author | netblue30 <netblue30@yahoo.com> | 2017-03-26 11:34:23 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-03-26 11:34:23 -0400 |
commit | 76b6fa1656b985606d5ac93787697c9c097dfbda (patch) | |
tree | bedd7d7d3b330d87b1ac79d8f0e9430cdc763bff | |
parent | Merge pull request #1159 from irregulator/master (diff) | |
parent | undo netlink addition (diff) | |
Merge pull request #1156 from SYN-cook/master
profile enhancements
-rw-r--r-- | etc/audacious.profile | 8 | ||||
-rw-r--r-- | etc/disable-common.inc | 1 | ||||
-rw-r--r-- | etc/disable-passwdmgr.inc | 1 | ||||
-rw-r--r-- | etc/disable-programs.inc | 5 | ||||
-rw-r--r-- | etc/gwenview.profile | 6 | ||||
-rw-r--r-- | etc/scribus.profile | 6 |
6 files changed, 23 insertions, 4 deletions
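--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -4,13 +4,21 @@ include /etc/firejail/audacious.local
 
 # Audacious media player profile
 noblacklist ~/.config/audacious
+noblacklist ~/.config/Audaciousrc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+netfilter
 nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
+tracelog
+
+private-bin audacious
+private-dev
+private-tmp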
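Review bot: `netfilter` on new line 14 only takes effect when the sandbox is given its own network namespace, and this profile keeps the host network (there is no `net` directive), so as written the filter is not applied while `protocol unix,inet,inet6` still permits full socket use. Either pair it with a `net` line or make the dependency explicit, e.g. `# netfilter is only active when the sandbox is started with --net=<interface>`. The new `private-bin audacious` together with `shell none` also means any helper the player launches by name will be missing from the sandbox; worth confirming it starts cleanly with the new restrictions before merging.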
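--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -165,6 +165,7 @@ blacklist ${HOME}/*.key
 blacklist ${HOME}/.muttrc
 blacklist ${HOME}/.mutt/muttrc
 blacklist ${HOME}/.msmtprc
+blacklist ${HOME}/.pki
 blacklist /etc/shadow
 blacklist /etc/gshadow
 blacklist /etc/passwd-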
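Review bot: Moving `blacklist ${HOME}/.pki` into disable-common.inc (new line 168) widens it from a password-manager and per-program rule to every profile that includes this file, and `~/.pki/nssdb` is the NSS database where Chromium-family browsers keep client certificates and trust settings. Any browser profile that needs it will now have to add `noblacklist ~/.pki/nssdb` ahead of its `include /etc/firejail/disable-common.inc` line, and this commit touches no such profile, so that should be checked alongside the matching removals in disable-passwdmgr.inc and disable-programs.inc. A short comment on the new line, e.g. `# NSS certificate db and private keys; profiles that need it must noblacklist before the include`, would make the intent visible to profile authors.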
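--- a/etc/disable-passwdmgr.inc
+++ b/etc/disable-passwdmgr.inc
@@ -2,7 +2,6 @@
 # Persistent customizations should go in a .local file.
 include /etc/firejail/disable-passwdmgr.local
 
-blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx
 blacklist ${HOME}/.keepass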
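--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -20,6 +20,7 @@ blacklist ${HOME}/.bcast5
 blacklist ${HOME}/.claws-mail
 blacklist ${HOME}/.config/0ad
 blacklist ${HOME}/.config/Atom
+blacklist ${HOME}/.config/Audaciousrc
 blacklist ${HOME}/.config/Brackets
 blacklist ${HOME}/.config/Cryptocat
 blacklist ${HOME}/.config/Franz
@@ -71,6 +72,7 @@ blacklist ${HOME}/.config/google-chrome
 blacklist ${HOME}/.config/google-chrome-beta
 blacklist ${HOME}/.config/google-chrome-unstable
 blacklist ${HOME}/.config/gthumb
+blacklist ${HOME}/.config/gwenviewrc
 blacklist ${HOME}/.config/hexchat
 blacklist ${HOME}/.config/inox
 blacklist ${HOME}/.config/jd-gui.cfg
@@ -88,6 +90,7 @@ blacklist ${HOME}/.config/nautilus
 blacklist ${HOME}/.config/netsurf
 blacklist ${HOME}/.config/opera
 blacklist ${HOME}/.config/opera-beta
+blacklist ${HOME}/.config/org.kde.gwenviewrc
 blacklist ${HOME}/.config/pix
 blacklist ${HOME}/.config/pluma
 blacklist ${HOME}/.config/psi+
@@ -224,12 +227,12 @@ blacklist ${HOME}/.openshot
 blacklist ${HOME}/.openshot_qt
 blacklist ${HOME}/.opera
 blacklist ${HOME}/.opera-beta
-blacklist ${HOME}/.pki
 blacklist ${HOME}/.purple
 blacklist ${HOME}/.qemu-launcher
 blacklist ${HOME}/.remmina
 blacklist ${HOME}/.retroshare
 blacklist ${HOME}/.scribus
+blacklist ${HOME}/.scribusrc
 blacklist ${HOME}/.steam
 blacklist ${HOME}/.steampath
 blacklist ${HOME}/.steampid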
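--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -5,6 +5,8 @@ include /etc/firejail/gwenview.local
 # KDE gwenview profile
 noblacklist ~/.kde/share/apps/gwenview
 noblacklist ~/.kde/share/config/gwenviewrc
+noblacklist ~/.config/gwenviewrc
+noblacklist ~/.config/org.kde.gwenviewrc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
@@ -16,11 +18,11 @@ nonewprivs
 noroot
 protocol unix
 seccomp
-nosound
+tracelog
 
 private-dev
 
-#Experimental:
+# Experimental:
 #shell none
 #private-bin gwenview
 #private-etc X11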
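Review bot: The second hunk replaces `nosound` (old line 19) with `tracelog` (new line 21) rather than adding `tracelog` beside it, so the profile quietly loses its audio restriction while the commit message only says "profile enhancements". If gwenview's video playback is the reason, say so in a comment next to the change; otherwise keep both directives, `nosound` followed by `tracelog`, so the sandbox is not loosened as a side effect of enabling logging.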
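--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -5,9 +5,15 @@ include /etc/firejail/scribus.local
 # Firejail profile for Scribus
 noblacklist ~/.scribus
 noblacklist ~/.config/scribus
+noblacklist ~/.config/scribusrc
 noblacklist ~/.local/share/scribus
 noblacklist ~/.gimp*
 
+# Support for PDF readers (Scribus 1.5 and higher)
+noblacklist ~/.kde/share/apps/okular
+noblacklist ~/.kde/share/config/okularrc
+noblacklist ~/.kde/share/config/okularpartrc
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc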
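Review bot: The new comment `# Support for PDF readers (Scribus 1.5 and higher)` (new line 12) is broader than the three lines under it, which exempt only okular's `~/.kde/share/...` paths, and the exemption is unconditional, so a Scribus 1.4 sandbox gains read access to those files as well. Make the comment match the rule, e.g. `# Allow okular's KDE config so Scribus 1.5+ can open PDF previews`, and if the includes that follow also blacklist okular's newer `~/.config` locations, matching `noblacklist` entries are needed here — verify against disable-programs.inc.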