author | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2020-11-16 11:41:35 +0100 |
---|---|---|
committer | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2020-11-16 11:41:35 +0100 |
commit | 096d0de5f8bb253d0c1035796464bc5982f06f81 (patch) | |
tree | d9634d1c26afca63ada52f66dd55eb09a46647dd /etc/profile-m-z | |
parent | Add XAUTHORITY file of sddm from openSUSE Tumblew… (diff) | |
from my overrides
- add seccomp.block-secondary to a lot of profiles
- add wruc to firefox-common and ignore it in TB and
firefox-common-addons
- harden dia, gnome-keyring, libreoffice, megaglest, pngquant,
ghostwriter, rhythmbox, sqlitebrowser
Diffstat (limited to 'etc/profile-m-z')
23 files changed, 31 insertions, 0 deletions
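--- a/etc/profile-m-z/megaglest.profile
+++ b/etc/profile-m-z/megaglest.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.megaglest
@@ -37,6 +38,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 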
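Review bot: `seccomp.block-secondary` is added here and to nineteen other profiles in this commit (meld through youtube-dl), and nothing on the page shows that each program was started under it. The option limits the sandbox to the native syscall architecture, so a 32-bit build on a 64-bit host would be expected to be killed at startup rather than run with reduced features; that is most plausible for the games (megaglest, minetest, supertux2, supertuxkart). A one-line comment above the directive would give users the opt-out, for example `# Add 'ignore seccomp.block-secondary' to megaglest.local if you run a 32-bit build.` The same section also adds `include disable-shell.inc`; whether megaglest spawns a shell cannot be checked from this hunk.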
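--- a/etc/profile-m-z/meld.profile
+++ b/etc/profile-m-z/meld.profile
@@ -62,6 +62,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 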
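--- a/etc/profile-m-z/menulibre.profile
+++ b/etc/profile-m-z/menulibre.profile
@@ -44,6 +44,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 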
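--- a/etc/profile-m-z/minetest.profile
+++ b/etc/profile-m-z/minetest.profile
@@ -47,6 +47,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 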
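--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -67,6 +67,7 @@ noroot
 nou2f
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 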
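--- a/etc/profile-m-z/patch.profile
+++ b/etc/profile-m-z/patch.profile
@@ -37,6 +37,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none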
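--- a/etc/profile-m-z/pdftotext.profile
+++ b/etc/profile-m-z/pdftotext.profile
@@ -13,6 +13,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none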
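--- a/etc/profile-m-z/peek.profile
+++ b/etc/profile-m-z/peek.profile
@@ -41,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 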
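--- a/etc/profile-m-z/pngquant.profile
+++ b/etc/profile-m-z/pngquant.profile
@@ -7,6 +7,8 @@ include pngquant.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${PICTURES}
+
 blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
@@ -16,6 +18,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-xdg.inc
 
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc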
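Review bot: With `include disable-xdg.inc` added and only `noblacklist ${PICTURES}` placed ahead of it, pngquant can presumably no longer reach PNG files in the other XDG user directories that disable-xdg.inc blacklists, and the user will see only a plain permission error. The tighter default is reasonable for an image tool, but the profile should say so next to the `noblacklist` line. A comment such as `# Only ${PICTURES} is exempted from disable-xdg.inc; add further noblacklist lines to pngquant.local if needed.` would make the restriction and its override visible.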
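--- a/etc/profile-m-z/rhythmbox.profile
+++ b/etc/profile-m-z/rhythmbox.profile
@@ -45,10 +45,12 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
 private-bin rhythmbox,rhythmbox-client
+private-cache
 private-dev
 private-tmp
 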
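--- a/etc/profile-m-z/shellcheck.profile
+++ b/etc/profile-m-z/shellcheck.profile
@@ -40,6 +40,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none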
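--- a/etc/profile-m-z/sqlitebrowser.profile
+++ b/etc/profile-m-z/sqlitebrowser.profile
@@ -18,6 +18,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -35,6 +36,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
 
 private-bin sqlitebrowser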
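--- a/etc/profile-m-z/strings.profile
+++ b/etc/profile-m-z/strings.profile
@@ -38,6 +38,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none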
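--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -36,6 +36,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 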
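--- a/etc/profile-m-z/supertuxkart.profile
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -43,6 +43,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 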
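--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -6,6 +6,8 @@ include thunderbird.local
 # Persistent global definitions
 include globals.local
 
+ignore whitelist-runuser-common.inc
+
 # writable-run-user and dbus are needed by enigmail
 ignore dbus-user none
 ignore dbus-system none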
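Review bot: `ignore whitelist-runuser-common.inc` probably never matches anything: as far as I know, firejail compares an `ignore` argument against the start of the whole profile line, and the line it is meant to suppress is `include whitelist-runuser-common.inc`. If so, the whitelist this commit adds to firefox-common (per the commit message) still applies to Thunderbird, and the run-user access that the comment below says enigmail needs would be restricted. The line should read `ignore include whitelist-runuser-common.inc`, with a short comment giving the reason, as the neighbouring `ignore dbus-*` lines have. The profile continues outside the hunk, so the include of firefox-common is not visible here.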
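--- a/etc/profile-m-z/transmission-common.profile
+++ b/etc/profile-m-z/transmission-common.profile
@@ -39,6 +39,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 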
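--- a/etc/profile-m-z/vivaldi.profile
+++ b/etc/profile-m-z/vivaldi.profile
@@ -29,6 +29,8 @@ whitelist ${HOME}/.config/vivaldi
 whitelist ${HOME}/.config/vivaldi-snapshot
 whitelist ${HOME}/.local/lib/vivaldi
 
+#private-bin bash,cat,dirname,readlink,rm,vivaldi,vivaldi-stable,vivaldi-snapshot
+
 # breaks vivaldi sync
 ignore dbus-user none
 ignore dbus-system none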
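Review bot: The added `#private-bin bash,cat,dirname,readlink,rm,vivaldi,vivaldi-stable,vivaldi-snapshot` line is committed disabled with no reason given, so a later reader cannot tell whether it is known to break Vivaldi or is simply untested. It also sits just above `# breaks vivaldi sync`, which describes the `ignore dbus-*` lines and not private-bin. A one-line comment above it should state the status, for example `# private-bin is disabled because <reason>; enable it in vivaldi.local to test.` If it is enabled later, the list keeps `bash` available inside the sandbox (presumably for a launcher script), which is worth stating next to it.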
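--- a/etc/profile-m-z/wget.profile
+++ b/etc/profile-m-z/wget.profile
@@ -44,6 +44,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 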
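--- a/etc/profile-m-z/whois.profile
+++ b/etc/profile-m-z/whois.profile
@@ -39,6 +39,7 @@ nou2f
 novideo
 protocol inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 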
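--- a/etc/profile-m-z/xournal.profile
+++ b/etc/profile-m-z/xournal.profile
@@ -36,6 +36,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 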
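--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -41,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 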
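--- a/etc/profile-m-z/youtube-dl.profile
+++ b/etc/profile-m-z/youtube-dl.profile
@@ -52,6 +52,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 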