14 files changed, 110 insertions, 8 deletions
diff --git a/etc/audacity.profile b/etc/audacity.profile
index 4394416ff..779cd8cdb 100644
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -11,7 +11,9 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
+net none
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
@@ -23,3 +25,6 @@ tracelog
 private-bin audacity
 private-dev
 private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile
index b406b9985..7ea55f505 100644
--- a/etc/bleachbit.profile
+++ b/etc/bleachbit.profile
@@ -9,17 +9,21 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+net none
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
-shell none
-seccomp
 protocol unix
+seccomp
+shell none
 # private-bin
 # private-dev
 # private-tmp
 # private-etc
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile
index 603d6345c..efd8b463b 100644
--- a/etc/deadbeef.profile
+++ b/etc/deadbeef.profile
@@ -11,7 +11,17 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+netfilter
+no3d
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/dino.profile b/etc/dino.profile
index cec86812f..3de858618 100644
--- a/etc/dino.profile
+++ b/etc/dino.profile
@@ -13,9 +13,9 @@ include /etc/firejail/disable-programs.inc
 whitelist ${HOME}/Downloads
 mkdir ${HOME}/.local/share/dino
 whitelist ${HOME}/.local/share/dino
+include /etc/firejail/whitelist-common.inc
 caps.drop all
-machine-id
 netfilter
 no3d
 nogroups
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 1bc3eb769..4d96c05c8 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -21,6 +21,7 @@ nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
+shell none
 tracelog
 whitelist ${DOWNLOADS}
@@ -59,3 +60,6 @@ include /etc/firejail/whitelist-common.inc
 #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
 private-dev 
 private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index f5d952e3d..e9366f07d 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -19,6 +19,7 @@ caps.drop all
 netfilter
 #net none                                     
 no3d
+nogroups
 nonewprivs
 noroot
 nosound
diff --git a/etc/meld.profile b/etc/meld.profile
new file mode 100644
index 000000000..4b95b866d
--- /dev/null
+++ b/etc/meld.profile
@@ -0,0 +1,29 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/meld.local
+# Firejail profile for meld
+noblacklist ${HOME}/.local/share/meld
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+net none
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/ssh.profile b/etc/ssh.profile
index b1ef6b27e..425841399 100644
--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -14,7 +14,18 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
+nosound
 protocol unix,inet,inet6
 seccomp
+shell none
+tracelog
+private-dev
+#private-tmp #Breaks when exiting
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/steam.profile b/etc/steam.profile
index c81836dfc..536588e4b 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -12,11 +12,13 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
+tracelog
 private-dev
 private-tmp
diff --git a/etc/viking.profile b/etc/viking.profile
new file mode 100644
index 000000000..2b68d731c
--- /dev/null
+++ b/etc/viking.profile
@@ -0,0 +1,30 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/viking.local
+# Firejail profile for viking
+noblacklist ${HOME}/.viking
+noblacklist ${HOME}/.viking-maps
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/wget.profile b/etc/wget.profile
index cd156a376..3ba97d95d 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -10,11 +10,11 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
-nogroups
 nosound
-no3d
 protocol unix,inet,inet6
 seccomp
 shell none
@@ -22,7 +22,9 @@ shell none
 blacklist /tmp/.X11-unix
 # private-bin wget
-# private-etc resolv.conf
 private-dev
+# private-etc resolv.conf
 private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/wireshark.profile b/etc/wireshark.profile
index 90909edf1..dc224b31c 100644
--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -18,6 +18,7 @@ include /etc/firejail/disable-passwdmgr.inc
 #protocol unix,inet,inet6,netlink
 netfilter
+no3d
 nogroups
 nonewprivs
 nosound
@@ -28,3 +29,6 @@ tracelog
 #private-bin wireshark
 private-dev
 private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index fa66da617..025e715e6 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -113,7 +113,7 @@ static void disable_file(OPERATION op, const char *filename) {
                else {
                        if (arg_debug) {
                                if (strcmp(filename, fname))
-                                        printf("Disable %s (requesterd %s)\n", fname, filename);
+                                        printf("Disable %s (requested %s)\n", fname, filename);
                                else
                                        printf("Disable %s\n", fname);
                        }
diff --git a/test/utils/audit.exp b/test/utils/audit.exp
index 566493947..f0c1906a0 100755
--- a/test/utils/audit.exp
+++ b/test/utils/audit.exp
@@ -35,7 +35,7 @@ expect {
 after 100
-send -- "firejail --audit=/usr/lib/firejail/faudit\r"
+send -- "firejail --audit\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
        "Firejail Audit"

