file managers refactoring (#3375)

* refactor caja.profile * refactor dolphin.profile * Create file-manager-common.profile * refactor nautilus.profile * refactor nemo.profile * refactor pcmanfm.profile * refactor ranger.profile * refactor Thunar.profile
author: glitsj16 <glitsj16@users.noreply.github.com> 2020-04-21 20:58:34 +0000
committer: GitHub <noreply@github.com> 2020-04-21 20:58:34 +0000
commit: b7bcc70d20a71daf5ba6dff670bbf90e7a09d2e4 (patch)
tree: 609778557c185bb7fabef76ac05a694f875d4f09
parent: update issue template + add ICEauthority to wruc (diff)
download: firejail-b7bcc70d20a71daf5ba6dff670bbf90e7a09d2e4.tar.gz
firejail-b7bcc70d20a71daf5ba6dff670bbf90e7a09d2e4.tar.zst
firejail-b7bcc70d20a71daf5ba6dff670bbf90e7a09d2e4.zip
8 files changed, 70 insertions, 208 deletions
diff --git a/etc/profile-a-l/caja.profile b/etc/profile-a-l/caja.profile
index 7bf901ae3..1af102ca8 100644
--- a/etc/profile-a-l/caja.profile
+++ b/etc/profile-a-l/caja.profile
@@ -9,35 +9,7 @@ include globals.local
 # Caja is started by systemd on most systems. Therefore it is not firejailed by default. Since there
 # is already a caja process running on MATE desktops firejail will have no effect.
-noblacklist ${HOME}/.local/share/Trash
+# Put 'ignore noroot' in your caja.local if you use MPV+Vulkan (see issue #3012)
-# noblacklist ${HOME}/.config/caja - disable-programs.inc is disabled, see below
-# noblacklist ${HOME}/.local/share/caja-python
-# Allow python (blacklisted by disable-interpreters.inc)
+# Redirect
-include allow-python2.inc
+include file-manager-common.profile
-include allow-python3.inc
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-# include disable-programs.inc
-allusers
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-# caja needs to be able to start arbitrary applications so we cannot blacklist their files
-# private-bin caja
-# private-dev
-# private-tmp
diff --git a/etc/profile-a-l/dolphin.profile b/etc/profile-a-l/dolphin.profile
index d264470af..e0300a577 100644
--- a/etc/profile-a-l/dolphin.profile
+++ b/etc/profile-a-l/dolphin.profile
@@ -6,37 +6,9 @@ include dolphin.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.local/share/Trash
+# Put 'ignore noroot' in your dolphin.local if you use MPV+Vulkan (see issue #3012)
-# noblacklist ${HOME}/.cache/dolphin - disable-programs.inc is disabled, see below
-# noblacklist ${HOME}/.config/dolphinrc
-# noblacklist ${HOME}/.local/share/dolphin
-# Allow lua (blacklisted by disable-interpreters.inc)
+# Redirect
-include allow-lua.inc
+include file-manager-common.profile
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-# dolphin needs to be able to start arbitrary applications so we cannot blacklist their files
-# include disable-programs.inc
-allusers
-caps.drop all
-# net none
-netfilter
-nodvd
-nogroups
-nonewprivs
-# Comment the next line (or put 'ignore noroot' in your dolphin.local) if you use MPV+Vulkan (see issue #3012)
-noroot
-notv
-novideo
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-private-dev
-# private-tmp
 join-or-start dolphin
diff --git a/etc/profile-a-l/file-manager-common.profile b/etc/profile-a-l/file-manager-common.profile
new file mode 100644
index 000000000..8551e713d
--- /dev/null
+++ b/etc/profile-a-l/file-manager-common.profile
@@ -0,0 +1,49 @@
+# Firejail profile for file managers
+# Description: Common profile for GUI file managers
+# This file is overwritten after every install/update
+# Persistent local customizations
+include file-manager-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+# File managers need to be able to see everything under ${HOME}
+# and be able to start arbitrary applications
+ignore noexec ${HOME}
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+# Allow perl
+include allow-perl.inc
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+#include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# include disable-programs.inc
+allusers
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+private-dev
+#dbus-user none
+#dbus-system none
diff --git a/etc/profile-m-z/Thunar.profile b/etc/profile-m-z/Thunar.profile
index 761440ccc..28acb414b 100644
--- a/etc/profile-m-z/Thunar.profile
+++ b/etc/profile-m-z/Thunar.profile
@@ -6,28 +6,7 @@ include Thunar.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.local/share/Trash
+# Put 'ignore noroot' in your pcmanfm.local if you use MPV+Vulkan (see issue #3012)
