diff options
| author |  rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2020-12-17 08:45:35 +0000 |
|---|---|---|
| committer |  GitHub <noreply@github.com> | 2020-12-17 08:45:35 +0000 |
| commit | f4f6767458208a127084e4c0103fab88761d9056 (patch) | |
| tree | ff349c113ca4f3fc70cd9839a1775bb49092cab3 /etc/profile-a-l | |
| parent | Archiver fixes - drop private-bin (#3832) (diff) | |
| download | firejail-f4f6767458208a127084e4c0103fab88761d9056.tar.gz firejail-f4f6767458208a127084e4c0103fab88761d9056.tar.zst firejail-f4f6767458208a127084e4c0103fab88761d9056.zip | |
Refactor electron.profile and electron based programs (#3807)
* Refactor electron.profile and electron based programs (1)
* Refactor electron.profile and electron based programs (2)
* Refactor electron.profile and electron based programs (3)
* Refactor electron.profile and electron based programs (4)
* Refactor electron.profile and electron based programs (5)
* Refactor electron.profile and electron based programs (6)
* Refactor electron.profile and electron based programs (7)
* Refactor electron.profile and electron based programs (8)
Diffstat (limited to 'etc/profile-a-l')
| -rw-r--r-- | etc/profile-a-l/atom.profile | 32 | ||||
| -rw-r--r-- | etc/profile-a-l/beaker.profile | 21 | ||||
| -rw-r--r-- | etc/profile-a-l/discord-common.profile | 37 | ||||
| -rw-r--r-- | etc/profile-a-l/electron.profile | 28 | ||||
| -rw-r--r-- | etc/profile-a-l/freetube.profile | 11 | ||||
| -rw-r--r-- | etc/profile-a-l/github-desktop.profile | 46 | ||||
| -rw-r--r-- | etc/profile-a-l/jitsi-meet-desktop.profile | 22 |
7 files changed, 88 insertions, 109 deletions
diff --git a/etc/profile-a-l/atom.profile b/etc/profile-a-l/atom.profile index cf0a5a42b..f21a5febf 100644 --- a/etc/profile-a-l/atom.profile +++ b/etc/profile-a-l/atom.profile | |||
| @@ -6,31 +6,27 @@ include atom.local | |||
| 6 | # Persistent global definitions | 6 | # Persistent global definitions |
| 7 | include globals.local | 7 | include globals.local |
| 8 | 8 | ||
| 9 | # Disabled until someone reported positive feedback | ||
| 10 | ignore include disable-devel.inc | ||
| 11 | ignore include disable-interpreters.inc | ||
| 12 | ignore include disable-xdg.inc | ||
| 13 | ignore whitelist ${DOWNLOADS} | ||
| 14 | ignore include whitelist-common.inc | ||
| 15 | ignore include whitelist-runuser-common.inc | ||
| 16 | ignore include whitelist-usr-share-common.inc | ||
| 17 | ignore include whitelist-var-common.inc | ||
| 18 | ignore apparmor | ||
| 19 | ignore disable-mnt | ||
| 20 | |||
| 9 | noblacklist ${HOME}/.atom | 21 | noblacklist ${HOME}/.atom |
| 10 | noblacklist ${HOME}/.config/Atom | 22 | noblacklist ${HOME}/.config/Atom |
| 11 | 23 | ||
| 12 | # Allows files commonly used by IDEs | 24 | # Allows files commonly used by IDEs |
| 13 | include allow-common-devel.inc | 25 | include allow-common-devel.inc |
| 14 | 26 | ||
| 15 | include disable-common.inc | ||
| 16 | include disable-exec.inc | ||
| 17 | include disable-passwdmgr.inc | ||
| 18 | include disable-programs.inc | ||
| 19 | |||
| 20 | caps.keep sys_admin,sys_chroot | ||
| 21 | # net none | 27 | # net none |
| 22 | netfilter | 28 | netfilter |
| 23 | nodvd | ||
| 24 | nogroups | ||
| 25 | nosound | 29 | nosound |
| 26 | notv | ||
| 27 | nou2f | ||
| 28 | novideo | ||
| 29 | shell none | ||
| 30 | |||
| 31 | private-cache | ||
| 32 | private-dev | ||
| 33 | private-tmp | ||
| 34 | 30 | ||
| 35 | dbus-user none | 31 | # Redirect |
| 36 | dbus-system none | 32 | include electron.profile |
diff --git a/etc/profile-a-l/beaker.profile b/etc/profile-a-l/beaker.profile index cc1886a49..f3a9568bd 100644 --- a/etc/profile-a-l/beaker.profile +++ b/etc/profile-a-l/beaker.profile | |||
| @@ -3,17 +3,26 @@ | |||
| 3 | # Persistent local customizations | 3 | # Persistent local customizations |
