Merge branch 'master' of http://github.com/netblue30/firejail

author: netblue30 <netblue30@yahoo.com> 2017-09-25 11:20:40 -0400
committer: netblue30 <netblue30@yahoo.com> 2017-09-25 11:20:40 -0400
commit: 96fcbcbbbfb360937197c95f2b7b85d09bdb95d9 (patch)
tree: 9ac73467d1cf964a7c75b9658dbe5457960c9f41
parent: fix firecfg (diff)
parent: add whitelist-var-common to some profiles (diff)
download: firejail-96fcbcbbbfb360937197c95f2b7b85d09bdb95d9.tar.gz
firejail-96fcbcbbbfb360937197c95f2b7b85d09bdb95d9.tar.zst
firejail-96fcbcbbbfb360937197c95f2b7b85d09bdb95d9.zip
25 files changed, 49 insertions, 12 deletions
diff --git a/etc/ark.profile b/etc/ark.profile
index 38bd5246e..ba9cb1134 100644
--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/atril.profile b/etc/atril.profile
index 2e4af9086..052b41655 100644
--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 no3d
 nodvd
diff --git a/etc/audacious.profile b/etc/audacious.profile
index 52e701821..7e2b91773 100644
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
 nogroups
diff --git a/etc/audacity.profile b/etc/audacity.profile
index 9fbc2b16d..88aea243e 100644
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 net none
 no3d
diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile
index 4e603971f..2c2d70c00 100644
--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -17,6 +17,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 no3d
 nodvd
@@ -29,8 +31,10 @@ novideo
 protocol unix
 # Baloo makes ioprio_set system calls, which are blacklisted by default.
 seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+shell none
 x11 xorg
+private-bin baloo_file,baloo_file_extractor,kbuildsycoca4
 private-dev
 private-tmp
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index ad589890c..4779b0aae 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -378,6 +378,7 @@ blacklist ${HOME}/.synfig
 blacklist ${HOME}/.tconn
 blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.tooling
+blacklist ${HOME}/.tor-browser-en
 blacklist ${HOME}/.ts3client
 blacklist ${HOME}/.tuxguitar*
 blacklist ${HOME}/.unknow-horizons
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index 86af9c7b3..6d4f6349a 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -9,7 +9,6 @@ blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
-noblacklist /var/log
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -31,4 +30,4 @@ private
 private-dev
 # mdwe can break modules/plugins
-# memory-deny-write-execute
+memory-deny-write-execute
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile
index d4cd0530e..2a1302adb 100644
--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -9,7 +9,6 @@ blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
-noblacklist /var/log
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/engrampa.profile b/etc/engrampa.profile
index 7bc5e7481..c198adba9 100644
--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 # net none - makes settings immutable
 no3d
diff --git a/etc/eog.profile b/etc/eog.profile
index e5161b313..5ff926371 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 # net none - makes settings immutable
 no3d
diff --git a/etc/eom.profile b/etc/eom.profile
index 3fb1fcaf4..802578959 100644
--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 # net none - makes settings immutable
 no3d
diff --git a/etc/evince.profile b/etc/evince.profile
index 2c7c754d8..466260c49 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 caps.drop all
+# net none breaks AppArmor on Ubuntu systems
 netfilter
 no3d
 nodvd
@@ -28,7 +29,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-# net none breaks AppArmor on Ubuntu systems
 private-bin evince,evince-previewer,evince-thumbnailer
 private-dev
diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile
index e098c95e3..5db39cf61 100644
--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -1,4 +1,4 @@
-# Firejail profile for default
