author | Tad <tad@spotco.us> | 2017-09-16 13:47:31 -0400 |
---|---|---|
committer | Tad <tad@spotco.us> | 2017-09-18 18:24:13 -0400 |
commit | 60606c2d041dc08b0af10baff1b18dbf507f8d81 (patch) | |
tree | 75ca83f6148cf6e93e75df9be3b85ab702a5fb9c | |
parent | Add 5 profiles (diff) | |
Fixup 36 profiles
36 files changed, 172 insertions, 353 deletions
diff --git a/etc/Viber.profile b/etc/Viber.profile index 5de92f36f..ee1ab6219 100644 --- a/etc/Viber.profile +++ b/etc/Viber.profile | |||
@@ -6,21 +6,15 @@ include /etc/firejail/Viber.local | |||
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | 8 | ||
9 | noblacklist ${HOME}/.ViberPC | ||
10 | |||
11 | include /etc/firejail/disable-common.inc | ||
12 | include /etc/firejail/disable-devel.inc | ||
13 | include /etc/firejail/disable-passwdmgr.inc | ||
14 | include /etc/firejail/disable-programs.inc | ||
15 | |||
9 | whitelist ${DOWNLOADS} | 16 | whitelist ${DOWNLOADS} |
10 | whitelist ${HOME}/.ViberPC | 17 | whitelist ${HOME}/.ViberPC |
11 | whitelist /dev/dri | ||
12 | whitelist /dev/full | ||
13 | whitelist /dev/null | ||
14 | whitelist /dev/ptmx | ||
15 | whitelist /dev/pts | ||
16 | whitelist /dev/random | ||
17 | whitelist /dev/shm | ||
18 | whitelist /dev/snd | ||
19 | whitelist /dev/tty | ||
20 | whitelist /dev/urandom | ||
21 | whitelist /dev/video0 | ||
22 | whitelist /dev/zero | ||
23 | whitelist /opt/viber | ||
24 | include /etc/firejail/whitelist-common.inc | 18 | include /etc/firejail/whitelist-common.inc |
25 | 19 | ||
26 | caps.drop all | 20 | caps.drop all |
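Review bot: Dropping `whitelist /opt/viber` (old line 23) removes the only rule that confined /opt inside the sandbox; with no whitelist left on /opt, every other application installed there becomes visible to Viber, and none of the added `noblacklist`/`disable-*.inc` lines narrows that back. Keeping `whitelist /opt/viber` next to the new includes restores the previous scope. The `whitelist /dev/*` lines (old lines 11-22) are gone as well; that is only equivalent if the profile's tail, which is outside this hunk, still sets `private-dev`, so that should be confirmed before merging.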
diff --git a/etc/amule.profile b/etc/amule.profile index 5cd6e613e..48aad759d 100644 --- a/etc/amule.profile +++ b/etc/amule.profile | |||
@@ -5,18 +5,16 @@ include /etc/firejail/amule.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /boot | 8 | |
9 | blacklist /media | 9 | noblacklist ${HOME}/.aMule |
10 | blacklist /mnt | 10 | |
11 | blacklist /opt | 11 | include /etc/firejail/disable-common.inc |
12 | blacklist /usr/local/bin | 12 | include /etc/firejail/disable-devel.inc |
13 | blacklist /usr/local/sbin | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | ||
14 | 15 | ||
15 | whitelist ${DOWNLOADS} | 16 | whitelist ${DOWNLOADS} |
16 | whitelist ${HOME}/.aMule | 17 | whitelist ${HOME}/.aMule |
17 | whitelist ${HOME}/.gtkrc-2.0 | ||
18 | whitelist ${HOME}/.gtkrc.mine | ||
19 | whitelist ${HOME}/.themes | ||
20 | include /etc/firejail/whitelist-common.inc | 18 | include /etc/firejail/whitelist-common.inc |
21 | 19 | ||
22 | caps.drop all | 20 | caps.drop all |
@@ -29,5 +27,4 @@ shell none | |||
29 | 27 | ||
30 | private-bin amule | 28 | private-bin amule |
31 | private-dev | 29 | private-dev |
32 | private-etc fonts,hosts | ||
33 | private-tmp | 30 | private-tmp |
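Review bot: `private-etc fonts,hosts` (old line 32) is deleted outright rather than commented out, so aMule now sees the whole of /etc and the reason for the change is not recorded. The other profiles in this commit keep the line as `#private-etc ...`; doing the same here, with a short comment on what it broke, keeps the hardening recoverable. If it was dropped because a file aMule needs was missing from the list, extending the list (for example adding resolv.conf for name resolution, if that was the failure) is the tighter fix.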
diff --git a/etc/ardour4.profile b/etc/ardour4.profile index 3a52edb66..095685364 100644 --- a/etc/ardour4.profile +++ b/etc/ardour4.profile | |||
@@ -1,34 +1,5 @@ | |||
1 | # Firejail profile for ardour4 | 1 | # Firejail profile alias for ardour5 |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include /etc/firejail/ardour4.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 3 | ||
8 | noblacklist ~/.config/ardour4 | ||
9 | 4 | ||
10 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/ardour5.profile |
11 | include /etc/firejail/disable-devel.inc | ||
12 | include /etc/firejail/disable-passwdmgr.inc | ||
13 | include /etc/firejail/disable-programs.inc | ||
14 | |||
15 | mkdir ~/.config/ardour4 | ||
16 | whitelist ~/.config/ardour4 | ||
17 | whitelist ~/Music | ||
18 | whitelist ~/Música | ||
19 | include /etc/firejail/whitelist-common.inc | ||
20 | |||
21 | caps.drop all | ||
22 | netfilter | ||
23 | nogroups | ||
24 | nonewprivs | ||
25 | noroot | ||
26 | protocol unix | ||
27 | seccomp | ||
28 | shell none | ||
29 | tracelog | ||
30 | |||
31 | # private-bin ardour4 | ||
32 | private-dev | ||
33 | # private-etc ardour4 | ||
34 | private-tmp | ||
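Review bot: The alias no longer includes `/etc/firejail/ardour4.local` (old line 4), so any per-user customization or hardening in that file is silently ignored from now on, and ardour5.profile only sources `ardour5.local`. A one-line comment in the alias, `# Local customizations belong in ardour5.local; ardour4.local is no longer read`, makes the change visible to users who relied on the old file. The old `mkdir ~/.config/ardour4` has no counterpart either, which is only harmless because the ardour5 profile in this commit no longer whitelists that directory.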
diff --git a/etc/ardour5.profile b/etc/ardour5.profile index f17c74e2b..42744f4dd 100644 --- a/etc/ardour5.profile +++ b/etc/ardour5.profile | |||
@@ -5,19 +5,16 @@ include /etc/firejail/ardour5.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /boot | ||
9 | blacklist /media | ||
10 | blacklist /mnt | ||
11 | blacklist /opt | ||
12 | blacklist /usr/local/bin | ||
13 | 8 | ||
14 | whitelist ${DOWNLOADS} | 9 | noblacklist ${HOME}/.config/ardour4 |
15 | whitelist ${HOME}/.config/ardour4 | 10 | noblacklist ${HOME}/.config/ardour5 |
16 | whitelist ${HOME}/.config/ardour5 | 11 | noblacklist ${HOME}/.lv2 |
17 | whitelist ${HOME}/.lv2 | 12 | noblacklist ${HOME}/.vst |
18 | whitelist ${HOME}/.vst | 13 | |
19 | whitelist ${HOME}/Documents | 14 | include /etc/firejail/disable-common.inc |
20 | include /etc/firejail/whitelist-common.inc | 15 | include /etc/firejail/disable-devel.inc |
16 | include /etc/firejail/disable-passwdmgr.inc | ||
17 | include /etc/firejail/disable-programs.inc | ||
21 | 18 | ||
22 | caps.drop all | 19 | caps.drop all |
23 | ipc-namespace | 20 | ipc-namespace |
@@ -27,9 +24,9 @@ noroot | |||
27 | seccomp | 24 | seccomp |
28 | shell none | 25 | shell none |
29 | 26 | ||
30 | private-bin sh,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm | 27 | #private-bin sh,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm |
31 | private-dev | 28 | private-dev |
32 | private-etc pulse,X11,alternatives,ardour4,ardour5,fonts | 29 | #private-etc pulse,X11,alternatives,ardour4,ardour5,fonts |
33 | private-tmp | 30 | private-tmp |
34 | 31 | ||
35 | noexec /home | 32 | noexec /home |
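Review bot: The new side removes every `whitelist` line (old lines 14-20) and comments out `private-bin` and `private-etc` (new lines 27 and 29) without recording why, so the sandbox goes from a whitelisted home plus a private /etc to full read-write access to $HOME and all of /etc, with `noexec /home` as the remaining barrier. If the whitelist broke plugin or session loading, the minimal restoration is to re-add the four application directories plus `whitelist-common.inc` after the disable-*.inc includes, as sketched below, and extend the list as needed. Each commented-out line should carry a short reason comment so the hardening is not lost silently. With no whitelist active, the four `noblacklist` lines (new lines 9-12) only have an effect if disable-programs.inc blacklists those paths, which is worth confirming.
```conf
# … unchanged: noblacklist lines and disable-*.inc includes …
mkdir ${HOME}/.config/ardour5
whitelist ${DOWNLOADS}
whitelist ${HOME}/.config/ardour4
whitelist ${HOME}/.config/ardour5
whitelist ${HOME}/.lv2
whitelist ${HOME}/.vst
include /etc/firejail/whitelist-common.inc
# … unchanged: caps.drop all and the rest of the profile …
```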
diff --git a/etc/brackets.profile b/etc/brackets.profile index 3c7622435..151d88bdd 100644 --- a/etc/brackets.profile +++ b/etc/brackets.profile | |||
@@ -5,19 +5,13 @@ include /etc/firejail/brackets.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /boot | 8 | noblacklist ${HOME}/.config/Brackets |
9 | blacklist /media | 9 | noblacklist /opt/brackets/ |
10 | blacklist /mnt | 10 | noblacklist /opt/google/ |
11 | 11 | ||
12 | whitelist ${DOWNLOADS} | 12 | include /etc/firejail/disable-common.inc |
13 | whitelist ${HOME}/.config/Brackets | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | whitelist ${HOME}/.gtkrc-2.0 | 14 | include /etc/firejail/disable-programs.inc |
15 | whitelist ${HOME}/.themes | ||
16 | whitelist ${HOME}/Documents | ||
17 | whitelist /opt/brackets/ | ||
18 | whitelist /opt/google/ | ||
19 | whitelist /tmp/.X11-unix | ||
20 | include /etc/firejail/whitelist-common.inc | ||
21 | 15 | ||
22 | caps.drop all | 16 | caps.drop all |
23 | # Comment out or use --ignore=net if you want to install extensions or themes | 17 | # Comment out or use --ignore=net if you want to install extensions or themes |
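Review bot: `noblacklist /opt/brackets/` and `noblacklist /opt/google/` (new lines 9-10) are not a replacement for the `whitelist /opt/...` lines they stand in for: a noblacklist only exempts a path from a later blacklist and never restricts anything, so unless one of the included disable-*.inc files blacklists /opt (which should be checked), the two lines are no-ops while the rest of /opt becomes visible to the editor. Re-adding `whitelist /opt/brackets/` and `whitelist /opt/google/` together with `include /etc/firejail/whitelist-common.inc` confines /opt again; the home-directory whitelist can stay removed if it made project folders unreachable. The trailing slashes are also inconsistent with the other `noblacklist` paths in this commit.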
diff --git a/etc/calligra.profile b/etc/calligra.profile index 260097560..58006f203 100644 --- a/etc/calligra.profile +++ b/etc/calligra.profile | |||
@@ -5,21 +5,10 @@ include /etc/firejail/calligra.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /boot | 8 | include /etc/firejail/disable-common.inc |
9 | blacklist /media | 9 | include /etc/firejail/disable-devel.inc |
10 | blacklist /mnt | 10 | include /etc/firejail/disable-passwdmgr.inc |
11 | blacklist /opt | 11 | include /etc/firejail/disable-programs.inc |
12 | |||
13 | whitelist ${DOWNLOADS} | ||
14 | whitelist ${HOME}/.config/Trolltech.conf | ||
15 | whitelist ${HOME}/.gtkrc-2.0 | ||
16 | whitelist ${HOME}/.kde | ||
17 | whitelist ${HOME}/.themes | ||
18 | whitelist ${HOME}/Documents | ||
19 | whitelist /tmp/.X11-unix | ||
20 | # DBus is forced to use an ordinary unix socket | ||
21 | whitelist /tmp/dbus_session_socket | ||
22 | include /etc/firejail/whitelist-common.inc | ||
23 | 12 | ||
24 | caps.drop all | 13 | caps.drop all |
25 | ipc-namespace | 14 | ipc-namespace |
@@ -31,7 +20,7 @@ shell none | |||
31 | 20 | ||
32 | private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch | 21 | private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch |
33 | private-dev | 22 | private-dev |
34 | private-etc fonts,passwd,alternatives,X11 | 23 | #private-etc fonts,passwd,alternatives,X11 |
35 | 24 | ||
36 | noexec /home | 25 | noexec /home |
37 | noexec /tmp | 26 | noexec /tmp |
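Review bot: `#private-etc fonts,passwd,alternatives,X11` (new line 23) is commented out with no explanation, so the suite now gets the host's entire /etc, and a later maintainer cannot tell whether the restriction broke something or was disabled by mistake. A short reason on the line, or, if a single missing file was the problem, adding that file to the list instead, keeps the hardening in place. The whitelist removal (old lines 13-22) additionally exposes the full $HOME; `noexec /home` on line 25 still applies, but it is now the only limit on what the sandbox can read and write there.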
diff --git a/etc/calligraauthor.profile b/etc/calligraauthor.profile index 2b005c5c9..162823019 100644 --- a/etc/calligraauthor.profile +++ b/etc/calligraauthor.profile | |||
@@ -2,4 +2,4 @@ | |||
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | 4 | ||
5 | include ${HOME}/.config/firejail/calligra.profile | 5 | include /etc/firejail/calligra.profile |
diff --git a/etc/calligraconverter.profile b/etc/calligraconverter.profile index 2b005c5c9..162823019 100644 --- a/etc/calligraconverter.profile +++ b/etc/calligraconverter.profile | |||
@@ -2,4 +2,4 @@ | |||
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | 4 | ||
5 | include ${HOME}/.config/firejail/calligra.profile | 5 | include /etc/firejail/calligra.profile |
diff --git a/etc/calligraflow.profile b/etc/calligraflow.profile index 2b005c5c9..162823019 100644 --- a/etc/calligraflow.profile +++ b/etc/calligraflow.profile | |||
@@ -2,4 +2,4 @@ | |||
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | 4 | ||
5 | include ${HOME}/.config/firejail/calligra.profile | 5 | include /etc/firejail/calligra.profile |
diff --git a/etc/calligraplan.profile b/etc/calligraplan.profile index 2b005c5c9..162823019 100644 --- a/etc/calligraplan.profile +++ b/etc/calligraplan.profile | |||
@@ -2,4 +2,4 @@ | |||
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | 4 | ||
5 | include ${HOME}/.config/firejail/calligra.profile | 5 | include /etc/firejail/calligra.profile |
diff --git a/etc/calligraplanwork.profile b/etc/calligraplanwork.profile index 2b005c5c9..162823019 100644 --- a/etc/calligraplanwork.profile +++ b/etc/calligraplanwork.profile | |||
@@ -2,4 +2,4 @@ | |||
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | 4 | ||
5 | include ${HOME}/.config/firejail/calligra.profile | 5 | include /etc/firejail/calligra.profile |
diff --git a/etc/calligrasheets.profile b/etc/calligrasheets.profile index 2b005c5c9..162823019 100644 --- a/etc/calligrasheets.profile +++ b/etc/calligrasheets.profile | |||
@@ -2,4 +2,4 @@ | |||
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | 4 | ||
5 | include ${HOME}/.config/firejail/calligra.profile | 5 | include /etc/firejail/calligra.profile |
diff --git a/etc/calligrastage.profile b/etc/calligrastage.profile index 2b005c5c9..162823019 100644 --- a/etc/calligrastage.profile +++ b/etc/calligrastage.profile | |||
@@ -2,4 +2,4 @@ | |||
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | 4 | ||
5 | include ${HOME}/.config/firejail/calligra.profile | 5 | include /etc/firejail/calligra.profile |
diff --git a/etc/calligrawords.profile b/etc/calligrawords.profile index 2b005c5c9..162823019 100644 --- a/etc/calligrawords.profile +++ b/etc/calligrawords.profile | |||
@@ -2,4 +2,4 @@ | |||
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | 4 | ||
5 | include ${HOME}/.config/firejail/calligra.profile | 5 | include /etc/firejail/calligra.profile |
diff --git a/etc/cin.profile b/etc/cin.profile index 3a8a4d8de..e895805eb 100644 --- a/etc/cin.profile +++ b/etc/cin.profile | |||
@@ -5,16 +5,12 @@ include /etc/firejail/cin.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /boot | 8 | noblacklist ${HOME}/.bcast5 |
9 | blacklist /media | ||
10 | blacklist /mnt | ||
11 | blacklist /opt | ||
12 | 9 | ||
13 | whitelist ${DOWNLOADS} | 10 | include /etc/firejail/disable-common.inc |
14 | whitelist ${HOME}/.bcast5 | 11 | include /etc/firejail/disable-devel.inc |
15 | whitelist ${HOME}/Videos | 12 | include /etc/firejail/disable-passwdmgr.inc |
16 | whitelist /tmp/.X11-unix | 13 | include /etc/firejail/disable-programs.inc |
17 | include /etc/firejail/whitelist-common.inc | ||
18 | 14 | ||
19 | caps.drop all | 15 | caps.drop all |
20 | ipc-namespace | 16 | ipc-namespace |
@@ -26,7 +22,7 @@ shell none | |||
26 | 22 | ||
27 | private-bin cin | 23 | private-bin cin |
28 | private-dev | 24 | private-dev |
29 | private-etc fonts,pulse | 25 | #private-etc fonts,pulse |
30 | 26 | ||
31 | noexec /home | 27 | noexec /home |
32 | noexec /tmp | 28 | noexec /tmp |
diff --git a/etc/dooble-qt4.profile b/etc/dooble-qt4.profile index ec85c7b58..67df7ce36 100644 --- a/etc/dooble-qt4.profile +++ b/etc/dooble-qt4.profile | |||
@@ -1,33 +1,5 @@ | |||
1 | # Firejail profile for dooble-qt4 | 1 | # Firejail profile alias for dooble |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include /etc/firejail/dooble-qt4.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | 3 | ||
8 | noblacklist ~/.dooble | ||
9 | 4 | ||
10 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/dooble.profile |
11 | include /etc/firejail/disable-devel.inc | ||
12 | include /etc/firejail/disable-programs.inc | ||
13 | |||
14 | mkdir ~/.dooble | ||
15 | mkdir ~/usr/lib/dooble-qt4 | ||
16 | whitelist ${DOWNLOADS} | ||
17 | whitelist ~/.config/keepassx | ||
18 | whitelist ~/.config/lastpass | ||
19 | whitelist ~/.dooble | ||
20 | whitelist ~/.keepassx | ||
21 | whitelist ~/.lastpass | ||
22 | whitelist ~/keepassx.kdbx | ||
23 | whitelist ~/usr/lib/dooble | ||
24 | whitelist ~/usr/lib/dooble-qt4 | ||
25 | include /etc/firejail/whitelist-common.inc | ||
26 | |||
27 | caps.drop all | ||
28 | netfilter | ||
29 | nonewprivs | ||
30 | noroot | ||
31 | protocol unix,inet,inet6,netlink | ||
32 | seccomp | ||
33 | tracelog | ||
diff --git a/etc/dooble.profile b/etc/dooble.profile index 13e4ead96..cbb0f96b8 100644 --- a/etc/dooble.profile +++ b/etc/dooble.profile | |||
@@ -1,27 +1,21 @@ | |||
1 | # Firejail profile for dooble | 1 | # Firejail profile for dooble-qt4 |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include /etc/firejail/dooble.local | 4 | include /etc/firejail/dooble-qt4.local |
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | |||
8 | noblacklist ~/.dooble | 9 | noblacklist ~/.dooble |
9 | 10 | ||
10 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-passwdmgr.inc | ||
12 | include /etc/firejail/disable-programs.inc | 14 | include /etc/firejail/disable-programs.inc |
13 | 15 | ||
14 | mkdir ~/.dooble | 16 | mkdir ${HOME}/.dooble |
15 | mkdir ~/usr/lib/dooble-qt4 | ||
16 | whitelist ${DOWNLOADS} | 17 | whitelist ${DOWNLOADS} |
17 | whitelist ~/.config/keepassx | ||
18 | whitelist ~/.config/lastpass | ||
19 | whitelist ~/.dooble | 18 | whitelist ~/.dooble |
20 | whitelist ~/.keepassx | ||
21 | whitelist ~/.lastpass | ||
22 | whitelist ~/keepassx.kdbx | ||
23 | whitelist ~/usr/lib/dooble | ||
24 | whitelist ~/usr/lib/dooble-qt4 | ||
25 | include /etc/firejail/whitelist-common.inc | 19 | include /etc/firejail/whitelist-common.inc |
26 | 20 | ||
27 | caps.drop all | 21 | caps.drop all |
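Review bot: dooble.profile's new header and local include name the wrong profile: line 1 now reads `# Firejail profile for dooble-qt4` and line 4 `include /etc/firejail/dooble-qt4.local`, while dooble-qt4.profile in this same commit became an alias that includes dooble.profile. As a result `dooble.local` is read by nothing and `dooble-qt4.local` is read in both cases, the opposite of the alias direction. Change them to `# Firejail profile for dooble` and `include /etc/firejail/dooble.local`. Minor: `mkdir ${HOME}/.dooble` (line 16) and `whitelist ~/.dooble` (line 18) mix the two home spellings; pick one.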
diff --git a/etc/fetchmail.profile b/etc/fetchmail.profile index dc7f4abc3..2b2be4c16 100644 --- a/etc/fetchmail.profile +++ b/etc/fetchmail.profile | |||
@@ -5,26 +5,17 @@ include /etc/firejail/fetchmail.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /boot | ||
9 | blacklist /media | ||
10 | blacklist /mnt | ||
11 | blacklist /opt | ||
12 | 8 | ||
13 | # Location of your fetchmailrc - I decrypt it into /tmp/fetchmailrc | 9 | include /etc/firejail/disable-common.inc |
14 | # whitelist ${HOME}/.fetchmailrc.gpg | 10 | include /etc/firejail/disable-devel.inc |
15 | whitelist ${HOME}/.procmailrc.brown | 11 | include /etc/firejail/disable-passwdmgr.inc |
16 | whitelist ${HOME}/.procmailrc.gmail | 12 | include /etc/firejail/disable-programs.inc |
17 | whitelist ${HOME}/Mail | ||
18 | whitelist ${HOME}/scripts/fetchmail-real.sh | ||
19 | whitelist /tmp/fetchmailrc | ||
20 | include /etc/firejail/whitelist-common.inc | ||
21 | 13 | ||
22 | caps.drop all | 14 | caps.drop all |
23 | nogroups | 15 | nogroups |
24 | noroot | 16 | noroot |
25 | nosound | 17 | nosound |
26 | seccomp | 18 | seccomp |
27 | x11 none | ||
28 | 19 | ||
29 | # private-bin fetchmail,procmail,bash,chmod | 20 | # private-bin fetchmail,procmail,bash,chmod |
30 | private-dev | 21 | private-dev |
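Review bot: `x11 none` (old line 27) is removed with no replacement, so fetchmail, a headless mail fetcher, regains access to the X11 socket from inside the sandbox; nothing on the new side compensates for it, and the profile's tail is outside this hunk. Unless it was breaking something, re-add `x11 none` after `seccomp`. The dropped user-specific whitelist lines (`.procmailrc.brown`, `scripts/fetchmail-real.sh`, `/tmp/fetchmailrc`) were visibly the original author's own setup, so their removal is an improvement; with no whitelist left, `${HOME}/.fetchmailrc` is reachable by default, which is presumably the intent.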
diff --git a/etc/freecad.profile b/etc/freecad.profile index 0467edb6d..c2d4661e8 100644 --- a/etc/freecad.profile +++ b/etc/freecad.profile | |||
@@ -5,17 +5,13 @@ include /etc/firejail/freecad.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /boot | ||
9 | blacklist /media | ||
10 | blacklist /mnt | ||
11 | blacklist /opt | ||
12 | blacklist /usr/local/bin | ||
13 | blacklist /usr/local/sbin | ||
14 | 8 | ||
15 | whitelist ${DOWNLOADS} | 9 | noblacklist ${HOME}/.config/FreeCAD |
16 | whitelist ${HOME}/.config/FreeCAD | 10 | |
17 | whitelist ${HOME}/Documents | 11 | include /etc/firejail/disable-common.inc |
18 | include /etc/firejail/whitelist-common.inc | 12 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-passwdmgr.inc | ||
14 | include /etc/firejail/disable-programs.inc | ||
19 | 15 | ||
20 | caps.drop all | 16 | caps.drop all |
21 | ipc-namespace | 17 | ipc-namespace |
@@ -29,7 +25,7 @@ shell none | |||
29 | 25 | ||
30 | private-bin freecad,freecadcmd | 26 | private-bin freecad,freecadcmd |
31 | private-dev | 27 | private-dev |
32 | private-etc fonts,passwd,alternatives,X11 | 28 | #private-etc fonts,passwd,alternatives,X11 |
33 | private-tmp | 29 | private-tmp |
34 | 30 | ||
35 | noexec ${HOME} | 31 | noexec ${HOME} |
diff --git a/etc/freecadcmd.profile b/etc/freecadcmd.profile index 41cfd3fab..82ce8fcaa 100644 --- a/etc/freecadcmd.profile +++ b/etc/freecadcmd.profile | |||
@@ -2,4 +2,4 @@ | |||
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | 4 | ||
5 | include ${HOME}/.config/firejail/freecad.profile | 5 | include /etc/firejail/freecad.profile |
diff --git a/etc/google-earth.profile b/etc/google-earth.profile index a339402e2..11d55281a 100644 --- a/etc/google-earth.profile +++ b/etc/google-earth.profile | |||
@@ -5,16 +5,18 @@ include /etc/firejail/google-earth.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /boot | 8 | noblacklist ${HOME}/.config/Google |
9 | blacklist /media | 9 | noblacklist ${HOME}/.googleearth |
10 | blacklist /mnt | ||
11 | 10 | ||
11 | include /etc/firejail/disable-common.inc | ||
12 | include /etc/firejail/disable-devel.inc | ||
13 | include /etc/firejail/disable-passwdmgr.inc | ||
14 | include /etc/firejail/disable-programs.inc | ||
15 | |||
16 | mkdir ${HOME}/.config/Google | ||
17 | mkdir ${HOME}/.googleearth | ||
12 | whitelist ${HOME}/.config/Google | 18 | whitelist ${HOME}/.config/Google |
13 | whitelist ${HOME}/.googleearth/Cache/ | 19 | whitelist ${HOME}/.googleearth |
14 | whitelist ${HOME}/.googleearth/Temp/ | ||
15 | whitelist ${HOME}/.googleearth/myplaces.backup.kml | ||
16 | whitelist ${HOME}/.googleearth/myplaces.kml | ||
17 | whitelist /tmp/.X11-unix | ||
18 | include /etc/firejail/whitelist-common.inc | 20 | include /etc/firejail/whitelist-common.inc |
19 | 21 | ||
20 | caps.drop all | 22 | caps.drop all |
@@ -26,7 +28,7 @@ shell none | |||
26 | 28 | ||
27 | private-bin google-earth,sh,grep,sed,ls,dirname | 29 | private-bin google-earth,sh,grep,sed,ls,dirname |
28 | private-dev | 30 | private-dev |
29 | private-etc fonts,resolv.conf,X11,alternatives,pulse | 31 | #private-etc fonts,resolv.conf,X11,alternatives,pulse |
30 | 32 | ||
31 | noexec /home | 33 | noexec ${HOME} |
32 | noexec /tmp | 34 | noexec /tmp |
diff --git a/etc/imagej.profile b/etc/imagej.profile index 4404cc9a2..4613e378f 100644 --- a/etc/imagej.profile +++ b/etc/imagej.profile | |||
@@ -5,20 +5,13 @@ include /etc/firejail/imagej.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /boot | ||
9 | blacklist /media | ||
10 | blacklist /mnt | ||
11 | blacklist /opt | ||
12 | blacklist /usr/local/bin | ||
13 | blacklist /usr/local/sbin | ||
14 | 8 | ||
15 | whitelist ${DOWNLOADS} | 9 | noblacklist ${HOME}/.imagej |
16 | whitelist ${HOME}/.gtkrc-2.0 | 10 | |
17 | whitelist ${HOME}/.gtkrc.mine | 11 | include /etc/firejail/disable-common.inc |
18 | whitelist ${HOME}/.imagej | 12 | include /etc/firejail/disable-devel.inc |
19 | whitelist ${HOME}/.themes | 13 | include /etc/firejail/disable-passwdmgr.inc |
20 | whitelist ${HOME}/Pictures | 14 | include /etc/firejail/disable-programs.inc |
21 | include /etc/firejail/whitelist-common.inc | ||
22 | 15 | ||
23 | caps.drop all | 16 | caps.drop all |
24 | ipc-namespace | 17 | ipc-namespace |
diff --git a/etc/karbon.profile b/etc/karbon.profile index da72432f7..7d7f25ad0 100644 --- a/etc/karbon.profile +++ b/etc/karbon.profile | |||
@@ -5,21 +5,11 @@ include /etc/firejail/karbon.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /boot | ||
9 | blacklist /media | ||
10 | blacklist /mnt | ||
11 | blacklist /opt | ||
12 | 8 | ||
13 | whitelist ${DOWNLOADS} | 9 | include /etc/firejail/disable-common.inc |
14 | whitelist ${HOME}/.config/Trolltech.conf | 10 | include /etc/firejail/disable-devel.inc |
15 | whitelist ${HOME}/.gtkrc-2.0 | 11 | include /etc/firejail/disable-passwdmgr.inc |
16 | whitelist ${HOME}/.kde4 | 12 | include /etc/firejail/disable-programs.inc |
17 | whitelist ${HOME}/.themes | ||
18 | whitelist ${HOME}/Images | ||
19 | whitelist /tmp/.X11-unix | ||
20 | # DBus has been forced to use an ordinary unix socket | ||
21 | whitelist /tmp/dbus_session_socket | ||
22 | include /etc/firejail/whitelist-common.inc | ||
23 | 13 | ||
24 | caps.drop all | 14 | caps.drop all |
25 | ipc-namespace | 15 | ipc-namespace |
@@ -29,9 +19,7 @@ noroot | |||
29 | seccomp | 19 | seccomp |
30 | shell none | 20 | shell none |
31 | 21 | ||
32 | # private-bin krita,dbus-launch | ||
33 | private-dev | 22 | private-dev |
34 | # private-etc fonts,passwd,alternatives,X11 | ||
35 | 23 | ||
36 | noexec /home | 24 | noexec /home |
37 | noexec /tmp | 25 | noexec /tmp |
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile index b982bd045..b91bd9c41 100644 --- a/etc/kdenlive.profile +++ b/etc/kdenlive.profile | |||
@@ -5,20 +5,11 @@ include /etc/firejail/kdenlive.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /boot | ||
9 | blacklist /media | ||
10 | blacklist /mnt | ||
11 | blacklist /opt | ||
12 | 8 | ||
13 | # Apparently these break kdenlive for some people - they work for me though? | 9 | include /etc/firejail/disable-common.inc |
14 | # whitelist ${DOWNLOADS} | 10 | include /etc/firejail/disable-devel.inc |
15 | # whitelist ${HOME}/.config/ | 11 | include /etc/firejail/disable-passwdmgr.inc |
16 | # whitelist ${HOME}/Videos | 12 | include /etc/firejail/disable-programs.inc |
17 | # whitelist ${HOME}/kdenlive | ||
18 | whitelist /tmp/.X11-unix | ||
19 | # DBus is forced to use an ordinary unix socket | ||
20 | whitelist /tmp/dbus_session_socket | ||
21 | include /etc/firejail/whitelist-common.inc | ||
22 | 13 | ||
23 | caps.drop all | 14 | caps.drop all |
24 | net none | 15 | net none |
@@ -29,4 +20,4 @@ shell none | |||
29 | 20 | ||
30 | private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper | 21 | private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper |
31 | private-dev | 22 | private-dev |
32 | private-etc fonts,alternatives,X11,pulse,passwd | 23 | #private-etc fonts,alternatives,X11,pulse,passwd |
diff --git a/etc/krita.profile b/etc/krita.profile index f6e62e387..d60ef2fa7 100644 --- a/etc/krita.profile +++ b/etc/krita.profile | |||
@@ -5,21 +5,11 @@ include /etc/firejail/krita.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /boot | ||
9 | blacklist /media | ||
10 | blacklist /mnt | ||
11 | blacklist /opt | ||
12 | 8 | ||
13 | whitelist ${DOWNLOADS} | 9 | include /etc/firejail/disable-common.inc |
14 | whitelist ${HOME}/.config/Trolltech.conf | 10 | include /etc/firejail/disable-devel.inc |
15 | whitelist ${HOME}/.gtkrc-2.0 | 11 | include /etc/firejail/disable-passwdmgr.inc |
16 | whitelist ${HOME}/.kde4 | 12 | include /etc/firejail/disable-programs.inc |
17 | whitelist ${HOME}/.themes | ||
18 | whitelist ${HOME}/Images | ||
19 | whitelist /tmp/.X11-unix | ||
20 | # DBus has been forced to use an ordinary unix socket | ||
21 | whitelist /tmp/dbus_session_socket | ||
22 | include /etc/firejail/whitelist-common.inc | ||
23 | 13 | ||
24 | caps.drop all | 14 | caps.drop all |
25 | ipc-namespace | 15 | ipc-namespace |
@@ -29,9 +19,7 @@ noroot | |||
29 | seccomp | 19 | seccomp |
30 | shell none | 20 | shell none |
31 | 21 | ||
32 | # private-bin krita,dbus-launch | ||
33 | private-dev | 22 | private-dev |
34 | # private-etc fonts,passwd,alternatives,X11 | ||
35 | 23 | ||
36 | noexec /home | 24 | noexec /home |
37 | noexec /tmp | 25 | noexec /tmp |
diff --git a/etc/linphone.profile b/etc/linphone.profile index 850fcb320..8763b348a 100644 --- a/etc/linphone.profile +++ b/etc/linphone.profile | |||
@@ -5,13 +5,16 @@ include /etc/firejail/linphone.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /boot | 8 | noblacklist ${HOME}/.linphone-history.db |
9 | blacklist /media | 9 | noblacklist ${HOME}/.linphonerc |
10 | blacklist /mnt | ||
11 | blacklist /opt | ||
12 | 10 | ||
13 | whitelist ${HOME}/.gtkrc-2.0 | 11 | include /etc/firejail/disable-common.inc |
14 | whitelist ${HOME}/.gtkrc.mine | 12 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-passwdmgr.inc | ||
14 | include /etc/firejail/disable-programs.inc | ||
15 | |||
16 | mkfile ${HOME}/.linphone-history.db | ||
17 | mkfile ${HOME}/.linphonerc | ||
15 | whitelist ${HOME}/.linphone-history.db | 18 | whitelist ${HOME}/.linphone-history.db |
16 | whitelist ${HOME}/.linphonerc | 19 | whitelist ${HOME}/.linphonerc |
17 | whitelist ${HOME}/Downloads | 20 | whitelist ${HOME}/Downloads |
diff --git a/etc/lmms.profile b/etc/lmms.profile index 8ac039cc0..14a7209a9 100644 --- a/etc/lmms.profile +++ b/etc/lmms.profile | |||
@@ -5,17 +5,13 @@ include /etc/firejail/lmms.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | blacklist /boot | ||
9 | blacklist /media | ||
10 | blacklist /mnt | ||
11 | blacklist /opt | ||
12 | 8 | ||
13 | whitelist ${DOWNLOADS} | 9 | noblacklist ${HOME}/.lmmsrc.xml |
14 | whitelist ${HOME}/.lmmsrc.xml | 10 | |
15 | whitelist ${HOME}/Music | 11 | include /etc/firejail/disable-common.inc |
16 | whitelist ${HOME}/lmms | 12 | include /etc/firejail/disable-devel.inc |
17 | whitelist /tmp/.X11-unix | 13 | include /etc/firejail/disable-passwdmgr.inc |
18 | include /etc/firejail/whitelist-common.inc | 14 | include /etc/firejail/disable-programs.inc |
19 | 15 | ||
20 | caps.drop all | 16 | caps.drop all |
21 | ipc-namespace | 17 | ipc-namespace |
diff --git a/etc/macrofusion.profile b/etc/macrofusion.profile index 287a5ea85..e53f175f8 100644 --- a/etc/macrofusion.profile +++ b/etc/macrofusion.profile | |||
@@ -6,12 +6,12 @@ include /etc/firejail/macrofusion.local | |||
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | 8 | ||
9 | whitelist ${DOWNLOADS} | 9 | noblacklist ${HOME}/.config/mfusion |
10 | whitelist ${HOME}/.config/gtk-3.0 | 10 | |
11 | whitelist ${HOME}/.config/mfusion | 11 | include /etc/firejail/disable-common.inc |
12 | whitelist ${HOME}/.themes | 12 | include /etc/firejail/disable-devel.inc |
13 | whitelist ${HOME}/Pictures | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/whitelist-common.inc | 14 | include /etc/firejail/disable-programs.inc |
15 | 15 | ||
16 | caps.drop all | 16 | caps.drop all |
17 | ipc-namespace | 17 | ipc-namespace |
@@ -22,7 +22,7 @@ noroot | |||
22 | seccomp | 22 | seccomp |
23 | shell none | 23 | shell none |
24 | 24 | ||
25 | private-bin python3,macrofusion,env,enfuse,exiftool,align_image_stack | 25 | #private-bin python3,macrofusion,env,enfuse,exiftool,align_image_stack |
26 | private-dev | 26 | private-dev |
27 | private-etc fonts | 27 | #private-etc fonts |
28 | private-tmp | 28 | private-tmp |
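Review bot: Both `private-bin` and `private-etc` are commented out (new lines 25 and 27) with no reason given, which removes the two restrictions that limited the sandbox's /usr/bin and /etc to what macrofusion needs; nothing else in the hunk narrows them back. If `private-bin` failed because the Python launcher needs an extra helper, adding that helper to the list is tighter than disabling the line. At minimum each commented line should carry a comment naming what broke, so the restriction can be restored later.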
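--- a/etc/mpd.profile
+++ b/etc/mpd.profile
@@ -5,22 +5,17 @@ include /etc/firejail/mpd.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /boot
-blacklist /media
-blacklist /mnt
-blacklist /opt
 
-whitelist ${HOME}/.config/pulse/
-whitelist ${HOME}/.mpdconf
-whitelist ${HOME}/.pulse/
-whitelist ${HOME}/Music
-whitelist ${HOME}/mpd
-include /etc/firejail/whitelist-common.inc
+noblacklist ${HOME}/.mpdconf
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 
 caps.drop all
 noroot
 seccomp
 
-private-bin mpd,bash
+#private-bin mpd,bash
 private-dev
-read-only ${HOME}/Music/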
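Review bot: Dropping `read-only ${HOME}/Music/` on the last line of the hunk makes the music library writable from inside the mpd sandbox, and a music daemon only needs to read it. With the whitelist gone the directory is presumably still reachable through the ordinary ${HOME} mount, so the `read-only` line still applies and should be kept unless there is a reason not visible here. `#private-bin mpd,bash` is likewise disabled without a note on what broke; if mpd needs extra helpers, adding them to the list is safer than exposing the whole of the host's /bin.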
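--- a/etc/natron.profile
+++ b/etc/natron.profile
@@ -5,30 +5,22 @@ include /etc/firejail/natron.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# Contributed by triceratops1 (https://github.com/triceratops1)
 
-blacklist /boot
-blacklist /media
-blacklist /mnt
-blacklist /usr/local/bin
-blacklist /usr/local/sbin
+noblacklist ${HOME}/.Natron
+noblacklist ${HOME}/.cache/INRIA/Natron/
+noblacklist ${HOME}/.config/INRIA/
+noblacklist /opt/natron/
 
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.Natron
-whitelist ${HOME}/.cache/INRIA/Natron/
-whitelist ${HOME}/.config/INRIA/
-whitelist ${HOME}/.gtkrc-2.0
-whitelist ${HOME}/.themes
-whitelist ${HOME}/Videos
-whitelist /opt/natron/
-whitelist /tmp/.X11-unix/
-include /etc/firejail/whitelist-common.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 
 ipc-namespace
 shell none
 
 private-bin natron
-private-etc fonts,X11,pulse
+#private-etc fonts,X11,pulse
 
 noexec ${HOME}
 noexec /tmp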
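Review bot: `noblacklist /opt/natron/` on the new side only does something if one of the disable-*.inc files blacklists /opt, and that cannot be confirmed from this hunk; if none does, the line is dead and a comment should name the include it is meant to override. With `private-etc fonts,X11,pulse` commented out and the whitelist gone, the sandbox now sees the host's /etc plus whatever in ${HOME} the includes do not cover, while only `noexec ${HOME}` and `private-bin natron` remain; a one-line note such as `# private-etc disabled: <what failed>` would let it be restored. The `blacklist /usr/local/bin` and `blacklist /usr/local/sbin` lines are removed with no replacement in this hunk, and whether disable-common.inc covers those paths is not visible here. The hunk also drops the contributor attribution line; git history keeps it, but if the project credits contributors in profiles the line should stay.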
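--- a/etc/ricochet.profile
+++ b/etc/ricochet.profile
@@ -5,14 +5,16 @@ include /etc/firejail/ricochet.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /boot
-blacklist /media
-blacklist /mnt
-blacklist /opt
+
+noblacklist ${HOME}/.local/share/Ricochet
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.local/share/Ricochet
-whitelist /tmp/.X11-unix
 include /etc/firejail/whitelist-common.inc
 
 caps.drop all
@@ -24,7 +26,7 @@ shell none
 
 private-bin ricochet,tor
 private-dev
-private-etc fonts,tor,X11,alternatives
+#private-etc fonts,tor,X11,alternatives
 
 noexec /home
 noexec /tmp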
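Review bot: `#private-etc fonts,tor,X11,alternatives` in the second hunk gives an anonymity client the host's entire /etc, a much larger surface than the four entries it replaces, and nothing in the hunk says which file was missing. If ricochet or the bundled tor failed to start under the private /etc, adding the missing entry to the list is the safer fix; otherwise a comment like `# private-etc disabled: <reason>` keeps the change reviewable. The first hunk keeps `whitelist ${DOWNLOADS}`, `whitelist ${HOME}/.local/share/Ricochet` and whitelist-common.inc, so ${HOME} presumably stays restricted, which makes the unrestricted /etc the odd one out in this profile.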
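--- a/etc/shotcut.profile
+++ b/etc/shotcut.profile
@@ -5,13 +5,13 @@ include /etc/firejail/shotcut.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /usr/local/bin
 
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.config/Meltytech
-whitelist ${HOME}/Videos
-whitelist /tmp/.X11-unix
-include /etc/firejail/whitelist-common.inc
+noblacklist ${HOME}/.config/Meltytech
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
@@ -22,7 +22,7 @@ shell none
 
 private-bin shotcut,melt,qmelt,nice
 private-dev
-private-etc X11,alternatives,pulse,fonts
+#private-etc X11,alternatives,pulse,fonts
 
 noexec ${HOME}
 noexec /tmp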
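Review bot: `#private-etc X11,alternatives,pulse,fonts` in the second hunk leaves shotcut with the host's whole /etc while `net none`, `private-dev` and `noexec ${HOME}` are kept, so the profile is now inconsistent about how tight it wants to be, and no comment records what the private /etc broke. Either add the missing entry to the list or write `# private-etc disabled: <what failed>` above the line so it can be re-enabled. In the first hunk `blacklist /usr/local/bin` is removed with no replacement visible here; `private-bin shotcut,melt,qmelt,nice` remains, but whether it also covers /usr/local/bin depends on the firejail version and cannot be confirmed from the hunk.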
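--- a/etc/tor-browser-en.profile
+++ b/etc/tor-browser-en.profile
@@ -5,26 +5,15 @@ include /etc/firejail/tor-browser-en.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /boot
-blacklist /media
-blacklist /mnt
-blacklist /opt
-blacklist /usr/local/bin
-blacklist /var
+
+noblacklist ${HOME}/.tor-browser-en
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 
 whitelist ${HOME}/.tor-browser-en
-whitelist /dev/dri
-whitelist /dev/full
-whitelist /dev/null
-whitelist /dev/ptmx
-whitelist /dev/pts
-whitelist /dev/random
-whitelist /dev/shm
-whitelist /dev/snd
-whitelist /dev/tty
-whitelist /dev/urandom
-whitelist /dev/video0
-whitelist /dev/zero
 include /etc/firejail/whitelist-common.inc
 
 caps.drop all
@@ -33,9 +22,6 @@ seccomp
 shell none
 
 private-bin bash,grep,sed,tail,tor-browser-en,env,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf,file,expr
-# FIXME: Spoof D-Bus machine id (tor-browser segfaults when it is missing!)
-# https://github.com/netblue30/firejail/issues/955
-private-etc X11,pulse,machine-id
 private-tmp
 
 noexec /tmp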
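Review bot: The second hunk deletes `private-etc X11,pulse,machine-id` together with the FIXME and the issue link that explained why `machine-id` had to be in the list, whereas the other profiles in this commit only comment such lines out; the Tor Browser sandbox now gets the full host /etc and the file no longer records the segfault that motivated the entry. Keeping the two comment lines and `#private-etc X11,pulse,machine-id` would preserve the reason and make re-enabling a one-character change. In the first hunk the `/dev/*` whitelist entries are dropped, which is only harmless if `private-dev` is set elsewhere in the profile, outside this hunk. Minor: the unchanged `private-bin` line lists `sed` twice.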
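--- a/etc/tor.profile
+++ b/etc/tor.profile
@@ -8,6 +8,7 @@ include /etc/firejail/globals.local
 # How to use:
 # Create a script called anything (e.g. mytor)
 # with the following contents:
+
 # #!/bin/bash
 # TORCMD="tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 1"
 # sudo -b daemon -f -d -- firejail --profile=/home/<username>/.config/firejail/tor.profile $TORCMD
@@ -15,10 +16,10 @@ include /etc/firejail/globals.local
 # You'll also likely want to disable the system service (if it exists)
 # Run mytor (or whatever you called the script above) whenever you want to start tor
 
-blacklist /boot
-blacklist /media
-blacklist /mnt
-blacklist /opt
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 
 caps.keep setuid,setgid,net_bind_service,dac_read_search
 ipc-namespace
@@ -29,7 +30,6 @@ nosound
 seccomp
 shell none
 writable-var
-x11 none
 
 private
 private-bin tor,bash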
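Review bot: The third hunk removes `x11 none` from the profile of a headless daemon, and neither the hunk nor the commit message says why; that line is presumably what denied the sandbox the X11 socket and DISPLAY, so unless something outside this hunk replaces it the tor process can now reach a running X server. If it was dropped because the sudo/daemon invocation in the header comment has no display and the option caused an error, a comment to that effect belongs next to the removal; otherwise `x11 none` should stay. The second hunk adds the four disable-*.inc includes to a profile that also sets `private`, which looks harmless but is worth a one-line comment since those includes target the interactive user's ${HOME}.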
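--- a/etc/x-terminal-emulator.profile
+++ b/etc/x-terminal-emulator.profile
@@ -6,13 +6,7 @@ include /etc/firejail/x-terminal-emulator.local
 include /etc/firejail/globals.local
 
 
-whitelist /tmp/.X11-unix/X470
-whitelist /tmp/fcitx-socket-:0
-whitelist /tmp/user/1000/
-include /etc/firejail/whitelist-common.inc
-
 caps.drop all
-env DISPLAY=:470
 ipc-namespace
 net none
 netfilter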
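--- a/etc/zart.profile
+++ b/etc/zart.profile
@@ -5,12 +5,11 @@ include /etc/firejail/zart.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# Contributed by triceratops1 (https://github.com/triceratops1)
 
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/Videos
-whitelist /tmp/.X11-unix
-include /etc/firejail/whitelist-common.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 
 caps.drop all
 ipc-namespace
@@ -21,7 +20,6 @@ shell none
 
 private-bin zart,ffmpeg,melt,ffprobe,ffplay
 private-dev
-private-etc fonts,X11
 
 noexec ${HOME}
 noexec /tmp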
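Review bot: `private-etc fonts,X11` is deleted outright in the second hunk while the sibling profiles in this commit comment the line out, so the file keeps no trace of why the private /etc was dropped and the sandbox now reads the host's full /etc. Restoring it as `#private-etc fonts,X11` with a one-line reason would keep the intent visible and re-enabling trivial. The first hunk replaces the whitelist with the disable-*.inc includes but adds no `noblacklist` line, so whether zart's own configuration is still reachable depends on what those includes blacklist, which is not visible here; `noexec ${HOME}` and `private-bin zart,ffmpeg,melt,ffprobe,ffplay` remain and partly compensate for the wider ${HOME} view.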