author | Reiner Herrmann <reiner@reiner-h.de> | 2021-06-21 23:10:09 +0200 |
---|---|---|
committer | Reiner Herrmann <reiner@reiner-h.de> | 2021-06-21 23:10:09 +0200 |
commit | 0f0325459e211ff31895ed7cbbbaae6c2c6ae9a2 (patch) | |
tree | 0875693a6ceef54818511972601d587a09a1aab4 /etc | |
parent | style: grammer and codestyle improvements (diff) | |
parent | creating alpine.profile (#4350) (diff) | |
Merge branch 'master' into kuesji/master
Diffstat (limited to 'etc')
56 files changed, 669 insertions, 108 deletions
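--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -35,11 +35,6 @@
 # cannot be overridden by --noblacklist or --ignore.
 # disable-mnt no
 
-# Set the limit for file copy in several --private-* options. The size is set
-# in megabytes. By default we allow up to 500MB.
-# Note: the files are copied in RAM.
-# file-copy-limit 500
-
 # Enable or disable file transfer support, default enabled.
 # file-transfer yes
 
@@ -77,18 +72,35 @@
 # Enable or disable overlayfs features, default enabled.
 # overlayfs yes
 
+# Set the limit for file copy in several --private-* options. The size is set
+# in megabytes. By default we allow up to 500MB.
+# Note: the files are copied in RAM.
+# file-copy-limit 500
+
+# Enable or disable private-bin feature, default enabled.
+# private-bin yes
+
 # Remove /usr/local directories from private-bin list, default disabled.
 # private-bin-no-local no
 
 # Enable or disable private-cache feature, default enabled
 # private-cache yes
 
+# Enable or disable private-etc feature, default enabled.
+# private-etc yes
+
 # Enable or disable private-home feature, default enabled
 # private-home yes
 
 # Enable or disable private-lib feature, default enabled
 # private-lib yes
 
+# Enable or disable private-opt feature, default enabled.
+# private-opt yes
+
+# Enable or disable private-srv feature, default enabled.
+# private-srv yes
+
 # Enable --quiet as default every time the sandbox is started. Default disabled.
 # quiet-by-default no
 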
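Review bot: The four new option descriptions (`private-bin`, `private-etc`, `private-opt`, `private-srv`, new lines 80, 89, 98 and 101) end with a period while the neighbouring `private-cache`, `private-home` and `private-lib` descriptions they are interleaved with do not; pick one form for the block. The relocated `file-copy-limit` block also leaves what otherwise looks like alphabetical ordering (it now sits between `overlayfs` and `private-bin`); if the intent is to keep it next to the `--private-*` options it governs, a one-line comment stating that grouping would stop the next alphabetising pass from moving it back. Which of these toggles the parser actually honours is decided in the C sources, which are not in this diff.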
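--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -39,6 +39,8 @@ blacklist ${HOME}/.WebStorm*
 blacklist ${HOME}/.Wolfram Research
 blacklist ${HOME}/.ZAP
 blacklist ${HOME}/.abook
+blacklist ${HOME}/.addressbook
+blacklist ${HOME}/.alpine-smime
 blacklist ${HOME}/.aMule
 blacklist ${HOME}/.android
 blacklist ${HOME}/.anydesk
@@ -589,6 +591,7 @@ blacklist ${HOME}/.kodi
 blacklist ${HOME}/.librewolf
 blacklist ${HOME}/.lincity-ng
 blacklist ${HOME}/.links
+blacklist ${HOME}/.links2
 blacklist ${HOME}/.linphone-history.db
 blacklist ${HOME}/.linphonerc
 blacklist ${HOME}/.lmmsrc.xml
@@ -809,6 +812,7 @@ blacklist ${HOME}/.netactview
 blacklist ${HOME}/.neverball
 blacklist ${HOME}/.newsbeuter
 blacklist ${HOME}/.newsboat
+blacklist ${HOME}/.newsrc
 blacklist ${HOME}/.nicotine
 blacklist ${HOME}/.node-gyp
 blacklist ${HOME}/.npm
@@ -829,6 +833,14 @@ blacklist ${HOME}/.paradoxinteractive
 blacklist ${HOME}/.parallelrealities/blobwars
 blacklist ${HOME}/.pcsxr
 blacklist ${HOME}/.penguin-command
+blacklist ${HOME}/.pine-crash
+blacklist ${HOME}/.pine-debug1
+blacklist ${HOME}/.pine-debug2
+blacklist ${HOME}/.pine-debug3
+blacklist ${HOME}/.pine-debug4
+blacklist ${HOME}/.pine-interrupted-mail
+blacklist ${HOME}/.pinerc
+blacklist ${HOME}/.pinercex
 blacklist ${HOME}/.pingus
 blacklist ${HOME}/.pioneer
 blacklist ${HOME}/.purple
@@ -866,6 +878,7 @@ blacklist ${HOME}/.teeworlds
 blacklist ${HOME}/.texlive20*
 blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.tilp
+blacklist ${HOME}/.tin
 blacklist ${HOME}/.tooling
 blacklist ${HOME}/.tor-browser*
 blacklist ${HOME}/.torcs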
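Review bot: `.pine-debug1` through `.pine-debug4` are enumerated one per line (new lines 837–840) although this file already uses globs for families of this kind (`.WebStorm*`, `.texlive20*` in the context lines); `blacklist ${HOME}/.pine-debug*` would cover those four and any higher debug number, provided the matching `noblacklist` lines in alpine.profile accept the same pattern, which I cannot confirm from this diff. Separately, `.newsrc` (new line 815) is the subscription file shared by many newsreaders, not only alpine, so any newsreader profile without a `noblacklist ${HOME}/.newsrc` now silently loses it; a grep across the profiles before merging would catch that.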
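--- a/etc/profile-a-l/0ad.profile
+++ b/etc/profile-a-l/0ad.profile
@@ -10,6 +10,8 @@ noblacklist ${HOME}/.cache/0ad
 noblacklist ${HOME}/.config/0ad
 noblacklist ${HOME}/.local/share/0ad
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc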
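Review bot: `blacklist /usr/libexec` is added as a bare line with nothing recording why, and the identical line is added in the celluloid, chromium-browser-privacy, eo-common, etr, evince, firefox, gapplication, gnome-maps, gnome-passwordsafe, keepassxc and libreoffice hunks of this merge. Distributions differ in what they put under /usr/libexec (helper processes an application may itself spawn), so a profile that breaks on one distribution will be hard to triage without the rationale. Suggest a comment such as `# Hide helper binaries under /usr/libexec; if the app needs one, add 'ignore blacklist /usr/libexec' to 0ad.local`, using the `ignore` form the kodi hunk relies on for `noexec ${HOME}` — presumably that form also applies to `blacklist`, worth confirming. In gapplication the line is appended directly under the wayland blacklist rather than in its own paragraph as everywhere else; one layout would be easier to grep for.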
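--- /dev/null
+++ b/etc/profile-a-l/alpine.profile
@@ -0,0 +1,104 @@
+# Firejail profile for alpine
+# Description: Text-based email and newsgroups reader
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include alpine.local
+# Persistent global definitions
+include globals.local
+
+# Workaround for bug https://github.com/netblue30/firejail/issues/2747
+# firejail --private-bin=sh --include='${CFG}/allow-bin-sh.inc' --profile=alpine sh -c '(alpine)'
+
+noblacklist /var/mail
+noblacklist /var/spool/mail
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/.addressbook
+noblacklist ${HOME}/.alpine-smime
+noblacklist ${HOME}/.mailcap
+noblacklist ${HOME}/.mh_profile
+noblacklist ${HOME}/.mime.types
+noblacklist ${HOME}/.newsrc
+noblacklist ${HOME}/.pine-crash
+noblacklist ${HOME}/.pine-debug1
+noblacklist ${HOME}/.pine-debug2
+noblacklist ${HOME}/.pine-debug3
+noblacklist ${HOME}/.pine-debug4
+noblacklist ${HOME}/.pine-interrupted-mail
+noblacklist ${HOME}/.pinerc
+noblacklist ${HOME}/.pinercex
+noblacklist ${HOME}/.signature
+noblacklist ${HOME}/mail
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+#whitelist ${DOCUMENTS}
+#whitelist ${DOWNLOADS}
+#whitelist ${HOME}/.addressbook
+#whitelist ${HOME}/.alpine-smime
+#whitelist ${HOME}/.mailcap
+#whitelist ${HOME}/.mh_profile
+#whitelist ${HOME}/.mime.types
+#whitelist ${HOME}/.newsrc
+#whitelist ${HOME}/.pine-crash
+#whitelist ${HOME}/.pine-interrupted-mail
+#whitelist ${HOME}/.pinerc
+#whitelist ${HOME}/.pinercex
+#whitelist ${HOME}/.pine-debug1
+#whitelist ${HOME}/.pine-debug2
+#whitelist ${HOME}/.pine-debug3
+#whitelist ${HOME}/.pine-debug4
+#whitelist ${HOME}/.signature
+#whitelist ${HOME}/mail
+whitelist /var/mail
+whitelist /var/spool/mail
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin alpine
+private-cache
+private-dev
+private-etc alternatives,c-client.cf,ca-certificates,crypto-policies,host.conf,hostname,hosts,krb5.keytab,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mailcap,mime.types,nsswitch.conf,passwd,pine.conf,pinerc.fixed,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg
+private-tmp
+writable-run-user
+writable-var
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}/.signature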
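Review bot: The `private-etc` list on line 95 includes `krb5.keytab`, the host's Kerberos service-key file, which is normally mode 0600 root and therefore unreadable to the sandboxed user anyway; a Kerberos client doing GSSAPI logins to IMAP or SMTP needs `krb5.conf`, which is absent from the list. Unless alpine is known to read the keytab, replacing `krb5.keytab` with `krb5.conf` in that line both narrows the copied /etc and makes Kerberos actually work. Also worth confirming: with `nonewprivs`, `noroot` and `nogroups` in force, a setgid-mail lock helper cannot acquire the `mail` group, so dotlocking of `/var/mail/$USER` may fail on spools whose directory is only group-writable; the `# Workaround` note on lines 10–11 suggests the profile was run, but locking failures are easy to miss. Minor style: the commented `#whitelist` block orders `.pinerc`/`.pinercex` before `.pine-debug1`–`4` (lines 55–60) while the `noblacklist` block above orders them the other way.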
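--- /dev/null
+++ b/etc/profile-a-l/alpinef.profile
@@ -0,0 +1,14 @@
+# Firejail profile for alpinef
+# Description: Text-based email and newsgroups reader using function keys
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include alpinef.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin alpinef
+
+# Redirect
+include alpine.profile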
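--- a/etc/profile-a-l/apostrophe.profile
+++ b/etc/profile-a-l/apostrophe.profile
@@ -31,6 +31,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+whitelist /usr/libexec/webkit2gtk-4.0
 whitelist /usr/share/apostrophe
 whitelist /usr/share/texlive
 whitelist /usr/share/texmf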
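Review bot: `whitelist /usr/libexec/webkit2gtk-4.0` pins the WebKitGTK API-series directory name; the same line is added in the bijiben and gfeeds hunks. Once a distribution ships the application against a newer series (a `webkit2gtk-4.1` directory, for instance) the WebKit helper processes under that path are no longer reachable and the app fails inside the sandbox with no profile-level hint. If whitelist globbing is available as it is for blacklist (`.texlive20*` appears elsewhere in this merge), `whitelist /usr/libexec/webkit2gtk-*` would track the rename; otherwise a comment noting the version dependency would at least make the eventual breakage easy to diagnose.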
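--- a/etc/profile-a-l/bijiben.profile
+++ b/etc/profile-a-l/bijiben.profile
@@ -20,6 +20,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.local/share/bijiben
 whitelist ${HOME}/.local/share/bijiben
 whitelist ${HOME}/.cache/tracker
+whitelist /usr/libexec/webkit2gtk-4.0
 whitelist /usr/share/bijiben
 whitelist /usr/share/tracker
 whitelist /usr/share/tracker3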
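--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -17,6 +17,8 @@ include allow-lua.inc
 include allow-python2.inc
 include allow-python3.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc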
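--- a/etc/profile-a-l/chromium-browser-privacy.profile
+++ b/etc/profile-a-l/chromium-browser-privacy.profile
@@ -6,6 +6,8 @@ include chromium-browser-privacy.local
 noblacklist ${HOME}/.cache/ungoogled-chromium
 noblacklist ${HOME}/.config/ungoogled-chromium
 
+blacklist /usr/libexec
+
 mkdir ${HOME}/.cache/ungoogled-chromium
 mkdir ${HOME}/.config/ungoogled-chromium
 whitelist ${HOME}/.cache/ungoogled-chromium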
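--- /dev/null
+++ b/etc/profile-a-l/ddgr.profile
@@ -0,0 +1,13 @@
+# Firejail profile for ddgr
+# Description: Search DuckDuckGo from your terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ddgr.local
+# Persistent global definitions
+include globals.local
+
+private-bin ddgr
+
+# Redirect
+include googler-common.profile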
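--- a/etc/profile-a-l/elinks.profile
+++ b/etc/profile-a-l/elinks.profile
@@ -1,6 +1,7 @@
 # Firejail profile for elinks
 # Description: Advanced text-mode WWW browser
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include elinks.local
 # Persistent global definitions
@@ -8,37 +9,10 @@ include globals.local
 
 noblacklist ${HOME}/.elinks
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+mkdir ${HOME}/.elinks
+whitelist ${HOME}/.elinks
 
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
+private-bin elinks
 
-include whitelist-runuser-common.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-# private-bin elinks
-private-cache
-private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
-private-tmp
+# Redirect
+include links-common.profile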
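Review bot: `private-bin elinks` is switched on at new line 15 where the old profile deliberately kept it commented out (`# private-bin elinks`, removed line 40), and neither version says why. If it had been disabled because some distribution installs elinks as a wrapper script, the redirect to links-common.profile — which adds `private-bin sh` — may be what makes it viable now, and a one-line comment to that effect would save the next person from re-disabling it. The delegated `private-etc` in links-common (its section is cut off further down, so hedged) lists `nsswitch.conf` and `resolv.conf` but not `hosts`, `host.conf` or `protocols`, which the alpine and googler-common profiles in this same merge do include; with the rest of /etc hidden, /etc/hosts entries would not resolve inside elinks, which is easy to mistake for a network failure.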
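--- a/etc/profile-a-l/eo-common.profile
+++ b/etc/profile-a-l/eo-common.profile
@@ -11,6 +11,8 @@ noblacklist ${HOME}/.local/share/Trash
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.steam
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc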
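--- a/etc/profile-a-l/etr.profile
+++ b/etc/profile-a-l/etr.profile
@@ -8,6 +8,8 @@ include globals.local
 
 noblacklist ${HOME}/.etr
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc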
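--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -13,6 +13,8 @@ include globals.local
 noblacklist ${HOME}/.config/evince
 noblacklist ${DOCUMENTS}
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc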
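--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -13,6 +13,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+whitelist /usr/libexec/file-roller
 whitelist /usr/share/file-roller
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc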
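--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -17,6 +17,8 @@ include globals.local
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
 
+blacklist /usr/libexec
+
 mkdir ${HOME}/.cache/mozilla/firefox
 mkdir ${HOME}/.mozilla
 whitelist ${HOME}/.cache/mozilla/firefox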
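--- a/etc/profile-a-l/frogatto.profile
+++ b/etc/profile-a-l/frogatto.profile
@@ -18,6 +18,7 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.frogatto
 whitelist ${HOME}/.frogatto
+whitelist /usr/libexec/frogatto
 whitelist /usr/share/frogatto
 include whitelist-common.inc
 include whitelist-runuser-common.inc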
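--- a/etc/profile-a-l/gapplication.profile
+++ b/etc/profile-a-l/gapplication.profile
@@ -7,6 +7,7 @@ include gapplication.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist /usr/libexec
 
 include disable-common.inc
 include disable-devel.inc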
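--- a/etc/profile-a-l/gfeeds.profile
+++ b/etc/profile-a-l/gfeeds.profile
@@ -31,6 +31,7 @@ whitelist ${HOME}/.cache/gfeeds
 whitelist ${HOME}/.cache/org.gabmus.gfeeds
 whitelist ${HOME}/.config/org.gabmus.gfeeds.json
 whitelist ${HOME}/.config/org.gabmus.gfeeds.saved_articles
+whitelist /usr/libexec/webkit2gtk-4.0
 whitelist /usr/share/gfeeds
 include whitelist-common.inc
 include whitelist-runuser-common.inc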
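--- a/etc/profile-a-l/gnome-maps.profile
+++ b/etc/profile-a-l/gnome-maps.profile
@@ -18,6 +18,8 @@ noblacklist ${HOME}/.local/share/maps-places.json
 # Allow gjs (blacklisted by disable-interpreters.inc)
 include allow-gjs.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc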
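--- a/etc/profile-a-l/gnome-passwordsafe.profile
+++ b/etc/profile-a-l/gnome-passwordsafe.profile
@@ -13,6 +13,8 @@ noblacklist ${HOME}/*.kdbx
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc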
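--- /dev/null
+++ b/etc/profile-a-l/googler-common.profile
@@ -0,0 +1,62 @@
+# Firejail profile for googler clones
+# Description: common profile for googler clones
+# This file is overwritten after every install/update
+# Persistent local customizations
+include googler-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+noblacklist ${HOME}/.w3m
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist ${HOME}/.w3m
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin env,python3*,sh,w3m
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-tmp
+
+dbus-user none
+dbus-system none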
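Review bot: `whitelist ${HOME}/.w3m` on line 29 is not preceded by `mkdir ${HOME}/.w3m`, whereas the bijiben, frogatto and elinks hunks in this merge create the directory before whitelisting it; on a first run where `~/.w3m` does not yet exist there is nothing to bind, so w3m's configuration and cookies written inside the sandbox vanish with the tmpfs home. Suggest `mkdir ${HOME}/.w3m` directly above the whitelist line. The `blacklist ${RUNUSER}` on line 11 hides the whole runtime directory, which is stricter than the `${RUNUSER}/wayland-*` pattern alpine and links-common use here; that is a sound choice for a terminal tool with no D-Bus, but a short comment would keep a later "consistency" edit from quietly widening it. Style: the `blacklist` paragraph precedes the `noblacklist` one, the reverse of the ordering used by alpine.profile and the other profiles in this diff.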
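--- /dev/null
+++ b/etc/profile-a-l/googler.profile
@@ -0,0 +1,13 @@
+# Firejail profile for googler
+# Description: Search Google from your terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include googler.local
+# Persistent global definitions
+include globals.local
+
+private-bin googler
+
+# Redirect
+include googler-common.profile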
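--- a/etc/profile-a-l/gunzip.profile
+++ b/etc/profile-a-l/gunzip.profile
@@ -7,5 +7,7 @@ include gunzip.local
 # added by included profile
 #include globals.local
 
+include allow-bin-sh.inc
+
 # Redirect
 include gzip.profile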
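Review bot: `include allow-bin-sh.inc` is added without the explanatory comment the hexchat hunk in this same merge uses for the identical include (`# Allow /bin/sh (blacklisted by disable-shell.inc)`); gunzip from GNU gzip is itself a shell script wrapping `gzip -d`, which is presumably the reason, and stating it keeps the exception reviewable. Suggest the same comment line directly above the include. If gzip.profile uses `private-bin`, then `sh` also has to be appended to that list — as hexchat's second hunk does with `private-bin hexchat,python*,sh` — or the wrapper still cannot find an interpreter; gzip.profile is not in this view, so that needs checking.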
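--- a/etc/profile-a-l/hexchat.profile
+++ b/etc/profile-a-l/hexchat.profile
@@ -8,6 +8,9 @@ include globals.local
 
 noblacklist ${HOME}/.config/hexchat
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
 
@@ -48,7 +51,7 @@ tracelog
 
 disable-mnt
 # debug note: private-bin requires perl, python, etc on some systems
-private-bin hexchat,python*
+private-bin hexchat,python*,sh
 private-dev
 #private-lib - python problems
 private-tmp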
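Review bot: Re-allowing /bin/sh (new lines 11–12) and adding `sh` to `private-bin` (new line 54) widens what a compromised hexchat process, or any plugin script it loads, can execute; `disable-shell.inc` exists to close exactly that path, and the hunk records no reason for reopening it. A comment naming the feature that needs a shell — the `/exec` command, presumably — would let a later reviewer judge whether the allowance is still warranted: `# Allow /bin/sh (blacklisted by disable-shell.inc) - needed by <feature>`. The `# debug note` context line above the `private-bin` change already hints that the list is fragile across distributions, so the reason for `sh` should not be left implicit.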
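--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -22,6 +22,8 @@ noblacklist ${HOME}/.config/vivaldi
 noblacklist ${HOME}/.local/share/torbrowser
 noblacklist ${HOME}/.mozilla
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc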
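--- a/etc/profile-a-l/kodi.profile
+++ b/etc/profile-a-l/kodi.profile
@@ -8,6 +8,10 @@ include globals.local
 
 # noexec ${HOME} breaks plugins
 ignore noexec ${HOME}
+# Add the following to your kodi.local if you use a CEC Adapter.
+#ignore nogroups
+#ignore noroot
+#ignore private-dev
 
 noblacklist ${HOME}/.kodi
 noblacklist ${MUSIC}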
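Review bot: The new comment block (lines 11–14) tells CEC users to add `ignore nogroups`, `ignore noroot` and `ignore private-dev` to kodi.local, which relaxes three separate controls at once without saying what each one buys, so users will copy all three even when one suffices. A short reason per line would let them apply only what their setup needs, for example `#ignore private-dev  (the adapter's device node is hidden by private-dev)` and `#ignore nogroups  (device access needs the user's supplementary group)`; since these are already comment lines the trailing text is harmless. `ignore noroot` in particular deserves a stated justification, as it gives up the user-namespace isolation for the whole sandbox and it is not obvious from the hunk why a CEC adapter would need it.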
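--- a/etc/profile-a-l/libreoffice.profile
+++ b/etc/profile-a-l/libreoffice.profile
@@ -14,6 +14,8 @@ noblacklist ${HOME}/.config/libreoffice
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc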
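--- /dev/null
+++ b/etc/profile-a-l/links-common.profile
@@ -0,0 +1,63 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include links-common.local
+
+# common profile for links browsers
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# Additional noblacklist files/directories (blacklisted in disable-programs.inc)
+# used as associated programs can be added in your links-common.local.
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+# Add 'ignore machine-id' to your links-common.local if you want to restrict access to
+# the user-configured associated media player.
+machine-id
+netfilter
+# Add 'ignore no3d' to your links-common.local if you want to restrict access to
+# the user-configured associated media player.
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+# Add 'ignore nosound' to your links-common.local if you want to restrict access to
+# the user-configured associated media player.
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+# Add 'private-bin PROGRAM1,PROGRAM2' to your links-common.local if you want to use user-configured programs.
+private-bin sh
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+# Add the next line to your links-common.local to allow external media players.
+# private-etc alsa,asound.conf,machine-id,openal,pulse
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute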
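Review bot: The three hints at lines 27-28, 31-32 and 39-40 of the new file read backwards: `ignore machine-id`, `ignore no3d` and `ignore nosound` each cancel a restriction, so they are what a user adds to let the associated media player work, not to "restrict access to" it. The wording is carried over from the old links.profile (removed in the next section), but this file is now shared by links, links2 and xlinks2, so it is the place to fix it, e.g. `# Add 'ignore nosound' to your links-common.local if the user-configured associated media player needs sound (this loosens the sandbox).` and the same pattern for the other two. Separately, `private-bin sh` at line 52 only makes sense together with the including profile's own `private-bin` line (links.profile adds `private-bin links`); a short comment saying so would stop this file from being used on its own.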
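--- a/etc/profile-a-l/links.profile
+++ b/etc/profile-a-l/links.profile
@@ -9,58 +9,10 @@ include globals.local
 
 noblacklist ${HOME}/.links
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-# Additional noblacklist files/directories (blacklisted in disable-programs.inc)
-# used as associated programs can be added in your links.local.
-include disable-programs.inc
-include disable-xdg.inc
-
 mkdir ${HOME}/.links
 whitelist ${HOME}/.links
-whitelist ${DOWNLOADS}
-include whitelist-runuser-common.inc
-include whitelist-var-common.inc
-
-caps.drop all
-ipc-namespace
-# Add 'ignore machine-id' to your links.local if you want to restrict access to
-# the user-configured associated media player.
-machine-id
-netfilter
-# Add 'ignore no3d' to your links.local if you want to restrict access to
-# the user-configured associated media player.
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-# Add 'ignore nosound' to your links.local if you want to restrict access to
-# the user-configured associated media player.
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
 
-disable-mnt
-# Add 'private-bin PROGRAM1,PROGRAM2' to your links.local if you want to use user-configured programs.
-private-bin links,sh
-private-cache
-private-dev
-private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
-# Add the next line to your links.local to allow external media players.
-# private-etc alsa,asound.conf,machine-id,openal,pulse
-private-tmp
+private-bin links
 
-memory-deny-write-execute
+# Redirect
+include links-common.profile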
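--- /dev/null
+++ b/etc/profile-a-l/links2.profile
@@ -0,0 +1,18 @@
+# Firejail profile for links2
+# Description: Text WWW browser with a graphic version
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include links2.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.links2
+
+mkdir ${HOME}/.links2
+whitelist ${HOME}/.links2
+
+private-bin links2
+
+# Redirect
+include links-common.profile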
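--- a/etc/profile-m-z/marker.profile
+++ b/etc/profile-m-z/marker.profile
@@ -25,6 +25,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+whitelist /usr/libexec/webkit2gtk-4.0
 whitelist /usr/share/com.github.fabiocolacio.marker
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc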
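Review bot: `whitelist /usr/libexec/webkit2gtk-4.0` at new line 28 pins the WebKitGTK ABI directory by name, and the same line is added to yelp.profile further down; on a distribution that ships the helper processes under a differently versioned directory the entry matches nothing and the WebKit helpers are simply absent inside the sandbox. A comment above it such as `# WebKitGTK helper processes; adjust the ABI directory in marker.local if your distribution ships another version` would make the dependency visible to whoever hits that failure.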
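--- /dev/null
+++ b/etc/profile-m-z/mcomix.profile
@@ -0,0 +1,74 @@
+# Firejail profile for mcomix
+# Description: A comic book and manga viewer in python
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mcomix.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mcomix
+noblacklist ${HOME}/.local/share/mcomix
+noblacklist ${DOCUMENTS}
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+# mcomix <= 1.2 uses python2
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/mcomix
+mkdir ${HOME}/.local/share/mcomix
+whitelist /usr/share/mcomix
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+include whitelist-runuser-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+# mcomix <= 1.2 uses python2
+private-bin 7z,lha,mcomix,mutool,python*,rar,sh,unrar,unzip
+private-cache
+private-dev
+# mcomix <= 1.2 uses gtk-2.0
+private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,pango,passwd,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}
+read-write ${HOME}/.config/mcomix
+read-write ${HOME}/.local/share/mcomix
+#to allow ${HOME}/.local/share/recently-used.xbel
+read-write ${HOME}/.local/share
+# used by mcomix <= 1.2, tip, make a symbolic link to .cache/thumbnails
+read-write ${HOME}/.thumbnails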
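Review bot: `read-write ${HOME}/.local/share` at line 72 reopens the whole directory for writing although the comment above it says only `recently-used.xbel` is wanted, and it makes the narrower `read-write ${HOME}/.local/share/mcomix` two lines earlier redundant; qcomicbook.profile further down repeats the same pair. If `read-write` on a single file works on the targeted firejail version, `mkfile ${HOME}/.local/share/recently-used.xbel` followed by `read-write ${HOME}/.local/share/recently-used.xbel` (tin.profile on this page already uses `mkfile` to pre-create a file) would keep the rest of `.local/share` read-only; otherwise the comment should state that everything under `.local/share` not blacklisted by disable-programs.inc is writable from the sandbox. Minor: the whitelist-*.inc includes at lines 34-36 are not in the alphabetical order the other profiles on this page use.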
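--- a/etc/profile-m-z/megaglest.profile
+++ b/etc/profile-m-z/megaglest.profile
@@ -20,6 +20,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.megaglest
 whitelist ${HOME}/.megaglest
 whitelist /usr/share/megaglest
+whitelist /usr/share/games/megaglest # Debian version
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc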
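Review bot: The added `whitelist /usr/share/games/megaglest # Debian version` puts a trailing comment on the directive line, as do the supertux2 and supertuxkart additions further down, while the equivalent scorched3d and seahorse-adventures lines are added without one. If the profile parser strips trailing `# ...` text this is only an inconsistency; if it does not, the comment becomes part of the whitelisted path and the entry matches nothing, so please confirm which it is. Either way one form should be used across the five profiles, e.g. the comment on its own line above the directive: `# Debian installs the game data under /usr/share/games`.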
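--- a/etc/profile-m-z/meld.profile
+++ b/etc/profile-m-z/meld.profile
@@ -29,6 +29,8 @@ include allow-python3.inc
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
 
+blacklist /usr/libexec
+
 # Add the next line to your meld.local if you don't need to compare files in disable-common.inc.
 #include disable-common.inc
 include disable-devel.inc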
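--- a/etc/profile-m-z/minecraft-launcher.profile
+++ b/etc/profile-m-z/minecraft-launcher.profile
@@ -31,7 +31,6 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
-apparmor
 caps.drop all
 netfilter
 nodvd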
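Review bot: `apparmor` is dropped from the hardening list (old line 34) with nothing in the hunk recording why, so the next person tidying this profile is likely to re-add it and reintroduce whatever breakage motivated the removal. Other profiles on this page keep a commented-out directive together with the reason (tin.profile does this for `#include whitelist-common.inc`), so suggest `# apparmor - <reason it breaks the launcher>` followed by `#apparmor` in place of the deletion, with the placeholder filled in. The rest of the hardening block continues outside the hunk.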
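--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -35,6 +35,8 @@ include allow-lua.inc
 include allow-python2.inc
 include allow-python3.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc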
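--- a/etc/profile-m-z/mrrescue.profile
+++ b/etc/profile-m-z/mrrescue.profile
@@ -14,6 +14,8 @@ include allow-bin-sh.inc
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc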
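--- a/etc/profile-m-z/pingus.profile
+++ b/etc/profile-m-z/pingus.profile
@@ -11,6 +11,8 @@ noblacklist ${HOME}/.pingus
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc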
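--- /dev/null
+++ b/etc/profile-m-z/qcomicbook.profile
@@ -0,0 +1,68 @@
+# Firejail profile for qcomicbook
+# Description: A comic book and manga viewer in QT
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qcomicbook.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/PawelStolowski
+noblacklist ${HOME}/.config/PawelStolowski
+noblacklist ${HOME}/.local/share/PawelStolowski
+noblacklist ${DOCUMENTS}
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/PawelStolowski
+mkdir ${HOME}/.config/PawelStolowski
+mkdir ${HOME}/.local/share/PawelStolowski
+whitelist /usr/share/qcomicbook
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-bin 7z,7zr,qcomicbook,rar,sh,tar,unace,unrar,unzip
+private-cache
+private-dev
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,pango,passwd,Trolltech.conf,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}
+read-write ${HOME}/.cache/PawelStolowski
+read-write ${HOME}/.config/PawelStolowski
+read-write ${HOME}/.local/share/PawelStolowski
+#to allow ${HOME}/.local/share/recently-used.xbel
+read-write ${HOME}/.local/share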
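--- /dev/null
+++ b/etc/profile-m-z/rtin.profile
@@ -0,0 +1,8 @@
+# Firejail profile for rtin
+# Description: ncurses-based Usenet newsreader
+# symlink to tin, same as `tin -r`
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rtin.local
+
+include tin.profile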
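Review bot: The new rtin.profile includes `rtin.local` but says nothing about `globals.local`, which the xlinks2 and telegram-desktop profiles on this page handle with the three header lines `# Persistent global definitions` / `# added by included profile` / `#include globals.local` before their redirect. Adding the same three lines after `include rtin.local` keeps the header layout consistent and tells a reader that globals.local arrives through tin.profile (line 7 of that file).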
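--- a/etc/profile-m-z/scorched3d.profile
+++ b/etc/profile-m-z/scorched3d.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.scorched3d
 whitelist ${HOME}/.scorched3d
 whitelist /usr/share/scorched3d
+whitelist /usr/share/games/scorched3d
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc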
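--- a/etc/profile-m-z/seahorse-adventures.profile
+++ b/etc/profile-m-z/seahorse-adventures.profile
@@ -6,6 +6,9 @@ include seahorse-adventures.local
 # Persistent global definitions
 include globals.local
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
@@ -20,6 +23,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /usr/share/seahorse-adventures
+whitelist /usr/share/games/seahorse-adventures
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -42,7 +46,7 @@ tracelog
 
 disable-mnt
 private
-private-bin python*,seahorse-adventures
+private-bin bash,dash,python*,seahorse-adventures,sh
 private-cache
 private-dev
 private-etc machine-id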
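Review bot: The third hunk widens `private-bin` to `bash,dash,python*,seahorse-adventures,sh`, which places two full shells in a sandbox that otherwise includes disable-shell.inc (per the second hunk's header) and only re-allows `/bin/sh` through the new allow-bin-sh.inc include in the first hunk. If `bash` and `dash` are listed only because `/bin/sh` resolves to one of them on the supported distributions, a comment saying so would keep a later cleanup from dropping them, e.g. `# bash/dash: /bin/sh is a symlink to one of them depending on the distribution`. If a plain `sh` entry is sufficient on the targeted firejail versions, the two extra names could be removed instead.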
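--- a/etc/profile-m-z/slack.profile
+++ b/etc/profile-m-z/slack.profile
@@ -18,12 +18,14 @@ ignore dbus-system none
 
 noblacklist ${HOME}/.config/Slack
 
+include allow-bin-sh.inc
+
 include disable-shell.inc
 
 mkdir ${HOME}/.config/Slack
 whitelist ${HOME}/.config/Slack
 
-private-bin locale,slack
+private-bin electron,electron[0-9],electron[0-9][0-9],locale,sh,slack
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
 
 # Redirect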
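Review bot: `include allow-bin-sh.inc` at new line 21 lacks the `# Allow /bin/sh (blacklisted by disable-shell.inc)` comment that precedes the same include in seahorse-adventures, w3m, mcomix and qcomicbook on this page, so the reason for loosening the shell restriction is not recorded here. Adding that one line above the include keeps the profiles uniform and also explains why `sh` now appears in the `private-bin` list at line 28.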
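--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -20,6 +20,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.local/share/supertux2
 whitelist ${HOME}/.local/share/supertux2
 whitelist /usr/share/supertux2
+whitelist /usr/share/games/supertux2 # Debian version
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc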
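--- a/etc/profile-m-z/supertuxkart.profile
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -10,6 +10,8 @@ noblacklist ${HOME}/.config/supertuxkart
 noblacklist ${HOME}/.cache/supertuxkart
 noblacklist ${HOME}/.local/share/supertuxkart
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -26,6 +28,7 @@ whitelist ${HOME}/.config/supertuxkart
 whitelist ${HOME}/.cache/supertuxkart
 whitelist ${HOME}/.local/share/supertuxkart
 whitelist /usr/share/supertuxkart
+whitelist /usr/share/games/supertuxkart # Debian version
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc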
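--- a/etc/profile-m-z/telegram-desktop.profile
+++ b/etc/profile-m-z/telegram-desktop.profile
@@ -2,7 +2,7 @@
 # Description: Official Telegram Desktop client
 # This file is overwritten after every install/update
 # Persistent local customizations
-include tekegram-desktop.local
+include telegram-desktop.local
 # Persistent global definitions
 # added by included profile
 #include globals.local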
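--- /dev/null
+++ b/etc/profile-m-z/tin.profile
@@ -0,0 +1,69 @@
+# Firejail profile for tin
+# Description: ncurses-based Usenet newsreader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tin.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.newsrc
+noblacklist ${HOME}/.tin
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.tin
+mkfile ${HOME}/.newsrc
+# Note: files/directories directly in ${HOME} can't be whitelisted, as
+# tin saves .newsrc by renaming a temporary file, which is not possible for
+# bind-mounted files.
+#whitelist ${HOME}/.newsrc
+#whitelist ${HOME}/.tin
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin rtin,tin
+private-cache
+private-dev
+private-etc passwd,resolv.conf,terminfo,tin
+private-lib terminfo
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute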
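Review bot: `blacklist ${RUNUSER}` at line 13 and `include whitelist-runuser-common.inc` at line 33 pull in opposite directions: the first hides the whole per-user runtime directory, the second whitelists entries inside it, so one of the two is presumably a no-op depending on which the sandbox applies last. Given the rest of the profile is text-only (`blacklist /tmp/.X11-unix`, `no3d`, `nosound`, `dbus-user none`), keeping the blacklist and dropping the whitelist include looks like the intended state, with a comment such as `# CLI only: hide ${RUNUSER} entirely` on the blacklist line; please confirm. The note at lines 27-29 explains why `${HOME}` is not whitelisted; it would help to add the consequence, that everything in `${HOME}` not covered by disable-common.inc/disable-programs.inc stays readable to tin, so users should not assume the whitelisted-home protection the other new profiles provide.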
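--- a/etc/profile-m-z/tuxguitar.profile
+++ b/etc/profile-m-z/tuxguitar.profile
@@ -6,6 +6,9 @@ include tuxguitar.local
 # Persistent global definitions
 include globals.local
 
+# tuxguitar fails to launch
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.tuxguitar*
 noblacklist ${DOCUMENTS}
 noblacklist ${MUSIC}
@@ -41,6 +44,3 @@ tracelog
 
 private-dev
 private-tmp
-
-# noexec ${HOME} - tuxguitar may fail to launch
-noexec /tmp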
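Review bot: The new comment `# tuxguitar fails to launch` above `ignore noexec ${HOME}` does not say what the failure is tied to, and the ignore makes the home directory executable again, which is exactly the protection noexec provides; `# tuxguitar fails to launch with noexec ${HOME}`, the wording the removed comment at old line 45 carried, keeps the reason next to the relaxation. The second hunk also drops the explicit `noexec /tmp`; that is fine only if the include that sets it by default is present in the part of the profile outside these hunks, which I cannot see here.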
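--- a/etc/profile-m-z/w3m.profile
+++ b/etc/profile-m-z/w3m.profile
@@ -17,18 +17,32 @@ noblacklist ${HOME}/.w3m
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+# Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.w3m
+whitelist /usr/share/w3m
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.w3m
 include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
+ipc-namespace
+machine-id
 netfilter
 no3d
 nodvd
@@ -45,8 +59,14 @@ seccomp
 shell none
 tracelog
 
-# private-bin w3m
+disable-mnt
+private-bin perl,sh,w3m
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,mailcap,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute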
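Review bot: The first hunk moves w3m to a whitelisted home (`whitelist ${HOME}/.w3m`, `whitelist ${DOWNLOADS}`) but does not add `include whitelist-common.inc`, unlike the other home-whitelisting profiles on this page (megaglest, scorched3d, supertux2); if that is deliberate for a terminal program, a `#include whitelist-common.inc` line with a short reason, as tin.profile does, would record the decision. In the second hunk `mailcap` is added to `private-etc` while `private-bin` is narrowed to `perl,sh,w3m`, so any external viewer named in mailcap is absent from the sandbox unless the user extends the list; a hint like the one in links-common.profile, `# Add 'private-bin PROGRAM1,PROGRAM2' to your w3m.local if you want to use user-configured programs.`, would tell them how.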
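--- a/etc/profile-m-z/weechat.profile
+++ b/etc/profile-m-z/weechat.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.weechat
 include disable-common.inc
 include disable-programs.inc
 
+whitelist /usr/share/weechat
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 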
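--- a/etc/profile-m-z/xlinks.profile
+++ b/etc/profile-m-z/xlinks.profile
@@ -8,7 +8,6 @@ include xlinks.local
 #include globals.local
 
 noblacklist /tmp/.X11-unix
-noblacklist ${HOME}/.links
 
 include whitelist-common.inc
 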
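--- /dev/null
+++ b/etc/profile-m-z/xlinks2
@@ -0,0 +1,20 @@
+# Firejail profile for xlinks2
+# Description: Text WWW browser (X11)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xlinks2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist /tmp/.X11-unix
+
+include whitelist-common.inc
+
+# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2'
+# to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line
+private-bin xlinks2
+private-etc fonts
+
+# Redirect
+include links2.profile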
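Review bot: The new file is added as `etc/profile-m-z/xlinks2` without the `.profile` suffix every other profile on this page carries, so the lookup for an `xlinks2` binary, which matches on `NAME.profile`, will not find it and a packaging glob on `*.profile` will not install it either; it should be `etc/profile-m-z/xlinks2.profile`. The comment at lines 14-15 also points users at `xlinks.local`, while this profile includes `xlinks2.local` (line 5), so line 15 should read `# to your xlinks2.local or append 'PROGRAM1,PROGRAM2' to this private-bin line`.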
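--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.config/yelp
 whitelist ${HOME}/.config/yelp
+whitelist /usr/libexec/webkit2gtk-4.0
 whitelist /usr/share/doc
 whitelist /usr/share/groff
 whitelist /usr/share/help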
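--- a/etc/profile-m-z/zathura.profile
+++ b/etc/profile-m-z/zathura.profile
@@ -17,12 +17,14 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-write-mnt.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/zathura
 mkdir ${HOME}/.local/share/zathura
 whitelist /usr/share/doc
 whitelist /usr/share/zathura
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -41,6 +43,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 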
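Review bot: The new `include disable-write-mnt.inc` in the first hunk carries no hint of the interaction the profile template in this same merge documents (`remove disable-write-mnt.inc if you set disable-mnt`), so a user who has set `disable-mnt` in firejail.config gets no pointer to why this profile may need adjusting; a one-line comment above the include, `# drop this include if disable-mnt is set in firejail.config`, would make that discoverable. The added `include whitelist-runuser-common.inc` presumably restricts ${RUNUSER} to the entries that include whitelists, which looks fine for a document viewer but is worth confirming against any D-Bus or socket use zathura has on the target systems. `seccomp.block-secondary` is a sound hardening step for a native viewer. Both hunks' enclosing profile continues outside the hunk.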
diff --git a/etc/templates/profile.template b/etc/templates/profile.template index fcc7fe949..18e4e8bce 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template | |||
@@ -59,14 +59,6 @@ include globals.local | |||
59 | ##ignore noexec ${HOME} | 59 | ##ignore noexec ${HOME} |
60 | ##ignore noexec /tmp | 60 | ##ignore noexec /tmp |
61 | 61 | ||
62 | ##blacklist PATH | ||
63 | # Disable X11 (CLI only), see also 'x11 none' below | ||
64 | #blacklist /tmp/.X11-unix | ||
65 | # Disable Wayland | ||
66 | #blacklist ${RUNUSER}/wayland-* | ||
67 | # Disable RUNUSER (cli only; supersedes Disable Wayland) | ||
68 | #blacklist ${RUNUSER} | ||
69 | |||
70 | # It is common practice to add files/dirs containing program-specific configuration | 62 | # It is common practice to add files/dirs containing program-specific configuration |
71 | # (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc | 63 | # (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc |
72 | # (keep list sorted) and then disable blacklisting below. | 64 | # (keep list sorted) and then disable blacklisting below. |
@@ -109,6 +101,17 @@ include globals.local | |||
109 | # Allow ssh (blacklisted by disable-common.inc) | 101 | # Allow ssh (blacklisted by disable-common.inc) |
110 | #include allow-ssh.inc | 102 | #include allow-ssh.inc |
111 | 103 | ||
104 | ##blacklist PATH | ||
105 | # Disable X11 (CLI only), see also 'x11 none' below | ||
106 | #blacklist /tmp/.X11-unix | ||
107 | # Disable Wayland | ||
108 | #blacklist ${RUNUSER}/wayland-* | ||
109 | # Disable RUNUSER (cli only; supersedes Disable Wayland) | ||
110 | #blacklist ${RUNUSER} | ||
111 | # Remove the next blacklist if you system has no /usr/libexec dir, | ||
112 | # otherwise try to add it. | ||
113 | #blacklist /usr/libexec | ||
114 | |||
112 | # disable-*.inc includes | 115 | # disable-*.inc includes |
113 | # remove disable-write-mnt.inc if you set disable-mnt | 116 | # remove disable-write-mnt.inc if you set disable-mnt |
114 | #include disable-common.inc | 117 | #include disable-common.inc |
@@ -189,7 +192,7 @@ include globals.local | |||
189 | # GUI: fonts,pango,X11 | 192 | # GUI: fonts,pango,X11 |
190 | # GTK: dconf,gconf,gtk-2.0,gtk-3.0 | 193 | # GTK: dconf,gconf,gtk-2.0,gtk-3.0 |
191 | # KDE: kde4rc,kde5rc | 194 | # KDE: kde4rc,kde5rc |
192 | # Networking: ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,services,rpc,ssl | 195 | # Networking: ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl |
193 | # Extra: gai.conf,proxychains.conf | 196 | # Extra: gai.conf,proxychains.conf |
194 | # Qt: Trolltech.conf | 197 | # Qt: Trolltech.conf |
195 | ##private-lib LIBS | 198 | ##private-lib LIBS |