various profile fixes

author: smitsohu <smitsohu@gmail.com> 2017-08-22 01:54:31 +0200
committer: smitsohu <smitsohu@gmail.com> 2017-08-22 01:54:31 +0200
commit: f12c7af205ddd6c0d75587702f01688dc62a86c5 (patch)
tree: 853df0cb54dee640560b1832c14644df0ec18293 /etc
parent: testing (diff)
download: firejail-f12c7af205ddd6c0d75587702f01688dc62a86c5.tar.gz
firejail-f12c7af205ddd6c0d75587702f01688dc62a86c5.tar.zst
firejail-f12c7af205ddd6c0d75587702f01688dc62a86c5.zip
24 files changed, 76 insertions, 18 deletions
diff --git a/etc/atril.profile b/etc/atril.profile
index 7109d343e..6b0eed2db 100644
--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
+no3d
 nodvd
 nogroups
 nonewprivs
@@ -28,4 +29,10 @@ tracelog
 private-bin atril, atril-previewer, atril-thumbnailer
 private-dev
-private-tmp
+private-etc fonts
+# atril needs access to /tmp/mozilla* to work in firefox
+# private-tmp
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/audacious.profile b/etc/audacious.profile
index 3baa0ddba..eddc100ca 100644
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -25,4 +25,7 @@ shell none
 tracelog
 private-bin audacious
+private-dev
 private-tmp
+memory-deny-write-execute
diff --git a/etc/audacity.profile b/etc/audacity.profile
index b5a15b04c..9fbc2b16d 100644
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -30,5 +30,6 @@ private-bin audacity
 private-dev
 private-tmp
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/engrampa.profile b/etc/engrampa.profile
index e10fd6084..7bc5e7481 100644
--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -12,7 +12,8 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
-netfilter
+# net none - makes settings immutable
+no3d
 nodvd
 nogroups
 nonewprivs
@@ -29,3 +30,7 @@ tracelog
 private-dev
 # private-etc fonts
 # private-tmp
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/eog.profile b/etc/eog.profile
index 54d5a1a88..e5161b313 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -16,7 +16,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
-net none
+# net none - makes settings immutable
 no3d
 nodvd
 nogroups
diff --git a/etc/eom.profile b/etc/eom.profile
index 6fd069b5c..3fb1fcaf4 100644
--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -16,6 +16,8 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
+# net none - makes settings immutable
+no3d
 nodvd
 nogroups
 nonewprivs
@@ -30,7 +32,9 @@ tracelog
 private-bin eom
 private-dev
+private-etc fonts
 private-tmp
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index 1ecb3c632..8484aa162 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -12,7 +12,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
-net none
+# net none - makes settings immutable
 no3d
 nodvd
 nogroups
diff --git a/etc/fossamail.profile b/etc/fossamail.profile
index 74073d8d1..cef522c53 100644
--- a/etc/fossamail.profile
+++ b/etc/fossamail.profile
@@ -17,7 +17,6 @@ whitelist ~/.fossamail
 whitelist ~/.gnupg
 include /etc/firejail/whitelist-common.inc
-nodvd
+# allow browsers
-notv
+# Redirect
 include /etc/firejail/firefox.profile
diff --git a/etc/gedit.profile b/etc/gedit.profile
index 418575e09..3d7af1496 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -15,7 +15,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
-net none
+# net none - makes settings immutable
 no3d
 nodvd
 nogroups
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/goobox.profile b/etc/goobox.profile
index 9bedaa431..60ffe0594 100644
--- a/etc/goobox.profile
+++ b/etc/goobox.profile
@@ -13,11 +13,11 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
-nodvd
 nogroups
 nonewprivs
 noroot
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/handbrake.profile b/etc/handbrake.profile
index 2b32abca6..2b33051e2 100644
--- a/etc/handbrake.profile
+++ b/etc/handbrake.profile
@@ -18,7 +18,6 @@ nogroups
 nonewprivs
 noroot
 nosound
-notv
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
diff --git a/etc/konversation.profile b/etc/konversation.profile
index 212aa8817..1a08c3d83 100644
--- a/etc/konversation.profile
+++ b/etc/konversation.profile
@@ -23,4 +23,5 @@ protocol unix,inet,inet6
 seccomp
 tracelog
+private-dev
 private-tmp
diff --git a/etc/mediathekview.profile b/etc/mediathekview.profile
index b90e21e66..1cda5022d 100644
--- a/etc/mediathekview.profile
+++ b/etc/mediathekview.profile
@@ -9,8 +9,10 @@ noblacklist ~/.config/mpv
 noblacklist ~/.config/smplayer
 noblacklist ~/.config/totem
 noblacklist ~/.config/vlc
+noblacklist ~/.config/xplayer
 noblacklist ~/.java
 noblacklist ~/.local/share/totem
+noblacklist ~/.local/share/xplayer
 noblacklist ~/.mediathek3
 noblacklist ~/.mplayer
@@ -22,6 +24,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 nodvd