+# Firejail profile for ffmpeg
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 net none
 no3d
@@ -23,11 +25,11 @@ noroot
 # protocol none - needs to be implemented!
 seccomp
 # seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom
-# memory-deny-write-execute - it breaks old versions of ffmpeg
 shell none
 tracelog
-private-tmp
-private-dev
 private-bin ffmpeg
-include /etc/firejail/whitelist-var-common.inc
+private-dev
+private-tmp
+# memory-deny-write-execute - it breaks old versions of ffmpeg
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index 8484aa162..01e689b9d 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 # net none - makes settings immutable
 no3d
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
index 7f1577afe..2b025e56c 100644
--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -19,6 +19,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 nodvd
 nogroups
diff --git a/etc/konversation.profile b/etc/konversation.profile
index 8ffc43487..7d09857ba 100644
--- a/etc/konversation.profile
+++ b/etc/konversation.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/ktorrent.profile b/etc/ktorrent.profile
index c0b37df3c..e95bc23ca 100644
--- a/etc/ktorrent.profile
+++ b/etc/ktorrent.profile
@@ -31,6 +31,7 @@ whitelist ~/.kde4/share/apps/ktorrent
 whitelist ~/.kde4/share/config/ktorrentrc
 whitelist ~/.local/share/ktorrent
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
diff --git a/etc/mediathekview.profile b/etc/mediathekview.profile
index 1cda5022d..dc9946794 100644
--- a/etc/mediathekview.profile
+++ b/etc/mediathekview.profile
@@ -21,6 +21,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/musescore.profile b/etc/musescore.profile
index b039d07b2..b3d04c08f 100644
--- a/etc/musescore.profile
+++ b/etc/musescore.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
 no3d
diff --git a/etc/okular.profile b/etc/okular.profile
index 94736fbae..60390e4d8 100644
--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -36,7 +36,7 @@ seccomp
 shell none
 tracelog
-# private-bin okular,kbuildsycoca4,lpr
+# private-bin okular,kbuildsycoca4,kdeinit4,lpr
 private-dev
 # private-etc fonts,X11
 private-tmp
diff --git a/etc/scribus.profile b/etc/scribus.profile
index 38f1e5b3c..1b2d0c0b8 100644
--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -26,6 +26,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 net none
 nodvd
diff --git a/etc/tuxguitar.profile b/etc/tuxguitar.profile
index fbc198cc3..30e2a619d 100644
--- a/etc/tuxguitar.profile
+++ b/etc/tuxguitar.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
 no3d
diff --git a/etc/unbound.profile b/etc/unbound.profile
index 2a38aa7c6..d380b5698 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -9,7 +9,6 @@ blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
-noblacklist /var/log
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -31,4 +30,4 @@ private
 private-dev
 # mdwe can break modules/plugins
-# memory-deny-write-execute
+memory-deny-write-execute
diff --git a/etc/xreader.profile b/etc/xreader.profile
index c02b9a014..bebcb262f 100644
--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -14,6 +14,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 no3d
 nodvd
diff --git a/etc/xviewer.profile b/etc/xviewer.profile
index b9ff3948a..53f2a0c82 100644
--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 # net none - makes settings immutable
 no3d
author	netblue30 <netblue30@yahoo.com>	2017-09-25 11:20:40 -0400
committer	netblue30 <netblue30@yahoo.com>	2017-09-25 11:20:40 -0400
commit	96fcbcbbbfb360937197c95f2b7b85d09bdb95d9 (patch)
tree	9ac73467d1cf964a7c75b9658dbe5457960c9f41
parent	fix firecfg (diff)
parent	add whitelist-var-common to some profiles (diff)
download	firejail-96fcbcbbbfb360937197c95f2b7b85d09bdb95d9.tar.gz firejail-96fcbcbbbfb360937197c95f2b7b85d09bdb95d9.tar.zst firejail-96fcbcbbbfb360937197c95f2b7b85d09bdb95d9.zip