diff --git a/etc/audacity.profile b/etc/audacity.profile index 4394416ff..779cd8cdb 100644 --- a/etc/audacity.profile +++ b/etc/audacity.profile
@@ -11,7 +11,9 @@ include /etc/firejail/disable-passwdmgr.inc
11	include /etc/firejail/disable-programs.inc	11	include /etc/firejail/disable-programs.inc
12		12
13	caps.drop all	13	caps.drop all
		14	net none
14	netfilter	15	netfilter
		16	no3d
15	nogroups	17	nogroups
16	nonewprivs	18	nonewprivs
17	noroot	19	noroot
@@ -23,3 +25,6 @@ tracelog
23	private-bin audacity	25	private-bin audacity
24	private-dev	26	private-dev
25	private-tmp	27	private-tmp
		28
		29	noexec ${HOME}
		30	noexec /tmp


diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile index b406b9985..7ea55f505 100644 --- a/etc/bleachbit.profile +++ b/etc/bleachbit.profile
@@ -9,17 +9,21 @@ include /etc/firejail/disable-devel.inc
9	include /etc/firejail/disable-passwdmgr.inc	9	include /etc/firejail/disable-passwdmgr.inc
10		10
11	caps.drop all	11	caps.drop all
		12	net none
12	netfilter	13	netfilter
		14	no3d
13	nogroups	15	nogroups
14	nonewprivs	16	nonewprivs
15	noroot	17	noroot
16	nosound	18	nosound
17	shell none
18	seccomp
19	protocol unix	19	protocol unix
		20	seccomp
		21	shell none
20		22
21	# private-bin	23	# private-bin
22	# private-dev	24	# private-dev
23	# private-tmp	25	# private-tmp
24	# private-etc	26	# private-etc
25		27
		28	noexec ${HOME}
		29	noexec /tmp


diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile index 603d6345c..efd8b463b 100644 --- a/etc/deadbeef.profile +++ b/etc/deadbeef.profile
@@ -11,7 +11,17 @@ include /etc/firejail/disable-devel.inc
11	include /etc/firejail/disable-passwdmgr.inc	11	include /etc/firejail/disable-passwdmgr.inc
12		12
13	caps.drop all	13	caps.drop all
		14	netfilter
		15	no3d
		16	nogroups
14	nonewprivs	17	nonewprivs
15	noroot	18	noroot
16	protocol unix,inet,inet6	19	protocol unix,inet,inet6
17	seccomp	20	seccomp
		21	shell none
		22
		23	private-dev
		24	private-tmp
		25
		26	noexec ${HOME}
		27	noexec /tmp


diff --git a/etc/dino.profile b/etc/dino.profile index cec86812f..3de858618 100644 --- a/etc/dino.profile +++ b/etc/dino.profile
@@ -13,9 +13,9 @@ include /etc/firejail/disable-programs.inc
13	whitelist ${HOME}/Downloads	13	whitelist ${HOME}/Downloads
14	mkdir ${HOME}/.local/share/dino	14	mkdir ${HOME}/.local/share/dino
15	whitelist ${HOME}/.local/share/dino	15	whitelist ${HOME}/.local/share/dino
		16	include /etc/firejail/whitelist-common.inc
16		17
17	caps.drop all	18	caps.drop all
18	machine-id
19	netfilter	19	netfilter
20	no3d	20	no3d
21	nogroups	21	nogroups


