Harden 19 more profiles

author: Tad <tad@spotco.us> 2017-04-15 16:07:25 -0400
committer: Tad <tad@spotco.us> 2017-04-15 16:07:25 -0400
commit: b7d51c2df6fb62d7830bdd3a873fff618adb00dc (patch)
tree: b7970715f4f36fda11c39c34655fded68b354230 /etc
parent: Harden dino (diff)
download: firejail-b7d51c2df6fb62d7830bdd3a873fff618adb00dc.tar.gz
firejail-b7d51c2df6fb62d7830bdd3a873fff618adb00dc.tar.zst
firejail-b7d51c2df6fb62d7830bdd3a873fff618adb00dc.zip
19 files changed, 92 insertions, 9 deletions
diff --git a/etc/bless.profile b/etc/bless.profile
index 08a756989..ac4c08fb0 100644
--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -17,6 +17,7 @@ include /etc/firejail/disable-devel.inc
 #Options
 caps.drop all
+net none
 netfilter
 nogroups
 nonewprivs
diff --git a/etc/eog.profile b/etc/eog.profile
index c5afec7fa..7c2cd557c 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -11,7 +11,9 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+net none
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
@@ -24,3 +26,6 @@ private-bin eog
 private-dev
 private-etc fonts
 private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/evince.profile b/etc/evince.profile
index 94cefdd8b..ae50425b9 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -13,6 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
 #net none - creates some problems on some distributions
+no3d
 nogroups
 nonewprivs
 noroot
@@ -27,3 +28,6 @@ private-dev
 private-etc fonts
 # evince needs access to /tmp/mozilla* to work in firefox
 # private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/evolution.profile b/etc/evolution.profile
index cb6615716..04bf480ff 100644
--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -9,6 +9,7 @@ noblacklist ~/.cache/evolution
 noblacklist ~/.pki
 noblacklist ~/.pki/nssdb
 noblacklist ~/.gnupg
+noblacklist ~/.bogofilter
 noblacklist /var/spool/mail
 noblacklist /var/mail
@@ -20,6 +21,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
@@ -30,3 +32,6 @@ shell none
 private-dev
 private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index 804d20ce1..a3f687651 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -9,13 +9,15 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+net none
+netfilter
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
 protocol unix
 seccomp
-netfilter
 shell none
 tracelog
@@ -23,3 +25,6 @@ tracelog
 # private-tmp
 private-dev
 # private-etc fonts
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gedit.profile b/etc/gedit.profile
index 9f4eee9b3..07bdb1bbe 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -14,17 +14,22 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+netfilter
+net none
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
 protocol unix
 seccomp
-netfilter
 shell none
 tracelog
 # private-bin gedit
-private-tmp
 private-dev
 # private-etc fonts
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gimp.profile b/etc/gimp.profile
index 4088bd680..5f8ccb4fb 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -10,16 +10,18 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
+net none
 nogroups
 nonewprivs
 noroot
 nosound
 protocol unix
 seccomp
+shell none
 # gimp plugins are installed by the user in ~/.gimp-2.8/plug-ins/ directory
 # if you are not using external plugins, you can enable noexec statement below
-# noexec ${HOME} 
+# noexec ${HOME}
 noexec /tmp
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index 714a97650..f5d952e3d 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -17,7 +17,19 @@ include /etc/firejail/whitelist-common.inc
 #Options
 caps.drop all
 netfilter
+#net none                                     
+no3d
 nonewprivs
 noroot
+nosound
 protocol unix,inet,inet6
 seccomp
+shell none
+private-bin gnome-calculator
+private-dev
+private-etc fonts
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index 53f447f7e..d24f492d8 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -13,6 +13,7 @@ include /etc/firejail/disable-devel.inc
 caps.drop all
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
@@ -30,3 +31,6 @@ private-bin hexchat
 #debug note: private-bin requires perl, python, etc on some systems
 private-dev
 private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
index 1802c59fd..e0184908b 100644
--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -16,6 +16,7 @@ include /etc/firejail/disable-devel.inc
 #Options
 caps.drop all
+net none
 netfilter
 nogroups
 nonewprivs
diff --git a/etc/keepass.profile b/etc/keepass.profile
index d269c3e8a..abe52eca3 100644
--- a/etc/keepass.profile
+++ b/etc/keepass.profile
@@ -15,14 +15,18 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+netfilter
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
 protocol unix,inet,inet6
 seccomp
-netfilter
 shell none
-private-tmp
 private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/keepassx.profile b/etc/keepassx.profile
index 379b8a668..845a1bcc9 100644
--- a/etc/keepassx.profile
+++ b/etc/keepassx.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 net none
+no3d
 nogroups
 nonewprivs
 noroot
@@ -28,3 +29,6 @@ private-bin keepassx
 private-etc fonts
 private-dev
 private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/keepassx2.profile b/etc/keepassx2.profile
index a21caf3f1..32dddc2fe 100644
--- a/etc/keepassx2.profile
+++ b/etc/keepassx2.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 net none
+no3d
 nogroups
 nonewprivs
 noroot
@@ -24,6 +25,9 @@ seccomp
 shell none
 private-bin keepassx2
-private-etc fonts
 private-dev
+private-etc fonts
 private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile
index 654a30682..369d4a5ae 100644
--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -16,6 +16,7 @@ include /etc/firejail/disable-passwdmgr.inc
 # To use KeePassHTTP, comment out `net none`
 caps.drop all
 net none
+no3d
 nogroups
 nonewprivs
 noroot
@@ -25,6 +26,9 @@ seccomp
 shell none
 private-bin keepassxc
-private-etc fonts
 private-dev
+private-etc fonts
 private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index 685073e7c..dda4e6ab9 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -17,7 +17,12 @@ nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
 tracelog
 private-dev
 # whitelist /tmp/.X11-unix/
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/mumble.profile b/etc/mumble.profile
index d5405a6ae..c5c6a4d1a 100644
--- a/etc/mumble.profile
+++ b/etc/mumble.profile
@@ -18,6 +18,7 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 netfilter
+no3d
 nonewprivs
 nogroups
 noroot
@@ -28,3 +29,6 @@ tracelog
 private-bin mumble
 private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
index c37ccba09..523c11f26 100644
--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-devel.inc
 #Options
 caps.drop all
+net none
 netfilter
 nogroups
 nonewprivs
diff --git a/etc/totem.profile b/etc/totem.profile
index 0b3942cf0..fadfbb00b 100644
--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -12,8 +12,18 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+netfilter
+nogroups
 nonewprivs
 noroot
-netfilter
 protocol unix,inet,inet6
 seccomp
+shell none
+private-bin totem
+private-dev
+private-etc fonts
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/vlc.profile b/etc/vlc.profile
index 0c96f0108..21282dfbd 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -22,3 +22,6 @@ shell none
 private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
 # private-dev
 private-tmp
+noexec ${HOME}
+noexec /tmp
author	Tad <tad@spotco.us>	2017-04-15 16:07:25 -0400
committer	Tad <tad@spotco.us>	2017-04-15 16:07:25 -0400
commit	b7d51c2df6fb62d7830bdd3a873fff618adb00dc (patch)
tree	b7970715f4f36fda11c39c34655fded68b354230 /etc
parent	Harden dino (diff)
download	firejail-b7d51c2df6fb62d7830bdd3a873fff618adb00dc.tar.gz firejail-b7d51c2df6fb62d7830bdd3a873fff618adb00dc.tar.zst firejail-b7d51c2df6fb62d7830bdd3a873fff618adb00dc.zip

