author | 2023-05-19 11:04:23 -0400 | |
committer | 2023-05-19 11:04:23 -0400 | |
commit | 250cb3a183d2364db028d2b701b783b630836815 (patch) | |
tree | 2a10045cd6b12e4ab8b79ed266ec223469d0919e /etc/profile-a-l | |
parent | email-common.profile: allow clamav plugin for claws-mail (diff) | |
parent | Merge pull request #5808 from Dieterbe/qutebrowser-qt6-mpris-change (diff) | |
Merge branch 'master' into clawsmail-clamav
Diffstat (limited to 'etc/profile-a-l')
53 files changed, 274 insertions, 106 deletions
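--- /dev/null
+++ b/etc/profile-a-l/DiscordPTB.profile
@@ -0,0 +1,10 @@
+# Firejail profile for DiscordPTB
+# This file is overwritten after every install/update
+# Persistent local customizations
+include DiscordPTB.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include discord-ptb.profile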
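Review bot: DiscordPTB.profile is a pure alias, but its first line `# Firejail profile for DiscordPTB` does not say so, whereas chromium-common-hardened.inc.profile in this same merge is retitled `# Firejail profile alias for blink-common-hardened.inc` for exactly this situation; `# Firejail profile alias for discord-ptb` would make the relationship visible from the header alone. The companion discord-ptb.profile likewise carries no `# Description:` line, while the other new profile in this merge (ani-cli.profile) does; a one-line description there would follow the same convention.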
diff --git a/etc/profile-a-l/agetpkg.profile b/etc/profile-a-l/agetpkg.profile index 7a36302f1..9ebbf1cb0 100644 --- a/etc/profile-a-l/agetpkg.profile +++ b/etc/profile-a-l/agetpkg.profile | |||
@@ -28,7 +28,6 @@ include whitelist-usr-share-common.inc | |||
28 | include whitelist-var-common.inc | 28 | include whitelist-var-common.inc |
29 | 29 | ||
30 | caps.drop all | 30 | caps.drop all |
31 | hostname agetpkg | ||
32 | ipc-namespace | 31 | ipc-namespace |
33 | machine-id | 32 | machine-id |
34 | netfilter | 33 | netfilter |
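--- /dev/null
+++ b/etc/profile-a-l/ani-cli.profile
@@ -0,0 +1,39 @@
+# Firejail profile for ani-cli
+# Description: Shell script to watch Anime from the terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ani-cli.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/ani-cli
+noblacklist ${HOME}/.local/state/ani-cli
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+include disable-proc.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/ani-cli
+mkdir ${HOME}/.local/state/ani-cli
+whitelist ${HOME}/.cache/ani-cli
+whitelist ${HOME}/.local/state/ani-cli
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+
+#machine-id
+nodvd
+noprinters
+notv
+
+disable-mnt
+private-bin ani-cli,aria2c,cat,cp,curl,cut,ffmpeg,fzf,grep,head,mkdir,mv,nl,nohup,patch,sed,sh,sort,tail,tput,tr,uname,wc
+#private-cache
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-tmp
+
+# Redirect
+include mpv.profile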
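Review bot: `private-etc` on line 35 spells out `ca-certificates,crypto-policies,pki,ssl` and the X11/font entries individually, while email-common.profile in this same merge uses the `@tls-ca,@x11` groups for the same purpose; `private-etc @tls-ca,@x11,alsa,alternatives,asound.conf,...` would keep the TLS trust-store list maintained in one place. `#machine-id` on line 27 is commented out without a reason, unlike the other disabled directives on this page (`#hostname galculator - breaks Arch Linux`, `#private-tmp - issues when using multiple browser sessions`); a trailing reason would let the next reviewer decide whether it can be enabled. The profile itself declares no `disable-*.inc` beyond disable-proc/disable-xdg, no `seccomp` and no `caps.drop`, so everything restricting the `sh`/`curl`/`aria2c`/`patch` toolchain listed in `private-bin` comes from the mpv.profile redirect on line 39, which is outside this page — worth confirming mpv.profile supplies that baseline.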
diff --git a/etc/profile-a-l/apostrophe.profile b/etc/profile-a-l/apostrophe.profile index 0655c2e6f..cc9c893de 100644 --- a/etc/profile-a-l/apostrophe.profile +++ b/etc/profile-a-l/apostrophe.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for apostrophe | 1 | # Firejail profile for apostrophe |
2 | # Description: Distraction free Markdown editor for GNU/Linux made with GTK+ | 2 | # Description: Distraction free Markdown editor for GNU/Linux made with GTK |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include apostrophe.local | 5 | include apostrophe.local |
diff --git a/etc/profile-a-l/archiver-common.profile b/etc/profile-a-l/archiver-common.profile index ef875c5b7..487e0c5f8 100644 --- a/etc/profile-a-l/archiver-common.profile +++ b/etc/profile-a-l/archiver-common.profile | |||
@@ -23,7 +23,6 @@ include disable-shell.inc | |||
23 | 23 | ||
24 | apparmor | 24 | apparmor |
25 | caps.drop all | 25 | caps.drop all |
26 | hostname archiver | ||
27 | ipc-namespace | 26 | ipc-namespace |
28 | machine-id | 27 | machine-id |
29 | net none | 28 | net none |
diff --git a/etc/profile-a-l/awesome.profile b/etc/profile-a-l/awesome.profile index d8c073c8d..910dd8a91 100644 --- a/etc/profile-a-l/awesome.profile +++ b/etc/profile-a-l/awesome.profile | |||
@@ -16,5 +16,4 @@ noroot | |||
16 | protocol unix,inet,inet6 | 16 | protocol unix,inet,inet6 |
17 | seccomp !chroot | 17 | seccomp !chroot |
18 | 18 | ||
19 | read-only ${HOME}/.config/awesome/autorun.sh | ||
20 | #restrict-namespaces | 19 | #restrict-namespaces |
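--- /dev/null
+++ b/etc/profile-a-l/blink-common-hardened.inc.profile
@@ -0,0 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include blink-common-hardened.inc.local
+
+caps.drop all
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+
+#restrict-namespaces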
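Review bot: The header on lines 1-2 uses the old two-line form (`# This file is overwritten during software install.` / `# Persistent customizations should go in a .local file.`), while chromium-common-hardened.inc.profile is rewritten in this same merge to the current header (title, overwrite notice, `# Persistent local customizations`, the `.local` include, `# Persistent global definitions`, `# added by caller profile`, `#include globals.local`); a newly added file should start from the new form rather than carry the old one forward. That header would also be the natural place to state that this include re-drops the `sys_admin,sys_chroot` kept by blink-common.profile and why `seccomp !chroot` is still needed (presumably the browser's own sandbox chroots), since that rationale is not written anywhere on this page.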
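--- /dev/null
+++ b/etc/profile-a-l/blink-common.profile
@@ -0,0 +1,40 @@
+# Firejail profile for blink-common
+# Description: Common profile for Blink-based applications
+# This file is overwritten after every install/update
+# Persistent local customizations
+include blink-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+#include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+# If your kernel allows the creation of user namespaces by unprivileged users
+# (for example, if running `unshare -U echo enabled` prints "enabled"), you
+# can add the next line to your blink-common.local.
+#include blink-common-hardened.inc.profile
+
+apparmor
+caps.keep sys_admin,sys_chroot
+netfilter
+nodvd
+nogroups
+noinput
+notv
+
+disable-mnt
+private-cache
+
+dbus-system none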
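Review bot: `caps.keep sys_admin,sys_chroot` on line 30 is the one directive here that leaves a privileged capability in the sandbox, and it carries no comment; without the hardened include (lines 24-27) this file also sets no `nonewprivs`, `noroot` or `seccomp`, so a reader has to open blink-common-hardened.inc.profile to learn how the baseline gets tightened. A two-line comment above it would do: `# sys_admin/sys_chroot are retained for the browser's own sandbox (presumably its SUID/namespace helper);` `# on kernels with unprivileged user namespaces, blink-common-hardened.inc.profile drops them again`. `#include whitelist-run-common.inc` on line 19 is commented out without a reason while chromium-common.profile keeps its own `include whitelist-run-common.inc`; noting that electron-common.profile never included it, and that this is why it stays out of the shared base, would explain the asymmetry.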
diff --git a/etc/profile-a-l/bluefish.profile b/etc/profile-a-l/bluefish.profile index d24f76262..e65f76a60 100644 --- a/etc/profile-a-l/bluefish.profile +++ b/etc/profile-a-l/bluefish.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for bluefish | 1 | # Firejail profile for bluefish |
2 | # Description: Advanced Gtk+ text editor for web and software development | 2 | # Description: Advanced GTK text editor for web and software development |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include bluefish.local | 5 | include bluefish.local |
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile index 7b0f7bdf0..9f83b8232 100644 --- a/etc/profile-a-l/celluloid.profile +++ b/etc/profile-a-l/celluloid.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for celluloid | 1 | # Firejail profile for celluloid |
2 | # Description: Simple GTK+ frontend for mpv | 2 | # Description: Simple GTK frontend for mpv |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include celluloid.local | 5 | include celluloid.local |
diff --git a/etc/profile-a-l/chafa.profile b/etc/profile-a-l/chafa.profile index 72f79681d..f21a34f36 100644 --- a/etc/profile-a-l/chafa.profile +++ b/etc/profile-a-l/chafa.profile | |||
@@ -39,6 +39,7 @@ nosound | |||
39 | notv | 39 | notv |
40 | nou2f | 40 | nou2f |
41 | novideo | 41 | novideo |
42 | # block socket syscall to simulate empty protocol option (see #639) | ||
42 | seccomp socket | 43 | seccomp socket |
43 | seccomp.block-secondary | 44 | seccomp.block-secondary |
44 | tracelog | 45 | tracelog |
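--- a/etc/profile-a-l/chromium-common-hardened.inc.profile
+++ b/etc/profile-a-l/chromium-common-hardened.inc.profile
@@ -1,11 +1,10 @@
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile alias for blink-common-hardened.inc
+# This file is overwritten after every install/update
+# Persistent local customizations
 include chromium-common-hardened.inc.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
 
-caps.drop all
-nonewprivs
-noroot
-protocol unix,inet,inet6,netlink
-seccomp !chroot
-
-#restrict-namespaces
+# Redirect
+include blink-common-hardened.inc.profile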
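--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -17,42 +17,21 @@ noblacklist /usr/lib/chromium/chrome-sandbox
 # to have access to Gnome extensions (extensions.gnome.org) via browser connector
 #include allow-python3.inc
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-xdg.inc
-
 mkdir ${HOME}/.local/share/pki
 mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.local/share/pki
 whitelist ${HOME}/.pki
 whitelist /usr/share/mozilla/extensions
 whitelist /usr/share/webext
-include whitelist-common.inc
 include whitelist-run-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
 
 # If your kernel allows the creation of user namespaces by unprivileged users
 # (for example, if running `unshare -U echo enabled` prints "enabled"), you
 # can add the next line to your chromium-common.local.
 #include chromium-common-hardened.inc.profile
 
-apparmor
-caps.keep sys_admin,sys_chroot
-netfilter
-nodvd
-nogroups
-noinput
-notv
 ?BROWSER_DISABLE_U2F: nou2f
 
-disable-mnt
-private-cache
 ?BROWSER_DISABLE_U2F: private-dev
 #private-tmp - issues when using multiple browser sessions
 
@@ -61,7 +40,9 @@ blacklist ${PATH}/wget
 blacklist ${PATH}/wget2
 
 #dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector.
-dbus-system none
 
 # The file dialog needs to work without d-bus.
 ?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1
+
+# Redirect
+include blink-common.profile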
diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile index e0f1bca94..7fefc68b1 100644 --- a/etc/profile-a-l/claws-mail.profile +++ b/etc/profile-a-l/claws-mail.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for claws-mail | 1 | # Firejail profile for claws-mail |
2 | # Description: Fast, lightweight and user-friendly GTK based email client | 2 | # Description: Fast, lightweight and user-friendly GTK-based email client |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include claws-mail.local | 5 | include claws-mail.local |
diff --git a/etc/profile-a-l/clipit.profile b/etc/profile-a-l/clipit.profile index 504bce0b1..321d59783 100644 --- a/etc/profile-a-l/clipit.profile +++ b/etc/profile-a-l/clipit.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for clipit | 1 | # Firejail profile for clipit |
2 | # Description: Lightweight GTK+ clipboard manager | 2 | # Description: Lightweight GTK clipboard manager |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include clipit.local | 5 | include clipit.local |
diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile index 8b7d2317c..180282869 100644 --- a/etc/profile-a-l/com.github.bleakgrey.tootle.profile +++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for com.github.bleakgrey.tootle | 1 | # Firejail profile for com.github.bleakgrey.tootle |
2 | # Description: Gtk Mastodon client | 2 | # Description: GTK Mastodon client |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include com.github.bleakgrey.tootle.local | 5 | include com.github.bleakgrey.tootle.local |
diff --git a/etc/profile-a-l/corebird.profile b/etc/profile-a-l/corebird.profile index 1774669f1..09f80d7bb 100644 --- a/etc/profile-a-l/corebird.profile +++ b/etc/profile-a-l/corebird.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for corebird | 1 | # Firejail profile for corebird |
2 | # Description: Native Gtk+ Twitter client for the Linux desktop | 2 | # Description: Native GTK Twitter client for the Linux desktop |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include corebird.local | 5 | include corebird.local |
diff --git a/etc/profile-a-l/cower.profile b/etc/profile-a-l/cower.profile index e896f3537..9b05b4416 100644 --- a/etc/profile-a-l/cower.profile +++ b/etc/profile-a-l/cower.profile | |||
@@ -45,5 +45,4 @@ private-dev | |||
45 | private-tmp | 45 | private-tmp |
46 | 46 | ||
47 | memory-deny-write-execute | 47 | memory-deny-write-execute |
48 | read-only ${HOME}/.config/cower/config | ||
49 | restrict-namespaces | 48 | restrict-namespaces |
diff --git a/etc/profile-a-l/deadbeef.profile b/etc/profile-a-l/deadbeef.profile index 4eb89503a..71afecd7a 100644 --- a/etc/profile-a-l/deadbeef.profile +++ b/etc/profile-a-l/deadbeef.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for deadbeef | 1 | # Firejail profile for deadbeef |
2 | # Description: A GTK+ audio player for GNU/Linux | 2 | # Description: A GTK audio player for GNU/Linux |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include deadbeef.local | 5 | include deadbeef.local |
diff --git a/etc/profile-a-l/dino-im.profile b/etc/profile-a-l/dino-im.profile index ae0549d3e..3f4e3a381 100644 --- a/etc/profile-a-l/dino-im.profile +++ b/etc/profile-a-l/dino-im.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for dino-im | 1 | # Firejail profile for dino-im |
2 | # Description: Modern XMPP Chat Client using GTK+/Vala, Ubuntu specific bin name | 2 | # Description: Modern XMPP Chat Client using GTK/Vala, Ubuntu specific bin name |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include dino-im.local | 5 | include dino-im.local |
diff --git a/etc/profile-a-l/dino.profile b/etc/profile-a-l/dino.profile index 1f7134ff2..fe2b59a1e 100644 --- a/etc/profile-a-l/dino.profile +++ b/etc/profile-a-l/dino.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for dino | 1 | # Firejail profile for dino |
2 | # Description: Modern XMPP Chat Client using GTK+/Vala | 2 | # Description: Modern XMPP Chat Client using GTK/Vala |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include dino.local | 5 | include dino.local |
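--- /dev/null
+++ b/etc/profile-a-l/discord-ptb.profile
@@ -0,0 +1,17 @@
+# Firejail profile for discord-ptb
+# This file is overwritten after every install/update
+# Persistent local customizations
+include discord-ptb.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/discordptb
+
+mkdir ${HOME}/.config/discordptb
+whitelist ${HOME}/.config/discordptb
+
+private-bin discord-ptb,DiscordPTB
+private-opt discord-ptb,DiscordPTB
+
+# Redirect
+include discord-common.profile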
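--- a/etc/profile-a-l/electron-common.profile
+++ b/etc/profile-a-l/electron-common.profile
@@ -7,40 +7,21 @@ include electron-common.local
 noblacklist ${HOME}/.config/Electron
 noblacklist ${HOME}/.config/electron*-flag*.conf
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-xdg.inc
-
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/Electron
 whitelist ${HOME}/.config/electron*-flag*.conf
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
 
 # If your kernel allows the creation of user namespaces by unprivileged users
 # (for example, if running `unshare -U echo enabled` prints "enabled"), you
 # can add the next line to your electron-common.local.
 #include electron-common-hardened.inc.profile
 
-apparmor
-caps.keep sys_admin,sys_chroot
-netfilter
-nodvd
-nogroups
-noinput
-notv
 nou2f
 novideo
 
-disable-mnt
-private-cache
 private-dev
 private-tmp
 
 dbus-user none
-dbus-system none
+
+# Redirect
+include blink-common.profile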
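Review bot: The hardened-kernel comment on lines 13-16 still tells users to include `electron-common-hardened.inc.profile`, a file that does not appear on this page; chromium-common-hardened.inc.profile was turned into a two-line alias for blink-common-hardened.inc.profile in this same merge, and if electron-common-hardened.inc.profile was not given the same treatment in a part of the merge not shown here it now duplicates the hardened directives in a second place. Otherwise the split looks consistent: `dbus-user none` stays here on line 24 while `dbus-system none` moves to blink-common.profile, matching chromium-common.profile keeping its commented `#dbus-user none` locally.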
diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile index 9f4fabd68..766fe523b 100644 --- a/etc/profile-a-l/electron-mail.profile +++ b/etc/profile-a-l/electron-mail.profile | |||
@@ -24,7 +24,6 @@ whitelist ${HOME}/.config/electron-mail | |||
24 | # there isn't a Firefox instance running with the default profile; see #5352) | 24 | # there isn't a Firefox instance running with the default profile; see #5352) |
25 | noblacklist ${HOME}/.mozilla | 25 | noblacklist ${HOME}/.mozilla |
26 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | 26 | whitelist ${HOME}/.mozilla/firefox/profiles.ini |
27 | read-only ${HOME}/.mozilla/firefox/profiles.ini | ||
28 | 27 | ||
29 | machine-id | 28 | machine-id |
30 | nosound | 29 | nosound |
diff --git a/etc/profile-a-l/element-desktop.profile b/etc/profile-a-l/element-desktop.profile index 48a826f2e..7b4994a85 100644 --- a/etc/profile-a-l/element-desktop.profile +++ b/etc/profile-a-l/element-desktop.profile | |||
@@ -18,6 +18,7 @@ whitelist /opt/Element | |||
18 | private-opt Element | 18 | private-opt Element |
19 | 19 | ||
20 | dbus-user filter | 20 | dbus-user filter |
21 | dbus-user.talk org.freedesktop.Notifications | ||
21 | dbus-user.talk org.freedesktop.secrets | 22 | dbus-user.talk org.freedesktop.secrets |
22 | 23 | ||
23 | # Redirect | 24 | # Redirect |
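--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -8,6 +8,7 @@ include email-common.local
 #include globals.local
 
 noblacklist ${HOME}/.bogofilter
+noblacklist ${HOME}/.bsfilter
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.signature
@@ -20,6 +21,9 @@ noblacklist /var/spool/mail
 
 noblacklist ${DOCUMENTS}
 
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -30,15 +34,18 @@ include disable-xdg.inc
 mkdir ${HOME}/.gnupg
 mkfile ${HOME}/.config/mimeapps.list
 mkfile ${HOME}/.signature
+whitelist ${HOME}/.bogofilter
+whitelist ${HOME}/.bsfilter
 whitelist ${HOME}/.config/mimeapps.list
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
 whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
 whitelist ${HOME}/.signature
 whitelist ${DOCUMENTS}
 whitelist ${DOWNLOADS}
 # when storing mail outside the default ${HOME}/Mail path, 'whitelist' the custom path in your email-common.local
 whitelist ${HOME}/Mail
 whitelist ${RUNUSER}/gnupg
+whitelist /usr/share/bogofilter
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 whitelist /var/lib/clamav
@@ -71,7 +78,7 @@ tracelog
 # disable-mnt
 private-cache
 private-dev
-private-etc @tls-ca,@x11,clamav,gnupg,hosts.conf,mailname,timezone
+private-etc @tls-ca,@x11,bogofilter,bogofilter.cf,gnupg,hosts.conf,mailname,timezone
 private-tmp
 # encrypting and signing email
 writable-run-user
@@ -86,6 +93,5 @@ dbus-user.talk org.gnome.seahorse.*
 dbus-user.talk org.mozilla.*
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.signature
 restrict-namespaces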
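Review bot: The `private-etc` line (new line 81) drops `clamav`, which the old line had, while `whitelist /var/lib/clamav` on line 51 is kept and the branch being merged exists, per the first parent's title, to allow the clamav plugin for claws-mail; unless the drop is intentional this looks like a merge-resolution loss, and the line should read `private-etc @tls-ca,@x11,bogofilter,bogofilter.cf,clamav,gnupg,hosts.conf,mailname,timezone`, since a plugin that reads its daemon configuration from /etc/clamav would otherwise not see it. Separately, `include allow-perl.inc` (lines 24-25) re-enables an interpreter inside every client that redirects to this profile, and its comment only says that perl was blacklisted, not which client or plugin needs it; `# Allow perl (blacklisted by disable-interpreters.inc) - needed by <plugin>` or moving the include into the specific client's profile would keep that widening scoped to the consumer that needs it.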
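--- a/etc/profile-a-l/engrampa.profile
+++ b/etc/profile-a-l/engrampa.profile
@@ -10,18 +10,21 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 
 include whitelist-var-common.inc
 
 apparmor
 caps.drop all
+machine-id
 net none
 no3d
 nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 nosound
 notv
@@ -29,6 +32,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 tracelog
 
 # private-bin engrampa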
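Review bot: `seccomp.block-secondary` (new line 35), `machine-id` (line 20) and `noprinters` (line 27) are added here one directive at a time, and file-roller.profile in this same merge receives `noprinters` the same way but no `seccomp.block-secondary` in the hunks shown; if that asymmetry is deliberate, a short comment next to the engrampa line would save the next pass from re-adding it to file-roller. archiver-common.profile, also touched in this merge, already carries `apparmor`, `caps.drop all`, `ipc-namespace`, `machine-id`, `net none`, so if the GUI archivers redirect to it (not visible from this page) the shared hardening would be better placed there once rather than duplicated per profile.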
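--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -29,6 +29,7 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 nosound
 notv
@@ -45,6 +46,10 @@ private-dev
 private-etc @x11
 # private-tmp
 
+dbus-user filter
+dbus-user.own org.gnome.ArchiveManager1
+dbus-user.own org.gnome.FileRoller
+dbus-user.talk ca.desrt.dconf
 dbus-system none
 
 restrict-namespaces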
diff --git a/etc/profile-a-l/file.profile b/etc/profile-a-l/file.profile index a5fd05bc7..78f1327c5 100644 --- a/etc/profile-a-l/file.profile +++ b/etc/profile-a-l/file.profile | |||
@@ -15,7 +15,6 @@ include disable-programs.inc | |||
15 | 15 | ||
16 | apparmor | 16 | apparmor |
17 | caps.drop all | 17 | caps.drop all |
18 | hostname file | ||
19 | ipc-namespace | 18 | ipc-namespace |
20 | machine-id | 19 | machine-id |
21 | net none | 20 | net none |
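--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -14,6 +14,9 @@ include globals.local
 # https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox
 # https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968
 
+# (Ignore entry from disable-common.inc)
+ignore read-only ${HOME}/.mozilla/firefox/profiles.ini
+
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
 noblacklist ${RUNUSER}/*firefox*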
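Review bot: The comment on new line 17 names where the `read-only` entry comes from but not why firefox must be exempt from it; email-common.profile and geary.profile drop their local `read-only ${HOME}/.mozilla/firefox/profiles.ini` in this same merge (consistent with the rule moving into disable-common.inc), so the reason the exemption is safe for firefox and not for the mail clients deserves a word, e.g. `# (Ignore entry from disable-common.inc; firefox itself maintains profiles.ini, presumably via its profile manager)`. As far as I recall, `ignore` only affects lines parsed after it, so its position ahead of the `disable-*.inc` includes is load-bearing — worth saying in the same comment so a future reorder does not silently re-enable the read-only mount.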
diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile index c8414ad1b..7cef2dbbb 100644 --- a/etc/profile-a-l/gajim.profile +++ b/etc/profile-a-l/gajim.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for gajim | 1 | # Firejail profile for gajim |
2 | # Description: GTK+-based Jabber client | 2 | # Description: GTK-based Jabber client |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include gajim.local | 5 | include gajim.local |
diff --git a/etc/profile-a-l/galculator.profile b/etc/profile-a-l/galculator.profile index 96ded592d..44d62cc86 100644 --- a/etc/profile-a-l/galculator.profile +++ b/etc/profile-a-l/galculator.profile | |||
@@ -23,7 +23,6 @@ include whitelist-var-common.inc | |||
23 | 23 | ||
24 | apparmor | 24 | apparmor |
25 | caps.drop all | 25 | caps.drop all |
26 | #hostname galculator - breaks Arch Linux | ||
27 | #ipc-namespace | 26 | #ipc-namespace |
28 | net none | 27 | net none |
29 | nodvd | 28 | nodvd |
diff --git a/etc/profile-a-l/gallery-dl.profile b/etc/profile-a-l/gallery-dl.profile index 9c8200dc4..9643820e7 100644 --- a/etc/profile-a-l/gallery-dl.profile +++ b/etc/profile-a-l/gallery-dl.profile | |||
@@ -15,4 +15,4 @@ private-bin gallery-dl | |||
15 | private-etc gallery-dl.conf | 15 | private-etc gallery-dl.conf |
16 | 16 | ||
17 | # Redirect | 17 | # Redirect |
18 | include youtube-dl.profile | 18 | include yt-dlp.profile |
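--- a/etc/profile-a-l/gdu.profile
+++ b/etc/profile-a-l/gdu.profile
@@ -26,7 +26,7 @@ nosound
 notv
 nou2f
 novideo
-# block the socket syscall to simulate an be empty protocol line, see #639
+# block socket syscall to simulate empty protocol option (see #639)
 seccomp socket
 seccomp.block-secondary
 x11 none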
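--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -91,5 +91,4 @@ dbus-user.talk org.gnome.evolution.dataserver.Sources5
 dbus-user.talk org.mozilla.*
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 restrict-namespaces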
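--- a/etc/profile-a-l/geekbench.profile
+++ b/etc/profile-a-l/geekbench.profile
@@ -25,7 +25,6 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-hostname geekbench
 ipc-namespace
 machine-id
 netfilter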
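--- a/etc/profile-a-l/geeqie.profile
+++ b/etc/profile-a-l/geeqie.profile
@@ -1,5 +1,5 @@
 # Firejail profile for geeqie
-# Description: Image viewer using GTK+
+# Description: Image viewer using GTK
 # This file is overwritten after every install/update
 # Persistent local customizations
 include geeqie.local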
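--- a/etc/profile-a-l/gtk-lbry-viewer.profile
+++ b/etc/profile-a-l/gtk-lbry-viewer.profile
@@ -1,12 +1,14 @@
 # Firejail profile for gtk-lbry-viewer
-# Description: Gtk front-end to lbry-viewer
+# Description: GTK front-end to lbry-viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk-lbry-viewer.local
 # added by included profile
 #include globals.local
 
-ignore quiet
+private-bin gtk-lbry-viewer
+
+include gtk-youtube-viewers-common.profile
 
 # Redirect
 include lbry-viewer.profile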
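--- a/etc/profile-a-l/gtk-pipe-viewer.profile
+++ b/etc/profile-a-l/gtk-pipe-viewer.profile
@@ -1,12 +1,14 @@
 # Firejail profile for gtk-pipe-viewer
-# Description: Gtk front-end to pipe-viewer
+# Description: GTK front-end to pipe-viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk-pipe-viewer.local
 # added by included profile
 #include globals.local
 
-ignore quiet
+private-bin gtk-pipe-viewer
+
+include gtk-youtube-viewers-common.profile
 
 # Redirect
 include pipe-viewer.profile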
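--- a/etc/profile-a-l/gtk-straw-viewer.profile
+++ b/etc/profile-a-l/gtk-straw-viewer.profile
@@ -1,12 +1,14 @@
 # Firejail profile for gtk-straw-viewer
-# Description: Gtk front-end to straw-viewer
+# Description: GTK front-end to straw-viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk-straw-viewer.local
 # added by included profile
 #include globals.local
 
-ignore quiet
+private-bin gtk-straw-viewer
+
+include gtk-youtube-viewers-common.profile
 
 # Redirect
 include straw-viewer.profile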
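--- a/etc/profile-a-l/gtk-youtube-viewer.profile
+++ b/etc/profile-a-l/gtk-youtube-viewer.profile
@@ -1,12 +1,14 @@
 # Firejail profile for gtk-youtube-viewer
-# Description: Gtk front-end to youtube-viewer
+# Description: GTK front-end to youtube-viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk-youtube-viewer.local
 # added by included profile
 #include globals.local
 
-ignore quiet
+private-bin gtk-youtube-viewer
+
+include gtk-youtube-viewers-common.profile
 
 # Redirect
 include youtube-viewer.profile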
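--- /dev/null
+++ b/etc/profile-a-l/gtk-youtube-viewers-common.profile
@@ -0,0 +1,22 @@
+# Firejail profile for gtk-youtube-viewer clones
+# Description: common profile for Trizen's gtk Youtube viewers
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk-youtube-viewers-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+ignore quiet
+
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+
+private-bin firefox,xterm
+
+dbus-user filter
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*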
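Review bot: The `whitelist ${HOME}/.mozilla/firefox/profiles.ini` line exposes the file read-write, although the comment above it says the sandbox only needs to read the default profile name from it; nothing in this new file marks it read-only. If none of the includes pulled in by the caller profiles already applies it, add `read-only ${HOME}/.mozilla/firefox/profiles.ini` directly after the whitelist so a compromised viewer cannot rewrite the Firefox profile list. This same commit removes the identical read-only line from geary, kube and linuxqq, which suggests the restriction may have been centralized in a common include; confirm that before adding it here rather than duplicating it.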
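--- a/etc/profile-a-l/gtk2-youtube-viewer.profile
+++ b/etc/profile-a-l/gtk2-youtube-viewer.profile
@@ -1,17 +1,14 @@
 # Firejail profile for gtk2-youtube-viewer
-# Description: Gtk front-end to youtube-viewer
+# Description: GTK front-end to youtube-viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk2-youtube-viewer.local
 # added by included profile
 #include globals.local
 
-ignore quiet
+private-bin gtk2-youtube-viewer
 
-noblacklist /tmp/.X11-unix
-noblacklist ${RUNUSER}
-
-include whitelist-runuser-common.inc
+include gtk-youtube-viewers-common.profile
 
 # Redirect
 include youtube-viewer.profile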
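Review bot: The three removed lines `noblacklist /tmp/.X11-unix`, `noblacklist ${RUNUSER}` and `include whitelist-runuser-common.inc` are not carried over into the new gtk-youtube-viewers-common.profile, which only handles the Firefox profile lookup, private-bin and D-Bus. Unless youtube-viewer.profile or the youtube-viewers-common.profile it redirects to already grants X11 socket and runtime-dir access, gtk2-youtube-viewer and gtk3-youtube-viewer (same hunk in the next section) lose it with this change while the other GTK front-ends never had it. If the tightening is intended, a one-line comment in the common profile saying so would stop the next contributor from re-adding it; if it is not, the three lines belong in the common profile so all six wrappers share one set of rules.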
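--- a/etc/profile-a-l/gtk3-youtube-viewer.profile
+++ b/etc/profile-a-l/gtk3-youtube-viewer.profile
@@ -1,17 +1,14 @@
 # Firejail profile for gtk3-youtube-viewer
-# Description: Gtk front-end to youtube-viewer
+# Description: GTK front-end to youtube-viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk3-youtube-viewer.local
 # added by included profile
 #include globals.local
 
-ignore quiet
+private-bin gtk3-youtube-viewer
 
-noblacklist /tmp/.X11-unix
-noblacklist ${RUNUSER}
-
-include whitelist-runuser-common.inc
+include gtk-youtube-viewers-common.profile
 
 # Redirect
 include youtube-viewer.profile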
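--- a/etc/profile-a-l/guvcview.profile
+++ b/etc/profile-a-l/guvcview.profile
@@ -1,5 +1,5 @@
 # Firejail profile for guvcview
-# Description: GTK+ base UVC Viewer
+# Description: GTK-based UVC Viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include guvcview.local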
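--- a/etc/profile-a-l/handbrake.profile
+++ b/etc/profile-a-l/handbrake.profile
@@ -1,5 +1,5 @@
 # Firejail profile for handbrake
-# Description: Versatile DVD ripper and video transcoder (GTK+ GUI)
+# Description: Versatile DVD ripper and video transcoder (GTK GUI)
 # This file is overwritten after every install/update
 # Persistent local customizations
 include handbrake.local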
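--- /dev/null
+++ b/etc/profile-a-l/jami.profile
@@ -0,0 +1,18 @@
+# Firejail profile for jami
+# Description: An encrypted peer-to-peer messenger
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jami.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+noblacklist ${HOME}/.config/jami.net
+
+mkdir ${HOME}/.config/jami.net
+mkdir ${HOME}/Videos/Jami
+whitelist ${HOME}/.config/jami.net
+whitelist ${HOME}/Videos/Jami
+
+# Redirect
+include jami-gnome.profile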
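Review bot: The header comment `# added by caller profile` above `#include globals.local` is the wording used for profiles that are included by others (as in gtk-youtube-viewers-common.profile earlier in this commit), but jami.profile is itself a redirect that ends in `include jami-gnome.profile`, so globals.local is brought in by the included profile. Change the line to `# added by included profile`, matching the new lobster.profile and DiscordPTB.profile in the same commit, so the comment tells the reader where the global definitions actually come from.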
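--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -93,6 +93,7 @@ private-etc
 private-tmp
 
 dbus-user filter
+dbus-user.own org.freedesktop.secrets
 dbus-user.own org.keepassxc.KeePassXC.*
 dbus-user.talk com.canonical.Unity
 dbus-user.talk org.freedesktop.ScreenSaver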
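Review bot: The new `dbus-user.own org.freedesktop.secrets` line has no comment, unlike the purpose-specific names around it, and it is the one rule in this filter that changes the sandbox's role from a D-Bus client to a session-wide service provider: owning this name lets the sandboxed KeePassXC answer Secret Service requests from every other application on the user's bus. Add `# allow KeePassXC to act as the Secret Service provider (only needed when its "Secret Service Integration" is enabled)` above it so a reader auditing the filter knows why the grant is there and can comment it out when the integration is not used. Whether this conflicts with another provider already owning the name (a desktop keyring daemon, for instance) is outside this hunk and worth confirming.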
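--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -77,5 +77,4 @@ dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.freedesktop.Notifications
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 restrict-namespaces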
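--- a/etc/profile-a-l/lbry-viewer.profile
+++ b/etc/profile-a-l/lbry-viewer.profile
@@ -15,7 +15,7 @@ mkdir ${HOME}/.cache/lbry-viewer
 whitelist ${HOME}/.cache/lbry-viewer
 whitelist ${HOME}/.config/lbry-viewer
 
-private-bin gtk-lbry-viewer,lbry-viewer
+private-bin lbry-viewer
 
 # Redirect
 include youtube-viewers-common.profile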
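--- a/etc/profile-a-l/leafpad.profile
+++ b/etc/profile-a-l/leafpad.profile
@@ -1,5 +1,5 @@
 # Firejail profile for leafpad
-# Description: GTK+ based simple text editor
+# Description: GTK-based simple text editor
 # This file is overwritten after every install/update
 # Persistent local customizations
 include leafpad.local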
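--- a/etc/profile-a-l/linuxqq.profile
+++ b/etc/profile-a-l/linuxqq.profile
@@ -37,7 +37,5 @@ dbus-user.talk org.gnome.Mutter.IdleMonitor
 dbus-user.talk org.mozilla.*
 ignore dbus-user none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
-
 # Redirect
 include electron-common.profile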
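--- /dev/null
+++ b/etc/profile-a-l/lobster.profile
@@ -0,0 +1,39 @@
+# Firejail profile for lobster
+# Description: Shell script to watch Movies/Webseries/Shows from the terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lobster.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.config/lobster
+noblacklist ${HOME}/.local/share/lobster
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+include disable-proc.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/lobster
+mkdir ${HOME}/.local/share/lobster
+whitelist ${HOME}/.config/lobster
+whitelist ${HOME}/.local/share/lobster
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+
+#machine-id
+nodvd
+noprinters
+notv
+
+disable-mnt
+private-bin curl,cut,fzf,grep,head,lobster,mv,patch,rm,sed,sh,tail,tput,tr,uname
+#private-cache
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-tmp
+
+# Redirect
+include mpv.profile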
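Review bot: `#machine-id` and `#private-cache` are left commented out with no reason recorded, whereas the convention elsewhere in this commit (galculator's `#hostname galculator - breaks Arch Linux`) is to say what breaks when the option is on. Record it inline, e.g. `#private-cache - breaks <what fails: TODO>`, or drop the lines if they were never tried, so a later maintainer tightening the profile knows whether re-enabling them is safe. The `private-bin` list also grants `curl`, `patch`, `mv` and `rm`; a short comment on what lobster uses them for (the self-update path, presumably) would make it easier to spot if the list ever grows beyond what the script needs.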