author | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2020-12-17 08:45:35 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-12-17 08:45:35 +0000 |
commit | f4f6767458208a127084e4c0103fab88761d9056 (patch) | |
tree | ff349c113ca4f3fc70cd9839a1775bb49092cab3 /etc | |
parent | Archiver fixes - drop private-bin (#3832) (diff) | |
Refactor electron.profile and electron based programs (#3807)
* Refactor electron.profile and electron based programs (1)
* Refactor electron.profile and electron based programs (2)
* Refactor electron.profile and electron based programs (3)
* Refactor electron.profile and electron based programs (4)
* Refactor electron.profile and electron based programs (5)
* Refactor electron.profile and electron based programs (6)
* Refactor electron.profile and electron based programs (7)
* Refactor electron.profile and electron based programs (8)
Diffstat (limited to 'etc')
23 files changed, 199 insertions, 351 deletions
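--- a/etc/profile-a-l/atom.profile
+++ b/etc/profile-a-l/atom.profile
@@ -6,31 +6,27 @@ include atom.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore include disable-devel.inc
+ignore include disable-interpreters.inc
+ignore include disable-xdg.inc
+ignore whitelist ${DOWNLOADS}
+ignore include whitelist-common.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore apparmor
+ignore disable-mnt
+
 noblacklist ${HOME}/.atom
 noblacklist ${HOME}/.config/Atom
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
 
-include disable-common.inc
-include disable-exec.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-caps.keep sys_admin,sys_chroot
 # net none
 netfilter
-nodvd
-nogroups
 nosound
-notv
-nou2f
-novideo
-shell none
-
-private-cache
-private-dev
-private-tmp
 
-dbus-user none
-dbus-system none
+# Redirect
+include electron.profile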
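--- a/etc/profile-a-l/beaker.profile
+++ b/etc/profile-a-l/beaker.profile
@@ -3,17 +3,26 @@
 # Persistent local customizations
 include beaker.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
 
-noblacklist ${HOME}/.config/Beaker Browser
+# Disabled until someone reported positive feedback
+ignore include disable-exec.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore nou2f
+ignore novideo
+ignore shell none
+ignore disable-mnt
+ignore private-cache
+ignore private-dev
+ignore private-tmp
 
-include disable-devel.inc
-include disable-interpreters.inc
+noblacklist ${HOME}/.config/Beaker Browser
 
 mkdir ${HOME}/.config/Beaker Browser
 whitelist ${HOME}/.config/Beaker Browser
-include whitelist-common.inc
 
 # Redirect
 include electron.profile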
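--- a/etc/profile-a-l/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -6,33 +6,24 @@ include discord-common.local
 # added by caller profile
 #include globals.local
 
-ignore noexec ${HOME}
+# Disabled until someone reported positive feedback
+ignore include disable-interpreters.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore apparmor
+ignore disable-mnt
+ignore private-cache
+ignore dbus-user none
+ignore dbus-system none
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
+ignore noexec ${HOME}
 
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/BetterDiscord
 whitelist ${HOME}/.local/share/betterdiscordctl
-include whitelist-common.inc
-include whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-nou2f
-novideo
-protocol unix,inet,inet6,netlink
-seccomp !chroot
 
 private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
-private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl
-private-tmp
+
+# Redirect
+include electron.profile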
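--- a/etc/profile-a-l/electron.profile
+++ b/etc/profile-a-l/electron.profile
@@ -3,25 +3,39 @@
 # This file is overwritten after every install/update
 # Persistent local customizations
 include electron.local
-# Persistent global definitions
-include globals.local
 
 include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+# Uncomment the next line (or add it to your chromium-common.local)
+# if your kernel allows unprivileged userns clone.
+#include chromium-common-hardened.inc
 
 apparmor
-caps.drop all
+caps.keep sys_admin,sys_chroot
 netfilter
 nodvd
 nogroups
-nonewprivs
-noroot
 notv
-protocol unix,inet,inet6,netlink
-seccomp
+nou2f
+novideo
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
 
 dbus-user none
 dbus-system none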
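Review bot: The shared base profile now grants `caps.keep sys_admin,sys_chroot` and no longer sets `nonewprivs`, `noroot`, `protocol unix,inet,inet6,netlink` or `seccomp`, so every profile that redirects here loses those restrictions unless it sets them itself. In this commit that covers profiles that previously ran with `caps.drop all` and `seccomp !chroot`, either directly or through the old electron.profile (discord-common, freetube, github-desktop, jitsi-meet-desktop, riot-desktop, teams, twitch), and whalebird, which also drops its own `protocol unix,inet,inet6`. If `chromium-common-hardened.inc` restores those options (its contents are not shown on this page), the profiles known to work with them could opt back in with `include chromium-common-hardened.inc`, as the new comment describes. That comment also points at `chromium-common.local`, which this profile does not include; it should read `# Uncomment the next line (or add it to your electron.local)`.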
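--- a/etc/profile-a-l/freetube.profile
+++ b/etc/profile-a-l/freetube.profile
@@ -8,24 +8,13 @@ include globals.local
 
 noblacklist ${HOME}/.config/FreeTube
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
 include disable-shell.inc
-include disable-xdg.inc
 
 mkdir ${HOME}/.config/FreeTube
 whitelist ${HOME}/.config/FreeTube
 
-seccomp !chroot
-shell none
-
-disable-mnt
 private-bin freetube
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
-private-tmp
 
 # Redirect
 include electron.profile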
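--- a/etc/profile-a-l/github-desktop.profile
+++ b/etc/profile-a-l/github-desktop.profile
@@ -6,43 +6,35 @@ include github-desktop.local
 # Persistent global definitions
 include globals.local
 
+# Note: On debian-based distributions the binary might be located in
+# /opt/GitHub Desktop/github-desktop, and therefore not be in PATH.
+# If that's the case you can start GitHub Desktop with firejail via
+# `firejail "/opt/GitHub Desktop/github-desktop"`.
+
+# Disabled until someone reported positive feedback
+ignore include disable-xdg.inc
+ignore whitelist ${DOWNLOADS}
+ignore include whitelist-common.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore apparmor
+ignore dbus-user none
+ignore dbus-system none
+
 noblacklist ${HOME}/.config/GitHub Desktop
 noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 
-include disable-common.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-
-caps.drop all
-netfilter
 # no3d
-nodvd
-nogroups
-nonewprivs
-noroot
 nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6,netlink
-seccomp !chroot
 
-# Note: On debian-based distributions the binary might be located in
-# /opt/GitHub Desktop/github-desktop, and therefore not be in PATH.
-# If that's the case you can start GitHub Desktop with firejail via
-# `firejail "/opt/GitHub Desktop/github-desktop"`.
-
-disable-mnt
 # private-bin github-desktop
-private-cache
 ?HAS_APPIMAGE: ignore private-dev
-private-dev
 # private-lib
-private-tmp
 
 # memory-deny-write-execute
+
+# Redirect
+include electron.profile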
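--- a/etc/profile-a-l/jitsi-meet-desktop.profile
+++ b/etc/profile-a-l/jitsi-meet-desktop.profile
@@ -6,34 +6,22 @@ include jitsi-meet-desktop.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore nou2f
+ignore novideo
+ignore shell none
+
 ignore noexec /tmp
 
 noblacklist ${HOME}/.config/Jitsi Meet
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-xdg.inc
-
 nowhitelist ${DOWNLOADS}
 
 mkdir ${HOME}/.config/Jitsi Meet
-
 whitelist ${HOME}/.config/Jitsi Meet
 
-include whitelist-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-runuser-common.inc
-include whitelist-var-common.inc
-
-seccomp !chroot
-
-disable-mnt
 private-bin bash,jitsi-meet-desktop
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
-private-tmp
 
 # Redirect
 include electron.profile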
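--- a/etc/profile-m-z/nuclear.profile
+++ b/etc/profile-m-z/nuclear.profile
@@ -10,31 +10,16 @@ ignore dbus-user
 
 noblacklist ${HOME}/.config/nuclear
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
 include disable-shell.inc
-include disable-xdg.inc
 
 mkdir ${HOME}/.config/nuclear
 whitelist ${HOME}/.config/nuclear
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
 
 no3d
-nou2f
-novideo
-shell none
 
-disable-mnt
 # private-bin nuclear
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt nuclear
-private-tmp
 
 # Redirect
 include electron.profile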
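--- a/etc/profile-m-z/riot-desktop.profile
+++ b/etc/profile-m-z/riot-desktop.profile
@@ -7,7 +7,5 @@ include riot-desktop.local
 # added by included profile
 #include globals.local
 
-seccomp !chroot
-
 # Redirect
 include riot-web.profile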
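--- a/etc/profile-m-z/riot-web.profile
+++ b/etc/profile-m-z/riot-web.profile
@@ -4,14 +4,16 @@
 # Persistent local customizations
 include riot-web.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
+
+ignore noexec /tmp
 
 noblacklist ${HOME}/.config/Riot
 
 mkdir ${HOME}/.config/Riot
 whitelist ${HOME}/.config/Riot
-include whitelist-common.inc
+whitelist /usr/share/chromium
+whitelist /usr/share/webapps/element
 
 # Redirect
 include electron.profile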
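Review bot: The added `ignore noexec /tmp` carries no comment saying why riot-web needs executable files in /tmp, whereas skypeforlinux marks the same line with `# breaks Skype` and the other new overrides in this commit sit under a `# Disabled until someone reported positive feedback` header. The line cancels a `noexec /tmp` that presumably comes from `disable-exec.inc`, which electron.profile now includes, so it loosens the sandbox for a directory that any process inside it can write to. A one-line reason above it, for example `# noexec /tmp breaks riot-web (see #<issue-id>)`, would let a later reviewer judge whether the override is still needed.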
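--- a/etc/profile-m-z/rocketchat.profile
+++ b/etc/profile-m-z/rocketchat.profile
@@ -3,14 +3,28 @@
 # Persistent local customizations
 include rocketchat.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
+
+# Disabled until someone reported positive feedback
+ignore include disable-devel.inc
+ignore include disable-exec.inc
+ignore include disable-interpreters.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore nou2f
+ignore novideo
+ignore shell none
+ignore disable-mnt
+ignore private-cache
+ignore private-dev
+ignore private-tmp
 
 noblacklist ${HOME}/.config/Rocket.Chat
 
 mkdir ${HOME}/.config/Rocket.Chat
 whitelist ${HOME}/.config/Rocket.Chat
-include whitelist-common.inc
 
 # Redirect
 include electron.profile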
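--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -5,6 +5,13 @@ include signal-desktop.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore include-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore private-cache
+ignore novideo
+
 ignore noexec /tmp
 
 noblacklist ${HOME}/.config/Signal
@@ -14,32 +21,12 @@ noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.mozilla/firefox/profiles.ini
 
-include disable-common.inc
-include disable-devel.inc
 include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-passwdmgr.inc
 
 mkdir ${HOME}/.config/Signal
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/Signal
-include whitelist-common.inc
-include whitelist-var-common.inc
-
-apparmor
-caps.keep sys_admin,sys_chroot
-netfilter
-nodvd
-nogroups
-notv
-nou2f
-shell none
-
-disable-mnt
-private-dev
+
 private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
-private-tmp
 
-dbus-user none
-dbus-system none
+# Redirect
+include electron.profile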
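Review bot: `ignore include-xdg.inc` in the new ignore block of the first hunk looks like a typo for `ignore include disable-xdg.inc`, the form every other profile in this commit uses. As written the string matches no line shown in electron.profile, so `include disable-xdg.inc` still applies to Signal although the block's header says it should stay disabled until tested. The result is stricter than intended rather than weaker, but it may hide the XDG user directories from Signal; the line should read `ignore include disable-xdg.inc`. The unchanged `include disable-exec.inc` in the second hunk is now redundant, since electron.profile includes it as well.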
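--- a/etc/profile-m-z/skypeforlinux.profile
+++ b/etc/profile-m-z/skypeforlinux.profile
@@ -5,27 +5,24 @@ include skypeforlinux.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore whitelist ${DOWNLOADS}
+ignore include whitelist-common.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore nou2f
+ignore novideo
+ignore private-dev
+ignore dbus-user none
+ignore dbus-system none
+
 # breaks Skype
 ignore noexec /tmp
 
 noblacklist ${HOME}/.config/skypeforlinux
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
-
-caps.keep sys_admin,sys_chroot
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-disable-mnt
-private-cache
 # private-dev - needs /dev/disk
-private-tmp
+
+# Redirect
+include electron.profile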
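--- a/etc/profile-m-z/slack.profile
+++ b/etc/profile-m-z/slack.profile
@@ -5,31 +5,26 @@ include slack.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore include disable-exec.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore apparmor
+ignore novideo
+ignore private-tmp
+ignore dbus-user none
+ignore dbus-system none
+
 noblacklist ${HOME}/.config/Slack
 
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
 include disable-shell.inc
 
 mkdir ${HOME}/.config/Slack
 whitelist ${HOME}/.config/Slack
-whitelist ${DOWNLOADS}
-include whitelist-common.inc
-include whitelist-var-common.inc
-
-caps.keep sys_admin,sys_chroot
-netfilter
-nodvd
-nogroups
-notv
-nou2f
-shell none
 
-disable-mnt
 private-bin locale,slack
-private-cache
-private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
+
+# Redirect
+include electron.profile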
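--- a/etc/profile-m-z/teams-for-linux.profile
+++ b/etc/profile-m-z/teams-for-linux.profile
@@ -4,33 +4,23 @@
 # Persistent local customizations
 include teams-for-linux.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
+
+# Disabled until someone reported positive feedback
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
 
 ignore dbus-user none
 ignore dbus-system none
 
 noblacklist ${HOME}/.config/teams-for-linux
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-
 mkdir ${HOME}/.config/teams-for-linux
 whitelist ${HOME}/.config/teams-for-linux
-include whitelist-common.inc
-include whitelist-var-common.inc
-
-nou2f
-novideo
-shell none
 
-disable-mnt
 private-bin bash,cut,echo,egrep,grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh
-private-cache
-private-dev
 private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,resolv.conf,ssl
-private-tmp
 
 # Redirect
 include electron.profile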
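--- a/etc/profile-m-z/teams.profile
+++ b/etc/profile-m-z/teams.profile
@@ -4,8 +4,14 @@
 # Persistent local customizations
 include teams.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
+
+# Disabled until someone reported positive feedback
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore novideo
+ignore private-tmp
 
 # see #3404
 ignore apparmor
@@ -15,24 +21,10 @@ ignore dbus-system none
 noblacklist ${HOME}/.config/teams
 noblacklist ${HOME}/.config/Microsoft
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-
 mkdir ${HOME}/.config/teams
 mkdir ${HOME}/.config/Microsoft
 whitelist ${HOME}/.config/teams
 whitelist ${HOME}/.config/Microsoft
-include whitelist-common.inc
-include whitelist-var-common.inc
-
-nou2f
-seccomp !chroot
-shell none
-
-disable-mnt
-private-cache
-private-dev
 
 # Redirect
 include electron.profile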
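--- a/etc/profile-m-z/twitch.profile
+++ b/etc/profile-m-z/twitch.profile
@@ -6,31 +6,20 @@ include twitch.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore nou2f
+ignore novideo
+
 noblacklist ${HOME}/.config/Twitch
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
 include disable-shell.inc
-include disable-xdg.inc
 
 mkdir ${HOME}/.config/Twitch
 whitelist ${HOME}/.config/Twitch
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-seccomp !chroot
-shell none
 
-disable-mnt
 private-bin twitch
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt Twitch
-private-tmp
 
 # Redirect
 include electron.profile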
diff --git a/etc/profile-m-z/whalebird.profile b/etc/profile-m-z/whalebird.profile index 187c49ed8..22a84274d 100644 --- a/etc/profile-m-z/whalebird.profile +++ b/etc/profile-m-z/whalebird.profile | |||
@@ -4,36 +4,24 @@ | |||
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include whalebird.local | 5 | include whalebird.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | # added by included profile | 7 | include globals.local |
8 | #include globals.local | 8 | |
9 | # Disabled until someone reported positive feedback | ||
10 | ignore include whitelist-runuser-common.inc | ||
11 | ignore include whitelist-usr-share-common.inc | ||
9 | 12 | ||
10 | ignore dbus-user none | 13 | ignore dbus-user none |
11 | ignore dbus-system none | 14 | ignore dbus-system none |
12 | 15 | ||
13 | noblacklist ${HOME}/.config/Whalebird | 16 | noblacklist ${HOME}/.config/Whalebird |
14 | 17 | ||
15 | include disable-devel.inc | ||
16 | include disable-exec.inc | ||
17 | include disable-interpreters.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | mkdir ${HOME}/.config/Whalebird | 18 | mkdir ${HOME}/.config/Whalebird |
21 | whitelist ${HOME}/.config/Whalebird | 19 | whitelist ${HOME}/.config/Whalebird |
22 | include whitelist-common.inc | ||
23 | include whitelist-var-common.inc | ||
24 | 20 | ||
25 | no3d | 21 | no3d |
26 | nou2f | ||
27 | novideo | ||
28 | protocol unix,inet,inet6 | ||
29 | shell none | ||
30 | 22 | ||
31 | disable-mnt | ||
32 | private-bin whalebird | 23 | private-bin whalebird |
33 | private-cache | ||
34 | private-dev | ||
35 | private-etc fonts,machine-id | 24 | private-etc fonts,machine-id |
36 | private-tmp | ||
37 | 25 | ||
38 | # Redirect | 26 | # Redirect |
39 | include electron.profile | 27 | include electron.profile |
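Review bot: `protocol unix,inet,inet6` (old line 28) is dropped and nothing on the new side of whalebird.profile restricts socket address families. The restriction survives only if electron.profile sets `protocol` itself, and that file is outside this part of the diff. Without it the sandboxed process would no longer be limited to the three families the old profile allowed. zoom.profile drops its `protocol unix,inet,inet6,netlink` line in the same way. If the base profile carries no `protocol` line, keep the per-application one.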
diff --git a/etc/profile-m-z/wire-desktop.profile b/etc/profile-m-z/wire-desktop.profile index d265c6bae..151cd2adb 100644 --- a/etc/profile-m-z/wire-desktop.profile +++ b/etc/profile-m-z/wire-desktop.profile | |||
@@ -4,33 +4,29 @@ | |||
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include wire-desktop.local | 5 | include wire-desktop.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | # added by included profile | 7 | include globals.local |
8 | #include globals.local | ||
9 | 8 | ||
10 | # Debian/Ubuntu use /opt/Wire. As that is not in PATH by default, run `firejail /opt/Wire/wire-desktop` to start it. | 9 | # Debian/Ubuntu use /opt/Wire. As that is not in PATH by default, run `firejail /opt/Wire/wire-desktop` to start it. |
11 | 10 | ||
11 | # Disabled until someone reported positive feedback | ||
12 | ignore include disable-exec.inc | ||
13 | ignore include disable-xdg.inc | ||
14 | ignore include whitelist-runuser-common.inc | ||
15 | ignore include whitelist-usr-share-common.inc | ||
16 | ignore include whitelist-var-common.inc | ||
17 | ignore novideo | ||
18 | ignore private-cache | ||
19 | |||
12 | ignore dbus-user none | 20 | ignore dbus-user none |
13 | ignore dbus-system none | 21 | ignore dbus-system none |
14 | 22 | ||
15 | noblacklist ${HOME}/.config/Wire | 23 | noblacklist ${HOME}/.config/Wire |
16 | 24 | ||
17 | include disable-devel.inc | ||
18 | include disable-interpreters.inc | ||
19 | |||
20 | mkdir ${HOME}/.config/Wire | 25 | mkdir ${HOME}/.config/Wire |
21 | whitelist ${HOME}/.config/Wire | 26 | whitelist ${HOME}/.config/Wire |
22 | include whitelist-common.inc | ||
23 | |||
24 | nou2f | ||
25 | ignore seccomp | ||
26 | seccomp !chroot | ||
27 | shell none | ||
28 | 27 | ||
29 | disable-mnt | ||
30 | private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop | 28 | private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop |
31 | private-dev | ||
32 | private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl | 29 | private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl |
33 | private-tmp | ||
34 | 30 | ||
35 | # Redirect | 31 | # Redirect |
36 | include electron.profile | 32 | include electron.profile |
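Review bot: The header `# Disabled until someone reported positive feedback` above the seven `ignore` lines (new lines 11-18) does not say that each one switches off a restriction that would otherwise apply, presumably one inherited from electron.profile. It also does not say what a tester should do to get a restriction re-enabled. Something like `# Restrictions from electron.profile not yet tested with this program; drop an 'ignore' once it is confirmed to work` would mark these as hardening gaps awaiting verification rather than known incompatibilities. The same header is used in twitch.profile, whalebird.profile, youtube.profile and zoom.profile.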
diff --git a/etc/profile-m-z/youtube.profile b/etc/profile-m-z/youtube.profile index a6c7750a9..92890a3a8 100644 --- a/etc/profile-m-z/youtube.profile +++ b/etc/profile-m-z/youtube.profile | |||
@@ -6,32 +6,19 @@ include youtube.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Disabled until someone reported positive feedback | ||
10 | ignore nou2f | ||
11 | |||
9 | noblacklist ${HOME}/.config/Youtube | 12 | noblacklist ${HOME}/.config/Youtube |
10 | 13 | ||
11 | include disable-devel.inc | ||
12 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | ||
14 | include disable-shell.inc | 14 | include disable-shell.inc |
15 | include disable-xdg.inc | ||
16 | 15 | ||
17 | mkdir ${HOME}/.config/Youtube | 16 | mkdir ${HOME}/.config/Youtube |
18 | whitelist ${HOME}/.config/Youtube | 17 | whitelist ${HOME}/.config/Youtube |
19 | include whitelist-common.inc | ||
20 | include whitelist-runuser-common.inc | ||
21 | include whitelist-usr-share-common.inc | ||
22 | include whitelist-var-common.inc | ||
23 | |||
24 | novideo | ||
25 | seccomp !chroot | ||
26 | shell none | ||
27 | 18 | ||
28 | disable-mnt | ||
29 | private-bin youtube | 19 | private-bin youtube |
30 | private-cache | ||
31 | private-dev | ||
32 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg | 20 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg |
33 | private-opt Youtube | 21 | private-opt Youtube |
34 | private-tmp | ||
35 | 22 | ||
36 | # Redirect | 23 | # Redirect |
37 | include electron.profile | 24 | include electron.profile |
diff --git a/etc/profile-m-z/youtubemusic-nativefier.profile b/etc/profile-m-z/youtubemusic-nativefier.profile index 3a94a5707..10ff1616a 100644 --- a/etc/profile-m-z/youtubemusic-nativefier.profile +++ b/etc/profile-m-z/youtubemusic-nativefier.profile | |||
@@ -8,31 +8,14 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.config/youtubemusic-nativefier-040164 | 9 | noblacklist ${HOME}/.config/youtubemusic-nativefier-040164 |
10 | 10 | ||
11 | include disable-devel.inc | ||
12 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | ||
14 | include disable-shell.inc | 11 | include disable-shell.inc |
15 | include disable-xdg.inc | ||
16 | 12 | ||
17 | mkdir ${HOME}/.config/youtubemusic-nativefier-040164 | 13 | mkdir ${HOME}/.config/youtubemusic-nativefier-040164 |
18 | whitelist ${HOME}/.config/youtubemusic-nativefier-040164 | 14 | whitelist ${HOME}/.config/youtubemusic-nativefier-040164 |
19 | include whitelist-common.inc | ||
20 | include whitelist-runuser-common.inc | ||
21 | include whitelist-usr-share-common.inc | ||
22 | include whitelist-var-common.inc | ||
23 | 15 | ||
24 | nou2f | ||
25 | novideo | ||
26 | seccomp !chroot | ||
27 | shell none | ||
28 | |||
29 | disable-mnt | ||
30 | private-bin youtubemusic-nativefier | 16 | private-bin youtubemusic-nativefier |
31 | private-cache | ||
32 | private-dev | ||
33 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg | 17 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg |
34 | private-opt youtubemusic-nativefier | 18 | private-opt youtubemusic-nativefier |
35 | private-tmp | ||
36 | 19 | ||
37 | # Redirect | 20 | # Redirect |
38 | include electron.profile | 21 | include electron.profile |
diff --git a/etc/profile-m-z/ytmdesktop.profile b/etc/profile-m-z/ytmdesktop.profile index 5c37b838b..3f6dd9694 100644 --- a/etc/profile-m-z/ytmdesktop.profile +++ b/etc/profile-m-z/ytmdesktop.profile | |||
@@ -10,30 +10,12 @@ ignore dbus-user none | |||
10 | 10 | ||
11 | noblacklist ${HOME}/.config/youtube-music-desktop-app | 11 | noblacklist ${HOME}/.config/youtube-music-desktop-app |
12 | 12 | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-xdg.inc | ||
17 | |||
18 | mkdir ${HOME}/.config/youtube-music-desktop-app | 13 | mkdir ${HOME}/.config/youtube-music-desktop-app |
19 | whitelist ${HOME}/.config/youtube-music-desktop-app | 14 | whitelist ${HOME}/.config/youtube-music-desktop-app |
20 | include whitelist-common.inc | ||
21 | include whitelist-runuser-common.inc | ||
22 | include whitelist-usr-share-common.inc | ||
23 | include whitelist-var-common.inc | ||
24 | |||
25 | nou2f | ||
26 | novideo | ||
27 | seccomp !chroot | ||
28 | shell none | ||
29 | 15 | ||
30 | disable-mnt | ||
31 | # private-bin env,ytmdesktop | 16 | # private-bin env,ytmdesktop |
32 | private-cache | ||
33 | private-dev | ||
34 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg | 17 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg |
35 | # private-opt | 18 | # private-opt |
36 | private-tmp | ||
37 | 19 | ||
38 | # Redirect | 20 | # Redirect |
39 | include electron.profile | 21 | include electron.profile |
diff --git a/etc/profile-m-z/zoom.profile b/etc/profile-m-z/zoom.profile index 889e8c02e..e8cd64c93 100644 --- a/etc/profile-m-z/zoom.profile +++ b/etc/profile-m-z/zoom.profile | |||
@@ -6,16 +6,20 @@ include zoom.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Disabled until someone reported positive feedback | ||
10 | ignore apparmor | ||
11 | ignore novideo | ||
12 | ignore dbus-user none | ||
13 | ignore dbus-system none | ||
14 | |||
15 | # nogroups breaks webcam access on non-systemd systems (see #3711). | ||
16 | # If you use such a system uncomment the line below or put 'ignore nogroups' in your zoom.local | ||
17 | #ignore nogroups | ||
18 | |||
9 | noblacklist ${HOME}/.config/zoomus.conf | 19 | noblacklist ${HOME}/.config/zoomus.conf |
10 | noblacklist ${HOME}/.zoom | 20 | noblacklist ${HOME}/.zoom |
11 | 21 | ||
12 | include disable-common.inc | 22 | nowhitelist ${DOWNLOADS} |
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | include disable-xdg.inc | ||
19 | 23 | ||
20 | mkdir ${HOME}/.cache/zoom | 24 | mkdir ${HOME}/.cache/zoom |
21 | mkfile ${HOME}/.config/zoomus.conf | 25 | mkfile ${HOME}/.config/zoomus.conf |
@@ -23,29 +27,9 @@ mkdir ${HOME}/.zoom | |||
23 | whitelist ${HOME}/.cache/zoom | 27 | whitelist ${HOME}/.cache/zoom |
24 | whitelist ${HOME}/.config/zoomus.conf | 28 | whitelist ${HOME}/.config/zoomus.conf |
25 | whitelist ${HOME}/.zoom | 29 | whitelist ${HOME}/.zoom |
26 | include whitelist-common.inc | ||
27 | include whitelist-runuser-common.inc | ||
28 | include whitelist-usr-share-common.inc | ||
29 | include whitelist-var-common.inc | ||
30 | 30 | ||
31 | caps.drop all | ||
32 | netfilter | ||
33 | nodvd | ||
34 | # nogroups breaks webcam access on non-systemd systems (see #3711). | ||
35 | # If you use such a system comment the line below or put 'ignore nogroups' in your zoom.local | ||
36 | nogroups | ||
37 | nonewprivs | ||
38 | noroot | ||
39 | notv | ||
40 | nou2f | ||
41 | protocol unix,inet,inet6,netlink | ||
42 | seccomp !chroot | ||
43 | shell none | ||
44 | tracelog | ||
45 | |||
46 | disable-mnt | ||
47 | private-cache | ||
48 | private-dev | ||
49 | # Disable for now, see https://github.com/netblue30/firejail/issues/3726 | 31 | # Disable for now, see https://github.com/netblue30/firejail/issues/3726 |
50 | #private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl | 32 | #private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl |
51 | private-tmp | 33 | |
34 | # Redirect | ||
35 | include electron.profile | ||
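Review bot: The second hunk removes `caps.drop all`, `nonewprivs`, `noroot` and `tracelog` (old lines 31-44) and the new side of zoom.profile adds no equivalent. The privilege-related hardening for this program therefore rests on electron.profile, which is not visible in this part of the diff. If that base profile keeps capabilities or omits `nonewprivs`/`noroot`, the zoom sandbox is weaker than before this commit. In that case the lines should stay here, e.g. `caps.drop all`, `nonewprivs`, `noroot`, or the commit message should state that the relaxation is intended.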