Harden 25 profiles

author: Tad <tad@spotco.us> 2017-09-16 14:11:43 -0400
committer: Tad <tad@spotco.us> 2017-09-18 18:24:13 -0400
commit: 3c3602fe4e747f3489c917f4de991c9043df9751 (patch)
tree: 052baee1387ce11b9ecd00e49a7c96d59f92d480 /etc
parent: Fixup 36 profiles (diff)
download: firejail-3c3602fe4e747f3489c917f4de991c9043df9751.tar.gz
firejail-3c3602fe4e747f3489c917f4de991c9043df9751.tar.zst
firejail-3c3602fe4e747f3489c917f4de991c9043df9751.zip
25 files changed, 197 insertions, 45 deletions
diff --git a/etc/Viber.profile b/etc/Viber.profile
index ee1ab6219..468199dd8 100644
--- a/etc/Viber.profile
+++ b/etc/Viber.profile
@@ -19,11 +19,16 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 ipc-namespace
+netfilter
+nodvd
 nogroups
+nonewprivs
 noroot
+notv
 seccomp
 shell none
+disable-mnt
 private-bin sh,dig,awk
 private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf
 private-tmp
diff --git a/etc/amule.profile b/etc/amule.profile
index 48aad759d..c59377850 100644
--- a/etc/amule.profile
+++ b/etc/amule.profile
@@ -19,12 +19,21 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 ipc-namespace
+netfilter
+no3d
+nodvd
 nogroups
 nonewprivs
 noroot
+nosound
+notv
+novideo
 seccomp
 shell none
 private-bin amule
 private-dev
 private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/ardour5.profile b/etc/ardour5.profile
index 42744f4dd..738b5990a 100644
--- a/etc/ardour5.profile
+++ b/etc/ardour5.profile
@@ -19,8 +19,11 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodvd
 nogroups
+nonewprivs
 noroot
+notv
 seccomp
 shell none
@@ -29,5 +32,5 @@ private-dev
 #private-etc pulse,X11,alternatives,ardour4,ardour5,fonts
 private-tmp
-noexec /home
+noexec ${HOME}
 noexec /tmp
diff --git a/etc/brackets.profile b/etc/brackets.profile
index 151d88bdd..0a8c592a7 100644
--- a/etc/brackets.profile
+++ b/etc/brackets.profile
@@ -14,12 +14,16 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
-# Comment out or use --ignore=net if you want to install extensions or themes
+netfilter
-net none
+nodvd
-# Disable these if you use live preview (until I figure out a workaround)
+nogroups
-# Doing so should be relatively safe since there is no network access
+nonewprivs
 noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
 seccomp
+shell none
-private-bin bash,brackets,readlink,dirname,google-chrome,cat
 private-dev
diff --git a/etc/calligra.profile b/etc/calligra.profile
index 58006f203..e90c8efe8 100644
--- a/etc/calligra.profile
+++ b/etc/calligra.profile
@@ -12,15 +12,18 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
-net none
+nodvd
 nogroups
+nonewprivs
 noroot
+notv
+novideo
+protocol unix
 seccomp
 shell none
 private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch
 private-dev
-#private-etc fonts,passwd,alternatives,X11
-noexec /home
+noexec ${HOME}
 noexec /tmp
diff --git a/etc/cin.profile b/etc/cin.profile
index e895805eb..93a94c910 100644
--- a/etc/cin.profile
+++ b/etc/cin.profile
@@ -15,14 +15,17 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodvd
 nogroups
+nonewprivs
+notv
 noroot
+protocol unix
 seccomp
 shell none
 private-bin cin
 private-dev
-#private-etc fonts,pulse
-noexec /home
+noexec ${HOME}
 noexec /tmp
diff --git a/etc/dooble.profile b/etc/dooble.profile
index cbb0f96b8..aabfcd8bb 100644
--- a/etc/dooble.profile
+++ b/etc/dooble.profile
@@ -20,8 +20,20 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 netfilter
+nodvd
+nogroups
 nonewprivs
 noroot
+notv
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
+shell none
 tracelog
+disable-mnt
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/fetchmail.profile b/etc/fetchmail.profile
index 2b2be4c16..9ee59f453 100644
--- a/etc/fetchmail.profile
+++ b/etc/fetchmail.profile
@@ -12,11 +12,18 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
+netfilter
+no3d
+nodvd
 nogroups
+nonewprivs
 noroot
 nosound
+notv
+novideo
+protocol unix,inet,inet6
 seccomp
+shell none
 # private-bin fetchmail,procmail,bash,chmod
 private-dev