-noblacklist ${HOME}/.config/Thunar
-noblacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
-include disable-common.inc
+# Redirect
-include disable-devel.inc
+include file-manager-common.profile
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-# include disable-programs.inc
-allusers
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
diff --git a/etc/profile-m-z/nautilus.profile b/etc/profile-m-z/nautilus.profile
index e003488de..e54bea228 100644
--- a/etc/profile-m-z/nautilus.profile
+++ b/etc/profile-m-z/nautilus.profile
@@ -9,36 +9,7 @@ include globals.local
 # Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there
 # is already a nautilus process running on gnome desktops firejail will have no effect.
-noblacklist ${HOME}/.config/nautilus
+# Put 'ignore noroot' in your nautilus.local if you use MPV+Vulkan (see issue #3012)
-noblacklist ${HOME}/.local/share/Trash
-noblacklist ${HOME}/.local/share/nautilus
-noblacklist ${HOME}/.local/share/nautilus-python
-# Allow python (blacklisted by disable-interpreters.inc)
+# Redirect
-include allow-python2.inc
+include file-manager-common.profile
-include allow-python3.inc
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-# include disable-programs.inc
-allusers
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-# nautilus needs to be able to start arbitrary applications so we cannot blacklist their files
-# private-bin nautilus
-# private-dev
-# private-tmp
diff --git a/etc/profile-m-z/nemo.profile b/etc/profile-m-z/nemo.profile
index 6a62a3a0c..1b3333e8c 100644
--- a/etc/profile-m-z/nemo.profile
+++ b/etc/profile-m-z/nemo.profile
@@ -6,33 +6,7 @@ include nemo.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/nemo
+# Put 'ignore noroot' in your nemo.local if you use MPV+Vulkan (see issue #3012)
-noblacklist ${HOME}/.local/share/Trash
-noblacklist ${HOME}/.local/share/nemo
-noblacklist ${HOME}/.local/share/nemo-python
-# Allow python (blacklisted by disable-interpreters.inc)
-include allow-python2.inc
-include allow-python3.inc
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-allusers
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
+# Redirect
+include file-manager-common.profile
diff --git a/etc/profile-m-z/pcmanfm.profile b/etc/profile-m-z/pcmanfm.profile
index 4e53f9d6e..5718ab164 100644
--- a/etc/profile-m-z/pcmanfm.profile
+++ b/etc/profile-m-z/pcmanfm.profile
@@ -6,30 +6,7 @@ include pcmanfm.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.local/share/Trash
+# Put 'ignore noroot' in your pcmanfm.local if you use MPV+Vulkan (see issue #3012)
-# noblacklist ${HOME}/.config/libfm - disable-programs.inc is disabled, see below
-# noblacklist ${HOME}/.config/pcmanfm
-include disable-common.inc
+# Redirect
-include disable-devel.inc
+include file-manager-common.profile
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-# include disable-programs.inc
-allusers
-caps.drop all
-# net none - see issue #1467, computer:/// location broken
-no3d
-nodvd
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-# dbus-user none
-# dbus-system none
diff --git a/etc/profile-m-z/ranger.profile b/etc/profile-m-z/ranger.profile
index af033af1a..8b3fe97d8 100644
--- a/etc/profile-m-z/ranger.profile
+++ b/etc/profile-m-z/ranger.profile
@@ -6,39 +6,7 @@ include ranger.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/nano
+# Put 'ignore noroot' in your ranger.local if you use MPV+Vulkan (see issue #3012)
-noblacklist ${HOME}/.config/ranger
-noblacklist ${HOME}/.nanorc
-# Allow python (blacklisted by disable-interpreters.inc)
+# Redirect
-include allow-python2.inc
+include file-manager-common.profile
-include allow-python3.inc
-# Allow perl
-include allow-perl.inc
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-allusers
-caps.drop all
-net none
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-#x11 none
-private-dev
-dbus-user none
-dbus-system none
author	glitsj16 <glitsj16@users.noreply.github.com>	2020-04-21 20:58:34 +0000
committer	GitHub <noreply@github.com>	2020-04-21 20:58:34 +0000
commit	b7bcc70d20a71daf5ba6dff670bbf90e7a09d2e4 (patch)
tree	609778557c185bb7fabef76ac05a694f875d4f09
parent	update issue template + add ICEauthority to wruc (diff)
download	firejail-b7bcc70d20a71daf5ba6dff670bbf90e7a09d2e4.tar.gz firejail-b7bcc70d20a71daf5ba6dff670bbf90e7a09d2e4.tar.zst firejail-b7bcc70d20a71daf5ba6dff670bbf90e7a09d2e4.zip

