mainline merge

author: startx2017 <vradu.startx@yandex.com> 2018-09-04 07:29:09 -0400
committer: startx2017 <vradu.startx@yandex.com> 2018-09-04 07:29:09 -0400
commit: d8c567ea0c6dc7d6d4722c1c7d0067113303948d (patch)
tree: abe4a87ca7ca89b7c137417abae8381e250d1220 /etc
parent: merge from mainline (diff)
download: firejail-d8c567ea0c6dc7d6d4722c1c7d0067113303948d.tar.gz
firejail-d8c567ea0c6dc7d6d4722c1c7d0067113303948d.tar.zst
firejail-d8c567ea0c6dc7d6d4722c1c7d0067113303948d.zip
14 files changed, 271 insertions, 69 deletions
diff --git a/etc/0ad.profile b/etc/0ad.profile
index f5c3491ff..f9320f6c7 100644
--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -39,6 +39,7 @@ shell none
 tracelog
 disable-mnt
+private-bin 0ad,pyrogenesis,sh,which
 private-dev
 private-tmp
diff --git a/etc/JDownloader.profile b/etc/JDownloader.profile
new file mode 100644
index 000000000..659a41603
--- /dev/null
+++ b/etc/JDownloader.profile
@@ -0,0 +1,51 @@
+# Firejail profile for JDownloader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/JDownloader.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.jd
+# Allow access to java
+noblacklist ${PATH}/java
+noblacklist /usr/lib/java
+noblacklist /etc/java
+noblacklist /usr/share/java
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-xdg.inc
+mkdir ${HOME}/.jd
+whitelist ${HOME}/.jd
+whitelist ${DOWNLOADS}
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+private-cache
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/awesome.profile b/etc/awesome.profile
new file mode 100644
index 000000000..49c1a4aad
--- /dev/null
+++ b/etc/awesome.profile
@@ -0,0 +1,19 @@
+# Firejail profile for awesome
+# Description: Standards-compliant, fast, light-weight and extensible window manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/awesome.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+# all applications started in awesome will run in this profile
+noblacklist ${HOME}/.config/awesome
+include /etc/firejail/disable-common.inc
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
+read-only ${HOME}/.config/awesome/autorun.sh
diff --git a/etc/blackbox.profile b/etc/blackbox.profile
new file mode 100644
index 000000000..2672c812a
--- /dev/null
+++ b/etc/blackbox.profile
@@ -0,0 +1,18 @@
+# Firejail profile for blackbox
+# Description: Standards-compliant, fast, light-weight and extensible window manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/blackbox.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+# all applications started in awesome will run in this profile
+noblacklist ${HOME}/.blackbox
+include /etc/firejail/disable-common.inc
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/dig.profile b/etc/dig.profile
new file mode 100644
index 000000000..4b6ab0975
--- /dev/null
+++ b/etc/dig.profile
@@ -0,0 +1,47 @@
+quiet
+# Firejail profile for dig
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/dig.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+include /etc/firejail/disable-common.inc
+# include /etc/firejail/disable-devel.inc
+# include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+#include /etc/firejail/disable-xdg.inc
+whitelist ~/.digrc
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+caps.drop all
+# ipc-namespace
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+disable-mnt
+private
+private-bin sh,bash,dig
+private-cache
+private-dev
+# private-etc resolv.conf
+private-lib
+private-tmp
+memory-deny-write-execute
+# noexec ${HOME}
+# noexec /tmp
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 0c295ae6d..94254931e 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -17,14 +17,17 @@ blacklist-nolog /tmp/clipmenu*
 # X11 session autostart
 # blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs
 blacklist ${HOME}/.Xsession
+blacklist ${HOME}/.blackbox
 blacklist ${HOME}/.config/autostart
 blacklist ${HOME}/.config/autostart-scripts
+blacklist ${HOME}/.config/awesome
+blacklist ${HOME}/.config/i3
 blacklist ${HOME}/.config/lxsession/LXDE/autostart
 blacklist ${HOME}/.config/openbox
 blacklist ${HOME}/.config/plasma-workspace
 blacklist ${HOME}/.config/startupconfig
 blacklist ${HOME}/.config/startupconfigkeys
-blacklist ${HOME}/.fluxbox/startup
+blacklist ${HOME}/.fluxbox
 blacklist ${HOME}/.gnomerc
 blacklist ${HOME}/.kde/Autostart
 blacklist ${HOME}/.kde/env
