diff options
| author |  Fred Barclay <Fred-Barclay@users.noreply.github.com> | 2019-04-18 11:15:33 -0500 |
|---|---|---|
| committer | Fred Barclay <Fred-Barclay@users.noreply.github.com> | 2019-04-18 11:15:33 -0500 |
| commit | 5f7f3a5e26bbac22934daab982b4099b6cd5c492 (patch) | |
| tree | 53ffe95a5931df229ffd9d380efcf7ba4e36da20 /etc | |
| parent | Allow access to .pythonrc.py -- see #2651 (diff) | |
| parent | Merge pull request #2641 from rusty-snake/add-cheese (diff) | |
| download | firejail-5f7f3a5e26bbac22934daab982b4099b6cd5c492.tar.gz firejail-5f7f3a5e26bbac22934daab982b4099b6cd5c492.tar.zst firejail-5f7f3a5e26bbac22934daab982b4099b6cd5c492.zip | |
Merge branch 'master' of https://github.com/netblue30/firejail
Diffstat (limited to 'etc')
| -rw-r--r-- | etc/Cheese.profile | 7 | ||||
| -rw-r--r-- | etc/authenticator.profile | 10 | ||||
| -rw-r--r-- | etc/cheese.profile | 43 | ||||
| -rw-r--r-- | etc/chromium-common.profile | 2 | ||||
| -rw-r--r-- | etc/disable-programs.inc | 4 | ||||
| -rw-r--r-- | etc/evince.profile | 2 | ||||
| -rw-r--r-- | etc/firefox-common.profile | 2 | ||||
| -rw-r--r-- | etc/firejail.config | 9 | ||||
| -rw-r--r-- | etc/freeoffice-planmaker.profile | 38 | ||||
| -rw-r--r-- | etc/freeoffice-presentations.profile | 38 | ||||
| -rw-r--r-- | etc/freeoffice-textmaker.profile | 38 | ||||
| -rw-r--r-- | etc/gajim.profile | 2 | ||||
| -rw-r--r-- | etc/gramps.profile | 53 | ||||
| -rw-r--r-- | etc/midori.profile | 2 | ||||
| -rw-r--r-- | etc/min.profile | 2 | ||||
| -rw-r--r-- | etc/mpv.profile | 2 | ||||
| -rw-r--r-- | etc/newsboat.profile | 47 |
17 files changed, 287 insertions, 14 deletions
diff --git a/etc/Cheese.profile b/etc/Cheese.profile new file mode 100644 index 000000000..4bfce53a9 --- /dev/null +++ b/etc/Cheese.profile | |||
| @@ -0,0 +1,7 @@ | |||
| 1 | # Firejail profile for cheese | ||
| 2 | # This file is overwritten after every install/update | ||
| 3 | |||
| 4 | |||
| 5 | # Temporary fix for https://github.com/netblue30/firejail/issues/2624 | ||
| 6 | # Redirect | ||
| 7 | include cheese.profile | ||
diff --git a/etc/authenticator.profile b/etc/authenticator.profile index f989ab1ba..5f1c64682 100644 --- a/etc/authenticator.profile +++ b/etc/authenticator.profile | |||
| @@ -6,6 +6,7 @@ include authenticator.local | |||
| 6 | # Persistent global definitions | 6 | # Persistent global definitions |
| 7 | include globals.local | 7 | include globals.local |
| 8 | 8 | ||
| 9 | noblacklist ${HOME}/.cache/Authenticator | ||
| 9 | noblacklist ${HOME}/.config/Authenticator | 10 | noblacklist ${HOME}/.config/Authenticator |
| 10 | 11 | ||
| 11 | # Allow python (blacklisted by disable-interpreters.inc) | 12 | # Allow python (blacklisted by disable-interpreters.inc) |
| @@ -25,7 +26,7 @@ include disable-programs.inc | |||
| 25 | 26 | ||
| 26 | # apparmor | 27 | # apparmor |
| 27 | caps.drop all | 28 | caps.drop all |
| 28 | net none | 29 | netfilter |
| 29 | no3d | 30 | no3d |
| 30 | # nodbus - makes settings immutable | 31 | # nodbus - makes settings immutable |
