Add a profile for ncdu, enable private-etc in Steam again, and fixup gnome-recipes

author: Tad <tad@spotco.us> 2018-03-28 22:24:20 -0400
committer: Tad <tad@spotco.us> 2018-03-28 22:24:20 -0400
commit: 4c35ba3d383e1b749a61f245425cdf29812c1e0e (patch)
tree: 5b6140f693ef56244cd1b82b1437a10b7dadea2b /etc
parent: various blacklist additions (diff)
download: firejail-4c35ba3d383e1b749a61f245425cdf29812c1e0e.tar.gz
firejail-4c35ba3d383e1b749a61f245425cdf29812c1e0e.tar.zst
firejail-4c35ba3d383e1b749a61f245425cdf29812c1e0e.zip
3 files changed, 35 insertions, 4 deletions
diff --git a/etc/gnome-recipes.profile b/etc/gnome-recipes.profile
index 2392440a6..2f7657c0c 100644
--- a/etc/gnome-recipes.profile
+++ b/etc/gnome-recipes.profile
@@ -35,7 +35,7 @@ shell none
 disable-mnt
 private-bin gnome-recipes,tar
 private-dev
-private-etc ca-certificates,fonts,ssl
+private-etc ca-certificates,fonts,ssl,crypto-policies,pki
 # private-lib works for me with Gnome Shell 3.26.2, Mutter WM (Arch Linux)
 # not widely tested though, leaving it to devs discretion to enable it later
 #private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.4,libgnutls.so.30,libjpeg.so.8,libp11-kit.so.0,libproxy.so.1,librsvg-2.so.2
diff --git a/etc/ncdu.profile b/etc/ncdu.profile
new file mode 100644
index 000000000..ab79a325e
--- /dev/null
+++ b/etc/ncdu.profile
@@ -0,0 +1,29 @@
+# Firejail profile for ncdu
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/ncdu.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+caps.drop all
+ipc-namespace
+nodbus
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+private-dev
+# private-tmp
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/steam.profile b/etc/steam.profile
index 4965d3a54..e6449aa97 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -32,7 +32,9 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 caps.drop all
+#ipc-namespace
 netfilter
+#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -44,10 +46,10 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
 # tracelog disabled as it breaks integrated browser
-# tracelog
+#tracelog
 # private-dev should be commented for controllers
 private-dev
-# private-etc breaks some games
+# private-etc breaks a small selection of games on some systems, comment to support those
-#private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies
+private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies,alternatives
 private-tmp
author	Tad <tad@spotco.us>	2018-03-28 22:24:20 -0400
committer	Tad <tad@spotco.us>	2018-03-28 22:24:20 -0400
commit	4c35ba3d383e1b749a61f245425cdf29812c1e0e (patch)
tree	5b6140f693ef56244cd1b82b1437a10b7dadea2b /etc
parent	various blacklist additions (diff)
download	firejail-4c35ba3d383e1b749a61f245425cdf29812c1e0e.tar.gz firejail-4c35ba3d383e1b749a61f245425cdf29812c1e0e.tar.zst firejail-4c35ba3d383e1b749a61f245425cdf29812c1e0e.zip

diff --git a/etc/gnome-recipes.profile b/etc/gnome-recipes.profile index 2392440a6..2f7657c0c 100644 --- a/etc/gnome-recipes.profile +++ b/etc/gnome-recipes.profile
@@ -35,7 +35,7 @@ shell none
35	disable-mnt	35	disable-mnt
36	private-bin gnome-recipes,tar	36	private-bin gnome-recipes,tar
37	private-dev	37	private-dev
38	private-etc ca-certificates,fonts,ssl	38	private-etc ca-certificates,fonts,ssl,crypto-policies,pki
39	# private-lib works for me with Gnome Shell 3.26.2, Mutter WM (Arch Linux)	39	# private-lib works for me with Gnome Shell 3.26.2, Mutter WM (Arch Linux)
40	# not widely tested though, leaving it to devs discretion to enable it later	40	# not widely tested though, leaving it to devs discretion to enable it later
41	#private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.4,libgnutls.so.30,libjpeg.so.8,libp11-kit.so.0,libproxy.so.1,librsvg-2.so.2	41	#private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.4,libgnutls.so.30,libjpeg.so.8,libp11-kit.so.0,libproxy.so.1,librsvg-2.so.2


diff --git a/etc/ncdu.profile b/etc/ncdu.profile new file mode 100644 index 000000000..ab79a325e --- /dev/null +++ b/etc/ncdu.profile
@@ -0,0 +1,29 @@
		1	# Firejail profile for ncdu
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include /etc/firejail/ncdu.local
		5	# Persistent global definitions
		6	include /etc/firejail/globals.local
		7
		8	caps.drop all
		9	ipc-namespace
		10	nodbus
		11	net none
		12	no3d
		13	nodvd
		14	nogroups
		15	nonewprivs
		16	noroot
		17	nosound
		18	notv
		19	novideo
		20	protocol unix
		21	seccomp
		22	shell none
		23
		24	private-dev
		25	# private-tmp
		26
		27	memory-deny-write-execute
		28	noexec ${HOME}
		29	noexec /tmp


diff --git a/etc/steam.profile b/etc/steam.profile index 4965d3a54..e6449aa97 100644 --- a/etc/steam.profile +++ b/etc/steam.profile
@@ -32,7 +32,9 @@ include /etc/firejail/disable-programs.inc
32	include /etc/firejail/whitelist-var-common.inc	32	include /etc/firejail/whitelist-var-common.inc
33		33
34	caps.drop all	34	caps.drop all
		35	#ipc-namespace
35	netfilter	36	netfilter
		37	#nodbus
36	nodvd	38	nodvd
37	nogroups	39	nogroups
38	nonewprivs	40	nonewprivs
@@ -44,10 +46,10 @@ protocol unix,inet,inet6,netlink
44	seccomp	46	seccomp
45	shell none	47	shell none
46	# tracelog disabled as it breaks integrated browser	48	# tracelog disabled as it breaks integrated browser
47	# tracelog	49	#tracelog
48		50
49	# private-dev should be commented for controllers	51	# private-dev should be commented for controllers
50	private-dev	52	private-dev
51	# private-etc breaks some games	53	# private-etc breaks a small selection of games on some systems, comment to support those
52	#private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies	54	private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies,alternatives
53	private-tmp	55	private-tmp