Merge branch 'master' of ssh://github.com/netblue30/firejail

author: netblue30 <netblue30@protonmail.com> 2023-07-26 08:59:33 -0400
committer: netblue30 <netblue30@protonmail.com> 2023-07-26 08:59:33 -0400
commit: 6d4bb95948363263e220dc475db71a9341f1294e (patch)
tree: 5c66a28720ee7fd78683a219717d3d7e40eed265 /etc/profile-m-z
parent: netlock/nettrace cleanup (diff)
parent: spotify: D-Bus hardening (#5923) (diff)
download: firejail-6d4bb95948363263e220dc475db71a9341f1294e.tar.gz
firejail-6d4bb95948363263e220dc475db71a9341f1294e.tar.zst
firejail-6d4bb95948363263e220dc475db71a9341f1294e.zip
16 files changed, 95 insertions, 31 deletions
diff --git a/etc/profile-m-z/minetest.profile b/etc/profile-m-z/minetest.profile
index 15474c96e..7b0135695 100644
--- a/etc/profile-m-z/minetest.profile
+++ b/etc/profile-m-z/minetest.profile
@@ -6,8 +6,9 @@ include minetest.local
 # Persistent global definitions
 include globals.local
-# In order to save in-game screenshots to a persistent location edit ~/.minetest/minetest.conf:
+# In order to save in-game screenshots to a persistent location,
-#   screenshot_path = /home/<USER>/.minetest/screenshots
+# edit ~/.minetest/minetest.conf:
+# screenshot_path = /home/<USER>/.minetest/screenshots
 noblacklist ${HOME}/.cache/minetest
 noblacklist ${HOME}/.minetest
diff --git a/etc/profile-m-z/mov-cli.profile b/etc/profile-m-z/mov-cli.profile
index c5f764912..8007b887a 100644
--- a/etc/profile-m-z/mov-cli.profile
+++ b/etc/profile-m-z/mov-cli.profile
@@ -8,9 +8,13 @@ include mov-cli.local
 # added by included profile
 #include globals.local
+noblacklist ${HOME}/.config/mov-cli
 include disable-proc.inc
 include disable-xdg.inc
+mkdir ${HOME}/.config/mov-cli
+whitelist ${HOME}/.config/mov-cli
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index bd01d4082..fd35483be 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -9,7 +9,7 @@ include globals.local
 # In order to save screenshots to a persistent location,
 # edit ~/.config/mpv/foobar.conf:
-#    screenshot-directory=~/Pictures
+# screenshot-directory=~/Pictures
 # mpv has a powerful Lua API and some of the Lua scripts interact with
 # external resources which are blocked by firejail. In such cases you need to
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
index f3b0c8a49..4c463521c 100644
--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -7,7 +7,7 @@ include nodejs-common.local
 # added by caller profile
 #include globals.local
-# NOTE: gulp, node-gyp, npm, npx, semver and yarn are all node scripts
+# Note: gulp, node-gyp, npm, npx, semver and yarn are all node scripts
 # using the `#!/usr/bin/env node` shebang. By sandboxing node the full
 # node.js stack will be firejailed. The only exception is nvm, which is implemented
 # as a sourced shell function, not an executable binary. Hence it is not
diff --git a/etc/profile-m-z/noprofile.profile b/etc/profile-m-z/noprofile.profile
index db4113f94..7d0e01d98 100644
--- a/etc/profile-m-z/noprofile.profile
+++ b/etc/profile-m-z/noprofile.profile
@@ -1,17 +1,16 @@
 # This is the weakest possible firejail profile.
-# If a program still fail with this profile, it is incompatible with firejail.
+# If a program still fails with this profile, it is incompatible with firejail.
 # (from https://gist.github.com/rusty-snake/bb234cb3e50e1e4e7429f29a7931cc72)
 #
 # Usage:
-#   1. download
+# $ firejail --profile=noprofile.profile /path/to/program
-#   2. firejail --profile=noprofile.profile /path/to/program
 # Keep in mind that even with this profile some things are done
-# which can break the program.
+# which can break the program:
-# - some env-vars are cleared
+# - some env-vars are cleared;
-# - /etc/firejail/firejail.config can contain options such as 'force-nonewprivs yes'
+# - /etc/firejail/firejail.config can contain options such as 'force-nonewprivs yes';
-# - a new private pid-namespace is created