diff --git a/etc/bless.profile b/etc/bless.profile index 08a756989..ac4c08fb0 100644 --- a/etc/bless.profile +++ b/etc/bless.profile
@@ -17,6 +17,7 @@ include /etc/firejail/disable-devel.inc
17		17
18	#Options	18	#Options
19	caps.drop all	19	caps.drop all
		20	net none
20	netfilter	21	netfilter
21	nogroups	22	nogroups
22	nonewprivs	23	nonewprivs


diff --git a/etc/eog.profile b/etc/eog.profile index c5afec7fa..7c2cd557c 100644 --- a/etc/eog.profile +++ b/etc/eog.profile
@@ -11,7 +11,9 @@ include /etc/firejail/disable-devel.inc
11	include /etc/firejail/disable-passwdmgr.inc	11	include /etc/firejail/disable-passwdmgr.inc
12		12
13	caps.drop all	13	caps.drop all
		14	net none
14	netfilter	15	netfilter
		16	no3d
15	nogroups	17	nogroups
16	nonewprivs	18	nonewprivs
17	noroot	19	noroot
@@ -24,3 +26,6 @@ private-bin eog
24	private-dev	26	private-dev
25	private-etc fonts	27	private-etc fonts
26	private-tmp	28	private-tmp
		29
		30	noexec ${HOME}
		31	noexec /tmp


