Move apparmor option to the top of the options list in all profiles

author: Tad <tad@spotco.us> 2018-03-17 15:56:06 -0400
committer: Tad <tad@spotco.us> 2018-03-17 15:56:06 -0400
commit: 68fd00cfe4033a0299c481825373df696b7acdb5 (patch)
tree: 12024f283fcf8a54dfe7750df69f90b420d1c512
parent: Merge branch 'master' of https://github.com/netblue30/firejail (diff)
download: firejail-68fd00cfe4033a0299c481825373df696b7acdb5.tar.gz
firejail-68fd00cfe4033a0299c481825373df696b7acdb5.tar.zst
firejail-68fd00cfe4033a0299c481825373df696b7acdb5.zip
31 files changed, 31 insertions, 32 deletions
diff --git a/etc/ark.profile b/etc/ark.profile
index f3e366854..beeb652cf 100644
--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -16,6 +16,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+apparmor
 caps.drop all
 # net none
 netfilter
@@ -29,7 +30,6 @@ novideo
 protocol unix
 seccomp
 shell none
-apparmor
 private-dev
 private-tmp
diff --git a/etc/atril.profile b/etc/atril.profile
index 5d8cc54bd..a05f11076 100644
--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -17,6 +17,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+apparmor
 caps.drop all
 machine-id
 no3d
@@ -31,7 +32,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-apparmor
 private-bin atril, atril-previewer, atril-thumbnailer
 private-dev
diff --git a/etc/audacious.profile b/etc/audacious.profile
index 818d4455b..93ba5a45d 100644
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 nogroups
@@ -26,7 +27,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
-apparmor
 # private-bin audacious
 private-dev
diff --git a/etc/audacity.profile b/etc/audacity.profile
index 3575e297a..8c85dd6be 100644
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -16,6 +16,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+apparmor
 caps.drop all
 #net none
 no3d
@@ -29,7 +30,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-apparmor
 private-bin audacity
 private-dev
diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile
index 0e7e185d0..a11947334 100644
--- a/etc/chromium-common.profile
+++ b/etc/chromium-common.profile
@@ -17,13 +17,13 @@ whitelist ${HOME}/.pki
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc
+apparmor
 caps.keep sys_chroot,sys_admin
 netfilter
 nodvd
 nogroups
 notv
 shell none
-apparmor
 disable-mnt
 private-dev
diff --git a/etc/digikam.profile b/etc/digikam.profile
index 179204036..516876c6b 100644
--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -17,6 +17,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -28,7 +29,6 @@ protocol unix,inet,inet6,netlink
 seccomp
 # seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group
 shell none
-apparmor
 # private-bin program
 # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
diff --git a/etc/electron.profile b/etc/electron.profile
index 2ff61914e..222beada0 100644
--- a/etc/electron.profile
+++ b/etc/electron.profile
@@ -11,6 +11,7 @@ include /etc/firejail/disable-programs.inc
 whitelist ${DOWNLOADS}
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -20,4 +21,3 @@ noroot
 notv
 protocol unix,inet,inet6,netlink
 seccomp
-apparmor
diff --git a/etc/eog.profile b/etc/eog.profile
index e5302a84f..545a6e432 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -19,6 +19,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+apparmor
 caps.drop all
 # net none - makes settings immutable
 no3d
@@ -32,7 +33,6 @@ novideo
 protocol unix
 seccomp
 shell none
-apparmor
 private-bin eog
 private-dev
diff --git a/etc/eom.profile b/etc/eom.profile
index e5024a2bf..c7c92db0e 100644
--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -19,6 +19,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+apparmor
 caps.drop all
 # net none - makes settings immutable
 no3d
@@ -33,7 +34,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-apparmor
 private-bin eom
 private-dev
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index 021c9b6a4..12d160155 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -20,6 +20,7 @@ whitelist ${HOME}/.pki
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc
+apparmor
 caps.drop all
 # machine-id breaks pulse audio; it should work fine in setups where sound is not required
 #machine-id
@@ -33,7 +34,6 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
 tracelog
-apparmor
 disable-mnt
 private-dev
diff --git a/etc/galculator.profile b/etc/galculator.profile
index c851e7038..b28c7943f 100644
--- a/etc/galculator.profile
+++ b/etc/galculator.profile
@@ -19,6 +19,7 @@ whitelist ${HOME}/.config/galculator
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc
+apparmor
 caps.drop all
 net none
 nodvd
@@ -32,7 +33,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-apparmor
 private-bin galculator
 private-dev
diff --git a/etc/gimp.profile b/etc/gimp.profile
index 1f15677a1..3cc012a88 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+apparmor
 caps.drop all
 net none
 nodvd
@@ -26,7 +27,6 @@ notv
 protocol unix
 seccomp
 shell none
-apparmor
 private-dev
 private-tmp
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index b6fcb0668..d13208a1e 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 no3d
@@ -27,7 +28,6 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
-apparmor
 disable-mnt
 private-bin gnome-calculator
diff --git a/etc/handbrake.profile b/etc/handbrake.profile
index dd814222b..b99842d60 100644
--- a/etc/handbrake.profile
+++ b/etc/handbrake.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 nogroups
@@ -23,7 +24,6 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
-apparmor
 private-dev
 private-tmp
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
index 924691743..6e669ea2c 100644
--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -16,6 +16,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -28,7 +29,6 @@ novideo
 protocol unix
 seccomp
 shell none
-apparmor
 # private-bin inkscape,potrace - problems on Debian stretch
 private-dev
diff --git a/etc/kate.profile b/etc/kate.profile
index d1cfef49b..43f38d7e6 100644
