1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
|
#include <tunables/global>
profile qutebrowser /usr/{local/,}bin/qutebrowser {
#include <abstractions/base>
#include <abstractions/python>
#include <abstractions/audio>
#include <abstractions/dri-common>
#include <abstractions/mesa>
#include <abstractions/X>
#include <abstractions/wayland>
#include <abstractions/qt5>
#include <abstractions/fonts>
#include <abstractions/dbus-session-strict>
#include <abstractions/nameservice>
#include <abstractions/openssl>
#include <abstractions/ssl_certs>
#include <abstractions/freedesktop.org>
#include <abstractions/user-download>
#include <abstractions/user-tmp>
# not nice but required for chromium sandbox
capability sys_admin,
capability sys_chroot,
capability sys_ptrace,
/dev/ r,
/dev/video* r,
/etc/mime.types r,
/usr/bin/ r,
/usr/bin/ldconfig ix,
/usr/bin/uname ix,
/usr/bin/qutebrowser rix,
/usr/lib/qt/libexec/QtWebEngineProcess mrix,
/usr/share/pdf.js/** r,
/usr/share/qt/translations/qtwebengine_locales/* r,
/usr/share/qt/qtwebengine_dictionaries r,
/usr/share/qt/qtwebengine_dictionaries/* r,
/usr/share/qt/resources/* r,
owner @{HOME}/ r,
owner /dev/shm/.org.chromium* rw,
owner @{HOME}/.cache/{qtshadercache,qutebrowser}/** rwlk,
owner @{HOME}/.cache/qtshadercache** rwl,
owner @{HOME}/.config/qutebrowser/** rwlk,
owner @{HOME}/.local/share/.org.chromium.Chromium* rw,
owner @{HOME}/.local/share/mime/generic-icons r,
owner @{HOME}/.local/share/qutebrowser/ r,
owner @{HOME}/.local/share/qutebrowser/** rwkl,
owner @{HOME}/.pki/nssdb/* rwk,
owner @{HOME}/#[0-9]* rwm,
owner /run/user/*/qutebrowser/ rw,
owner /run/user/*/qutebrowser/* rw,
owner /run/user/*/qutebrowser*slave-socket rwl,
owner /run/user/*/#* rw,
# qt/kde
@{PROC} r,
@{PROC}/sys/fs/inotify/max_user_watches r,
@{PROC}/sys/kernel/random/boot_id r,
@{PROC}/sys/kernel/core_pattern r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
/sys/{class,bus}/ r,
/sys/bus/pci/devices/ r,
/sys/devices/**/{class,config,device,resource,revision,removable,uevent} r,
/sys/devices/**/{vendor,subsystem_device,subsystem_vendor} r,
owner @{PROC}/@{pid}/{fd,stat,task,mounts}/ r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/task/@{pid}/status r,
owner @{PROC}/@{pid}/{setgroups,gid_map,oom_score_adj,uid_map} rw,
owner @{PROC}/@{pid}/{oom_score_adj,uid_map} rw,
# allow execution of userscripts
/usr/share/qutebrowser/userscripts/* Ux,
}
|
