diff options
| author |  netblue30 <netblue30@yahoo.com> | 2016-03-27 09:13:22 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2016-03-27 09:13:22 -0400 |
| commit | 570f845a012c8328fcd97839b728844ae1c640f2 (patch) | |
| tree | 90b7c3428eec20d294d83511db72e6a3394df6d6 | |
| parent | lxterinal profile fix (diff) | |
| download | firejail-570f845a012c8328fcd97839b728844ae1c640f2.tar.gz firejail-570f845a012c8328fcd97839b728844ae1c640f2.tar.zst firejail-570f845a012c8328fcd97839b728844ae1c640f2.zip | |
consolidated disable-terminals into disable-common
63 files changed, 61 insertions, 93 deletions
diff --git a/Makefile.in b/Makefile.in index 5951394d7..df010c199 100644 --- a/Makefile.in +++ b/Makefile.in | |||
| @@ -145,7 +145,6 @@ realinstall: | |||
| 145 | install -c -m 0644 .etc/uget-gtk.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 145 | install -c -m 0644 .etc/uget-gtk.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
| 146 | install -c -m 0644 .etc/mupen64plus.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 146 | install -c -m 0644 .etc/mupen64plus.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
| 147 | install -c -m 0644 .etc/disable-programs.inc $(DESTDIR)/$(sysconfdir)/firejail/. | 147 | install -c -m 0644 .etc/disable-programs.inc $(DESTDIR)/$(sysconfdir)/firejail/. |
| 148 | install -c -m 0644 .etc/disable-terminals.inc $(DESTDIR)/$(sysconfdir)/firejail/. | ||
| 149 | install -c -m 0644 .etc/lxterminal.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 148 | install -c -m 0644 .etc/lxterminal.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
| 150 | install -c -m 0644 .etc/cherrytree.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 149 | install -c -m 0644 .etc/cherrytree.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
| 151 | install -c -m 0644 .etc/wesnoth.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 150 | install -c -m 0644 .etc/wesnoth.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
diff --git a/etc/Mathematica.profile b/etc/Mathematica.profile index c3ce7b618..1ee50b4d4 100644 --- a/etc/Mathematica.profile +++ b/etc/Mathematica.profile | |||
| @@ -5,10 +5,11 @@ mkdir ~/.Wolfram Research | |||
| 5 | whitelist ~/.Wolfram Research | 5 | whitelist ~/.Wolfram Research |
| 6 | whitelist ~/Documents/Wolfram Mathematica | 6 | whitelist ~/Documents/Wolfram Mathematica |
| 7 | include /etc/firejail/whitelist-common.inc | 7 | include /etc/firejail/whitelist-common.inc |
| 8 | |||
| 8 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
| 9 | include /etc/firejail/disable-programs.inc | 10 | include /etc/firejail/disable-programs.inc |
| 10 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
| 11 | include /etc/firejail/disable-terminals.inc | 12 | |
| 12 | caps.drop all | 13 | caps.drop all |
| 13 | seccomp | 14 | seccomp |
| 14 | noroot | 15 | noroot |
diff --git a/etc/audacious.profile b/etc/audacious.profile index 49417fbfe..690463a46 100644 --- a/etc/audacious.profile +++ b/etc/audacious.profile | |||
| @@ -2,7 +2,6 @@ | |||
| 2 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
| 3 | include /etc/firejail/disable-programs.inc | 3 | include /etc/firejail/disable-programs.inc |
| 4 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
| 5 | include /etc/firejail/disable-terminals.inc | ||
| 6 | blacklist ${HOME}/.pki/nssdb | 5 | blacklist ${HOME}/.pki/nssdb |
| 7 | blacklist ${HOME}/.lastpass | 6 | blacklist ${HOME}/.lastpass |
| 8 | blacklist ${HOME}/.keepassx | 7 | blacklist ${HOME}/.keepassx |
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile index c3bd58298..753e42480 100644 --- a/etc/bitlbee.profile +++ b/etc/bitlbee.profile | |||
| @@ -3,7 +3,6 @@ noblacklist /sbin | |||
| 3 | noblacklist /usr/sbin | 3 | noblacklist /usr/sbin |
| 4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
| 5 | include /etc/firejail/disable-programs.inc | 5 | include /etc/firejail/disable-programs.inc |
| 6 | include /etc/firejail/disable-terminals.inc | ||
| 7 | protocol unix,inet,inet6 | 6 | protocol unix,inet,inet6 |
| 8 | private | 7 | private |
| 9 | private-dev | 8 | private-dev |
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index 09e87f043..349cc7acf 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile | |||
| @@ -2,7 +2,6 @@ | |||
| 2 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
| 3 | include /etc/firejail/disable-programs.inc | 3 | include /etc/firejail/disable-programs.inc |
| 4 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
| 5 | include /etc/firejail/disable-terminals.inc | ||
| 6 | 5 | ||
| 7 | whitelist ${HOME}/cherrytree | 6 | whitelist ${HOME}/cherrytree |
| 8 | mkdir ~/.config | 7 | mkdir ~/.config |
diff --git a/etc/chromium.profile b/etc/chromium.profile index 751426db8..58f62daa2 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile | |||
| @@ -4,7 +4,6 @@ noblacklist ~/.cache/chromium | |||
| 4 | noblacklist ~/keepassx.kdbx | 4 | noblacklist ~/keepassx.kdbx |
| 5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
| 6 | include /etc/firejail/disable-programs.inc | 6 | include /etc/firejail/disable-programs.inc |
| 7 | include /etc/firejail/disable-terminals.inc | ||
| 8 | 7 | ||
| 9 | # chromium is distributed with a perl script on Arch | 8 | # chromium is distributed with a perl script on Arch |
| 10 | # include /etc/firejail/disable-devel.inc | 9 | # include /etc/firejail/disable-devel.inc |
diff --git a/etc/clementine.profile b/etc/clementine.profile index 4737541db..cc0614551 100644 --- a/etc/clementine.profile +++ b/etc/clementine.profile | |||
| @@ -1,7 +1,6 @@ | |||
| 1 | # Clementine media player profile | 1 | # Clementine media player profile |
| 2 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
| 3 | include /etc/firejail/disable-programs.inc | 3 | include /etc/firejail/disable-programs.inc |
| 4 | include /etc/firejail/disable-terminals.inc | ||