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index d685fceed..1213e4f24 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -287,6 +287,7 @@ blacklist ${HOME}/.inkscape
 blacklist ${HOME}/.jack-server
 blacklist ${HOME}/.jack-settings
 blacklist ${HOME}/.java
+blacklist ${HOME}/.jd
 blacklist ${HOME}/.jitsi
 blacklist ${HOME}/.kde/share/apps/digikam
 blacklist ${HOME}/.kde/share/apps/gwenview
diff --git a/etc/evince.profile b/etc/evince.profile
index 94f706440..2ade9c6f6 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -23,7 +23,7 @@ machine-id
 # net none breaks AppArmor on Ubuntu systems
 netfilter
 no3d
-# nodbus
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/firejail-default b/etc/firejail-default
index 09dc896e6..c4107270c 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -22,42 +22,30 @@ dbus,
 ##########
 # With ptrace it is possible to inspect and hijack running programs. Usually this
-# is needed only for debugging. To allow ptrace, uncomment the following line
+# is needed only for debugging. To allow ptrace, uncomment the following line.
 ##########
 #ptrace,
 ##########
-# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes
+# Allow read access to whole filesystem and control it from firejail.
 ##########
-/ r,
+/{,**} rklm,
-/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,
-/run/firejail/mnt/oroot/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,
-/{,var/}run/ r,
+##########
-/{,var/}run/** r,
+# Allow write access to paths writable in firejail which aren't used for
-/run/firejail/mnt/oroot/{,var/}run/ r,
+# executing programs. /run, /proc and /sys are handled separately.
-/run/firejail/mnt/oroot/{,var/}run/** r,
+# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes.
+##########
-owner /{,var/}run/user/[0-9]*/** rw,
+/{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var}/** w,
-owner /{,var/}run/user/[0-9]*/*.slave-socket rwl,
-owner /{,var/}run/user/[0-9]*/orcexec.* rwkm,
-owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]*/** rw,
-owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]*/*.slave-socket rwl,
-owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]*/orcexec.* rwkm,
-/{,var/}run/firejail/mnt/fslogger r,
+##########
-/{,var/}run/firejail/appimage r,
+# Whitelist writable paths under /run, /proc and /sys.
-/{,var/}run/firejail/appimage/** r,
+##########
-/{,var/}run/firejail/appimage/** ix,
+owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w,
-/run/firejail/mnt/oroot/{,var/}run/firejail/mnt/fslogger r,
+owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/*.slave-socket w,
-/run/firejail/mnt/oroot/{,var/}run/firejail/appimage r,
+owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/orcexec.* w,
-/run/firejail/mnt/oroot/{,var/}run/firejail/appimage/** r,
-/run/firejail/mnt/oroot/{,var/}run/firejail/appimage/** ix,
-/{run,dev}/shm/ r,
+owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,
-owner /{run,dev}/shm/** rmwk,
-/run/firejail/mnt/oroot/{run,dev}/shm/ r,
-owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 # Allow logging Firejail blacklist violations to journal
 /{,var/}run/systemd/journal/socket w,
@@ -66,58 +54,41 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 # Needed for wine
 /{,var/}run/firejail/profile/@{PID} w,
-##########
+# Allow access to cups printing socket.
-# Allow /proc and /sys read-only access.
+/{,var/}run/cups/cups.sock w,
-# Blacklisting is controlled from userspace Firejail.
-##########
+# Needed for firefox sandbox
-/proc/ r,
-/proc/** r,
 /proc/[0-9]*/{uid_map,gid_map,setgroups} w,
-# Uncomment to silence all denied write warnings
-#deny /proc/** w,
+# Silence noise
 deny /proc/@{PID}/oom_adj w,
 deny /proc/@{PID}/oom_score_adj w,
-/sys/ r,
-/sys/** r,
 # Uncomment to silence all denied write warnings
-#deny /sys/** w,
+#deny /proc/** w,
-# Blacklist snapshots
+# Uncomment to silence all denied write warnings
-deny /**/.snapshots/ rwx,
+#deny /sys/** w,
 ##########
 # Allow running programs only from well-known system directories. If you need
 # to run programs from your home directory, uncomment /home line.
 ##########
-/lib/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix,
-/lib64/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix,
-/bin/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix,