+nogroups
 nonewprivs
 noroot
 notv
diff --git a/etc/pluma.profile b/etc/pluma.profile
index d17a64d1d..718dee440 100644
--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -13,17 +13,24 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
-net none
+# net none - makes settings immutable
+no3d
 nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+novideo
+protocol unix
 seccomp
 shell none
 tracelog
 private-bin pluma
 private-dev
+# private-etc fonts
 private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile
index 2c652c688..7d69f38f9 100644
--- a/etc/qpdfview.profile
+++ b/etc/qpdfview.profile
@@ -21,6 +21,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
@@ -29,3 +30,5 @@ tracelog
 private-bin qpdfview
 private-dev
 private-tmp
+memory-deny-write-execute
diff --git a/etc/scribus.profile b/etc/scribus.profile
index acd6b2239..e4c88be49 100644
--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -28,6 +28,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 nodvd
+nogroups
 nonewprivs
 noroot
 nosound
diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile
index de43f2a56..edd4db861 100644
--- a/etc/simple-scan.profile
+++ b/etc/simple-scan.profile
@@ -20,7 +20,7 @@ nonewprivs
 noroot
 nosound
 notv
-novideo
+# novideo
 protocol unix,inet,inet6,netlink
 # simple-scan makes ioperm system calls, which are blacklisted by default.
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
diff --git a/etc/skanlite.profile b/etc/skanlite.profile
index 1d590a142..1a53cc71c 100644
--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -20,7 +20,7 @@ nonewprivs
 noroot
 nosound
 notv
-novideo
+# novideo
 protocol unix,netlink
 # skanlite makes ioperm system calls, which are blacklisted by default.
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
diff --git a/etc/vlc.profile b/etc/vlc.profile
index a41f367dd..01ddfa8a9 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -25,5 +25,6 @@ private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
 private-dev
 private-tmp
+# memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/xed.profile b/etc/xed.profile
index 758fb5526..42a42ef5f 100644
--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -13,17 +13,24 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
-net none
+# net none - makes settings immutable
+no3d
 nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+novideo
+protocol unix
 seccomp
 shell none
 tracelog
 private-bin xed
 private-dev
+# private-etc fonts
 private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/xfburn.profile b/etc/xfburn.profile
index e80685f0e..ec1aca75f 100644
--- a/etc/xfburn.profile
+++ b/etc/xfburn.profile
@@ -14,12 +14,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
-nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/xplayer.profile b/etc/xplayer.profile
index 0722768d1..5c845e977 100644
--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -18,7 +18,6 @@ netfilter
 nogroups
 nonewprivs
 noroot
-notv
 protocol unix,inet,inet6
 seccomp
 shell none
@@ -26,4 +25,8 @@ tracelog
 private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
 private-dev
+# private-etc fonts
 private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/xreader.profile b/etc/xreader.profile
index 107cefe5e..615256102 100644
--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -15,17 +15,25 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
+no3d
 nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
 tracelog
-private-bin xreader, xreader-previewer, xreader-thumbnailer
+private-bin xreader,xreader-previewer,xreader-thumbnailer
 private-dev
-private-tmp
+private-etc fonts
+# xreader needs access to /tmp/mozilla* to work in firefox
+# private-tmp
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/xviewer.profile b/etc/xviewer.profile
index 70ad3b895..b9ff3948a 100644
--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -16,12 +16,15 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
+# net none - makes settings immutable
+no3d
 nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
@@ -29,7 +32,9 @@ tracelog
 private-bin xviewer
 private-dev
+private-etc fonts
 private-tmp
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
author	smitsohu <smitsohu@gmail.com>	2017-08-22 01:54:31 +0200
committer	smitsohu <smitsohu@gmail.com>	2017-08-22 01:54:31 +0200
commit	f12c7af205ddd6c0d75587702f01688dc62a86c5 (patch)
tree	853df0cb54dee640560b1832c14644df0ec18293 /etc
parent	testing (diff)
download	firejail-f12c7af205ddd6c0d75587702f01688dc62a86c5.tar.gz firejail-f12c7af205ddd6c0d75587702f01688dc62a86c5.tar.zst firejail-f12c7af205ddd6c0d75587702f01688dc62a86c5.zip

