author | valoq <valoq@mailbox.org> | 2016-10-26 17:51:07 +0200 |
---|---|---|
committer | valoq <valoq@mailbox.org> | 2016-10-26 17:51:07 +0200 |
commit | ad773dec65ec32e0fcba1b123b3da5b9edcbf9d4 (patch) | |
tree | 0e35dd6dc35f3c8d5ea32a6c076e270524b3db36 /etc | |
parent | removed blacklist duplate (diff) | |
parent | removed ping blacklisting (diff) | |
download | firejail-ad773dec65ec32e0fcba1b123b3da5b9edcbf9d4.tar.gz firejail-ad773dec65ec32e0fcba1b123b3da5b9edcbf9d4.tar.zst firejail-ad773dec65ec32e0fcba1b123b3da5b9edcbf9d4.zip |
resolve conflict
Diffstat (limited to 'etc')
62 files changed, 316 insertions, 196 deletions
diff --git a/etc/atom-beta.profile b/etc/atom-beta.profile index 9a8d93875..fa0b316bb 100644 --- a/etc/atom-beta.profile +++ b/etc/atom-beta.profile | |||
@@ -8,8 +8,8 @@ include /etc/firejail/disable-passwdmgr.inc | |||
8 | 8 | ||
9 | caps.drop all | 9 | caps.drop all |
10 | netfilter | 10 | netfilter |
11 | nonewprivs | ||
12 | nogroups | 11 | nogroups |
12 | nonewprivs | ||
13 | noroot | 13 | noroot |
14 | nosound | 14 | nosound |
15 | protocol unix,inet,inet6,netlink | 15 | protocol unix,inet,inet6,netlink |
diff --git a/etc/atom.profile b/etc/atom.profile index 3cb86847e..61930d5c1 100644 --- a/etc/atom.profile +++ b/etc/atom.profile | |||
@@ -8,8 +8,8 @@ include /etc/firejail/disable-passwdmgr.inc | |||
8 | 8 | ||
9 | caps.drop all | 9 | caps.drop all |
10 | netfilter | 10 | netfilter |
11 | nonewprivs | ||
12 | nogroups | 11 | nogroups |
12 | nonewprivs | ||
13 | noroot | 13 | noroot |
14 | nosound | 14 | nosound |
15 | protocol unix,inet,inet6,netlink | 15 | protocol unix,inet,inet6,netlink |
diff --git a/etc/atril.profile b/etc/atril.profile index d9e10b072..fbcca0c1b 100644 --- a/etc/atril.profile +++ b/etc/atril.profile | |||
@@ -7,8 +7,8 @@ include /etc/firejail/disable-devel.inc | |||
7 | include /etc/firejail/disable-passwdmgr.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
8 | 8 | ||
9 | caps.drop all | 9 | caps.drop all |
10 | nonewprivs | ||
11 | nogroups | 10 | nogroups |
11 | nonewprivs | ||
12 | noroot | 12 | noroot |
13 | nosound | 13 | nosound |
14 | protocol unix | 14 | protocol unix |
diff --git a/etc/audacity.profile b/etc/audacity.profile index be3fac9be..827fa4301 100644 --- a/etc/audacity.profile +++ b/etc/audacity.profile | |||
@@ -8,8 +8,8 @@ include /etc/firejail/disable-programs.inc | |||
8 | 8 | ||
9 | caps.drop all | 9 | caps.drop all |
10 | netfilter | 10 | netfilter |
11 | nonewprivs | ||
12 | nogroups | 11 | nogroups |
12 | nonewprivs | ||
13 | noroot | 13 | noroot |
14 | protocol unix | 14 | protocol unix |
15 | seccomp | 15 | seccomp |
diff --git a/etc/aweather.profile b/etc/aweather.profile index 4e5c36f50..fa8654f1e 100644 --- a/etc/aweather.profile +++ b/etc/aweather.profile | |||
@@ -11,8 +11,8 @@ whitelist ~/.config/aweather | |||
11 | 11 | ||
12 | caps.drop all | 12 | caps.drop all |
13 | netfilter | 13 | netfilter |
14 | nonewprivs | ||
15 | nogroups | 14 | nogroups |
15 | nonewprivs | ||
16 | noroot | 16 | noroot |
17 | nosound | 17 | nosound |
18 | protocol unix,inet,inet6 | 18 | protocol unix,inet,inet6 |
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index ec6d0d69d..139dec8ec 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile | |||
@@ -9,11 +9,10 @@ include /etc/firejail/disable-passwdmgr.inc | |||
9 | 9 | ||
10 | caps.drop all | 10 | caps.drop all |
11 | netfilter | 11 | netfilter |
12 | nogroups | ||
12 | nonewprivs | 13 | nonewprivs |
13 | noroot | 14 | noroot |
14 | nosound | 15 | nosound |
15 | seccomp | 16 | seccomp |
16 | protocol unix,inet,inet6,netlink | 17 | protocol unix,inet,inet6,netlink |
17 | tracelog | 18 | tracelog |
18 | |||
19 | |||
diff --git a/etc/chromium.profile b/etc/chromium.profile index 0d383aebf..4109af9a4 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile | |||
@@ -25,4 +25,7 @@ whitelist ~/keepassx.kdbx | |||
25 | whitelist ~/.lastpass | 25 | whitelist ~/.lastpass |
26 | whitelist ~/.config/lastpass | 26 | whitelist ~/.config/lastpass |
27 | 27 | ||
28 | # specific to Arch | ||
29 | whitelist ~/.config/chromium-flags.conf | ||
30 | |||
28 | include /etc/firejail/whitelist-common.inc | 31 | include /etc/firejail/whitelist-common.inc |
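Review bot: The new `whitelist ~/.config/chromium-flags.conf` (new line 29) gives the sandboxed browser read-write access to the file that supplies its own launch flags, so anything running inside the jail can alter how the next Chromium start is configured. The profile only needs to read it; if this tree's profile syntax supports it, pair the line with `read-only ~/.config/chromium-flags.conf`. The `# specific to Arch` comment should also say why the file is needed there, e.g. `# Arch Linux: the chromium launcher reads extra flags from this file` (confirm that is indeed what consumes it).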
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 19a23d764..82398473d 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
@@ -137,6 +137,11 @@ blacklist /etc/gshadow+ | |||
137 | blacklist /etc/ssh | 137 | blacklist /etc/ssh |
138 | blacklist /var/backup | 138 | blacklist /var/backup |
139 | 139 | ||
140 | # system directories | ||
141 | blacklist /sbin | ||
142 | blacklist /usr/sbin | ||
143 | blacklist /usr/local/sbin | ||
144 | |||
140 | # system management | 145 | # system management |
141 | # blacklist ${PATH}/umount | 146 | # blacklist ${PATH}/umount |
142 | # blacklist ${PATH}/mount | 147 | # blacklist ${PATH}/mount |
@@ -149,11 +154,22 @@ blacklist ${PATH}/xev | |||
149 | blacklist ${PATH}/strace | 154 | blacklist ${PATH}/strace |
150 | blacklist ${PATH}/nc | 155 | blacklist ${PATH}/nc |
151 | blacklist ${PATH}/ncat | 156 | blacklist ${PATH}/ncat |
152 | 157 | blacklist ${PATH}/gpasswd | |
153 | # system directories | 158 | blacklist ${PATH}/newgidmap |
154 | blacklist /sbin | 159 | blacklist ${PATH}/newgrp |
155 | blacklist /usr/sbin | 160 | blacklist ${PATH}/newuidmap |
156 | blacklist /usr/local/sbin | 161 | blacklist ${PATH}/pkexec |
162 | blacklist ${PATH}/sg | ||
163 | blacklist ${PATH}/rsh | ||
164 | blacklist ${PATH}/rlogin | ||
165 | blacklist ${PATH}/rcp | ||
166 | blacklist ${PATH}/crontab | ||
167 | blacklist ${PATH}/ksu | ||
168 | blacklist ${PATH}/chsh | ||
169 | blacklist ${PATH}/chfn | ||
170 | blacklist ${PATH}/chage | ||
171 | blacklist ${PATH}/expiry | ||
172 | blacklist ${PATH}/unix_chkpwd | ||
157 | 173 | ||
158 | # prevent lxterminal connecting to an existing lxterminal session | 174 | # prevent lxterminal connecting to an existing lxterminal session |
159 | blacklist /tmp/.lxterminal-socket* | 175 | blacklist /tmp/.lxterminal-socket* |
@@ -173,28 +189,6 @@ blacklist ${PATH}/terminix | |||
173 | blacklist ${PATH}/urxvtc | 189 | blacklist ${PATH}/urxvtc |
174 | blacklist ${PATH}/urxvtcd | 190 | blacklist ${PATH}/urxvtcd |
175 | 191 | ||
176 | # disable common suid programms | 192 | # kernel files |
177 | blacklist ${PATH}/firejail | 193 | blacklist /vmlinuz* |
178 | blacklist ${PATH}/sudo | 194 | blacklist /initrd* |
179 | blacklist ${PATH}/su | ||
180 | blacklist ${PATH}/mount | ||
181 | blacklist ${PATH}/umount | ||
182 | blacklist ${PATH}/fusermount | ||
183 | blacklist ${PATH}/passwd | ||
184 | blacklist ${PATH}/gpasswd | ||
185 | blacklist ${PATH}/newgidmap | ||
186 | blacklist ${PATH}/newgrp | ||
187 | blacklist ${PATH}/newuidmap | ||
188 | blacklist ${PATH}/pkexec | ||
189 | blacklist ${PATH}/sg | ||
190 | blacklist ${PATH}/rsh | ||
191 | blacklist ${PATH}/rlogin | ||
192 | blacklist ${PATH}/rcp | ||
193 | blacklist ${PATH}/crontab | ||
194 | blacklist ${PATH}/ksu | ||
195 | blacklist ${PATH}/chsh | ||
196 | blacklist ${PATH}/chfn | ||
197 | blacklist ${PATH}/chage | ||
198 | blacklist ${PATH}/expiry | ||
199 | blacklist ${PATH}/ping | ||
200 | blacklist ${PATH}/unix_chkpwd | ||
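Review bot: The last hunk (`@@ -173,28 +189,6 @@`) removes the whole `# disable common suid programms` block, but the second hunk re-adds only part of it at new lines 157–172: `firejail`, `sudo`, `su`, `mount`, `umount`, `fusermount`, `passwd` and `ping` are not re-added anywhere visible. The parent commit title suggests these were duplicates of the `# system management` block, yet that block's lines 148–153 are outside the hunk, and `mount`/`umount` are shown commented out there at lines 146–147, so losing the suid-block entries may leave them un-blacklisted; please confirm each one against the unseen lines before merging. The re-added entries also now sit without a heading of their own; restoring `# disable common suid programs` above `blacklist ${PATH}/gpasswd` keeps the intent readable.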
diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index 971857710..2ac367f37 100644 --- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc | |||
@@ -20,7 +20,7 @@ blacklist /usr/bin/x86_64-unknown-linux-gnu-gcc* | |||
20 | # clang/llvm | 20 | # clang/llvm |
21 | blacklist /usr/bin/clang* | 21 | blacklist /usr/bin/clang* |
22 | blacklist /usr/bin/llvm* | 22 | blacklist /usr/bin/llvm* |
23 | blacklist /usb/bin/lldb* | 23 | blacklist /usr/bin/lldb* |
24 | blacklist /usr/lib/llvm* | 24 | blacklist /usr/lib/llvm* |
25 | 25 | ||
26 | # tcc - Tiny C Compiler | 26 | # tcc - Tiny C Compiler |
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 369e4813c..6e22fe04d 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
@@ -7,6 +7,8 @@ blacklist ${HOME}/.wine | |||
7 | blacklist ${HOME}/.Mathematica | 7 | blacklist ${HOME}/.Mathematica |
8 | blacklist ${HOME}/.Wolfram Research | 8 | blacklist ${HOME}/.Wolfram Research |
9 | blacklist ${HOME}/.stellarium | 9 | blacklist ${HOME}/.stellarium |
10 | blacklist ${HOME}/.sword | ||
11 | blacklist ${HOME}/.xiphos | ||
10 | blacklist ${HOME}/.config/Atom | 12 | blacklist ${HOME}/.config/Atom |
11 | blacklist ${HOME}/.config/gthumb | 13 | blacklist ${HOME}/.config/gthumb |
12 | blacklist ${HOME}/.config/mupen64plus | 14 | blacklist ${HOME}/.config/mupen64plus |
@@ -35,6 +37,11 @@ blacklist ${HOME}/.gimp* | |||
35 | blacklist ${HOME}/.config/zathura | 37 | blacklist ${HOME}/.config/zathura |
36 | blacklist ${HOME}/.config/cherrytree | 38 | blacklist ${HOME}/.config/cherrytree |
37 | blacklist ${HOME}/.xpdfrc | 39 | blacklist ${HOME}/.xpdfrc |
40 | blacklist ${HOME}/.openshot | ||
41 | blacklist ${HOME}/.openshot_qt | ||
42 | blacklist ${HOME}/.flowblade | ||
43 | blacklist ${HOME}/.config/flowblade | ||
44 | blacklist ${HOME}/.config/eog | ||
38 | 45 | ||
39 | 46 | ||
40 | # Media players | 47 | # Media players |
@@ -72,8 +79,12 @@ blacklist ${HOME}/.8pecxstudios | |||
72 | blacklist ${HOME}/.config/brave | 79 | blacklist ${HOME}/.config/brave |
73 | blacklist ${HOME}/.config/inox | 80 | blacklist ${HOME}/.config/inox |
74 | blacklist ${HOME}/.muttrc | 81 | blacklist ${HOME}/.muttrc |
82 | blacklist ${HOME}/.mutt | ||
75 | blacklist ${HOME}/.mutt/muttrc | 83 | blacklist ${HOME}/.mutt/muttrc |
76 | blacklist ${HOME}/.msmtprc | 84 | blacklist ${HOME}/.msmtprc |
85 | blacklist ${HOME}/.config/evolution | ||
86 | blacklist ${HOME}/.local/share/evolution | ||
87 | blacklist ${HOME}/.cache/evolution | ||
77 | 88 | ||
78 | # Instant Messaging | 89 | # Instant Messaging |
79 | blacklist ${HOME}/.config/hexchat | 90 | blacklist ${HOME}/.config/hexchat |
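Review bot: The new `blacklist ${HOME}/.mutt` at new line 82 already covers `${HOME}/.mutt/muttrc` on the line after it, so the narrower entry is now redundant and can be dropped. The new entries for `${HOME}/.config/eog` and the three evolution directories only behave as intended if `eog.profile` and `evolution.profile` carry matching `noblacklist` lines; their headers are not in this commit's hunks, so please confirm (the new `flowblade.profile` and `openshot.profile` do this visibly, with `noblacklist` placed before the includes). Note too that `mutt.profile` adds `noblacklist ~/.mutt/muttrc` in this same commit although it already has `noblacklist ~/.mutt` on the line above.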
diff --git a/etc/eog.profile b/etc/eog.profile index 32b54a042..7eb7fd127 100644 --- a/etc/eog.profile +++ b/etc/eog.profile | |||
@@ -9,9 +9,9 @@ include /etc/firejail/disable-passwdmgr.inc | |||
9 | 9 | ||
10 | caps.drop all | 10 | caps.drop all |
11 | netfilter | 11 | netfilter |
12 | nogroups | ||
12 | nonewprivs | 13 | nonewprivs |
13 | noroot | 14 | noroot |
14 | nogroups | ||
15 | protocol unix | 15 | protocol unix |
16 | seccomp | 16 | seccomp |
17 | shell none | 17 | shell none |
@@ -20,4 +20,3 @@ private-bin eog | |||
20 | private-dev | 20 | private-dev |
21 | private-etc fonts | 21 | private-etc fonts |
22 | private-tmp | 22 | private-tmp |
23 | |||
diff --git a/etc/evolution.profile b/etc/evolution.profile index cf581643d..d097c0f34 100644 --- a/etc/evolution.profile +++ b/etc/evolution.profile | |||
@@ -14,9 +14,9 @@ include /etc/firejail/disable-passwdmgr.inc | |||
14 | 14 | ||
15 | caps.drop all | 15 | caps.drop all |
16 | netfilter | 16 | netfilter |
17 | nogroups | ||
17 | nonewprivs | 18 | nonewprivs |
18 | noroot | 19 | noroot |
19 | nogroups | ||
20 | protocol unix,inet,inet6 | 20 | protocol unix,inet,inet6 |
21 | seccomp | 21 | seccomp |
22 | shell none | 22 | shell none |
diff --git a/etc/feh.profile b/etc/feh.profile index 5fcb6bf25..e3b1ec528 100644 --- a/etc/feh.profile +++ b/etc/feh.profile | |||
@@ -5,14 +5,14 @@ include /etc/firejail/disable-devel.inc | |||
5 | include /etc/firejail/disable-passwdmgr.inc | 5 | include /etc/firejail/disable-passwdmgr.inc |
6 | 6 | ||
7 | caps.drop all | 7 | caps.drop all |
8 | seccomp | ||
9 | protocol unix | ||
10 | netfilter | 8 | netfilter |
11 | net none | 9 | net none |
10 | nogroups | ||
12 | nonewprivs | 11 | nonewprivs |
13 | noroot | 12 | noroot |
14 | nogroups | ||
15 | nosound | 13 | nosound |
14 | protocol unix | ||
15 | seccomp | ||
16 | shell none | 16 | shell none |
17 | 17 | ||
18 | private-bin feh | 18 | private-bin feh |
diff --git a/etc/file.profile b/etc/file.profile index 2e54030b1..199a97fad 100644 --- a/etc/file.profile +++ b/etc/file.profile | |||
@@ -1,16 +1,17 @@ | |||
1 | # file profile | 1 | # file profile |
2 | quiet | ||
3 | ignore noroot | 2 | ignore noroot |
4 | include /etc/firejail/default.profile | 3 | include /etc/firejail/default.profile |
5 | 4 | ||
6 | tracelog | 5 | blacklist /tmp/.X11-unix |
6 | |||
7 | hostname file | ||
7 | net none | 8 | net none |
9 | no3d | ||
10 | nosound | ||
11 | quiet | ||
8 | shell none | 12 | shell none |
13 | tracelog | ||
14 | |||
15 | private-dev | ||
9 | private-bin file | 16 | private-bin file |
10 | private-etc magic.mgc,magic,localtime | 17 | private-etc magic.mgc,magic,localtime |
11 | hostname file | ||
12 | private-dev | ||
13 | nosound | ||
14 | no3d | ||
15 | blacklist /tmp/.X11-unix | ||
16 | |||
diff --git a/etc/filezilla.profile b/etc/filezilla.profile index 551c17a78..fe1d9d20d 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile | |||
@@ -13,10 +13,9 @@ noroot | |||
13 | nosound | 13 | nosound |
14 | protocol unix,inet,inet6 | 14 | protocol unix,inet,inet6 |
15 | seccomp | 15 | seccomp |
16 | |||
17 | shell none | 16 | shell none |
17 | |||
18 | private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp | 18 | private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp |
19 | whitelist /tmp/.X11-unix | ||
20 | private-dev | 19 | private-dev |
21 | nosound | ||
22 | 20 | ||
21 | whitelist /tmp/.X11-unix | ||
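diff --git a/etc/flowblade.profile b/etc/flowblade.profile
new file mode 100644
--- /dev/null
+++ b/etc/flowblade.profile
@@ -0,0 +1,13 @@
+# FlowBlade profile
+noblacklist ${HOME}/.flowblade
+noblacklist ${HOME}/.config/flowblade
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp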
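Review bot: Both new profiles (`flowblade.profile` here and `openshot.profile` further down) omit `nogroups` and `shell none`, which most of the other profiles touched in this commit carry, and neither includes `disable-devel.inc`. A video editor plausibly needs sound, so leaving out `nosound` is understandable, but the rest reads like an oversight rather than a decision; either add `nogroups` after `netfilter` in both files or record the reason in the header comment, e.g. `# nogroups omitted: <reason>`.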
diff --git a/etc/franz.profile b/etc/franz.profile index 3cb7942ab..0b3be551b 100644 --- a/etc/franz.profile +++ b/etc/franz.profile | |||
@@ -6,12 +6,12 @@ include /etc/firejail/disable-programs.inc | |||
6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
7 | 7 | ||
8 | caps.drop all | 8 | caps.drop all |
9 | seccomp | ||
10 | protocol unix,inet,inet6,netlink | ||
11 | netfilter | 9 | netfilter |
12 | #tracelog | ||
13 | nonewprivs | 10 | nonewprivs |
14 | noroot | 11 | noroot |
12 | protocol unix,inet,inet6,netlink | ||
13 | seccomp | ||
14 | #tracelog | ||
15 | 15 | ||
16 | whitelist ${DOWNLOADS} | 16 | whitelist ${DOWNLOADS} |
17 | mkdir ~/.config/Franz | 17 | mkdir ~/.config/Franz |
diff --git a/etc/gajim.profile b/etc/gajim.profile index 04902a734..809378ef9 100644 --- a/etc/gajim.profile +++ b/etc/gajim.profile | |||
@@ -22,8 +22,8 @@ include /etc/firejail/disable-devel.inc | |||
22 | 22 | ||
23 | caps.drop all | 23 | caps.drop all |
24 | netfilter | 24 | netfilter |
25 | nonewprivs | ||
26 | nogroups | 25 | nogroups |
26 | nonewprivs | ||
27 | noroot | 27 | noroot |
28 | protocol unix,inet,inet6 | 28 | protocol unix,inet,inet6 |
29 | seccomp | 29 | seccomp |
diff --git a/etc/gimp.profile b/etc/gimp.profile index 23361b771..cb441fc9d 100644 --- a/etc/gimp.profile +++ b/etc/gimp.profile | |||
@@ -6,13 +6,15 @@ include /etc/firejail/disable-passwdmgr.inc | |||
6 | 6 | ||
7 | caps.drop all | 7 | caps.drop all |
8 | netfilter | 8 | netfilter |
9 | nogroups | ||
9 | nonewprivs | 10 | nonewprivs |
10 | noroot | 11 | noroot |
12 | nosound | ||
11 | protocol unix | 13 | protocol unix |
12 | seccomp | 14 | seccomp |
13 | private-dev | 15 | |
14 | private-tmp | ||
15 | noexec ${HOME} | 16 | noexec ${HOME} |
16 | noexec /tmp | 17 | noexec /tmp |
17 | nogroups | 18 | |
18 | nosound | 19 | private-dev |
20 | private-tmp | ||
diff --git a/etc/git.profile b/etc/git.profile index 2fb55377d..73122d347 100644 --- a/etc/git.profile +++ b/etc/git.profile | |||
@@ -12,15 +12,15 @@ include /etc/firejail/disable-common.inc | |||
12 | include /etc/firejail/disable-programs.inc | 12 | include /etc/firejail/disable-programs.inc |
13 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | 14 | ||
15 | quiet | ||
16 | 15 | ||
17 | caps.drop all | 16 | caps.drop all |
18 | netfilter | 17 | netfilter |
18 | nogroups | ||
19 | nonewprivs | 19 | nonewprivs |
20 | noroot | 20 | noroot |
21 | nogroups | ||
22 | nosound | 21 | nosound |
23 | protocol unix,inet,inet6 | 22 | protocol unix,inet,inet6 |
23 | quiet | ||
24 | seccomp | 24 | seccomp |
25 | shell none | 25 | shell none |
26 | 26 | ||
diff --git a/etc/gpredict.profile b/etc/gpredict.profile index 353ecceae..801304c18 100644 --- a/etc/gpredict.profile +++ b/etc/gpredict.profile | |||
@@ -6,13 +6,12 @@ include /etc/firejail/disable-passwdmgr.inc | |||
6 | include /etc/firejail/disable-programs.inc | 6 | include /etc/firejail/disable-programs.inc |
7 | 7 | ||
8 | # Whitelist | 8 | # Whitelist |
9 | mkdir ~/.config/Gpredict | ||
10 | whitelist ~/.config/Gpredict | 9 | whitelist ~/.config/Gpredict |
11 | 10 | ||
12 | caps.drop all | 11 | caps.drop all |
13 | netfilter | 12 | netfilter |
14 | nonewprivs | ||
15 | nogroups | 13 | nogroups |
14 | nonewprivs | ||
16 | noroot | 15 | noroot |
17 | nosound | 16 | nosound |
18 | protocol unix,inet,inet6 | 17 | protocol unix,inet,inet6 |
@@ -21,5 +20,6 @@ shell none | |||
21 | tracelog | 20 | tracelog |
22 | 21 | ||
23 | private-bin gpredict | 22 | private-bin gpredict |
23 | private-etc fonts,resolv.conf | ||
24 | private-dev | 24 | private-dev |
25 | private-tmp | 25 | private-tmp |
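Review bot: Dropping `mkdir ~/.config/Gpredict` while keeping `whitelist ~/.config/Gpredict` (new line 9) means the whitelist has nothing to match on a machine where the program has not yet created that directory, and as I read firejail's whitelist handling the program cannot create it afterwards either. The other whitelist-based profiles in this commit (`psi-plus`, `slack`, `spotify`) keep the `mkdir` immediately before the `whitelist`; keep it here as well, `mkdir ~/.config/Gpredict` directly above line 9. The new `private-etc fonts,resolv.conf` at line 23 is consistent with the other network applications on this page.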
diff --git a/etc/gwenview.profile b/etc/gwenview.profile index 67f10c4e1..c866c9e63 100644 --- a/etc/gwenview.profile +++ b/etc/gwenview.profile | |||
@@ -7,14 +7,15 @@ include /etc/firejail/disable-devel.inc | |||
7 | include /etc/firejail/disable-passwdmgr.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
8 | 8 | ||
9 | caps.drop all | 9 | caps.drop all |
10 | nogroups | ||
10 | nonewprivs | 11 | nonewprivs |
11 | noroot | 12 | noroot |
12 | nogroups | ||
13 | private-dev | ||
14 | protocol unix | 13 | protocol unix |
15 | seccomp | 14 | seccomp |
16 | nosound | 15 | nosound |
17 | 16 | ||
17 | private-dev | ||
18 | |||
18 | #Experimental: | 19 | #Experimental: |
19 | #shell none | 20 | #shell none |
20 | #private-bin gwenview | 21 | #private-bin gwenview |
diff --git a/etc/gzip.profile b/etc/gzip.profile index 5e73969c4..d51b9a951 100644 --- a/etc/gzip.profile +++ b/etc/gzip.profile | |||
@@ -1,12 +1,14 @@ | |||
1 | # gzip profile | 1 | # gzip profile |
2 | quiet | ||
3 | ignore noroot | 2 | ignore noroot |
4 | include /etc/firejail/default.profile | 3 | include /etc/firejail/default.profile |
5 | tracelog | 4 | |
6 | net none | ||
7 | shell none | ||
8 | blacklist /tmp/.X11-unix | 5 | blacklist /tmp/.X11-unix |
9 | private-dev | 6 | |
10 | nosound | 7 | net none |
11 | no3d | 8 | no3d |
9 | nosound | ||
10 | quiet | ||
11 | shell none | ||
12 | tracelog | ||
12 | 13 | ||
14 | private-dev | ||
diff --git a/etc/inkscape.profile b/etc/inkscape.profile index cf885fba2..a0e86b6c9 100644 --- a/etc/inkscape.profile +++ b/etc/inkscape.profile | |||
@@ -6,13 +6,15 @@ include /etc/firejail/disable-passwdmgr.inc | |||
6 | 6 | ||
7 | caps.drop all | 7 | caps.drop all |
8 | netfilter | 8 | netfilter |
9 | nogroups | ||
9 | nonewprivs | 10 | nonewprivs |
10 | noroot | 11 | noroot |
12 | nosound | ||
11 | protocol unix | 13 | protocol unix |
12 | seccomp | 14 | seccomp |
13 | private-dev | 15 | |
14 | private-tmp | ||
15 | noexec ${HOME} | 16 | noexec ${HOME} |
16 | noexec /tmp | 17 | noexec /tmp |
17 | nogroups | 18 | |
18 | nosound | 19 | private-dev |
20 | private-tmp | ||
diff --git a/etc/jitsi.profile b/etc/jitsi.profile index c61158f8b..046499abe 100644 --- a/etc/jitsi.profile +++ b/etc/jitsi.profile | |||
@@ -6,8 +6,8 @@ include /etc/firejail/disable-passwdmgr.inc | |||
6 | include /etc/firejail/disable-programs.inc | 6 | include /etc/firejail/disable-programs.inc |
7 | 7 | ||
8 | caps.drop all | 8 | caps.drop all |
9 | nonewprivs | ||
10 | nogroups | 9 | nogroups |
10 | nonewprivs | ||
11 | noroot | 11 | noroot |
12 | protocol unix,inet,inet6 | 12 | protocol unix,inet,inet6 |
13 | seccomp | 13 | seccomp |
diff --git a/etc/kmail.profile b/etc/kmail.profile index 8c8fd18c4..bc21ba604 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile | |||
@@ -8,8 +8,8 @@ include /etc/firejail/disable-passwdmgr.inc | |||
8 | 8 | ||
9 | caps.drop all | 9 | caps.drop all |
10 | netfilter | 10 | netfilter |
11 | nonewprivs | ||
12 | nogroups | 11 | nogroups |
12 | nonewprivs | ||
13 | noroot | 13 | noroot |
14 | protocol unix,inet,inet6,netlink | 14 | protocol unix,inet,inet6,netlink |
15 | seccomp | 15 | seccomp |
diff --git a/etc/less.profile b/etc/less.profile index 6dfae027e..08758aead 100644 --- a/etc/less.profile +++ b/etc/less.profile | |||
@@ -2,8 +2,10 @@ | |||
2 | quiet | 2 | quiet |
3 | ignore noroot | 3 | ignore noroot |
4 | include /etc/firejail/default.profile | 4 | include /etc/firejail/default.profile |
5 | tracelog | 5 | |
6 | net none | 6 | net none |
7 | nosound | ||
7 | shell none | 8 | shell none |
9 | tracelog | ||
10 | |||
8 | private-dev | 11 | private-dev |
9 | nosound | ||
diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile index 6e059ea52..76e864e0c 100644 --- a/etc/luminance-hdr.profile +++ b/etc/luminance-hdr.profile | |||
@@ -5,17 +5,19 @@ include /etc/firejail/disable-programs.inc | |||
5 | include /etc/firejail/disable-passwdmgr.inc | 5 | include /etc/firejail/disable-passwdmgr.inc |
6 | 6 | ||
7 | caps.drop all | 7 | caps.drop all |
8 | ipc-namespace | ||
8 | netfilter | 9 | netfilter |
9 | protocol unix | 10 | nogroups |
10 | nonewprivs | 11 | nonewprivs |
11 | noroot | 12 | noroot |
13 | nosound | ||
14 | protocol unix | ||
12 | seccomp | 15 | seccomp |
13 | shell none | 16 | shell none |
14 | tracelog | 17 | tracelog |
15 | private-tmp | 18 | |
16 | private-dev | ||
17 | noexec ${HOME} | 19 | noexec ${HOME} |
18 | noexec /tmp | 20 | noexec /tmp |
19 | nogroups | 21 | |
20 | nosound | 22 | private-tmp |
21 | ipc-namespace | 23 | private-dev |
diff --git a/etc/mutt.profile b/etc/mutt.profile index cda7fc4bf..b532ded67 100644 --- a/etc/mutt.profile +++ b/etc/mutt.profile | |||
@@ -2,6 +2,7 @@ | |||
2 | 2 | ||
3 | noblacklist ~/.muttrc | 3 | noblacklist ~/.muttrc |
4 | noblacklist ~/.mutt | 4 | noblacklist ~/.mutt |
5 | noblacklist ~/.mutt/muttrc | ||
5 | noblacklist ~/.mailcap | 6 | noblacklist ~/.mailcap |
6 | noblacklist ~/.gnupg | 7 | noblacklist ~/.gnupg |
7 | noblacklist ~/.mail | 8 | noblacklist ~/.mail |
diff --git a/etc/okular.profile b/etc/okular.profile index df142ccfc..b43a5fbea 100644 --- a/etc/okular.profile +++ b/etc/okular.profile | |||
@@ -9,14 +9,15 @@ include /etc/firejail/disable-devel.inc | |||
9 | include /etc/firejail/disable-passwdmgr.inc | 9 | include /etc/firejail/disable-passwdmgr.inc |
10 | 10 | ||
11 | caps.drop all | 11 | caps.drop all |
12 | nonewprivs | ||
13 | nogroups | 12 | nogroups |
13 | nonewprivs | ||
14 | noroot | 14 | noroot |
15 | private-dev | ||
16 | protocol unix | 15 | protocol unix |
17 | seccomp | 16 | seccomp |
18 | nosound | 17 | nosound |
19 | 18 | ||
19 | private-dev | ||
20 | |||
20 | #Experimental: | 21 | #Experimental: |
21 | #net none | 22 | #net none |
22 | #shell none | 23 | #shell none |
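diff --git a/etc/openshot.profile b/etc/openshot.profile
new file mode 100644
--- /dev/null
+++ b/etc/openshot.profile
@@ -0,0 +1,13 @@
+# OpenShot profile
+noblacklist ${HOME}/.openshot
+noblacklist ${HOME}/.openshot_qt
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp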
diff --git a/etc/pidgin.profile b/etc/pidgin.profile index 47be2b6ea..850706145 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile | |||
@@ -8,8 +8,8 @@ include /etc/firejail/disable-programs.inc | |||
8 | 8 | ||
9 | caps.drop all | 9 | caps.drop all |
10 | netfilter | 10 | netfilter |
11 | nonewprivs | ||
12 | nogroups | 11 | nogroups |
12 | nonewprivs | ||
13 | noroot | 13 | noroot |
14 | protocol unix,inet,inet6 | 14 | protocol unix,inet,inet6 |
15 | seccomp | 15 | seccomp |
diff --git a/etc/pix.profile b/etc/pix.profile index 80c05fd09..e21ddadc6 100644 --- a/etc/pix.profile +++ b/etc/pix.profile | |||
@@ -8,8 +8,8 @@ include /etc/firejail/disable-devel.inc | |||
8 | include /etc/firejail/disable-passwdmgr.inc | 8 | include /etc/firejail/disable-passwdmgr.inc |
9 | 9 | ||
10 | caps.drop all | 10 | caps.drop all |
11 | nonewprivs | ||
12 | nogroups | 11 | nogroups |
12 | nonewprivs | ||
13 | noroot | 13 | noroot |
14 | nosound | 14 | nosound |
15 | protocol unix | 15 | protocol unix |
@@ -20,4 +20,3 @@ tracelog | |||
20 | private-bin pix | 20 | private-bin pix |
21 | whitelist /tmp/.X11-unix | 21 | whitelist /tmp/.X11-unix |
22 | private-dev | 22 | private-dev |
23 | |||
diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile index 22c5bafc5..a9323448b 100644 --- a/etc/psi-plus.profile +++ b/etc/psi-plus.profile | |||
@@ -14,10 +14,10 @@ whitelist ~/.local/share/psi+ | |||
14 | mkdir ~/.cache/psi+ | 14 | mkdir ~/.cache/psi+ |
15 | whitelist ~/.cache/psi+ | 15 | whitelist ~/.cache/psi+ |
16 | 16 | ||
17 | include /etc/firejail/whitelist-common.inc | ||
18 | |||
19 | caps.drop all | 17 | caps.drop all |
20 | netfilter | 18 | netfilter |
21 | noroot | 19 | noroot |
22 | protocol unix,inet,inet6 | 20 | protocol unix,inet,inet6 |
23 | seccomp | 21 | seccomp |
22 | |||
23 | include /etc/firejail/whitelist-common.inc | ||
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index 138b6db55..67829c9ca 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile | |||
@@ -15,6 +15,6 @@ seccomp | |||
15 | # there are some problems with "Open destination folder", see bug #536 | 15 | # there are some problems with "Open destination folder", see bug #536 |
16 | #shell none | 16 | #shell none |
17 | #private-bin qbittorrent | 17 | #private-bin qbittorrent |
18 | whitelist /tmp/.X11-unix | ||
19 | private-dev | 18 | private-dev |
20 | nosound | 19 | |
20 | whitelist /tmp/.X11-unix | ||
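Review bot: `nosound` at old line 20 is removed and nothing in the hunk shows another `nosound` earlier in the file, so unless one exists above line 15 this profile regains access to the audio devices; the same applies to `rtorrent.profile` (old line 19) further down. In `filezilla.profile` the removed copy is visibly a duplicate of its line 13, but here and in rtorrent the first copy, if any, lies outside the hunk, so please confirm before merging or keep the line, `nosound`, next to `private-dev`.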
diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile index 07ea173e6..06c0db206 100644 --- a/etc/qpdfview.profile +++ b/etc/qpdfview.profile | |||
@@ -18,5 +18,5 @@ shell none | |||
18 | tracelog | 18 | tracelog |
19 | 19 | ||
20 | private-bin qpdfview | 20 | private-bin qpdfview |
21 | private-tmp | ||
22 | private-dev | 21 | private-dev |
22 | private-tmp | ||
diff --git a/etc/qtox.profile b/etc/qtox.profile index 927487037..81d8aa10e 100644 --- a/etc/qtox.profile +++ b/etc/qtox.profile | |||
@@ -11,8 +11,8 @@ whitelist ${DOWNLOADS} | |||
11 | 11 | ||
12 | caps.drop all | 12 | caps.drop all |
13 | netfilter | 13 | netfilter |
14 | nonewprivs | ||
15 | nogroups | 14 | nogroups |
15 | nonewprivs | ||
16 | noroot | 16 | noroot |
17 | protocol unix,inet,inet6 | 17 | protocol unix,inet,inet6 |
18 | seccomp | 18 | seccomp |
diff --git a/etc/quiterss.profile b/etc/quiterss.profile index 2ab5d8a8e..2b28fce73 100644 --- a/etc/quiterss.profile +++ b/etc/quiterss.profile | |||
@@ -14,16 +14,17 @@ whitelist ${HOME}/.cache/QuiteRss | |||
14 | 14 | ||
15 | caps.drop all | 15 | caps.drop all |
16 | netfilter | 16 | netfilter |
17 | nonewprivs | ||
18 | nogroups | 17 | nogroups |
18 | nonewprivs | ||
19 | noroot | 19 | noroot |
20 | private-bin quiterss | ||
21 | private-dev | ||
22 | nosound | 20 | nosound |
23 | #private-etc X11,ssl | ||
24 | protocol unix,inet,inet6 | 21 | protocol unix,inet,inet6 |
25 | seccomp | 22 | seccomp |
26 | shell none | 23 | shell none |
27 | tracelog | 24 | tracelog |
28 | 25 | ||
26 | private-bin quiterss | ||
27 | private-dev | ||
28 | #private-etc X11,ssl | ||
29 | |||
29 | include /etc/firejail/whitelist-common.inc | 30 | include /etc/firejail/whitelist-common.inc |
diff --git a/etc/ranger.profile b/etc/ranger.profile index a040cd6bc..323e64dee 100644 --- a/etc/ranger.profile +++ b/etc/ranger.profile | |||
@@ -12,13 +12,12 @@ include /etc/firejail/disable-passwdmgr.inc | |||
12 | caps.drop all | 12 | caps.drop all |
13 | netfilter | 13 | netfilter |
14 | net none | 14 | net none |
15 | nogroups | ||
15 | nonewprivs | 16 | nonewprivs |
16 | noroot | 17 | noroot |
17 | nogroups | ||
18 | protocol unix | 18 | protocol unix |
19 | seccomp | 19 | seccomp |
20 | nosound | 20 | nosound |
21 | 21 | ||
22 | private-tmp | 22 | private-tmp |
23 | private-dev | 23 | private-dev |
24 | |||
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index 0e8527ae7..e5e192486 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile | |||
@@ -5,8 +5,8 @@ include /etc/firejail/disable-devel.inc | |||
5 | include /etc/firejail/disable-passwdmgr.inc | 5 | include /etc/firejail/disable-passwdmgr.inc |
6 | 6 | ||
7 | caps.drop all | 7 | caps.drop all |
8 | nogroups | ||
9 | netfilter | 8 | netfilter |
9 | nogroups | ||
10 | nonewprivs | 10 | nonewprivs |
11 | noroot | 11 | noroot |
12 | protocol unix,inet,inet6 | 12 | protocol unix,inet,inet6 |
diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index 15df2c374..1226a51cd 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile | |||
@@ -16,4 +16,3 @@ shell none | |||
16 | private-bin rtorrent | 16 | private-bin rtorrent |
17 | whitelist /tmp/.X11-unix | 17 | whitelist /tmp/.X11-unix |
18 | private-dev | 18 | private-dev |
19 | nosound | ||
diff --git a/etc/server.profile b/etc/server.profile index 22cef0a3c..b8a34feb2 100644 --- a/etc/server.profile +++ b/etc/server.profile | |||
@@ -6,11 +6,12 @@ include /etc/firejail/disable-common.inc | |||
6 | include /etc/firejail/disable-programs.inc | 6 | include /etc/firejail/disable-programs.inc |
7 | include /etc/firejail/disable-passwdmgr.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
8 | 8 | ||
9 | private | ||
10 | private-dev | ||
11 | nosound | ||
12 | no3d | ||
13 | private-tmp | ||
14 | blacklist /tmp/.X11-unix | 9 | blacklist /tmp/.X11-unix |
10 | |||
11 | no3d | ||
12 | nosound | ||
15 | seccomp | 13 | seccomp |
16 | 14 | ||
15 | private | ||
16 | private-dev | ||
17 | private-tmp | ||
diff --git a/etc/slack.profile b/etc/slack.profile index 1009f7ee0..a85a28f03 100644 --- a/etc/slack.profile +++ b/etc/slack.profile | |||
@@ -1,3 +1,4 @@ | |||
1 | # Firejail profile for Slack | ||
1 | noblacklist ${HOME}/.config/Slack | 2 | noblacklist ${HOME}/.config/Slack |
2 | noblacklist ${HOME}/Downloads | 3 | noblacklist ${HOME}/Downloads |
3 | 4 | ||
@@ -6,25 +7,25 @@ include /etc/firejail/disable-programs.inc | |||
6 | include /etc/firejail/disable-devel.inc | 7 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-passwdmgr.inc | 8 | include /etc/firejail/disable-passwdmgr.inc |
8 | 9 | ||
9 | mkdir ${HOME}/.config | ||
10 | mkdir ${HOME}/.config/Slack | ||
11 | whitelist ${HOME}/.config/Slack | ||
12 | whitelist ${HOME}/Downloads | ||
13 | |||
14 | protocol unix,inet,inet6,netlink | ||
15 | private-dev | ||
16 | private-tmp | ||
17 | private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime | ||
18 | name slack | ||
19 | blacklist /var | 10 | blacklist /var |
20 | 11 | ||
21 | include /etc/firejail/whitelist-common.inc | ||
22 | |||
23 | caps.drop all | 12 | caps.drop all |
24 | seccomp | 13 | name slack |
25 | netfilter | 14 | netfilter |
26 | nonewprivs | ||
27 | nogroups | 15 | nogroups |
16 | nonewprivs | ||
28 | noroot | 17 | noroot |
18 | protocol unix,inet,inet6,netlink | ||
19 | seccomp | ||
29 | shell none | 20 | shell none |
21 | |||
30 | private-bin slack | 22 | private-bin slack |
23 | private-dev | ||
24 | private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime | ||
25 | private-tmp | ||
26 | |||
27 | mkdir ${HOME}/.config | ||
28 | mkdir ${HOME}/.config/Slack | ||
29 | whitelist ${HOME}/.config/Slack | ||
30 | whitelist ${HOME}/Downloads | ||
31 | include /etc/firejail/whitelist-common.inc | ||
diff --git a/etc/spotify.profile b/etc/spotify.profile index 73d427db3..6dbcc03ee 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile | |||
@@ -7,16 +7,13 @@ include /etc/firejail/disable-programs.inc | |||
7 | include /etc/firejail/disable-devel.inc | 7 | include /etc/firejail/disable-devel.inc |
8 | include /etc/firejail/disable-passwdmgr.inc | 8 | include /etc/firejail/disable-passwdmgr.inc |
9 | 9 | ||
10 | # Whitelist the folders needed by Spotify - This is more restrictive | 10 | # Whitelist the folders needed by Spotify |
11 | # than a blacklist though, but this is all spotify requires for | ||
12 | # streaming audio | ||
13 | mkdir ${HOME}/.config/spotify | 11 | mkdir ${HOME}/.config/spotify |
14 | whitelist ${HOME}/.config/spotify | 12 | whitelist ${HOME}/.config/spotify |
15 | mkdir ${HOME}/.local/share/spotify | 13 | mkdir ${HOME}/.local/share/spotify |
16 | whitelist ${HOME}/.local/share/spotify | 14 | whitelist ${HOME}/.local/share/spotify |
17 | mkdir ${HOME}/.cache/spotify | 15 | mkdir ${HOME}/.cache/spotify |
18 | whitelist ${HOME}/.cache/spotify | 16 | whitelist ${HOME}/.cache/spotify |
19 | include /etc/firejail/whitelist-common.inc | ||
20 | 17 | ||
21 | caps.drop all | 18 | caps.drop all |
22 | netfilter | 19 | netfilter |
@@ -27,5 +24,20 @@ protocol unix,inet,inet6,netlink | |||
27 | seccomp | 24 | seccomp |
28 | shell none | 25 | shell none |
29 | 26 | ||
30 | #private-bin spotify | 27 | private-bin spotify |
28 | private-etc fonts,machine-id,pulse,resolv.conf | ||
31 | private-dev | 29 | private-dev |
30 | private-tmp | ||
31 | |||
32 | blacklist ${HOME}/.Xauthority | ||
33 | blacklist ${HOME}/.bashrc | ||
34 | blacklist /boot | ||
35 | blacklist /lost+found | ||
36 | blacklist /media | ||
37 | blacklist /mnt | ||
38 | blacklist /opt | ||
39 | blacklist /root | ||
40 | blacklist /sbin | ||
41 | blacklist /srv | ||
42 | blacklist /sys | ||
43 | blacklist /var | ||
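Review bot: `private-etc fonts,machine-id,pulse,resolv.conf` is narrower than what the other network clients in this commit get (slack keeps `ld.so.conf,ld.so.cache,localtime`), and it exposes nothing from /etc/ssl, so now that `private-bin spotify` is enabled rather than commented out the client may fail at loader-cache lookups or TLS certificate verification; `private-etc fonts,machine-id,pulse,resolv.conf,ld.so.conf,ld.so.cache,localtime,ssl,ca-certificates` (exact names vary by distribution) is the safer baseline to test against. The `blacklist ${HOME}/.Xauthority` and `blacklist ${HOME}/.bashrc` lines are redundant once the `whitelist ${HOME}/.config/spotify` lines put the home directory into whitelist mode, and dropping `include /etc/firejail/whitelist-common.inc` at the same time removes the one include that presumably re-exposes the X and theme files a GUI client needs — confirm the display still opens under the new profile. The ten `blacklist /boot` … `blacklist /var` lines may duplicate what disable-common.inc already hides; if they are meant as belt-and-braces, a one-line comment saying so would stop the next editor pruning them.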
diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile new file mode 100644 index 000000000..ee19cee25 --- /dev/null +++ b/etc/start-tor-browser.profile | |||
@@ -0,0 +1,20 @@ | |||
1 | # Firejail profile for the Tor Brower Bundle | ||
2 | include /etc/firejail/disable-common.inc | ||
3 | include /etc/firejail/disable-devel.inc | ||
4 | include /etc/firejail/disable-passwdmgr.inc | ||
5 | include /etc/firejail/disable-programs.inc | ||
6 | |||
7 | caps.drop all | ||
8 | netfilter | ||
9 | nogroups | ||
10 | nonewprivs | ||
11 | noroot | ||
12 | protocol unix,inet,inet6 | ||
13 | seccomp | ||
14 | shell none | ||
15 | tracelog | ||
16 | |||
17 | private-bin bash,grep,sed,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf | ||
18 | private-etc fonts | ||
19 | private-dev | ||
20 | private-tmp | ||
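Review bot: `sed` is listed twice in the `private-bin` line, and that list only covers the launcher script's helpers while `private-etc fonts` gives the bundled firefox and tor no `ld.so.cache`, `localtime` or `resolv.conf` (the last is probably harmless since resolution should go over tor) — confirm the bundle actually starts under this profile, or widen it to `private-etc fonts,ld.so.conf,ld.so.cache,localtime` as the slack profile in this commit does, and drop the duplicate. `protocol unix,inet,inet6` omits netlink, which the other browser-like profiles here (atom, slack) allow; check that firefox does not need it for interface enumeration before shipping. A comment naming the Tor Browser release the helper list was derived from would help, since start-tor-browser is a shell script whose set of external commands changes between versions. The `# Firejail profile for the Tor Brower Bundle` header also has a typo in "Browser".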
diff --git a/etc/strings.profile b/etc/strings.profile index f99a65009..7c464bf88 100644 --- a/etc/strings.profile +++ b/etc/strings.profile | |||
@@ -1,10 +1,11 @@ | |||
1 | # strings profile | 1 | # strings profile |
2 | quiet | ||
3 | ignore noroot | 2 | ignore noroot |
4 | include /etc/firejail/default.profile | 3 | include /etc/firejail/default.profile |
5 | tracelog | 4 | |
6 | net none | 5 | net none |
7 | shell none | ||
8 | private-dev | ||
9 | nosound | 6 | nosound |
7 | quiet | ||
8 | shell none | ||
9 | tracelog | ||
10 | 10 | ||
11 | private-dev | ||
diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile index d46467b99..69b2a0db2 100644 --- a/etc/synfigstudio.profile +++ b/etc/synfigstudio.profile | |||
@@ -11,7 +11,9 @@ nonewprivs | |||
11 | noroot | 11 | noroot |
12 | protocol unix | 12 | protocol unix |
13 | seccomp | 13 | seccomp |
14 | private-dev | 14 | |
15 | private-tmp | ||
16 | noexec ${HOME} | 15 | noexec ${HOME} |
17 | noexec /tmp | 16 | noexec /tmp |
17 | |||
18 | private-dev | ||
19 | private-tmp | ||
diff --git a/etc/tar.profile b/etc/tar.profile index 663ac3805..91fdaf48d 100644 --- a/etc/tar.profile +++ b/etc/tar.profile | |||
@@ -1,18 +1,18 @@ | |||
1 | # tar profile | 1 | # tar profile |
2 | quiet | ||
3 | ignore noroot | 2 | ignore noroot |
4 | include /etc/firejail/default.profile | 3 | include /etc/firejail/default.profile |
5 | 4 | ||
6 | tracelog | 5 | blacklist /tmp/.X11-unix |
6 | |||
7 | hostname tar | ||
7 | net none | 8 | net none |
9 | no3d | ||
10 | nosound | ||
11 | quiet | ||
8 | shell none | 12 | shell none |
13 | tracelog | ||
9 | 14 | ||
10 | # support compressed archives | 15 | # support compressed archives |
11 | private-bin sh,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop | 16 | private-bin sh,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop |
12 | private-dev | 17 | private-dev |
13 | nosound | ||
14 | no3d | ||
15 | private-etc passwd,group,localtime | 18 | private-etc passwd,group,localtime |
16 | hostname tar | ||
17 | blacklist /tmp/.X11-unix | ||
18 | |||
diff --git a/etc/telegram.profile b/etc/telegram.profile index 8e91e426b..7615c8eef 100644 --- a/etc/telegram.profile +++ b/etc/telegram.profile | |||
@@ -10,4 +10,3 @@ nonewprivs | |||
10 | noroot | 10 | noroot |
11 | protocol unix,inet,inet6 | 11 | protocol unix,inet,inet6 |
12 | seccomp | 12 | seccomp |
13 | |||
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index 0cfa4fcfc..316cdfec6 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile | |||
@@ -18,6 +18,6 @@ shell none | |||
18 | tracelog | 18 | tracelog |
19 | 19 | ||
20 | private-bin transmission-gtk | 20 | private-bin transmission-gtk |
21 | whitelist /tmp/.X11-unix | ||
22 | private-dev | 21 | private-dev |
23 | 22 | ||
23 | whitelist /tmp/.X11-unix | ||
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index 754211a63..51c58e224 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile | |||
@@ -14,9 +14,10 @@ noroot | |||
14 | nosound | 14 | nosound |
15 | protocol unix,inet,inet6 | 15 | protocol unix,inet,inet6 |
16 | seccomp | 16 | seccomp |
17 | shell none | ||
17 | tracelog | 18 | tracelog |
18 | 19 | ||
19 | shell none | ||
20 | private-bin transmission-qt | 20 | private-bin transmission-qt |
21 | whitelist /tmp/.X11-unix | ||
22 | private-dev | 21 | private-dev |
22 | |||
23 | whitelist /tmp/.X11-unix | ||
diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index 522b4bd1e..f42e6c69a 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile | |||
@@ -9,17 +9,16 @@ caps.drop all | |||
9 | netfilter | 9 | netfilter |
10 | nonewprivs | 10 | nonewprivs |
11 | noroot | 11 | noroot |
12 | nosound | ||
12 | protocol unix,inet,inet6 | 13 | protocol unix,inet,inet6 |
13 | seccomp | 14 | seccomp |
15 | shell none | ||
14 | 16 | ||
17 | private-bin uget-gtk | ||
18 | private-dev | ||
19 | |||
20 | whitelist /tmp/.X11-unix | ||
15 | whitelist ${DOWNLOADS} | 21 | whitelist ${DOWNLOADS} |
16 | mkdir ~/.config/uGet | 22 | mkdir ~/.config/uGet |
17 | whitelist ~/.config/uGet | 23 | whitelist ~/.config/uGet |
18 | include /etc/firejail/whitelist-common.inc | 24 | include /etc/firejail/whitelist-common.inc |
19 | |||
20 | shell none | ||
21 | private-bin uget-gtk | ||
22 | whitelist /tmp/.X11-unix | ||
23 | private-dev | ||
24 | nosound | ||
25 | |||
diff --git a/etc/unrar.profile b/etc/unrar.profile index f29d1b51b..0700cafe9 100644 --- a/etc/unrar.profile +++ b/etc/unrar.profile | |||
@@ -1,17 +1,18 @@ | |||
1 | # unrar profile | 1 | # unrar profile |
2 | quiet | ||
3 | ignore noroot | 2 | ignore noroot |
4 | include /etc/firejail/default.profile | 3 | include /etc/firejail/default.profile |
5 | 4 | ||
6 | tracelog | 5 | blacklist /tmp/.X11-unix |
6 | |||
7 | hostname unrar | ||
7 | net none | 8 | net none |
9 | no3d | ||
10 | nosound | ||
11 | quiet | ||
8 | shell none | 12 | shell none |
13 | tracelog | ||
14 | |||
9 | private-bin unrar | 15 | private-bin unrar |
10 | private-dev | 16 | private-dev |
11 | nosound | ||
12 | no3d | ||
13 | private-etc passwd,group,localtime | 17 | private-etc passwd,group,localtime |
14 | hostname unrar | ||
15 | private-tmp | 18 | private-tmp |
16 | blacklist /tmp/.X11-unix | ||
17 | |||
diff --git a/etc/unzip.profile b/etc/unzip.profile index 07224855f..a43785795 100644 --- a/etc/unzip.profile +++ b/etc/unzip.profile | |||
@@ -1,16 +1,16 @@ | |||
1 | # unzip profile | 1 | # unzip profile |
2 | quiet | ||
3 | ignore noroot | 2 | ignore noroot |
4 | include /etc/firejail/default.profile | 3 | include /etc/firejail/default.profile |
4 | blacklist /tmp/.X11-unix | ||
5 | 5 | ||
6 | tracelog | 6 | hostname unzip |
7 | net none | 7 | net none |
8 | no3d | ||
9 | nosound | ||
10 | quiet | ||
8 | shell none | 11 | shell none |
12 | tracelog | ||
13 | |||
9 | private-bin unzip | 14 | private-bin unzip |
10 | private-etc passwd,group,localtime | ||
11 | hostname unzip | ||
12 | private-dev | 15 | private-dev |
13 | nosound | 16 | private-etc passwd,group,localtime |
14 | no3d | ||
15 | blacklist /tmp/.X11-unix | ||
16 | |||
diff --git a/etc/uudeview.profile b/etc/uudeview.profile index 8ea9d5163..5ba0896ab 100644 --- a/etc/uudeview.profile +++ b/etc/uudeview.profile | |||
@@ -1,15 +1,15 @@ | |||
1 | # uudeview profile | 1 | # uudeview profile |
2 | quiet | ||
3 | ignore noroot | 2 | ignore noroot |
4 | include /etc/firejail/default.profile | 3 | include /etc/firejail/default.profile |
5 | 4 | ||
6 | tracelog | 5 | blacklist /etc |
6 | |||
7 | hostname uudeview | ||
7 | net none | 8 | net none |
9 | nosound | ||
10 | quiet | ||
8 | shell none | 11 | shell none |
12 | tracelog | ||
13 | |||
9 | private-bin uudeview | 14 | private-bin uudeview |
10 | private-dev | 15 | private-dev |
11 | private-etc nonexisting_fakefile_for_empty_etc | ||
12 | hostname uudeview | ||
13 | nosound | ||
14 | uudeview | ||
15 | |||
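Review bot: `blacklist /etc` is not equivalent to the `private-etc nonexisting_fakefile_for_empty_etc` it replaces: private-etc gave the sandbox an empty but readable /etc, whereas blacklist makes the whole directory inaccessible (or an empty read-only mount, depending on the firejail version), so anything libc or uudeview touches at start — `/etc/ld.so.cache`, `/etc/localtime`, `/etc/passwd` — now fails rather than finds nothing; worth one run to confirm the decoder still starts on untrusted input. If an empty /etc was the intent, a single harmless entry such as `private-etc localtime` expresses it without the placeholder filename. Removing the stray bare `uudeview` line is correct, since it was not a profile directive.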
diff --git a/etc/vim.profile b/etc/vim.profile index 3c1fefe41..b161fcbb0 100644 --- a/etc/vim.profile +++ b/etc/vim.profile | |||
@@ -1,5 +1,4 @@ | |||
1 | # vim profile | 1 | # vim profile |
2 | |||
3 | noblacklist ~/.vim | 2 | noblacklist ~/.vim |
4 | noblacklist ~/.vimrc | 3 | noblacklist ~/.vimrc |
5 | noblacklist ~/.viminfo | 4 | noblacklist ~/.viminfo |
@@ -10,8 +9,8 @@ include /etc/firejail/disable-passwdmgr.inc | |||
10 | 9 | ||
11 | caps.drop all | 10 | caps.drop all |
12 | netfilter | 11 | netfilter |
12 | nogroups | ||
13 | nonewprivs | 13 | nonewprivs |
14 | noroot | 14 | noroot |
15 | nogroups | ||
16 | protocol unix,inet,inet6 | 15 | protocol unix,inet,inet6 |
17 | seccomp | 16 | seccomp |
diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile new file mode 100644 index 000000000..148b7efc8 --- /dev/null +++ b/etc/virtualbox.profile | |||
@@ -0,0 +1,12 @@ | |||
1 | # VirtualBox profile | ||
2 | |||
3 | noblacklist ${HOME}/.VirtualBox | ||
4 | noblacklist ${HOME}/VirtualBox VMs | ||
5 | noblacklist ${HOME}/.config/VirtualBox | ||
6 | include /etc/firejail/disable-common.inc | ||
7 | include /etc/firejail/disable-programs.inc | ||
8 | include /etc/firejail/disable-passwdmgr.inc | ||
9 | |||
10 | caps.drop all | ||
11 | |||
12 | |||
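Review bot: `caps.drop all` is the only hardening directive in the new profile; unlike every other profile in this commit (xiphos, slack, start-tor-browser) there is no `nonewprivs`, `noroot`, `seccomp`, `protocol` or `netfilter`, and nothing says why. If VirtualBox's setuid-root helper binaries are the reason nonewprivs and noroot cannot be used, state it: `# VirtualBox runs setuid helpers: nonewprivs/noroot break them, so caps.drop all is the only restriction here`, and test whether `seccomp` and `protocol unix,inet,inet6,netlink` can still be added, because without nonewprivs a setuid binary inside the jail still switches uid and the profile restricts less than its presence suggests. `noblacklist ${HOME}/VirtualBox VMs` contains a space; confirm the parser takes the rest of the line as the path rather than stopping at the first blank. The two trailing blank lines can go.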
diff --git a/etc/xiphos.profile b/etc/xiphos.profile new file mode 100644 index 000000000..b7fb6ecf3 --- /dev/null +++ b/etc/xiphos.profile | |||
@@ -0,0 +1,30 @@ | |||
1 | # Firejail profile for xiphos | ||
2 | noblacklist ~/.sword | ||
3 | noblacklist ~/.xiphos | ||
4 | |||
5 | include /etc/firejail/disable-common.inc | ||
6 | include /etc/firejail/disable-devel.inc | ||
7 | include /etc/firejail/disable-passwdmgr.inc | ||
8 | include /etc/firejail/disable-programs.inc | ||
9 | |||
10 | blacklist ~/.bashrc | ||
11 | blacklist ~/.Xauthority | ||
12 | |||
13 | caps.drop all | ||
14 | netfilter | ||
15 | nogroups | ||
16 | nonewprivs | ||
17 | noroot | ||
18 | nosound | ||
19 | protocol unix,inet,inet6 | ||
20 | seccomp | ||
21 | shell none | ||
22 | tracelog | ||
23 | |||
24 | private-bin xiphos | ||
25 | private-etc fonts,resolv.conf,sword | ||
26 | private-dev | ||
27 | private-tmp | ||
28 | |||
29 | whitelist ${HOME}/.sword | ||
30 | whitelist ${HOME}/.xiphos | ||
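Review bot: The `whitelist ${HOME}/.sword` and `whitelist ${HOME}/.xiphos` lines put the home directory into whitelist mode, which makes `blacklist ~/.bashrc` and `blacklist ~/.Xauthority` redundant, yet the profile does not `include /etc/firejail/whitelist-common.inc` after them the way the slack profile in this commit does — for a GTK application that include is presumably what re-exposes the X authority and theme files, so either confirm xiphos still gets a display without it or add `include /etc/firejail/whitelist-common.inc` after the two whitelist lines. `private-etc fonts,resolv.conf,sword` is also narrower than slack's (`ld.so.conf,ld.so.cache,localtime`), and if xiphos fetches modules over HTTPS an `ssl`/`ca-certificates` entry will be needed too; a module install under the profile is the quick check. Mixing `~` and `${HOME}` in one file is harmless but worth normalising.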
diff --git a/etc/xpdf.profile b/etc/xpdf.profile index e036fba21..7ea368bbe 100644 --- a/etc/xpdf.profile +++ b/etc/xpdf.profile | |||
@@ -7,15 +7,12 @@ include /etc/firejail/disable-programs.inc | |||
7 | include /etc/firejail/disable-passwdmgr.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
8 | 8 | ||
9 | caps.drop all | 9 | caps.drop all |
10 | shell none | 10 | net none |
11 | nonewprivs | 11 | nonewprivs |
12 | noroot | 12 | noroot |
13 | protocol unix | 13 | protocol unix |
14 | shell none | ||
14 | seccomp | 15 | seccomp |
16 | |||
15 | private-dev | 17 | private-dev |
16 | private-tmp | 18 | private-tmp |
17 | net none | ||
18 | |||
19 | |||
20 | |||
21 | |||
diff --git a/etc/xplayer.profile b/etc/xplayer.profile index 54d5ed89b..191d2f67f 100644 --- a/etc/xplayer.profile +++ b/etc/xplayer.profile | |||
@@ -9,8 +9,8 @@ include /etc/firejail/disable-passwdmgr.inc | |||
9 | 9 | ||
10 | caps.drop all | 10 | caps.drop all |
11 | netfilter | 11 | netfilter |
12 | nonewprivs | ||
13 | nogroups | 12 | nogroups |
13 | nonewprivs | ||
14 | noroot | 14 | noroot |
15 | protocol unix,inet,inet6 | 15 | protocol unix,inet,inet6 |
16 | seccomp | 16 | seccomp |
diff --git a/etc/xzdec.profile b/etc/xzdec.profile index a9d027c38..04f98cef6 100644 --- a/etc/xzdec.profile +++ b/etc/xzdec.profile | |||
@@ -1,12 +1,14 @@ | |||
1 | # xzdec profile | 1 | # xzdec profile |
2 | quiet | ||
3 | ignore noroot | 2 | ignore noroot |
4 | include /etc/firejail/default.profile | 3 | include /etc/firejail/default.profile |
5 | tracelog | 4 | |
6 | net none | ||
7 | shell none | ||
8 | blacklist /tmp/.X11-unix | 5 | blacklist /tmp/.X11-unix |
9 | private-dev | 6 | |
10 | nosound | 7 | net none |
11 | no3d | 8 | no3d |
9 | nosound | ||
10 | quiet | ||
11 | shell none | ||
12 | tracelog | ||
12 | 13 | ||
14 | private-dev | ||
diff --git a/etc/zathura.profile b/etc/zathura.profile index 7093c52b2..ab2e99dbc 100644 --- a/etc/zathura.profile +++ b/etc/zathura.profile | |||
@@ -7,14 +7,14 @@ include /etc/firejail/disable-devel.inc | |||
7 | include /etc/firejail/disable-passwdmgr.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
8 | 8 | ||
9 | caps.drop all | 9 | caps.drop all |
10 | seccomp | ||
11 | protocol unix | ||
12 | netfilter | 10 | netfilter |
11 | nogroups | ||
13 | nonewprivs | 12 | nonewprivs |
14 | noroot | 13 | noroot |
15 | nogroups | ||
16 | nosound | 14 | nosound |
17 | shell none | 15 | shell none |
16 | seccomp | ||
17 | protocol unix | ||
18 | 18 | ||
19 | private-bin zathura | 19 | private-bin zathura |
20 | private-dev | 20 | private-dev |