diff options
| author |  netblue30 <netblue30@yahoo.com> | 2016-11-21 08:48:38 -0500 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2016-11-21 08:48:38 -0500 |
| commit | 8e932c019367bc270b3ae258077392f90feb7fa3 (patch) | |
| tree | 644029d0b62ce603e899ffdd52fdc468471bf908 /etc | |
| parent | testing (diff) | |
| parent | profiles (diff) | |
| download | firejail-8e932c019367bc270b3ae258077392f90feb7fa3.tar.gz firejail-8e932c019367bc270b3ae258077392f90feb7fa3.tar.zst firejail-8e932c019367bc270b3ae258077392f90feb7fa3.zip | |
Merge branch 'master' of https://github.com/netblue30/firejail
Diffstat (limited to 'etc')
75 files changed, 1020 insertions, 46 deletions
diff --git a/etc/abrowser.profile b/etc/abrowser.profile index 4aa18aa90..481301420 100644 --- a/etc/abrowser.profile +++ b/etc/abrowser.profile | |||
| @@ -1,5 +1,4 @@ | |||
| 1 | # Firejail profile for Abrowser | 1 | # Firejail profile for Abrowser |
| 2 | |||
| 3 | noblacklist ~/.mozilla | 2 | noblacklist ~/.mozilla |
| 4 | noblacklist ~/.cache/mozilla | 3 | noblacklist ~/.cache/mozilla |
| 5 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
diff --git a/etc/amarok.profile b/etc/amarok.profile new file mode 100644 index 000000000..8d5b35d47 --- /dev/null +++ b/etc/amarok.profile | |||
| @@ -0,0 +1,19 @@ | |||
| 1 | # amarok profile | ||
| 2 | include /etc/firejail/disable-common.inc | ||
| 3 | include /etc/firejail/disable-programs.inc | ||
| 4 | include /etc/firejail/disable-devel.inc | ||
| 5 | include /etc/firejail/disable-passwdmgr.inc | ||
| 6 | |||
| 7 | caps.drop all | ||
| 8 | netfilter | ||
| 9 | nogroups | ||
| 10 | nonewprivs | ||
| 11 | noroot | ||
| 12 | shell none | ||
| 13 | #seccomp | ||
| 14 | protocol unix,inet,inet6 | ||
| 15 | |||
| 16 | #private-bin amarok | ||
| 17 | private-dev | ||
| 18 | private-tmp | ||
| 19 | #private-etc none | ||
diff --git a/etc/ark.profile b/etc/ark.profile new file mode 100644 index 000000000..61b4c6f60 --- /dev/null +++ b/etc/ark.profile | |||
| @@ -0,0 +1,23 @@ | |||
| 1 | # ark profile | ||
| 2 | noblacklist ~/.config/arkrc | ||
| 3 | |||
| 4 | include /etc/firejail/disable-common.inc | ||
| 5 | include /etc/firejail/disable-programs.inc | ||
| 6 | include /etc/firejail/disable-devel.inc | ||
| 7 | include /etc/firejail/disable-passwdmgr.inc | ||
| 8 | |||
| 9 | caps.drop all | ||
| 10 | netfilter | ||
| 11 | nogroups | ||
| 12 | nonewprivs | ||
| 13 | noroot | ||
| 14 | nosound | ||
| 15 | shell none | ||
| 16 | seccomp | ||
| 17 | protocol unix | ||
| 18 | |||
| 19 | # private-bin | ||
| 20 | private-dev | ||
| 21 | private-tmp | ||
| 22 | # private-etc | ||
| 23 | |||
diff --git a/etc/atool.profile b/etc/atool.profile new file mode 100644 index 000000000..3fbfb9fc7 --- /dev/null +++ b/etc/atool.profile | |||
| @@ -0,0 +1,24 @@ | |||
| 1 | # atool profile | ||
| 2 | include /etc/firejail/disable-common.inc | ||
| 3 | include /etc/firejail/disable-programs.inc | ||
| 4 | # include /etc/firejail/disable-devel.inc | ||
| 5 | include /etc/firejail/disable-passwdmgr.inc | ||
| 6 | |||
| 7 | caps.drop all | ||
| 8 | nogroups | ||
| 9 | nonewprivs | ||
| 10 | noroot | ||
| 11 | nosound | ||
| 12 | protocol unix | ||
| 13 | seccomp | ||
| 14 | netfilter | ||
| 15 | net none | ||
| 16 | shell none | ||
| 17 | tracelog | ||
| 18 | |||
| 19 | # private-bin atool | ||
| 20 | private-tmp | ||
| 21 | private-dev | ||
| 22 | private-etc none | ||
| 23 | |||
| 24 | |||
diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile new file mode 100644 index 000000000..0a71db9f0 --- /dev/null +++ b/etc/bleachbit.profile | |||
| @@ -0,0 +1,21 @@ | |||
| 1 | # bleachbit profile | ||
| 2 | include /etc/firejail/disable-common.inc | ||
| 3 | # include /etc/firejail/disable-programs.inc | ||
| 4 | include /etc/firejail/disable-devel.inc | ||
| 5 | include /etc/firejail/disable-passwdmgr.inc | ||
| 6 | |||
| 7 | caps.drop all | ||
| 8 | netfilter | ||
| 9 | nogroups | ||
| 10 | nonewprivs | ||
| 11 | noroot | ||
| 12 | nosound | ||
| 13 | shell none | ||
| 14 | seccomp | ||
| 15 | protocol unix | ||
| 16 | |||
| 17 | # private-bin | ||
| 18 | # private-dev | ||
| 19 | # private-tmp | ||
| 20 | # private-etc | ||
| 21 | |||
diff --git a/etc/brasero.profile b/etc/brasero.profile new file mode 100644 index 000000000..66de6fa50 --- /dev/null +++ b/etc/brasero.profile | |||
| @@ -0,0 +1,23 @@ | |||
| 1 | # brasero profile | ||
| 2 | noblacklist ~/.config/brasero | ||
| 3 | |||
| 4 | include /etc/firejail/disable-common.inc | ||
| 5 | include /etc/firejail/disable-programs.inc | ||
| 6 | include /etc/firejail/disable-devel.inc | ||
| 7 | include /etc/firejail/disable-passwdmgr.inc | ||
| 8 | |||
| 9 | caps.drop all | ||
| 10 | nogroups | ||
| 11 | nonewprivs | ||
| 12 | noroot | ||
| 13 | nosound | ||
| 14 | protocol unix | ||
| 15 | seccomp | ||
| 16 | netfilter | ||
| 17 | shell none | ||
| 18 | tracelog | ||
| 19 | |||
| 20 | # private-bin brasero | ||
| 21 | # private-tmp | ||
| 22 | # private-dev | ||
| 23 | # private-etc fonts | ||
diff --git a/etc/brave.profile b/etc/brave.profile index 4fc3a5bb0..21ea7f908 100644 --- a/etc/brave.profile +++ b/etc/brave.profile | |||
| @@ -1,5 +1,4 @@ | |||
| 1 | # Profile for Brave browser | 1 | # Profile for Brave browser |
| 2 | |||
| 3 | noblacklist ~/.config/brave | 2 | noblacklist ~/.config/brave |
| 4 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
| 5 | include /etc/firejail/disable-programs.inc | 4 | include /etc/firejail/disable-programs.inc |
diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile index 1b6d2f645..8921bb25e 100644 --- a/etc/claws-mail.profile +++ b/etc/claws-mail.profile | |||
| @@ -1,5 +1,4 @@ | |||
| 1 | # claws-mail profile | 1 | # claws-mail profile |
| 2 | |||
| 3 | noblacklist ~/.claws-mail | 2 | noblacklist ~/.claws-mail |
| 4 | noblacklist ~/.signature | 3 | noblacklist ~/.signature |
| 5 | noblacklist ~/.gnupg | 4 | noblacklist ~/.gnupg |
diff --git a/etc/corebird.profile b/etc/corebird.profile index 077ae30d0..6fb8219e8 100644 --- a/etc/corebird.profile +++ b/etc/corebird.profile | |||
| @@ -1,5 +1,4 @@ | |||
| 1 | # Firejail corebird profile | 1 | # Firejail corebird profile |
| 2 | |||
| 3 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
| 4 | include /etc/firejail/disable-programs.inc | 3 | include /etc/firejail/disable-programs.inc |
| 5 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile index ae487fa3c..84021dab3 100644 --- a/etc/cyberfox.profile +++ b/etc/cyberfox.profile | |||
| @@ -1,5 +1,4 @@ | |||
| 1 | # Firejail profile for Cyberfox (based on Mozilla Firefox) | 1 | # Firejail profile for Cyberfox (based on Mozilla Firefox) |
