39 files changed, 724 insertions, 20 deletions
@@ -178,4 +178,4 @@ Run ./profstats -h for help. | |||
178 | ### New profiles: | 178 | ### New profiles: |
179 | 179 | ||
180 | gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et, multimc, gnome-hexgl, com.github.johnfactotum.Foliate, desktopeditors, impressive, mupdf-gl, mupdf-x11, mupdf-x11-curl, muraster, mutool, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18, textmaker18free, teams, xournal, | 180 | gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et, multimc, gnome-hexgl, com.github.johnfactotum.Foliate, desktopeditors, impressive, mupdf-gl, mupdf-x11, mupdf-x11-curl, muraster, mutool, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18, textmaker18free, teams, xournal, |
181 | gnome-screenshot, ripperX, sound-juicer, iagno, com.github.dahenson.agenda, gnome-pomodoro, gnome-todo, kmplayer, penguin-command, x2goclient, frogatto, gnome-mines, gnome-nibbles, lightsoff, ts3client_runscript.sh, warmux, ferdi, abiword, four-in-a-row, gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin, gnome-tetravex | 181 | gnome-screenshot, ripperX, sound-juicer, iagno, com.github.dahenson.agenda, gnome-pomodoro, gnome-todo, kmplayer, penguin-command, x2goclient, frogatto, gnome-mines, gnome-nibbles, lightsoff, ts3client_runscript.sh, warmux, ferdi, abiword, four-in-a-row, gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin, gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars, hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless, mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers, seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more, swell-foop |
@@ -18,7 +18,11 @@ firejail (0.9.63) baseline; urgency=low | |||
18 | * new profiles: frogatto, gnome-mines, gnome-nibbles, lightsoff, warmux | 18 | * new profiles: frogatto, gnome-mines, gnome-nibbles, lightsoff, warmux |
19 | * new profiles: ts3client_runscript.sh, ferdi, abiword, four-in-a-row | 19 | * new profiles: ts3client_runscript.sh, ferdi, abiword, four-in-a-row |
20 | * new profiles: gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin | 20 | * new profiles: gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin |
21 | * new profiles: gnome-tetravex | 21 | * new profiles: gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars |
22 | * new profiles: hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless | ||
23 | * new profiles: mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers | ||
24 | * new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more | ||
25 | * new profiles: swell-foop | ||
22 | 26 | ||
23 | firejail (0.9.62) baseline; urgency=low | 27 | firejail (0.9.62) baseline; urgency=low |
24 | * added file-copy-limit in /etc/firejail/firejail.config | 28 | * added file-copy-limit in /etc/firejail/firejail.config |
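--- /dev/null
+++ b/etc/blobwars.profile
@@ -0,0 +1,47 @@
+# Firejail profile for blobwars
+# Description: Mission and Objective based 2D Platform Game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include blobwars.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.parallelrealities/blobwars
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.parallelrealities/blobwars
+whitelist ${HOME}/.parallelrealities/blobwars
+whitelist /usr/share/blobwars
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin blobwars
+private-cache
+private-dev
+private-etc machine-id
+private-tmp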
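Review bot: `protocol unix,netlink` on line 37 admits netlink sockets inside a `net none` sandbox without saying why; the sibling profiles gravity-beams-and-evaporating-stars, hyperrogue and magicor in this commit get by with `protocol unix`, while jumpnbump, mirrormagic and mrrescue also carry netlink. If netlink is genuinely needed here (presumably device enumeration through udev by the SDL layer — confirm), record it with a comment such as `# netlink is needed for input/audio device enumeration` next to the line; otherwise drop it to match the narrower siblings.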
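--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -25,6 +25,7 @@ include disable-xdg.inc
 #mkfile ${HOME}/.digrc -- see #903
 whitelist ${HOME}/.digrc
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -32,6 +33,7 @@ apparmor
 caps.drop all
 ipc-namespace
 machine-id
+memory-deny-write-execute
 netfilter
 no3d
 nodbus
@@ -49,7 +51,6 @@ shell none
 tracelog
 
 disable-mnt
-private
 private-bin bash,dig,sh
 private-dev
 # Uncomment the next line (or put 'private-lib' in your dig.local) on non Debian/Ubuntu OS (see issue #3038)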
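--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -10,6 +10,7 @@ blacklist ${HOME}/SoftMaker
 blacklist ${HOME}/Standard Notes Backups
 blacklist ${HOME}/TeamSpeak3-Client-linux_x86
 blacklist ${HOME}/TeamSpeak3-Client-linux_amd64
+blacklist ${HOME}/hyperrogue.ini
 blacklist ${HOME}/mps
 blacklist ${HOME}/wallet.dat
 blacklist ${HOME}/.*coin
@@ -410,6 +411,7 @@ blacklist ${HOME}/.jak
 blacklist ${HOME}/.java
 blacklist ${HOME}/.jd
 blacklist ${HOME}/.jitsi
+blacklist ${HOME}/.jumpnbump
 blacklist ${HOME}/.kde/share/apps/digikam
 blacklist ${HOME}/.kde/share/apps/gwenview
 blacklist ${HOME}/.kde/share/apps/kaffeine
@@ -532,6 +534,7 @@ blacklist ${HOME}/.local/share/epiphany
 blacklist ${HOME}/.local/share/evolution
 blacklist ${HOME}/.local/share/feedreader
 blacklist ${HOME}/.local/share/feral-interactive
+blacklist ${HOME}/.local/share/five-or-more
 blacklist ${HOME}/.local/share/freecol
 blacklist ${HOME}/.local/share/gajim
 blacklist ${HOME}/.local/share/geary
@@ -541,6 +544,7 @@ blacklist ${HOME}/.local/share/gitg
 blacklist ${HOME}/.local/share/gnome-2048
 blacklist ${HOME}/.local/share/gnome-chess
 blacklist ${HOME}/.local/share/gnome-builder
+blacklist ${HOME}/.local/share/gnome-klotski
 blacklist ${HOME}/.local/share/gnome-latex
 blacklist ${HOME}/.local/share/gnome-mines
 blacklist ${HOME}/.local/share/gnome-music
@@ -574,6 +578,7 @@ blacklist ${HOME}/.local/share/kwrite
 blacklist ${HOME}/.local/share/liferea
 blacklist ${HOME}/.local/share/local-mail
 blacklist ${HOME}/.local/share/lollypop
+blacklist ${HOME}/.local/share/love
 blacklist ${HOME}/.local/share/lugaru
 blacklist ${HOME}/.local/share/mana
 blacklist ${HOME}/.local/share/maps-places.json
@@ -609,6 +614,7 @@ blacklist ${HOME}/.local/share/spotify
 blacklist ${HOME}/.local/share/steam
 blacklist ${HOME}/.local/share/supertux2
 blacklist ${HOME}/.local/share/supertuxkart
+blacklist ${HOME}/.local/share/swell-foop
 blacklist ${HOME}/.local/share/telepathy
 blacklist ${HOME}/.local/share/terasology
 blacklist ${HOME}/.local/share/torbrowser
@@ -624,12 +630,14 @@ blacklist ${HOME}/.local/share/xplayer
 blacklist ${HOME}/.local/share/xreader
 blacklist ${HOME}/.local/share/zathura
 blacklist ${HOME}/.lv2
+blacklist ${HOME}/.magicor
 blacklist ${HOME}/.masterpdfeditor
 blacklist ${HOME}/.mcabber
 blacklist ${HOME}/.mcabberrc
 blacklist ${HOME}/.mediathek3
 blacklist ${HOME}/.megaglest
 blacklist ${HOME}/.minetest
+blacklist ${HOME}/.mirrormagic
 blacklist ${HOME}/.moonchild productions/basilisk
 blacklist ${HOME}/.moonchild productions/pale moon
 blacklist ${HOME}/.mozilla
@@ -655,6 +663,7 @@ blacklist ${HOME}/.openttd
 blacklist ${HOME}/.opera
 blacklist ${HOME}/.opera-beta
 blacklist ${HOME}/.ostrichriders
+blacklist ${HOME}/.parallelrealities/blobwars
 blacklist ${HOME}/.penguin-command
 blacklist ${HOME}/.pingus
 blacklist ${HOME}/.pioneer
@@ -681,6 +690,7 @@ blacklist ${HOME}/.steampid
 blacklist ${HOME}/.stellarium
 blacklist ${HOME}/.subversion
 blacklist ${HOME}/.surf
+blacklist ${HOME}/.swb.ini
 blacklist ${HOME}/.sword
 blacklist ${HOME}/.sylpheed-2.0
 blacklist ${HOME}/.synfig
@@ -716,6 +726,7 @@ blacklist ${HOME}/.widelands
 blacklist ${HOME}/.wine
 blacklist ${HOME}/.wine64
 blacklist ${HOME}/.wireshark
+blacklist ${HOME}/.wordwarvi
 blacklist ${HOME}/.wormux
 blacklist ${HOME}/.xiphos
 blacklist ${HOME}/.xmind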
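--- /dev/null
+++ b/etc/five-or-more.profile
@@ -0,0 +1,19 @@
+# Firejail profile for five-or-more
+# Description: GNOME port of the once-popular Colour Lines game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include five-or-more.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/five-or-more
+
+mkdir ${HOME}/.local/share/five-or-more
+whitelist ${HOME}/.local/share/five-or-more
+
+whitelist /usr/share/five-or-more
+
+private-bin five-or-more
+
+# Redirect
+include gnome_games-common.profile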
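--- a/etc/four-in-a-row.profile
+++ b/etc/four-in-a-row.profile
@@ -1,5 +1,5 @@
 # Firejail profile for four-in-a-row
-# Description: Sliding tile puzzle game
+# Description: four-in-a-row game for GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
 include four-in-a-row.local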
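--- /dev/null
+++ b/etc/gnome-klotski.profile
@@ -0,0 +1,17 @@
+# Firejail profile for gnome-klotski
+# Description: Sliding block puzzles game for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-klotski.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/gnome-klotski
+
+mkdir ${HOME}/.local/share/gnome-klotski
+whitelist ${HOME}/.local/share/gnome-klotski
+
+private-bin gnome-klotski
+
+# Redirect
+include gnome_games-common.profile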
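Review bot: gnome-klotski.profile has no `whitelist /usr/share/gnome-klotski` line, whereas the sibling five-or-more.profile added in the same commit whitelists `/usr/share/five-or-more` before its redirect. If gnome-klotski installs its data under /usr/share/gnome-klotski and gnome_games-common.profile (not visible here) pulls in whitelist-usr-share-common.inc, the game would not be able to read its own data; confirm against the package's file list and, if so, add `whitelist /usr/share/gnome-klotski` after line 12.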
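--- a/etc/gnome-mahjongg.profile
+++ b/etc/gnome-mahjongg.profile
@@ -1,5 +1,5 @@
 # Firejail profile for gnome-mahjongg
-# Description: Sliding tile puzzle game
+# Description: A matching game played with Mahjongg tiles
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gnome-mahjongg.local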
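--- a/etc/gnome-mines.profile
+++ b/etc/gnome-mines.profile
@@ -1,5 +1,5 @@
 # Firejail profile for gnome-mines
-# Description: Sliding tile puzzle game
+# Description: The popular logic puzzle minesweeper
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gnome-mines.local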
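--- a/etc/gnome-nibbles.profile
+++ b/etc/gnome-nibbles.profile
@@ -1,5 +1,5 @@
 # Firejail profile for gnome-nibbles
-# Description: Sliding tile puzzle game
+# Description: A worm game for GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gnome-nibbles.local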
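--- a/etc/gnome-robots.profile
+++ b/etc/gnome-robots.profile
@@ -1,5 +1,5 @@
 # Firejail profile for gnome-robots
-# Description: Sliding tile puzzle game
+# Description: Based on classic BSD Robots
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gnome-robots.local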
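--- a/etc/gnome-sudoku.profile
+++ b/etc/gnome-sudoku.profile
@@ -1,5 +1,5 @@
 # Firejail profile for gnome-sudoku
-# Description: Sliding tile puzzle game
+# Description: puzzle game for the popular Japanese sudoku logic puzzle
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gnome-sudoku.local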
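--- a/etc/gnome-taquin.profile
+++ b/etc/gnome-taquin.profile
@@ -1,5 +1,5 @@
 # Firejail profile for gnome-taquin
-# Description: Sliding tile puzzle game
+# Description: A sliding puzzle game for GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gnome-taquin.local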
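--- a/etc/gnome-tetravex.profile
+++ b/etc/gnome-tetravex.profile
@@ -1,5 +1,5 @@
 # Firejail profile for gnome-tetravex
-# Description: Sliding tile puzzle game
+# Description: A simple puzzle game for GNOME
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gnome-tetravex.local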
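--- /dev/null
+++ b/etc/gravity-beams-and-evaporating-stars.profile
@@ -0,0 +1,44 @@
+# Firejail profile for gravity-beams-and-evaporating-stars
+# Description: a game about hurling asteroids into the sun
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gravity-beams-and-evaporating-stars.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/gravity-beams-and-evaporating-stars
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin gravity-beams-and-evaporating-stars
+private-cache
+private-dev
+private-etc fonts,machine-id
+private-tmp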
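--- /dev/null
+++ b/etc/hyperrogue.profile
@@ -0,0 +1,48 @@
+# Firejail profile for hyperrogue
+# Description: An SDL roguelike in a non-euclidean world
+# This file is overwritten after every install/update
+# Persistent local customizations
+include hyperrogue.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/hyperrogue.ini
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkfile ${HOME}/hyperrogue.ini
+whitelist ${HOME}/hyperrogue.ini
+whitelist /usr/share/hyperrogue
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin hyperrogue
+private-cache
+private-cwd ${HOME}
+private-dev
+private-etc fonts,machine-id
+private-tmp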
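Review bot: `private-cwd ${HOME}` on line 45 is the only use of private-cwd among the profiles in this commit and carries no explanation, so a reader cannot tell whether it is required or incidental. Presumably the game resolves hyperrogue.ini relative to its working directory, which is also why the profile needs the `mkfile`/`whitelist ${HOME}/hyperrogue.ini` pair on lines 19–20 — confirm, and record it with a comment such as `# hyperrogue reads and writes hyperrogue.ini in the current working directory` above line 45.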
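--- /dev/null
+++ b/etc/jumpnbump-menu.profile
@@ -0,0 +1,15 @@
+# Firejail profile for jumpnbump-menu
+# Description: Level selection and config menu for the Jump 'n Bump game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jumpnbump-menu.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+include allow-python3.inc
+
+private-bin jumpnbump-menu,python3*
+
+# Redirect
+include jumpnbump.profile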
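Review bot: `include allow-python3.inc` on line 10 lacks the explanatory comment that magicor.profile in the same commit places above its `include allow-python2.inc`; add `# Allow python (blacklisted by disable-interpreters.inc)` above line 10 so the two profiles read the same way. The ordering is correct as written — the allow include precedes the redirect on line 15, whose target pulls in disable-interpreters.inc — but that dependency is worth stating in the comment too, since moving the include below the redirect would silently break it.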
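--- /dev/null
+++ b/etc/jumpnbump.profile
@@ -0,0 +1,47 @@
+# Firejail profile for jumpnbump
+# Description: Cute multiplayer platform game with bunnies
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jumpnbump.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.jumpnbump
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.jumpnbump
+whitelist ${HOME}/.jumpnbump
+whitelist /usr/share/jumpnbump
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin jumpnbump
+private-cache
+private-dev
+private-etc none
+private-tmp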
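--- a/etc/lightsoff.profile
+++ b/etc/lightsoff.profile
@@ -1,5 +1,5 @@
 # Firejail profile for lightsoff
-# Description: Sliding tile puzzle game
+# Description: GNOME Lightsoff game
 # This file is overwritten after every install/update
 # Persistent local customizations
 include lightsoff.local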
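--- /dev/null
+++ b/etc/magicor.profile
@@ -0,0 +1,49 @@
+# Firejail profile for magicor
+# Description: Push ice blocks around to extinguish all fires
+# This file is overwritten after every install/update
+# Persistent local customizations
+include magicor.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.magicor
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.magicor
+whitelist ${HOME}/.magicor
+whitelist /usr/share/magicor
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin magicor,python2*
+private-cache
+private-dev
+private-etc machine-id
+private-tmp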
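Review bot: magicor.profile omits `noroot`; every other full profile added in this commit (blobwars, gravity-beams-and-evaporating-stars, hyperrogue, jumpnbump, mindless, mirrormagic, mrrescue) lists it between `nonewprivs` and `notv`, so this reads as an oversight rather than a deliberate exception. Without it the sandbox lacks the user-namespace root restriction its siblings apply. Add `noroot` between lines 35 and 36.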
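--- /dev/null
+++ b/etc/mindless.profile
@@ -0,0 +1,48 @@
+# Firejail profile for mindless
+# Description: figure out the secret code
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mindless.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/mindless
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin mindless
+private-cache
+private-dev
+private-etc fonts
+private-tmp
+
+memory-deny-write-execute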
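Review bot: `memory-deny-write-execute` sits in its own block at the end of the file (line 48), whereas the dig.profile and nslookup.profile hunks in this same commit insert it alphabetically into the main option block directly after `machine-id`. For consistency move it to follow line 23 and drop the trailing blank line, so the three profiles read the same way. The omission of `include whitelist-common.inc` looks intentional given `private` on line 41 replaces ${HOME}, but a short comment on line 41 would spare the next reader from checking.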
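--- /dev/null
+++ b/etc/mirrormagic.profile
@@ -0,0 +1,48 @@
+# Firejail profile for mirrormagic
+# Description: Puzzle game where you steer a beam of light using mirrors
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mirrormagic.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.mirrormagic
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.mirrormagic
+whitelist ${HOME}/.mirrormagic
+whitelist /usr/share/mirrormagic
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin mirrormagic
+private-cache
+private-dev
+private-etc machine-id
+private-tmp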
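Review bot: `private` on line 43 conflicts with the `mkdir`/`whitelist ${HOME}/.mirrormagic` on lines 19–20 and the `noblacklist` on line 9. As far as I can tell `private` mounts an empty tmpfs over ${HOME}, so the game's save directory is not reachable inside the sandbox and any settings it writes are discarded at exit; this is the same private-versus-whitelist conflict the commit resolves for dig.profile and nslookup.profile by deleting `private`. Either delete line 43 here (whitelist-common.inc already confines ${HOME}) or, if the game really keeps no state, delete lines 9, 19 and 20 instead — confirm which by checking whether mirrormagic writes to ~/.mirrormagic.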
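--- /dev/null
+++ b/etc/mrrescue.profile
@@ -0,0 +1,47 @@
+# Firejail profile for mrrescue
+# Description: Arcade-style fire fighting game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mrrescue.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/love
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/love
+whitelist ${HOME}/.local/share/love
+whitelist /usr/share/mrrescue
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin love,mrrescue,sh
+private-cache
+private-dev
+private-etc machine-id
+private-tmp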
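Review bot: `whitelist ${HOME}/.local/share/love` on line 20, together with the `noblacklist` on line 9, exposes the save directory of every LÖVE-based game to this sandbox, not just mrrescue's, so another LÖVE game's data is readable and writable from here. If mrrescue keeps its state in a per-game subdirectory (`${HOME}/.local/share/love/mrrescue` — confirm by running it once), narrow lines 9, 19 and 20 to that path; the broader `blacklist ${HOME}/.local/share/love` this commit adds to disable-programs.inc can stay as it is, since it only needs to cover the parent.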
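diff --git a/etc/mumble.profile b/etc/mumble.profile
index 94ccbad0c..a16934806 100644
--- a/etc/mumble.profile
+++ b/etc/mumble.profile
@@ -34,7 +34,7 @@ nogroups
 nonewprivs
 noroot
 notv
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 tracelog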
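Review bot: Adding `netlink` to the protocol list on line 37 widens the socket-family filter without a comment saying which part of mumble needs it. A one-line comment above it, e.g. `# netlink is needed for network interface enumeration` if that is the reason (it cannot be confirmed from the hunk), would document the relaxation the way other profiles in this commit document theirs.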
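diff --git a/etc/nslookup.profile b/etc/nslookup.profile
index 4aa1cfcbf..9ed6ef1e9 100644
--- a/etc/nslookup.profile
+++ b/etc/nslookup.profile
@@ -21,6 +21,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+whitelist ${HOME}/.nslookuprc
+include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -28,6 +31,7 @@ apparmor
 caps.drop all
 ipc-namespace
 machine-id
+memory-deny-write-execute
 netfilter
 no3d
 nodbus
@@ -45,7 +49,6 @@ shell none
 tracelog
 
 disable-mnt
-private
 private-bin bash,nslookup,sh
 private-dev
 private-tmp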
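diff --git a/etc/scorched3d-wrapper.profile b/etc/scorched3d-wrapper.profile
new file mode 100644
index 000000000..3eed8842b
--- /dev/null
+++ b/etc/scorched3d-wrapper.profile
@@ -0,0 +1,5 @@
+# Firejail profile for scorched3d
+# This file is overwritten after every install/update
+
+# Redirect
+include scorched3d.profile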
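diff --git a/etc/scorchwentbonkers.profile b/etc/scorchwentbonkers.profile
new file mode 100644
index 000000000..fcb3d5f29
--- /dev/null
+++ b/etc/scorchwentbonkers.profile
@@ -0,0 +1,47 @@
+# Firejail profile for scorchwentbonkers
+# Description: Realtime remake of Scorched Earth
+# This file is overwritten after every install/update
+# Persistent local customizations
+include scorchwentbonkers.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.swb.ini
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.swb.ini
+whitelist ${HOME}/.swb.ini
+whitelist /usr/share/scorchwentbonkers
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin scorchwentbonkers
+private-cache
+private-dev
+private-etc alsa,asound.conf,machine-id,pulse
+private-tmp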
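Review bot: `mkdir ${HOME}/.swb.ini` on line 19 creates a directory, but the `.ini` name suggests the game expects a file there; the whitelist on line 20 would then expose an empty directory in the place the game wants to write its settings, so the first save would fail. If it is a file, `mkfile ${HOME}/.swb.ini` is the right primitive (steam.profile in this commit uses `mkfile` for `.steampath` and `.steampid`); worth confirming against a run of the game before merging.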
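diff --git a/etc/seahorse-adventures.profile b/etc/seahorse-adventures.profile
new file mode 100644
index 000000000..5fd654eed
--- /dev/null
+++ b/etc/seahorse-adventures.profile
@@ -0,0 +1,48 @@
+# Firejail profile for seahorse-adventures
+# Description: Help barbie the seahorse float on bubbles to the moon
+# This file is overwritten after every install/update
+# Persistent local customizations
+include seahorse-adventures.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/seahorse-adventures
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin python*,seahorse-adventures
+private-cache
+private-dev
+private-etc machine-id
+private-tmp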
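Review bot: `private` on line 43 gives the game a fresh, empty home on every run, so any saves or high scores it writes under ${HOME} disappear at exit. If the game keeps persistent state (the profile does not say and it cannot be told from here), the noblacklist/mkdir/whitelist pattern used by mrrescue.profile and scorchwentbonkers.profile in this commit preserves that one directory while still keeping the rest of HOME out of reach; if it keeps none, a short comment above line 43 saying so would save the next reader the same question.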
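diff --git a/etc/slack.profile b/etc/slack.profile
index 9a10e38fe..b2828fcb1 100644
--- a/etc/slack.profile
+++ b/etc/slack.profile
@@ -19,16 +19,12 @@ whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-var-common.inc
 
-caps.drop all
+caps.keep sys_admin,sys_chroot
 netfilter
 nodvd
 nogroups
-nonewprivs
-noroot
 notv
 nou2f
-protocol unix,inet,inet6,netlink
-seccomp !chroot
 shell none
 
 disable-mnt
@@ -36,4 +32,3 @@ private-bin locale,slack
 private-cache
 private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
-private-tmp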
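Review bot: The first hunk swaps `caps.drop all` for `caps.keep sys_admin,sys_chroot` and deletes `nonewprivs`, `noroot`, `protocol unix,inet,inet6,netlink` and `seccomp !chroot`, and the second hunk drops `private-tmp`; together these remove the syscall filter and keep CAP_SYS_ADMIN, which is close to root-equivalent inside the sandbox, yet nothing in the file records why. This commit documents a comparable relaxation in unknown-horizons.profile (`# memory-deny-write-execute - doesn't work`), so a comment above line 22 naming what breaks otherwise — the Electron/Chromium sandbox helper is a plausible cause, but it cannot be confirmed from the hunk — would stop the hardening from being re-added and re-removed blindly. Since `protocol` only filters socket families, it is also worth testing whether that line at least can stay.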
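diff --git a/etc/ssh.profile b/etc/ssh.profile
index cbd59c6e0..a69fdb0f5 100644
--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -12,6 +12,7 @@ noblacklist /tmp/ssh-*
 noblacklist ${HOME}/.ssh
 # nc can be used as ProxyCommand, e.g. when using tor
 noblacklist ${PATH}/nc
+noblacklist ${PATH}/ncat
 
 include disable-common.inc
 include disable-exec.inc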
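Review bot: The comment on line 13 justifies the `nc` exception but does not cover the new `noblacklist ${PATH}/ncat` on line 15, so the second exception reads as unexplained. Extending it to `# nc/ncat can be used as ProxyCommand, e.g. when using tor` keeps the reason for both in one place.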
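diff --git a/etc/steam.profile b/etc/steam.profile
index c6f0ca145..ef927ba89 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -36,29 +36,37 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+mkdir ${HOME}/.config/unity3d
 mkdir ${HOME}/.killingfloor
 mkdir ${HOME}/.local/share/3909/PapersPlease
 mkdir ${HOME}/.local/share/aspyr-media
 mkdir ${HOME}/.local/share/cdprojektred
 mkdir ${HOME}/.local/share/feral-interactive
+mkdir ${HOME}/.local/share/Paradox Interactive
 mkdir ${HOME}/.local/share/Steam
 mkdir ${HOME}/.local/share/SuperHexagon
 mkdir ${HOME}/.local/share/Terraria
 mkdir ${HOME}/.local/share/vpltd
 mkdir ${HOME}/.local/share/vulkan
+mkdir ${HOME}/.mbwarband
+mkdir ${HOME}/.paradoxinteractive
 mkdir ${HOME}/.steam
 mkfile ${HOME}/.steampath
 mkfile ${HOME}/.steampid
+whitelist ${HOME}/.config/unity3d
 whitelist ${HOME}/.killingfloor
 whitelist ${HOME}/.local/share/3909/PapersPlease
 whitelist ${HOME}/.local/share/aspyr-media
 whitelist ${HOME}/.local/share/cdprojektred
 whitelist ${HOME}/.local/share/feral-interactive
+whitelist ${HOME}/.local/share/Paradox Interactive
 whitelist ${HOME}/.local/share/Steam
 whitelist ${HOME}/.local/share/SuperHexagon
 whitelist ${HOME}/.local/share/Terraria
 whitelist ${HOME}/.local/share/vpltd
 whitelist ${HOME}/.local/share/vulkan
+whitelist ${HOME}/.mbwarband
+whitelist ${HOME}/.paradoxinteractive
 whitelist ${HOME}/.steam
 whitelist ${HOME}/.steampath
 whitelist ${HOME}/.steampid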
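Review bot: Lines 45 and 62 introduce `${HOME}/.local/share/Paradox Interactive`, the first path in this block that contains a space, and whether the profile parser takes the remainder of a `mkdir`/`whitelist` line verbatim or stops at whitespace is not visible from the hunk. Worth checking (for example with `firejail --debug`) that both lines create and whitelist the intended directory rather than a truncated `Paradox`; if the space is handled, a short comment on line 45 noting that it is intentional would pre-empt the same doubt in later review.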
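diff --git a/etc/swell-foop.profile b/etc/swell-foop.profile
new file mode 100644
index 000000000..127d413ad
--- /dev/null
+++ b/etc/swell-foop.profile
@@ -0,0 +1,19 @@
+# Firejail profile for swell-foop
+# Description: GNOME colored tiles puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include swell-foop.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/swell-foop
+
+mkdir ${HOME}/.local/share/swell-foop
+whitelist ${HOME}/.local/share/swell-foop
+
+whitelist /usr/share/swell-foop
+
+private-bin swell-foop
+
+# Redirect
+include gnome_games-common.profile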
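diff --git a/etc/unknown-horizons.profile b/etc/unknown-horizons.profile
index 1e623f9ce..489de67bb 100644
--- a/etc/unknown-horizons.profile
+++ b/etc/unknown-horizons.profile
@@ -16,10 +16,14 @@ include disable-programs.inc
 mkdir ${HOME}/.unknown-horizons
 whitelist ${HOME}/.unknown-horizons
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+whitelist /usr/share/unknown-horizons
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
 caps.drop all
+# memory-deny-write-execute - doesn't work
 nodvd
 nogroups
 nonewprivs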
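Review bot: `whitelist /usr/share/unknown-horizons` on line 20 is placed between two `include whitelist-*.inc` lines, whereas the new profiles in this commit (mrrescue, wordwarvi, xbill) list explicit `whitelist` entries first and the includes after them; moving it above line 18 keeps the block consistent. The comment on line 26 could also say what fails under memory-deny-write-execute so the next person does not re-enable it blindly, e.g. `# memory-deny-write-execute - breaks <component that crashes>`.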
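diff --git a/etc/whitelist-usr-share-common.inc b/etc/whitelist-usr-share-common.inc
index 8a0f6774a..193b00a2a 100644
--- a/etc/whitelist-usr-share-common.inc
+++ b/etc/whitelist-usr-share-common.inc
@@ -50,6 +50,7 @@ whitelist /usr/share/qt4
 whitelist /usr/share/qt5
 whitelist /usr/share/sounds
 whitelist /usr/share/tcl8.6
+whitelist /usr/share/tcltk
 whitelist /usr/share/terminfo
 whitelist /usr/share/texlive
 whitelist /usr/share/texmf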
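diff --git a/etc/wordwarvi.profile b/etc/wordwarvi.profile
new file mode 100644
index 000000000..ea750e172
--- /dev/null
+++ b/etc/wordwarvi.profile
@@ -0,0 +1,49 @@
+# Firejail profile for wordwarvi
+# Description: Old school '80's style side scrolling space shoot'em up game.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include wordwarvi.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.wordwarvi
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.wordwarvi
+whitelist ${HOME}/.wordwarvi
+whitelist /usr/share/wordwarvi
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin wordwarvi
+private-cache
+private-dev
+private-etc alsa,asound.conf,machine-id,pulse
+private-tmp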
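Review bot: `private` on line 44 replaces ${HOME} with an empty temporary directory, which makes `mkdir ${HOME}/.wordwarvi` and `whitelist ${HOME}/.wordwarvi` on lines 19-20 ineffective and discards whatever the game writes there (presumably high scores) at exit. Either drop `private` so the whitelist does its job, as scorchwentbonkers.profile in this commit does, or drop the noblacklist/mkdir/whitelist trio if persistence is not wanted, as xbill.profile does with `private` plus `read-only ${HOME}`; keeping both leaves the intent unclear.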
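diff --git a/etc/xbill.profile b/etc/xbill.profile
new file mode 100644
index 000000000..fc29dced6
--- /dev/null
+++ b/etc/xbill.profile
@@ -0,0 +1,51 @@
+# Firejail profile for xbill
+# Description: save your computers from Wingdows [TM] virus
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xbill.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/xbill
+whitelist /var/games/xbill/scores
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin xbill
+private-cache
+private-dev
+private-etc none
+private-tmp
+
+memory-deny-write-execute
+read-only ${HOME}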
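Review bot: `memory-deny-write-execute` sits in a trailing paragraph on line 50 rather than in the alphabetical option block, where this same commit places it right after `machine-id` in nslookup.profile; moving it to follow line 25 keeps the two profiles consistent and makes it findable by the profstats check added here. Separately, `whitelist /var/games/xbill/scores` on line 18 is the only writable path outside HOME; with `nonewprivs` and `nogroups` in effect a setgid score writer cannot pick up the games group, so it is worth confirming from inside the sandbox that the score file is actually writable rather than silently failing.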
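diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index e79fd4b14..9d9d4012a 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -80,6 +80,7 @@ bleachbit
 blender
 blender-2.8
 bless
+blobwars
 bluefish
 bnox
 brackets
@@ -212,6 +213,7 @@ firefox-esr
 firefox-nightly
 firefox-wayland
 firefox-x11
+five-or-more
 flacsplt
 flameshot
 flashpeak-slimjet
@@ -271,6 +273,7 @@ gnome-contacts
 gnome-documents
 gnome-font-viewer
 gnome-hexgl
+gnome-klotski
 gnome-latex
 gnome-logs
 gnome-mahjongg
@@ -309,6 +312,7 @@ gpicview
 gpredict
 gradio
 gramps
+gravity-beams-and-evaporating-stars
 gthumb
 guayadeque
 gucharmap
@@ -322,6 +326,7 @@ hexchat
 highlight
 host
 hugin
+hyperrogue
 iagno
 icecat
 icedove
@@ -341,6 +346,8 @@ jd-gui
 jdownloader
 jerry
 jitsi
+jumpnbump
+jumpnbump-menu
 k3b
 kaffeine
 kalgebra
@@ -409,6 +416,7 @@ lximage-qt
 lxmusic
 lynx
 macrofusion
+magicor
 manaplus
 masterpdfeditor
 masterpdfeditor4
@@ -429,7 +437,9 @@ mendeleydesktop
 meteo-qt
 midori
 min
+mindless
 minetest
+mirrormagic
 mousepad
 mp3splt
 mp3splt-gtk
@@ -449,6 +459,7 @@ mpg123-strip
 mplayer
 mpsyt
 mpv
+mrrescue
 ms-excel
 ms-office
 ms-onenote
@@ -578,9 +589,12 @@ runenpass.sh
 sayonara
 scallion
 scorched3d
+scorched3d-wrapper
+scorchwentbonkers
 scribus
 sdat2img
 seahorse
+seahorse-adventures
 seahorse-daemon
 seahorse-tool
 seamonkey
@@ -620,6 +634,7 @@ subdownloader
 supertux2
 supertuxkart
 surf
+swell-foop
 sylpheed
 synfigstudio
 sysprof
@@ -735,7 +750,9 @@ wireshark-qt
 wpp
 wps
 wpspdf
+wordwarvi
 x2goclient
+xbill
 xcalc
 xchat
 xed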
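Review bot: `wordwarvi` on line 753 is inserted after `wpspdf`, which breaks the alphabetical order the rest of this list keeps; it belongs between `wireshark-qt` and `wpp`. The other additions in this section (`blobwars`, `five-or-more`, `xbill` and the rest) are in order, so moving that one line above `wpp` keeps the file sortable and future merges conflict-free.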
diff --git a/src/profstats/main.c b/src/profstats/main.c index 7c6bfce9d..ac02c69bc 100644 --- a/src/profstats/main.c +++ b/src/profstats/main.c | |||
@@ -38,6 +38,7 @@ static int cnt_whitelistvar = 0; // include whitelist-var-common.inc | |||
38 | static int cnt_whitelistrunuser = 0; // include whitelist-runuser-common.inc | 38 | static int cnt_whitelistrunuser = 0; // include whitelist-runuser-common.inc |
39 | static int cnt_whitelistusrshare = 0; // include whitelist-usr-share-common.inc | 39 | static int cnt_whitelistusrshare = 0; // include whitelist-usr-share-common.inc |
40 | static int cnt_ssh = 0; | 40 | static int cnt_ssh = 0; |
41 | static int cnt_mdwx = 0; | ||
41 | 42 | ||
42 | static int level = 0; | 43 | static int level = 0; |
43 | static int arg_debug = 0; | 44 | static int arg_debug = 0; |
@@ -51,6 +52,7 @@ static int arg_whitelistvar = 0; | |||
51 | static int arg_whitelistrunuser = 0; | 52 | static int arg_whitelistrunuser = 0; |
52 | static int arg_whitelistusrshare = 0; | 53 | static int arg_whitelistusrshare = 0; |
53 | static int arg_ssh = 0; | 54 | static int arg_ssh = 0; |
55 | static int arg_mdwx = 0; | ||
54 | 56 | ||
55 | static char *profile = NULL; | 57 | static char *profile = NULL; |
56 | 58 | ||
@@ -66,6 +68,7 @@ static void usage(void) { | |||
66 | printf(" --private-dev - print profiles without private-dev\n"); | 68 | printf(" --private-dev - print profiles without private-dev\n"); |
67 | printf(" --private-tmp - print profiles without private-tmp\n"); | 69 | printf(" --private-tmp - print profiles without private-tmp\n"); |
68 | printf(" --seccomp - print profiles without seccomp\n"); | 70 | printf(" --seccomp - print profiles without seccomp\n"); |
71 | printf(" --memory-deny-write-execute - profile without it\n"); | ||
69 | printf(" --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n"); | 72 | printf(" --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n"); |
70 | printf(" --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\"\n"); | 73 | printf(" --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\"\n"); |
71 | printf(" --whitelist-usrshare - print profiles without \"include whitelist-usr-share-common.inc\"\n"); | 74 | printf(" --whitelist-usrshare - print profiles without \"include whitelist-usr-share-common.inc\"\n"); |
@@ -114,6 +117,8 @@ void process_file(const char *fname) { | |||
114 | cnt_whitelistusrshare++; | 117 | cnt_whitelistusrshare++; |
115 | else if (strncmp(ptr, "include disable-common.inc", 26) == 0) | 118 | else if (strncmp(ptr, "include disable-common.inc", 26) == 0) |
116 | cnt_ssh++; | 119 | cnt_ssh++; |
120 | else if (strncmp(ptr, "memory-deny-write-execute", 25) == 0) | ||
121 | cnt_mdwx++; | ||
117 | else if (strncmp(ptr, "net none", 8) == 0) | 122 | else if (strncmp(ptr, "net none", 8) == 0) |
118 | cnt_netnone++; | 123 | cnt_netnone++; |
119 | else if (strncmp(ptr, "apparmor", 8) == 0) | 124 | else if (strncmp(ptr, "apparmor", 8) == 0) |
@@ -161,6 +166,8 @@ int main(int argc, char **argv) { | |||
161 | arg_caps = 1; | 166 | arg_caps = 1; |
162 | else if (strcmp(argv[i], "--seccomp") == 0) | 167 | else if (strcmp(argv[i], "--seccomp") == 0) |
163 | arg_seccomp = 1; | 168 | arg_seccomp = 1; |
169 | else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) | ||
170 | arg_mdwx = 1; | ||
164 | else if (strcmp(argv[i], "--noexec") == 0) | 171 | else if (strcmp(argv[i], "--noexec") == 0) |
165 | arg_noexec = 1; | 172 | arg_noexec = 1; |
166 | else if (strcmp(argv[i], "--private-dev") == 0) | 173 | else if (strcmp(argv[i], "--private-dev") == 0) |
@@ -205,6 +212,7 @@ int main(int argc, char **argv) { | |||
205 | int whitelistrunuser = cnt_whitelistrunuser; | 212 | int whitelistrunuser = cnt_whitelistrunuser; |
206 | int whitelistusrshare = cnt_whitelistusrshare; | 213 | int whitelistusrshare = cnt_whitelistusrshare; |
207 | int ssh = cnt_ssh; | 214 | int ssh = cnt_ssh; |
215 | int mdwx = cnt_mdwx; | ||
208 | 216 | ||
209 | // process file | 217 | // process file |
210 | profile = argv[i]; | 218 | profile = argv[i]; |
@@ -242,6 +250,8 @@ int main(int argc, char **argv) { | |||
242 | printf("No include whitelist-usr-share-common.inc found in %s\n", argv[i]); | 250 | printf("No include whitelist-usr-share-common.inc found in %s\n", argv[i]); |
243 | if (arg_ssh && ssh == cnt_ssh) | 251 | if (arg_ssh && ssh == cnt_ssh) |
244 | printf("No include disable-common.inc found in %s\n", argv[i]); | 252 | printf("No include disable-common.inc found in %s\n", argv[i]); |
253 | if (arg_mdwx && mdwx == cnt_mdwx) | ||
254 | printf("No memory-deny-write-execute found in %s\n", argv[i]); | ||
245 | 255 | ||
246 | assert(level == 0); | 256 | assert(level == 0); |
247 | } | 257 | } |
@@ -255,6 +265,7 @@ int main(int argc, char **argv) { | |||
255 | printf(" seccomp\t\t\t%d\n", cnt_seccomp); | 265 | printf(" seccomp\t\t\t%d\n", cnt_seccomp); |
256 | printf(" capabilities\t\t%d\n", cnt_caps); | 266 | printf(" capabilities\t\t%d\n", cnt_caps); |
257 | printf(" noexec\t\t\t%d (include disable-exec.inc)\n", cnt_noexec); | 267 | printf(" noexec\t\t\t%d (include disable-exec.inc)\n", cnt_noexec); |
268 | printf(" memory-deny-write-execute\t%d\n", cnt_mdwx); | ||
258 | printf(" apparmor\t\t\t%d\n", cnt_apparmor); | 269 | printf(" apparmor\t\t\t%d\n", cnt_apparmor); |
259 | printf(" private-dev\t\t\t%d\n", cnt_privatedev); | 270 | printf(" private-dev\t\t\t%d\n", cnt_privatedev); |
260 | printf(" private-tmp\t\t\t%d\n", cnt_privatetmp); | 271 | printf(" private-tmp\t\t\t%d\n", cnt_privatetmp); |