302 files changed, 2683 insertions, 568 deletions
@@ -533,17 +533,17 @@ rogshdo (https://github.com/rogshdo) | |||
533 | Ruan (https://github.com/ruany) | 533 | Ruan (https://github.com/ruany) |
534 | - fixed hexchat profile | 534 | - fixed hexchat profile |
535 | rusty-snake (https://github.com/rusty-snake) | 535 | rusty-snake (https://github.com/rusty-snake) |
536 | - fixed kdenlive profile | 536 | - added profiles: thunderbird-wayland, supertuxkart, ghostwriter |
537 | - added thunderbird-wayland and supertuxkart profiles | 537 | - added profiles: klavaro, mypaint, mypaint-ora-thumbnailer, nano |
538 | - fix bible-time, rhythmbox profiles | 538 | - added profiles: gajim-history-manager, freemind, nomacs, kid3 |
539 | - more blacklists in disable-common.inc | 539 | - added profiles: kid3-qt, kid3-cli, anki, anki |
540 | - fixed some missing paths in disable-programs.inc | 540 | - fixed profiles: kdenlive, bibletime, rhythmbox, gajim, seahorse |
541 | - added ghostwriter profle | 541 | - fixed profiles: libreoffice, gnome-maps, wget, seahorse-tool |
542 | - fix gajim profile, added gajim-history-manager profile | 542 | - hardened profiles: disable-common.inc, disable-programs.inc |
543 | - updates for ~/.cargo | 543 | - hardened profiles: gajim, evince, ffmpeg, feh-network.inc, qtox |
544 | - added klavaro profile | 544 | - hardened profiles: gnome-clocks, meld, minetest, youtube-dl |
545 | - added mypaint, nano, celluoid profiles | 545 | - gnome-mpv was renamed to celluloid |
546 | - various profile hardening | 546 | - updates for ~/.cargo and ~/.python-history |
547 | Salvo 'LtWorf' Tomaselli (https://github.com/ltworf) | 547 | Salvo 'LtWorf' Tomaselli (https://github.com/ltworf) |
548 | - fixed ktorrent profile | 548 | - fixed ktorrent profile |
549 | sarneaud (https://github.com/sarneaud) | 549 | sarneaud (https://github.com/sarneaud) |
@@ -102,4 +102,5 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
102 | ## Current development version: 0.9.59 | 102 | ## Current development version: 0.9.59 |
103 | 103 | ||
104 | ## New profiles: | 104 | ## New profiles: |
105 | crow, nyx, klavaro, mypaint, celluoid, nano, transgui, sysprof, simplescreenrecorder, geekbench, xfce4-mixer, pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring, regextester, hardinfo, gnome-system-log, gnome-nettool, netactview, redshift, devhelp, assogiate, subdownloader, font-manager, exfalso, gconf-editor, dconf-editor, mpdris2, sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings, code-oss, pragha | 105 | crow, nyx, klavaro, mypaint, celluoid, nano, transgui, sysprof, simplescreenrecorder, geekbench, xfce4-mixer, pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring, regextester, hardinfo, gnome-system-log, gnome-nettool, netactview, redshift, devhelp, assogiate, subdownloader, font-manager, exfalso, gconf-editor, dconf-editor, mpdris2, sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings, code-oss, pragha, Maelstrom, ostrichriders, bzflag, freeciv, lincity-ng, megaglest, openttd, crawl, crawl-tiles, teeworlds, torcs, tremulous, warsow, lugaru, manaplus, pioneer, scorched3d, widelands, freemind, kid3, kid3-cli, kid3-qt, nomacs, freecol, opencity, openclonk, slashem, vulturesclaw, vultureseye, anki |
106 | |||
@@ -6,8 +6,14 @@ firejail (0.9.59) baseline; urgency=low | |||
6 | * new profiles: netactview, redshift, devhelp, assogiate, subdownloader | 6 | * new profiles: netactview, redshift, devhelp, assogiate, subdownloader |
7 | * new profiles: font-manager, exfalso, gconf-editor, dconf-editor | 7 | * new profiles: font-manager, exfalso, gconf-editor, dconf-editor |
8 | * new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings | 8 | * new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings |
9 | * new profiles: code-oss, pragha | 9 | * new profiles: code-oss, pragha, Maelstrom, ostrichriders, bzflag |
10 | * new profiles: freeciv, lincity-ng, megaglest, openttd, crawl, crawl-tiles | ||
11 | * new profiles: teeworlds, torcs, tremulous, warsow, lugaru, manaplus | ||
12 | * new profiles: pioneer, scorched3d, widelands, freemind, kid3, kid3-qt | ||
13 | * new profiles: kid3-cli, nomacs, freecol, opencity, openclonk, slashem | ||
14 | * new profiles: vultureseye, vulturesclaw, anki | ||
10 | * memory-deny-write-execute now also blocks memfd_create | 15 | * memory-deny-write-execute now also blocks memfd_create |
16 | * drop support for flatpak/snap packages | ||
11 | 17 | ||
12 | firejail (0.9.58,2) baseline; urgency=low | 18 | firejail (0.9.58,2) baseline; urgency=low |
13 | * cgroup flag in /etc/firejail/firejail.config file | 19 | * cgroup flag in /etc/firejail/firejail.config file |
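--- /dev/null
+++ b/etc/Maelstrom.profile
@@ -0,0 +1,43 @@
+# Firejail profile for Maelstrom
+# Description: A space combat game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Maelstrom.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /var/lib/games/Maelstrom-Scores
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /var/lib/games
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodbus
+nodvd
+nogroups
+#nonewprivs
+#noroot
+notv
+nou2f
+novideo
+#protocol unix
+#seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin Maelstrom
+private-cache
+private-dev
+private-tmp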
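Review bot: The four disabled options `#nonewprivs`, `#noroot`, `#protocol unix` and `#seccomp` carry no reason, so the next maintainer cannot tell whether they were tested and broke the game or were never tried. Other hunks in this commit use the `# net none - breaks on Ubuntu` form (artha); the same form here, e.g. `# noroot - breaks writing the score file /var/lib/games/Maelstrom-Scores`, which the `noblacklist` on that path suggests is the motivation but which should be confirmed, would keep the weakening reviewable. With `net none` in effect the sandbox has no IP interfaces, so enabling `protocol unix` should be safe and is worth a try before leaving it commented out.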
diff --git a/etc/acat.profile b/etc/acat.profile index 0b4579035..f35adf3dc 100644 --- a/etc/acat.profile +++ b/etc/acat.profile | |||
@@ -3,7 +3,8 @@ | |||
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include acat.local | 4 | include acat.local |
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | # added by included profile |
7 | #include globals.local | ||
7 | 8 | ||
8 | # Redirect | 9 | # Redirect |
9 | include atool.profile | 10 | include atool.profile |
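Review bot: The replacement comment `# added by included profile` above `#include globals.local` does not say which profile, so a reader has to follow the `include atool.profile` redirect to learn where `globals.local` is now pulled in. A comment naming it, e.g. `# globals.local is included by atool.profile (see Redirect below)`, keeps the inclusion order visible without opening a second file. The same comment appears in the adiff, als, apack, arepack and aunpack hunks (redirecting to atool.profile) and in the bunzip2 and bzip2 hunks (redirecting to gzip.profile). Whether atool.profile and gzip.profile actually include globals.local is not visible in this chunk and is what the comment should assert once checked.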
diff --git a/etc/adiff.profile b/etc/adiff.profile index 9073b1477..f22a27e79 100644 --- a/etc/adiff.profile +++ b/etc/adiff.profile | |||
@@ -3,7 +3,8 @@ | |||
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include adiff.local | 4 | include adiff.local |
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | # added by included profile |
7 | #include globals.local | ||
7 | 8 | ||
8 | # Redirect | 9 | # Redirect |
9 | include atool.profile | 10 | include atool.profile |
diff --git a/etc/akonadi_control.profile b/etc/akonadi_control.profile index 4d40e6594..1c16f940e 100644 --- a/etc/akonadi_control.profile +++ b/etc/akonadi_control.profile | |||
@@ -22,6 +22,7 @@ noblacklist /usr/sbin | |||
22 | 22 | ||
23 | include disable-common.inc | 23 | include disable-common.inc |
24 | include disable-devel.inc | 24 | include disable-devel.inc |
25 | include disable-exec.inc | ||
25 | include disable-interpreters.inc | 26 | include disable-interpreters.inc |
26 | include disable-passwdmgr.inc | 27 | include disable-passwdmgr.inc |
27 | include disable-programs.inc | 28 | include disable-programs.inc |
@@ -51,5 +52,3 @@ tracelog | |||
51 | private-dev | 52 | private-dev |
52 | # private-tmp - breaks programs that depend on akonadi | 53 | # private-tmp - breaks programs that depend on akonadi |
53 | 54 | ||
54 | noexec ${HOME} | ||
55 | noexec /tmp | ||
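Review bot: The removed `noexec ${HOME}` and `noexec /tmp` are replaced by `include disable-exec.inc`, whose contents are not in this chunk, so the hunk alone cannot confirm that both mounts stay noexec. That matters most in this profile because `# private-tmp - breaks programs that depend on akonadi` keeps the host /tmp shared with the sandbox. A short comment at the include, e.g. `# disable-exec.inc covers noexec ${HOME} and /tmp`, would record the equivalence once it has been checked. The same substitution is made in the arch-audit, ark, artha, assogiate, asunder, atril, audacious, audacity, authenticator, baloo_file and celluloid hunks.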
diff --git a/etc/als.profile b/etc/als.profile index 24b8b976b..aa7f29337 100644 --- a/etc/als.profile +++ b/etc/als.profile | |||
@@ -3,7 +3,8 @@ | |||
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include als.local | 4 | include als.local |
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | # added by included profile |
7 | #include globals.local | ||
7 | 8 | ||
8 | # Redirect | 9 | # Redirect |
9 | include atool.profile | 10 | include atool.profile |
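--- /dev/null
+++ b/etc/anki.profile
@@ -0,0 +1,57 @@
+# Firejail profile for anki
+# Description: flexible, intelligent flashcard program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include anki.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/.local/share/Anki2
+
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${DOCUMENTS}
+whitelist ${HOME}/.local/share/Anki2
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin anki,python*
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,machine-id,pki,resolv.conf,Trolltech.conf,ssl
+private-tmp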
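Review bot: The profile unblacklists both the python2 and python3 trees while `private-bin anki,python*` admits every interpreter on PATH, so the sandbox exposes more interpreter surface than a single anki build can use. If the packaged anki runs on python3 (current releases do, but that is not visible here), the python2 lines could be kept commented the way the authenticator hunk in this commit does (`#noblacklist ${PATH}/python2*`) and the bin list narrowed to `private-bin anki,python3*`. A comment recording which interpreter the profile was tested with would make that decision reproducible for the next update.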
diff --git a/etc/apack.profile b/etc/apack.profile index bd5e49a01..b09d3d718 100644 --- a/etc/apack.profile +++ b/etc/apack.profile | |||
@@ -3,7 +3,8 @@ | |||
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include apack.local | 4 | include apack.local |
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | # added by included profile |
7 | #include globals.local | ||
7 | 8 | ||
8 | # Redirect | 9 | # Redirect |
9 | include atool.profile | 10 | include atool.profile |
diff --git a/etc/arch-audit.profile b/etc/arch-audit.profile index e28733c63..e353326df 100644 --- a/etc/arch-audit.profile +++ b/etc/arch-audit.profile | |||
@@ -12,6 +12,7 @@ noblacklist /var/lib/pacman | |||
12 | 12 | ||
13 | include disable-common.inc | 13 | include disable-common.inc |
14 | include disable-devel.inc | 14 | include disable-devel.inc |
15 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
16 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 18 | include disable-programs.inc |
@@ -44,5 +45,3 @@ private-dev | |||
44 | private-tmp | 45 | private-tmp |
45 | 46 | ||
46 | memory-deny-write-execute | 47 | memory-deny-write-execute |
47 | noexec ${HOME} | ||
48 | noexec /tmp | ||
diff --git a/etc/arepack.profile b/etc/arepack.profile index f5584b2be..d23fc21db 100644 --- a/etc/arepack.profile +++ b/etc/arepack.profile | |||
@@ -3,7 +3,8 @@ | |||
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include arepack.local | 4 | include arepack.local |
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | # added by included profile |
7 | #include globals.local | ||
7 | 8 | ||
8 | # Redirect | 9 | # Redirect |
9 | include atool.profile | 10 | include atool.profile |
diff --git a/etc/aria2c.profile b/etc/aria2c.profile index 10d607c49..6e5a87dab 100644 --- a/etc/aria2c.profile +++ b/etc/aria2c.profile | |||
@@ -28,7 +28,7 @@ nosound | |||
28 | notv | 28 | notv |
29 | nou2f | 29 | nou2f |
30 | novideo | 30 | novideo |
31 | protocol unix,inet,inet6 | 31 | protocol unix,inet,inet6,netlink |
32 | seccomp | 32 | seccomp |
33 | shell none | 33 | shell none |
34 | 34 | ||
@@ -36,7 +36,7 @@ shell none | |||
36 | private-bin aria2c,gzip | 36 | private-bin aria2c,gzip |
37 | private-cache | 37 | private-cache |
38 | private-dev | 38 | private-dev |
39 | private-etc alternatives,ca-certificates,ssl | 39 | private-etc alternatives,ca-certificates,ssl,resolv.conf |
40 | private-lib libreadline.so.* | 40 | private-lib libreadline.so.* |
41 | private-tmp | 41 | private-tmp |
42 | 42 | ||
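Review bot: `netlink` is added to the `protocol` line without a comment, which widens the socket-family filter for a download client beyond unix/inet/inet6. A one-line reason next to it, e.g. `# netlink - needed for interface/route lookup (confirm)`, would let a later reviewer judge whether it is still required or can be dropped again. The `resolv.conf` addition to `private-etc` is self-explanatory and needs no such note.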
diff --git a/etc/ark.profile b/etc/ark.profile index b60674f95..9214e96ff 100644 --- a/etc/ark.profile +++ b/etc/ark.profile | |||
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/arkrc | |||
10 | 10 | ||
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | include disable-devel.inc | 12 | include disable-devel.inc |
13 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | 14 | include disable-interpreters.inc |
14 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
15 | include disable-programs.inc | 16 | include disable-programs.inc |
@@ -39,5 +40,3 @@ private-bin ark,unrar,rar,unzip,zip,zipinfo,7z,p7zip,unar,lsar,lrzip,lzop,lz4,ba | |||
39 | private-dev | 40 | private-dev |
40 | private-tmp | 41 | private-tmp |
41 | 42 | ||
42 | noexec ${HOME} | ||
43 | noexec /tmp | ||
diff --git a/etc/arm.profile b/etc/arm.profile index 217b61d09..d31b962ca 100644 --- a/etc/arm.profile +++ b/etc/arm.profile | |||
@@ -13,6 +13,8 @@ noblacklist ${PATH}/python2* | |||
13 | noblacklist ${PATH}/python3* | 13 | noblacklist ${PATH}/python3* |
14 | noblacklist /usr/lib/python2* | 14 | noblacklist /usr/lib/python2* |
15 | noblacklist /usr/lib/python3* | 15 | noblacklist /usr/lib/python3* |
16 | noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
16 | 18 | ||
17 | include disable-common.inc | 19 | include disable-common.inc |
18 | include disable-devel.inc | 20 | include disable-devel.inc |
diff --git a/etc/artha.profile b/etc/artha.profile index 431fc3ed1..8ef5124de 100644 --- a/etc/artha.profile +++ b/etc/artha.profile | |||
@@ -11,14 +11,15 @@ noblacklist ${HOME}/.config/enchant | |||
11 | 11 | ||
12 | include disable-common.inc | 12 | include disable-common.inc |
13 | include disable-devel.inc | 13 | include disable-devel.inc |
14 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
15 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 17 | include disable-programs.inc |
17 | 18 | ||
19 | apparmor | ||
18 | caps.drop all | 20 | caps.drop all |
19 | ipc-namespace | 21 | ipc-namespace |
20 | machine-id | 22 | # net none - breaks on Ubuntu |
21 | net none | ||
22 | no3d | 23 | no3d |
23 | # nodbus | 24 | # nodbus |
24 | nodvd | 25 | nodvd |
@@ -37,10 +38,8 @@ disable-mnt | |||
37 | private-bin artha,enchant,notify-send | 38 | private-bin artha,enchant,notify-send |
38 | private-cache | 39 | private-cache |
39 | private-dev | 40 | private-dev |
40 | private-etc alternatives,fonts | 41 | private-etc alternatives,machine-id,fonts |
41 | private-lib libnotify.so.* | 42 | private-lib libnotify.so.* |
42 | private-tmp | 43 | private-tmp |
43 | 44 | ||
44 | memory-deny-write-execute | 45 | memory-deny-write-execute |
45 | noexec ${HOME} | ||
46 | noexec /tmp | ||
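Review bot: Disabling `net none` (`# net none - breaks on Ubuntu`) gives artha network access, and the hunk shows no `netfilter` or `protocol` line taking its place; unless they exist outside the hunk, the sandbox now has unrestricted sockets. Adding `netfilter` and `protocol unix` directly below the comment would keep the network surface bounded, widening to `protocol unix,inet,inet6` only if the Ubuntu breakage turns out to need IP sockets. Separately, `machine-id` is dropped as a standalone option and re-added as a `private-etc` entry; if the option was spoofing the id, the new form exposes the real file instead, which is worth confirming was intended. One more word in the comment on what breaks on Ubuntu would also help the next maintainer.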
diff --git a/etc/assogiate.profile b/etc/assogiate.profile index 1161c24fe..c579cc280 100644 --- a/etc/assogiate.profile +++ b/etc/assogiate.profile | |||
@@ -10,6 +10,7 @@ noblacklist ${PICTURES} | |||
10 | 10 | ||
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | include disable-devel.inc | 12 | include disable-devel.inc |
13 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | 14 | include disable-interpreters.inc |
14 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
15 | include disable-programs.inc | 16 | include disable-programs.inc |
@@ -38,12 +39,10 @@ shell none | |||
38 | tracelog | 39 | tracelog |
39 | 40 | ||
40 | disable-mnt | 41 | disable-mnt |
41 | private-bin assogiate | 42 | private-bin assogiate,gtk-update-icon-cache |
42 | private-cache | 43 | private-cache |
43 | private-dev | 44 | private-dev |
44 | private-lib gnome-vfs-2.0,libattr.so.*,libacl.so.*,libfam.so.* | 45 | private-lib gnome-vfs-2.0,libattr.so.*,libacl.so.*,libfam.so.* |
45 | private-tmp | 46 | private-tmp |
46 | 47 | ||
47 | memory-deny-write-execute | 48 | memory-deny-write-execute |
48 | noexec ${HOME} | ||
49 | noexec /tmp | ||
diff --git a/etc/asunder.profile b/etc/asunder.profile index 3167dfe12..fa2479051 100644 --- a/etc/asunder.profile +++ b/etc/asunder.profile | |||
@@ -14,6 +14,7 @@ noblacklist ${MUSIC} | |||
14 | 14 | ||
15 | include disable-common.inc | 15 | include disable-common.inc |
16 | include disable-devel.inc | 16 | include disable-devel.inc |
17 | include disable-exec.inc | ||
17 | include disable-interpreters.inc | 18 | include disable-interpreters.inc |
18 | include disable-passwdmgr.inc | 19 | include disable-passwdmgr.inc |
19 | include disable-programs.inc | 20 | include disable-programs.inc |
@@ -39,5 +40,3 @@ private-tmp | |||
39 | 40 | ||
40 | # mdwe is disabled due to breaking hardware accelerated decoding | 41 | # mdwe is disabled due to breaking hardware accelerated decoding |
41 | # memory-deny-write-execute | 42 | # memory-deny-write-execute |
42 | noexec ${HOME} | ||
43 | noexec /tmp | ||
diff --git a/etc/atool.profile b/etc/atool.profile index c82108cef..b17498e9d 100644 --- a/etc/atool.profile +++ b/etc/atool.profile | |||
@@ -18,15 +18,21 @@ noblacklist /usr/share/perl* | |||
18 | 18 | ||
19 | include disable-common.inc | 19 | include disable-common.inc |
20 | # include disable-devel.inc | 20 | # include disable-devel.inc |
21 | include disable-exec.inc | ||
21 | include disable-interpreters.inc | 22 | include disable-interpreters.inc |
22 | include disable-passwdmgr.inc | 23 | include disable-passwdmgr.inc |
23 | include disable-programs.inc | 24 | include disable-programs.inc |
24 | 25 | ||
26 | apparmor | ||
25 | caps.drop all | 27 | caps.drop all |
26 | netfilter | 28 | hostname atool |
29 | ipc-namespace | ||
30 | machine-id | ||
27 | net none | 31 | net none |
32 | netfilter | ||
28 | no3d | 33 | no3d |
29 | nodvd | 34 | nodvd |
35 | nodbus | ||
30 | nogroups | 36 | nogroups |
31 | nonewprivs | 37 | nonewprivs |
32 | noroot | 38 | noroot |
@@ -39,9 +45,11 @@ seccomp | |||
39 | shell none | 45 | shell none |
40 | tracelog | 46 | tracelog |
41 | 47 | ||
48 | # private-bin atool,perl | ||
42 | private-cache | 49 | private-cache |
43 | # private-bin atool | ||
44 | private-dev | 50 | private-dev |
45 | # without login.defs atool complains and uses UID/GID 1000 by default | 51 | # without login.defs atool complains and uses UID/GID 1000 by default |
46 | private-etc alternatives,passwd,group,login.defs | 52 | private-etc alternatives,passwd,group,login.defs |
47 | private-tmp | 53 | private-tmp |
54 | |||
55 | memory-deny-write-execute | ||
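Review bot: `# private-bin atool,perl` is moved but stays disabled with no recorded reason, so a later reader cannot tell whether it was tried and failed or is just a placeholder; `# private-bin atool,perl - breaks <reason>` would settle that. The added standalone `machine-id` option goes the opposite way from the artha hunk in this commit, which moves machine-id into `private-etc`; since the two forms do not expose the same thing, the commit should be consistent or say why each profile differs (the bsdtar hunk adds the standalone form as well). `memory-deny-write-execute` is added at the end for a perl-driven wrapper; a note that it was tested with the compressors atool shells out to would be reassuring, since this chunk shows no such test.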
diff --git a/etc/atril.profile b/etc/atril.profile index aca945ba3..2f39af823 100644 --- a/etc/atril.profile +++ b/etc/atril.profile | |||
@@ -15,6 +15,7 @@ noblacklist ${DOCUMENTS} | |||
15 | 15 | ||
16 | include disable-common.inc | 16 | include disable-common.inc |
17 | include disable-devel.inc | 17 | include disable-devel.inc |
18 | include disable-exec.inc | ||
18 | include disable-interpreters.inc | 19 | include disable-interpreters.inc |
19 | include disable-passwdmgr.inc | 20 | include disable-passwdmgr.inc |
20 | include disable-programs.inc | 21 | include disable-programs.inc |
@@ -49,5 +50,3 @@ private-tmp | |||
49 | 50 | ||
50 | # webkit gtk killed by memory-deny-write-execute | 51 | # webkit gtk killed by memory-deny-write-execute |
51 | #memory-deny-write-execute | 52 | #memory-deny-write-execute |
52 | noexec ${HOME} | ||
53 | noexec /tmp | ||
diff --git a/etc/audacious.profile b/etc/audacious.profile index 590d3ffa3..4d0c93047 100644 --- a/etc/audacious.profile +++ b/etc/audacious.profile | |||
@@ -12,6 +12,7 @@ noblacklist ${MUSIC} | |||
12 | 12 | ||
13 | include disable-common.inc | 13 | include disable-common.inc |
14 | include disable-devel.inc | 14 | include disable-devel.inc |
15 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
16 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 18 | include disable-programs.inc |
@@ -40,5 +41,3 @@ private-dev | |||
40 | private-tmp | 41 | private-tmp |
41 | 42 | ||
42 | memory-deny-write-execute | 43 | memory-deny-write-execute |
43 | noexec ${HOME} | ||
44 | noexec /tmp | ||
diff --git a/etc/audacity.profile b/etc/audacity.profile index 4dd412359..200d3a387 100644 --- a/etc/audacity.profile +++ b/etc/audacity.profile | |||
@@ -12,6 +12,7 @@ noblacklist ${MUSIC} | |||
12 | 12 | ||
13 | include disable-common.inc | 13 | include disable-common.inc |
14 | include disable-devel.inc | 14 | include disable-devel.inc |
15 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
16 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 18 | include disable-programs.inc |
@@ -41,5 +42,3 @@ private-dev | |||
41 | private-tmp | 42 | private-tmp |
42 | 43 | ||
43 | memory-deny-write-execute | 44 | memory-deny-write-execute |
44 | noexec ${HOME} | ||
45 | noexec /tmp | ||
diff --git a/etc/aunpack.profile b/etc/aunpack.profile index cde9473e3..c119ed9ad 100644 --- a/etc/aunpack.profile +++ b/etc/aunpack.profile | |||
@@ -3,7 +3,8 @@ | |||
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include aunpack.local | 4 | include aunpack.local |
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | # added by included profile |
7 | #include globals.local | ||
7 | 8 | ||
8 | # Redirect | 9 | # Redirect |
9 | include atool.profile | 10 | include atool.profile |
diff --git a/etc/authenticator.profile b/etc/authenticator.profile index 7f5090251..f989ab1ba 100644 --- a/etc/authenticator.profile +++ b/etc/authenticator.profile | |||
@@ -8,12 +8,17 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.config/Authenticator | 9 | noblacklist ${HOME}/.config/Authenticator |
10 | 10 | ||
11 | # Allow python 3.x (blacklisted by disable-interpreters.inc) | 11 | # Allow python (blacklisted by disable-interpreters.inc) |
12 | #noblacklist ${PATH}/python2* | ||
12 | noblacklist ${PATH}/python3* | 13 | noblacklist ${PATH}/python3* |
14 | #noblacklist /usr/lib/python2* | ||
13 | noblacklist /usr/lib/python3* | 15 | noblacklist /usr/lib/python3* |
16 | #noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
14 | 18 | ||
15 | include disable-common.inc | 19 | include disable-common.inc |
16 | include disable-devel.inc | 20 | include disable-devel.inc |
21 | include disable-exec.inc | ||
17 | include disable-interpreters.inc | 22 | include disable-interpreters.inc |
18 | include disable-passwdmgr.inc | 23 | include disable-passwdmgr.inc |
19 | include disable-programs.inc | 24 | include disable-programs.inc |
@@ -43,5 +48,3 @@ private-etc alternatives,fonts,ld.so.cache | |||
43 | private-tmp | 48 | private-tmp |
44 | 49 | ||
45 | # memory-deny-write-execute - breaks on Arch | 50 | # memory-deny-write-execute - breaks on Arch |
46 | noexec ${HOME} | ||
47 | noexec /tmp | ||
diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile index 176d8cae7..f46987cc7 100644 --- a/etc/baloo_file.profile +++ b/etc/baloo_file.profile | |||
@@ -19,6 +19,7 @@ noblacklist ${HOME}/.local/share/baloo | |||
19 | 19 | ||
20 | include disable-common.inc | 20 | include disable-common.inc |
21 | include disable-devel.inc | 21 | include disable-devel.inc |
22 | include disable-exec.inc | ||
22 | include disable-interpreters.inc | 23 | include disable-interpreters.inc |
23 | include disable-passwdmgr.inc | 24 | include disable-passwdmgr.inc |
24 | include disable-programs.inc | 25 | include disable-programs.inc |
@@ -46,6 +47,3 @@ private-bin baloo_file,baloo_file_extractor,baloo_filemetadata_temp_extractor,kb | |||
46 | private-cache | 47 | private-cache |
47 | private-dev | 48 | private-dev |
48 | private-tmp | 49 | private-tmp |
49 | |||
50 | noexec ${HOME} | ||
51 | noexec /tmp | ||
diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile index fa850fe1a..fae7d8133 100644 --- a/etc/bleachbit.profile +++ b/etc/bleachbit.profile | |||
@@ -11,6 +11,8 @@ noblacklist ${PATH}/python2* | |||
11 | noblacklist ${PATH}/python3* | 11 | noblacklist ${PATH}/python3* |
12 | noblacklist /usr/lib/python2* | 12 | noblacklist /usr/lib/python2* |
13 | noblacklist /usr/lib/python3* | 13 | noblacklist /usr/lib/python3* |
14 | noblacklist /usr/local/lib/python2* | ||
15 | noblacklist /usr/local/lib/python3* | ||
14 | 16 | ||
15 | include disable-common.inc | 17 | include disable-common.inc |
16 | include disable-devel.inc | 18 | include disable-devel.inc |
diff --git a/etc/blender.profile b/etc/blender.profile index 77d073cd7..d23fe0810 100644 --- a/etc/blender.profile +++ b/etc/blender.profile | |||
@@ -13,6 +13,8 @@ noblacklist ${PATH}/python2* | |||
13 | noblacklist ${PATH}/python3* | 13 | noblacklist ${PATH}/python3* |
14 | noblacklist /usr/lib/python2* | 14 | noblacklist /usr/lib/python2* |
15 | noblacklist /usr/lib/python3* | 15 | noblacklist /usr/lib/python3* |
16 | noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
16 | 18 | ||
17 | include disable-common.inc | 19 | include disable-common.inc |
18 | include disable-devel.inc | 20 | include disable-devel.inc |
diff --git a/etc/bsdtar.profile b/etc/bsdtar.profile index b6b673976..f964438bc 100644 --- a/etc/bsdtar.profile +++ b/etc/bsdtar.profile | |||
@@ -10,16 +10,20 @@ blacklist /tmp/.X11-unix | |||
10 | 10 | ||
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | # include disable-devel.inc | 12 | # include disable-devel.inc |
13 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | 14 | include disable-interpreters.inc |
14 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
15 | include disable-programs.inc | 16 | include disable-programs.inc |
16 | 17 | ||
18 | apparmor | ||
17 | caps.drop all | 19 | caps.drop all |
18 | hostname bsdtar | 20 | hostname bsdtar |
19 | ipc-namespace | 21 | ipc-namespace |
22 | machine-id | ||
20 | netfilter | 23 | netfilter |
21 | no3d | 24 | no3d |
22 | nodvd | 25 | nodvd |
26 | nodbus | ||
23 | nogroups | 27 | nogroups |
24 | nonewprivs | 28 | nonewprivs |
25 | # noroot | 29 | # noroot |
@@ -34,5 +38,8 @@ tracelog | |||
34 | 38 | ||
35 | # support compressed archives | 39 | # support compressed archives |
36 | private-bin sh,bash,bsdcat,bsdcpio,bsdtar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop,lz4,libarchive | 40 | private-bin sh,bash,bsdcat,bsdcpio,bsdtar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop,lz4,libarchive |
41 | private-cache | ||
37 | private-dev | 42 | private-dev |
38 | private-etc alternatives,passwd,group,localtime | 43 | private-etc alternatives,passwd,group,localtime |
44 | |||
45 | memory-deny-write-execute | ||
diff --git a/etc/bunzip2.profile b/etc/bunzip2.profile index 891476cb1..ff86cbdfc 100644 --- a/etc/bunzip2.profile +++ b/etc/bunzip2.profile | |||
@@ -1,9 +1,11 @@ | |||
1 | # Firejail profile for bunzip2 | 1 | # Firejail profile for bunzip2 |
2 | # Description: A high-quality data compression program | ||
2 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | 4 | # Persistent local customizations |
4 | include bunzip2.local | 5 | include bunzip2.local |
5 | # Persistent global definitions | 6 | # Persistent global definitions |
6 | include globals.local | 7 | # added by included profile |
8 | #include globals.local | ||
7 | 9 | ||
8 | # Redirect | 10 | # Redirect |
9 | include gzip.profile | 11 | include gzip.profile |
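--- /dev/null
+++ b/etc/bzflag.profile
@@ -0,0 +1,44 @@
+# Firejail profile for bzflag
+# Description: 3D multi-player tank battle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bzflag.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.bzf
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.bzf
+whitelist ${HOME}/.bzf
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bzflag,bzflag-wrapper,bzfs,bzadmin
+private-cache
+private-dev
+private-tmp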
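Review bot: bzflag keeps network access (`netfilter`, `protocol unix,inet,inet6`) but has no `private-etc` line, so the whole host /etc stays readable inside the sandbox; the anki profile added in this same commit ships one. A list along the lines of `private-etc alternatives,ca-certificates,fonts,hosts,machine-id,resolv.conf,ssl`, with the exact entries confirmed by testing, would cut that exposure. `private-bin bzflag,bzflag-wrapper,bzfs,bzadmin` also includes the dedicated server `bzfs`; if the profile is meant for the client, dropping it narrows the executables reachable from the sandbox.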
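--- /dev/null
+++ b/etc/bzip2.profile
@@ -0,0 +1,11 @@
+# Firejail profile for bzip2
+# Description: A high-quality data compression program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bzip2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile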
diff --git a/etc/caja.profile b/etc/caja.profile index 49516de8c..f38110dc9 100644 --- a/etc/caja.profile +++ b/etc/caja.profile | |||
@@ -18,6 +18,8 @@ noblacklist ${PATH}/python2* | |||
18 | noblacklist ${PATH}/python3* | 18 | noblacklist ${PATH}/python3* |
19 | noblacklist /usr/lib/python2* | 19 | noblacklist /usr/lib/python2* |
20 | noblacklist /usr/lib/python3* | 20 | noblacklist /usr/lib/python3* |
21 | noblacklist /usr/local/lib/python2* | ||
22 | noblacklist /usr/local/lib/python3* | ||
21 | 23 | ||
22 | include disable-common.inc | 24 | include disable-common.inc |
23 | include disable-devel.inc | 25 | include disable-devel.inc |
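--- a/etc/catfish.profile
+++ b/etc/catfish.profile
@@ -16,6 +16,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 # include disable-devel.inc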
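--- a/etc/celluloid.profile
+++ b/etc/celluloid.profile
@@ -21,6 +21,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -47,5 +48,3 @@ private-etc alternatives,ca-certificates,ssl,pki,pkcs11,hosts,machine-id,localti
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp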
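--- a/etc/checkbashisms.profile
+++ b/etc/checkbashisms.profile
@@ -18,6 +18,7 @@ noblacklist /usr/share/perl*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -50,5 +51,3 @@ private-lib perl*
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp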
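--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc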
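--- a/etc/chromium-common.profile
+++ b/etc/chromium-common.profile
@@ -6,11 +6,15 @@ include chromium-common.local
 # already included by caller profile
 #include globals.local
 
+# noexec ${HOME} breaks DRM binaries.
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 
@@ -37,9 +41,5 @@ disable-mnt
 private-dev
 # private-tmp - problems with multiple browser sessions
 
-# breaks DRM binaries
-#noexec ${HOME}
-noexec /tmp
-
 # the file dialog needs to work without d-bus
 env NO_CHROME_KDE_FILE_DIALOG=1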
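--- a/etc/clamav.profile
+++ b/etc/clamav.profile
@@ -7,6 +7,8 @@ include clamav.local
 # Persistent global definitions
 include globals.local
 
+include disable-exec.inc
+
 caps.drop all
 ipc-namespace
 net none
@@ -30,5 +32,3 @@ private-dev
 read-only ${HOME}
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp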
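--- a/etc/clamtk.profile
+++ b/etc/clamtk.profile
@@ -5,6 +5,8 @@ include clamtk.local
 # Persistent global definitions
 include globals.local
 
+include disable-exec.inc
+
 caps.drop all
 ipc-namespace
 net none
@@ -23,6 +25,3 @@ seccomp
 shell none
 
 private-dev
-
-noexec ${HOME}
-noexec /tmp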
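--- a/etc/clawsker.profile
+++ b/etc/clawsker.profile
@@ -17,6 +17,7 @@ noblacklist /usr/share/perl*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -25,6 +26,7 @@ mkdir ${HOME}/.claws-mail
 whitelist ${HOME}/.claws-mail
 include whitelist-common.inc
 
+apparmor
 caps.drop all
 net none
 no3d
@@ -42,13 +44,11 @@ seccomp
 shell none
 
 disable-mnt
-private-bin clawsker,perl
+private-bin bash,clawsker,perl,sh,which
 private-cache
 private-dev
 private-etc alternatives,fonts
-private-lib girepository-1.*,libgirepository-1.*,perl*
+private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl*
 private-tmp
 
 # memory-deny-write-execute - breaks on Arch
-noexec ${HOME}
-noexec /tmp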
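Review bot: `private-bin bash,clawsker,perl,sh,which` brings two shells into a sandbox whose old list held only the program and its interpreter, and the hunk gives no reason; a comment above the line (`# bash,sh,which: required by the launcher script`, if that is the case) would record that the widening is deliberate, in the way the profile already annotates the disabled memory-deny-write-execute. The longer `private-lib` list likewise carries no note of the platform it was verified on, which matters given the Arch-specific comment two lines below.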
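--- a/etc/clipit.profile
+++ b/etc/clipit.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.local/share/clipit
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,5 +40,3 @@ private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp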
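--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -13,14 +13,21 @@ noblacklist /sbin
 noblacklist /usr/sbin
 
 include disable-common.inc
+# include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+apparmor
 caps.drop all
+hostname cpio
+ipc-namespace
+machine-id
 net none
 no3d
 nodbus
 nodvd
+nogroups
 nonewprivs
 nosound
 notv
@@ -30,4 +37,7 @@ seccomp
 shell none
 tracelog
 
+private-cache
 private-dev
+
+memory-deny-write-execute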
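Review bot: `# include disable-devel.inc` is added commented out with no reason, whereas commented options in the sibling profiles of this commit carry one (`# net none - breaks on Ubuntu`, `# memory-deny-write-execute - breaks on Arch`); either state why it is off (`# include disable-devel.inc - cpio is called from build scripts`, if that is the reason) or leave the line out. The remaining additions (apparmor, hostname, ipc-namespace, machine-id, nogroups, private-cache, memory-deny-write-execute) are straightforward hardening; the Arch breakage noted for memory-deny-write-execute in other profiles suggests checking it there for cpio as well.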
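--- /dev/null
+++ b/etc/crawl-tiles.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for crawl
+# This file is overwritten after every install/update
+
+ignore no3d
+
+# Redirect
+include crawl.profile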
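Review bot: The alias never includes `crawl-tiles.local`, unlike the other redirect profile in this commit (bzip2.profile carries `include bzip2.local` plus the `# added by included profile` / `#include globals.local` pair before its `# Redirect`), so a user's crawl-tiles.local is not read on this path. Adding `# Persistent local customizations` / `include crawl-tiles.local` ahead of `ignore no3d` restores the convention. Note that crawl.profile in the next section includes crawl-tiles.local instead of crawl.local, so the two files currently look swapped.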
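--- /dev/null
+++ b/etc/crawl.profile
@@ -0,0 +1,45 @@
+# Firejail profile for crawl-tiles
+# Description: Roguelike dungeon exploration game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include crawl-tiles.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.crawl
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.crawl
+whitelist ${HOME}/.crawl
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-bin crawl,crawl-tiles
+private-cache
+private-dev
+private-tmp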
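Review bot: Line 1 and line 5 name the alias rather than this file: `# Firejail profile for crawl-tiles` and `include crawl-tiles.local` sit in crawl.profile, while crawl-tiles.profile is the short redirect into it, so a `crawl.local` customization is never read. Suggest `# Firejail profile for crawl` and `include crawl.local`, matching the convention that a profile includes the `.local` of its own name (clamav.profile → clamav.local, dconf.profile → dconf.local elsewhere in this commit). The rest of the profile reads consistently with the other new game profile (bzflag) in this commit.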
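--- a/etc/d-feet.profile
+++ b/etc/d-feet.profile
@@ -9,13 +9,16 @@ include globals.local
 noblacklist ${HOME}/.config/d-feet
 
 # Allow python (disabled by disable-interpreters.inc)
-#noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
-#noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -29,8 +32,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
-machine-id
-net none
+# net none - breaks on Ubuntu
 no3d
 nodvd
 nogroups
@@ -48,9 +50,7 @@ disable-mnt
 private-bin d-feet,python*
 private-cache
 private-dev
-private-etc alternatives,dbus-1,fonts
+private-etc alternatives,dbus-1,fonts,machine-id
 private-tmp
 
 # memory-deny-write-execute - Breaks on Arch
-noexec ${HOME}
-noexec /tmp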
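Review bot: Dropping the `machine-id` option (old line 32) while adding `machine-id` to `private-etc` changes what the program sees: the option gives the sandbox a randomized id, whereas the private-etc entry exposes the host's real /etc/machine-id, a stable per-host identifier, and the same swap is made in dconf-editor and devhelp. A comment on the private-etc line recording why the spoofed id was dropped (`# machine-id in private-etc: spoofed id breaks <symptom>`) would keep a later hardening pass from reverting it. `# net none - breaks on Ubuntu` keeps its reason, which is good; whether a netfilter or protocol line remains elsewhere in the file is outside the hunk.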
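--- a/etc/dconf-editor.profile
+++ b/etc/dconf-editor.profile
@@ -6,8 +6,11 @@ include dconf-editor.local
 # Persistent global definitions
 include globals.local
 
+whitelist ${HOME}/.local/share/glib-2.0
+
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -17,8 +20,7 @@ include whitelist-common.inc
 
 apparmor
 caps.drop all
-machine-id
-net none
+# net none - breaks application on older versions
 no3d
 nodvd
 nogroups
@@ -37,10 +39,8 @@ disable-mnt
 private-bin dconf-editor
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,machine-id
 private-lib
 private-tmp
 
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp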
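Review bot: `whitelist ${HOME}/.local/share/glib-2.0` is placed above the disable-*.inc includes, while the other profiles in this commit keep whitelist lines after them in a `mkdir` / `whitelist` / `include whitelist-common.inc` group (bzflag, crawl); dconf.profile uses the same early placement. Moving it into that group, and pairing it with `mkdir ${HOME}/.local/share/glib-2.0` as the others do, keeps the profiles uniform and avoids the whitelist being skipped when the directory does not yet exist, if that is how a missing whitelist target is handled.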
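--- a/etc/dconf.profile
+++ b/etc/dconf.profile
@@ -6,8 +6,11 @@ include dconf.local
 # Persistent global definitions
 include globals.local
 
+whitelist ${HOME}/.local/share/glib-2.0
+
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -44,5 +47,3 @@ private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp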
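--- a/etc/default.profile
+++ b/etc/default.profile
@@ -10,11 +10,13 @@ include globals.local
 
 include disable-common.inc
 # include disable-devel.inc
+# include disable-exec.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-#include disable-xdg.inc
+# include disable-xdg.inc
 
+# apparmor
 caps.drop all
 # ipc-namespace
 netfilter
@@ -42,5 +44,3 @@ seccomp
 # private-tmp
 
 # memory-deny-write-execute
-# noexec ${HOME}
-# noexec /tmp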
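--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -13,6 +13,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 # include disable-devel.inc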
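--- a/etc/devhelp.profile
+++ b/etc/devhelp.profile
@@ -9,6 +9,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -18,8 +19,7 @@ include whitelist-common.inc
 
 apparmor
 caps.drop all
-machine-id
-net none
+# net none - makes settings immutable
 # nodbus - makes settings immutable
 nodvd
 nogroups
@@ -38,11 +38,9 @@ disable-mnt
 private-bin devhelp
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,dconf,fonts,ld.so.cache,machine-id,ssl
 private-tmp
 
 # memory-deny-write-execute - Breaks on Arch
-noexec ${HOME}
-noexec /tmp
 
 read-only ${HOME}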
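--- a/etc/devilspie.profile
+++ b/etc/devilspie.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.devilspie
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -44,7 +45,5 @@ private-lib gconv
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 
 read-only ${HOME}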
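--- a/etc/devilspie2.profile
+++ b/etc/devilspie2.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/devilspie2
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -44,7 +45,5 @@ private-lib gconv
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 
 read-only ${HOME}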
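--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.digrc
 
 include disable-common.inc
 # include disable-devel.inc
+include disable-exec.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -49,5 +50,3 @@ private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp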
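--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -14,6 +14,7 @@ noblacklist ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,5 +41,3 @@ shell none
 # private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
-noexec ${HOME}
-noexec /tmp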
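--- /dev/null
+++ b/etc/disable-exec.inc
@@ -0,0 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include disable-exec.local
+
+noexec ${HOME}
+noexec ${RUNUSER}
+noexec /dev/shm
+noexec /tmp
+# /var is noexec by default for unprivileged users
+# except there is a writable-var option, so just in case:
+noexec /var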
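Review bot: The file has no header saying what it mounts, and its set is wider than the two lines it replaces in this commit's profiles: `noexec ${HOME}` and `noexec /tmp` are joined by `${RUNUSER}`, `/dev/shm` and `/var`, so every profile switched to `include disable-exec.inc` gains three noexec mounts it did not have before. A comment under the `.local` include naming that, e.g. `# noexec for the user-writable locations: ${HOME}, ${RUNUSER}, /dev/shm, /tmp, /var`, tells profile authors what the include implies, and a sentence that exceptions belong in disable-exec.local as `ignore noexec <path>` (the chromium-common hunk places its ignore ahead of the include, which suggests ordering matters) saves them reading the source. The claim on line 9 that /var is noexec by default for unprivileged users is not something this file establishes; if it describes firejail's own mount setup, say where.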
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 971e00f18..96fd80daf 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
@@ -6,7 +6,6 @@ blacklist ${HOME}/Arduino | |||
6 | blacklist ${HOME}/Monero/wallets | 6 | blacklist ${HOME}/Monero/wallets |
7 | blacklist ${HOME}/Nextcloud/Notes | 7 | blacklist ${HOME}/Nextcloud/Notes |
8 | blacklist ${HOME}/Standard Notes Backups | 8 | blacklist ${HOME}/Standard Notes Backups |
9 | blacklist ${HOME}/snap | ||
10 | blacklist ${HOME}/wallet.dat | 9 | blacklist ${HOME}/wallet.dat |
11 | blacklist ${HOME}/.*coin | 10 | blacklist ${HOME}/.*coin |
12 | blacklist ${HOME}/.8pecxstudios | 11 | blacklist ${HOME}/.8pecxstudios |
@@ -49,8 +48,10 @@ blacklist ${HOME}/.bcast5 | |||
49 | blacklist ${HOME}/.bibletime | 48 | blacklist ${HOME}/.bibletime |
50 | blacklist ${HOME}/.bitcoin | 49 | blacklist ${HOME}/.bitcoin |
51 | blacklist ${HOME}/.bogofilter | 50 | blacklist ${HOME}/.bogofilter |
51 | blacklist ${HOME}/.bzf | ||
52 | blacklist ${HOME}/.claws-mail | 52 | blacklist ${HOME}/.claws-mail |
53 | blacklist ${HOME}/.cliqz | 53 | blacklist ${HOME}/.cliqz |
54 | blacklist ${HOME}/.clonk | ||
54 | blacklist ${HOME}/.config/0ad | 55 | blacklist ${HOME}/.config/0ad |
55 | blacklist ${HOME}/.config/2048-qt | 56 | blacklist ${HOME}/.config/2048-qt |
56 | blacklist ${HOME}/.config/Atom | 57 | blacklist ${HOME}/.config/Atom |
@@ -77,6 +78,7 @@ blacklist ${HOME}/.config/Google Play Music Desktop Player | |||
77 | blacklist ${HOME}/.config/Gpredict | 78 | blacklist ${HOME}/.config/Gpredict |
78 | blacklist ${HOME}/.config/INRIA | 79 | blacklist ${HOME}/.config/INRIA |
79 | blacklist ${HOME}/.config/InSilmaril | 80 | blacklist ${HOME}/.config/InSilmaril |
81 | blacklist ${HOME}/.config/Kid3 | ||
80 | blacklist ${HOME}/.config/Luminance | 82 | blacklist ${HOME}/.config/Luminance |
81 | blacklist ${HOME}/.config/Meltytech | 83 | blacklist ${HOME}/.config/Meltytech |
82 | blacklist ${HOME}/.config/Mendeley Ltd. | 84 | blacklist ${HOME}/.config/Mendeley Ltd. |
@@ -156,6 +158,7 @@ blacklist ${HOME}/.config/falkon | |||
156 | blacklist ${HOME}/.config/filezilla | 158 | blacklist ${HOME}/.config/filezilla |
157 | blacklist ${HOME}/.config/flowblade | 159 | blacklist ${HOME}/.config/flowblade |
158 | blacklist ${HOME}/.config/font-manager | 160 | blacklist ${HOME}/.config/font-manager |
161 | blacklist ${HOME}/.config/freecol | ||
159 | blacklist ${HOME}/.config/gajim | 162 | blacklist ${HOME}/.config/gajim |
160 | blacklist ${HOME}/.config/galculator | 163 | blacklist ${HOME}/.config/galculator |
161 | blacklist ${HOME}/.config/gconf | 164 | blacklist ${HOME}/.config/gconf |
@@ -190,6 +193,7 @@ blacklist ${HOME}/.config/katesyntaxhighlightingrc | |||
190 | blacklist ${HOME}/.config/katevirc | 193 | blacklist ${HOME}/.config/katevirc |
191 | blacklist ${HOME}/.config/kdenliverc | 194 | blacklist ${HOME}/.config/kdenliverc |
192 | blacklist ${HOME}/.config/kgetrc | 195 | blacklist ${HOME}/.config/kgetrc |
196 | blacklist ${HOME}/.config/kid3rc | ||
193 | blacklist ${HOME}/.config/klavaro | 197 | blacklist ${HOME}/.config/klavaro |
194 | blacklist ${HOME}/.config/klipperrc | 198 | blacklist ${HOME}/.config/klipperrc |
195 | blacklist ${HOME}/.config/kmail2rc | 199 | blacklist ${HOME}/.config/kmail2rc |
@@ -203,8 +207,10 @@ blacklist ${HOME}/.config/ktorrentrc | |||
203 | blacklist ${HOME}/.config/leafpad | 207 | blacklist ${HOME}/.config/leafpad |
204 | blacklist ${HOME}/.config/libreoffice | 208 | blacklist ${HOME}/.config/libreoffice |
205 | blacklist ${HOME}/.config/liferea | 209 | blacklist ${HOME}/.config/liferea |
210 | blacklist ${HOME}/.config/lugaru | ||
206 | blacklist ${HOME}/.config/lximage-qt | 211 | blacklist ${HOME}/.config/lximage-qt |
207 | blacklist ${HOME}/.config/mailtransports | 212 | blacklist ${HOME}/.config/mailtransports |
213 | blacklist ${HOME}/.config/mana | ||
208 | blacklist ${HOME}/.config/mate-calc | 214 | blacklist ${HOME}/.config/mate-calc |
209 | blacklist ${HOME}/.config/mate/eom | 215 | blacklist ${HOME}/.config/mate/eom |
210 | blacklist ${HOME}/.config/mate/mate-dictionary | 216 | blacklist ${HOME}/.config/mate/mate-dictionary |
@@ -223,6 +229,7 @@ blacklist ${HOME}/.config/nemo | |||
223 | blacklist ${HOME}/.config/netsurf | 229 | blacklist ${HOME}/.config/netsurf |
224 | blacklist ${HOME}/.config/nheko | 230 | blacklist ${HOME}/.config/nheko |
225 | blacklist ${HOME}/.config/NitroShare | 231 | blacklist ${HOME}/.config/NitroShare |
232 | blacklist ${HOME}/.config/nomacs | ||
226 | blacklist ${HOME}/.config/obs-studio | 233 | blacklist ${HOME}/.config/obs-studio |
227 | blacklist ${HOME}/.config/okularpartrc | 234 | blacklist ${HOME}/.config/okularpartrc |
228 | blacklist ${HOME}/.config/okularrc | 235 | blacklist ${HOME}/.config/okularrc |
@@ -296,6 +303,7 @@ blacklist ${HOME}/.config/yandex-browser-beta | |||
296 | blacklist ${HOME}/.config/zathura | 303 | blacklist ${HOME}/.config/zathura |
297 | blacklist ${HOME}/.config/zoomus.conf | 304 | blacklist ${HOME}/.config/zoomus.conf |
298 | blacklist ${HOME}/.conkeror.mozdev.org | 305 | blacklist ${HOME}/.conkeror.mozdev.org |
306 | blacklist ${HOME}/.crawl | ||
299 | blacklist ${HOME}/.curlrc | 307 | blacklist ${HOME}/.curlrc |
300 | blacklist ${HOME}/.dashcore | 308 | blacklist ${HOME}/.dashcore |
301 | blacklist ${HOME}/.devilspie | 309 | blacklist ${HOME}/.devilspie |
@@ -318,6 +326,9 @@ blacklist ${HOME}/.filezilla | |||
318 | blacklist ${HOME}/.flowblade | 326 | blacklist ${HOME}/.flowblade |
319 | blacklist ${HOME}/.fltk | 327 | blacklist ${HOME}/.fltk |
320 | blacklist ${HOME}/.fossamail | 328 | blacklist ${HOME}/.fossamail |
329 | blacklist ${HOME}/.freeciv | ||
330 | blacklist ${HOME}/.freecol | ||
331 | blacklist ${HOME}/.freemind | ||
321 | blacklist ${HOME}/.frozen-bubble | 332 | blacklist ${HOME}/.frozen-bubble |
322 | blacklist ${HOME}/.gimp* | 333 | blacklist ${HOME}/.gimp* |
323 | blacklist ${HOME}/.git-credential-cache | 334 | blacklist ${HOME}/.git-credential-cache |
@@ -404,12 +415,14 @@ blacklist ${HOME}/.killingfloor | |||
404 | blacklist ${HOME}/.kino-history | 415 | blacklist ${HOME}/.kino-history |
405 | blacklist ${HOME}/.kinorc | 416 | blacklist ${HOME}/.kinorc |
406 | blacklist ${HOME}/.kodi | 417 | blacklist ${HOME}/.kodi |
418 | blacklist ${HOME}/.lincity-ng | ||
407 | blacklist ${HOME}/.linphone-history.db | 419 | blacklist ${HOME}/.linphone-history.db |
408 | blacklist ${HOME}/.linphonerc | 420 | blacklist ${HOME}/.linphonerc |
409 | blacklist ${HOME}/.lmmsrc.xml | 421 | blacklist ${HOME}/.lmmsrc.xml |
410 | blacklist ${HOME}/.local/lib/vivaldi | 422 | blacklist ${HOME}/.local/lib/vivaldi |
411 | blacklist ${HOME}/.local/share/0ad | 423 | blacklist ${HOME}/.local/share/0ad |
412 | blacklist ${HOME}/.local/share/3909/PapersPlease | 424 | blacklist ${HOME}/.local/share/3909/PapersPlease |
425 | blacklist ${HOME}/.local/share/Anki2 | ||
413 | blacklist ${HOME}/.local/share/Empathy | 426 | blacklist ${HOME}/.local/share/Empathy |
414 | blacklist ${HOME}/.local/share/JetBrains | 427 | blacklist ${HOME}/.local/share/JetBrains |
415 | blacklist ${HOME}/.local/share/Mendeley Ltd. | 428 | blacklist ${HOME}/.local/share/Mendeley Ltd. |
@@ -437,6 +450,7 @@ blacklist ${HOME}/.local/share/data/Mendeley Ltd. | |||
437 | blacklist ${HOME}/.local/share/data/Mumble | 450 | blacklist ${HOME}/.local/share/data/Mumble |
438 | blacklist ${HOME}/.local/share/data/MusE | 451 | blacklist ${HOME}/.local/share/data/MusE |
439 | blacklist ${HOME}/.local/share/data/MuseScore | 452 | blacklist ${HOME}/.local/share/data/MuseScore |
453 | blacklist ${HOME}/.local/share/data/nomacs | ||
440 | blacklist ${HOME}/.local/share/data/qBittorrent | 454 | blacklist ${HOME}/.local/share/data/qBittorrent |
441 | blacklist ${HOME}/.local/share/dino | 455 | blacklist ${HOME}/.local/share/dino |
442 | blacklist ${HOME}/.local/share/dolphin | 456 | blacklist ${HOME}/.local/share/dolphin |
@@ -445,6 +459,7 @@ blacklist ${HOME}/.local/share/epiphany | |||
445 | blacklist ${HOME}/.local/share/evolution | 459 | blacklist ${HOME}/.local/share/evolution |
446 | blacklist ${HOME}/.local/share/feedreader | 460 | blacklist ${HOME}/.local/share/feedreader |
447 | blacklist ${HOME}/.local/share/feral-interactive | 461 | blacklist ${HOME}/.local/share/feral-interactive |
462 | blacklist ${HOME}/.local/share/freecol | ||
448 | blacklist ${HOME}/.local/share/gajim | 463 | blacklist ${HOME}/.local/share/gajim |
449 | blacklist ${HOME}/.local/share/geary | 464 | blacklist ${HOME}/.local/share/geary |
450 | blacklist ${HOME}/.local/share/geeqie | 465 | blacklist ${HOME}/.local/share/geeqie |
@@ -472,6 +487,8 @@ blacklist ${HOME}/.local/share/kwrite | |||
472 | blacklist ${HOME}/.local/share/liferea | 487 | blacklist ${HOME}/.local/share/liferea |
473 | blacklist ${HOME}/.local/share/local-mail | 488 | blacklist ${HOME}/.local/share/local-mail |
474 | blacklist ${HOME}/.local/share/lollypop | 489 | blacklist ${HOME}/.local/share/lollypop |
490 | blacklist ${HOME}/.local/share/lugaru | ||
491 | blacklist ${HOME}/.local/share/mana | ||
475 | blacklist ${HOME}/.local/share/maps-places.json | 492 | blacklist ${HOME}/.local/share/maps-places.json |
476 | blacklist ${HOME}/.local/share/meld | 493 | blacklist ${HOME}/.local/share/meld |
477 | blacklist ${HOME}/.local/share/midori | 494 | blacklist ${HOME}/.local/share/midori |
@@ -483,6 +500,7 @@ blacklist ${HOME}/.local/share/nautilus | |||
483 | blacklist ${HOME}/.local/share/nautilus-python | 500 | blacklist ${HOME}/.local/share/nautilus-python |
484 | blacklist ${HOME}/.local/share/nemo | 501 | blacklist ${HOME}/.local/share/nemo |
485 | blacklist ${HOME}/.local/share/nemo-python | 502 | blacklist ${HOME}/.local/share/nemo-python |
503 | blacklist ${HOME}/.local/share/nomacs | ||
486 | blacklist ${HOME}/.local/share/notes | 504 | blacklist ${HOME}/.local/share/notes |
487 | blacklist ${HOME}/.local/share/ocenaudio | 505 | blacklist ${HOME}/.local/share/ocenaudio |
488 | blacklist ${HOME}/.local/share/okular | 506 | blacklist ${HOME}/.local/share/okular |
@@ -508,6 +526,7 @@ blacklist ${HOME}/.local/share/uzbl | |||
508 | blacklist ${HOME}/.local/share/vlc | 526 | blacklist ${HOME}/.local/share/vlc |
509 | blacklist ${HOME}/.local/share/vpltd | 527 | blacklist ${HOME}/.local/share/vpltd |
510 | blacklist ${HOME}/.local/share/vulkan | 528 | blacklist ${HOME}/.local/share/vulkan |
529 | blacklist ${HOME}/.local/share/warsow-2.1 | ||
511 | blacklist ${HOME}/.local/share/wesnoth | 530 | blacklist ${HOME}/.local/share/wesnoth |
512 | blacklist ${HOME}/.local/share/xplayer | 531 | blacklist ${HOME}/.local/share/xplayer |
513 | blacklist ${HOME}/.local/share/xreader | 532 | blacklist ${HOME}/.local/share/xreader |
@@ -517,6 +536,7 @@ blacklist ${HOME}/.masterpdfeditor | |||
517 | blacklist ${HOME}/.mcabber | 536 | blacklist ${HOME}/.mcabber |
518 | blacklist ${HOME}/.mcabberrc | 537 | blacklist ${HOME}/.mcabberrc |
519 | blacklist ${HOME}/.mediathek3 | 538 | blacklist ${HOME}/.mediathek3 |
539 | blacklist ${HOME}/.megaglest | ||
520 | blacklist ${HOME}/.minetest | 540 | blacklist ${HOME}/.minetest |
521 | blacklist ${HOME}/.moonchild productions/basilisk | 541 | blacklist ${HOME}/.moonchild productions/basilisk |
522 | blacklist ${HOME}/.moonchild productions/pale moon | 542 | blacklist ${HOME}/.moonchild productions/pale moon |
@@ -531,12 +551,16 @@ blacklist ${HOME}/.netactview | |||
531 | blacklist ${HOME}/.neverball | 551 | blacklist ${HOME}/.neverball |
532 | blacklist ${HOME}/.nv | 552 | blacklist ${HOME}/.nv |
533 | blacklist ${HOME}/.nylas-mail | 553 | blacklist ${HOME}/.nylas-mail |
554 | blacklist ${HOME}/.opencity | ||
534 | blacklist ${HOME}/.openinvaders | 555 | blacklist ${HOME}/.openinvaders |
535 | blacklist ${HOME}/.openshot | 556 | blacklist ${HOME}/.openshot |
536 | blacklist ${HOME}/.openshot_qt | 557 | blacklist ${HOME}/.openshot_qt |
558 | blacklist ${HOME}/.openttd | ||
537 | blacklist ${HOME}/.opera | 559 | blacklist ${HOME}/.opera |
538 | blacklist ${HOME}/.opera-beta | 560 | blacklist ${HOME}/.opera-beta |
561 | blacklist ${HOME}/.ostrichriders | ||
539 | blacklist ${HOME}/.pingus | 562 | blacklist ${HOME}/.pingus |
563 | blacklist ${HOME}/.pioneer | ||
540 | blacklist ${HOME}/.purple | 564 | blacklist ${HOME}/.purple |
541 | blacklist ${HOME}/.qemu-launcher | 565 | blacklist ${HOME}/.qemu-launcher |
542 | blacklist ${HOME}/.qmmp | 566 | blacklist ${HOME}/.qmmp |
@@ -546,6 +570,7 @@ blacklist ${HOME}/.remmina | |||
546 | blacklist ${HOME}/.repo_.gitconfig.json | 570 | blacklist ${HOME}/.repo_.gitconfig.json |
547 | blacklist ${HOME}/.repoconfig | 571 | blacklist ${HOME}/.repoconfig |
548 | blacklist ${HOME}/.retroshare | 572 | blacklist ${HOME}/.retroshare |
573 | blacklist ${HOME}/.scorched3d | ||
549 | blacklist ${HOME}/.scribus | 574 | blacklist ${HOME}/.scribus |
550 | blacklist ${HOME}/.scribusrc | 575 | blacklist ${HOME}/.scribusrc |
551 | blacklist ${HOME}/.simutrans | 576 | blacklist ${HOME}/.simutrans |
@@ -560,10 +585,14 @@ blacklist ${HOME}/.sword | |||
560 | blacklist ${HOME}/.sylpheed-2.0 | 585 | blacklist ${HOME}/.sylpheed-2.0 |
561 | blacklist ${HOME}/.synfig | 586 | blacklist ${HOME}/.synfig |
562 | blacklist ${HOME}/.tconn | 587 | blacklist ${HOME}/.tconn |
588 | blacklist ${HOME}/.teeworlds | ||
563 | blacklist ${HOME}/.thunderbird | 589 | blacklist ${HOME}/.thunderbird |
564 | blacklist ${HOME}/.tilp | 590 | blacklist ${HOME}/.tilp |
565 | blacklist ${HOME}/.tooling | 591 | blacklist ${HOME}/.tooling |
566 | blacklist ${HOME}/.tor-browser-* | 592 | blacklist ${HOME}/.tor-browser-* |
593 | blacklist ${HOME}/.tor-browser_* | ||
594 | blacklist ${HOME}/.torcs | ||
595 | blacklist ${HOME}/.tremulous | ||
567 | blacklist ${HOME}/.ts3client | 596 | blacklist ${HOME}/.ts3client |
568 | blacklist ${HOME}/.tuxguitar* | 597 | blacklist ${HOME}/.tuxguitar* |
569 | blacklist ${HOME}/.unknown-horizons | 598 | blacklist ${HOME}/.unknown-horizons |
@@ -572,12 +601,14 @@ blacklist ${HOME}/.viking-maps | |||
572 | blacklist ${HOME}/.vscode | 601 | blacklist ${HOME}/.vscode |
573 | blacklist ${HOME}/.vscode-oss | 602 | blacklist ${HOME}/.vscode-oss |
574 | blacklist ${HOME}/.vst | 603 | blacklist ${HOME}/.vst |
604 | blacklist ${HOME}/.vultures | ||
575 | blacklist ${HOME}/.w3m | 605 | blacklist ${HOME}/.w3m |
576 | blacklist ${HOME}/.warzone2100-3.* | 606 | blacklist ${HOME}/.warzone2100-3.* |
577 | blacklist ${HOME}/.waterfox | 607 | blacklist ${HOME}/.waterfox |
578 | blacklist ${HOME}/.weechat | 608 | blacklist ${HOME}/.weechat |
579 | blacklist ${HOME}/.wget-hsts | 609 | blacklist ${HOME}/.wget-hsts |
580 | blacklist ${HOME}/.wgetrc | 610 | blacklist ${HOME}/.wgetrc |
611 | blacklist ${HOME}/.widelands | ||
581 | blacklist ${HOME}/.wine | 612 | blacklist ${HOME}/.wine |
582 | blacklist ${HOME}/.wireshark | 613 | blacklist ${HOME}/.wireshark |
583 | blacklist ${HOME}/.wine64 | 614 | blacklist ${HOME}/.wine64 |
@@ -620,6 +651,7 @@ blacklist ${HOME}/.cache/falkon | |||
620 | blacklist ${HOME}/.cache/feedreader | 651 | blacklist ${HOME}/.cache/feedreader |
621 | blacklist ${HOME}/.cache/font-manager | 652 | blacklist ${HOME}/.cache/font-manager |
622 | blacklist ${HOME}/.cache/fossamail | 653 | blacklist ${HOME}/.cache/fossamail |
654 | blacklist ${HOME}/.cache/freecol | ||
623 | blacklist ${HOME}/.cache/gajim | 655 | blacklist ${HOME}/.cache/gajim |
624 | blacklist ${HOME}/.cache/geeqie | 656 | blacklist ${HOME}/.cache/geeqie |
625 | blacklist ${HOME}/.cache/google-chrome | 657 | blacklist ${HOME}/.cache/google-chrome |
@@ -684,6 +716,7 @@ blacklist ${HOME}/.cache/transmission | |||
684 | blacklist ${HOME}/.cache/vivaldi | 716 | blacklist ${HOME}/.cache/vivaldi |
685 | blacklist ${HOME}/.cache/vivaldi-snapshot | 717 | blacklist ${HOME}/.cache/vivaldi-snapshot |
686 | blacklist ${HOME}/.cache/vlc | 718 | blacklist ${HOME}/.cache/vlc |
719 | blacklist ${HOME}/.cache/warsow-2.1 | ||
687 | blacklist ${HOME}/.cache/waterfox | 720 | blacklist ${HOME}/.cache/waterfox |
688 | blacklist ${HOME}/.cache/wesnoth | 721 | blacklist ${HOME}/.cache/wesnoth |
689 | blacklist ${HOME}/.cache/xmms2 | 722 | blacklist ${HOME}/.cache/xmms2 |
@@ -692,3 +725,7 @@ blacklist ${HOME}/.cache/yandex-browser | |||
692 | blacklist ${HOME}/.cache/yandex-browser-beta | 725 | blacklist ${HOME}/.cache/yandex-browser-beta |
693 | 726 | ||
694 | blacklist /var/games/nethack | 727 | blacklist /var/games/nethack |
728 | blacklist /var/games/slashem | ||
729 | blacklist /var/games/vulturesclaw | ||
730 | blacklist /var/games/vultureseye | ||
731 | blacklist /var/lib/games/Maelstrom-Scores | ||
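--- a/etc/display.profile
+++ b/etc/display.profile
@@ -12,6 +12,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc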
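--- a/etc/easystroke.profile
+++ b/etc/easystroke.profile
@@ -10,12 +10,14 @@ noblacklist ${HOME}/.easystroke
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
+apparmor
 caps.drop all
-ipc-namespace
 machine-id
 net none
 no3d
@@ -33,13 +35,13 @@ seccomp
 shell none
 
 disable-mnt
-private-bin easystroke,bash,sh
+# breaks custom shell command functionality
+#private-bin bash,easystroke,sh
 private-cache
 private-dev
-private-etc alternatives,fonts
-private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
+private-etc alternatives,fonts,group,passwd
+# breaks custom shell command functionality
+#private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp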
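Review bot: `ipc-namespace` is dropped in the first hunk without a comment saying why, while the rest of this commit keeps disabled directives as documented comments (`#ipc-namespace - causing issues launching on archlinux` in file-roller.profile). Keeping `# ipc-namespace - <reason>` in place would tell the next maintainer that the removal was deliberate and let users re-enable it in easystroke.local. With `private-bin` and `private-lib` also commented out for the custom-shell-command feature, the profile presumably relies mainly on disable-exec.inc and memory-deny-write-execute to limit what those commands can run, which is worth stating next to those two comments.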
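--- a/etc/electrum.profile
+++ b/etc/electrum.profile
@@ -13,6 +13,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc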
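--- a/etc/enchant.profile
+++ b/etc/enchant.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/enchant
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +44,3 @@ private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp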
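--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -8,6 +8,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -38,5 +39,3 @@ private-dev
 # private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp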
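--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.steam
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -23,9 +24,7 @@ apparmor
 caps.drop all
 ipc-namespace
 machine-id
-net none
 no3d
-# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
@@ -37,7 +36,10 @@ novideo
 protocol unix
 seccomp
 shell none
+tracelog
 
+# private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'
+# comment those if you need that functionality
 private-bin eog
 private-cache
 private-dev
@@ -46,5 +48,3 @@ private-lib eog,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*
 private-tmp
 
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp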
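Review bot: The second hunk removes `net none` outright and also deletes the `# nodbus - makes settings immutable` comment, so the new profile no longer records why either restriction is absent from an image viewer. Elsewhere in this commit a dropped directive stays in place as a comment with its reason (`# net none - breaks on older Ubuntu versions` in file-roller.profile); the same form here, `# net none - <reason>`, would keep the widening visible and easy to revert in eog.local. The same applies to eom.profile, where the three `makes settings immutable` comments for apparmor, net none and nodbus are removed rather than kept.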
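--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -19,11 +19,8 @@ include disable-programs.inc
 
 include whitelist-var-common.inc
 
-# apparmor - makes settings immutable
 caps.drop all
-# net none - makes settings immutable
 no3d
-# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
@@ -37,6 +34,8 @@ seccomp
 shell none
 tracelog
 
+# private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'
+# comment those if you need that functionality
 private-bin eom
 private-dev
 private-etc alternatives,fonts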
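--- a/etc/exfalso.profile
+++ b/etc/exfalso.profile
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc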
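--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -15,6 +15,7 @@ noblacklist /usr/share/perl*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,12 +40,12 @@ seccomp
 shell none
 tracelog
 
-private-bin exiftool,perl
+# To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool to /usr/bin/exiftool and uncomment the below.
+# Users on non-Arch Linux distributions can safely uncomment the below to enable extra hardening.
+#private-bin exiftool,perl
 private-cache
 private-dev
 private-etc alternatives
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp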
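--- a/etc/feh-network.inc
+++ b/etc/feh-network.inc
@@ -1,2 +1,4 @@
 ignore net none
-private-etc resolv.conf,ca-certificates,ssl
+netfilter
+protocol unix,inet,inet6
+private-etc resolv.conf,ca-certificates,ssl,pki,hosts,crypto-policies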
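Review bot: The new `protocol unix,inet,inet6` line only helps if the including profile has not already fixed a protocol list; if feh.profile carries its own `protocol` line, the two may collide the same way `net none` did, which the existing `ignore net none` handles but nothing handles for `protocol`. Whether a second protocol list replaces the first or is discarded depends on how firejail resolves duplicates, so this is worth checking against feh.profile rather than assumed. A header comment such as `# included from feh.profile: re-enables networking and widens protocol/private-etc accordingly` would record the ordering dependency for whoever edits either file next.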
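--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -12,6 +12,7 @@ noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -48,5 +49,3 @@ private-etc alternatives,pki,pkcs11,hosts,ssl,ca-certificates,resolv.conf
 private-tmp
 
 # memory-deny-write-execute - it breaks old versions of ffmpeg
-noexec ${HOME}
-noexec /tmp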
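--- a/etc/ffmpegthumbnailer.profile
+++ b/etc/ffmpegthumbnailer.profile
@@ -10,6 +10,8 @@ include ffmpegthumbnailer.local
 private-bin ffmpegthumbnailer
 private-lib libffmpegthumbnailer.so.*
 
+# fix for ranger video thumbnails
+ignore private-cache
 
 # Redirect
 include ffmpeg.profile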
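--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -8,6 +8,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -16,11 +17,11 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-ipc-namespace
+#ipc-namespace - causing issues launching on archlinux
 machine-id
-net none
+# net none - breaks on older Ubuntu versions
 no3d
-# nodbus makes settings immutable - comment if you need settings support
+# nodbus - makes settings immutable - comment if you need settings support
 nodbus
 nodvd
 nogroups
@@ -41,5 +42,3 @@ private-dev
 # private-tmp
 
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp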
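Review bot: `ipc-namespace` and `net none` in the second hunk are now disabled for every distribution because of problems seen on Arch Linux and older Ubuntu respectively, so users elsewhere silently lose both restrictions. The two comments could point readers at the opt-in, e.g. `# net none - breaks on older Ubuntu versions; add it to file-roller.local if it works for you`. The two commented lines also use different spacing (`#ipc-namespace` vs `# net none`); the `# net none` form matches the `# nodbus` comment two lines below.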
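--- a/etc/file.profile
+++ b/etc/file.profile
@@ -10,6 +10,7 @@ include globals.local
 blacklist /tmp/.X11-unix
 
 include disable-common.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
@@ -41,5 +42,3 @@ private-etc alternatives,magic.mgc,magic,localtime
 private-lib libarchive.so.*,libfakeroot,libmagic.so.*
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp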
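--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc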
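--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -6,6 +6,9 @@ include firefox-common.local
 # already included by caller profile
 #include globals.local
 
+# noexec ${HOME} breaks DRM binaries.
+ignore noexec ${HOME}
+
 # Uncomment the following line to allow access to common programs/addons/plugins.
 #include firefox-common-addons.inc
 
@@ -14,6 +17,7 @@ noblacklist ${HOME}/.local/share/pki
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 
@@ -55,7 +59,3 @@ private-dev
 # private-etc below works fine on most distributions. There are some problems on CentOS.
 #private-etc alternatives,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies,ld.so.cache
 private-tmp
-
-# Breaks DRM binaries.
-#noexec ${HOME}
-noexec /tmp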
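--- a/etc/flowblade.profile
+++ b/etc/flowblade.profile
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc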
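--- a/etc/font-manager.profile
+++ b/etc/font-manager.profile
@@ -14,9 +14,12 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -31,7 +34,7 @@ include whitelist-common.inc
 apparmor
 caps.drop all
 machine-id
-net none
+# net none - issues on older versions
 no3d
 nodvd
 nogroups
@@ -52,5 +55,3 @@ private-dev
 private-tmp
 
 #memory-deny-write-execute - Breaks on Arch
-noexec ${HOME}
-noexec /tmp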
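Review bot: `# net none - issues on older versions` in the third hunk does not say older versions of what (font-manager, the distribution, or firejail), so a maintainer cannot tell when the restriction can safely come back. The sibling change in this commit spells it out (`# net none - breaks on older Ubuntu versions` in file-roller.profile); `# net none - issues on older font-manager versions`, or whichever component is meant, would make the comment actionable.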
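--- a/etc/fontforge.profile
+++ b/etc/fontforge.profile
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc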
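--- /dev/null
+++ b/etc/freeciv-gtk3.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for freeciv
+# This file is overwritten after every install/update
+
+# Redirect
+include freeciv.profile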
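--- /dev/null
+++ b/etc/freeciv-mp-gtk3.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for freeciv
+# This file is overwritten after every install/update
+
+# Redirect
+include freeciv.profile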
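--- /dev/null
+++ b/etc/freeciv.profile
@@ -0,0 +1,44 @@
+# Firejail profile for freeciv
+# Description: A multi-player strategy game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freeciv.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.freeciv
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.freeciv
+whitelist ${HOME}/.freeciv
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin freeciv-gtk3,freeciv-mp-gtk3,freeciv-server,freeciv-manual
+private-cache
+private-dev
+private-tmp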
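Review bot: `private-bin` allows `freeciv-server` inside a sandbox that also sets `netfilter`; if firejail's default netfilter is the usual client filter that drops new inbound connections, hosting a game from this sandbox would likely not accept remote players, and nothing in the profile says whether that is intended. A comment next to `netfilter` stating the expectation, and how to relax it in freeciv.local if hosting is wanted, would save the first bug report. The profile also has no `private-etc` line, commented or otherwise, whereas the other new profile in this commit records the untested candidate as `#private-etc alternatives,fonts,java` (freemind.profile); the same convention here would show the omission is deliberate.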
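--- /dev/null
+++ b/etc/freecol.profile
@@ -0,0 +1,60 @@
+# Firejail profile for freecol
+# Description: Turn-based multi-player strategy game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freecol.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.freecol
+noblacklist ${HOME}/.java
+noblacklist ${HOME}/.cache/freecol
+noblacklist ${HOME}/.config/freecol
+noblacklist ${HOME}/.local/share/freecol
+
+# Allow access to java
+noblacklist ${PATH}/java
+noblacklist /usr/lib/java
+noblacklist /etc/java
+noblacklist /usr/share/java
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.java
+mkdir ${HOME}/.cache/freecol
+mkdir ${HOME}/.config/freecol
+mkdir ${HOME}/.local/share/freecol
+whitelist ${HOME}/.freecol
+whitelist ${HOME}/.java
+whitelist ${HOME}/.cache/freecol
+whitelist ${HOME}/.config/freecol
+whitelist ${HOME}/.local/share/freecol
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-tmp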
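Review bot: `whitelist ${HOME}/.freecol` has no matching `mkdir ${HOME}/.freecol`, unlike the four other whitelisted directories just above it; if the directory does not exist yet, the whitelist cannot be applied and a first run of freecol is left unable to create it. Adding `mkdir ${HOME}/.freecol` alongside the other mkdir lines would make the first-run case consistent, unless `.freecol` is a legacy location that only needs reading when present, in which case a one-line comment saying so would stop the next reviewer from asking the same question.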
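--- /dev/null
+++ b/etc/freemind.profile
@@ -0,0 +1,52 @@
+# Firejail profile for freemind
+# Description: Free mind mapping software
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freemind.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+noblacklist ${PATH}/java
+noblacklist /etc/java
+noblacklist /usr/lib/java
+noblacklist /usr/share/java
+noblacklist ${HOME}/.freemind
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin freemind,java,bash,sed,sh,grep,mkdir,echo,cp,uname,which,lsb_release,rpm,dpkg,dirname,readlink
+private-cache
+private-dev
+#private-etc alternatives,fonts,java
+private-tmp
+private-opt none
+private-srv none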
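Review bot: `#private-etc alternatives,fonts,java` is left commented out with no reason, whereas the other disabled directives in this commit carry one (`# memory-deny-write-execute - it breaks old versions of ffmpeg` in ffmpeg.profile); a note such as `#private-etc alternatives,fonts,java - <what breaks>` would let users decide whether to enable it in freemind.local. The `private-bin` list also admits `rpm`, `dpkg`, `lsb_release`, `which` and `uname`, presumably because the freemind launcher script probes the distribution; a comment saying so would explain why package-manager binaries are inside the sandbox and when they can be dropped.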
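--- a/etc/freshclam.profile
+++ b/etc/freshclam.profile
@@ -6,6 +6,7 @@ include clamav.local
 # Persistent global definitions
 include globals.local
 
+include disable-exec.inc
 
 caps.keep setgid,setuid
 ipc-namespace
@@ -32,5 +33,3 @@ writable-var
 writable-var-log
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp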
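Review bot: The explicit `noexec ${HOME}` and `noexec /tmp` lines are removed and `include disable-exec.inc` is added in their place, but disable-exec.inc itself is not part of this chunk, so whether both mounts stay no-exec now rests entirely on that file carrying both directives; that is worth confirming before the removals land, because a profile that lost one of them would weaken without any visible change in its own text. The same replacement is made in gcloud, gconf, gedit, geekbench, ghostwriter, gimp, git, gnome-calculator, gnome-clocks, gnome-keyring, gnome-logs, gnome-maps, gnome-schedule, gnome-system-log, gpicview, gucharmap, gwenview, handbrake, img2txt, inkscape, kate, kcalc, kdenlive and keepassx below. In this profile the new include stands alone between `include globals.local` and `caps.keep`, whereas every other section places it inside its disable-*.inc group after `include disable-devel.inc`; if freshclam intentionally has no such group, a short comment saying so would make the asymmetry deliberate rather than accidental.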
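--- a/etc/gajim.profile
+++ b/etc/gajim.profile
@@ -10,10 +10,13 @@ noblacklist ${HOME}/.cache/gajim
 noblacklist ${HOME}/.config/gajim
 noblacklist ${HOME}/.local/share/gajim
 
-# Allow Python (blacklisted by disable-interpreters.inc)
+# Allow python (blacklisted by disable-interpreters.inc)
+#noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
+#noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
-noblacklist /usr/lib64/python3*
+#noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc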
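Review bot: `noblacklist /usr/lib64/python3*` is dropped from the new side while `/usr/local/lib/python3*` is added, and the other python-using profiles on this page (gconf, gnome-music, gnome-schedule, hexchat, inkscape) only add the /usr/local/lib entries without removing anything. If disable-interpreters.inc blacklists /usr/lib64/python* (that file is not visible here), gajim loses its interpreter on distributions that install python under /usr/lib64, which is a functional regression rather than a hardening. Unless the lib64 entry was verified to be redundant, keep `noblacklist /usr/lib64/python3*` next to the new lines.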
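--- a/etc/galculator.profile
+++ b/etc/galculator.profile
@@ -10,9 +10,11 @@ noblacklist ${HOME}/.config/galculator
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.config/galculator
 whitelist ${HOME}/.config/galculator
@@ -21,6 +23,8 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
+hostname galculator
+ipc-namespace
 net none
 nodbus
 nodvd
@@ -37,7 +41,10 @@ shell none
 tracelog
 
 private-bin galculator
+private-cache
 private-dev
 private-etc alternatives,fonts
 private-lib
 private-tmp
+
+memory-deny-write-execute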
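--- a/etc/gcloud.profile
+++ b/etc/gcloud.profile
@@ -5,12 +5,16 @@ include gcloud.local
 # Persistent global definitions
 include globals.local
 
+# noexec ${HOME} will break user-local installs of gcloud tooling
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.boto
 noblacklist ${HOME}/.config/gcloud
 noblacklist /var/run/docker.sock
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-programs.inc
 
 apparmor
@@ -34,8 +38,3 @@ disable-mnt
 private-dev
 private-etc alternatives,ca-certificates,ssl,hosts,localtime,nsswitch.conf,resolv.conf,pki,crypto-policies,ld.so.cache
 private-tmp
-
-noexec /tmp
-
-# will break user-local installs of gcloud tooling
-# noexec ${HOME}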
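--- a/etc/gconf.profile
+++ b/etc/gconf.profile
@@ -8,14 +8,17 @@ include globals.local
 
 noblacklist ${HOME}/.config/gconf
 
-# Allow python2 (blacklisted by disable-interpreters.inc)
+# Allow python (blacklisted by disable-interpreters.inc)
 noblacklist ${PATH}/python2*
 #noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 #noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+#noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -53,5 +56,3 @@ private-lib libpython*,python2*
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp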
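--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.python-history
 
 include disable-common.inc
 # include disable-devel.inc
+include disable-exec.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -44,5 +45,3 @@ private-dev
 private-lib /usr/bin/gedit,libtinfo.so.*,libreadline.so.*,gedit,libgspell-1.so.*,gconv,aspell
 private-tmp
 
-noexec ${HOME}
-noexec /tmp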
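--- a/etc/geekbench.profile
+++ b/etc/geekbench.profile
@@ -8,6 +8,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -46,7 +47,5 @@ private-opt none
 private-tmp
 
 # memory-deny-write-execute - Breaks on Arch
-noexec ${HOME}
-noexec /tmp
 
 read-only ${HOME}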
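--- a/etc/ghostwriter.profile
+++ b/etc/ghostwriter.profile
@@ -12,6 +12,7 @@ noblacklist ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -53,5 +54,3 @@ private-etc alternatives,cups,crypto-policies,localtime,drirc,fonts,gtk-3.0,dcon
 #private-lib
 private-tmp
 
-noexec ${HOME}
-noexec /tmp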
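--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -6,12 +6,17 @@ include gimp.local
 # Persistent global definitions
 include globals.local
 
+# gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory
+# if you are not using external plugins, you can disable ignore noexec statement below
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.config/GIMP
 noblacklist ${HOME}/.gimp*
 noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
 
 include disable-common.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
@@ -35,8 +40,3 @@ shell none
 
 private-dev
 private-tmp
-
-# gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory
-# if you are not using external plugins, you can enable noexec statement below
-# noexec ${HOME}
-noexec /tmp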
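Review bot: The comment above `ignore noexec ${HOME}` tells the reader they "can disable ignore noexec statement below" without saying how, and the user-facing action is the opposite of the old "enable noexec" wording; `# if you do not use external plugins, comment out the ignore line below to keep ${HOME} no-exec` says it unambiguously. The same comment names only `${HOME}/.gimp-2.8/plug-ins/`, yet the profile also un-blacklists `${HOME}/.config/GIMP`, which is where GIMP 2.10 keeps its per-user plug-ins; naming both locations keeps the stated reason for the exemption accurate for either version.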
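--- a/etc/git.profile
+++ b/etc/git.profile
@@ -21,6 +21,7 @@ noblacklist ${HOME}/.vim
 noblacklist ${HOME}/.viminfo
 
 include disable-common.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
@@ -46,5 +47,3 @@ private-cache
 private-dev
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp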
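--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -9,6 +9,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-interpreters.inc
 include disable-programs.inc
@@ -45,5 +46,3 @@ private-dev
 private-tmp
 
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp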
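--- a/etc/gnome-clocks.profile
+++ b/etc/gnome-clocks.profile
@@ -8,6 +8,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,5 +40,3 @@ private-dev
 private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies,machine-id,hosts,pkcs11,localtime,gtk-3.0,dconf
 private-tmp
 
-noexec ${HOME}
-noexec /tmp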
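--- a/etc/gnome-keyring.profile
+++ b/etc/gnome-keyring.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.gnupg
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-interpreters.inc
 include disable-programs.inc
@@ -47,5 +48,3 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp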
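--- a/etc/gnome-logs.profile
+++ b/etc/gnome-logs.profile
@@ -8,6 +8,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -46,8 +47,6 @@ private-tmp
 writable-var-log
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 
 # comment this if you export logs to a file in your ${HOME}
 read-only ${HOME}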
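--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.local/share/flatpak
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +44,3 @@ private-dev
 # private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
-noexec ${HOME}
-noexec /tmp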
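--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc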
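--- a/etc/gnome-pie.profile
+++ b/etc/gnome-pie.profile
@@ -16,8 +16,7 @@ include disable-passwdmgr.inc
 
 caps.drop all
 ipc-namespace
-machine-id
-net none
+# net none - breaks dbus
 no3d
 nodvd
 nogroups
@@ -34,7 +33,7 @@ shell none
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,machine-id
 private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
 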
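Review bot: Commenting out `net none` because it breaks D-Bus hands the sandbox unrestricted network access as a side effect, which is more than a launcher needs; `protocol unix` (the directive freemind.profile on this page uses as `protocol unix,inet,inet6`) would keep the D-Bus unix socket working while refusing inet sockets, assuming the profile does not already set a `protocol` line outside the hunk. The same `net none` retreat is made in gnome-schedule (`breaks on Ubuntu`), gnome-system-log and gucharmap, so the mitigation applies there too. This hunk also drops the `machine-id` directive and instead exposes the real file via `private-etc alternatives,fonts,machine-id`, presumably because the spoofed id interfered with the D-Bus lookup; gucharmap keeps `machine-id` after the same `net none` change, so a comment on why gnome-pie needs the real id would explain the difference.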
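--- a/etc/gnome-schedule.profile
+++ b/etc/gnome-schedule.profile
@@ -35,14 +35,17 @@ noblacklist ${PATH}/urxvtcd
 noblacklist ${PATH}/xfce4-terminal
 noblacklist ${PATH}/xfce4-terminal.wrapper
 
-# Allow python (disabled by disable-interpreters.inc)
+# Allow python (blacklisted by disable-interpreters.inc)
 noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -56,7 +59,7 @@ apparmor
 caps.keep chown,dac_override,setgid,setuid
 ipc-namespace
 machine-id
-net none
+#net none - breaks on Ubuntu
 no3d
 nodvd
 nogroups
@@ -73,5 +76,3 @@ private-dev
 # private-etc alternatives
 writable-var
 
-noexec ${HOME}
-noexec /tmp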
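--- a/etc/gnome-system-log.profile
+++ b/etc/gnome-system-log.profile
@@ -10,6 +10,7 @@ noblacklist /var/log
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -22,8 +23,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
-machine-id
-net none
+# net none - breaks dbus
 no3d
 # nodbus
 nodvd
@@ -50,8 +50,6 @@ private-tmp
 writable-var-log
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 
 # uncomment this if you never export logs to a file in your ${HOME}
 #read-only ${HOME}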
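--- a/etc/gpicview.profile
+++ b/etc/gpicview.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/gpicview
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +44,3 @@ private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp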
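--- a/etc/gucharmap.profile
+++ b/etc/gucharmap.profile
@@ -9,6 +9,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -20,7 +21,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-net none
+#net none - breaks dbus
 no3d
 nodvd
 nogroups
@@ -35,12 +36,13 @@ seccomp
 shell none
 
 disable-mnt
+private-bin gucharmap
 private-cache
 private-dev
+private-etc alternatives,fonts
+private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 
 read-only ${HOME}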
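--- a/etc/gunzip.profile
+++ b/etc/gunzip.profile
@@ -3,7 +3,8 @@
 # Persistent local customizations
 include gunzip.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
 # Redirect
 include gzip.profile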
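--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -19,6 +19,7 @@ noblacklist ${HOME}/.local/share/org.kde.gwenview
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -47,5 +48,3 @@ private-dev
 private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
 
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp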
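--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -5,16 +5,24 @@ quiet
 # Persistent local customizations
 include gzip.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
 
 blacklist /tmp/.X11-unix
 
+include disable-exec.inc
+include disable-interpreters.inc
+
 ignore noroot
+
+apparmor
+hostname gzip
+ipc-namespace
+machine-id
 net none
 no3d
 nodbus
 nodvd
+nogroups
 nosound
 notv
 nou2f
@@ -22,6 +30,9 @@ novideo
 shell none
 tracelog
 
+private-cache
 private-dev
 
+memory-deny-write-execute
+
 include default.profile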
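Review bot: gzip.profile now includes `globals.local` itself while gunzip.profile comments its own include out as `# added by included profile`, which reverses the earlier arrangement between the two files; if any other profile outside this chunk still redirects with `include gzip.profile` and keeps its own `include globals.local`, that file is now read twice. Double inclusion of a definitions file is presumably harmless, but the convention has flipped without a note, so a line such as `# globals.local is included here on behalf of the profiles that redirect to gzip.profile` above the new include would tell the next author which side owns it.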
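--- a/etc/handbrake.profile
+++ b/etc/handbrake.profile
@@ -12,6 +12,7 @@ noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -35,5 +36,3 @@ shell none
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp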
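--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc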
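--- a/etc/img2txt.profile
+++ b/etc/img2txt.profile
@@ -10,6 +10,7 @@ noblacklist ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -41,5 +42,3 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp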
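--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -17,9 +17,12 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -50,5 +53,3 @@ private-dev
 private-tmp
 
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp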
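--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -6,6 +6,8 @@ include kate.local
 # Persistent global definitions
 include globals.local
 
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.config/katemetainfos
 noblacklist ${HOME}/.config/katepartrc
 noblacklist ${HOME}/.config/katerc
@@ -16,6 +18,7 @@ noblacklist ${HOME}/.local/share/kate
 
 include disable-common.inc
 # include disable-devel.inc
+include disable-exec.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -45,7 +48,4 @@ private-dev
 # private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
 private-tmp
 
-# noexec ${HOME}
-noexec /tmp
-
 join-or-start kate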
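Review bot: `ignore noexec ${HOME}` is added at the top of the profile without any comment, whereas gcloud and gimp on this page justify their identical exemptions (`# noexec ${HOME} will break user-local installs of gcloud tooling`); a line such as `# ignore noexec ${HOME} - <reason kate needs executables under ${HOME}>` above it would record why this editor keeps ${HOME} executable when most profiles in the commit no longer do. kdenlive receives the same uncommented `ignore noexec ${HOME}` in its first hunk. gedit, which like kate keeps `disable-devel.inc` and `disable-interpreters.inc` commented out, gets `include disable-exec.inc` with no exemption at all; if user-installed plugins in ${HOME} are the reason for kate's, it is worth confirming gedit does not need the same treatment.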
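--- a/etc/kcalc.profile
+++ b/etc/kcalc.profile
@@ -9,6 +9,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -45,5 +46,3 @@ private-dev
 # private-lib - problems on Arch
 private-tmp
 
-noexec ${HOME}
-noexec /tmp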
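--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -6,12 +6,15 @@ include kdenlive.local
 # Persistent global definitions
 include globals.local
 
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.cache/kdenlive
 noblacklist ${HOME}/.config/kdenliverc
 noblacklist ${HOME}/.local/share/kdenlive
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -33,6 +36,3 @@ shell none
 private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper,mlt-melt
 private-dev
 # private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,xdg,X11
-
-# noexec ${HOME}
-noexec /tmp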
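Review bot: The new `ignore noexec ${HOME}` at line 9 of kdenlive.profile has no comment saying why the home directory must stay executable, unlike the equivalent lines this commit adds to kodi.profile ("breaks plugins") and krita.profile ("may break krita, see issue #1953"). The old file only had `# noexec ${HOME}` commented out, so the reason is not recorded anywhere. Because `ignore` re-enables execution from all of ${HOME} for this sandbox, a one-line justification lets the next maintainer judge whether the exception is still needed, e.g. `# noexec ${HOME} breaks <feature — TODO fill in>` directly above it.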
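--- a/etc/keepassx.profile
+++ b/etc/keepassx.profile
@@ -14,6 +14,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -45,5 +46,3 @@ private-etc alternatives,fonts,machine-id
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp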
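--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -16,6 +16,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -47,8 +48,6 @@ private-tmp
 
 # 2.2.4 crashes on database open
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 
 # Mutex is stored in /tmp by default, which is broken by private-tmp
 join-or-start keepassxc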
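--- a/etc/kget.profile
+++ b/etc/kget.profile
@@ -15,6 +15,7 @@ noblacklist ${HOME}/.local/share/kget
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -38,5 +39,3 @@ private-dev
 private-tmp
 
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp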
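--- /dev/null
+++ b/etc/kid3-cli.profile
@@ -0,0 +1,6 @@
+# Firejail profile for kid3-cli
+# This file is overwritten after every install/update
+include kid3-cli.local
+
+# Redirect
+include kid3.profile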
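--- /dev/null
+++ b/etc/kid3-qt.profile
@@ -0,0 +1,8 @@
+# Firejail profile for kid3-qt
+# This file is overwritten after every install/update
+include kid3-qt.local
+
+noblacklist ${HOME}/.config/Kid3
+
+# Redirect
+include kid3.profile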
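--- /dev/null
+++ b/etc/kid3.profile
@@ -0,0 +1,45 @@
+# Firejail profile for kid3
+# Description: Audio Tag Editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kid3.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${MUSIC}
+noblacklist ${HOME}/.config/kid3rc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-etc alternatives,drirc,fonts,kde5rc,gtk-3.0,dconf,machine-id,ca-certificates,ssl,pki,hostname,hosts,resolv.conf,pulse,,crypto-policies
+private-tmp
+private-opt none
+private-srv none
+
+memory-deny-write-execute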
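Review bot: The `private-etc` list at line 40 of the new kid3.profile contains a doubled comma, `pulse,,crypto-policies`, which produces an empty entry in the file list. Depending on how the parser treats an empty element this is either silently ignored or rejected when the profile loads, and in both cases it is an easy typo to carry forward into copies of this profile. The intended line is presumably `private-etc alternatives,drirc,fonts,kde5rc,gtk-3.0,dconf,machine-id,ca-certificates,ssl,pki,hostname,hosts,resolv.conf,pulse,crypto-policies`.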
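--- a/etc/klavaro.profile
+++ b/etc/klavaro.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.local/share/klavaro
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -51,5 +52,3 @@ private-opt none
 private-srv none
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp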
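--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -31,6 +31,7 @@ noblacklist /tmp/akonadi-*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -58,5 +59,3 @@ writable-run-user
 private-dev
 # private-tmp - interrupts connection to akonadi, breaks opening of email attachments
 
-noexec ${HOME}
-noexec /tmp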
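--- a/etc/kodi.profile
+++ b/etc/kodi.profile
@@ -6,6 +6,9 @@ include kodi.local
 # Persistent global definitions
 include globals.local
 
+# noexec ${HOME} breaks plugins
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.kodi
 noblacklist ${MUSIC}
 noblacklist ${PICTURES}
@@ -16,9 +19,12 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,7 +46,3 @@ tracelog
 
 private-dev
 private-tmp
-
-# breaks plugins
-#noexec ${HOME}
-noexec /tmp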
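--- a/etc/konversation.profile
+++ b/etc/konversation.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.kde4/share/config/konversationrc
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,5 +40,3 @@ private-dev
 private-tmp
 
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp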
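--- a/etc/krita.profile
+++ b/etc/krita.profile
@@ -6,6 +6,9 @@ include krita.local
 # Persistent global definitions
 include globals.local
 
+# noexec ${HOME} may break krita, see issue #1953
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.config/kritarc
 noblacklist ${HOME}/.local/share/krita
 noblacklist ${DOCUMENTS}
@@ -16,9 +19,12 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -45,7 +51,3 @@ shell none
 private-cache
 private-dev
 private-tmp
-
-# noexec ${HOME} may break krita, see issue #1953
-# noexec ${HOME}
-noexec /tmp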
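--- a/etc/ktorrent.profile
+++ b/etc/ktorrent.profile
@@ -15,6 +15,7 @@ noblacklist ${HOME}/.local/share/ktorrent
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -57,5 +58,3 @@ private-dev
 private-tmp
 
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp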
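--- a/etc/kwin_x11.profile
+++ b/etc/kwin_x11.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.local/share/kwin
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,6 +40,3 @@ private-bin kwin_x11
 private-dev
 private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,machine-id,xdg
 private-tmp
-
-noexec ${HOME}
-noexec /tmp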
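--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -17,6 +17,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -47,7 +48,5 @@ private-dev
 private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
 
 join-or-start kwrite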
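--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -19,6 +19,7 @@ noblacklist /usr/share/java
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
@@ -49,7 +50,5 @@ tracelog
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
 
 join-or-start libreoffice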
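--- a/etc/liferea.profile
+++ b/etc/liferea.profile
@@ -15,6 +15,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc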
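--- /dev/null
+++ b/etc/lincity-ng.profile
@@ -0,0 +1,44 @@
+# Firejail profile for lincity-ng
+# Description: City simulation game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lincity-ng.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.lincity-ng
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.lincity-ng
+whitelist ${HOME}/.lincity-ng
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin lincity-ng
+private-cache
+private-dev
+private-tmp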
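--- a/etc/lollypop.profile
+++ b/etc/lollypop.profile
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc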
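--- /dev/null
+++ b/etc/lrunzip.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrunzip
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lrunzip.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include cpio.profile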
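Review bot: Lines 9-10 of the new lrunzip.profile are two consecutive blank lines, which the other redirect profiles in this commit (kid3-cli.profile, megaglest_editor.profile) do not have; lrz.profile, lrzcat.profile, lrzip.profile, lrztar.profile and lrzuntar.profile repeat the same layout. Dropping one of the two blanks keeps the six files consistent with the single-blank separator used elsewhere. The `# added by included profile` comment above the disabled `#include globals.local` is the useful kind of note and should stay.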
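--- /dev/null
+++ b/etc/lrz.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrz
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lrz.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include cpio.profile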
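--- /dev/null
+++ b/etc/lrzcat.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrzcat
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lrzcat.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include cpio.profile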
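--- /dev/null
+++ b/etc/lrzip.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrzip
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lrzip.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include cpio.profile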
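--- /dev/null
+++ b/etc/lrztar.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrztar
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lrztar.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include cpio.profile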
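--- /dev/null
+++ b/etc/lrzuntar.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrzuntar
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lrzuntar.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include cpio.profile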
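--- /dev/null
+++ b/etc/lugaru.profile
@@ -0,0 +1,49 @@
+# Firejail profile for lugaru
+# Description: Ninja rabbit fighting game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lugaru.local
+# Persistent global definitions
+include globals.local
+
+# note: crashes after entering
+
+noblacklist ${HOME}/.config/lugaru
+noblacklist ${HOME}/.local/share/lugaru
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/lugaru
+mkdir ${HOME}/.local/share/lugaru
+whitelist ${HOME}/.config/lugaru
+whitelist ${HOME}/.local/share/lugaru
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin lugaru
+private-cache
+private-dev
+private-tmp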
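Review bot: The comment `# note: crashes after entering` at line 9 of the new lugaru.profile records a known problem but not enough to act on: it does not say what is being entered (the game, a menu, a level) nor whether a particular option in this profile is suspected. A profile that ships with a known crash should point at the likely cause or the tracker entry so a user can narrow it down in lugaru.local, for example `# note: crashes after entering <what — TODO>; not yet bisected, see <issue — TODO>`. If the crash was not bisected against the options below, saying so explicitly is still better than the bare note.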
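--- a/etc/macrofusion.profile
+++ b/etc/macrofusion.profile
@@ -13,6 +13,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc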
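--- /dev/null
+++ b/etc/manaplus.profile
@@ -0,0 +1,48 @@
+# Firejail profile for manaplus
+# Description: 2D MMORPG client for Evol Online and The Mana World
+# This file is overwritten after every install/update
+# Persistent local customizations
+include manaplus.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mana
+noblacklist ${HOME}/.local/share/mana
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/mana
+mkdir ${HOME}/.config/mana/mana
+mkdir ${HOME}/.local/share/mana
+whitelist ${HOME}/.config/mana
+whitelist ${HOME}/.local/share/mana
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin manaplus
+private-cache
+private-dev
+private-tmp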
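--- a/etc/masterpdfeditor.profile
+++ b/etc/masterpdfeditor.profile
@@ -11,18 +11,18 @@ noblacklist ${HOME}/.masterpdfeditor
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 machine-id
-net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -36,11 +36,9 @@ seccomp
 shell none
 tracelog
 
-private-bin masterpdfeditor*
+private-bin masterpdfedito*
 private-cache
 private-dev
 private-etc alternatives,fonts
 private-tmp
 
-noexec ${HOME}
-noexec /tmp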
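Review bot: The `private-bin` glob change from `masterpdfeditor*` to `masterpdfedito*` at line 39 of masterpdfeditor.profile is not explained, and since the longer pattern already matches every name the shorter one does apart from names ending in "masterpdfedito", the reason (presumably a real binary or symlink with that spelling on some distribution) should be recorded next to it, e.g. `# masterpdfedito* also matches <binary name — TODO>`. The same section also drops `net none` and `nodbus` without a comment, which widens what the editor can reach; if that is needed for a specific feature, a one-line note such as `# net none/nodbus removed: <feature — TODO>` would let a user who does not need it put the restrictions back in masterpdfeditor.local with confidence. The file's options after `nonewprivs` continue outside the first hunk.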
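--- a/etc/mediainfo.profile
+++ b/etc/mediainfo.profile
@@ -10,6 +10,7 @@ blacklist /tmp/.X11-unix
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -41,5 +42,3 @@ private-etc alternatives
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp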
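--- /dev/null
+++ b/etc/megaglest.profile
@@ -0,0 +1,44 @@
+# Firejail profile for megaglest
+# Description: 3D multi-player real time strategy game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include megaglest.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.megaglest
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.megaglest
+whitelist ${HOME}/.megaglest
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin megaglest,megaglest_editor,megaglest_g3dviewer
+private-cache
+private-dev
+private-tmp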
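--- /dev/null
+++ b/etc/megaglest_editor.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for megaglest
+# This file is overwritten after every install/update
+
+# Redirect
+include megaglest.profile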
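--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -8,17 +8,35 @@ include globals.local
 
 noblacklist ${HOME}/.local/share/meld
 
-include disable-common.inc
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
+
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.subversion
+
+# Uncomment the next line if you don't need to compare files in disable-common.inc.
+#include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
 include disable-passwdmgr.inc
-include disable-programs.inc
+# Uncomment the next line if you don't need to compare files in disable-programs.inc.
+#include disable-programs.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
-net none
+ipc-namespace
+machine-id
+netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -27,14 +45,15 @@ nosound
 notv
 nou2f
 novideo
-protocol unix
+protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 
-private-bin meld,python*
+private-bin bzr,cvs,git,hg,meld,python*,svn
 private-cache
 private-dev
+# Uncomment the next line if you don't need to compare in /etc.
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion
 private-tmp
 
-noexec ${HOME}
-noexec /tmp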
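Review bot: The new `noblacklist ${HOME}/.ssh` at line 20 of meld.profile makes SSH private keys readable inside a sandbox that, in the same change, gains network access (`net none` replaced by `netfilter`, `protocol unix,inet,inet6`) and a `private-bin` list of VCS clients, while `disable-common.inc` and `disable-programs.inc` are now commented out by default; together these remove most of what distinguished the sandbox from running meld unconfined. Exposing `.ssh` is only needed when a VCS operation inside meld contacts a remote, which is not the common case for a diff tool, so the safer default is to ship the line disabled and let users enable it locally, e.g. `# Uncomment in meld.local if git/hg/svn inside meld must reach remotes over ssh` followed by `#noblacklist ${HOME}/.ssh`. The two "Uncomment the next line if you don't need to compare files in …" comments would also read better the other way round, since the default they describe is the permissive one; stating that the includes are off by default for file comparison and can be turned on in meld.local makes the trade-off explicit.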
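--- a/etc/mendeleydesktop.profile
+++ b/etc/mendeleydesktop.profile
@@ -19,6 +19,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc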
diff --git a/etc/minetest.profile b/etc/minetest.profile index aa50847ea..b3e692446 100644 --- a/etc/minetest.profile +++ b/etc/minetest.profile | |||
@@ -10,9 +10,11 @@ noblacklist ${HOME}/.minetest | |||
10 | 10 | ||
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | include disable-devel.inc | 12 | include disable-devel.inc |
13 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | 14 | include disable-interpreters.inc |
14 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
15 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | include disable-xdg.inc | ||
16 | 18 | ||
17 | mkdir ${HOME}/.minetest | 19 | mkdir ${HOME}/.minetest |
18 | whitelist ${HOME}/.minetest | 20 | whitelist ${HOME}/.minetest |
@@ -33,13 +35,12 @@ novideo | |||
33 | protocol unix,inet,inet6 | 35 | protocol unix,inet,inet6 |
34 | seccomp | 36 | seccomp |
35 | shell none | 37 | shell none |
38 | tracelog | ||
36 | 39 | ||
37 | disable-mnt | 40 | disable-mnt |
38 | private-bin minetest | 41 | private-bin minetest |
42 | private-cache | ||
39 | private-dev | 43 | private-dev |
40 | # private-etc needs to be updated, see #1702 | 44 | # private-etc needs to be updated, see #1702 |
41 | #private-etc alternatives,asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id | 45 | #private-etc alternatives,asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id |
42 | private-tmp | 46 | private-tmp |
43 | |||
44 | noexec ${HOME} | ||
45 | noexec /tmp | ||
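--- a/etc/mpDris2.profile
+++ b/etc/mpDris2.profile
@@ -13,6 +13,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc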
diff --git a/etc/mpsyt.profile b/etc/mpsyt.profile index f057bdd9e..0808c5a1a 100644 --- a/etc/mpsyt.profile +++ b/etc/mpsyt.profile | |||
@@ -24,6 +24,7 @@ noblacklist ${VIDEOS} | |||
24 | 24 | ||
25 | include disable-common.inc | 25 | include disable-common.inc |
26 | include disable-devel.inc | 26 | include disable-devel.inc |
27 | include disable-exec.inc | ||
27 | include disable-interpreters.inc | 28 | include disable-interpreters.inc |
28 | include disable-passwdmgr.inc | 29 | include disable-passwdmgr.inc |
29 | include disable-programs.inc | 30 | include disable-programs.inc |
@@ -57,5 +58,3 @@ private-bin mpsyt,mplayer,mpv,youtube-dl,python*,env,ffmpeg | |||
57 | private-dev | 58 | private-dev |
58 | private-tmp | 59 | private-tmp |
59 | 60 | ||
60 | noexec ${HOME} | ||
61 | noexec /tmp | ||
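--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -21,6 +21,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc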
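--- a/etc/ms-office.profile
+++ b/etc/ms-office.profile
@@ -13,6 +13,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc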
diff --git a/etc/mupdf.profile b/etc/mupdf.profile index c1d4f2cbe..1d5953ff7 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile | |||
@@ -10,6 +10,7 @@ noblacklist ${DOCUMENTS} | |||
10 | 10 | ||
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | include disable-devel.inc | 12 | include disable-devel.inc |
13 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | 14 | include disable-interpreters.inc |
14 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
15 | include disable-programs.inc | 16 | include disable-programs.inc |
@@ -40,4 +41,5 @@ private-dev | |||
40 | private-etc alternatives,fonts | 41 | private-etc alternatives,fonts |
41 | private-tmp | 42 | private-tmp |
42 | 43 | ||
44 | memory-deny-write-execute | ||
43 | read-only ${HOME} | 45 | read-only ${HOME} |
diff --git a/etc/musescore.profile b/etc/musescore.profile index 5f009c681..9750a31f4 100644 --- a/etc/musescore.profile +++ b/etc/musescore.profile | |||
@@ -15,6 +15,7 @@ noblacklist ${MUSIC} | |||
15 | 15 | ||
16 | include disable-common.inc | 16 | include disable-common.inc |
17 | include disable-devel.inc | 17 | include disable-devel.inc |
18 | include disable-exec.inc | ||
18 | include disable-interpreters.inc | 19 | include disable-interpreters.inc |
19 | include disable-passwdmgr.inc | 20 | include disable-passwdmgr.inc |
20 | include disable-programs.inc | 21 | include disable-programs.inc |
@@ -38,6 +39,3 @@ tracelog | |||
38 | 39 | ||
39 | # private-bin musescore,mscore | 40 | # private-bin musescore,mscore |
40 | private-tmp | 41 | private-tmp |
41 | |||
42 | noexec ${HOME} | ||
43 | noexec /tmp | ||
diff --git a/etc/mypaint.profile b/etc/mypaint.profile index 21fd841cf..615bb60d1 100644 --- a/etc/mypaint.profile +++ b/etc/mypaint.profile | |||
@@ -15,6 +15,7 @@ noblacklist ${PICTURES} | |||
15 | 15 | ||
16 | include disable-common.inc | 16 | include disable-common.inc |
17 | include disable-devel.inc | 17 | include disable-devel.inc |
18 | include disable-exec.inc | ||
18 | include disable-interpreters.inc | 19 | include disable-interpreters.inc |
19 | include disable-passwdmgr.inc | 20 | include disable-passwdmgr.inc |
20 | include disable-programs.inc | 21 | include disable-programs.inc |
@@ -44,5 +45,3 @@ private-dev | |||
44 | private-etc alternatives,fonts,gtk-3.0,dconf | 45 | private-etc alternatives,fonts,gtk-3.0,dconf |
45 | private-tmp | 46 | private-tmp |
46 | 47 | ||
47 | noexec ${HOME} | ||
48 | noexec /tmp | ||
diff --git a/etc/nano.profile b/etc/nano.profile index ed172b37c..50e251d49 100644 --- a/etc/nano.profile +++ b/etc/nano.profile | |||
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.nanorc | |||
11 | 11 | ||
12 | include disable-common.inc | 12 | include disable-common.inc |
13 | include disable-devel.inc | 13 | include disable-devel.inc |
14 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
15 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 17 | include disable-programs.inc |
@@ -43,5 +44,3 @@ private-dev | |||
43 | private-etc alternatives,nanorc | 44 | private-etc alternatives,nanorc |
44 | 45 | ||
45 | memory-deny-write-execute | 46 | memory-deny-write-execute |
46 | noexec ${HOME} | ||
47 | noexec /tmp | ||
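--- a/etc/natron.profile
+++ b/etc/natron.profile
@@ -5,11 +5,13 @@ include natron.local
 # Persistent global definitions
 include globals.local
 
-# Allow access to python
+# Allow python (blacklisted by disable-interpreters.inc)
 noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 noblacklist ${HOME}/.Natron
 noblacklist ${HOME}/.cache/INRIA/Natron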
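--- a/etc/nautilus.profile
+++ b/etc/nautilus.profile
@@ -19,6 +19,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc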
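--- a/etc/nemo.profile
+++ b/etc/nemo.profile
@@ -16,6 +16,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc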
diff --git a/etc/netactview.profile b/etc/netactview.profile index 58235c31b..c91822a9d 100644 --- a/etc/netactview.profile +++ b/etc/netactview.profile | |||
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.netactview | |||
10 | 10 | ||
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | include disable-devel.inc | 12 | include disable-devel.inc |
13 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | 14 | include disable-interpreters.inc |
14 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
15 | include disable-programs.inc | 16 | include disable-programs.inc |
@@ -47,5 +48,3 @@ private-lib | |||
47 | private-tmp | 48 | private-tmp |
48 | 49 | ||
49 | memory-deny-write-execute | 50 | memory-deny-write-execute |
50 | noexec ${HOME} | ||
51 | noexec /tmp | ||
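--- /dev/null
+++ b/etc/nethack-vultures.profile
@@ -0,0 +1,47 @@
+# Firejail profile for nethack-vultures
+# Description: A rogue-like single player dungeon exploration game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nethack.local
+# Persistent global definitions
+include globals.local
+
+
+noblacklist ${HOME}/.vultures
+noblacklist /var/log
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.vultures
+whitelist ${HOME}/.vultures
+whitelist /var/log/vultures
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodbus
+nodvd
+nogroups
+#nonewprivs
+#noroot
+notv
+novideo
+#protocol unix,netlink
+#seccomp
+shell none
+
+disable-mnt
+#private
+private-cache
+private-dev
+private-tmp
+writable-var
+
+noexec ${HOME}
+noexec /tmp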
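Review bot: The hardening lines `#nonewprivs`, `#noroot`, `#seccomp` and `#protocol unix,netlink` (new lines 31-36) are commented out with no explanation, so this new profile runs the game with the syscall surface and privilege paths the rest of the commit closes elsewhere, and a later maintainer cannot tell whether that was deliberate or unfinished. Other profiles in this commit state the reason next to a disabled option (`# private-dev should be commented for controllers`, `# private-etc needs to be updated, see #1702`), so the same belongs here, e.g. `# nonewprivs/noroot/seccomp disabled - <reason, TODO confirm>`. The profile also ends with `noexec ${HOME}` / `noexec /tmp` instead of `include disable-exec.inc`, which the other new profiles in this commit (opencity, openclonk, openttd, ostrichriders, pioneer) use and which the modified profiles substitute for exactly those two lines; presumably the include is meant to supersede them. Finally, line 5 pulls in `include nethack.local` rather than a `nethack-vultures.local`; if sharing the nethack local file is intended, the "Persistent local customizations" comment above it should say so.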
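--- a/etc/nitroshare.profile
+++ b/etc/nitroshare.profile
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc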
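--- /dev/null
+++ b/etc/nomacs.profile
@@ -0,0 +1,48 @@
+# Firejail profile for nomacs
+# Description: a fast and small image viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nomacs.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/nomacs
+noblacklist ${HOME}/.local/share/nomacs
+noblacklist ${HOME}/.local/share/data/nomacs
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+#private-bin nomacs
+private-cache
+private-dev
+private-etc alternatives,hosts,ca-certificates,ssl,pki,crypto-policies,resolv.conf,drirc,fonts,gtk-3.0,dconf,machine-id,login.defs
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp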
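Review bot: The new profile ends with `noexec ${HOME}` and `noexec /tmp` (lines 47-48) but does not `include disable-exec.inc`, while every modified profile in this commit replaces exactly those two lines with that include and the other new profiles (opencity, openclonk, openttd, ostrichriders, pioneer) use it; presumably the include carries those noexec rules and more, so nomacs should follow the same pattern. `#private-bin nomacs` on line 40 is disabled without a reason; the convention in this commit is to say why (`# private-dev should be commented for controllers`), e.g. `# private-bin nomacs - <reason, TODO confirm>`. The profile also grants `netfilter` with `protocol unix,inet,inet6,netlink` to an image viewer; if network access is only needed for one feature, a one-line comment naming it would let a reader judge whether `net none` is an option.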
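--- a/etc/obs.profile
+++ b/etc/obs.profile
@@ -15,6 +15,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc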
diff --git a/etc/ocenaudio.profile b/etc/ocenaudio.profile index be218e3a8..ceeb59384 100644 --- a/etc/ocenaudio.profile +++ b/etc/ocenaudio.profile | |||
@@ -12,6 +12,7 @@ noblacklist ${MUSIC} | |||
12 | 12 | ||
13 | include disable-common.inc | 13 | include disable-common.inc |
14 | include disable-devel.inc | 14 | include disable-devel.inc |
15 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
16 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 18 | include disable-programs.inc |
@@ -47,5 +48,3 @@ private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse | |||
47 | private-tmp | 48 | private-tmp |
48 | 49 | ||
49 | # memory-deny-write-execute - breaks on Arch | 50 | # memory-deny-write-execute - breaks on Arch |
50 | noexec ${HOME} | ||
51 | noexec /tmp | ||
diff --git a/etc/okular.profile b/etc/okular.profile index 0192a1d3d..48e45ca3f 100644 --- a/etc/okular.profile +++ b/etc/okular.profile | |||
@@ -20,6 +20,7 @@ noblacklist ${DOCUMENTS} | |||
20 | 20 | ||
21 | include disable-common.inc | 21 | include disable-common.inc |
22 | include disable-devel.inc | 22 | include disable-devel.inc |
23 | include disable-exec.inc | ||
23 | include disable-interpreters.inc | 24 | include disable-interpreters.inc |
24 | include disable-passwdmgr.inc | 25 | include disable-passwdmgr.inc |
25 | include disable-programs.inc | 26 | include disable-programs.inc |
@@ -52,7 +53,5 @@ private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg | |||
52 | # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients | 53 | # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients |
53 | 54 | ||
54 | # memory-deny-write-execute | 55 | # memory-deny-write-execute |
55 | noexec ${HOME} | ||
56 | noexec /tmp | ||
57 | 56 | ||
58 | join-or-start okular | 57 | join-or-start okular |
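--- a/etc/onionshare-gui.profile
+++ b/etc/onionshare-gui.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/onionshare
 # Allow python (blacklisted by disable-interpreters.inc)
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc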
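--- /dev/null
+++ b/etc/opencity.profile
@@ -0,0 +1,44 @@
+# Firejail profile for opencity
+# Description: Full 3D city simulator game project
+# This file is overwritten after every install/update
+# Persistent local customizations
+include opencity.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.opencity
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.opencity
+whitelist ${HOME}/.opencity
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin opencity
+private-cache
+private-dev
+private-tmp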
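--- /dev/null
+++ b/etc/openclonk.profile
@@ -0,0 +1,44 @@
+# Firejail profile for openclonk
+# Description: Multiplayer action, tactics and skill game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openclonk.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.clonk
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.clonk
+whitelist ${HOME}/.clonk
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin openclonk,c4group
+private-cache
+private-dev
+private-tmp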
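Review bot: Line 26 sets `net none` while the description on line 2 calls openclonk a multiplayer game, so either network play is being disabled on purpose, which deserves a comment in the style used elsewhere in this commit (`# net none - disables multiplayer, replace with netfilter if needed`), or the profile should follow openttd in this same commit and use `netfilter` with `protocol unix,inet,inet6`. The rest of the new profile matches the other game profiles added here.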
diff --git a/etc/openshot.profile b/etc/openshot.profile index e383ecf06..cfda1d0ce 100644 --- a/etc/openshot.profile +++ b/etc/openshot.profile | |||
@@ -14,9 +14,12 @@ noblacklist ${PATH}/python2* | |||
14 | noblacklist ${PATH}/python3* | 14 | noblacklist ${PATH}/python3* |
15 | noblacklist /usr/lib/python2* | 15 | noblacklist /usr/lib/python2* |
16 | noblacklist /usr/lib/python3* | 16 | noblacklist /usr/lib/python3* |
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
17 | 19 | ||
18 | include disable-common.inc | 20 | include disable-common.inc |
19 | include disable-devel.inc | 21 | include disable-devel.inc |
22 | include disable-exec.inc | ||
20 | include disable-interpreters.inc | 23 | include disable-interpreters.inc |
21 | include disable-passwdmgr.inc | 24 | include disable-passwdmgr.inc |
22 | include disable-programs.inc | 25 | include disable-programs.inc |
@@ -40,5 +43,3 @@ shell none | |||
40 | private-dev | 43 | private-dev |
41 | private-tmp | 44 | private-tmp |
42 | 45 | ||
43 | noexec ${HOME} | ||
44 | noexec /tmp | ||
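--- /dev/null
+++ b/etc/openttd.profile
@@ -0,0 +1,44 @@
+# Firejail profile for openttd
+# Description: Transport system simulation game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openttd.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.openttd
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.openttd
+whitelist ${HOME}/.openttd
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin openttd
+private-cache
+private-dev
+private-tmp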
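--- /dev/null
+++ b/etc/ostrichriders.profile
@@ -0,0 +1,45 @@
+# Firejail profile for ostrichriders
+# Description: Knights flying on ostriches compete against other riders
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ostrichriders.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.ostrichriders
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.ostrichriders
+whitelist ${HOME}/.ostrichriders
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin ostrichriders
+private-cache
+# private-dev should be commented for controllers
+private-dev
+private-tmp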
diff --git a/etc/patch.profile b/etc/patch.profile index c0937bfc5..9515bffdf 100644 --- a/etc/patch.profile +++ b/etc/patch.profile | |||
@@ -11,6 +11,7 @@ noblacklist ${DOCUMENTS} | |||
11 | 11 | ||
12 | include disable-common.inc | 12 | include disable-common.inc |
13 | include disable-devel.inc | 13 | include disable-devel.inc |
14 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
15 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
16 | include disable-xdg.inc | 17 | include disable-xdg.inc |
@@ -39,5 +40,3 @@ private-dev | |||
39 | private-lib libfakeroot | 40 | private-lib libfakeroot |
40 | 41 | ||
41 | memory-deny-write-execute | 42 | memory-deny-write-execute |
42 | noexec ${HOME} | ||
43 | noexec /tmp | ||
diff --git a/etc/pavucontrol.profile b/etc/pavucontrol.profile index 6bda9e7d3..18b9b7fc6 100644 --- a/etc/pavucontrol.profile +++ b/etc/pavucontrol.profile | |||
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/pavucontrol.ini | |||
10 | 10 | ||
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | include disable-devel.inc | 12 | include disable-devel.inc |
13 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | 14 | include disable-interpreters.inc |
14 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
15 | include disable-programs.inc | 16 | include disable-programs.inc |
@@ -19,7 +20,7 @@ include whitelist-var-common.inc | |||
19 | 20 | ||
20 | apparmor | 21 | apparmor |
21 | caps.drop all | 22 | caps.drop all |
22 | ipc-namespace | 23 | #ipc-namespace |
23 | net none | 24 | net none |
24 | no3d | 25 | no3d |
25 | nodbus | 26 | nodbus |
@@ -43,5 +44,3 @@ private-lib | |||
43 | private-tmp | 44 | private-tmp |
44 | 45 | ||
45 | memory-deny-write-execute | 46 | memory-deny-write-execute |
46 | noexec ${HOME} | ||
47 | noexec /tmp | ||
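Review bot: `ipc-namespace` becomes `#ipc-namespace` on new line 23 of the second hunk with no comment saying what broke, so the next maintainer cannot tell whether the option can be re-enabled later or why the sandbox now shares the host's IPC namespace. Other profiles in this commit document a disabled option with its reason (`# memory-deny-write-execute - breaks on Arch` in ocenaudio.profile), so the same convention fits here: `# ipc-namespace - breaks <what, TODO confirm>`.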
diff --git a/etc/pdfchain.profile b/etc/pdfchain.profile index d9f721578..98a9f1840 100644 --- a/etc/pdfchain.profile +++ b/etc/pdfchain.profile | |||
@@ -9,6 +9,7 @@ noblacklist ${DOCUMENTS} | |||
9 | 9 | ||
10 | include disable-common.inc | 10 | include disable-common.inc |
11 | include disable-devel.inc | 11 | include disable-devel.inc |
12 | include disable-exec.inc | ||
12 | include disable-interpreters.inc | 13 | include disable-interpreters.inc |
13 | include disable-passwdmgr.inc | 14 | include disable-passwdmgr.inc |
14 | include disable-programs.inc | 15 | include disable-programs.inc |
@@ -38,5 +39,3 @@ private-etc alternatives,dconf,fonts,gtk-3.0,xdg | |||
38 | private-tmp | 39 | private-tmp |
39 | 40 | ||
40 | memory-deny-write-execute | 41 | memory-deny-write-execute |
41 | noexec ${HOME} | ||
42 | noexec /tmp | ||
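--- a/etc/picard.profile
+++ b/etc/picard.profile
@@ -15,6 +15,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc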
diff --git a/etc/pidgin.profile b/etc/pidgin.profile index 91a204557..444478149 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile | |||
@@ -6,14 +6,24 @@ include pidgin.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | mkdir ${HOME}/.purple | ||
9 | noblacklist ${HOME}/.purple | 10 | noblacklist ${HOME}/.purple |
11 | whitelist ${HOME}/.purple | ||
12 | |||
13 | ignore noexec ${RUNUSER} | ||
14 | ignore noexec /dev/shm | ||
10 | 15 | ||
11 | include disable-common.inc | 16 | include disable-common.inc |
12 | include disable-devel.inc | 17 | include disable-devel.inc |
18 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | 19 | include disable-interpreters.inc |
14 | include disable-passwdmgr.inc | 20 | include disable-passwdmgr.inc |
15 | include disable-programs.inc | 21 | include disable-programs.inc |
22 | include disable-xdg.inc | ||
23 | include whitelist-common.inc | ||
24 | include whitelist-var-common.inc | ||
16 | 25 | ||
26 | apparmor | ||
17 | caps.drop all | 27 | caps.drop all |
18 | netfilter | 28 | netfilter |
19 | nodvd | 29 | nodvd |
@@ -24,13 +34,10 @@ notv | |||
24 | nou2f | 34 | nou2f |
25 | protocol unix,inet,inet6 | 35 | protocol unix,inet,inet6 |
26 | seccomp | 36 | seccomp |
27 | shell none | 37 | # shell none |
28 | tracelog | 38 | tracelog |
29 | 39 | ||
30 | private-bin pidgin | 40 | # private-bin pidgin |
31 | private-cache | 41 | private-cache |
32 | private-dev | 42 | private-dev |
33 | private-tmp | 43 | private-tmp |
34 | |||
35 | noexec ${HOME} | ||
36 | noexec /tmp | ||
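Review bot: The new `ignore noexec ${RUNUSER}` and `ignore noexec /dev/shm` lines (new lines 13-14) carve exceptions out of the `include disable-exec.inc` hardening the commit introduces, and the second hunk comments out `shell none` and `private-bin pidgin`, all without a comment stating the breakage that motivated them. If disable-exec.inc is what applies noexec to those paths, the sandbox keeps execute permission in its runtime directory and /dev/shm and, with private-bin gone, sees the full system binaries, so each relaxation should be justified in place, e.g. `# ignore noexec ${RUNUSER},/dev/shm - needed for <feature, TODO confirm>` and `# private-bin pidgin - breaks <what, TODO confirm>`. If these are temporary workarounds, a reference to the tracking issue would let them be re-tightened later.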
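--- /dev/null
+++ b/etc/pioneer.profile
@@ -0,0 +1,44 @@
+# Firejail profile for pioneer
+# Description: A game of lonely space adventure
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pioneer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.pioneer
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.pioneer
+whitelist ${HOME}/.pioneer
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin pioneer,modelcompiler,savegamedump
+private-cache
+private-dev
+private-tmp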
diff --git a/etc/pithos.profile b/etc/pithos.profile index b201dcfea..6492ace7b 100644 --- a/etc/pithos.profile +++ b/etc/pithos.profile | |||
@@ -11,6 +11,8 @@ noblacklist ${PATH}/python2* | |||
11 | noblacklist ${PATH}/python3* | 11 | noblacklist ${PATH}/python3* |
12 | noblacklist /usr/lib/python2* | 12 | noblacklist /usr/lib/python2* |
13 | noblacklist /usr/lib/python3* | 13 | noblacklist /usr/lib/python3* |
14 | noblacklist /usr/local/lib/python2* | ||
15 | noblacklist /usr/local/lib/python3* | ||
14 | 16 | ||
15 | include disable-common.inc | 17 | include disable-common.inc |
16 | include disable-devel.inc | 18 | include disable-devel.inc |
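Review bot: The two added `noblacklist /usr/local/lib/python2*` / `noblacklist /usr/local/lib/python3*` lines turn this python allow-block into a six-line stanza that is copied verbatim into pitivi, playonlinux, pybitmessage, qbittorrent, qutebrowser, ranger, scribus, sdat2img, soundconverter and steam in the same commit, which is exactly the kind of duplication that drifts the next time a path is added. A shared include holding the six noblacklist lines (something like `include allow-python.inc` — a constructed name, not one visible in this commit) would let every python-using profile pick up future path changes in one place. Keep in mind that `/usr/local/lib/python3*` is the default destination for administrator `pip install`s and therefore sits outside package-manager control; presumably the new lines mirror a matching entry in disable-interpreters.inc, but that file is not part of this chunk.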
diff --git a/etc/pitivi.profile b/etc/pitivi.profile index 5bd6fd357..ac7922833 100644 --- a/etc/pitivi.profile +++ b/etc/pitivi.profile | |||
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2* | |||
14 | noblacklist ${PATH}/python3* | 14 | noblacklist ${PATH}/python3* |
15 | noblacklist /usr/lib/python2* | 15 | noblacklist /usr/lib/python2* |
16 | noblacklist /usr/lib/python3* | 16 | noblacklist /usr/lib/python3* |
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
17 | 19 | ||
18 | include disable-common.inc | 20 | include disable-common.inc |
19 | include disable-devel.inc | 21 | include disable-devel.inc |
diff --git a/etc/playonlinux.profile b/etc/playonlinux.profile index c97c27435..2f287223b 100644 --- a/etc/playonlinux.profile +++ b/etc/playonlinux.profile | |||
@@ -20,6 +20,8 @@ noblacklist ${PATH}/python2* | |||
20 | noblacklist ${PATH}/python3* | 20 | noblacklist ${PATH}/python3* |
21 | noblacklist /usr/lib/python2* | 21 | noblacklist /usr/lib/python2* |
22 | noblacklist /usr/lib/python3* | 22 | noblacklist /usr/lib/python3* |
23 | noblacklist /usr/local/lib/python2* | ||
24 | noblacklist /usr/local/lib/python3* | ||
23 | 25 | ||
24 | # Allow perl (blacklisted by disable-interpreters.inc) | 26 | # Allow perl (blacklisted by disable-interpreters.inc) |
25 | noblacklist ${PATH}/cpan* | 27 | noblacklist ${PATH}/cpan* |
diff --git a/etc/pluma.profile b/etc/pluma.profile index a8b1e4cc6..25142bc18 100644 --- a/etc/pluma.profile +++ b/etc/pluma.profile | |||
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/pluma | |||
10 | 10 | ||
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | include disable-devel.inc | 12 | include disable-devel.inc |
13 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | 14 | include disable-interpreters.inc |
14 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
15 | include disable-programs.inc | 16 | include disable-programs.inc |
@@ -42,7 +43,5 @@ private-lib pluma | |||
42 | private-tmp | 43 | private-tmp |
43 | 44 | ||
44 | memory-deny-write-execute | 45 | memory-deny-write-execute |
45 | noexec ${HOME} | ||
46 | noexec /tmp | ||
47 | 46 | ||
48 | join-or-start pluma | 47 | join-or-start pluma |
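Review bot: Replacing the explicit `noexec ${HOME}` and `noexec /tmp` lines with `include disable-exec.inc` is only behaviour-preserving if that include carries both directives, and disable-exec.inc is not in this chunk, so it should be checked before the same swap — made here and in qbittorrent, qpdfview, qtox, redshift, regextester, rhythmbox, simplescreenrecorder, smplayer, soundconverter, sqlitebrowser, ssh, standardnotes-desktop and start-tor-browser — is taken as a no-op. If disable-exec.inc applies noexec to more paths than those two, any profile that needs one of them executable has to opt out the way start-tor-browser does with `ignore noexec ${HOME}`, and ssh.profile in particular deserves a runtime check since it previously listed the noexec lines explicitly. A one-line comment above the include, e.g. `# disable-exec.inc replaces the former noexec ${HOME} / noexec /tmp lines`, would keep the intent recoverable from the profile alone.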
diff --git a/etc/pybitmessage.profile b/etc/pybitmessage.profile index 92cae0f97..63ae156a1 100644 --- a/etc/pybitmessage.profile +++ b/etc/pybitmessage.profile | |||
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2* | |||
14 | noblacklist ${PATH}/python3* | 14 | noblacklist ${PATH}/python3* |
15 | noblacklist /usr/lib/python2* | 15 | noblacklist /usr/lib/python2* |
16 | noblacklist /usr/lib/python3* | 16 | noblacklist /usr/lib/python3* |
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
17 | 19 | ||
18 | include disable-common.inc | 20 | include disable-common.inc |
19 | include disable-devel.inc | 21 | include disable-devel.inc |
diff --git a/etc/pycharm-community.profile b/etc/pycharm-community.profile index bfe8b614e..3caaacf09 100644 --- a/etc/pycharm-community.profile +++ b/etc/pycharm-community.profile | |||
@@ -5,7 +5,6 @@ include pycharm-community.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | noblacklist ${HOME}/snap | ||
9 | noblacklist ${HOME}/.PyCharmCE* | 8 | noblacklist ${HOME}/.PyCharmCE* |
10 | noblacklist ${HOME}/.python-history | 9 | noblacklist ${HOME}/.python-history |
11 | noblacklist ${HOME}/.java | 10 | noblacklist ${HOME}/.java |
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index 7b1f05574..b0a6a0016 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile | |||
@@ -16,9 +16,12 @@ noblacklist ${PATH}/python2* | |||
16 | noblacklist ${PATH}/python3* | 16 | noblacklist ${PATH}/python3* |
17 | noblacklist /usr/lib/python2* | 17 | noblacklist /usr/lib/python2* |
18 | noblacklist /usr/lib/python3* | 18 | noblacklist /usr/lib/python3* |
19 | noblacklist /usr/local/lib/python2* | ||
20 | noblacklist /usr/local/lib/python3* | ||
19 | 21 | ||
20 | include disable-common.inc | 22 | include disable-common.inc |
21 | include disable-devel.inc | 23 | include disable-devel.inc |
24 | include disable-exec.inc | ||
22 | include disable-interpreters.inc | 25 | include disable-interpreters.inc |
23 | include disable-passwdmgr.inc | 26 | include disable-passwdmgr.inc |
24 | include disable-programs.inc | 27 | include disable-programs.inc |
@@ -59,5 +62,3 @@ private-dev | |||
59 | private-tmp | 62 | private-tmp |
60 | 63 | ||
61 | # memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo | 64 | # memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo |
62 | noexec ${HOME} | ||
63 | noexec /tmp | ||
diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile index 06598c769..6cb3fe4cd 100644 --- a/etc/qpdfview.profile +++ b/etc/qpdfview.profile | |||
@@ -12,6 +12,7 @@ noblacklist ${DOCUMENTS} | |||
12 | 12 | ||
13 | include disable-common.inc | 13 | include disable-common.inc |
14 | include disable-devel.inc | 14 | include disable-devel.inc |
15 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
16 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 18 | include disable-programs.inc |
@@ -39,5 +40,3 @@ private-dev | |||
39 | private-tmp | 40 | private-tmp |
40 | 41 | ||
41 | memory-deny-write-execute | 42 | memory-deny-write-execute |
42 | noexec ${HOME} | ||
43 | noexec /tmp | ||
diff --git a/etc/qtox.profile b/etc/qtox.profile index 3dc4c6a30..0ca5a5ef0 100644 --- a/etc/qtox.profile +++ b/etc/qtox.profile | |||
@@ -10,9 +10,11 @@ noblacklist ${HOME}/.config/tox | |||
10 | 10 | ||
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | include disable-devel.inc | 12 | include disable-devel.inc |
13 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | 14 | include disable-interpreters.inc |
14 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
15 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | include disable-xdg.inc | ||
16 | 18 | ||
17 | mkdir ${HOME}/.config/tox | 19 | mkdir ${HOME}/.config/tox |
18 | whitelist ${DOWNLOADS} | 20 | whitelist ${DOWNLOADS} |
@@ -20,9 +22,11 @@ whitelist ${HOME}/.config/tox | |||
20 | include whitelist-common.inc | 22 | include whitelist-common.inc |
21 | include whitelist-var-common.inc | 23 | include whitelist-var-common.inc |
22 | 24 | ||
25 | apparmor | ||
23 | caps.drop all | 26 | caps.drop all |
24 | ipc-namespace | 27 | ipc-namespace |
25 | netfilter | 28 | netfilter |
29 | nodbus | ||
26 | nodvd | 30 | nodvd |
27 | nogroups | 31 | nogroups |
28 | nonewprivs | 32 | nonewprivs |
@@ -36,9 +40,9 @@ tracelog | |||
36 | 40 | ||
37 | disable-mnt | 41 | disable-mnt |
38 | private-bin qtox | 42 | private-bin qtox |
39 | private-etc alternatives,fonts,resolv.conf,ld.so.cache,localtime,ca-certificates,ssl,pki,crypto-policies,machine-id,pulse | 43 | private-cache |
40 | private-dev | 44 | private-dev |
45 | private-etc alternatives,fonts,resolv.conf,ld.so.cache,localtime,ca-certificates,ssl,pki,crypto-policies,machine-id,pulse | ||
41 | private-tmp | 46 | private-tmp |
42 | 47 | ||
43 | noexec ${HOME} | 48 | memory-deny-write-execute |
44 | noexec /tmp | ||
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile index ac9f9bfd9..9e3853a09 100644 --- a/etc/qutebrowser.profile +++ b/etc/qutebrowser.profile | |||
@@ -15,6 +15,8 @@ noblacklist ${PATH}/python2* | |||
15 | noblacklist ${PATH}/python3* | 15 | noblacklist ${PATH}/python3* |
16 | noblacklist /usr/lib/python2* | 16 | noblacklist /usr/lib/python2* |
17 | noblacklist /usr/lib/python3* | 17 | noblacklist /usr/lib/python3* |
18 | noblacklist /usr/local/lib/python2* | ||
19 | noblacklist /usr/local/lib/python3* | ||
18 | 20 | ||
19 | # with >=llvm-4 mesa drivers need llvm stuff | 21 | # with >=llvm-4 mesa drivers need llvm stuff |
20 | noblacklist /usr/lib/llvm* | 22 | noblacklist /usr/lib/llvm* |
diff --git a/etc/ranger.profile b/etc/ranger.profile index ee1ef0f9d..1e50ca9fa 100644 --- a/etc/ranger.profile +++ b/etc/ranger.profile | |||
@@ -15,6 +15,8 @@ noblacklist ${PATH}/python2* | |||
15 | noblacklist ${PATH}/python3* | 15 | noblacklist ${PATH}/python3* |
16 | noblacklist /usr/lib/python2* | 16 | noblacklist /usr/lib/python2* |
17 | noblacklist /usr/lib/python3* | 17 | noblacklist /usr/lib/python3* |
18 | noblacklist /usr/local/lib/python2* | ||
19 | noblacklist /usr/local/lib/python3* | ||
18 | 20 | ||
19 | # Allow perl | 21 | # Allow perl |
20 | # noblacklist ${PATH}/cpan* | 22 | # noblacklist ${PATH}/cpan* |
diff --git a/etc/redshift.profile b/etc/redshift.profile index 351b54075..e60877172 100644 --- a/etc/redshift.profile +++ b/etc/redshift.profile | |||
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.config/redshift.conf | |||
12 | 12 | ||
13 | include disable-common.inc | 13 | include disable-common.inc |
14 | include disable-devel.inc | 14 | include disable-devel.inc |
15 | include disable-exec.inc | ||
15 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
16 | include disable-interpreters.inc | 17 | include disable-interpreters.inc |
17 | include disable-programs.inc | 18 | include disable-programs.inc |
@@ -45,5 +46,3 @@ private-dev | |||
45 | private-tmp | 46 | private-tmp |
46 | 47 | ||
47 | memory-deny-write-execute | 48 | memory-deny-write-execute |
48 | noexec ${HOME} | ||
49 | noexec /tmp | ||
diff --git a/etc/regextester.profile b/etc/regextester.profile index 19d6a89f4..c7c59bec2 100644 --- a/etc/regextester.profile +++ b/etc/regextester.profile | |||
@@ -8,6 +8,7 @@ include globals.local | |||
8 | 8 | ||
9 | include disable-common.inc | 9 | include disable-common.inc |
10 | include disable-devel.inc | 10 | include disable-devel.inc |
11 | include disable-exec.inc | ||
11 | include disable-passwdmgr.inc | 12 | include disable-passwdmgr.inc |
12 | include disable-interpreters.inc | 13 | include disable-interpreters.inc |
13 | include disable-programs.inc | 14 | include disable-programs.inc |
@@ -45,8 +46,6 @@ private-lib libgranite.so.* | |||
45 | private-tmp | 46 | private-tmp |
46 | 47 | ||
47 | memory-deny-write-execute | 48 | memory-deny-write-execute |
48 | noexec ${HOME} | ||
49 | noexec /tmp | ||
50 | 49 | ||
51 | # never write anything | 50 | # never write anything |
52 | read-only ${HOME} | 51 | read-only ${HOME} |
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index 6b673a924..df874f378 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile | |||
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.local/share/rhythmbox | |||
12 | include disable-common.inc | 12 | include disable-common.inc |
13 | include disable-devel.inc | 13 | include disable-devel.inc |
14 | # rhythmbox is using Python | 14 | # rhythmbox is using Python |
15 | include disable-exec.inc | ||
15 | #include disable-interpreters.inc | 16 | #include disable-interpreters.inc |
16 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 18 | include disable-programs.inc |
@@ -39,5 +40,3 @@ private-bin rhythmbox | |||
39 | private-dev | 40 | private-dev |
40 | private-tmp | 41 | private-tmp |
41 | 42 | ||
42 | noexec ${HOME} | ||
43 | noexec /tmp | ||
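Review bot: The new `include disable-exec.inc` line is inserted between the comment `# rhythmbox is using Python` and the `#include disable-interpreters.inc` line that comment explains, so the comment now reads as if it justified the exec include. Move the new line above the comment (directly after `include disable-devel.inc`) so the comment stays attached to the disabled interpreters include.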
diff --git a/etc/scorched3d.profile b/etc/scorched3d.profile new file mode 100644 index 000000000..e94d436cf --- /dev/null +++ b/etc/scorched3d.profile | |||
@@ -0,0 +1,44 @@ | |||
1 | # Firejail profile for scorched3d | ||
2 | # Description: Game based loosely on the classic DOS game Scorched Earth | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include scorched3d.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.scorched3d | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-xdg.inc | ||
18 | |||
19 | mkdir ${HOME}/.scorched3d | ||
20 | whitelist ${HOME}/.scorched3d | ||
21 | include whitelist-common.inc | ||
22 | include whitelist-var-common.inc | ||
23 | |||
24 | caps.drop all | ||
25 | ipc-namespace | ||
26 | netfilter | ||
27 | nodbus | ||
28 | nodvd | ||
29 | nogroups | ||
30 | nonewprivs | ||
31 | noroot | ||
32 | notv | ||
33 | nou2f | ||
34 | novideo | ||
35 | protocol unix,inet,inet6 | ||
36 | seccomp | ||
37 | shell none | ||
38 | tracelog | ||
39 | |||
40 | disable-mnt | ||
41 | private-bin scorched3d,scorched3d-wrapper,scorched3dc,scorched3ds | ||
42 | private-cache | ||
43 | private-dev | ||
44 | private-tmp | ||
diff --git a/etc/scribus.profile b/etc/scribus.profile index a8e510b8a..5bec43d85 100644 --- a/etc/scribus.profile +++ b/etc/scribus.profile | |||
@@ -31,6 +31,8 @@ noblacklist ${PATH}/python2* | |||
31 | noblacklist ${PATH}/python3* | 31 | noblacklist ${PATH}/python3* |
32 | noblacklist /usr/lib/python2* | 32 | noblacklist /usr/lib/python2* |
33 | noblacklist /usr/lib/python3* | 33 | noblacklist /usr/lib/python3* |
34 | noblacklist /usr/local/lib/python2* | ||
35 | noblacklist /usr/local/lib/python3* | ||
34 | 36 | ||
35 | include disable-common.inc | 37 | include disable-common.inc |
36 | include disable-devel.inc | 38 | include disable-devel.inc |
diff --git a/etc/sdat2img.profile b/etc/sdat2img.profile index 01a056767..d78b51766 100644 --- a/etc/sdat2img.profile +++ b/etc/sdat2img.profile | |||
@@ -11,6 +11,8 @@ noblacklist ${PATH}/python2* | |||
11 | noblacklist ${PATH}/python3* | 11 | noblacklist ${PATH}/python3* |
12 | noblacklist /usr/lib/python2* | 12 | noblacklist /usr/lib/python2* |
13 | noblacklist /usr/lib/python3* | 13 | noblacklist /usr/lib/python3* |
14 | noblacklist /usr/local/lib/python2* | ||
15 | noblacklist /usr/local/lib/python3* | ||
14 | 16 | ||
15 | include disable-common.inc | 17 | include disable-common.inc |
16 | include disable-devel.inc | 18 | include disable-devel.inc |
diff --git a/etc/seahorse-daemon.profile b/etc/seahorse-daemon.profile new file mode 100644 index 000000000..1beb0edc6 --- /dev/null +++ b/etc/seahorse-daemon.profile | |||
@@ -0,0 +1,15 @@ | |||
1 | # Firejail profile for seahorse-daemon | ||
2 | # Description: PGP encryption and signing | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include seahorse-daemon.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include globals.local | ||
9 | |||
10 | blacklist /tmp/.X11-unix | ||
11 | |||
12 | memory-deny-write-execute | ||
13 | |||
14 | # Redirect | ||
15 | include seahorse.profile | ||
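Review bot: `blacklist /tmp/.X11-unix` is issued before `include seahorse.profile`, and the included profile manages /tmp through whitelists (`whitelist /tmp/ssh-*`), so whether the blacklist still removes the X socket depends on how firejail orders a blacklist against the whitelist entries pulled in by the redirect — presumably it does, but it is worth confirming inside the daemon sandbox rather than assuming. The daemon profile also enables `memory-deny-write-execute`, which the base seahorse.profile omits; a short comment stating that the daemon is headless and was tested with W^X enforced would explain why the two profiles differ on these points.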
diff --git a/etc/seahorse-tool.profile b/etc/seahorse-tool.profile index bbab69162..96f365a4b 100644 --- a/etc/seahorse-tool.profile +++ b/etc/seahorse-tool.profile | |||
@@ -7,22 +7,11 @@ include seahorse-tool.local | |||
7 | # added by included profile | 7 | # added by included profile |
8 | #include globals.local | 8 | #include globals.local |
9 | 9 | ||
10 | # dconf | 10 | noblacklist ${DOWNLOADS} |
11 | mkdir ${HOME}/.config/dconf | ||
12 | whitelist ${HOME}/.config/dconf | ||
13 | 11 | ||
14 | include disable-xdg.inc | ||
15 | include whitelist-var-common.inc | ||
16 | |||
17 | apparmor | ||
18 | ipc-namespace | ||
19 | |||
20 | disable-mnt | ||
21 | private-tmp | 12 | private-tmp |
22 | 13 | ||
23 | memory-deny-write-execute | 14 | memory-deny-write-execute |
24 | noexec ${HOME} | ||
25 | noexec /tmp | ||
26 | 15 | ||
27 | # Redirect | 16 | # Redirect |
28 | include gpg.profile | 17 | include seahorse.profile |
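Review bot: `noblacklist ${DOWNLOADS}` on its own will not expose the downloads directory, because the redirect target seahorse.profile now builds a whitelisted home (`include whitelist-common.inc` plus explicit `whitelist` lines for .gnupg and .ssh); a matching `whitelist ${DOWNLOADS}` is needed, as qtox does with its `whitelist ${DOWNLOADS}` line in this same commit. Also note that `private-tmp` here hides the `/tmp/ssh-*` agent sockets the base profile goes out of its way to whitelist — fine if seahorse-tool only encrypts and signs files, but a one-line comment would save the next reader the question.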
diff --git a/etc/seahorse.profile b/etc/seahorse.profile index 0bf3b89fd..cd9f6c767 100644 --- a/etc/seahorse.profile +++ b/etc/seahorse.profile | |||
@@ -4,22 +4,57 @@ | |||
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include seahorse.local | 5 | include seahorse.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | # added by included profile | 7 | include globals.local |
8 | #include globals.local | ||
9 | 8 | ||
10 | # dconf | 9 | # dconf |
11 | mkdir ${HOME}/.config/dconf | 10 | noblacklist ${HOME}/.config/dconf |
12 | whitelist ${HOME}/.config/dconf | 11 | whitelist ${HOME}/.config/dconf |
13 | 12 | ||
13 | # gpg | ||
14 | mkdir ${HOME}/.gnupg | ||
15 | noblacklist ${HOME}/.gnupg | ||
16 | whitelist ${HOME}/.gnupg | ||
17 | |||
14 | # ssh | 18 | # ssh |
19 | whitelist /etc/ld.so.preload | ||
15 | noblacklist /etc/ssh | 20 | noblacklist /etc/ssh |
21 | whitelist /etc/ssh | ||
16 | noblacklist /tmp/ssh-* | 22 | noblacklist /tmp/ssh-* |
23 | whitelist /tmp/ssh-* | ||
24 | mkdir ${HOME}/.ssh | ||
17 | noblacklist ${HOME}/.ssh | 25 | noblacklist ${HOME}/.ssh |
26 | whitelist ${HOME}/.ssh | ||
18 | 27 | ||
28 | include disable-common.inc | ||
29 | include disable-devel.inc | ||
30 | include disable-exec.inc | ||
31 | include disable-interpreters.inc | ||
32 | include disable-passwdmgr.inc | ||
33 | include disable-programs.inc | ||
34 | include disable-xdg.inc | ||
35 | include whitelist-common.inc | ||
19 | include whitelist-var-common.inc | 36 | include whitelist-var-common.inc |
20 | 37 | ||
21 | apparmor | 38 | apparmor |
22 | ipc-namespace | 39 | caps.drop all |
40 | machine-id | ||
41 | netfilter | ||
42 | no3d | ||
43 | nodvd | ||
44 | nogroups | ||
45 | nonewprivs | ||
46 | noroot | ||
47 | nosound | ||
48 | notv | ||
49 | nou2f | ||
50 | novideo | ||
51 | protocol unix,inet,inet6 | ||
52 | seccomp | ||
53 | # shell none - causes gpg to hang | ||
54 | tracelog | ||
55 | |||
56 | disable-mnt | ||
57 | private-cache | ||
58 | private-dev | ||
23 | 59 | ||
24 | # Redirect | 60 | writable-run-user |
25 | include gpg.profile | ||
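Review bot: `ipc-namespace` is present on the old side (line 22) but missing from the new hardening list (lines 38–58), and unlike `# shell none - causes gpg to hang` the drop carries no reason; if it broke something, a matching `# ipc-namespace - <reason>` comment keeps that knowledge in the profile, otherwise it should be restored. `whitelist /etc/ld.so.preload` also deserves a one-line comment, since it is not obvious why a key manager needs that file visible. The profile now exposes `${HOME}/.ssh`, `/tmp/ssh-*` and `${HOME}/.gnupg` together with `protocol unix,inet,inet6`; that matches what seahorse does, but saying so under the `# ssh` and `# gpg` headers would make the intentional exposure explicit for anyone auditing the sandbox.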
diff --git a/etc/server.profile b/etc/server.profile index 8da4853e7..686268a18 100644 --- a/etc/server.profile +++ b/etc/server.profile | |||
@@ -17,10 +17,11 @@ noblacklist /usr/sbin | |||
17 | 17 | ||
18 | include disable-common.inc | 18 | include disable-common.inc |
19 | # include disable-devel.inc | 19 | # include disable-devel.inc |
20 | # include disable-exec.inc | ||
20 | # include disable-interpreters.inc | 21 | # include disable-interpreters.inc |
21 | include disable-passwdmgr.inc | 22 | include disable-passwdmgr.inc |
22 | include disable-programs.inc | 23 | include disable-programs.inc |
23 | #include disable-xdg.inc | 24 | # include disable-xdg.inc |
24 | 25 | ||
25 | caps | 26 | caps |
26 | # ipc-namespace | 27 | # ipc-namespace |
@@ -48,5 +49,3 @@ private-dev | |||
48 | private-tmp | 49 | private-tmp |
49 | 50 | ||
50 | # memory-deny-write-execute | 51 | # memory-deny-write-execute |
51 | # noexec ${HOME} | ||
52 | # noexec /tmp | ||
diff --git a/etc/simplescreenrecorder.profile b/etc/simplescreenrecorder.profile index 6862d51ee..ead475e07 100644 --- a/etc/simplescreenrecorder.profile +++ b/etc/simplescreenrecorder.profile | |||
@@ -10,6 +10,7 @@ noblacklist ${VIDEOS} | |||
10 | 10 | ||
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | include disable-devel.inc | 12 | include disable-devel.inc |
13 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | 14 | include disable-interpreters.inc |
14 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
15 | include disable-programs.inc | 16 | include disable-programs.inc |
@@ -17,7 +18,6 @@ include disable-xdg.inc | |||
17 | 18 | ||
18 | apparmor | 19 | apparmor |
19 | caps.drop all | 20 | caps.drop all |
20 | net none | ||
21 | nodvd | 21 | nodvd |
22 | nogroups | 22 | nogroups |
23 | nonewprivs | 23 | nonewprivs |
@@ -35,5 +35,3 @@ private-dev | |||
35 | private-tmp | 35 | private-tmp |
36 | 36 | ||
37 | memory-deny-write-execute | 37 | memory-deny-write-execute |
38 | noexec ${HOME} | ||
39 | noexec /tmp | ||
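Review bot: `net none` is dropped from the new side with nothing taking its place, so the recorder now has unrestricted network access; the same removal happens in soundconverter, where old line 27 `net none` gives way to `ipc-namespace`. If a network path is genuinely needed, `netfilter` plus a comment naming the use case would keep the relaxation deliberate and bounded; if it was a local breakage, the commented-out form used elsewhere in this commit for `shell none` (`# net none - <reason>`) preserves the intent for the next maintainer.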
diff --git a/etc/slashem.profile b/etc/slashem.profile new file mode 100644 index 000000000..0a372ce5f --- /dev/null +++ b/etc/slashem.profile | |||
@@ -0,0 +1,47 @@ | |||
1 | # Firejail profile for slashem | ||
2 | # Description: A rogue-like single player dungeon exploration game | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include slashem.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | |||
10 | noblacklist /var/games/slashem | ||
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | |||
18 | whitelist /var/games/slashem | ||
19 | include whitelist-common.inc | ||
20 | include whitelist-var-common.inc | ||
21 | |||
22 | caps.drop all | ||
23 | ipc-namespace | ||
24 | net none | ||
25 | no3d | ||
26 | nodbus | ||
27 | nodvd | ||
28 | nogroups | ||
29 | #nonewprivs | ||
30 | #noroot | ||
31 | nosound | ||
32 | notv | ||
33 | novideo | ||
34 | #protocol unix,netlink | ||
35 | #seccomp | ||
36 | shell none | ||
37 | |||
38 | disable-mnt | ||
39 | #private | ||
40 | private-cache | ||
41 | private-dev | ||
42 | private-tmp | ||
43 | writable-var | ||
44 | |||
45 | #memory-deny-write-execute | ||
46 | noexec ${HOME} | ||
47 | noexec /tmp | ||
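Review bot: `#nonewprivs`, `#noroot`, `#protocol unix,netlink` and `#seccomp` ship commented out with no reason given, which leaves this new profile without the privilege-escalation guards the other new profiles in this commit (pioneer, scorched3d) enable; presumably the game binary is setgid for `/var/games/slashem` (hence `writable-var`), and a one-line comment saying so next to the disabled lines would make the trade-off reviewable. The file also keeps the explicit `noexec ${HOME}` / `noexec /tmp` pair that the rest of this commit replaces with `include disable-exec.inc`, omits the `include disable-xdg.inc` that pioneer and scorched3d carry, and has a stray double blank line after `include globals.local`.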
diff --git a/etc/smplayer.profile b/etc/smplayer.profile index 57ab2cde6..e347d23d6 100644 --- a/etc/smplayer.profile +++ b/etc/smplayer.profile | |||
@@ -13,6 +13,7 @@ noblacklist ${VIDEOS} | |||
13 | 13 | ||
14 | include disable-common.inc | 14 | include disable-common.inc |
15 | include disable-devel.inc | 15 | include disable-devel.inc |
16 | include disable-exec.inc | ||
16 | include disable-interpreters.inc | 17 | include disable-interpreters.inc |
17 | include disable-passwdmgr.inc | 18 | include disable-passwdmgr.inc |
18 | include disable-programs.inc | 19 | include disable-programs.inc |
@@ -36,5 +37,3 @@ private-bin smplayer,smtube,mplayer,mpv | |||
36 | private-dev | 37 | private-dev |
37 | private-tmp | 38 | private-tmp |
38 | 39 | ||
39 | noexec ${HOME} | ||
40 | noexec /tmp | ||
diff --git a/etc/soundconverter.profile b/etc/soundconverter.profile index d34ccf901..4d6e80840 100644 --- a/etc/soundconverter.profile +++ b/etc/soundconverter.profile | |||
@@ -13,9 +13,12 @@ noblacklist ${PATH}/python2* | |||
13 | noblacklist ${PATH}/python3* | 13 | noblacklist ${PATH}/python3* |
14 | noblacklist /usr/lib/python2* | 14 | noblacklist /usr/lib/python2* |
15 | noblacklist /usr/lib/python3* | 15 | noblacklist /usr/lib/python3* |
16 | noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
16 | 18 | ||
17 | include disable-common.inc | 19 | include disable-common.inc |
18 | include disable-devel.inc | 20 | include disable-devel.inc |
21 | include disable-exec.inc | ||
19 | include disable-interpreters.inc | 22 | include disable-interpreters.inc |
20 | include disable-passwdmgr.inc | 23 | include disable-passwdmgr.inc |
21 | include disable-programs.inc | 24 | include disable-programs.inc |
@@ -23,8 +26,10 @@ include disable-xdg.inc | |||
23 | 26 | ||
24 | include whitelist-var-common.inc | 27 | include whitelist-var-common.inc |
25 | 28 | ||
29 | apparmor | ||
26 | caps.drop all | 30 | caps.drop all |
27 | net none | 31 | ipc-namespace |
32 | machine-id | ||
28 | no3d | 33 | no3d |
29 | nodvd | 34 | nodvd |
30 | nogroups | 35 | nogroups |
@@ -42,5 +47,3 @@ private-cache | |||
42 | private-dev | 47 | private-dev |
43 | private-tmp | 48 | private-tmp |
44 | 49 | ||
45 | noexec ${HOME} | ||
46 | noexec /tmp | ||
diff --git a/etc/sqlitebrowser.profile b/etc/sqlitebrowser.profile index 8122079e1..4758871d3 100644 --- a/etc/sqlitebrowser.profile +++ b/etc/sqlitebrowser.profile | |||
@@ -11,6 +11,7 @@ noblacklist ${DOCUMENTS} | |||
11 | 11 | ||
12 | include disable-common.inc | 12 | include disable-common.inc |
13 | include disable-devel.inc | 13 | include disable-devel.inc |
14 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
15 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 17 | include disable-programs.inc |
@@ -42,5 +43,3 @@ private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id, | |||
42 | private-tmp | 43 | private-tmp |
43 | 44 | ||
44 | memory-deny-write-execute | 45 | memory-deny-write-execute |
45 | noexec ${HOME} | ||
46 | noexec /tmp | ||
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile index 02b66955f..8aafca8aa 100644 --- a/etc/ssh-agent.profile +++ b/etc/ssh-agent.profile | |||
@@ -16,7 +16,6 @@ include disable-common.inc | |||
16 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 17 | include disable-programs.inc |
18 | 18 | ||
19 | shell none | ||
20 | caps.drop all | 19 | caps.drop all |
21 | netfilter | 20 | netfilter |
22 | no3d | 21 | no3d |
@@ -26,4 +25,6 @@ noroot | |||
26 | notv | 25 | notv |
27 | protocol unix,inet,inet6 | 26 | protocol unix,inet,inet6 |
28 | seccomp | 27 | seccomp |
28 | shell none | ||
29 | |||
29 | writable-run-user | 30 | writable-run-user |
diff --git a/etc/ssh.profile b/etc/ssh.profile index de627dcf0..4c8af65b8 100644 --- a/etc/ssh.profile +++ b/etc/ssh.profile | |||
@@ -12,6 +12,7 @@ noblacklist /tmp/ssh-* | |||
12 | noblacklist ${HOME}/.ssh | 12 | noblacklist ${HOME}/.ssh |
13 | 13 | ||
14 | include disable-common.inc | 14 | include disable-common.inc |
15 | include disable-exec.inc | ||
15 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 17 | include disable-programs.inc |
17 | 18 | ||
@@ -36,6 +37,4 @@ private-dev | |||
36 | # private-tmp # Breaks when exiting | 37 | # private-tmp # Breaks when exiting |
37 | 38 | ||
38 | memory-deny-write-execute | 39 | memory-deny-write-execute |
39 | noexec ${HOME} | ||
40 | noexec /tmp | ||
41 | writable-run-user | 40 | writable-run-user |
diff --git a/etc/standardnotes-desktop.profile b/etc/standardnotes-desktop.profile index ba7248b73..5458120ef 100644 --- a/etc/standardnotes-desktop.profile +++ b/etc/standardnotes-desktop.profile | |||
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/Standard Notes | |||
10 | 10 | ||
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | include disable-devel.inc | 12 | include disable-devel.inc |
13 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | 14 | include disable-interpreters.inc |
14 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
15 | include disable-programs.inc | 16 | include disable-programs.inc |
@@ -40,5 +41,3 @@ private-dev | |||
40 | private-tmp | 41 | private-tmp |
41 | private-etc alternatives,ca-certificates,fonts,host.conf,hostname,hosts,resolv.conf,ssl,pki,crypto-policies,xdg | 42 | private-etc alternatives,ca-certificates,fonts,host.conf,hostname,hosts,resolv.conf,ssl,pki,crypto-policies,xdg |
42 | 43 | ||
43 | noexec ${HOME} | ||
44 | noexec /tmp | ||
diff --git a/etc/start-tor-browser.desktop.profile b/etc/start-tor-browser.desktop.profile index 2b01eca88..a61038157 100644 --- a/etc/start-tor-browser.desktop.profile +++ b/etc/start-tor-browser.desktop.profile | |||
@@ -1,66 +1,75 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | # Persistent local customizations | |
4 | 4 | include start-tor-browser.desktop.local | |
5 | noblacklist ${HOME}/.tor-browser-ar: | 5 | |
6 | mkdir ${HOME}/.tor-browser-ar: | 6 | |
7 | whitelist ${HOME}/.tor-browser-ar: | 7 | noblacklist ${HOME}/.tor-browser-* |
8 | 8 | noblacklist ${HOME}/.tor-browser_* | |
9 | noblacklist ${HOME}/.tor-browser-en: | 9 | |
10 | mkdir ${HOME}/.tor-browser-en: | 10 | whitelist ${HOME}/.tor-browser-ar |
11 | whitelist ${HOME}/.tor-browser-en: | 11 | whitelist ${HOME}/.tor-browser-ca |
12 | 12 | whitelist ${HOME}/.tor-browser-cs | |
13 | noblacklist ${HOME}/.tor-browser-en-us: | 13 | whitelist ${HOME}/.tor-browser-da |
14 | mkdir ${HOME}/.tor-browser-en-us: | 14 | whitelist ${HOME}/.tor-browser-de |
15 | whitelist ${HOME}/.tor-browser-en-us: | 15 | whitelist ${HOME}/.tor-browser-el |
16 | 16 | whitelist ${HOME}/.tor-browser-en | |
17 | noblacklist ${HOME}/.tor-browser-es: | 17 | whitelist ${HOME}/.tor-browser-en-us |
18 | mkdir ${HOME}/.tor-browser-es: | 18 | whitelist ${HOME}/.tor-browser-es |
19 | whitelist ${HOME}/.tor-browser-es: | 19 | whitelist ${HOME}/.tor-browser-es-es |
20 | 20 | whitelist ${HOME}/.tor-browser-fa | |
21 | noblacklist ${HOME}/.tor-browser-es-es: | 21 | whitelist ${HOME}/.tor-browser-fr |
22 | mkdir ${HOME}/.tor-browser-es-es: | 22 | whitelist ${HOME}/.tor-browser-ga-ie |
23 | whitelist ${HOME}/.tor-browser-es-es: | 23 | whitelist ${HOME}/.tor-browser-he |
24 | 24 | whitelist ${HOME}/.tor-browser-hu | |
25 | noblacklist ${HOME}/.tor-browser-fa: | 25 | whitelist ${HOME}/.tor-browser-id |
26 | mkdir ${HOME}/.tor-browser-fa: | 26 | whitelist ${HOME}/.tor-browser-is |
27 | whitelist ${HOME}/.tor-browser-fa: | 27 | whitelist ${HOME}/.tor-browser-it |
28 | 28 | whitelist ${HOME}/.tor-browser-ja | |
29 | noblacklist ${HOME}/.tor-browser-fr: | 29 | whitelist ${HOME}/.tor-browser-ka |
30 | mkdir ${HOME}/.tor-browser-fr: | 30 | whitelist ${HOME}/.tor-browser-ko |
31 | whitelist ${HOME}/.tor-browser-fr: | 31 | whitelist ${HOME}/.tor-browser-nb |
32 | 32 | whitelist ${HOME}/.tor-browser-nl | |
33 | noblacklist ${HOME}/.tor-browser-it: | 33 | whitelist ${HOME}/.tor-browser-pl |
34 | mkdir ${HOME}/.tor-browser-it: | 34 | whitelist ${HOME}/.tor-browser-pt-br |
35 | whitelist ${HOME}/.tor-browser-it: | 35 | whitelist ${HOME}/.tor-browser-ru |
36 | 36 | whitelist ${HOME}/.tor-browser-sv-se | |
37 | noblacklist ${HOME}/.tor-browser-ja: | 37 | whitelist ${HOME}/.tor-browser-tr |
38 | mkdir ${HOME}/.tor-browser-ja: | 38 | whitelist ${HOME}/.tor-browser-vi |
39 | whitelist ${HOME}/.tor-browser-ja: | 39 | whitelist ${HOME}/.tor-browser-zh-cn |
40 | 40 | whitelist ${HOME}/.tor-browser-zh-tw | |
41 | noblacklist ${HOME}/.tor-browser-ko: | 41 | |
42 | mkdir ${HOME}/.tor-browser-ko: | 42 | whitelist ${HOME}/.tor-browser_ar |
43 | whitelist ${HOME}/.tor-browser-ko: | 43 | whitelist ${HOME}/.tor-browser_ca |
44 | 44 | whitelist ${HOME}/.tor-browser_cs | |
45 | noblacklist ${HOME}/.tor-browser-pl: | 45 | whitelist ${HOME}/.tor-browser_da |
46 | mkdir ${HOME}/.tor-browser-pl: | 46 | whitelist ${HOME}/.tor-browser_de |
47 | whitelist ${HOME}/.tor-browser-pl: | 47 | whitelist ${HOME}/.tor-browser_el |
48 | 48 | whitelist ${HOME}/.tor-browser_en | |
49 | noblacklist ${HOME}/.tor-browser-pt-br: | 49 | whitelist ${HOME}/.tor-browser_en_US |
50 | mkdir ${HOME}/.tor-browser-pt-br: | 50 | whitelist ${HOME}/.tor-browser_es |
51 | whitelist ${HOME}/.tor-browser-pt-br: | 51 | whitelist ${HOME}/.tor-browser_es-ES |
52 | 52 | whitelist ${HOME}/.tor-browser_fa | |
53 | noblacklist ${HOME}/.tor-browser-ru: | 53 | whitelist ${HOME}/.tor-browser_fr |
54 | mkdir ${HOME}/.tor-browser-ru: | 54 | whitelist ${HOME}/.tor-browser_ga-IE |
55 | whitelist ${HOME}/.tor-browser-ru: | 55 | whitelist ${HOME}/.tor-browser_he |
56 | 56 | whitelist ${HOME}/.tor-browser_hu | |
57 | noblacklist ${HOME}/.tor-browser-vi: | 57 | whitelist ${HOME}/.tor-browser_id |
58 | mkdir ${HOME}/.tor-browser-vi: | 58 | whitelist ${HOME}/.tor-browser_is |
59 | whitelist ${HOME}/.tor-browser-vi: | 59 | whitelist ${HOME}/.tor-browser_it |
60 | 60 | whitelist ${HOME}/.tor-browser_ja | |
61 | noblacklist ${HOME}/.tor-browser-zh-cn: | 61 | whitelist ${HOME}/.tor-browser_ka |
62 | mkdir ${HOME}/.tor-browser-zh-cn: | 62 | whitelist ${HOME}/.tor-browser_ko |
63 | whitelist ${HOME}/.tor-browser-zh-cn: | 63 | whitelist ${HOME}/.tor-browser_nb |
64 | whitelist ${HOME}/.tor-browser_nl | ||
65 | whitelist ${HOME}/.tor-browser_pl | ||
66 | whitelist ${HOME}/.tor-browser_pt-BR | ||
67 | whitelist ${HOME}/.tor-browser_ru | ||
68 | whitelist ${HOME}/.tor-browser_sv-SE | ||
69 | whitelist ${HOME}/.tor-browser_tr | ||
70 | whitelist ${HOME}/.tor-browser_vi | ||
71 | whitelist ${HOME}/.tor-browser_zh-CN | ||
72 | whitelist ${HOME}/.tor-browser_zh-TW | ||
64 | 73 | ||
65 | # Redirect | 74 | # Redirect |
66 | include torbrowser-launcher.profile | 75 | include torbrowser-launcher.profile |
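Review bot: The per-locale `mkdir ${HOME}/.tor-browser-*` lines are gone on the new side while the whitelists remain, yet the new profiles in this same commit (pioneer, scorched3d) still pair `mkdir` with `whitelist`; if whitelisting a directory that does not yet exist is ignored, a first run would land the browser's profile directory in the sandbox's temporary home and lose it on exit. Either restore the `mkdir` lines for the locales actually used, or add a comment pointing at where the redirect target torbrowser-launcher.profile creates them, if it does. Fixing the trailing-colon typos (`.tor-browser-ar:` and friends) is a welcome side effect of the rewrite.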
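--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -5,9 +5,11 @@ include start-tor-browser.local
 # Persistent global definitions
 include globals.local
 
+ignore noexec ${HOME}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -36,5 +38,3 @@ private-bin bash,sh,grep,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,r
 private-dev
 private-etc alternatives,fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id,ld.so.cache
 private-tmp
-
-noexec /tmp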
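Review bot: `ignore noexec ${HOME}` (new line 8) waives a hardening rule without a comment saying why, and because it is placed before the newly added `include disable-exec.inc` a reader cannot see which noexec it is meant to cancel. Presumably Tor Browser is unpacked into and started from a directory under ${HOME}, so the profile has to keep ${HOME} executable; a comment such as `# Tor Browser is extracted into and run from ${HOME}; waive the noexec set by disable-exec.inc` would record that. Dropping `noexec /tmp` in the second hunk is fine only if disable-exec.inc now supplies it, which is not visible here and should be confirmed.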
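--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -36,6 +36,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc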
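Review bot: The two added `noblacklist /usr/local/lib/python*` lines expose locally installed, non-distribution Python packages to the sandbox without a comment saying why steam needs them; subdownloader.profile receives the same two lines in this commit. Packages under /usr/local are typically installed by hand (e.g. with pip) rather than by the package manager, so they carry less assurance than those under /usr/lib, and the widening deserves a note such as `# also allow Python modules installed under /usr/local (e.g. via pip)`. The enclosing profile continues outside the hunk.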
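--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -8,6 +8,7 @@ include strings.local
 #include globals.local
 
 blacklist /tmp/.X11-unix
+include disable-exec.inc
 
 ignore noroot
 net none
@@ -28,7 +29,5 @@ private-etc alternatives
 private-lib libfakeroot
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 
 include default.profile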
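--- a/etc/subdownloader.profile
+++ b/etc/subdownloader.profile
@@ -14,9 +14,12 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -42,5 +45,3 @@ private-etc alternatives,fonts
 private-tmp
 
 # memory-deny-write-execute - Breaks on Arch
-noexec ${HOME}
-noexec /tmp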
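--- a/etc/supertuxkart.profile
+++ b/etc/supertuxkart.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.local/share/supertuxkart
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
@@ -51,5 +52,3 @@ private-tmp
 private-opt none
 private-srv none
 
-noexec ${HOME}
-noexec /tmp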
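--- a/etc/sysprof.profile
+++ b/etc/sysprof.profile
@@ -8,6 +8,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +44,3 @@ private-etc alternatives,fonts,ld.so.cache,machine-id,ssl
 private-tmp
 
 # memory-deny-write-execute - Breaks GUI on Arch
-noexec ${HOME}
-noexec /tmp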
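--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -10,12 +10,20 @@ include tar.local
 
 blacklist /tmp/.X11-unix
 
-hostname tar
+include disable-exec.inc
+include disable-interpreters.inc
+
 ignore noroot
+
+apparmor
+hostname tar
+ipc-namespace
+machine-id
 net none
 no3d
 nodbus
 nodvd
+nogroups
 nosound
 notv
 nou2f
@@ -25,10 +33,13 @@ tracelog
 
 # support compressed archives
 private-bin sh,bash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop
+private-cache
 private-dev
 private-etc alternatives,passwd,group,localtime
 private-lib libfakeroot
 
+memory-deny-write-execute
+
 # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
 writable-var
 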
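Review bot: `memory-deny-write-execute` (new line 41) and `apparmor` (new line 18) are added with no note on where they were tested, while sibling profiles in this commit (subdownloader, sysprof) carry `# memory-deny-write-execute - Breaks on Arch` comments; tar is a plain native binary so breakage is unlikely, but the profile also keeps `writable-var` for `dpkg --unpack`, and if the newly included disable-exec.inc applies noexec to /var (not visible here) that path should be re-tested on Debian-based systems. Recording the result in a one-line comment above `memory-deny-write-execute` would spare the next person the same check.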
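--- /dev/null
+++ b/etc/teeworlds.profile
@@ -0,0 +1,44 @@
+# Firejail profile for teeworlds
+# Description: Online multi-player platform 2D shooter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include teeworlds.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.teeworlds
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.teeworlds
+whitelist ${HOME}/.teeworlds
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin teeworlds
+private-cache
+private-dev
+private-tmp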
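Review bot: The new profile has no `private-etc` line, so the whole host /etc, including any host-specific or credential-bearing files kept there, stays visible inside the sandbox, while the other full profiles on this page narrow it (for example start-tor-browser.profile's `private-etc alternatives,fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id,ld.so.cache`). A networked game with audio needs roughly that set, so starting from that list and trimming it to what teeworlds actually opens would close the gap. `nosound` is presumably left out on purpose for a game; a short comment saying so would keep a later hardening pass from adding it.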
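--- /dev/null
+++ b/etc/tor-browser-ca.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-ca
+
+mkdir ${HOME}/.tor-browser-ca
+whitelist ${HOME}/.tor-browser-ca
+
+# Redirect
+include torbrowser-launcher.profile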
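--- /dev/null
+++ b/etc/tor-browser-cs.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-cs
+
+mkdir ${HOME}/.tor-browser-cs
+whitelist ${HOME}/.tor-browser-cs
+
+# Redirect
+include torbrowser-launcher.profile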
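--- /dev/null
+++ b/etc/tor-browser-da.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-da
+
+mkdir ${HOME}/.tor-browser-da
+whitelist ${HOME}/.tor-browser-da
+
+# Redirect
+include torbrowser-launcher.profile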
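--- /dev/null
+++ b/etc/tor-browser-de.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-de
+
+mkdir ${HOME}/.tor-browser-de
+whitelist ${HOME}/.tor-browser-de
+
+# Redirect
+include torbrowser-launcher.profile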
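--- /dev/null
+++ b/etc/tor-browser-el.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-el
+
+mkdir ${HOME}/.tor-browser-el
+whitelist ${HOME}/.tor-browser-el
+
+# Redirect
+include torbrowser-launcher.profile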
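--- /dev/null
+++ b/etc/tor-browser-ga-ie.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-ga-ie
+
+mkdir ${HOME}/.tor-browser-ga-ie
+whitelist ${HOME}/.tor-browser-ga-ie
+
+# Redirect
+include torbrowser-launcher.profile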
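Review bot: This alias whitelists an all-lowercase directory, `${HOME}/.tor-browser-ga-ie`, whereas the underscore alias added later in this commit uses `${HOME}/.tor-browser_ga-IE`; the same split exists for tor-browser-sv-se against tor-browser_sv-SE and tor-browser-zh-tw against tor-browser_zh-TW. On a case-sensitive filesystem these are different directories, so whichever spelling the launcher does not create leaves an alias that `mkdir`s and whitelists an empty directory instead of the browser's data. The first file section on this page shows the older whitelists used the lowercase hyphenated form, so these may be intentional compatibility aliases; if so, a comment such as `# legacy lowercase directory name kept for existing installs` would make that clear, and if not, the lowercase names should be checked against what torbrowser-launcher actually writes.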
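--- /dev/null
+++ b/etc/tor-browser-he.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-he
+
+mkdir ${HOME}/.tor-browser-he
+whitelist ${HOME}/.tor-browser-he
+
+# Redirect
+include torbrowser-launcher.profile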
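--- /dev/null
+++ b/etc/tor-browser-hu.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-hu
+
+mkdir ${HOME}/.tor-browser-hu
+whitelist ${HOME}/.tor-browser-hu
+
+# Redirect
+include torbrowser-launcher.profile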
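--- /dev/null
+++ b/etc/tor-browser-id.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-id
+
+mkdir ${HOME}/.tor-browser-id
+whitelist ${HOME}/.tor-browser-id
+
+# Redirect
+include torbrowser-launcher.profile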
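--- /dev/null
+++ b/etc/tor-browser-is.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-is
+
+mkdir ${HOME}/.tor-browser-is
+whitelist ${HOME}/.tor-browser-is
+
+# Redirect
+include torbrowser-launcher.profile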
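--- /dev/null
+++ b/etc/tor-browser-ka.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-ka
+
+mkdir ${HOME}/.tor-browser-ka
+whitelist ${HOME}/.tor-browser-ka
+
+# Redirect
+include torbrowser-launcher.profile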
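--- /dev/null
+++ b/etc/tor-browser-nb.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-nb
+
+mkdir ${HOME}/.tor-browser-nb
+whitelist ${HOME}/.tor-browser-nb
+
+# Redirect
+include torbrowser-launcher.profile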
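--- /dev/null
+++ b/etc/tor-browser-nl.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-nl
+
+mkdir ${HOME}/.tor-browser-nl
+whitelist ${HOME}/.tor-browser-nl
+
+# Redirect
+include torbrowser-launcher.profile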
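--- /dev/null
+++ b/etc/tor-browser-sv-se.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-sv-se
+
+mkdir ${HOME}/.tor-browser-sv-se
+whitelist ${HOME}/.tor-browser-sv-se
+
+# Redirect
+include torbrowser-launcher.profile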
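--- /dev/null
+++ b/etc/tor-browser-tr.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-tr
+
+mkdir ${HOME}/.tor-browser-tr
+whitelist ${HOME}/.tor-browser-tr
+
+# Redirect
+include torbrowser-launcher.profile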
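--- /dev/null
+++ b/etc/tor-browser-zh-tw.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-zh-tw
+
+mkdir ${HOME}/.tor-browser-zh-tw
+whitelist ${HOME}/.tor-browser-zh-tw
+
+# Redirect
+include torbrowser-launcher.profile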
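--- /dev/null
+++ b/etc/tor-browser_ar.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ar
+
+mkdir ${HOME}/.tor-browser_ar
+whitelist ${HOME}/.tor-browser_ar
+
+# Redirect
+include torbrowser-launcher.profile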
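--- /dev/null
+++ b/etc/tor-browser_ca.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ca
+
+mkdir ${HOME}/.tor-browser_ca
+whitelist ${HOME}/.tor-browser_ca
+
+# Redirect
+include torbrowser-launcher.profile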
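--- /dev/null
+++ b/etc/tor-browser_cs.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_cs
+
+mkdir ${HOME}/.tor-browser_cs
+whitelist ${HOME}/.tor-browser_cs
+
+# Redirect
+include torbrowser-launcher.profile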
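--- /dev/null
+++ b/etc/tor-browser_da.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_da
+
+mkdir ${HOME}/.tor-browser_da
+whitelist ${HOME}/.tor-browser_da
+
+# Redirect
+include torbrowser-launcher.profile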
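--- /dev/null
+++ b/etc/tor-browser_de.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_de
+
+mkdir ${HOME}/.tor-browser_de
+whitelist ${HOME}/.tor-browser_de
+
+# Redirect
+include torbrowser-launcher.profile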
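--- /dev/null
+++ b/etc/tor-browser_el.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_el
+
+mkdir ${HOME}/.tor-browser_el
+whitelist ${HOME}/.tor-browser_el
+
+# Redirect
+include torbrowser-launcher.profile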
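--- /dev/null
+++ b/etc/tor-browser_en-US.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_en-US
+
+mkdir ${HOME}/.tor-browser_en-US
+whitelist ${HOME}/.tor-browser_en-US
+
+# Redirect
+include torbrowser-launcher.profile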
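--- /dev/null
+++ b/etc/tor-browser_en.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_en
+
+mkdir ${HOME}/.tor-browser_en
+whitelist ${HOME}/.tor-browser_en
+
+# Redirect
+include torbrowser-launcher.profile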
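--- /dev/null
+++ b/etc/tor-browser_es-ES.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_es-ES
+
+mkdir ${HOME}/.tor-browser_es-ES
+whitelist ${HOME}/.tor-browser_es-ES
+
+# Redirect
+include torbrowser-launcher.profile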
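--- /dev/null
+++ b/etc/tor-browser_es.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_es
+
+mkdir ${HOME}/.tor-browser_es
+whitelist ${HOME}/.tor-browser_es
+
+# Redirect
+include torbrowser-launcher.profile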
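--- /dev/null
+++ b/etc/tor-browser_fa.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_fa
+
+mkdir ${HOME}/.tor-browser_fa
+whitelist ${HOME}/.tor-browser_fa
+
+# Redirect
+include torbrowser-launcher.profile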
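--- /dev/null
+++ b/etc/tor-browser_fr.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_fr
+
+mkdir ${HOME}/.tor-browser_fr
+whitelist ${HOME}/.tor-browser_fr
+
+# Redirect
+include torbrowser-launcher.profile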
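--- /dev/null
+++ b/etc/tor-browser_ga-IE.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ga-IE
+
+mkdir ${HOME}/.tor-browser_ga-IE
+whitelist ${HOME}/.tor-browser_ga-IE
+
+# Redirect
+include torbrowser-launcher.profile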
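--- /dev/null
+++ b/etc/tor-browser_he.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_he
+
+mkdir ${HOME}/.tor-browser_he
+whitelist ${HOME}/.tor-browser_he
+
+# Redirect
+include torbrowser-launcher.profile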
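--- /dev/null
+++ b/etc/tor-browser_hu.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_hu
+
+mkdir ${HOME}/.tor-browser_hu
+whitelist ${HOME}/.tor-browser_hu
+
+# Redirect
+include torbrowser-launcher.profile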
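--- /dev/null
+++ b/etc/tor-browser_id.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_id
+
+mkdir ${HOME}/.tor-browser_id
+whitelist ${HOME}/.tor-browser_id
+
+# Redirect
+include torbrowser-launcher.profile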
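--- /dev/null
+++ b/etc/tor-browser_is.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_is
+
+mkdir ${HOME}/.tor-browser_is
+whitelist ${HOME}/.tor-browser_is
+
+# Redirect
+include torbrowser-launcher.profile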
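--- /dev/null
+++ b/etc/tor-browser_it.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_it
+
+mkdir ${HOME}/.tor-browser_it
+whitelist ${HOME}/.tor-browser_it
+
+# Redirect
+include torbrowser-launcher.profile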
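--- /dev/null
+++ b/etc/tor-browser_ja.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ja
+
+mkdir ${HOME}/.tor-browser_ja
+whitelist ${HOME}/.tor-browser_ja
+
+# Redirect
+include torbrowser-launcher.profile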
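--- /dev/null
+++ b/etc/tor-browser_ka.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ka
+
+mkdir ${HOME}/.tor-browser_ka
+whitelist ${HOME}/.tor-browser_ka
+
+# Redirect
+include torbrowser-launcher.profile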
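--- /dev/null
+++ b/etc/tor-browser_ko.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ko
+
+mkdir ${HOME}/.tor-browser_ko
+whitelist ${HOME}/.tor-browser_ko
+
+# Redirect
+include torbrowser-launcher.profile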
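--- /dev/null
+++ b/etc/tor-browser_nb.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_nb
+
+mkdir ${HOME}/.tor-browser_nb
+whitelist ${HOME}/.tor-browser_nb
+
+# Redirect
+include torbrowser-launcher.profile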
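--- /dev/null
+++ b/etc/tor-browser_nl.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_nl
+
+mkdir ${HOME}/.tor-browser_nl
+whitelist ${HOME}/.tor-browser_nl
+
+# Redirect
+include torbrowser-launcher.profile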
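--- /dev/null
+++ b/etc/tor-browser_pl.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_pl
+
+mkdir ${HOME}/.tor-browser_pl
+whitelist ${HOME}/.tor-browser_pl
+
+# Redirect
+include torbrowser-launcher.profile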
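--- /dev/null
+++ b/etc/tor-browser_pt-BR.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_pt-BR
+
+mkdir ${HOME}/.tor-browser_pt-BR
+whitelist ${HOME}/.tor-browser_pt-BR
+
+# Redirect
+include torbrowser-launcher.profile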
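--- /dev/null
+++ b/etc/tor-browser_ru.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ru
+
+mkdir ${HOME}/.tor-browser_ru
+whitelist ${HOME}/.tor-browser_ru
+
+# Redirect
+include torbrowser-launcher.profile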
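--- /dev/null
+++ b/etc/tor-browser_sv-SE.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_sv-SE
+
+mkdir ${HOME}/.tor-browser_sv-SE
+whitelist ${HOME}/.tor-browser_sv-SE
+
+# Redirect
+include torbrowser-launcher.profile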
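--- /dev/null
+++ b/etc/tor-browser_tr.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_tr
+
+mkdir ${HOME}/.tor-browser_tr
+whitelist ${HOME}/.tor-browser_tr
+
+# Redirect
+include torbrowser-launcher.profile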
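--- /dev/null
+++ b/etc/tor-browser_vi.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_vi
+
+mkdir ${HOME}/.tor-browser_vi
+whitelist ${HOME}/.tor-browser_vi
+
+# Redirect
+include torbrowser-launcher.profile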
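--- /dev/null
+++ b/etc/tor-browser_zh-CN.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_zh-CN
+
+mkdir ${HOME}/.tor-browser_zh-CN
+whitelist ${HOME}/.tor-browser_zh-CN
+
+# Redirect
+include torbrowser-launcher.profile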
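--- /dev/null
+++ b/etc/tor-browser_zh-TW.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_zh-TW
+
+mkdir ${HOME}/.tor-browser_zh-TW
+whitelist ${HOME}/.tor-browser_zh-TW
+
+# Redirect
+include torbrowser-launcher.profile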
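--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -6,6 +6,8 @@ include torbrowser-launcher.local
 # Persistent global definitions
 include globals.local
 
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.config/torbrowser
 noblacklist ${HOME}/.local/share/torbrowser
 
@@ -14,9 +16,12 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -51,5 +56,3 @@ private-bin bash,cp,dirname,env,expr,file,getconf,gpg,grep,id,ln,mkdir,python*,r
 private-dev
 private-etc alternatives,fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id,ld.so.cache
 private-tmp
-
-noexec /tmp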
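Review bot: The `ignore noexec ${HOME}` added at new line 9 is undocumented, while the same directive in youtube-dl.profile in this commit explains itself; a later hardening pass could drop it without knowing it is load-bearing. The per-locale tor-browser_* aliases added alongside whitelist `${HOME}/.tor-browser_*`, presumably where the launcher unpacks and runs the browser, so I would put `# Tor Browser is unpacked into and executed from ${HOME}, see the tor-browser_* aliases` above it. Removing the explicit `noexec /tmp` (old line 55) is only neutral if disable-exec.inc, which is outside this diff, carries that mount; worth confirming, as nothing shown here makes the private-tmp mount noexec on its own.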
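--- /dev/null
+++ b/etc/torcs.profile
@@ -0,0 +1,43 @@
+# Firejail profile for torcs
+# Description: The Open Racing Car Simulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include torcs.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.torcs
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.torcs
+whitelist ${HOME}/.torcs
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-tmp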
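Review bot: torcs.profile has no `private-bin` line, while the sibling game profiles added in this commit (tremulous, warsow, widelands) each pin one, so the whole system bin directory stays visible to this sandbox. If a wrapper script makes private-bin impractical for torcs, a comment saying so, e.g. `# private-bin omitted: torcs is started through a wrapper script`, would stop the next person from adding it blindly; otherwise `private-bin torcs` would bring it in line with the others. `net none` together with `protocol unix` is a good fit for a single-player game and is the tightest network stance of the four.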
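--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -13,6 +13,7 @@ noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,5 +40,3 @@ private-dev
 # private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
-noexec ${HOME}
-noexec /tmp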
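Review bot: Replacing the explicit `noexec ${HOME}` and `noexec /tmp` (old lines 42–43) with `include disable-exec.inc` is behaviour-preserving only if that include carries both mounts, and the include itself is outside this diff, so that is worth a one-off check before merge. The same swap is made in transgui, transmission-cli, transmission-daemon, transmission-gtk, transmission-qt, transmission-remote, transmission-show, viewnior, vlc, wireshark, xed, xfce4-mixer, xplayer, xreader and xviewer in this commit, and they all stand or fall together. If disable-exec.inc also marks further paths noexec, any of these applications that runs helpers from such a path will now need an `ignore noexec <path>` line of its own, as torbrowser-launcher and youtube-dl do for `${HOME}` in this commit.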
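--- a/etc/transgui.profile
+++ b/etc/transgui.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/transgui
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -48,5 +49,3 @@ private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp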
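--- a/etc/transmission-cli.profile
+++ b/etc/transmission-cli.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.config/transmission
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,5 +41,3 @@ private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp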
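--- a/etc/transmission-daemon.profile
+++ b/etc/transmission-daemon.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.config/transmission
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -41,5 +42,3 @@ private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp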
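--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.config/transmission
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -47,5 +48,3 @@ private-tmp
 
 # Causes freeze during opening file dialog in Archlinux, see issue #1855
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp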
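--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.config/transmission
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -46,5 +47,3 @@ private-dev
 private-tmp
 
 # memory-deny-write-execute - problems on Qt 5.10.0, KDE Frameworks 5.41.0
-noexec ${HOME}
-noexec /tmp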
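--- a/etc/transmission-remote-cli.profile
+++ b/etc/transmission-remote-cli.profile
@@ -7,11 +7,13 @@ include transmission-remote-cli.local
 # added by included profile
 #include globals.local
 
-# Allow python (disabled by disable-interpreters.inc)
+# Allow python (blacklisted by disable-interpreters.inc)
 noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 mkdir ${HOME}/.cache/transmission
 mkdir ${HOME}/.config/transmission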
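--- a/etc/transmission-remote.profile
+++ b/etc/transmission-remote.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.config/transmission
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,5 +41,3 @@ private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp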
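--- a/etc/transmission-show.profile
+++ b/etc/transmission-show.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.config/transmission
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -38,5 +39,3 @@ private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp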
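--- /dev/null
+++ b/etc/tremulous.profile
@@ -0,0 +1,44 @@
+# Firejail profile for tremulous
+# Description: First Person Shooter game based on the Quake 3 engine
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tremulous.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.tremulous
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.tremulous
+whitelist ${HOME}/.tremulous
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin tremulous,tremulous-wrapper,tremded
+private-cache
+private-dev
+private-tmp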
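Review bot: `private-bin tremulous,tremulous-wrapper,tremded` on line 41 brings the dedicated-server binary into the client sandbox; if `tremded` is only needed for hosting, dropping it keeps the private bin directory to what the client actually runs. If `tremulous-wrapper` is a shell script, private-bin must also list its interpreter (`sh` or `bash`) or the launch fails inside the sandbox, since `shell none` only governs how firejail itself starts the program. A short comment naming which of the three is the real launcher would help whoever maintains this next.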
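--- a/etc/uzbl-browser.profile
+++ b/etc/uzbl-browser.profile
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc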
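--- a/etc/viewnior.profile
+++ b/etc/viewnior.profile
@@ -14,10 +14,12 @@ noblacklist ${HOME}/.steam
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+apparmor
 caps.drop all
 net none
 no3d
@@ -38,10 +40,8 @@ tracelog
 private-bin viewnior
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,machine-id
 private-tmp
 
 # memory-deny-write-executes breaks on Arch - see issue #1808
 #memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp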
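--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -14,6 +14,7 @@ noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,5 +40,3 @@ private-tmp
 
 # mdwe is disabled due to breaking hardware accelerated decoding
 #memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp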
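--- /dev/null
+++ b/etc/vulturesclaw.profile
@@ -0,0 +1,8 @@
+# Firejail profile alias for nethack-vultures
+# This file is overwritten after every install/update
+
+noblacklist /var/games/vulturesclaw
+whitelist /var/games/vulturesclaw
+
+# Redirect
+include nethack-vultures.profile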
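--- /dev/null
+++ b/etc/vultureseye.profile
@@ -0,0 +1,8 @@
+# Firejail profile alias for nethack-vultures
+# This file is overwritten after every install/update
+
+noblacklist /var/games/vultureseye
+whitelist /var/games/vultureseye
+
+# Redirect
+include nethack-vultures.profile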
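--- /dev/null
+++ b/etc/warsow.profile
@@ -0,0 +1,49 @@
+# Firejail profile for warsow
+# Description: Fast paced 3D first person shooter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include warsow.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.cache/warsow-2.1
+noblacklist ${HOME}/.local/share/warsow-2.1
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/warsow-2.1
+mkdir ${HOME}/.local/share/warsow-2.1
+whitelist ${HOME}/.cache/warsow-2.1
+whitelist ${HOME}/.local/share/warsow-2.1
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin warsow
+private-cache
+private-dev
+private-tmp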
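Review bot: `ignore noexec ${HOME}` on line 9 is undocumented, and the paths it serves are version-pinned (`warsow-2.1` on lines 11–12 and 22–25), so a game update will silently leave the new data directory blacklisted while the noexec exemption stays in place for nothing. Presumably the exemption exists because the game loads modules from its data directory; if so, write that down, e.g. `# warsow loads its game modules from ${HOME}/.local/share/warsow-2.1 (noexec would block them)`, and note in the header that the directory name tracks the Warsow release so the next bump is a deliberate edit. The rest of the profile matches tremulous and widelands in this commit.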
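--- /dev/null
+++ b/etc/widelands.profile
@@ -0,0 +1,44 @@
+# Firejail profile for widelands
+# Description: Open source realtime-strategy game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include widelands.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.widelands
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.widelands
+whitelist ${HOME}/.widelands
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin widelands
+private-cache
+private-dev
+private-tmp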
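Review bot: `protocol unix,inet,inet6,netlink` on line 35 is the only one of the new game profiles in this commit that admits netlink (tremulous and warsow stop at inet6), and there is no comment saying what needs it. netlink sockets let the process query and, subject to other restrictions, influence kernel networking state, so the justification belongs in the profile, e.g. `# netlink: needed for interface enumeration during LAN game discovery — confirm`; if it was carried over from another profile rather than observed, drop it and let the seccomp/protocol filter catch the error. Everything else here mirrors tremulous line for line.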
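--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -18,6 +18,7 @@ noblacklist /usr/share/lua
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -48,5 +49,3 @@ private-dev
 # private-etc alternatives,fonts,group,hosts,machine-id,passwd,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
-noexec ${HOME}
-noexec /tmp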
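--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -12,9 +12,12 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -47,5 +50,3 @@ private-tmp
 
 # xed uses python plugins, memory-deny-write-execute breaks python
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp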
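--- a/etc/xfce4-mixer.profile
+++ b/etc/xfce4-mixer.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -45,5 +46,3 @@ private-etc alternatives,asound.conf,fonts,pulse,machine-id
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp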
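--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -15,9 +15,12 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +46,3 @@ private-dev
 # private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
-noexec ${HOME}
-noexec /tmp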
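--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -21,6 +21,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc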
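--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -12,6 +12,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -42,5 +43,3 @@ private-etc alternatives,fonts,ld.so.cache
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp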
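--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.steam
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +44,3 @@ private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp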
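--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -19,8 +19,12 @@ noblacklist /usr/lib/python3*
 noblacklist /usr/local/lib/python2*
 noblacklist /usr/local/lib/python3*
 
+# breaks when installed via pip
+ignore noexec ${HOME}
+
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -28,10 +32,13 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
+machine-id
 netfilter
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,8 +52,11 @@ seccomp
 shell none
 tracelog
 
+disable-mnt
+private-bin youtube-dl,python*,ffmpeg
+private-cache
 private-dev
+private-etc alternatives,ssl,pki,ca-certificates,hostname,hosts,resolv.conf,youtube-dl.conf,crypto-policies,mime.types
+private-tmp
 
-# breaks when installed via pip
-#noexec ${HOME}
-noexec /tmp
+# memory-deny-write-execute - breaks on Arch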
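Review bot: `private-bin youtube-dl,python*,ffmpeg` on new line 56 leaves out `ffprobe`, which, as far as I recall, youtube-dl's ffmpeg post-processors run to inspect streams before converting; with the bin directory now pinned that call fails inside the sandbox, so the line should read `private-bin youtube-dl,python*,ffmpeg,ffprobe` unless post-processing is deliberately unsupported here. The `private-etc` list on line 59 is complete for TLS (`ssl,pki,ca-certificates,crypto-policies`) and name resolution, which is the part of such lists that usually gets missed. The comment on line 62 preserves the reason `memory-deny-write-execute` is off, but `apparmor`, `nodbus` and `disable-mnt` arrive without notes; a one-line `# tested with pip --user install on <distro>` next to the `ignore noexec ${HOME}` on line 23 would tell the next maintainer what configuration the exemption was verified against.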
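--- /dev/null
+++ b/etc/zpaq.profile
@@ -0,0 +1,15 @@
+# Firejail profile for zpaq
+# Description: Programmable file compressor, library and utilities. Based on the PAQ compression algorithm.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zpaq.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# mdwx breaks 'list' functionality
+ignore memory-deny-write-execute
+
+
+# Redirect
+include cpio.profile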
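Review bot: The comment on line 10 says what breaks under `memory-deny-write-execute` but not why, and the why is the security-relevant part: presumably `list` fails because libzpaq JIT-compiles the ZPAQL models stored in the archive, so with the exemption in place an untrusted archive's bytecode is translated into native code inside the sandbox even for a listing. The comment should make that trade-off visible, e.g. `# zpaq JIT-compiles the ZPAQL models embedded in the archive (also for 'list'); mdwx breaks that — confirm`, so nobody reads it as a harmless compatibility tweak. There is also a stray double blank line at lines 12–13.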
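--- a/src/firecfg/desktop_files.c
+++ b/src/firecfg/desktop_files.c
@@ -227,7 +227,7 @@ void fix_desktop_files(char *homedir) {
 continue;
 }
 
-// try to decide if we need to covert this file
+// try to decide if we need to convert this file
 char *change_exec = NULL;
 int change_dbus = 0;
 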
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 6bb9765bd..d5c502a67 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -12,6 +12,7 @@ FossaMail | |||
12 | Fritzing | 12 | Fritzing |
13 | Gitter | 13 | Gitter |
14 | JDownloader | 14 | JDownloader |
15 | Maelstrom | ||
15 | Mathematica | 16 | Mathematica |
16 | Natron | 17 | Natron |
17 | QMediathekView | 18 | QMediathekView |
@@ -68,6 +69,9 @@ brackets | |||
68 | brasero | 69 | brasero |
69 | brave | 70 | brave |
70 | brave-browser | 71 | brave-browser |
72 | bunzip2 | ||
73 | bzflag | ||
74 | bzip2 | ||
71 | calibre | 75 | calibre |
72 | calligra | 76 | calligra |
73 | calligraauthor | 77 | calligraauthor |
@@ -102,6 +106,8 @@ code-oss | |||
102 | conkeror | 106 | conkeror |
103 | conky | 107 | conky |
104 | corebird | 108 | corebird |
109 | crawl | ||
110 | crawl-tiles | ||
105 | crow | 111 | crow |
106 | cryptocat | 112 | cryptocat |
107 | cvlc | 113 | cvlc |
@@ -177,6 +183,11 @@ fossamail | |||
177 | franz | 183 | franz |
178 | freecad | 184 | freecad |
179 | freecadcmd | 185 | freecadcmd |
186 | freeciv | ||
187 | freeciv-gtk3 | ||
188 | freeciv-mp-gtk3 | ||
189 | freecol | ||
190 | freemind | ||
180 | freshclam | 191 | freshclam |
181 | frozen-bubble | 192 | frozen-bubble |
182 | gajim | 193 | gajim |
@@ -272,6 +283,9 @@ keepassx | |||
272 | keepassx2 | 283 | keepassx2 |
273 | keepassxc | 284 | keepassxc |
274 | kget | 285 | kget |
286 | kid3 | ||
287 | kid3-cli | ||
288 | kid3-qt | ||
275 | kino | 289 | kino |
276 | klavaro | 290 | klavaro |
277 | kmail | 291 | kmail |
@@ -288,6 +302,7 @@ leafpad | |||
288 | less | 302 | less |
289 | libreoffice | 303 | libreoffice |
290 | liferea | 304 | liferea |
305 | lincity-ng | ||
291 | linphone | 306 | linphone |
292 | lmms | 307 | lmms |
293 | lobase | 308 | lobase |
@@ -300,11 +315,18 @@ lollypop | |||
300 | lomath | 315 | lomath |
301 | loweb | 316 | loweb |
302 | lowriter | 317 | lowriter |
318 | lrunzip | ||
319 | lrz | ||
320 | lrzcat | ||
321 | lrzip | ||
322 | lrztar | ||
323 | lrzuntar | ||
303 | luminance-hdr | 324 | luminance-hdr |
304 | lximage-qt | 325 | lximage-qt |
305 | lxmusic | 326 | lxmusic |
306 | lynx | 327 | lynx |
307 | macrofusion | 328 | macrofusion |
329 | manaplus | ||
308 | masterpdfeditor | 330 | masterpdfeditor |
309 | masterpdfeditor4 | 331 | masterpdfeditor4 |
310 | masterpdfeditor5 | 332 | masterpdfeditor5 |
@@ -316,6 +338,8 @@ mathematica | |||
316 | mcabber | 338 | mcabber |
317 | mediainfo | 339 | mediainfo |
318 | mediathekview | 340 | mediathekview |
341 | megaglest | ||
342 | megaglest_editor | ||
319 | meld | 343 | meld |
320 | mencoder | 344 | mencoder |
321 | mendeleydesktop | 345 | mendeleydesktop |
@@ -355,6 +379,7 @@ nitroshare-cli | |||
355 | nitroshare-nmh | 379 | nitroshare-nmh |
356 | nitroshare-send | 380 | nitroshare-send |
357 | nitroshare-ui | 381 | nitroshare-ui |
382 | nomacs | ||
358 | nylas | 383 | nylas |
359 | nyx | 384 | nyx |
360 | obs | 385 | obs |
@@ -363,11 +388,14 @@ odt2txt | |||
363 | okular | 388 | okular |
364 | onionshare-gui | 389 | onionshare-gui |
365 | open-invaders | 390 | open-invaders |
391 | opencity | ||
366 | openshot | 392 | openshot |
367 | openshot-qt | 393 | openshot-qt |
394 | openttd | ||
368 | opera | 395 | opera |
369 | opera-beta | 396 | opera-beta |
370 | orage | 397 | orage |
398 | ostrichriders | ||
371 | palemoon | 399 | palemoon |
372 | parole | 400 | parole |
373 | patch | 401 | patch |
@@ -382,6 +410,7 @@ pidgin | |||
382 | #ping - disabled until we fix #1912 | 410 | #ping - disabled until we fix #1912 |
383 | pingus | 411 | pingus |
384 | pinta | 412 | pinta |
413 | pioneer | ||
385 | pithos | 414 | pithos |
386 | pitivi | 415 | pitivi |
387 | pix | 416 | pix |
@@ -420,9 +449,11 @@ rtorrent | |||
420 | runenpass.sh | 449 | runenpass.sh |
421 | sayonara | 450 | sayonara |
422 | scallion | 451 | scallion |
452 | scorched3d | ||
423 | scribus | 453 | scribus |
424 | sdat2img | 454 | sdat2img |
425 | seahorse | 455 | seahorse |
456 | seahorse-daemon | ||
426 | seahorse-tool | 457 | seahorse-tool |
427 | seamonkey | 458 | seamonkey |
428 | seamonkey-bin | 459 | seamonkey-bin |
@@ -438,6 +469,7 @@ skanlite | |||
438 | skype | 469 | skype |
439 | skypeforlinux | 470 | skypeforlinux |
440 | slack | 471 | slack |
472 | slashem | ||
441 | smplayer | 473 | smplayer |
442 | smtube | 474 | smtube |
443 | snox | 475 | snox |
@@ -464,6 +496,7 @@ synfigstudio | |||
464 | sysprof | 496 | sysprof |
465 | sysprof-cli | 497 | sysprof-cli |
466 | teamspeak3 | 498 | teamspeak3 |
499 | teeworlds | ||
467 | telegram | 500 | telegram |
468 | telegram-desktop | 501 | telegram-desktop |
469 | terasology | 502 | terasology |
@@ -472,21 +505,38 @@ thunderbird-beta | |||
472 | thunderbird-wayland | 505 | thunderbird-wayland |
473 | tilp | 506 | tilp |
474 | tor-browser-ar | 507 | tor-browser-ar |
508 | tor-browser-ca | ||
509 | tor-browser-cs | ||
510 | tor-browser-da | ||
511 | tor-browser-de | ||
512 | tor-browser-el | ||
475 | tor-browser-en | 513 | tor-browser-en |
476 | tor-browser-en-us | 514 | tor-browser-en-us |
477 | tor-browser-es | 515 | tor-browser-es |
478 | tor-browser-es-es | 516 | tor-browser-es-es |
479 | tor-browser-fa | 517 | tor-browser-fa |
480 | tor-browser-fr | 518 | tor-browser-fr |
519 | tor-browser-ga-ie | ||
520 | tor-browser-he | ||
521 | tor-browser-hu | ||
522 | tor-browser-id | ||
523 | tor-browser-is | ||
481 | tor-browser-it | 524 | tor-browser-it |
482 | tor-browser-ja | 525 | tor-browser-ja |
526 | tor-browser-ka | ||
483 | tor-browser-ko | 527 | tor-browser-ko |
484 | torbrowser-launcher | 528 | tor-browser-nb |
529 | tor-browser-nl | ||
485 | tor-browser-pl | 530 | tor-browser-pl |
486 | tor-browser-pt-br | 531 | tor-browser-pt-br |
487 | tor-browser-ru | 532 | tor-browser-ru |
533 | tor-browser-sv-se | ||
534 | tor-browser-tr | ||
488 | tor-browser-vi | 535 | tor-browser-vi |
489 | tor-browser-zh-cn | 536 | tor-browser-zh-cn |
537 | tor-browser-zh-tw | ||
538 | torbrowser-launcher | ||
539 | torcs | ||
490 | totem | 540 | totem |
491 | tracker | 541 | tracker |
492 | transgui | 542 | transgui |
@@ -500,6 +550,7 @@ transmission-remote | |||
500 | transmission-remote-cli | 550 | transmission-remote-cli |
501 | transmission-remote-gtk | 551 | transmission-remote-gtk |
502 | transmission-show | 552 | transmission-show |
553 | tremulous | ||
503 | truecraft | 554 | truecraft |
504 | tuxguitar | 555 | tuxguitar |
505 | uefitool | 556 | uefitool |
@@ -517,8 +568,11 @@ vivaldi-snapshot | |||
517 | vivaldi-stable | 568 | vivaldi-stable |
518 | vlc | 569 | vlc |
519 | vscodium | 570 | vscodium |
571 | vulturesclaw | ||
572 | vultureseye | ||
520 | vym | 573 | vym |
521 | w3m | 574 | w3m |
575 | warsow | ||
522 | warzone2100 | 576 | warzone2100 |
523 | waterfox | 577 | waterfox |
524 | webstorm | 578 | webstorm |
@@ -527,6 +581,7 @@ weechat-curses | |||
527 | wesnoth | 581 | wesnoth |
528 | wget | 582 | wget |
529 | whois | 583 | whois |
584 | widelands | ||
530 | wine | 585 | wine |
531 | wire-desktop | 586 | wire-desktop |
532 | wireshark | 587 | wireshark |
@@ -560,3 +615,4 @@ zaproxy | |||
560 | zart | 615 | zart |
561 | zathura | 616 | zathura |
562 | zoom | 617 | zoom |
618 | zpaq | ||
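Review bot: `bunzip2`, `bzip2`, the `lrz*` family and `zpaq` (new lines 72–74, 318–323, 618) are general-purpose command-line compressors that other programs and scripts invoke by name, so once firecfg has created the symlinks every such caller is routed through the firejail wrapper, which is a wider effect than the desktop applications this list mostly holds. If that is intended, a comment in the style of the existing `#ping - disabled until we fix #1912` line would make the choice visible; if not, these entries could be left for users to opt in through their own firecfg configuration. The remaining additions keep the file's sort order (`tor-browser-*` correctly precedes the re-added `torbrowser-launcher` at line 538).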
diff --git a/src/firecfg/util.c b/src/firecfg/util.c index 00dbad073..23a66ba67 100644 --- a/src/firecfg/util.c +++ b/src/firecfg/util.c | |||
@@ -59,8 +59,8 @@ int which(const char *program) { | |||
59 | char *ptr = strtok(path2, ":"); | 59 | char *ptr = strtok(path2, ":"); |
60 | while (ptr) { | 60 | while (ptr) { |
61 | // Ubuntu 18.04 is adding /snap/bin to PATH; | 61 | // Ubuntu 18.04 is adding /snap/bin to PATH; |
62 | // they populate /snap/bin with simbolic links to /usr/bin/ programs; | 62 | // they populate /snap/bin with symbolic links to /usr/bin/ programs; |
63 | // most simlinked programs are not installed by default. | 63 | // most symlinked programs are not installed by default. |
64 | // Removing /snap/bin from our search | 64 | // Removing /snap/bin from our search |
65 | if (strcmp(ptr, "/snap/bin") != 0) { | 65 | if (strcmp(ptr, "/snap/bin") != 0) { |
66 | if (find(program, ptr)) { | 66 | if (find(program, ptr)) { |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 01ddf2a14..4cb10c875 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -57,13 +57,14 @@ | |||
57 | #define RUN_LIB_FILE "/run/firejail/mnt/libfiles" | 57 | #define RUN_LIB_FILE "/run/firejail/mnt/libfiles" |
58 | #define RUN_DNS_ETC "/run/firejail/mnt/dns-etc" | 58 | #define RUN_DNS_ETC "/run/firejail/mnt/dns-etc" |
59 | 59 | ||
60 | #define RUN_SECCOMP_LIST "/run/firejail/mnt/seccomp.list" // list of seccomp files installed | 60 | #define RUN_SECCOMP_DIR "/run/firejail/mnt/seccomp" |
61 | #define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter | 61 | #define RUN_SECCOMP_LIST "/run/firejail/mnt/seccomp/seccomp.list" // list of seccomp files installed |
62 | #define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter | 62 | #define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp/seccomp.protocol" // protocol filter |
63 | #define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp.32" // 32bit arch filter installed on 64bit architectures | 63 | #define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp/seccomp" // configured filter |
64 | #define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute | 64 | #define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp/seccomp.32" // 32bit arch filter installed on 64bit architectures |
65 | #define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter | 65 | #define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp/seccomp.mdwx" // filter for memory-deny-write-execute |
66 | #define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library | 66 | #define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp/seccomp.block_secondary" // secondary arch blocking filter |
67 | #define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp/seccomp.postexec" // filter for post-exec library | ||
67 | #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make | 68 | #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make |
68 | #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make | 69 | #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make |
69 | #define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make | 70 | #define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make |
@@ -95,7 +96,6 @@ | |||
95 | #define RUN_ASOUNDRC_FILE "/run/firejail/mnt/.asoundrc" | 96 | #define RUN_ASOUNDRC_FILE "/run/firejail/mnt/.asoundrc" |
96 | #define RUN_HOSTNAME_FILE "/run/firejail/mnt/hostname" | 97 | #define RUN_HOSTNAME_FILE "/run/firejail/mnt/hostname" |
97 | #define RUN_HOSTS_FILE "/run/firejail/mnt/hosts" | 98 | #define RUN_HOSTS_FILE "/run/firejail/mnt/hosts" |
98 | #define RUN_RESOLVCONF_FILE "/run/firejail/mnt/resolv.conf" | ||
99 | #define RUN_MACHINEID "/run/firejail/mnt/machine-id" | 99 | #define RUN_MACHINEID "/run/firejail/mnt/machine-id" |
100 | #define RUN_LDPRELOAD_FILE "/run/firejail/mnt/ld.so.preload" | 100 | #define RUN_LDPRELOAD_FILE "/run/firejail/mnt/ld.so.preload" |
101 | #define RUN_UTMP_FILE "/run/firejail/mnt/utmp" | 101 | #define RUN_UTMP_FILE "/run/firejail/mnt/utmp" |
@@ -521,6 +521,7 @@ void logsignal(int s); | |||
521 | void logmsg(const char *msg); | 521 | void logmsg(const char *msg); |
522 | void logargs(int argc, char **argv) ; | 522 | void logargs(int argc, char **argv) ; |
523 | void logerr(const char *msg); | 523 | void logerr(const char *msg); |
524 | void set_nice(int inc); | ||
524 | int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode); | 525 | int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode); |
525 | void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode); | 526 | void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode); |
526 | void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode); | 527 | void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode); |
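Review bot: The seven seccomp file macros at new lines 61–67 each spell out the `/run/firejail/mnt/seccomp` prefix that `RUN_SECCOMP_DIR` on line 60 already names, so the directory and the file paths can drift apart on the next move; the header already uses literal concatenation for `PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp")`, so the same form works here, e.g. `#define RUN_SECCOMP_LIST (RUN_SECCOMP_DIR "/seccomp.list")`. Note also that `RUN_SECCOMP_CFG` used to be the exact string that is now `RUN_SECCOMP_DIR`, so any caller that treated `RUN_SECCOMP_CFG` as the directory should be checked. The new `void set_nice(int inc);` at line 524 would benefit from a one-line comment matching its implementation in util.c, e.g. `// nice(inc); failure is detected via errno and only warned about`.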
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c index 808ead240..70c6ac88a 100644 --- a/src/firejail/fs_lib.c +++ b/src/firejail/fs_lib.c | |||
@@ -133,6 +133,7 @@ void fslib_copy_libs(const char *full_path) { | |||
133 | fslib_duplicate(buf); | 133 | fslib_duplicate(buf); |
134 | } | 134 | } |
135 | fclose(fp); | 135 | fclose(fp); |
136 | unlink(RUN_LIB_FILE); | ||
136 | } | 137 | } |
137 | 138 | ||
138 | 139 | ||
diff --git a/src/firejail/join.c b/src/firejail/join.c index 3d5006236..46dae0271 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -100,9 +100,6 @@ static void extract_command(int argc, char **argv, int index) { | |||
100 | 100 | ||
101 | // build command | 101 | // build command |
102 | build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, index); | 102 | build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, index); |
103 | |||
104 | if (arg_debug) | ||
105 | printf("Extracted command #%s#\n", cfg.command_line); | ||
106 | } | 103 | } |
107 | 104 | ||
108 | static void extract_nogroups(pid_t pid) { | 105 | static void extract_nogroups(pid_t pid) { |
@@ -290,12 +287,8 @@ pid_t switch_to_child(pid_t pid) { | |||
290 | 287 | ||
291 | void join(pid_t pid, int argc, char **argv, int index) { | 288 | void join(pid_t pid, int argc, char **argv, int index) { |
292 | EUID_ASSERT(); | 289 | EUID_ASSERT(); |
293 | char *homedir = cfg.homedir; | ||
294 | pid_t parent = pid; | ||
295 | |||
296 | extract_command(argc, argv, index); | ||
297 | signal (SIGTERM, signal_handler); | ||
298 | 290 | ||
291 | pid_t parent = pid; | ||
299 | // in case the pid is that of a firejail process, use the pid of the first child process | 292 | // in case the pid is that of a firejail process, use the pid of the first child process |
300 | pid = switch_to_child(pid); | 293 | pid = switch_to_child(pid); |
301 | 294 | ||
@@ -375,19 +368,15 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
375 | EUID_USER(); | 368 | EUID_USER(); |
376 | if (chdir("/") < 0) | 369 | if (chdir("/") < 0) |
377 | errExit("chdir"); | 370 | errExit("chdir"); |
378 | if (homedir) { | 371 | if (cfg.homedir) { |
379 | struct stat s; | 372 | struct stat s; |
380 | if (stat(homedir, &s) == 0) { | 373 | if (stat(cfg.homedir, &s) == 0) { |
381 | /* coverity[toctou] */ | 374 | /* coverity[toctou] */ |
382 | if (chdir(homedir) < 0) | 375 | if (chdir(cfg.homedir) < 0) |
383 | errExit("chdir"); | 376 | errExit("chdir"); |
384 | } | 377 | } |
385 | } | 378 | } |
386 | 379 | ||
387 | // set cpu affinity | ||
388 | if (cfg.cpus) // not available for uid 0 | ||
389 | set_cpu_affinity(); | ||
390 | |||
391 | // set caps filter | 380 | // set caps filter |
392 | EUID_ROOT(); | 381 | EUID_ROOT(); |
393 | if (apply_caps == 1) // not available for uid 0 | 382 | if (apply_caps == 1) // not available for uid 0 |
@@ -418,33 +407,6 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
418 | } | 407 | } |
419 | 408 | ||
420 | EUID_USER(); | 409 | EUID_USER(); |
421 | // set nice | ||
422 | if (arg_nice) { | ||
423 | errno = 0; | ||
424 | int rv = nice(cfg.nice); | ||
425 | (void) rv; | ||
426 | if (errno) { | ||
427 | fwarning("cannot set nice value\n"); | ||
428 | errno = 0; | ||
429 | } | ||
430 | } | ||
431 | |||
432 | // set environment, add x11 display | ||
433 | env_defaults(); | ||
434 | if (display) { | ||
435 | char *display_str; | ||
436 | if (asprintf(&display_str, ":%d", display) == -1) | ||
437 | errExit("asprintf"); | ||
438 | setenv("DISPLAY", display_str, 1); | ||
439 | free(display_str); | ||
440 | } | ||
441 | |||
442 | if (cfg.command_line == NULL) { | ||
443 | assert(cfg.shell); | ||
444 | cfg.command_line = cfg.shell; | ||
445 | cfg.window_title = cfg.shell; | ||
446 | } | ||
447 | |||
448 | int cwd = 0; | 410 | int cwd = 0; |
449 | if (cfg.cwd) { | 411 | if (cfg.cwd) { |
450 | if (chdir(cfg.cwd) == 0) | 412 | if (chdir(cfg.cwd) == 0) |
@@ -464,8 +426,38 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
464 | } | 426 | } |
465 | } | 427 | } |
466 | 428 | ||
429 | // drop privileges | ||
467 | drop_privs(arg_nogroups); | 430 | drop_privs(arg_nogroups); |
468 | prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died | 431 | |
432 | // kill the child in case the parent died | ||
433 | prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); | ||
434 | |||
435 | extract_command(argc, argv, index); | ||
436 | if (cfg.command_line == NULL) { | ||
437 | assert(cfg.shell); | ||
438 | cfg.command_line = cfg.shell; | ||
439 | cfg.window_title = cfg.shell; | ||
440 | } | ||
441 | if (arg_debug) | ||
442 | printf("Extracted command #%s#\n", cfg.command_line); | ||
443 | |||
444 | // set cpu affinity | ||
445 | if (cfg.cpus) // not available for uid 0 | ||
446 | set_cpu_affinity(); | ||
447 | |||
448 | // set nice value | ||
449 | if (arg_nice) | ||
450 | set_nice(cfg.nice); | ||
451 | |||
452 | // add x11 display | ||
453 | if (display) { | ||
454 | char *display_str; | ||
455 | if (asprintf(&display_str, ":%d", display) == -1) | ||
456 | errExit("asprintf"); | ||
457 | setenv("DISPLAY", display_str, 1); | ||
458 | free(display_str); | ||
459 | } | ||
460 | |||
469 | start_application(0, NULL); | 461 | start_application(0, NULL); |
470 | 462 | ||
471 | // it will never get here!!! | 463 | // it will never get here!!! |
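Review bot: The `signal (SIGTERM, signal_handler);` call at old line 297 is removed and not reinstated in any visible hunk of `join()`, while the rest of the removed block (`extract_command`, `set_cpu_affinity`, the nice value, the DISPLAY setup) is only relocated; if the handler is not installed elsewhere before `join()` is entered, a SIGTERM arriving between `switch_to_child()` and `start_application()` now takes the default action instead of running `signal_handler`. Either restore the line next to the new `prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);` at line 433 or add a comment stating where the handler is installed. Calling `extract_command()` after `drop_privs()` (line 435) reads as an improvement, since command-line parsing and the debug printf now run unprivileged. `join()` starts and ends outside these hunks.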
diff --git a/src/firejail/main.c b/src/firejail/main.c index e186002af..ece4c2cb5 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -866,11 +866,10 @@ static void run_builder(int argc, char **argv) { | |||
866 | (void) argc; | 866 | (void) argc; |
867 | 867 | ||
868 | // drop privileges | 868 | // drop privileges |
869 | EUID_ROOT(); | 869 | if (setresgid(-1, getgid(), getgid()) != 0) |
870 | if (setgid(getgid()) < 0) | 870 | errExit("setresgid"); |
871 | errExit("setgid/getgid"); | 871 | if (setresuid(-1, getuid(), getuid()) != 0) |
872 | if (setuid(getuid()) < 0) | 872 | errExit("setresuid"); |
873 | errExit("setuid/getuid"); | ||
874 | 873 | ||
875 | assert(getenv("LD_PRELOAD") == NULL); | 874 | assert(getenv("LD_PRELOAD") == NULL); |
876 | umask(orig_umask); | 875 | umask(orig_umask); |
@@ -1522,6 +1521,9 @@ int main(int argc, char **argv) { | |||
1522 | if (!ppath) | 1521 | if (!ppath) |
1523 | errExit("strdup"); | 1522 | errExit("strdup"); |
1524 | 1523 | ||
1524 | // checking for strange chars in the file name, no globbing | ||
1525 | invalid_filename(ppath, 0); | ||
1526 | |||
1525 | if (*ppath == ':' || access(ppath, R_OK) || is_dir(ppath)) { | 1527 | if (*ppath == ':' || access(ppath, R_OK) || is_dir(ppath)) { |
1526 | int has_colon = (*ppath == ':'); | 1528 | int has_colon = (*ppath == ':'); |
1527 | char *ptr = ppath; | 1529 | char *ptr = ppath; |
@@ -1623,7 +1625,7 @@ int main(int argc, char **argv) { | |||
1623 | else if (strcmp(argv[i], "--writable-var") == 0) { | 1625 | else if (strcmp(argv[i], "--writable-var") == 0) { |
1624 | arg_writable_var = 1; | 1626 | arg_writable_var = 1; |
1625 | } | 1627 | } |
1626 | else if (strcmp(argv[1], "--keep-var-tmp") == 0) { | 1628 | else if (strcmp(argv[i], "--keep-var-tmp") == 0) { |
1627 | arg_keep_var_tmp = 1; | 1629 | arg_keep_var_tmp = 1; |
1628 | } | 1630 | } |
1629 | else if (strcmp(argv[i], "--writable-run-user") == 0) { | 1631 | else if (strcmp(argv[i], "--writable-run-user") == 0) { |
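Review bot: The privilege drop at lines 869–872 of `run_builder` — `setresgid(-1, getgid(), getgid())` followed by `setresuid(-1, getuid(), getuid())` — is the same four-line sequence this commit also writes into `run_symlink` (run_symlink.c), `run_no_sandbox` (no_sandbox.c) and the tail of `drop_privs` (util.c); four hand-copied copies of a security-critical sequence invite one of them drifting, for instance a later edit testing `< 0` instead of `!= 0` or swapping the gid/uid order. A single helper in util.c (name is yours to pick, e.g. `drop_privs_simple`) called from the three non-`drop_privs` sites would keep them identical. The `// drop privileges` comment could also record that the saved set-user-ID is cleared too, so the drop cannot be reverted, which is the property that justifies removing the `EUID_ROOT()` call. `run_builder` and `main` continue outside these hunks.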
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 9ad4e8ba1..dca36a4d8 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c | |||
@@ -161,32 +161,29 @@ int check_kernel_procs(void) { | |||
161 | 161 | ||
162 | void run_no_sandbox(int argc, char **argv) { | 162 | void run_no_sandbox(int argc, char **argv) { |
163 | EUID_ASSERT(); | 163 | EUID_ASSERT(); |
164 | // drop privileges | ||
165 | if (setresgid(-1, getgid(), getgid()) != 0) | ||
166 | errExit("setresgid"); | ||
167 | if (setresuid(-1, getuid(), getuid()) != 0) | ||
168 | errExit("setresuid"); | ||
164 | 169 | ||
165 | // process limited subset of options | 170 | // process limited subset of options |
166 | int i; | 171 | int i; |
167 | for (i = 0; i < argc; i++) { | 172 | for (i = 0; i < argc; i++) { |
168 | if (strcmp(argv[i], "--debug") == 0) | 173 | if (strcmp(argv[i], "--debug") == 0) |
169 | arg_debug = 1; | 174 | arg_debug = 1; |
170 | else if (strcmp(argv[i], "--shell=none") == 0 || | 175 | else if (strncmp(argv[i], "--shell=", 8) == 0) |
171 | strncmp(argv[i], "--shell=", 8) == 0) | ||
172 | fwarning("shell-related command line options are disregarded - using SHELL environment variable\n"); | 176 | fwarning("shell-related command line options are disregarded - using SHELL environment variable\n"); |
173 | } | 177 | } |
174 | 178 | ||
175 | // use $SHELL to get shell used in sandbox | 179 | // use $SHELL to get shell used in sandbox, guess shell otherwise |
176 | char *shell = getenv("SHELL"); | 180 | cfg.shell = guess_shell(); |
177 | if (shell && access(shell, R_OK) == 0) | ||
178 | cfg.shell = shell; | ||
179 | |||
180 | // guess shell otherwise | ||
181 | if (!cfg.shell) { | ||
182 | cfg.shell = guess_shell(); | ||
183 | if (arg_debug) | ||
184 | printf("Autoselecting %s as shell\n", cfg.shell); | ||
185 | } | ||
186 | if (!cfg.shell) { | 181 | if (!cfg.shell) { |
187 | fprintf(stderr, "Error: unable to guess your shell, please set SHELL environment variable\n"); | 182 | fprintf(stderr, "Error: unable to guess your shell, please set SHELL environment variable\n"); |
188 | exit(1); | 183 | exit(1); |
189 | } | 184 | } |
185 | else if (arg_debug) | ||
186 | printf("Selecting %s as shell\n", cfg.shell); | ||
190 | 187 | ||
191 | int prog_index = 0; | 188 | int prog_index = 0; |
192 | // find first non option arg: | 189 | // find first non option arg: |
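Review bot: The `access(shell, R_OK)` check that old lines 176–178 applied to `$SHELL` no longer appears in `run_no_sandbox`; new line 180 delegates everything to `guess_shell()`, whose body is not in this diff, so if it does not validate the environment value itself an unreadable `SHELL` is now accepted here and the failure surfaces only at exec time. Please confirm, and have the comment at line 179 state which checks `guess_shell()` performs on `$SHELL` so the contract is visible at the call site. The privilege drop at lines 164–168 repeats the sequence from `run_builder` in main.c (noted there); placing it before the option loop and the `getenv` is the right order. The body of `run_no_sandbox` continues outside the hunk.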
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index 2effebbaa..a7af4b127 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c | |||
@@ -86,6 +86,8 @@ void preproc_mount_mnt_dir(void) { | |||
86 | fs_logger2("tmpfs", RUN_MNT_DIR); | 86 | fs_logger2("tmpfs", RUN_MNT_DIR); |
87 | 87 | ||
88 | #ifdef HAVE_SECCOMP | 88 | #ifdef HAVE_SECCOMP |
89 | create_empty_dir_as_root(RUN_SECCOMP_DIR, 0755); | ||
90 | |||
89 | if (arg_seccomp_block_secondary) | 91 | if (arg_seccomp_block_secondary) |
90 | copy_file(PATH_SECCOMP_BLOCK_SECONDARY, RUN_SECCOMP_BLOCK_SECONDARY, getuid(), getgid(), 0644); // root needed | 92 | copy_file(PATH_SECCOMP_BLOCK_SECONDARY, RUN_SECCOMP_BLOCK_SECONDARY, getuid(), getgid(), 0644); // root needed |
91 | else { | 93 | else { |
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c index ee62bba32..a63f29322 100644 --- a/src/firejail/run_symlink.c +++ b/src/firejail/run_symlink.c | |||
@@ -34,11 +34,10 @@ void run_symlink(int argc, char **argv, int run_as_is) { | |||
34 | return; | 34 | return; |
35 | 35 | ||
36 | // drop privileges | 36 | // drop privileges |
37 | EUID_ROOT(); | 37 | if (setresgid(-1, getgid(), getgid()) != 0) |
38 | if (setgid(getgid()) < 0) | 38 | errExit("setresgid"); |
39 | errExit("setgid/getgid"); | 39 | if (setresuid(-1, getuid(), getuid()) != 0) |
40 | if (setuid(getuid()) < 0) | 40 | errExit("setresuid"); |
41 | errExit("setuid/getuid"); | ||
42 | 41 | ||
43 | // find the real program by looking in PATH | 42 | // find the real program by looking in PATH |
44 | char *p = getenv("PATH"); | 43 | char *p = getenv("PATH"); |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 9bb8e545c..101a16d00 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -1038,17 +1038,6 @@ int sandbox(void* sandbox_arg) { | |||
1038 | } | 1038 | } |
1039 | } | 1039 | } |
1040 | 1040 | ||
1041 | // set nice | ||
1042 | if (arg_nice) { | ||
1043 | errno = 0; | ||
1044 | int rv = nice(cfg.nice); | ||
1045 | (void) rv; | ||
1046 | if (errno) { | ||
1047 | fwarning("cannot set nice value\n"); | ||
1048 | errno = 0; | ||
1049 | } | ||
1050 | } | ||
1051 | |||
1052 | EUID_ROOT(); | 1041 | EUID_ROOT(); |
1053 | // clean /tmp/.X11-unix sockets | 1042 | // clean /tmp/.X11-unix sockets |
1054 | fs_x11(); | 1043 | fs_x11(); |
@@ -1064,20 +1053,11 @@ int sandbox(void* sandbox_arg) { | |||
1064 | // save state of nonewprivs | 1053 | // save state of nonewprivs |
1065 | save_nonewprivs(); | 1054 | save_nonewprivs(); |
1066 | 1055 | ||
1067 | // set capabilities | 1056 | // save cpu affinity mask to CPU_CFG file |
1068 | set_caps(); | 1057 | save_cpu(); |
1069 | |||
1070 | // set cpu affinity | ||
1071 | if (cfg.cpus) { | ||
1072 | save_cpu(); // save cpu affinity mask to CPU_CFG file | ||
1073 | EUID_USER(); | ||
1074 | set_cpu_affinity(); | ||
1075 | EUID_ROOT(); | ||
1076 | } | ||
1077 | 1058 | ||
1078 | // save cgroup in CGROUP_CFG file | 1059 | // save cgroup in CGROUP_CFG file |
1079 | if (cfg.cgroup) | 1060 | save_cgroup(); |
1080 | save_cgroup(); | ||
1081 | 1061 | ||
1082 | // set seccomp | 1062 | // set seccomp |
1083 | #ifdef HAVE_SECCOMP | 1063 | #ifdef HAVE_SECCOMP |
@@ -1118,14 +1098,19 @@ int sandbox(void* sandbox_arg) { | |||
1118 | int rv = unlink(RUN_SECCOMP_MDWX); | 1098 | int rv = unlink(RUN_SECCOMP_MDWX); |
1119 | (void) rv; | 1099 | (void) rv; |
1120 | } | 1100 | } |
1101 | // make seccomp filters read-only | ||
1102 | fs_rdonly(RUN_SECCOMP_DIR); | ||
1121 | #endif | 1103 | #endif |
1122 | 1104 | ||
1105 | // set capabilities | ||
1106 | set_caps(); | ||
1107 | |||
1123 | //**************************************** | 1108 | //**************************************** |
1124 | // communicate progress of sandbox set up | 1109 | // communicate progress of sandbox set up |
1125 | // to --join | 1110 | // to --join |
1126 | //**************************************** | 1111 | //**************************************** |
1127 | 1112 | ||
1128 | FILE *fp = create_ready_for_join_file(); | 1113 | FILE *rj = create_ready_for_join_file(); |
1129 | 1114 | ||
1130 | //**************************************** | 1115 | //**************************************** |
1131 | // create a new user namespace | 1116 | // create a new user namespace |
@@ -1175,10 +1160,23 @@ int sandbox(void* sandbox_arg) { | |||
1175 | } | 1160 | } |
1176 | 1161 | ||
1177 | //**************************************** | 1162 | //**************************************** |
1178 | // drop privileges, fork the application and monitor it | 1163 | // drop privileges |
1179 | //**************************************** | 1164 | //**************************************** |
1180 | drop_privs(arg_nogroups); | 1165 | drop_privs(arg_nogroups); |
1181 | prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the sandbox in case the parent died | 1166 | |
1167 | // kill the sandbox in case the parent died | ||
1168 | prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); | ||
1169 | |||
1170 | //**************************************** | ||
1171 | // set cpu affinity | ||
1172 | //**************************************** | ||
1173 | |||
1174 | if (cfg.cpus) | ||
1175 | set_cpu_affinity(); | ||
1176 | |||
1177 | //**************************************** | ||
1178 | // fork the application and monitor it | ||
1179 | //**************************************** | ||
1182 | pid_t app_pid = fork(); | 1180 | pid_t app_pid = fork(); |
1183 | if (app_pid == -1) | 1181 | if (app_pid == -1) |
1184 | errExit("fork"); | 1182 | errExit("fork"); |
@@ -1196,13 +1194,15 @@ int sandbox(void* sandbox_arg) { | |||
1196 | printf("AppArmor enabled\n"); | 1194 | printf("AppArmor enabled\n"); |
1197 | } | 1195 | } |
1198 | #endif | 1196 | #endif |
1199 | // set rlimits | 1197 | // set nice and rlimits |
1198 | if (arg_nice) | ||
1199 | set_nice(cfg.nice); | ||
1200 | set_rlimits(); | 1200 | set_rlimits(); |
1201 | // start app | 1201 | |
1202 | start_application(0, fp); | 1202 | start_application(0, rj); |
1203 | } | 1203 | } |
1204 | 1204 | ||
1205 | fclose(fp); | 1205 | fclose(rj); |
1206 | 1206 | ||
1207 | int status = monitor_application(app_pid); // monitor application | 1207 | int status = monitor_application(app_pid); // monitor application |
1208 | flush_stdin(); | 1208 | flush_stdin(); |
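Review bot: `save_cpu()` and `save_cgroup()` at new lines 1057 and 1060 are now called unconditionally, whereas old lines 1071–1072 and 1079–1080 only ran them when `cfg.cpus` / `cfg.cgroup` were set; unless both functions check those fields internally (their bodies are not in this diff), every sandbox now writes a CPU_CFG / CGROUP_CFG file with an empty mask or cgroup. Please confirm, or keep the guards: `if (cfg.cpus) save_cpu();` and `if (cfg.cgroup) save_cgroup();`. Moving `set_caps()` to line 1106, after the seccomp directory is made read-only, and `set_cpu_affinity()` to after `drop_privs()` reads fine since neither needs root; `sandbox()` starts and ends outside these hunks.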
diff --git a/src/firejail/util.c b/src/firejail/util.c index dd298a31a..3e2cd13d5 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -119,12 +119,12 @@ clean_all: | |||
119 | // drop privileges | 119 | // drop privileges |
120 | // - for root group or if nogroups is set, supplementary groups are not configured | 120 | // - for root group or if nogroups is set, supplementary groups are not configured |
121 | void drop_privs(int nogroups) { | 121 | void drop_privs(int nogroups) { |
122 | EUID_ROOT(); | ||
123 | gid_t gid = getgid(); | 122 | gid_t gid = getgid(); |
124 | if (arg_debug) | 123 | if (arg_debug) |
125 | printf("Drop privileges: pid %d, uid %d, gid %d, nogroups %d\n", getpid(), getuid(), gid, nogroups); | 124 | printf("Drop privileges: pid %d, uid %d, gid %d, nogroups %d\n", getpid(), getuid(), gid, nogroups); |
126 | 125 | ||
127 | // configure supplementary groups | 126 | // configure supplementary groups |
127 | EUID_ROOT(); | ||
128 | if (gid == 0 || nogroups) { | 128 | if (gid == 0 || nogroups) { |
129 | if (setgroups(0, NULL) < 0) | 129 | if (setgroups(0, NULL) < 0) |
130 | errExit("setgroups"); | 130 | errExit("setgroups"); |
@@ -135,10 +135,10 @@ void drop_privs(int nogroups) { | |||
135 | clean_supplementary_groups(gid); | 135 | clean_supplementary_groups(gid); |
136 | 136 | ||
137 | // set uid/gid | 137 | // set uid/gid |
138 | if (setgid(getgid()) < 0) | 138 | if (setresgid(-1, getgid(), getgid()) != 0) |
139 | errExit("setgid/getgid"); | 139 | errExit("setresgid"); |
140 | if (setuid(getuid()) < 0) | 140 | if (setresuid(-1, getuid(), getuid()) != 0) |
141 | errExit("setuid/getuid"); | 141 | errExit("setresuid"); |
142 | } | 142 | } |
143 | 143 | ||
144 | 144 | ||
@@ -250,6 +250,16 @@ void logerr(const char *msg) { | |||
250 | closelog(); | 250 | closelog(); |
251 | } | 251 | } |
252 | 252 | ||
253 | |||
254 | void set_nice(int inc) { | ||
255 | errno = 0; | ||
256 | int rv = nice(inc); | ||
257 | (void) rv; | ||
258 | if (errno) | ||
259 | fwarning("cannot set nice value\n"); | ||
260 | } | ||
261 | |||
262 | |||
253 | static int copy_file_by_fd(int src, int dst) { | 263 | static int copy_file_by_fd(int src, int dst) { |
254 | assert(src >= 0); | 264 | assert(src >= 0); |
255 | assert(dst >= 0); | 265 | assert(dst >= 0); |
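Review bot: `set_nice()` at new lines 254–260 leaves `errno` set after the warning, whereas the inline code it replaces (old sandbox.c lines 1046–1049 and join.c 426–429) reset it with `errno = 0;` so that a later errno test in the caller did not misfire; add `errno = 0;` after the `fwarning` call to keep that behaviour. A header comment would also help, because the protocol is non-obvious: `// nice() may legitimately return -1, so success is detected via errno, which is cleared before the call; failure only warns`. In `drop_privs`, moving `EUID_ROOT()` below the debug printf (line 127) is harmless since `getgid()`/`getuid()` report the real ids either way, and `setresgid` before `setresuid` is the correct order.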
diff --git a/src/lib/common.c b/src/lib/common.c index 3d701e62f..1678a4092 100644 --- a/src/lib/common.c +++ b/src/lib/common.c | |||
@@ -254,7 +254,7 @@ int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid) { | |||
254 | if (strncmp(arg, "--", 2) != 0) | 254 | if (strncmp(arg, "--", 2) != 0) |
255 | break; | 255 | break; |
256 | 256 | ||
257 | if (strcmp(arg, "--x11=xorg") == 0) | 257 | if (strcmp(arg, "--x11=xorg") == 0 || strcmp(arg, "--x11=none") == 0) |
258 | return 0; | 258 | return 0; |
259 | 259 | ||
260 | // check x11 xpra or xephyr | 260 | // check x11 xpra or xephyr |
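Review bot: Line 257 now returns 0 for `--x11=none` as well as `--x11=xorg`, but nothing says why those two are the cases that skip the lookup that follows; a short comment keeps the next reader from "fixing" it, e.g. `// presumably neither xorg nor none starts an xpra/xephyr server, so there is nothing to find`. The enclosing `pid_proc_cmdline_x11_xpra_xephyr()` starts and ends outside the hunk.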
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 8f5aa777f..eed98710b 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -48,6 +48,10 @@ Firejail allows the user to manage application security using security profiles. | |||
48 | Each profile defines a set of permissions for a specific application or group | 48 | Each profile defines a set of permissions for a specific application or group |
49 | of applications. The software includes security profiles for a number of more common | 49 | of applications. The software includes security profiles for a number of more common |
50 | Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc. | 50 | Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc. |
51 | .PP | ||
52 | Alternative sandbox technologies like snap (https://snapcraft.io/) and flatpak (https://flatpak.org/) | ||
53 | are not supported. Snap and flatpak packages have their own native management tools and will | ||
54 | not work when sandboxed with Firejail. | ||
51 | 55 | ||
52 | .SH USAGE | 56 | .SH USAGE |
53 | Without any options, the sandbox consists of a filesystem build in a new mount namespace, | 57 | Without any options, the sandbox consists of a filesystem build in a new mount namespace, |
@@ -2496,7 +2500,7 @@ Make a firefox symlink to /usr/bin/firejail: | |||
2496 | .br | 2500 | .br |
2497 | 2501 | ||
2498 | .br | 2502 | .br |
2499 | $ ln -s /usr/bin/firejail /usr/local/bin/firefox | 2503 | $ sudo ln -s /usr/bin/firejail /usr/local/bin/firefox |
2500 | .br | 2504 | .br |
2501 | 2505 | ||
2502 | .br | 2506 | .br |
@@ -2536,7 +2540,7 @@ $ firejail --tree | |||
2536 | 1221:netblue:/usr/lib/firefox/firefox | 2540 | 1221:netblue:/usr/lib/firefox/firefox |
2537 | .RE | 2541 | .RE |
2538 | 2542 | ||
2539 | We provide a tool that automates all this integration, please see \fBman 1 firecfg\fR for more details. | 2543 | We provide a tool that automates all this integration, please see \&\flfirecfg\fR\|(1) for more details. |
2540 | 2544 | ||
2541 | .SH EXAMPLES | 2545 | .SH EXAMPLES |
2542 | .TP | 2546 | .TP |
@@ -2603,7 +2607,7 @@ $ firejail --read-only=~/dir[1-4] | |||
2603 | 2607 | ||
2604 | .SH FILE TRANSFER | 2608 | .SH FILE TRANSFER |
2605 | These features allow the user to inspect the filesystem container of an existing sandbox | 2609 | These features allow the user to inspect the filesystem container of an existing sandbox |
2606 | and transfer files from the container to the host filesystem. | 2610 | and transfer files between the container and the host filesystem. |
2607 | 2611 | ||
2608 | .TP | 2612 | .TP |
2609 | \fB\-\-get=name|pid filename | 2613 | \fB\-\-get=name|pid filename |