diff --git a/etc/evince.profile b/etc/evince.profile index 94cefdd8b..ae50425b9 100644 --- a/etc/evince.profile +++ b/etc/evince.profile
@@ -13,6 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc
13	caps.drop all	13	caps.drop all
14	netfilter	14	netfilter
15	#net none - creates some problems on some distributions	15	#net none - creates some problems on some distributions
		16	no3d
16	nogroups	17	nogroups
17	nonewprivs	18	nonewprivs
18	noroot	19	noroot
@@ -27,3 +28,6 @@ private-dev
27	private-etc fonts	28	private-etc fonts
28	# evince needs access to /tmp/mozilla* to work in firefox	29	# evince needs access to /tmp/mozilla* to work in firefox
29	# private-tmp	30	# private-tmp
		31
		32	noexec ${HOME}
		33	noexec /tmp


diff --git a/etc/evolution.profile b/etc/evolution.profile index cb6615716..04bf480ff 100644 --- a/etc/evolution.profile +++ b/etc/evolution.profile
@@ -9,6 +9,7 @@ noblacklist ~/.cache/evolution
9	noblacklist ~/.pki	9	noblacklist ~/.pki
10	noblacklist ~/.pki/nssdb	10	noblacklist ~/.pki/nssdb
11	noblacklist ~/.gnupg	11	noblacklist ~/.gnupg
		12	noblacklist ~/.bogofilter
12		13
13	noblacklist /var/spool/mail	14	noblacklist /var/spool/mail
14	noblacklist /var/mail	15	noblacklist /var/mail
@@ -20,6 +21,7 @@ include /etc/firejail/disable-passwdmgr.inc
20		21
21	caps.drop all	22	caps.drop all
22	netfilter	23	netfilter
		24	no3d
23	nogroups	25	nogroups
24	nonewprivs	26	nonewprivs
25	noroot	27	noroot
@@ -30,3 +32,6 @@ shell none
30		32
31	private-dev	33	private-dev
32	private-tmp	34	private-tmp
		35
		36	noexec ${HOME}
		37	noexec /tmp


diff --git a/etc/file-roller.profile b/etc/file-roller.profile index 804d20ce1..a3f687651 100644 --- a/etc/file-roller.profile +++ b/etc/file-roller.profile
@@ -9,13 +9,15 @@ include /etc/firejail/disable-devel.inc
9	include /etc/firejail/disable-passwdmgr.inc	9	include /etc/firejail/disable-passwdmgr.inc
10		10
11	caps.drop all	11	caps.drop all
		12	net none
		13	netfilter
		14	no3d
12	nogroups	15	nogroups
13	nonewprivs	16	nonewprivs
14	noroot	17	noroot
15	nosound	18	nosound
16	protocol unix	19	protocol unix
17	seccomp	20	seccomp
18	netfilter
19	shell none	21	shell none
20	tracelog	22	tracelog
21		23
@@ -23,3 +25,6 @@ tracelog
23	# private-tmp	25	# private-tmp
24	private-dev	26	private-dev
25	# private-etc fonts	27	# private-etc fonts
		28
		29	noexec ${HOME}
		30	noexec /tmp


diff --git a/etc/gedit.profile b/etc/gedit.profile index 9f4eee9b3..07bdb1bbe 100644 --- a/etc/gedit.profile +++ b/etc/gedit.profile
@@ -14,17 +14,22 @@ include /etc/firejail/disable-programs.inc
14	include /etc/firejail/disable-passwdmgr.inc	14	include /etc/firejail/disable-passwdmgr.inc
15		15
16	caps.drop all	16	caps.drop all
		17	netfilter
		18	net none
		19	no3d
17	nogroups	20	nogroups
18	nonewprivs	21	nonewprivs
19	noroot	22	noroot
20	nosound	23	nosound
21	protocol unix	24	protocol unix
22	seccomp	25	seccomp
23	netfilter
24	shell none	26	shell none
25	tracelog	27	tracelog
26		28
27	# private-bin gedit	29	# private-bin gedit
28	private-tmp
29	private-dev	30	private-dev
30	# private-etc fonts	31	# private-etc fonts
		32	private-tmp
		33
		34	noexec ${HOME}
		35	noexec /tmp