| 5 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
| 6 | blacklist ${HOME}/.pki/nssdb | 5 | blacklist ${HOME}/.pki/nssdb |
| 7 | blacklist ${HOME}/.lastpass | 6 | blacklist ${HOME}/.lastpass |
diff --git a/etc/conkeror.profile b/etc/conkeror.profile index 57fedac61..67e529d0a 100644 --- a/etc/conkeror.profile +++ b/etc/conkeror.profile | |||
| @@ -2,7 +2,6 @@ | |||
| 2 | noblacklist ${HOME}/.conkeror.mozdev.org | 2 | noblacklist ${HOME}/.conkeror.mozdev.org |
| 3 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
| 4 | include /etc/firejail/disable-programs.inc | 4 | include /etc/firejail/disable-programs.inc |
| 5 | include /etc/firejail/disable-terminals.inc | ||
| 6 | caps.drop all | 5 | caps.drop all |
| 7 | seccomp | 6 | seccomp |
| 8 | protocol unix,inet,inet6 | 7 | protocol unix,inet,inet6 |
diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile index 4f222947f..89661d83c 100644 --- a/etc/deadbeef.profile +++ b/etc/deadbeef.profile | |||
| @@ -2,7 +2,6 @@ | |||
| 2 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
| 3 | include /etc/firejail/disable-programs.inc | 3 | include /etc/firejail/disable-programs.inc |
| 4 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
| 5 | include /etc/firejail/disable-terminals.inc | ||
| 6 | blacklist ${HOME}/.pki/nssdb | 5 | blacklist ${HOME}/.pki/nssdb |
| 7 | blacklist ${HOME}/.lastpass | 6 | blacklist ${HOME}/.lastpass |
| 8 | blacklist ${HOME}/.keepassx | 7 | blacklist ${HOME}/.keepassx |
diff --git a/etc/deluge.profile b/etc/deluge.profile index aeafb7a4a..eef2a42ee 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile | |||
| @@ -2,7 +2,6 @@ | |||
| 2 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
| 3 | include /etc/firejail/disable-programs.inc | 3 | include /etc/firejail/disable-programs.inc |
| 4 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
| 5 | include /etc/firejail/disable-terminals.inc | ||
| 6 | blacklist ${HOME}/.pki/nssdb | 5 | blacklist ${HOME}/.pki/nssdb |
| 7 | blacklist ${HOME}/.lastpass | 6 | blacklist ${HOME}/.lastpass |
| 8 | blacklist ${HOME}/.keepassx | 7 | blacklist ${HOME}/.keepassx |
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index cb356dcf7..71439e10d 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
| @@ -125,3 +125,9 @@ blacklist /usr/local/sbin | |||
| 125 | 125 | ||
| 126 | # prevent lxterminal connecting to an existing lxterminal session | 126 | # prevent lxterminal connecting to an existing lxterminal session |
| 127 | blacklist /tmp/.lxterminal-socket* | 127 | blacklist /tmp/.lxterminal-socket* |
| 128 | |||
| 129 | # disable terminals running as server | ||
| 130 | blacklist ${PATH}/gnome-terminal | ||
| 131 | blacklist ${PATH}/gnome-terminal.wrapper | ||
| 132 | blacklist ${PATH}/xfce4-terminal | ||
| 133 | blacklist ${PATH}/xfce4-terminal.wrapper | ||
diff --git a/etc/disable-mgmt.inc b/etc/disable-mgmt.inc deleted file mode 100644 index e69de29bb..000000000 --- a/etc/disable-mgmt.inc +++ /dev/null | |||
diff --git a/etc/disable-secret.inc b/etc/disable-secret.inc deleted file mode 100644 index 7d29cda31..000000000 --- a/etc/disable-secret.inc +++ /dev/null | |||
| @@ -1,23 +0,0 @@ | |||
| 1 | # HOME directory | ||
| 2 | blacklist ${HOME}/.ssh | ||
| 3 | blacklist ${HOME}/.gnome2/keyrings | ||
| 4 | blacklist ${HOME}/kde4/share/apps/kwallet | ||
| 5 | blacklist ${HOME}/kde/share/apps/kwallet | ||
| 6 | blacklist ${HOME}/.local/share/kwalletd | ||
| 7 | blacklist ${HOME}/.netrc | ||
| 8 | blacklist ${HOME}/.gnupg | ||
| 9 | blacklist ${HOME}/*.kdbx | ||
| 10 | blacklist ${HOME}/*.kdb | ||
| 11 | blacklist ${HOME}/*.key | ||
| 12 | blacklist /etc/shadow | ||
| 13 | blacklist /etc/gshadow | ||
| 14 | blacklist /etc/passwd- | ||
| 15 | blacklist /etc/group- | ||
| 16 | blacklist /etc/shadow- | ||
| 17 | blacklist /etc/gshadow- | ||
| 18 | blacklist /etc/passwd+ | ||
| 19 | blacklist /etc/group+ | ||
| 20 | blacklist /etc/shadow+ | ||
| 21 | blacklist /etc/gshadow+ | ||
| 22 | blacklist /etc/ssh | ||
| 23 | blacklist /var/backup | ||
diff --git a/etc/disable-terminals.inc b/etc/disable-terminals.inc deleted file mode 100644 index c9db48087..000000000 --- a/etc/disable-terminals.inc +++ /dev/null | |||
| @@ -1,5 +0,0 @@ | |||
| 1 | # disable terminals running as server | ||
| 2 | blacklist ${PATH}/gnome-terminal | ||
| 3 | blacklist ${PATH}/gnome-terminal.wrapper | ||
| 4 | blacklist ${PATH}/xfce4-terminal | ||
| 5 | blacklist ${PATH}/xfce4-terminal.wrapper | ||
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile index 368830f15..dc6b783ee 100644 --- a/etc/dnscrypt-proxy.profile +++ b/etc/dnscrypt-proxy.profile | |||
| @@ -4,7 +4,6 @@ noblacklist /usr/sbin | |||
| 4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
| 5 | include /etc/firejail/disable-programs.inc | 5 | include /etc/firejail/disable-programs.inc |
| 6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
| 7 | include /etc/firejail/disable-terminals.inc | ||
| 8 | private | 7 | private |
| 9 | private-dev | 8 | private-dev |
| 10 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open | 9 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open |
diff --git a/etc/dropbox.profile b/etc/dropbox.profile index d31d1be8f..3b48f0d49 100644 --- a/etc/dropbox.profile +++ b/etc/dropbox.profile | |||
| @@ -1,7 +1,6 @@ | |||
| 1 | # dropbox profile | 1 | # dropbox profile |
| 2 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
| 3 | include /etc/firejail/disable-programs.inc | 3 | include /etc/firejail/disable-programs.inc |
| 4 | include /etc/firejail/disable-terminals.inc | ||
| 5 | blacklist ${HOME}/.pki/nssdb | 4 | blacklist ${HOME}/.pki/nssdb |
| 6 | blacklist ${HOME}/.lastpass | 5 | blacklist ${HOME}/.lastpass |
| 7 | blacklist ${HOME}/.keepassx | 6 | blacklist ${HOME}/.keepassx |
diff --git a/etc/empathy.profile b/etc/empathy.profile index 46a69120b..1c46f8b3e 100644 --- a/etc/empathy.profile +++ b/etc/empathy.profile | |||