+# - a new private pid-namespace is created;
-# - a minimal hardcoded blacklist is applied
+# - a minimal hardcoded blacklist is applied;
 # - ...
 noblacklist /sys/fs
diff --git a/etc/profile-m-z/palemoon.profile b/etc/profile-m-z/palemoon.profile
index 24701b657..ab4e24595 100644
--- a/etc/profile-m-z/palemoon.profile
+++ b/etc/profile-m-z/palemoon.profile
@@ -12,6 +12,8 @@ mkdir ${HOME}/.cache/moonchild productions/pale moon
 mkdir ${HOME}/.moonchild productions
 whitelist ${HOME}/.cache/moonchild productions/pale moon
 whitelist ${HOME}/.moonchild productions
+whitelist /usr/share/moonchild productions
+whitelist /usr/share/palemoon
 # Palemoon can use the full firejail seccomp filter (unlike firefox >= 60)
 seccomp
diff --git a/etc/profile-m-z/pingus.profile b/etc/profile-m-z/pingus.profile
index 3ff033e0b..e274b6443 100644
--- a/etc/profile-m-z/pingus.profile
+++ b/etc/profile-m-z/pingus.profile
@@ -23,8 +23,9 @@ include disable-xdg.inc
 mkdir ${HOME}/.pingus
 whitelist ${HOME}/.pingus
+# Debian keeps games data under /usr/share/games
+whitelist /usr/share/games/pingus
 whitelist /usr/share/pingus
-whitelist /usr/share/games/pingus      # Debian keeps games data under /usr/share/games
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/rtin.profile b/etc/profile-m-z/rtin.profile
index 87aa69bcb..b1acf8b2e 100644
--- a/etc/profile-m-z/rtin.profile
+++ b/etc/profile-m-z/rtin.profile
@@ -1,6 +1,6 @@
 # Firejail profile for rtin
 # Description: ncurses-based Usenet newsreader
-#              symlink to tin, same as `tin -r`
+# symlink to tin, same as `tin -r`
 # This file is overwritten after every install/update
 # Persistent local customizations
 include rtin.local
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
index 3e1899ef3..8cb4e4173 100644
--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -11,7 +11,9 @@ ignore noexec /tmp
 noblacklist ${HOME}/.config/Signal
-# These lines are needed to allow Firefox to open links
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
@@ -21,11 +23,9 @@ whitelist ${HOME}/.config/Signal
 private-etc @tls-ca
 dbus-user filter
 # allow D-Bus notifications
 dbus-user.talk org.freedesktop.Notifications
+# allow D-Bus communication with firefox for opening links
-# allow D-Bus communication with Firefox browsers for opening links
 dbus-user.talk org.mozilla.*
 ignore dbus-user none
diff --git a/etc/profile-m-z/sniffnet.profile b/etc/profile-m-z/sniffnet.profile
new file mode 100644
index 000000000..eb18c1f01
--- /dev/null
+++ b/etc/profile-m-z/sniffnet.profile
@@ -0,0 +1,49 @@
+# Firejail profile for sniffnet
+# Description: Network traffic monitor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sniffnet.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/sniffnet
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+#caps.drop all
+caps.keep net_admin,net_raw
+netfilter
+nodvd
+nogroups
+noinput
+# nonewprivs - breaks network traffic capture for unprivileged users
+# noroot
+notv
+nou2f
+novideo
+#seccomp
+tracelog
+disable-mnt
+#private-bin sniffnet
+# private-dev prevents (some) interfaces from being shown.
+private-etc @network,@tls-ca
+private-tmp
+dbus-user none
+dbus-system none
+#restrict-namespaces
diff --git a/etc/profile-m-z/spotify.profile b/etc/profile-m-z/spotify.profile
index f07b10319..c893a92fb 100644
--- a/etc/profile-m-z/spotify.profile
+++ b/etc/profile-m-z/spotify.profile
@@ -16,6 +16,7 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 mkdir ${HOME}/.cache/spotify
@@ -34,6 +35,7 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 notv
 nou2f
@@ -50,8 +52,11 @@ private-opt spotify
 private-srv none
 private-tmp
-# dbus needed for MPRIS
+dbus-user filter
-# dbus-user none
+dbus-user.own org.mpris.MediaPlayer2.spotify
-# dbus-system none
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.mpris.MediaPlayer2.Player
+dbus-system none
 restrict-namespaces