-/sbin/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64}/** ix,
-/usr/bin/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix,
-/usr/sbin/** ix,
+#/{,run/firejail/mnt/oroot/}home/** ix,
-/usr/local/** ix,
-/usr/lib/** ix,
+# Appimage support
-/usr/lib64/** ix,
+/{,run/firejail/mnt/oroot/}{,var/}run/firejail/appimage/** ix,
-/usr/games/** ix,
-/opt/** ix,
-#/home/** ix,
-/run/firejail/mnt/oroot/lib/** ix,
-/run/firejail/mnt/oroot/lib64/** ix,
-/run/firejail/mnt/oroot/bin/** ix,
-/run/firejail/mnt/oroot/sbin/** ix,
-/run/firejail/mnt/oroot/usr/bin/** ix,
-/run/firejail/mnt/oroot/usr/sbin/** ix,
-/run/firejail/mnt/oroot/usr/local/** ix,
-/run/firejail/mnt/oroot/usr/lib/** ix,
-/run/firejail/mnt/oroot/usr/lib64/** ix,
-/run/firejail/mnt/oroot/usr/games/** ix,
-/run/firejail/mnt/oroot/opt/** ix,
 ##########
-# Allow access to cups printing socket.
+# Blacklist specific sensitive paths.
 ##########
-/run/cups/cups.sock w,
+# Common backup directory
+deny /**/.snapshots/ rwx,
 ##########
 # Allow all networking functionality, and control it from Firejail.
diff --git a/etc/fluxbox.profile b/etc/fluxbox.profile
new file mode 100644
index 000000000..5fafef95a
--- /dev/null
+++ b/etc/fluxbox.profile
@@ -0,0 +1,18 @@
+# Firejail profile for fluxbox
+# Description: Standards-compliant, fast, light-weight and extensible window manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/fluxbox.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+# all applications started in awesome will run in this profile
+noblacklist ${HOME}/.fluxbox
+include /etc/firejail/disable-common.inc
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/i3.profile b/etc/i3.profile
new file mode 100644
index 000000000..efbc1f6e7
--- /dev/null
+++ b/etc/i3.profile
@@ -0,0 +1,18 @@
+# Firejail profile for i3
+# Description: Standards-compliant, fast, light-weight and extensible window manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/i3.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+# all applications started in awesome will run in this profile
+noblacklist ${HOME}/.config/i3
+include /etc/firejail/disable-common.inc
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/jdownloader.profile b/etc/jdownloader.profile
new file mode 100644
index 000000000..dbcc85e8d
--- /dev/null
+++ b/etc/jdownloader.profile
@@ -0,0 +1,10 @@
+# Firejail profile for jdownloader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/jdownloader.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+# Redirect
+include /etc/firejail/JDownloader.profile
diff --git a/etc/spotify.profile b/etc/spotify.profile
index 4e2718c95..3adf3183c 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -45,7 +45,7 @@ tracelog
 disable-mnt
 private-bin spotify,bash,sh,zenity
 private-dev
-private-etc fonts,group,ld.so.cache,machine-id,pulse,resolv.conf,ca-certificates,ssl,pki,crypto-policies
+private-etc fonts,group,ld.so.cache,machine-id,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies
 private-opt spotify
 private-tmp
diff --git a/etc/whois.profile b/etc/whois.profile
new file mode 100644
index 000000000..3ef2e1476
--- /dev/null
+++ b/etc/whois.profile
@@ -0,0 +1,45 @@
+quiet
+# Firejail profile for whois
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/whois.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+include /etc/firejail/disable-common.inc
+# include /etc/firejail/disable-devel.inc
+# include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+#include /etc/firejail/disable-xdg.inc
+include /etc/firejail/whitelist-var-common.inc
+caps.drop all
+# ipc-namespace
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol inet,inet6
+seccomp
+shell none
+disable-mnt
+private
+private-bin sh,bash,whois
+private-cache
+private-dev
+# private-etc hosts,services,whois.conf
+private-lib
+private-tmp
+memory-deny-write-execute
+# noexec ${HOME}
+# noexec /tmp
author	startx2017 <vradu.startx@yandex.com>	2018-09-04 07:29:09 -0400
committer	startx2017 <vradu.startx@yandex.com>	2018-09-04 07:29:09 -0400
commit	d8c567ea0c6dc7d6d4722c1c7d0067113303948d (patch)
tree	abe4a87ca7ca89b7c137417abae8381e250d1220 /etc
parent	merge from mainline (diff)
download	firejail-d8c567ea0c6dc7d6d4722c1c7d0067113303948d.tar.gz firejail-d8c567ea0c6dc7d6d4722c1c7d0067113303948d.tar.zst firejail-d8c567ea0c6dc7d6d4722c1c7d0067113303948d.zip

