Refactor electron.profile and electron based programs (#3807)

* Refactor electron.profile and electron based programs (1) * Refactor electron.profile and electron based programs (2) * Refactor electron.profile and electron based programs (3) * Refactor electron.profile and electron based programs (4) * Refactor electron.profile and electron based programs (5) * Refactor electron.profile and electron based programs (6) * Refactor electron.profile and electron based programs (7) * Refactor electron.profile and electron based programs (8)
author: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2020-12-17 08:45:35 +0000
committer: GitHub <noreply@github.com> 2020-12-17 08:45:35 +0000
commit: f4f6767458208a127084e4c0103fab88761d9056 (patch)
tree: ff349c113ca4f3fc70cd9839a1775bb49092cab3 /etc/profile-m-z
parent: Archiver fixes - drop private-bin (#3832) (diff)
download: firejail-f4f676745.tar.gz
firejail-f4f676745.tar.zst
firejail-f4f676745.zip
16 files changed, 111 insertions, 242 deletions
diff --git a/etc/profile-m-z/nuclear.profile b/etc/profile-m-z/nuclear.profile
index 1b97eda9b..a7c091196 100644
--- a/etc/profile-m-z/nuclear.profile
+++ b/etc/profile-m-z/nuclear.profile
@@ -10,31 +10,16 @@ ignore dbus-user
 noblacklist ${HOME}/.config/nuclear
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
 include disable-shell.inc 
-include disable-xdg.inc
 mkdir ${HOME}/.config/nuclear
 whitelist ${HOME}/.config/nuclear
-include whitelist-common.inc 
-include whitelist-runuser-common.inc 
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
 no3d
-nou2f
-novideo
-shell none
-disable-mnt
 # private-bin nuclear
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt nuclear
-private-tmp
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/riot-desktop.profile b/etc/profile-m-z/riot-desktop.profile
index 4372fabe1..e91d25196 100644
--- a/etc/profile-m-z/riot-desktop.profile
+++ b/etc/profile-m-z/riot-desktop.profile
@@ -7,7 +7,5 @@ include riot-desktop.local
 # added by included profile
 #include globals.local
-seccomp !chroot
 # Redirect
 include riot-web.profile
diff --git a/etc/profile-m-z/riot-web.profile b/etc/profile-m-z/riot-web.profile
index b930adf2b..c48fd1542 100644
--- a/etc/profile-m-z/riot-web.profile
+++ b/etc/profile-m-z/riot-web.profile
@@ -4,14 +4,16 @@
 # Persistent local customizations
 include riot-web.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
+ignore noexec /tmp
 noblacklist ${HOME}/.config/Riot
 mkdir ${HOME}/.config/Riot
 whitelist ${HOME}/.config/Riot
-include whitelist-common.inc
+whitelist /usr/share/chromium
+whitelist /usr/share/webapps/element
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/rocketchat.profile b/etc/profile-m-z/rocketchat.profile
index a574e4e8b..8d3607c75 100644
--- a/etc/profile-m-z/rocketchat.profile
+++ b/etc/profile-m-z/rocketchat.profile
@@ -3,14 +3,28 @@
 # Persistent local customizations
 include rocketchat.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
+# Disabled until someone reported positive feedback
+ignore include disable-devel.inc
+ignore include disable-exec.inc
+ignore include disable-interpreters.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore nou2f
+ignore novideo
+ignore shell none
+ignore disable-mnt
+ignore private-cache
+ignore private-dev
+ignore private-tmp
 noblacklist ${HOME}/.config/Rocket.Chat
 mkdir ${HOME}/.config/Rocket.Chat
 whitelist ${HOME}/.config/Rocket.Chat
-include whitelist-common.inc
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
index c28571270..08e1c1f03 100644
--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -5,6 +5,13 @@ include signal-desktop.local
 # Persistent global definitions
 include globals.local
+# Disabled until someone reported positive feedback
+ignore include-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore private-cache
+ignore novideo
 ignore noexec /tmp
 noblacklist ${HOME}/.config/Signal