| @@ -2,7 +2,6 @@ | |||
| 2 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
| 3 | include /etc/firejail/disable-programs.inc | 3 | include /etc/firejail/disable-programs.inc |
| 4 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
| 5 | include /etc/firejail/disable-terminals.inc | ||
| 6 | blacklist ${HOME}/.wine | 5 | blacklist ${HOME}/.wine |
| 7 | caps.drop all | 6 | caps.drop all |
| 8 | seccomp | 7 | seccomp |
diff --git a/etc/epiphany.profile b/etc/epiphany.profile index b06e6ea78..319d2b177 100644 --- a/etc/epiphany.profile +++ b/etc/epiphany.profile | |||
| @@ -2,7 +2,7 @@ | |||
| 2 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
| 3 | include /etc/firejail/disable-programs.inc | 3 | include /etc/firejail/disable-programs.inc |
| 4 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
| 5 | include /etc/firejail/disable-terminals.inc | 5 | |
| 6 | whitelist ${DOWNLOADS} | 6 | whitelist ${DOWNLOADS} |
| 7 | mkdir ${HOME}/.local | 7 | mkdir ${HOME}/.local |
| 8 | mkdir ${HOME}/.local/share | 8 | mkdir ${HOME}/.local/share |
diff --git a/etc/evince.profile b/etc/evince.profile index 7b81c0453..13b342f06 100644 --- a/etc/evince.profile +++ b/etc/evince.profile | |||
| @@ -2,7 +2,7 @@ | |||
| 2 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
| 3 | include /etc/firejail/disable-programs.inc | 3 | include /etc/firejail/disable-programs.inc |
| 4 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
| 5 | include /etc/firejail/disable-terminals.inc | 5 | |
| 6 | blacklist ${HOME}/.pki/nssdb | 6 | blacklist ${HOME}/.pki/nssdb |
| 7 | blacklist ${HOME}/.lastpass | 7 | blacklist ${HOME}/.lastpass |
| 8 | blacklist ${HOME}/.keepassx | 8 | blacklist ${HOME}/.keepassx |
diff --git a/etc/fbreader.profile b/etc/fbreader.profile index e7d61160e..4b45208d7 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile | |||
| @@ -3,7 +3,7 @@ noblacklist ${HOME}/.FBReader | |||
| 3 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
| 4 | include /etc/firejail/disable-programs.inc | 4 | include /etc/firejail/disable-programs.inc |
| 5 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
| 6 | include /etc/firejail/disable-terminals.inc | 6 | |
| 7 | blacklist ${HOME}/.pki/nssdb | 7 | blacklist ${HOME}/.pki/nssdb |
| 8 | blacklist ${HOME}/.lastpass | 8 | blacklist ${HOME}/.lastpass |
| 9 | blacklist ${HOME}/.keepassx | 9 | blacklist ${HOME}/.keepassx |
diff --git a/etc/filezilla.profile b/etc/filezilla.profile index 39689e717..09e56b1ce 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile | |||
| @@ -4,7 +4,7 @@ noblacklist ${HOME}/.config/filezilla | |||
| 4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
| 5 | include /etc/firejail/disable-programs.inc | 5 | include /etc/firejail/disable-programs.inc |
| 6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
| 7 | include /etc/firejail/disable-terminals.inc | 7 | |
| 8 | blacklist ${HOME}/.wine | 8 | blacklist ${HOME}/.wine |
| 9 | caps.drop all | 9 | caps.drop all |
| 10 | seccomp | 10 | seccomp |
diff --git a/etc/firefox.profile b/etc/firefox.profile index f23f84097..2d2716256 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile | |||
| @@ -6,7 +6,6 @@ noblacklist ~/keepassx.kdbx | |||
| 6 | include /etc/firejail/disable-common.inc | 6 | include /etc/firejail/disable-common.inc |
| 7 | include /etc/firejail/disable-programs.inc | 7 | include /etc/firejail/disable-programs.inc |
| 8 | include /etc/firejail/disable-devel.inc | 8 | include /etc/firejail/disable-devel.inc |
| 9 | include /etc/firejail/disable-terminals.inc | ||
| 10 | 9 | ||
| 11 | caps.drop all | 10 | caps.drop all |
| 12 | seccomp | 11 | seccomp |
diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile index 613ef6652..3f6af42b1 100644 --- a/etc/flashpeak-slimjet.profile +++ b/etc/flashpeak-slimjet.profile | |||
| @@ -10,7 +10,6 @@ noblacklist ~/.cache/slimjet | |||
| 10 | noblacklist ~/keepassx.kdbx | 10 | noblacklist ~/keepassx.kdbx |
| 11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | 12 | include /etc/firejail/disable-programs.inc |
| 13 | include /etc/firejail/disable-terminals.inc | ||
| 14 | 13 | ||
| 15 | # chromium is distributed with a perl script on Arch | 14 | # chromium is distributed with a perl script on Arch |
| 16 | # include /etc/firejail/disable-devel.inc | 15 | # include /etc/firejail/disable-devel.inc |
diff --git a/etc/generic.profile b/etc/generic.profile index ae42c8a3b..2bf7a0703 100644 --- a/etc/generic.profile +++ b/etc/generic.profile | |||
| @@ -3,7 +3,7 @@ | |||
| 3 | ################################ | 3 | ################################ |
| 4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
| 5 | include /etc/firejail/disable-programs.inc | 5 | include /etc/firejail/disable-programs.inc |
| 6 | include /etc/firejail/disable-terminals.inc | 6 | |
| 7 | blacklist ${HOME}/.pki/nssdb | 7 | blacklist ${HOME}/.pki/nssdb |
| 8 | blacklist ${HOME}/.lastpass | 8 | blacklist ${HOME}/.lastpass |
| 9 | blacklist ${HOME}/.keepassx | 9 | blacklist ${HOME}/.keepassx |
diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile index 2313f36fc..1138a73bd 100644 --- a/etc/gnome-mplayer.profile +++ b/etc/gnome-mplayer.profile | |||
| @@ -2,7 +2,7 @@ | |||
| 2 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
| 3 | include /etc/firejail/disable-programs.inc | 3 | include /etc/firejail/disable-programs.inc |
| 4 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
| 5 | include /etc/firejail/disable-terminals.inc | 5 | |
| 6 | blacklist ${HOME}/.pki/nssdb | 6 | blacklist ${HOME}/.pki/nssdb |
| 7 | blacklist ${HOME}/.lastpass | 7 | blacklist ${HOME}/.lastpass |
| 8 | blacklist ${HOME}/.keepassx | 8 | blacklist ${HOME}/.keepassx |
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile index 57c224191..8ca049778 100644 --- a/etc/google-chrome-beta.profile +++ b/etc/google-chrome-beta.profile | |||