| 2 | |||
| 3 | noblacklist ~/.8pecxstudios | 2 | noblacklist ~/.8pecxstudios |
| 4 | noblacklist ~/.cache/8pecxstudios | 3 | noblacklist ~/.cache/8pecxstudios |
| 5 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
diff --git a/etc/default.profile b/etc/default.profile index a2de72695..603321316 100644 --- a/etc/default.profile +++ b/etc/default.profile | |||
| @@ -5,11 +5,20 @@ include /etc/firejail/disable-common.inc | |||
| 5 | include /etc/firejail/disable-programs.inc | 5 | include /etc/firejail/disable-programs.inc |
| 6 | include /etc/firejail/disable-passwdmgr.inc | 6 | include /etc/firejail/disable-passwdmgr.inc |
| 7 | 7 | ||
| 8 | #blacklist ${HOME}/.wine | ||
| 9 | |||
| 10 | caps.drop all | 8 | caps.drop all |
| 11 | netfilter | 9 | netfilter |
| 12 | nonewprivs | 10 | nonewprivs |
| 13 | noroot | 11 | noroot |
| 14 | protocol unix,inet,inet6 | 12 | protocol unix,inet,inet6 |
| 15 | seccomp | 13 | seccomp |
| 14 | |||
| 15 | # | ||
| 16 | # depending on you usage, you can enable some of the commands below: | ||
| 17 | # | ||
| 18 | # nogroups | ||
| 19 | # shell none | ||
| 20 | # private-bin program | ||
| 21 | # private-etc none | ||
| 22 | # private-dev | ||
| 23 | # private-tmp | ||
| 24 | |||
diff --git a/etc/dillo.profile b/etc/dillo.profile index 2ddd363cb..108787920 100644 --- a/etc/dillo.profile +++ b/etc/dillo.profile | |||
| @@ -1,5 +1,4 @@ | |||
| 1 | # Firejail profile for Dillo web browser | 1 | # Firejail profile for Dillo web browser |
| 2 | |||
| 3 | noblacklist ~/.dillo | 2 | noblacklist ~/.dillo |
| 4 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
| 5 | include /etc/firejail/disable-programs.inc | 4 | include /etc/firejail/disable-programs.inc |
diff --git a/etc/dolphin.profile b/etc/dolphin.profile new file mode 100644 index 000000000..1a6abb71d --- /dev/null +++ b/etc/dolphin.profile | |||
| @@ -0,0 +1,23 @@ | |||
| 1 | # dolphin profile | ||
| 2 | noblacklist ~/.config/dolphinrc | ||
| 3 | noblacklist ~/.local/share/dolphin | ||
| 4 | |||
| 5 | include /etc/firejail/disable-common.inc | ||
| 6 | include /etc/firejail/disable-programs.inc | ||
| 7 | include /etc/firejail/disable-devel.inc | ||
| 8 | include /etc/firejail/disable-passwdmgr.inc | ||
| 9 | |||
| 10 | caps.drop all | ||
| 11 | netfilter | ||
| 12 | nogroups | ||
| 13 | nonewprivs | ||
| 14 | noroot | ||
| 15 | shell none | ||
| 16 | seccomp | ||
| 17 | protocol unix | ||
| 18 | |||
| 19 | # private-bin | ||
| 20 | # private-dev | ||
| 21 | # private-tmp | ||
| 22 | # private-etc | ||
| 23 | |||
diff --git a/etc/dragon.profile b/etc/dragon.profile new file mode 100644 index 000000000..09cb73802 --- /dev/null +++ b/etc/dragon.profile | |||
| @@ -0,0 +1,22 @@ | |||
| 1 | # dragon player profile | ||
| 2 | noblacklist ~/.config/dragonplayerrc | ||
| 3 | |||
| 4 | include /etc/firejail/disable-common.inc | ||
| 5 | include /etc/firejail/disable-programs.inc | ||
| 6 | include /etc/firejail/disable-devel.inc | ||
| 7 | include /etc/firejail/disable-passwdmgr.inc | ||
| 8 | |||
| 9 | caps.drop all | ||
| 10 | netfilter | ||
| 11 | nogroups | ||
| 12 | nonewprivs | ||
| 13 | noroot | ||
| 14 | shell none | ||
| 15 | seccomp | ||
| 16 | protocol unix,inet,inet6 | ||
| 17 | |||
| 18 | private-bin dragon | ||
| 19 | private-dev | ||
| 20 | private-tmp | ||
| 21 | # private-etc | ||
| 22 | |||
diff --git a/etc/elinks.profile b/etc/elinks.profile new file mode 100644 index 000000000..df817ea56 --- /dev/null +++ b/etc/elinks.profile | |||
| @@ -0,0 +1,24 @@ | |||
| 1 | # elinks profile | ||
| 2 | noblacklist ~/.elinks | ||
| 3 | |||
| 4 | include /etc/firejail/disable-common.inc | ||
| 5 | include /etc/firejail/disable-programs.inc | ||
| 6 | include /etc/firejail/disable-devel.inc | ||
| 7 | include /etc/firejail/disable-passwdmgr.inc | ||
| 8 | |||
| 9 | caps.drop all | ||
| 10 | nogroups | ||
| 11 | nonewprivs | ||
| 12 | noroot | ||
| 13 | nosound | ||
| 14 | protocol unix,inet,inet6 | ||
| 15 | seccomp | ||
| 16 | netfilter | ||
| 17 | shell none | ||
| 18 | tracelog | ||
| 19 | |||
| 20 | # private-bin elinks | ||
| 21 | private-tmp | ||
| 22 | private-dev | ||
| 23 | # private-etc none | ||
| 24 | |||
diff --git a/etc/emacs.profile b/etc/emacs.profile index cbdba7712..2b9c5805c 100644 --- a/etc/emacs.profile +++ b/etc/emacs.profile | |||
| @@ -1,5 +1,4 @@ | |||
| 1 | # emacs profile | 1 | # emacs profile |
| 2 | |||
| 3 | noblacklist ~/.emacs | 2 | noblacklist ~/.emacs |
| 4 | noblacklist ~/.emacs.d | 3 | noblacklist ~/.emacs.d |
| 5 | 4 | ||
diff --git a/etc/enchant.profile b/etc/enchant.profile new file mode 100644 index 000000000..cf8288919 --- /dev/null +++ b/etc/enchant.profile | |||
| @@ -0,0 +1,23 @@ | |||
| 1 | # enchant profile | ||
| 2 | noblacklist ~/.config/enchant | ||
| 3 | |||
| 4 | include /etc/firejail/disable-common.inc | ||
| 5 | include /etc/firejail/disable-programs.inc | ||
| 6 | include /etc/firejail/disable-devel.inc | ||
| 7 | include /etc/firejail/disable-passwdmgr.inc | ||
| 8 | |||
| 9 | caps.drop all | ||
| 10 | nogroups | ||
| 11 | nonewprivs | ||
| 12 | noroot | ||
| 13 | nosound | ||
| 14 | protocol unix | ||
| 15 | seccomp | ||
| 16 | netfilter | ||
| 17 | shell none | ||
| 18 | tracelog | ||
| 19 | |||
| 20 | # private-bin enchant | ||
| 21 | # private-tmp | ||
| 22 | # private-dev | ||
| 23 | # private-etc fonts | ||
diff --git a/etc/eog.profile b/etc/eog.profile index 68e950bd7..d463f3a97 100644 --- a/etc/eog.profile +++ b/etc/eog.profile | |||
| @@ -1,5 +1,4 @@ | |||
| 1 | # eog (gnome image viewer) profile | 1 | # eog (gnome image viewer) profile |
| 2 | |||
| 3 | noblacklist ~/.config/eog | 2 | noblacklist ~/.config/eog |
| 4 | 3 | ||
| 5 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
diff --git a/etc/evince.profile b/etc/evince.profile index cbb2083f4..12ea358be 100644 --- a/etc/evince.profile +++ b/etc/evince.profile | |||
| @@ -19,4 +19,5 @@ tracelog | |||
| 19 | private-bin evince,evince-previewer,evince-thumbnailer | 19 | private-bin evince,evince-previewer,evince-thumbnailer |
| 20 | private-dev | 20 | private-dev |
| 21 | private-etc fonts | 21 | private-etc fonts |
| 22 | private-tmp \ No newline at end of file | 22 | # evince needs access to /tmp/mozilla* to work in firefox |
| 23 | # private-tmp | ||
diff --git a/etc/evolution.profile b/etc/evolution.profile index d63eeed74..ab6dd7a4a 100644 --- a/etc/evolution.profile +++ b/etc/evolution.profile | |||
| @@ -1,5 +1,4 @@ | |||
| 1 | # evolution profile | 1 | # evolution profile |
| 2 | |||
| 3 | noblacklist ~/.config/evolution | 2 | noblacklist ~/.config/evolution |
| 4 | noblacklist ~/.local/share/evolution | 3 | noblacklist ~/.local/share/evolution |
