author | netblue30 <netblue30@yahoo.com> | 2020-04-21 08:24:28 -0400 |
committer | netblue30 <netblue30@yahoo.com> | 2020-04-21 08:24:28 -0400 |
commit | 018d75775eab4a0f045949a9d069c57686ca2686 (patch) | |
tree | aac3a1a65cca0d4875795c55109a5c3e35efdefb /etc/profile-m-z | |
parent | small fixes (diff) | |
reorganize github etc directory
Diffstat (limited to 'etc/profile-m-z')
487 files changed, 14560 insertions, 0 deletions
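diff --git a/etc/profile-m-z/Maelstrom.profile b/etc/profile-m-z/Maelstrom.profile
new file mode 100644
index 000000000..5cf570f80
--- /dev/null
+++ b/etc/profile-m-z/Maelstrom.profile
@@ -0,0 +1,45 @@
+# Firejail profile for Maelstrom
+# Description: A space combat game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Maelstrom.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /var/lib/games/Maelstrom-Scores
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /var/lib/games
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+#nonewprivs
+#noroot
+notv
+nou2f
+novideo
+#protocol unix
+#seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin Maelstrom
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none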
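Review bot: `#nonewprivs`, `#noroot`, `#protocol unix` and `#seccomp` on lines 28, 29, 33 and 34 are commented out with no explanation, which leaves this profile without the syscall filter and the no-new-privileges guard that the other full profiles in this commit enable. If the game genuinely breaks with them, the reason belongs next to the commented line, the way `#memory-deny-write-execute - breaks on Arch (see issue #1803)` documents it in QMediathekView.profile; otherwise they should be enabled. Since `net none` on line 25 already removes the network, `protocol unix` is the least likely of the four to cause trouble and is the one to re-test first.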
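diff --git a/etc/profile-m-z/Maps.profile b/etc/profile-m-z/Maps.profile
new file mode 100644
index 000000000..c52d2f2da
--- /dev/null
+++ b/etc/profile-m-z/Maps.profile
@@ -0,0 +1,6 @@
+# Firejail profile for gnome-maps
+# This file is overwritten after every install/update
+
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include gnome-maps.profile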
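diff --git a/etc/profile-m-z/Mathematica.profile b/etc/profile-m-z/Mathematica.profile
new file mode 100644
index 000000000..c2734b1c1
--- /dev/null
+++ b/etc/profile-m-z/Mathematica.profile
@@ -0,0 +1,30 @@
+# Firejail profile for Mathematica
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Mathematica.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.Mathematica
+noblacklist ${HOME}/.Wolfram Research
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.Mathematica
+mkdir ${HOME}/.Wolfram Research
+mkdir ${HOME}/Documents/Wolfram Mathematica
+whitelist ${HOME}/.Mathematica
+whitelist ${HOME}/.Wolfram Research
+whitelist ${HOME}/Documents/Wolfram Mathematica
+include whitelist-common.inc
+
+caps.drop all
+nodvd
+nonewprivs
+noroot
+notv
+seccomp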
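Review bot: The option block on lines 25–30 has no `protocol`, `shell none`, `private-dev` or `private-tmp` line and the include list skips `disable-exec.inc`, so this profile is considerably looser than the neighbouring ones in this commit without saying which of those options Mathematica is known to break. A one-line comment per deliberate omission, or adding the ones that were simply never tried, would make the reduced hardening a recorded decision rather than an accident. The paths on lines 9, 18, 19, 21 and 22 contain spaces (`${HOME}/.Wolfram Research`, `${HOME}/Documents/Wolfram Mathematica`) and presumably rely on the parser taking the rest of the line as the path; a `# paths contain a space` note would stop someone "fixing" them later.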
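diff --git a/etc/profile-m-z/Natron.profile b/etc/profile-m-z/Natron.profile
new file mode 100644
index 000000000..42c22bf67
--- /dev/null
+++ b/etc/profile-m-z/Natron.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for natron
+# This file is overwritten after every install/update
+
+# Redirect
+include natron.profile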
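diff --git a/etc/profile-m-z/PPSSPPQt.profile b/etc/profile-m-z/PPSSPPQt.profile
new file mode 100644
index 000000000..c5592f99c
--- /dev/null
+++ b/etc/profile-m-z/PPSSPPQt.profile
@@ -0,0 +1,9 @@
+# Firejail profile for PPSSPPQt
+# This file is overwritten after every install/update
+# Persistent local customizations
+include PPSSPPQt.local
+# added by included profile
+#include globals.local
+
+# Redirect
+include ppsspp.profile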
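diff --git a/etc/profile-m-z/QMediathekView.profile b/etc/profile-m-z/QMediathekView.profile
new file mode 100644
index 000000000..d1548a864
--- /dev/null
+++ b/etc/profile-m-z/QMediathekView.profile
@@ -0,0 +1,58 @@
+# Firejail profile for QMediathekView
+# Description: Search, download or stream files from mediathek.de
+# This file is overwritten after every install/update
+# Persistent local customizations
+include QMediathekView.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/QMediathekView
+noblacklist ${HOME}/.local/share/QMediathekView
+
+noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/smplayer
+noblacklist ${HOME}/.config/totem
+noblacklist ${HOME}/.config/vlc
+noblacklist ${HOME}/.config/xplayer
+noblacklist ${HOME}/.local/share/totem
+noblacklist ${HOME}/.local/share/xplayer
+noblacklist ${HOME}/.mplayer
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/qtchooser
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+# no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin mplayer,mpv,QMediathekView,smplayer,totem,vlc,xplayer
+private-cache
+private-dev
+private-tmp
+
+# dbus-user none
+# dbus-system none
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)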
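Review bot: `# dbus-user none` and `# dbus-system none` on lines 55–56 and `# no3d` on line 36 are disabled without a reason, while line 58 shows the pattern that should be used (`#memory-deny-write-execute - breaks on Arch (see issue #1803)`). A one-line reason per disabled option, or enabling the ones that were simply never tested, keeps the D-Bus exposure a deliberate choice. It is also worth noting in a comment that the profile whitelists `/usr/share` and `/var` but not `${HOME}`, so the whole home directory minus the `disable-*.inc` blacklists stays visible; if that is intentional so downloads can land anywhere, say so next to `noblacklist ${VIDEOS}`.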
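diff --git a/etc/profile-m-z/QOwnNotes.profile b/etc/profile-m-z/QOwnNotes.profile
new file mode 100644
index 000000000..8157cdff4
--- /dev/null
+++ b/etc/profile-m-z/QOwnNotes.profile
@@ -0,0 +1,54 @@
+# Firejail profile for QOwnNotes
+# Description: Plain-text file notepad with markdown support and ownCloud integration
+# This file is overwritten after every install/update
+# Persistent local customizations
+include QOwnNotes.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/Nextcloud/Notes
+noblacklist ${HOME}/.config/PBE
+noblacklist ${HOME}/.local/share/PBE
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/Nextcloud/Notes
+mkdir ${HOME}/.config/PBE
+mkdir ${HOME}/.local/share/PBE
+whitelist ${DOCUMENTS}
+whitelist ${HOME}/Nextcloud/Notes
+whitelist ${HOME}/.config/PBE
+whitelist ${HOME}/.local/share/PBE
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin gio,QOwnNotes
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
+private-tmp
+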
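Review bot: `private-etc` on line 52 lists `pulse` even though `nosound` on line 40 removes sound support, so the entry only widens the private /etc for nothing; `private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,resolv.conf,ssl` is the minimal form. `private-cache` is set by the comparable profiles in this commit (QMediathekView, manaplus, magicor) but not here; if QOwnNotes needs a persistent cache a comment would help. Line 54 is a trailing empty line that the other profiles do not have.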
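diff --git a/etc/profile-m-z/Screenshot.profile b/etc/profile-m-z/Screenshot.profile
new file mode 100644
index 000000000..d4b083736
--- /dev/null
+++ b/etc/profile-m-z/Screenshot.profile
@@ -0,0 +1,6 @@
+# Firejail profile for gnome-screenshot
+# This file is overwritten after every install/update
+
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include gnome-screenshot.profile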
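diff --git a/etc/profile-m-z/Telegram.profile b/etc/profile-m-z/Telegram.profile
new file mode 100644
index 000000000..310e0237e
--- /dev/null
+++ b/etc/profile-m-z/Telegram.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for telegram
+# This file is overwritten after every install/update
+
+# Redirect
+include telegram.profile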
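diff --git a/etc/profile-m-z/Thunar.profile b/etc/profile-m-z/Thunar.profile
new file mode 100644
index 000000000..761440ccc
--- /dev/null
+++ b/etc/profile-m-z/Thunar.profile
@@ -0,0 +1,33 @@
+# Firejail profile for Thunar
+# Description: File Manager for Xfce
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Thunar.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/Trash
+noblacklist ${HOME}/.config/Thunar
+noblacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# include disable-programs.inc
+
+allusers
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog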
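Review bot: `allusers` on line 19 together with the commented `# include disable-programs.inc` on line 17 leaves every user's home directory and every application's configuration reachable from the sandbox, and neither line says why. A file manager arguably needs that visibility, but the intent should be recorded, e.g. `# allusers: Thunar is expected to browse other users' home directories` above line 19 and `# disable-programs.inc is not included so Thunar can open any application's files` above line 17. The option block also lacks `nou2f`, `private-dev` and `private-tmp`, which the sibling profiles set; `private-tmp` in particular may be incompatible with a file manager, and a comment saying so would keep the omission deliberate.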
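diff --git a/etc/profile-m-z/Viber.profile b/etc/profile-m-z/Viber.profile
new file mode 100644
index 000000000..3195e39fa
--- /dev/null
+++ b/etc/profile-m-z/Viber.profile
@@ -0,0 +1,38 @@
+# Firejail profile for Viber
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Viber.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.ViberPC
+noblacklist ${PATH}/dig
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.ViberPC
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.ViberPC
+include whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp !chroot
+shell none
+
+disable-mnt
+private-bin awk,bash,dig,sh,Viber
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11
+private-tmp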
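Review bot: `seccomp !chroot` on line 32 re-enables `chroot` in the default syscall filter with no comment explaining why Viber needs it, and that syscall is in Firejail's default blocklist for good reason. Please document the requirement inline, e.g. `# Viber needs chroot: <reason or issue link>` above line 32, so a later maintainer can re-test and drop the exception. The profile also lacks `tracelog`, `nou2f`, `private-dev` and `novideo`; `novideo` is presumably omitted for video calls, but the other three look like oversights, and `private-bin` pulling in `awk,bash,dig,sh` deserves a note on which launcher script needs them.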
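diff --git a/etc/profile-m-z/VirtualBox.profile b/etc/profile-m-z/VirtualBox.profile
new file mode 100644
index 000000000..4c99ae9a3
--- /dev/null
+++ b/etc/profile-m-z/VirtualBox.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for virtualbox
+# Description: x86 virtualization solution
+# This file is overwritten after every install/update
+
+# Redirect
+include virtualbox.profile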
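diff --git a/etc/profile-m-z/XMind.profile b/etc/profile-m-z/XMind.profile
new file mode 100644
index 000000000..7e7c0c3cd
--- /dev/null
+++ b/etc/profile-m-z/XMind.profile
@@ -0,0 +1,38 @@
+# Firejail profile for XMind
+# This file is overwritten after every install/update
+# Persistent local customizations
+include XMind.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.xmind
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.xmind
+whitelist ${HOME}/.xmind
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin cp,sh,XMind
+private-tmp
+private-dev
+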
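Review bot: `private-tmp` and `private-dev` on lines 36–37 are the only `private-*` options visible in this commit that are not in alphabetical order, and line 38 is a trailing empty line; swapping them to `private-dev` then `private-tmp` and dropping the blank line matches the neighbouring profiles. `tracelog` is absent while every other full profile here sets it, and `private-bin cp,sh,XMind` on line 35 brings a shell into the sandbox without a comment saying what the launcher needs `cp` and `sh` for. A `# XMind is a shell wrapper around <launcher>` style note, if that is the reason, would justify the shell.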
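diff --git a/etc/profile-m-z/Xephyr.profile b/etc/profile-m-z/Xephyr.profile
new file mode 100644
index 000000000..ab5fdf942
--- /dev/null
+++ b/etc/profile-m-z/Xephyr.profile
@@ -0,0 +1,42 @@
+# Firejail profile for Xephyr
+# This file is overwritten after every install/update
+# Persistent local customizations
+quiet
+include Xephyr.local
+# Persistent global definitions
+include globals.local
+
+#
+# This profile will sandbox Xephyr server itself when used with firejail --x11=xephyr.
+# To enable it, create a firejail-Xephyr symlink in /usr/local/bin:
+#
+# $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xephyr
+#
+# or run "sudo firecfg"
+#
+
+whitelist /var/lib/xkb
+include whitelist-common.inc
+
+caps.drop all
+# Xephyr needs to be allowed access to the abstract Unix socket namespace.
+nodvd
+nogroups
+nonewprivs
+# In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix.
+# noroot
+nosound
+notv
+nou2f
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+# using a private home directory
+private
+# private-bin sh,Xephyr,xkbcomp
+# private-bin bash,cat,ls,sh,strace,Xephyr,xkbcomp
+private-dev
+# private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf
+#private-tmp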
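Review bot: `quiet` on line 4 sits between the `# Persistent local customizations` comment and `include Xephyr.local`, so the comment now labels the wrong line; Xvfb.profile in this commit places `quiet` before that comment, which is the order to use here. The comment on line 22, `# Xephyr needs to be allowed access to the abstract Unix socket namespace.`, does not attach to any directive — it presumably explains why `net none` is absent, and saying so (`# no net none: Xephyr needs the abstract Unix socket namespace`) makes the omission deliberate. The commented `# private-etc` on line 41 and `#private-tmp` on line 42 have no reason given, unlike `# noroot` on line 27; a short note per line, or enabling them as Xvfb.profile does, would be consistent.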
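diff --git a/etc/profile-m-z/Xvfb.profile b/etc/profile-m-z/Xvfb.profile
new file mode 100644
index 000000000..937d02d60
--- /dev/null
+++ b/etc/profile-m-z/Xvfb.profile
@@ -0,0 +1,46 @@
+# Firejail profile for Xvfb
+# Description: Virtual Framebuffer 'fake' X server
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include Xvfb.local
+# Persistent global definitions
+include globals.local
+
+#
+# This profile will sandbox Xvfb server itself when used with firejail --x11=xvfb.
+# The target program is sandboxed with its own profile. By default the this functionality
+# is disabled. To enable it, create a firejail-Xvfb symlink in /usr/local/bin:
+#
+# $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xvfb
+#
+# We have this functionality disabled by default because it creates problems on
+# some Linux distributions. Also, older versions of Xpra use Xvfb.
+#
+
+whitelist /var/lib/xkb
+include whitelist-common.inc
+
+caps.drop all
+# Xvfb needs to be allowed access to the abstract Unix socket namespace.
+nodvd
+nogroups
+nonewprivs
+# In noroot mode, Xvfb cannot create a socket in the real /tmp/.X11-unix.
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+# using a private home directory
+private
+# private-bin sh,xkbcomp,Xvfb
+# private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb
+private-dev
+private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf
+private-tmp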
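Review bot: Line 12 reads `By default the this functionality` — the stray `the` should be dropped. As in Xephyr.profile, the comment on line 25 about the abstract Unix socket namespace does not name the option it justifies; `# no net none: Xvfb needs the abstract Unix socket namespace` would make that explicit. `#noroot` on line 30 is preceded by its reason, which is the pattern the other commented-out options in this commit should follow.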
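diff --git a/etc/profile-m-z/macrofusion.profile b/etc/profile-m-z/macrofusion.profile
new file mode 100644
index 000000000..3eef22f98
--- /dev/null
+++ b/etc/profile-m-z/macrofusion.profile
@@ -0,0 +1,44 @@
+# Firejail profile for macrofusion
+# This file is overwritten after every install/update
+# Persistent local customizations
+include macrofusion.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mfusion
+noblacklist ${PICTURES}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin align_image_stack,enfuse,env,exiftool,macrofusion,python*
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none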
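Review bot: `private-bin ... python*` on line 38 copies every python binary on the host into the sandbox, and lines 12–13 allow both Python 2 and Python 3, so the sandbox carries at least one interpreter the program never runs; if macrofusion is known to be Python 3 only, `include allow-python3.inc` alone and `python3*` in `private-bin` would narrow that. The profile has no `whitelist`/`whitelist-common.inc` and no `disable-mnt`, unlike its neighbours; with `noblacklist ${PICTURES}` the full home directory is presumably meant to stay visible, but a comment such as `# no whitelist: images can live anywhere in ${HOME}` would record it. `tracelog` is also absent while the comparable profiles set it.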
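diff --git a/etc/profile-m-z/magicor.profile b/etc/profile-m-z/magicor.profile
new file mode 100644
index 000000000..380a59957
--- /dev/null
+++ b/etc/profile-m-z/magicor.profile
@@ -0,0 +1,51 @@
+# Firejail profile for magicor
+# Description: Push ice blocks around to extinguish all fires
+# This file is overwritten after every install/update
+# Persistent local customizations
+include magicor.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.magicor
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.magicor
+whitelist ${HOME}/.magicor
+whitelist /usr/share/magicor
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin magicor,python2*
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+
+dbus-user none
+dbus-system none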
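Review bot: `noroot` is missing from the option block on lines 29–41 with no comment, whereas every other profile in this commit either sets it or explains why it is disabled (`#noroot` preceded by a reason in makepkg.profile and Xvfb.profile). If magicor works under `noroot` it should be added after `nonewprivs` on line 34; if it does not, a `# noroot breaks <what>` line belongs there so the gap is visibly deliberate. `ipc-namespace` is likewise absent while the other `net none` games here (Maelstrom, macrofusion) set it.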
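diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile
new file mode 100644
index 000000000..513fcae55
--- /dev/null
+++ b/etc/profile-m-z/makepkg.profile
@@ -0,0 +1,61 @@
+# Firejail profile for makepkg
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include makepkg.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+# Note: see this Arch forum discussion https://bbs.archlinux.org/viewtopic.php?pid=1743138
+# for potential issues and their solutions when Firejailing makepkg
+
+# This profile could be significantly strengthened by adding the following to makepkg.local
+# whitelist ${HOME}/<Your Build Folder>
+# whitelist ${HOME}/.gnupg
+
+# Enable severely restricted access to ${HOME}/.gnupg
+noblacklist ${HOME}/.gnupg
+read-only ${HOME}/.gnupg/gpg.conf
+read-only ${HOME}/.gnupg/trustdb.gpg
+read-only ${HOME}/.gnupg/pubring.kbx
+blacklist ${HOME}/.gnupg/random_seed
+blacklist ${HOME}/.gnupg/pubring.kbx~
+blacklist ${HOME}/.gnupg/private-keys-v1.d
+blacklist ${HOME}/.gnupg/crls.d
+blacklist ${HOME}/.gnupg/openpgp-revocs.d
+
+# Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only.
+noblacklist /var/lib/pacman
+
+include disable-common.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+machine-id
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+# noroot is only disabled to allow the creation of kernel headers from an official PKGBUILD.
+#noroot
+nosound
+nou2f
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-tmp
+
+memory-deny-write-execute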
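Review bot: The `${HOME}/.gnupg` protection on lines 20–28 works by enumerating files, so anything not listed — `gpg-agent.conf`, `sshcontrol`, `dirmngr.conf`, the agent sockets — stays writable by whatever a PKGBUILD runs, and the `noblacklist` on line 20 re-exposes the whole directory first. If signature verification still works with it, a `read-only ${HOME}/.gnupg` placed directly after line 20 would make the directory read-only by default and leave the explicit `blacklist` lines for the key material, at which point the three `read-only` lines 21–23 become redundant. Whether `gpg --verify` needs write access anywhere under `.gnupg` should be confirmed before making that change, and the outcome recorded in the comment on line 19. Note also that `machine-id` on line 39 and `ipc-namespace` on line 40 break the otherwise alphabetical order of the option block.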
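diff --git a/etc/profile-m-z/manaplus.profile b/etc/profile-m-z/manaplus.profile
new file mode 100644
index 000000000..b29a489a6
--- /dev/null
+++ b/etc/profile-m-z/manaplus.profile
@@ -0,0 +1,50 @@
+# Firejail profile for manaplus
+# Description: 2D MMORPG client for Evol Online and The Mana World
+# This file is overwritten after every install/update
+# Persistent local customizations
+include manaplus.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mana
+noblacklist ${HOME}/.local/share/mana
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/mana
+mkdir ${HOME}/.config/mana/mana
+mkdir ${HOME}/.local/share/mana
+whitelist ${HOME}/.config/mana
+whitelist ${HOME}/.local/share/mana
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin manaplus
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none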
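diff --git a/etc/profile-m-z/masterpdfeditor.profile b/etc/profile-m-z/masterpdfeditor.profile
new file mode 100644
index 000000000..e4da0c66a
--- /dev/null
+++ b/etc/profile-m-z/masterpdfeditor.profile
@@ -0,0 +1,41 @@
+# Firejail profile for masterpdfeditor
+# Description: A complete solution for creating and editing PDF files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include masterpdfeditor.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Code Industry
+noblacklist ${HOME}/.masterpdfeditor
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-tmp
+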
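Review bot: This profile has no `disable-mnt` and no `private-bin`, and line 19 includes only `whitelist-var-common.inc` with no home whitelist, so it is looser than the other full profiles in this commit; if that is because the editor must open PDFs from anywhere, a `# no whitelist: opens files anywhere in ${HOME}` comment would record it and `disable-mnt` could still be added. `protocol unix` on line 32 already rules out inet sockets, so `net none` (as mate-calc.profile does) would state the no-network intent directly if the program tolerates it. Line 41 is a trailing empty line, and `${HOME}/.config/Code Industry` on line 9 contains a space that deserves a short comment so it is not "fixed" later.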
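diff --git a/etc/profile-m-z/masterpdfeditor4.profile b/etc/profile-m-z/masterpdfeditor4.profile
new file mode 100644
index 000000000..84e78171f
--- /dev/null
+++ b/etc/profile-m-z/masterpdfeditor4.profile
@@ -0,0 +1,11 @@
+# Firejail profile for masterpdfeditor4
+# Description: A complete solution for creating and editing PDF files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include masterpdfeditor4.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include masterpdfeditor.profile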
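diff --git a/etc/profile-m-z/masterpdfeditor5.profile b/etc/profile-m-z/masterpdfeditor5.profile
new file mode 100644
index 000000000..057d343dd
--- /dev/null
+++ b/etc/profile-m-z/masterpdfeditor5.profile
@@ -0,0 +1,11 @@
+# Firejail profile for masterpdfeditor5
+# Description: A complete solution for creating and editing PDF files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include masterpdfeditor5.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include masterpdfeditor.profile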
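diff --git a/etc/profile-m-z/mate-calc.profile b/etc/profile-m-z/mate-calc.profile
new file mode 100644
index 000000000..ce418d68f
--- /dev/null
+++ b/etc/profile-m-z/mate-calc.profile
@@ -0,0 +1,53 @@
+# Firejail profile for mate-calc
+# Description: MATE desktop calculator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mate-calc.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mate-calc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/mate-calc
+mkdir ${HOME}/.config/caja
+mkdir ${HOME}/.config/mate-menu
+whitelist ${HOME}/.cache/mate-calc
+whitelist ${HOME}/.config/caja
+whitelist ${HOME}/.config/mate-menu
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-bin mate-calc,mate-calculator
+private-etc alternatives,dconf,fonts,gtk-3.0
+private-dev
+private-opt none
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute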
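Review bot: `noblacklist ${HOME}/.config/mate-calc` on line 9 has no matching `mkdir`/`whitelist`, so once `whitelist-common.inc` on line 24 takes effect that directory is presumably hidden anyway and the line does nothing; either add `mkdir ${HOME}/.config/mate-calc` and `whitelist ${HOME}/.config/mate-calc` beside the `.cache/mate-calc` pair on lines 18 and 21, or drop line 9. It is also not obvious why a calculator needs `${HOME}/.config/caja` and `${HOME}/.config/mate-menu` writable (lines 19–23); a comment naming the feature that reads them would help the next maintainer decide whether they can go. `private-etc` on line 45 and `private-dev` on line 46 are out of alphabetical order relative to the other profiles here.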
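diff --git a/etc/profile-m-z/mate-calculator.profile b/etc/profile-m-z/mate-calculator.profile
new file mode 100644
index 000000000..bb438f5f0
--- /dev/null
+++ b/etc/profile-m-z/mate-calculator.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for mate-calc
+# This file is overwritten after every install/update
+
+# Redirect
+include mate-calc.profile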
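diff --git a/etc/profile-m-z/mate-color-select.profile b/etc/profile-m-z/mate-color-select.profile
new file mode 100644
index 000000000..f1a7ca18f
--- /dev/null
+++ b/etc/profile-m-z/mate-color-select.profile
@@ -0,0 +1,39 @@
+# Firejail profile for mate-color-select
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mate-color-select.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-bin mate-color-select
+private-etc alternatives,fonts
+private-dev
+private-lib
+private-tmp
+
+memory-deny-write-execute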
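Review bot: `netfilter` on line 18 paired with `protocol unix` on line 28 is an odd combination for a colour picker: `protocol unix` already rules out inet sockets, and `netfilter` only has an effect inside a new network namespace, so as written it does nothing. If the tool works with it, replacing line 18 with `net none`, as mate-calc.profile in this commit does, states the no-network intent directly and also removes the abstract socket namespace. `private-etc` on line 34 before `private-dev` on line 35 also breaks the alphabetical order the other profiles keep.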
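diff --git a/etc/profile-m-z/mate-dictionary.profile b/etc/profile-m-z/mate-dictionary.profile
new file mode 100644
index 000000000..59f439c91
--- /dev/null
+++ b/etc/profile-m-z/mate-dictionary.profile
@@ -0,0 +1,44 @@
+# Firejail profile for mate-dictionary
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mate-dictionary.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mate/mate-dictionary
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/mate/mate-dictionary
+whitelist ${HOME}/.config/mate/mate-dictionary
+include whitelist-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin mate-dictionary
+private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl
+private-opt mate-dictionary
+private-dev
+private-tmp
+
+memory-deny-write-execute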
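diff --git a/etc/profile-m-z/mathematica.profile b/etc/profile-m-z/mathematica.profile
new file mode 100644
index 000000000..964060350
--- /dev/null
+++ b/etc/profile-m-z/mathematica.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for Mathematica
+# This file is overwritten after every install/update
+
+# Redirect
+include Mathematica.profile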
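--- /dev/null
+++ b/etc/profile-m-z/mcabber.profile
@@ -0,0 +1,33 @@
+# Firejail profile for mcabber
+# Description: Small Jabber (XMPP) console client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mcabber.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.mcabber
+noblacklist ${HOME}/.mcabberrc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+shell none
+
+private-bin mcabber
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,pki,ssl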
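Review bot: The `private-etc` list on line 33 carries no `resolv.conf`, `hosts` or `nsswitch.conf`, so name resolution inside the sandbox will most likely fail for a client that has to reach an XMPP server over `inet,inet6` (line 27) — unless firejail copies those files implicitly, which I cannot confirm from this page. The sibling mate-dictionary profile lists `resolv.conf` and mpDris2 lists `hosts,nsswitch.conf`, so the consistent line would be `private-etc alternatives,ca-certificates,crypto-policies,hosts,nsswitch.conf,pki,resolv.conf,ssl`. The profile also omits `disable-exec.inc`, `nogroups`, `private-tmp` and `dbus-user none` that the other non-alias profiles in this batch set; if that is deliberate, a one-line comment naming the reason would keep it from being "fixed" later.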
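--- /dev/null
+++ b/etc/profile-m-z/mediainfo.profile
@@ -0,0 +1,50 @@
+# Firejail profile for mediainfo
+# Description: Command-line utility for reading information from audio/video files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mediainfo.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-bin mediainfo
+private-cache
+private-dev
+private-etc alternatives
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute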
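--- /dev/null
+++ b/etc/profile-m-z/mediathekview.profile
@@ -0,0 +1,49 @@
+# Firejail profile for mediathekview
+# Description: View streams from German public television stations
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mediathekview.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/smplayer
+noblacklist ${HOME}/.config/totem
+noblacklist ${HOME}/.config/vlc
+noblacklist ${HOME}/.config/xplayer
+noblacklist ${HOME}/.local/share/totem
+noblacklist ${HOME}/.local/share/xplayer
+noblacklist ${HOME}/.mediathek3
+noblacklist ${HOME}/.mplayer
+noblacklist ${VIDEOS}
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+tracelog
+
+private-cache
+private-dev
+private-tmp
+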
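Review bot: This profile sets neither `shell none` nor `private-bin`, and has no `dbus-user none`/`dbus-system none` or `disable-mnt`, while every other non-alias profile in this batch sets at least `shell none`; the sandboxed process therefore keeps the default shell and all of /usr/bin, which is a wider surface than the rest of the set. Presumably the Java launcher needs a shell wrapper and several external players (lines 9-17 whitelist mpv, vlc, totem, ...), but nothing on the page says so; a comment such as `# shell none / private-bin omitted: launcher script and external video players need them` would record the exception. The file also ends with a trailing empty line (line 49) that most sibling profiles avoid.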
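--- /dev/null
+++ b/etc/profile-m-z/megaglest.profile
@@ -0,0 +1,46 @@
+# Firejail profile for megaglest
+# Description: 3D multi-player real time strategy game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include megaglest.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.megaglest
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.megaglest
+whitelist ${HOME}/.megaglest
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin megaglest,megaglest_editor,megaglest_g3dviewer
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none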
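--- /dev/null
+++ b/etc/profile-m-z/megaglest_editor.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for megaglest
+# This file is overwritten after every install/update
+
+# Redirect
+include megaglest.profile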
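--- /dev/null
+++ b/etc/profile-m-z/meld.profile
@@ -0,0 +1,74 @@
+# Firejail profile for meld
+# Description: Graphical tool to diff and merge files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include meld.local
+# Persistent global definitions
+include globals.local
+
+# If you want to use meld as git-mergetool (and maybe some other VCS integrations) you need
+# to bypass firejail, you can do this by removing the symlink or calling it by its absolute path
+# Removing the symlink:
+# sudo rm /usr/local/bin/meld
+# Calling by its absolute path (example for git-mergetool):
+# git config --global mergetool.meld.cmd /usr/bin/meld
+
+noblacklist ${HOME}/.config/meld
+noblacklist ${HOME}/.config/git
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.git-credentials
+noblacklist ${HOME}/.local/share/meld
+noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.subversion
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+# Python 2 is EOL (see #3164). Uncomment the next line (or put it into your meld.local) if you understand the risks but want python 2 support for older meld versions.
+#include allow-python2.inc
+
+# Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-common.inc.
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-programs.inc.
+#include disable-programs.inc
+
+include whitelist-runuser-common.inc
+
+# Uncomment the next lines (or put it into your meld.local) if you don't need to compare files in /usr/share.
+#whitelist /usr/share/meld
+#include whitelist-usr-share-common.inc
+
+# Uncomment the next line (or put it into your meld.local) if you don't need to compare files in /var.
+#include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin bzr,cvs,git,hg,meld,python*,svn
+private-cache
+private-dev
+# Uncomment the next line (or put it into your meld.local) if you don't need to compare in /etc.
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion
+private-tmp
+
+read-only ${HOME}/.ssh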
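Review bot: `noblacklist ${HOME}/.git-credentials` on line 19 exposes the plaintext git credential store read-write to the sandbox, whereas `.ssh` gets the same exposure but is at least locked down by `read-only ${HOME}/.ssh` on line 74. The VCS helpers in `private-bin` (line 67) only need to read the file to authenticate, so the same treatment, `read-only ${HOME}/.git-credentials` next to line 74, would stop a compromised meld from rewriting or adding stored tokens without changing what works. A short comment on line 19 saying the file is needed for git over HTTPS would also help, since it is the only secret the profile deliberately un-blacklists.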
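--- /dev/null
+++ b/etc/profile-m-z/mencoder.profile
@@ -0,0 +1,35 @@
+# Firejail profile for mencoder
+# Description: Free command line video decoding, encoding and filtering tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mencoder.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# added by included profile
+#include disable-common.inc
+#include disable-devel.inc
+#include disable-interpreters.inc
+#include disable-passwdmgr.inc
+#include disable-programs.inc
+
+ipc-namespace
+machine-id
+net none
+no3d
+nosound
+notv
+protocol unix
+tracelog
+x11 none
+
+private-bin mencoder
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+
+# Redirect
+include mplayer.profile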
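--- /dev/null
+++ b/etc/profile-m-z/mendeleydesktop.profile
@@ -0,0 +1,50 @@
+# Firejail profile for Mendeley
+# Description: Academic software for managing and sharing research papers.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mendeleydesktop.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/.cache/Mendeley Ltd.
+noblacklist ${HOME}/.config/Mendeley Ltd.
+noblacklist ${HOME}/.local/share/Mendeley Ltd.
+noblacklist ${HOME}/.local/share/data/Mendeley Ltd.
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin cat,env,gconftool-2,ln,mendeleydesktop,python*,sh,update-desktop-database,which
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none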
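--- /dev/null
+++ b/etc/profile-m-z/meteo-qt.profile
@@ -0,0 +1,53 @@
+# Firejail profile for meteo-qt
+# Description: System tray application for weather status information
+# This file is overwritten after every install/update
+# Persistent local customizations
+include meteo-qt.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/autostart
+noblacklist ${HOME}/.config/meteo-qt
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/meteo-qt
+whitelist ${HOME}/.config/autostart
+whitelist ${HOME}/.config/meteo-qt
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin meteo-qt,python*
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute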
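--- /dev/null
+++ b/etc/profile-m-z/midori.profile
@@ -0,0 +1,65 @@
+# Firejail profile for midori
+# Description: Lightweight web browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include midori.local
+# Persistent global definitions
+include globals.local
+
+# noexec ${HOME} breaks DRM binaries.
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
+
+noblacklist ${HOME}/.cache/midori
+noblacklist ${HOME}/.config/midori
+noblacklist ${HOME}/.local/share/midori
+# noblacklist ${HOME}/.local/share/webkit
+# noblacklist ${HOME}/.local/share/webkitgtk
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+
+noblacklist ${HOME}/.cache/gnome-mplayer
+noblacklist ${HOME}/.config/gnome-mplayer
+noblacklist ${HOME}/.lastpass
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+#include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/midori
+mkdir ${HOME}/.config/midori
+mkdir ${HOME}/.local/share/midori
+mkdir ${HOME}/.local/share/webkit
+mkdir ${HOME}/.local/share/webkitgtk
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/gnome-mplayer/plugin
+whitelist ${HOME}/.cache/midori
+whitelist ${HOME}/.config/gnome-mplayer
+whitelist ${HOME}/.config/midori
+whitelist ${HOME}/.lastpass
+whitelist ${HOME}/.local/share/midori
+whitelist ${HOME}/.local/share/webkit
+whitelist ${HOME}/.local/share/webkitgtk
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+# noroot - problems on Ubuntu 14.04
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+disable-mnt
+private-tmp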
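Review bot: `disable-passwdmgr.inc` is commented out on line 28 and `${HOME}/.lastpass` is un-blacklisted and whitelisted on lines 22 and 44, but nothing says why; presumably it is for a LastPass browser extension, and without a comment the next cleanup pass will re-enable the include and silently break it. Something like `# LastPass extension needs ${HOME}/.lastpass; disable-passwdmgr.inc is therefore not included` next to line 28 would make the trade-off explicit. The other disabled hardening, `noroot` on line 58, does carry its reason, which is the pattern to follow; `shell none`, `private-bin` and `dbus-user none` are also absent here while most sibling profiles set them, and a similar one-liner would document whether that is intentional for a browser that spawns helper processes.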
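--- /dev/null
+++ b/etc/profile-m-z/min.profile
@@ -0,0 +1,15 @@
+# Firejail profile for min
+# Description: A faster, smarter web browser.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include min.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Min
+
+mkdir ${HOME}/.config/Min
+whitelist ${HOME}/.config/Min
+
+# Redirect
+include chromium-common.profile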
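--- /dev/null
+++ b/etc/profile-m-z/mindless.profile
@@ -0,0 +1,50 @@
+# Firejail profile for mindless
+# Description: figure out the secret code
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mindless.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/mindless
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin mindless
+private-cache
+private-dev
+private-etc fonts
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute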
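--- /dev/null
+++ b/etc/profile-m-z/minetest.profile
@@ -0,0 +1,51 @@
+# Firejail profile for minetest
+# Description: Multiplayer infinite-world block sandbox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include minetest.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/minetest
+noblacklist ${HOME}/.minetest
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/minetest
+mkdir ${HOME}/.minetest
+whitelist ${HOME}/.cache/minetest
+whitelist ${HOME}/.minetest
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin minetest
+private-cache
+private-dev
+# private-etc needs to be updated, see #1702
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none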
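--- /dev/null
+++ b/etc/profile-m-z/mirrormagic.profile
@@ -0,0 +1,50 @@
+# Firejail profile for mirrormagic
+# Description: Puzzle game where you steer a beam of light using mirrors
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mirrormagic.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.mirrormagic
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.mirrormagic
+whitelist ${HOME}/.mirrormagic
+whitelist /usr/share/mirrormagic
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin mirrormagic
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+
+dbus-user none
+dbus-system none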
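Review bot: `private` on line 42 mounts a fresh temporary home, which as far as I can tell makes the `mkdir`/`whitelist ${HOME}/.mirrormagic` pair on lines 19-20 (and the `noblacklist` on line 9) dead and discards the game's settings and scores when the sandbox exits. The sibling mindless profile uses `private` without any home whitelist, so the two intentions are mixed here; either drop line 42 so the whitelist does the confining and the directory persists, or drop lines 9, 19 and 20 and add `# private: the game's settings are deliberately not persisted` so the next reader knows it is on purpose. If firejail does honour `whitelist` underneath `private`, a comment to that effect would settle it just as well.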
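--- /dev/null
+++ b/etc/profile-m-z/mousepad.profile
@@ -0,0 +1,39 @@
+# Firejail profile for mousepad
+# Description: Simple Xfce oriented text editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mousepad.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Mousepad
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin mousepad
+private-dev
+private-lib
+private-tmp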
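--- /dev/null
+++ b/etc/profile-m-z/mp3splt-gtk.profile
@@ -0,0 +1,43 @@
+# Firejail profile for mp3splt-gtk
+# Description: Gtk utility for mp3/ogg splitting without decoding
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mp3splt-gtk.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.mp3splt-gtk
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin mp3splt-gtk
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,machine-id,openal,pulse
+private-tmp
+
+dbus-user none
+dbus-system none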
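--- /dev/null
+++ b/etc/profile-m-z/mp3splt.profile
@@ -0,0 +1,53 @@
+# Firejail profile for mp3splt
+# Description: utility for mp3 splitting without decoding
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mp3splt.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin flacsplt,mp3splt,mp3wrap,oggsplt
+private-cache
+private-dev
+private-etc alternatives
+private-tmp
+
+memory-deny-write-execute
+
+dbus-user none
+dbus-system none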
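--- /dev/null
+++ b/etc/profile-m-z/mp3wrap.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mp3wrap
+# This file is overwritten after every install/update
+include mp3wrap.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mp3splt.profile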
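--- /dev/null
+++ b/etc/profile-m-z/mpDris2.profile
@@ -0,0 +1,57 @@
+# Firejail profile for mpDris2
+# Description: MPRIS2 support for MPD
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mpDris2.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mpDris2
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${MUSIC}
+
+mkdir ${HOME}/.config/mpDris2
+whitelist ${HOME}/.config/mpDris2
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin mpDris2,notify-send,python*
+private-cache
+private-dev
+private-etc alternatives,hosts,nsswitch.conf
+private-lib libdbus-1.so.*,libdbus-glib-1.so.*,libgirepository-1.0.so.*,libnotify.so.*,libpython*,python2*,python3*
+private-tmp
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
+
+read-only ${HOME}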
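--- /dev/null
+++ b/etc/profile-m-z/mpd.profile
@@ -0,0 +1,44 @@
+# Firejail profile for mpd
+# Description: Music Player Daemon
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mpd.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mpd
+noblacklist ${HOME}/.mpd
+noblacklist ${HOME}/.mpdconf
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+# blacklisting of ioprio_set system calls breaks auto-updating of
+# MPD's database when files in music_directory are changed
+seccomp !ioprio_set
+shell none
+
+#private-bin bash,mpd
+private-cache
+private-dev
+private-tmp
+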
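Review bot: `#private-bin bash,mpd` on line 40 is left commented without a reason, unlike the `seccomp !ioprio_set` exception on lines 35-37, which is documented the way an exception in a hardening profile should be; a note such as `# private-bin disabled: mpd needs more than bash,mpd (decoder/output helpers) — see mpd.local` (wording to be confirmed by whoever hit the breakage) would keep it from being re-enabled blindly. The profile also omits `nogroups`, `disable-mnt`, `tracelog` and `dbus-user none`/`dbus-system none` that most sibling profiles set; mpd may need a supplementary audio group for device access, so if that is the reason a one-line comment would settle it. The file ends with a trailing empty line (line 44), as does mediathekview.profile, which the other profiles in this batch avoid.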
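--- /dev/null
+++ b/etc/profile-m-z/mpg123-alsa.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-alsa
+# Persistent local customizations
+include mpg123-alsa.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mpg123.profile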
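--- /dev/null
+++ b/etc/profile-m-z/mpg123-id3dump.profile
@@ -0,0 +1,12 @@
+# Firejail profile for mpg123-id3dump
+# Persistent local customizations
+include mpg123-id3dump.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+machine-id
+nosound
+
+# Redirect
+include mpg123.profile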
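--- /dev/null
+++ b/etc/profile-m-z/mpg123-jack.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-jack
+# Persistent local customizations
+include mpg123-jack.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mpg123.profile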
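--- /dev/null
+++ b/etc/profile-m-z/mpg123-nas.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-nas
+# Persistent local customizations
+include mpg123-nas.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mpg123.profile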
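--- /dev/null
+++ b/etc/profile-m-z/mpg123-openal.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-openal
+# Persistent local customizations
+include mpg123-openal.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mpg123.profile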
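--- /dev/null
+++ b/etc/profile-m-z/mpg123-oss.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-oss
+# Persistent local customizations
+include mpg123-oss.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mpg123.profile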
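--- /dev/null
+++ b/etc/profile-m-z/mpg123-portaudio.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-portaudio
+# Persistent local customizations
+include mpg123-portaudio.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mpg123.profile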
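--- /dev/null
+++ b/etc/profile-m-z/mpg123-pulse.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-pulse
+# Persistent local customizations
+include mpg123-pulse.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mpg123.profile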
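--- /dev/null
+++ b/etc/profile-m-z/mpg123-strip.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-strip
+# Persistent local customizations
+include mpg123-strip.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mpg123.profile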
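--- /dev/null
+++ b/etc/profile-m-z/mpg123.bin.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123.bin
+# Persistent local customizations
+include mpg123.bin.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mpg123.profile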
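--- /dev/null
+++ b/etc/profile-m-z/mpg123.profile
@@ -0,0 +1,41 @@
+# Firejail profile for mpg123
+# Description: MPEG audio player/decoder
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mpg123.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+#private-bin mpg123*
+private-dev
+private-tmp
+
+memory-deny-write-execute
+
+dbus-user none
+dbus-system none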
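Review bot: `#private-bin mpg123*` on line 34 is disabled without a stated reason, whereas this file set does document other opt-outs (mpv.profile line 51: `# Causes slow OSD, see #2838`). Without the rationale the next maintainer cannot tell whether to re-enable it or delete it; a one-liner such as `# private-bin mpg123* - disabled because <REASON> (see #<ISSUE>)` would settle it, with the placeholders filled from the actual history. The same undocumented opt-out appears at `# nogroups` (mplayer.profile line 28) and at `# seccomp` (multimc5.profile line 40); the latter leaves that sandbox with no syscall filter at all, so its reason in particular deserves to be recorded next to the line.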
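--- /dev/null
+++ b/etc/profile-m-z/mplayer.profile
@@ -0,0 +1,39 @@
+# Firejail profile for mplayer
+# Description: Movie player for Unix-like systems
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mplayer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.mplayer
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+# net none - mplayer can be used for streaming.
+netfilter
+# nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin mplayer
+private-dev
+private-tmp
+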
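--- /dev/null
+++ b/etc/profile-m-z/mpsyt.profile
@@ -0,0 +1,70 @@
+# Firejail profile for mpsyt
+# Description: Terminal based YouTube player and downloader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mpsyt.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mps-youtube
+noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/youtube-dl
+noblacklist ${HOME}/.mplayer
+noblacklist ${HOME}/.netrc
+noblacklist ${HOME}/mps
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/mps-youtube
+mkdir ${HOME}/.config/mpv
+mkdir ${HOME}/.config/youtube-dl
+mkdir ${HOME}/.mplayer
+mkdir ${HOME}/mps
+whitelist ${HOME}/.config/mps-youtube
+whitelist ${HOME}/.config/mpv
+whitelist ${HOME}/.config/youtube-dl
+whitelist ${HOME}/.mplayer
+whitelist ${HOME}/.netrc
+whitelist ${HOME}/mps
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${VIDEOS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+# Seems to cause issues with Nvidia drivers sometimes
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin env,ffmpeg,mplayer,mpsyt,mpv,python*,youtube-dl
+#private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none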
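Review bot: `noblacklist ${HOME}/.netrc` (line 13) together with `whitelist ${HOME}/.netrc` (line 40) makes the user's plaintext credentials file readable by everything in this sandbox, which via `private-bin` on line 64 includes `python*`, `ffmpeg` and `youtube-dl`. That is a deliberate widening of the sandbox and should be explained in place so it is not copied into other profiles by habit; if the purpose is youtube-dl's netrc login support, a comment such as `# youtube-dl can read site logins from ~/.netrc; comment out if unused` on line 13 would do, with the dependency confirmed rather than assumed. mpv.profile line 12 carries the same `noblacklist ${HOME}/.netrc` without a whitelist and would take the same comment.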
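--- /dev/null
+++ b/etc/profile-m-z/mpv.profile
@@ -0,0 +1,56 @@
+# Firejail profile for mpv
+# Description: Video player based on MPlayer/mplayer2
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include mpv.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/youtube-dl
+noblacklist ${HOME}/.netrc
+
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+noblacklist ${MUSIC}
+noblacklist ${PICTURES}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/vulkan
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+
+# Seems to cause issues with Nvidia drivers sometimes
+nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin env,mpv,python*,youtube-dl
+# Causes slow OSD, see #2838
+#private-cache
+private-dev
+
+dbus-user none
+dbus-system none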
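Review bot: The blank line at line 39 splits the sandbox-option block between `netfilter` and the `# Seems to cause issues with Nvidia drivers sometimes` comment, so the comment reads as opening a new section rather than annotating `nogroups`; mpsyt.profile (lines 48–62) keeps the same block contiguous, and dropping the blank line here would match it. Separately, this is the only player profile in the chunk with `private-dev` but no `private-tmp` (mpsyt, mplayer and mpg123 all set both); if mpv needs a shared /tmp, a one-line comment saying so would stop the next reviewer from adding it, otherwise `private-tmp` after line 53 would bring it in line.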
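--- /dev/null
+++ b/etc/profile-m-z/mrrescue.profile
@@ -0,0 +1,49 @@
+# Firejail profile for mrrescue
+# Description: Arcade-style fire fighting game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mrrescue.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/love
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/love
+whitelist ${HOME}/.local/share/love
+whitelist /usr/share/mrrescue
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin love,mrrescue,sh
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+
+dbus-user none
+dbus-system none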
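--- /dev/null
+++ b/etc/profile-m-z/ms-excel.profile
@@ -0,0 +1,13 @@
+# Firejail profile for Microsoft Office Online - Excel
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ms-excel.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/ms-excel-online
+private-bin ms-excel
+
+# Redirect
+include ms-office.profile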
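--- /dev/null
+++ b/etc/profile-m-z/ms-office.profile
@@ -0,0 +1,43 @@
+# Firejail profile for Microsoft Office Online
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ms-office.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/ms-office-online
+noblacklist ${HOME}/.jak
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,env,fonts,jak,ms-office,python*,sh
+private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none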
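Review bot: `private-dev` (line 39) comes after `private-etc` (line 38), breaking the alphabetical `private-*` order every other profile in this set keeps (`private-bin`, `private-cache`, `private-dev`, `private-etc`, `private-tmp`); swap the two lines. The `include disable-*` block (lines 15–20) also omits `include disable-xdg.inc`, which the rest of the chunk carries except multimc5.profile and mumble.profile; if the ms-* wrappers need the XDG user directories that should be stated on line 21, otherwise add the include. Finally, the `private-etc` list has no `hosts` or `nsswitch.conf`, which mupdf-x11-curl.profile (line 15) does include for its network access — worth confirming that name resolution works inside this sandbox without them, since this base profile is what five ms-* wrappers redirect to.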
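--- /dev/null
+++ b/etc/profile-m-z/ms-onenote.profile
@@ -0,0 +1,13 @@
+# Firejail profile for Microsoft Office Online - Onenote
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ms-onenote.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/ms-onenote-online
+private-bin ms-onenote
+
+# Redirect
+include ms-office.profile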
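--- /dev/null
+++ b/etc/profile-m-z/ms-outlook.profile
@@ -0,0 +1,13 @@
+# Firejail profile for Microsoft Office Online - Outlook
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ms-outlook.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/ms-outlook-online
+private-bin ms-outlook
+
+# Redirect
+include ms-office.profile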
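--- /dev/null
+++ b/etc/profile-m-z/ms-powerpoint.profile
@@ -0,0 +1,13 @@
+# Firejail profile for Microsoft Office Online - Powerpoint
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ms-powerpoint.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/ms-powerpoint-online
+private-bin ms-powerpoint
+
+# Redirect
+include ms-office.profile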
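--- /dev/null
+++ b/etc/profile-m-z/ms-skype.profile
@@ -0,0 +1,16 @@
+# Firejail profile for Microsoft Office Online - Skype
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ms-skype.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+ignore novideo
+
+noblacklist ${HOME}/.cache/ms-skype-online
+
+private-bin ms-skype
+
+# Redirect
+include ms-office.profile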
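--- /dev/null
+++ b/etc/profile-m-z/ms-word.profile
@@ -0,0 +1,13 @@
+# Firejail profile for Microsoft Office Online - Word
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ms-word.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/ms-word-online
+private-bin ms-word
+
+# Redirect
+include ms-office.profile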
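--- /dev/null
+++ b/etc/profile-m-z/multimc.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for multimc5
+# This file is overwritten after every install/update
+
+# Redirect
+include multimc5.profile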
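--- /dev/null
+++ b/etc/profile-m-z/multimc5.profile
@@ -0,0 +1,48 @@
+# Firejail profile for multimc5
+# This file is overwritten after every install/update
+# Persistent local customizations
+include multimc5.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/multimc
+noblacklist ${HOME}/.local/share/multimc5
+noblacklist ${HOME}/.multimc5
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.local/share/multimc
+mkdir ${HOME}/.local/share/multimc5
+mkdir ${HOME}/.multimc5
+whitelist ${HOME}/.local/share/multimc
+whitelist ${HOME}/.local/share/multimc5
+whitelist ${HOME}/.multimc5
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+# seccomp
+shell none
+
+disable-mnt
+# private-bin works, but causes weirdness
+# private-bin apt-file,awk,bash,chmod,dirname,dnf,grep,java,kdialog,ldd,mkdir,multimc5,pfl,pkgfile,readlink,sort,valgrind,which,yum,zenity,zypper
+private-dev
+private-tmp
+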
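--- /dev/null
+++ b/etc/profile-m-z/mumble.profile
@@ -0,0 +1,46 @@
+# Firejail profile for mumble
+# Description: Low latency encrypted VoIP client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mumble.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Mumble
+noblacklist ${HOME}/.local/share/data/Mumble
+noblacklist ${HOME}/.local/share/Mumble
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/Mumble
+mkdir ${HOME}/.local/share/data/Mumble
+mkdir ${HOME}/.local/share/Mumble
+whitelist ${HOME}/.config/Mumble
+whitelist ${HOME}/.local/share/data/Mumble
+whitelist ${HOME}/.local/share/Mumble
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin mumble
+private-tmp
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)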
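Review bot: The option block (lines 29–40) has neither `nou2f` nor `novideo`, although both appear in nearly every other desktop profile in this chunk; for a client described on line 2 as a VoIP client, `novideo` looks applicable and `nou2f` almost certainly is, so add them after `notv` unless Mumble is known to need those devices, in which case a comment on line 36 should say so. `private-dev` is also absent while `private-tmp` and `disable-mnt` are set; since `private-dev` keeps the sound devices available, it is likely safe here, but that should be verified on a real session before adding it after `private-bin mumble`.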
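--- /dev/null
+++ b/etc/profile-m-z/mupdf-gl.profile
@@ -0,0 +1,13 @@
+# Firejail profile for mupdf-gl
+# Description: Lightweight PDF viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mupdf-gl.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.mupdf.history
+
+# Redirect
+include mupdf.profile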
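--- /dev/null
+++ b/etc/profile-m-z/mupdf-x11-curl.profile
@@ -0,0 +1,18 @@
+# Firejail profile for mupdf-x11-curl
+# Description: Lightweight PDF viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mupdf-x11-curl.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+ignore net none
+
+netfilter
+protocol unix,inet,inet6
+
+private-etc ca-certificates,crypto-policies,hosts,nsswitch.conf,pki,resolv.conf,ssl
+
+# Redirect
+include mupdf.profile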
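--- /dev/null
+++ b/etc/profile-m-z/mupdf-x11.profile
@@ -0,0 +1,14 @@
+# Firejail profile for mupdf-x11
+# Description: Lightweight PDF viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mupdf-x11.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+memory-deny-write-execute
+read-only ${HOME}
+
+# Redirect
+include mupdf.profile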
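--- /dev/null
+++ b/etc/profile-m-z/mupdf.profile
@@ -0,0 +1,43 @@
+# Firejail profile for mupdf
+# Description: Lightweight PDF viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mupdf.local
+# Persistent global definitions
+#include globals.local
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-dev
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
+private-tmp
+
+dbus-user none
+dbus-system none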
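Review bot: `#include globals.local` on line 7 is commented out in a base profile, so the "Persistent global definitions" mechanism announced on line 6 never takes effect for mupdf — nor for mupdf-gl, mupdf-x11, mupdf-x11-curl, muraster and mutool, which each disable their own copy with the note `# added by included profile`, a statement that is only true if this file includes it. Every other base profile in this chunk (mpd, mpg123, mplayer, ms-office, multimc5, mumble, musescore, mutt) has the live `include globals.local`, so this looks like an oversight rather than a policy; change line 7 to `include globals.local`. If the opt-out was intentional, the five redirecting profiles should say so instead of claiming the include comes from here.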
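--- /dev/null
+++ b/etc/profile-m-z/mupen64plus.profile
@@ -0,0 +1,35 @@
+# Firejail profile for mupen64plus
+# Description: Nintendo64 Emulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mupen64plus.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mupen64plus
+noblacklist ${HOME}/.local/share/mupen64plus
+
+include disable-common.inc
+include disable-devel.inc
+include disable-passwdmgr.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+# you'll need to manually whitelist ROM files
+mkdir ${HOME}/.config/mupen64plus
+mkdir ${HOME}/.local/share/mupen64plus
+whitelist ${HOME}/.config/mupen64plus
+whitelist ${HOME}/.local/share/mupen64plus
+include whitelist-common.inc
+
+caps.drop all
+net none
+nodvd
+nonewprivs
+noroot
+notv
+novideo
+seccomp
+
+dbus-user none
+dbus-system none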
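Review bot: `include disable-passwdmgr.inc` is listed twice (lines 14 and 15), and the block has no `include disable-exec.inc` or `include disable-interpreters.inc`, which every other game profile in this chunk (mrrescue, multimc5) carries; the duplicate is most likely a copy-paste slip that displaced one of them. Replace line 14 with `include disable-exec.inc` and add `include disable-interpreters.inc` after it to restore the standard list. The option block also stops at `seccomp` (line 32) with no `shell none`, `nou2f`, `nogroups` or `protocol` line, and there is no `private-dev`/`private-tmp`; whether the emulator needs a shell or non-unix sockets should be confirmed on a real session before adding `shell none` and a `protocol` line the way the other offline (`net none`) profiles do.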
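--- /dev/null
+++ b/etc/profile-m-z/muraster.profile
@@ -0,0 +1,11 @@
+# Firejail profile for muraster
+# Description: Lightweight PDF viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include muraster.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mupdf.profile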
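--- /dev/null
+++ b/etc/profile-m-z/musescore.profile
@@ -0,0 +1,43 @@
+# Firejail profile for musescore
+# Description: Free music composition and notation software
+# This file is overwritten after every install/update
+# Persistent local customizations
+include musescore.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/MusE
+noblacklist ${HOME}/.config/MuseScore
+noblacklist ${HOME}/.local/share/data/MusE
+noblacklist ${HOME}/.local/share/data/MuseScore
+noblacklist ${DOCUMENTS}
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
+shell none
+tracelog
+
+# private-bin musescore,mscore
+private-tmp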
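--- /dev/null
+++ b/etc/profile-m-z/musixmatch.profile
@@ -0,0 +1,36 @@
+# Firejail profile for Musixmatch
+# This file is overwritten after every install/update
+# Persistent local customizations
+include musixmatch.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nogroups
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+
+disable-mnt
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl
+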
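Review bot: `nogroups` appears twice, at lines 22 and 25, and the second copy also breaks the otherwise alphabetical option order between `noroot` and `nosound`; drop line 25. The profile has no `shell none` — every other non-redirect profile in this chunk sets it right after `seccomp` — and no `private-tmp`, and the `include disable-*` block (lines 10–15) omits `include disable-interpreters.inc` that the rest of the set carries. Unless Musixmatch is known to need a shell, a shared /tmp or an interpreter, add `shell none` after line 31, `private-tmp` after line 35 and the missing include after `disable-exec.inc`, or record in a comment why they are left out.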
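--- /dev/null
+++ b/etc/profile-m-z/mutool.profile
@@ -0,0 +1,11 @@
+# Firejail profile for mutool
+# Description: Lightweight PDF viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mutool.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mupdf.profile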
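--- /dev/null
+++ b/etc/profile-m-z/mutt.profile
@@ -0,0 +1,61 @@
+# Firejail profile for mutt
+# Description: Text-based mailreader supporting MIME, GPG, PGP and threading
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mutt.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /var/mail
+noblacklist /var/spool/mail
+noblacklist ${HOME}/.Mail
+noblacklist ${HOME}/.bogofilter
+noblacklist ${HOME}/.cache/mutt
+noblacklist ${HOME}/.config/nano
+noblacklist ${HOME}/.elinks
+noblacklist ${HOME}/.emacs
+noblacklist ${HOME}/.emacs.d
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.mail
+noblacklist ${HOME}/.msmtprc
+noblacklist ${HOME}/.mutt
+noblacklist ${HOME}/.muttrc
+noblacklist ${HOME}/.nanorc
+noblacklist ${HOME}/.signature
+noblacklist ${HOME}/.vim
+noblacklist ${HOME}/.viminfo
+noblacklist ${HOME}/.vimrc
+noblacklist ${HOME}/.w3m
+noblacklist ${HOME}/Mail
+noblacklist ${HOME}/mail
+noblacklist ${HOME}/postponed
+noblacklist ${HOME}/sent
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-runuser-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+writable-run-user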
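Review bot: `noblacklist ${HOME}/.msmtprc` (line 20) and `noblacklist ${HOME}/.gnupg` (line 18) re-expose the two most credential-laden files a mail sandbox touches, and both stay writable because nothing in $HOME is whitelisted and there are no `read-only` lines. The msmtp configuration is only read, so `read-only ${HOME}/.msmtprc` costs nothing; `.gnupg` is written by gpg itself (trustdb, random_seed), so only lock it down if signing goes through an agent socket outside the sandbox, which depends on the local setup. The profile also omits `disable-exec.inc`, unlike nano.profile and newsboat.profile in this same commit, while leaving `.vimrc`, `.emacs.d` and mailcap-driven helpers writable — the obvious persistence path for a hostile message — so if that was deliberate, a comment explaining it belongs above line 37. `private-tmp` is missing as well, so the sandbox shares /tmp with the host.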
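--- /dev/null
+++ b/etc/profile-m-z/mypaint-ora-thumbnailer.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for mypaint-ora-thumbnailer
+# This file is overwritten after every install/update
+
+# Redirect
+include mypaint.profile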
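--- /dev/null
+++ b/etc/profile-m-z/mypaint.profile
@@ -0,0 +1,50 @@
+# Firejail profile for mypaint
+# Description: A fast and easy graphics application for digital painters
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mypaint.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/mypaint
+noblacklist ${HOME}/.config/mypaint
+noblacklist ${HOME}/.local/share/mypaint
+noblacklist ${PICTURES}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0
+private-tmp
+
+dbus-user none
+dbus-system none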
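Review bot: Nothing in $HOME is whitelisted, so although `disable-xdg.inc` is included and `${PICTURES}` is un-blacklisted (line 12), every other non-blacklisted directory in the home stays readable and writable from inside the sandbox. mypaint's own state is confined to the three directories on lines 9-11, which makes this one of the cheapest profiles in the batch to convert to a whitelist: add the lines below after `include disable-xdg.inc`. Check first whether users routinely open images outside `${PICTURES}`, since a whitelist hides everything else.
```conf
# … unchanged: header, noblacklist and include lines …
mkdir ${HOME}/.cache/mypaint
mkdir ${HOME}/.config/mypaint
mkdir ${HOME}/.local/share/mypaint
whitelist ${HOME}/.cache/mypaint
whitelist ${HOME}/.config/mypaint
whitelist ${HOME}/.local/share/mypaint
whitelist ${PICTURES}
include whitelist-common.inc
# … unchanged: apparmor through dbus-system none …
```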
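--- /dev/null
+++ b/etc/profile-m-z/nano.profile
@@ -0,0 +1,55 @@
+# Firejail profile for nano
+# Description: nano is an easy text editor for the terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include nano.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${HOME}/.config/nano
+noblacklist ${HOME}/.nanorc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+whitelist /usr/share/nano
+include whitelist-usr-share-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+# disable-mnt
+private-bin nano,rnano
+private-cache
+private-dev
+# Comment the next line if you want to edit files in /etc directly
+private-etc alternatives,nanorc
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute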
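--- /dev/null
+++ b/etc/profile-m-z/natron.profile
@@ -0,0 +1,38 @@
+# Firejail profile for natron
+# This file is overwritten after every install/update
+# Persistent local customizations
+include natron.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.Natron
+noblacklist ${HOME}/.cache/INRIA/Natron
+noblacklist ${HOME}/.config/INRIA
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix
+seccomp
+shell none
+
+private-bin natron,Natron,NatronRenderer
+
+dbus-user none
+dbus-system none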
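Review bot: `private-dev` and `private-tmp` are missing while every other GUI profile in this commit that sets `private-bin` also sets them, so Natron sees the full /dev tree and shares /tmp with the host. Firejail's `private-dev` keeps /dev/dri and the nvidia nodes, so OpenGL rendering should be unaffected; add `private-dev` and `private-tmp` after line 35, and confirm that the NatronRenderer background process does not hand work over through /tmp before keeping the second. `disable-xdg.inc`, `nosound` and `novideo` are absent as well; the first is probably safe for a compositor, the other two depend on whether audio/webcam input is used.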
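--- /dev/null
+++ b/etc/profile-m-z/nautilus.profile
@@ -0,0 +1,44 @@
+# Firejail profile for nautilus
+# Description: File manager and graphical shell for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nautilus.local
+# Persistent global definitions
+include globals.local
+
+# Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there
+# is already a nautilus process running on gnome desktops firejail will have no effect.
+
+noblacklist ${HOME}/.config/nautilus
+noblacklist ${HOME}/.local/share/Trash
+noblacklist ${HOME}/.local/share/nautilus
+noblacklist ${HOME}/.local/share/nautilus-python
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# include disable-programs.inc
+
+allusers
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# nautilus needs to be able to start arbitrary applications so we cannot blacklist their files
+# private-bin nautilus
+# private-dev
+# private-tmp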
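Review bot: The comment on line 41 explains why `private-bin` is off but not the consequence of line 32: every application launched from this nautilus runs inside the sandbox and inherits `caps.drop all`, `seccomp` and `nonewprivs`, so anything that relies on setuid or pkexec (disk utilities, package managers) fails in non-obvious ways. Suggest extending the comment: `# Applications launched from nautilus inherit this sandbox (nonewprivs, seccomp, caps.drop all); setuid/pkexec based tools will not work`. Separately, `netfilter` on line 29 does nothing while `protocol unix` on line 36 excludes inet/inet6; either alone is fine, but having both reads as an oversight.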
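--- /dev/null
+++ b/etc/profile-m-z/ncdu.profile
@@ -0,0 +1,36 @@
+# Firejail profile for ncdu
+# Description: Ncurses disk usage viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ncdu.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-exec.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+x11 none
+
+private-dev
+# private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute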
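Review bot: The only filesystem restriction is `disable-exec.inc` (line 11), which is the right trade-off for a tool that must see every file, but ncdu can also delete entries and spawn a shell from its UI, so this sandbox does nothing to protect the user's data from a mistaken keypress or a hostile build. For inspection-only use, `read-only ${HOME}` in ncdu.local removes the deletion path; that is worth saying here, e.g. `# ncdu can delete files; add read-only ${HOME} to ncdu.local for inspection-only use`. The reason the disable-*.inc family is skipped (ncdu needs to measure those directories) would also be worth one line so nobody "hardens" it later.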
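--- /dev/null
+++ b/etc/profile-m-z/nemo.profile
@@ -0,0 +1,38 @@
+# Firejail profile for nemo
+# Description: File manager and graphical shell for Cinnamon
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nemo.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/nemo
+noblacklist ${HOME}/.local/share/Trash
+noblacklist ${HOME}/.local/share/nemo
+noblacklist ${HOME}/.local/share/nemo-python
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+
+allusers
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+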
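Review bot: `disable-programs.inc` is simply absent from the include list (lines 18-22), whereas nautilus.profile in this same commit comments it out and states why (`nautilus needs to be able to start arbitrary applications so we cannot blacklist their files`); without that comment the next reviewer will add it to nemo and break application launching. Suggest `# include disable-programs.inc` with the same rationale, plus a note that launched applications inherit `nonewprivs`/`seccomp`/`caps.drop all` from lines 25-36, so setuid/pkexec-based tools started from nemo will fail. `disable-exec.inc` on line 20 is also stricter than nautilus (which omits it); that is a defensible choice, but the two file-manager profiles should at least say why they differ.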
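--- /dev/null
+++ b/etc/profile-m-z/netactview.profile
@@ -0,0 +1,54 @@
+# Firejail profile for netactview
+# Description: A graphical network connections viewer similar in functionality to netstat
+# This file is overwritten after every install/update
+# Persistent local customizations
+include netactview.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.netactview
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkfile ${HOME}/.netactview
+whitelist ${HOME}/.netactview
+whitelist /usr/share/netactview
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+seccomp
+shell none
+
+disable-mnt
+private-bin netactview,netactview_polkit
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute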
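Review bot: There is no `protocol` line, so unlike every other profile in this batch all socket families (packet, netlink, etc.) remain available; reading /proc/net needs none of them, so `protocol unix` is the obvious addition, with `,netlink` appended only if the packaged build uses sock_diag. `private-bin` on line 44 lists `netactview_polkit`, but `noroot`, `nonewprivs` and `caps.drop all` make the polkit elevation it performs impossible, so the helper is dead weight that suggests a capability the sandbox does not have; drop it or comment why it stays. If reverse lookups of remote hosts are expected (`netfilter` is set, so network is), `private-etc alternatives,fonts` on line 47 also needs `hosts,nsswitch.conf,resolv.conf`.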
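--- /dev/null
+++ b/etc/profile-m-z/nethack-vultures.profile
@@ -0,0 +1,45 @@
+# Firejail profile for nethack-vultures
+# Description: A rogue-like single player dungeon exploration game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nethack.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.vultures
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.vultures
+whitelist ${HOME}/.vultures
+whitelist /var/log/vultures
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+#nonewprivs
+#noroot
+notv
+novideo
+#protocol unix,netlink
+#seccomp
+shell none
+
+disable-mnt
+#private
+private-cache
+private-dev
+private-tmp
+writable-var
+
+dbus-user none
+dbus-system none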
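Review bot: Line 5 includes `nethack.local` rather than `nethack-vultures.local`, so a customization written for this profile under the `<name>.local` convention documented on line 4 is silently ignored, and every nethack.local tweak applies here whether wanted or not. If the sharing is intended, say so in the comment; otherwise change it to `include nethack-vultures.local`. The commented-out `nonewprivs`, `noroot` and `seccomp` (lines 29-34) carry no explanation either; if the reason is a setgid `games` bit on the binary (seccomp filters require no_new_privs, which would defeat the setgid), one comment line saves the next person from re-enabling them and filing a breakage report.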
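--- /dev/null
+++ b/etc/profile-m-z/nethack.profile
@@ -0,0 +1,47 @@
+# Firejail profile for nethack
+# Description: A rogue-like single player dungeon exploration game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nethack.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /var/games/nethack
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+whitelist /var/games/nethack
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+#nonewprivs
+#noroot
+nosound
+notv
+novideo
+#protocol unix,netlink
+#seccomp
+shell none
+
+disable-mnt
+#private
+private-cache
+private-dev
+private-tmp
+writable-var
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute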
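Review bot: The strongest options in the file — `nonewprivs`, `noroot`, `protocol` and `seccomp` (lines 28-34) — are commented out with no rationale, and `writable-var` on line 42 re-opens all of /var rather than just the score directory whitelisted on line 18. The likely reason is that nethack is installed setgid `games` to write /var/games/nethack, which no_new_privs (and therefore seccomp) would defeat; if so, a comment such as `# nethack is setgid games for /var/games/nethack; nonewprivs and seccomp would break it` belongs above line 28, and `read-only /var` followed by `read-write /var/games/nethack` would be tighter than `writable-var`. Confirm against the packaged binary before changing either.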
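--- /dev/null
+++ b/etc/profile-m-z/netsurf.profile
@@ -0,0 +1,34 @@
+# Firejail profile for netsurf
+# Description: Lightweight and fast web browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include netsurf.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/netsurf
+noblacklist ${HOME}/.config/netsurf
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/netsurf
+mkdir ${HOME}/.config/netsurf
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/netsurf
+whitelist ${HOME}/.config/netsurf
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+disable-mnt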
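Review bot: For a web browser — the most exposed application class in this batch — this is the thinnest profile: no `disable-exec.inc`, no `disable-passwdmgr.inc`, no `private-dev`, `private-tmp` or `shell none`, and none of `nogroups`/`nosound`/`nou2f`/`novideo`, so a renderer compromise can still execute a file it dropped in `${DOWNLOADS}` and read password-manager stores. The lines below are used by every other networked GUI profile in this commit and should not affect NetSurf, which only needs its two config directories and downloads; verify that audio and camera are genuinely unused before keeping `nosound`/`novideo`.
```conf
# … unchanged: header and noblacklist lines …
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
# … unchanged: mkdir/whitelist block …
caps.drop all
netfilter
nodvd
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6,netlink
seccomp
shell none
tracelog

disable-mnt
private-dev
private-tmp
```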
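--- /dev/null
+++ b/etc/profile-m-z/neverball.profile
@@ -0,0 +1,39 @@
+# Firejail profile for neverball
+# Description: 3D floor-tilting game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include neverball.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.neverball
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.neverball
+whitelist ${HOME}/.neverball
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+
+disable-mnt
+private-bin neverball
+private-dev
+private-tmp
+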
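--- /dev/null
+++ b/etc/profile-m-z/neverputt.profile
@@ -0,0 +1,11 @@
+# Firejail profile for neverputt
+# This file is overwritten after every install/update
+# Persistent local customizations
+include neverputt.local
+# added by included profile
+#include globals.local
+
+private-bin neverputt
+
+# Redirect
+include neverball.profile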
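--- /dev/null
+++ b/etc/profile-m-z/newsbeuter.profile
@@ -0,0 +1,21 @@
+# Firejail profile for Newsbeuter
+# Description: Text based Atom/RSS feed reader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include newsbeuter.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.config/newsbeuter
+noblacklist ${HOME}/.newsbeuter
+
+mkdir ${HOME}/.config/newsbeuter
+mkdir ${HOME}/.newsbeuter
+whitelist ${HOME}/.config/newsbeuter
+whitelist ${HOME}/.newsbeuter
+
+private-bin newsbeuter
+
+# Redirect
+include newsboat.profile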
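--- /dev/null
+++ b/etc/profile-m-z/newsboat.profile
@@ -0,0 +1,50 @@
+# Firejail profile for Newsboat
+# Description: RSS program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include newsboat.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.newsboat
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.newsboat
+whitelist ${HOME}/.newsboat
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin newsboat
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,terminfo
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute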
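Review bot: `private-bin newsboat` on line 41 means the `browser`, `filter:` and `exec:` commands a user configures cannot run inside the sandbox; that is a genuine security win, since `exec:` feed URLs are arbitrary command execution driven by a config file, but it is also the first thing users will trip over, so the line deserves a comment: `# private-bin blocks browser/exec:/filter: commands; add the binaries you need in newsboat.local`. `protocol inet,inet6` on line 36 omits `unix`, which no other profile in this batch does; if nothing in the sandbox needs an AF_UNIX socket that is fine, but a note saying it was deliberate would stop it being "fixed".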
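--- /dev/null
+++ b/etc/profile-m-z/nheko.profile
@@ -0,0 +1,41 @@
+# Firejail profile for nheko
+# Description: Desktop IM client for the Matrix protocol
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nheko.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/nheko
+noblacklist ${HOME}/.cache/nheko/nheko
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/nheko
+mkdir ${HOME}/.cache/nheko/nheko
+whitelist ${HOME}/.config/nheko
+whitelist ${HOME}/.cache/nheko/nheko
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin nheko
+private-tmp
+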
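Review bot: `private-dev` is missing, so the sandbox sees the full /dev tree, and `nou2f`, `private-cache` and the `dbus-*` lines are absent as well, while the sibling IM and mail profiles in this commit carry them; add `private-dev` and `nou2f` after line 39 and test `private-cache` (nheko's cache lives under `.cache/nheko/nheko`, whitelisted on line 22, so it may need the directory re-exposed). Line 20 creates the nested path `${HOME}/.cache/nheko/nheko` with a single `mkdir`; unless firejail's `mkdir` is recursive on this version, add `mkdir ${HOME}/.cache/nheko` before it. Since that cache directory holds the client's end-to-end encryption state, it is worth a comment saying it must stay whitelisted.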
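--- /dev/null
+++ b/etc/profile-m-z/nicotine.profile
@@ -0,0 +1,55 @@
+# Firejail profile for Nicotine Plus
+# Description: Soulseek music-sharing client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nicotine.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.nicotine
+
+include allow-python2.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.nicotine
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.nicotine
+whitelist /usr/share/GeoIP
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+#ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin nicotine,python2*
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none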
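Review bot: The profile pins Python 2 (`include allow-python2.inc` on line 11, `private-bin nicotine,python2*` on line 49) while the Nicotine+ releases most distributions now ship are a Python 3 port; on such a system the launcher finds no interpreter in the private /bin and the sandbox fails at start. If both generations are in the wild, add `include allow-python3.inc` and widen line 49 to `private-bin nicotine,python2*,python3*`. Because this client serves files to remote peers, the effective share root is whatever is visible through `whitelist ${DOWNLOADS}` and `${HOME}/.nicotine` (lines 22-23); a comment stating that shared folders must live under `${DOWNLOADS}` would pre-empt the support thread.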
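--- /dev/null
+++ b/etc/profile-m-z/nitroshare-cli.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for nitroshare
+# Description: Network File Transfer Application
+# This file is overwritten after every install/update
+
+# Redirect
+include nitroshare.profile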
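--- /dev/null
+++ b/etc/profile-m-z/nitroshare-nmh.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for nitroshare
+# Description: Network File Transfer Application
+# This file is overwritten after every install/update
+
+# Redirect
+include nitroshare.profile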
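--- /dev/null
+++ b/etc/profile-m-z/nitroshare-send.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for nitroshare
+# Description: Network File Transfer Application
+# This file is overwritten after every install/update
+
+# Redirect
+include nitroshare.profile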
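--- /dev/null
+++ b/etc/profile-m-z/nitroshare-ui.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for nitroshare
+# Description: Network File Transfer Application
+# This file is overwritten after every install/update
+
+# Redirect
+include nitroshare.profile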
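--- /dev/null
+++ b/etc/profile-m-z/nitroshare.profile
@@ -0,0 +1,52 @@
+# Firejail profile for nitroshare
+# Description: Network File Transfer Application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nitroshare.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Nathan Osman
+noblacklist ${HOME}/.config/NitroShare
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+disable-mnt
+private-bin awk,grep,nitroshare,nitroshare-cli,nitroshare-nmh,nitroshare-send,nitroshare-ui
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,machine-id,nsswitch.conf,ssl
+# private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare
+private-tmp
+
+# dbus-user none
+# dbus-system none
+
+# memory-deny-write-execute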
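Review bot: `awk` and `grep` on line 42 are general-purpose tools that anything running inside the sandbox can use, and nothing in the profile says why a Qt file-transfer daemon needs them; if a distribution wrapper script calls them, name the wrapper in a comment above `private-bin`, otherwise drop both. `private-etc` on line 45 includes `hosts`, `hostname` and `nsswitch.conf` but not `resolv.conf`, which is inconsistent with the `ca-certificates,ssl` entries that imply outbound TLS; add `resolv.conf` unless all peer discovery is mDNS over the `netlink` family already granted on line 37. Both `dbus-user none`/`dbus-system none` and `memory-deny-write-execute` are commented out without a reason (a tray icon is the likely one for D-Bus), which is worth stating so nobody re-enables them blind.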
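--- /dev/null
+++ b/etc/profile-m-z/nomacs.profile
@@ -0,0 +1,47 @@
+# Firejail profile for nomacs
+# Description: a fast and small image viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nomacs.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/nomacs
+noblacklist ${HOME}/.local/share/nomacs
+noblacklist ${HOME}/.local/share/data/nomacs
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+#private-bin nomacs
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,login.defs,machine-id,pki,resolv.conf,ssl
+private-tmp
+
+memory-deny-write-execute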
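Review bot: An image viewer is granted full outbound network here — `netfilter` plus `protocol unix,inet,inet6,netlink` (lines 27, 36) and a `private-etc` list with `resolv.conf`, `hosts` and the TLS stores — and image decoders are a classic exploitation target, so this is the first capability to take away. nomacs has a LAN sync feature that presumably motivated it, but `net none` is the right default for users who never use it; a comment such as `# network is only needed for nomacs' sync feature; add net none to nomacs.local otherwise` makes the trade-off visible. `login.defs` in the `private-etc` list on line 44 is unusual for a viewer and also deserves a word on why it is required.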
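--- /dev/null
+++ b/etc/profile-m-z/nslookup.profile
@@ -0,0 +1,56 @@
+# Firejail profile for nslookup
+# Description: DNS lookup utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include nslookup.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+noblacklist ${PATH}/nslookup
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${HOME}/.nslookuprc
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,nslookup,sh
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute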
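Review bot: `private-bin bash,nslookup,sh` on line 49 leaves two shells in a sandbox whose whole job is one DNS query, and `shell none` on line 45 means firejail itself never needs them; unless the distribution's `nslookup` is a wrapper script — in which case say so in a comment — drop `bash,sh`. There is no `private-etc`, so all of /etc stays readable although the tool needs only the resolver files; `private-etc alternatives,hosts,nsswitch.conf,resolv.conf` should suffice on most systems (append `ld.so.cache` if startup fails). `blacklist ${RUNUSER}/wayland-*` on line 11 is redundant with `blacklist ${RUNUSER}` on line 12.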
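--- /dev/null
+++ b/etc/profile-m-z/nylas.profile
@@ -0,0 +1,38 @@
+# Firejail profile for nylas
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nylas.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Nylas Mail
+noblacklist ${HOME}/.nylas-mail
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/Nylas Mail
+mkdir ${HOME}/.nylas-mail
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/Nylas Mail
+whitelist ${HOME}/.nylas-mail
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-dev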
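Review bot: The `# Description:` header that every sibling profile carries is missing after line 1, and the hardening set is thinner than the neighbouring profiles without a stated reason: `disable-exec.inc`, `disable-xdg.inc`, `whitelist-var-common.inc`, `private-tmp` and the `dbus-*` lines are all absent. For an Electron mail client some of these may be deliberate (exec of the bundled binary, session-bus access), but the other profiles in this directory record such exceptions with a comment in the `# option - reason` style, so the omissions read as oversights. Adding a `# Description:` line and a reason comment per deliberately skipped option would make the intent clear.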
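--- /dev/null
+++ b/etc/profile-m-z/nyx.profile
@@ -0,0 +1,53 @@
+# Firejail profile for nyx
+# Description: Command-line status monitor for tor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nyx.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+noblacklist ${HOME}/.nyx
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.nyx
+whitelist ${HOME}/.nyx
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin nyx,python*
+private-cache
+private-dev
+private-etc alternatives,fonts,passwd,tor
+private-opt none
+private-srv none
+private-tmp
+
+dbus-user none
+dbus-system none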
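Review bot: `private-etc alternatives,fonts,passwd,tor` (line 47) exposes the tor daemon's /etc/tor directory to the monitor without saying why; torrc can carry control-port settings such as `HashedControlPassword`, so the reason belongs in a comment above the line, e.g. `# tor: nyx reads /etc/tor/torrc to locate the ControlPort - TODO confirm`. If nyx authenticates with the control cookie rather than the config, the cookie file lives outside /etc and would need its own whitelist, which this profile does not show. `apparmor` is also missing while most siblings (nslookup, ocenaudio, okular) enable it; if that is intentional a comment would help.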
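--- /dev/null
+++ b/etc/profile-m-z/obs.profile
@@ -0,0 +1,43 @@
+# Firejail profile for obs
+# This file is overwritten after every install/update
+# Persistent local customizations
+include obs.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/obs-studio
+noblacklist ${MUSIC}
+noblacklist ${PICTURES}
+noblacklist ${VIDEOS}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin bash,obs,obs-ffmpeg-mux,python*,sh
+private-cache
+private-dev
+private-tmp
+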
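Review bot: The profile allows inet/inet6 sockets (line 34) but omits `netfilter`, which every other network-enabled profile in this batch (nslookup, nyx, onionshare-gui, openclonk) pairs with network access; OBS streams to remote endpoints, so the default netfilter set looks applicable unless something in the streaming path breaks under it, which I cannot tell from the hunk. The `# Description:` line after line 1 is also missing, and the shells in `private-bin` are the same point raised on nslookup.profile. Either a bare `netfilter` line after `caps.drop all`, or a comment `# netfilter - <reason>` if it is left out on purpose, would settle it.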
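--- /dev/null
+++ b/etc/profile-m-z/ocenaudio.profile
@@ -0,0 +1,54 @@
+# Firejail profile for ocenaudio
+# Description: Cross-platform, easy to use, fast and functional audio editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ocenaudio.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/ocenaudio
+noblacklist ${DOCUMENTS}
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+# net none - breaks update functionality and AppArmor on Ubuntu systems
+# uncomment (or put 'net none' in your ocenaudio.local) when needed
+#net none
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin ocenaudio
+private-cache
+private-dev
+private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse
+private-tmp
+
+# breaks preferences
+# dbus-user none
+# dbus-system none
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)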
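Review bot: `protocol unix` (line 39) allows only AF_UNIX sockets, so the inet/inet6 sockets an update check needs are rejected by the protocol filter even though lines 27-29 keep `net none` disabled precisely so that updates keep working; either the comment is stale or the line should read `protocol unix,inet,inet6`. openclonk.profile has the same combination (`# net none - networked game` followed by `protocol unix`). If the update check is known to be broken anyway and the network is kept only for the AppArmor reason, the comment on line 27 should say so; `net none` via ocenaudio.local remains the stricter option the comment already points to.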
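--- /dev/null
+++ b/etc/profile-m-z/odt2txt.profile
@@ -0,0 +1,46 @@
+# Firejail profile for odt2txt
+# Description: Simple converter from OpenDocument Text to plain text
+# This file is overwritten after every install/update
+# Persistent local customizations
+include odt2txt.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-bin odt2txt
+private-cache
+private-dev
+private-etc alternatives
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}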
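Review bot: `disable-exec.inc` is not included (lines 13-18) although the other batch converters in this set, pandoc and patch, include it and a one-shot converter has no reason to execute anything from the writable user areas; `read-only ${HOME}` on line 46 limits writes but not execution of what is already there. `disable-mnt` is likewise absent from a profile that otherwise mirrors pandoc (`net none`, `x11 none`, `private-bin odt2txt`). Adding `include disable-exec.inc` after line 14 and `disable-mnt` before `private-bin odt2txt` would bring it in line; if either breaks a use case, a comment in the existing `# option - reason` style would document it.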
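--- /dev/null
+++ b/etc/profile-m-z/oggsplt.profile
@@ -0,0 +1,9 @@
+# Firejail profile for oggsplt
+# This file is overwritten after every install/update
+include oggsplt.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mp3splt.profile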
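Review bot: The `# Persistent local customizations` comment that precedes `include <name>.local` in every other profile here is missing before line 3, while out123.profile has that comment but lacks the `# This file is overwritten after every install/update` line. Both are redirect stubs, so aligning their headers with p7zip.profile (which has all three lines) is a one-line fix each.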
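--- /dev/null
+++ b/etc/profile-m-z/okular.profile
@@ -0,0 +1,63 @@
+# Firejail profile for okular
+# Description: Universal document viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include okular.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/okular
+noblacklist ${HOME}/.config/okularpartrc
+noblacklist ${HOME}/.config/okularrc
+noblacklist ${HOME}/.kde/share/apps/okular
+noblacklist ${HOME}/.kde/share/config/okularpartrc
+noblacklist ${HOME}/.kde/share/config/okularrc
+noblacklist ${HOME}/.kde4/share/apps/okular
+noblacklist ${HOME}/.kde4/share/config/okularpartrc
+noblacklist ${HOME}/.kde4/share/config/okularrc
+noblacklist ${HOME}/.local/share/okular
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/config.kcfg
+whitelist /usr/share/okular
+whitelist /usr/share/poppler
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+# net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin kbuildsycoca4,kdeinit4,lpr,okular
+private-dev
+private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,xdg
+# private-tmp - on KDE we need access to the real /tmp for data exchange with email clients
+
+# dbus-user none
+# dbus-system none
+
+# memory-deny-write-execute
+
+join-or-start okular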
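Review bot: `private-bin kbuildsycoca4,kdeinit4,lpr,okular` (line 53) lists only the KDE4 helpers while `private-etc` on line 55 exposes both `kde4rc` and `kde5rc`; if the target is a KF5 build of okular, the launcher helpers it spawns are not in the private /bin, and a comment above line 53 should say which KDE generation the profile was tested against — I cannot tell from the hunk alone. Separately, `# private-tmp - on KDE we need access to the real /tmp for data exchange with email clients` (line 56) means the sandbox shares the host /tmp with every other process of the user; that is a documented trade-off, but one more clause pointing users to okular.local for re-enabling `private-tmp` when mail integration is not needed, as ocenaudio.profile does for `net none`, would help.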
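--- /dev/null
+++ b/etc/profile-m-z/onionshare-gui.profile
@@ -0,0 +1,41 @@
+# Firejail profile for onionshare-gui
+# This file is overwritten after every install/update
+# Persistent local customizations
+include onionshare-gui.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/onionshare
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+memory-deny-write-execute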
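Review bot: `memory-deny-write-execute` (line 41) is applied to a Python GUI application without a comment, while the only other GUI profile in this batch that considers it (ocenaudio.profile) disables it with a reason; this is the kind of line that gets removed without record when something breaks, so a comment such as `# memory-deny-write-execute - tested with onionshare <version>` would help, and I cannot verify it from the hunk. The `# Description:` line after line 1 is missing, and `disable-xdg.inc` and `whitelist-common.inc` are absent from a profile that otherwise follows the nyx template (which has both).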
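--- /dev/null
+++ b/etc/profile-m-z/ooffice.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+
+# Redirect
+include libreoffice.profile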
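--- /dev/null
+++ b/etc/profile-m-z/ooviewdoc.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+
+# Redirect
+include libreoffice.profile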
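--- /dev/null
+++ b/etc/profile-m-z/open-invaders.profile
@@ -0,0 +1,42 @@
+# Firejail profile for open-invaders
+# Description: Space Invaders clone
+# This file is overwritten after every install/update
+# Persistent local customizations
+include open-invaders.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.openinvaders
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.openinvaders
+whitelist ${HOME}/.openinvaders
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+
+private-bin open-invaders
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none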
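Review bot: Compared with the sibling single-player game profiles that use the same `net none` layout (opencity, openttd, ostrichriders), `disable-xdg.inc`, `disable-mnt` and `private-cache` are absent from lines 11-16 and 37-39 without a reason; a game whose only state lives under `${HOME}/.openinvaders` (line 9) should tolerate all three. If any of them is left out on purpose, the directory's convention is a `# option - reason` comment next to the omission.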
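--- /dev/null
+++ b/etc/profile-m-z/openarena.profile
@@ -0,0 +1,45 @@
+# Firejail profile for OpenArena
+# Description: deathmatch FPS game based on GPL idTech3 technology
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openarena.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.openarena
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+# ipc-namespace
+# netfilter
+# nodvd
+# nogroups
+nonewprivs
+noroot
+notv
+# nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+# tracelog
+
+# disable-mnt
+# private-bin openarena
+private-cache
+private-dev
+# private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg
+private-tmp
+
+# dbus-user none
+# dbus-system none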
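Review bot: Ten hardening lines are commented out (23-26, 30, 35, 37-38, 41, 44-45) with no reason given, whereas the neighbouring profiles record why an option is disabled (`# net none - networked game` in openclonk, `#memory-deny-write-execute - breaks on Arch (see issue #1803)` in ocenaudio); without that, a later reviewer cannot tell a tested breakage from an unfinished profile. Options such as `nodvd`, `nogroups`, `nou2f` and `private-bin openarena` rarely interfere with a game and are the first to try re-enabling. A comment above line 23 such as `# the following options are disabled because <reason / not yet tested>`, or a reason per line, would make the state explicit.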
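--- /dev/null
+++ b/etc/profile-m-z/openbox.profile
@@ -0,0 +1,20 @@
+# Firejail profile for openbox
+# Description: Standards-compliant, fast, light-weight and extensible window manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openbox.local
+# Persistent global definitions
+include globals.local
+
+# all applications started in OpenBox will run in this profile
+noblacklist ${HOME}/.config/openbox
+include disable-common.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
+
+read-only ${HOME}/.config/openbox/autostart
+read-only ${HOME}/.config/openbox/environment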
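Review bot: The two `read-only` lines (19-20) are the most consequential part of this profile and carry no comment: line 9 states that every application started from OpenBox inherits this sandbox, so making `autostart` and `environment` immutable is what stops a compromised child from persisting by appending itself to the session startup or altering the session environment. A why-comment above line 19, e.g. `# keep the session hooks immutable so nothing launched under this profile can add itself to autostart`, would keep the next editor from dropping them as cosmetic. The comment on line 9 would also read better above `caps.drop all` on line 13, since it explains the whole restriction set rather than the `noblacklist` it sits on.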
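--- /dev/null
+++ b/etc/profile-m-z/opencity.profile
@@ -0,0 +1,47 @@
+# Firejail profile for opencity
+# Description: Full 3D city simulator game project
+# This file is overwritten after every install/update
+# Persistent local customizations
+include opencity.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.opencity
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.opencity
+whitelist ${HOME}/.opencity
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin opencity
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none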
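--- /dev/null
+++ b/etc/profile-m-z/openclonk.profile
@@ -0,0 +1,48 @@
+# Firejail profile for openclonk
+# Description: Multiplayer action, tactics and skill game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openclonk.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.clonk
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.clonk
+whitelist ${HOME}/.clonk
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+# net none - networked game
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin c4group,openclonk
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none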
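--- /dev/null
+++ b/etc/profile-m-z/openoffice.org.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+
+# Redirect
+include libreoffice.profile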
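--- /dev/null
+++ b/etc/profile-m-z/openshot-qt.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for openshot
+# This file is overwritten after every install/update
+
+# Redirect
+include openshot.profile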
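--- /dev/null
+++ b/etc/profile-m-z/openshot.profile
@@ -0,0 +1,42 @@
+# Firejail profile for openshot
+# Description: Create and edit videos and movies
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openshot.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.openshot
+noblacklist ${HOME}/.openshot_qt
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none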
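Review bot: `disable-xdg.inc` is left out of the disable-*.inc set on lines 15-20 without a comment, and the same omission appears in nylas, onionshare-gui, open-invaders and parole; for a video editor it may be deliberate so that the user's media directories stay reachable, but then the pattern used by obs.profile (lines 9-11 there) is to keep the include and put `noblacklist ${VIDEOS}` and `noblacklist ${MUSIC}` in front of it. Either a comment `# disable-xdg.inc - <reason>` or the noblacklist/include pair would make the intent explicit.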
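--- /dev/null
+++ b/etc/profile-m-z/openttd.profile
@@ -0,0 +1,47 @@
+# Firejail profile for openttd
+# Description: Transport system simulation game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openttd.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.openttd
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.openttd
+whitelist ${HOME}/.openttd
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin openttd
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none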
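Review bot: `net none` on line 27 switches off OpenTTD's multiplayer without a stated reason, while openclonk.profile records the opposite choice with `# net none - networked game`; a comment above line 27, e.g. `# net none - multiplayer disabled by default; override in openttd.local`, would document the choice and tell users where to relax it. The `protocol unix,inet,inet6` line that follows is still meaningful under `net none` because the loopback interface remains, so it does not need to change.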
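--- /dev/null
+++ b/etc/profile-m-z/opera-beta.profile
@@ -0,0 +1,17 @@
+# Firejail profile for opera-beta
+# This file is overwritten after every install/update
+# Persistent local customizations
+include opera-beta.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/opera
+noblacklist ${HOME}/.config/opera-beta
+
+mkdir ${HOME}/.cache/opera
+mkdir ${HOME}/.config/opera-beta
+whitelist ${HOME}/.cache/opera
+whitelist ${HOME}/.config/opera-beta
+
+# Redirect
+include chromium-common.profile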
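Review bot: The `# Description:` line present in opera.profile (`# Description: A fast and secure web browser`) is missing after line 1. Lines 8, 11 and 13 also whitelist `${HOME}/.cache/opera`, the same cache directory opera.profile uses, so the beta and stable builds see each other's cache contents; if that mirrors how Opera itself lays out the cache it is fine, but a comment such as `# .cache/opera is shared with opera.profile - TODO confirm the beta uses the same cache dir` would stop a reader from "fixing" it.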
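--- /dev/null
+++ b/etc/profile-m-z/opera.profile
@@ -0,0 +1,21 @@
+# Firejail profile for opera
+# Description: A fast and secure web browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include opera.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/opera
+noblacklist ${HOME}/.config/opera
+noblacklist ${HOME}/.opera
+
+mkdir ${HOME}/.cache/opera
+mkdir ${HOME}/.config/opera
+mkdir ${HOME}/.opera
+whitelist ${HOME}/.cache/opera
+whitelist ${HOME}/.config/opera
+whitelist ${HOME}/.opera
+
+# Redirect
+include chromium-common.profile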
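--- /dev/null
+++ b/etc/profile-m-z/orage.profile
@@ -0,0 +1,39 @@
+# Firejail profile for orage
+# Description: Calendar for Xfce Desktop Environment
+# This file is overwritten after every install/update
+# Persistent local customizations
+include orage.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/orage
+noblacklist ${HOME}/.local/share/orage
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+# nosound - calendar application, It must be able to play sound to wake you up.
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+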
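--- /dev/null
+++ b/etc/profile-m-z/ostrichriders.profile
@@ -0,0 +1,47 @@
+# Firejail profile for ostrichriders
+# Description: Knights flying on ostriches compete against other riders
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ostrichriders.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.ostrichriders
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.ostrichriders
+whitelist ${HOME}/.ostrichriders
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin ostrichriders
+private-cache
+# private-dev should be commented for controllers
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none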
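--- /dev/null
+++ b/etc/profile-m-z/out123.profile
@@ -0,0 +1,9 @@
+# Firejail profile for out123
+# Persistent local customizations
+include out123.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mpg123.profile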
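--- /dev/null
+++ b/etc/profile-m-z/p7zip.profile
@@ -0,0 +1,12 @@
+# Firejail profile for p7zip
+# Description: File archiver with high compression ratio
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include p7zip.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include 7z.profile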
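--- /dev/null
+++ b/etc/profile-m-z/palemoon.profile
@@ -0,0 +1,26 @@
+# Firejail profile for palemoon
+# This file is overwritten after every install/update
+# Persistent local customizations
+include palemoon.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/moonchild productions/pale moon
+noblacklist ${HOME}/.moonchild productions/pale moon
+
+mkdir ${HOME}/.cache/moonchild productions/pale moon
+mkdir ${HOME}/.moonchild productions
+whitelist ${HOME}/.cache/moonchild productions/pale moon
+whitelist ${HOME}/.moonchild productions
+
+# Palemoon can use the full firejail seccomp filter (unlike firefox >= 60)
+seccomp
+ignore seccomp
+
+#private-bin palemoon
+# private-etc must first be enabled in firefox-common.profile
+#private-etc palemoon
+#private-opt palemoon
+
+# Redirect
+include firefox-common.profile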
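Review bot: The order of `seccomp` (line 17) and `ignore seccomp` (line 18) is load-bearing and the comment on line 16 does not say so: the full filter is applied first, and the `ignore` then suppresses the weaker seccomp line that firefox-common.profile (included on line 26) would otherwise apply — assuming firejail's `ignore` acts on lines parsed after it, which I cannot confirm from the hunk. Swapping the two lines would silently leave Palemoon with no seccomp filter at all. Extending the comment to `# Palemoon can use the full firejail seccomp filter (unlike firefox >= 60): apply it here, then ignore the weaker seccomp line from firefox-common.profile - order matters` records the dependency.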
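--- /dev/null
+++ b/etc/profile-m-z/pandoc.profile
@@ -0,0 +1,56 @@
+# Firejail profile for pandoc
+# Description: general markup converter
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include pandoc.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# breaks pdf output
+#include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin context,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf
+private-cache
+private-dev
+private-etc alternatives,texlive
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute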
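Review bot: `private-bin` on line 47 lists `prince`, `weasyprint` and `wkhtmltopdf`, which render HTML with system fonts through fontconfig, but `private-etc alternatives,texlive` (line 50) leaves `fonts` out; the LaTeX path has its own font setup, the HTML engines presumably do not, so a PDF produced through those tools would run with an empty /etc/fonts — worth a check, since every sibling that renders text (ocenaudio, okular, parole) lists `fonts`. If it works as is, a comment above line 50 saying the HTML converters were tested without it is enough; otherwise `private-etc alternatives,fonts,texlive`.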
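--- /dev/null
+++ b/etc/profile-m-z/parole.profile
@@ -0,0 +1,30 @@
+# Firejail profile for parole
+# Description: Media player based on GStreamer framework
+# This file is overwritten after every install/update
+# Persistent local customizations
+include parole.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin dbus-launch,parole
+private-cache
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,pulse,ssl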
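Review bot: The profile ends at `private-etc` and sets none of `private-dev`, `private-tmp`, `nogroups`, `nou2f` or `dbus-system none` that the neighbouring pavucontrol and pithos profiles apply, although a GStreamer player is parsing untrusted media files. If any of these break playback, a comment naming which one would stop the next reviewer from re-adding them; otherwise `private-dev` and `private-tmp` after line 30 look like safe additions. The session bus is probably needed for MPRIS, so `dbus-user none` is likely not an option here.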
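--- /dev/null
+++ b/etc/profile-m-z/patch.profile
@@ -0,0 +1,50 @@
+# Firejail profile for patch
+# Description: Apply a diff file to an original
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include patch.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-bin patch,red
+private-dev
+private-lib libfakeroot
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute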
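Review bot: The include block on lines 15-20 omits disable-programs.inc, which every other profile in this batch places between disable-passwdmgr.inc and disable-xdg.inc; unless patch genuinely needs some other program's dotfiles this reads as an oversight, so `include disable-programs.inc` after line 19. The otherwise parallel pandoc profile also sets `private-tmp` and `private-cache`, which are missing here. `private-lib libfakeroot` on line 45 deserves a one-line comment explaining why patch needs fakeroot's library in the sandbox.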
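--- /dev/null
+++ b/etc/profile-m-z/pavucontrol-qt.profile
@@ -0,0 +1,19 @@
+# Firejail profile for pavucontrol-qt
+# Description: PulseAudio Volume Control [Qt]
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pavucontrol-qt.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.config/pavucontrol-qt
+
+mkdir ${HOME}/.config/pavucontrol-qt
+whitelist ${HOME}/.config/pavucontrol-qt
+
+private-bin pavucontrol-qt
+ignore private-lib
+
+# Redirect
+include pavucontrol.profile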
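Review bot: `whitelist ${HOME}/.config/pavucontrol-qt` on line 13 presumably switches home whitelisting on for this profile, yet the pavucontrol.profile it redirects to deliberately keeps whitelist-common.inc commented out with `# whitelisting in ${HOME} is broken, see #3112`; as written the sandbox home would hold only this one directory, without whatever whitelist-common.inc normally provides. Either the whitelist should follow the parent's decision or `include whitelist-common.inc` should be added after line 13, and a comment should say why the Qt variant is treated differently from the GTK one.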
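--- /dev/null
+++ b/etc/profile-m-z/pavucontrol.profile
@@ -0,0 +1,56 @@
+# Firejail profile for pavucontrol
+# Description: PulseAudio Volume Control [GTK]
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pavucontrol.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/pavucontrol.ini
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# whitelisting in ${HOME} is broken, see #3112
+#mkfile ${HOME}/.config/pavucontrol.ini
+#whitelist ${HOME}/.config/pavucontrol.ini
+whitelist /usr/share/pavucontrol
+whitelist /usr/share/pavucontrol-qt
+#include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin pavucontrol
+private-cache
+private-dev
+private-etc alternatives,asound.conf,avahi,fonts,machine-id,pulse
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+# mdwe is broken under Wayland, but works under Xorg.
+#memory-deny-write-execute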
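Review bot: `whitelist /usr/share/pavucontrol-qt` on line 23 only makes sense because pavucontrol-qt.profile redirects into this file, but nothing here says so, and a reader of the GTK profile alone would be tempted to remove it; a comment such as `# pavucontrol-qt.profile redirects here` above line 22 would preserve the intent. The `# mdwe is broken under Wayland` note on line 55 is a good example of the kind of rationale the other commented lines in this batch are missing.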
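--- /dev/null
+++ b/etc/profile-m-z/pcmanfm.profile
@@ -0,0 +1,35 @@
+# Firejail profile for pcmanfm
+# Description: Extremely fast and lightweight file manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pcmanfm.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/Trash
+# noblacklist ${HOME}/.config/libfm - disable-programs.inc is disabled, see below
+# noblacklist ${HOME}/.config/pcmanfm
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# include disable-programs.inc
+
+allusers
+caps.drop all
+# net none - see issue #1467, computer:/// location broken
+no3d
+nodvd
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# dbus-user none
+# dbus-system none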
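Review bot: The comment on line 10 says disable-programs.inc is disabled "see below", but no later line gives the reason; it belongs next to `# include disable-programs.inc` on line 17, in the same form as the `# net none - see issue #1467` note on line 21. The commented `# dbus-user none` / `# dbus-system none` pair on lines 34-35 likewise records no cause, so a future hardening pass cannot tell whether they were tested and found to break something.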
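--- /dev/null
+++ b/etc/profile-m-z/pdfchain.profile
@@ -0,0 +1,43 @@
+# Firejail profile for pdfchain
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pdfchain.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin pdfchain,pdftk,sh
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute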
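Review bot: The header lacks the `# Description:` line the other profiles in this batch carry after line 1; something like `# Description: Graphical front-end for the PDF Toolkit (pdftk)` would follow the convention (wording to be confirmed against the package). `private-bin pdfchain,pdftk,sh` on line 35 also brings a general-purpose shell into an otherwise strict `shell none` / disable-exec.inc sandbox; if pdfchain only needs it to spawn pdftk, a comment above line 35 saying so documents the exception. `nodvd`, present in every sibling, is missing from the option list.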
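--- /dev/null
+++ b/etc/profile-m-z/pdflatex.profile
@@ -0,0 +1,12 @@
+# Firejail profile for pdflatex
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pdflatex.local
+# Persistent global definitions
+include globals.local
+
+private-bin pdflatex
+
+# Redirect
+include latex-common.profile
+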
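Review bot: Line 12 is a trailing empty line, which no other redirect profile in this batch ends with, and the header has no `# Description:` line; dropping the blank line and adding `# Description: TeX engine with PDF output` (wording to be confirmed) would align the file with planmaker18.profile.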
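--- /dev/null
+++ b/etc/profile-m-z/pdfmod.profile
@@ -0,0 +1,44 @@
+# Firejail profile for pdfmod
+# Description: Simple tool for modifying PDF documents
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pdfmod.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/pdfmod
+noblacklist ${HOME}/.config/pdfmod
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none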
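--- /dev/null
+++ b/etc/profile-m-z/pdfsam.profile
@@ -0,0 +1,44 @@
+# Firejail profile for pdfsam
+# Description: PDF Split and Merge
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pdfsam.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin archlinux-java,awk,bash,dirname,expr,find,grep,java,java-config,ls,pdfsam,readlink,sh,sort,uname,which
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none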
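Review bot: `private-bin` on line 38 admits bash, sh, awk, find, grep and the rest of a small toolbox alongside java; presumably the pdfsam launcher is a shell script that needs them, but nothing in the file says so, and a later reader might trim the list and break the launcher. A comment above line 38 such as `# the pdfsam launcher script needs the shells and coreutils listed below` would preserve the intent; if the list came from a specific distribution's wrapper, naming it helps too.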
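--- /dev/null
+++ b/etc/profile-m-z/pdftotext.profile
@@ -0,0 +1,53 @@
+# Firejail profile for pdftotext
+# Description: Portable Document Format (PDF) to text converter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pdftotext.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+whitelist /usr/share/poppler
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-bin pdftotext
+private-cache
+private-dev
+private-etc alternatives
+private-tmp
+
+dbus-user none
+dbus-system none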
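Review bot: pdftotext parses untrusted PDFs, yet unlike the parallel command-line profiles pandoc and patch it includes neither disable-exec.inc nor `memory-deny-write-execute`, and it also lacks the `quiet` those two set after line 3. Poppler is plain C++ with no JIT as far as I know, so `include disable-exec.inc` after line 15 and `memory-deny-write-execute` after line 53 would probably work and narrow what a parser bug can lead to; both need a run-time check. Whitelisting `${DOWNLOADS}` on line 22 without a matching noblacklist is fine only if disable-xdg.inc does not blacklist it — worth confirming.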
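--- /dev/null
+++ b/etc/profile-m-z/peek.profile
@@ -0,0 +1,43 @@
+# Firejail profile for peek
+# This file is overwritten after every install/update
+# Persistent local customizations
+include peek.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/peek
+noblacklist ${PICTURES}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+# private-bin breaks gif mode, mp4 and webm mode work fine however
+# private-bin convert,ffmpeg,peek
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute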
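Review bot: The header lacks the `# Description:` line used by the other profiles in this batch, e.g. `# Description: Simple animated GIF screen recorder` (wording to be confirmed). The `# private-bin breaks gif mode` note on line 35 is the right kind of comment; a similar one on `dbus-user none` (line 40) would help, since on GNOME/Wayland peek records through the shell's screencast D-Bus service and that line would block the path if it is in use — presumably that mode was tested, but the file does not say.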
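--- /dev/null
+++ b/etc/profile-m-z/penguin-command.profile
@@ -0,0 +1,41 @@
+# Firejail profile for open-invaders
+# Description: Space Invaders clone
+# This file is overwritten after every install/update
+# Persistent local customizations
+include penguin-command.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.penguin-command
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+whitelist ${HOME}/.penguin-command
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+
+private-bin penguin-command
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none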
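Review bot: Line 1 names `open-invaders` although this is penguin-command.profile, and the `Space Invaders clone` description on line 2 looks copied from that profile as well; line 1 should read `# Firejail profile for penguin-command` and the description should be checked against the game (Penguin Command is, as far as I know, a Missile Command clone). Line 18 whitelists `${HOME}/.penguin-command` with no preceding `mkdir ${HOME}/.penguin-command`, unlike the pingus and pioneer profiles; if the directory does not exist on first run the whitelist is presumably skipped and the game cannot save its scores, so add the mkdir before line 18.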
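--- /dev/null
+++ b/etc/profile-m-z/picard.profile
@@ -0,0 +1,43 @@
+# Firejail profile for picard
+# Description: Next-Generation MusicBrainz audio files tagger
+# This file is overwritten after every install/update
+# Persistent local customizations
+include picard.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/MusicBrainz
+noblacklist ${HOME}/.config/MusicBrainz
+noblacklist ${MUSIC}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+private-tmp
+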
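Review bot: The profile allows inet/inet6 sockets on line 37 but sets no `netfilter`, which the other network-enabled profiles in this batch (parole, pavucontrol, pidgin, pithos) apply; `netfilter` after `caps.drop all` on line 27 would match them. It also has no `dbus-user none` / `dbus-system none` lines, commented or otherwise, and ends with an empty line 43; if D-Bus is needed (desktop notifications, say) a commented pair with the reason, as in pcmanfm.profile, documents the choice.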
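--- /dev/null
+++ b/etc/profile-m-z/pidgin.profile
@@ -0,0 +1,45 @@
+# Firejail profile for pidgin
+# Description: Graphical multi-protocol instant messaging client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pidgin.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${RUNUSER}
+ignore noexec /dev/shm
+
+noblacklist ${HOME}/.purple
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.purple
+whitelist ${HOME}/.purple
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+# shell none
+tracelog
+
+# private-bin pidgin
+private-cache
+private-dev
+private-tmp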
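Review bot: Lines 9-10 (`ignore noexec ${RUNUSER}` and `ignore noexec /dev/shm`) cancel the noexec mounts that disable-exec.inc on line 16 would otherwise apply, with no comment on which pidgin component needs executable shared memory; a one-line reason above line 9 would keep a future cleanup from removing either the ignores or the include. The commented `# shell none` (line 39) and `# private-bin pidgin` (line 42) likewise state no cause, unlike the equivalent lines in peek.profile and pavucontrol.profile.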
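--- /dev/null
+++ b/etc/profile-m-z/ping.profile
@@ -0,0 +1,56 @@
+# Firejail profile for ping
+# Description: send ICMP ECHO_REQUEST to network hosts
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ping.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.keep net_raw
+ipc-namespace
+#net tun0
+#netfilter /etc/firejail/ping.net
+netfilter
+no3d
+nodvd
+nogroups
+# ping needs to rise privileges, noroot and nonewprivs will kill it
+#nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+# protocol command is built using seccomp; nonewprivs will kill it
+#protocol unix,inet,inet6,netlink,packet
+# killed by no-new-privs
+#seccomp
+
+disable-mnt
+private
+#private-bin has mammoth problems with execvp: "No such file or directory"
+private-dev
+# /etc/hosts is required in private-etc; however, just adding it to the list doesn't solve the problem!
+#private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl
+private-tmp
+
+# memory-deny-write-execute is built using seccomp; nonewprivs will kill it
+#memory-deny-write-execute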
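Review bot: The comment on line 35 has a typo, `rise` should be `raise`, and the explanation is scattered over lines 35, 42, 44 and 55; one block above line 36 stating that ping's privilege elevation (setuid or file capabilities) is incompatible with no_new_privs, which seccomp, protocol and memory-deny-write-execute all imply in firejail, would make the four disabled options self-explanatory. Since the kernel-side restrictions left are `caps.keep net_raw` and apparmor, it is worth a note that on systems where ping uses unprivileged ICMP sockets (net.ipv4.ping_group_range) `nonewprivs` and `seccomp` could be re-enabled from ping.local — this is an inference about such systems and should be verified.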
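--- /dev/null
+++ b/etc/profile-m-z/pingus.profile
@@ -0,0 +1,42 @@
+# Firejail profile for pingus
+# Description: Free Lemmings(TM) clone
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pingus.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.pingus
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.pingus
+whitelist ${HOME}/.pingus
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+
+# private-bin pingus
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none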
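Review bot: `# private-bin pingus` on line 37 is left commented with no reason, while the otherwise similar pioneer profile enables private-bin; if it breaks the game (a launcher script would be the usual cause, but that is a guess) the comment should say so, in the style of `# private-bin breaks gif mode` in peek.profile, so the option is not re-tried blindly.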
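--- /dev/null
+++ b/etc/profile-m-z/pinta.profile
@@ -0,0 +1,41 @@
+# Firejail profile for pinta
+# Description: Simple drawing/painting program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pinta.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Pinta
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-cache
+private-tmp
+
+dbus-user none
+dbus-system none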
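Review bot: Lines 36-37 list `private-dev` before `private-cache`, whereas every other profile in this batch keeps the private-* options alphabetical (`private-cache`, `private-dev`, `private-tmp`); swapping the two is a style fix only. There is no `private-bin` line, presumably because Pinta is a Mono application whose launcher needs the runtime; a short comment stating that would save the next reader the same investigation.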
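--- /dev/null
+++ b/etc/profile-m-z/pioneer.profile
@@ -0,0 +1,46 @@
+# Firejail profile for pioneer
+# Description: A game of lonely space adventure
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pioneer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.pioneer
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.pioneer
+whitelist ${HOME}/.pioneer
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin modelcompiler,pioneer,savegamedump
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none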
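--- /dev/null
+++ b/etc/profile-m-z/pithos.profile
@@ -0,0 +1,42 @@
+# Firejail profile for pithos
+# Description: Pandora Radio client for the GNOME desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pithos.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin env,pithos,python*
+private-dev
+private-tmp
+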
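Review bot: Line 21 includes whitelist-common.inc although the profile whitelists nothing of its own under ${HOME}, so the sandbox home is reduced to the common dotfiles; if pithos keeps no state there (it appears to rely on GSettings and the keyring, which would explain it) a comment above line 21 should say so, since a reader will otherwise expect a missing `whitelist ${HOME}/.config/pithos` or similar. The file also ends with an empty line 42 and, like picard.profile, has no dbus lines; MPRIS and notifications are the likely reason, and a commented `# dbus-user none` with that note would record it.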
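--- /dev/null
+++ b/etc/profile-m-z/pitivi.profile
@@ -0,0 +1,42 @@
+# Firejail profile for pitivi
+# Description: Non-linear audio/video editor using GStreamer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pitivi.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/pitivi
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-tmp
+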
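Review bot: The include block on lines 15-20 leaves out disable-xdg.inc with no `noblacklist ${VIDEOS}` / `${MUSIC}` in its place, whereas peek.profile noblacklists those directories and still includes it; either form works, but without a comment the omission reads as accidental rather than as "the editor needs all of ${HOME}'s media folders". The file ends with an empty line 42, and the absent dbus-user/dbus-system lines carry no explanation.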
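--- /dev/null
+++ b/etc/profile-m-z/pix.profile
@@ -0,0 +1,36 @@
+# Firejail profile for pix
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pix.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/pix
+noblacklist ${HOME}/.local/share/pix
+noblacklist ${HOME}/.Steam
+noblacklist ${HOME}/.steam
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin pix
+private-cache
+private-dev
+private-tmp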
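Review bot: Lines 10-11 noblacklist `${HOME}/.Steam` and `${HOME}/.steam` in an image-viewer profile, which exposes the Steam installation to the sandbox with no stated reason; if this is for viewing Steam screenshots, a comment above line 10 should say so, otherwise both lines should go. The profile also sets neither `net none` nor `netfilter`, so the viewer keeps its network (only `protocol unix` on line 28 limits socket families), and the header lacks the `# Description:` line the other profiles carry.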
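--- /dev/null
+++ b/etc/profile-m-z/planmaker18.profile
@@ -0,0 +1,10 @@
+# Firejail profile for planmaker18
+# Description: SoftMaker Office - spreadsheet program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include planmaker18.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.inc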
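--- /dev/null
+++ b/etc/profile-m-z/planmaker18free.profile
@@ -0,0 +1,10 @@
+# Firejail profile for planmaker18free
+# Description: SoftMaker FreeOffice - spreadsheet program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include planmaker18free.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.inc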
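--- /dev/null
+++ b/etc/profile-m-z/playonlinux.profile
@@ -0,0 +1,37 @@
+# Firejail profile for playonlinux
+# Description: Front-end for Wine
+# This file is overwritten after every install/update
+# Persistent local customizations
+include playonlinux.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.Steam
+noblacklist ${HOME}/.local/share/Steam
+noblacklist ${HOME}/.local/share/steam
+noblacklist ${HOME}/.steam
+noblacklist ${HOME}/.PlayOnLinux
+
+# nc is needed to run playonlinux
+noblacklist ${PATH}/nc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+seccomp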
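Review bot: Compared with its neighbours this profile omits disable-passwdmgr.inc, disable-xdg.inc, `shell none`, `protocol`, every `private-*` option and the dbus lines, with no comment on which of them Wine or the PlayOnLinux scripts break. The `# nc is needed to run playonlinux` note on line 15 is the right pattern; a similar line above `caps.drop all` on line 30 listing the deliberately omitted options (and why) would keep later hardening attempts from repeating the same experiments, and would make clear that the wide `noblacklist` set on lines 9-13 is intentional.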
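--- /dev/null
+++ b/etc/profile-m-z/pluma.profile
@@ -0,0 +1,53 @@
+# Firejail profile for pluma
+# Description: Official text editor of the MATE desktop environment
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pluma.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/enchant
+noblacklist ${HOME}/.config/pluma
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+# apparmor - makes settings immutable
+caps.drop all
+machine-id
+# net none - makes settings immutable
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin pluma
+private-dev
+private-lib aspell,gconv,libgspell-1.so.*,libreadline.so.*,libtinfo.so.*,pluma
+private-tmp
+
+# makes settings immutable
+# dbus-user none
+# dbus-system none
+
+memory-deny-write-execute
+
+join-or-start pluma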
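Review bot: The three "makes settings immutable" comments (lines 24, 27 and 47-49) record what breaks but not why, so the next maintainer cannot tell whether `net none` or `dbus-user none` could ever be restored. If, as I suspect, the common cause is that gsettings/dconf writes travel over the D-Bus session bus, one comment near line 24 should say so: `# apparmor, net none and dbus-user none all cut pluma off from the dconf service, so preferences become read-only`. It is also worth stating that `protocol unix` on line 37 already denies IP sockets, so the missing `net none` costs little in practice.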
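--- /dev/null
+++ b/etc/profile-m-z/pngquant.profile
@@ -0,0 +1,53 @@
+# Firejail profile for pngquant
+# Description: PNG converter and lossy image compressor
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include pngquant.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+# protocol can be empty, but this is not yet supported see #639
+protocol inet
+seccomp
+shell none
+tracelog
+x11 none
+
+private-bin pngquant
+private-cache
+private-dev
+private-etc alternatives
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute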
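--- /dev/null
+++ b/etc/profile-m-z/polari.profile
@@ -0,0 +1,51 @@
+# Firejail profile for polari
+# Description: Internet Relay Chat (IRC) client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include polari.local
+# Persistent global definitions
+include globals.local
+
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/telepathy
+mkdir ${HOME}/.config/telepathy-account-widgets
+mkdir ${HOME}/.local/share/Empathy
+mkdir ${HOME}/.local/share/TpLogger
+mkdir ${HOME}/.local/share/telepathy
+mkdir ${HOME}/.purple
+whitelist ${HOME}/.cache/telepathy
+whitelist ${HOME}/.config/telepathy-account-widgets
+whitelist ${HOME}/.local/share/Empathy
+whitelist ${HOME}/.local/share/TpLogger
+whitelist ${HOME}/.local/share/telepathy
+whitelist ${HOME}/.purple
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-dev
+private-tmp
+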
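Review bot: The network restrictions here (`netfilter` line 34, `protocol unix,inet,inet6` line 43) may not cover the IRC connection itself: the whitelisted telepathy directories on lines 18-29 indicate polari works through a telepathy connection manager, and if that manager is started by the session bus it runs outside this sandbox with its own sockets. The profile should state that limitation, e.g. `# IRC traffic goes through the telepathy connection manager, which is D-Bus-activated outside the sandbox; this profile confines only the UI` — that is my reading of how telepathy is launched and should be confirmed on the target distro. There is also no `private-bin` or `private-etc`, which the comparable chat profiles in this batch use.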
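--- /dev/null
+++ b/etc/profile-m-z/ppsspp.profile
@@ -0,0 +1,42 @@
+# Firejail profile for ppsspp
+# Description: A PSP emulator written in C++
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ppsspp.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/ppsspp
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,netlink
+seccomp
+shell none
+
+# private-dev is disabled to allow controller support
+#private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
+private-opt ppsspp
+private-tmp
+
+dbus-user none
+dbus-system none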
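Review bot: With `private-dev` deliberately off (lines 35-36) the sandbox sees all of /dev, including the hidraw nodes used by U2F tokens, yet `nou2f` — present in most sibling profiles — is absent from lines 22-33. Adding `nou2f` after line 29 narrows that exposure; the caveat is that SDL drives some gamepads over hidraw, so it needs a test with the intended controller. Separately, because `net none` (line 24) is set, the network-only entries in `private-etc` on line 37 (`ca-certificates`, `crypto-policies`, `host.conf`, `hostname`, `hosts`, `nsswitch.conf`, `pki`, `resolv.conf`, `ssl`) serve no purpose and can be dropped.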
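--- /dev/null
+++ b/etc/profile-m-z/pragha.profile
@@ -0,0 +1,38 @@
+# Firejail profile for pragha
+# Description: A lightweight GTK music player
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pragha.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/pragha
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg
+private-tmp
+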
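Review bot: `nodvd` is the one device restriction this profile omits (lines 22-30 carry nogroups, notv, nou2f and novideo but no nodvd) and nothing says whether that is intentional; pragha ships a CD playback plugin, which is presumably the reason. A comment at line 23 would stop a later cleanup from "fixing" it: `# nodvd omitted: pragha's CD-ROM plugin reads audio CDs`. If CD playback is not a supported use case here, add `nodvd` instead.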
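--- /dev/null
+++ b/etc/profile-m-z/presentations18.profile
@@ -0,0 +1,11 @@
+# Firejail profile for presentations18
+# Description: SoftMaker Office - presentations software
+# This file is overwritten after every install/update
+# Persistent local customizations
+include presentations18.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.inc
+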
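--- /dev/null
+++ b/etc/profile-m-z/presentations18free.profile
@@ -0,0 +1,10 @@
+# Firejail profile for presentations18free
+# Description: SoftMaker FreeOffice - presentations software
+# This file is overwritten after every install/update
+# Persistent local customizations
+include presentations18free.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.inc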
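--- /dev/null
+++ b/etc/profile-m-z/profanity.profile
@@ -0,0 +1,52 @@
+# Firejail profile for profanity
+# Description: profanity is an XMPP chat client for the terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include profanity.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/profanity
+noblacklist ${HOME}/.local/share/profanity
+
+# Allow Python
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin profanity
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute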
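--- /dev/null
+++ b/etc/profile-m-z/psi-plus.profile
@@ -0,0 +1,45 @@
+# Firejail profile for psi-plus
+# Description: Qt-based XMPP/Jabber client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include psi-plus.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/psi+
+noblacklist ${HOME}/.local/share/psi+
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/psi+
+mkdir ${HOME}/.config/psi+
+mkdir ${HOME}/.local/share/psi+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/psi+
+whitelist ${HOME}/.config/psi+
+whitelist ${HOME}/.local/share/psi+
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
+shell none
+
+disable-mnt
+private-dev
+private-tmp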
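Review bot: `seccomp !chroot` (line 40) widens the syscall filter for every Psi+ build, but the comment on line 39 only names QtWebEngine; Psi+ can be built with or without the webengine backend, so on builds without it the exception is pure loss. I would make the comment say so and point at the override: `# QtWebengine needs chroot to set up its own sandbox; use plain 'seccomp' in psi-plus.local on builds without webengine`. Which backend a given distro package enables is not something I can see from here.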
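--- /dev/null
+++ b/etc/profile-m-z/pybitmessage.profile
@@ -0,0 +1,46 @@
+# Firejail profile for pybitmessage
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pybitmessage.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /sbin
+noblacklist /usr/local/sbin
+noblacklist /usr/sbin
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-interpreters.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+disable-mnt
+private-bin bash,env,ldconfig,pybitmessage,python*,sh,stat
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,hosts,ld.so.cache,ld.so.preload,localtime,pki,pki,PyBitmessage,PyBitmessage.conf,resolv.conf,selinux,sni-qt.conf,ssl,system-fips,Trolltech.conf,xdg
+private-tmp
+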
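Review bot: `noblacklist /sbin`, `/usr/local/sbin` and `/usr/sbin` (lines 8-10) reopen the system administration directories to a network-facing P2P client without saying why; my guess is that it is for `ldconfig`, which is in `private-bin` on line 42 and installed under /sbin on Debian-family systems, and that should be written down: `# ldconfig lives in /sbin on Debian and is needed by the launcher script`. Line 42 also hands the sandbox `bash`, `sh` and `env`, which is a lot of post-exploitation tooling for a daemon that accepts inbound connections — if the launcher only needs them to exec python, a comment should say so, so nobody adds more. `pki` is listed twice in `private-etc` on line 44.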
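--- /dev/null
+++ b/etc/profile-m-z/pycharm-community.profile
@@ -0,0 +1,38 @@
+# Firejail profile for pycharm-community
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pycharm-community.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.PyCharmCE*
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+machine-id
+nodvd
+nogroups
+nosound
+notv
+nou2f
+novideo
+shell none
+tracelog
+
+# private-etc alternatives,fonts,passwd - minimal required to run but will probably break
+# program!
+private-cache
+private-dev
+private-tmp
+
+noexec /tmp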
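Review bot: Unlike every other profile in this batch, the hardening block on lines 21-30 has no `nonewprivs`, `noroot`, `seccomp`, `netfilter` or `protocol` line, and nothing explains the omission. For an IDE the plausible reasons are debuggers that need ptrace and `sudo` from the embedded terminal, but `nonewprivs` and `noroot` remain safe unless setuid helpers are actually run; at minimum add a comment after line 21 such as `# seccomp/nonewprivs/noroot omitted for the debugger and embedded terminal (TODO: verify which are really needed)` so the gap is documented rather than accidental. `private-dev` on line 35 may also interfere with USB device debugging and deserves a note.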
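--- /dev/null
+++ b/etc/profile-m-z/pycharm-professional.profile
@@ -0,0 +1,7 @@
+# Firejail profilen alias for pycharm-professional
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.PyCharm*
+
+# Redirect
+include pycharm-community.profile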
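Review bot: Line 1 has a typo, `profilen`; it should read `# Firejail profile alias for pycharm-professional`. The alias also skips the `include pycharm-professional.local` hook that other redirect stubs in this batch carry (compare qupzilla.profile), so the only customization point for the professional edition is pycharm-community.local; either add the include before the redirect or note that community's .local is the intended override.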
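--- /dev/null
+++ b/etc/profile-m-z/pzstd.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+
+# Redirect
+include zstd.profile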
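--- /dev/null
+++ b/etc/profile-m-z/qbittorrent.profile
@@ -0,0 +1,61 @@
+# Firejail profile for qbittorrent
+# Description: BitTorrent client based on libtorrent-rasterbar with a Qt5 GUI
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qbittorrent.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/qBittorrent
+noblacklist ${HOME}/.config/qBittorrent
+noblacklist ${HOME}/.config/qBittorrentrc
+noblacklist ${HOME}/.local/share/data/qBittorrent
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/qBittorrent
+mkdir ${HOME}/.config/qBittorrent
+mkfile ${HOME}/.config/qBittorrentrc
+mkdir ${HOME}/.local/share/data/qBittorrent
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/qBittorrent
+whitelist ${HOME}/.config/qBittorrent
+whitelist ${HOME}/.config/qBittorrentrc
+whitelist ${HOME}/.local/share/data/qBittorrent
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin python*,qbittorrent
+private-dev
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+# memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo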
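Review bot: `private-bin python*,qbittorrent` (line 53) together with the allow-python includes on lines 14-16 exist, I assume, for the search-engine plugins, which are third-party Python scripts fetched from the network and interpreted inside the sandbox; the profile should say so, because a user who never uses search can drop `python*` in qbittorrent.local and remove an interpreter from a process that accepts inbound peer connections. Suggested comment above line 14: `# python is only needed for the search engine plugins (downloaded scripts); remove via qbittorrent.local if search is unused`. Leaving `memory-deny-write-execute` off per the note on line 61 is fine.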
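--- /dev/null
+++ b/etc/profile-m-z/qemu-launcher.profile
@@ -0,0 +1,29 @@
+# Firejail profile for qemu-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qemu-launcher.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.qemu-launcher
+
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-tmp
+
+noexec /tmp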
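Review bot: The profile leaves out `private-dev`, `disable-devel.inc`, `disable-exec.inc` and `disable-interpreters.inc` without comment (compare lines 10-12 with the sibling profiles). If the reasons are that qemu needs /dev/kvm and that the launcher is an interpreted script, say so next to line 10: `# no private-dev: qemu needs /dev/kvm; no disable-interpreters: qemu-launcher is a script` — both are my inferences and need checking against the packaged launcher. Because `nonewprivs` is set on line 18, setuid networking helpers such as qemu-bridge-helper cannot gain privilege inside the sandbox, which is also worth one line so bridged networking failures are not mistaken for bugs.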
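--- /dev/null
+++ b/etc/profile-m-z/qemu-system-x86_64.profile
@@ -0,0 +1,28 @@
+# Firejail profile for qemu-system-x86_64
+# Description: QEMU system emulator for x86_64
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qemu-system-x86_64.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-tmp
+
+noexec /tmp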
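Review bot: `caps.drop all` and `nonewprivs` (lines 13 and 17) mean the setuid `qemu-bridge-helper` cannot elevate, so only user-mode (slirp) networking will work; the profile should state that so users do not debug a silent bridge failure: `# bridged/tap networking needs the setuid bridge helper and will not work under nonewprivs; use -netdev user`. The absence of `private-dev` is presumably for /dev/kvm and deserves a note as well. `noexec /tmp` following `private-tmp` (lines 26 and 28) is fine.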
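--- /dev/null
+++ b/etc/profile-m-z/qgis.profile
@@ -0,0 +1,59 @@
+# Firejail profile for qgis
+# Description: GIS application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qgis.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/QGIS
+noblacklist ${HOME}/.local/share/QGIS
+noblacklist ${HOME}/.qgis2
+noblacklist ${DOCUMENTS}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/QGIS
+mkdir ${HOME}/.qgis2
+mkdir ${HOME}/.config/QGIS
+whitelist ${HOME}/.local/share/QGIS
+whitelist ${HOME}/.qgis2
+whitelist ${HOME}/.config/QGIS
+whitelist ${DOCUMENTS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+machine-id
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+# blacklisting of mbind system calls breaks old version
+seccomp !mbind
+protocol unix,inet,inet6,netlink
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf
+private-tmp
+
+dbus-user none
+dbus-system none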
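Review bot: `machine-id` (line 37) asks firejail to spoof /etc/machine-id, but `private-etc` on line 55 also lists `machine-id`, which copies the real file into the private /etc; whether the spoof or the copy wins depends on firejail's order of operations, which I cannot confirm from here. A quick `firejail --profile=qgis.profile cat /etc/machine-id` settles it; if the real id shows, drop `machine-id` from the private-etc list. The `seccomp !mbind` comment on line 46 should also name the QGIS version it refers to, since "old version" will be meaningless in a year and the exception will never be retired.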
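--- /dev/null
+++ b/etc/profile-m-z/qlipper.profile
@@ -0,0 +1,38 @@
+# Firejail profile for qlipper
+# Description: Lightweight and cross-platform clipboard history applet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qlipper.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Qlipper
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+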
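Review bot: A clipboard manager holds everything the user copies, including passwords pasted from a password manager, and this profile gives it `netfilter` (line 20) rather than `net none` — `protocol unix` on line 30 already denies IP sockets, so unless qlipper has a network feature I am not aware of, `net none` is the consistent choice and costs nothing. It also reads the whole home directory (no `whitelist` lines), while its history lives only in `${HOME}/.config/Qlipper` (line 9); `mkdir ${HOME}/.config/Qlipper`, `whitelist ${HOME}/.config/Qlipper` and `include whitelist-common.inc` would confine the process to that store.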
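--- /dev/null
+++ b/etc/profile-m-z/qmmp.profile
@@ -0,0 +1,38 @@
+# Firejail profile for qmmp
+# Description: Feature-rich audio player with support of many formats
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qmmp.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.qmmp
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+# no3d
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin bzip2,gzip,qmmp,tar,unzip
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none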
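Review bot: `include disable-interpreters.inc` is missing from the include list on lines 12-17, unlike every sibling profile; `private-bin` on line 33 keeps interpreter binaries out, but the include also blacklists the interpreter library trees, so add it after line 13. `nodvd` is likewise absent from lines 19-27 and `no3d` is commented out with no reason given; if CD audio playback and the GPU visualisation plugin are the causes, say so: `# nodvd omitted for the CD audio plugin; no3d breaks the visualisation plugin`. Both are my guesses about why they were left out and should be confirmed.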
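--- /dev/null
+++ b/etc/profile-m-z/qpdfview.profile
@@ -0,0 +1,45 @@
+# Firejail profile for qpdfview
+# Description: Tabbed document viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qpdfview.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/qpdfview
+noblacklist ${HOME}/.local/share/qpdfview
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin qpdfview
+private-dev
+private-tmp
+
+# needs D-Bus when started from a file manager
+# dbus-user none
+# dbus-system none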
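Review bot: PDF rendering is a classic exploitation target and this profile has no network restriction at all — neither `netfilter` nor `net none` appears in lines 23-37 — although `protocol unix` (line 34) already prevents IP sockets. Adding `net none` after line 24 is consistent with that and removes the network namespace entirely; the only feature I can think of that it might touch is link opening, which already cannot launch a browser under `private-bin qpdfview` (line 39). If a reason exists for leaving the network up, it belongs in a comment next to line 24.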
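--- /dev/null
+++ b/etc/profile-m-z/qt-faststart.profile
@@ -0,0 +1,14 @@
+# Firejail profile for qt-faststart
+# Description: FFmpeg-based media utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include qt-faststart.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin qt-faststart
+
+# Redirect
+include ffmpeg.profile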
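--- /dev/null
+++ b/etc/profile-m-z/qtox.profile
@@ -0,0 +1,51 @@
+# Firejail profile for qtox
+# Description: Powerful Tox client written in C++/Qt that follows the Tox design guidelines
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qtox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/Tox
+noblacklist ${HOME}/.config/tox
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/tox
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/tox
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin qtox
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)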
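Review bot: `noblacklist ${HOME}/.cache/Tox` (line 9) has no matching `whitelist`, so once `whitelist-common.inc` (line 23) switches home into whitelist mode the cache directory is not visible anyway and qTox will either fail to write its cache or write it to a throwaway tmpfs; add `mkdir ${HOME}/.cache/Tox` and `whitelist ${HOME}/.cache/Tox` next to lines 20-22, or drop the noblacklist. Separately, line 45 exposes the real `/etc/machine-id` to a peer-to-peer client that talks to arbitrary hosts, and the `machine-id` spoofing option is not set; adding it after line 27 is worth a test, since it only matters if qTox actually reads that file.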
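--- /dev/null
+++ b/etc/profile-m-z/quassel.profile
@@ -0,0 +1,26 @@
+# Firejail profile for quassel
+# Description: Distributed IRC client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include quassel.local
+# Persistent global definitions
+include globals.local
+
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
+
+private-cache
+private-tmp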
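Review bot: This is the thinnest profile in the batch: lines 15-23 lack `nogroups`, `nou2f`, `novideo`, `shell none` and `private-dev`, and lines 10-13 include neither `disable-exec.inc` nor `disable-passwdmgr.inc`, all of which the sibling IRC profiles carry. Nothing in the file says why, and the `quassel` binary is the monolithic client+core, which accepts inbound connections when used as a core — that makes the omissions more important, not less. Adding the common lines one at a time, and a `noblacklist` for quassel's config directory if disable-programs.inc covers it, would bring it in line; which of them quassel tolerates is not something I can tell from here.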
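--- /dev/null
+++ b/etc/profile-m-z/quiterss.profile
@@ -0,0 +1,54 @@
+# Firejail profile for quiterss
+# Description: RSS/Atom news feeds reader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include quiterss.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/QuiteRss
+noblacklist ${HOME}/.config/QuiteRss
+noblacklist ${HOME}/.config/QuiteRssrc
+noblacklist ${HOME}/.local/share/QuiteRss
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/QuiteRss
+mkdir ${HOME}/.config/QuiteRss
+mkdir ${HOME}/.local/share/data
+mkdir ${HOME}/.local/share/data/QuiteRss
+mkdir ${HOME}/.local/share/QuiteRss
+mkfile ${HOME}/quiterssfeeds.opml
+whitelist ${HOME}/.cache/QuiteRss
+whitelist ${HOME}/.config/QuiteRss
+whitelist ${HOME}/.config/QuiteRssrc
+whitelist ${HOME}/.local/share/data/QuiteRss
+whitelist ${HOME}/.local/share/QuiteRss
+whitelist ${HOME}/quiterssfeeds.opml
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin quiterss
+private-dev
+# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl,X11
+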
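Review bot: `private-tmp` is missing from the final block (lines 50-53) even though the feed reader renders remote HTML and every comparable profile in this batch isolates /tmp; add `private-tmp` after line 52. There is also no `dbus-user none`/`dbus-system none` pair and no `machine-id`, which may be deliberate but is not explained, and `memory-deny-write-execute` is absent — expected if the embedded web view is a JIT-capable QtWebKit/WebEngine, in which case a comment saying so would prevent someone from adding it. `mkfile ${HOME}/quiterssfeeds.opml` (line 26) creates an empty file in the home root whenever it is absent, which is surprising enough to deserve a comment.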
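--- /dev/null
+++ b/etc/profile-m-z/qupzilla.profile
@@ -0,0 +1,25 @@
+# Firejail profile for qupzilla
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qupzilla.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/qupzilla
+noblacklist ${HOME}/.config/qupzilla
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/qupzilla
+mkdir ${HOME}/.config/qupzilla
+whitelist ${HOME}/.cache/qupzilla
+whitelist ${HOME}/.config/qupzilla
+
+# Redirect
+include falkon.profile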
diff --git a/etc/profile-m-z/qutebrowser.profile b/etc/profile-m-z/qutebrowser.profile new file mode 100644 index 000000000..fc910b589 --- /dev/null +++ b/etc/profile-m-z/qutebrowser.profile | |||
@@ -0,0 +1,40 @@ | |||
1 | # Firejail profile for qutebrowser | ||
2 | # Description: Keyboard-driven, vim-like browser based on PyQt5 | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include qutebrowser.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.cache/qutebrowser | ||
10 | noblacklist ${HOME}/.config/qutebrowser | ||
11 | noblacklist ${HOME}/.local/share/qutebrowser | ||
12 | |||
13 | # Allow python (blacklisted by disable-interpreters.inc) | ||
14 | include allow-python2.inc | ||
15 | include allow-python3.inc | ||
16 | |||
17 | include disable-common.inc | ||
18 | include disable-devel.inc | ||
19 | include disable-interpreters.inc | ||
20 | include disable-programs.inc | ||
21 | |||
22 | mkdir ${HOME}/.cache/qutebrowser | ||
23 | mkdir ${HOME}/.config/qutebrowser | ||
24 | mkdir ${HOME}/.local/share/qutebrowser | ||
25 | whitelist ${DOWNLOADS} | ||
26 | whitelist ${HOME}/.cache/qutebrowser | ||
27 | whitelist ${HOME}/.config/qutebrowser | ||
28 | whitelist ${HOME}/.local/share/qutebrowser | ||
29 | include whitelist-common.inc | ||
30 | |||
31 | caps.drop all | ||
32 | netfilter | ||
33 | nodvd | ||
34 | nonewprivs | ||
35 | noroot | ||
36 | notv | ||
37 | protocol unix,inet,inet6,netlink | ||
38 | # blacklisting of chroot system calls breaks qt webengine | ||
39 | seccomp !chroot,!name_to_handle_at | ||
40 | # tracelog | ||
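Review bot: The comment on line 38 explains only the `!chroot` exception, while line 39 also exempts `name_to_handle_at` from the seccomp filter without saying why, so a reader auditing the filter cannot tell whether that second exemption is still needed. If both are required by the web engine, widen the comment to `# blacklisting the chroot and name_to_handle_at system calls breaks qt webengine`; otherwise drop the unexplained one. Unlike the sibling profiles in this directory (ranger, rtv), this profile includes neither disable-exec.inc nor disable-passwdmgr.inc; if that is deliberate for the browser, a one-line comment would save the next reviewer from re-asking.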
diff --git a/etc/profile-m-z/rambox.profile b/etc/profile-m-z/rambox.profile new file mode 100644 index 000000000..ffa2022ee --- /dev/null +++ b/etc/profile-m-z/rambox.profile | |||
@@ -0,0 +1,38 @@ | |||
1 | # Firejail profile for rambox | ||
2 | # Description: Free and Open Source messaging and emailing app that combines common web applications into one (Electron-based) | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include rambox.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/Rambox | ||
10 | noblacklist ${HOME}/.pki | ||
11 | noblacklist ${HOME}/.local/share/pki | ||
12 | |||
13 | include disable-common.inc | ||
14 | include disable-devel.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-programs.inc | ||
17 | |||
18 | mkdir ${HOME}/.config/Rambox | ||
19 | mkdir ${HOME}/.pki | ||
20 | mkdir ${HOME}/.local/share/pki | ||
21 | whitelist ${DOWNLOADS} | ||
22 | whitelist ${HOME}/.config/Rambox | ||
23 | whitelist ${HOME}/.pki | ||
24 | whitelist ${HOME}/.local/share/pki | ||
25 | include whitelist-common.inc | ||
26 | |||
27 | caps.drop all | ||
28 | netfilter | ||
29 | nodvd | ||
30 | nogroups | ||
31 | nonewprivs | ||
32 | noroot | ||
33 | notv | ||
34 | protocol unix,inet,inet6,netlink | ||
35 | # electron-based application, needing chroot | ||
36 | #seccomp | ||
37 | seccomp !chroot | ||
38 | # tracelog | ||
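Review bot: Line 36 keeps a commented-out `#seccomp` directly above the live `seccomp !chroot` on line 37, which reads as a leftover rather than documentation; the comment on line 35 already gives the reason, so the dead line can go. Other Electron apps in this set (riot-web, rocketchat) redirect to electron.profile instead of restating the Electron hardening inline; if rambox can take the same route, the chroot exemption would live in one place. `nou2f`, `novideo`, `private-dev` and `private-tmp`, present in most sibling profiles, are absent here with no comment saying whether that is intentional.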
diff --git a/etc/profile-m-z/ranger.profile b/etc/profile-m-z/ranger.profile new file mode 100644 index 000000000..af033af1a --- /dev/null +++ b/etc/profile-m-z/ranger.profile | |||
@@ -0,0 +1,44 @@ | |||
1 | # Firejail profile for ranger | ||
2 | # Description: File manager with an ncurses frontend written in Python | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include ranger.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/nano | ||
10 | noblacklist ${HOME}/.config/ranger | ||
11 | noblacklist ${HOME}/.nanorc | ||
12 | |||
13 | # Allow python (blacklisted by disable-interpreters.inc) | ||
14 | include allow-python2.inc | ||
15 | include allow-python3.inc | ||
16 | |||
17 | # Allow perl | ||
18 | include allow-perl.inc | ||
19 | |||
20 | include disable-common.inc | ||
21 | include disable-devel.inc | ||
22 | include disable-interpreters.inc | ||
23 | include disable-passwdmgr.inc | ||
24 | include disable-programs.inc | ||
25 | |||
26 | allusers | ||
27 | caps.drop all | ||
28 | net none | ||
29 | nodvd | ||
30 | nogroups | ||
31 | nonewprivs | ||
32 | noroot | ||
33 | nosound | ||
34 | notv | ||
35 | nou2f | ||
36 | novideo | ||
37 | protocol unix | ||
38 | seccomp | ||
39 | #x11 none | ||
40 | |||
41 | private-dev | ||
42 | |||
43 | dbus-user none | ||
44 | dbus-system none | ||
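Review bot: `allusers` on line 26 widens the sandbox to every home directory under /home, the single largest grant in this profile, yet it carries no comment; a line such as `# allusers: let the file manager browse other users' directories` (or the actual reason) above it would make the grant reviewable. The perl comment on line 17 is also thinner than the python one on line 13; if perl is likewise blacklisted by disable-interpreters.inc, `# Allow perl (blacklisted by disable-interpreters.inc)` would make the two consistent.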
diff --git a/etc/profile-m-z/redeclipse.profile b/etc/profile-m-z/redeclipse.profile new file mode 100644 index 000000000..bb1ad56d3 --- /dev/null +++ b/etc/profile-m-z/redeclipse.profile | |||
@@ -0,0 +1,39 @@ | |||
1 | # Firejail profile for redeclipse | ||
2 | # Description: Free, casual arena shooter | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include redeclipse.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.redeclipse | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | |||
18 | mkdir ${HOME}/.redeclipse | ||
19 | whitelist ${HOME}/.redeclipse | ||
20 | include whitelist-common.inc | ||
21 | include whitelist-var-common.inc | ||
22 | |||
23 | caps.drop all | ||
24 | netfilter | ||
25 | nodvd | ||
26 | nogroups | ||
27 | nonewprivs | ||
28 | noroot | ||
29 | notv | ||
30 | nou2f | ||
31 | novideo | ||
32 | protocol unix,inet,inet6 | ||
33 | seccomp | ||
34 | shell none | ||
35 | |||
36 | disable-mnt | ||
37 | private-dev | ||
38 | private-tmp | ||
39 | |||
diff --git a/etc/profile-m-z/redshift.profile b/etc/profile-m-z/redshift.profile new file mode 100644 index 000000000..298ab1902 --- /dev/null +++ b/etc/profile-m-z/redshift.profile | |||
@@ -0,0 +1,53 @@ | |||
1 | # Firejail profile for redshift | ||
2 | # Description: Adjusts the color temperature of your screen according to your surroundings | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include redshift.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | noblacklist ${HOME}/.config/redshift | ||
11 | noblacklist ${HOME}/.config/redshift.conf | ||
12 | |||
13 | include disable-common.inc | ||
14 | include disable-devel.inc | ||
15 | include disable-exec.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-interpreters.inc | ||
18 | include disable-programs.inc | ||
19 | include disable-xdg.inc | ||
20 | |||
21 | mkdir ${HOME}/.config/redshift | ||
22 | whitelist ${HOME}/.config/redshift | ||
23 | whitelist ${HOME}/.config/redshift.conf | ||
24 | include whitelist-var-common.inc | ||
25 | |||
26 | apparmor | ||
27 | caps.drop all | ||
28 | ipc-namespace | ||
29 | machine-id | ||
30 | netfilter | ||
31 | no3d | ||
32 | nodvd | ||
33 | nogroups | ||
34 | nonewprivs | ||
35 | noroot | ||
36 | nosound | ||
37 | notv | ||
38 | nou2f | ||
39 | novideo | ||
40 | protocol unix,inet,inet6 | ||
41 | seccomp | ||
42 | shell none | ||
43 | tracelog | ||
44 | |||
45 | disable-mnt | ||
46 | private-cache | ||
47 | private-dev | ||
48 | private-tmp | ||
49 | |||
50 | dbus-user none | ||
51 | dbus-system none | ||
52 | |||
53 | memory-deny-write-execute | ||
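Review bot: Lines 16–17 list `include disable-passwdmgr.inc` before `include disable-interpreters.inc`, breaking the alphabetical order every other profile in this chunk uses for the disable-*.inc block; the same inversion is at regextester.profile lines 12–13. Swapping the two lines in both files restores the convention and keeps diffs between profiles easy to read.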
diff --git a/etc/profile-m-z/regextester.profile b/etc/profile-m-z/regextester.profile new file mode 100644 index 000000000..207156ba5 --- /dev/null +++ b/etc/profile-m-z/regextester.profile | |||
@@ -0,0 +1,57 @@ | |||
1 | # Firejail profile for regextester | ||
2 | # Description: A simple regex tester built for Pantheon Shell | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include regextester.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | include disable-common.inc | ||
10 | include disable-devel.inc | ||
11 | include disable-exec.inc | ||
12 | include disable-passwdmgr.inc | ||
13 | include disable-interpreters.inc | ||
14 | include disable-programs.inc | ||
15 | include disable-xdg.inc | ||
16 | |||
17 | whitelist /usr/share/com.github.artemanufrij.regextester | ||
18 | include whitelist-usr-share-common.inc | ||
19 | |||
20 | include whitelist-common.inc | ||
21 | include whitelist-var-common.inc | ||
22 | |||
23 | apparmor | ||
24 | caps.drop all | ||
25 | ipc-namespace | ||
26 | machine-id | ||
27 | net none | ||
28 | no3d | ||
29 | nodvd | ||
30 | nogroups | ||
31 | nonewprivs | ||
32 | noroot | ||
33 | nosound | ||
34 | notv | ||
35 | nou2f | ||
36 | novideo | ||
37 | protocol unix | ||
38 | seccomp | ||
39 | shell none | ||
40 | tracelog | ||
41 | |||
42 | disable-mnt | ||
43 | private-bin regextester | ||
44 | private-cache | ||
45 | private-dev | ||
46 | private-etc alternatives,fonts | ||
47 | private-lib libgranite.so.* | ||
48 | private-tmp | ||
49 | |||
50 | # makes settings immutable | ||
51 | # dbus-user none | ||
52 | # dbus-system none | ||
53 | |||
54 | memory-deny-write-execute | ||
55 | |||
56 | # never write anything | ||
57 | read-only ${HOME} | ||
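--- /dev/null
+++ b/etc/profile-m-z/remmina.profile
@@ -0,0 +1,40 @@
+# Firejail profile for remmina
+# Description: GTK+ Remote Desktop Client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include remmina.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.remmina
+noblacklist ${HOME}/.config/remmina
+noblacklist ${HOME}/.local/share/remmina
+noblacklist ${HOME}/.ssh
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp
+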
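Review bot: `noblacklist ${HOME}/.ssh` on line 12 re-exposes the user's SSH private keys to the sandboxed client, and because this profile has no whitelist block the rest of ${HOME} stays visible as well; if the keys are only needed for SSH-tunnelled sessions, consider `read-only ${HOME}/.ssh` next to it and a comment stating the reason. `netfilter` is also missing from the hardening block although `protocol unix,inet,inet6` on line 33 allows network access; the neighbouring profiles (redeclipse, ricochet) pair the two.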
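--- /dev/null
+++ b/etc/profile-m-z/rhythmbox-client.profile
@@ -0,0 +1,11 @@
+# Firejail profile for rhythmbox-client
+# Description: controls a running instance of rhythmbox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rhythmbox-client.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include rhythmbox.profile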
diff --git a/etc/profile-m-z/rhythmbox.profile b/etc/profile-m-z/rhythmbox.profile new file mode 100644 index 000000000..e8f964383 --- /dev/null +++ b/etc/profile-m-z/rhythmbox.profile | |||
@@ -0,0 +1,52 @@ | |||
1 | # Firejail profile for rhythmbox | ||
2 | # Description: Music player and organizer for GNOME | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include rhythmbox.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${MUSIC} | ||
10 | noblacklist ${HOME}/.cache/rhythmbox | ||
11 | noblacklist ${HOME}/.local/share/rhythmbox | ||
12 | |||
13 | # Allow python (blacklisted by disable-interpreters.inc) | ||
14 | include allow-python2.inc | ||
15 | include allow-python3.inc | ||
16 | |||
17 | include disable-common.inc | ||
18 | include disable-devel.inc | ||
19 | include disable-exec.inc | ||
20 | include disable-interpreters.inc | ||
21 | include disable-passwdmgr.inc | ||
22 | include disable-programs.inc | ||
23 | include disable-xdg.inc | ||
24 | |||
25 | whitelist /usr/share/rhythmbox | ||
26 | whitelist /usr/share/lua | ||
27 | whitelist /usr/share/libquvi-scripts | ||
28 | include whitelist-runuser-common.inc | ||
29 | include whitelist-usr-share-common.inc | ||
30 | include whitelist-var-common.inc | ||
31 | |||
32 | apparmor | ||
33 | caps.drop all | ||
34 | netfilter | ||
35 | nogroups | ||
36 | nonewprivs | ||
37 | noroot | ||
38 | notv | ||
39 | nou2f | ||
40 | novideo | ||
41 | protocol unix,inet,inet6,netlink | ||
42 | seccomp | ||
43 | shell none | ||
44 | tracelog | ||
45 | |||
46 | private-bin rhythmbox,rhythmbox-client | ||
47 | private-dev | ||
48 | private-tmp | ||
49 | |||
50 | # makes settings immutable | ||
51 | # dbus-user none | ||
52 | # dbus-system none | ||
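--- /dev/null
+++ b/etc/profile-m-z/ricochet.profile
@@ -0,0 +1,41 @@
+# Firejail profile for ricochet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ricochet.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/Ricochet
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.local/share/Ricochet
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.local/share/Ricochet
+include whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin ricochet,tor
+private-dev
+#private-etc alternatives,alternatives,ca-certificates,crypto-policies,fonts,pki,ssl,tor,X11
+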
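Review bot: The commented-out `private-etc` on line 40 lists `alternatives` twice, so whoever uncomments it inherits a duplicate entry; it should read `#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl,tor,X11`. The profile also lacks the `# Description:` header line that the other profiles in this directory carry after line 1.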
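--- /dev/null
+++ b/etc/profile-m-z/riot-desktop.profile
@@ -0,0 +1,13 @@
+# Firejail profile for riot-desktop
+# Description: A glossy Matrix collaboration client for the desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include riot-desktop.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+seccomp !chroot
+
+# Redirect
+include riot-web.profile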
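Review bot: `seccomp !chroot` on line 10 has no comment, while the same exemption in rambox.profile is explained by `# electron-based application, needing chroot`; placing that comment above line 10 records why the filter is weakened here. Whether electron.profile, reached through the redirect on line 13, already sets its own seccomp line cannot be seen from this diff, so it is worth confirming the two do not conflict.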
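--- /dev/null
+++ b/etc/profile-m-z/riot-web.profile
@@ -0,0 +1,17 @@
+# Firejail profile for riot-web
+# Description: A glossy Matrix collaboration client for the web
+# This file is overwritten after every install/update
+# Persistent local customizations
+include riot-web.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.config/Riot
+
+mkdir ${HOME}/.config/Riot
+whitelist ${HOME}/.config/Riot
+include whitelist-common.inc
+
+# Redirect
+include electron.profile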
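--- /dev/null
+++ b/etc/profile-m-z/ripperx.profile
@@ -0,0 +1,43 @@
+# Firejail profile for mpv
+# Description: Graphical audio CD ripper and encoder
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ripperx.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.ripperXrc
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+nou2f
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none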
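Review bot: The header on line 1 says `# Firejail profile for mpv`, which matches neither the file name (ripperx.profile) nor the description on line 2; it should be `# Firejail profile for ripperx`. Lines 30–31 also list `nou2f` before `notv`, unlike the alphabetical order the rest of the directory uses for the hardening block.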
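--- /dev/null
+++ b/etc/profile-m-z/ristretto.profile
@@ -0,0 +1,42 @@
+# Firejail profile for ristretto
+# Description: Lightweight picture-viewer for the Xfce desktop environment
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ristretto.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/ristretto
+noblacklist ${HOME}/.Steam
+noblacklist ${HOME}/.steam
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp
+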
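Review bot: Lines 24–25 set both `net none` and `netfilter`; with networking disabled there is no interface for the filter to apply to, so `netfilter` is dead configuration and one of the two should go depending on whether the viewer is meant to reach the network at all. `noblacklist ${HOME}/.Steam` and `${HOME}/.steam` on lines 10–11 are unusual for an image viewer; presumably they are there for viewing Steam screenshots, and a comment saying so would make the grant reviewable.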
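--- /dev/null
+++ b/etc/profile-m-z/rnano.profile
@@ -0,0 +1,12 @@
+# Firejail profile for rnano
+# Description: A restricted nano
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include rnano.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include nano.profile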
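--- /dev/null
+++ b/etc/profile-m-z/rocketchat.profile
@@ -0,0 +1,16 @@
+# Firejail profile for rocketchat
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rocketchat.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.config/Rocket.Chat
+
+mkdir ${HOME}/.config/Rocket.Chat
+whitelist ${HOME}/.config/Rocket.Chat
+include whitelist-common.inc
+
+# Redirect
+include electron.profile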
diff --git a/etc/profile-m-z/rsync-download_only.profile b/etc/profile-m-z/rsync-download_only.profile new file mode 100644 index 000000000..a39ff759a --- /dev/null +++ b/etc/profile-m-z/rsync-download_only.profile | |||
@@ -0,0 +1,59 @@ | |||
1 | # Firejail profile for rsync | ||
2 | # Description: a fast, versatile, remote (and local) file-copying tool | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include rsync.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | # Warning: This profile is writte to use rsync as an client for downloading, | ||
11 | # it is not writen to use rsync as an daemon (rsync --daemon) or to create backups. | ||
12 | |||
13 | # Usage: firejail --profile=rsync-download_only rsync | ||
14 | |||
15 | blacklist /tmp/.X11-unix | ||
16 | blacklist ${RUNUSER}/wayland-* | ||
17 | blacklist ${RUNUSER} | ||
18 | |||
19 | include disable-common.inc | ||
20 | include disable-devel.inc | ||
21 | include disable-exec.inc | ||
22 | include disable-interpreters.inc | ||
23 | include disable-passwdmgr.inc | ||
24 | include disable-programs.inc | ||
25 | include disable-xdg.inc | ||
26 | |||
27 | # Uncomment or add to rsync.local to enable extra hardening | ||
28 | #whitelist ${DOWNLOADS} | ||
29 | include whitelist-var-common.inc | ||
30 | |||
31 | caps.drop all | ||
32 | ipc-namespace | ||
33 | machine-id | ||
34 | netfilter | ||
35 | no3d | ||
36 | nodvd | ||
37 | nogroups | ||
38 | nonewprivs | ||
39 | noroot | ||
40 | nosound | ||
41 | notv | ||
42 | nou2f | ||
43 | novideo | ||
44 | protocol unix,inet,inet6 | ||
45 | seccomp | ||
46 | shell none | ||
47 | tracelog | ||
48 | |||
49 | disable-mnt | ||
50 | private-bin rsync | ||
51 | private-cache | ||
52 | private-dev | ||
53 | private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl | ||
54 | private-tmp | ||
55 | |||
56 | dbus-user none | ||
57 | dbus-system none | ||
58 | |||
59 | memory-deny-write-execute | ||
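Review bot: The warning on lines 10–11 has several typos: `writte` and `writen` should be `written`, and `an client`/`an daemon` should be `a client`/`a daemon`. Line 17 `blacklist ${RUNUSER}` already covers the `${RUNUSER}/wayland-*` pattern on line 16, so the narrower rule is redundant. Line 6 includes `rsync.local` rather than `rsync-download_only.local`, departing from the `<profile>.local` pattern every other profile here follows; if sharing the local file with a plain rsync profile is intended, a comment next to it would say so.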
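--- /dev/null
+++ b/etc/profile-m-z/rtorrent.profile
@@ -0,0 +1,33 @@
+# Firejail profile for rtorrent
+# Description: Ncurses BitTorrent client based on LibTorrent from rakshasa
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rtorrent.local
+# Persistent global definitions
+include globals.local
+
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+machine-id
+netfilter
+nodvd
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin rtorrent
+private-cache
+private-dev
+private-tmp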
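Review bot: Lines 8–9 are two consecutive blank lines, which no other profile in this directory has; one should go. The hardening block also omits `nogroups` and the disable block omits `include disable-exec.inc`, both of which most sibling profiles carry; if rtorrent needs supplementary groups or executable files under ${HOME}, a comment would record that so the omission is not mistaken for an oversight.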
diff --git a/etc/profile-m-z/rtv.profile b/etc/profile-m-z/rtv.profile new file mode 100644 index 000000000..14740e05f --- /dev/null +++ b/etc/profile-m-z/rtv.profile | |||
@@ -0,0 +1,58 @@ | |||
1 | # Firejail profile for rtv | ||
2 | # Description: Browse Reddit from your terminal | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include rtv.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | blacklist /tmp/.X11-unix | ||
10 | blacklist ${RUNUSER}/wayland-* | ||
11 | |||
12 | noblacklist ${HOME}/.config/rtv | ||
13 | noblacklist ${HOME}/.local/share/rtv | ||
14 | |||
15 | # Allow python (blacklisted by disable-interpreters.inc) | ||
16 | include allow-python2.inc | ||
17 | include allow-python3.inc | ||
18 | |||
19 | include disable-common.inc | ||
20 | include disable-devel.inc | ||
21 | include disable-exec.inc | ||
22 | include disable-interpreters.inc | ||
23 | include disable-passwdmgr.inc | ||
24 | include disable-programs.inc | ||
25 | include disable-xdg.inc | ||
26 | |||
27 | mkdir ${HOME}/.config/rtv | ||
28 | mkdir ${HOME}/.local/share/rtv | ||
29 | whitelist ${HOME}/.config/rtv | ||
30 | whitelist ${HOME}/.local/share/rtv | ||
31 | include whitelist-var-common.inc | ||
32 | |||
33 | apparmor | ||
34 | caps.drop all | ||
35 | machine-id | ||
36 | netfilter | ||
37 | no3d | ||
38 | nodvd | ||
39 | nogroups | ||
40 | nonewprivs | ||
41 | noroot | ||
42 | nosound | ||
43 | notv | ||
44 | nou2f | ||
45 | novideo | ||
46 | protocol unix,inet,inet6 | ||
47 | seccomp | ||
48 | shell none | ||
49 | tracelog | ||
50 | |||
51 | disable-mnt | ||
52 | private-bin python*,rtv,sh,xdg-settings | ||
53 | private-cache | ||
54 | private-dev | ||
55 | private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg | ||
56 | |||
57 | dbus-user none | ||
58 | dbus-system none | ||
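--- /dev/null
+++ b/etc/profile-m-z/runenpass.sh.profile
@@ -0,0 +1,5 @@
+# Firejail alias profile for enpass
+# This file is overwritten after every install/update
+
+# Redirect
+include enpass.profile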
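Review bot: This alias profile has no `include runenpass.sh.local` line, unlike the other redirect profiles in this directory (rview, rvim, rnano), so there is nowhere for persistent local customizations to be picked up before the redirect; suggest adding `# Persistent local customizations` and `include runenpass.sh.local` after line 2. scorched3d-wrapper.profile similarly omits the `# Persistent global definitions` / `#include globals.local` pair the other redirects carry.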
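--- /dev/null
+++ b/etc/profile-m-z/rview.profile
@@ -0,0 +1,10 @@
+# Firejail profile for rview
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rview.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include vim.profile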
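--- /dev/null
+++ b/etc/profile-m-z/rvim.profile
@@ -0,0 +1,10 @@
+# Firejail profile for rvim
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rvim.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include vim.profile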
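--- /dev/null
+++ b/etc/profile-m-z/sayonara.profile
@@ -0,0 +1,35 @@
+# Firejail profile for sayonara player
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sayonara.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.Sayonara
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin sayonara
+private-dev
+private-tmp
+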
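Review bot: `include disable-interpreters.inc` is absent from the disable block on lines 11–16, while every other non-redirect profile in this chunk includes it; if sayonara genuinely needs an interpreter, the convention used here is to keep disable-interpreters.inc and add an allow-*.inc with a comment, as ranger.profile does on lines 13–18. The `# Description:` header line is also missing after line 1.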
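--- /dev/null
+++ b/etc/profile-m-z/scallion.profile
@@ -0,0 +1,44 @@
+# Firejail profile for scallion
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include scallion.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/llvm*
+noblacklist ${PATH}/openssl
+noblacklist ${PATH}/openssl-1.0
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none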
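Review bot: `noblacklist ${DOCUMENTS}` on line 12 appears ineffective because line 39 sets `private`, which gives the sandbox a temporary empty home for its lifetime, so the real Documents directory is never visible regardless of blacklist state; either drop the noblacklist or replace `private` with a whitelist of the paths scallion actually needs. If `private` is the intended protection, removing the stale line keeps the profile from suggesting an access it does not grant.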
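--- /dev/null
+++ b/etc/profile-m-z/scorched3d-wrapper.profile
@@ -0,0 +1,7 @@
+# Firejail profile for scorched3d
+# This file is overwritten after every install/update
+# Persistent local customizations
+include scorched3d-wrapper.local
+
+# Redirect
+include scorched3d.profile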
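--- /dev/null
+++ b/etc/profile-m-z/scorched3d.profile
@@ -0,0 +1,46 @@
+# Firejail profile for scorched3d
+# Description: Game based loosely on the classic DOS game Scorched Earth
+# This file is overwritten after every install/update
+# Persistent local customizations
+include scorched3d.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.scorched3d
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.scorched3d
+whitelist ${HOME}/.scorched3d
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin scorched3d,scorched3d-wrapper,scorched3dc,scorched3ds
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none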
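--- /dev/null
+++ b/etc/profile-m-z/scorchwentbonkers.profile
@@ -0,0 +1,49 @@
+# Firejail profile for scorchwentbonkers
+# Description: Realtime remake of Scorched Earth
+# This file is overwritten after every install/update
+# Persistent local customizations
+include scorchwentbonkers.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.swb.ini
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.swb.ini
+whitelist ${HOME}/.swb.ini
+whitelist /usr/share/scorchwentbonkers
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin scorchwentbonkers
+private-cache
+private-dev
+private-etc alsa,asound.conf,machine-id,pulse
+private-tmp
+
+dbus-user none
+dbus-system none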
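Review bot: `mkdir ${HOME}/.swb.ini` on line 19 creates a directory, but the `.ini` name suggests this is the game's settings file; if so, the game will find a directory where it expects a file and fail to save, and `mkfile ${HOME}/.swb.ini` is the directive to pre-create it so that `whitelist ${HOME}/.swb.ini` on line 20 has something to bind. Please confirm against what the game actually writes before changing it.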
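--- /dev/null
+++ b/etc/profile-m-z/scp.profile
@@ -0,0 +1,12 @@
+# Firejail profile for scp
+# Description: Secure shell copy
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include scp.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include ssh.profile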
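--- /dev/null
+++ b/etc/profile-m-z/scribus.profile
@@ -0,0 +1,64 @@
+# Firejail profile for scribus
+# Description: Open Source Desktop Page Layout
+# This file is overwritten after every install/update
+# Persistent local customizations
+include scribus.local
+# Persistent global definitions
+include globals.local
+
+# Support for PDF readers comes with Scribus 1.5 and higher
+noblacklist ${HOME}/.cache/okular
+noblacklist ${HOME}/.config/GIMP
+noblacklist ${HOME}/.config/okularpartrc
+noblacklist ${HOME}/.config/okularrc
+noblacklist ${HOME}/.config/scribus
+noblacklist ${HOME}/.config/scribusrc
+noblacklist ${HOME}/.gimp*
+noblacklist ${HOME}/.kde/share/apps/okular
+noblacklist ${HOME}/.kde/share/config/okularpartrc
+noblacklist ${HOME}/.kde/share/config/okularrc
+noblacklist ${HOME}/.kde4/share/apps/okular
+noblacklist ${HOME}/.kde4/share/config/okularpartrc
+noblacklist ${HOME}/.kde4/share/config/okularrc
+noblacklist ${HOME}/.local/share/okular
+noblacklist ${HOME}/.local/share/scribus
+noblacklist ${HOME}/.scribus
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin gimp*,gs,scribus
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none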
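Review bot: The GIMP entries on lines 11 and 16 (`noblacklist ${HOME}/.config/GIMP`, `noblacklist ${HOME}/.gimp*`) expose another application's configuration without a comment, while the okular entries are explained by line 9. A one-line comment above them such as `# Scribus can hand images to an external editor (GIMP)` would record the intent; please confirm that is the reason. Likewise the disabled `# private-bin gimp*,gs,scribus` on line 59 would benefit from a note on what breaks when it is enabled.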
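--- /dev/null
+++ b/etc/profile-m-z/sdat2img.profile
@@ -0,0 +1,43 @@
+# Firejail profile for sdat2img
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include sdat2img.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin env,python*,sdat2img
+private-cache
+private-dev
+
+dbus-user none
+dbus-system none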
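Review bot: The `# Description:` line that the sibling profiles place after line 1 is missing here, so the header layout is inconsistent with the rest of the directory. Also, `disable-mnt` and `private-tmp` are absent while `private-cache` and `private-dev` are present; if that is intentional so that images on removable media can be converted, a one-line comment would keep a later tightening from breaking it.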
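--- /dev/null
+++ b/etc/profile-m-z/seahorse-adventures.profile
@@ -0,0 +1,50 @@
+# Firejail profile for seahorse-adventures
+# Description: Help barbie the seahorse float on bubbles to the moon
+# This file is overwritten after every install/update
+# Persistent local customizations
+include seahorse-adventures.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/seahorse-adventures
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin python*,seahorse-adventures
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+
+dbus-user none
+dbus-system none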
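Review bot: `private` on line 42 gives the game an empty temporary ${HOME}, so `include whitelist-common.inc` on line 22 has nothing in home to whitelist and anything the game writes under ${HOME} is discarded when the sandbox exits; if it keeps per-user state such as scores or settings (it is started through python, line 43, so presumably it does), the profile should `mkdir`/`whitelist` that directory as scorched3d.profile does instead of using `private`. Separately, `private-etc machine-id` on line 46 is far narrower than the `alsa,asound.conf,machine-id,pulse` set scorchwentbonkers.profile uses; please confirm sound works with it.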
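--- /dev/null
+++ b/etc/profile-m-z/seahorse-daemon.profile
@@ -0,0 +1,14 @@
+# Firejail profile for seahorse-daemon
+# Description: PGP encryption and signing
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include seahorse-daemon.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+memory-deny-write-execute
+
+# Redirect
+include seahorse.profile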
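--- /dev/null
+++ b/etc/profile-m-z/seahorse-tool.profile
@@ -0,0 +1,15 @@
+# Firejail profile for seahorse-tool
+# Description: PGP encryption and signing
+# This file is overwritten after every install/update
+# Persistent local customizations
+include seahorse-tool.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# private-etc workaround for: #2877
+private-etc firejail,login.defs,passwd
+private-tmp
+
+# Redirect
+include seahorse.profile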
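Review bot: `private-etc firejail,login.defs,passwd` on line 11 is followed by `include seahorse.profile` on line 15, which carries its own `private-etc` list; whether the two lists are merged or the later one wins is not apparent from the profile, and the comment on line 10 should state which behaviour the #2877 workaround relies on. Note also that `private-tmp` on line 12 hides `/tmp/ssh-*`, which seahorse.profile explicitly whitelists; if seahorse-tool never needs the agent socket, a comment saying so would keep the line from being "fixed" later.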
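--- /dev/null
+++ b/etc/profile-m-z/seahorse.profile
@@ -0,0 +1,63 @@
+# Firejail profile for seahorse
+# Description: GNOME application for managing PGP keys
+# This file is overwritten after every install/update
+# Persistent local customizations
+include seahorse.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.ssh
+noblacklist /tmp/ssh-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# whitelisting in ${HOME} breaks file encryption feature of nautilus.
+# once #2882 is fixed this can be uncommented and nowhitelisted in seahorse-tool.profile
+#mkdir ${HOME}/.gnupg
+#mkdir ${HOME}/.ssh
+#whitelist ${HOME}/.gnupg
+#whitelist ${HOME}/.ssh
+whitelist /tmp/ssh-*
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+whitelist /usr/share/seahorse
+whitelist /usr/share/seahorse-nautilus
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11
+writable-run-user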
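Review bot: `blacklist /tmp/.X11-unix` on line 9 hides the X server socket from what line 2 describes as a GNOME GUI application, while `X11` is still kept in `private-etc` on line 62; on an X11 session the GUI presumably cannot connect at all. If the blacklist is intentional (Wayland-only use, or a keylogging-avoidance choice for a key manager), a comment on line 9 should say so, otherwise the line should be dropped. With the ${HOME} whitelist disabled on lines 25-28, `.gnupg` and `.ssh` stay fully reachable, which the #2882 comment already acknowledges.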
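--- /dev/null
+++ b/etc/profile-m-z/seamonkey-bin.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for seamonkey
+# This file is overwritten after every install/update
+
+# Redirect
+include seamonkey.profile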
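--- /dev/null
+++ b/etc/profile-m-z/seamonkey.profile
@@ -0,0 +1,55 @@
+# Firejail profile for seamonkey
+# Description: SeaMonkey internet suite
+# This file is overwritten after every install/update
+# Persistent local customizations
+include seamonkey.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/mozilla
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/mozilla
+mkdir ${HOME}/.mozilla
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/gnome-mplayer/plugin
+whitelist ${HOME}/.cache/mozilla
+whitelist ${HOME}/.config/gnome-mplayer
+whitelist ${HOME}/.config/pipelight-silverlight5.1
+whitelist ${HOME}/.config/pipelight-widevine
+whitelist ${HOME}/.keysnail.js
+whitelist ${HOME}/.lastpass
+whitelist ${HOME}/.mozilla
+whitelist ${HOME}/.pentadactyl
+whitelist ${HOME}/.pentadactylrc
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+whitelist ${HOME}/.vimperator
+whitelist ${HOME}/.vimperatorrc
+whitelist ${HOME}/.wine-pipelight
+whitelist ${HOME}/.wine-pipelight64
+whitelist ${HOME}/.zotero
+whitelist ${HOME}/dwhelper
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+disable-mnt
+# private-etc adobe,alternatives,asound.conf,ca-certificates,crypto-policies,firefox,fonts,group,gtk-2.0,hostname,hosts,iceweasel,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl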
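Review bot: This profile is noticeably looser than its siblings for a network-facing browser: it omits `shell none`, `nogroups`, `nou2f`, `private-dev`, `private-tmp`, `dbus-user none`/`dbus-system none` and the `disable-exec.inc`/`disable-xdg.inc` includes, and keeps `netlink` in `protocol` on line 50. The wine/pipelight whitelists on lines 27-28 and 38-39 suggest some of this is deliberate to keep plugins working, but nothing in the file says so; a comment above line 44 naming what each omission is for, or adding at least `shell none`, `private-dev` and `private-tmp` after testing, would be appropriate.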
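--- /dev/null
+++ b/etc/profile-m-z/secret-tool.profile
@@ -0,0 +1,11 @@
+# Firejail profile for secret-tool
+# Description: Library for storing and retrieving passwords and other secrets
+# This file is overwritten after every install/update
+# Persistent local customizations
+include secret-tool.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gnome-keyring.profile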
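--- /dev/null
+++ b/etc/profile-m-z/server.profile
@@ -0,0 +1,77 @@
+# Generic Firejail profile for servers started as root
+#
+# This profile is used as a default when starting the sandbox as root.
+# Example:
+#
+# $ sudo firejail
+# [sudo] password for netblue:
+# Reading profile /etc/firejail/server.profile
+# Reading profile /etc/firejail/disable-common.inc
+# Reading profile /etc/firejail/disable-passwdmgr.inc
+# Reading profile /etc/firejail/disable-programs.inc
+#
+# ** Note: you can use --noprofile to disable server.profile **
+#
+# Parent pid 5347, child pid 5348
+# The new log directory is /proc/5348/root/var/log
+# Child process initialized in 64.43 ms
+# root@debian:~#
+#
+# Customize the profile as usual. Examples: unbound.profile, fdns.profile.
+# All the rules for regular user profiles apply with the exception of
+# /usr/local/bin symlink redirection and firecfg tool. The redirection is disabled
+# by default for root user.
+
+# This file is overwritten after every install/update
+# Persistent local customizations
+include server.local
+# Persistent global definitions
+include globals.local
+
+# generic server profile
+# it allows /sbin and /usr/sbin directories - this is where servers are installed
+# depending on your usage, you can enable some of the commands below:
+
+noblacklist /sbin
+noblacklist /usr/sbin
+# noblacklist /var/opt
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+# include disable-devel.inc
+# include disable-exec.inc
+# include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# include disable-xdg.inc
+
+caps
+# ipc-namespace
+# netfilter /etc/firejail/webserver.net
+no3d
+nodvd
+# nogroups
+# nonewprivs
+# noroot
+nosound
+notv
+nou2f
+novideo
+seccomp
+# shell none
+
+# disable-mnt
+private
+# private-bin program
+# private-cache
+# private-dev
+# private-etc alternatives
+# private-lib
+private-tmp
+
+# dbus-user none
+# dbus-system none
+
+# memory-deny-write-execute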
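Review bot: `caps` on line 50 is easy to misread as keeping the full capability set; it applies firejail's default capability filter, and a root-started server usually needs far less than that filter leaves. A comment next to it such as `# caps applies the default capability filter; prefer caps.keep <list> in a derived profile` would steer people customising this template (which line 33 invites them to do) toward the narrower form. The commented `# nonewprivs` and `# noroot` on lines 56-57 are presumably off because root servers drop privileges themselves, which is worth one sentence in the header block too.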
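--- /dev/null
+++ b/etc/profile-m-z/sftp.profile
@@ -0,0 +1,12 @@
+# Firejail profile for sftp
+# Description: Secure file transport protocol
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include sftp.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include ssh.profile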
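--- /dev/null
+++ b/etc/profile-m-z/shellcheck.profile
@@ -0,0 +1,54 @@
+# Firejail profile for shellcheck
+# Description: Lint tool for shell scripts
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include shellcheck.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/shellcheck
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute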
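Review bot: `blacklist ${RUNUSER}/wayland-*` on line 10 is redundant, because `blacklist ${RUNUSER}` on line 11 already hides the whole runtime directory including the Wayland sockets; dropping line 10 leaves behaviour unchanged and avoids the impression that only Wayland is being blocked. The remaining hardening (`net none`, `x11 none`, `memory-deny-write-execute`) is consistent for a linter that only needs to read its input files.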
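--- /dev/null
+++ b/etc/profile-m-z/shortwave.profile
@@ -0,0 +1,50 @@
+# Firejail profile for shortwave
+# Description: Listen to internet radio
+# This file is overwritten after every install/update
+# Persistent local customizations
+include shortwave.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/Shortwave
+noblacklist ${HOME}/.local/share/Shortwave
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/Shortwave
+mkdir ${HOME}/.local/share/Shortwave
+whitelist ${HOME}/.cache/Shortwave
+whitelist ${HOME}/.local/share/Shortwave
+whitelist /usr/share/shortwave
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin shortwave
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gconf,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
+private-tmp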
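Review bot: Unlike the other new profiles, this one sets neither `dbus-user none` nor `dbus-system none`, so both buses stay reachable with no comment on why. If the application needs the session bus (media-key or MPRIS integration is the usual reason for a radio player, but that is an assumption), a comment such as `# dbus-user none breaks media controls - TODO confirm` after line 50 would document it; otherwise the two lines should be added there.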
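--- /dev/null
+++ b/etc/profile-m-z/shotcut.profile
@@ -0,0 +1,38 @@
+# Firejail profile for shotcut
+# Description: A free, open source, cross-platform video editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include shotcut.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.config/Meltytech
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix
+seccomp
+shell none
+tracelog
+
+#private-bin melt,nice,qmelt,shotcut
+private-cache
+private-dev
+
+dbus-user none
+dbus-system none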
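Review bot: `ignore noexec ${HOME}` on line 9 cancels the noexec mount that `include disable-exec.inc` on line 15 applies to ${HOME}, re-enabling execution of anything under the home directory, yet no comment says which feature needs it. Please add one above line 9, e.g. `# noexec on ${HOME} breaks <feature> - TODO name it`, or drop the line if the requirement is no longer known. The profile also skips `disable-xdg.inc`, `novideo` and any whitelist, which may be deliberate for an editor importing from arbitrary locations but is worth a sentence as well.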
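--- /dev/null
+++ b/etc/profile-m-z/signal-cli.profile
@@ -0,0 +1,51 @@
+# Firejail profile for signal-cli
+# Description: signal-cli provides a commandline and dbus interface for signalapp/libsignal-service-java
+# This file is overwritten after every install/update
+# Persistent local customizations
+include signal-cli.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${HOME}/.local/share/signal-cli
+
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/signal-cli
+whitelist ${HOME}/.local/share/signal-cli
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin java,sh,signal-cli
+private-cache
+private-dev
+# Does not work with all Java configurations. You will notice immediately, so you might want to give it a try
+#private-etc alternatives,ca-certificates,crypto-policies,dbus-1,host.conf,hostname,hosts,java-10-openjdk,java-7-openjdk,java-8-openjdk,java-9-openjdk,java.conf,machine-id,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl
+private-tmp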
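Review bot: `private-bin java,sh,signal-cli` on line 46 ships a shell into the sandbox without explanation; the usual reason is that `signal-cli` is a launcher script, and a comment saying so (`# sh is needed by the signal-cli launcher script`) would stop it being removed as an oversight. Line 2 also says the tool offers a D-Bus interface, but the profile neither sets `dbus-user none` nor notes that the session bus is intentionally left open, which is worth stating either way.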
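--- /dev/null
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -0,0 +1,44 @@
+# Firejail profile for signal-desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include signal-desktop.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec /tmp
+
+noblacklist ${HOME}/.config/Signal
+
+# These lines are needed to allow Firefox to open links
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.mozilla/firefox/profiles.ini
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-passwdmgr.inc
+
+mkdir ${HOME}/.config/Signal
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/Signal
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.keep sys_admin,sys_chroot
+netfilter
+nodvd
+nogroups
+notv
+nou2f
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none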
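Review bot: `caps.keep sys_admin,sys_chroot` on line 31 retains CAP_SYS_ADMIN, and the profile also leaves out `seccomp`, `nonewprivs`, `noroot` and `protocol`, which every other new profile in this directory sets; presumably this is for the Electron/Chromium setuid sandbox, but nothing in the file says so. A comment above line 31 such as `# caps.keep / no seccomp / no nonewprivs: required by the Electron sandbox, see <issue-ref placeholder>` would record the trade-off, and the same applies to `ignore noexec /tmp` on line 8, which re-enables execution from /tmp without explanation. The `# Description:` line the sibling profiles carry after line 1 is also missing.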
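--- /dev/null
+++ b/etc/profile-m-z/silentarmy.profile
@@ -0,0 +1,39 @@
+# Firejail profile for silentarmy
+# This file is overwritten after every install/update
+# Persistent local customizations
+include silentarmy.local
+# Persistent global definitions
+include globals.local
+
+
+include disable-common.inc
+# include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private
+private-bin python*,sa-solver,silentarmy
+private-dev
+private-opt none
+private-tmp
+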
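Review bot: `private-bin python*,sa-solver,silentarmy` on line 35 is combined with `include disable-interpreters.inc` on line 12 but, unlike sdat2img.profile and seahorse-adventures.profile, without `include allow-python2.inc`/`include allow-python3.inc`; if the launcher is a python script the interpreter stays blacklisted and the sandbox fails to start, so either add the allow-python lines above line 9 or drop `python*` from private-bin. `# include disable-devel.inc` on line 10 is also disabled with no reason given (an OpenCL runtime compiling kernels presumably needs the toolchain) and deserves a comment. Lines 7-8 form a double blank line and line 39 a trailing one.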
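--- /dev/null
+++ b/etc/profile-m-z/simple-scan.profile
@@ -0,0 +1,41 @@
+# Firejail profile for simple-scan
+# Description: Simple Scanning Utility
+# This file is overwritten after every install/update
+# Persistent local customizations
+include simple-scan.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/simple-scan
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/simple-scan
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+# novideo
+protocol unix,inet,inet6,netlink
+# blacklisting of ioperm system calls breaks simple-scan
+seccomp !ioperm
+shell none
+tracelog
+
+# private-bin simple-scan
+# private-dev
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+# private-tmp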
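Review bot: `# private-dev` on line 39 and `# novideo` on line 31 are disabled without the kind of explanation given for `seccomp !ioperm` on line 33; scanners typically need their USB device nodes (and some are exposed through V4L), but the profile should say so, e.g. `# private-dev and novideo hide the scanner's USB/V4L device nodes - TODO confirm`. `include disable-exec.inc` is also absent from lines 12-17 with no note on why.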
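--- /dev/null
+++ b/etc/profile-m-z/simplescreenrecorder.profile
@@ -0,0 +1,39 @@
+# Firejail profile for simplescreenrecorder
+# Description: A feature-rich screen recorder that supports X11 and OpenGL
+# This file is overwritten after every install/update
+# Persistent local customizations
+include simplescreenrecorder.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${VIDEOS}
+noblacklist ${HOME}/.ssr
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/simplescreenrecorder
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp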
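--- /dev/null
+++ b/etc/profile-m-z/simutrans.profile
@@ -0,0 +1,42 @@
+# Firejail profile for simutrans
+# Description: Transportation simulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include simutrans.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.simutrans
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.simutrans
+whitelist ${HOME}/.simutrans
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+# private-bin simutrans
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none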
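--- /dev/null
+++ b/etc/profile-m-z/skanlite.profile
@@ -0,0 +1,37 @@
+# Firejail profile for skanlite
+# Description: Image scanner based on the KSane backend
+# This file is overwritten after every install/update
+# Persistent local customizations
+include skanlite.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+# novideo
+protocol unix,inet,inet6,netlink
+# blacklisting of ioperm system calls breaks skanlite
+seccomp !ioperm
+shell none
+
+# private-bin kbuildsycoca4,kdeinit4,skanlite
+# private-dev
+# private-tmp
+
+# dbus-user none
+# dbus-system none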
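--- /dev/null
+++ b/etc/profile-m-z/skypeforlinux.profile
@@ -0,0 +1,31 @@
+# Firejail profile for skypeforlinux
+# This file is overwritten after every install/update
+# Persistent local customizations
+include skypeforlinux.local
+# Persistent global definitions
+include globals.local
+
+# breaks Skype
+ignore noexec /tmp
+
+noblacklist ${HOME}/.config/skypeforlinux
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.keep sys_admin,sys_chroot
+netfilter
+nodvd
+nogroups
+notv
+shell none
+
+disable-mnt
+private-cache
+# private-dev - needs /dev/disk
+private-tmp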
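Review bot: Line 21 keeps `sys_admin,sys_chroot` instead of `caps.drop all`, and `nonewprivs`, `noroot`, `seccomp` and `protocol` are all absent, yet nothing in the profile says why — unlike line 30, which explains its own deviation (`# private-dev - needs /dev/disk`). A user reading this from `skypeforlinux.local` cannot tell whether these omissions are deliberate or an oversight, and the same weakened set appears in slack.profile (lines 22-28) without a comment either. Please add a one-line comment above line 21 naming the reason (presumably the application's bundled sandbox helper, but confirm) and, if applicable, the issue it was discussed in.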
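--- /dev/null
+++ b/etc/profile-m-z/slack.profile
@@ -0,0 +1,34 @@
+# Firejail profile for slack
+# This file is overwritten after every install/update
+# Persistent local customizations
+include slack.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Slack
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/Slack
+whitelist ${HOME}/.config/Slack
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.keep sys_admin,sys_chroot
+netfilter
+nodvd
+nogroups
+notv
+nou2f
+shell none
+
+disable-mnt
+private-bin locale,slack
+private-cache
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe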
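--- /dev/null
+++ b/etc/profile-m-z/slashem.profile
@@ -0,0 +1,47 @@
+# Firejail profile for slashem
+# Description: A rogue-like single player dungeon exploration game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include slashem.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /var/games/slashem
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+whitelist /var/games/slashem
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+#nonewprivs
+#noroot
+nosound
+notv
+novideo
+#protocol unix,netlink
+#seccomp
+shell none
+
+disable-mnt
+#private
+private-cache
+private-dev
+private-tmp
+writable-var
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute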
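Review bot: Lines 28, 29, 33 and 34 disable `nonewprivs`, `noroot`, `protocol` and `seccomp` by commenting them out, and line 42 adds `writable-var`, but no comment records what breaks when they are enabled. The likely cause is the game's shared score file under `/var/games/slashem` (line 9), which is usually written via a setgid binary, but that is an inference worth confirming. One comment above line 28, such as `# nonewprivs/noroot/seccomp break the setgid score-file handling - see <issue>` with the real reason filled in, would stop a later cleanup from re-enabling them blindly or, conversely, from leaving them off when the reason no longer applies.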
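--- /dev/null
+++ b/etc/profile-m-z/smplayer.profile
@@ -0,0 +1,49 @@
+# Firejail profile for smplayer
+# Description: Complete front-end for MPlayer and mpv
+# This file is overwritten after every install/update
+# Persistent local customizations
+include smplayer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/smplayer
+noblacklist ${HOME}/.config/youtube-dl
+noblacklist ${HOME}/.mplayer
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/smplayer
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+# nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin env,mplayer,mpv,python*,smplayer,smtube,youtube-dl
+private-dev
+private-tmp
+
+# problems with KDE
+# dbus-user none
+# dbus-system none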
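--- /dev/null
+++ b/etc/profile-m-z/smtube.profile
@@ -0,0 +1,48 @@
+# Firejail profile for smtube
+# Description: YouTube videos browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include smtube.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/smplayer
+noblacklist ${HOME}/.config/smtube
+noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.mplayer
+noblacklist ${HOME}/.config/vlc
+noblacklist ${HOME}/.local/share/vlc
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/smplayer
+whitelist /usr/share/smtube
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+notv
+nou2f
+novideo
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+#no private-bin because users can add their own players to smtube and that would prevent that
+private-dev
+private-tmp
+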
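Review bot: Lines 34-40 break the alphabetical ordering that every other profile in this commit keeps for the `no*` options (`nodvd`, `nogroups`, `nonewprivs`, `noroot`, `notv`, `nou2f`, `novideo`), which makes a quick visual check for a missing hardening option harder than it needs to be. Reordering them to `nodvd`, `nogroups`, `nonewprivs`, `noroot`, `notv`, `nou2f`, `novideo` is purely cosmetic but matches the surrounding files. The trailing empty line 48 can also go.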
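--- /dev/null
+++ b/etc/profile-m-z/snox.profile
@@ -0,0 +1,19 @@
+# Firejail profile for snox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include snox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/snox
+noblacklist ${HOME}/.config/snox
+
+#mkdir ${HOME}/.cache/dnox
+#mkdir ${HOME}/.config/dnox
+mkdir ${HOME}/.cache/snox
+mkdir ${HOME}/.config/snox
+whitelist ${HOME}/.cache/snox
+whitelist ${HOME}/.config/snox
+
+# Redirect
+include chromium-common.profile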
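Review bot: Lines 11-12 are commented-out `mkdir` directives for `dnox` paths inside the snox profile; they look like leftovers from the profile this one was copied from rather than an intentional option. Commented-out directives that reference another program are confusing to anyone editing `snox.local`, so either delete the two lines or replace them with a comment stating why a dnox directory would ever matter here.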
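--- /dev/null
+++ b/etc/profile-m-z/soffice.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+
+# Redirect
+include libreoffice.profile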
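--- /dev/null
+++ b/etc/profile-m-z/sol.profile
@@ -0,0 +1,46 @@
+# Firejail profile for default
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sol.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# all necessary files in $HOME are in whitelist-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+# no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+# nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-bin sol
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+# memory-deny-write-execute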
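Review bot: The header on line 1 reads `# Firejail profile for default`, but this is sol.profile; it should be `# Firejail profile for sol`, and a `# Description:` line would help since the program name is not self-explanatory. The same copy-paste slip appears in sound-juicer.profile, whose line 1 says `# Firejail profile for mpv` although the Description line below it correctly names sound-juicer. These headers are what users grep for when looking up which profile applies, so the wrong program name is worth fixing in both files.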
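--- /dev/null
+++ b/etc/profile-m-z/sound-juicer.profile
@@ -0,0 +1,43 @@
+# Firejail profile for mpv
+# Description: Graphical audio CD ripper and encoder
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sound-juicer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/sound-juicer
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+nou2f
+notv
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
+
+# dbus-user none
+# dbus-system none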
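--- /dev/null
+++ b/etc/profile-m-z/soundconverter.profile
@@ -0,0 +1,50 @@
+# Firejail profile for soundconverter
+# Description: GNOME application to convert audio files into other formats
+# This file is overwritten after every install/update
+# Persistent local customizations
+include soundconverter.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist /usr/share/soundconverter
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp
+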
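--- /dev/null
+++ b/etc/profile-m-z/spectre-meltdown-checker.profile
@@ -0,0 +1,54 @@
+# Firejail profile for spectre-meltdown-checker
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include spectre-meltdown-checker.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${PATH}/mount
+noblacklist ${PATH}/umount
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/perl5
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+allow-debuggers
+caps.keep sys_rawio
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+nosound
+notv
+novideo
+protocol unix
+seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@reboot,@resources,@swap
+shell none
+x11 none
+
+disable-mnt
+private
+private-bin awk,bzip2,cat,coreos-install,cpucontrol,cut,dd,dirname,dmesg,dnf,echo,grep,gunzip,gz,gzip,head,id,kldload,kldstat,liblz4-tool,lzop,mktemp,modinfo,modprobe,mount,nm,objdump,od,perl,printf,readelf,rm,sed,seq,sh,sort,spectre-meltdown-checker,spectre-meltdown-checker.sh,stat,strings,sysctl,tail,test,toolbox,tr,uname,which,xz-utils
+private-cache
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute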
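Review bot: Lines 29-30 grant `allow-debuggers` and `caps.keep sys_rawio`, lines 11-12 un-blacklist `mount`/`umount`, and `noroot` is absent, but no comment says which part of the checker needs each of these. The `seccomp.drop` list on line 41 shows the profile was built with care, so this is most likely deliberate (reading MSRs or the microcode/debugfs paths would be the obvious reason, but confirm), and a short comment above line 29 such as `# sys_rawio, ptrace and mount are needed to read MSRs and kernel debug data` — with the actual reason — would make the privilege set reviewable rather than a mystery to the next maintainer.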
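--- /dev/null
+++ b/etc/profile-m-z/spotify.profile
@@ -0,0 +1,54 @@
+# Firejail profile for spotify
+# This file is overwritten after every install/update
+# Persistent local customizations
+include spotify.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/spotify
+noblacklist ${HOME}/.config/spotify
+noblacklist ${HOME}/.local/share/spotify
+
+blacklist ${HOME}/.bashrc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/spotify
+mkdir ${HOME}/.config/spotify
+mkdir ${HOME}/.local/share/spotify
+whitelist ${HOME}/.cache/spotify
+whitelist ${HOME}/.config/spotify
+whitelist ${HOME}/.local/share/spotify
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,cat,dirname,find,grep,head,rm,sh,spotify,tclsh,touch,zenity
+private-dev
+# Comment the next line or put 'ignore private-etc' in your spotify.local if want to see the albums covers or if you want to use the radio
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
+private-opt spotify
+private-srv none
+private-tmp
+
+# dbus needed for MPRIS
+# dbus-user none
+# dbus-system none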
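Review bot: Line 12 adds `blacklist ${HOME}/.bashrc` on top of the whitelist block, which already hides everything in `${HOME}` that is not whitelisted (lines 24-27), so either the line is redundant or it guards a case the whitelist does not cover; a comment saying which would help, e.g. `# ${HOME}/.bashrc is sourced by the bundled bash wrapper - see <issue>` if that is the reason. The comment on line 46 also reads `if want to see the albums covers`; `if you want to see the album covers` is what is meant.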
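--- /dev/null
+++ b/etc/profile-m-z/sqlitebrowser.profile
@@ -0,0 +1,49 @@
+# Firejail profile for sqlitebrowser
+# Description: GUI editor for SQLite databases
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sqlitebrowser.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/sqlitebrowser
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin sqlitebrowser
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,ssl
+private-tmp
+
+# breaks proxy creation
+# dbus-user none
+# dbus-system none
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)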
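--- /dev/null
+++ b/etc/profile-m-z/ssh-agent.profile
@@ -0,0 +1,38 @@
+# Firejail profile for ssh-agent
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ssh-agent.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /etc/ssh
+noblacklist /tmp/ssh-*
+noblacklist ${HOME}/.ssh
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-usr-share-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+writable-run-user
+
+dbus-user none
+dbus-system none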
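--- /dev/null
+++ b/etc/profile-m-z/ssh.profile
@@ -0,0 +1,52 @@
+# Firejail profile for ssh
+# Description: Secure shell client and server
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ssh.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /etc/ssh
+noblacklist /tmp/ssh-*
+noblacklist ${HOME}/.ssh
+# nc can be used as ProxyCommand, e.g. when using tor
+noblacklist ${PATH}/nc
+noblacklist ${PATH}/ncat
+
+include disable-common.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+whitelist ${RUNUSER}/keyring/ssh
+whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+# noroot - see issue #1543
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+# private-tmp # Breaks when exiting
+writable-run-user
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute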
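--- /dev/null
+++ b/etc/profile-m-z/standardnotes-desktop.profile
@@ -0,0 +1,44 @@
+# Firejail profile for standardnotes-desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include standardnotes-desktop.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/Standard Notes Backups
+noblacklist ${HOME}/.config/Standard Notes
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/Standard Notes Backups
+mkdir ${HOME}/.config/Standard Notes
+whitelist ${HOME}/Standard Notes Backups
+whitelist ${HOME}/.config/Standard Notes
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+
+disable-mnt
+private-dev
+private-tmp
+private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,pki,resolv.conf,ssl,xdg
+
+dbus-user none
+dbus-system none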
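Review bot: Line 36 exempts `chroot` from the seccomp filter without a comment saying which operation needs it, whereas comparable exceptions elsewhere in this commit are explained (`# blacklisting of ioperm system calls breaks simple-scan` above `seccomp !ioperm` in simple-scan.profile); the same unexplained `seccomp !chroot` is on line 30 of start-tor-browser.profile. This profile is also the only one in this range without `shell none`, and `nonewprivs` is set while `noroot` is too, so if the omission is intentional a comment would keep a later cleanup from adding it back blindly. Suggested comment above line 36: `# chroot is used by the bundled sandbox helper - TODO confirm and link the issue`.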
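--- /dev/null
+++ b/etc/profile-m-z/start-tor-browser.desktop.profile
@@ -0,0 +1,76 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include start-tor-browser.desktop.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser*
+
+whitelist ${HOME}/.tor-browser-ar
+whitelist ${HOME}/.tor-browser-ca
+whitelist ${HOME}/.tor-browser-cs
+whitelist ${HOME}/.tor-browser-da
+whitelist ${HOME}/.tor-browser-de
+whitelist ${HOME}/.tor-browser-el
+whitelist ${HOME}/.tor-browser-en
+whitelist ${HOME}/.tor-browser-en-us
+whitelist ${HOME}/.tor-browser-es
+whitelist ${HOME}/.tor-browser-es-es
+whitelist ${HOME}/.tor-browser-fa
+whitelist ${HOME}/.tor-browser-fr
+whitelist ${HOME}/.tor-browser-ga-ie
+whitelist ${HOME}/.tor-browser-he
+whitelist ${HOME}/.tor-browser-hu
+whitelist ${HOME}/.tor-browser-id
+whitelist ${HOME}/.tor-browser-is
+whitelist ${HOME}/.tor-browser-it
+whitelist ${HOME}/.tor-browser-ja
+whitelist ${HOME}/.tor-browser-ka
+whitelist ${HOME}/.tor-browser-ko
+whitelist ${HOME}/.tor-browser-nb
+whitelist ${HOME}/.tor-browser-nl
+whitelist ${HOME}/.tor-browser-pl
+whitelist ${HOME}/.tor-browser-pt-br
+whitelist ${HOME}/.tor-browser-ru
+whitelist ${HOME}/.tor-browser-sv-se
+whitelist ${HOME}/.tor-browser-tr
+whitelist ${HOME}/.tor-browser-vi
+whitelist ${HOME}/.tor-browser-zh-cn
+whitelist ${HOME}/.tor-browser-zh-tw
+
+whitelist ${HOME}/.tor-browser_ar
+whitelist ${HOME}/.tor-browser_ca
+whitelist ${HOME}/.tor-browser_cs
+whitelist ${HOME}/.tor-browser_da
+whitelist ${HOME}/.tor-browser_de
+whitelist ${HOME}/.tor-browser_el
+whitelist ${HOME}/.tor-browser_en
+whitelist ${HOME}/.tor-browser_en_US
+whitelist ${HOME}/.tor-browser_es
+whitelist ${HOME}/.tor-browser_es-ES
+whitelist ${HOME}/.tor-browser_fa
+whitelist ${HOME}/.tor-browser_fr
+whitelist ${HOME}/.tor-browser_ga-IE
+whitelist ${HOME}/.tor-browser_he
+whitelist ${HOME}/.tor-browser_hu
+whitelist ${HOME}/.tor-browser_id
+whitelist ${HOME}/.tor-browser_is
+whitelist ${HOME}/.tor-browser_it
+whitelist ${HOME}/.tor-browser_ja
+whitelist ${HOME}/.tor-browser_ka
+whitelist ${HOME}/.tor-browser_ko
+whitelist ${HOME}/.tor-browser_nb
+whitelist ${HOME}/.tor-browser_nl
+whitelist ${HOME}/.tor-browser_pl
+whitelist ${HOME}/.tor-browser_pt-BR
+whitelist ${HOME}/.tor-browser_ru
+whitelist ${HOME}/.tor-browser_sv-SE
+whitelist ${HOME}/.tor-browser_tr
+whitelist ${HOME}/.tor-browser_vi
+whitelist ${HOME}/.tor-browser_zh-CN
+whitelist ${HOME}/.tor-browser_zh-TW
+
+# Redirect
+include torbrowser-launcher.profile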
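--- /dev/null
+++ b/etc/profile-m-z/start-tor-browser.profile
@@ -0,0 +1,42 @@
+# Firejail profile for start-tor-browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include start-tor-browser.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${HOME}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp !chroot
+shell none
+# tracelog may cause issues, see github issue #1930
+#tracelog
+
+disable-mnt
+private-bin bash,cat,cp,cut,dirname,env,getconf,gpg,grep,gxmessage,id,kdialog,ln,mkdir,pwd,readlink,realpath,rm,sed,sh,tail,test,update-desktop-database,xmessage,zenity
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none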
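Review bot: `ignore noexec ${HOME}` on line 8 cancels the `noexec ${HOME}` that disable-exec.inc (line 12) presumably applies, and because this profile has no `whitelist` lines for home, the entire home directory is both visible and executable inside the sandbox without any recorded reason. Presumably the Tor Browser bundle is unpacked somewhere under $HOME and has to run its own binaries, but that should be stated, e.g. `# Tor Browser lives under ${HOME} and runs its own binaries; the noexec from disable-exec.inc would break it`. The same comment is the right place to tell users who keep the bundle in a fixed directory that a `whitelist ${HOME}/<bundle-dir>` line in start-tor-browser.local narrows what the browser can reach.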
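--- /dev/null
+++ b/etc/profile-m-z/steam-native.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for steam
+# This file is overwritten after every install/update
+
+# Redirect
+include steam.profile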
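--- /dev/null
+++ b/etc/profile-m-z/steam.profile
@@ -0,0 +1,112 @@
+# Firejail profile for steam
+# Description: Valve's Steam digital software delivery system
+# This file is overwritten after every install/update
+# Persistent local customizations
+include steam.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.killingfloor
+noblacklist ${HOME}/.local/share/3909/PapersPlease
+noblacklist ${HOME}/.local/share/aspyr-media
+noblacklist ${HOME}/.local/share/cdprojektred
+noblacklist ${HOME}/.local/share/feral-interactive
+noblacklist ${HOME}/.local/share/Steam
+noblacklist ${HOME}/.local/share/SuperHexagon
+noblacklist ${HOME}/.local/share/Terraria
+noblacklist ${HOME}/.local/share/vpltd
+noblacklist ${HOME}/.local/share/vulkan
+noblacklist ${HOME}/.steam
+noblacklist ${HOME}/.steampath
+noblacklist ${HOME}/.steampid
+# needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work
+noblacklist /sbin
+noblacklist /usr/sbin
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/unity3d
+mkdir ${HOME}/.killingfloor
+mkdir ${HOME}/.local/share/3909/PapersPlease
+mkdir ${HOME}/.local/share/aspyr-media
+mkdir ${HOME}/.local/share/cdprojektred
+mkdir ${HOME}/.local/share/feral-interactive
+mkdir ${HOME}/.local/share/Paradox Interactive
+mkdir ${HOME}/.local/share/Steam
+mkdir ${HOME}/.local/share/SuperHexagon
+mkdir ${HOME}/.local/share/Terraria
+mkdir ${HOME}/.local/share/vpltd
+mkdir ${HOME}/.local/share/vulkan
+mkdir ${HOME}/.mbwarband
+mkdir ${HOME}/.paradoxinteractive
+mkdir ${HOME}/.steam
+mkfile ${HOME}/.steampath
+mkfile ${HOME}/.steampid
+whitelist ${HOME}/.config/unity3d
+whitelist ${HOME}/.killingfloor
+whitelist ${HOME}/.local/share/3909/PapersPlease
+whitelist ${HOME}/.local/share/aspyr-media
+whitelist ${HOME}/.local/share/cdprojektred
+whitelist ${HOME}/.local/share/feral-interactive
+whitelist ${HOME}/.local/share/Paradox Interactive
+whitelist ${HOME}/.local/share/Steam
+whitelist ${HOME}/.local/share/SuperHexagon
+whitelist ${HOME}/.local/share/Terraria
+whitelist ${HOME}/.local/share/vpltd
+whitelist ${HOME}/.local/share/vulkan
+whitelist ${HOME}/.mbwarband
+whitelist ${HOME}/.paradoxinteractive
+whitelist ${HOME}/.steam
+whitelist ${HOME}/.steampath
+whitelist ${HOME}/.steampid
+whitelist ${HOME}/.steampid
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+#ipc-namespace
+netfilter
+nodvd
+# nVidia user may need to comment / ignore nogroups and noroot
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+# novideo should be commented for VR
+novideo
+protocol unix,inet,inet6,netlink
+# seccomp cause sometimes issues (see #2951, #3267),
+# comment it or add 'ignore seccomp' to steam.local if so.
+seccomp !kcmp,!ptrace
+shell none
+# tracelog disabled as it breaks integrated browser
+#tracelog
+
+# private-bin is disabled while in testing, but has been tested working with multiple games
+#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lsof,lspci,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity
+# extra programs are available which might be needed for select games
+#private-bin java,java-config,mono
+# picture viewers are needed for viewing screenshots
+#private-bin eog,eom,gthumb,pix,viewnior,xviewer
+
+# private-dev should be commented for controllers
+private-dev
+# private-etc breaks a small selection of games on some systems, comment to support those
+private-etc alternatives,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl
+private-tmp
+
+# breaks appindicator support
+# dbus-user none
+# dbus-system none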
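Review bot: `seccomp !kcmp,!ptrace` on line 92 re-enables ptrace inside the sandbox without a word of explanation, so any game process can attach to and read the memory of every other process in the jail, the Steam client included; if a particular component needs it, name it, e.g. `# ptrace/kcmp re-enabled for <component>; lets in-sandbox processes inspect each other`. The `noblacklist /sbin` and `/usr/sbin` exceptions on lines 23–24 get exactly that kind of justification on line 22, and the ptrace one deserves the same. Lines 72–73 both whitelist `${HOME}/.steampid` and line 107 lists `alternatives` twice in private-etc — harmless, but they suggest the lists were merged by hand and should be deduplicated.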
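--- /dev/null
+++ b/etc/profile-m-z/stellarium.profile
@@ -0,0 +1,45 @@
+# Firejail profile for stellarium
+# Description: Real-time photo-realistic sky generator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include stellarium.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/stellarium
+noblacklist ${HOME}/.stellarium
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/stellarium
+mkdir ${HOME}/.stellarium
+whitelist ${HOME}/.config/stellarium
+whitelist ${HOME}/.stellarium
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin stellarium
+private-dev
+private-tmp
+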
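Review bot: neither `dbus-user none` nor `dbus-system none` appears anywhere in lines 26–44, while the sibling profiles added in this same commit (subdownloader, supertuxkart, teeworlds) close both buses; with network allowed through `netfilter`, the session bus is the remaining channel for the sandboxed process to drive desktop services. Unless stellarium is known to need a bus service, add `dbus-user none` and `dbus-system none` after `private-tmp`, or leave a comment naming the service that requires the bus so the omission reads as deliberate.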
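--- /dev/null
+++ b/etc/profile-m-z/strings.profile
@@ -0,0 +1,56 @@
+# Firejail profile for strings
+# Description: print the strings of printable characters in files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include strings.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+#include disable-programs.inc
+#include disable-xdg.inc
+
+#include whitelist-usr-share-common.inc
+#include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+#private
+#private-bin strings
+private-cache
+private-dev
+#private-etc alternatives
+#private-lib libfakeroot
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}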
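Review bot: `#include disable-common.inc` on line 13 is commented out with no explanation, so whatever that include hides in other profiles (presumably the ssh/gnupg and similar secret-bearing dotfiles — confirm) stays readable to the sandboxed strings process; `read-only ${HOME}` and `net none` on lines 56 and 28 limit what can be done with that access, but the trade-off should be written down, e.g. `# disable-common.inc omitted so strings can inspect arbitrary files; HOME is read-only and the network is off`. Separately, `blacklist ${RUNUSER}` on line 11 already covers `${RUNUSER}/wayland-*` on line 10, so line 10 is redundant and can go.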
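--- /dev/null
+++ b/etc/profile-m-z/studio.sh.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for Android Studio
+# This file is overwritten after every install/update
+
+# Redirect
+include android-studio.profile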
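--- /dev/null
+++ b/etc/profile-m-z/subdownloader.profile
@@ -0,0 +1,53 @@
+# Firejail profile for subdownloader
+# Description: Automatic download/upload of subtitles using fast hashing
+# This file is overwritten after every install/update
+# Persistent local customizations
+include subdownloader.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/SubDownloader
+noblacklist ${VIDEOS}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-tmp
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)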
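Review bot: `private-etc alternatives,fonts` on line 47 sits next to `netfilter` and `protocol unix,inet,inet6` (lines 31 and 40), yet it exposes no `resolv.conf`, `hosts`, `ca-certificates`, `ssl`, `pki` or `crypto-policies`, so name resolution and TLS certificate verification inside the sandbox have nothing to read, and the first user-side "fix" for a failing download is likely to be commenting private-etc out entirely. Unless the application has been verified to work with this list, use the set supertuxkart.profile adopts in this same commit: `private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,pki,resolv.conf,ssl`.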
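--- /dev/null
+++ b/etc/profile-m-z/supertux2.profile
@@ -0,0 +1,43 @@
+# Firejail profile for supertux2
+# Description: Jump'n run like game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include supertux2.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/supertux2
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.local/share/supertux2
+whitelist ${HOME}/.local/share/supertux2
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+
+disable-mnt
+# private-bin supertux2
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none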
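--- /dev/null
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -0,0 +1,57 @@
+# Firejail profile for supertuxkart
+# Description: Free kart racing game.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include supertuxkart.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/supertuxkart
+noblacklist ${HOME}/.cache/supertuxkart
+noblacklist ${HOME}/.local/share/supertuxkart
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include disable-interpreters.inc
+
+mkdir ${HOME}/.config/supertuxkart
+mkdir ${HOME}/.cache/supertuxkart
+mkdir ${HOME}/.local/share/supertuxkart
+whitelist ${HOME}/.config/supertuxkart
+whitelist ${HOME}/.cache/supertuxkart
+whitelist ${HOME}/.local/share/supertuxkart
+whitelist /usr/share/supertuxkart
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin supertuxkart
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,machine-id,openal,pki,resolv.conf,ssl
+private-tmp
+private-opt none
+private-srv none
+
+dbus-user none
+dbus-system none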
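--- /dev/null
+++ b/etc/profile-m-z/surf.profile
@@ -0,0 +1,39 @@
+# Firejail profile for surf
+# Description: Simple web browser by suckless community
+# This file is overwritten after every install/update
+# Persistent local customizations
+include surf.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.surf
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.surf
+whitelist ${HOME}/.surf
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,curl,dmenu,ls,printf,sed,sh,sleep,st,stterm,surf,xargs,xprop
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,passwd,pki,resolv.conf,ssl
+private-tmp
+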
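Review bot: surf is the one general-purpose web browser in this batch, yet lines 22–32 leave out `nogroups`, `novideo`, `include disable-interpreters.inc`, `include disable-xdg.inc` and the `dbus-user none`/`dbus-system none` pair that the game and utility profiles around it all apply, so a compromised renderer has more room here than in, say, teeworlds. Add `nogroups`, `novideo` and the two `dbus-* none` lines, and include `disable-interpreters.inc`: the private-bin list on line 35 already hands surf's helper scripts `sh`, `bash`, `curl` and `xargs`, so interpreters beyond the shell are presumably not needed — confirm against the scripts surf's build is configured to call.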
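--- /dev/null
+++ b/etc/profile-m-z/swell-foop.profile
@@ -0,0 +1,21 @@
+# Firejail profile for swell-foop
+# Description: GNOME colored tiles puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include swell-foop.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/swell-foop
+
+mkdir ${HOME}/.local/share/swell-foop
+whitelist ${HOME}/.local/share/swell-foop
+
+whitelist /usr/share/swell-foop
+
+private-bin swell-foop
+
+dbus-user.own org.gnome.SwellFoop
+
+# Redirect
+include gnome_games-common.profile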
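--- /dev/null
+++ b/etc/profile-m-z/sylpheed.profile
@@ -0,0 +1,17 @@
+# Firejail profile for sylpheed
+# Description: Light weight e-mail client with GTK+
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sylpheed.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.sylpheed-2.0
+
+mkdir ${HOME}/.sylpheed-2.0
+whitelist ${HOME}/.sylpheed-2.0
+
+whitelist /usr/share/sylpheed
+
+# Redirect
+include email-common.profile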
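--- /dev/null
+++ b/etc/profile-m-z/synfigstudio.profile
@@ -0,0 +1,39 @@
+# Firejail profile for synfigstudio
+# Description: Vector-based 2D animation package
+# This file is overwritten after every install/update
+# Persistent local customizations
+include synfigstudio.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/synfig
+noblacklist ${HOME}/.synfig
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+#private-bin ffmpeg,synfig,synfigstudio
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none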
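--- /dev/null
+++ b/etc/profile-m-z/sysprof-cli.profile
@@ -0,0 +1,20 @@
+# Firejail profile for sysprof-cli
+# Description: Kernel based performance profiler (CLI)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sysprof-cli.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# There is no GUI help menu to break in the CLI version
+private-bin sysprof-cli
+private-lib
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+
+# Redirect
+include sysprof.profile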
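--- /dev/null
+++ b/etc/profile-m-z/sysprof.profile
@@ -0,0 +1,52 @@
+# Firejail profile for sysprof
+# Description: Kernel based performance profiler (GUI)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sysprof.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+# Ubuntu 16.04 version needs root privileges - uncomment or put in sysprof.local if you don't use that
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,netlink
+shell none
+tracelog
+
+disable-mnt
+#private-bin sysprof - breaks GUI help menu
+private-cache
+private-dev
+private-etc alternatives,fonts,ld.so.cache,machine-id,ssl
+# private-lib breaks GUI help menu
+#private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so
+private-tmp
+
+# makes settings immutable
+# dbus-user none
+# dbus-system none
+
+# memory-deny-write-execute - Breaks GUI on Arch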
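Review bot: there is no `seccomp` line at all in lines 20–37, and nothing says why, even though every other non-alias profile in this chunk enables it and this one also leaves `noroot` off (line 30) — so a profiler that may run as root gets neither the syscall filter nor the user-namespace root drop. If the omission is because sysprof needs `perf_event_open`, which Firejail's default seccomp list blocks as far as I recall, then `seccomp !perf_event_open` keeps the rest of the filter active and should replace the silent absence; either way add a comment beside line 29's note, e.g. `# seccomp disabled: sysprof needs perf_event_open`, so the next maintainer does not "fix" it blindly in one direction or the other. sysprof-cli.profile inherits this through its redirect and would benefit from the same line.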
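--- /dev/null
+++ b/etc/profile-m-z/tar.profile
@@ -0,0 +1,55 @@
+# Firejail profile for tar
+# Description: GNU version of the tar archiving utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include tar.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+# Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only.
+noblacklist /var/lib/pacman
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+apparmor
+caps.drop all
+hostname tar
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+# support compressed archives
+private-bin awk,bash,bzip2,compress,firejail,grep,gtar,gzip,lbzip2,lzip,lzma,lzop,sh,tar,xz
+private-cache
+private-dev
+private-etc alternatives,group,localtime,login.defs,passwd
+private-lib libfakeroot
+# Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
+writable-var
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute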
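Review bot: the private-bin list on line 44 includes `firejail` itself, which is unusual and unexplained under a comment that only mentions compressed archives; if it is there because firecfg symlinks `tar` to firejail on some installs, record that, e.g. `# firejail is listed because firecfg may symlink tar to it`. `writable-var` on line 50 makes the whole of /var writable, not just what `dpkg --unpack` touches, and with `#noroot` on line 32 tar will be running as real root in exactly that scenario; the comment on line 49 explains the need, but it should also warn that the protection against a crafted archive escaping into /var is gone, since archives with absolute or `..` paths are what a sandboxed tar is meant to contain. Line 12's claim that pacman's directory is automatically read-only rests on `caps.drop all` and the user's permissions, not on Firejail itself — worth softening.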
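--- /dev/null
+++ b/etc/profile-m-z/tb-starter-wrapper.profile
@@ -0,0 +1,19 @@
+# Firejail profile for tb-starter-wrapper
+# Description: wrapper-script used by whonix to start the tor browser
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tb-starter-wrapper.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tb
+
+mkdir ${HOME}/.tb
+whitelist ${HOME}/.tb
+
+private-bin tb-starter-wrapper
+
+# Redirect
+include torbrowser-launcher.profile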
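--- /dev/null
+++ b/etc/profile-m-z/tcpdump.profile
@@ -0,0 +1,45 @@
+# Firejail profile for tcpdump
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include tcpdump.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /sbin
+noblacklist /usr/sbin
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+
+apparmor
+caps.keep net_raw
+ipc-namespace
+#net tun0
+netfilter
+no3d
+nodvd
+#nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink,packet
+seccomp
+
+disable-mnt
+#private
+#private-bin tcpdump
+private-dev
+private-tmp
+
+memory-deny-write-execute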
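Review bot: `shell none` is missing from lines 22–37 and `#private-bin tcpdump` on line 41 is commented out, so a process that keeps `CAP_NET_RAW` through `caps.keep net_raw` (line 23) and usually runs as root (`#noroot`, line 31) has the whole of /usr/bin at hand; tcpdump's `-z` option runs an external command after every file rotation, which is the natural path a parser bug triggered by hostile traffic would take. Add `shell none` and enable `private-bin tcpdump` (append `gzip` if `-z gzip` must keep working), and give `#noroot`/`#nogroups` a one-line comment explaining that packet capture needs them off so users do not re-enable them. `private-etc` is absent, which is probably intentional because tcpdump drops to an unprivileged account via /etc/passwd on many distributions — if so, say that too.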
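--- /dev/null
+++ b/etc/profile-m-z/teams-for-linux.profile
@@ -0,0 +1,36 @@
+# Firejail profile for teams-for-linux
+# Description: Unofficial Microsoft Teams client for Linux using Electron.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include teams-for-linux.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+ignore dbus-user none
+ignore dbus-system none
+
+noblacklist ${HOME}/.config/teams-for-linux
+
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+
+mkdir ${HOME}/.config/teams-for-linux
+whitelist ${HOME}/.config/teams-for-linux
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+nou2f
+novideo
+shell none
+
+disable-mnt
+private-bin bash,cut,echo,egrep,grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,resolv.conf,ssl
+private-tmp
+
+# Redirect
+include electron.profile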
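Review bot: `ignore dbus-user none` and `ignore dbus-system none` on lines 10–11 give the Electron process unrestricted access to both buses, undoing whatever electron.profile sets, with no note on which service needs it (tray icon, notifications, screen sharing?). Record the reason in a comment such as `# dbus re-enabled for notifications/tray`, and if this Firejail version supports `dbus-user filter`, prefer it with explicit `dbus-user.talk` rules so the whole session bus is not exposed; the system bus in particular is rarely needed by a chat client. `novideo` on line 25 disables the camera for a video-conferencing client — a reasonable privacy default, but it deserves a comment telling users to put `ignore novideo` in teams-for-linux.local for calls.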
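--- /dev/null
+++ b/etc/profile-m-z/teams.profile
@@ -0,0 +1,38 @@
+# Firejail profile for teams
+# Description: Official Microsoft Teams client for Linux using Electron.
+# This file is overwritten after every install/update
+# Known issues:
+# * if Teams crashes on startup try using "ignore apparmor" in your local config
+# Persistent local customizations
+include teams.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+ignore dbus-user none
+ignore dbus-system none
+
+noblacklist ${HOME}/.config/teams
+noblacklist ${HOME}/.config/Microsoft
+
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+
+mkdir ${HOME}/.config/teams
+mkdir ${HOME}/.config/Microsoft
+whitelist ${HOME}/.config/teams
+whitelist ${HOME}/.config/Microsoft
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+nou2f
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+
+# Redirect
+include electron.profile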
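Review bot: `ignore dbus-system none` on line 13 re-enables the system bus for an Electron chat client, which is rarely required and, unlike the session bus, exposes system services (login, network management, and the like) to the sandboxed process; name the service that needs it in a comment or drop the line and keep only `ignore dbus-user none`. The known-issues advice on line 5 to `ignore apparmor` removes an entire enforcement layer to cure a crash; it would serve users better to point them at the AppArmor denial in the audit log first, e.g. `# * if Teams crashes on startup, check the audit log for an apparmor DENIED line before resorting to "ignore apparmor"`. This profile does not include disable-common.inc itself and presumably relies on electron.profile for it — confirm.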
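--- /dev/null
+++ b/etc/profile-m-z/teamspeak3.profile
@@ -0,0 +1,42 @@
+# Firejail profile for teamspeak3
+# Description: TeamSpeak is software for quality voice communication via the Internet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include teamspeak3.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.ts3client
+noblacklist ${PATH}/openssl
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.ts3client
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.ts3client
+include whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+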
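Review bot: two exceptions, `noblacklist ${PATH}/openssl` on line 10 and `seccomp !chroot` on line 36, are unexplained; the first puts the openssl binary back within reach and the second re-enables a syscall that embedded browser sandboxes use but that is otherwise a building block for breaking out, so each needs a comment naming the component that requires it, e.g. `# TS3's embedded web view needs chroot for its own sandbox` if that is indeed the reason. The profile also has no `private-etc`, `private-bin` or `dbus-user none`/`dbus-system none` lines, unlike teeworlds directly below it in this commit; if they were tried and broke the client, a comment saying so would stop the next reviewer from asking again.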
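--- /dev/null
+++ b/etc/profile-m-z/teeworlds.profile
@@ -0,0 +1,46 @@
+# Firejail profile for teeworlds
+# Description: Online multi-player platform 2D shooter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include teeworlds.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.teeworlds
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.teeworlds
+whitelist ${HOME}/.teeworlds
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin teeworlds
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none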
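--- /dev/null
+++ b/etc/profile-m-z/telegram-desktop.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for telegram
+# Description: Official Telegram Desktop client
+# This file is overwritten after every install/update
+
+# Redirect
+include telegram.profile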
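--- /dev/null
+++ b/etc/profile-m-z/telegram.profile
@@ -0,0 +1,29 @@
+# Firejail profile for telegram
+# This file is overwritten after every install/update
+# Persistent local customizations
+include telegram.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.TelegramDesktop
+noblacklist ${HOME}/.local/share/TelegramDesktop
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+
+disable-mnt
+private-cache
+private-tmp
+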
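Review bot: telegram.profile leaves far more of the host visible than the sibling profiles in this commit: there is no `include disable-passwdmgr.inc` or `include disable-xdg.inc`, no `whitelist` section at all (the two `noblacklist` lines on 8–9 only un-hide directories, so the rest of `${HOME}` stays readable and writable), and `private-dev`, `nogroups`, `nou2f` and `shell none` are absent. For a client that renders untrusted network content, taking password-manager directories away is the most obvious gap; the other options match what teeworlds and terasology already set. A `${HOME}` whitelist is deliberately not proposed here because it would change which files the client can send and receive and needs testing first. The `# Description:` header line that the other profiles carry is also missing.
```conf
# … unchanged: header and noblacklist rules …
include disable-passwdmgr.inc
include disable-xdg.inc
# … unchanged: caps.drop all, netfilter, nodvd …
nogroups
nou2f
shell none
# … unchanged: disable-mnt, private-cache …
private-dev
```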
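--- /dev/null
+++ b/etc/profile-m-z/terasology.profile
@@ -0,0 +1,48 @@
+# Firejail profile for terasology
+# This file is overwritten after every install/update
+# Persistent local customizations
+include terasology.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec /tmp
+
+noblacklist ${HOME}/.local/share/terasology
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.java
+mkdir ${HOME}/.local/share/terasology
+whitelist ${HOME}/.java
+whitelist ${HOME}/.local/share/terasology
+include whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,java-7-openjdk,java-8-openjdk,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pki,pulse,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none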
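Review bot: `net none` on line 30 and `protocol unix,inet,inet6` on line 38 contradict each other, and the `private-etc` list on line 44 still ships `resolv.conf`, `host.conf`, `hostname`, `hosts`, `ca-certificates`, `pki` and `ssl`, none of which a sandbox without a network interface can use. Either the game is meant to reach the network, in which case `net none` should become `netfilter` as teeworlds does, or it is not, in which case the inet protocols and those `private-etc` entries are dead weight that only widens the mount. `ignore noexec /tmp` on line 8 also drops a hardening default without explanation; a why-comment next to it, e.g. `# the Java launcher needs an executable /tmp here — TODO confirm why`, would record the exception the way line 12 already does for allow-java.inc.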
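--- /dev/null
+++ b/etc/profile-m-z/tex.profile
@@ -0,0 +1,12 @@
+# Firejail profile for tex
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tex.local
+# Persistent global definitions
+include globals.local
+
+private-bin tex
+
+# Redirect
+include latex-common.profile
+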
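--- /dev/null
+++ b/etc/profile-m-z/textmaker18.profile
@@ -0,0 +1,11 @@
+# Firejail profile for textmaker18
+# Description: SoftMaker Office - word processor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include textmaker18.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.inc
+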
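--- /dev/null
+++ b/etc/profile-m-z/textmaker18free.profile
@@ -0,0 +1,11 @@
+# Firejail profile for textmaker18free
+# Description: SoftMaker Office - word processor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include textmaker18free.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.inc
+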
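--- /dev/null
+++ b/etc/profile-m-z/thunar.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for Thunar
+# Description: Modern file manager for Xfce
+# This file is overwritten after every install/update
+
+# Redirect
+include Thunar.profile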
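--- /dev/null
+++ b/etc/profile-m-z/thunderbird-beta.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for thunderbird-beta
+# This file is overwritten after every install/update
+
+private-opt thunderbird-beta
+
+# Redirect
+include thunderbird.profile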
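--- /dev/null
+++ b/etc/profile-m-z/thunderbird-wayland.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for thunderbird-wayland
+# This file is overwritten after every install/update
+# Persistent local customizations
+include thunderbird-wayland.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include thunderbird.profile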
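--- /dev/null
+++ b/etc/profile-m-z/thunderbird.profile
@@ -0,0 +1,63 @@
+# Firejail profile for thunderbird
+# Description: Email, RSS and newsgroup client with integrated spam filter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include thunderbird.local
+# Persistent global definitions
+include globals.local
+
+# writable-run-user and dbus are needed by enigmail
+ignore dbus-user none
+ignore dbus-system none
+writable-run-user
+
+# If you want to read local mail stored in /var/mail, add the following to thunderbird.local:
+#noblacklist /var/mail
+#noblacklist /var/spool/mail
+#whitelist /var/mail
+#whitelist /var/spool/mail
+#writable-var
+
+# These lines are needed to allow Firefox to load your profile when clicking a link in an email
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.mozilla/firefox/profiles.ini
+
+noblacklist ${HOME}/.cache/thunderbird
+noblacklist ${HOME}/.gnupg
+# noblacklist ${HOME}/.icedove
+noblacklist ${HOME}/.thunderbird
+
+include disable-passwdmgr.inc
+include disable-xdg.inc
+
+# If you have setup Thunderbird to archive emails to a local folder,
+# make sure you add the path to that folder to the mkdir and whitelist
+# rules below. Otherwise they will be deleted when you close Thunderbird.
+# See https://github.com/netblue30/firejail/issues/2357
+mkdir ${HOME}/.cache/thunderbird
+mkdir ${HOME}/.gnupg
+# mkdir ${HOME}/.icedove
+mkdir ${HOME}/.thunderbird
+whitelist ${HOME}/.cache/thunderbird
+whitelist ${HOME}/.gnupg
+# whitelist ${HOME}/.icedove
+whitelist ${HOME}/.thunderbird
+
+whitelist /usr/share/gnupg
+whitelist /usr/share/mozilla
+whitelist /usr/share/thunderbird
+whitelist /usr/share/webext
+include whitelist-usr-share-common.inc
+
+# machine-id breaks audio in browsers; enable or put it in your thunderbird.local when sound is not required
+#machine-id
+novideo
+
+# We need the real /tmp for data exchange when xdg-open handles email attachments on KDE
+ignore private-tmp
+
+read-only ${HOME}/.config/mimeapps.list
+
+# Redirect
+include firefox-common.profile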
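Review bot: Lines 27, 39 and 43 expose `${HOME}/.gnupg` — private keys, trustdb and agent sockets — read-write to a client that renders untrusted mail, and unlike the D-Bus block on lines 9–12 the profile never says that this is the price of running enigmail in-process. A why-comment next to line 43 such as `# .gnupg must stay read-write for enigmail; without enigmail it can be taken away again in thunderbird.local` would make the trade-off visible to someone auditing the profile. Whether a `blacklist ${HOME}/.gnupg` in thunderbird.local actually wins over the whitelist on line 43 depends on firejail's rule ordering, so the comment should not promise a specific directive without checking. The commented-out `.icedove` lines (28, 40, 44) are dead configuration and should either be removed or explained in the same way as the `/var/mail` block on lines 14–19.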
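--- /dev/null
+++ b/etc/profile-m-z/tilp.profile
@@ -0,0 +1,35 @@
+# Firejail profile for tilp
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tilp.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.tilp
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin tilp
+private-cache
+private-etc alternatives,fonts
+private-tmp
+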
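Review bot: The profile leaves out `private-dev` and keeps `netlink` in `protocol unix,netlink` (line 25) while setting `net none` (line 18), which only makes sense if the program needs the real device nodes and udev/netlink events for its USB calculator link cables; nothing in the hunk records that, so a maintainer copying the usual `private-dev` line in from a sibling profile would break it silently. A why-comment above line 25 such as `# netlink and the real /dev are needed for USB link cables — TODO confirm` would capture the intent. `nou2f` and `ipc-namespace`, present in every other hardened profile in this commit, are missing here as well, and neither looks related to device access.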
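--- /dev/null
+++ b/etc/profile-m-z/tor-browser-ar.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-ar
+
+mkdir ${HOME}/.tor-browser-ar
+whitelist ${HOME}/.tor-browser-ar
+
+# Redirect
+include torbrowser-launcher.profile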
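Review bot: The tor-browser-* and tor-browser_* aliases that follow this one differ only in the directory suffix on lines 4, 6 and 7, and two naming schemes coexist (`.tor-browser-xx` with a hyphen and `.tor-browser_xx` with an underscore); nothing records which scheme the current torbrowser-launcher creates, so one family is presumably stale and will be carried forward indefinitely. A one-line comment in each alias, e.g. `# directory name follows torbrowser-launcher's locale layout — TODO note which launcher version uses this form`, or a pointer to wherever this list is generated from, would let a maintainer prune the obsolete family with confidence. The `mkdir` on line 6 also creates the directory on every run even when that locale is not installed, a minor side effect worth mentioning in the same comment. This applies equally to every tor-browser alias through tor-browser_el.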
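--- /dev/null
+++ b/etc/profile-m-z/tor-browser-ca.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-ca
+
+mkdir ${HOME}/.tor-browser-ca
+whitelist ${HOME}/.tor-browser-ca
+
+# Redirect
+include torbrowser-launcher.profile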
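--- /dev/null
+++ b/etc/profile-m-z/tor-browser-cs.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-cs
+
+mkdir ${HOME}/.tor-browser-cs
+whitelist ${HOME}/.tor-browser-cs
+
+# Redirect
+include torbrowser-launcher.profile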
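--- /dev/null
+++ b/etc/profile-m-z/tor-browser-da.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-da
+
+mkdir ${HOME}/.tor-browser-da
+whitelist ${HOME}/.tor-browser-da
+
+# Redirect
+include torbrowser-launcher.profile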
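--- /dev/null
+++ b/etc/profile-m-z/tor-browser-de.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-de
+
+mkdir ${HOME}/.tor-browser-de
+whitelist ${HOME}/.tor-browser-de
+
+# Redirect
+include torbrowser-launcher.profile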
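--- /dev/null
+++ b/etc/profile-m-z/tor-browser-el.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-el
+
+mkdir ${HOME}/.tor-browser-el
+whitelist ${HOME}/.tor-browser-el
+
+# Redirect
+include torbrowser-launcher.profile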
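--- /dev/null
+++ b/etc/profile-m-z/tor-browser-en-us.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-en-us
+
+mkdir ${HOME}/.tor-browser-en-us
+whitelist ${HOME}/.tor-browser-en-us
+
+# Redirect
+include torbrowser-launcher.profile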
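--- /dev/null
+++ b/etc/profile-m-z/tor-browser-en.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-en
+
+mkdir ${HOME}/.tor-browser-en
+whitelist ${HOME}/.tor-browser-en
+
+# Redirect
+include torbrowser-launcher.profile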
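--- /dev/null
+++ b/etc/profile-m-z/tor-browser-es-es.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-es-es
+
+mkdir ${HOME}/.tor-browser-es-es
+whitelist ${HOME}/.tor-browser-es-es
+
+# Redirect
+include torbrowser-launcher.profile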
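--- /dev/null
+++ b/etc/profile-m-z/tor-browser-es.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-es
+
+mkdir ${HOME}/.tor-browser-es
+whitelist ${HOME}/.tor-browser-es
+
+# Redirect
+include torbrowser-launcher.profile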
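--- /dev/null
+++ b/etc/profile-m-z/tor-browser-fa.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-fa
+
+mkdir ${HOME}/.tor-browser-fa
+whitelist ${HOME}/.tor-browser-fa
+
+# Redirect
+include torbrowser-launcher.profile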
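--- /dev/null
+++ b/etc/profile-m-z/tor-browser-fr.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-fr
+
+mkdir ${HOME}/.tor-browser-fr
+whitelist ${HOME}/.tor-browser-fr
+
+# Redirect
+include torbrowser-launcher.profile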
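--- /dev/null
+++ b/etc/profile-m-z/tor-browser-ga-ie.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-ga-ie
+
+mkdir ${HOME}/.tor-browser-ga-ie
+whitelist ${HOME}/.tor-browser-ga-ie
+
+# Redirect
+include torbrowser-launcher.profile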
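--- /dev/null
+++ b/etc/profile-m-z/tor-browser-he.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-he
+
+mkdir ${HOME}/.tor-browser-he
+whitelist ${HOME}/.tor-browser-he
+
+# Redirect
+include torbrowser-launcher.profile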
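--- /dev/null
+++ b/etc/profile-m-z/tor-browser-hu.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-hu
+
+mkdir ${HOME}/.tor-browser-hu
+whitelist ${HOME}/.tor-browser-hu
+
+# Redirect
+include torbrowser-launcher.profile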
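--- /dev/null
+++ b/etc/profile-m-z/tor-browser-id.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-id
+
+mkdir ${HOME}/.tor-browser-id
+whitelist ${HOME}/.tor-browser-id
+
+# Redirect
+include torbrowser-launcher.profile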
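--- /dev/null
+++ b/etc/profile-m-z/tor-browser-is.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-is
+
+mkdir ${HOME}/.tor-browser-is
+whitelist ${HOME}/.tor-browser-is
+
+# Redirect
+include torbrowser-launcher.profile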
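--- /dev/null
+++ b/etc/profile-m-z/tor-browser-it.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-it
+
+mkdir ${HOME}/.tor-browser-it
+whitelist ${HOME}/.tor-browser-it
+
+# Redirect
+include torbrowser-launcher.profile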
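--- /dev/null
+++ b/etc/profile-m-z/tor-browser-ja.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-ja
+
+mkdir ${HOME}/.tor-browser-ja
+whitelist ${HOME}/.tor-browser-ja
+
+# Redirect
+include torbrowser-launcher.profile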
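--- /dev/null
+++ b/etc/profile-m-z/tor-browser-ka.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-ka
+
+mkdir ${HOME}/.tor-browser-ka
+whitelist ${HOME}/.tor-browser-ka
+
+# Redirect
+include torbrowser-launcher.profile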
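--- /dev/null
+++ b/etc/profile-m-z/tor-browser-ko.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-ko
+
+mkdir ${HOME}/.tor-browser-ko
+whitelist ${HOME}/.tor-browser-ko
+
+# Redirect
+include torbrowser-launcher.profile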
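--- /dev/null
+++ b/etc/profile-m-z/tor-browser-nb.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-nb
+
+mkdir ${HOME}/.tor-browser-nb
+whitelist ${HOME}/.tor-browser-nb
+
+# Redirect
+include torbrowser-launcher.profile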
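--- /dev/null
+++ b/etc/profile-m-z/tor-browser-nl.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-nl
+
+mkdir ${HOME}/.tor-browser-nl
+whitelist ${HOME}/.tor-browser-nl
+
+# Redirect
+include torbrowser-launcher.profile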
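--- /dev/null
+++ b/etc/profile-m-z/tor-browser-pl.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-pl
+
+mkdir ${HOME}/.tor-browser-pl
+whitelist ${HOME}/.tor-browser-pl
+
+# Redirect
+include torbrowser-launcher.profile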
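--- /dev/null
+++ b/etc/profile-m-z/tor-browser-pt-br.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-pt-br
+
+mkdir ${HOME}/.tor-browser-pt-br
+whitelist ${HOME}/.tor-browser-pt-br
+
+# Redirect
+include torbrowser-launcher.profile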
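--- /dev/null
+++ b/etc/profile-m-z/tor-browser-ru.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-ru
+
+mkdir ${HOME}/.tor-browser-ru
+whitelist ${HOME}/.tor-browser-ru
+
+# Redirect
+include torbrowser-launcher.profile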
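--- /dev/null
+++ b/etc/profile-m-z/tor-browser-sv-se.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-sv-se
+
+mkdir ${HOME}/.tor-browser-sv-se
+whitelist ${HOME}/.tor-browser-sv-se
+
+# Redirect
+include torbrowser-launcher.profile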
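--- /dev/null
+++ b/etc/profile-m-z/tor-browser-tr.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-tr
+
+mkdir ${HOME}/.tor-browser-tr
+whitelist ${HOME}/.tor-browser-tr
+
+# Redirect
+include torbrowser-launcher.profile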
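--- /dev/null
+++ b/etc/profile-m-z/tor-browser-vi.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-vi
+
+mkdir ${HOME}/.tor-browser-vi
+whitelist ${HOME}/.tor-browser-vi
+
+# Redirect
+include torbrowser-launcher.profile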
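--- /dev/null
+++ b/etc/profile-m-z/tor-browser-zh-cn.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-zh-cn
+
+mkdir ${HOME}/.tor-browser-zh-cn
+whitelist ${HOME}/.tor-browser-zh-cn
+
+# Redirect
+include torbrowser-launcher.profile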
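--- /dev/null
+++ b/etc/profile-m-z/tor-browser-zh-tw.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-zh-tw
+
+mkdir ${HOME}/.tor-browser-zh-tw
+whitelist ${HOME}/.tor-browser-zh-tw
+
+# Redirect
+include torbrowser-launcher.profile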
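--- /dev/null
+++ b/etc/profile-m-z/tor-browser.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser
+
+mkdir ${HOME}/.tor-browser
+whitelist ${HOME}/.tor-browser
+
+# Redirect
+include torbrowser-launcher.profile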
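--- /dev/null
+++ b/etc/profile-m-z/tor-browser_ar.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ar
+
+mkdir ${HOME}/.tor-browser_ar
+whitelist ${HOME}/.tor-browser_ar
+
+# Redirect
+include torbrowser-launcher.profile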
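--- /dev/null
+++ b/etc/profile-m-z/tor-browser_ca.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ca
+
+mkdir ${HOME}/.tor-browser_ca
+whitelist ${HOME}/.tor-browser_ca
+
+# Redirect
+include torbrowser-launcher.profile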
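--- /dev/null
+++ b/etc/profile-m-z/tor-browser_cs.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_cs
+
+mkdir ${HOME}/.tor-browser_cs
+whitelist ${HOME}/.tor-browser_cs
+
+# Redirect
+include torbrowser-launcher.profile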
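--- /dev/null
+++ b/etc/profile-m-z/tor-browser_da.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_da
+
+mkdir ${HOME}/.tor-browser_da
+whitelist ${HOME}/.tor-browser_da
+
+# Redirect
+include torbrowser-launcher.profile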
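--- /dev/null
+++ b/etc/profile-m-z/tor-browser_de.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_de
+
+mkdir ${HOME}/.tor-browser_de
+whitelist ${HOME}/.tor-browser_de
+
+# Redirect
+include torbrowser-launcher.profile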
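--- /dev/null
+++ b/etc/profile-m-z/tor-browser_el.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_el
+
+mkdir ${HOME}/.tor-browser_el
+whitelist ${HOME}/.tor-browser_el
+
+# Redirect
+include torbrowser-launcher.profile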
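--- /dev/null
+++ b/etc/profile-m-z/tor-browser_en-US.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_en-US
+
+mkdir ${HOME}/.tor-browser_en-US
+whitelist ${HOME}/.tor-browser_en-US
+
+# Redirect
+include torbrowser-launcher.profile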
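--- /dev/null
+++ b/etc/profile-m-z/tor-browser_en.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_en
+
+mkdir ${HOME}/.tor-browser_en
+whitelist ${HOME}/.tor-browser_en
+
+# Redirect
+include torbrowser-launcher.profile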
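--- /dev/null
+++ b/etc/profile-m-z/tor-browser_es-ES.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_es-ES
+
+mkdir ${HOME}/.tor-browser_es-ES
+whitelist ${HOME}/.tor-browser_es-ES
+
+# Redirect
+include torbrowser-launcher.profile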
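--- /dev/null
+++ b/etc/profile-m-z/tor-browser_es.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_es
+
+mkdir ${HOME}/.tor-browser_es
+whitelist ${HOME}/.tor-browser_es
+
+# Redirect
+include torbrowser-launcher.profile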
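--- /dev/null
+++ b/etc/profile-m-z/tor-browser_fa.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_fa
+
+mkdir ${HOME}/.tor-browser_fa
+whitelist ${HOME}/.tor-browser_fa
+
+# Redirect
+include torbrowser-launcher.profile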
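--- /dev/null
+++ b/etc/profile-m-z/tor-browser_fr.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_fr
+
+mkdir ${HOME}/.tor-browser_fr
+whitelist ${HOME}/.tor-browser_fr
+
+# Redirect
+include torbrowser-launcher.profile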
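--- /dev/null
+++ b/etc/profile-m-z/tor-browser_ga-IE.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ga-IE
+
+mkdir ${HOME}/.tor-browser_ga-IE
+whitelist ${HOME}/.tor-browser_ga-IE
+
+# Redirect
+include torbrowser-launcher.profile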
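--- /dev/null
+++ b/etc/profile-m-z/tor-browser_he.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_he
+
+mkdir ${HOME}/.tor-browser_he
+whitelist ${HOME}/.tor-browser_he
+
+# Redirect
+include torbrowser-launcher.profile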
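--- /dev/null
+++ b/etc/profile-m-z/tor-browser_hu.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_hu
+
+mkdir ${HOME}/.tor-browser_hu
+whitelist ${HOME}/.tor-browser_hu
+
+# Redirect
+include torbrowser-launcher.profile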
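--- /dev/null
+++ b/etc/profile-m-z/tor-browser_id.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_id
+
+mkdir ${HOME}/.tor-browser_id
+whitelist ${HOME}/.tor-browser_id
+
+# Redirect
+include torbrowser-launcher.profile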
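--- /dev/null
+++ b/etc/profile-m-z/tor-browser_is.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_is
+
+mkdir ${HOME}/.tor-browser_is
+whitelist ${HOME}/.tor-browser_is
+
+# Redirect
+include torbrowser-launcher.profile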
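--- /dev/null
+++ b/etc/profile-m-z/tor-browser_it.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_it
+
+mkdir ${HOME}/.tor-browser_it
+whitelist ${HOME}/.tor-browser_it
+
+# Redirect
+include torbrowser-launcher.profile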
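--- /dev/null
+++ b/etc/profile-m-z/tor-browser_ja.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ja
+
+mkdir ${HOME}/.tor-browser_ja
+whitelist ${HOME}/.tor-browser_ja
+
+# Redirect
+include torbrowser-launcher.profile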
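--- /dev/null
+++ b/etc/profile-m-z/tor-browser_ka.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ka
+
+mkdir ${HOME}/.tor-browser_ka
+whitelist ${HOME}/.tor-browser_ka
+
+# Redirect
+include torbrowser-launcher.profile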
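--- /dev/null
+++ b/etc/profile-m-z/tor-browser_ko.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ko
+
+mkdir ${HOME}/.tor-browser_ko
+whitelist ${HOME}/.tor-browser_ko
+
+# Redirect
+include torbrowser-launcher.profile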
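--- /dev/null
+++ b/etc/profile-m-z/tor-browser_nb.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_nb
+
+mkdir ${HOME}/.tor-browser_nb
+whitelist ${HOME}/.tor-browser_nb
+
+# Redirect
+include torbrowser-launcher.profile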
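--- /dev/null
+++ b/etc/profile-m-z/tor-browser_nl.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_nl
+
+mkdir ${HOME}/.tor-browser_nl
+whitelist ${HOME}/.tor-browser_nl
+
+# Redirect
+include torbrowser-launcher.profile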
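--- /dev/null
+++ b/etc/profile-m-z/tor-browser_pl.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_pl
+
+mkdir ${HOME}/.tor-browser_pl
+whitelist ${HOME}/.tor-browser_pl
+
+# Redirect
+include torbrowser-launcher.profile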
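--- /dev/null
+++ b/etc/profile-m-z/tor-browser_pt-BR.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_pt-BR
+
+mkdir ${HOME}/.tor-browser_pt-BR
+whitelist ${HOME}/.tor-browser_pt-BR
+
+# Redirect
+include torbrowser-launcher.profile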
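--- /dev/null
+++ b/etc/profile-m-z/tor-browser_ru.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ru
+
+mkdir ${HOME}/.tor-browser_ru
+whitelist ${HOME}/.tor-browser_ru
+
+# Redirect
+include torbrowser-launcher.profile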
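--- /dev/null
+++ b/etc/profile-m-z/tor-browser_sv-SE.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_sv-SE
+
+mkdir ${HOME}/.tor-browser_sv-SE
+whitelist ${HOME}/.tor-browser_sv-SE
+
+# Redirect
+include torbrowser-launcher.profile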
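--- /dev/null
+++ b/etc/profile-m-z/tor-browser_tr.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_tr
+
+mkdir ${HOME}/.tor-browser_tr
+whitelist ${HOME}/.tor-browser_tr
+
+# Redirect
+include torbrowser-launcher.profile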
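--- /dev/null
+++ b/etc/profile-m-z/tor-browser_vi.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_vi
+
+mkdir ${HOME}/.tor-browser_vi
+whitelist ${HOME}/.tor-browser_vi
+
+# Redirect
+include torbrowser-launcher.profile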
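--- /dev/null
+++ b/etc/profile-m-z/tor-browser_zh-CN.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_zh-CN
+
+mkdir ${HOME}/.tor-browser_zh-CN
+whitelist ${HOME}/.tor-browser_zh-CN
+
+# Redirect
+include torbrowser-launcher.profile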
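--- /dev/null
+++ b/etc/profile-m-z/tor-browser_zh-TW.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_zh-TW
+
+mkdir ${HOME}/.tor-browser_zh-TW
+whitelist ${HOME}/.tor-browser_zh-TW
+
+# Redirect
+include torbrowser-launcher.profile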
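--- /dev/null
+++ b/etc/profile-m-z/tor.profile
@@ -0,0 +1,51 @@
+# Firejail profile for tor
+# Description: Anonymizing overlay network for TCP
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor.local
+# Persistent global definitions
+include globals.local
+
+# How to use:
+# Create a script called anything (e.g. mytor)
+# with the following contents:
+
+# #!/bin/bash
+# TORCMD="tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 1"
+# sudo -b daemon -f -d -- firejail --profile=/home/<username>/.config/firejail/tor.profile $TORCMD
+
+# You'll also likely want to disable the system service (if it exists)
+# Run mytor (or whatever you called the script above) whenever you want to start tor
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.keep dac_read_search,net_bind_service,setgid,setuid
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private
+private-bin bash,tor
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor
+private-tmp
+writable-var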
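Review bot: `caps.keep dac_read_search,net_bind_service,setgid,setuid` on line 28 carries no explanation, and dac_read_search in particular lets the sandboxed daemon read any file regardless of its permission bits, which is a broad grant to keep on a long-running network service. Presumably it is kept because tor is launched as root (per the usage script on lines 13-15) and drops to its service user itself, which would also be why the profile has no `noroot`, but none of that is stated. A comment above line 28 such as `# tor starts as root and drops privileges itself (setuid/setgid); dac_read_search - TODO confirm which file needs it` would let a later reviewer prune the list. The same reasoning gap applies to `writable-var` on line 51, which appears to make /var writable as a whole rather than only tor's own state directory.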
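--- /dev/null
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -0,0 +1,56 @@
+# Firejail profile for torbrowser-launcher
+# Description: Helps download and run the Tor Browser Bundle
+# This file is overwritten after every install/update
+# Persistent local customizations
+include torbrowser-launcher.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.config/torbrowser
+noblacklist ${HOME}/.local/share/torbrowser
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/torbrowser
+mkdir ${HOME}/.local/share/torbrowser
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/torbrowser
+whitelist ${HOME}/.local/share/torbrowser
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp !chroot
+shell none
+# tracelog may cause issues, see github issue #1930
+#tracelog
+
+disable-mnt
+private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none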
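Review bot: `ignore noexec ${HOME}` on line 9 and `seccomp !chroot` on line 44 both relax the sandbox without a why-comment, whereas the disabled tracelog on lines 46-47 does get one. Presumably noexec has to be lifted because the launcher unpacks and runs the browser from the whitelisted ${HOME}/.local/share/torbrowser (line 30), and chroot is left open for the browser's own process sandbox, but neither is stated and the second is a guess. Suggest `# Tor Browser is unpacked to and executed from ${HOME}/.local/share/torbrowser` above line 9 and `# chroot is left allowed for the browser's internal sandbox - TODO confirm` above line 44, so the relaxations can be revisited when the launcher changes.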
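--- /dev/null
+++ b/etc/profile-m-z/torcs.profile
@@ -0,0 +1,45 @@
+# Firejail profile for torcs
+# Description: The Open Racing Car Simulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include torcs.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.torcs
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.torcs
+whitelist ${HOME}/.torcs
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none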
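--- /dev/null
+++ b/etc/profile-m-z/totem.profile
@@ -0,0 +1,47 @@
+# Firejail profile for totem
+# Description: Simple media player for the GNOME desktop based on GStreamer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include totem.local
+# Persistent global definitions
+include globals.local
+
+# Allow lua (required for youtube video)
+include allow-lua.inc
+
+noblacklist ${HOME}/.config/totem
+noblacklist ${HOME}/.local/share/totem
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+# apparmor - makes settings immutable
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin totem
+# totem needs access to ~/.cache/tracker or it exits
+#private-cache
+private-dev
+# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
+private-tmp
+
+# makes settings immutable
+# dbus-user none
+# dbus-system none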
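Review bot: The commented-out `private-etc` on line 42 gives no reason for being disabled, while the neighbouring `#private-cache` (line 39-40), `apparmor` (line 27) and the dbus lines (lines 45-47) each record why they are off. Without a reason a later maintainer cannot tell whether the list is incomplete, conflicts with the GNOME settings access mentioned on line 45, or was simply never tested. A one-line note above it such as `# private-etc - TODO: record what breaks when enabled` keeps the file's own convention.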
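--- /dev/null
+++ b/etc/profile-m-z/tracker.profile
@@ -0,0 +1,39 @@
+# Firejail profile for tracker
+# Description: Metadata database, indexer and search tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tracker.local
+# Persistent global definitions
+include globals.local
+
+# Tracker is started by systemd on most systems. Therefore it is not firejailed by default
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-runuser-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin tracker
+# private-dev
+# private-tmp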
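--- /dev/null
+++ b/etc/profile-m-z/transgui.profile
@@ -0,0 +1,54 @@
+# Firejail profile for transgui
+# Description: Cross-platform Transmission BitTorrent client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include transgui.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/transgui
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/transgui
+whitelist ${HOME}/.config/transgui
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin geoiplookup,geoiplookup6,transgui
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*,libX11.so.*
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute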
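Review bot: `private-etc alternatives,fonts` on line 47 leaves a network client (`netfilter` on line 30, `protocol unix,inet,inet6` on line 39) with no resolv.conf, nsswitch.conf or hosts inside the sandbox, so connecting to a remote transmission-daemon by hostname may fail, while transmission-cli in this same commit lists `nsswitch.conf` and `resolv.conf`. If the profile is only meant for a daemon on localhost, a comment saying so above line 47 would make the omission deliberate; otherwise `private-etc alternatives,fonts,hosts,nsswitch.conf,resolv.conf` keeps the two profiles consistent (a daemon reached over TLS would additionally need the ca-certificates entries transmission-cli carries).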
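--- /dev/null
+++ b/etc/profile-m-z/transmission-cli.profile
@@ -0,0 +1,14 @@
+# Firejail profile for transmission-cli
+# Description: Fast, easy and free BitTorrent client (CLI tools and web client)
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include transmission-cli.local
+# Persistent global definitions
+include globals.local
+
+private-bin transmission-cli
+private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+
+# Redirect
+include transmission-common.profile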
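--- /dev/null
+++ b/etc/profile-m-z/transmission-common.profile
@@ -0,0 +1,53 @@
+# Firejail profile for transmission-common
+# Description: Fast, easy and free BitTorrent client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include transmission-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/transmission
+noblacklist ${HOME}/.config/transmission
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/transmission
+mkdir ${HOME}/.config/transmission
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/transmission
+whitelist ${HOME}/.config/transmission
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute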
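--- /dev/null
+++ b/etc/profile-m-z/transmission-create.profile
@@ -0,0 +1,13 @@
+# Firejail profile for transmission-create
+# Description: CLI utility to create BitTorrent .torrent files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include transmission-create.local
+# Persistent global definitions
+include globals.local
+
+private-bin transmission-create
+
+# Redirect
+include transmission-common.profile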
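--- /dev/null
+++ b/etc/profile-m-z/transmission-daemon.profile
@@ -0,0 +1,26 @@
+# Firejail profile for transmission-daemon
+# Description: Fast, easy and free BitTorrent client (daemon)
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include transmission-daemon.local
+# Persistent global definitions
+include globals.local
+
+ignore caps.drop all
+
+mkdir ${HOME}/.config/transmission-daemon
+whitelist ${HOME}/.config/transmission-daemon
+whitelist /var/lib/transmission
+
+caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
+
+private-bin transmission-daemon
+private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+
+read-write /var/lib/transmission
+writable-var-log
+writable-run-user
+
+# Redirect
+include transmission-common.profile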
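Review bot: `caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot` on line 16, together with `ignore caps.drop all` on line 10, retains five capabilities in a daemon profile without saying which feature needs each, and sys_chroot is the one a reviewer will question first because nothing else in the profile hints at chroot use. A comment above line 16 such as `# setuid/setgid: drop to the service user; net_bind_service: listen below port 1024; ipc_lock/sys_chroot: TODO confirm why needed` would let the list be pruned with confidence later. `writable-var-log` and `writable-run-user` on lines 22-23 similarly widen write access beyond the explicit `read-write /var/lib/transmission` on line 21 and deserve a one-line reason each.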
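--- /dev/null
+++ b/etc/profile-m-z/transmission-edit.profile
@@ -0,0 +1,13 @@
+# Firejail profile for transmission-edit
+# Description: CLI utility to modify BitTorrent .torrent files' announce URLs
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include transmission-edit.local
+# Persistent global definitions
+include globals.local
+
+private-bin transmission-edit
+
+# Redirect
+include transmission-common.profile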
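--- /dev/null
+++ b/etc/profile-m-z/transmission-gtk.profile
@@ -0,0 +1,17 @@
+# Firejail profile for transmission-gtk
+# Description: Fast, easy and free BitTorrent client (GTK GUI)
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include transmission-gtk.local
+# Persistent global definitions
+include globals.local
+
+include whitelist-runuser-common.inc
+
+private-bin transmission-gtk
+
+ignore memory-deny-write-execute
+
+# Redirect
+include transmission-common.profile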
diff --git a/etc/profile-m-z/transmission-qt.profile b/etc/profile-m-z/transmission-qt.profile new file mode 100644 index 000000000..94f3c3a20 --- /dev/null +++ b/etc/profile-m-z/transmission-qt.profile | |||
@@ -0,0 +1,18 @@ | |||
1 | # Firejail profile for transmission-qt | ||
2 | # Description: Fast, easy and free BitTorrent client (Qt GUI) | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include transmission-qt.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | private-bin transmission-qt | ||
11 | |||
12 | # private-lib - breaks on Arch | ||
13 | ignore private-lib | ||
14 | |||
15 | ignore memory-deny-write-execute | ||
16 | |||
17 | # Redirect | ||
18 | include transmission-common.profile | ||
diff --git a/etc/profile-m-z/transmission-remote-cli.profile b/etc/profile-m-z/transmission-remote-cli.profile new file mode 100644 index 000000000..7b9285e66 --- /dev/null +++ b/etc/profile-m-z/transmission-remote-cli.profile | |||
@@ -0,0 +1,17 @@ | |||
1 | # Firejail profile for transmission-remote-cli | ||
2 | # Description: A remote control utility for transmission-daemon (CLI) | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include transmission-remote-cli.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | # Allow python (blacklisted by disable-interpreters.inc) | ||
11 | include allow-python2.inc | ||
12 | include allow-python3.inc | ||
13 | |||
14 | private-bin python*,transmission-remote-cli | ||
15 | |||
16 | # Redirect | ||
17 | include transmission-common.profile | ||
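Review bot: `include allow-python2.inc` (11) reopens the end-of-life Python 2 interpreter for a client that is a single script, yet only the interpreter named in its shebang needs unblacklisting. If the packaged `transmission-remote-cli` runs on Python 3, drop line 11 and narrow line 14 to `private-bin python3*,transmission-remote-cli` so the sandbox does not carry a second, unmaintained interpreter. If some distributions still ship the Python 2 version, keep the include but say so in a comment so it is not removed later by accident.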
diff --git a/etc/profile-m-z/transmission-remote-gtk.profile b/etc/profile-m-z/transmission-remote-gtk.profile new file mode 100644 index 000000000..a6400e2c0 --- /dev/null +++ b/etc/profile-m-z/transmission-remote-gtk.profile | |||
@@ -0,0 +1,22 @@ | |||
1 | # Firejail profile for transmission-remote-gtk | ||
2 | # Description: A remote control utility for transmission-daemon (GTK GUI) | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include transmission-remote-gtk.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | noblacklist ${HOME}/.config/transmission-remote-gtk | ||
11 | |||
12 | mkdir ${HOME}/.config/transmission-remote-gtk | ||
13 | whitelist ${HOME}/.config/transmission-remote-gtk | ||
14 | |||
15 | private-etc fonts,hostname,hosts,resolv.conf | ||
16 | # Problems with private-lib (see issue #2889) | ||
17 | ignore private-lib | ||
18 | |||
19 | ignore memory-deny-write-execute | ||
20 | |||
21 | # Redirect | ||
22 | include transmission-common.profile | ||
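Review bot: `private-etc fonts,hostname,hosts,resolv.conf` (15) leaves out the CA store, so an HTTPS connection to a remote daemon cannot validate the server certificate inside the sandbox and will either fail or push users toward disabling verification in the client. transmission-daemon.profile in this same commit lists `ca-certificates,crypto-policies,pki,ssl` for exactly that purpose. I would align the line: `private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,nsswitch.conf,pki,resolv.conf,ssl`. Whether the GTK client also reads other /etc entries (gtk-3.0, dconf) cannot be told from this hunk and needs a run-test.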
diff --git a/etc/profile-m-z/transmission-remote.profile b/etc/profile-m-z/transmission-remote.profile new file mode 100644 index 000000000..fee4999e6 --- /dev/null +++ b/etc/profile-m-z/transmission-remote.profile | |||
@@ -0,0 +1,14 @@ | |||
1 | # Firejail profile for transmission-remote | ||
2 | # Description: A remote control utility for transmission-daemon (CLI) | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include transmission-remote.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | private-bin transmission-remote | ||
11 | private-etc alternatives,hosts,nsswitch.conf | ||
12 | |||
13 | # Redirect | ||
14 | include transmission-common.profile | ||
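Review bot: `private-etc alternatives,hosts,nsswitch.conf` (11) omits `resolv.conf`, so any daemon address not listed in /etc/hosts cannot be resolved from inside the sandbox, and it omits the CA store, so an `https://` daemon URL cannot be verified. The daemon profile in this commit includes `ca-certificates,crypto-policies,pki,resolv.conf,ssl`; the client that talks to it needs the same set, `private-etc alternatives,ca-certificates,crypto-policies,hosts,nsswitch.conf,pki,resolv.conf,ssl`. If the narrow list is deliberate for a localhost-only setup, a comment should say so, because the failure mode is an unhelpful connection error rather than a permission message.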
diff --git a/etc/profile-m-z/transmission-show.profile b/etc/profile-m-z/transmission-show.profile new file mode 100644 index 000000000..5a3c83f58 --- /dev/null +++ b/etc/profile-m-z/transmission-show.profile | |||
@@ -0,0 +1,14 @@ | |||
1 | # Firejail profile for transmission-show | ||
2 | # Description: CLI utility to show BitTorrent .torrent file metadata | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include transmission-show.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | private-bin transmission-show | ||
11 | private-etc alternatives,hosts,nsswitch.conf | ||
12 | |||
13 | # Redirect | ||
14 | include transmission-common.profile | ||
diff --git a/etc/profile-m-z/tremulous.profile b/etc/profile-m-z/tremulous.profile new file mode 100644 index 000000000..64bb8cba8 --- /dev/null +++ b/etc/profile-m-z/tremulous.profile | |||
@@ -0,0 +1,46 @@ | |||
1 | # Firejail profile for tremulous | ||
2 | # Description: First Person Shooter game based on the Quake 3 engine | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include tremulous.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.tremulous | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-xdg.inc | ||
18 | |||
19 | mkdir ${HOME}/.tremulous | ||
20 | whitelist ${HOME}/.tremulous | ||
21 | include whitelist-common.inc | ||
22 | include whitelist-var-common.inc | ||
23 | |||
24 | caps.drop all | ||
25 | ipc-namespace | ||
26 | netfilter | ||
27 | nodvd | ||
28 | nogroups | ||
29 | nonewprivs | ||
30 | noroot | ||
31 | notv | ||
32 | nou2f | ||
33 | novideo | ||
34 | protocol unix,inet,inet6 | ||
35 | seccomp | ||
36 | shell none | ||
37 | tracelog | ||
38 | |||
39 | disable-mnt | ||
40 | private-bin tremded,tremulous,tremulous-wrapper | ||
41 | private-cache | ||
42 | private-dev | ||
43 | private-tmp | ||
44 | |||
45 | dbus-user none | ||
46 | dbus-system none | ||
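Review bot: `private-bin tremded,tremulous,tremulous-wrapper` (40) names a wrapper that, judging by the name, may well be a shell script; with `shell none` (36) firejail execs it directly, and a `#!/bin/sh` script then fails because no interpreter is in the private /bin. If the wrapper is a script, add its interpreter (`sh` or `bash`) to the list; if it is a compiled launcher, a short comment saying so would spare the next reader the same question. I cannot tell which it is from this hunk.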
diff --git a/etc/profile-m-z/truecraft.profile b/etc/profile-m-z/truecraft.profile new file mode 100644 index 000000000..e76d52219 --- /dev/null +++ b/etc/profile-m-z/truecraft.profile | |||
@@ -0,0 +1,39 @@ | |||
1 | # Firejail profile for truecraft | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include truecraft.local | ||
5 | # Persistent global definitions | ||
6 | include globals.local | ||
7 | |||
8 | noblacklist ${HOME}/.config/mono | ||
9 | noblacklist ${HOME}/.config/truecraft | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | |||
18 | mkdir ${HOME}/.config/mono | ||
19 | mkdir ${HOME}/.config/truecraft | ||
20 | whitelist ${HOME}/.config/mono | ||
21 | whitelist ${HOME}/.config/truecraft | ||
22 | include whitelist-common.inc | ||
23 | |||
24 | caps.drop all | ||
25 | nodvd | ||
26 | nogroups | ||
27 | nonewprivs | ||
28 | noroot | ||
29 | notv | ||
30 | nou2f | ||
31 | novideo | ||
32 | protocol unix,inet,inet6 | ||
33 | seccomp | ||
34 | shell none | ||
35 | |||
36 | disable-mnt | ||
37 | private-dev | ||
38 | private-tmp | ||
39 | |||
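Review bot: The profile stops short of the hardening its sibling game profiles in this commit apply — no `dbus-user none`/`dbus-system none` (compare tremulous.profile), no `include disable-xdg.inc`, no `include whitelist-var-common.inc`, no `private-cache`, no `tracelog`. A Mono game has no obvious need for the session or system bus, and leaving both open gives a compromised process the desktop's D-Bus services to talk to. I would add `dbus-user none` and `dbus-system none` after `private-tmp`, add `include disable-xdg.inc` to the disable block, and drop the stray empty line 39. Whether TrueCraft needs D-Bus for anything cannot be determined from the hunk, so this needs a run-test before merging.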
diff --git a/etc/profile-m-z/ts3client_runscript.sh.profile b/etc/profile-m-z/ts3client_runscript.sh.profile new file mode 100644 index 000000000..8d4675454 --- /dev/null +++ b/etc/profile-m-z/ts3client_runscript.sh.profile | |||
@@ -0,0 +1,19 @@ | |||
1 | # Firejail profile alias for teamspeak3 | ||
2 | # Description: TeamSpeak is software for quality voice communication via the Internet | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include ts3client_runscript.sh.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | ignore noexec ${HOME} | ||
11 | |||
12 | noblacklist ${HOME}/TeamSpeak3-Client-linux_x86 | ||
13 | noblacklist ${HOME}/TeamSpeak3-Client-linux_amd64 | ||
14 | |||
15 | whitelist ${HOME}/TeamSpeak3-Client-linux_x86 | ||
16 | whitelist ${HOME}/TeamSpeak3-Client-linux_amd64 | ||
17 | |||
18 | # Redirect | ||
19 | include teamspeak3.profile | ||
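diff --git a/etc/profile-m-z/tshark.profile b/etc/profile-m-z/tshark.profile
new file mode 100644
index 000000000..684a9491d
--- /dev/null
+++ b/etc/profile-m-z/tshark.profile
@@ -0,0 +1,46 @@
+# Firejail profile for tshark
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include tshark.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/wireshark
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+#caps.keep net_raw
+caps.keep dac_override,net_admin,net_raw
+ipc-namespace
+#net tun0
+netfilter
+no3d
+nodvd
+# nogroups - breaks network traffic capture for unprivileged users
+# nonewprivs - breaks network traffic capture for unprivileged users
+# noroot
+nosound
+notv
+nou2f
+novideo
+#protocol unix,inet,inet6,netlink,packet
+#seccomp
+
+disable-mnt
+#private
+private-cache
+#private-bin tshark
+private-dev
+private-tmp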
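Review bot: `caps.keep dac_override,net_admin,net_raw` (25) retains CAP_DAC_OVERRIDE, which bypasses every file permission check on whatever the sandbox can see — nothing a packet capturer needs, and the commented-out `#caps.keep net_raw` directly above it shows the intended minimum. Capture needs net_raw, plus net_admin for promiscuous or monitor mode; if dac_override was added to open a protected capture file or interface, that is better solved by running as the owning user than by handing the dissectors root-equivalent file access. Separately, `#seccomp` (39) and `#protocol` (38) are off, so a dissector bug — tshark's largest attack surface, since it parses hostile traffic — is not contained by any syscall filter; the protocol list already written on line 38 could be enabled as is, and `seccomp` tried with `!` exclusions for whatever breaks capture. I would change line 25 to `caps.keep net_admin,net_raw` and record in a comment which distro mechanism (dumpcap file capabilities, a wireshark group) forces nonewprivs and noroot to stay off.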
diff --git a/etc/profile-m-z/tuxguitar.profile b/etc/profile-m-z/tuxguitar.profile new file mode 100644 index 000000000..d2b13d9ee --- /dev/null +++ b/etc/profile-m-z/tuxguitar.profile | |||
@@ -0,0 +1,45 @@ | |||
1 | # Firejail profile for tuxguitar | ||
2 | # Description: Multitrack guitar tablature editor and player (gp3 to gp5) | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include tuxguitar.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.tuxguitar* | ||
10 | noblacklist ${DOCUMENTS} | ||
11 | noblacklist ${MUSIC} | ||
12 | |||
13 | # Allow java (blacklisted by disable-devel.inc) | ||
14 | include allow-java.inc | ||
15 | |||
16 | include disable-common.inc | ||
17 | include disable-devel.inc | ||
18 | include disable-exec.inc | ||
19 | include disable-interpreters.inc | ||
20 | include disable-passwdmgr.inc | ||
21 | include disable-programs.inc | ||
22 | include disable-xdg.inc | ||
23 | |||
24 | include whitelist-var-common.inc | ||
25 | |||
26 | apparmor | ||
27 | caps.drop all | ||
28 | netfilter | ||
29 | no3d | ||
30 | nodvd | ||
31 | nogroups | ||
32 | nonewprivs | ||
33 | noroot | ||
34 | notv | ||
35 | nou2f | ||
36 | novideo | ||
37 | protocol unix,inet,inet6 | ||
38 | seccomp | ||
39 | tracelog | ||
40 | |||
41 | private-dev | ||
42 | private-tmp | ||
43 | |||
44 | # noexec ${HOME} - tuxguitar may fail to launch | ||
45 | noexec /tmp | ||
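Review bot: `noexec /tmp` (45) and the comment `# noexec ${HOME} - tuxguitar may fail to launch` (44) sit below `include disable-exec.inc` (18), which, as far as I recall that include, already applies noexec to /tmp and to ${HOME}; if so, line 45 is a no-op and line 44 documents as disabled an option that is actually in force. Either the include is wrong for this Java program and needs `ignore noexec ${HOME}` placed after it, or both trailing lines should be removed. `shell none` is also missing, which every other full profile in this range sets; if that is deliberate, a comment would help.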
diff --git a/etc/profile-m-z/tvbrowser.profile b/etc/profile-m-z/tvbrowser.profile new file mode 100644 index 000000000..d3dcbfe53 --- /dev/null +++ b/etc/profile-m-z/tvbrowser.profile | |||
@@ -0,0 +1,53 @@ | |||
1 | # Firejail profile for tvbrowser | ||
2 | # Description: java tv programm form tvbrowser.org | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include tvbrowser.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/tvbrowser | ||
10 | noblacklist ${HOME}/.tvbrowser | ||
11 | |||
12 | # Allow java (blacklisted by disable-devel.inc) | ||
13 | include allow-java.inc | ||
14 | |||
15 | include disable-common.inc | ||
16 | include disable-devel.inc | ||
17 | include disable-exec.inc | ||
18 | include disable-interpreters.inc | ||
19 | include disable-passwdmgr.inc | ||
20 | include disable-programs.inc | ||
21 | include disable-xdg.inc | ||
22 | |||
23 | mkdir ${HOME}/.config/tvbrowser | ||
24 | mkdir ${HOME}/.tvbrowser | ||
25 | whitelist ${HOME}/.config/tvbrowser | ||
26 | whitelist ${HOME}/.tvbrowser | ||
27 | whitelist /usr/share/tvbrowser | ||
28 | include whitelist-common.inc | ||
29 | include whitelist-usr-share-common.inc | ||
30 | include whitelist-var-common.inc | ||
31 | |||
32 | caps.drop all | ||
33 | netfilter | ||
34 | no3d | ||
35 | nodvd | ||
36 | nogroups | ||
37 | nonewprivs | ||
38 | noroot | ||
39 | notv | ||
40 | nou2f | ||
41 | novideo | ||
42 | protocol unix,inet,inet6 | ||
43 | seccomp | ||
44 | shell none | ||
45 | tracelog | ||
46 | |||
47 | disable-mnt | ||
48 | private-cache | ||
49 | private-dev | ||
50 | private-tmp | ||
51 | |||
52 | dbus-user none | ||
53 | dbus-system none | ||
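Review bot: The description on line 2, `java tv programm form tvbrowser.org`, has two typos and unclear wording for a line that tooling surfaces to users; `# Description: Java TV program guide from tvbrowser.org` says the same thing cleanly. The option set itself matches the other Java profile in this range (allow-java.inc plus the full disable/whitelist/dbus set), so nothing else stands out.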
diff --git a/etc/profile-m-z/udiskie.profile b/etc/profile-m-z/udiskie.profile new file mode 100644 index 000000000..265f6429d --- /dev/null +++ b/etc/profile-m-z/udiskie.profile | |||
@@ -0,0 +1,45 @@ | |||
1 | # Firejail profile for udiskie | ||
2 | # Description: Removable disk automounter using udisks | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include udiskie.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | # Allow python (blacklisted by disable-interpreters.inc) | ||
10 | include allow-python3.inc | ||
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | include whitelist-var-common.inc | ||
21 | |||
22 | caps.drop all | ||
23 | machine-id | ||
24 | net none | ||
25 | no3d | ||
26 | nogroups | ||
27 | nonewprivs | ||
28 | noroot | ||
29 | nosound | ||
30 | notv | ||
31 | nou2f | ||
32 | novideo | ||
33 | protocol unix | ||
34 | seccomp !request_key | ||
35 | shell none | ||
36 | tracelog | ||
37 | |||
38 | private-bin awk,cut,dbus-send,egrep,file,grep,head,python*,readlink,sed,sh,udiskie,uname,which,xdg-mime,xdg-open,xprop | ||
39 | # add your configured file browser in udiskie.local, e. g. | ||
40 | # private-bin nautilus | ||
41 | # private-bin thunar | ||
42 | private-cache | ||
43 | private-dev | ||
44 | private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg | ||
45 | private-tmp | ||
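Review bot: `seccomp !request_key` (34) re-allows a syscall the default filter blocks without saying why; the kernel keyring is not something a removable-media automounter obviously needs, so a maintainer cannot tell whether the exception can be dropped. If it exists for an unlock path that goes through a keyring-backed credential store, one line above it — `# request_key: needed by <feature>` — is enough; if nobody can name the feature, plain `seccomp` should be tried. The wide `private-bin` list (38) with `sh`, `xdg-open` and a file manager is the expected cost of the launch-on-mount feature, and the comments on lines 39–41 already cover it.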
diff --git a/etc/profile-m-z/uefitool.profile b/etc/profile-m-z/uefitool.profile new file mode 100644 index 000000000..8807b0b2c --- /dev/null +++ b/etc/profile-m-z/uefitool.profile | |||
@@ -0,0 +1,39 @@ | |||
1 | # Firejail profile for uefitool | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include uefitool.local | ||
5 | # Persistent global definitions | ||
6 | include globals.local | ||
7 | |||
8 | noblacklist ${DOCUMENTS} | ||
9 | |||
10 | include disable-common.inc | ||
11 | include disable-devel.inc | ||
12 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | ||
14 | include disable-passwdmgr.inc | ||
15 | include disable-programs.inc | ||
16 | include disable-xdg.inc | ||
17 | |||
18 | caps.drop all | ||
19 | ipc-namespace | ||
20 | net none | ||
21 | no3d | ||
22 | nodvd | ||
23 | nogroups | ||
24 | nonewprivs | ||
25 | noroot | ||
26 | nosound | ||
27 | notv | ||
28 | nou2f | ||
29 | novideo | ||
30 | protocol unix | ||
31 | seccomp | ||
32 | shell none | ||
33 | |||
34 | private-cache | ||
35 | private-dev | ||
36 | private-tmp | ||
37 | |||
38 | dbus-user none | ||
39 | dbus-system none | ||
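Review bot: For a tool whose input is firmware images pulled from vendors, flash dumps and forums, the profile has no `private-bin uefitool`, `disable-mnt`, `tracelog` or home whitelisting, so a parser bug gives the process the whole of $HOME minus the blacklists; `noblacklist ${DOCUMENTS}` (8) suggests images are expected there, which would make `whitelist ${DOCUMENTS}` plus `include whitelist-common.inc` a workable restriction. I would at least add `disable-mnt` and `private-bin uefitool` next to `private-cache`, confirming by a run-test that the Qt build launches, and add the missing `# Description:` line under line 1 as the other profiles have.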
diff --git a/etc/profile-m-z/uget-gtk.profile b/etc/profile-m-z/uget-gtk.profile new file mode 100644 index 000000000..8a2e83a1a --- /dev/null +++ b/etc/profile-m-z/uget-gtk.profile | |||
@@ -0,0 +1,37 @@ | |||
1 | # Firejail profile for uget-gtk | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include uget-gtk.local | ||
5 | # Persistent global definitions | ||
6 | include globals.local | ||
7 | |||
8 | noblacklist ${HOME}/.config/uGet | ||
9 | |||
10 | include disable-common.inc | ||
11 | include disable-devel.inc | ||
12 | include disable-interpreters.inc | ||
13 | include disable-programs.inc | ||
14 | |||
15 | mkdir ${HOME}/.config/uGet | ||
16 | whitelist ${DOWNLOADS} | ||
17 | whitelist ${HOME}/.config/uGet | ||
18 | include whitelist-common.inc | ||
19 | include whitelist-usr-share-common.inc | ||
20 | include whitelist-var-common.inc | ||
21 | |||
22 | caps.drop all | ||
23 | netfilter | ||
24 | nodvd | ||
25 | nonewprivs | ||
26 | noroot | ||
27 | nosound | ||
28 | notv | ||
29 | nou2f | ||
30 | novideo | ||
31 | protocol unix,inet,inet6 | ||
32 | seccomp | ||
33 | shell none | ||
34 | |||
35 | private-bin uget-gtk | ||
36 | private-dev | ||
37 | private-tmp | ||
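Review bot: `include disable-exec.inc` is missing from the disable block (10–13), so files a download manager drops into `${DOWNLOADS}` stay executable inside the sandbox — the one directory where untrusted content is guaranteed to land. Nearly every other profile in this range includes it together with `disable-passwdmgr.inc` and `disable-xdg.inc`; I would add all three, and `dbus-user none`/`dbus-system none` unless uGet's tray or notification integration needs the bus. `private-bin uget-gtk` (35) will also block the aria2 backend if it is in use; a comment pointing users to `private-bin aria2c` in uget-gtk.local would save a bug report.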
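diff --git a/etc/profile-m-z/unbound.profile b/etc/profile-m-z/unbound.profile
new file mode 100644
index 000000000..714a3f2f4
--- /dev/null
+++ b/etc/profile-m-z/unbound.profile
@@ -0,0 +1,52 @@
+# Firejail profile for unbound
+# Description: Validating, recursive, caching DNS resolver
+# This file is overwritten after every install/update
+# Persistent local customizations
+include unbound.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /sbin
+noblacklist /usr/sbin
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+
+whitelist /var/lib/unbound
+whitelist /var/run
+
+caps.keep net_admin,net_bind_service,setgid,setuid,sys_chroot,sys_resource
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nonewprivs
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
+
+disable-mnt
+private
+private-dev
+private-tmp
+writable-var
+
+dbus-user none
+dbus-system none
+
+# mdwe can break modules/plugins
+memory-deny-write-execute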
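Review bot: The `seccomp.drop` list (40) names `perf_event_open` twice and reads as a hand-copied version of the default filter with `chroot` taken out, which unbound needs for its own chroot; such a copy drifts silently, and if I recall the current default correctly it already lacks entries such as `bpf`, `reboot` and `name_to_handle_at`. udiskie.profile in this same commit uses the `seccomp !syscall` form, so the intent can be written as `seccomp !chroot`, which tracks the default list and removes the duplicate. If the list differs from the default in more than chroot — I cannot verify every entry from here — a comment should name the other differences. `caps.keep net_admin,...` (28) would also benefit from a note that net_admin is only needed when `so-rcvbuf`/`so-sndbuf` exceed the system maximum, so deployments with default buffers can drop it in unbound.local.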
diff --git a/etc/profile-m-z/uncompress.profile b/etc/profile-m-z/uncompress.profile new file mode 100644 index 000000000..f659d8e87 --- /dev/null +++ b/etc/profile-m-z/uncompress.profile | |||
@@ -0,0 +1,11 @@ | |||
1 | # Firejail profile for uncompress | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include uncompress.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | # Redirect | ||
11 | include gzip.profile | ||
diff --git a/etc/profile-m-z/unf.profile b/etc/profile-m-z/unf.profile new file mode 100644 index 000000000..fbbe949e9 --- /dev/null +++ b/etc/profile-m-z/unf.profile | |||
@@ -0,0 +1,58 @@ | |||
1 | # Firejail profile for unf | ||
2 | # Description: UNixize Filename -- replace annoying anti-unix characters in filenames | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include unf.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | blacklist ${RUNUSER}/wayland-* | ||
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | whitelist ${DOWNLOADS} | ||
21 | include whitelist-common.inc | ||
22 | include whitelist-usr-share-common.inc | ||
23 | include whitelist-var-common.inc | ||
24 | |||
25 | apparmor | ||
26 | caps.drop all | ||
27 | hostname unf | ||
28 | ipc-namespace | ||
29 | machine-id | ||
30 | net none | ||
31 | no3d | ||
32 | nodvd | ||
33 | nogroups | ||
34 | nonewprivs | ||
35 | noroot | ||
36 | nosound | ||
37 | notv | ||
38 | nou2f | ||
39 | novideo | ||
40 | protocol unix | ||
41 | seccomp | ||
42 | shell none | ||
43 | tracelog | ||
44 | x11 none | ||
45 | |||
46 | disable-mnt | ||
47 | private-bin unf | ||
48 | private-cache | ||
49 | ?HAS_APPIMAGE: ignore private-dev | ||
50 | private-dev | ||
51 | private-etc alternatives | ||
52 | private-lib gcc/*/*/libgcc_s.so.* | ||
53 | private-tmp | ||
54 | |||
55 | dbus-user none | ||
56 | dbus-system none | ||
57 | |||
58 | memory-deny-write-execute | ||
diff --git a/etc/profile-m-z/unknown-horizons.profile b/etc/profile-m-z/unknown-horizons.profile new file mode 100644 index 000000000..7dc13e284 --- /dev/null +++ b/etc/profile-m-z/unknown-horizons.profile | |||
@@ -0,0 +1,44 @@ | |||
1 | # Firejail profile for unknown-horizons | ||
2 | # Description: 2D realtime strategy simulation | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include unknown-horizons.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.unknown-horizons | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-exec.inc | ||
13 | include disable-passwdmgr.inc | ||
14 | include disable-programs.inc | ||
15 | |||
16 | mkdir ${HOME}/.unknown-horizons | ||
17 | whitelist ${HOME}/.unknown-horizons | ||
18 | include whitelist-common.inc | ||
19 | include whitelist-runuser-common.inc | ||
20 | whitelist /usr/share/unknown-horizons | ||
21 | include whitelist-usr-share-common.inc | ||
22 | include whitelist-var-common.inc | ||
23 | |||
24 | apparmor | ||
25 | caps.drop all | ||
26 | nodvd | ||
27 | nogroups | ||
28 | nonewprivs | ||
29 | noroot | ||
30 | notv | ||
31 | nou2f | ||
32 | novideo | ||
33 | protocol unix,inet,inet6,netlink | ||
34 | seccomp | ||
35 | shell none | ||
36 | |||
37 | disable-mnt | ||
38 | # private-bin unknown-horizons | ||
39 | private-dev | ||
40 | # private-etc alternatives,ca-certificates,crypto-policies,pki,ssl | ||
41 | private-tmp | ||
42 | |||
43 | # doesn't work - maybe all Tcl/Tk programs have this problem | ||
44 | # memory-deny-write-execute | ||
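Review bot: `disable-devel.inc` and `disable-interpreters.inc` are left out of the disable block entirely (11–14) rather than included with the one interpreter the game needs re-allowed, which is how udiskie.profile in this commit handles a Python program (`include allow-python3.inc` followed by `include disable-interpreters.inc`). As written, every interpreter and compiler on the system stays reachable from a networked game process. Unknown Horizons is, as far as I know, a Python game, so I would add `include allow-python3.inc` above the block and `include disable-devel.inc` and `include disable-interpreters.inc` inside it. The mdwe comment on line 43 blames Tcl/Tk; if the program is in fact Python/FIFE the comment should name that runtime instead, but I cannot confirm it from the hunk.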
diff --git a/etc/profile-m-z/unlzma.profile b/etc/profile-m-z/unlzma.profile new file mode 100644 index 000000000..d9c72407f --- /dev/null +++ b/etc/profile-m-z/unlzma.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile alias for cpio | ||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | |||
6 | # Redirect | ||
7 | include cpio.profile | ||
diff --git a/etc/profile-m-z/unrar.profile b/etc/profile-m-z/unrar.profile new file mode 100644 index 000000000..88a753d59 --- /dev/null +++ b/etc/profile-m-z/unrar.profile | |||
@@ -0,0 +1,45 @@ | |||
1 | # Firejail profile for unrar | ||
2 | # Description: Unarchiver for .rar files | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include unrar.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | blacklist ${RUNUSER}/wayland-* | ||
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | |||
19 | caps.drop all | ||
20 | hostname unrar | ||
21 | ipc-namespace | ||
22 | machine-id | ||
23 | net none | ||
24 | no3d | ||
25 | nodvd | ||
26 | #nogroups | ||
27 | nonewprivs | ||
28 | #noroot | ||
29 | nosound | ||
30 | notv | ||
31 | nou2f | ||
32 | novideo | ||
33 | protocol unix | ||
34 | seccomp | ||
35 | shell none | ||
36 | tracelog | ||
37 | x11 none | ||
38 | |||
39 | private-bin unrar | ||
40 | private-dev | ||
41 | private-etc alternatives,group,localtime,passwd | ||
42 | private-tmp | ||
43 | |||
44 | dbus-user none | ||
45 | dbus-system none | ||
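Review bot: `#noroot` (28) and `#nogroups` (26) are disabled without a reason, while unzip.profile in this commit enables `noroot` with an otherwise identical option set and the same `private-etc alternatives,group,localtime,passwd` line. For a tool whose whole job is parsing hostile archive input, the user namespace is a cheap extra boundary; either enable `noroot` or leave a comment naming what it breaks, e.g. `# noroot - breaks restoring archive ownership`, so the next maintainer does not have to rediscover it. The same applies to `#nogroups`.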
diff --git a/etc/profile-m-z/unxz.profile b/etc/profile-m-z/unxz.profile new file mode 100644 index 000000000..d9c72407f --- /dev/null +++ b/etc/profile-m-z/unxz.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile alias for cpio | ||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | |||
6 | # Redirect | ||
7 | include cpio.profile | ||
diff --git a/etc/profile-m-z/unzip.profile b/etc/profile-m-z/unzip.profile new file mode 100644 index 000000000..b4b63882b --- /dev/null +++ b/etc/profile-m-z/unzip.profile | |||
@@ -0,0 +1,47 @@ | |||
1 | # Firejail profile for unzip | ||
2 | # Description: De-archiver for .zip files | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include unzip.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | blacklist ${RUNUSER}/wayland-* | ||
11 | |||
12 | # GNOME Shell integration (chrome-gnome-shell) | ||
13 | noblacklist ${HOME}/.local/share/gnome-shell | ||
14 | |||
15 | include disable-common.inc | ||
16 | include disable-devel.inc | ||
17 | include disable-exec.inc | ||
18 | include disable-interpreters.inc | ||
19 | include disable-passwdmgr.inc | ||
20 | include disable-programs.inc | ||
21 | |||
22 | caps.drop all | ||
23 | hostname unzip | ||
24 | ipc-namespace | ||
25 | machine-id | ||
26 | net none | ||
27 | no3d | ||
28 | nodvd | ||
29 | #nogroups | ||
30 | nonewprivs | ||
31 | noroot | ||
32 | nosound | ||
33 | notv | ||
34 | nou2f | ||
35 | novideo | ||
36 | protocol unix | ||
37 | seccomp | ||
38 | shell none | ||
39 | tracelog | ||
40 | x11 none | ||
41 | |||
42 | private-bin unzip | ||
43 | private-dev | ||
44 | private-etc alternatives,group,localtime,passwd | ||
45 | |||
46 | dbus-user none | ||
47 | dbus-system none | ||
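Review bot: `noblacklist ${HOME}/.local/share/gnome-shell` (13) grants every unzip invocation write access to the GNOME Shell extensions directory, not only the chrome-gnome-shell helper the comment names; an extension placed there runs with the full privileges of the user's session, so any archive unpacked with a path under that directory — or any path-handling bug in unzip — reaches a very sensitive target. Since the profile has no whitelist, this unblacklist is the only thing between extracted content and that directory. I would move the line to a dedicated profile for chrome-gnome-shell's unzip call, or document it as an opt-in for `unzip.local`, and keep the stock unzip profile blacklisting it, with a comment explaining the trade-off.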
diff --git a/etc/profile-m-z/unzstd.profile b/etc/profile-m-z/unzstd.profile new file mode 100644 index 000000000..ce9af3286 --- /dev/null +++ b/etc/profile-m-z/unzstd.profile | |||
@@ -0,0 +1,5 @@ | |||
1 | # Firejail profile alias for zstd | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | # Redirect | ||
5 | include zstd.profile | ||
diff --git a/etc/profile-m-z/utox.profile b/etc/profile-m-z/utox.profile new file mode 100644 index 000000000..9877ea889 --- /dev/null +++ b/etc/profile-m-z/utox.profile | |||
@@ -0,0 +1,48 @@ | |||
1 | # Firejail profile for utox | ||
2 | # Description: Lightweight Tox client | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include utox.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.cache/Tox | ||
10 | noblacklist ${HOME}/.config/tox | ||
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | mkdir ${HOME}/.config/tox | ||
21 | whitelist ${DOWNLOADS} | ||
22 | whitelist ${HOME}/.config/tox | ||
23 | include whitelist-common.inc | ||
24 | include whitelist-var-common.inc | ||
25 | |||
26 | apparmor | ||
27 | caps.drop all | ||
28 | ipc-namespace | ||
29 | netfilter | ||
30 | nodvd | ||
31 | nogroups | ||
32 | nonewprivs | ||
33 | noroot | ||
34 | notv | ||
35 | nou2f | ||
36 | protocol unix,inet,inet6 | ||
37 | seccomp | ||
38 | shell none | ||
39 | tracelog | ||
40 | |||
41 | disable-mnt | ||
42 | private-bin utox | ||
43 | private-cache | ||
44 | private-dev | ||
45 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,openal,pki,pulse,resolv.conf,ssl | ||
46 | private-tmp | ||
47 | |||
48 | memory-deny-write-execute | ||
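Review bot: `private-etc ... machine-id ...` (45) copies the host's real /etc/machine-id into the sandbox, whereas the other profiles in this range that need the file present (udiskie, unf) combine `private-etc` with the `machine-id` option, which supplies a random value. For a peer-to-peer messenger that is a persistent, linkable host identifier exposed to anything the process can be made to leak. If the file is only needed so PulseAudio can locate its per-machine cookie, the randomized one usually suffices; I would try dropping `machine-id` from the private-etc list and adding the `machine-id` option next to `ipc-namespace`, keeping the real file only if audio actually breaks and noting why.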
diff --git a/etc/profile-m-z/uudeview.profile b/etc/profile-m-z/uudeview.profile new file mode 100644 index 000000000..6b5f14cab --- /dev/null +++ b/etc/profile-m-z/uudeview.profile | |||
@@ -0,0 +1,46 @@ | |||
1 | # Firejail profile for uudeview | ||
2 | # Description: Smart multi-file multi-part decoder | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include uudeview.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | blacklist ${RUNUSER}/wayland-* | ||
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | |||
19 | include whitelist-usr-share-common.inc | ||
20 | |||
21 | caps.drop all | ||
22 | hostname uudeview | ||
23 | ipc-namespace | ||
24 | machine-id | ||
25 | net none | ||
26 | nodvd | ||
27 | #nogroups | ||
28 | nonewprivs | ||
29 | #noroot | ||
30 | nosound | ||
31 | notv | ||
32 | nou2f | ||
33 | novideo | ||
34 | protocol unix | ||
35 | seccomp | ||
36 | shell none | ||
37 | tracelog | ||
38 | x11 none | ||
39 | |||
40 | private-bin uudeview | ||
41 | private-cache | ||
42 | private-dev | ||
43 | private-etc alternatives,ld.so.preload | ||
44 | |||
45 | dbus-user none | ||
46 | dbus-system none | ||
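--- /dev/null
+++ b/etc/profile-m-z/uzbl-browser.profile
@@ -0,0 +1,40 @@
+# Firejail profile for uzbl-browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include uzbl-browser.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/uzbl
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.local/share/uzbl
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/uzbl
+mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.local/share/uzbl
+mkdir ${HOME}/.password-store
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/uzbl
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.local/share/uzbl
+whitelist ${HOME}/.password-store
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+tracelog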
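Review bot: `whitelist ${HOME}/.gnupg` and `whitelist ${HOME}/.password-store` at lines 27 and 29 expose the full GnuPG keyring (secret keys included) and the password store to a network-facing browser, with no comment saying which feature needs them. If this is for a pass-style password-manager integration, say so above line 21, e.g. `# .gnupg and .password-store are for the pass password manager; re-blacklist them in uzbl-browser.local if unused`, so users can tell the exposure is optional. The profile also omits `disable-exec.inc`, `shell none`, `private-dev` and `private-tmp`, which most profiles in this set carry; if that is deliberate a one-line reason would help.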
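--- /dev/null
+++ b/etc/profile-m-z/viewnior.profile
@@ -0,0 +1,51 @@
+# Firejail profile for viewnior
+# Description: Simple, fast and elegant image viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include viewnior.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.Steam
+noblacklist ${HOME}/.config/viewnior
+noblacklist ${HOME}/.steam
+
+blacklist ${HOME}/.bashrc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin viewnior
+private-cache
+private-dev
+private-etc alternatives,fonts,machine-id
+private-tmp
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute - breaks on Arch (see issues #1803 and #1808)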
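Review bot: `noblacklist ${HOME}/.Steam` and `${HOME}/.steam` at lines 9 and 11 re-expose the Steam directories to an image viewer, and `blacklist ${HOME}/.bashrc` at line 13 hides a single dotfile, neither with a reason, while the profile's own last line shows the convention of annotating exceptions. A comment such as `# .steam: so viewnior can open Steam screenshots` would do if that is the intent — that is my inference, so confirm before writing it.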
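--- /dev/null
+++ b/etc/profile-m-z/viking.profile
@@ -0,0 +1,37 @@
+# Firejail profile for viking
+# Description: GPS data editor, analyzer and viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include viking.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.viking
+noblacklist ${HOME}/.viking-maps
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+private-tmp
+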
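Review bot: The profile has no whitelist section, so with `netfilter` a networked GPS editor keeps read/write access to the whole home directory apart from the blacklisted paths, even though the `noblacklist` lines 9–11 already name the only directories it appears to need. If viking works under a whitelist, `whitelist ${HOME}/.viking`, `whitelist ${HOME}/.viking-maps`, `whitelist ${DOCUMENTS}` followed by `include whitelist-common.inc` would match what warsow and vivaldi do in this commit; otherwise a comment explaining why the home stays open would help. The trailing blank line 37 can go.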
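--- /dev/null
+++ b/etc/profile-m-z/vim.profile
@@ -0,0 +1,34 @@
+# Firejail profile for vim
+# Description: Vi IMproved - enhanced vi editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vim.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.vim
+noblacklist ${HOME}/.viminfo
+noblacklist ${HOME}/.vimrc
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-runuser-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+
+private-dev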
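Review bot: vim.profile is the redirect target of vimcat, vimdiff, vimpager and vimtutor in this commit, so the read-only pager and tutor uses inherit the `netfilter` network access and the absence of `disable-exec.inc`/`disable-interpreters.inc`/`shell none` that an interactive editor may need for `:!` and plugins. A header comment such as `# Shared by vimcat, vimdiff, vimpager and vimtutor; tighten in those .local files rather than here` would make that coupling visible. If exec and interpreter access is intentional for IDE-style use, the `allow-common-devel.inc` comment at line 13 is the place to say so.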
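--- /dev/null
+++ b/etc/profile-m-z/vimcat.profile
@@ -0,0 +1,10 @@
+# Firejail profile for vimcat
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vimcat.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include vim.profile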
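--- /dev/null
+++ b/etc/profile-m-z/vimdiff.profile
@@ -0,0 +1,10 @@
+# Firejail profile for vimdiff
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vimdiff.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include vim.profile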
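--- /dev/null
+++ b/etc/profile-m-z/vimpager.profile
@@ -0,0 +1,11 @@
+# Firejail profile for vimpager
+# Description: A vim-based script to use as a PAGER
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vimpager.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include vim.profile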
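--- /dev/null
+++ b/etc/profile-m-z/vimtutor.profile
@@ -0,0 +1,10 @@
+# Firejail profile for vimtutor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vimtutor.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include vim.profile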
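--- /dev/null
+++ b/etc/profile-m-z/virtualbox.profile
@@ -0,0 +1,32 @@
+# Firejail profile for virtualbox
+# Description: x86 virtualization solution
+# This file is overwritten after every install/update
+# Persistent local customizations
+include virtualbox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.VirtualBox
+noblacklist ${HOME}/.config/VirtualBox
+noblacklist ${HOME}/VirtualBox VMs
+# noblacklist /usr/bin/virtualbox
+noblacklist /usr/lib/virtualbox
+noblacklist /usr/lib64/virtualbox
+
+include disable-common.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/VirtualBox
+mkdir ${HOME}/VirtualBox VMs
+whitelist ${HOME}/.config/VirtualBox
+whitelist ${HOME}/VirtualBox VMs
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.keep net_raw,sys_admin,sys_nice
+netfilter
+nodvd
+notv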
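Review bot: `caps.keep net_raw,sys_admin,sys_nice` at line 29 retains CAP_SYS_ADMIN, and the profile sets neither `nonewprivs`, `noroot`, `seccomp` nor `protocol`, so this sandbox provides filesystem and network-filter containment only, not privilege reduction. That is presumably forced by VirtualBox's privileged helpers, but nothing in the file says so; a comment above line 29 such as `# sys_admin is kept and seccomp/nonewprivs are absent because VirtualBox needs them (reason: <confirm>) — do not rely on this profile as a privilege boundary` would stop users from assuming stronger isolation. The commented `# noblacklist /usr/bin/virtualbox` at line 12 should be removed or given a reason.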
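--- /dev/null
+++ b/etc/profile-m-z/vivaldi-beta.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for vivaldi
+# This file is overwritten after every install/update
+
+# Redirect
+include vivaldi.profile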
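--- /dev/null
+++ b/etc/profile-m-z/vivaldi-snapshot.profile
@@ -0,0 +1,17 @@
+# Firejail profile for vivaldi-snapshot
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vivaldi-snapshot.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/vivaldi-snapshot
+noblacklist ${HOME}/.config/vivaldi-snapshot
+
+mkdir ${HOME}/.cache/vivaldi-snapshot
+mkdir ${HOME}/.config/vivaldi-snapshot
+whitelist ${HOME}/.cache/vivaldi-snapshot
+whitelist ${HOME}/.config/vivaldi-snapshot
+
+# Redirect
+include chromium-common.profile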
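Review bot: This profile redirects straight to chromium-common.profile, while vivaldi.profile in the same commit carries the Widevine overrides (`ignore apparmor`, `ignore noexec /var`, `writable-var`) and the `ignore dbus-user none` sync exception before its redirect; if snapshot builds ship the same features the divergence is surprising, and if they do not, it is worth a line saying so. Either way a comment such as `# no Widevine/dbus overrides here: <confirm whether snapshot builds need them>` would keep the two files from drifting unexplained.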
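--- /dev/null
+++ b/etc/profile-m-z/vivaldi-stable.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for vivaldi
+# This file is overwritten after every install/update
+
+# Redirect
+include vivaldi.profile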
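--- /dev/null
+++ b/etc/profile-m-z/vivaldi.profile
@@ -0,0 +1,31 @@
+# Firejail profile for vivaldi
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vivaldi.local
+# Persistent global definitions
+include globals.local
+
+# Allow HTML5 Proprietary Media & DRM/EME (Widevine)
+ignore apparmor
+ignore noexec /var
+noblacklist /var/opt
+whitelist /var/opt/vivaldi
+writable-var
+
+noblacklist ${HOME}/.cache/vivaldi
+noblacklist ${HOME}/.config/vivaldi
+noblacklist ${HOME}/.local/lib/vivaldi
+
+mkdir ${HOME}/.cache/vivaldi
+mkdir ${HOME}/.config/vivaldi
+mkdir ${HOME}/.local/lib/vivaldi
+whitelist ${HOME}/.cache/vivaldi
+whitelist ${HOME}/.config/vivaldi
+whitelist ${HOME}/.local/lib/vivaldi
+
+# breaks vivaldi sync
+ignore dbus-user none
+ignore dbus-system none
+
+# Redirect
+include chromium-common.profile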
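Review bot: `ignore apparmor`, `ignore noexec /var` and `writable-var` at lines 9, 10 and 13 are justified only by the one-line heading at line 8, yet together they drop the AppArmor layer and make /var writable and executable for the whole browser, not just for the DRM module under /var/opt/vivaldi. Users who do not use DRM get no hint which of the three they can do without; suggest extending the comment to `# Allow HTML5 Proprietary Media & DRM/EME (Widevine): needs a writable, executable /var/opt/vivaldi and no apparmor; drop these if you do not use DRM`, after confirming which of the overrides the Widevine loader actually requires. The `# breaks vivaldi sync` note at line 26 is the right model for these.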
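--- /dev/null
+++ b/etc/profile-m-z/vlc.profile
@@ -0,0 +1,45 @@
+# Firejail profile for vlc
+# Description: Multimedia player and streamer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vlc.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/vlc
+noblacklist ${HOME}/.config/vlc
+noblacklist ${HOME}/.local/share/vlc
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+#apparmor - on Ubuntu 18.04 it refuses to start without dbus access
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin cvlc,nvlc,qvlc,rvlc,svlc,vlc
+private-dev
+private-tmp
+
+# dbus needed for MPRIS
+# dbus-user none
+# dbus-system none
+
+# mdwe is disabled due to breaking hardware accelerated decoding
+#memory-deny-write-execute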
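Review bot: `protocol unix,inet,inet6,netlink` at line 32 grants netlink with no comment, while every other relaxation in this profile (`#apparmor` at 25, the dbus lines at 40–42, mdwe at 44) carries its reason. Netlink is presumably for interface or route enumeration by the streaming code, but that is inference; a `# netlink: <reason>` note would let a later maintainer distinguish a needed exception from a copied one. `tracelog` and `private-cache`, present in the neighbouring profiles, are also absent without a word.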
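--- /dev/null
+++ b/etc/profile-m-z/vscodium.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for Visual Studio Code
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.VSCodium
+
+# Redirect
+include code.profile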
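--- /dev/null
+++ b/etc/profile-m-z/vulturesclaw.profile
@@ -0,0 +1,8 @@
+# Firejail profile alias for nethack-vultures
+# This file is overwritten after every install/update
+
+noblacklist /var/games/vulturesclaw
+whitelist /var/games/vulturesclaw
+
+# Redirect
+include nethack-vultures.profile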
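--- /dev/null
+++ b/etc/profile-m-z/vultureseye.profile
@@ -0,0 +1,8 @@
+# Firejail profile alias for nethack-vultures
+# This file is overwritten after every install/update
+
+noblacklist /var/games/vultureseye
+whitelist /var/games/vultureseye
+
+# Redirect
+include nethack-vultures.profile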
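--- /dev/null
+++ b/etc/profile-m-z/vym.profile
@@ -0,0 +1,36 @@
+# Firejail profile for vym
+# Description: Mindmapping tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vym.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/InSilmaril
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+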
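Review bot: `netfilter` at line 19 keeps network access for a mind-mapping tool while `protocol unix` at line 29 allows no inet sockets, so the network line does nothing useful as written and the intent is unclear. If vym has no networked feature, `net none` is the consistent and tighter choice (as viewnior and uudeview use); if it does, `protocol` needs inet/inet6 and a `# netfilter: <reason>` comment should say what for. The trailing blank line 36 can go.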
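--- /dev/null
+++ b/etc/profile-m-z/w3m.profile
@@ -0,0 +1,45 @@
+# Firejail profile for w3m
+# Description: WWW browsable pager with excellent tables/frames support
+# This file is overwritten after every install/update
+# Persistent local customizations
+include w3m.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.w3m
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include allow-perl.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+# private-bin w3m
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-tmp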
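Review bot: `# private-bin w3m` at line 41 is disabled without a reason, and `disable-exec.inc` is absent although `include allow-perl.inc` at line 14 shows the author expected helper scripts to run; neither loosening is explained. w3m launches external viewers, editors and its own CGI helpers, which is presumably why both are relaxed, but that belongs in the file: `# private-bin w3m - disabled: w3m execs external viewers/editors and CGI helpers (confirm)`. As written, a maintainer may re-enable private-bin and break the profile, or assume an exec lockdown that is not there.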
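--- /dev/null
+++ b/etc/profile-m-z/warmux.profile
@@ -0,0 +1,55 @@
+# Firejail profile for warmux
+# Description: a convivial mass murder game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include warmux.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/wormux
+noblacklist ${HOME}/.local/share/wormux
+noblacklist ${HOME}/.wormux
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/wormux
+mkdir ${HOME}/.local/share/wormux
+mkdir ${HOME}/.wormux
+whitelist ${HOME}/.config/wormux
+whitelist ${HOME}/.local/share/wormux
+whitelist ${HOME}/.wormux
+whitelist /usr/share/warmux
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin warmux
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-tmp
+
+dbus-user none
+dbus-system none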
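--- /dev/null
+++ b/etc/profile-m-z/warsow.profile
@@ -0,0 +1,51 @@
+# Firejail profile for warsow
+# Description: Fast paced 3D first person shooter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include warsow.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.cache/warsow-2.1
+noblacklist ${HOME}/.local/share/warsow-2.1
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/warsow-2.1
+mkdir ${HOME}/.local/share/warsow-2.1
+whitelist ${HOME}/.cache/warsow-2.1
+whitelist ${HOME}/.local/share/warsow-2.1
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin warsow
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none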
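Review bot: `ignore noexec ${HOME}` at line 9 lifts the noexec mount of the whole home directory with no comment, even though the profile then whitelists only `~/.cache/warsow-2.1` and `~/.local/share/warsow-2.1`, and `disable-exec.inc` at line 16 is included as if exec lockdown were still in force. Presumably the game loads executable modules from its data directory; if so, `# game modules under ~/.local/share/warsow-2.1 must be executable` next to line 9 would document the exception, and it is worth checking whether noexec can be lifted for that directory alone rather than for all of ${HOME}.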
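--- /dev/null
+++ b/etc/profile-m-z/warzone2100.profile
@@ -0,0 +1,46 @@
+# Firejail profile for warzone2100
+# Description: 3D real time strategy game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include warzone2100.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.warzone2100-3.*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+# mkdir ${HOME}/.warzone2100-3.1
+# mkdir ${HOME}/.warzone2100-3.2
+whitelist ${HOME}/.warzone2100-3.1
+whitelist ${HOME}/.warzone2100-3.2
+whitelist /usr/share/games
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin warzone2100
+private-dev
+private-tmp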
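Review bot: `noblacklist ${HOME}/.warzone2100-3.*` at line 9 uses a glob while the whitelist at lines 20–21 names only 3.1 and 3.2 and their `mkdir` lines at 18–19 are commented out, so a future 3.x data directory would be un-blacklisted yet still hidden by the whitelist, and on a fresh install the two whitelisted directories may not exist before the game first runs. Either list the same versions in both places, or explain why mkdir is disabled, e.g. `# mkdir omitted on purpose: <reason>`, so the asymmetry does not look accidental.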
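--- /dev/null
+++ b/etc/profile-m-z/waterfox-classic.profile
@@ -0,0 +1,7 @@
+# Firejail profile for waterfox-classic
+# This file is overwritten after every install/update
+# Persistent local customizations
+include waterfox-classic.local
+
+# Redirect
+include waterfox.profile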
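--- /dev/null
+++ b/etc/profile-m-z/waterfox-current.profile
@@ -0,0 +1,7 @@
+# Firejail profile for waterfox-current
+# This file is overwritten after every install/update
+# Persistent local customizations
+include waterfox-current.local
+
+# Redirect
+include waterfox.profile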
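--- /dev/null
+++ b/etc/profile-m-z/waterfox.profile
@@ -0,0 +1,27 @@
+# Firejail profile for waterfox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include waterfox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/waterfox
+noblacklist ${HOME}/.waterfox
+
+mkdir ${HOME}/.cache/waterfox
+mkdir ${HOME}/.waterfox
+whitelist ${HOME}/.cache/waterfox
+whitelist ${HOME}/.waterfox
+
+# Uncomment (or add to watefox.local) the following lines if you want to
+# use the migration wizard.
+#noblacklist ${HOME}/.mozilla
+#whitelist ${HOME}/.mozilla
+
+# waterfox requires a shell to launch on Arch. We can possibly remove sh though.
+#private-bin bash,dbus-launch,dbus-send,env,sh,waterfox,waterfox-classic,waterfox-current,which
+# private-etc must first be enabled in firefox-common.profile
+#private-etc waterfox
+
+# Redirect
+include firefox-common.profile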
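Review bot: The comment at line 16 reads `watefox.local`, but the file the profile actually reads is `waterfox.local` (line 4), so a user following the comment would put their override in a file that is never loaded. Change it to `# Uncomment (or add to waterfox.local) the following lines if you want to`. The note at line 21 leaves the removal of `sh` as an open question inside a shipped comment; a decision or an issue reference would keep it from staying open-ended.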
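--- /dev/null
+++ b/etc/profile-m-z/webstorm.profile
@@ -0,0 +1,41 @@
+# Firejail profile for WebStorm
+# This file is overwritten after every install/update
+# Persistent local customizations
+include webstorm.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.WebStorm*
+noblacklist ${HOME}/.android
+noblacklist ${HOME}/.local/share/JetBrains
+noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.tooling
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+noblacklist ${PATH}/node
+noblacklist ${HOME}/.nvm
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp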
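Review bot: `noblacklist ${HOME}/.ssh` at line 11 re-exposes the user's SSH private keys to a networked IDE with no comment saying what for, and the neighbouring `.android`, `.tooling` and `.nvm` exceptions are equally unexplained. Presumably this is for git-over-SSH from inside the IDE; if so, `# .ssh: needed for git over ssh; re-blacklist in webstorm.local if unused` would tell users the exposure is optional. Because `disable-exec.inc` and `private-bin` are absent, anything the IDE launches (node, npm scripts) shares that access, which is worth stating alongside.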
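--- /dev/null
+++ b/etc/profile-m-z/webui-aria2.profile
@@ -0,0 +1,38 @@
+# Firejail profile for webui-aria2
+# Run this with firejail --profile=webui-aria2 node node-server.js
+# This file is overwritten after every install/update
+# Persistent local customizations
+include webui-aria2.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/node
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none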
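--- /dev/null
+++ b/etc/profile-m-z/weechat-curses.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for weechat
+# This file is overwritten after every install/update
+
+# Redirect
+include weechat.profile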
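--- /dev/null
+++ b/etc/profile-m-z/weechat.profile
@@ -0,0 +1,29 @@
+# Firejail profile for weechat
+# Description: Fast, light and extensible chat client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include weechat.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.weechat
+
+include disable-common.inc
+include disable-programs.inc
+
+whitelist /usr/share/perl5
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+
+# no private-bin support for various reasons:
+# Plugins loaded: alias, aspell, charset, exec, fifo, guile, irc,
+# logger, lua, perl, python, relay, ruby, script, tcl, trigger, xferloading plugins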
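Review bot: The closing comment is garbled: `xferloading plugins` at line 29 is the `xfer` plugin name fused with a stray `loading plugins` fragment from the pasted output, so the line should end `... tcl, trigger, xfer`. The same comment explains why `private-bin` is absent but not why `disable-devel.inc`, `disable-interpreters.inc` and `shell none` are also missing; if that is for the guile/lua/perl/python/ruby/tcl plugin interpreters listed there, one sentence such as `# interpreters and shell stay enabled for the scripting plugins above` would close the gap.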
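--- /dev/null
+++ b/etc/profile-m-z/wesnoth.profile
@@ -0,0 +1,38 @@
+# Firejail profile for wesnoth
+# Description: Fantasy turn-based strategy game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include wesnoth.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/wesnoth
+noblacklist ${HOME}/.config/wesnoth
+noblacklist ${HOME}/.local/share/wesnoth
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/wesnoth
+mkdir ${HOME}/.config/wesnoth
+mkdir ${HOME}/.local/share/wesnoth
+whitelist ${HOME}/.cache/wesnoth
+whitelist ${HOME}/.config/wesnoth
+whitelist ${HOME}/.local/share/wesnoth
+include whitelist-common.inc
+
+caps.drop all
+nodvd
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+
+private-dev
+private-tmp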
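Review bot: The profile sets neither `netfilter` nor `net none`, unlike the other networked game profiles in this commit (warmux, warsow and warzone2100 all use `netfilter`), so the sandbox keeps the host network without the filter. Since `protocol unix,inet,inet6` at line 34 shows network sockets are expected, adding `netfilter` after `caps.drop all` at line 27 would be the consistent choice. `disable-exec.inc`, `shell none`, `nogroups` and `tracelog` are also absent without comment; fine if deliberate, worth a word if not.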
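--- /dev/null
+++ b/etc/profile-m-z/wget.profile
@@ -0,0 +1,59 @@
+# Firejail profile for wget
+# Description: Retrieves files from the web
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include wget.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.netrc
+noblacklist ${HOME}/.wget-hsts
+noblacklist ${HOME}/.wgetrc
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# depending on workflow you can uncomment the below or put 'include disable-xdg.inc' in your wget.local
+#include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin wget
+private-cache
+private-dev
+# depending on workflow you can uncomment the below or put this private-etc in your wget.local
+#private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,wgetrc
+#private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute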
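Review bot: `blacklist ${RUNUSER}/wayland-*` on line 15 is redundant once line 16 blacklists the whole of `${RUNUSER}`; the same pair appears in whois.profile (lines 11-12), so either drop the narrower line in both or add a comment saying why it is kept separately. Line 10 re-exposes `${HOME}/.netrc`, which holds plaintext credentials; since wget only reads it, `read-only ${HOME}/.netrc` next to the noblacklist would keep a compromised download from rewriting stored logins while leaving `.wget-hsts` writable. I am assuming wget never writes .netrc; confirm before adding the read-only line.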
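--- /dev/null
+++ b/etc/profile-m-z/whalebird.profile
@@ -0,0 +1,39 @@
+# Firejail profile for whalebird
+# Description: Electron-based Mastodon/Pleroma client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include whalebird.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+ignore dbus-user none
+ignore dbus-system none
+
+noblacklist ${HOME}/.config/Whalebird
+
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/Whalebird
+whitelist ${HOME}/.config/Whalebird
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+no3d
+nou2f
+novideo
+protocol unix,inet,inet6
+shell none
+
+disable-mnt
+private-bin whalebird
+private-cache
+private-dev
+private-etc fonts,machine-id
+private-tmp
+
+# Redirect
+include electron.profile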
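Review bot: Lines 10-11 reopen the session and system D-Bus that the redirected electron.profile presumably closes, but nothing says which feature needs them; unfiltered D-Bus access is a notable widening of the sandbox for a network-facing client. Please add a one-line reason above them, e.g. `# D-Bus is needed for desktop notifications (see issue <PLACEHOLDER>)`, so a later maintainer can tell whether the exception is still required. The electron.profile contents are outside this section, so whether it actually sets `dbus-user none` is inferred from the `ignore` lines, not verified here.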
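--- /dev/null
+++ b/etc/profile-m-z/whois.profile
@@ -0,0 +1,57 @@
+# Firejail profile for whois
+# Description: Intelligent WHOIS client
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include whois.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+hostname whois
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin bash,sh,whois
+private-cache
+private-dev
+private-etc alternatives,hosts,jwhois.conf,resolv.conf,services,whois.conf
+private-lib gconv
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute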
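--- /dev/null
+++ b/etc/profile-m-z/widelands.profile
@@ -0,0 +1,47 @@
+# Firejail profile for widelands
+# Description: Open source realtime-strategy game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include widelands.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.widelands
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.widelands
+whitelist ${HOME}/.widelands
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin widelands
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none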
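Review bot: Line 35 allows `netlink` in the protocol filter, which none of the other game profiles in this section do, and there is no comment saying what the game needs it for. Netlink sockets expose kernel configuration interfaces well beyond what a multiplayer game normally requires, so the reason (interface enumeration for LAN discovery is my guess) should be written down, e.g. `# netlink: needed for LAN game discovery - TODO confirm`, or the entry dropped if it was inherited from an older template.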
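--- /dev/null
+++ b/etc/profile-m-z/wine.profile
@@ -0,0 +1,39 @@
+# Firejail profile for wine
+# Description: A compatibility layer for running Windows programs
+# This file is overwritten after every install/update
+# Persistent local customizations
+include wine.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.Steam
+noblacklist ${HOME}/.local/share/Steam
+noblacklist ${HOME}/.local/share/steam
+noblacklist ${HOME}/.steam
+noblacklist ${HOME}/.wine
+noblacklist /tmp/.wine-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+# some applications don't need allow-debuggers, comment the next line
+# if it is not necessary (or put 'ignore allow-debuggers' in your wine.local)
+allow-debuggers
+caps.drop all
+# net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+# nosound
+notv
+# novideo
+seccomp
+
+private-dev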
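Review bot: The disabled options on lines 28, 34 and 36 (`# net none`, `# nosound`, `# novideo`) carry no explanation, while the allow-debuggers block directly above them documents both the reason and the wine.local override. A reader cannot tell whether these are optional hardening the user may enable or options known to break wine; a short lead-in such as `# Uncomment the following (or add to wine.local) if the application does not need network/sound/camera access` would settle it. The comment spacing (`# net none` here versus `#net none` in wps.profile and `#include` in whalebird.profile) is also inconsistent across this directory and worth normalising in one pass.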
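--- /dev/null
+++ b/etc/profile-m-z/wire-desktop.profile
@@ -0,0 +1,36 @@
+# Firejail profile for wire-desktop
+# Description: End-to-end encrypted messenger with file sharing, voice calls and video conferences
+# This file is overwritten after every install/update
+# Persistent local customizations
+include wire-desktop.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Debian/Ubuntu use /opt/Wire. As that is not in PATH by default, run `firejail /opt/Wire/wire-desktop` to start it.
+
+ignore caps.drop all
+ignore dbus-user none
+ignore dbus-system none
+
+noblacklist ${HOME}/.config/Wire
+
+include disable-devel.inc
+include disable-interpreters.inc
+
+mkdir ${HOME}/.config/Wire
+whitelist ${HOME}/.config/Wire
+include whitelist-common.inc
+
+caps.keep sys_admin,sys_chroot
+nou2f
+shell none
+
+disable-mnt
+private-bin bash,electron,electron4,electron6,env,sh,wire-desktop
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl
+private-tmp
+
+# Redirect
+include electron.profile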
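Review bot: Line 25 retains `sys_admin` and `sys_chroot` (after `ignore caps.drop all` on line 12) without any comment, yet CAP_SYS_ADMIN is close to full root inside the sandbox and largely undoes the capability hardening the rest of the profile relies on. The reason is presumably the Chromium setuid sandbox helper, which needs these to create its own namespaces, but that has to be stated so the exception can be revisited when the helper is no longer needed; e.g. `# sys_admin,sys_chroot are required by the Electron/Chromium SUID sandbox - TODO confirm`. The same lack of justification applies to the two `ignore dbus-*` lines on 13-14.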
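--- /dev/null
+++ b/etc/profile-m-z/wireshark-gtk.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for wireshark
+# Description: Network protocol analyzer
+# This file is overwritten after every install/update
+
+# Redirect
+include wireshark.profile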
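--- /dev/null
+++ b/etc/profile-m-z/wireshark-qt.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for wireshark
+# Description: Network protocol analyzer
+# This file is overwritten after every install/update
+
+# Redirect
+include wireshark.profile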
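--- /dev/null
+++ b/etc/profile-m-z/wireshark.profile
@@ -0,0 +1,50 @@
+# Firejail profile for wireshark
+# Description: Network traffic analyzer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include wireshark.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/wireshark
+noblacklist ${HOME}/.wireshark
+noblacklist ${DOCUMENTS}
+
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/wireshark
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+# caps.drop all
+caps.keep dac_override,net_admin,net_raw
+netfilter
+no3d
+# nogroups - breaks network traffic capture for unprivileged users
+# nonewprivs - breaks network traffic capture for unprivileged users
+# noroot
+nodvd
+nosound
+notv
+nou2f
+novideo
+# protocol unix,inet,inet6,netlink
+# seccomp - breaks network traffic capture for unprivileged users
+shell none
+tracelog
+
+# private-bin wireshark
+private-dev
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,ssl
+private-tmp
+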
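Review bot: Lines 35, 41, 46 and 48 (`# noroot`, `# protocol ...`, `# private-bin wireshark`, `# private-etc ...`) are commented out without the reason that lines 33, 34 and 42 give for their neighbours, so a reader cannot tell whether they break capture like the others or were simply never tested. Since this profile keeps `net_admin`, `net_raw` and `dac_override` and disables seccomp, every further relaxation deserves the same `- breaks network traffic capture ...` annotation or a `TODO: untested` marker. Separately, the description here says `Network traffic analyzer` while the two alias files say `Network protocol analyzer`; pick one wording.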
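--- /dev/null
+++ b/etc/profile-m-z/wordwarvi.profile
@@ -0,0 +1,51 @@
+# Firejail profile for wordwarvi
+# Description: Old school '80's style side scrolling space shoot'em up game.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include wordwarvi.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.wordwarvi
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.wordwarvi
+whitelist ${HOME}/.wordwarvi
+whitelist /usr/share/wordwarvi
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin wordwarvi
+private-cache
+private-dev
+private-etc alsa,asound.conf,machine-id,pulse
+private-tmp
+
+dbus-user none
+dbus-system none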
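--- /dev/null
+++ b/etc/profile-m-z/wpp.profile
@@ -0,0 +1,14 @@
+# Firejail profile for wpp
+# Description: WPS Office - Presentation
+# This file is overwritten after every install/update
+# Persistent local customizations
+include wpp.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+ignore machine-id
+ignore nosound
+
+# Redirect
+include wps.profile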
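--- /dev/null
+++ b/etc/profile-m-z/wps.profile
@@ -0,0 +1,49 @@
+# Firejail profile for wps
+# Description: WPS Office - Writer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include wps.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.kingsoft
+noblacklist ${HOME}/.config/Kingsoft
+noblacklist ${HOME}/.local/share/Kingsoft
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+# Uncomment the next line (or add to wps.local) if you don't use network features.
+#net none
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+# seccomp cause some minor issues, if you can live with them enable it.
+#seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none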
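Review bot: Line 39 disables seccomp for a closed-source office suite that parses untrusted documents, and "some minor issues" is not enough for a maintainer to judge whether the trade-off still holds; the comment should name the failing feature or link the tracking issue, e.g. `# seccomp breaks <feature> (see issue <PLACEHOLDER>); enable it in wps.local if you can live with that.`. The sentence also needs `causes`. With seccomp off, `nonewprivs` and `caps.drop all` on lines 24 and 32 become the main syscall-side controls, which is worth saying explicitly next to the disabled line.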
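--- /dev/null
+++ b/etc/profile-m-z/wpspdf.profile
@@ -0,0 +1,11 @@
+# Firejail profile for wpspdf
+# Description: Kingsoft Pdf Reader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include et.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include wps.profile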
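Review bot: Line 5 includes `et.local`, but this file is wpspdf.profile, so a user's wpspdf.local is never read and whatever they put in a different profile's local file silently applies to the PDF reader instead. Every other profile in this section includes its own name here; change the line to `include wpspdf.local`.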
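--- /dev/null
+++ b/etc/profile-m-z/x-terminal-emulator.profile
@@ -0,0 +1,22 @@
+# Firejail profile for x-terminal-emulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include x-terminal-emulator.local
+# Persistent global definitions
+include globals.local
+
+caps.drop all
+ipc-namespace
+net none
+nogroups
+noroot
+nou2f
+protocol unix
+seccomp
+
+private-dev
+
+dbus-user none
+dbus-system none
+
+noexec /tmp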
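Review bot: The header lacks the `# Description:` line that the other profiles in this section carry; the same is true of xcalc.profile, xed.profile and xmms.profile. Add one such as `# Description: Debian alternatives wrapper for the default X terminal emulator` so tooling that lists profile descriptions does not show an empty entry. Line 22 `noexec /tmp` sits alone after the dbus block; the other profiles group filesystem options ahead of `dbus-*`, so moving it up next to `private-dev` keeps the layout consistent.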
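--- /dev/null
+++ b/etc/profile-m-z/x2goclient.profile
@@ -0,0 +1,49 @@
+# Firejail profile for x2goclient
+# Description: Graphical client for X2Go remote desktop system
+# This file is overwritten after every install/update
+# Persistent local customizations
+include x2goclient.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.x2go
+noblacklist ${HOME}/.x2goclient
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+#no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+#private-bin nxproxy,x2goclient
+private-cache
+private-dev
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,X11,xdg
+#private-lib
+private-opt none
+private-srv none
+private-tmp
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute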
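Review bot: Line 9 exposes the whole of `${HOME}/.ssh` - private keys included - to a client that talks to remote hosts, with no whitelist of the home directory to narrow it and no comment about why write access is needed. If x2goclient only reads keys and config, `read-only ${HOME}/.ssh` after the noblacklist lines would prevent a compromised session from planting keys or rewriting `known_hosts`; if it must update known_hosts, note that instead. The disabled `#private-bin`, `#private-etc`, `#private-lib` and `#memory-deny-write-execute` lines (37, 40, 41, 49) give no reason either, unlike the commented options in wireshark.profile.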
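--- /dev/null
+++ b/etc/profile-m-z/xbill.profile
@@ -0,0 +1,53 @@
+# Firejail profile for xbill
+# Description: save your computers from Wingdows [TM] virus
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xbill.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/xbill
+whitelist /var/games/xbill/scores
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin xbill
+private-cache
+private-dev
+private-etc none
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}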
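--- /dev/null
+++ b/etc/profile-m-z/xcalc.profile
@@ -0,0 +1,42 @@
+# Firejail profile for xcalc
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xcalc.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private
+private-bin xcalc
+private-dev
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none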
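--- /dev/null
+++ b/etc/profile-m-z/xchat.profile
@@ -0,0 +1,23 @@
+# Firejail profile for xchat
+# Description: IRC client for X similar to AmIRC
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xchat.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/xchat
+
+include disable-common.inc
+include disable-devel.inc
+include disable-programs.inc
+
+caps.drop all
+nodvd
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+
+# private-bin requires perl, python*, etc.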
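Review bot: The hardening block (lines 15-21) is noticeably thinner than the other network clients in this section - no `nogroups`, `nou2f`, `novideo`, `shell none`, `private-dev`, `private-tmp` or `dbus-* none` - and only `private-bin` is explained. For an IRC client that receives untrusted text and runs scripting plugins, the absence of `private-dev`/`private-tmp` in particular deserves either the options themselves or a comment like line 23 stating which plugin breaks. The line 23 comment could also mention that `disable-interpreters.inc` was left out for the same reason, since that omission is otherwise unexplained.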
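--- /dev/null
+++ b/etc/profile-m-z/xed.profile
@@ -0,0 +1,53 @@
+# Firejail profile for xed
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xed.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/xed
+noblacklist ${HOME}/.python-history
+noblacklist ${HOME}/.python_history
+noblacklist ${HOME}/.pythonhist
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+# apparmor - makes settings immutable
+caps.drop all
+machine-id
+# net none - makes settings immutable
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin xed
+private-dev
+private-tmp
+
+# makes settings immutable
+# dbus-user none
+# dbus-system none
+
+# xed uses python plugins, memory-deny-write-execute breaks python
+# memory-deny-write-execute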
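--- /dev/null
+++ b/etc/profile-m-z/xfburn.profile
@@ -0,0 +1,32 @@
+# Firejail profile for xfburn
+# Description: CD-burner application for Xfce Desktop Environment
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xfburn.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/xfburn
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin xfburn
+# private-dev
+# private-tmp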
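Review bot: Lines 30-32 comment out `private-bin`, `private-dev` and `private-tmp` with no reason given. For `private-dev` the reason is presumably that the sandboxed /dev would hide the optical drive nodes a CD burner needs, and for `private-tmp` perhaps an ISO staging path, but a maintainer should not have to guess; write it down, e.g. `# private-dev - hides the optical drive device nodes needed for burning (TODO confirm)`. `netfilter` on line 18 is also unusual for a disc-burning tool; if the application has no network feature, `net none` would be the tighter default.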
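--- /dev/null
+++ b/etc/profile-m-z/xfce4-dict.profile
@@ -0,0 +1,40 @@
+# Firejail profile for xfce4-dict
+# Description: Dictionary plugin for Xfce4 panel
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xfce4-dict.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/xfce4-dict
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+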
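--- /dev/null
+++ b/etc/profile-m-z/xfce4-mixer.profile
@@ -0,0 +1,53 @@
+# Firejail profile for xfce4-mixer
+# Description: Volume control for Xfce
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xfce4-mixer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkfile ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
+whitelist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
+whitelist /usr/share/xfce4
+whitelist /usr/share/xfce4-mixer
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-bin xfce4-mixer,xfconf-query
+private-cache
+private-dev
+private-etc alternatives,asound.conf,fonts,machine-id,pulse
+private-tmp
+
+# dbus-user none
+# dbus-system none
+
+memory-deny-write-execute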
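Review bot: Lines 50-51 leave both D-Bus filters commented out without the reason that xed.profile gives for the same two lines (`# makes settings immutable`). The mixer writes its settings through xfconf-query (line 44), which presumably needs the session bus, so the comment is probably the same; state it, e.g. `# dbus-user none - xfconf settings become immutable (TODO confirm)`. With `protocol unix` on line 39 the session bus socket is already the main IPC channel left open, so documenting why it stays open is the relevant caveat here.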
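--- /dev/null
+++ b/etc/profile-m-z/xfce4-notes.profile
@@ -0,0 +1,42 @@
+# Firejail profile for xfce4-notes
+# Description: Notes application for the Xfce4 desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xfce4-notes.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/xfce4/xfce4-notes.gtkrc
+noblacklist ${HOME}/.config/xfce4/xfce4-notes.rc
+noblacklist ${HOME}/.local/share/notes
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+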
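Review bot: `netfilter` on line 24 together with `protocol unix` on line 34 is a contradictory pair: the protocol filter already denies inet/inet6 sockets, so the netfilter rules never see traffic, and for a local notes application `net none` would be the clearer statement of intent. The same `netfilter` + `protocol unix` combination appears in xfburn.profile and xfce4-mixer.profile. The file also ends with a trailing empty line 42 (as does xfce4-dict.profile), which the other profiles in this directory do not have.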
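--- /dev/null
+++ b/etc/profile-m-z/xiphos.profile
@@ -0,0 +1,50 @@
+# Firejail profile for xiphos
+# Description: Environment for Bible reading, study, and research
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xiphos.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.sword
+noblacklist ${HOME}/.xiphos
+
+blacklist ${HOME}/.bashrc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.sword
+mkdir ${HOME}/.xiphos
+whitelist ${HOME}/.sword
+whitelist ${HOME}/.xiphos
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin xiphos
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssli,sword,sword.conf
+private-tmp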
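Review bot: `ssli` in the private-etc list on line 49 looks like a typo for `ssl`; private-etc only exposes the listed entries, so the sandbox would get ca-certificates but not the /etc/ssl directory that the TLS library reads its trust store from, and HTTPS module downloads would fail or, depending on the library, silently skip verification. The line should read `private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl,sword,sword.conf`. Line 12 blacklists `${HOME}/.bashrc` with no reason given while `${HOME}` is already whitelist-restricted by lines 23-25, so that line is either redundant or needs a comment.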
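--- /dev/null
+++ b/etc/profile-m-z/xlinks.profile
@@ -0,0 +1,21 @@
+# Firejail profile for xlinks
+# Description: Text WWW browser (X11)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xlinks.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist /tmp/.X11-unix
+noblacklist ${HOME}/.links
+
+include whitelist-common.inc
+
+# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2'
+# to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line
+private-bin xlinks
+private-etc fonts
+
+# Redirect
+include links.profile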
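--- /dev/null
+++ b/etc/profile-m-z/xmms.profile
@@ -0,0 +1,31 @@
+# Firejail profile for xmms
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xmms.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.xmms
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+no3d
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin xmms
+private-dev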
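Review bot: The header on lines 1-6 has no `# Description:` line, which the other full profiles in this batch (xiphos, xonotic, xournal, xpdf, yelp, …) all carry; the same omission is in xmr-stak, xplayer, xviewer and yandex-browser. Add one after line 1 in the same style, `# Description: <one-line summary of xmms>`. Separately, this profile has neither `include disable-exec.inc` nor `private-tmp`, both of which its siblings set; if that is deliberate for xmms, a one-line comment saying why would stop a later cleanup from "fixing" it.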
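--- /dev/null
+++ b/etc/profile-m-z/xmr-stak.profile
@@ -0,0 +1,45 @@
+# Firejail profile for xmr-stak
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xmr-stak.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.xmr-stak
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.xmr-stak
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private ${HOME}/.xmr-stak
+private-bin xmr-stak
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+#private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend
+private-opt cuda
+private-tmp
+
+memory-deny-write-execute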
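Review bot: Line 41 disables `private-lib` with no reason given, so a reader cannot tell whether the library list is wrong, incomplete, or whether private-lib conflicts with the `private-opt cuda` on line 42 (which suggests the GPU backends load from outside the listed libraries). Record the reason in the same line, e.g. `#private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend - <reason it is disabled>`, so the weaker isolation is visibly deliberate rather than forgotten.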
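--- /dev/null
+++ b/etc/profile-m-z/xonotic-glx.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for xonotic
+# This file is overwritten after every install/update
+
+# Redirect
+include xonotic.profile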
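--- /dev/null
+++ b/etc/profile-m-z/xonotic-sdl.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for xonotic
+# This file is overwritten after every install/update
+
+# Redirect
+include xonotic.profile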
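--- /dev/null
+++ b/etc/profile-m-z/xonotic.profile
@@ -0,0 +1,43 @@
+# Firejail profile for xonotic
+# Description: A free, fast-paced crossplatform first-person shooter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xonotic.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.xonotic
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.xonotic
+whitelist ${HOME}/.xonotic
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin bash,blind-id,darkplaces-glx,darkplaces-sdl,dirname,grep,ldd,netstat,ps,readlink,sh,uname,xonotic,xonotic-glx,xonotic-linux32-dedicated,xonotic-linux32-glx,xonotic-linux32-sdl,xonotic-linux64-dedicated,xonotic-linux64-glx,xonotic-linux64-sdl,xonotic-sdl
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none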
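Review bot: The private-bin list on line 37 admits general-purpose tools (`bash`, `sh`, `grep`, `ldd`, `netstat`, `ps`, `uname`, `dirname`, `readlink`) next to the game binaries without saying why, so anyone tightening the profile cannot tell which of them are actually required; presumably the xonotic launcher script calls them. A comment above the line such as `# bash, sh, grep, ldd, netstat, ps, uname, dirname, readlink are used by the xonotic launcher script` (if that is the reason) would make the allowance auditable and keep the shells from being dropped by mistake.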
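--- /dev/null
+++ b/etc/profile-m-z/xournal.profile
@@ -0,0 +1,49 @@
+# Firejail profile for xournal
+# Description: Note taking and PDF editing
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xournal.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/xournal
+whitelist /usr/share/poppler
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin xournal
+private-cache
+private-dev
+private-etc alternatives,fonts,group,machine-id,passwd
+# TODO should use private-lib
+private-tmp
+
+dbus-user none
+dbus-system none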
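--- /dev/null
+++ b/etc/profile-m-z/xpdf.profile
@@ -0,0 +1,45 @@
+# Firejail profile for xpdf
+# Description: Portable Document Format (PDF) reader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xpdf.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.xpdfrc
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute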
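Review bot: There is no `private-bin` line (lines 39-40 only set `private-dev` and `private-tmp`), unlike xournal and xreader in the same batch, so the whole of /usr/bin stays visible to a program that opens untrusted documents; a reader cannot tell whether that is an oversight or because xpdf launches helper programs configured in `${HOME}/.xpdfrc` (line 9). Either add `private-bin xpdf` to match the sibling profiles, or keep the omission and document it with a comment naming the helpers it needs, so the wider exposure is visibly deliberate.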
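--- /dev/null
+++ b/etc/profile-m-z/xplayer-audio-preview.profile
@@ -0,0 +1,10 @@
+# Firejail profile for xplayer-audio-preview
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xplayer-audio-preview.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include xplayer.profile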
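--- /dev/null
+++ b/etc/profile-m-z/xplayer-video-thumbnailer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for xplayer-video-thumbnailer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xplayer-video-thumbnailer.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include xplayer.profile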
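--- /dev/null
+++ b/etc/profile-m-z/xplayer.profile
@@ -0,0 +1,46 @@
+# Firejail profile for xplayer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xplayer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/xplayer
+noblacklist ${HOME}/.local/share/xplayer
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+# apparmor - makes settings immutable
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
+private-dev
+# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
+private-tmp
+
+# makes settings immutable
+# dbus-user none
+# dbus-system none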
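Review bot: Line 41 comments out `private-etc` with no reason, whereas lines 27 and 44 say why `apparmor` and the two dbus lines are disabled; without it, the commented list reads like an unfinished edit and the next maintainer cannot tell whether enabling it is safe. Give it the same treatment as line 27, e.g. `# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl - <reason it is disabled>`, using "makes settings immutable" if that is in fact the cause.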
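--- /dev/null
+++ b/etc/profile-m-z/xpra.profile
@@ -0,0 +1,54 @@
+# Firejail profile for xpra
+# Description: Tool to detach/reattach running X programs
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include xpra.local
+# Persistent global definitions
+include globals.local
+
+#
+# This profile will sandbox Xpra server itself when used with firejail --x11=xpra.
+# To enable it, create a firejail-xpra symlink in /usr/local/bin:
+#
+# $ sudo ln -s /usr/bin/firejail /usr/local/bin/xpra
+#
+# or run "sudo firecfg"
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+whitelist /var/lib/xkb
+# whitelisting home directory, or including whitelist-common.inc
+# will crash xpra on some platforms
+
+caps.drop all
+# xpra needs to be allowed access to the abstract Unix socket namespace.
+nodvd
+nogroups
+nonewprivs
+# In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix.
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+# private home directory doesn't work on some distros, so we go for a regular home
+# private
+# older Xpra versions also use Xvfb
+# private-bin bash,cat,dbus-launch,ldconfig,ls,pactl,python*,sh,strace,which,xauth,xkbcomp,Xorg,xpra,Xvfb
+private-dev
+# private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,nsswitch.conf,resolv.conf,X11,xpra
+private-tmp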
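Review bot: The comment on line 33, `xpra needs to be allowed access to the abstract Unix socket namespace.`, sits directly above `nodvd`, which it has nothing to do with; it appears to justify an option that is deliberately absent (presumably `net none` or `ipc-namespace`), but the reader has to guess which. Name the omitted option in the comment, e.g. `# no net none/ipc-namespace: xpra needs access to the abstract Unix socket namespace`, so the weaker isolation is recorded as intentional the way line 37 does for `#noroot`.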
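--- /dev/null
+++ b/etc/profile-m-z/xreader-previewer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for xreader-previewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xreader-previewer.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include xreader.profile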
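--- /dev/null
+++ b/etc/profile-m-z/xreader-thumbnailer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for xreader-thumbnailer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xreader-thumbnailer.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include xreader.profile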
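--- /dev/null
+++ b/etc/profile-m-z/xreader.profile
@@ -0,0 +1,45 @@
+# Firejail profile for xreader
+# Description: Document viewer for files like PDF and Postscript. X-Apps Project.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xreader.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/xreader
+noblacklist ${HOME}/.config/xreader
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# Breaks xreader on Mint 18.3
+# include whitelist-var-common.inc
+
+# apparmor
+caps.drop all
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin xreader,xreader-previewer,xreader-thumbnailer
+private-dev
+private-etc alternatives,fonts,ld.so.cache
+private-tmp
+
+memory-deny-write-execute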
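Review bot: Line 24 disables `apparmor` without a reason, while line 21 explains why `whitelist-var-common.inc` is off; an unexplained commented-out hardening option tends to be either re-enabled blindly or left disabled forever. Put the reason on the line itself, `# apparmor - <reason it is disabled>`, as xplayer does with `# apparmor - makes settings immutable`.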
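--- /dev/null
+++ b/etc/profile-m-z/xviewer.profile
@@ -0,0 +1,48 @@
+# Firejail profile for xviewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xviewer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.Steam
+noblacklist ${HOME}/.config/xviewer
+noblacklist ${HOME}/.local/share/Trash
+noblacklist ${HOME}/.steam
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+# apparmor - makes settings immutable
+caps.drop all
+# net none - makes settings immutable
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin xviewer
+private-dev
+private-lib
+private-tmp
+
+# makes settings immutable
+# dbus-user none
+# dbus-system none
+
+memory-deny-write-execute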
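Review bot: Lines 8 and 11 unblock `${HOME}/.Steam` and `${HOME}/.steam` for an image viewer with no explanation, which exposes a large directory unrelated to image viewing to a program that opens untrusted files; presumably this is so Steam screenshots can be viewed. A comment above line 8 such as `# Steam directories are exposed so screenshots under ~/.steam can be opened; blacklist them in xviewer.local if not needed` (adjusted to the real reason) would make the exposure auditable and tell users how to opt out.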
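--- /dev/null
+++ b/etc/profile-m-z/xxd.profile
@@ -0,0 +1,12 @@
+# Firejail profile for xxd
+# Description: Tool to make (or reverse) a hex dump
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include xxd.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile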
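--- /dev/null
+++ b/etc/profile-m-z/xz.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+
+# Redirect
+include cpio.profile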
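--- /dev/null
+++ b/etc/profile-m-z/xzcat.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+
+# Redirect
+include cpio.profile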
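--- /dev/null
+++ b/etc/profile-m-z/xzcmp.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+
+# Redirect
+include cpio.profile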
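--- /dev/null
+++ b/etc/profile-m-z/xzdec.profile
@@ -0,0 +1,41 @@
+# Firejail profile for xzdec
+# Description: XZ-format compression utilities - tiny decompressors
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include xzdec.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+#nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-dev
+
+dbus-user none
+dbus-system none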
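Review bot: `#nogroups` on line 25 and `#noroot` on line 27 are disabled with no reason, while xpra in the same batch documents its `#noroot` with the failure it avoids; for a decompressor that handles untrusted archives, an unexplained gap in the user-namespace hardening is exactly what a later reader will want to know about. State the cause on the line, e.g. `#noroot - <reason it is disabled>`, or drop the commented lines if they are simply not applicable.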
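--- /dev/null
+++ b/etc/profile-m-z/xzdiff.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+
+# Redirect
+include cpio.profile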
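--- /dev/null
+++ b/etc/profile-m-z/xzegrep.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+
+# Redirect
+include cpio.profile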
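--- /dev/null
+++ b/etc/profile-m-z/xzfgrep.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+
+# Redirect
+include cpio.profile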
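--- /dev/null
+++ b/etc/profile-m-z/xzgrep.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+# Redirect
+include cpio.profile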
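--- /dev/null
+++ b/etc/profile-m-z/xzless.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+# Redirect
+include cpio.profile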
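--- /dev/null
+++ b/etc/profile-m-z/xzmore.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+
+# Redirect
+include cpio.profile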
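--- /dev/null
+++ b/etc/profile-m-z/yandex-browser.profile
@@ -0,0 +1,23 @@
+# Firejail profile for yandex-browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include yandex-browser.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/yandex-browser
+noblacklist ${HOME}/.cache/yandex-browser-beta
+noblacklist ${HOME}/.config/yandex-browser
+noblacklist ${HOME}/.config/yandex-browser-beta
+
+mkdir ${HOME}/.cache/yandex-browser
+mkdir ${HOME}/.cache/yandex-browser-beta
+mkdir ${HOME}/.config/yandex-browser
+mkdir ${HOME}/.config/yandex-browser-beta
+whitelist ${HOME}/.cache/yandex-browser
+whitelist ${HOME}/.cache/yandex-browser-beta
+whitelist ${HOME}/.config/yandex-browser
+whitelist ${HOME}/.config/yandex-browser-beta
+
+# Redirect
+include chromium-common.profile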
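--- /dev/null
+++ b/etc/profile-m-z/yelp.profile
@@ -0,0 +1,57 @@
+# Firejail profile for yelp
+# Description: Help browser for the GNOME desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include yelp.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/yelp
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/yelp
+whitelist ${HOME}/.config/yelp
+whitelist /usr/share/doc
+whitelist /usr/share/help
+whitelist /usr/share/yelp
+whitelist /usr/share/yelp-xsl
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin yelp
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,gtk-3.0,machine-id,openal,os-release,pulse,sgml,xml
+private-tmp
+
+# read-only ${HOME} breaks some not necesarry featrues, comment it if
+# you need them or put 'ignore read-only ${HOME}' into your yelp.local.
+# broken features:
+# 1. yelp --editor-mode
+# 2. saving the window geometry
+read-only ${HOME}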
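Review bot: The comment on lines 52-53 has two typos, `necesarry featrues`, and "comment it if you need them" is ambiguous about what to comment out. Suggested wording for the two lines: `# read-only ${HOME} breaks some non-essential features; comment out the line below if` / `# you need them, or put 'ignore read-only ${HOME}' into your yelp.local.` The list on lines 54-56 can stay as it is.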
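--- /dev/null
+++ b/etc/profile-m-z/youtube-dl.profile
@@ -0,0 +1,66 @@
+# Firejail profile for youtube-dl
+# Description: Downloader of videos from YouTube and other sites
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include youtube-dl.local
+# Persistent global definitions
+include globals.local
+
+# breaks when installed under ${HOME} via `pip install --user` (see #2833)
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.cache/youtube-dl
+noblacklist ${HOME}/.config/youtube-dl
+noblacklist ${HOME}/.netrc
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin env,ffmpeg,python*,youtube-dl
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,mime.types,pki,resolv.conf,ssl,youtube-dl.conf
+private-tmp
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)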
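Review bot: Line 15, `noblacklist ${HOME}/.netrc`, exposes a file that commonly holds credentials for services unrelated to youtube-dl, and nothing on the page says why it is unblocked; presumably it is for youtube-dl's `--netrc` login option. Since the same file is reachable by a network-enabled program that processes untrusted site content, a comment such as `# ~/.netrc is exposed for --netrc; blacklist it in youtube-dl.local if you do not use it` would record the trade-off and give users the opt-out, in the same style as the `ignore noexec` note on line 10.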
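--- /dev/null
+++ b/etc/profile-m-z/zaproxy.profile
@@ -0,0 +1,47 @@
+# Firejail profile for zaproxy
+# Description: Integrated penetration testing tool for finding vulnerabilities in web applications
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zaproxy.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.ZAP
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.java
+mkdir ${HOME}/.ZAP
+whitelist ${HOME}/.java
+whitelist ${HOME}/.ZAP
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+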
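Review bot: The file ends with an empty line 47 after `private-tmp` (the hunk header counts 47 lines), which none of the other new profiles in this batch do; drop the trailing blank line so the file matches its siblings. Separately, there is no `private-bin` or `private-etc` here, unlike xiphos and youtube-dl; if that is because the Java launcher needs an unpredictable set of binaries, a one-line comment saying so would stop the omission from reading as an oversight.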
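--- /dev/null
+++ b/etc/profile-m-z/zart.profile
@@ -0,0 +1,37 @@
+# Firejail profile for zart
+# Description: A GUI for G'MIC real-time manipulations on the output of a webcam
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zart.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix
+seccomp
+shell none
+
+private-bin ffmpeg,ffplay,ffprobe,melt,zart
+private-dev
+
+dbus-user none
+dbus-system none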
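--- /dev/null
+++ b/etc/profile-m-z/zathura.profile
@@ -0,0 +1,59 @@
+# Firejail profile for zathura
+# Description: Document viewer with a minimalistic interface
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zathura.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/zathura
+noblacklist ${HOME}/.local/share/zathura
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/zathura
+mkdir ${HOME}/.local/share/zathura
+whitelist /usr/share/doc
+whitelist /usr/share/zathura
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin zathura
+private-cache
+private-dev
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id
+# private-lib has problems on Debian 10
+#private-lib gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,libarchive.so.*,libdjvulibre.so.*,libgirara-gtk*,libpoppler-glib.so.*,libspectre.so.*,zathura
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}
+read-write ${HOME}/.config/zathura
+read-write ${HOME}/.local/share/zathura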
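--- /dev/null
+++ b/etc/profile-m-z/zcat.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zcat
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zcat.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile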
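--- /dev/null
+++ b/etc/profile-m-z/zcmp.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zcmp
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zcmp.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile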
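--- /dev/null
+++ b/etc/profile-m-z/zdiff.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zdiff
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zdiff.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile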
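--- /dev/null
+++ b/etc/profile-m-z/zeal.profile
@@ -0,0 +1,58 @@
+# Firejail profile for zeal
+# Description: Offline documentation browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zeal.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Zeal
+noblacklist ${HOME}/.cache/Zeal
+noblacklist ${HOME}/.local/share/Zeal
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/Zeal
+mkdir ${HOME}/.cache/Zeal
+mkdir ${HOME}/.local/share/Zeal
+whitelist ${HOME}/.config/Zeal
+whitelist ${HOME}/.cache/Zeal
+whitelist ${HOME}/.local/share/Zeal
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin zeal
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute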
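--- /dev/null
+++ b/etc/profile-m-z/zegrep.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zegrep
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zegrep.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile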
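--- /dev/null
+++ b/etc/profile-m-z/zfgrep.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zfgrep
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zfgrep.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile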
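--- /dev/null
+++ b/etc/profile-m-z/zforce.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zforce
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zforce.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile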
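--- /dev/null
+++ b/etc/profile-m-z/zgrep.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zgrep
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zgrep.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile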
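--- /dev/null
+++ b/etc/profile-m-z/zless.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zless
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zless.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile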
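--- /dev/null
+++ b/etc/profile-m-z/zmore.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zmore
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zmore.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile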
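--- /dev/null
+++ b/etc/profile-m-z/znew.profile
@@ -0,0 +1,11 @@
+# Firejail profile for znew
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include znew.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile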
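--- /dev/null
+++ b/etc/profile-m-z/zoom.profile
@@ -0,0 +1,33 @@
+# Firejail profile for zoom
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zoom.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/zoomus.conf
+noblacklist ${HOME}/.zoom
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/zoom
+mkfile ${HOME}/.config/zoomus.conf
+mkdir ${HOME}/.zoom
+whitelist ${HOME}/.cache/zoom
+whitelist ${HOME}/.config/zoomus.conf
+whitelist ${HOME}/.zoom
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+
+private-tmp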
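Review bot: zoom.profile is markedly looser than the other profiles in this commit and records no reason for it: it skips `include disable-exec.inc` and `include disable-passwdmgr.inc`, has no `shell none`, `nogroups`, `nou2f`, `private-dev` or D-Bus restriction, and relaxes the filter with `seccomp !chroot` on line 31. Some of this is presumably required by the client's bundled browser component, but `include disable-passwdmgr.inc` and `nou2f` look like safe additions for a video-conferencing client, and the others deserve at least a comment. The `!chroot` exemption in particular is a weakening a reader should not have to guess at; a trailing note such as `# seccomp !chroot - required by zoom (reason: <fill in>)` would capture the rationale. The profile also lacks a `# Description:` line that the neighbouring profiles carry.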
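--- /dev/null
+++ b/etc/profile-m-z/zpaq.profile
@@ -0,0 +1,15 @@
+# Firejail profile for zpaq
+# Description: Programmable file compressor, library and utilities. Based on the PAQ compression algorithm.
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zpaq.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# mdwx breaks 'list' functionality
+ignore memory-deny-write-execute
+
+# Redirect
+include cpio.profile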
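--- /dev/null
+++ b/etc/profile-m-z/zstd.profile
@@ -0,0 +1,43 @@
+# Firejail profile for zstd
+# Description: Zstandard - Fast real-time compression algorithm
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zstd.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+apparmor
+caps.drop all
+hostname zstd
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-cache
+private-dev
+
+memory-deny-write-execute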
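Review bot: `#noroot` on line 29 of zstd.profile is disabled without a reason, unlike the `#memory-deny-write-execute - breaks on Arch (see issue #1803)` convention used elsewhere in this commit; a trailing note such as `#noroot - <reason it breaks zstd>` would stop the next editor from re-enabling it blindly. For a plain compression tool that already has `net none` and `x11 none`, `noroot` is normally harmless, so the omission reads as an oversight rather than a deliberate exception. The same applies to `hostname zstd` on line 21, which is unusual for a command-line filter and would benefit from a one-line comment.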
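--- /dev/null
+++ b/etc/profile-m-z/zstdcat.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+
+# Redirect
+include zstd.profile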
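--- /dev/null
+++ b/etc/profile-m-z/zstdgrep.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+
+# Redirect
+include zstd.profile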
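--- /dev/null
+++ b/etc/profile-m-z/zstdless.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+
+# Redirect
+include zstd.profile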
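--- /dev/null
+++ b/etc/profile-m-z/zstdmt.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+
+# Redirect
+include zstd.profile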
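--- /dev/null
+++ b/etc/profile-m-z/zulip.profile
@@ -0,0 +1,47 @@
+# Firejail profile for zulip
+# Description: Real-time team chat based on the email threading model
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zulip.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec /tmp
+
+noblacklist ${HOME}/.config/Zulip
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/Zulip
+whitelist ${HOME}/.config/Zulip
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin locale,zulip
+private-cache
+private-dev
+private-etc asound.conf,fonts,machine-id
+private-tmp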
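Review bot: `ignore noexec /tmp` on line 9 of zulip.profile undoes the noexec mount option on /tmp that the rest of the profile set relies on, yet nothing says why; a comment on the line above, such as `# zulip needs an executable /tmp (reason: <fill in>)`, would document the weakening the way zpaq.profile documents its `ignore memory-deny-write-execute`. The profile also stops at `private-tmp` without the `dbus-user none` / `dbus-system none` pair that zart, zathura and zeal carry, which looks like an omission for a chat client with no stated bus dependency. Finally, `private-etc asound.conf,fonts,machine-id` on line 46 contains no resolver, hosts or CA-certificate entries even though the profile permits inet; if this works because the application bundles its own trust store, a short comment would save the next reader from trying to "fix" it.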