diff --git a/etc/firefox.profile b/etc/firefox.profile index 1bc3eb769..4d96c05c8 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile
@@ -21,6 +21,7 @@ nonewprivs
21	noroot	21	noroot
22	protocol unix,inet,inet6,netlink	22	protocol unix,inet,inet6,netlink
23	seccomp	23	seccomp
		24	shell none
24	tracelog	25	tracelog
25		26
26	whitelist ${DOWNLOADS}	27	whitelist ${DOWNLOADS}
@@ -59,3 +60,6 @@ include /etc/firejail/whitelist-common.inc
59	#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse	60	#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
60	private-dev	61	private-dev
61	private-tmp	62	private-tmp
		63
		64	noexec ${HOME}
		65	noexec /tmp


diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile index f5d952e3d..e9366f07d 100644 --- a/etc/gnome-calculator.profile +++ b/etc/gnome-calculator.profile
@@ -19,6 +19,7 @@ caps.drop all
19	netfilter	19	netfilter
20	#net none	20	#net none
21	no3d	21	no3d
		22	nogroups
22	nonewprivs	23	nonewprivs
23	noroot	24	noroot
24	nosound	25	nosound


diff --git a/etc/meld.profile b/etc/meld.profile new file mode 100644 index 000000000..4b95b866d --- /dev/null +++ b/etc/meld.profile
@@ -0,0 +1,29 @@
		1	# This file is overwritten during software install.
		2	# Persistent customizations should go in a .local file.
		3	include /etc/firejail/meld.local
		4
		5	# Firejail profile for meld
		6	noblacklist ${HOME}/.local/share/meld
		7
		8	include /etc/firejail/disable-common.inc
		9	include /etc/firejail/disable-devel.inc
		10	include /etc/firejail/disable-passwdmgr.inc
		11	include /etc/firejail/disable-programs.inc
		12
		13	caps.drop all
		14	net none
		15	netfilter
		16	no3d
		17	nogroups
		18	nonewprivs
		19	noroot
		20	nosound
		21	protocol unix
		22	seccomp
		23	shell none
		24
		25	private-dev
		26	private-tmp
		27
		28	noexec ${HOME}
		29	noexec /tmp


diff --git a/etc/ssh.profile b/etc/ssh.profile index b1ef6b27e..425841399 100644 --- a/etc/ssh.profile +++ b/etc/ssh.profile
@@ -14,7 +14,18 @@ include /etc/firejail/disable-passwdmgr.inc
14		14
15	caps.drop all	15	caps.drop all
16	netfilter	16	netfilter
		17	no3d
		18	nogroups
17	nonewprivs	19	nonewprivs
18	noroot	20	noroot
		21	nosound
19	protocol unix,inet,inet6	22	protocol unix,inet,inet6
20	seccomp	23	seccomp
		24	shell none
		25	tracelog
		26
		27	private-dev
		28	#private-tmp #Breaks when exiting
		29
		30	noexec ${HOME}
		31	noexec /tmp


diff --git a/etc/steam.profile b/etc/steam.profile index c81836dfc..536588e4b 100644 --- a/etc/steam.profile +++ b/etc/steam.profile
@@ -12,11 +12,13 @@ include /etc/firejail/disable-passwdmgr.inc
12		12
13	caps.drop all	13	caps.drop all
14	netfilter	14	netfilter
		15	nogroups
15	nonewprivs	16	nonewprivs
16	noroot	17	noroot
17	protocol unix,inet,inet6,netlink	18	protocol unix,inet,inet6,netlink
18	seccomp	19	seccomp
19	shell none	20	shell none
		21	tracelog
20		22
21	private-dev	23	private-dev
22	private-tmp	24	private-tmp


