aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--.github/ISSUE_TEMPLATE/bug_report.md6
-rw-r--r--.github/workflows/build-extra.yml7
-rw-r--r--.github/workflows/build.yml1
-rw-r--r--.github/workflows/codeql-analysis.yml6
-rw-r--r--.github/workflows/sort.yml5
-rw-r--r--Makefile.in7
-rw-r--r--README30
-rw-r--r--README.md94
-rw-r--r--RELNOTES16
-rw-r--r--SECURITY.md7
-rwxr-xr-xconfigure24
-rw-r--r--configure.ac19
-rw-r--r--contrib/vim/syntax/firejail.vim2
-rw-r--r--etc/inc/allow-bin-sh.inc7
-rw-r--r--etc/inc/allow-common-devel.inc9
-rw-r--r--etc/inc/allow-gjs.inc3
-rw-r--r--etc/inc/allow-nodejs.inc6
-rw-r--r--etc/inc/allow-ssh.inc8
-rw-r--r--etc/inc/archiver-common.inc22
-rw-r--r--etc/inc/disable-common.inc16
-rw-r--r--etc/inc/disable-interpreters.inc5
-rw-r--r--etc/inc/disable-programs.inc31
-rw-r--r--etc/inc/firefox-common-addons.inc3
-rw-r--r--etc/inc/whitelist-usr-share-common.inc1
-rw-r--r--etc/net/nolocal6.net41
-rw-r--r--etc/profile-a-l/7z.profile3
-rw-r--r--etc/profile-a-l/Builder.profile5
-rw-r--r--etc/profile-a-l/Cheese.profile5
-rw-r--r--etc/profile-a-l/Cyberfox.profile5
-rw-r--r--etc/profile-a-l/Documents.profile5
-rw-r--r--etc/profile-a-l/FossaMail.profile5
-rw-r--r--etc/profile-a-l/Gitter.profile5
-rw-r--r--etc/profile-a-l/Logs.profile5
-rw-r--r--etc/profile-a-l/agetpkg.profile60
-rw-r--r--etc/profile-a-l/alacarte.profile1
-rw-r--r--etc/profile-a-l/android-studio.profile4
-rw-r--r--etc/profile-a-l/aosp.profile4
-rw-r--r--etc/profile-a-l/apostrophe.profile3
-rw-r--r--etc/profile-a-l/ar.profile1
-rw-r--r--etc/profile-a-l/ardour4.profile5
-rw-r--r--etc/profile-a-l/atom.profile1
-rw-r--r--etc/profile-a-l/atool.profile4
-rw-r--r--etc/profile-a-l/avidemux.profile53
-rw-r--r--etc/profile-a-l/balsa.profile12
-rw-r--r--etc/profile-a-l/bibletime.profile1
-rw-r--r--etc/profile-a-l/bijiben.profile2
-rw-r--r--etc/profile-a-l/blackbox.profile2
-rw-r--r--etc/profile-a-l/blender-2.8.profile5
-rw-r--r--etc/profile-a-l/brave-browser-beta.profile5
-rw-r--r--etc/profile-a-l/brave-browser-dev.profile5
-rw-r--r--etc/profile-a-l/brave-browser-nightly.profile5
-rw-r--r--etc/profile-a-l/brave-browser-stable.profile5
-rw-r--r--etc/profile-a-l/brave-browser.profile5
-rw-r--r--etc/profile-a-l/bsdcat.profile5
-rw-r--r--etc/profile-a-l/bsdcpio.profile5
-rw-r--r--etc/profile-a-l/bsdtar.profile5
-rw-r--r--etc/profile-a-l/calligra.profile3
-rw-r--r--etc/profile-a-l/calligraauthor.profile5
-rw-r--r--etc/profile-a-l/calligraconverter.profile5
-rw-r--r--etc/profile-a-l/calligraflow.profile5
-rw-r--r--etc/profile-a-l/calligragemini.profile12
-rw-r--r--etc/profile-a-l/calligraplan.profile5