-# private-etc passwd,hosts,resolv.conf
diff --git a/etc/freecad.profile b/etc/freecad.profile
index c2d4661e8..4fde66839 100644
--- a/etc/freecad.profile
+++ b/etc/freecad.profile
@@ -16,16 +16,19 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodvd
 nogroups
+nonewprivs
 noroot
 nosound
+notv
+novideo
 protocol unix
 seccomp
 shell none
 private-bin freecad,freecadcmd
 private-dev
-#private-etc fonts,passwd,alternatives,X11
 private-tmp
 noexec ${HOME}
diff --git a/etc/google-earth.profile b/etc/google-earth.profile
index 11d55281a..32da9a5a8 100644
--- a/etc/google-earth.profile
+++ b/etc/google-earth.profile
@@ -21,14 +21,19 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 ipc-namespace
+netfilter
+nodvd
 nogroups
+nonewprivs
 noroot
+notv
+novideo
+protocol unix,inet,inet6
 seccomp
 shell none
 private-bin google-earth,sh,grep,sed,ls,dirname
 private-dev
-#private-etc fonts,resolv.conf,X11,alternatives,pulse
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/imagej.profile b/etc/imagej.profile
index 4613e378f..88a56c706 100644
--- a/etc/imagej.profile
+++ b/etc/imagej.profile
@@ -16,12 +16,20 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodvd
 nogroups
 nonewprivs
 noroot
+nosound
+notv
+novideo
+protocol unix
 seccomp
+shell none
 private-bin imagej,bash,grep,sort,tail,tr,cut,whoami,hostname,uname,mkdir,ls,touch,free,awk,update-java-alternatives,basename,xprop,rm,ln
 private-dev
-# private-etc passwd,alternatives,hosts,fonts,X11
 private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/karbon.profile b/etc/karbon.profile
index 7d7f25ad0..d94f20012 100644
--- a/etc/karbon.profile
+++ b/etc/karbon.profile
@@ -1,25 +1,5 @@
-# Firejail profile for karbon
+# Firejail profile alias for krita
 # This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/karbon.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-include /etc/firejail/disable-common.inc
+include /etc/firejail/krita.profile
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-caps.drop all
-ipc-namespace
-net none
-nogroups
-noroot
-seccomp
-shell none
-private-dev
-noexec /home
-noexec /tmp
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile
index b91bd9c41..56bb729e1 100644
--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -13,8 +13,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
+nodvd
 nogroups
+nonewprivs
 noroot
+notv
+protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/krita.profile b/etc/krita.profile
index d60ef2fa7..2dfd084ef 100644
--- a/etc/krita.profile
+++ b/etc/krita.profile
@@ -14,12 +14,19 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodvd
 nogroups
+nonewprivs
 noroot
+nosound
+notv
+novideo
+protocol unix
 seccomp
 shell none
 private-dev
+private-tmp
 noexec /home
 noexec /tmp
diff --git a/etc/linphone.profile b/etc/linphone.profile
index 8763b348a..41f9245a2 100644
--- a/etc/linphone.profile
+++ b/etc/linphone.profile
@@ -21,5 +21,21 @@ whitelist ${HOME}/Downloads
 include /etc/firejail/whitelist-common.inc
 caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
 noroot
+notv
+novideo
+protocol unix,inet,inet6
 seccomp
+shell none
+disable-mnt
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/lmms.profile b/etc/lmms.profile
index 14a7209a9..29ed235c6 100644
--- a/etc/lmms.profile
+++ b/etc/lmms.profile
@@ -16,13 +16,19 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+no3d
+nodvd
 nogroups
+nonewprivs
 noroot
+notv
+novideo
+protocol unix
 seccomp
 shell none
 private-dev
-private-etc fonts,pulse
+private-tmp
-noexec /home
+noexec ${HOME}
 noexec /tmp
diff --git a/etc/macrofusion.profile b/etc/macrofusion.profile
index e53f175f8..be66cf6ee 100644
--- a/etc/macrofusion.profile
+++ b/etc/macrofusion.profile
@@ -16,13 +16,20 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodvd
 nogroups
 nonewprivs
 noroot
+nosound
+notv
+novideo
+protocol unix
 seccomp
 shell none
 #private-bin python3,macrofusion,env,enfuse,exiftool,align_image_stack
