profile fixes for 0.9.52 (Ubuntu 18.04) in etc-fixes directory

author: netblue30 <netblue30@yahoo.com> 2018-05-13 12:23:16 -0400
committer: netblue30 <netblue30@yahoo.com> 2018-05-13 12:23:16 -0400
commit: 92be701355d9c25e4c5fc0e80a15874fb1b69ea0 (patch)
tree: 45e28e86f273e50244e31278c862ee4e9c57f697 /etc-fixes
parent: moving to 0.9.54~rc3 (diff)
download: firejail-92be701355d9c25e4c5fc0e80a15874fb1b69ea0.tar.gz
firejail-92be701355d9c25e4c5fc0e80a15874fb1b69ea0.tar.zst
firejail-92be701355d9c25e4c5fc0e80a15874fb1b69ea0.zip
3 files changed, 176 insertions, 0 deletions
diff --git a/etc-fixes/0.9.52/firefox.profile b/etc-fixes/0.9.52/firefox.profile
new file mode 100644
index 000000000..6b19b14df
--- /dev/null
+++ b/etc-fixes/0.9.52/firefox.profile
@@ -0,0 +1,96 @@
+# Firejail profile for firefox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/firefox.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.cache/mozilla
+noblacklist ${HOME}/.config/okularpartrc
+noblacklist ${HOME}/.config/okularrc
+noblacklist ${HOME}/.config/qpdfview
+noblacklist ${HOME}/.kde/share/apps/kget
+noblacklist ${HOME}/.kde/share/apps/okular
+noblacklist ${HOME}/.kde/share/config/kgetrc
+noblacklist ${HOME}/.kde/share/config/okularpartrc
+noblacklist ${HOME}/.kde/share/config/okularrc
+noblacklist ${HOME}/.kde4/share/apps/kget
+noblacklist ${HOME}/.kde4/share/apps/okular
+noblacklist ${HOME}/.kde4/share/config/kgetrc
+noblacklist ${HOME}/.kde4/share/config/okularpartrc
+noblacklist ${HOME}/.kde4/share/config/okularrc
+# noblacklist ${HOME}/.local/share/gnome-shell/extensions
+noblacklist ${HOME}/.local/share/okular
+noblacklist ${HOME}/.local/share/qpdfview
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/.pki
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
+mkdir ${HOME}/.cache/mozilla/firefox
+mkdir ${HOME}/.mozilla
+mkdir ${HOME}/.pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/gnome-mplayer/plugin
+whitelist ${HOME}/.cache/mozilla/firefox
+whitelist ${HOME}/.config/gnome-mplayer
+whitelist ${HOME}/.config/okularpartrc
+whitelist ${HOME}/.config/okularrc
+whitelist ${HOME}/.config/pipelight-silverlight5.1
+whitelist ${HOME}/.config/pipelight-widevine
+whitelist ${HOME}/.config/qpdfview
+whitelist ${HOME}/.kde/share/apps/kget
+whitelist ${HOME}/.kde/share/apps/okular
+whitelist ${HOME}/.kde/share/config/kgetrc
+whitelist ${HOME}/.kde/share/config/okularpartrc
+whitelist ${HOME}/.kde/share/config/okularrc
+whitelist ${HOME}/.kde4/share/apps/kget
+whitelist ${HOME}/.kde4/share/apps/okular
+whitelist ${HOME}/.kde4/share/config/kgetrc
+whitelist ${HOME}/.kde4/share/config/okularpartrc
+whitelist ${HOME}/.kde4/share/config/okularrc
+whitelist ${HOME}/.keysnail.js
+whitelist ${HOME}/.lastpass
+whitelist ${HOME}/.local/share/gnome-shell/extensions
+whitelist ${HOME}/.local/share/okular
+whitelist ${HOME}/.local/share/qpdfview
+whitelist ${HOME}/.mozilla
+whitelist ${HOME}/.pentadactyl
+whitelist ${HOME}/.pentadactylrc
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.vimperator
+whitelist ${HOME}/.vimperatorrc
+whitelist ${HOME}/.wine-pipelight
+whitelist ${HOME}/.wine-pipelight64
+whitelist ${HOME}/.zotero
+whitelist ${HOME}/dwhelper
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+caps.drop all
+# machine-id breaks pulse audio; it should work fine in setups where sound is not required
+#machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+#seccomp - replaced with seccomp.drop for Firefox 60
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+shell none
+#tracelog - disabled for Firefox 60
+disable-mnt
+# firefox requires a shell to launch on Arch.
+# private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash
+private-dev
+# private-etc below works fine on most distributions. There are some problems on CentOS.