| @@ -4,7 +4,6 @@ noblacklist ~/.cache/google-chrome-beta | |||
| 4 | noblacklist ~/keepassx.kdbx | 4 | noblacklist ~/keepassx.kdbx |
| 5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
| 6 | include /etc/firejail/disable-programs.inc | 6 | include /etc/firejail/disable-programs.inc |
| 7 | include /etc/firejail/disable-terminals.inc | ||
| 8 | 7 | ||
| 9 | # chromium is distributed with a perl script on Arch | 8 | # chromium is distributed with a perl script on Arch |
| 10 | # include /etc/firejail/disable-devel.inc | 9 | # include /etc/firejail/disable-devel.inc |
diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile index e222ccf54..3e238d8f8 100644 --- a/etc/google-chrome-unstable.profile +++ b/etc/google-chrome-unstable.profile | |||
| @@ -4,7 +4,6 @@ noblacklist ~/.cache/google-chrome-unstable | |||
| 4 | noblacklist ~/keepassx.kdbx | 4 | noblacklist ~/keepassx.kdbx |
| 5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
| 6 | include /etc/firejail/disable-programs.inc | 6 | include /etc/firejail/disable-programs.inc |
| 7 | include /etc/firejail/disable-terminals.inc | ||
| 8 | 7 | ||
| 9 | # chromium is distributed with a perl script on Arch | 8 | # chromium is distributed with a perl script on Arch |
| 10 | # include /etc/firejail/disable-devel.inc | 9 | # include /etc/firejail/disable-devel.inc |
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile index 767f73f88..afc57f948 100644 --- a/etc/google-chrome.profile +++ b/etc/google-chrome.profile | |||
| @@ -4,7 +4,6 @@ noblacklist ~/.cache/google-chrome | |||
| 4 | noblacklist ~/keepassx.kdbx | 4 | noblacklist ~/keepassx.kdbx |
| 5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
| 6 | include /etc/firejail/disable-programs.inc | 6 | include /etc/firejail/disable-programs.inc |
| 7 | include /etc/firejail/disable-terminals.inc | ||
| 8 | 7 | ||
| 9 | # chromium is distributed with a perl script on Arch | 8 | # chromium is distributed with a perl script on Arch |
| 10 | # include /etc/firejail/disable-devel.inc | 9 | # include /etc/firejail/disable-devel.inc |
diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile index a9f1da373..13a311070 100644 --- a/etc/hedgewars.profile +++ b/etc/hedgewars.profile | |||
| @@ -3,12 +3,10 @@ | |||
| 3 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
| 4 | include /etc/firejail/disable-programs.inc | 4 | include /etc/firejail/disable-programs.inc |
| 5 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
| 6 | include /etc/firejail/disable-terminals.inc | ||
| 7 | 6 | ||
| 8 | caps.drop all | 7 | caps.drop all |
| 9 | noroot | 8 | noroot |
| 10 | private-dev | 9 | private-dev |
| 11 | whitelist /tmp/.X11-unix | ||
| 12 | seccomp | 10 | seccomp |
| 13 | tracelog | 11 | tracelog |
| 14 | 12 | ||
diff --git a/etc/hexchat.profile b/etc/hexchat.profile index 6ceeaefce..8f6fd6217 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile | |||
| @@ -3,7 +3,7 @@ noblacklist ${HOME}/.config/hexchat | |||
| 3 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
| 4 | include /etc/firejail/disable-programs.inc | 4 | include /etc/firejail/disable-programs.inc |
| 5 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
| 6 | include /etc/firejail/disable-terminals.inc | 6 | |
| 7 | caps.drop all | 7 | caps.drop all |
| 8 | seccomp | 8 | seccomp |
| 9 | protocol unix,inet,inet6 | 9 | protocol unix,inet,inet6 |
diff --git a/etc/kmail.profile b/etc/kmail.profile index 35a1a15a0..78e72a7a7 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile | |||
| @@ -3,12 +3,13 @@ noblacklist ${HOME}/.gnupg | |||
| 3 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
| 4 | include /etc/firejail/disable-programs.inc | 4 | include /etc/firejail/disable-programs.inc |
| 5 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
| 6 | include /etc/firejail/disable-terminals.inc | 6 | |
| 7 | blacklist ${HOME}/.pki/nssdb | 7 | blacklist ${HOME}/.pki/nssdb |
| 8 | blacklist ${HOME}/.lastpass | 8 | blacklist ${HOME}/.lastpass |
| 9 | blacklist ${HOME}/.keepassx | 9 | blacklist ${HOME}/.keepassx |
| 10 | blacklist ${HOME}/.password-store | 10 | blacklist ${HOME}/.password-store |
| 11 | blacklist ${HOME}/.wine | 11 | blacklist ${HOME}/.wine |
| 12 | |||
| 12 | caps.drop all | 13 | caps.drop all |
| 13 | seccomp | 14 | seccomp |
| 14 | protocol unix,inet,inet6,netlink | 15 | protocol unix,inet,inet6,netlink |
diff --git a/etc/lxterminal.profile b/etc/lxterminal.profile index e98ac0b83..88a7a8c7a 100644 --- a/etc/lxterminal.profile +++ b/etc/lxterminal.profile | |||
| @@ -2,14 +2,14 @@ | |||
| 2 | 2 | ||
| 3 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
| 4 | include /etc/firejail/disable-programs.inc | 4 | include /etc/firejail/disable-programs.inc |
| 5 | |||
| 5 | blacklist ${HOME}/.pki/nssdb | 6 | blacklist ${HOME}/.pki/nssdb |
| 6 | blacklist ${HOME}/.lastpass | 7 | blacklist ${HOME}/.lastpass |
| 7 | blacklist ${HOME}/.keepassx | 8 | blacklist ${HOME}/.keepassx |
| 8 | blacklist ${HOME}/.password-store | 9 | blacklist ${HOME}/.password-store |
| 10 | |||
| 9 | caps.drop all | 11 | caps.drop all |
| 10 | seccomp | 12 | seccomp |
| 11 | protocol unix,inet,inet6 | 13 | protocol unix,inet,inet6 |
| 12 | netfilter | 14 | netfilter |
| 13 | |||
| 14 | #noroot - somehow this breaks on Debian Jessie! | 15 | #noroot - somehow this breaks on Debian Jessie! |
| 15 | |||
diff --git a/etc/midori.profile b/etc/midori.profile index 1cd686bfe..7fc27e07c 100644 --- a/etc/midori.profile +++ b/etc/midori.profile | |||
| @@ -3,7 +3,7 @@ noblacklist ${HOME}/.config/midori | |||
| 3 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
| 4 | include /etc/firejail/disable-programs.inc | 4 | include /etc/firejail/disable-programs.inc |
| 5 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
| 6 | include /etc/firejail/disable-terminals.inc | 6 | |
| 7 | caps.drop all | 7 | caps.drop all |
