various little profile fixes and enhancements (#1442)

* add novideo * add novideo * add novideo * put noexec last * blacklist Clementine configuration and database * blacklist Clementine configuration and database * add novideo * add novideo, permit access to ~/.java * add novideo * spoof machine-id * mimeapps.list is already in whitelist-common.inc * ~/.local/share/applications is already read-only see disable-common.inc * mimeapps.list is already in whitelist-common.inc * ~/.local/share/applications is already read-only see disable-common.inc * drop machine-id option private-etc hides it anyway
author: smitsohu <smitsohu@gmail.com> 2017-08-08 21:31:50 +0200
committer: Fred Barclay <Fred-Barclay@users.noreply.github.com> 2017-08-08 14:31:50 -0500
commit: 40a51e179d90f54a20c539567adeed1ea0b94d78 (patch)
tree: 48f41f500a4a4cbdd1744365919dd0c2dc99931a
parent: Merges (diff)
download: firejail-40a51e179d90f54a20c539567adeed1ea0b94d78.tar.gz
firejail-40a51e179d90f54a20c539567adeed1ea0b94d78.tar.zst
firejail-40a51e179d90f54a20c539567adeed1ea0b94d78.zip
11 files changed, 11 insertions, 6 deletions
diff --git a/etc/ark.profile b/etc/ark.profile
index 7c8574973..4884b4a0f 100644
--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -18,6 +18,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/audacious.profile b/etc/audacious.profile
index 15bf6c013..0300f6777 100644
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -17,6 +17,7 @@ caps.drop all
 netfilter
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile
index 9c2909b0f..66c552dd6 100644
--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -36,6 +36,6 @@ noexec /tmp
 # Make home directory read-only and allow writing only to ~/.local/share
 # Note: Baloo will not be able to update the "first run" key in its configuration files.
-# noexec     ${HOME}/.local/share
 # read-only  ${HOME}
 # read-write ${HOME}/.local/share
+# noexec     ${HOME}/.local/share
diff --git a/etc/clementine.profile b/etc/clementine.profile
index 13a14af3b..adcf9414a 100644
--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -5,6 +5,7 @@ include /etc/firejail/clementine.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+noblacklist ~/.config/Clementine
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index c67a0b378..0868fa10b 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -32,6 +32,7 @@ blacklist ${HOME}/.config/akregatorrc
 blacklist ${HOME}/.config/Atom
 blacklist ${HOME}/.config/Audaciousrc
 blacklist ${HOME}/.config/Brackets
+blacklist ${HOME}/.config/Clementine
 blacklist ${HOME}/.config/Cryptocat
 blacklist ${HOME}/.config/Franz
 blacklist ${HOME}/.config/Gitter
diff --git a/etc/geary.profile b/etc/geary.profile
index 3f9faf058..353d00124 100644
--- a/etc/geary.profile
+++ b/etc/geary.profile
@@ -13,7 +13,6 @@ noblacklist ~/.local/share/geary
 mkdir ~/.gnupg
 mkdir ~/.local/share/geary
-whitelist ~/.config/mimeapps.list
 whitelist ~/.gnupg
 whitelist ~/.local/share/applications
 whitelist ~/.local/share/geary
@@ -22,7 +21,6 @@ include /etc/firejail/whitelist-common.inc
 ignore private-tmp
 read-only ~/.config/mimeapps.list
-read-only ~/.local/share/applications
 # allow browsers
 include /etc/firejail/firefox.profile
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
index 0f2be604b..0bc47d301 100644
--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -23,6 +23,7 @@ caps.drop all
 nogroups
 nonewprivs
 noroot
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/mediathekview.profile b/etc/mediathekview.profile
index 5e980909b..bebe95a72 100644
--- a/etc/mediathekview.profile
+++ b/etc/mediathekview.profile
@@ -6,6 +6,7 @@ include /etc/firejail/mediathekview.local
 include /etc/firejail/globals.local
 noblacklist ~/.config/vlc
+noblacklist ~/.java
 noblacklist ~/.mediathek3
 include /etc/firejail/disable-common.inc
@@ -17,6 +18,7 @@ caps.drop all
 netfilter
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 seccomp
 tracelog
diff --git a/etc/okular.profile b/etc/okular.profile
index 331b625b8..cf747417c 100644
--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -26,6 +26,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/scribus.profile b/etc/scribus.profile
index 7e117dcd1..2ccb5126b 100644
--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -5,7 +5,7 @@ include /etc/firejail/scribus.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-# Support for PDF readers (Scribus 1.5 and higher)
+# Support for PDF readers comes with Scribus 1.5 and higher
 noblacklist ~/.config/okularpartrc
 noblacklist ~/.config/okularrc
 noblacklist ~/.config/scribus
@@ -30,6 +30,7 @@ caps.drop all
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 tracelog
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
index d3b7ee871..c3dc0366b 100644
--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -18,7 +18,6 @@ mkdir ~/.gnupg
 mkdir ~/.icedove
 mkdir ~/.thunderbird
 whitelist ~/.cache/thunderbird
-whitelist ~/.config/mimeapps.list
 whitelist ~/.gnupg
 whitelist ~/.icedove
 whitelist ~/.local/share/applications
@@ -28,7 +27,6 @@ include /etc/firejail/whitelist-common.inc
 ignore private-tmp
 read-only ~/.config/mimeapps.list
-read-only ~/.local/share/applications
 # allow browsers
 include /etc/firejail/firefox.profile
author	smitsohu <smitsohu@gmail.com>	2017-08-08 21:31:50 +0200
committer	Fred Barclay <Fred-Barclay@users.noreply.github.com>	2017-08-08 14:31:50 -0500
commit	40a51e179d90f54a20c539567adeed1ea0b94d78 (patch)
tree	48f41f500a4a4cbdd1744365919dd0c2dc99931a
parent	Merges (diff)
download	firejail-40a51e179d90f54a20c539567adeed1ea0b94d78.tar.gz firejail-40a51e179d90f54a20c539567adeed1ea0b94d78.tar.zst firejail-40a51e179d90f54a20c539567adeed1ea0b94d78.zip