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index 63d629a32..99317c9dc 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -133,9 +133,9 @@ whitelist ${HOME}/.steampid
 include whitelist-common.inc
 include whitelist-var-common.inc
-# NOTE: The following were intentionally left out as they are alternative
+# Note: The following were intentionally left out as they are alternative
 # (i.e.: unnecessary and/or legacy) paths whose existence may potentially
-# clobber other paths (see #4225).  If you use any, either add the entry to
+# clobber other paths (see #4225). If you use any, either add the entry to
 # steam.local or move the contents to a path listed above (or open an issue if
 # it's missing above).
 #mkdir ${HOME}/.config/RogueLegacyStorageContainer
diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile
index 5df207e25..f2405a7d3 100644
--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -47,10 +47,7 @@ whitelist ${HOME}/.thunderbird
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
-whitelist /usr/share/mozilla
 whitelist /usr/share/thunderbird
-whitelist /usr/share/webext
-include whitelist-usr-share-common.inc
 # machine-id breaks audio in browsers; enable or put it in your thunderbird.local when sound is not required
 #machine-id
diff --git a/etc/profile-m-z/tin.profile b/etc/profile-m-z/tin.profile
index a03a6caa0..35ff14e88 100644
--- a/etc/profile-m-z/tin.profile
+++ b/etc/profile-m-z/tin.profile
@@ -24,8 +24,8 @@ include disable-xdg.inc
 mkdir ${HOME}/.tin
 mkfile ${HOME}/.newsrc
 # Note: files/directories directly in ${HOME} can't be whitelisted, as
-#       tin saves .newsrc by renaming a temporary file, which is not possible for
+# tin saves .newsrc by renaming a temporary file, which is not possible for
-#       bind-mounted files.
+# bind-mounted files.
 #whitelist ${HOME}/.newsrc
 #whitelist ${HOME}/.tin
 #include whitelist-common.inc
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile
index ba68ccb53..2578eb0be 100644
--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -7,7 +7,6 @@ include trojita.local
 include globals.local
 noblacklist ${HOME}/.abook
-noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.cache/flaska.net/trojita
 noblacklist ${HOME}/.config/flaska.net
@@ -19,11 +18,16 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
 mkdir ${HOME}/.abook
 mkdir ${HOME}/.cache/flaska.net/trojita
 mkdir ${HOME}/.config/flaska.net
 whitelist ${HOME}/.abook
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
 whitelist ${HOME}/.cache/flaska.net/trojita
 whitelist ${HOME}/.config/flaska.net
 include whitelist-common.inc
@@ -49,7 +53,6 @@ seccomp
 tracelog
 # disable-mnt
-# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
 private-bin trojita
 private-cache
 private-dev
@@ -58,6 +61,8 @@ private-tmp
 dbus-user filter
 dbus-user.talk org.freedesktop.secrets
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*
 dbus-system none
 restrict-namespaces
diff --git a/etc/profile-m-z/waterfox.profile b/etc/profile-m-z/waterfox.profile
index 18f1ca79a..bf6f45e41 100644
--- a/etc/profile-m-z/waterfox.profile
+++ b/etc/profile-m-z/waterfox.profile
@@ -12,6 +12,7 @@ mkdir ${HOME}/.cache/waterfox
 mkdir ${HOME}/.waterfox
 whitelist ${HOME}/.cache/waterfox
 whitelist ${HOME}/.waterfox
+whitelist /usr/share/waterfox
 # Add the next lines to your watefox.local if you want to use the migration wizard.
 #noblacklist ${HOME}/.mozilla
author	netblue30 <netblue30@protonmail.com>	2023-07-26 08:59:33 -0400
committer	netblue30 <netblue30@protonmail.com>	2023-07-26 08:59:33 -0400
commit	6d4bb95948363263e220dc475db71a9341f1294e (patch)
tree	5c66a28720ee7fd78683a219717d3d7e40eed265 /etc/profile-m-z
parent	netlock/nettrace cleanup (diff)
parent	spotify: D-Bus hardening (#5923) (diff)
download	firejail-6d4bb95948363263e220dc475db71a9341f1294e.tar.gz firejail-6d4bb95948363263e220dc475db71a9341f1294e.tar.zst firejail-6d4bb95948363263e220dc475db71a9341f1294e.zip