diff --git a/etc/ark.profile b/etc/ark.profile index 38bd5246e..ba9cb1134 100644 --- a/etc/ark.profile +++ b/etc/ark.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
12	include /etc/firejail/disable-passwdmgr.inc	12	include /etc/firejail/disable-passwdmgr.inc
13	include /etc/firejail/disable-programs.inc	13	include /etc/firejail/disable-programs.inc
14		14
		15	include /etc/firejail/whitelist-var-common.inc
		16
15	caps.drop all	17	caps.drop all
16	netfilter	18	netfilter
17	nodvd	19	nodvd


diff --git a/etc/atril.profile b/etc/atril.profile index 2e4af9086..052b41655 100644 --- a/etc/atril.profile +++ b/etc/atril.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
13	include /etc/firejail/disable-passwdmgr.inc	13	include /etc/firejail/disable-passwdmgr.inc
14	include /etc/firejail/disable-programs.inc	14	include /etc/firejail/disable-programs.inc
15		15
		16	include /etc/firejail/whitelist-var-common.inc
		17
16	caps.drop all	18	caps.drop all
17	no3d	19	no3d
18	nodvd	20	nodvd


diff --git a/etc/audacious.profile b/etc/audacious.profile index 52e701821..7e2b91773 100644 --- a/etc/audacious.profile +++ b/etc/audacious.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
13	include /etc/firejail/disable-passwdmgr.inc	13	include /etc/firejail/disable-passwdmgr.inc
14	include /etc/firejail/disable-programs.inc	14	include /etc/firejail/disable-programs.inc
15		15
		16	include /etc/firejail/whitelist-var-common.inc
		17
16	caps.drop all	18	caps.drop all
17	netfilter	19	netfilter
18	nogroups	20	nogroups


diff --git a/etc/audacity.profile b/etc/audacity.profile index 9fbc2b16d..88aea243e 100644 --- a/etc/audacity.profile +++ b/etc/audacity.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
12	include /etc/firejail/disable-passwdmgr.inc	12	include /etc/firejail/disable-passwdmgr.inc
13	include /etc/firejail/disable-programs.inc	13	include /etc/firejail/disable-programs.inc
14		14
		15	include /etc/firejail/whitelist-var-common.inc
		16
15	caps.drop all	17	caps.drop all
16	net none	18	net none
17	no3d	19	no3d


diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile index 4e603971f..2c2d70c00 100644 --- a/etc/baloo_file.profile +++ b/etc/baloo_file.profile
@@ -17,6 +17,8 @@ include /etc/firejail/disable-devel.inc
17	include /etc/firejail/disable-passwdmgr.inc	17	include /etc/firejail/disable-passwdmgr.inc
18	include /etc/firejail/disable-programs.inc	18	include /etc/firejail/disable-programs.inc
19		19
		20	include /etc/firejail/whitelist-var-common.inc
		21
20	caps.drop all	22	caps.drop all
21	no3d	23	no3d
22	nodvd	24	nodvd
@@ -29,8 +31,10 @@ novideo
29	protocol unix	31	protocol unix
30	# Baloo makes ioprio_set system calls, which are blacklisted by default.	32	# Baloo makes ioprio_set system calls, which are blacklisted by default.
31	seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice	33	seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
		34	shell none
32	x11 xorg	35	x11 xorg
33		36
		37	private-bin baloo_file,baloo_file_extractor,kbuildsycoca4
34	private-dev	38	private-dev
35	private-tmp	39	private-tmp
36		40


diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index ad589890c..4779b0aae 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc
@@ -378,6 +378,7 @@ blacklist ${HOME}/.synfig
378	blacklist ${HOME}/.tconn	378	blacklist ${HOME}/.tconn
379	blacklist ${HOME}/.thunderbird	379	blacklist ${HOME}/.thunderbird
380	blacklist ${HOME}/.tooling	380	blacklist ${HOME}/.tooling
		381	blacklist ${HOME}/.tor-browser-en
381	blacklist ${HOME}/.ts3client	382	blacklist ${HOME}/.ts3client
382	blacklist ${HOME}/.tuxguitar*	383	blacklist ${HOME}/.tuxguitar*
383	blacklist ${HOME}/.unknow-horizons	384	blacklist ${HOME}/.unknow-horizons


diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile index 86af9c7b3..6d4f6349a 100644 --- a/etc/dnscrypt-proxy.profile +++ b/etc/dnscrypt-proxy.profile
@@ -9,7 +9,6 @@ blacklist /tmp/.X11-unix
9		9
10	noblacklist /sbin	10	noblacklist /sbin
11	noblacklist /usr/sbin	11	noblacklist /usr/sbin
12	noblacklist /var/log
13		12
14	include /etc/firejail/disable-common.inc	13	include /etc/firejail/disable-common.inc
15	include /etc/firejail/disable-devel.inc	14	include /etc/firejail/disable-devel.inc
@@ -31,4 +30,4 @@ private
31	private-dev	30	private-dev
32		31
33	# mdwe can break modules/plugins	32	# mdwe can break modules/plugins
34	# memory-deny-write-execute	33	memory-deny-write-execute


diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile index d4cd0530e..2a1302adb 100644 --- a/etc/dnsmasq.profile +++ b/etc/dnsmasq.profile
@@ -9,7 +9,6 @@ blacklist /tmp/.X11-unix
9		9
10	noblacklist /sbin	10	noblacklist /sbin
11	noblacklist /usr/sbin	11	noblacklist /usr/sbin
12	noblacklist /var/log
13		12
14	include /etc/firejail/disable-common.inc	13	include /etc/firejail/disable-common.inc
15	include /etc/firejail/disable-devel.inc	14	include /etc/firejail/disable-devel.inc


diff --git a/etc/engrampa.profile b/etc/engrampa.profile index 7bc5e7481..c198adba9 100644 --- a/etc/engrampa.profile +++ b/etc/engrampa.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
11	include /etc/firejail/disable-passwdmgr.inc	11	include /etc/firejail/disable-passwdmgr.inc
12	include /etc/firejail/disable-programs.inc	12	include /etc/firejail/disable-programs.inc
13		13
		14	include /etc/firejail/whitelist-var-common.inc
		15
14	caps.drop all	16	caps.drop all
15	# net none - makes settings immutable	17	# net none - makes settings immutable
16	no3d	18	no3d


diff --git a/etc/eog.profile b/etc/eog.profile index e5161b313..5ff926371 100644 --- a/etc/eog.profile +++ b/etc/eog.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
15	include /etc/firejail/disable-passwdmgr.inc	15	include /etc/firejail/disable-passwdmgr.inc
16	include /etc/firejail/disable-programs.inc	16	include /etc/firejail/disable-programs.inc
17		17
		18	include /etc/firejail/whitelist-var-common.inc
		19
18	caps.drop all	20	caps.drop all
19	# net none - makes settings immutable	21	# net none - makes settings immutable
20	no3d	22	no3d


diff --git a/etc/eom.profile b/etc/eom.profile index 3fb1fcaf4..802578959 100644 --- a/etc/eom.profile +++ b/etc/eom.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
15	include /etc/firejail/disable-passwdmgr.inc	15	include /etc/firejail/disable-passwdmgr.inc
16	include /etc/firejail/disable-programs.inc	16	include /etc/firejail/disable-programs.inc
17		17
		18	include /etc/firejail/whitelist-var-common.inc
		19
18	caps.drop all	20	caps.drop all
19	# net none - makes settings immutable	21	# net none - makes settings immutable
20	no3d	22	no3d


diff --git a/etc/evince.profile b/etc/evince.profile index 2c7c754d8..466260c49 100644 --- a/etc/evince.profile +++ b/etc/evince.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
15	include /etc/firejail/whitelist-var-common.inc	15	include /etc/firejail/whitelist-var-common.inc
16		16
17	caps.drop all	17	caps.drop all
		18	# net none breaks AppArmor on Ubuntu systems
18	netfilter	19	netfilter
19	no3d	20	no3d
20	nodvd	21	nodvd
@@ -28,7 +29,6 @@ protocol unix
28	seccomp	29	seccomp
29	shell none	30	shell none
30	tracelog	31	tracelog
31	# net none breaks AppArmor on Ubuntu systems
32		32
33	private-bin evince,evince-previewer,evince-thumbnailer	33	private-bin evince,evince-previewer,evince-thumbnailer
34	private-dev	34	private-dev


diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile index e098c95e3..5db39cf61 100644 --- a/etc/ffmpeg.profile +++ b/etc/ffmpeg.profile
@@ -1,4 +1,4 @@
1	# Firejail profile for default	1	# Firejail profile for ffmpeg
2	# This file is overwritten after every install/update	2	# This file is overwritten after every install/update
3	quiet	3	quiet
4	# Persistent local customizations	4	# Persistent local customizations
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
11	include /etc/firejail/disable-passwdmgr.inc	11	include /etc/firejail/disable-passwdmgr.inc
12	include /etc/firejail/disable-programs.inc	12	include /etc/firejail/disable-programs.inc
13		13
		14	include /etc/firejail/whitelist-var-common.inc
		15
14	caps.drop all	16	caps.drop all
15	net none	17	net none
16	no3d	18	no3d
@@ -23,11 +25,11 @@ noroot
23	# protocol none - needs to be implemented!	25	# protocol none - needs to be implemented!
24	seccomp	26	seccomp
25	# seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom	27	# seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom
26	# memory-deny-write-execute - it breaks old versions of ffmpeg
27	shell none	28	shell none
28	tracelog	29	tracelog
29		30
30	private-tmp
31	private-dev
32	private-bin ffmpeg	31	private-bin ffmpeg
33	include /etc/firejail/whitelist-var-common.inc	32	private-dev
		33	private-tmp
		34
		35	# memory-deny-write-execute - it breaks old versions of ffmpeg