@@ -14,32 +21,12 @@ noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.mozilla/firefox/profiles.ini
-include disable-common.inc
-include disable-devel.inc
 include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-passwdmgr.inc
 mkdir ${HOME}/.config/Signal
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/Signal
-include whitelist-common.inc
-include whitelist-var-common.inc
-apparmor
-caps.keep sys_admin,sys_chroot
-netfilter
-nodvd
-nogroups
-notv
-nou2f
-shell none
-disable-mnt
-private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
-private-tmp
-dbus-user none
+# Redirect
-dbus-system none
+include electron.profile
diff --git a/etc/profile-m-z/skypeforlinux.profile b/etc/profile-m-z/skypeforlinux.profile
index 341c25a95..b39763981 100644
--- a/etc/profile-m-z/skypeforlinux.profile
+++ b/etc/profile-m-z/skypeforlinux.profile
@@ -5,27 +5,24 @@ include skypeforlinux.local
 # Persistent global definitions
 include globals.local
+# Disabled until someone reported positive feedback
+ignore whitelist ${DOWNLOADS}
+ignore include whitelist-common.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore nou2f
+ignore novideo
+ignore private-dev
+ignore dbus-user none
+ignore dbus-system none
 # breaks Skype
 ignore noexec /tmp
 noblacklist ${HOME}/.config/skypeforlinux
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
-caps.keep sys_admin,sys_chroot
-netfilter
-nodvd
-nogroups
-notv
-shell none
-disable-mnt
-private-cache
 # private-dev - needs /dev/disk
-private-tmp
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/slack.profile b/etc/profile-m-z/slack.profile
index 8ab3edd63..9ad772cd5 100644
--- a/etc/profile-m-z/slack.profile
+++ b/etc/profile-m-z/slack.profile
@@ -5,31 +5,26 @@ include slack.local
 # Persistent global definitions
 include globals.local
+# Disabled until someone reported positive feedback
+ignore include disable-exec.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore apparmor
+ignore novideo
+ignore private-tmp
+ignore dbus-user none
+ignore dbus-system none
 noblacklist ${HOME}/.config/Slack
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
 include disable-shell.inc
 mkdir ${HOME}/.config/Slack
 whitelist ${HOME}/.config/Slack
-whitelist ${DOWNLOADS}
-include whitelist-common.inc
-include whitelist-var-common.inc
-caps.keep sys_admin,sys_chroot
-netfilter
-nodvd
-nogroups
-notv
-nou2f
-shell none
-disable-mnt
 private-bin locale,slack
-private-cache
-private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/teams-for-linux.profile b/etc/profile-m-z/teams-for-linux.profile
index a13c92bc3..eee083332 100644
--- a/etc/profile-m-z/teams-for-linux.profile
+++ b/etc/profile-m-z/teams-for-linux.profile
@@ -4,33 +4,23 @@
 # Persistent local customizations
 include teams-for-linux.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
+# Disabled until someone reported positive feedback
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
 ignore dbus-user none
 ignore dbus-system none
 noblacklist ${HOME}/.config/teams-for-linux
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
 mkdir ${HOME}/.config/teams-for-linux
 whitelist ${HOME}/.config/teams-for-linux
-include whitelist-common.inc
-include whitelist-var-common.inc
-nou2f
-novideo
-shell none
-disable-mnt
 private-bin bash,cut,echo,egrep,grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh
-private-cache
-private-dev
 private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,resolv.conf,ssl
-private-tmp
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/teams.profile b/etc/profile-m-z/teams.profile
index af1365571..c8d98cbaa 100644
--- a/etc/profile-m-z/teams.profile
+++ b/etc/profile-m-z/teams.profile
@@ -4,8 +4,14 @@
 # Persistent local customizations
 include teams.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
+# Disabled until someone reported positive feedback
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore novideo
+ignore private-tmp