diff --git a/etc/profile-a-l/caja.profile b/etc/profile-a-l/caja.profile index 7bf901ae3..1af102ca8 100644 --- a/etc/profile-a-l/caja.profile +++ b/etc/profile-a-l/caja.profile
@@ -9,35 +9,7 @@ include globals.local
9	# Caja is started by systemd on most systems. Therefore it is not firejailed by default. Since there	9	# Caja is started by systemd on most systems. Therefore it is not firejailed by default. Since there
10	# is already a caja process running on MATE desktops firejail will have no effect.	10	# is already a caja process running on MATE desktops firejail will have no effect.
11		11
12	noblacklist ${HOME}/.local/share/Trash	12	# Put 'ignore noroot' in your caja.local if you use MPV+Vulkan (see issue #3012)
13	# noblacklist ${HOME}/.config/caja - disable-programs.inc is disabled, see below
14	# noblacklist ${HOME}/.local/share/caja-python
15		13
16	# Allow python (blacklisted by disable-interpreters.inc)	14	# Redirect
17	include allow-python2.inc	15	include file-manager-common.profile
18	include allow-python3.inc
19
20	include disable-common.inc
21	include disable-devel.inc
22	include disable-interpreters.inc
23	include disable-passwdmgr.inc
24	# include disable-programs.inc
25
26	allusers
27	caps.drop all
28	netfilter
29	nodvd
30	nogroups
31	nonewprivs
32	noroot
33	notv
34	novideo
35	protocol unix
36	seccomp
37	shell none
38	tracelog
39
40	# caja needs to be able to start arbitrary applications so we cannot blacklist their files
41	# private-bin caja
42	# private-dev
43	# private-tmp


diff --git a/etc/profile-a-l/dolphin.profile b/etc/profile-a-l/dolphin.profile index d264470af..e0300a577 100644 --- a/etc/profile-a-l/dolphin.profile +++ b/etc/profile-a-l/dolphin.profile
@@ -6,37 +6,9 @@ include dolphin.local
6	# Persistent global definitions	6	# Persistent global definitions
7	include globals.local	7	include globals.local
8		8
9	noblacklist ${HOME}/.local/share/Trash	9	# Put 'ignore noroot' in your dolphin.local if you use MPV+Vulkan (see issue #3012)
10	# noblacklist ${HOME}/.cache/dolphin - disable-programs.inc is disabled, see below
11	# noblacklist ${HOME}/.config/dolphinrc
12	# noblacklist ${HOME}/.local/share/dolphin
13		10
14	# Allow lua (blacklisted by disable-interpreters.inc)	11	# Redirect
15	include allow-lua.inc	12	include file-manager-common.profile
16
17	include disable-common.inc
18	include disable-devel.inc
19	include disable-interpreters.inc
20	include disable-passwdmgr.inc
21	# dolphin needs to be able to start arbitrary applications so we cannot blacklist their files
22	# include disable-programs.inc
23
24	allusers
25	caps.drop all
26	# net none
27	netfilter
28	nodvd
29	nogroups
30	nonewprivs
31	# Comment the next line (or put 'ignore noroot' in your dolphin.local) if you use MPV+Vulkan (see issue #3012)
32	noroot
33	notv
34	novideo
35	protocol unix,inet,inet6,netlink
36	seccomp
37	shell none
38
39	private-dev
40	# private-tmp
41		13
42	join-or-start dolphin	14	join-or-start dolphin