diff --git a/etc/0ad.profile b/etc/0ad.profile index f5c3491ff..f9320f6c7 100644 --- a/etc/0ad.profile +++ b/etc/0ad.profile
@@ -39,6 +39,7 @@ shell none
39	tracelog	39	tracelog
40		40
41	disable-mnt	41	disable-mnt
		42	private-bin 0ad,pyrogenesis,sh,which
42	private-dev	43	private-dev
43	private-tmp	44	private-tmp
44		45


diff --git a/etc/JDownloader.profile b/etc/JDownloader.profile new file mode 100644 index 000000000..659a41603 --- /dev/null +++ b/etc/JDownloader.profile
@@ -0,0 +1,51 @@
		1	# Firejail profile for JDownloader
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include /etc/firejail/JDownloader.local
		5	# Persistent global definitions
		6	include /etc/firejail/globals.local
		7
		8
		9	noblacklist ${HOME}/.jd
		10
		11	# Allow access to java
		12	noblacklist ${PATH}/java
		13	noblacklist /usr/lib/java
		14	noblacklist /etc/java
		15	noblacklist /usr/share/java
		16
		17	include /etc/firejail/disable-common.inc
		18	include /etc/firejail/disable-devel.inc
		19	include /etc/firejail/disable-interpreters.inc
		20	include /etc/firejail/disable-passwdmgr.inc
		21	include /etc/firejail/disable-programs.inc
		22	include /etc/firejail/disable-xdg.inc
		23
		24	mkdir ${HOME}/.jd
		25	whitelist ${HOME}/.jd
		26	whitelist ${DOWNLOADS}
		27	include /etc/firejail/whitelist-common.inc
		28	include /etc/firejail/whitelist-var-common.inc
		29
		30	caps.drop all
		31	ipc-namespace
		32	netfilter
		33	no3d
		34	nodbus
		35	nodvd
		36	nogroups
		37	nonewprivs
		38	noroot
		39	nosound
		40	notv
		41	novideo
		42	protocol unix,inet,inet6
		43	seccomp
		44	shell none
		45
		46	private-cache
		47	private-dev
		48	private-tmp
		49
		50	noexec ${HOME}
		51	noexec /tmp


diff --git a/etc/awesome.profile b/etc/awesome.profile new file mode 100644 index 000000000..49c1a4aad --- /dev/null +++ b/etc/awesome.profile
@@ -0,0 +1,19 @@
		1	# Firejail profile for awesome
		2	# Description: Standards-compliant, fast, light-weight and extensible window manager
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include /etc/firejail/awesome.local
		6	# Persistent global definitions
		7	include /etc/firejail/globals.local
		8
		9	# all applications started in awesome will run in this profile
		10	noblacklist ${HOME}/.config/awesome
		11	include /etc/firejail/disable-common.inc
		12
		13	caps.drop all
		14	netfilter
		15	noroot
		16	protocol unix,inet,inet6
		17	seccomp
		18
		19	read-only ${HOME}/.config/awesome/autorun.sh


