mainline merge: profiles

author: netblue30 <netblue30@yahoo.com> 2018-09-26 09:22:01 -0400
committer: netblue30 <netblue30@yahoo.com> 2018-09-26 09:22:01 -0400
commit: 52c9602ce6d0c8942cdb0200558bb91bec00ee65 (patch)
tree: 7b54171190c182bd072c4e3520d73ad9b76af41c /etc
parent: testing (diff)
download: firejail-52c9602ce6d0c8942cdb0200558bb91bec00ee65.tar.gz
firejail-52c9602ce6d0c8942cdb0200558bb91bec00ee65.tar.zst
firejail-52c9602ce6d0c8942cdb0200558bb91bec00ee65.zip
24 files changed, 158 insertions, 3 deletions
diff --git a/etc/android-studio.profile b/etc/android-studio.profile
index d845bd4b9..8f5cd56cc 100644
--- a/etc/android-studio.profile
+++ b/etc/android-studio.profile
@@ -20,6 +20,8 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/apktool.profile b/etc/apktool.profile
index 2043cf5af..d157b1478 100644
--- a/etc/apktool.profile
+++ b/etc/apktool.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-xdg.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 net none
 no3d
diff --git a/etc/bless.profile b/etc/bless.profile
index 01f75b00d..0da3436e8 100644
--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -14,6 +14,8 @@ include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 net none
 no3d
diff --git a/etc/dex2jar.profile b/etc/dex2jar.profile
index b61d68e06..da59fc71a 100644
--- a/etc/dex2jar.profile
+++ b/etc/dex2jar.profile
@@ -19,6 +19,8 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-xdg.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 net none
 no3d
diff --git a/etc/gitg.profile b/etc/gitg.profile
index 5a7349eb1..87d8c0a1f 100644
--- a/etc/gitg.profile
+++ b/etc/gitg.profile
@@ -16,6 +16,8 @@ include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 no3d
 nodvd
diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile
index eaec627c6..819c40c98 100644
--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -37,9 +37,9 @@ seccomp
 shell none
 tracelog
-private-bin gnome-music,python*
+private-bin gnome-music,python*,env,gio-launch-desktop,yelp
 private-dev
-# private-etc fonts,machine-id,pulse,asound.conf
+private-etc fonts,machine-id,pulse,asound.conf
 private-tmp
 noexec ${HOME}
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
index 81e538153..3a280dab7 100644
--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -21,6 +21,8 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-xdg.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 net none
 no3d
diff --git a/etc/liferea.profile b/etc/liferea.profile
index 673182c10..04c649121 100644
--- a/etc/liferea.profile
+++ b/etc/liferea.profile
@@ -29,6 +29,7 @@ whitelist ${HOME}/.cache/liferea
 whitelist ${HOME}/.config/liferea
 whitelist ${HOME}/.local/share/liferea
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
diff --git a/etc/lollypop.profile b/etc/lollypop.profile
index 0f8f49488..efd40e899 100644
--- a/etc/lollypop.profile
+++ b/etc/lollypop.profile
@@ -22,6 +22,8 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-xdg.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
 no3d
diff --git a/etc/meld.profile b/etc/meld.profile
index 00d5c6caa..1a7935800 100644
--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 net none
 no3d
diff --git a/etc/minetest.profile b/etc/minetest.profile
index 7de546791..3e06b6d30 100644
--- a/etc/minetest.profile
+++ b/etc/minetest.profile
@@ -17,10 +17,12 @@ include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.minetest
 whitelist ${HOME}/.minetest