diff --git a/etc/profile-m-z/minetest.profile b/etc/profile-m-z/minetest.profile index 15474c96e..7b0135695 100644 --- a/etc/profile-m-z/minetest.profile +++ b/etc/profile-m-z/minetest.profile
@@ -6,8 +6,9 @@ include minetest.local
6	# Persistent global definitions	6	# Persistent global definitions
7	include globals.local	7	include globals.local
8		8
9	# In order to save in-game screenshots to a persistent location edit ~/.minetest/minetest.conf:	9	# In order to save in-game screenshots to a persistent location,
10	# screenshot_path = /home/<USER>/.minetest/screenshots	10	# edit ~/.minetest/minetest.conf:
		11	# screenshot_path = /home/<USER>/.minetest/screenshots
11		12
12	noblacklist ${HOME}/.cache/minetest	13	noblacklist ${HOME}/.cache/minetest
13	noblacklist ${HOME}/.minetest	14	noblacklist ${HOME}/.minetest


diff --git a/etc/profile-m-z/mov-cli.profile b/etc/profile-m-z/mov-cli.profile index c5f764912..8007b887a 100644 --- a/etc/profile-m-z/mov-cli.profile +++ b/etc/profile-m-z/mov-cli.profile
@@ -8,9 +8,13 @@ include mov-cli.local
8	# added by included profile	8	# added by included profile
9	#include globals.local	9	#include globals.local
10		10
		11	noblacklist ${HOME}/.config/mov-cli
		12
11	include disable-proc.inc	13	include disable-proc.inc
12	include disable-xdg.inc	14	include disable-xdg.inc
13		15
		16	mkdir ${HOME}/.config/mov-cli
		17	whitelist ${HOME}/.config/mov-cli
14	include whitelist-run-common.inc	18	include whitelist-run-common.inc
15	include whitelist-runuser-common.inc	19	include whitelist-runuser-common.inc
16		20


diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile index bd01d4082..fd35483be 100644 --- a/etc/profile-m-z/mpv.profile +++ b/etc/profile-m-z/mpv.profile
@@ -9,7 +9,7 @@ include globals.local
9		9
10	# In order to save screenshots to a persistent location,	10	# In order to save screenshots to a persistent location,
11	# edit ~/.config/mpv/foobar.conf:	11	# edit ~/.config/mpv/foobar.conf:
12	# screenshot-directory=~/Pictures	12	# screenshot-directory=~/Pictures
13		13
14	# mpv has a powerful Lua API and some of the Lua scripts interact with	14	# mpv has a powerful Lua API and some of the Lua scripts interact with
15	# external resources which are blocked by firejail. In such cases you need to	15	# external resources which are blocked by firejail. In such cases you need to


diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile index f3b0c8a49..4c463521c 100644 --- a/etc/profile-m-z/nodejs-common.profile +++ b/etc/profile-m-z/nodejs-common.profile
@@ -7,7 +7,7 @@ include nodejs-common.local
7	# added by caller profile	7	# added by caller profile
8	#include globals.local	8	#include globals.local
9		9
10	# NOTE: gulp, node-gyp, npm, npx, semver and yarn are all node scripts	10	# Note: gulp, node-gyp, npm, npx, semver and yarn are all node scripts
11	# using the `#!/usr/bin/env node` shebang. By sandboxing node the full	11	# using the `#!/usr/bin/env node` shebang. By sandboxing node the full
12	# node.js stack will be firejailed. The only exception is nvm, which is implemented	12	# node.js stack will be firejailed. The only exception is nvm, which is implemented
13	# as a sourced shell function, not an executable binary. Hence it is not	13	# as a sourced shell function, not an executable binary. Hence it is not


