Unify last 8 profiles

author: Tad <tad@spotco.us> 2017-08-07 14:24:51 -0400
committer: Tad <tad@spotco.us> 2017-08-07 14:29:40 -0400
commit: 39dc3c893b5d895ed9db9071dd47b3de7b28f2fd (patch)
tree: b76dbe39efe41bded67e3fe95d030b277d4a0236 /etc
parent: Fix comments in 88 profiles (diff)
download: firejail-39dc3c893b5d895ed9db9071dd47b3de7b28f2fd.tar.gz
firejail-39dc3c893b5d895ed9db9071dd47b3de7b28f2fd.tar.zst
firejail-39dc3c893b5d895ed9db9071dd47b3de7b28f2fd.zip
9 files changed, 141 insertions, 134 deletions
diff --git a/etc/Xephyr.profile b/etc/Xephyr.profile
index 22c0202ee..db3b3858c 100644
--- a/etc/Xephyr.profile
+++ b/etc/Xephyr.profile
@@ -1,9 +1,9 @@
-# Persistent global definitions go here
+# Firejail profile for Xephyr
-include /etc/firejail/globals.local
+# This file is overwritten after every install/update
+# Persistent local customizations
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
 include /etc/firejail/Xephyr.local
+# Persistent global definitions
+include /etc/firejail/globals.local
 #
 # This profile will sandbox Xephyr server itself when used with firejail --x11=xephyr.
@@ -15,26 +15,26 @@ include /etc/firejail/Xephyr.local
 #
-# using a private home directory
+blacklist /media
-private
+whitelist /var/lib/xkb
+include /etc/firejail/whitelist-common.inc
 caps.drop all
 # Xephyr needs to be allowed access to the abstract Unix socket namespace.
 nogroups
 nonewprivs
 # In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix.
-#noroot
+# noroot
 nosound
-shell none
-seccomp
 protocol unix
+seccomp
+shell none
+# using a private home directory
+private
+# private-bin Xephyr,sh,xkbcomp
+# private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls
 private-dev
+# private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
 private-tmp
-#private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls
-#private-bin Xephyr,sh,xkbcomp
-#private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
-blacklist /media
-whitelist /var/lib/xkb
diff --git a/etc/Xvfb.profile b/etc/Xvfb.profile
index 8eba82db1..ce17a9732 100644
--- a/etc/Xvfb.profile
+++ b/etc/Xvfb.profile
@@ -1,10 +1,10 @@
-# Persistent global definitions go here
+# Firejail profile for Xvfb
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/Xvfb.local
+# Persistent global definitions
 include /etc/firejail/globals.local
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/xvfb.local
 #
 # This profile will sandbox Xvfb server itself when used with firejail --x11=xvfb.
 # The target program is sandboxed with its own profile. By default the this functionality
@@ -16,9 +16,10 @@ include /etc/firejail/xvfb.local
 # some Linux distributions. Also, older versions of Xpra use Xvfb.
 #
+blacklist /media
-# using a private home directory
+whitelist /var/lib/xkb
-private
+include /etc/firejail/whitelist-common.inc
 caps.drop all
 # Xvfb needs to be allowed access to the abstract Unix socket namespace.
@@ -27,15 +28,14 @@ nonewprivs
 # In noroot mode, Xvfb cannot create a socket in the real /tmp/.X11-unix.
 #noroot
 nosound
-shell none
-seccomp
 protocol unix
+seccomp
+shell none
+# using a private home directory
+private
+# private-bin Xvfb,sh,xkbcomp
+# private-bin Xvfb,sh,xkbcomp,strace,bash,cat,ls
 private-dev
-private-tmp
 private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
-#private-bin Xvfb,sh,xkbcomp,strace,bash,cat,ls
+private-tmp
-#private-bin Xvfb,sh,xkbcomp
-blacklist /media
-whitelist /var/lib/xkb
diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile
index 2fe6d1927..9c2909b0f 100644
--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -1,21 +1,21 @@
-# Persistent global definitions go here
+# Firejail profile for baloo_file
-include /etc/firejail/globals.local
+# This file is overwritten after every install/update
+# Persistent local customizations
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
 include /etc/firejail/baloo_file.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# KDE Baloo file daemon profile
+noblacklist ${HOME}/.config/baloofilerc
