authorLibravatar Fred Barclay <Fred-Barclay@users.noreply.github.com>2017-08-02 09:37:20 -0500
committerLibravatar GitHub <noreply@github.com>2017-08-02 09:37:20 -0500
commitcaaac4417bd9b4116681c96fa1127b3f78c33d1d (patch)
tree0c1fd52865432943dff536a7679408bec47df683
parentget_mempolicy syscall was temporarily removed from the default seccomp list. ... (diff)
parentFixes (diff)
Merge pull request #1367 from SpotComms/mh
Harden profiles
-rw-r--r--etc/0ad.profile3
-rw-r--r--etc/2048-qt.profile25
-rw-r--r--etc/Thunar.profile10
-rw-r--r--etc/Xephyr.profile1
-rw-r--r--etc/Xvfb.profile1
-rw-r--r--etc/akregator.profile26
-rw-r--r--etc/atool.profile3
-rw-r--r--etc/audacity.profile1
-rw-r--r--etc/bitlbee.profile10
-rw-r--r--etc/bleachbit.profile2
-rw-r--r--etc/blender.profile18
-rw-r--r--etc/bless.profile1
-rw-r--r--etc/brasero.profile2
-rw-r--r--etc/caja.profile2
-rw-r--r--etc/cherrytree.profile12
-rw-r--r--etc/clipit.profile23
-rw-r--r--etc/cvlc.profile2
-rw-r--r--etc/darktable.profile19
-rw-r--r--etc/dia.profile18
-rw-r--r--etc/digikam.profile3
-rw-r--r--etc/display.profile7
-rw-r--r--etc/dragon.profile3
-rw-r--r--etc/dropbox.profile25
-rw-r--r--etc/enchant.profile2
-rw-r--r--etc/engrampa.profile2
-rw-r--r--etc/eog.profile2
-rw-r--r--etc/evince.profile2
-rw-r--r--etc/exiftool.profile3
-rw-r--r--etc/feh.profile1
-rw-r--r--etc/file-roller.profile2
-rw-r--r--etc/file.profile1
-rw-r--r--etc/flowblade.profile10
-rw-r--r--etc/fontforge.profile18
-rw-r--r--etc/franz.profile26
-rw-r--r--etc/geany.profile12
-rw-r--r--etc/gedit.profile1
-rw-r--r--etc/gimp.profile1
-rw-r--r--etc/globaltime.profile19
-rw-r--r--etc/gnome-books.profile2
-rw-r--r--etc/gnome-calculator.profile2
-rw-r--r--etc/gnome-documents.profile2
-rw-r--r--etc/gnome-music.profile2
-rw-r--r--etc/gnome-photos.profile2
-rw-r--r--etc/goobox.profile2
-rw-r--r--etc/google-chrome-beta.profile15
-rw-r--r--etc/google-chrome-unstable.profile15
-rw-r--r--etc/google-chrome.profile16
-rw-r--r--etc/google-play-music-desktop-player.profile20
-rw-r--r--etc/guayadeque.profile3
-rw-r--r--etc/gucharmap.profile32
-rw-r--r--etc/gwenview.profile3
-rw-r--r--etc/handbrake.profile19
-rw-r--r--etc/highlight.profile3
-rw-r--r--etc/hugin.profile19
-rw-r--r--etc/icecat.profile3
-rw-r--r--etc/img2txt.profile3
-rw-r--r--etc/inkscape.profile9
-rw-r--r--etc/jd-gui.profile1
-rw-r--r--etc/kate.profile2
-rw-r--r--etc/kcalc.profile24
-rw-r--r--etc/keepassxc.profile2
-rw-r--r--etc/kino.profile26
-rw-r--r--etc/knotes.profile2
-rw-r--r--etc/ktorrent.profile22
-rw-r--r--etc/kwrite.profile2
-rw-r--r--etc/leafpad.profile25
-rw-r--r--etc/less.profile1
-rw-r--r--etc/liferea.profile20
-rw-r--r--etc/luminance-hdr.profile9
-rw-r--r--etc/lximage-qt.profile26
-rw-r--r--etc/lxmusic.profile25
-rw-r--r--etc/mate-calc.profile27
-rw-r--r--etc/mate-color-select.profile34
-rw-r--r--etc/mate-dictionary.profile25
-rw-r--r--etc/mediainfo.profile5
-rw-r--r--etc/meld.profile1
-rw-r--r--etc/mumble.profile1
-rw-r--r--etc/mupdf.profile3
-rw-r--r--etc/nautilus.profile2
-rw-r--r--etc/nemo.profile17
-rw-r--r--etc/odt2txt.profile3
-rw-r--r--etc/okular.profile3
-rw-r--r--etc/openshot.profile12
-rw-r--r--etc/orage.profile23
-rw-r--r--etc/pcmanfm.profile14
-rw-r--r--etc/pdfsam.profile1
-rw-r--r--etc/pdftotext.profile3
-rw-r--r--etc/peek.profile1
-rw-r--r--etc/psi-plus.profile16
-rw-r--r--etc/qemu-launcher.profile2
-rw-r--r--etc/qemu-system-x86_64.profile2
-rw-r--r--etc/qlipper.profile27
-rw-r--r--etc/quiterss.profile3
-rw-r--r--etc/ranger.profile2
-rw-r--r--etc/ristretto.profile22
-rw-r--r--etc/skype.profile5
-rw-r--r--etc/skypeforlinux.profile8
-rw-r--r--etc/ssh.profile1
-rw-r--r--etc/strings.profile2
-rw-r--r--etc/synfigstudio.profile14
-rw-r--r--etc/tracker.profile2
-rw-r--r--etc/transmission-cli.profile2
-rw-r--r--etc/transmission-gtk.profile2
-rw-r--r--etc/transmission-show.profile1
-rw-r--r--etc/vivaldi.profile14
-rw-r--r--etc/vlc.profile1
-rw-r--r--etc/vym.profile22
-rw-r--r--etc/xfburn.profile2
-rw-r--r--etc/xfce4-dict.profile21
-rw-r--r--etc/xfce4-notes.profile24
-rw-r--r--etc/xonotic.profile1
-rw-r--r--etc/xpdf.profile13
-rw-r--r--etc/xpra.profile1
-rw-r--r--etc/zathura.profile1
114 files changed, 640 insertions, 424 deletions
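--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -38,3 +38,6 @@ tracelog
 private-dev
 private-tmp
 disable-mnt
+
+noexec ${HOME}
+noexec /tmp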
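--- a/etc/2048-qt.profile
+++ b/etc/2048-qt.profile
@@ -7,24 +7,27 @@ include /etc/firejail/2048-qt.local
 
 noblacklist ~/.config/xiaoyong
 noblacklist ~/.config/2048-qt
+
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+#ipc-namespace
 netfilter
+nogroups
 nonewprivs
 noroot
-protocol unix,inet,inet6
+nosound
+novideo
+protocol unix
 seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
 shell none
-# private-bin program
-# private-etc none
-# private-dev
-# private-tmp
-nosound
+
+private-dev
+private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp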
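Review bot: `netfilter` is kept on new line 18 although the protocol line below it is narrowed to `protocol unix`, so the seccomp socket filter already rejects AF_INET/AF_INET6 and the netfilter rules, which only take effect when the sandbox has its own network namespace, add nothing here. For a program that now has no network protocol at all, the explicit `net none` this commit uses for feh, gimp and file states the intent more clearly and removes the host network namespace instead of relying on the syscall filter alone; replace `netfilter` with `net none`. The same pattern appears in clipit, dia and fontforge, where `protocol` is likewise reduced to `unix` while `netfilter` stays.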
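--- a/etc/Thunar.profile
+++ b/etc/Thunar.profile
@@ -17,19 +17,13 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
 tracelog
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-# private-bin program
-# private-etc none
-# private-dev
-# private-tmp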
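--- a/etc/Xephyr.profile
+++ b/etc/Xephyr.profile
@@ -21,7 +21,6 @@ private
 
 caps.drop all
 # Xephyr needs to be allowed access to the abstract Unix socket namespace.
-#net none
 nogroups
 nonewprivs
 # In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix.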
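--- a/etc/Xvfb.profile
+++ b/etc/Xvfb.profile
@@ -22,7 +22,6 @@ private
 
 caps.drop all
 # Xvfb needs to be allowed access to the abstract Unix socket namespace.
-#net none
 nogroups
 nonewprivs
 # In noroot mode, Xvfb cannot create a socket in the real /tmp/.X11-unix.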
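--- a/etc/akregator.profile
+++ b/etc/akregator.profile
@@ -5,28 +5,30 @@ include /etc/firejail/globals.local
 # Persistent customizations should go in a .local file.
 include /etc/firejail/akregator.local
 
-################################
-# Generic GUI application profile
-################################
 noblacklist ${HOME}/.config/akregatorrc
 noblacklist ${HOME}/.local/share/akregator
+
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+#ipc-namespace
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
+#nosound
+novideo
 protocol unix,inet,inet6
 seccomp
+shell none
+
+private-dev
+private-tmp
+disable-mnt
 
-#
-# depending on your usage, you can enable some of the commands below:
-#
-# nogroups
-# shell none
-# private-bin program
-# private-etc none
-# private-dev
-# private-tmp
+noexec ${HOME}
+noexec /tmp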
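--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -12,6 +12,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+netfilter
 nogroups
 nonewprivs
 noroot
@@ -19,8 +20,6 @@ nosound
 novideo
 protocol unix
 seccomp
-netfilter
-net none
 no3d
 shell none
 tracelog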
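Review bot: The second hunk drops `net none` (old line 23) while the first hunk adds `netfilter`, which loosens the profile: `net none` removed the network entirely, whereas `netfilter` only installs a filter inside a new network namespace and leaves the host network reachable when none is configured. The retained `protocol unix` still blocks inet sockets through seccomp, but an archive tool has no need for network access, so keeping `net none` and dropping the redundant `netfilter` is the safer combination, as exiftool.profile does in this same commit. brasero's first hunk also deletes `net none` without a visible replacement; unless brasero needs the network for something the hunk does not show, it should keep the directive as well.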
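--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -16,7 +16,6 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 #ipc-namespace
 net none
-netfilter
 no3d
 nogroups
 nonewprivs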
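--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -9,13 +9,23 @@ include /etc/firejail/bitlbee.local
 noblacklist /sbin
 noblacklist /usr/sbin
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 netfilter
+no3d
 nonewprivs
 private
 private-dev
 protocol unix,inet,inet6
 seccomp
 nosound
+novideo
 read-write /var/lib/bitlbee
+
+private-dev
+private-tmp
+disable-mnt
+
+noexec /tmp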
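Review bot: `private-dev` now appears twice on the new side (lines 20 and 27); the second copy is redundant with the one already in the middle of the hardening block, and one of them should be removed so the directive lives in exactly one place. The duplicate is harmless at runtime, but it invites a later edit that changes one copy and forgets the other. Only `noexec /tmp` is added here while the rest of this commit pairs it with `noexec ${HOME}`; since the profile already runs with `private` there is presumably nothing in the home directory that needs to be executable, so adding `noexec ${HOME}` for consistency is worth confirming.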
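--- a/etc/bleachbit.profile
+++ b/etc/bleachbit.profile
@@ -14,7 +14,6 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 #ipc-namespace
 net none
-netfilter
 no3d
 nogroups
 nonewprivs
@@ -30,5 +29,6 @@ shell none
 # private-tmp
 # private-etc
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp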
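--- a/etc/blender.profile
+++ b/etc/blender.profile
@@ -7,25 +7,21 @@ include /etc/firejail/blender.local
 
 noblacklist ~/.config/blender
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
 shell none
-# private-bin program
-# private-etc none
-# private-dev
-# private-tmp
 
-# blender uses the sound system
-# nosound
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp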
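Review bot: Old lines 30–31 (`# blender uses the sound system` / `# nosound`) were the only record of why this profile leaves sound enabled, and the rewrite deletes that rationale without replacing it, so a later hardening pass is likely to add `nosound` and break audio. Keep the reason next to the hardening block, for example `# nosound is not set: blender uses the sound system`. evince's first hunk does the same with `#net none - creates some problems on some distributions`, which likewise documents a deliberate omission and should survive in comment form.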
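--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -22,7 +22,6 @@ include /etc/firejail/disable-devel.inc
 caps.drop all
 #ipc-namespace
 net none
-netfilter
 no3d
 nogroups
 nonewprivs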
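--- a/etc/brasero.profile
+++ b/etc/brasero.profile
@@ -15,7 +15,6 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 #ipc-namespace
-net none
 nogroups
 nonewprivs
 noroot
@@ -31,5 +30,6 @@ tracelog
 # private-etc fonts
 # private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp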
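--- a/etc/caja.profile
+++ b/etc/caja.profile
@@ -21,12 +21,12 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+netfilter
 nogroups
 nonewprivs
 noroot
 protocol unix
 seccomp
-netfilter
 shell none
 tracelog
 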
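--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -9,18 +9,28 @@ include /etc/firejail/cherrytree.local
 noblacklist /usr/bin/python2*
 noblacklist /usr/lib/python3*
 noblacklist ${HOME}/.config/cherrytree
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+#ipc-namespace
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
 novideo
-seccomp
 protocol unix,inet,inet6,netlink
+seccomp
+shell none
 tracelog
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp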
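--- a/etc/clipit.profile
+++ b/etc/clipit.profile
@@ -8,26 +8,25 @@ include /etc/firejail/clipit.local
 noblacklist ${HOME}/.local/share/clipit
 noblacklist ${HOME}/.config/clipit
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
+nosound
 novideo
-protocol unix,inet,inet6
+protocol unix
 seccomp
+shell none
 
+private-dev
+private-tmp
+disable-mnt
 
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
-shell none
-# private-bin program
-# private-etc none
-# private-dev
-# private-tmp
-nosound
+noexec ${HOME}
+noexec /tmp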
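--- a/etc/cvlc.profile
+++ b/etc/cvlc.profile
@@ -27,3 +27,5 @@ tracelog
 #private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
 private-dev
 private-tmp
+
+memory-deny-write-execute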
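--- a/etc/darktable.profile
+++ b/etc/darktable.profile
@@ -8,23 +8,24 @@ include /etc/firejail/darktable.local
 noblacklist ~/.cache/darktable
 noblacklist ~/.config/darktable
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+#ipc-namespace
 netfilter
+nogroups
 nonewprivs
 noroot
+nosound
+novideo
 protocol unix,inet,inet6
 seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-# nogroups
 shell none
-# private-bin program
-# private-etc none
-# private-dev
+
+private-dev
 private-tmp
-nosound
+
+noexec ${HOME}
+noexec /tmp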
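--- a/etc/dia.profile
+++ b/etc/dia.profile
@@ -7,23 +7,25 @@ include /etc/firejail/dia.local
 
 noblacklist ~/.dia
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
+nosound
 novideo
-protocol unix,inet,inet6
+protocol unix
 seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
 shell none
-# private-bin program
-# private-etc none
+
 private-dev
 private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp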
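--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -31,3 +31,6 @@ shell none
 # private-etc none
 # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
 private-tmp
+
+noexec ${HOME}
+noexec /tmp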
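--- a/etc/display.profile
+++ b/etc/display.profile
@@ -12,14 +12,13 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-seccomp
-protocol unix
-netfilter
 net none
 nonewprivs
-noroot
 nogroups
+noroot
 nosound
+protocol unix
+seccomp
 shell none
 x11 xorg
 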
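--- a/etc/dragon.profile
+++ b/etc/dragon.profile
@@ -27,3 +27,6 @@ private-bin dragon
 private-dev
 private-tmp
 # private-etc
+
+noexec ${HOME}
+noexec /tmp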
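--- a/etc/dropbox.profile
+++ b/etc/dropbox.profile
@@ -9,16 +9,10 @@ include /etc/firejail/dropbox.local
 noblacklist ~/.config/autostart
 noblacklist ~/.dropbox-dist
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
-caps
-nonewprivs
-noroot
-novideo
-protocol unix,inet,inet6
-seccomp
-
 mkdir ~/Dropbox
 whitelist ~/Dropbox
 mkdir ~/.dropbox
@@ -28,3 +22,20 @@ whitelist ~/.dropbox-dist
 
 mkfile ~/.config/autostart/dropbox.desktop
 whitelist ~/.config/autostart/dropbox.desktop
+
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec /tmp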
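Review bot: The new hardening block in the second hunk adds `noexec /tmp` but, unlike nearly every other profile in this commit, not `noexec ${HOME}`, and nothing in the file says why. The omission looks deliberate — `~/.dropbox-dist` is noblacklisted and whitelisted above, and the client presumably runs from there — so it deserves a comment such as `# noexec ${HOME} is not set: the client runs from ~/.dropbox-dist`, otherwise the next consistency pass will add the directive and break the sandbox. Replacing `caps` with `caps.drop all` is a genuine tightening for a daemon that previously kept the default capability set; a short note that it was tested would help future readers.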
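--- a/etc/enchant.profile
+++ b/etc/enchant.profile
@@ -14,13 +14,13 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+netfilter
 nogroups
 nonewprivs
 noroot
 nosound
 protocol unix
 seccomp
-netfilter
 shell none
 tracelog
 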
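--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -12,6 +12,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+netfilter
 nogroups
 nonewprivs
 noroot
@@ -19,7 +20,6 @@ nosound
 novideo
 protocol unix
 seccomp
-netfilter
 shell none
 tracelog
 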
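--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -19,7 +19,6 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 #ipc-namespace
 net none
-netfilter
 no3d
 nogroups
 nonewprivs
@@ -35,5 +34,6 @@ private-dev
 private-etc fonts
 private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp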
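--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -16,7 +16,6 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 #ipc-namespace
 netfilter
-#net none - creates some problems on some distributions
 no3d
 nogroups
 nonewprivs
@@ -34,5 +33,6 @@ private-etc fonts
 # evince needs access to /tmp/mozilla* to work in firefox
 # private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp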
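--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -17,14 +17,13 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+net none
 nogroups
 nonewprivs
 noroot
 nosound
 protocol unix
 seccomp
-netfilter
-net none
 no3d
 shell none
 tracelog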
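--- a/etc/feh.profile
+++ b/etc/feh.profile
@@ -12,7 +12,6 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-netfilter
 net none
 nogroups
 nonewprivs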
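--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -14,7 +14,6 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 #ipc-namespace
 net none
-netfilter
 no3d
 nogroups
 nonewprivs
@@ -31,5 +30,6 @@ tracelog
 private-dev
 # private-etc fonts
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp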
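--- a/etc/file.profile
+++ b/etc/file.profile
@@ -13,7 +13,6 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 hostname file
-netfilter
 net none
 no3d
 nogroups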
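--- a/etc/flowblade.profile
+++ b/etc/flowblade.profile
@@ -8,13 +8,23 @@ include /etc/firejail/flowblade.local
 # FlowBlade profile
 noblacklist ${HOME}/.flowblade
 noblacklist ${HOME}/.config/flowblade
+
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp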
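--- a/etc/fontforge.profile
+++ b/etc/fontforge.profile
@@ -6,23 +6,25 @@ include /etc/firejail/globals.local
 include /etc/firejail/fontforge.local
 
 noblacklist ${HOME}/.FontForge
+
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
-protocol unix,inet,inet6
+nosound
+novideo
+protocol unix
 seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
 shell none
-# private-bin program
-# private-etc none
+
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp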
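--- a/etc/franz.profile
+++ b/etc/franz.profile
@@ -13,14 +13,6 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 
-caps.drop all
-netfilter
-nonewprivs
-noroot
-protocol unix,inet,inet6,netlink
-seccomp
-#tracelog
-
 whitelist ${DOWNLOADS}
 mkdir ~/.config/Franz
 whitelist ~/.config/Franz
@@ -30,3 +22,21 @@ mkdir ~/.pki
 whitelist ~/.pki
 
 include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+#ipc-namespace
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+#tracelog
+
+private-dev
+private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp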
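--- a/etc/geany.profile
+++ b/etc/geany.profile
@@ -12,17 +12,15 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
+nosound
+novideo
 protocol unix,inet,inet6
 seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
 shell none
-# private-bin program
-# private-etc none
+
 private-dev
 private-tmp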
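--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -18,7 +18,6 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 #ipc-namespace
-netfilter
 net none
 no3d
 nogroups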
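--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -12,7 +12,6 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-netfilter
 net none
 nogroups
 nonewprivs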
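--- a/etc/globaltime.profile
+++ b/etc/globaltime.profile
@@ -7,22 +7,25 @@ include /etc/firejail/globaltime.local
 
 noblacklist ${HOME}/.config/globaltime
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
+nosound
+novideo
 protocol unix,inet,inet6
 seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
 shell none
-# private-bin program
-# private-etc none
+
 private-dev
-# private-tmp
+private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp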
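--- a/etc/gnome-books.profile
+++ b/etc/gnome-books.profile
@@ -16,6 +16,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+netfilter
 no3d
 nogroups
 nonewprivs
@@ -24,7 +25,6 @@ nosound
 novideo
 protocol unix
 seccomp
-netfilter
 shell none
 tracelog
 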
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index e64f62b70..40328e5c3 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -30,11 +30,13 @@ protocol unix,inet,inet6
30seccomp 30seccomp
31shell none 31shell none
32 32
33private
33private-bin gnome-calculator 34private-bin gnome-calculator
34private-dev 35private-dev
35#private-etc fonts 36#private-etc fonts
36private-tmp 37private-tmp
37disable-mnt 38disable-mnt
38 39
40memory-deny-write-execute
39noexec ${HOME} 41noexec ${HOME}
40noexec /tmp 42noexec /tmp
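Review bot: `memory-deny-write-execute` (new line 40) is added next to `private` (new line 33) without any note on what was tested; for a GTK application it usually works, but it can fail with some graphics drivers or when a loaded library needs a writable-executable mapping, so the commit text or a comment should say gnome-calculator was started under it. `private` also gives the calculator an empty tmpfs home on every run, so anything it caches under ~/.cache (the downloaded currency rates, if this build fetches them) is discarded and re-fetched each time; that is a reasonable trade-off but should be stated, e.g. `# private: fresh home each run, currency rates are re-downloaded`. The kept `protocol unix,inet,inet6` in the hunk header is consistent with that network use.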
diff --git a/etc/gnome-documents.profile b/etc/gnome-documents.profile
index 5d2a90b64..2d70bf7ef 100644
--- a/etc/gnome-documents.profile
+++ b/etc/gnome-documents.profile
@@ -17,6 +17,7 @@ include /etc/firejail/disable-devel.inc
17include /etc/firejail/disable-passwdmgr.inc 17include /etc/firejail/disable-passwdmgr.inc
18 18
19caps.drop all 19caps.drop all
20netfilter
20no3d 21no3d
21nogroups 22nogroups
22nonewprivs 23nonewprivs
@@ -25,7 +26,6 @@ nosound
25novideo 26novideo
26protocol unix 27protocol unix
27seccomp 28seccomp
28netfilter
29shell none 29shell none
30tracelog 30tracelog
31 31
diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile
index abdb6bfb5..8b569e563 100644
--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-devel.inc
14include /etc/firejail/disable-passwdmgr.inc 14include /etc/firejail/disable-passwdmgr.inc
15 15
16caps.drop all 16caps.drop all
17netfilter
17no3d 18no3d
18nogroups 19nogroups
19nonewprivs 20nonewprivs
@@ -21,7 +22,6 @@ noroot
21novideo 22novideo
22protocol unix 23protocol unix
23seccomp 24seccomp
24netfilter
25shell none 25shell none
26tracelog 26tracelog
27 27
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile
index 93823d0f4..ed9dc0a03 100644
--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@@ -17,13 +17,13 @@ include /etc/firejail/disable-devel.inc
17include /etc/firejail/disable-passwdmgr.inc 17include /etc/firejail/disable-passwdmgr.inc
18 18
19caps.drop all 19caps.drop all
20netfilter
20nogroups 21nogroups
21nonewprivs 22nonewprivs
22noroot 23noroot
23nosound 24nosound
24protocol unix 25protocol unix
25seccomp 26seccomp
26netfilter
27shell none 27shell none
28tracelog 28tracelog
29 29
diff --git a/etc/goobox.profile b/etc/goobox.profile
index 0ba059365..129d17ae7 100644
--- a/etc/goobox.profile
+++ b/etc/goobox.profile
@@ -12,12 +12,12 @@ include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-passwdmgr.inc 12include /etc/firejail/disable-passwdmgr.inc
13 13
14caps.drop all 14caps.drop all
15netfilter
15nogroups 16nogroups
16nonewprivs 17nonewprivs
17noroot 18noroot
18protocol unix 19protocol unix
19seccomp 20seccomp
20netfilter
21shell none 21shell none
22tracelog 22tracelog
23 23
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile
index 3b884bd64..22a2e8f88 100644
--- a/etc/google-chrome-beta.profile
+++ b/etc/google-chrome-beta.profile
@@ -16,8 +16,6 @@ include /etc/firejail/disable-programs.inc
16# include /etc/firejail/disable-devel.inc 16# include /etc/firejail/disable-devel.inc
17# 17#
18 18
19netfilter
20
21whitelist ${DOWNLOADS} 19whitelist ${DOWNLOADS}
22mkdir ~/.config/google-chrome-beta 20mkdir ~/.config/google-chrome-beta
23whitelist ~/.config/google-chrome-beta 21whitelist ~/.config/google-chrome-beta
@@ -26,3 +24,16 @@ whitelist ~/.cache/google-chrome-beta
26mkdir ~/.pki 24mkdir ~/.pki
27whitelist ~/.pki 25whitelist ~/.pki
28include /etc/firejail/whitelist-common.inc 26include /etc/firejail/whitelist-common.inc
27
28caps.keep sys_chroot,sys_admin
29#ipc-namespace
30netfilter
31nogroups
32shell none
33
34private-dev
35#private-tmp - problems with multiple browser sessions
36#disable-mnt
37
38noexec ${HOME}
39noexec /tmp
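Review bot: `caps.keep sys_chroot,sys_admin` at new line 28 appears in this hunk with no explanation; keeping CAP_SYS_ADMIN is close to granting root inside the jail (it covers mount, namespace and many other privileged operations), so the line deserves a one-line justification such as `# sys_chroot,sys_admin: required by Chrome's own setuid/namespace sandbox; drop if running with --no-sandbox`. I also do not see `nonewprivs` or `seccomp` anywhere in this hunk — if they are not set elsewhere in the file, the capability grant plus the setuid chrome-sandbox helper leaves a wide path out of the jail, and that combination should at least be documented. `noexec ${HOME}` (line 38) together with `whitelist ${DOWNLOADS}` (line 19) means downloaded files cannot be executed from inside the jail, which is presumably intended and worth a comment of its own.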
diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile
index 18bcb94a6..0675d7b49 100644
--- a/etc/google-chrome-unstable.profile
+++ b/etc/google-chrome-unstable.profile
@@ -16,8 +16,6 @@ include /etc/firejail/disable-programs.inc
16# include /etc/firejail/disable-devel.inc 16# include /etc/firejail/disable-devel.inc
17# 17#
18 18
19netfilter
20
21whitelist ${DOWNLOADS} 19whitelist ${DOWNLOADS}
22mkdir ~/.config/google-chrome-unstable 20mkdir ~/.config/google-chrome-unstable
23whitelist ~/.config/google-chrome-unstable 21whitelist ~/.config/google-chrome-unstable
@@ -26,3 +24,16 @@ whitelist ~/.cache/google-chrome-unstable
26mkdir ~/.pki 24mkdir ~/.pki
27whitelist ~/.pki 25whitelist ~/.pki
28include /etc/firejail/whitelist-common.inc 26include /etc/firejail/whitelist-common.inc
27
28caps.keep sys_chroot,sys_admin
29#ipc-namespace
30netfilter
31nogroups
32shell none
33
34private-dev
35#private-tmp - problems with multiple browser sessions
36#disable-mnt
37
38noexec ${HOME}
39noexec /tmp
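Review bot: The tail added at new lines 27–39 is byte-identical to the one added to google-chrome-beta.profile and google-chrome.profile in this same commit, which invites drift the next time one of the three is hardened; firejail profiles can `include` another file, so a shared file (say `google-chrome-common.profile`) holding the caps/netfilter/nogroups/private-dev/noexec lines would keep them in step. Within the hunk, `#ipc-namespace` (line 29) and `#disable-mnt` (line 36) are left disabled without the reason that `#private-tmp` (line 35) gets; add the actual reason, e.g. `#disable-mnt - breaks saving to removable media`, or drop the lines if they are only placeholders.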
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile
index 84e0c6cdc..e6fceadec 100644
--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -16,9 +16,6 @@ include /etc/firejail/disable-programs.inc
16# include /etc/firejail/disable-devel.inc 16# include /etc/firejail/disable-devel.inc
17# 17#
18 18
19caps.keep sys_chroot,sys_admin
20netfilter
21
22whitelist ${DOWNLOADS} 19whitelist ${DOWNLOADS}
23mkdir ~/.config/google-chrome 20mkdir ~/.config/google-chrome
24whitelist ~/.config/google-chrome 21whitelist ~/.config/google-chrome
@@ -27,3 +24,16 @@ whitelist ~/.cache/google-chrome
27mkdir ~/.pki 24mkdir ~/.pki
28whitelist ~/.pki 25whitelist ~/.pki
29include /etc/firejail/whitelist-common.inc 26include /etc/firejail/whitelist-common.inc
27
28caps.keep sys_chroot,sys_admin
29#ipc-namespace
30netfilter
31nogroups
32shell none
33
34private-dev
35#private-tmp - problems with multiple browser sessions
36#disable-mnt
37
38noexec ${HOME}
39noexec /tmp
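Review bot: `caps.keep sys_chroot,sys_admin` is moved (old line 19, new line 28) rather than reconsidered, yet neither `nonewprivs` nor `seccomp` appears in the visible part of the file, and CAP_SYS_ADMIN is the capability that makes a sandbox escape easiest. If Chrome's setuid sandbox helper is the reason, say so on the line: `# needed by chrome-sandbox (setuid helper); remove together with --no-sandbox`. If the namespace sandbox is what current kernels use, test whether the line can become `caps.drop all` plus `nonewprivs` — that would be a far larger hardening win than the `nogroups`/`private-dev`/`noexec` additions in this hunk. Both `seccomp` and `nonewprivs` may be set elsewhere in the file; if so, ignore that part.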
diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile
index ed6b11002..c373cc34c 100644
--- a/etc/google-play-music-desktop-player.profile
+++ b/etc/google-play-music-desktop-player.profile
@@ -13,13 +13,25 @@ include /etc/firejail/disable-programs.inc
13include /etc/firejail/disable-devel.inc 13include /etc/firejail/disable-devel.inc
14include /etc/firejail/disable-passwdmgr.inc 14include /etc/firejail/disable-passwdmgr.inc
15 15
16#whitelist ~/.pulse
17#whitelist ~/.config/pulse
18whitelist ~/.config/Google Play Music Desktop Player
19
16caps.drop all 20caps.drop all
21#ipc-namespace
22netfilter
23no3d
24nogroups
17nonewprivs 25nonewprivs
18noroot 26noroot
19netfilter 27novideo
20protocol unix,inet,inet6,netlink 28protocol unix,inet,inet6,netlink
21seccomp 29seccomp
30shell none
22 31
23#whitelist ~/.pulse 32private-dev
24#whitelist ~/.config/pulse 33private-tmp
25whitelist ~/.config/Google Play Music Desktop Player 34disable-mnt
35
36noexec ${HOME}
37noexec /tmp
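Review bot: `no3d` at new line 23 is applied to an Electron application, and Electron/Chromium normally tries to use GPU compositing; it can fall back to software rendering, but that should be verified rather than assumed, and the outcome recorded (`no3d` or `#no3d - GPU compositing needed`). The `whitelist ~/.config/Google Play Music Desktop Player` line (new line 18) turns the home directory into whitelist-only mode, and I do not see `include /etc/firejail/whitelist-common.inc` in the hunk — confirm it is elsewhere in the file, otherwise the entries that include normally provides (the X authority file, pulse config, etc.) are missing; the commented `#whitelist ~/.config/pulse` at lines 16–17 suggests this was already a known gap and deserves a reason comment. The added `private-dev`, `private-tmp`, `disable-mnt` and `noexec` lines are fine for a music player.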
diff --git a/etc/guayadeque.profile b/etc/guayadeque.profile
index 5b3bc11f2..86f3d7838 100644
--- a/etc/guayadeque.profile
+++ b/etc/guayadeque.profile
@@ -24,3 +24,6 @@ shell none
24private-bin guayadeque 24private-bin guayadeque
25private-dev 25private-dev
26private-tmp 26private-tmp
27
28noexec ${HOME}
29noexec /tmp
diff --git a/etc/gucharmap.profile b/etc/gucharmap.profile
index 929888e88..4d6237067 100644
--- a/etc/gucharmap.profile
+++ b/etc/gucharmap.profile
@@ -5,25 +5,27 @@ include /etc/firejail/globals.local
5# Persistent customizations should go in a .local file. 5# Persistent customizations should go in a .local file.
6include /etc/firejail/gucharmap.local 6include /etc/firejail/gucharmap.local
7 7
8private 8include /etc/firejail/disable-common.inc
9#include /etc/firejail/disable-common.inc 9include /etc/firejail/disable-devel.inc
10#include /etc/firejail/disable-programs.inc 10include /etc/firejail/disable-passwdmgr.inc
11#include /etc/firejail/disable-passwdmgr.inc 11include /etc/firejail/disable-programs.inc
12 12
13caps.drop all 13caps.drop all
14netfilter 14netfilter
15no3d
16nogroups
15nonewprivs 17nonewprivs
16noroot 18noroot
17protocol unix,inet,inet6 19nosound
20novideo
21protocol unix
18seccomp 22seccomp
19
20#
21# depending on your usage, you can enable some of the commands below:
22#
23nogroups
24shell none 23shell none
25# private-bin program 24
26# private-etc none 25private
27# private-dev 26private-dev
28# private-tmp 27private-tmp
29nosound 28disable-mnt
29
30noexec ${HOME}
31noexec /tmp
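Review bot: `netfilter` (new line 14) is kept while `protocol` is narrowed to `unix` (line 21); the filter only takes effect inside a new network namespace, so here it is inert and the process still shares the host network stack even though it can no longer open inet sockets. A character map has no reason to reach the network, so `net none` would express that intent directly and would match what this commit does for highlight and mupdf. Replacing the bare `private` with the full `disable-*.inc` set plus `private` is a clear improvement; a one-line `# private: gucharmap keeps no per-user state` would explain why an empty home is acceptable here.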
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
index 97227186a..047d2e32e 100644
--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -32,3 +32,6 @@ private-dev
32 32
33# Experimental: 33# Experimental:
34#private-etc X11 34#private-etc X11
35
36noexec ${HOME}
37noexec /tmp
diff --git a/etc/handbrake.profile b/etc/handbrake.profile
index 0f3f32250..ccff63708 100644
--- a/etc/handbrake.profile
+++ b/etc/handbrake.profile
@@ -7,24 +7,23 @@ include /etc/firejail/handbrake.local
7 7
8noblacklist ~/.config/ghb 8noblacklist ~/.config/ghb
9include /etc/firejail/disable-common.inc 9include /etc/firejail/disable-common.inc
10include /etc/firejail/disable-devel.inc
10include /etc/firejail/disable-programs.inc 11include /etc/firejail/disable-programs.inc
11include /etc/firejail/disable-passwdmgr.inc 12include /etc/firejail/disable-passwdmgr.inc
12 13
13caps.drop all 14caps.drop all
14netfilter 15netfilter
16nogroups
15nonewprivs 17nonewprivs
16noroot 18noroot
17# netlink required! 19nosound
20novideo
18protocol unix,inet,inet6,netlink 21protocol unix,inet,inet6,netlink
19seccomp 22seccomp
20
21#
22# depending on your usage, you can enable some of the commands below:
23#
24nogroups
25shell none 23shell none
26# private-bin program 24
27# private-etc none 25private-dev
28#private-dev
29private-tmp 26private-tmp
30nosound 27
28noexec ${HOME}
29noexec /tmp
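Review bot: `private-dev` (new line 25) replaces the previously commented `#private-dev`, and the old comment-out looks deliberate: private-dev builds a minimal /dev and, as far as I remember the device list of this firejail version, it does not include the optical drive nodes (/dev/sr*, /dev/dvd, /dev/cdrom) that HandBrake reads discs from. Please confirm a DVD source still opens inside the jail before enabling it, or keep it as `#private-dev - hides /dev/sr* needed for disc sources` with the reason. `novideo` (line 20) only hides /dev/video* and is fine for a transcoder; `nosound` was already present and means the built-in preview stays silent, which is worth a comment too.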
diff --git a/etc/highlight.profile b/etc/highlight.profile
index 58e7f89f5..fefbcc55d 100644
--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@@ -12,14 +12,13 @@ include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-passwdmgr.inc 12include /etc/firejail/disable-passwdmgr.inc
13 13
14caps.drop all 14caps.drop all
15net none
15nogroups 16nogroups
16nonewprivs 17nonewprivs
17noroot 18noroot
18nosound 19nosound
19protocol unix 20protocol unix
20seccomp 21seccomp
21netfilter
22net none
23no3d 22no3d
24shell none 23shell none
25tracelog 24tracelog
diff --git a/etc/hugin.profile b/etc/hugin.profile
index 97a9cb1fd..26e696f0d 100644
--- a/etc/hugin.profile
+++ b/etc/hugin.profile
@@ -6,24 +6,25 @@ include /etc/firejail/globals.local
6include /etc/firejail/hugin.local 6include /etc/firejail/hugin.local
7 7
8noblacklist ${HOME}/.hugin 8noblacklist ${HOME}/.hugin
9
9include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
11include /etc/firejail/disable-devel.inc
10include /etc/firejail/disable-programs.inc 12include /etc/firejail/disable-programs.inc
11include /etc/firejail/disable-passwdmgr.inc 13include /etc/firejail/disable-passwdmgr.inc
12 14
13caps.drop all 15caps.drop all
14netfilter 16netfilter
17nogroups
15nonewprivs 18nonewprivs
16noroot 19noroot
17protocol unix,inet,inet6 20nosound
21novideo
22protocol unix
18seccomp 23seccomp
19
20#
21# depending on your usage, you can enable some of the commands below:
22#
23nogroups
24shell none 24shell none
25# private-bin program 25
26# private-etc none
27private-dev 26private-dev
28private-tmp 27private-tmp
29nosound 28
29noexec ${HOME}
30noexec /tmp
diff --git a/etc/icecat.profile b/etc/icecat.profile
index 7684cedbe..600263a2a 100644
--- a/etc/icecat.profile
+++ b/etc/icecat.profile
@@ -48,3 +48,6 @@ include /etc/firejail/whitelist-common.inc
48 48
49# experimental features 49# experimental features
50#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse 50#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
51
52noexec ${HOME}
53noexec /tmp
diff --git a/etc/img2txt.profile b/etc/img2txt.profile
index 00d172f55..2ea359e72 100644
--- a/etc/img2txt.profile
+++ b/etc/img2txt.profile
@@ -12,14 +12,13 @@ include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-passwdmgr.inc 12include /etc/firejail/disable-passwdmgr.inc
13 13
14caps.drop all 14caps.drop all
15net none
15nogroups 16nogroups
16nonewprivs 17nonewprivs
17noroot 18noroot
18nosound 19nosound
19protocol unix 20protocol unix
20seccomp 21seccomp
21netfilter
22net none
23shell none 22shell none
24tracelog 23tracelog
25 24
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
index 0a9d409b9..af1be565b 100644
--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -8,6 +8,7 @@ include /etc/firejail/inkscape.local
8# inkscape 8# inkscape
9noblacklist ${HOME}/.inkscape 9noblacklist ${HOME}/.inkscape
10include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
11include /etc/firejail/disable-devel.inc
11include /etc/firejail/disable-programs.inc 12include /etc/firejail/disable-programs.inc
12include /etc/firejail/disable-passwdmgr.inc 13include /etc/firejail/disable-passwdmgr.inc
13 14
@@ -17,11 +18,13 @@ nogroups
17nonewprivs 18nonewprivs
18noroot 19noroot
19nosound 20nosound
21novideo
20protocol unix 22protocol unix
21seccomp 23seccomp
22 24shell none
23noexec ${HOME}
24noexec /tmp
25 25
26private-dev 26private-dev
27private-tmp 27private-tmp
28
29noexec ${HOME}
30noexec /tmp
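Review bot: `include /etc/firejail/disable-devel.inc` (new line 11) may conflict with Inkscape's extension system, which runs external Python scripts; depending on what that include blacklists in this version (I am not sure whether it covers the Python interpreter and its library tree), the Extensions menu could silently stop working. Test a stock extension (any of the Generate/Render ones) under the new profile and, if it fails, either drop the include or add the matching `noblacklist` lines above it, with a comment naming the reason. The added `novideo`, `shell none` and the move of the `noexec` lines to the end are fine.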
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
index 32b43cdf1..9cb845b50 100644
--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -22,7 +22,6 @@ include /etc/firejail/disable-devel.inc
22caps.drop all 22caps.drop all
23#ipc-namespace 23#ipc-namespace
24net none 24net none
25netfilter
26no3d 25no3d
27nogroups 26nogroups
28nonewprivs 27nonewprivs
diff --git a/etc/kate.profile b/etc/kate.profile
index 832f3614f..97372f752 100644
--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -19,13 +19,13 @@ include /etc/firejail/disable-programs.inc
19include /etc/firejail/disable-passwdmgr.inc 19include /etc/firejail/disable-passwdmgr.inc
20 20
21caps.drop all 21caps.drop all
22netfilter
22nogroups 23nogroups
23nonewprivs 24nonewprivs
24noroot 25noroot
25nosound 26nosound
26protocol unix 27protocol unix
27seccomp 28seccomp
28netfilter
29shell none 29shell none
30tracelog 30tracelog
31 31
diff --git a/etc/kcalc.profile b/etc/kcalc.profile
index 0ea5dbcb3..1d425cf47 100644
--- a/etc/kcalc.profile
+++ b/etc/kcalc.profile
@@ -5,27 +5,27 @@ include /etc/firejail/globals.local
5# Persistent customizations should go in a .local file. 5# Persistent customizations should go in a .local file.
6include /etc/firejail/kcalc.local 6include /etc/firejail/kcalc.local
7 7
8################################
9# Generic GUI application profile
10################################
11include /etc/firejail/disable-common.inc 8include /etc/firejail/disable-common.inc
12include /etc/firejail/disable-programs.inc 9include /etc/firejail/disable-devel.inc
13include /etc/firejail/disable-passwdmgr.inc 10include /etc/firejail/disable-passwdmgr.inc
11include /etc/firejail/disable-programs.inc
14 12
15caps.drop all 13caps.drop all
16netfilter 14netfilter
15no3d
16nogroups
17nonewprivs 17nonewprivs
18noroot 18noroot
19protocol unix,inet,inet6 19nosound
20novideo
21protocol unix
20seccomp 22seccomp
23shell none
21 24
22#
23# depending on your usage, you can enable some of the commands below:
24#
25private 25private
26nogroups
27shell none
28# private-bin program
29# private-etc none
30private-dev 26private-dev
31private-tmp 27private-tmp
28disable-mnt
29
30noexec ${HOME}
31noexec /tmp
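Review bot: `private` (new line 25) is now combined with `disable-mnt` and `private-tmp`, but kcalc keeps its settings (constants, precision, display mode) in a per-user config file under ~/.config, I believe `kcalcrc`; with an empty tmpfs home those are lost on every run, so either state that this is an accepted trade-off (`# private: settings are not persisted`) or replace `private` with `noblacklist ~/.config/kcalcrc` plus a whitelist. `netfilter` at line 14 is inert once `protocol unix` (line 21) removes inet; `net none` states the intent directly and is what this commit uses for the console tools. Removing the "Generic GUI application profile" boilerplate is welcome.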
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile
index 4a5503944..3ab4115e6 100644
--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -16,7 +16,6 @@ include /etc/firejail/disable-programs.inc
16include /etc/firejail/disable-devel.inc 16include /etc/firejail/disable-devel.inc
17include /etc/firejail/disable-passwdmgr.inc 17include /etc/firejail/disable-passwdmgr.inc
18 18
19# To use KeePassHTTP, comment out `net none`
20caps.drop all 19caps.drop all
21#ipc-namespace 20#ipc-namespace
22net none 21net none
@@ -35,5 +34,6 @@ private-dev
35private-etc fonts,ld.so.cache 34private-etc fonts,ld.so.cache
36private-tmp 35private-tmp
37 36
37memory-deny-write-execute
38noexec ${HOME} 38noexec ${HOME}
39noexec /tmp 39noexec /tmp
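Review bot: Dropping the comment `# To use KeePassHTTP, comment out \`net none\`` (old line 19) removes the only documented way to get browser integration working while `net none` itself (line 21) stays; a user who hits the failure now has no pointer, so keep the hint, e.g. `# net none blocks KeePassHTTP/browser integration; comment it out if you need that`. `memory-deny-write-execute` (new line 37) is a good fit for a password manager, but please note in the commit text that unlocking a database and Auto-Type were exercised under it, since a failure there only shows up when a database is opened, not at start-up.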
diff --git a/etc/kino.profile b/etc/kino.profile
index b37569340..bb37d56ab 100644
--- a/etc/kino.profile
+++ b/etc/kino.profile
@@ -5,28 +5,26 @@ include /etc/firejail/globals.local
5# Persistent customizations should go in a .local file. 5# Persistent customizations should go in a .local file.
6include /etc/firejail/kino.local 6include /etc/firejail/kino.local
7 7
8################################
9# Generic GUI application profile
10################################
11noblacklist ~/.kinorc 8noblacklist ~/.kinorc
12noblacklist ~/.kino-history 9noblacklist ~/.kino-history
10
13include /etc/firejail/disable-common.inc 11include /etc/firejail/disable-common.inc
14include /etc/firejail/disable-programs.inc 12include /etc/firejail/disable-devel.inc
15include /etc/firejail/disable-passwdmgr.inc 13include /etc/firejail/disable-passwdmgr.inc
14include /etc/firejail/disable-programs.inc
16 15
17caps.drop all 16caps.drop all
18netfilter 17netfilter
18nogroups
19nonewprivs 19nonewprivs
20noroot 20noroot
21protocol unix,inet,inet6 21novideo
22protocol unix
22seccomp 23seccomp
24shell none
25
26private-dev
27private-tmp
23 28
24# 29noexec ${HOME}
25# depending on your usage, you can enable some of the commands below: 30noexec /tmp
26#
27# nogroups
28# shell none
29# private-bin program
30# private-etc none
31# private-dev
32# private-tmp
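Review bot: `private-dev` (new line 26) is enabled for a DV capture application: kino talks to camcorders through the IEEE1394 nodes (/dev/raw1394, /dev/dv1394*, /dev/video1394*), and I do not believe private-dev's minimal /dev provides them, so capture from a camera would stop working while playback and editing still do. Either verify capture under the new profile or keep the line disabled with a reason, `#private-dev - hides /dev/raw1394 used for DV capture`. Narrowing `protocol` to `unix` (line 22) is fine for kino; `novideo` (line 21) only affects /dev/video*, which kino does not use for DV as far as I know.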
diff --git a/etc/knotes.profile b/etc/knotes.profile
index e7da44215..b1883112c 100644
--- a/etc/knotes.profile
+++ b/etc/knotes.profile
@@ -14,13 +14,13 @@ include /etc/firejail/disable-programs.inc
14include /etc/firejail/disable-passwdmgr.inc 14include /etc/firejail/disable-passwdmgr.inc
15 15
16caps.drop all 16caps.drop all
17netfilter
17nogroups 18nogroups
18nonewprivs 19nonewprivs
19noroot 20noroot
20nosound 21nosound
21protocol unix 22protocol unix
22seccomp 23seccomp
23netfilter
24shell none 24shell none
25tracelog 25tracelog
26 26
diff --git a/etc/ktorrent.profile b/etc/ktorrent.profile
index 59c2827cd..c19f1c5ef 100644
--- a/etc/ktorrent.profile
+++ b/etc/ktorrent.profile
@@ -5,16 +5,15 @@ include /etc/firejail/globals.local
5# Persistent customizations should go in a .local file. 5# Persistent customizations should go in a .local file.
6include /etc/firejail/ktorrent.local 6include /etc/firejail/ktorrent.local
7 7
8################################
9# Generic GUI application profile
10################################
11noblacklist ~/.config/ktorrentrc 8noblacklist ~/.config/ktorrentrc
12noblacklist ~/.local/share/ktorrent 9noblacklist ~/.local/share/ktorrent
13noblacklist ~/.kde/share/config/ktorrentrc 10noblacklist ~/.kde/share/config/ktorrentrc
14noblacklist ~/.kde4/share/config/ktorrentrc 11noblacklist ~/.kde4/share/config/ktorrentrc
15noblacklist ~/.kde/share/apps/ktorrent 12noblacklist ~/.kde/share/apps/ktorrent
16noblacklist ~/.kde4/share/apps/ktorrent 13noblacklist ~/.kde4/share/apps/ktorrent
14
17include /etc/firejail/disable-common.inc 15include /etc/firejail/disable-common.inc
16include /etc/firejail/disable-devel.inc
18include /etc/firejail/disable-programs.inc 17include /etc/firejail/disable-programs.inc
19include /etc/firejail/disable-passwdmgr.inc 18include /etc/firejail/disable-passwdmgr.inc
20 19
@@ -36,17 +35,18 @@ include /etc/firejail/whitelist-common.inc
36 35
37caps.drop all 36caps.drop all
38netfilter 37netfilter
38no3d
39nogroups
39nonewprivs 40nonewprivs
40noroot 41noroot
42nosound
43novideo
41protocol unix,inet,inet6 44protocol unix,inet,inet6
42seccomp 45seccomp
43
44#
45# depending on your usage, you can enable some of the commands below:
46#
47nogroups
48shell none 46shell none
49# private-bin program 47
50# private-etc none
51private-dev 48private-dev
52# private-tmp 49private-tmp
50
51noexec ${HOME}
52noexec /tmp
diff --git a/etc/kwrite.profile b/etc/kwrite.profile
index 1c4d09f67..7ac881f6a 100644
--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -19,13 +19,13 @@ include /etc/firejail/disable-programs.inc
19include /etc/firejail/disable-passwdmgr.inc 19include /etc/firejail/disable-passwdmgr.inc
20 20
21caps.drop all 21caps.drop all
22netfilter
22nogroups 23nogroups
23nonewprivs 24nonewprivs
24noroot 25noroot
25#nosound - KWrite is using ALSA! 26#nosound - KWrite is using ALSA!
26protocol unix 27protocol unix
27seccomp 28seccomp
28netfilter
29shell none 29shell none
30tracelog 30tracelog
31 31
diff --git a/etc/leafpad.profile b/etc/leafpad.profile
index 5ae025d6d..fc2cc7e09 100644
--- a/etc/leafpad.profile
+++ b/etc/leafpad.profile
@@ -6,24 +6,25 @@ include /etc/firejail/globals.local
6include /etc/firejail/leafpad.local 6include /etc/firejail/leafpad.local
7 7
8noblacklist ${HOME}/.config/leafpad 8noblacklist ${HOME}/.config/leafpad
9
9include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
10include /etc/firejail/disable-programs.inc 11include /etc/firejail/disable-devel.inc
11include /etc/firejail/disable-passwdmgr.inc 12include /etc/firejail/disable-passwdmgr.inc
13include /etc/firejail/disable-programs.inc
12 14
13caps.drop all 15caps.drop all
14netfilter 16netfilter
17no3d
18nogroups
15nonewprivs 19nonewprivs
16noroot 20noroot
17protocol unix,inet,inet6 21nosound
22novideo
23protocol unix
18seccomp 24seccomp
19
20#
21# depending on your usage, you can enable some of the commands below:
22#
23nogroups
24shell none 25shell none
25# private-bin program 26
26# private-etc none 27private-dev
27# private-dev 28
28# private-tmp 29noexec ${HOME}
29nosound 30noexec /tmp
diff --git a/etc/less.profile b/etc/less.profile
index 9d4eb3fcf..f8c26879e 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -21,5 +21,6 @@ blacklist /tmp/.X11-unix
21 21
22private-dev 22private-dev
23 23
24memory-deny-write-execute
24noexec ${HOME} 25noexec ${HOME}
25noexec /tmp 26noexec /tmp
diff --git a/etc/liferea.profile b/etc/liferea.profile
index 92b3b8f88..f11137cdd 100644
--- a/etc/liferea.profile
+++ b/etc/liferea.profile
@@ -20,10 +20,28 @@ noblacklist ~/.cache/liferea
20mkdir ~/.cache/liferea 20mkdir ~/.cache/liferea
21whitelist ~/.cache/liferea 21whitelist ~/.cache/liferea
22 22
23include /etc/firejail/disable-common.inc
24include /etc/firejail/disable-devel.inc
25include /etc/firejail/disable-passwdmgr.inc
26include /etc/firejail/disable-programs.inc
23include /etc/firejail/whitelist-common.inc 27include /etc/firejail/whitelist-common.inc
24include /etc/firejail/default.profile
25 28
29caps.drop all
30#ipc-namespace
31netfilter
32#no3d
26nogroups 33nogroups
34nonewprivs
35noroot
36#nosound
37novideo
38protocol unix,inet,inet6
39seccomp
27shell none 40shell none
41
28private-dev 42private-dev
29private-tmp 43private-tmp
44disable-mnt
45
46noexec ${HOME}
47noexec /tmp
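Review bot: Replacing `include /etc/firejail/default.profile` (old line 24) with an explicit copy of its directives (new lines 23–47) means future hardening of default.profile no longer reaches liferea; that is a defensible choice for a WebKit-based application with its own needs, but it should be said in the file, e.g. `# explicit rules instead of default.profile: liferea needs a looser set (see #no3d/#nosound)`. The two disabled lines `#no3d` (32) and `#nosound` (36) carry no reason — add one (`#no3d - WebKitGTK uses GL compositing`, if that is what was observed) so the next reader does not simply enable them. `disable-mnt` and `private-tmp` look safe for a feed reader.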
diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile
index 6ee118f76..f73c83cbd 100644
--- a/etc/luminance-hdr.profile
+++ b/etc/luminance-hdr.profile
@@ -7,7 +7,9 @@ include /etc/firejail/luminance-hdr.local
7 7
8# luminance-hdr 8# luminance-hdr
9noblacklist ${HOME}/.config/Luminance 9noblacklist ${HOME}/.config/Luminance
10
10include /etc/firejail/disable-common.inc 11include /etc/firejail/disable-common.inc
12include /etc/firejail/disable-devel.inc
11include /etc/firejail/disable-programs.inc 13include /etc/firejail/disable-programs.inc
12include /etc/firejail/disable-passwdmgr.inc 14include /etc/firejail/disable-passwdmgr.inc
13 15
@@ -18,13 +20,14 @@ nogroups
18nonewprivs 20nonewprivs
19noroot 21noroot
20nosound 22nosound
23novideo
21protocol unix 24protocol unix
22seccomp 25seccomp
23shell none 26shell none
24tracelog 27tracelog
25 28
26noexec ${HOME}
27noexec /tmp
28
29private-tmp 29private-tmp
30private-dev 30private-dev
31
32noexec ${HOME}
33noexec /tmp
diff --git a/etc/lximage-qt.profile b/etc/lximage-qt.profile
index 28e674ebf..42996af04 100644
--- a/etc/lximage-qt.profile
+++ b/etc/lximage-qt.profile
@@ -6,24 +6,26 @@ include /etc/firejail/globals.local
6include /etc/firejail/lximage-qt.local 6include /etc/firejail/lximage-qt.local
7 7
8noblacklist .config/lximage-qt 8noblacklist .config/lximage-qt
9
9include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
10include /etc/firejail/disable-programs.inc 11include /etc/firejail/disable-devel.inc
11include /etc/firejail/disable-passwdmgr.inc 12include /etc/firejail/disable-passwdmgr.inc
13include /etc/firejail/disable-programs.inc
12 14
13caps.drop all 15caps.drop all
14netfilter 16netfilter
17no3d
18nogroups
15nonewprivs 19nonewprivs
16noroot 20noroot
17protocol unix,inet,inet6 21nosound
22novideo
23protocol unix
18seccomp 24seccomp
19
20#
21# depending on your usage, you can enable some of the commands below:
22#
23nogroups
24shell none 25shell none
25# private-bin program 26
26# private-etc none 27private-dev
27# private-dev 28private-tmp
28# private-tmp 29
29nosound 30noexec ${HOME}
31noexec /tmp
diff --git a/etc/lxmusic.profile b/etc/lxmusic.profile
index fd5136578..eac72c6db 100644
--- a/etc/lxmusic.profile
+++ b/etc/lxmusic.profile
@@ -7,24 +7,25 @@ include /etc/firejail/lxmusic.local
7 7
8noblacklist ~/.cache/xmms2 8noblacklist ~/.cache/xmms2
9noblacklist ~/.config/xmms2 9noblacklist ~/.config/xmms2
10
10include /etc/firejail/disable-common.inc 11include /etc/firejail/disable-common.inc
11include /etc/firejail/disable-programs.inc 12include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-passwdmgr.inc 13include /etc/firejail/disable-passwdmgr.inc
14include /etc/firejail/disable-programs.inc
13 15
14caps.drop all 16caps.drop all
15netfilter 17netfilter
18no3d
19nogroups
16nonewprivs 20nonewprivs
17noroot 21noroot
18protocol unix,inet,inet6 22novideo
23protocol unix
19seccomp 24seccomp
20
21#
22# depending on your usage, you can enable some of the commands below:
23#
24nogroups
25shell none 25shell none
26# private-bin program 26
27# private-etc none 27private-dev
28# private-dev 28private-tmp
29# private-tmp 29
30# nosound 30noexec ${HOME}
31noexec /tmp
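Review bot: `private-tmp` (new line 28) and `protocol unix` (line 23) together can break lxmusic's connection to xmms2d: the default XMMS2 IPC endpoint is a unix socket in /tmp (`/tmp/xmms-ipc-<user>`, as far as I recall), which an empty private /tmp hides when the daemon runs outside the jail, and the TCP transport that would be the fallback is now excluded by the protocol line. If lxmusic is expected to spawn its own xmms2d inside the sandbox, say so in a comment; otherwise drop `private-tmp` or document the socket path that has to be reachable. `no3d` and `novideo` are fine for a GTK front-end.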
diff --git a/etc/mate-calc.profile b/etc/mate-calc.profile
index 76593df0b..e083e8b88 100644
--- a/etc/mate-calc.profile
+++ b/etc/mate-calc.profile
@@ -6,24 +6,27 @@ include /etc/firejail/globals.local
6include /etc/firejail/mate-calc.local 6include /etc/firejail/mate-calc.local
7 7
8noblacklist ${HOME}/.config/mate-calc 8noblacklist ${HOME}/.config/mate-calc
9
9include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
10include /etc/firejail/disable-programs.inc 11include /etc/firejail/disable-devel.inc
11include /etc/firejail/disable-passwdmgr.inc 12include /etc/firejail/disable-passwdmgr.inc
13include /etc/firejail/disable-programs.inc
12 14
13caps.drop all 15caps.drop all
14netfilter 16netfilter
17no3d
18nogroups
15nonewprivs 19nonewprivs
16noroot 20noroot
17protocol unix,inet,inet6 21nosound
22novideo
23protocol unix
18seccomp 24seccomp
19
20#
21# depending on your usage, you can enable some of the commands below:
22#
23nogroups
24shell none 25shell none
25# private-bin program 26
26# private-etc none 27private-dev
27# private-dev 28private-tmp
28# private-tmp 29disable-mnt
29nosound 30
31noexec ${HOME}
32noexec /tmp
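Review bot: `protocol unix` (new line 23) drops inet for mate-calc, but mate-calc, like the gnome-calculator it was forked from, downloads currency exchange rates for its conversion mode; gnome-calculator.profile in this same commit keeps `protocol unix,inet,inet6` (its hunk header), so the two are now inconsistent and the MATE one probably fails quietly in currency mode. Unless this was verified, keep `protocol unix,inet,inet6` here with `# inet: currency exchange rate download`. `private-dev`, `private-tmp` and `disable-mnt` are fine for a calculator.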
diff --git a/etc/mate-color-select.profile b/etc/mate-color-select.profile
index 6db3dd624..74fe4bd69 100644
--- a/etc/mate-color-select.profile
+++ b/etc/mate-color-select.profile
@@ -3,27 +3,29 @@ include /etc/firejail/globals.local
3 3
4# This file is overwritten during software install. 4# This file is overwritten during software install.
5# Persistent customizations should go in a .local file. 5# Persistent customizations should go in a .local file.
6include /etc/firejail/default.local 6include /etc/firejail/mate-color-select.local
7 7
8private 8include /etc/firejail/disable-common.inc
9#include /etc/firejail/disable-common.inc 9include /etc/firejail/disable-devel.inc
10#include /etc/firejail/disable-programs.inc 10include /etc/firejail/disable-passwdmgr.inc
11#include /etc/firejail/disable-passwdmgr.inc 11include /etc/firejail/disable-programs.inc
12 12
13caps.drop all 13caps.drop all
14netfilter 14netfilter
15no3d
16nogroups
15nonewprivs 17nonewprivs
16noroot 18noroot
17protocol unix,inet,inet6 19nosound
20novideo
21protocol unix
18seccomp 22seccomp
19
20#
21# depending on your usage, you can enable some of the commands below:
22#
23nogroups
24shell none 23shell none
25# private-bin program 24
26# private-etc none 25private
27# private-dev 26private-dev
28# private-tmp 27private-tmp
29nosound 28disable-mnt
29
30noexec ${HOME}
31noexec /tmp
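Review bot: The commit message should call out line 6, where `include /etc/firejail/default.local` becomes `include /etc/firejail/mate-color-select.local`: the profile was pulling in the global override file instead of its own, so this is a behaviour change for anyone who has a default.local, not just a hardening tweak. `private` (new line 25) fits a stateless colour picker. As in the other profiles in this commit, `netfilter` (line 14) has no effect once `protocol unix` (line 21) removes inet; `net none` would express the intent.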
diff --git a/etc/mate-dictionary.profile b/etc/mate-dictionary.profile
index fc4c1c425..4fe0795d2 100644
--- a/etc/mate-dictionary.profile
+++ b/etc/mate-dictionary.profile
@@ -6,24 +6,27 @@ include /etc/firejail/globals.local
6include /etc/firejail/mate-dictionary.local 6include /etc/firejail/mate-dictionary.local
7 7
8noblacklist ${HOME}/.config/mate/mate-dictionary 8noblacklist ${HOME}/.config/mate/mate-dictionary
9
9include /etc/firejail/disable-common.inc 10include /etc/firejail/disable-common.inc
10include /etc/firejail/disable-programs.inc 11include /etc/firejail/disable-devel.inc
11include /etc/firejail/disable-passwdmgr.inc 12include /etc/firejail/disable-passwdmgr.inc
13include /etc/firejail/disable-programs.inc
12 14
13caps.drop all 15caps.drop all
14netfilter 16netfilter
17no3d
18nogroups
15nonewprivs 19nonewprivs
16noroot 20noroot
21nosound
22novideo
17protocol unix,inet,inet6 23protocol unix,inet,inet6
18seccomp 24seccomp
19
20#
21# depending on your usage, you can enable some of the commands below:
22#
23nogroups
24shell none 25shell none
25# private-bin program 26
26# private-etc none 27private-dev
27# private-dev 28private-tmp
28# private-tmp 29disable-mnt
29nosound 30
31noexec ${HOME}
32noexec /tmp
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile
index 59cb080d3..8758d66b9 100644
--- a/etc/mediainfo.profile
+++ b/etc/mediainfo.profile
@@ -12,15 +12,14 @@ include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-passwdmgr.inc 12include /etc/firejail/disable-passwdmgr.inc
13 13
14caps.drop all 14caps.drop all
15nogroups 15net none
16nonewprivs 16nonewprivs
17nogroups
17noroot 18noroot
18nosound 19nosound
19no3d 20no3d
20protocol unix 21protocol unix
21seccomp 22seccomp
22netfilter
23net none
24shell none 23shell none
25tracelog 24tracelog
26 25
diff --git a/etc/meld.profile b/etc/meld.profile
index bc4cd8356..503f6d07c 100644
--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -16,7 +16,6 @@ include /etc/firejail/disable-programs.inc
16caps.drop all 16caps.drop all
17#ipc-namespace 17#ipc-namespace
18net none 18net none
19netfilter
20no3d 19no3d
21nogroups 20nogroups
22nonewprivs 21nonewprivs
diff --git a/etc/mumble.profile b/etc/mumble.profile
index 7303ac65a..a2104957d 100644
--- a/etc/mumble.profile
+++ b/etc/mumble.profile
@@ -35,5 +35,6 @@ private-bin mumble
35private-tmp 35private-tmp
36disable-mnt 36disable-mnt
37 37
38memory-deny-write-execute
38noexec ${HOME} 39noexec ${HOME}
39noexec /tmp 40noexec /tmp
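Review bot: `memory-deny-write-execute` (new line 38) is riskier for mumble than for the other profiles it is added to in this commit: mumble is a Qt/OpenGL application that also loads audio and positional-audio plugins, any of which may need a writable-executable mapping through a driver or loader. Please confirm it was started and joined a server under this option, and leave a note such as `# mdwe: tested with Qt 5.x / <driver>` next to it; otherwise comment it out rather than ship a profile that may fail at launch. The rest of the profile is outside this hunk.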
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index e6652e688..ca61edfdd 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -12,14 +12,13 @@ include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-passwdmgr.inc 12include /etc/firejail/disable-passwdmgr.inc
13 13
14caps.drop all 14caps.drop all
15net none
15nogroups 16nogroups
16nonewprivs 17nonewprivs
17noroot 18noroot
18nosound 19nosound
19protocol unix 20protocol unix
20seccomp 21seccomp
21netfilter
22net none
23shell none 22shell none
24tracelog 23tracelog
25 24
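diff --git a/etc/nautilus.profile b/etc/nautilus.profile
index ef3203eb5..4f2f50d9f 100644
--- a/etc/nautilus.profile
+++ b/etc/nautilus.profile
@@ -22,12 +22,12 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+netfilter
 nogroups
 nonewprivs
 noroot
 protocol unix
 seccomp
-netfilter
 shell none
 tracelog
 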
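diff --git a/etc/nemo.profile b/etc/nemo.profile
index 1d9124d19..5e6f4936f 100644
--- a/etc/nemo.profile
+++ b/etc/nemo.profile
@@ -16,18 +16,15 @@ include /etc/firejail/disable-devel.inc
 
 caps.drop all
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
+nosound
+novideo
 protocol unix,inet,inet6
 seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
 shell none
-# private-bin program
-# private-etc none
-# private-dev
-# private-tmp
-# nosound
+
+noexec ${HOME}
+noexec /tmp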
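Review bot: `noexec ${HOME}` and `noexec /tmp` on a file manager deserve a comment in the profile, because nemo's own "run" action on scripts and binaries under the home directory will now fail, and the mount flag does not stop anything opened through an interpreter (`sh script.sh`, `python x.py`), so it is a partial measure rather than a complete one. The profile also keeps `netfilter` together with `protocol unix,inet,inet6`, whereas pcmanfm in this same change gets `net none`; if network-share browsing is the reason, a line such as `# net none - breaks network shares` would record that decision for the next maintainer.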
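diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile
index abec7dde2..8cfadd9ac 100644
--- a/etc/odt2txt.profile
+++ b/etc/odt2txt.profile
@@ -12,14 +12,13 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+net none
 nogroups
 nonewprivs
 noroot
 nosound
 protocol unix
 seccomp
-netfilter
-net none
 no3d
 shell none
 tracelog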
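diff --git a/etc/okular.profile b/etc/okular.profile
index 982f524fa..578f01915 100644
--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -35,3 +35,6 @@ tracelog
 # private-etc fonts,X11
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp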
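diff --git a/etc/openshot.profile b/etc/openshot.profile
index bc4ccc46a..25c803512 100644
--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -8,13 +8,23 @@ include /etc/firejail/openshot.local
 # OpenShot profile
 noblacklist ${HOME}/.openshot
 noblacklist ${HOME}/.openshot_qt
+
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp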
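diff --git a/etc/orage.profile b/etc/orage.profile
index ea577f873..c9977d002 100644
--- a/etc/orage.profile
+++ b/etc/orage.profile
@@ -7,24 +7,27 @@ include /etc/firejail/orage.local
 
 noblacklist ${HOME}/.config/orage
 noblacklist ${HOME}/.local/share/orage
+
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
-protocol unix,inet,inet6
+nosound
+novideo
+protocol unix
 seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
 shell none
-# private-bin program
-# private-etc none
+
 private-dev
-# private-tmp
+private-tmp
+disable-mnt
 
+noexec ${HOME}
+noexec /tmp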
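Review bot: `protocol unix` (new line 24) now rejects AF_INET/AF_INET6 sockets through seccomp, which turns the retained `netfilter` on line 17 into a no-op and leaves the profile's intent ambiguous. If orage genuinely needs no network, `net none` — the choice pcmanfm gets in this same change — is both clearer and stronger, since it also takes away loopback access to local services; if it does need network (remote calendar fetching, say), the new `protocol unix` will break it with an opaque socket error. The same `protocol unix` + `netfilter` pairing appears in qlipper, ristretto and xfce4-notes here, so a one-line comment stating which case was tested, or switching to `net none`, would help in all four.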
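diff --git a/etc/pcmanfm.profile b/etc/pcmanfm.profile
index 68d002f2d..654904f17 100644
--- a/etc/pcmanfm.profile
+++ b/etc/pcmanfm.profile
@@ -15,21 +15,13 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-netfilter
-nogroups
+net none
+no3d
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
 tracelog
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-# private-bin program
-# private-etc none
-# private-dev
-# private-tmp
-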
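Review bot: `nogroups` is dropped from pcmanfm.profile — old line 19 is replaced by `no3d` and never re-added — so the sandboxed process keeps its supplementary groups, which is a regression against the "Harden profiles" goal and inconsistent with the other profiles in this change that add `nogroups`. Unless group membership is known to be needed here (removable-media access through a `plugdev`-style group would be the usual reason), re-add `nogroups` after `no3d`; if it is needed, keep it as `#nogroups - <reason>` so the omission is visibly deliberate.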
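diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
index b46ac9294..2465be252 100644
--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -20,7 +20,6 @@ include /etc/firejail/disable-devel.inc
 caps.drop all
 #ipc-namespace
 net none
-netfilter
 no3d
 nogroups
 nonewprivs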
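diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile
index a6b2b2f78..e5dab840f 100644
--- a/etc/pdftotext.profile
+++ b/etc/pdftotext.profile
@@ -12,14 +12,13 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+net none
 nogroups
 nonewprivs
 noroot
 nosound
 protocol unix
 seccomp
-netfilter
-net none
 no3d
 shell none
 tracelog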
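diff --git a/etc/peek.profile b/etc/peek.profile
index bac3e0a99..811eb701b 100644
--- a/etc/peek.profile
+++ b/etc/peek.profile
@@ -29,5 +29,6 @@ shell none
 private-dev
 private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp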
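diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile
index e3ffad9a1..9500731fe 100644
--- a/etc/psi-plus.profile
+++ b/etc/psi-plus.profile
@@ -8,7 +8,9 @@ include /etc/firejail/psi-plus.local
 # Firejail profile for Psi+
 noblacklist ${HOME}/.config/psi+
 noblacklist ${HOME}/.local/share/psi+
+
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
@@ -20,10 +22,22 @@ whitelist ~/.local/share/psi+
 mkdir ~/.cache/psi+
 whitelist ~/.cache/psi+
 
+include /etc/firejail/whitelist-common.inc
+
 caps.drop all
 netfilter
+no3d
+nogroups
+nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 seccomp
+shell none
 
-include /etc/firejail/whitelist-common.inc
+private-dev
+private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp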
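Review bot: `novideo` (new line 33) will take the webcam away from a messenger that, as far as I know, supports audio/video calls, and nothing in the profile says so; since the profile deliberately keeps `protocol unix,inet,inet6` and `netfilter` for the chat traffic, the video device is the one piece a user may reasonably expect to work. Suggest `# novideo - comment out if you use video calls` on the line above it, so the knob is discoverable. The remaining additions — `nonewprivs` (which was missing), `private-dev`, `disable-mnt`, `noexec` — are a straightforward tightening.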
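diff --git a/etc/qemu-launcher.profile b/etc/qemu-launcher.profile
index bc92e50ea..f6458de86 100644
--- a/etc/qemu-launcher.profile
+++ b/etc/qemu-launcher.profile
@@ -23,3 +23,5 @@ shell none
 tracelog
 
 private-tmp
+
+noexec /tmp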
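diff --git a/etc/qemu-system-x86_64.profile b/etc/qemu-system-x86_64.profile
index 907de5e8f..fdfd7ab72 100644
--- a/etc/qemu-system-x86_64.profile
+++ b/etc/qemu-system-x86_64.profile
@@ -21,3 +21,5 @@ shell none
 tracelog
 
 private-tmp
+
+noexec /tmp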
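diff --git a/etc/qlipper.profile b/etc/qlipper.profile
index a5ef53112..d57856c1a 100644
--- a/etc/qlipper.profile
+++ b/etc/qlipper.profile
@@ -6,26 +6,27 @@ include /etc/firejail/globals.local
 include /etc/firejail/qlipper.local
 
 noblacklist ${HOME}/.config/Qlipper
+
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
-protocol unix,inet,inet6
+nosound
+novideo
+protocol unix
 seccomp
+shell none
 
+private-dev
+private-tmp
+disable-mnt
 
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
-shell none
-# private-bin program
-# private-etc none
-# private-dev
-# private-tmp
-nosound
+noexec ${HOME}
+noexec /tmp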
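diff --git a/etc/quiterss.profile b/etc/quiterss.profile
index c8112f064..aa17693cd 100644
--- a/etc/quiterss.profile
+++ b/etc/quiterss.profile
@@ -42,3 +42,6 @@ private-dev
 disable-mnt
 
 include /etc/firejail/whitelist-common.inc
+
+noexec ${HOME}
+noexec /tmp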
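diff --git a/etc/ranger.profile b/etc/ranger.profile
index 7103f821d..ab0545aaf 100644
--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -18,7 +18,6 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-netfilter
 net none
 nogroups
 nonewprivs
@@ -27,5 +26,4 @@ protocol unix
 seccomp
 nosound
 
-private-tmp
 private-dev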
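Review bot: The second hunk removes `private-tmp` with no stated reason, which is a loosening — the real /tmp, with other processes' sockets and files, becomes visible to ranger again — and a bare deletion in a PR titled "Harden profiles" will be re-added by the next person touching this file. Follow the convention ssh.profile already uses (`#private-tmp #Breaks when exiting`) and keep it as `#private-tmp - <what breaks>` so the trade-off is recorded. The first hunk's removal of `netfilter` is fine, since `net none` makes it a no-op.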
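diff --git a/etc/ristretto.profile b/etc/ristretto.profile
index ca4b1a64d..3d3491658 100644
--- a/etc/ristretto.profile
+++ b/etc/ristretto.profile
@@ -10,22 +10,24 @@ noblacklist ~/.Steam
 noblacklist ~/.steam
 
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
-protocol unix,inet,inet6
+nosound
+novideo
+protocol unix
 seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
 shell none
-# private-bin program
-# private-etc none
+
 private-dev
-# private-tmp
+private-tmp
+
+noexec ${HOME}
+noexec /tmp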
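diff --git a/etc/skype.profile b/etc/skype.profile
index 8b97c7152..7c7a4eb17 100644
--- a/etc/skype.profile
+++ b/etc/skype.profile
@@ -7,17 +7,22 @@ include /etc/firejail/skype.local
 
 # Skype profile
 noblacklist ${HOME}/.Skype
+
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
 
+private-dev
 private-tmp
 disable-mnt
 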
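Review bot: The added `include /etc/firejail/disable-devel.inc` (new line 12) duplicates the existing include on line 14, so the second copy is dead; given that every sibling profile in this change carries `disable-passwdmgr.inc` and skype.profile is the one that lacks it, this looks like a copy slip and the intended line is `include /etc/firejail/disable-passwdmgr.inc`. A duplicate include is harmless at runtime, but the missing password-manager blacklist leaves more of ${HOME} readable to a proprietary network client than the rest of this PR allows. Suggested: replace the new line 12 with `include /etc/firejail/disable-passwdmgr.inc`.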
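diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile
index 71bc1b9a6..a2f693945 100644
--- a/etc/skypeforlinux.profile
+++ b/etc/skypeforlinux.profile
@@ -7,16 +7,22 @@ include /etc/firejail/skypeforlinux.local
 
 # skypeforlinux profile
 noblacklist ${HOME}/.config/skypeforlinux
+
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+nogroups
+nonewprivs
 noroot
-seccomp
 protocol unix,inet,inet6,netlink
+seccomp
+shell none
 
+private-dev
 private-tmp
 disable-mnt
 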
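diff --git a/etc/ssh.profile b/etc/ssh.profile
index e592841a1..466abdc88 100644
--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -31,5 +31,6 @@ tracelog
 private-dev
 #private-tmp #Breaks when exiting
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp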
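Review bot: `memory-deny-write-execute` is inherited by everything ssh spawns — `ProxyCommand`/`LocalCommand` helpers, askpass programs — and applies to libraries it loads at runtime such as PKCS#11 providers and GSSAPI mechanisms; any of them that maps writable+executable memory is killed with SIGSYS instead of reporting an error, which is hard to diagnose from a hung connection. The ssh binary itself should be unaffected, so this is a documentation request: a line such as `# memory-deny-write-execute - helpers run via ProxyCommand inherit this; comment out if they die with SIGSYS` next to the new line would save the first user who hits it an afternoon.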
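diff --git a/etc/strings.profile b/etc/strings.profile
index af49feb04..a83e3a801 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -18,3 +18,5 @@ shell none
 tracelog
 private-dev
 blacklist /tmp/.X11-unix
+
+memory-deny-write-execute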
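diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile
index ffabdef76..bcb42f624 100644
--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -8,19 +8,25 @@ include /etc/firejail/synfigstudio.local
 # synfigstudio
 noblacklist ${HOME}/.config/synfig
 noblacklist ${HOME}/.synfig
+
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
+nosound
+novideo
 protocol unix
 seccomp
-
-noexec ${HOME}
-noexec /tmp
+shell none
 
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp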
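Review bot: `nosound` (new line 22) is added to an animation editor that, as far as I recall, can attach audio to a project for synchronised preview; if that feature is in use it will go silent with no error, and the user has nothing in the profile pointing at the cause. Either confirm audio preview was tested, or annotate it — `# nosound - comment out if you use audio in your animations` — so the knob is findable. `novideo` and the move of the two `noexec` lines to the end of the file are fine.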
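diff --git a/etc/tracker.profile b/etc/tracker.profile
index f2c91be86..b87bebf43 100644
--- a/etc/tracker.profile
+++ b/etc/tracker.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+netfilter
 nogroups
 nonewprivs
 noroot
@@ -22,7 +23,6 @@ nosound
 no3d
 protocol unix
 seccomp
-netfilter
 shell none
 tracelog
 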
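diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile
index 0502bbfb4..5b7e6e7c8 100644
--- a/etc/transmission-cli.profile
+++ b/etc/transmission-cli.profile
@@ -28,3 +28,5 @@ tracelog
 private-tmp
 private-dev
 private-etc none
+
+memory-deny-write-execute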
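diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index 84d01179c..7f85aa69c 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -34,3 +34,5 @@ tracelog
 private-bin transmission-gtk
 private-dev
 private-tmp
+
+memory-deny-write-execute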
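diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile
index 8d1e1eac2..743f9ff4f 100644
--- a/etc/transmission-show.profile
+++ b/etc/transmission-show.profile
@@ -15,7 +15,6 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-netfilter
 net none
 nonewprivs
 noroot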
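diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile
index 25d78439d..fab620499 100644
--- a/etc/vivaldi.profile
+++ b/etc/vivaldi.profile
@@ -14,7 +14,6 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 
-netfilter
 
 whitelist ${DOWNLOADS}
 mkdir ~/.config/vivaldi
@@ -22,3 +21,16 @@ whitelist ~/.config/vivaldi
 mkdir ~/.cache/vivaldi
 whitelist ~/.cache/vivaldi
 include /etc/firejail/whitelist-common.inc
+
+caps.keep sys_chroot,sys_admin
+#ipc-namespace
+netfilter
+nogroups
+shell none
+
+private-dev
+#private-tmp - problems with multiple browser sessions
+#disable-mnt
+
+noexec ${HOME}
+noexec /tmp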
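Review bot: `caps.keep sys_chroot,sys_admin` (new line 25) deliberately leaves CAP_SYS_ADMIN — the broadest capability there is, covering mount, namespace and a long tail of root-equivalent operations — in the bounding set, and nothing in the profile says why; presumably it is for the Chromium-derived setuid sandbox helper, but without a comment it will be copied into other profiles as boilerplate. Suggest a line above it such as `# caps.keep sys_chroot,sys_admin - needed by the browser's setuid sandbox helper; on kernels with unprivileged user namespaces try caps.drop all`, so the widening is visibly justified and has an exit path. `#ipc-namespace` and `#disable-mnt` are left commented with no reason, unlike `#private-tmp` on the next line, which does carry one — please do the same for those two.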
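diff --git a/etc/vlc.profile b/etc/vlc.profile
index b36e844ff..34f4aa5ff 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -27,5 +27,6 @@ private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
 private-dev
 private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp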
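Review bot: `memory-deny-write-execute` refuses writable+executable mappings via seccomp, and VLC loads its decoder, video-output and hardware-acceleration modules at runtime, so a module (or a GPU driver stack that JIT-compiles shaders underneath it) that needs W+X memory will be killed with SIGSYS mid-playback rather than falling back cleanly. That is a reasonable trade for a media player that parses hostile input, but it needs to be recorded: add `# memory-deny-write-execute - comment out if playback dies with SIGSYS on your video output / GPU driver` above the new line, and note which outputs were tested in the PR.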
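diff --git a/etc/vym.profile b/etc/vym.profile
index 4139ea901..d3058fa64 100644
--- a/etc/vym.profile
+++ b/etc/vym.profile
@@ -6,25 +6,27 @@ include /etc/firejail/globals.local
 include /etc/firejail/vym.local
 
 noblacklist ./.config/InSilmaril
+
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
-# no network connectivity
+nosound
+novideo
 protocol unix
 seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
 shell none
-# private-bin vym
-# private-etc none
+
 private-dev
 private-tmp
-nosound
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp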
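Review bot: The untouched context line `noblacklist ./.config/InSilmaril` (line 8) uses a relative path where every other profile in this change uses `${HOME}/...`, so it only matches when the sandbox's working directory happens to be the home directory; anywhere else the exemption is ineffective and, if disable-programs.inc blacklists that directory (I cannot see it from here), the hardening added below is being tested against an already-broken config path. While this file is being reworked, change it to `noblacklist ${HOME}/.config/InSilmaril`. The removal of the stale `# no network connectivity` comment is fine since `protocol unix` remains.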
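diff --git a/etc/xfburn.profile b/etc/xfburn.profile
index 7a6d620cf..7bfeba2b1 100644
--- a/etc/xfburn.profile
+++ b/etc/xfburn.profile
@@ -14,13 +14,13 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+netfilter
 nogroups
 nonewprivs
 noroot
 nosound
 protocol unix
 seccomp
-netfilter
 shell none
 tracelog
 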
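diff --git a/etc/xfce4-dict.profile b/etc/xfce4-dict.profile
index 4e466352d..08ae17a55 100644
--- a/etc/xfce4-dict.profile
+++ b/etc/xfce4-dict.profile
@@ -6,24 +6,27 @@ include /etc/firejail/globals.local
 include /etc/firejail/xfce4-dict.local
 
 noblacklist ${HOME}/.config/xfce4-dict
+
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
+nosound
+novideo
 protocol unix,inet,inet6
 seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
 shell none
-# private-bin program
-# private-etc none
+
 private-dev
-# private-tmp
+private-tmp
+disable-mnt
 
+noexec ${HOME}
+noexec /tmp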
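diff --git a/etc/xfce4-notes.profile b/etc/xfce4-notes.profile
index 737bb0a23..e3215d6ea 100644
--- a/etc/xfce4-notes.profile
+++ b/etc/xfce4-notes.profile
@@ -8,23 +8,27 @@ include /etc/firejail/xfce4-notes.local
 noblacklist ${HOME}/.config/xfce4/xfce4-notes.rc
 noblacklist ${HOME}/.config/xfce4/xfce4-notes.gtkrc
 noblacklist ${HOME}/.local/share/notes
+
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
-protocol unix,inet,inet6
+nosound
+novideo
+protocol unix
 seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
 shell none
-# private-bin program
-# private-etc none
+
 private-dev
-# private-tmp
+private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp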
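diff --git a/etc/xonotic.profile b/etc/xonotic.profile
index 611c7b379..957636124 100644
--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -30,6 +30,7 @@ netfilter
 nogroups
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none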
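diff --git a/etc/xpdf.profile b/etc/xpdf.profile
index 5b3018ce8..ce8cd2459 100644
--- a/etc/xpdf.profile
+++ b/etc/xpdf.profile
@@ -9,17 +9,26 @@ include /etc/firejail/xpdf.local
 # xpdf application profile
 ################################
 noblacklist ${HOME}/.xpdfrc
+
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
+no3d
+nogroups
 nonewprivs
 noroot
+nosound
+novideo
 protocol unix
-shell none
 seccomp
+shell none
 
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp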
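diff --git a/etc/xpra.profile b/etc/xpra.profile
index a41ee2613..c8bb3ef52 100644
--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -23,7 +23,6 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 # xpra needs to be allowed access to the abstract Unix socket namespace.
-#net none
 nogroups
 nonewprivs
 # In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix.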
diff --git a/etc/zathura.profile b/etc/zathura.profile
index 18afe3bfa..502e066c8 100644
--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -14,7 +14,6 @@ include /etc/firejail/disable-devel.inc
14include /etc/firejail/disable-passwdmgr.inc 14include /etc/firejail/disable-passwdmgr.inc
15 15
16caps.drop all 16caps.drop all
17netfilter
18net none 17net none
19nogroups 18nogroups
20nonewprivs 19nonewprivs