58 files changed, 936 insertions, 17 deletions
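--- /dev/null
+++ b/etc/QMediathekView.profile
@@ -0,0 +1,54 @@
+# Firejail profile for QMediathekView
+# Description: Search, download or stream files from mediathek.de
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/QMediathekView.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/QMediathekView
+noblacklist ${HOME}/.local/share/QMediathekView
+
+noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/smplayer
+noblacklist ${HOME}/.config/totem
+noblacklist ${HOME}/.config/vlc
+noblacklist ${HOME}/.config/xplayer
+noblacklist ${HOME}/.local/share/totem
+noblacklist ${HOME}/.local/share/xplayer
+noblacklist ${HOME}/.mplayer
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+netfilter
+# no3d
+# nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin QMediathekView,mplayer,mpv,smplayer,totem,vlc,xplayer
+private-cache
+private-dev
+# private-etc none
+# private-lib
+private-tmp
+
+# memory-deny-write-execute - breaks on Arch
+noexec ${HOME}
+noexec /tmp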
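Review bot: `novideo` is absent from the sandbox section (lines 29-42) although neither a Mediathek search/stream front-end nor its helper players (mplayer, mpv, smplayer, totem, vlc, xplayer) need the webcam, and the other new desktop profiles in this commit without a camera use case (artha, devilspie, easystroke, gnome-pie) all set it; add `novideo` after `nou2f`. `# no3d`, `# nodbus` and `# private-etc none` are commented out without a reason, while line 52 shows the file's own convention (`# memory-deny-write-execute - breaks on Arch`); the `private-etc` one matters most, since leaving it off exposes all of /etc to the sandbox, so record why, e.g. `# private-etc none - players need fonts/ssl (TODO: narrow)`.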
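--- /dev/null
+++ b/etc/aria2c.profile
@@ -0,0 +1,45 @@
+# Firejail profile for aria2c
+# Description: Download utility that supports HTTP(S), FTP, BitTorrent and Metalink
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/aria2c.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.aria2
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-xdg.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+# private
+private-bin aria2c,gzip
+private-cache
+private-dev
+private-etc ca-certificates,ssl
+private-lib libreadline.so.*
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp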
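Review bot: `private-etc ca-certificates,ssl` on line 39 omits `resolv.conf`, so unless the installed firejail adds it implicitly the glibc resolver has no nameserver configuration inside the sandbox and every download by hostname fails; the discord-common.profile section of this same commit adds `resolv.conf` to its `private-etc`, presumably for this reason. Suggest `private-etc ca-certificates,resolv.conf,ssl`, plus `pki,crypto-policies` on distributions that keep the trust store there (again as discord-common lists). The `private-lib libreadline.so.*` line looks copied from another profile — I cannot tell from this page that aria2c links readline, so confirm it is needed or drop it. `# private` on line 35 is a commented-out option with no reason; either remove it or say why it is off.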
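--- /dev/null
+++ b/etc/artha.profile
@@ -0,0 +1,46 @@
+# Firejail profile for artha
+# Description: A free cross-platform English thesaurus based on WordNet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/artha.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/artha.conf
+noblacklist ${HOME}/.config/enchant
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+# nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-bin artha,enchant,notify-send
+private-cache
+private-dev
+private-etc fonts
+private-lib libnotify.so.*
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp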
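Review bot: `# nodbus` on line 23 is commented out with no reason, whereas the convention elsewhere in this commit is a dash and an explanation (`# nodbus - makes settings immutable` in authenticator.profile). Since `private-bin` includes `notify-send` and `private-lib` lists `libnotify.so.*`, the likely reason is that desktop notifications travel over the session bus; if that is it, write `# nodbus - breaks notifications` so the next editor does not re-enable it. The same unexplained `# nodbus` appears in easystroke.profile and QMediathekView.profile in this commit.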
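--- /dev/null
+++ b/etc/authenticator.profile
@@ -0,0 +1,49 @@
+# Firejail profile for authenticator
+# Description: 2FA code generator for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/authenticator.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# blacklisted in 'disable-programs.local'
+noblacklist ${HOME}/.config/Authenticator
+
+# Allow python 3.x (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python3*
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# apparmor
+caps.drop all
+net none
+no3d
+# nodbus - makes settings immutable
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+# novideo
+nou2f
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+# private-bin authenticator
+private-cache
+private-dev
+private-etc fonts,ld.so.cache
+# private-lib
+private-tmp
+
+# memory-deny-write-execute - breaks on Arch
+noexec ${HOME}
+noexec /tmp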
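Review bot: The comment on line 9, `# blacklisted in 'disable-programs.local'`, names the wrong file: this commit adds `${HOME}/.config/Authenticator` to disable-programs.inc (see that section), and a `.local` file is the user's customization overlay that the shipped profiles never populate, so it should read `# blacklisted in 'disable-programs.inc'`. Because that directory holds the TOTP seeds, it is also worth checking whether `whitelist ${HOME}/.config/Authenticator` with `include /etc/firejail/whitelist-common.inc` works in place of the bare `noblacklist`, which leaves the rest of ${HOME} readable to the process. `# novideo` on line 33 is commented out with no reason although a code generator has no camera use, and `# private-bin authenticator` / `# private-lib` on lines 40 and 44 likewise lack the `- reason` suffix used on lines 26 and 47.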
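--- /dev/null
+++ b/etc/bsdcat.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for bsdtar
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/bsdtar.profile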
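--- /dev/null
+++ b/etc/bsdcpio.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for bsdtar
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/bsdtar.profile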
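--- a/etc/bsdtar.profile
+++ b/etc/bsdtar.profile
@@ -34,6 +34,6 @@ shell none
 tracelog
 
 # support compressed archives
-private-bin sh,bash,bsdtar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop,lz4,libarchive
+private-bin sh,bash,bsdcat,bsdcpio,bsdtar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop,lz4,libarchive
 private-dev
 private-etc passwd,group,localtime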
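--- /dev/null
+++ b/etc/checkbashisms.profile
@@ -0,0 +1,49 @@
+# Firejail profile for checkbashisms
+# Description: Lint tool for shell scripts
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include /etc/firejail/checkbashisms.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${DOCUMENTS}
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/cpan*
+noblacklist ${PATH}/core_perl
+noblacklist ${PATH}/perl
+noblacklist /usr/lib/perl*
+noblacklist /usr/share/perl*
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-xdg.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp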
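Review bot: `disable-mnt` is missing from the private section (lines 44-45) although a shell-script linter has no reason to see removable media, and every other new application profile in this commit (aria2c, artha, authenticator, devilspie, easystroke, gnome-pie) sets it; add `disable-mnt` before `private-dev`. `nou2f` is likewise absent here while artha, authenticator, devilspie, easystroke and gnome-pie all set it. The `noblacklist ${DOCUMENTS}` on line 10 is presumably there so scripts under the Documents directory can be linted despite `disable-xdg.inc`; a short comment saying so would stop a later cleanup from removing it.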
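--- a/etc/claws-mail.profile
+++ b/etc/claws-mail.profile
@@ -18,17 +18,20 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+no3d
 nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
 shell none
 
+private-cache
 private-dev
 private-tmp
 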
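--- /dev/null
+++ b/etc/desktop.profile
@@ -0,0 +1,44 @@
+# Firejail profile for desktop
+# Description: Extend your GitHub workflow beyond your browser with GitHub Desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/github-desktop.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+whitelist ${HOME}/.gitconfig
+whitelist ${HOME}/.config/GitHub Desktop
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+# no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+
+disable-mnt
+# private-bin Atom,desktop
+# private-cache
+# private-dev
+# private-etc none
+# private-lib
+# private-tmp
+
+# memory-deny-write-execute
+# noexec ${HOME}
+# noexec /tmp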
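Review bot: The customization include on line 5 is `github-desktop.local` while the profile itself is `desktop.profile`; every other profile in this commit follows `<profile name>.local`, so customizations written to `desktop.local` would never be read — either rename to `github-desktop.profile` with a `desktop.profile` redirect (the pattern used here for bsdcat/bsdcpio → bsdtar) or change the line to `include /etc/firejail/desktop.local`. `shell none` is also missing, unlike every other profile in this commit; if the Electron helpers need a shell, say so in a comment. With `whitelist-common.inc` included, only `.gitconfig` and the app's config directory are visible, so the repositories GitHub Desktop is meant to manage must be whitelisted in the `.local` file — a comment such as `# whitelist your repositories in github-desktop.local` would prevent the obvious "it cannot see my repos" report. `# private-bin Atom,desktop` on line 35 looks copied from another profile; if Atom is not a helper that this app launches, drop it from the commented list.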
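--- /dev/null
+++ b/etc/devilspie.profile
@@ -0,0 +1,49 @@
+# Firejail profile for devilspie
+# Description: Window matching daemon
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/devilspie.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.devilspie
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin devilspie
+private-cache
+private-dev
+private-etc none
+private-lib gconv
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
+
+# devilspie will never write anything
+read-only ${HOME}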
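--- /dev/null
+++ b/etc/devilspie2.profile
@@ -0,0 +1,49 @@
+# Firejail profile for devilspie2
+# Description: Window matching daemon (Lua)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/devilspie2.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/devilspie2
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin devilspie2
+private-cache
+private-dev
+private-etc none
+private-lib gconv
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
+
+# devilspie2 will never write anything
+read-only ${HOME}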
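Review bot: devilspie2 is described on line 2 as a Lua-driven daemon, yet `include /etc/firejail/disable-interpreters.inc` is pulled in on line 13 with no accompanying `noblacklist` for Lua, unlike the `# Allow perl`/`# Allow python 3.x` blocks that checkbashisms.profile and authenticator.profile add in this commit; whether that include also hides Lua's module paths (and so breaks scripts that `require` modules) I cannot confirm from this page, so it should be tested and the outcome recorded, e.g. `# Lua is embedded in devilspie2; no interpreter noblacklist needed` or the matching `noblacklist` lines. The `read-only ${HOME}` on line 49 is a good fit for a daemon that only reads its config; the same applies to devilspie.profile.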
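--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -273,6 +273,9 @@ blacklist ${HOME}/.local/share/Trash
 read-only ${HOME}/.config/menus
 read-only ${HOME}/.local/share/applications
 
+# Write-protection for thumbnailer dir
+read-only ${HOME}/.local/share/thumbnailers
+
 # top secret
 blacklist ${HOME}/*.kdb
 blacklist ${HOME}/*.kdbx
@@ -314,9 +317,11 @@ blacklist /var/backup
 # cloud provider configuration
 blacklist ${HOME}/.aws
 blacklist ${HOME}/.boto
-blacklist /etc/boto.cfg
 blacklist ${HOME}/.config/gcloud
 blacklist ${HOME}/.kube
+blacklist ${HOME}/.passwd-s3fs
+blacklist ${HOME}/.s3cmd
+blacklist /etc/boto.cfg
 
 # system directories
 blacklist /sbin
@@ -388,14 +393,14 @@ blacklist /vmlinuz*
 # snapshot files
 blacklist /.snapshots
 
-# complement noexec ${HOME} and noexec /tmp
-noexec /tmp/.X11-unix
-
 # flatpak
-blacklist ${HOME}/*.config/flatpak
-blacklist ${HOME}/*.var
-blacklist ${HOME}/*.local/share/flatpak
-blacklist /var/lib/flatpak
+blacklist ${HOME}/.config/flatpak
+blacklist ${HOME}/.local/share/flatpak
+blacklist ${HOME}/.var
 blacklist /usr/share/flatpak
+blacklist /var/lib/flatpak
 # most of the time bwrap is SUID binary
 blacklist ${PATH}/bwrap
+
+# complement noexec ${HOME} and noexec /tmp
+noexec /tmp/.X11-unix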
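Review bot: In the second hunk (`# cloud provider configuration`) the entry carried over from disable-programs.inc is `blacklist ${HOME}/.s3cmd`, but s3cmd's default configuration file — the one `s3cmd --configure` writes the access and secret keys into — is `~/.s3cfg`; unless `.s3cmd` is a known alternative location, the line that actually protects the credentials is `blacklist ${HOME}/.s3cfg`, and both can be kept. Moving `.passwd-s3fs` and `.s3cmd` into the common include is the right call, since these are credentials rather than application state and belong with `.aws`/`.boto`. The thumbnailer write-protection in the first hunk would benefit from one more word of intent, e.g. `# Write-protection for thumbnailer dir (a dropped .thumbnailer file runs on the next file-manager preview)`.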
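--- a/etc/disable-passwdmgr.inc
+++ b/etc/disable-passwdmgr.inc
@@ -2,6 +2,7 @@
 # Persistent customizations should go in a .local file.
 include /etc/firejail/disable-passwdmgr.local
 
+blacklist ${HOME}/.config/Bitwarden
 blacklist ${HOME}/.config/KeePass
 blacklist ${HOME}/.config/keepass
 blacklist ${HOME}/.config/keepassx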
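Review bot: `blacklist ${HOME}/.config/Bitwarden` covers the Electron desktop client, but as far as I recall the Bitwarden CLI keeps its vault data in a separate directory, `~/.config/Bitwarden CLI`; if that is confirmed, add `blacklist ${HOME}/.config/Bitwarden CLI` on the next line (paths with spaces are already used in disable-programs.inc, e.g. `Beaker Browser`). Otherwise a sandboxed program could still read the CLI's cached vault while the desktop client's is hidden.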
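--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -32,6 +32,7 @@ blacklist ${HOME}/.aMule
 blacklist ${HOME}/.android
 blacklist ${HOME}/.anydesk
 blacklist ${HOME}/.arduino15
+blacklist ${HOME}/.aria2
 blacklist ${HOME}/.arm
 blacklist ${HOME}/.asunder_album_genre
 blacklist ${HOME}/.asunder_album_title
@@ -46,15 +47,18 @@ blacklist ${HOME}/.config/0ad
 blacklist ${HOME}/.config/2048-qt
 blacklist ${HOME}/.config/Atom
 blacklist ${HOME}/.config/Audaciousrc
+blacklist ${HOME}/.config/Authenticator
 blacklist ${HOME}/.config/Beaker Browser
 blacklist ${HOME}/.config/Brackets
 blacklist ${HOME}/.config/Clementine
 blacklist ${HOME}/.config/Code
+blacklist ${HOME}/.config/Code Industry
 blacklist ${HOME}/.config/Cryptocat
 blacklist ${HOME}/.config/Franz
 blacklist ${HOME}/.config/FreeCAD
 blacklist ${HOME}/.config/Fritzing
 blacklist ${HOME}/.config/GIMP
+blacklist ${HOME}/.config/GitHub Desktop
 blacklist ${HOME}/.config/Gitter
 blacklist ${HOME}/.config/Google
 blacklist ${HOME}/.config/Google Play Music Desktop Player
@@ -63,13 +67,16 @@ blacklist ${HOME}/.config/INRIA
 blacklist ${HOME}/.config/InSilmaril
 blacklist ${HOME}/.config/Luminance
 blacklist ${HOME}/.config/Meltytech
+blacklist ${HOME}/.config/Min
 blacklist ${HOME}/.config/Mousepad
 blacklist ${HOME}/.config/Mumble
 blacklist ${HOME}/.config/MusE
 blacklist ${HOME}/.config/MuseScore
 blacklist ${HOME}/.config/MusicBrainz
+blacklist ${HOME}/.config/Nathan Osman
 blacklist ${HOME}/.config/Nylas Mail
 blacklist ${HOME}/.config/Qlipper
+blacklist ${HOME}/.config/QMediathekView
 blacklist ${HOME}/.config/QuiteRss
 blacklist ${HOME}/.config/QuiteRssrc
 blacklist ${HOME}/.config/Rambox
@@ -86,6 +93,7 @@ blacklist ${HOME}/.config/akregatorrc
 blacklist ${HOME}/.config/ardour4
 blacklist ${HOME}/.config/ardour5
 blacklist ${HOME}/.config/arkrc
+blacklist ${HOME}/.config/artha.conf
 blacklist ${HOME}/.config/asunder
 blacklist ${HOME}/.config/atril
 blacklist ${HOME}/.config/audacious
@@ -111,6 +119,7 @@ blacklist ${HOME}/.config/corebird
 blacklist ${HOME}/.config/darktable
 blacklist ${HOME}/.config/deadbeef
 blacklist ${HOME}/.config/deluge
+blacklist ${HOME}/.config/devilspie2
 blacklist ${HOME}/.config/digikam
 blacklist ${HOME}/.config/digikamrc
 blacklist ${HOME}/.config/discord
@@ -136,6 +145,7 @@ blacklist ${HOME}/.config/ghb
 blacklist ${HOME}/.config/globaltime
 blacklist ${HOME}/.config/gnome-mplayer
 blacklist ${HOME}/.config/gnome-mpv
+blacklist ${HOME}/.config/gnome-pie
 blacklist ${HOME}/.config/google-chrome
 blacklist ${HOME}/.config/google-chrome-beta
 blacklist ${HOME}/.config/google-chrome-unstable
@@ -185,6 +195,7 @@ blacklist ${HOME}/.config/nautilus
 blacklist ${HOME}/.config/nemo
 blacklist ${HOME}/.config/netsurf
 blacklist ${HOME}/.config/nheko
+blacklist ${HOME}/.config/NitroShare
 blacklist ${HOME}/.config/okularpartrc
 blacklist ${HOME}/.config/okularrc
 blacklist ${HOME}/.config/onionshare
@@ -252,11 +263,13 @@ blacklist ${HOME}/.config/zoomus.conf
 blacklist ${HOME}/.conkeror.mozdev.org
 blacklist ${HOME}/.curlrc
 blacklist ${HOME}/.dashcore
+blacklist ${HOME}/.devilspie
 blacklist ${HOME}/.dia
 blacklist ${HOME}/.dillo
 blacklist ${HOME}/.dooble
 blacklist ${HOME}/.dosbox
 blacklist ${HOME}/.dropbox*
+blacklist ${HOME}/.easystroke
 blacklist ${HOME}/.electron-cache
 blacklist ${HOME}/.electrum*
 blacklist ${HOME}/.elinks
@@ -360,6 +373,7 @@ blacklist ${HOME}/.local/share/3909/PapersPlease
 blacklist ${HOME}/.local/share/Empathy
 blacklist ${HOME}/.local/share/JetBrains
 blacklist ${HOME}/.local/share/Mumble
+blacklist ${HOME}/.local/share/QMediathekView
 blacklist ${HOME}/.local/share/QuiteRss
 blacklist ${HOME}/.local/share/Ricochet
 blacklist ${HOME}/.local/share/Steam
@@ -449,6 +463,7 @@ blacklist ${HOME}/.local/share/xplayer
 blacklist ${HOME}/.local/share/xreader
 blacklist ${HOME}/.local/share/zathura
 blacklist ${HOME}/.lv2
+blacklist ${HOME}/.masterpdfeditor
 blacklist ${HOME}/.mcabber
 blacklist ${HOME}/.mcabberrc
 blacklist ${HOME}/.mediathek3
@@ -469,7 +484,6 @@ blacklist ${HOME}/.openshot
 blacklist ${HOME}/.openshot_qt
 blacklist ${HOME}/.opera
 blacklist ${HOME}/.opera-beta
-blacklist ${HOME}/.passwd-s3fs
 blacklist ${HOME}/.pingus
 blacklist ${HOME}/.purple
 blacklist ${HOME}/.qemu-launcher
@@ -479,7 +493,6 @@ blacklist ${HOME}/.remmina
 blacklist ${HOME}/.repo_.gitconfig.json
 blacklist ${HOME}/.repoconfig
 blacklist ${HOME}/.retroshare
-blacklist ${HOME}/.s3cmd
 blacklist ${HOME}/.scribus
 blacklist ${HOME}/.scribusrc
 blacklist ${HOME}/.simutrans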
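Review bot: `blacklist ${HOME}/.config/NitroShare` (the `@@ -185,6 +195,7 @@` hunk) is inserted among the lowercase `n` entries, but this file keeps capitalised directory names in their own block ahead of the lowercase ones — the other insertions in this commit (`Authenticator`, `Code Industry`, `GitHub Desktop`, `Min`, `Nathan Osman`, `QMediathekView`) all go there. Move it next to `Nathan Osman`/`Nylas Mail` so the ordering stays mechanically checkable and duplicates are caught by eye. The removals of `.passwd-s3fs` and `.s3cmd` in the last two hunks are matched by their re-addition under `# cloud provider configuration` in disable-common.inc, so no coverage is lost; a one-line mention of that in the commit message would help anyone bisecting later.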
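--- a/etc/discord-common.profile
+++ b/etc/discord-common.profile
@@ -26,7 +26,7 @@ seccomp
 
 private-bin sh,xdg-mime,tr,sed,echo,head,cut,xdg-open,grep,egrep,bash,zsh
 private-dev
-private-etc fonts,machine-id,localtime,ld.so.cache,ca-certificates,ssl,pki,crypto-policies
+private-etc fonts,machine-id,localtime,ld.so.cache,ca-certificates,ssl,pki,crypto-policies,resolv.conf
 private-tmp
 
 noexec ${HOME}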
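--- /dev/null
+++ b/etc/easystroke.profile
@@ -0,0 +1,45 @@
+# Firejail profile for easystroke
+# Description: Control your desktop using mouse gestures
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/easystroke.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.easystroke
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+# nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-bin easystroke
+private-cache
+private-dev
+private-etc fonts
+private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp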
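Review bot: easystroke's gesture actions include running user-configured commands, and `private-bin easystroke` on line 36 together with `shell none` on line 33 means none of those commands will be found inside the sandbox; that is a defensible default for a hardened profile, but it should be stated, e.g. `# private-bin easystroke - add the programs your gestures launch to easystroke.local`, otherwise the first bug report will be "my gestures stopped working". `# nodbus` on line 22 is commented out without a reason, unlike `# nodbus - makes settings immutable` in authenticator.profile; say what breaks. The `private-lib` list on line 40 is identical to the one in gnome-pie.profile and a subset of evince's — if it was copied rather than derived from easystroke's actual link dependencies, a note saying so would tell the next maintainer it is safe to trim.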
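--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -40,7 +40,7 @@ private-bin evince,evince-previewer,evince-thumbnailer
 private-dev
 private-etc fonts
 
-private-lib evince,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libpoppler-glib.so.*,librsvg-2.so.*
+private-lib evince,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,gconv
 
 private-tmp
 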
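Review bot: `gconv` is appended to the end of the `private-lib` list, which is otherwise alphabetical (`evince,gdk-pixbuf-2.*,gio,gvfs/...,libdjvulibre...`); placing it between `evince` and `gdk-pixbuf-2.*` keeps the list sorted, as `private-lib gconv` already is in the new devilspie profiles. A short comment on the line above saying which document or locale needed it would also help — presumably iconv charset conversion for non-UTF-8 text, but the hunk does not say, so confirm before documenting.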
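--- a/etc/file.profile
+++ b/etc/file.profile
@@ -30,10 +30,11 @@ shell none
 tracelog
 x11 none
 
-private-bin file
+#private-bin file
+private-cache
 private-dev
 private-etc magic.mgc,magic,localtime
-private-lib
+private-lib libmagic.so.*
 
 memory-deny-write-execute
 noexec ${HOME}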
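Review bot: `#private-bin file` on line 33 disables the binary whitelist without saying why, and its spacing differs from the `# private-bin …` form used in every other profile of this commit; write it as `# private-bin file - <reason>` (the `# memory-deny-write-execute - breaks on Arch` lines show the convention), because a reader cannot tell whether it was removed in connection with the `private-lib libmagic.so.*` change on line 37 or for an unrelated breakage. Relaxing `private-bin` widens what a compromised `file` process can execute, so the trade-off deserves one line of justification rather than a silent comment-out.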
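--- /dev/null
+++ b/etc/gnome-pie.profile
@@ -0,0 +1,43 @@
+# Firejail profile for gnome-pie
+# Description: Alternative AppMenu
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/gnome-pie.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/gnome-pie
+
+#include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+#include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+#include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-etc fonts
+private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp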
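Review bot: Lines 11, 13 and 15 comment out `disable-common.inc`, `disable-interpreters.inc` and `disable-programs.inc` with no explanation, so the sandbox leaves the secret-bearing dotfiles those includes would hide, plus every interpreter, readable while the tail of the profile still advertises `memory-deny-write-execute`, `noexec ${HOME}` and `private-*`. Presumably they are off because an application launcher has to exec arbitrary programs that live behind those blacklists, but the file should say so, e.g. `# disable-*.inc would hide the programs gnome-pie launches` on line 11. It is also worth a comment that anything gnome-pie spawns inherits this sandbox, so `net none`, `nosound` and `private-etc fonts` will apply to every launched application; confirm that is intended rather than a surprise for users.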
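--- a/etc/krunner.profile
+++ b/etc/krunner.profile
@@ -11,7 +11,7 @@ include /etc/firejail/globals.local
 # with its own profile, if it is sandboxed automatically.
 
 # noblacklist ${HOME}/.cache/krunner
-# noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite
+# noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
 # noblacklist ${HOME}/.config/chromium
 noblacklist ${HOME}/.config/krunnerrc
 noblacklist ${HOME}/.kde/share/config/krunnerrc
@@ -34,3 +34,5 @@ nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+
+# private-cache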
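--- /dev/null
+++ b/etc/lbunzip2.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for gzip
+# Description: GNU compression utilities
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/gzip.profile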
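--- /dev/null
+++ b/etc/lbzcat.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for gzip
+# Description: GNU compression utilities
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/gzip.profile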
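--- /dev/null
+++ b/etc/lbzip2.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for gzip
+# Description: GNU compression utilities
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/gzip.profile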
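Review bot: Line 2 describes lbzip2 with the gzip package text `GNU compression utilities`, but lbzip2 (like lbunzip2 and lbzcat, aliased the same way in this commit) is an independent parallel bzip2 implementation, so the Description misleads anyone auditing which profile covers which binary. Suggest `# Description: Parallel bzip2 compression utility` here and in the two sibling files, and a short note on why gzip.profile is the chosen redirect target. Because lbzip2 is multi-threaded, it is also worth confirming that gzip.profile's seccomp and private-* settings do not break its worker threads before relying on the alias; I cannot see that profile from here.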
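--- /dev/null
+++ b/etc/lzcat.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/cpio.profile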
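--- /dev/null
+++ b/etc/lzcmp.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/cpio.profile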
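--- /dev/null
+++ b/etc/lzdiff.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/cpio.profile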
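--- /dev/null
+++ b/etc/lzegrep.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/cpio.profile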
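--- /dev/null
+++ b/etc/lzfgrep.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/cpio.profile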
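--- /dev/null
+++ b/etc/lzgrep.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/cpio.profile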
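--- /dev/null
+++ b/etc/lzip.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/cpio.profile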
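Review bot: Line 2 gives lzip the xz-utils description (`Library and command line tools for XZ and LZMA compressed files`), but `lzip` is a separate project with its own container format and is not part of xz-utils, so the text copied from the other lz*/xz* aliases is wrong for this file. Use lzip's own one-liner, e.g. `# Description: Lossless data compressor based on LZMA`, so the alias set stays auditable. Redirecting to cpio.profile is presumably fine if the two tools have the same filesystem and syscall needs, but that is an inference from the other aliases rather than something visible here.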
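--- /dev/null
+++ b/etc/lzless.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/cpio.profile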
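--- /dev/null
+++ b/etc/lzma.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/cpio.profile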
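--- /dev/null
+++ b/etc/lzmadec.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for xzdec
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/xzdec.profile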
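--- /dev/null
+++ b/etc/lzmainfo.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/cpio.profile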
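--- /dev/null
+++ b/etc/lzmore.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/cpio.profile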
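--- /dev/null
+++ b/etc/masterpdfeditor.profile
@@ -0,0 +1,50 @@
+# Firejail profile for masterpdfeditor
+# Description: A complete solution for creating and editing PDF files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/masterpdfeditor.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/Code Industry
+noblacklist ${HOME}/.masterpdfeditor
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# disable-mnt
+# private
+private-bin masterpdfeditor*
+private-cache
+private-dev
+private-etc fonts
+# private-lib
+private-tmp
+
+# memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp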
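Review bot: Lines 39, 40, 45 and 48 leave `disable-mnt`, `private`, `private-lib` and `memory-deny-write-execute` commented out without saying why, so a reader cannot tell a tested breakage from an option that was simply never tried. For an editor that opens untrusted PDFs, `disable-mnt` in particular is a cheap restriction and should only stay off with a recorded reason (for instance users opening documents from removable media). Suggest annotating each disabled line, e.g. `# memory-deny-write-execute - breaks <what>`, or enabling the ones that were never exercised. The rest of the hardening (`net none`, `nodbus`, `caps.drop all`, `seccomp`, `noexec`) is appropriate for this class of application.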
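--- /dev/null
+++ b/etc/masterpdfeditor4.profile
@@ -0,0 +1,12 @@
+# Firejail profile for masterpdfeditor4
+# Description: A complete solution for creating and editing PDF files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/masterpdfeditor4.local
+# Persistent global definitions
+# added by included profile
+#include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/masterpdfeditor.profile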
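--- /dev/null
+++ b/etc/masterpdfeditor5.profile
@@ -0,0 +1,12 @@
+# Firejail profile for masterpdfeditor5
+# Description: A complete solution for creating and editing PDF files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/masterpdfeditor5.local
+# Persistent global definitions
+# added by included profile
+#include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/masterpdfeditor.profile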
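--- /dev/null
+++ b/etc/mencoder.profile
@@ -0,0 +1,28 @@
+# Firejail profile for mencoder
+# Description: Free command line video decoding, encoding and filtering tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/mencoder.local
+# Persistent global definitions
+# added by included profile
+#include /etc/firejail/globals.local
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+net none
+no3d
+nodbus
+nosound
+notv
+nou2f
+protocol unix
+seccomp
+shell none
+
+private-bin mencoder
+
+include /etc/firejail/mplayer.profile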
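Review bot: Lines 16 and 22 set `net none` and `protocol unix` before the `include /etc/firejail/mplayer.profile` on line 28, and the tightening only works because, if I read firejail's profile parser correctly, the first `protocol` list wins and a second one is ignored with a warning; a `protocol unix,inet,inet6` inside mplayer.profile would therefore be discarded. That ordering is load-bearing and undocumented, so add a comment above line 16 such as `# Keep these above the include: firejail keeps the first protocol/net definition it parses`, otherwise a later cleanup that moves the include to the top silently re-enables networking. Also consider adding `novideo` next to `notv` on line 20: `notv` only hides DVB devices, and an encoder that is never used for capture has no need for V4L devices either, unless mplayer.profile already provides it.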
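--- /dev/null
+++ b/etc/min.profile
@@ -0,0 +1,50 @@
+# Firejail profile for min
+# Description: A faster, smarter web browser.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/min.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/Min
+
+noblacklist ${HOME}/.pki
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.pki
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+# ipc-namespace
+# machine-id breaks pulse audio; it should work fine in setups where sound is not required
+#machine-id
+netfilter
+# no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+# private-bin min
+private-cache
+private-dev
+# private-etc below works fine on most distributions. There are some problems on CentOS.
+private-etc ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies,ld.so.cache
+private-tmp
+
+# memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp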
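Review bot: `${HOME}/.config/Min` is noblacklisted on line 9 but never whitelisted, while lines 18-21 whitelist only `${DOWNLOADS}` and `${HOME}/.pki` and pull in `whitelist-common.inc`; once a home whitelist is active every unlisted path is hidden, so unless whitelist-common.inc happens to cover it the browser's own settings directory is invisible and its state is lost on every launch. Add `mkdir ${HOME}/.config/Min` and `whitelist ${HOME}/.config/Min` next to the `.pki` lines. The `# private-bin min` on line 41 also carries no reason; record what breaks if it is known, otherwise enable it.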
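--- /dev/null
+++ b/etc/nitroshare-cli.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for nitroshare
+# Description: Network File Transfer Application
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/nitroshare.profile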
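--- /dev/null
+++ b/etc/nitroshare-nmh.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for nitroshare
+# Description: Network File Transfer Application
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/nitroshare.profile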
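--- /dev/null
+++ b/etc/nitroshare-send.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for nitroshare
+# Description: Network File Transfer Application
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/nitroshare.profile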
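--- /dev/null
+++ b/etc/nitroshare-ui.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for nitroshare
+# Description: Network File Transfer Application
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/nitroshare.profile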
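--- /dev/null
+++ b/etc/nitroshare.profile
@@ -0,0 +1,50 @@
+# Firejail profile for nitroshare
+# Description: Network File Transfer Application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/nitroshare.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/Nathan Osman
+noblacklist ${HOME}/.config/NitroShare
+
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+no3d
+# nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+disable-mnt
+private-bin awk,grep,nitroshare,nitroshare-cli,nitroshare-nmh,nitroshare-send,nitroshare-ui
+private-cache
+private-dev
+private-etc ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,machine-id,nsswitch.conf,ssl
+# private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare
+private-tmp
+
+# memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp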
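Review bot: Lines 12-16 re-allow the python2/python3 interpreters and their library trees, but the `private-bin` list on line 41 (`awk,grep,nitroshare,nitroshare-cli,nitroshare-nmh,nitroshare-send,nitroshare-ui`) contains no `python*`, so with private-bin active no interpreter binary exists in the sandbox and those noblacklist lines do nothing. Either one of the wrapped programs (presumably `nitroshare-nmh`, the native-messaging host) really needs python and `python3*` belongs in `private-bin`, or the exceptions are dead and should be dropped, since re-exposing an interpreter is not free. Separately, this is a program that accepts files from network peers and the profile gives it a fully writable home (no whitelist); if incoming transfers land in a fixed directory, whitelisting `${DOWNLOADS}` together with the two config directories on lines 9-10 would bound what a malicious peer can overwrite. The `# nodbus` on line 27 would also benefit from a recorded reason.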
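--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -64,7 +64,7 @@ shell none
 #tracelog
 
 # private-bin is disabled while in testing, but has been tested working with multiple games
-#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lspci,lsof,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity
+#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lspci,lsof,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity
 # extra programs are available which might be needed for select games
 #private-bin java,java-config,mono
 # picture viewers are needed for viewing screenshots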
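--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -21,9 +21,13 @@ shell none
 tracelog
 
 private-bin strings
+private-cache
 private-dev
+private-etc none
 private-lib
 
 memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
 
 include /etc/firejail/default.profile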
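--- /dev/null
+++ b/etc/unlzma.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/cpio.profile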
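--- /dev/null
+++ b/etc/unxz.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/cpio.profile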
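--- /dev/null
+++ b/etc/xzcat.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/cpio.profile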
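--- /dev/null
+++ b/etc/xzcmp.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/cpio.profile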
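--- /dev/null
+++ b/etc/xzdiff.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/cpio.profile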
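--- /dev/null
+++ b/etc/xzegrep.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/cpio.profile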
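--- /dev/null
+++ b/etc/xzfgrep.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/cpio.profile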
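--- /dev/null
+++ b/etc/xzgrep.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/cpio.profile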
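--- /dev/null
+++ b/etc/xzless.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/cpio.profile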
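Review bot: xzless is, in xz-utils, a shell script that sets up and execs a pager rather than a compiled decompressor (the same holds for xzmore, lzless and lzmore added in this commit), so redirecting it to cpio.profile on line 7 only works if that profile leaves `sh`, `less`/`more` and `xz` executable; a `private-bin` list in cpio.profile that omits them would make these aliases fail at startup even though the compiled xz* aliases work. I cannot see cpio.profile from here, so please verify, or give the pager wrappers a profile that lists the binaries they actually need. A one-line comment above the include, e.g. `# xzless is a shell wrapper around a pager; cpio.profile must allow sh, less and xz`, would save the next person the same check.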
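--- /dev/null
+++ b/etc/xzmore.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/cpio.profile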