author | Chiraag Nataraj <chiraag.nataraj@gmail.com> | 2017-09-16 13:18:26 -0400 |
---|---|---|
committer | Tad <tad@spotco.us> | 2017-09-18 18:24:13 -0400 |
commit | 9c833ae929f64fa54c5d8aa49e4a784803b805c8 (patch) | |
tree | 6a15f6bda1665adfb1ff58842b995a8a03bba921 /etc | |
parent | Add a profile for TeamSpeak3 (diff) | |
download | firejail-9c833ae929f64fa54c5d8aa49e4a784803b805c8.tar.gz firejail-9c833ae929f64fa54c5d8aa49e4a784803b805c8.tar.zst firejail-9c833ae929f64fa54c5d8aa49e4a784803b805c8.zip |
Add 31 profiles
Diffstat (limited to 'etc')
31 files changed, 748 insertions, 0 deletions
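--- /dev/null
+++ b/etc/Viber.profile
@@ -0,0 +1,38 @@
+# Firejail profile for Viber
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/Viber.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.ViberPC
+whitelist /dev/dri
+whitelist /dev/full
+whitelist /dev/null
+whitelist /dev/ptmx
+whitelist /dev/pts
+whitelist /dev/random
+whitelist /dev/shm
+whitelist /dev/snd
+whitelist /dev/tty
+whitelist /dev/urandom
+whitelist /dev/video0
+whitelist /dev/zero
+whitelist /opt/viber
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+nogroups
+noroot
+seccomp
+shell none
+
+private-bin sh,dig,awk
+private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf
+private-tmp
+
+noexec ${HOME}
+noexec /tmp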
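Review bot: The `/dev` entries are whitelisted one by one with no comment saying why `private-dev`, which most other profiles in this commit use, was not enough. If the reason is camera access for video calls, a comment such as `# /dev is whitelisted by hand because private-dev would hide /dev/video0` would keep a later cleanup from either removing the camera or widening /dev. `private-etc` also lists `proxychains.conf`, which looks like it comes from a local setup rather than something Viber itself needs; worth confirming before it ships to everyone.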
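--- /dev/null
+++ b/etc/amule.profile
@@ -0,0 +1,33 @@
+# Firejail profile for amule
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/amule.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+blacklist /usr/local/bin
+blacklist /usr/local/sbin
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.aMule
+whitelist ${HOME}/.gtkrc-2.0
+whitelist ${HOME}/.gtkrc.mine
+whitelist ${HOME}/.themes
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+nogroups
+nonewprivs
+noroot
+seccomp
+shell none
+
+private-bin amule
+private-dev
+private-etc fonts,hosts
+private-tmp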
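--- /dev/null
+++ b/etc/ardour5.profile
@@ -0,0 +1,36 @@
+# Firejail profile for ardour5
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/ardour5.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+blacklist /usr/local/bin
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/ardour4
+whitelist ${HOME}/.config/ardour5
+whitelist ${HOME}/.lv2
+whitelist ${HOME}/.vst
+whitelist ${HOME}/Documents
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nogroups
+noroot
+seccomp
+shell none
+
+private-bin sh,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm
+private-dev
+private-etc pulse,X11,alternatives,ardour4,ardour5,fonts
+private-tmp
+
+noexec /home
+noexec /tmp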
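Review bot: `noexec /home` near the end of the profile probably conflicts with `whitelist ${HOME}/.lv2` and `whitelist ${HOME}/.vst` above it. Plugins in those directories are shared objects, and a noexec mount normally refuses to map them executable, so user-installed plugins would likely fail to load even though their directories are whitelisted. Either state in a comment that only system-wide plugins are supported under this profile, or restrict noexec to the data-only directories, e.g. `noexec ${HOME}/Documents`, and keep `noexec /tmp`.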
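--- /dev/null
+++ b/etc/brackets.profile
@@ -0,0 +1,31 @@
+# Firejail profile for brackets
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/brackets.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/Brackets
+whitelist ${HOME}/.gtkrc-2.0
+whitelist ${HOME}/.themes
+whitelist ${HOME}/Documents
+whitelist /opt/brackets/
+whitelist /opt/google/
+whitelist /tmp/.X11-unix
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+# Comment out or use --ignore=net if you want to install extensions or themes
+net none
+# Disable these if you use live preview (until I figure out a workaround)
+# Doing so should be relatively safe since there is no network access
+noroot
+seccomp
+
+private-bin bash,brackets,readlink,dirname,google-chrome,cat
+private-dev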
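Review bot: The comment above `noroot` and `seccomp` does not name which options "these" are, and its safety argument depends on `net none` staying active, while the comment two lines earlier tells the user how to remove `net none`. A user who follows both pieces of advice ends up with network access and neither `noroot` nor `seccomp`. I would reword it to something like `# Live preview needs noroot and seccomp disabled; only do that while net none is still in effect`. The profile also has no `nogroups` or `shell none`, unlike most others in this commit, so a note on whether that is deliberate would help.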
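--- /dev/null
+++ b/etc/calligra.profile
@@ -0,0 +1,37 @@
+# Firejail profile for calligra
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/calligra.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/Trolltech.conf
+whitelist ${HOME}/.gtkrc-2.0
+whitelist ${HOME}/.kde
+whitelist ${HOME}/.themes
+whitelist ${HOME}/Documents
+whitelist /tmp/.X11-unix
+# DBus is forced to use an ordinary unix socket
+whitelist /tmp/dbus_session_socket
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nogroups
+noroot
+seccomp
+shell none
+
+private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch
+private-dev
+private-etc fonts,passwd,alternatives,X11
+
+noexec /home
+noexec /tmp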
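Review bot: `noexec /home` here (and in ardour5, cin, google-earth, lmms and ricochet) is spelled differently from the `noexec ${HOME}` used by Viber, freecad, natron, shotcut and zart in the same commit. The two are not obviously equivalent once the home directory is replaced by a whitelist mount, so it is worth picking one form, checking that it takes effect on the whitelisted home, and using it everywhere. The `# DBus is forced to use an ordinary unix socket` comment would also benefit from saying where `/tmp/dbus_session_socket` is set up, since the profile depends on it existing.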
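--- /dev/null
+++ b/etc/calligraauthor.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+include ${HOME}/.config/firejail/calligra.profile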
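Review bot: The `include` points at `${HOME}/.config/firejail/calligra.profile`, but this commit ships calligra.profile under etc/ and every full profile here includes its files from `/etc/firejail/`. On a system where the user has not copied the profile into their home directory, the include has nothing to resolve to, and the alias may then apply none of the calligra restrictions (how firejail treats a missing include is not visible on this page). `include /etc/firejail/calligra.profile` would match the rest of the commit. The same applies to the other seven calligra* alias profiles and to freecadcmd.profile, which includes `${HOME}/.config/firejail/freecad.profile`.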
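--- /dev/null
+++ b/etc/calligraconverter.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+include ${HOME}/.config/firejail/calligra.profile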
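--- /dev/null
+++ b/etc/calligraflow.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+include ${HOME}/.config/firejail/calligra.profile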
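--- /dev/null
+++ b/etc/calligraplan.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+include ${HOME}/.config/firejail/calligra.profile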
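--- /dev/null
+++ b/etc/calligraplanwork.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+include ${HOME}/.config/firejail/calligra.profile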
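--- /dev/null
+++ b/etc/calligrasheets.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+include ${HOME}/.config/firejail/calligra.profile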
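--- /dev/null
+++ b/etc/calligrastage.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+include ${HOME}/.config/firejail/calligra.profile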
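--- /dev/null
+++ b/etc/calligrawords.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+include ${HOME}/.config/firejail/calligra.profile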
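--- /dev/null
+++ b/etc/cin.profile
@@ -0,0 +1,32 @@
+# Firejail profile for cin
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/cin.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.bcast5
+whitelist ${HOME}/Videos
+whitelist /tmp/.X11-unix
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nogroups
+noroot
+seccomp
+shell none
+
+private-bin cin
+private-dev
+private-etc fonts,pulse
+
+noexec /home
+noexec /tmp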
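--- /dev/null
+++ b/etc/fetchmail.profile
@@ -0,0 +1,31 @@
+# Firejail profile for fetchmail
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/fetchmail.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
+# Location of your fetchmailrc - I decrypt it into /tmp/fetchmailrc
+# whitelist ${HOME}/.fetchmailrc.gpg
+whitelist ${HOME}/.procmailrc.brown
+whitelist ${HOME}/.procmailrc.gmail
+whitelist ${HOME}/Mail
+whitelist ${HOME}/scripts/fetchmail-real.sh
+whitelist /tmp/fetchmailrc
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+nogroups
+noroot
+nosound
+seccomp
+x11 none
+
+# private-bin fetchmail,procmail,bash,chmod
+private-dev
+# private-etc passwd,hosts,resolv.conf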
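Review bot: The whitelist block carries paths that look specific to one user's setup (`.procmailrc.brown`, `.procmailrc.gmail`, `scripts/fetchmail-real.sh`), and the comment above it describes decrypting the fetchmailrc into `/tmp/fetchmailrc`, which leaves mail credentials in plaintext under a predictable name in a shared directory. For a profile installed for every user I would whitelist the standard `${HOME}/.fetchmailrc` and `${HOME}/.procmailrc` and move the personal paths to fetchmail.local. If a decrypted copy is needed, a directory readable only by the user is a safer place than /tmp. `private-bin` and `private-etc` are commented out without a reason, so a one-line note on what broke would help whoever tightens this later.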
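--- /dev/null
+++ b/etc/freecad.profile
@@ -0,0 +1,36 @@
+# Firejail profile for freecad
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/freecad.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+blacklist /usr/local/bin
+blacklist /usr/local/sbin
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/FreeCAD
+whitelist ${HOME}/Documents
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nogroups
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+
+private-bin freecad,freecadcmd
+private-dev
+private-etc fonts,passwd,alternatives,X11
+private-tmp
+
+noexec ${HOME}
+noexec /tmp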
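--- /dev/null
+++ b/etc/freecadcmd.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for freecad
+# This file is overwritten after every install/update
+
+
+include ${HOME}/.config/firejail/freecad.profile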
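--- /dev/null
+++ b/etc/google-earth.profile
@@ -0,0 +1,32 @@
+# Firejail profile for google-earth
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/google-earth.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+
+whitelist ${HOME}/.config/Google
+whitelist ${HOME}/.googleearth/Cache/
+whitelist ${HOME}/.googleearth/Temp/
+whitelist ${HOME}/.googleearth/myplaces.backup.kml
+whitelist ${HOME}/.googleearth/myplaces.kml
+whitelist /tmp/.X11-unix
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+nogroups
+noroot
+seccomp
+shell none
+
+private-bin google-earth,sh,grep,sed,ls,dirname
+private-dev
+private-etc fonts,resolv.conf,X11,alternatives,pulse
+
+noexec /home
+noexec /tmp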
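--- /dev/null
+++ b/etc/imagej.profile
@@ -0,0 +1,34 @@
+# Firejail profile for imagej
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/imagej.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+blacklist /usr/local/bin
+blacklist /usr/local/sbin
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.gtkrc-2.0
+whitelist ${HOME}/.gtkrc.mine
+whitelist ${HOME}/.imagej
+whitelist ${HOME}/.themes
+whitelist ${HOME}/Pictures
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nogroups
+nonewprivs
+noroot
+seccomp
+
+private-bin imagej,bash,grep,sort,tail,tr,cut,whoami,hostname,uname,mkdir,ls,touch,free,awk,update-java-alternatives,basename,xprop,rm,ln
+private-dev
+# private-etc passwd,alternatives,hosts,fonts,X11
+private-tmp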
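--- /dev/null
+++ b/etc/kdenlive.profile
@@ -0,0 +1,32 @@
+# Firejail profile for kdenlive
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/kdenlive.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
+# Apparently these break kdenlive for some people - they work for me though?
+# whitelist ${DOWNLOADS}
+# whitelist ${HOME}/.config/
+# whitelist ${HOME}/Videos
+# whitelist ${HOME}/kdenlive
+whitelist /tmp/.X11-unix
+# DBus is forced to use an ordinary unix socket
+whitelist /tmp/dbus_session_socket
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+net none
+nogroups
+noroot
+seccomp
+shell none
+
+private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper
+private-dev
+private-etc fonts,alternatives,X11,pulse,passwd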
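--- /dev/null
+++ b/etc/linphone.profile
@@ -0,0 +1,22 @@
+# Firejail profile for linphone
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/linphone.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
+whitelist ${HOME}/.gtkrc-2.0
+whitelist ${HOME}/.gtkrc.mine
+whitelist ${HOME}/.linphone-history.db
+whitelist ${HOME}/.linphonerc
+whitelist ${HOME}/Downloads
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+noroot
+seccomp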
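Review bot: `whitelist ${HOME}/Downloads` hard-codes the directory that the other profiles in this commit reach through `${DOWNLOADS}`, so users whose download directory has a different name get an empty whitelist entry; `whitelist ${DOWNLOADS}` would be consistent. The options block also stops at `caps.drop all`, `noroot` and `seccomp`, with no `nogroups`, `shell none`, `private-tmp` or noexec lines for a network-facing application. If those were left out because they break calls, a comment saying which ones would help; otherwise they look worth adding.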
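--- /dev/null
+++ b/etc/lmms.profile
@@ -0,0 +1,32 @@
+# Firejail profile for lmms
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/lmms.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.lmmsrc.xml
+whitelist ${HOME}/Music
+whitelist ${HOME}/lmms
+whitelist /tmp/.X11-unix
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nogroups
+noroot
+seccomp
+shell none
+
+private-dev
+private-etc fonts,pulse
+
+noexec /home
+noexec /tmp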
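--- /dev/null
+++ b/etc/macrofusion.profile
@@ -0,0 +1,28 @@
+# Firejail profile for macrofusion
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/macrofusion.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/gtk-3.0
+whitelist ${HOME}/.config/mfusion
+whitelist ${HOME}/.themes
+whitelist ${HOME}/Pictures
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nogroups
+nonewprivs
+noroot
+seccomp
+shell none
+
+private-bin python3,macrofusion,env,enfuse,exiftool,align_image_stack
+private-dev
+private-etc fonts
+private-tmp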
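--- /dev/null
+++ b/etc/mpd.profile
@@ -0,0 +1,26 @@
+# Firejail profile for mpd
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/mpd.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
+whitelist ${HOME}/.config/pulse/
+whitelist ${HOME}/.mpdconf
+whitelist ${HOME}/.pulse/
+whitelist ${HOME}/Music
+whitelist ${HOME}/mpd
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+noroot
+seccomp
+
+private-bin mpd,bash
+private-dev
+read-only ${HOME}/Music/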
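--- /dev/null
+++ b/etc/natron.profile
@@ -0,0 +1,34 @@
+# Firejail profile for natron
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/natron.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# Contributed by triceratops1 (https://github.com/triceratops1)
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /usr/local/bin
+blacklist /usr/local/sbin
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.Natron
+whitelist ${HOME}/.cache/INRIA/Natron/
+whitelist ${HOME}/.config/INRIA/
+whitelist ${HOME}/.gtkrc-2.0
+whitelist ${HOME}/.themes
+whitelist ${HOME}/Videos
+whitelist /opt/natron/
+whitelist /tmp/.X11-unix/
+include /etc/firejail/whitelist-common.inc
+
+ipc-namespace
+shell none
+
+private-bin natron
+private-etc fonts,X11,pulse
+
+noexec ${HOME}
+noexec /tmp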
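Review bot: The options block holds only `ipc-namespace` and `shell none`, which makes this the one full profile in the commit with neither a `caps.*` line nor `seccomp`, and it also lacks `noroot`. Nothing in the file says the omission is deliberate, so Natron would run with whatever capabilities and syscalls firejail leaves available by default while opening media files from the download directory. Unless one of them is known to break Natron, add `caps.drop all`, `noroot` and `seccomp` as in the other profiles; if one does break it, leave a comment naming it. `private-dev` and `nogroups` are likewise absent and worth a look.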
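--- /dev/null
+++ b/etc/ricochet.profile
@@ -0,0 +1,30 @@
+# Firejail profile for ricochet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/ricochet.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.local/share/Ricochet
+whitelist /tmp/.X11-unix
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+nogroups
+noroot
+seccomp
+shell none
+
+private-bin ricochet,tor
+private-dev
+private-etc fonts,tor,X11,alternatives
+
+noexec /home
+noexec /tmp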
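--- /dev/null
+++ b/etc/shotcut.profile
@@ -0,0 +1,28 @@
+# Firejail profile for shotcut
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/shotcut.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /usr/local/bin
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/Meltytech
+whitelist ${HOME}/Videos
+whitelist /tmp/.X11-unix
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+net none
+nogroups
+noroot
+seccomp
+shell none
+
+private-bin shotcut,melt,qmelt,nice
+private-dev
+private-etc X11,alternatives,pulse,fonts
+
+noexec ${HOME}
+noexec /tmp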
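--- /dev/null
+++ b/etc/tor-browser-en.profile
@@ -0,0 +1,41 @@
+# Firejail profile for tor-browser-en
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/tor-browser-en.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+blacklist /usr/local/bin
+blacklist /var
+
+whitelist ${HOME}/.tor-browser-en
+whitelist /dev/dri
+whitelist /dev/full
+whitelist /dev/null
+whitelist /dev/ptmx
+whitelist /dev/pts
+whitelist /dev/random
+whitelist /dev/shm
+whitelist /dev/snd
+whitelist /dev/tty
+whitelist /dev/urandom
+whitelist /dev/video0
+whitelist /dev/zero
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+noroot
+seccomp
+shell none
+
+private-bin bash,grep,sed,tail,tor-browser-en,env,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf,file,expr
+# FIXME: Spoof D-Bus machine id (tor-browser segfaults when it is missing!)
+# https://github.com/netblue30/firejail/issues/955
+private-etc X11,pulse,machine-id
+private-tmp
+
+noexec /tmp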
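Review bot: The `/dev` whitelist is the same list as in Viber.profile and so includes `/dev/video0` and `/dev/snd`, which gives a browser meant for anonymity access to the camera and audio devices by default. I would drop `whitelist /dev/video0` (and consider `/dev/snd`) here and let users who need them add the lines in tor-browser-en.local. `private-etc` exposes the real `machine-id`, which the FIXME already flags; until it is spoofed, a comment noting that the host's identifier is visible inside the sandbox would be honest about the gap. `sed` also appears twice in `private-bin`.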
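--- /dev/null
+++ b/etc/tor.profile
@@ -0,0 +1,38 @@
+# Firejail profile for tor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/tor.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# How to use:
+# Create a script called anything (e.g. mytor)
+# with the following contents:
+# #!/bin/bash
+# TORCMD="tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 1"
+# sudo -b daemon -f -d -- firejail --profile=/home/<username>/.config/firejail/tor.profile $TORCMD
+
+# You'll also likely want to disable the system service (if it exists)
+# Run mytor (or whatever you called the script above) whenever you want to start tor
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
+caps.keep setuid,setgid,net_bind_service,dac_read_search
+ipc-namespace
+no3d
+nogroups
+nonewprivs
+nosound
+seccomp
+shell none
+writable-var
+x11 none
+
+private
+private-bin tor,bash
+private-dev
+private-etc tor,passwd
+private-tmp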
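Review bot: `caps.keep` retains `dac_read_search`, which lets the process bypass read permission checks on files and directories, and the profile gives no reason for it or for the other three capabilities. Since the usage comment starts the sandbox through `sudo`, a one-line comment per kept capability (what tor needs it for before it drops privileges) would let a reviewer judge whether the set can be narrowed. The usage comment also passes `--profile=/home/<username>/.config/firejail/tor.profile`, a user-writable file handed to a root-started sandbox; `--profile=/etc/firejail/tor.profile` matches where this commit puts the file.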
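--- /dev/null
+++ b/etc/x-terminal-emulator.profile
@@ -0,0 +1,25 @@
+# Firejail profile for x-terminal-emulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/x-terminal-emulator.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+whitelist /tmp/.X11-unix/X470
+whitelist /tmp/fcitx-socket-:0
+whitelist /tmp/user/1000/
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+env DISPLAY=:470
+ipc-namespace
+net none
+netfilter
+nogroups
+noroot
+seccomp
+
+private-dev
+
+noexec /tmp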
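Review bot: The whitelist lines and `env DISPLAY=:470` hard-code values from one machine: X display 470, the fcitx socket for display :0, and `/tmp/user/1000/` for uid 1000. On another system the terminal would probably find no X socket to connect to, and a user with a different uid gets someone else's directory path whitelisted. These settings belong in x-terminal-emulator.local, with the shipped profile using `whitelist /tmp/.X11-unix` as the other profiles do and no fixed DISPLAY. `netfilter` next to `net none` also looks like a leftover, since there is no network for the filter to apply to.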
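--- /dev/null
+++ b/etc/zart.profile
@@ -0,0 +1,27 @@
+# Firejail profile for zart
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/zart.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# Contributed by triceratops1 (https://github.com/triceratops1)
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/Videos
+whitelist /tmp/.X11-unix
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+noroot
+seccomp
+shell none
+
+private-bin zart,ffmpeg,melt,ffprobe,ffplay
+private-dev
+private-etc fonts,X11
+
+noexec ${HOME}
+noexec /tmp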