author | smitsohu <smitsohu@gmail.com> | 2018-04-04 14:31:28 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2018-04-04 14:31:28 +0200 |
commit | 5b841b615dcec9bd93168f3061be68dbdb35e708 (patch) | |
tree | 4794d7641149dbf40fbc6d49be5ca83b4f2c6cff | |
parent | deprecated --git-install and --git-uninstall (diff) | |
fix a0502dc5144185b6d346e92944e3359a833d2378, various enhancements
-rw-r--r-- | etc/basilisk.profile | 50 | ||||
-rw-r--r-- | etc/dex2jar.profile | 6 | ||||
-rw-r--r-- | etc/disable-common.inc | 3 | ||||
-rw-r--r-- | etc/disable-programs.inc | 2 | ||||
-rw-r--r-- | etc/display.profile | 6 | ||||
-rw-r--r-- | etc/kate.profile | 2 | ||||
-rw-r--r-- | etc/kmail.profile | 1 | ||||
-rw-r--r-- | etc/knotes.profile | 11 | ||||
-rw-r--r-- | etc/palemoon.profile | 1 |
9 files changed, 16 insertions, 66 deletions
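--- a/etc/basilisk.profile
+++ b/etc/basilisk.profile
@@ -8,54 +8,16 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/moonchild productions/basilisk
 noblacklist ${HOME}/.moonchild productions/basilisk
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-programs.inc
-
-# These are uncommented in the Firefox profile. If you run into trouble you may
-# want to uncomment (some of) them.
-#whitelist ${HOME}/dwhelper
-#whitelist ${HOME}/.zotero
-#whitelist ${HOME}/.vimperatorrc
-#whitelist ${HOME}/.vimperator
-#whitelist ${HOME}/.pentadactylrc
-#whitelist ${HOME}/.pentadactyl
-#whitelist ${HOME}/.keysnail.js
-#whitelist ${HOME}/.config/gnome-mplayer
-#whitelist ${HOME}/.cache/gnome-mplayer/plugin
-#whitelist ${HOME}/.pki
-#whitelist ${HOME}/.lastpass
-
-# For silverlight
-#whitelist ${HOME}/.wine-pipelight
-#whitelist ${HOME}/.wine-pipelight64
-#whitelist ${HOME}/.config/pipelight-widevine
-#whitelist ${HOME}/.config/pipelight-silverlight5.1
-
 mkdir ${HOME}/.cache/moonchild productions/basilisk
 mkdir ${HOME}/.moonchild productions
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/moonchild productions/basilisk
 whitelist ${HOME}/.moonchild productions
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
 
-# private-bin basilisk
-# private-dev (disabled for now as it will interfere with webcam use in basilisk)
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
-# private-opt basilisk
-private-tmp
+#private-bin basilisk
+# private-etc must first be enabled in firefox-common.profile
+#private-etc basilisk
+#private-opt basilisk
 
-disable-mnt
+# Redirect
+include /etc/firejail/firefox-common.profile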
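Review bot: Every hardening option this profile used to set itself (`caps.drop all`, `seccomp`, `nonewprivs`, `noroot`, `private-tmp`, `disable-mnt` and the four `disable-*.inc` includes) now applies only if `firefox-common.profile` sets it, and that file is not part of this commit. It is worth confirming that the common profile carries each of them, `disable-mnt` and `private-tmp` in particular, because a missing one would silently widen the basilisk sandbox without any error. A comment above the redirect would make the dependency explicit, for example `# Redirect: blacklists, caps/seccomp and private-* options all come from firefox-common.profile`.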
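--- a/etc/dex2jar.profile
+++ b/etc/dex2jar.profile
@@ -12,12 +12,6 @@ noblacklist /usr/lib/java
 noblacklist /etc/java
 noblacklist /usr/share/java
 
-# Allow access to java
-noblacklist ${PATH}/java
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc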
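--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -48,6 +48,7 @@ read-only ${HOME}/.Xauthority
 # KDE config
 blacklist ${HOME}/.config/khotkeysrc
 blacklist ${HOME}/.config/krunnerrc
+blacklist ${HOME}/.config/kscreenlockerrc
 blacklist ${HOME}/.config/ksslcertificatemanager
 blacklist ${HOME}/.config/kwinrc
 blacklist ${HOME}/.config/kwinrulesrc
@@ -59,6 +60,7 @@ blacklist ${HOME}/.kde/share/apps/plasma
 blacklist ${HOME}/.kde/share/apps/solid
 blacklist ${HOME}/.kde/share/config/khotkeysrc
 blacklist ${HOME}/.kde/share/config/krunnerrc
+blacklist ${HOME}/.kde/share/config/kscreensaverrc
 blacklist ${HOME}/.kde/share/config/ksslcertificatemanager
 blacklist ${HOME}/.kde/share/config/kwinrc
 blacklist ${HOME}/.kde/share/config/kwinrulesrc
@@ -68,6 +70,7 @@ blacklist ${HOME}/.kde4/share/apps/plasma
 blacklist ${HOME}/.kde4/share/apps/solid
 blacklist ${HOME}/.kde4/share/config/khotkeysrc
 blacklist ${HOME}/.kde4/share/config/krunnerrc
+blacklist ${HOME}/.kde4/share/config/kscreensaverrc
 blacklist ${HOME}/.kde4/share/config/ksslcertificatemanager
 blacklist ${HOME}/.kde4/share/config/kwinrc
 blacklist ${HOME}/.kde4/share/config/kwinrulesrc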
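--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -48,6 +48,7 @@ blacklist ${HOME}/.config/Cryptocat
 blacklist ${HOME}/.config/Franz
 blacklist ${HOME}/.config/FreeCAD
 blacklist ${HOME}/.config/Fritzing
+blacklist ${HOME}/.config/GIMP
 blacklist ${HOME}/.config/Gitter
 blacklist ${HOME}/.config/Google
 blacklist ${HOME}/.config/Google Play Music Desktop Player
@@ -149,6 +150,7 @@ blacklist ${HOME}/.config/kdenliverc
 blacklist ${HOME}/.config/kgetrc
 blacklist ${HOME}/.config/klipperrc
 blacklist ${HOME}/.config/kmail2rc
+blacklist ${HOME}/.config/kmailsearchindexingrc
 blacklist ${HOME}/.config/kritarc
 blacklist ${HOME}/.config/kwriterc
 blacklist ${HOME}/.config/kdeconnect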
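Review bot: The new `blacklist ${HOME}/.config/GIMP` in the first hunk has no matching `noblacklist` anywhere in this commit, whereas the `kmailsearchindexingrc` entry added in the second hunk is paired with a `noblacklist` in etc/kmail.profile. If etc/gimp.profile does not already list that directory, GIMP started under its own profile would lose access to its configuration; that file is not shown here, so this needs checking before merge. The line it would need is `noblacklist ${HOME}/.config/GIMP`, placed ahead of its `include /etc/firejail/disable-programs.inc`.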
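--- a/etc/display.profile
+++ b/etc/display.profile
@@ -11,12 +11,6 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-# Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc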
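--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -15,7 +15,7 @@ noblacklist ${HOME}/.local/share/kate
 
 include /etc/firejail/disable-common.inc
 # include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
+# include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 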
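Review bot: Commenting out `include /etc/firejail/disable-interpreters.inc` gives kate access to every interpreter that file blacklists, and nothing in the hunk says which one kate actually needs. etc/display.profile in this same commit keeps the include and opens only what it requires with lines such as `noblacklist ${PATH}/python3*`; the same pattern here would leave the remaining interpreters blacklisted. If the whole include really has to stay off, a comment giving the reason would let a later reviewer narrow it, e.g. `# disable-interpreters.inc is off because <feature> needs <interpreter>`.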
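--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -15,6 +15,7 @@ noblacklist ${HOME}/.config/baloorc
 noblacklist ${HOME}/.config/emaildefaults
 noblacklist ${HOME}/.config/emailidentities
 noblacklist ${HOME}/.config/kmail2rc
+noblacklist ${HOME}/.config/kmailsearchindexingrc
 noblacklist ${HOME}/.config/mailtransports
 noblacklist ${HOME}/.config/specialmailcollectionsrc
 noblacklist ${HOME}/.gnupg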
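--- a/etc/knotes.profile
+++ b/etc/knotes.profile
@@ -5,15 +5,8 @@ include /etc/firejail/knotes.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-noblacklist ${HOME}/.config/akonadi*
-noblacklist ${HOME}/.config/knotesrc
-noblacklist ${HOME}/.local/share/akonadi/*
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+# knotes has problems launching akonadi in debian and ubuntu.
+# one solution is to have akonadi already running when knotes is started
 
 noblacklist ${HOME}/.config/knotesrc
 noblacklist ${HOME}/.local/share/knotes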
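Review bot: The five `include /etc/firejail/disable-*.inc` lines and both akonadi `noblacklist` entries are removed from the top of the profile, and the hunk ends at `noblacklist ${HOME}/.local/share/knotes`, so it does not show whether the file still carries them further down. If this was a duplicated block like the ones removed from dex2jar.profile and display.profile, the change is harmless. Otherwise knotes would run without the common blacklists, so the rest of the file should be checked before merge.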
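--- a/etc/palemoon.profile
+++ b/etc/palemoon.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.moonchild productions/pale moon
 
 mkdir ${HOME}/.cache/moonchild productions/pale moon
 mkdir ${HOME}/.moonchild productions
+whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/moonchild productions/pale moon
 whitelist ${HOME}/.moonchild productions
 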