diff --git a/etc/profile-m-z/noprofile.profile b/etc/profile-m-z/noprofile.profile index db4113f94..7d0e01d98 100644 --- a/etc/profile-m-z/noprofile.profile +++ b/etc/profile-m-z/noprofile.profile
@@ -1,17 +1,16 @@
1	# This is the weakest possible firejail profile.	1	# This is the weakest possible firejail profile.
2	# If a program still fail with this profile, it is incompatible with firejail.	2	# If a program still fails with this profile, it is incompatible with firejail.
3	# (from https://gist.github.com/rusty-snake/bb234cb3e50e1e4e7429f29a7931cc72)	3	# (from https://gist.github.com/rusty-snake/bb234cb3e50e1e4e7429f29a7931cc72)
4	#	4	#
5	# Usage:	5	# Usage:
6	# 1. download	6	# $ firejail --profile=noprofile.profile /path/to/program
7	# 2. firejail --profile=noprofile.profile /path/to/program
8		7
9	# Keep in mind that even with this profile some things are done	8	# Keep in mind that even with this profile some things are done
10	# which can break the program.	9	# which can break the program:
11	# - some env-vars are cleared	10	# - some env-vars are cleared;
12	# - /etc/firejail/firejail.config can contain options such as 'force-nonewprivs yes'	11	# - /etc/firejail/firejail.config can contain options such as 'force-nonewprivs yes';
13	# - a new private pid-namespace is created	12	# - a new private pid-namespace is created;
14	# - a minimal hardcoded blacklist is applied	13	# - a minimal hardcoded blacklist is applied;
15	# - ...	14	# - ...
16		15
17	noblacklist /sys/fs	16	noblacklist /sys/fs


diff --git a/etc/profile-m-z/palemoon.profile b/etc/profile-m-z/palemoon.profile index 24701b657..ab4e24595 100644 --- a/etc/profile-m-z/palemoon.profile +++ b/etc/profile-m-z/palemoon.profile
@@ -12,6 +12,8 @@ mkdir ${HOME}/.cache/moonchild productions/pale moon
12	mkdir ${HOME}/.moonchild productions	12	mkdir ${HOME}/.moonchild productions
13	whitelist ${HOME}/.cache/moonchild productions/pale moon	13	whitelist ${HOME}/.cache/moonchild productions/pale moon
14	whitelist ${HOME}/.moonchild productions	14	whitelist ${HOME}/.moonchild productions
		15	whitelist /usr/share/moonchild productions
		16	whitelist /usr/share/palemoon
15		17
16	# Palemoon can use the full firejail seccomp filter (unlike firefox >= 60)	18	# Palemoon can use the full firejail seccomp filter (unlike firefox >= 60)
17	seccomp	19	seccomp


diff --git a/etc/profile-m-z/pingus.profile b/etc/profile-m-z/pingus.profile index 3ff033e0b..e274b6443 100644 --- a/etc/profile-m-z/pingus.profile +++ b/etc/profile-m-z/pingus.profile
@@ -23,8 +23,9 @@ include disable-xdg.inc
23		23
24	mkdir ${HOME}/.pingus	24	mkdir ${HOME}/.pingus
25	whitelist ${HOME}/.pingus	25	whitelist ${HOME}/.pingus
		26	# Debian keeps games data under /usr/share/games
		27	whitelist /usr/share/games/pingus
26	whitelist /usr/share/pingus	28	whitelist /usr/share/pingus
27	whitelist /usr/share/games/pingus # Debian keeps games data under /usr/share/games
28	include whitelist-common.inc	29	include whitelist-common.inc
29	include whitelist-runuser-common.inc	30	include whitelist-runuser-common.inc
30	include whitelist-usr-share-common.inc	31	include whitelist-usr-share-common.inc