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/mumble.profile b/etc/mumble.profile
index f894acb57..c5af9aa42 100644
--- a/etc/mumble.profile
+++ b/etc/mumble.profile
@@ -20,6 +20,7 @@ mkdir ${HOME}/.local/share/data/Mumble
 whitelist ${HOME}/.config/Mumble
 whitelist ${HOME}/.local/share/data/Mumble
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
diff --git a/etc/patch.profile b/etc/patch.profile
index d4058d6e7..8fa6ac966 100644
--- a/etc/patch.profile
+++ b/etc/patch.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-xdg.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 net none
diff --git a/etc/picard.profile b/etc/picard.profile
index 2cc0b5c68..8474eeda6 100644
--- a/etc/picard.profile
+++ b/etc/picard.profile
@@ -23,6 +23,8 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-xdg.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 no3d
 nodvd
diff --git a/etc/pithos.profile b/etc/pithos.profile
index e5af9c973..cbe7ac9c6 100644
--- a/etc/pithos.profile
+++ b/etc/pithos.profile
@@ -20,6 +20,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-xdg.inc
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
diff --git a/etc/remmina.profile b/etc/remmina.profile
index 5078000bb..51c0f2d17 100644
--- a/etc/remmina.profile
+++ b/etc/remmina.profile
@@ -18,6 +18,8 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-xdg.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 nodvd
 nogroups
diff --git a/etc/sdat2img.profile b/etc/sdat2img.profile
index e318dd568..a2a54f838 100644
--- a/etc/sdat2img.profile
+++ b/etc/sdat2img.profile
@@ -19,6 +19,8 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-xdg.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 net none
 no3d
diff --git a/etc/shellcheck.profile b/etc/shellcheck.profile
index f6c154183..90fc9cb8c 100644
--- a/etc/shellcheck.profile
+++ b/etc/shellcheck.profile
@@ -16,6 +16,8 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-xdg.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 net none
diff --git a/etc/soundconverter.profile b/etc/soundconverter.profile
index ee4d90265..69efe5244 100644
--- a/etc/soundconverter.profile
+++ b/etc/soundconverter.profile
@@ -21,6 +21,8 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-xdg.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 net none
 no3d
diff --git a/etc/spectre-meltdown-checker.profile b/etc/spectre-meltdown-checker.profile
new file mode 100644
index 000000000..18d3a0575
--- /dev/null
+++ b/etc/spectre-meltdown-checker.profile
@@ -0,0 +1,53 @@
+# Firejail profile for spectre-meltdown-checker
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include /etc/firejail/spectre-meltdown-checker.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+# sudo firejail --allow-debuggers spectre-meltdown-checker
+noblacklist ${PATH}/mount
+noblacklist ${PATH}/umount
+# Allow access to perl
+noblacklist ${PATH}/cpan*
+noblacklist ${PATH}/core_perl
+noblacklist ${PATH}/perl
+noblacklist /usr/lib/perl*
+noblacklist /usr/share/perl*
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-xdg.inc
+include /etc/firejail/whitelist-var-common.inc
+caps.keep sys_rawio
+ipc-namespace
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+nosound
+notv
+novideo
+protocol unix
+seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@reboot,@resources,@swap
+shell none
+disable-mnt
+private