-noblacklist ${HOME}/.kde4/share/config/baloofilerc
-noblacklist ${HOME}/.kde4/share/config/baloorc
 noblacklist ${HOME}/.kde/share/config/baloofilerc
 noblacklist ${HOME}/.kde/share/config/baloorc
-noblacklist ${HOME}/.config/baloofilerc
+noblacklist ${HOME}/.kde4/share/config/baloofilerc
+noblacklist ${HOME}/.kde4/share/config/baloorc
 noblacklist ${HOME}/.local/share/baloo
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 nogroups
@@ -26,7 +26,6 @@ novideo
 protocol unix
 # Baloo makes ioprio_set system calls, which are blacklisted by default.
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old
 x11 xorg
 private-dev
@@ -37,6 +36,6 @@ noexec /tmp
 # Make home directory read-only and allow writing only to ~/.local/share
 # Note: Baloo will not be able to update the "first run" key in its configuration files.
-#read-only  ${HOME}
+# noexec     ${HOME}/.local/share
-#read-write ${HOME}/.local/share
+# read-only  ${HOME}
-#noexec     ${HOME}/.local/share
+# read-write ${HOME}/.local/share
diff --git a/etc/brave.profile b/etc/brave.profile
index e73dd37a2..20dbf6c52 100644
--- a/etc/brave.profile
+++ b/etc/brave.profile
@@ -1,43 +1,36 @@
-# Persistent global definitions go here
+# Firejail profile for brave
-include /etc/firejail/globals.local
+# This file is overwritten after every install/update
+# Persistent local customizations
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
 include /etc/firejail/brave.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# Profile for Brave browser
 noblacklist ~/.config/brave
-noblacklist ~/.pki
 # brave uses gpg for built-in password manager
 noblacklist ~/.gnupg
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
-#caps.drop all
-netfilter
-#nonewprivs
-#noroot
-#protocol unix,inet,inet6,netlink
-#seccomp
-#disable-mnt
-whitelist ${DOWNLOADS}
 mkdir ~/.config/brave
-whitelist ~/.config/brave
 mkdir ~/.pki
-whitelist ~/.pki
+whitelist ${DOWNLOADS}
-# lastpass, keepass
-# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.keepass
-whitelist ~/.config/keepass
 whitelist ~/.config/KeePass
-whitelist ~/.lastpass
+whitelist ~/.config/brave
+whitelist ~/.config/keepass
 whitelist ~/.config/lastpass
+whitelist ~/.keepass
+whitelist ~/.lastpass
+whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
+# caps.drop all
+netfilter
+# nonewprivs
+# noroot
+# protocol unix,inet,inet6,netlink
+# seccomp
+# disable-mnt
diff --git a/etc/default.profile b/etc/default.profile
index 44a9e548b..693f89ad3 100644
--- a/etc/default.profile
+++ b/etc/default.profile
@@ -1,31 +1,38 @@
-# Persistent global definitions go here
+# Firejail profile for default
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/default.local
+# Persistent global definitions
 include /etc/firejail/globals.local
-# This file is overwritten during software install.
+# generic gui profile
-# Persistent customizations should go in a .local file.
+# depending on your usage, you can enable some of the commands below:
-include /etc/firejail/default.local
-################################
-# Generic GUI application profile
-################################
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
+# include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
+# ipc-namespace
 netfilter
+# nogroups
 nonewprivs
 noroot
+# nosound
+# novideo
 protocol unix,inet,inet6
 seccomp
-#
-# depending on your usage, you can enable some of the commands below:
-#
-# nogroups
 # shell none
+# disable-mnt
+# private
 # private-bin program
-# private-etc none
 # private-dev
+# private-etc none
+# private-lib
 # private-tmp
-# nosound
+# memory-deny-write-execute
+# noexec ${HOME}
+# noexec /tmp
diff --git a/etc/openbox.profile b/etc/openbox.profile
index 4104e1e08..99c579c37 100644
--- a/etc/openbox.profile
+++ b/etc/openbox.profile
@@ -1,14 +1,12 @@
-# Persistent global definitions go here
+# Firejail profile for openbox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/openbox.local
+# Persistent global definitions
 include /etc/firejail/globals.local
-# This file is overwritten during software install.