 # see #3404
 ignore apparmor
@@ -15,24 +21,10 @@ ignore dbus-system none
 noblacklist ${HOME}/.config/teams
 noblacklist ${HOME}/.config/Microsoft
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
 mkdir ${HOME}/.config/teams
 mkdir ${HOME}/.config/Microsoft
 whitelist ${HOME}/.config/teams
 whitelist ${HOME}/.config/Microsoft
-include whitelist-common.inc
-include whitelist-var-common.inc
-nou2f
-seccomp !chroot
-shell none
-disable-mnt
-private-cache
-private-dev
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/twitch.profile b/etc/profile-m-z/twitch.profile
index 3c50344f1..dcf7ee88b 100644
--- a/etc/profile-m-z/twitch.profile
+++ b/etc/profile-m-z/twitch.profile
@@ -6,31 +6,20 @@ include twitch.local
 # Persistent global definitions
 include globals.local
+# Disabled until someone reported positive feedback
+ignore nou2f
+ignore novideo
 noblacklist ${HOME}/.config/Twitch
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
 include disable-shell.inc 
-include disable-xdg.inc
 mkdir ${HOME}/.config/Twitch
 whitelist ${HOME}/.config/Twitch
-include whitelist-common.inc 
-include whitelist-runuser-common.inc 
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-seccomp !chroot
-shell none
-disable-mnt
 private-bin twitch
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt Twitch
-private-tmp
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/whalebird.profile b/etc/profile-m-z/whalebird.profile
index 187c49ed8..22a84274d 100644
--- a/etc/profile-m-z/whalebird.profile
+++ b/etc/profile-m-z/whalebird.profile
@@ -4,36 +4,24 @@
 # Persistent local customizations
 include whalebird.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
+# Disabled until someone reported positive feedback
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
 ignore dbus-user none
 ignore dbus-system none
 noblacklist ${HOME}/.config/Whalebird
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-xdg.inc
 mkdir ${HOME}/.config/Whalebird
 whitelist ${HOME}/.config/Whalebird
-include whitelist-common.inc
-include whitelist-var-common.inc
 no3d
-nou2f
-novideo
-protocol unix,inet,inet6
-shell none
-disable-mnt
 private-bin whalebird
-private-cache
-private-dev
 private-etc fonts,machine-id
-private-tmp
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/wire-desktop.profile b/etc/profile-m-z/wire-desktop.profile
index d265c6bae..151cd2adb 100644
--- a/etc/profile-m-z/wire-desktop.profile
+++ b/etc/profile-m-z/wire-desktop.profile
@@ -4,33 +4,29 @@
 # Persistent local customizations
 include wire-desktop.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
 # Debian/Ubuntu use /opt/Wire. As that is not in PATH by default, run `firejail /opt/Wire/wire-desktop` to start it.
+# Disabled until someone reported positive feedback
+ignore include disable-exec.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore novideo
+ignore private-cache
 ignore dbus-user none
 ignore dbus-system none
 noblacklist ${HOME}/.config/Wire
-include disable-devel.inc
-include disable-interpreters.inc
 mkdir ${HOME}/.config/Wire
 whitelist ${HOME}/.config/Wire
-include whitelist-common.inc
-nou2f
-ignore seccomp
-seccomp !chroot
-shell none
-disable-mnt
 private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop
-private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl
-private-tmp
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/youtube.profile b/etc/profile-m-z/youtube.profile
index a6c7750a9..92890a3a8 100644
--- a/etc/profile-m-z/youtube.profile
+++ b/etc/profile-m-z/youtube.profile
@@ -6,32 +6,19 @@ include youtube.local
 # Persistent global definitions
 include globals.local
+# Disabled until someone reported positive feedback
+ignore nou2f
 noblacklist ${HOME}/.config/Youtube
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
 include disable-shell.inc 
-include disable-xdg.inc
 mkdir ${HOME}/.config/Youtube
 whitelist ${HOME}/.config/Youtube
-include whitelist-common.inc 
