635 files changed, 4634 insertions, 3516 deletions
@@ -35,6 +35,7 @@ Maintainer: | |||
35 | Committers | 35 | Committers |
36 | - chiraag-nataraj (https://github.com/chiraag-nataraj) | 36 | - chiraag-nataraj (https://github.com/chiraag-nataraj) |
37 | - crass (https://github.com/crass) | 37 | - crass (https://github.com/crass) |
38 | - glitsj16 (https://github.com/glitsj16) | ||
38 | - Fred-Barclay (https://github.com/Fred-Barclay) | 39 | - Fred-Barclay (https://github.com/Fred-Barclay) |
39 | - Reiner Herrmann (https://github.com/reinerh - Debian/Ubuntu maintainer) | 40 | - Reiner Herrmann (https://github.com/reinerh - Debian/Ubuntu maintainer) |
40 | - smithsohu (https://github.com/smitsohu) | 41 | - smithsohu (https://github.com/smitsohu) |
@@ -123,6 +124,8 @@ bn0785ac (https://github.com/bn0785ac) | |||
123 | - fix inox, add snox profile | 124 | - fix inox, add snox profile |
124 | BogDan Vatra (https://github.com/bog-dan-ro) | 125 | BogDan Vatra (https://github.com/bog-dan-ro) |
125 | - zoom profile | 126 | - zoom profile |
127 | Brad Ackerman | ||
128 | - blacklist Bitwarden config in disable-passwdmgr.inc | ||
126 | Bruno Nova (https://github.com/brunonova) | 129 | Bruno Nova (https://github.com/brunonova) |
127 | - whitelist fix | 130 | - whitelist fix |
128 | - bash arguments fix | 131 | - bash arguments fix |
@@ -277,7 +280,13 @@ glitsj16 (https://github.com/glitsj16) | |||
277 | - profile fixes: file, strings, claws-mail, | 280 | - profile fixes: file, strings, claws-mail, |
278 | - new profiles: QMediathekView, aria2c, Authenticator, checkbashisms | 281 | - new profiles: QMediathekView, aria2c, Authenticator, checkbashisms |
279 | - new profiles: devilspie, devilspie2, easystroke, github-desktop, min | 282 | - new profiles: devilspie, devilspie2, easystroke, github-desktop, min |
280 | - new profiles: bsdcat, bsdcpio, bsdtar, lzmadec | 283 | - new profiles: bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat |
284 | - new profiles: lbzip2, lzcat, lzcmp, lzdiff, lzegrep, lzfgrep, lzgrep | ||
285 | - new profiles: lzless, lzma, lzmainfo, lzmore, unlzma, unxz, xzcat | ||
286 | - new profiles: xzcmp, xzdiff, xzegrep, xzfgrep, xzgrep, xzless, xzmore | ||
287 | - new profiles: lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh | ||
288 | - new profiles: nirtoshare-send, nitroshare-ui, mencoder, gnome-pie | ||
289 | - new profiles: masterpdfeditor | ||
281 | graywolf (https://github.com/graywolf) | 290 | graywolf (https://github.com/graywolf) |
282 | - spelling fix | 291 | - spelling fix |
283 | greigdp (https://github.com/greigdp) | 292 | greigdp (https://github.com/greigdp) |
@@ -436,6 +445,8 @@ Paul Moore <pmoore@redhat.com> | |||
436 | -src/fsec-print/print.c extracted from libseccomp software package | 445 | -src/fsec-print/print.c extracted from libseccomp software package |
437 | Paupiah Yash (https://github.com/CaffeinatedStud) | 446 | Paupiah Yash (https://github.com/CaffeinatedStud) |
438 | - gzip profile | 447 | - gzip profile |
448 | Pawel (https://github.com/grimskies) | ||
449 | - make --join return exit code of the invoked program | ||
439 | Peter Millerchip (https://github.com/pmillerchip) | 450 | Peter Millerchip (https://github.com/pmillerchip) |
440 | - memory allocation fix | 451 | - memory allocation fix |
441 | - --private.keep to --private-home transition | 452 | - --private.keep to --private-home transition |
@@ -98,10 +98,7 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
98 | ````` | 98 | ````` |
99 | 99 | ||
100 | ````` | 100 | ````` |
101 | # Current development version: 0.9.56.1 | 101 | # Current development version: 0.9.57 |
102 | |||
103 | This is probably a bugfix release: fixes, small features, new profiles. If we end up implementing something major | ||
104 | we'll switch to a regular 0.9.57 release. | ||
105 | 102 | ||
106 | # New Long Term Support (LTS) version | 103 | # New Long Term Support (LTS) version |
107 | 104 | ||
@@ -134,5 +131,7 @@ The new LTS branch is here: https://github.com/netblue30/firejail/tree/LTSbase | |||
134 | # New profiles: | 131 | # New profiles: |
135 | 132 | ||
136 | QMediathekView, aria2c, Authenticator, checkbashisms, devilspie, devilspie2, easystroke, github-desktop, min, | 133 | QMediathekView, aria2c, Authenticator, checkbashisms, devilspie, devilspie2, easystroke, github-desktop, min, |
137 | bsdcat, bsdcpio, bsdtar, lzmadec | 134 | bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat, lbzip2, lzcat, lzcmp, lzdiff, lzegrep, lzfgrep, lzgrep, |
138 | 135 | lzless, lzma, lzmainfo, lzmore, unlzma, unxz, xzcat, xzcmp, xzdiff, xzegrep, xzfgrep, xzgrep, xzless, xzmore, | |
136 | lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh, nirtoshare-send, nitroshare-ui, mencoder, gnome-pie, | ||
137 | masterpdfeditor, QOwnNotes | ||
@@ -3,7 +3,13 @@ firejail (0.9.56.1) baseline; urgency=low | |||
3 | * --disable-mnt rework | 3 | * --disable-mnt rework |
4 | * new profiles: QMediathekView, aria2c, Authenticator, checkbashisms | 4 | * new profiles: QMediathekView, aria2c, Authenticator, checkbashisms |
5 | * new profiles: devilspie, devilspie2, easystroke, github-desktop, min | 5 | * new profiles: devilspie, devilspie2, easystroke, github-desktop, min |
6 | * new profiles: bsdcat, bsdcpio, bsdtar, lzmadec | 6 | * new profiles: bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat |
7 | * new profiles: lbzip2, lzcat, lzcmp, lzdiff, lzegrep, lzfgrep, lzgrep | ||
8 | * new profiles: lzless, lzma, lzmainfo, lzmore, unlzma, unxz, xzcat | ||
9 | * new profiles: xzcmp, xzdiff, xzegrep, xzfgrep, xzgrep, xzless, xzmore | ||
10 | * new profiles: lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh | ||
11 | * new profiles: nirtoshare-send, nitroshare-ui, mencoder, gnome-pie | ||
12 | * new profiles: masterpdfeditor, QOwnNotes | ||
7 | -- netblue30 <netblue30@yahoo.com> Thu, 11 Oct 2018 08:00:00 -0500 | 13 | -- netblue30 <netblue30@yahoo.com> Thu, 11 Oct 2018 08:00:00 -0500 |
8 | 14 | ||
9 | firejail (0.9.56) baseline; urgency=low | 15 | firejail (0.9.56) baseline; urgency=low |
@@ -1,6 +1,6 @@ | |||
1 | #! /bin/sh | 1 | #! /bin/sh |
2 | # Guess values for system-dependent variables and create Makefiles. | 2 | # Guess values for system-dependent variables and create Makefiles. |
3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.56.1. | 3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.57. |
4 | # | 4 | # |
5 | # Report bugs to <netblue30@yahoo.com>. | 5 | # Report bugs to <netblue30@yahoo.com>. |
6 | # | 6 | # |
@@ -580,8 +580,8 @@ MAKEFLAGS= | |||
580 | # Identity of this package. | 580 | # Identity of this package. |
581 | PACKAGE_NAME='firejail' | 581 | PACKAGE_NAME='firejail' |
582 | PACKAGE_TARNAME='firejail' | 582 | PACKAGE_TARNAME='firejail' |
583 | PACKAGE_VERSION='0.9.56.1' | 583 | PACKAGE_VERSION='0.9.57' |
584 | PACKAGE_STRING='firejail 0.9.56.1' | 584 | PACKAGE_STRING='firejail 0.9.57' |
585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' | 585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' |
586 | PACKAGE_URL='https://firejail.wordpress.com' | 586 | PACKAGE_URL='https://firejail.wordpress.com' |
587 | 587 | ||
@@ -1275,7 +1275,7 @@ if test "$ac_init_help" = "long"; then | |||
1275 | # Omit some internal or obsolete options to make the list less imposing. | 1275 | # Omit some internal or obsolete options to make the list less imposing. |
1276 | # This message is too long to be a string in the A/UX 3.1 sh. | 1276 | # This message is too long to be a string in the A/UX 3.1 sh. |
1277 | cat <<_ACEOF | 1277 | cat <<_ACEOF |
1278 | \`configure' configures firejail 0.9.56.1 to adapt to many kinds of systems. | 1278 | \`configure' configures firejail 0.9.57 to adapt to many kinds of systems. |
1279 | 1279 | ||
1280 | Usage: $0 [OPTION]... [VAR=VALUE]... | 1280 | Usage: $0 [OPTION]... [VAR=VALUE]... |
1281 | 1281 | ||
@@ -1337,7 +1337,7 @@ fi | |||
1337 | 1337 | ||
1338 | if test -n "$ac_init_help"; then | 1338 | if test -n "$ac_init_help"; then |
1339 | case $ac_init_help in | 1339 | case $ac_init_help in |
1340 | short | recursive ) echo "Configuration of firejail 0.9.56.1:";; | 1340 | short | recursive ) echo "Configuration of firejail 0.9.57:";; |
1341 | esac | 1341 | esac |
1342 | cat <<\_ACEOF | 1342 | cat <<\_ACEOF |
1343 | 1343 | ||
@@ -1442,7 +1442,7 @@ fi | |||
1442 | test -n "$ac_init_help" && exit $ac_status | 1442 | test -n "$ac_init_help" && exit $ac_status |
1443 | if $ac_init_version; then | 1443 | if $ac_init_version; then |
1444 | cat <<\_ACEOF | 1444 | cat <<\_ACEOF |
1445 | firejail configure 0.9.56.1 | 1445 | firejail configure 0.9.57 |
1446 | generated by GNU Autoconf 2.69 | 1446 | generated by GNU Autoconf 2.69 |
1447 | 1447 | ||
1448 | Copyright (C) 2012 Free Software Foundation, Inc. | 1448 | Copyright (C) 2012 Free Software Foundation, Inc. |
@@ -1744,7 +1744,7 @@ cat >config.log <<_ACEOF | |||
1744 | This file contains any messages produced by compilers while | 1744 | This file contains any messages produced by compilers while |
1745 | running configure, to aid debugging if configure makes a mistake. | 1745 | running configure, to aid debugging if configure makes a mistake. |
1746 | 1746 | ||
1747 | It was created by firejail $as_me 0.9.56.1, which was | 1747 | It was created by firejail $as_me 0.9.57, which was |
1748 | generated by GNU Autoconf 2.69. Invocation command line was | 1748 | generated by GNU Autoconf 2.69. Invocation command line was |
1749 | 1749 | ||
1750 | $ $0 $@ | 1750 | $ $0 $@ |
@@ -4379,7 +4379,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |||
4379 | # report actual input values of CONFIG_FILES etc. instead of their | 4379 | # report actual input values of CONFIG_FILES etc. instead of their |
4380 | # values after options handling. | 4380 | # values after options handling. |
4381 | ac_log=" | 4381 | ac_log=" |
4382 | This file was extended by firejail $as_me 0.9.56.1, which was | 4382 | This file was extended by firejail $as_me 0.9.57, which was |
4383 | generated by GNU Autoconf 2.69. Invocation command line was | 4383 | generated by GNU Autoconf 2.69. Invocation command line was |
4384 | 4384 | ||
4385 | CONFIG_FILES = $CONFIG_FILES | 4385 | CONFIG_FILES = $CONFIG_FILES |
@@ -4433,7 +4433,7 @@ _ACEOF | |||
4433 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | 4433 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
4434 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" | 4434 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
4435 | ac_cs_version="\\ | 4435 | ac_cs_version="\\ |
4436 | firejail config.status 0.9.56.1 | 4436 | firejail config.status 0.9.57 |
4437 | configured by $0, generated by GNU Autoconf 2.69, | 4437 | configured by $0, generated by GNU Autoconf 2.69, |
4438 | with options \\"\$ac_cs_config\\" | 4438 | with options \\"\$ac_cs_config\\" |
4439 | 4439 | ||
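--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.56.1, netblue30@yahoo.com, , https://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.57, netblue30@yahoo.com, , https://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
 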
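--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -2,19 +2,19 @@
 # Description: Real-time strategy game of ancient warfare
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/0ad.local
+include 0ad.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/0ad
 noblacklist ${HOME}/.config/0ad
 noblacklist ${HOME}/.local/share/0ad
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.cache/0ad
 mkdir ${HOME}/.config/0ad
@@ -22,7 +22,7 @@ mkdir ${HOME}/.local/share/0ad
 whitelist ${HOME}/.cache/0ad
 whitelist ${HOME}/.config/0ad
 whitelist ${HOME}/.local/share/0ad
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter
@@ -32,6 +32,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp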
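Review bot: The new bare-name includes (`include disable-common.inc`, `include globals.local`, …) no longer pin each file to `/etc/firejail`, so which file is loaded now depends on the profile parser's lookup order, which nothing on this page shows. If that lookup consults a per-user directory before the system one, a file there named `disable-common.inc` or `disable-programs.inc` would take the place of the system blacklist, so that directory has to stay read-only or hidden inside every sandbox. The same rewrite recurs in every other profile section on the page (2048-qt, 7z, Cryptocat, Fritzing, JDownloader, Mathematica, QMediathekView and the redirect profiles). I would state the lookup order once next to the first include, for example `# include names without a directory are resolved through firejail's profile search path`.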
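--- a/etc/2048-qt.profile
+++ b/etc/2048-qt.profile
@@ -2,25 +2,25 @@
 # Description: Mathematics based puzzle game
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/2048-qt.local
+include 2048-qt.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/2048-qt
 noblacklist ${HOME}/.config/xiaoyong
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.config/2048-qt
 mkdir ${HOME}/.config/xiaoyong
 whitelist ${HOME}/.config/2048-qt
 whitelist ${HOME}/.config/xiaoyong
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -30,6 +30,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp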
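--- a/etc/7z.profile
+++ b/etc/7z.profile
@@ -2,10 +2,10 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/7z.local
+include 7z.local
 # Persistent global definitions
 # added by included default.profile
-#include /etc/firejail/globals.local
+#include globals.local
 
 blacklist /tmp/.X11-unix
 
@@ -16,10 +16,11 @@ nodbus
 nodvd
 nosound
 notv
+nou2f
 novideo
 shell none
 tracelog
 
 private-dev
 
-include /etc/firejail/default.profile
+include default.profile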
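--- a/etc/7za.profile
+++ b/etc/7za.profile
@@ -1,10 +1,10 @@
 # Firejail profile for 7za
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/7za.local
+include 7za.local
 # Persistent global definitions
 # added by included profile
-#include /etc/firejail/globals.local
+#include globals.local
 
 # Redirect
-include /etc/firejail/7z.profile
+include 7z.profile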
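--- a/etc/7zr.profile
+++ b/etc/7zr.profile
@@ -1,10 +1,10 @@
 # Firejail profile for 7zr
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/7zr.local
+include 7zr.local
 # Persistent global definitions
 # added by included profile
-#include /etc/firejail/globals.local
+#include globals.local
 
 # Redirect
-include /etc/firejail/7z.profile
+include 7z.profile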
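--- a/etc/Cryptocat.profile
+++ b/etc/Cryptocat.profile
@@ -1,17 +1,17 @@
 # Firejail profile for Cryptocat
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/Cryptocat.local
+include Cryptocat.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/Cryptocat
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
@@ -21,6 +21,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 protocol unix,inet,inet6,netlink
 seccomp
 shell none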
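--- a/etc/Cyberfox.profile
+++ b/etc/Cyberfox.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/cyberfox.profile
+include cyberfox.profile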
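--- a/etc/Discord.profile
+++ b/etc/Discord.profile
@@ -1,9 +1,9 @@
 # Firejail profile for Discord
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/Discord.local
+include Discord.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 noblacklist ${HOME}/.config/discord
@@ -15,4 +15,4 @@ private-bin Discord
 private-opt Discord
 
 #Redirect
-include /etc/firejail/discord-common.profile
+include discord-common.profile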
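--- a/etc/DiscordCanary.profile
+++ b/etc/DiscordCanary.profile
@@ -1,9 +1,9 @@
 # Firejail profile for DiscordCanary
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/DiscordCanary.local
+include DiscordCanary.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 noblacklist ${HOME}/.config/discordcanary
@@ -15,4 +15,4 @@ private-bin DiscordCanary
 private-opt DiscordCanary
 
 #Redirect
-include /etc/firejail/discord-common.profile
+include discord-common.profile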
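--- a/etc/FossaMail.profile
+++ b/etc/FossaMail.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/fossamail.profile
+include fossamail.profile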
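--- a/etc/Fritzing.profile
+++ b/etc/Fritzing.profile
@@ -2,21 +2,21 @@
 # Description: Easy-to-use electronic design software
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/Fritzing.local
+include Fritzing.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/Fritzing
 noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace
@@ -27,6 +27,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp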
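--- a/etc/Gitter.profile
+++ b/etc/Gitter.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/gitter.profile
+include gitter.profile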
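--- a/etc/JDownloader.profile
+++ b/etc/JDownloader.profile
@@ -1,9 +1,9 @@
 # Firejail profile for JDownloader
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/JDownloader.local
+include JDownloader.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 noblacklist ${HOME}/.jd
@@ -14,18 +14,18 @@ noblacklist /usr/lib/java
 noblacklist /etc/java
 noblacklist /usr/share/java
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.jd
 whitelist ${HOME}/.jd
 whitelist ${DOWNLOADS}
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace
@@ -38,6 +38,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp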
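--- a/etc/Mathematica.profile
+++ b/etc/Mathematica.profile
@@ -1,25 +1,25 @@
 # Firejail profile for Mathematica
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/Mathematica.local
+include Mathematica.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.Mathematica
 noblacklist ${HOME}/.Wolfram Research
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.Mathematica
 mkdir ${HOME}/.Wolfram Research
 whitelist ${HOME}/.Mathematica
 whitelist ${HOME}/.Wolfram Research
 whitelist ${HOME}/Documents/Wolfram Mathematica
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 nodvd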
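--- a/etc/Natron.profile
+++ b/etc/Natron.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/natron.profile
+include natron.profile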
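--- a/etc/QMediathekView.profile
+++ b/etc/QMediathekView.profile
@@ -2,9 +2,9 @@
 # Description: Search, download or stream files from mediathek.de
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/QMediathekView.local
+include QMediathekView.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/QMediathekView
 noblacklist ${HOME}/.local/share/QMediathekView
@@ -18,13 +18,13 @@ noblacklist ${HOME}/.local/share/totem
 noblacklist ${HOME}/.local/share/xplayer
 noblacklist ${HOME}/.mplayer
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter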
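diff --git a/etc/QOwnNotes.profile b/etc/QOwnNotes.profile
new file mode 100644
index 000000000..1135b850b
--- /dev/null
+++ b/etc/QOwnNotes.profile
@@ -0,0 +1,56 @@
+# Firejail profile for QOwnNotes
+# Description: Plain-text file notepad with markdown support and ownCloud integration
+# This file is overwritten after every install/update
+# Persistent local customizations
+include QOwnNotes.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/Nextcloud/Notes
+noblacklist ${HOME}/.config/PBE
+noblacklist ${HOME}/.local/share/PBE
+
+mkdir ${DOCUMENTS}
+mkdir ${HOME}/Nextcloud/Notes
+mkdir ${HOME}.config/PBE
+mkdir ${HOME}/.local/share/PBE
+whitelist ${DOCUMENTS}
+whitelist ${HOME}/Nextcloud/Notes
+whitelist ${HOME}/.config/PBE
+whitelist ${HOME}/.local/share/PBE
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin QOwnNotes,gio
+private-dev
+private-etc fonts,ld.so.cache,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies
+private-tmp
+
+noexec ${HOME}
+noexec /tmp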
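Review bot: New line 16 reads `mkdir ${HOME}.config/PBE`, without the `/` after `${HOME}`, so it does not name the directory that lines 11 and 20 (`${HOME}/.config/PBE`) refer to; it should be `mkdir ${HOME}/.config/PBE`. As written the profile does not create the directory it whitelists on line 20, and how firejail handles the malformed path and the missing whitelist target on a first run is not visible here. The other three `mkdir` lines (14, 15, 17) match their `whitelist` counterparts.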
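diff --git a/etc/Telegram.profile b/etc/Telegram.profile
index df6557a90..51e4d9765 100644
--- a/etc/Telegram.profile
+++ b/etc/Telegram.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/telegram.profile
+include telegram.profile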
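diff --git a/etc/Thunar.profile b/etc/Thunar.profile
index 6de6cfb30..9937f3883 100644
--- a/etc/Thunar.profile
+++ b/etc/Thunar.profile
@@ -2,19 +2,19 @@
 # Description: File Manager for Xfce
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/Thunar.local
+include Thunar.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.local/share/Trash
 noblacklist ${HOME}/.config/Thunar
 noblacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-# include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# include disable-programs.inc
 
 caps.drop all
 netfilter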
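diff --git a/etc/Viber.profile b/etc/Viber.profile
index cb9d01e03..01bb49a99 100644
--- a/etc/Viber.profile
+++ b/etc/Viber.profile
@@ -1,22 +1,22 @@
 # Firejail profile for Viber
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/Viber.local
+include Viber.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 noblacklist ${HOME}/.ViberPC
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.ViberPC
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 ipc-namespace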
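diff --git a/etc/VirtualBox.profile b/etc/VirtualBox.profile
index c84b8a4ad..5fe8f1c57 100644
--- a/etc/VirtualBox.profile
+++ b/etc/VirtualBox.profile
@@ -4,4 +4,4 @@
 
 
 # Redirect
-include /etc/firejail/virtualbox.profile
+include virtualbox.profile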
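diff --git a/etc/XMind.profile b/etc/XMind.profile
index ff6258ca2..6b767555c 100644
--- a/etc/XMind.profile
+++ b/etc/XMind.profile
@@ -1,22 +1,22 @@
 # Firejail profile for XMind
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/XMind.local
+include XMind.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.xmind
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.xmind
 whitelist ${HOME}/.xmind
 whitelist ${DOWNLOADS}
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter
@@ -25,6 +25,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,inet,inet6
 seccomp
 shell none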
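diff --git a/etc/Xephyr.profile b/etc/Xephyr.profile
index c0c322b67..a95c8989a 100644
--- a/etc/Xephyr.profile
+++ b/etc/Xephyr.profile
@@ -1,9 +1,9 @@
 # Firejail profile for Xephyr
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/Xephyr.local
+include Xephyr.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 #
 # This profile will sandbox Xephyr server itself when used with firejail --x11=xephyr.
@@ -18,7 +18,7 @@ include /etc/firejail/globals.local
 blacklist /media
 
 whitelist /var/lib/xkb
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 # Xephyr needs to be allowed access to the abstract Unix socket namespace.
@@ -29,6 +29,7 @@ nonewprivs
 # noroot
 nosound
 notv
+nou2f
 protocol unix
 seccomp
 shell none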
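diff --git a/etc/Xvfb.profile b/etc/Xvfb.profile
index 4ae2d20d2..967946a6c 100644
--- a/etc/Xvfb.profile
+++ b/etc/Xvfb.profile
@@ -2,9 +2,9 @@
 # Description: Virtual Framebuffer 'fake' X server
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/Xvfb.local
+include Xvfb.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 #
 # This profile will sandbox Xvfb server itself when used with firejail --x11=xvfb.
@@ -20,7 +20,7 @@ include /etc/firejail/globals.local
 blacklist /media
 
 whitelist /var/lib/xkb
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 # Xvfb needs to be allowed access to the abstract Unix socket namespace.
@@ -31,6 +31,7 @@ nonewprivs
 #noroot
 nosound
 notv
+nou2f
 protocol unix
 seccomp
 shell none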
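diff --git a/etc/abrowser.profile b/etc/abrowser.profile
index d757d6f49..010247c6b 100644
--- a/etc/abrowser.profile
+++ b/etc/abrowser.profile
@@ -1,9 +1,9 @@
 # Firejail profile for abrowser
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/abrowser.local
+include abrowser.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
@@ -18,4 +18,4 @@ whitelist ${HOME}/.mozilla
 
 
 # Redirect
-include /etc/firejail/firefox-common.profile
+include firefox-common.profile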
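diff --git a/etc/acat.profile b/etc/acat.profile
index 08593585c..0b4579035 100644
--- a/etc/acat.profile
+++ b/etc/acat.profile
@@ -1,9 +1,9 @@
 # Firejail profile for acat
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/acat.local
+include acat.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # Redirect
-include /etc/firejail/atool.profile
+include atool.profile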
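diff --git a/etc/adiff.profile b/etc/adiff.profile
index 2c114d765..9073b1477 100644
--- a/etc/adiff.profile
+++ b/etc/adiff.profile
@@ -1,9 +1,9 @@
 # Firejail profile for adiff
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/adiff.local
+include adiff.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # Redirect
-include /etc/firejail/atool.profile
+include atool.profile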
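diff --git a/etc/akonadi_control.profile b/etc/akonadi_control.profile
index 0cbe306e8..4d40e6594 100644
--- a/etc/akonadi_control.profile
+++ b/etc/akonadi_control.profile
@@ -1,8 +1,8 @@
 # Firejail profile for akonadi_control
 # Persistent local customizations
-include /etc/firejail/akonadi_control.local
+include akonadi_control.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/akonadi*
 noblacklist ${HOME}/.config/akonadi*
@@ -20,13 +20,13 @@ noblacklist ${HOME}/.local/share/notes
 noblacklist /tmp/akonadi-*
 noblacklist /usr/sbin
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 # disabled options below are not compatible with the apparmor profile for mysqld-akonadi.
 # this affects ubuntu and debian currently
@@ -42,6 +42,7 @@ nogroups
 noroot
 nosound
 notv
+nou2f
 novideo
 # protocol unix,inet,inet6
 # seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice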
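diff --git a/etc/akregator.profile b/etc/akregator.profile
index af8dd2a3e..e7d0b74b9 100644
--- a/etc/akregator.profile
+++ b/etc/akregator.profile
@@ -2,26 +2,26 @@
 # Description: RSS/Atom feed aggregator
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/akregator.local
+include akregator.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/akregatorrc
 noblacklist ${HOME}/.local/share/akregator
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkfile ${HOME}/.config/akregatorrc
 mkdir ${HOME}/.local/share/akregator
 whitelist ${HOME}/.config/akregatorrc
 whitelist ${HOME}/.local/share/akregator
 whitelist ${HOME}/.local/share/kssl
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -31,6 +31,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6,netlink
 # chroot syscalls are needed for setting up the built-in sandbox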
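diff --git a/etc/als.profile b/etc/als.profile
index 8cd9a9182..24b8b976b 100644
--- a/etc/als.profile
+++ b/etc/als.profile
@@ -1,9 +1,9 @@
 # Firejail profile for als
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/als.local
+include als.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # Redirect
-include /etc/firejail/atool.profile
+include atool.profile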
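diff --git a/etc/amarok.profile b/etc/amarok.profile
index 3ee50a20b..6f2e6b3cc 100644
--- a/etc/amarok.profile
+++ b/etc/amarok.profile
@@ -2,20 +2,20 @@
 # Description: Easy to use media player based on the KDE Platform
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/amarok.local
+include amarok.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${MUSIC}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -23,6 +23,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 # seccomp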
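diff --git a/etc/amule.profile b/etc/amule.profile
index f052a312f..e969bb1df 100644
--- a/etc/amule.profile
+++ b/etc/amule.profile
@@ -2,22 +2,22 @@
 # Description: Client for the eD2k and Kad networks, like eMule
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/amule.local
+include amule.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 noblacklist ${HOME}/.aMule
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.aMule
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 ipc-namespace
@@ -29,6 +29,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp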
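diff --git a/etc/android-studio.profile b/etc/android-studio.profile
index 8f5cd56cc..180e4871b 100644
--- a/etc/android-studio.profile
+++ b/etc/android-studio.profile
@@ -1,9 +1,9 @@
 # Firejail profile for android-studio
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/android-studio.local
+include android-studio.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.AndroidStudio*
 noblacklist ${HOME}/.android
@@ -16,11 +16,11 @@ noblacklist ${HOME}/.local/share/JetBrains
 noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter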
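diff --git a/etc/anydesk.profile b/etc/anydesk.profile
index 17e083f4e..35b18bab4 100644
--- a/etc/anydesk.profile
+++ b/etc/anydesk.profile
@@ -1,21 +1,21 @@
 # Firejail profile for AnyDesk
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/anydesk.local
+include anydesk.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.anydesk
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-interpreters.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-interpreters.inc
 
 mkdir ${HOME}/.anydesk
 whitelist ${HOME}/.anydesk
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter
@@ -24,6 +24,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,inet,inet6
 seccomp
 shell none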
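diff --git a/etc/aosp.profile b/etc/aosp.profile
index 8622d6acd..a4eea4bad 100644
--- a/etc/aosp.profile
+++ b/etc/aosp.profile
@@ -1,9 +1,9 @@
 # Firejail profile for aosp
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/aosp.local
+include aosp.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 noblacklist ${HOME}/.android
@@ -18,12 +18,12 @@ noblacklist ${HOME}/.repoconfig
 noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace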
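diff --git a/etc/apack.profile b/etc/apack.profile
index ad44b227e..bd5e49a01 100644
--- a/etc/apack.profile
+++ b/etc/apack.profile
@@ -1,9 +1,9 @@
 # Firejail profile for apack
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/apack.local
+include apack.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # Redirect
-include /etc/firejail/atool.profile
+include atool.profile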
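diff --git a/etc/apktool.profile b/etc/apktool.profile
index d157b1478..bad0c9346 100644
--- a/etc/apktool.profile
+++ b/etc/apktool.profile
@@ -3,16 +3,16 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/apktool.local
+include apktool.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 net none
@@ -24,6 +24,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp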
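diff --git a/etc/arch-audit.profile b/etc/arch-audit.profile
index 9cd200ef2..7321f4e90 100644
--- a/etc/arch-audit.profile
+++ b/etc/arch-audit.profile
@@ -3,19 +3,19 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/arch-audit.local
+include arch-audit.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 noblacklist /var/lib/pacman
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 ipc-namespace
@@ -27,6 +27,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp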
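diff --git a/etc/archaudit-report.profile b/etc/archaudit-report.profile
index 27b15412f..1b029d1ac 100644
--- a/etc/archaudit-report.profile
+++ b/etc/archaudit-report.profile
@@ -2,21 +2,21 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/archaudit-report.local
+include archaudit-report.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 noblacklist /var/lib/pacman
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 ipc-namespace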
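--- a/etc/ardour4.profile
+++ b/etc/ardour4.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/ardour5.profile
+include ardour5.profile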
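Review bot: This redirect profile appears to have no local-override hook: lines 3 and 4 are blank where the other redirect profiles in this commit (arepack, aunpack, atril-previewer) carry `include <name>.local` and `include globals.local`. Lines 1-2 are outside the hunk, so this is inferred rather than confirmed. If the hook is indeed missing, adding `include ardour4.local` and `include globals.local` before the `# Redirect` line would let administrators tighten ardour4 without editing a file that is overwritten on update.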
diff --git a/etc/ardour5.profile b/etc/ardour5.profile index 99649cc3f..3c207b5b3 100644 --- a/etc/ardour5.profile +++ b/etc/ardour5.profile | |||
@@ -1,9 +1,9 @@ | |||
1 | # Firejail profile for ardour5 | 1 | # Firejail profile for ardour5 |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include /etc/firejail/ardour5.local | 4 | include ardour5.local |
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include globals.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.config/ardour4 | 8 | noblacklist ${HOME}/.config/ardour4 |
9 | noblacklist ${HOME}/.config/ardour5 | 9 | noblacklist ${HOME}/.config/ardour5 |
@@ -12,12 +12,12 @@ noblacklist ${HOME}/.vst | |||
12 | noblacklist ${DOCUMENTS} | 12 | noblacklist ${DOCUMENTS} |
13 | noblacklist ${MUSIC} | 13 | noblacklist ${MUSIC} |
14 | 14 | ||
15 | include /etc/firejail/disable-common.inc | 15 | include disable-common.inc |
16 | include /etc/firejail/disable-devel.inc | 16 | include disable-devel.inc |
17 | include /etc/firejail/disable-interpreters.inc | 17 | include disable-interpreters.inc |
18 | include /etc/firejail/disable-passwdmgr.inc | 18 | include disable-passwdmgr.inc |
19 | include /etc/firejail/disable-programs.inc | 19 | include disable-programs.inc |
20 | include /etc/firejail/disable-xdg.inc | 20 | include disable-xdg.inc |
21 | 21 | ||
22 | caps.drop all | 22 | caps.drop all |
23 | ipc-namespace | 23 | ipc-namespace |
@@ -28,6 +28,7 @@ nogroups | |||
28 | nonewprivs | 28 | nonewprivs |
29 | noroot | 29 | noroot |
30 | notv | 30 | notv |
31 | nou2f | ||
31 | protocol unix | 32 | protocol unix |
32 | seccomp | 33 | seccomp |
33 | shell none | 34 | shell none |
diff --git a/etc/arduino.profile b/etc/arduino.profile index 9f28cada4..6c2375fae 100644 --- a/etc/arduino.profile +++ b/etc/arduino.profile | |||
@@ -2,9 +2,9 @@ | |||
2 | # Description: AVR development board IDE and built-in libraries | 2 | # Description: AVR development board IDE and built-in libraries |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include /etc/firejail/arduino.local | 5 | include arduino.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.arduino15 | 9 | noblacklist ${HOME}/.arduino15 |
10 | noblacklist ${HOME}/.java | 10 | noblacklist ${HOME}/.java |
@@ -17,12 +17,12 @@ noblacklist /usr/lib/java | |||
17 | noblacklist /etc/java | 17 | noblacklist /etc/java |
18 | noblacklist /usr/share/java | 18 | noblacklist /usr/share/java |
19 | 19 | ||
20 | include /etc/firejail/disable-common.inc | 20 | include disable-common.inc |
21 | include /etc/firejail/disable-devel.inc | 21 | include disable-devel.inc |
22 | include /etc/firejail/disable-interpreters.inc | 22 | include disable-interpreters.inc |
23 | include /etc/firejail/disable-passwdmgr.inc | 23 | include disable-passwdmgr.inc |
24 | include /etc/firejail/disable-programs.inc | 24 | include disable-programs.inc |
25 | include /etc/firejail/disable-xdg.inc | 25 | include disable-xdg.inc |
26 | 26 | ||
27 | caps.drop all | 27 | caps.drop all |
28 | netfilter | 28 | netfilter |
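--- a/etc/arepack.profile
+++ b/etc/arepack.profile
@@ -1,9 +1,9 @@
 # Firejail profile for arepack
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/arepack.local
+include arepack.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # Redirect
-include /etc/firejail/atool.profile
+include atool.profile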
diff --git a/etc/aria2c.profile b/etc/aria2c.profile index 4231c58ff..3015349b7 100644 --- a/etc/aria2c.profile +++ b/etc/aria2c.profile | |||
@@ -2,18 +2,18 @@ | |||
2 | # Description: Download utility that supports HTTP(S), FTP, BitTorrent and Metalink | 2 | # Description: Download utility that supports HTTP(S), FTP, BitTorrent and Metalink |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include /etc/firejail/aria2c.local | 5 | include aria2c.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.aria2 | 9 | noblacklist ${HOME}/.aria2 |
10 | 10 | ||
11 | include /etc/firejail/disable-common.inc | 11 | include disable-common.inc |
12 | include /etc/firejail/disable-devel.inc | 12 | include disable-devel.inc |
13 | include /etc/firejail/disable-interpreters.inc | 13 | include disable-interpreters.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 14 | include disable-passwdmgr.inc |
15 | include /etc/firejail/disable-programs.inc | 15 | include disable-programs.inc |
16 | include /etc/firejail/disable-xdg.inc | 16 | include disable-xdg.inc |
17 | 17 | ||
18 | caps.drop all | 18 | caps.drop all |
19 | ipc-namespace | 19 | ipc-namespace |
@@ -26,6 +26,7 @@ nonewprivs | |||
26 | noroot | 26 | noroot |
27 | nosound | 27 | nosound |
28 | notv | 28 | notv |
29 | nou2f | ||
29 | novideo | 30 | novideo |
30 | protocol unix,inet,inet6 | 31 | protocol unix,inet,inet6 |
31 | seccomp | 32 | seccomp |
diff --git a/etc/ark.profile b/etc/ark.profile index d5a7f45f4..37211682c 100644 --- a/etc/ark.profile +++ b/etc/ark.profile | |||
@@ -2,19 +2,19 @@ | |||
2 | # Description: Archive utility | 2 | # Description: Archive utility |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include /etc/firejail/ark.local | 5 | include ark.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.config/arkrc | 9 | noblacklist ${HOME}/.config/arkrc |
10 | 10 | ||
11 | include /etc/firejail/disable-common.inc | 11 | include disable-common.inc |
12 | include /etc/firejail/disable-devel.inc | 12 | include disable-devel.inc |
13 | include /etc/firejail/disable-interpreters.inc | 13 | include disable-interpreters.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 14 | include disable-passwdmgr.inc |
15 | include /etc/firejail/disable-programs.inc | 15 | include disable-programs.inc |
16 | 16 | ||
17 | include /etc/firejail/whitelist-var-common.inc | 17 | include whitelist-var-common.inc |
18 | 18 | ||
19 | apparmor | 19 | apparmor |
20 | caps.drop all | 20 | caps.drop all |
@@ -27,6 +27,7 @@ nonewprivs | |||
27 | noroot | 27 | noroot |
28 | nosound | 28 | nosound |
29 | notv | 29 | notv |
30 | nou2f | ||
30 | novideo | 31 | novideo |
31 | protocol unix | 32 | protocol unix |
32 | seccomp | 33 | seccomp |
diff --git a/etc/arm.profile b/etc/arm.profile index da9b45928..288dd972a 100644 --- a/etc/arm.profile +++ b/etc/arm.profile | |||
@@ -2,9 +2,9 @@ | |||
2 | # Description: Terminal status monitor for Tor relays | 2 | # Description: Terminal status monitor for Tor relays |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include /etc/firejail/arm.local | 5 | include arm.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.arm | 9 | noblacklist ${HOME}/.arm |
10 | 10 | ||
@@ -14,15 +14,15 @@ noblacklist ${PATH}/python3* | |||
14 | noblacklist /usr/lib/python2* | 14 | noblacklist /usr/lib/python2* |
15 | noblacklist /usr/lib/python3* | 15 | noblacklist /usr/lib/python3* |
16 | 16 | ||
17 | include /etc/firejail/disable-common.inc | 17 | include disable-common.inc |
18 | include /etc/firejail/disable-devel.inc | 18 | include disable-devel.inc |
19 | include /etc/firejail/disable-interpreters.inc | 19 | include disable-interpreters.inc |
20 | include /etc/firejail/disable-passwdmgr.inc | 20 | include disable-passwdmgr.inc |
21 | include /etc/firejail/disable-programs.inc | 21 | include disable-programs.inc |
22 | 22 | ||
23 | mkdir ${HOME}/.arm | 23 | mkdir ${HOME}/.arm |
24 | whitelist ${HOME}/.arm | 24 | whitelist ${HOME}/.arm |
25 | include /etc/firejail/whitelist-common.inc | 25 | include whitelist-common.inc |
26 | 26 | ||
27 | caps.drop all | 27 | caps.drop all |
28 | ipc-namespace | 28 | ipc-namespace |
@@ -34,6 +34,7 @@ nonewprivs | |||
34 | noroot | 34 | noroot |
35 | nosound | 35 | nosound |
36 | notv | 36 | notv |
37 | nou2f | ||
37 | novideo | 38 | novideo |
38 | protocol unix,inet,inet6 | 39 | protocol unix,inet,inet6 |
39 | seccomp | 40 | seccomp |
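--- /dev/null
+++ b/etc/artha.profile
@@ -0,0 +1,46 @@
+# Firejail profile for artha
+# Description: A free cross-platform English thesaurus based on WordNet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include artha.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/artha.conf
+noblacklist ${HOME}/.config/enchant
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+# nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-bin artha,enchant,notify-send
+private-cache
+private-dev
+private-etc fonts
+private-lib libnotify.so.*
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp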
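Review bot: The new artha profile has no `include disable-xdg.inc`, although it carries no `noblacklist` for any XDG user directory and sibling profiles in this commit (aria2c, asunder, atril) include it. Assuming that file is what hides those directories, adding `include disable-xdg.inc` after `include disable-programs.inc` on line 16 would bring this profile in line with them. The `# nodbus` on line 23 is disabled without a stated reason. If it is off because `notify-send` in `private-bin` needs the session bus (inferred, not shown on this page), record that as `# nodbus - breaks notify-send` so the exception is documented.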
diff --git a/etc/asunder.profile b/etc/asunder.profile index 9c059ed0a..3167dfe12 100644 --- a/etc/asunder.profile +++ b/etc/asunder.profile | |||
@@ -2,9 +2,9 @@ | |||
2 | # Description: Graphical audio CD ripper and encoder | 2 | # Description: Graphical audio CD ripper and encoder |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include /etc/firejail/asunder.local | 5 | include asunder.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.config/asunder | 9 | noblacklist ${HOME}/.config/asunder |
10 | noblacklist ${HOME}/.asunder_album_genre | 10 | noblacklist ${HOME}/.asunder_album_genre |
@@ -12,14 +12,14 @@ noblacklist ${HOME}/.asunder_album_title | |||
12 | noblacklist ${HOME}/.asunder_album_artist | 12 | noblacklist ${HOME}/.asunder_album_artist |
13 | noblacklist ${MUSIC} | 13 | noblacklist ${MUSIC} |
14 | 14 | ||
15 | include /etc/firejail/disable-common.inc | 15 | include disable-common.inc |
16 | include /etc/firejail/disable-devel.inc | 16 | include disable-devel.inc |
17 | include /etc/firejail/disable-interpreters.inc | 17 | include disable-interpreters.inc |
18 | include /etc/firejail/disable-passwdmgr.inc | 18 | include disable-passwdmgr.inc |
19 | include /etc/firejail/disable-programs.inc | 19 | include disable-programs.inc |
20 | include /etc/firejail/disable-xdg.inc | 20 | include disable-xdg.inc |
21 | 21 | ||
22 | include /etc/firejail/whitelist-var-common.inc | 22 | include whitelist-var-common.inc |
23 | 23 | ||
24 | apparmor | 24 | apparmor |
25 | caps.drop all | 25 | caps.drop all |
@@ -28,6 +28,7 @@ nodbus | |||
28 | # nogroups | 28 | # nogroups |
29 | nonewprivs | 29 | nonewprivs |
30 | noroot | 30 | noroot |
31 | nou2f | ||
31 | protocol unix,inet,inet6 | 32 | protocol unix,inet,inet6 |
32 | seccomp | 33 | seccomp |
33 | shell none | 34 | shell none |
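--- a/etc/atom-beta.profile
+++ b/etc/atom-beta.profile
@@ -1,6 +1,6 @@
 # Firejail profile for atom-beta
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/atom-beta.local
+include atom-beta.local
 # Profile redirect
-include /etc/firejail/atom.profile
+include atom.profile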
diff --git a/etc/atom.profile b/etc/atom.profile index 1ff4e162d..ceb68ef3d 100644 --- a/etc/atom.profile +++ b/etc/atom.profile | |||
@@ -2,16 +2,16 @@ | |||
2 | # Description: A hackable text editor for the 21st Century | 2 | # Description: A hackable text editor for the 21st Century |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include /etc/firejail/atom.local | 5 | include atom.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.atom | 9 | noblacklist ${HOME}/.atom |
10 | noblacklist ${HOME}/.config/Atom | 10 | noblacklist ${HOME}/.config/Atom |
11 | 11 | ||
12 | include /etc/firejail/disable-common.inc | 12 | include disable-common.inc |
13 | include /etc/firejail/disable-passwdmgr.inc | 13 | include disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | 14 | include disable-programs.inc |
15 | 15 | ||
16 | caps.drop all | 16 | caps.drop all |
17 | # net none | 17 | # net none |
@@ -23,6 +23,7 @@ nonewprivs | |||
23 | noroot | 23 | noroot |
24 | nosound | 24 | nosound |
25 | notv | 25 | notv |
26 | nou2f | ||
26 | novideo | 27 | novideo |
27 | protocol unix,inet,inet6,netlink | 28 | protocol unix,inet,inet6,netlink |
28 | seccomp | 29 | seccomp |
diff --git a/etc/atool.profile b/etc/atool.profile index 161b211eb..b7addf36e 100644 --- a/etc/atool.profile +++ b/etc/atool.profile | |||
@@ -2,9 +2,9 @@ | |||
2 | # Description: Tool for managing file archives of various types | 2 | # Description: Tool for managing file archives of various types |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include /etc/firejail/atool.local | 5 | include atool.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist /tmp/.X11-unix | 9 | blacklist /tmp/.X11-unix |
10 | 10 | ||
@@ -15,11 +15,11 @@ noblacklist ${PATH}/perl | |||
15 | noblacklist /usr/lib/perl* | 15 | noblacklist /usr/lib/perl* |
16 | noblacklist /usr/share/perl* | 16 | noblacklist /usr/share/perl* |
17 | 17 | ||
18 | include /etc/firejail/disable-common.inc | 18 | include disable-common.inc |
19 | # include /etc/firejail/disable-devel.inc | 19 | # include disable-devel.inc |
20 | include /etc/firejail/disable-interpreters.inc | 20 | include disable-interpreters.inc |
21 | include /etc/firejail/disable-passwdmgr.inc | 21 | include disable-passwdmgr.inc |
22 | include /etc/firejail/disable-programs.inc | 22 | include disable-programs.inc |
23 | 23 | ||
24 | caps.drop all | 24 | caps.drop all |
25 | netfilter | 25 | netfilter |
@@ -31,6 +31,7 @@ nonewprivs | |||
31 | noroot | 31 | noroot |
32 | nosound | 32 | nosound |
33 | notv | 33 | notv |
34 | nou2f | ||
34 | novideo | 35 | novideo |
35 | protocol unix | 36 | protocol unix |
36 | seccomp | 37 | seccomp |
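--- a/etc/atril-previewer.profile
+++ b/etc/atril-previewer.profile
@@ -1,10 +1,10 @@
 # Firejail profile for atril-previewer
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/atril-previewer.local
+include atril-previewer.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 # Redirect
-include /etc/firejail/atril.profile
+include atril.profile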
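--- a/etc/atril-thumbnailer.profile
+++ b/etc/atril-thumbnailer.profile
@@ -1,10 +1,10 @@
 # Firejail profile for atril-thumbnailer
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/atril-thumbnailer.local
+include atril-thumbnailer.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 # Redirect
-include /etc/firejail/atril.profile
+include atril.profile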
diff --git a/etc/atril.profile b/etc/atril.profile index 6e5286e5f..92fae21d4 100644 --- a/etc/atril.profile +++ b/etc/atril.profile | |||
@@ -2,9 +2,9 @@ | |||
2 | # Description: MATE document viewer | 2 | # Description: MATE document viewer |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include /etc/firejail/atril.local | 5 | include atril.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.cache/atril | 9 | noblacklist ${HOME}/.cache/atril |
10 | noblacklist ${HOME}/.config/atril | 10 | noblacklist ${HOME}/.config/atril |
@@ -13,14 +13,14 @@ noblacklist ${DOCUMENTS} | |||
13 | #noblacklist ${HOME}/.local/share | 13 | #noblacklist ${HOME}/.local/share |
14 | # it seems to use only ${HOME}/.local/share/webkitgtk | 14 | # it seems to use only ${HOME}/.local/share/webkitgtk |
15 | 15 | ||
16 | include /etc/firejail/disable-common.inc | 16 | include disable-common.inc |
17 | include /etc/firejail/disable-devel.inc | 17 | include disable-devel.inc |
18 | include /etc/firejail/disable-interpreters.inc | 18 | include disable-interpreters.inc |
19 | include /etc/firejail/disable-passwdmgr.inc | 19 | include disable-passwdmgr.inc |
20 | include /etc/firejail/disable-programs.inc | 20 | include disable-programs.inc |
21 | include /etc/firejail/disable-xdg.inc | 21 | include disable-xdg.inc |
22 | 22 | ||
23 | include /etc/firejail/whitelist-var-common.inc | 23 | include whitelist-var-common.inc |
24 | 24 | ||
25 | # apparmor | 25 | # apparmor |
26 | caps.drop all | 26 | caps.drop all |
@@ -32,6 +32,7 @@ nonewprivs | |||
32 | noroot | 32 | noroot |
33 | nosound | 33 | nosound |
34 | notv | 34 | notv |
35 | nou2f | ||
35 | novideo | 36 | novideo |
36 | protocol unix | 37 | protocol unix |
37 | seccomp | 38 | seccomp |
diff --git a/etc/audacious.profile b/etc/audacious.profile index 627c1a72d..93a2f4b3e 100644 --- a/etc/audacious.profile +++ b/etc/audacious.profile | |||
@@ -2,22 +2,22 @@ | |||
2 | # Description: Small and fast audio player which supports lots of formats | 2 | # Description: Small and fast audio player which supports lots of formats |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include /etc/firejail/audacious.local | 5 | include audacious.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.config/Audaciousrc | 9 | noblacklist ${HOME}/.config/Audaciousrc |
10 | noblacklist ${HOME}/.config/audacious | 10 | noblacklist ${HOME}/.config/audacious |
11 | noblacklist ${MUSIC} | 11 | noblacklist ${MUSIC} |
12 | 12 | ||
13 | include /etc/firejail/disable-common.inc | 13 | include disable-common.inc |
14 | include /etc/firejail/disable-devel.inc | 14 | include disable-devel.inc |
15 | include /etc/firejail/disable-interpreters.inc | 15 | include disable-interpreters.inc |
16 | include /etc/firejail/disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
17 | include /etc/firejail/disable-programs.inc | 17 | include disable-programs.inc |
18 | include /etc/firejail/disable-xdg.inc | 18 | include disable-xdg.inc |
19 | 19 | ||
20 | include /etc/firejail/whitelist-var-common.inc | 20 | include whitelist-var-common.inc |
21 | 21 | ||
22 | apparmor | 22 | apparmor |
23 | caps.drop all | 23 | caps.drop all |
@@ -27,6 +27,7 @@ nogroups | |||
27 | nonewprivs | 27 | nonewprivs |
28 | noroot | 28 | noroot |
29 | notv | 29 | notv |
30 | nou2f | ||
30 | novideo | 31 | novideo |
31 | protocol unix,inet,inet6 | 32 | protocol unix,inet,inet6 |
32 | seccomp | 33 | seccomp |
diff --git a/etc/audacity.profile b/etc/audacity.profile index 685319f7f..4dd412359 100644 --- a/etc/audacity.profile +++ b/etc/audacity.profile | |||
@@ -2,22 +2,22 @@ | |||
2 | # Description: Fast, cross-platform audio editor | 2 | # Description: Fast, cross-platform audio editor |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include /etc/firejail/audacity.local | 5 | include audacity.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.audacity-data | 9 | noblacklist ${HOME}/.audacity-data |
10 | noblacklist ${DOCUMENTS} | 10 | noblacklist ${DOCUMENTS} |
11 | noblacklist ${MUSIC} | 11 | noblacklist ${MUSIC} |
12 | 12 | ||
13 | include /etc/firejail/disable-common.inc | 13 | include disable-common.inc |
14 | include /etc/firejail/disable-devel.inc | 14 | include disable-devel.inc |
15 | include /etc/firejail/disable-interpreters.inc | 15 | include disable-interpreters.inc |
16 | include /etc/firejail/disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
17 | include /etc/firejail/disable-programs.inc | 17 | include disable-programs.inc |
18 | include /etc/firejail/disable-xdg.inc | 18 | include disable-xdg.inc |
19 | 19 | ||
20 | include /etc/firejail/whitelist-var-common.inc | 20 | include whitelist-var-common.inc |
21 | 21 | ||
22 | apparmor | 22 | apparmor |
23 | caps.drop all | 23 | caps.drop all |
@@ -29,6 +29,7 @@ nogroups | |||
29 | nonewprivs | 29 | nonewprivs |
30 | noroot | 30 | noroot |
31 | notv | 31 | notv |
32 | nou2f | ||
32 | novideo | 33 | novideo |
33 | protocol unix | 34 | protocol unix |
34 | seccomp | 35 | seccomp |
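--- a/etc/aunpack.profile
+++ b/etc/aunpack.profile
@@ -1,9 +1,9 @@
 # Firejail profile for aunpack
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/aunpack.local
+include aunpack.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # Redirect
-include /etc/firejail/atool.profile
+include atool.profile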
diff --git a/etc/authenticator.profile b/etc/authenticator.profile index f10abdda8..9656bb3d7 100644 --- a/etc/authenticator.profile +++ b/etc/authenticator.profile | |||
@@ -2,9 +2,9 @@ | |||
2 | # Description: 2FA code generator for GNOME | 2 | # Description: 2FA code generator for GNOME |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include /etc/firejail/authenticator.local | 5 | include authenticator.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # blacklisted in 'disable-programs.local' | 9 | # blacklisted in 'disable-programs.local' |
10 | noblacklist ${HOME}/.config/Authenticator | 10 | noblacklist ${HOME}/.config/Authenticator |
@@ -13,11 +13,11 @@ noblacklist ${HOME}/.config/Authenticator | |||
13 | noblacklist ${PATH}/python3* | 13 | noblacklist ${PATH}/python3* |
14 | noblacklist /usr/lib/python3* | 14 | noblacklist /usr/lib/python3* |
15 | 15 | ||
16 | include /etc/firejail/disable-common.inc | 16 | include disable-common.inc |
17 | include /etc/firejail/disable-devel.inc | 17 | include disable-devel.inc |
18 | include /etc/firejail/disable-interpreters.inc | 18 | include disable-interpreters.inc |
19 | include /etc/firejail/disable-passwdmgr.inc | 19 | include disable-passwdmgr.inc |
20 | include /etc/firejail/disable-programs.inc | 20 | include disable-programs.inc |
21 | 21 | ||
22 | # apparmor | 22 | # apparmor |
23 | caps.drop all | 23 | caps.drop all |
@@ -30,8 +30,8 @@ nonewprivs | |||
30 | noroot | 30 | noroot |
31 | nosound | 31 | nosound |
32 | notv | 32 | notv |
33 | # novideo | ||
34 | nou2f | 33 | nou2f |
34 | # novideo | ||
35 | protocol unix | 35 | protocol unix |
36 | seccomp | 36 | seccomp |
37 | shell none | 37 | shell none |
diff --git a/etc/aweather.profile b/etc/aweather.profile index 823b07c8c..d7228570f 100644 --- a/etc/aweather.profile +++ b/etc/aweather.profile | |||
@@ -2,22 +2,22 @@ | |||
2 | # Description: Advanced Weather Monitoring Program | 2 | # Description: Advanced Weather Monitoring Program |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include /etc/firejail/aweather.local | 5 | include aweather.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.config/aweather | 9 | noblacklist ${HOME}/.config/aweather |
10 | 10 | ||
11 | include /etc/firejail/disable-common.inc | 11 | include disable-common.inc |
12 | include /etc/firejail/disable-devel.inc | 12 | include disable-devel.inc |
13 | include /etc/firejail/disable-interpreters.inc | 13 | include disable-interpreters.inc |
14 | include /etc/firejail/disable-passwdmgr.inc | 14 | include disable-passwdmgr.inc |
15 | include /etc/firejail/disable-programs.inc | 15 | include disable-programs.inc |
16 | 16 | ||
17 | mkdir ${HOME}/.config/aweather | 17 | mkdir ${HOME}/.config/aweather |
18 | whitelist ${HOME}/.config/aweather | 18 | whitelist ${HOME}/.config/aweather |
19 | include /etc/firejail/whitelist-common.inc | 19 | include whitelist-common.inc |
20 | include /etc/firejail/whitelist-var-common.inc | 20 | include whitelist-var-common.inc |
21 | 21 | ||
22 | caps.drop all | 22 | caps.drop all |
23 | netfilter | 23 | netfilter |
@@ -27,6 +27,7 @@ nonewprivs | |||
27 | noroot | 27 | noroot |
28 | nosound | 28 | nosound |
29 | notv | 29 | notv |
30 | nou2f | ||
30 | novideo | 31 | novideo |
31 | protocol unix,inet,inet6 | 32 | protocol unix,inet,inet6 |
32 | seccomp | 33 | seccomp |
diff --git a/etc/awesome.profile b/etc/awesome.profile index 49c1a4aad..5d1bf5071 100644 --- a/etc/awesome.profile +++ b/etc/awesome.profile | |||
@@ -2,13 +2,13 @@ | |||
2 | # Description: Standards-compliant, fast, light-weight and extensible window manager | 2 | # Description: Standards-compliant, fast, light-weight and extensible window manager |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include /etc/firejail/awesome.local | 5 | include awesome.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include /etc/firejail/globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # all applications started in awesome will run in this profile | 9 | # all applications started in awesome will run in this profile |
10 | noblacklist ${HOME}/.config/awesome | 10 | noblacklist ${HOME}/.config/awesome |
11 | include /etc/firejail/disable-common.inc | 11 | include disable-common.inc |
12 | 12 | ||
13 | caps.drop all | 13 | caps.drop all |
14 | netfilter | 14 | netfilter |
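--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -1,9 +1,9 @@
 # Firejail profile for baloo_file
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/baloo_file.local
+include baloo_file.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/baloofilerc
 noblacklist ${HOME}/.kde/share/config/baloofilerc
@@ -12,13 +12,13 @@ noblacklist ${HOME}/.kde4/share/config/baloofilerc
 noblacklist ${HOME}/.kde4/share/config/baloorc
 noblacklist ${HOME}/.local/share/baloo
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 no3d
@@ -28,6 +28,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 # blacklisting of ioprio_set system calls breaks baloo_file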
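--- a/etc/baloo_filemetadata_temp_extractor.profile
+++ b/etc/baloo_filemetadata_temp_extractor.profile
@@ -2,12 +2,12 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/baloo_filemetadata_temp_extractor.local
+include baloo_filemetadata_temp_extractor.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 ignore read-write
 read-only ${HOME}
 
 # Redirect
-include /etc/firejail/baloo_file.profile
+include baloo_file.profile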
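--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -2,15 +2,15 @@
 # Description: GNOME disk usage analyzer
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/baobab.local
+include baobab.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-# include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# include disable-programs.inc
 
 caps.drop all
 net none
@@ -22,6 +22,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp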
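--- a/etc/basilisk.profile
+++ b/etc/basilisk.profile
@@ -1,9 +1,9 @@
 # Firejail profile for basilisk
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/basilisk.local
+include basilisk.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/moonchild productions/basilisk
 noblacklist ${HOME}/.moonchild productions/basilisk
@@ -24,4 +24,4 @@ seccomp
 #private-opt basilisk
 
 # Redirect
-include /etc/firejail/firefox-common.profile
+include firefox-common.profile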
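--- a/etc/beaker.profile
+++ b/etc/beaker.profile
@@ -1,19 +1,19 @@
 # Firejail profile for beaker
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/beaker.local
+include beaker.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/Beaker Browser
 
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
+include disable-devel.inc
+include disable-interpreters.inc
 
 mkdir ${HOME}/.config/Beaker Browser
 whitelist ${HOME}/.config/Beaker Browser
 whitelist ${DOWNLOADS}
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 # Redirect
-include /etc/firejail/electron.profile
+include electron.profile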
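--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -2,24 +2,24 @@
 # Description: Bible study tool
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/bibletime.local
+include bibletime.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 blacklist ${HOME}/.bashrc
 
 noblacklist ${HOME}/.bibletime
 noblacklist ${HOME}/.sword
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 whitelist ${HOME}/.bibletime
 whitelist ${HOME}/.sword
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 machine-id
@@ -31,6 +31,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp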
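--- a/etc/bitcoin-qt.profile
+++ b/etc/bitcoin-qt.profile
@@ -2,25 +2,25 @@
 # Description: Bitcoin is a peer-to-peer network based digital currency
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/bitcoin-qt.local
+include bitcoin-qt.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.bitcoin
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.bitcoin
 mkdir ${HOME}/.config/Bitcoin
 whitelist ${HOME}/.bitcoin
 whitelist ${HOME}/.config/Bitcoin
 
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 machine-id
@@ -32,6 +32,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp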
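--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -2,20 +2,20 @@
 # Description: IRC to other chat networks gateway
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/bitlbee.local
+include bitlbee.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist /sbin
 noblacklist /usr/sbin
 # noblacklist /var/log
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 netfilter
 no3d
@@ -23,6 +23,7 @@ nodvd
 nonewprivs
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp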
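--- a/etc/blackbox.profile
+++ b/etc/blackbox.profile
@@ -2,13 +2,13 @@
 # Description: Standards-compliant, fast, light-weight and extensible window manager
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/blackbox.local
+include blackbox.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # all applications started in awesome will run in this profile
 noblacklist ${HOME}/.blackbox
-include /etc/firejail/disable-common.inc
+include disable-common.inc
 
 caps.drop all
 netfilter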
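Review bot: The comment on line 9 still reads `# all applications started in awesome will run in this profile`, which looks copied from awesome.profile; since this hunk already edits the lines around it, it should become `# all applications started in blackbox will run in this profile`. The comment is the only place the profile states that programs launched from the window manager inherit this sandbox. In the visible lines that sandbox has `disable-common.inc` as its only blacklist include, so the wording should name the right window manager.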
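--- a/etc/bleachbit.profile
+++ b/etc/bleachbit.profile
@@ -2,9 +2,9 @@
 # Description: Delete unnecessary files from the system
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/bleachbit.local
+include bleachbit.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # Allow python (blacklisted by disable-interpreters.inc)
 noblacklist ${PATH}/python2*
@@ -12,11 +12,11 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-# include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# include disable-programs.inc
 
 caps.drop all
 net none
@@ -28,6 +28,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp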
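--- a/etc/blender-2.8.profile
+++ b/etc/blender-2.8.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/blender.profile
+include blender.profile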
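--- a/etc/blender.profile
+++ b/etc/blender.profile
@@ -2,9 +2,9 @@
 # Description: Very fast and versatile 3D modeller/renderer
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/blender.local
+include blender.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/blender
 
@@ -14,11 +14,11 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 # Allow usage of AMD GPU by OpenCL
 noblacklist /sys/module
@@ -32,6 +32,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,inet,inet6,netlink
 seccomp
 shell none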
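--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -2,19 +2,19 @@
 # Description: A full featured hexadecimal editor
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/bless.local
+include bless.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/bless
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 net none
@@ -26,6 +26,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp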
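--- a/etc/bluefish.profile
+++ b/etc/bluefish.profile
@@ -2,17 +2,17 @@
 # Description: Advanced Gtk+ text editor for web and software development
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/bluefish.local
+include bluefish.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 net none
@@ -24,6 +24,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp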
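--- a/etc/bnox.profile
+++ b/etc/bnox.profile
@@ -1,9 +1,9 @@
 # Firejail profile for bnox
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/bnox.local
+include bnox.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/bnox
 noblacklist ${HOME}/.config/bnox
@@ -14,4 +14,4 @@ whitelist ${HOME}/.cache/bnox
 whitelist ${HOME}/.config/bnox
 
 # Redirect
-include /etc/firejail/chromium-common.profile
+include chromium-common.profile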
diff --git a/etc/brackets.profile b/etc/brackets.profile index 8f1068506..1c03b2119 100644 --- a/etc/brackets.profile +++ b/etc/brackets.profile | |||
@@ -1,17 +1,17 @@ | |||
1 | # Firejail profile for brackets | 1 | # Firejail profile for brackets |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include /etc/firejail/brackets.local | 4 | include brackets.local |
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include globals.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.config/Brackets | 8 | noblacklist ${HOME}/.config/Brackets |
9 | #noblacklist /opt/brackets/ | 9 | #noblacklist /opt/brackets/ |
10 | #noblacklist /opt/google/ | 10 | #noblacklist /opt/google/ |
11 | 11 | ||
12 | include /etc/firejail/disable-common.inc | 12 | include disable-common.inc |
13 | include /etc/firejail/disable-passwdmgr.inc | 13 | include disable-passwdmgr.inc |
14 | include /etc/firejail/disable-programs.inc | 14 | include disable-programs.inc |
15 | 15 | ||
16 | caps.drop all | 16 | caps.drop all |
17 | netfilter | 17 | netfilter |
@@ -21,6 +21,7 @@ nonewprivs | |||
21 | noroot | 21 | noroot |
22 | nosound | 22 | nosound |
23 | notv | 23 | notv |
24 | nou2f | ||
24 | novideo | 25 | novideo |
25 | protocol unix,inet,inet6,netlink | 26 | protocol unix,inet,inet6,netlink |
26 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplic | 27 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplic |
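--- a/etc/brasero.profile
+++ b/etc/brasero.profile
@@ -2,17 +2,17 @@
 # Description: CD/DVD burning application for GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/brasero.local
+include brasero.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/brasero
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 net none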
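--- a/etc/brave.profile
+++ b/etc/brave.profile
@@ -1,9 +1,9 @@
 # Firejail profile for brave
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/brave.local
+include brave.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/brave
 # brave uses gpg for built-in password manager
@@ -17,4 +17,4 @@ whitelist ${HOME}/.gnupg
 ignore noexec /tmp
 
 # Redirect
-include /etc/firejail/chromium-common.profile
+include chromium-common.profile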
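--- a/etc/bsdcat.profile
+++ b/etc/bsdcat.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/bsdtar.profile
+include bsdtar.profile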
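--- a/etc/bsdcpio.profile
+++ b/etc/bsdcpio.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/bsdtar.profile
+include bsdtar.profile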
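--- a/etc/bsdtar.profile
+++ b/etc/bsdtar.profile
@@ -2,15 +2,15 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/bsdtar.local
+include bsdtar.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
-include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+# include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 blacklist /tmp/.X11-unix
 
@@ -25,6 +25,7 @@ nonewprivs
 # noroot
 nosound
 notv
+nou2f
 novideo
 nonewprivs
 protocol unix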
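Review bot: `nonewprivs` on new line 30 appears to be a duplicate: the second hunk's header shows a `nonewprivs` line earlier in the file, so the directive is probably set twice. It is harmless, but since this hunk inserts `nou2f` two lines above, dropping the second `nonewprivs` would keep the option list unambiguous. `# noroot` also stays commented out on line 25 with no explanation. A short comment such as `# noroot disabled: <reason>` would help, because bsdcat.profile and bsdcpio.profile redirect here and inherit it.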
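--- a/etc/bunzip2.profile
+++ b/etc/bunzip2.profile
@@ -1,9 +1,9 @@
 # Firejail profile for bunzip2
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/bunzip2.local
+include bunzip2.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # Redirect
-include /etc/firejail/gzip.profile
+include gzip.profile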
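--- a/etc/caja.profile
+++ b/etc/caja.profile
@@ -2,9 +2,9 @@
 # Description: File manager for the MATE desktop
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/caja.local
+include caja.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # Caja is started by systemd on most systems. Therefore it is not firejailed by default. Since there
 # is already a caja process running on MATE desktops firejail will have no effect.
@@ -19,11 +19,11 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-# include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# include disable-programs.inc
 
 caps.drop all
 netfilter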
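--- a/etc/calibre.profile
+++ b/etc/calibre.profile
@@ -2,21 +2,21 @@
 # Description: Powerful and easy to use e-book manager
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/calibre.local
+include calibre.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/calibre
 noblacklist ${HOME}/.config/calibre
 noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -27,6 +27,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp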
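--- a/etc/calligra.profile
+++ b/etc/calligra.profile
@@ -2,15 +2,15 @@
 # Description: Extensive productivity and creative suite
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/calligra.local
+include calligra.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 ipc-namespace
@@ -21,6 +21,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix
 seccomp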
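--- a/etc/calligraauthor.profile
+++ b/etc/calligraauthor.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/calligra.profile
+include calligra.profile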
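--- a/etc/calligraconverter.profile
+++ b/etc/calligraconverter.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/calligra.profile
+include calligra.profile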
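--- a/etc/calligraflow.profile
+++ b/etc/calligraflow.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/calligra.profile
+include calligra.profile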
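--- a/etc/calligraplan.profile
+++ b/etc/calligraplan.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/calligra.profile
+include calligra.profile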
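--- a/etc/calligraplanwork.profile
+++ b/etc/calligraplanwork.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/calligra.profile
+include calligra.profile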
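--- a/etc/calligrasheets.profile
+++ b/etc/calligrasheets.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/calligra.profile
+include calligra.profile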
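--- a/etc/calligrastage.profile
+++ b/etc/calligrastage.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/calligra.profile
+include calligra.profile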
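--- a/etc/calligrawords.profile
+++ b/etc/calligrawords.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/calligra.profile
+include calligra.profile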
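--- a/etc/catfish.profile
+++ b/etc/catfish.profile
@@ -2,9 +2,9 @@
 # Description: File searching tool
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/catfish.local
+include catfish.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # We can't blacklist much since catfish
 # is for finding files/content
@@ -17,14 +17,14 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+# include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 whitelist /var/lib/mlocate
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 net none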
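--- a/etc/checkbashisms.profile
+++ b/etc/checkbashisms.profile
@@ -3,9 +3,9 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/checkbashisms.local
+include checkbashisms.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${DOCUMENTS}
 
@@ -16,14 +16,14 @@ noblacklist ${PATH}/perl
 noblacklist /usr/lib/perl*
 noblacklist /usr/share/perl*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace
@@ -36,6 +36,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp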
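--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -2,9 +2,9 @@
 # Description: Hierarchical note taking application
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/cherrytree.local
+include cherrytree.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/cherrytree
 noblacklist ${DOCUMENTS}
@@ -15,12 +15,12 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter
@@ -31,6 +31,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp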
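--- a/etc/chromium-browser.profile
+++ b/etc/chromium-browser.profile
@@ -2,4 +2,4 @@
 # This file is overwritten after every install/update
 
 # Redirect
-include /etc/firejail/chromium.profile
+include chromium.profile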
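--- a/etc/chromium-common.profile
+++ b/etc/chromium-common.profile
@@ -1,23 +1,23 @@
 # Firejail profile for chromium-common
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/chromium-common.local
+include chromium-common.local
 # Persistent global definitions
 # already included by caller profile
-#include /etc/firejail/globals.local
+#include globals.local
 
 noblacklist ${HOME}/.pki
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.pki
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.keep sys_chroot,sys_admin
@@ -27,6 +27,7 @@ nodbus
 nodvd
 nogroups
 notv
+nou2f
 shell none
 
 disable-mnt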
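Review bot: `nou2f` in the second hunk is unconditional in a profile that chromium.profile redirects to, so a browser started under it presumably loses access to U2F/FIDO security keys and with them hardware-backed two-factor logins. Users who rely on a key would then fall back to weaker second factors unless they know how to undo the option. I would keep the default but document the opt-out directly above the line, e.g. `# nou2f blocks U2F security keys; add 'ignore nou2f' to chromium-common.local if you use one`.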
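--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -2,9 +2,9 @@
 # Description: A web browser built for speed, simplicity, and security
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/chromium.local
+include chromium.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/chromium
 noblacklist ${HOME}/.config/chromium
@@ -19,4 +19,4 @@ whitelist ${HOME}/.config/chromium-flags.conf
 # private-bin chromium,chromium-browser,chromedriver
 
 # Redirect
-include /etc/firejail/chromium-common.profile
+include chromium-common.profile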
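--- a/etc/cin.profile
+++ b/etc/cin.profile
@@ -1,17 +1,17 @@
 # Firejail profile for cin
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/cin.local
+include cin.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.bcast5
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 ipc-namespace
@@ -21,6 +21,7 @@ nodvd
 #nogroups
 nonewprivs
 notv
+nou2f
 noroot
 protocol unix
 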
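Review bot: In the second hunk `nou2f` lands between `notv` and `noroot`, whereas the other profiles in this commit keep the option list sorted with `nou2f` after `notv` and `noroot` ahead of both. The ordering has no effect on the sandbox as far as this page shows, but a sorted list makes a missing hardening option easier to spot when profiles are compared. I would reorder the three lines to `noroot`, `notv`, `nou2f`.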
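--- a/etc/cinelerra.profile
+++ b/etc/cinelerra.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/cin.profile
+include cin.profile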
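--- a/etc/clamav.profile
+++ b/etc/clamav.profile
@@ -3,9 +3,9 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/clamav.local
+include clamav.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 caps.drop all
 ipc-namespace
@@ -18,6 +18,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp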
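--- a/etc/clamdscan.profile
+++ b/etc/clamdscan.profile
@@ -4,4 +4,4 @@ quiet
 
 
 # Redirect
-include /etc/firejail/clamav.profile
+include clamav.profile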
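--- a/etc/clamdtop.profile
+++ b/etc/clamdtop.profile
@@ -4,4 +4,4 @@ quiet
 
 
 # Redirect
-include /etc/firejail/clamav.profile
+include clamav.profile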
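--- a/etc/clamscan.profile
+++ b/etc/clamscan.profile
@@ -4,4 +4,4 @@ quiet
 
 
 # Redirect
-include /etc/firejail/clamav.profile
+include clamav.profile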
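--- a/etc/clamtk.profile
+++ b/etc/clamtk.profile
@@ -1,9 +1,9 @@
 # Firejail profile for clamtk
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/clamtk.local
+include clamtk.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 caps.drop all
 ipc-namespace
@@ -16,6 +16,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp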
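--- a/etc/claws-mail.profile
+++ b/etc/claws-mail.profile
@@ -2,19 +2,19 @@
 # Description: Fast, lightweight and user-friendly GTK+2 based email client
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/claws-mail.local
+include claws-mail.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.claws-mail
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.signature
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter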
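--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -2,27 +2,28 @@
 # Description: Modern music player and library organizer
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/clementine.local
+include clementine.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/Clementine
 noblacklist ${HOME}/.config/Clementine
 noblacklist ${MUSIC}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 # blacklisting of ioprio_set system calls breaks clementine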
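--- a/etc/clion.profile
+++ b/etc/clion.profile
@@ -1,9 +1,9 @@
 # Firejail profile for CLion
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/clion.local
+include clion.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.CLion*
 noblacklist ${HOME}/.gitconfig
@@ -12,9 +12,9 @@ noblacklist ${HOME}/.local/share/JetBrains
 noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
@@ -23,6 +23,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp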
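Review bot: The `noblacklist ${HOME}/.ssh` line in the second hunk keeps SSH private keys readable inside a sandbox that also allows `protocol unix,inet,inet6`, and the profile gives no reason for the exemption. Anything running inside the IDE, plugins and build scripts included, can therefore read the keys and reach the network. If the exemption exists for git over SSH, I would say so above the line, e.g. `# ~/.ssh stays visible for git over SSH; blacklist it in clion.local if unused`, so that users who do not need it know they can close it.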
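--- a/etc/clipit.profile
+++ b/etc/clipit.profile
@@ -2,19 +2,19 @@
 # Description: Lightweight GTK+ clipboard manager
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/clipit.local
+include clipit.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/clipit
 noblacklist ${HOME}/.local/share/clipit
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter
@@ -25,6 +25,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp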
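--- a/etc/cliqz.profile
+++ b/etc/cliqz.profile
@@ -1,9 +1,9 @@
 # Firejail profile for cliqz
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/cliqz.local
+include cliqz.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/cliqz
 noblacklist ${HOME}/.config/cliqz
@@ -17,4 +17,4 @@ whitelist ${HOME}/.config/cliqz
 #private-etc cliqz
 
 # Redirect
-include /etc/firejail/firefox-common.profile
+include firefox-common.profile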
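--- a/etc/cmus.profile
+++ b/etc/cmus.profile
@@ -2,19 +2,19 @@
 # Description: Lightweight ncurses audio player
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/cmus.local
+include cmus.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/cmus
 noblacklist ${MUSIC}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter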
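--- a/etc/code.profile
+++ b/etc/code.profile
@@ -1,16 +1,16 @@
 # Firejail profile for Visual Studio Code
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/code.local
+include code.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.vscode
 noblacklist ${HOME}/.config/Code
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 net none
@@ -21,6 +21,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp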
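Review bot: The `protocol unix,inet,inet6,netlink` line in the second hunk allows socket families that `net none` in the first hunk leaves with nothing but a loopback interface, and the profile does not explain the mismatch. If the editor needs loopback TCP or netlink, a comment such as `# inet/inet6/netlink kept for loopback-only use under net none` would tell a later reader the wide list is deliberate. If it does not, `protocol unix` would be the tighter setting and would stay correct should `net none` ever be lifted in code.local.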
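--- a/etc/conkeror.profile
+++ b/etc/conkeror.profile
@@ -1,14 +1,14 @@
 # Firejail profile for conkeror
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/conkeror.local
+include conkeror.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.conkeror.mozdev.org
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-programs.inc
 
 whitelist ${HOME}/.conkeror.mozdev.org
 whitelist ${HOME}/.conkerorrc
@@ -21,7 +21,7 @@ whitelist ${HOME}/.vimperatorrc
 whitelist ${HOME}/.zotero
 whitelist ${HOME}/Downloads
 whitelist ${HOME}/dwhelper
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter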
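Review bot: The second hunk still whitelists the literal `${HOME}/Downloads`, while chromium-common.profile in this same commit uses the `${DOWNLOADS}` macro. On a system whose download directory has another name the literal path presumably matches nothing, so downloads land in a location that is not kept after the sandbox exits and users are pushed towards running the browser unsandboxed. I would change the line to `whitelist ${DOWNLOADS}` so both browser profiles resolve the directory the same way.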
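--- a/etc/conky.profile
+++ b/etc/conky.profile
@@ -2,18 +2,18 @@
 # Description: Highly configurable system monitor
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/conky.local
+include conky.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${PICTURES}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 ipc-namespace
@@ -25,6 +25,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp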
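--- a/etc/corebird.profile
+++ b/etc/corebird.profile
@@ -2,20 +2,20 @@
 # Description: Native Gtk+ Twitter client for the Linux desktop
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/corebird.local
+include corebird.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/corebird
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -24,6 +24,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp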
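--- a/etc/cower.profile
+++ b/etc/cower.profile
@@ -8,20 +8,20 @@
 quiet
 
 # Persistent local customizations
-include /etc/firejail/cower.local
+include cower.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/cower/config
 read-only ${HOME}/.config/cower/config
 
 noblacklist /var/lib/pacman
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 ipc-namespace
@@ -33,6 +33,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp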
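--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -3,18 +3,18 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/cpio.local
+include cpio.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 blacklist /tmp/.X11-unix
 
 noblacklist /sbin
 noblacklist /usr/sbin
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 net none
@@ -24,6 +24,7 @@ nodvd
 nonewprivs
 nosound
 notv
+nou2f
 novideo
 seccomp
 shell none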
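--- a/etc/cryptocat.profile
+++ b/etc/cryptocat.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/Cryptocat.profile
+include Cryptocat.profile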
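--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -3,17 +3,17 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/curl.local
+include curl.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 blacklist /tmp/.X11-unix
 
 noblacklist ${HOME}/.curlrc
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
@@ -24,6 +24,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp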
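--- a/etc/cvlc.profile
+++ b/etc/cvlc.profile
@@ -1,12 +1,12 @@
 # Firejail profile for cvlc
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/cvlc.local
+include cvlc.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # cvlc doesn't like private-bin
 ignore private-bin
 
 # Redirect
-include /etc/firejail/vlc.profile
+include vlc.profile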
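--- a/etc/cyberfox.profile
+++ b/etc/cyberfox.profile
@@ -1,9 +1,9 @@
 # Firejail profile for cyberfox
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/cyberfox.local
+include cyberfox.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.8pecxstudios
 noblacklist ${HOME}/.cache/8pecxstudios
@@ -18,4 +18,4 @@ whitelist ${HOME}/.cache/8pecxstudios
 #private-etc cyberfox
 
 # Redirect
-include /etc/firejail/firefox-common.profile
+include firefox-common.profile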
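--- a/etc/darktable.profile
+++ b/etc/darktable.profile
@@ -2,20 +2,20 @@
 # Description: Virtual lighttable and darkroom for photographers
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/darktable.local
+include darktable.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/darktable
 noblacklist ${HOME}/.config/darktable
 noblacklist ${PICTURES}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter
@@ -25,6 +25,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp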
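--- a/etc/deadbeef.profile
+++ b/etc/deadbeef.profile
@@ -2,19 +2,19 @@
 # Description: A GTK+ audio player for GNU/Linux
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/deadbeef.local
+include deadbeef.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/deadbeef
 noblacklist ${MUSIC}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter
@@ -23,6 +23,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp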
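--- a/etc/default.profile
+++ b/etc/default.profile
@@ -1,19 +1,19 @@
 # Firejail profile for default
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/default.local
+include default.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # generic gui profile
 # depending on your usage, you can enable some of the commands below:
 
-include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-devel.inc
-# include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-#include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+# include disable-devel.inc
+# include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+#include disable-xdg.inc
 
 caps.drop all
 # ipc-namespace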
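--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -2,9 +2,9 @@
 # Description: BitTorrent client written in Python/PyGTK
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/deluge.local
+include deluge.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/deluge
 
@@ -14,17 +14,17 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+# include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.config/deluge
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/deluge
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 machine-id
@@ -34,6 +34,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp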
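--- a/etc/desktop.profile
+++ b/etc/desktop.profile
@@ -2,20 +2,20 @@
 # Description: Extend your GitHub workflow beyond your browser with GitHub Desktop
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/github-desktop.local
+include github-desktop.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 whitelist ${HOME}/.gitconfig
 whitelist ${HOME}/.config/GitHub Desktop
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-devel.inc
+include disable-interpreters.inc
 
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter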
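Review bot: The local override on line 5 is `include github-desktop.local`, but this file is etc/desktop.profile, whereas every other profile in the commit includes a .local file named after the profile itself. A user who tightens this sandbox by creating desktop.local would have that file ignored, unless it is included further down, outside the hunk. Since the line is being rewritten anyway, I would either include both names or add a comment above it such as `# Local overrides for this profile are read from github-desktop.local, not desktop.local`.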
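--- a/etc/devilspie.profile
+++ b/etc/devilspie.profile
@@ -2,17 +2,17 @@
 # Description: Window matching daemon
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/devilspie.local
+include devilspie.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.devilspie
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 ipc-namespace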
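--- a/etc/devilspie2.profile
+++ b/etc/devilspie2.profile
@@ -2,17 +2,17 @@
 # Description: Window matching daemon (Lua)
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/devilspie2.local
+include devilspie2.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/devilspie2
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 ipc-namespace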
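--- a/etc/dex2jar.profile
+++ b/etc/dex2jar.profile
@@ -2,9 +2,9 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/dex2jar.local
+include dex2jar.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # Allow access to java
 noblacklist ${PATH}/java
@@ -12,14 +12,14 @@ noblacklist /usr/lib/java
 noblacklist /etc/java
 noblacklist /usr/share/java
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 net none
@@ -31,6 +31,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp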
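--- a/etc/dia.profile
+++ b/etc/dia.profile
@@ -2,19 +2,19 @@
 # Description: Diagram editor
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/dia.local
+include dia.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.dia
 noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 net none
@@ -26,6 +26,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp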
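--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -2,20 +2,20 @@ quiet
 # Firejail profile for dig
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/dig.local
+include dig.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
-include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-devel.inc
-# include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-#include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+# include disable-devel.inc
+# include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+#include disable-xdg.inc
 
 whitelist ~/.digrc
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 # ipc-namespace
@@ -28,6 +28,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp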
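Review bot: Line 16 still reads `whitelist ~/.digrc`, the only home-relative path in this commit written with `~` rather than the `${HOME}` macro that every other profile uses. This is a style point on a context line next to the rewritten includes, not something the commit introduced. I would normalise it to `whitelist ${HOME}/.digrc` so that searching the profiles for `${HOME}` finds every home path that is exposed.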
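--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -2,9 +2,9 @@
 # Description: Digital photo management application for KDE
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/digikam.local
+include digikam.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/digikam
 noblacklist ${HOME}/.config/digikamrc
@@ -12,14 +12,14 @@ noblacklist ${HOME}/.kde/share/apps/digikam
 noblacklist ${HOME}/.kde4/share/apps/digikam
 noblacklist ${PICTURES}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all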
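--- a/etc/dillo.profile
+++ b/etc/dillo.profile
@@ -2,25 +2,25 @@
 # Description: Small and fast web browser
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/dillo.local
+include dillo.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.dillo
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.dillo
 mkdir ${HOME}/.fltk
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.dillo
 whitelist ${HOME}/.fltk
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -28,6 +28,7 @@ nodvd
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,inet,inet6
 seccomp
 tracelog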
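--- a/etc/dino.profile
+++ b/etc/dino.profile
@@ -1,22 +1,22 @@
 # Firejail profile for dino
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/dino.local
+include dino.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.local/share/dino
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.local/share/dino
 whitelist ${HOME}/.local/share/dino
 whitelist ${HOME}/Downloads
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter
@@ -27,6 +27,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp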
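Review bot: The rewritten includes (`include dino.local`, `include disable-common.inc`, and the rest) no longer say where the file is read from, and the header comments above them were left unchanged. The same applies to every other file section in this commit that drops the `/etc/firejail/` prefix. How a name without a slash is resolved is not visible in this diff; if the lookup consults a per-user directory before the system one, a same-named `disable-*.inc` there would replace the shipped blacklist instead of extending it, which is worth knowing when auditing a sandbox. I would record the lookup order in the header, for example `# Persistent local customizations (looked up in <search order>)`, and describe it in the commit message.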
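--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -1,6 +1,6 @@
 # This file is overwritten during software install.
 # Persistent customizations should go in a .local file.
-include /etc/firejail/disable-common.local
+include disable-common.local
 
 # History files in $HOME and clipboard managers
 blacklist-nolog ${HOME}/.*_history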
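--- a/etc/disable-devel.inc
+++ b/etc/disable-devel.inc
@@ -1,6 +1,6 @@
 # This file is overwritten during software install.
 # Persistent customizations should go in a .local file.
-include /etc/firejail/disable-devel.local
+include disable-devel.local
 
 # development tools
 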
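--- a/etc/disable-interpreters.inc
+++ b/etc/disable-interpreters.inc
@@ -1,6 +1,6 @@
 # This file is overwritten during software install.
 # Persistent customizations should go in a .local file.
-include /etc/firejail/disable-interpreters.local
+include disable-interpreters.local
 
 # Lua
 blacklist ${PATH}/lua*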
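--- a/etc/disable-passwdmgr.inc
+++ b/etc/disable-passwdmgr.inc
@@ -1,7 +1,8 @@
 # This file is overwritten during software install.
 # Persistent customizations should go in a .local file.
-include /etc/firejail/disable-passwdmgr.local
+include disable-passwdmgr.local
 
+blacklist ${HOME}/.config/Bitwarden
 blacklist ${HOME}/.config/KeePass
 blacklist ${HOME}/.config/keepass
 blacklist ${HOME}/.config/keepassx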
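--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -1,8 +1,9 @@
 # This file is overwritten during software install.
 # Persistent customizations should go in a .local file.
-include /etc/firejail/disable-programs.local
+include disable-programs.local
 
 blacklist ${HOME}/Monero/wallets
+blacklist ${HOME}/Nextcloud/Notes
 blacklist ${HOME}/Standard Notes Backups
 blacklist ${HOME}/snap
 blacklist ${HOME}/.*coin
@@ -52,6 +53,7 @@ blacklist ${HOME}/.config/Beaker Browser
 blacklist ${HOME}/.config/Brackets
 blacklist ${HOME}/.config/Clementine
 blacklist ${HOME}/.config/Code
+blacklist ${HOME}/.config/Code Industry
 blacklist ${HOME}/.config/Cryptocat
 blacklist ${HOME}/.config/Franz
 blacklist ${HOME}/.config/FreeCAD
@@ -72,7 +74,9 @@ blacklist ${HOME}/.config/Mumble
 blacklist ${HOME}/.config/MusE
 blacklist ${HOME}/.config/MuseScore
 blacklist ${HOME}/.config/MusicBrainz
+blacklist ${HOME}/.config/Nathan Osman
 blacklist ${HOME}/.config/Nylas Mail
+blacklist ${HOME}/.config/PBE
 blacklist ${HOME}/.config/Qlipper
 blacklist ${HOME}/.config/QMediathekView
 blacklist ${HOME}/.config/QuiteRss
@@ -91,6 +95,7 @@ blacklist ${HOME}/.config/akregatorrc
 blacklist ${HOME}/.config/ardour4
 blacklist ${HOME}/.config/ardour5
 blacklist ${HOME}/.config/arkrc
+blacklist ${HOME}/.config/artha.conf
 blacklist ${HOME}/.config/asunder
 blacklist ${HOME}/.config/atril
 blacklist ${HOME}/.config/audacious
@@ -142,6 +147,7 @@ blacklist ${HOME}/.config/ghb
 blacklist ${HOME}/.config/globaltime
 blacklist ${HOME}/.config/gnome-mplayer
 blacklist ${HOME}/.config/gnome-mpv
+blacklist ${HOME}/.config/gnome-pie
 blacklist ${HOME}/.config/google-chrome
 blacklist ${HOME}/.config/google-chrome-beta
 blacklist ${HOME}/.config/google-chrome-unstable
@@ -191,6 +197,7 @@ blacklist ${HOME}/.config/nautilus
 blacklist ${HOME}/.config/nemo
 blacklist ${HOME}/.config/netsurf
 blacklist ${HOME}/.config/nheko
+blacklist ${HOME}/.config/NitroShare
 blacklist ${HOME}/.config/okularpartrc
 blacklist ${HOME}/.config/okularrc
 blacklist ${HOME}/.config/onionshare
@@ -368,6 +375,7 @@ blacklist ${HOME}/.local/share/3909/PapersPlease
 blacklist ${HOME}/.local/share/Empathy
 blacklist ${HOME}/.local/share/JetBrains
 blacklist ${HOME}/.local/share/Mumble
+blacklist ${HOME}/.local/share/PBE
 blacklist ${HOME}/.local/share/QMediathekView
 blacklist ${HOME}/.local/share/QuiteRss
 blacklist ${HOME}/.local/share/Ricochet
@@ -458,6 +466,7 @@ blacklist ${HOME}/.local/share/xplayer
 blacklist ${HOME}/.local/share/xreader
 blacklist ${HOME}/.local/share/zathura
 blacklist ${HOME}/.lv2
+blacklist ${HOME}/.masterpdfeditor
 blacklist ${HOME}/.mcabber
 blacklist ${HOME}/.mcabberrc
 blacklist ${HOME}/.mediathek3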
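Review bot: The added `blacklist ${HOME}/.config/NitroShare` sits in the lowercase run between `nheko` and `okularpartrc`, while the file otherwise lists capitalised names first (`Nathan Osman`, `Nylas Mail` in the hunk at old line 72). Moving it next to those keeps the list easy to scan for duplicates and gaps. Separately, `.config/Code Industry`, `.config/Nathan Osman` and `.config/PBE` are vendor directory names that do not say which application they protect. A one-line comment above each, such as `# <application name>`, would let an auditor check that the matching profile carries a `noblacklist` for it. Going by the other paths added here they presumably belong to Master PDF Editor and NitroShare, but the diff does not confirm that.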
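--- a/etc/disable-xdg.inc
+++ b/etc/disable-xdg.inc
@@ -1,6 +1,6 @@
 # This file is overwritten during software install.
 # Persistent customizations should go in a .local file.
-include /etc/firejail/disable-xdg.local
+include disable-xdg.local
 
 blacklist ${DOCUMENTS}
 blacklist ${MUSIC}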
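--- a/etc/discord-canary.profile
+++ b/etc/discord-canary.profile
@@ -1,9 +1,9 @@
 # Firejail profile for discord-canary
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/discord-canary.local
+include discord-canary.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 noblacklist ${HOME}/.config/discordcanary
@@ -15,4 +15,4 @@ private-bin discord-canary
 private-opt discord-canary
 
 #Redirect
-include /etc/firejail/discord-common.profile
+include discord-common.profile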
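--- a/etc/discord-common.profile
+++ b/etc/discord-common.profile
@@ -1,15 +1,15 @@
 # Firejail profile for discord
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/discord-common.local
+include discord-common.local
 # Persistent global definitions
 # already included by caller profile
-#include /etc/firejail/globals.local
+#include globals.local
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 whitelist ${DOWNLOADS}
 
@@ -20,6 +20,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp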
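--- a/etc/discord.profile
+++ b/etc/discord.profile
@@ -1,9 +1,9 @@
 # Firejail profile for discord
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/discord.local
+include discord.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 noblacklist ${HOME}/.config/discord
@@ -15,4 +15,4 @@ private-bin discord
 private-opt discord
 
 #Redirect
-include /etc/firejail/discord-common.profile
+include discord-common.profile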
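--- a/etc/display.profile
+++ b/etc/display.profile
@@ -1,9 +1,9 @@
 # Firejail profile for display
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/display.local
+include display.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${PICTURES}
 
@@ -13,14 +13,14 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 net none
@@ -31,6 +31,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 protocol unix
 seccomp
 shell none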
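--- a/etc/dnox.profile
+++ b/etc/dnox.profile
@@ -1,9 +1,9 @@
 # Firejail profile for dnox
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/dnox.local
+include dnox.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/dnox
 noblacklist ${HOME}/.config/dnox
@@ -14,4 +14,4 @@ whitelist ${HOME}/.cache/dnox
 whitelist ${HOME}/.config/dnox
 
 # Redirect
-include /etc/firejail/chromium-common.profile
+include chromium-common.profile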
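--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -2,21 +2,21 @@
 # Description: Tool for securing communications between a client and a DNS resolver
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/dnscrypt-proxy.local
+include dnscrypt-proxy.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 blacklist /tmp/.X11-unix
 
 noblacklist /sbin
 noblacklist /usr/sbin
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
 no3d
@@ -24,6 +24,7 @@ nodvd
 nonewprivs
 nosound
 notv
+nou2f
 novideo
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
 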
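--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -2,21 +2,21 @@
 # Description: Small caching DNS proxy and DHCP/TFTP server
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/dnsmasq.local
+include dnsmasq.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 blacklist /tmp/.X11-unix
 
 noblacklist /sbin
 noblacklist /usr/sbin
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.keep net_admin,net_bind_service,net_raw,setgid,setuid
 no3d
@@ -24,6 +24,7 @@ nodvd
 nonewprivs
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp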
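--- a/etc/dolphin.profile
+++ b/etc/dolphin.profile
@@ -2,9 +2,9 @@
 # Description: File manager
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/dolphin.local
+include dolphin.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5
 
@@ -13,12 +13,12 @@ noblacklist ${HOME}/.local/share/Trash
 # noblacklist ${HOME}/.config/dolphinrc
 # noblacklist ${HOME}/.local/share/dolphin
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
 # dolphin needs to be able to start arbitrary applications so we cannot blacklist their files
-# include /etc/firejail/disable-programs.inc
+# include disable-programs.inc
 
 caps.drop all
 netfilter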
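--- a/etc/dooble-qt4.profile
+++ b/etc/dooble-qt4.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/dooble.profile
+include dooble.profile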
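--- a/etc/dooble.profile
+++ b/etc/dooble.profile
@@ -1,23 +1,23 @@
 # Firejail profile for dooble
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/dooble-qt4.local
+include dooble-qt4.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 noblacklist ${HOME}/.dooble
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.dooble
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.dooble
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter
@@ -26,6 +26,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp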
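Review bot: Line 4 of the new dooble.profile still reads `include dooble-qt4.local`, although the header calls this the profile for dooble and every other profile in this diff includes the `.local` file named after itself. As far as this section shows, hardening overrides a user places in `dooble.local` are never read, and nothing warns about it. If the qt4 name is not deliberate, the line should be `include dooble.local`. The qt4-specific include would then belong in dooble-qt4.profile, whose first two lines lie outside its hunk, so I cannot tell whether it already has one.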
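--- a/etc/dosbox.profile
+++ b/etc/dosbox.profile
@@ -2,21 +2,21 @@
 # Description: x86 emulator with Tandy/Herc/CGA/EGA/VGA/SVGA graphics, sound and DOS
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/dosbox.local
+include dosbox.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.dosbox
 noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -25,6 +25,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp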
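--- a/etc/dragon.profile
+++ b/etc/dragon.profile
@@ -2,22 +2,22 @@
 # Description: A multimedia player where the focus is on simplicity, instead of features
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/dragon.local
+include dragon.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/dragonplayerrc
 noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -25,6 +25,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp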
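--- a/etc/dropbox.profile
+++ b/etc/dropbox.profile
@@ -1,19 +1,19 @@
 # Firejail profile for dropbox
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/dropbox.local
+include dropbox.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/autostart
 noblacklist ${HOME}/.dropbox
 noblacklist ${HOME}/.dropbox-dist
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.dropbox
 mkdir ${HOME}/.dropbox-dist
@@ -23,7 +23,7 @@ whitelist ${HOME}/.config/autostart/dropbox.desktop
 whitelist ${HOME}/.dropbox
 whitelist ${HOME}/.dropbox-dist
 whitelist ${HOME}/Dropbox
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter
@@ -34,6 +34,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp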
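--- a/etc/easystroke.profile
+++ b/etc/easystroke.profile
@@ -2,17 +2,17 @@
 # Description: Control your desktop using mouse gestures
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/easystroke.local
+include easystroke.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.easystroke
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 ipc-namespace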
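--- a/etc/ebook-viewer.profile
+++ b/etc/ebook-viewer.profile
@@ -5,4 +5,4 @@ net none
 nodbus
 
 # Redirect
-include /etc/firejail/calibre.profile
+include calibre.profile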
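--- a/etc/electron.profile
+++ b/etc/electron.profile
@@ -2,13 +2,13 @@
 # Description: Build cross platform desktop apps with web technologies
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/electron.local
+include electron.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 whitelist ${DOWNLOADS}
 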
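--- a/etc/electrum.profile
+++ b/etc/electrum.profile
@@ -2,9 +2,9 @@
 # Description: Lightweight Bitcoin wallet
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/electrum.local
+include electrum.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.electrum
 
@@ -14,17 +14,17 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.electrum
 whitelist ${HOME}/.electrum
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace
@@ -37,6 +37,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp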
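--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@@ -2,20 +2,20 @@
 # Description: Advanced text-mode WWW browser
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/elinks.local
+include elinks.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 blacklist /tmp/.X11-unix
 
 noblacklist ${HOME}/.elinks
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter
@@ -26,6 +26,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp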
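--- a/etc/emacs.profile
+++ b/etc/emacs.profile
@@ -2,16 +2,16 @@
 # Description: GNU Emacs editor
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/emacs.local
+include emacs.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.emacs
 noblacklist ${HOME}/.emacs.d
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter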
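--- a/etc/empathy.profile
+++ b/etc/empathy.profile
@@ -2,15 +2,15 @@
 # Description: GNOME multi-protocol chat and call client
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/empathy.local
+include empathy.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter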
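Review bot: The include list of this profile has no `include disable-passwdmgr.inc`, although the other network-facing profiles touched by this commit (electrum, elinks, evolution) carry it between `disable-interpreters.inc` and `disable-programs.inc`. empathy is a chat client that handles remote content, so password-manager stores in the home directory would stay readable inside the sandbox unless something later in the profile restricts the home directory. The profile continues past the `netfilter` line outside this hunk, so that cannot be confirmed from here. If nothing does, add `include disable-passwdmgr.inc` after the `disable-interpreters.inc` line.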
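--- a/etc/enchant-2.profile
+++ b/etc/enchant-2.profile
@@ -1,9 +1,9 @@
 # Firejail profile for enchant-2
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/enchant-2.local
+include enchant-2.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # Redirect
-include /etc/firejail/enchant.profile
+include enchant.profile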
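--- a/etc/enchant-lsmod-2.profile
+++ b/etc/enchant-lsmod-2.profile
@@ -1,9 +1,9 @@
 # Firejail profile for enchant-lsmod-2
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/enchant-lsmod-2.local
+include enchant-lsmod-2.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # Redirect
-include /etc/firejail/enchant.profile
+include enchant.profile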
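--- a/etc/enchant-lsmod.profile
+++ b/etc/enchant-lsmod.profile
@@ -1,9 +1,9 @@
 # Firejail profile for enchant-lsmod
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/enchant-lsmod.local
+include enchant-lsmod.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # Redirect
-include /etc/firejail/enchant.profile
+include enchant.profile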
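--- a/etc/enchant.profile
+++ b/etc/enchant.profile
@@ -2,18 +2,18 @@
 # Description: Wrapper for various spell checker engines
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/enchant.local
+include enchant.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/enchant
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter
@@ -25,6 +25,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp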
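--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -2,17 +2,17 @@
 # Description: Archive manager for MATE
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/engrampa.local
+include engrampa.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
@@ -25,6 +25,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp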
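--- a/etc/enox.profile
+++ b/etc/enox.profile
@@ -1,9 +1,9 @@
 # Firejail profile for enox
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/enox.local
+include enox.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/Enox
 noblacklist ${HOME}/.config/Enox
@@ -16,4 +16,4 @@ whitelist ${HOME}/.cache/Enox
 whitelist ${HOME}/.config/Enox
 
 # Redirect
-include /etc/firejail/chromium-common.profile
+include chromium-common.profile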
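--- a/etc/enpass.profile
+++ b/etc/enpass.profile
@@ -1,20 +1,20 @@
 # This file is overwritten after every install/update.
 # Persistent local customisations
-include /etc/firejail/enpass.local
+include enpass.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/Sinew Software Systems
 noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 machine-id
@@ -26,6 +26,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp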
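--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -2,22 +2,22 @@
 # Description: Eye of GNOME graphics viewer program
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/eog.local
+include eog.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.config/eog
 noblacklist ${HOME}/.local/share/Trash
 noblacklist ${HOME}/.steam
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 # apparmor - makes settings immutable
 caps.drop all
@@ -30,6 +30,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp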
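--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -2,22 +2,22 @@
 # Description: Eye of MATE graphics viewer program
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/eom.local
+include eom.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.config/mate/eom
 noblacklist ${HOME}/.local/share/Trash
 noblacklist ${HOME}/.steam
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 # apparmor - makes settings immutable
 caps.drop all
@@ -30,6 +30,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp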
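--- a/etc/epiphany.profile
+++ b/etc/epiphany.profile
@@ -2,18 +2,18 @@
 # Description: Clone of Boulder Dash game
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/epiphany.local
+include epiphany.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/epiphany
 noblacklist ${HOME}/.config/epiphany
 noblacklist ${HOME}/.local/share/epiphany
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.cache/epiphany
 mkdir ${HOME}/.config/epiphany
@@ -22,7 +22,7 @@ whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/epiphany
 whitelist ${HOME}/.config/epiphany
 whitelist ${HOME}/.local/share/epiphany
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter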
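Review bot: The `# Description: Clone of Boulder Dash game` line at the top of this profile does not match the rest of it, which whitelists `${DOWNLOADS}` and keeps `netfilter` the way the browser profiles in this commit do. It looks like the description of a different package with the same name was picked up. Users read this line to judge which binary the policy was written for, so a wrong one hides that the network stays enabled on purpose. `# Description: GNOME web browser` would fit, assuming the browser is the intended target. The profile continues past the `netfilter` line outside the hunk.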
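--- a/etc/etr.profile
+++ b/etc/etr.profile
@@ -1,20 +1,20 @@
 # Firejail profile for etr
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/etr.local
+include etr.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.etr
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.etr
 whitelist ${HOME}/.etr
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 net none
@@ -24,6 +24,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,netlink
 seccomp
 shell none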
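--- a/etc/evince-previewer.profile
+++ b/etc/evince-previewer.profile
@@ -1,10 +1,10 @@
 # Firejail profile for evince-previewer
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/evince-previewer.local
+include evince-previewer.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 # Redirect
-include /etc/firejail/evince.profile
+include evince.profile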
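--- a/etc/evince-thumbnailer.profile
+++ b/etc/evince-thumbnailer.profile
@@ -1,10 +1,10 @@
 # Firejail profile for evince-thumbnailer
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/evince-thumbnailer.local
+include evince-thumbnailer.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 # Redirect
-include /etc/firejail/evince.profile
+include evince.profile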
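--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -2,21 +2,21 @@
 # Description: Document (PostScript, PDF) viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/evince.local
+include evince.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/evince
 noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 machine-id
@@ -30,6 +30,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp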
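--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -2,9 +2,9 @@
 # Description: Groupware suite with mail client and organizer
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/evolution.local
+include evolution.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist /var/mail
 noblacklist /var/spool/mail
@@ -15,11 +15,11 @@ noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/evolution
 noblacklist ${HOME}/.pki
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
@@ -31,6 +31,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp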
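--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -2,9 +2,9 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/exiftool.local
+include exiftool.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 blacklist /tmp/.X11-unix
 
@@ -13,11 +13,11 @@ noblacklist ${PATH}/perl
 noblacklist /usr/lib/perl*
 noblacklist /usr/share/perl*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 net none
@@ -29,6 +29,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp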
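--- a/etc/falkon.profile
+++ b/etc/falkon.profile
@@ -2,24 +2,24 @@
 # Description: Lightweight web browser based on Qt WebEngine
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/falkon.local
+include falkon.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/falkon
 noblacklist ${HOME}/.config/falkon
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/falkon
 whitelist ${HOME}/.config/falkon
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -28,6 +28,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks falkon
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice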
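Review bot: The rewritten include lines in the first hunk drop the absolute `/etc/firejail/` prefix, so which file gets loaded now depends on the loader's search order, and that order is not visible anywhere in this diff. The same rewrite is applied to every other profile section in this commit. If bare names are looked up in a per-user directory before the system one, a user-level `disable-common.inc` or `disable-passwdmgr.inc` would silently replace the system blacklist for all of these profiles, so the commit message or a header comment should state the order and confirm that directory is blacklisted inside the sandbox. A one-line comment would do, for example `# include names are resolved through the firejail profile search path (user dir, then system dir - confirm)`.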
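--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -2,21 +2,21 @@
 # Description: E-book reader
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/fbreader.local
+include fbreader.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.FBReader
 noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -25,6 +25,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp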
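--- a/etc/feh.profile
+++ b/etc/feh.profile
@@ -2,15 +2,15 @@
 # Description: imlib2 based image viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/feh.local
+include feh.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 net none
@@ -22,6 +22,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp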
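--- a/etc/fetchmail.profile
+++ b/etc/fetchmail.profile
@@ -2,18 +2,18 @@
 # Description: SSL enabled POP3, APOP, IMAP mail gatherer/forwarder
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/fetchmail.local
+include fetchmail.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.fetchmailrc
 noblacklist ${HOME}/.netrc
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
@@ -24,6 +24,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp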
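--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -3,17 +3,17 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/ffmpeg.local
+include ffmpeg.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 net none
@@ -22,6 +22,7 @@ nodbus
 nodvd
 nosound
 notv
+nou2f
 novideo
 nonewprivs
 noroot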
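--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -2,17 +2,17 @@
 # Description: Archive manager for GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/file-roller.local
+include file-roller.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
@@ -25,6 +25,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp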
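--- a/etc/file.profile
+++ b/etc/file.profile
@@ -3,15 +3,15 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/file.local
+include file.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 blacklist /tmp/.X11-unix
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 hostname file
@@ -23,6 +23,7 @@ nogroups
 nonewprivs
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp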
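--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -2,9 +2,9 @@
 # Description: Full-featured graphical FTP/FTPS/SFTP client
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/filezilla.local
+include filezilla.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/filezilla
 noblacklist ${HOME}/.filezilla
@@ -15,11 +15,11 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/whitelist-var-common.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -28,6 +28,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp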
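Review bot: The include run in the second hunk (new lines 18-22) has no `include disable-passwdmgr.inc`, unlike the other network-enabled profiles touched here such as fetchmail.profile and falkon.profile. Lines 11-14 fall between the hunks, so it may be pulled in there, but if it is not, this client runs with `protocol unix,inet,inet6` and no home whitelist, so password-manager data stays readable unless another include covers it. Since the commit already rewrites these lines, I would add `include disable-passwdmgr.inc` after `include disable-interpreters.inc`, or leave a comment saying why it is omitted.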
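--- a/etc/firefox-beta.profile
+++ b/etc/firefox-beta.profile
@@ -1,10 +1,10 @@
 # Firejail profile for firefox-beta
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/firefox-beta.local
+include firefox-beta.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 # Redirect
-include /etc/firejail/firefox.profile
+include firefox.profile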
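--- a/etc/firefox-common-addons.inc
+++ b/etc/firefox-common-addons.inc
@@ -1,6 +1,6 @@
 # This file is overwritten during software install.
 # Persistent customizations should go in a .local file.
-include /etc/firejail/firefox-common-addons.local
+include firefox-common-addons.local
 
 noblacklist ${HOME}/.config/kgetrc
 noblacklist ${HOME}/.config/okularpartrc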
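--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -1,26 +1,26 @@
 # Firejail profile for firefox-common
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/firefox-common.local
+include firefox-common.local
 # Persistent global definitions
 # already included by caller profile
-#include /etc/firejail/globals.local
+#include globals.local
 
 # uncomment the following line to allow access to common programs/addons/plugins
-#include /etc/firejail/firefox-common-addons.inc
+#include firefox-common-addons.inc
 
 noblacklist ${HOME}/.pki
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.pki
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
@@ -35,6 +35,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,inet,inet6,netlink
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none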
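Review bot: The `nou2f` line added in the second hunk carries no comment, and in a browser profile it presumably makes U2F hardware keys unavailable for web sign-in, which tends to push users back to weaker second factors. This profile is the redirect target of firefox.profile and, through it, the beta, esr, nightly, wayland and developer-edition profiles in this commit, and falkon.profile gets the same line, so the effect is broad. I would document the override directly above it, for example `# nou2f blocks U2F hardware keys; add 'ignore nou2f' to firefox-common.local if you sign in with one`. Whether the default should be on for browsers at all is worth a maintainer decision.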
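--- a/etc/firefox-developer-edition.profile
+++ b/etc/firefox-developer-edition.profile
@@ -2,10 +2,10 @@
 # Description: Developer Edition of the popular Firefox web browser
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/firefox-developer-edition.local
+include firefox-developer-edition.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 # Redirect
-include /etc/firejail/firefox.profile
+include firefox.profile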
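--- a/etc/firefox-esr.profile
+++ b/etc/firefox-esr.profile
@@ -1,10 +1,10 @@
 # Firejail profile for firefox-esr
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/firefox-esr.local
+include firefox-esr.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 # Redirect
-include /etc/firejail/firefox.profile
+include firefox.profile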
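--- a/etc/firefox-nightly.profile
+++ b/etc/firefox-nightly.profile
@@ -1,10 +1,10 @@
 # Firejail profile for firefox-nightly
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/firefox-nightly.local
+include firefox-nightly.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 # Redirect
-include /etc/firejail/firefox.profile
+include firefox.profile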
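--- a/etc/firefox-wayland.profile
+++ b/etc/firefox-wayland.profile
@@ -1,10 +1,10 @@
 # Firejail profile for firefox-wayland
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/firefox-wayland.local
+include firefox-wayland.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 # Redirect
-include /etc/firejail/firefox.profile
+include firefox.profile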
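--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -2,9 +2,9 @@
 # Description: Safe and easy web browser from Mozilla
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/firefox.local
+include firefox.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
@@ -20,4 +20,4 @@ whitelist ${HOME}/.mozilla
 #private-etc firefox
 
 # Redirect
-include /etc/firejail/firefox-common.profile
+include firefox-common.profile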
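--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -22,7 +22,8 @@
 # dbus yes
 
 # Disable /mnt, /media, /run/mount and /run/media access. By default access
-# to these directories is enabled.
+# to these directories is enabled. Unlike --disable-mnt profile option this
+# cannot be overridden by --noblacklist.
 # disable-mnt no
 
 # Enable or disable file transfer support, default enabled.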
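Review bot: The added sentence calls `--disable-mnt` a profile option, but the double-dash form is the command-line spelling, and the profiles in this commit write their options without dashes. Because this comment tells an administrator which setting wins, the two forms should be named precisely. I would write `# to these directories is enabled. Unlike the disable-mnt profile option (--disable-mnt` / `# on the command line), this setting cannot be overridden by noblacklist.`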
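--- a/etc/flameshot.profile
+++ b/etc/flameshot.profile
@@ -2,18 +2,18 @@
 # Description: Powerful yet simple-to-use screenshot software
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/flameshot.local
+include flameshot.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${PICTURES}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 ipc-namespace
@@ -26,6 +26,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp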
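--- a/etc/flashpeak-slimjet.profile
+++ b/etc/flashpeak-slimjet.profile
@@ -1,9 +1,9 @@
 # Firejail profile for flashpeak-slimjet
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/flashpeak-slimjet.local
+include flashpeak-slimjet.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/slimjet
 noblacklist ${HOME}/.config/slimjet
@@ -14,4 +14,4 @@ whitelist ${HOME}/.cache/slimjet
 whitelist ${HOME}/.config/slimjet
 
 # Redirect
-include /etc/firejail/chromium-common.profile
+include chromium-common.profile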
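--- a/etc/flowblade.profile
+++ b/etc/flowblade.profile
@@ -2,9 +2,9 @@
 # Description: Non-linear video editor
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/flowblade.local
+include flowblade.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/flowblade
 noblacklist ${HOME}/.flowblade
@@ -15,11 +15,11 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
@@ -28,6 +28,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,inet,inet6,netlink
 seccomp
 shell none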
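--- a/etc/fluxbox.profile
+++ b/etc/fluxbox.profile
@@ -2,13 +2,13 @@
 # Description: Standards-compliant, fast, light-weight and extensible window manager
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/fluxbox.local
+include fluxbox.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # all applications started in awesome will run in this profile
 noblacklist ${HOME}/.fluxbox
-include /etc/firejail/disable-common.inc
+include disable-common.inc
 
 caps.drop all
 netfilter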
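Review bot: The comment on line 9 names the wrong window manager: `# all applications started in awesome will run in this profile` looks copied from another profile and should read `# all applications started in fluxbox will run in this profile`. The wording matters because, within the visible lines, only `disable-common.inc` is included, so every program launched from the session inherits this comparatively loose sandbox. The rest of the file after line 14 is outside the hunk, so further restrictions may follow there.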
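--- a/etc/fontforge.profile
+++ b/etc/fontforge.profile
@@ -2,9 +2,9 @@
 # Description: Font editor
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/fontforge.local
+include fontforge.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.FontForge
 noblacklist ${DOCUMENTS}
@@ -15,12 +15,12 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter
@@ -30,6 +30,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp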
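--- a/etc/fossamail.profile
+++ b/etc/fossamail.profile
@@ -1,9 +1,9 @@
 # Firejail profile for fossamail
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/fossamail.local
+include fossamail.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/fossamail
 noblacklist ${HOME}/.fossamail
@@ -15,8 +15,8 @@ mkdir ${HOME}/.gnupg
 whitelist ${HOME}/.cache/fossamail
 whitelist ${HOME}/.fossamail
 whitelist ${HOME}/.gnupg
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 # allow browsers
 # Redirect
-include /etc/firejail/firefox.profile
+include firefox.profile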
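--- a/etc/franz.profile
+++ b/etc/franz.profile
@@ -1,18 +1,18 @@
 # Firejail profile for franz
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/franz.local
+include franz.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/Franz
 noblacklist ${HOME}/.config/Franz
 noblacklist ${HOME}/.pki
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.cache/Franz
 mkdir ${HOME}/.config/Franz
@@ -21,7 +21,7 @@ whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/Franz
 whitelist ${HOME}/.config/Franz
 whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter
@@ -30,6 +30,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,inet,inet6,netlink
 seccomp
 shell none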
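--- a/etc/freecad.profile
+++ b/etc/freecad.profile
@@ -2,19 +2,19 @@
 # Description: Extensible Open Source CAx program
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/freecad.local
+include freecad.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/FreeCAD
 noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 ipc-namespace
@@ -26,6 +26,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp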
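--- a/etc/freecadcmd.profile
+++ b/etc/freecadcmd.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/freecad.profile
+include freecad.profile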
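--- a/etc/freshclam.profile
+++ b/etc/freshclam.profile
@@ -2,9 +2,9 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/clamav.local
+include clamav.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 caps.keep setgid,setuid
@@ -16,6 +16,7 @@ nogroups
 nonewprivs
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp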
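--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -2,22 +2,22 @@
 # Description: Cool game where you pop out the bubbles
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/frozen-bubble.local
+include frozen-bubble.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.frozen-bubble
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.frozen-bubble
 whitelist ${HOME}/.frozen-bubble
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 net none
@@ -27,6 +27,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,netlink
 seccomp
 shell none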
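--- a/etc/gajim.profile
+++ b/etc/gajim.profile
@@ -2,9 +2,9 @@
 # Description: GTK+-based Jabber client
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gajim.local
+include gajim.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/gajim
 noblacklist ${HOME}/.config/gajim
@@ -15,11 +15,11 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python3*
 noblacklist /usr/lib64/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.cache/gajim
 mkdir ${HOME}/.config/gajim
@@ -29,7 +29,7 @@ whitelist ${HOME}/.cache/gajim
 whitelist ${HOME}/.config/gajim
 whitelist ${HOME}/.local/share/gajim
 whitelist ${HOME}/Downloads
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter
@@ -38,6 +38,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,inet,inet6
 seccomp
 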
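--- a/etc/galculator.profile
+++ b/etc/galculator.profile
@@ -2,22 +2,22 @@
 # Description: Scientific calculator
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/galculator.local
+include galculator.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/galculator
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.config/galculator
 whitelist ${HOME}/.config/galculator
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
@@ -29,6 +29,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp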
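--- a/etc/gcloud.profile
+++ b/etc/gcloud.profile
@@ -1,17 +1,17 @@
 # Firejail profile for gcloud
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gcloud.local
+include gcloud.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.boto
 noblacklist ${HOME}/.config/gcloud
 noblacklist /var/run/docker.sock
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-programs.inc
 
 apparmor
 caps.drop all
@@ -24,6 +24,7 @@ nodvd
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,inet,inet6
 seccomp
 shell none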
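Review bot: The `nou2f` added in the last hunk disables U2F devices for a CLI that may talk to a security key itself: Google's auth libraries support security-key re-authentication (via pyu2f, as far as I know), and that flow would presumably fail inside this sandbox. If it matters for users of this profile, document the override next to the directive, e.g. `# nou2f breaks security-key reauth; add 'ignore nou2f' to gcloud.local if needed`. Separately, the unchanged `noblacklist /var/run/docker.sock` context line keeps the Docker socket reachable, and access to that socket is normally equivalent to root on the host, so the device restriction added here does not narrow the profile's largest exposure. The option list continues outside the hunk.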
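--- a/etc/geany.profile
+++ b/etc/geany.profile
@@ -2,15 +2,15 @@
 # Description: Fast and lightweight IDE
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/geany.local
+include geany.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/geany
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
@@ -21,6 +21,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp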
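--- a/etc/geary.profile
+++ b/etc/geary.profile
@@ -2,9 +2,9 @@
 # Description: Lightweight email client designed for the GNOME desktop
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/geary.local
+include geary.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # Users have Geary set to open a browser by clicking a link in an email
 # We are not allowed to blacklist browser-specific directories
@@ -20,7 +20,7 @@ whitelist ${HOME}/.gnupg
 whitelist ${HOME}/.config/geary
 whitelist ${HOME}/.local/share/geary
 
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 ignore nodbus
 ignore private-tmp
@@ -29,4 +29,4 @@ read-only ${HOME}/.config/mimeapps.list
 
 # allow browsers
 # Redirect
-include /etc/firejail/firefox.profile
+include firefox.profile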
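--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -2,21 +2,21 @@
 # Description: Official text editor of the GNOME desktop environment
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gedit.local
+include gedit.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/enchant
 noblacklist ${HOME}/.config/gedit
 noblacklist ${HOME}/.gitconfig
 
-include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-devel.inc
-# include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+# include disable-devel.inc
+# include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 # apparmor - makes settings immutable
 caps.drop all
@@ -30,6 +30,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp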
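--- a/etc/geeqie.profile
+++ b/etc/geeqie.profile
@@ -2,19 +2,19 @@
 # Description: Image viewer using GTK+
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/geeqie.local
+include geeqie.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/geeqie
 noblacklist ${HOME}/.config/geeqie
 noblacklist ${HOME}/.local/share/geeqie
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 nodvd
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp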
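--- a/etc/ghb.profile
+++ b/etc/ghb.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/handbrake.profile
+include handbrake.profile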
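--- a/etc/gimp-2.10.profile
+++ b/etc/gimp-2.10.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/gimp.profile
+include gimp.profile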
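--- a/etc/gimp-2.8.profile
+++ b/etc/gimp-2.8.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/gimp.profile
+include gimp.profile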
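--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -2,21 +2,21 @@
 # Description: GNU Image Manipulation Program
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gimp.local
+include gimp.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/GIMP
 noblacklist ${HOME}/.gimp*
 noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
@@ -28,6 +28,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 protocol unix
 seccomp
 shell none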
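--- a/etc/git.profile
+++ b/etc/git.profile
@@ -3,9 +3,9 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/git.local
+include git.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 blacklist /tmp/.X11-unix
 
@@ -17,9 +17,9 @@ noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.vim
 noblacklist ${HOME}/.viminfo
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
@@ -30,6 +30,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp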
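Review bot: `nou2f` is added to a profile that deliberately keeps `${HOME}/.ssh` reachable (see the `noblacklist ${HOME}/.ssh` hunk context), so SSH authentication that needs a hardware token, for example OpenSSH's FIDO-backed `sk-` key types, would likely stop working for git over SSH inside the sandbox. The directive lands without a comment, which makes that failure hard to trace back to the profile. I would add `# nou2f blocks FIDO/U2F tokens; use 'ignore nou2f' in git.local for hardware-backed SSH keys` above it. gitg.profile gets the same addition with the same `.ssh` exception. The option list continues outside the hunk.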
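--- a/etc/gitg.profile
+++ b/etc/gitg.profile
@@ -2,21 +2,21 @@
 # Description: Git repository viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gitg.local
+include gitg.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.local/share/gitg
 noblacklist ${HOME}/.ssh
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 no3d
@@ -26,6 +26,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp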
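--- a/etc/gitter.profile
+++ b/etc/gitter.profile
@@ -1,23 +1,23 @@
 # Firejail profile for gitter
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gitter.local
+include gitter.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/autostart
 noblacklist ${HOME}/.config/Gitter
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/autostart
 whitelist ${HOME}/.config/Gitter
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 machine-id
@@ -28,6 +28,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 protocol unix,inet,inet6,netlink
 seccomp
 shell none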
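--- a/etc/gjs.profile
+++ b/etc/gjs.profile
@@ -2,9 +2,9 @@
 # Description: Mozilla-based javascript bindings for the GNOME platform
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gjs.local
+include gjs.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
 
@@ -13,11 +13,11 @@ noblacklist ${HOME}/.cache/org.gnome.Books
 noblacklist ${HOME}/.config/libreoffice
 noblacklist ${HOME}/.local/share/gnome-photos
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
@@ -26,6 +26,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,inet,inet6
 seccomp
 shell none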
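--- a/etc/globaltime.profile
+++ b/etc/globaltime.profile
@@ -1,18 +1,18 @@
 # Firejail profile for globaltime
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/globaltime.local
+include globaltime.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/globaltime
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp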
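--- a/etc/gnome-2048.profile
+++ b/etc/gnome-2048.profile
@@ -2,23 +2,23 @@
 # Description: Sliding tile puzzle game
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gnome-2048.local
+include gnome-2048.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.local/share/gnome-2048
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 mkdir ${HOME}/.local/share/gnome-2048
 whitelist ${HOME}/.local/share/gnome-2048
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter
@@ -26,6 +26,7 @@ nodvd
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp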
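Review bot: The switch from `include /etc/firejail/disable-common.inc` to `include disable-common.inc` (and likewise for every other include in this file) makes the hardening includes depend on how the loader resolves a bare file name, and nothing in the profile documents that. If the resolver searches a per-user directory before the system one — to be confirmed against the include handling, which is not part of this diff — a same-named file there would replace the system blacklist for this sandbox. A header comment such as `# bare include names are resolved by firejail's profile search order, not relative to this file` would make that explicit. The same applies to the other profile sections on this page, gnome-books through gnome-twitch.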
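--- a/etc/gnome-books.profile
+++ b/etc/gnome-books.profile
@@ -1,23 +1,23 @@
 # Firejail profile for gnome-books
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gnome-books.local
+include gnome-books.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
 
 noblacklist ${HOME}/.cache/org.gnome.Books
 noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -28,6 +28,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp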
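--- a/etc/gnome-builder.profile
+++ b/etc/gnome-builder.profile
@@ -2,14 +2,14 @@
 # Description: IDE for GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gnome-builder.local
+include gnome-builder.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 ipc-namespace
@@ -19,6 +19,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp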
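--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -3,19 +3,19 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/gnome-calculator.local
+include gnome-calculator.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-passwdmgr.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 # apparmor - makes settings immutable
 caps.drop all
@@ -29,6 +29,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp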
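--- a/etc/gnome-chess.profile
+++ b/etc/gnome-chess.profile
@@ -2,20 +2,20 @@
 # Description: Simple chess game
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gnome-chess.local
+include gnome-chess.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.local/share/gnome-chess
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 no3d
@@ -25,6 +25,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp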
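--- a/etc/gnome-clocks.profile
+++ b/etc/gnome-clocks.profile
@@ -2,19 +2,19 @@
 # Description: Simple GNOME app with stopwatch, timer, and world clock support
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gnome-clocks.local
+include gnome-clocks.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -24,6 +24,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp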
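--- a/etc/gnome-contacts.profile
+++ b/etc/gnome-contacts.profile
@@ -2,21 +2,21 @@
 # Description: Contacts manager for GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gnome-contacts.local
+include gnome-contacts.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -26,6 +26,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp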
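--- a/etc/gnome-documents.profile
+++ b/etc/gnome-documents.profile
@@ -2,21 +2,21 @@
 # Description: Document manager for GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gnome-documents.local
+include gnome-documents.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
 
 noblacklist ${HOME}/.config/libreoffice
 noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter
@@ -27,6 +27,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp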
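--- a/etc/gnome-font-viewer.profile
+++ b/etc/gnome-font-viewer.profile
@@ -2,19 +2,19 @@
 # Description: Font viewer for GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gnome-font-viewer.local
+include gnome-font-viewer.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -24,6 +24,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp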
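--- a/etc/gnome-logs.profile
+++ b/etc/gnome-logs.profile
@@ -2,19 +2,19 @@
 # Description: Viewer for the systemd journal
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gnome-logs.local
+include gnome-logs.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 whitelist /var/log/journal
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 net none
@@ -28,6 +28,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp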
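--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -2,22 +2,22 @@
 # Description: Map application for GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gnome-maps.local
+include gnome-maps.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
 
 noblacklist ${HOME}/.cache/champlain
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -27,6 +27,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp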
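--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -2,25 +2,26 @@
 # Description: GTK/Gnome interface around MPlayer
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gnome-mplayer.local
+include gnome-mplayer.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/gnome-mplayer
 noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 nogroups
 nonewprivs
 noroot
+nou2f
 protocol unix,inet,inet6
 seccomp
 shell none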
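--- a/etc/gnome-mpv.profile
+++ b/etc/gnome-mpv.profile
@@ -2,28 +2,29 @@
 # Description: Simple GTK+ frontend for mpv
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gnome-mpv.local
+include gnome-mpv.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/gnome-mpv
 noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 nodbus
 nogroups
 nonewprivs
 noroot
+nou2f
 protocol unix,inet,inet6
 seccomp
 shell none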
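--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -2,9 +2,9 @@
 # Description: GNOME music player
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gnome-music.local
+include gnome-music.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.local/share/gnome-music
 noblacklist ${MUSIC}
@@ -15,14 +15,14 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -31,6 +31,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix
 seccomp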
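--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@@ -2,21 +2,21 @@
 # Description: Access, organize and share your photos with GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gnome-photos.local
+include gnome-photos.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
 
 noblacklist ${HOME}/.local/share/gnome-photos
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -26,6 +26,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 protocol unix
 seccomp
 shell none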
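--- /dev/null
+++ b/etc/gnome-pie.profile
@@ -0,0 +1,43 @@
+# Firejail profile for gnome-pie
+# Description: Alternative AppMenu
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-pie.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/gnome-pie
+
+#include disable-common.inc
+include disable-devel.inc
+#include disable-interpreters.inc
+include disable-passwdmgr.inc
+#include disable-programs.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-etc fonts
+private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp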
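Review bot: `#include disable-common.inc`, `#include disable-interpreters.inc` and `#include disable-programs.inc` are committed disabled with no explanation, so this new profile carries none of the blacklists those files supply, and it has no `whitelist` lines for the home directory to compensate. The remaining options (`net none`, `private-lib`, `memory-deny-write-execute`, `noexec ${HOME}`) are strict, which suggests the includes were switched off deliberately, presumably because a launcher has to reach other applications; that reason should be written down. I would add a comment above line 11 such as `# disable-common/-interpreters/-programs left off: <reason>; paths they blacklist stay visible`. Unless `gnome-pie.local` or `globals.local` adds a blacklist, `noblacklist ${HOME}/.config/gnome-pie` likely has no effect while `disable-programs.inc` stays commented out.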
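--- a/etc/gnome-recipes.profile
+++ b/etc/gnome-recipes.profile
@@ -2,23 +2,23 @@
 # Description: Recipe application for GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gnome-recipes.local
+include gnome-recipes.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 noblacklist ${HOME}/.local/share/gnome-recipes
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.cache/gnome-recipes
 whitelist ${HOME}/.cache/gnome-recipes
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace
@@ -29,6 +29,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp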
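--- a/etc/gnome-ring.profile
+++ b/etc/gnome-ring.profile
@@ -1,19 +1,19 @@
 # Firejail profile for gnome-ring
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gnome-ring.local
+include gnome-ring.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.local/share/gnome-ring
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace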
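Review bot: gnome-ring.profile is the only complete section on this page that does not gain a `nou2f` line; its single hunk stops at line 19, so the option block below `ipc-namespace` is untouched by this commit. The rest of the file is outside the hunk, so this may be deliberate, but if the application has no need for U2F tokens the profile should receive the same `nou2f` line as its siblings, placed with the other device restrictions. If the omission is intentional, a short comment in the profile saying so would keep later bulk edits from questioning it.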
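--- a/etc/gnome-twitch.profile
+++ b/etc/gnome-twitch.profile
@@ -2,24 +2,24 @@
 # Description: GNOME Twitch app for watching Twitch.tv streams without a browser or flash
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gnome-twitch.local
+include gnome-twitch.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/gnome-twitch
 noblacklist ${HOME}/.local/share/gnome-twitch
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.cache/gnome-twitch
 mkdir ${HOME}/.local/share/gnome-twitch
 whitelist ${HOME}/.cache/gnome-twitch
 whitelist ${HOME}/.local/share/gnome-twitch
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 nodvd
@@ -27,6 +27,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp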
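Review bot: The switch from `include /etc/firejail/disable-common.inc` to `include disable-common.inc` (and the other bare-name includes in this file) makes the effective sandbox policy depend on how firejail resolves a name without a directory, which this hunk does not show. If the lookup consults the user's configuration directory before /etc/firejail, a same-named file there replaces the system-wide blacklist, so that directory has to stay unwritable from inside every sandbox. I would state the search order in the profile header, for example `# bare include names are resolved through firejail's profile search path, not relative to this file`. The same applies to every other profile section in this commit that drops the /etc/firejail prefix.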
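--- a/etc/gnome-weather.profile
+++ b/etc/gnome-weather.profile
@@ -2,22 +2,22 @@
 # Description: Access current conditions and forecasts
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gnome-weather.local
+include gnome-weather.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
 
 noblacklist ${HOME}/.cache/libgweather
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -28,6 +28,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp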
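--- a/etc/goobox.profile
+++ b/etc/goobox.profile
@@ -2,18 +2,18 @@
 # Description: CD player and ripper with GNOME 3 integration
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/goobox.local
+include goobox.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${MUSIC}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter
@@ -22,6 +22,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp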
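--- a/etc/google-chrome-beta.profile
+++ b/etc/google-chrome-beta.profile
@@ -1,9 +1,9 @@
 # Firejail profile for google-chrome-beta
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/google-chrome-beta.local
+include google-chrome-beta.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/google-chrome-beta
 noblacklist ${HOME}/.config/google-chrome-beta
@@ -14,4 +14,4 @@ whitelist ${HOME}/.cache/google-chrome-beta
 whitelist ${HOME}/.config/google-chrome-beta
 
 # Redirect
-include /etc/firejail/chromium-common.profile
+include chromium-common.profile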
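--- a/etc/google-chrome-stable.profile
+++ b/etc/google-chrome-stable.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/google-chrome.profile
+include google-chrome.profile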
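--- a/etc/google-chrome-unstable.profile
+++ b/etc/google-chrome-unstable.profile
@@ -1,9 +1,9 @@
 # Firejail profile for google-chrome-unstable
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/google-chrome-unstable.local
+include google-chrome-unstable.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/google-chrome-unstable
 noblacklist ${HOME}/.config/google-chrome-unstable
@@ -14,4 +14,4 @@ whitelist ${HOME}/.cache/google-chrome-unstable
 whitelist ${HOME}/.config/google-chrome-unstable
 
 # Redirect
-include /etc/firejail/chromium-common.profile
+include chromium-common.profile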
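--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -1,9 +1,9 @@
 # Firejail profile for google-chrome
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/google-chrome.local
+include google-chrome.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/google-chrome
 noblacklist ${HOME}/.config/google-chrome
@@ -14,4 +14,4 @@ whitelist ${HOME}/.cache/google-chrome
 whitelist ${HOME}/.config/google-chrome
 
 # Redirect
-include /etc/firejail/chromium-common.profile
+include chromium-common.profile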
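--- a/etc/google-earth.profile
+++ b/etc/google-earth.profile
@@ -1,9 +1,9 @@
 # Firejail profile for google-earth
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/google-earth.local
+include google-earth.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/Google
 noblacklist ${HOME}/.googleearth/Cache/
@@ -11,11 +11,11 @@ noblacklist ${HOME}/.googleearth/Temp/
 noblacklist ${HOME}/.googleearth/myplaces.backup.kml
 noblacklist ${HOME}/.googleearth/myplaces.kml
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.config/Google
 mkdir ${HOME}/.googleearth/Cache/
@@ -27,7 +27,7 @@ whitelist ${HOME}/.googleearth/Cache/
 whitelist ${HOME}/.googleearth/Temp/
 whitelist ${HOME}/.googleearth/myplaces.backup.kml
 whitelist ${HOME}/.googleearth/myplaces.kml
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 ipc-namespace
@@ -37,6 +37,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp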
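--- a/etc/google-play-music-desktop-player.profile
+++ b/etc/google-play-music-desktop-player.profile
@@ -1,22 +1,22 @@
 # Firejail profile for google-play-music-desktop-player
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/google-play-music-desktop-player.local
+include google-play-music-desktop-player.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/Google Play Music Desktop Player
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 # whitelist ${HOME}/.config/pulse
 # whitelist ${HOME}/.pulse
 whitelist ${HOME}/.config/Google Play Music Desktop Player
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter
@@ -26,6 +26,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp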
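--- a/etc/gpa.profile
+++ b/etc/gpa.profile
@@ -2,17 +2,17 @@
 # Description: GNU Privacy Assistant (GPA)
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gpa.local
+include gpa.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.gnupg
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
@@ -22,6 +22,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp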
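Review bot: `nou2f` is added to a key-management profile with no comment saying which devices it removes or how a user undoes it, and the same bare line lands in gpg-agent.profile and gpg.profile. Whether it affects keys held on a hardware token depends on which device nodes the option covers, which is not visible in this hunk, so it is worth checking against a token before release. A comment such as `# nou2f hides U2F token devices; put 'ignore nou2f' in gpa.local if a token must stay reachable` would tell users where the override belongs. The profile continues outside the hunk.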
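--- a/etc/gpg-agent.profile
+++ b/etc/gpg-agent.profile
@@ -2,19 +2,19 @@
 # Description: GNU privacy guard - cryptographic agent
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gpg-agent.local
+include gpg-agent.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 blacklist /tmp/.X11-unix
 
 noblacklist ${HOME}/.gnupg
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
@@ -25,6 +25,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp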
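--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -2,19 +2,19 @@
 # Description: GNU Privacy Guard -- minimalist public key operations
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gpg.local
+include gpg.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 blacklist /tmp/.X11-unix
 
 noblacklist ${HOME}/.gnupg
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
@@ -25,6 +25,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp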
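--- a/etc/gpicview.profile
+++ b/etc/gpicview.profile
@@ -2,19 +2,19 @@
 # Description: Lightweight image viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gpicview.local
+include gpicview.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/gpicview
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 net none
@@ -25,6 +25,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp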
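--- a/etc/gpredict.profile
+++ b/etc/gpredict.profile
@@ -2,20 +2,20 @@
 # Description: Satellite tracking program
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gpredict.local
+include gpredict.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/Gpredict
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 whitelist ${HOME}/.config/Gpredict
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter
@@ -25,6 +25,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 protocol unix,inet,inet6
 seccomp
 shell none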
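Review bot: `novideo` is absent between the new `nou2f` line and `protocol unix,inet,inet6`, the position where the sibling profiles in this commit carry it, so video capture devices appear to stay reachable for a satellite-tracking program. Unless the option is set elsewhere in the file, outside this hunk, adding a `novideo` line after `nou2f` would bring the profile in line with the others. If the omission is deliberate, a one-line comment giving the reason would help the next reviewer.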
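--- a/etc/gradio.profile
+++ b/etc/gradio.profile
@@ -1,25 +1,25 @@
 # Firejail profile for gradio
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gradio.local
+include gradio.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/gradio
 noblacklist ${HOME}/.local/share/gradio
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.cache/gradio
 mkdir ${HOME}/.local/share/gradio
 whitelist ${HOME}/.cache/gradio
 whitelist ${HOME}/.local/share/gradio
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter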
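--- a/etc/gtar.profile
+++ b/etc/gtar.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/tar.profile
+include tar.profile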
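--- a/etc/gthumb.profile
+++ b/etc/gthumb.profile
@@ -2,19 +2,19 @@
 # Description: Image viewer and browser
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gthumb.local
+include gthumb.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/gthumb
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.steam
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 nodvd
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp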
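--- a/etc/guayadeque.profile
+++ b/etc/guayadeque.profile
@@ -1,19 +1,19 @@
 # Firejail profile for guayadeque
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/guayadeque.local
+include guayadeque.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.guayadeque
 noblacklist ${MUSIC}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter
@@ -21,6 +21,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp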
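--- a/etc/gucharmap.profile
+++ b/etc/gucharmap.profile
@@ -2,17 +2,17 @@
 # Description: Unicode character picker and font browser
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gucharmap.local
+include gucharmap.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp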
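--- a/etc/gunzip.profile
+++ b/etc/gunzip.profile
@@ -1,9 +1,9 @@
 # Firejail profile for gunzip
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gunzip.local
+include gunzip.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # Redirect
-include /etc/firejail/gzip.profile
+include gzip.profile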
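--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -2,9 +2,9 @@
 # Description: Image viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gwenview.local
+include gwenview.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/GIMP
 noblacklist ${HOME}/.config/gwenviewrc
@@ -17,13 +17,13 @@ noblacklist ${HOME}/.kde4/share/config/gwenviewrc
 noblacklist ${HOME}/.local/share/gwenview
 noblacklist ${HOME}/.local/share/org.kde.gwenview
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
@@ -34,6 +34,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix
 seccomp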
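--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -3,10 +3,10 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/gzip.local
+include gzip.local
 # Persistent global definitions
 # added by included default.profile
-#include /etc/firejail/globals.local
+#include globals.local
 
 blacklist /tmp/.X11-unix
 
@@ -17,10 +17,11 @@ nodbus
 nodvd
 nosound
 notv
+nou2f
 novideo
 shell none
 tracelog
 
 private-dev
 
-include /etc/firejail/default.profile
+include default.profile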
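Review bot: The rewritten `include` lines no longer pin the file to `/etc/firejail`, and nothing in this profile says where a bare name such as `gzip.local` or `default.profile` is now looked up. If firejail resolves such names through a search order that consults a per-user directory before the system one (my understanding, to be confirmed against the profile loader this commit ships with), a same-named file there takes the place of `default.profile` or of the `disable-*.inc` blacklists the sandbox depends on. I would state the lookup order once in the header comment, e.g. `# include names without a path are resolved through firejail's profile search order`, and check that the per-user directory cannot be written from inside a sandbox. The same applies to the `include` changes in every other profile section of this commit.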
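--- a/etc/handbrake-gtk.profile
+++ b/etc/handbrake-gtk.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/handbrake.profile
+include handbrake.profile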
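--- a/etc/handbrake.profile
+++ b/etc/handbrake.profile
@@ -2,22 +2,22 @@
 # Description: Versatile DVD ripper and video transcoder (GTK+ GUI)
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/handbrake.local
+include handbrake.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/ghb
 noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
@@ -26,6 +26,7 @@ nodbus
 nogroups
 nonewprivs
 noroot
+nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp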
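--- a/etc/hashcat.profile
+++ b/etc/hashcat.profile
@@ -3,20 +3,20 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/hashcat.local
+include hashcat.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.hashcat
 noblacklist /usr/include
 noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 net none
@@ -27,6 +27,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp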
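--- a/etc/hedgewars.profile
+++ b/etc/hedgewars.profile
@@ -2,21 +2,21 @@
 # Description: Funny turn-based artillery game, featuring fighting hedgehogs
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/hedgewars.local
+include hedgewars.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.hedgewars
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.hedgewars
 whitelist ${HOME}/.hedgewars
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter
@@ -25,6 +25,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 seccomp
 tracelog
 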
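--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -2,9 +2,9 @@
 # Description: IRC client for X based on X-Chat 2
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/hexchat.local
+include hexchat.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/hexchat
 noblacklist /usr/share/perl*
@@ -15,16 +15,16 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.config/hexchat
 whitelist ${HOME}/.config/hexchat
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 machine-id
@@ -36,6 +36,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp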
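--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@@ -2,17 +2,17 @@
 # Description: Universal source code to formatted text converter
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/highlight.local
+include highlight.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 blacklist /tmp/.X11-unix
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 net none
@@ -24,6 +24,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp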
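--- a/etc/hugin.profile
+++ b/etc/hugin.profile
@@ -2,20 +2,20 @@
 # Description: Panorama photo stitcher
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/hugin.local
+include hugin.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.hugin
 noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 net none
@@ -26,6 +26,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp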
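--- a/etc/i3.profile
+++ b/etc/i3.profile
@@ -2,13 +2,13 @@
 # Description: Standards-compliant, fast, light-weight and extensible window manager
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/i3.local
+include i3.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # all applications started in awesome will run in this profile
 noblacklist ${HOME}/.config/i3
-include /etc/firejail/disable-common.inc
+include disable-common.inc
 
 caps.drop all
 netfilter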
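Review bot: The context comment `# all applications started in awesome will run in this profile` names the wrong window manager for i3.profile; it looks carried over from the awesome profile and this commit leaves it as is. That comment is the only place telling a reader that every program launched from the session inherits this profile, so it should read `# all applications started in i3 will run in this profile`. As far as the hunk shows, the profile pulls in only `disable-common.inc` before `caps.drop all` and `netfilter`. The same comment could say that per-application restrictions need the application's own profile. The profile continues past the hunk, so check the rest of the file before wording that.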
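--- a/etc/icecat.profile
+++ b/etc/icecat.profile
@@ -1,9 +1,9 @@
 # Firejail profile for icecat
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/icecat.local
+include icecat.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
@@ -17,4 +17,4 @@ whitelist ${HOME}/.mozilla
 #private-etc icecat
 
 # Redirect
-include /etc/firejail/firefox-common.profile
+include firefox-common.profile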
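--- a/etc/icedove.profile
+++ b/etc/icedove.profile
@@ -1,9 +1,9 @@
 # Firejail profile for icedove
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/icedove.local
+include icedove.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # Users have icedove set to open a browser by clicking a link in an email
 # We are not allowed to blacklist browser-specific directories
@@ -18,10 +18,10 @@ mkdir ${HOME}/.icedove
 whitelist ${HOME}/.cache/icedove
 whitelist ${HOME}/.gnupg
 whitelist ${HOME}/.icedove
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 ignore private-tmp
 
 # allow browsers
 # Redirect
-include /etc/firejail/firefox.profile
+include firefox.profile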
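--- a/etc/iceweasel.profile
+++ b/etc/iceweasel.profile
@@ -1,12 +1,12 @@
 # Firejail profile for iceweasel
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/iceweasel.local
+include iceweasel.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # private-etc must first be enabled in firefox-common.profile
 #private-etc iceweasel
 
 # Redirect
-include /etc/firejail/firefox.profile
+include firefox.profile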
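--- a/etc/idea.profile
+++ b/etc/idea.profile
@@ -1,10 +1,10 @@
 # Firejail profile for idea
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/idea.local
+include idea.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 # Redirect
-include /etc/firejail/idea.sh.profile
+include idea.sh.profile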
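--- a/etc/idea.sh.profile
+++ b/etc/idea.sh.profile
@@ -1,9 +1,9 @@
 # Firejail profile for idea.sh
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/idea.sh.local
+include idea.sh.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.IdeaIC*
 noblacklist ${HOME}/.android
@@ -16,9 +16,9 @@ noblacklist ${HOME}/.local/share/JetBrains
 noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
@@ -27,6 +27,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp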
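--- a/etc/ideaIC.profile
+++ b/etc/ideaIC.profile
@@ -1,10 +1,10 @@
 # Firejail profile for ideaIC
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/ideaIC.local
+include ideaIC.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 # Redirect
-include /etc/firejail/idea.sh.profile
+include idea.sh.profile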
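--- a/etc/imagej.profile
+++ b/etc/imagej.profile
@@ -2,9 +2,9 @@
 # Description: Image processing program with a focus on microscopy images
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/imagej.local
+include imagej.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.imagej
 
@@ -14,11 +14,11 @@ noblacklist /usr/lib/java
 noblacklist /etc/java
 noblacklist /usr/share/java
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 ipc-namespace
@@ -30,6 +30,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp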
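--- a/etc/img2txt.profile
+++ b/etc/img2txt.profile
@@ -1,19 +1,19 @@
 # Firejail profile for img2txt
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/img2txt.local
+include img2txt.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 net none
@@ -24,6 +24,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp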
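--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -2,9 +2,9 @@
 # Description: Vector-based drawing program
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/inkscape.local
+include inkscape.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/inkscape
 noblacklist ${HOME}/.config/inkscape
@@ -12,14 +12,14 @@ noblacklist ${HOME}/.inkscape
 noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
@@ -31,6 +31,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp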
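--- a/etc/inox.profile
+++ b/etc/inox.profile
@@ -1,9 +1,9 @@
 # Firejail profile for inox
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/inox.local
+include inox.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/inox
 noblacklist ${HOME}/.config/inox
@@ -14,4 +14,4 @@ whitelist ${HOME}/.cache/inox
 whitelist ${HOME}/.config/inox
 
 # Redirect
-include /etc/firejail/chromium-common.profile
+include chromium-common.profile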
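--- a/etc/iridium-browser.profile
+++ b/etc/iridium-browser.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/iridium.profile
+include iridium.profile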
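--- a/etc/iridium.profile
+++ b/etc/iridium.profile
@@ -1,9 +1,9 @@
 # Firejail profile for iridium
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/iridium.local
+include iridium.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/iridium
 noblacklist ${HOME}/.config/iridium
@@ -14,4 +14,4 @@ whitelist ${HOME}/.cache/iridium
 whitelist ${HOME}/.config/iridium
 
 # Redirect
-include /etc/firejail/chromium-common.profile
+include chromium-common.profile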
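--- a/etc/itch.profile
+++ b/etc/itch.profile
@@ -1,24 +1,24 @@
 # Firejail profile for itch
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/itch.local
+include itch.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # itch.io has native firejail/sandboxing support bundled in
 # See https://itch.io/docs/itch/using/sandbox/linux.html
 
 noblacklist ${HOME}/.config/itch
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.config/itch
 whitelist ${HOME}/.config/itch
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter
@@ -27,6 +27,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp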
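--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -1,9 +1,9 @@
 # Firejail profile for jd-gui
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/jd-gui.local
+include jd-gui.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/jd-gui.cfg
 noblacklist ${HOME}/.java
@@ -14,14 +14,14 @@ noblacklist /usr/lib/java
 noblacklist /etc/java
 noblacklist /usr/share/java
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 net none
@@ -33,6 +33,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp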
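--- a/etc/jdownloader.profile
+++ b/etc/jdownloader.profile
@@ -1,10 +1,10 @@
 # Firejail profile for jdownloader
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/jdownloader.local
+include jdownloader.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 # Redirect
-include /etc/firejail/JDownloader.profile
+include JDownloader.profile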
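--- a/etc/jitsi.profile
+++ b/etc/jitsi.profile
@@ -1,9 +1,9 @@
 # Firejail profile for jitsi
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/jitsi.local
+include jitsi.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.jitsi
 
@@ -13,11 +13,11 @@ noblacklist /usr/lib/java
 noblacklist /etc/java
 noblacklist /usr/share/java
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 nodvd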
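--- a/etc/k3b.profile
+++ b/etc/k3b.profile
@@ -2,23 +2,23 @@
 # Description: Sophisticated CD/DVD burning application
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/k3b.local
+include k3b.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/k3brc
 noblacklist ${HOME}/.kde/share/config/k3brc
 noblacklist ${HOME}/.kde4/share/config/k3brc
 noblacklist ${MUSIC}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 no3d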
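--- a/etc/kaffeine.profile
+++ b/etc/kaffeine.profile
@@ -2,9 +2,9 @@
 # Description: Versatile media player for KDE
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/kaffeine.local
+include kaffeine.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/kaffeinerc
 noblacklist ${HOME}/.kde/share/apps/kaffeine
@@ -15,20 +15,21 @@ noblacklist ${HOME}/.local/share/kaffeine
 noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
 nogroups
 nonewprivs
 noroot
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp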
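--- a/etc/karbon.profile
+++ b/etc/karbon.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/krita.profile
+include krita.profile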
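--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -2,9 +2,9 @@
 # Description: Powerful text editor
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/kate.local
+include kate.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/katemetainfos
 noblacklist ${HOME}/.config/katepartrc
@@ -14,13 +14,13 @@ noblacklist ${HOME}/.config/katesyntaxhighlightingrc
 noblacklist ${HOME}/.config/katevirc
 noblacklist ${HOME}/.local/share/kate
 
-include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-devel.inc
-# include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+# include disable-devel.inc
+# include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 # apparmor
 caps.drop all
@@ -33,6 +33,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp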
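--- a/etc/kcalc.profile
+++ b/etc/kcalc.profile
@@ -2,16 +2,16 @@
 # Description: Simple and scientific calculator
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/kcalc.local
+include kcalc.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkfile ${HOME}/.config/kcalcrc
 mkfile ${HOME}/.kde/share/config/kcalcrc
@@ -19,8 +19,8 @@ mkfile ${HOME}/.kde4/share/config/kcalcrc
 whitelist ${HOME}/.config/kcalcrc
 whitelist ${HOME}/.kde/share/config/kcalcrc
 whitelist ${HOME}/.kde4/share/config/kcalcrc
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
@@ -33,6 +33,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp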
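--- a/etc/kdeinit4.profile
+++ b/etc/kdeinit4.profile
@@ -1,19 +1,19 @@
 # Firejail profile for kdeinit4
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/kdeinit4.local
+include kdeinit4.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # use outside KDE Plasma 4
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -22,6 +22,7 @@ nogroups
 nonewprivs
 # nosound - disabled for knotify
 noroot
+nou2f
 novideo
 notv
 protocol unix,inet,inet6,netlink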
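--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -2,19 +2,19 @@
 # Description: Non-linear video editor
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/kdenlive.local
+include kdenlive.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/kdenlive
 noblacklist ${HOME}/.config/kdenliverc
 noblacklist ${HOME}/.local/share/kdenlive
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 apparmor
 caps.drop all
@@ -25,6 +25,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,netlink
 seccomp
 shell none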
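--- a/etc/keepass.profile
+++ b/etc/keepass.profile
@@ -2,9 +2,9 @@
 # Description: An easy-to-use password manager
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/keepass.local
+include keepass.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/*.kdb
 noblacklist ${HOME}/*.kdbx
@@ -15,12 +15,12 @@ noblacklist ${HOME}/.local/share/KeePass
 noblacklist ${HOME}/.local/share/keepass
 noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter
@@ -31,6 +31,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp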
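--- a/etc/keepass2.profile
+++ b/etc/keepass2.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/keepass.profile
+include keepass.profile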
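--- a/etc/keepassx.profile
+++ b/etc/keepassx.profile
@@ -2,9 +2,9 @@
 # Description: Cross Platform Password Manager
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/keepassx.local
+include keepassx.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/*.kdb
 noblacklist ${HOME}/*.kdbx
@@ -12,14 +12,14 @@ noblacklist ${HOME}/.config/keepassx
 noblacklist ${HOME}/.keepassx
 noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 machine-id
@@ -32,6 +32,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp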
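--- a/etc/keepassx2.profile
+++ b/etc/keepassx2.profile
@@ -3,4 +3,4 @@
 # This file is overwritten after every install/update
 
 # Redirects
-include /etc/firejail/keepassx.profile
+include keepassx.profile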
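--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -2,9 +2,9 @@
 # Description: Cross Platform Password Manager
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/keepassxc.local
+include keepassxc.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/*.kdb
 noblacklist ${HOME}/*.kdbx
@@ -14,14 +14,14 @@ noblacklist ${HOME}/.keepassxc
 noblacklist ${HOME}/.mozilla
 noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 machine-id
@@ -34,6 +34,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp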
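Review bot: The `nou2f` line added in the last hunk (new row 37) carries no comment on how to undo it, and the same line is added to keepass.profile and keepassx.profile earlier in this commit. A password manager is the one kind of application here where unlocking with a hardware token is plausible. The option's implementation is not on this page, but if it hides the device nodes such a token needs, the database could no longer be unlocked that way inside the sandbox. A line above it such as `# hardware-token users: add 'ignore nou2f' to keepassxc.local` would document the override in the file that survives updates.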
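--- a/etc/kget.profile
+++ b/etc/kget.profile
@@ -2,9 +2,9 @@
 # Description: Download manager
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/kget.local
+include kget.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/kgetrc
 noblacklist ${HOME}/.kde/share/apps/kget
@@ -13,13 +13,13 @@ noblacklist ${HOME}/.kde4/share/apps/kget
 noblacklist ${HOME}/.kde4/share/config/kgetrc
 noblacklist ${HOME}/.local/share/kget
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -29,6 +29,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp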
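--- a/etc/kino.profile
+++ b/etc/kino.profile
@@ -2,18 +2,18 @@
 # Description: Non-linear editor for Digital Video data
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/kino.local
+include kino.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.kino-history
 noblacklist ${HOME}/.kinorc
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
@@ -21,6 +21,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix
 seccomp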
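--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -2,9 +2,9 @@
 # Description: Full featured graphical email client
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/kmail.local
+include kmail.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # kmail has problems launching akonadi in debian and ubuntu.
 # one solution is to have akonadi already running when kmail is started
@@ -29,13 +29,13 @@ noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.local/share/notes
 noblacklist /tmp/akonadi-*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 # apparmor
 caps.drop all
@@ -46,6 +46,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6,netlink
 # we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls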
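--- a/etc/knotes.profile
+++ b/etc/knotes.profile
@@ -2,9 +2,9 @@
 # Description: Sticky notes application
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/knotes.local
+include knotes.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # knotes has problems launching akonadi in debian and ubuntu.
 # one solution is to have akonadi already running when knotes is started
@@ -14,4 +14,4 @@ noblacklist ${HOME}/.local/share/knotes
 
 
 # Redirect
-include /etc/firejail/kmail.profile
+include kmail.profile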
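--- a/etc/kodi.profile
+++ b/etc/kodi.profile
@@ -2,9 +2,9 @@
 # Description: Open Source Home Theatre
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/kodi.local
+include kodi.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.kodi
 noblacklist ${MUSIC}
@@ -17,14 +17,14 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
@@ -32,6 +32,7 @@ netfilter
 nogroups
 nonewprivs
 noroot
+nou2f
 protocol unix,inet,inet6,netlink
 seccomp
 shell none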
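--- a/etc/konversation.profile
+++ b/etc/konversation.profile
@@ -2,21 +2,21 @@
 # Description: User friendly Internet Relay Chat (IRC) client for KDE
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/konversation.local
+include konversation.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/konversationrc
 noblacklist ${HOME}/.kde/share/config/konversationrc
 noblacklist ${HOME}/.kde4/share/config/konversationrc
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -25,6 +25,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp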
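--- a/etc/kopete.profile
+++ b/etc/kopete.profile
@@ -2,23 +2,23 @@
 # Description: Instant messaging and chat application
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/kopete.local
+include kopete.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.kde/share/apps/kopete
 noblacklist ${HOME}/.kde/share/config/kopeterc
 noblacklist ${HOME}/.kde4/share/apps/kopete
 noblacklist ${HOME}/.kde4/share/config/kopeterc
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 whitelist /var/lib/winpopup
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -27,6 +27,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,inet,inet6,netlink
 seccomp
 writable-var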
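--- a/etc/krita.profile
+++ b/etc/krita.profile
@@ -2,9 +2,9 @@
 # Description: Pixel-based image manipulation program
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/krita.local
+include krita.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/kritarc
 noblacklist ${HOME}/.local/share/krita
@@ -17,12 +17,12 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 apparmor
 caps.drop all
@@ -35,6 +35,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp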
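--- a/etc/krunner.profile
+++ b/etc/krunner.profile
@@ -2,9 +2,9 @@
 # Description: Framework for providing different actions given a string query
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/krunner.local
+include krunner.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # - programs started in krunner run with this generic profile.
 # - when a file is opened in krunner, the file viewer runs in its own sandbox
@@ -19,13 +19,13 @@ noblacklist ${HOME}/.kde4/share/config/krunnerrc
 # noblacklist ${HOME}/.local/share/baloo
 # noblacklist ${HOME}/.mozilla
 
-include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-devel.inc
-# include /etc/firejail/disable-interpreters.inc
-# include /etc/firejail/disable-passwdmgr.inc
-# include /etc/firejail/disable-programs.inc
+include disable-common.inc
+# include disable-devel.inc
+# include disable-interpreters.inc
+# include disable-passwdmgr.inc
+# include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter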
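--- a/etc/ktorrent.profile
+++ b/etc/ktorrent.profile
@@ -2,9 +2,9 @@
 # Description: BitTorrent client based on the KDE platform
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/ktorrent.local
+include ktorrent.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/ktorrentrc
 noblacklist ${HOME}/.kde/share/apps/ktorrent
@@ -13,11 +13,11 @@ noblacklist ${HOME}/.kde4/share/apps/ktorrent
 noblacklist ${HOME}/.kde4/share/config/ktorrentrc
 noblacklist ${HOME}/.local/share/ktorrent
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.kde/share/apps/ktorrent
 mkdir ${HOME}/.kde4/share/apps/ktorrent
@@ -32,8 +32,8 @@ whitelist ${HOME}/.kde/share/config/ktorrentrc
 whitelist ${HOME}/.kde4/share/apps/ktorrent
 whitelist ${HOME}/.kde4/share/config/ktorrentrc
 whitelist ${HOME}/.local/share/ktorrent
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 machine-id
@@ -45,6 +45,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp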
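--- a/etc/kwin_x11.profile
+++ b/etc/kwin_x11.profile
@@ -1,22 +1,22 @@
 # Firejail profile for kwin_x11
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/kwin_x11.local
+include kwin_x11.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/kwin
 noblacklist ${HOME}/.config/kwinrc
 noblacklist ${HOME}/.config/kwinrulesrc
 noblacklist ${HOME}/.local/share/kwin
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -26,6 +26,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp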
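--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -2,9 +2,9 @@
 # Description: Simple text editor
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/kwrite.local
+include kwrite.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/katepartrc
 noblacklist ${HOME}/.config/katerc
@@ -15,14 +15,14 @@ noblacklist ${HOME}/.config/kwriterc
 noblacklist ${HOME}/.local/share/kwrite
 noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
@@ -35,6 +35,7 @@ nonewprivs
 noroot
 # nosound - KWrite is using ALSA!
 notv
+nou2f
 novideo
 protocol unix
 seccomp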
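--- /dev/null
+++ b/etc/lbunzip2.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for gzip
+# Description: GNU compression utilities
+# This file is overwritten after every install/update
+
+
+# Redirect
+include gzip.profile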
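Review bot: The header comments of this new alias name the wrong program: lines 1 and 2 read `# Firejail profile alias for gzip` and `# Description: GNU compression utilities`, although the file is the profile for lbunzip2 and only redirects to gzip.profile. Something like `# Firejail profile alias for lbunzip2 (redirects to gzip.profile)` would let someone auditing which sandbox a tool runs under find it by its own name. The new lbzcat.profile and lbzip2.profile carry the same copied header.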
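--- /dev/null
+++ b/etc/lbzcat.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for gzip
+# Description: GNU compression utilities
+# This file is overwritten after every install/update
+
+
+# Redirect
+include gzip.profile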
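--- /dev/null
+++ b/etc/lbzip2.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for gzip
+# Description: GNU compression utilities
+# This file is overwritten after every install/update
+
+
+# Redirect
+include gzip.profile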
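--- a/etc/leafpad.profile
+++ b/etc/leafpad.profile
@@ -2,19 +2,19 @@
 # Description: GTK+ based simple text editor
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/leafpad.local
+include leafpad.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/leafpad
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -25,6 +25,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp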
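--- a/etc/less.profile
+++ b/etc/less.profile
@@ -3,10 +3,10 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/less.local
+include less.local
 # Persistent global definitions
 # added by included default.profile
-#include /etc/firejail/globals.local
+#include globals.local
 
 blacklist /tmp/.X11-unix
 
@@ -17,6 +17,7 @@ nodbus
 nodvd
 nosound
 notv
+nou2f
 novideo
 shell none
 tracelog
@@ -33,4 +34,4 @@ memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
 
-include /etc/firejail/default.profile
+include default.profile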
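--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -2,9 +2,9 @@
 # Description: Office productivity suite
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/libreoffice.local
+include libreoffice.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.java
 noblacklist /usr/local/sbin
@@ -17,12 +17,12 @@ noblacklist /usr/lib/java
 noblacklist /etc/java
 noblacklist /usr/share/java
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 # Ubuntu 18.04 uses its own apparmor profile
 # uncomment the next line if you are not on Ubuntu
@@ -36,6 +36,7 @@ nogroups
 #nonewprivs - fix for Ubuntu 18.04/Debian 10
 noroot
 notv
+nou2f
 #protocol unix,inet,inet6 - fix for Ubuntu 18.04/Debian 10
 #seccomp - fix for Ubuntu 18.04/Debian 10
 shell none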
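Review bot: In the third hunk `nou2f` lands in a block where `nonewprivs`, `protocol` and `seccomp` are all commented out as `fix for Ubuntu 18.04/Debian 10`, so those three filters are off for every distribution that installs this profile, not only the two named. A comment beside them would tell users on unaffected systems what to restore, e.g. `# not on Ubuntu 18.04/Debian 10? add nonewprivs, protocol and seccomp in libreoffice.local`. The lobase, localc, lodraw, loffice, lofromtemplate, loimpress, lomath, loweb and lowriter aliases on this page redirect here and inherit the same relaxed set. The option block starts before the hunk, so other lines may already cover part of this.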
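--- a/etc/liferea.profile
+++ b/etc/liferea.profile
@@ -2,9 +2,9 @@
 # Description: Feed/news/podcast client with plugin support
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/liferea.local
+include liferea.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/liferea
 noblacklist ${HOME}/.config/liferea
@@ -16,11 +16,11 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.cache/liferea
 mkdir ${HOME}/.config/liferea
@@ -28,8 +28,8 @@ mkdir ${HOME}/.local/share/liferea
 whitelist ${HOME}/.cache/liferea
 whitelist ${HOME}/.config/liferea
 whitelist ${HOME}/.local/share/liferea
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -40,6 +40,7 @@ nonewprivs
 noroot
 # nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp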
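--- a/etc/linphone.profile
+++ b/etc/linphone.profile
@@ -2,25 +2,25 @@
 # Description: SIP softphone - graphical client
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/linphone.local
+include linphone.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.linphone-history.db
 noblacklist ${HOME}/.linphonerc
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkfile ${HOME}/.linphone-history.db
 mkfile ${HOME}/.linphonerc
 whitelist ${HOME}/.linphone-history.db
 whitelist ${HOME}/.linphonerc
 whitelist ${HOME}/Downloads
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter
@@ -30,6 +30,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp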
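--- a/etc/lmms.profile
+++ b/etc/lmms.profile
@@ -2,20 +2,20 @@
 # Description: Linux Multimedia Studio
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/lmms.local
+include lmms.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.lmmsrc.xml
 noblacklist ${DOCUMENTS}
 noblacklist ${MUSIC}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 ipc-namespace
@@ -27,6 +27,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix
 seccomp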
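--- a/etc/lobase.profile
+++ b/etc/lobase.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/libreoffice.profile
+include libreoffice.profile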
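--- a/etc/localc.profile
+++ b/etc/localc.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/libreoffice.profile
+include libreoffice.profile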
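--- a/etc/lodraw.profile
+++ b/etc/lodraw.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/libreoffice.profile
+include libreoffice.profile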
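--- a/etc/loffice.profile
+++ b/etc/loffice.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/libreoffice.profile
+include libreoffice.profile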
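--- a/etc/lofromtemplate.profile
+++ b/etc/lofromtemplate.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/libreoffice.profile
+include libreoffice.profile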
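--- a/etc/loimpress.profile
+++ b/etc/loimpress.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/libreoffice.profile
+include libreoffice.profile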
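--- a/etc/lollypop.profile
+++ b/etc/lollypop.profile
@@ -2,9 +2,9 @@
 # Description: Music player for GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/lollypop.local
+include lollypop.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.local/share/lollypop
 noblacklist ${MUSIC}
@@ -15,14 +15,14 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -31,6 +31,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp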
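--- a/etc/lomath.profile
+++ b/etc/lomath.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/libreoffice.profile
+include libreoffice.profile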
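--- a/etc/loweb.profile
+++ b/etc/loweb.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/libreoffice.profile
+include libreoffice.profile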
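--- a/etc/lowriter.profile
+++ b/etc/lowriter.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/libreoffice.profile
+include libreoffice.profile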
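--- a/etc/luminance-hdr.profile
+++ b/etc/luminance-hdr.profile
@@ -2,19 +2,19 @@
 # Description: Graphical user interface providing a workflow for HDR imaging
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/luminance-hdr.local
+include luminance-hdr.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/Luminance
 noblacklist ${PICTURES}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter
@@ -24,6 +24,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp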
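--- a/etc/lximage-qt.profile
+++ b/etc/lximage-qt.profile
@@ -2,17 +2,17 @@
 # Description: Image viewer for LXQt
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/lximage-qt.local
+include lximage-qt.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/lximage-qt
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp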
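--- a/etc/lxmusic.profile
+++ b/etc/lxmusic.profile
@@ -2,22 +2,22 @@
 # Description: LXDE music player
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/lxmusic.local
+include lxmusic.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/xmms2
 noblacklist ${HOME}/.config/xmms2
 noblacklist ${MUSIC}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -27,6 +27,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix
 seccomp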
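--- a/etc/lynx.profile
+++ b/etc/lynx.profile
@@ -2,18 +2,18 @@
 # Description: Classic non-graphical (text-mode) web browser
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/lynx.local
+include lynx.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 blacklist /tmp/.X11-unix
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter
@@ -24,6 +24,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp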
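--- /dev/null
+++ b/etc/lzcat.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include cpio.profile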
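Review bot: The header `# Firejail profile alias for cpio` never names the program this file is for, and with `include cpio.profile` as the only directive nothing here states which restrictions lzcat ends up with. cpio.profile is not shown on this page; if it narrows `private-bin` or sets `shell none`, the identical new files for lzcmp, lzdiff, lzegrep, lzfgrep, lzgrep, lzless and lzmore deserve a check, since in xz-utils those are, as far as I know, shell wrappers that call xz together with diff, grep, less or more. lzmadec.profile in this same commit redirects to `xzdec.profile` instead, so the lz* family ends up on two different bases without explanation. There is also no `include lzcat.local` before the redirect, unlike masterpdfeditor4.profile, so a persistent override for one alias is not possible. The same applies to lzip, lzma and lzmainfo, which share this blob.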
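--- /dev/null
+++ b/etc/lzcmp.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include cpio.profile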
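--- /dev/null
+++ b/etc/lzdiff.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include cpio.profile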
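--- /dev/null
+++ b/etc/lzegrep.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include cpio.profile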
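--- /dev/null
+++ b/etc/lzfgrep.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include cpio.profile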
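--- /dev/null
+++ b/etc/lzgrep.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include cpio.profile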
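--- /dev/null
+++ b/etc/lzip.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include cpio.profile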
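--- /dev/null
+++ b/etc/lzless.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include cpio.profile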
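--- /dev/null
+++ b/etc/lzma.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include cpio.profile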
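--- a/etc/lzmadec.profile
+++ b/etc/lzmadec.profile
@@ -4,4 +4,4 @@
 
 
 # Redirect
-include /etc/firejail/xzdec.profile
+include xzdec.profile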
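--- /dev/null
+++ b/etc/lzmainfo.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include cpio.profile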
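--- /dev/null
+++ b/etc/lzmore.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include cpio.profile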
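--- a/etc/macrofusion.profile
+++ b/etc/macrofusion.profile
@@ -1,9 +1,9 @@
 # Firejail profile for macrofusion
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/macrofusion.local
+include macrofusion.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/mfusion
 noblacklist ${PICTURES}
@@ -14,12 +14,12 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 ipc-namespace
@@ -31,6 +31,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp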
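--- a/etc/makepkg.profile
+++ b/etc/makepkg.profile
@@ -10,9 +10,9 @@
 
 quiet
 # Persistent local customizations
-include /etc/firejail/makepkg.local
+include makepkg.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 # Enable severely restricted access to ${HOME}/.gnupg
@@ -30,9 +30,9 @@ blacklist ${HOME}/.gnupg/openpgp-revocs.d
 # Need to be able to read /var/lib/pacman, {Note no capabilities so automatically read-only}
 noblacklist /var/lib/pacman
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 ipc-namespace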
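--- /dev/null
+++ b/etc/masterpdfeditor.profile
@@ -0,0 +1,50 @@
+# Firejail profile for masterpdfeditor
+# Description: A complete solution for creating and editing PDF files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include masterpdfeditor.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Code Industry
+noblacklist ${HOME}/.masterpdfeditor
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# disable-mnt
+# private
+private-bin masterpdfeditor*
+private-cache
+private-dev
+private-etc fonts
+# private-lib
+private-tmp
+
+# memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp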
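Review bot: Four hardening options are left commented out near the end of the file (`# disable-mnt`, `# private`, `# private-lib`, `# memory-deny-write-execute`) with no reason given, so a later editor cannot tell whether they break the program or were never tested. Please put a short reason beside each, for example `# memory-deny-write-execute - <reason it is off>`. Since the profile has neither `whitelist` lines nor `private`, a PDF editor opening untrusted documents still sees every home path that the disable-*.inc files do not blacklist; `include disable-xdg.inc` preceded by `noblacklist ${DOCUMENTS}` would narrow that, in the way luminance-hdr.profile does with `${PICTURES}`.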
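--- /dev/null
+++ b/etc/masterpdfeditor4.profile
@@ -0,0 +1,12 @@
+# Firejail profile for masterpdfeditor4
+# Description: A complete solution for creating and editing PDF files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include masterpdfeditor4.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include masterpdfeditor.profile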
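--- /dev/null
+++ b/etc/masterpdfeditor5.profile
@@ -0,0 +1,12 @@
+# Firejail profile for masterpdfeditor5
+# Description: A complete solution for creating and editing PDF files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include masterpdfeditor5.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include masterpdfeditor.profile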
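--- a/etc/mate-calc.profile
+++ b/etc/mate-calc.profile
@@ -2,17 +2,17 @@
 # Description: MATE desktop calculator
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/mate-calc.local
+include mate-calc.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/mate-calc
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 whitelist ${HOME}/.cache/mate-calc
 whitelist ${HOME}/.config/caja
@@ -31,6 +31,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp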
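--- a/etc/mate-calculator.profile
+++ b/etc/mate-calculator.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/mate-calc.profile
+include mate-calc.profile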
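--- a/etc/mate-color-select.profile
+++ b/etc/mate-color-select.profile
@@ -1,16 +1,16 @@
 # Firejail profile for mate-color-select
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/mate-color-select.local
+include mate-color-select.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 whitelist ${HOME}/.config/gtk-3.0
 whitelist ${HOME}/.fonts
@@ -26,6 +26,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp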
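--- a/etc/mate-dictionary.profile
+++ b/etc/mate-dictionary.profile
@@ -1,17 +1,17 @@
 # Firejail profile for mate-dictionary
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/mate-dictionary.local
+include mate-dictionary.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/mate/mate-dictionary
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 whitelist ${HOME}/.config/mate/mate-dictionary
 whitelist ${HOME}/.config/gtk-3.0
@@ -28,6 +28,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp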
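--- a/etc/mathematica.profile
+++ b/etc/mathematica.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/Mathematica.profile
+include Mathematica.profile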
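--- a/etc/mcabber.profile
+++ b/etc/mcabber.profile
@@ -2,18 +2,18 @@
 # Description: Small Jabber (XMPP) console client
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/mcabber.local
+include mcabber.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.mcabber
 noblacklist ${HOME}/.mcabberrc
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
@@ -22,6 +22,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol inet,inet6
 seccomp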
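--- a/etc/mediainfo.profile
+++ b/etc/mediainfo.profile
@@ -2,17 +2,17 @@
 # Description: Command-line utility for reading information from audio/video files
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/mediainfo.local
+include mediainfo.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 blacklist /tmp/.X11-unix
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 net none
@@ -24,6 +24,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp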
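--- a/etc/mediathekview.profile
+++ b/etc/mediathekview.profile
@@ -2,9 +2,9 @@
 # Description: View streams from German public television stations
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/mediathekview.local
+include mediathekview.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.config/smplayer
@@ -23,13 +23,13 @@ noblacklist /usr/lib/java
 noblacklist /etc/java
 noblacklist /usr/share/java
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -38,6 +38,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp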
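--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -2,18 +2,18 @@
 # Description: Graphical tool to diff and merge files
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/meld.local
+include meld.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.local/share/meld
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 net none
@@ -25,6 +25,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp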
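--- /dev/null
+++ b/etc/mencoder.profile
@@ -0,0 +1,28 @@
+# Firejail profile for mencoder
+# Description: Free command line video decoding, encoding and filtering tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mencoder.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+net none
+no3d
+nodbus
+nosound
+notv
+nou2f
+protocol unix
+seccomp
+shell none
+
+private-bin mencoder
+
+include mplayer.profile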
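Review bot: The closing `include mplayer.profile` has no `# Redirect` marker, and nothing explains that the tighter options above it (`net none`, `protocol unix`, `private-bin mencoder`) are placed before the include on purpose. mplayer.profile is not visible on this page, so whether `caps.drop all`, `nonewprivs` and `noroot` apply to mencoder depends entirely on that file, and whether its own `protocol` or network lines conflict with the ones set here cannot be checked from this section. I would add `# Redirect - keep the options above before this include; caps, nonewprivs and noroot come from mplayer.profile` and confirm that the stricter values are the ones that take effect. The five `disable-*.inc` includes are probably repeated by mplayer.profile and could be dropped if so.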
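--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -2,9 +2,9 @@
 # Description: Lightweight web browser
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/midori.local
+include midori.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/midori
 noblacklist ${HOME}/.local/share/midori
@@ -12,10 +12,10 @@ noblacklist ${HOME}/.local/share/midori
 # noblacklist ${HOME}/.local/share/webkitgtk
 noblacklist ${HOME}/.pki
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.cache/midori
 mkdir ${HOME}/.config/midori
@@ -33,7 +33,7 @@ whitelist ${HOME}/.local/share/midori
 whitelist ${HOME}/.local/share/webkit
 whitelist ${HOME}/.local/share/webkitgtk
 whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter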
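--- a/etc/min.profile
+++ b/etc/min.profile
@@ -2,24 +2,24 @@
 # Description: A faster, smarter web browser.
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/min.local
+include min.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/Min
 
 noblacklist ${HOME}/.pki
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.pki
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 # ipc-namespace
@@ -33,6 +33,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,inet,inet6
 seccomp
 shell none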
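Review bot: `nou2f` in the second hunk is added to a web-browser profile, so hardware security keys are taken away from the kind of application that most often needs them for sign-in; ms-office.profile, which the Microsoft web-app wrappers redirect to, gets the same line. If this default is intended, a comment above the option should say so and name the override, e.g. `# nou2f blocks U2F tokens; put 'ignore nou2f' in min.local if you log in with a security key`. The `ignore` form is already used on this page (`ignore novideo` in ms-skype.profile). The profile continues past the hunk, so anything it does later with the device is not visible here.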
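--- a/etc/minetest.profile
+++ b/etc/minetest.profile
@@ -2,22 +2,22 @@
 # Description: Multiplayer infinite-world block sandbox
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/minetest.local
+include minetest.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.minetest
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.minetest
 whitelist ${HOME}/.minetest
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace
@@ -28,6 +28,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp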
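--- a/etc/mousepad.profile
+++ b/etc/mousepad.profile
@@ -2,19 +2,19 @@
 # Description: Simple Xfce oriented text editor
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/mousepad.local
+include mousepad.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/Mousepad
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -24,6 +24,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 protocol unix
 seccomp
 shell none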
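--- a/etc/mpd.profile
+++ b/etc/mpd.profile
@@ -2,21 +2,21 @@
 # Description: Music Player Daemon
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/mpd.local
+include mpd.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/mpd
 noblacklist ${HOME}/.mpd
 noblacklist ${HOME}/.mpdconf
 noblacklist ${MUSIC}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter
@@ -25,6 +25,7 @@ nodvd
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp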
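--- a/etc/mplayer.profile
+++ b/etc/mplayer.profile
@@ -2,28 +2,29 @@
 # Description: Movie player for Unix-like systems
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/mplayer.local
+include mplayer.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.mplayer
 noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
 # nogroups
 nonewprivs
 noroot
+nou2f
 protocol unix,inet,inet6,netlink
 seccomp
 shell none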
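--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -2,9 +2,9 @@
 # Description: Video player based on MPlayer/mplayer2
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/mpv.local
+include mpv.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.netrc
@@ -17,14 +17,14 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
@@ -34,6 +34,7 @@ nodbus
 nogroups
 nonewprivs
 noroot
+nou2f
 protocol unix,inet,inet6
 seccomp
 shell none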
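--- a/etc/ms-excel.profile
+++ b/etc/ms-excel.profile
@@ -1,12 +1,12 @@
 # Firejail profile for Microsoft Office Online - Excel
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/ms-excel.local
+include ms-excel.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/ms-excel-online
 private-bin ms-excel
 
 # Redirect
-include /etc/firejail/ms-office.profile
+include ms-office.profile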
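Review bot: The redirect `include ms-office.profile` now names the file without a directory, and this profile sets nothing of its own beyond `private-bin`, so `caps.drop all`, `seccomp`, `noroot` and the rest come from whichever ms-office.profile the loader finds. The diff does not show the lookup order for bare names; if a per-user directory is searched before /etc/firejail, a file placed there replaces the system hardening for every launch. A header comment such as `# bare include names are resolved through firejail's profile search path, not relative to this file` would make that dependency visible to anyone auditing the profile. The same applies to the other redirect profiles (ms-onenote, ms-outlook, ms-powerpoint, ms-skype, ms-word) and, less critically, to every `.inc` and `.local` include changed in this commit.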
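--- a/etc/ms-office.profile
+++ b/etc/ms-office.profile
@@ -1,9 +1,9 @@
 # Firejail profile for Microsoft Office Online
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/ms-office.local
+include ms-office.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/ms-office-online
 noblacklist ${HOME}/.jak
@@ -14,11 +14,11 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
@@ -28,6 +28,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp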
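--- a/etc/ms-onenote.profile
+++ b/etc/ms-onenote.profile
@@ -1,12 +1,12 @@
 # Firejail profile for Microsoft Office Online - Onenote
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/ms-onenote.local
+include ms-onenote.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/ms-onenote-online
 private-bin ms-onenote
 
 # Redirect
-include /etc/firejail/ms-office.profile
+include ms-office.profile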
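--- a/etc/ms-outlook.profile
+++ b/etc/ms-outlook.profile
@@ -1,12 +1,12 @@
 # Firejail profile for Microsoft Office Online - Outlook
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/ms-outlook.local
+include ms-outlook.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/ms-outlook-online
 private-bin ms-outlook
 
 # Redirect
-include /etc/firejail/ms-office.profile
+include ms-office.profile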
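--- a/etc/ms-powerpoint.profile
+++ b/etc/ms-powerpoint.profile
@@ -1,12 +1,12 @@
 # Firejail profile for Microsoft Office Online - Powerpoint
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/ms-powerpoint.local
+include ms-powerpoint.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/ms-powerpoint-online
 private-bin ms-powerpoint
 
 # Redirect
-include /etc/firejail/ms-office.profile
+include ms-office.profile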
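--- a/etc/ms-skype.profile
+++ b/etc/ms-skype.profile
@@ -1,13 +1,13 @@
 # Firejail profile for Microsoft Office Online - Skype
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/ms-skype.local
+include ms-skype.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/ms-skype-online
 ignore novideo
 private-bin ms-skype
 
 # Redirect
-include /etc/firejail/ms-office.profile
+include ms-office.profile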
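--- a/etc/ms-word.profile
+++ b/etc/ms-word.profile
@@ -1,12 +1,12 @@
 # Firejail profile for Microsoft Office Online - Word
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/ms-word.local
+include ms-word.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/ms-word-online
 private-bin ms-word
 
 # Redirect
-include /etc/firejail/ms-office.profile
+include ms-office.profile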
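--- a/etc/multimc5.profile
+++ b/etc/multimc5.profile
@@ -1,9 +1,9 @@
 # Firejail profile for multimc5
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/multimc5.local
+include multimc5.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/multimc
@@ -16,17 +16,17 @@ noblacklist /usr/lib/java
 noblacklist /etc/java
 noblacklist /usr/share/java
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.local/share/multimc
 whitelist ${HOME}/.local/share/multimc
 whitelist ${HOME}/.local/share/multimc5
 whitelist ${HOME}/.multimc5
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter
@@ -35,6 +35,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 # seccomp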
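--- a/etc/mumble.profile
+++ b/etc/mumble.profile
@@ -2,25 +2,25 @@
 # Description: Low latency encrypted VoIP client
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/mumble.local
+include mumble.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/Mumble
 noblacklist ${HOME}/.local/share/data/Mumble
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.config/Mumble
 mkdir ${HOME}/.local/share/data/Mumble
 whitelist ${HOME}/.config/Mumble
 whitelist ${HOME}/.local/share/data/Mumble
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter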
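--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -2,20 +2,20 @@
 # Description: Lightweight PDF viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/mupdf.local
+include mupdf.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 machine-id
@@ -27,6 +27,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp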
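--- a/etc/mupen64plus.profile
+++ b/etc/mupen64plus.profile
@@ -2,25 +2,25 @@
 # Description: Nintendo64 Emulator
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/mupen64plus.local
+include mupen64plus.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/mupen64plus
 noblacklist ${HOME}/.local/share/mupen64plus
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-passwdmgr.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 # you'll need to manually whitelist ROM files
 mkdir ${HOME}/.config/mupen64plus
 mkdir ${HOME}/.local/share/mupen64plus
 whitelist ${HOME}/.config/mupen64plus/
 whitelist ${HOME}/.local/share/mupen64plus/
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 net none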
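Review bot: `include disable-passwdmgr.inc` appears twice in a row (new lines 14 and 15) and the profile never includes `disable-interpreters.inc`, which the other profiles on this page, apart from musixmatch.profile, have in that position; the commit carries the old duplicate over unchanged. This looks like a copy-paste slip, so line 14 should probably read `include disable-interpreters.inc`, once it is confirmed that the emulator still starts with interpreters blacklisted. musixmatch.profile also lacks the interpreters include, though without a duplicated line, and deserves the same check or a comment saying the omission is deliberate.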
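--- a/etc/musescore.profile
+++ b/etc/musescore.profile
@@ -2,9 +2,9 @@
 # Description: Free music composition and notation software
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/musescore.local
+include musescore.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/MusE
 noblacklist ${HOME}/.config/MuseScore
@@ -13,14 +13,14 @@ noblacklist ${HOME}/.local/share/data/MuseScore
 noblacklist ${DOCUMENTS}
 noblacklist ${MUSIC}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter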
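--- a/etc/musixmatch.profile
+++ b/etc/musixmatch.profile
@@ -1,17 +1,17 @@
 # Firejail profile for Musixmatch
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/musixmatch.local
+include musixmatch.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${MUSIC}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 ipc-namespace
@@ -24,6 +24,7 @@ noroot
 nogroups
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp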
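--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -2,9 +2,9 @@
 # Description: Text-based mailreader supporting MIME, GPG, PGP and threading
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/mutt.local
+include mutt.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 blacklist /tmp/.X11-unix
 
@@ -32,11 +32,11 @@ noblacklist ${HOME}/mail
 noblacklist ${HOME}/postponed
 noblacklist ${HOME}/sent
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
@@ -47,6 +47,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp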
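Review bot: The bare names in both include hunks (`include mutt.local`, `include globals.local`, `include disable-common.inc` and the four after it) no longer pin the loaded file to /etc/firejail, so which file supplies the blacklist now depends on firejail's include search order, which this page does not show. If a per-user profile directory is searched before the system one, a user-writable `disable-common.inc` there would silently replace the system copy for this profile; it is worth confirming that directory cannot be written from inside a sandbox. I would state the lookup order once in the file header, for example `# Bare include names are resolved through firejail's profile search path, not relative to this file`. The same substitution is made in the other profiles of this commit (natron, nautilus, ncdu, nemo, netsurf and the rest), so the point applies there too.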
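--- a/etc/natron.profile
+++ b/etc/natron.profile
@@ -1,9 +1,9 @@
 # Firejail profile for natron
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/natron.local
+include natron.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # Allow access to python
 noblacklist ${PATH}/python2*
@@ -16,11 +16,11 @@ noblacklist ${HOME}/.cache/INRIA/Natron
 noblacklist ${HOME}/.config/INRIA
 noblacklist /opt/natron
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 net none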
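--- a/etc/nautilus.profile
+++ b/etc/nautilus.profile
@@ -2,9 +2,9 @@
 # Description: File manager and graphical shell for GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/nautilus.local
+include nautilus.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there
 # is already a nautilus process running on gnome desktops firejail will have no effect.
@@ -20,11 +20,11 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-# include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# include disable-programs.inc
 
 caps.drop all
 netfilter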
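--- a/etc/ncdu.profile
+++ b/etc/ncdu.profile
@@ -2,9 +2,9 @@
 # Description: Ncurses disk usage viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/ncdu.local
+include ncdu.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 caps.drop all
 ipc-namespace
@@ -17,6 +17,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp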
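--- a/etc/nemo.profile
+++ b/etc/nemo.profile
@@ -2,9 +2,9 @@
 # Description: File manager and graphical shell for Cinnamon
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/nemo.local
+include nemo.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/nemo
 noblacklist ${HOME}/.local/share/Trash
@@ -17,10 +17,10 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
 
 caps.drop all
 netfilter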
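--- a/etc/netsurf.profile
+++ b/etc/netsurf.profile
@@ -2,24 +2,24 @@
 # Description: Lightweight and fast web browser
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/netsurf.local
+include netsurf.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/netsurf
 noblacklist ${HOME}/.config/netsurf
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.cache/netsurf
 mkdir ${HOME}/.config/netsurf
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/netsurf
 whitelist ${HOME}/.config/netsurf
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter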
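--- a/etc/neverball.profile
+++ b/etc/neverball.profile
@@ -2,21 +2,21 @@
 # Description: 3D floor-tilting game
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/neverball.local
+include neverball.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.neverball
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.neverball
 whitelist ${HOME}/.neverball
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter
@@ -25,6 +25,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,netlink
 seccomp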
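--- a/etc/nheko.profile
+++ b/etc/nheko.profile
@@ -2,18 +2,18 @@
 # Description: Desktop IM client for the Matrix protocol
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/nheko.local
+include nheko.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/nheko
 noblacklist ${HOME}/.cache/nheko/nheko
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.config/nheko
 mkdir ${HOME}/.cache/nheko/nheko
@@ -22,7 +22,7 @@ whitelist ${HOME}/.config/nheko
 whitelist ${HOME}/.cache/nheko/nheko
 whitelist ${DOWNLOADS}
 
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter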
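--- /dev/null
+++ b/etc/nitroshare-cli.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for nitroshare
+# Description: Network File Transfer Application
+# This file is overwritten after every install/update
+
+
+# Redirect
+include nitroshare.profile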
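--- /dev/null
+++ b/etc/nitroshare-nmh.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for nitroshare
+# Description: Network File Transfer Application
+# This file is overwritten after every install/update
+
+
+# Redirect
+include nitroshare.profile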
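--- /dev/null
+++ b/etc/nitroshare-send.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for nitroshare
+# Description: Network File Transfer Application
+# This file is overwritten after every install/update
+
+
+# Redirect
+include nitroshare.profile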
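--- /dev/null
+++ b/etc/nitroshare-ui.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for nitroshare
+# Description: Network File Transfer Application
+# This file is overwritten after every install/update
+
+
+# Redirect
+include nitroshare.profile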
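--- /dev/null
+++ b/etc/nitroshare.profile
@@ -0,0 +1,50 @@
+# Firejail profile for nitroshare
+# Description: Network File Transfer Application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nitroshare.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Nathan Osman
+noblacklist ${HOME}/.config/NitroShare
+
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+no3d
+# nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+disable-mnt
+private-bin awk,grep,nitroshare,nitroshare-cli,nitroshare-nmh,nitroshare-send,nitroshare-ui
+private-cache
+private-dev
+private-etc ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,machine-id,nsswitch.conf,ssl
+# private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare
+private-tmp
+
+# memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp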
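Review bot: Lines 13-16 of the new profile lift the interpreter blacklist for Python (`noblacklist ${PATH}/python2*` and the three lines after it), but `private-bin` on line 41 lists only awk, grep and the nitroshare binaries, so as far as this file shows no Python interpreter would be present in the sandbox's bin directory. If NitroShare does not need Python, dropping lines 12-16 keeps those paths blacklisted by disable-interpreters.inc; if it does, `private-bin` is missing the interpreter and the profile should say which one. Separately, `# nodbus`, `# private-lib …` and `# memory-deny-write-execute` are left disabled without a stated reason; a trailing note such as `# nodbus - disabled: <reason>` on each would tell the next maintainer whether the restriction can be re-enabled.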
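--- a/etc/nylas.profile
+++ b/etc/nylas.profile
@@ -1,23 +1,23 @@
 # Firejail profile for nylas
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/nylas.local
+include nylas.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/Nylas Mail
 noblacklist ${HOME}/.nylas-mail
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/Nylas Mail
 whitelist ${HOME}/.nylas-mail
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter
@@ -27,6 +27,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp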
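--- a/etc/obs.profile
+++ b/etc/obs.profile
@@ -1,9 +1,9 @@
 # Firejail profile for obs
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/obs.local
+include obs.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/obs-studio
 noblacklist ${MUSIC}
@@ -16,14 +16,14 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 nodvd
@@ -31,6 +31,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,inet,inet6
 seccomp
 shell none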
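--- a/etc/odt2txt.profile
+++ b/etc/odt2txt.profile
@@ -2,20 +2,20 @@
 # Description: Simple converter from OpenDocument Text to plain text
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/odt2txt.local
+include odt2txt.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${DOCUMENTS}
 
 blacklist /tmp/.X11-unix
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 net none
@@ -27,6 +27,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp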
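--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -2,9 +2,9 @@
 # Description: Universal document viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/okular.local
+include okular.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/okular
 noblacklist ${HOME}/.config/okularpartrc
@@ -18,14 +18,14 @@ noblacklist ${HOME}/.kde4/share/config/okularrc
 noblacklist ${HOME}/.local/share/okular
 noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
@@ -39,6 +39,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp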
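--- a/etc/onionshare-gui.profile
+++ b/etc/onionshare-gui.profile
@@ -1,9 +1,9 @@
 # Firejail profile for onionshare-gui
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/onionshare-gui.local
+include onionshare-gui.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/onionshare
 
@@ -11,13 +11,13 @@ noblacklist ${HOME}/.config/onionshare
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace
@@ -29,6 +29,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp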
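--- a/etc/open-invaders.profile
+++ b/etc/open-invaders.profile
@@ -2,21 +2,21 @@
 # Description: Space Invaders clone
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/open-invaders.local
+include open-invaders.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.openinvaders
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.openinvaders
 whitelist ${HOME}/.openinvaders
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 net none
@@ -26,6 +26,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,netlink
 seccomp
 shell none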
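--- a/etc/openbox.profile
+++ b/etc/openbox.profile
@@ -2,13 +2,13 @@
 # Description: Standards-compliant, fast, light-weight and extensible window manager
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/openbox.local
+include openbox.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # all applications started in OpenBox will run in this profile
 noblacklist ${HOME}/.config/openbox
-include /etc/firejail/disable-common.inc
+include disable-common.inc
 
 caps.drop all
 netfilter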
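--- a/etc/openshot-qt.profile
+++ b/etc/openshot-qt.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/openshot.profile
+include openshot.profile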
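--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -2,9 +2,9 @@
 # Description: Create and edit videos and movies
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/openshot.local
+include openshot.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.openshot
 noblacklist ${HOME}/.openshot_qt
@@ -15,13 +15,13 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
@@ -32,6 +32,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,inet,inet6,netlink
 seccomp
 shell none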
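--- a/etc/opera-beta.profile
+++ b/etc/opera-beta.profile
@@ -1,9 +1,9 @@
 # Firejail profile for opera-beta
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/opera-beta.local
+include opera-beta.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/opera
 noblacklist ${HOME}/.config/opera-beta
@@ -14,4 +14,4 @@ whitelist ${HOME}/.cache/opera
 whitelist ${HOME}/.config/opera-beta
 
 # Redirect
-include /etc/firejail/chromium-common.profile
+include chromium-common.profile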
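--- a/etc/opera.profile
+++ b/etc/opera.profile
@@ -2,9 +2,9 @@
 # Description: A fast and secure web browser
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/opera.local
+include opera.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/opera
 noblacklist ${HOME}/.config/opera
@@ -18,4 +18,4 @@ whitelist ${HOME}/.config/opera
 whitelist ${HOME}/.opera
 
 # Redirect
-include /etc/firejail/chromium-common.profile
+include chromium-common.profile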
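--- a/etc/orage.profile
+++ b/etc/orage.profile
@@ -2,19 +2,19 @@
 # Description: Calendar for Xfce Desktop Environment
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/orage.local
+include orage.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/orage
 noblacklist ${HOME}/.local/share/orage
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter
@@ -25,6 +25,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp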
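--- a/etc/p7zip.profile
+++ b/etc/p7zip.profile
@@ -2,10 +2,10 @@
 # Description: 7zr file archiver with high compression ratio
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/p7zip.local
+include p7zip.local
 # Persistent global definitions
 # added by included profile
-#include /etc/firejail/globals.local
+#include globals.local
 
 # Redirect
-include /etc/firejail/7z.profile
+include 7z.profile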
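--- a/etc/palemoon.profile
+++ b/etc/palemoon.profile
@@ -1,9 +1,9 @@
 # Firejail profile for palemoon
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/palemoon.local
+include palemoon.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/moonchild productions/pale moon
 noblacklist ${HOME}/.moonchild productions/pale moon
@@ -23,4 +23,4 @@ seccomp
 #private-opt palemoon
 
 # Redirect
-include /etc/firejail/firefox-common.profile
+include firefox-common.profile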
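--- a/etc/parole.profile
+++ b/etc/parole.profile
@@ -2,19 +2,19 @@
 # Description: Media player based on GStreamer framework
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/parole.local
+include parole.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter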
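Review bot: parole.profile gets only the include-path change here; this section has no hunk adding `nou2f`, while orage, patch, pdfchain and most other profiles in this commit gain one next to their other `no*` device options. The rest of the profile lies outside the hunk, so the omission may be deliberate, but nothing visible suggests a media player needs access to U2F devices. If it was simply missed, add `nou2f` alongside the profile's existing device restrictions so it matches the sibling profiles.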
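--- a/etc/patch.profile
+++ b/etc/patch.profile
@@ -3,19 +3,19 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/patch.local
+include patch.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace
@@ -28,6 +28,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp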
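--- a/etc/pcmanfm.profile
+++ b/etc/pcmanfm.profile
@@ -2,19 +2,19 @@
 # Description: Extremely fast and lightweight file manager
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/pcmanfm.local
+include pcmanfm.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.local/share/Trash
 # noblacklist ${HOME}/.config/libfm - disable-programs.inc is disabled, see below
 # noblacklist ${HOME}/.config/pcmanfm
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-# include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# include disable-programs.inc
 
 caps.drop all
 # net none - see issue #1467, computer:/// location broken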
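--- a/etc/pdfchain.profile
+++ b/etc/pdfchain.profile
@@ -1,20 +1,20 @@
 # Firejail profile for pdfchain
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/pdfchain.local
+include pdfchain.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace
@@ -26,6 +26,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp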
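--- a/etc/pdfmod.profile
+++ b/etc/pdfmod.profile
@@ -2,22 +2,22 @@
 # Description: Simple tool for modifying PDF documents
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/pdfmod.local
+include pdfmod.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/pdfmod
 noblacklist ${HOME}/.config/pdfmod
 noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace
@@ -31,6 +31,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp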
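--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -2,9 +2,9 @@
 # Description: PDF Split and Merge
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/pdfsam.local
+include pdfsam.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.java
 noblacklist ${DOCUMENTS}
@@ -15,12 +15,12 @@ noblacklist /usr/lib/java
 noblacklist /etc/java
 noblacklist /usr/share/java
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 machine-id
@@ -33,6 +33,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp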
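--- a/etc/pdftotext.profile
+++ b/etc/pdftotext.profile
@@ -1,22 +1,22 @@
 # Firejail profile for pdftotext
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/pdftotext.local
+include pdftotext.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${DOCUMENTS}
 
 blacklist /tmp/.X11-unix
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 machine-id
@@ -29,6 +29,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp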
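--- a/etc/peek.profile
+++ b/etc/peek.profile
@@ -1,20 +1,20 @@
 # Firejail profile for peek
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/peek.local
+include peek.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/peek
 noblacklist ${PICTURES}
 noblacklist ${VIDEOS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 net none
@@ -26,6 +26,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp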
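--- a/etc/picard.profile
+++ b/etc/picard.profile
@@ -2,9 +2,9 @@
 # Description: Next-Generation MusicBrainz audio files tagger
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/picard.local
+include picard.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/MusicBrainz
 noblacklist ${HOME}/.config/MusicBrainz
@@ -16,14 +16,14 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 no3d
@@ -33,6 +33,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp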
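--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -2,17 +2,17 @@
 # Description: Graphical multi-protocol instant messaging client
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/pidgin.local
+include pidgin.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.purple
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
@@ -21,6 +21,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,inet,inet6
 seccomp
 shell none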
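--- a/etc/ping.profile
+++ b/etc/ping.profile
@@ -2,17 +2,17 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/ping.local
+include ping.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
-include /etc/firejail/whitelist-common.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-common.inc
 
 caps.keep net_raw
 ipc-namespace
@@ -27,6 +27,7 @@ nogroups
 #noroot
 nosound
 notv
+nou2f
 novideo
 
 # protocol command is built using seccomp; nonewprivs will kill it
@@ -47,5 +48,3 @@ private-tmp
 #memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
-
-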
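--- a/etc/pingus.profile
+++ b/etc/pingus.profile
@@ -2,21 +2,21 @@
 # Description: Free Lemmings(TM) clone
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/pingus.local
+include pingus.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.pingus
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.pingus
 whitelist ${HOME}/.pingus
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 net none
@@ -26,6 +26,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,netlink
 seccomp
 shell none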
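--- a/etc/pinta.profile
+++ b/etc/pinta.profile
@@ -2,20 +2,20 @@
 # Description: Simple drawing/painting program
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/pinta.local
+include pinta.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/Pinta
 noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 ipc-namespace
@@ -27,6 +27,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp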
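--- a/etc/pithos.profile
+++ b/etc/pithos.profile
@@ -2,9 +2,9 @@
 # Description: Pandora Radio client for the GNOME desktop
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/pithos.local
+include pithos.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # Allow python (blacklisted by disable-interpreters.inc)
 noblacklist ${PATH}/python2*
@@ -12,15 +12,15 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -30,6 +30,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp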
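--- a/etc/pitivi.profile
+++ b/etc/pitivi.profile
@@ -2,9 +2,9 @@
 # Description: Non-linear audio/video editor using GStreamer
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/pitivi.local
+include pitivi.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 noblacklist ${HOME}/.config/pitivi
@@ -15,13 +15,13 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace
@@ -31,6 +31,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix
 seccomp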
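--- a/etc/pix.profile
+++ b/etc/pix.profile
@@ -1,20 +1,20 @@
 # Firejail profile for pix
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/pix.local
+include pix.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/pix
 noblacklist ${HOME}/.local/share/pix
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.steam
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 nodvd
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp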
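Review bot: The bare names in the new `include pix.local`, `include globals.local` and `include disable-*.inc` lines no longer pin the files to /etc/firejail, so which file gets loaded now depends on firejail's include lookup order, which this page does not show. If that lookup consults a per-user directory before the system one, a same-named file there (for example `disable-common.inc`) would replace the system-wide blacklist for every profile changed this way; the same applies to the other profile sections on this page. I would document the lookup next to the first include, e.g. `# bare include names are resolved via firejail's profile search path, not pinned to /etc/firejail`, and confirm that the per-user profile directory cannot be written from inside a sandbox.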
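--- a/etc/playonlinux.profile
+++ b/etc/playonlinux.profile
@@ -2,9 +2,9 @@
 # Description: Front-end for Wine
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/playonlinux.local
+include playonlinux.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.local/share/Steam
@@ -22,11 +22,11 @@ noblacklist ${PATH}/perl
 noblacklist /usr/lib/perl*
 noblacklist /usr/share/perl*
 
-include /etc/firejail/disable-common.inc
+include disable-common.inc
 # playonlinux uses perl
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-programs.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter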
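--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -2,19 +2,19 @@
 # Description: Official text editor of the MATE desktop environment
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/pluma.local
+include pluma.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/pluma
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 # apparmor - makes settings immutable
 caps.drop all
@@ -28,6 +28,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp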
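--- a/etc/polari.profile
+++ b/etc/polari.profile
@@ -2,15 +2,15 @@
 # Description: Internet Relay Chat (IRC) client
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/polari.local
+include polari.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.cache/telepathy
 mkdir ${HOME}/.config/telepathy-account-widgets
@@ -24,7 +24,7 @@ whitelist ${HOME}/.local/share/Empathy
 whitelist ${HOME}/.local/share/TpLogger
 whitelist ${HOME}/.local/share/telepathy
 whitelist ${HOME}/.purple
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter
@@ -35,6 +35,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 protocol unix,inet,inet6
 seccomp
 shell none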
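--- a/etc/ppsspp.profile
+++ b/etc/ppsspp.profile
@@ -2,23 +2,23 @@
 # Description: A PSP emulator written in C++
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/ppsspp.local
+include ppsspp.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/ppsspp
 noblacklist ${DOCUMENTS}
 # with >=llvm-4 mesa drivers need llvm stuff
 noblacklist /usr/lib/llvm*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace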
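--- a/etc/psi-plus.profile
+++ b/etc/psi-plus.profile
@@ -2,18 +2,18 @@
 # Description: Qt-based XMPP/Jabber client
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/psi-plus.local
+include psi-plus.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/psi+
 noblacklist ${HOME}/.local/share/psi+
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.cache/psi+
 mkdir ${HOME}/.config/psi+
@@ -22,7 +22,7 @@ whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/psi+
 whitelist ${HOME}/.config/psi+
 whitelist ${HOME}/.local/share/psi+
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter
@@ -32,6 +32,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp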
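--- a/etc/pybitmessage.profile
+++ b/etc/pybitmessage.profile
@@ -1,9 +1,9 @@
 # Firejail profile for pybitmessage
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/pybitmessage.local
+include pybitmessage.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist /sbin
 noblacklist /usr/local/sbin
@@ -15,13 +15,13 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-interpreters.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-interpreters.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace
@@ -33,6 +33,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp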
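--- a/etc/pycharm-community.profile
+++ b/etc/pycharm-community.profile
@@ -1,9 +1,9 @@
 # Firejail profile for pycharm-community
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/pycharm-community.local
+include pycharm-community.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/snap
 noblacklist ${HOME}/.PyCharmCE*
@@ -15,10 +15,10 @@ noblacklist /usr/lib/java
 noblacklist /etc/java
 noblacklist /usr/share/java
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 machine-id
@@ -26,6 +26,7 @@ nodvd
 nogroups
 nosound
 notv
+nou2f
 novideo
 shell none
 tracelog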
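Review bot: `nou2f` is added at new line 29, but the visible lines 23–32 of the new file run from `caps.drop all` to `tracelog` without `nonewprivs`, `noroot`, `protocol` or `seccomp`, which most other profiles on this page set next to `nou2f`. That may be deliberate for an IDE that launches debuggers and build tools, but nothing in the visible lines says so. A short comment such as `# nonewprivs/noroot/seccomp omitted: <reason>` would keep the profile from reading as hardened while the stronger restrictions are missing. The rest of the file lies outside the hunks shown.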
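--- a/etc/pycharm-professional.profile
+++ b/etc/pycharm-professional.profile
@@ -4,4 +4,4 @@
 noblacklist ${HOME}/.PyCharm*
 
 # Redirect
-include /etc/firejail/pycharm-community.profile
+include pycharm-community.profile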
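--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -2,9 +2,9 @@
 # Description: BitTorrent client based on libtorrent-rasterbar with a Qt5 GUI
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/qbittorrent.local
+include qbittorrent.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/qBittorrent
 noblacklist ${HOME}/.config/qBittorrent
@@ -17,11 +17,11 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.cache/qBittorrent
 mkdir ${HOME}/.config/qBittorrent
@@ -31,8 +31,8 @@ whitelist ${HOME}/.cache/qBittorrent
 whitelist ${HOME}/.config/qBittorrent
 whitelist ${HOME}/.config/qBittorrentrc
 whitelist ${HOME}/.local/share/data/qBittorrent
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
@@ -45,6 +45,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp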
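--- a/etc/qemu-launcher.profile
+++ b/etc/qemu-launcher.profile
@@ -1,15 +1,15 @@
 # Firejail profile for qemu-launcher
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/qemu-launcher.local
+include qemu-launcher.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.qemu-launcher
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter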
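--- a/etc/qemu-system-x86_64.profile
+++ b/etc/qemu-system-x86_64.profile
@@ -1,14 +1,14 @@
 # Firejail profile for qemu-system-x86_64
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/qemu-system-x86_64.local
+include qemu-system-x86_64.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter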
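--- a/etc/qlipper.profile
+++ b/etc/qlipper.profile
@@ -2,18 +2,18 @@
 # Description: Lightweight and cross-platform clipboard history applet
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/qlipper.local
+include qlipper.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/Qlipper
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter
@@ -24,6 +24,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp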
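--- a/etc/qmmp.profile
+++ b/etc/qmmp.profile
@@ -2,18 +2,18 @@
 # Description: Feature-rich audio player with support of many formats
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/qmmp.local
+include qmmp.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.qmmp
 noblacklist ${MUSIC}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter
@@ -23,6 +23,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp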
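--- a/etc/qpdfview.profile
+++ b/etc/qpdfview.profile
@@ -2,22 +2,22 @@
 # Description: Tabbed document viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/qpdfview.local
+include qpdfview.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/qpdfview
 noblacklist ${HOME}/.local/share/qpdfview
 noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 machine-id
@@ -27,6 +27,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp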
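--- a/etc/qtox.profile
+++ b/etc/qtox.profile
@@ -2,23 +2,23 @@
 # Description: Powerful Tox client written in C++/Qt that follows the Tox design guidelines
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/qtox.local
+include qtox.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/tox
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.config/tox
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/tox
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace
@@ -28,6 +28,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,inet,inet6
 seccomp
 shell none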
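--- a/etc/quassel.profile
+++ b/etc/quassel.profile
@@ -2,15 +2,15 @@
 # Description: Distributed IRC client
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/quassel.local
+include quassel.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter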
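--- a/etc/quiterss.profile
+++ b/etc/quiterss.profile
@@ -2,20 +2,20 @@
 # Description: RSS/Atom news feeds reader
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/quiterss.local
+include quiterss.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/QuiteRss
 noblacklist ${HOME}/.config/QuiteRss
 noblacklist ${HOME}/.config/QuiteRssrc
 noblacklist ${HOME}/.local/share/QuiteRss
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.cache/QuiteRss
 mkdir ${HOME}/.config/QuiteRss
@@ -27,7 +27,7 @@ whitelist ${HOME}/.config/QuiteRssrc
 whitelist ${HOME}/.local/share/data/QuiteRss
 whitelist ${HOME}/.local/share/QuiteRss
 whitelist ${HOME}/quiterssfeeds.opml
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter
@@ -37,6 +37,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp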
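--- a/etc/qupzilla.profile
+++ b/etc/qupzilla.profile
@@ -1,24 +1,24 @@
 # Firejail profile for qupzilla
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/qupzilla.local
+include qupzilla.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/qupzilla
 noblacklist ${HOME}/.config/qupzilla
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/qupzilla
 whitelist ${HOME}/.config/qupzilla
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -27,6 +27,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks qupzilla
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice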
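Review bot: The `nou2f` added at new line 30 lands in a web browser profile, where blocking U2F tokens can also block hardware second-factor logins; whether QupZilla can use such tokens is not visible here. If it can, users are more likely to drop the whole sandbox than to find this one option, so the line deserves a comment naming the override, e.g. `# nou2f blocks U2F security keys; add 'ignore nou2f' to qupzilla.local if you need them`. The same consideration applies to the other network clients that gain `nou2f` in this commit.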
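--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -2,9 +2,9 @@
 # Description: Keyboard-driven, vim-like browser based on PyQt5
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/qutebrowser.local
+include qutebrowser.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/qutebrowser
 noblacklist ${HOME}/.config/qutebrowser
@@ -19,10 +19,10 @@ noblacklist /usr/lib/python3*
 # with >=llvm-4 mesa drivers need llvm stuff
 noblacklist /usr/lib/llvm*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.cache/qutebrowser
 mkdir ${HOME}/.config/qutebrowser
@@ -31,7 +31,7 @@ whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/qutebrowser
 whitelist ${HOME}/.config/qutebrowser
 whitelist ${HOME}/.local/share/qutebrowser
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter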
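Review bot: The rewritten `include` lines (new lines 5, 7, 22-25 and 34 of this profile) no longer pin the file to `/etc/firejail`, so which `disable-common.inc` or `whitelist-common.inc` is loaded now depends on the loader's search order, which nothing in this section shows. If bare names are tried in a per-user directory such as `~/.config/firejail` before the system directory (worth confirming in the profile reader), a same-named file there would silently replace the blacklist set of a browser profile; that is expected for `*.local` overrides but is a larger trust change for the `disable-*.inc` files. I would document the lookup next to the first include, e.g. `# bare include names are resolved through firejail's profile search path, not relative to this file`, and make sure the per-user firejail directory stays blacklisted inside the sandbox. The same applies to every other section of this commit that drops the `/etc/firejail/` prefix, including the `# Redirect` includes in riot-desktop, riot-web, rocketchat, rview and rvim.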
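--- a/etc/rambox.profile
+++ b/etc/rambox.profile
@@ -1,24 +1,24 @@
 # Firejail profile for rambox
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/rambox.local
+include rambox.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/Rambox
 noblacklist ${HOME}/.pki
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.config/Rambox
 mkdir ${HOME}/.pki
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/Rambox
 whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter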
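--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -2,9 +2,9 @@
 # Description: File manager with an ncurses frontend written in Python
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/ranger.local
+include ranger.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/ranger
 
@@ -20,11 +20,11 @@ noblacklist ${PATH}/perl
 noblacklist /usr/lib/perl*
 noblacklist /usr/share/perl*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 net none
@@ -35,6 +35,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp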
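--- a/etc/redeclipse.profile
+++ b/etc/redeclipse.profile
@@ -2,22 +2,22 @@
 # Description: Free, casual arena shooter
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/redeclipse.local
+include redeclipse.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.redeclipse
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.redeclipse
 whitelist ${HOME}/.redeclipse
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -26,6 +26,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp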
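--- a/etc/remmina.profile
+++ b/etc/remmina.profile
@@ -2,23 +2,23 @@
 # Description: GTK+ Remote Desktop Client
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/remmina.local
+include remmina.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.remmina
 noblacklist ${HOME}/.config/remmina
 noblacklist ${HOME}/.local/share/remmina
 noblacklist ${HOME}/.ssh
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 nodvd
@@ -26,6 +26,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp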
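Review bot: `noblacklist ${HOME}/.ssh` at line 12 carries no comment, and since this section shows no `whitelist` of the home directory, the client appears to see all of `~/.ssh`, private keys included, while `protocol unix,inet,inet6` leaves it on the network. As the commit already rewrites the lines around it, I would add a comment stating the reason and the exposure, e.g. `# ~/.ssh is exposed for remmina's SSH/SFTP features (confirm); private keys in it become readable`, so a reader can judge whether the exemption is needed on their system. Line 25 of the profile falls between the two hunks, so a restriction set there would not be visible here.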
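--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -2,21 +2,21 @@
 # Description: Music player and organizer for GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/rhythmbox.local
+include rhythmbox.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${MUSIC}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
+include disable-common.inc
+include disable-devel.inc
 # rhythmbox is using Python
-#include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+#include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 # apparmor - makes settings immutable
 caps.drop all
@@ -27,6 +27,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp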
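Review bot: Line 14 keeps `disable-interpreters.inc` commented out as a whole because rhythmbox uses Python, which also leaves every other interpreter that file covers reachable from a network-enabled media player. Other profiles in this same commit (sdat2img, scribus) instead exempt only the Python paths and keep the include active. If rhythmbox still starts with its plugins that way (this needs testing, and the Python version it needs is an assumption), line 14 could become `noblacklist ${PATH}/python3*`, `noblacklist /usr/lib/python3*` and then `include disable-interpreters.inc`.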
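--- a/etc/ricochet.profile
+++ b/etc/ricochet.profile
@@ -1,22 +1,22 @@
 # Firejail profile for ricochet
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/ricochet.local
+include ricochet.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 noblacklist ${HOME}/.local/share/Ricochet
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.local/share/Ricochet
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 ipc-namespace
@@ -27,6 +27,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp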
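--- a/etc/riot-desktop.profile
+++ b/etc/riot-desktop.profile
@@ -2,9 +2,9 @@
 # Description: A glossy Matrix collaboration client for the desktop
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/riot-desktop.local
+include riot-desktop.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # Redirect
-include /etc/firejail/riot-web.profile
+include riot-web.profile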
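--- a/etc/riot-web.profile
+++ b/etc/riot-web.profile
@@ -2,15 +2,15 @@
 # Description: A glossy Matrix collaboration client for the web
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/riot-web.local
+include riot-web.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/Riot
 
 mkdir ${HOME}/.config/Riot
 whitelist ${HOME}/.config/Riot
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 # Redirect
-include /etc/firejail/electron.profile
+include electron.profile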
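--- a/etc/ristretto.profile
+++ b/etc/ristretto.profile
@@ -2,19 +2,19 @@
 # Description: Lightweight picture-viewer for the Xfce desktop environment
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/ristretto.local
+include ristretto.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/ristretto
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.steam
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
@@ -25,6 +25,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp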
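--- a/etc/rocketchat.profile
+++ b/etc/rocketchat.profile
@@ -1,14 +1,14 @@
 # Firejail profile for rocketchat
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/rocketchat.local
+include rocketchat.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/Rocket.Chat
 
 whitelist ${HOME}/.config/Rocket.Chat
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 # Redirect
-include /etc/firejail/electron.profile
+include electron.profile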
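--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@@ -2,16 +2,16 @@
 # Description: Ncurses BitTorrent client based on LibTorrent from rakshasa
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/rtorrent.local
+include rtorrent.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 machine-id
@@ -21,6 +21,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp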
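--- a/etc/runenpass.sh.profile
+++ b/etc/runenpass.sh.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/enpass.profile
+include enpass.profile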
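--- a/etc/rview.profile
+++ b/etc/rview.profile
@@ -1,10 +1,10 @@
 # Firejail profile for rview
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/rview.local
+include rview.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 # Redirect
-include /etc/firejail/vim.profile
+include vim.profile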
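--- a/etc/rvim.profile
+++ b/etc/rvim.profile
@@ -1,10 +1,10 @@
 # Firejail profile for rvim
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/rvim.local
+include rvim.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 # Redirect
-include /etc/firejail/vim.profile
+include vim.profile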
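--- a/etc/sayonara.profile
+++ b/etc/sayonara.profile
@@ -1,18 +1,18 @@
 # Firejail profile for sayonara player
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/sayonara.local
+include sayonara.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.Sayonara
 noblacklist ${MUSIC}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter
@@ -21,6 +21,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp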
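--- a/etc/scallion.profile
+++ b/etc/scallion.profile
@@ -2,9 +2,9 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/scallion.local
+include scallion.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${PATH}/llvm*
 noblacklist /usr/lib/llvm*
@@ -12,13 +12,13 @@ noblacklist ${PATH}/openssl
 noblacklist ${PATH}/openssl-1.0
 noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace
@@ -30,6 +30,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp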
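--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -2,9 +2,9 @@
 # Description: Open Source Desktop Page Layout
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/scribus.local
+include scribus.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # Support for PDF readers comes with Scribus 1.5 and higher
 noblacklist ${HOME}/.cache/okular
@@ -32,14 +32,14 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 net none
@@ -50,6 +50,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp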
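--- a/etc/sdat2img.profile
+++ b/etc/sdat2img.profile
@@ -2,9 +2,9 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/sdat2img.local
+include sdat2img.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # Allow python (blacklisted by disable-interpreters.inc)
 noblacklist ${PATH}/python2*
@@ -12,14 +12,14 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 net none
@@ -31,6 +31,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp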
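--- a/etc/seamonkey-bin.profile
+++ b/etc/seamonkey-bin.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/seamonkey.profile
+include seamonkey.profile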
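--- a/etc/seamonkey.profile
+++ b/etc/seamonkey.profile
@@ -2,18 +2,18 @@
 # Description: SeaMonkey internet suite
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/seamonkey.local
+include seamonkey.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.pki
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.cache/mozilla
 mkdir ${HOME}/.mozilla
@@ -35,7 +35,7 @@ whitelist ${HOME}/.wine-pipelight
 whitelist ${HOME}/.wine-pipelight64
 whitelist ${HOME}/.zotero
 whitelist ${HOME}/dwhelper
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter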
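--- a/etc/server.profile
+++ b/etc/server.profile
@@ -1,9 +1,9 @@
 # Firejail profile for server
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/server.local
+include server.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # generic server profile
 # it allows /sbin and /usr/sbin directories - this is where servers are installed
@@ -15,12 +15,12 @@ noblacklist /sbin
 noblacklist /usr/sbin
 # noblacklist /var/opt
 
-include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-devel.inc
-# include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-#include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+# include disable-devel.inc
+# include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+#include disable-xdg.inc
 
 caps
 # ipc-namespace
@@ -33,6 +33,7 @@ nodvd
 # noroot
 nosound
 notv
+nou2f
 novideo
 seccomp
 # shell none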
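Review bot: The switch from `include /etc/firejail/disable-common.inc` to the bare `include disable-common.inc` (new lines 4, 6 and 18-23 here, and the same edit in every other profile section on this page) makes each include depend on firejail's profile search order instead of a fixed root-owned path, and nothing in the profile header says so. As far as I know firejail looks up a path-less include in `~/.config/firejail` before `/etc/firejail`, so a same-named file in the user's config directory would take the place of the system blacklist include; please confirm that against the parser, and confirm that directory cannot be written from inside a sandbox. I would record the lookup order next to the existing header comment, for example `# Includes without a path are looked up in ~/.config/firejail, then /etc/firejail`.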
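--- a/etc/shellcheck.profile
+++ b/etc/shellcheck.profile
@@ -3,20 +3,20 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/shellcheck.local
+include shellcheck.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace
@@ -29,6 +29,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp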
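--- a/etc/shotcut.profile
+++ b/etc/shotcut.profile
@@ -1,17 +1,17 @@
 # Firejail profile for shotcut
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/shotcut.local
+include shotcut.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/Meltytech
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 net none
@@ -21,6 +21,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix
 seccomp
 shell none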
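--- a/etc/signal-desktop.profile
+++ b/etc/signal-desktop.profile
@@ -1,23 +1,23 @@
 # Firejail profile for signal-desktop
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/signal-desktop.local
+include signal-desktop.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/Signal
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-passwdmgr.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-passwdmgr.inc
 
 mkdir ${HOME}/.config/Signal
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/Signal
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -26,6 +26,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,inet,inet6,netlink
 seccomp
 shell none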
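--- a/etc/silentarmy.profile
+++ b/etc/silentarmy.profile
@@ -1,19 +1,19 @@
 # Firejail profile for silentarmy
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/silentarmy.local
+include silentarmy.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
-include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+# include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp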
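--- a/etc/simple-scan.profile
+++ b/etc/simple-scan.profile
@@ -2,19 +2,19 @@
 # Description: Simple Scanning Utility
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/simple-scan.local
+include simple-scan.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/simple-scan
 noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter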
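--- a/etc/simutrans.profile
+++ b/etc/simutrans.profile
@@ -2,21 +2,21 @@
 # Description: Transportation simulator
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/simutrans.local
+include simutrans.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.simutrans
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.simutrans
 whitelist ${HOME}/.simutrans
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 net none
@@ -26,6 +26,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix
 seccomp
 shell none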
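--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -2,18 +2,18 @@
 # Description: Image scanner based on the KSane backend
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/skanlite.local
+include skanlite.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 # net none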
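--- a/etc/skype.profile
+++ b/etc/skype.profile
@@ -1,17 +1,17 @@
 # Firejail profile for skype
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/skype.local
+include skype.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.Skype
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-devel.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
@@ -20,6 +20,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,inet,inet6
 seccomp
 shell none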
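Review bot: `include disable-devel.inc` appears twice in the new file (lines 11 and 13) and `disable-passwdmgr.inc` is not included at all, so password-manager data is presumably not blacklisted for this profile unless another include covers it. The path rename carried the duplicate over unchanged, while the sibling skypeforlinux.profile in this same commit has `include disable-passwdmgr.inc` in that position. I would change line 13 to `include disable-passwdmgr.inc`.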
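--- a/etc/skypeforlinux.profile
+++ b/etc/skypeforlinux.profile
@@ -1,17 +1,17 @@
 # Firejail profile for skypeforlinux
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/skypeforlinux.local
+include skypeforlinux.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/skypeforlinux
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter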
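--- a/etc/slack.profile
+++ b/etc/slack.profile
@@ -1,25 +1,25 @@
 # Firejail profile for slack
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/slack.local
+include slack.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/Slack
 noblacklist ${HOME}/Downloads
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.config
 mkdir ${HOME}/.config/Slack
 whitelist ${HOME}/.config/Slack
 whitelist ${HOME}/Downloads
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 name slack
@@ -29,6 +29,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,inet,inet6,netlink
 seccomp
 shell none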
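Review bot: Lines 9 and 20 still hard-code `${HOME}/Downloads`, while signal-desktop.profile and snap.profile in this same commit use the `${DOWNLOADS}` macro. Where the download directory is localized or relocated, the hard-coded whitelist entry would presumably not match the directory actually in use, which tends to push users towards widening the whitelist by hand. Since these lines are being touched for consistency anyway, I would write `noblacklist ${DOWNLOADS}` and `whitelist ${DOWNLOADS}`.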
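--- a/etc/smplayer.profile
+++ b/etc/smplayer.profile
@@ -2,23 +2,23 @@
 # Description: Complete front-end for MPlayer and mpv
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/smplayer.local
+include smplayer.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/smplayer
 noblacklist ${HOME}/.mplayer
 noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
@@ -27,6 +27,7 @@ netfilter
 # nogroups
 nonewprivs
 noroot
+nou2f
 protocol unix,inet,inet6,netlink
 seccomp
 shell none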
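--- a/etc/smtube.profile
+++ b/etc/smtube.profile
@@ -2,9 +2,9 @@
 # Description: YouTube videos browser
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/smtube.local
+include smtube.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/smplayer
 noblacklist ${HOME}/.config/smtube
@@ -15,19 +15,20 @@ noblacklist ${HOME}/.local/share/vlc
 noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
 nodvd
 notv
+nou2f
 novideo
 nogroups
 nonewprivs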
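--- a/etc/snap.profile
+++ b/etc/snap.profile
@@ -2,16 +2,16 @@
 # Description: Location of genes from DNA sequence with hidden markov model
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/snap.local
+include snap.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # Generic Ubuntu snap application profile
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/snap
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc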
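Review bot: The `# Description:` comment on line 2 (`Location of genes from DNA sequence with hidden markov model`) describes an unrelated gene-finding tool, while line 9 and the `${HOME}/snap` whitelist show this is the generic Ubuntu snap profile. The text looks as if it was taken from a package that happens to share the name, and anyone auditing which program this profile confines would be misled by it. I would replace it with `# Description: Generic Ubuntu snap application profile`.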
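--- a/etc/snox.profile
+++ b/etc/snox.profile
@@ -1,9 +1,9 @@
 # Firejail profile for snox
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/snox.local
+include snox.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/snox
 noblacklist ${HOME}/.config/snox
@@ -16,4 +16,4 @@ whitelist ${HOME}/.cache/snox
 whitelist ${HOME}/.config/snox
 
 # Redirect
-include /etc/firejail/chromium-common.profile
+include chromium-common.profile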
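--- a/etc/soffice.profile
+++ b/etc/soffice.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/libreoffice.profile
+include libreoffice.profile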
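--- a/etc/soundconverter.profile
+++ b/etc/soundconverter.profile
@@ -2,9 +2,9 @@
 # Description: GNOME application to convert audio files into other formats
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/soundconverter.local
+include soundconverter.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${MUSIC}
 
@@ -14,14 +14,14 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 net none
@@ -32,6 +32,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp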
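--- a/etc/spectre-meltdown-checker.profile
+++ b/etc/spectre-meltdown-checker.profile
@@ -2,9 +2,9 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/spectre-meltdown-checker.local
+include spectre-meltdown-checker.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # sudo firejail --allow-debuggers spectre-meltdown-checker
 
@@ -18,14 +18,14 @@ noblacklist ${PATH}/perl
 noblacklist /usr/lib/perl*
 noblacklist /usr/share/perl*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.keep sys_rawio
 ipc-namespace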
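--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -1,9 +1,9 @@
 # Firejail profile for spotify
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/spotify.local
+include spotify.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 blacklist ${HOME}/.bashrc
 blacklist /lost+found
@@ -14,11 +14,11 @@ noblacklist ${HOME}/.cache/spotify
 noblacklist ${HOME}/.config/spotify
 noblacklist ${HOME}/.local/share/spotify
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.cache/spotify
 mkdir ${HOME}/.config/spotify
@@ -26,8 +26,8 @@ mkdir ${HOME}/.local/share/spotify
 whitelist ${HOME}/.cache/spotify
 whitelist ${HOME}/.config/spotify
 whitelist ${HOME}/.local/share/spotify
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -37,6 +37,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,inet,inet6,netlink
 seccomp
 shell none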
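diff --git a/etc/sqlitebrowser.profile b/etc/sqlitebrowser.profile
index 0f030d559..6bdd437cd 100644
--- a/etc/sqlitebrowser.profile
+++ b/etc/sqlitebrowser.profile
@@ -2,21 +2,21 @@
 # Description: GUI editor for SQLite databases
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/sqlitebrowser.local
+include sqlitebrowser.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/sqlitebrowser
 noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 net none
@@ -28,6 +28,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp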
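diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile
index b71c20231..02b66955f 100644
--- a/etc/ssh-agent.profile
+++ b/etc/ssh-agent.profile
@@ -2,9 +2,9 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/ssh-agent.local
+include ssh-agent.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 blacklist /tmp/.X11-unix
 
@@ -12,9 +12,9 @@ noblacklist /etc/ssh
 noblacklist /tmp/ssh-*
 noblacklist ${HOME}/.ssh
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 shell none
 caps.drop all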
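diff --git a/etc/ssh.profile b/etc/ssh.profile
index 584294f05..de627dcf0 100644
--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -3,17 +3,17 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/ssh.local
+include ssh.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist /etc/ssh
 noblacklist /tmp/ssh-*
 noblacklist ${HOME}/.ssh
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 ipc-namespace
@@ -25,6 +25,7 @@ nonewprivs
 # noroot - see issue #1543
 nosound
 notv
+nou2f
 protocol unix,inet,inet6
 seccomp
 shell none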
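Review bot: The `nou2f` line added in the second hunk of ssh.profile hides U2F devices from the ssh client, which would break authentication for users whose SSH keys are backed by a FIDO/U2F token (OpenSSH's `-sk` key types), assuming their OpenSSH build supports them. Unlike the GUI profiles in this commit, ssh is a program where the token can be the credential itself, so I would ship the option disabled and documented in the style of the `# noroot - see issue #1543` line just above it: `# nou2f - breaks FIDO/U2F-backed SSH keys`. The profile continues outside the hunk, so other options may interact with this.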
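diff --git a/etc/standardnotes-desktop.profile b/etc/standardnotes-desktop.profile
index 9f62b42c5..4486c8869 100644
--- a/etc/standardnotes-desktop.profile
+++ b/etc/standardnotes-desktop.profile
@@ -1,24 +1,24 @@
 # Firejail profile for standardnotes-desktop
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/standardnotes-desktop.local
+include standardnotes-desktop.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/Standard Notes Backups
 noblacklist ${HOME}/.config/Standard Notes
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/Standard Notes Backups
 mkdir ${HOME}/.config/Standard Notes
 whitelist ${HOME}/Standard Notes Backups
 whitelist ${HOME}/.config/Standard Notes
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
@@ -31,6 +31,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 protocol unix,inet,inet6,netlink
 seccomp
 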
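diff --git a/etc/start-tor-browser.desktop.profile b/etc/start-tor-browser.desktop.profile
index c17815969..2b01eca88 100644
--- a/etc/start-tor-browser.desktop.profile
+++ b/etc/start-tor-browser.desktop.profile
@@ -63,4 +63,4 @@ mkdir ${HOME}/.tor-browser-zh-cn:
 whitelist ${HOME}/.tor-browser-zh-cn:
 
 # Redirect
-include /etc/firejail/torbrowser-launcher.profile
+include torbrowser-launcher.profile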
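Review bot: The context line `whitelist ${HOME}/.tor-browser-zh-cn:` and the `mkdir` line quoted in the hunk header both end in a colon, while the sibling tor-browser-ar/en/es profiles in this commit use paths without one. If the colon is a typo, the real `~/.tor-browser-zh-cn` directory is neither created nor whitelisted, so the browser data for that locale would presumably not be reachable inside the sandbox; since this commit already touches the file, I would change both lines to end in `${HOME}/.tor-browser-zh-cn`. The rest of the file is outside the hunk, so the other locale entries may need the same check.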
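diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile
index 4d9ebcb2e..d3b0b27e3 100644
--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -1,19 +1,19 @@
 # Firejail profile for start-tor-browser
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/start-tor-browser.local
+include start-tor-browser.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -23,6 +23,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice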
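Review bot: `nou2f` is added to a browser profile in the second hunk without a comment, so a user whose hardware security key stops working at a web login has no hint where the restriction comes from; whether this browser build exposes U2F at all is not visible here. A comment above the line would cover it: `# nou2f blocks hardware security keys; add 'ignore nou2f' to start-tor-browser.local if you need them`. surf.profile gets the same line in this commit and would benefit from the same comment.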
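diff --git a/etc/steam-native.profile b/etc/steam-native.profile
index b85b1659b..47608ad28 100644
--- a/etc/steam-native.profile
+++ b/etc/steam-native.profile
@@ -2,4 +2,4 @@
 # This file is overwritten after every install/update
 
 # Redirect
-include /etc/firejail/steam.profile
+include steam.profile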
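diff --git a/etc/steam.profile b/etc/steam.profile
index 903384ecf..775b6c875 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -2,9 +2,9 @@
 # Description: Valve's Steam digital software delivery system
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/steam.local
+include steam.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/.killingfloor
@@ -37,13 +37,13 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 #ipc-namespace
@@ -55,6 +55,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 # novideo should be commented for VR
 novideo
 protocol unix,inet,inet6,netlink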
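diff --git a/etc/stellarium.profile b/etc/stellarium.profile
index cddbd99d6..7d0000fb3 100644
--- a/etc/stellarium.profile
+++ b/etc/stellarium.profile
@@ -2,25 +2,25 @@
 # Description: Real-time photo-realistic sky generator
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/stellarium.local
+include stellarium.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/stellarium
 noblacklist ${HOME}/.stellarium
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.config/stellarium
 mkdir ${HOME}/.stellarium
 whitelist ${HOME}/.config/stellarium
 whitelist ${HOME}/.stellarium
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 machine-id
@@ -31,6 +31,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 protocol unix,inet,inet6,netlink
 seccomp
 shell none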
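diff --git a/etc/strings.profile b/etc/strings.profile
index ae2fbf18f..f243606ec 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -2,10 +2,10 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/strings.local
+include strings.local
 # Persistent global definitions
 # added by included default.profile
-#include /etc/firejail/globals.local
+#include globals.local
 
 blacklist /tmp/.X11-unix
 
@@ -16,6 +16,7 @@ nodbus
 nodvd
 nosound
 notv
+nou2f
 novideo
 shell none
 tracelog
@@ -30,4 +31,4 @@ memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
 
-include /etc/firejail/default.profile
+include default.profile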
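diff --git a/etc/studio.sh.profile b/etc/studio.sh.profile
index b4eee28df..d556521e1 100644
--- a/etc/studio.sh.profile
+++ b/etc/studio.sh.profile
@@ -1,4 +1,4 @@
 # Firejail profile alias for Android Studio
 
 # Redirect
-include /etc/firejail/android-studio.profile
+include android-studio.profile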
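diff --git a/etc/supertux2.profile b/etc/supertux2.profile
index 84083e9aa..fc523ce0a 100644
--- a/etc/supertux2.profile
+++ b/etc/supertux2.profile
@@ -1,22 +1,22 @@
 # Firejail profile for supertux2
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/supertux2.local
+include supertux2.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.local/share/supertux2
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.local/share/supertux2
 whitelist ${HOME}/.local/share/supertux2
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 net none
@@ -26,6 +26,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,netlink
 seccomp
 shell none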
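diff --git a/etc/surf.profile b/etc/surf.profile
index 3d40ea49b..3a1b1f383 100644
--- a/etc/surf.profile
+++ b/etc/surf.profile
@@ -2,20 +2,20 @@
 # Description: Simple web browser by suckless community
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/surf.local
+include surf.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.surf
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.surf
 whitelist ${DOWNLOADS}
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter
@@ -23,6 +23,7 @@ nodvd
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,inet,inet6,netlink
 seccomp
 shell none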
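diff --git a/etc/sylpheed.profile b/etc/sylpheed.profile
index 5f30c95ba..64de64eb4 100644
--- a/etc/sylpheed.profile
+++ b/etc/sylpheed.profile
@@ -2,17 +2,17 @@
 # Description: Light weight e-mail client with GTK+
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/sylpheed.local
+include sylpheed.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.sylpheed-2.0
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
@@ -22,6 +22,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp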
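diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile
index 0fc59fd17..9ce1bb183 100644
--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -2,18 +2,18 @@
 # Description: Vector-based 2D animation package
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/synfigstudio.local
+include synfigstudio.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/synfig
 noblacklist ${HOME}/.synfig
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 net none
@@ -24,6 +24,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp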
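diff --git a/etc/tar.profile b/etc/tar.profile
index 7409393c6..cbf421914 100644
--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -3,10 +3,10 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/tar.local
+include tar.local
 # Persistent global definitions
 # added by included default.profile
-#include /etc/firejail/globals.local
+#include globals.local
 
 blacklist /tmp/.X11-unix
 
@@ -18,6 +18,7 @@ nodbus
 nodvd
 nosound
 notv
+nou2f
 novideo
 shell none
 tracelog
@@ -28,4 +29,4 @@ private-dev
 private-etc passwd,group,localtime
 private-lib
 
-include /etc/firejail/default.profile
+include default.profile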
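diff --git a/etc/teamspeak3.profile b/etc/teamspeak3.profile
index 55a95157d..25928882b 100644
--- a/etc/teamspeak3.profile
+++ b/etc/teamspeak3.profile
@@ -2,23 +2,23 @@
 # Description: TeamSpeak is software for quality voice communication via the Internet
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/teamspeak3.local
+include teamspeak3.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.ts3client
 noblacklist ${PATH}/openssl
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.ts3client
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.ts3client
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 ipc-namespace
@@ -29,6 +29,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp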
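diff --git a/etc/telegram-desktop.profile b/etc/telegram-desktop.profile
index 9e4855247..ef60bdc8c 100644
--- a/etc/telegram-desktop.profile
+++ b/etc/telegram-desktop.profile
@@ -4,4 +4,4 @@
 
 
 # Redirect
-include /etc/firejail/telegram.profile
+include telegram.profile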
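diff --git a/etc/telegram.profile b/etc/telegram.profile
index 9ffb9f287..fb2c06a27 100644
--- a/etc/telegram.profile
+++ b/etc/telegram.profile
@@ -1,17 +1,17 @@
 # Firejail profile for telegram
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/telegram.local
+include telegram.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.TelegramDesktop
 noblacklist ${HOME}/.local/share/TelegramDesktop
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter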
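diff --git a/etc/terasology.profile b/etc/terasology.profile
index fa45eb880..22038e0b4 100644
--- a/etc/terasology.profile
+++ b/etc/terasology.profile
@@ -1,9 +1,9 @@
 # Firejail profile for terasology
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/terasology.local
+include terasology.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/terasology
@@ -14,17 +14,17 @@ noblacklist /usr/lib/java
 noblacklist /etc/java
 noblacklist /usr/share/java
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.java
 mkdir ${HOME}/.local/share/terasology
 whitelist ${HOME}/.java
 whitelist ${HOME}/.local/share/terasology
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 ipc-namespace
@@ -36,6 +36,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp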
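diff --git a/etc/thunar.profile b/etc/thunar.profile
index 37d10ae0d..0c7a048c4 100644
--- a/etc/thunar.profile
+++ b/etc/thunar.profile
@@ -4,4 +4,4 @@
 
 
 # Redirect
-include /etc/firejail/Thunar.profile
+include Thunar.profile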
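diff --git a/etc/thunderbird-beta.profile b/etc/thunderbird-beta.profile
index 73d2419da..2bd06cb14 100644
--- a/etc/thunderbird-beta.profile
+++ b/etc/thunderbird-beta.profile
@@ -5,4 +5,4 @@
 whitelist /opt/thunderbird-beta
 
 # Redirect
-include /etc/firejail/thunderbird.profile
+include thunderbird.profile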
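diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
index 86671d1be..5f1af91be 100644
--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -2,9 +2,9 @@
 # Description: Email, RSS and newsgroup client with integrated spam filter
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/thunderbird.local
+include thunderbird.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # Users have thunderbird set to open a browser by clicking a link in an email
 # We are not allowed to blacklist browser-specific directories
@@ -38,4 +38,4 @@ writable-run-user
 
 # allow browsers
 # Redirect
-include /etc/firejail/firefox.profile
+include firefox.profile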
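diff --git a/etc/tilp.profile b/etc/tilp.profile
index 7d63df630..ecacd1deb 100644
--- a/etc/tilp.profile
+++ b/etc/tilp.profile
@@ -1,17 +1,17 @@
 # Firejail profile for tilp
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/tilp.local
+include tilp.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.tilp
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 net none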
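diff --git a/etc/tor-browser-ar.profile b/etc/tor-browser-ar.profile
index a668a05d4..612b2d01b 100644
--- a/etc/tor-browser-ar.profile
+++ b/etc/tor-browser-ar.profile
@@ -7,4 +7,4 @@ mkdir ${HOME}/.tor-browser-ar
 whitelist ${HOME}/.tor-browser-ar
 
 # Redirect
-include /etc/firejail/torbrowser-launcher.profile
+include torbrowser-launcher.profile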
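--- a/etc/tor-browser-en-us.profile
+++ b/etc/tor-browser-en-us.profile
@@ -7,4 +7,4 @@ mkdir ${HOME}/.tor-browser-en-us
 whitelist ${HOME}/.tor-browser-en-us
 
 # Redirect
-include /etc/firejail/torbrowser-launcher.profile
+include torbrowser-launcher.profile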
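--- a/etc/tor-browser-en.profile
+++ b/etc/tor-browser-en.profile
@@ -7,4 +7,4 @@ mkdir ${HOME}/.tor-browser-en
 whitelist ${HOME}/.tor-browser-en
 
 # Redirect
-include /etc/firejail/torbrowser-launcher.profile
+include torbrowser-launcher.profile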
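--- a/etc/tor-browser-es-es.profile
+++ b/etc/tor-browser-es-es.profile
@@ -7,4 +7,4 @@ mkdir ${HOME}/.tor-browser-es-es
 whitelist ${HOME}/.tor-browser-es-es
 
 # Redirect
-include /etc/firejail/torbrowser-launcher.profile
+include torbrowser-launcher.profile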
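--- a/etc/tor-browser-es.profile
+++ b/etc/tor-browser-es.profile
@@ -7,4 +7,4 @@ mkdir ${HOME}/.tor-browser-es
 whitelist ${HOME}/.tor-browser-es
 
 # Redirect
-include /etc/firejail/torbrowser-launcher.profile
+include torbrowser-launcher.profile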
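--- a/etc/tor-browser-fa.profile
+++ b/etc/tor-browser-fa.profile
@@ -7,4 +7,4 @@ mkdir ${HOME}/.tor-browser-fa
 whitelist ${HOME}/.tor-browser-fa
 
 # Redirect
-include /etc/firejail/torbrowser-launcher.profile
+include torbrowser-launcher.profile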
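--- a/etc/tor-browser-fr.profile
+++ b/etc/tor-browser-fr.profile
@@ -7,4 +7,4 @@ mkdir ${HOME}/.tor-browser-fr
 whitelist ${HOME}/.tor-browser-fr
 
 # Redirect
-include /etc/firejail/torbrowser-launcher.profile
+include torbrowser-launcher.profile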
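--- a/etc/tor-browser-it.profile
+++ b/etc/tor-browser-it.profile
@@ -7,4 +7,4 @@ mkdir ${HOME}/.tor-browser-it
 whitelist ${HOME}/.tor-browser-it
 
 # Redirect
-include /etc/firejail/torbrowser-launcher.profile
+include torbrowser-launcher.profile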
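--- a/etc/tor-browser-ja.profile
+++ b/etc/tor-browser-ja.profile
@@ -7,4 +7,4 @@ mkdir ${HOME}/.tor-browser-ja
 whitelist ${HOME}/.tor-browser-ja
 
 # Redirect
-include /etc/firejail/torbrowser-launcher.profile
+include torbrowser-launcher.profile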
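--- a/etc/tor-browser-ko.profile
+++ b/etc/tor-browser-ko.profile
@@ -7,4 +7,4 @@ mkdir ${HOME}/.tor-browser-ko
 whitelist ${HOME}/.tor-browser-ko
 
 # Redirect
-include /etc/firejail/torbrowser-launcher.profile
+include torbrowser-launcher.profile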
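--- a/etc/tor-browser-pl.profile
+++ b/etc/tor-browser-pl.profile
@@ -7,4 +7,4 @@ mkdir ${HOME}/.tor-browser-pl
 whitelist ${HOME}/.tor-browser-pl
 
 # Redirect
-include /etc/firejail/torbrowser-launcher.profile
+include torbrowser-launcher.profile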
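--- a/etc/tor-browser-pt-br.profile
+++ b/etc/tor-browser-pt-br.profile
@@ -7,4 +7,4 @@ mkdir ${HOME}/.tor-browser-pt-br
 whitelist ${HOME}/.tor-browser-pt-br
 
 # Redirect
-include /etc/firejail/torbrowser-launcher.profile
+include torbrowser-launcher.profile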
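--- a/etc/tor-browser-ru.profile
+++ b/etc/tor-browser-ru.profile
@@ -7,4 +7,4 @@ mkdir ${HOME}/.tor-browser-ru
 whitelist ${HOME}/.tor-browser-ru
 
 # Redirect
-include /etc/firejail/torbrowser-launcher.profile
+include torbrowser-launcher.profile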
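--- a/etc/tor-browser-vi.profile
+++ b/etc/tor-browser-vi.profile
@@ -7,4 +7,4 @@ mkdir ${HOME}/.tor-browser-vi
 whitelist ${HOME}/.tor-browser-vi
 
 # Redirect
-include /etc/firejail/torbrowser-launcher.profile
+include torbrowser-launcher.profile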
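--- a/etc/tor-browser-zh-cn.profile
+++ b/etc/tor-browser-zh-cn.profile
@@ -7,4 +7,4 @@ mkdir ${HOME}/.tor-browser-zh-cn
 whitelist ${HOME}/.tor-browser-zh-cn
 
 # Redirect
-include /etc/firejail/torbrowser-launcher.profile
+include torbrowser-launcher.profile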
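--- a/etc/tor.profile
+++ b/etc/tor.profile
@@ -2,9 +2,9 @@
 # Description: Anonymizing overlay network for TCP
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/tor.local
+include tor.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # How to use:
 # Create a script called anything (e.g. mytor)
@@ -17,12 +17,12 @@ include /etc/firejail/globals.local
 # You'll also likely want to disable the system service (if it exists)
 # Run mytor (or whatever you called the script above) whenever you want to start tor
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.keep setuid,setgid,net_bind_service,dac_read_search
 ipc-namespace
@@ -34,6 +34,7 @@ nogroups
 nonewprivs
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp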
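--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -2,9 +2,9 @@
 # Description: Helps download and run the Tor Browser Bundle
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/torbrowser-launcher.local
+include torbrowser-launcher.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/torbrowser
 noblacklist ${HOME}/.local/share/torbrowser
@@ -15,20 +15,20 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.config/torbrowser
 mkdir ${HOME}/.local/share/torbrowser
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/torbrowser
 whitelist ${HOME}/.local/share/torbrowser
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -38,6 +38,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice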
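Review bot: The `nou2f` line added in the third hunk has no comment, yet it switches off U2F security keys for a web browser, and every tor-browser-* locale profile in this commit redirects to this file and inherits it. Anyone who signs in to a site with a hardware key will see that stop working after the update with nothing in the profile explaining why. A comment above the line would cover it: `# nou2f blocks U2F security keys; add 'ignore nou2f' to torbrowser-launcher.local if you need them`. The profile lines between and after the hunks are not shown, so an existing note elsewhere in the file cannot be ruled out.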
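--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -2,23 +2,23 @@
 # Description: Simple media player for the GNOME desktop based on GStreamer
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/totem.local
+include totem.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/totem
 noblacklist ${HOME}/.local/share/totem
 noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 # apparmor - makes settings immutable
 caps.drop all
@@ -27,6 +27,7 @@ netfilter
 nogroups
 nonewprivs
 noroot
+nou2f
 protocol unix,inet,inet6
 seccomp
 shell none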
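--- a/etc/tracker.profile
+++ b/etc/tracker.profile
@@ -2,19 +2,19 @@
 # Description: Metadata database, indexer and search tool
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/tracker.local
+include tracker.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # Tracker is started by systemd on most systems. Therefore it is not firejailed by default
 
 blacklist /tmp/.X11-unix
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter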
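Review bot: This section carries only the include rewrite, while most sibling profiles in this commit also gain a `nou2f` line next to `notv`/`novideo`. The option list below `netfilter` lies outside the hunk, so it is not visible whether tracker already has that line. If it does not, a file indexer has no apparent need for U2F devices and `nou2f` should be added here as well, so that the hardening is applied uniformly.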
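--- a/etc/transmission-cli.profile
+++ b/etc/transmission-cli.profile
@@ -2,18 +2,18 @@
 # Description: Lightweight BitTorrent client
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/transmission-cli.local
+include transmission-cli.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/transmission
 noblacklist ${HOME}/.config/transmission
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 machine-id
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp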
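--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -2,26 +2,26 @@
 # Description: Lightweight BitTorrent client
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/transmission-gtk.local
+include transmission-gtk.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/transmission
 noblacklist ${HOME}/.config/transmission
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.cache/transmission
 mkdir ${HOME}/.config/transmission
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/transmission
 whitelist ${HOME}/.config/transmission
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
@@ -33,6 +33,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp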
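--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -2,26 +2,26 @@
 # Description: Lightweight BitTorrent client
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/transmission-qt.local
+include transmission-qt.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/transmission
 noblacklist ${HOME}/.config/transmission
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.cache/transmission
 mkdir ${HOME}/.config/transmission
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/transmission
 whitelist ${HOME}/.config/transmission
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
@@ -33,6 +33,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp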
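--- a/etc/transmission-show.profile
+++ b/etc/transmission-show.profile
@@ -1,18 +1,18 @@
 # Firejail profile for transmission-show
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/transmission-show.local
+include transmission-show.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/transmission
 noblacklist ${HOME}/.config/transmission
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 machine-id
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp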
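--- a/etc/truecraft.profile
+++ b/etc/truecraft.profile
@@ -1,24 +1,24 @@
 # Firejail profile for truecraft
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/truecraft.local
+include truecraft.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/mono
 noblacklist ${HOME}/.config/truecraft
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.config/mono
 mkdir ${HOME}/.config/truecraft
 whitelist ${HOME}/.config/mono
 whitelist ${HOME}/.config/truecraft
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 nodvd
@@ -26,6 +26,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp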
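--- a/etc/tuxguitar.profile
+++ b/etc/tuxguitar.profile
@@ -2,9 +2,9 @@
 # Description: Multitrack guitar tablature editor and player (gp3 to gp5)
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/tuxguitar.local
+include tuxguitar.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/.tuxguitar*
@@ -17,14 +17,14 @@ noblacklist /usr/lib/java
 noblacklist /etc/java
 noblacklist /usr/share/java
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -34,6 +34,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp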
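--- a/etc/uefitool.profile
+++ b/etc/uefitool.profile
@@ -1,18 +1,18 @@
 # Firejail profile for uefitool
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/uefitool.local
+include uefitool.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 ipc-namespace
@@ -25,6 +25,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp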
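--- a/etc/uget-gtk.profile
+++ b/etc/uget-gtk.profile
@@ -1,21 +1,21 @@
 # Firejail profile for uget-gtk
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/uget-gtk.local
+include uget-gtk.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/uGet
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.config/uGet
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/uGet
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter
@@ -24,6 +24,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp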
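Review bot: The include list in the first hunk goes from `disable-interpreters.inc` straight to `disable-programs.inc`, whereas the other full profiles in this part of the commit include `disable-passwdmgr.inc` between the two. The `whitelist` lines further down probably already hide password-manager directories under ${HOME}, but that protection disappears if the whitelist is relaxed in uget-gtk.local. For a download manager with `protocol unix,inet,inet6`, adding `include disable-passwdmgr.inc` after the interpreters line keeps the blacklist in place independently of the whitelist and makes the profile consistent with its siblings.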
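--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -2,21 +2,21 @@
 # Description: Validating, recursive, caching DNS resolver
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/unbound.local
+include unbound.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 blacklist /tmp/.X11-unix
 
 noblacklist /sbin
 noblacklist /usr/sbin
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 whitelist /var/lib/unbound
 whitelist /var/run
@@ -27,6 +27,7 @@ nodvd
 nonewprivs
 nosound
 notv
+nou2f
 novideo
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
 writable-var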
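Review bot: The `seccomp.drop` line kept as context in the second hunk lists `perf_event_open` twice, once after `lookup_dcookie` and again as the last entry. The duplicate is harmless, but it makes the hand-maintained deny-list harder to audit against the default seccomp list; I would drop the trailing `,perf_event_open`. A short comment above the line saying why this profile uses an explicit drop list rather than plain `seccomp` would also help the next reader. The profile continues outside both hunks, so the remaining options are not visible here.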
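--- a/etc/unknown-horizons.profile
+++ b/etc/unknown-horizons.profile
@@ -2,19 +2,19 @@
 # Description: 2D realtime strategy simulation
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/unknown-horizons.local
+include unknown-horizons.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.unknown-horizons
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.unknown-horizons
 whitelist ${HOME}/.unknown-horizons
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 nodvd
@@ -22,6 +22,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,netlink,inet,inet6
 seccomp
 shell none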
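--- /dev/null
+++ b/etc/unlzma.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include cpio.profile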
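Review bot: This new alias profile has no `include unlzma.local` before the redirect, unlike the other redirect profiles touched in this commit (vimcat, vimdiff, vimpager, vimtutor), so a user cannot tighten or adjust unlzma separately from cpio; lines 4-5 are left blank where that include would sit. Unless cpio.profile is meant to be the only customization point, I would add `# Persistent local customizations` and `include unlzma.local` above `# Redirect`. The header `# Firejail profile alias for cpio` also reads as if the file belonged to cpio; `# Firejail profile for unlzma (redirects to cpio.profile)` would be clearer. etc/unxz.profile is added with identical content and has the same two points.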
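--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -3,10 +3,10 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/unrar.local
+include unrar.local
 # Persistent global definitions
 # added by included default.profile
-#include /etc/firejail/globals.local
+#include globals.local
 
 blacklist /tmp/.X11-unix
 
@@ -18,6 +18,7 @@ nodbus
 nodvd
 nosound
 notv
+nou2f
 novideo
 shell none
 tracelog
@@ -27,4 +28,4 @@ private-dev
 private-etc passwd,group,localtime
 private-tmp
 
-include /etc/firejail/default.profile
+include default.profile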
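--- /dev/null
+++ b/etc/unxz.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include cpio.profile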
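--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -3,10 +3,10 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/unzip.local
+include unzip.local
 # Persistent global definitions
 # added by included default.profile
-#include /etc/firejail/globals.local
+#include globals.local
 
 blacklist /tmp/.X11-unix
 
@@ -18,6 +18,7 @@ nodbus
 nodvd
 nosound
 notv
+nou2f
 novideo
 shell none
 tracelog
@@ -29,4 +30,4 @@ private-etc passwd,group,localtime
 # GNOME Shell integration (chrome-gnome-shell)
 noblacklist ${HOME}/.local/share/gnome-shell
 
-include /etc/firejail/default.profile
+include default.profile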
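Review bot: The last hunk keeps `noblacklist ${HOME}/.local/share/gnome-shell` under a "GNOME Shell integration (chrome-gnome-shell)" comment, which looks carried over from a browser profile and has no evident use for an archive extractor. Since this commit already touches the adjacent line, it would be a good moment to remove both lines so the profile does not lift a restriction it does not need. If the exemption is intentional, replace the comment with the actual reason, e.g. `# unzip needs read access to gnome-shell data because <reason>`. Only part of the profile is visible between the hunks, so whether anything else depends on that path cannot be checked here.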
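--- a/etc/uudeview.profile
+++ b/etc/uudeview.profile
@@ -3,10 +3,10 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/uudeview.local
+include uudeview.local
 # Persistent global definitions
 # added by included default.profile
-#include /etc/firejail/globals.local
+#include globals.local
 
 hostname uudeview
 ignore noroot
@@ -15,6 +15,7 @@ nodbus
 nodvd
 nosound
 notv
+nou2f
 novideo
 shell none
 tracelog
@@ -24,4 +25,4 @@ private-cache
 private-dev
 private-etc ld.so.preload
 
-include /etc/firejail/default.profile
+include default.profile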
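--- a/etc/uzbl-browser.profile
+++ b/etc/uzbl-browser.profile
@@ -1,9 +1,9 @@
 # Firejail profile for uzbl-browser
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/uzbl-browser.local
+include uzbl-browser.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/uzbl
 noblacklist ${HOME}/.gnupg
@@ -15,10 +15,10 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.config/uzbl
 mkdir ${HOME}/.gnupg
@@ -29,7 +29,7 @@ whitelist ${HOME}/.config/uzbl
 whitelist ${HOME}/.gnupg
 whitelist ${HOME}/.local/share/uzbl
 whitelist ${HOME}/.password-store
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter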
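Review bot: The third hunk's context whitelists `${HOME}/.gnupg` and `${HOME}/.password-store` for a web browser, and the first hunk lifts the blacklist on `${HOME}/.gnupg`, with no comment explaining why the process that renders untrusted web content needs the key ring and the password store. If this supports a password-manager integration, which the diff does not say, a comment above those lines should state it, e.g. `# needed for password-store based form filling; remove if unused`. Otherwise I would leave both paths out of the packaged profile and let users opt in through uzbl-browser.local. The hunks show only part of the profile, so other options that might limit this exposure are not visible.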
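--- a/etc/viewnior.profile
+++ b/etc/viewnior.profile
@@ -2,9 +2,9 @@
 # Description: Simple, fast and elegant image viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/viewnior.local
+include viewnior.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 blacklist ${HOME}/.bashrc
 
@@ -12,11 +12,11 @@ noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.config/viewnior
 noblacklist ${HOME}/.steam
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 net none
@@ -28,6 +28,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp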
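--- a/etc/viking.profile
+++ b/etc/viking.profile
@@ -2,20 +2,20 @@
 # Description: GPS data editor, analyzer and viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/viking.local
+include viking.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.viking
 noblacklist ${HOME}/.viking-maps
 noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter
@@ -26,6 +26,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 protocol unix,inet,inet6
 seccomp
 shell none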
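--- a/etc/vim.profile
+++ b/etc/vim.profile
@@ -2,17 +2,17 @@
 # Description: Vi IMproved - enhanced vi editor
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/vim.local
+include vim.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.vim
 noblacklist ${HOME}/.viminfo
 noblacklist ${HOME}/.vimrc
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
@@ -21,6 +21,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp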
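--- a/etc/vimcat.profile
+++ b/etc/vimcat.profile
@@ -1,10 +1,10 @@
 # Firejail profile for vimcat
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/vimcat.local
+include vimcat.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 # Redirect
-include /etc/firejail/vim.profile
+include vim.profile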
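--- a/etc/vimdiff.profile
+++ b/etc/vimdiff.profile
@@ -1,10 +1,10 @@
 # Firejail profile for vimdiff
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/vimdiff.local
+include vimdiff.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 # Redirect
-include /etc/firejail/vim.profile
+include vim.profile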
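--- a/etc/vimpager.profile
+++ b/etc/vimpager.profile
@@ -2,10 +2,10 @@
 # Description: A vim-based script to use as a PAGER
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/vimpager.local
+include vimpager.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 # Redirect
-include /etc/firejail/vim.profile
+include vim.profile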
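--- a/etc/vimtutor.profile
+++ b/etc/vimtutor.profile
@@ -1,10 +1,10 @@
 # Firejail profile for vimtutor
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/vimtutor.local
+include vimtutor.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 # Redirect
-include /etc/firejail/vim.profile
+include vim.profile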
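--- a/etc/virtualbox.profile
+++ b/etc/virtualbox.profile
@@ -2,9 +2,9 @@
 # Description: x86 virtualization solution
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/virtualbox.local
+include virtualbox.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.VirtualBox
 noblacklist ${HOME}/.config/VirtualBox
@@ -13,17 +13,17 @@ noblacklist ${HOME}/VirtualBox VMs
 noblacklist /usr/lib/virtualbox
 noblacklist /usr/lib64/virtualbox
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.config/VirtualBox
 mkdir ${HOME}/VirtualBox VMs
 whitelist ${HOME}/.config/VirtualBox
 whitelist ${HOME}/VirtualBox VMs
 whitelist ${DOWNLOADS}
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter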
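--- a/etc/vivaldi-beta.profile
+++ b/etc/vivaldi-beta.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/vivaldi.profile
+include vivaldi.profile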
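--- a/etc/vivaldi-snapshot.profile
+++ b/etc/vivaldi-snapshot.profile
@@ -1,9 +1,9 @@
 # Firejail profile for vivaldi-snapshot
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/vivaldi-snapshot.local
+include vivaldi-snapshot.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/vivaldi-snapshot
 noblacklist ${HOME}/.config/vivaldi-snapshot
@@ -14,4 +14,4 @@ whitelist ${HOME}/.cache/vivaldi-snapshot
 whitelist ${HOME}/.config/vivaldi-snapshot
 
 # Redirect
-include /etc/firejail/chromium-common.profile
+include chromium-common.profile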
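--- a/etc/vivaldi-stable.profile
+++ b/etc/vivaldi-stable.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/vivaldi.profile
+include vivaldi.profile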
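--- a/etc/vivaldi.profile
+++ b/etc/vivaldi.profile
@@ -1,9 +1,9 @@
 # Firejail profile for vivaldi
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/vivaldi.local
+include vivaldi.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/vivaldi
 noblacklist ${HOME}/.config/vivaldi
@@ -17,4 +17,4 @@ whitelist ${HOME}/.config/vivaldi
 ignore nodbus
 
 # Redirect
-include /etc/firejail/chromium-common.profile
+include chromium-common.profile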
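--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -2,9 +2,9 @@
 # Description: Multimedia player and streamer
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/vlc.local
+include vlc.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/vlc
 noblacklist ${HOME}/.config/vlc
@@ -12,14 +12,14 @@ noblacklist ${HOME}/.local/share/vlc
 noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 #apparmor - on Ubuntu 18.04 it refuses to start without dbus access
 caps.drop all
@@ -28,6 +28,7 @@ netfilter
 nogroups
 nonewprivs
 noroot
+nou2f
 protocol unix,inet,inet6,netlink
 seccomp
 shell none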
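--- a/etc/vym.profile
+++ b/etc/vym.profile
@@ -2,17 +2,17 @@
 # Description: Mindmapping tool
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/vym.local
+include vym.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/InSilmaril
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp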
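--- a/etc/w3m.profile
+++ b/etc/w3m.profile
@@ -2,20 +2,20 @@
 # Description: WWW browsable pager with excellent tables/frames support
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/w3m.local
+include w3m.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 blacklist /tmp/.X11-unix
 
 noblacklist ${HOME}/.w3m
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter
@@ -26,6 +26,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp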
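--- a/etc/warzone2100.profile
+++ b/etc/warzone2100.profile
@@ -2,24 +2,24 @@
 # Description: 3D real time strategy game
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/warzone2100.local
+include warzone2100.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.warzone2100-3.*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 # mkdir ${HOME}/.warzone2100-3.1
 # mkdir ${HOME}/.warzone2100-3.2
 whitelist ${HOME}/.warzone2100-3.1
 whitelist ${HOME}/.warzone2100-3.2
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -28,6 +28,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,inet,inet6,netlink
 seccomp
 shell none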
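--- a/etc/waterfox.profile
+++ b/etc/waterfox.profile
@@ -1,9 +1,9 @@
 # Firejail profile for waterfox
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/waterfox.local
+include waterfox.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.cache/waterfox
@@ -25,4 +25,4 @@ whitelist ${HOME}/.waterfox
 #private-etc waterfox
 
 # Redirect
-include /etc/firejail/firefox-common.profile
+include firefox-common.profile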
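Review bot: The bare names in the new include lines (`include waterfox.local`, `include globals.local`, `include firefox-common.profile`) no longer pin the source directory, so which file gets loaded now depends on firejail's include search order, which this diff does not show. If that order consults a per-user directory such as `~/.config/firejail` before `/etc/firejail` (worth confirming against the parser change that accompanies this commit), a file placed there takes precedence over the shipped `firefox-common.profile` or any `disable-*.inc`, so that directory must not be writable from inside any sandbox. I would state the lookup order where the profile already documents overrides, e.g. `# Persistent local customizations (user config dir is searched before /etc/firejail)`, and keep an explicit location for includes that must come from the system directory. The same applies to every other include change on this page; profiles whose visible hunks pull in no `disable-*.inc` or whitelist include, such as etc/x-terminal-emulator.profile, are the ones to check first.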
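--- a/etc/webstorm.profile
+++ b/etc/webstorm.profile
@@ -1,9 +1,9 @@
 # Firejail profile for WebStorm
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/webstorm.local
+include webstorm.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.WebStorm*
 noblacklist ${HOME}/.android
@@ -17,11 +17,11 @@ noblacklist ${HOME}/.tooling
 noblacklist ${PATH}/node
 noblacklist ${HOME}/.nvm
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-devel.inc
+include disable-interpreters.inc
 
 caps.drop all
 netfilter
@@ -30,6 +30,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp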
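--- a/etc/weechat-curses.profile
+++ b/etc/weechat-curses.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/weechat.profile
+include weechat.profile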
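--- a/etc/weechat.profile
+++ b/etc/weechat.profile
@@ -2,14 +2,14 @@
 # Description: Fast, light and extensible chat client
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/weechat.local
+include weechat.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.weechat
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter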
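--- a/etc/wesnoth.profile
+++ b/etc/wesnoth.profile
@@ -2,19 +2,19 @@
 # Description: Fantasy turn-based strategy game
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/wesnoth.local
+include wesnoth.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/wesnoth
 noblacklist ${HOME}/.config/wesnoth
 noblacklist ${HOME}/.local/share/wesnoth
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.cache/wesnoth
 mkdir ${HOME}/.config/wesnoth
@@ -22,13 +22,14 @@ mkdir ${HOME}/.local/share/wesnoth
 whitelist ${HOME}/.cache/wesnoth
 whitelist ${HOME}/.config/wesnoth
 whitelist ${HOME}/.local/share/wesnoth
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 nodvd
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,inet,inet6
 seccomp
 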
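--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -3,19 +3,19 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/wget.local
+include wget.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 blacklist /tmp/.X11-unix
 
 noblacklist ${HOME}/.wgetrc
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -26,6 +26,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp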
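--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -1,5 +1,5 @@
 # Local customizations come here
-include /etc/firejail/whitelist-common.local
+include whitelist-common.local
 
 # common whitelist for all profiles
 
@@ -13,6 +13,7 @@ whitelist ${HOME}/.config/user-dirs.dirs
 read-only ${HOME}/.config/user-dirs.dirs
 whitelist ${HOME}/.drirc
 whitelist ${HOME}/.icons
+?HAS_APPIMAGE: whitelist ${HOME}/.local/share/appimagekit
 whitelist ${HOME}/.local/share/applications
 read-only ${HOME}/.local/share/applications
 whitelist ${HOME}/.local/share/icons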
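Review bot: The new `?HAS_APPIMAGE: whitelist ${HOME}/.local/share/appimagekit` line in the second hunk exposes that directory without a matching `read-only` line, while the neighbouring `.config/user-dirs.dirs` and `.local/share/applications` entries each have one. The file's own comment calls it the common whitelist for all profiles, so every AppImage sandbox that includes it would get write access to the directory. If AppImages only need to read it (not verifiable from this hunk), follow the line with `?HAS_APPIMAGE: read-only ${HOME}/.local/share/appimagekit`; otherwise add a comment saying why it has to stay writable. The file continues outside the hunk on both sides.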
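--- a/etc/whitelist-var-common.inc
+++ b/etc/whitelist-var-common.inc
@@ -1,5 +1,5 @@
 # Local customizations come here
-include /etc/firejail/whitelist-var-common.local
+include whitelist-var-common.local
 
 # common /var whitelist for all profiles
 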
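--- a/etc/whois.profile
+++ b/etc/whois.profile
@@ -2,18 +2,18 @@ quiet
 # Firejail profile for whois
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/whois.local
+include whois.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
-include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-devel.inc
-# include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-#include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+# include disable-devel.inc
+# include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+#include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 # ipc-namespace
@@ -26,6 +26,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol inet,inet6
 seccomp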
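--- a/etc/wine.profile
+++ b/etc/wine.profile
@@ -2,9 +2,9 @@
 # Description: A compatibility layer for running Windows programs
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/wine.local
+include wine.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.local/share/Steam
@@ -14,10 +14,10 @@ noblacklist ${HOME}/.wine
 # with >=llvm-4 mesa drivers need llvm stuff
 noblacklist /usr/lib/llvm*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter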
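--- a/etc/wire-desktop.profile
+++ b/etc/wire-desktop.profile
@@ -1,23 +1,23 @@
 # Firejail profile for wire-desktop
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/wire-desktop.local
+include wire-desktop.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/Wire
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.config/Wire
 whitelist ${HOME}/.config/Wire
 whitelist ${DOWNLOADS}
 
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter
@@ -26,6 +26,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,inet,inet6,netlink
 seccomp
 shell none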
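--- a/etc/wireshark-gtk.profile
+++ b/etc/wireshark-gtk.profile
@@ -4,4 +4,4 @@
 
 
 # Redirect
-include /etc/firejail/wireshark.profile
+include wireshark.profile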
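--- a/etc/wireshark-qt.profile
+++ b/etc/wireshark-qt.profile
@@ -4,4 +4,4 @@
 
 
 # Redirect
-include /etc/firejail/wireshark.profile
+include wireshark.profile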
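--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -2,9 +2,9 @@
 # Description: Network traffic analyzer
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/wireshark.local
+include wireshark.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/wireshark
 noblacklist ${HOME}/.wireshark
@@ -16,14 +16,14 @@ noblacklist /usr/lib/lua
 noblacklist /usr/include/lua*
 noblacklist /usr/share/lua
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 apparmor
 # caps.drop all
@@ -36,6 +36,7 @@ no3d
 nodvd
 nosound
 notv
+nou2f
 novideo
 # protocol unix,inet,inet6,netlink
 # seccomp - breaks network traffic capture for unprivileged users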
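--- a/etc/x-terminal-emulator.profile
+++ b/etc/x-terminal-emulator.profile
@@ -1,9 +1,9 @@
 # Firejail profile for x-terminal-emulator
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/x-terminal-emulator.local
+include x-terminal-emulator.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 caps.drop all
 ipc-namespace
@@ -12,6 +12,7 @@ netfilter
 nodbus
 nogroups
 noroot
+nou2f
 protocol unix
 seccomp
 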
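Review bot: The `nou2f` added in the second hunk sits in a terminal emulator profile, so presumably every program started from that terminal inherits it and loses access to U2F tokens, a wider effect than in the single-application profiles that get the same line. Nothing in the profile says so; I would put a comment above it, `# nou2f also applies to everything started from this terminal; add "ignore nou2f" to x-terminal-emulator.local if a token is needed there`. The profile continues between the two hunks, where old lines 10-11 are not shown.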
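--- a/etc/xcalc.profile
+++ b/etc/xcalc.profile
@@ -1,18 +1,18 @@
 # Firejail profile for xcalc
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/xcalc.local
+include xcalc.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 net none
@@ -25,6 +25,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp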
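--- a/etc/xchat.profile
+++ b/etc/xchat.profile
@@ -2,15 +2,15 @@
 # Description: IRC client for X similar to AmIRC
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/xchat.local
+include xchat.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/xchat
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-programs.inc
 
 caps.drop all
 nodvd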
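--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -1,9 +1,9 @@
 # Firejail profile for xed
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/xed.local
+include xed.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/xed
 
@@ -13,13 +13,13 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 # apparmor - makes settings immutable
 caps.drop all
@@ -33,6 +33,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp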
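--- a/etc/xfburn.profile
+++ b/etc/xfburn.profile
@@ -2,17 +2,17 @@
 # Description: CD-burner application for Xfce Desktop Environment
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/xfburn.local
+include xfburn.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/xfburn
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter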
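--- a/etc/xfce4-dict.profile
+++ b/etc/xfce4-dict.profile
@@ -2,17 +2,17 @@
 # Description: Dictionary plugin for Xfce4 panel
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/xfce4-dict.local
+include xfce4-dict.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/xfce4-dict
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp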
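--- a/etc/xfce4-notes.profile
+++ b/etc/xfce4-notes.profile
@@ -2,19 +2,19 @@
 # Description: Notes application for the Xfce4 desktop
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/xfce4-notes.local
+include xfce4-notes.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/xfce4/xfce4-notes.gtkrc
 noblacklist ${HOME}/.config/xfce4/xfce4-notes.rc
 noblacklist ${HOME}/.local/share/notes
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
@@ -25,6 +25,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp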
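--- a/etc/xiphos.profile
+++ b/etc/xiphos.profile
@@ -2,24 +2,24 @@
 # Description: Environment for Bible reading, study, and research
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/xiphos.local
+include xiphos.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 blacklist ${HOME}/.bashrc
 
 noblacklist ${HOME}/.sword
 noblacklist ${HOME}/.xiphos
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 whitelist ${HOME}/.sword
 whitelist ${HOME}/.xiphos
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter
@@ -29,6 +29,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp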
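--- a/etc/xmms.profile
+++ b/etc/xmms.profile
@@ -1,19 +1,19 @@
 # Firejail profile for xmms
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/xmms.local
+include xmms.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.xmms
 noblacklist ${MUSIC}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter
@@ -21,6 +21,7 @@ no3d
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp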
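--- a/etc/xmr-stak.profile
+++ b/etc/xmr-stak.profile
@@ -1,22 +1,22 @@
 # Firejail profile for xmr-stak
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/xmr-stak.local
+include xmr-stak.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.xmr-stak
 noblacklist /usr/lib/llvm*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.xmr-stak
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace
@@ -27,6 +27,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp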
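--- a/etc/xonotic-glx.profile
+++ b/etc/xonotic-glx.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/xonotic.profile
+include xonotic.profile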
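--- a/etc/xonotic-sdl.profile
+++ b/etc/xonotic-sdl.profile
@@ -3,4 +3,4 @@
 
 
 # Redirect
-include /etc/firejail/xonotic.profile
+include xonotic.profile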
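--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -2,22 +2,22 @@
 # Description: A free, fast-paced crossplatform first-person shooter
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/xonotic.local
+include xonotic.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.xonotic
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.xonotic
 whitelist ${HOME}/.xonotic
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -27,6 +27,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp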
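--- a/etc/xpdf.profile
+++ b/etc/xpdf.profile
@@ -2,21 +2,21 @@
 # Description: Portable Document Format (PDF) reader
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/xpdf.local
+include xpdf.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.xpdfrc
 noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 machine-id
@@ -29,6 +29,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp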
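--- a/etc/xplayer-audio-preview.profile
+++ b/etc/xplayer-audio-preview.profile
@@ -1,10 +1,10 @@
 # Firejail profile for xplayer-audio-preview
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/xplayer-audio-preview.local
+include xplayer-audio-preview.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 # Redirect
-include /etc/firejail/xplayer.profile
+include xplayer.profile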
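--- a/etc/xplayer-video-thumbnailer.profile
+++ b/etc/xplayer-video-thumbnailer.profile
@@ -1,10 +1,10 @@
 # Firejail profile for xplayer-video-thumbnailer
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/xplayer-video-thumbnailer.local
+include xplayer-video-thumbnailer.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 # Redirect
-include /etc/firejail/xplayer.profile
+include xplayer.profile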
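--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -1,9 +1,9 @@
 # Firejail profile for xplayer
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/xplayer.local
+include xplayer.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/xplayer
 noblacklist ${HOME}/.local/share/xplayer
@@ -16,14 +16,14 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 # apparmor - makes settings immutable
 caps.drop all
@@ -32,6 +32,7 @@ netfilter
 nogroups
 nonewprivs
 noroot
+nou2f
 protocol unix,inet,inet6
 seccomp
 shell none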
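--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -2,9 +2,9 @@
 # Description: Tool to detach/reattach running X programs
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/xpra.local
+include xpra.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 #
 # This profile will sandbox Xpra server itself when used with firejail --x11=xpra.
@@ -22,11 +22,11 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 whitelist /var/lib/xkb
 # whitelisting home directory, or including whitelist-common.inc
@@ -41,6 +41,7 @@ nonewprivs
 #noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp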
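--- a/etc/xreader-previewer.profile
+++ b/etc/xreader-previewer.profile
@@ -1,10 +1,10 @@
 # Firejail profile for xreader-previewer
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/xreader-previewer.local
+include xreader-previewer.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 # Redirect
-include /etc/firejail/xreader.profile
+include xreader.profile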
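--- a/etc/xreader-thumbnailer.profile
+++ b/etc/xreader-thumbnailer.profile
@@ -1,10 +1,10 @@
 # Firejail profile for xreader-thumbnailer
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/xreader-thumbnailer.local
+include xreader-thumbnailer.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 # Redirect
-include /etc/firejail/xreader.profile
+include xreader.profile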
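--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -2,23 +2,23 @@
 # Description: Document viewer for files like PDF and Postscript. X-Apps Project.
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/xreader.local
+include xreader.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/xreader
 noblacklist ${HOME}/.config/xreader
 noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 # Breaks xreader on Mint 18.3
-# include /etc/firejail/whitelist-var-common.inc
+# include whitelist-var-common.inc
 
 # apparmor
 caps.drop all
@@ -29,6 +29,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp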
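--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -1,22 +1,22 @@
 # Firejail profile for xviewer
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/xviewer.local
+include xviewer.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.config/xviewer
 noblacklist ${HOME}/.local/share/Trash
 noblacklist ${HOME}/.steam
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 # apparmor - makes settings immutable
 caps.drop all
@@ -29,6 +29,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp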
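--- a/etc/xxd.profile
+++ b/etc/xxd.profile
@@ -2,10 +2,10 @@
 # Description: Tool to make (or reverse) a hex dump
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/xxd.local
+include xxd.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
 # Redirect
-include /etc/firejail/vim.profile
+include vim.profile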
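--- a/etc/xz.profile
+++ b/etc/xz.profile
@@ -4,4 +4,4 @@
 
 
 # Redirect
-include /etc/firejail/cpio.profile
+include cpio.profile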
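--- /dev/null
+++ b/etc/xzcat.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include cpio.profile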
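Review bot: This new alias has no `include xzcat.local` line, unlike other redirect profiles in this commit (for example `etc/xxd.profile` includes `xxd.local` and `globals.local` before its redirect), so a user has no per-command file for local overrides and must change the shared cpio settings instead. The header also reads `# Firejail profile alias for cpio` while the description is about XZ tools; something like `# Firejail profile for xzcat (alias for cpio)` would be clearer. Separately, xzdiff, xzgrep, xzless and xzmore are wrapper scripts in xz-utils that call a shell plus diff, grep or a pager, and cpio.profile is not shown here, so it is worth confirming that the redirected restrictions do not break them. The same points apply to the identical new files for `xzcmp`, `xzdiff`, `xzegrep`, `xzfgrep`, `xzgrep`, `xzless` and `xzmore`.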
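--- /dev/null
+++ b/etc/xzcmp.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include cpio.profile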
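--- a/etc/xzdec.profile
+++ b/etc/xzdec.profile
@@ -3,10 +3,10 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/xzdec.local
+include xzdec.local
 # Persistent global definitions
 # added by included default.profile
-#include /etc/firejail/globals.local
+#include globals.local
 
 blacklist /tmp/.X11-unix
 
@@ -17,10 +17,11 @@ nodbus
 nodvd
 nosound
 notv
+nou2f
 novideo
 shell none
 tracelog
 
 private-dev
 
-include /etc/firejail/default.profile
+include default.profile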
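--- /dev/null
+++ b/etc/xzdiff.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include cpio.profile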
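--- /dev/null
+++ b/etc/xzegrep.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include cpio.profile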
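--- /dev/null
+++ b/etc/xzfgrep.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include cpio.profile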
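--- /dev/null
+++ b/etc/xzgrep.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include cpio.profile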
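--- /dev/null
+++ b/etc/xzless.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include cpio.profile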
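--- /dev/null
+++ b/etc/xzmore.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include cpio.profile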
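--- a/etc/yandex-browser.profile
+++ b/etc/yandex-browser.profile
@@ -1,9 +1,9 @@
 # Firejail profile for yandex-browser
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/yandex-browser.local
+include yandex-browser.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/yandex-browser
 noblacklist ${HOME}/.cache/yandex-browser-beta
@@ -20,4 +20,4 @@ whitelist ${HOME}/.config/yandex-browser
 whitelist ${HOME}/.config/yandex-browser-beta
 
 # Redirect
-include /etc/firejail/chromium-common.profile
+include chromium-common.profile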
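--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -3,9 +3,9 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/youtube-dl.local
+include youtube-dl.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.netrc
 noblacklist ${MUSIC}
@@ -17,14 +17,14 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace
@@ -36,6 +36,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp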
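--- a/etc/zaproxy.profile
+++ b/etc/zaproxy.profile
@@ -2,9 +2,9 @@
 # Description: Integrated penetration testing tool for finding vulnerabilities in web applications
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/zaproxy.local
+include zaproxy.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/.ZAP
@@ -15,17 +15,17 @@ noblacklist /usr/lib/java
 noblacklist /etc/java
 noblacklist /usr/share/java
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.ZAP
 whitelist ${HOME}/.java
 whitelist ${HOME}/.ZAP
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace
@@ -37,6 +37,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp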
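--- a/etc/zart.profile
+++ b/etc/zart.profile
@@ -2,19 +2,19 @@
 # Description: A GUI for G'MIC real-time manipulations on the output of a webcam
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/zart.local
+include zart.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 ipc-namespace
@@ -25,6 +25,7 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix
 seccomp
 shell none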
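--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -2,20 +2,20 @@
 # Description: Document viewer with a minimalistic interface
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/zathura.local
+include zathura.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/zathura
 noblacklist ${HOME}/.local/share/zathura
 noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-xdg.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 machine-id
@@ -27,6 +27,7 @@ nonewprivs
 noroot
 nosound
 notv
+nou2f
 protocol unix
 seccomp
 shell none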
diff --git a/etc/zoom.profile b/etc/zoom.profile index 419c25f18..4fbf7ca01 100644 --- a/etc/zoom.profile +++ b/etc/zoom.profile | |||
@@ -1,21 +1,21 @@ | |||
1 | # Firejail profile for zoom | 1 | # Firejail profile for zoom |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include /etc/firejail/zoom.local | 4 | include zoom.local |
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include globals.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.config/zoomus.conf | 8 | noblacklist ${HOME}/.config/zoomus.conf |
9 | 9 | ||
10 | include /etc/firejail/disable-common.inc | 10 | include disable-common.inc |
11 | include /etc/firejail/disable-devel.inc | 11 | include disable-devel.inc |
12 | include /etc/firejail/disable-interpreters.inc | 12 | include disable-interpreters.inc |
13 | include /etc/firejail/disable-programs.inc | 13 | include disable-programs.inc |
14 | 14 | ||
15 | mkdir ${HOME}/.zoom | 15 | mkdir ${HOME}/.zoom |
16 | whitelist ${HOME}/.cache/zoom | 16 | whitelist ${HOME}/.cache/zoom |
17 | whitelist ${HOME}/.zoom | 17 | whitelist ${HOME}/.zoom |
18 | include /etc/firejail/whitelist-common.inc | 18 | include whitelist-common.inc |
19 | 19 | ||
20 | caps.drop all | 20 | caps.drop all |
21 | netfilter | 21 | netfilter |
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index ddc4b676d..62dc8ae10 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -15,6 +15,7 @@ JDownloader | |||
15 | Mathematica | 15 | Mathematica |
16 | Natron | 16 | Natron |
17 | QMediathekView | 17 | QMediathekView |
18 | QOwnNotes | ||
18 | Telegram | 19 | Telegram |
19 | Viber | 20 | Viber |
20 | VirtualBox | 21 | VirtualBox |
@@ -35,6 +36,7 @@ ardour5 | |||
35 | arduino | 36 | arduino |
36 | ark | 37 | ark |
37 | arm | 38 | arm |
39 | artha | ||
38 | # atom | 40 | # atom |
39 | # atom-beta | 41 | # atom-beta |
40 | asunder | 42 | asunder |
@@ -270,6 +272,8 @@ lximage-qt | |||
270 | lxmusic | 272 | lxmusic |
271 | lynx | 273 | lynx |
272 | macrofusion | 274 | macrofusion |
275 | masterpdfeditor4 | ||
276 | masterpdfeditor5 | ||
273 | mate-calc | 277 | mate-calc |
274 | mate-calculator | 278 | mate-calculator |
275 | mate-color-select | 279 | mate-color-select |
@@ -305,6 +309,7 @@ ncdu | |||
305 | netsurf | 309 | netsurf |
306 | neverball | 310 | neverball |
307 | nheko | 311 | nheko |
312 | nitroshare | ||
308 | nylas | 313 | nylas |
309 | obs | 314 | obs |
310 | odt2txt | 315 | odt2txt |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index cae767667..19b8480f8 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -32,6 +32,7 @@ | |||
32 | #define RUN_FIREJAIL_DIR "/run/firejail" | 32 | #define RUN_FIREJAIL_DIR "/run/firejail" |
33 | #define RUN_FIREJAIL_APPIMAGE_DIR "/run/firejail/appimage" | 33 | #define RUN_FIREJAIL_APPIMAGE_DIR "/run/firejail/appimage" |
34 | #define RUN_FIREJAIL_NAME_DIR "/run/firejail/name" // also used in src/lib/pid.c - todo: move it in a common place | 34 | #define RUN_FIREJAIL_NAME_DIR "/run/firejail/name" // also used in src/lib/pid.c - todo: move it in a common place |
35 | #define RUN_FIREJAIL_LIB_DIR "/run/firejail/lib" | ||
35 | #define RUN_FIREJAIL_X11_DIR "/run/firejail/x11" | 36 | #define RUN_FIREJAIL_X11_DIR "/run/firejail/x11" |
36 | #define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network" | 37 | #define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network" |
37 | #define RUN_FIREJAIL_BANDWIDTH_DIR "/run/firejail/bandwidth" | 38 | #define RUN_FIREJAIL_BANDWIDTH_DIR "/run/firejail/bandwidth" |
@@ -457,7 +458,8 @@ void fs_mnt(const int enforce); | |||
457 | 458 | ||
458 | // profile.c | 459 | // profile.c |
459 | // find and read the profile specified by name from dir directory | 460 | // find and read the profile specified by name from dir directory |
460 | int profile_find(const char *name, const char *dir); | 461 | int profile_find(const char *name, const char *dir, int add_ext); |
462 | int profile_find_firejail(const char *name, int add_ext); | ||
461 | // read a profile file | 463 | // read a profile file |
462 | void profile_read(const char *fname); | 464 | void profile_read(const char *fname); |
463 | // check profile line; if line == 0, this was generated from a command line option | 465 | // check profile line; if line == 0, this was generated from a command line option |
@@ -495,7 +497,7 @@ int arp_check(const char *dev, uint32_t destaddr); | |||
495 | uint32_t arp_assign(const char *dev, Bridge *br); | 497 | uint32_t arp_assign(const char *dev, Bridge *br); |
496 | 498 | ||
497 | // macros.c | 499 | // macros.c |
498 | char *expand_home(const char *path, const char *homedir); | 500 | char *expand_macros(const char *path); |
499 | char *resolve_macro(const char *name); | 501 | char *resolve_macro(const char *name); |
500 | void invalid_filename(const char *fname, int globbing); | 502 | void invalid_filename(const char *fname, int globbing); |
501 | int is_macro(const char *name); | 503 | int is_macro(const char *name); |
@@ -790,16 +792,32 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc, | |||
790 | 792 | ||
791 | // sbox.c | 793 | // sbox.c |
792 | // programs | 794 | // programs |
793 | #define PATH_FNET (LIBDIR "/firejail/fnet") | 795 | #define PATH_FNET_MAIN (LIBDIR "/firejail/fnet") // when called from main thread |
794 | #define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter") | 796 | #define PATH_FNET (RUN_FIREJAIL_LIB_DIR "/fnet") // when called from sandbox thread |
797 | |||
798 | //#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter") | ||
799 | #define PATH_FNETFILTER (RUN_FIREJAIL_LIB_DIR "/fnetfilter") | ||
800 | |||
795 | #define PATH_FIREMON (PREFIX "/bin/firemon") | 801 | #define PATH_FIREMON (PREFIX "/bin/firemon") |
796 | #define PATH_FIREJAIL (PREFIX "/bin/firejail") | 802 | #define PATH_FIREJAIL (PREFIX "/bin/firejail") |
797 | #define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp") | 803 | |
804 | #define PATH_FSECCOMP_MAIN (LIBDIR "/firejail/fseccomp") // when called from main thread | ||
805 | #define PATH_FSECCOMP ( RUN_FIREJAIL_LIB_DIR "/fseccomp") // when called from sandbox thread | ||
806 | |||
807 | // FSEC_PRINT is run outside of sandbox by --seccomp.print | ||
808 | // it is also run from inside the sandbox by --debug; in this case we do an access(filename, X_OK) test first | ||
798 | #define PATH_FSEC_PRINT (LIBDIR "/firejail/fsec-print") | 809 | #define PATH_FSEC_PRINT (LIBDIR "/firejail/fsec-print") |
799 | #define PATH_FSEC_OPTIMIZE (LIBDIR "/firejail/fsec-optimize") | 810 | |
800 | #define PATH_FCOPY (LIBDIR "/firejail/fcopy") | 811 | //#define PATH_FSEC_OPTIMIZE (LIBDIR "/firejail/fsec-optimize") |
812 | #define PATH_FSEC_OPTIMIZE (RUN_FIREJAIL_LIB_DIR "/fsec-optimize") | ||
813 | |||
814 | //#define PATH_FCOPY (LIBDIR "/firejail/fcopy") | ||
815 | #define PATH_FCOPY (RUN_FIREJAIL_LIB_DIR "/fcopy") | ||
816 | |||
801 | #define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin" | 817 | #define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin" |
802 | #define PATH_FLDD (LIBDIR "/firejail/fldd") | 818 | |
819 | //#define PATH_FLDD (LIBDIR "/firejail/fldd") | ||
820 | #define PATH_FLDD (RUN_FIREJAIL_LIB_DIR "/fldd") | ||
803 | 821 | ||
804 | // bitmapped filters for sbox_run | 822 | // bitmapped filters for sbox_run |
805 | #define SBOX_ROOT (1 << 0) // run the sandbox as root | 823 | #define SBOX_ROOT (1 << 0) // run the sandbox as root |
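Review bot: The sandbox-side helper paths (`PATH_FNET`, `PATH_FNETFILTER`, `PATH_FSECCOMP`, `PATH_FSEC_OPTIMIZE`, `PATH_FCOPY`, `PATH_FLDD`) now resolve into `RUN_FIREJAIL_LIB_DIR`, but the header does not say what ownership and mode that directory must have or who populates it. These programs are started through sbox_run, and `SBOX_ROOT` exists as a mode, so the trust assumption belongs next to the new define, for example `// helpers executed from inside the sandbox; directory must be root-owned and not writable by the sandboxed user`. The four commented-out old defines (`//#define PATH_FCOPY (LIBDIR "/firejail/fcopy")` and its siblings) are dead text that would be better removed. `( RUN_FIREJAIL_LIB_DIR "/fseccomp")` also carries a stray space after the parenthesis.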
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index b958df81a..3ce2c7571 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -257,8 +257,6 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[ | |||
257 | 257 | ||
258 | // blacklist files or directories by mounting empty files on top of them | 258 | // blacklist files or directories by mounting empty files on top of them |
259 | void fs_blacklist(void) { | 259 | void fs_blacklist(void) { |
260 | char *homedir = cfg.homedir; | ||
261 | assert(homedir); | ||
262 | ProfileEntry *entry = cfg.profile; | 260 | ProfileEntry *entry = cfg.profile; |
263 | if (!entry) | 261 | if (!entry) |
264 | return; | 262 | return; |
@@ -335,7 +333,7 @@ void fs_blacklist(void) { | |||
335 | enames = calloc(2, sizeof(char *)); | 333 | enames = calloc(2, sizeof(char *)); |
336 | if (!enames) | 334 | if (!enames) |
337 | errExit("calloc"); | 335 | errExit("calloc"); |
338 | enames[0] = expand_home(entry->data + 12, homedir); | 336 | enames[0] = expand_macros(entry->data + 12); |
339 | assert(enames[1] == 0); | 337 | assert(enames[1] == 0); |
340 | } | 338 | } |
341 | 339 | ||
@@ -401,7 +399,7 @@ void fs_blacklist(void) { | |||
401 | } | 399 | } |
402 | 400 | ||
403 | // replace home macro in blacklist array | 401 | // replace home macro in blacklist array |
404 | char *new_name = expand_home(ptr, homedir); | 402 | char *new_name = expand_macros(ptr); |
405 | ptr = new_name; | 403 | ptr = new_name; |
406 | 404 | ||
407 | // expand path macro - look for the file in /usr/local/bin, /usr/local/sbin, /bin, /usr/bin, /sbin and /usr/sbin directories | 405 | // expand path macro - look for the file in /usr/local/bin, /usr/local/sbin, /bin, /usr/bin, /sbin and /usr/sbin directories |
@@ -1197,73 +1195,78 @@ void fs_check_chroot_dir(const char *rootdir) { | |||
1197 | } | 1195 | } |
1198 | 1196 | ||
1199 | // check /dev | 1197 | // check /dev |
1200 | fd = openat(parentfd, "dev", O_PATH|O_CLOEXEC); | 1198 | char *dir = "dev"; |
1199 | fd = openat(parentfd, dir, O_PATH|O_CLOEXEC); | ||
1201 | if (fd == -1) { | 1200 | if (fd == -1) { |
1202 | fprintf(stderr, "Error: cannot open /dev in chroot directory\n"); | 1201 | if (errno == ENOENT) |
1203 | exit(1); | 1202 | goto error1; |
1203 | else | ||
1204 | goto error2; | ||
1204 | } | 1205 | } |
1205 | if (fstat(fd, &s) == -1) | 1206 | if (fstat(fd, &s) == -1) |
1206 | errExit("fstat"); | 1207 | errExit("fstat"); |
1207 | if (!S_ISDIR(s.st_mode) || s.st_uid != 0) { | 1208 | if (!S_ISDIR(s.st_mode) || s.st_uid != 0) |
1208 | fprintf(stderr, "Error: chroot /dev should be a directory owned by root\n"); | 1209 | goto error3; |
1209 | exit(1); | ||
1210 | } | ||
1211 | close(fd); | 1210 | close(fd); |
1212 | 1211 | ||
1213 | // check /var/tmp | 1212 | // check /var/tmp |
1214 | fd = openat(parentfd, "var/tmp", O_PATH|O_CLOEXEC); | 1213 | dir = "var/tmp"; |
1214 | fd = openat(parentfd, dir, O_PATH|O_CLOEXEC); | ||
1215 | if (fd == -1) { | 1215 | if (fd == -1) { |
1216 | fprintf(stderr, "Error: cannot open /var/tmp in chroot directory\n"); | 1216 | if (errno == ENOENT) |
1217 | exit(1); | 1217 | goto error1; |
1218 | else | ||
1219 | goto error2; | ||
1218 | } | 1220 | } |
1219 | if (fstat(fd, &s) == -1) | 1221 | if (fstat(fd, &s) == -1) |
1220 | errExit("fstat"); | 1222 | errExit("fstat"); |
1221 | if (!S_ISDIR(s.st_mode) || s.st_uid != 0) { | 1223 | if (!S_ISDIR(s.st_mode) || s.st_uid != 0) |
1222 | fprintf(stderr, "Error: chroot /var/tmp should be a directory owned by root\n"); | 1224 | goto error3; |
1223 | exit(1); | ||
1224 | } | ||
1225 | close(fd); | 1225 | close(fd); |
1226 | 1226 | ||
1227 | // check /proc | 1227 | // check /proc |
1228 | fd = openat(parentfd, "proc", O_PATH|O_CLOEXEC); | 1228 | dir = "proc"; |
1229 | fd = openat(parentfd, dir, O_PATH|O_CLOEXEC); | ||
1229 | if (fd == -1) { | 1230 | if (fd == -1) { |
1230 | fprintf(stderr, "Error: cannot open /proc in chroot directory\n"); | 1231 | if (errno == ENOENT) |
1231 | exit(1); | 1232 | goto error1; |
1233 | else | ||
1234 | goto error2; | ||
1232 | } | 1235 | } |
1233 | if (fstat(fd, &s) == -1) | 1236 | if (fstat(fd, &s) == -1) |
1234 | errExit("fstat"); | 1237 | errExit("fstat"); |
1235 | if (!S_ISDIR(s.st_mode) || s.st_uid != 0) { | 1238 | if (!S_ISDIR(s.st_mode) || s.st_uid != 0) |
1236 | fprintf(stderr, "Error: chroot /proc should be a directory owned by root\n"); | 1239 | goto error3; |
1237 | exit(1); | ||
1238 | } | ||
1239 | close(fd); | 1240 | close(fd); |
1240 | 1241 | ||
1241 | // check /tmp | 1242 | // check /tmp |
1242 | fd = openat(parentfd, "tmp", O_PATH|O_CLOEXEC); | 1243 | dir = "tmp"; |
1244 | fd = openat(parentfd, dir, O_PATH|O_CLOEXEC); | ||
1243 | if (fd == -1) { | 1245 | if (fd == -1) { |
1244 | fprintf(stderr, "Error: cannot open /tmp in chroot directory\n"); | 1246 | if (errno == ENOENT) |
1245 | exit(1); | 1247 | goto error1; |
1248 | else | ||
1249 | goto error2; | ||
1246 | } | 1250 | } |
1247 | if (fstat(fd, &s) == -1) | 1251 | if (fstat(fd, &s) == -1) |
1248 | errExit("fstat"); | 1252 | errExit("fstat"); |
1249 | if (!S_ISDIR(s.st_mode) || s.st_uid != 0) { | 1253 | if (!S_ISDIR(s.st_mode) || s.st_uid != 0) |
1250 | fprintf(stderr, "Error: chroot /tmp should be a directory owned by root\n"); | 1254 | goto error3; |
1251 | exit(1); | ||
1252 | } | ||
1253 | close(fd); | 1255 | close(fd); |
1254 | 1256 | ||
1255 | // check /etc | 1257 | // check /etc |
1256 | fd = openat(parentfd, "etc", O_PATH|O_CLOEXEC); | 1258 | dir = "etc"; |
1259 | fd = openat(parentfd, dir, O_PATH|O_CLOEXEC); | ||
1257 | if (fd == -1) { | 1260 | if (fd == -1) { |
1258 | fprintf(stderr, "Error: cannot open /etc in chroot directory\n"); | 1261 | if (errno == ENOENT) |
1259 | exit(1); | 1262 | goto error1; |
1263 | else | ||
1264 | goto error2; | ||
1260 | } | 1265 | } |
1261 | if (fstat(fd, &s) == -1) | 1266 | if (fstat(fd, &s) == -1) |
1262 | errExit("fstat"); | 1267 | errExit("fstat"); |
1263 | if (!S_ISDIR(s.st_mode) || s.st_uid != 0) { | 1268 | if (!S_ISDIR(s.st_mode) || s.st_uid != 0) |
1264 | fprintf(stderr, "Error: chroot /etc should be a directory owned by root\n"); | 1269 | goto error3; |
1265 | exit(1); | ||
1266 | } | ||
1267 | if (((S_IWGRP|S_IWOTH) & s.st_mode) != 0) { | 1270 | if (((S_IWGRP|S_IWOTH) & s.st_mode) != 0) { |
1268 | fprintf(stderr, "Error: only root user should be given write permission on chroot /etc\n"); | 1271 | fprintf(stderr, "Error: only root user should be given write permission on chroot /etc\n"); |
1269 | exit(1); | 1272 | exit(1); |
@@ -1300,21 +1303,34 @@ void fs_check_chroot_dir(const char *rootdir) { | |||
1300 | 1303 | ||
1301 | // check x11 socket directory | 1304 | // check x11 socket directory |
1302 | if (getenv("FIREJAIL_X11")) { | 1305 | if (getenv("FIREJAIL_X11")) { |
1303 | fd = openat(parentfd, "tmp/.X11-unix", O_PATH|O_CLOEXEC); | 1306 | dir = "tmp/.X11-unix"; |
1307 | fd = openat(parentfd, dir, O_PATH|O_CLOEXEC); | ||
1304 | if (fd == -1) { | 1308 | if (fd == -1) { |
1305 | fprintf(stderr, "Error: cannot open /tmp/.X11-unix in chroot directory\n"); | 1309 | if (errno == ENOENT) |
1306 | exit(1); | 1310 | goto error1; |
1311 | else | ||
1312 | goto error2; | ||
1307 | } | 1313 | } |
1308 | if (fstat(fd, &s) == -1) | 1314 | if (fstat(fd, &s) == -1) |
1309 | errExit("fstat"); | 1315 | errExit("fstat"); |
1310 | if (!S_ISDIR(s.st_mode) || s.st_uid != 0) { | 1316 | if (!S_ISDIR(s.st_mode) || s.st_uid != 0) |
1311 | fprintf(stderr, "Error: chroot /tmp/.X11-unix should be a directory owned by root\n"); | 1317 | goto error3; |
1312 | exit(1); | ||
1313 | } | ||
1314 | close(fd); | 1318 | close(fd); |
1315 | } | 1319 | } |
1316 | 1320 | ||
1317 | close(parentfd); | 1321 | close(parentfd); |
1322 | return; | ||
1323 | |||
1324 | error1: | ||
1325 | fprintf(stderr, "Error: cannot find /%s in chroot directory\n", dir); | ||
1326 | exit(1); | ||
1327 | error2: | ||
1328 | perror("open"); | ||
1329 | fprintf(stderr, "Error: cannot open /%s in chroot directory\n", dir); | ||
1330 | exit(1); | ||
1331 | error3: | ||
1332 | fprintf(stderr, "Error: chroot /%s should be a directory owned by root\n", dir); | ||
1333 | exit(1); | ||
1318 | } | 1334 | } |
1319 | 1335 | ||
1320 | // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf | 1336 | // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf |
@@ -1379,6 +1395,16 @@ void fs_chroot(const char *rootdir) { | |||
1379 | ASSERT_PERMS(rundir, 0, 0, 0755); | 1395 | ASSERT_PERMS(rundir, 0, 0, 0755); |
1380 | free(rundir); | 1396 | free(rundir); |
1381 | 1397 | ||
1398 | // create /run/firejail/lib directory in chroot and mount it | ||
1399 | if (asprintf(&rundir, "%s%s", rootdir, RUN_FIREJAIL_LIB_DIR) == -1) | ||
1400 | errExit("asprintf"); | ||
1401 | if (mkdir(rundir, 0755) == -1 && errno != EEXIST) | ||
1402 | errExit("mkdir"); | ||
1403 | ASSERT_PERMS(rundir, 0, 0, 0755); | ||
1404 | if (mount(RUN_FIREJAIL_LIB_DIR, rundir, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
1405 | errExit("mount bind"); | ||
1406 | free(rundir); | ||
1407 | |||
1382 | // create /run/firejail/mnt directory in chroot and mount the current one | 1408 | // create /run/firejail/mnt directory in chroot and mount the current one |
1383 | if (asprintf(&rundir, "%s%s", rootdir, RUN_MNT_DIR) == -1) | 1409 | if (asprintf(&rundir, "%s%s", rootdir, RUN_MNT_DIR) == -1) |
1384 | errExit("asprintf"); | 1410 | errExit("asprintf"); |
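Review bot: The new bind mount of `RUN_FIREJAIL_LIB_DIR` into the chroot in `fs_chroot` uses `MS_BIND|MS_REC` only, and nothing in this hunk makes the mount read-only on the chroot side. This directory is where the sandbox-side helper paths in firejail.h and the preload prefix in fs_trace.c now point, so its contents should not be modifiable from inside the chroot. If the source mount is not already read-only (not visible here), follow the bind with `if (mount(NULL, rundir, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) errExit("remount");` before `free(rundir)`. Otherwise add a comment naming where the read-only remount happens. `fs_chroot` starts and ends outside the hunk.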
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 42c67452c..10232fa6e 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -355,7 +355,7 @@ void fs_check_private_dir(void) { | |||
355 | invalid_filename(cfg.home_private, 0); // no globbing | 355 | invalid_filename(cfg.home_private, 0); // no globbing |
356 | 356 | ||
357 | // Expand the home directory | 357 | // Expand the home directory |
358 | char *tmp = expand_home(cfg.home_private, cfg.homedir); | 358 | char *tmp = expand_macros(cfg.home_private); |
359 | cfg.home_private = realpath(tmp, NULL); | 359 | cfg.home_private = realpath(tmp, NULL); |
360 | free(tmp); | 360 | free(tmp); |
361 | 361 | ||
@@ -378,7 +378,7 @@ static char *check_dir_or_file(const char *name) { | |||
378 | printf("Private home: checking %s\n", name); | 378 | printf("Private home: checking %s\n", name); |
379 | 379 | ||
380 | // expand home directory | 380 | // expand home directory |
381 | char *fname = expand_home(name, cfg.homedir); | 381 | char *fname = expand_macros(name); |
382 | assert(fname); | 382 | assert(fname); |
383 | 383 | ||
384 | // If it doesn't start with '/', it must be relative to homedir | 384 | // If it doesn't start with '/', it must be relative to homedir |
@@ -393,6 +393,8 @@ static char *check_dir_or_file(const char *name) { | |||
393 | // we allow only files in user home directory or symbolic links to files or directories owned by the user | 393 | // we allow only files in user home directory or symbolic links to files or directories owned by the user |
394 | struct stat s; | 394 | struct stat s; |
395 | if (lstat(fname, &s) == 0 && S_ISLNK(s.st_mode)) { | 395 | if (lstat(fname, &s) == 0 && S_ISLNK(s.st_mode)) { |
396 | if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0 || fname[strlen(cfg.homedir)] != '/') | ||
397 | goto errexit; | ||
396 | if (stat(fname, &s) == 0) { | 398 | if (stat(fname, &s) == 0) { |
397 | if (s.st_uid != getuid()) { | 399 | if (s.st_uid != getuid()) { |
398 | fprintf(stderr, "Error: symbolic link %s to file or directory not owned by the user\n", fname); | 400 | fprintf(stderr, "Error: symbolic link %s to file or directory not owned by the user\n", fname); |
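Review bot: The added home-directory test in `check_dir_or_file` compares the unresolved `fname` string against `cfg.homedir`, so it constrains where the link's name appears to live rather than where its parent directory really is. Whether earlier code already rejects `..` components is not visible in this hunk. If it does, say so in a comment such as `// fname has no ".." components here, so a prefix match is sufficient`; if it does not, the comparison should be made on a canonicalised parent path. The condition also calls `strlen(cfg.homedir)` twice, where a local `size_t len` would match the cached length that fs_whitelist.c introduces in this commit. The function body and the `errexit` label continue outside the hunk.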
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c index 1884f6597..1fbb073f4 100644 --- a/src/firejail/fs_hostname.c +++ b/src/firejail/fs_hostname.c | |||
@@ -189,7 +189,7 @@ void fs_resolvconf(void) { | |||
189 | char *fs_check_hosts_file(const char *fname) { | 189 | char *fs_check_hosts_file(const char *fname) { |
190 | assert(fname); | 190 | assert(fname); |
191 | invalid_filename(fname, 0); // no globbing | 191 | invalid_filename(fname, 0); // no globbing |
192 | char *rv = expand_home(fname, cfg.homedir); | 192 | char *rv = expand_macros(fname); |
193 | 193 | ||
194 | // no a link | 194 | // no a link |
195 | if (is_link(rv)) | 195 | if (is_link(rv)) |
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c index ea5edfabe..2c21e5dc7 100644 --- a/src/firejail/fs_lib2.c +++ b/src/firejail/fs_lib2.c | |||
@@ -38,6 +38,7 @@ typedef struct liblist_t { | |||
38 | 38 | ||
39 | static LibList libc_list[] = { | 39 | static LibList libc_list[] = { |
40 | { "libselinux.so.", 0 }, | 40 | { "libselinux.so.", 0 }, |
41 | { "libapparmor.so.", 0}, | ||
41 | { "ld-linux-x86-64.so.", 0 }, | 42 | { "ld-linux-x86-64.so.", 0 }, |
42 | { "libanl.so.", 0 }, | 43 | { "libanl.so.", 0 }, |
43 | { "libc.so.", 0 }, | 44 | { "libc.so.", 0 }, |
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c index b66068a95..913f7502d 100644 --- a/src/firejail/fs_mkdir.c +++ b/src/firejail/fs_mkdir.c | |||
@@ -60,7 +60,7 @@ void fs_mkdir(const char *name) { | |||
60 | 60 | ||
61 | // check directory name | 61 | // check directory name |
62 | invalid_filename(name, 0); // no globbing | 62 | invalid_filename(name, 0); // no globbing |
63 | char *expanded = expand_home(name, cfg.homedir); | 63 | char *expanded = expand_macros(name); |
64 | if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0 && | 64 | if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0 && |
65 | strncmp(expanded, "/tmp", 4) != 0) { | 65 | strncmp(expanded, "/tmp", 4) != 0) { |
66 | fprintf(stderr, "Error: only directories in user home or /tmp are supported by mkdir\n"); | 66 | fprintf(stderr, "Error: only directories in user home or /tmp are supported by mkdir\n"); |
@@ -100,7 +100,7 @@ void fs_mkfile(const char *name) { | |||
100 | 100 | ||
101 | // check file name | 101 | // check file name |
102 | invalid_filename(name, 0); // no globbing | 102 | invalid_filename(name, 0); // no globbing |
103 | char *expanded = expand_home(name, cfg.homedir); | 103 | char *expanded = expand_macros(name); |
104 | if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0 && | 104 | if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0 && |
105 | strncmp(expanded, "/tmp", 4) != 0) { | 105 | strncmp(expanded, "/tmp", 4) != 0) { |
106 | fprintf(stderr, "Error: only files in user home or /tmp are supported by mkfile\n"); | 106 | fprintf(stderr, "Error: only files in user home or /tmp are supported by mkfile\n"); |
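Review bot: The location check kept around the renamed call in `fs_mkdir` is a bare prefix match, so it accepts any path that merely begins with the home directory string or with `/tmp`, such as a sibling directory with a longer name or `/tmpX`. Other checks touched by this commit also require a separator after the prefix (`fname[strlen(cfg.homedir)] != '/'` in fs_home.c), and the same is needed here: `strncmp(expanded, "/tmp/", 5) != 0` for the second test, plus an `expanded[strlen(cfg.homedir)] != '/'` test on the home branch. `fs_mkfile` in the second hunk repeats the identical condition and needs the same change. Both function bodies continue outside their hunks, so any later validation is not visible here.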
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c index 38ab7e2f8..235e09291 100644 --- a/src/firejail/fs_trace.c +++ b/src/firejail/fs_trace.c | |||
@@ -51,7 +51,7 @@ void fs_trace(void) { | |||
51 | FILE *fp = fopen(RUN_LDPRELOAD_FILE, "w"); | 51 | FILE *fp = fopen(RUN_LDPRELOAD_FILE, "w"); |
52 | if (!fp) | 52 | if (!fp) |
53 | errExit("fopen"); | 53 | errExit("fopen"); |
54 | const char *prefix = LIBDIR "/firejail"; | 54 | const char *prefix = RUN_FIREJAIL_LIB_DIR; |
55 | 55 | ||
56 | if (arg_trace) { | 56 | if (arg_trace) { |
57 | fprintf(fp, "%s/libtrace.so\n", prefix); | 57 | fprintf(fp, "%s/libtrace.so\n", prefix); |
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 454715a71..1092268f9 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -34,6 +34,7 @@ | |||
34 | 34 | ||
35 | #define EMPTY_STRING ("") | 35 | #define EMPTY_STRING ("") |
36 | #define MAXBUF 4098 | 36 | #define MAXBUF 4098 |
37 | static size_t homedir_len; // cache length of homedir string | ||
37 | 38 | ||
38 | 39 | ||
39 | static int mkpath(const char* path, mode_t mode) { | 40 | static int mkpath(const char* path, mode_t mode) { |
@@ -42,7 +43,7 @@ static int mkpath(const char* path, mode_t mode) { | |||
42 | 43 | ||
43 | // create directories with uid/gid as root or as current user if inside home directory | 44 | // create directories with uid/gid as root or as current user if inside home directory |
44 | int userhome = 0; | 45 | int userhome = 0; |
45 | if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) { | 46 | if (strncmp(path, cfg.homedir, homedir_len) == 0) { |
46 | EUID_USER(); | 47 | EUID_USER(); |
47 | userhome = 1; | 48 | userhome = 1; |
48 | } | 49 | } |
@@ -123,12 +124,12 @@ static void whitelist_path(ProfileEntry *entry) { | |||
123 | char *wfile = NULL; | 124 | char *wfile = NULL; |
124 | 125 | ||
125 | if (entry->home_dir) { | 126 | if (entry->home_dir) { |
126 | if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) != 0 || path[strlen(cfg.homedir)] != '/') | 127 | if (strncmp(path, cfg.homedir, homedir_len) != 0 || path[homedir_len] != '/') |
127 | // either symlink pointing outside home directory | 128 | // either symlink pointing outside home directory |
128 | // or entire home directory, skip the mount | 129 | // or entire home directory, skip the mount |
129 | return; | 130 | return; |
130 | 131 | ||
131 | fname = path + strlen(cfg.homedir) + 1; // strlen("/home/user/") | 132 | fname = path + homedir_len + 1; // strlen("/home/user/") |
132 | 133 | ||
133 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_HOME_USER_DIR, fname) == -1) | 134 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_HOME_USER_DIR, fname) == -1) |
134 | errExit("asprintf"); | 135 | errExit("asprintf"); |
@@ -331,6 +332,7 @@ void fs_whitelist(void) { | |||
331 | if (!entry) | 332 | if (!entry) |
332 | return; | 333 | return; |
333 | 334 | ||
335 | homedir_len = strlen(cfg.homedir); | ||
334 | char *new_name = NULL; | 336 | char *new_name = NULL; |
335 | int home_dir = 0; // /home/user directory flag | 337 | int home_dir = 0; // /home/user directory flag |
336 | int tmp_dir = 0; // /tmp directory flag | 338 | int tmp_dir = 0; // /tmp directory flag |
@@ -368,7 +370,7 @@ void fs_whitelist(void) { | |||
368 | char *dataptr = (nowhitelist_flag)? entry->data + 12: entry->data + 10; | 370 | char *dataptr = (nowhitelist_flag)? entry->data + 12: entry->data + 10; |
369 | 371 | ||
370 | // replace ~/ or ${HOME} into /home/username or resolve macro | 372 | // replace ~/ or ${HOME} into /home/username or resolve macro |
371 | new_name = expand_home(dataptr, cfg.homedir); | 373 | new_name = expand_macros(dataptr); |
372 | assert(new_name); | 374 | assert(new_name); |
373 | 375 | ||
374 | // mount empty home directory if resolving the macro was not successful | 376 | // mount empty home directory if resolving the macro was not successful |
@@ -430,7 +432,7 @@ void fs_whitelist(void) { | |||
430 | 432 | ||
431 | // if 1 the file was not found; mount an empty directory | 433 | // if 1 the file was not found; mount an empty directory |
432 | if (!nowhitelist_flag) { | 434 | if (!nowhitelist_flag) { |
433 | if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0 && new_name[strlen(cfg.homedir)] == '/') { | 435 | if (strncmp(new_name, cfg.homedir, homedir_len) == 0 && new_name[homedir_len] == '/') { |
434 | if(!arg_private) | 436 | if(!arg_private) |
435 | home_dir = 1; | 437 | home_dir = 1; |
436 | } | 438 | } |
@@ -483,7 +485,7 @@ void fs_whitelist(void) { | |||
483 | } | 485 | } |
484 | 486 | ||
485 | // check for supported directories | 487 | // check for supported directories |
486 | if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0 && new_name[strlen(cfg.homedir)] == '/') { | 488 | if (strncmp(new_name, cfg.homedir, homedir_len) == 0 && new_name[homedir_len] == '/') { |
487 | // whitelisting home directory is disabled if --private option is present | 489 | // whitelisting home directory is disabled if --private option is present |
488 | if (arg_private) { | 490 | if (arg_private) { |
489 | if (arg_debug || arg_debug_whitelists) | 491 | if (arg_debug || arg_debug_whitelists) |
@@ -504,7 +506,7 @@ void fs_whitelist(void) { | |||
504 | 506 | ||
505 | // both path and absolute path are in user home, | 507 | // both path and absolute path are in user home, |
506 | // if not check if the symlink destination is owned by the user | 508 | // if not check if the symlink destination is owned by the user |
507 | if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0 || fname[strlen(cfg.homedir)] != '/') { | 509 | if (strncmp(fname, cfg.homedir, homedir_len) != 0 || fname[homedir_len] != '/') { |
508 | if (checkcfg(CFG_FOLLOW_SYMLINK_AS_USER)) { | 510 | if (checkcfg(CFG_FOLLOW_SYMLINK_AS_USER)) { |
509 | if (stat(fname, &s) == 0 && s.st_uid != getuid()) { | 511 | if (stat(fname, &s) == 0 && s.st_uid != getuid()) { |
510 | free(fname); | 512 | free(fname); |
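Review bot: `homedir_len` is a file-scope static that is assigned only at the top of `fs_whitelist()`, while `mkpath` and `whitelist_path` read it. While it is still 0, `strncmp(path, cfg.homedir, homedir_len)` compares nothing and reports a match, so `mkpath` would treat every path as lying inside the home directory. The helpers are static and are presumably reached only from `fs_whitelist()`, but that ordering should be stated at the declaration, e.g. `// set at the top of fs_whitelist(); helpers must not run before that`. An `assert(homedir_len);` at the start of `mkpath` would make the assumption checkable. The hunks show only parts of these functions.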
diff --git a/src/firejail/join.c b/src/firejail/join.c index c2b207c52..c849b200c 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -436,8 +436,18 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
436 | // it will never get here!!! | 436 | // it will never get here!!! |
437 | } | 437 | } |
438 | 438 | ||
439 | int status = 0; | ||
439 | // wait for the child to finish | 440 | // wait for the child to finish |
440 | waitpid(child, NULL, 0); | 441 | waitpid(child, &status, 0); |
441 | flush_stdin(); | 442 | flush_stdin(); |
442 | exit(0); | 443 | |
444 | if (WIFEXITED(status)) { | ||
445 | status = WEXITSTATUS(status); | ||
446 | } else if (WIFSIGNALED(status)) { | ||
447 | status = WTERMSIG(status); | ||
448 | } else { | ||
449 | status = 0; | ||
450 | } | ||
451 | |||
452 | exit(status); | ||
443 | } | 453 | } |
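Review bot: In the `WIFSIGNALED` branch the exit status is set to the bare signal number, so a child killed by signal 9 cannot be told apart from a child that called `exit(9)`. The usual shell convention avoids the collision: `status = 128 + WTERMSIG(status);`. The return value of `waitpid(child, &status, 0)` is also unchecked, so if the call fails `status` keeps its initial 0 and `join` reports success. The start of `join` is outside the hunk.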
diff --git a/src/firejail/macros.c b/src/firejail/macros.c index 4bf3d3589..59b5db3d8 100644 --- a/src/firejail/macros.c +++ b/src/firejail/macros.c | |||
@@ -192,9 +192,8 @@ char *resolve_macro(const char *name) { | |||
192 | // directory (supplied). | 192 | // directory (supplied). |
193 | // The return value is allocated using malloc and must be freed by the caller. | 193 | // The return value is allocated using malloc and must be freed by the caller. |
194 | // The function returns NULL if there are any errors. | 194 | // The function returns NULL if there are any errors. |
195 | char *expand_home(const char *path, const char *homedir) { | 195 | char *expand_macros(const char *path) { |
196 | assert(path); | 196 | assert(path); |
197 | assert(homedir); | ||
198 | 197 | ||
199 | int called_as_root = 0; | 198 | int called_as_root = 0; |
200 | 199 | ||
@@ -210,14 +209,14 @@ char *expand_home(const char *path, const char *homedir) { | |||
210 | // Replace home macro | 209 | // Replace home macro |
211 | char *new_name = NULL; | 210 | char *new_name = NULL; |
212 | if (strncmp(path, "${HOME}", 7) == 0) { | 211 | if (strncmp(path, "${HOME}", 7) == 0) { |
213 | if (asprintf(&new_name, "%s%s", homedir, path + 7) == -1) | 212 | if (asprintf(&new_name, "%s%s", cfg.homedir, path + 7) == -1) |
214 | errExit("asprintf"); | 213 | errExit("asprintf"); |
215 | if(called_as_root) | 214 | if(called_as_root) |
216 | EUID_ROOT(); | 215 | EUID_ROOT(); |
217 | return new_name; | 216 | return new_name; |
218 | } | 217 | } |
219 | else if (*path == '~') { | 218 | else if (*path == '~') { |
220 | if (asprintf(&new_name, "%s%s", homedir, path + 1) == -1) | 219 | if (asprintf(&new_name, "%s%s", cfg.homedir, path + 1) == -1) |
221 | errExit("asprintf"); | 220 | errExit("asprintf"); |
222 | if(called_as_root) | 221 | if(called_as_root) |
223 | EUID_ROOT(); | 222 | EUID_ROOT(); |
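Review bot: The comment above `expand_macros` still ends with "directory (supplied)", although the `homedir` parameter and its `assert(homedir)` are removed and the function now reads `cfg.homedir` directly. The comment should describe the new contract, for instance `// Replaces ${HOME} or a leading ~ with cfg.homedir, which must be set before the first call.` The same comment documents a NULL return on error, while callers changed in this commit (fs_mkdir.c, fs_hostname.c) pass the result straight to `strncmp` or `is_link`. If NULL can really be returned on a path not shown here, those callers need a check; if it cannot, the sentence should be dropped. The first lines of the comment and the rest of the function are outside the hunks.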
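--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -456,7 +456,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 #ifdef HAVE_SECCOMP
 else if (strcmp(argv[i], "--debug-syscalls") == 0) {
 if (checkcfg(CFG_SECCOMP)) {
-int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-syscalls");
+int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP_MAIN, "debug-syscalls");
 exit(rv);
 }
 else
@@ -464,7 +464,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 }
 else if (strcmp(argv[i], "--debug-errnos") == 0) {
 if (checkcfg(CFG_SECCOMP)) {
-int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-errnos");
+int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP_MAIN, "debug-errnos");
 exit(rv);
 }
 else
@@ -482,7 +482,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 exit(0);
 }
 else if (strcmp(argv[i], "--debug-protocols") == 0) {
-int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-protocols");
+int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP_MAIN, "debug-protocols");
 exit(rv);
 }
 else if (strncmp(argv[i], "--protocol.print=", 17) == 0) {
@@ -868,6 +868,7 @@ int main(int argc, char **argv) {
 
 // check if the user is allowed to use firejail
 init_cfg(argc, argv);
+assert(cfg.homedir);
 
 // get starting timestamp, process --quiet
 start_timestamp = getticks();
@@ -1480,12 +1481,37 @@ int main(int argc, char **argv) {
 exit(1);
 }
 
-char *ppath = expand_home(argv[i] + 10, cfg.homedir);
+char *ppath = expand_macros(argv[i] + 10);
 if (!ppath)
 errExit("strdup");
 
-profile_read(ppath);
-custom_profile = 1;
+if (access(ppath, R_OK)) {
+char *ptr = ppath;
+while (*ptr != '/' && *ptr != '.' && *ptr != '\0')
+ptr++;
+// profile path contains no / or . chars,
+// assume its a profile name
+if (*ptr != '\0') {
+fprintf(stderr, "Error: inaccessible profile file: %s\n", ppath);
+exit(1);
+}
+
+// profile was not read in previously, try to see if
+// we were given a profile name.
+if (!profile_find_firejail(ppath, 1)) {
+// do not fall through to default profile,
+// because the user should be notified that
+// given profile arg could not be used.
+fprintf(stderr, "Error: no profile with name \"%s\" found.\n", ppath);
+exit(1);
+}
+else
+custom_profile = 1;
+}
+else {
+profile_read(ppath);
+custom_profile = 1;
+}
 free(ppath);
 }
 else if (strcmp(argv[i], "--noprofile") == 0) {
@@ -2326,21 +2352,8 @@ int main(int argc, char **argv) {
 
 
 // load the profile
-if (!arg_noprofile) {
-if (!custom_profile) {
-// look for a profile in ~/.config/firejail directory
-char *usercfgdir;
-if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1)
-errExit("asprintf");
-int rv = profile_find(cfg.command_name, usercfgdir);
-free(usercfgdir);
-custom_profile = rv;
-}
-if (!custom_profile) {
-// look for a user profile in /etc/firejail directory
-int rv = profile_find(cfg.command_name, SYSCONFDIR);
-custom_profile = rv;
-}
+if (!arg_noprofile && !custom_profile) {
+custom_profile = profile_find_firejail(cfg.command_name, 1);
 }
 
 // use default.profile as the default
@@ -2351,16 +2364,7 @@ int main(int argc, char **argv) {
 if (arg_debug)
 printf("Attempting to find %s.profile...\n", profile_name);
 
-// look for the profile in ~/.config/firejail directory
-char *usercfgdir;
-if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1)
-errExit("asprintf");
-custom_profile = profile_find(profile_name, usercfgdir);
-free(usercfgdir);
-
-if (!custom_profile)
-// look for the profile in /etc/firejail directory
-custom_profile = profile_find(profile_name, SYSCONFDIR);
+custom_profile = profile_find_firejail(profile_name, 1);
 
 if (!custom_profile) {
 fprintf(stderr, "Error: no default.profile installed\n");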
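Review bot: In the `--profile=` branch (hunk at new line 1484), `access(ppath, R_OK)` is tested before the name lookup, so a readable file in the current working directory called, say, `firefox` is loaded as the sandbox policy in place of the installed `firefox.profile`. Because the working directory can hold files the user did not author, it would be safer to resolve slash-free arguments by name first, e.g. `if (!strchr(ppath, '/') && profile_find_firejail(ppath, 1)) custom_profile = 1;` followed by `else if (access(ppath, R_OK)) {`, keeping `./name` as the explicit spelling for a local file. If the current precedence is intended, a comment saying so next to the `access()` call would prevent surprises. main() begins and ends outside these hunks.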
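--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
@@ -157,7 +157,7 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child) {
 char *cstr;
 if (asprintf(&cstr, "%d", child) == -1)
 errExit("asprintf");
-sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 7, PATH_FNET, "create", "veth", dev, ifname, br->dev, cstr);
+sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 7, PATH_FNET_MAIN, "create", "veth", dev, ifname, br->dev, cstr);
 free(cstr);
 
 char *msg;
@@ -332,42 +332,42 @@ void network_main(pid_t child) {
 net_configure_veth_pair(&cfg.bridge0, "eth0", child);
 }
 else
-sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge0.devsandbox, cfg.bridge0.dev, cstr);
+sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET_MAIN, "create", "macvlan", cfg.bridge0.devsandbox, cfg.bridge0.dev, cstr);
 }
 
 if (cfg.bridge1.configured) {
 if (cfg.bridge1.macvlan == 0)
 net_configure_veth_pair(&cfg.bridge1, "eth1", child);
 else
-sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge1.devsandbox, cfg.bridge1.dev, cstr);
+sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET_MAIN, "create", "macvlan", cfg.bridge1.devsandbox, cfg.bridge1.dev, cstr);
 }
 
 if (cfg.bridge2.configured) {
 if (cfg.bridge2.macvlan == 0)
 net_configure_veth_pair(&cfg.bridge2, "eth2", child);
 else
-sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge2.devsandbox, cfg.bridge2.dev, cstr);
+sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET_MAIN, "create", "macvlan", cfg.bridge2.devsandbox, cfg.bridge2.dev, cstr);
 }
 
 if (cfg.bridge3.configured) {
 if (cfg.bridge3.macvlan == 0)
 net_configure_veth_pair(&cfg.bridge3, "eth3", child);
 else
-sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge3.devsandbox, cfg.bridge3.dev, cstr);
+sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET_MAIN, "create", "macvlan", cfg.bridge3.devsandbox, cfg.bridge3.dev, cstr);
 }
 
 // move interfaces in sandbox
 if (cfg.interface0.configured) {
-sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface0.dev, cstr);
+sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET_MAIN, "moveif", cfg.interface0.dev, cstr);
 }
 if (cfg.interface1.configured) {
-sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface1.dev, cstr);
+sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET_MAIN, "moveif", cfg.interface1.dev, cstr);
 }
 if (cfg.interface2.configured) {
-sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface2.dev, cstr);
+sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET_MAIN, "moveif", cfg.interface2.dev, cstr);
 }
 if (cfg.interface3.configured) {
-sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface3.dev, cstr);
+sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET_MAIN, "moveif", cfg.interface3.dev, cstr);
 }
 
 free(cstr);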
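--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -62,6 +62,10 @@ void preproc_build_firejail_dir(void) {
 create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755);
 }
 
+if (stat(RUN_FIREJAIL_LIB_DIR, &s)) {
+create_empty_dir_as_root(RUN_FIREJAIL_LIB_DIR, 0755);
+}
+
 if (stat(RUN_MNT_DIR, &s)) {
 create_empty_dir_as_root(RUN_MNT_DIR, 0755);
 }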
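--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -25,26 +25,29 @@ extern char *xephyr_screen;
 #define MAX_READ 8192 // line buffer for profile files
 
 // find and read the profile specified by name from dir directory
-int profile_find(const char *name, const char *dir) {
+int profile_find(const char *name, const char *dir, int add_ext) {
 EUID_ASSERT();
 assert(name);
 assert(dir);
 
 int rv = 0;
 DIR *dp;
-char *pname;
-if (asprintf(&pname, "%s.profile", name) == -1)
-errExit("asprintf");
+char *pname = NULL;
+if (add_ext)
+if (asprintf(&pname, "%s.profile", name) == -1)
+errExit("asprintf");
+else
+name = pname;
 
 dp = opendir (dir);
 if (dp != NULL) {
 struct dirent *ep;
 while ((ep = readdir(dp)) != NULL) {
-if (strcmp(ep->d_name, pname) == 0) {
+if (strcmp(ep->d_name, name) == 0) {
 if (arg_debug)
 printf("Found %s profile in %s directory\n", name, dir);
 char *etcpname;
-if (asprintf(&etcpname, "%s/%s", dir, pname) == -1)
+if (asprintf(&etcpname, "%s/%s", dir, name) == -1)
 errExit("asprintf");
 profile_read(etcpname);
 free(etcpname);
@@ -55,10 +58,26 @@ int profile_find(const char *name, const char *dir) {
 (void) closedir (dp);
 }
 
-free(pname);
+if (pname)
+free(pname);
 return rv;
 }
 
+// search and read the profile specified by name from firejail directories
+int profile_find_firejail(const char *name, int add_ext) {
+// look for a profile in ~/.config/firejail directory
+char *usercfgdir;
+if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1)
+errExit("asprintf");
+int rv = profile_find(name, usercfgdir, add_ext);
+free(usercfgdir);
+
+if (!rv)
+// look for a user profile in /etc/firejail directory
+rv = profile_find(name, SYSCONFDIR, add_ext);
+
+return rv;
+}
 
 //***************************************************
 // run-time profiles
@@ -113,12 +132,99 @@ void profile_add_ignore(const char *str) {
 }
 
 
+int profile_check_conditional(char *ptr, int lineno, const char *fname) {
+struct cond_t {
+char *name; // conditional name
+size_t len; // length of name
+bool value; // true if set
+} conditionals[] = {
+{"HAS_APPIMAGE", strlen("HAS_APPIMAGE"), arg_appimage!=0},
+NULL
+}, *cond = conditionals;
+char *tmp = ptr, *msg = NULL;
+
+if (*ptr++ != '?')
+return 1;
+
+while (cond->name) {
+// continue if not this conditional
+if (strncmp(ptr, cond->name, cond->len) != 0) {
+cond++;
+continue;
+}
+ptr += cond->len;
+
+if (*ptr == ' ')
+ptr++;
+if (*ptr++ != ':') {
+msg = "invalid syntax: colon must come after conditional";
+ptr = tmp;
+goto error;
+}
+if (*ptr == '\0') {
+msg = "invalid conditional line: no profile line after conditional";
+ptr = tmp;
+goto error;
+}
+if (*ptr == ' ')
+ptr++;
+
+// if set, continue processing statement in caller
+if (cond->value) {
+// move ptr to start of profile line
+ptr = strdup(ptr);
+if (!ptr)
+errExit("strdup");
+
+// check that the profile line does not contain either
+// quiet or include directives
+if ((strncmp(ptr, "quiet", 5) == 0) ||
+(strncmp(ptr, "include", 7) == 0)) {
+msg = "invalid profile line: quiet and include not allowed in conditionals";
+ptr = tmp;
+goto error;
+}
+free(tmp);
+
+// verify syntax, exit in case of error
+if (profile_check_line(ptr, lineno, fname))
+profile_add(ptr);
+}
+// tell caller to ignore
+return 0;
+}
+
+tmp = ptr;
+// get the conditional used
+while (*tmp != ':' && *tmp != '\0')
+tmp++;
+*tmp = '\0';
+
+// this was a '?' prefix, but didn't match any of the conditionals
+msg = "invalid/unsupported conditional";
+
+error:
+fprintf(stderr, "Error: %s (\"%s\"", msg, ptr);
+if (lineno == 0) ;
+else if (fname != NULL)
+fprintf(stderr, " on line %d in %s", lineno, fname);
+else
+fprintf(stderr, " on line %d in the custom profile", lineno);
+fprintf(stderr, ")\n");
+exit(1);
+}
+
+
 // check profile line; if line == 0, this was generated from a command line option
 // return 1 if the command is to be added to the linked list of profile commands
 // return 0 if the command was already executed inside the function
 int profile_check_line(char *ptr, int lineno, const char *fname) {
 EUID_ASSERT();
 
+// check and process conditional profile lines
+if (profile_check_conditional(ptr, lineno, fname) == 0)
+return 0;
+
 // check ignore list
 if (is_in_ignore_list(ptr))
 return 0;
@@ -1261,7 +1367,7 @@ void profile_read(const char *fname) {
 if (ptr && strlen(ptr) == 6)
 return;
 
-fprintf(stderr, "Error: cannot access profile file\n");
+fprintf(stderr, "Error: cannot access profile file: %s\n", fname);
 exit(1);
 }
 
@@ -1323,17 +1429,22 @@ void profile_read(const char *fname) {
 if (strncmp(ptr, "include ", 8) == 0) {
 include_level++;
 
-// extract profile filename and new skip params
-char *newprofile = ptr + 8; // profile name
+// expand macros in front of the include profile file
+char *newprofile = expand_macros(ptr + 8);
 
-// expand ${HOME}/ in front of the new profile file
-char *newprofile2 = expand_home(newprofile, cfg.homedir);
+char *ptr2 = newprofile;
+while (*ptr2 != '/' && *ptr2 != '\0')
+ptr2++;
+// profile path contains no / chars, do a search
+if (*ptr2 == '\0') {
+profile_find_firejail(newprofile, 0);
+}
+else {
+profile_read(newprofile);
+}
 
-// recursivity
-profile_read((newprofile2)? newprofile2:newprofile);
 include_level--;
-if (newprofile2)
-free(newprofile2);
+free(newprofile);
 free(ptr);
 continue;
 }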
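Review bot: In the `include` branch of profile_read() (last hunk), the result of `profile_find_firejail(newprofile, 0)` is discarded, so a slash-free include that exists in neither ~/.config/firejail nor /etc/firejail is skipped without any message, whereas the old `profile_read()` call ended in "cannot access profile file". A mistyped or missing include of a hardening file would then leave the sandbox running with fewer restrictions than the profile author intended. Check the return value and fail unless the name is one of the optional files profile_read() already tolerates (that exemption sits above the `-1261` hunk and is only partly visible), e.g. `if (!profile_find_firejail(newprofile, 0) && !optional) { fprintf(stderr, "Error: cannot find include file %s\n", newprofile); exit(1); }`, with `optional` standing for that exemption. The result of `expand_macros()` is also dereferenced here without the NULL check that main.c applies to it. profile_read() starts and ends outside the hunk.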
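--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -530,14 +530,6 @@ static void enforce_filters(void) {
 #ifdef HAVE_SECCOMP
 enforce_seccomp = 1;
 #endif
-if (cfg.seccomp_list_drop) {
-free(cfg.seccomp_list_drop);
-cfg.seccomp_list_drop = NULL;
-}
-if (cfg.seccomp_list_keep) {
-free(cfg.seccomp_list_keep);
-cfg.seccomp_list_keep = NULL;
-}
 
 // disable all capabilities
 if (arg_caps_default_filter || arg_caps_list)
@@ -547,8 +539,7 @@ static void enforce_filters(void) {
 // drop all supplementary groups; /etc/group file inside chroot
 // is controlled by a regular usr
 arg_nogroups = 1;
-fmessage("\n** Warning: dropping all Linux capabilities and enforcing **\n");
-fmessage("** default seccomp filter **\n\n");
+fmessage("\n** Warning: dropping all Linux capabilities **\n");
 }
 
 int sandbox(void* sandbox_arg) {
@@ -587,6 +578,9 @@ int sandbox(void* sandbox_arg) {
 }
 // ... and mount a tmpfs on top of /run/firejail/mnt directory
 preproc_mount_mnt_dir();
+// bind-mount firejail binaries and helper programs
+if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, "none", MS_BIND, NULL) < 0)
+errExit("mounting " RUN_FIREJAIL_LIB_DIR);
 
 //****************************
 // log sandbox data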
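Review bot: The new bind mount in sandbox() (hunk at new line 578) passes `MS_BIND` alone, so `RUN_FIREJAIL_LIB_DIR` inside the sandbox is a writable view of `LIBDIR "/firejail"` carrying whatever mount flags the source filesystem has. A process running as root inside the sandbox could presumably alter the helper programs through it; a follow-up remount closes that: `if (mount(NULL, RUN_FIREJAIL_LIB_DIR, NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_BIND|MS_REMOUNT, NULL) < 0) errExit("remounting " RUN_FIREJAIL_LIB_DIR);`. Separately, enforce_filters() no longer clears `cfg.seccomp_list_drop` and `cfg.seccomp_list_keep` while `enforce_seccomp = 1` is still set, so a comment stating which seccomp list now applies in this mode would help the next reader. sandbox() continues outside the hunk.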
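--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -164,7 +164,7 @@ static char *usage_str =
 " --private-tmp - mount a tmpfs on top of /tmp directory.\n"
 " --private-opt=file,directory - build a new /opt in a temporary filesystem.\n"
 " --private-srv=file,directory - build a new /srv in a temporary filesystem.\n"
-" --profile=filename - use a custom profile.\n"
+" --profile=filename|profile_name - use a custom profile.\n"
 " --profile.print=name|pid - print the name of profile file.\n"
 " --profile-path=directory - use this directory to look for profile files.\n"
 " --protocol=protocol,protocol,protocol - enable protocol filter.\n"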
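--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -471,11 +471,13 @@ void trim_trailing_slash_or_dot(char *path) {
 char *line_remove_spaces(const char *buf) {
 EUID_ASSERT();
 assert(buf);
-if (strlen(buf) == 0)
+size_t len = strlen(buf);
+if (len == 0)
 return NULL;
+assert(len + 1 != 0 && buf[len] == '\0');
 
 // allocate memory for the new string
-char *rv = malloc(strlen(buf) + 1);
+char *rv = malloc(len + 1);
 if (rv == NULL)
 errExit("malloc");
 
@@ -539,12 +541,14 @@ char *split_comma(char *str) {
 char *clean_pathname(const char *path) {
 assert(path);
 size_t len = strlen(path);
-char *rv = calloc(len + 1, 1);
+assert(len + 1 != 0 && path[len] == '\0');
+
+char *rv = malloc(len + 1);
 if (!rv)
-errExit("calloc");
+errExit("malloc");
 
 if (len > 0) {
-int i, j, cnt;
+size_t i, j, cnt;
 for (i = 0, j = 0, cnt = 0; i < len; i++) {
 if (path[i] == '/')
 cnt++;
@@ -556,18 +560,14 @@ char *clean_pathname(const char *path) {
 j++;
 }
 }
+rv[j] = '\0';
 
 // remove a trailing slash
 if (j > 1 && rv[j - 1] == '/')
 rv[j - 1] = '\0';
-
-size_t new_len = strlen(rv);
-if (new_len < len) {
-rv = realloc(rv, new_len + 1);
-if (!rv)
-errExit("realloc");
-}
 }
+else
+*rv = '\0';
 
 return rv;
 }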
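Review bot: The added `assert(len + 1 != 0 && path[len] == '\0')` in clean_pathname(), and the same line with `buf` in line_remove_spaces(), checks nothing once NDEBUG is defined, and its second half is true by definition right after `strlen()`. If the intent is to guard the `malloc(len + 1)` size against wrap-around, make it an ordinary test that survives release builds, e.g. `if (len + 1 == 0) errExit("strlen");`, or drop it and say in a comment why `len + 1` cannot overflow. With calloc() replaced by malloc(), the new `rv[j] = '\0'` is the only thing terminating the string, which deserves a one-line comment because the copy loop is only partly inside the hunk.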
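--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -5,12 +5,14 @@ profile \- Security profile file syntax for Firejail
 .SH USAGE
 .TP
 firejail \-\-profile=filename.profile
+.RE
+firejail \-\-profile=profile_name
 
 .SH DESCRIPTION
 Several command line options can be passed to the program using
 profile files. Firejail chooses the profile file as follows:
 
-\fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded.
+\fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix.
 Example:
 .PP
 .RS
@@ -21,6 +23,15 @@ Reading profile /home/netblue/icecat.profile
 [...]
 .RE
 
+.PP
+.RS
+$ firejail --profile=icecat icecat-wrapper.sh
+.br
+Reading profile /etc/firejail/icecat.profile
+.br
+[...]
+.RE
+
 \fB2.\fR If a profile file with the same name as the application is present in ~/.config/firejail directory or
 in /etc/firejail, the profile is loaded. ~/.config/firejail takes precedence over /etc/firejail. Example:
 .PP
@@ -76,6 +87,18 @@ Example: "blacklist ~/My Virtual Machines"
 \fB# this is a comment
 
 .TP
+\fB?CONDITIONAL: profile line
+Conditionally add profile line.
+
+Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"
+
+This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line.
+
+Currently the only conditional supported is HAS_APPIMAGE.
+
+The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines.
+
+.TP
 \fBinclude other.profile
 Include other.profile file.
 
@@ -90,6 +113,10 @@ Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1"
 
 Example: "include ${CFG}/firefox.profile" will load "/etc/firejail/firefox.profile" file.
 
+The file name may also be just the name without the leading directory components. In this case, first the user config directory (${HOME}/.config/firejail) is searched for the file name and if not found then the system configuration directory is search for the file name. Note: Unlike the \-\-profile option which takes a profile name without the '.profile' suffix, include must be given the full file name.
+
+Example: "include firefox.profile" will load "${HOME}/.config/firejail/firefox.profile" file and if it does not exist "${CFG}/firefox.profile" will be loaded.
+
 System configuration files in ${CFG} are overwritten during software installation.
 Persistent configuration at system level is handled in ".local" files. For every
 profile file in ${CFG} directory, the user can create a corresponding .local file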
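--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -395,7 +395,7 @@ $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox
 
 .TP
 \fB\-\-disable-mnt
-Disable /mnt, /media, /run/mount and /run/media access.
+Blacklist /mnt, /media, /run/mount and /run/media access.
 .br
 
 .br
@@ -1531,7 +1531,7 @@ drwxrwxrwt 2 nobody nogroup 4096 Apr 30 10:52 .X11-unix
 
 
 .TP
-\fB\-\-profile=filename
+\fB\-\-profile=filename_or_profilename
 Load a custom security profile from filename. For filename use an absolute path or a path relative to the current path.
 For more information, see \fBSECURITY PROFILES\fR section below.
 .br
@@ -1681,12 +1681,12 @@ Enable seccomp filter and blacklist the syscalls in the default list (@default).
 _sysctl, acct, add_key, adjtimex, afs_syscall, bdflush, bpf, break, chroot, clock_adjtime, clock_settime,
 create_module, delete_module, fanotify_init, finit_module, ftime, get_kernel_syms, getpmsg, gtty, init_module,
 io_cancel, io_destroy, io_getevents, io_setup, io_submit, ioperm, iopl, ioprio_set, kcmp, kexec_file_load,
-kexec_load, keyctl, lock, lookup_dcookie, mbind, mfsservctl, migrate_pages, modify_ldt, mount, move_pages, mpx,
-name_to_handle_at, open_by_handle_at, pciconfig_iobase, pciconfig_read, pciconfig_write, perf_event_open,
-personality, pivot_root, process_vm_readv, process_vm_writev, process_vm_writev, prof, profil, ptrace, putpmsg,
+kexec_load, keyctl, lock, lookup_dcookie, mbind, migrate_pages, modify_ldt, mount, move_pages, mpx,
+name_to_handle_at, nfsservctl, ni_syscall, open_by_handle_at, pciconfig_iobase, pciconfig_read, pciconfig_write, perf_event_open,
+personality, pivot_root, process_vm_readv, process_vm_writev, prof, profil, ptrace, putpmsg,
 query_module, reboot, remap_file_pages, request_key, rtas, s390_mmio_read, s390_mmio_write, s390_runtime_instr,
 security, set_mempolicy, setdomainname, sethostname, settimeofday, sgetmask, ssetmask, stime, stty, subpage_prot,
-swapoff, swapon, switch_endian, sysfs, syslog, tuxcall, ulimit, umount, umount2, uselib, userfaultfd, ustat, vhangup,
+swapoff, swapon, switch_endian, sys_debug_setcontext, sysfs, syslog, tuxcall, ulimit, umount, umount2, uselib, userfaultfd, ustat, vhangup,
 vm86, vm86old, vmsplice and vserver.
 
 .br
@@ -2701,7 +2701,7 @@ The owner of the sandbox.
 Several command line options can be passed to the program using
 profile files. Firejail chooses the profile file as follows:
 
-1. If a profile file is provided by the user with --profile option, the profile file is loaded.
+1. If a profile file is provided by the user with --profile option, the profile file is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix.
 Example:
 .PP
 .RS
@@ -2712,6 +2712,15 @@ Reading profile /home/netblue/icecat.profile
 [...]
 .RE
 
+.PP
+.RS
+$ firejail --profile=icecat icecat-wrapper.sh
+.br
+Reading profile /etc/firejail/icecat.profile
+.br
+[...]
+.RE
+
 2. If a profile file with the same name as the application is present in ~/.config/firejail directory or
 in /etc/firejail, the profile is loaded. ~/.config/firejail takes precedence over /etc/firejail. Example:
 .PP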
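--- /dev/null
+++ b/test/filters/apparmor.exp
@@ -0,0 +1,59 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2018 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test1 --apparmor\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+spawn $env(SHELL)
+send -- "firejail --name=test2 --apparmor\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+spawn $env(SHELL)
+send -- "firemon --apparmor\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"test1:firejail --name=test1 --apparmor"
+}
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"AppArmor: firejail-default enforce"
+}
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"test2:firejail --name=test2 --apparmor"
+}
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"AppArmor: firejail-default enforce"
+}
+after 100
+
+send -- "firejail --apparmor.print=test1\r"
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+"AppArmor: firejail-default enforce"
+}
+after 100
+
+send -- "firejail --apparmor.print=test2\r"
+expect {
+timeout {puts "TESTING ERROR 7\n";exit}
+"AppArmor: firejail-default enforce"
+}
+after 100
+
+puts "\nall done\n"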
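Review bot: Every `timeout` branch in apparmor.exp ends in a bare `exit`, which returns status 0, so a run where `AppArmor: firejail-default enforce` never appears still exits successfully and the only failure signal is the `TESTING ERROR n` text on stdout. For a test whose purpose is to confirm that the confinement profile is in enforce mode, a non-zero status is the safer signal, e.g. `timeout {puts "TESTING ERROR 3\n";exit 1}`, applied to all eight branches. The caller visible in test/filters/filters.sh runs `./apparmor.exp` without checking its status, so this presumably only matters where the suite's output is not scanned for the error string. A short header comment such as `# verifies that --apparmor sandboxes report the firejail-default profile in enforce mode via firemon and --apparmor.print` would also make the intent of the repeated `expect` blocks clear.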
diff --git a/test/filters/filters.sh b/test/filters/filters.sh index 72d699415..917aa93b6 100755 --- a/test/filters/filters.sh +++ b/test/filters/filters.sh | |||
@@ -12,6 +12,12 @@ if [ -f /etc/debian_version ]; then | |||
12 | fi | 12 | fi |
13 | export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail" | 13 | export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail" |
14 | 14 | ||
15 | if [ -f /sys/kernel/security/apparmor/profiles ]; then | ||
16 | echo "TESTING: apparmor (test/filters/apparmor.exp)" | ||
17 | ./apparmor.exp | ||
18 | else | ||
19 | echo "TESTING SKIP: no apparmor support in Linux kernel (test/filters/apparmor.exp)" | ||
20 | fi | ||
15 | 21 | ||
16 | if [ "$(uname -m)" = "x86_64" ]; then | 22 | if [ "$(uname -m)" = "x86_64" ]; then |
17 | echo "TESTING: memory-deny-write-execute (test/filters/memwrexe.exp)" | 23 | echo "TESTING: memory-deny-write-execute (test/filters/memwrexe.exp)" |