+# all applications started in OpenBox will run in this profile
-# Persistent customizations should go in a .local file.
-include /etc/firejail/openbox.local
-#######################################
-# OpenBox window manager profile
-# - all applications started in OpenBox will run in this profile
-#######################################
 include /etc/firejail/disable-common.inc
 caps.drop all
diff --git a/etc/server.profile b/etc/server.profile
index 2d79fa1c8..b0dd13f80 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -1,25 +1,37 @@
-# Persistent global definitions go here
+# Firejail profile for server
-include /etc/firejail/globals.local
+# This file is overwritten after every install/update
+# Persistent local customizations
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
 include /etc/firejail/server.local
+# Persistent global definitions
+include /etc/firejail/globals.local
 # generic server profile
 # it allows /sbin and /usr/sbin directories - this is where servers are installed
+# depending on your usage, you can enable some of the commands below:
+blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
+# include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
-blacklist /tmp/.X11-unix
+caps
 no3d
 nosound
 seccomp
-caps
+# disable-mnt
 private
+# private-bin program
 private-dev
+# private-etc none
+# private-lib
 private-tmp
+# memory-deny-write-execute
+# noexec ${HOME}
+# noexec /tmp
diff --git a/etc/snap.profile b/etc/snap.profile
index 8493fcbd3..38aef7c23 100644
--- a/etc/snap.profile
+++ b/etc/snap.profile
@@ -1,17 +1,16 @@
-# Persistent global definitions go here
+# Firejail profile for snap
-include /etc/firejail/globals.local
+# This file is overwritten after every install/update
+# Persistent local customizations
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
 include /etc/firejail/snap.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-################################
 # Generic Ubuntu snap application profile
-################################
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
-whitelist ~/snap
 whitelist ${DOWNLOADS}
+whitelist ~/snap
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/xpra.profile b/etc/xpra.profile
index c8bb3ef52..ed393d70b 100644
--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -1,10 +1,9 @@
-# Persistent global definitions go here
+# Firejail profile for xpra
-include /etc/firejail/globals.local
+# This file is overwritten after every install/update
+# Persistent local customizations
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
 include /etc/firejail/xpra.local
+# Persistent global definitions
+include /etc/firejail/globals.local
 #
 # This profile will sandbox Xpra server itself when used with firejail --x11=xpra.
@@ -14,12 +13,15 @@ include /etc/firejail/xpra.local
 #
 # or run "sudo firecfg"
-# private home directory doesn't work on some distros, so we go for a regular home