| 5 | noblacklist ~/.cache/evolution | 4 | noblacklist ~/.cache/evolution |
diff --git a/etc/exiftool.profile b/etc/exiftool.profile new file mode 100644 index 000000000..384695473 --- /dev/null +++ b/etc/exiftool.profile | |||
| @@ -0,0 +1,28 @@ | |||
| 1 | # exiftool profile | ||
| 2 | noblacklist /usr/bin/perl | ||
| 3 | noblacklist /usr/share/perl* | ||
| 4 | noblacklist /usr/lib/perl* | ||
| 5 | |||
| 6 | include /etc/firejail/disable-common.inc | ||
| 7 | include /etc/firejail/disable-programs.inc | ||
| 8 | include /etc/firejail/disable-devel.inc | ||
| 9 | include /etc/firejail/disable-passwdmgr.inc | ||
| 10 | |||
| 11 | caps.drop all | ||
| 12 | nogroups | ||
| 13 | nonewprivs | ||
| 14 | noroot | ||
| 15 | nosound | ||
| 16 | protocol unix | ||
| 17 | seccomp | ||
| 18 | netfilter | ||
| 19 | net none | ||
| 20 | shell none | ||
| 21 | tracelog | ||
| 22 | |||
| 23 | # private-bin exiftool,perl | ||
| 24 | private-tmp | ||
| 25 | private-dev | ||
| 26 | private-etc none | ||
| 27 | |||
| 28 | |||
diff --git a/etc/file-roller.profile b/etc/file-roller.profile new file mode 100644 index 000000000..6116389db --- /dev/null +++ b/etc/file-roller.profile | |||
| @@ -0,0 +1,21 @@ | |||
| 1 | # file-roller profile | ||
| 2 | include /etc/firejail/disable-common.inc | ||
| 3 | include /etc/firejail/disable-programs.inc | ||
| 4 | include /etc/firejail/disable-devel.inc | ||
| 5 | include /etc/firejail/disable-passwdmgr.inc | ||
| 6 | |||
| 7 | caps.drop all | ||
| 8 | nogroups | ||
| 9 | nonewprivs | ||
| 10 | noroot | ||
| 11 | nosound | ||
| 12 | protocol unix | ||
| 13 | seccomp | ||
| 14 | netfilter | ||
| 15 | shell none | ||
| 16 | tracelog | ||
| 17 | |||
| 18 | # private-bin file-roller | ||
| 19 | # private-tmp | ||
| 20 | private-dev | ||
| 21 | # private-etc fonts | ||
diff --git a/etc/file.profile b/etc/file.profile index 199a97fad..f709e7f0c 100644 --- a/etc/file.profile +++ b/etc/file.profile | |||
| @@ -1,16 +1,25 @@ | |||
| 1 | # file profile | 1 | # file profile |
| 2 | ignore noroot | 2 | include /etc/firejail/disable-common.inc |
| 3 | include /etc/firejail/default.profile | 3 | include /etc/firejail/disable-programs.inc |
| 4 | 4 | include /etc/firejail/disable-passwdmgr.inc | |
| 5 | blacklist /tmp/.X11-unix | ||
| 6 | 5 | ||
| 6 | caps.drop all | ||
| 7 | hostname file | 7 | hostname file |
| 8 | netfilter | ||
| 8 | net none | 9 | net none |
| 9 | no3d | 10 | no3d |
| 11 | nogroups | ||
| 12 | nonewprivs | ||
| 13 | #noroot | ||
| 10 | nosound | 14 | nosound |
| 11 | quiet | 15 | protocol unix |
| 16 | seccomp | ||
| 12 | shell none | 17 | shell none |
| 13 | tracelog | 18 | tracelog |
| 19 | quiet | ||
| 20 | x11 none | ||
| 21 | |||
| 22 | blacklist /tmp/.X11-unix | ||
| 14 | 23 | ||
| 15 | private-dev | 24 | private-dev |
| 16 | private-bin file | 25 | private-bin file |
diff --git a/etc/firefox.profile b/etc/firefox.profile index 6bb581f4f..4f971f330 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile | |||
| @@ -1,5 +1,4 @@ | |||
| 1 | # Firejail profile for Mozilla Firefox (Iceweasel in Debian) | 1 | # Firejail profile for Mozilla Firefox (Iceweasel in Debian) |
| 2 | |||
| 3 | noblacklist ~/.mozilla | 2 | noblacklist ~/.mozilla |
| 4 | noblacklist ~/.cache/mozilla | 3 | noblacklist ~/.cache/mozilla |
| 5 | noblacklist ~/.config/qpdfview | 4 | noblacklist ~/.config/qpdfview |
diff --git a/etc/gajim.profile b/etc/gajim.profile index 809378ef9..b030a68b4 100644 --- a/etc/gajim.profile +++ b/etc/gajim.profile | |||
| @@ -1,5 +1,4 @@ | |||
| 1 | # Firejail profile for Gajim | 1 | # Firejail profile for Gajim |
| 2 | |||
| 3 | mkdir ${HOME}/.cache/gajim | 2 | mkdir ${HOME}/.cache/gajim |
| 4 | mkdir ${HOME}/.local/share/gajim | 3 | mkdir ${HOME}/.local/share/gajim |
| 5 | mkdir ${HOME}/.config/gajim | 4 | mkdir ${HOME}/.config/gajim |
diff --git a/etc/gedit.profile b/etc/gedit.profile new file mode 100644 index 000000000..a25286bfa --- /dev/null +++ b/etc/gedit.profile | |||
| @@ -0,0 +1,26 @@ | |||
| 1 | # gedit profile | ||
| 2 | |||
| 3 | # when gedit is started via gnome-shell, firejail is not applied because systemd will start it | ||
| 4 | |||
| 5 | noblacklist ~/.config/gedit | ||
| 6 | |||
| 7 | include /etc/firejail/disable-common.inc | ||
| 8 | include /etc/firejail/disable-programs.inc | ||
| 9 | #include /etc/firejail/disable-devel.inc | ||
| 10 | include /etc/firejail/disable-passwdmgr.inc | ||
| 11 | |||
| 12 | caps.drop all | ||
| 13 | nogroups | ||
| 14 | nonewprivs | ||
| 15 | noroot | ||
| 16 | nosound | ||
| 17 | protocol unix | ||
| 18 | seccomp | ||
| 19 | netfilter | ||
| 20 | shell none | ||
| 21 | tracelog | ||
| 22 | |||
| 23 | # private-bin gedit | ||
| 24 | private-tmp | ||
| 25 | private-dev | ||
| 26 | # private-etc fonts | ||
diff --git a/etc/git.profile b/etc/git.profile index 73122d347..edb59ce13 100644 --- a/etc/git.profile +++ b/etc/git.profile | |||
| @@ -1,5 +1,4 @@ | |||
| 1 | # git profile | 1 | # git profile |
| 2 | |||
| 3 | noblacklist ~/.gitconfig | 2 | noblacklist ~/.gitconfig |
| 4 | noblacklist ~/.ssh | 3 | noblacklist ~/.ssh |
| 5 | noblacklist ~/.gnupg | 4 | noblacklist ~/.gnupg |
diff --git a/etc/gjs.profile b/etc/gjs.profile new file mode 100644 index 000000000..8d71728a2 --- /dev/null +++ b/etc/gjs.profile | |||
| @@ -0,0 +1,28 @@ | |||
| 1 | # gjs (gnome javascript bindings) profile | ||
| 2 | |||
| 3 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
| 4 | |||
| 5 | noblacklist ~/.cache/org.gnome.Books | ||
| 6 | noblacklist ~/.config/libreoffice | ||
| 7 | noblacklist ~/.local/share/gnome-photos | ||
| 8 | noblacklist ~/.cache/libgweather | ||
| 9 | |||
| 10 | include /etc/firejail/disable-common.inc | ||
| 11 | include /etc/firejail/disable-programs.inc | ||
| 12 | include /etc/firejail/disable-devel.inc | ||
| 13 | include /etc/firejail/disable-passwdmgr.inc | ||
| 14 | |||
| 15 | caps.drop all | ||
| 16 | nogroups | ||
| 17 | nonewprivs | ||
| 18 | noroot | ||
| 19 | protocol unix,inet,inet6 | ||
| 20 | seccomp | ||
| 21 | netfilter | ||
| 22 | shell none | ||
| 23 | tracelog | ||
| 24 | |||
| 25 | # private-bin gjs,gnome-books,gnome-documents,gnome-photos,gnome-maps,gnome-weather | ||
| 26 | private-tmp | ||
| 27 | private-dev | ||
| 28 | # private-etc fonts | ||
diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile new file mode 100644 index 000000000..10b06e173 --- /dev/null +++ b/etc/gnome-books.profile | |||
| @@ -0,0 +1,26 @@ | |||
| 1 | # gnome-books profile | ||
| 2 | |||
| 3 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
| 4 | |||
| 5 | noblacklist ~/.cache/org.gnome.Books | ||
