# NOTE(review): read access to ~/documents and ~/pictures still allows
# disclosure of their contents; narrow the whitelist if that is not needed.
read-only ~/.config/gtk-3.0
read-only ~/documents
read-only ~/downloads
read-only ~/pictures
# Re-opens a single subdirectory for writing inside the otherwise read-only
# ~/downloads. This line has to stay after "read-only ~/downloads": it is an
# override of that rule.
# NOTE(review): presumably the directory must already exist and the browser
# must be configured to save into it; confirm on the target system.
read-write ~/downloads/firefox
# Use private system resources
# The sandbox gets its own /tmp instead of sharing the host's.
private-tmp
# Remove executable bits
# This is a mount restriction on /tmp, not a change to file mode bits: files
# placed in /tmp cannot be executed from there.
# NOTE(review): only /tmp is covered. The writable ~/downloads/firefox and the
# writable Firefox state directories carry no noexec rule in this file.
noexec /tmp
# Drop every Linux capability for processes in the sandbox.
# NOTE(review): no seccomp or no-new-privileges directive is visible in this
# file; check whether an included or global profile supplies them.
caps.drop all