author | netblue30 <netblue30@protonmail.com> | 2021-12-28 18:48:13 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-12-28 18:48:13 +0000 |
commit | 92f438cf87234236939ed90db86162f4ae8bac76 (patch) | |
tree | 4f6f8fd560ca3c3ef978ce809d32213f1264a0c3 /etc/profile-a-l | |
parent | Implement a `whitelist-ro` command (diff) | |
parent | Merge pull request #4755 from kmk3/mpv-add-yt-dlp (diff) | |
Merge branch 'master' into whitelist-ro
Diffstat (limited to 'etc/profile-a-l')
-rw-r--r-- | etc/profile-a-l/cachy-browser.profile | 56 | ||||
-rw-r--r-- | etc/profile-a-l/chromium-common.profile | 3 | ||||
-rw-r--r-- | etc/profile-a-l/clipgrab.profile | 4 | ||||
-rw-r--r-- | etc/profile-a-l/com.github.tchx84.Flatseal.profile | 65 | ||||
-rw-r--r-- | etc/profile-a-l/dino.profile | 2 | ||||
-rw-r--r-- | etc/profile-a-l/elinks.profile | 3 | ||||
-rw-r--r-- | etc/profile-a-l/firefox-common.profile | 3 | ||||
-rw-r--r-- | etc/profile-a-l/highlight.profile | 3 |
8 files changed, 138 insertions, 1 deletions
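--- /dev/null
+++ b/etc/profile-a-l/cachy-browser.profile
@@ -0,0 +1,56 @@
+# Firejail profile for Cachy-Browser
+# Description: Librewolf fork based on enhanced privacy with gentoo patchset
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cachy-browser.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/cachy
+noblacklist ${HOME}/.cachy
+
+mkdir ${HOME}/.cache/cachy
+mkdir ${HOME}/.cachy
+whitelist ${HOME}/.cache/cachy
+whitelist ${HOME}/.cachy
+
+# Add the next lines to your cachy-browser.local if you want to use the migration wizard.
+#noblacklist ${HOME}/.mozilla
+#whitelist ${HOME}/.mozilla
+
+# To enable KeePassXC Plugin add one of the following lines to your cachy-browser.local.
+# NOTE: start KeePassXC before CachyBrowser and keep it open to allow communication between them.
+#whitelist ${RUNUSER}/kpxc_server
+#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
+
+whitelist /usr/share/doc
+whitelist /usr/share/gtk-doc/html
+whitelist /usr/share/mozilla
+whitelist /usr/share/webext
+include whitelist-usr-share-common.inc
+
+# Add the next line to your cachy-browser.local to enable private-bin (Arch Linux).
+#private-bin dbus-launch,dbus-send,cachy-browser,sh
+# Add the next line to your cachy-browser.local to enable private-etc.
+# NOTE: private-etc must first be enabled in firefox-common.local.
+#private-etc cachy-browser
+
+dbus-user filter
+dbus-user.own org.mozilla.cachybrowser.*
+# Add the next line to your cachy-browser.local to enable native notifications.
+#dbus-user.talk org.freedesktop.Notifications
+# Add the next line to your cachy-browser.local to allow inhibiting screensavers.
+#dbus-user.talk org.freedesktop.ScreenSaver
+# Add the next lines to your cachy-browser.local for plasma browser integration.
+#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
+#dbus-user.talk org.kde.JobViewServer
+#dbus-user.talk org.kde.kuiserver
+# Add the next line to your cachy-browser.local to allow screensharing under Wayland.
+#dbus-user.talk org.freedesktop.portal.Desktop
+# Also add the next line to your cachy-browser.local if screensharing does not work with
+# the above lines (depends on the portal implementation).
+#ignore noroot
+ignore dbus-user none
+
+# Redirect
+include firefox-common.profile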
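Review bot: The whitelist on lines 9–15 assumes Cachy-Browser keeps its data under `${HOME}/.cachy` and `${HOME}/.cache/cachy`, but the header describes it as a Librewolf fork, so it is worth confirming the fork actually moved away from Librewolf's own directory layout; with whitelisting active, a wrong path presumably means the browser writes its profile into the throwaway home overlay and loses it on exit. A short comment recording where the path was verified would help, e.g. `# Cachy-Browser stores its profile in ~/.cachy (verified against <version placeholder>)`. The commented `#private-bin dbus-launch,dbus-send,cachy-browser,sh` matches the other firefox-based profiles and needs no change.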
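--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -53,6 +53,9 @@ private-cache
 ?BROWSER_DISABLE_U2F: private-dev
 #private-tmp - issues when using multiple browser sessions
 
+blacklist ${PATH}/curl
+blacklist ${PATH}/wget
+
 #dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector.
 dbus-system none
 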
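Review bot: The new `blacklist ${PATH}/curl` and `blacklist ${PATH}/wget` lines carry no comment saying what they are for, unlike the neighbouring entries, and the identical pair is added to firefox-common.profile in this same commit, so the two copies will drift unless they live in one place. Suggest `# Deny command-line download tools inside the browser sandbox` above them, and a small shared include that both common profiles pull in if no existing .inc already fits. Worth noting in that comment that a name-based blacklist only hides these two binaries and does not change the browser's own network access, so it is hardening rather than a boundary.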
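--- a/etc/profile-a-l/clipgrab.profile
+++ b/etc/profile-a-l/clipgrab.profile
@@ -6,10 +6,14 @@ include clipgrab.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.config/ClipGrab
 noblacklist ${HOME}/.config/Philipp Schmieder
 noblacklist ${HOME}/.pki
 noblacklist ${VIDEOS}
 
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc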
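Review bot: `include allow-python3.inc` re-enables the Python interpreter for the whole sandbox, but the hunk does not say which ClipGrab feature needs it; presumably the youtube-dl/yt-dlp download backend (the merged parent mentions yt-dlp for mpv), which should be confirmed and recorded, e.g. `# Allow python (blacklisted by disable-interpreters.inc) - needed for the yt-dlp/youtube-dl backend`. The new `noblacklist ${HOME}/.config/ClipGrab` has no matching `mkdir`/`whitelist` pair; whether one is required depends on whether the profile includes whitelist-common.inc, which lies outside this hunk.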
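--- /dev/null
+++ b/etc/profile-a-l/com.github.tchx84.Flatseal.profile
@@ -0,0 +1,65 @@
+# Firejail profile for flatseal
+# This file is overwritten after every install/update
+# Persistent local customizations
+include com.github.tchx84.Flatseal.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/flatpak/overrides
+noblacklist /var/lib/flatpak/app
+
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/flatpak/overrides
+whitelist ${HOME}/.local/share/flatpak/overrides
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin com.github.tchx84.Flatseal,gjs
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
+private-tmp
+
+dbus-user filter
+dbus-user.own com.github.tchx84.Flatseal
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.impl.portal.PermissionStore
+dbus-user.talk org.gnome.Software
+dbus-system none
+
+read-write ${HOME}/.local/share/flatpak/overrides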
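Review bot: The trailing `read-write ${HOME}/.local/share/flatpak/overrides` is unexplained; the directory is already created and whitelisted on lines 23–24, so the read-write presumably reverts a read-only applied by one of the disable-*.inc includes, and that reason should be stated, e.g. `# an include above marks this dir read-only; Flatseal must write the overrides`. `dbus-user.talk org.gnome.Software` likewise has no visible connection to editing flatpak permissions and deserves a one-line comment, while the `org.freedesktop.impl.portal.PermissionStore` talk is the app's core function and is fine as is. Also worth checking that `noblacklist /var/lib/flatpak/app` is sufficient with `whitelist-var-common.inc` in effect: if that include whitelists /var, the app directory may additionally need a `whitelist` entry or Flatseal might list no installed apps.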
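--- a/etc/profile-a-l/dino.profile
+++ b/etc/profile-a-l/dino.profile
@@ -32,7 +32,7 @@ nonewprivs
 noroot
 notv
 nou2f
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 seccomp.block-secondary
 shell none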
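Review bot: Adding `netlink` to `protocol` widens the socket families the sandbox may open, and the line gives no reason, so a later reviewer cannot tell whether it may be dropped again; a comment such as `# netlink needed for <feature placeholder> (e.g. interface enumeration)` above the line would record that. I cannot tell from the hunk which Dino feature triggered the change, so the feature name is a placeholder for the author to fill in.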
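--- a/etc/profile-a-l/elinks.profile
+++ b/etc/profile-a-l/elinks.profile
@@ -9,6 +9,9 @@ include globals.local
 
 noblacklist ${HOME}/.elinks
 
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
 mkdir ${HOME}/.elinks
 whitelist ${HOME}/.elinks
 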
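Review bot: `include allow-lua.inc` lifts the interpreter blacklist for Lua inside the sandbox, and the stock comment explains the mechanism but not the need; elinks only uses Lua when built with scripting support, so extending the comment to `# Allow lua (blacklisted by disable-interpreters.inc) - elinks scripting hooks` would document the trade-off. The same applies to the identical hunk in highlight.profile, where the reason is presumably its Lua plugin support and should be stated there too.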
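--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -59,6 +59,9 @@ disable-mnt
 #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
 
+blacklist ${PATH}/curl
+blacklist ${PATH}/wget
+
 # 'dbus-user none' breaks various desktop integration features like global menus, native notifications,
 # Gnome connector, KDE connect and power management on KDE Plasma.
 dbus-user none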
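--- a/etc/profile-a-l/highlight.profile
+++ b/etc/profile-a-l/highlight.profile
@@ -8,6 +8,9 @@ include globals.local
 
 blacklist ${RUNUSER}
 
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc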