+# private-etc iceweasel,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc-fixes/0.9.52/gedit.profile b/etc-fixes/0.9.52/gedit.profile
new file mode 100644
index 000000000..2646233cf
--- /dev/null
+++ b/etc-fixes/0.9.52/gedit.profile
@@ -0,0 +1,44 @@
+# Firejail profile for gedit
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/gedit.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+# blacklist /run/user/*/bus - makes settings immutable
+noblacklist ${HOME}/.config/enchant
+noblacklist ${HOME}/.config/gedit
+noblacklist ${HOME}/.gitconfig
+include /etc/firejail/disable-common.inc
+# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
+caps.drop all
+# net none - makes settings immutable
+machine-id
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+# private-bin gedit
+private-dev
+# private-etc fonts
+#private-lib gedit - disabled; problems when running "firejail gedit"; "firejail /usr/bin/gedit" works fine
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc-fixes/0.9.52/libreoffice.profile b/etc-fixes/0.9.52/libreoffice.profile
new file mode 100644
index 000000000..bbc52ff5e
--- /dev/null
+++ b/etc-fixes/0.9.52/libreoffice.profile
@@ -0,0 +1,36 @@
+# Firejail profile for libreoffice
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/libreoffice.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.java
+noblacklist /usr/local/sbin
+noblacklist ${HOME}/.config/libreoffice
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+#nonewprivs
+noroot
+notv
+#protocol unix,inet,inet6
+#seccomp
+shell none
+#tracelog
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
author	netblue30 <netblue30@yahoo.com>	2018-05-13 12:23:16 -0400
committer	netblue30 <netblue30@yahoo.com>	2018-05-13 12:23:16 -0400
commit	92be701355d9c25e4c5fc0e80a15874fb1b69ea0 (patch)
tree	45e28e86f273e50244e31278c862ee4e9c57f697 /etc-fixes
parent	moving to 0.9.54~rc3 (diff)
download	firejail-92be701355d9c25e4c5fc0e80a15874fb1b69ea0.tar.gz firejail-92be701355d9c25e4c5fc0e80a15874fb1b69ea0.tar.zst firejail-92be701355d9c25e4c5fc0e80a15874fb1b69ea0.zip

diff --git a/etc-fixes/0.9.52/firefox.profile b/etc-fixes/0.9.52/firefox.profile new file mode 100644 index 000000000..6b19b14df --- /dev/null +++ b/etc-fixes/0.9.52/firefox.profile
@@ -0,0 +1,96 @@
	1	# Firejail profile for firefox
	2	# This file is overwritten after every install/update
	3	# Persistent local customizations
	4	include /etc/firejail/firefox.local
	5	# Persistent global definitions
	6	include /etc/firejail/globals.local
	7
	8	noblacklist ${HOME}/.cache/mozilla
	9	noblacklist ${HOME}/.config/okularpartrc
	10	noblacklist ${HOME}/.config/okularrc
	11	noblacklist ${HOME}/.config/qpdfview
	12	noblacklist ${HOME}/.kde/share/apps/kget
	13	noblacklist ${HOME}/.kde/share/apps/okular
	14	noblacklist ${HOME}/.kde/share/config/kgetrc
	15	noblacklist ${HOME}/.kde/share/config/okularpartrc
	16	noblacklist ${HOME}/.kde/share/config/okularrc
	17	noblacklist ${HOME}/.kde4/share/apps/kget
	18	noblacklist ${HOME}/.kde4/share/apps/okular
	19	noblacklist ${HOME}/.kde4/share/config/kgetrc
	20	noblacklist ${HOME}/.kde4/share/config/okularpartrc
	21	noblacklist ${HOME}/.kde4/share/config/okularrc
	22	# noblacklist ${HOME}/.local/share/gnome-shell/extensions
	23	noblacklist ${HOME}/.local/share/okular
	24	noblacklist ${HOME}/.local/share/qpdfview
	25	noblacklist ${HOME}/.mozilla
	26	noblacklist ${HOME}/.pki
	27
	28	include /etc/firejail/disable-common.inc
	29	include /etc/firejail/disable-devel.inc
	30	include /etc/firejail/disable-programs.inc
	31
	32	mkdir ${HOME}/.cache/mozilla/firefox
	33	mkdir ${HOME}/.mozilla
	34	mkdir ${HOME}/.pki
	35	whitelist ${DOWNLOADS}
	36	whitelist ${HOME}/.cache/gnome-mplayer/plugin
	37	whitelist ${HOME}/.cache/mozilla/firefox
	38	whitelist ${HOME}/.config/gnome-mplayer
	39	whitelist ${HOME}/.config/okularpartrc
	40	whitelist ${HOME}/.config/okularrc
	41	whitelist ${HOME}/.config/pipelight-silverlight5.1
	42	whitelist ${HOME}/.config/pipelight-widevine
	43	whitelist ${HOME}/.config/qpdfview
	44	whitelist ${HOME}/.kde/share/apps/kget
	45	whitelist ${HOME}/.kde/share/apps/okular
	46	whitelist ${HOME}/.kde/share/config/kgetrc