diff --git a/etc/blackbox.profile b/etc/blackbox.profile new file mode 100644 index 000000000..2672c812a --- /dev/null +++ b/etc/blackbox.profile
@@ -0,0 +1,18 @@
		1	# Firejail profile for blackbox
		2	# Description: Standards-compliant, fast, light-weight and extensible window manager
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include /etc/firejail/blackbox.local
		6	# Persistent global definitions
		7	include /etc/firejail/globals.local
		8
		9	# all applications started in awesome will run in this profile
		10	noblacklist ${HOME}/.blackbox
		11	include /etc/firejail/disable-common.inc
		12
		13	caps.drop all
		14	netfilter
		15	noroot
		16	protocol unix,inet,inet6
		17	seccomp
		18


diff --git a/etc/dig.profile b/etc/dig.profile new file mode 100644 index 000000000..4b6ab0975 --- /dev/null +++ b/etc/dig.profile
@@ -0,0 +1,47 @@
		1	quiet
		2	# Firejail profile for dig
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include /etc/firejail/dig.local
		6	# Persistent global definitions
		7	include /etc/firejail/globals.local
		8
		9	include /etc/firejail/disable-common.inc
		10	# include /etc/firejail/disable-devel.inc
		11	# include /etc/firejail/disable-interpreters.inc
		12	include /etc/firejail/disable-passwdmgr.inc
		13	include /etc/firejail/disable-programs.inc
		14	#include /etc/firejail/disable-xdg.inc
		15
		16	whitelist ~/.digrc
		17	include /etc/firejail/whitelist-common.inc
		18	include /etc/firejail/whitelist-var-common.inc
		19
		20	caps.drop all
		21	# ipc-namespace
		22	netfilter
		23	no3d
		24	nodbus
		25	nodvd
		26	nogroups
		27	nonewprivs
		28	noroot
		29	nosound
		30	notv
		31	novideo
		32	protocol unix,inet,inet6
		33	seccomp
		34	shell none
		35
		36	disable-mnt
		37	private
		38	private-bin sh,bash,dig
		39	private-cache
		40	private-dev
		41	# private-etc resolv.conf
		42	private-lib
		43	private-tmp
		44
		45	memory-deny-write-execute
		46	# noexec ${HOME}
		47	# noexec /tmp


diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 0c295ae6d..94254931e 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc
@@ -17,14 +17,17 @@ blacklist-nolog /tmp/clipmenu*
17	# X11 session autostart	17	# X11 session autostart
18	# blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs	18	# blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs
19	blacklist ${HOME}/.Xsession	19	blacklist ${HOME}/.Xsession
		20	blacklist ${HOME}/.blackbox
20	blacklist ${HOME}/.config/autostart	21	blacklist ${HOME}/.config/autostart
21	blacklist ${HOME}/.config/autostart-scripts	22	blacklist ${HOME}/.config/autostart-scripts
		23	blacklist ${HOME}/.config/awesome
		24	blacklist ${HOME}/.config/i3
22	blacklist ${HOME}/.config/lxsession/LXDE/autostart	25	blacklist ${HOME}/.config/lxsession/LXDE/autostart
23	blacklist ${HOME}/.config/openbox	26	blacklist ${HOME}/.config/openbox
24	blacklist ${HOME}/.config/plasma-workspace	27	blacklist ${HOME}/.config/plasma-workspace
25	blacklist ${HOME}/.config/startupconfig	28	blacklist ${HOME}/.config/startupconfig
26	blacklist ${HOME}/.config/startupconfigkeys	29	blacklist ${HOME}/.config/startupconfigkeys
27	blacklist ${HOME}/.fluxbox/startup	30	blacklist ${HOME}/.fluxbox
28	blacklist ${HOME}/.gnomerc	31	blacklist ${HOME}/.gnomerc
29	blacklist ${HOME}/.kde/Autostart	32	blacklist ${HOME}/.kde/Autostart
30	blacklist ${HOME}/.kde/env	33	blacklist ${HOME}/.kde/env


diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index d685fceed..1213e4f24 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc
@@ -287,6 +287,7 @@ blacklist ${HOME}/.inkscape
287	blacklist ${HOME}/.jack-server	287	blacklist ${HOME}/.jack-server
288	blacklist ${HOME}/.jack-settings	288	blacklist ${HOME}/.jack-settings
289	blacklist ${HOME}/.java	289	blacklist ${HOME}/.java
		290	blacklist ${HOME}/.jd
290	blacklist ${HOME}/.jitsi	291	blacklist ${HOME}/.jitsi
291	blacklist ${HOME}/.kde/share/apps/digikam	292	blacklist ${HOME}/.kde/share/apps/digikam
292	blacklist ${HOME}/.kde/share/apps/gwenview	293	blacklist ${HOME}/.kde/share/apps/gwenview


diff --git a/etc/evince.profile b/etc/evince.profile index 94f706440..2ade9c6f6 100644 --- a/etc/evince.profile +++ b/etc/evince.profile
@@ -23,7 +23,7 @@ machine-id
23	# net none breaks AppArmor on Ubuntu systems	23	# net none breaks AppArmor on Ubuntu systems
24	netfilter	24	netfilter
25	no3d	25	no3d
26	# nodbus	26	nodbus
27	nodvd	27	nodvd
28	nogroups	28	nogroups
29	nonewprivs	29	nonewprivs


diff --git a/etc/firejail-default b/etc/firejail-default index 09dc896e6..c4107270c 100644 --- a/etc/firejail-default +++ b/etc/firejail-default
@@ -22,42 +22,30 @@ dbus,
22		22
23	##########	23	##########
24	# With ptrace it is possible to inspect and hijack running programs. Usually this	24	# With ptrace it is possible to inspect and hijack running programs. Usually this
25	# is needed only for debugging. To allow ptrace, uncomment the following line	25	# is needed only for debugging. To allow ptrace, uncomment the following line.
26	##########	26	##########
27	#ptrace,	27	#ptrace,
28		28
29	##########	29	##########
30	# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes	30	# Allow read access to whole filesystem and control it from firejail.
31	##########	31	##########
32	/ r,	32	/{,**} rklm,
33	/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,
34	/run/firejail/mnt/oroot/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,
35		33
36	/{,var/}run/ r,	34	##########
37	/{,var/}run/** r,	35	# Allow write access to paths writable in firejail which aren't used for
38	/run/firejail/mnt/oroot/{,var/}run/ r,	36	# executing programs. /run, /proc and /sys are handled separately.
39	/run/firejail/mnt/oroot/{,var/}run/** r,	37	# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes.
40		38	##########
41	owner /{,var/}run/user/[0-9]/* rw,	39	/{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var}/** w,
42	owner /{,var/}run/user/[0-9]/.slave-socket rwl,
43	owner /{,var/}run/user/[0-9]/orcexec. rwkm,
44	owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]/* rw,
45	owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]/.slave-socket rwl,
46	owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]/orcexec. rwkm,
47		40
48	/{,var/}run/firejail/mnt/fslogger r,	41	##########
49	/{,var/}run/firejail/appimage r,	42	# Whitelist writable paths under /run, /proc and /sys.
50	/{,var/}run/firejail/appimage/** r,	43	##########
51	/{,var/}run/firejail/appimage/** ix,	44	owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]/* w,
52	/run/firejail/mnt/oroot/{,var/}run/firejail/mnt/fslogger r,	45	owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]/.slave-socket w,
53	/run/firejail/mnt/oroot/{,var/}run/firejail/appimage r,	46	owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]/orcexec. w,
54	/run/firejail/mnt/oroot/{,var/}run/firejail/appimage/** r,
55	/run/firejail/mnt/oroot/{,var/}run/firejail/appimage/** ix,
56		47
57	/{run,dev}/shm/ r,	48	owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,
58	owner /{run,dev}/shm/** rmwk,
59	/run/firejail/mnt/oroot/{run,dev}/shm/ r,
60	owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
61		49
62	# Allow logging Firejail blacklist violations to journal	50	# Allow logging Firejail blacklist violations to journal
63	/{,var/}run/systemd/journal/socket w,	51	/{,var/}run/systemd/journal/socket w,
@@ -66,58 +54,41 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
66	# Needed for wine	54	# Needed for wine
67	/{,var/}run/firejail/profile/@{PID} w,	55	/{,var/}run/firejail/profile/@{PID} w,
68		56
69	##########	57	# Allow access to cups printing socket.
70	# Allow /proc and /sys read-only access.	58	/{,var/}run/cups/cups.sock w,
71	# Blacklisting is controlled from userspace Firejail.	59
72	##########	60	# Needed for firefox sandbox
73	/proc/ r,
74	/proc/** r,
75	/proc/[0-9]*/{uid_map,gid_map,setgroups} w,	61	/proc/[0-9]*/{uid_map,gid_map,setgroups} w,
76	# Uncomment to silence all denied write warnings	62
77	#deny /proc/** w,	63	# Silence noise
78	deny /proc/@{PID}/oom_adj w,	64	deny /proc/@{PID}/oom_adj w,
79	deny /proc/@{PID}/oom_score_adj w,	65	deny /proc/@{PID}/oom_score_adj w,
80		66
81	/sys/ r,
82	/sys/** r,
83	# Uncomment to silence all denied write warnings	67	# Uncomment to silence all denied write warnings
84	#deny /sys/** w,	68	#deny /proc/** w,
85		69
86	# Blacklist snapshots	70	# Uncomment to silence all denied write warnings
87	deny /**/.snapshots/ rwx,	71	#deny /sys/** w,
88		72
89	##########	73	##########
90	# Allow running programs only from well-known system directories. If you need	74	# Allow running programs only from well-known system directories. If you need
91	# to run programs from your home directory, uncomment /home line.	75	# to run programs from your home directory, uncomment /home line.
92	##########	76	##########
93	/lib/** ix,	77	/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix,
94	/lib64/** ix,	78	/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix,
95	/bin/** ix,	79	/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix,
96	/sbin/** ix,	80	/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64}/** ix,
97	/usr/bin/** ix,	81	/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix,
98	/usr/sbin/** ix,	82	#/{,run/firejail/mnt/oroot/}home/** ix,
99	/usr/local/** ix,	83
100	/usr/lib/** ix,	84	# Appimage support
101	/usr/lib64/** ix,	85	/{,run/firejail/mnt/oroot/}{,var/}run/firejail/appimage/** ix,
102	/usr/games/** ix,
103	/opt/** ix,
104	#/home/** ix,
105	/run/firejail/mnt/oroot/lib/** ix,
106	/run/firejail/mnt/oroot/lib64/** ix,
107	/run/firejail/mnt/oroot/bin/** ix,
108	/run/firejail/mnt/oroot/sbin/** ix,
109	/run/firejail/mnt/oroot/usr/bin/** ix,
110	/run/firejail/mnt/oroot/usr/sbin/** ix,
111	/run/firejail/mnt/oroot/usr/local/** ix,
112	/run/firejail/mnt/oroot/usr/lib/** ix,
113	/run/firejail/mnt/oroot/usr/lib64/** ix,
114	/run/firejail/mnt/oroot/usr/games/** ix,
115	/run/firejail/mnt/oroot/opt/** ix,
116		86
117	##########	87	##########
118	# Allow access to cups printing socket.	88	# Blacklist specific sensitive paths.
119	##########	89	##########
120	/run/cups/cups.sock w,	90	# Common backup directory
		91	deny /**/.snapshots/ rwx,
121		92
122	##########	93	##########
123	# Allow all networking functionality, and control it from Firejail.	94	# Allow all networking functionality, and control it from Firejail.


diff --git a/etc/fluxbox.profile b/etc/fluxbox.profile new file mode 100644 index 000000000..5fafef95a --- /dev/null +++ b/etc/fluxbox.profile
@@ -0,0 +1,18 @@
		1	# Firejail profile for fluxbox
		2	# Description: Standards-compliant, fast, light-weight and extensible window manager
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include /etc/firejail/fluxbox.local
		6	# Persistent global definitions
		7	include /etc/firejail/globals.local
		8
		9	# all applications started in awesome will run in this profile
		10	noblacklist ${HOME}/.fluxbox
		11	include /etc/firejail/disable-common.inc
		12
		13	caps.drop all
		14	netfilter
		15	noroot
		16	protocol unix,inet,inet6
		17	seccomp
		18


diff --git a/etc/i3.profile b/etc/i3.profile new file mode 100644 index 000000000..efbc1f6e7 --- /dev/null +++ b/etc/i3.profile
@@ -0,0 +1,18 @@
		1	# Firejail profile for i3
		2	# Description: Standards-compliant, fast, light-weight and extensible window manager
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include /etc/firejail/i3.local
		6	# Persistent global definitions
		7	include /etc/firejail/globals.local
		8
		9	# all applications started in awesome will run in this profile
		10	noblacklist ${HOME}/.config/i3
		11	include /etc/firejail/disable-common.inc
		12
		13	caps.drop all
		14	netfilter
		15	noroot
		16	protocol unix,inet,inet6
		17	seccomp
		18


diff --git a/etc/jdownloader.profile b/etc/jdownloader.profile new file mode 100644 index 000000000..dbcc85e8d --- /dev/null +++ b/etc/jdownloader.profile
@@ -0,0 +1,10 @@
		1	# Firejail profile for jdownloader
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include /etc/firejail/jdownloader.local
		5	# Persistent global definitions
		6	include /etc/firejail/globals.local
		7
		8
		9	# Redirect
		10	include /etc/firejail/JDownloader.profile


diff --git a/etc/spotify.profile b/etc/spotify.profile index 4e2718c95..3adf3183c 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile
@@ -45,7 +45,7 @@ tracelog
45	disable-mnt	45	disable-mnt
46	private-bin spotify,bash,sh,zenity	46	private-bin spotify,bash,sh,zenity
47	private-dev	47	private-dev
48	private-etc fonts,group,ld.so.cache,machine-id,pulse,resolv.conf,ca-certificates,ssl,pki,crypto-policies	48	private-etc fonts,group,ld.so.cache,machine-id,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies
49	private-opt spotify	49	private-opt spotify
50	private-tmp	50	private-tmp
51		51


diff --git a/etc/whois.profile b/etc/whois.profile new file mode 100644 index 000000000..3ef2e1476 --- /dev/null +++ b/etc/whois.profile
@@ -0,0 +1,45 @@
		1	quiet
		2	# Firejail profile for whois
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include /etc/firejail/whois.local
		6	# Persistent global definitions
		7	include /etc/firejail/globals.local
		8
		9	include /etc/firejail/disable-common.inc
		10	# include /etc/firejail/disable-devel.inc
		11	# include /etc/firejail/disable-interpreters.inc
		12	include /etc/firejail/disable-passwdmgr.inc
		13	include /etc/firejail/disable-programs.inc
		14	#include /etc/firejail/disable-xdg.inc
		15
		16	include /etc/firejail/whitelist-var-common.inc
		17
		18	caps.drop all
		19	# ipc-namespace
		20	netfilter
		21	no3d
		22	nodbus
		23	nodvd
		24	nogroups
		25	nonewprivs
		26	noroot
		27	nosound
		28	notv
		29	novideo
		30	protocol inet,inet6
		31	seccomp
		32	shell none
		33
		34	disable-mnt
		35	private
		36	private-bin sh,bash,whois
		37	private-cache
		38	private-dev
		39	# private-etc hosts,services,whois.conf
		40	private-lib
		41	private-tmp
		42
		43	memory-deny-write-execute
		44	# noexec ${HOME}
		45	# noexec /tmp