diff --git a/etc/profile-m-z/rtin.profile b/etc/profile-m-z/rtin.profile index 87aa69bcb..b1acf8b2e 100644 --- a/etc/profile-m-z/rtin.profile +++ b/etc/profile-m-z/rtin.profile
@@ -1,6 +1,6 @@
1	# Firejail profile for rtin	1	# Firejail profile for rtin
2	# Description: ncurses-based Usenet newsreader	2	# Description: ncurses-based Usenet newsreader
3	# symlink to tin, same as `tin -r`	3	# symlink to tin, same as `tin -r`
4	# This file is overwritten after every install/update	4	# This file is overwritten after every install/update
5	# Persistent local customizations	5	# Persistent local customizations
6	include rtin.local	6	include rtin.local


diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile index 3e1899ef3..8cb4e4173 100644 --- a/etc/profile-m-z/signal-desktop.profile +++ b/etc/profile-m-z/signal-desktop.profile
@@ -11,7 +11,9 @@ ignore noexec /tmp
11		11
12	noblacklist ${HOME}/.config/Signal	12	noblacklist ${HOME}/.config/Signal
13		13
14	# These lines are needed to allow Firefox to open links	14	# The lines below are needed to find the default Firefox profile name, to allow
		15	# opening links in an existing instance of Firefox (note that it still fails if
		16	# there isn't a Firefox instance running with the default profile; see #5352)
15	noblacklist ${HOME}/.mozilla	17	noblacklist ${HOME}/.mozilla
16	whitelist ${HOME}/.mozilla/firefox/profiles.ini	18	whitelist ${HOME}/.mozilla/firefox/profiles.ini
17		19
@@ -21,11 +23,9 @@ whitelist ${HOME}/.config/Signal
21	private-etc @tls-ca	23	private-etc @tls-ca
22		24
23	dbus-user filter	25	dbus-user filter
24
25	# allow D-Bus notifications	26	# allow D-Bus notifications
26	dbus-user.talk org.freedesktop.Notifications	27	dbus-user.talk org.freedesktop.Notifications
27		28	# allow D-Bus communication with firefox for opening links
28	# allow D-Bus communication with Firefox browsers for opening links
29	dbus-user.talk org.mozilla.*	29	dbus-user.talk org.mozilla.*
30		30
31	ignore dbus-user none	31	ignore dbus-user none


diff --git a/etc/profile-m-z/sniffnet.profile b/etc/profile-m-z/sniffnet.profile new file mode 100644 index 000000000..eb18c1f01 --- /dev/null +++ b/etc/profile-m-z/sniffnet.profile
@@ -0,0 +1,49 @@
		1	# Firejail profile for sniffnet
		2	# Description: Network traffic monitor
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include sniffnet.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${HOME}/.config/sniffnet
		10
		11	include disable-common.inc
		12	include disable-devel.inc
		13	include disable-exec.inc
		14	include disable-interpreters.inc
		15	include disable-proc.inc
		16	include disable-programs.inc
		17	include disable-xdg.inc
		18
		19	include whitelist-common.inc
		20	include whitelist-run-common.inc
		21	include whitelist-runuser-common.inc
		22	include whitelist-usr-share-common.inc
		23	include whitelist-var-common.inc
		24
		25	apparmor
		26	#caps.drop all
		27	caps.keep net_admin,net_raw
		28	netfilter
		29	nodvd
		30	nogroups
		31	noinput
		32	# nonewprivs - breaks network traffic capture for unprivileged users
		33	# noroot
		34	notv
		35	nou2f
		36	novideo
		37	#seccomp
		38	tracelog
		39
		40	disable-mnt
		41	#private-bin sniffnet
		42	# private-dev prevents (some) interfaces from being shown.
		43	private-etc @network,@tls-ca
		44	private-tmp
		45
		46	dbus-user none
		47	dbus-system none
		48
		49	#restrict-namespaces


