-rw-r--r-- | etc/7z.profile | 1 | ||||
-rw-r--r-- | etc/atom.profile | 3 | ||||
-rw-r--r-- | etc/bluefish.profile | 36 | ||||
-rw-r--r-- | etc/calligra.profile | 3 | ||||
-rw-r--r-- | etc/cin.profile | 2 | ||||
-rw-r--r-- | etc/cinelerra.profile | 31 | ||||
-rw-r--r-- | etc/cliqz.profile | 83 | ||||
-rw-r--r-- | etc/dia.profile | 1 | ||||
-rw-r--r-- | etc/evince.profile | 1 | ||||
-rw-r--r-- | etc/hugin.profile | 1 | ||||
-rw-r--r-- | etc/inkscape.profile | 2 | ||||
-rw-r--r-- | etc/inox.profile | 4 | ||||
-rw-r--r-- | etc/kdenlive.profile | 2 | ||||
-rw-r--r-- | etc/libreoffice.profile | 1 | ||||
-rw-r--r-- | etc/natron.profile | 1 | ||||
-rw-r--r-- | etc/openshot-qt.profile | 31 | ||||
-rw-r--r-- | etc/pinta.profile | 33 | ||||
-rw-r--r-- | etc/scribus.profile | 1 | ||||
-rw-r--r-- | etc/shotcut.profile | 2 | ||||
-rw-r--r-- | etc/synfigstudio.profile | 3 | ||||
-rw-r--r-- | etc/tar.profile | 1 | ||||
-rw-r--r-- | etc/unrar.profile | 1 | ||||
-rw-r--r-- | etc/unzip.profile | 1 |
23 files changed, 239 insertions, 6 deletions
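--- a/etc/7z.profile
+++ b/etc/7z.profile
@@ -17,6 +17,7 @@ notv
 novideo
 shell none
 tracelog
+caps.drop all
 
 private-dev
 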
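--- a/etc/atom.profile
+++ b/etc/atom.profile
@@ -5,6 +5,8 @@ include /etc/firejail/atom.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noexec ${HOME}
+noexec /tmp
 noblacklist ~/.atom
 noblacklist ~/.config/Atom
 
@@ -23,6 +25,7 @@ notv
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+net none
 shell none
 
 private-dev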
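Review bot: `net none` on new line 28 silently removes the network from an editor whose package manager (apm) installs and updates packages over it, and it leaves the unchanged `protocol unix,inet,inet6,netlink` two lines above as dead configuration; presumably this is deliberate hardening, but the profile should say so, e.g. `# net none: apm package install/updates will not work; override in atom.local if needed`. The new `noexec ${HOME}` on line 8 deserves the same scrutiny, since Atom packages under `~/.atom` can ship native modules that must be mapped executable — worth confirming the editor still starts with installed packages before this lands. Both concerns are about recording the trade-off, not about the hardening itself.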
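--- /dev/null
+++ b/etc/bluefish.profile
@@ -0,0 +1,36 @@
+# Firejail profile for pluma
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/pluma.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/pluma
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin bluefish
+private-dev
+# private-etc fonts
+private-tmp
+
+noexec ${HOME}
+noexec /tmp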
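Review bot: The header, the local-customization include and the noblacklist on lines 1, 4 and 8 were copied from the pluma profile and never renamed, so any `pluma.local` a user writes is applied to the bluefish sandbox while a `bluefish.local` is ignored. Lines 1 and 4 should read `# Firejail profile for bluefish` and `include /etc/firejail/bluefish.local`, matching the `<name>.local` convention every other profile on this page follows. Line 8 unblocks pluma's configuration directory rather than bluefish's own; the path bluefish actually uses should be checked and substituted, otherwise its settings are not writable inside the sandbox.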
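--- a/etc/calligra.profile
+++ b/etc/calligra.profile
@@ -21,9 +21,10 @@ novideo
 protocol unix
 seccomp
 shell none
+net none
 
 private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch
 private-dev
 
-noexec ${HOME}
+#noexec ${HOME}
 noexec /tmp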
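Review bot: Commenting out `noexec ${HOME}` on new line 29 re-enables execution from the home directory without recording why, and the same unexplained relaxation appears in kdenlive (line 29 of its hunk) and shotcut (line 30 of its hunk). A one-line reason next to the disabled directive would let the next maintainer re-enable it once the underlying need goes away, e.g. `# noexec ${HOME} disabled: <reason — e.g. helper or plugin under $HOME must be executable>`. The added `net none` on line 24 is consistent with the existing `protocol unix` and needs no change.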
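--- a/etc/cin.profile
+++ b/etc/cin.profile
@@ -24,7 +24,7 @@ protocol unix
 seccomp
 shell none
 
-#private-bin cin
+private-bin cin,ffmpeg
 private-dev
 
 noexec ${HOME}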
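--- /dev/null
+++ b/etc/cinelerra.profile
@@ -0,0 +1,31 @@
+# Firejail profile for cin
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/cin.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.bcast
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+notv
+noroot
+protocol unix
+seccomp
+shell none
+
+private-bin cinelerra
+private-dev
+
+noexec ${HOME}
+noexec /tmp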
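Review bot: Lines 1 and 4 still name cin and include `cin.local`, although cin has its own profile (etc/cin.profile, touched in this same commit) and this file is cinelerra's; under the `<name>.local` convention used by the rest of the page the include should be `include /etc/firejail/cinelerra.local` with the header `# Firejail profile for cinelerra`. If sharing local overrides between the two profiles is actually intended, a comment saying so would stop the next reader from "fixing" it. Whether `${HOME}/.bcast` on line 8 is the directory this cinelerra build uses cannot be verified from the page and is worth confirming.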
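--- /dev/null
+++ b/etc/cliqz.profile
@@ -0,0 +1,83 @@
+# Firejail profile for firefox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/firefox.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ~/.cache/cliqz
+noblacklist ~/.config/cliqz
+noblacklist ~/.config/okularpartrc
+noblacklist ~/.config/okularrc
+noblacklist ~/.config/qpdfview
+noblacklist ~/.kde/share/apps/okular
+noblacklist ~/.kde/share/config/okularpartrc
+noblacklist ~/.kde/share/config/okularrc
+noblacklist ~/.kde4/share/apps/okular
+noblacklist ~/.kde4/share/config/okularpartrc
+noblacklist ~/.kde4/share/config/okularrc
+noblacklist ~/.local/share/gnome-shell/extensions
+noblacklist ~/.local/share/okular
+noblacklist ~/.local/share/qpdfview
+
+noblacklist ~/.pki
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ~/.cache/mozilla/firefox
+mkdir ~/.mozilla
+mkdir ~/.pki
+whitelist ${DOWNLOADS}
+whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.cache/mozilla/firefox
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.config/okularpartrc
+whitelist ~/.config/okularrc
+whitelist ~/.config/pipelight-silverlight5.1
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/qpdfview
+whitelist ~/.kde/share/apps/okular
+whitelist ~/.kde/share/config/okularpartrc
+whitelist ~/.kde/share/config/okularrc
+whitelist ~/.kde4/share/apps/okular
+whitelist ~/.kde4/share/config/okularpartrc
+whitelist ~/.kde4/share/config/okularrc
+whitelist ~/.keysnail.js
+whitelist ~/.lastpass
+whitelist ~/.local/share/gnome-shell/extensions
+whitelist ~/.local/share/okular
+whitelist ~/.local/share/qpdfview
+whitelist ~/.mozilla
+whitelist ~/.pentadactyl
+whitelist ~/.pentadactylrc
+whitelist ~/.pki
+whitelist ~/.vimperator
+whitelist ~/.vimperatorrc
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.zotero
+whitelist ~/dwhelper
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+# private-bin firefox,which,sh,dbus-launch,dbus-send,env
+private-dev
+# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
+private-tmp
+
+noexec ${HOME}
+noexec /tmp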
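Review bot: The browser's own profile directories are only `noblacklist`ed on lines 8–9, but the profile then whitelists `~/.mozilla` and `~/.cache/mozilla/firefox` (lines 29–34, 52); once any whitelist is active the rest of $HOME is hidden and `noblacklist` does not bring a path back, so `~/.config/cliqz` and `~/.cache/cliqz` should be unreachable inside the sandbox and the browser would start with an empty, non-persistent profile — worth a quick check on a live system. The fix is to treat them like the mozilla paths: `mkdir ~/.config/cliqz`, `whitelist ~/.config/cliqz`, `whitelist ~/.cache/cliqz`, plus the matching mkdir for the cache directory; the firefox-specific mkdir/whitelist lines can then go unless cliqz really reads `~/.mozilla`. Lines 1 and 4 are also still firefox's; line 4 should be `include /etc/firejail/cliqz.local`, otherwise a user's firefox.local overrides leak into this sandbox and cliqz.local is never read.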
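--- a/etc/dia.profile
+++ b/etc/dia.profile
@@ -25,6 +25,7 @@ novideo
 protocol unix
 seccomp
 shell none
+net none
 
 disable-mnt
 #private-bin dia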
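--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -28,6 +28,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+net none
 
 private-bin evince,evince-previewer,evince-thumbnailer
 private-dev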
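--- a/etc/hugin.profile
+++ b/etc/hugin.profile
@@ -24,6 +24,7 @@ novideo
 protocol unix
 seccomp
 shell none
+net none
 
 private-bin PTBatcherGUI,calibrate_lens_gui,hugin,hugin_stitch_project,align_image_stack,autooptimiser,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,fulla,geocpset,hugin_executor,hugin_hdrmerge,hugin_lensdb,icpfind,linefind,nona,pano_modify,pano_trafo,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,tca_correct,verdandi,vig_optimize,enblend
 private-dev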
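--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -27,7 +27,7 @@ protocol unix
 seccomp
 shell none
 
-#private-bin inkscape
+private-bin inkscape,potrace
 private-dev
 private-tmp
 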
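--- a/etc/inox.profile
+++ b/etc/inox.profile
@@ -24,3 +24,7 @@ include /etc/firejail/whitelist-common.inc
 netfilter
 nodvd
 notv
+nogroups
+noroot
+shell none
+caps.keep sys_chroot,sys_admin
\ No newline at end of file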
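Review bot: `caps.keep sys_chroot,sys_admin` on new line 30 retains CAP_SYS_ADMIN — the broadest capability there is — inside a browser sandbox, while every other profile in this commit uses `caps.drop all`, and nothing in the file says why. If the reason is the Chromium-style setuid sandbox helper, which as far as I know needs exactly these two, record it so the exception is not widened or removed blindly: `# caps.keep sys_chroot,sys_admin: needed by the chromium setuid sandbox helper`. With `noroot` on line 28 the capability presumably only applies inside the user namespace, which is worth stating too. The file also now ends without a trailing newline (the `\ No newline at end of file` marker), which is easy to fix while the line is being touched.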
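--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -26,5 +26,5 @@ private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvda
 private-dev
 #private-etc fonts,alternatives,X11,pulse,passwd
 
-noexec ${HOME}
+#noexec ${HOME}
 noexec /tmp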
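--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -27,6 +27,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
+net none
 
 private-dev
 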
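--- a/etc/natron.profile
+++ b/etc/natron.profile
@@ -26,6 +26,7 @@ notv
 protocol unix,inet,inet6
 seccomp
 shell none
+net none
 
 private-bin natron,Natron,NatronRenderer
 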
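--- /dev/null
+++ b/etc/openshot-qt.profile
@@ -0,0 +1,31 @@
+# Firejail profile for openshot
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/openshot.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.openshot
+noblacklist ${HOME}/.openshot_qt
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp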
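Review bot: The file is etc/openshot-qt.profile but lines 1 and 4 name openshot and include `openshot.local`, so a user's `openshot-qt.local` is never read; under the `<name>.local` convention used elsewhere on this page line 4 should be `include /etc/firejail/openshot-qt.local` (or, if sharing overrides with a plain openshot profile is the intent, a comment saying so). It is also the only new editor profile here that keeps `netfilter` and full `protocol unix,inet,inet6,netlink` while cinelerra and pinta get `net none`; if OpenShot genuinely needs the network (I cannot tell from the page) a one-line comment recording that would make the difference look deliberate rather than accidental.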
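--- /dev/null
+++ b/etc/pinta.profile
@@ -0,0 +1,33 @@
+# Firejail profile for krita
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/krita.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+
+whitelist ~/.config/Pinta
+noexec ${HOME}
+noexec /tmp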
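Review bot: `whitelist ~/.config/Pinta` on line 31 is the only whitelist in the file, and a single whitelist turns $HOME into a view containing just that path — so the user cannot open or save images anywhere under their home, and if the directory does not exist yet there is no `mkdir` to create it; it also lacks the `include /etc/firejail/whitelist-common.inc` that the whitelisted profile on this page (cliqz) carries. Either drop the whitelist approach and use `noblacklist ~/.config/Pinta` next to the other noblacklist-style profiles here, or build a proper block (`mkdir ~/.config/Pinta`, `whitelist ~/.config/Pinta`, `whitelist ${DOWNLOADS}`, the whitelist-common include) placed before the `caps.drop all` line rather than between `private-tmp` and `noexec`. Lines 1 and 4 are copied from krita; line 4 should be `include /etc/firejail/pinta.local` so that local overrides land in the right sandbox.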
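--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -36,6 +36,7 @@ notv
 novideo
 protocol unix
 seccomp
+net none
 tracelog
 
 #private-bin scribus,gs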
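--- a/etc/shotcut.profile
+++ b/etc/shotcut.profile
@@ -27,5 +27,5 @@ shell none
 #private-bin shotcut,melt,qmelt,nice
 private-dev
 
-noexec ${HOME}
+#noexec ${HOME}
 noexec /tmp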
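--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -25,8 +25,9 @@ novideo
 protocol unix
 seccomp
 shell none
+net none
 
-#private-bin synfigstudio
+#private-bin synfigstudio,synfig,ffmpeg
 private-dev
 private-tmp
 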
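--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -18,6 +18,7 @@ notv
 novideo
 shell none
 tracelog
+caps.drop all
 
 # support compressed archives
 private-bin sh,bash,dash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop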
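--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -18,6 +18,7 @@ notv
 novideo
 shell none
 tracelog
+caps.drop all
 
 private-bin unrar
 private-dev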
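--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -18,6 +18,7 @@ notv
 novideo
 shell none
 tracelog
+caps.drop all
 
 private-bin unzip
 private-dev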