author | Tad <tad@spotco.us> | 2017-08-05 17:32:30 -0400 |
---|---|---|
committer | Tad <tad@spotco.us> | 2017-08-07 01:26:34 -0400 |
commit | 00ea93e518be02e1bd759da4746a5f3e973f1dd2 (patch) | |
tree | 7845946f38cb619ff5611d8f8734a78da5000f87 /etc | |
parent | Unify all profiles (diff) | |
Fix comments in 88 profiles
There may actually be some other comments that were removed, but the bulk have been restored
Diffstat (limited to 'etc')
86 files changed, 123 insertions, 323 deletions
diff --git a/etc/akregator.profile b/etc/akregator.profile index 77868dac7..36886b961 100644 --- a/etc/akregator.profile +++ b/etc/akregator.profile | |||
@@ -30,6 +30,3 @@ private-tmp | |||
30 | 30 | ||
31 | noexec ${HOME} | 31 | noexec ${HOME} |
32 | noexec /tmp | 32 | noexec /tmp |
33 | |||
34 | # CLOBBERED COMMENTS | ||
35 | # nosound | ||
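Review bot: The removed block drops `# nosound` outright instead of restoring it as a commented-out directive, so the profile no longer records that sound can be disabled for akregator. The same happens in the other sections of this commit that only delete their clobbered block: android-studio and gnome-2048 (`# nosound`), etr and frozen-bubble (`# depending on your usage, you can enable some of the commands below:` plus `# nosound`), chromium, firefox and the three google-chrome profiles (`# disable-mnt`, and `# specific to Arch` in chromium), file (`# noroot`), franz (`# tracelog`), gnome-calculator (`# net none`), geeqie and gwenview (`# Experimental:`), and cpio's two explanatory lines about /boot, /var and /sbin. These read as optional-hardening hints rather than noise, and the commit message says the bulk of comments were restored, so the remaining drops look accidental; restoring each one next to the directive it relates to (for akregator, `# nosound` after `noexec /tmp`) would keep that guidance visible to users who harden the profile locally.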
diff --git a/etc/amarok.profile b/etc/amarok.profile index 69f41bb1b..28398e2c1 100644 --- a/etc/amarok.profile +++ b/etc/amarok.profile | |||
@@ -17,12 +17,10 @@ nogroups | |||
17 | nonewprivs | 17 | nonewprivs |
18 | noroot | 18 | noroot |
19 | protocol unix,inet,inet6 | 19 | protocol unix,inet,inet6 |
20 | # seccomp | ||
20 | shell none | 21 | shell none |
21 | 22 | ||
22 | # private-bin amarok | 23 | # private-bin amarok |
23 | private-dev | 24 | private-dev |
24 | # private-etc none | 25 | # private-etc none |
25 | private-tmp | 26 | private-tmp |
26 | |||
27 | # CLOBBERED COMMENTS | ||
28 | # seccomp | ||
diff --git a/etc/android-studio.profile b/etc/android-studio.profile index 86e19f838..3f4795195 100644 --- a/etc/android-studio.profile +++ b/etc/android-studio.profile | |||
@@ -32,6 +32,3 @@ private-dev | |||
32 | # private-tmp | 32 | # private-tmp |
33 | 33 | ||
34 | noexec /tmp | 34 | noexec /tmp |
35 | |||
36 | # CLOBBERED COMMENTS | ||
37 | # nosound | ||
diff --git a/etc/caja.profile b/etc/caja.profile index adbcc09b9..1350b63dd 100644 --- a/etc/caja.profile +++ b/etc/caja.profile | |||
@@ -5,6 +5,9 @@ include /etc/firejail/caja.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # Caja is started by systemd on most systems. Therefore it is not firejailed by default. Since there | ||
9 | # is already a caja process running on MATE desktops firejail will have no effect. | ||
10 | |||
8 | noblacklist ~/.config/caja | 11 | noblacklist ~/.config/caja |
9 | noblacklist ~/.local/share/Trash | 12 | noblacklist ~/.local/share/Trash |
10 | noblacklist ~/.local/share/caja-python | 13 | noblacklist ~/.local/share/caja-python |
@@ -24,12 +27,8 @@ seccomp | |||
24 | shell none | 27 | shell none |
25 | tracelog | 28 | tracelog |
26 | 29 | ||
30 | # caja needs to be able to start arbitrary applications so we cannot blacklist their files | ||
27 | # private-bin caja | 31 | # private-bin caja |
28 | # private-dev | 32 | # private-dev |
29 | # private-etc fonts | 33 | # private-etc fonts |
30 | # private-tmp | 34 | # private-tmp |
31 | |||
32 | # CLOBBERED COMMENTS | ||
33 | # Caja is started by systemd on most systems. Therefore it is not firejailed by default. Since there | ||
34 | # caja needs to be able to start arbitrary applications so we cannot blacklist their files | ||
35 | # is already a caja process running on MATE desktops firejail will have no effect. | ||
diff --git a/etc/catfish.profile b/etc/catfish.profile index 9fef3dc83..759b5e384 100644 --- a/etc/catfish.profile +++ b/etc/catfish.profile | |||
@@ -5,6 +5,8 @@ include /etc/firejail/catfish.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # We can't blacklist much since catfish | ||
9 | # is for finding files/content | ||
8 | noblacklist ~/.config/catfish | 10 | noblacklist ~/.config/catfish |
9 | 11 | ||
10 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
@@ -22,12 +24,8 @@ seccomp | |||
22 | shell none | 24 | shell none |
23 | tracelog | 25 | tracelog |
24 | 26 | ||
27 | # These options work but are disabled in case | ||
28 | # a users wants to search in these directories. | ||
25 | # private-bin bash,catfish,env,locate,ls,mlocate,python,python2,python2.7,python3,python3.5,python3.5m,python3m | 29 | # private-bin bash,catfish,env,locate,ls,mlocate,python,python2,python2.7,python3,python3.5,python3.5m,python3m |
26 | # private-dev | 30 | # private-dev |
27 | # private-tmp | 31 | # private-tmp |
28 | |||
29 | # CLOBBERED COMMENTS | ||
30 | # These options work but are disabled in case | ||
31 | # We can't blacklist much since catfish | ||
32 | # a users wants to search in these directories. | ||
33 | # is for finding files/content | ||
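Review bot: The restored comment on new line 28 has a grammatical slip, `# a users wants to search in these directories.`; since this hunk is already rewriting the comment, it could read `# a user wants to search in these directories.`. The preceding line 27 is fine as is.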
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index 8aa11a0e6..fe0153959 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile | |||
@@ -32,6 +32,3 @@ private-tmp | |||
32 | 32 | ||
33 | noexec ${HOME} | 33 | noexec ${HOME} |
34 | noexec /tmp | 34 | noexec /tmp |
35 | |||
36 | # CLOBBERED COMMENTS | ||
37 | # cherrytree note taking application | ||
diff --git a/etc/chromium.profile b/etc/chromium.profile index 97149d4d4..cec5366d9 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile | |||
@@ -11,6 +11,7 @@ noblacklist ~/.config/chromium-flags.conf | |||
11 | noblacklist ~/.pki | 11 | noblacklist ~/.pki |
12 | 12 | ||
13 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
14 | # chromium is distributed with a perl script on Arch | ||
14 | # include /etc/firejail/disable-devel.inc | 15 | # include /etc/firejail/disable-devel.inc |
15 | include /etc/firejail/disable-programs.inc | 16 | include /etc/firejail/disable-programs.inc |
16 | 17 | ||
@@ -34,8 +35,3 @@ private-dev | |||
34 | 35 | ||
35 | noexec ${HOME} | 36 | noexec ${HOME} |
36 | noexec /tmp | 37 | noexec /tmp |
37 | |||
38 | # CLOBBERED COMMENTS | ||
39 | # chromium is distributed with a perl script on Arch | ||
40 | # disable-mnt | ||
41 | # specific to Arch | ||
diff --git a/etc/clementine.profile b/etc/clementine.profile index a69be26df..13a14af3b 100644 --- a/etc/clementine.profile +++ b/etc/clementine.profile | |||
@@ -16,7 +16,5 @@ nonewprivs | |||
16 | noroot | 16 | noroot |
17 | novideo | 17 | novideo |
18 | protocol unix,inet,inet6 | 18 | protocol unix,inet,inet6 |
19 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old | ||
20 | |||
21 | # CLOBBERED COMMENTS | ||
22 | # Clementine makes ioprio_set system calls, which are blacklisted by default. | 19 | # Clementine makes ioprio_set system calls, which are blacklisted by default. |
20 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old | ||
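Review bot: The moved `seccomp.drop` line on new line 20 lists `process_vm_writev` twice (once after `process_vm_readv` and again after `personality`), which suggests the list was merged by hand; dropping the second occurrence would make it easier to diff against the other profiles. The restored comment on line 19 explains why a custom list is used, but not what the list is relative to — presumably the default blocklist minus `ioprio_set`, though that cannot be confirmed from this hunk; if so, saying that in the comment (e.g. `# default seccomp list without ioprio_set`) would tell the next maintainer how to keep it in sync when the default list changes.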
diff --git a/etc/cpio.profile b/etc/cpio.profile index cd9b9ad7c..c5d7680a3 100644 --- a/etc/cpio.profile +++ b/etc/cpio.profile | |||
@@ -25,7 +25,3 @@ shell none | |||
25 | tracelog | 25 | tracelog |
26 | 26 | ||
27 | private-dev | 27 | private-dev |
28 | |||
29 | # CLOBBERED COMMENTS | ||
30 | # /boot is not visible and /var is heavily modified | ||
31 | # /sbin and /usr/sbin are visible inside the sandbox | ||
diff --git a/etc/cvlc.profile b/etc/cvlc.profile index 0b63151a8..460966321 100644 --- a/etc/cvlc.profile +++ b/etc/cvlc.profile | |||
@@ -22,11 +22,9 @@ seccomp | |||
22 | shell none | 22 | shell none |
23 | tracelog | 23 | tracelog |
24 | 24 | ||
25 | # clvc doesn't like private-bin | ||
25 | # private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc | 26 | # private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc |
26 | private-dev | 27 | private-dev |
27 | private-tmp | 28 | private-tmp |
28 | 29 | ||
29 | memory-deny-write-execute | 30 | memory-deny-write-execute |
30 | |||
31 | # CLOBBERED COMMENTS | ||
32 | # clvc doesn't like private-bin | ||
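Review bot: The restored comment on new line 25 misspells the program name, `# clvc doesn't like private-bin`; the profile and the file name use `cvlc`, so the line should read `# cvlc doesn't like private-bin`. This is the only change I would make to the hunk.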
diff --git a/etc/deluge.profile b/etc/deluge.profile index ed115b024..bb45c4371 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile | |||
@@ -27,9 +27,7 @@ protocol unix,inet,inet6 | |||
27 | seccomp | 27 | seccomp |
28 | shell none | 28 | shell none |
29 | 29 | ||
30 | # deluge is using python on Debian | ||
30 | # private-bin deluge,sh,python,uname | 31 | # private-bin deluge,sh,python,uname |
31 | private-dev | 32 | private-dev |
32 | private-tmp | 33 | private-tmp |
33 | |||
34 | # CLOBBERED COMMENTS | ||
35 | # deluge is using python on Debian | ||
diff --git a/etc/digikam.profile b/etc/digikam.profile index 0ff437608..35365984e 100644 --- a/etc/digikam.profile +++ b/etc/digikam.profile | |||
@@ -21,6 +21,7 @@ nonewprivs | |||
21 | noroot | 21 | noroot |
22 | protocol unix,inet,inet6,netlink | 22 | protocol unix,inet,inet6,netlink |
23 | seccomp | 23 | seccomp |
24 | # seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group | ||
24 | shell none | 25 | shell none |
25 | 26 | ||
26 | # private-bin program | 27 | # private-bin program |
@@ -30,6 +31,3 @@ private-tmp | |||
30 | 31 | ||
31 | noexec ${HOME} | 32 | noexec ${HOME} |
32 | noexec /tmp | 33 | noexec /tmp |
33 | |||
34 | # CLOBBERED COMMENTS | ||
35 | # seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group | ||
diff --git a/etc/dolphin.profile b/etc/dolphin.profile index 5760f6811..93acbd09e 100644 --- a/etc/dolphin.profile +++ b/etc/dolphin.profile | |||
@@ -5,6 +5,8 @@ include /etc/firejail/dolphin.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5 | ||
9 | |||
8 | noblacklist ${HOME}/.local/share/Trash | 10 | noblacklist ${HOME}/.local/share/Trash |
9 | noblacklist ~/.config/dolphinrc | 11 | noblacklist ~/.config/dolphinrc |
10 | noblacklist ~/.local/share/dolphin | 12 | noblacklist ~/.local/share/dolphin |
@@ -23,11 +25,8 @@ protocol unix | |||
23 | seccomp | 25 | seccomp |
24 | shell none | 26 | shell none |
25 | 27 | ||
28 | # dolphin needs to be able to start arbitrary applications so we cannot blacklist their files | ||
26 | # private-bin | 29 | # private-bin |
27 | # private-dev | 30 | # private-dev |
28 | # private-etc | 31 | # private-etc |
29 | # private-tmp | 32 | # private-tmp |
30 | |||
31 | # CLOBBERED COMMENTS | ||
32 | # dolphin needs to be able to start arbitrary applications so we cannot blacklist their files | ||
33 | # warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5 | ||
diff --git a/etc/etr.profile b/etc/etr.profile index 6ed9a274d..dedc1e224 100644 --- a/etc/etr.profile +++ b/etc/etr.profile | |||
@@ -28,7 +28,3 @@ shell none | |||
28 | private-dev | 28 | private-dev |
29 | # private-etc none | 29 | # private-etc none |
30 | private-tmp | 30 | private-tmp |
31 | |||
32 | # CLOBBERED COMMENTS | ||
33 | # depending on your usage, you can enable some of the commands below: | ||
34 | # nosound | ||
diff --git a/etc/evince.profile b/etc/evince.profile index e58cef336..1a2b04160 100644 --- a/etc/evince.profile +++ b/etc/evince.profile | |||
@@ -28,11 +28,9 @@ tracelog | |||
28 | private-bin evince,evince-previewer,evince-thumbnailer | 28 | private-bin evince,evince-previewer,evince-thumbnailer |
29 | private-dev | 29 | private-dev |
30 | private-etc fonts | 30 | private-etc fonts |
31 | # evince needs access to /tmp/mozilla* to work in firefox | ||
31 | # private-tmp | 32 | # private-tmp |
32 | 33 | ||
33 | memory-deny-write-execute | 34 | memory-deny-write-execute |
34 | noexec ${HOME} | 35 | noexec ${HOME} |
35 | noexec /tmp | 36 | noexec /tmp |
36 | |||
37 | # CLOBBERED COMMENTS | ||
38 | # evince needs access to /tmp/mozilla* to work in firefox | ||
diff --git a/etc/file.profile b/etc/file.profile index 6e8280c3b..99d2fd865 100644 --- a/etc/file.profile +++ b/etc/file.profile | |||
@@ -28,6 +28,3 @@ x11 none | |||
28 | private-bin file | 28 | private-bin file |
29 | private-dev | 29 | private-dev |
30 | private-etc magic.mgc,magic,localtime | 30 | private-etc magic.mgc,magic,localtime |
31 | |||
32 | # CLOBBERED COMMENTS | ||
33 | # noroot | ||
diff --git a/etc/firefox.profile b/etc/firefox.profile index 8d48a4704..27f436c4f 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile | |||
@@ -68,6 +68,3 @@ private-tmp | |||
68 | 68 | ||
69 | noexec ${HOME} | 69 | noexec ${HOME} |
70 | noexec /tmp | 70 | noexec /tmp |
71 | |||
72 | # CLOBBERED COMMENTS | ||
73 | # disable-mnt | ||
diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile index b3aa80f85..be06dc460 100644 --- a/etc/flashpeak-slimjet.profile +++ b/etc/flashpeak-slimjet.profile | |||
@@ -5,11 +5,17 @@ include /etc/firejail/flashpeak-slimjet.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # This is a whitelisted profile, the internal browser sandbox | ||
9 | # is disabled because it requires sudo password. The command | ||
10 | # to run it is as follows: | ||
11 | # firejail flashpeak-slimjet --no-sandbox | ||
12 | |||
8 | noblacklist ~/.cache/slimjet | 13 | noblacklist ~/.cache/slimjet |
9 | noblacklist ~/.config/slimjet | 14 | noblacklist ~/.config/slimjet |
10 | noblacklist ~/.pki | 15 | noblacklist ~/.pki |
11 | 16 | ||
12 | include /etc/firejail/disable-common.inc | 17 | include /etc/firejail/disable-common.inc |
18 | # chromium is distributed with a perl script on Arch | ||
13 | # include /etc/firejail/disable-devel.inc | 19 | # include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-programs.inc | 20 | include /etc/firejail/disable-programs.inc |
15 | 21 | ||
@@ -28,9 +34,3 @@ nonewprivs | |||
28 | noroot | 34 | noroot |
29 | protocol unix,inet,inet6,netlink | 35 | protocol unix,inet,inet6,netlink |
30 | seccomp | 36 | seccomp |
31 | |||
32 | # CLOBBERED COMMENTS | ||
33 | # firejail flashpeak-slimjet --no-sandbox | ||
34 | # chromium is distributed with a perl script on Arch | ||
35 | # is disabled because it requires sudo password. The command | ||
36 | # to run it is as follows: | ||
diff --git a/etc/franz.profile b/etc/franz.profile index 486326fe0..82bdabfcd 100644 --- a/etc/franz.profile +++ b/etc/franz.profile | |||
@@ -37,6 +37,3 @@ private-tmp | |||
37 | 37 | ||
38 | noexec ${HOME} | 38 | noexec ${HOME} |
39 | noexec /tmp | 39 | noexec /tmp |
40 | |||
41 | # CLOBBERED COMMENTS | ||
42 | # tracelog | ||
diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile index dc8ad3e08..b1d9798bc 100644 --- a/etc/frozen-bubble.profile +++ b/etc/frozen-bubble.profile | |||
@@ -28,7 +28,3 @@ shell none | |||
28 | private-dev | 28 | private-dev |
29 | # private-etc none | 29 | # private-etc none |
30 | private-tmp | 30 | private-tmp |
31 | |||
32 | # CLOBBERED COMMENTS | ||
33 | # depending on your usage, you can enable some of the commands below: | ||
34 | # nosound | ||
diff --git a/etc/gajim.profile b/etc/gajim.profile index d8ca7424c..451a93c31 100644 --- a/etc/gajim.profile +++ b/etc/gajim.profile | |||
@@ -40,7 +40,5 @@ disable-mnt | |||
40 | private-dev | 40 | private-dev |
41 | # private-etc fonts | 41 | # private-etc fonts |
42 | # private-tmp | 42 | # private-tmp |
43 | read-only ${HOME}/.local/lib/python2.7/site-packages/ | ||
44 | |||
45 | # CLOBBERED COMMENTS | ||
46 | # Allow the local python 2.7 site packages, in case any plugins are using these | 43 | # Allow the local python 2.7 site packages, in case any plugins are using these |
44 | read-only ${HOME}/.local/lib/python2.7/site-packages/ | ||
diff --git a/etc/geary.profile b/etc/geary.profile index 5833e51cf..3f9faf058 100644 --- a/etc/geary.profile +++ b/etc/geary.profile | |||
@@ -5,6 +5,9 @@ include /etc/firejail/geary.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # Users have Geary set to open a browser by clicking a link in an email | ||
9 | # We are not allowed to blacklist browser-specific directories | ||
10 | |||
8 | noblacklist ~/.gnupg | 11 | noblacklist ~/.gnupg |
9 | noblacklist ~/.local/share/geary | 12 | noblacklist ~/.local/share/geary |
10 | 13 | ||
@@ -21,9 +24,5 @@ ignore private-tmp | |||
21 | read-only ~/.config/mimeapps.list | 24 | read-only ~/.config/mimeapps.list |
22 | read-only ~/.local/share/applications | 25 | read-only ~/.local/share/applications |
23 | 26 | ||
24 | include /etc/firejail/firefox.profile | ||
25 | |||
26 | # CLOBBERED COMMENTS | ||
27 | # Users have Geary set to open a browser by clicking a link in an email | ||
28 | # We are not allowed to blacklist browser-specific directories | ||
29 | # allow browsers | 27 | # allow browsers |
28 | include /etc/firejail/firefox.profile | ||
diff --git a/etc/gedit.profile b/etc/gedit.profile index 2fd7f20fe..aa91d9518 100644 --- a/etc/gedit.profile +++ b/etc/gedit.profile | |||
@@ -5,6 +5,8 @@ include /etc/firejail/gedit.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # when gedit is started via gnome-shell, firejail is not applied because systemd will start it | ||
9 | |||
8 | noblacklist ~/.config/gedit | 10 | noblacklist ~/.config/gedit |
9 | 11 | ||
10 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
@@ -31,6 +33,3 @@ private-tmp | |||
31 | 33 | ||
32 | noexec ${HOME} | 34 | noexec ${HOME} |
33 | noexec /tmp | 35 | noexec /tmp |
34 | |||
35 | # CLOBBERED COMMENTS | ||
36 | # when gedit is started via gnome-shell, firejail is not applied because systemd will start it | ||
diff --git a/etc/geeqie.profile b/etc/geeqie.profile index 9434d49b8..5936787dd 100644 --- a/etc/geeqie.profile +++ b/etc/geeqie.profile | |||
@@ -26,6 +26,3 @@ shell none | |||
26 | # private-bin geeqie | 26 | # private-bin geeqie |
27 | private-dev | 27 | private-dev |
28 | # private-etc X11 | 28 | # private-etc X11 |
29 | |||
30 | # CLOBBERED COMMENTS | ||
31 | # Experimental: | ||
diff --git a/etc/ghb.profile b/etc/ghb.profile index 80291223c..9437cea9e 100644 --- a/etc/ghb.profile +++ b/etc/ghb.profile | |||
@@ -3,6 +3,3 @@ | |||
3 | 3 | ||
4 | 4 | ||
5 | include /etc/firejail/handbrake.profile | 5 | include /etc/firejail/handbrake.profile |
6 | |||
7 | # CLOBBERED COMMENTS | ||
8 | # HandBrake | ||
diff --git a/etc/gimp.profile b/etc/gimp.profile index e63d10d35..d77c4df8d 100644 --- a/etc/gimp.profile +++ b/etc/gimp.profile | |||
@@ -24,10 +24,7 @@ shell none | |||
24 | private-dev | 24 | private-dev |
25 | private-tmp | 25 | private-tmp |
26 | 26 | ||
27 | noexec /tmp | ||
28 | |||
29 | # CLOBBERED COMMENTS | ||
30 | # gimp | ||
31 | # gimp plugins are installed by the user in ~/.gimp-2.8/plug-ins/ directory | 27 | # gimp plugins are installed by the user in ~/.gimp-2.8/plug-ins/ directory |
32 | # if you are not using external plugins, you can enable noexec statement below | 28 | # if you are not using external plugins, you can enable noexec statement below |
33 | # noexec ${HOME} | 29 | # noexec ${HOME} |
30 | noexec /tmp | ||
diff --git a/etc/gjs.profile b/etc/gjs.profile index 443dccfea..739100888 100644 --- a/etc/gjs.profile +++ b/etc/gjs.profile | |||
@@ -5,6 +5,8 @@ include /etc/firejail/gjs.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
9 | |||
8 | noblacklist ~/.cache/libgweather | 10 | noblacklist ~/.cache/libgweather |
9 | noblacklist ~/.cache/org.gnome.Books | 11 | noblacklist ~/.cache/org.gnome.Books |
10 | noblacklist ~/.config/libreoffice | 12 | noblacklist ~/.config/libreoffice |
@@ -29,6 +31,3 @@ tracelog | |||
29 | private-dev | 31 | private-dev |
30 | # private-etc fonts | 32 | # private-etc fonts |
31 | private-tmp | 33 | private-tmp |
32 | |||
33 | # CLOBBERED COMMENTS | ||
34 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
diff --git a/etc/gnome-2048.profile b/etc/gnome-2048.profile index 480c6a35f..996c8e1f4 100644 --- a/etc/gnome-2048.profile +++ b/etc/gnome-2048.profile | |||
@@ -31,6 +31,3 @@ private-tmp | |||
31 | 31 | ||
32 | noexec ${HOME} | 32 | noexec ${HOME} |
33 | noexec /tmp | 33 | noexec /tmp |
34 | |||
35 | # CLOBBERED COMMENTS | ||
36 | # nosound | ||
diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile index e934b48a5..60bd2f68d 100644 --- a/etc/gnome-books.profile +++ b/etc/gnome-books.profile | |||
@@ -5,6 +5,8 @@ include /etc/firejail/gnome-books.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
9 | |||
8 | noblacklist ~/.cache/org.gnome.Books | 10 | noblacklist ~/.cache/org.gnome.Books |
9 | 11 | ||
10 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
@@ -32,6 +34,3 @@ private-tmp | |||
32 | 34 | ||
33 | noexec ${HOME} | 35 | noexec ${HOME} |
34 | noexec /tmp | 36 | noexec /tmp |
35 | |||
36 | # CLOBBERED COMMENTS | ||
37 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile index 2e949271b..995415edc 100644 --- a/etc/gnome-calculator.profile +++ b/etc/gnome-calculator.profile | |||
@@ -33,6 +33,3 @@ private-tmp | |||
33 | memory-deny-write-execute | 33 | memory-deny-write-execute |
34 | noexec ${HOME} | 34 | noexec ${HOME} |
35 | noexec /tmp | 35 | noexec /tmp |
36 | |||
37 | # CLOBBERED COMMENTS | ||
38 | # net none | ||
diff --git a/etc/gnome-documents.profile b/etc/gnome-documents.profile index 2c77c32ae..e56a32a4a 100644 --- a/etc/gnome-documents.profile +++ b/etc/gnome-documents.profile | |||
@@ -5,6 +5,8 @@ include /etc/firejail/gnome-documents.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
9 | |||
8 | noblacklist ~/.config/libreoffice | 10 | noblacklist ~/.config/libreoffice |
9 | 11 | ||
10 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
@@ -30,6 +32,3 @@ private-tmp | |||
30 | 32 | ||
31 | noexec ${HOME} | 33 | noexec ${HOME} |
32 | noexec /tmp | 34 | noexec /tmp |
33 | |||
34 | # CLOBBERED COMMENTS | ||
35 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile index 79ea783a6..1e60c4470 100644 --- a/etc/gnome-maps.profile +++ b/etc/gnome-maps.profile | |||
@@ -5,6 +5,8 @@ include /etc/firejail/gnome-maps.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
9 | |||
8 | noblacklist ${HOME}/.cache/champlain | 10 | noblacklist ${HOME}/.cache/champlain |
9 | 11 | ||
10 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
@@ -32,6 +34,3 @@ private-tmp | |||
32 | 34 | ||
33 | noexec ${HOME} | 35 | noexec ${HOME} |
34 | noexec /tmp | 36 | noexec /tmp |
35 | |||
36 | # CLOBBERED COMMENTS | ||
37 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile index bb13672f4..5982b9dbd 100644 --- a/etc/gnome-photos.profile +++ b/etc/gnome-photos.profile | |||
@@ -5,6 +5,8 @@ include /etc/firejail/gnome-photos.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
9 | |||
8 | noblacklist ~/.local/share/gnome-photos | 10 | noblacklist ~/.local/share/gnome-photos |
9 | 11 | ||
10 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
@@ -30,6 +32,3 @@ private-tmp | |||
30 | 32 | ||
31 | noexec ${HOME} | 33 | noexec ${HOME} |
32 | noexec /tmp | 34 | noexec /tmp |
33 | |||
34 | # CLOBBERED COMMENTS | ||
35 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile index 77538ad6e..514ef6f15 100644 --- a/etc/gnome-weather.profile +++ b/etc/gnome-weather.profile | |||
@@ -5,6 +5,8 @@ include /etc/firejail/gnome-weather.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
9 | |||
8 | noblacklist ~/.cache/libgweather | 10 | noblacklist ~/.cache/libgweather |
9 | 11 | ||
10 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
@@ -33,6 +35,3 @@ private-tmp | |||
33 | 35 | ||
34 | noexec ${HOME} | 36 | noexec ${HOME} |
35 | noexec /tmp | 37 | noexec /tmp |
36 | |||
37 | # CLOBBERED COMMENTS | ||
38 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile index 53220997a..b6c39bfd2 100644 --- a/etc/google-chrome-beta.profile +++ b/etc/google-chrome-beta.profile | |||
@@ -10,6 +10,7 @@ noblacklist ~/.config/google-chrome-beta | |||
10 | noblacklist ~/.pki | 10 | noblacklist ~/.pki |
11 | 11 | ||
12 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
13 | # chromium is distributed with a perl script on Arch | ||
13 | # include /etc/firejail/disable-devel.inc | 14 | # include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-programs.inc | 15 | include /etc/firejail/disable-programs.inc |
15 | 16 | ||
@@ -32,7 +33,3 @@ private-dev | |||
32 | 33 | ||
33 | noexec ${HOME} | 34 | noexec ${HOME} |
34 | noexec /tmp | 35 | noexec /tmp |
35 | |||
36 | # CLOBBERED COMMENTS | ||
37 | # chromium is distributed with a perl script on Arch | ||
38 | # disable-mnt | ||
diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile index 6f4ec9101..ea111c7f6 100644 --- a/etc/google-chrome-unstable.profile +++ b/etc/google-chrome-unstable.profile | |||
@@ -10,6 +10,7 @@ noblacklist ~/.config/google-chrome-unstable | |||
10 | noblacklist ~/.pki | 10 | noblacklist ~/.pki |
11 | 11 | ||
12 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
13 | # chromium is distributed with a perl script on Arch | ||
13 | # include /etc/firejail/disable-devel.inc | 14 | # include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-programs.inc | 15 | include /etc/firejail/disable-programs.inc |
15 | 16 | ||
@@ -32,7 +33,3 @@ private-dev | |||
32 | 33 | ||
33 | noexec ${HOME} | 34 | noexec ${HOME} |
34 | noexec /tmp | 35 | noexec /tmp |
35 | |||
36 | # CLOBBERED COMMENTS | ||
37 | # chromium is distributed with a perl script on Arch | ||
38 | # disable-mnt | ||
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile index 84fdcdd21..f0d452841 100644 --- a/etc/google-chrome.profile +++ b/etc/google-chrome.profile | |||
@@ -10,6 +10,7 @@ noblacklist ~/.config/google-chrome | |||
10 | noblacklist ~/.pki | 10 | noblacklist ~/.pki |
11 | 11 | ||
12 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
13 | # chromium is distributed with a perl script on Arch | ||
13 | # include /etc/firejail/disable-devel.inc | 14 | # include /etc/firejail/disable-devel.inc |
14 | include /etc/firejail/disable-programs.inc | 15 | include /etc/firejail/disable-programs.inc |
15 | 16 | ||
@@ -32,7 +33,3 @@ private-dev | |||
32 | 33 | ||
33 | noexec ${HOME} | 34 | noexec ${HOME} |
34 | noexec /tmp | 35 | noexec /tmp |
35 | |||
36 | # CLOBBERED COMMENTS | ||
37 | # chromium is distributed with a perl script on Arch | ||
38 | # disable-mnt | ||
diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile index e326c8083..9c6c70f9f 100644 --- a/etc/google-play-music-desktop-player.profile +++ b/etc/google-play-music-desktop-player.profile | |||
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc | |||
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
14 | 14 | ||
15 | # whitelist ~/.config/pulse | ||
16 | # whitelist ~/.pulse | ||
15 | whitelist ~/.config/Google Play Music Desktop Player | 17 | whitelist ~/.config/Google Play Music Desktop Player |
16 | include /etc/firejail/whitelist-common.inc | 18 | include /etc/firejail/whitelist-common.inc |
17 | 19 | ||
@@ -32,7 +34,3 @@ private-tmp | |||
32 | 34 | ||
33 | noexec ${HOME} | 35 | noexec ${HOME} |
34 | noexec /tmp | 36 | noexec /tmp |
35 | |||
36 | # CLOBBERED COMMENTS | ||
37 | # whitelist ~/.config/pulse | ||
38 | # whitelist ~/.pulse | ||
diff --git a/etc/gwenview.profile b/etc/gwenview.profile index 19d83866e..0f2be604b 100644 --- a/etc/gwenview.profile +++ b/etc/gwenview.profile | |||
@@ -34,6 +34,3 @@ private-dev | |||
34 | 34 | ||
35 | noexec ${HOME} | 35 | noexec ${HOME} |
36 | noexec /tmp | 36 | noexec /tmp |
37 | |||
38 | # CLOBBERED COMMENTS | ||
39 | # Experimental: | ||
diff --git a/etc/handbrake-gtk.profile b/etc/handbrake-gtk.profile index 80291223c..9437cea9e 100644 --- a/etc/handbrake-gtk.profile +++ b/etc/handbrake-gtk.profile | |||
@@ -3,6 +3,3 @@ | |||
3 | 3 | ||
4 | 4 | ||
5 | include /etc/firejail/handbrake.profile | 5 | include /etc/firejail/handbrake.profile |
6 | |||
7 | # CLOBBERED COMMENTS | ||
8 | # HandBrake | ||
diff --git a/etc/hexchat.profile b/etc/hexchat.profile index f070937ef..ceebb6d18 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile | |||
@@ -6,6 +6,8 @@ include /etc/firejail/hexchat.local | |||
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.config/hexchat | 8 | noblacklist ${HOME}/.config/hexchat |
9 | # noblacklist /usr/lib/python2* | ||
10 | # noblacklist /usr/lib/python3* | ||
9 | 11 | ||
10 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
@@ -29,15 +31,10 @@ shell none | |||
29 | tracelog | 31 | tracelog |
30 | 32 | ||
31 | disable-mnt | 33 | disable-mnt |
34 | # debug note: private-bin requires perl, python, etc on some systems | ||
32 | private-bin hexchat | 35 | private-bin hexchat |
33 | private-dev | 36 | private-dev |
34 | private-tmp | 37 | private-tmp |
35 | 38 | ||
36 | noexec ${HOME} | 39 | noexec ${HOME} |
37 | noexec /tmp | 40 | noexec /tmp |
38 | |||
39 | # CLOBBERED COMMENTS | ||
40 | # Currently in testing (may not work for all users) | ||
41 | # debug note: private-bin requires perl, python, etc on some systems | ||
42 | # noblacklist /usr/lib/python2* | ||
43 | # noblacklist /usr/lib/python3* | ||
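Review bot: The `# Currently in testing (may not work for all users)` line from the clobbered block is deleted but not restored, while the other three clobbered comments in this hunk are moved back next to the directives they describe. That line is the only hint to a user that this profile (with `private-bin hexchat` enabled) may break on some systems, and the `# debug note: private-bin requires perl, python, etc on some systems` comment that was restored above `private-bin hexchat` reads as a follow-up to it. Suggest restoring it above the `noblacklist ${HOME}/.config/hexchat` block as `# Currently in testing (may not work for all users)`, or stating in the commit message that it was dropped on purpose.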
diff --git a/etc/icedove.profile b/etc/icedove.profile index 8cb4ec1ea..3931fd0c0 100644 --- a/etc/icedove.profile +++ b/etc/icedove.profile | |||
@@ -5,6 +5,9 @@ include /etc/firejail/icedove.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # Users have icedove set to open a browser by clicking a link in an email | ||
9 | # We are not allowed to blacklist browser-specific directories | ||
10 | |||
8 | noblacklist ~/.cache/icedove | 11 | noblacklist ~/.cache/icedove |
9 | noblacklist ~/.gnupg | 12 | noblacklist ~/.gnupg |
10 | noblacklist ~/.icedove | 13 | noblacklist ~/.icedove |
@@ -19,9 +22,5 @@ include /etc/firejail/whitelist-common.inc | |||
19 | 22 | ||
20 | ignore private-tmp | 23 | ignore private-tmp |
21 | 24 | ||
22 | include /etc/firejail/firefox.profile | ||
23 | |||
24 | # CLOBBERED COMMENTS | ||
25 | # Users have icedove set to open a browser by clicking a link in an email | ||
26 | # We are not allowed to blacklist browser-specific directories | ||
27 | # allow browsers | 25 | # allow browsers |
26 | include /etc/firejail/firefox.profile | ||
diff --git a/etc/idea.sh.profile b/etc/idea.sh.profile index 2ca4cba69..f0f0637d9 100644 --- a/etc/idea.sh.profile +++ b/etc/idea.sh.profile | |||
@@ -32,6 +32,3 @@ private-dev | |||
32 | # private-tmp | 32 | # private-tmp |
33 | 33 | ||
34 | noexec /tmp | 34 | noexec /tmp |
35 | |||
36 | # CLOBBERED COMMENTS | ||
37 | # nosound | ||
diff --git a/etc/inkscape.profile b/etc/inkscape.profile index cde845907..6bba90d14 100644 --- a/etc/inkscape.profile +++ b/etc/inkscape.profile | |||
@@ -28,6 +28,3 @@ private-tmp | |||
28 | 28 | ||
29 | noexec ${HOME} | 29 | noexec ${HOME} |
30 | noexec /tmp | 30 | noexec /tmp |
31 | |||
32 | # CLOBBERED COMMENTS | ||
33 | # inkscape | ||
diff --git a/etc/iridium.profile b/etc/iridium.profile index 03fae05dc..95e94cbf9 100644 --- a/etc/iridium.profile +++ b/etc/iridium.profile | |||
@@ -9,6 +9,7 @@ noblacklist ~/.cache/iridium | |||
9 | noblacklist ~/.config/iridium | 9 | noblacklist ~/.config/iridium |
10 | 10 | ||
11 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
12 | # chromium/iridium is distributed with a perl script on Arch | ||
12 | # include /etc/firejail/disable-devel.inc | 13 | # include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-programs.inc | 14 | include /etc/firejail/disable-programs.inc |
14 | 15 | ||
@@ -22,6 +23,3 @@ whitelist ~/.pki | |||
22 | include /etc/firejail/whitelist-common.inc | 23 | include /etc/firejail/whitelist-common.inc |
23 | 24 | ||
24 | netfilter | 25 | netfilter |
25 | |||
26 | # CLOBBERED COMMENTS | ||
27 | # chromium/iridium is distributed with a perl script on Arch | ||
diff --git a/etc/kodi.profile b/etc/kodi.profile index f3eb6867f..06db44132 100644 --- a/etc/kodi.profile +++ b/etc/kodi.profile | |||
@@ -27,6 +27,3 @@ private-tmp | |||
27 | 27 | ||
28 | noexec ${HOME} | 28 | noexec ${HOME} |
29 | noexec /tmp | 29 | noexec /tmp |
30 | |||
31 | # CLOBBERED COMMENTS | ||
32 | # novideo | ||
diff --git a/etc/kwrite.profile b/etc/kwrite.profile index 3b3045e07..b6406cc0d 100644 --- a/etc/kwrite.profile +++ b/etc/kwrite.profile | |||
@@ -22,6 +22,7 @@ netfilter | |||
22 | nogroups | 22 | nogroups |
23 | nonewprivs | 23 | nonewprivs |
24 | noroot | 24 | noroot |
25 | # nosound - KWrite is using ALSA! | ||
25 | protocol unix | 26 | protocol unix |
26 | seccomp | 27 | seccomp |
27 | shell none | 28 | shell none |
@@ -31,6 +32,3 @@ tracelog | |||
31 | private-dev | 32 | private-dev |
32 | # private-etc fonts | 33 | # private-etc fonts |
33 | private-tmp | 34 | private-tmp |
34 | |||
35 | # CLOBBERED COMMENTS | ||
36 | # nosound - KWrite is using ALSA! | ||
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index e2c8d0878..8387fef98 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile | |||
@@ -28,6 +28,3 @@ private-dev | |||
28 | 28 | ||
29 | noexec ${HOME} | 29 | noexec ${HOME} |
30 | noexec /tmp | 30 | noexec /tmp |
31 | |||
32 | # CLOBBERED COMMENTS | ||
33 | # whitelist /tmp/.X11-unix/ | ||
diff --git a/etc/liferea.profile b/etc/liferea.profile index a0dd1a1ff..f9c050acb 100644 --- a/etc/liferea.profile +++ b/etc/liferea.profile | |||
@@ -24,9 +24,11 @@ include /etc/firejail/whitelist-common.inc | |||
24 | 24 | ||
25 | caps.drop all | 25 | caps.drop all |
26 | netfilter | 26 | netfilter |
27 | # no3d | ||
27 | nogroups | 28 | nogroups |
28 | nonewprivs | 29 | nonewprivs |
29 | noroot | 30 | noroot |
31 | # nosound | ||
30 | novideo | 32 | novideo |
31 | protocol unix,inet,inet6 | 33 | protocol unix,inet,inet6 |
32 | seccomp | 34 | seccomp |
@@ -38,7 +40,3 @@ private-tmp | |||
38 | 40 | ||
39 | noexec ${HOME} | 41 | noexec ${HOME} |
40 | noexec /tmp | 42 | noexec /tmp |
41 | |||
42 | # CLOBBERED COMMENTS | ||
43 | # no3d | ||
44 | # nosound | ||
diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile index 961fca905..bbceee7c7 100644 --- a/etc/luminance-hdr.profile +++ b/etc/luminance-hdr.profile | |||
@@ -29,6 +29,3 @@ private-tmp | |||
29 | 29 | ||
30 | noexec ${HOME} | 30 | noexec ${HOME} |
31 | noexec /tmp | 31 | noexec /tmp |
32 | |||
33 | # CLOBBERED COMMENTS | ||
34 | # luminance-hdr | ||
diff --git a/etc/lxterminal.profile b/etc/lxterminal.profile index 22ecbaa6f..771211b31 100644 --- a/etc/lxterminal.profile +++ b/etc/lxterminal.profile | |||
@@ -12,8 +12,6 @@ include /etc/firejail/disable-programs.inc | |||
12 | 12 | ||
13 | caps.drop all | 13 | caps.drop all |
14 | netfilter | 14 | netfilter |
15 | # noroot - somehow this breaks on Debian Jessie! | ||
15 | protocol unix,inet,inet6 | 16 | protocol unix,inet,inet6 |
16 | seccomp | 17 | seccomp |
17 | |||
18 | # CLOBBERED COMMENTS | ||
19 | # noroot - somehow this breaks on Debian Jessie! | ||
diff --git a/etc/midori.profile b/etc/midori.profile index f3a219f52..5b390a170 100644 --- a/etc/midori.profile +++ b/etc/midori.profile | |||
@@ -36,9 +36,7 @@ include /etc/firejail/whitelist-common.inc | |||
36 | caps.drop all | 36 | caps.drop all |
37 | netfilter | 37 | netfilter |
38 | nonewprivs | 38 | nonewprivs |
39 | # noroot - problems on Ubuntu 14.04 | ||
39 | protocol unix,inet,inet6,netlink | 40 | protocol unix,inet,inet6,netlink |
40 | seccomp | 41 | seccomp |
41 | tracelog | 42 | tracelog |
42 | |||
43 | # CLOBBERED COMMENTS | ||
44 | # noroot - porblems on Ubuntu 14.04 | ||
diff --git a/etc/mplayer.profile b/etc/mplayer.profile index 25bcef47a..b431e4695 100644 --- a/etc/mplayer.profile +++ b/etc/mplayer.profile | |||
@@ -14,6 +14,7 @@ include /etc/firejail/disable-programs.inc | |||
14 | 14 | ||
15 | caps.drop all | 15 | caps.drop all |
16 | netfilter | 16 | netfilter |
17 | # nogroups | ||
17 | nonewprivs | 18 | nonewprivs |
18 | noroot | 19 | noroot |
19 | protocol unix,inet,inet6,netlink | 20 | protocol unix,inet,inet6,netlink |
@@ -26,6 +27,3 @@ private-tmp | |||
26 | 27 | ||
27 | noexec ${HOME} | 28 | noexec ${HOME} |
28 | noexec /tmp | 29 | noexec /tmp |
29 | |||
30 | # CLOBBERED COMMENTS | ||
31 | # nogroups | ||
diff --git a/etc/mpv.profile b/etc/mpv.profile index 7c1e5ea27..56192ac17 100644 --- a/etc/mpv.profile +++ b/etc/mpv.profile | |||
@@ -25,6 +25,3 @@ tracelog | |||
25 | 25 | ||
26 | private-bin mpv,youtube-dl,python,python2.7,python3.6,env | 26 | private-bin mpv,youtube-dl,python,python2.7,python3.6,env |
27 | private-dev | 27 | private-dev |
28 | |||
29 | # CLOBBERED COMMENTS | ||
30 | # to test | ||
diff --git a/etc/multimc5.profile b/etc/multimc5.profile index 882f17485..a2f5d46b4 100644 --- a/etc/multimc5.profile +++ b/etc/multimc5.profile | |||
@@ -27,6 +27,7 @@ nonewprivs | |||
27 | noroot | 27 | noroot |
28 | novideo | 28 | novideo |
29 | protocol unix,inet,inet6 | 29 | protocol unix,inet,inet6 |
30 | # seccomp | ||
30 | shell none | 31 | shell none |
31 | 32 | ||
32 | disable-mnt | 33 | disable-mnt |
@@ -35,6 +36,3 @@ private-tmp | |||
35 | 36 | ||
36 | noexec ${HOME} | 37 | noexec ${HOME} |
37 | noexec /tmp | 38 | noexec /tmp |
38 | |||
39 | # CLOBBERED COMMENTS | ||
40 | # seccomp | ||
diff --git a/etc/mupdf.profile b/etc/mupdf.profile index a55a01206..4b98552c4 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile | |||
@@ -19,6 +19,7 @@ noroot | |||
19 | nosound | 19 | nosound |
20 | protocol unix | 20 | protocol unix |
21 | seccomp | 21 | seccomp |
22 | # seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev | ||
22 | shell none | 23 | shell none |
23 | tracelog | 24 | tracelog |
24 | 25 | ||
@@ -26,9 +27,5 @@ tracelog | |||
26 | private-dev | 27 | private-dev |
27 | private-etc fonts | 28 | private-etc fonts |
28 | private-tmp | 29 | private-tmp |
29 | read-only ${HOME} | ||
30 | |||
31 | # CLOBBERED COMMENTS | ||
32 | # Experimental: | ||
33 | # mupdf will never write anything | 30 | # mupdf will never write anything |
34 | # seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev | 31 | read-only ${HOME} |
diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile index 9c3bfe658..f0680c4ce 100644 --- a/etc/mupen64plus.profile +++ b/etc/mupen64plus.profile | |||
@@ -13,6 +13,7 @@ include /etc/firejail/disable-devel.inc | |||
13 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | 14 | include /etc/firejail/disable-programs.inc |
15 | 15 | ||
16 | # you'll need to manually whitelist ROM files | ||
16 | mkdir ${HOME}/.config/mupen64plus | 17 | mkdir ${HOME}/.config/mupen64plus |
17 | mkdir ${HOME}/.local/share/mupen64plus | 18 | mkdir ${HOME}/.local/share/mupen64plus |
18 | whitelist ${HOME}/.config/mupen64plus/ | 19 | whitelist ${HOME}/.config/mupen64plus/ |
@@ -24,6 +25,3 @@ net none | |||
24 | nonewprivs | 25 | nonewprivs |
25 | noroot | 26 | noroot |
26 | seccomp | 27 | seccomp |
27 | |||
28 | # CLOBBERED COMMENTS | ||
29 | # manually whitelist ROM files | ||
diff --git a/etc/nautilus.profile b/etc/nautilus.profile index 350e7f9b6..2da8f32d7 100644 --- a/etc/nautilus.profile +++ b/etc/nautilus.profile | |||
@@ -5,6 +5,9 @@ include /etc/firejail/nautilus.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there | ||
9 | # is already a nautilus process running on gnome desktops firejail will have no effect. | ||
10 | |||
8 | noblacklist ~/.config/nautilus | 11 | noblacklist ~/.config/nautilus |
9 | noblacklist ~/.local/share/Trash | 12 | noblacklist ~/.local/share/Trash |
10 | noblacklist ~/.local/share/nautilus | 13 | noblacklist ~/.local/share/nautilus |
@@ -25,12 +28,8 @@ seccomp | |||
25 | shell none | 28 | shell none |
26 | tracelog | 29 | tracelog |
27 | 30 | ||
31 | # nautilus needs to be able to start arbitrary applications so we cannot blacklist their files | ||
28 | # private-bin nautilus | 32 | # private-bin nautilus |
29 | # private-dev | 33 | # private-dev |
30 | # private-etc fonts | 34 | # private-etc fonts |
31 | # private-tmp | 35 | # private-tmp |
32 | |||
33 | # CLOBBERED COMMENTS | ||
34 | # Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there | ||
35 | # is already a nautilus process running on gnome desktops firejail will have no effect. | ||
36 | # nautilus needs to be able to start arbitrary applications so we cannot blacklist their files | ||
diff --git a/etc/open-invaders.profile b/etc/open-invaders.profile index e4c87e5b9..2587027ab 100644 --- a/etc/open-invaders.profile +++ b/etc/open-invaders.profile | |||
@@ -28,7 +28,3 @@ shell none | |||
28 | private-dev | 28 | private-dev |
29 | # private-etc none | 29 | # private-etc none |
30 | private-tmp | 30 | private-tmp |
31 | |||
32 | # CLOBBERED COMMENTS | ||
33 | # depending on your usage, you can enable some of the commands below: | ||
34 | # nosound | ||
diff --git a/etc/palemoon.profile b/etc/palemoon.profile index ab72497c0..e3e498195 100644 --- a/etc/palemoon.profile +++ b/etc/palemoon.profile | |||
@@ -12,6 +12,26 @@ include /etc/firejail/disable-common.inc | |||
12 | include /etc/firejail/disable-devel.inc | 12 | include /etc/firejail/disable-devel.inc |
13 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
14 | 14 | ||
15 | # These are uncommented in the Firefox profile. If you run into trouble you may | ||
16 | # want to uncomment (some of) them. | ||
17 | #whitelist ~/dwhelper | ||
18 | #whitelist ~/.zotero | ||
19 | #whitelist ~/.vimperatorrc | ||
20 | #whitelist ~/.vimperator | ||
21 | #whitelist ~/.pentadactylrc | ||
22 | #whitelist ~/.pentadactyl | ||
23 | #whitelist ~/.keysnail.js | ||
24 | #whitelist ~/.config/gnome-mplayer | ||
25 | #whitelist ~/.cache/gnome-mplayer/plugin | ||
26 | #whitelist ~/.pki | ||
27 | #whitelist ~/.lastpass | ||
28 | |||
29 | # For silverlight | ||
30 | #whitelist ~/.wine-pipelight | ||
31 | #whitelist ~/.wine-pipelight64 | ||
32 | #whitelist ~/.config/pipelight-widevine | ||
33 | #whitelist ~/.config/pipelight-silverlight5.1 | ||
34 | |||
15 | mkdir ~/.cache/moonchild productions/pale moon | 35 | mkdir ~/.cache/moonchild productions/pale moon |
16 | mkdir ~/.moonchild productions | 36 | mkdir ~/.moonchild productions |
17 | whitelist ${DOWNLOADS} | 37 | whitelist ${DOWNLOADS} |
@@ -34,22 +54,3 @@ tracelog | |||
34 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | 54 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse |
35 | # private-opt palemoon | 55 | # private-opt palemoon |
36 | private-tmp | 56 | private-tmp |
37 | |||
38 | # CLOBBERED COMMENTS | ||
39 | # For silverlight | ||
40 | # want to uncomment (some of) them. | ||
41 | # whitelist ~/.cache/gnome-mplayer/plugin | ||
42 | # whitelist ~/.config/gnome-mplayer | ||
43 | # whitelist ~/.config/pipelight-silverlight5.1 | ||
44 | # whitelist ~/.config/pipelight-widevine | ||
45 | # whitelist ~/.keysnail.js | ||
46 | # whitelist ~/.lastpass | ||
47 | # whitelist ~/.pentadactyl | ||
48 | # whitelist ~/.pentadactylrc | ||
49 | # whitelist ~/.pki | ||
50 | # whitelist ~/.vimperator | ||
51 | # whitelist ~/.vimperatorrc | ||
52 | # whitelist ~/.wine-pipelight | ||
53 | # whitelist ~/.wine-pipelight64 | ||
54 | # whitelist ~/.zotero | ||
55 | # whitelist ~/dwhelper | ||
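Review bot: The restored commented-out directives are written as `#whitelist ~/...` with no space after `#`, whereas every other commented-out directive in this diff (for example `# private-opt palemoon` two lines above `private-tmp` in the second hunk) uses `# directive`. The clobbered block they replace also used the spaced form. For consistency and so the lines are easy to grep as disabled directives, suggest `# whitelist ~/dwhelper` style throughout the restored block.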
diff --git a/etc/pingus.profile b/etc/pingus.profile index 6699b7944..848bf88ad 100644 --- a/etc/pingus.profile +++ b/etc/pingus.profile | |||
@@ -28,7 +28,3 @@ shell none | |||
28 | private-dev | 28 | private-dev |
29 | # private-etc none | 29 | # private-etc none |
30 | private-tmp | 30 | private-tmp |
31 | |||
32 | # CLOBBERED COMMENTS | ||
33 | # depending on your usage, you can enable some of the commands below: | ||
34 | # nosound | ||
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index 5dcba0825..025a6fa61 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile | |||
@@ -35,12 +35,9 @@ noroot | |||
35 | nosound | 35 | nosound |
36 | protocol unix,inet,inet6,netlink | 36 | protocol unix,inet,inet6,netlink |
37 | seccomp | 37 | seccomp |
38 | # shell none | ||
38 | 39 | ||
39 | # private-bin qbittorrent | 40 | # private-bin qbittorrent |
40 | private-dev | 41 | private-dev |
41 | # private-etc X11,fonts,xdg,resolv.conf | 42 | # private-etc X11,fonts,xdg,resolv.conf |
42 | private-tmp | 43 | private-tmp |
43 | |||
44 | # CLOBBERED COMMENTS | ||
45 | # shell none | ||
46 | # there are some problems with "Open destination folder", see bug # 536 | ||
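Review bot: The `# there are some problems with "Open destination folder", see bug # 536` comment is deleted from the clobbered block but not restored, while `# shell none` is moved back into place after `seccomp`. That comment explains why `shell none` and the `private-bin`/`private-etc` lines are left commented out, which a maintainer tightening this profile later will want to know before re-enabling them. Suggest restoring it directly above `# shell none`; the bug reference stays as on the page.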
diff --git a/etc/rambox.profile b/etc/rambox.profile index ea88b472c..a5b87e901 100644 --- a/etc/rambox.profile +++ b/etc/rambox.profile | |||
@@ -26,6 +26,4 @@ nonewprivs | |||
26 | noroot | 26 | noroot |
27 | protocol unix,inet,inet6,netlink | 27 | protocol unix,inet,inet6,netlink |
28 | seccomp | 28 | seccomp |
29 | |||
30 | # CLOBBERED COMMENTS | ||
31 | # tracelog | 29 | # tracelog |
diff --git a/etc/ranger.profile b/etc/ranger.profile index 3915cffb6..3767c7ba8 100644 --- a/etc/ranger.profile +++ b/etc/ranger.profile | |||
@@ -5,6 +5,7 @@ include /etc/firejail/ranger.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # noblacklist /usr/bin/cpan* | ||
8 | noblacklist /usr/bin/perl | 9 | noblacklist /usr/bin/perl |
9 | noblacklist /usr/lib/perl* | 10 | noblacklist /usr/lib/perl* |
10 | noblacklist /usr/share/perl* | 11 | noblacklist /usr/share/perl* |
@@ -25,6 +26,3 @@ protocol unix | |||
25 | seccomp | 26 | seccomp |
26 | 27 | ||
27 | private-dev | 28 | private-dev |
28 | |||
29 | # CLOBBERED COMMENTS | ||
30 | # noblacklist /usr/bin/cpan* | ||
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index 9f8e8fb1a..ac8882165 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile | |||
@@ -13,6 +13,7 @@ include /etc/firejail/disable-programs.inc | |||
13 | 13 | ||
14 | caps.drop all | 14 | caps.drop all |
15 | netfilter | 15 | netfilter |
16 | # no3d | ||
16 | nogroups | 17 | nogroups |
17 | nonewprivs | 18 | nonewprivs |
18 | noroot | 19 | noroot |
@@ -28,6 +29,3 @@ private-tmp | |||
28 | 29 | ||
29 | noexec ${HOME} | 30 | noexec ${HOME} |
30 | noexec /tmp | 31 | noexec /tmp |
31 | |||
32 | # CLOBBERED COMMENTS | ||
33 | # no3d | ||
diff --git a/etc/scribus.profile b/etc/scribus.profile index 73343f5da..7e117dcd1 100644 --- a/etc/scribus.profile +++ b/etc/scribus.profile | |||
@@ -5,6 +5,7 @@ include /etc/firejail/scribus.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # Support for PDF readers (Scribus 1.5 and higher) | ||
8 | noblacklist ~/.config/okularpartrc | 9 | noblacklist ~/.config/okularpartrc |
9 | noblacklist ~/.config/okularrc | 10 | noblacklist ~/.config/okularrc |
10 | noblacklist ~/.config/scribus | 11 | noblacklist ~/.config/scribus |
@@ -35,6 +36,3 @@ tracelog | |||
35 | 36 | ||
36 | private-dev | 37 | private-dev |
37 | # private-tmp | 38 | # private-tmp |
38 | |||
39 | # CLOBBERED COMMENTS | ||
40 | # Support for PDF readers (Scribus 1.5 and higher) | ||
diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile index d6c6886c7..a55388fee 100644 --- a/etc/simple-scan.profile +++ b/etc/simple-scan.profile | |||
@@ -20,12 +20,10 @@ noroot | |||
20 | nosound | 20 | nosound |
21 | protocol unix,inet,inet6 | 21 | protocol unix,inet,inet6 |
22 | shell none | 22 | shell none |
23 | # seccomp | ||
23 | tracelog | 24 | tracelog |
24 | 25 | ||
25 | # private-bin simple-scan | 26 | # private-bin simple-scan |
26 | # private-dev | 27 | # private-dev |
27 | # private-etc fonts | 28 | # private-etc fonts |
28 | # private-tmp | 29 | # private-tmp |
29 | |||
30 | # CLOBBERED COMMENTS | ||
31 | # seccomp | ||
diff --git a/etc/simutrans.profile b/etc/simutrans.profile index 32c0436f8..d67d2a575 100644 --- a/etc/simutrans.profile +++ b/etc/simutrans.profile | |||
@@ -28,7 +28,3 @@ shell none | |||
28 | private-dev | 28 | private-dev |
29 | # private-etc none | 29 | # private-etc none |
30 | private-tmp | 30 | private-tmp |
31 | |||
32 | # CLOBBERED COMMENTS | ||
33 | # depending on your usage, you can enable some of the commands below: | ||
34 | # nosound | ||
diff --git a/etc/skanlite.profile b/etc/skanlite.profile index f6e27a474..25f0107f8 100644 --- a/etc/skanlite.profile +++ b/etc/skanlite.profile | |||
@@ -17,6 +17,7 @@ nogroups | |||
17 | nonewprivs | 17 | nonewprivs |
18 | noroot | 18 | noroot |
19 | nosound | 19 | nosound |
20 | # protocol unix,inet,inet6 | ||
20 | seccomp | 21 | seccomp |
21 | shell none | 22 | shell none |
22 | 23 | ||
@@ -24,6 +25,3 @@ shell none | |||
24 | # private-dev | 25 | # private-dev |
25 | # private-etc | 26 | # private-etc |
26 | # private-tmp | 27 | # private-tmp |
27 | |||
28 | # CLOBBERED COMMENTS | ||
29 | # protocol unix,inet,inet6 | ||
diff --git a/etc/smplayer.profile b/etc/smplayer.profile index d3ff02ddf..d8861f937 100644 --- a/etc/smplayer.profile +++ b/etc/smplayer.profile | |||
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc | |||
15 | 15 | ||
16 | caps.drop all | 16 | caps.drop all |
17 | netfilter | 17 | netfilter |
18 | # nogroups | ||
18 | nonewprivs | 19 | nonewprivs |
19 | noroot | 20 | noroot |
20 | protocol unix,inet,inet6,netlink | 21 | protocol unix,inet,inet6,netlink |
@@ -27,6 +28,3 @@ private-tmp | |||
27 | 28 | ||
28 | noexec ${HOME} | 29 | noexec ${HOME} |
29 | noexec /tmp | 30 | noexec /tmp |
30 | |||
31 | # CLOBBERED COMMENTS | ||
32 | # nogroups | ||
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile index 520524192..f2c88c943 100644 --- a/etc/ssh-agent.profile +++ b/etc/ssh-agent.profile | |||
@@ -23,6 +23,3 @@ nonewprivs | |||
23 | noroot | 23 | noroot |
24 | protocol unix,inet,inet6 | 24 | protocol unix,inet,inet6 |
25 | seccomp | 25 | seccomp |
26 | |||
27 | # CLOBBERED COMMENTS | ||
28 | # ssh-agent | ||
diff --git a/etc/ssh.profile b/etc/ssh.profile index 0f9950a81..ac3b7a0ba 100644 --- a/etc/ssh.profile +++ b/etc/ssh.profile | |||
@@ -33,6 +33,3 @@ private-dev | |||
33 | memory-deny-write-execute | 33 | memory-deny-write-execute |
34 | noexec ${HOME} | 34 | noexec ${HOME} |
35 | noexec /tmp | 35 | noexec /tmp |
36 | |||
37 | # CLOBBERED COMMENTS | ||
38 | # ssh client | ||
diff --git a/etc/steam.profile b/etc/steam.profile index b3b62471d..d928e660d 100644 --- a/etc/steam.profile +++ b/etc/steam.profile | |||
@@ -14,6 +14,7 @@ noblacklist ${HOME}/.local/share/steam | |||
14 | noblacklist ${HOME}/.steam | 14 | noblacklist ${HOME}/.steam |
15 | noblacklist ${HOME}/.steampath | 15 | noblacklist ${HOME}/.steampath |
16 | noblacklist ${HOME}/.steampid | 16 | noblacklist ${HOME}/.steampid |
17 | # with >=llvm-4 mesa drivers need llvm stuff | ||
17 | noblacklist /usr/lib/llvm* | 18 | noblacklist /usr/lib/llvm* |
18 | 19 | ||
19 | include /etc/firejail/disable-common.inc | 20 | include /etc/firejail/disable-common.inc |
@@ -26,15 +27,12 @@ netfilter | |||
26 | nogroups | 27 | nogroups |
27 | nonewprivs | 28 | nonewprivs |
28 | noroot | 29 | noroot |
30 | # novideo | ||
29 | protocol unix,inet,inet6,netlink | 31 | protocol unix,inet,inet6,netlink |
30 | seccomp | 32 | seccomp |
31 | shell none | 33 | shell none |
34 | # tracelog disabled as it breaks integrated browser | ||
35 | # tracelog | ||
32 | 36 | ||
33 | private-dev | 37 | private-dev |
34 | private-tmp | 38 | private-tmp |
35 | |||
36 | # CLOBBERED COMMENTS | ||
37 | # novideo | ||
38 | # tracelog | ||
39 | # tracelog disabled as it breaks integrated browser | ||
40 | # with >=llvm-4 mesa drivers need llvm stuff | ||
diff --git a/etc/supertux2.profile b/etc/supertux2.profile index 87ad8da7f..4e70f9e8c 100644 --- a/etc/supertux2.profile +++ b/etc/supertux2.profile | |||
@@ -28,7 +28,3 @@ shell none | |||
28 | private-dev | 28 | private-dev |
29 | # private-etc none | 29 | # private-etc none |
30 | private-tmp | 30 | private-tmp |
31 | |||
32 | # CLOBBERED COMMENTS | ||
33 | # depending on your usage, you can enable some of the commands below: | ||
34 | # nosound | ||
diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile index 02db74df3..6861e6efb 100644 --- a/etc/synfigstudio.profile +++ b/etc/synfigstudio.profile | |||
@@ -29,6 +29,3 @@ private-tmp | |||
29 | 29 | ||
30 | noexec ${HOME} | 30 | noexec ${HOME} |
31 | noexec /tmp | 31 | noexec /tmp |
32 | |||
33 | # CLOBBERED COMMENTS | ||
34 | # synfigstudio | ||
diff --git a/etc/tar.profile b/etc/tar.profile index c3b5aa0e6..817e51542 100644 --- a/etc/tar.profile +++ b/etc/tar.profile | |||
@@ -16,11 +16,9 @@ nosound | |||
16 | shell none | 16 | shell none |
17 | tracelog | 17 | tracelog |
18 | 18 | ||
19 | # support compressed archives | ||
19 | private-bin sh,bash,dash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop | 20 | private-bin sh,bash,dash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop |
20 | private-dev | 21 | private-dev |
21 | private-etc passwd,group,localtime | 22 | private-etc passwd,group,localtime |
22 | 23 | ||
23 | include /etc/firejail/default.profile | 24 | include /etc/firejail/default.profile |
24 | |||
25 | # CLOBBERED COMMENTS | ||
26 | # support compressed archives | ||
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile index c80f76aa8..d3b7ee871 100644 --- a/etc/thunderbird.profile +++ b/etc/thunderbird.profile | |||
@@ -5,6 +5,9 @@ include /etc/firejail/thunderbird.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # Users have thunderbird set to open a browser by clicking a link in an email | ||
9 | # We are not allowed to blacklist browser-specific directories | ||
10 | |||
8 | noblacklist ~/.cache/thunderbird | 11 | noblacklist ~/.cache/thunderbird |
9 | noblacklist ~/.gnupg | 12 | noblacklist ~/.gnupg |
10 | noblacklist ~/.icedove | 13 | noblacklist ~/.icedove |
@@ -27,9 +30,5 @@ ignore private-tmp | |||
27 | read-only ~/.config/mimeapps.list | 30 | read-only ~/.config/mimeapps.list |
28 | read-only ~/.local/share/applications | 31 | read-only ~/.local/share/applications |
29 | 32 | ||
30 | include /etc/firejail/firefox.profile | ||
31 | |||
32 | # CLOBBERED COMMENTS | ||
33 | # Users have thunderbird set to open a browser by clicking a link in an email | ||
34 | # We are not allowed to blacklist browser-specific directories | ||
35 | # allow browsers | 33 | # allow browsers |
34 | include /etc/firejail/firefox.profile | ||
diff --git a/etc/tracker.profile b/etc/tracker.profile index 98040133c..feb8b4fd3 100644 --- a/etc/tracker.profile +++ b/etc/tracker.profile | |||
@@ -5,6 +5,8 @@ include /etc/firejail/tracker.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # Tracker is started by systemd on most systems. Therefore it is not firejailed by default | ||
9 | |||
8 | blacklist /tmp/.X11-unix | 10 | blacklist /tmp/.X11-unix |
9 | 11 | ||
10 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
@@ -28,6 +30,3 @@ tracelog | |||
28 | # private-dev | 30 | # private-dev |
29 | # private-etc fonts | 31 | # private-etc fonts |
30 | # private-tmp | 32 | # private-tmp |
31 | |||
32 | # CLOBBERED COMMENTS | ||
33 | # Tracker is started by systemd on most systems. Therefore it is not firejailed by default | ||
diff --git a/etc/unknown-horizons.profile b/etc/unknown-horizons.profile index fc24fc04d..e09b65632 100644 --- a/etc/unknown-horizons.profile +++ b/etc/unknown-horizons.profile | |||
@@ -27,7 +27,3 @@ shell none | |||
27 | private-dev | 27 | private-dev |
28 | # private-etc none | 28 | # private-etc none |
29 | private-tmp | 29 | private-tmp |
30 | |||
31 | # CLOBBERED COMMENTS | ||
32 | # depending on your usage, you can enable some of the commands below: | ||
33 | # nosound | ||
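--- a/etc/virtualbox.profile
+++ b/etc/virtualbox.profile
@@ -8,6 +8,7 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.VirtualBox
 noblacklist ${HOME}/.config/VirtualBox
 noblacklist ${HOME}/VirtualBox VMs
+# noblacklist /usr/bin/virtualbox
 noblacklist /usr/lib/virtualbox
 noblacklist /usr/lib64/virtualbox
 
@@ -23,6 +24,3 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
-
-# CLOBBERED COMMENTS
-# noblacklist /usr/bin/virtualbox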
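--- a/etc/vivaldi.profile
+++ b/etc/vivaldi.profile
@@ -29,6 +29,3 @@ private-dev
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# disable-mnt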
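--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+# nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
@@ -26,7 +27,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# memory-deny-write-execute - breaks playing videos
-# nogroups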
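Review bot: The comment `# memory-deny-write-execute - breaks playing videos` is dropped on the new side rather than relocated, while the neighbouring `# nogroups` is moved inline into the first hunk; the reason a hardening option is left out is exactly what the next maintainer trying to tighten this profile needs. Consider restoring it in place, next to the `seccomp`/`shell none` lines, as `# memory-deny-write-execute - breaks playing videos`. The moved `# nogroups` also carries no rationale, unlike the equivalent lines in wireshark.profile in this same commit; a short reason there would keep the two profiles consistent.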
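--- a/etc/warzone2100.profile
+++ b/etc/warzone2100.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+# mkdir ~/.warzone2100-3.1
+# mkdir ~/.warzone2100-3.2
 whitelist ~/.warzone2100-3.1
 whitelist ~/.warzone2100-3.2
 include /etc/firejail/whitelist-common.inc
@@ -30,8 +32,3 @@ disable-mnt
 private-bin warzone2100
 private-dev
 private-tmp
-
-# CLOBBERED COMMENTS
-# Call these options
-# mkdir ~/.warzone2100-3.1
-# mkdir ~/.warzone2100-3.2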
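Review bot: The two `# mkdir ~/.warzone2100-3.*` lines now sit directly above the matching `whitelist` lines but lose the `# Call these options` header, so it is no longer clear whether they are disabled profile directives or an instruction for the user to create the directories by hand. As far as I recall, firejail skips a `whitelist` whose path does not exist yet, so if the intent is to have the directories created before they are whitelisted the two lines should be uncommented rather than kept as comments. If they are meant as a manual step, a one-line comment such as `# create these directories manually before first use` would remove the ambiguity.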
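--- a/etc/weechat.profile
+++ b/etc/weechat.profile
@@ -17,7 +17,6 @@ noroot
 protocol unix,inet,inet6
 seccomp
 
-# CLOBBERED COMMENTS
+# no private-bin support for various reasons:
 # Plugins loaded: alias, aspell, charset, exec, fifo, guile, irc,
 # logger, lua, perl, python, relay, ruby, script, tcl, trigger, xferloading plugins
-# no private-bin support for various reasons: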
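--- a/etc/wire.profile
+++ b/etc/wire.profile
@@ -5,6 +5,9 @@ include /etc/firejail/wire.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# Note: the current beta version of wire is located in /opt/Wire/wire and therefore not in PATH.
+# To use wire with firejail run "firejail /opt/Wire/wire"
+
 noblacklist ~/.config/Wire
 noblacklist ~/.config/wire
 
@@ -25,7 +28,3 @@ shell none
 disable-mnt
 private-dev
 private-tmp
-
-# CLOBBERED COMMENTS
-# Note: the current beta version of wire is located in /opt/Wire/wire and therefore not in PATH.
-# To use wire with firejail run "firejail /opt/Wire/wire"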
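--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -12,9 +12,15 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+# caps.drop all
 netfilter
 no3d
+# nogroups - breaks unprivileged wireshark usage
+# nonewprivs - breaks unprivileged wireshark usage
+# noroot
 nosound
+# protocol unix,inet,inet6,netlink
+# seccomp - breaks unprivileged wireshark usage
 shell none
 tracelog
 
@@ -25,11 +31,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# caps.drop all
-# nogroups - breaks unprivileged wireshark usage
-# nonewprivs - breaks unprivileged wireshark usage
-# noroot
-# protocol unix,inet,inet6,netlink
-# seccomp - breaks unprivileged wireshark usage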
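Review bot: In the first hunk `# caps.drop all`, `# noroot` and `# protocol unix,inet,inet6,netlink` are moved inline without the "breaks unprivileged wireshark usage" rationale that the neighbouring nogroups/nonewprivs/seccomp lines carry, so a reader cannot tell whether they are disabled for the same reason or simply never tested. This profile sandboxes a parser of untrusted network traffic with most of its privilege-dropping options off, so each disabled line deserves its own reason, e.g. `# caps.drop all - breaks unprivileged wireshark usage` if that is the case, or a `# TODO: re-test` marker if it is not. If live capture only needs a small set of capabilities, `caps.keep` with just that set may be a narrower alternative to leaving the full bounding set intact, but that needs verifying against how capture is set up on the target distribution rather than assumed.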