Merge branch 'master' of http://github.com/netblue30/firejail

author: netblue30 <netblue30@yahoo.com> 2018-03-30 14:22:54 -0400
committer: netblue30 <netblue30@yahoo.com> 2018-03-30 14:22:54 -0400
commit: dd94e54c70e23496c4e3a841ca3fb0849cb96a9a (patch)
tree: d51885bf61ec6ca306ad99076f263b9f73a8bc45 /etc
parent: testing (diff)
parent: redirect knotes to kmail, some tweaks (diff)
download: firejail-dd94e54c70e23496c4e3a841ca3fb0849cb96a9a.tar.gz
firejail-dd94e54c70e23496c4e3a841ca3fb0849cb96a9a.tar.zst
firejail-dd94e54c70e23496c4e3a841ca3fb0849cb96a9a.zip
7 files changed, 14 insertions, 32 deletions
diff --git a/etc/akonadi_control.profile b/etc/akonadi_control.profile
index 296b25b83..3a4404b28 100644
--- a/etc/akonadi_control.profile
+++ b/etc/akonadi_control.profile
@@ -23,8 +23,8 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
-# the default mysqld-akonadi apparmor profile in debian and ubuntu
+# disabled options below are not compatible with the apparmor profile for mysqld-akonadi.
-# is not compatible with the commented options below
+# this affects ubuntu and debian currently
 # apparmor
 caps.drop all
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 3842a46f1..a6f12f3db 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -385,6 +385,7 @@ blacklist ${HOME}/.local/share/kate
 blacklist ${HOME}/.local/share/kdenlive
 blacklist ${HOME}/.local/share/kget
 blacklist ${HOME}/.local/share/kmail2
+blacklist ${HOME}/.local/share/knotes
 blacklist ${HOME}/.local/share/krita
 blacklist ${HOME}/.local/share/ktorrentrc
 blacklist ${HOME}/.local/share/ktorrent
diff --git a/etc/kmail.profile b/etc/kmail.profile
index f095b5853..3e425b62e 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -28,6 +28,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 # apparmor
 caps.drop all
 netfilter
diff --git a/etc/knotes.profile b/etc/knotes.profile
index 85b267f8b..4bbbd332d 100644
--- a/etc/knotes.profile
+++ b/etc/knotes.profile
@@ -5,34 +5,12 @@ include /etc/firejail/knotes.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-noblacklist ${HOME}/.config/akonadi*
+# knotes has problems launching akonadi in debian and ubuntu.
-noblacklist ${HOME}/.config/knotesrc
+# one solution is to have akonadi already running when knotes is started
-noblacklist ${HOME}/.local/share/akonadi*
-noblacklist /tmp/akonadi-*
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/whitelist-var-common.inc
+noblacklist ${HOME}/.config/knotesrc
+noblacklist ${HOME}/.local/share/knotes
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-private-dev
-# private-tmp - interrupts connection to akonadi
-noexec ${HOME}
+# Redirect
-noexec /tmp
+include /etc/firejail/kmail.profile
diff --git a/etc/krunner.profile b/etc/krunner.profile
index 8382a5c66..17526c4ea 100644
--- a/etc/krunner.profile
+++ b/etc/krunner.profile
@@ -11,6 +11,7 @@ include /etc/firejail/globals.local
 # noblacklist ${HOME}/.cache/krunner
 # noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite
+# noblacklist ${HOME}/.config/chromium
 noblacklist ${HOME}/.config/krunnerrc
 noblacklist ${HOME}/.kde/share/config/krunnerrc
 noblacklist ${HOME}/.kde4/share/config/krunnerrc
diff --git a/etc/smplayer.profile b/etc/smplayer.profile
index 60af4cf17..187b0674a 100644
--- a/etc/smplayer.profile
+++ b/etc/smplayer.profile
@@ -18,7 +18,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-# nodbus
+# nodbus - problems with KDE
 # nogroups
 nonewprivs
 noroot
diff --git a/etc/vlc.profile b/etc/vlc.profile
index 0b362eb32..c8c84b992 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -19,7 +19,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-# nodbus
+# nodbus - problems with KDE
 # nogroups
 nonewprivs
 noroot
author	netblue30 <netblue30@yahoo.com>	2018-03-30 14:22:54 -0400
committer	netblue30 <netblue30@yahoo.com>	2018-03-30 14:22:54 -0400
commit	dd94e54c70e23496c4e3a841ca3fb0849cb96a9a (patch)
tree	d51885bf61ec6ca306ad99076f263b9f73a8bc45 /etc
parent	testing (diff)
parent	redirect knotes to kmail, some tweaks (diff)
download	firejail-dd94e54c70e23496c4e3a841ca3fb0849cb96a9a.tar.gz firejail-dd94e54c70e23496c4e3a841ca3fb0849cb96a9a.tar.zst firejail-dd94e54c70e23496c4e3a841ca3fb0849cb96a9a.zip

diff --git a/etc/akonadi_control.profile b/etc/akonadi_control.profile index 296b25b83..3a4404b28 100644 --- a/etc/akonadi_control.profile +++ b/etc/akonadi_control.profile
@@ -23,8 +23,8 @@ include /etc/firejail/disable-programs.inc
23		23
24	include /etc/firejail/whitelist-var-common.inc	24	include /etc/firejail/whitelist-var-common.inc
25		25
26	# the default mysqld-akonadi apparmor profile in debian and ubuntu	26	# disabled options below are not compatible with the apparmor profile for mysqld-akonadi.
27	# is not compatible with the commented options below	27	# this affects ubuntu and debian currently
28		28
29	# apparmor	29	# apparmor
30	caps.drop all	30	caps.drop all


diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 3842a46f1..a6f12f3db 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc
@@ -385,6 +385,7 @@ blacklist ${HOME}/.local/share/kate
385	blacklist ${HOME}/.local/share/kdenlive	385	blacklist ${HOME}/.local/share/kdenlive
386	blacklist ${HOME}/.local/share/kget	386	blacklist ${HOME}/.local/share/kget
387	blacklist ${HOME}/.local/share/kmail2	387	blacklist ${HOME}/.local/share/kmail2
		388	blacklist ${HOME}/.local/share/knotes
388	blacklist ${HOME}/.local/share/krita	389	blacklist ${HOME}/.local/share/krita
389	blacklist ${HOME}/.local/share/ktorrentrc	390	blacklist ${HOME}/.local/share/ktorrentrc
390	blacklist ${HOME}/.local/share/ktorrent	391	blacklist ${HOME}/.local/share/ktorrent


diff --git a/etc/kmail.profile b/etc/kmail.profile index f095b5853..3e425b62e 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile
@@ -28,6 +28,8 @@ include /etc/firejail/disable-devel.inc
28	include /etc/firejail/disable-passwdmgr.inc	28	include /etc/firejail/disable-passwdmgr.inc
29	include /etc/firejail/disable-programs.inc	29	include /etc/firejail/disable-programs.inc
30		30
		31	include /etc/firejail/whitelist-var-common.inc
		32
31	# apparmor	33	# apparmor
32	caps.drop all	34	caps.drop all
33	netfilter	35	netfilter


diff --git a/etc/knotes.profile b/etc/knotes.profile index 85b267f8b..4bbbd332d 100644 --- a/etc/knotes.profile +++ b/etc/knotes.profile
@@ -5,34 +5,12 @@ include /etc/firejail/knotes.local
5	# Persistent global definitions	5	# Persistent global definitions
6	include /etc/firejail/globals.local	6	include /etc/firejail/globals.local
7		7
8	noblacklist ${HOME}/.config/akonadi*	8	# knotes has problems launching akonadi in debian and ubuntu.
9	noblacklist ${HOME}/.config/knotesrc	9	# one solution is to have akonadi already running when knotes is started
10	noblacklist ${HOME}/.local/share/akonadi*
11	noblacklist /tmp/akonadi-*
12
13	include /etc/firejail/disable-common.inc
14	include /etc/firejail/disable-devel.inc
15	include /etc/firejail/disable-passwdmgr.inc
16	include /etc/firejail/disable-programs.inc
17		10
18	include /etc/firejail/whitelist-var-common.inc	11	noblacklist ${HOME}/.config/knotesrc
19		12	noblacklist ${HOME}/.local/share/knotes
20	caps.drop all
21	netfilter
22	nodvd
23	nogroups
24	nonewprivs
25	noroot
26	nosound
27	notv
28	novideo
29	protocol unix
30	seccomp
31	shell none
32	tracelog
33		13
34	private-dev
35	# private-tmp - interrupts connection to akonadi
36		14
37	noexec ${HOME}	15	# Redirect
38	noexec /tmp	16	include /etc/firejail/kmail.profile


diff --git a/etc/krunner.profile b/etc/krunner.profile index 8382a5c66..17526c4ea 100644 --- a/etc/krunner.profile +++ b/etc/krunner.profile
@@ -11,6 +11,7 @@ include /etc/firejail/globals.local
11		11
12	# noblacklist ${HOME}/.cache/krunner	12	# noblacklist ${HOME}/.cache/krunner
13	# noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite	13	# noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite
		14	# noblacklist ${HOME}/.config/chromium
14	noblacklist ${HOME}/.config/krunnerrc	15	noblacklist ${HOME}/.config/krunnerrc
15	noblacklist ${HOME}/.kde/share/config/krunnerrc	16	noblacklist ${HOME}/.kde/share/config/krunnerrc
16	noblacklist ${HOME}/.kde4/share/config/krunnerrc	17	noblacklist ${HOME}/.kde4/share/config/krunnerrc


diff --git a/etc/smplayer.profile b/etc/smplayer.profile index 60af4cf17..187b0674a 100644 --- a/etc/smplayer.profile +++ b/etc/smplayer.profile
@@ -18,7 +18,7 @@ include /etc/firejail/whitelist-var-common.inc
18	apparmor	18	apparmor
19	caps.drop all	19	caps.drop all
20	netfilter	20	netfilter
21	# nodbus	21	# nodbus - problems with KDE
22	# nogroups	22	# nogroups
23	nonewprivs	23	nonewprivs
24	noroot	24	noroot


diff --git a/etc/vlc.profile b/etc/vlc.profile index 0b362eb32..c8c84b992 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile
@@ -19,7 +19,7 @@ include /etc/firejail/whitelist-var-common.inc
19	apparmor	19	apparmor
20	caps.drop all	20	caps.drop all
21	netfilter	21	netfilter
22	# nodbus	22	# nodbus - problems with KDE
23	# nogroups	23	# nogroups
24	nonewprivs	24	nonewprivs
25	noroot	25	noroot