diff --git a/etc/atril.profile b/etc/atril.profile index 7109d343e..6b0eed2db 100644 --- a/etc/atril.profile +++ b/etc/atril.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-passwdmgr.inc
14	include /etc/firejail/disable-programs.inc	14	include /etc/firejail/disable-programs.inc
15		15
16	caps.drop all	16	caps.drop all
		17	no3d
17	nodvd	18	nodvd
18	nogroups	19	nogroups
19	nonewprivs	20	nonewprivs
@@ -28,4 +29,10 @@ tracelog
28		29
29	private-bin atril, atril-previewer, atril-thumbnailer	30	private-bin atril, atril-previewer, atril-thumbnailer
30	private-dev	31	private-dev
31	private-tmp	32	private-etc fonts
		33	# atril needs access to /tmp/mozilla* to work in firefox
		34	# private-tmp
		35
		36	memory-deny-write-execute
		37	noexec ${HOME}
		38	noexec /tmp


diff --git a/etc/audacious.profile b/etc/audacious.profile index 3baa0ddba..eddc100ca 100644 --- a/etc/audacious.profile +++ b/etc/audacious.profile
@@ -25,4 +25,7 @@ shell none
25	tracelog	25	tracelog
26		26
27	private-bin audacious	27	private-bin audacious
		28	private-dev
28	private-tmp	29	private-tmp
		30
		31	memory-deny-write-execute


diff --git a/etc/audacity.profile b/etc/audacity.profile index b5a15b04c..9fbc2b16d 100644 --- a/etc/audacity.profile +++ b/etc/audacity.profile
@@ -30,5 +30,6 @@ private-bin audacity
30	private-dev	30	private-dev
31	private-tmp	31	private-tmp
32		32
		33	memory-deny-write-execute
33	noexec ${HOME}	34	noexec ${HOME}
34	noexec /tmp	35	noexec /tmp


diff --git a/etc/engrampa.profile b/etc/engrampa.profile index e10fd6084..7bc5e7481 100644 --- a/etc/engrampa.profile +++ b/etc/engrampa.profile
@@ -12,7 +12,8 @@ include /etc/firejail/disable-passwdmgr.inc
12	include /etc/firejail/disable-programs.inc	12	include /etc/firejail/disable-programs.inc
13		13
14	caps.drop all	14	caps.drop all
15	netfilter	15	# net none - makes settings immutable
		16	no3d
16	nodvd	17	nodvd
17	nogroups	18	nogroups
18	nonewprivs	19	nonewprivs
@@ -29,3 +30,7 @@ tracelog
29	private-dev	30	private-dev
30	# private-etc fonts	31	# private-etc fonts
31	# private-tmp	32	# private-tmp
		33
		34	memory-deny-write-execute
		35	noexec ${HOME}
		36	noexec /tmp