 private-dev
-#private-etc fonts
 private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/mpd.profile b/etc/mpd.profile
index ebcdca443..601861083 100644
--- a/etc/mpd.profile
+++ b/etc/mpd.profile
@@ -14,8 +14,21 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
 noroot
+notv
+novideo
+protocol unix,inet,inet6
 seccomp
+shell none
 #private-bin mpd,bash
 private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/natron.profile b/etc/natron.profile
index 8f266f56c..ac89409f1 100644
--- a/etc/natron.profile
+++ b/etc/natron.profile
@@ -16,11 +16,18 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
-ipc-namespace
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
 shell none
 private-bin natron
-#private-etc fonts,X11,pulse
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/ricochet.profile b/etc/ricochet.profile
index 423dfb887..6da0e21d5 100644
--- a/etc/ricochet.profile
+++ b/etc/ricochet.profile
@@ -19,14 +19,22 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 ipc-namespace
+netfilter
+no3d
+nodvd
 nogroups
+nonewprivs
 noroot
+notv
+novideo
+protocol unix,inet,inet6
 seccomp
 shell none
+disable-mnt
 private-bin ricochet,tor
 private-dev
 #private-etc fonts,tor,X11,alternatives
-noexec /home
+noexec ${HOME}
 noexec /tmp
diff --git a/etc/shotcut.profile b/etc/shotcut.profile
index 1a7ce6bce..e30bc1f46 100644
--- a/etc/shotcut.profile
+++ b/etc/shotcut.profile
@@ -15,14 +15,17 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
+nodvd
 nogroups
+nonewprivs
 noroot
+notv
+protocol unix
 seccomp
 shell none
-private-bin shotcut,melt,qmelt,nice
+#private-bin shotcut,melt,qmelt,nice
 private-dev
-#private-etc X11,alternatives,pulse,fonts
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/teamspeak3.profile b/etc/teamspeak3.profile
index 7ca5ae666..f8afff551 100644
--- a/etc/teamspeak3.profile
+++ b/etc/teamspeak3.profile
@@ -19,7 +19,23 @@ whitelist ${HOME}/.ts3client
 include /etc/firejail/whitelist-common.inc
 caps.drop all
+ipc-namespace
 netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
 noroot
+notv
+novideo
 protocol unix,inet,inet6
 seccomp
+shell none
+disable-mnt
+private
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/tor-browser-en.profile b/etc/tor-browser-en.profile
index 65ea41e18..75a079a2e 100644
--- a/etc/tor-browser-en.profile
+++ b/etc/tor-browser-en.profile
@@ -17,10 +17,18 @@ whitelist ${HOME}/.tor-browser-en
 include /etc/firejail/whitelist-common.inc
 caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
 noroot
+notv
+novideo
+protocol unix,inet,inet6
 seccomp
 shell none
+disable-mnt
 private-bin bash,grep,sed,tail,tor-browser-en,env,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf,file,expr
 private-tmp
diff --git a/etc/tor.profile b/etc/tor.profile
index 73577825a..fcb123eef 100644
--- a/etc/tor.profile
+++ b/etc/tor.profile
@@ -23,16 +23,25 @@ include /etc/firejail/disable-programs.inc
 caps.keep setuid,setgid,net_bind_service,dac_read_search
 ipc-namespace
+netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 nosound
+notv
+novideo
+protocol unix,inet,inet6
 seccomp
 shell none
 writable-var
+disable-mnt
 private
 private-bin tor,bash
 private-dev
 private-etc tor,passwd
 private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/zart.profile b/etc/zart.profile
index 6022e8260..b5897f4a9 100644
--- a/etc/zart.profile
+++ b/etc/zart.profile
@@ -14,7 +14,13 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodvd
+nogroups
+nonewprivs
 noroot
+notv
+novideo
+protocol unix
 seccomp
 shell none
author	Tad <tad@spotco.us>	2017-09-16 14:11:43 -0400
committer	Tad <tad@spotco.us>	2017-09-18 18:24:13 -0400
commit	3c3602fe4e747f3489c917f4de991c9043df9751 (patch)
tree	052baee1387ce11b9ecd00e49a7c96d59f92d480 /etc
parent	Fixup 36 profiles (diff)
download	firejail-3c3602fe4e747f3489c917f4de991c9043df9751.tar.gz firejail-3c3602fe4e747f3489c917f4de991c9043df9751.tar.zst firejail-3c3602fe4e747f3489c917f4de991c9043df9751.zip