| 31 | nodvd | 32 | nodvd |
| @@ -36,15 +37,14 @@ nosound | |||
| 36 | notv | 37 | notv |
| 37 | nou2f | 38 | nou2f |
| 38 | # novideo | 39 | # novideo |
| 39 | protocol unix | 40 | protocol unix,inet,inet6 |
| 40 | seccomp | 41 | seccomp |
| 41 | shell none | 42 | shell none |
| 42 | 43 | ||
| 43 | disable-mnt | 44 | disable-mnt |
| 44 | # private-bin authenticator | 45 | # private-bin authenticator,python* |
| 45 | private-cache | ||
| 46 | private-dev | 46 | private-dev |
| 47 | private-etc alternatives,fonts,ld.so.cache | 47 | private-etc alternatives,ca-certificates,fonts,ld.so.cache,ssl |
| 48 | private-tmp | 48 | private-tmp |
| 49 | 49 | ||
| 50 | # memory-deny-write-execute - breaks on Arch | 50 | # memory-deny-write-execute - breaks on Arch |
diff --git a/etc/cheese.profile b/etc/cheese.profile new file mode 100644 index 000000000..b6cb0c9ce --- /dev/null +++ b/etc/cheese.profile | |||
| @@ -0,0 +1,43 @@ | |||
| 1 | # Firejail profile for cheese | ||
| 2 | # Description: taking pictures and movies from a webcam | ||
| 3 | # This file is overwritten after every install/update | ||
| 4 | # Persistent local customizations | ||
| 5 | include cheese.local | ||
| 6 | # Persistent global definitions | ||
| 7 | include globals.local | ||
| 8 | |||
| 9 | noblacklist ${VIDEOS} | ||
| 10 | |||
| 11 | include disable-common.inc | ||
| 12 | include disable-devel.inc | ||
| 13 | include disable-exec.inc | ||
| 14 | include disable-interpreters.inc | ||
| 15 | include disable-passwdmgr.inc | ||
| 16 | include disable-programs.inc | ||
| 17 | include disable-xdg.inc | ||
| 18 | |||
| 19 | whitelist ${VIDEOS} | ||
| 20 | include whitelist-common.inc | ||
| 21 | include whitelist-var-common.inc | ||
| 22 | |||
| 23 | apparmor | ||
| 24 | caps.drop all | ||
| 25 | machine-id | ||
| 26 | net none | ||
| 27 | nodbus | ||
| 28 | nodvd | ||
| 29 | nogroups | ||
| 30 | nonewprivs | ||
| 31 | noroot | ||
| 32 | notv | ||
| 33 | nou2f | ||
| 34 | protocol unix | ||
| 35 | seccomp | ||
| 36 | shell none | ||
| 37 | tracelog | ||
| 38 | |||
| 39 | disable-mnt | ||
| 40 | private-bin cheese | ||
| 41 | private-cache | ||
| 42 | private-etc alternatives,fonts,drirc,clutter-1.0,gtk-3.0,dconf | ||
| 43 | private-tmp | ||
diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile index 3c7423316..63983d93b 100644 --- a/etc/chromium-common.profile +++ b/etc/chromium-common.profile | |||
| @@ -7,7 +7,7 @@ include chromium-common.local | |||
| 7 | #include globals.local | 7 | #include globals.local |
| 8 | 8 | ||
| 9 | # noexec ${HOME} breaks DRM binaries. | 9 | # noexec ${HOME} breaks DRM binaries. |
| 10 | ignore noexec ${HOME} | 10 | ?BROWSER_ALLOW_DRM: ignore noexec ${HOME} |
| 11 | 11 | ||
| 12 | noblacklist ${HOME}/.pki | 12 | noblacklist ${HOME}/.pki |
| 13 | noblacklist ${HOME}/.local/share/pki | 13 | noblacklist ${HOME}/.local/share/pki |
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 96fd80daf..7e12b97b2 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