diff --git a/etc/eog.profile b/etc/eog.profile index 54d5a1a88..e5161b313 100644 --- a/etc/eog.profile +++ b/etc/eog.profile
@@ -16,7 +16,7 @@ include /etc/firejail/disable-passwdmgr.inc
16	include /etc/firejail/disable-programs.inc	16	include /etc/firejail/disable-programs.inc
17		17
18	caps.drop all	18	caps.drop all
19	net none	19	# net none - makes settings immutable
20	no3d	20	no3d
21	nodvd	21	nodvd
22	nogroups	22	nogroups


diff --git a/etc/eom.profile b/etc/eom.profile index 6fd069b5c..3fb1fcaf4 100644 --- a/etc/eom.profile +++ b/etc/eom.profile
@@ -16,6 +16,8 @@ include /etc/firejail/disable-passwdmgr.inc
16	include /etc/firejail/disable-programs.inc	16	include /etc/firejail/disable-programs.inc
17		17
18	caps.drop all	18	caps.drop all
		19	# net none - makes settings immutable
		20	no3d
19	nodvd	21	nodvd
20	nogroups	22	nogroups
21	nonewprivs	23	nonewprivs
@@ -30,7 +32,9 @@ tracelog
30		32
31	private-bin eom	33	private-bin eom
32	private-dev	34	private-dev
		35	private-etc fonts
33	private-tmp	36	private-tmp
34		37
		38	memory-deny-write-execute
35	noexec ${HOME}	39	noexec ${HOME}
36	noexec /tmp	40	noexec /tmp


diff --git a/etc/file-roller.profile b/etc/file-roller.profile index 1ecb3c632..8484aa162 100644 --- a/etc/file-roller.profile +++ b/etc/file-roller.profile
@@ -12,7 +12,7 @@ include /etc/firejail/disable-passwdmgr.inc
12	include /etc/firejail/disable-programs.inc	12	include /etc/firejail/disable-programs.inc
13		13
14	caps.drop all	14	caps.drop all
15	net none	15	# net none - makes settings immutable
16	no3d	16	no3d
17	nodvd	17	nodvd
18	nogroups	18	nogroups


diff --git a/etc/fossamail.profile b/etc/fossamail.profile index 74073d8d1..cef522c53 100644 --- a/etc/fossamail.profile +++ b/etc/fossamail.profile
@@ -17,7 +17,6 @@ whitelist ~/.fossamail
17	whitelist ~/.gnupg	17	whitelist ~/.gnupg
18	include /etc/firejail/whitelist-common.inc	18	include /etc/firejail/whitelist-common.inc
19		19
20	nodvd	20	# allow browsers
21	notv	21	# Redirect
22
23	include /etc/firejail/firefox.profile	22	include /etc/firejail/firefox.profile


diff --git a/etc/gedit.profile b/etc/gedit.profile index 418575e09..3d7af1496 100644 --- a/etc/gedit.profile +++ b/etc/gedit.profile
@@ -15,7 +15,7 @@ include /etc/firejail/disable-passwdmgr.inc
15	include /etc/firejail/disable-programs.inc	15	include /etc/firejail/disable-programs.inc
16		16
17	caps.drop all	17	caps.drop all
18	net none	18	# net none - makes settings immutable
19	no3d	19	no3d
20	nodvd	20	nodvd
21	nogroups	21	nogroups
@@ -23,6 +23,7 @@ nonewprivs
23	noroot	23	noroot
24	nosound	24	nosound
25	notv	25	notv
		26	novideo
26	protocol unix	27	protocol unix
27	seccomp	28	seccomp
28	shell none	29	shell none