diff --git a/etc/Viber.profile b/etc/Viber.profile index ee1ab6219..468199dd8 100644 --- a/etc/Viber.profile +++ b/etc/Viber.profile
@@ -19,11 +19,16 @@ include /etc/firejail/whitelist-common.inc
19		19
20	caps.drop all	20	caps.drop all
21	ipc-namespace	21	ipc-namespace
		22	netfilter
		23	nodvd
22	nogroups	24	nogroups
		25	nonewprivs
23	noroot	26	noroot
		27	notv
24	seccomp	28	seccomp
25	shell none	29	shell none
26		30
		31	disable-mnt
27	private-bin sh,dig,awk	32	private-bin sh,dig,awk
28	private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf	33	private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf
29	private-tmp	34	private-tmp


diff --git a/etc/amule.profile b/etc/amule.profile index 48aad759d..c59377850 100644 --- a/etc/amule.profile +++ b/etc/amule.profile
@@ -19,12 +19,21 @@ include /etc/firejail/whitelist-common.inc
19		19
20	caps.drop all	20	caps.drop all
21	ipc-namespace	21	ipc-namespace
		22	netfilter
		23	no3d
		24	nodvd
22	nogroups	25	nogroups
23	nonewprivs	26	nonewprivs
24	noroot	27	noroot
		28	nosound
		29	notv
		30	novideo
25	seccomp	31	seccomp
26	shell none	32	shell none
27		33
28	private-bin amule	34	private-bin amule
29	private-dev	35	private-dev
30	private-tmp	36	private-tmp
		37
		38	noexec ${HOME}
		39	noexec /tmp


diff --git a/etc/ardour5.profile b/etc/ardour5.profile index 42744f4dd..738b5990a 100644 --- a/etc/ardour5.profile +++ b/etc/ardour5.profile
@@ -19,8 +19,11 @@ include /etc/firejail/disable-programs.inc
19	caps.drop all	19	caps.drop all
20	ipc-namespace	20	ipc-namespace
21	net none	21	net none
		22	nodvd
22	nogroups	23	nogroups
		24	nonewprivs
23	noroot	25	noroot
		26	notv
24	seccomp	27	seccomp
25	shell none	28	shell none
26		29
@@ -29,5 +32,5 @@ private-dev
29	#private-etc pulse,X11,alternatives,ardour4,ardour5,fonts	32	#private-etc pulse,X11,alternatives,ardour4,ardour5,fonts
30	private-tmp	33	private-tmp
31		34
32	noexec /home	35	noexec ${HOME}
33	noexec /tmp	36	noexec /tmp


diff --git a/etc/brackets.profile b/etc/brackets.profile index 151d88bdd..0a8c592a7 100644 --- a/etc/brackets.profile +++ b/etc/brackets.profile
@@ -14,12 +14,16 @@ include /etc/firejail/disable-passwdmgr.inc
14	include /etc/firejail/disable-programs.inc	14	include /etc/firejail/disable-programs.inc
15		15
16	caps.drop all	16	caps.drop all
17	# Comment out or use --ignore=net if you want to install extensions or themes	17	netfilter
18	net none	18	nodvd
19	# Disable these if you use live preview (until I figure out a workaround)	19	nogroups
20	# Doing so should be relatively safe since there is no network access	20	nonewprivs
21	noroot	21	noroot
		22	nosound
		23	notv
		24	novideo
		25	protocol unix,inet,inet6
22	seccomp	26	seccomp
		27	shell none
23		28
24	private-bin bash,brackets,readlink,dirname,google-chrome,cat
25	private-dev	29	private-dev


diff --git a/etc/calligra.profile b/etc/calligra.profile index 58006f203..e90c8efe8 100644 --- a/etc/calligra.profile +++ b/etc/calligra.profile
@@ -12,15 +12,18 @@ include /etc/firejail/disable-programs.inc
12		12
13	caps.drop all	13	caps.drop all
14	ipc-namespace	14	ipc-namespace
15	net none	15	nodvd
16	nogroups	16	nogroups
		17	nonewprivs
17	noroot	18	noroot
		19	notv
		20	novideo
		21	protocol unix
18	seccomp	22	seccomp
19	shell none	23	shell none
20		24
21	private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch	25	private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch
22	private-dev	26	private-dev
23	#private-etc fonts,passwd,alternatives,X11
24		27
25	noexec /home	28	noexec ${HOME}
26	noexec /tmp	29	noexec /tmp