| @@ -5,6 +5,7 @@ include disable-programs.local | |||
| 5 | blacklist ${HOME}/Arduino | 5 | blacklist ${HOME}/Arduino |
| 6 | blacklist ${HOME}/Monero/wallets | 6 | blacklist ${HOME}/Monero/wallets |
| 7 | blacklist ${HOME}/Nextcloud/Notes | 7 | blacklist ${HOME}/Nextcloud/Notes |
| 8 | blacklist ${HOME}/SoftMaker | ||
| 8 | blacklist ${HOME}/Standard Notes Backups | 9 | blacklist ${HOME}/Standard Notes Backups |
| 9 | blacklist ${HOME}/wallet.dat | 10 | blacklist ${HOME}/wallet.dat |
| 10 | blacklist ${HOME}/.*coin | 11 | blacklist ${HOME}/.*coin |
| @@ -339,6 +340,7 @@ blacklist ${HOME}/.googleearth/Temp/ | |||
| 339 | blacklist ${HOME}/.googleearth/myplaces.backup.kml | 340 | blacklist ${HOME}/.googleearth/myplaces.backup.kml |
| 340 | blacklist ${HOME}/.googleearth/myplaces.kml | 341 | blacklist ${HOME}/.googleearth/myplaces.kml |
| 341 | blacklist ${HOME}/.gradle | 342 | blacklist ${HOME}/.gradle |
| 343 | blacklist ${HOME}/.gramps | ||
| 342 | blacklist ${HOME}/.guayadeque | 344 | blacklist ${HOME}/.guayadeque |
| 343 | blacklist ${HOME}/.hashcat | 345 | blacklist ${HOME}/.hashcat |
| 344 | blacklist ${HOME}/.hedgewars | 346 | blacklist ${HOME}/.hedgewars |
| @@ -549,6 +551,7 @@ blacklist ${HOME}/.multimc5 | |||
| 549 | blacklist ${HOME}/.nanorc | 551 | blacklist ${HOME}/.nanorc |
| 550 | blacklist ${HOME}/.netactview | 552 | blacklist ${HOME}/.netactview |
| 551 | blacklist ${HOME}/.neverball | 553 | blacklist ${HOME}/.neverball |
| 554 | blacklist ${HOME}/.newsboat | ||
| 552 | blacklist ${HOME}/.nv | 555 | blacklist ${HOME}/.nv |
| 553 | blacklist ${HOME}/.nylas-mail | 556 | blacklist ${HOME}/.nylas-mail |
| 554 | blacklist ${HOME}/.opencity | 557 | blacklist ${HOME}/.opencity |
| @@ -625,6 +628,7 @@ blacklist /tmp/ssh-* | |||
| 625 | # ${HOME}/.cache directory | 628 | # ${HOME}/.cache directory |
| 626 | blacklist ${HOME}/.cache/0ad | 629 | blacklist ${HOME}/.cache/0ad |
| 627 | blacklist ${HOME}/.cache/8pecxstudios | 630 | blacklist ${HOME}/.cache/8pecxstudios |
| 631 | blacklist ${HOME}/.cache/Authenticator | ||
| 628 | blacklist ${HOME}/.cache/Clementine | 632 | blacklist ${HOME}/.cache/Clementine |
| 629 | blacklist ${HOME}/.cache/Enox | 633 | blacklist ${HOME}/.cache/Enox |
| 630 | blacklist ${HOME}/.cache/Franz | 634 | blacklist ${HOME}/.cache/Franz |
diff --git a/etc/evince.profile b/etc/evince.profile index b1f984784..1a429d673 100644 --- a/etc/evince.profile +++ b/etc/evince.profile | |||
| @@ -43,7 +43,7 @@ private-bin evince,evince-previewer,evince-thumbnailer | |||
| 43 | private-cache | 43 | private-cache |
| 44 | private-dev | 44 | private-dev |
| 45 | private-etc alternatives,fonts,group,machine-id,passwd | 45 | private-etc alternatives,fonts,group,machine-id,passwd |
| 46 | private-lib evince,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,gconv | 46 | private-lib evince,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*,gconv |
| 47 | private-tmp | 47 | private-tmp |
| 48 | 48 | ||
