18 files changed, 29 insertions, 23 deletions
diff --git a/etc/deluge.profile b/etc/deluge.profile
index 8fde9acf9..b82bd4936 100644
--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -15,7 +15,6 @@ seccomp
 shell none
 private-bin deluge,sh,python,uname
-whitelist /tmp/.X11-unix
 private-dev
-nosound
+private-tmp
diff --git a/etc/evince.profile b/etc/evince.profile
index 894c7c70d..9a9113c70 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -5,6 +5,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+netfilter
+net none
 nogroups
 nonewprivs
 noroot
@@ -16,3 +18,5 @@ tracelog
 private-bin evince,evince-previewer,evince-thumbnailer
 private-dev
+private-etc fonts
+private-tmp
+\ No newline at end of file
diff --git a/etc/fbreader.profile b/etc/fbreader.profile
index de31ce8de..ec098d5fe 100644
--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -16,6 +16,5 @@ seccomp
 shell none
 private-bin fbreader,FBReader
-whitelist /tmp/.X11-unix
 private-dev
-nosound
+private-tmp
diff --git a/etc/feh.profile b/etc/feh.profile
index e3b1ec528..2812effc9 100644
--- a/etc/feh.profile
+++ b/etc/feh.profile
@@ -16,6 +16,6 @@ seccomp
 shell none
 private-bin feh
-whitelist /tmp/.X11-unix
 private-dev
 private-etc feh
+private-tmp
+\ No newline at end of file
diff --git a/etc/filezilla.profile b/etc/filezilla.profile
index fe1d9d20d..a40fceec1 100644
--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -17,5 +17,4 @@ shell none
 private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp
 private-dev
+private-tmp
-whitelist /tmp/.X11-unix
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 170d0fe10..7875ca6b9 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -47,4 +47,8 @@ whitelist ~/.config/pipelight-silverlight5.1
 include /etc/firejail/whitelist-common.inc
 # experimental features
-#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+private-bin firefox,which,sh,dbus-launch,dbus-send,env
+private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
+private-dev
+private-tmp
diff --git a/etc/gthumb.profile b/etc/gthumb.profile
index 3ffd10add..055d78935 100644
--- a/etc/gthumb.profile
+++ b/etc/gthumb.profile
@@ -17,5 +17,5 @@ shell none
 tracelog
 private-bin gthumb
-whitelist /tmp/.X11-unix
 private-dev
+private-tmp
+\ No newline at end of file
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index d1a157c3c..65e6a8978 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -12,12 +12,16 @@ nosound
 protocol unix
 seccomp
 netfilter
+net none
 shell none
 tracelog
+seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
 private-bin mupdf
 private-tmp
 private-dev
+private-etc fonts
 # mupdf will never write anything
 read-only ${HOME}
diff --git a/etc/pix.profile b/etc/pix.profile
index e21ddadc6..dc8192b01 100644
--- a/etc/pix.profile
+++ b/etc/pix.profile
@@ -18,5 +18,5 @@ shell none
 tracelog
 private-bin pix
-whitelist /tmp/.X11-unix
 private-dev
+private-tmp
+\ No newline at end of file
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index 67829c9ca..89e0e4c78 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -16,5 +16,4 @@ seccomp
 #shell none
 #private-bin qbittorrent
 private-dev
+private-tmp
-whitelist /tmp/.X11-unix
diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile
index 1226a51cd..55bfcd77f 100644
--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@@ -14,5 +14,5 @@ seccomp
 shell none
 private-bin rtorrent
-whitelist /tmp/.X11-unix
 private-dev
+private-tmp
+\ No newline at end of file
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index 316cdfec6..fa54ea81b 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -19,5 +19,4 @@ tracelog
 private-bin transmission-gtk
 private-dev
+private-tmp
-whitelist /tmp/.X11-unix
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index 51c58e224..100fadc27 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -19,5 +19,4 @@ tracelog
 private-bin transmission-qt
 private-dev
+private-tmp
-whitelist /tmp/.X11-unix
diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile
index f42e6c69a..3ba28f772 100644
--- a/etc/uget-gtk.profile
+++ b/etc/uget-gtk.profile
@@ -16,8 +16,8 @@ shell none
 private-bin uget-gtk
 private-dev
+private-tmp
-whitelist /tmp/.X11-unix
 whitelist ${DOWNLOADS}
 mkdir ~/.config/uGet
 whitelist ~/.config/uGet
diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile
index 2ddb59d11..bb489ddeb 100644
--- a/etc/wesnoth.profile
+++ b/etc/wesnoth.profile
@@ -15,8 +15,7 @@ protocol unix,inet,inet6
 seccomp
 private-dev
+private-tmp
-whitelist /tmp/.X11-unix
 mkdir ${HOME}/.local/share/wesnoth
 mkdir ${HOME}/.config/wesnoth
diff --git a/etc/zathura.profile b/etc/zathura.profile
index 99a8ea90d..6c93a2480 100644
--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -8,6 +8,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
+net none
 nogroups
 nonewprivs
 noroot
@@ -19,7 +20,7 @@ protocol unix
 private-bin zathura
 private-dev
 private-etc fonts
-whitelist /tmp/.X11-unix
+private-tmp
 read-only ~/
 read-write ~/.local/share/zathura/
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 09dc46bbc..d6113218c 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -200,7 +200,7 @@ filesystem, and copy the files and directories in the list.
 All modifications are discarded when the sandbox is closed.
 .TP
 \fBprivate-tmp
-Mount an empty temporary filesystem on top of /tmp directory.
+Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
 .TP
 \fBread-only file_or_directory
 Make directory or file read-only.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 666a6a8ef..74e8ef4fe 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1180,7 +1180,7 @@ nsswitch.conf,passwd,resolv.conf
 .TP
 \fB\-\-private-tmp
-Mount an empty temporary filesystem on top of /tmp directory.
+Mount an empty filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
 .br
 .br