| 8 | seccomp | 8 | seccomp |
| 9 | protocol unix,inet,inet6 | 9 | protocol unix,inet,inet6 |
diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile index 5a4ad4f24..45dc4757f 100644 --- a/etc/mupen64plus.profile +++ b/etc/mupen64plus.profile | |||
| @@ -3,7 +3,7 @@ | |||
| 3 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
| 4 | include /etc/firejail/disable-programs.inc | 4 | include /etc/firejail/disable-programs.inc |
| 5 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
| 6 | include /etc/firejail/disable-terminals.inc | 6 | |
| 7 | mkdir ${HOME}/.local | 7 | mkdir ${HOME}/.local |
| 8 | mkdir ${HOME}/.local/share | 8 | mkdir ${HOME}/.local/share |
| 9 | mkdir ${HOME}/.local/share/mupen64plus | 9 | mkdir ${HOME}/.local/share/mupen64plus |
| @@ -11,6 +11,7 @@ whitelist ${HOME}/.local/share/mupen64plus/ | |||
| 11 | mkdir ${HOME}/.config | 11 | mkdir ${HOME}/.config |
| 12 | mkdir ${HOME}/.config/mupen64plus | 12 | mkdir ${HOME}/.config/mupen64plus |
| 13 | whitelist ${HOME}/.config/mupen64plus/ | 13 | whitelist ${HOME}/.config/mupen64plus/ |
| 14 | |||
| 14 | noroot | 15 | noroot |
| 15 | caps.drop all | 16 | caps.drop all |
| 16 | seccomp | 17 | seccomp |
diff --git a/etc/openbox.profile b/etc/openbox.profile index 42eb5e9fa..8a46e6841 100644 --- a/etc/openbox.profile +++ b/etc/openbox.profile | |||
| @@ -1,12 +1,15 @@ | |||
| 1 | ################################ | 1 | ################################ |
| 2 | # Generic GUI application profile | 2 | # OpenBox window manager profile |
| 3 | # - all applications started in OpenBox will run in | ||
| 4 | # this profile | ||
| 3 | ################################ | 5 | ################################ |
| 4 | include /etc/firejail/disable-common.inc | 6 | include /etc/firejail/disable-common.inc |
| 5 | include /etc/firejail/disable-terminals.inc | 7 | |
| 6 | blacklist ${HOME}/.pki/nssdb | 8 | blacklist ${HOME}/.pki/nssdb |
| 7 | blacklist ${HOME}/.lastpass | 9 | blacklist ${HOME}/.lastpass |
| 8 | blacklist ${HOME}/.keepassx | 10 | blacklist ${HOME}/.keepassx |
| 9 | blacklist ${HOME}/.password-store | 11 | blacklist ${HOME}/.password-store |
| 12 | |||
| 10 | caps.drop all | 13 | caps.drop all |
| 11 | seccomp | 14 | seccomp |
| 12 | protocol unix,inet,inet6 | 15 | protocol unix,inet,inet6 |
diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile index 9659b30de..7b74d6dd1 100644 --- a/etc/opera-beta.profile +++ b/etc/opera-beta.profile | |||
| @@ -5,7 +5,6 @@ noblacklist ~/keepassx.kdbx | |||
| 5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
| 6 | include /etc/firejail/disable-programs.inc | 6 | include /etc/firejail/disable-programs.inc |
| 7 | include /etc/firejail/disable-devel.inc | 7 | include /etc/firejail/disable-devel.inc |
| 8 | include /etc/firejail/disable-terminals.inc | ||
| 9 | 8 | ||
| 10 | netfilter | 9 | netfilter |
| 11 | 10 | ||
diff --git a/etc/opera.profile b/etc/opera.profile index 3c8868896..2d7a9ca06 100644 --- a/etc/opera.profile +++ b/etc/opera.profile | |||
| @@ -5,7 +5,6 @@ noblacklist ~/keepassx.kdbx | |||
| 5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
| 6 | include /etc/firejail/disable-programs.inc | 6 | include /etc/firejail/disable-programs.inc |
| 7 | include /etc/firejail/disable-devel.inc | 7 | include /etc/firejail/disable-devel.inc |
| 8 | include /etc/firejail/disable-terminals.inc | ||
| 9 | 8 | ||
| 10 | netfilter | 9 | netfilter |
| 11 | 10 | ||
diff --git a/etc/parole.profile b/etc/parole.profile index 3369b191c..9f63e5b16 100644 --- a/etc/parole.profile +++ b/etc/parole.profile | |||
| @@ -2,13 +2,15 @@ | |||
| 2 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
| 3 | include /etc/firejail/disable-programs.inc | 3 | include /etc/firejail/disable-programs.inc |
| 4 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
| 5 | include /etc/firejail/disable-terminals.inc | 5 | |
| 6 | private-etc passwd,group,fonts | 6 | private-etc passwd,group,fonts |
| 7 | private-bin parole,dbus-launch | 7 | private-bin parole,dbus-launch |
| 8 | |||
| 8 | blacklist ${HOME}/.pki/nssdb | 9 | blacklist ${HOME}/.pki/nssdb |
| 9 | blacklist ${HOME}/.lastpass | 10 | blacklist ${HOME}/.lastpass |
| 10 | blacklist ${HOME}/.keepassx | 11 | blacklist ${HOME}/.keepassx |
| 11 | blacklist ${HOME}/.password-store | 12 | blacklist ${HOME}/.password-store |
| 13 | |||
| 12 | caps.drop all | 14 | caps.drop all |
| 13 | seccomp | 15 | seccomp |
| 14 | protocol unix,inet,inet6 | 16 | protocol unix,inet,inet6 |
diff --git a/etc/pidgin.profile b/etc/pidgin.profile index 8080a8905..ea5d82103 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile | |||
| @@ -3,8 +3,9 @@ noblacklist ${HOME}/.purple | |||
| 3 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
| 4 | include /etc/firejail/disable-programs.inc | 4 | include /etc/firejail/disable-programs.inc |
| 5 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
| 6 | include /etc/firejail/disable-terminals.inc | 6 | |
| 7 | blacklist ${HOME}/.wine | 7 | blacklist ${HOME}/.wine |
| 8 | |||
| 8 | caps.drop all | 9 | caps.drop all |
| 9 | seccomp | 10 | seccomp |
| 10 | protocol unix,inet,inet6 | 11 | protocol unix,inet,inet6 |
diff --git a/etc/polari.profile b/etc/polari.profile index 5e40aedf5..0bc46f3f7 100644 --- a/etc/polari.profile +++ b/etc/polari.profile | |||
| @@ -2,7 +2,7 @@ | |||
| 2 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
| 3 | include /etc/firejail/disable-programs.inc | 3 | include /etc/firejail/disable-programs.inc |
| 4 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
| 5 | include /etc/firejail/disable-terminals.inc | 5 | |
| 6 | mkdir ${HOME}/.local | 6 | mkdir ${HOME}/.local |
| 7 | mkdir ${HOME}/.local/share/ | 7 | mkdir ${HOME}/.local/share/ |
| 8 | mkdir ${HOME}/.local/share/Empathy | 8 | mkdir ${HOME}/.local/share/Empathy |
| @@ -20,6 +20,7 @@ whitelist ${HOME}/.cache/telepathy | |||
