author | Tad <tad@spotco.us> | 2017-09-16 14:11:43 -0400 |
---|---|---|
committer | Tad <tad@spotco.us> | 2017-09-18 18:24:13 -0400 |
commit | 3c3602fe4e747f3489c917f4de991c9043df9751 (patch) | |
tree | 052baee1387ce11b9ecd00e49a7c96d59f92d480 /etc | |
parent | Fixup 36 profiles (diff) | |
Harden 25 profiles
Diffstat (limited to 'etc')
-rw-r--r-- | etc/Viber.profile | 5 | ||||
-rw-r--r-- | etc/amule.profile | 9 | ||||
-rw-r--r-- | etc/ardour5.profile | 5 | ||||
-rw-r--r-- | etc/brackets.profile | 14 | ||||
-rw-r--r-- | etc/calligra.profile | 9 | ||||
-rw-r--r-- | etc/cin.profile | 7 | ||||
-rw-r--r-- | etc/dooble.profile | 12 | ||||
-rw-r--r-- | etc/fetchmail.profile | 9 | ||||
-rw-r--r-- | etc/freecad.profile | 5 | ||||
-rw-r--r-- | etc/google-earth.profile | 7 | ||||
-rw-r--r-- | etc/imagej.profile | 10 | ||||
-rw-r--r-- | etc/karbon.profile | 24 | ||||
-rw-r--r-- | etc/kdenlive.profile | 4 | ||||
-rw-r--r-- | etc/krita.profile | 7 | ||||
-rw-r--r-- | etc/linphone.profile | 16 | ||||
-rw-r--r-- | etc/lmms.profile | 10 | ||||
-rw-r--r-- | etc/macrofusion.profile | 9 | ||||
-rw-r--r-- | etc/mpd.profile | 13 | ||||
-rw-r--r-- | etc/natron.profile | 11 | ||||
-rw-r--r-- | etc/ricochet.profile | 10 | ||||
-rw-r--r-- | etc/shotcut.profile | 7 | ||||
-rw-r--r-- | etc/teamspeak3.profile | 16 | ||||
-rw-r--r-- | etc/tor-browser-en.profile | 8 | ||||
-rw-r--r-- | etc/tor.profile | 9 | ||||
-rw-r--r-- | etc/zart.profile | 6 |
25 files changed, 197 insertions, 45 deletions
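--- a/etc/Viber.profile
+++ b/etc/Viber.profile
@@ -19,11 +19,16 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 ipc-namespace
+netfilter
+nodvd
 nogroups
+nonewprivs
 noroot
+notv
 seccomp
 shell none
 
+disable-mnt
 private-bin sh,dig,awk
 private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf
 private-tmp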
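Review bot: The new `netfilter` on line 22 is not paired with a `protocol` line, although every other network-enabled profile in this commit (dooble, google-earth, linphone, ricochet, teamspeak3, tor-browser-en) adds `protocol unix,inet,inet6`; without it the socket families the jail may open are not restricted at all. The profile also does not get the `noexec ${HOME}` / `noexec /tmp` pair that amule, dooble and linphone receive in the same change, while `private-bin sh,dig,awk` keeps a shell available inside the sandbox. I would add `protocol unix,inet,inet6` after `notv` and `noexec ${HOME}` / `noexec /tmp` after `private-tmp`.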
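--- a/etc/amule.profile
+++ b/etc/amule.profile
@@ -19,12 +19,21 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 ipc-namespace
+netfilter
+no3d
+nodvd
 nogroups
 nonewprivs
 noroot
+nosound
+notv
+novideo
 seccomp
 shell none
 
 private-bin amule
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp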
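Review bot: `netfilter` is added on line 22 but no `protocol` line accompanies it, unlike the other networked profiles in this commit, which add `protocol unix,inet,inet6` next to their no* options. As far as I can tell aMule only needs unix and inet/inet6 sockets, so the same `protocol unix,inet,inet6` line after `novideo` would fit here; otherwise socket families stay unrestricted. The rest of the additions match the series.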
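--- a/etc/ardour5.profile
+++ b/etc/ardour5.profile
@@ -19,8 +19,11 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodvd
 nogroups
+nonewprivs
 noroot
+notv
 seccomp
 shell none
 
@@ -29,5 +32,5 @@ private-dev
 #private-etc pulse,X11,alternatives,ardour4,ardour5,fonts
 private-tmp
 
-noexec /home
+noexec ${HOME}
 noexec /tmp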
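Review bot: The first hunk adds nodvd/nonewprivs/notv under `net none` but, unlike the other `net none` profiles touched in this commit (calligra, cin, freecad, krita, lmms, zart), does not add `protocol unix`; with no network namespace the only socket family the application should still need is unix, so `protocol unix` after `notv` would bring it in line with the rest. The second hunk's change to `noexec ${HOME}` is the right direction, since `/home` misses home directories mounted elsewhere.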
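--- a/etc/brackets.profile
+++ b/etc/brackets.profile
@@ -14,12 +14,16 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
-# Comment out or use --ignore=net if you want to install extensions or themes
-net none
-# Disable these if you use live preview (until I figure out a workaround)
-# Doing so should be relatively safe since there is no network access
+netfilter
+nodvd
+nogroups
+nonewprivs
 noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
 seccomp
+shell none
 
-private-bin bash,brackets,readlink,dirname,google-chrome,cat
 private-dev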
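Review bot: This section loosens the profile rather than hardening it: `net none` (old line 18) becomes `netfilter`, the comments on old lines 17, 19 and 20 that told users how to re-enable networking are dropped, and `private-bin bash,brackets,readlink,dirname,google-chrome,cat` (old line 24) is removed outright, with nothing in the commit explaining why. If network access is now required for extension installs or live preview, record it so the change is not read as an oversight, e.g. `# Brackets needs network for extensions/themes and live preview; put 'net none' in brackets.local to block it`. Removing private-bin also restores access to every binary on the system; if the list was breaking the launcher, keeping it commented out (as shotcut and fetchmail do in this same commit) preserves it for later.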
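--- a/etc/calligra.profile
+++ b/etc/calligra.profile
@@ -12,15 +12,18 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 ipc-namespace
-net none
+nodvd
 nogroups
+nonewprivs
 noroot
+notv
+novideo
+protocol unix
 seccomp
 shell none
 
 private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch
 private-dev
-#private-etc fonts,passwd,alternatives,X11
 
-noexec /home
+noexec ${HOME}
 noexec /tmp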
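Review bot: `net none` on old line 15 is replaced by `nodvd`, leaving the new `protocol unix` on line 21 as the only network restriction. That blocks creating inet/inet6 sockets but keeps the host's network namespace visible, whereas freecad, krita and cin in this same commit keep `net none` and add `protocol unix` on top of it. Unless dropping the namespace was needed for something specific (nothing in the diff shows it), I would keep `net none` and add `protocol unix` as the others do, or leave a comment such as `# net none removed: <reason>` so the regression is deliberate.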
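--- a/etc/cin.profile
+++ b/etc/cin.profile
@@ -15,14 +15,17 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodvd
 nogroups
+nonewprivs
+notv
 noroot
+protocol unix
 seccomp
 shell none
 
 private-bin cin
 private-dev
-#private-etc fonts,pulse
 
-noexec /home
+noexec ${HOME}
 noexec /tmp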
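Review bot: The new lines put `notv` (line 21) before `noroot` (line 22), breaking the alphabetical order of the no* options that every other profile in this commit keeps (nonewprivs, noroot, nosound, notv, novideo); swapping the two lines avoids a spurious diff the next time the list is regenerated. The `protocol unix` addition is consistent with `net none` on line 17, and the move to `noexec ${HOME}` matches the other profiles.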
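--- a/etc/dooble.profile
+++ b/etc/dooble.profile
@@ -20,8 +20,20 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodvd
+nogroups
 nonewprivs
 noroot
+notv
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
+shell none
 tracelog
+
+disable-mnt
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp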
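--- a/etc/fetchmail.profile
+++ b/etc/fetchmail.profile
@@ -12,11 +12,18 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+netfilter
+no3d
+nodvd
 nogroups
+nonewprivs
 noroot
 nosound
+notv
+novideo
+protocol unix,inet,inet6
 seccomp
+shell none
 
 # private-bin fetchmail,procmail,bash,chmod
 private-dev
-# private-etc passwd,hosts,resolv.conf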
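--- a/etc/freecad.profile
+++ b/etc/freecad.profile
@@ -16,16 +16,19 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodvd
 nogroups
+nonewprivs
 noroot
 nosound
+notv
+novideo
 protocol unix
 seccomp
 shell none
 
 private-bin freecad,freecadcmd
 private-dev
-#private-etc fonts,passwd,alternatives,X11
 private-tmp
 
 noexec ${HOME}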
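--- a/etc/google-earth.profile
+++ b/etc/google-earth.profile
@@ -21,14 +21,19 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 ipc-namespace
+netfilter
+nodvd
 nogroups
+nonewprivs
 noroot
+notv
+novideo
+protocol unix,inet,inet6
 seccomp
 shell none
 
 private-bin google-earth,sh,grep,sed,ls,dirname
 private-dev
-#private-etc fonts,resolv.conf,X11,alternatives,pulse
 
 noexec ${HOME}
 noexec /tmp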
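--- a/etc/imagej.profile
+++ b/etc/imagej.profile
@@ -16,12 +16,20 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodvd
 nogroups
 nonewprivs
 noroot
+nosound
+notv
+novideo
+protocol unix
 seccomp
+shell none
 
 private-bin imagej,bash,grep,sort,tail,tr,cut,whoami,hostname,uname,mkdir,ls,touch,free,awk,update-java-alternatives,basename,xprop,rm,ln
 private-dev
-# private-etc passwd,alternatives,hosts,fonts,X11
 private-tmp
+
+noexec ${HOME}
+noexec /tmp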
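Review bot: `noexec ${HOME}` on line 34 is likely to break this profile whenever ImageJ is installed under the user's home directory, which is how the upstream tarball is commonly deployed: the `private-bin` wrapper on line 30 runs `bash` and `update-java-alternatives`, and a bundled JRE under ${HOME} would no longer be executable. If the profile targets a distribution package installed under /usr, a comment saying so (`# assumes a packaged ImageJ; a tarball install under $HOME needs 'ignore noexec' in imagej.local`) would prevent that confusion. I can't tell from the diff which layout the author tested.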
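--- a/etc/karbon.profile
+++ b/etc/karbon.profile
@@ -1,25 +1,5 @@
-# Firejail profile for karbon
+# Firejail profile alias for krita
 # This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/karbon.local
-# Persistent global definitions
-include /etc/firejail/globals.local
 
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-ipc-namespace
-net none
-nogroups
-noroot
-seccomp
-shell none
-
-private-dev
-
-noexec /home
-noexec /tmp
+include /etc/firejail/krita.profile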
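Review bot: The alias drops `include /etc/firejail/karbon.local` (old line 4) and `include /etc/firejail/globals.local` (old line 6); krita.profile presumably pulls in krita.local instead, so any customizations a user kept in karbon.local are now silently ignored. Keeping `include /etc/firejail/karbon.local` above `include /etc/firejail/krita.profile` preserves the documented override point at no cost. Note also that the inherited krita profile keeps `noexec /home` rather than `noexec ${HOME}`, so karbon does not get the fix the other profiles in this commit receive.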
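--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -13,8 +13,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
+nodvd
 nogroups
+nonewprivs
 noroot
+notv
+protocol unix,inet,inet6
 seccomp
 shell none
 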
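Review bot: `protocol unix,inet,inet6` on line 21 sits under `net none` on line 15; with the network namespace removed the inet/inet6 families are unusable, so listing them only widens the socket allowlist for no benefit. The other `net none` profiles in this commit (calligra, cin, freecad, krita, lmms, shotcut, zart) use `protocol unix`, which is what I would use here too.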
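--- a/etc/krita.profile
+++ b/etc/krita.profile
@@ -14,12 +14,19 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodvd
 nogroups
+nonewprivs
 noroot
+nosound
+notv
+novideo
+protocol unix
 seccomp
 shell none
 
 private-dev
+private-tmp
 
 noexec /home
 noexec /tmp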
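Review bot: `noexec /home` on line 31 is left untouched while ardour5, calligra, cin, lmms and ricochet in this commit move to `noexec ${HOME}`, which also covers home directories that are not under /home; since karbon.profile now aliases this file, both profiles inherit the gap. Change it to `noexec ${HOME}`. The rest of the additions match the other `net none` profiles in the series.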
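--- a/etc/linphone.profile
+++ b/etc/linphone.profile
@@ -21,5 +21,21 @@ whitelist ${HOME}/Downloads
 include /etc/firejail/whitelist-common.inc
 
 caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
 noroot
+notv
+novideo
+protocol unix,inet,inet6
 seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp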
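Review bot: `novideo` on line 31 removes the video devices from a video-telephony client, so video calls will not work inside the sandbox; if that is deliberate it deserves a comment, otherwise drop it or add `# video calls need 'ignore novideo' in linphone.local`. The remaining additions (netfilter, protocol unix,inet,inet6, disable-mnt, private-dev, noexec) are consistent with the other network clients in this commit.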
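--- a/etc/lmms.profile
+++ b/etc/lmms.profile
@@ -16,13 +16,19 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+no3d
+nodvd
 nogroups
+nonewprivs
 noroot
+notv
+novideo
+protocol unix
 seccomp
 shell none
 
 private-dev
-private-etc fonts,pulse
+private-tmp
 
-noexec /home
+noexec ${HOME}
 noexec /tmp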
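Review bot: `private-etc fonts,pulse` (old line 25) is deleted and replaced in place by the unrelated `private-tmp`, with no indication why; the private-etc lines dropped elsewhere in this commit were already commented out, so this is the only profile that loses a live /etc restriction. If the list was breaking LMMS, keep it as `#private-etc fonts,pulse` with a short reason so the known-needed entries are not lost and the line can be revisited.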
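--- a/etc/macrofusion.profile
+++ b/etc/macrofusion.profile
@@ -16,13 +16,20 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodvd
 nogroups
 nonewprivs
 noroot
+nosound
+notv
+novideo
+protocol unix
 seccomp
 shell none
 
 #private-bin python3,macrofusion,env,enfuse,exiftool,align_image_stack
 private-dev
-#private-etc fonts
 private-tmp
+
+noexec ${HOME}
+noexec /tmp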
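--- a/etc/mpd.profile
+++ b/etc/mpd.profile
@@ -14,8 +14,21 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
 noroot
+notv
+novideo
+protocol unix,inet,inet6
 seccomp
+shell none
 
 #private-bin mpd,bash
 private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp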
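Review bot: mpd is a network daemon, and as I read Firejail's default client ruleset the `netfilter` added on line 17 drops unsolicited inbound connections, so remote clients on port 6600 will no longer reach it and only loopback clients keep working. If the profile is meant for local-only use, a comment such as `# netfilter blocks remote clients; use --netfilter=<file> to allow port 6600` would save users the debugging. `private-tmp` on line 31 likewise hides any socket or fifo mpd is configured to create under /tmp, which is worth noting for the same reason.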
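--- a/etc/natron.profile
+++ b/etc/natron.profile
@@ -16,11 +16,18 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
-ipc-namespace
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
 shell none
 
 private-bin natron
-#private-etc fonts,X11,pulse
 
 noexec ${HOME}
 noexec /tmp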
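Review bot: `ipc-namespace` (old line 19) is replaced by `caps.drop all` rather than kept next to it, so the profile loses the IPC isolation it already had while gaining the new restrictions; nothing in the diff says Natron needs shared System V IPC. I would restore `ipc-namespace` directly under `caps.drop all`, and for consistency with the sibling editors in this commit (shotcut, kdenlive, cin) consider `private-dev` and `private-tmp` under `private-bin natron` as well.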
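--- a/etc/ricochet.profile
+++ b/etc/ricochet.profile
@@ -19,14 +19,22 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 ipc-namespace
+netfilter
+no3d
+nodvd
 nogroups
+nonewprivs
 noroot
+notv
+novideo
+protocol unix,inet,inet6
 seccomp
 shell none
 
+disable-mnt
 private-bin ricochet,tor
 private-dev
 #private-etc fonts,tor,X11,alternatives
 
-noexec /home
+noexec ${HOME}
 noexec /tmp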
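--- a/etc/shotcut.profile
+++ b/etc/shotcut.profile
@@ -15,14 +15,17 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
+nodvd
 nogroups
+nonewprivs
 noroot
+notv
+protocol unix
 seccomp
 shell none
 
-private-bin shotcut,melt,qmelt,nice
+#private-bin shotcut,melt,qmelt,nice
 private-dev
-#private-etc X11,alternatives,pulse,fonts
 
 noexec ${HOME}
 noexec /tmp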
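Review bot: `private-bin shotcut,melt,qmelt,nice` is commented out on line 27 with no reason recorded, which makes it likely that someone re-enables it and hits the same breakage. A one-line note next to it, e.g. `# private-bin disabled: <what failed>`, keeps the list useful; the same applies to the `#private-etc` entry removed on old line 25, which was the only record of the /etc entries the app is known to need. The `protocol unix` addition is consistent with `net none` on line 17.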
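--- a/etc/teamspeak3.profile
+++ b/etc/teamspeak3.profile
@@ -19,7 +19,23 @@ whitelist ${HOME}/.ts3client
 include /etc/firejail/whitelist-common.inc
 
 caps.drop all
+ipc-namespace
 netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
 noroot
+notv
+novideo
 protocol unix,inet,inet6
 seccomp
+shell none
+
+disable-mnt
+private
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp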
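Review bot: The new `private` on line 36 conflicts with the `whitelist ${HOME}/.ts3client` visible in the hunk header: `private` replaces the home directory with an empty temporary filesystem that is discarded on exit, so if it takes precedence over the whitelist the client's identities and server list in .ts3client are neither visible nor saved between runs. Either drop `private` and rely on the whitelist, or drop the whitelist and document that nothing persists. The whitelist lines before line 19 are outside this hunk, so I can't see whether other paths are affected.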
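--- a/etc/tor-browser-en.profile
+++ b/etc/tor-browser-en.profile
@@ -17,10 +17,18 @@ whitelist ${HOME}/.tor-browser-en
 include /etc/firejail/whitelist-common.inc
 
 caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
 noroot
+notv
+novideo
+protocol unix,inet,inet6
 seccomp
 shell none
 
+disable-mnt
 private-bin bash,grep,sed,tail,tor-browser-en,env,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf,file,expr
 private-tmp
 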
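Review bot: This section adds the usual no* and protocol lines but not `private-dev`, which most profiles in this commit already have or receive (dooble, linphone, teamspeak3 get it in the same change); as far as I can tell Tor Browser needs nothing beyond the devices private-dev keeps, so `private-dev` next to `private-tmp` on line 33 would be consistent. The `private-bin` list on line 32 also names `sed` twice, which is harmless but worth trimming.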
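--- a/etc/tor.profile
+++ b/etc/tor.profile
@@ -23,16 +23,25 @@ include /etc/firejail/disable-programs.inc
 
 caps.keep setuid,setgid,net_bind_service,dac_read_search
 ipc-namespace
+netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 nosound
+notv
+novideo
+protocol unix,inet,inet6
 seccomp
 shell none
 writable-var
 
+disable-mnt
 private
 private-bin tor,bash
 private-dev
 private-etc tor,passwd
 private-tmp
+
+noexec ${HOME}
+noexec /tmp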
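Review bot: `netfilter` on line 26 installs Firejail's default client ruleset, which as I read it drops unsolicited inbound connections; that is fine for a client-only tor but breaks a relay or bridge, and the retained `caps.keep ... net_bind_service` on line 24 suggests listening on privileged ports is anticipated. Either state the intended use next to it, e.g. `# client-only: netfilter drops inbound ORPort/DirPort traffic`, or leave `netfilter` out so relay operators do not have to debug it. The rest of the additions match the other network profiles in the commit.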
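--- a/etc/zart.profile
+++ b/etc/zart.profile
@@ -14,7 +14,13 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodvd
+nogroups
+nonewprivs
 noroot
+notv
+novideo
+protocol unix
 seccomp
 shell none
 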