apparmor

author: netblue30 <netblue30@yahoo.com> 2020-03-23 14:32:49 -0400
committer: netblue30 <netblue30@yahoo.com> 2020-03-23 14:32:49 -0400
commit: 255697b15aff5c6b57cb77b2dbedf6cffb366efe (patch)
tree: 00a7d8a0d9f33da0bc95075237a448667a09c2d7 /etc
parent: Merge pull request #3293 from 0x7969/master (diff)
download: firejail-255697b15aff5c6b57cb77b2dbedf6cffb366efe.tar.gz
firejail-255697b15aff5c6b57cb77b2dbedf6cffb366efe.tar.zst
firejail-255697b15aff5c6b57cb77b2dbedf6cffb366efe.zip
15 files changed, 68 insertions, 5 deletions
diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile
index 84e38d0e1..2dc1173a4 100644
--- a/etc/gnome-books.profile
+++ b/etc/gnome-books.profile
@@ -23,7 +23,9 @@ include disable-xdg.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
+net none
 netfilter
 no3d
 nodvd
diff --git a/etc/gnome-characters.profile b/etc/gnome-characters.profile
index 2d4724610..f02fe13f6 100644
--- a/etc/gnome-characters.profile
+++ b/etc/gnome-characters.profile
@@ -22,6 +22,7 @@ include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 machine-id
 net none
diff --git a/etc/gnome-font-viewer.profile b/etc/gnome-font-viewer.profile
index 468ef0401..3f186b90b 100644
--- a/etc/gnome-font-viewer.profile
+++ b/etc/gnome-font-viewer.profile
@@ -17,7 +17,9 @@ include disable-xdg.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
+net none
 netfilter
 no3d
 nodvd
diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile
index ad3fa1753..7b27eb333 100644
--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -23,6 +23,7 @@ include disable-xdg.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 no3d
@@ -37,8 +38,9 @@ seccomp
 shell none
 tracelog
-private-bin env,gio-launch-desktop,gnome-music,python*,yelp
+# private-bin calls a file manager - whatever is installed!
+#private-bin env,gio-launch-desktop,gnome-music,python*,yelp
 private-dev
-private-etc alternatives,asound.conf,fonts,machine-id,pulse
+private-etc alternatives,asound.conf,fonts,machine-id,pulse,fonts,xdg,gtk-3.0,dconf,selinux,
 private-tmp
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile
index aa0b7dbe3..c28217efb 100644
--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@@ -19,6 +19,7 @@ include disable-programs.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/gnome-recipes.profile b/etc/gnome-recipes.profile
index b4791afc5..45a359624 100644
--- a/etc/gnome-recipes.profile
+++ b/etc/gnome-recipes.profile
@@ -26,7 +26,8 @@ include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
-caps.drop all
+apparmor
+aps.drop all
 ipc-namespace
 machine-id
 netfilter
diff --git a/etc/kmplayer.profile b/etc/kmplayer.profile
new file mode 100644
index 000000000..7eabde61d
--- /dev/null
+++ b/etc/kmplayer.profile
@@ -0,0 +1,41 @@
+# Firejail profile for mplayer
+# Description: mplayer KDE GUI (movie player)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kmplayer.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/kmplayerrc
+noblacklist ${HOME}/.kde/share/config/kmplayerrc
+noblacklist ${HOME}/.local/share/kmplayer
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+# private-bin kmplayer,mplayer
+private-cache
+private-dev
+private-tmp
diff --git a/etc/pitivi.profile b/etc/pitivi.profile
index 89a6a020b..faa19f27a 100644
--- a/etc/pitivi.profile
+++ b/etc/pitivi.profile
@@ -22,8 +22,10 @@ include disable-programs.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 ipc-namespace
+net none
 netfilter
 nodvd
 nogroups
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index ad8b1015e..aff8b08e3 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -28,7 +28,7 @@ whitelist /usr/share/libquvi-scripts
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
-# apparmor - makes settings immutable
+apparmor
 caps.drop all
 netfilter
 # nodbus - makes settings immutable
@@ -38,7 +38,7 @@ noroot
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 tracelog
diff --git a/etc/ristretto.profile b/etc/ristretto.profile
index 8fcbb203c..a1cbdf16c 100644
--- a/etc/ristretto.profile
+++ b/etc/ristretto.profile
@@ -17,7 +17,11 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include whitelist-var-common.inc
+apparmor
 caps.drop all
+net none
 netfilter
 no3d
 nodvd
diff --git a/etc/shellcheck.profile b/etc/shellcheck.profile
index f8744bdf8..7b4041222 100644
--- a/etc/shellcheck.profile
+++ b/etc/shellcheck.profile
@@ -23,6 +23,7 @@ whitelist /usr/share/shellcheck
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 ipc-namespace
 machine-id
diff --git a/etc/simutrans.profile b/etc/simutrans.profile
index c6f5f70b0..73093a259 100644
--- a/etc/simutrans.profile
+++ b/etc/simutrans.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.simutrans
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -17,7 +18,9 @@ include disable-programs.inc
 mkdir ${HOME}/.simutrans
 whitelist ${HOME}/.simutrans
 include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
 caps.drop all
 net none
 nodbus
diff --git a/etc/smtube.profile b/etc/smtube.profile
index 98e0229ce..79bc02979 100644
--- a/etc/smtube.profile
+++ b/etc/smtube.profile
@@ -28,6 +28,7 @@ whitelist /usr/share/smtube
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/widelands.profile b/etc/widelands.profile
index c6b5f27da..dd956fa28 100644
--- a/etc/widelands.profile
+++ b/etc/widelands.profile
@@ -21,6 +21,7 @@ whitelist ${HOME}/.widelands
 include whitelist-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 ipc-namespace
 netfilter
diff --git a/etc/xcalc.profile b/etc/xcalc.profile
index a096f803c..a644af351 100644
--- a/etc/xcalc.profile
+++ b/etc/xcalc.profile
@@ -15,6 +15,7 @@ include disable-xdg.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 net none
 no3d
author	netblue30 <netblue30@yahoo.com>	2020-03-23 14:32:49 -0400
committer	netblue30 <netblue30@yahoo.com>	2020-03-23 14:32:49 -0400
commit	255697b15aff5c6b57cb77b2dbedf6cffb366efe (patch)
tree	00a7d8a0d9f33da0bc95075237a448667a09c2d7 /etc
parent	Merge pull request #3293 from 0x7969/master (diff)
download	firejail-255697b15aff5c6b57cb77b2dbedf6cffb366efe.tar.gz firejail-255697b15aff5c6b57cb77b2dbedf6cffb366efe.tar.zst firejail-255697b15aff5c6b57cb77b2dbedf6cffb366efe.zip

diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile index 84e38d0e1..2dc1173a4 100644 --- a/etc/gnome-books.profile +++ b/etc/gnome-books.profile
@@ -23,7 +23,9 @@ include disable-xdg.inc
23		23
24	include whitelist-var-common.inc	24	include whitelist-var-common.inc
25		25
		26	apparmor
26	caps.drop all	27	caps.drop all
		28	net none
27	netfilter	29	netfilter
28	no3d	30	no3d
29	nodvd	31	nodvd


diff --git a/etc/gnome-characters.profile b/etc/gnome-characters.profile index 2d4724610..f02fe13f6 100644 --- a/etc/gnome-characters.profile +++ b/etc/gnome-characters.profile
@@ -22,6 +22,7 @@ include whitelist-common.inc
22	include whitelist-usr-share-common.inc	22	include whitelist-usr-share-common.inc
23	include whitelist-var-common.inc	23	include whitelist-var-common.inc
24		24
		25	apparmor
25	caps.drop all	26	caps.drop all
26	machine-id	27	machine-id
27	net none	28	net none


diff --git a/etc/gnome-font-viewer.profile b/etc/gnome-font-viewer.profile index 468ef0401..3f186b90b 100644 --- a/etc/gnome-font-viewer.profile +++ b/etc/gnome-font-viewer.profile
@@ -17,7 +17,9 @@ include disable-xdg.inc
17		17
18	include whitelist-var-common.inc	18	include whitelist-var-common.inc
19		19
		20	apparmor
20	caps.drop all	21	caps.drop all
		22	net none
21	netfilter	23	netfilter
22	no3d	24	no3d
23	nodvd	25	nodvd


diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile index ad3fa1753..7b27eb333 100644 --- a/etc/gnome-music.profile +++ b/etc/gnome-music.profile
@@ -23,6 +23,7 @@ include disable-xdg.inc
23		23
24	include whitelist-var-common.inc	24	include whitelist-var-common.inc
25		25
		26	apparmor
26	caps.drop all	27	caps.drop all
27	netfilter	28	netfilter
28	no3d	29	no3d
@@ -37,8 +38,9 @@ seccomp
37	shell none	38	shell none
38	tracelog	39	tracelog
39		40
40	private-bin env,gio-launch-desktop,gnome-music,python*,yelp	41	# private-bin calls a file manager - whatever is installed!
		42	#private-bin env,gio-launch-desktop,gnome-music,python*,yelp
41	private-dev	43	private-dev
42	private-etc alternatives,asound.conf,fonts,machine-id,pulse	44	private-etc alternatives,asound.conf,fonts,machine-id,pulse,fonts,xdg,gtk-3.0,dconf,selinux,
43	private-tmp	45	private-tmp
44		46


diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile index aa0b7dbe3..c28217efb 100644 --- a/etc/gnome-photos.profile +++ b/etc/gnome-photos.profile
@@ -19,6 +19,7 @@ include disable-programs.inc
19		19
20	include whitelist-var-common.inc	20	include whitelist-var-common.inc
21		21
		22	apparmor
22	caps.drop all	23	caps.drop all
23	netfilter	24	netfilter
24	nodvd	25	nodvd


diff --git a/etc/gnome-recipes.profile b/etc/gnome-recipes.profile index b4791afc5..45a359624 100644 --- a/etc/gnome-recipes.profile +++ b/etc/gnome-recipes.profile
@@ -26,7 +26,8 @@ include whitelist-common.inc
26	include whitelist-usr-share-common.inc	26	include whitelist-usr-share-common.inc
27	include whitelist-var-common.inc	27	include whitelist-var-common.inc
28		28
29	caps.drop all	29	apparmor
		30	aps.drop all
30	ipc-namespace	31	ipc-namespace
31	machine-id	32	machine-id
32	netfilter	33	netfilter


diff --git a/etc/kmplayer.profile b/etc/kmplayer.profile new file mode 100644 index 000000000..7eabde61d --- /dev/null +++ b/etc/kmplayer.profile
@@ -0,0 +1,41 @@
		1	# Firejail profile for mplayer
		2	# Description: mplayer KDE GUI (movie player)
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include kmplayer.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${HOME}/.config/kmplayerrc
		10	noblacklist ${HOME}/.kde/share/config/kmplayerrc
		11	noblacklist ${HOME}/.local/share/kmplayer
		12	noblacklist ${MUSIC}
		13	noblacklist ${VIDEOS}
		14
		15	include disable-common.inc
		16	include disable-devel.inc
		17	include disable-exec.inc
		18	include disable-interpreters.inc
		19	include disable-passwdmgr.inc
		20	include disable-programs.inc
		21	include disable-xdg.inc
		22
		23	include whitelist-usr-share-common.inc
		24	include whitelist-var-common.inc
		25
		26	apparmor
		27	caps.drop all
		28	netfilter
		29	nogroups
		30	nonewprivs
		31	noroot
		32	nou2f
		33	protocol unix,inet,inet6,netlink
		34	seccomp
		35	shell none
		36
		37	# private-bin kmplayer,mplayer
		38	private-cache
		39	private-dev
		40	private-tmp
		41


diff --git a/etc/pitivi.profile b/etc/pitivi.profile index 89a6a020b..faa19f27a 100644 --- a/etc/pitivi.profile +++ b/etc/pitivi.profile
@@ -22,8 +22,10 @@ include disable-programs.inc
22		22
23	include whitelist-var-common.inc	23	include whitelist-var-common.inc
24		24
		25	apparmor
25	caps.drop all	26	caps.drop all
26	ipc-namespace	27	ipc-namespace
		28	net none
27	netfilter	29	netfilter
28	nodvd	30	nodvd
29	nogroups	31	nogroups


diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index ad8b1015e..aff8b08e3 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile
@@ -28,7 +28,7 @@ whitelist /usr/share/libquvi-scripts
28	include whitelist-usr-share-common.inc	28	include whitelist-usr-share-common.inc
29	include whitelist-var-common.inc	29	include whitelist-var-common.inc
30		30
31	# apparmor - makes settings immutable	31	apparmor
32	caps.drop all	32	caps.drop all
33	netfilter	33	netfilter
34	# nodbus - makes settings immutable	34	# nodbus - makes settings immutable
@@ -38,7 +38,7 @@ noroot
38	notv	38	notv
39	nou2f	39	nou2f
40	novideo	40	novideo
41	protocol unix,inet,inet6	41	protocol unix,inet,inet6,netlink
42	seccomp	42	seccomp
43	shell none	43	shell none
44	tracelog	44	tracelog


diff --git a/etc/ristretto.profile b/etc/ristretto.profile index 8fcbb203c..a1cbdf16c 100644 --- a/etc/ristretto.profile +++ b/etc/ristretto.profile
@@ -17,7 +17,11 @@ include disable-interpreters.inc
17	include disable-passwdmgr.inc	17	include disable-passwdmgr.inc
18	include disable-programs.inc	18	include disable-programs.inc
19		19
		20	include whitelist-var-common.inc
		21
		22	apparmor
20	caps.drop all	23	caps.drop all
		24	net none
21	netfilter	25	netfilter
22	no3d	26	no3d
23	nodvd	27	nodvd


diff --git a/etc/shellcheck.profile b/etc/shellcheck.profile index f8744bdf8..7b4041222 100644 --- a/etc/shellcheck.profile +++ b/etc/shellcheck.profile
@@ -23,6 +23,7 @@ whitelist /usr/share/shellcheck
23	include whitelist-usr-share-common.inc	23	include whitelist-usr-share-common.inc
24	include whitelist-var-common.inc	24	include whitelist-var-common.inc
25		25
		26	apparmor
26	caps.drop all	27	caps.drop all
27	ipc-namespace	28	ipc-namespace
28	machine-id	29	machine-id


diff --git a/etc/simutrans.profile b/etc/simutrans.profile index c6f5f70b0..73093a259 100644 --- a/etc/simutrans.profile +++ b/etc/simutrans.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.simutrans
10		10
11	include disable-common.inc	11	include disable-common.inc
12	include disable-devel.inc	12	include disable-devel.inc
		13	include disable-exec.inc
13	include disable-interpreters.inc	14	include disable-interpreters.inc
14	include disable-passwdmgr.inc	15	include disable-passwdmgr.inc
15	include disable-programs.inc	16	include disable-programs.inc
@@ -17,7 +18,9 @@ include disable-programs.inc
17	mkdir ${HOME}/.simutrans	18	mkdir ${HOME}/.simutrans
18	whitelist ${HOME}/.simutrans	19	whitelist ${HOME}/.simutrans
19	include whitelist-common.inc	20	include whitelist-common.inc
		21	include whitelist-var-common.inc
20		22
		23	apparmor
21	caps.drop all	24	caps.drop all
22	net none	25	net none
23	nodbus	26	nodbus


diff --git a/etc/smtube.profile b/etc/smtube.profile index 98e0229ce..79bc02979 100644 --- a/etc/smtube.profile +++ b/etc/smtube.profile
@@ -28,6 +28,7 @@ whitelist /usr/share/smtube
28	include whitelist-usr-share-common.inc	28	include whitelist-usr-share-common.inc
29	include whitelist-var-common.inc	29	include whitelist-var-common.inc
30		30
		31	apparmor
31	caps.drop all	32	caps.drop all
32	netfilter	33	netfilter
33	nodvd	34	nodvd


diff --git a/etc/widelands.profile b/etc/widelands.profile index c6b5f27da..dd956fa28 100644 --- a/etc/widelands.profile +++ b/etc/widelands.profile
@@ -21,6 +21,7 @@ whitelist ${HOME}/.widelands
21	include whitelist-common.inc	21	include whitelist-common.inc
22	include whitelist-var-common.inc	22	include whitelist-var-common.inc
23		23
		24	apparmor
24	caps.drop all	25	caps.drop all
25	ipc-namespace	26	ipc-namespace
26	netfilter	27	netfilter


diff --git a/etc/xcalc.profile b/etc/xcalc.profile index a096f803c..a644af351 100644 --- a/etc/xcalc.profile +++ b/etc/xcalc.profile
@@ -15,6 +15,7 @@ include disable-xdg.inc
15		15
16	include whitelist-var-common.inc	16	include whitelist-var-common.inc
17		17
		18	apparmor
18	caps.drop all	19	caps.drop all
19	net none	20	net none
20	no3d	21	no3d