+blacklist /media
-#private
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+whitelist /var/lib/xkb
+include /etc/firejail/whitelist-common.inc
 caps.drop all
 # xpra needs to be allowed access to the abstract Unix socket namespace.
@@ -28,17 +30,14 @@ nonewprivs
 # In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix.
 #noroot
 nosound
-shell none
-seccomp
 protocol unix
+seccomp
+shell none
+# private home directory doesn't work on some distros, so we go for a regular home
+# private
+# older Xpra versions also use Xvfb
+# private-bin xpra,python,Xvfb,Xorg,sh,xkbcomp,xauth,dbus-launch,pactl,ldconfig,which,strace,bash,cat,ls
 private-dev
+# private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11
 private-tmp
-# older Xpra versions also use Xvfb
-#private-bin xpra,python,Xvfb,Xorg,sh,xkbcomp,xauth,dbus-launch,pactl,ldconfig,which,strace,bash,cat,ls
-#private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11
-blacklist /media
-whitelist /var/lib/xkb
author	Tad <tad@spotco.us>	2017-08-07 14:24:51 -0400
committer	Tad <tad@spotco.us>	2017-08-07 14:29:40 -0400
commit	39dc3c893b5d895ed9db9071dd47b3de7b28f2fd (patch)
tree	b76dbe39efe41bded67e3fe95d030b277d4a0236 /etc
parent	Fix comments in 88 profiles (diff)
download	firejail-39dc3c893b5d895ed9db9071dd47b3de7b28f2fd.tar.gz firejail-39dc3c893b5d895ed9db9071dd47b3de7b28f2fd.tar.zst firejail-39dc3c893b5d895ed9db9071dd47b3de7b28f2fd.zip

diff --git a/etc/Xephyr.profile b/etc/Xephyr.profile index 22c0202ee..db3b3858c 100644 --- a/etc/Xephyr.profile +++ b/etc/Xephyr.profile
@@ -1,9 +1,9 @@
1	# Persistent global definitions go here	1	# Firejail profile for Xephyr
2	include /etc/firejail/globals.local	2	# This file is overwritten after every install/update
3		3	# Persistent local customizations
4	# This file is overwritten during software install.
5	# Persistent customizations should go in a .local file.
6	include /etc/firejail/Xephyr.local	4	include /etc/firejail/Xephyr.local
		5	# Persistent global definitions
		6	include /etc/firejail/globals.local
7		7
8	#	8	#
9	# This profile will sandbox Xephyr server itself when used with firejail --x11=xephyr.	9	# This profile will sandbox Xephyr server itself when used with firejail --x11=xephyr.
@@ -15,26 +15,26 @@ include /etc/firejail/Xephyr.local
15	#	15	#
16		16
17		17
18	# using a private home directory	18	blacklist /media
19	private
20		19
		20	whitelist /var/lib/xkb
		21	include /etc/firejail/whitelist-common.inc
21		22
22	caps.drop all	23	caps.drop all
23	# Xephyr needs to be allowed access to the abstract Unix socket namespace.	24	# Xephyr needs to be allowed access to the abstract Unix socket namespace.
24	nogroups	25	nogroups
25	nonewprivs	26	nonewprivs
26	# In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix.	27	# In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix.
27	#noroot	28	# noroot
28	nosound	29	nosound
29	shell none
30	seccomp
31	protocol unix	30	protocol unix
		31	seccomp
		32	shell none
32		33
		34	# using a private home directory
		35	private
		36	# private-bin Xephyr,sh,xkbcomp
		37	# private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls
33	private-dev	38	private-dev
		39	# private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
34	private-tmp	40	private-tmp
35	#private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls
36	#private-bin Xephyr,sh,xkbcomp
37	#private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
38
39	blacklist /media
40	whitelist /var/lib/xkb


diff --git a/etc/Xvfb.profile b/etc/Xvfb.profile index 8eba82db1..ce17a9732 100644 --- a/etc/Xvfb.profile +++ b/etc/Xvfb.profile
@@ -1,10 +1,10 @@
1	# Persistent global definitions go here	1	# Firejail profile for Xvfb
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include /etc/firejail/Xvfb.local
		5	# Persistent global definitions
2	include /etc/firejail/globals.local	6	include /etc/firejail/globals.local
3		7
4	# This file is overwritten during software install.
5	# Persistent customizations should go in a .local file.
6	include /etc/firejail/xvfb.local
7
8	#	8	#
9	# This profile will sandbox Xvfb server itself when used with firejail --x11=xvfb.	9	# This profile will sandbox Xvfb server itself when used with firejail --x11=xvfb.
10	# The target program is sandboxed with its own profile. By default the this functionality	10	# The target program is sandboxed with its own profile. By default the this functionality
@@ -16,9 +16,10 @@ include /etc/firejail/xvfb.local
16	# some Linux distributions. Also, older versions of Xpra use Xvfb.	16	# some Linux distributions. Also, older versions of Xpra use Xvfb.