+private-bin awk,bzip2,cat,coreos-install,cpucontrol,cut,dd,dmesg,dnf,echo,grep,gunzip,gz,gzip,head,id,kldload,kldstat,liblz4-tool,lzop,mktemp,modinfo,modprobe,mount,nm,objdump,od,perl,printf,readelf,rm,sed,seq,sh,sort,spectre-meltdown-checker,spectre-meltdown-checker.sh,stat,strings,sysctl,tail,test,toolbox,tr,uname,which,xz-utils
+private-cache
+private-tmp
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/sqlitebrowser.profile b/etc/sqlitebrowser.profile
index 75e8ed5c0..0f030d559 100644
--- a/etc/sqlitebrowser.profile
+++ b/etc/sqlitebrowser.profile
@@ -16,6 +16,8 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-xdg.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 net none
 no3d
diff --git a/etc/start-tor-browser.desktop.profile b/etc/start-tor-browser.desktop.profile
new file mode 100644
index 000000000..c17815969
--- /dev/null
+++ b/etc/start-tor-browser.desktop.profile
@@ -0,0 +1,66 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+noblacklist ${HOME}/.tor-browser-ar:
+mkdir ${HOME}/.tor-browser-ar:
+whitelist ${HOME}/.tor-browser-ar:
+noblacklist ${HOME}/.tor-browser-en:
+mkdir ${HOME}/.tor-browser-en:
+whitelist ${HOME}/.tor-browser-en:
+noblacklist ${HOME}/.tor-browser-en-us:
+mkdir ${HOME}/.tor-browser-en-us:
+whitelist ${HOME}/.tor-browser-en-us:
+noblacklist ${HOME}/.tor-browser-es:
+mkdir ${HOME}/.tor-browser-es:
+whitelist ${HOME}/.tor-browser-es:
+noblacklist ${HOME}/.tor-browser-es-es:
+mkdir ${HOME}/.tor-browser-es-es:
+whitelist ${HOME}/.tor-browser-es-es:
+noblacklist ${HOME}/.tor-browser-fa:
+mkdir ${HOME}/.tor-browser-fa:
+whitelist ${HOME}/.tor-browser-fa:
+noblacklist ${HOME}/.tor-browser-fr:
+mkdir ${HOME}/.tor-browser-fr:
+whitelist ${HOME}/.tor-browser-fr:
+noblacklist ${HOME}/.tor-browser-it:
+mkdir ${HOME}/.tor-browser-it:
+whitelist ${HOME}/.tor-browser-it:
+noblacklist ${HOME}/.tor-browser-ja:
+mkdir ${HOME}/.tor-browser-ja:
+whitelist ${HOME}/.tor-browser-ja:
+noblacklist ${HOME}/.tor-browser-ko:
+mkdir ${HOME}/.tor-browser-ko:
+whitelist ${HOME}/.tor-browser-ko:
+noblacklist ${HOME}/.tor-browser-pl:
+mkdir ${HOME}/.tor-browser-pl:
+whitelist ${HOME}/.tor-browser-pl:
+noblacklist ${HOME}/.tor-browser-pt-br:
+mkdir ${HOME}/.tor-browser-pt-br:
+whitelist ${HOME}/.tor-browser-pt-br:
+noblacklist ${HOME}/.tor-browser-ru:
+mkdir ${HOME}/.tor-browser-ru:
+whitelist ${HOME}/.tor-browser-ru:
+noblacklist ${HOME}/.tor-browser-vi:
+mkdir ${HOME}/.tor-browser-vi:
+whitelist ${HOME}/.tor-browser-vi:
+noblacklist ${HOME}/.tor-browser-zh-cn:
+mkdir ${HOME}/.tor-browser-zh-cn:
+whitelist ${HOME}/.tor-browser-zh-cn:
+# Redirect
+include /etc/firejail/torbrowser-launcher.profile
diff --git a/etc/vlc.profile b/etc/vlc.profile
index 20dafba25..594a5944b 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -25,7 +25,7 @@ include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
 #nodbus
-#nogroups
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
diff --git a/etc/xonotic.profile b/etc/xonotic.profile
index 29b2bb382..a7e8edc0f 100644
--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -21,6 +21,7 @@ include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs
author	netblue30 <netblue30@yahoo.com>	2018-09-26 09:22:01 -0400
committer	netblue30 <netblue30@yahoo.com>	2018-09-26 09:22:01 -0400
commit	52c9602ce6d0c8942cdb0200558bb91bec00ee65 (patch)
tree	7b54171190c182bd072c4e3520d73ad9b76af41c /etc
parent	testing (diff)
download	firejail-52c9602ce6d0c8942cdb0200558bb91bec00ee65.tar.gz firejail-52c9602ce6d0c8942cdb0200558bb91bec00ee65.tar.zst firejail-52c9602ce6d0c8942cdb0200558bb91bec00ee65.zip

