author | smitsohu <smitsohu@gmail.com> | 2018-03-30 12:25:48 +0200 |
committer | GitHub <noreply@github.com> | 2018-03-30 12:25:48 +0200 |
commit | 093f3ccf3fdd48dc5d356730532128a6f4de0905 (patch) | |
tree | 80b8c3da7eb6a531a348c6327b57e4cdb7076e33 | |
parent | comment apparmor, net where they interfere with dconf - #1843 (diff) | |
parent | Further improve private-bin in steam (diff) | |
Merge branch 'master' into nodbus
-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | RELNOTES | 2 | ||||
-rw-r--r-- | etc/atril.profile | 1 | ||||
-rw-r--r-- | etc/disable-programs.inc | 6 | ||||
-rw-r--r-- | etc/gnome-recipes.profile | 2 | ||||
-rw-r--r-- | etc/inkscape.profile | 4 | ||||
-rw-r--r-- | etc/kate.profile | 1 | ||||
-rw-r--r-- | etc/kmail.profile | 1 | ||||
-rw-r--r-- | etc/krunner.profile | 2 | ||||
-rw-r--r-- | etc/ncdu.profile | 29 | ||||
-rw-r--r-- | etc/steam.profile | 16 | ||||
-rw-r--r-- | etc/vlc.profile | 1 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 1 |
13 files changed, 60 insertions, 8 deletions
@@ -295,4 +295,4 @@ Basilisk browser, Tor Browser language packs, PlayOnLinux, sylpheed, discord-can | |||
295 | pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain, | 295 | pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain, |
296 | tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder, | 296 | tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder, |
297 | gnome-recipes, akonadi_control, evince-previewer, evince-thumbnailer, blender-2.8, | 297 | gnome-recipes, akonadi_control, evince-previewer, evince-thumbnailer, blender-2.8, |
298 | thunderbird-beta | 298 | thunderbird-beta, ncdu |
@@ -30,7 +30,7 @@ firejail (0.9.53) baseline; urgency=low | |||
30 | * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine, | 30 | * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine, |
31 | * new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes | 31 | * new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes |
32 | * new profiles: akonadi_controle, evince-previewer, evince-thumbnailer, | 32 | * new profiles: akonadi_controle, evince-previewer, evince-thumbnailer, |
33 | * new profiles: blender-2.8, thunderbird-beta | 33 | * new profiles: blender-2.8, thunderbird-beta, ncdu |
34 | -- netblue30 <netblue30@yahoo.com> Thu, 1 Mar 2018 08:00:00 -0500 | 34 | -- netblue30 <netblue30@yahoo.com> Thu, 1 Mar 2018 08:00:00 -0500 |
35 | 35 | ||
36 | firejail (0.9.52) baseline; urgency=low | 36 | firejail (0.9.52) baseline; urgency=low |
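--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -5,6 +5,7 @@ include /etc/firejail/atril.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ${HOME}/.cache/atril
 noblacklist ${HOME}/.config/atril
 
 #noblacklist ${HOME}/.local/share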
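--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -138,6 +138,7 @@ blacklist ${HOME}/.config/itch
 blacklist ${HOME}/.config/jd-gui.cfg
 blacklist ${HOME}/.config/k3brc
 blacklist ${HOME}/.config/kaffeinerc
+blacklist ${HOME}/.config/katemetainfos
 blacklist ${HOME}/.config/katepartrc
 blacklist ${HOME}/.config/katerc
 blacklist ${HOME}/.config/kateschemarc
@@ -507,6 +508,7 @@ blacklist ${HOME}/.cache/INRIA
 blacklist ${HOME}/.cache/MusicBrainz
 blacklist ${HOME}/.cache/QuiteRss
 blacklist ${HOME}/.cache/akonadi*
+blacklist ${HOME}/.cache/atril
 blacklist ${HOME}/.cache/attic
 blacklist ${HOME}/.cache/borg
 blacklist ${HOME}/.cache/calibre
@@ -529,11 +531,14 @@ blacklist ${HOME}/.cache/google-chrome-unstable
 blacklist ${HOME}/.cache/gnome-twitch
 blacklist ${HOME}/.cache/icedove
 blacklist ${HOME}/.cache/INRIA/Natron
+blacklist ${HOME}/.cache/inkscape
 blacklist ${HOME}/.cache/inox
 blacklist ${HOME}/.cache/iridium
 blacklist ${HOME}/.cache/kdenlive
 blacklist ${HOME}/.cache/kinfocenter
+blacklist ${HOME}/.cache/kmail2
 blacklist ${HOME}/.cache/krunner
+blacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite
 blacklist ${HOME}/.cache/kscreenlocker_greet
 blacklist ${HOME}/.cache/ksmserver-logout-greeter
 blacklist ${HOME}/.cache/ksplashqml
@@ -566,6 +571,7 @@ blacklist ${HOME}/.cache/torbrowser
 blacklist ${HOME}/.cache/transmission
 blacklist ${HOME}/.cache/vivaldi
 blacklist ${HOME}/.cache/vivaldi-snapshot
+blacklist ${HOME}/.cache/vlc
 blacklist ${HOME}/.cache/waterfox
 blacklist ${HOME}/.cache/wesnoth
 blacklist ${HOME}/.cache/xmms2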
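--- a/etc/gnome-recipes.profile
+++ b/etc/gnome-recipes.profile
@@ -35,7 +35,7 @@ shell none
 disable-mnt
 private-bin gnome-recipes,tar
 private-dev
-private-etc ca-certificates,fonts,ssl
+private-etc ca-certificates,fonts,ssl,crypto-policies,pki
 # private-lib works for me with Gnome Shell 3.26.2, Mutter WM (Arch Linux)
 # not widely tested though, leaving it to devs discretion to enable it later
 #private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.4,libgnutls.so.30,libjpeg.so.8,libp11-kit.so.0,libproxy.so.1,librsvg-2.so.2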
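Review bot: `crypto-policies` and `pki` are appended to `private-etc` on line 38 without a word on why, while the profile's other non-obvious choice (`private-lib`, lines 39-41) is explained in place. Presumably they are for distributions whose TLS stack reads /etc/crypto-policies and keeps the CA bundle under /etc/pki, but that belongs on the line, e.g. `# crypto-policies,pki: TLS on distributions that keep CA certs under /etc/pki` above line 38. If they were added for a specific reported failure, naming it there lets a later reviewer check the entries are still needed.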
diff --git a/etc/inkscape.profile b/etc/inkscape.profile index d573cc706..af24bc3e9 100644 --- a/etc/inkscape.profile +++ b/etc/inkscape.profile | |||
@@ -5,9 +5,9 @@ include /etc/firejail/inkscape.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.inkscape | 8 | noblacklist ${HOME}/.cache/inkscape |
9 | noblacklist ${HOME}/.config/inkscape | 9 | noblacklist ${HOME}/.config/inkscape |
10 | 10 | noblacklist ${HOME}/.inkscape | |
11 | 11 | ||
12 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
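--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -5,6 +5,7 @@ include /etc/firejail/kate.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ${HOME}/.config/katemetainfos
 noblacklist ${HOME}/.config/katepartrc
 noblacklist ${HOME}/.config/katerc
 noblacklist ${HOME}/.config/kateschemarc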
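--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -9,6 +9,7 @@ include /etc/firejail/globals.local
 # one solution is to have akonadi already running when kmail is started
 
 noblacklist ${HOME}/.cache/akonadi*
+noblacklist ${HOME}/.cache/kmail2
 noblacklist ${HOME}/.config/akonadi*
 noblacklist ${HOME}/.config/baloorc
 noblacklist ${HOME}/.config/emailidentities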
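--- a/etc/krunner.profile
+++ b/etc/krunner.profile
@@ -10,10 +10,12 @@ include /etc/firejail/globals.local
 # with its own profile, if it is sandboxed automatically.
 
 # noblacklist ${HOME}/.cache/krunner
+# noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite
 noblacklist ${HOME}/.config/krunnerrc
 noblacklist ${HOME}/.kde/share/config/krunnerrc
 noblacklist ${HOME}/.kde4/share/config/krunnerrc
 # noblacklist ${HOME}/.local/share/baloo
+# noblacklist ${HOME}/.mozilla
 
 include /etc/firejail/disable-common.inc
 # include /etc/firejail/disable-devel.inc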
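Review bot: The added `# noblacklist ${HOME}/.mozilla` (new line 18) carries no explanation, and unlike the `.cache/krunner` line it is not covered by the comment that ends at the hunk's first context line (that comment starts outside the hunk). Presumably it accompanies the new `.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite` line for a Firefox bookmarks runner, but enabling it would expose the whole Firefox profile tree to krunner, not just bookmarks. A comment above it such as `# exposes the complete Firefox profile to krunner; only needed for the Firefox bookmark runner` would make that trade-off visible to whoever uncomments it.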
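--- /dev/null
+++ b/etc/ncdu.profile
@@ -0,0 +1,29 @@
+# Firejail profile for ncdu
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/ncdu.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+caps.drop all
+ipc-namespace
+nodbus
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+# private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp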
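Review bot: The new profile includes none of the disable-*.inc files and leaves `private-tmp` commented, but nothing in the header says so, and next to the other profiles in this merge that reads like an omission rather than a choice; a line after line 6 such as `# ncdu needs to see the whole filesystem, so the disable-*.inc includes and private-tmp are intentionally left out` would settle it. `shell none` only governs how firejail starts the target, not what the target itself executes, so ncdu's own spawn-a-shell and delete features, where built in, keep working inside the sandbox, and the two noexec lines do not change that since only ${HOME} and /tmp are made noexec. If that is the accepted trade-off, stating it in the same header comment spares the next reviewer the question.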
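--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -32,7 +32,10 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
+#ipc-namespace
 netfilter
+# nodbus disabled as it breaks appindicator support
+#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -44,10 +47,17 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
 # tracelog disabled as it breaks integrated browser
-# tracelog
+#tracelog
+
+# private-bin is disabled while in testing, but has been tested working with multiple games
+#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lspci,lsof,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity
+# extra programs are available which might be needed for select games
+#private-bin java,java-config,mono,python*
+# picture viewers are are needed for viewing screenshots
+#private-bin eog,eom,gthumb,pix,viewnior,xviewer
 
 # private-dev should be commented for controllers
 private-dev
-# private-etc breaks some games
-#private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies
+# private-etc breaks a small selection of games on some systems, comment to support those
+private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies,alternatives
 private-tmp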
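Review bot: `#ipc-namespace` (new line 35) is added disabled without a reason, while the neighbouring `#nodbus` and `#tracelog` lines each say what they break; a line in the same form, `# ipc-namespace disabled as it breaks <observed symptom>`, keeps the profile self-explaining and stops someone re-enabling it blind. In the second hunk `private-etc` goes from commented to live, and the new comment only says it breaks a small selection of games on some systems; naming the games or the symptom seen in testing would make that comment actionable when a report arrives. Minor: `# picture viewers are are needed` (new line 56) doubles a word.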
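--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -5,6 +5,7 @@ include /etc/firejail/vlc.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ${HOME}/.cache/vlc
 noblacklist ${HOME}/.config/vlc
 noblacklist ${HOME}/.local/share/vlc
 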
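--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -263,6 +263,7 @@ musescore
 mutt
 natron
 nautilus
+ncdu
 netsurf
 neverball
 nheko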