17	#	17	#
18		18
		19	blacklist /media
19		20
20	# using a private home directory	21	whitelist /var/lib/xkb
21	private	22	include /etc/firejail/whitelist-common.inc
22		23
23	caps.drop all	24	caps.drop all
24	# Xvfb needs to be allowed access to the abstract Unix socket namespace.	25	# Xvfb needs to be allowed access to the abstract Unix socket namespace.
@@ -27,15 +28,14 @@ nonewprivs
27	# In noroot mode, Xvfb cannot create a socket in the real /tmp/.X11-unix.	28	# In noroot mode, Xvfb cannot create a socket in the real /tmp/.X11-unix.
28	#noroot	29	#noroot
29	nosound	30	nosound
30	shell none
31	seccomp
32	protocol unix	31	protocol unix
		32	seccomp
		33	shell none
33		34
		35	# using a private home directory
		36	private
		37	# private-bin Xvfb,sh,xkbcomp
		38	# private-bin Xvfb,sh,xkbcomp,strace,bash,cat,ls
34	private-dev	39	private-dev
35	private-tmp
36	private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname	40	private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
37	#private-bin Xvfb,sh,xkbcomp,strace,bash,cat,ls	41	private-tmp
38	#private-bin Xvfb,sh,xkbcomp
39
40	blacklist /media
41	whitelist /var/lib/xkb


diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile index 2fe6d1927..9c2909b0f 100644 --- a/etc/baloo_file.profile +++ b/etc/baloo_file.profile
@@ -1,21 +1,21 @@
1	# Persistent global definitions go here	1	# Firejail profile for baloo_file
2	include /etc/firejail/globals.local	2	# This file is overwritten after every install/update
3		3	# Persistent local customizations
4	# This file is overwritten during software install.
5	# Persistent customizations should go in a .local file.
6	include /etc/firejail/baloo_file.local	4	include /etc/firejail/baloo_file.local
		5	# Persistent global definitions
		6	include /etc/firejail/globals.local
7		7
8	# KDE Baloo file daemon profile	8	noblacklist ${HOME}/.config/baloofilerc
9	noblacklist ${HOME}/.kde4/share/config/baloofilerc
10	noblacklist ${HOME}/.kde4/share/config/baloorc
11	noblacklist ${HOME}/.kde/share/config/baloofilerc	9	noblacklist ${HOME}/.kde/share/config/baloofilerc
12	noblacklist ${HOME}/.kde/share/config/baloorc	10	noblacklist ${HOME}/.kde/share/config/baloorc
13	noblacklist ${HOME}/.config/baloofilerc	11	noblacklist ${HOME}/.kde4/share/config/baloofilerc
		12	noblacklist ${HOME}/.kde4/share/config/baloorc
14	noblacklist ${HOME}/.local/share/baloo	13	noblacklist ${HOME}/.local/share/baloo
		14
15	include /etc/firejail/disable-common.inc	15	include /etc/firejail/disable-common.inc
16	include /etc/firejail/disable-programs.inc
17	include /etc/firejail/disable-devel.inc	16	include /etc/firejail/disable-devel.inc
18	include /etc/firejail/disable-passwdmgr.inc	17	include /etc/firejail/disable-passwdmgr.inc
		18	include /etc/firejail/disable-programs.inc
19		19
20	caps.drop all	20	caps.drop all
21	nogroups	21	nogroups
@@ -26,7 +26,6 @@ novideo
26	protocol unix	26	protocol unix
27	# Baloo makes ioprio_set system calls, which are blacklisted by default.	27	# Baloo makes ioprio_set system calls, which are blacklisted by default.
28	seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old	28	seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old
29
30	x11 xorg	29	x11 xorg
31		30
32	private-dev	31	private-dev
@@ -37,6 +36,6 @@ noexec /tmp
37		36
38	# Make home directory read-only and allow writing only to ~/.local/share	37	# Make home directory read-only and allow writing only to ~/.local/share
39	# Note: Baloo will not be able to update the "first run" key in its configuration files.	38	# Note: Baloo will not be able to update the "first run" key in its configuration files.