--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -21,6 +21,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+apparmor
 caps.drop all
 # net none
 netfilter
@@ -35,7 +36,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-apparmor
 # private-bin kate
 private-dev
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile
index a52cd832f..424ad767e 100644
--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+apparmor
 caps.drop all
 # net none
 nodvd
@@ -25,7 +26,6 @@ notv
 protocol unix,netlink
 seccomp
 shell none
-apparmor
 private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper
 private-dev
diff --git a/etc/kodi.profile b/etc/kodi.profile
index 4eb2c9df1..dfe019641 100644
--- a/etc/kodi.profile
+++ b/etc/kodi.profile
@@ -12,6 +12,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+apparmor
 caps.drop all
 netfilter
 nogroups
@@ -21,7 +22,6 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
 tracelog
-apparmor
 private-dev
 private-tmp
diff --git a/etc/krita.profile b/etc/krita.profile
index 9fddf2214..0f4c5210b 100644
--- a/etc/krita.profile
+++ b/etc/krita.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+apparmor
 caps.drop all
 ipc-namespace
 # net none
@@ -27,7 +28,6 @@ novideo
 protocol unix
 seccomp
 shell none
-apparmor
 private-dev
 private-tmp
diff --git a/etc/kwrite.profile b/etc/kwrite.profile
index 386ef142c..6e8e33cb3 100644
--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -22,6 +22,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+apparmor
 caps.drop all
 # net none
 netfilter
@@ -36,7 +37,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-apparmor
 private-bin kwrite,kbuildsycoca4,kdeinit4
 private-dev
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index a67fafa30..8b801f11e 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -16,6 +16,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+apparmor
 caps.drop all
 machine-id
 netfilter
@@ -28,7 +29,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
-apparmor
 private-dev
 private-tmp
diff --git a/etc/mpv.profile b/etc/mpv.profile
index e864d5d45..a4dc679f4 100644
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 nogroups
@@ -24,7 +25,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
-apparmor
 private-bin mpv,youtube-dl,python*,env
 private-dev
diff --git a/etc/okular.profile b/etc/okular.profile
index 016316b29..ffe0d2bfb 100644
--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -25,6 +25,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+apparmor
 caps.drop all
 machine-id
 # net none
@@ -40,7 +41,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-apparmor
 private-bin okular,kbuildsycoca4,kdeinit4,lpr
 private-dev
diff --git a/etc/openshot.profile b/etc/openshot.profile
index 5d81df193..ca9110be6 100644
--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -25,7 +26,6 @@ notv
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
-apparmor
 private-dev
 private-tmp
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index 60bcc73d2..8df8177eb 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -26,6 +26,7 @@ whitelist ${HOME}/.local/share/data/qBittorrent
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc
+apparmor
 caps.drop all
 machine-id
 netfilter
@@ -39,7 +40,6 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
-apparmor
 private-bin qbittorrent,python*
 private-dev
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index b6f16cecf..a20bdb883 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -13,6 +13,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 # no3d
@@ -25,7 +26,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
-apparmor
 private-bin rhythmbox
 private-dev
diff --git a/etc/smplayer.profile b/etc/smplayer.profile
index d0180e185..64eff5670 100644
--- a/etc/smplayer.profile
+++ b/etc/smplayer.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 # nogroups
@@ -23,7 +24,6 @@ noroot
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
-apparmor
 private-bin smplayer,smtube,mplayer,mpv
 private-dev
diff --git a/etc/totem.profile b/etc/totem.profile
index 2b591cc69..6dbc5f0c2 100644
--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 nogroups
@@ -23,7 +24,6 @@ noroot
 protocol unix,inet,inet6
 seccomp
 shell none
-apparmor
 private-bin totem
 private-dev
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index d67bda4cc..3d249748d 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -21,6 +21,7 @@ whitelist ${HOME}/.config/transmission
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc
+apparmor
 caps.drop all
 machine-id
 netfilter
@@ -34,7 +35,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
-apparmor
 private-bin transmission-gtk
 private-dev
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index f2bfd1ff6..4f4d9bac1 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -21,6 +21,7 @@ whitelist ${HOME}/.config/transmission
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc
+apparmor
 caps.drop all
 machine-id
 netfilter
@@ -34,7 +35,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
-apparmor
 private-bin transmission-qt
 private-dev
@@ -42,4 +42,3 @@ private-dev
 private-tmp
 # memory-deny-write-execute - problems on Qt 5.10.0, KDE Frameworks 5.41.0
diff --git a/etc/vlc.profile b/etc/vlc.profile
index c244be08b..dad9a9ae1 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 # nogroups
@@ -23,7 +24,6 @@ noroot
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
-apparmor
 private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
 private-dev
author	Tad <tad@spotco.us>	2018-03-17 15:56:06 -0400
committer	Tad <tad@spotco.us>	2018-03-17 15:56:06 -0400
commit	68fd00cfe4033a0299c481825373df696b7acdb5 (patch)
tree	12024f283fcf8a54dfe7750df69f90b420d1c512
parent	Merge branch 'master' of https://github.com/netblue30/firejail (diff)
download	firejail-68fd00cfe4033a0299c481825373df696b7acdb5.tar.gz firejail-68fd00cfe4033a0299c481825373df696b7acdb5.tar.zst firejail-68fd00cfe4033a0299c481825373df696b7acdb5.zip