diff --git a/etc/viking.profile b/etc/viking.profile new file mode 100644 index 000000000..2b68d731c --- /dev/null +++ b/etc/viking.profile
@@ -0,0 +1,30 @@
		1	# This file is overwritten during software install.
		2	# Persistent customizations should go in a .local file.
		3	include /etc/firejail/viking.local
		4
		5	# Firejail profile for viking
		6
		7	noblacklist ${HOME}/.viking
		8	noblacklist ${HOME}/.viking-maps
		9
		10	include /etc/firejail/disable-common.inc
		11	include /etc/firejail/disable-programs.inc
		12	include /etc/firejail/disable-passwdmgr.inc
		13	include /etc/firejail/disable-devel.inc
		14
		15	caps.drop all
		16	netfilter
		17	no3d
		18	nogroups
		19	nonewprivs
		20	noroot
		21	nosound
		22	protocol unix,inet,inet6
		23	seccomp
		24	shell none
		25
		26	private-dev
		27	private-tmp
		28
		29	noexec ${HOME}
		30	noexec /tmp


diff --git a/etc/wget.profile b/etc/wget.profile index cd156a376..3ba97d95d 100644 --- a/etc/wget.profile +++ b/etc/wget.profile
@@ -10,11 +10,11 @@ include /etc/firejail/disable-passwdmgr.inc
10		10
11	caps.drop all	11	caps.drop all
12	netfilter	12	netfilter
		13	no3d
		14	nogroups
13	nonewprivs	15	nonewprivs
14	noroot	16	noroot
15	nogroups
16	nosound	17	nosound
17	no3d
18	protocol unix,inet,inet6	18	protocol unix,inet,inet6
19	seccomp	19	seccomp
20	shell none	20	shell none
@@ -22,7 +22,9 @@ shell none
22	blacklist /tmp/.X11-unix	22	blacklist /tmp/.X11-unix
23		23
24	# private-bin wget	24	# private-bin wget
25	# private-etc resolv.conf
26	private-dev	25	private-dev
		26	# private-etc resolv.conf
27	private-tmp	27	private-tmp
28		28
		29	noexec ${HOME}
		30	noexec /tmp


diff --git a/etc/wireshark.profile b/etc/wireshark.profile index 90909edf1..dc224b31c 100644 --- a/etc/wireshark.profile +++ b/etc/wireshark.profile
@@ -18,6 +18,7 @@ include /etc/firejail/disable-passwdmgr.inc
18	#protocol unix,inet,inet6,netlink	18	#protocol unix,inet,inet6,netlink
19		19
20	netfilter	20	netfilter
		21	no3d
21	nogroups	22	nogroups
22	nonewprivs	23	nonewprivs
23	nosound	24	nosound
@@ -28,3 +29,6 @@ tracelog
28	#private-bin wireshark	29	#private-bin wireshark
29	private-dev	30	private-dev
30	private-tmp	31	private-tmp
		32
		33	noexec ${HOME}
		34	noexec /tmp


diff --git a/src/firejail/fs.c b/src/firejail/fs.c index fa66da617..025e715e6 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -113,7 +113,7 @@ static void disable_file(OPERATION op, const char *filename) {
113	else {	113	else {
114	if (arg_debug) {	114	if (arg_debug) {
115	if (strcmp(filename, fname))	115	if (strcmp(filename, fname))
116	printf("Disable %s (requesterd %s)\n", fname, filename);	116	printf("Disable %s (requested %s)\n", fname, filename);
117	else	117	else
118	printf("Disable %s\n", fname);	118	printf("Disable %s\n", fname);
119	}	119	}


diff --git a/test/utils/audit.exp b/test/utils/audit.exp index 566493947..f0c1906a0 100755 --- a/test/utils/audit.exp +++ b/test/utils/audit.exp
@@ -35,7 +35,7 @@ expect {
35	after 100	35	after 100
36		36
37		37
38	send -- "firejail --audit=/usr/lib/firejail/faudit\r"	38	send -- "firejail --audit\r"
39	expect {	39	expect {
40	timeout {puts "TESTING ERROR 6\n";exit}	40	timeout {puts "TESTING ERROR 6\n";exit}
41	"Firejail Audit"	41	"Firejail Audit"