40	#read-only ${HOME}	39	# noexec ${HOME}/.local/share
41	#read-write ${HOME}/.local/share	40	# read-only ${HOME}
42	#noexec ${HOME}/.local/share	41	# read-write ${HOME}/.local/share


diff --git a/etc/brave.profile b/etc/brave.profile index e73dd37a2..20dbf6c52 100644 --- a/etc/brave.profile +++ b/etc/brave.profile
@@ -1,43 +1,36 @@
1	# Persistent global definitions go here	1	# Firejail profile for brave
2	include /etc/firejail/globals.local	2	# This file is overwritten after every install/update
3		3	# Persistent local customizations
4	# This file is overwritten during software install.
5	# Persistent customizations should go in a .local file.
6	include /etc/firejail/brave.local	4	include /etc/firejail/brave.local
		5	# Persistent global definitions
		6	include /etc/firejail/globals.local
7		7
8	# Profile for Brave browser
9	noblacklist ~/.config/brave	8	noblacklist ~/.config/brave
10	noblacklist ~/.pki
11
12	# brave uses gpg for built-in password manager	9	# brave uses gpg for built-in password manager
13	noblacklist ~/.gnupg	10	noblacklist ~/.gnupg
		11	noblacklist ~/.pki
14		12
15	include /etc/firejail/disable-common.inc	13	include /etc/firejail/disable-common.inc
16	include /etc/firejail/disable-programs.inc
17	include /etc/firejail/disable-devel.inc	14	include /etc/firejail/disable-devel.inc
18		15	include /etc/firejail/disable-programs.inc
19	#caps.drop all
20	netfilter
21	#nonewprivs
22	#noroot
23	#protocol unix,inet,inet6,netlink
24	#seccomp
25
26	#disable-mnt
27
28	whitelist ${DOWNLOADS}
29		16
30	mkdir ~/.config/brave	17	mkdir ~/.config/brave
31	whitelist ~/.config/brave
32	mkdir ~/.pki	18	mkdir ~/.pki
33	whitelist ~/.pki	19	whitelist ${DOWNLOADS}
34
35	# lastpass, keepass
36	# for keepass we additionally need to whitelist our .kdbx password database
37	whitelist ~/.keepass
38	whitelist ~/.config/keepass
39	whitelist ~/.config/KeePass	20	whitelist ~/.config/KeePass
40	whitelist ~/.lastpass	21	whitelist ~/.config/brave
		22	whitelist ~/.config/keepass
41	whitelist ~/.config/lastpass	23	whitelist ~/.config/lastpass
42		24	whitelist ~/.keepass
		25	whitelist ~/.lastpass
		26	whitelist ~/.pki
43	include /etc/firejail/whitelist-common.inc	27	include /etc/firejail/whitelist-common.inc
		28
		29	# caps.drop all
		30	netfilter
		31	# nonewprivs
		32	# noroot
		33	# protocol unix,inet,inet6,netlink
		34	# seccomp
		35
		36	# disable-mnt


diff --git a/etc/default.profile b/etc/default.profile index 44a9e548b..693f89ad3 100644 --- a/etc/default.profile +++ b/etc/default.profile
@@ -1,31 +1,38 @@
1	# Persistent global definitions go here	1	# Firejail profile for default
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include /etc/firejail/default.local
		5	# Persistent global definitions
2	include /etc/firejail/globals.local	6	include /etc/firejail/globals.local
3		7
4	# This file is overwritten during software install.	8	# generic gui profile
5	# Persistent customizations should go in a .local file.	9	# depending on your usage, you can enable some of the commands below:
6	include /etc/firejail/default.local
7		10
8	################################
9	# Generic GUI application profile
10	################################
11	include /etc/firejail/disable-common.inc	11	include /etc/firejail/disable-common.inc
12	include /etc/firejail/disable-programs.inc	12	# include /etc/firejail/disable-devel.inc
13	include /etc/firejail/disable-passwdmgr.inc	13	include /etc/firejail/disable-passwdmgr.inc
		14	include /etc/firejail/disable-programs.inc
14		15
15	caps.drop all	16	caps.drop all
		17	# ipc-namespace
16	netfilter	18	netfilter
		19	# nogroups
17	nonewprivs	20	nonewprivs
18	noroot	21	noroot
		22	# nosound