diff --git a/etc/goobox.profile b/etc/goobox.profile index 9bedaa431..60ffe0594 100644 --- a/etc/goobox.profile +++ b/etc/goobox.profile
@@ -13,11 +13,11 @@ include /etc/firejail/disable-programs.inc
13		13
14	caps.drop all	14	caps.drop all
15	netfilter	15	netfilter
16	nodvd
17	nogroups	16	nogroups
18	nonewprivs	17	nonewprivs
19	noroot	18	noroot
20	notv	19	notv
		20	novideo
21	protocol unix	21	protocol unix
22	seccomp	22	seccomp
23	shell none	23	shell none


diff --git a/etc/handbrake.profile b/etc/handbrake.profile index 2b32abca6..2b33051e2 100644 --- a/etc/handbrake.profile +++ b/etc/handbrake.profile
@@ -18,7 +18,6 @@ nogroups
18	nonewprivs	18	nonewprivs
19	noroot	19	noroot
20	nosound	20	nosound
21	notv
22	novideo	21	novideo
23	protocol unix,inet,inet6,netlink	22	protocol unix,inet,inet6,netlink
24	seccomp	23	seccomp


diff --git a/etc/konversation.profile b/etc/konversation.profile index 212aa8817..1a08c3d83 100644 --- a/etc/konversation.profile +++ b/etc/konversation.profile
@@ -23,4 +23,5 @@ protocol unix,inet,inet6
23	seccomp	23	seccomp
24	tracelog	24	tracelog
25		25
		26	private-dev
26	private-tmp	27	private-tmp


diff --git a/etc/mediathekview.profile b/etc/mediathekview.profile index b90e21e66..1cda5022d 100644 --- a/etc/mediathekview.profile +++ b/etc/mediathekview.profile
@@ -9,8 +9,10 @@ noblacklist ~/.config/mpv
9	noblacklist ~/.config/smplayer	9	noblacklist ~/.config/smplayer
10	noblacklist ~/.config/totem	10	noblacklist ~/.config/totem
11	noblacklist ~/.config/vlc	11	noblacklist ~/.config/vlc
		12	noblacklist ~/.config/xplayer
12	noblacklist ~/.java	13	noblacklist ~/.java
13	noblacklist ~/.local/share/totem	14	noblacklist ~/.local/share/totem
		15	noblacklist ~/.local/share/xplayer
14	noblacklist ~/.mediathek3	16	noblacklist ~/.mediathek3
15	noblacklist ~/.mplayer	17	noblacklist ~/.mplayer
16		18
@@ -22,6 +24,7 @@ include /etc/firejail/disable-programs.inc
22	caps.drop all	24	caps.drop all
23	netfilter	25	netfilter
24	nodvd	26	nodvd
		27	nogroups
25	nonewprivs	28	nonewprivs
26	noroot	29	noroot
27	notv	30	notv


diff --git a/etc/pluma.profile b/etc/pluma.profile index d17a64d1d..718dee440 100644 --- a/etc/pluma.profile +++ b/etc/pluma.profile
@@ -13,17 +13,24 @@ include /etc/firejail/disable-passwdmgr.inc
13	include /etc/firejail/disable-programs.inc	13	include /etc/firejail/disable-programs.inc
14		14
15	caps.drop all	15	caps.drop all
16	net none	16	# net none - makes settings immutable
		17	no3d
17	nodvd	18	nodvd
18	nogroups	19	nogroups
19	nonewprivs	20	nonewprivs
20	noroot	21	noroot
21	nosound	22	nosound
22	notv	23	notv
		24	novideo
		25	protocol unix
23	seccomp	26	seccomp
24	shell none	27	shell none
25	tracelog	28	tracelog
26		29
27	private-bin pluma	30	private-bin pluma
28	private-dev	31	private-dev
		32	# private-etc fonts
29	private-tmp	33	private-tmp
		34
		35	noexec ${HOME}
		36	noexec /tmp


diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile index 2c652c688..7d69f38f9 100644 --- a/etc/qpdfview.profile +++ b/etc/qpdfview.profile
@@ -21,6 +21,7 @@ nonewprivs
21	noroot	21	noroot
22	nosound	22	nosound
23	notv	23	notv
		24	novideo
24	protocol unix	25	protocol unix
25	seccomp	26	seccomp
26	shell none	27	shell none
@@ -29,3 +30,5 @@ tracelog
29	private-bin qpdfview	30	private-bin qpdfview
30	private-dev	31	private-dev
31	private-tmp	32	private-tmp
		33
		34	memory-deny-write-execute


diff --git a/etc/scribus.profile b/etc/scribus.profile index acd6b2239..e4c88be49 100644 --- a/etc/scribus.profile +++ b/etc/scribus.profile
@@ -28,6 +28,7 @@ include /etc/firejail/disable-programs.inc
28		28
29	caps.drop all	29	caps.drop all
30	nodvd	30	nodvd
		31	nogroups
31	nonewprivs	32	nonewprivs
32	noroot	33	noroot
33	nosound	34	nosound


diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile index de43f2a56..edd4db861 100644 --- a/etc/simple-scan.profile +++ b/etc/simple-scan.profile
@@ -20,7 +20,7 @@ nonewprivs
20	noroot	20	noroot
21	nosound	21	nosound
22	notv	22	notv
23	novideo	23	# novideo
24	protocol unix,inet,inet6,netlink	24	protocol unix,inet,inet6,netlink
25	# simple-scan makes ioperm system calls, which are blacklisted by default.	25	# simple-scan makes ioperm system calls, which are blacklisted by default.
26	seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice	26	seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice


diff --git a/etc/skanlite.profile b/etc/skanlite.profile index 1d590a142..1a53cc71c 100644 --- a/etc/skanlite.profile +++ b/etc/skanlite.profile
@@ -20,7 +20,7 @@ nonewprivs
20	noroot	20	noroot
21	nosound	21	nosound
22	notv	22	notv
23	novideo	23	# novideo
24	protocol unix,netlink	24	protocol unix,netlink
25	# skanlite makes ioperm system calls, which are blacklisted by default.	25	# skanlite makes ioperm system calls, which are blacklisted by default.
26	seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice	26	seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice


diff --git a/etc/vlc.profile b/etc/vlc.profile index a41f367dd..01ddfa8a9 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile
@@ -25,5 +25,6 @@ private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
25	private-dev	25	private-dev
26	private-tmp	26	private-tmp
27		27
		28	# memory-deny-write-execute
28	noexec ${HOME}	29	noexec ${HOME}
29	noexec /tmp	30	noexec /tmp


diff --git a/etc/xed.profile b/etc/xed.profile index 758fb5526..42a42ef5f 100644 --- a/etc/xed.profile +++ b/etc/xed.profile
@@ -13,17 +13,24 @@ include /etc/firejail/disable-passwdmgr.inc
13	include /etc/firejail/disable-programs.inc	13	include /etc/firejail/disable-programs.inc
14		14
15	caps.drop all	15	caps.drop all
16	net none	16	# net none - makes settings immutable
		17	no3d
17	nodvd	18	nodvd
18	nogroups	19	nogroups
19	nonewprivs	20	nonewprivs
20	noroot	21	noroot
21	nosound	22	nosound
22	notv	23	notv
		24	novideo
		25	protocol unix
23	seccomp	26	seccomp
24	shell none	27	shell none
25	tracelog	28	tracelog
26		29
27	private-bin xed	30	private-bin xed
28	private-dev	31	private-dev
		32	# private-etc fonts
29	private-tmp	33	private-tmp
		34
		35	noexec ${HOME}
		36	noexec /tmp


