author | rusty-snake <print_hello_world+Public@protonmail.com> | 2020-02-10 09:18:57 +0100 |
---|---|---|
committer | rusty-snake <print_hello_world+Public@protonmail.com> | 2020-02-10 09:24:06 +0100 |
commit | df1c73a00f68b3ee2503b75d3220e65f99a7f760 (patch) | |
tree | 683adf8f26858a3b8e6a2a99720c352abe4f22e6 | |
parent | improve baloo hardening suggestion (diff) | |
Add a lot of profiles
-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | RELNOTES | 10 | ||||
-rw-r--r-- | etc/com.github.johnfactotum.Foliate.profile | 62 | ||||
-rw-r--r-- | etc/desktopeditors.profile | 43 | ||||
-rw-r--r-- | etc/disable-common.inc | 1 | ||||
-rw-r--r-- | etc/disable-programs.inc | 4 | ||||
-rw-r--r-- | etc/freeoffice-planmaker.profile | 36 | ||||
-rw-r--r-- | etc/freeoffice-presentations.profile | 36 | ||||
-rw-r--r-- | etc/freeoffice-textmaker.profile | 37 | ||||
-rw-r--r-- | etc/impressive.profile | 55 | ||||
-rw-r--r-- | etc/mupdf-gl.profile | 13 | ||||
-rw-r--r-- | etc/mupdf-x11-curl.profile | 18 | ||||
-rw-r--r-- | etc/mupdf-x11.profile | 14 | ||||
-rw-r--r-- | etc/mupdf.profile | 6 | ||||
-rw-r--r-- | etc/muraster.profile | 11 | ||||
-rw-r--r-- | etc/mutool.profile | 11 | ||||
-rw-r--r-- | etc/planmaker18.profile | 10 | ||||
-rw-r--r-- | etc/planmaker18free.profile | 10 | ||||
-rw-r--r-- | etc/presentations18.profile | 10 | ||||
-rw-r--r-- | etc/presentations18free.profile | 10 | ||||
-rw-r--r-- | etc/softmaker-common.inc | 44 | ||||
-rw-r--r-- | etc/textmaker18.profile | 10 | ||||
-rw-r--r-- | etc/textmaker18free.profile | 10 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 14 |
24 files changed, 370 insertions, 107 deletions
@@ -151,4 +151,4 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
151 | 151 | ||
152 | ### New profiles: | 152 | ### New profiles: |
153 | 153 | ||
154 | gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et, multimc, gnome-hexgl | 154 | gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et, multimc, gnome-hexgl, com.github.johnfactotum.Foliate, desktopeditors, impressive, mupdf-gl, mupdf-x11, mupdf-x11-curl, muraster, mutool, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18, textmaker18free |
@@ -1,10 +1,12 @@ | |||
1 | firejail (0.9.63) baseline; urgency=low | 1 | firejail (0.9.63) baseline; urgency=low |
2 | * work in progress | 2 | * work in progress |
3 | * DHCP client support | 3 | * DHCP client support |
4 | * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab | 4 | * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster |
5 | * new profiles: gnome-passwordsafe, bibtex, gummi, latex | 5 | * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl |
6 | * new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc | 6 | * new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11 |
7 | * new profiles: gnome-hexgl | 7 | * new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool |
8 | * new profiles: desktopeditors, impressive, planmaker18, planmaker18free | ||
9 | * new profiles: presentations18, presentations18free, textmaker18, textmaker18free | ||
8 | 10 | ||
9 | firejail (0.9.62) baseline; urgency=low | 11 | firejail (0.9.62) baseline; urgency=low |
10 | * added file-copy-limit in /etc/firejail/firejail.config | 12 | * added file-copy-limit in /etc/firejail/firejail.config |
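--- /dev/null
+++ b/etc/com.github.johnfactotum.Foliate.profile
@@ -0,0 +1,62 @@
+# Firejail profile for foliate
+# Description: Simple and modern GTK eBook reader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include foliate.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/.cache/com.github.johnfactotum.Foliate
+noblacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate
+
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/com.github.johnfactotum.Foliate
+mkdir ${HOME}/.local/share/com.github.johnfactotum.Foliate
+whitelist ${HOME}/.cache/com.github.johnfactotum.Foliate
+whitelist ${HOME}/.local/share/com.github.johnfactotum.Foliate
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+whitelist /usr/share/com.github.johnfactotum.Foliate
+whitelist /usr/share/hyphen
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin com.github.johnfactotum.Foliate,gjs
+private-cache
+private-dev
+private-etc dconf,fonts,gconf,gtk-3.0
+private-tmp
+
+read-only ${HOME}
+read-write ${HOME}/.cache/com.github.johnfactotum.Foliate
+read-write ${HOME}/.local/share/com.github.johnfactotum.Foliate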
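Review bot: The local-override include on line 5, `include foliate.local`, does not match the profile's file name, so a user who follows the `<profile>.local` pattern used by the other profiles in this commit and creates `com.github.johnfactotum.Foliate.local` would presumably find it is never read. Either write `include com.github.johnfactotum.Foliate.local` or add a comment above the include saying the short name is intentional. The header comment on line 1 uses the same short name and should follow whichever choice is made.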
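--- /dev/null
+++ b/etc/desktopeditors.profile
@@ -0,0 +1,43 @@
+# Firejail profile for desktopeditors
+# Description: ONLYOFFICE DesktopEditors
+# This file is overwritten after every install/update
+# Persistent local customizations
+include desktopeditors.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/onlyoffice
+noblacklist ${HOME}/.local/share/onlyoffice
+noblacklist ${HOME}/.pki
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin desktopeditors,sh
+private-cache
+private-dev
+private-tmp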
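Review bot: This profile allows `protocol unix,inet,inet6,netlink` but has no home-directory `whitelist` and omits `include disable-xdg.inc`, so everything under ${HOME} that the disable-*.inc files do not blacklist stays reachable from a network-capable process. The Foliate and impressive profiles in this commit do include disable-xdg.inc; if the editor only needs the documents folder, `noblacklist ${DOCUMENTS}` followed by `include disable-xdg.inc` would narrow that. `netlink` on line 35 and `noblacklist ${HOME}/.pki` on line 11 also carry no comment saying why they are needed, and a one-line reason next to each would let a later reviewer judge whether they can be dropped.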
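--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -18,6 +18,7 @@ blacklist-nolog ${HOME}/.kde4/share/apps/klipper
 blacklist-nolog ${HOME}/.local/share/fish/fish_history
 blacklist-nolog ${HOME}/.local/share/klipper
 blacklist-nolog ${HOME}/.macromedia
+blacklist-nolog ${HOME}/.mupdf.history
 blacklist-nolog ${HOME}/.python-history
 blacklist-nolog ${HOME}/.python_history
 blacklist-nolog ${HOME}/.pythonhist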
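--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -267,6 +267,7 @@ blacklist ${HOME}/.config/obs-studio
 blacklist ${HOME}/.config/okularpartrc
 blacklist ${HOME}/.config/okularrc
 blacklist ${HOME}/.config/onionshare
+blacklist ${HOME}/.config/onlyoffice
 blacklist ${HOME}/.config/opera
 blacklist ${HOME}/.config/opera-beta
 blacklist ${HOME}/.config/orage
@@ -503,6 +504,7 @@ blacklist ${HOME}/.local/share/caja-python
 blacklist ${HOME}/.local/share/cantata
 blacklist ${HOME}/.local/share/cdprojektred
 blacklist ${HOME}/.local/share/clipit
+blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate
 blacklist ${HOME}/.local/share/contacts
 blacklist ${HOME}/.local/share/data/Mendeley Ltd.
 blacklist ${HOME}/.local/share/data/Mumble
@@ -571,6 +573,7 @@ blacklist ${HOME}/.local/share/nomacs
 blacklist ${HOME}/.local/share/notes
 blacklist ${HOME}/.local/share/ocenaudio
 blacklist ${HOME}/.local/share/okular
+blacklist ${HOME}/.local/share/onlyoffice
 blacklist ${HOME}/.local/share/orage
 blacklist ${HOME}/.local/share/org.kde.gwenview
 blacklist ${HOME}/.local/share/pix
@@ -734,6 +737,7 @@ blacklist ${HOME}/.cache/champlain
 blacklist ${HOME}/.cache/chromium
 blacklist ${HOME}/.cache/chromium-dev
 blacklist ${HOME}/.cache/cliqz
+blacklist ${HOME}/.cache/com.github.johnfactotum.Foliate
 blacklist ${HOME}/.cache/darktable
 blacklist ${HOME}/.cache/discover
 blacklist ${HOME}/.cache/dnox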
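--- a/etc/freeoffice-planmaker.profile
+++ b/etc/freeoffice-planmaker.profile
@@ -1,38 +1,10 @@
-# Firejail profile for freeoffice-planmaker
+# Firejail profile alias for freeoffice-planmaker
+# Description: SoftMaker FreeOffice - spreadsheet program
 # This file is overwritten after every install/update
 # Persistent local customizations
 include freeoffice-planmaker.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/SoftMaker
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-# include disable-xdg.inc
-
-apparmor
-caps.drop all
-ipc-namespace
-netfilter
-no3d
-nodbus
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-private-cache
-private-dev
-private-tmp
+# Redirect
+include softmaker-common.profile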
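Review bot: The redirect on the new line 10, `include softmaker-common.profile`, names a file this commit does not add; the shared settings are created as `etc/softmaker-common.inc`. Unless a softmaker-common.profile exists elsewhere in the tree, every restriction removed here (`caps.drop all`, `seccomp`, `nonewprivs`, the disable-*.inc includes) is either no longer applied to the program or the sandbox fails to start, depending on how firejail treats a missing include. The line should presumably read `include softmaker-common.inc`. The same include appears in freeoffice-presentations, freeoffice-textmaker, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18 and textmaker18free.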
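--- a/etc/freeoffice-presentations.profile
+++ b/etc/freeoffice-presentations.profile
@@ -1,38 +1,10 @@
-# Firejail profile for freeoffice-presentations
+# Firejail profile alias for freeoffice-presentations
+# Description: SoftMaker FreeOffice - presentations software
 # This file is overwritten after every install/update
 # Persistent local customizations
 include freeoffice-presentations.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/SoftMaker
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-# include disable-xdg.inc
-
-apparmor
-caps.drop all
-ipc-namespace
-netfilter
-no3d
-nodbus
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-private-cache
-private-dev
-private-tmp
+# Redirect
+include softmaker-common.profile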
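--- a/etc/freeoffice-textmaker.profile
+++ b/etc/freeoffice-textmaker.profile
@@ -1,38 +1,9 @@
-# Firejail profile for freeoffice-textmaker
+# Firejail profile alias for freeoffice-textmaker
+# Description: SoftMaker Office - word processor
 # This file is overwritten after every install/update
-# Persistent local customizations
 include freeoffice-textmaker.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/SoftMaker
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-# include disable-xdg.inc
-
-apparmor
-caps.drop all
-ipc-namespace
-netfilter
-no3d
-nodbus
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-private-cache
-private-dev
-private-tmp
+# Redirect
+include softmaker-common.profile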
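Review bot: The comment `# Persistent local customizations` above `include freeoffice-textmaker.local` is dropped in this file, while the two sibling freeoffice aliases keep it, and the new description reads `SoftMaker Office - word processor` where the siblings say `SoftMaker FreeOffice`. Restoring the comment line and using `# Description: SoftMaker FreeOffice - word processor` would keep the three aliases uniform. textmaker18free.profile carries the same `SoftMaker Office` description and likely wants the same correction.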
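--- /dev/null
+++ b/etc/impressive.profile
@@ -0,0 +1,55 @@
+# Firejail profile for impressive
+# Description: presentation tool with eye candy
+# This file is overwritten after every install/update
+# Persistent local customizations
+include impressive.local
+# Persistent global definitions
+#include globals.local
+
+noblacklist ${DOCUMENTS}
+noblacklist /sbin
+noblacklist /usr/sbin
+
+# Allow python (blacklisted by disable-interpreters.inc)
+#include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/mesa_shader_cache
+whitelist /usr/share/opengl-games-utils
+whitelist /usr/share/zenity
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
+
+read-only ${HOME}
+read-write ${HOME}/.cache/mesa_shader_cache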
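Review bot: Line 7 disables the global include (`#include globals.local`), but this profile does not redirect to another profile that could load it, so settings an administrator places in globals.local would not apply to impressive. It should presumably be `include globals.local`. `noblacklist /sbin` and `noblacklist /usr/sbin` on lines 10-11 also have no comment naming the helper that needs them, and the profile sets no `private-bin` to bound what can be run from those directories.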
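--- /dev/null
+++ b/etc/mupdf-gl.profile
@@ -0,0 +1,13 @@
+# Firejail profile for mupdf-gl
+# Description: Lightweight PDF viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mupdf-gl.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.mupdf.history
+
+# Redirect
+include mupdf.profile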
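--- /dev/null
+++ b/etc/mupdf-x11-curl.profile
@@ -0,0 +1,18 @@
+# Firejail profile for mupdf-x11-curl
+# Description: Lightweight PDF viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mupdf-x11-curl.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+ignore net none
+
+netfilter
+protocol unix,inet,inet6
+
+private-etc ca-certificates,crypto-policies,hosts,nsswitch.conf,pki,resolv.conf,ssl
+
+# Redirect
+include mupdf.profile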
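Review bot: The overrides on lines 10-13 (`ignore net none`, `netfilter`, `protocol unix,inet,inet6`) presumably take effect only because they precede `include mupdf.profile`, and nothing in the file records that ordering dependency. A comment such as `# keep above the redirect: relaxes the network settings of mupdf.profile` would stop a later edit from moving them below the include. The `net` and `protocol` lines of mupdf.profile are outside the hunks shown on this page, so the exact interaction is inferred rather than visible.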
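--- /dev/null
+++ b/etc/mupdf-x11.profile
@@ -0,0 +1,14 @@
+# Firejail profile for mupdf-x11
+# Description: Lightweight PDF viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mupdf-x11.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+memory-deny-write-execute
+read-only ${HOME}
+
+# Redirect
+include mupdf.profile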
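--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -4,7 +4,7 @@
 # Persistent local customizations
 include mupdf.local
 # Persistent global definitions
-include globals.local
+#include globals.local
 
 noblacklist ${DOCUMENTS}
 
@@ -35,10 +35,6 @@ seccomp
 shell none
 tracelog
 
-# private-bin mupdf,rm,sh,tempfile
 private-dev
 private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
 private-tmp
-
-# memory-deny-write-execute
-read-only ${HOME}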
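Review bot: The second hunk removes `read-only ${HOME}` from the base profile, and of the new aliases only mupdf-x11.profile sets it again, so mupdf, mupdf-gl, muraster, mutool and the network-enabled mupdf-x11-curl now run with a writable home directory. If mupdf-gl is the only one that has to write ${HOME}/.mupdf.history, keeping `read-only ${HOME}` here and adding `read-write ${HOME}/.mupdf.history` in mupdf-gl.profile could preserve the old restriction. The first hunk also turns line 7 into `#include globals.local` while every alias comments the same line out as "added by included profile", so as shown nothing in the chain loads globals.local; one side should keep `include globals.local`. Both hunks show only part of the file.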
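--- /dev/null
+++ b/etc/muraster.profile
@@ -0,0 +1,11 @@
+# Firejail profile for muraster
+# Description: Lightweight PDF viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include muraster.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mupdf.profile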
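Review bot: The description on line 2, `# Description: Lightweight PDF viewer`, is copied from the viewer profiles, but muraster is a command-line rasterizer rather than a viewer. Something like `# Description: MuPDF command-line rasterizer` would say what is being sandboxed; mutool.profile has the same copied line and could read `# Description: MuPDF command-line PDF toolkit`.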
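--- /dev/null
+++ b/etc/mutool.profile
@@ -0,0 +1,11 @@
+# Firejail profile for mutool
+# Description: Lightweight PDF viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mutool.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mupdf.profile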
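--- /dev/null
+++ b/etc/planmaker18.profile
@@ -0,0 +1,10 @@
+# Firejail profile for planmaker18
+# Description: SoftMaker Office - spreadsheet program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include planmaker18.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.profile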
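--- /dev/null
+++ b/etc/planmaker18free.profile
@@ -0,0 +1,10 @@
+# Firejail profile for planmaker18free
+# Description: SoftMaker FreeOffice - spreadsheet program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include planmaker18free.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.profile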
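--- /dev/null
+++ b/etc/presentations18.profile
@@ -0,0 +1,10 @@
+# Firejail profile for presentations18
+# Description: SoftMaker Office - presentations software
+# This file is overwritten after every install/update
+# Persistent local customizations
+include presentations18.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.profile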
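--- /dev/null
+++ b/etc/presentations18free.profile
@@ -0,0 +1,10 @@
+# Firejail profile for presentations18free
+# Description: SoftMaker FreeOffice - presentations software
+# This file is overwritten after every install/update
+# Persistent local customizations
+include presentations18free.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.profile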
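--- /dev/null
+++ b/etc/softmaker-common.inc
@@ -0,0 +1,44 @@
+# Firejail profile for softmaker-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include softmaker-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+noblacklist ${HOME}/SoftMaker
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+whitelist /usr/share/office2018
+whitelist /usr/share/freeoffice2018
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin freeoffice-planmaker,freeoffice-presentations,freeoffice-textmaker,planmaker18,planmaker18free,presentations18,presentations18free,sh,textmaker18,textmaker18free
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,SoftMaker,ssl
+private-tmp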
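Review bot: `private-etc` on line 43 carries the TLS trust files (ca-certificates, crypto-policies, pki, ssl) but neither `hosts` nor `resolv.conf`, while line 35 still allows `protocol unix,inet,inet6`; mupdf-x11-curl.profile in this commit lists both files for its networked case. If the suite needs network access, add `hosts,resolv.conf` to the list; if it does not, `net none` with `protocol unix` would be the tighter setting. The shared file also drops `no3d`, which all three freeoffice profiles set before this commit, without a comment explaining the relaxation.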
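--- /dev/null
+++ b/etc/textmaker18.profile
@@ -0,0 +1,10 @@
+# Firejail profile for textmaker18
+# Description: SoftMaker Office - word processor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include textmaker18.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.profile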
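--- /dev/null
+++ b/etc/textmaker18free.profile
@@ -0,0 +1,10 @@
+# Firejail profile for textmaker18free
+# Description: SoftMaker Office - word processor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include textmaker18free.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.profile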
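--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -128,6 +128,7 @@ clocks
 cmus
 code
 code-oss
+com.github.johnfactotum.Foliate
 conkeror
 conky
 conplay
@@ -143,6 +144,7 @@ dconf-editor
 ddgtk
 deadbeef
 deluge
+desktopeditors
 devhelp
 dex2jar
 dia
@@ -310,6 +312,7 @@ ideaIC
 idea.sh
 imagej
 img2txt
+impressive
 inkscape
 inkview
 inox
@@ -436,9 +439,14 @@ multimc
 multimc5
 mumble
 mupdf
+mupdf-gl
+mupdf-x11
+mupdf-x11-curl
 mupen64plus
+muraster
 musescore
 musixmatch
+mutool
 mutt
 mypaint
 mypaint-ora-thumbnailer
@@ -500,12 +508,16 @@ pioneer
 pithos
 pitivi
 pix
+planmaker18
+planmaker18free
 playonlinux
 pluma
 pngquant
 polari
 ppsspp
 pragha
+presentations18
+presentations18free
 profanity
 psi-plus
 pybitmessage
@@ -593,6 +605,8 @@ teeworlds
 telegram
 telegram-desktop
 terasology
+textmaker18
+textmaker18free
 thunderbird
 thunderbird-beta
 thunderbird-wayland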