		23	# novideo
19	protocol unix,inet,inet6	24	protocol unix,inet,inet6
20	seccomp	25	seccomp
21
22	#
23	# depending on your usage, you can enable some of the commands below:
24	#
25	# nogroups
26	# shell none	26	# shell none
		27
		28	# disable-mnt
		29	# private
27	# private-bin program	30	# private-bin program
28	# private-etc none
29	# private-dev	31	# private-dev
		32	# private-etc none
		33	# private-lib
30	# private-tmp	34	# private-tmp
31	# nosound	35
		36	# memory-deny-write-execute
		37	# noexec ${HOME}
		38	# noexec /tmp


diff --git a/etc/openbox.profile b/etc/openbox.profile index 4104e1e08..99c579c37 100644 --- a/etc/openbox.profile +++ b/etc/openbox.profile
@@ -1,14 +1,12 @@
1	# Persistent global definitions go here	1	# Firejail profile for openbox
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include /etc/firejail/openbox.local
		5	# Persistent global definitions
2	include /etc/firejail/globals.local	6	include /etc/firejail/globals.local
3		7
4	# This file is overwritten during software install.	8	# all applications started in OpenBox will run in this profile
5	# Persistent customizations should go in a .local file.
6	include /etc/firejail/openbox.local
7		9
8	#######################################
9	# OpenBox window manager profile
10	# - all applications started in OpenBox will run in this profile
11	#######################################
12	include /etc/firejail/disable-common.inc	10	include /etc/firejail/disable-common.inc
13		11
14	caps.drop all	12	caps.drop all


diff --git a/etc/server.profile b/etc/server.profile index 2d79fa1c8..b0dd13f80 100644 --- a/etc/server.profile +++ b/etc/server.profile
@@ -1,25 +1,37 @@
1	# Persistent global definitions go here	1	# Firejail profile for server
2	include /etc/firejail/globals.local	2	# This file is overwritten after every install/update
3		3	# Persistent local customizations
4	# This file is overwritten during software install.
5	# Persistent customizations should go in a .local file.
6	include /etc/firejail/server.local	4	include /etc/firejail/server.local
		5	# Persistent global definitions
		6	include /etc/firejail/globals.local
7		7
8	# generic server profile	8	# generic server profile
9	# it allows /sbin and /usr/sbin directories - this is where servers are installed	9	# it allows /sbin and /usr/sbin directories - this is where servers are installed
		10	# depending on your usage, you can enable some of the commands below:
		11
		12	blacklist /tmp/.X11-unix
		13
10	noblacklist /sbin	14	noblacklist /sbin
11	noblacklist /usr/sbin	15	noblacklist /usr/sbin
		16
12	include /etc/firejail/disable-common.inc	17	include /etc/firejail/disable-common.inc
13	include /etc/firejail/disable-programs.inc	18	# include /etc/firejail/disable-devel.inc
14	include /etc/firejail/disable-passwdmgr.inc	19	include /etc/firejail/disable-passwdmgr.inc
		20	include /etc/firejail/disable-programs.inc
15		21
16	blacklist /tmp/.X11-unix	22	caps
17
18	no3d	23	no3d
19	nosound	24	nosound
20	seccomp	25	seccomp
21	caps
22		26
		27	# disable-mnt
23	private	28	private
		29	# private-bin program
24	private-dev	30	private-dev
		31	# private-etc none
		32	# private-lib
25	private-tmp	33	private-tmp
		34
		35	# memory-deny-write-execute
		36	# noexec ${HOME}
		37	# noexec /tmp


diff --git a/etc/snap.profile b/etc/snap.profile index 8493fcbd3..38aef7c23 100644 --- a/etc/snap.profile +++ b/etc/snap.profile
@@ -1,17 +1,16 @@
1	# Persistent global definitions go here	1	# Firejail profile for snap
2	include /etc/firejail/globals.local	2	# This file is overwritten after every install/update
3		3	# Persistent local customizations
4	# This file is overwritten during software install.