diff --git a/etc/android-studio.profile b/etc/android-studio.profile index d845bd4b9..8f5cd56cc 100644 --- a/etc/android-studio.profile +++ b/etc/android-studio.profile
@@ -20,6 +20,8 @@ include /etc/firejail/disable-common.inc
20	include /etc/firejail/disable-passwdmgr.inc	20	include /etc/firejail/disable-passwdmgr.inc
21	include /etc/firejail/disable-programs.inc	21	include /etc/firejail/disable-programs.inc
22		22
		23	include /etc/firejail/whitelist-var-common.inc
		24
23	caps.drop all	25	caps.drop all
24	netfilter	26	netfilter
25	nodvd	27	nodvd


diff --git a/etc/apktool.profile b/etc/apktool.profile index 2043cf5af..d157b1478 100644 --- a/etc/apktool.profile +++ b/etc/apktool.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-passwdmgr.inc
12	include /etc/firejail/disable-programs.inc	12	include /etc/firejail/disable-programs.inc
13	include /etc/firejail/disable-xdg.inc	13	include /etc/firejail/disable-xdg.inc
14		14
		15	include /etc/firejail/whitelist-var-common.inc
		16
15	caps.drop all	17	caps.drop all
16	net none	18	net none
17	no3d	19	no3d


diff --git a/etc/bless.profile b/etc/bless.profile index 01f75b00d..0da3436e8 100644 --- a/etc/bless.profile +++ b/etc/bless.profile
@@ -14,6 +14,8 @@ include /etc/firejail/disable-interpreters.inc
14	include /etc/firejail/disable-passwdmgr.inc	14	include /etc/firejail/disable-passwdmgr.inc
15	include /etc/firejail/disable-programs.inc	15	include /etc/firejail/disable-programs.inc
16		16
		17	include /etc/firejail/whitelist-var-common.inc
		18
17	caps.drop all	19	caps.drop all
18	net none	20	net none
19	no3d	21	no3d


diff --git a/etc/dex2jar.profile b/etc/dex2jar.profile index b61d68e06..da59fc71a 100644 --- a/etc/dex2jar.profile +++ b/etc/dex2jar.profile
@@ -19,6 +19,8 @@ include /etc/firejail/disable-passwdmgr.inc
19	include /etc/firejail/disable-programs.inc	19	include /etc/firejail/disable-programs.inc
20	include /etc/firejail/disable-xdg.inc	20	include /etc/firejail/disable-xdg.inc
21		21
		22	include /etc/firejail/whitelist-var-common.inc
		23
22	caps.drop all	24	caps.drop all
23	net none	25	net none
24	no3d	26	no3d


diff --git a/etc/gitg.profile b/etc/gitg.profile index 5a7349eb1..87d8c0a1f 100644 --- a/etc/gitg.profile +++ b/etc/gitg.profile
@@ -16,6 +16,8 @@ include /etc/firejail/disable-interpreters.inc
16	include /etc/firejail/disable-passwdmgr.inc	16	include /etc/firejail/disable-passwdmgr.inc
17	include /etc/firejail/disable-programs.inc	17	include /etc/firejail/disable-programs.inc
18		18
		19	include /etc/firejail/whitelist-var-common.inc
		20
19	caps.drop all	21	caps.drop all
20	no3d	22	no3d
21	nodvd	23	nodvd


diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile index eaec627c6..819c40c98 100644 --- a/etc/gnome-music.profile +++ b/etc/gnome-music.profile
@@ -37,9 +37,9 @@ seccomp
37	shell none	37	shell none
38	tracelog	38	tracelog
39		39
40	private-bin gnome-music,python*	40	private-bin gnome-music,python*,env,gio-launch-desktop,yelp
41	private-dev	41	private-dev
42	# private-etc fonts,machine-id,pulse,asound.conf	42	private-etc fonts,machine-id,pulse,asound.conf
43	private-tmp	43	private-tmp
44		44
45	noexec ${HOME}	45	noexec ${HOME}


diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile index 81e538153..3a280dab7 100644 --- a/etc/jd-gui.profile +++ b/etc/jd-gui.profile
@@ -21,6 +21,8 @@ include /etc/firejail/disable-passwdmgr.inc
21	include /etc/firejail/disable-programs.inc	21	include /etc/firejail/disable-programs.inc
22	include /etc/firejail/disable-xdg.inc	22	include /etc/firejail/disable-xdg.inc
23		23
		24	include /etc/firejail/whitelist-var-common.inc
		25
24	caps.drop all	26	caps.drop all
25	net none	27	net none
26	no3d	28	no3d