diff --git a/etc/profile-m-z/spotify.profile b/etc/profile-m-z/spotify.profile index f07b10319..c893a92fb 100644 --- a/etc/profile-m-z/spotify.profile +++ b/etc/profile-m-z/spotify.profile
@@ -16,6 +16,7 @@ include disable-common.inc
16	include disable-devel.inc	16	include disable-devel.inc
17	include disable-exec.inc	17	include disable-exec.inc
18	include disable-interpreters.inc	18	include disable-interpreters.inc
		19	include disable-proc.inc
19	include disable-programs.inc	20	include disable-programs.inc
20		21
21	mkdir ${HOME}/.cache/spotify	22	mkdir ${HOME}/.cache/spotify
@@ -34,6 +35,7 @@ nodvd
34	nogroups	35	nogroups
35	noinput	36	noinput
36	nonewprivs	37	nonewprivs
		38	noprinters
37	noroot	39	noroot
38	notv	40	notv
39	nou2f	41	nou2f
@@ -50,8 +52,11 @@ private-opt spotify
50	private-srv none	52	private-srv none
51	private-tmp	53	private-tmp
52		54
53	# dbus needed for MPRIS	55	dbus-user filter
54	# dbus-user none	56	dbus-user.own org.mpris.MediaPlayer2.spotify
55	# dbus-system none	57	dbus-user.talk org.freedesktop.Notifications
		58	dbus-user.talk org.freedesktop.secrets
		59	dbus-user.talk org.mpris.MediaPlayer2.Player
		60	dbus-system none
56		61
57	restrict-namespaces	62	restrict-namespaces


diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile index 63d629a32..99317c9dc 100644 --- a/etc/profile-m-z/steam.profile +++ b/etc/profile-m-z/steam.profile
@@ -133,9 +133,9 @@ whitelist ${HOME}/.steampid
133	include whitelist-common.inc	133	include whitelist-common.inc
134	include whitelist-var-common.inc	134	include whitelist-var-common.inc
135		135
136	# NOTE: The following were intentionally left out as they are alternative	136	# Note: The following were intentionally left out as they are alternative
137	# (i.e.: unnecessary and/or legacy) paths whose existence may potentially	137	# (i.e.: unnecessary and/or legacy) paths whose existence may potentially
138	# clobber other paths (see #4225). If you use any, either add the entry to	138	# clobber other paths (see #4225). If you use any, either add the entry to
139	# steam.local or move the contents to a path listed above (or open an issue if	139	# steam.local or move the contents to a path listed above (or open an issue if
140	# it's missing above).	140	# it's missing above).
141	#mkdir ${HOME}/.config/RogueLegacyStorageContainer	141	#mkdir ${HOME}/.config/RogueLegacyStorageContainer


diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile index 5df207e25..f2405a7d3 100644 --- a/etc/profile-m-z/thunderbird.profile +++ b/etc/profile-m-z/thunderbird.profile
@@ -47,10 +47,7 @@ whitelist ${HOME}/.thunderbird
47		47
48	whitelist /usr/share/gnupg	48	whitelist /usr/share/gnupg
49	whitelist /usr/share/gnupg2	49	whitelist /usr/share/gnupg2
50	whitelist /usr/share/mozilla
51	whitelist /usr/share/thunderbird	50	whitelist /usr/share/thunderbird
52	whitelist /usr/share/webext
53	include whitelist-usr-share-common.inc
54		51
55	# machine-id breaks audio in browsers; enable or put it in your thunderbird.local when sound is not required	52	# machine-id breaks audio in browsers; enable or put it in your thunderbird.local when sound is not required
56	#machine-id	53	#machine-id


diff --git a/etc/profile-m-z/tin.profile b/etc/profile-m-z/tin.profile index a03a6caa0..35ff14e88 100644 --- a/etc/profile-m-z/tin.profile +++ b/etc/profile-m-z/tin.profile
@@ -24,8 +24,8 @@ include disable-xdg.inc
24	mkdir ${HOME}/.tin	24	mkdir ${HOME}/.tin
25	mkfile ${HOME}/.newsrc	25	mkfile ${HOME}/.newsrc
26	# Note: files/directories directly in ${HOME} can't be whitelisted, as	26	# Note: files/directories directly in ${HOME} can't be whitelisted, as
27	# tin saves .newsrc by renaming a temporary file, which is not possible for	27	# tin saves .newsrc by renaming a temporary file, which is not possible for
28	# bind-mounted files.	28	# bind-mounted files.
29	#whitelist ${HOME}/.newsrc	29	#whitelist ${HOME}/.newsrc
30	#whitelist ${HOME}/.tin	30	#whitelist ${HOME}/.tin
31	#include whitelist-common.inc	31	#include whitelist-common.inc


diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile index ba68ccb53..2578eb0be 100644 --- a/etc/profile-m-z/trojita.profile +++ b/etc/profile-m-z/trojita.profile
@@ -7,7 +7,6 @@ include trojita.local
7	include globals.local	7	include globals.local
8		8
9	noblacklist ${HOME}/.abook	9	noblacklist ${HOME}/.abook
10	noblacklist ${HOME}/.mozilla
11	noblacklist ${HOME}/.cache/flaska.net/trojita	10	noblacklist ${HOME}/.cache/flaska.net/trojita
12	noblacklist ${HOME}/.config/flaska.net	11	noblacklist ${HOME}/.config/flaska.net
13		12
@@ -19,11 +18,16 @@ include disable-programs.inc
19	include disable-shell.inc	18	include disable-shell.inc
20	include disable-xdg.inc	19	include disable-xdg.inc
21		20
		21	# The lines below are needed to find the default Firefox profile name, to allow
		22	# opening links in an existing instance of Firefox (note that it still fails if
		23	# there isn't a Firefox instance running with the default profile; see #5352)
		24	noblacklist ${HOME}/.mozilla
		25	whitelist ${HOME}/.mozilla/firefox/profiles.ini
		26
22	mkdir ${HOME}/.abook	27	mkdir ${HOME}/.abook
23	mkdir ${HOME}/.cache/flaska.net/trojita	28	mkdir ${HOME}/.cache/flaska.net/trojita
24	mkdir ${HOME}/.config/flaska.net	29	mkdir ${HOME}/.config/flaska.net
25	whitelist ${HOME}/.abook	30	whitelist ${HOME}/.abook
26	whitelist ${HOME}/.mozilla/firefox/profiles.ini
27	whitelist ${HOME}/.cache/flaska.net/trojita	31	whitelist ${HOME}/.cache/flaska.net/trojita
28	whitelist ${HOME}/.config/flaska.net	32	whitelist ${HOME}/.config/flaska.net
29	include whitelist-common.inc	33	include whitelist-common.inc
@@ -49,7 +53,6 @@ seccomp
49	tracelog	53	tracelog
50		54
51	# disable-mnt	55	# disable-mnt
52	# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
53	private-bin trojita	56	private-bin trojita
54	private-cache	57	private-cache
55	private-dev	58	private-dev
@@ -58,6 +61,8 @@ private-tmp
58		61
59	dbus-user filter	62	dbus-user filter
60	dbus-user.talk org.freedesktop.secrets	63	dbus-user.talk org.freedesktop.secrets
		64	# allow D-Bus communication with firefox for opening links
		65	dbus-user.talk org.mozilla.*
61	dbus-system none	66	dbus-system none
62		67
63	restrict-namespaces	68	restrict-namespaces


diff --git a/etc/profile-m-z/waterfox.profile b/etc/profile-m-z/waterfox.profile index 18f1ca79a..bf6f45e41 100644 --- a/etc/profile-m-z/waterfox.profile +++ b/etc/profile-m-z/waterfox.profile
@@ -12,6 +12,7 @@ mkdir ${HOME}/.cache/waterfox
12	mkdir ${HOME}/.waterfox	12	mkdir ${HOME}/.waterfox
13	whitelist ${HOME}/.cache/waterfox	13	whitelist ${HOME}/.cache/waterfox
14	whitelist ${HOME}/.waterfox	14	whitelist ${HOME}/.waterfox
		15	whitelist /usr/share/waterfox
15		16
16	# Add the next lines to your watefox.local if you want to use the migration wizard.	17	# Add the next lines to your watefox.local if you want to use the migration wizard.
17	#noblacklist ${HOME}/.mozilla	18	#noblacklist ${HOME}/.mozilla