diff --git a/etc/deluge.profile b/etc/deluge.profile index 8fde9acf9..b82bd4936 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile
@@ -15,7 +15,6 @@ seccomp
15		15
16	shell none	16	shell none
17	private-bin deluge,sh,python,uname	17	private-bin deluge,sh,python,uname
18	whitelist /tmp/.X11-unix
19	private-dev	18	private-dev
20	nosound	19	private-tmp
21		20


diff --git a/etc/evince.profile b/etc/evince.profile index 894c7c70d..9a9113c70 100644 --- a/etc/evince.profile +++ b/etc/evince.profile
@@ -5,6 +5,8 @@ include /etc/firejail/disable-devel.inc
5	include /etc/firejail/disable-passwdmgr.inc	5	include /etc/firejail/disable-passwdmgr.inc
6		6
7	caps.drop all	7	caps.drop all
		8	netfilter
		9	net none
8	nogroups	10	nogroups
9	nonewprivs	11	nonewprivs
10	noroot	12	noroot
@@ -16,3 +18,5 @@ tracelog
16		18
17	private-bin evince,evince-previewer,evince-thumbnailer	19	private-bin evince,evince-previewer,evince-thumbnailer
18	private-dev	20	private-dev
		21	private-etc fonts
		22	private-tmp \ No newline at end of file


diff --git a/etc/fbreader.profile b/etc/fbreader.profile index de31ce8de..ec098d5fe 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile
@@ -16,6 +16,5 @@ seccomp
16		16
17	shell none	17	shell none
18	private-bin fbreader,FBReader	18	private-bin fbreader,FBReader
19	whitelist /tmp/.X11-unix
20	private-dev	19	private-dev
21	nosound	20	private-tmp


diff --git a/etc/feh.profile b/etc/feh.profile index e3b1ec528..2812effc9 100644 --- a/etc/feh.profile +++ b/etc/feh.profile
@@ -16,6 +16,6 @@ seccomp
16	shell none	16	shell none
17		17
18	private-bin feh	18	private-bin feh
19	whitelist /tmp/.X11-unix
20	private-dev	19	private-dev
21	private-etc feh	20	private-etc feh
		21	private-tmp \ No newline at end of file


diff --git a/etc/filezilla.profile b/etc/filezilla.profile index fe1d9d20d..a40fceec1 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile
@@ -17,5 +17,4 @@ shell none
17		17
18	private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp	18	private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp
19	private-dev	19	private-dev
20		20	private-tmp
21	whitelist /tmp/.X11-unix


diff --git a/etc/firefox.profile b/etc/firefox.profile index 170d0fe10..7875ca6b9 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile
@@ -47,4 +47,8 @@ whitelist ~/.config/pipelight-silverlight5.1
47	include /etc/firejail/whitelist-common.inc	47	include /etc/firejail/whitelist-common.inc
48		48
49	# experimental features	49	# experimental features
50	#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse	50
		51	private-bin firefox,which,sh,dbus-launch,dbus-send,env
		52	private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
		53	private-dev
		54	private-tmp


diff --git a/etc/gthumb.profile b/etc/gthumb.profile index 3ffd10add..055d78935 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile
@@ -17,5 +17,5 @@ shell none
17	tracelog	17	tracelog
18		18
19	private-bin gthumb	19	private-bin gthumb
20	whitelist /tmp/.X11-unix
21	private-dev	20	private-dev
		21	private-tmp \ No newline at end of file


diff --git a/etc/mupdf.profile b/etc/mupdf.profile index d1a157c3c..65e6a8978 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile
@@ -12,12 +12,16 @@ nosound
12	protocol unix	12	protocol unix
13	seccomp	13	seccomp
14	netfilter	14	netfilter
		15	net none
15	shell none	16	shell none
16	tracelog	17	tracelog
17		18
		19	seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
		20
18	private-bin mupdf	21	private-bin mupdf
19	private-tmp	22	private-tmp
20	private-dev	23	private-dev
		24	private-etc fonts
21		25
22	# mupdf will never write anything	26	# mupdf will never write anything
23	read-only ${HOME}	27	read-only ${HOME}


