Commit 00ea93e5 authored by Tad's avatar Tad

Fix comments in 88 profiles

Some other comments may also have been removed, but the bulk have been restored
parent 9e3ba319
......@@ -30,6 +30,3 @@ private-tmp
noexec ${HOME}
noexec /tmp
# CLOBBERED COMMENTS
# nosound
......@@ -17,12 +17,10 @@ nogroups
nonewprivs
noroot
protocol unix,inet,inet6
# seccomp
shell none
# private-bin amarok
private-dev
# private-etc none
private-tmp
# CLOBBERED COMMENTS
# seccomp
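Review bot: The `# seccomp` line kept near the top of this hunk (between `protocol unix,inet,inet6` and `shell none`) leaves the profile without a syscall filter and records no reason, so a later maintainer cannot tell whether it is a deliberate workaround or a leftover waiting to be re-enabled. A one-line rationale would make that state auditable, e.g. `# seccomp - disabled: <reason placeholder>; re-test before enabling`. The same applies to the restored `# seccomp` line in the later hunk headed `@@ -27,6 +27,7 @@ nonewprivs`.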
......@@ -32,6 +32,3 @@ private-dev
# private-tmp
noexec /tmp
# CLOBBERED COMMENTS
# nosound
......@@ -5,6 +5,9 @@ include /etc/firejail/caja.local
# Persistent global definitions
include /etc/firejail/globals.local
# Caja is started by systemd on most systems. Therefore it is not firejailed by default. Since there
# is already a caja process running on MATE desktops firejail will have no effect.
noblacklist ~/.config/caja
noblacklist ~/.local/share/Trash
noblacklist ~/.local/share/caja-python
......@@ -24,12 +27,8 @@ seccomp
shell none
tracelog
# caja needs to be able to start arbitrary applications so we cannot blacklist their files
# private-bin caja
# private-dev
# private-etc fonts
# private-tmp
# CLOBBERED COMMENTS
# Caja is started by systemd on most systems. Therefore it is not firejailed by default. Since there
# caja needs to be able to start arbitrary applications so we cannot blacklist their files
# is already a caja process running on MATE desktops firejail will have no effect.
......@@ -5,6 +5,8 @@ include /etc/firejail/catfish.local
# Persistent global definitions
include /etc/firejail/globals.local
# We can't blacklist much since catfish
# is for finding files/content
noblacklist ~/.config/catfish
include /etc/firejail/disable-devel.inc
......@@ -22,12 +24,8 @@ seccomp
shell none
tracelog
# These options work but are disabled in case
# a users wants to search in these directories.
# private-bin bash,catfish,env,locate,ls,mlocate,python,python2,python2.7,python3,python3.5,python3.5m,python3m
# private-dev
# private-tmp
# CLOBBERED COMMENTS
# These options work but are disabled in case
# We can't blacklist much since catfish
# a users wants to search in these directories.
# is for finding files/content
......@@ -32,6 +32,3 @@ private-tmp
noexec ${HOME}
noexec /tmp
# CLOBBERED COMMENTS
# cherrytree note taking application
......@@ -11,6 +11,7 @@ noblacklist ~/.config/chromium-flags.conf
noblacklist ~/.pki
include /etc/firejail/disable-common.inc
# chromium is distributed with a perl script on Arch
# include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
......@@ -34,8 +35,3 @@ private-dev
noexec ${HOME}
noexec /tmp
# CLOBBERED COMMENTS
# chromium is distributed with a perl script on Arch
# disable-mnt
# specific to Arch
......@@ -16,7 +16,5 @@ nonewprivs
noroot
novideo
protocol unix,inet,inet6
seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old
# CLOBBERED COMMENTS
# Clementine makes ioprio_set system calls, which are blacklisted by default.
seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old
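Review bot: The `seccomp.drop` list in this hunk names `process_vm_writev` twice and contains `mfsservctl`, which is not a Linux syscall name I recognise (the entry firejail's default blacklist drops is `nfsservctl`), so that item is not filtering what the author intended whether firejail rejects the unknown name or ignores it; it is worth correcting and then checking that the profile still loads cleanly. The restored `# Clementine makes ioprio_set system calls, which are blacklisted by default.` comment is the only record of why this profile uses a custom drop list instead of plain `seccomp`, so it belongs directly above the `seccomp.drop` line; from the rendered page I cannot tell whether it survives on the new side, since it is printed only inside the clobbered block. The second, identical `seccomp.drop` line printed below the clobbered block looks like a rendering artefact rather than two active directives, but that is worth confirming in the file.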
......@@ -25,7 +25,3 @@ shell none
tracelog
private-dev
# CLOBBERED COMMENTS
# /boot is not visible and /var is heavily modified
# /sbin and /usr/sbin are visible inside the sandbox
......@@ -22,11 +22,9 @@ seccomp
shell none
tracelog
# clvc doesn't like private-bin
# private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
private-dev
private-tmp
memory-deny-write-execute
# CLOBBERED COMMENTS
# clvc doesn't like private-bin
......@@ -27,9 +27,7 @@ protocol unix,inet,inet6
seccomp
shell none
# deluge is using python on Debian
# private-bin deluge,sh,python,uname
private-dev
private-tmp
# CLOBBERED COMMENTS
# deluge is using python on Debian
......@@ -21,6 +21,7 @@ nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
# seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group
shell none
# private-bin program
......@@ -30,6 +31,3 @@ private-tmp
noexec ${HOME}
noexec /tmp
# CLOBBERED COMMENTS
# seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group
......@@ -5,6 +5,8 @@ include /etc/firejail/dolphin.local
# Persistent global definitions
include /etc/firejail/globals.local
# warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5
noblacklist ${HOME}/.local/share/Trash
noblacklist ~/.config/dolphinrc
noblacklist ~/.local/share/dolphin
......@@ -23,11 +25,8 @@ protocol unix
seccomp
shell none
# dolphin needs to be able to start arbitrary applications so we cannot blacklist their files
# private-bin
# private-dev
# private-etc
# private-tmp
# CLOBBERED COMMENTS
# dolphin needs to be able to start arbitrary applications so we cannot blacklist their files
# warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5
......@@ -28,7 +28,3 @@ shell none
private-dev
# private-etc none
private-tmp
# CLOBBERED COMMENTS
# depending on your usage, you can enable some of the commands below:
# nosound
......@@ -28,11 +28,9 @@ tracelog
private-bin evince,evince-previewer,evince-thumbnailer
private-dev
private-etc fonts
# evince needs access to /tmp/mozilla* to work in firefox
# private-tmp
memory-deny-write-execute
noexec ${HOME}
noexec /tmp
# CLOBBERED COMMENTS
# evince needs access to /tmp/mozilla* to work in firefox
......@@ -28,6 +28,3 @@ x11 none
private-bin file
private-dev
private-etc magic.mgc,magic,localtime
# CLOBBERED COMMENTS
# noroot
......@@ -68,6 +68,3 @@ private-tmp
noexec ${HOME}
noexec /tmp
# CLOBBERED COMMENTS
# disable-mnt
......@@ -5,11 +5,17 @@ include /etc/firejail/flashpeak-slimjet.local
# Persistent global definitions
include /etc/firejail/globals.local
# This is a whitelisted profile, the internal browser sandbox
# is disabled because it requires sudo password. The command
# to run it is as follows:
# firejail flashpeak-slimjet --no-sandbox
noblacklist ~/.cache/slimjet
noblacklist ~/.config/slimjet
noblacklist ~/.pki
include /etc/firejail/disable-common.inc
# chromium is distributed with a perl script on Arch
# include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
......@@ -28,9 +34,3 @@ nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
# CLOBBERED COMMENTS
# firejail flashpeak-slimjet --no-sandbox
# chromium is distributed with a perl script on Arch
# is disabled because it requires sudo password. The command
# to run it is as follows:
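Review bot: The restored header comment documents `firejail flashpeak-slimjet --no-sandbox` but not what the flag costs: `--no-sandbox` switches off the browser's own process sandbox, so firejail becomes the only isolation layer around the browser. A reader deciding whether to use this profile should see that stated alongside the command, e.g. `# is disabled because it requires sudo password (note: this turns off the browser's own` / `# process sandbox, so firejail is the only isolation layer). The command to run it is:`. The `# chromium is distributed with a perl script on Arch` comment above `# include /etc/firejail/disable-devel.inc` explains the omission only by analogy with chromium; saying that slimjet ships the same script (if it does) would make the note stand on its own.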
......@@ -37,6 +37,3 @@ private-tmp
noexec ${HOME}
noexec /tmp
# CLOBBERED COMMENTS
# tracelog
......@@ -28,7 +28,3 @@ shell none
private-dev
# private-etc none
private-tmp
# CLOBBERED COMMENTS
# depending on your usage, you can enable some of the commands below:
# nosound
......@@ -40,7 +40,5 @@ disable-mnt
private-dev
# private-etc fonts
# private-tmp
read-only ${HOME}/.local/lib/python2.7/site-packages/
# CLOBBERED COMMENTS
# Allow the local python 2.7 site packages, in case any plugins are using these
read-only ${HOME}/.local/lib/python2.7/site-packages/
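Review bot: The `# Allow the local python 2.7 site packages, in case any plugins are using these` comment is printed only inside the clobbered block in this hunk, and the counts (`-40,7 +40,5`) fit a new side that keeps `read-only ${HOME}/.local/lib/python2.7/site-packages/` without it, so the rationale for keeping that plugin directory visible inside the sandbox appears to be dropped rather than restored. If that is what the file now looks like, restore the comment directly above the `read-only` line, since it is the only explanation a reader gets for that exception.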
......@@ -5,6 +5,9 @@ include /etc/firejail/geary.local
# Persistent global definitions
include /etc/firejail/globals.local
# Users have Geary set to open a browser by clicking a link in an email
# We are not allowed to blacklist browser-specific directories
noblacklist ~/.gnupg
noblacklist ~/.local/share/geary
......@@ -21,9 +24,5 @@ ignore private-tmp
read-only ~/.config/mimeapps.list
read-only ~/.local/share/applications
include /etc/firejail/firefox.profile
# CLOBBERED COMMENTS
# Users have Geary set to open a browser by clicking a link in an email
# We are not allowed to blacklist browser-specific directories
# allow browsers
include /etc/firejail/firefox.profile
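Review bot: The `# allow browsers` comment that explained `include /etc/firejail/firefox.profile` is printed only inside the clobbered block here, so on the new side the include, which pulls the browser profile's permissions into the mail client's sandbox after `ignore private-tmp`, is left unexplained even though the two `Users have Geary...` lines were restored at the top of the file. Restoring `# allow browsers` directly above the include would keep that intentional widening visible to anyone auditing the profile. The same applies to the icedove hunk headed `@@ -19,9 +22,5 @@ include /etc/firejail/whitelist-common.inc`.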
......@@ -5,6 +5,8 @@ include /etc/firejail/gedit.local
# Persistent global definitions
include /etc/firejail/globals.local
# when gedit is started via gnome-shell, firejail is not applied because systemd will start it
noblacklist ~/.config/gedit
include /etc/firejail/disable-common.inc
......@@ -31,6 +33,3 @@ private-tmp
noexec ${HOME}
noexec /tmp
# CLOBBERED COMMENTS
# when gedit is started via gnome-shell, firejail is not applied because systemd will start it
......@@ -26,6 +26,3 @@ shell none
# private-bin geeqie
private-dev
# private-etc X11
# CLOBBERED COMMENTS
# Experimental:
......@@ -3,6 +3,3 @@
include /etc/firejail/handbrake.profile
# CLOBBERED COMMENTS
# HandBrake
......@@ -24,10 +24,7 @@ shell none
private-dev
private-tmp
noexec /tmp
# CLOBBERED COMMENTS
# gimp
# gimp plugins are installed by the user in ~/.gimp-2.8/plug-ins/ directory
# if you are not using external plugins, you can enable noexec statement below
# noexec ${HOME}
noexec /tmp
......@@ -5,6 +5,8 @@ include /etc/firejail/gjs.local
# Persistent global definitions
include /etc/firejail/globals.local
# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
noblacklist ~/.cache/libgweather
noblacklist ~/.cache/org.gnome.Books
noblacklist ~/.config/libreoffice
......@@ -29,6 +31,3 @@ tracelog
private-dev
# private-etc fonts
private-tmp
# CLOBBERED COMMENTS
# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
......@@ -31,6 +31,3 @@ private-tmp
noexec ${HOME}
noexec /tmp
# CLOBBERED COMMENTS
# nosound
......@@ -5,6 +5,8 @@ include /etc/firejail/gnome-books.local
# Persistent global definitions
include /etc/firejail/globals.local
# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
noblacklist ~/.cache/org.gnome.Books
include /etc/firejail/disable-common.inc
......@@ -32,6 +34,3 @@ private-tmp
noexec ${HOME}
noexec /tmp
# CLOBBERED COMMENTS
# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
......@@ -33,6 +33,3 @@ private-tmp
memory-deny-write-execute
noexec ${HOME}
noexec /tmp
# CLOBBERED COMMENTS
# net none
......@@ -5,6 +5,8 @@ include /etc/firejail/gnome-documents.local
# Persistent global definitions
include /etc/firejail/globals.local
# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
noblacklist ~/.config/libreoffice
include /etc/firejail/disable-common.inc
......@@ -30,6 +32,3 @@ private-tmp
noexec ${HOME}
noexec /tmp
# CLOBBERED COMMENTS
# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
......@@ -5,6 +5,8 @@ include /etc/firejail/gnome-maps.local
# Persistent global definitions
include /etc/firejail/globals.local
# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
noblacklist ${HOME}/.cache/champlain
include /etc/firejail/disable-common.inc
......@@ -32,6 +34,3 @@ private-tmp
noexec ${HOME}
noexec /tmp
# CLOBBERED COMMENTS
# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
......@@ -5,6 +5,8 @@ include /etc/firejail/gnome-photos.local
# Persistent global definitions
include /etc/firejail/globals.local
# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
noblacklist ~/.local/share/gnome-photos
include /etc/firejail/disable-common.inc
......@@ -30,6 +32,3 @@ private-tmp
noexec ${HOME}
noexec /tmp
# CLOBBERED COMMENTS
# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
......@@ -5,6 +5,8 @@ include /etc/firejail/gnome-weather.local
# Persistent global definitions
include /etc/firejail/globals.local
# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
noblacklist ~/.cache/libgweather
include /etc/firejail/disable-common.inc
......@@ -33,6 +35,3 @@ private-tmp
noexec ${HOME}
noexec /tmp
# CLOBBERED COMMENTS
# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
......@@ -10,6 +10,7 @@ noblacklist ~/.config/google-chrome-beta
noblacklist ~/.pki
include /etc/firejail/disable-common.inc
# chromium is distributed with a perl script on Arch
# include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
......@@ -32,7 +33,3 @@ private-dev
noexec ${HOME}
noexec /tmp
# CLOBBERED COMMENTS
# chromium is distributed with a perl script on Arch
# disable-mnt
......@@ -10,6 +10,7 @@ noblacklist ~/.config/google-chrome-unstable
noblacklist ~/.pki
include /etc/firejail/disable-common.inc
# chromium is distributed with a perl script on Arch
# include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
......@@ -32,7 +33,3 @@ private-dev
noexec ${HOME}
noexec /tmp
# CLOBBERED COMMENTS
# chromium is distributed with a perl script on Arch
# disable-mnt
......@@ -10,6 +10,7 @@ noblacklist ~/.config/google-chrome
noblacklist ~/.pki
include /etc/firejail/disable-common.inc
# chromium is distributed with a perl script on Arch
# include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
......@@ -32,7 +33,3 @@ private-dev
noexec ${HOME}
noexec /tmp
# CLOBBERED COMMENTS
# chromium is distributed with a perl script on Arch
# disable-mnt
......@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
# whitelist ~/.config/pulse
# whitelist ~/.pulse
whitelist ~/.config/Google Play Music Desktop Player
include /etc/firejail/whitelist-common.inc
......@@ -32,7 +34,3 @@ private-tmp
noexec ${HOME}
noexec /tmp
# CLOBBERED COMMENTS
# whitelist ~/.config/pulse
# whitelist ~/.pulse
......@@ -34,6 +34,3 @@ private-dev
noexec ${HOME}
noexec /tmp
# CLOBBERED COMMENTS
# Experimental:
......@@ -3,6 +3,3 @@
include /etc/firejail/handbrake.profile
# CLOBBERED COMMENTS
# HandBrake
......@@ -6,6 +6,8 @@ include /etc/firejail/hexchat.local
include /etc/firejail/globals.local
noblacklist ${HOME}/.config/hexchat
# noblacklist /usr/lib/python2*
# noblacklist /usr/lib/python3*
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
......@@ -29,15 +31,10 @@ shell none
tracelog
disable-mnt
# debug note: private-bin requires perl, python, etc on some systems
private-bin hexchat
private-dev
private-tmp
noexec ${HOME}
noexec /tmp
# CLOBBERED COMMENTS
# Currently in testing (may not work for all users)
# debug note: private-bin requires perl, python, etc on some systems
# noblacklist /usr/lib/python2*
# noblacklist /usr/lib/python3*
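Review bot: The restored `# debug note: private-bin requires perl, python, etc on some systems` above `private-bin hexchat` names a failure mode without the remedy, and the `# noblacklist /usr/lib/python2*` / `# noblacklist /usr/lib/python3*` lines it relates to are kept commented out with no pointer between the two places. A reader hitting broken plugins gets more from `# debug note: private-bin requires perl, python, etc on some systems - extend private-bin` / `# (and uncomment the python noblacklist lines above) if plugins fail`. The `# Currently in testing (may not work for all users)` line is printed only inside the clobbered block, so it appears to be dropped rather than restored; that may be intended, but it is the one status line this profile had.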
......@@ -5,6 +5,9 @@ include /etc/firejail/icedove.local
# Persistent global definitions
include /etc/firejail/globals.local
# Users have icedove set to open a browser by clicking a link in an email
# We are not allowed to blacklist browser-specific directories
noblacklist ~/.cache/icedove
noblacklist ~/.gnupg
noblacklist ~/.icedove
......@@ -19,9 +22,5 @@ include /etc/firejail/whitelist-common.inc
ignore private-tmp
include /etc/firejail/firefox.profile
# CLOBBERED COMMENTS
# Users have icedove set to open a browser by clicking a link in an email
# We are not allowed to blacklist browser-specific directories
# allow browsers
include /etc/firejail/firefox.profile
......@@ -32,6 +32,3 @@ private-dev
# private-tmp
noexec /tmp
# CLOBBERED COMMENTS
# nosound
......@@ -28,6 +28,3 @@ private-tmp
noexec ${HOME}
noexec /tmp
# CLOBBERED COMMENTS
# inkscape
......@@ -9,6 +9,7 @@ noblacklist ~/.cache/iridium
noblacklist ~/.config/iridium
include /etc/firejail/disable-common.inc
# chromium/iridium is distributed with a perl script on Arch
# include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
......@@ -22,6 +23,3 @@ whitelist ~/.pki
include /etc/firejail/whitelist-common.inc
netfilter
# CLOBBERED COMMENTS
# chromium/iridium is distributed with a perl script on Arch
......@@ -27,6 +27,3 @@ private-tmp
noexec ${HOME}
noexec /tmp
# CLOBBERED COMMENTS
# novideo
......@@ -22,6 +22,7 @@ netfilter
nogroups
nonewprivs
noroot
# nosound - KWrite is using ALSA!
protocol unix
seccomp
shell none
......@@ -31,6 +32,3 @@ tracelog
private-dev
# private-etc fonts
private-tmp
# CLOBBERED COMMENTS
# nosound - KWrite is using ALSA!
......@@ -28,6 +28,3 @@ private-dev
noexec ${HOME}
noexec /tmp
# CLOBBERED COMMENTS
# whitelist /tmp/.X11-unix/
......@@ -24,9 +24,11 @@ include /etc/firejail/whitelist-common.inc
caps.drop all
netfilter
# no3d
nogroups
nonewprivs
noroot
# nosound
novideo
protocol unix,inet,inet6
seccomp
......@@ -38,7 +40,3 @@ private-tmp
noexec ${HOME}
noexec /tmp
# CLOBBERED COMMENTS
# no3d
# nosound
......@@ -29,6 +29,3 @@ private-tmp
noexec ${HOME}
noexec /tmp
# CLOBBERED COMMENTS
# luminance-hdr
......@@ -12,8 +12,6 @@ include /etc/firejail/disable-programs.inc
caps.drop all
netfilter
# noroot - somehow this breaks on Debian Jessie!
protocol unix,inet,inet6
seccomp
# CLOBBERED COMMENTS
# noroot - somehow this breaks on Debian Jessie!
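Review bot: `# noroot - somehow this breaks on Debian Jessie!` records that the root-dropping option is disabled but not how it fails, so no one can tell later whether it can be re-enabled once the platform moves on, and `noroot` is one of the few privilege reductions this profile opts out of. Suggest recording the symptom and when it was observed, e.g. `# noroot - disabled: <symptom placeholder> on Debian Jessie; re-test on newer releases`. The hunk headed `@@ -36,9 +36,7 @@ include /etc/firejail/whitelist-common.inc` (`# noroot - problems on Ubuntu 14.04`) has the same gap.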
......@@ -36,9 +36,7 @@ include /etc/firejail/whitelist-common.inc
caps.drop all
netfilter
nonewprivs
# noroot - problems on Ubuntu 14.04
protocol unix,inet,inet6,netlink
seccomp
tracelog
# CLOBBERED COMMENTS
# noroot - porblems on Ubuntu 14.04
......@@ -14,6 +14,7 @@ include /etc/firejail/disable-programs.inc
caps.drop all
netfilter
# nogroups
nonewprivs
noroot
protocol unix,inet,inet6,netlink
......@@ -26,6 +27,3 @@ private-tmp
noexec ${HOME}
noexec /tmp
# CLOBBERED COMMENTS
# nogroups
......@@ -25,6 +25,3 @@ tracelog
private-bin mpv,youtube-dl,python,python2.7,python3.6,env
private-dev
# CLOBBERED COMMENTS
# to test
......@@ -27,6 +27,7 @@ nonewprivs
noroot
novideo
protocol unix,inet,inet6
# seccomp
shell none
disable-mnt
......@@ -35,6 +36,3 @@ private-tmp
noexec ${HOME}
noexec /tmp
# CLOBBERED COMMENTS
# seccomp
......@@ -19,6 +19,7 @@ noroot
nosound
protocol unix
seccomp
# seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
shell none
tracelog
......@@ -26,9 +27,5 @@ tracelog
private-dev
private-etc fonts
private-tmp
read-only ${HOME}