| 4 | include beaker.local | 4 | include beaker.local |
| 5 | # Persistent global definitions | 5 | # Persistent global definitions |
| 6 | # added by included profile | 6 | include globals.local |
| 7 | #include globals.local | ||
| 8 | 7 | ||
| 9 | noblacklist ${HOME}/.config/Beaker Browser | 8 | # Disabled until someone reported positive feedback |
| 9 | ignore include disable-exec.inc | ||
| 10 | ignore include disable-xdg.inc | ||
| 11 | ignore include whitelist-runuser-common.inc | ||
| 12 | ignore include whitelist-usr-share-common.inc | ||
| 13 | ignore include whitelist-var-common.inc | ||
| 14 | ignore nou2f | ||
| 15 | ignore novideo | ||
| 16 | ignore shell none | ||
| 17 | ignore disable-mnt | ||
| 18 | ignore private-cache | ||
| 19 | ignore private-dev | ||
| 20 | ignore private-tmp | ||
| 10 | 21 | ||
| 11 | include disable-devel.inc | 22 | noblacklist ${HOME}/.config/Beaker Browser |
| 12 | include disable-interpreters.inc | ||
| 13 | 23 | ||
| 14 | mkdir ${HOME}/.config/Beaker Browser | 24 | mkdir ${HOME}/.config/Beaker Browser |
| 15 | whitelist ${HOME}/.config/Beaker Browser | 25 | whitelist ${HOME}/.config/Beaker Browser |
| 16 | include whitelist-common.inc | ||
| 17 | 26 | ||
| 18 | # Redirect | 27 | # Redirect |
| 19 | include electron.profile | 28 | include electron.profile |
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile index 35bea4aaa..e6edbd7eb 100644 --- a/etc/profile-a-l/discord-common.profile +++ b/etc/profile-a-l/discord-common.profile | |||
| @@ -6,33 +6,24 @@ include discord-common.local | |||
| 6 | # added by caller profile | 6 | # added by caller profile |
| 7 | #include globals.local | 7 | #include globals.local |
| 8 | 8 | ||
| 9 | ignore noexec ${HOME} | 9 | # Disabled until someone reported positive feedback |
| 10 | ignore include disable-interpreters.inc | ||
| 11 | ignore include disable-xdg.inc | ||
| 12 | ignore include whitelist-runuser-common.inc | ||
| 13 | ignore include whitelist-usr-share-common.inc | ||
| 14 | ignore apparmor | ||
| 15 | ignore disable-mnt | ||
| 16 | ignore private-cache | ||
| 17 | ignore dbus-user none | ||
| 18 | ignore dbus-system none | ||
| 10 | 19 | ||
| 11 | include disable-common.inc | 20 | ignore noexec ${HOME} |
| 12 | include disable-devel.inc | ||
| 13 | include disable-exec.inc | ||
| 14 | include disable-passwdmgr.inc | ||
| 15 | include disable-programs.inc | ||
| 16 | 21 | ||
| 17 | whitelist ${DOWNLOADS} | ||
| 18 | whitelist ${HOME}/.config/BetterDiscord | 22 | whitelist ${HOME}/.config/BetterDiscord |
| 19 | whitelist ${HOME}/.local/share/betterdiscordctl | 23 | whitelist ${HOME}/.local/share/betterdiscordctl |
| 20 | include whitelist-common.inc | ||
| 21 | include whitelist-var-common.inc | ||
| 22 | |||
| 23 | caps.drop all | ||
| 24 | netfilter | ||
| 25 | nodvd | ||
| 26 | nogroups | ||
| 27 | nonewprivs | ||
| 28 | noroot | ||
| 29 | notv | ||
| 30 | nou2f | ||
| 31 | novideo | ||
| 32 | protocol unix,inet,inet6,netlink | ||
| 33 | seccomp !chroot | ||
| 34 | 24 | ||
| 35 | private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh | 25 | private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh |
| 36 | private-dev | ||
| 37 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl | 26 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl |
| 38 | private-tmp | 27 | |
| 28 | # Redirect | ||
| 29 | include electron.profile | ||
diff --git a/etc/profile-a-l/electron.profile b/etc/profile-a-l/electron.profile index 9b99c7ffb..d3be07c9d 100644 --- a/etc/profile-a-l/electron.profile +++ b/etc/profile-a-l/electron.profile | |||
| @@ -3,25 +3,39 @@ | |||
| 3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
| 4 | # Persistent local customizations | 4 | # Persistent local customizations |
| 5 | include electron.local | 5 | include electron.local |