diff --git a/etc/ark.profile b/etc/ark.profile index 7c8574973..4884b4a0f 100644 --- a/etc/ark.profile +++ b/etc/ark.profile
@@ -18,6 +18,7 @@ nogroups
18	nonewprivs	18	nonewprivs
19	noroot	19	noroot
20	nosound	20	nosound
		21	novideo
21	protocol unix	22	protocol unix
22	seccomp	23	seccomp
23	shell none	24	shell none


diff --git a/etc/audacious.profile b/etc/audacious.profile index 15bf6c013..0300f6777 100644 --- a/etc/audacious.profile +++ b/etc/audacious.profile
@@ -17,6 +17,7 @@ caps.drop all
17	netfilter	17	netfilter
18	nonewprivs	18	nonewprivs
19	noroot	19	noroot
		20	novideo
20	protocol unix,inet,inet6	21	protocol unix,inet,inet6
21	seccomp	22	seccomp
22	shell none	23	shell none


diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile index 9c2909b0f..66c552dd6 100644 --- a/etc/baloo_file.profile +++ b/etc/baloo_file.profile
@@ -36,6 +36,6 @@ noexec /tmp
36		36
37	# Make home directory read-only and allow writing only to ~/.local/share	37	# Make home directory read-only and allow writing only to ~/.local/share
38	# Note: Baloo will not be able to update the "first run" key in its configuration files.	38	# Note: Baloo will not be able to update the "first run" key in its configuration files.
39	# noexec ${HOME}/.local/share
40	# read-only ${HOME}	39	# read-only ${HOME}
41	# read-write ${HOME}/.local/share	40	# read-write ${HOME}/.local/share
		41	# noexec ${HOME}/.local/share


diff --git a/etc/clementine.profile b/etc/clementine.profile index 13a14af3b..adcf9414a 100644 --- a/etc/clementine.profile +++ b/etc/clementine.profile
@@ -5,6 +5,7 @@ include /etc/firejail/clementine.local
5	# Persistent global definitions	5	# Persistent global definitions
6	include /etc/firejail/globals.local	6	include /etc/firejail/globals.local
7		7
		8	noblacklist ~/.config/Clementine
8		9
9	include /etc/firejail/disable-common.inc	10	include /etc/firejail/disable-common.inc
10	include /etc/firejail/disable-devel.inc	11	include /etc/firejail/disable-devel.inc


diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index c67a0b378..0868fa10b 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc
@@ -32,6 +32,7 @@ blacklist ${HOME}/.config/akregatorrc
32	blacklist ${HOME}/.config/Atom	32	blacklist ${HOME}/.config/Atom
33	blacklist ${HOME}/.config/Audaciousrc	33	blacklist ${HOME}/.config/Audaciousrc
34	blacklist ${HOME}/.config/Brackets	34	blacklist ${HOME}/.config/Brackets
		35	blacklist ${HOME}/.config/Clementine
35	blacklist ${HOME}/.config/Cryptocat	36	blacklist ${HOME}/.config/Cryptocat
36	blacklist ${HOME}/.config/Franz	37	blacklist ${HOME}/.config/Franz
37	blacklist ${HOME}/.config/Gitter	38	blacklist ${HOME}/.config/Gitter