diff --git a/etc/gimp.profile b/etc/gimp.profile index 4088bd680..5f8ccb4fb 100644 --- a/etc/gimp.profile +++ b/etc/gimp.profile
@@ -10,16 +10,18 @@ include /etc/firejail/disable-passwdmgr.inc
10		10
11	caps.drop all	11	caps.drop all
12	netfilter	12	netfilter
		13	net none
13	nogroups	14	nogroups
14	nonewprivs	15	nonewprivs
15	noroot	16	noroot
16	nosound	17	nosound
17	protocol unix	18	protocol unix
18	seccomp	19	seccomp
		20	shell none
19		21
20	# gimp plugins are installed by the user in ~/.gimp-2.8/plug-ins/ directory	22	# gimp plugins are installed by the user in ~/.gimp-2.8/plug-ins/ directory
21	# if you are not using external plugins, you can enable noexec statement below	23	# if you are not using external plugins, you can enable noexec statement below
22	# noexec ${HOME}	24	# noexec ${HOME}
23		25
24	noexec /tmp	26	noexec /tmp
25		27


diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile index 714a97650..f5d952e3d 100644 --- a/etc/gnome-calculator.profile +++ b/etc/gnome-calculator.profile
@@ -17,7 +17,19 @@ include /etc/firejail/whitelist-common.inc
17	#Options	17	#Options
18	caps.drop all	18	caps.drop all
19	netfilter	19	netfilter
		20	#net none
		21	no3d
20	nonewprivs	22	nonewprivs
21	noroot	23	noroot
		24	nosound
22	protocol unix,inet,inet6	25	protocol unix,inet,inet6
23	seccomp	26	seccomp
		27	shell none
		28
		29	private-bin gnome-calculator
		30	private-dev
		31	private-etc fonts
		32	private-tmp
		33
		34	noexec ${HOME}
		35	noexec /tmp


diff --git a/etc/hexchat.profile b/etc/hexchat.profile index 53f447f7e..d24f492d8 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile
@@ -13,6 +13,7 @@ include /etc/firejail/disable-devel.inc
13		13
14	caps.drop all	14	caps.drop all
15	netfilter	15	netfilter
		16	no3d
16	nogroups	17	nogroups
17	nonewprivs	18	nonewprivs
18	noroot	19	noroot
@@ -30,3 +31,6 @@ private-bin hexchat
30	#debug note: private-bin requires perl, python, etc on some systems	31	#debug note: private-bin requires perl, python, etc on some systems
31	private-dev	32	private-dev
32	private-tmp	33	private-tmp
		34
		35	noexec ${HOME}
		36	noexec /tmp


diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile index 1802c59fd..e0184908b 100644 --- a/etc/jd-gui.profile +++ b/etc/jd-gui.profile
@@ -16,6 +16,7 @@ include /etc/firejail/disable-devel.inc
16		16
17	#Options	17	#Options
18	caps.drop all	18	caps.drop all
		19	net none
19	netfilter	20	netfilter
20	nogroups	21	nogroups
21	nonewprivs	22	nonewprivs


diff --git a/etc/keepass.profile b/etc/keepass.profile index d269c3e8a..abe52eca3 100644 --- a/etc/keepass.profile +++ b/etc/keepass.profile
@@ -15,14 +15,18 @@ include /etc/firejail/disable-devel.inc
15	include /etc/firejail/disable-passwdmgr.inc	15	include /etc/firejail/disable-passwdmgr.inc
16		16
17	caps.drop all	17	caps.drop all
		18	netfilter
		19	no3d
18	nogroups	20	nogroups
19	nonewprivs	21	nonewprivs
20	noroot	22	noroot
21	nosound	23	nosound
22	protocol unix,inet,inet6	24	protocol unix,inet,inet6
23	seccomp	25	seccomp
24	netfilter
25	shell none	26	shell none
26		27
27	private-tmp
28	private-dev	28	private-dev
		29	private-tmp
		30
		31	noexec ${HOME}
		32	noexec /tmp


diff --git a/etc/keepassx.profile b/etc/keepassx.profile index 379b8a668..845a1bcc9 100644 --- a/etc/keepassx.profile +++ b/etc/keepassx.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-passwdmgr.inc
15		15
16	caps.drop all	16	caps.drop all
17	net none	17	net none
		18	no3d
18	nogroups	19	nogroups
19	nonewprivs	20	nonewprivs
20	noroot	21	noroot
@@ -28,3 +29,6 @@ private-bin keepassx
28	private-etc fonts	29	private-etc fonts
29	private-dev	30	private-dev
30	private-tmp	31	private-tmp
		32
		33	noexec ${HOME}
		34	noexec /tmp


