authorLibravatar rusty-snake <41237666+rusty-snake@users.noreply.github.com>2020-12-17 08:45:35 +0000
committerLibravatar GitHub <noreply@github.com>2020-12-17 08:45:35 +0000
commitf4f6767458208a127084e4c0103fab88761d9056 (patch)
treeff349c113ca4f3fc70cd9839a1775bb49092cab3
parentArchiver fixes - drop private-bin (#3832) (diff)
Refactor electron.profile and electron based programs (#3807)
* Refactor electron.profile and electron based programs (1) * Refactor electron.profile and electron based programs (2) * Refactor electron.profile and electron based programs (3) * Refactor electron.profile and electron based programs (4) * Refactor electron.profile and electron based programs (5) * Refactor electron.profile and electron based programs (6) * Refactor electron.profile and electron based programs (7) * Refactor electron.profile and electron based programs (8)
-rw-r--r--etc/profile-a-l/atom.profile32
-rw-r--r--etc/profile-a-l/beaker.profile21
-rw-r--r--etc/profile-a-l/discord-common.profile37
-rw-r--r--etc/profile-a-l/electron.profile28
-rw-r--r--etc/profile-a-l/freetube.profile11
-rw-r--r--etc/profile-a-l/github-desktop.profile46
-rw-r--r--etc/profile-a-l/jitsi-meet-desktop.profile22
-rw-r--r--etc/profile-m-z/nuclear.profile15
-rw-r--r--etc/profile-m-z/riot-desktop.profile2
-rw-r--r--etc/profile-m-z/riot-web.profile8
-rw-r--r--etc/profile-m-z/rocketchat.profile20
-rw-r--r--etc/profile-m-z/signal-desktop.profile33
-rw-r--r--etc/profile-m-z/skypeforlinux.profile33
-rw-r--r--etc/profile-m-z/slack.profile33
-rw-r--r--etc/profile-m-z/teams-for-linux.profile22
-rw-r--r--etc/profile-m-z/teams.profile24
-rw-r--r--etc/profile-m-z/twitch.profile19
-rw-r--r--etc/profile-m-z/whalebird.profile22
-rw-r--r--etc/profile-m-z/wire-desktop.profile24
-rw-r--r--etc/profile-m-z/youtube.profile19
-rw-r--r--etc/profile-m-z/youtubemusic-nativefier.profile17
-rw-r--r--etc/profile-m-z/ytmdesktop.profile18
-rw-r--r--etc/profile-m-z/zoom.profile44
23 files changed, 199 insertions, 351 deletions
diff --git a/etc/profile-a-l/atom.profile b/etc/profile-a-l/atom.profile
index cf0a5a42b..f21a5febf 100644
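--- a/etc/profile-a-l/atom.profile
+++ b/etc/profile-a-l/atom.profile
@@ -6,31 +6,27 @@ include atom.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore include disable-devel.inc
+ignore include disable-interpreters.inc
+ignore include disable-xdg.inc
+ignore whitelist ${DOWNLOADS}
+ignore include whitelist-common.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore apparmor
+ignore disable-mnt
+
 noblacklist ${HOME}/.atom
 noblacklist ${HOME}/.config/Atom
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
 
-include disable-common.inc
-include disable-exec.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-caps.keep sys_admin,sys_chroot
 # net none
 netfilter
-nodvd
-nogroups
 nosound
-notv
-nou2f
-novideo
-shell none
-
-private-cache
-private-dev
-private-tmp
 
-dbus-user none
-dbus-system none
+# Redirect
+include electron.profile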
diff --git a/etc/profile-a-l/beaker.profile b/etc/profile-a-l/beaker.profile
index cc1886a49..f3a9568bd 100644
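--- a/etc/profile-a-l/beaker.profile
+++ b/etc/profile-a-l/beaker.profile
@@ -3,17 +3,26 @@
 # Persistent local customizations
 include beaker.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
 
-noblacklist ${HOME}/.config/Beaker Browser
+# Disabled until someone reported positive feedback
+ignore include disable-exec.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore nou2f
+ignore novideo
+ignore shell none
+ignore disable-mnt
+ignore private-cache
+ignore private-dev
+ignore private-tmp
 
-include disable-devel.inc
-include disable-interpreters.inc
+noblacklist ${HOME}/.config/Beaker Browser
 
 mkdir ${HOME}/.config/Beaker Browser
 whitelist ${HOME}/.config/Beaker Browser
-include whitelist-common.inc
 
 # Redirect
 include electron.profile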
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile
index 35bea4aaa..e6edbd7eb 100644
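--- a/etc/profile-a-l/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -6,33 +6,24 @@ include discord-common.local
 # added by caller profile
 #include globals.local
 
-ignore noexec ${HOME}
+# Disabled until someone reported positive feedback
+ignore include disable-interpreters.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore apparmor
+ignore disable-mnt
+ignore private-cache
+ignore dbus-user none
+ignore dbus-system none
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
+ignore noexec ${HOME}
 
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/BetterDiscord
 whitelist ${HOME}/.local/share/betterdiscordctl
-include whitelist-common.inc
-include whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-nou2f
-novideo
-protocol unix,inet,inet6,netlink
-seccomp !chroot
 
 private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
-private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl
-private-tmp
+
+# Redirect
+include electron.profile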
diff --git a/etc/profile-a-l/electron.profile b/etc/profile-a-l/electron.profile
index 9b99c7ffb..d3be07c9d 100644
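--- a/etc/profile-a-l/electron.profile
+++ b/etc/profile-a-l/electron.profile
@@ -3,25 +3,39 @@
 # This file is overwritten after every install/update
 # Persistent local customizations
 include electron.local
-# Persistent global definitions
-include globals.local
 
 include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+# Uncomment the next line (or add it to your chromium-common.local)
+# if your kernel allows unprivileged userns clone.
+#include chromium-common-hardened.inc
 
 apparmor
-caps.drop all
+caps.keep sys_admin,sys_chroot
 netfilter
 nodvd
 nogroups
-nonewprivs
-noroot
 notv
-protocol unix,inet,inet6,netlink
-seccomp
+nou2f
+novideo
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
 
 dbus-user none
 dbus-system none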
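Review bot: The shared base on the new side no longer sets `seccomp`, `nonewprivs`, `noroot`, `caps.drop all` or `protocol unix,inet,inet6,netlink`, and keeps `sys_admin,sys_chroot` instead; the only way back is the commented-out `#include chromium-common-hardened.inc`, whose contents are not shown on this page. Every profile that redirects here inherits that: discord-common, freetube, github-desktop, jitsi-meet-desktop, riot-desktop, teams, twitch, wire-desktop and youtube each delete their own `seccomp !chroot`, and whalebird deletes `protocol unix,inet,inet6`, so those applications lose a syscall or protocol filter they had before unless the user opts in. If that is the intended trade-off (presumably to keep Chromium's own sandbox working), say so next to the capability line, e.g. `# seccomp/nonewprivs/noroot are off by default here; enable chromium-common-hardened.inc where unprivileged userns is available`, and consider re-adding the filter in the profiles that were known to work with it. The opt-in comment also points at `chromium-common.local`, which looks copied from another profile; the persistent override this file actually includes is `electron.local`.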
diff --git a/etc/profile-a-l/freetube.profile b/etc/profile-a-l/freetube.profile
index 91f0caf87..20a5d609e 100644
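--- a/etc/profile-a-l/freetube.profile
+++ b/etc/profile-a-l/freetube.profile
@@ -8,24 +8,13 @@ include globals.local
 
 noblacklist ${HOME}/.config/FreeTube
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
 include disable-shell.inc
-include disable-xdg.inc
 
 mkdir ${HOME}/.config/FreeTube
 whitelist ${HOME}/.config/FreeTube
 
-seccomp !chroot
-shell none
-
-disable-mnt
 private-bin freetube
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
-private-tmp
 
 # Redirect
 include electron.profile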
diff --git a/etc/profile-a-l/github-desktop.profile b/etc/profile-a-l/github-desktop.profile
index 152396553..325c54ced 100644
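--- a/etc/profile-a-l/github-desktop.profile
+++ b/etc/profile-a-l/github-desktop.profile
@@ -6,43 +6,35 @@ include github-desktop.local
 # Persistent global definitions
 include globals.local
 
+# Note: On debian-based distributions the binary might be located in
+# /opt/GitHub Desktop/github-desktop, and therefore not be in PATH.
+# If that's the case you can start GitHub Desktop with firejail via
+# `firejail "/opt/GitHub Desktop/github-desktop"`.
+
+# Disabled until someone reported positive feedback
+ignore include disable-xdg.inc
+ignore whitelist ${DOWNLOADS}
+ignore include whitelist-common.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore apparmor
+ignore dbus-user none
+ignore dbus-system none
+
 noblacklist ${HOME}/.config/GitHub Desktop
 noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 
-include disable-common.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-
-caps.drop all
-netfilter
 # no3d
-nodvd
-nogroups
-nonewprivs
-noroot
 nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6,netlink
-seccomp !chroot
 
-# Note: On debian-based distributions the binary might be located in
-# /opt/GitHub Desktop/github-desktop, and therefore not be in PATH.
-# If that's the case you can start GitHub Desktop with firejail via
-# `firejail "/opt/GitHub Desktop/github-desktop"`.
-
-disable-mnt
 # private-bin github-desktop
-private-cache
 ?HAS_APPIMAGE: ignore private-dev
-private-dev
 # private-lib
-private-tmp
 
 # memory-deny-write-execute
+
+# Redirect
+include electron.profile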
diff --git a/etc/profile-a-l/jitsi-meet-desktop.profile b/etc/profile-a-l/jitsi-meet-desktop.profile
index c4121d835..e5beb741a 100644
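--- a/etc/profile-a-l/jitsi-meet-desktop.profile
+++ b/etc/profile-a-l/jitsi-meet-desktop.profile
@@ -6,34 +6,22 @@ include jitsi-meet-desktop.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore nou2f
+ignore novideo
+ignore shell none
+
 ignore noexec /tmp
 
 noblacklist ${HOME}/.config/Jitsi Meet
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-xdg.inc
-
 nowhitelist ${DOWNLOADS}
 
 mkdir ${HOME}/.config/Jitsi Meet
-
 whitelist ${HOME}/.config/Jitsi Meet
 
-include whitelist-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-runuser-common.inc
-include whitelist-var-common.inc
-
-seccomp !chroot
-
-disable-mnt
 private-bin bash,jitsi-meet-desktop
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
-private-tmp
 
 # Redirect
 include electron.profile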
diff --git a/etc/profile-m-z/nuclear.profile b/etc/profile-m-z/nuclear.profile
index 1b97eda9b..a7c091196 100644
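--- a/etc/profile-m-z/nuclear.profile
+++ b/etc/profile-m-z/nuclear.profile
@@ -10,31 +10,16 @@ ignore dbus-user
 
 noblacklist ${HOME}/.config/nuclear
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
 include disable-shell.inc
-include disable-xdg.inc
 
 mkdir ${HOME}/.config/nuclear
 whitelist ${HOME}/.config/nuclear
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
 
 no3d
-nou2f
-novideo
-shell none
 
-disable-mnt
 # private-bin nuclear
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt nuclear
-private-tmp
 
 # Redirect
 include electron.profile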
diff --git a/etc/profile-m-z/riot-desktop.profile b/etc/profile-m-z/riot-desktop.profile
index 4372fabe1..e91d25196 100644
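--- a/etc/profile-m-z/riot-desktop.profile
+++ b/etc/profile-m-z/riot-desktop.profile
@@ -7,7 +7,5 @@ include riot-desktop.local
 # added by included profile
 #include globals.local
 
-seccomp !chroot
-
 # Redirect
 include riot-web.profile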
diff --git a/etc/profile-m-z/riot-web.profile b/etc/profile-m-z/riot-web.profile
index b930adf2b..c48fd1542 100644
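--- a/etc/profile-m-z/riot-web.profile
+++ b/etc/profile-m-z/riot-web.profile
@@ -4,14 +4,16 @@
 # Persistent local customizations
 include riot-web.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
+
+ignore noexec /tmp
 
 noblacklist ${HOME}/.config/Riot
 
 mkdir ${HOME}/.config/Riot
 whitelist ${HOME}/.config/Riot
-include whitelist-common.inc
+whitelist /usr/share/chromium
+whitelist /usr/share/webapps/element
 
 # Redirect
 include electron.profile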
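Review bot: `ignore noexec /tmp` is added here with no stated reason, whereas skypeforlinux.profile annotates the same exception with `# breaks Skype`; a one-line why-comment above it would tell the next maintainer when the relaxation can be dropped. The two new `/usr/share` whitelists would benefit from the same treatment, e.g. `# paths needed under whitelist-usr-share-common.inc (pulled in by electron.profile)`, since they presumably only matter in combination with the base profile.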
diff --git a/etc/profile-m-z/rocketchat.profile b/etc/profile-m-z/rocketchat.profile
index a574e4e8b..8d3607c75 100644
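--- a/etc/profile-m-z/rocketchat.profile
+++ b/etc/profile-m-z/rocketchat.profile
@@ -3,14 +3,28 @@
 # Persistent local customizations
 include rocketchat.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
+
+# Disabled until someone reported positive feedback
+ignore include disable-devel.inc
+ignore include disable-exec.inc
+ignore include disable-interpreters.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore nou2f
+ignore novideo
+ignore shell none
+ignore disable-mnt
+ignore private-cache
+ignore private-dev
+ignore private-tmp
 
 noblacklist ${HOME}/.config/Rocket.Chat
 
 mkdir ${HOME}/.config/Rocket.Chat
 whitelist ${HOME}/.config/Rocket.Chat
-include whitelist-common.inc
 
 # Redirect
 include electron.profile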
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
index c28571270..08e1c1f03 100644
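--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -5,6 +5,13 @@ include signal-desktop.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore include-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore private-cache
+ignore novideo
+
 ignore noexec /tmp
 
 noblacklist ${HOME}/.config/Signal
@@ -14,32 +21,12 @@ noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.mozilla/firefox/profiles.ini
 
-include disable-common.inc
-include disable-devel.inc
 include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-passwdmgr.inc
 
 mkdir ${HOME}/.config/Signal
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/Signal
-include whitelist-common.inc
-include whitelist-var-common.inc
-
-apparmor
-caps.keep sys_admin,sys_chroot
-netfilter
-nodvd
-nogroups
-notv
-nou2f
-shell none
-
-disable-mnt
-private-dev
+
 private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
-private-tmp
 
-dbus-user none
-dbus-system none
+# Redirect
+include electron.profile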
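Review bot: `ignore include-xdg.inc` in the new "Disabled until…" block of the first hunk does not match any directive that electron.profile issues, so it is presumably a typo for `ignore include disable-xdg.inc`; as written, disable-xdg.inc would still be applied to Signal, contrary to what the block announces. Every other entry in that block uses the `ignore include <file>` form. Separately, the second hunk keeps `include disable-exec.inc` as an unchanged line although the new electron.profile already includes it, so that line is redundant and can be dropped.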
diff --git a/etc/profile-m-z/skypeforlinux.profile b/etc/profile-m-z/skypeforlinux.profile
index 341c25a95..b39763981 100644
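--- a/etc/profile-m-z/skypeforlinux.profile
+++ b/etc/profile-m-z/skypeforlinux.profile
@@ -5,27 +5,24 @@ include skypeforlinux.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore whitelist ${DOWNLOADS}
+ignore include whitelist-common.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore nou2f
+ignore novideo
+ignore private-dev
+ignore dbus-user none
+ignore dbus-system none
+
 # breaks Skype
 ignore noexec /tmp
 
 noblacklist ${HOME}/.config/skypeforlinux
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
-
-caps.keep sys_admin,sys_chroot
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-disable-mnt
-private-cache
 # private-dev - needs /dev/disk
-private-tmp
+
+# Redirect
+include electron.profile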
diff --git a/etc/profile-m-z/slack.profile b/etc/profile-m-z/slack.profile
index 8ab3edd63..9ad772cd5 100644
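--- a/etc/profile-m-z/slack.profile
+++ b/etc/profile-m-z/slack.profile
@@ -5,31 +5,26 @@ include slack.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore include disable-exec.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore apparmor
+ignore novideo
+ignore private-tmp
+ignore dbus-user none
+ignore dbus-system none
+
 noblacklist ${HOME}/.config/Slack
 
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
 include disable-shell.inc
 
 mkdir ${HOME}/.config/Slack
 whitelist ${HOME}/.config/Slack
-whitelist ${DOWNLOADS}
-include whitelist-common.inc
-include whitelist-var-common.inc
-
-caps.keep sys_admin,sys_chroot
-netfilter
-nodvd
-nogroups
-notv
-nou2f
-shell none
 
-disable-mnt
 private-bin locale,slack
-private-cache
-private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
+
+# Redirect
+include electron.profile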
diff --git a/etc/profile-m-z/teams-for-linux.profile b/etc/profile-m-z/teams-for-linux.profile
index a13c92bc3..eee083332 100644
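--- a/etc/profile-m-z/teams-for-linux.profile
+++ b/etc/profile-m-z/teams-for-linux.profile
@@ -4,33 +4,23 @@
 # Persistent local customizations
 include teams-for-linux.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
+
+# Disabled until someone reported positive feedback
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
 
 ignore dbus-user none
 ignore dbus-system none
 
 noblacklist ${HOME}/.config/teams-for-linux
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-
 mkdir ${HOME}/.config/teams-for-linux
 whitelist ${HOME}/.config/teams-for-linux
-include whitelist-common.inc
-include whitelist-var-common.inc
-
-nou2f
-novideo
-shell none
 
-disable-mnt
 private-bin bash,cut,echo,egrep,grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh
-private-cache
-private-dev
 private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,resolv.conf,ssl
-private-tmp
 
 # Redirect
 include electron.profile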
diff --git a/etc/profile-m-z/teams.profile b/etc/profile-m-z/teams.profile
index af1365571..c8d98cbaa 100644
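--- a/etc/profile-m-z/teams.profile
+++ b/etc/profile-m-z/teams.profile
@@ -4,8 +4,14 @@
 # Persistent local customizations
 include teams.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
+
+# Disabled until someone reported positive feedback
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore novideo
+ignore private-tmp
 
 # see #3404
 ignore apparmor
@@ -15,24 +21,10 @@ ignore dbus-system none
 noblacklist ${HOME}/.config/teams
 noblacklist ${HOME}/.config/Microsoft
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-
 mkdir ${HOME}/.config/teams
 mkdir ${HOME}/.config/Microsoft
 whitelist ${HOME}/.config/teams
 whitelist ${HOME}/.config/Microsoft
-include whitelist-common.inc
-include whitelist-var-common.inc
-
-nou2f
-seccomp !chroot
-shell none
-
-disable-mnt
-private-cache
-private-dev
 
 # Redirect
 include electron.profile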
diff --git a/etc/profile-m-z/twitch.profile b/etc/profile-m-z/twitch.profile
index 3c50344f1..dcf7ee88b 100644
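--- a/etc/profile-m-z/twitch.profile
+++ b/etc/profile-m-z/twitch.profile
@@ -6,31 +6,20 @@ include twitch.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore nou2f
+ignore novideo
+
 noblacklist ${HOME}/.config/Twitch
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
 include disable-shell.inc
-include disable-xdg.inc
 
 mkdir ${HOME}/.config/Twitch
 whitelist ${HOME}/.config/Twitch
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-seccomp !chroot
-shell none
 
-disable-mnt
 private-bin twitch
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt Twitch
-private-tmp
 
 # Redirect
 include electron.profile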
diff --git a/etc/profile-m-z/whalebird.profile b/etc/profile-m-z/whalebird.profile
index 187c49ed8..22a84274d 100644
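--- a/etc/profile-m-z/whalebird.profile
+++ b/etc/profile-m-z/whalebird.profile
@@ -4,36 +4,24 @@
 # Persistent local customizations
 include whalebird.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
+
+# Disabled until someone reported positive feedback
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
 
 ignore dbus-user none
 ignore dbus-system none
 
 noblacklist ${HOME}/.config/Whalebird
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-xdg.inc
-
 mkdir ${HOME}/.config/Whalebird
 whitelist ${HOME}/.config/Whalebird
-include whitelist-common.inc
-include whitelist-var-common.inc
 
 no3d
-nou2f
-novideo
-protocol unix,inet,inet6
-shell none
 
-disable-mnt
 private-bin whalebird
-private-cache
-private-dev
 private-etc fonts,machine-id
-private-tmp
 
 # Redirect
 include electron.profile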
diff --git a/etc/profile-m-z/wire-desktop.profile b/etc/profile-m-z/wire-desktop.profile
index d265c6bae..151cd2adb 100644
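--- a/etc/profile-m-z/wire-desktop.profile
+++ b/etc/profile-m-z/wire-desktop.profile
@@ -4,33 +4,29 @@
 # Persistent local customizations
 include wire-desktop.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
 
 # Debian/Ubuntu use /opt/Wire. As that is not in PATH by default, run `firejail /opt/Wire/wire-desktop` to start it.
 
+# Disabled until someone reported positive feedback
+ignore include disable-exec.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore novideo
+ignore private-cache
+
 ignore dbus-user none
 ignore dbus-system none
 
 noblacklist ${HOME}/.config/Wire
 
-include disable-devel.inc
-include disable-interpreters.inc
-
 mkdir ${HOME}/.config/Wire
 whitelist ${HOME}/.config/Wire
-include whitelist-common.inc
-
-nou2f
-ignore seccomp
-seccomp !chroot
-shell none
 
-disable-mnt
 private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop
-private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl
-private-tmp
 
 # Redirect
 include electron.profile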
diff --git a/etc/profile-m-z/youtube.profile b/etc/profile-m-z/youtube.profile
index a6c7750a9..92890a3a8 100644
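--- a/etc/profile-m-z/youtube.profile
+++ b/etc/profile-m-z/youtube.profile
@@ -6,32 +6,19 @@ include youtube.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore nou2f
+
 noblacklist ${HOME}/.config/Youtube
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
 include disable-shell.inc
-include disable-xdg.inc
 
 mkdir ${HOME}/.config/Youtube
 whitelist ${HOME}/.config/Youtube
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-novideo
-seccomp !chroot
-shell none
 
-disable-mnt
 private-bin youtube
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt Youtube
-private-tmp
 
 # Redirect
 include electron.profile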
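Review bot: The comment `# Disabled until someone reported positive feedback` above `ignore nou2f` does not say what is disabled or why. The line switches off a hardening option (presumably `nou2f` inherited from the trailing `include electron.profile`, which is not shown in this section), and a reader can take it to mean that U2F itself is disabled. Reword it so the direction is explicit, for example `# nou2f (from electron.profile) is not yet confirmed to work with this app; drop this ignore once tested`. The same comment heads the `ignore` blocks in the wire-desktop.profile and zoom.profile sections, where it covers several options at once.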
diff --git a/etc/profile-m-z/youtubemusic-nativefier.profile b/etc/profile-m-z/youtubemusic-nativefier.profile
index 3a94a5707..10ff1616a 100644
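--- a/etc/profile-m-z/youtubemusic-nativefier.profile
+++ b/etc/profile-m-z/youtubemusic-nativefier.profile
@@ -8,31 +8,14 @@ include globals.local
 
 noblacklist ${HOME}/.config/youtubemusic-nativefier-040164
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
 include disable-shell.inc
-include disable-xdg.inc
 
 mkdir ${HOME}/.config/youtubemusic-nativefier-040164
 whitelist ${HOME}/.config/youtubemusic-nativefier-040164
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
 
-nou2f
-novideo
-seccomp !chroot
-shell none
-
-disable-mnt
 private-bin youtubemusic-nativefier
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt youtubemusic-nativefier
-private-tmp
 
 # Redirect
 include electron.profile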
diff --git a/etc/profile-m-z/ytmdesktop.profile b/etc/profile-m-z/ytmdesktop.profile
index 5c37b838b..3f6dd9694 100644
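--- a/etc/profile-m-z/ytmdesktop.profile
+++ b/etc/profile-m-z/ytmdesktop.profile
@@ -10,30 +10,12 @@ ignore dbus-user none
 
 noblacklist ${HOME}/.config/youtube-music-desktop-app
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-xdg.inc
-
 mkdir ${HOME}/.config/youtube-music-desktop-app
 whitelist ${HOME}/.config/youtube-music-desktop-app
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-nou2f
-novideo
-seccomp !chroot
-shell none
 
-disable-mnt
 # private-bin env,ytmdesktop
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 # private-opt
-private-tmp
 
 # Redirect
 include electron.profile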
diff --git a/etc/profile-m-z/zoom.profile b/etc/profile-m-z/zoom.profile
index 889e8c02e..e8cd64c93 100644
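--- a/etc/profile-m-z/zoom.profile
+++ b/etc/profile-m-z/zoom.profile
@@ -6,16 +6,20 @@ include zoom.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore apparmor
+ignore novideo
+ignore dbus-user none
+ignore dbus-system none
+
+# nogroups breaks webcam access on non-systemd systems (see #3711).
+# If you use such a system uncomment the line below or put 'ignore nogroups' in your zoom.local
+#ignore nogroups
+
 noblacklist ${HOME}/.config/zoomus.conf
 noblacklist ${HOME}/.zoom
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
+nowhitelist ${DOWNLOADS}
 
 mkdir ${HOME}/.cache/zoom
 mkfile ${HOME}/.config/zoomus.conf
@@ -23,29 +27,9 @@ mkdir ${HOME}/.zoom
 whitelist ${HOME}/.cache/zoom
 whitelist ${HOME}/.config/zoomus.conf
 whitelist ${HOME}/.zoom
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
 
-caps.drop all
-netfilter
-nodvd
-# nogroups breaks webcam access on non-systemd systems (see #3711).
-# If you use such a system comment the line below or put 'ignore nogroups' in your zoom.local
-nogroups
-nonewprivs
-noroot
-notv
-nou2f
-protocol unix,inet,inet6,netlink
-seccomp !chroot
-shell none
-tracelog
-
-disable-mnt
-private-cache
-private-dev
 # Disable for now, see https://github.com/netblue30/firejail/issues/3726
 #private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
-private-tmp
+
+# Redirect
+include electron.profile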
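Review bot: The new `ignore` block near the top of the first hunk groups four relaxations under one "not yet tested" comment, but they are not equivalent: `ignore novideo` is presumably required for a conferencing client's webcam, while `ignore apparmor`, `ignore dbus-user none` and `ignore dbus-system none` switch off AppArmor confinement and leave both D-Bus buses unfiltered. Give `ignore novideo` its own comment such as `# Zoom needs camera access`, and keep the other three under a comment that names them as untested so they get revisited; a later step could replace the D-Bus ignores with `dbus-user filter` plus explicit `dbus-user.talk` entries. Separately, `include disable-common.inc`, `include disable-passwdmgr.inc`, `include disable-programs.inc`, `caps.drop all`, `nonewprivs`, `noroot` and `protocol` are removed here and now depend on the trailing `include electron.profile`, which is outside this section, so the effective profile should be checked to confirm each is still applied.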