diff --git a/etc/liferea.profile b/etc/liferea.profile index 673182c10..04c649121 100644 --- a/etc/liferea.profile +++ b/etc/liferea.profile
@@ -29,6 +29,7 @@ whitelist ${HOME}/.cache/liferea
29	whitelist ${HOME}/.config/liferea	29	whitelist ${HOME}/.config/liferea
30	whitelist ${HOME}/.local/share/liferea	30	whitelist ${HOME}/.local/share/liferea
31	include /etc/firejail/whitelist-common.inc	31	include /etc/firejail/whitelist-common.inc
		32	include /etc/firejail/whitelist-var-common.inc
32		33
33	caps.drop all	34	caps.drop all
34	netfilter	35	netfilter


diff --git a/etc/lollypop.profile b/etc/lollypop.profile index 0f8f49488..efd40e899 100644 --- a/etc/lollypop.profile +++ b/etc/lollypop.profile
@@ -22,6 +22,8 @@ include /etc/firejail/disable-passwdmgr.inc
22	include /etc/firejail/disable-programs.inc	22	include /etc/firejail/disable-programs.inc
23	include /etc/firejail/disable-xdg.inc	23	include /etc/firejail/disable-xdg.inc
24		24
		25	include /etc/firejail/whitelist-var-common.inc
		26
25	caps.drop all	27	caps.drop all
26	netfilter	28	netfilter
27	no3d	29	no3d


diff --git a/etc/meld.profile b/etc/meld.profile index 00d5c6caa..1a7935800 100644 --- a/etc/meld.profile +++ b/etc/meld.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
13	include /etc/firejail/disable-passwdmgr.inc	13	include /etc/firejail/disable-passwdmgr.inc
14	include /etc/firejail/disable-programs.inc	14	include /etc/firejail/disable-programs.inc
15		15
		16	include /etc/firejail/whitelist-var-common.inc
		17
16	caps.drop all	18	caps.drop all
17	net none	19	net none
18	no3d	20	no3d


diff --git a/etc/minetest.profile b/etc/minetest.profile index 7de546791..3e06b6d30 100644 --- a/etc/minetest.profile +++ b/etc/minetest.profile
@@ -17,10 +17,12 @@ include /etc/firejail/disable-programs.inc
17	mkdir ${HOME}/.minetest	17	mkdir ${HOME}/.minetest
18	whitelist ${HOME}/.minetest	18	whitelist ${HOME}/.minetest
19	include /etc/firejail/whitelist-common.inc	19	include /etc/firejail/whitelist-common.inc
		20	include /etc/firejail/whitelist-var-common.inc
20		21
21	caps.drop all	22	caps.drop all
22	ipc-namespace	23	ipc-namespace
23	netfilter	24	netfilter
		25	nodbus
24	nodvd	26	nodvd
25	nogroups	27	nogroups
26	nonewprivs	28	nonewprivs


diff --git a/etc/mumble.profile b/etc/mumble.profile index f894acb57..c5af9aa42 100644 --- a/etc/mumble.profile +++ b/etc/mumble.profile
@@ -20,6 +20,7 @@ mkdir ${HOME}/.local/share/data/Mumble
20	whitelist ${HOME}/.config/Mumble	20	whitelist ${HOME}/.config/Mumble
21	whitelist ${HOME}/.local/share/data/Mumble	21	whitelist ${HOME}/.local/share/data/Mumble
22	include /etc/firejail/whitelist-common.inc	22	include /etc/firejail/whitelist-common.inc
		23	include /etc/firejail/whitelist-var-common.inc
23		24
24	caps.drop all	25	caps.drop all
25	netfilter	26	netfilter


