author | netblue30 <netblue30@protonmail.com> | 2023-07-26 08:59:33 -0400 |
committer | netblue30 <netblue30@protonmail.com> | 2023-07-26 08:59:33 -0400 |
commit | 6d4bb95948363263e220dc475db71a9341f1294e (patch) | |
tree | 5c66a28720ee7fd78683a219717d3d7e40eed265 /etc | |
parent | netlock/nettrace cleanup (diff) | |
parent | spotify: D-Bus hardening (#5923) (diff) | |
Merge branch 'master' of ssh://github.com/netblue30/firejail
Diffstat (limited to 'etc')
37 files changed, 155 insertions, 82 deletions
diff --git a/etc/firejail.config b/etc/firejail.config index e8bf45751..c3c355e3d 100644 --- a/etc/firejail.config +++ b/etc/firejail.config | |||
@@ -163,12 +163,12 @@ | |||
163 | # Xpra server command extra parameters. None by default; this is an example. | 163 | # Xpra server command extra parameters. None by default; this is an example. |
164 | # xpra-extra-params --dpi 96 | 164 | # xpra-extra-params --dpi 96 |
165 | 165 | ||
166 | # Screen size for --x11=xvfb, default 800x600x24. The third dimension is | 166 | # Screen size for --x11=xvfb, default 800x600x24. The third dimension is |
167 | # color depth; use 24 unless you know exactly what you're doing. | 167 | # color depth; use 24 unless you know exactly what you're doing. |
168 | # xvfb-screen 640x480x24 | 168 | # xvfb-screen 640x480x24 |
169 | # xvfb-screen 800x600x24 | 169 | # xvfb-screen 800x600x24 |
170 | # xvfb-screen 1024x768x24 | 170 | # xvfb-screen 1024x768x24 |
171 | # xvfb-screen 1280x1024x24 | 171 | # xvfb-screen 1280x1024x24 |
172 | 172 | ||
173 | # Xvfb command extra parameters. None by default; this is an example. | 173 | # Xvfb command extra parameters. None by default; this is an example. |
174 | # xvfb-extra-params -pixdepths 8 24 32 | 174 | # xvfb-extra-params -pixdepths 8 24 32 |
diff --git a/etc/inc/disable-interpreters.inc b/etc/inc/disable-interpreters.inc index 4e3590fed..e4497f832 100644 --- a/etc/inc/disable-interpreters.inc +++ b/etc/inc/disable-interpreters.inc | |||
@@ -44,8 +44,7 @@ blacklist /usr/share/perl* | |||
44 | # it is needed so that Firefox can run applications with Terminal=true in | 44 | # it is needed so that Firefox can run applications with Terminal=true in |
45 | # their .desktop file (depending on what is installed). The reason is that | 45 | # their .desktop file (depending on what is installed). The reason is that |
46 | # this is done via glib, which currently uses a hardcoded list of terminal | 46 | # this is done via glib, which currently uses a hardcoded list of terminal |
47 | # emulators: | 47 | # emulators: https://gitlab.gnome.org/GNOME/glib/-/issues/338. |
48 | # https://gitlab.gnome.org/GNOME/glib/-/issues/338 | ||
49 | # And in this list, rxvt comes before xterm. | 48 | # And in this list, rxvt comes before xterm. |
50 | blacklist ${PATH}/rxvt | 49 | blacklist ${PATH}/rxvt |
51 | 50 | ||
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 29d5a8700..b0d1b7a66 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
@@ -547,6 +547,7 @@ blacklist ${HOME}/.config/midori | |||
547 | blacklist ${HOME}/.config/mirage | 547 | blacklist ${HOME}/.config/mirage |
548 | blacklist ${HOME}/.config/monero-project | 548 | blacklist ${HOME}/.config/monero-project |
549 | blacklist ${HOME}/.config/mono | 549 | blacklist ${HOME}/.config/mono |
550 | blacklist ${HOME}/.config/mov-cli | ||
550 | blacklist ${HOME}/.config/mpDris2 | 551 | blacklist ${HOME}/.config/mpDris2 |
551 | blacklist ${HOME}/.config/mpd | 552 | blacklist ${HOME}/.config/mpd |
552 | blacklist ${HOME}/.config/mps-youtube | 553 | blacklist ${HOME}/.config/mps-youtube |
@@ -623,6 +624,7 @@ blacklist ${HOME}/.config/slimjet | |||
623 | blacklist ${HOME}/.config/smplayer | 624 | blacklist ${HOME}/.config/smplayer |
624 | blacklist ${HOME}/.config/smtube | 625 | blacklist ${HOME}/.config/smtube |
625 | blacklist ${HOME}/.config/smuxi | 626 | blacklist ${HOME}/.config/smuxi |
627 | blacklist ${HOME}/.config/sniffnet | ||
626 | blacklist ${HOME}/.config/snox | 628 | blacklist ${HOME}/.config/snox |
627 | blacklist ${HOME}/.config/sound-juicer | 629 | blacklist ${HOME}/.config/sound-juicer |
628 | blacklist ${HOME}/.config/specialmailcollectionsrc | 630 | blacklist ${HOME}/.config/specialmailcollectionsrc |
diff --git a/etc/profile-a-l/1password.profile b/etc/profile-a-l/1password.profile index 690086099..63a04330b 100644 --- a/etc/profile-a-l/1password.profile +++ b/etc/profile-a-l/1password.profile | |||
@@ -13,7 +13,7 @@ whitelist ${HOME}/.config/1Password | |||
13 | 13 | ||
14 | private-etc @tls-ca | 14 | private-etc @tls-ca |
15 | 15 | ||
16 | # Needed for keychain things, talking to Firefox, possibly other things? Not sure how to narrow down | 16 | # Needed for keychain things, talking to Firefox, possibly other things? |
17 | ignore dbus-user none | 17 | ignore dbus-user none |
18 | 18 | ||
19 | # Redirect | 19 | # Redirect |
diff --git a/etc/profile-a-l/abrowser.profile b/etc/profile-a-l/abrowser.profile index 2e6e8f1af..8b70756ba 100644 --- a/etc/profile-a-l/abrowser.profile +++ b/etc/profile-a-l/abrowser.profile | |||
@@ -12,6 +12,7 @@ mkdir ${HOME}/.cache/mozilla/abrowser | |||
12 | mkdir ${HOME}/.mozilla | 12 | mkdir ${HOME}/.mozilla |
13 | whitelist ${HOME}/.cache/mozilla/abrowser | 13 | whitelist ${HOME}/.cache/mozilla/abrowser |
14 | whitelist ${HOME}/.mozilla | 14 | whitelist ${HOME}/.mozilla |
15 | whitelist /usr/share/abrowser | ||
15 | 16 | ||
16 | # private-etc must first be enabled in firefox-common.profile | 17 | # private-etc must first be enabled in firefox-common.profile |
17 | #private-etc abrowser | 18 | #private-etc abrowser |
diff --git a/etc/profile-a-l/audacious.profile b/etc/profile-a-l/audacious.profile index b31f3f1b2..6abd87c92 100644 --- a/etc/profile-a-l/audacious.profile +++ b/etc/profile-a-l/audacious.profile | |||
@@ -14,6 +14,7 @@ include disable-common.inc | |||
14 | include disable-devel.inc | 14 | include disable-devel.inc |
15 | include disable-exec.inc | 15 | include disable-exec.inc |
16 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
17 | include disable-proc.inc | ||
17 | include disable-programs.inc | 18 | include disable-programs.inc |
18 | include disable-xdg.inc | 19 | include disable-xdg.inc |
19 | 20 | ||
@@ -26,6 +27,7 @@ netfilter | |||
26 | nogroups | 27 | nogroups |
27 | noinput | 28 | noinput |
28 | nonewprivs | 29 | nonewprivs |
30 | noprinters | ||
29 | noroot | 31 | noroot |
30 | notv | 32 | notv |
31 | nou2f | 33 | nou2f |
@@ -39,8 +41,13 @@ private-cache | |||
39 | private-dev | 41 | private-dev |
40 | private-tmp | 42 | private-tmp |
41 | 43 | ||
42 | # dbus needed for MPRIS | 44 | dbus-user filter |
43 | # dbus-user none | 45 | dbus-user.own org.atheme.audacious |
44 | # dbus-system none | 46 | dbus-user.own org.mpris.MediaPlayer2.audacious |
47 | dbus-user.talk ca.desrt.dconf | ||
48 | dbus-user.talk org.freedesktop.Notifications | ||
49 | dbus-user.talk org.gtk.vfs.UDisks2VolumeMonitor | ||
50 | dbus-user.talk org.mpris.MediaPlayer2.Player | ||
51 | dbus-system none | ||
45 | 52 | ||
46 | restrict-namespaces | 53 | restrict-namespaces |
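Review bot: `dbus-user.talk org.mpris.MediaPlayer2.Player` (new line 50) names an MPRIS interface rather than a well-known bus name, so as a talk rule it very likely matches nothing: players own `org.mpris.MediaPlayer2.<player>`, and audacious's own export is already covered by the `dbus-user.own org.mpris.MediaPlayer2.audacious` line above it. If the intent is to let audacious control other players, `dbus-user.talk org.mpris.MediaPlayer2.*` would be the matching rule; if it was only meant for its own Player interface, the line can be dropped. The old `# dbus needed for MPRIS` comment disappeared with the rewrite; a short comment per rule (e.g. `# ca.desrt.dconf: presumably the GSettings backend`) would record why each name is allowed, since the filter is now the profile's main D-Bus boundary.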
diff --git a/etc/profile-a-l/basilisk.profile b/etc/profile-a-l/basilisk.profile index a962bfe02..7d2fe143c 100644 --- a/etc/profile-a-l/basilisk.profile +++ b/etc/profile-a-l/basilisk.profile | |||
@@ -12,6 +12,7 @@ mkdir ${HOME}/.cache/moonchild productions/basilisk | |||
12 | mkdir ${HOME}/.moonchild productions | 12 | mkdir ${HOME}/.moonchild productions |
13 | whitelist ${HOME}/.cache/moonchild productions/basilisk | 13 | whitelist ${HOME}/.cache/moonchild productions/basilisk |
14 | whitelist ${HOME}/.moonchild productions | 14 | whitelist ${HOME}/.moonchild productions |
15 | whitelist /usr/share/basilisk | ||
15 | 16 | ||
16 | # Basilisk can use the full firejail seccomp filter (unlike firefox >= 60) | 17 | # Basilisk can use the full firejail seccomp filter (unlike firefox >= 60) |
17 | seccomp | 18 | seccomp |
diff --git a/etc/profile-a-l/brave.profile b/etc/profile-a-l/brave.profile index 071a279b0..b3994c974 100644 --- a/etc/profile-a-l/brave.profile +++ b/etc/profile-a-l/brave.profile | |||
@@ -9,8 +9,8 @@ include globals.local | |||
9 | # noexec /tmp is included in chromium-common.profile and breaks Brave | 9 | # noexec /tmp is included in chromium-common.profile and breaks Brave |
10 | ignore noexec /tmp | 10 | ignore noexec /tmp |
11 | # TOR is installed in ${HOME}. | 11 | # TOR is installed in ${HOME}. |
12 | # NOTE: chromium-common.profile enables apparmor. To keep that intact | 12 | # Note: chromium-common.profile enables apparmor. To keep that intact, |
13 | # you will need to uncomment the 'brave + tor' rule in /etc/apparmor.d/local/firejail-default. | 13 | # uncomment the 'brave + tor' rule in /etc/apparmor.d/local/firejail-default. |
14 | # Alternatively you can add 'ignore apparmor' to your brave.local. | 14 | # Alternatively you can add 'ignore apparmor' to your brave.local. |
15 | ignore noexec ${HOME} | 15 | ignore noexec ${HOME} |
16 | # Causes slow starts (#4604) | 16 | # Causes slow starts (#4604) |
diff --git a/etc/profile-a-l/cachy-browser.profile b/etc/profile-a-l/cachy-browser.profile index 7a14d9464..05e1a69f1 100644 --- a/etc/profile-a-l/cachy-browser.profile +++ b/etc/profile-a-l/cachy-browser.profile | |||
@@ -13,26 +13,21 @@ mkdir ${HOME}/.cache/cachy | |||
13 | mkdir ${HOME}/.cachy | 13 | mkdir ${HOME}/.cachy |
14 | whitelist ${HOME}/.cache/cachy | 14 | whitelist ${HOME}/.cache/cachy |
15 | whitelist ${HOME}/.cachy | 15 | whitelist ${HOME}/.cachy |
16 | whitelist /usr/share/cachy-browser | ||
16 | 17 | ||
17 | # Add the next lines to your cachy-browser.local if you want to use the migration wizard. | 18 | # Add the next lines to your cachy-browser.local if you want to use the migration wizard. |
18 | #noblacklist ${HOME}/.mozilla | 19 | #noblacklist ${HOME}/.mozilla |
19 | #whitelist ${HOME}/.mozilla | 20 | #whitelist ${HOME}/.mozilla |
20 | 21 | ||
21 | # To enable KeePassXC Plugin add one of the following lines to your cachy-browser.local. | 22 | # To enable KeePassXC Plugin add one of the following lines to your cachy-browser.local. |
22 | # NOTE: start KeePassXC before CachyBrowser and keep it open to allow communication between them. | 23 | # Note: Start KeePassXC before CachyBrowser and keep it open to allow communication between them. |
23 | #whitelist ${RUNUSER}/kpxc_server | 24 | #whitelist ${RUNUSER}/kpxc_server |
24 | #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer | 25 | #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer |
25 | 26 | ||
26 | whitelist /usr/share/doc | ||
27 | whitelist /usr/share/gtk-doc/html | ||
28 | whitelist /usr/share/mozilla | ||
29 | whitelist /usr/share/webext | ||
30 | include whitelist-usr-share-common.inc | ||
31 | |||
32 | # Add the next line to your cachy-browser.local to enable private-bin (Arch Linux). | 27 | # Add the next line to your cachy-browser.local to enable private-bin (Arch Linux). |
33 | #private-bin dbus-launch,dbus-send,cachy-browser,sh | 28 | #private-bin dbus-launch,dbus-send,cachy-browser,sh |
34 | # Add the next line to your cachy-browser.local to enable private-etc. | 29 | # Add the next line to your cachy-browser.local to enable private-etc. |
35 | # NOTE: private-etc must first be enabled in firefox-common.local. | 30 | # Note: private-etc must first be enabled in firefox-common.local. |
36 | #private-etc cachy-browser | 31 | #private-etc cachy-browser |
37 | 32 | ||
38 | dbus-user filter | 33 | dbus-user filter |
diff --git a/etc/profile-a-l/cliqz.profile b/etc/profile-a-l/cliqz.profile index d0b8cc0ef..d0bf9797e 100644 --- a/etc/profile-a-l/cliqz.profile +++ b/etc/profile-a-l/cliqz.profile | |||
@@ -15,6 +15,7 @@ mkdir ${HOME}/.config/cliqz | |||
15 | whitelist ${HOME}/.cache/cliqz | 15 | whitelist ${HOME}/.cache/cliqz |
16 | whitelist ${HOME}/.cliqz | 16 | whitelist ${HOME}/.cliqz |
17 | whitelist ${HOME}/.config/cliqz | 17 | whitelist ${HOME}/.config/cliqz |
18 | whitelist /usr/share/cliqz | ||
18 | 19 | ||
19 | # private-etc must first be enabled in firefox-common.profile | 20 | # private-etc must first be enabled in firefox-common.profile |
20 | #private-etc cliqz | 21 | #private-etc cliqz |
diff --git a/etc/profile-a-l/cyberfox.profile b/etc/profile-a-l/cyberfox.profile index d1fff0004..a303c5979 100644 --- a/etc/profile-a-l/cyberfox.profile +++ b/etc/profile-a-l/cyberfox.profile | |||
@@ -12,6 +12,8 @@ mkdir ${HOME}/.8pecxstudios | |||
12 | mkdir ${HOME}/.cache/8pecxstudios | 12 | mkdir ${HOME}/.cache/8pecxstudios |
13 | whitelist ${HOME}/.8pecxstudios | 13 | whitelist ${HOME}/.8pecxstudios |
14 | whitelist ${HOME}/.cache/8pecxstudios | 14 | whitelist ${HOME}/.cache/8pecxstudios |
15 | whitelist /usr/share/8pecxstudios | ||
16 | whitelist /usr/share/cyberfox | ||
15 | 17 | ||
16 | # private-bin cyberfox,dbus-launch,dbus-send,env,sh,which | 18 | # private-bin cyberfox,dbus-launch,dbus-send,env,sh,which |
17 | # private-etc must first be enabled in firefox-common.profile | 19 | # private-etc must first be enabled in firefox-common.profile |
diff --git a/etc/profile-a-l/discord-ptb.profile b/etc/profile-a-l/discord-ptb.profile index c39c0d843..265bf5615 100644 --- a/etc/profile-a-l/discord-ptb.profile +++ b/etc/profile-a-l/discord-ptb.profile | |||
@@ -1,17 +1,17 @@ | |||
1 | # Firejail profile for discord-ptb | 1 | # Firejail profile for discord-ptb |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include discord-ptb.local | 4 | include discord-ptb.local |
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.config/discordptb | 8 | noblacklist ${HOME}/.config/discordptb |
9 | 9 | ||
10 | mkdir ${HOME}/.config/discordptb | 10 | mkdir ${HOME}/.config/discordptb |
11 | whitelist ${HOME}/.config/discordptb | 11 | whitelist ${HOME}/.config/discordptb |
12 | 12 | ||
13 | private-bin discord-ptb,DiscordPTB | 13 | private-bin discord-ptb,DiscordPTB |
14 | private-opt discord-ptb,DiscordPTB | 14 | private-opt discord-ptb,DiscordPTB |
15 | 15 | ||
16 | # Redirect | 16 | # Redirect |
17 | include discord-common.profile | 17 | include discord-common.profile |
diff --git a/etc/profile-a-l/firedragon.profile b/etc/profile-a-l/firedragon.profile index 77487161e..3177fb989 100644 --- a/etc/profile-a-l/firedragon.profile +++ b/etc/profile-a-l/firedragon.profile | |||
@@ -13,6 +13,7 @@ mkdir ${HOME}/.cache/firedragon | |||
13 | mkdir ${HOME}/.firedragon | 13 | mkdir ${HOME}/.firedragon |
14 | whitelist ${HOME}/.cache/firedragon | 14 | whitelist ${HOME}/.cache/firedragon |
15 | whitelist ${HOME}/.firedragon | 15 | whitelist ${HOME}/.firedragon |
16 | whitelist /usr/share/firedragon | ||
16 | 17 | ||
17 | # Add the next lines to your firedragon.local if you want to use the migration wizard. | 18 | # Add the next lines to your firedragon.local if you want to use the migration wizard. |
18 | #noblacklist ${HOME}/.mozilla | 19 | #noblacklist ${HOME}/.mozilla |
diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile index 6dc1fca8a..f12750fda 100644 --- a/etc/profile-a-l/firefox-common-addons.profile +++ b/etc/profile-a-l/firefox-common-addons.profile | |||
@@ -74,7 +74,6 @@ whitelist ${HOME}/.zotero | |||
74 | whitelist ${HOME}/dwhelper | 74 | whitelist ${HOME}/dwhelper |
75 | whitelist /usr/share/lua | 75 | whitelist /usr/share/lua |
76 | whitelist /usr/share/lua* | 76 | whitelist /usr/share/lua* |
77 | whitelist /usr/share/vulkan | ||
78 | 77 | ||
79 | # GNOME Shell integration (chrome-gnome-shell) needs dbus and python | 78 | # GNOME Shell integration (chrome-gnome-shell) needs dbus and python |
80 | noblacklist ${HOME}/.local/share/gnome-shell | 79 | noblacklist ${HOME}/.local/share/gnome-shell |
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile index 42d12c5d9..9c8601e7b 100644 --- a/etc/profile-a-l/firefox-common.profile +++ b/etc/profile-a-l/firefox-common.profile | |||
@@ -29,9 +29,14 @@ mkdir ${HOME}/.pki | |||
29 | whitelist ${DOWNLOADS} | 29 | whitelist ${DOWNLOADS} |
30 | whitelist ${HOME}/.local/share/pki | 30 | whitelist ${HOME}/.local/share/pki |
31 | whitelist ${HOME}/.pki | 31 | whitelist ${HOME}/.pki |
32 | whitelist /usr/share/doc | ||
33 | whitelist /usr/share/gtk-doc/html | ||
34 | whitelist /usr/share/mozilla | ||
35 | whitelist /usr/share/webext | ||
32 | include whitelist-common.inc | 36 | include whitelist-common.inc |
33 | include whitelist-run-common.inc | 37 | include whitelist-run-common.inc |
34 | include whitelist-runuser-common.inc | 38 | include whitelist-runuser-common.inc |
39 | include whitelist-usr-share-common.inc | ||
35 | include whitelist-var-common.inc | 40 | include whitelist-var-common.inc |
36 | 41 | ||
37 | apparmor | 42 | apparmor |
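Review bot: The new `include whitelist-usr-share-common.inc` (new line 39) turns on a /usr/share whitelist for every profile that redirects here, so each such profile must now whitelist its own /usr/share/<app> directory or the application's data under /usr/share vanishes from the sandbox; this commit does that for abrowser, basilisk, cliqz, cyberfox, firedragon, icecat, cachy-browser and librewolf, but any derived profile outside this diff needs the same check. The four whitelists added at new lines 32-35 carry no comment saying what needs /usr/share/doc and /usr/share/gtk-doc/html exposed to all firefox-based browsers; a one-line comment above them naming the consumer (if known) would keep the next cleanup from dropping them.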
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile index 1fcbf0562..659519ca8 100644 --- a/etc/profile-a-l/firefox.profile +++ b/etc/profile-a-l/firefox.profile | |||
@@ -6,7 +6,7 @@ include firefox.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # NOTE: sandboxing web browsers is as important as it is complex. Users might be | 9 | # Note: Sandboxing web browsers is as important as it is complex. Users might be |
10 | # interested in creating custom profiles depending on use case (e.g. one for | 10 | # interested in creating custom profiles depending on use case (e.g. one for |
11 | # general browsing, another for banking, ...). Consult our FAQ/issue tracker for more | 11 | # general browsing, another for banking, ...). Consult our FAQ/issue tracker for more |
12 | # info. Here are a few links to get you going. | 12 | # info. Here are a few links to get you going. |
@@ -30,19 +30,14 @@ whitelist ${HOME}/.cache/mozilla/firefox | |||
30 | whitelist ${HOME}/.mozilla | 30 | whitelist ${HOME}/.mozilla |
31 | 31 | ||
32 | # Add one of the following whitelist options to your firefox.local to enable KeePassXC Plugin support. | 32 | # Add one of the following whitelist options to your firefox.local to enable KeePassXC Plugin support. |
33 | # NOTE: start KeePassXC before Firefox and keep it open to allow communication between them. | 33 | # Note: Start KeePassXC before Firefox and keep it open to allow communication between them. |
34 | #whitelist ${RUNUSER}/kpxc_server | 34 | #whitelist ${RUNUSER}/kpxc_server |
35 | #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer | 35 | #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer |
36 | 36 | ||
37 | whitelist /usr/share/doc | ||
38 | whitelist /usr/share/firefox | 37 | whitelist /usr/share/firefox |
39 | whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini | 38 | whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini |
40 | whitelist /usr/share/gtk-doc/html | ||
41 | whitelist /usr/share/mozilla | ||
42 | whitelist /usr/share/webext | ||
43 | whitelist ${RUNUSER}/*firefox* | 39 | whitelist ${RUNUSER}/*firefox* |
44 | whitelist ${RUNUSER}/psd/*firefox* | 40 | whitelist ${RUNUSER}/psd/*firefox* |
45 | include whitelist-usr-share-common.inc | ||
46 | 41 | ||
47 | # firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin. | 42 | # firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin. |
48 | #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which | 43 | #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which |
diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile index 70a302138..ddfe57879 100644 --- a/etc/profile-a-l/gnome-calendar.profile +++ b/etc/profile-a-l/gnome-calendar.profile | |||
@@ -53,7 +53,7 @@ dbus-user.talk ca.desrt.dconf | |||
53 | dbus-user.talk org.gnome.evolution.dataserver.* | 53 | dbus-user.talk org.gnome.evolution.dataserver.* |
54 | #dbus-user.talk org.gnome.OnlineAccounts | 54 | #dbus-user.talk org.gnome.OnlineAccounts |
55 | #dbus-user.talk org.gnome.ControlCenter | 55 | #dbus-user.talk org.gnome.ControlCenter |
56 | # NOTE: dbus-system none fails, filter without rules works. | 56 | # Note: dbus-system none fails, filter without rules works. |
57 | dbus-system filter | 57 | dbus-system filter |
58 | #dbus-system.talk org.freedesktop.timedate1 | 58 | #dbus-system.talk org.freedesktop.timedate1 |
59 | #dbus-system.talk org.freedesktop.login1 | 59 | #dbus-system.talk org.freedesktop.login1 |
diff --git a/etc/profile-a-l/icecat.profile b/etc/profile-a-l/icecat.profile index 660343a29..b0a42fb77 100644 --- a/etc/profile-a-l/icecat.profile +++ b/etc/profile-a-l/icecat.profile | |||
@@ -12,6 +12,7 @@ mkdir ${HOME}/.cache/mozilla/icecat | |||
12 | mkdir ${HOME}/.mozilla | 12 | mkdir ${HOME}/.mozilla |
13 | whitelist ${HOME}/.cache/mozilla/icecat | 13 | whitelist ${HOME}/.cache/mozilla/icecat |
14 | whitelist ${HOME}/.mozilla | 14 | whitelist ${HOME}/.mozilla |
15 | whitelist /usr/share/icecat | ||
15 | 16 | ||
16 | # private-etc must first be enabled in firefox-common.profile | 17 | # private-etc must first be enabled in firefox-common.profile |
17 | #private-etc icecat | 18 | #private-etc icecat |
diff --git a/etc/profile-a-l/krunner.profile b/etc/profile-a-l/krunner.profile index 27feccf40..a0244ef47 100644 --- a/etc/profile-a-l/krunner.profile +++ b/etc/profile-a-l/krunner.profile | |||
@@ -6,9 +6,9 @@ include krunner.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # - programs started in krunner run with this generic profile | 9 | # Programs started in krunner run with this generic profile. |
10 | # - when a file is opened in krunner, the file viewer runs in its own sandbox | 10 | # When a file is opened in krunner, the file viewer runs in its own sandbox |
11 | # with its own profile, if it is sandboxed automatically | 11 | # with its own profile, if it is sandboxed automatically. |
12 | 12 | ||
13 | # noblacklist ${HOME}/.cache/krunner | 13 | # noblacklist ${HOME}/.cache/krunner |
14 | # noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite* | 14 | # noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite* |
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile index 5cf30ed40..82336969d 100644 --- a/etc/profile-a-l/kube.profile +++ b/etc/profile-a-l/kube.profile | |||
@@ -6,11 +6,10 @@ include kube.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.gnupg | ||
10 | noblacklist ${HOME}/.mozilla | ||
11 | noblacklist ${HOME}/.cache/kube | 9 | noblacklist ${HOME}/.cache/kube |
12 | noblacklist ${HOME}/.config/kube | 10 | noblacklist ${HOME}/.config/kube |
13 | noblacklist ${HOME}/.config/sink | 11 | noblacklist ${HOME}/.config/sink |
12 | noblacklist ${HOME}/.gnupg | ||
14 | noblacklist ${HOME}/.local/share/kube | 13 | noblacklist ${HOME}/.local/share/kube |
15 | noblacklist ${HOME}/.local/share/sink | 14 | noblacklist ${HOME}/.local/share/sink |
16 | 15 | ||
@@ -22,23 +21,28 @@ include disable-programs.inc | |||
22 | include disable-shell.inc | 21 | include disable-shell.inc |
23 | include disable-xdg.inc | 22 | include disable-xdg.inc |
24 | 23 | ||
25 | mkdir ${HOME}/.gnupg | 24 | # The lines below are needed to find the default Firefox profile name, to allow |
25 | # opening links in an existing instance of Firefox (note that it still fails if | ||
26 | # there isn't a Firefox instance running with the default profile; see #5352) | ||
27 | noblacklist ${HOME}/.mozilla | ||
28 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | ||
29 | |||
26 | mkdir ${HOME}/.cache/kube | 30 | mkdir ${HOME}/.cache/kube |
27 | mkdir ${HOME}/.config/kube | 31 | mkdir ${HOME}/.config/kube |
28 | mkdir ${HOME}/.config/sink | 32 | mkdir ${HOME}/.config/sink |
33 | mkdir ${HOME}/.gnupg | ||
29 | mkdir ${HOME}/.local/share/kube | 34 | mkdir ${HOME}/.local/share/kube |
30 | mkdir ${HOME}/.local/share/sink | 35 | mkdir ${HOME}/.local/share/sink |
31 | whitelist ${HOME}/.gnupg | ||
32 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | ||
33 | whitelist ${HOME}/.cache/kube | 36 | whitelist ${HOME}/.cache/kube |
34 | whitelist ${HOME}/.config/kube | 37 | whitelist ${HOME}/.config/kube |
35 | whitelist ${HOME}/.config/sink | 38 | whitelist ${HOME}/.config/sink |
39 | whitelist ${HOME}/.gnupg | ||
36 | whitelist ${HOME}/.local/share/kube | 40 | whitelist ${HOME}/.local/share/kube |
37 | whitelist ${HOME}/.local/share/sink | 41 | whitelist ${HOME}/.local/share/sink |
38 | whitelist ${RUNUSER}/gnupg | 42 | whitelist ${RUNUSER}/gnupg |
39 | whitelist /usr/share/kube | ||
40 | whitelist /usr/share/gnupg | 43 | whitelist /usr/share/gnupg |
41 | whitelist /usr/share/gnupg2 | 44 | whitelist /usr/share/gnupg2 |
45 | whitelist /usr/share/kube | ||
42 | include whitelist-common.inc | 46 | include whitelist-common.inc |
43 | include whitelist-runuser-common.inc | 47 | include whitelist-runuser-common.inc |
44 | include whitelist-usr-share-common.inc | 48 | include whitelist-usr-share-common.inc |
@@ -63,7 +67,6 @@ tracelog | |||
63 | 67 | ||
64 | # disable-mnt | 68 | # disable-mnt |
65 | # Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg | 69 | # Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg |
66 | # Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile. | ||
67 | private-bin kube,sink_synchronizer | 70 | private-bin kube,sink_synchronizer |
68 | private-cache | 71 | private-cache |
69 | private-dev | 72 | private-dev |
@@ -75,6 +78,8 @@ dbus-user filter | |||
75 | dbus-user.talk ca.desrt.dconf | 78 | dbus-user.talk ca.desrt.dconf |
76 | dbus-user.talk org.freedesktop.secrets | 79 | dbus-user.talk org.freedesktop.secrets |
77 | dbus-user.talk org.freedesktop.Notifications | 80 | dbus-user.talk org.freedesktop.Notifications |
81 | # allow D-Bus communication with firefox for opening links | ||
82 | dbus-user.talk org.mozilla.* | ||
78 | dbus-system none | 83 | dbus-system none |
79 | 84 | ||
80 | restrict-namespaces | 85 | restrict-namespaces |
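Review bot: `whitelist ${HOME}/.mozilla/firefox/profiles.ini` (new line 28) mounts the file read-write, although the comment above it says it is only read to find the default profile name; adding `read-only ${HOME}/.mozilla/firefox/profiles.ini` after the whitelist keeps kube from being able to rewrite Firefox's profile list. In the last hunk, `dbus-user.talk org.mozilla.*` (new line 82) covers every org.mozilla bus name; if Firefox's remote name (`org.mozilla.firefox.<profile>`) is the only target, `dbus-user.talk org.mozilla.firefox.*` is the narrower rule, worth confirming against the name Firefox actually registers on the user's session bus.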
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile index b84cbb119..65a4a3787 100644 --- a/etc/profile-a-l/librewolf.profile +++ b/etc/profile-a-l/librewolf.profile | |||
@@ -19,21 +19,16 @@ whitelist ${HOME}/.librewolf | |||
19 | #whitelist ${HOME}/.mozilla | 19 | #whitelist ${HOME}/.mozilla |
20 | 20 | ||
21 | # To enable KeePassXC Plugin add one of the following lines to your librewolf.local. | 21 | # To enable KeePassXC Plugin add one of the following lines to your librewolf.local. |
22 | # NOTE: start KeePassXC before Librewolf and keep it open to allow communication between them. | 22 | # Note: Start KeePassXC before Librewolf and keep it open to allow communication between them. |
23 | #whitelist ${RUNUSER}/kpxc_server | 23 | #whitelist ${RUNUSER}/kpxc_server |
24 | #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer | 24 | #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer |
25 | 25 | ||
26 | whitelist /usr/share/doc | ||
27 | whitelist /usr/share/gtk-doc/html | ||
28 | whitelist /usr/share/librewolf | 26 | whitelist /usr/share/librewolf |
29 | whitelist /usr/share/mozilla | ||
30 | whitelist /usr/share/webext | ||
31 | include whitelist-usr-share-common.inc | ||
32 | 27 | ||
33 | # Add the next line to your librewolf.local to enable private-bin (Arch Linux). | 28 | # Add the next line to your librewolf.local to enable private-bin (Arch Linux). |
34 | #private-bin dbus-launch,dbus-send,librewolf,sh | 29 | #private-bin dbus-launch,dbus-send,librewolf,sh |
35 | # Add the next line to your librewolf.local to enable private-etc. | 30 | # Add the next line to your librewolf.local to enable private-etc. |
36 | # NOTE: private-etc must first be enabled in firefox-common.local. | 31 | # Note: private-etc must first be enabled in firefox-common.local. |
37 | #private-etc librewolf | 32 | #private-etc librewolf |
38 | 33 | ||
39 | dbus-user filter | 34 | dbus-user filter |
diff --git a/etc/profile-m-z/minetest.profile b/etc/profile-m-z/minetest.profile index 15474c96e..7b0135695 100644 --- a/etc/profile-m-z/minetest.profile +++ b/etc/profile-m-z/minetest.profile | |||
@@ -6,8 +6,9 @@ include minetest.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # In order to save in-game screenshots to a persistent location edit ~/.minetest/minetest.conf: | 9 | # In order to save in-game screenshots to a persistent location, |
10 | # screenshot_path = /home/<USER>/.minetest/screenshots | 10 | # edit ~/.minetest/minetest.conf: |
11 | # screenshot_path = /home/<USER>/.minetest/screenshots | ||
11 | 12 | ||
12 | noblacklist ${HOME}/.cache/minetest | 13 | noblacklist ${HOME}/.cache/minetest |
13 | noblacklist ${HOME}/.minetest | 14 | noblacklist ${HOME}/.minetest |
diff --git a/etc/profile-m-z/mov-cli.profile b/etc/profile-m-z/mov-cli.profile index c5f764912..8007b887a 100644 --- a/etc/profile-m-z/mov-cli.profile +++ b/etc/profile-m-z/mov-cli.profile | |||
@@ -8,9 +8,13 @@ include mov-cli.local | |||
8 | # added by included profile | 8 | # added by included profile |
9 | #include globals.local | 9 | #include globals.local |
10 | 10 | ||
11 | noblacklist ${HOME}/.config/mov-cli | ||
12 | |||
11 | include disable-proc.inc | 13 | include disable-proc.inc |
12 | include disable-xdg.inc | 14 | include disable-xdg.inc |
13 | 15 | ||
16 | mkdir ${HOME}/.config/mov-cli | ||
17 | whitelist ${HOME}/.config/mov-cli | ||
14 | include whitelist-run-common.inc | 18 | include whitelist-run-common.inc |
15 | include whitelist-runuser-common.inc | 19 | include whitelist-runuser-common.inc |
16 | 20 | ||
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile index bd01d4082..fd35483be 100644 --- a/etc/profile-m-z/mpv.profile +++ b/etc/profile-m-z/mpv.profile | |||
@@ -9,7 +9,7 @@ include globals.local | |||
9 | 9 | ||
10 | # In order to save screenshots to a persistent location, | 10 | # In order to save screenshots to a persistent location, |
11 | # edit ~/.config/mpv/foobar.conf: | 11 | # edit ~/.config/mpv/foobar.conf: |
12 | # screenshot-directory=~/Pictures | 12 | # screenshot-directory=~/Pictures |
13 | 13 | ||
14 | # mpv has a powerful Lua API and some of the Lua scripts interact with | 14 | # mpv has a powerful Lua API and some of the Lua scripts interact with |
15 | # external resources which are blocked by firejail. In such cases you need to | 15 | # external resources which are blocked by firejail. In such cases you need to |
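--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -7,7 +7,7 @@ include nodejs-common.local
 # added by caller profile
 #include globals.local
 
-# NOTE: gulp, node-gyp, npm, npx, semver and yarn are all node scripts
+# Note: gulp, node-gyp, npm, npx, semver and yarn are all node scripts
 # using the `#!/usr/bin/env node` shebang. By sandboxing node the full
 # node.js stack will be firejailed. The only exception is nvm, which is implemented
 # as a sourced shell function, not an executable binary. Hence it is not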
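--- a/etc/profile-m-z/noprofile.profile
+++ b/etc/profile-m-z/noprofile.profile
@@ -1,17 +1,16 @@
 # This is the weakest possible firejail profile.
-# If a program still fail with this profile, it is incompatible with firejail.
+# If a program still fails with this profile, it is incompatible with firejail.
 # (from https://gist.github.com/rusty-snake/bb234cb3e50e1e4e7429f29a7931cc72)
 #
 # Usage:
-# 1. download
-# 2. firejail --profile=noprofile.profile /path/to/program
+# $ firejail --profile=noprofile.profile /path/to/program
 
 # Keep in mind that even with this profile some things are done
-# which can break the program.
-# - some env-vars are cleared
-# - /etc/firejail/firejail.config can contain options such as 'force-nonewprivs yes'
-# - a new private pid-namespace is created
-# - a minimal hardcoded blacklist is applied
+# which can break the program:
+# - some env-vars are cleared;
+# - /etc/firejail/firejail.config can contain options such as 'force-nonewprivs yes';
+# - a new private pid-namespace is created;
+# - a minimal hardcoded blacklist is applied;
 # - ...
 
 noblacklist /sys/fs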
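--- a/etc/profile-m-z/palemoon.profile
+++ b/etc/profile-m-z/palemoon.profile
@@ -12,6 +12,8 @@ mkdir ${HOME}/.cache/moonchild productions/pale moon
 mkdir ${HOME}/.moonchild productions
 whitelist ${HOME}/.cache/moonchild productions/pale moon
 whitelist ${HOME}/.moonchild productions
+whitelist /usr/share/moonchild productions
+whitelist /usr/share/palemoon
 
 # Palemoon can use the full firejail seccomp filter (unlike firefox >= 60)
 seccomp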
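Review bot: The two new `whitelist /usr/share/...` lines make /usr/share whitelist-only, and `include whitelist-usr-share-common.inc` is not visible in this hunk, while the pingus hunk in this commit pairs its /usr/share whitelists with exactly that include. If palemoon.profile does not pull that include in elsewhere, shared data such as fonts and icons would no longer be visible in the sandbox; if it does, this is fine. Since the include sits outside the hunk either way, a one-line comment above the two whitelists pointing at it would save the next reader the same check.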
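--- a/etc/profile-m-z/pingus.profile
+++ b/etc/profile-m-z/pingus.profile
@@ -23,8 +23,9 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.pingus
 whitelist ${HOME}/.pingus
+# Debian keeps games data under /usr/share/games
+whitelist /usr/share/games/pingus
 whitelist /usr/share/pingus
-whitelist /usr/share/games/pingus # Debian keeps games data under /usr/share/games
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc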
diff --git a/etc/profile-m-z/rtin.profile b/etc/profile-m-z/rtin.profile index 87aa69bcb..b1acf8b2e 100644 --- a/etc/profile-m-z/rtin.profile +++ b/etc/profile-m-z/rtin.profile | |||
@@ -1,6 +1,6 @@ | |||
1 | # Firejail profile for rtin | 1 | # Firejail profile for rtin |
2 | # Description: ncurses-based Usenet newsreader | 2 | # Description: ncurses-based Usenet newsreader |
3 | # symlink to tin, same as `tin -r` | 3 | # symlink to tin, same as `tin -r` |
4 | # This file is overwritten after every install/update | 4 | # This file is overwritten after every install/update |
5 | # Persistent local customizations | 5 | # Persistent local customizations |
6 | include rtin.local | 6 | include rtin.local |
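--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -11,7 +11,9 @@ ignore noexec /tmp
 
 noblacklist ${HOME}/.config/Signal
 
-# These lines are needed to allow Firefox to open links
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
 
@@ -21,11 +23,9 @@ whitelist ${HOME}/.config/Signal
 private-etc @tls-ca
 
 dbus-user filter
-
 # allow D-Bus notifications
 dbus-user.talk org.freedesktop.Notifications
-
-# allow D-Bus communication with Firefox browsers for opening links
+# allow D-Bus communication with firefox for opening links
 dbus-user.talk org.mozilla.*
 
 ignore dbus-user none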
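Review bot: The new comment in the first hunk says profiles.ini is needed only to find the default Firefox profile name, but the `whitelist ${HOME}/.mozilla/firefox/profiles.ini` line below it binds the file read-write, so a compromised Signal could rewrite Firefox's profile list. Since reading is all the comment claims is needed, adding `read-only ${HOME}/.mozilla/firefox/profiles.ini` directly after the whitelist line limits the grant to that. In the second hunk, `dbus-user.talk org.mozilla.*` stays a wildcard over every org.mozilla name on the session bus; if that is because Firefox's bus name embeds the profile id (which would also explain why profiles.ini is read), the rewritten comment is the right place to say so, e.g. `# (wildcard: the bus name includes the profile id)`.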
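--- /dev/null
+++ b/etc/profile-m-z/sniffnet.profile
@@ -0,0 +1,49 @@
+# Firejail profile for sniffnet
+# Description: Network traffic monitor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sniffnet.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/sniffnet
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+#caps.drop all
+caps.keep net_admin,net_raw
+netfilter
+nodvd
+nogroups
+noinput
+# nonewprivs - breaks network traffic capture for unprivileged users
+# noroot
+notv
+nou2f
+novideo
+#seccomp
+tracelog
+
+disable-mnt
+#private-bin sniffnet
+# private-dev prevents (some) interfaces from being shown.
+private-etc @network,@tls-ca
+private-tmp
+
+dbus-user none
+dbus-system none
+
+#restrict-namespaces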
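Review bot: `noblacklist ${HOME}/.config/sniffnet` is not followed by the `mkdir`/`whitelist` pair that every other profile in this commit uses before `include whitelist-common.inc` (mov-cli, pingus, trojita), so if that include whitelists home paths, as its use next to those pairs suggests, the config directory will not be visible inside the sandbox at all; `mkdir ${HOME}/.config/sniffnet` and `whitelist ${HOME}/.config/sniffnet` ahead of the include would match the siblings. `#seccomp` and `# noroot` are switched off with no reason given, while the neighbouring `# nonewprivs` line does explain itself; for a capture tool that keeps net_admin and net_raw and runs without a syscall filter, each disabled hardening option should carry its cause in the same style, or be re-enabled if it was only inherited from the template. `caps.keep net_admin,net_raw` is also broader than a sniffer usually needs: libpcap-based capture on Linux generally works with net_raw alone (promiscuous mode is requested through packet-socket membership), so `caps.keep net_raw` is worth trying first and widening only if capture actually fails. Finally, the comment `# private-dev prevents (some) interfaces from being shown.` has no private-dev line, commented or not, beneath it; adding `#private-dev` under it makes clear what the comment refers to.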
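--- a/etc/profile-m-z/spotify.profile
+++ b/etc/profile-m-z/spotify.profile
@@ -16,6 +16,7 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.cache/spotify
@@ -34,6 +35,7 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 notv
 nou2f
@@ -50,8 +52,11 @@ private-opt spotify
 private-srv none
 private-tmp
 
-# dbus needed for MPRIS
-# dbus-user none
-# dbus-system none
+dbus-user filter
+dbus-user.own org.mpris.MediaPlayer2.spotify
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.mpris.MediaPlayer2.Player
+dbus-system none
 
 restrict-namespaces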
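Review bot: `dbus-user.talk org.mpris.MediaPlayer2.Player` in the last hunk names the MPRIS player interface rather than a bus name; the filter's own/talk rules match well-known bus names, like the `org.mpris.MediaPlayer2.spotify` this profile owns three lines up, and an MPRIS client reaches the Player interface through that owned name. Unless some service on the session bus actually owns the literal name `org.mpris.MediaPlayer2.Player`, the rule grants nothing and should be dropped, or replaced with the bus name of the peer spotify really talks to. The remaining rules read as a sensible minimum for MPRIS, notifications and the secret service; a short comment on `org.freedesktop.secrets` saying what spotify stores there (presumably login credentials) would replace the explanatory value of the old `# dbus needed for MPRIS` line that this hunk removes.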
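--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -133,9 +133,9 @@ whitelist ${HOME}/.steampid
 include whitelist-common.inc
 include whitelist-var-common.inc
 
-# NOTE: The following were intentionally left out as they are alternative
+# Note: The following were intentionally left out as they are alternative
 # (i.e.: unnecessary and/or legacy) paths whose existence may potentially
 # clobber other paths (see #4225). If you use any, either add the entry to
 # steam.local or move the contents to a path listed above (or open an issue if
 # it's missing above).
 #mkdir ${HOME}/.config/RogueLegacyStorageContainer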
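--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -47,10 +47,7 @@ whitelist ${HOME}/.thunderbird
 
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
-whitelist /usr/share/mozilla
 whitelist /usr/share/thunderbird
-whitelist /usr/share/webext
-include whitelist-usr-share-common.inc
 
 # machine-id breaks audio in browsers; enable or put it in your thunderbird.local when sound is not required
 #machine-id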
diff --git a/etc/profile-m-z/tin.profile b/etc/profile-m-z/tin.profile index a03a6caa0..35ff14e88 100644 --- a/etc/profile-m-z/tin.profile +++ b/etc/profile-m-z/tin.profile | |||
@@ -24,8 +24,8 @@ include disable-xdg.inc | |||
24 | mkdir ${HOME}/.tin | 24 | mkdir ${HOME}/.tin |
25 | mkfile ${HOME}/.newsrc | 25 | mkfile ${HOME}/.newsrc |
26 | # Note: files/directories directly in ${HOME} can't be whitelisted, as | 26 | # Note: files/directories directly in ${HOME} can't be whitelisted, as |
27 | # tin saves .newsrc by renaming a temporary file, which is not possible for | 27 | # tin saves .newsrc by renaming a temporary file, which is not possible for |
28 | # bind-mounted files. | 28 | # bind-mounted files. |
29 | #whitelist ${HOME}/.newsrc | 29 | #whitelist ${HOME}/.newsrc |
30 | #whitelist ${HOME}/.tin | 30 | #whitelist ${HOME}/.tin |
31 | #include whitelist-common.inc | 31 | #include whitelist-common.inc |
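--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -7,7 +7,6 @@ include trojita.local
 include globals.local
 
 noblacklist ${HOME}/.abook
-noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.cache/flaska.net/trojita
 noblacklist ${HOME}/.config/flaska.net
 
@@ -19,11 +18,16 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+
 mkdir ${HOME}/.abook
 mkdir ${HOME}/.cache/flaska.net/trojita
 mkdir ${HOME}/.config/flaska.net
 whitelist ${HOME}/.abook
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
 whitelist ${HOME}/.cache/flaska.net/trojita
 whitelist ${HOME}/.config/flaska.net
 include whitelist-common.inc
@@ -49,7 +53,6 @@ seccomp
 tracelog
 
 # disable-mnt
-# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
 private-bin trojita
 private-cache
 private-dev
@@ -58,6 +61,8 @@ private-tmp
 
 dbus-user filter
 dbus-user.talk org.freedesktop.secrets
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*
 dbus-system none
 
 restrict-namespaces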
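Review bot: The second hunk's new comment says profiles.ini is only read to find the default Firefox profile name, yet the `whitelist ${HOME}/.mozilla/firefox/profiles.ini` it moves here binds the file read-write, so a compromised trojita could alter Firefox's profile list; `read-only ${HOME}/.mozilla/firefox/profiles.ini` right after that whitelist line limits the grant to what the comment describes. The `dbus-user.talk org.mozilla.*` added in the last hunk is a wildcard over every org.mozilla name on the session bus, copied from signal-desktop.profile in this same commit; if the wildcard is needed because Firefox's bus name embeds the profile id, that justification belongs in the comment above it, e.g. `# (wildcard: Firefox's bus name includes the profile id)`. The third hunk drops the old `ignore private-bin` hint without replacing it, so it is worth confirming that opening links now works with `private-bin trojita` alone, i.e. purely over D-Bus, before this lands.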
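--- a/etc/profile-m-z/waterfox.profile
+++ b/etc/profile-m-z/waterfox.profile
@@ -12,6 +12,7 @@ mkdir ${HOME}/.cache/waterfox
 mkdir ${HOME}/.waterfox
 whitelist ${HOME}/.cache/waterfox
 whitelist ${HOME}/.waterfox
+whitelist /usr/share/waterfox
 
 # Add the next lines to your watefox.local if you want to use the migration wizard.
 #noblacklist ${HOME}/.mozilla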
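Review bot: The new `whitelist /usr/share/waterfox` makes /usr/share whitelist-only, and no `include whitelist-usr-share-common.inc` is visible in this hunk, whereas the pingus hunk in this commit places that include right after its /usr/share whitelists. If waterfox.profile does not include it elsewhere, fonts, icons and similar shared data vanish from the sandbox; if it does, a one-line comment here pointing at it would spare the next reader the check. Unrelated to this change but on the adjacent context line, `watefox.local` is a typo for `waterfox.local`.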