diff --git a/etc/keepassx2.profile b/etc/keepassx2.profile index a21caf3f1..32dddc2fe 100644 --- a/etc/keepassx2.profile +++ b/etc/keepassx2.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-passwdmgr.inc
15		15
16	caps.drop all	16	caps.drop all
17	net none	17	net none
		18	no3d
18	nogroups	19	nogroups
19	nonewprivs	20	nonewprivs
20	noroot	21	noroot
@@ -24,6 +25,9 @@ seccomp
24	shell none	25	shell none
25		26
26	private-bin keepassx2	27	private-bin keepassx2
27	private-etc fonts
28	private-dev	28	private-dev
		29	private-etc fonts
29	private-tmp	30	private-tmp
		31
		32	noexec ${HOME}
		33	noexec /tmp


diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile index 654a30682..369d4a5ae 100644 --- a/etc/keepassxc.profile +++ b/etc/keepassxc.profile
@@ -16,6 +16,7 @@ include /etc/firejail/disable-passwdmgr.inc
16	# To use KeePassHTTP, comment out `net none`	16	# To use KeePassHTTP, comment out `net none`
17	caps.drop all	17	caps.drop all
18	net none	18	net none
		19	no3d
19	nogroups	20	nogroups
20	nonewprivs	21	nonewprivs
21	noroot	22	noroot
@@ -25,6 +26,9 @@ seccomp
25	shell none	26	shell none
26		27
27	private-bin keepassxc	28	private-bin keepassxc
28	private-etc fonts
29	private-dev	29	private-dev
		30	private-etc fonts
30	private-tmp	31	private-tmp
		32
		33	noexec ${HOME}
		34	noexec /tmp


diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index 685073e7c..dda4e6ab9 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile
@@ -17,7 +17,12 @@ nonewprivs
17	noroot	17	noroot
18	protocol unix,inet,inet6	18	protocol unix,inet,inet6
19	seccomp	19	seccomp
		20	shell none
20	tracelog	21	tracelog
21		22
22	private-dev	23	private-dev
23	# whitelist /tmp/.X11-unix/	24	# whitelist /tmp/.X11-unix/
		25
		26	noexec ${HOME}
		27	noexec /tmp
		28


diff --git a/etc/mumble.profile b/etc/mumble.profile index d5405a6ae..c5c6a4d1a 100644 --- a/etc/mumble.profile +++ b/etc/mumble.profile
@@ -18,6 +18,7 @@ include /etc/firejail/whitelist-common.inc
18		18
19	caps.drop all	19	caps.drop all
20	netfilter	20	netfilter
		21	no3d
21	nonewprivs	22	nonewprivs
22	nogroups	23	nogroups
23	noroot	24	noroot
@@ -28,3 +29,6 @@ tracelog
28		29
29	private-bin mumble	30	private-bin mumble
30	private-tmp	31	private-tmp
		32
		33	noexec ${HOME}
		34	noexec /tmp


diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile index c37ccba09..523c11f26 100644 --- a/etc/pdfsam.profile +++ b/etc/pdfsam.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-devel.inc
14		14
15	#Options	15	#Options
16	caps.drop all	16	caps.drop all
		17	net none
17	netfilter	18	netfilter
18	nogroups	19	nogroups
19	nonewprivs	20	nonewprivs


diff --git a/etc/totem.profile b/etc/totem.profile index 0b3942cf0..fadfbb00b 100644 --- a/etc/totem.profile +++ b/etc/totem.profile
@@ -12,8 +12,18 @@ include /etc/firejail/disable-devel.inc
12	include /etc/firejail/disable-passwdmgr.inc	12	include /etc/firejail/disable-passwdmgr.inc
13		13
14	caps.drop all	14	caps.drop all
		15	netfilter
		16	nogroups
15	nonewprivs	17	nonewprivs
16	noroot	18	noroot
17	netfilter
18	protocol unix,inet,inet6	19	protocol unix,inet,inet6
19	seccomp	20	seccomp
		21	shell none
		22
		23	private-bin totem
		24	private-dev
		25	private-etc fonts
		26	private-tmp
		27
		28	noexec ${HOME}
		29	noexec /tmp


diff --git a/etc/vlc.profile b/etc/vlc.profile index 0c96f0108..21282dfbd 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile
@@ -22,3 +22,6 @@ shell none
22	private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc	22	private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
23	# private-dev	23	# private-dev
24	private-tmp	24	private-tmp
		25
		26	noexec ${HOME}
		27	noexec /tmp