diff --git a/etc/patch.profile b/etc/patch.profile index d4058d6e7..8fa6ac966 100644 --- a/etc/patch.profile +++ b/etc/patch.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-interpreters.inc
15	include /etc/firejail/disable-passwdmgr.inc	15	include /etc/firejail/disable-passwdmgr.inc
16	include /etc/firejail/disable-xdg.inc	16	include /etc/firejail/disable-xdg.inc
17		17
		18	include /etc/firejail/whitelist-var-common.inc
		19
18	caps.drop all	20	caps.drop all
19	ipc-namespace	21	ipc-namespace
20	net none	22	net none


diff --git a/etc/picard.profile b/etc/picard.profile index 2cc0b5c68..8474eeda6 100644 --- a/etc/picard.profile +++ b/etc/picard.profile
@@ -23,6 +23,8 @@ include /etc/firejail/disable-passwdmgr.inc
23	include /etc/firejail/disable-programs.inc	23	include /etc/firejail/disable-programs.inc
24	include /etc/firejail/disable-xdg.inc	24	include /etc/firejail/disable-xdg.inc
25		25
		26	include /etc/firejail/whitelist-var-common.inc
		27
26	caps.drop all	28	caps.drop all
27	no3d	29	no3d
28	nodvd	30	nodvd


diff --git a/etc/pithos.profile b/etc/pithos.profile index e5af9c973..cbe7ac9c6 100644 --- a/etc/pithos.profile +++ b/etc/pithos.profile
@@ -20,6 +20,7 @@ include /etc/firejail/disable-programs.inc
20	include /etc/firejail/disable-xdg.inc	20	include /etc/firejail/disable-xdg.inc
21		21
22	include /etc/firejail/whitelist-common.inc	22	include /etc/firejail/whitelist-common.inc
		23	include /etc/firejail/whitelist-var-common.inc
23		24
24	caps.drop all	25	caps.drop all
25	netfilter	26	netfilter


diff --git a/etc/remmina.profile b/etc/remmina.profile index 5078000bb..51c0f2d17 100644 --- a/etc/remmina.profile +++ b/etc/remmina.profile
@@ -18,6 +18,8 @@ include /etc/firejail/disable-passwdmgr.inc
18	include /etc/firejail/disable-programs.inc	18	include /etc/firejail/disable-programs.inc
19	include /etc/firejail/disable-xdg.inc	19	include /etc/firejail/disable-xdg.inc
20		20
		21	include /etc/firejail/whitelist-var-common.inc
		22
21	caps.drop all	23	caps.drop all
22	nodvd	24	nodvd
23	nogroups	25	nogroups


diff --git a/etc/sdat2img.profile b/etc/sdat2img.profile index e318dd568..a2a54f838 100644 --- a/etc/sdat2img.profile +++ b/etc/sdat2img.profile
@@ -19,6 +19,8 @@ include /etc/firejail/disable-passwdmgr.inc
19	include /etc/firejail/disable-programs.inc	19	include /etc/firejail/disable-programs.inc
20	include /etc/firejail/disable-xdg.inc	20	include /etc/firejail/disable-xdg.inc
21		21
		22	include /etc/firejail/whitelist-var-common.inc
		23
22	caps.drop all	24	caps.drop all
23	net none	25	net none
24	no3d	26	no3d


diff --git a/etc/shellcheck.profile b/etc/shellcheck.profile index f6c154183..90fc9cb8c 100644 --- a/etc/shellcheck.profile +++ b/etc/shellcheck.profile
@@ -16,6 +16,8 @@ include /etc/firejail/disable-passwdmgr.inc
16	include /etc/firejail/disable-programs.inc	16	include /etc/firejail/disable-programs.inc
17	include /etc/firejail/disable-xdg.inc	17	include /etc/firejail/disable-xdg.inc
18		18
		19	include /etc/firejail/whitelist-var-common.inc
		20
19	caps.drop all	21	caps.drop all
20	ipc-namespace	22	ipc-namespace
21	net none	23	net none


