author | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2020-03-29 13:01:05 +0200 |
---|---|---|
committer | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2020-03-29 13:01:05 +0200 |
commit | 6309857565aa40244b1e7c99aed54c3da81846fc (patch) | |
tree | 9073ad68202c168565b9cd1a227697a7bda09369 | |
parent | support GTK2 apps in wusc (diff) | |
download | firejail-6309857565aa40244b1e7c99aed54c3da81846fc.tar.gz firejail-6309857565aa40244b1e7c99aed54c3da81846fc.tar.zst firejail-6309857565aa40244b1e7c99aed54c3da81846fc.zip |
more game profiles
- frogatto
- gnome_games-common.profile
- gnome-2048 (make redirect)
- gnome-mines
- gnome-nibbles
- lightsoff
- ts3client_runscript.sh (fix #3279)
- warmux (don't get confused with the warmux/wormux thing)
-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | RELNOTES | 5 | ||||
-rw-r--r-- | etc/disable-programs.inc | 8 | ||||
-rw-r--r-- | etc/frogatto.profile | 47 | ||||
-rw-r--r-- | etc/gnome-2048.profile | 28 | ||||
-rw-r--r-- | etc/gnome-mines.profile | 18 | ||||
-rw-r--r-- | etc/gnome-nibbles.profile | 21 | ||||
-rw-r--r-- | etc/gnome_games-common.profile | 43 | ||||
-rw-r--r-- | etc/lightsoff.profile | 14 | ||||
-rw-r--r-- | etc/ts3client_runscript.sh.profile | 19 | ||||
-rw-r--r-- | etc/warmux.profile | 53 |
11 files changed, 231 insertions, 27 deletions
@@ -176,4 +176,4 @@ Run ./profstats -h for help. | |||
176 | ### New profiles: | 176 | ### New profiles: |
177 | 177 | ||
178 | gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et, multimc, gnome-hexgl, com.github.johnfactotum.Foliate, desktopeditors, impressive, mupdf-gl, mupdf-x11, mupdf-x11-curl, muraster, mutool, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18, textmaker18free, teams, xournal, | 178 | gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et, multimc, gnome-hexgl, com.github.johnfactotum.Foliate, desktopeditors, impressive, mupdf-gl, mupdf-x11, mupdf-x11-curl, muraster, mutool, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18, textmaker18free, teams, xournal, |
179 | gnome-screenshot, ripperX, sound-juicer, iagno, com.github.dahenson.agenda, gnome-pomodoro, gnome-todo, kmplayer, penguin-command, x2goclient | 179 | gnome-screenshot, ripperX, sound-juicer, iagno, com.github.dahenson.agenda, gnome-pomodoro, gnome-todo, kmplayer, penguin-command, x2goclient, frogatto, gnome-mines, gnome-nibbles, lightsoff, ts3client_runscript.sh, warmux |
@@ -2,6 +2,7 @@ firejail (0.9.63) baseline; urgency=low | |||
2 | * work in progress | 2 | * work in progress |
3 | * DHCP client support | 3 | * DHCP client support |
4 | * SELinux labeling support | 4 | * SELinux labeling support |
5 | * 32-bit seccomp filter | ||
5 | * new condition: HAS_NOSOUND | 6 | * new condition: HAS_NOSOUND |
6 | * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster | 7 | * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster |
7 | * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl | 8 | * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl |
@@ -11,7 +12,9 @@ firejail (0.9.63) baseline; urgency=low | |||
11 | * new profiles: presentations18, presentations18free, textmaker18, teams | 12 | * new profiles: presentations18, presentations18free, textmaker18, teams |
12 | * new profiles: textmaker18free, xournal, gnome-screenshot, ripperX | 13 | * new profiles: textmaker18free, xournal, gnome-screenshot, ripperX |
13 | * new profiles: sound-juicer, com.github.dahenson.agenda, gnome-pomodoro | 14 | * new profiles: sound-juicer, com.github.dahenson.agenda, gnome-pomodoro |
14 | * new profiles: gnome-todo, x2goclient | 15 | * new profiles: gnome-todo, x2goclient, iagno, kmplayer, penguin-command |
16 | * new profiles: frogatto, gnome-mines, gnome-nibbles, lightsoff, warmux | ||
17 | * new profiles: ts3client_runscript.sh | ||
15 | 18 | ||
16 | firejail (0.9.62) baseline; urgency=low | 19 | firejail (0.9.62) baseline; urgency=low |
17 | * added file-copy-limit in /etc/firejail/firejail.config | 20 | * added file-copy-limit in /etc/firejail/firejail.config |
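--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -8,6 +8,8 @@ blacklist ${HOME}/Monero/wallets
 blacklist ${HOME}/Nextcloud/Notes
 blacklist ${HOME}/SoftMaker
 blacklist ${HOME}/Standard Notes Backups
+blacklist ${HOME}/TeamSpeak3-Client-linux_x86
+blacklist ${HOME}/TeamSpeak3-Client-linux_amd64
 blacklist ${HOME}/mps
 blacklist ${HOME}/wallet.dat
 blacklist ${HOME}/.*coin
@@ -330,6 +332,7 @@ blacklist ${HOME}/.config/vivaldi
 blacklist ${HOME}/.config/vivaldi-snapshot
 blacklist ${HOME}/.config/vlc
 blacklist ${HOME}/.config/wesnoth
+blacklist ${HOME}/.config/wormux
 blacklist ${HOME}/.config/Whalebird
 blacklist ${HOME}/.config/wireshark
 blacklist ${HOME}/.config/xchat
@@ -378,6 +381,7 @@ blacklist ${HOME}/.fossamail
 blacklist ${HOME}/.freeciv
 blacklist ${HOME}/.freecol
 blacklist ${HOME}/.freemind
+blacklist ${HOME}/.frogatto
 blacklist ${HOME}/.frozen-bubble
 blacklist ${HOME}/.gimp*
 blacklist ${HOME}/.gist
@@ -536,7 +540,9 @@ blacklist ${HOME}/.local/share/gnome-2048
 blacklist ${HOME}/.local/share/gnome-chess
 blacklist ${HOME}/.local/share/gnome-builder
 blacklist ${HOME}/.local/share/gnome-latex
+blacklist ${HOME}/.local/share/gnome-mines
 blacklist ${HOME}/.local/share/gnome-music
+blacklist ${HOME}/.local/share/gnome-nibbles
 blacklist ${HOME}/.local/share/gnome-photos
 blacklist ${HOME}/.local/share/gnome-pomodoro
 blacklist ${HOME}/.local/share/gnome-recipes
@@ -610,6 +616,7 @@ blacklist ${HOME}/.local/share/vpltd
 blacklist ${HOME}/.local/share/vulkan
 blacklist ${HOME}/.local/share/warsow-2.1
 blacklist ${HOME}/.local/share/wesnoth
+blacklist ${HOME}/.local/share/wormux
 blacklist ${HOME}/.local/share/xplayer
 blacklist ${HOME}/.local/share/xreader
 blacklist ${HOME}/.local/share/zathura
@@ -706,6 +713,7 @@ blacklist ${HOME}/.widelands
 blacklist ${HOME}/.wine
 blacklist ${HOME}/.wine64
 blacklist ${HOME}/.wireshark
+blacklist ${HOME}/.wormux
 blacklist ${HOME}/.xiphos
 blacklist ${HOME}/.xmind
 blacklist ${HOME}/.xmms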
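Review bot: The new `blacklist ${HOME}/.config/wormux` entry in the second hunk sits between `wesnoth` and `Whalebird`, which breaks the ordering the neighbouring entries appear to follow (`wesnoth`, `Whalebird`, `wireshark`, `xchat`); it would fit after `blacklist ${HOME}/.config/wireshark`. In the first hunk the two TeamSpeak entries are likewise listed `x86` before `amd64`. Keeping this long blacklist sorted makes duplicates and omissions easier to spot when profiles are added; the full file is not visible here, so confirm the convention against the rest of it.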
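--- /dev/null
+++ b/etc/frogatto.profile
@@ -0,0 +1,47 @@
+# Firejail profile for frogatto
+# Description: 2D platformer game starring a quixotic frog
+# This file is overwritten after every install/update
+# Persistent local customizations
+include frogatto.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.frogatto
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.frogatto
+whitelist ${HOME}/.frogatto
+whitelist /usr/share/frogatto
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin frogatto,sh
+private-cache
+private-dev
+private-etc machine-id
+private-tmp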
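Review bot: `private-bin frogatto,sh` leaves a shell available inside the sandbox with no comment saying why, even though the profile also sets `shell none` and includes `disable-interpreters.inc`. Presumably the `frogatto` launcher is a shell wrapper script; if so, record it next to the line, e.g. `# sh is needed because frogatto is started through a wrapper script`, so a later cleanup neither drops it by accident nor keeps it after the wrapper is gone. If the game binary is started directly, `sh` can be removed from `private-bin`.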
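--- a/etc/gnome-2048.profile
+++ b/etc/gnome-2048.profile
@@ -8,32 +8,10 @@ include globals.local
 
 noblacklist ${HOME}/.local/share/gnome-2048
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-include whitelist-var-common.inc
-
 mkdir ${HOME}/.local/share/gnome-2048
 whitelist ${HOME}/.local/share/gnome-2048
-include whitelist-common.inc
-
-apparmor
-caps.drop all
-netfilter
-nodvd
-nonewprivs
-noroot
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
 
-disable-mnt
-private-dev
-private-tmp
+private-bin gnome-2048
 
+# Redirect
+include gnome_games-common.profile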
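Review bot: Unlike gnome-mines, gnome-nibbles and lightsoff in this commit, this profile adds no `whitelist /usr/share/gnome-2048` before the redirect, yet gnome_games-common.profile pulls in `whitelist-usr-share-common.inc`, which the old profile did not include. If the package installs data under /usr/share/gnome-2048 it would no longer be visible in the sandbox; please confirm and add the whitelist line if it is needed. The redirect also moves this game from `netfilter` with `protocol unix,inet,inet6` to `net none` and adds `nosound`, a tightening that deserves a line in the commit message because existing users see a behaviour change.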
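--- /dev/null
+++ b/etc/gnome-mines.profile
@@ -0,0 +1,18 @@
+# Firejail profile for gnome-mines
+# Description: Sliding tile puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-mines.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/gnome-mines
+
+mkdir ${HOME}/.local/share/gnome-mines
+whitelist ${HOME}/.local/share/gnome-mines
+whitelist /usr/share/gnome-mines
+
+private-bin gnome-mines
+
+# Redirect
+include gnome_games-common.profile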
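Review bot: The `# Description: Sliding tile puzzle game` line looks copied from another profile and does not describe gnome-mines, which is a minesweeper-style game; the same description is repeated in gnome-nibbles.profile and lightsoff.profile. Suggest `# Description: Clear hidden mines from a minefield` here, and matching one-line descriptions in the other two files (nibbles is a worm game, lightsoff a light-switching puzzle). The description is what a reader uses to judge whether the restrictions fit the program, so it should name the right one.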
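--- /dev/null
+++ b/etc/gnome-nibbles.profile
@@ -0,0 +1,21 @@
+# Firejail profile for gnome-nibbles
+# Description: Sliding tile puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-nibbles.local
+# Persistent global definitions
+include globals.local
+
+ignore machine-id
+ignore nosound
+
+noblacklist ${HOME}/.local/share/gnome-nibbles
+
+mkdir ${HOME}/.local/share/gnome-nibbles
+whitelist ${HOME}/.local/share/gnome-nibbles
+whitelist /usr/share/gnome-nibbles
+
+private-bin gnome-nibbles
+
+# Redirect
+include gnome_games-common.profile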
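Review bot: `ignore machine-id` and `ignore nosound` switch off two restrictions that gnome_games-common.profile applies to every other game, and nothing in the file says why. Presumably gnome-nibbles plays sound and audio does not work with a spoofed machine-id; a comment above the two lines would record that, e.g. `# gnome-nibbles has sound; machine-id spoofing breaks audio`. Without it the next editor cannot tell whether the relaxation is still required.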
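--- /dev/null
+++ b/etc/gnome_games-common.profile
@@ -0,0 +1,43 @@
+# Firejail profile for gnome_games-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome_games-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc dconf,fonts,gconf,gtk-2.0,gtk-3.0,machine-id,pango,X11
+private-tmp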
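Review bot: The header says that `globals.local` comes from the caller, but it does not state the rest of what a caller has to provide: this file sets no `private-bin` and whitelists no program-specific directory, so an including profile that forgets its own `private-bin` line runs with every binary visible, and one that forgets its /usr/share whitelist loses its data. A short comment would make the contract explicit, for example `# Callers must set private-bin and whitelist their own data directories before including this file`. It is also worth a comment on why `nodbus` is absent here while frogatto.profile and warmux.profile in this commit set it (presumably the GNOME games need D-Bus for their settings).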
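--- /dev/null
+++ b/etc/lightsoff.profile
@@ -0,0 +1,14 @@
+# Firejail profile for lightsoff
+# Description: Sliding tile puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lightsoff.local
+# Persistent global definitions
+include globals.local
+
+whitelist /usr/share/lightsoff
+
+private-bin lightsoff
+
+# Redirect
+include gnome_games-common.profile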
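--- /dev/null
+++ b/etc/ts3client_runscript.sh.profile
@@ -0,0 +1,19 @@
+# Firejail profile alias for teamspeak3
+# Description: TeamSpeak is software for quality voice communication via the Internet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ts3client_runscript.sh.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/TeamSpeak3-Client-linux_x86
+noblacklist ${HOME}/TeamSpeak3-Client-linux_amd64
+
+whitelist ${HOME}/TeamSpeak3-Client-linux_x86
+whitelist ${HOME}/TeamSpeak3-Client-linux_amd64
+
+# Redirect
+include teamspeak3.profile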
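Review bot: `ignore noexec ${HOME}` lifts the noexec mount for the whole home directory as the sandbox sees it, not only for the two TeamSpeak directories whitelisted below, and those directories stay writable, so code running in the sandbox can both modify and execute files there. teamspeak3.profile is not part of this commit, so what else it exposes under ${HOME} cannot be checked from here. Please add a comment stating the trade-off, e.g. `# TeamSpeak is installed in and executed from ${HOME}, so noexec cannot be kept`, and consider whether the install directories can be marked `read-only` when the client does not need to update itself in place.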
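--- /dev/null
+++ b/etc/warmux.profile
@@ -0,0 +1,53 @@
+# Firejail profile for warmux
+# Description: a convivial mass murder game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include warmux.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/wormux
+noblacklist ${HOME}/.local/share/wormux
+noblacklist ${HOME}/.wormux
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/wormux
+mkdir ${HOME}/.local/share/wormux
+mkdir ${HOME}/.wormux
+whitelist ${HOME}/.config/wormux
+whitelist ${HOME}/.local/share/wormux
+whitelist ${HOME}/.wormux
+whitelist /usr/share/warmux
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin warmux
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-tmp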
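Review bot: Every path the profile opens under ${HOME} is spelled `wormux` (`.config/wormux`, `.local/share/wormux`, `.wormux`) while the program name, `private-bin` and the /usr/share directory are `warmux`, and only the commit message hints that this is intentional. A comment above the `noblacklist` lines, such as `# warmux keeps its user data under the older name wormux`, would stop a later edit from "correcting" the spelling and leaving the real data directories blacklisted. The wording assumes the directories carry the program's earlier name; adjust it if the reason is different.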