authorLibravatar Fred-Barclay <Fred-Barclay@users.noreply.github.com>2017-09-19 23:26:22 -0500
committerLibravatar Fred-Barclay <Fred-Barclay@users.noreply.github.com>2017-09-19 23:26:22 -0500
commit88c3a266eaaab9a41fe56c7c012ced5d6c33c6d2 (patch)
treeff4ab558330f8c566ddf7e9909a57e71913a232a /etc
parentFix private-bit filter for firefox on Arch (diff)
parentadd nogroups (diff)
Merge branch 'master' of https://github.com/netblue30/firejail
Diffstat (limited to 'etc')
-rw-r--r--etc/2048-qt.profile2
-rw-r--r--etc/Natron.profile6
-rw-r--r--etc/Viber.profile38
-rw-r--r--etc/akregator.profile7
-rw-r--r--etc/amarok.profile2
-rw-r--r--etc/amule.profile40
-rw-r--r--etc/ardour4.profile6
-rw-r--r--etc/ardour5.profile37
-rw-r--r--etc/audacious.profile1
-rw-r--r--etc/brackets.profile29
-rw-r--r--etc/calibre.profile2
-rw-r--r--etc/calligra.profile29
-rw-r--r--etc/calligraauthor.profile6
-rw-r--r--etc/calligraconverter.profile6
-rw-r--r--etc/calligraflow.profile6
-rw-r--r--etc/calligraplan.profile6
-rw-r--r--etc/calligraplanwork.profile6
-rw-r--r--etc/calligrasheets.profile6
-rw-r--r--etc/calligrastage.profile6
-rw-r--r--etc/calligrawords.profile6
-rw-r--r--etc/catfish.profile7
-rw-r--r--etc/chromium.profile1
-rw-r--r--etc/cin.profile31
-rw-r--r--etc/clamav.profile32
-rw-r--r--etc/clamdscan.profile6
-rw-r--r--etc/clamdtop.profile6
-rw-r--r--etc/clamscan.profile6
-rw-r--r--etc/conky.profile35
-rw-r--r--etc/darktable.profile1
-rw-r--r--etc/dia.profile1
-rw-r--r--etc/digikam.profile2
-rw-r--r--etc/disable-common.inc4
-rw-r--r--etc/disable-programs.inc10
-rw-r--r--etc/dooble-qt4.profile6
-rw-r--r--etc/dooble.profile39
-rw-r--r--etc/dosbox.profile2
-rw-r--r--etc/dragon.profile2
-rw-r--r--etc/electron.profile3
-rw-r--r--etc/evince.profile2
-rw-r--r--etc/fetchmail.profile29
-rw-r--r--etc/firefox.profile1
-rw-r--r--etc/freecad.profile35
-rw-r--r--etc/freecadcmd.profile6
-rw-r--r--etc/freshclam.profile34
-rw-r--r--etc/galculator.profile1
-rw-r--r--etc/gimp.profile2
-rw-r--r--etc/gnome-calculator.profile1
-rw-r--r--etc/google-earth.profile48
-rw-r--r--etc/gpicview.profile2
-rw-r--r--etc/handbrake.profile2
-rw-r--r--etc/hugin.profile1
-rw-r--r--etc/imagej.profile35
-rw-r--r--etc/inkscape.profile3
-rw-r--r--etc/k3b.profile2
-rw-r--r--etc/karbon.profile6
-rw-r--r--etc/kate.profile2
-rw-r--r--etc/kcalc.profile2
-rw-r--r--etc/kdenlive.profile30
-rw-r--r--etc/krita.profile32
-rw-r--r--etc/kwrite.profile2
-rw-r--r--etc/leafpad.profile2
-rw-r--r--etc/libreoffice.profile2
-rw-r--r--etc/linphone.profile41
-rw-r--r--etc/lmms.profile34
-rw-r--r--etc/luminance-hdr.profile1
-rw-r--r--etc/macrofusion.profile35
-rw-r--r--etc/mousepad.profile2
-rw-r--r--etc/mpd.profile33
-rw-r--r--etc/mpv.profile2
-rw-r--r--etc/musescore.profile1
-rw-r--r--etc/natron.profile33
-rw-r--r--etc/okular.profile2
-rw-r--r--etc/pidgin.profile3
-rw-r--r--etc/ricochet.profile40
-rw-r--r--etc/riot-web.profile4
-rw-r--r--etc/rocketchat.profile14
-rw-r--r--etc/scribus.profile1
-rw-r--r--etc/shotcut.profile31
-rw-r--r--etc/silentarmy.profile3
-rw-r--r--etc/skype.profile1
-rw-r--r--etc/ssh-agent.profile1
-rw-r--r--etc/steam.profile4
-rw-r--r--etc/surf.profile35
-rw-r--r--etc/synfigstudio.profile1
-rw-r--r--etc/teamspeak3.profile39
-rw-r--r--etc/terasology.profile42
-rw-r--r--etc/tor-browser-en.profile6
-rw-r--r--etc/tor.profile47
-rw-r--r--etc/torbrowser-launcher.profile11
-rw-r--r--etc/transmission-gtk.profile1
-rw-r--r--etc/transmission-qt.profile1
-rw-r--r--etc/tuxguitar.profile1
-rw-r--r--etc/virtualbox.profile2
-rw-r--r--etc/vlc.profile2
-rw-r--r--etc/whitelist-common.inc8
-rw-r--r--etc/whitelist-var-common.inc11
-rw-r--r--etc/x-terminal-emulator.profile20
-rw-r--r--etc/xmr-stak-cpu.profile42
-rw-r--r--etc/youtube-dl.profile2
-rw-r--r--etc/zart.profile30
100 files changed, 1300 insertions, 10 deletions
diff --git a/etc/2048-qt.profile b/etc/2048-qt.profile
index 06cc69503..964a9e5fa 100644
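--- a/etc/2048-qt.profile
+++ b/etc/2048-qt.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd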
diff --git a/etc/Natron.profile b/etc/Natron.profile
new file mode 100644
index 000000000..b21790fe4
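--- /dev/null
+++ b/etc/Natron.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for natron
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/natron.profile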
diff --git a/etc/Viber.profile b/etc/Viber.profile
new file mode 100644
index 000000000..03e5f1086
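--- /dev/null
+++ b/etc/Viber.profile
@@ -0,0 +1,38 @@
+# Firejail profile for Viber
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/Viber.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.ViberPC
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.ViberPC
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin sh,bash,dash,dig,awk,Viber
+private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf
+private-tmp
+
+noexec ${HOME}
+noexec /tmp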
diff --git a/etc/akregator.profile b/etc/akregator.profile
index 12bb06fb5..55434e45b 100644
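--- a/etc/akregator.profile
+++ b/etc/akregator.profile
@@ -13,6 +13,12 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+mkfile ${HOME}/.config/akregatorrc
+mkdir ${HOME}/.local/share/akregator
+whitelist ${HOME}/.config/akregatorrc
+whitelist ${HOME}/.local/share/akregator
+include /etc/firejail/whitelist-common.inc
+
 caps.drop all
 netfilter
 no3d
@@ -27,6 +33,7 @@ seccomp
 shell none
 
 disable-mnt
+private-bin akregator,akregatorstorageexporter,dbus-launch,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper
 private-dev
 private-tmp
 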
diff --git a/etc/amarok.profile b/etc/amarok.profile
index 478d5285c..79343fcdf 100644
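--- a/etc/amarok.profile
+++ b/etc/amarok.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nogroups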
diff --git a/etc/amule.profile b/etc/amule.profile
new file mode 100644
index 000000000..98ec52015
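--- /dev/null
+++ b/etc/amule.profile
@@ -0,0 +1,40 @@
+# Firejail profile for amule
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/amule.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.aMule
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.aMule
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin amule
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp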
diff --git a/etc/ardour4.profile b/etc/ardour4.profile
new file mode 100644
index 000000000..7d1163174
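--- /dev/null
+++ b/etc/ardour4.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for ardour5
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/ardour5.profile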
diff --git a/etc/ardour5.profile b/etc/ardour5.profile
new file mode 100644
index 000000000..69b3dde46
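--- /dev/null
+++ b/etc/ardour5.profile
@@ -0,0 +1,37 @@
+# Firejail profile for ardour5
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/ardour5.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.config/ardour4
+noblacklist ${HOME}/.config/ardour5
+noblacklist ${HOME}/.lv2
+noblacklist ${HOME}/.vst
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix
+seccomp
+shell none
+
+#private-bin sh,ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm
+private-dev
+#private-etc pulse,X11,alternatives,ardour4,ardour5,fonts
+private-tmp
+
+noexec ${HOME}
+noexec /tmp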
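Review bot: The two commented-out lines `#private-bin sh,ardour4,ardour5,...` and `#private-etc pulse,X11,alternatives,ardour4,ardour5,fonts` are added with no explanation, so a reader cannot tell whether they are known to break ardour or were simply never tested. A one-line comment above each, e.g. `# private-bin disabled: <reason, or "untested">`, would tell users whether enabling them in ardour5.local is safe. The same unexplained pattern appears in cin.profile (`#private-bin cin`), darktable.profile, dia.profile and fetchmail.profile in this commit. Separately, the four `noblacklist` lines only have an effect if disable-programs.inc blacklists those paths; its hunks in this commit add no ardour, .lv2 or .vst entries, so confirm they already exist in the parts of that file not shown.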
diff --git a/etc/audacious.profile b/etc/audacious.profile
index bd2367fe0..52e701821 100644
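--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 notv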
diff --git a/etc/brackets.profile b/etc/brackets.profile
new file mode 100644
index 000000000..0a8c592a7
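--- /dev/null
+++ b/etc/brackets.profile
@@ -0,0 +1,29 @@
+# Firejail profile for brackets
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/brackets.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/Brackets
+noblacklist /opt/brackets/
+noblacklist /opt/google/
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev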
diff --git a/etc/calibre.profile b/etc/calibre.profile
index aa0de473c..844231032 100644
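--- a/etc/calibre.profile
+++ b/etc/calibre.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 no3d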
diff --git a/etc/calligra.profile b/etc/calligra.profile
new file mode 100644
index 000000000..e90c8efe8
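--- /dev/null
+++ b/etc/calligra.profile
@@ -0,0 +1,29 @@
+# Firejail profile for calligra
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/calligra.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch
+private-dev
+
+noexec ${HOME}
+noexec /tmp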
diff --git a/etc/calligraauthor.profile b/etc/calligraauthor.profile
new file mode 100644
index 000000000..629ab46c1
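--- /dev/null
+++ b/etc/calligraauthor.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile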
diff --git a/etc/calligraconverter.profile b/etc/calligraconverter.profile
new file mode 100644
index 000000000..629ab46c1
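--- /dev/null
+++ b/etc/calligraconverter.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile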
diff --git a/etc/calligraflow.profile b/etc/calligraflow.profile
new file mode 100644
index 000000000..629ab46c1
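--- /dev/null
+++ b/etc/calligraflow.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile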
diff --git a/etc/calligraplan.profile b/etc/calligraplan.profile
new file mode 100644
index 000000000..629ab46c1
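--- /dev/null
+++ b/etc/calligraplan.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile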
diff --git a/etc/calligraplanwork.profile b/etc/calligraplanwork.profile
new file mode 100644
index 000000000..629ab46c1
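--- /dev/null
+++ b/etc/calligraplanwork.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile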
diff --git a/etc/calligrasheets.profile b/etc/calligrasheets.profile
new file mode 100644
index 000000000..629ab46c1
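--- /dev/null
+++ b/etc/calligrasheets.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile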
diff --git a/etc/calligrastage.profile b/etc/calligrastage.profile
new file mode 100644
index 000000000..629ab46c1
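--- /dev/null
+++ b/etc/calligrastage.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile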
diff --git a/etc/calligrawords.profile b/etc/calligrawords.profile
new file mode 100644
index 000000000..629ab46c1
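--- /dev/null
+++ b/etc/calligrawords.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile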
diff --git a/etc/catfish.profile b/etc/catfish.profile
index 498f3b6ee..5fc585d90 100644
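--- a/etc/catfish.profile
+++ b/etc/catfish.profile
@@ -8,8 +8,13 @@ include /etc/firejail/globals.local
 # We can't blacklist much since catfish
 # is for finding files/content
 noblacklist ~/.config/catfish
+include /etc/firejail/disable-common.inc
+# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 
-include /etc/firejail/disable-devel.inc
+whitelist /var/lib/mlocate
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 net none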
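Review bot: The retained comment `# We can't blacklist much since catfish is for finding files/content` now contradicts the lines added directly below it, which pull in disable-common.inc, disable-passwdmgr.inc and disable-programs.inc. With those includes, paths they blacklist will presumably no longer show up in catfish searches, and the comment should say this is intended, e.g. `# Files blacklisted by the disable-*.inc includes will not appear in search results`. The newly commented-out `# include /etc/firejail/disable-devel.inc` also needs a word on why it was dropped while the other three were added. The profile continues outside the hunk.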
diff --git a/etc/chromium.profile b/etc/chromium.profile
index 9be99e68a..0c7058a11 100644
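--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -23,6 +23,7 @@ whitelist ~/.config/chromium
 whitelist ~/.config/chromium-flags.conf
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.keep sys_chroot,sys_admin
 netfilter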
diff --git a/etc/cin.profile b/etc/cin.profile
new file mode 100644
index 000000000..eeeda476f
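--- /dev/null
+++ b/etc/cin.profile
@@ -0,0 +1,31 @@
+# Firejail profile for cin
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/cin.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.bcast5
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+notv
+noroot
+protocol unix
+seccomp
+shell none
+
+#private-bin cin
+private-dev
+
+noexec ${HOME}
+noexec /tmp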
diff --git a/etc/clamav.profile b/etc/clamav.profile
new file mode 100644
index 000000000..a5aacc1d5
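--- /dev/null
+++ b/etc/clamav.profile
@@ -0,0 +1,32 @@
+# Firejail profile for clamav
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include /etc/firejail/clamav.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-dev
+read-only ${HOME}
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp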
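Review bot: This profile includes none of the disable-*.inc files, so everything the user can read stays readable inside the sandbox, and nothing in the file says that this is deliberate. A short comment such as `# No disable-*.inc: the scanner must be able to read whatever it is asked to scan; net none and read-only ${HOME} limit what a compromised scanner can do` would record the trade-off for the next maintainer. clamdscan.profile and clamdtop.profile redirect here and so inherit `net none`; both are clients of a clamd daemon, which should still be reachable over a local unix socket but presumably not when clamd is configured to listen on TCP, so that limitation is worth a comment as well.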
diff --git a/etc/clamdscan.profile b/etc/clamdscan.profile
new file mode 100644
index 000000000..1fc728206
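--- /dev/null
+++ b/etc/clamdscan.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for clamav
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/clamav.profile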
diff --git a/etc/clamdtop.profile b/etc/clamdtop.profile
new file mode 100644
index 000000000..1fc728206
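--- /dev/null
+++ b/etc/clamdtop.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for clamav
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/clamav.profile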
diff --git a/etc/clamscan.profile b/etc/clamscan.profile
new file mode 100644
index 000000000..1fc728206
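--- /dev/null
+++ b/etc/clamscan.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for clamav
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/clamav.profile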
diff --git a/etc/conky.profile b/etc/conky.profile
new file mode 100644
index 000000000..4ee25f099
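--- /dev/null
+++ b/etc/conky.profile
@@ -0,0 +1,35 @@
+# Firejail profile for conky
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/conky.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp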
diff --git a/etc/darktable.profile b/etc/darktable.profile
index e04163486..c2dc0b42c 100644
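--- a/etc/darktable.profile
+++ b/etc/darktable.profile
@@ -26,6 +26,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
+#private-bin darktable
 private-dev
 private-tmp
 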
diff --git a/etc/dia.profile b/etc/dia.profile
index a625ab36d..abe83ac8c 100644
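--- a/etc/dia.profile
+++ b/etc/dia.profile
@@ -27,6 +27,7 @@ seccomp
 shell none
 
 disable-mnt
+#private-bin dia
 private-dev
 private-tmp
 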
diff --git a/etc/digikam.profile b/etc/digikam.profile
index 43191ec06..ef518470e 100644
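--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -14,6 +14,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd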
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 5dd3dfd30..ca6ba9710 100644
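--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -2,13 +2,15 @@
 # Persistent customizations should go in a .local file.
 include /etc/firejail/disable-common.local
 
-# History files in $HOME
+# History files and clipboard managers in $HOME
 blacklist-nolog ${HOME}/.*_history
 blacklist-nolog ${HOME}/.adobe
 blacklist-nolog ${HOME}/.bash_history
 blacklist-nolog ${HOME}/.history
 blacklist-nolog ${HOME}/.local/share/fish/fish_history
 blacklist-nolog ${HOME}/.macromedia
+blacklist-nolog /tmp/clipmenu*
+blacklist-nolog ${HOME}/.cache/greenclip*
 
 # X11 session autostart
 # blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs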
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 7e44d582e..88b7e7d32 100644
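--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -17,8 +17,10 @@ blacklist ${HOME}/.Steam
 blacklist ${HOME}/.Steampath
 blacklist ${HOME}/.Steampid
 blacklist ${HOME}/.TelegramDesktop
+blacklist ${HOME}/.ViberPC
 blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/.Wolfram Research
+blacklist ${HOME}/.aMule
 blacklist ${HOME}/.android
 blacklist ${HOME}/.arduino15
 blacklist ${HOME}/.atom
@@ -35,6 +37,7 @@ blacklist ${HOME}/.config/Brackets
 blacklist ${HOME}/.config/Clementine
 blacklist ${HOME}/.config/Cryptocat
 blacklist ${HOME}/.config/Franz
+blacklist ${HOME}/.config/FreeCAD
 blacklist ${HOME}/.config/Gitter
 blacklist ${HOME}/.config/Google
 blacklist ${HOME}/.config/Gpredict
@@ -51,6 +54,7 @@ blacklist ${HOME}/.config/Qlipper
 blacklist ${HOME}/.config/QuiteRss
 blacklist ${HOME}/.config/QuiteRssrc
 blacklist ${HOME}/.config/Riot
+blacklist ${HOME}/.config/Rocket.Chat
 blacklist ${HOME}/.config/Slack
 blacklist ${HOME}/.config/Thunar
 blacklist ${HOME}/.config/VirtualBox
@@ -123,6 +127,7 @@ blacklist ${HOME}/.config/lximage-qt
 blacklist ${HOME}/.config/mate-calc
 blacklist ${HOME}/.config/mate/eom
 blacklist ${HOME}/.config/mate/mate-dictionary
+blacklist ${HOME}/.config/mfusion
 blacklist ${HOME}/.config/midori
 blacklist ${HOME}/.config/mpv
 blacklist ${HOME}/.config/mupen64plus
@@ -187,6 +192,7 @@ blacklist ${HOME}/.conkeror.mozdev.org
 blacklist ${HOME}/.curlrc
 blacklist ${HOME}/.dia
 blacklist ${HOME}/.dillo
+blacklist ${HOME}/.dooble
 blacklist ${HOME}/.dosbox
 blacklist ${HOME}/.dropbox-dist
 blacklist ${HOME}/.electrum*
@@ -211,6 +217,7 @@ blacklist ${HOME}/.guayadeque
 blacklist ${HOME}/.hedgewars
 blacklist ${HOME}/.hugin
 blacklist ${HOME}/.icedove
+blacklist ${HOME}/.imagej
 blacklist ${HOME}/.inkscape
 blacklist ${HOME}/.java
 blacklist ${HOME}/.jitsi
@@ -318,6 +325,7 @@ blacklist ${HOME}/.local/share/spotify
 blacklist ${HOME}/.local/share/steam
 blacklist ${HOME}/.local/share/supertux2
 blacklist ${HOME}/.local/share/telepathy
+blacklist ${HOME}/.local/share/terasology
 blacklist ${HOME}/.local/share/torbrowser
 blacklist ${HOME}/.local/share/totem
 blacklist ${HOME}/.local/share/vpltd
@@ -360,6 +368,7 @@ blacklist ${HOME}/.steampath
 blacklist ${HOME}/.steampid
 blacklist ${HOME}/.stellarium
 blacklist ${HOME}/.subversion
+blacklist ${HOME}/.surf
 blacklist ${HOME}/.sword
 blacklist ${HOME}/.sylpheed-2.0
 blacklist ${HOME}/.synfig
@@ -407,6 +416,7 @@ blacklist ${HOME}/.cache/google-chrome
 blacklist ${HOME}/.cache/google-chrome-beta
 blacklist ${HOME}/.cache/google-chrome-unstable
 blacklist ${HOME}/.cache/icedove
+blacklist ${HOME}/.cache/INRIA/Natron
 blacklist ${HOME}/.cache/inox
 blacklist ${HOME}/.cache/libgweather
 blacklist ${HOME}/.cache/midori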
diff --git a/etc/dooble-qt4.profile b/etc/dooble-qt4.profile
new file mode 100644
index 000000000..4e1227a0f
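--- /dev/null
+++ b/etc/dooble-qt4.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for dooble
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/dooble.profile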
diff --git a/etc/dooble.profile b/etc/dooble.profile
new file mode 100644
index 000000000..2a57b0ef3
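--- /dev/null
+++ b/etc/dooble.profile
@@ -0,0 +1,39 @@
+# Firejail profile for dooble
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/dooble-qt4.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.dooble
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.dooble
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.dooble
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp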
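Review bot: Line 4 reads `include /etc/firejail/dooble-qt4.local`, but the header says this is the profile for dooble, and the other new profiles in this commit include the .local file that matches their own name. As written, customizations a user places in dooble.local are never read. If that is not intentional, change the line to `include /etc/firejail/dooble.local`; dooble-qt4.profile redirects here, so it would pick up the same file. freshclam.profile has the same mismatch (`include /etc/firejail/clamav.local`), which may be a deliberate sharing with clamav but should then be stated in a comment.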
diff --git a/etc/dosbox.profile b/etc/dosbox.profile
index fa9b26e82..a64578e5c 100644
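--- a/etc/dosbox.profile
+++ b/etc/dosbox.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd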
diff --git a/etc/dragon.profile b/etc/dragon.profile
index 211c2432f..c37f81ac9 100644
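--- a/etc/dragon.profile
+++ b/etc/dragon.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd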
diff --git a/etc/electron.profile b/etc/electron.profile
index 9b21c1bfd..91e5cd3df 100644
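--- a/etc/electron.profile
+++ b/etc/electron.profile
@@ -5,11 +5,12 @@ include /etc/firejail/electron.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+whitelist ${DOWNLOADS}
+
 caps.drop all
 netfilter
 nodvd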
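Review bot: `whitelist ${DOWNLOADS}` is added without `include /etc/firejail/whitelist-common.inc`, whereas the other profiles in this commit that whitelist ${DOWNLOADS} (Viber, amule, dooble) pair it with that include. Once any path under the home directory is whitelisted, the rest of home is hidden, so the application's own configuration directory and the shared desktop settings would not be visible or persist unless something else whitelists them. If the include is not already further down the file (the profile continues outside the hunk), add `include /etc/firejail/whitelist-common.inc` after the whitelist line. A comment stating that profiles which include electron.profile must whitelist their own configuration directory would also help.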
diff --git a/etc/evince.profile b/etc/evince.profile
index 5c6215bb2..f503b9a8e 100644
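--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 no3d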
diff --git a/etc/fetchmail.profile b/etc/fetchmail.profile
new file mode 100644
index 000000000..3fd7f3d75
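--- /dev/null
+++ b/etc/fetchmail.profile
@@ -0,0 +1,29 @@
+# Firejail profile for fetchmail
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/fetchmail.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+#private-bin fetchmail,procmail,bash,chmod
+private-dev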
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 85201b021..1f4a8e3f6 100644
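--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -59,6 +59,7 @@ whitelist ~/.wine-pipelight64
 whitelist ~/.zotero
 whitelist ~/dwhelper
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter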
diff --git a/etc/freecad.profile b/etc/freecad.profile
new file mode 100644
index 000000000..4fde66839
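--- /dev/null
+++ b/etc/freecad.profile
@@ -0,0 +1,35 @@
+# Firejail profile for freecad
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/freecad.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.config/FreeCAD
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin freecad,freecadcmd
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp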
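diff --git a/etc/freecadcmd.profile b/etc/freecadcmd.profile
new file mode 100644
index 000000000..f8bbff593
--- /dev/null
+++ b/etc/freecadcmd.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for freecad
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/freecad.profile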
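diff --git a/etc/freshclam.profile b/etc/freshclam.profile
new file mode 100644
index 000000000..08eac5595
--- /dev/null
+++ b/etc/freshclam.profile
@@ -0,0 +1,34 @@
+# Firejail profile for freshclam
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include /etc/firejail/clamav.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+caps.keep setgid,setuid
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-dev
+private-tmp
+writable-var
+writable-var-log
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp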
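Review bot: The local-override line is `include /etc/firejail/clamav.local`, not `freshclam.local`, so an override file named after this profile is not read by it. If one shared override file for the ClamAV profiles is intended, a comment above the include such as `# clamav.local is shared by the ClamAV profiles` would make that explicit; otherwise the include should name `freshclam.local`. The profile also carries none of the `disable-*.inc` includes that the other new profiles in this commit have while keeping `setgid,setuid` and a writable /var; `private` hides the home directory, but the reason for leaving the includes out is not stated.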
diff --git a/etc/galculator.profile b/etc/galculator.profile
index 37f147f0f..dbc22a889 100644
--- a/etc/galculator.profile
+++ b/etc/galculator.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
15mkdir ~/.config/galculator 15mkdir ~/.config/galculator
16whitelist ~/.config/galculator 16whitelist ~/.config/galculator
17include /etc/firejail/whitelist-common.inc 17include /etc/firejail/whitelist-common.inc
18include /etc/firejail/whitelist-var-common.inc
18 19
19caps.drop all 20caps.drop all
20net none 21net none
diff --git a/etc/gimp.profile b/etc/gimp.profile
index aa77d6105..292c2aac9 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-common.inc
11include /etc/firejail/disable-passwdmgr.inc 11include /etc/firejail/disable-passwdmgr.inc
12include /etc/firejail/disable-programs.inc 12include /etc/firejail/disable-programs.inc
13 13
14include /etc/firejail/whitelist-var-common.inc
15
14caps.drop all 16caps.drop all
15net none 17net none
16nodvd 18nodvd
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index 6547c73df..326222426 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -11,6 +11,7 @@ include /etc/firejail/disable-devel.inc
11include /etc/firejail/disable-passwdmgr.inc 11include /etc/firejail/disable-passwdmgr.inc
12include /etc/firejail/disable-programs.inc 12include /etc/firejail/disable-programs.inc
13include /etc/firejail/whitelist-common.inc 13include /etc/firejail/whitelist-common.inc
14include /etc/firejail/whitelist-var-common.inc
14 15
15caps.drop all 16caps.drop all
16netfilter 17netfilter
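diff --git a/etc/google-earth.profile b/etc/google-earth.profile
new file mode 100644
index 000000000..b60f5b3a5
--- /dev/null
+++ b/etc/google-earth.profile
@@ -0,0 +1,48 @@
+# Firejail profile for google-earth
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/google-earth.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/Google
+noblacklist ${HOME}/.googleearth/Cache/
+noblacklist ${HOME}/.googleearth/Temp/
+noblacklist ${HOME}/.googleearth/myplaces.backup.kml
+noblacklist ${HOME}/.googleearth/myplaces.kml
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.config/Google
+mkdir ${HOME}/.googleearth/Cache/
+mkdir ${HOME}/.googleearth/Temp/
+mkfile ${HOME}/.googleearth/myplaces.backup.kml
+mkfile ${HOME}/.googleearth/myplaces.kml
+whitelist ${HOME}/.config/Google
+whitelist ${HOME}/.googleearth/Cache/
+whitelist ${HOME}/.googleearth/Temp/
+whitelist ${HOME}/.googleearth/myplaces.backup.kml
+whitelist ${HOME}/.googleearth/myplaces.kml
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin google-earth,sh,bash,dash,grep,sed,ls,dirname
+private-dev
+
+noexec ${HOME}
+noexec /tmp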
diff --git a/etc/gpicview.profile b/etc/gpicview.profile
index 26bc589ee..1842c9cb1 100644
--- a/etc/gpicview.profile
+++ b/etc/gpicview.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-passwdmgr.inc 12include /etc/firejail/disable-passwdmgr.inc
13include /etc/firejail/disable-programs.inc 13include /etc/firejail/disable-programs.inc
14 14
15include /etc/firejail/whitelist-var-common.inc
16
15caps.drop all 17caps.drop all
16net none 18net none
17nodvd 19nodvd
diff --git a/etc/handbrake.profile b/etc/handbrake.profile
index 2b33051e2..f5e7bc329 100644
--- a/etc/handbrake.profile
+++ b/etc/handbrake.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-passwdmgr.inc 12include /etc/firejail/disable-passwdmgr.inc
13include /etc/firejail/disable-programs.inc 13include /etc/firejail/disable-programs.inc
14 14
15include /etc/firejail/whitelist-var-common.inc
16
15caps.drop all 17caps.drop all
16netfilter 18netfilter
17nogroups 19nogroups
diff --git a/etc/hugin.profile b/etc/hugin.profile
index d3cd181b1..ff88e0d5c 100644
--- a/etc/hugin.profile
+++ b/etc/hugin.profile
@@ -25,6 +25,7 @@ protocol unix
25seccomp 25seccomp
26shell none 26shell none
27 27
28private-bin PTBatcherGUI,calibrate_lens_gui,hugin,hugin_stitch_project,align_image_stack,autooptimiser,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,fulla,geocpset,hugin_executor,hugin_hdrmerge,hugin_lensdb,icpfind,linefind,nona,pano_modify,pano_trafo,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,tca_correct,verdandi,vig_optimize,enblend
28private-dev 29private-dev
29private-tmp 30private-tmp
30 31
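diff --git a/etc/imagej.profile b/etc/imagej.profile
new file mode 100644
index 000000000..88a56c706
--- /dev/null
+++ b/etc/imagej.profile
@@ -0,0 +1,35 @@
+# Firejail profile for imagej
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/imagej.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.imagej
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin imagej,bash,grep,sort,tail,tr,cut,whoami,hostname,uname,mkdir,ls,touch,free,awk,update-java-alternatives,basename,xprop,rm,ln
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp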
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
index 1d24f5d7d..c062ab8ef 100644
--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-passwdmgr.inc 12include /etc/firejail/disable-passwdmgr.inc
13include /etc/firejail/disable-programs.inc 13include /etc/firejail/disable-programs.inc
14 14
15include /etc/firejail/whitelist-var-common.inc
16
15caps.drop all 17caps.drop all
16netfilter 18netfilter
17nodvd 19nodvd
@@ -25,6 +27,7 @@ protocol unix
25seccomp 27seccomp
26shell none 28shell none
27 29
30#private-bin inkscape
28private-dev 31private-dev
29private-tmp 32private-tmp
30 33
diff --git a/etc/k3b.profile b/etc/k3b.profile
index ca190ecb9..58623d823 100644
--- a/etc/k3b.profile
+++ b/etc/k3b.profile
@@ -14,6 +14,8 @@ include /etc/firejail/disable-devel.inc
14include /etc/firejail/disable-passwdmgr.inc 14include /etc/firejail/disable-passwdmgr.inc
15include /etc/firejail/disable-programs.inc 15include /etc/firejail/disable-programs.inc
16 16
17include /etc/firejail/whitelist-var-common.inc
18
17caps.drop all 19caps.drop all
18no3d 20no3d
19nonewprivs 21nonewprivs
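diff --git a/etc/karbon.profile b/etc/karbon.profile
new file mode 100644
index 000000000..3525a3e06
--- /dev/null
+++ b/etc/karbon.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for krita
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/krita.profile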
diff --git a/etc/kate.profile b/etc/kate.profile
index ec5d09ce2..69100d49d 100644
--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -17,6 +17,8 @@ include /etc/firejail/disable-common.inc
17include /etc/firejail/disable-passwdmgr.inc 17include /etc/firejail/disable-passwdmgr.inc
18include /etc/firejail/disable-programs.inc 18include /etc/firejail/disable-programs.inc
19 19
20include /etc/firejail/whitelist-var-common.inc
21
20caps.drop all 22caps.drop all
21netfilter 23netfilter
22nodvd 24nodvd
diff --git a/etc/kcalc.profile b/etc/kcalc.profile
index f334c4c72..0de23f106 100644
--- a/etc/kcalc.profile
+++ b/etc/kcalc.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
11include /etc/firejail/disable-passwdmgr.inc 11include /etc/firejail/disable-passwdmgr.inc
12include /etc/firejail/disable-programs.inc 12include /etc/firejail/disable-programs.inc
13 13
14include /etc/firejail/whitelist-var-common.inc
15
14caps.drop all 16caps.drop all
15netfilter 17netfilter
16no3d 18no3d
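diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile
new file mode 100644
index 000000000..a1a5f957c
--- /dev/null
+++ b/etc/kdenlive.profile
@@ -0,0 +1,30 @@
+# Firejail profile for kdenlive
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/kdenlive.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper
+private-dev
+#private-etc fonts,alternatives,X11,pulse,passwd
+
+noexec ${HOME}
+noexec /tmp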
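Review bot: `net none` on line 15 of the new file leaves the sandbox with only a fresh loopback interface, yet `protocol unix,inet,inet6` on line 21 still admits inet and inet6 sockets through the protocol filter. The other `net none` profiles added in this commit (freecad, imagej, krita, lmms, macrofusion, shotcut) pair it with `protocol unix`. Unless kdenlive or one of its helpers is known to need loopback TCP, `protocol unix` would be the tighter and more consistent setting; if it is needed, a comment saying so would stop a later cleanup from breaking it.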
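diff --git a/etc/krita.profile b/etc/krita.profile
new file mode 100644
index 000000000..e91f5b242
--- /dev/null
+++ b/etc/krita.profile
@@ -0,0 +1,32 @@
+# Firejail profile for krita
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/krita.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp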
diff --git a/etc/kwrite.profile b/etc/kwrite.profile
index 6ba076dc0..6b458ede3 100644
--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -17,6 +17,8 @@ include /etc/firejail/disable-common.inc
17include /etc/firejail/disable-passwdmgr.inc 17include /etc/firejail/disable-passwdmgr.inc
18include /etc/firejail/disable-programs.inc 18include /etc/firejail/disable-programs.inc
19 19
20include /etc/firejail/whitelist-var-common.inc
21
20caps.drop all 22caps.drop all
21netfilter 23netfilter
22nodvd 24nodvd
diff --git a/etc/leafpad.profile b/etc/leafpad.profile
index e7557651b..c9addba21 100644
--- a/etc/leafpad.profile
+++ b/etc/leafpad.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-passwdmgr.inc 12include /etc/firejail/disable-passwdmgr.inc
13include /etc/firejail/disable-programs.inc 13include /etc/firejail/disable-programs.inc
14 14
15include /etc/firejail/whitelist-var-common.inc
16
15caps.drop all 17caps.drop all
16netfilter 18netfilter
17no3d 19no3d
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index ec7356002..8d05a557c 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -14,6 +14,8 @@ include /etc/firejail/disable-devel.inc
14include /etc/firejail/disable-passwdmgr.inc 14include /etc/firejail/disable-passwdmgr.inc
15include /etc/firejail/disable-programs.inc 15include /etc/firejail/disable-programs.inc
16 16
17include /etc/firejail/whitelist-var-common.inc
18
17caps.drop all 19caps.drop all
18netfilter 20netfilter
19nodvd 21nodvd
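diff --git a/etc/linphone.profile b/etc/linphone.profile
new file mode 100644
index 000000000..41f9245a2
--- /dev/null
+++ b/etc/linphone.profile
@@ -0,0 +1,41 @@
+# Firejail profile for linphone
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/linphone.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.linphone-history.db
+noblacklist ${HOME}/.linphonerc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkfile ${HOME}/.linphone-history.db
+mkfile ${HOME}/.linphonerc
+whitelist ${HOME}/.linphone-history.db
+whitelist ${HOME}/.linphonerc
+whitelist ${HOME}/Downloads
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp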
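Review bot: `whitelist ${HOME}/Downloads` on line 20 hard-codes the directory name, while the ricochet, surf and teamspeak3 profiles in this same commit use `whitelist ${DOWNLOADS}`. On a desktop where the download directory has a different (for example localized) name the hard-coded path would not match the directory the user actually uses, so received files would land in the temporary home view. Replacing the line with `whitelist ${DOWNLOADS}` keeps the profile consistent with its siblings.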
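diff --git a/etc/lmms.profile b/etc/lmms.profile
new file mode 100644
index 000000000..29ed235c6
--- /dev/null
+++ b/etc/lmms.profile
@@ -0,0 +1,34 @@
+# Firejail profile for lmms
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/lmms.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.lmmsrc.xml
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp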
diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile
index bd32e0c70..ec2a65290 100644
--- a/etc/luminance-hdr.profile
+++ b/etc/luminance-hdr.profile
@@ -26,6 +26,7 @@ seccomp
26shell none 26shell none
27tracelog 27tracelog
28 28
29#private-bin luminance-hdr,luminance-hdr-cli,align_image_stack
29private-dev 30private-dev
30private-tmp 31private-tmp
31 32
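diff --git a/etc/macrofusion.profile b/etc/macrofusion.profile
new file mode 100644
index 000000000..be66cf6ee
--- /dev/null
+++ b/etc/macrofusion.profile
@@ -0,0 +1,35 @@
+# Firejail profile for macrofusion
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/macrofusion.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.config/mfusion
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+#private-bin python3,macrofusion,env,enfuse,exiftool,align_image_stack
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp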
diff --git a/etc/mousepad.profile b/etc/mousepad.profile
index 36365fc2f..60205ffda 100644
--- a/etc/mousepad.profile
+++ b/etc/mousepad.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-passwdmgr.inc 12include /etc/firejail/disable-passwdmgr.inc
13include /etc/firejail/disable-programs.inc 13include /etc/firejail/disable-programs.inc
14 14
15include /etc/firejail/whitelist-var-common.inc
16
15caps.drop all 17caps.drop all
16netfilter 18netfilter
17nodvd 19nodvd
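diff --git a/etc/mpd.profile b/etc/mpd.profile
new file mode 100644
index 000000000..7bfa47d77
--- /dev/null
+++ b/etc/mpd.profile
@@ -0,0 +1,33 @@
+# Firejail profile for mpd
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/mpd.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.mpdconf
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+#private-bin mpd,bash
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp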
diff --git a/etc/mpv.profile b/etc/mpv.profile
index 0592751ef..eb8a88a4b 100644
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
13include /etc/firejail/disable-passwdmgr.inc 13include /etc/firejail/disable-passwdmgr.inc
14include /etc/firejail/disable-programs.inc 14include /etc/firejail/disable-programs.inc
15 15
16include /etc/firejail/whitelist-var-common.inc
17
16caps.drop all 18caps.drop all
17netfilter 19netfilter
18nogroups 20nogroups
diff --git a/etc/musescore.profile b/etc/musescore.profile
index 3b5a0b13c..b039d07b2 100644
--- a/etc/musescore.profile
+++ b/etc/musescore.profile
@@ -19,6 +19,7 @@ caps.drop all
19netfilter 19netfilter
20no3d 20no3d
21nodvd 21nodvd
22nogroups
22nonewprivs 23nonewprivs
23noroot 24noroot
24notv 25notv
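diff --git a/etc/natron.profile b/etc/natron.profile
new file mode 100644
index 000000000..d77539d83
--- /dev/null
+++ b/etc/natron.profile
@@ -0,0 +1,33 @@
+# Firejail profile for natron
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/natron.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.Natron
+noblacklist ${HOME}/.cache/INRIA/Natron
+noblacklist ${HOME}/.config/INRIA
+noblacklist /opt/natron
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin natron,Natron,NatronRenderer
+
+noexec ${HOME}
+noexec /tmp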
diff --git a/etc/okular.profile b/etc/okular.profile
index 5a704ad26..94736fbae 100644
--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -20,6 +20,8 @@ include /etc/firejail/disable-devel.inc
20include /etc/firejail/disable-passwdmgr.inc 20include /etc/firejail/disable-passwdmgr.inc
21include /etc/firejail/disable-programs.inc 21include /etc/firejail/disable-programs.inc
22 22
23include /etc/firejail/whitelist-var-common.inc
24
23caps.drop all 25caps.drop all
24netfilter 26netfilter
25nodvd 27nodvd
diff --git a/etc/pidgin.profile b/etc/pidgin.profile
index dd610920a..d195cf586 100644
--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -27,3 +27,6 @@ tracelog
27private-bin pidgin 27private-bin pidgin
28private-dev 28private-dev
29private-tmp 29private-tmp
30
31noexec ${HOME}
32noexec /tmp
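diff --git a/etc/ricochet.profile b/etc/ricochet.profile
new file mode 100644
index 000000000..6da0e21d5
--- /dev/null
+++ b/etc/ricochet.profile
@@ -0,0 +1,40 @@
+# Firejail profile for ricochet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/ricochet.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.local/share/Ricochet
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.local/share/Ricochet
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin ricochet,tor
+private-dev
+#private-etc fonts,tor,X11,alternatives
+
+noexec ${HOME}
+noexec /tmp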
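Review bot: `whitelist ${HOME}/.local/share/Ricochet` on line 17 has no `mkdir` before it, unlike the google-earth, teamspeak3 and terasology profiles in this commit. On a first run the directory does not exist yet, so, as far as I understand firejail's whitelist handling, the application would create it inside the temporary home view and whatever Ricochet stores there would be gone when the sandbox exits. Adding `mkdir ${HOME}/.local/share/Ricochet` above the whitelist lines makes the data directory persistent from the first start.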
diff --git a/etc/riot-web.profile b/etc/riot-web.profile
index c714652df..06dbbe9d9 100644
--- a/etc/riot-web.profile
+++ b/etc/riot-web.profile
@@ -5,9 +5,9 @@ include /etc/firejail/riot-web.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8noblacklist ~/.config/Riot 8noblacklist ${HOME}/.config/Riot
9 9
10whitelist ~/.config/Riot 10whitelist ${HOME}/.config/Riot
11include /etc/firejail/whitelist-common.inc 11include /etc/firejail/whitelist-common.inc
12 12
13# Redirect 13# Redirect
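diff --git a/etc/rocketchat.profile b/etc/rocketchat.profile
new file mode 100644
index 000000000..da92cd938
--- /dev/null
+++ b/etc/rocketchat.profile
@@ -0,0 +1,14 @@
+# Firejail profile for rocketchat
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/rocketchat.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/Rocket.Chat
+
+whitelist ${HOME}/.config/Rocket.Chat
+include /etc/firejail/whitelist-common.inc
+
+# Redirect
+include /etc/firejail/electron.profile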
diff --git a/etc/scribus.profile b/etc/scribus.profile
index e4c88be49..dd06fa59f 100644
--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -38,5 +38,6 @@ protocol unix
38seccomp 38seccomp
39tracelog 39tracelog
40 40
41#private-bin scribus,gs
41private-dev 42private-dev
42# private-tmp 43# private-tmp
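diff --git a/etc/shotcut.profile b/etc/shotcut.profile
new file mode 100644
index 000000000..e30bc1f46
--- /dev/null
+++ b/etc/shotcut.profile
@@ -0,0 +1,31 @@
+# Firejail profile for shotcut
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/shotcut.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.config/Meltytech
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix
+seccomp
+shell none
+
+#private-bin shotcut,melt,qmelt,nice
+private-dev
+
+noexec ${HOME}
+noexec /tmp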
diff --git a/etc/silentarmy.profile b/etc/silentarmy.profile
index abc68a499..977cfea99 100644
--- a/etc/silentarmy.profile
+++ b/etc/silentarmy.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-common.inc
11include /etc/firejail/disable-passwdmgr.inc 11include /etc/firejail/disable-passwdmgr.inc
12include /etc/firejail/disable-programs.inc 12include /etc/firejail/disable-programs.inc
13 13
14include /etc/firejail/whitelist-var-common.inc
15
14caps.drop all 16caps.drop all
15netfilter 17netfilter
16nodvd 18nodvd
@@ -28,6 +30,7 @@ disable-mnt
28private 30private
29# private-bin silentarmy,sa-solver,python3 31# private-bin silentarmy,sa-solver,python3
30private-dev 32private-dev
33private-opt none
31private-tmp 34private-tmp
32 35
33noexec ${HOME} 36noexec ${HOME}
diff --git a/etc/skype.profile b/etc/skype.profile
index f3e504a3f..b12f9879e 100644
--- a/etc/skype.profile
+++ b/etc/skype.profile
@@ -24,6 +24,7 @@ seccomp
24shell none 24shell none
25 25
26disable-mnt 26disable-mnt
27#private-bin skype,bash
27private-dev 28private-dev
28private-tmp 29private-tmp
29 30
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile
index 7e9d34c92..fa5728d9b 100644
--- a/etc/ssh-agent.profile
+++ b/etc/ssh-agent.profile
@@ -16,6 +16,7 @@ include /etc/firejail/disable-common.inc
16include /etc/firejail/disable-passwdmgr.inc 16include /etc/firejail/disable-passwdmgr.inc
17include /etc/firejail/disable-programs.inc 17include /etc/firejail/disable-programs.inc
18 18
19shell none
19caps.drop all 20caps.drop all
20netfilter 21netfilter
21no3d 22no3d
diff --git a/etc/steam.profile b/etc/steam.profile
index 227162e1f..b4b9ede70 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -21,6 +21,8 @@ noblacklist ${HOME}/.steampath
21noblacklist ${HOME}/.steampid 21noblacklist ${HOME}/.steampid
22# with >=llvm-4 mesa drivers need llvm stuff 22# with >=llvm-4 mesa drivers need llvm stuff
23noblacklist /usr/lib/llvm* 23noblacklist /usr/lib/llvm*
24# needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work
25noblacklist /sbin
24 26
25include /etc/firejail/disable-common.inc 27include /etc/firejail/disable-common.inc
26include /etc/firejail/disable-devel.inc 28include /etc/firejail/disable-devel.inc
@@ -44,5 +46,5 @@ shell none
44 46
45# private-dev should be commented for controllers 47# private-dev should be commented for controllers
46private-dev 48private-dev
47private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl 49private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl
48private-tmp 50private-tmp
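Review bot: `noblacklist /sbin` in the first hunk lifts the blacklist on the whole directory for every Steam sandbox, although the comment above it says it is needed only when STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 is set. If the runtime calls a single helper there (the `ld.so.conf,ld.so.conf.d` additions to `private-etc` in the second hunk suggest something linker-related, to be confirmed), naming just that path in the `noblacklist` line would expose less. Alternatively the line could stay commented out in the shipped profile with a note to enable it in `steam.local`, so users who do not set the variable keep the stricter default. Both hunks start and end inside the profile, so the blacklist that this line overrides is not visible here.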
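diff --git a/etc/surf.profile b/etc/surf.profile
new file mode 100644
index 000000000..251331902
--- /dev/null
+++ b/etc/surf.profile
@@ -0,0 +1,35 @@
+# Firejail profile for surf
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/surf.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ~/.surf
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ~/.surf
+whitelist ${DOWNLOADS}
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin ls,surf,sh,dash,bash,curl,dmenu,printf,sed,sleep,st,stterm,xargs,xprop
+private-dev
+private-etc passwd,group,hosts,resolv.conf,fonts,ssl
+private-tmp
+
+noexec ${HOME}
+noexec /tmp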
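Review bot: The profile has `noblacklist ~/.surf` and `mkdir ~/.surf` but no `whitelist ~/.surf`, and `whitelist ${DOWNLOADS}` on line 15 already puts the home directory into whitelist mode. As far as I understand whitelist mode, ~/.surf is then not visible inside the sandbox and anything surf writes there is discarded at exit; adding `whitelist ~/.surf` after the `mkdir` line fixes that. The profile also omits `include /etc/firejail/disable-passwdmgr.inc`, which the other new profiles in this commit carry and which seems worth having for a web browser. The riot-web hunk in this commit replaces `~` with `${HOME}`, so the three `~/.surf` lines could use `${HOME}/.surf` for consistency.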
diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile
index 08ece1e9b..b0014ace6 100644
--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -26,6 +26,7 @@ protocol unix
26seccomp 26seccomp
27shell none 27shell none
28 28
29#private-bin synfigstudio
29private-dev 30private-dev
30private-tmp 31private-tmp
31 32
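diff --git a/etc/teamspeak3.profile b/etc/teamspeak3.profile
new file mode 100644
index 000000000..86f96ba50
--- /dev/null
+++ b/etc/teamspeak3.profile
@@ -0,0 +1,39 @@
+# Firejail profile for teamspeak3
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/teamspeak3.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.ts3client
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.ts3client
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.ts3client
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp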
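diff --git a/etc/terasology.profile b/etc/terasology.profile
new file mode 100644
index 000000000..ca580c0d0
--- /dev/null
+++ b/etc/terasology.profile
@@ -0,0 +1,42 @@
+# Firejail profile for terasology
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/default.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.java
+noblacklist ${HOME}/.local/share/terasology
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.java
+mkdir ${HOME}/.local/share/terasology
+whitelist ${HOME}/.java
+whitelist ${HOME}/.local/share/terasology
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,java-8-openjdk,java-7-openjdk
+private-tmp
+
+noexec ${HOME}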
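Review bot: `include /etc/firejail/default.local` on line 4 loads the override file of the default profile instead of `terasology.local`, so per-application overrides are not read and whatever is in default.local is applied here; this looks like a copy-paste leftover and should read `include /etc/firejail/terasology.local`. The network directives also contradict each other: `net none` is followed by `netfilter` and `protocol unix,inet,inet6`. If the game is meant to run offline, `net none` with `protocol unix` says so; if it needs the network, `net none` has to go. The file ends at `noexec ${HOME}` without the `noexec /tmp` line that the sibling profiles have.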
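diff --git a/etc/tor-browser-en.profile b/etc/tor-browser-en.profile
new file mode 100644
index 000000000..bf3a80139
--- /dev/null
+++ b/etc/tor-browser-en.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/torbrowser-launcher.profile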
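diff --git a/etc/tor.profile b/etc/tor.profile
new file mode 100644
index 000000000..fcb123eef
--- /dev/null
+++ b/etc/tor.profile
@@ -0,0 +1,47 @@
+# Firejail profile for tor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/tor.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# How to use:
+# Create a script called anything (e.g. mytor)
+# with the following contents:
+
+# #!/bin/bash
+# TORCMD="tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 1"
+# sudo -b daemon -f -d -- firejail --profile=/home/<username>/.config/firejail/tor.profile $TORCMD
+
+# You'll also likely want to disable the system service (if it exists)
+# Run mytor (or whatever you called the script above) whenever you want to start tor
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.keep setuid,setgid,net_bind_service,dac_read_search
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+writable-var
+
+disable-mnt
+private
+private-bin tor,bash
+private-dev
+private-etc tor,passwd
+private-tmp
+
+noexec ${HOME}
+noexec /tmp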
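Review bot: The usage comment on line 14 starts firejail through sudo with `--profile=/home/<username>/.config/firejail/tor.profile`, which is a file the unprivileged user can edit but which then defines the sandbox of a root-started process. Since this profile is installed system-wide, the example should point at `/etc/firejail/tor.profile` instead. Separately, `caps.keep setuid,setgid,net_bind_service,dac_read_search` on line 24 retains `dac_read_search`, which bypasses file read and directory search permission checks, without saying why tor needs it. A comment above that line such as `# dac_read_search: <reason> - confirm still required` (the reason is a placeholder for the author) would let a later reviewer decide whether it can be dropped.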
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile
index 763c2d051..3b6b65bec 100644
--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -5,17 +5,20 @@ include /etc/firejail/torbrowser-launcher.local
5# Persistent global definitions 5# Persistent global definitions
6include /etc/firejail/globals.local 6include /etc/firejail/globals.local
7 7
8 8noblacklist ~/.tor-browser-en
9noblacklist ~/.config/torbrowser 9noblacklist ~/.config/torbrowser
10whitelist ~/.config/torbrowser
11noblacklist ~/.local/share/torbrowser 10noblacklist ~/.local/share/torbrowser
12whitelist ~/.local/share/torbrowser
13 11
14include /etc/firejail/disable-common.inc 12include /etc/firejail/disable-common.inc
15include /etc/firejail/disable-devel.inc 13include /etc/firejail/disable-devel.inc
16include /etc/firejail/disable-passwdmgr.inc 14include /etc/firejail/disable-passwdmgr.inc
17include /etc/firejail/disable-programs.inc 15include /etc/firejail/disable-programs.inc
18 16
17whitelist ~/.tor-browser-en
18whitelist ~/.config/torbrowser
19whitelist ~/.local/share/torbrowser
20include /etc/firejail/whitelist-common.inc
21
19caps.drop all 22caps.drop all
20netfilter 23netfilter
21nodvd 24nodvd
@@ -29,7 +32,7 @@ seccomp
29shell none 32shell none
30tracelog 33tracelog
31 34
32private-bin torbrowser-launcher,python2.7,python,bash,dash,sh,grep,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf 35private-bin bash,cp,dash,dirname,env,expr,file,getconf,gpg,grep,id,ln,mkdir,python,python2.7,readlink,rm,sed,sh,tail,test,tor-browser-en,torbrowser-launcher
33private-dev 36private-dev
34private-etc fonts 37private-etc fonts
35private-tmp 38private-tmp
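Review bot: The reordered `private-bin` line in the second hunk adds `expr`, `file` and `tor-browser-en` to the allow-list without saying which component needs them. Because `private-bin` is the list of executables that remain reachable inside the sandbox, a comment above it makes later pruning possible, for example `# expr, file: used by the Tor Browser start script (confirm)`. The list already carries three shells and two Python entries alongside `shell none`, so each further addition is worth justifying in place.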
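diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index 0bb721c64..6a8d6c679 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -19,6 +19,7 @@ whitelist ${DOWNLOADS}
 whitelist ~/.cache/transmission
 whitelist ~/.config/transmission
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter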
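diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index 08964bbab..4db8e19ce 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -19,6 +19,7 @@ whitelist ${DOWNLOADS}
 whitelist ~/.cache/transmission
 whitelist ~/.config/transmission
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter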
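diff --git a/etc/tuxguitar.profile b/etc/tuxguitar.profile
index 5b6a257f6..fbc198cc3 100644
--- a/etc/tuxguitar.profile
+++ b/etc/tuxguitar.profile
@@ -17,6 +17,7 @@ caps.drop all
 netfilter
 no3d
 nodvd
+nogroups
 nonewprivs
 noroot
 notv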
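diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile
index 6e153d559..b01e6d144 100644
--- a/etc/virtualbox.profile
+++ b/etc/virtualbox.profile
@@ -20,7 +20,9 @@ mkdir ~/.config/VirtualBox
 mkdir ~/VirtualBox VMs
 whitelist ~/.config/VirtualBox
 whitelist ~/VirtualBox VMs
+whitelist ${DOWNLOADS}
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter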
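diff --git a/etc/vlc.profile b/etc/vlc.profile
index bccde7a3d..c3a4d58d0 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 # nogroups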
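diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc
index ba4b91451..310149ecd 100644
--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -16,6 +16,7 @@ whitelist ~/.drirc
 whitelist ~/.mime.types
 whitelist ~/.local/share/applications
 read-only ~/.local/share/applications
+whitelist ~/.config/ibus
 
 # fonts
 whitelist ~/.fonts
@@ -34,10 +35,14 @@ whitelist ~/.gtkrc-2.0
 whitelist ~/.gtk-2.0
 whitelist ~/.config/gtk-2.0
 whitelist ~/.config/gtk-3.0
+whitelist ~/.config/gtkrc
+whitelist ~/.config/gtkrc-2.0
 whitelist ~/.themes
 whitelist ~/.local/share/themes
 whitelist ~/.kde/share/config/gtkrc
 whitelist ~/.kde/share/config/gtkrc-2.0
+whitelist ~/.kde4/share/config/gtkrc
+whitelist ~/.kde4/share/config/gtkrc-2.0
 whitelist ~/.gnome2
 whitelist ~/.gnome2-private
 
@@ -50,3 +55,6 @@ whitelist ~/.config/kdeglobals
 whitelist ~/.kde/share/config/oxygenrc
 whitelist ~/.kde/share/config/kdeglobals
 whitelist ~/.kde/share/icons
+whitelist ~/.kde4/share/config/oxygenrc
+whitelist ~/.kde4/share/config/kdeglobals
+whitelist ~/.kde4/share/icons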
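Review bot: The new `whitelist ~/.config/ibus` entry in the first hunk leaves the input-method configuration writable from every sandbox that includes this file, while the entry directly above it pairs `whitelist ~/.local/share/applications` with `read-only`. A sandboxed program could then alter settings that unsandboxed applications also load, and the same applies to the added `~/.config/gtkrc*` and `~/.kde4/share/config/*` entries in the later hunks. If ibus clients only need to read that directory (not confirmed from this diff), follow the existing pattern with `read-only ~/.config/ibus`; otherwise a comment stating why write access is required would document the exception.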
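diff --git a/etc/whitelist-var-common.inc b/etc/whitelist-var-common.inc
new file mode 100644
index 000000000..024995f20
--- /dev/null
+++ b/etc/whitelist-var-common.inc
@@ -0,0 +1,11 @@
+# Local customizations come here
+include /etc/firejail/whitelist-var-common.local
+
+# common /var whitelist for all profiles
+
+whitelist /var/lib/dbus
+whitelist /var/lib/menu-xdg
+whitelist /var/cache/fontconfig
+whitelist /var/tmp
+whitelist /var/run
+whitelist /var/lock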
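Review bot: `whitelist /var/run` and `whitelist /var/tmp` keep two broad, shared directories visible to every profile that includes this file. /var/run usually holds the runtime sockets and pid files of system services, and /var/tmp is world-writable storage shared with unsandboxed processes, even though several including profiles set `private-tmp` for /tmp. Narrowing these to the specific entries desktop applications need, as the file already does with `/var/lib/dbus`, would make the include a tighter default. At minimum, state the exposure next to the entries, e.g. `# /var/run and /var/tmp remain shared with the host`.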
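diff --git a/etc/x-terminal-emulator.profile b/etc/x-terminal-emulator.profile
new file mode 100644
index 000000000..1395b81c9
--- /dev/null
+++ b/etc/x-terminal-emulator.profile
@@ -0,0 +1,20 @@
+# Firejail profile for x-terminal-emulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/x-terminal-emulator.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+caps.drop all
+ipc-namespace
+net none
+netfilter
+nogroups
+noroot
+protocol unix
+seccomp
+
+private-dev
+
+noexec /tmp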
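Review bot: Unlike the other new profiles in this commit (tor, xmr-stak-cpu, zart), this one includes none of the `disable-*.inc` files and omits `nonewprivs`, so a shell started in the terminal still sees the paths those includes blacklist elsewhere. If that is deliberate for a general-purpose terminal, record it in the file, e.g. `# disable-*.inc intentionally not included: the terminal needs the full home directory`. Otherwise add the four includes and `nonewprivs` as in the sibling profiles. `netfilter` also appears to have nothing to filter next to `net none`; zart.profile uses `net none` alone.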
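diff --git a/etc/xmr-stak-cpu.profile b/etc/xmr-stak-cpu.profile
new file mode 100644
index 000000000..9cc6e0c1f
--- /dev/null
+++ b/etc/xmr-stak-cpu.profile
@@ -0,0 +1,42 @@
+# Firejail profile for xmr-stak-cpu
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/xmr-stak-cpu.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private
+private-bin xmr-stak-cpu
+private-dev
+private-etc xmr-stak-cpu.json
+private-lib
+private-opt none
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp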
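Review bot: `private-etc xmr-stak-cpu.json` leaves the sandbox's /etc without `resolv.conf`, `hosts` or any CA certificate store, while `protocol unix,inet,inet6` keeps networking enabled. If the user's configuration names a pool by hostname or uses TLS (that depends on the JSON file, which is not shown), name resolution or certificate validation would likely fail inside the sandbox, and the usual reaction is to run the program unsandboxed. Either extend the line, e.g. `private-etc xmr-stak-cpu.json,resolv.conf,hosts,ca-certificates,ssl`, or add a comment stating that the profile assumes an IP-literal, non-TLS endpoint.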
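diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile
index e20fb3e99..d41591fd6 100644
--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 ipc-namespace
 netfilter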
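diff --git a/etc/zart.profile b/etc/zart.profile
new file mode 100644
index 000000000..6e136d0c9
--- /dev/null
+++ b/etc/zart.profile
@@ -0,0 +1,30 @@
+# Firejail profile for zart
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/zart.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix
+seccomp
+shell none
+
+private-bin zart,ffmpeg,melt,ffprobe,ffplay
+private-dev
+
+noexec ${HOME}
+noexec /tmp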