diff --git a/etc/cin.profile b/etc/cin.profile index e895805eb..93a94c910 100644 --- a/etc/cin.profile +++ b/etc/cin.profile
@@ -15,14 +15,17 @@ include /etc/firejail/disable-programs.inc
15	caps.drop all	15	caps.drop all
16	ipc-namespace	16	ipc-namespace
17	net none	17	net none
		18	nodvd
18	nogroups	19	nogroups
		20	nonewprivs
		21	notv
19	noroot	22	noroot
		23	protocol unix
20	seccomp	24	seccomp
21	shell none	25	shell none
22		26
23	private-bin cin	27	private-bin cin
24	private-dev	28	private-dev
25	#private-etc fonts,pulse
26		29
27	noexec /home	30	noexec ${HOME}
28	noexec /tmp	31	noexec /tmp


diff --git a/etc/dooble.profile b/etc/dooble.profile index cbb0f96b8..aabfcd8bb 100644 --- a/etc/dooble.profile +++ b/etc/dooble.profile
@@ -20,8 +20,20 @@ include /etc/firejail/whitelist-common.inc
20		20
21	caps.drop all	21	caps.drop all
22	netfilter	22	netfilter
		23	nodvd
		24	nogroups
23	nonewprivs	25	nonewprivs
24	noroot	26	noroot
		27	notv
		28	novideo
25	protocol unix,inet,inet6,netlink	29	protocol unix,inet,inet6,netlink
26	seccomp	30	seccomp
		31	shell none
27	tracelog	32	tracelog
		33
		34	disable-mnt
		35	private-dev
		36	private-tmp
		37
		38	noexec ${HOME}
		39	noexec /tmp


diff --git a/etc/fetchmail.profile b/etc/fetchmail.profile index 2b2be4c16..9ee59f453 100644 --- a/etc/fetchmail.profile +++ b/etc/fetchmail.profile
@@ -12,11 +12,18 @@ include /etc/firejail/disable-passwdmgr.inc
12	include /etc/firejail/disable-programs.inc	12	include /etc/firejail/disable-programs.inc
13		13
14	caps.drop all	14	caps.drop all
		15	netfilter
		16	no3d
		17	nodvd
15	nogroups	18	nogroups
		19	nonewprivs
16	noroot	20	noroot
17	nosound	21	nosound
		22	notv
		23	novideo
		24	protocol unix,inet,inet6
18	seccomp	25	seccomp
		26	shell none
19		27
20	# private-bin fetchmail,procmail,bash,chmod	28	# private-bin fetchmail,procmail,bash,chmod
21	private-dev	29	private-dev
22	# private-etc passwd,hosts,resolv.conf


diff --git a/etc/freecad.profile b/etc/freecad.profile index c2d4661e8..4fde66839 100644 --- a/etc/freecad.profile +++ b/etc/freecad.profile
@@ -16,16 +16,19 @@ include /etc/firejail/disable-programs.inc
16	caps.drop all	16	caps.drop all
17	ipc-namespace	17	ipc-namespace
18	net none	18	net none
		19	nodvd
19	nogroups	20	nogroups
		21	nonewprivs
20	noroot	22	noroot
21	nosound	23	nosound
		24	notv
		25	novideo
22	protocol unix	26	protocol unix
23	seccomp	27	seccomp
24	shell none	28	shell none
25		29
26	private-bin freecad,freecadcmd	30	private-bin freecad,freecadcmd
27	private-dev	31	private-dev
28	#private-etc fonts,passwd,alternatives,X11
29	private-tmp	32	private-tmp
30		33
31	noexec ${HOME}	34	noexec ${HOME}


diff --git a/etc/google-earth.profile b/etc/google-earth.profile index 11d55281a..32da9a5a8 100644 --- a/etc/google-earth.profile +++ b/etc/google-earth.profile
@@ -21,14 +21,19 @@ include /etc/firejail/whitelist-common.inc
21		21
22	caps.drop all	22	caps.drop all
23	ipc-namespace	23	ipc-namespace
		24	netfilter
		25	nodvd
24	nogroups	26	nogroups
		27	nonewprivs
25	noroot	28	noroot
		29	notv
		30	novideo
		31	protocol unix,inet,inet6
26	seccomp	32	seccomp
27	shell none	33	shell none
28		34
29	private-bin google-earth,sh,grep,sed,ls,dirname	35	private-bin google-earth,sh,grep,sed,ls,dirname
30	private-dev	36	private-dev
31	#private-etc fonts,resolv.conf,X11,alternatives,pulse
32		37
33	noexec ${HOME}	38	noexec ${HOME}
34	noexec /tmp	39	noexec /tmp