| 20 | mkdir ${HOME}/.purple | 20 | mkdir ${HOME}/.purple |
| 21 | whitelist ${HOME}/.purple | 21 | whitelist ${HOME}/.purple |
| 22 | include /etc/firejail/whitelist-common.inc | 22 | include /etc/firejail/whitelist-common.inc |
| 23 | |||
| 23 | caps.drop all | 24 | caps.drop all |
| 24 | seccomp | 25 | seccomp |
| 25 | protocol unix,inet,inet6 | 26 | protocol unix,inet,inet6 |
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index 87afb78a6..9ad073b05 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile | |||
| @@ -2,12 +2,13 @@ | |||
| 2 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
| 3 | include /etc/firejail/disable-programs.inc | 3 | include /etc/firejail/disable-programs.inc |
| 4 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
| 5 | include /etc/firejail/disable-terminals.inc | 5 | |
| 6 | blacklist ${HOME}/.pki/nssdb | 6 | blacklist ${HOME}/.pki/nssdb |
| 7 | blacklist ${HOME}/.lastpass | 7 | blacklist ${HOME}/.lastpass |
| 8 | blacklist ${HOME}/.keepassx | 8 | blacklist ${HOME}/.keepassx |
| 9 | blacklist ${HOME}/.password-store | 9 | blacklist ${HOME}/.password-store |
| 10 | blacklist ${HOME}/.wine | 10 | blacklist ${HOME}/.wine |
| 11 | |||
| 11 | caps.drop all | 12 | caps.drop all |
| 12 | seccomp | 13 | seccomp |
| 13 | protocol unix,inet,inet6 | 14 | protocol unix,inet,inet6 |
diff --git a/etc/qtox.profile b/etc/qtox.profile index 976e80c31..80acc3873 100644 --- a/etc/qtox.profile +++ b/etc/qtox.profile | |||
| @@ -3,11 +3,12 @@ noblacklist ${HOME}/.config/tox | |||
| 3 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
| 4 | include /etc/firejail/disable-programs.inc | 4 | include /etc/firejail/disable-programs.inc |
| 5 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
| 6 | include /etc/firejail/disable-terminals.inc | 6 | |
| 7 | mkdir ${HOME}/.config/tox | 7 | mkdir ${HOME}/.config/tox |
| 8 | whitelist ${HOME}/.config/tox | 8 | whitelist ${HOME}/.config/tox |
| 9 | whitelist ${DOWNLOADS} | 9 | whitelist ${DOWNLOADS} |
| 10 | include /etc/firejail/whitelist-common.inc | 10 | include /etc/firejail/whitelist-common.inc |
| 11 | |||
| 11 | caps.drop all | 12 | caps.drop all |
| 12 | seccomp | 13 | seccomp |
| 13 | protocol unix,inet,inet6 | 14 | protocol unix,inet,inet6 |
diff --git a/etc/quassel.profile b/etc/quassel.profile index 073b50623..1fba23784 100644 --- a/etc/quassel.profile +++ b/etc/quassel.profile | |||
| @@ -2,8 +2,9 @@ | |||
| 2 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
| 3 | include /etc/firejail/disable-programs.inc | 3 | include /etc/firejail/disable-programs.inc |
| 4 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
| 5 | include /etc/firejail/disable-terminals.inc | 5 | |
| 6 | blacklist ${HOME}/.wine | 6 | blacklist ${HOME}/.wine |
| 7 | |||
| 7 | caps.drop all | 8 | caps.drop all |
| 8 | seccomp | 9 | seccomp |
| 9 | protocol unix,inet,inet6 | 10 | protocol unix,inet,inet6 |
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile index 31b075c7a..3b7bf2d55 100644 --- a/etc/qutebrowser.profile +++ b/etc/qutebrowser.profile | |||
| @@ -5,8 +5,6 @@ noblacklist ~/.cache/qutebrowser | |||
| 5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
| 6 | include /etc/firejail/disable-programs.inc | 6 | include /etc/firejail/disable-programs.inc |
| 7 | include /etc/firejail/disable-devel.inc | 7 | include /etc/firejail/disable-devel.inc |
| 8 | include /etc/firejail/disable-terminals.inc | ||
| 9 | |||
| 10 | 8 | ||
| 11 | caps.drop all | 9 | caps.drop all |
| 12 | seccomp | 10 | seccomp |
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index 3215063fa..50838a15b 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile | |||
| @@ -2,12 +2,13 @@ | |||
| 2 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
| 3 | include /etc/firejail/disable-programs.inc | 3 | include /etc/firejail/disable-programs.inc |
| 4 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
| 5 | include /etc/firejail/disable-terminals.inc | 5 | |
| 6 | blacklist ${HOME}/.pki/nssdb | 6 | blacklist ${HOME}/.pki/nssdb |
| 7 | blacklist ${HOME}/.lastpass | 7 | blacklist ${HOME}/.lastpass |
| 8 | blacklist ${HOME}/.keepassx | 8 | blacklist ${HOME}/.keepassx |
| 9 | blacklist ${HOME}/.password-store | 9 | blacklist ${HOME}/.password-store |
| 10 | blacklist ${HOME}/.wine | 10 | blacklist ${HOME}/.wine |
| 11 | |||
| 11 | caps.drop all | 12 | caps.drop all |
| 12 | seccomp | 13 | seccomp |
| 13 | protocol unix,inet,inet6 | 14 | protocol unix,inet,inet6 |
diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index 2c6689811..5575dcd63 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile | |||
| @@ -2,7 +2,7 @@ | |||
| 2 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
| 3 | include /etc/firejail/disable-terminals.inc | 3 | include /etc/firejail/disable-terminals.inc |
| 4 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
| 5 | include /etc/firejail/disable-terminals.inc | 5 | |
| 6 | caps.drop all | 6 | caps.drop all |
| 7 | seccomp | 7 | seccomp |
| 8 | protocol unix,inet,inet6 | 8 | protocol unix,inet,inet6 |
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile index 08a6ad521..71a52b3bb 100644 --- a/etc/seamonkey.profile +++ b/etc/seamonkey.profile | |||
| @@ -5,7 +5,6 @@ noblacklist ~/keepassx.kdbx | |||
| 5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
| 6 | include /etc/firejail/disable-programs.inc | 6 | include /etc/firejail/disable-programs.inc |
| 7 | include /etc/firejail/disable-devel.inc | 7 | include /etc/firejail/disable-devel.inc |
| 8 | include /etc/firejail/disable-terminals.inc | ||
| 9 | 8 | ||
| 10 | caps.drop all | 9 | caps.drop all |
| 11 | seccomp | 10 | seccomp |
| @@ -48,8 +47,6 @@ whitelist ~/.wine-pipelight64 | |||
| 48 | whitelist ~/.config/pipelight-widevine | 47 | whitelist ~/.config/pipelight-widevine |
| 49 | whitelist ~/.config/pipelight-silverlight5.1 | 48 | whitelist ~/.config/pipelight-silverlight5.1 |