| 49 | # memory-deny-write-execute - might break application (https://github.com/netblue30/firejail/issues/1803) | 49 | # memory-deny-write-execute - might break application (https://github.com/netblue30/firejail/issues/1803) |
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile index a2a34f33f..080d9e81a 100644 --- a/etc/firefox-common.profile +++ b/etc/firefox-common.profile | |||
| @@ -7,7 +7,7 @@ include firefox-common.local | |||
| 7 | #include globals.local | 7 | #include globals.local |
| 8 | 8 | ||
| 9 | # noexec ${HOME} breaks DRM binaries. | 9 | # noexec ${HOME} breaks DRM binaries. |
| 10 | ignore noexec ${HOME} | 10 | ?BROWSER_ALLOW_DRM: ignore noexec ${HOME} |
| 11 | 11 | ||
| 12 | # Uncomment the following line to allow access to common programs/addons/plugins. | 12 | # Uncomment the following line to allow access to common programs/addons/plugins. |
| 13 | #include firefox-common-addons.inc | 13 | #include firefox-common-addons.inc |
diff --git a/etc/firejail.config b/etc/firejail.config index b37edf7a5..497d9633e 100644 --- a/etc/firejail.config +++ b/etc/firejail.config | |||
| @@ -5,9 +5,6 @@ | |||
| 5 | # Enable AppArmor functionality, default enabled. | 5 | # Enable AppArmor functionality, default enabled. |
| 6 | # apparmor yes | 6 | # apparmor yes |
| 7 | 7 | ||
| 8 | # Disable U2F in browsers, default enabled. | ||
| 9 | # browser-disable-u2f yes | ||
| 10 | |||
| 11 | # Number of ARP probes sent when assigning an IP address for --net option, | 8 | # Number of ARP probes sent when assigning an IP address for --net option, |
| 12 | # default 2. This is a partial implementation of RFC 5227. A 0.5 seconds | 9 | # default 2. This is a partial implementation of RFC 5227. A 0.5 seconds |
| 13 | # timeout is implemented for each probe. Increase this number to 4 if your | 10 | # timeout is implemented for each probe. Increase this number to 4 if your |
| @@ -18,6 +15,12 @@ | |||
| 18 | # Enable or disable bind support, default enabled. | 15 | # Enable or disable bind support, default enabled. |
| 19 | # bind yes | 16 | # bind yes |
| 20 | 17 | ||
| 18 | # Allow (DRM) execution in browsers, default disabled. | ||
| 19 | # browser-allow-drm no | ||
| 20 | |||
| 21 | # Disable U2F in browsers, default enabled. | ||
| 22 | # browser-disable-u2f yes | ||
| 23 | |||
| 21 | # Enable or disable cgroup support, default enabled. | 24 | # Enable or disable cgroup support, default enabled. |
| 22 | # cgroup yes | 25 | # cgroup yes |
| 23 | 26 | ||
diff --git a/etc/freeoffice-planmaker.profile b/etc/freeoffice-planmaker.profile new file mode 100644 index 000000000..8a53c63e3 --- /dev/null +++ b/etc/freeoffice-planmaker.profile | |||
| @@ -0,0 +1,38 @@ | |||
| 1 | # Firejail profile for freeoffice-planmaker | ||
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include freeoffice-planmaker.local | ||
| 5 | # Persistent global definitions | ||
| 6 | include globals.local | ||
| 7 | |||
| 8 | noblacklist ${HOME}/SoftMaker | ||
| 9 | |||
| 10 | include disable-common.inc | ||
| 11 | include disable-devel.inc | ||
| 12 | include disable-exec.inc | ||