| 6 | # Persistent global definitions | ||
| 7 | include globals.local | ||
| 8 | 6 | ||
| 9 | include disable-common.inc | 7 | include disable-common.inc |
| 8 | include disable-devel.inc | ||
| 9 | include disable-exec.inc | ||
| 10 | include disable-interpreters.inc | ||
| 10 | include disable-passwdmgr.inc | 11 | include disable-passwdmgr.inc |
| 11 | include disable-programs.inc | 12 | include disable-programs.inc |
| 13 | include disable-xdg.inc | ||
| 12 | 14 | ||
| 13 | whitelist ${DOWNLOADS} | 15 | whitelist ${DOWNLOADS} |
| 16 | include whitelist-common.inc | ||
| 17 | include whitelist-runuser-common.inc | ||
| 18 | include whitelist-usr-share-common.inc | ||
| 19 | include whitelist-var-common.inc | ||
| 20 | |||
| 21 | # Uncomment the next line (or add it to your chromium-common.local) | ||
| 22 | # if your kernel allows unprivileged userns clone. | ||
| 23 | #include chromium-common-hardened.inc | ||
| 14 | 24 | ||
| 15 | apparmor | 25 | apparmor |
| 16 | caps.drop all | 26 | caps.keep sys_admin,sys_chroot |
| 17 | netfilter | 27 | netfilter |
| 18 | nodvd | 28 | nodvd |
| 19 | nogroups | 29 | nogroups |
| 20 | nonewprivs | ||
| 21 | noroot | ||
| 22 | notv | 30 | notv |
| 23 | protocol unix,inet,inet6,netlink | 31 | nou2f |
| 24 | seccomp | 32 | novideo |
| 33 | shell none | ||
| 34 | |||
| 35 | disable-mnt | ||
| 36 | private-cache | ||
| 37 | private-dev | ||
| 38 | private-tmp | ||
| 25 | 39 | ||
| 26 | dbus-user none | 40 | dbus-user none |
| 27 | dbus-system none | 41 | dbus-system none |
diff --git a/etc/profile-a-l/freetube.profile b/etc/profile-a-l/freetube.profile index 91f0caf87..20a5d609e 100644 --- a/etc/profile-a-l/freetube.profile +++ b/etc/profile-a-l/freetube.profile | |||
| @@ -8,24 +8,13 @@ include globals.local | |||
| 8 | 8 | ||
| 9 | noblacklist ${HOME}/.config/FreeTube | 9 | noblacklist ${HOME}/.config/FreeTube |
| 10 | 10 | ||
| 11 | include disable-devel.inc | ||
| 12 | include disable-exec.inc | ||
| 13 | include disable-interpreters.inc | ||
| 14 | include disable-shell.inc | 11 | include disable-shell.inc |
| 15 | include disable-xdg.inc | ||
| 16 | 12 | ||
| 17 | mkdir ${HOME}/.config/FreeTube | 13 | mkdir ${HOME}/.config/FreeTube |
| 18 | whitelist ${HOME}/.config/FreeTube | 14 | whitelist ${HOME}/.config/FreeTube |
| 19 | 15 | ||
| 20 | seccomp !chroot | ||
| 21 | shell none | ||
| 22 | |||
| 23 | disable-mnt | ||
| 24 | private-bin freetube | 16 | private-bin freetube |
| 25 | private-cache | ||
| 26 | private-dev | ||
| 27 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg | 17 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg |
| 28 | private-tmp | ||
| 29 | 18 | ||
| 30 | # Redirect | 19 | # Redirect |
| 31 | include electron.profile | 20 | include electron.profile |
diff --git a/etc/profile-a-l/github-desktop.profile b/etc/profile-a-l/github-desktop.profile index 152396553..325c54ced 100644 --- a/etc/profile-a-l/github-desktop.profile +++ b/etc/profile-a-l/github-desktop.profile | |||
| @@ -6,43 +6,35 @@ include github-desktop.local | |||
| 6 | # Persistent global definitions | 6 | # Persistent global definitions |
| 7 | include globals.local | 7 | include globals.local |
| 8 | 8 | ||
| 9 | # Note: On debian-based distributions the binary might be located in | ||
| 10 | # /opt/GitHub Desktop/github-desktop, and therefore not be in PATH. | ||
| 11 | # If that's the case you can start GitHub Desktop with firejail via | ||
| 12 | # `firejail "/opt/GitHub Desktop/github-desktop"`. | ||
| 13 | |||
| 14 | # Disabled until someone reported positive feedback | ||
| 15 | ignore include disable-xdg.inc | ||
| 16 | ignore whitelist ${DOWNLOADS} | ||
| 17 | ignore include whitelist-common.inc | ||
| 18 | ignore include whitelist-runuser-common.inc | ||
| 19 | ignore include whitelist-usr-share-common.inc | ||
| 20 | ignore include whitelist-var-common.inc | ||
| 21 | ignore apparmor | ||
| 22 | ignore dbus-user none | ||
| 23 | ignore dbus-system none | ||
| 24 | |||
| 9 | noblacklist ${HOME}/.config/GitHub Desktop | 25 | noblacklist ${HOME}/.config/GitHub Desktop |
| 10 | noblacklist ${HOME}/.config/git | 26 | noblacklist ${HOME}/.config/git |
| 11 | noblacklist ${HOME}/.gitconfig | 27 | noblacklist ${HOME}/.gitconfig |
| 12 | noblacklist ${HOME}/.git-credentials | 28 | noblacklist ${HOME}/.git-credentials |
| 13 | 29 | ||
| 14 | include disable-common.inc | ||
| 15 | include disable-passwdmgr.inc | ||
| 16 | include disable-programs.inc | ||
| 17 | include disable-devel.inc | ||
| 18 | include disable-exec.inc | ||
| 19 | include disable-interpreters.inc | ||
| 20 | |||
| 21 | caps.drop all | ||
| 22 | netfilter | ||
| 23 | # no3d | 30 | # no3d |
| 24 | nodvd | ||
| 25 | nogroups | ||
| 26 | nonewprivs | ||
| 27 | noroot | ||
| 28 | nosound | 31 | nosound |
| 29 | notv | ||
| 30 | nou2f | ||
| 31 | novideo | ||
| 32 | protocol unix,inet,inet6,netlink | ||
| 33 | seccomp !chroot | ||
| 34 | 32 | ||
| 35 | # Note: On debian-based distributions the binary might be located in | ||
| 36 | # /opt/GitHub Desktop/github-desktop, and therefore not be in PATH. | ||
| 37 | # If that's the case you can start GitHub Desktop with firejail via | ||
| 38 | # `firejail "/opt/GitHub Desktop/github-desktop"`. | ||
| 39 | |||
| 40 | disable-mnt | ||
| 41 | # private-bin github-desktop | 33 | # private-bin github-desktop |
| 42 | private-cache | ||
| 43 | ?HAS_APPIMAGE: ignore private-dev | 34 | ?HAS_APPIMAGE: ignore private-dev |
| 44 | private-dev | ||
| 45 | # private-lib | 35 | # private-lib |
| 46 | private-tmp | ||
| 47 | 36 | ||
| 48 | # memory-deny-write-execute | 37 | # memory-deny-write-execute |
| 38 | |||
| 39 | # Redirect | ||
| 40 | include electron.profile | ||
diff --git a/etc/profile-a-l/jitsi-meet-desktop.profile b/etc/profile-a-l/jitsi-meet-desktop.profile index c4121d835..e5beb741a 100644 --- a/etc/profile-a-l/jitsi-meet-desktop.profile +++ b/etc/profile-a-l/jitsi-meet-desktop.profile | |||
| @@ -6,34 +6,22 @@ include jitsi-meet-desktop.local | |||
| 6 | # Persistent global definitions | 6 | # Persistent global definitions |
| 7 | include globals.local | 7 | include globals.local |
| 8 | 8 | ||
| 9 | # Disabled until someone reported positive feedback | ||
| 10 | ignore nou2f | ||
| 11 | ignore novideo | ||
| 12 | ignore shell none | ||
| 13 | |||
| 9 | ignore noexec /tmp | 14 | ignore noexec /tmp |
| 10 | 15 | ||
| 11 | noblacklist ${HOME}/.config/Jitsi Meet | 16 | noblacklist ${HOME}/.config/Jitsi Meet |
| 12 | 17 | ||
| 13 | include disable-devel.inc | ||
| 14 | include disable-exec.inc | ||
| 15 | include disable-interpreters.inc | ||
| 16 | include disable-xdg.inc | ||
| 17 | |||
| 18 | nowhitelist ${DOWNLOADS} | 18 | nowhitelist ${DOWNLOADS} |
| 19 | 19 | ||
| 20 | mkdir ${HOME}/.config/Jitsi Meet | 20 | mkdir ${HOME}/.config/Jitsi Meet |
| 21 | |||
| 22 | whitelist ${HOME}/.config/Jitsi Meet | 21 | whitelist ${HOME}/.config/Jitsi Meet |
| 23 | 22 | ||
| 24 | include whitelist-common.inc | ||
| 25 | include whitelist-usr-share-common.inc | ||
| 26 | include whitelist-runuser-common.inc | ||
| 27 | include whitelist-var-common.inc | ||
| 28 | |||
| 29 | seccomp !chroot | ||
| 30 | |||
| 31 | disable-mnt | ||
| 32 | private-bin bash,jitsi-meet-desktop | 23 | private-bin bash,jitsi-meet-desktop |
| 33 | private-cache | ||
| 34 | private-dev | ||
| 35 | private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg | 24 | private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg |
| 36 | private-tmp | ||
| 37 | 25 | ||
| 38 | # Redirect | 26 | # Redirect |
| 39 | include electron.profile | 27 | include electron.profile |