diff --git a/etc/pix.profile b/etc/pix.profile index e21ddadc6..dc8192b01 100644 --- a/etc/pix.profile +++ b/etc/pix.profile
@@ -18,5 +18,5 @@ shell none
18	tracelog	18	tracelog
19		19
20	private-bin pix	20	private-bin pix
21	whitelist /tmp/.X11-unix
22	private-dev	21	private-dev
		22	private-tmp \ No newline at end of file


diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index 67829c9ca..89e0e4c78 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile
@@ -16,5 +16,4 @@ seccomp
16	#shell none	16	#shell none
17	#private-bin qbittorrent	17	#private-bin qbittorrent
18	private-dev	18	private-dev
19		19	private-tmp
20	whitelist /tmp/.X11-unix


diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index 1226a51cd..55bfcd77f 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile
@@ -14,5 +14,5 @@ seccomp
14		14
15	shell none	15	shell none
16	private-bin rtorrent	16	private-bin rtorrent
17	whitelist /tmp/.X11-unix
18	private-dev	17	private-dev
		18	private-tmp \ No newline at end of file


diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index 316cdfec6..fa54ea81b 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile
@@ -19,5 +19,4 @@ tracelog
19		19
20	private-bin transmission-gtk	20	private-bin transmission-gtk
21	private-dev	21	private-dev
22		22	private-tmp
23	whitelist /tmp/.X11-unix


diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index 51c58e224..100fadc27 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile
@@ -19,5 +19,4 @@ tracelog
19		19
20	private-bin transmission-qt	20	private-bin transmission-qt
21	private-dev	21	private-dev
22		22	private-tmp
23	whitelist /tmp/.X11-unix


diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index f42e6c69a..3ba28f772 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile
@@ -16,8 +16,8 @@ shell none
16		16
17	private-bin uget-gtk	17	private-bin uget-gtk
18	private-dev	18	private-dev
		19	private-tmp
19		20
20	whitelist /tmp/.X11-unix
21	whitelist ${DOWNLOADS}	21	whitelist ${DOWNLOADS}
22	mkdir ~/.config/uGet	22	mkdir ~/.config/uGet
23	whitelist ~/.config/uGet	23	whitelist ~/.config/uGet


diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile index 2ddb59d11..bb489ddeb 100644 --- a/etc/wesnoth.profile +++ b/etc/wesnoth.profile
@@ -15,8 +15,7 @@ protocol unix,inet,inet6
15	seccomp	15	seccomp
16		16
17	private-dev	17	private-dev
18		18	private-tmp
19	whitelist /tmp/.X11-unix
20		19
21	mkdir ${HOME}/.local/share/wesnoth	20	mkdir ${HOME}/.local/share/wesnoth
22	mkdir ${HOME}/.config/wesnoth	21	mkdir ${HOME}/.config/wesnoth


diff --git a/etc/zathura.profile b/etc/zathura.profile index 99a8ea90d..6c93a2480 100644 --- a/etc/zathura.profile +++ b/etc/zathura.profile
@@ -8,6 +8,7 @@ include /etc/firejail/disable-passwdmgr.inc
8		8
9	caps.drop all	9	caps.drop all
10	netfilter	10	netfilter
		11	net none
11	nogroups	12	nogroups
12	nonewprivs	13	nonewprivs
13	noroot	14	noroot
@@ -19,7 +20,7 @@ protocol unix
19	private-bin zathura	20	private-bin zathura
20	private-dev	21	private-dev
21	private-etc fonts	22	private-etc fonts
22	whitelist /tmp/.X11-unix	23	private-tmp
23		24
24	read-only ~/	25	read-only ~/
25	read-write ~/.local/share/zathura/	26	read-write ~/.local/share/zathura/


diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 09dc46bbc..d6113218c 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -200,7 +200,7 @@ filesystem, and copy the files and directories in the list.
200	All modifications are discarded when the sandbox is closed.	200	All modifications are discarded when the sandbox is closed.
201	.TP	201	.TP
202	\fBprivate-tmp	202	\fBprivate-tmp
203	Mount an empty temporary filesystem on top of /tmp directory.	203	Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
204	.TP	204	.TP
205	\fBread-only file_or_directory	205	\fBread-only file_or_directory
206	Make directory or file read-only.	206	Make directory or file read-only.


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 666a6a8ef..74e8ef4fe 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1180,7 +1180,7 @@ nsswitch.conf,passwd,resolv.conf
1180		1180
1181	.TP	1181	.TP
1182	\fB\-\-private-tmp	1182	\fB\-\-private-tmp
1183	Mount an empty temporary filesystem on top of /tmp directory.	1183	Mount an empty filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
1184	.br	1184	.br
1185		1185
1186	.br	1186	.br