diff --git a/etc/imagej.profile b/etc/imagej.profile index 4613e378f..88a56c706 100644 --- a/etc/imagej.profile +++ b/etc/imagej.profile
@@ -16,12 +16,20 @@ include /etc/firejail/disable-programs.inc
16	caps.drop all	16	caps.drop all
17	ipc-namespace	17	ipc-namespace
18	net none	18	net none
		19	nodvd
19	nogroups	20	nogroups
20	nonewprivs	21	nonewprivs
21	noroot	22	noroot
		23	nosound
		24	notv
		25	novideo
		26	protocol unix
22	seccomp	27	seccomp
		28	shell none
23		29
24	private-bin imagej,bash,grep,sort,tail,tr,cut,whoami,hostname,uname,mkdir,ls,touch,free,awk,update-java-alternatives,basename,xprop,rm,ln	30	private-bin imagej,bash,grep,sort,tail,tr,cut,whoami,hostname,uname,mkdir,ls,touch,free,awk,update-java-alternatives,basename,xprop,rm,ln
25	private-dev	31	private-dev
26	# private-etc passwd,alternatives,hosts,fonts,X11
27	private-tmp	32	private-tmp
		33
		34	noexec ${HOME}
		35	noexec /tmp


diff --git a/etc/karbon.profile b/etc/karbon.profile index 7d7f25ad0..d94f20012 100644 --- a/etc/karbon.profile +++ b/etc/karbon.profile
@@ -1,25 +1,5 @@
1	# Firejail profile for karbon	1	# Firejail profile alias for krita
2	# This file is overwritten after every install/update	2	# This file is overwritten after every install/update
3	# Persistent local customizations
4	include /etc/firejail/karbon.local
5	# Persistent global definitions
6	include /etc/firejail/globals.local
7		3
8		4
9	include /etc/firejail/disable-common.inc	5	include /etc/firejail/krita.profile
10	include /etc/firejail/disable-devel.inc
11	include /etc/firejail/disable-passwdmgr.inc
12	include /etc/firejail/disable-programs.inc
13
14	caps.drop all
15	ipc-namespace
16	net none
17	nogroups
18	noroot
19	seccomp
20	shell none
21
22	private-dev
23
24	noexec /home
25	noexec /tmp


diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile index b91bd9c41..56bb729e1 100644 --- a/etc/kdenlive.profile +++ b/etc/kdenlive.profile
@@ -13,8 +13,12 @@ include /etc/firejail/disable-programs.inc
13		13
14	caps.drop all	14	caps.drop all
15	net none	15	net none
		16	nodvd
16	nogroups	17	nogroups
		18	nonewprivs
17	noroot	19	noroot
		20	notv
		21	protocol unix,inet,inet6
18	seccomp	22	seccomp
19	shell none	23	shell none
20		24


diff --git a/etc/krita.profile b/etc/krita.profile index d60ef2fa7..2dfd084ef 100644 --- a/etc/krita.profile +++ b/etc/krita.profile
@@ -14,12 +14,19 @@ include /etc/firejail/disable-programs.inc
14	caps.drop all	14	caps.drop all
15	ipc-namespace	15	ipc-namespace
16	net none	16	net none
		17	nodvd
17	nogroups	18	nogroups
		19	nonewprivs
18	noroot	20	noroot
		21	nosound
		22	notv
		23	novideo
		24	protocol unix
19	seccomp	25	seccomp
20	shell none	26	shell none
21		27
22	private-dev	28	private-dev
		29	private-tmp
23		30
24	noexec /home	31	noexec /home
25	noexec /tmp	32	noexec /tmp


diff --git a/etc/linphone.profile b/etc/linphone.profile index 8763b348a..41f9245a2 100644 --- a/etc/linphone.profile +++ b/etc/linphone.profile
@@ -21,5 +21,21 @@ whitelist ${HOME}/Downloads
21	include /etc/firejail/whitelist-common.inc	21	include /etc/firejail/whitelist-common.inc
22		22
23	caps.drop all	23	caps.drop all
		24	netfilter
		25	no3d
		26	nodvd
		27	nogroups
		28	nonewprivs
24	noroot	29	noroot
		30	notv
		31	novideo
		32	protocol unix,inet,inet6
25	seccomp	33	seccomp
		34	shell none
		35
		36	disable-mnt
		37	private-dev
		38	private-tmp
		39
		40	noexec ${HOME}
		41	noexec /tmp