diff --git a/etc/soundconverter.profile b/etc/soundconverter.profile index ee4d90265..69efe5244 100644 --- a/etc/soundconverter.profile +++ b/etc/soundconverter.profile
@@ -21,6 +21,8 @@ include /etc/firejail/disable-passwdmgr.inc
21	include /etc/firejail/disable-programs.inc	21	include /etc/firejail/disable-programs.inc
22	include /etc/firejail/disable-xdg.inc	22	include /etc/firejail/disable-xdg.inc
23		23
		24	include /etc/firejail/whitelist-var-common.inc
		25
24	caps.drop all	26	caps.drop all
25	net none	27	net none
26	no3d	28	no3d


diff --git a/etc/spectre-meltdown-checker.profile b/etc/spectre-meltdown-checker.profile new file mode 100644 index 000000000..18d3a0575 --- /dev/null +++ b/etc/spectre-meltdown-checker.profile
@@ -0,0 +1,53 @@
		1	# Firejail profile for spectre-meltdown-checker
		2	# This file is overwritten after every install/update
		3	quiet
		4	# Persistent local customizations
		5	include /etc/firejail/spectre-meltdown-checker.local
		6	# Persistent global definitions
		7	include /etc/firejail/globals.local
		8
		9	# sudo firejail --allow-debuggers spectre-meltdown-checker
		10
		11	noblacklist ${PATH}/mount
		12	noblacklist ${PATH}/umount
		13
		14	# Allow access to perl
		15	noblacklist ${PATH}/cpan*
		16	noblacklist ${PATH}/core_perl
		17	noblacklist ${PATH}/perl
		18	noblacklist /usr/lib/perl*
		19	noblacklist /usr/share/perl*
		20
		21	include /etc/firejail/disable-common.inc
		22	include /etc/firejail/disable-devel.inc
		23	include /etc/firejail/disable-interpreters.inc
		24	include /etc/firejail/disable-passwdmgr.inc
		25	include /etc/firejail/disable-programs.inc
		26	include /etc/firejail/disable-xdg.inc
		27
		28	include /etc/firejail/whitelist-var-common.inc
		29
		30	caps.keep sys_rawio
		31	ipc-namespace
		32	net none
		33	no3d
		34	nodbus
		35	nodvd
		36	nogroups
		37	nonewprivs
		38	nosound
		39	notv
		40	novideo
		41	protocol unix
		42	seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@reboot,@resources,@swap
		43	shell none
		44
		45	disable-mnt
		46	private
		47	private-bin awk,bzip2,cat,coreos-install,cpucontrol,cut,dd,dmesg,dnf,echo,grep,gunzip,gz,gzip,head,id,kldload,kldstat,liblz4-tool,lzop,mktemp,modinfo,modprobe,mount,nm,objdump,od,perl,printf,readelf,rm,sed,seq,sh,sort,spectre-meltdown-checker,spectre-meltdown-checker.sh,stat,strings,sysctl,tail,test,toolbox,tr,uname,which,xz-utils
		48	private-cache
		49	private-tmp
		50
		51	memory-deny-write-execute
		52	noexec ${HOME}
		53	noexec /tmp


diff --git a/etc/sqlitebrowser.profile b/etc/sqlitebrowser.profile index 75e8ed5c0..0f030d559 100644 --- a/etc/sqlitebrowser.profile +++ b/etc/sqlitebrowser.profile
@@ -16,6 +16,8 @@ include /etc/firejail/disable-passwdmgr.inc
16	include /etc/firejail/disable-programs.inc	16	include /etc/firejail/disable-programs.inc
17	include /etc/firejail/disable-xdg.inc	17	include /etc/firejail/disable-xdg.inc
18		18
		19	include /etc/firejail/whitelist-var-common.inc
		20
19	caps.drop all	21	caps.drop all
20	net none	22	net none
21	no3d	23	no3d


diff --git a/etc/start-tor-browser.desktop.profile b/etc/start-tor-browser.desktop.profile new file mode 100644 index 000000000..c17815969 --- /dev/null +++ b/etc/start-tor-browser.desktop.profile
@@ -0,0 +1,66 @@
		1	# Firejail profile alias for torbrowser-launcher
		2	# This file is overwritten after every install/update
		3
		4
		5	noblacklist ${HOME}/.tor-browser-ar:
		6	mkdir ${HOME}/.tor-browser-ar:
		7	whitelist ${HOME}/.tor-browser-ar:
		8
		9	noblacklist ${HOME}/.tor-browser-en:
		10	mkdir ${HOME}/.tor-browser-en:
		11	whitelist ${HOME}/.tor-browser-en:
		12
		13	noblacklist ${HOME}/.tor-browser-en-us:
		14	mkdir ${HOME}/.tor-browser-en-us:
		15	whitelist ${HOME}/.tor-browser-en-us:
		16
		17	noblacklist ${HOME}/.tor-browser-es:
		18	mkdir ${HOME}/.tor-browser-es:
		19	whitelist ${HOME}/.tor-browser-es:
		20
		21	noblacklist ${HOME}/.tor-browser-es-es:
		22	mkdir ${HOME}/.tor-browser-es-es:
		23	whitelist ${HOME}/.tor-browser-es-es:
		24
		25	noblacklist ${HOME}/.tor-browser-fa:
		26	mkdir ${HOME}/.tor-browser-fa:
		27	whitelist ${HOME}/.tor-browser-fa:
		28
		29	noblacklist ${HOME}/.tor-browser-fr:
		30	mkdir ${HOME}/.tor-browser-fr:
		31	whitelist ${HOME}/.tor-browser-fr:
		32
		33	noblacklist ${HOME}/.tor-browser-it:
		34	mkdir ${HOME}/.tor-browser-it:
		35	whitelist ${HOME}/.tor-browser-it:
		36
		37	noblacklist ${HOME}/.tor-browser-ja:
		38	mkdir ${HOME}/.tor-browser-ja:
		39	whitelist ${HOME}/.tor-browser-ja:
		40
		41	noblacklist ${HOME}/.tor-browser-ko:
		42	mkdir ${HOME}/.tor-browser-ko:
		43	whitelist ${HOME}/.tor-browser-ko:
		44
		45	noblacklist ${HOME}/.tor-browser-pl:
		46	mkdir ${HOME}/.tor-browser-pl:
		47	whitelist ${HOME}/.tor-browser-pl:
		48
		49	noblacklist ${HOME}/.tor-browser-pt-br:
		50	mkdir ${HOME}/.tor-browser-pt-br:
		51	whitelist ${HOME}/.tor-browser-pt-br:
		52
		53	noblacklist ${HOME}/.tor-browser-ru:
		54	mkdir ${HOME}/.tor-browser-ru:
		55	whitelist ${HOME}/.tor-browser-ru:
		56
		57	noblacklist ${HOME}/.tor-browser-vi:
		58	mkdir ${HOME}/.tor-browser-vi:
		59	whitelist ${HOME}/.tor-browser-vi:
		60
		61	noblacklist ${HOME}/.tor-browser-zh-cn:
		62	mkdir ${HOME}/.tor-browser-zh-cn:
		63	whitelist ${HOME}/.tor-browser-zh-cn:
		64
		65	# Redirect
		66	include /etc/firejail/torbrowser-launcher.profile


diff --git a/etc/vlc.profile b/etc/vlc.profile index 20dafba25..594a5944b 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile
@@ -25,7 +25,7 @@ include /etc/firejail/whitelist-var-common.inc
25	caps.drop all	25	caps.drop all
26	netfilter	26	netfilter
27	#nodbus	27	#nodbus
28	#nogroups	28	nogroups
29	nonewprivs	29	nonewprivs
30	noroot	30	noroot
31	protocol unix,inet,inet6,netlink	31	protocol unix,inet,inet6,netlink


diff --git a/etc/xonotic.profile b/etc/xonotic.profile index 29b2bb382..a7e8edc0f 100644 --- a/etc/xonotic.profile +++ b/etc/xonotic.profile
@@ -21,6 +21,7 @@ include /etc/firejail/whitelist-var-common.inc
21		21
22	caps.drop all	22	caps.drop all
23	netfilter	23	netfilter
		24	nodbus
24	nodvd	25	nodvd
25	nogroups	26	nogroups
26	nonewprivs	27	nonewprivs