| 13 | include disable-interpreters.inc | ||
| 14 | include disable-passwdmgr.inc | ||
| 15 | include disable-programs.inc | ||
| 16 | # include disable-xdg.inc | ||
| 17 | |||
| 18 | apparmor | ||
| 19 | caps.drop all | ||
| 20 | ipc-namespace | ||
| 21 | netfilter | ||
| 22 | no3d | ||
| 23 | nodbus | ||
| 24 | nodvd | ||
| 25 | nogroups | ||
| 26 | nonewprivs | ||
| 27 | noroot | ||
| 28 | notv | ||
| 29 | nou2f | ||
| 30 | novideo | ||
| 31 | protocol unix,inet,inet6 | ||
| 32 | seccomp | ||
| 33 | shell none | ||
| 34 | tracelog | ||
| 35 | |||
| 36 | private-cache | ||
| 37 | private-dev | ||
| 38 | private-tmp | ||
diff --git a/etc/freeoffice-presentations.profile b/etc/freeoffice-presentations.profile new file mode 100644 index 000000000..63be4da7f --- /dev/null +++ b/etc/freeoffice-presentations.profile | |||
| @@ -0,0 +1,38 @@ | |||
| 1 | # Firejail profile for freeoffice-presentations | ||
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include freeoffice-presentations.local | ||
| 5 | # Persistent global definitions | ||
| 6 | include globals.local | ||
| 7 | |||
| 8 | noblacklist ${HOME}/SoftMaker | ||
| 9 | |||
| 10 | include disable-common.inc | ||
| 11 | include disable-devel.inc | ||
| 12 | include disable-exec.inc | ||
| 13 | include disable-interpreters.inc | ||
| 14 | include disable-passwdmgr.inc | ||
| 15 | include disable-programs.inc | ||
| 16 | # include disable-xdg.inc | ||
| 17 | |||
| 18 | apparmor | ||
| 19 | caps.drop all | ||
| 20 | ipc-namespace | ||
| 21 | netfilter | ||
| 22 | no3d | ||
| 23 | nodbus | ||
| 24 | nodvd | ||
| 25 | nogroups | ||
| 26 | nonewprivs | ||
| 27 | noroot | ||
| 28 | notv | ||
| 29 | nou2f | ||
| 30 | novideo | ||
| 31 | protocol unix,inet,inet6 | ||
| 32 | seccomp | ||
| 33 | shell none | ||
| 34 | tracelog | ||
| 35 | |||
| 36 | private-cache | ||
| 37 | private-dev | ||
| 38 | private-tmp | ||
diff --git a/etc/freeoffice-textmaker.profile b/etc/freeoffice-textmaker.profile new file mode 100644 index 000000000..4bca5a98c --- /dev/null +++ b/etc/freeoffice-textmaker.profile | |||
| @@ -0,0 +1,38 @@ | |||
| 1 | # Firejail profile for freeoffice-textmaker | ||
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include freeoffice-textmaker.local | ||
| 5 | # Persistent global definitions | ||
| 6 | include globals.local | ||
| 7 | |||
| 8 | noblacklist ${HOME}/SoftMaker | ||
| 9 | |||
| 10 | include disable-common.inc | ||
| 11 | include disable-devel.inc | ||
| 12 | include disable-exec.inc | ||
| 13 | include disable-interpreters.inc | ||
| 14 | include disable-passwdmgr.inc | ||
| 15 | include disable-programs.inc | ||
| 16 | # include disable-xdg.inc | ||
| 17 | |||
| 18 | apparmor | ||
| 19 | caps.drop all | ||
| 20 | ipc-namespace | ||
| 21 | netfilter | ||
| 22 | no3d | ||
| 23 | nodbus | ||
| 24 | nodvd | ||
| 25 | nogroups | ||
| 26 | nonewprivs | ||
| 27 | noroot | ||
| 28 | notv | ||
| 29 | nou2f | ||
| 30 | novideo | ||
| 31 | protocol unix,inet,inet6 | ||
| 32 | seccomp | ||
| 33 | shell none | ||