diff --git a/etc/xfburn.profile b/etc/xfburn.profile index e80685f0e..ec1aca75f 100644 --- a/etc/xfburn.profile +++ b/etc/xfburn.profile
@@ -14,12 +14,12 @@ include /etc/firejail/disable-programs.inc
14		14
15	caps.drop all	15	caps.drop all
16	netfilter	16	netfilter
17	nodvd
18	nogroups	17	nogroups
19	nonewprivs	18	nonewprivs
20	noroot	19	noroot
21	nosound	20	nosound
22	notv	21	notv
		22	novideo
23	protocol unix	23	protocol unix
24	seccomp	24	seccomp
25	shell none	25	shell none


diff --git a/etc/xplayer.profile b/etc/xplayer.profile index 0722768d1..5c845e977 100644 --- a/etc/xplayer.profile +++ b/etc/xplayer.profile
@@ -18,7 +18,6 @@ netfilter
18	nogroups	18	nogroups
19	nonewprivs	19	nonewprivs
20	noroot	20	noroot
21	notv
22	protocol unix,inet,inet6	21	protocol unix,inet,inet6
23	seccomp	22	seccomp
24	shell none	23	shell none
@@ -26,4 +25,8 @@ tracelog
26		25
27	private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer	26	private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
28	private-dev	27	private-dev
		28	# private-etc fonts
29	private-tmp	29	private-tmp
		30
		31	noexec ${HOME}
		32	noexec /tmp


diff --git a/etc/xreader.profile b/etc/xreader.profile index 107cefe5e..615256102 100644 --- a/etc/xreader.profile +++ b/etc/xreader.profile
@@ -15,17 +15,25 @@ include /etc/firejail/disable-passwdmgr.inc
15	include /etc/firejail/disable-programs.inc	15	include /etc/firejail/disable-programs.inc
16		16
17	caps.drop all	17	caps.drop all
		18	no3d
18	nodvd	19	nodvd
19	nogroups	20	nogroups
20	nonewprivs	21	nonewprivs
21	noroot	22	noroot
22	nosound	23	nosound
23	notv	24	notv
		25	novideo
24	protocol unix	26	protocol unix
25	seccomp	27	seccomp
26	shell none	28	shell none
27	tracelog	29	tracelog
28		30
29	private-bin xreader, xreader-previewer, xreader-thumbnailer	31	private-bin xreader,xreader-previewer,xreader-thumbnailer
30	private-dev	32	private-dev
31	private-tmp	33	private-etc fonts
		34	# xreader needs access to /tmp/mozilla* to work in firefox
		35	# private-tmp
		36
		37	memory-deny-write-execute
		38	noexec ${HOME}
		39	noexec /tmp


diff --git a/etc/xviewer.profile b/etc/xviewer.profile index 70ad3b895..b9ff3948a 100644 --- a/etc/xviewer.profile +++ b/etc/xviewer.profile
@@ -16,12 +16,15 @@ include /etc/firejail/disable-passwdmgr.inc
16	include /etc/firejail/disable-programs.inc	16	include /etc/firejail/disable-programs.inc
17		17
18	caps.drop all	18	caps.drop all
		19	# net none - makes settings immutable
		20	no3d
19	nodvd	21	nodvd
20	nogroups	22	nogroups
21	nonewprivs	23	nonewprivs
22	noroot	24	noroot
23	nosound	25	nosound
24	notv	26	notv
		27	novideo
25	protocol unix	28	protocol unix
26	seccomp	29	seccomp
27	shell none	30	shell none
@@ -29,7 +32,9 @@ tracelog
29		32
30	private-bin xviewer	33	private-bin xviewer
31	private-dev	34	private-dev
		35	private-etc fonts
32	private-tmp	36	private-tmp
33		37
		38	memory-deny-write-execute
34	noexec ${HOME}	39	noexec ${HOME}
35	noexec /tmp	40	noexec /tmp