| 6 | |||
| 7 | include /etc/firejail/disable-common.inc | ||
| 8 | include /etc/firejail/disable-programs.inc | ||
| 9 | include /etc/firejail/disable-devel.inc | ||
| 10 | include /etc/firejail/disable-passwdmgr.inc | ||
| 11 | |||
| 12 | caps.drop all | ||
| 13 | nogroups | ||
| 14 | nonewprivs | ||
| 15 | noroot | ||
| 16 | nosound | ||
| 17 | protocol unix | ||
| 18 | seccomp | ||
| 19 | netfilter | ||
| 20 | shell none | ||
| 21 | tracelog | ||
| 22 | |||
| 23 | # private-bin gjs gnome-books | ||
| 24 | private-tmp | ||
| 25 | private-dev | ||
| 26 | private-etc fonts | ||
diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile new file mode 100644 index 000000000..6cccf9d32 --- /dev/null +++ b/etc/gnome-clocks.profile | |||
| @@ -0,0 +1,21 @@ | |||
| 1 | # gnome-clocks profile | ||
| 2 | include /etc/firejail/disable-common.inc | ||
| 3 | include /etc/firejail/disable-programs.inc | ||
| 4 | include /etc/firejail/disable-devel.inc | ||
| 5 | include /etc/firejail/disable-passwdmgr.inc | ||
| 6 | |||
| 7 | caps.drop all | ||
| 8 | nogroups | ||
| 9 | nonewprivs | ||
| 10 | noroot | ||
| 11 | nosound | ||
| 12 | protocol unix,inet,inet6 | ||
| 13 | seccomp | ||
| 14 | netfilter | ||
| 15 | shell none | ||
| 16 | tracelog | ||
| 17 | |||
| 18 | # private-bin gnome-clocks | ||
| 19 | private-tmp | ||
| 20 | private-dev | ||
| 21 | # private-etc fonts | ||
diff --git a/etc/gnome-documents.profile b/etc/gnome-documents.profile new file mode 100644 index 000000000..c5def7aff --- /dev/null +++ b/etc/gnome-documents.profile | |||
| @@ -0,0 +1,24 @@ | |||
| 1 | # gnome-documents profile | ||
| 2 | |||
| 3 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
| 4 | |||
| 5 | noblacklist ~/.config/libreoffice | ||
| 6 | |||
| 7 | include /etc/firejail/disable-common.inc | ||
| 8 | include /etc/firejail/disable-programs.inc | ||
| 9 | include /etc/firejail/disable-devel.inc | ||
| 10 | include /etc/firejail/disable-passwdmgr.inc | ||
| 11 | |||
| 12 | caps.drop all | ||
| 13 | nogroups | ||
| 14 | nonewprivs | ||
| 15 | noroot | ||
| 16 | nosound | ||
| 17 | protocol unix | ||
| 18 | seccomp | ||
| 19 | netfilter | ||
| 20 | shell none | ||
| 21 | tracelog | ||
| 22 | |||
| 23 | private-tmp | ||
| 24 | private-dev | ||
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile new file mode 100644 index 000000000..f1451506e --- /dev/null +++ b/etc/gnome-maps.profile | |||
| @@ -0,0 +1,24 @@ | |||
| 1 | # gnome-maps profile | ||
| 2 | |||
| 3 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
| 4 | |||
| 5 | include /etc/firejail/disable-common.inc | ||
| 6 | include /etc/firejail/disable-programs.inc | ||
| 7 | include /etc/firejail/disable-devel.inc | ||
| 8 | include /etc/firejail/disable-passwdmgr.inc | ||
| 9 | |||
| 10 | caps.drop all | ||
| 11 | nogroups | ||
| 12 | nonewprivs | ||
| 13 | noroot | ||
| 14 | nosound | ||
| 15 | protocol unix,inet,inet6 | ||
| 16 | seccomp | ||
| 17 | netfilter | ||
| 18 | shell none | ||
| 19 | tracelog | ||
| 20 | |||
| 21 | # private-bin gjs gnome-maps | ||
| 22 | private-tmp | ||
| 23 | private-dev | ||
| 24 | # private-etc fonts | ||
diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile new file mode 100644 index 000000000..4a8adeb22 --- /dev/null +++ b/etc/gnome-music.profile | |||
| @@ -0,0 +1,22 @@ | |||
| 1 | # gnome-music profile | ||
| 2 | noblacklist ~/.local/share/gnome-music | ||
| 3 | |||
| 4 | include /etc/firejail/disable-common.inc | ||
| 5 | include /etc/firejail/disable-programs.inc | ||
| 6 | include /etc/firejail/disable-devel.inc | ||
| 7 | include /etc/firejail/disable-passwdmgr.inc | ||
| 8 | |||
| 9 | caps.drop all | ||
| 10 | nogroups | ||
| 11 | nonewprivs | ||
| 12 | noroot | ||
| 13 | protocol unix | ||
| 14 | seccomp | ||
| 15 | netfilter | ||
| 16 | shell none | ||
| 17 | tracelog | ||
| 18 | |||
| 19 | # private-bin gnome-music,python3 | ||
| 20 | private-tmp | ||
| 21 | private-dev | ||
| 22 | # private-etc fonts | ||
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile new file mode 100644 index 000000000..8f9d60cb5 --- /dev/null +++ b/etc/gnome-photos.profile | |||
| @@ -0,0 +1,26 @@ | |||
| 1 | # gnome-photos profile | ||
| 2 | |||
| 3 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
| 4 | |||
| 5 | noblacklist ~/.local/share/gnome-photos | ||
| 6 | |||
| 7 | include /etc/firejail/disable-common.inc | ||
| 8 | include /etc/firejail/disable-programs.inc | ||
| 9 | include /etc/firejail/disable-devel.inc | ||
| 10 | include /etc/firejail/disable-passwdmgr.inc | ||
| 11 | |||
| 12 | caps.drop all | ||
| 13 | nogroups | ||
| 14 | nonewprivs | ||
| 15 | noroot | ||
| 16 | nosound | ||
| 17 | protocol unix | ||
| 18 | seccomp | ||
| 19 | netfilter | ||
| 20 | shell none | ||
| 21 | tracelog | ||
| 22 | |||
| 23 | # private-bin gjs gnome-photos | ||
| 24 | private-tmp | ||
| 25 | private-dev | ||
| 26 | # private-etc fonts | ||
diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile new file mode 100644 index 000000000..9f93b8f15 --- /dev/null +++ b/etc/gnome-weather.profile | |||
| @@ -0,0 +1,26 @@ | |||
| 1 | # gnome-weather profile | ||
| 2 | |||
| 3 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | ||
| 4 | |||
| 5 | noblacklist ~/.cache/libgweather | ||
| 6 | |||
| 7 | include /etc/firejail/disable-common.inc | ||
| 8 | include /etc/firejail/disable-programs.inc | ||
| 9 | include /etc/firejail/disable-devel.inc | ||
| 10 | include /etc/firejail/disable-passwdmgr.inc | ||
| 11 | |||
| 12 | caps.drop all | ||
| 13 | nogroups | ||
| 14 | nonewprivs | ||
| 15 | noroot | ||
| 16 | nosound | ||
| 17 | protocol unix,inet,inet6 | ||
| 18 | seccomp | ||
| 19 | netfilter | ||
| 20 | shell none | ||
| 21 | tracelog | ||
| 22 | |||
| 23 | # private-bin gjs gnome-weather | ||
| 24 | private-tmp | ||
| 25 | private-dev | ||
| 26 | # private-etc fonts | ||
diff --git a/etc/goobox.profile b/etc/goobox.profile new file mode 100644 index 000000000..8990943fc --- /dev/null +++ b/etc/goobox.profile | |||
| @@ -0,0 +1,20 @@ | |||
| 1 | # goobox profile | ||
| 2 | include /etc/firejail/disable-common.inc | ||
| 3 | include /etc/firejail/disable-programs.inc | ||
| 4 | include /etc/firejail/disable-devel.inc | ||
| 5 | include /etc/firejail/disable-passwdmgr.inc | ||
| 6 | |||
| 7 | caps.drop all | ||
| 8 | nogroups | ||
| 9 | nonewprivs | ||
| 10 | noroot | ||
| 11 | protocol unix | ||
| 12 | seccomp | ||
| 13 | netfilter | ||
| 14 | shell none | ||
| 15 | tracelog | ||
| 16 | |||
| 17 | # private-bin goobox | ||
| 18 | # private-tmp | ||
| 19 | # private-dev | ||
| 20 | # private-etc fonts | ||