diff --git a/etc/file-roller.profile b/etc/file-roller.profile index 8484aa162..01e689b9d 100644 --- a/etc/file-roller.profile +++ b/etc/file-roller.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
11	include /etc/firejail/disable-passwdmgr.inc	11	include /etc/firejail/disable-passwdmgr.inc
12	include /etc/firejail/disable-programs.inc	12	include /etc/firejail/disable-programs.inc
13		13
		14	include /etc/firejail/whitelist-var-common.inc
		15
14	caps.drop all	16	caps.drop all
15	# net none - makes settings immutable	17	# net none - makes settings immutable
16	no3d	18	no3d


diff --git a/etc/gwenview.profile b/etc/gwenview.profile index 7f1577afe..2b025e56c 100644 --- a/etc/gwenview.profile +++ b/etc/gwenview.profile
@@ -19,6 +19,8 @@ include /etc/firejail/disable-devel.inc
19	include /etc/firejail/disable-passwdmgr.inc	19	include /etc/firejail/disable-passwdmgr.inc
20	include /etc/firejail/disable-programs.inc	20	include /etc/firejail/disable-programs.inc
21		21
		22	include /etc/firejail/whitelist-var-common.inc
		23
22	caps.drop all	24	caps.drop all
23	nodvd	25	nodvd
24	nogroups	26	nogroups


diff --git a/etc/konversation.profile b/etc/konversation.profile index 8ffc43487..7d09857ba 100644 --- a/etc/konversation.profile +++ b/etc/konversation.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
11	include /etc/firejail/disable-passwdmgr.inc	11	include /etc/firejail/disable-passwdmgr.inc
12	include /etc/firejail/disable-programs.inc	12	include /etc/firejail/disable-programs.inc
13		13
		14	include /etc/firejail/whitelist-var-common.inc
		15
14	caps.drop all	16	caps.drop all
15	netfilter	17	netfilter
16	nodvd	18	nodvd


diff --git a/etc/ktorrent.profile b/etc/ktorrent.profile index c0b37df3c..e95bc23ca 100644 --- a/etc/ktorrent.profile +++ b/etc/ktorrent.profile
@@ -31,6 +31,7 @@ whitelist ~/.kde4/share/apps/ktorrent
31	whitelist ~/.kde4/share/config/ktorrentrc	31	whitelist ~/.kde4/share/config/ktorrentrc
32	whitelist ~/.local/share/ktorrent	32	whitelist ~/.local/share/ktorrent
33	include /etc/firejail/whitelist-common.inc	33	include /etc/firejail/whitelist-common.inc
		34	include /etc/firejail/whitelist-var-common.inc
34		35
35	caps.drop all	36	caps.drop all
36	netfilter	37	netfilter


diff --git a/etc/mediathekview.profile b/etc/mediathekview.profile index 1cda5022d..dc9946794 100644 --- a/etc/mediathekview.profile +++ b/etc/mediathekview.profile
@@ -21,6 +21,8 @@ include /etc/firejail/disable-devel.inc
21	include /etc/firejail/disable-passwdmgr.inc	21	include /etc/firejail/disable-passwdmgr.inc
22	include /etc/firejail/disable-programs.inc	22	include /etc/firejail/disable-programs.inc
23		23
		24	include /etc/firejail/whitelist-var-common.inc
		25
24	caps.drop all	26	caps.drop all
25	netfilter	27	netfilter
26	nodvd	28	nodvd


diff --git a/etc/musescore.profile b/etc/musescore.profile index b039d07b2..b3d04c08f 100644 --- a/etc/musescore.profile +++ b/etc/musescore.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
15	include /etc/firejail/disable-passwdmgr.inc	15	include /etc/firejail/disable-passwdmgr.inc
16	include /etc/firejail/disable-programs.inc	16	include /etc/firejail/disable-programs.inc
17		17
		18	include /etc/firejail/whitelist-var-common.inc
		19
18	caps.drop all	20	caps.drop all
19	netfilter	21	netfilter
20	no3d	22	no3d


