author | Tad <tad@spotco.us> | 2018-03-28 22:24:20 -0400 |
---|---|---|
committer | Tad <tad@spotco.us> | 2018-03-28 22:24:20 -0400 |
commit | 4c35ba3d383e1b749a61f245425cdf29812c1e0e (patch) | |
tree | 5b6140f693ef56244cd1b82b1437a10b7dadea2b | |
parent | various blacklist additions (diff) | |
Add a profile for ncdu, enable private-etc in Steam again, and fixup gnome-recipes
-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | RELNOTES | 2 | ||||
-rw-r--r-- | etc/gnome-recipes.profile | 2 | ||||
-rw-r--r-- | etc/ncdu.profile | 29 | ||||
-rw-r--r-- | etc/steam.profile | 8 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 1 |
6 files changed, 38 insertions, 6 deletions
@@ -294,4 +294,4 @@ Basilisk browser, Tor Browser language packs, PlayOnLinux, sylpheed, discord-can | |||
294 | pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain, | 294 | pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain, |
295 | tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder, | 295 | tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder, |
296 | gnome-recipes, akonadi_control, evince-previewer, evince-thumbnailer, blender-2.8, | 296 | gnome-recipes, akonadi_control, evince-previewer, evince-thumbnailer, blender-2.8, |
297 | thunderbird-beta \ No newline at end of file | 297 | thunderbird-beta, ncdu |
@@ -30,7 +30,7 @@ firejail (0.9.53) baseline; urgency=low | |||
30 | * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine, | 30 | * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine, |
31 | * new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes | 31 | * new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes |
32 | * new profiles: akonadi_controle, evince-previewer, evince-thumbnailer, | 32 | * new profiles: akonadi_controle, evince-previewer, evince-thumbnailer, |
33 | * new profiles: blender-2.8, thunderbird-beta | 33 | * new profiles: blender-2.8, thunderbird-beta, ncdu |
34 | -- netblue30 <netblue30@yahoo.com> Thu, 1 Mar 2018 08:00:00 -0500 | 34 | -- netblue30 <netblue30@yahoo.com> Thu, 1 Mar 2018 08:00:00 -0500 |
35 | 35 | ||
36 | firejail (0.9.52) baseline; urgency=low | 36 | firejail (0.9.52) baseline; urgency=low |
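--- a/etc/gnome-recipes.profile
+++ b/etc/gnome-recipes.profile
@@ -35,7 +35,7 @@ shell none
 disable-mnt
 private-bin gnome-recipes,tar
 private-dev
-private-etc ca-certificates,fonts,ssl
+private-etc ca-certificates,fonts,ssl,crypto-policies,pki
 # private-lib works for me with Gnome Shell 3.26.2, Mutter WM (Arch Linux)
 # not widely tested though, leaving it to devs discretion to enable it later
 #private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.4,libgnutls.so.30,libjpeg.so.8,libp11-kit.so.0,libproxy.so.1,librsvg-2.so.2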
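--- /dev/null
+++ b/etc/ncdu.profile
@@ -0,0 +1,29 @@
+# Firejail profile for ncdu
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/ncdu.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+caps.drop all
+ipc-namespace
+nodbus
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+# private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp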
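Review bot: The new profile has no `include /etc/firejail/disable-*.inc` lines and leaves `private-tmp` commented out on line 25, and nothing in the file says that either choice is deliberate. Presumably both follow from ncdu needing to walk whatever tree it is asked to measure, but as written the sandboxed process keeps the user's full view of the filesystem, so containment rests on `net none`, `seccomp`, `caps.drop all` and `nonewprivs`. A later maintainer could read the missing blacklists as an oversight and add them, which would hide directories from the scan. I would record the intent with something like `# no disable-*.inc includes: ncdu must be able to read every directory it scans` above `caps.drop all`. I would also replace the bare `# private-tmp` with `# private-tmp would hide the real /tmp from the scan`.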
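--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -32,7 +32,9 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
+#ipc-namespace
 netfilter
+#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -44,10 +46,10 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
 # tracelog disabled as it breaks integrated browser
-# tracelog
+#tracelog
 
 # private-dev should be commented for controllers
 private-dev
-# private-etc breaks some games
-#private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies
+# private-etc breaks a small selection of games on some systems, comment to support those
+private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies,alternatives
 private-tmp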
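Review bot: The two options added in the first hunk, `#ipc-namespace` and `#nodbus`, are committed commented out with no reason given, unlike `#tracelog` in the second hunk, which is preceded by a line saying what it breaks. A reader cannot tell whether they are known to break Steam or are hardening that has not been tested yet, and that decides whether it is safe to enable them in a `.local` override. I would put one line above each in the same style, for example `# ipc-namespace disabled as it breaks <component, to be filled in by the author>`, and the same for `nodbus`. The profile continues outside both hunks, so an explanation may already exist elsewhere in the file.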
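--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -263,6 +263,7 @@ musescore
 mutt
 natron
 nautilus
+ncdu
 netsurf
 neverball
 nheko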