diff --git a/etc/gpa.profile b/etc/gpa.profile new file mode 100644 index 000000000..7d7277190 --- /dev/null +++ b/etc/gpa.profile | |||
| @@ -0,0 +1,23 @@ | |||
| 1 | # gpa profile | ||
| 2 | noblacklist ~/.gnupg | ||
| 3 | |||
| 4 | include /etc/firejail/disable-common.inc | ||
| 5 | include /etc/firejail/disable-programs.inc | ||
| 6 | include /etc/firejail/disable-devel.inc | ||
| 7 | include /etc/firejail/disable-passwdmgr.inc | ||
| 8 | |||
| 9 | caps.drop all | ||
| 10 | nogroups | ||
| 11 | nonewprivs | ||
| 12 | noroot | ||
| 13 | nosound | ||
| 14 | protocol unix,inet,inet6 | ||
| 15 | seccomp | ||
| 16 | netfilter | ||
| 17 | shell none | ||
| 18 | tracelog | ||
| 19 | |||
| 20 | # private-bin gpa,gpg | ||
| 21 | private-tmp | ||
| 22 | private-dev | ||
| 23 | # private-etc none | ||
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile new file mode 100644 index 000000000..b0ebdf43c --- /dev/null +++ b/etc/gpg-agent.profile | |||
| @@ -0,0 +1,23 @@ | |||
| 1 | # gpg-agent profile | ||
| 2 | noblacklist ~/.gnupg | ||
| 3 | |||
| 4 | include /etc/firejail/disable-common.inc | ||
| 5 | include /etc/firejail/disable-programs.inc | ||
| 6 | include /etc/firejail/disable-devel.inc | ||
| 7 | include /etc/firejail/disable-passwdmgr.inc | ||
| 8 | |||
| 9 | caps.drop all | ||
| 10 | nogroups | ||
| 11 | nonewprivs | ||
| 12 | noroot | ||
| 13 | nosound | ||
| 14 | protocol unix | ||
| 15 | seccomp | ||
| 16 | netfilter | ||
| 17 | shell none | ||
| 18 | tracelog | ||
| 19 | |||
| 20 | # private-bin gpg-agent,gpg | ||
| 21 | private-tmp | ||
| 22 | private-dev | ||
| 23 | # private-etc none | ||
diff --git a/etc/gpg.profile b/etc/gpg.profile new file mode 100644 index 000000000..31372eb90 --- /dev/null +++ b/etc/gpg.profile | |||
| @@ -0,0 +1,24 @@ | |||
| 1 | # gpg profile | ||
| 2 | noblacklist ~/.gnupg | ||
| 3 | |||
| 4 | include /etc/firejail/disable-common.inc | ||
| 5 | include /etc/firejail/disable-programs.inc | ||
| 6 | include /etc/firejail/disable-devel.inc | ||
| 7 | include /etc/firejail/disable-passwdmgr.inc | ||
| 8 | |||
| 9 | caps.drop all | ||
| 10 | nogroups | ||
| 11 | nonewprivs | ||
| 12 | noroot | ||
| 13 | nosound | ||
| 14 | protocol unix | ||
| 15 | seccomp | ||
| 16 | netfilter | ||
| 17 | net none | ||
| 18 | shell none | ||
| 19 | tracelog | ||
| 20 | |||
| 21 | # private-bin gpg,gpg-agent | ||
| 22 | private-tmp | ||
| 23 | private-dev | ||
| 24 | # private-etc none | ||
diff --git a/etc/highlight.profile b/etc/highlight.profile new file mode 100644 index 000000000..f95f3924a --- /dev/null +++ b/etc/highlight.profile | |||
| @@ -0,0 +1,24 @@ | |||
| 1 | # highlight profile | ||
| 2 | include /etc/firejail/disable-common.inc | ||
| 3 | include /etc/firejail/disable-programs.inc | ||
| 4 | include /etc/firejail/disable-devel.inc | ||
| 5 | include /etc/firejail/disable-passwdmgr.inc | ||
| 6 | |||
| 7 | caps.drop all | ||
| 8 | nogroups | ||
| 9 | nonewprivs | ||
| 10 | noroot | ||
| 11 | nosound | ||
| 12 | protocol unix | ||
| 13 | seccomp | ||
| 14 | netfilter | ||
| 15 | net none | ||
| 16 | shell none | ||
| 17 | tracelog | ||
| 18 | |||
| 19 | private-bin highlight | ||
| 20 | private-tmp | ||
| 21 | private-dev | ||
| 22 | |||
| 23 | |||
| 24 | |||
diff --git a/etc/icecat.profile b/etc/icecat.profile index 2f8e2df7f..0348076da 100644 --- a/etc/icecat.profile +++ b/etc/icecat.profile | |||
| @@ -1,5 +1,4 @@ | |||
| 1 | # Firejail profile for GNU Icecat | 1 | # Firejail profile for GNU Icecat |
| 2 | |||
| 3 | noblacklist ~/.mozilla | 2 | noblacklist ~/.mozilla |
| 4 | noblacklist ~/.cache/mozilla | 3 | noblacklist ~/.cache/mozilla |
| 5 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
diff --git a/etc/img2txt.profile b/etc/img2txt.profile new file mode 100644 index 000000000..d55a31cd0 --- /dev/null +++ b/etc/img2txt.profile | |||
| @@ -0,0 +1,24 @@ | |||
| 1 | # img2txt profile | ||
| 2 | include /etc/firejail/disable-common.inc | ||
| 3 | include /etc/firejail/disable-programs.inc | ||
| 4 | include /etc/firejail/disable-devel.inc | ||
| 5 | include /etc/firejail/disable-passwdmgr.inc | ||
| 6 | |||
| 7 | caps.drop all | ||
| 8 | nogroups | ||
| 9 | nonewprivs | ||
| 10 | noroot | ||
| 11 | nosound | ||
| 12 | protocol unix | ||
| 13 | seccomp | ||
| 14 | netfilter | ||
| 15 | net none | ||
| 16 | shell none | ||
| 17 | tracelog | ||
| 18 | |||
| 19 | #private-bin img2txt | ||
| 20 | private-tmp | ||
| 21 | private-dev | ||
| 22 | #private-etc none | ||
| 23 | |||
| 24 | |||
diff --git a/etc/k3b.profile b/etc/k3b.profile new file mode 100644 index 000000000..8a5fff0c6 --- /dev/null +++ b/etc/k3b.profile | |||
| @@ -0,0 +1,21 @@ | |||
| 1 | # k3b profile | ||
| 2 | include /etc/firejail/disable-common.inc | ||
| 3 | include /etc/firejail/disable-programs.inc | ||
| 4 | include /etc/firejail/disable-devel.inc | ||
| 5 | include /etc/firejail/disable-passwdmgr.inc | ||
| 6 | |||
| 7 | caps.drop all | ||
| 8 | netfilter | ||
| 9 | nogroups | ||
| 10 | nonewprivs | ||
| 11 | noroot | ||
| 12 | nosound | ||
| 13 | shell none | ||
| 14 | seccomp | ||
| 15 | protocol unix | ||
| 16 | |||
| 17 | # private-bin | ||
| 18 | # private-dev | ||
| 19 | # private-tmp | ||
| 20 | # private-etc | ||
| 21 | |||
diff --git a/etc/kate.profile b/etc/kate.profile new file mode 100644 index 000000000..4b07ea6cb --- /dev/null +++ b/etc/kate.profile | |||
| @@ -0,0 +1,28 @@ | |||
| 1 | # kate profile | ||
| 2 | noblacklist ~/.local/share/kate | ||
| 3 | noblacklist ~/.config/katerc | ||
| 4 | noblacklist ~/.config/katepartrc | ||
| 5 | noblacklist ~/.config/kateschemarc | ||
| 6 | noblacklist ~/.config/katesyntaxhighlightingrc | ||
| 7 | noblacklist ~/.config/katevirc | ||
| 8 | |||
| 9 | include /etc/firejail/disable-common.inc | ||
| 10 | include /etc/firejail/disable-programs.inc | ||
| 11 | #include /etc/firejail/disable-devel.inc | ||
| 12 | include /etc/firejail/disable-passwdmgr.inc | ||
| 13 | |||
| 14 | caps.drop all | ||
| 15 | nogroups | ||
| 16 | nonewprivs | ||
| 17 | noroot | ||
| 18 | nosound | ||
| 19 | protocol unix | ||
| 20 | seccomp | ||
| 21 | netfilter | ||
| 22 | shell none | ||
| 23 | tracelog | ||
| 24 | |||
| 25 | # private-bin kate | ||
| 26 | private-tmp | ||
| 27 | private-dev | ||
| 28 | # private-etc fonts | ||
diff --git a/etc/keepass.profile b/etc/keepass.profile index 23f9a7b40..18a5f4ebd 100644 --- a/etc/keepass.profile +++ b/etc/keepass.profile | |||
| @@ -1,5 +1,4 @@ | |||
| 1 | # keepass password manager profile | 1 | # keepass password manager profile |
| 2 | |||
| 3 | noblacklist ${HOME}/.config/keepass | 2 | noblacklist ${HOME}/.config/keepass |
| 4 | noblacklist ${HOME}/.keepass | 3 | noblacklist ${HOME}/.keepass |