| 34 | tracelog | ||
| 35 | |||
| 36 | private-cache | ||
| 37 | private-dev | ||
| 38 | private-tmp | ||
diff --git a/etc/gajim.profile b/etc/gajim.profile index 36121c4b9..ee84a0994 100644 --- a/etc/gajim.profile +++ b/etc/gajim.profile | |||
| @@ -42,7 +42,7 @@ nonewprivs | |||
| 42 | noroot | 42 | noroot |
| 43 | notv | 43 | notv |
| 44 | nou2f | 44 | nou2f |
| 45 | protocol unix,inet,inet6 | 45 | protocol unix,inet,inet6,netlink |
| 46 | seccomp | 46 | seccomp |
| 47 | shell none | 47 | shell none |
| 48 | tracelog | 48 | tracelog |
diff --git a/etc/gramps.profile b/etc/gramps.profile new file mode 100644 index 000000000..764c14b60 --- /dev/null +++ b/etc/gramps.profile | |||
| @@ -0,0 +1,53 @@ | |||
| 1 | # Firejail profile for gramps | ||
| 2 | # Description: genealogy program | ||
| 3 | # This file is overwritten after every install/update | ||
| 4 | # Persistent local customizations | ||
| 5 | include gramps.local | ||
| 6 | # Persistent global definitions | ||
| 7 | include globals.local | ||
| 8 | |||
| 9 | noblacklist ${HOME}/.gramps | ||
| 10 | |||
| 11 | # Allow python (blacklisted by disable-interpreters.inc) | ||
| 12 | #noblacklist ${PATH}/python2* | ||
| 13 | noblacklist ${PATH}/python3* | ||
| 14 | #noblacklist /usr/lib/python2* | ||
| 15 | noblacklist /usr/lib/python3* | ||
| 16 | #noblacklist /usr/local/lib/python2* | ||
| 17 | noblacklist /usr/local/lib/python3* | ||
| 18 | |||
| 19 | include disable-common.inc | ||
| 20 | include disable-devel.inc | ||
| 21 | include disable-exec.inc | ||
| 22 | include disable-interpreters.inc | ||
| 23 | include disable-passwdmgr.inc | ||
| 24 | include disable-programs.inc | ||
| 25 | include disable-xdg.inc | ||
| 26 | |||
| 27 | mkdir ${HOME}/.gramps | ||
| 28 | whitelist ${HOME}/.gramps | ||
| 29 | include whitelist-common.inc | ||
| 30 | include whitelist-var-common.inc | ||
| 31 | |||
| 32 | apparmor | ||
| 33 | caps.drop all | ||
| 34 | ipc-namespace | ||
| 35 | netfilter | ||
| 36 | no3d | ||
| 37 | nodbus | ||
| 38 | nodvd | ||
| 39 | nogroups | ||
| 40 | nonewprivs | ||
| 41 | noroot | ||
| 42 | nosound | ||
| 43 | notv | ||
| 44 | nou2f | ||
| 45 | novideo | ||
| 46 | protocol unix,inet,inet6 | ||
| 47 | seccomp | ||
| 48 | shell none | ||
| 49 | |||
| 50 | disable-mnt | ||
| 51 | private-cache | ||
| 52 | private-dev | ||
| 53 | private-tmp | ||
diff --git a/etc/midori.profile b/etc/midori.profile index d59a6a16b..e4d39cd70 100644 --- a/etc/midori.profile +++ b/etc/midori.profile | |||
| @@ -14,7 +14,7 @@ noblacklist ${HOME}/.pki | |||
| 14 | noblacklist ${HOME}/.local/share/pki | 14 | noblacklist ${HOME}/.local/share/pki |
| 15 | 15 | ||
| 16 | # noexec ${HOME} breaks DRM binaries. | 16 | # noexec ${HOME} breaks DRM binaries. |
| 17 | ignore noexec ${HOME} | 17 | ?BROWSER_ALLOW_DRM: ignore noexec ${HOME} |
| 18 | 18 | ||
| 19 | include disable-common.inc | 19 | include disable-common.inc |
| 20 | include disable-devel.inc | 20 | include disable-devel.inc |
