author | SkewedZeppelin <8296104+SkewedZeppelin@users.noreply.github.com> | 2018-02-12 22:37:05 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-02-12 22:37:05 -0500 |
commit | 22c9c5c7fd4ca6f8090ede7f4c8859a148db1cce (patch) | |
tree | 20ff230c2d28d311441c83c7d5cca910f130b287 /etc | |
parent | update various application blacklists (diff) | |
parent | Further unify private-etc in Firefox-based browsers (diff) | |
Merge pull request #1774 from SkewedZeppelin/1773
Unify all Chromium and Firefox based browser profiles
Diffstat (limited to 'etc')
-rw-r--r-- | etc/abrowser.profile | 37 | ||||
-rw-r--r-- | etc/bnox.profile | 23 | ||||
-rw-r--r-- | etc/brave.profile | 27 | ||||
-rw-r--r-- | etc/chromium-common.profile | 32 | ||||
-rw-r--r-- | etc/chromium.profile | 24 | ||||
-rw-r--r-- | etc/cliqz.profile | 79 | ||||
-rw-r--r-- | etc/cyberfox.profile | 60 | ||||
-rw-r--r-- | etc/dnox.profile | 23 | ||||
-rw-r--r-- | etc/firefox-common-addons.inc | 51 | ||||
-rw-r--r-- | etc/firefox-common.profile | 44 | ||||
-rw-r--r-- | etc/firefox.profile | 83 | ||||
-rw-r--r-- | etc/flashpeak-slimjet.profile | 26 | ||||
-rw-r--r-- | etc/google-chrome-beta.profile | 23 | ||||
-rw-r--r-- | etc/google-chrome-unstable.profile | 23 | ||||
-rw-r--r-- | etc/google-chrome.profile | 25 | ||||
-rw-r--r-- | etc/icecat.profile | 40 | ||||
-rw-r--r-- | etc/iceweasel.profile | 2 | ||||
-rw-r--r-- | etc/inox.profile | 23 | ||||
-rw-r--r-- | etc/iridium.profile | 24 | ||||
-rw-r--r-- | etc/opera-beta.profile | 17 | ||||
-rw-r--r-- | etc/opera.profile | 16 | ||||
-rw-r--r-- | etc/palemoon.profile | 50 | ||||
-rw-r--r-- | etc/vivaldi.profile | 22 | ||||
-rw-r--r-- | etc/waterfox.profile | 71 | ||||
-rw-r--r-- | etc/yandex-browser.profile | 24 |
25 files changed, 196 insertions, 673 deletions
diff --git a/etc/abrowser.profile b/etc/abrowser.profile index 5c964bad1..d757d6f49 100644 --- a/etc/abrowser.profile +++ b/etc/abrowser.profile | |||
@@ -7,42 +7,15 @@ include /etc/firejail/globals.local | |||
7 | 7 | ||
8 | noblacklist ${HOME}/.cache/mozilla | 8 | noblacklist ${HOME}/.cache/mozilla |
9 | noblacklist ${HOME}/.mozilla | 9 | noblacklist ${HOME}/.mozilla |
10 | noblacklist ${HOME}/.pki | ||
11 | |||
12 | include /etc/firejail/disable-common.inc | ||
13 | include /etc/firejail/disable-devel.inc | ||
14 | include /etc/firejail/disable-programs.inc | ||
15 | 10 | ||
16 | mkdir ${HOME}/.cache/mozilla/abrowser | 11 | mkdir ${HOME}/.cache/mozilla/abrowser |
17 | mkdir ${HOME}/.mozilla | 12 | mkdir ${HOME}/.mozilla |
18 | whitelist ${DOWNLOADS} | ||
19 | whitelist ${HOME}/.cache/gnome-mplayer/plugin | ||
20 | whitelist ${HOME}/.cache/mozilla/abrowser | 13 | whitelist ${HOME}/.cache/mozilla/abrowser |
21 | whitelist ${HOME}/.config/gnome-mplayer | ||
22 | whitelist ${HOME}/.config/pipelight-silverlight5.1 | ||
23 | whitelist ${HOME}/.config/pipelight-widevine | ||
24 | whitelist ${HOME}/.keysnail.js | ||
25 | whitelist ${HOME}/.lastpass | ||
26 | whitelist ${HOME}/.mozilla | 14 | whitelist ${HOME}/.mozilla |
27 | whitelist ${HOME}/.pentadactyl | ||
28 | whitelist ${HOME}/.pentadactylrc | ||
29 | whitelist ${HOME}/.pki | ||
30 | whitelist ${HOME}/.vimperator | ||
31 | whitelist ${HOME}/.vimperatorrc | ||
32 | whitelist ${HOME}/.wine-pipelight | ||
33 | whitelist ${HOME}/.wine-pipelight64 | ||
34 | whitelist ${HOME}/.zotero | ||
35 | whitelist ${HOME}/dwhelper | ||
36 | include /etc/firejail/whitelist-common.inc | ||
37 | 15 | ||
38 | caps.drop all | 16 | # private-etc must first be enabled in firefox-common.profile |
39 | netfilter | 17 | #private-etc abrowser |
40 | nodvd | 18 | |
41 | nonewprivs | ||
42 | noroot | ||
43 | notv | ||
44 | protocol unix,inet,inet6,netlink | ||
45 | seccomp | ||
46 | tracelog | ||
47 | 19 | ||
48 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | 20 | # Redirect |
21 | include /etc/firejail/firefox-common.profile | ||
diff --git a/etc/bnox.profile b/etc/bnox.profile index 4270755c8..3207a2923 100644 --- a/etc/bnox.profile +++ b/etc/bnox.profile | |||
@@ -7,30 +7,11 @@ include /etc/firejail/globals.local | |||
7 | 7 | ||
8 | noblacklist ${HOME}/.cache/bnox | 8 | noblacklist ${HOME}/.cache/bnox |
9 | noblacklist ${HOME}/.config/bnox | 9 | noblacklist ${HOME}/.config/bnox |
10 | noblacklist ${HOME}/.pki | ||
11 | |||
12 | include /etc/firejail/disable-common.inc | ||
13 | include /etc/firejail/disable-programs.inc | ||
14 | 10 | ||
15 | mkdir ${HOME}/.cache/bnox | 11 | mkdir ${HOME}/.cache/bnox |
16 | mkdir ${HOME}/.config/bnox | 12 | mkdir ${HOME}/.config/bnox |
17 | mkdir ${HOME}/.pki | ||
18 | whitelist ${DOWNLOADS} | ||
19 | whitelist ${HOME}/.cache/bnox | 13 | whitelist ${HOME}/.cache/bnox |
20 | whitelist ${HOME}/.config/bnox | 14 | whitelist ${HOME}/.config/bnox |
21 | whitelist ${HOME}/.pki | ||
22 | include /etc/firejail/whitelist-common.inc | ||
23 | include /etc/firejail/whitelist-var-common.inc | ||
24 | |||
25 | caps.keep sys_chroot,sys_admin | ||
26 | netfilter | ||
27 | nodvd | ||
28 | nogroups | ||
29 | notv | ||
30 | shell none | ||
31 | |||
32 | private-dev | ||
33 | # private-tmp - problems with multiple browser sessions | ||
34 | 15 | ||
35 | noexec ${HOME} | 16 | # Redirect |
36 | noexec /tmp | 17 | include /etc/firejail/chromium-common.profile |
diff --git a/etc/brave.profile b/etc/brave.profile index 668e8a244..f37ac2a05 100644 --- a/etc/brave.profile +++ b/etc/brave.profile | |||
@@ -8,31 +8,10 @@ include /etc/firejail/globals.local | |||
8 | noblacklist ${HOME}/.config/brave | 8 | noblacklist ${HOME}/.config/brave |
9 | # brave uses gpg for built-in password manager | 9 | # brave uses gpg for built-in password manager |
10 | noblacklist ${HOME}/.gnupg | 10 | noblacklist ${HOME}/.gnupg |
11 | noblacklist ${HOME}/.pki | ||
12 | |||
13 | include /etc/firejail/disable-common.inc | ||
14 | include /etc/firejail/disable-devel.inc | ||
15 | include /etc/firejail/disable-programs.inc | ||
16 | 11 | ||
17 | mkdir ${HOME}/.config/brave | 12 | mkdir ${HOME}/.config/brave |
18 | mkdir ${HOME}/.pki | ||
19 | whitelist ${DOWNLOADS} | ||
20 | whitelist ${HOME}/.config/KeePass | ||
21 | whitelist ${HOME}/.config/brave | 13 | whitelist ${HOME}/.config/brave |
22 | whitelist ${HOME}/.config/keepass | 14 | whitelist ${HOME}/.gnupg |
23 | whitelist ${HOME}/.config/lastpass | ||
24 | whitelist ${HOME}/.keepass | ||
25 | whitelist ${HOME}/.lastpass | ||
26 | whitelist ${HOME}/.pki | ||
27 | include /etc/firejail/whitelist-common.inc | ||
28 | |||
29 | # caps.drop all | ||
30 | netfilter | ||
31 | # nonewprivs | ||
32 | # noroot | ||
33 | nodvd | ||
34 | notv | ||
35 | # protocol unix,inet,inet6,netlink | ||
36 | # seccomp | ||
37 | 15 | ||
38 | disable-mnt | 16 | # Redirect |
17 | include /etc/firejail/chromium-common.profile | ||
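Review bot: `whitelist ${HOME}/.gnupg` (new line 14) hands the browser read-write access to the user's entire keyring — private keys, trustdb, agent sockets — while the only justification, line 9, is the built-in password manager. If that feature really needs gpg, a narrower grant (a dedicated GNUPGHOME for the browser, or a read-only bind if it only verifies) would keep a compromised renderer away from unrelated keys; at minimum the exposure should be stated next to the whitelist, e.g. `# NOTE: exposes the full ~/.gnupg keyring (private keys included) to the browser`. Separately, the KeePass/keepass/lastpass whitelists (old lines 20, 22-25) are gone and chromium-common.profile does not carry them, so users of those managers lose access without any note in the profile.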
diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile new file mode 100644 index 000000000..5c5215309 --- /dev/null +++ b/etc/chromium-common.profile | |||
@@ -0,0 +1,32 @@ | |||
1 | # Firejail profile for chromium-common | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/chromium-common.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | noblacklist ${HOME}/.pki | ||
9 | |||
10 | include /etc/firejail/disable-common.inc | ||
11 | include /etc/firejail/disable-devel.inc | ||
12 | include /etc/firejail/disable-programs.inc | ||
13 | |||
14 | mkdir ${HOME}/.pki | ||
15 | whitelist ${DOWNLOADS} | ||
16 | whitelist ${HOME}/.pki | ||
17 | include /etc/firejail/whitelist-common.inc | ||
18 | include /etc/firejail/whitelist-var-common.inc | ||
19 | |||
20 | caps.keep sys_chroot,sys_admin | ||
21 | netfilter | ||
22 | nodvd | ||
23 | nogroups | ||
24 | notv | ||
25 | shell none | ||
26 | |||
27 | disable-mnt | ||
28 | private-dev | ||
29 | # private-tmp - problems with multiple browser sessions | ||
30 | |||
31 | noexec ${HOME} | ||
32 | noexec /tmp | ||
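Review bot: The new template keeps CAP_SYS_ADMIN and CAP_SYS_CHROOT (line 20) and omits `seccomp`, `nonewprivs`, `noroot` and any `protocol` filter, with no comment saying why, even though every Chromium-based profile in this PR now inherits that choice. Presumably this is for Chromium's own namespace/chroot sandbox, but a maintainer reading this file cannot tell intentional from forgotten, and the Firefox counterpart in the same PR carries all four. A short note above line 20 would prevent well-meant "hardening" that silently breaks the browser sandbox, e.g. `# Chromium's internal sandbox needs sys_admin/sys_chroot; seccomp, nonewprivs, noroot and protocol are intentionally absent here - re-test the browser sandbox before adding them.`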
diff --git a/etc/chromium.profile b/etc/chromium.profile index 64d790121..ad9f9af33 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile | |||
@@ -8,34 +8,14 @@ include /etc/firejail/globals.local | |||
8 | noblacklist ${HOME}/.cache/chromium | 8 | noblacklist ${HOME}/.cache/chromium |
9 | noblacklist ${HOME}/.config/chromium | 9 | noblacklist ${HOME}/.config/chromium |
10 | noblacklist ${HOME}/.config/chromium-flags.conf | 10 | noblacklist ${HOME}/.config/chromium-flags.conf |
11 | noblacklist ${HOME}/.pki | ||
12 | |||
13 | include /etc/firejail/disable-common.inc | ||
14 | include /etc/firejail/disable-devel.inc | ||
15 | include /etc/firejail/disable-programs.inc | ||
16 | 11 | ||
17 | mkdir ${HOME}/.cache/chromium | 12 | mkdir ${HOME}/.cache/chromium |
18 | mkdir ${HOME}/.config/chromium | 13 | mkdir ${HOME}/.config/chromium |
19 | mkdir ${HOME}/.pki | ||
20 | whitelist ${DOWNLOADS} | ||
21 | whitelist ${HOME}/.cache/chromium | 14 | whitelist ${HOME}/.cache/chromium |
22 | whitelist ${HOME}/.config/chromium | 15 | whitelist ${HOME}/.config/chromium |
23 | whitelist ${HOME}/.config/chromium-flags.conf | 16 | whitelist ${HOME}/.config/chromium-flags.conf |
24 | whitelist ${HOME}/.pki | ||
25 | include /etc/firejail/whitelist-common.inc | ||
26 | include /etc/firejail/whitelist-var-common.inc | ||
27 | |||
28 | caps.keep sys_chroot,sys_admin | ||
29 | netfilter | ||
30 | nodvd | ||
31 | nogroups | ||
32 | notv | ||
33 | shell none | ||
34 | 17 | ||
35 | disable-mnt | ||
36 | # private-bin chromium,chromium-browser,chromedriver | 18 | # private-bin chromium,chromium-browser,chromedriver |
37 | private-dev | ||
38 | # private-tmp - problems with multiple browser sessions | ||
39 | 19 | ||
40 | noexec ${HOME} | 20 | # Redirect |
41 | noexec /tmp | 21 | include /etc/firejail/chromium-common.profile |
diff --git a/etc/cliqz.profile b/etc/cliqz.profile index 086dfa233..4ff96311d 100644 --- a/etc/cliqz.profile +++ b/etc/cliqz.profile | |||
@@ -7,77 +7,14 @@ include /etc/firejail/globals.local | |||
7 | 7 | ||
8 | noblacklist ${HOME}/.cache/cliqz | 8 | noblacklist ${HOME}/.cache/cliqz |
9 | noblacklist ${HOME}/.config/cliqz | 9 | noblacklist ${HOME}/.config/cliqz |
10 | noblacklist ${HOME}/.config/okularpartrc | ||
11 | noblacklist ${HOME}/.config/okularrc | ||
12 | noblacklist ${HOME}/.config/qpdfview | ||
13 | noblacklist ${HOME}/.kde/share/apps/okular | ||
14 | noblacklist ${HOME}/.kde/share/config/okularpartrc | ||
15 | noblacklist ${HOME}/.kde/share/config/okularrc | ||
16 | noblacklist ${HOME}/.kde4/share/apps/okular | ||
17 | noblacklist ${HOME}/.kde4/share/config/okularpartrc | ||
18 | noblacklist ${HOME}/.kde4/share/config/okularrc | ||
19 | # noblacklist ${HOME}/.local/share/gnome-shell/extensions | ||
20 | noblacklist ${HOME}/.local/share/okular | ||
21 | noblacklist ${HOME}/.local/share/qpdfview | ||
22 | 10 | ||
23 | noblacklist ${HOME}/.pki | 11 | mkdir ${HOME}/.cache/cliqz |
12 | mkdir ${HOME}/.config/cliqz | ||
13 | whitelist ${HOME}/.cache/cliqz | ||
14 | whitelist ${HOME}/.config/cliqz | ||
24 | 15 | ||
25 | include /etc/firejail/disable-common.inc | 16 | # private-etc must first be enabled in firefox-common.profile |
26 | include /etc/firejail/disable-devel.inc | 17 | #private-etc cliqz |
27 | include /etc/firejail/disable-programs.inc | ||
28 | 18 | ||
29 | mkdir ${HOME}/.cache/mozilla/firefox | 19 | # Redirect |
30 | mkdir ${HOME}/.mozilla | 20 | include /etc/firejail/firefox-common.profile |
31 | mkdir ${HOME}/.pki | ||
32 | whitelist ${DOWNLOADS} | ||
33 | whitelist ${HOME}/.cache/gnome-mplayer/plugin | ||
34 | whitelist ${HOME}/.cache/mozilla/firefox | ||
35 | whitelist ${HOME}/.config/gnome-mplayer | ||
36 | whitelist ${HOME}/.config/okularpartrc | ||
37 | whitelist ${HOME}/.config/okularrc | ||
38 | whitelist ${HOME}/.config/pipelight-silverlight5.1 | ||
39 | whitelist ${HOME}/.config/pipelight-widevine | ||
40 | whitelist ${HOME}/.config/qpdfview | ||
41 | whitelist ${HOME}/.kde/share/apps/okular | ||
42 | whitelist ${HOME}/.kde/share/config/okularpartrc | ||
43 | whitelist ${HOME}/.kde/share/config/okularrc | ||
44 | whitelist ${HOME}/.kde4/share/apps/okular | ||
45 | whitelist ${HOME}/.kde4/share/config/okularpartrc | ||
46 | whitelist ${HOME}/.kde4/share/config/okularrc | ||
47 | whitelist ${HOME}/.keysnail.js | ||
48 | whitelist ${HOME}/.lastpass | ||
49 | whitelist ${HOME}/.local/share/gnome-shell/extensions | ||
50 | whitelist ${HOME}/.local/share/okular | ||
51 | whitelist ${HOME}/.local/share/qpdfview | ||
52 | whitelist ${HOME}/.mozilla | ||
53 | whitelist ${HOME}/.pentadactyl | ||
54 | whitelist ${HOME}/.pentadactylrc | ||
55 | whitelist ${HOME}/.pki | ||
56 | whitelist ${HOME}/.vimperator | ||
57 | whitelist ${HOME}/.vimperatorrc | ||
58 | whitelist ${HOME}/.wine-pipelight | ||
59 | whitelist ${HOME}/.wine-pipelight64 | ||
60 | whitelist ${HOME}/.zotero | ||
61 | whitelist ${HOME}/dwhelper | ||
62 | include /etc/firejail/whitelist-common.inc | ||
63 | include /etc/firejail/whitelist-var-common.inc | ||
64 | |||
65 | caps.drop all | ||
66 | netfilter | ||
67 | nodvd | ||
68 | nogroups | ||
69 | nonewprivs | ||
70 | noroot | ||
71 | notv | ||
72 | protocol unix,inet,inet6,netlink | ||
73 | seccomp | ||
74 | shell none | ||
75 | tracelog | ||
76 | |||
77 | # private-bin firefox,which,sh,dbus-launch,dbus-send,env | ||
78 | private-dev | ||
79 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse | ||
80 | private-tmp | ||
81 | |||
82 | noexec ${HOME} | ||
83 | noexec /tmp | ||
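Review bot: The whitelisted profile location changes from `${HOME}/.mozilla` and `${HOME}/.cache/mozilla/firefox` (old lines 29-34, 52) to `${HOME}/.config/cliqz` and `${HOME}/.cache/cliqz` (new lines 11-14), and nothing in the commit says which path the Cliqz build actually writes to. With whitelist-common.inc in effect the rest of $HOME is a tmpfs, so a wrong path does not fail loudly: the browser starts with an empty profile and its writes vanish on exit. Worth confirming against an installed Cliqz before merging, and recording the verified path in a comment such as `# Cliqz keeps its profile under ~/.config/cliqz (checked against an installed build)`.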
diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile index 66cd27461..ce51906ba 100644 --- a/etc/cyberfox.profile +++ b/etc/cyberfox.profile | |||
@@ -7,67 +7,15 @@ include /etc/firejail/globals.local | |||
7 | 7 | ||
8 | noblacklist ${HOME}/.8pecxstudios | 8 | noblacklist ${HOME}/.8pecxstudios |
9 | noblacklist ${HOME}/.cache/8pecxstudios | 9 | noblacklist ${HOME}/.cache/8pecxstudios |
10 | noblacklist ${HOME}/.config/okularpartrc | ||
11 | noblacklist ${HOME}/.config/okularrc | ||
12 | noblacklist ${HOME}/.config/qpdfview | ||
13 | noblacklist ${HOME}/.kde/share/apps/okular | ||
14 | noblacklist ${HOME}/.kde4/share/apps/okular | ||
15 | noblacklist ${HOME}/.local/share/okular | ||
16 | noblacklist ${HOME}/.local/share/qpdfview | ||
17 | noblacklist ${HOME}/.pki | ||
18 | |||
19 | include /etc/firejail/disable-common.inc | ||
20 | include /etc/firejail/disable-devel.inc | ||
21 | include /etc/firejail/disable-programs.inc | ||
22 | 10 | ||
23 | mkdir ${HOME}/.8pecxstudios | 11 | mkdir ${HOME}/.8pecxstudios |
24 | mkdir ${HOME}/.cache/8pecxstudios | 12 | mkdir ${HOME}/.cache/8pecxstudios |
25 | mkdir ${HOME}/.pki | ||
26 | whitelist ${DOWNLOADS} | ||
27 | whitelist ${HOME}/.8pecxstudios | 13 | whitelist ${HOME}/.8pecxstudios |
28 | whitelist ${HOME}/.cache/8pecxstudios | 14 | whitelist ${HOME}/.cache/8pecxstudios |
29 | whitelist ${HOME}/.cache/gnome-mplayer/plugin | ||
30 | whitelist ${HOME}/.config/gnome-mplayer | ||
31 | whitelist ${HOME}/.config/okularpartrc | ||
32 | whitelist ${HOME}/.config/okularrc | ||
33 | whitelist ${HOME}/.config/pipelight-silverlight5.1 | ||
34 | whitelist ${HOME}/.config/pipelight-widevine | ||
35 | whitelist ${HOME}/.config/qpdfview | ||
36 | whitelist ${HOME}/.kde/share/apps/okular | ||
37 | whitelist ${HOME}/.kde4/share/apps/okular | ||
38 | whitelist ${HOME}/.keysnail.js | ||
39 | whitelist ${HOME}/.lastpass | ||
40 | whitelist ${HOME}/.local/share/okular | ||
41 | whitelist ${HOME}/.local/share/qpdfview | ||
42 | whitelist ${HOME}/.pentadactyl | ||
43 | whitelist ${HOME}/.pentadactylrc | ||
44 | whitelist ${HOME}/.pki | ||
45 | whitelist ${HOME}/.vimperator | ||
46 | whitelist ${HOME}/.vimperatorrc | ||
47 | whitelist ${HOME}/.wine-pipelight | ||
48 | whitelist ${HOME}/.wine-pipelight64 | ||
49 | whitelist ${HOME}/.zotero | ||
50 | whitelist ${HOME}/dwhelper | ||
51 | include /etc/firejail/whitelist-common.inc | ||
52 | |||
53 | caps.drop all | ||
54 | netfilter | ||
55 | nodvd | ||
56 | nogroups | ||
57 | nonewprivs | ||
58 | noroot | ||
59 | notv | ||
60 | protocol unix,inet,inet6,netlink | ||
61 | seccomp | ||
62 | shell none | ||
63 | tracelog | ||
64 | 15 | ||
65 | disable-mnt | ||
66 | # private-bin cyberfox,which,sh,dbus-launch,dbus-send,env | 16 | # private-bin cyberfox,which,sh,dbus-launch,dbus-send,env |
67 | private-dev | 17 | # private-etc must first be enabled in firefox-common.profile |
68 | private-dev | 18 | #private-etc cyberfox |
69 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,cyberfox,mime.types,mailcap,asound.conf,pulse | ||
70 | private-tmp | ||
71 | 19 | ||
72 | noexec ${HOME} | 20 | # Redirect |
73 | noexec /tmp | 21 | include /etc/firejail/firefox-common.profile |
diff --git a/etc/dnox.profile b/etc/dnox.profile index d6626c048..505884ca6 100644 --- a/etc/dnox.profile +++ b/etc/dnox.profile | |||
@@ -7,30 +7,11 @@ include /etc/firejail/globals.local | |||
7 | 7 | ||
8 | noblacklist ${HOME}/.cache/dnox | 8 | noblacklist ${HOME}/.cache/dnox |
9 | noblacklist ${HOME}/.config/dnox | 9 | noblacklist ${HOME}/.config/dnox |
10 | noblacklist ${HOME}/.pki | ||
11 | |||
12 | include /etc/firejail/disable-common.inc | ||
13 | include /etc/firejail/disable-programs.inc | ||
14 | 10 | ||
15 | mkdir ${HOME}/.cache/dnox | 11 | mkdir ${HOME}/.cache/dnox |
16 | mkdir ${HOME}/.config/dnox | 12 | mkdir ${HOME}/.config/dnox |
17 | mkdir ${HOME}/.pki | ||
18 | whitelist ${DOWNLOADS} | ||
19 | whitelist ${HOME}/.cache/dnox | 13 | whitelist ${HOME}/.cache/dnox |
20 | whitelist ${HOME}/.config/dnox | 14 | whitelist ${HOME}/.config/dnox |
21 | whitelist ${HOME}/.pki | ||
22 | include /etc/firejail/whitelist-common.inc | ||
23 | include /etc/firejail/whitelist-var-common.inc | ||
24 | |||
25 | caps.keep sys_chroot,sys_admin | ||
26 | netfilter | ||
27 | nodvd | ||
28 | nogroups | ||
29 | notv | ||
30 | shell none | ||
31 | |||
32 | private-dev | ||
33 | # private-tmp - problems with multiple browser sessions | ||
34 | 15 | ||
35 | noexec ${HOME} | 16 | # Redirect |
36 | noexec /tmp | 17 | include /etc/firejail/chromium-common.profile |
diff --git a/etc/firefox-common-addons.inc b/etc/firefox-common-addons.inc new file mode 100644 index 000000000..b480aae18 --- /dev/null +++ b/etc/firefox-common-addons.inc | |||
@@ -0,0 +1,51 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/firefox-common-addons.local | ||
4 | |||
5 | noblacklist ${HOME}/.config/okularpartrc | ||
6 | noblacklist ${HOME}/.config/okularrc | ||
7 | noblacklist ${HOME}/.config/qpdfview | ||
8 | noblacklist ${HOME}/.kde/share/apps/kget | ||
9 | noblacklist ${HOME}/.kde/share/apps/okular | ||
10 | noblacklist ${HOME}/.kde/share/config/kgetrc | ||
11 | noblacklist ${HOME}/.kde/share/config/okularpartrc | ||
12 | noblacklist ${HOME}/.kde/share/config/okularrc | ||
13 | noblacklist ${HOME}/.kde4/share/apps/kget | ||
14 | noblacklist ${HOME}/.kde4/share/apps/okular | ||
15 | noblacklist ${HOME}/.kde4/share/config/kgetrc | ||
16 | noblacklist ${HOME}/.kde4/share/config/okularpartrc | ||
17 | noblacklist ${HOME}/.kde4/share/config/okularrc | ||
18 | # noblacklist ${HOME}/.local/share/gnome-shell/extensions | ||
19 | noblacklist ${HOME}/.local/share/okular | ||
20 | noblacklist ${HOME}/.local/share/qpdfview | ||
21 | |||
22 | whitelist ${HOME}/.cache/gnome-mplayer/plugin | ||
23 | whitelist ${HOME}/.config/gnome-mplayer | ||
24 | whitelist ${HOME}/.config/okularpartrc | ||
25 | whitelist ${HOME}/.config/okularrc | ||
26 | whitelist ${HOME}/.config/pipelight-silverlight5.1 | ||
27 | whitelist ${HOME}/.config/pipelight-widevine | ||
28 | whitelist ${HOME}/.config/qpdfview | ||
29 | whitelist ${HOME}/.kde/share/apps/kget | ||
30 | whitelist ${HOME}/.kde/share/apps/okular | ||
31 | whitelist ${HOME}/.kde/share/config/kgetrc | ||
32 | whitelist ${HOME}/.kde/share/config/okularpartrc | ||
33 | whitelist ${HOME}/.kde/share/config/okularrc | ||
34 | whitelist ${HOME}/.kde4/share/apps/kget | ||
35 | whitelist ${HOME}/.kde4/share/apps/okular | ||
36 | whitelist ${HOME}/.kde4/share/config/kgetrc | ||
37 | whitelist ${HOME}/.kde4/share/config/okularpartrc | ||
38 | whitelist ${HOME}/.kde4/share/config/okularrc | ||
39 | whitelist ${HOME}/.keysnail.js | ||
40 | whitelist ${HOME}/.lastpass | ||
41 | whitelist ${HOME}/.local/share/gnome-shell/extensions | ||
42 | whitelist ${HOME}/.local/share/okular | ||
43 | whitelist ${HOME}/.local/share/qpdfview | ||
44 | whitelist ${HOME}/.pentadactyl | ||
45 | whitelist ${HOME}/.pentadactylrc | ||
46 | whitelist ${HOME}/.vimperator | ||
47 | whitelist ${HOME}/.vimperatorrc | ||
48 | whitelist ${HOME}/.wine-pipelight | ||
49 | whitelist ${HOME}/.wine-pipelight64 | ||
50 | whitelist ${HOME}/.zotero | ||
51 | whitelist ${HOME}/dwhelper | ||
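Review bot: `whitelist ${HOME}/.local/share/gnome-shell/extensions` (line 41) is active while its matching `noblacklist` (line 18) is left commented out, so the two lines disagree about whether the browser should reach that directory. It holds JavaScript that gnome-shell executes outside the jail with the user's full privileges, so a writable whitelist is effectively a sandbox-escape path (presumably wanted for the GNOME Shell integration connector); if a disable-*.inc file blacklists the path the whitelist is inert and merely misleading, and if none does, the browser gains write access to shell code. I would keep both lines commented and document the trade-off: `# Whitelisting gnome-shell/extensions lets the browser write code that gnome-shell runs unsandboxed; enable both lines only for the GNOME Shell integration add-on.` The file also bundles password-manager and Wine/pipelight state (`.lastpass`, `.wine-pipelight*`) into one opt-in, so a header sentence pointing users at firefox-common.local for selective whitelisting would help.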
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile new file mode 100644 index 000000000..0c4271edc --- /dev/null +++ b/etc/firefox-common.profile | |||
@@ -0,0 +1,44 @@ | |||
1 | # Firejail profile for firefox-common | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/firefox-common.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | # uncomment the following line to allow access to common programs/addons/plugins | ||
9 | #include /etc/firejail/firefox-common-addons.inc | ||
10 | |||
11 | noblacklist ${HOME}/.pki | ||
12 | |||
13 | include /etc/firejail/disable-common.inc | ||
14 | include /etc/firejail/disable-devel.inc | ||
15 | include /etc/firejail/disable-programs.inc | ||
16 | |||
17 | mkdir ${HOME}/.pki | ||
18 | whitelist ${DOWNLOADS} | ||
19 | whitelist ${HOME}/.pki | ||
20 | include /etc/firejail/whitelist-common.inc | ||
21 | include /etc/firejail/whitelist-var-common.inc | ||
22 | |||
23 | caps.drop all | ||
24 | # machine-id breaks pulse audio; it should work fine in setups where sound is not required | ||
25 | #machine-id | ||
26 | netfilter | ||
27 | nodvd | ||
28 | nogroups | ||
29 | nonewprivs | ||
30 | noroot | ||
31 | notv | ||
32 | protocol unix,inet,inet6,netlink | ||
33 | seccomp | ||
34 | shell none | ||
35 | tracelog | ||
36 | |||
37 | disable-mnt | ||
38 | private-dev | ||
39 | # private-etc below works fine on most distributions. There are some problems on CentOS. | ||
40 | #private-etc ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies | ||
41 | private-tmp | ||
42 | |||
43 | noexec ${HOME} | ||
44 | noexec /tmp | ||
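Review bot: The commented `private-etc` list (line 40) no longer contains the browser's own /etc directory (the old firefox.profile list carried `firefox` and `iceweasel`), and the scheme meant to add it back — uncomment here, then a `#private-etc <browser>` line in each browser profile — does not compose as written. As far as I can tell firejail treats a second `private-etc` as a replacement rather than a union (confirm against the version in use), and the per-browser line precedes the `include firefox-common.profile` line, so whichever list is parsed last wins in either case. Either fold the per-browser directory in via firefox-common.local, or say in the comment that the per-browser line must repeat the full list, e.g. `# private-etc is not merged across includes: a per-browser private-etc must list everything needed, not just its own directory.`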
diff --git a/etc/firefox.profile b/etc/firefox.profile index 079cb1536..0ab6a6141 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile | |||
@@ -6,90 +6,17 @@ include /etc/firejail/firefox.local | |||
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.cache/mozilla | 8 | noblacklist ${HOME}/.cache/mozilla |
9 | noblacklist ${HOME}/.config/okularpartrc | ||
10 | noblacklist ${HOME}/.config/okularrc | ||
11 | noblacklist ${HOME}/.config/qpdfview | ||
12 | noblacklist ${HOME}/.kde/share/apps/kget | ||
13 | noblacklist ${HOME}/.kde/share/apps/okular | ||
14 | noblacklist ${HOME}/.kde/share/config/kgetrc | ||
15 | noblacklist ${HOME}/.kde/share/config/okularpartrc | ||
16 | noblacklist ${HOME}/.kde/share/config/okularrc | ||
17 | noblacklist ${HOME}/.kde4/share/apps/kget | ||
18 | noblacklist ${HOME}/.kde4/share/apps/okular | ||
19 | noblacklist ${HOME}/.kde4/share/config/kgetrc | ||
20 | noblacklist ${HOME}/.kde4/share/config/okularpartrc | ||
21 | noblacklist ${HOME}/.kde4/share/config/okularrc | ||
22 | # noblacklist ${HOME}/.local/share/gnome-shell/extensions | ||
23 | noblacklist ${HOME}/.local/share/okular | ||
24 | noblacklist ${HOME}/.local/share/qpdfview | ||
25 | noblacklist ${HOME}/.mozilla | 9 | noblacklist ${HOME}/.mozilla |
26 | noblacklist ${HOME}/.pki | ||
27 | |||
28 | include /etc/firejail/disable-common.inc | ||
29 | include /etc/firejail/disable-devel.inc | ||
30 | include /etc/firejail/disable-programs.inc | ||
31 | 10 | ||
32 | mkdir ${HOME}/.cache/mozilla/firefox | 11 | mkdir ${HOME}/.cache/mozilla/firefox |
33 | mkdir ${HOME}/.mozilla | 12 | mkdir ${HOME}/.mozilla |
34 | mkdir ${HOME}/.pki | ||
35 | whitelist ${DOWNLOADS} | ||
36 | whitelist ${HOME}/.cache/gnome-mplayer/plugin | ||
37 | whitelist ${HOME}/.cache/mozilla/firefox | 13 | whitelist ${HOME}/.cache/mozilla/firefox |
38 | whitelist ${HOME}/.config/gnome-mplayer | ||
39 | whitelist ${HOME}/.config/okularpartrc | ||
40 | whitelist ${HOME}/.config/okularrc | ||
41 | whitelist ${HOME}/.config/pipelight-silverlight5.1 | ||
42 | whitelist ${HOME}/.config/pipelight-widevine | ||
43 | whitelist ${HOME}/.config/qpdfview | ||
44 | whitelist ${HOME}/.kde/share/apps/kget | ||
45 | whitelist ${HOME}/.kde/share/apps/okular | ||
46 | whitelist ${HOME}/.kde/share/config/kgetrc | ||
47 | whitelist ${HOME}/.kde/share/config/okularpartrc | ||
48 | whitelist ${HOME}/.kde/share/config/okularrc | ||
49 | whitelist ${HOME}/.kde4/share/apps/kget | ||
50 | whitelist ${HOME}/.kde4/share/apps/okular | ||
51 | whitelist ${HOME}/.kde4/share/config/kgetrc | ||
52 | whitelist ${HOME}/.kde4/share/config/okularpartrc | ||
53 | whitelist ${HOME}/.kde4/share/config/okularrc | ||
54 | whitelist ${HOME}/.keysnail.js | ||
55 | whitelist ${HOME}/.lastpass | ||
56 | whitelist ${HOME}/.local/share/gnome-shell/extensions | ||
57 | whitelist ${HOME}/.local/share/okular | ||
58 | whitelist ${HOME}/.local/share/qpdfview | ||
59 | whitelist ${HOME}/.mozilla | 14 | whitelist ${HOME}/.mozilla |
60 | whitelist ${HOME}/.pentadactyl | ||
61 | whitelist ${HOME}/.pentadactylrc | ||
62 | whitelist ${HOME}/.pki | ||
63 | whitelist ${HOME}/.vimperator | ||
64 | whitelist ${HOME}/.vimperatorrc | ||
65 | whitelist ${HOME}/.wine-pipelight | ||
66 | whitelist ${HOME}/.wine-pipelight64 | ||
67 | whitelist ${HOME}/.zotero | ||
68 | whitelist ${HOME}/dwhelper | ||
69 | include /etc/firejail/whitelist-common.inc | ||
70 | include /etc/firejail/whitelist-var-common.inc | ||
71 | |||
72 | caps.drop all | ||
73 | # machine-id breaks pulse audio; it should work fine in setups where sound is not required | ||
74 | #machine-id | ||
75 | netfilter | ||
76 | nodvd | ||
77 | nogroups | ||
78 | nonewprivs | ||
79 | noroot | ||
80 | notv | ||
81 | protocol unix,inet,inet6,netlink | ||
82 | seccomp | ||
83 | shell none | ||
84 | tracelog | ||
85 | 15 | ||
86 | disable-mnt | ||
87 | # firefox requires a shell to launch on Arch. | 16 | # firefox requires a shell to launch on Arch. |
88 | # private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash | 17 | #private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash |
89 | private-dev | 18 | # private-etc must first be enabled in firefox-common.profile |
90 | # private-etc below works fine on most distributions. There are some problems on CentOS. | 19 | #private-etc firefox |
91 | # private-etc iceweasel,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies | ||
92 | private-tmp | ||
93 | 20 | ||
94 | noexec ${HOME} | 21 | # Redirect |
95 | noexec /tmp | 22 | include /etc/firejail/firefox-common.profile |
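Review bot: `#private-etc firefox` (new line 19) drops `iceweasel` from the list the old line 91 carried; the diffstat shows iceweasel.profile touched by this PR (not in view), presumably to redirect here, in which case Debian's /etc/iceweasel would be hidden once private-etc is enabled. Keeping both, `#private-etc firefox,iceweasel`, costs nothing while the line is commented out.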
diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile index d9be8b9c5..63f9d19a9 100644 --- a/etc/flashpeak-slimjet.profile +++ b/etc/flashpeak-slimjet.profile | |||
@@ -5,35 +5,13 @@ include /etc/firejail/flashpeak-slimjet.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # This is a whitelisted profile, the internal browser sandbox | ||
9 | # is disabled because it requires sudo password. The command | ||
10 | # to run it is as follows: | ||
11 | # firejail flashpeak-slimjet --no-sandbox | ||
12 | |||
13 | noblacklist ${HOME}/.cache/slimjet | 8 | noblacklist ${HOME}/.cache/slimjet |
14 | noblacklist ${HOME}/.config/slimjet | 9 | noblacklist ${HOME}/.config/slimjet |
15 | noblacklist ${HOME}/.pki | ||
16 | |||
17 | include /etc/firejail/disable-common.inc | ||
18 | include /etc/firejail/disable-devel.inc | ||
19 | include /etc/firejail/disable-programs.inc | ||
20 | 10 | ||
21 | mkdir ${HOME}/.cache/slimjet | 11 | mkdir ${HOME}/.cache/slimjet |
22 | mkdir ${HOME}/.config/slimjet | 12 | mkdir ${HOME}/.config/slimjet |
23 | mkdir ${HOME}/.pki | ||
24 | whitelist ${DOWNLOADS} | ||
25 | whitelist ${HOME}/.cache/slimjet | 13 | whitelist ${HOME}/.cache/slimjet |
26 | whitelist ${HOME}/.config/slimjet | 14 | whitelist ${HOME}/.config/slimjet |
27 | whitelist ${HOME}/.pki | ||
28 | include /etc/firejail/whitelist-common.inc | ||
29 | |||
30 | caps.drop all | ||
31 | netfilter | ||
32 | nodvd | ||
33 | nonewprivs | ||
34 | noroot | ||
35 | notv | ||
36 | protocol unix,inet,inet6,netlink | ||
37 | seccomp | ||
38 | 15 | ||
39 | disable-mnt | 16 | # Redirect |
17 | include /etc/firejail/chromium-common.profile | ||
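Review bot: The redirect weakens this jail: the old profile had `caps.drop all`, `nonewprivs`, `noroot`, `protocol unix,inet,inet6,netlink` and `seccomp` (old lines 30-37), and chromium-common.profile replaces them with `caps.keep sys_chroot,sys_admin` and no seccomp filter. The deleted header (old lines 8-11) said the browser's internal sandbox was disabled and it was run with `--no-sandbox`, so a user following that advice now gets CAP_SYS_ADMIN in the jail and no system-call filter with nothing in return. If the intent is that the internal sandbox now works under caps.keep, say so; otherwise restore the comment and re-add the hardening lines before the redirect (they do not conflict with chromium-common), after checking that Slimjet still launches with them.
```conf
# Slimjet's internal sandbox needs its SUID helper; when that is not
# available run:  firejail flashpeak-slimjet --no-sandbox
# … unchanged: noblacklist/mkdir/whitelist lines …
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp

# Redirect
include /etc/firejail/chromium-common.profile
```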
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile index 9c7306b85..ab16558ea 100644 --- a/etc/google-chrome-beta.profile +++ b/etc/google-chrome-beta.profile | |||
@@ -7,30 +7,11 @@ include /etc/firejail/globals.local | |||
7 | 7 | ||
8 | noblacklist ${HOME}/.cache/google-chrome-beta | 8 | noblacklist ${HOME}/.cache/google-chrome-beta |
9 | noblacklist ${HOME}/.config/google-chrome-beta | 9 | noblacklist ${HOME}/.config/google-chrome-beta |
10 | noblacklist ${HOME}/.pki | ||
11 | |||
12 | include /etc/firejail/disable-common.inc | ||
13 | include /etc/firejail/disable-devel.inc | ||
14 | include /etc/firejail/disable-programs.inc | ||
15 | 10 | ||
16 | mkdir ${HOME}/.cache/google-chrome-beta | 11 | mkdir ${HOME}/.cache/google-chrome-beta |
17 | mkdir ${HOME}/.config/google-chrome-beta | 12 | mkdir ${HOME}/.config/google-chrome-beta |
18 | mkdir ${HOME}/.pki | ||
19 | whitelist ${DOWNLOADS} | ||
20 | whitelist ${HOME}/.cache/google-chrome-beta | 13 | whitelist ${HOME}/.cache/google-chrome-beta |
21 | whitelist ${HOME}/.config/google-chrome-beta | 14 | whitelist ${HOME}/.config/google-chrome-beta |
22 | whitelist ${HOME}/.pki | ||
23 | include /etc/firejail/whitelist-common.inc | ||
24 | |||
25 | caps.keep sys_chroot,sys_admin | ||
26 | netfilter | ||
27 | nodvd | ||
28 | nogroups | ||
29 | notv | ||
30 | shell none | ||
31 | |||
32 | private-dev | ||
33 | # private-tmp - problems with multiple browser sessions | ||
34 | 15 | ||
35 | noexec ${HOME} | 16 | # Redirect |
36 | noexec /tmp | 17 | include /etc/firejail/chromium-common.profile |
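--- a/etc/google-chrome-unstable.profile
+++ b/etc/google-chrome-unstable.profile
@@ -7,30 +7,11 @@ include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.cache/google-chrome-unstable
 noblacklist ${HOME}/.config/google-chrome-unstable
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/google-chrome-unstable
 mkdir ${HOME}/.config/google-chrome-unstable
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/google-chrome-unstable
 whitelist ${HOME}/.config/google-chrome-unstable
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-private-dev
-# private-tmp - problems with multiple browser sessions
 
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/chromium-common.profile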
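--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -7,32 +7,11 @@ include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.cache/google-chrome
 noblacklist ${HOME}/.config/google-chrome
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/google-chrome
 mkdir ${HOME}/.config/google-chrome
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/google-chrome
 whitelist ${HOME}/.config/google-chrome
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-disable-mnt
-private-dev
-# private-tmp - problems with multiple browser sessions
 
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/chromium-common.profile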
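Review bot: `disable-mnt` and `include /etc/firejail/whitelist-var-common.inc` (old lines 24 and 33) leave this profile together with the rest of the hardening, and nothing in the hunk shows chromium-common.profile bringing them back; google-chrome-beta and google-chrome-unstable never carried `disable-mnt`, so the shared file either tightens those two or loosens this one. The `${HOME}/.pki` noblacklist/mkdir/whitelist triple goes the same way, and that is presumably what gave the browser its NSS database. Please confirm chromium-common.profile carries `disable-mnt`, the /var whitelist and the `.pki` lines, or keep `disable-mnt` here above the include so google-chrome does not silently regain /mnt, /media and /run/mount.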
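--- a/etc/icecat.profile
+++ b/etc/icecat.profile
@@ -7,46 +7,14 @@ include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/mozilla/icecat
 mkdir ${HOME}/.mozilla
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/gnome-mplayer/plugin
 whitelist ${HOME}/.cache/mozilla/icecat
-whitelist ${HOME}/.config/gnome-mplayer
-whitelist ${HOME}/.config/pipelight-silverlight5.1
-whitelist ${HOME}/.config/pipelight-widevine
-whitelist ${HOME}/.keysnail.js
-whitelist ${HOME}/.lastpass
 whitelist ${HOME}/.mozilla
-whitelist ${HOME}/.pentadactyl
-whitelist ${HOME}/.pentadactylrc
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.vimperator
-whitelist ${HOME}/.vimperatorrc
-whitelist ${HOME}/.wine-pipelight
-whitelist ${HOME}/.wine-pipelight64
-whitelist ${HOME}/.zotero
-whitelist ${HOME}/dwhelper
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-tracelog
 
-disable-mnt
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+# private-etc must first be enabled in firefox-common.profile
+#private-etc icecat
 
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/firefox-common.profile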
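Review bot: The new `#private-etc icecat` (line 17) sits above the include of firefox-common.profile, so what happens when a user uncomments it depends on whether this firejail build merges repeated `private-etc` lists or lets the last directive win. In the last-wins case the common profile's list would silently replace this one, and with the common line still commented a lone `private-etc icecat` would mount an /etc holding only icecat/ — no passwd, hosts or resolv.conf — which is a confusing failure rather than a safe one. Suggest making the comment state the contract, e.g. `# private-etc lists are merged with the one in firefox-common.profile; enable it there first`, and confirming the merge behaviour before the common line is enabled.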
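--- a/etc/iceweasel.profile
+++ b/etc/iceweasel.profile
@@ -5,6 +5,8 @@ include /etc/firejail/iceweasel.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# private-etc must first be enabled in firefox-common.profile
+#private-etc iceweasel
 
 # Redirect
 include /etc/firejail/firefox.profile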
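--- a/etc/inox.profile
+++ b/etc/inox.profile
@@ -7,30 +7,11 @@ include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.cache/inox
 noblacklist ${HOME}/.config/inox
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/inox
 mkdir ${HOME}/.config/inox
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/inox
 whitelist ${HOME}/.config/inox
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-private-dev
-# private-tmp - problems with multiple browser sessions
 
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/chromium-common.profile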
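Review bot: The old profile included only disable-common.inc and disable-programs.inc (lines 12-13) and, unlike the google-chrome profiles in this same commit, left disable-devel.inc out; the redirect erases that difference, so whatever chromium-common.profile includes now applies to inox too. If the omission was deliberate (the iridium profile in this commit documents a perl launcher on Arch, and inox may have the same issue) it should survive as a targeted `noblacklist` for the specific interpreter above the include rather than as a silent change; if it was an oversight, a one-line comment saying disable-devel.inc is now inherited would stop the next reader from wondering.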
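--- a/etc/iridium.profile
+++ b/etc/iridium.profile
@@ -8,30 +8,10 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/iridium
 noblacklist ${HOME}/.config/iridium
 
-include /etc/firejail/disable-common.inc
-# chromium/iridium is distributed with a perl script on Arch
-# include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
 mkdir ${HOME}/.cache/iridium
 mkdir ${HOME}/.config/iridium
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/iridium
 whitelist ${HOME}/.config/iridium
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-private-dev
-# private-tmp - problems with multiple browser sessions
 
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/chromium-common.profile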
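Review bot: Removed lines 12-13 deliberately skipped disable-devel.inc because the Arch iridium package launches through a perl script, and that exception is lost once the profile defers to chromium-common.profile; if the shared file includes disable-devel.inc (as the old google-chrome profiles did), the perl interpreter will presumably be blacklisted and the Arch launcher will fail inside the sandbox. If so, keep the exception local and narrow with `# Arch ships iridium with a perl launcher script` and `noblacklist /usr/bin/perl` placed above the include — that reopens only the interpreter instead of the whole devel set the old profile left exposed. Either way the reason deserves to stay written down so the next unification does not re-break it.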
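--- a/etc/opera-beta.profile
+++ b/etc/opera-beta.profile
@@ -5,24 +5,13 @@ include /etc/firejail/opera-beta.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ${HOME}/.cache/opera
 noblacklist ${HOME}/.config/opera-beta
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/opera
 mkdir ${HOME}/.config/opera-beta
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/opera
 whitelist ${HOME}/.config/opera-beta
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-
-netfilter
-nodvd
-notv
 
-disable-mnt
+# Redirect
+include /etc/firejail/chromium-common.profile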
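--- a/etc/opera.profile
+++ b/etc/opera.profile
@@ -8,25 +8,13 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/opera
 noblacklist ${HOME}/.config/opera
 noblacklist ${HOME}/.opera
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/opera
 mkdir ${HOME}/.config/opera
 mkdir ${HOME}/.opera
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/opera
 whitelist ${HOME}/.config/opera
 whitelist ${HOME}/.opera
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-
-netfilter
-nodvd
-notv
 
-disable-mnt
+# Redirect
+include /etc/firejail/chromium-common.profile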
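--- a/etc/palemoon.profile
+++ b/etc/palemoon.profile
@@ -8,53 +8,15 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/moonchild productions/pale moon
 noblacklist ${HOME}/.moonchild productions/pale moon
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-# These are uncommented in the Firefox profile. If you run into trouble you may
-# want to uncomment (some of) them.
-#whitelist ${HOME}/dwhelper
-#whitelist ${HOME}/.zotero
-#whitelist ${HOME}/.vimperatorrc
-#whitelist ${HOME}/.vimperator
-#whitelist ${HOME}/.pentadactylrc
-#whitelist ${HOME}/.pentadactyl
-#whitelist ${HOME}/.keysnail.js
-#whitelist ${HOME}/.config/gnome-mplayer
-#whitelist ${HOME}/.cache/gnome-mplayer/plugin
-#whitelist ${HOME}/.pki
-#whitelist ${HOME}/.lastpass
-
-# For silverlight
-#whitelist ${HOME}/.wine-pipelight
-#whitelist ${HOME}/.wine-pipelight64
-#whitelist ${HOME}/.config/pipelight-widevine
-#whitelist ${HOME}/.config/pipelight-silverlight5.1
-
 mkdir ${HOME}/.cache/moonchild productions/pale moon
 mkdir ${HOME}/.moonchild productions
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/moonchild productions/pale moon
 whitelist ${HOME}/.moonchild productions
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
 
-# private-bin palemoon
-# private-dev (disabled for now as it will interfere with webcam use in palemoon)
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
-# private-opt palemoon
-private-tmp
+#private-bin palemoon
+# private-etc must first be enabled in firefox-common.profile
+#private-etc palemoon
+#private-opt palemoon
 
-disable-mnt
+# Redirect
+include /etc/firejail/firefox-common.profile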
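Review bot: Two things that were live in the old profile leave without a counterpart in this file: `private-tmp` (old line 58) and the note that `private-dev` was kept off because it breaks webcam use in Pale Moon (old line 55). Pale Moon now gets exactly what firefox-common.profile sets, which is not visible in this hunk; if that file turns on `private-dev` the webcam regression the removed comment warned about comes back, and if it leaves `private-tmp` off Pale Moon loses the /tmp isolation it had. Suggest keeping `# private-dev disabled: interferes with webcam use in palemoon` here as a visible constraint on the common profile, and re-adding `private-tmp` above the include if the common file does not set it.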
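--- a/etc/vivaldi.profile
+++ b/etc/vivaldi.profile
@@ -8,28 +8,10 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/vivaldi
 noblacklist ${HOME}/.config/vivaldi
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
 mkdir ${HOME}/.cache/vivaldi
 mkdir ${HOME}/.config/vivaldi
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/vivaldi
 whitelist ${HOME}/.config/vivaldi
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-disable-mnt
-private-dev
-# private-tmp - problems with multiple browser sessions
 
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/chromium-common.profile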
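--- a/etc/waterfox.profile
+++ b/etc/waterfox.profile
@@ -7,83 +7,22 @@ include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.cache/waterfox
-noblacklist ${HOME}/.config/okularpartrc
-noblacklist ${HOME}/.config/okularrc
-noblacklist ${HOME}/.config/qpdfview
-noblacklist ${HOME}/.kde/share/apps/okular
-noblacklist ${HOME}/.kde/share/config/okularpartrc
-noblacklist ${HOME}/.kde/share/config/okularrc
-noblacklist ${HOME}/.kde4/share/apps/okular
-noblacklist ${HOME}/.kde4/share/config/okularpartrc
-noblacklist ${HOME}/.kde4/share/config/okularrc
-# noblacklist ${HOME}/.local/share/gnome-shell/extensions
-noblacklist ${HOME}/.local/share/okular
-noblacklist ${HOME}/.local/share/qpdfview
 noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.waterfox
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/mozilla/firefox
 mkdir ${HOME}/.mozilla
 mkdir ${HOME}/.cache/waterfox
 mkdir ${HOME}/.waterfox
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/gnome-mplayer/plugin
 whitelist ${HOME}/.cache/mozilla/firefox
 whitelist ${HOME}/.cache/waterfox
-whitelist ${HOME}/.config/gnome-mplayer
-whitelist ${HOME}/.config/okularpartrc
-whitelist ${HOME}/.config/okularrc
-whitelist ${HOME}/.config/pipelight-silverlight5.1
-whitelist ${HOME}/.config/pipelight-widevine
-whitelist ${HOME}/.config/qpdfview
-whitelist ${HOME}/.kde/share/apps/okular
-whitelist ${HOME}/.kde/share/config/okularpartrc
-whitelist ${HOME}/.kde/share/config/okularrc
-whitelist ${HOME}/.kde4/share/apps/okular
-whitelist ${HOME}/.kde4/share/config/okularpartrc
-whitelist ${HOME}/.kde4/share/config/okularrc
-whitelist ${HOME}/.keysnail.js
-whitelist ${HOME}/.lastpass
-whitelist ${HOME}/.local/share/gnome-shell/extensions
-whitelist ${HOME}/.local/share/okular
-whitelist ${HOME}/.local/share/qpdfview
 whitelist ${HOME}/.mozilla
 whitelist ${HOME}/.waterfox
-whitelist ${HOME}/.pentadactyl
-whitelist ${HOME}/.pentadactylrc
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.vimperator
-whitelist ${HOME}/.vimperatorrc
-whitelist ${HOME}/.wine-pipelight
-whitelist ${HOME}/.wine-pipelight64
-whitelist ${HOME}/.zotero
-whitelist ${HOME}/dwhelper
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
 
 # waterfox requires a shell to launch on Arch. We can possibly remove sh though.
-# private-bin waterfox,which,sh,dbus-launch,dbus-send,env,bash
-private-dev
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,waterfox,mime.types,mailcap,asound.conf,pulse
-private-tmp
+#private-bin waterfox,which,sh,dbus-launch,dbus-send,env,bash
+# private-etc must first be enabled in firefox-common.profile
+#private-etc waterfox
 
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/firefox-common.profile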
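Review bot: `private-dev` and `private-tmp` (old lines 84 and 86) were active in this profile and are dropped with nothing in the file replacing them; `caps.drop all`, seccomp and the `noexec` pair are presumably carried by firefox-common.profile, but for a profile that had its own device and /tmp isolation it is worth stating which of those the common file keeps, since a per-browser profile cannot re-enable what the common one omits except by repeating the line. The okular/qpdfview noblacklist and whitelist set is gone too; if it moved into firefox-common-addons.inc (listed in the diffstat) that is fine, otherwise handing PDFs from Waterfox to those viewers loses their config. A one-line pointer such as `# caps, seccomp, noexec, private-dev and private-tmp are set in firefox-common.profile` above the include would make the inheritance auditable from this file alone.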
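--- a/etc/yandex-browser.profile
+++ b/etc/yandex-browser.profile
@@ -9,35 +9,15 @@ noblacklist ${HOME}/.cache/yandex-browser
 noblacklist ${HOME}/.cache/yandex-browser-beta
 noblacklist ${HOME}/.config/yandex-browser
 noblacklist ${HOME}/.config/yandex-browser-beta
-noblacklist ${HOME}/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 
 mkdir ${HOME}/.cache/yandex-browser
 mkdir ${HOME}/.cache/yandex-browser-beta
 mkdir ${HOME}/.config/yandex-browser
 mkdir ${HOME}/.config/yandex-browser-beta
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/yandex-browser
 whitelist ${HOME}/.cache/yandex-browser-beta
 whitelist ${HOME}/.config/yandex-browser
 whitelist ${HOME}/.config/yandex-browser-beta
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-disable-mnt
-private-dev
-# private-tmp - problems with multiple browser sessions
 
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/chromium-common.profile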