author | valoq <valoq@mailbox.org> | 2016-11-03 23:51:36 +0100 |
---|---|---|
committer | valoq <valoq@mailbox.org> | 2016-11-03 23:51:36 +0100 |
commit | 7165f68e3430ccce0bfa0618200310db19e69d30 (patch) | |
tree | 81433ea340831f2274b60280fc07b3d5f46a0f03 /etc | |
parent | added nosound (diff) | |
private-tmp changes
Diffstat (limited to 'etc')
-rw-r--r-- | etc/deluge.profile | 3 | ||||
-rw-r--r-- | etc/evince.profile | 4 | ||||
-rw-r--r-- | etc/fbreader.profile | 3 | ||||
-rw-r--r-- | etc/feh.profile | 2 | ||||
-rw-r--r-- | etc/filezilla.profile | 3 | ||||
-rw-r--r-- | etc/firefox.profile | 6 | ||||
-rw-r--r-- | etc/gthumb.profile | 2 | ||||
-rw-r--r-- | etc/mupdf.profile | 4 | ||||
-rw-r--r-- | etc/pix.profile | 2 | ||||
-rw-r--r-- | etc/qbittorrent.profile | 3 | ||||
-rw-r--r-- | etc/rtorrent.profile | 2 | ||||
-rw-r--r-- | etc/transmission-gtk.profile | 3 | ||||
-rw-r--r-- | etc/transmission-qt.profile | 3 | ||||
-rw-r--r-- | etc/uget-gtk.profile | 2 | ||||
-rw-r--r-- | etc/wesnoth.profile | 3 | ||||
-rw-r--r-- | etc/zathura.profile | 3 |
16 files changed, 27 insertions, 21 deletions
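--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -15,7 +15,6 @@ seccomp
 
 shell none
 private-bin deluge,sh,python,uname
-whitelist /tmp/.X11-unix
 private-dev
-nosound
+private-tmp
 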
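Review bot: The swap at old line 20 replaces `nosound` with `private-tmp`, so the profile loses the sound restriction that the parent commit ("added nosound") introduced, unless another `nosound` exists above line 15, which this hunk does not show. If the removal is unintended, keep both directives: `nosound` followed by `private-tmp`. The same replacement appears at the end of etc/fbreader.profile.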
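--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -5,6 +5,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+netfilter
+net none
 nogroups
 nonewprivs
 noroot
@@ -16,3 +18,5 @@ tracelog
 
 private-bin evince,evince-previewer,evince-thumbnailer
 private-dev
+private-etc fonts
+private-tmp
\ No newline at end of file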
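Review bot: `netfilter` is added at new line 8 directly above `net none`, and the pair does not combine usefully: `net none` leaves the sandbox in a fresh network namespace with only a loopback interface, so the default filter has no traffic to act on. Keeping only `net none` states the intent; if the viewer is meant to keep network access, drop `net none` and keep `netfilter` instead. etc/mupdf.profile and etc/zathura.profile end up with the same pair after this commit. Separately, `private-etc fonts` in the second hunk leaves /etc with little beyond the fonts directory, which probably deserves a test of theming and printing — inferred, not visible here.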
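--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -16,6 +16,5 @@ seccomp
 
 shell none
 private-bin fbreader,FBReader
-whitelist /tmp/.X11-unix
 private-dev
-nosound
+private-tmp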
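--- a/etc/feh.profile
+++ b/etc/feh.profile
@@ -16,6 +16,6 @@ seccomp
 shell none
 
 private-bin feh
-whitelist /tmp/.X11-unix
 private-dev
 private-etc feh
+private-tmp
\ No newline at end of file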
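Review bot: The new last line `private-tmp` is committed without a trailing newline (the `\ No newline at end of file` marker). Anything later appended to the profile, by a packaging script or a user edit, would be glued onto `private-tmp` and the sandbox directive would no longer read as intended. End the file with a newline; the same applies to etc/evince.profile, etc/gthumb.profile, etc/pix.profile and etc/rtorrent.profile.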
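--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -17,5 +17,4 @@ shell none
 
 private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp
 private-dev
-
-whitelist /tmp/.X11-unix
+private-tmp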
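--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -47,4 +47,8 @@ whitelist ~/.config/pipelight-silverlight5.1
 include /etc/firejail/whitelist-common.inc
 
 # experimental features
-#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+
+private-bin firefox,which,sh,dbus-launch,dbus-send,env
+private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
+private-dev
+private-tmp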
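Review bot: The `# experimental features` comment at line 49 still heads the block, but the four directives under it are now active for every Firefox launch rather than commented out. Either drop the comment or say what remains experimental, e.g. `# private-bin/private-etc lists are minimal; extend them if helpers or distro config go missing`. The new `private-etc` list no longer contains `iceweasel` or `adobe`, and `private-bin` names only `firefox` as the browser binary, so an install whose binary or config directory uses another name would likely fail to start — inferred from the lists, not tested.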
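--- a/etc/gthumb.profile
+++ b/etc/gthumb.profile
@@ -17,5 +17,5 @@ shell none
 tracelog
 
 private-bin gthumb
-whitelist /tmp/.X11-unix
 private-dev
+private-tmp
\ No newline at end of file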
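--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -12,12 +12,16 @@ nosound
 protocol unix
 seccomp
 netfilter
+net none
 shell none
 tracelog
 
+seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
+
 private-bin mupdf
 private-tmp
 private-dev
+private-etc fonts
 
 # mupdf will never write anything
 read-only ${HOME}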
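Review bot: `seccomp.keep` at new line 19 is added while the plain `seccomp` directive at line 13 stays, so the profile now requests both the default filter and a keep-list and a reader cannot tell which policy is meant to apply. Remove `seccomp` if the keep-list is the intended policy, and put a comment above the list recording how it was derived, e.g. `# syscall keep-list recorded on x86_64; extend it when mupdf or its libraries change`. The list also keeps `unshare`, `setresuid` and `setresgid`, which look broader than a document viewer needs; whether firejail itself requires them once the filter is installed is not visible here.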
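--- a/etc/pix.profile
+++ b/etc/pix.profile
@@ -18,5 +18,5 @@ shell none
 tracelog
 
 private-bin pix
-whitelist /tmp/.X11-unix
 private-dev
+private-tmp
\ No newline at end of file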
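--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -16,5 +16,4 @@ seccomp
 #shell none
 #private-bin qbittorrent
 private-dev
-
-whitelist /tmp/.X11-unix
+private-tmp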
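--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@@ -14,5 +14,5 @@ seccomp
 
 shell none
 private-bin rtorrent
-whitelist /tmp/.X11-unix
 private-dev
+private-tmp
\ No newline at end of file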
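--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -19,5 +19,4 @@ tracelog
 
 private-bin transmission-gtk
 private-dev
-
-whitelist /tmp/.X11-unix
+private-tmp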
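--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -19,5 +19,4 @@ tracelog
 
 private-bin transmission-qt
 private-dev
-
-whitelist /tmp/.X11-unix
+private-tmp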
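--- a/etc/uget-gtk.profile
+++ b/etc/uget-gtk.profile
@@ -16,8 +16,8 @@ shell none
 
 private-bin uget-gtk
 private-dev
+private-tmp
 
-whitelist /tmp/.X11-unix
 whitelist ${DOWNLOADS}
 mkdir ~/.config/uGet
 whitelist ~/.config/uGet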
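--- a/etc/wesnoth.profile
+++ b/etc/wesnoth.profile
@@ -15,8 +15,7 @@ protocol unix,inet,inet6
 seccomp
 
 private-dev
-
-whitelist /tmp/.X11-unix
+private-tmp
 
 mkdir ${HOME}/.local/share/wesnoth
 mkdir ${HOME}/.config/wesnoth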
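--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -8,6 +8,7 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+net none
 nogroups
 nonewprivs
 noroot
@@ -19,7 +20,7 @@ protocol unix
 private-bin zathura
 private-dev
 private-etc fonts
-whitelist /tmp/.X11-unix
+private-tmp
 
 read-only ~/
 read-write ~/.local/share/zathura/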