| 5 | 4 | ||
diff --git a/etc/keepass2.profile b/etc/keepass2.profile index fd390f7ed..9daa014e3 100644 --- a/etc/keepass2.profile +++ b/etc/keepass2.profile | |||
| @@ -1,5 +1,4 @@ | |||
| 1 | # keepass password manager profile | 1 | # keepass password manager profile |
| 2 | |||
| 3 | #noblacklist ${HOME}/.config/KeePass | 2 | #noblacklist ${HOME}/.config/KeePass |
| 4 | #noblacklist ${HOME}/.keepass | 3 | #noblacklist ${HOME}/.keepass |
| 5 | 4 | ||
diff --git a/etc/keepassx.profile b/etc/keepassx.profile index 415160df3..d8621773f 100644 --- a/etc/keepassx.profile +++ b/etc/keepassx.profile | |||
| @@ -1,5 +1,4 @@ | |||
| 1 | # keepassx password manager profile | 1 | # keepassx password manager profile |
| 2 | |||
| 3 | noblacklist ${HOME}/.config/keepassx | 2 | noblacklist ${HOME}/.config/keepassx |
| 4 | noblacklist ${HOME}/.keepassx | 3 | noblacklist ${HOME}/.keepassx |
| 5 | noblacklist ${HOME}/keepassx.kdbx | 4 | noblacklist ${HOME}/keepassx.kdbx |
diff --git a/etc/konversation.profile b/etc/konversation.profile index e9546fd1b..c00b91c18 100644 --- a/etc/konversation.profile +++ b/etc/konversation.profile | |||
| @@ -1,5 +1,4 @@ | |||
| 1 | # Firejail konversation profile | 1 | # Firejail konversation profile |
| 2 | |||
| 3 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
| 4 | include /etc/firejail/disable-programs.inc | 3 | include /etc/firejail/disable-programs.inc |
| 5 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
diff --git a/etc/lxterminal.profile b/etc/lxterminal.profile index d1d0b8a0d..12765c299 100644 --- a/etc/lxterminal.profile +++ b/etc/lxterminal.profile | |||
| @@ -1,5 +1,4 @@ | |||
| 1 | # lxterminal (LXDE) profile | 1 | # lxterminal (LXDE) profile |
| 2 | |||
| 3 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
| 4 | include /etc/firejail/disable-programs.inc | 3 | include /etc/firejail/disable-programs.inc |
| 5 | include /etc/firejail/disable-passwdmgr.inc | 4 | include /etc/firejail/disable-passwdmgr.inc |
diff --git a/etc/lynx.profile b/etc/lynx.profile new file mode 100644 index 000000000..6e150f62e --- /dev/null +++ b/etc/lynx.profile | |||
| @@ -0,0 +1,22 @@ | |||
| 1 | # lynx profile | ||
| 2 | include /etc/firejail/disable-common.inc | ||
| 3 | include /etc/firejail/disable-programs.inc | ||
| 4 | include /etc/firejail/disable-devel.inc | ||
| 5 | include /etc/firejail/disable-passwdmgr.inc | ||
| 6 | |||
| 7 | caps.drop all | ||
| 8 | nogroups | ||
| 9 | nonewprivs | ||
| 10 | noroot | ||
| 11 | nosound | ||
| 12 | protocol unix,inet,inet6 | ||
| 13 | seccomp | ||
| 14 | netfilter | ||
| 15 | shell none | ||
| 16 | tracelog | ||
| 17 | |||
| 18 | # private-bin lynx | ||
| 19 | private-tmp | ||
| 20 | private-dev | ||
| 21 | # private-etc none | ||
| 22 | |||
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile new file mode 100644 index 000000000..c07a9a9e8 --- /dev/null +++ b/etc/mediainfo.profile | |||
| @@ -0,0 +1,26 @@ | |||
| 1 | # mediainfo profile | ||
| 2 | include /etc/firejail/disable-common.inc | ||
| 3 | include /etc/firejail/disable-programs.inc | ||
| 4 | include /etc/firejail/disable-devel.inc | ||
| 5 | include /etc/firejail/disable-passwdmgr.inc | ||
| 6 | |||
| 7 | caps.drop all | ||
| 8 | nogroups | ||
| 9 | nonewprivs | ||
| 10 | noroot | ||
| 11 | nosound | ||
| 12 | protocol unix | ||
| 13 | seccomp | ||
| 14 | netfilter | ||
| 15 | net none | ||
| 16 | shell none | ||
| 17 | tracelog | ||
| 18 | |||
| 19 | private-bin mediainfo | ||
| 20 | private-tmp | ||
| 21 | private-dev | ||
| 22 | private-etc none | ||
| 23 | |||
| 24 | |||
| 25 | |||
| 26 | |||
diff --git a/etc/mupdf.profile b/etc/mupdf.profile index dc23d5840..7f9261d8b 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile | |||
| @@ -16,9 +16,6 @@ net none | |||
| 16 | shell none | 16 | shell none |
| 17 | tracelog | 17 | tracelog |
| 18 | 18 | ||
| 19 | #seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev | ||
| 20 | |||
| 21 | private-bin mupdf | ||
| 22 | private-tmp | 19 | private-tmp |
| 23 | private-dev | 20 | private-dev |
| 24 | private-etc fonts | 21 | private-etc fonts |
| @@ -26,3 +23,8 @@ private-etc fonts | |||
| 26 | # mupdf will never write anything | 23 | # mupdf will never write anything |
| 27 | read-only ${HOME} | 24 | read-only ${HOME} |
| 28 | 25 | ||
| 26 | # | ||
| 27 | # Experimental: | ||
| 28 | # | ||
| 29 | #seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev | ||
| 30 | # private-bin mupdf,sh,tempfile,rm | ||
diff --git a/etc/mutt.profile b/etc/mutt.profile index 54cf828b1..2718421c5 100644 --- a/etc/mutt.profile +++ b/etc/mutt.profile | |||
| @@ -1,5 +1,4 @@ | |||
| 1 | # mutt email client profile | 1 | # mutt email client profile |
| 2 | |||
| 3 | noblacklist ~/.muttrc | 2 | noblacklist ~/.muttrc |
| 4 | noblacklist ~/.mutt | 3 | noblacklist ~/.mutt |
| 5 | noblacklist ~/.mutt/muttrc | 4 | noblacklist ~/.mutt/muttrc |
diff --git a/etc/nautilus.profile b/etc/nautilus.profile new file mode 100644 index 000000000..264ee0b9d --- /dev/null +++ b/etc/nautilus.profile | |||
| @@ -0,0 +1,26 @@ | |||
| 1 | # nautilus profile | ||
| 2 | |||
| 3 | # Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there is already a nautilus process running on gnome desktops firejail will have no effect. | ||
| 4 | |||
| 5 | noblacklist ~/.config/nautilus | ||
| 6 | |||
| 7 | include /etc/firejail/disable-common.inc | ||
| 8 | # nautilus needs to be able to start arbitrary applications so we cannot blacklist their files | ||
| 9 | #include /etc/firejail/disable-programs.inc | ||
| 10 | include /etc/firejail/disable-devel.inc | ||
| 11 | include /etc/firejail/disable-passwdmgr.inc | ||
| 12 | |||
| 13 | caps.drop all | ||
| 14 | nogroups | ||
| 15 | nonewprivs | ||
| 16 | noroot | ||
| 17 | protocol unix | ||
| 18 | seccomp | ||
| 19 | netfilter | ||
| 20 | shell none | ||
| 21 | tracelog | ||
| 22 | |||
| 23 | # private-bin nautilus | ||
| 24 | # private-tmp | ||
| 25 | # private-dev | ||
| 26 | # private-etc fonts | ||
diff --git a/etc/netsurf.profile b/etc/netsurf.profile index 1ed2163c2..2071e5519 100644 --- a/etc/netsurf.profile +++ b/etc/netsurf.profile | |||
| @@ -1,5 +1,4 @@ | |||
| 1 | # Firejail profile for Mozilla Firefox (Iceweasel in Debian) | 1 | # Firejail profile for Mozilla Firefox (Iceweasel in Debian) |
| 2 | |||
| 3 | noblacklist ~/.config/netsurf | 2 | noblacklist ~/.config/netsurf |
| 4 | noblacklist ~/.cache/netsurf | 3 | noblacklist ~/.cache/netsurf |
| 5 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile new file mode 100644 index 000000000..329275022 --- /dev/null +++ b/etc/odt2txt.profile | |||
| @@ -0,0 +1,24 @@ | |||
