Merge branch 'master' of github.com:netblue30/firejail

author: rusty-snake <print_hello_world+Public@protonmail.com> 2019-06-02 13:17:29 +0200
committer: rusty-snake <print_hello_world+Public@protonmail.com> 2019-06-02 13:17:29 +0200
commit: 1dc73328142faad4cce15778878d34a14f16c435 (patch)
tree: 83349cdfc799a65a572f152eaf53320364d45a45 /etc
parent: Add profiles for klatexformula, klatexformula_cmdl (diff)
parent: Add profile for links and xlinks (#2734) (diff)
download: firejail-1dc73328142faad4cce15778878d34a14f16c435.tar.gz
firejail-1dc73328142faad4cce15778878d34a14f16c435.tar.zst
firejail-1dc73328142faad4cce15778878d34a14f16c435.zip
3 files changed, 83 insertions, 0 deletions
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 1c3ff7840..c8e85cf1f 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -432,6 +432,7 @@ blacklist ${HOME}/.kodi
 blacklist ${HOME}/.lincity-ng
 blacklist ${HOME}/.linphone-history.db
 blacklist ${HOME}/.linphonerc
+blacklist ${HOME}/.links
 blacklist ${HOME}/.lmmsrc.xml
 blacklist ${HOME}/.local/lib/vivaldi
 blacklist ${HOME}/.local/share/0ad
diff --git a/etc/links.profile b/etc/links.profile
new file mode 100644
index 000000000..99b445fe0
--- /dev/null
+++ b/etc/links.profile
@@ -0,0 +1,64 @@
+# Firejail profile for links
+# Description: Text WWW browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include links.local
+# Persistent global definitions
+include globals.local
+blacklist /tmp/.X11-unix
+noblacklist ${HOME}/.links
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# you may want to noblacklist files/directories blacklisted in
+# disable-programs.inc and used as associated programs
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.links
+whitelist ${HOME}/.links
+whitelist ${DOWNLOADS}
+include whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+# comment machine-id (or put 'ignore machine-id' in your links.local) if you want
+# to allow access only to user-configured associated media player
+machine-id
+netfilter
+# comment no3d (or put 'ignore no3d' in your links.local) if you want
+# to allow access only to user-configured associated media player
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+# comment nosound (or put 'ignore nosound' in your links.local) if you want
+# to allow access only to user-configured associated media player
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' to your links.local
+# or append 'PROGRAM1,PROGRAM2' to this private-bin line
+private-bin links,sh
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+# Uncomment the following line (or put it in your links.local) allow external
+# media players
+# private-etc alsa,asound.conf,machine-id,openal,pulse
+private-tmp
+memory-deny-write-execute
diff --git a/etc/xlinks.profile b/etc/xlinks.profile
new file mode 100644
index 000000000..775d6f8ed
--- /dev/null
+++ b/etc/xlinks.profile
@@ -0,0 +1,18 @@
+# Firejail profile for xlinks
+# Description: Text WWW browser (X11)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xlinks.local
+noblacklist /tmp/.X11-unix
+noblacklist ${HOME}/.links
+include whitelist-common.inc
+# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2'
+# to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line
+private-bin xlinks
+private-etc fonts
+# Redirect
+include links.profile
+\ No newline at end of file
author	rusty-snake <print_hello_world+Public@protonmail.com>	2019-06-02 13:17:29 +0200
committer	rusty-snake <print_hello_world+Public@protonmail.com>	2019-06-02 13:17:29 +0200
commit	1dc73328142faad4cce15778878d34a14f16c435 (patch)
tree	83349cdfc799a65a572f152eaf53320364d45a45 /etc
parent	Add profiles for klatexformula, klatexformula_cmdl (diff)
parent	Add profile for links and xlinks (#2734) (diff)
download	firejail-1dc73328142faad4cce15778878d34a14f16c435.tar.gz firejail-1dc73328142faad4cce15778878d34a14f16c435.tar.zst firejail-1dc73328142faad4cce15778878d34a14f16c435.zip

diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 1c3ff7840..c8e85cf1f 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc
@@ -432,6 +432,7 @@ blacklist ${HOME}/.kodi
432	blacklist ${HOME}/.lincity-ng	432	blacklist ${HOME}/.lincity-ng
433	blacklist ${HOME}/.linphone-history.db	433	blacklist ${HOME}/.linphone-history.db
434	blacklist ${HOME}/.linphonerc	434	blacklist ${HOME}/.linphonerc
		435	blacklist ${HOME}/.links
435	blacklist ${HOME}/.lmmsrc.xml	436	blacklist ${HOME}/.lmmsrc.xml
436	blacklist ${HOME}/.local/lib/vivaldi	437	blacklist ${HOME}/.local/lib/vivaldi
437	blacklist ${HOME}/.local/share/0ad	438	blacklist ${HOME}/.local/share/0ad


diff --git a/etc/links.profile b/etc/links.profile new file mode 100644 index 000000000..99b445fe0 --- /dev/null +++ b/etc/links.profile
@@ -0,0 +1,64 @@
		1	# Firejail profile for links
		2	# Description: Text WWW browser
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include links.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	blacklist /tmp/.X11-unix
		10
		11	noblacklist ${HOME}/.links
		12
		13	include disable-common.inc
		14	include disable-devel.inc
		15	include disable-exec.inc
		16	include disable-interpreters.inc
		17	include disable-passwdmgr.inc
		18	# you may want to noblacklist files/directories blacklisted in
		19	# disable-programs.inc and used as associated programs
		20	include disable-programs.inc
		21	include disable-xdg.inc
		22
		23	mkdir ${HOME}/.links
		24	whitelist ${HOME}/.links
		25	whitelist ${DOWNLOADS}
		26	include whitelist-var-common.inc
		27
		28	caps.drop all
		29	ipc-namespace
		30	# comment machine-id (or put 'ignore machine-id' in your links.local) if you want
		31	# to allow access only to user-configured associated media player
		32	machine-id
		33	netfilter
		34	# comment no3d (or put 'ignore no3d' in your links.local) if you want
		35	# to allow access only to user-configured associated media player
		36	no3d
		37	nodvd
		38	nogroups
		39	nonewprivs
		40	noroot
		41	# comment nosound (or put 'ignore nosound' in your links.local) if you want
		42	# to allow access only to user-configured associated media player
		43	nosound
		44	notv
		45	nou2f
		46	novideo
		47	protocol unix,inet,inet6
		48	seccomp
		49	shell none
		50	tracelog
		51
		52	disable-mnt
		53	# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' to your links.local
		54	# or append 'PROGRAM1,PROGRAM2' to this private-bin line
		55	private-bin links,sh
		56	private-cache
		57	private-dev
		58	private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
		59	# Uncomment the following line (or put it in your links.local) allow external
		60	# media players
		61	# private-etc alsa,asound.conf,machine-id,openal,pulse
		62	private-tmp
		63
		64	memory-deny-write-execute


diff --git a/etc/xlinks.profile b/etc/xlinks.profile new file mode 100644 index 000000000..775d6f8ed --- /dev/null +++ b/etc/xlinks.profile
@@ -0,0 +1,18 @@
		1	# Firejail profile for xlinks
		2	# Description: Text WWW browser (X11)
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include xlinks.local
		6
		7	noblacklist /tmp/.X11-unix
		8	noblacklist ${HOME}/.links
		9
		10	include whitelist-common.inc
		11
		12	# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2'
		13	# to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line
		14	private-bin xlinks
		15	private-etc fonts
		16
		17	# Redirect
		18	include links.profile \ No newline at end of file