-rw-r--r-- | README.md | 4 | ||||
-rw-r--r-- | RELNOTES | 4 | ||||
-rw-r--r-- | etc/disable-programs.inc | 8 | ||||
-rw-r--r-- | etc/etr.profile | 41 | ||||
-rw-r--r-- | etc/frozen-bubble.profile | 38 | ||||
-rw-r--r-- | etc/open-invaders.profile | 41 | ||||
-rw-r--r-- | etc/pingus.profile | 41 | ||||
-rw-r--r-- | etc/simutrans.profile | 41 | ||||
-rw-r--r-- | etc/supertux2.profile | 41 | ||||
-rw-r--r-- | etc/unknown-horizons.profile | 40 | ||||
-rw-r--r-- | platform/debian/conffiles | 6 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 7 |
12 files changed, 310 insertions, 2 deletions
@@ -127,4 +127,6 @@ ulimit, vhangup, vserver. This brings us to a total of 91 syscalls blacklisted b | |||
127 | ## New profiles: | 127 | ## New profiles: |
128 | 128 | ||
129 | curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, Geary, Liferea, peek, silentarmy, | 129 | curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, Geary, Liferea, peek, silentarmy, |
130 | IntelliJ IDEA, Android Studio, electron, riot-web | 130 | IntelliJ IDEA, Android Studio, electron, riot-web, |
131 | Extreme Tux Racer, Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux | ||
132 | |||
@@ -7,7 +7,9 @@ firejail (0.9.49) baseline; urgency=low | |||
7 | * enhancement: rework IP address assingment for --net options | 7 | * enhancement: rework IP address assingment for --net options |
8 | * new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, | 8 | * new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, |
9 | * new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA, | 9 | * new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA, |
10 | * new profiles: Android Studio, electron, riot-web | 10 | * new profiles: Android Studio, electron, riot-web, Extreme Tux Racer, |
11 | * new profiles: Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux | ||
12 | |||
11 | * bugfixes | 13 | * bugfixes |
12 | -- netblue30 <netblue30@yahoo.com> Mon, 12 Jun 2017 20:00:00 -0500 | 14 | -- netblue30 <netblue30@yahoo.com> Mon, 12 Jun 2017 20:00:00 -0500 |
13 | 15 | ||
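--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -186,9 +186,12 @@ blacklist ${HOME}/.elinks
 blacklist ${HOME}/.emacs
 blacklist ${HOME}/.emacs.d
 blacklist ${HOME}/.filezilla
+blacklist ${HOME}/.emacs
+blacklist ${HOME}/.etr
 blacklist ${HOME}/.flowblade
 blacklist ${HOME}/.fltk
 blacklist ${HOME}/.FontForge
+blacklist ${HOME}/.frozen-bubble
 blacklist ${HOME}/.gimp*
 blacklist ${HOME}/.git-credential-cache
 blacklist ${HOME}/.gitconfig
@@ -301,6 +304,7 @@ blacklist ${HOME}/.local/share/qpdfview
 blacklist ${HOME}/.local/share/scribus
 blacklist ${HOME}/.local/share/spotify
 blacklist ${HOME}/.local/share/steam
+blacklist ${HOME}/.local/share/supertux2
 blacklist ${HOME}/.local/share/telepathy
 blacklist ${HOME}/.local/share/torbrowser
 blacklist ${HOME}/.local/share/totem
@@ -325,16 +329,19 @@ blacklist ${HOME}/.mutt/muttrc
 blacklist ${HOME}/.muttrc
 blacklist ${HOME}/.nv
 blacklist ${HOME}/.nylas-mail
+blacklist ${HOME}/.openinvaders
 blacklist ${HOME}/.openshot
 blacklist ${HOME}/.openshot_qt
 blacklist ${HOME}/.opera
 blacklist ${HOME}/.opera-beta
+blacklist ${HOME}/.pingus
 blacklist ${HOME}/.purple
 blacklist ${HOME}/.qemu-launcher
 blacklist ${HOME}/.remmina
 blacklist ${HOME}/.retroshare
 blacklist ${HOME}/.scribus
 blacklist ${HOME}/.scribusrc
+blacklist ${HOME}/.simutrans
 blacklist ${HOME}/.steam
 blacklist ${HOME}/.steampath
 blacklist ${HOME}/.steampid
@@ -347,6 +354,7 @@ blacklist ${HOME}/.tconn
 blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.tooling
 blacklist ${HOME}/.ts3client
+blacklist ${HOME}/.unknow-horizons
 blacklist ${HOME}/.viking
 blacklist ${HOME}/.viking-maps
 blacklist ${HOME}/.vst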
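Review bot: The entry added at new line 357, `blacklist ${HOME}/.unknow-horizons`, is misspelled: the new etc/unknown-horizons.profile whitelists `~/.unknown-horizons`, so this line blacklists a path that never exists and the game's real data directory stays readable from every other sandbox that includes disable-programs.inc. It should read `blacklist ${HOME}/.unknown-horizons`. Separately, new line 189 adds a second `blacklist ${HOME}/.emacs` three lines below the existing one at line 186 and out of alphabetical order; the duplicate is harmless but should be dropped.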
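--- /dev/null
+++ b/etc/etr.profile
@@ -0,0 +1,41 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/etr.local
+
+################################
+# Extreme Tux Racer profile
+################################
+
+noblacklist ~/.etr
+mkdir ~/.etr
+whitelist ~/.etr
+include /etc/firejail/whitelist-common.inc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+noroot
+protocol unix,netlink
+seccomp
+
+#
+# depending on your usage, you can enable some of the commands below:
+#
+net none
+nogroups
+shell none
+#private-bin etr
+# private-etc none
+private-dev
+private-tmp
+# nosound
+
+
+
+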
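Review bot: New lines 38–41 of etc/etr.profile are empty; a single trailing newline after `# nosound` is enough, and the extra blank lines only add noise to the shipped profile. The same trailing run of blank lines appears in open-invaders.profile, pingus.profile, simutrans.profile, supertux2.profile and unknown-horizons.profile in this commit.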
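--- /dev/null
+++ b/etc/frozen-bubble.profile
@@ -0,0 +1,38 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/frozen-bubble.local
+
+################################
+# Frozen Bubble profile
+################################
+
+noblacklist ~/.frozen-bubble
+mkdir ~/.frozen-bubble
+whitelist ~/.frozen-bubble
+include /etc/firejail/whitelist-common.inc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+noroot
+protocol unix,netlink
+seccomp
+
+#
+# depending on your usage, you can enable some of the commands below:
+#
+net none
+nogroups
+shell none
+#private-bin frozen-bubble
+# private-etc none
+private-dev
+private-tmp
+# nosound
+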
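--- /dev/null
+++ b/etc/open-invaders.profile
@@ -0,0 +1,41 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/open-invaders.local
+
+################################
+# open-invaders profile
+################################
+
+noblacklist ~/.openinvaders
+mkdir ~/.openinvaders
+whitelist ~/.openinvaders
+include /etc/firejail/whitelist-common.inc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+noroot
+protocol unix,netlink
+seccomp
+
+#
+# depending on your usage, you can enable some of the commands below:
+#
+net none
+nogroups
+shell none
+#private-bin open-invaders
+# private-etc none
+private-dev
+private-tmp
+# nosound
+
+
+
+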
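--- /dev/null
+++ b/etc/pingus.profile
@@ -0,0 +1,41 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/pingus.local
+
+################################
+# Pinugs profile
+################################
+
+noblacklist ~/.pingus
+mkdir ~/.pingus
+whitelist ~/.pingus
+include /etc/firejail/whitelist-common.inc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+noroot
+protocol unix,netlink
+seccomp
+
+#
+# depending on your usage, you can enable some of the commands below:
+#
+net none
+nogroups
+shell none
+#private-bin pingus
+# private-etc none
+private-dev
+private-tmp
+# nosound
+
+
+
+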
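Review bot: The banner comment at new line 9 of etc/pingus.profile misspells the program name as `# Pinugs profile`; it should read `# Pingus profile`. The banner is the only human-readable identification of the profile, so the typo is worth fixing before the release that ships it.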
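--- /dev/null
+++ b/etc/simutrans.profile
@@ -0,0 +1,41 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/simutrans.local
+
+################################
+# simutrans profile
+################################
+
+noblacklist ~/.simutrans
+mkdir ~/.simutrans
+whitelist ~/.simutrans
+include /etc/firejail/whitelist-common.inc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+noroot
+protocol unix
+seccomp
+
+#
+# depending on your usage, you can enable some of the commands below:
+#
+net none
+nogroups
+shell none
+#private-bin simutrans
+# private-etc none
+private-dev
+private-tmp
+# nosound
+
+
+
+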
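--- /dev/null
+++ b/etc/supertux2.profile
@@ -0,0 +1,41 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/supertux2.local
+
+################################
+# SuperTux profile
+################################
+
+noblacklist ~/.local/share/supertux2
+mkdir ~/.local/share/supertux2
+whitelist ~/.local/share/supertux2
+include /etc/firejail/whitelist-common.inc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+noroot
+protocol unix,netlink
+seccomp
+
+#
+# depending on your usage, you can enable some of the commands below:
+#
+net none
+nogroups
+shell none
+#private-bin supertux2
+# private-etc none
+private-dev
+private-tmp
+# nosound
+
+
+
+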
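--- /dev/null
+++ b/etc/unknown-horizons.profile
@@ -0,0 +1,40 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/unknown-horizons.local
+
+################################
+# Extreme Tux Racer profile
+################################
+
+noblacklist ~/.unknown-horizons
+mkdir ~/.unknown-horizons
+whitelist ~/.unknown-horizons
+include /etc/firejail/whitelist-common.inc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+noroot
+protocol unix,netlink,inet,inet6
+seccomp
+
+#
+# depending on your usage, you can enable some of the commands below:
+#
+nogroups
+shell none
+#private-bin unknown-horizons
+# private-etc none
+private-dev
+private-tmp
+# nosound
+
+
+
+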
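Review bot: The banner at new line 9 of etc/unknown-horizons.profile reads `# Extreme Tux Racer profile`, copied from etr.profile; it should read `# Unknown Horizons profile`. This profile is also the only one of the seven new game profiles that keeps networking: it has no `net none`, and its `protocol` line at line 24 adds `inet,inet6` where the others allow only `unix,netlink`. If that is deliberate (presumably for the game's network play), a short comment next to line 24 such as `# network left enabled for multiplayer` would stop a later cleanup from tightening it to match the other game profiles; if it is not deliberate, adding `net none` and dropping `inet,inet6` brings it in line with them.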
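--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -321,3 +321,9 @@
 /etc/firejail/kwrite.profile
 /etc/firejail/geary.profile
 /etc/firejail/liferea.profile
+/etc/firejail/etr.profile
+/etc/firejail/frozen-bubble.profile
+/etc/firejail/open-invaders.profile
+/etc/firejail/pingus.profile
+/etc/firejail/simutrans.profile
+/etc/firejail/supertux2.profile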
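Review bot: etc/unknown-horizons.profile is added by this commit and registered in src/firecfg/firecfg.config, but the new entries at lines 324–329 of platform/debian/conffiles do not list `/etc/firejail/unknown-horizons.profile`. If conffiles is meant to enumerate every profile installed under /etc/firejail (the other six new profiles are all listed here), dpkg will not treat that file as a conffile and a local edit to it would be replaced silently on upgrade. Adding `/etc/firejail/unknown-horizons.profile` after line 329 keeps the list complete.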
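--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -59,6 +59,7 @@ empathy
 eog
 eom
 epiphany
+etr
 evince
 evolution
 exiftool
@@ -71,6 +72,7 @@ firefox-esr
 flashpeak-slimjet
 flowblade
 fontforge
+frozen-bubble
 FossaMail
 gajim
 galculator
@@ -182,6 +184,7 @@ netsurf
 nylas
 odt2txt
 okular
+open-invaders
 openshot
 opera
 opera-beta
@@ -192,6 +195,7 @@ pdfsam
 pdftotext
 peek
 pidgin
+pingus
 pithos
 pix
 pluma
@@ -215,6 +219,7 @@ scribus
 seamonkey
 seamonkey-bin
 simple-scan
+simutrans
 silentarmy
 skanlite
 skype
@@ -229,6 +234,7 @@ start-tor-browser
 steam
 stellarium
 strings
+supertux2
 synfigstudio
 telegram
 Telegram
@@ -241,6 +247,7 @@ transmission-qt
 transmission-show
 uget-gtk
 unbound
+unknown-horizons
 uudeview
 uzbl-browser
 viewnior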
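Review bot: `simutrans` at new line 222 is inserted ahead of `silentarmy` (line 223), which breaks the alphabetical order the rest of this list follows (`sil` sorts before `sim`); swapping the two lines so `silentarmy` comes first fixes it. The other six insertions in this file land in the right place.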