| 1 | # odt2txt profile | ||
| 2 | include /etc/firejail/disable-common.inc | ||
| 3 | include /etc/firejail/disable-programs.inc | ||
| 4 | include /etc/firejail/disable-devel.inc | ||
| 5 | include /etc/firejail/disable-passwdmgr.inc | ||
| 6 | |||
| 7 | caps.drop all | ||
| 8 | nogroups | ||
| 9 | nonewprivs | ||
| 10 | noroot | ||
| 11 | nosound | ||
| 12 | protocol unix | ||
| 13 | seccomp | ||
| 14 | netfilter | ||
| 15 | net none | ||
| 16 | shell none | ||
| 17 | tracelog | ||
| 18 | |||
| 19 | private-bin odt2txt | ||
| 20 | private-tmp | ||
| 21 | private-dev | ||
| 22 | private-etc none | ||
| 23 | |||
| 24 | read-only ${HOME} | ||
diff --git a/etc/okular.profile b/etc/okular.profile index b43a5fbea..22e223cea 100644 --- a/etc/okular.profile +++ b/etc/okular.profile | |||
| @@ -9,17 +9,17 @@ include /etc/firejail/disable-devel.inc | |||
| 9 | include /etc/firejail/disable-passwdmgr.inc | 9 | include /etc/firejail/disable-passwdmgr.inc |
| 10 | 10 | ||
| 11 | caps.drop all | 11 | caps.drop all |
| 12 | nogroups | 12 | netfilter |
| 13 | nonewprivs | 13 | nonewprivs |
| 14 | nogroups | ||
| 14 | noroot | 15 | noroot |
| 16 | nosound | ||
| 15 | protocol unix | 17 | protocol unix |
| 16 | seccomp | 18 | seccomp |
| 17 | nosound | 19 | shell none |
| 20 | tracelog | ||
| 18 | 21 | ||
| 22 | # private-bin okular,kbuildsycoca4,kbuildsycoca5 | ||
| 23 | # private-etc X11 | ||
| 19 | private-dev | 24 | private-dev |
| 20 | 25 | private-tmp | |
| 21 | #Experimental: | ||
| 22 | #net none | ||
| 23 | #shell none | ||
| 24 | #private-bin okular,kbuildsycoca4,kbuildsycoca5 | ||
| 25 | #private-etc X11 | ||
diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile new file mode 100644 index 000000000..632c9d15e --- /dev/null +++ b/etc/pdftotext.profile | |||
| @@ -0,0 +1,22 @@ | |||
| 1 | # pdftotext profile | ||
| 2 | include /etc/firejail/disable-common.inc | ||
| 3 | include /etc/firejail/disable-programs.inc | ||
| 4 | include /etc/firejail/disable-devel.inc | ||
| 5 | include /etc/firejail/disable-passwdmgr.inc | ||
| 6 | |||
| 7 | caps.drop all | ||
| 8 | nogroups | ||
| 9 | nonewprivs | ||
| 10 | noroot | ||
| 11 | nosound | ||
| 12 | protocol unix | ||
| 13 | seccomp | ||
| 14 | netfilter | ||
| 15 | net none | ||
| 16 | shell none | ||
| 17 | tracelog | ||
| 18 | |||
| 19 | private-bin pdftotext | ||
| 20 | private-tmp | ||
| 21 | private-dev | ||
| 22 | private-etc none | ||
diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile index a9323448b..e4e69b9f6 100644 --- a/etc/psi-plus.profile +++ b/etc/psi-plus.profile | |||
| @@ -1,5 +1,4 @@ | |||
| 1 | # Firejail profile for Psi+ | 1 | # Firejail profile for Psi+ |
| 2 | |||
| 3 | noblacklist ${HOME}/.config/psi+ | 2 | noblacklist ${HOME}/.config/psi+ |
| 4 | noblacklist ${HOME}/.local/share/psi+ | 3 | noblacklist ${HOME}/.local/share/psi+ |
| 5 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
diff --git a/etc/qemu-launcher.profile b/etc/qemu-launcher.profile index 9fa8a91d4..f9c8e6345 100644 --- a/etc/qemu-launcher.profile +++ b/etc/qemu-launcher.profile | |||
| @@ -1,5 +1,4 @@ | |||
| 1 | # qemu-launcher profile | 1 | # qemu-launcher profile |
| 2 | |||
| 3 | noblacklist ~/.qemu-launcher | 2 | noblacklist ~/.qemu-launcher |
| 4 | 3 | ||
| 5 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
diff --git a/etc/qemu-system-x86_64.profile b/etc/qemu-system-x86_64.profile index 3d4587fb1..65e1e44ea 100644 --- a/etc/qemu-system-x86_64.profile +++ b/etc/qemu-system-x86_64.profile | |||
| @@ -1,5 +1,4 @@ | |||
| 1 | # qemu profile | 1 | # qemu profile |
| 2 | |||
| 3 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
| 4 | include /etc/firejail/disable-programs.inc | 3 | include /etc/firejail/disable-programs.inc |
| 5 | include /etc/firejail/disable-passwdmgr.inc | 4 | include /etc/firejail/disable-passwdmgr.inc |
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile index 0efb7b629..eabbe0f3e 100644 --- a/etc/qutebrowser.profile +++ b/etc/qutebrowser.profile | |||
| @@ -1,5 +1,4 @@ | |||
| 1 | # Firejail profile for Qutebrowser (Qt5-Webkit+Python) browser | 1 | # Firejail profile for Qutebrowser (Qt5-Webkit+Python) browser |
| 2 | |||
| 3 | noblacklist ~/.config/qutebrowser | 2 | noblacklist ~/.config/qutebrowser |
| 4 | noblacklist ~/.cache/qutebrowser | 3 | noblacklist ~/.cache/qutebrowser |
| 5 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile new file mode 100644 index 000000000..03089482b --- /dev/null +++ b/etc/simple-scan.profile | |||
| @@ -0,0 +1,23 @@ | |||
| 1 | # simple-scan profile | ||
| 2 | noblacklist ~/.cache/simple-scan | ||
| 3 | |||
| 4 | include /etc/firejail/disable-common.inc | ||
| 5 | include /etc/firejail/disable-programs.inc | ||
| 6 | include /etc/firejail/disable-devel.inc | ||
| 7 | include /etc/firejail/disable-passwdmgr.inc | ||
| 8 | |||
| 9 | caps.drop all | ||
| 10 | nogroups | ||
| 11 | nonewprivs | ||
| 12 | noroot | ||
| 13 | nosound | ||
| 14 | protocol unix,inet,inet6 | ||
| 15 | #seccomp | ||
| 16 | netfilter | ||
| 17 | shell none | ||
| 18 | tracelog | ||
| 19 | |||
| 20 | # private-bin simple-scan | ||
| 21 | # private-tmp | ||
| 22 | # private-dev | ||
| 23 | # private-etc fonts | ||
diff --git a/etc/skanlite.profile b/etc/skanlite.profile new file mode 100644 index 000000000..4dcfa64d9 --- /dev/null +++ b/etc/skanlite.profile | |||
| @@ -0,0 +1,21 @@ | |||
| 1 | # skanlite profile | ||
| 2 | include /etc/firejail/disable-common.inc | ||
| 3 | include /etc/firejail/disable-programs.inc | ||
| 4 | include /etc/firejail/disable-devel.inc | ||
| 5 | include /etc/firejail/disable-passwdmgr.inc | ||
| 6 | |||
| 7 | caps.drop all | ||
| 8 | netfilter | ||
| 9 | nogroups | ||
| 10 | nonewprivs | ||
| 11 | noroot | ||
| 12 | nosound | ||
| 13 | shell none | ||
| 14 | #seccomp | ||
| 15 | protocol unix,inet,inet6 | ||
| 16 | |||
| 17 | private-bin skanlite | ||
| 18 | # private-dev | ||
| 19 | # private-tmp | ||
| 20 | # private-etc | ||
| 21 | |||
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile new file mode 100644 index 000000000..485bd8f3b --- /dev/null +++ b/etc/ssh-agent.profile | |||
| @@ -0,0 +1,15 @@ | |||
| 1 | # ssh-agent | ||
| 2 | quiet | ||
| 3 | noblacklist ~/.ssh | ||
| 4 | noblacklist /tmp/ssh-* | ||
| 5 | |||
| 6 | include /etc/firejail/disable-common.inc | ||
| 7 | include /etc/firejail/disable-programs.inc | ||
| 8 | include /etc/firejail/disable-passwdmgr.inc | ||
| 9 | |||
| 10 | caps.drop all | ||
| 11 | netfilter | ||
| 12 | nonewprivs | ||
| 13 | noroot | ||
| 14 | protocol unix,inet,inet6 | ||
| 15 | seccomp | ||