diff --git a/etc/okular.profile b/etc/okular.profile index 94736fbae..60390e4d8 100644 --- a/etc/okular.profile +++ b/etc/okular.profile
@@ -36,7 +36,7 @@ seccomp
36	shell none	36	shell none
37	tracelog	37	tracelog
38		38
39	# private-bin okular,kbuildsycoca4,lpr	39	# private-bin okular,kbuildsycoca4,kdeinit4,lpr
40	private-dev	40	private-dev
41	# private-etc fonts,X11	41	# private-etc fonts,X11
42	private-tmp	42	private-tmp


diff --git a/etc/scribus.profile b/etc/scribus.profile index 38f1e5b3c..1b2d0c0b8 100644 --- a/etc/scribus.profile +++ b/etc/scribus.profile
@@ -26,6 +26,8 @@ include /etc/firejail/disable-devel.inc
26	include /etc/firejail/disable-passwdmgr.inc	26	include /etc/firejail/disable-passwdmgr.inc
27	include /etc/firejail/disable-programs.inc	27	include /etc/firejail/disable-programs.inc
28		28
		29	include /etc/firejail/whitelist-var-common.inc
		30
29	caps.drop all	31	caps.drop all
30	net none	32	net none
31	nodvd	33	nodvd


diff --git a/etc/tuxguitar.profile b/etc/tuxguitar.profile index fbc198cc3..30e2a619d 100644 --- a/etc/tuxguitar.profile +++ b/etc/tuxguitar.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
13	include /etc/firejail/disable-passwdmgr.inc	13	include /etc/firejail/disable-passwdmgr.inc
14	include /etc/firejail/disable-programs.inc	14	include /etc/firejail/disable-programs.inc
15		15
		16	include /etc/firejail/whitelist-var-common.inc
		17
16	caps.drop all	18	caps.drop all
17	netfilter	19	netfilter
18	no3d	20	no3d


diff --git a/etc/unbound.profile b/etc/unbound.profile index 2a38aa7c6..d380b5698 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile
@@ -9,7 +9,6 @@ blacklist /tmp/.X11-unix
9		9
10	noblacklist /sbin	10	noblacklist /sbin
11	noblacklist /usr/sbin	11	noblacklist /usr/sbin
12	noblacklist /var/log
13		12
14	include /etc/firejail/disable-common.inc	13	include /etc/firejail/disable-common.inc
15	include /etc/firejail/disable-devel.inc	14	include /etc/firejail/disable-devel.inc
@@ -31,4 +30,4 @@ private
31	private-dev	30	private-dev
32		31
33	# mdwe can break modules/plugins	32	# mdwe can break modules/plugins
34	# memory-deny-write-execute	33	memory-deny-write-execute


diff --git a/etc/xreader.profile b/etc/xreader.profile index c02b9a014..bebcb262f 100644 --- a/etc/xreader.profile +++ b/etc/xreader.profile
@@ -14,6 +14,8 @@ include /etc/firejail/disable-devel.inc
14	include /etc/firejail/disable-passwdmgr.inc	14	include /etc/firejail/disable-passwdmgr.inc
15	include /etc/firejail/disable-programs.inc	15	include /etc/firejail/disable-programs.inc
16		16
		17	include /etc/firejail/whitelist-var-common.inc
		18
17	caps.drop all	19	caps.drop all
18	no3d	20	no3d
19	nodvd	21	nodvd


diff --git a/etc/xviewer.profile b/etc/xviewer.profile index b9ff3948a..53f2a0c82 100644 --- a/etc/xviewer.profile +++ b/etc/xviewer.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
15	include /etc/firejail/disable-passwdmgr.inc	15	include /etc/firejail/disable-passwdmgr.inc
16	include /etc/firejail/disable-programs.inc	16	include /etc/firejail/disable-programs.inc
17		17
		18	include /etc/firejail/whitelist-var-common.inc
		19
18	caps.drop all	20	caps.drop all
19	# net none - makes settings immutable	21	# net none - makes settings immutable
20	no3d	22	no3d