| 50 | 49 | ||
| 51 | |||
| 52 | |||
| 53 | # experimental features | 50 | # experimental features |
| 54 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | 51 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse |
| 55 | 52 | ||
diff --git a/etc/skype.profile b/etc/skype.profile index 77f10e644..26feac1a4 100644 --- a/etc/skype.profile +++ b/etc/skype.profile | |||
| @@ -3,7 +3,7 @@ noblacklist ${HOME}/.Skype | |||
| 3 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
| 4 | include /etc/firejail/disable-programs.inc | 4 | include /etc/firejail/disable-programs.inc |
| 5 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
| 6 | include /etc/firejail/disable-terminals.inc | 6 | |
| 7 | caps.drop all | 7 | caps.drop all |
| 8 | netfilter | 8 | netfilter |
| 9 | noroot | 9 | noroot |
diff --git a/etc/ssh.profile b/etc/ssh.profile index f0e33540a..32536c0a7 100644 --- a/etc/ssh.profile +++ b/etc/ssh.profile | |||
| @@ -2,11 +2,12 @@ | |||
| 2 | noblacklist ~/.ssh | 2 | noblacklist ~/.ssh |
| 3 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
| 4 | include /etc/firejail/disable-programs.inc | 4 | include /etc/firejail/disable-programs.inc |
| 5 | include /etc/firejail/disable-terminals.inc | 5 | |
| 6 | blacklist ${HOME}/.pki/nssdb | 6 | blacklist ${HOME}/.pki/nssdb |
| 7 | blacklist ${HOME}/.lastpass | 7 | blacklist ${HOME}/.lastpass |
| 8 | blacklist ${HOME}/.keepassx | 8 | blacklist ${HOME}/.keepassx |
| 9 | blacklist ${HOME}/.password-store | 9 | blacklist ${HOME}/.password-store |
| 10 | |||
| 10 | caps.drop all | 11 | caps.drop all |
| 11 | seccomp | 12 | seccomp |
| 12 | protocol unix,inet,inet6 | 13 | protocol unix,inet,inet6 |
diff --git a/etc/steam.profile b/etc/steam.profile index 7cfa21028..31ebf543e 100644 --- a/etc/steam.profile +++ b/etc/steam.profile | |||
| @@ -4,7 +4,7 @@ noblacklist ${HOME}/.local/share/steam | |||
| 4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
| 5 | include /etc/firejail/disable-programs.inc | 5 | include /etc/firejail/disable-programs.inc |
| 6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
| 7 | include /etc/firejail/disable-terminals.inc | 7 | |
| 8 | caps.drop all | 8 | caps.drop all |
| 9 | netfilter | 9 | netfilter |
| 10 | noroot | 10 | noroot |
diff --git a/etc/telegram.profile b/etc/telegram.profile index acafdda00..df6b6a270 100644 --- a/etc/telegram.profile +++ b/etc/telegram.profile | |||
| @@ -3,7 +3,6 @@ noblacklist ${HOME}/.TelegramDesktop | |||
| 3 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
| 4 | include /etc/firejail/disable-programs.inc | 4 | include /etc/firejail/disable-programs.inc |
| 5 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
| 6 | include /etc/firejail/disable-terminals.inc | ||
| 7 | 6 | ||
| 8 | caps.drop all | 7 | caps.drop all |
| 9 | seccomp | 8 | seccomp |
diff --git a/etc/totem.profile b/etc/totem.profile index 2cff319a7..ad55e320a 100644 --- a/etc/totem.profile +++ b/etc/totem.profile | |||
| @@ -2,12 +2,13 @@ | |||
| 2 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
| 3 | include /etc/firejail/disable-programs.inc | 3 | include /etc/firejail/disable-programs.inc |
| 4 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
| 5 | include /etc/firejail/disable-terminals.inc | 5 | |
| 6 | blacklist ${HOME}/.pki/nssdb | 6 | blacklist ${HOME}/.pki/nssdb |
| 7 | blacklist ${HOME}/.lastpass | 7 | blacklist ${HOME}/.lastpass |
| 8 | blacklist ${HOME}/.keepassx | 8 | blacklist ${HOME}/.keepassx |
| 9 | blacklist ${HOME}/.password-store | 9 | blacklist ${HOME}/.password-store |
| 10 | blacklist ${HOME}/.wine | 10 | blacklist ${HOME}/.wine |
| 11 | |||
| 11 | caps.drop all | 12 | caps.drop all |
| 12 | seccomp | 13 | seccomp |
| 13 | protocol unix,inet,inet6 | 14 | protocol unix,inet,inet6 |
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index 269686fa1..ac685aee4 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile | |||
| @@ -2,12 +2,13 @@ | |||
| 2 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
| 3 | include /etc/firejail/disable-programs.inc | 3 | include /etc/firejail/disable-programs.inc |
| 4 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
| 5 | include /etc/firejail/disable-terminals.inc | 5 | |
| 6 | blacklist ${HOME}/.pki/nssdb | 6 | blacklist ${HOME}/.pki/nssdb |
| 7 | blacklist ${HOME}/.lastpass | 7 | blacklist ${HOME}/.lastpass |
| 8 | blacklist ${HOME}/.keepassx | 8 | blacklist ${HOME}/.keepassx |
| 9 | blacklist ${HOME}/.password-store | 9 | blacklist ${HOME}/.password-store |
| 10 | blacklist ${HOME}/.wine | 10 | blacklist ${HOME}/.wine |
| 11 | |||
| 11 | caps.drop all | 12 | caps.drop all |
| 12 | seccomp | 13 | seccomp |
| 13 | protocol unix,inet,inet6 | 14 | protocol unix,inet,inet6 |
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index d032752b4..b8dffbece 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile | |||
| @@ -2,12 +2,13 @@ | |||
| 2 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
| 3 | include /etc/firejail/disable-programs.inc | 3 | include /etc/firejail/disable-programs.inc |
| 4 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
| 5 | include /etc/firejail/disable-terminals.inc | 5 | |
| 6 | blacklist ${HOME}/.pki/nssdb | 6 | blacklist ${HOME}/.pki/nssdb |
| 7 | blacklist ${HOME}/.lastpass | 7 | blacklist ${HOME}/.lastpass |
| 8 | blacklist ${HOME}/.keepassx | 8 | blacklist ${HOME}/.keepassx |
| 9 | blacklist ${HOME}/.password-store | 9 | blacklist ${HOME}/.password-store |
| 10 | blacklist ${HOME}/.wine | 10 | blacklist ${HOME}/.wine |
| 11 | |||
| 11 | caps.drop all | 12 | caps.drop all |
| 12 | seccomp | 13 | seccomp |
| 13 | protocol unix,inet,inet6 | 14 | protocol unix,inet,inet6 |
diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index 4a6544a12..6593075c8 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile | |||
| @@ -2,12 +2,13 @@ | |||