diff --git a/etc/tracker.profile b/etc/tracker.profile new file mode 100644 index 000000000..217631216 --- /dev/null +++ b/etc/tracker.profile | |||
| @@ -0,0 +1,24 @@ | |||
| 1 | # tracker profile | ||
| 2 | |||
| 3 | # Tracker is started by systemd on most systems. Therefore it is not firejailed by default | ||
| 4 | |||
| 5 | include /etc/firejail/disable-common.inc | ||
| 6 | include /etc/firejail/disable-programs.inc | ||
| 7 | include /etc/firejail/disable-devel.inc | ||
| 8 | include /etc/firejail/disable-passwdmgr.inc | ||
| 9 | |||
| 10 | caps.drop all | ||
| 11 | nogroups | ||
| 12 | nonewprivs | ||
| 13 | noroot | ||
| 14 | nosound | ||
| 15 | protocol unix | ||
| 16 | seccomp | ||
| 17 | netfilter | ||
| 18 | shell none | ||
| 19 | tracelog | ||
| 20 | |||
| 21 | # private-bin tracker | ||
| 22 | # private-tmp | ||
| 23 | # private-dev | ||
| 24 | # private-etc fonts | ||
diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile new file mode 100644 index 000000000..88ded649c --- /dev/null +++ b/etc/transmission-cli.profile | |||
| @@ -0,0 +1,24 @@ | |||
| 1 | # transmission-cli bittorrent profile | ||
| 2 | noblacklist ${HOME}/.config/transmission | ||
| 3 | noblacklist ${HOME}/.cache/transmission | ||
| 4 | |||
| 5 | include /etc/firejail/disable-common.inc | ||
| 6 | include /etc/firejail/disable-programs.inc | ||
| 7 | include /etc/firejail/disable-devel.inc | ||
| 8 | include /etc/firejail/disable-passwdmgr.inc | ||
| 9 | |||
| 10 | caps.drop all | ||
| 11 | netfilter | ||
| 12 | net none | ||
| 13 | nonewprivs | ||
| 14 | noroot | ||
| 15 | nosound | ||
| 16 | protocol unix | ||
| 17 | seccomp | ||
| 18 | shell none | ||
| 19 | tracelog | ||
| 20 | |||
| 21 | #private-bin transmission-cli | ||
| 22 | private-tmp | ||
| 23 | private-dev | ||
| 24 | private-etc none | ||
diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile new file mode 100644 index 000000000..5e5284b34 --- /dev/null +++ b/etc/transmission-show.profile | |||
| @@ -0,0 +1,24 @@ | |||
| 1 | # transmission-show profile | ||
| 2 | noblacklist ${HOME}/.config/transmission | ||
| 3 | noblacklist ${HOME}/.cache/transmission | ||
| 4 | |||
| 5 | include /etc/firejail/disable-common.inc | ||
| 6 | include /etc/firejail/disable-programs.inc | ||
| 7 | include /etc/firejail/disable-devel.inc | ||
| 8 | include /etc/firejail/disable-passwdmgr.inc | ||
| 9 | |||
| 10 | caps.drop all | ||
| 11 | netfilter | ||
| 12 | net none | ||
| 13 | nonewprivs | ||
| 14 | noroot | ||
| 15 | nosound | ||
| 16 | protocol unix | ||
| 17 | seccomp | ||
| 18 | shell none | ||
| 19 | tracelog | ||
| 20 | |||
| 21 | # private-bin | ||
| 22 | private-tmp | ||
| 23 | private-dev | ||
| 24 | private-etc none | ||
diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile index 49f8f8b24..36a1e0704 100644 --- a/etc/virtualbox.profile +++ b/etc/virtualbox.profile | |||
| @@ -1,5 +1,4 @@ | |||
| 1 | # VirtualBox profile | 1 | # VirtualBox profile |
| 2 | |||
| 3 | noblacklist ${HOME}/.VirtualBox | 2 | noblacklist ${HOME}/.VirtualBox |
| 4 | noblacklist ${HOME}/VirtualBox VMs | 3 | noblacklist ${HOME}/VirtualBox VMs |
| 5 | noblacklist ${HOME}/.config/VirtualBox | 4 | noblacklist ${HOME}/.config/VirtualBox |
diff --git a/etc/w3m.profile b/etc/w3m.profile new file mode 100644 index 000000000..d765217cf --- /dev/null +++ b/etc/w3m.profile | |||
| @@ -0,0 +1,23 @@ | |||
| 1 | # w3m profile | ||
| 2 | noblacklist ~/.w3m | ||
| 3 | |||
| 4 | include /etc/firejail/disable-common.inc | ||
| 5 | include /etc/firejail/disable-programs.inc | ||
| 6 | include /etc/firejail/disable-devel.inc | ||
| 7 | include /etc/firejail/disable-passwdmgr.inc | ||
| 8 | |||
| 9 | caps.drop all | ||
| 10 | nogroups | ||
| 11 | nonewprivs | ||
| 12 | noroot | ||
| 13 | nosound | ||
| 14 | protocol unix,inet,inet6 | ||
| 15 | seccomp | ||
| 16 | netfilter | ||
| 17 | shell none | ||
| 18 | tracelog | ||
| 19 | |||
| 20 | # private-bin w3m | ||
| 21 | private-tmp | ||
| 22 | private-dev | ||
| 23 | private-etc none | ||
diff --git a/etc/wire.profile b/etc/wire.profile index c84b4cc28..ec8ed8771 100644 --- a/etc/wire.profile +++ b/etc/wire.profile | |||
| @@ -1,5 +1,4 @@ | |||
| 1 | # wire messenger profile | 1 | # wire messenger profile |
| 2 | |||
| 3 | noblacklist ~/.config/Wire | 2 | noblacklist ~/.config/Wire |
| 4 | noblacklist ~/.config/wire | 3 | noblacklist ~/.config/wire |
| 5 | 4 | ||
diff --git a/etc/xfburn.profile b/etc/xfburn.profile new file mode 100644 index 000000000..1dd24aa61 --- /dev/null +++ b/etc/xfburn.profile | |||
| @@ -0,0 +1,23 @@ | |||
| 1 | # xfburn profile | ||
| 2 | noblacklist ~/.config/xfburn | ||
| 3 | |||
| 4 | include /etc/firejail/disable-common.inc | ||
| 5 | include /etc/firejail/disable-programs.inc | ||
| 6 | include /etc/firejail/disable-devel.inc | ||
| 7 | include /etc/firejail/disable-passwdmgr.inc | ||
| 8 | |||
| 9 | caps.drop all | ||
| 10 | nogroups | ||
| 11 | nonewprivs | ||
| 12 | noroot | ||
| 13 | nosound | ||
| 14 | protocol unix | ||
| 15 | seccomp | ||
| 16 | netfilter | ||
| 17 | shell none | ||
| 18 | tracelog | ||
| 19 | |||
| 20 | # private-bin xfburn | ||
| 21 | # private-tmp | ||
| 22 | # private-dev | ||
| 23 | # private-etc fonts | ||
diff --git a/etc/xpra.profile b/etc/xpra.profile new file mode 100644 index 000000000..8584e4e5b --- /dev/null +++ b/etc/xpra.profile | |||
| @@ -0,0 +1,21 @@ | |||
| 1 | # xpra profile | ||
| 2 | include /etc/firejail/disable-common.inc | ||
| 3 | include /etc/firejail/disable-programs.inc | ||
| 4 | include /etc/firejail/disable-devel.inc | ||
| 5 | include /etc/firejail/disable-passwdmgr.inc | ||
| 6 | |||
| 7 | caps.drop all | ||
| 8 | netfilter | ||
| 9 | nogroups | ||
| 10 | nonewprivs | ||
| 11 | noroot | ||
| 12 | nosound | ||
| 13 | shell none | ||
| 14 | seccomp | ||
| 15 | protocol unix,inet,inet6 | ||
| 16 | |||
| 17 | # private-bin | ||
| 18 | private-dev | ||
| 19 | private-tmp | ||
| 20 | # private-etc | ||
| 21 | |||
diff --git a/etc/xviewer.profile b/etc/xviewer.profile index cbb59d16e..ca380b4c7 100644 --- a/etc/xviewer.profile +++ b/etc/xviewer.profile | |||
| @@ -1,3 +1,4 @@ | |||
| 1 | # xviewer profile | ||
| 1 | noblacklist ~/.config/xviewer | 2 | noblacklist ~/.config/xviewer |
| 2 | 3 | ||
| 3 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
diff --git a/etc/zoom.profile b/etc/zoom.profile index f5831dd88..4c08868cf 100644 --- a/etc/zoom.profile +++ b/etc/zoom.profile | |||
| @@ -1,5 +1,4 @@ | |||
| 1 | # Firejail profile for zoom.us | 1 | # Firejail profile for zoom.us |
| 2 | |||
| 3 | noblacklist ~/.config/zoomus.conf | 2 | noblacklist ~/.config/zoomus.conf |
| 4 | 3 | ||
| 5 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |