authorLibravatar curiosity-seeker <seeker@posteo.org>2016-12-15 12:58:32 +0100
committerLibravatar GitHub <noreply@github.com>2016-12-15 12:58:32 +0100
commitd8ee390a6ca56fde4baad57dea7572c39d595809 (patch)
tree255252b15232086e6f65203cda676859ab4117a0 /etc
parentUpdate quiterss.profile (diff)
parentadded a 1 second delay after xpra server is started (diff)
Merge pull request #1 from netblue30/master
Bring fork up-to-date
Diffstat (limited to 'etc')
-rw-r--r--etc/0ad.profile29
-rw-r--r--etc/7z.profile9
-rw-r--r--etc/Cryptocat.profile20
-rw-r--r--etc/Cyberfox.profile3
-rw-r--r--etc/Mathematica.profile3
-rw-r--r--etc/Telegram.profile2
-rw-r--r--etc/Wire.profile3
-rw-r--r--etc/abrowser.profile17
-rw-r--r--etc/amarok.profile19
-rw-r--r--etc/ark.profile23
-rw-r--r--etc/atom-beta.profile20
-rw-r--r--etc/atom.profile20
-rw-r--r--etc/atool.profile24
-rw-r--r--etc/atril.profile15
-rw-r--r--etc/audacious.profile5
-rw-r--r--etc/audacity.profile21
-rw-r--r--etc/aweather.profile25
-rw-r--r--etc/bitlbee.profile7
-rw-r--r--etc/bleachbit.profile21
-rw-r--r--etc/bless.profile20
-rw-r--r--etc/brasero.profile23
-rw-r--r--etc/brave.profile17
-rw-r--r--etc/cherrytree.profile20
-rw-r--r--etc/chromium.profile5
-rw-r--r--etc/claws-mail.profile23
-rw-r--r--etc/clementine.profile5
-rw-r--r--etc/cmus.profile5
-rw-r--r--etc/conkeror.profile5
-rw-r--r--etc/corebird.profile11
-rw-r--r--etc/cpio.profile21
-rw-r--r--etc/cryptocat.profile1
-rw-r--r--etc/cyberfox.profile49
-rw-r--r--etc/deadbeef.profile5
-rw-r--r--etc/default.profile24
-rw-r--r--etc/deluge.profile13
-rw-r--r--etc/dillo.profile11
-rw-r--r--etc/disable-common.inc102
-rw-r--r--etc/disable-devel.inc38
-rw-r--r--etc/disable-passwdmgr.inc4
-rw-r--r--etc/disable-programs.inc377
-rw-r--r--etc/display.profile23
-rw-r--r--etc/dnscrypt-proxy.profile2
-rw-r--r--etc/dnsmasq.profile8
-rw-r--r--etc/dolphin.profile27
-rw-r--r--etc/dosbox.profile21
-rw-r--r--etc/dragon.profile22
-rw-r--r--etc/dropbox.profile16
-rw-r--r--etc/elinks.profile24
-rw-r--r--etc/emacs.profile16
-rw-r--r--etc/empathy.profile7
-rw-r--r--etc/enchant.profile23
-rw-r--r--etc/eog.profile22
-rw-r--r--etc/eom.profile21
-rw-r--r--etc/epiphany.profile11
-rw-r--r--etc/evince.profile18
-rw-r--r--etc/evolution.profile25
-rw-r--r--etc/exiftool.profile28
-rw-r--r--etc/fbreader.profile10
-rw-r--r--etc/feh.profile21
-rw-r--r--etc/file-roller.profile21
-rw-r--r--etc/file.profile26
-rw-r--r--etc/filezilla.profile12
-rw-r--r--etc/firefox-esr.profile2
-rw-r--r--etc/firefox.profile29
-rw-r--r--etc/firejail-default154
-rw-r--r--etc/firejail.config50
-rw-r--r--etc/flashpeak-slimjet.profile7
-rw-r--r--etc/flowblade.profile13
-rw-r--r--etc/franz.profile24
-rw-r--r--etc/gajim.profile38
-rw-r--r--etc/gedit.profile26
-rw-r--r--etc/gimp.profile20
-rw-r--r--etc/git.profile26
-rw-r--r--etc/gitter.profile20
-rw-r--r--etc/gjs.profile28
-rw-r--r--etc/gnome-2048.profile25
-rw-r--r--etc/gnome-books.profile26
-rw-r--r--etc/gnome-calculator.profile19
-rw-r--r--etc/gnome-chess.profile22
-rw-r--r--etc/gnome-clocks.profile21
-rw-r--r--etc/gnome-contacts.profile19
-rw-r--r--etc/gnome-documents.profile24
-rw-r--r--etc/gnome-maps.profile24
-rw-r--r--etc/gnome-mplayer.profile11
-rw-r--r--etc/gnome-music.profile22
-rw-r--r--etc/gnome-photos.profile26
-rw-r--r--etc/gnome-weather.profile26
-rw-r--r--etc/goobox.profile20
-rw-r--r--etc/google-chrome-beta.profile2
-rw-r--r--etc/google-chrome-unstable.profile2
-rw-r--r--etc/google-chrome.profile2
-rw-r--r--etc/google-play-music-desktop-player.profile18
-rw-r--r--etc/gpa.profile23
-rw-r--r--etc/gpg-agent.profile23
-rw-r--r--etc/gpg.profile24
-rw-r--r--etc/gpredict.profile25
-rw-r--r--etc/gtar.profile3
-rw-r--r--etc/gthumb.profile21
-rw-r--r--etc/gwenview.profile22
-rw-r--r--etc/gzip.profile14
-rw-r--r--etc/hedgewars.profile7
-rw-r--r--etc/hexchat.profile22
-rw-r--r--etc/highlight.profile24
-rw-r--r--etc/icecat.profile50
-rw-r--r--etc/icedove.profile4
-rw-r--r--etc/img2txt.profile24
-rw-r--r--etc/inkscape.profile20
-rw-r--r--etc/inox.profile24
-rw-r--r--etc/jd-gui.profile19
-rw-r--r--etc/jitsi.profile17
-rw-r--r--etc/k3b.profile21
-rw-r--r--etc/kate.profile28
-rw-r--r--etc/keepass.profile21
-rw-r--r--etc/keepass2.profile5
-rw-r--r--etc/keepassx.profile22
-rw-r--r--etc/kmail.profile9
-rw-r--r--etc/konversation.profile14
-rw-r--r--etc/less.profile11
-rw-r--r--etc/libreoffice.profile19
-rw-r--r--etc/localc.profile5
-rw-r--r--etc/lodraw.profile5
-rw-r--r--etc/loffice.profile5
-rw-r--r--etc/lofromtemplate.profile5
-rw-r--r--etc/loimpress.profile5
-rw-r--r--etc/lollypop.profile20
-rw-r--r--etc/lomath.profile5
-rw-r--r--etc/loweb.profile5
-rw-r--r--etc/lowriter.profile5
-rw-r--r--etc/luminance-hdr.profile23
-rw-r--r--etc/lxterminal.profile5
-rw-r--r--etc/lynx.profile22
-rw-r--r--etc/mcabber.profile21
-rw-r--r--etc/mediainfo.profile26
-rw-r--r--etc/midori.profile6
-rw-r--r--etc/mpv.profile18
-rw-r--r--etc/multimc5.profile27
-rw-r--r--etc/mumble.profile26
-rw-r--r--etc/mupdf.profile30
-rw-r--r--etc/mupen64plus.profile8
-rw-r--r--etc/mutt.profile40
-rw-r--r--etc/nautilus.profile26
-rw-r--r--etc/netsurf.profile29
-rw-r--r--etc/nolocal.net3
-rw-r--r--etc/odt2txt.profile24
-rw-r--r--etc/okular.profile25
-rw-r--r--etc/openbox.profile5
-rw-r--r--etc/openshot.profile13
-rw-r--r--etc/opera-beta.profile2
-rw-r--r--etc/opera.profile2
-rw-r--r--etc/palemoon.profile34
-rw-r--r--etc/parole.profile5
-rw-r--r--etc/pdfsam.profile17
-rw-r--r--etc/pdftotext.profile22
-rw-r--r--etc/pidgin.profile16
-rw-r--r--etc/pithos.profile19
-rw-r--r--etc/pix.profile22
-rw-r--r--etc/pluma.profile21
-rw-r--r--etc/polari.profile12
-rw-r--r--etc/psi-plus.profile22
-rw-r--r--etc/qbittorrent.profile11
-rw-r--r--etc/qemu-launcher.profile19
-rw-r--r--etc/qemu-system-x86_64.profile17
-rw-r--r--etc/qpdfview.profile22
-rw-r--r--etc/qtox.profile14
-rw-r--r--etc/quassel.profile5
-rw-r--r--etc/qutebrowser.profile11
-rw-r--r--etc/ranger.profile24
-rw-r--r--etc/rhythmbox.profile14
-rw-r--r--etc/rtorrent.profile10
-rw-r--r--etc/seamonkey.profile17
-rw-r--r--etc/server.profile8
-rw-r--r--etc/simple-scan.profile23
-rw-r--r--etc/skanlite.profile21
-rw-r--r--etc/skype.profile3
-rw-r--r--etc/skypeforlinux.profile11
-rw-r--r--etc/slack.profile31
-rw-r--r--etc/snap.profile12
-rw-r--r--etc/soffice.profile5
-rw-r--r--etc/spotify.profile33
-rw-r--r--etc/ssh-agent.profile16
-rw-r--r--etc/ssh.profile8
-rw-r--r--etc/start-tor-browser.profile20
-rw-r--r--etc/steam.profile3
-rw-r--r--etc/stellarium.profile28
-rw-r--r--etc/strings.profile11
-rw-r--r--etc/synfigstudio.profile19
-rw-r--r--etc/tar.profile18
-rw-r--r--etc/telegram.profile11
-rw-r--r--etc/thunderbird.profile4
-rw-r--r--etc/totem.profile8
-rw-r--r--etc/tracker.profile24
-rw-r--r--etc/transmission-cli.profile23
-rw-r--r--etc/transmission-gtk.profile14
-rw-r--r--etc/transmission-qt.profile14
-rw-r--r--etc/transmission-show.profile24
-rw-r--r--etc/uget-gtk.profile12
-rw-r--r--etc/unbound.profile1
-rw-r--r--etc/unrar.profile18
-rw-r--r--etc/unzip.profile16
-rw-r--r--etc/uudeview.profile15
-rw-r--r--etc/vim.profile16
-rw-r--r--etc/virtualbox.profile12
-rw-r--r--etc/vivaldi.profile2
-rw-r--r--etc/vlc.profile13
-rw-r--r--etc/w3m.profile23
-rw-r--r--etc/warzone2100.profile26
-rw-r--r--etc/weechat.profile10
-rw-r--r--etc/wesnoth.profile12
-rw-r--r--etc/wget.profile22
-rw-r--r--etc/whitelist-common.inc12
-rw-r--r--etc/wine.profile1
-rw-r--r--etc/wire.profile23
-rw-r--r--etc/wireshark.profile22
-rw-r--r--etc/xchat.profile7
-rw-r--r--etc/xed.profile21
-rw-r--r--etc/xfburn.profile23
-rw-r--r--etc/xiphos.profile30
-rw-r--r--etc/xonotic-glx.profile5
-rw-r--r--etc/xonotic-sdl.profile5
-rw-r--r--etc/xonotic.profile25
-rw-r--r--etc/xpdf.profile (renamed from etc/generic.profile)15
-rw-r--r--etc/xplayer.profile22
-rw-r--r--etc/xpra.profile21
-rw-r--r--etc/xreader.profile23
-rw-r--r--etc/xviewer.profile21
-rw-r--r--etc/xz.profile3
-rw-r--r--etc/xzdec.profile14
-rw-r--r--etc/zathura.profile26
-rw-r--r--etc/zoom.profile22
229 files changed, 4042 insertions, 415 deletions
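diff --git a/etc/0ad.profile b/etc/0ad.profile
index f8a3ce23d..1e7c06879 100644
--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -1,30 +1,31 @@
 # Firejail profile for 0ad.
+noblacklist ~/.cache/0ad
 noblacklist ~/.config/0ad
+noblacklist ~/.local/share/0ad
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
-# Call these options
-caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
-netfilter
-tracelog
-noroot
-
 # Whitelists
-noblacklist ~/.cache/0ad
-mkdir ~/.cache
 mkdir ~/.cache/0ad
 whitelist ~/.cache/0ad
 
-mkdir ~/.config
 mkdir ~/.config/0ad
 whitelist ~/.config/0ad
 
-noblacklist ~/.local/share/0ad
-mkdir ~/.local
-mkdir ~/.local/share
 mkdir ~/.local/share/0ad
 whitelist ~/.local/share/0ad
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-dev
+private-tmp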
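Review bot: The three home directories are whitelisted but, unlike the browser profiles in this commit (abrowser, chromium, cyberfox, dillo), the profile does not `include /etc/firejail/whitelist-common.inc`, which those use to keep the common X11 and desktop files reachable inside a whitelisted home. If 0ad starts and renders fine without it this is only a consistency nit; otherwise add the include after `whitelist ~/.local/share/0ad`. Note that `protocol` dropped `netlink` in this change, which is fine for a game unless it enumerates interfaces for LAN play; `tracelog` will surface that if it happens.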
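diff --git a/etc/7z.profile b/etc/7z.profile
new file mode 100644
index 000000000..0cb72ff8d
--- /dev/null
+++ b/etc/7z.profile
@@ -0,0 +1,9 @@
+# 7zip crompression tool profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+tracelog
+net none
+shell none
+private-dev
+nosound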
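Review bot: `ignore noroot` on line 3 discards the user-namespace isolation that `default.profile` turns on, and nothing in the file records why, for a tool whose whole job is parsing untrusted archives. If the reason is that 7z is commonly invoked as root, where `noroot` presumably cannot be applied, say so next to the line, e.g. `# ignore noroot: 7z is often run as root`, and confirm that is the actual reason before committing the comment. The header also misspells "compression": `# 7zip compression tool profile`.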
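diff --git a/etc/Cryptocat.profile b/etc/Cryptocat.profile
new file mode 100644
index 000000000..3db34c03c
--- /dev/null
+++ b/etc/Cryptocat.profile
@@ -0,0 +1,20 @@
+# Firejail profile for
+noblacklist ${HOME}/.config/Cryptocat
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-dev
+private-tmp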
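Review bot: The header comment on line 1 is cut off — `# Firejail profile for` names no program; `# Firejail profile for Cryptocat` is what the rest of the file implies. Unlike most other profiles in this commit there is also no `tracelog`, which is what lets a user see which blacklisted path the application trips over; adding it costs nothing. Both are documentation and consistency points rather than functional defects.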
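diff --git a/etc/Cyberfox.profile b/etc/Cyberfox.profile
new file mode 100644
index 000000000..1f74606ce
--- /dev/null
+++ b/etc/Cyberfox.profile
@@ -0,0 +1,3 @@
+# Firejail profile for Cyberfox (based on Mozilla Firefox)
+
+include /etc/firejail/cyberfox.profile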
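diff --git a/etc/Mathematica.profile b/etc/Mathematica.profile
index 05131df43..e719f070f 100644
--- a/etc/Mathematica.profile
+++ b/etc/Mathematica.profile
@@ -15,5 +15,6 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-seccomp
+nonewprivs
 noroot
+seccomp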
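diff --git a/etc/Telegram.profile b/etc/Telegram.profile
new file mode 100644
index 000000000..2e0f97821
--- /dev/null
+++ b/etc/Telegram.profile
@@ -0,0 +1,2 @@
+# Telegram IRC profile
+include /etc/firejail/telegram.profile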
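Review bot: The comment `# Telegram IRC profile` is wrong about what the program is — Telegram is an instant-messaging client, not an IRC client — and the label will mislead anyone reading this wrapper. `# Telegram messenger profile` describes the file accurately; it would also be consistent with the `# wire messenger profile` wrapper added in this same commit.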
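diff --git a/etc/Wire.profile b/etc/Wire.profile
new file mode 100644
index 000000000..bd9645c7f
--- /dev/null
+++ b/etc/Wire.profile
@@ -0,0 +1,3 @@
+# wire messenger profile
+
+include /etc/firejail/wire.profile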
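diff --git a/etc/abrowser.profile b/etc/abrowser.profile
index 949635258..481301420 100644
--- a/etc/abrowser.profile
+++ b/etc/abrowser.profile
@@ -1,5 +1,4 @@
 # Firejail profile for Abrowser
-
 noblacklist ~/.mozilla
 noblacklist ~/.cache/mozilla
 include /etc/firejail/disable-common.inc
@@ -7,17 +6,16 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
-tracelog
+nonewprivs
 noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
 
 whitelist ${DOWNLOADS}
 mkdir ~/.mozilla
 whitelist ~/.mozilla
-mkdir ~/.cache
-mkdir ~/.cache/mozilla
 mkdir ~/.cache/mozilla/abrowser
 whitelist ~/.cache/mozilla/abrowser
 whitelist ~/dwhelper
@@ -40,13 +38,12 @@ whitelist ~/.config/lastpass
 
 
 #silverlight
 whitelist ~/.wine-pipelight
 whitelist ~/.wine-pipelight64
 whitelist ~/.config/pipelight-widevine
 whitelist ~/.config/pipelight-silverlight5.1
 
 include /etc/firejail/whitelist-common.inc
 
 # experimental features
 #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
-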
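Review bot: The second hunk drops `mkdir ~/.cache` and `mkdir ~/.cache/mozilla` while keeping `mkdir ~/.cache/mozilla/abrowser`, so the profile now relies on firejail's `mkdir` creating missing parent directories. I cannot tell from this page which firejail version introduced that behaviour; with an older binary the cache directory will not exist in a fresh home and the whitelist for it silently does nothing. If recursive `mkdir` is the intended contract, a one-line comment on the first such line (`# mkdir creates parent directories`) would stop the next reader from re-adding the parents. The same change is applied to chromium.profile and 0ad.profile in this commit.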
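diff --git a/etc/amarok.profile b/etc/amarok.profile
new file mode 100644
index 000000000..8d5b35d47
--- /dev/null
+++ b/etc/amarok.profile
@@ -0,0 +1,19 @@
+# amarok profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+shell none
+#seccomp
+protocol unix,inet,inet6
+
+#private-bin amarok
+private-dev
+private-tmp
+#private-etc none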
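Review bot: `#seccomp` on line 13 leaves the syscall filter disabled with no explanation, while every other new profile in this commit enables it. If seccomp broke amarok or one of its plugins, record what failed so it can be re-tested, e.g. `#seccomp - disabled: <what broke>`, or re-enable it and use `tracelog` to find the offending call. The commented `#private-bin amarok` and `#private-etc none` lines have the same problem: as written they read as unfinished work rather than deliberate choices.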
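diff --git a/etc/ark.profile b/etc/ark.profile
new file mode 100644
index 000000000..61b4c6f60
--- /dev/null
+++ b/etc/ark.profile
@@ -0,0 +1,23 @@
+# ark profile
+noblacklist ~/.config/arkrc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+seccomp
+protocol unix
+
+# private-bin
+private-dev
+private-tmp
+# private-etc
+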
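Review bot: `netfilter` on line 10 gives a false impression of a network restriction: as far as I recall it only installs a filter inside a new network namespace, and this profile creates none. `protocol unix` already blocks inet sockets, so for an archive manager that opens untrusted archives the consistent choice with `atool.profile`, `cpio.profile` and `7z.profile` in this same commit is `net none`, which also removes the interfaces. Replace `netfilter` with `net none`, or drop it; the bare `# private-bin` / `# private-etc` placeholders should either get a value or a note on why they are left out.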
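diff --git a/etc/atom-beta.profile b/etc/atom-beta.profile
new file mode 100644
index 000000000..fa0b316bb
--- /dev/null
+++ b/etc/atom-beta.profile
@@ -0,0 +1,20 @@
+# Firejail profile for Atom Beta.
+noblacklist ~/.atom
+noblacklist ~/.config/Atom
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-dev
+private-tmp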
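Review bot: `atom-beta.profile` is a verbatim copy of `atom.profile` apart from the header comment, whereas the other variant profiles in this commit (`Cyberfox.profile`, `Wire.profile`, `Telegram.profile`, `cryptocat.profile`) are one-line wrappers around the canonical file. A two-line file, `# Firejail profile for Atom Beta.` followed by `include /etc/firejail/atom.profile`, keeps the two from drifting apart the next time one is tightened. Keep separate `noblacklist` lines here only if Atom Beta uses different directories, which I cannot tell from this page.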
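diff --git a/etc/atom.profile b/etc/atom.profile
new file mode 100644
index 000000000..61930d5c1
--- /dev/null
+++ b/etc/atom.profile
@@ -0,0 +1,20 @@
+# Firejail profile for Atom.
+noblacklist ~/.atom
+noblacklist ~/.config/Atom
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-dev
+private-tmp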
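Review bot: The profile leaves out `disable-devel.inc`, which nearly every other profile in this commit includes, without saying why. That is presumably deliberate — an editor's packages invoke compilers and interpreters — but a reader cannot distinguish it from an oversight, so add `# disable-devel.inc omitted: Atom packages run compilers and interpreters` next to the includes, if that is the reason. Note that `noblacklist ~/.atom` exposes the package directory read-write, so a compromised editor process can persist code there across runs; that is inherent to the application, but worth one line of comment.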
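diff --git a/etc/atool.profile b/etc/atool.profile
new file mode 100644
index 000000000..3fbfb9fc7
--- /dev/null
+++ b/etc/atool.profile
@@ -0,0 +1,24 @@
+# atool profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+# private-bin atool
+private-tmp
+private-dev
+private-etc none
+
+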
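Review bot: `netfilter` on line 14 is redundant with `net none` on line 15 — once the network is removed there is nothing for a filter to apply to — so drop it to keep the profile honest about what it does. The commented `# include /etc/firejail/disable-devel.inc` on line 4 gives no reason; if atool shells out to something that file blacklists, say which (`# disable-devel.inc omitted: atool calls <tool>`), otherwise include it. The two trailing blank lines can go.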
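diff --git a/etc/atril.profile b/etc/atril.profile
index e078c1d20..fbcca0c1b 100644
--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -1,12 +1,21 @@
 # Atril profile
+noblacklist ~/.config/atril
+noblacklist ~/.local/share
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
-netfilter
+nogroups
+nonewprivs
 noroot
+nosound
+protocol unix
+seccomp
+shell none
 tracelog
+
+private-bin atril, atril-previewer, atril-thumbnailer
+private-dev
+private-tmp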
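Review bot: `private-bin atril, atril-previewer, atril-thumbnailer` has spaces after the commas, unlike every other `private-bin` list in this commit (compare `#private-bin deluge,sh,python,uname`); depending on how firejail splits the list, ` atril-previewer` and ` atril-thumbnailer` will not match any binary and the helpers will be missing from the sandbox. Write `private-bin atril,atril-previewer,atril-thumbnailer`. Separately, `noblacklist ~/.local/share` on line 3 un-blacklists the whole directory rather than the subdirectory atril actually uses; narrow it to the specific path once known, since a PDF viewer handles untrusted documents and the wide `noblacklist` may re-expose other programs' data that `disable-programs.inc` hides.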
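diff --git a/etc/audacious.profile b/etc/audacious.profile
index 290faa260..e5275213c 100644
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -5,6 +5,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp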
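diff --git a/etc/audacity.profile b/etc/audacity.profile
new file mode 100644
index 000000000..827fa4301
--- /dev/null
+++ b/etc/audacity.profile
@@ -0,0 +1,21 @@
+# Audacity profile
+noblacklist ~/.audacity-data
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin audacity
+private-dev
+private-tmp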
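diff --git a/etc/aweather.profile b/etc/aweather.profile
new file mode 100644
index 000000000..fa8654f1e
--- /dev/null
+++ b/etc/aweather.profile
@@ -0,0 +1,25 @@
+# Firejail profile for aweather.
+noblacklist ~/.config/aweather
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Whitelist
+mkdir ~/.config/aweather
+whitelist ~/.config/aweather
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin aweather
+private-dev
+private-tmp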
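diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile
index fb84c260a..87d2e843a 100644
--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -4,8 +4,11 @@ noblacklist /usr/sbin
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 
-protocol unix,inet,inet6
+netfilter
+nonewprivs
 private
 private-dev
+protocol unix,inet,inet6
 seccomp
-netfilter
+nosound
+read-write /var/lib/bitlbee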
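Review bot: The profile gains `nonewprivs` but still has neither `caps.drop all` nor `noroot`, which every other profile touched in this commit sets. If bitlbee is launched as an unprivileged user (its default port 6667 needs no capability) both can be added; if it is started as root and drops privileges itself, `noroot` would break it and a comment saying so (`# no caps.drop/noroot: bitlbee starts as root and drops privileges`) would stop the next reviewer from asking. I cannot tell which from this page. `read-write /var/lib/bitlbee` also deserves a note on what in the default setup makes that path read-only, since the file stores account credentials.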
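diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile
new file mode 100644
index 000000000..0a71db9f0
--- /dev/null
+++ b/etc/bleachbit.profile
@@ -0,0 +1,21 @@
+# bleachbit profile
+include /etc/firejail/disable-common.inc
+# include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+seccomp
+protocol unix
+
+# private-bin
+# private-dev
+# private-tmp
+# private-etc
+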
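Review bot: Four restrictions are commented out (`disable-programs.inc`, `private-dev`, `private-tmp`, `private-etc`) without a word on why, so the profile reads as unfinished rather than as a deliberate trade-off. BleachBit has to see the caches and temp files it deletes, which is presumably the reason; write it down once, e.g. `# disable-programs.inc and private-tmp omitted: bleachbit must see the files it cleans`, so nobody "fixes" it later and breaks the tool. `private-dev` at least looks safe to test, since nothing here suggests bleachbit needs device nodes.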
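diff --git a/etc/bless.profile b/etc/bless.profile
new file mode 100644
index 000000000..752edadf7
--- /dev/null
+++ b/etc/bless.profile
@@ -0,0 +1,20 @@
+#
+#Profile for bless
+#
+
+#No Blacklist Paths
+noblacklist ${HOME}/.config/bless
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp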
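Review bot: A hex editor opens arbitrary, frequently untrusted, binaries, yet the profile allows `protocol unix,inet,inet6` and relies on `netfilter`, which as far as I recall only takes effect inside a new network namespace that this profile does not create. Unless bless (a Mono application) needs the network for something not visible here, `net none` together with `protocol unix` removes the exfiltration path at no cost. Adding `nogroups`, `shell none`, `private-dev` and `private-tmp`, as the other new profiles in this commit do, would bring it in line with them.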
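diff --git a/etc/brasero.profile b/etc/brasero.profile
new file mode 100644
index 000000000..66de6fa50
--- /dev/null
+++ b/etc/brasero.profile
@@ -0,0 +1,23 @@
+# brasero profile
+noblacklist ~/.config/brasero
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin brasero
+# private-tmp
+# private-dev
+# private-etc fonts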
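Review bot: `# private-bin brasero`, `# private-tmp`, `# private-dev` and `# private-etc fonts` are commented out with no reason given, so it is unclear whether they were tested and failed or were never tried. For `private-dev` the likely reason is that brasero needs the optical drive nodes under /dev, which a private /dev would hide; if so, record it (`# private-dev disabled: brasero needs /dev/sr* to burn`) and test the remaining three separately. `caps.drop all` with `noroot` may also be worth a note on whether `cdrecord`/`wodim` still work without `CAP_SYS_RAWIO`, which I cannot verify from here.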
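diff --git a/etc/brave.profile b/etc/brave.profile
new file mode 100644
index 000000000..21ea7f908
--- /dev/null
+++ b/etc/brave.profile
@@ -0,0 +1,17 @@
+# Profile for Brave browser
+noblacklist ~/.config/brave
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+
+whitelist ${DOWNLOADS}
+
+mkdir ~/.config/brave
+whitelist ~/.config/brave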
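Review bot: The profile whitelists home directories but, unlike `abrowser.profile`, `chromium.profile`, `cyberfox.profile` and `dillo.profile` in this commit, does not `include /etc/firejail/whitelist-common.inc`, which those profiles use to keep the shared X11 and desktop files reachable once the home is whitelisted. If Brave starts and renders fine without it this is only a consistency nit; otherwise add the include after `whitelist ~/.config/brave`. It also lacks `tracelog`, which the other browser profiles set and which is the quickest way to find out what a whitelist is missing.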
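diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile
index 7bcc61e98..139dec8ec 100644
--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -1,22 +1,18 @@
 # cherrytree note taking application
+noblacklist /usr/bin/python2*
+noblacklist /usr/lib/python3*
+noblacklist ${HOME}/.config/cherrytree
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
-whitelist ${HOME}/cherrytree
-mkdir ~/.config
-mkdir ~/.config/cherrytree
-whitelist ${HOME}/.config/cherrytree/
-mkdir ~/.local
-mkdir ~/.local/share
-whitelist ${HOME}/.local/share/
-
 caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
-tracelog
+nogroups
+nonewprivs
 noroot
-include /etc/firejail/whitelist-common.inc
 nosound
+seccomp
+protocol unix,inet,inet6,netlink
+tracelog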
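Review bot: `noblacklist /usr/bin/python2*` on line 2 is paired with `noblacklist /usr/lib/python3*` on line 3, which looks like a major-version mismatch — an interpreter from one series with libraries from the other. Check which Python cherrytree runs on the target system and make the two lines agree (`/usr/bin/python2*` with `/usr/lib/python2*`, or both `3`); whichever series is not needed should stay blacklisted. The home-directory whitelist was removed entirely in this change, so the note-taking app now sees the whole home; if that was done to fix breakage, a one-line comment on what broke would let someone re-introduce a narrower whitelist later.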
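diff --git a/etc/chromium.profile b/etc/chromium.profile
index 7cf2853ca..4109af9a4 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -11,10 +11,8 @@ include /etc/firejail/disable-programs.inc
 netfilter
 
 whitelist ${DOWNLOADS}
-mkdir ~/.config
 mkdir ~/.config/chromium
 whitelist ~/.config/chromium
-mkdir ~/.cache
 mkdir ~/.cache/chromium
 whitelist ~/.cache/chromium
 mkdir ~/.pki
@@ -27,4 +25,7 @@ whitelist ~/keepassx.kdbx
 whitelist ~/.lastpass
 whitelist ~/.config/lastpass
 
+# specific to Arch
+whitelist ~/.config/chromium-flags.conf
+
 include /etc/firejail/whitelist-common.inc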
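Review bot: `whitelist ~/.config/chromium-flags.conf` bind-mounts the file read-write, so a compromised browser can rewrite its own launch flags (for instance to add `--no-sandbox` or `--load-extension=…`) and have them applied by the launcher at the next start, outside anything this sandbox controls. The launcher only needs to read that file; add `read-only ~/.config/chromium-flags.conf` directly after the whitelist line. The "specific to Arch" comment is accurate as far as I know and can stay.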
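diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile
new file mode 100644
index 000000000..8921bb25e
--- /dev/null
+++ b/etc/claws-mail.profile
@@ -0,0 +1,23 @@
+# claws-mail profile
+noblacklist ~/.claws-mail
+noblacklist ~/.signature
+noblacklist ~/.gnupg
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nogroups
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+private-tmp
+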
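Review bot: `noblacklist ~/.gnupg` on line 4 gives a mail client that parses untrusted messages read-write access to the secret keyring, the highest-value directory in the home. If signing and decryption go through a running gpg-agent, exposing only the agent socket rather than the whole directory would be tighter; if direct access is required, say so in a comment (`# ~/.gnupg needed for PGP signing/decryption`) so the exposure is recognised as deliberate. Adding `tracelog`, as most profiles in this commit do, would also help when the first blacklist bites.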
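diff --git a/etc/clementine.profile b/etc/clementine.profile
index c6271e6e3..5ce085358 100644
--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -5,6 +5,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp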
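diff --git a/etc/cmus.profile b/etc/cmus.profile
index 72b43a70f..2e2a6940c 100644
--- a/etc/cmus.profile
+++ b/etc/cmus.profile
@@ -7,10 +7,11 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
 
 private-bin cmus
 private-etc group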
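diff --git a/etc/conkeror.profile b/etc/conkeror.profile
index 007eef663..e82eeec4c 100644
--- a/etc/conkeror.profile
+++ b/etc/conkeror.profile
@@ -4,10 +4,11 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
 
 whitelist ~/.conkeror.mozdev.org
 whitelist ~/Downloads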
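diff --git a/etc/corebird.profile b/etc/corebird.profile
new file mode 100644
index 000000000..6fb8219e8
--- /dev/null
+++ b/etc/corebird.profile
@@ -0,0 +1,11 @@
+# Firejail corebird profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp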
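Review bot: `nonewprivs` is missing — every other profile touched in this commit adds it (see the one-line additions to `audacious.profile`, `clementine.profile` and `deadbeef.profile`), and without it a setuid binary reachable from the sandbox can still gain privileges. Add `nonewprivs` between `netfilter` and `noroot`; `nogroups` and `shell none` would also match the other new profiles. Keeping `protocol unix,inet,inet6` with `netfilter` is right for a network client.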
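diff --git a/etc/cpio.profile b/etc/cpio.profile
new file mode 100644
index 000000000..519bd244c
--- /dev/null
+++ b/etc/cpio.profile
@@ -0,0 +1,21 @@
+# cpio profile
+# /sbin and /usr/sbin are visible inside the sandbox
+# /boot is not visible and /var is heavily modified
+quiet
+noblacklist /sbin
+noblacklist /usr/sbin
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+private-dev
+seccomp
+caps.drop all
+net none
+shell none
+tracelog
+net none
+nosound
+
+
+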
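Review bot: `net none` appears twice, on lines 14 and 17; drop the second. The profile also sets neither `noroot` nor `nonewprivs`, which `atool.profile` in this same commit sets, for a tool that unpacks untrusted archives. If the omission is because cpio is commonly run as root (where `noroot` presumably cannot apply), say so in a comment alongside the existing notes about /sbin and /var; `nonewprivs` should be safe either way. The three trailing blank lines can go.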
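diff --git a/etc/cryptocat.profile b/etc/cryptocat.profile
new file mode 100644
index 000000000..0d392b272
--- /dev/null
+++ b/etc/cryptocat.profile
@@ -0,0 +1 @@
+include /etc/Cryptocat.profile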
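Review bot: `include /etc/Cryptocat.profile` points at the wrong directory — every other include in this commit, and the sibling wrappers `Cyberfox.profile`, `Wire.profile` and `Telegram.profile`, use `/etc/firejail/`, so this one resolves to a file that does not exist. Depending on how firejail treats a missing include, the sandbox either refuses to start or starts with none of the restrictions in `Cryptocat.profile`; either way the fix is `include /etc/firejail/Cryptocat.profile`. A header comment naming the program, as the other wrappers have, would also help.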
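diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile
new file mode 100644
index 000000000..84021dab3
--- /dev/null
+++ b/etc/cyberfox.profile
@@ -0,0 +1,49 @@
+# Firejail profile for Cyberfox (based on Mozilla Firefox)
+noblacklist ~/.8pecxstudios
+noblacklist ~/.cache/8pecxstudios
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.8pecxstudios
+whitelist ~/.8pecxstudios
+mkdir ~/.cache/8pecxstudios
+whitelist ~/.cache/8pecxstudios
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.vimperatorrc
+whitelist ~/.vimperator
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.keysnail.js
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+
+#silverlight
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/pipelight-silverlight5.1
+
+include /etc/firejail/whitelist-common.inc
+
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse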
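Review bot: `whitelist ~/keepassx.kdbx`, `whitelist ~/.keepassx` and `whitelist ~/.config/keepassx` give the browser read-write access to the password database, so a compromised renderer can tamper with or copy it. This is carried over from the Firefox-family profiles, but if the browser integration only needs read access — or none, when it talks to KeePassX over a local socket — `read-only ~/keepassx.kdbx` limits the damage; confirm with the integration in use before tightening. The same question applies to the `~/.lastpass` entries.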
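diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile
index 2810e5323..04abd0a92 100644
--- a/etc/deadbeef.profile
+++ b/etc/deadbeef.profile
@@ -7,6 +7,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp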
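diff --git a/etc/default.profile b/etc/default.profile
new file mode 100644
index 000000000..603321316
--- /dev/null
+++ b/etc/default.profile
@@ -0,0 +1,24 @@
+################################
+# Generic GUI application profile
+################################
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+#
+# depending on you usage, you can enable some of the commands below:
+#
+# nogroups
+# shell none
+# private-bin program
+# private-etc none
+# private-dev
+# private-tmp
+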
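Review bot: The comment on line 16 has a typo: `depending on you usage` should read `depending on your usage`. Because this file is the fallback for programs without a profile of their own (and `7z.profile` in this commit builds on it), the header should also say why `disable-devel.inc` is not included, since otherwise a generic sandbox still exposes compilers and interpreters; one line such as `# disable-devel.inc is not included: unknown programs may need interpreters` would do, if that is the reason.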
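diff --git a/etc/deluge.profile b/etc/deluge.profile
index 4043f58f5..c6ddec3ec 100644
--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -1,4 +1,4 @@
-# deluge bittorernt client profile
+# deluge bittorrernt client profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 # deluge is using python on Debian
@@ -6,8 +6,15 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
 nosound
+protocol unix,inet,inet6
+seccomp
+
+shell none
+#private-bin deluge,sh,python,uname
+private-dev
+private-tmp
+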
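Review bot: The header comment is still misspelled after this change — `bittorernt` became `bittorrernt` — and should read `# deluge bittorrent client profile`. The commented `#private-bin deluge,sh,python,uname` gives no reason for being disabled; since deluge is a Python program (line 4 says so), `private-bin` would need the interpreter and its helpers, which is presumably what failed — record that, or remove the line so it does not look like an oversight.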
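diff --git a/etc/dillo.profile b/etc/dillo.profile
index 49c33fb7a..108787920 100644
--- a/etc/dillo.profile
+++ b/etc/dillo.profile
@@ -1,5 +1,4 @@
 # Firejail profile for Dillo web browser
-
 noblacklist ~/.dillo
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
@@ -7,11 +6,12 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
-tracelog
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
+tracelog
 
 whitelist ${DOWNLOADS}
 mkdir ~/.dillo
@@ -20,6 +20,3 @@ mkdir ~/.fltk
 whitelist ~/.fltk
 
 include /etc/firejail/whitelist-common.inc
-
-
-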
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index b1133f28f..b86c6f998 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -1,6 +1,7 @@
1# History files in $HOME 1# History files in $HOME
2blacklist-nolog ${HOME}/.history 2blacklist-nolog ${HOME}/.history
3blacklist-nolog ${HOME}/.*_history 3blacklist-nolog ${HOME}/.*_history
4blacklist-nolog ${HOME}/.bash_history
4blacklist ${HOME}/.local/share/systemd 5blacklist ${HOME}/.local/share/systemd
5blacklist-nolog ${HOME}/.adobe 6blacklist-nolog ${HOME}/.adobe
6blacklist-nolog ${HOME}/.macromedia 7blacklist-nolog ${HOME}/.macromedia
@@ -14,21 +15,48 @@ blacklist /etc/xdg/autostart
14blacklist ${HOME}/.kde4/Autostart 15blacklist ${HOME}/.kde4/Autostart
15blacklist ${HOME}/.kde4/share/autostart 16blacklist ${HOME}/.kde4/share/autostart
16blacklist ${HOME}/.kde/Autostart 17blacklist ${HOME}/.kde/Autostart
18blacklist ${HOME}/.kde/share/autostart
17blacklist ${HOME}/.config/plasma-workspace/shutdown 19blacklist ${HOME}/.config/plasma-workspace/shutdown
18blacklist ${HOME}/.config/plasma-workspace/env 20blacklist ${HOME}/.config/plasma-workspace/env
19blacklist ${HOME}/.config/lxsession/LXDE/autostart 21blacklist ${HOME}/.config/lxsession/LXDE/autostart
20blacklist ${HOME}/.fluxbox/startup 22blacklist ${HOME}/.fluxbox/startup
21blacklist ${HOME}/.config/openbox/autostart 23blacklist ${HOME}/.config/openbox/autostart
22blacklist ${HOME}/.config/openbox/environment 24blacklist ${HOME}/.config/openbox/environment
25blacklist ${HOME}/.gnomerc
26blacklist /etc/X11/Xsession.d/
27# blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs
23 28
24# VirtualBox 29# VirtualBox
25blacklist ${HOME}/.VirtualBox 30blacklist ${HOME}/.VirtualBox
26blacklist ${HOME}/VirtualBox VMs 31blacklist ${HOME}/VirtualBox VMs
27blacklist ${HOME}/.config/VirtualBox 32blacklist ${HOME}/.config/VirtualBox
28 33
34# VeraCrypt
35blacklist ${PATH}/veracrypt
36blacklist ${PATH}/veracrypt-uninstall.sh
37blacklist /usr/share/veracrypt
38blacklist /usr/share/applications/veracrypt.*
39blacklist /usr/share/pixmaps/veracrypt.*
40blacklist ${HOME}/.VeraCrypt
41
42# TrueCrypt
43blacklist ${PATH}/truecrypt
44blacklist ${PATH}/truecrypt-uninstall.sh
45blacklist /usr/share/truecrypt
46blacklist /usr/share/applications/truecrypt.*
47blacklist /usr/share/pixmaps/truecrypt.*
48blacklist ${HOME}/.TrueCrypt
49
50# zuluCrypt
51blacklist ${HOME}/.zuluCrypt
52blacklist ${HOME}/.zuluCrypt-socket
53blacklist ${PATH}/zuluCrypt-cli
54blacklist ${PATH}/zuluMount-cli
55
29# var 56# var
30blacklist /var/spool/cron 57blacklist /var/spool/cron
31blacklist /var/spool/anacron 58blacklist /var/spool/anacron
59blacklist /var/mail
32blacklist /var/run/acpid.socket 60blacklist /var/run/acpid.socket
33blacklist /var/run/minissdpd.sock 61blacklist /var/run/minissdpd.sock
34blacklist /var/run/rpcbind.sock 62blacklist /var/run/rpcbind.sock
@@ -39,7 +67,7 @@ blacklist /var/lib/mysql/mysql.sock
39blacklist /var/run/docker.sock 67blacklist /var/run/docker.sock
40 68
41# etc 69# etc
42blacklist /etc/cron.* 70blacklist /etc/cron*
43blacklist /etc/profile.d 71blacklist /etc/profile.d
44blacklist /etc/rc.local 72blacklist /etc/rc.local
45blacklist /etc/anacrontab 73blacklist /etc/anacrontab
@@ -50,11 +78,15 @@ read-only ${HOME}/.xserverrc
50read-only ${HOME}/.profile 78read-only ${HOME}/.profile
51 79
52# Shell startup files 80# Shell startup files
81read-only ${HOME}/.antigen
53read-only ${HOME}/.bash_login 82read-only ${HOME}/.bash_login
54read-only ${HOME}/.bashrc 83read-only ${HOME}/.bashrc
55read-only ${HOME}/.bash_profile 84read-only ${HOME}/.bash_profile
56read-only ${HOME}/.bash_logout 85read-only ${HOME}/.bash_logout
86read-only ${HOME}/.zsh.d
87read-only ${HOME}/.zshenv
57read-only ${HOME}/.zshrc 88read-only ${HOME}/.zshrc
89read-only ${HOME}/.zshrc.local
58read-only ${HOME}/.zlogin 90read-only ${HOME}/.zlogin
59read-only ${HOME}/.zprofile 91read-only ${HOME}/.zprofile
60read-only ${HOME}/.zlogout 92read-only ${HOME}/.zlogout
@@ -62,8 +94,12 @@ read-only ${HOME}/.zsh_files
62read-only ${HOME}/.tcshrc 94read-only ${HOME}/.tcshrc
63read-only ${HOME}/.cshrc 95read-only ${HOME}/.cshrc
64read-only ${HOME}/.csh_files 96read-only ${HOME}/.csh_files
97read-only ${HOME}/.profile
65 98
66# Initialization files that allow arbitrary command execution 99# Initialization files that allow arbitrary command execution
100read-only ${HOME}/.caffrc
101read-only ${HOME}/.dotfiles
102read-only ${HOME}/dotfiles
67read-only ${HOME}/.mailcap 103read-only ${HOME}/.mailcap
68read-only ${HOME}/.exrc 104read-only ${HOME}/.exrc
69read-only ${HOME}/_exrc 105read-only ${HOME}/_exrc
@@ -73,10 +109,11 @@ read-only ${HOME}/.gvimrc
73read-only ${HOME}/_gvimrc 109read-only ${HOME}/_gvimrc
74read-only ${HOME}/.vim 110read-only ${HOME}/.vim
75read-only ${HOME}/.emacs 111read-only ${HOME}/.emacs
112read-only ${HOME}/.emacs.d
113read-only ${HOME}/.nano
76read-only ${HOME}/.tmux.conf 114read-only ${HOME}/.tmux.conf
77read-only ${HOME}/.iscreenrc 115read-only ${HOME}/.iscreenrc
78read-only ${HOME}/.muttrc 116read-only ${HOME}/.reportbugrc
79read-only ${HOME}/.mutt/muttrc
80read-only ${HOME}/.xmonad 117read-only ${HOME}/.xmonad
81read-only ${HOME}/.xscreensaver 118read-only ${HOME}/.xscreensaver
82 119
@@ -84,16 +121,25 @@ read-only ${HOME}/.xscreensaver
84read-only ${HOME}/bin 121read-only ${HOME}/bin
85 122
86# top secret 123# top secret
124blacklist ${HOME}/.ecryptfs
125blacklist ${HOME}/.Private
87blacklist ${HOME}/.ssh 126blacklist ${HOME}/.ssh
127blacklist ${HOME}/.cert
88blacklist ${HOME}/.gnome2/keyrings 128blacklist ${HOME}/.gnome2/keyrings
89blacklist ${HOME}/kde4/share/apps/kwallet 129blacklist ${HOME}/.kde4/share/apps/kwallet
90blacklist ${HOME}/kde/share/apps/kwallet 130blacklist ${HOME}/.kde/share/apps/kwallet
91blacklist ${HOME}/.local/share/kwalletd 131blacklist ${HOME}/.local/share/kwalletd
132blacklist ${HOME}/.config/keybase
92blacklist ${HOME}/.netrc 133blacklist ${HOME}/.netrc
93blacklist ${HOME}/.gnupg 134blacklist ${HOME}/.gnupg
135blacklist ${HOME}/.caff
136blacklist ${HOME}/.smbcredentials
94blacklist ${HOME}/*.kdbx 137blacklist ${HOME}/*.kdbx
95blacklist ${HOME}/*.kdb 138blacklist ${HOME}/*.kdb
96blacklist ${HOME}/*.key 139blacklist ${HOME}/*.key
140blacklist ${HOME}/.muttrc
141blacklist ${HOME}/.mutt/muttrc
142blacklist ${HOME}/.msmtprc
97blacklist /etc/shadow 143blacklist /etc/shadow
98blacklist /etc/gshadow 144blacklist /etc/gshadow
99blacklist /etc/passwd- 145blacklist /etc/passwd-
@@ -106,11 +152,19 @@ blacklist /etc/shadow+
106blacklist /etc/gshadow+ 152blacklist /etc/gshadow+
107blacklist /etc/ssh 153blacklist /etc/ssh
108blacklist /var/backup 154blacklist /var/backup
155blacklist /home/.ecryptfs
156
157# system directories
158blacklist /sbin
159blacklist /usr/sbin
160blacklist /usr/local/sbin
109 161
110# system management 162# system management
111blacklist ${PATH}/umount 163blacklist ${PATH}/umount
112blacklist ${PATH}/mount 164blacklist ${PATH}/mount
113blacklist ${PATH}/fusermount 165blacklist ${PATH}/fusermount
166blacklist ${PATH}/ntfs-3g
167blacklist ${PATH}/at
114blacklist ${PATH}/su 168blacklist ${PATH}/su
115blacklist ${PATH}/sudo 169blacklist ${PATH}/sudo
116blacklist ${PATH}/xinput 170blacklist ${PATH}/xinput
@@ -119,17 +173,45 @@ blacklist ${PATH}/xev
119blacklist ${PATH}/strace 173blacklist ${PATH}/strace
120blacklist ${PATH}/nc 174blacklist ${PATH}/nc
121blacklist ${PATH}/ncat 175blacklist ${PATH}/ncat
176blacklist ${PATH}/gpasswd
177blacklist ${PATH}/newgidmap
178blacklist ${PATH}/newgrp
179blacklist ${PATH}/newuidmap
180blacklist ${PATH}/pkexec
181blacklist ${PATH}/sg
182blacklist ${PATH}/crontab
183blacklist ${PATH}/ksu
184blacklist ${PATH}/chsh
185blacklist ${PATH}/chfn
186blacklist ${PATH}/chage
187blacklist ${PATH}/expiry
188blacklist ${PATH}/unix_chkpwd
189blacklist ${PATH}/procmail
190blacklist ${PATH}/mount.ecryptfs_private
122 191
123# system directories 192# other SUID binaries
124blacklist /sbin 193blacklist /usr/lib/virtualbox
125blacklist /usr/sbin
126blacklist /usr/local/sbin
127 194
128# prevent lxterminal connecting to an existing lxterminal session 195# prevent lxterminal connecting to an existing lxterminal session
129blacklist /tmp/.lxterminal-socket* 196blacklist /tmp/.lxterminal-socket*
130 197
131# disable terminals running as server 198# disable terminals running as server resulting in sandbox escape
132blacklist ${PATH}/gnome-terminal 199blacklist ${PATH}/gnome-terminal
133blacklist ${PATH}/gnome-terminal.wrapper 200blacklist ${PATH}/gnome-terminal.wrapper
134blacklist ${PATH}/xfce4-terminal 201blacklist ${PATH}/xfce4-terminal
135blacklist ${PATH}/xfce4-terminal.wrapper 202blacklist ${PATH}/xfce4-terminal.wrapper
203blacklist ${PATH}/mate-terminal
204blacklist ${PATH}/mate-terminal.wrapper
205blacklist ${PATH}/lilyterm
206blacklist ${PATH}/pantheon-terminal
207blacklist ${PATH}/roxterm
208blacklist ${PATH}/roxterm-config
209blacklist ${PATH}/terminix
210blacklist ${PATH}/urxvtc
211blacklist ${PATH}/urxvtcd
212#konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
213#blacklist ${PATH}/konsole
214
215# kernel files
216blacklist /vmlinuz*
217blacklist /initrd*
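Review bot: `read-only ${HOME}/.profile` now appears twice on the new side of disable-common.inc — at new line 78, where it already was, and again at new line 97 closing the "Shell startup files" group — so one of the two should be dropped. The added `blacklist-nolog ${HOME}/.bash_history` (new line 4) is likewise already matched by the `${HOME}/.*_history` glob directly above it; keep it only if an explicit entry is wanted for readability, and say so in a comment. The new "kernel files" entries (new lines 216-217) cover `/vmlinuz*` and `/initrd*` at the filesystem root only; whether the images under `/boot` are already handled elsewhere is not visible in this hunk and is worth confirming. The decision to leave `${HOME}/.xpra` unblocked is documented on new line 27, which is good; if the xpra integration only reads that directory, `read-only ${HOME}/.xpra` may be a middle ground worth testing.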
diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc
index fa77ed8d1..2ac367f37 100644
--- a/etc/disable-devel.inc
+++ b/etc/disable-devel.inc
@@ -2,20 +2,32 @@
2 2
3# GCC 3# GCC
4blacklist /usr/include 4blacklist /usr/include
5#blacklist /usr/lib/gcc - seems to create problems on Gentoo
5blacklist /usr/bin/gcc* 6blacklist /usr/bin/gcc*
6blacklist /usr/bin/cpp* 7blacklist /usr/bin/cpp*
7blacklist /usr/bin/c9* 8blacklist /usr/bin/c9*
8blacklist /usr/bin/c8* 9blacklist /usr/bin/c8*
9blacklist /usr/bin/c++* 10blacklist /usr/bin/c++*
11blacklist /usr/bin/as
10blacklist /usr/bin/ld 12blacklist /usr/bin/ld
11blacklist /usr/bin/gdb 13blacklist /usr/bin/gdb
14blacklist /usr/bin/g++*
15blacklist /usr/bin/x86_64-linux-gnu-g++*
16blacklist /usr/bin/x86_64-linux-gnu-gcc*
17blacklist /usr/bin/x86_64-unknown-linux-gnu-g++*
18blacklist /usr/bin/x86_64-unknown-linux-gnu-gcc*
12 19
13# clang/llvm 20# clang/llvm
14blacklist /usr/bin/clang* 21blacklist /usr/bin/clang*
15blacklist /usr/bin/llvm* 22blacklist /usr/bin/llvm*
16blacklist /usb/bin/lldb* 23blacklist /usr/bin/lldb*
17blacklist /usr/lib/llvm* 24blacklist /usr/lib/llvm*
18 25
26# tcc - Tiny C Compiler
27blacklist /usr/bin/tcc
28blacklist /usr/bin/x86_64-tcc
29blacklist /usr/lib/tcc
30
19# Valgrind 31# Valgrind
20blacklist /usr/bin/valgrind* 32blacklist /usr/bin/valgrind*
21blacklist /usr/lib/valgrind 33blacklist /usr/lib/valgrind
@@ -35,17 +47,17 @@ blacklist /usr/lib/php*
35blacklist /usr/bin/ruby 47blacklist /usr/bin/ruby
36blacklist /usr/lib/ruby 48blacklist /usr/lib/ruby
37 49
50# Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice
38# Python 2 51# Python 2
39blacklist /usr/bin/python2* 52#blacklist /usr/bin/python2*
40blacklist /usr/lib/python2* 53#blacklist /usr/lib/python2*
41blacklist /usr/local/lib/python2* 54#blacklist /usr/local/lib/python2*
42blacklist /usr/include/python2* 55#blacklist /usr/include/python2*
43blacklist /usr/share/python2* 56#blacklist /usr/share/python2*
44 57#
45# Python 3 58# Python 3
46blacklist /usr/bin/python3* 59#blacklist /usr/bin/python3*
47blacklist /usr/lib/python3* 60#blacklist /usr/lib/python3*
48blacklist /usr/local/lib/python3* 61#blacklist /usr/local/lib/python3*
49blacklist /usr/share/python3* 62#blacklist /usr/share/python3*
50blacklist /usr/include/python3* 63#blacklist /usr/include/python3*
51
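Review bot: Commenting out every Python entry (new lines 51-63) removes the interpreter blacklist for every profile that includes disable-devel.inc, not just the seven programs named in the comment on new line 50. Since profiles elsewhere in this commit already place `noblacklist` lines ahead of their includes, the narrower fix is to keep `blacklist /usr/bin/python2*` and the other Python lines here and add matching `noblacklist` entries to the deluge, firefox, filezilla, cherrytree, xchat, hexchat and libreoffice profiles — assuming `noblacklist` accepts the same glob patterns, which this hunk does not show. The new `x86_64-linux-gnu-*` entries (new lines 15-18) only cover that one triplet, so a pattern such as `blacklist /usr/bin/*-linux-gnu-gcc*` would also catch other host architectures if that is the intent.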
diff --git a/etc/disable-passwdmgr.inc b/etc/disable-passwdmgr.inc
index c1e68d1ec..045b4d92b 100644
--- a/etc/disable-passwdmgr.inc
+++ b/etc/disable-passwdmgr.inc
@@ -1,6 +1,10 @@
1blacklist ${HOME}/.pki/nssdb 1blacklist ${HOME}/.pki/nssdb
2blacklist ${HOME}/.lastpass 2blacklist ${HOME}/.lastpass
3blacklist ${HOME}/.keepassx 3blacklist ${HOME}/.keepassx
4blacklist ${HOME}/.keepass
4blacklist ${HOME}/.password-store 5blacklist ${HOME}/.password-store
5blacklist ${HOME}/keepassx.kdbx 6blacklist ${HOME}/keepassx.kdbx
7blacklist ${HOME}/.config/keepassx
8blacklist ${HOME}/.config/keepass
9blacklist ${HOME}/.config/KeePass
6 10
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index f4e66dc66..a9ca487c5 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -1,168 +1,269 @@
1# various programs 1blacklist ${HOME}/.*coin
2blacklist ${HOME}/.8pecxstudios
2blacklist ${HOME}/.Atom 3blacklist ${HOME}/.Atom
3blacklist ${HOME}/.remmina
4blacklist ${HOME}/.tconn
5blacklist ${HOME}/.FBReader 4blacklist ${HOME}/.FBReader
6blacklist ${HOME}/.wine 5blacklist ${HOME}/.LuminanceHDR
7blacklist ${HOME}/.Mathematica 6blacklist ${HOME}/.Mathematica
7blacklist ${HOME}/.Natron
8blacklist ${HOME}/.Skype
9blacklist ${HOME}/.TelegramDesktop
10blacklist ${HOME}/.VirtualBox
8blacklist ${HOME}/.Wolfram Research 11blacklist ${HOME}/.Wolfram Research
9blacklist ${HOME}/.stellarium 12blacklist ${HOME}/.arduino15
10blacklist ${HOME}/.sword 13blacklist ${HOME}/.atom
11blacklist ${HOME}/.xiphos 14blacklist ${HOME}/.audacity-data
15blacklist ${HOME}/.bcast5
16blacklist ${HOME}/.cache/0ad
17blacklist ${HOME}/.cache/8pecxstudios
18blacklist ${HOME}/.cache/Franz
19blacklist ${HOME}/.cache/INRIA
20blacklist ${HOME}/.cache/QuiteRss
21blacklist ${HOME}/.cache/champlain
22blacklist ${HOME}/.cache/chromium
23blacklist ${HOME}/.cache/chromium-dev
24blacklist ${HOME}/.cache/darktable
25blacklist ${HOME}/.cache/epiphany
26blacklist ${HOME}/.cache/evolution
27blacklist ${HOME}/.cache/gajim
28blacklist ${HOME}/.cache/google-chrome
29blacklist ${HOME}/.cache/google-chrome-beta
30blacklist ${HOME}/.cache/google-chrome-unstable
31blacklist ${HOME}/.cache/icedove
32blacklist ${HOME}/.cache/inox
33blacklist ${HOME}/.cache/libgweather
34blacklist ${HOME}/.cache/midori
35blacklist ${HOME}/.cache/mozilla
36blacklist ${HOME}/.cache/mutt
37blacklist ${HOME}/.cache/netsurf
38blacklist ${HOME}/.cache/opera
39blacklist ${HOME}/.cache/opera-beta
40blacklist ${HOME}/.cache/org.gnome.Books
41blacklist ${HOME}/.cache/qutebrowser
42blacklist ${HOME}/.cache/simple-scan
43blacklist ${HOME}/.cache/slimjet
44blacklist ${HOME}/.cache/spotify
45blacklist ${HOME}/.cache/telepathy
46blacklist ${HOME}/.cache/thunderbird
47blacklist ${HOME}/.cache/torbrowser
48blacklist ${HOME}/.cache/transmission
49blacklist ${HOME}/.cache/vivaldi
50blacklist ${HOME}/.cache/wesnoth
51blacklist ${HOME}/.cache/xreader
52blacklist ${HOME}/.claws-mail
53blacklist ${HOME}/.config/0ad
12blacklist ${HOME}/.config/Atom 54blacklist ${HOME}/.config/Atom
13blacklist ${HOME}/.config/gthumb 55blacklist ${HOME}/.config/Brackets
14blacklist ${HOME}/.config/mupen64plus 56blacklist ${HOME}/.config/Cryptocat
15blacklist ${HOME}/.config/transmission 57blacklist ${HOME}/.config/Franz
16blacklist ${HOME}/.config/uGet 58blacklist ${HOME}/.config/Gitter
59blacklist ${HOME}/.config/Google
17blacklist ${HOME}/.config/Gpredict 60blacklist ${HOME}/.config/Gpredict
18blacklist ${HOME}/.config/aweather 61blacklist ${HOME}/.config/INRIA
19blacklist ${HOME}/.config/stellarium
20blacklist ${HOME}/.config/atril
21blacklist ${HOME}/.config/xreader
22blacklist ${HOME}/.config/xviewer
23blacklist ${HOME}/.config/libreoffice
24blacklist ${HOME}/.config/pix
25blacklist ${HOME}/.config/mate/eom
26blacklist ${HOME}/.kde/share/apps/okular
27blacklist ${HOME}/.kde/share/config/okularrc
28blacklist ${HOME}/.kde/share/config/okularpartrc
29blacklist ${HOME}/.kde/share/apps/gwenview
30blacklist ${HOME}/.kde/share/config/gwenviewrc
31blacklist ${HOME}/.config/qpdfview
32blacklist ${HOME}/.config/Luminance 62blacklist ${HOME}/.config/Luminance
33blacklist ${HOME}/.config/synfig 63blacklist ${HOME}/.config/Meltytech
34blacklist ${HOME}/.synfig 64blacklist ${HOME}/.config/Mumble
35blacklist ${HOME}/.inkscape 65blacklist ${HOME}/.config/QuiteRss
36blacklist ${HOME}/.gimp* 66blacklist ${HOME}/.config/QuiteRssrc
37blacklist ${HOME}/.config/zathura 67blacklist ${HOME}/.config/Slack
68blacklist ${HOME}/.config/VirtualBox
69blacklist ${HOME}/.config/Wire
70blacklist ${HOME}/.config/ardour4
71blacklist ${HOME}/.config/ardour5
72blacklist ${HOME}/.config/arkrc
73blacklist ${HOME}/.config/atril
74blacklist ${HOME}/.config/autostart
75blacklist ${HOME}/.config/autostart/dropbox.desktop
76blacklist ${HOME}/.config/aweather
77blacklist ${HOME}/.config/blender
78blacklist ${HOME}/.config/bless
79blacklist ${HOME}/.config/brasero
80blacklist ${HOME}/.config/brave
38blacklist ${HOME}/.config/cherrytree 81blacklist ${HOME}/.config/cherrytree
39blacklist ${HOME}/.xpdfrc 82blacklist ${HOME}/.config/chromium
40blacklist ${HOME}/.openshot 83blacklist ${HOME}/.config/chromium-dev
41blacklist ${HOME}/.openshot_qt 84blacklist ${HOME}/.config/chromium-flags.conf
42blacklist ${HOME}/.flowblade
43blacklist ${HOME}/.config/flowblade
44blacklist ${HOME}/.config/eog
45
46
47# Media players
48blacklist ${HOME}/.config/cmus 85blacklist ${HOME}/.config/cmus
86blacklist ${HOME}/.config/darktable
49blacklist ${HOME}/.config/deadbeef 87blacklist ${HOME}/.config/deadbeef
50blacklist ${HOME}/.config/spotify 88blacklist ${HOME}/.config/dolphinrc
51blacklist ${HOME}/.config/vlc 89blacklist ${HOME}/.config/dragonplayerrc
52blacklist ${HOME}/.config/mpv 90blacklist ${HOME}/.config/enchant
53blacklist ${HOME}/.config/totem 91blacklist ${HOME}/.config/eog
54blacklist ${HOME}/.config/xplayer 92blacklist ${HOME}/.config/epiphany
55blacklist ${HOME}/.audacity-data 93blacklist ${HOME}/.config/evince
56blacklist ${HOME}/.guayadeque 94blacklist ${HOME}/.config/evolution
57 95blacklist ${HOME}/.config/filezilla
58# HTTP / FTP / Mail 96blacklist ${HOME}/.config/flowblade
59blacklist ${HOME}/.icedove 97blacklist ${HOME}/.config/gajim
60blacklist ${HOME}/.thunderbird 98blacklist ${HOME}/.config/gedit
61blacklist ${HOME}/.sylpheed-2.0
62blacklist ${HOME}/.config/midori
63blacklist ${HOME}/.mozilla
64blacklist ${HOME}/.config/chromium
65blacklist ${HOME}/.config/google-chrome 99blacklist ${HOME}/.config/google-chrome
66blacklist ${HOME}/.config/google-chrome-beta 100blacklist ${HOME}/.config/google-chrome-beta
67blacklist ${HOME}/.config/google-chrome-unstable 101blacklist ${HOME}/.config/google-chrome-unstable
102blacklist ${HOME}/.config/gthumb
103blacklist ${HOME}/.config/hexchat
104blacklist ${HOME}/.config/inox
105blacklist ${HOME}/.config/jd-gui.cfg
106blacklist ${HOME}/.config/katepartrc
107blacklist ${HOME}/.config/katerc
108blacklist ${HOME}/.config/kateschemarc
109blacklist ${HOME}/.config/katesyntaxhighlightingrc
110blacklist ${HOME}/.config/katevirc
111blacklist ${HOME}/.config/libreoffice
112blacklist ${HOME}/.config/mate/eom
113blacklist ${HOME}/.config/midori
114blacklist ${HOME}/.config/mpv
115blacklist ${HOME}/.config/mupen64plus
116blacklist ${HOME}/.config/nautilus
117blacklist ${HOME}/.config/netsurf
68blacklist ${HOME}/.config/opera 118blacklist ${HOME}/.config/opera
69blacklist ${HOME}/.config/opera-beta 119blacklist ${HOME}/.config/opera-beta
70blacklist ${HOME}/.opera 120blacklist ${HOME}/.config/pix
71blacklist ${HOME}/.config/vivaldi 121blacklist ${HOME}/.config/pluma
72blacklist ${HOME}/.filezilla
73blacklist ${HOME}/.config/filezilla
74blacklist ${HOME}/.dillo
75blacklist ${HOME}/.conkeror.mozdev.org
76blacklist ${HOME}/.config/epiphany
77blacklist ${HOME}/.config/slimjet
78blacklist ${HOME}/.config/qutebrowser
79blacklist ${HOME}/.8pecxstudios
80blacklist ${HOME}/.config/brave
81blacklist ${HOME}/.config/inox
82blacklist ${HOME}/.muttrc
83blacklist ${HOME}/.mutt
84blacklist ${HOME}/.mutt/muttrc
85blacklist ${HOME}/.msmtprc
86blacklist ${HOME}/.config/evolution
87blacklist ${HOME}/.local/share/evolution
88blacklist ${HOME}/.cache/evolution
89
90# Instant Messaging
91blacklist ${HOME}/.config/hexchat
92blacklist ${HOME}/.mcabber
93blacklist ${HOME}/.mcabberrc
94blacklist ${HOME}/.purple
95blacklist ${HOME}/.config/psi+ 122blacklist ${HOME}/.config/psi+
96blacklist ${HOME}/.retroshare 123blacklist ${HOME}/.config/qpdfview
97blacklist ${HOME}/.weechat 124blacklist ${HOME}/.config/qutebrowser
98blacklist ${HOME}/.config/xchat 125blacklist ${HOME}/.config/ranger
99blacklist ${HOME}/.Skype 126blacklist ${HOME}/.config/redshift.conf
100blacklist ${HOME}/.config/skypeforlinux 127blacklist ${HOME}/.config/skypeforlinux
128blacklist ${HOME}/.config/slimjet
129blacklist ${HOME}/.config/spotify
130blacklist ${HOME}/.config/stellarium
131blacklist ${HOME}/.config/synfig
132blacklist ${HOME}/.config/telepathy-account-widgets
133blacklist ${HOME}/.config/torbrowser
134blacklist ${HOME}/.config/totem
101blacklist ${HOME}/.config/tox 135blacklist ${HOME}/.config/tox
102blacklist ${HOME}/.TelegramDesktop 136blacklist ${HOME}/.config/transmission
103blacklist ${HOME}/.config/Gitter 137blacklist ${HOME}/.config/uGet
104blacklist ${HOME}/.config/Franz 138blacklist ${HOME}/.config/vivaldi
105blacklist ${HOME}/.jitsi 139blacklist ${HOME}/.config/vlc
106blacklist ${HOME}/.config/Slack
107blacklist ${HOME}/.cache/gajim
108blacklist ${HOME}/.local/share/gajim
109blacklist ${HOME}/.config/gajim
110blacklist ${HOME}/.config/Wire
111
112# Games
113blacklist ${HOME}/.hedgewars
114blacklist ${HOME}/.steam
115blacklist ${HOME}/.config/wesnoth 140blacklist ${HOME}/.config/wesnoth
116blacklist ${HOME}/.config/0ad 141blacklist ${HOME}/.config/wire
117blacklist ${HOME}/.warzone2100-3.1 142blacklist ${HOME}/.config/wireshark
143blacklist ${HOME}/.config/xchat
144blacklist ${HOME}/.config/xed
145blacklist ${HOME}/.config/xfburn
146blacklist ${HOME}/.config/xplayer
147blacklist ${HOME}/.config/xreader
148blacklist ${HOME}/.config/xviewer
149blacklist ${HOME}/.config/zathura
150blacklist ${HOME}/.config/zoomus.conf
151blacklist ${HOME}/.conkeror.mozdev.org
152blacklist ${HOME}/.dillo
118blacklist ${HOME}/.dosbox 153blacklist ${HOME}/.dosbox
119 154blacklist ${HOME}/.dropbox-dist
120# Cryptocoins
121blacklist ${HOME}/.*coin
122blacklist ${HOME}/.electrum* 155blacklist ${HOME}/.electrum*
123blacklist ${HOME}/wallet.dat 156blacklist ${HOME}/.elinks
124 157blacklist ${HOME}/.emacs
125# git, subversion 158blacklist ${HOME}/.emacs.d
126blacklist ${HOME}/.subversion 159blacklist ${HOME}/.filezilla
127blacklist ${HOME}/.gitconfig 160blacklist ${HOME}/.flowblade
161blacklist ${HOME}/.fltk
162blacklist ${HOME}/.gimp*
128blacklist ${HOME}/.git-credential-cache 163blacklist ${HOME}/.git-credential-cache
129 164blacklist ${HOME}/.gitconfig
130# cache 165blacklist ${HOME}/.googleearth/Cache/
131blacklist ${HOME}/.cache/mozilla 166blacklist ${HOME}/.googleearth/Temp/
132blacklist ${HOME}/.cache/chromium 167blacklist ${HOME}/.googleearth/myplaces.backup.kml
133blacklist ${HOME}/.cache/google-chrome 168blacklist ${HOME}/.googleearth/myplaces.kml
134blacklist ${HOME}/.cache/google-chrome-beta 169blacklist ${HOME}/.guayadeque
135blacklist ${HOME}/.cache/google-chrome-unstable 170blacklist ${HOME}/.hedgewars
136blacklist ${HOME}/.cache/opera 171blacklist ${HOME}/.icedove
137blacklist ${HOME}/.cache/opera-beta 172blacklist ${HOME}/.inkscape
138blacklist ${HOME}/.cache/vivaldi 173blacklist ${HOME}/.jitsi
139blacklist ${HOME}/.cache/epiphany 174blacklist ${HOME}/.kde/share/apps/gwenview
140blacklist ${HOME}/.cache/slimjet 175blacklist ${HOME}/.kde/share/apps/okular
141blacklist ${HOME}/.cache/qutebrowser 176blacklist ${HOME}/.kde/share/config/gwenviewrc
142blacklist ${HOME}/.cache/spotify 177blacklist ${HOME}/.kde/share/config/okularpartrc
143blacklist ${HOME}/.cache/thunderbird 178blacklist ${HOME}/.kde/share/config/okularrc
144blacklist ${HOME}/.cache/icedove 179blacklist ${HOME}/.killingfloor
145blacklist ${HOME}/.cache/transmission 180blacklist ${HOME}/.linphone-history.db
146blacklist ${HOME}/.cache/wesnoth 181blacklist ${HOME}/.linphonerc
147blacklist ${HOME}/.cache/0ad 182blacklist ${HOME}/.lmmsrc.xml
148blacklist ${HOME}/.cache/8pecxstudios 183blacklist ${HOME}/.local/.share/maps-places.json
149blacklist ${HOME}/.cache/xreader 184blacklist ${HOME}/.local/lib/python2.7/site-packages
150blacklist ${HOME}/.cache/Franz 185blacklist ${HOME}/.local/share/0ad
151 186blacklist ${HOME}/.local/share/3909/PapersPlease
152# share 187blacklist ${HOME}/.local/share/Empathy
188blacklist ${HOME}/.local/share/Mumble
189blacklist ${HOME}/.local/share/QuiteRss
190blacklist ${HOME}/.local/share/Ricochet
191blacklist ${HOME}/.local/share/Steam
192blacklist ${HOME}/.local/share/SuperHexagon
193blacklist ${HOME}/.local/share/Terraria
194blacklist ${HOME}/.local/share/TpLogger
195blacklist ${HOME}/.local/share/aspyr-media
196blacklist ${HOME}/.local/share/cdprojektred
197blacklist ${HOME}/.local/share/data/Mumble
198blacklist ${HOME}/.local/share/dolphin
153blacklist ${HOME}/.local/share/epiphany 199blacklist ${HOME}/.local/share/epiphany
200blacklist ${HOME}/.local/share/evolution
201blacklist ${HOME}/.local/share/feral-interactive
202blacklist ${HOME}/.local/share/gajim
203blacklist ${HOME}/.local/share/gnome-2048
204blacklist ${HOME}/.local/share/gnome-chess
205blacklist ${HOME}/.local/share/gnome-music
206blacklist ${HOME}/.local/share/gnome-photos
207blacklist ${HOME}/.local/share/kate
208blacklist ${HOME}/.local/share/lollypop
209blacklist ${HOME}/.local/share/multimc5
154blacklist ${HOME}/.local/share/mupen64plus 210blacklist ${HOME}/.local/share/mupen64plus
211blacklist ${HOME}/.local/share/pix
212blacklist ${HOME}/.local/share/psi+
213blacklist ${HOME}/.local/share/qpdfview
155blacklist ${HOME}/.local/share/spotify 214blacklist ${HOME}/.local/share/spotify
156blacklist ${HOME}/.local/share/steam 215blacklist ${HOME}/.local/share/steam
216blacklist ${HOME}/.local/share/telepathy
217blacklist ${HOME}/.local/share/torbrowser
218blacklist ${HOME}/.local/share/totem
219blacklist ${HOME}/.local/share/vpltd
220blacklist ${HOME}/.local/share/vulkan
157blacklist ${HOME}/.local/share/wesnoth 221blacklist ${HOME}/.local/share/wesnoth
158blacklist ${HOME}/.local/share/0ad
159blacklist ${HOME}/.local/share/xplayer 222blacklist ${HOME}/.local/share/xplayer
160blacklist ${HOME}/.local/share/totem 223blacklist ${HOME}/.local/share/xreader
161blacklist ${HOME}/.local/share/psi+
162blacklist ${HOME}/.local/share/pix
163blacklist ${HOME}/.local/share/gnome-chess
164blacklist ${HOME}/.local/share/qpdfview
165blacklist ${HOME}/.local/share/zathura 224blacklist ${HOME}/.local/share/zathura
166 225blacklist ${HOME}/.lv2
167# ssh 226blacklist ${HOME}/.mcabber
227blacklist ${HOME}/.mcabberrc
228blacklist ${HOME}/.mozilla
229blacklist ${HOME}/.mozilla/seamonkey
230blacklist ${HOME}/.mpdconf
231blacklist ${HOME}/.msmtprc
232blacklist ${HOME}/.multimc5
233blacklist ${HOME}/.mutt
234blacklist ${HOME}/.mutt/muttrc
235blacklist ${HOME}/.muttrc
236blacklist ${HOME}/.nv
237blacklist ${HOME}/.openshot
238blacklist ${HOME}/.openshot_qt
239blacklist ${HOME}/.opera
240blacklist ${HOME}/.opera-beta
241blacklist ${HOME}/.pki
242blacklist ${HOME}/.purple
243blacklist ${HOME}/.qemu-launcher
244blacklist ${HOME}/.remmina
245blacklist ${HOME}/.retroshare
246blacklist ${HOME}/.scribus
247blacklist ${HOME}/.steam
248blacklist ${HOME}/.steampath
249blacklist ${HOME}/.steampid
250blacklist ${HOME}/.stellarium
251blacklist ${HOME}/.subversion
252blacklist ${HOME}/.sword
253blacklist ${HOME}/.sylpheed-2.0
254blacklist ${HOME}/.synfig
255blacklist ${HOME}/.tconn
256blacklist ${HOME}/.thunderbird
257blacklist ${HOME}/.ts3client
258blacklist ${HOME}/.vst
259blacklist ${HOME}/.w3m
260blacklist ${HOME}/.warzone2100-3.1
261blacklist ${HOME}/.weechat
262blacklist ${HOME}/.wine
263blacklist ${HOME}/.wine64
264blacklist ${HOME}/.xiphos
265blacklist ${HOME}/.xonotic
266blacklist ${HOME}/.xpdfrc
267blacklist ${HOME}/.zoom
268blacklist ${HOME}/wallet.dat
168blacklist /tmp/ssh-* 269blacklist /tmp/ssh-*
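Review bot: `blacklist ${HOME}/.local/.share/maps-places.json` on new line 183 looks like a typo for `${HOME}/.local/share/maps-places.json` — with the extra dot the entry never matches the real file. New line 184 blocks only `~/.local/lib/python2.7/site-packages`; user site-packages for other interpreter versions are just as much a place where a sandboxed process could leave modules that a later unsandboxed Python run imports, so `blacklist ${HOME}/.local/lib/python*` would close the gap uniformly. Replacing the category comments (`# Media players`, `# Games`, `# Cryptocoins`, …) with a single sorted list makes merges easier but loses the hint of why an entry exists; a short header comment stating that the list is kept sorted would at least tell contributors where to put new entries.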
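--- /dev/null
+++ b/etc/display.profile
@@ -0,0 +1,23 @@
+# display (ImageMagick tool) image viewer profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+seccomp
+protocol unix
+netfilter
+net none
+nonewprivs
+noroot
+nogroups
+nosound
+shell none
+x11 xorg
+
+private-bin display
+private-tmp
+private-dev
+private-etc none
+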
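Review bot: `netfilter` on new line 10 has no effect next to `net none` on line 11 — the sandbox gets no network interface at all, so there is nothing for the filter to attach to, and dropping it avoids suggesting the profile relies on it. `private-etc none` on line 22 is worth double-checking against the firejail version in use: if `none` is not a recognised keyword there, it would be taken as the name of a file to copy into the private /etc. `protocol unix` and `private-bin display` otherwise fit an image viewer well.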
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index bd7e19dc2..926b8bfcc 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -8,5 +8,7 @@ include /etc/firejail/disable-passwdmgr.inc
8 8
9private 9private
10private-dev 10private-dev
11nosound
12no3d
11seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open 13seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
12 14
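Review bot: `perf_event_open` is listed twice in the `seccomp.drop` line (new line 13), once mid-list and again at the very end; the duplicate predates this commit but is carried forward, and the single very long line makes such repeats easy to miss. Deduplicating the list and adding a one-line comment explaining why this daemon uses a hand-maintained drop list rather than the default `seccomp` filter the other profiles in this commit rely on would make the intent reviewable.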
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile
index 474bc5aca..3bd43f144 100644
--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -5,9 +5,13 @@ include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc 5include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-passwdmgr.inc 6include /etc/firejail/disable-passwdmgr.inc
7include /etc/firejail/disable-devel.inc 7include /etc/firejail/disable-devel.inc
8
8caps 9caps
9seccomp
10protocol unix,inet,inet6,netlink
11netfilter 10netfilter
11nonewprivs
12private 12private
13private-dev 13private-dev
14nosound
15no3d
16protocol unix,inet,inet6,netlink
17seccomp
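Review bot: `caps` on new line 9 keeps the full capability set, and the additions in this hunk (`nonewprivs`, `nosound`, `no3d`) do nothing to narrow it. If dnsmasq's requirements are known, `caps.keep` with only the capabilities it needs to bind its ports and drop privileges would be the stronger form — the exact set depends on how the daemon is configured on the host and should be verified before changing it. Either way, a short comment recording why `caps` rather than `caps.drop all` is used here would help the next reader.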
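--- /dev/null
+++ b/etc/dolphin.profile
@@ -0,0 +1,27 @@
+# dolphin profile
+
+# warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5
+
+noblacklist ~/.config/dolphinrc
+noblacklist ~/.local/share/dolphin
+
+include /etc/firejail/disable-common.inc
+# dolphin needs to be able to start arbitrary applications so we cannot blacklist their files
+#include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+shell none
+seccomp
+protocol unix
+
+# private-bin
+# private-dev
+# private-tmp
+# private-etc
+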
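Review bot: `noblacklist ~/.config/dolphinrc` and `noblacklist ~/.local/share/dolphin` (new lines 5-6) only undo entries that, as far as this commit shows, live in disable-programs.inc — the include this profile comments out on line 10 — so both lines are currently no-ops and only matter if that include is re-enabled. Either drop them, or keep them with a comment saying they are there for when `disable-programs.inc` comes back. The kdeinit5 warning on line 3 is the right thing to record; if `# private-bin` / `# private-dev` / `# private-tmp` / `# private-etc` (lines 23-26) are disabled for the same reason, repeating that next to them makes it clear they were not simply forgotten.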
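--- /dev/null
+++ b/etc/dosbox.profile
@@ -0,0 +1,21 @@
+# Firejail profile for dosbox
+noblacklist ~/.dosbox
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin dosbox
+private-dev
+private-tmp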
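--- /dev/null
+++ b/etc/dragon.profile
@@ -0,0 +1,22 @@
+# dragon player profile
+noblacklist ~/.config/dragonplayerrc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+shell none
+seccomp
+protocol unix,inet,inet6
+
+private-bin dragon
+private-dev
+private-tmp
+# private-etc
+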
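Review bot: The dolphin profile added in this same commit records that kdeinit5 starts the services behind KDE applications outside the sandbox; if dragon is launched the same way, this profile has the same limitation and its header should say so. `private-bin dragon` (new line 18) is worth testing under that assumption too, since any helper the player spawns would be absent from the private /bin. `# private-etc` on line 21 is left without a reason; a short note on why it is off saves the next editor from re-trying it blind.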
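--- a/etc/dropbox.profile
+++ b/etc/dropbox.profile
@@ -1,9 +1,21 @@
 # dropbox profile
+noblacklist ~/.config/autostart
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps
-seccomp
-protocol unix,inet,inet6
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
+
+mkdir ~/Dropbox
+whitelist ~/Dropbox
+mkdir ~/.dropbox
+whitelist ~/.dropbox
+mkdir ~/.dropbox-dist
+whitelist ~/.dropbox-dist
+
+mkfile ~/.config/autostart/dropbox.desktop
+whitelist ~/.config/autostart/dropbox.desktop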
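Review bot: The new `mkfile`/`whitelist ~/.config/autostart/dropbox.desktop` pair (lines 20-21) gives the sandboxed client write access to a login-autostart entry, so a compromised dropbox process could rewrite that file's `Exec=` line and have an arbitrary command run outside the sandbox at the next session start. If the client only needs the file to exist, `read-only ~/.config/autostart/dropbox.desktop` after the whitelist closes that path; if dropbox must write it (the "start on login" toggle), a comment stating the trade-off is warranted. Separately, this profile keeps the default `caps` set rather than `caps.drop all` and omits `nogroups` and `disable-devel.inc`, unlike most sibling profiles in this commit—worth a one-line comment if intentional.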
diff --git a/etc/elinks.profile b/etc/elinks.profile
new file mode 100644
index 000000000..df817ea56
--- /dev/null
+++ b/etc/elinks.profile
@@ -0,0 +1,24 @@
1# elinks profile
2noblacklist ~/.elinks
3
4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-devel.inc
7include /etc/firejail/disable-passwdmgr.inc
8
9caps.drop all
10nogroups
11nonewprivs
12noroot
13nosound
14protocol unix,inet,inet6
15seccomp
16netfilter
17shell none
18tracelog
19
20# private-bin elinks
21private-tmp
22private-dev
23# private-etc none
24
diff --git a/etc/emacs.profile b/etc/emacs.profile
new file mode 100644
index 000000000..2b9c5805c
--- /dev/null
+++ b/etc/emacs.profile
@@ -0,0 +1,16 @@
1# emacs profile
2noblacklist ~/.emacs
3noblacklist ~/.emacs.d
4
5include /etc/firejail/disable-common.inc
6include /etc/firejail/disable-programs.inc
7include /etc/firejail/disable-passwdmgr.inc
8
9
10caps.drop all
11netfilter
12nonewprivs
13noroot
14nogroups
15protocol unix,inet,inet6
16seccomp
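Review bot: emacs.profile omits `disable-devel.inc`, `shell none`, `nosound`, `private-dev` and `private-tmp` without saying why; for an editor that doubles as a development environment the devel omission is expected, but it should be stated, e.g. `# disable-devel.inc intentionally omitted: compilers are used from within emacs`. `private-dev` and `private-tmp` are likely safe additions, and `shell none` only changes how firejail launches emacs (it does not block M-x shell), so it can be added as well. Line 9 is a stray second blank line.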
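--- a/etc/empathy.profile
+++ b/etc/empathy.profile
@@ -4,6 +4,9 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6
+seccomp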
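Review bot: `nonewprivs`, `nogroups` and `noroot` are added here, but Empathy's protocol handling normally lives in telepathy connection managers that are D-Bus-activated outside the sandbox; if that holds on the target system, these options confine only the UI process while the network-facing code runs unconfined. dolphin.profile in this same commit documents the equivalent situation with an explicit warning; a similar line, e.g. `# warning: telepathy connection managers are started by D-Bus outside the sandbox`, would stop users from over-trusting this profile. The profile's first three lines are outside the hunk, so I cannot see whether `disable-passwdmgr.inc` is included.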
diff --git a/etc/enchant.profile b/etc/enchant.profile
new file mode 100644
index 000000000..cf8288919
--- /dev/null
+++ b/etc/enchant.profile
@@ -0,0 +1,23 @@
1# enchant profile
2noblacklist ~/.config/enchant
3
4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-devel.inc
7include /etc/firejail/disable-passwdmgr.inc
8
9caps.drop all
10nogroups
11nonewprivs
12noroot
13nosound
14protocol unix
15seccomp
16netfilter
17shell none
18tracelog
19
20# private-bin enchant
21# private-tmp
22# private-dev
23# private-etc fonts
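Review bot: `netfilter` at line 16 appears to have no effect here, because firejail's network filter is applied inside a new network namespace created by a `net` option and this profile creates none; as written the sandbox shares the host network and only `protocol unix` stands between a spell-checking backend and the internet. A spell checker needs no network at all, so `net none` (as exiftool.profile and feh.profile in this commit use) is the stronger and cheaper option: replace `netfilter` with `net none`. The commented `# private-etc fonts` hint reads oddly for a non-GUI tool—either drop it or note why it was kept.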
diff --git a/etc/eog.profile b/etc/eog.profile
new file mode 100644
index 000000000..d463f3a97
--- /dev/null
+++ b/etc/eog.profile
@@ -0,0 +1,22 @@
1# eog (gnome image viewer) profile
2noblacklist ~/.config/eog
3
4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-devel.inc
7include /etc/firejail/disable-passwdmgr.inc
8
9caps.drop all
10netfilter
11nogroups
12nonewprivs
13noroot
14nosound
15protocol unix
16seccomp
17shell none
18
19private-bin eog
20private-dev
21private-etc fonts
22private-tmp
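Review bot: eog decodes untrusted images through gdk-pixbuf loaders and has no reason to reach the network, yet the profile relies only on `protocol unix` while `netfilter` at line 10 is inert without a `net` namespace. feh.profile in this commit uses `net none` for the same kind of program; adding `net none` here cuts exfiltration from a loader exploit at the namespace level. Note that `private-etc fonts` also hides /etc/localtime and the GTK config directories—probably fine for eog, but worth a `# verified with private-etc fonts only` style comment once tested.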
diff --git a/etc/eom.profile b/etc/eom.profile
new file mode 100644
index 000000000..dfcea82c1
--- /dev/null
+++ b/etc/eom.profile
@@ -0,0 +1,21 @@
1# Firejail profile for Eye of Mate (eom)
2noblacklist ~/.config/mate/eom
3
4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-devel.inc
7include /etc/firejail/disable-passwdmgr.inc
8
9caps.drop all
10nogroups
11nonewprivs
12noroot
13nosound
14protocol unix
15seccomp
16shell none
17tracelog
18
19private-bin eom
20private-dev
21private-tmp
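Review bot: eom gets neither `net none` nor `netfilter`, so an image-loader exploit keeps the host network namespace; `protocol unix` at line 14 does block AF_INET sockets, but a namespace-level `net none` (as feh.profile uses) is defense in depth and costs nothing for a local image viewer. Suggested: add `net none` after `caps.drop all`. It also omits `private-etc` while the sibling eog.profile uses `private-etc fonts`; either align the two or comment the difference.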
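--- a/etc/epiphany.profile
+++ b/etc/epiphany.profile
@@ -8,19 +8,16 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 
 whitelist ${DOWNLOADS}
-mkdir ${HOME}/.local
-mkdir ${HOME}/.local/share
 mkdir ${HOME}/.local/share/epiphany
 whitelist ${HOME}/.local/share/epiphany
-mkdir ${HOME}/.config
 mkdir ${HOME}/.config/epiphany
 whitelist ${HOME}/.config/epiphany
-mkdir ${HOME}/.cache
 mkdir ${HOME}/.cache/epiphany
 whitelist ${HOME}/.cache/epiphany
 include /etc/firejail/whitelist-common.inc
+
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
-
+nonewprivs
+protocol unix,inet,inet6
+seccomp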
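Review bot: Epiphany is a full web browser, yet after this change the profile still lacks `noroot`, `nogroups`, `shell none`, `private-dev` and `private-tmp`, all of which firefox.profile or flashpeak-slimjet.profile receive in the same commit (`noroot` is present in both). At minimum `noroot` and `private-tmp` look safe to add next to `nonewprivs`; `private-dev` may interact with WebKitGTK's GPU access, so verify before adding it. The profile's first seven lines are outside this hunk.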
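--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -1,11 +1,25 @@
 # evince pdf reader profile
+noblacklist ~/.config/evince
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
+netfilter
+#net none - creates some problems on some distributions
+nogroups
+nonewprivs
 noroot
 nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin evince,evince-previewer,evince-thumbnailer
+private-dev
+private-etc fonts
+# evince needs access to /tmp/mozilla* to work in firefox
+# private-tmp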
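Review bot: Leaving `private-tmp` commented out (line 25) so that Firefox-downloaded PDFs under /tmp/mozilla* stay reachable also leaves every other file in /tmp visible and writable to the PDF parser, which is the component most likely to be exploited here. If this firejail version accepts `whitelist` on /tmp paths, `private-tmp` plus `whitelist /tmp/mozilla*` would narrow that; otherwise the comment should spell out the trade-off rather than just the reason. Also, `netfilter` at line 10 only takes effect inside a `net` namespace, so with `#net none` disabled it does nothing—the comment on line 11 should say that the effective fallback is `protocol unix`, not netfilter.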
diff --git a/etc/evolution.profile b/etc/evolution.profile
new file mode 100644
index 000000000..ab6dd7a4a
--- /dev/null
+++ b/etc/evolution.profile
@@ -0,0 +1,25 @@
1# evolution profile
2noblacklist ~/.config/evolution
3noblacklist ~/.local/share/evolution
4noblacklist ~/.cache/evolution
5noblacklist ~/.pki
6noblacklist ~/.pki/nssdb
7noblacklist ~/.gnupg
8
9include /etc/firejail/disable-common.inc
10include /etc/firejail/disable-programs.inc
11include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-passwdmgr.inc
13
14caps.drop all
15netfilter
16nogroups
17nonewprivs
18noroot
19nosound
20protocol unix,inet,inet6
21seccomp
22shell none
23
24private-dev
25private-tmp
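Review bot: `noblacklist ~/.gnupg` (line 7) together with `noblacklist ~/.pki` exposes the user's complete secret-key material to a process that parses untrusted mail over the network, and nothing in the profile narrows that (no `read-only`, no whitelist). OpenPGP mail needs the keys, but the trade-off should be stated, e.g. `# ~/.gnupg is exposed for PGP mail; a compromised evolution can read secret keys`, and `read-only ~/.gnupg` is worth testing if evolution only talks to gpg-agent through its socket. Evolution's mail and calendar backends (evolution-data-server) are usually D-Bus-activated outside the sandbox; if that is the case here, the profile deserves the same warning comment dolphin.profile carries.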
diff --git a/etc/exiftool.profile b/etc/exiftool.profile
new file mode 100644
index 000000000..384695473
--- /dev/null
+++ b/etc/exiftool.profile
@@ -0,0 +1,28 @@
1# exiftool profile
2noblacklist /usr/bin/perl
3noblacklist /usr/share/perl*
4noblacklist /usr/lib/perl*
5
6include /etc/firejail/disable-common.inc
7include /etc/firejail/disable-programs.inc
8include /etc/firejail/disable-devel.inc
9include /etc/firejail/disable-passwdmgr.inc
10
11caps.drop all
12nogroups
13nonewprivs
14noroot
15nosound
16protocol unix
17seccomp
18netfilter
19net none
20shell none
21tracelog
22
23# private-bin exiftool,perl
24private-tmp
25private-dev
26private-etc none
27
28
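Review bot: `netfilter` (line 18) is redundant with `net none` on the next line—`net none` creates an empty network namespace, leaving nothing for a filter to apply to—so drop `netfilter` and keep `net none`. The `noblacklist /usr/bin/perl` lines re-expose the Perl interpreter, which is the right call for a Perl tool, but it means the commented `# private-bin exiftool,perl` is the only thing that would limit what else can be executed; a short comment on why private-bin is disabled would help the next maintainer. Trailing blank lines 27-28 can be removed.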
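--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -7,8 +7,14 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
 nosound
+protocol unix,inet,inet6
+seccomp
+
+shell none
+private-bin fbreader,FBReader
+private-dev
+private-tmp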
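Review bot: `shell none` (line 17) is separated from the other sandbox options by a blank line and grouped with the `private-*` directives, which breaks the alphabetical option block the rest of this commit uses (compare filezilla.profile lines 10-16). Move it to follow `seccomp` so the block reads `protocol unix,inet,inet6` / `seccomp` / `shell none`, with `private-bin` starting the next group. `nogroups` is also missing relative to the sibling profiles—likely harmless, but uniform profiles are easier to audit.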
diff --git a/etc/feh.profile b/etc/feh.profile
new file mode 100644
index 000000000..2812effc9
--- /dev/null
+++ b/etc/feh.profile
@@ -0,0 +1,21 @@
1# feh image viewer profile
2include /etc/firejail/disable-common.inc
3include /etc/firejail/disable-programs.inc
4include /etc/firejail/disable-devel.inc
5include /etc/firejail/disable-passwdmgr.inc
6
7caps.drop all
8netfilter
9net none
10nogroups
11nonewprivs
12noroot
13nosound
14protocol unix
15seccomp
16shell none
17
18private-bin feh
19private-dev
20private-etc feh
21private-tmp \ No newline at end of file
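Review bot: The file lacks a trailing newline (line 21), which git flags and which some line-oriented parsers treat as a truncated last line; add one. `netfilter` (line 8) is redundant with `net none` (line 9) because there is no network namespace left to filter—drop `netfilter`. `private-etc feh` without `fonts` also means fontconfig is absent inside the sandbox; if feh's text overlay renders through Imlib2's own font directory that is fine, otherwise `private-etc feh,fonts` is needed—verify.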
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
new file mode 100644
index 000000000..6116389db
--- /dev/null
+++ b/etc/file-roller.profile
@@ -0,0 +1,21 @@
1# file-roller profile
2include /etc/firejail/disable-common.inc
3include /etc/firejail/disable-programs.inc
4include /etc/firejail/disable-devel.inc
5include /etc/firejail/disable-passwdmgr.inc
6
7caps.drop all
8nogroups
9nonewprivs
10noroot
11nosound
12protocol unix
13seccomp
14netfilter
15shell none
16tracelog
17
18# private-bin file-roller
19# private-tmp
20private-dev
21# private-etc fonts
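Review bot: An archive manager extracting untrusted archives has no need for network, but the profile only uses `protocol unix` (line 12) plus a `netfilter` that is inert without a `net` namespace; `net none` would isolate a decompressor exploit at the namespace level, as exiftool.profile does. `private-bin` is rightly left commented since file-roller execs external archivers, but the comment should say so: `# private-bin disabled: file-roller execs tar/unzip/7z and friends`. `private-dev` is on while `private-tmp` stays off—document why, since extraction into /tmp is the common case.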
diff --git a/etc/file.profile b/etc/file.profile
new file mode 100644
index 000000000..d145fe12a
--- /dev/null
+++ b/etc/file.profile
@@ -0,0 +1,26 @@
1# file profile
2quiet
3include /etc/firejail/disable-common.inc
4include /etc/firejail/disable-programs.inc
5include /etc/firejail/disable-passwdmgr.inc
6
7caps.drop all
8hostname file
9netfilter
10net none
11no3d
12nogroups
13nonewprivs
14#noroot
15nosound
16protocol unix
17seccomp
18shell none
19tracelog
20x11 none
21
22blacklist /tmp/.X11-unix
23
24private-dev
25private-bin file
26private-etc magic.mgc,magic,localtime
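Review bot: `#noroot` at line 14 is disabled with no explanation; `file`/libmagic is a classic untrusted-input parser, and the user-namespace root mapping is cheap protection for it. If it was commented out because this profile is also pulled in when running as root or from inside other sandboxes, a one-line comment should say so (`# noroot disabled: <reason> — verify`); otherwise re-enable it. `netfilter` (line 9) is redundant with `net none` on line 10.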
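--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -7,8 +7,14 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
-noroot
 netfilter
+nonewprivs
+noroot
 nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp
+private-dev
+private-tmp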
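Review bot: The new `private-bin` list (line 18) includes `sh` and `python`, so the restricted /bin still provides a shell and a full interpreter—private-bin then reduces clutter rather than attack surface, since any code execution in filezilla can reach both. If they exist only for the `fzputtygen`/`fzsftp` helpers or a launcher script, a comment should say which component needs `sh` and which needs `python`, and the `python` entry should be checked against target distributions, many of which ship only `python2`/`python3` binaries so the entry silently stops matching. `nogroups` is also absent relative to the sibling profiles in this commit.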
diff --git a/etc/firefox-esr.profile b/etc/firefox-esr.profile
new file mode 100644
index 000000000..d2fde9a3f
--- /dev/null
+++ b/etc/firefox-esr.profile
@@ -0,0 +1,2 @@
1# Firejail profile for Mozilla Firefox ESR
2include /etc/firejail/firefox.profile
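--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -1,23 +1,24 @@
 # Firejail profile for Mozilla Firefox (Iceweasel in Debian)
-
 noblacklist ~/.mozilla
 noblacklist ~/.cache/mozilla
+noblacklist ~/.config/qpdfview
+noblacklist ~/.local/share/qpdfview
+noblacklist ~/.kde/share/apps/okular
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
-tracelog
+nonewprivs
 noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
 
 whitelist ${DOWNLOADS}
 mkdir ~/.mozilla
 whitelist ~/.mozilla
-mkdir ~/.cache
-mkdir ~/.cache/mozilla
 mkdir ~/.cache/mozilla/firefox
 whitelist ~/.cache/mozilla/firefox
 whitelist ~/dwhelper
@@ -30,6 +31,9 @@ whitelist ~/.keysnail.js
 whitelist ~/.config/gnome-mplayer
 whitelist ~/.cache/gnome-mplayer/plugin
 whitelist ~/.pki
+whitelist ~/.config/qpdfview
+whitelist ~/.local/share/qpdfview
+whitelist ~/.kde/share/apps/okular
 
 # lastpass, keepassx
 whitelist ~/.keepassx
@@ -40,14 +44,15 @@ whitelist ~/.config/lastpass
 
 
 #silverlight
 whitelist ~/.wine-pipelight
 whitelist ~/.wine-pipelight64
 whitelist ~/.config/pipelight-widevine
 whitelist ~/.config/pipelight-silverlight5.1
 
 include /etc/firejail/whitelist-common.inc
 
 # experimental features
-#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
-
-
+#private-bin firefox,which,sh,dbus-launch,dbus-send,env
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
+private-dev
+private-tmp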
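Review bot: The new `whitelist ~/.config/qpdfview`, `~/.local/share/qpdfview` and `~/.kde/share/apps/okular` lines (34-36) make those helper-viewer directories writable from inside the browser sandbox. If either viewer is also run outside the sandbox and reads anything there that influences execution (qpdfview's configurable external source-editor command, for instance—verify), a compromised browser gains a write-to-host path; `read-only` on the three paths, or a comment stating why write access is required, would address that. The `private-tmp` added at line 58 is also why evince.profile keeps its own private-tmp off for /tmp/mozilla*; a cross-reference comment here would keep the two profiles in sync.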
diff --git a/etc/firejail-default b/etc/firejail-default
new file mode 100644
index 000000000..1b0eb7658
--- /dev/null
+++ b/etc/firejail-default
@@ -0,0 +1,154 @@
1#########################################
2# Generic Firejail AppArmor profile
3#########################################
4
5##########
6# A simple PID declaration based on Ubuntu's @{pid}
7# Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.
8# We don't know if this definition is available outside Debian and Ubuntu, so
9# we declare our own here.
10##########
11@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
12
13profile firejail-default {
14
15##########
16# D-Bus is a huge security hole. Uncomment this line if you need D-Bus
17# functionality.
18##########
19#dbus,
20
21##########
22# Mask /proc and /sys information leakage. The configuration here is barely
23# enough to run "top" or "ps aux".
24##########
25/ r,
26/[^proc,^sys]** mrwlk,
27/{,var/}run/ r,
28/{,var/}run/** r,
29/{,var/}run/user/**/dconf/ rw,
30/{,var/}run/user/**/dconf/user rw,
31/{,var/}run/user/**/pulse/ rw,
32/{,var/}run/user/**/pulse/** rw,
33/{,var/}run/firejail/mnt/fslogger r,
34/{,var/}run/firejail/appimage r,
35/{,var/}run/firejail/appimage/** r,
36/{,var/}run/firejail/appimage/** ix,
37/{run,dev}/shm/ r,
38/{run,dev}/shm/** rmwk,
39
40/proc/ r,
41/proc/meminfo r,
42/proc/cpuinfo r,
43/proc/filesystems r,
44/proc/uptime r,
45/proc/loadavg r,
46/proc/stat r,
47
48/proc/@{PID}/ r,
49/proc/@{PID}/fd/ r,
50/proc/@{PID}/task/ r,
51/proc/@{PID}/cmdline r,
52/proc/@{PID}/comm r,
53/proc/@{PID}/stat r,
54/proc/@{PID}/statm r,
55/proc/@{PID}/status r,
56/proc/@{PID}/task/@{PID}/stat r,
57/proc/sys/kernel/pid_max r,
58/proc/sys/kernel/shmmax r,
59/proc/sys/vm/overcommit_memory r,
60/proc/sys/vm/overcommit_ratio r,
61
62/sys/ r,
63/sys/bus/ r,
64/sys/bus/** r,
65/sys/class/ r,
66/sys/class/** r,
67/sys/devices/ r,
68/sys/devices/** r,
69
70/proc/@{PID}/maps r,
71/proc/@{PID}/mounts r,
72/proc/@{PID}/mountinfo r,
73/proc/@{PID}/oom_score_adj r,
74
75##########
76# Allow running programs only from well-known system directories. If you need
77# to run programs from your home directory, uncomment /home line.
78##########
79/lib/** ix,
80/lib64/** ix,
81/bin/** ix,
82/sbin/** ix,
83/usr/bin/** ix,
84/usr/sbin/** ix,
85/usr/local/** ix,
86/usr/lib/** ix,
87/usr/games/** ix,
88/opt/ r,
89/opt/** r,
90/opt/** ix,
91#/home/** ix,
92
93##########
94# Allow all networking functionality, and control it from Firejail.
95##########
96network inet,
97network inet6,
98network unix,
99network netlink,
100network raw,
101
102##########
103# There is no equivalent in Firejail for filtering signals.
104##########
105signal,
106
107##########
108# We let Firejail deal with capabilities.
109##########
110capability chown,
111capability dac_override,
112capability dac_read_search,
113capability fowner,
114capability fsetid,
115capability kill,
116capability setgid,
117capability setuid,
118capability setpcap,
119capability linux_immutable,
120capability net_bind_service,
121capability net_broadcast,
122capability net_admin,
123capability net_raw,
124capability ipc_lock,
125capability ipc_owner,
126capability sys_module,
127capability sys_rawio,
128capability sys_chroot,
129capability sys_ptrace,
130capability sys_pacct,
131capability sys_admin,
132capability sys_boot,
133capability sys_nice,
134capability sys_resource,
135capability sys_time,
136capability sys_tty_config,
137capability mknod,
138capability lease,
139capability audit_write,
140capability audit_control,
141capability setfcap,
142capability mac_override,
143capability mac_admin,
144
145##########
146# We let Firejail deal with mount/umount functionality.
147##########
148mount,
149remount,
150umount,
151pivot_root,
152
153}
154
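Review bot: `/[^proc,^sys]** mrwlk,` at line 26 is a single-character negated class, not an exclusion of the paths /proc and /sys: it denies every top-level entry whose first character is one of `p r o c , ^ s y`, so besides /proc and /sys it also covers /root, /run, /opt, /sbin, /srv, /snap and /cdrom. /run, /opt and /sbin are re-granted further down, but /srv, /snap and /cdrom are not, which will surface as AppArmor denials for programs installed or serving from there; either add explicit grants for the directories that matter or replace the rule with a positive list of the top-level directories the sandbox may reach. At minimum the comment above it should say what the class actually matches (`# [^proc,^sys] is a character class: excludes any top-level name starting with p,r,o,c,s,y`) so the next maintainer does not read it as a path exclusion.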
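--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -9,24 +9,63 @@
 # Enable or disable chroot support, default enabled.
 # chroot yes
 
+# Use chroot for desktop programs, default enabled. The sandbox will have full
+# access to system's /dev directory in order to allow video acceleration,
+# and it will harden the rest of the chroot tree.
+# chroot-desktop yes
+
 # Enable or disable file transfer support, default enabled.
 # file-transfer yes
 
+# Enable Firejail green prompt in terminal, default disabled
+# firejail-prompt no
+
+# Force use of nonewprivs. This mitigates the possibility of
+# a user abusing firejail's features to trick a privileged (suid
+# or file capabilities) process into loading code or configuration
+# that is partially under their control. Default disabled.
+# force-nonewprivs no
+
 # Enable or disable networking features, default enabled.
 # network yes
 
+# Enable or disable overlayfs features, default enabled.
+# overlayfs yes
+
+# Remove /usr/local directories from private-bin list, default disabled.
+# private-bin-no-local no
+
+# Enable or disable private-home feature, default enabled
+# private-home yes
+
+# Enable --quiet as default every time the sandbox is started. Default disabled.
+# quiet-by-default no
+
+# Remount /proc and /sys inside the sandbox, default enabled.
+# remount-proc-sys yes
+
 # Enable or disable restricted network support, default disabled. If enabled,
 # networking features should also be enabled (network yes).
-# Restricted networking grants access to --interface and --net=ethXXX
-# only to root user. Regular users are only allowed --net=none.
+# Restricted networking grants access to --interface, --net=ethXXX and
+# --netfilter only to root user. Regular users are only allowed --net=none.
 # restricted-network no
 
+# Change default netfilter configuration. When using --netfilter option without
+# a file argument, the default filter is hardcoded (see man 1 firejail). This
+# configuration entry allows the user to change the default by specifying
+# a file containing the filter configuration. The filter file format is the
+# format of iptables-save and iptable-restore commands. Example:
+# netfilter-default /etc/iptables.iptables.rules
+
 # Enable or disable seccomp support, default enabled.
 # seccomp yes
 
 # Enable or disable user namespace support, default enabled.
 # userns yes
 
+# Enable or disable whitelisting support, default enabled.
+# whitelist yes
+
 # Enable or disable X11 sandboxing support, default enabled.
 # x11 yes
 
@@ -36,3 +75,10 @@
 # xephyr-screen 800x600
 # xephyr-screen 1024x768
 # xephyr-screen 1280x1024
+
+# Firejail window title in Xephyr, default enabled.
+# xephyr-window-title yes
+
+# Xephyr command extra parameters. None by default, and the declaration is commented out.
+# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
+# xephyr-extra-params -grayscale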
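Review bot: The new `force-nonewprivs` entry (lines 23-27) documents a real privilege-escalation mitigation but ships disabled, so every profile that omits `nonewprivs` still lets the sandboxed program exec setuid binaries under a partially attacker-controlled environment; the comment should say that explicitly and point to the per-profile `nonewprivs` option as the opt-in alternative. Line 57 has a typo, `iptable-restore` → `iptables-restore`, and the example path on line 58, `/etc/iptables.iptables.rules`, looks like a doubled name—`/etc/iptables/iptables.rules` is the conventional location, so verify which was meant. The `chroot-desktop` text (lines 12-15) should also state that "full access to system's /dev" exposes every device node inside the chroot, not only the GPU ones.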
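--- a/etc/flashpeak-slimjet.profile
+++ b/etc/flashpeak-slimjet.profile
@@ -15,16 +15,15 @@ include /etc/firejail/disable-programs.inc
 #
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
+nonewprivs
 noroot
+protocol unix,inet,inet6,netlink
+seccomp
 
 whitelist ${DOWNLOADS}
-mkdir ~/.config
 mkdir ~/.config/slimjet
 whitelist ~/.config/slimjet
-mkdir ~/.cache
 mkdir ~/.cache/slimjet
 whitelist ~/.cache/slimjet
 mkdir ~/.pki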
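Review bot: This browser profile gains `nonewprivs` but still lacks `private-dev`, `private-tmp`, `nogroups` and `shell none`, which firefox.profile receives in the same commit (its lines 57-58); `private-dev` and `private-tmp` close access to /dev and to other users' /tmp files and look like safe additions for a Chromium-based browser, but verify against chromium.profile (also touched by this commit but not visible here) before adding them. Lines 1-14 and everything after `mkdir ~/.pki` are outside this hunk.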
diff --git a/etc/flowblade.profile b/etc/flowblade.profile
new file mode 100644
index 000000000..12afdb0aa
--- /dev/null
+++ b/etc/flowblade.profile
@@ -0,0 +1,13 @@
1# FlowBlade profile
2noblacklist ${HOME}/.flowblade
3noblacklist ${HOME}/.config/flowblade
4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-passwdmgr.inc
7
8caps.drop all
9netfilter
10nonewprivs
11noroot
12protocol unix,inet,inet6,netlink
13seccomp
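Review bot: flowblade.profile is the thinnest new profile in this set—no `nogroups`, `shell none`, `private-dev` or `private-tmp`, and no comment explaining why `disable-devel.inc` is omitted for a video editor. `nogroups` and `shell none` are safe additions; `private-dev` keeps /dev/dri and the sound devices so it is likely fine too, but verify that the MLT render backends need no other nodes. A blank line between the `noblacklist` lines and the includes would match the layout of the other profiles.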
diff --git a/etc/franz.profile b/etc/franz.profile
new file mode 100644
index 000000000..0b3be551b
--- /dev/null
+++ b/etc/franz.profile
@@ -0,0 +1,24 @@
1# Franz profile
2noblacklist ~/.config/Franz
3noblacklist ~/.cache/Franz
4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-devel.inc
7
8caps.drop all
9netfilter
10nonewprivs
11noroot
12protocol unix,inet,inet6,netlink
13seccomp
14#tracelog
15
16whitelist ${DOWNLOADS}
17mkdir ~/.config/Franz
18whitelist ~/.config/Franz
19mkdir ~/.cache/Franz
20whitelist ~/.cache/Franz
21mkdir ~/.pki
22whitelist ~/.pki
23
24include /etc/firejail/whitelist-common.inc
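Review bot: `#tracelog` (line 14) is commented out with no reason given, while gitter.profile—the other Electron messenger added in this commit—gets `nogroups` and `shell none` that this profile lacks. Either enable `tracelog` or replace the line with a comment stating what broke, and add `nogroups` and `shell none` for parity. Since `~/.pki` is whitelisted read-write (lines 21-22), a comment that this is the shared NSS certificate store, where additions can affect TLS trust decisions of other NSS applications, would help reviewers of later changes.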
diff --git a/etc/gajim.profile b/etc/gajim.profile
new file mode 100644
index 000000000..eb60f858b
--- /dev/null
+++ b/etc/gajim.profile
@@ -0,0 +1,38 @@
1# Firejail profile for Gajim
2noblacklist ${HOME}/.cache/gajim
3noblacklist ${HOME}/.local/share/gajim
4noblacklist ${HOME}/.config/gajim
5
6mkdir ${HOME}/.cache/gajim
7mkdir ${HOME}/.local/share/gajim
8mkdir ${HOME}/.config/gajim
9mkdir ${HOME}/Downloads
10
11# Allow the local python 2.7 site packages, in case any plugins are using these
12mkdir ${HOME}/.local/lib/python2.7/site-packages/
13whitelist ${HOME}/.local/lib/python2.7/site-packages/
14read-only ${HOME}/.local/lib/python2.7/site-packages/
15
16whitelist ${HOME}/.cache/gajim
17whitelist ${HOME}/.local/share/gajim
18whitelist ${HOME}/.config/gajim
19whitelist ${HOME}/Downloads
20
21include /etc/firejail/disable-common.inc
22include /etc/firejail/disable-passwdmgr.inc
23include /etc/firejail/disable-programs.inc
24include /etc/firejail/disable-devel.inc
25
26caps.drop all
27netfilter
28nogroups
29nonewprivs
30noroot
31protocol unix,inet,inet6
32seccomp
33shell none
34
35#private-bin python2.7 gajim
36#private-etc fonts
37private-dev
38#private-tmp
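Review bot: `mkdir ${HOME}/Downloads` and `whitelist ${HOME}/Downloads` (lines 9 and 19) hard-code the directory name, whereas the rest of this commit uses `${DOWNLOADS}` (franz.profile line 16), which follows the user's XDG download directory; on localized systems this creates and exposes a stray ~/Downloads while the real download folder stays unwritable. Replace both lines with a single `whitelist ${DOWNLOADS}` (firefox.profile shows no `mkdir` is needed for it). The `read-only` on the python2.7 site-packages directory is a good touch—a comment that it stops a compromised Gajim from persisting a malicious plugin would make the intent clear.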
diff --git a/etc/gedit.profile b/etc/gedit.profile
new file mode 100644
index 000000000..a25286bfa
--- /dev/null
+++ b/etc/gedit.profile
@@ -0,0 +1,26 @@
1# gedit profile
2
3# when gedit is started via gnome-shell, firejail is not applied because systemd will start it
4
5noblacklist ~/.config/gedit
6
7include /etc/firejail/disable-common.inc
8include /etc/firejail/disable-programs.inc
9#include /etc/firejail/disable-devel.inc
10include /etc/firejail/disable-passwdmgr.inc
11
12caps.drop all
13nogroups
14nonewprivs
15noroot
16nosound
17protocol unix
18seccomp
19netfilter
20shell none
21tracelog
22
23# private-bin gedit
24private-tmp
25private-dev
26# private-etc fonts
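Review bot: The comment at line 3 correctly warns that gedit launched from gnome-shell bypasses firejail, but the profile itself still leaves a text editor on the host network: `netfilter` (line 19) is inert without a `net` namespace, and there is no `net none`, so only `protocol unix` limits sockets. Add `net none` for defense in depth; any plugin that needs network can be documented as the exception. It should also say why `disable-devel.inc` is commented out—presumably to keep compilers available to editor plugins.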
diff --git a/etc/gimp.profile b/etc/gimp.profile
new file mode 100644
index 000000000..cb441fc9d
--- /dev/null
+++ b/etc/gimp.profile
@@ -0,0 +1,20 @@
1# gimp
2noblacklist ${HOME}/.gimp*
3include /etc/firejail/disable-common.inc
4include /etc/firejail/disable-programs.inc
5include /etc/firejail/disable-passwdmgr.inc
6
7caps.drop all
8netfilter
9nogroups
10nonewprivs
11noroot
12nosound
13protocol unix
14seccomp
15
16noexec ${HOME}
17noexec /tmp
18
19private-dev
20private-tmp
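Review bot: `noexec ${HOME}` (line 16) will stop GIMP from running user-installed plug-ins, which are separate executables under `~/.gimp-2.*/plug-ins`—the very directory `noblacklist ${HOME}/.gimp*` re-exposes. Either document the trade-off (`# noexec ${HOME} breaks user plug-ins in ~/.gimp-2.x/plug-ins; system plug-ins still work`) or drop `noexec ${HOME}` and keep `noexec /tmp`. `netfilter` (line 8) is inert without a `net` namespace and `protocol unix` already blocks inet sockets, so `net none` would be the meaningful addition for an image editor.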
diff --git a/etc/git.profile b/etc/git.profile
new file mode 100644
index 000000000..d60e58c03
--- /dev/null
+++ b/etc/git.profile
@@ -0,0 +1,26 @@
1# git profile
2quiet
3noblacklist ~/.gitconfig
4noblacklist ~/.ssh
5noblacklist ~/.gnupg
6noblacklist ~/.emacs
7noblacklist ~/.emacs.d
8noblacklist ~/.viminfo
9noblacklist ~/.vim
10
11include /etc/firejail/disable-common.inc
12include /etc/firejail/disable-programs.inc
13include /etc/firejail/disable-passwdmgr.inc
14
15
16caps.drop all
17netfilter
18nogroups
19nonewprivs
20noroot
21nosound
22protocol unix,inet,inet6
23seccomp
24shell none
25
26private-dev
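Review bot: The seven `noblacklist` lines re-expose ~/.ssh (private keys), ~/.gnupg (secret keys) and editor state to a tool that executes repository-supplied hooks and config-driven commands (e.g. `core.pager`, `core.editor`), and nothing explains those choices. Add a comment per group—`# ~/.ssh and ~/.gnupg: push over ssh and commit signing; a malicious repo hook can read them`—and `# editor dotfiles: commit-message editing`. `shell none` here only changes how firejail launches git and does not stop git from spawning /bin/sh for hooks, so the profile's protection rests on seccomp/caps/noroot; that is worth stating so nobody mistakes `shell none` for a shell ban.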
diff --git a/etc/gitter.profile b/etc/gitter.profile
new file mode 100644
index 000000000..f43f5f199
--- /dev/null
+++ b/etc/gitter.profile
@@ -0,0 +1,20 @@
1# Firejail profile for Gitter
2noblacklist ~/.config/Gitter
3include /etc/firejail/disable-common.inc
4include /etc/firejail/disable-passwdmgr.inc
5include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-devel.inc
7
8caps.drop all
9netfilter
10nogroups
11nonewprivs
12noroot
13nosound
14protocol unix,inet,inet6,netlink
15seccomp
16shell none
17
18private-bin gitter
19private-dev
20private-tmp
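Review bot: `private-bin gitter` (line 18) assumes /usr/bin/gitter is the Electron binary itself; if the distribution packages it as a shell wrapper around an /opt install (common for Electron apps), the sandbox will fail to start because `sh` is excluded from the private /bin. Verify on the target packages and either add the interpreter the wrapper needs or note the assumption in a comment. `nosound` on a chat client also silences notification sounds—fine if intentional, but say so.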
diff --git a/etc/gjs.profile b/etc/gjs.profile
new file mode 100644
index 000000000..8d71728a2
--- /dev/null
+++ b/etc/gjs.profile
@@ -0,0 +1,28 @@
1# gjs (gnome javascript bindings) profile
2
3# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
4
5noblacklist ~/.cache/org.gnome.Books
6noblacklist ~/.config/libreoffice
7noblacklist ~/.local/share/gnome-photos
8noblacklist ~/.cache/libgweather
9
10include /etc/firejail/disable-common.inc
11include /etc/firejail/disable-programs.inc
12include /etc/firejail/disable-devel.inc
13include /etc/firejail/disable-passwdmgr.inc
14
15caps.drop all
16nogroups
17nonewprivs
18noroot
19protocol unix,inet,inet6
20seccomp
21netfilter
22shell none
23tracelog
24
25# private-bin gjs,gnome-books,gnome-documents,gnome-photos,gnome-maps,gnome-weather
26private-tmp
27private-dev
28# private-etc fonts
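Review bot: gjs.profile is a catch-all for every gjs-launched GNOME app, so it carries the union of their needs—network via `protocol unix,inet,inet6` for Maps/Weather, `~/.config/libreoffice` for Documents, `~/.local/share/gnome-photos` for Photos—and each app gets all of it. Since this commit also adds dedicated gnome-books, gnome-documents, gnome-maps and gnome-photos profiles with tighter settings (gnome-books uses `protocol unix`), add a comment here stating that gjs.profile is the fallback and that the per-app profiles apply when the app is launched by name, so nobody tightens one without the other.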
diff --git a/etc/gnome-2048.profile b/etc/gnome-2048.profile
new file mode 100644
index 000000000..f9982da61
--- /dev/null
+++ b/etc/gnome-2048.profile
@@ -0,0 +1,25 @@
1#
2#Profile for gnome-2048
3#
4
5#No Blacklist Paths
6noblacklist ${HOME}/.local/share/gnome-2048
7
8#Blacklist Paths
9include /etc/firejail/disable-common.inc
10include /etc/firejail/disable-programs.inc
11include /etc/firejail/disable-passwdmgr.inc
12include /etc/firejail/disable-devel.inc
13
14#Whitelist Paths
15mkdir ${HOME}/.local/share/gnome-2048
16whitelist ${HOME}/.local/share/gnome-2048
17include /etc/firejail/whitelist-common.inc
18
19#Options
20caps.drop all
21netfilter
22nonewprivs
23noroot
24protocol unix,inet,inet6
25seccomp
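Review bot: A local puzzle game gets `protocol unix,inet,inet6` plus `netfilter` (lines 21 and 24); `netfilter` is inert without a `net` namespace, and gnome-2048 has no network feature I am aware of, so `net none` with `protocol unix` would be the tighter and still-working choice—verify it has no online scoreboard before applying. `nogroups`, `shell none` and `private-dev`/`private-tmp` are also absent compared with gnome-chess.profile in the same commit.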
diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile
new file mode 100644
index 000000000..10b06e173
--- /dev/null
+++ b/etc/gnome-books.profile
@@ -0,0 +1,26 @@
1# gnome-books profile
2
3# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
4
5noblacklist ~/.cache/org.gnome.Books
6
7include /etc/firejail/disable-common.inc
8include /etc/firejail/disable-programs.inc
9include /etc/firejail/disable-devel.inc
10include /etc/firejail/disable-passwdmgr.inc
11
12caps.drop all
13nogroups
14nonewprivs
15noroot
16nosound
17protocol unix
18seccomp
19netfilter
20shell none
21tracelog
22
23# private-bin gjs gnome-books
24private-tmp
25private-dev
26private-etc fonts
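Review bot: The commented hint `# private-bin gjs gnome-books` (line 23) is space-separated, but `private-bin` takes a comma-separated list (see gnome-music.profile's `# private-bin gnome-music,python3`), so enabling it as written will not do what the reader expects; write it as `# private-bin gjs,gnome-books`. `netfilter` (line 19) is inert without a `net` namespace; with `protocol unix` already blocking inet sockets, `net none` would be the meaningful addition for an e-book reader.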
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
new file mode 100644
index 000000000..49e068171
--- /dev/null
+++ b/etc/gnome-calculator.profile
@@ -0,0 +1,19 @@
1#
2#Profile for gnome-calculator
3#
4
5#Blacklist Paths
6include /etc/firejail/disable-common.inc
7include /etc/firejail/disable-programs.inc
8include /etc/firejail/disable-passwdmgr.inc
9include /etc/firejail/disable-devel.inc
10
11include /etc/firejail/whitelist-common.inc
12
13#Options
14caps.drop all
15netfilter
16nonewprivs
17noroot
18protocol unix,inet,inet6
19seccomp
diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile
new file mode 100644
index 000000000..4db485ea7
--- /dev/null
+++ b/etc/gnome-chess.profile
@@ -0,0 +1,22 @@
1# Firejail profile for gnome-chess
2noblacklist ~/.local/share/gnome-chess
3
4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-devel.inc
6include /etc/firejail/disable-programs.inc
7include /etc/firejail/disable-passwdmgr.inc
8
9caps.drop all
10nogroups
11nonewprivs
12noroot
13nosound
14protocol unix
15seccomp
16shell none
17tracelog
18
19private-bin fairymax,gnome-chess,hoichess
20private-dev
21private-etc fonts,gnome-chess
22private-tmp
diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile
new file mode 100644
index 000000000..6cccf9d32
--- /dev/null
+++ b/etc/gnome-clocks.profile
@@ -0,0 +1,21 @@
1# gnome-clocks profile
2include /etc/firejail/disable-common.inc
3include /etc/firejail/disable-programs.inc
4include /etc/firejail/disable-devel.inc
5include /etc/firejail/disable-passwdmgr.inc
6
7caps.drop all
8nogroups
9nonewprivs
10noroot
11nosound
12protocol unix,inet,inet6
13seccomp
14netfilter
15shell none
16tracelog
17
18# private-bin gnome-clocks
19private-tmp
20private-dev
21# private-etc fonts
diff --git a/etc/gnome-contacts.profile b/etc/gnome-contacts.profile
new file mode 100644
index 000000000..9dc25b26c
--- /dev/null
+++ b/etc/gnome-contacts.profile
@@ -0,0 +1,19 @@
1#
2#Profile for gnome-contacts
3#
4
5#Blacklist Paths
6include /etc/firejail/disable-common.inc
7include /etc/firejail/disable-programs.inc
8include /etc/firejail/disable-passwdmgr.inc
9include /etc/firejail/disable-devel.inc
10
11include /etc/firejail/whitelist-common.inc
12
13#Options
14caps.drop all
15netfilter
16nonewprivs
17noroot
18protocol unix,inet,inet6
19seccomp
diff --git a/etc/gnome-documents.profile b/etc/gnome-documents.profile
new file mode 100644
index 000000000..c5def7aff
--- /dev/null
+++ b/etc/gnome-documents.profile
@@ -0,0 +1,24 @@
1# gnome-documents profile
2
3# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
4
5noblacklist ~/.config/libreoffice
6
7include /etc/firejail/disable-common.inc
8include /etc/firejail/disable-programs.inc
9include /etc/firejail/disable-devel.inc
10include /etc/firejail/disable-passwdmgr.inc
11
12caps.drop all
13nogroups
14nonewprivs
15noroot
16nosound
17protocol unix
18seccomp
19netfilter
20shell none
21tracelog
22
23private-tmp
24private-dev
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile
new file mode 100644
index 000000000..f1451506e
--- /dev/null
+++ b/etc/gnome-maps.profile
@@ -0,0 +1,24 @@
1# gnome-maps profile
2
3# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
4
5include /etc/firejail/disable-common.inc
6include /etc/firejail/disable-programs.inc
7include /etc/firejail/disable-devel.inc
8include /etc/firejail/disable-passwdmgr.inc
9
10caps.drop all
11nogroups
12nonewprivs
13noroot
14nosound
15protocol unix,inet,inet6
16seccomp
17netfilter
18shell none
19tracelog
20
21# private-bin gjs gnome-maps
22private-tmp
23private-dev
24# private-etc fonts
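--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -5,6 +5,13 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
+nogroups
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin gnome-mplayer
+private-dev
+private-tmp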
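Review bot: `private-bin gnome-mplayer` on new line 15 restricts the jail's /bin to that one binary, yet gnome-mplayer is a front-end that executes a separate mplayer process; unless that binary is reachable some other way, playback fails inside the sandbox — confirm, and if so extend the line to `private-bin gnome-mplayer,mplayer`. The hunk keeps `protocol unix,inet,inet6` but no `netfilter` line is visible, which every other inet-enabled profile in this commit carries; the file's first four lines are outside the hunk, so it may be there.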
diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile
new file mode 100644
index 000000000..4a8adeb22
--- /dev/null
+++ b/etc/gnome-music.profile
@@ -0,0 +1,22 @@
1# gnome-music profile
2noblacklist ~/.local/share/gnome-music
3
4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-devel.inc
7include /etc/firejail/disable-passwdmgr.inc
8
9caps.drop all
10nogroups
11nonewprivs
12noroot
13protocol unix
14seccomp
15netfilter
16shell none
17tracelog
18
19# private-bin gnome-music,python3
20private-tmp
21private-dev
22# private-etc fonts
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile
new file mode 100644
index 000000000..8f9d60cb5
--- /dev/null
+++ b/etc/gnome-photos.profile
@@ -0,0 +1,26 @@
1# gnome-photos profile
2
3# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
4
5noblacklist ~/.local/share/gnome-photos
6
7include /etc/firejail/disable-common.inc
8include /etc/firejail/disable-programs.inc
9include /etc/firejail/disable-devel.inc
10include /etc/firejail/disable-passwdmgr.inc
11
12caps.drop all
13nogroups
14nonewprivs
15noroot
16nosound
17protocol unix
18seccomp
19netfilter
20shell none
21tracelog
22
23# private-bin gjs gnome-photos
24private-tmp
25private-dev
26# private-etc fonts
diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile
new file mode 100644
index 000000000..9f93b8f15
--- /dev/null
+++ b/etc/gnome-weather.profile
@@ -0,0 +1,26 @@
1# gnome-weather profile
2
3# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
4
5noblacklist ~/.cache/libgweather
6
7include /etc/firejail/disable-common.inc
8include /etc/firejail/disable-programs.inc
9include /etc/firejail/disable-devel.inc
10include /etc/firejail/disable-passwdmgr.inc
11
12caps.drop all
13nogroups
14nonewprivs
15noroot
16nosound
17protocol unix,inet,inet6
18seccomp
19netfilter
20shell none
21tracelog
22
23# private-bin gjs gnome-weather
24private-tmp
25private-dev
26# private-etc fonts
diff --git a/etc/goobox.profile b/etc/goobox.profile
new file mode 100644
index 000000000..8990943fc
--- /dev/null
+++ b/etc/goobox.profile
@@ -0,0 +1,20 @@
1# goobox profile
2include /etc/firejail/disable-common.inc
3include /etc/firejail/disable-programs.inc
4include /etc/firejail/disable-devel.inc
5include /etc/firejail/disable-passwdmgr.inc
6
7caps.drop all
8nogroups
9nonewprivs
10noroot
11protocol unix
12seccomp
13netfilter
14shell none
15tracelog
16
17# private-bin goobox
18# private-tmp
19# private-dev
20# private-etc fonts
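--- a/etc/google-chrome-beta.profile
+++ b/etc/google-chrome-beta.profile
@@ -11,10 +11,8 @@ include /etc/firejail/disable-programs.inc
 netfilter
 
 whitelist ${DOWNLOADS}
-mkdir ~/.config
 mkdir ~/.config/google-chrome-beta
 whitelist ~/.config/google-chrome-beta
-mkdir ~/.cache
 mkdir ~/.cache/google-chrome-beta
 whitelist ~/.cache/google-chrome-beta
 mkdir ~/.pki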
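--- a/etc/google-chrome-unstable.profile
+++ b/etc/google-chrome-unstable.profile
@@ -11,10 +11,8 @@ include /etc/firejail/disable-programs.inc
 netfilter
 
 whitelist ${DOWNLOADS}
-mkdir ~/.config
 mkdir ~/.config/google-chrome-unstable
 whitelist ~/.config/google-chrome-unstable
-mkdir ~/.cache
 mkdir ~/.cache/google-chrome-unstable
 whitelist ~/.cache/google-chrome-unstable
 mkdir ~/.pki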
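--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -11,10 +11,8 @@ include /etc/firejail/disable-programs.inc
 netfilter
 
 whitelist ${DOWNLOADS}
-mkdir ~/.config
 mkdir ~/.config/google-chrome
 whitelist ~/.config/google-chrome
-mkdir ~/.cache
 mkdir ~/.cache/google-chrome
 whitelist ~/.cache/google-chrome
 mkdir ~/.pki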
diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile
new file mode 100644
index 000000000..b4cf8d9ac
--- /dev/null
+++ b/etc/google-play-music-desktop-player.profile
@@ -0,0 +1,18 @@
1# Google Play Music desktop player profile
2noblacklist ~/.config/Google Play Music Desktop Player
3
4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-devel.inc
7include /etc/firejail/disable-passwdmgr.inc
8
9caps.drop all
10nonewprivs
11noroot
12netfilter
13protocol unix,inet,inet6,netlink
14seccomp
15
16#whitelist ~/.pulse
17#whitelist ~/.config/pulse
18whitelist ~/.config/Google Play Music Desktop Player
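Review bot: `whitelist ~/.config/Google Play Music Desktop Player` on new line 18 has no preceding `mkdir` of that path, unlike the whitelist entries in the chrome, hexchat and mumble profiles in this commit; if the directory does not yet exist when the jail starts there is nothing to bind, and the player's settings end up in the temporary home and vanish at exit. The commented `#whitelist ~/.pulse` / `#whitelist ~/.config/pulse` lines on 16–17 do not say whether audio was confirmed to work once home whitelisting is active; a one-line note with the outcome would help. The profile also omits `nogroups`, `shell none`, `tracelog`, `private-dev` and `private-tmp` that its siblings carry.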
diff --git a/etc/gpa.profile b/etc/gpa.profile
new file mode 100644
index 000000000..7d7277190
--- /dev/null
+++ b/etc/gpa.profile
@@ -0,0 +1,23 @@
1# gpa profile
2noblacklist ~/.gnupg
3
4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-devel.inc
7include /etc/firejail/disable-passwdmgr.inc
8
9caps.drop all
10nogroups
11nonewprivs
12noroot
13nosound
14protocol unix,inet,inet6
15seccomp
16netfilter
17shell none
18tracelog
19
20# private-bin gpa,gpg
21private-tmp
22private-dev
23# private-etc none
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile
new file mode 100644
index 000000000..b0ebdf43c
--- /dev/null
+++ b/etc/gpg-agent.profile
@@ -0,0 +1,23 @@
1# gpg-agent profile
2noblacklist ~/.gnupg
3
4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-devel.inc
7include /etc/firejail/disable-passwdmgr.inc
8
9caps.drop all
10nogroups
11nonewprivs
12noroot
13nosound
14protocol unix
15seccomp
16netfilter
17shell none
18tracelog
19
20# private-bin gpg-agent,gpg
21private-tmp
22private-dev
23# private-etc none
diff --git a/etc/gpg.profile b/etc/gpg.profile
new file mode 100644
index 000000000..31372eb90
--- /dev/null
+++ b/etc/gpg.profile
@@ -0,0 +1,24 @@
1# gpg profile
2noblacklist ~/.gnupg
3
4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-devel.inc
7include /etc/firejail/disable-passwdmgr.inc
8
9caps.drop all
10nogroups
11nonewprivs
12noroot
13nosound
14protocol unix
15seccomp
16netfilter
17net none
18shell none
19tracelog
20
21# private-bin gpg,gpg-agent
22private-tmp
23private-dev
24# private-etc none
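Review bot: `netfilter` on new line 16 is redundant next to `net none` on line 17 — with networking disabled there is no interface for the filter to attach to, and the pair reads as though the network were still reachable. Drop the `netfilter` line here and in highlight (lines 14–15), img2txt (14–15), mediainfo (14–15) and mupdf (14–15), which repeat the same pattern. Note also that `net none` disables keyserver operations for this profile, which is a sensible default for gpg but worth a one-line comment so users know it is intentional and what to override.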
diff --git a/etc/gpredict.profile b/etc/gpredict.profile
new file mode 100644
index 000000000..801304c18
--- /dev/null
+++ b/etc/gpredict.profile
@@ -0,0 +1,25 @@
1# Firejail profile for gpredict.
2noblacklist ~/.config/Gpredict
3include /etc/firejail/disable-common.inc
4include /etc/firejail/disable-devel.inc
5include /etc/firejail/disable-passwdmgr.inc
6include /etc/firejail/disable-programs.inc
7
8# Whitelist
9whitelist ~/.config/Gpredict
10
11caps.drop all
12netfilter
13nogroups
14nonewprivs
15noroot
16nosound
17protocol unix,inet,inet6
18seccomp
19shell none
20tracelog
21
22private-bin gpredict
23private-etc fonts,resolv.conf
24private-dev
25private-tmp
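Review bot: `private-etc fonts,resolv.conf` on new line 23 gives the jail a resolver configuration but neither `nsswitch.conf` nor `hosts`, so glibc hostname lookups may fail even though `protocol unix,inet,inet6` is enabled for the program's data downloads; compare the fuller list kept as a comment in icecat (`passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,...`). If those downloads use HTTPS, the CA bundle directory under /etc is needed as well — confirm on the target distribution. `whitelist ~/.config/Gpredict` on line 9 also lacks the preceding `mkdir` that hexchat and mumble use in this commit.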
diff --git a/etc/gtar.profile b/etc/gtar.profile
new file mode 100644
index 000000000..2f675cd9d
--- /dev/null
+++ b/etc/gtar.profile
@@ -0,0 +1,3 @@
1# gtar profile
2quiet
3include /etc/firejail/tar.profile
diff --git a/etc/gthumb.profile b/etc/gthumb.profile
new file mode 100644
index 000000000..055d78935
--- /dev/null
+++ b/etc/gthumb.profile
@@ -0,0 +1,21 @@
1# gthumb profile
2noblacklist ${HOME}/.config/gthumb
3
4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-devel.inc
7include /etc/firejail/disable-passwdmgr.inc
8
9caps.drop all
10nogroups
11nonewprivs
12noroot
13nosound
14protocol unix
15seccomp
16shell none
17tracelog
18
19private-bin gthumb
20private-dev
21private-tmp \ No newline at end of file
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
new file mode 100644
index 000000000..c866c9e63
--- /dev/null
+++ b/etc/gwenview.profile
@@ -0,0 +1,22 @@
1# KDE gwenview profile
2noblacklist ~/.kde/share/apps/gwenview
3noblacklist ~/.kde/share/config/gwenviewrc
4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-devel.inc
7include /etc/firejail/disable-passwdmgr.inc
8
9caps.drop all
10nogroups
11nonewprivs
12noroot
13protocol unix
14seccomp
15nosound
16
17private-dev
18
19#Experimental:
20#shell none
21#private-bin gwenview
22#private-etc X11
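Review bot: the two `noblacklist` lines (new lines 2–3) only cover KDE4-era paths under ~/.kde, whereas kate.profile in this same commit un-blacklists the KDE Frameworks 5 locations (`~/.config/katerc`, `~/.local/share/kate`); on a KF5 gwenview the corresponding `~/.config/gwenviewrc` and `~/.local/share/gwenview` stay blacklisted if disable-programs.inc lists them — confirm against that include. The `#Experimental:` block on lines 19–22 leaves `shell none` and `private-bin gwenview` commented without saying what broke; a short note would spare the next maintainer a retest.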
diff --git a/etc/gzip.profile b/etc/gzip.profile
new file mode 100644
index 000000000..feb27c150
--- /dev/null
+++ b/etc/gzip.profile
@@ -0,0 +1,14 @@
1# gzip profile
2quiet
3ignore noroot
4include /etc/firejail/default.profile
5
6blacklist /tmp/.X11-unix
7
8net none
9no3d
10nosound
11shell none
12tracelog
13
14private-dev
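--- a/etc/hedgewars.profile
+++ b/etc/hedgewars.profile
@@ -7,11 +7,16 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+netfilter
+nogroups
+nonewprivs
 noroot
-private-dev
 seccomp
 tracelog
 
+private-dev
+private-tmp
+
 mkdir ~/.hedgewars
 whitelist ~/.hedgewars
 include /etc/firejail/whitelist-common.inc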
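--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -1,10 +1,28 @@
 # HexChat instant messaging profile
+# Currently in testing (may not work for all users)
 noblacklist ${HOME}/.config/hexchat
+#noblacklist /usr/lib/python2*
+#noblacklist /usr/lib/python3*
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
+netfilter
+nogroups
+nonewprivs
 noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+mkdir ~/.config/hexchat
+whitelist ~/.config/hexchat
+include /etc/firejail/whitelist-common.inc
+
+private-bin hexchat
+#debug note: private-bin requires perl, python, etc on some systems
+private-dev
+private-tmp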
diff --git a/etc/highlight.profile b/etc/highlight.profile
new file mode 100644
index 000000000..f95f3924a
--- /dev/null
+++ b/etc/highlight.profile
@@ -0,0 +1,24 @@
1# highlight profile
2include /etc/firejail/disable-common.inc
3include /etc/firejail/disable-programs.inc
4include /etc/firejail/disable-devel.inc
5include /etc/firejail/disable-passwdmgr.inc
6
7caps.drop all
8nogroups
9nonewprivs
10noroot
11nosound
12protocol unix
13seccomp
14netfilter
15net none
16shell none
17tracelog
18
19private-bin highlight
20private-tmp
21private-dev
22
23
24
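--- a/etc/icecat.profile
+++ b/etc/icecat.profile
@@ -1,2 +1,50 @@
 # Firejail profile for GNU Icecat
-include /etc/firejail/firefox.profile
+noblacklist ~/.mozilla
+noblacklist ~/.cache/mozilla
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.mozilla
+whitelist ~/.mozilla
+mkdir ~/.cache/mozilla/icecat
+whitelist ~/.cache/mozilla/icecat
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.vimperatorrc
+whitelist ~/.vimperator
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.keysnail.js
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+
+#silverlight
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/pipelight-silverlight5.1
+
+include /etc/firejail/whitelist-common.inc
+
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+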
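Review bot: replacing `include /etc/firejail/firefox.profile` with a full copy (new lines 2–50) forfeits the single point of maintenance — any later hardening of firefox.profile (`nogroups` and `shell none`, for instance, appear in most new profiles of this commit but not here) will no longer reach icecat. If the only icecat-specific difference is the cache location, keeping the include and adding just `noblacklist ~/.cache/mozilla`, `mkdir ~/.cache/mozilla/icecat` and `whitelist ~/.cache/mozilla/icecat` on top preserves the sharing. The whitelist also exposes `~/keepassx.kdbx` and the `~/.lastpass`/`~/.keepassx` directories to the browser process; the `# lastpass, keepassx` comment could say that this is deliberate for password-manager integration so it is not read as an oversight.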
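--- a/etc/icedove.profile
+++ b/etc/icedove.profile
@@ -11,9 +11,11 @@ mkdir ~/.icedove
 whitelist ~/.icedove
 
 noblacklist ~/.cache/icedove
-mkdir ~/.cache
 mkdir ~/.cache/icedove
 whitelist ~/.cache/icedove
 
+# allow browsers
+ignore private-tmp
 include /etc/firejail/firefox.profile
+#include /etc/firejail/chromium.profile - chromium runs as suid!
 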
diff --git a/etc/img2txt.profile b/etc/img2txt.profile
new file mode 100644
index 000000000..d55a31cd0
--- /dev/null
+++ b/etc/img2txt.profile
@@ -0,0 +1,24 @@
1# img2txt profile
2include /etc/firejail/disable-common.inc
3include /etc/firejail/disable-programs.inc
4include /etc/firejail/disable-devel.inc
5include /etc/firejail/disable-passwdmgr.inc
6
7caps.drop all
8nogroups
9nonewprivs
10noroot
11nosound
12protocol unix
13seccomp
14netfilter
15net none
16shell none
17tracelog
18
19#private-bin img2txt
20private-tmp
21private-dev
22#private-etc none
23
24
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
new file mode 100644
index 000000000..a0e86b6c9
--- /dev/null
+++ b/etc/inkscape.profile
@@ -0,0 +1,20 @@
1# inkscape
2noblacklist ${HOME}/.inkscape
3include /etc/firejail/disable-common.inc
4include /etc/firejail/disable-programs.inc
5include /etc/firejail/disable-passwdmgr.inc
6
7caps.drop all
8netfilter
9nogroups
10nonewprivs
11noroot
12nosound
13protocol unix
14seccomp
15
16noexec ${HOME}
17noexec /tmp
18
19private-dev
20private-tmp
diff --git a/etc/inox.profile b/etc/inox.profile
new file mode 100644
index 000000000..49d2f2835
--- /dev/null
+++ b/etc/inox.profile
@@ -0,0 +1,24 @@
1# Inox browser profile
2noblacklist ~/.config/inox
3noblacklist ~/.cache/inox
4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
6
7netfilter
8
9whitelist ${DOWNLOADS}
10mkdir ~/.config/inox
11whitelist ~/.config/inox
12mkdir ~/.cache/inox
13whitelist ~/.cache/inox
14mkdir ~/.pki
15whitelist ~/.pki
16
17# lastpass, keepassx
18whitelist ~/.keepassx
19whitelist ~/.config/keepassx
20whitelist ~/keepassx.kdbx
21whitelist ~/.lastpass
22whitelist ~/.config/lastpass
23
24include /etc/firejail/whitelist-common.inc
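Review bot: unlike every other new profile in this commit, inox.profile has no `caps.drop all`, `seccomp`, `nonewprivs` or `noroot` — new lines 7–24 carry only `netfilter` and whitelists — and nothing says why. The icedove hunk in this commit hints at the reason (`chromium runs as suid!`); if the omission is deliberate because Inox relies on the Chromium setuid sandbox helper, a comment near the top such as `# no caps.drop/seccomp/nonewprivs/noroot: the Chromium setuid sandbox needs them` would make that explicit and stop a later contributor from "fixing" it. `disable-devel.inc` and `disable-passwdmgr.inc` are also not included, though with home whitelisting active the latter matters less.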
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
new file mode 100644
index 000000000..1d6eb41f8
--- /dev/null
+++ b/etc/jd-gui.profile
@@ -0,0 +1,19 @@
1#
2#Profile for jd-gui
3#
4
5noblacklist ${HOME}/.config/jd-gui.cfg
6
7#Blacklist Paths
8include /etc/firejail/disable-common.inc
9include /etc/firejail/disable-programs.inc
10include /etc/firejail/disable-passwdmgr.inc
11include /etc/firejail/disable-devel.inc
12
13#Options
14caps.drop all
15netfilter
16nonewprivs
17noroot
18protocol unix,inet,inet6
19seccomp
diff --git a/etc/jitsi.profile b/etc/jitsi.profile
new file mode 100644
index 000000000..046499abe
--- /dev/null
+++ b/etc/jitsi.profile
@@ -0,0 +1,17 @@
1# Firejail profile for jitsi
2noblacklist ~/.jitsi
3include /etc/firejail/disable-common.inc
4include /etc/firejail/disable-devel.inc
5include /etc/firejail/disable-passwdmgr.inc
6include /etc/firejail/disable-programs.inc
7
8caps.drop all
9nogroups
10nonewprivs
11noroot
12protocol unix,inet,inet6
13seccomp
14shell none
15tracelog
16
17private-tmp
diff --git a/etc/k3b.profile b/etc/k3b.profile
new file mode 100644
index 000000000..8a5fff0c6
--- /dev/null
+++ b/etc/k3b.profile
@@ -0,0 +1,21 @@
1# k3b profile
2include /etc/firejail/disable-common.inc
3include /etc/firejail/disable-programs.inc
4include /etc/firejail/disable-devel.inc
5include /etc/firejail/disable-passwdmgr.inc
6
7caps.drop all
8netfilter
9nogroups
10nonewprivs
11noroot
12nosound
13shell none
14seccomp
15protocol unix
16
17# private-bin
18# private-dev
19# private-tmp
20# private-etc
21
diff --git a/etc/kate.profile b/etc/kate.profile
new file mode 100644
index 000000000..4b07ea6cb
--- /dev/null
+++ b/etc/kate.profile
@@ -0,0 +1,28 @@
1# kate profile
2noblacklist ~/.local/share/kate
3noblacklist ~/.config/katerc
4noblacklist ~/.config/katepartrc
5noblacklist ~/.config/kateschemarc
6noblacklist ~/.config/katesyntaxhighlightingrc
7noblacklist ~/.config/katevirc
8
9include /etc/firejail/disable-common.inc
10include /etc/firejail/disable-programs.inc
11#include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-passwdmgr.inc
13
14caps.drop all
15nogroups
16nonewprivs
17noroot
18nosound
19protocol unix
20seccomp
21netfilter
22shell none
23tracelog
24
25# private-bin kate
26private-tmp
27private-dev
28# private-etc fonts
diff --git a/etc/keepass.profile b/etc/keepass.profile
new file mode 100644
index 000000000..18a5f4ebd
--- /dev/null
+++ b/etc/keepass.profile
@@ -0,0 +1,21 @@
1# keepass password manager profile
2noblacklist ${HOME}/.config/keepass
3noblacklist ${HOME}/.keepass
4
5include /etc/firejail/disable-common.inc
6include /etc/firejail/disable-programs.inc
7include /etc/firejail/disable-devel.inc
8include /etc/firejail/disable-passwdmgr.inc
9
10caps.drop all
11nogroups
12nonewprivs
13noroot
14nosound
15protocol unix,inet,inet6
16seccomp
17netfilter
18shell none
19
20private-tmp
21private-dev
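Review bot: a password manager is granted `protocol unix,inet,inet6` with `netfilter` on new lines 15 and 17, so the sandbox permits outbound connections from the process that holds the decrypted database. If the network is only needed for optional features (update checks, browser-integration plugins), `net none` as the default — with a comment telling users how to re-enable it — keeps the exfiltration surface minimal; keepassx.profile in this commit already limits itself to `protocol unix`. `tracelog` is also missing here and in keepassx, while the other new profiles include it.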
diff --git a/etc/keepass2.profile b/etc/keepass2.profile
new file mode 100644
index 000000000..9daa014e3
--- /dev/null
+++ b/etc/keepass2.profile
@@ -0,0 +1,5 @@
1# keepass password manager profile
2#noblacklist ${HOME}/.config/KeePass
3#noblacklist ${HOME}/.keepass
4
5include /etc/firejail/keepass.profile
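Review bot: the `#noblacklist ${HOME}/.config/KeePass` / `#noblacklist ${HOME}/.keepass` lines (new lines 2–3) are commented out with no reason given, and the included keepass.profile only un-blacklists the lowercase `${HOME}/.config/keepass`. If KeePass 2 writes its configuration under the capitalised `~/.config/KeePass` and disable-programs.inc blacklists that path, the application loses its settings inside the jail — either enable the lines or add a comment explaining why they are off.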
diff --git a/etc/keepassx.profile b/etc/keepassx.profile
new file mode 100644
index 000000000..d8621773f
--- /dev/null
+++ b/etc/keepassx.profile
@@ -0,0 +1,22 @@
1# keepassx password manager profile
2noblacklist ${HOME}/.config/keepassx
3noblacklist ${HOME}/.keepassx
4noblacklist ${HOME}/keepassx.kdbx
5
6include /etc/firejail/disable-common.inc
7include /etc/firejail/disable-programs.inc
8include /etc/firejail/disable-devel.inc
9include /etc/firejail/disable-passwdmgr.inc
10
11caps.drop all
12nogroups
13nonewprivs
14noroot
15nosound
16protocol unix
17seccomp
18netfilter
19shell none
20
21private-tmp
22private-dev
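--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -7,8 +7,13 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
+nogroups
+nonewprivs
 noroot
+protocol unix,inet,inet6,netlink
+seccomp
 tracelog
+
+private-dev
+# private-tmp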
diff --git a/etc/konversation.profile b/etc/konversation.profile
new file mode 100644
index 000000000..c00b91c18
--- /dev/null
+++ b/etc/konversation.profile
@@ -0,0 +1,14 @@
1# Firejail konversation profile
2include /etc/firejail/disable-common.inc
3include /etc/firejail/disable-programs.inc
4include /etc/firejail/disable-devel.inc
5include /etc/firejail/disable-passwdmgr.inc
6
7caps.drop all
8netfilter
9nogroups
10noroot
11seccomp
12protocol unix,inet,inet6
13
14private-tmp
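Review bot: `nonewprivs` is missing from the option block (new lines 7–12); apart from inox, every other new profile in this commit sets it, and without it a setuid helper spawned from the IRC client can regain what `caps.drop all` and `noroot` were meant to remove. Add `nonewprivs` after `nogroups`, and consider `shell none` and `tracelog` for parity with the neighbouring profiles.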
diff --git a/etc/less.profile b/etc/less.profile
new file mode 100644
index 000000000..08758aead
--- /dev/null
+++ b/etc/less.profile
@@ -0,0 +1,11 @@
1# less profile
2quiet
3ignore noroot
4include /etc/firejail/default.profile
5
6net none
7nosound
8shell none
9tracelog
10
11private-dev
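Review bot: `ignore noroot` on new line 3 switches off a hardening option inherited from default.profile without a comment saying why; gzip.profile in this commit (its line 3) does the same. A one-line note such as `# ignore noroot: <reason>` would record the trade-off, since a later reader will otherwise assume the override is safe to remove.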
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
new file mode 100644
index 000000000..d6aceb7a8
--- /dev/null
+++ b/etc/libreoffice.profile
@@ -0,0 +1,19 @@
1# Firejail profile for LibreOffice
2noblacklist ~/.config/libreoffice
3noblacklist /usr/local/sbin
4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-devel.inc
7include /etc/firejail/disable-passwdmgr.inc
8
9caps.drop all
10netfilter
11nogroups
12nonewprivs
13noroot
14protocol unix,inet,inet6
15seccomp
16tracelog
17
18private-dev
19# whitelist /tmp/.X11-unix/
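Review bot: `noblacklist /usr/local/sbin` on new line 3 re-exposes a system directory that disable-common.inc presumably blacklists, and nothing explains which LibreOffice installation needs it; a comment such as `# /usr/local/sbin: <why it is needed>` would keep a later cleanup from dropping it, and if only one binary is required, un-blacklisting that path rather than the whole directory would be tighter. The `# whitelist /tmp/.X11-unix/` line 19 is likewise an unexplained leftover.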
diff --git a/etc/localc.profile b/etc/localc.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/localc.profile
@@ -0,0 +1,5 @@
1################################
2# LibreOffice profile
3################################
4include /etc/firejail/libreoffice.profile
5
diff --git a/etc/lodraw.profile b/etc/lodraw.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/lodraw.profile
@@ -0,0 +1,5 @@
1################################
2# LibreOffice profile
3################################
4include /etc/firejail/libreoffice.profile
5
diff --git a/etc/loffice.profile b/etc/loffice.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/loffice.profile
@@ -0,0 +1,5 @@
1################################
2# LibreOffice profile
3################################
4include /etc/firejail/libreoffice.profile
5
diff --git a/etc/lofromtemplate.profile b/etc/lofromtemplate.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/lofromtemplate.profile
@@ -0,0 +1,5 @@
1################################
2# LibreOffice profile
3################################
4include /etc/firejail/libreoffice.profile
5
diff --git a/etc/loimpress.profile b/etc/loimpress.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/loimpress.profile
@@ -0,0 +1,5 @@
1################################
2# LibreOffice profile
3################################
4include /etc/firejail/libreoffice.profile
5
diff --git a/etc/lollypop.profile b/etc/lollypop.profile
new file mode 100644
index 000000000..41a662bca
--- /dev/null
+++ b/etc/lollypop.profile
@@ -0,0 +1,20 @@
1#
2#Profile for lollypop
3#
4
5#No Blacklist Paths
6noblacklist ${HOME}/.local/share/lollypop
7
8#Blacklist Paths
9include /etc/firejail/disable-common.inc
10include /etc/firejail/disable-programs.inc
11include /etc/firejail/disable-passwdmgr.inc
12include /etc/firejail/disable-devel.inc
13
14#Options
15caps.drop all
16netfilter
17nonewprivs
18noroot
19protocol unix,inet,inet6
20seccomp
diff --git a/etc/lomath.profile b/etc/lomath.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/lomath.profile
@@ -0,0 +1,5 @@
1################################
2# LibreOffice profile
3################################
4include /etc/firejail/libreoffice.profile
5
diff --git a/etc/loweb.profile b/etc/loweb.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/loweb.profile
@@ -0,0 +1,5 @@
1################################
2# LibreOffice profile
3################################
4include /etc/firejail/libreoffice.profile
5
diff --git a/etc/lowriter.profile b/etc/lowriter.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/lowriter.profile
@@ -0,0 +1,5 @@
1################################
2# LibreOffice profile
3################################
4include /etc/firejail/libreoffice.profile
5
diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile
new file mode 100644
index 000000000..76e864e0c
--- /dev/null
+++ b/etc/luminance-hdr.profile
@@ -0,0 +1,23 @@
1# luminance-hdr
2noblacklist ${HOME}/.config/Luminance
3include /etc/firejail/disable-common.inc
4include /etc/firejail/disable-programs.inc
5include /etc/firejail/disable-passwdmgr.inc
6
7caps.drop all
8ipc-namespace
9netfilter
10nogroups
11nonewprivs
12noroot
13nosound
14protocol unix
15seccomp
16shell none
17tracelog
18
19noexec ${HOME}
20noexec /tmp
21
22private-tmp
23private-dev
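--- a/etc/lxterminal.profile
+++ b/etc/lxterminal.profile
@@ -1,11 +1,10 @@
 # lxterminal (LXDE) profile
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+protocol unix,inet,inet6
+seccomp
 #noroot - somehow this breaks on Debian Jessie!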
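Review bot: this reorder does not add `nonewprivs`, while the parallel reorders for gnome-mplayer, midori, hedgewars and kmail in the same commit do. For a terminal emulator the omission may be intentional — `nonewprivs` would stop `sudo`/`su` from working in the shell it hosts — but then it deserves the same kind of note the profile already keeps for `noroot` on line 10, e.g. `# nonewprivs - would break sudo/su inside the terminal`.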
diff --git a/etc/lynx.profile b/etc/lynx.profile
new file mode 100644
index 000000000..6e150f62e
--- /dev/null
+++ b/etc/lynx.profile
@@ -0,0 +1,22 @@
1# lynx profile
2include /etc/firejail/disable-common.inc
3include /etc/firejail/disable-programs.inc
4include /etc/firejail/disable-devel.inc
5include /etc/firejail/disable-passwdmgr.inc
6
7caps.drop all
8nogroups
9nonewprivs
10noroot
11nosound
12protocol unix,inet,inet6
13seccomp
14netfilter
15shell none
16tracelog
17
18# private-bin lynx
19private-tmp
20private-dev
21# private-etc none
22
diff --git a/etc/mcabber.profile b/etc/mcabber.profile
new file mode 100644
index 000000000..48b46dba0
--- /dev/null
+++ b/etc/mcabber.profile
@@ -0,0 +1,21 @@
1# mcabber profile
2noblacklist ${HOME}/.mcabber
3noblacklist ${HOME}/.mcabberrc
4
5include /etc/firejail/disable-common.inc
6include /etc/firejail/disable-programs.inc
7include /etc/firejail/disable-devel.inc
8include /etc/firejail/disable-passwdmgr.inc
9
10caps.drop all
11netfilter
12nonewprivs
13noroot
14protocol inet,inet6
15seccomp
16
17private-bin mcabber
18private-etc null
19private-dev
20shell none
21nosound
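Review bot: `private-etc null` on new line 18 leaves the jail with an essentially empty /etc, yet `protocol inet,inet6` on line 14 is enabled for an XMPP client that has to resolve and TLS-connect to its server; without `resolv.conf`, `nsswitch.conf`, `hosts` and the CA bundle directory, name resolution and certificate validation cannot work inside the sandbox. Spell out the required files (`private-etc resolv.conf,nsswitch.conf,hosts,ssl` is a starting point — confirm on the target distribution) or drop the line. `null` is also not the spelling used elsewhere in this commit (mediainfo writes `private-etc none`), so check that the parser accepts it.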
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile
new file mode 100644
index 000000000..c07a9a9e8
--- /dev/null
+++ b/etc/mediainfo.profile
@@ -0,0 +1,26 @@
1# mediainfo profile
2include /etc/firejail/disable-common.inc
3include /etc/firejail/disable-programs.inc
4include /etc/firejail/disable-devel.inc
5include /etc/firejail/disable-passwdmgr.inc
6
7caps.drop all
8nogroups
9nonewprivs
10noroot
11nosound
12protocol unix
13seccomp
14netfilter
15net none
16shell none
17tracelog
18
19private-bin mediainfo
20private-tmp
21private-dev
22private-etc none
23
24
25
26
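--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -5,7 +5,9 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
+# noroot - noroot break midori on Ubuntu 14.04
+protocol unix,inet,inet6
+seccomp
 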
diff --git a/etc/mpv.profile b/etc/mpv.profile
new file mode 100644
index 000000000..80f8de54a
--- /dev/null
+++ b/etc/mpv.profile
@@ -0,0 +1,18 @@
1# mpv media player profile
2noblacklist ${HOME}/.config/mpv
3
4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-devel.inc
7include /etc/firejail/disable-passwdmgr.inc
8
9caps.drop all
10netfilter
11nonewprivs
12noroot
13protocol unix,inet,inet6
14seccomp
15
16# to test
17shell none
18private-bin mpv,youtube-dl,python2.7
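Review bot: `private-bin mpv,youtube-dl,python2.7` on new line 18 pins one interpreter name, but youtube-dl's shebang on many distributions is `python` or `python3`, in which case the script cannot start inside the jail even though it is listed; the `# to test` comment on line 17 should say what exactly is untested. If the youtube-dl path is required, listing the interpreter names actually used (`python`, `python2` or `python3` — confirm on the target systems) is safer than a single versioned name.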
diff --git a/etc/multimc5.profile b/etc/multimc5.profile
new file mode 100644
index 000000000..cc310f294
--- /dev/null
+++ b/etc/multimc5.profile
@@ -0,0 +1,27 @@
1#
2#Profile for multimc5
3#
4
5#No Blacklist Paths
6noblacklist ${HOME}/.local/share/multimc5
7noblacklist ${HOME}/.multimc5
8
9#Blacklist Paths
10include /etc/firejail/disable-common.inc
11include /etc/firejail/disable-programs.inc
12include /etc/firejail/disable-passwdmgr.inc
13include /etc/firejail/disable-devel.inc
14
15#Whitelist Paths
16mkdir ${HOME}/.local/share/multimc5
17whitelist ${HOME}/.local/share/multimc5
18mkdir ${HOME}/.multimc5
19whitelist ${HOME}/.multimc5
20include /etc/firejail/whitelist-common.inc
21
22#Options
23caps.drop all
24netfilter
25nonewprivs
26noroot
27protocol unix,inet,inet6
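Review bot: `seccomp` is absent from the option block (new lines 22–27), making this the only new profile in this commit besides inox without a syscall filter, and `shell none`/`tracelog` are missing too. If seccomp was left out because the Java runtime or the game launcher breaks under the default filter, record that in a comment; otherwise add `seccomp` after `protocol unix,inet,inet6`.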
diff --git a/etc/mumble.profile b/etc/mumble.profile
new file mode 100644
index 000000000..ddd70822d
--- /dev/null
+++ b/etc/mumble.profile
@@ -0,0 +1,26 @@
1# mumble profile
2noblacklist ${HOME}/.config/Mumble
3noblacklist ${HOME}/.local/share/data/Mumble
4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-devel.inc
7include /etc/firejail/disable-passwdmgr.inc
8
9mkdir ${HOME}/.config/Mumble
10mkdir ${HOME}/.local/share/data/Mumble
11whitelist ${HOME}/.config/Mumble
12whitelist ${HOME}/.local/share/data/Mumble
13include /etc/firejail/whitelist-common.inc
14
15caps.drop all
16netfilter
17nonewprivs
18nogroups
19noroot
20protocol unix,inet,inet6
21seccomp
22shell none
23tracelog
24
25private-bin mumble
26private-tmp
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
new file mode 100644
index 000000000..7f9261d8b
--- /dev/null
+++ b/etc/mupdf.profile
@@ -0,0 +1,30 @@
1# mupdf reader profile
2include /etc/firejail/disable-common.inc
3include /etc/firejail/disable-programs.inc
4include /etc/firejail/disable-devel.inc
5include /etc/firejail/disable-passwdmgr.inc
6
7caps.drop all
8nogroups
9nonewprivs
10noroot
11nosound
12protocol unix
13seccomp
14netfilter
15net none
16shell none
17tracelog
18
19private-tmp
20private-dev
21private-etc fonts
22
23# mupdf will never write anything
24read-only ${HOME}
25
26#
27# Experimental:
28#
29#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
30# private-bin mupdf,sh,tempfile,rm
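--- a/etc/mupen64plus.profile
+++ b/etc/mupen64plus.profile
@@ -8,15 +8,13 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
-mkdir ${HOME}/.local
-mkdir ${HOME}/.local/share
 mkdir ${HOME}/.local/share/mupen64plus
 whitelist ${HOME}/.local/share/mupen64plus/
-mkdir ${HOME}/.config
 mkdir ${HOME}/.config/mupen64plus
 whitelist ${HOME}/.config/mupen64plus/
 
-noroot
 caps.drop all
-seccomp
 net none
+nonewprivs
+noroot
+seccomp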
diff --git a/etc/mutt.profile b/etc/mutt.profile
new file mode 100644
index 000000000..2718421c5
--- /dev/null
+++ b/etc/mutt.profile
@@ -0,0 +1,40 @@
1# mutt email client profile
2noblacklist ~/.muttrc
3noblacklist ~/.mutt
4noblacklist ~/.mutt/muttrc
5noblacklist ~/.mailcap
6noblacklist ~/.gnupg
7noblacklist ~/.mail
8noblacklist ~/.Mail
9noblacklist ~/mail
10noblacklist ~/Mail
11noblacklist ~/sent
12noblacklist ~/postponed
13noblacklist ~/.cache/mutt
14noblacklist ~/.w3m
15noblacklist ~/.elinks
16noblacklist ~/.vim
17noblacklist ~/.vimrc
18noblacklist ~/.viminfo
19noblacklist ~/.emacs
20noblacklist ~/.emacs.d
21noblacklist ~/.signature
22noblacklist ~/.bogofilter
23noblacklist ~/.msmtprc
24
25include /etc/firejail/disable-common.inc
26include /etc/firejail/disable-programs.inc
27include /etc/firejail/disable-passwdmgr.inc
28include /etc/firejail/disable-devel.inc
29
30caps.drop all
31netfilter
32nogroups
33nonewprivs
34noroot
35nosound
36protocol unix,inet,inet6
37seccomp
38shell none
39
40private-dev
diff --git a/etc/nautilus.profile b/etc/nautilus.profile
new file mode 100644
index 000000000..264ee0b9d
--- /dev/null
+++ b/etc/nautilus.profile
@@ -0,0 +1,26 @@
1# nautilus profile
2
3# Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there is already a nautilus process running on gnome desktops firejail will have no effect.
4
5noblacklist ~/.config/nautilus
6
7include /etc/firejail/disable-common.inc
8# nautilus needs to be able to start arbitrary applications so we cannot blacklist their files
9#include /etc/firejail/disable-programs.inc
10include /etc/firejail/disable-devel.inc
11include /etc/firejail/disable-passwdmgr.inc
12
13caps.drop all
14nogroups
15nonewprivs
16noroot
17protocol unix
18seccomp
19netfilter
20shell none
21tracelog
22
23# private-bin nautilus
24# private-tmp
25# private-dev
26# private-etc fonts
diff --git a/etc/netsurf.profile b/etc/netsurf.profile
new file mode 100644
index 000000000..2071e5519
--- /dev/null
+++ b/etc/netsurf.profile
@@ -0,0 +1,29 @@
1# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
2noblacklist ~/.config/netsurf
3noblacklist ~/.cache/netsurf
4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-devel.inc
7
8caps.drop all
9netfilter
10nonewprivs
11noroot
12protocol unix,inet,inet6,netlink
13seccomp
14tracelog
15
16whitelist ${DOWNLOADS}
17mkdir ~/.config/netsurf
18whitelist ~/.config/netsurf
19mkdir ~/.cache/netsurf
20whitelist ~/.cache/netsurf
21
22# lastpass, keepassx
23whitelist ~/.keepassx
24whitelist ~/.config/keepassx
25whitelist ~/keepassx.kdbx
26whitelist ~/.lastpass
27whitelist ~/.config/lastpass
28
29include /etc/firejail/whitelist-common.inc
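Review bot: The header comment was carried over from the Firefox profile and does not describe this file; `# Firejail profile for Mozilla Firefox (Iceweasel in Debian)` should read `# Firejail profile for NetSurf`. A wrong header is more than cosmetic here, since profiles are matched to programs by name and a maintainer searching for the Firefox profile will land in the wrong file.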
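--- a/etc/nolocal.net
+++ b/etc/nolocal.net
@@ -4,7 +4,8 @@
 :OUTPUT ACCEPT [0:0]
 
 ###################################################################
-# Client filter rejecting local network traffic, with the exception of DNS traffic
+# Client filter rejecting local network traffic, with the exception of
+# DNS traffic
 #
 # Usage:
 # firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox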
diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile
new file mode 100644
index 000000000..329275022
--- /dev/null
+++ b/etc/odt2txt.profile
@@ -0,0 +1,24 @@
1# odt2txt profile
2include /etc/firejail/disable-common.inc
3include /etc/firejail/disable-programs.inc
4include /etc/firejail/disable-devel.inc
5include /etc/firejail/disable-passwdmgr.inc
6
7caps.drop all
8nogroups
9nonewprivs
10noroot
11nosound
12protocol unix
13seccomp
14netfilter
15net none
16shell none
17tracelog
18
19private-bin odt2txt
20private-tmp
21private-dev
22private-etc none
23
24read-only ${HOME}
diff --git a/etc/okular.profile b/etc/okular.profile
new file mode 100644
index 000000000..22e223cea
--- /dev/null
+++ b/etc/okular.profile
@@ -0,0 +1,25 @@
1# KDE okular profile
2noblacklist ~/.kde/share/apps/okular
3noblacklist ~/.kde/share/config/okularrc
4noblacklist ~/.kde/share/config/okularpartrc
5read-only ~/.kde/share/config/kdeglobals
6include /etc/firejail/disable-common.inc
7include /etc/firejail/disable-programs.inc
8include /etc/firejail/disable-devel.inc
9include /etc/firejail/disable-passwdmgr.inc
10
11caps.drop all
12netfilter
13nonewprivs
14nogroups
15noroot
16nosound
17protocol unix
18seccomp
19shell none
20tracelog
21
22# private-bin okular,kbuildsycoca4,kbuildsycoca5
23# private-etc X11
24private-dev
25private-tmp
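--- a/etc/openbox.profile
+++ b/etc/openbox.profile
@@ -5,8 +5,7 @@
 include /etc/firejail/disable-common.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
 noroot
-
+protocol unix,inet,inet6
+seccomp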
diff --git a/etc/openshot.profile b/etc/openshot.profile
new file mode 100644
index 000000000..f12bd7d11
--- /dev/null
+++ b/etc/openshot.profile
@@ -0,0 +1,13 @@
1# OpenShot profile
2noblacklist ${HOME}/.openshot
3noblacklist ${HOME}/.openshot_qt
4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-passwdmgr.inc
7
8caps.drop all
9netfilter
10nonewprivs
11noroot
12protocol unix,inet,inet6,netlink
13seccomp
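--- a/etc/opera-beta.profile
+++ b/etc/opera-beta.profile
@@ -8,10 +8,8 @@ include /etc/firejail/disable-devel.inc
 netfilter
 
 whitelist ${DOWNLOADS}
-mkdir ~/.config
 mkdir ~/.config/opera-beta
 whitelist ~/.config/opera-beta
-mkdir ~/.cache
 mkdir ~/.cache/opera-beta
 whitelist ~/.cache/opera-beta
 mkdir ~/.pki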
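--- a/etc/opera.profile
+++ b/etc/opera.profile
@@ -9,10 +9,8 @@ include /etc/firejail/disable-devel.inc
 netfilter
 
 whitelist ${DOWNLOADS}
-mkdir ~/.config
 mkdir ~/.config/opera
 whitelist ~/.config/opera
-mkdir ~/.cache
 mkdir ~/.cache/opera
 whitelist ~/.cache/opera
 mkdir ~/.opera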
diff --git a/etc/palemoon.profile b/etc/palemoon.profile
index fc4ea453b..71deec6bc 100644
--- a/etc/palemoon.profile
+++ b/etc/palemoon.profile
@@ -1,31 +1,30 @@
1# Firejail profile for Pale Moon 1# Firejail profile for Pale Moon
2
3# Noblacklists
4noblacklist ~/.moonchild productions/pale moon 2noblacklist ~/.moonchild productions/pale moon
5noblacklist ~/.cache/moonchild productions/pale moon 3noblacklist ~/.cache/moonchild productions/pale moon
6
7# Included profiles
8include /etc/firejail/disable-common.inc 4include /etc/firejail/disable-common.inc
9include /etc/firejail/disable-programs.inc 5include /etc/firejail/disable-programs.inc
10include /etc/firejail/disable-devel.inc 6include /etc/firejail/disable-devel.inc
11include /etc/firejail/whitelist-common.inc 7include /etc/firejail/whitelist-common.inc
12 8
13# Options
14caps.drop all
15seccomp
16protocol unix,inet,inet6,netlink
17netfilter
18tracelog
19noroot
20
21whitelist ${DOWNLOADS} 9whitelist ${DOWNLOADS}
22mkdir ~/.moonchild productions 10mkdir ~/.moonchild productions
23whitelist ~/.moonchild productions 11whitelist ~/.moonchild productions
24mkdir ~/.cache
25mkdir ~/.cache/moonchild productions
26mkdir ~/.cache/moonchild productions/pale moon 12mkdir ~/.cache/moonchild productions/pale moon
27whitelist ~/.cache/moonchild productions/pale moon 13whitelist ~/.cache/moonchild productions/pale moon
28 14
15caps.drop all
16netfilter
17nogroups
18nonewprivs
19noroot
20protocol unix,inet,inet6,netlink
21seccomp
22shell none
23tracelog
24
25private-bin palemoon
26private-tmp
27
29# These are uncommented in the Firefox profile. If you run into trouble you may 28# These are uncommented in the Firefox profile. If you run into trouble you may
30# want to uncomment (some of) them. 29# want to uncomment (some of) them.
31#whitelist ~/dwhelper 30#whitelist ~/dwhelper
@@ -40,9 +39,9 @@ whitelist ~/.cache/moonchild productions/pale moon
40#whitelist ~/.pki 39#whitelist ~/.pki
41 40
42# For silverlight 41# For silverlight
43#whitelist ~/.wine-pipelight 42#whitelist ~/.wine-pipelight
44#whitelist ~/.wine-pipelight64 43#whitelist ~/.wine-pipelight64
45#whitelist ~/.config/pipelight-widevine 44#whitelist ~/.config/pipelight-widevine
46#whitelist ~/.config/pipelight-silverlight5.1 45#whitelist ~/.config/pipelight-silverlight5.1
47 46
48 47
@@ -55,3 +54,4 @@ whitelist ~/.config/lastpass
55 54
56# experimental features 55# experimental features
57#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse 56#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
57#private-dev (disabled for now as it will interfere with webcam use in palemoon)
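--- a/etc/parole.profile
+++ b/etc/parole.profile
@@ -8,8 +8,9 @@ private-etc passwd,group,fonts
 private-bin parole,dbus-launch
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
 shell none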
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
new file mode 100644
index 000000000..6e50f37cf
--- /dev/null
+++ b/etc/pdfsam.profile
@@ -0,0 +1,17 @@
1#
2#Profile for pdfsam
3#
4
5#Blacklist Paths
6include /etc/firejail/disable-common.inc
7include /etc/firejail/disable-programs.inc
8include /etc/firejail/disable-passwdmgr.inc
9include /etc/firejail/disable-devel.inc
10
11#Options
12caps.drop all
13netfilter
14nonewprivs
15noroot
16protocol unix,inet,inet6
17seccomp
diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile
new file mode 100644
index 000000000..632c9d15e
--- /dev/null
+++ b/etc/pdftotext.profile
@@ -0,0 +1,22 @@
1# pdftotext profile
2include /etc/firejail/disable-common.inc
3include /etc/firejail/disable-programs.inc
4include /etc/firejail/disable-devel.inc
5include /etc/firejail/disable-passwdmgr.inc
6
7caps.drop all
8nogroups
9nonewprivs
10noroot
11nosound
12protocol unix
13seccomp
14netfilter
15net none
16shell none
17tracelog
18
19private-bin pdftotext
20private-tmp
21private-dev
22private-etc none
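--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -2,10 +2,20 @@
 noblacklist ${HOME}/.purple
 
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
+netfilter
+nogroups
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin pidgin
+private-dev
+private-tmp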
diff --git a/etc/pithos.profile b/etc/pithos.profile
new file mode 100644
index 000000000..8270b8bee
--- /dev/null
+++ b/etc/pithos.profile
@@ -0,0 +1,19 @@
1#
2#Profile for pithos
3#
4
5#Blacklist Paths
6include /etc/firejail/disable-common.inc
7include /etc/firejail/disable-programs.inc
8include /etc/firejail/disable-passwdmgr.inc
9include /etc/firejail/disable-devel.inc
10
11include /etc/firejail/whitelist-common.inc
12
13#Options
14caps.drop all
15netfilter
16nonewprivs
17noroot
18protocol unix,inet,inet6
19seccomp
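Review bot: `include /etc/firejail/whitelist-common.inc` presumably carries `whitelist` directives and so switches ${HOME} into whitelist mode, yet no profile-specific `whitelist`/`mkdir` line accompanies it, so whatever pithos itself stores under ${HOME} (a config or cache directory) is unreachable unless that shared include happens to cover it; pdfsam.profile in the same change has no such include and stays in blacklist mode. If pithos keeps state under home, add `mkdir ${HOME}/<pithos-config-dir>` and `whitelist ${HOME}/<pithos-config-dir>` (path to be confirmed) before the include; if it keeps none, a one-line comment saying so would make the bare include look intentional rather than incomplete.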
diff --git a/etc/pix.profile b/etc/pix.profile
new file mode 100644
index 000000000..dc8192b01
--- /dev/null
+++ b/etc/pix.profile
@@ -0,0 +1,22 @@
1# Firejail profile for pix
2noblacklist ${HOME}/.config/pix
3noblacklist ${HOME}/.local/share/pix
4
5include /etc/firejail/disable-common.inc
6include /etc/firejail/disable-programs.inc
7include /etc/firejail/disable-devel.inc
8include /etc/firejail/disable-passwdmgr.inc
9
10caps.drop all
11nogroups
12nonewprivs
13noroot
14nosound
15protocol unix
16seccomp
17shell none
18tracelog
19
20private-bin pix
21private-dev
22private-tmp \ No newline at end of file
diff --git a/etc/pluma.profile b/etc/pluma.profile
new file mode 100644
index 000000000..895cc2369
--- /dev/null
+++ b/etc/pluma.profile
@@ -0,0 +1,21 @@
1# Firejail profile for Xed
2noblacklist ${HOME}/.config/pluma
3
4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-devel.inc
7include /etc/firejail/disable-passwdmgr.inc
8
9caps.drop all
10net none
11nogroups
12nonewprivs
13noroot
14nosound
15seccomp
16shell none
17tracelog
18
19private-bin pluma
20private-dev
21private-tmp
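Review bot: The header `# Firejail profile for Xed` names a different editor; this is pluma.profile, so it should read `# Firejail profile for pluma`. Everything else in the file refers to pluma (`noblacklist ${HOME}/.config/pluma`, `private-bin pluma`), so the header is the only stale line from whatever profile it was copied from.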
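--- a/etc/polari.profile
+++ b/etc/polari.profile
@@ -3,18 +3,14 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 
-mkdir ${HOME}/.local
-mkdir ${HOME}/.local/share/
 mkdir ${HOME}/.local/share/Empathy
 whitelist ${HOME}/.local/share/Empathy
 mkdir ${HOME}/.local/share/telepathy
 whitelist ${HOME}/.local/share/telepathy
 mkdir ${HOME}/.local/share/TpLogger
 whitelist ${HOME}/.local/share/TpLogger
-mkdir ${HOME}/.config
 mkdir ${HOME}/.config/telepathy-account-widgets
 whitelist ${HOME}/.config/telepathy-account-widgets
-mkdir ${HOME}/.cache
 mkdir ${HOME}/.cache/telepathy
 whitelist ${HOME}/.cache/telepathy
 mkdir ${HOME}/.purple
@@ -22,8 +18,8 @@ whitelist ${HOME}/.purple
 include /etc/firejail/whitelist-common.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
-noroot
 netfilter
-
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp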
diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile
new file mode 100644
index 000000000..e4e69b9f6
--- /dev/null
+++ b/etc/psi-plus.profile
@@ -0,0 +1,22 @@
1# Firejail profile for Psi+
2noblacklist ${HOME}/.config/psi+
3noblacklist ${HOME}/.local/share/psi+
4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-passwdmgr.inc
7
8whitelist ${DOWNLOADS}
9mkdir ~/.config/psi+
10whitelist ~/.config/psi+
11mkdir ~/.local/share/psi+
12whitelist ~/.local/share/psi+
13mkdir ~/.cache/psi+
14whitelist ~/.cache/psi+
15
16caps.drop all
17netfilter
18noroot
19protocol unix,inet,inet6
20seccomp
21
22include /etc/firejail/whitelist-common.inc
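Review bot: `nonewprivs` is missing from the hardening block (`caps.drop all` … `seccomp`) even though this same change adds it to most existing profiles (pidgin, polari, quassel, ssh, steam and others); the new skypeforlinux.profile omits it too. Without it a setuid or file-capability binary reached from inside the sandbox can still gain privileges, which `caps.drop all` alone does not prevent. Adding `nonewprivs` after `netfilter` in both profiles brings them in line with the rest of the commit; skypeforlinux.profile also lacks `nogroups` and `shell none`, which the other new profiles here set.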
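--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -5,8 +5,15 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
 nosound
+protocol unix,inet,inet6
+seccomp
+
+# there are some problems with "Open destination folder", see bug #536
+#shell none
+#private-bin qbittorrent
+private-dev
+private-tmp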
diff --git a/etc/qemu-launcher.profile b/etc/qemu-launcher.profile
new file mode 100644
index 000000000..f9c8e6345
--- /dev/null
+++ b/etc/qemu-launcher.profile
@@ -0,0 +1,19 @@
1# qemu-launcher profile
2noblacklist ~/.qemu-launcher
3
4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-passwdmgr.inc
7
8caps.drop all
9netfilter
10nogroups
11nonewprivs
12noroot
13protocol unix,inet,inet6
14seccomp
15shell none
16tracelog
17
18private-tmp
19
diff --git a/etc/qemu-system-x86_64.profile b/etc/qemu-system-x86_64.profile
new file mode 100644
index 000000000..65e1e44ea
--- /dev/null
+++ b/etc/qemu-system-x86_64.profile
@@ -0,0 +1,17 @@
1# qemu profile
2include /etc/firejail/disable-common.inc
3include /etc/firejail/disable-programs.inc
4include /etc/firejail/disable-passwdmgr.inc
5
6caps.drop all
7netfilter
8nogroups
9nonewprivs
10noroot
11protocol unix,inet,inet6
12seccomp
13shell none
14tracelog
15
16private-tmp
17
diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile
new file mode 100644
index 000000000..06c0db206
--- /dev/null
+++ b/etc/qpdfview.profile
@@ -0,0 +1,22 @@
1# qpdfview profile
2noblacklist ${HOME}/.config/qpdfview
3noblacklist ${HOME}/.local/share/qpdfview
4
5include /etc/firejail/disable-common.inc
6include /etc/firejail/disable-programs.inc
7include /etc/firejail/disable-devel.inc
8include /etc/firejail/disable-passwdmgr.inc
9
10caps.drop all
11nogroups
12nonewprivs
13noroot
14nosound
15protocol unix
16seccomp
17shell none
18tracelog
19
20private-bin qpdfview
21private-dev
22private-tmp
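--- a/etc/qtox.profile
+++ b/etc/qtox.profile
@@ -3,13 +3,21 @@ noblacklist ${HOME}/.config/tox
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
 
 mkdir ${HOME}/.config/tox
 whitelist ${HOME}/.config/tox
 whitelist ${DOWNLOADS}
-include /etc/firejail/whitelist-common.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
+netfilter
+nogroups
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin qtox
+private-tmp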
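Review bot: The removed `include /etc/firejail/whitelist-common.inc` leaves this profile in whitelist mode (`whitelist ${HOME}/.config/tox` and `whitelist ${DOWNLOADS}` remain) without the shared include that every other whitelisting profile in this change keeps (mumble, netsurf, palemoon, psi-plus, slack, qutebrowser); spotify.profile drops it the same way. If that include is what exposes shared per-user resources under ${HOME} such as the X authority file or font and theme configuration, the application loses them silently once the rest of home is hidden — I cannot confirm the include's contents from here. If the removal is deliberate, a one-line comment such as `# whitelist-common.inc intentionally not included: <reason>` would stop the next reader from re-adding it.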
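--- a/etc/quassel.profile
+++ b/etc/quassel.profile
@@ -4,7 +4,8 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
+nonewprivs
 noroot
 netfilter
+protocol unix,inet,inet6
+seccomp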
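--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -1,5 +1,4 @@
 # Firejail profile for Qutebrowser (Qt5-Webkit+Python) browser
-
 noblacklist ~/.config/qutebrowser
 noblacklist ~/.cache/qutebrowser
 include /etc/firejail/disable-common.inc
@@ -7,16 +6,18 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
-tracelog
+nonewprivs
 noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
 
 whitelist ${DOWNLOADS}
 mkdir ~/.config/qutebrowser
 whitelist ~/.config/qutebrowser
-mkdir ~/.cache
 mkdir ~/.cache/qutebrowser
 whitelist ~/.cache/qutebrowser
+mkdir ~/.local/share/qutebrowser
+whitelist ~/.local/share/qutebrowser
 include /etc/firejail/whitelist-common.inc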
diff --git a/etc/ranger.profile b/etc/ranger.profile
new file mode 100644
index 000000000..3538f3eb2
--- /dev/null
+++ b/etc/ranger.profile
@@ -0,0 +1,24 @@
1# ranger file manager profile
2noblacklist /usr/bin/perl
3#noblacklist /usr/bin/cpan*
4noblacklist /usr/share/perl*
5noblacklist /usr/lib/perl*
6noblacklist ~/.config/ranger
7
8include /etc/firejail/disable-common.inc
9include /etc/firejail/disable-programs.inc
10include /etc/firejail/disable-devel.inc
11include /etc/firejail/disable-passwdmgr.inc
12
13caps.drop all
14netfilter
15net none
16nogroups
17nonewprivs
18noroot
19protocol unix
20seccomp
21nosound
22
23private-tmp
24private-dev
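Review bot: The three `noblacklist` lines re-expose the Perl interpreter and its library trees (`/usr/bin/perl`, `/usr/share/perl*`, `/usr/lib/perl*`) that the included `disable-devel.inc` would otherwise hide, and nothing says which part of ranger needs them; re-enabling an interpreter inside a sandbox is exactly the kind of exception a reviewer wants justified, e.g. `# perl is re-enabled because <what in ranger needs it>`. The commented `#noblacklist /usr/bin/cpan*` is dead configuration and can go. `netfilter` next to `net none` is redundant here as in mupdf.profile.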
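--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -5,7 +5,15 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
-noroot
 netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin rhythmbox
+private-dev
+private-tmp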
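--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@@ -5,8 +5,14 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
 nosound
+protocol unix,inet,inet6
+seccomp
+
+shell none
+private-bin rtorrent
+private-dev
+private-tmp
\ No newline at end of file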
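--- a/etc/seamonkey.profile
+++ b/etc/seamonkey.profile
@@ -6,18 +6,16 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
-tracelog
+nonewprivs
 noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
 
 whitelist ${DOWNLOADS}
-mkdir ~/.mozilla
 mkdir ~/.mozilla/seamonkey
 whitelist ~/.mozilla/seamonkey
-mkdir ~/.cache
-mkdir ~/.cache/mozilla
 mkdir ~/.cache/mozilla/seamonkey
 whitelist ~/.cache/mozilla/seamonkey
 whitelist ~/dwhelper
@@ -41,11 +39,10 @@ whitelist ~/.lastpass
 whitelist ~/.config/lastpass
 
 #silverlight
 whitelist ~/.wine-pipelight
 whitelist ~/.wine-pipelight64
 whitelist ~/.config/pipelight-widevine
 whitelist ~/.config/pipelight-silverlight5.1
 
 # experimental features
 #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
-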
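--- a/etc/server.profile
+++ b/etc/server.profile
@@ -6,8 +6,12 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
+blacklist /tmp/.X11-unix
+
+no3d
+nosound
+seccomp
+
 private
 private-dev
 private-tmp
-seccomp
-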
diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile
new file mode 100644
index 000000000..03089482b
--- /dev/null
+++ b/etc/simple-scan.profile
@@ -0,0 +1,23 @@
1# simple-scan profile
2noblacklist ~/.cache/simple-scan
3
4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-devel.inc
7include /etc/firejail/disable-passwdmgr.inc
8
9caps.drop all
10nogroups
11nonewprivs
12noroot
13nosound
14protocol unix,inet,inet6
15#seccomp
16netfilter
17shell none
18tracelog
19
20# private-bin simple-scan
21# private-tmp
22# private-dev
23# private-etc fonts
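Review bot: `#seccomp` disables the syscall filter with no explanation, and skanlite.profile in this same change does the same; every other new profile here enables it, so a reader cannot tell whether this records a known breakage with the scanner backend or is an oversight. A comment on the line, e.g. `#seccomp  # disabled: <reason / what breaks>`, would preserve the decision. The four commented `# private-bin`/`# private-tmp`/`# private-dev`/`# private-etc fonts` lines are dead configuration in the same sense, and skanlite's `# private-etc` has no argument at all.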
diff --git a/etc/skanlite.profile b/etc/skanlite.profile
new file mode 100644
index 000000000..4dcfa64d9
--- /dev/null
+++ b/etc/skanlite.profile
@@ -0,0 +1,21 @@
1# skanlite profile
2include /etc/firejail/disable-common.inc
3include /etc/firejail/disable-programs.inc
4include /etc/firejail/disable-devel.inc
5include /etc/firejail/disable-passwdmgr.inc
6
7caps.drop all
8netfilter
9nogroups
10nonewprivs
11noroot
12nosound
13shell none
14#seccomp
15protocol unix,inet,inet6
16
17private-bin skanlite
18# private-dev
19# private-tmp
20# private-etc
21
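--- a/etc/skype.profile
+++ b/etc/skype.profile
@@ -6,6 +6,7 @@ include /etc/firejail/disable-devel.inc
 
 caps.drop all
 netfilter
+nonewprivs
 noroot
-seccomp
 protocol unix,inet,inet6
+seccomp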
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile
new file mode 100644
index 000000000..3f0a274f9
--- /dev/null
+++ b/etc/skypeforlinux.profile
@@ -0,0 +1,11 @@
1# skypeforlinux profile
2noblacklist ${HOME}/.config/skypeforlinux
3include /etc/firejail/disable-common.inc
4include /etc/firejail/disable-programs.inc
5include /etc/firejail/disable-passwdmgr.inc
6
7caps.drop all
8netfilter
9noroot
10seccomp
11protocol unix,inet,inet6,netlink
diff --git a/etc/slack.profile b/etc/slack.profile
new file mode 100644
index 000000000..a85a28f03
--- /dev/null
+++ b/etc/slack.profile
@@ -0,0 +1,31 @@
1# Firejail profile for Slack
2noblacklist ${HOME}/.config/Slack
3noblacklist ${HOME}/Downloads
4
5include /etc/firejail/disable-common.inc
6include /etc/firejail/disable-programs.inc
7include /etc/firejail/disable-devel.inc
8include /etc/firejail/disable-passwdmgr.inc
9
10blacklist /var
11
12caps.drop all
13name slack
14netfilter
15nogroups
16nonewprivs
17noroot
18protocol unix,inet,inet6,netlink
19seccomp
20shell none
21
22private-bin slack
23private-dev
24private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime
25private-tmp
26
27mkdir ${HOME}/.config
28mkdir ${HOME}/.config/Slack
29whitelist ${HOME}/.config/Slack
30whitelist ${HOME}/Downloads
31include /etc/firejail/whitelist-common.inc
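Review bot: The download directory is hard-coded as `${HOME}/Downloads` in both `noblacklist ${HOME}/Downloads` and `whitelist ${HOME}/Downloads`, while every other profile in this change uses the `${DOWNLOADS}` macro (netsurf, psi-plus, snap, qtox); on a system whose XDG download directory is localized or relocated the whitelist exposes the wrong directory and hides the real one. Changing both lines to `${DOWNLOADS}` keeps the behaviour consistent. Separately, `mkdir ${HOME}/.config` creates the parent directory explicitly, which this same commit removes from mupen64plus, opera, polari, seamonkey and spotify, so it is presumably no longer needed here either.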
diff --git a/etc/snap.profile b/etc/snap.profile
new file mode 100644
index 000000000..e2ada3a99
--- /dev/null
+++ b/etc/snap.profile
@@ -0,0 +1,12 @@
1################################
2# Generic Ubuntu snap application profile
3################################
4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-passwdmgr.inc
7
8whitelist ~/snap
9whitelist ${DOWNLOADS}
10include /etc/firejail/whitelist-common.inc
11
12
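Review bot: This generic profile sets none of the process-level restrictions that every other profile in this change applies — no `caps.drop all`, `seccomp`, `noroot`, `nonewprivs` or `protocol` — so a snap launched through it gets only the filesystem blacklist/whitelist and none of the capability or syscall reductions. If that is deliberate because snap's own launcher needs them absent, a comment above the includes (`# no caps/seccomp restrictions: <reason>`) should say so; otherwise at least `caps.drop all`, `nonewprivs` and `noroot` belong here. The two trailing blank lines are also stray.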
diff --git a/etc/soffice.profile b/etc/soffice.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/soffice.profile
@@ -0,0 +1,5 @@
1################################
2# LibreOffice profile
3################################
4include /etc/firejail/libreoffice.profile
5
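--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -7,24 +7,37 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
-# Whitelist the folders needed by Spotify - This is more restrictive
-# than a blacklist though, but this is all spotify requires for
-# streaming audio
-mkdir ${HOME}/.config
+# Whitelist the folders needed by Spotify
 mkdir ${HOME}/.config/spotify
 whitelist ${HOME}/.config/spotify
-mkdir ${HOME}/.local
-mkdir ${HOME}/.local/share
 mkdir ${HOME}/.local/share/spotify
 whitelist ${HOME}/.local/share/spotify
-mkdir ${HOME}/.cache
 mkdir ${HOME}/.cache/spotify
 whitelist ${HOME}/.cache/spotify
-include /etc/firejail/whitelist-common.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
+nogroups
+nonewprivs
 noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin spotify
+private-etc fonts,machine-id,pulse,resolv.conf
+private-dev
+private-tmp
 
+blacklist ${HOME}/.Xauthority
+blacklist ${HOME}/.bashrc
+blacklist /boot
+blacklist /lost+found
+blacklist /media
+blacklist /mnt
+blacklist /opt
+blacklist /root
+blacklist /sbin
+blacklist /srv
+blacklist /sys
+blacklist /var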
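Review bot: The twelve new `blacklist` lines at the end (`/boot`, `/sbin`, `/sys`, `/var`, `${HOME}/.Xauthority`, …) carry no comment, and several look like paths the `disable-common.inc` included above would already cover; I cannot confirm that include's contents from here. If they are meant as explicit extra hardening for a closed-source client, a header such as `# extra hardening on top of disable-common.inc` makes that clear; if they duplicate the include they are noise maintained in two places. `blacklist ${HOME}/.Xauthority` in particular deserves a note, because this hunk also drops `whitelist-common.inc` and a GUI client normally needs the X authority file — confirm Spotify still starts under X11 with this profile.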
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile
new file mode 100644
index 000000000..548ede37d
--- /dev/null
+++ b/etc/ssh-agent.profile
@@ -0,0 +1,16 @@
1# ssh-agent
2quiet
3noblacklist ~/.ssh
4noblacklist /tmp/ssh-*
5noblacklist /etc/ssh
6
7include /etc/firejail/disable-common.inc
8include /etc/firejail/disable-programs.inc
9include /etc/firejail/disable-passwdmgr.inc
10
11caps.drop all
12netfilter
13nonewprivs
14noroot
15protocol unix,inet,inet6
16seccomp
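--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -1,12 +1,16 @@
 # ssh client
+quiet
 noblacklist ~/.ssh
+noblacklist /tmp/ssh-*
+noblacklist /etc/ssh
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp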
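--- /dev/null
+++ b/etc/start-tor-browser.profile
@@ -0,0 +1,20 @@
+# Firejail profile for the Tor Brower Bundle
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin bash,grep,sed,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf
+private-etc fonts
+private-dev
+private-tmp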
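Review bot: `private-bin` on line 17 lists `sed` twice (`bash,grep,sed,tail,…,ln,sed,cp,…`); the duplicate is harmless but reads like a copy error, so drop the second occurrence. The header comment on line 1 also misspells the product name; `# Firejail profile for the Tor Browser Bundle` is what was meant.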
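--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -8,6 +8,7 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+nonewprivs
 noroot
+protocol unix,inet,inet6,netlink
 seccomp
-protocol unix,inet,inet6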
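Review bot: The new `protocol unix,inet,inet6,netlink` line widens the seccomp socket-family filter compared with the removed `protocol unix,inet,inet6`, and nothing in the hunk records why netlink is now needed; the vlc.profile section later in this commit makes the same widening. A one-line comment above it naming the concrete need (`# netlink: required for <reason>`) would keep the broadened allowance from being trimmed again by a later clean-up.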
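--- /dev/null
+++ b/etc/stellarium.profile
@@ -0,0 +1,28 @@
+# Firejail profile for Stellarium.
+noblacklist ~/.stellarium
+noblacklist ~/.config/stellarium
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Whitelist
+mkdir ~/.stellarium
+whitelist ~/.stellarium
+mkdir ~/.config/stellarium
+whitelist ~/.config/stellarium
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin stellarium
+private-dev
+private-tmp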
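Review bot: Lines 10–13 whitelist ~/.stellarium and ~/.config/stellarium but the profile never includes /etc/firejail/whitelist-common.inc, whereas xonotic.profile, uget-gtk.profile and vivaldi.profile in this same commit follow their whitelist lines with that include. Since a home whitelist hides everything else under $HOME, the fontconfig, gtk and dconf paths that whitelist-common.inc re-exposes presumably become invisible here; if that is intended, a comment saying so would help, otherwise add `include /etc/firejail/whitelist-common.inc` after line 13. The same pattern appears in the new warzone2100.profile, xiphos.profile and zoom.profile.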
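--- /dev/null
+++ b/etc/strings.profile
@@ -0,0 +1,11 @@
+# strings profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+
+net none
+nosound
+shell none
+tracelog
+
+private-dev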
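Review bot: `ignore noroot` on line 3 cancels the noroot restriction inherited from default.profile, which makes it the one directive in this profile that weakens rather than tightens the sandbox, and no comment explains why. The same line appears in the new tar.profile, unrar.profile, unzip.profile, uudeview.profile and xzdec.profile, so the reason should be recorded once, presumably something like `# ignore noroot: these tools are routinely invoked as root, where noroot cannot be applied` — confirm the actual motivation and state it.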
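--- /dev/null
+++ b/etc/synfigstudio.profile
@@ -0,0 +1,19 @@
+# synfigstudio
+noblacklist ${HOME}/.config/synfig
+noblacklist ${HOME}/.synfig
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix
+seccomp
+
+noexec ${HOME}
+noexec /tmp
+
+private-dev
+private-tmp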
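--- /dev/null
+++ b/etc/tar.profile
@@ -0,0 +1,18 @@
+# tar profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+
+blacklist /tmp/.X11-unix
+
+hostname tar
+net none
+no3d
+nosound
+shell none
+tracelog
+
+# support compressed archives
+private-bin sh,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop
+private-dev
+private-etc passwd,group,localtime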
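--- a/etc/telegram.profile
+++ b/etc/telegram.profile
@@ -5,11 +5,8 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
-noroot
 netfilter
-
-whitelist ~/Downloads/Telegram Desktop
-mkdir ${HOME}/.TelegramDesktop
-whitelist ~/.TelegramDesktop
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp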
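Review bot: The hunk drops `whitelist ~/Downloads/Telegram Desktop`, `mkdir ${HOME}/.TelegramDesktop` and `whitelist ~/.TelegramDesktop` without a replacement, so the sandboxed client now sees the whole home directory minus the disable-*.inc blacklists instead of two whitelisted folders. If the whitelist moved to another profile, a comment such as `# whitelist is kept in <other profile>` or an include would make that visible; otherwise this is a loss of containment that the commit message does not mention. The rest of telegram.profile before line 5 is outside the hunk.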
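--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -11,9 +11,11 @@ mkdir ~/.thunderbird
 whitelist ~/.thunderbird
 
 noblacklist ~/.cache/thunderbird
-mkdir ~/.cache
 mkdir ~/.cache/thunderbird
 whitelist ~/.cache/thunderbird
 
+# allow browsers
+ignore private-tmp
 include /etc/firejail/firefox.profile
+#include /etc/firejail/chromium.profile - chromium runs as suid!
 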
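Review bot: `ignore private-tmp` on new line 18 overrides a restriction presumably set by the included firefox.profile, and the only hint at why is the terse `# allow browsers` above it. Spell out the mechanism so a later tidy-up does not remove the override, e.g. `# firefox.profile enables private-tmp; keep the shared /tmp so links can be handed to an already-running browser` — confirm that this is the actual reason. The commented-out chromium include on line 20 already carries its justification; the same standard should apply to the ignore line.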
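--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -1,11 +1,15 @@
 # Totem media player profile
+noblacklist ~/.config/totem
+noblacklist ~/.local/share/totem
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
+nonewprivs
 noroot
 netfilter
+protocol unix,inet,inet6
+seccomp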
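--- /dev/null
+++ b/etc/tracker.profile
@@ -0,0 +1,24 @@
+# tracker profile
+
+# Tracker is started by systemd on most systems. Therefore it is not firejailed by default
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin tracker
+# private-tmp
+# private-dev
+# private-etc fonts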
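--- /dev/null
+++ b/etc/transmission-cli.profile
@@ -0,0 +1,23 @@
+# transmission-cli bittorrent profile
+noblacklist ${HOME}/.config/transmission
+noblacklist ${HOME}/.cache/transmission
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+#private-bin transmission-cli
+private-tmp
+private-dev
+private-etc none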
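Review bot: `private-etc none` on line 23 sits in a profile that keeps `protocol unix,inet,inet6` and netfilter, i.e. a network client; if `none` yields an empty /etc, then /etc/resolv.conf is gone and name resolution inside the sandbox fails. Other profiles on this page that need the network list the file explicitly (`private-etc fonts,resolv.conf,sword` in xiphos.profile), so either write `private-etc resolv.conf` here or add a comment stating what `none` is meant to achieve. The new w3m.profile has the same combination.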
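--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -1,4 +1,4 @@
-# transmission-gtk profile
+# transmission-gtk bittorrent profile
 noblacklist ${HOME}/.config/transmission
 noblacklist ${HOME}/.cache/transmission
 
@@ -8,9 +8,15 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
-tracelog
 nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin transmission-gtk
+private-dev
+private-tmp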
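--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -1,4 +1,4 @@
-# transmission-qt profile
+# transmission-qt bittorrent profile
 noblacklist ${HOME}/.config/transmission
 noblacklist ${HOME}/.cache/transmission
 
@@ -8,9 +8,15 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
-tracelog
 nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin transmission-qt
+private-dev
+private-tmp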
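--- /dev/null
+++ b/etc/transmission-show.profile
@@ -0,0 +1,24 @@
+# transmission-show profile
+noblacklist ${HOME}/.config/transmission
+noblacklist ${HOME}/.cache/transmission
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+net none
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin
+private-tmp
+private-dev
+private-etc none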
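Review bot: `netfilter` on line 11 is paired with `net none` on line 12; with no network namespace there is nothing for the filter to apply to, so one of the two is a leftover (the new zathura.profile has the same pair). Keep `net none`, which is the stronger setting for an offline torrent-file inspector, and drop `netfilter` so the profile states a single intent.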
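--- a/etc/uget-gtk.profile
+++ b/etc/uget-gtk.profile
@@ -6,13 +6,19 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin uget-gtk
+private-dev
+private-tmp
 
 whitelist ${DOWNLOADS}
-mkdir ~/.config
 mkdir ~/.config/uGet
 whitelist ~/.config/uGet
 include /etc/firejail/whitelist-common.inc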
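--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -8,5 +8,6 @@ include /etc/firejail/disable-passwdmgr.inc
 
 private
 private-dev
+nosound
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
 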
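--- /dev/null
+++ b/etc/unrar.profile
@@ -0,0 +1,18 @@
+# unrar profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+
+blacklist /tmp/.X11-unix
+
+hostname unrar
+net none
+no3d
+nosound
+shell none
+tracelog
+
+private-bin unrar
+private-dev
+private-etc passwd,group,localtime
+private-tmp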
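--- /dev/null
+++ b/etc/unzip.profile
@@ -0,0 +1,16 @@
+# unzip profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+blacklist /tmp/.X11-unix
+
+hostname unzip
+net none
+no3d
+nosound
+shell none
+tracelog
+
+private-bin unzip
+private-dev
+private-etc passwd,group,localtime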
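--- /dev/null
+++ b/etc/uudeview.profile
@@ -0,0 +1,15 @@
+# uudeview profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+
+blacklist /etc
+
+hostname uudeview
+net none
+nosound
+shell none
+tracelog
+
+private-bin uudeview
+private-dev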
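--- /dev/null
+++ b/etc/vim.profile
@@ -0,0 +1,16 @@
+# vim profile
+noblacklist ~/.vim
+noblacklist ~/.vimrc
+noblacklist ~/.viminfo
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp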
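--- /dev/null
+++ b/etc/virtualbox.profile
@@ -0,0 +1,12 @@
+# VirtualBox profile
+noblacklist ${HOME}/.VirtualBox
+noblacklist ${HOME}/VirtualBox VMs
+noblacklist ${HOME}/.config/VirtualBox
+noblacklist /usr/bin/virtualbox
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+
+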
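Review bot: The new profile stops at `caps.drop all` on line 10 — no `nonewprivs`, `noroot`, `seccomp` or `protocol` line, unlike every other profile in this commit — and then ends with two empty lines. If those restrictions are left out deliberately (the `noblacklist /usr/bin/virtualbox` on line 5 suggests the binary is normally blocked, possibly because VirtualBox relies on setuid helpers), say so in a comment such as `# no nonewprivs/noroot/seccomp: VirtualBox needs its setuid helpers` after confirming that is the reason, so the gap is not mistaken for an unfinished profile. Remove the trailing blank lines either way.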
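--- a/etc/vivaldi.profile
+++ b/etc/vivaldi.profile
@@ -8,10 +8,8 @@ include /etc/firejail/disable-devel.inc
 netfilter
 
 whitelist ${DOWNLOADS}
-mkdir ~/.config
 mkdir ~/.config/vivaldi
 whitelist ~/.config/vivaldi
-mkdir ~/.cache
 mkdir ~/.cache/vivaldi
 whitelist ~/.cache/vivaldi
 include /etc/firejail/whitelist-common.inc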
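--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -7,7 +7,14 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
-noroot
 netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
+private-dev
+private-tmp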
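--- /dev/null
+++ b/etc/w3m.profile
@@ -0,0 +1,23 @@
+# w3m profile
+noblacklist ~/.w3m
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin w3m
+private-tmp
+private-dev
+private-etc none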
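--- /dev/null
+++ b/etc/warzone2100.profile
@@ -0,0 +1,26 @@
+# Firejail profile for warzone2100
+# Currently supports warzone2100-3.1
+noblacklist ~/.warzone2100-3.1
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Whitelist
+mkdir ~/.warzone2100-3.1
+whitelist ~/.warzone2100-3.1
+
+# Call these options
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin warzone2100
+private-dev
+private-tmp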
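--- a/etc/weechat.profile
+++ b/etc/weechat.profile
@@ -4,8 +4,12 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
-netfilter
+protocol unix,inet,inet6
+seccomp
+
+# no private-bin support for various reasons:
+# Plugins loaded: alias, aspell, charset, exec, fifo, guile, irc,
+# logger, lua, perl, python, relay, ruby, script, tcl, trigger, xferloading plugins
\ No newline at end of file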
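Review bot: The comment on new line 15 ends in `xferloading plugins` and the file has no trailing newline, which looks like the tail of weechat's startup output pasted in by accident; the plugin list should stop at `xfer` and the file should end with a newline. The enumeration itself only exists to justify omitting private-bin, so stating that directly would be clearer than listing every plugin, e.g. `# no private-bin: the perl, python, ruby, lua, tcl and guile plugins need their interpreters`.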
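--- a/etc/wesnoth.profile
+++ b/etc/wesnoth.profile
@@ -9,20 +9,16 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
 
 private-dev
+private-tmp
 
-whitelist /tmp/.X11-unix
-
-mkdir ${HOME}/.local
-mkdir ${HOME}/.local/share
 mkdir ${HOME}/.local/share/wesnoth
-mkdir ${HOME}/.config
 mkdir ${HOME}/.config/wesnoth
-mkdir ${HOME}/.cache
 mkdir ${HOME}/.cache/wesnoth
 whitelist ${HOME}/.local/share/wesnoth
 whitelist ${HOME}/.config/wesnoth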
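--- /dev/null
+++ b/etc/wget.profile
@@ -0,0 +1,22 @@
+# wget profile
+quiet
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nogroups
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+
+
+# private-bin wget
+# private-etc resolv.conf
+private-dev
+private-tmp
+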
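--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -1,5 +1,6 @@
 # common whitelist for all profiles
 
+whitelist ~/.XCompose
 whitelist ~/.config/mimeapps.list
 whitelist ~/.icons
 whitelist ~/.config/user-dirs.dirs
@@ -13,16 +14,25 @@ whitelist ~/.fonts.d
 whitelist ~/.fontconfig
 whitelist ~/.fonts.conf
 whitelist ~/.fonts.conf.d
+whitelist ~/.local/share/fonts
 whitelist ~/.config/fontconfig
 whitelist ~/.cache/fontconfig
 
 # gtk
 whitelist ~/.gtkrc
 whitelist ~/.gtkrc-2.0
+whitelist ~/.config/gtk-2.0
 whitelist ~/.config/gtk-3.0
 whitelist ~/.themes
+whitelist ~/.kde/share/config/gtkrc
+whitelist ~/.kde/share/config/gtkrc-2.0
 
 # dconf
-mkdir ~/.config
 mkdir ~/.config/dconf
 whitelist ~/.config/dconf
+
+# qt/kde
+whitelist ~/.config/kdeglobals
+whitelist ~/.kde/share/config/oxygenrc
+whitelist ~/.kde/share/config/kdeglobals
+whitelist ~/.kde/share/icons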
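Review bot: The second hunk removes `mkdir ~/.config` ahead of `mkdir ~/.config/dconf` (new line 31), and the same parent-directory mkdirs disappear from the vivaldi, uget-gtk, wesnoth and thunderbird sections, so this file appears to rely on the profile `mkdir` directive now creating missing parents. That is an implicit dependency on the firejail version reading the file; a comment at the top of the dconf block, `# mkdir creates parent directories as needed`, would tell a reader on an older install why the dconf directory is not created. The file's lines 7–12 sit between the two hunks and are not shown.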
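--- a/etc/wine.profile
+++ b/etc/wine.profile
@@ -9,5 +9,6 @@ include /etc/firejail/disable-devel.inc
 
 caps.drop all
 netfilter
+nonewprivs
 noroot
 seccomp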
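--- /dev/null
+++ b/etc/wire.profile
@@ -0,0 +1,23 @@
+# wire messenger profile
+noblacklist ~/.config/Wire
+noblacklist ~/.config/wire
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-tmp
+private-dev
+
+# Note: the current beta version of wire is located in /opt/Wire/wire and therefore not in PATH.
+# To use wire with firejail run "firejail /opt/Wire/wire"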
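--- /dev/null
+++ b/etc/wireshark.profile
@@ -0,0 +1,22 @@
+# Firejail profile for
+noblacklist ${HOME}/.config/wireshark
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin wireshark
+private-dev
+private-tmp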
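Review bot: The header comment on line 1, `# Firejail profile for`, is unfinished and should name the program: `# Firejail profile for Wireshark`. While fixing it, it is worth stating the profile's reach: with `caps.drop all` and `nonewprivs` the capture helper cannot acquire CAP_NET_RAW/CAP_NET_ADMIN inside the sandbox, so the profile presumably supports opening saved capture files rather than live capture — confirm and record that in the comment so users do not report the limitation as a bug.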
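--- a/etc/xchat.profile
+++ b/etc/xchat.profile
@@ -6,6 +6,9 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
+
+# private-bin requires perl, python, etc.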
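--- /dev/null
+++ b/etc/xed.profile
@@ -0,0 +1,21 @@
+# Firejail profile for Xed
+noblacklist ${HOME}/.config/xed
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+net none
+nogroups
+nonewprivs
+noroot
+nosound
+seccomp
+shell none
+tracelog
+
+private-bin xed
+private-dev
+private-tmp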
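--- /dev/null
+++ b/etc/xfburn.profile
@@ -0,0 +1,23 @@
+# xfburn profile
+noblacklist ~/.config/xfburn
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin xfburn
+# private-tmp
+# private-dev
+# private-etc fonts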
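--- /dev/null
+++ b/etc/xiphos.profile
@@ -0,0 +1,30 @@
+# Firejail profile for xiphos
+noblacklist ~/.sword
+noblacklist ~/.xiphos
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+blacklist ~/.bashrc
+blacklist ~/.Xauthority
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin xiphos
+private-etc fonts,resolv.conf,sword
+private-dev
+private-tmp
+
+whitelist ${HOME}/.sword
+whitelist ${HOME}/.xiphos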
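--- /dev/null
+++ b/etc/xonotic-glx.profile
@@ -0,0 +1,5 @@
+#
+#Profile for xonotic:xonotic-glx
+#
+
+include /etc/firejail/xonotic.profile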
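--- /dev/null
+++ b/etc/xonotic-sdl.profile
@@ -0,0 +1,5 @@
+#
+#Profile for xonotic:xonotic-sdl
+#
+
+include /etc/firejail/xonotic.profile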
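--- /dev/null
+++ b/etc/xonotic.profile
@@ -0,0 +1,25 @@
+#
+#Profile for xonotic
+#
+
+#No Blacklist Paths
+noblacklist ${HOME}/.xonotic
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+#Whitelist Paths
+mkdir ${HOME}/.xonotic
+whitelist ${HOME}/.xonotic
+include /etc/firejail/whitelist-common.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp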
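--- a/etc/generic.profile
+++ b/etc/xpdf.profile
@@ -1,15 +1,18 @@
 ################################
-# Generic GUI application profile
+# xpdf application profile
 ################################
+noblacklist ${HOME}/.xpdfrc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
-#blacklist ${HOME}/.wine
-
 caps.drop all
-seccomp
-protocol unix,inet,inet6
-netfilter
+net none
+nonewprivs
 noroot
+protocol unix
+shell none
+seccomp
 
+private-dev
+private-tmp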
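Review bot: Git records this section as a rename of etc/generic.profile to etc/xpdf.profile, so after this commit generic.profile no longer exists; any profile or documentation that still includes or names it would break, and neither the hunk nor the commit message notes the removal. If dropping generic.profile is intended, say so explicitly (a one-line mention in the message, or a plain delete plus add) rather than leaving it as an artefact of similarity detection. Within the new content, `shell none` on line 14 is placed between `protocol unix` and `seccomp`, while the other profiles in this commit list `seccomp` before `shell none` — a minor ordering nit.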
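--- /dev/null
+++ b/etc/xplayer.profile
@@ -0,0 +1,22 @@
+# Xplayer profile
+noblacklist ~/.config/xplayer
+noblacklist ~/.local/share/xplayer
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
+private-dev
+private-tmp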
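--- /dev/null
+++ b/etc/xpra.profile
@@ -0,0 +1,21 @@
+# xpra profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+seccomp
+protocol unix,inet,inet6
+
+# private-bin
+private-dev
+private-tmp
+# private-etc
+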
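--- /dev/null
+++ b/etc/xreader.profile
@@ -0,0 +1,23 @@
+# Xreader profile
+noblacklist ~/.config/xreader
+noblacklist ~/.cache/xreader
+noblacklist ~/.local/share
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin xreader, xreader-previewer, xreader-thumbnailer
+private-dev
+private-tmp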
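Review bot: `private-bin xreader, xreader-previewer, xreader-thumbnailer` on line 21 has spaces after the commas, whereas every other private-bin line in this commit (for example xplayer.profile's `private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer`) is comma-separated without spaces; if the parser splits on commas only, the second and third names carry a leading space and will not be found. Write it as `private-bin xreader,xreader-previewer,xreader-thumbnailer`. Separately, `noblacklist ~/.local/share` on line 4 re-exposes the whole of ~/.local/share rather than one application directory — compare xplayer.profile's `noblacklist ~/.local/share/xplayer` — so narrow it to the path xreader actually needs or explain why the broad form is required.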
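--- /dev/null
+++ b/etc/xviewer.profile
@@ -0,0 +1,21 @@
+# xviewer profile
+noblacklist ~/.config/xviewer
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-dev
+private-bin xviewer
+private-tmp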
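--- /dev/null
+++ b/etc/xz.profile
@@ -0,0 +1,3 @@
+# xz profile
+quiet
+include /etc/firejail/cpio.profile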
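--- /dev/null
+++ b/etc/xzdec.profile
@@ -0,0 +1,14 @@
+# xzdec profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+
+blacklist /tmp/.X11-unix
+
+net none
+no3d
+nosound
+shell none
+tracelog
+
+private-dev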
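--- /dev/null
+++ b/etc/zathura.profile
@@ -0,0 +1,26 @@
+# zathura document viewer profile
+noblacklist ~/.config/zathura
+noblacklist ~/.local/share/zathura
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+net none
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+seccomp
+protocol unix
+
+private-bin zathura
+private-dev
+private-etc fonts
+private-tmp
+
+read-only ~/
+read-write ~/.local/share/zathura/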
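--- /dev/null
+++ b/etc/zoom.profile
@@ -0,0 +1,22 @@
+# Firejail profile for zoom.us
+noblacklist ~/.config/zoomus.conf
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+
+# Whitelists
+
+mkdir ~/.zoom
+whitelist ~/.zoom
+
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+private-tmp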
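Review bot: The include block on lines 4–6 omits /etc/firejail/disable-passwdmgr.inc, which every other new application profile in this commit pulls in alongside disable-common, disable-programs and disable-devel; a conferencing client has no reason to read password-manager stores, so add `include /etc/firejail/disable-passwdmgr.inc` after line 6 unless there is a documented reason not to. The profile also has doubled blank lines at lines 7–8, 10 and 13–14 that the sibling profiles avoid.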