| 2 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
| 3 | include /etc/firejail/disable-programs.inc | 3 | include /etc/firejail/disable-programs.inc |
| 4 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
| 5 | include /etc/firejail/disable-terminals.inc | 5 | |
| 6 | caps.drop all | 6 | caps.drop all |
| 7 | seccomp | 7 | seccomp |
| 8 | protocol unix,inet,inet6 | 8 | protocol unix,inet,inet6 |
| 9 | netfilter | 9 | netfilter |
| 10 | noroot | 10 | noroot |
| 11 | |||
| 11 | whitelist ${DOWNLOADS} | 12 | whitelist ${DOWNLOADS} |
| 12 | mkdir ~/.config | 13 | mkdir ~/.config |
| 13 | mkdir ~/.config/uGet | 14 | mkdir ~/.config/uGet |
diff --git a/etc/unbound.profile b/etc/unbound.profile index 594d67cf9..24ca88b03 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile | |||
| @@ -4,7 +4,7 @@ noblacklist /usr/sbin | |||
| 4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
| 5 | include /etc/firejail/disable-programs.inc | 5 | include /etc/firejail/disable-programs.inc |
| 6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
| 7 | include /etc/firejail/disable-terminals.inc | 7 | |
| 8 | private | 8 | private |
| 9 | private-dev | 9 | private-dev |
| 10 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open | 10 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open |
diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile index e039c4676..a4ab60e6c 100644 --- a/etc/vivaldi.profile +++ b/etc/vivaldi.profile | |||
| @@ -5,7 +5,6 @@ noblacklist ~/keepassx.kdbx | |||
| 5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
| 6 | include /etc/firejail/disable-programs.inc | 6 | include /etc/firejail/disable-programs.inc |
| 7 | include /etc/firejail/disable-devel.inc | 7 | include /etc/firejail/disable-devel.inc |
| 8 | include /etc/firejail/disable-terminals.inc | ||
| 9 | 8 | ||
| 10 | netfilter | 9 | netfilter |
| 11 | 10 | ||
diff --git a/etc/vlc.profile b/etc/vlc.profile index 980d2816f..7cd913040 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile | |||
| @@ -3,12 +3,13 @@ noblacklist ${HOME}/.config/vlc | |||
| 3 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
| 4 | include /etc/firejail/disable-programs.inc | 4 | include /etc/firejail/disable-programs.inc |
| 5 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
| 6 | include /etc/firejail/disable-terminals.inc | 6 | |
| 7 | blacklist ${HOME}/.pki/nssdb | 7 | blacklist ${HOME}/.pki/nssdb |
| 8 | blacklist ${HOME}/.lastpass | 8 | blacklist ${HOME}/.lastpass |
| 9 | blacklist ${HOME}/.keepassx | 9 | blacklist ${HOME}/.keepassx |
| 10 | blacklist ${HOME}/.password-store | 10 | blacklist ${HOME}/.password-store |
| 11 | blacklist ${HOME}/.wine | 11 | blacklist ${HOME}/.wine |
| 12 | |||
| 12 | caps.drop all | 13 | caps.drop all |
| 13 | seccomp | 14 | seccomp |
| 14 | protocol unix,inet,inet6 | 15 | protocol unix,inet,inet6 |
diff --git a/etc/weechat.profile b/etc/weechat.profile index ec305b45b..280a5f9d8 100644 --- a/etc/weechat.profile +++ b/etc/weechat.profile | |||
| @@ -2,7 +2,7 @@ | |||
| 2 | noblacklist ${HOME}/.weechat | 2 | noblacklist ${HOME}/.weechat |
| 3 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
| 4 | include /etc/firejail/disable-programs.inc | 4 | include /etc/firejail/disable-programs.inc |
| 5 | include /etc/firejail/disable-terminals.inc | 5 | |
| 6 | caps.drop all | 6 | caps.drop all |
| 7 | seccomp | 7 | seccomp |
| 8 | protocol unix,inet,inet6 | 8 | protocol unix,inet,inet6 |
diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile index 7a2ade1fe..4075232d2 100644 --- a/etc/wesnoth.profile +++ b/etc/wesnoth.profile | |||
| @@ -3,7 +3,6 @@ | |||
| 3 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
| 4 | include /etc/firejail/disable-programs.inc | 4 | include /etc/firejail/disable-programs.inc |
| 5 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
| 6 | include /etc/firejail/disable-terminals.inc | ||
| 7 | 6 | ||
| 8 | caps.drop all | 7 | caps.drop all |
| 9 | seccomp | 8 | seccomp |
diff --git a/etc/wine.profile b/etc/wine.profile index 993037794..f93fa6dc2 100644 --- a/etc/wine.profile +++ b/etc/wine.profile | |||
| @@ -5,7 +5,7 @@ noblacklist ${HOME}/.wine | |||
| 5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
| 6 | include /etc/firejail/disable-programs.inc | 6 | include /etc/firejail/disable-programs.inc |
| 7 | include /etc/firejail/disable-devel.inc | 7 | include /etc/firejail/disable-devel.inc |
| 8 | include /etc/firejail/disable-terminals.inc | 8 | |
| 9 | caps.drop all | 9 | caps.drop all |
| 10 | netfilter | 10 | netfilter |
| 11 | noroot | 11 | noroot |
diff --git a/etc/xchat.profile b/etc/xchat.profile index 552918750..ae1a6de53 100644 --- a/etc/xchat.profile +++ b/etc/xchat.profile | |||
| @@ -3,7 +3,7 @@ noblacklist ${HOME}/.config/xchat | |||
| 3 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
| 4 | include /etc/firejail/disable-programs.inc | 4 | include /etc/firejail/disable-programs.inc |
| 5 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
| 6 | include /etc/firejail/disable-terminals.inc | 6 | |
| 7 | blacklist ${HOME}/.wine | 7 | blacklist ${HOME}/.wine |
| 8 | caps.drop all | 8 | caps.drop all |
| 9 | seccomp | 9 | seccomp |
diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 0d37a464b..64a7006a3 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles | |||
| @@ -63,7 +63,6 @@ | |||
| 63 | /etc/firejail/Mathematica.profile | 63 | /etc/firejail/Mathematica.profile |
| 64 | /etc/firejail/uget-gtk.profile | 64 | /etc/firejail/uget-gtk.profile |
| 65 | /etc/firejail/mupen64plus.profile | 65 | /etc/firejail/mupen64plus.profile |
| 66 | /etc/firejail/disable-terminals.inc | ||
| 67 | /etc/firejail/lxterminal.profile | 66 | /etc/firejail/lxterminal.profile |
| 68 | /etc/firejail/cherrytree.profile | 67 | /etc/firejail/cherrytree.profile |
| 69 | /etc/firejail/wesnoth.profile | 68 | /etc/firejail/wesnoth.profile |