-include whitelist-runuser-common.inc 
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-novideo
-seccomp !chroot
-shell none
-disable-mnt
 private-bin youtube
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt Youtube
-private-tmp
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/youtubemusic-nativefier.profile b/etc/profile-m-z/youtubemusic-nativefier.profile
index 3a94a5707..10ff1616a 100644
--- a/etc/profile-m-z/youtubemusic-nativefier.profile
+++ b/etc/profile-m-z/youtubemusic-nativefier.profile
@@ -8,31 +8,14 @@ include globals.local
 noblacklist ${HOME}/.config/youtubemusic-nativefier-040164
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
 include disable-shell.inc 
-include disable-xdg.inc
 mkdir ${HOME}/.config/youtubemusic-nativefier-040164
 whitelist ${HOME}/.config/youtubemusic-nativefier-040164
-include whitelist-common.inc 
-include whitelist-runuser-common.inc 
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-nou2f
-novideo
-seccomp !chroot
-shell none
-disable-mnt
 private-bin youtubemusic-nativefier
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt youtubemusic-nativefier
-private-tmp
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/ytmdesktop.profile b/etc/profile-m-z/ytmdesktop.profile
index 5c37b838b..3f6dd9694 100644
--- a/etc/profile-m-z/ytmdesktop.profile
+++ b/etc/profile-m-z/ytmdesktop.profile
@@ -10,30 +10,12 @@ ignore dbus-user none
 noblacklist ${HOME}/.config/youtube-music-desktop-app
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-xdg.inc
 mkdir ${HOME}/.config/youtube-music-desktop-app
 whitelist ${HOME}/.config/youtube-music-desktop-app
-include whitelist-common.inc 
-include whitelist-runuser-common.inc 
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-nou2f
-novideo
-seccomp !chroot
-shell none
-disable-mnt
 # private-bin env,ytmdesktop
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 # private-opt 
-private-tmp
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/zoom.profile b/etc/profile-m-z/zoom.profile
index 889e8c02e..e8cd64c93 100644
--- a/etc/profile-m-z/zoom.profile
+++ b/etc/profile-m-z/zoom.profile
@@ -6,16 +6,20 @@ include zoom.local
 # Persistent global definitions
 include globals.local
+# Disabled until someone reported positive feedback
+ignore apparmor
+ignore novideo
+ignore dbus-user none
+ignore dbus-system none
+# nogroups breaks webcam access on non-systemd systems (see #3711).
+# If you use such a system uncomment the line below or put 'ignore nogroups' in your zoom.local
+#ignore nogroups
 noblacklist ${HOME}/.config/zoomus.conf
 noblacklist ${HOME}/.zoom
-include disable-common.inc
+nowhitelist ${DOWNLOADS}
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
 mkdir ${HOME}/.cache/zoom
 mkfile ${HOME}/.config/zoomus.conf
@@ -23,29 +27,9 @@ mkdir ${HOME}/.zoom
 whitelist ${HOME}/.cache/zoom
 whitelist ${HOME}/.config/zoomus.conf
 whitelist ${HOME}/.zoom
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-caps.drop all
-netfilter
-nodvd
-# nogroups breaks webcam access on non-systemd systems (see #3711).
-# If you use such a system comment the line below or put 'ignore nogroups' in your zoom.local
-nogroups
-nonewprivs
-noroot
-notv
-nou2f
-protocol unix,inet,inet6,netlink
-seccomp !chroot
-shell none
-tracelog
-disable-mnt
-private-cache
-private-dev
 # Disable for now, see https://github.com/netblue30/firejail/issues/3726
 #private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
-private-tmp
+# Redirect
+include electron.profile
author	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2020-12-17 08:45:35 +0000
committer	GitHub <noreply@github.com>	2020-12-17 08:45:35 +0000
commit	f4f6767458208a127084e4c0103fab88761d9056 (patch)
tree	ff349c113ca4f3fc70cd9839a1775bb49092cab3 /etc/profile-m-z
parent	Archiver fixes - drop private-bin (#3832) (diff)
download	firejail-f4f676745.tar.gz firejail-f4f676745.tar.zst firejail-f4f676745.zip