diff --git a/etc/profile-a-l/file-manager-common.profile b/etc/profile-a-l/file-manager-common.profile new file mode 100644 index 000000000..8551e713d --- /dev/null +++ b/etc/profile-a-l/file-manager-common.profile
@@ -0,0 +1,49 @@
		1	# Firejail profile for file managers
		2	# Description: Common profile for GUI file managers
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include file-manager-common.local
		6	# Persistent global definitions
		7	# added by caller profile
		8	#include globals.local
		9
		10	# File managers need to be able to see everything under ${HOME}
		11	# and be able to start arbitrary applications
		12
		13	ignore noexec ${HOME}
		14
		15	# Allow lua (blacklisted by disable-interpreters.inc)
		16	include allow-lua.inc
		17
		18	# Allow perl
		19	include allow-perl.inc
		20
		21	# Allow python (blacklisted by disable-interpreters.inc)
		22	include allow-python2.inc
		23	include allow-python3.inc
		24
		25	#include disable-common.inc
		26	include disable-devel.inc
		27	include disable-interpreters.inc
		28	include disable-passwdmgr.inc
		29	# include disable-programs.inc
		30
		31	allusers
		32	caps.drop all
		33	netfilter
		34	nodvd
		35	nogroups
		36	nonewprivs
		37	noroot
		38	notv
		39	nou2f
		40	novideo
		41	protocol unix,inet,inet6,netlink
		42	seccomp
		43	shell none
		44	tracelog
		45
		46	private-dev
		47
		48	#dbus-user none
		49	#dbus-system none


diff --git a/etc/profile-m-z/Thunar.profile b/etc/profile-m-z/Thunar.profile index 761440ccc..28acb414b 100644 --- a/etc/profile-m-z/Thunar.profile +++ b/etc/profile-m-z/Thunar.profile
@@ -6,28 +6,7 @@ include Thunar.local
6	# Persistent global definitions	6	# Persistent global definitions
7	include globals.local	7	include globals.local
8		8
9	noblacklist ${HOME}/.local/share/Trash	9	# Put 'ignore noroot' in your pcmanfm.local if you use MPV+Vulkan (see issue #3012)
10	noblacklist ${HOME}/.config/Thunar
11	noblacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
12		10
13	include disable-common.inc	11	# Redirect
14	include disable-devel.inc	12	include file-manager-common.profile
15	include disable-interpreters.inc
16	include disable-passwdmgr.inc
17	# include disable-programs.inc
18
19	allusers
20	caps.drop all
21	netfilter
22	no3d
23	nodvd
24	nogroups
25	nonewprivs
26	noroot
27	nosound
28	notv
29	novideo
30	protocol unix
31	seccomp
32	shell none
33	tracelog


diff --git a/etc/profile-m-z/nautilus.profile b/etc/profile-m-z/nautilus.profile index e003488de..e54bea228 100644 --- a/etc/profile-m-z/nautilus.profile +++ b/etc/profile-m-z/nautilus.profile
@@ -9,36 +9,7 @@ include globals.local
9	# Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there	9	# Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there
10	# is already a nautilus process running on gnome desktops firejail will have no effect.	10	# is already a nautilus process running on gnome desktops firejail will have no effect.
11		11
12	noblacklist ${HOME}/.config/nautilus	12	# Put 'ignore noroot' in your nautilus.local if you use MPV+Vulkan (see issue #3012)
13	noblacklist ${HOME}/.local/share/Trash
14	noblacklist ${HOME}/.local/share/nautilus
15	noblacklist ${HOME}/.local/share/nautilus-python
16		13
17	# Allow python (blacklisted by disable-interpreters.inc)	14	# Redirect
18	include allow-python2.inc	15	include file-manager-common.profile
19	include allow-python3.inc
20
21	include disable-common.inc
22	include disable-devel.inc
23	include disable-interpreters.inc
24	include disable-passwdmgr.inc
25	# include disable-programs.inc
26
27	allusers
28	caps.drop all
29	netfilter
30	nodvd
31	nogroups
32	nonewprivs
33	noroot
34	notv
35	novideo
36	protocol unix
37	seccomp
38	shell none
39	tracelog
40
41	# nautilus needs to be able to start arbitrary applications so we cannot blacklist their files
42	# private-bin nautilus
43	# private-dev
44	# private-tmp