diff --git a/etc/min.profile b/etc/min.profile index eec81677d..c89df0a95 100644 --- a/etc/min.profile +++ b/etc/min.profile | |||
| @@ -12,7 +12,7 @@ noblacklist ${HOME}/.pki | |||
| 12 | noblacklist ${HOME}/.local/share/pki | 12 | noblacklist ${HOME}/.local/share/pki |
| 13 | 13 | ||
| 14 | # noexec ${HOME} breaks DRM binaries. | 14 | # noexec ${HOME} breaks DRM binaries. |
| 15 | ignore noexec ${HOME} | 15 | ?BROWSER_ALLOW_DRM: ignore noexec ${HOME} |
| 16 | 16 | ||
| 17 | include disable-common.inc | 17 | include disable-common.inc |
| 18 | include disable-devel.inc | 18 | include disable-devel.inc |
diff --git a/etc/mpv.profile b/etc/mpv.profile index c2ae9c6f9..34542b11b 100644 --- a/etc/mpv.profile +++ b/etc/mpv.profile | |||
| @@ -1,6 +1,7 @@ | |||
| 1 | # Firejail profile for mpv | 1 | # Firejail profile for mpv |
| 2 | # Description: Video player based on MPlayer/mplayer2 | 2 | # Description: Video player based on MPlayer/mplayer2 |
| 3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
| 4 | quiet | ||
| 4 | # Persistent local customizations | 5 | # Persistent local customizations |
| 5 | include mpv.local | 6 | include mpv.local |
| 6 | # Persistent global definitions | 7 | # Persistent global definitions |
| @@ -44,4 +45,5 @@ shell none | |||
| 44 | tracelog | 45 | tracelog |
| 45 | 46 | ||
| 46 | private-bin mpv,youtube-dl,python*,env | 47 | private-bin mpv,youtube-dl,python*,env |
| 48 | private-cache | ||
| 47 | private-dev | 49 | private-dev |
diff --git a/etc/newsboat.profile b/etc/newsboat.profile new file mode 100644 index 000000000..e063abe53 --- /dev/null +++ b/etc/newsboat.profile | |||
| @@ -0,0 +1,47 @@ | |||
| 1 | # Firejail profile for Newsboat | ||
| 2 | # Description: RSS program | ||
| 3 | # This file is overwritten after every install/update | ||
| 4 | # Persistent local customizations | ||
| 5 | include newsboat.local | ||
| 6 | # Persistent global definitions | ||
| 7 | include globals.local | ||
| 8 | |||
| 9 | noblacklist ${HOME}/.newsboat | ||
| 10 | |||
| 11 | include disable-common.inc | ||
| 12 | include disable-devel.inc | ||
| 13 | include disable-exec.inc | ||
| 14 | include disable-interpreters.inc | ||
| 15 | include disable-passwdmgr.inc | ||
| 16 | include disable-programs.inc | ||
| 17 | include disable-xdg.inc | ||
| 18 | |||
| 19 | mkdir ${HOME}/.newsboat | ||
| 20 | whitelist ${HOME}/.newsboat | ||
| 21 | include whitelist-common.inc | ||
| 22 | include whitelist-var-common.inc | ||
| 23 | |||
| 24 | caps.drop all | ||
| 25 | ipc-namespace | ||
| 26 | netfilter | ||
| 27 | no3d | ||
| 28 | nodbus | ||
| 29 | nodvd | ||
| 30 | nogroups | ||
| 31 | nonewprivs | ||
| 32 | noroot | ||
| 33 | notv | ||
| 34 | nou2f | ||
| 35 | novideo | ||
| 36 | protocol inet,inet6 | ||
| 37 | seccomp | ||
| 38 | shell none | ||
| 39 | |||
| 40 | disable-mnt | ||
| 41 | private-bin newsboat | ||
| 42 | private-cache | ||
| 43 | private-dev | ||
| 44 | private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,terminfo | ||
| 45 | private-tmp | ||
| 46 | |||
| 47 | memory-deny-write-execute | ||