diff --git a/etc/lmms.profile b/etc/lmms.profile index 14a7209a9..29ed235c6 100644 --- a/etc/lmms.profile +++ b/etc/lmms.profile
@@ -16,13 +16,19 @@ include /etc/firejail/disable-programs.inc
16	caps.drop all	16	caps.drop all
17	ipc-namespace	17	ipc-namespace
18	net none	18	net none
		19	no3d
		20	nodvd
19	nogroups	21	nogroups
		22	nonewprivs
20	noroot	23	noroot
		24	notv
		25	novideo
		26	protocol unix
21	seccomp	27	seccomp
22	shell none	28	shell none
23		29
24	private-dev	30	private-dev
25	private-etc fonts,pulse	31	private-tmp
26		32
27	noexec /home	33	noexec ${HOME}
28	noexec /tmp	34	noexec /tmp


diff --git a/etc/macrofusion.profile b/etc/macrofusion.profile index e53f175f8..be66cf6ee 100644 --- a/etc/macrofusion.profile +++ b/etc/macrofusion.profile
@@ -16,13 +16,20 @@ include /etc/firejail/disable-programs.inc
16	caps.drop all	16	caps.drop all
17	ipc-namespace	17	ipc-namespace
18	net none	18	net none
		19	nodvd
19	nogroups	20	nogroups
20	nonewprivs	21	nonewprivs
21	noroot	22	noroot
		23	nosound
		24	notv
		25	novideo
		26	protocol unix
22	seccomp	27	seccomp
23	shell none	28	shell none
24		29
25	#private-bin python3,macrofusion,env,enfuse,exiftool,align_image_stack	30	#private-bin python3,macrofusion,env,enfuse,exiftool,align_image_stack
26	private-dev	31	private-dev
27	#private-etc fonts
28	private-tmp	32	private-tmp
		33
		34	noexec ${HOME}
		35	noexec /tmp


diff --git a/etc/mpd.profile b/etc/mpd.profile index ebcdca443..601861083 100644 --- a/etc/mpd.profile +++ b/etc/mpd.profile
@@ -14,8 +14,21 @@ include /etc/firejail/disable-passwdmgr.inc
14	include /etc/firejail/disable-programs.inc	14	include /etc/firejail/disable-programs.inc
15		15
16	caps.drop all	16	caps.drop all
		17	netfilter
		18	no3d
		19	nodvd
		20	nogroups
		21	nonewprivs
17	noroot	22	noroot
		23	notv
		24	novideo
		25	protocol unix,inet,inet6
18	seccomp	26	seccomp
		27	shell none
19		28
20	#private-bin mpd,bash	29	#private-bin mpd,bash
21	private-dev	30	private-dev
		31	private-tmp
		32
		33	noexec ${HOME}
		34	noexec /tmp


diff --git a/etc/natron.profile b/etc/natron.profile index 8f266f56c..ac89409f1 100644 --- a/etc/natron.profile +++ b/etc/natron.profile
@@ -16,11 +16,18 @@ include /etc/firejail/disable-devel.inc
16	include /etc/firejail/disable-passwdmgr.inc	16	include /etc/firejail/disable-passwdmgr.inc
17	include /etc/firejail/disable-programs.inc	17	include /etc/firejail/disable-programs.inc
18		18
19	ipc-namespace	19	caps.drop all
		20	netfilter
		21	nodvd
		22	nogroups
		23	nonewprivs
		24	noroot
		25	notv
		26	protocol unix,inet,inet6
		27	seccomp
20	shell none	28	shell none
21		29
22	private-bin natron	30	private-bin natron
23	#private-etc fonts,X11,pulse
24		31
25	noexec ${HOME}	32	noexec ${HOME}
26	noexec /tmp	33	noexec /tmp


diff --git a/etc/ricochet.profile b/etc/ricochet.profile index 423dfb887..6da0e21d5 100644 --- a/etc/ricochet.profile +++ b/etc/ricochet.profile
@@ -19,14 +19,22 @@ include /etc/firejail/whitelist-common.inc
19		19
20	caps.drop all	20	caps.drop all
21	ipc-namespace	21	ipc-namespace
		22	netfilter
		23	no3d
		24	nodvd
22	nogroups	25	nogroups
		26	nonewprivs
23	noroot	27	noroot
		28	notv
		29	novideo
		30	protocol unix,inet,inet6
24	seccomp	31	seccomp
25	shell none	32	shell none
26		33
		34	disable-mnt
27	private-bin ricochet,tor	35	private-bin ricochet,tor
28	private-dev	36	private-dev
29	#private-etc fonts,tor,X11,alternatives	37	#private-etc fonts,tor,X11,alternatives
30		38
31	noexec /home	39	noexec ${HOME}
32	noexec /tmp	40	noexec /tmp


