authorLibravatar netblue30 <netblue30@yahoo.com>2020-04-21 08:24:28 -0400
committerLibravatar netblue30 <netblue30@yahoo.com>2020-04-21 08:24:28 -0400
commit018d75775eab4a0f045949a9d069c57686ca2686 (patch)
treeaac3a1a65cca0d4875795c55109a5c3e35efdefb /etc/inc/disable-common.inc
parentsmall fixes (diff)
reorganize github etc directory
Diffstat (limited to 'etc/inc/disable-common.inc')
-rw-r--r--etc/inc/disable-common.inc497
1 files changed, 497 insertions, 0 deletions
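diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
new file mode 100644
index 000000000..92c6cd2a8
--- /dev/null
+++ b/etc/inc/disable-common.inc
@@ -0,0 +1,497 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include disable-common.local
+
+# The following block breaks trash functionality in file managers
+#read-only ${HOME}/.local
+#read-write ${HOME}/.local/share
+blacklist ${HOME}/.local/share/Trash
+
+# History files in $HOME and clipboard managers
+blacklist-nolog ${HOME}/.*_history
+blacklist-nolog ${HOME}/.adobe
+blacklist-nolog ${HOME}/.cache/greenclip*
+blacklist-nolog ${HOME}/.histfile
+blacklist-nolog ${HOME}/.history
+blacklist-nolog ${HOME}/.kde/share/apps/klipper
+blacklist-nolog ${HOME}/.kde4/share/apps/klipper
+blacklist-nolog ${HOME}/.local/share/fish/fish_history
+blacklist-nolog ${HOME}/.local/share/klipper
+blacklist-nolog ${HOME}/.macromedia
+blacklist-nolog ${HOME}/.mupdf.history
+blacklist-nolog ${HOME}/.python-history
+blacklist-nolog ${HOME}/.python_history
+blacklist-nolog ${HOME}/.pythonhist
+blacklist-nolog ${HOME}/.lesshst
+blacklist-nolog ${HOME}/.viminfo
+blacklist-nolog /tmp/clipmenu*
+
+# X11 session autostart
+# blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs
+blacklist ${HOME}/.Xsession
+blacklist ${HOME}/.blackbox
+blacklist ${HOME}/.config/autostart
+blacklist ${HOME}/.config/autostart-scripts
+blacklist ${HOME}/.config/awesome
+blacklist ${HOME}/.config/i3
+blacklist ${HOME}/.config/lxsession/LXDE/autostart
+blacklist ${HOME}/.config/openbox
+blacklist ${HOME}/.config/plasma-workspace
+blacklist ${HOME}/.config/startupconfig
+blacklist ${HOME}/.config/startupconfigkeys
+blacklist ${HOME}/.fluxbox
+blacklist ${HOME}/.gnomerc
+blacklist ${HOME}/.kde/Autostart
+blacklist ${HOME}/.kde/env
+blacklist ${HOME}/.kde/share/autostart
+blacklist ${HOME}/.kde/share/config/startupconfig
+blacklist ${HOME}/.kde/share/config/startupconfigkeys
+blacklist ${HOME}/.kde/shutdown
+blacklist ${HOME}/.kde4/env
+blacklist ${HOME}/.kde4/Autostart
+blacklist ${HOME}/.kde4/share/autostart
+blacklist ${HOME}/.kde4/shutdown
+blacklist ${HOME}/.kde4/share/config/startupconfig
+blacklist ${HOME}/.kde4/share/config/startupconfigkeys
+blacklist ${HOME}/.local/share/autostart
+blacklist ${HOME}/.xinitrc
+blacklist ${HOME}/.xprofile
+blacklist ${HOME}/.xserverrc
+blacklist ${HOME}/.xsession
+blacklist ${HOME}/.xsessionrc
+blacklist /etc/X11/Xsession.d
+blacklist /etc/xdg/autostart
+read-only ${HOME}/.Xauthority
+
+# Session manager
+?HAS_X11: blacklist ${HOME}/.ICEauthority
+?HAS_X11: blacklist /tmp/.ICE-unix
+
+# KDE config
+blacklist ${HOME}/.config/khotkeysrc
+blacklist ${HOME}/.config/krunnerrc
+blacklist ${HOME}/.config/kscreenlockerrc
+blacklist ${HOME}/.config/ksslcertificatemanager
+blacklist ${HOME}/.config/kwalletrc
+blacklist ${HOME}/.config/kwinrc
+blacklist ${HOME}/.config/kwinrulesrc
+blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
+blacklist ${HOME}/.config/plasmashellrc
+blacklist ${HOME}/.config/plasmavaultrc
+blacklist ${HOME}/.kde/share/apps/kwin
+blacklist ${HOME}/.kde/share/apps/plasma
+blacklist ${HOME}/.kde/share/apps/solid
+blacklist ${HOME}/.kde/share/config/khotkeysrc
+blacklist ${HOME}/.kde/share/config/krunnerrc
+blacklist ${HOME}/.kde/share/config/kscreensaverrc
+blacklist ${HOME}/.kde/share/config/ksslcertificatemanager
+blacklist ${HOME}/.kde/share/config/kwalletrc
+blacklist ${HOME}/.kde/share/config/kwinrc
+blacklist ${HOME}/.kde/share/config/kwinrulesrc
+blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc
+blacklist ${HOME}/.kde4/share/apps/kwin
+blacklist ${HOME}/.kde4/share/apps/plasma
+blacklist ${HOME}/.kde4/share/apps/solid
+blacklist ${HOME}/.kde4/share/config/khotkeysrc
+blacklist ${HOME}/.kde4/share/config/krunnerrc
+blacklist ${HOME}/.kde4/share/config/kscreensaverrc
+blacklist ${HOME}/.kde4/share/config/ksslcertificatemanager
+blacklist ${HOME}/.kde4/share/config/kwalletrc
+blacklist ${HOME}/.kde4/share/config/kwinrc
+blacklist ${HOME}/.kde4/share/config/kwinrulesrc
+blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
+blacklist ${HOME}/.local/share/kglobalaccel
+blacklist ${HOME}/.local/share/kwin
+blacklist ${HOME}/.local/share/plasma
+blacklist ${HOME}/.local/share/plasmashell
+blacklist ${HOME}/.local/share/solid
+read-only ${HOME}/.cache/ksycoca5_*
+read-only ${HOME}/.config/*notifyrc
+read-only ${HOME}/.config/kdeglobals
+read-only ${HOME}/.config/kio_httprc
+read-only ${HOME}/.config/kiorc
+read-only ${HOME}/.config/kioslaverc
+read-only ${HOME}/.config/ksslcablacklist
+read-only ${HOME}/.kde/share/apps/konsole
+read-only ${HOME}/.kde/share/apps/kssl
+read-only ${HOME}/.kde/share/config/*notifyrc
+read-only ${HOME}/.kde/share/config/kdeglobals
+read-only ${HOME}/.kde/share/config/kio_httprc
+read-only ${HOME}/.kde/share/config/kioslaverc
+read-only ${HOME}/.kde/share/config/ksslcablacklist
+read-only ${HOME}/.kde/share/kde4/services
+read-only ${HOME}/.kde4/share/apps/konsole
+read-only ${HOME}/.kde4/share/apps/kssl
+read-only ${HOME}/.kde4/share/config/*notifyrc
+read-only ${HOME}/.kde4/share/config/kdeglobals
+read-only ${HOME}/.kde4/share/config/kio_httprc
+read-only ${HOME}/.kde4/share/config/kioslaverc
+read-only ${HOME}/.kde4/share/config/ksslcablacklist
+read-only ${HOME}/.kde4/share/kde4/services
+read-only ${HOME}/.local/share/konsole
+read-only ${HOME}/.local/share/kservices5
+read-only ${HOME}/.local/share/kssl
+
+# KDE sockets
+blacklist ${RUNUSER}/*.slave-socket
+blacklist ${RUNUSER}/kdeinit5__*
+blacklist ${RUNUSER}/kdesud_*
+?HAS_NODBUS: blacklist ${RUNUSER}/ksocket-*
+?HAS_NODBUS: blacklist /tmp/ksocket-*
+
+# gnome
+# contains extensions, last used times of applications, and notifications
+blacklist ${HOME}/.local/share/gnome-shell
+# no direct modification of dconf database
+read-only ${HOME}/.config/dconf
+
+# systemd
+blacklist ${HOME}/.config/systemd
+blacklist ${HOME}/.local/share/systemd
+blacklist /var/lib/systemd
+# blacklist /var/run/systemd
+# creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
+
+# openrc
+blacklist /etc/runlevels/
+blacklist /etc/init.d/
+blacklist /etc/rc.conf
+
+# VirtualBox
+blacklist ${HOME}/.VirtualBox
+blacklist ${HOME}/.config/VirtualBox
+blacklist ${HOME}/VirtualBox VMs
+
+# GNOME Boxes
+blacklist ${HOME}/.config/gnome-boxes
+blacklist ${HOME}/.local/share/gnome-boxes
+
+# libvirt
+blacklist ${HOME}/.cache/libvirt
+blacklist ${HOME}/.config/libvirt
+blacklist ${RUNUSER}/libvirt
+blacklist /var/cache/libvirt
+blacklist /var/lib/libvirt
+blacklist /var/log/libvirt
+
+# VeraCrypt
+blacklist ${HOME}/.VeraCrypt
+blacklist ${PATH}/veracrypt
+blacklist ${PATH}/veracrypt-uninstall.sh
+blacklist /usr/share/applications/veracrypt.*
+blacklist /usr/share/pixmaps/veracrypt.*
+blacklist /usr/share/veracrypt
+
+# TrueCrypt
+blacklist ${HOME}/.TrueCrypt
+blacklist ${PATH}/truecrypt
+blacklist ${PATH}/truecrypt-uninstall.sh
+blacklist /usr/share/applications/truecrypt.*
+blacklist /usr/share/pixmaps/truecrypt.*
+blacklist /usr/share/truecrypt
+
+# zuluCrypt
+blacklist ${HOME}/.zuluCrypt
+blacklist ${HOME}/.zuluCrypt-socket
+blacklist ${PATH}/zuluCrypt-cli
+blacklist ${PATH}/zuluMount-cli
+
+# var
+blacklist /var/cache/apt
+blacklist /var/cache/pacman
+blacklist /var/lib/apt
+blacklist /var/lib/clamav
+blacklist /var/lib/dkms
+blacklist /var/lib/mysql/mysql.sock
+blacklist /var/lib/mysqld/mysql.sock
+blacklist /var/lib/pacman
+blacklist /var/lib/upower
+# blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for
+# every sandbox, unless --writable-var-log switch is activated
+blacklist /var/mail
+blacklist /var/opt
+blacklist /var/run/acpid.socket
+blacklist /var/run/docker.sock
+blacklist /var/run/minissdpd.sock
+blacklist /var/run/mysql/mysqld.sock
+blacklist /var/run/mysqld/mysqld.sock
+blacklist /var/run/rpcbind.sock
+blacklist /var/run/screens
+blacklist /var/spool/anacron
+blacklist /var/spool/cron
+blacklist /var/spool/mail
+
+# etc
+blacklist /etc/anacrontab
+blacklist /etc/cron*
+blacklist /etc/profile.d
+blacklist /etc/rc.local
+# rc1.d, rc2.d, ...
+blacklist /etc/rc?.d
+blacklist /etc/kernel*
+blacklist /etc/grub*
+blacklist /etc/dkms
+blacklist /etc/apparmor*
+blacklist /etc/selinux
+blacklist /etc/modules*
+blacklist /etc/logrotate*
+blacklist /etc/adduser.conf
+
+# Startup files
+read-only ${HOME}/.antigen
+read-only ${HOME}/.bash_aliases
+read-only ${HOME}/.bash_login
+read-only ${HOME}/.bash_logout
+read-only ${HOME}/.bash_profile
+read-only ${HOME}/.bashrc
+read-only ${HOME}/.config/environment.d
+read-only ${HOME}/.config/fish
+read-only ${HOME}/.csh_files
+read-only ${HOME}/.cshrc
+read-only ${HOME}/.forward
+read-only ${HOME}/.local/share/fish
+read-only ${HOME}/.login
+read-only ${HOME}/.logout
+read-only ${HOME}/.oh-my-zsh
+read-only ${HOME}/.pam_environment
+read-only ${HOME}/.pgpkey
+read-only ${HOME}/.plan
+read-only ${HOME}/.profile
+read-only ${HOME}/.project
+read-only ${HOME}/.tcshrc
+read-only ${HOME}/.zlogin
+read-only ${HOME}/.zlogout
+read-only ${HOME}/.zprofile
+read-only ${HOME}/.zsh.d
+read-only ${HOME}/.zsh_files
+read-only ${HOME}/.zshenv
+read-only ${HOME}/.zshrc
+read-only ${HOME}/.zshrc.local
+
+# Remote access
+read-only ${HOME}/.ssh/authorized_keys
+
+# Initialization files that allow arbitrary command execution
+read-only ${HOME}/.caffrc
+read-only ${HOME}/.cargo/env
+read-only ${HOME}/.dotfiles
+read-only ${HOME}/.emacs
+read-only ${HOME}/.emacs.d
+read-only ${HOME}/.exrc
+read-only ${HOME}/.gvimrc
+read-only ${HOME}/.homesick
+read-only ${HOME}/.iscreenrc
+read-only ${HOME}/.local/share/cool-retro-term
+read-only ${HOME}/.mailcap
+read-only ${HOME}/.msmtprc
+read-only ${HOME}/.mutt/muttrc
+read-only ${HOME}/.muttrc
+read-only ${HOME}/.nano
+read-only ${HOME}/.pythonrc.py
+read-only ${HOME}/.reportbugrc
+read-only ${HOME}/.tmux.conf
+read-only ${HOME}/.vim
+read-only ${HOME}/.viminfo
+read-only ${HOME}/.vimrc
+read-only ${HOME}/.xmonad
+read-only ${HOME}/.xscreensaver
+read-only ${HOME}/_exrc
+read-only ${HOME}/_gvimrc
+read-only ${HOME}/_vimrc
+read-only ${HOME}/dotfiles
+
+# Make directories commonly found in $PATH read-only
+read-only ${HOME}/.gem
+read-only ${HOME}/.luarocks
+read-only ${HOME}/.npm-packages
+read-only ${HOME}/bin
+read-only ${HOME}/.bin
+read-only ${HOME}/.local/bin
+read-only ${HOME}/.cargo/bin
+read-only ${HOME}/.cargo/env
+
+# Write-protection for desktop entries
+read-only ${HOME}/.config/menus
+read-only ${HOME}/.gnome/apps
+read-only ${HOME}/.local/share/applications
+
+# Write-protection for thumbnailer dir
+read-only ${HOME}/.local/share/thumbnailers
+
+# top secret
+blacklist ${HOME}/*.kdb
+blacklist ${HOME}/*.kdbx
+blacklist ${HOME}/*.key
+blacklist ${HOME}/.Private
+blacklist ${HOME}/.caff
+blacklist ${HOME}/.cargo/credentials
+blacklist ${HOME}/.cert
+blacklist ${HOME}/.config/keybase
+blacklist ${HOME}/.davfs2/secrets
+blacklist ${HOME}/.ecryptfs
+blacklist ${HOME}/.fetchmailrc
+blacklist ${HOME}/.fscrypt
+blacklist ${HOME}/.git-credential-cache
+blacklist ${HOME}/.git-credentials
+blacklist ${HOME}/.gnome2/keyrings
+blacklist ${HOME}/.gnupg
+blacklist ${HOME}/.config/hub
+blacklist ${HOME}/.kde/share/apps/kwallet
+blacklist ${HOME}/.kde4/share/apps/kwallet
+blacklist ${HOME}/.local/share/keyrings
+blacklist ${HOME}/.local/share/kwalletd
+blacklist ${HOME}/.local/share/plasma-vault
+blacklist ${HOME}/.msmtprc
+blacklist ${HOME}/.mutt
+blacklist ${HOME}/.muttrc
+blacklist ${HOME}/.netrc
+blacklist ${HOME}/.nyx
+blacklist ${HOME}/.pki
+blacklist ${HOME}/.local/share/pki
+blacklist ${HOME}/.smbcredentials
+blacklist ${HOME}/.ssh
+blacklist ${HOME}/.vaults
+blacklist /.fscrypt
+blacklist /etc/davfs2/secrets
+blacklist /etc/group+
+blacklist /etc/group-
+blacklist /etc/gshadow
+blacklist /etc/gshadow+
+blacklist /etc/gshadow-
+blacklist /etc/passwd+
+blacklist /etc/passwd-
+blacklist /etc/shadow
+blacklist /etc/shadow+
+blacklist /etc/shadow-
+blacklist /etc/ssh
+blacklist /home/.ecryptfs
+blacklist /home/.fscrypt
+blacklist /var/backup
+
+# cloud provider configuration
+blacklist ${HOME}/.aws
+blacklist ${HOME}/.boto
+blacklist ${HOME}/.config/gcloud
+blacklist ${HOME}/.kube
+blacklist ${HOME}/.passwd-s3fs
+blacklist ${HOME}/.s3cmd
+blacklist /etc/boto.cfg
+
+# system directories
+blacklist /sbin
+blacklist /usr/local/sbin
+blacklist /usr/sbin
+
+# system management
+blacklist ${PATH}/at
+blacklist ${PATH}/chage
+blacklist ${PATH}/chfn
+blacklist ${PATH}/chsh
+blacklist ${PATH}/crontab
+blacklist ${PATH}/evtest
+blacklist ${PATH}/expiry
+blacklist ${PATH}/fusermount
+blacklist ${PATH}/gksu
+blacklist ${PATH}/gksudo
+blacklist ${PATH}/gpasswd
+blacklist ${PATH}/kdesudo
+blacklist ${PATH}/ksu
+blacklist ${PATH}/mount
+blacklist ${PATH}/mount.ecryptfs_private
+blacklist ${PATH}/nc
+blacklist ${PATH}/ncat
+blacklist ${PATH}/newgidmap
+blacklist ${PATH}/newgrp
+blacklist ${PATH}/newuidmap
+blacklist ${PATH}/ntfs-3g
+blacklist ${PATH}/pkexec
+blacklist ${PATH}/procmail
+blacklist ${PATH}/sg
+blacklist ${PATH}/strace
+blacklist ${PATH}/su
+blacklist ${PATH}/sudo
+blacklist ${PATH}/umount
+blacklist ${PATH}/unix_chkpwd
+blacklist ${PATH}/xev
+blacklist ${PATH}/xinput
+
+# other SUID binaries
+blacklist /usr/lib/virtualbox
+blacklist /usr/lib64/virtualbox
+
+# prevent lxterminal connecting to an existing lxterminal session
+blacklist /tmp/.lxterminal-socket*
+# prevent tmux connecting to an existing session
+blacklist /tmp/tmux-*
+
+# disable terminals running as server resulting in sandbox escape
+blacklist ${PATH}/lxterminal
+blacklist ${PATH}/gnome-terminal
+blacklist ${PATH}/gnome-terminal.wrapper
+blacklist ${PATH}/lilyterm
+blacklist ${PATH}/mate-terminal
+blacklist ${PATH}/mate-terminal.wrapper
+blacklist ${PATH}/pantheon-terminal
+blacklist ${PATH}/roxterm
+blacklist ${PATH}/roxterm-config
+blacklist ${PATH}/terminix
+blacklist ${PATH}/tilix
+blacklist ${PATH}/urxvtc
+blacklist ${PATH}/urxvtcd
+blacklist ${PATH}/xfce4-terminal
+blacklist ${PATH}/xfce4-terminal.wrapper
+# blacklist ${PATH}/konsole
+# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
+
+# kernel files
+blacklist /initrd*
+blacklist /vmlinuz*
+
+# snapshot files
+blacklist /.snapshots
+
+# flatpak
+blacklist ${HOME}/.config/flatpak
+blacklist ${HOME}/.local/share/flatpak/app
+blacklist ${HOME}/.local/share/flatpak/appstream
+blacklist ${HOME}/.local/share/flatpak/db
+read-only ${HOME}/.local/share/flatpak/exports
+blacklist ${HOME}/.local/share/flatpak/oci
+blacklist ${HOME}/.local/share/flatpak/overrides
+blacklist ${HOME}/.local/share/flatpak/repo
+blacklist ${HOME}/.local/share/flatpak/runtime
+blacklist ${HOME}/.var
+blacklist ${RUNUSER}/app
+blacklist ${RUNUSER}/doc
+blacklist ${RUNUSER}/.dbus-proxy
+blacklist ${RUNUSER}/.flatpak
+blacklist ${RUNUSER}/.flatpak-helper
+blacklist /usr/share/flatpak
+blacklist /var/lib/flatpak
+# most of the time bwrap is SUID binary
+blacklist ${PATH}/bwrap
+
+# mail directories used by mutt
+blacklist ${HOME}/.Mail
+blacklist ${HOME}/.mail
+blacklist ${HOME}/.signature
+blacklist ${HOME}/Mail
+blacklist ${HOME}/mail
+blacklist ${HOME}/postponed
+blacklist ${HOME}/sent
+
+# kernel configuration
+blacklist /proc/config.gz
+
+# prevent DNS malware attempting to communicate with the server
+# using regular DNS tools
+blacklist ${PATH}/dig
+blacklist ${PATH}/kdig
+blacklist ${PATH}/nslookup
+blacklist ${PATH}/host
+blacklist ${PATH}/dlint
+blacklist ${PATH}/dnswalk
+blacklist ${PATH}/dns2tcp
+blacklist ${PATH}/iodine
+blacklist ${PATH}/knsupdate
+blacklist ${PATH}/resolvectl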
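Review bot: The "top secret" and "cloud provider configuration" blocks (file lines 321–378) hide AWS, boto, gcloud, kube and s3 credentials, but not `${HOME}/.docker`, which is where `docker login` stores registry credentials, even though the daemon socket `/var/run/docker.sock` is already blacklisted in the "var" block; `blacklist ${HOME}/.docker` next to `.kube` would close that gap, and `blacklist ${HOME}/.azure` likely belongs there for the same reason. Several paths are also listed twice with different directives — `.msmtprc` and `.muttrc` are `read-only` under "Initialization files" and `blacklist` under "top secret", `.viminfo` is both `blacklist-nolog` and `read-only`, and `.cargo/env` is `read-only` in two blocks — which is harmless at runtime but easy to misread as the weaker rule being the effective one. If the overlap is deliberate so that a profile that `noblacklist`s one of these paths still gets the read-only protection, a one-line comment at the top of the "top secret" block stating that would make the layering explicit; otherwise the duplicate `.cargo/env` entry at least can be dropped.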