	47	whitelist ${HOME}/.kde/share/config/okularpartrc
	48	whitelist ${HOME}/.kde/share/config/okularrc
	49	whitelist ${HOME}/.kde4/share/apps/kget
	50	whitelist ${HOME}/.kde4/share/apps/okular
	51	whitelist ${HOME}/.kde4/share/config/kgetrc
	52	whitelist ${HOME}/.kde4/share/config/okularpartrc
	53	whitelist ${HOME}/.kde4/share/config/okularrc
	54	whitelist ${HOME}/.keysnail.js
	55	whitelist ${HOME}/.lastpass
	56	whitelist ${HOME}/.local/share/gnome-shell/extensions
	57	whitelist ${HOME}/.local/share/okular
	58	whitelist ${HOME}/.local/share/qpdfview
	59	whitelist ${HOME}/.mozilla
	60	whitelist ${HOME}/.pentadactyl
	61	whitelist ${HOME}/.pentadactylrc
	62	whitelist ${HOME}/.pki
	63	whitelist ${HOME}/.vimperator
	64	whitelist ${HOME}/.vimperatorrc
	65	whitelist ${HOME}/.wine-pipelight
	66	whitelist ${HOME}/.wine-pipelight64
	67	whitelist ${HOME}/.zotero
	68	whitelist ${HOME}/dwhelper
	69	include /etc/firejail/whitelist-common.inc
	70	include /etc/firejail/whitelist-var-common.inc
	71
	72	caps.drop all
	73	# machine-id breaks pulse audio; it should work fine in setups where sound is not required
	74	#machine-id
	75	netfilter
	76	nodvd
	77	nogroups
	78	nonewprivs
	79	noroot
	80	notv
	81	protocol unix,inet,inet6,netlink
	82	#seccomp - replaced with seccomp.drop for Firefox 60
	83	seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
	84	shell none
	85	#tracelog - disabled for Firefox 60
	86
	87	disable-mnt
	88	# firefox requires a shell to launch on Arch.
	89	# private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash
	90	private-dev
	91	# private-etc below works fine on most distributions. There are some problems on CentOS.
	92	# private-etc iceweasel,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
	93	private-tmp
	94
	95	noexec ${HOME}
	96	noexec /tmp


diff --git a/etc-fixes/0.9.52/gedit.profile b/etc-fixes/0.9.52/gedit.profile new file mode 100644 index 000000000..2646233cf --- /dev/null +++ b/etc-fixes/0.9.52/gedit.profile
@@ -0,0 +1,44 @@
	1	# Firejail profile for gedit
	2	# This file is overwritten after every install/update
	3	# Persistent local customizations
	4	include /etc/firejail/gedit.local
	5	# Persistent global definitions
	6	include /etc/firejail/globals.local
	7
	8	# blacklist /run/user/*/bus - makes settings immutable
	9
	10	noblacklist ${HOME}/.config/enchant
	11	noblacklist ${HOME}/.config/gedit
	12	noblacklist ${HOME}/.gitconfig
	13
	14	include /etc/firejail/disable-common.inc
	15	# include /etc/firejail/disable-devel.inc
	16	include /etc/firejail/disable-passwdmgr.inc
	17	include /etc/firejail/disable-programs.inc
	18
	19	include /etc/firejail/whitelist-var-common.inc
	20
	21	caps.drop all
	22	# net none - makes settings immutable
	23	machine-id
	24	no3d
	25	nodvd
	26	nogroups
	27	nonewprivs
	28	noroot
	29	nosound
	30	notv
	31	novideo
	32	protocol unix
	33	seccomp
	34	shell none
	35	tracelog
	36
	37	# private-bin gedit
	38	private-dev
	39	# private-etc fonts
	40	#private-lib gedit - disabled; problems when running "firejail gedit"; "firejail /usr/bin/gedit" works fine
	41	private-tmp
	42
	43	noexec ${HOME}
	44	noexec /tmp


diff --git a/etc-fixes/0.9.52/libreoffice.profile b/etc-fixes/0.9.52/libreoffice.profile new file mode 100644 index 000000000..bbc52ff5e --- /dev/null +++ b/etc-fixes/0.9.52/libreoffice.profile
@@ -0,0 +1,36 @@
	1	# Firejail profile for libreoffice
	2	# This file is overwritten after every install/update
	3	# Persistent local customizations
	4	include /etc/firejail/libreoffice.local
	5	# Persistent global definitions
	6	include /etc/firejail/globals.local
	7
	8	noblacklist ${HOME}/.java
	9	noblacklist /usr/local/sbin
	10	noblacklist ${HOME}/.config/libreoffice
	11
	12	include /etc/firejail/disable-common.inc
	13	include /etc/firejail/disable-devel.inc
	14	include /etc/firejail/disable-passwdmgr.inc
	15	include /etc/firejail/disable-programs.inc
	16
	17	include /etc/firejail/whitelist-var-common.inc
	18
	19	caps.drop all
	20	machine-id
	21	netfilter
	22	nodvd
	23	nogroups
	24	#nonewprivs
	25	noroot
	26	notv
	27	#protocol unix,inet,inet6
	28	#seccomp
	29	shell none
	30	#tracelog
	31
	32	private-dev
	33	private-tmp
	34
	35	noexec ${HOME}
	36	noexec /tmp