diff --git a/etc/geary.profile b/etc/geary.profile index 3f9faf058..353d00124 100644 --- a/etc/geary.profile +++ b/etc/geary.profile
@@ -13,7 +13,6 @@ noblacklist ~/.local/share/geary
13		13
14	mkdir ~/.gnupg	14	mkdir ~/.gnupg
15	mkdir ~/.local/share/geary	15	mkdir ~/.local/share/geary
16	whitelist ~/.config/mimeapps.list
17	whitelist ~/.gnupg	16	whitelist ~/.gnupg
18	whitelist ~/.local/share/applications	17	whitelist ~/.local/share/applications
19	whitelist ~/.local/share/geary	18	whitelist ~/.local/share/geary
@@ -22,7 +21,6 @@ include /etc/firejail/whitelist-common.inc
22	ignore private-tmp	21	ignore private-tmp
23		22
24	read-only ~/.config/mimeapps.list	23	read-only ~/.config/mimeapps.list
25	read-only ~/.local/share/applications
26		24
27	# allow browsers	25	# allow browsers
28	include /etc/firejail/firefox.profile	26	include /etc/firejail/firefox.profile


diff --git a/etc/gwenview.profile b/etc/gwenview.profile index 0f2be604b..0bc47d301 100644 --- a/etc/gwenview.profile +++ b/etc/gwenview.profile
@@ -23,6 +23,7 @@ caps.drop all
23	nogroups	23	nogroups
24	nonewprivs	24	nonewprivs
25	noroot	25	noroot
		26	novideo
26	protocol unix	27	protocol unix
27	seccomp	28	seccomp
28	shell none	29	shell none


diff --git a/etc/mediathekview.profile b/etc/mediathekview.profile index 5e980909b..bebe95a72 100644 --- a/etc/mediathekview.profile +++ b/etc/mediathekview.profile
@@ -6,6 +6,7 @@ include /etc/firejail/mediathekview.local
6	include /etc/firejail/globals.local	6	include /etc/firejail/globals.local
7		7
8	noblacklist ~/.config/vlc	8	noblacklist ~/.config/vlc
		9	noblacklist ~/.java
9	noblacklist ~/.mediathek3	10	noblacklist ~/.mediathek3
10		11
11	include /etc/firejail/disable-common.inc	12	include /etc/firejail/disable-common.inc
@@ -17,6 +18,7 @@ caps.drop all
17	netfilter	18	netfilter
18	nonewprivs	19	nonewprivs
19	noroot	20	noroot
		21	novideo
20	protocol unix,inet,inet6	22	protocol unix,inet,inet6
21	seccomp	23	seccomp
22	tracelog	24	tracelog


diff --git a/etc/okular.profile b/etc/okular.profile index 331b625b8..cf747417c 100644 --- a/etc/okular.profile +++ b/etc/okular.profile
@@ -26,6 +26,7 @@ nogroups
26	nonewprivs	26	nonewprivs
27	noroot	27	noroot
28	nosound	28	nosound
		29	novideo
29	protocol unix	30	protocol unix
30	seccomp	31	seccomp
31	shell none	32	shell none


diff --git a/etc/scribus.profile b/etc/scribus.profile index 7e117dcd1..2ccb5126b 100644 --- a/etc/scribus.profile +++ b/etc/scribus.profile
@@ -5,7 +5,7 @@ include /etc/firejail/scribus.local
5	# Persistent global definitions	5	# Persistent global definitions
6	include /etc/firejail/globals.local	6	include /etc/firejail/globals.local
7		7
8	# Support for PDF readers (Scribus 1.5 and higher)	8	# Support for PDF readers comes with Scribus 1.5 and higher
9	noblacklist ~/.config/okularpartrc	9	noblacklist ~/.config/okularpartrc
10	noblacklist ~/.config/okularrc	10	noblacklist ~/.config/okularrc
11	noblacklist ~/.config/scribus	11	noblacklist ~/.config/scribus
@@ -30,6 +30,7 @@ caps.drop all
30	nonewprivs	30	nonewprivs
31	noroot	31	noroot
32	nosound	32	nosound
		33	novideo
33	protocol unix	34	protocol unix
34	seccomp	35	seccomp
35	tracelog	36	tracelog


diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile index d3b7ee871..c3dc0366b 100644 --- a/etc/thunderbird.profile +++ b/etc/thunderbird.profile
@@ -18,7 +18,6 @@ mkdir ~/.gnupg
18	mkdir ~/.icedove	18	mkdir ~/.icedove
19	mkdir ~/.thunderbird	19	mkdir ~/.thunderbird
20	whitelist ~/.cache/thunderbird	20	whitelist ~/.cache/thunderbird
21	whitelist ~/.config/mimeapps.list
22	whitelist ~/.gnupg	21	whitelist ~/.gnupg
23	whitelist ~/.icedove	22	whitelist ~/.icedove
24	whitelist ~/.local/share/applications	23	whitelist ~/.local/share/applications
@@ -28,7 +27,6 @@ include /etc/firejail/whitelist-common.inc
28	ignore private-tmp	27	ignore private-tmp
29		28
30	read-only ~/.config/mimeapps.list	29	read-only ~/.config/mimeapps.list
31	read-only ~/.local/share/applications
32		30
33	# allow browsers	31	# allow browsers
34	include /etc/firejail/firefox.profile	32	include /etc/firejail/firefox.profile