diff --git a/etc/profile-m-z/nemo.profile b/etc/profile-m-z/nemo.profile index 6a62a3a0c..1b3333e8c 100644 --- a/etc/profile-m-z/nemo.profile +++ b/etc/profile-m-z/nemo.profile
@@ -6,33 +6,7 @@ include nemo.local
6	# Persistent global definitions	6	# Persistent global definitions
7	include globals.local	7	include globals.local
8		8
9	noblacklist ${HOME}/.config/nemo	9	# Put 'ignore noroot' in your nemo.local if you use MPV+Vulkan (see issue #3012)
10	noblacklist ${HOME}/.local/share/Trash
11	noblacklist ${HOME}/.local/share/nemo
12	noblacklist ${HOME}/.local/share/nemo-python
13
14	# Allow python (blacklisted by disable-interpreters.inc)
15	include allow-python2.inc
16	include allow-python3.inc
17
18	include disable-common.inc
19	include disable-devel.inc
20	include disable-exec.inc
21	include disable-interpreters.inc
22	include disable-passwdmgr.inc
23
24	allusers
25	caps.drop all
26	netfilter
27	no3d
28	nodvd
29	nogroups
30	nonewprivs
31	noroot
32	nosound
33	notv
34	novideo
35	protocol unix,inet,inet6
36	seccomp
37	shell none
38		10
		11	# Redirect
		12	include file-manager-common.profile


diff --git a/etc/profile-m-z/pcmanfm.profile b/etc/profile-m-z/pcmanfm.profile index 4e53f9d6e..5718ab164 100644 --- a/etc/profile-m-z/pcmanfm.profile +++ b/etc/profile-m-z/pcmanfm.profile
@@ -6,30 +6,7 @@ include pcmanfm.local
6	# Persistent global definitions	6	# Persistent global definitions
7	include globals.local	7	include globals.local
8		8
9	noblacklist ${HOME}/.local/share/Trash	9	# Put 'ignore noroot' in your pcmanfm.local if you use MPV+Vulkan (see issue #3012)
10	# noblacklist ${HOME}/.config/libfm - disable-programs.inc is disabled, see below
11	# noblacklist ${HOME}/.config/pcmanfm
12		10
13	include disable-common.inc	11	# Redirect
14	include disable-devel.inc	12	include file-manager-common.profile
15	include disable-interpreters.inc
16	include disable-passwdmgr.inc
17	# include disable-programs.inc
18
19	allusers
20	caps.drop all
21	# net none - see issue #1467, computer:/// location broken
22	no3d
23	nodvd
24	nonewprivs
25	noroot
26	nosound
27	notv
28	novideo
29	protocol unix
30	seccomp
31	shell none
32	tracelog
33
34	# dbus-user none
35	# dbus-system none


diff --git a/etc/profile-m-z/ranger.profile b/etc/profile-m-z/ranger.profile index af033af1a..8b3fe97d8 100644 --- a/etc/profile-m-z/ranger.profile +++ b/etc/profile-m-z/ranger.profile
@@ -6,39 +6,7 @@ include ranger.local
6	# Persistent global definitions	6	# Persistent global definitions
7	include globals.local	7	include globals.local
8		8
9	noblacklist ${HOME}/.config/nano	9	# Put 'ignore noroot' in your ranger.local if you use MPV+Vulkan (see issue #3012)
10	noblacklist ${HOME}/.config/ranger
11	noblacklist ${HOME}/.nanorc
12		10
13	# Allow python (blacklisted by disable-interpreters.inc)	11	# Redirect
14	include allow-python2.inc	12	include file-manager-common.profile
15	include allow-python3.inc
16
17	# Allow perl
18	include allow-perl.inc
19
20	include disable-common.inc
21	include disable-devel.inc
22	include disable-interpreters.inc
23	include disable-passwdmgr.inc
24	include disable-programs.inc
25
26	allusers
27	caps.drop all
28	net none
29	nodvd
30	nogroups
31	nonewprivs
32	noroot
33	nosound
34	notv
35	nou2f
36	novideo
37	protocol unix
38	seccomp
39	#x11 none
40
41	private-dev
42
43	dbus-user none
44	dbus-system none