diff --git a/etc/shotcut.profile b/etc/shotcut.profile index 1a7ce6bce..e30bc1f46 100644 --- a/etc/shotcut.profile +++ b/etc/shotcut.profile
@@ -15,14 +15,17 @@ include /etc/firejail/disable-programs.inc
15		15
16	caps.drop all	16	caps.drop all
17	net none	17	net none
		18	nodvd
18	nogroups	19	nogroups
		20	nonewprivs
19	noroot	21	noroot
		22	notv
		23	protocol unix
20	seccomp	24	seccomp
21	shell none	25	shell none
22		26
23	private-bin shotcut,melt,qmelt,nice	27	#private-bin shotcut,melt,qmelt,nice
24	private-dev	28	private-dev
25	#private-etc X11,alternatives,pulse,fonts
26		29
27	noexec ${HOME}	30	noexec ${HOME}
28	noexec /tmp	31	noexec /tmp


diff --git a/etc/teamspeak3.profile b/etc/teamspeak3.profile index 7ca5ae666..f8afff551 100644 --- a/etc/teamspeak3.profile +++ b/etc/teamspeak3.profile
@@ -19,7 +19,23 @@ whitelist ${HOME}/.ts3client
19	include /etc/firejail/whitelist-common.inc	19	include /etc/firejail/whitelist-common.inc
20		20
21	caps.drop all	21	caps.drop all
		22	ipc-namespace
22	netfilter	23	netfilter
		24	no3d
		25	nodvd
		26	nogroups
		27	nonewprivs
23	noroot	28	noroot
		29	notv
		30	novideo
24	protocol unix,inet,inet6	31	protocol unix,inet,inet6
25	seccomp	32	seccomp
		33	shell none
		34
		35	disable-mnt
		36	private
		37	private-dev
		38	private-tmp
		39
		40	noexec ${HOME}
		41	noexec /tmp


diff --git a/etc/tor-browser-en.profile b/etc/tor-browser-en.profile index 65ea41e18..75a079a2e 100644 --- a/etc/tor-browser-en.profile +++ b/etc/tor-browser-en.profile
@@ -17,10 +17,18 @@ whitelist ${HOME}/.tor-browser-en
17	include /etc/firejail/whitelist-common.inc	17	include /etc/firejail/whitelist-common.inc
18		18
19	caps.drop all	19	caps.drop all
		20	netfilter
		21	nodvd
		22	nogroups
		23	nonewprivs
20	noroot	24	noroot
		25	notv
		26	novideo
		27	protocol unix,inet,inet6
21	seccomp	28	seccomp
22	shell none	29	shell none
23		30
		31	disable-mnt
24	private-bin bash,grep,sed,tail,tor-browser-en,env,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf,file,expr	32	private-bin bash,grep,sed,tail,tor-browser-en,env,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf,file,expr
25	private-tmp	33	private-tmp
26		34


diff --git a/etc/tor.profile b/etc/tor.profile index 73577825a..fcb123eef 100644 --- a/etc/tor.profile +++ b/etc/tor.profile
@@ -23,16 +23,25 @@ include /etc/firejail/disable-programs.inc
23		23
24	caps.keep setuid,setgid,net_bind_service,dac_read_search	24	caps.keep setuid,setgid,net_bind_service,dac_read_search
25	ipc-namespace	25	ipc-namespace
		26	netfilter
26	no3d	27	no3d
		28	nodvd
27	nogroups	29	nogroups
28	nonewprivs	30	nonewprivs
29	nosound	31	nosound
		32	notv
		33	novideo
		34	protocol unix,inet,inet6
30	seccomp	35	seccomp
31	shell none	36	shell none
32	writable-var	37	writable-var
33		38
		39	disable-mnt
34	private	40	private
35	private-bin tor,bash	41	private-bin tor,bash
36	private-dev	42	private-dev
37	private-etc tor,passwd	43	private-etc tor,passwd
38	private-tmp	44	private-tmp
		45
		46	noexec ${HOME}
		47	noexec /tmp


diff --git a/etc/zart.profile b/etc/zart.profile index 6022e8260..b5897f4a9 100644 --- a/etc/zart.profile +++ b/etc/zart.profile
@@ -14,7 +14,13 @@ include /etc/firejail/disable-programs.inc
14	caps.drop all	14	caps.drop all
15	ipc-namespace	15	ipc-namespace
16	net none	16	net none
		17	nodvd
		18	nogroups
		19	nonewprivs
17	noroot	20	noroot
		21	notv
		22	novideo
		23	protocol unix
18	seccomp	24	seccomp
19	shell none	25	shell none
20		26