author | Fred-Barclay <Fred-Barclay@users.noreply.github.com> | 2017-09-19 23:26:22 -0500 |
---|---|---|
committer | Fred-Barclay <Fred-Barclay@users.noreply.github.com> | 2017-09-19 23:26:22 -0500 |
commit | 88c3a266eaaab9a41fe56c7c012ced5d6c33c6d2 (patch) | |
tree | ff4ab558330f8c566ddf7e9909a57e71913a232a /etc | |
parent | Fix private-bit filter for firefox on Arch (diff) | |
parent | add nogroups (diff) | |
Merge branch 'master' of https://github.com/netblue30/firejail
Diffstat (limited to 'etc')
100 files changed, 1300 insertions, 10 deletions
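--- a/etc/2048-qt.profile
+++ b/etc/2048-qt.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd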
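--- /dev/null
+++ b/etc/Natron.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for natron
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/natron.profile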
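--- /dev/null
+++ b/etc/Viber.profile
@@ -0,0 +1,38 @@
+# Firejail profile for Viber
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/Viber.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.ViberPC
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.ViberPC
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin sh,bash,dash,dig,awk,Viber
+private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf
+private-tmp
+
+noexec ${HOME}
+noexec /tmp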
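Review bot: `private-bin sh,bash,dash,dig,awk,Viber` on L65 admits three shells plus awk and dig into the sandbox with no comment on why they are needed; private-bin defines exactly which programs the sandboxed process can execute, so every extra entry widens that set. Presumably the Viber start script is a shell wrapper that calls dig and awk, but nothing in the profile says so, and a maintainer cannot tell later which of sh, bash and dash is actually used. A comment above the line such as `# sh/bash/dash, dig and awk are used by the Viber launcher wrapper — TODO confirm which are required` would let the list be trimmed with confidence.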
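--- a/etc/akregator.profile
+++ b/etc/akregator.profile
@@ -13,6 +13,12 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+mkfile ${HOME}/.config/akregatorrc
+mkdir ${HOME}/.local/share/akregator
+whitelist ${HOME}/.config/akregatorrc
+whitelist ${HOME}/.local/share/akregator
+include /etc/firejail/whitelist-common.inc
+
 caps.drop all
 netfilter
 no3d
@@ -27,6 +33,7 @@ seccomp
 shell none
 
 disable-mnt
+private-bin akregator,akregatorstorageexporter,dbus-launch,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper
 private-dev
 private-tmp
 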
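--- a/etc/amarok.profile
+++ b/etc/amarok.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nogroups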
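--- /dev/null
+++ b/etc/amule.profile
@@ -0,0 +1,40 @@
+# Firejail profile for amule
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/amule.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.aMule
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.aMule
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin amule
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp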
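--- /dev/null
+++ b/etc/ardour4.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for ardour5
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/ardour5.profile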
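--- /dev/null
+++ b/etc/ardour5.profile
@@ -0,0 +1,37 @@
+# Firejail profile for ardour5
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/ardour5.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.config/ardour4
+noblacklist ${HOME}/.config/ardour5
+noblacklist ${HOME}/.lv2
+noblacklist ${HOME}/.vst
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix
+seccomp
+shell none
+
+#private-bin sh,ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm
+private-dev
+#private-etc pulse,X11,alternatives,ardour4,ardour5,fonts
+private-tmp
+
+noexec ${HOME}
+noexec /tmp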
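Review bot: The `#private-bin …` and `#private-etc …` lines at L185 and L187 ship disabled with no reason given, so the next maintainer cannot tell whether they were never tested, were found to break the program, or are waiting on something. A one-line comment on each, e.g. `# private-bin disabled: <reason> — TODO re-enable once verified`, keeps the intent, and if the list is only a hint for users it belongs in the man page or a .local file rather than in the shipped profile. The same applies to `#private-bin cin` in cin.profile, `#private-bin darktable` in darktable.profile, `#private-bin dia` in dia.profile and `#private-bin fetchmail,procmail,bash,chmod` in fetchmail.profile in this commit.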
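--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 notv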
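--- /dev/null
+++ b/etc/brackets.profile
@@ -0,0 +1,29 @@
+# Firejail profile for brackets
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/brackets.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/Brackets
+noblacklist /opt/brackets/
+noblacklist /opt/google/
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev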
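Review bot: `noblacklist /opt/google/` on L212 re-exposes the Google Chrome installation directory inside a Brackets sandbox without saying why, so a reader cannot tell whether it is required (presumably for Live Preview launching Chrome) or a leftover that will be kept past its usefulness. A reason next to the line, e.g. `# /opt/google: Live Preview launches Chrome from here — TODO confirm`, would fix that. The profile also omits `private-tmp` and `noexec ${HOME}`, which every other full profile in this commit sets; if that is deliberate for an editor that runs project scripts from the user's tree, a comment stating so would save the next reviewer from re-raising it.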
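--- a/etc/calibre.profile
+++ b/etc/calibre.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 no3d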
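--- /dev/null
+++ b/etc/calligra.profile
@@ -0,0 +1,29 @@
+# Firejail profile for calligra
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/calligra.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch
+private-dev
+
+noexec ${HOME}
+noexec /tmp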
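--- /dev/null
+++ b/etc/calligraauthor.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile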
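--- /dev/null
+++ b/etc/calligraconverter.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile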
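--- /dev/null
+++ b/etc/calligraflow.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile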
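--- /dev/null
+++ b/etc/calligraplan.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile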
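--- /dev/null
+++ b/etc/calligraplanwork.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile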
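--- /dev/null
+++ b/etc/calligrasheets.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile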
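--- /dev/null
+++ b/etc/calligrastage.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile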
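--- /dev/null
+++ b/etc/calligrawords.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile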
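--- a/etc/catfish.profile
+++ b/etc/catfish.profile
@@ -8,8 +8,13 @@ include /etc/firejail/globals.local
 # We can't blacklist much since catfish
 # is for finding files/content
 noblacklist ~/.config/catfish
+include /etc/firejail/disable-common.inc
+# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 
-include /etc/firejail/disable-devel.inc
+whitelist /var/lib/mlocate
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 net none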
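Review bot: The header comment kept at L339-340, `# We can't blacklist much since catfish` / `# is for finding files/content`, is contradicted by the new includes at L342-345: disable-common.inc and disable-programs.inc hide large parts of ${HOME}, so a search run under this profile will silently not find content there. Reword the comment to say what is now hidden on purpose and why, e.g. `# disable-*.inc hide dotfiles, credentials and program data from the search on purpose`, and give the reason the lone `# include /etc/firejail/disable-devel.inc` at L343 is commented out instead of leaving it bare. `whitelist /var/lib/mlocate` on L347 only makes the path visible; it does not change the database's permissions, so whether the locate backend works inside the sandbox presumably still depends on the sandboxed user being allowed to read it — worth a comment next to the line as well.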
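--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -23,6 +23,7 @@ whitelist ~/.config/chromium
 whitelist ~/.config/chromium-flags.conf
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.keep sys_chroot,sys_admin
 netfilter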
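--- /dev/null
+++ b/etc/cin.profile
@@ -0,0 +1,31 @@
+# Firejail profile for cin
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/cin.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.bcast5
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+notv
+noroot
+protocol unix
+seccomp
+shell none
+
+#private-bin cin
+private-dev
+
+noexec ${HOME}
+noexec /tmp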
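--- /dev/null
+++ b/etc/clamav.profile
@@ -0,0 +1,32 @@
+# Firejail profile for clamav
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include /etc/firejail/clamav.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-dev
+read-only ${HOME}
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp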
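Review bot: clamav.profile includes none of the disable-*.inc files and makes `${HOME}` read-only on L423, but neither choice is explained, and since clamscan, clamdscan and clamdtop are all aliased to this profile a reader needs to know that the scanner is meant to see every user file and never modify one. The read-only mount also means clamscan invocations that write into `${HOME}` (moving or removing infected files, or logging there) will fail inside the sandbox, which should be stated so it is not reported as a bug. Suggest a short comment block after L402, e.g. `# No disable-*.inc: the scanner must be able to read all user files` and `# read-only ${HOME}: a scanner must not alter what it scans; --move/--remove will not work here`.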
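--- /dev/null
+++ b/etc/clamdscan.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for clamav
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/clamav.profile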
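--- /dev/null
+++ b/etc/clamdtop.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for clamav
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/clamav.profile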
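--- /dev/null
+++ b/etc/clamscan.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for clamav
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/clamav.profile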
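--- /dev/null
+++ b/etc/conky.profile
@@ -0,0 +1,35 @@
+# Firejail profile for conky
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/conky.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp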
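--- a/etc/darktable.profile
+++ b/etc/darktable.profile
@@ -26,6 +26,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
+#private-bin darktable
 private-dev
 private-tmp
 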
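--- a/etc/dia.profile
+++ b/etc/dia.profile
@@ -27,6 +27,7 @@ seccomp
 shell none
 
 disable-mnt
+#private-bin dia
 private-dev
 private-tmp
 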
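--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -14,6 +14,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd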
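--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -2,13 +2,15 @@
 # Persistent customizations should go in a .local file.
 include /etc/firejail/disable-common.local
 
-# History files in $HOME
+# History files and clipboard managers in $HOME
 blacklist-nolog ${HOME}/.*_history
 blacklist-nolog ${HOME}/.adobe
 blacklist-nolog ${HOME}/.bash_history
 blacklist-nolog ${HOME}/.history
 blacklist-nolog ${HOME}/.local/share/fish/fish_history
 blacklist-nolog ${HOME}/.macromedia
+blacklist-nolog /tmp/clipmenu*
+blacklist-nolog ${HOME}/.cache/greenclip*
 
 # X11 session autostart
 # blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs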
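Review bot: The two clipboard-manager entries at L529-530 rely on globs (`/tmp/clipmenu*`, `${HOME}/.cache/greenclip*`); as far as I can tell blacklist patterns are expanded when the sandbox is set up, so a clipboard store that does not exist yet at launch would not be covered — worth confirming and, if so, noting next to the entries. The purpose of the new lines (keeping clipboard history, which routinely contains pasted passwords, out of reach of sandboxed programs) is also worth stating in the heading, e.g. `# History files and clipboard managers in $HOME (clipboard stores may hold pasted secrets)`, since the heading comment on L522 is the only explanation of this group.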
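--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -17,8 +17,10 @@ blacklist ${HOME}/.Steam
 blacklist ${HOME}/.Steampath
 blacklist ${HOME}/.Steampid
 blacklist ${HOME}/.TelegramDesktop
+blacklist ${HOME}/.ViberPC
 blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/.Wolfram Research
+blacklist ${HOME}/.aMule
 blacklist ${HOME}/.android
 blacklist ${HOME}/.arduino15
 blacklist ${HOME}/.atom
@@ -35,6 +37,7 @@ blacklist ${HOME}/.config/Brackets
 blacklist ${HOME}/.config/Clementine
 blacklist ${HOME}/.config/Cryptocat
 blacklist ${HOME}/.config/Franz
+blacklist ${HOME}/.config/FreeCAD
 blacklist ${HOME}/.config/Gitter
 blacklist ${HOME}/.config/Google
 blacklist ${HOME}/.config/Gpredict
@@ -51,6 +54,7 @@ blacklist ${HOME}/.config/Qlipper
 blacklist ${HOME}/.config/QuiteRss
 blacklist ${HOME}/.config/QuiteRssrc
 blacklist ${HOME}/.config/Riot
+blacklist ${HOME}/.config/Rocket.Chat
 blacklist ${HOME}/.config/Slack
 blacklist ${HOME}/.config/Thunar
 blacklist ${HOME}/.config/VirtualBox
@@ -123,6 +127,7 @@ blacklist ${HOME}/.config/lximage-qt
 blacklist ${HOME}/.config/mate-calc
 blacklist ${HOME}/.config/mate/eom
 blacklist ${HOME}/.config/mate/mate-dictionary
+blacklist ${HOME}/.config/mfusion
 blacklist ${HOME}/.config/midori
 blacklist ${HOME}/.config/mpv
 blacklist ${HOME}/.config/mupen64plus
@@ -187,6 +192,7 @@ blacklist ${HOME}/.conkeror.mozdev.org
 blacklist ${HOME}/.curlrc
 blacklist ${HOME}/.dia
 blacklist ${HOME}/.dillo
+blacklist ${HOME}/.dooble
 blacklist ${HOME}/.dosbox
 blacklist ${HOME}/.dropbox-dist
 blacklist ${HOME}/.electrum*
@@ -211,6 +217,7 @@ blacklist ${HOME}/.guayadeque
 blacklist ${HOME}/.hedgewars
 blacklist ${HOME}/.hugin
 blacklist ${HOME}/.icedove
+blacklist ${HOME}/.imagej
 blacklist ${HOME}/.inkscape
 blacklist ${HOME}/.java
 blacklist ${HOME}/.jitsi
@@ -318,6 +325,7 @@ blacklist ${HOME}/.local/share/spotify
 blacklist ${HOME}/.local/share/steam
 blacklist ${HOME}/.local/share/supertux2
 blacklist ${HOME}/.local/share/telepathy
+blacklist ${HOME}/.local/share/terasology
 blacklist ${HOME}/.local/share/torbrowser
 blacklist ${HOME}/.local/share/totem
 blacklist ${HOME}/.local/share/vpltd
@@ -360,6 +368,7 @@ blacklist ${HOME}/.steampath
 blacklist ${HOME}/.steampid
 blacklist ${HOME}/.stellarium
 blacklist ${HOME}/.subversion
+blacklist ${HOME}/.surf
 blacklist ${HOME}/.sword
 blacklist ${HOME}/.sylpheed-2.0
 blacklist ${HOME}/.synfig
@@ -407,6 +416,7 @@ blacklist ${HOME}/.cache/google-chrome
 blacklist ${HOME}/.cache/google-chrome-beta
 blacklist ${HOME}/.cache/google-chrome-unstable
 blacklist ${HOME}/.cache/icedove
+blacklist ${HOME}/.cache/INRIA/Natron
 blacklist ${HOME}/.cache/inox
 blacklist ${HOME}/.cache/libgweather
 blacklist ${HOME}/.cache/midori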
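--- /dev/null
+++ b/etc/dooble-qt4.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for dooble
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/dooble.profile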
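--- /dev/null
+++ b/etc/dooble.profile
@@ -0,0 +1,39 @@
+# Firejail profile for dooble
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/dooble-qt4.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.dooble
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.dooble
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.dooble
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp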
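Review bot: L623 includes `/etc/firejail/dooble-qt4.local`, but every other new profile in this commit includes `<profilename>.local`, and dooble-qt4.profile is only an alias that redirects here, so a user's `/etc/firejail/dooble.local` customizations would be silently ignored; change the line to `include /etc/firejail/dooble.local`. Anyone who already relies on a dooble-qt4.local would then have to rename it, which is worth a line in the release notes. Separately, `protocol unix,inet,inet6,netlink` on L648 admits netlink sockets, which none of the other new profiles in this commit do; a comment stating what dooble needs netlink for would keep that exception from being copied into other browser profiles by habit.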
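--- a/etc/dosbox.profile
+++ b/etc/dosbox.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd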
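--- a/etc/dragon.profile
+++ b/etc/dragon.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd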
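--- a/etc/electron.profile
+++ b/etc/electron.profile
@@ -5,11 +5,12 @@ include /etc/firejail/electron.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+whitelist ${DOWNLOADS}
+
 caps.drop all
 netfilter
 nodvd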
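Review bot: `whitelist ${DOWNLOADS}` at L689 is the only whitelist in this shared base profile and, unlike Viber.profile, amule.profile and dooble.profile in the same commit, it is not followed by `include /etc/firejail/whitelist-common.inc`; a single whitelist entry under ${HOME} switches the whole home directory into whitelist mode, so everything else there — the `~/.config/<app>` directory of whichever Electron application inherits this profile, and as far as I recall ~/.Xauthority and the font directories that whitelist-common.inc normally re-adds — becomes invisible unless it is whitelisted as well. If exposing only downloads is the intent, add `include /etc/firejail/whitelist-common.inc` after L689 and a comment saying that per-application profiles must whitelist their own config directory before including electron.profile; otherwise the line belongs in the per-application profiles instead. The profile continues outside this hunk, so a later line may already address this.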
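--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 no3d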
diff --git a/etc/fetchmail.profile b/etc/fetchmail.profile new file mode 100644 index 000000000..3fd7f3d75 --- /dev/null +++ b/etc/fetchmail.profile | |||
@@ -0,0 +1,29 @@ | |||
1 | # Firejail profile for fetchmail | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/fetchmail.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
9 | include /etc/firejail/disable-common.inc | ||
10 | include /etc/firejail/disable-devel.inc | ||
11 | include /etc/firejail/disable-passwdmgr.inc | ||
12 | include /etc/firejail/disable-programs.inc | ||
13 | |||
14 | caps.drop all | ||
15 | netfilter | ||
16 | no3d | ||
17 | nodvd | ||
18 | nogroups | ||
19 | nonewprivs | ||
20 | noroot | ||
21 | nosound | ||
22 | notv | ||
23 | novideo | ||
24 | protocol unix,inet,inet6 | ||
25 | seccomp | ||
26 | shell none | ||
27 | |||
28 | #private-bin fetchmail,procmail,bash,chmod | ||
29 | private-dev | ||
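Review bot: The new fetchmail profile ends at `private-dev` on line 29 and omits the `private-tmp`, `noexec ${HOME}` and `noexec /tmp` lines that the other new profiles in this commit (freecad, imagej, linphone, ricochet) close with, so this sandbox keeps a shared host /tmp and an executable home directory. Unless fetchmail needs something from the host's /tmp, append `private-tmp`, then `noexec ${HOME}` and `noexec /tmp` after line 29. The commented `#private-bin fetchmail,procmail,bash,chmod` on line 28 also records no reason for being disabled; a one-line comment such as `# private-bin disabled: <reason — TODO document>` tells the next maintainer whether it is safe to enable. The same unexplained commented-out `private-bin`/`private-etc` lines appear in the inkscape, kdenlive, luminance-hdr, macrofusion, mpd, ricochet, scribus, shotcut and skype hunks of this commit.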
diff --git a/etc/firefox.profile b/etc/firefox.profile index 85201b021..1f4a8e3f6 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile | |||
@@ -59,6 +59,7 @@ whitelist ~/.wine-pipelight64 | |||
59 | whitelist ~/.zotero | 59 | whitelist ~/.zotero |
60 | whitelist ~/dwhelper | 60 | whitelist ~/dwhelper |
61 | include /etc/firejail/whitelist-common.inc | 61 | include /etc/firejail/whitelist-common.inc |
62 | include /etc/firejail/whitelist-var-common.inc | ||
62 | 63 | ||
63 | caps.drop all | 64 | caps.drop all |
64 | netfilter | 65 | netfilter |
diff --git a/etc/freecad.profile b/etc/freecad.profile new file mode 100644 index 000000000..4fde66839 --- /dev/null +++ b/etc/freecad.profile | |||
@@ -0,0 +1,35 @@ | |||
1 | # Firejail profile for freecad | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/freecad.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
9 | noblacklist ${HOME}/.config/FreeCAD | ||
10 | |||
11 | include /etc/firejail/disable-common.inc | ||
12 | include /etc/firejail/disable-devel.inc | ||
13 | include /etc/firejail/disable-passwdmgr.inc | ||
14 | include /etc/firejail/disable-programs.inc | ||
15 | |||
16 | caps.drop all | ||
17 | ipc-namespace | ||
18 | net none | ||
19 | nodvd | ||
20 | nogroups | ||
21 | nonewprivs | ||
22 | noroot | ||
23 | nosound | ||
24 | notv | ||
25 | novideo | ||
26 | protocol unix | ||
27 | seccomp | ||
28 | shell none | ||
29 | |||
30 | private-bin freecad,freecadcmd | ||
31 | private-dev | ||
32 | private-tmp | ||
33 | |||
34 | noexec ${HOME} | ||
35 | noexec /tmp | ||
diff --git a/etc/freecadcmd.profile b/etc/freecadcmd.profile new file mode 100644 index 000000000..f8bbff593 --- /dev/null +++ b/etc/freecadcmd.profile | |||
@@ -0,0 +1,6 @@ | |||
1 | # Firejail profile alias for freecad | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | |||
5 | # Redirect | ||
6 | include /etc/firejail/freecad.profile | ||
diff --git a/etc/freshclam.profile b/etc/freshclam.profile new file mode 100644 index 000000000..08eac5595 --- /dev/null +++ b/etc/freshclam.profile | |||
@@ -0,0 +1,34 @@ | |||
1 | # Firejail profile for freshclam | ||
2 | # This file is overwritten after every install/update | ||
3 | quiet | ||
4 | # Persistent local customizations | ||
5 | include /etc/firejail/clamav.local | ||
6 | # Persistent global definitions | ||
7 | include /etc/firejail/globals.local | ||
8 | |||
9 | |||
10 | caps.keep setgid,setuid | ||
11 | ipc-namespace | ||
12 | netfilter | ||
13 | no3d | ||
14 | nodvd | ||
15 | nogroups | ||
16 | nonewprivs | ||
17 | nosound | ||
18 | notv | ||
19 | novideo | ||
20 | protocol unix,inet,inet6 | ||
21 | seccomp | ||
22 | shell none | ||
23 | tracelog | ||
24 | |||
25 | disable-mnt | ||
26 | private | ||
27 | private-dev | ||
28 | private-tmp | ||
29 | writable-var | ||
30 | writable-var-log | ||
31 | |||
32 | memory-deny-write-execute | ||
33 | noexec ${HOME} | ||
34 | noexec /tmp | ||
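Review bot: `caps.keep setgid,setuid` on line 10 retains the two capabilities that let a process change its uid/gid, and the profile has no `noroot`, yet nothing in the file says why; presumably freshclam starts privileged and switches to its database-owner user, which the `writable-var`/`writable-var-log` lines on 29-30 also suggest. Add a comment above line 10 such as `# freshclam switches to its database owner user after start, so setuid/setgid must stay — TODO confirm`. The profile also carries none of the `include /etc/firejail/disable-*.inc` lines every other new profile in this commit has; `private` on line 26 hides ${HOME}, but as I recall disable-common.inc also blacklists locations outside the home directory, so confirm the omission is deliberate and note it. Line 5 pulls `clamav.local` rather than a `freshclam.local`, which is fine if the customization file is shared with a clamav profile but deserves a word in the header comment.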
diff --git a/etc/galculator.profile b/etc/galculator.profile index 37f147f0f..dbc22a889 100644 --- a/etc/galculator.profile +++ b/etc/galculator.profile | |||
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc | |||
15 | mkdir ~/.config/galculator | 15 | mkdir ~/.config/galculator |
16 | whitelist ~/.config/galculator | 16 | whitelist ~/.config/galculator |
17 | include /etc/firejail/whitelist-common.inc | 17 | include /etc/firejail/whitelist-common.inc |
18 | include /etc/firejail/whitelist-var-common.inc | ||
18 | 19 | ||
19 | caps.drop all | 20 | caps.drop all |
20 | net none | 21 | net none |
diff --git a/etc/gimp.profile b/etc/gimp.profile index aa77d6105..292c2aac9 100644 --- a/etc/gimp.profile +++ b/etc/gimp.profile | |||
@@ -11,6 +11,8 @@ include /etc/firejail/disable-common.inc | |||
11 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
12 | include /etc/firejail/disable-programs.inc | 12 | include /etc/firejail/disable-programs.inc |
13 | 13 | ||
14 | include /etc/firejail/whitelist-var-common.inc | ||
15 | |||
14 | caps.drop all | 16 | caps.drop all |
15 | net none | 17 | net none |
16 | nodvd | 18 | nodvd |
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile index 6547c73df..326222426 100644 --- a/etc/gnome-calculator.profile +++ b/etc/gnome-calculator.profile | |||
@@ -11,6 +11,7 @@ include /etc/firejail/disable-devel.inc | |||
11 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
12 | include /etc/firejail/disable-programs.inc | 12 | include /etc/firejail/disable-programs.inc |
13 | include /etc/firejail/whitelist-common.inc | 13 | include /etc/firejail/whitelist-common.inc |
14 | include /etc/firejail/whitelist-var-common.inc | ||
14 | 15 | ||
15 | caps.drop all | 16 | caps.drop all |
16 | netfilter | 17 | netfilter |
diff --git a/etc/google-earth.profile b/etc/google-earth.profile new file mode 100644 index 000000000..b60f5b3a5 --- /dev/null +++ b/etc/google-earth.profile | |||
@@ -0,0 +1,48 @@ | |||
1 | # Firejail profile for google-earth | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/google-earth.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | noblacklist ${HOME}/.config/Google | ||
9 | noblacklist ${HOME}/.googleearth/Cache/ | ||
10 | noblacklist ${HOME}/.googleearth/Temp/ | ||
11 | noblacklist ${HOME}/.googleearth/myplaces.backup.kml | ||
12 | noblacklist ${HOME}/.googleearth/myplaces.kml | ||
13 | |||
14 | include /etc/firejail/disable-common.inc | ||
15 | include /etc/firejail/disable-devel.inc | ||
16 | include /etc/firejail/disable-passwdmgr.inc | ||
17 | include /etc/firejail/disable-programs.inc | ||
18 | |||
19 | mkdir ${HOME}/.config/Google | ||
20 | mkdir ${HOME}/.googleearth/Cache/ | ||
21 | mkdir ${HOME}/.googleearth/Temp/ | ||
22 | mkfile ${HOME}/.googleearth/myplaces.backup.kml | ||
23 | mkfile ${HOME}/.googleearth/myplaces.kml | ||
24 | whitelist ${HOME}/.config/Google | ||
25 | whitelist ${HOME}/.googleearth/Cache/ | ||
26 | whitelist ${HOME}/.googleearth/Temp/ | ||
27 | whitelist ${HOME}/.googleearth/myplaces.backup.kml | ||
28 | whitelist ${HOME}/.googleearth/myplaces.kml | ||
29 | include /etc/firejail/whitelist-common.inc | ||
30 | |||
31 | caps.drop all | ||
32 | ipc-namespace | ||
33 | netfilter | ||
34 | nodvd | ||
35 | nogroups | ||
36 | nonewprivs | ||
37 | noroot | ||
38 | notv | ||
39 | novideo | ||
40 | protocol unix,inet,inet6 | ||
41 | seccomp | ||
42 | shell none | ||
43 | |||
44 | private-bin google-earth,sh,bash,dash,grep,sed,ls,dirname | ||
45 | private-dev | ||
46 | |||
47 | noexec ${HOME} | ||
48 | noexec /tmp | ||
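Review bot: The new google-earth profile has `noexec /tmp` on line 48 but no `private-tmp`, so the sandbox still shares the host's /tmp with every other process, and it also lacks the `disable-mnt` that linphone and ricochet in this commit apply. If Google Earth does not depend on host /tmp contents, add `private-tmp` after `private-dev` on line 45. `whitelist ${HOME}/.config/Google` on line 24 exposes a directory that other Google desktop software may also use rather than a google-earth-specific path; if that is the case, a comment saying so helps anyone auditing what this sandbox can read and modify.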
diff --git a/etc/gpicview.profile b/etc/gpicview.profile index 26bc589ee..1842c9cb1 100644 --- a/etc/gpicview.profile +++ b/etc/gpicview.profile | |||
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc | |||
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
14 | 14 | ||
15 | include /etc/firejail/whitelist-var-common.inc | ||
16 | |||
15 | caps.drop all | 17 | caps.drop all |
16 | net none | 18 | net none |
17 | nodvd | 19 | nodvd |
diff --git a/etc/handbrake.profile b/etc/handbrake.profile index 2b33051e2..f5e7bc329 100644 --- a/etc/handbrake.profile +++ b/etc/handbrake.profile | |||
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc | |||
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
14 | 14 | ||
15 | include /etc/firejail/whitelist-var-common.inc | ||
16 | |||
15 | caps.drop all | 17 | caps.drop all |
16 | netfilter | 18 | netfilter |
17 | nogroups | 19 | nogroups |
diff --git a/etc/hugin.profile b/etc/hugin.profile index d3cd181b1..ff88e0d5c 100644 --- a/etc/hugin.profile +++ b/etc/hugin.profile | |||
@@ -25,6 +25,7 @@ protocol unix | |||
25 | seccomp | 25 | seccomp |
26 | shell none | 26 | shell none |
27 | 27 | ||
28 | private-bin PTBatcherGUI,calibrate_lens_gui,hugin,hugin_stitch_project,align_image_stack,autooptimiser,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,fulla,geocpset,hugin_executor,hugin_hdrmerge,hugin_lensdb,icpfind,linefind,nona,pano_modify,pano_trafo,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,tca_correct,verdandi,vig_optimize,enblend | ||
28 | private-dev | 29 | private-dev |
29 | private-tmp | 30 | private-tmp |
30 | 31 | ||
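Review bot: The `private-bin` list added on line 28 names `enblend` but not `enfuse`; as far as I recall hugin's stitching step invokes enfuse for exposure fusion on the same path that calls enblend, so an exposure-fused panorama would fail to stitch with this list in place — confirm against a local run and append `,enfuse` if so. Since the line now enumerates 32 helper programs, a comment above it such as `# helper list must track hugin's bundled tools across releases` would save future breakage reports when hugin adds or renames a helper.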
diff --git a/etc/imagej.profile b/etc/imagej.profile new file mode 100644 index 000000000..88a56c706 --- /dev/null +++ b/etc/imagej.profile | |||
@@ -0,0 +1,35 @@ | |||
1 | # Firejail profile for imagej | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/imagej.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
9 | noblacklist ${HOME}/.imagej | ||
10 | |||
11 | include /etc/firejail/disable-common.inc | ||
12 | include /etc/firejail/disable-devel.inc | ||
13 | include /etc/firejail/disable-passwdmgr.inc | ||
14 | include /etc/firejail/disable-programs.inc | ||
15 | |||
16 | caps.drop all | ||
17 | ipc-namespace | ||
18 | net none | ||
19 | nodvd | ||
20 | nogroups | ||
21 | nonewprivs | ||
22 | noroot | ||
23 | nosound | ||
24 | notv | ||
25 | novideo | ||
26 | protocol unix | ||
27 | seccomp | ||
28 | shell none | ||
29 | |||
30 | private-bin imagej,bash,grep,sort,tail,tr,cut,whoami,hostname,uname,mkdir,ls,touch,free,awk,update-java-alternatives,basename,xprop,rm,ln | ||
31 | private-dev | ||
32 | private-tmp | ||
33 | |||
34 | noexec ${HOME} | ||
35 | noexec /tmp | ||
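Review bot: `private-bin` on line 30 copies `update-java-alternatives` into the sandbox, a Debian administration tool that rewrites the system's alternatives symlinks; the imagej launcher presumably only runs it to list installed JVMs, but that intent is not recorded. Add a comment above line 30 such as `# update-java-alternatives is only used by the launcher to list JVMs; it cannot modify the system under caps.drop all/noroot — TODO confirm`. `java` itself is not on the list, so the launcher must be reaching the JVM by its /usr/lib/jvm path rather than through /usr/bin — worth stating in the same comment if that is what happens.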
diff --git a/etc/inkscape.profile b/etc/inkscape.profile index 1d24f5d7d..c062ab8ef 100644 --- a/etc/inkscape.profile +++ b/etc/inkscape.profile | |||
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc | |||
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
14 | 14 | ||
15 | include /etc/firejail/whitelist-var-common.inc | ||
16 | |||
15 | caps.drop all | 17 | caps.drop all |
16 | netfilter | 18 | netfilter |
17 | nodvd | 19 | nodvd |
@@ -25,6 +27,7 @@ protocol unix | |||
25 | seccomp | 27 | seccomp |
26 | shell none | 28 | shell none |
27 | 29 | ||
30 | #private-bin inkscape | ||
28 | private-dev | 31 | private-dev |
29 | private-tmp | 32 | private-tmp |
30 | 33 | ||
diff --git a/etc/k3b.profile b/etc/k3b.profile index ca190ecb9..58623d823 100644 --- a/etc/k3b.profile +++ b/etc/k3b.profile | |||
@@ -14,6 +14,8 @@ include /etc/firejail/disable-devel.inc | |||
14 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | include /etc/firejail/disable-programs.inc | 15 | include /etc/firejail/disable-programs.inc |
16 | 16 | ||
17 | include /etc/firejail/whitelist-var-common.inc | ||
18 | |||
17 | caps.drop all | 19 | caps.drop all |
18 | no3d | 20 | no3d |
19 | nonewprivs | 21 | nonewprivs |
diff --git a/etc/karbon.profile b/etc/karbon.profile new file mode 100644 index 000000000..3525a3e06 --- /dev/null +++ b/etc/karbon.profile | |||
@@ -0,0 +1,6 @@ | |||
1 | # Firejail profile alias for krita | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | |||
5 | # Redirect | ||
6 | include /etc/firejail/krita.profile | ||
diff --git a/etc/kate.profile b/etc/kate.profile index ec5d09ce2..69100d49d 100644 --- a/etc/kate.profile +++ b/etc/kate.profile | |||
@@ -17,6 +17,8 @@ include /etc/firejail/disable-common.inc | |||
17 | include /etc/firejail/disable-passwdmgr.inc | 17 | include /etc/firejail/disable-passwdmgr.inc |
18 | include /etc/firejail/disable-programs.inc | 18 | include /etc/firejail/disable-programs.inc |
19 | 19 | ||
20 | include /etc/firejail/whitelist-var-common.inc | ||
21 | |||
20 | caps.drop all | 22 | caps.drop all |
21 | netfilter | 23 | netfilter |
22 | nodvd | 24 | nodvd |
diff --git a/etc/kcalc.profile b/etc/kcalc.profile index f334c4c72..0de23f106 100644 --- a/etc/kcalc.profile +++ b/etc/kcalc.profile | |||
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc | |||
11 | include /etc/firejail/disable-passwdmgr.inc | 11 | include /etc/firejail/disable-passwdmgr.inc |
12 | include /etc/firejail/disable-programs.inc | 12 | include /etc/firejail/disable-programs.inc |
13 | 13 | ||
14 | include /etc/firejail/whitelist-var-common.inc | ||
15 | |||
14 | caps.drop all | 16 | caps.drop all |
15 | netfilter | 17 | netfilter |
16 | no3d | 18 | no3d |
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile new file mode 100644 index 000000000..a1a5f957c --- /dev/null +++ b/etc/kdenlive.profile | |||
@@ -0,0 +1,30 @@ | |||
1 | # Firejail profile for kdenlive | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/kdenlive.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
9 | include /etc/firejail/disable-common.inc | ||
10 | include /etc/firejail/disable-devel.inc | ||
11 | include /etc/firejail/disable-passwdmgr.inc | ||
12 | include /etc/firejail/disable-programs.inc | ||
13 | |||
14 | caps.drop all | ||
15 | net none | ||
16 | nodvd | ||
17 | nogroups | ||
18 | nonewprivs | ||
19 | noroot | ||
20 | notv | ||
21 | protocol unix,inet,inet6 | ||
22 | seccomp | ||
23 | shell none | ||
24 | |||
25 | private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper | ||
26 | private-dev | ||
27 | #private-etc fonts,alternatives,X11,pulse,passwd | ||
28 | |||
29 | noexec ${HOME} | ||
30 | noexec /tmp | ||
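Review bot: Line 15 sets `net none` while line 21 allows `protocol unix,inet,inet6`; under `net none` only loopback is reachable, so the two inet families add socket surface without an evident purpose, and the other `net none` profiles in this commit (freecad, imagej, krita, lmms, shotcut) pair it with `protocol unix`. Change line 21 to `protocol unix` so the seccomp protocol filter matches the network policy, unless kdenlive talks to itself over localhost, in which case a comment should say so. If kdenlive actually needs outbound access, then it is `net none` that is wrong and should be replaced with `netfilter`, but one of the two lines should change.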
diff --git a/etc/krita.profile b/etc/krita.profile new file mode 100644 index 000000000..e91f5b242 --- /dev/null +++ b/etc/krita.profile | |||
@@ -0,0 +1,32 @@ | |||
1 | # Firejail profile for krita | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/krita.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
9 | include /etc/firejail/disable-common.inc | ||
10 | include /etc/firejail/disable-devel.inc | ||
11 | include /etc/firejail/disable-passwdmgr.inc | ||
12 | include /etc/firejail/disable-programs.inc | ||
13 | |||
14 | caps.drop all | ||
15 | ipc-namespace | ||
16 | net none | ||
17 | nodvd | ||
18 | nogroups | ||
19 | nonewprivs | ||
20 | noroot | ||
21 | nosound | ||
22 | notv | ||
23 | novideo | ||
24 | protocol unix | ||
25 | seccomp | ||
26 | shell none | ||
27 | |||
28 | private-dev | ||
29 | private-tmp | ||
30 | |||
31 | noexec ${HOME} | ||
32 | noexec /tmp | ||
diff --git a/etc/kwrite.profile b/etc/kwrite.profile index 6ba076dc0..6b458ede3 100644 --- a/etc/kwrite.profile +++ b/etc/kwrite.profile | |||
@@ -17,6 +17,8 @@ include /etc/firejail/disable-common.inc | |||
17 | include /etc/firejail/disable-passwdmgr.inc | 17 | include /etc/firejail/disable-passwdmgr.inc |
18 | include /etc/firejail/disable-programs.inc | 18 | include /etc/firejail/disable-programs.inc |
19 | 19 | ||
20 | include /etc/firejail/whitelist-var-common.inc | ||
21 | |||
20 | caps.drop all | 22 | caps.drop all |
21 | netfilter | 23 | netfilter |
22 | nodvd | 24 | nodvd |
diff --git a/etc/leafpad.profile b/etc/leafpad.profile index e7557651b..c9addba21 100644 --- a/etc/leafpad.profile +++ b/etc/leafpad.profile | |||
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc | |||
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
14 | 14 | ||
15 | include /etc/firejail/whitelist-var-common.inc | ||
16 | |||
15 | caps.drop all | 17 | caps.drop all |
16 | netfilter | 18 | netfilter |
17 | no3d | 19 | no3d |
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index ec7356002..8d05a557c 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile | |||
@@ -14,6 +14,8 @@ include /etc/firejail/disable-devel.inc | |||
14 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | include /etc/firejail/disable-programs.inc | 15 | include /etc/firejail/disable-programs.inc |
16 | 16 | ||
17 | include /etc/firejail/whitelist-var-common.inc | ||
18 | |||
17 | caps.drop all | 19 | caps.drop all |
18 | netfilter | 20 | netfilter |
19 | nodvd | 21 | nodvd |
diff --git a/etc/linphone.profile b/etc/linphone.profile new file mode 100644 index 000000000..41f9245a2 --- /dev/null +++ b/etc/linphone.profile | |||
@@ -0,0 +1,41 @@ | |||
1 | # Firejail profile for linphone | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/linphone.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | noblacklist ${HOME}/.linphone-history.db | ||
9 | noblacklist ${HOME}/.linphonerc | ||
10 | |||
11 | include /etc/firejail/disable-common.inc | ||
12 | include /etc/firejail/disable-devel.inc | ||
13 | include /etc/firejail/disable-passwdmgr.inc | ||
14 | include /etc/firejail/disable-programs.inc | ||
15 | |||
16 | mkfile ${HOME}/.linphone-history.db | ||
17 | mkfile ${HOME}/.linphonerc | ||
18 | whitelist ${HOME}/.linphone-history.db | ||
19 | whitelist ${HOME}/.linphonerc | ||
20 | whitelist ${HOME}/Downloads | ||
21 | include /etc/firejail/whitelist-common.inc | ||
22 | |||
23 | caps.drop all | ||
24 | netfilter | ||
25 | no3d | ||
26 | nodvd | ||
27 | nogroups | ||
28 | nonewprivs | ||
29 | noroot | ||
30 | notv | ||
31 | novideo | ||
32 | protocol unix,inet,inet6 | ||
33 | seccomp | ||
34 | shell none | ||
35 | |||
36 | disable-mnt | ||
37 | private-dev | ||
38 | private-tmp | ||
39 | |||
40 | noexec ${HOME} | ||
41 | noexec /tmp | ||
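Review bot: Line 20 hard-codes `whitelist ${HOME}/Downloads`, whereas the other profiles in this commit that expose the download directory (electron, ricochet) use `whitelist ${DOWNLOADS}`, which follows the user's configured download directory. Change line 20 to `whitelist ${DOWNLOADS}`; otherwise users with a non-default download folder do not get the intended access and the profile diverges from the convention the rest of the commit establishes.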
diff --git a/etc/lmms.profile b/etc/lmms.profile new file mode 100644 index 000000000..29ed235c6 --- /dev/null +++ b/etc/lmms.profile | |||
@@ -0,0 +1,34 @@ | |||
1 | # Firejail profile for lmms | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/lmms.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
9 | noblacklist ${HOME}/.lmmsrc.xml | ||
10 | |||
11 | include /etc/firejail/disable-common.inc | ||
12 | include /etc/firejail/disable-devel.inc | ||
13 | include /etc/firejail/disable-passwdmgr.inc | ||
14 | include /etc/firejail/disable-programs.inc | ||
15 | |||
16 | caps.drop all | ||
17 | ipc-namespace | ||
18 | net none | ||
19 | no3d | ||
20 | nodvd | ||
21 | nogroups | ||
22 | nonewprivs | ||
23 | noroot | ||
24 | notv | ||
25 | novideo | ||
26 | protocol unix | ||
27 | seccomp | ||
28 | shell none | ||
29 | |||
30 | private-dev | ||
31 | private-tmp | ||
32 | |||
33 | noexec ${HOME} | ||
34 | noexec /tmp | ||
diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile index bd32e0c70..ec2a65290 100644 --- a/etc/luminance-hdr.profile +++ b/etc/luminance-hdr.profile | |||
@@ -26,6 +26,7 @@ seccomp | |||
26 | shell none | 26 | shell none |
27 | tracelog | 27 | tracelog |
28 | 28 | ||
29 | #private-bin luminance-hdr,luminance-hdr-cli,align_image_stack | ||
29 | private-dev | 30 | private-dev |
30 | private-tmp | 31 | private-tmp |
31 | 32 | ||
diff --git a/etc/macrofusion.profile b/etc/macrofusion.profile new file mode 100644 index 000000000..be66cf6ee --- /dev/null +++ b/etc/macrofusion.profile | |||
@@ -0,0 +1,35 @@ | |||
1 | # Firejail profile for macrofusion | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/macrofusion.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
9 | noblacklist ${HOME}/.config/mfusion | ||
10 | |||
11 | include /etc/firejail/disable-common.inc | ||
12 | include /etc/firejail/disable-devel.inc | ||
13 | include /etc/firejail/disable-passwdmgr.inc | ||
14 | include /etc/firejail/disable-programs.inc | ||
15 | |||
16 | caps.drop all | ||
17 | ipc-namespace | ||
18 | net none | ||
19 | nodvd | ||
20 | nogroups | ||
21 | nonewprivs | ||
22 | noroot | ||
23 | nosound | ||
24 | notv | ||
25 | novideo | ||
26 | protocol unix | ||
27 | seccomp | ||
28 | shell none | ||
29 | |||
30 | #private-bin python3,macrofusion,env,enfuse,exiftool,align_image_stack | ||
31 | private-dev | ||
32 | private-tmp | ||
33 | |||
34 | noexec ${HOME} | ||
35 | noexec /tmp | ||
diff --git a/etc/mousepad.profile b/etc/mousepad.profile index 36365fc2f..60205ffda 100644 --- a/etc/mousepad.profile +++ b/etc/mousepad.profile | |||
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc | |||
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
14 | 14 | ||
15 | include /etc/firejail/whitelist-var-common.inc | ||
16 | |||
15 | caps.drop all | 17 | caps.drop all |
16 | netfilter | 18 | netfilter |
17 | nodvd | 19 | nodvd |
diff --git a/etc/mpd.profile b/etc/mpd.profile new file mode 100644 index 000000000..7bfa47d77 --- /dev/null +++ b/etc/mpd.profile | |||
@@ -0,0 +1,33 @@ | |||
1 | # Firejail profile for mpd | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/mpd.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
9 | noblacklist ${HOME}/.mpdconf | ||
10 | |||
11 | include /etc/firejail/disable-common.inc | ||
12 | include /etc/firejail/disable-devel.inc | ||
13 | include /etc/firejail/disable-passwdmgr.inc | ||
14 | include /etc/firejail/disable-programs.inc | ||
15 | |||
16 | caps.drop all | ||
17 | netfilter | ||
18 | no3d | ||
19 | nodvd | ||
20 | nonewprivs | ||
21 | noroot | ||
22 | notv | ||
23 | novideo | ||
24 | protocol unix,inet,inet6 | ||
25 | seccomp | ||
26 | shell none | ||
27 | |||
28 | #private-bin mpd,bash | ||
29 | private-dev | ||
30 | private-tmp | ||
31 | |||
32 | noexec ${HOME} | ||
33 | noexec /tmp | ||
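Review bot: mpd is the only new non-alias profile in this commit without `nogroups` (lines 16-26 go from `nodvd` straight to `nonewprivs`), and nothing explains the omission; presumably supplementary groups are kept so the daemon can reach sound devices through the audio group. Add a comment beside line 19 such as `# nogroups omitted: mpd needs the audio group for /dev/snd — TODO confirm`, or add `nogroups` if that is not the case, so the weaker group policy is a documented decision rather than an oversight.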
diff --git a/etc/mpv.profile b/etc/mpv.profile index 0592751ef..eb8a88a4b 100644 --- a/etc/mpv.profile +++ b/etc/mpv.profile | |||
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc | |||
13 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | 14 | include /etc/firejail/disable-programs.inc |
15 | 15 | ||
16 | include /etc/firejail/whitelist-var-common.inc | ||
17 | |||
16 | caps.drop all | 18 | caps.drop all |
17 | netfilter | 19 | netfilter |
18 | nogroups | 20 | nogroups |
diff --git a/etc/musescore.profile b/etc/musescore.profile index 3b5a0b13c..b039d07b2 100644 --- a/etc/musescore.profile +++ b/etc/musescore.profile | |||
@@ -19,6 +19,7 @@ caps.drop all | |||
19 | netfilter | 19 | netfilter |
20 | no3d | 20 | no3d |
21 | nodvd | 21 | nodvd |
22 | nogroups | ||
22 | nonewprivs | 23 | nonewprivs |
23 | noroot | 24 | noroot |
24 | notv | 25 | notv |
diff --git a/etc/natron.profile b/etc/natron.profile new file mode 100644 index 000000000..d77539d83 --- /dev/null +++ b/etc/natron.profile | |||
@@ -0,0 +1,33 @@ | |||
1 | # Firejail profile for natron | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/natron.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
9 | noblacklist ${HOME}/.Natron | ||
10 | noblacklist ${HOME}/.cache/INRIA/Natron | ||
11 | noblacklist ${HOME}/.config/INRIA | ||
12 | noblacklist /opt/natron | ||
13 | |||
14 | include /etc/firejail/disable-common.inc | ||
15 | include /etc/firejail/disable-devel.inc | ||
16 | include /etc/firejail/disable-passwdmgr.inc | ||
17 | include /etc/firejail/disable-programs.inc | ||
18 | |||
19 | caps.drop all | ||
20 | netfilter | ||
21 | nodvd | ||
22 | nogroups | ||
23 | nonewprivs | ||
24 | noroot | ||
25 | notv | ||
26 | protocol unix,inet,inet6 | ||
27 | seccomp | ||
28 | shell none | ||
29 | |||
30 | private-bin natron,Natron,NatronRenderer | ||
31 | |||
32 | noexec ${HOME} | ||
33 | noexec /tmp | ||
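Review bot: The new natron profile omits `private-dev`, which every other non-alias profile in this commit applies — it goes from `private-bin natron,Natron,NatronRenderer` on line 30 straight to `noexec` — so the sandbox keeps the full host /dev. Add `private-dev` after line 30, and `private-tmp` as well unless natron needs host /tmp contents. `noblacklist /opt/natron` on line 12 implies one of the included files blacklists that path; a comment stating which one makes the exception auditable.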
diff --git a/etc/okular.profile b/etc/okular.profile index 5a704ad26..94736fbae 100644 --- a/etc/okular.profile +++ b/etc/okular.profile | |||
@@ -20,6 +20,8 @@ include /etc/firejail/disable-devel.inc | |||
20 | include /etc/firejail/disable-passwdmgr.inc | 20 | include /etc/firejail/disable-passwdmgr.inc |
21 | include /etc/firejail/disable-programs.inc | 21 | include /etc/firejail/disable-programs.inc |
22 | 22 | ||
23 | include /etc/firejail/whitelist-var-common.inc | ||
24 | |||
23 | caps.drop all | 25 | caps.drop all |
24 | netfilter | 26 | netfilter |
25 | nodvd | 27 | nodvd |
diff --git a/etc/pidgin.profile b/etc/pidgin.profile index dd610920a..d195cf586 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile | |||
@@ -27,3 +27,6 @@ tracelog | |||
27 | private-bin pidgin | 27 | private-bin pidgin |
28 | private-dev | 28 | private-dev |
29 | private-tmp | 29 | private-tmp |
30 | |||
31 | noexec ${HOME} | ||
32 | noexec /tmp | ||
diff --git a/etc/ricochet.profile b/etc/ricochet.profile new file mode 100644 index 000000000..6da0e21d5 --- /dev/null +++ b/etc/ricochet.profile | |||
@@ -0,0 +1,40 @@ | |||
1 | # Firejail profile for ricochet | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/ricochet.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
9 | noblacklist ${HOME}/.local/share/Ricochet | ||
10 | |||
11 | include /etc/firejail/disable-common.inc | ||
12 | include /etc/firejail/disable-devel.inc | ||
13 | include /etc/firejail/disable-passwdmgr.inc | ||
14 | include /etc/firejail/disable-programs.inc | ||
15 | |||
16 | whitelist ${DOWNLOADS} | ||
17 | whitelist ${HOME}/.local/share/Ricochet | ||
18 | include /etc/firejail/whitelist-common.inc | ||
19 | |||
20 | caps.drop all | ||
21 | ipc-namespace | ||
22 | netfilter | ||
23 | no3d | ||
24 | nodvd | ||
25 | nogroups | ||
26 | nonewprivs | ||
27 | noroot | ||
28 | notv | ||
29 | novideo | ||
30 | protocol unix,inet,inet6 | ||
31 | seccomp | ||
32 | shell none | ||
33 | |||
34 | disable-mnt | ||
35 | private-bin ricochet,tor | ||
36 | private-dev | ||
37 | #private-etc fonts,tor,X11,alternatives | ||
38 | |||
39 | noexec ${HOME} | ||
40 | noexec /tmp | ||
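Review bot: `whitelist ${DOWNLOADS}` on line 16 gives the sandbox read/write access to the user's download directory, but the profile does not say what Ricochet uses it for; as far as I recall the client has no file-transfer feature, in which case the line only widens what a compromised process could read and should be dropped or justified with a comment. `private-bin ricochet,tor` on line 35 also means `tor` runs inside this same sandbox, while `#private-etc fonts,tor,X11,alternatives` on line 37 is left disabled without a reason, so the host's /etc stays fully visible — note why it is off, e.g. `# private-etc disabled: <reason — TODO document>`.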
diff --git a/etc/riot-web.profile b/etc/riot-web.profile index c714652df..06dbbe9d9 100644 --- a/etc/riot-web.profile +++ b/etc/riot-web.profile | |||
@@ -5,9 +5,9 @@ include /etc/firejail/riot-web.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | noblacklist ~/.config/Riot | 8 | noblacklist ${HOME}/.config/Riot |
9 | 9 | ||
10 | whitelist ~/.config/Riot | 10 | whitelist ${HOME}/.config/Riot |
11 | include /etc/firejail/whitelist-common.inc | 11 | include /etc/firejail/whitelist-common.inc |
12 | 12 | ||
13 | # Redirect | 13 | # Redirect |
diff --git a/etc/rocketchat.profile b/etc/rocketchat.profile new file mode 100644 index 000000000..da92cd938 --- /dev/null +++ b/etc/rocketchat.profile | |||
@@ -0,0 +1,14 @@ | |||
1 | # Firejail profile for rocketchat | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/rocketchat.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | noblacklist ${HOME}/.config/Rocket.Chat | ||
9 | |||
10 | whitelist ${HOME}/.config/Rocket.Chat | ||
11 | include /etc/firejail/whitelist-common.inc | ||
12 | |||
13 | # Redirect | ||
14 | include /etc/firejail/electron.profile | ||
diff --git a/etc/scribus.profile b/etc/scribus.profile index e4c88be49..dd06fa59f 100644 --- a/etc/scribus.profile +++ b/etc/scribus.profile | |||
@@ -38,5 +38,6 @@ protocol unix | |||
38 | seccomp | 38 | seccomp |
39 | tracelog | 39 | tracelog |
40 | 40 | ||
41 | #private-bin scribus,gs | ||
41 | private-dev | 42 | private-dev |
42 | # private-tmp | 43 | # private-tmp |
diff --git a/etc/shotcut.profile b/etc/shotcut.profile new file mode 100644 index 000000000..e30bc1f46 --- /dev/null +++ b/etc/shotcut.profile | |||
@@ -0,0 +1,31 @@ | |||
1 | # Firejail profile for shotcut | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/shotcut.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
9 | noblacklist ${HOME}/.config/Meltytech | ||
10 | |||
11 | include /etc/firejail/disable-common.inc | ||
12 | include /etc/firejail/disable-devel.inc | ||
13 | include /etc/firejail/disable-passwdmgr.inc | ||
14 | include /etc/firejail/disable-programs.inc | ||
15 | |||
16 | caps.drop all | ||
17 | net none | ||
18 | nodvd | ||
19 | nogroups | ||
20 | nonewprivs | ||
21 | noroot | ||
22 | notv | ||
23 | protocol unix | ||
24 | seccomp | ||
25 | shell none | ||
26 | |||
27 | #private-bin shotcut,melt,qmelt,nice | ||
28 | private-dev | ||
29 | |||
30 | noexec ${HOME} | ||
31 | noexec /tmp | ||
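--- a/etc/silentarmy.profile
+++ b/etc/silentarmy.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd
@@ -28,6 +30,7 @@ disable-mnt
 private
 # private-bin silentarmy,sa-solver,python3
 private-dev
+private-opt none
 private-tmp
 
 noexec ${HOME}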
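--- a/etc/skype.profile
+++ b/etc/skype.profile
@@ -24,6 +24,7 @@ seccomp
 shell none
 
 disable-mnt
+#private-bin skype,bash
 private-dev
 private-tmp
 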
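--- a/etc/ssh-agent.profile
+++ b/etc/ssh-agent.profile
@@ -16,6 +16,7 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+shell none
 caps.drop all
 netfilter
 no3d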
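Review bot: `shell none` is inserted before `caps.drop all` at new line 19, while every other profile in this commit keeps it at the end of the alphabetical option block, directly after `seccomp` (shotcut, surf, teamspeak3, tor). The option takes effect wherever it appears, so this is ordering only, but placing it as `seccomp` then `shell none` keeps ssh-agent.profile readable and greppable like its siblings. The remainder of the option block lies outside the hunk.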
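--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -21,6 +21,8 @@ noblacklist ${HOME}/.steampath
 noblacklist ${HOME}/.steampid
 # with >=llvm-4 mesa drivers need llvm stuff
 noblacklist /usr/lib/llvm*
+# needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work
+noblacklist /sbin
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -44,5 +46,5 @@ shell none
 
 # private-dev should be commented for controllers
 private-dev
-private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl
+private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl
 private-tmp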
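Review bot: `noblacklist /sbin` re-exposes the whole directory for the sake of one environment variable, and the comment above it names the variable but not which binaries under /sbin the runtime actually calls. If those are known, noblacklisting them individually would restore only what is needed; if not, extending the comment with the observed failure (`# needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work (<tool under /sbin placeholder>)`) lets a later maintainer narrow it. Which include blacklists /sbin in the first place is not visible in this hunk, so this is inferred from the noblacklist being necessary at all.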
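--- /dev/null
+++ b/etc/surf.profile
@@ -0,0 +1,35 @@
+# Firejail profile for surf
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/surf.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ~/.surf
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ~/.surf
+whitelist ${DOWNLOADS}
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin ls,surf,sh,dash,bash,curl,dmenu,printf,sed,sleep,st,stterm,xargs,xprop
+private-dev
+private-etc passwd,group,hosts,resolv.conf,fonts,ssl
+private-tmp
+
+noexec ${HOME}
+noexec /tmp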
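Review bot: `mkdir ~/.surf` on line 14 is not followed by `whitelist ~/.surf`, yet whitelist-common.inc is included, so the home directory is in whitelist mode and the directory just created is not visible to surf; the `noblacklist ~/.surf` on line 8 does not help there. The teamspeak3 and terasology profiles in this commit show the intended pattern, mkdir followed by whitelist, so here that is `whitelist ~/.surf` right after the mkdir. Separately, `private-etc passwd,group,hosts,resolv.conf,fonts,ssl` omits ca-certificates, which the steam and terasology lists carry alongside ssl; depending on where the distribution keeps its CA bundle, TLS verification in the browser may fail without it.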
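--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -26,6 +26,7 @@ protocol unix
 seccomp
 shell none
 
+#private-bin synfigstudio
 private-dev
 private-tmp
 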
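--- /dev/null
+++ b/etc/teamspeak3.profile
@@ -0,0 +1,39 @@
+# Firejail profile for teamspeak3
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/teamspeak3.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.ts3client
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.ts3client
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.ts3client
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp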
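--- /dev/null
+++ b/etc/terasology.profile
@@ -0,0 +1,42 @@
+# Firejail profile for terasology
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/default.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.java
+noblacklist ${HOME}/.local/share/terasology
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.java
+mkdir ${HOME}/.local/share/terasology
+whitelist ${HOME}/.java
+whitelist ${HOME}/.local/share/terasology
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,java-8-openjdk,java-7-openjdk
+private-tmp
+
+noexec ${HOME}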
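Review bot: line 4 includes `/etc/firejail/default.local` under the header "Persistent local customizations", while every other new profile in this commit includes its own `<name>.local` (shotcut, surf, teamspeak3, tor); a user's terasology.local is therefore never read, and any tweak meant for default.local is applied to this game instead. The fix is `include /etc/firejail/terasology.local`. Lines 25–26 also set `net none` and `netfilter` together; with no network interface inside the sandbox the filter has nothing to apply to, so one of the two is presumably unintended — x-terminal-emulator.profile in this commit has the same pair.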
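--- /dev/null
+++ b/etc/tor-browser-en.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/torbrowser-launcher.profile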
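--- /dev/null
+++ b/etc/tor.profile
@@ -0,0 +1,47 @@
+# Firejail profile for tor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/tor.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# How to use:
+# Create a script called anything (e.g. mytor)
+# with the following contents:
+
+# #!/bin/bash
+# TORCMD="tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 1"
+# sudo -b daemon -f -d -- firejail --profile=/home/<username>/.config/firejail/tor.profile $TORCMD
+
+# You'll also likely want to disable the system service (if it exists)
+# Run mytor (or whatever you called the script above) whenever you want to start tor
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.keep setuid,setgid,net_bind_service,dac_read_search
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+writable-var
+
+disable-mnt
+private
+private-bin tor,bash
+private-dev
+private-etc tor,passwd
+private-tmp
+
+noexec ${HOME}
+noexec /tmp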
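Review bot: `caps.keep setuid,setgid,net_bind_service,dac_read_search` retains four capabilities in a sandbox the usage comment starts as root, and nothing says which step needs each; dac_read_search in particular lets the process read any file visible inside the sandbox regardless of permissions, so a comment per capability (`# setuid,setgid: drop to the tor user; net_bind_service: ports below 1024; dac_read_search: <reason placeholder>`) or dropping the ones not required would help the next reader. `private-etc tor,passwd` carries passwd but not group, which the user switch implied by setuid/setgid likely needs to resolve the tor user's groups — `private-etc group,passwd,tor` if that is the case. `private-bin tor,bash` also keeps bash although the documented invocation runs the tor binary directly and `shell none` is set; if nothing inside spawns a shell, `private-bin tor` is the smaller surface.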
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile index 763c2d051..3b6b65bec 100644 --- a/etc/torbrowser-launcher.profile +++ b/etc/torbrowser-launcher.profile | |||
@@ -5,17 +5,20 @@ include /etc/firejail/torbrowser-launcher.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | 8 | noblacklist ~/.tor-browser-en | |
9 | noblacklist ~/.config/torbrowser | 9 | noblacklist ~/.config/torbrowser |
10 | whitelist ~/.config/torbrowser | ||
11 | noblacklist ~/.local/share/torbrowser | 10 | noblacklist ~/.local/share/torbrowser |
12 | whitelist ~/.local/share/torbrowser | ||
13 | 11 | ||
14 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
15 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
16 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
17 | include /etc/firejail/disable-programs.inc | 15 | include /etc/firejail/disable-programs.inc |
18 | 16 | ||
17 | whitelist ~/.tor-browser-en | ||
18 | whitelist ~/.config/torbrowser | ||
19 | whitelist ~/.local/share/torbrowser | ||
20 | include /etc/firejail/whitelist-common.inc | ||
21 | |||
19 | caps.drop all | 22 | caps.drop all |
20 | netfilter | 23 | netfilter |
21 | nodvd | 24 | nodvd |
@@ -29,7 +32,7 @@ seccomp | |||
29 | shell none | 32 | shell none |
30 | tracelog | 33 | tracelog |
31 | 34 | ||
32 | private-bin torbrowser-launcher,python2.7,python,bash,dash,sh,grep,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf | 35 | private-bin bash,cp,dash,dirname,env,expr,file,getconf,gpg,grep,id,ln,mkdir,python,python2.7,readlink,rm,sed,sh,tail,test,tor-browser-en,torbrowser-launcher |
33 | private-dev | 36 | private-dev |
34 | private-etc fonts | 37 | private-etc fonts |
35 | private-tmp | 38 | private-tmp |
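Review bot: `whitelist ~/.tor-browser-en` at new line 17 has no matching `mkdir ~/.tor-browser-en`, while the new profiles in this commit (surf, teamspeak3, terasology) create a directory before whitelisting it; if the directory does not exist on first launch the whitelist entry presumably has nothing to mount, and the launcher then has nowhere writable to unpack the browser. Adding `mkdir ~/.tor-browser-en` ahead of the whitelist block would match the sibling profiles. The private-bin line in the second hunk keeps every binary from the old list and only adds expr, file and tor-browser-en, so that change looks safe.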
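--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -19,6 +19,7 @@ whitelist ${DOWNLOADS}
 whitelist ~/.cache/transmission
 whitelist ~/.config/transmission
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter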
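--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -19,6 +19,7 @@ whitelist ${DOWNLOADS}
 whitelist ~/.cache/transmission
 whitelist ~/.config/transmission
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter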
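--- a/etc/tuxguitar.profile
+++ b/etc/tuxguitar.profile
@@ -17,6 +17,7 @@ caps.drop all
 netfilter
 no3d
 nodvd
+nogroups
 nonewprivs
 noroot
 notv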
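--- a/etc/virtualbox.profile
+++ b/etc/virtualbox.profile
@@ -20,7 +20,9 @@ mkdir ~/.config/VirtualBox
 mkdir ~/VirtualBox VMs
 whitelist ~/.config/VirtualBox
 whitelist ~/VirtualBox VMs
+whitelist ${DOWNLOADS}
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter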
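--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 # nogroups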
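--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -16,6 +16,7 @@ whitelist ~/.drirc
 whitelist ~/.mime.types
 whitelist ~/.local/share/applications
 read-only ~/.local/share/applications
+whitelist ~/.config/ibus
 
 # fonts
 whitelist ~/.fonts
@@ -34,10 +35,14 @@ whitelist ~/.gtkrc-2.0
 whitelist ~/.gtk-2.0
 whitelist ~/.config/gtk-2.0
 whitelist ~/.config/gtk-3.0
+whitelist ~/.config/gtkrc
+whitelist ~/.config/gtkrc-2.0
 whitelist ~/.themes
 whitelist ~/.local/share/themes
 whitelist ~/.kde/share/config/gtkrc
 whitelist ~/.kde/share/config/gtkrc-2.0
+whitelist ~/.kde4/share/config/gtkrc
+whitelist ~/.kde4/share/config/gtkrc-2.0
 whitelist ~/.gnome2
 whitelist ~/.gnome2-private
 
@@ -50,3 +55,6 @@ whitelist ~/.config/kdeglobals
 whitelist ~/.kde/share/config/oxygenrc
 whitelist ~/.kde/share/config/kdeglobals
 whitelist ~/.kde/share/icons
+whitelist ~/.kde4/share/config/oxygenrc
+whitelist ~/.kde4/share/config/kdeglobals
+whitelist ~/.kde4/share/icons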
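Review bot: `whitelist ~/.config/ibus` at new line 19 is added without the `read-only` that the neighbouring `~/.local/share/applications` entry gets two lines above. If sandboxed applications only consume the input-method configuration, pairing it with `read-only ~/.config/ibus` would stop a compromised application from persisting changes into a directory that every whitelisted profile now shares; if ibus needs write access from inside the sandbox, a one-line comment saying so would keep the question from coming back. The other additions in this section are gtk and kde4 lookalikes of entries already present and raise nothing new.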
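--- /dev/null
+++ b/etc/whitelist-var-common.inc
@@ -0,0 +1,11 @@
+# Local customizations come here
+include /etc/firejail/whitelist-var-common.local
+
+# common /var whitelist for all profiles
+
+whitelist /var/lib/dbus
+whitelist /var/lib/menu-xdg
+whitelist /var/cache/fontconfig
+whitelist /var/tmp
+whitelist /var/run
+whitelist /var/lock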
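Review bot: the header `# common /var whitelist for all profiles` does not say why any of the six paths is needed, and `/var/tmp` in particular is persistent and shared by every sandbox that includes this file, so profiles that set `private-tmp` to isolate /tmp get a shared, writable scratch directory back through /var/tmp. A one-line reason per entry (which library or desktop component reads it) would let profile authors judge which ones to drop in their .local. `/var/lib/dbus` is also left writable; if the sandboxed programs only read from it, `read-only /var/lib/dbus` after the whitelist narrows that the way whitelist-common.inc does for ~/.local/share/applications.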
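--- /dev/null
+++ b/etc/x-terminal-emulator.profile
@@ -0,0 +1,20 @@
+# Firejail profile for x-terminal-emulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/x-terminal-emulator.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+caps.drop all
+ipc-namespace
+net none
+netfilter
+nogroups
+noroot
+protocol unix
+seccomp
+
+private-dev
+
+noexec /tmp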
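Review bot: `nonewprivs` is absent although every other new profile in this commit sets it next to `noroot` (shotcut, surf, teamspeak3, terasology, tor, xmr-stak-cpu, zart), and a terminal is exactly the place where arbitrary setuid or file-capability binaries get executed; no_new_privs is what blocks a privilege gain across that exec. Adding `nonewprivs` between `nogroups` and `noroot` matches the siblings. Lines 11–12 also set `net none` and `netfilter` together; with no interface inside the sandbox the filter is a no-op, so one of them is presumably unintended.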
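--- /dev/null
+++ b/etc/xmr-stak-cpu.profile
@@ -0,0 +1,42 @@
+# Firejail profile for xmr-stak-cpu
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/xmr-stak-cpu.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private
+private-bin xmr-stak-cpu
+private-dev
+private-etc xmr-stak-cpu.json
+private-lib
+private-opt none
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp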
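Review bot: `private-etc xmr-stak-cpu.json` leaves the sandbox with no resolv.conf, hosts, nsswitch.conf or CA store, yet the profile keeps `protocol unix,inet,inet6` and `netfilter` for the pool connection; unless the pool is configured by IP address and without TLS, name resolution and certificate verification inside the sandbox will presumably fail. surf in this commit lists hosts and resolv.conf alongside its application files, and steam lists ca-certificates and ssl; `private-etc xmr-stak-cpu.json,hosts,resolv.conf` (plus ca-certificates and ssl if the pool uses TLS) is the minimal set to test against. The rest of the hardening (`private-lib`, `memory-deny-write-execute`, `private-opt none`) is tighter than any sibling profile and worth keeping.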
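--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 ipc-namespace
 netfilter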
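--- /dev/null
+++ b/etc/zart.profile
@@ -0,0 +1,30 @@
+# Firejail profile for zart
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/zart.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix
+seccomp
+shell none
+
+private-bin zart,ffmpeg,melt,ffprobe,ffplay
+private-dev
+
+noexec ${HOME}
+noexec /tmp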