5	# Persistent customizations should go in a .local file.
6	include /etc/firejail/snap.local	4	include /etc/firejail/snap.local
		5	# Persistent global definitions
		6	include /etc/firejail/globals.local
7		7
8	################################
9	# Generic Ubuntu snap application profile	8	# Generic Ubuntu snap application profile
10	################################	9
11	include /etc/firejail/disable-common.inc	10	include /etc/firejail/disable-common.inc
12	include /etc/firejail/disable-programs.inc
13	include /etc/firejail/disable-passwdmgr.inc	11	include /etc/firejail/disable-passwdmgr.inc
		12	include /etc/firejail/disable-programs.inc
14		13
15	whitelist ~/snap
16	whitelist ${DOWNLOADS}	14	whitelist ${DOWNLOADS}
		15	whitelist ~/snap
17	include /etc/firejail/whitelist-common.inc	16	include /etc/firejail/whitelist-common.inc


diff --git a/etc/xpra.profile b/etc/xpra.profile index c8bb3ef52..ed393d70b 100644 --- a/etc/xpra.profile +++ b/etc/xpra.profile
@@ -1,10 +1,9 @@
1	# Persistent global definitions go here	1	# Firejail profile for xpra
2	include /etc/firejail/globals.local	2	# This file is overwritten after every install/update
3		3	# Persistent local customizations
4	# This file is overwritten during software install.
5	# Persistent customizations should go in a .local file.
6	include /etc/firejail/xpra.local	4	include /etc/firejail/xpra.local
7		5	# Persistent global definitions
		6	include /etc/firejail/globals.local
8		7
9	#	8	#
10	# This profile will sandbox Xpra server itself when used with firejail --x11=xpra.	9	# This profile will sandbox Xpra server itself when used with firejail --x11=xpra.
@@ -14,12 +13,15 @@ include /etc/firejail/xpra.local
14	#	13	#
15	# or run "sudo firecfg"	14	# or run "sudo firecfg"
16		15
17	# private home directory doesn't work on some distros, so we go for a regular home	16	blacklist /media
18	#private	17
19	include /etc/firejail/disable-common.inc	18	include /etc/firejail/disable-common.inc
20	include /etc/firejail/disable-programs.inc
21	include /etc/firejail/disable-devel.inc	19	include /etc/firejail/disable-devel.inc
22	include /etc/firejail/disable-passwdmgr.inc	20	include /etc/firejail/disable-passwdmgr.inc
		21	include /etc/firejail/disable-programs.inc
		22
		23	whitelist /var/lib/xkb
		24	include /etc/firejail/whitelist-common.inc
23		25
24	caps.drop all	26	caps.drop all
25	# xpra needs to be allowed access to the abstract Unix socket namespace.	27	# xpra needs to be allowed access to the abstract Unix socket namespace.
@@ -28,17 +30,14 @@ nonewprivs
28	# In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix.	30	# In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix.
29	#noroot	31	#noroot
30	nosound	32	nosound
31	shell none
32	seccomp
33	protocol unix	33	protocol unix
		34	seccomp
		35	shell none
34		36
35		37	# private home directory doesn't work on some distros, so we go for a regular home
		38	# private
		39	# older Xpra versions also use Xvfb
		40	# private-bin xpra,python,Xvfb,Xorg,sh,xkbcomp,xauth,dbus-launch,pactl,ldconfig,which,strace,bash,cat,ls
36	private-dev	41	private-dev
		42	# private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11
37	private-tmp	43	private-tmp
38	# older Xpra versions also use Xvfb
39	#private-bin xpra,python,Xvfb,Xorg,sh,xkbcomp,xauth,dbus-launch,pactl,ldconfig,which,strace,bash,cat,ls
40	#private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11
41
42	blacklist /media
43	whitelist /var/lib/xkb
44