-rw-r--r--etc/profile-a-l/calligraplanwork.profile5
-rw-r--r--etc/profile-a-l/calligrasheets.profile5
-rw-r--r--etc/profile-a-l/calligrastage.profile5
-rw-r--r--etc/profile-a-l/calligrawords.profile5
-rw-r--r--etc/profile-a-l/celluloid.profile6
-rw-r--r--etc/profile-a-l/cheese.profile6
-rw-r--r--etc/profile-a-l/chromium-browser.profile5
-rw-r--r--etc/profile-a-l/chromium-common.profile4
-rw-r--r--etc/profile-a-l/chromium-freeworld.profile5
-rw-r--r--etc/profile-a-l/cinelerra.profile5
-rw-r--r--etc/profile-a-l/clamdscan.profile5
-rw-r--r--etc/profile-a-l/clamdtop.profile5
-rw-r--r--etc/profile-a-l/clamscan.profile5
-rw-r--r--etc/profile-a-l/claws-mail.profile9
-rw-r--r--etc/profile-a-l/clion.profile4
-rw-r--r--etc/profile-a-l/clocks.profile5
-rw-r--r--etc/profile-a-l/com.gitlab.newsflash.profile5
-rw-r--r--etc/profile-a-l/coyim.profile49
-rw-r--r--etc/profile-a-l/cpio.profile1
-rw-r--r--etc/profile-a-l/crawl-tiles.profile5
-rw-r--r--etc/profile-a-l/cryptocat.profile5
-rw-r--r--etc/profile-a-l/dia.profile1
-rw-r--r--etc/profile-a-l/discord-common.profile2
-rw-r--r--etc/profile-a-l/display-im6.q16.profile10
-rw-r--r--etc/profile-a-l/dooble-qt4.profile5
-rw-r--r--etc/profile-a-l/email-common.profile25
-rw-r--r--etc/profile-a-l/evince.profile9
-rw-r--r--etc/profile-a-l/evolution.profile60
-rw-r--r--etc/profile-a-l/file-manager-common.profile2
-rw-r--r--etc/profile-a-l/filezilla.profile4
-rw-r--r--etc/profile-a-l/firefox.profile7
-rw-r--r--etc/profile-a-l/fluxbox.profile2
-rw-r--r--etc/profile-a-l/fractal.profile6
-rw-r--r--etc/profile-a-l/freecadcmd.profile5
-rw-r--r--etc/profile-a-l/freeciv-gtk3.profile5
-rw-r--r--etc/profile-a-l/freeciv-mp-gtk3.profile5
-rw-r--r--etc/profile-a-l/gajim-history-manager.profile5
-rw-r--r--etc/profile-a-l/gajim.profile30
-rw-r--r--etc/profile-a-l/geary.profile79
-rw-r--r--etc/profile-a-l/gfeeds.profile3
-rw-r--r--etc/profile-a-l/ghb.profile5
-rw-r--r--etc/profile-a-l/gimp-2.10.profile5
-rw-r--r--etc/profile-a-l/gimp-2.8.profile5
-rw-r--r--etc/profile-a-l/git-cola.profile5
-rw-r--r--etc/profile-a-l/git.profile4
-rw-r--r--etc/profile-a-l/gitg.profile4
-rw-r--r--etc/profile-a-l/gnome-mpv.profile5
-rw-r--r--etc/profile-a-l/google-chrome-stable.profile5
-rw-r--r--etc/profile-a-l/google-earth-pro.profile27
-rw-r--r--etc/profile-a-l/google-earth.profile15
-rw-r--r--etc/profile-a-l/gtar.profile5
-rw-r--r--etc/profile-a-l/gummi.profile5
-rw-r--r--etc/profile-a-l/guvcview.profile55
-rw-r--r--etc/profile-a-l/gzip.profile4
-rw-r--r--etc/profile-a-l/handbrake-gtk.profile5
-rw-r--r--etc/profile-a-l/hexchat.profile6
-rw-r--r--etc/profile-a-l/i3.profile2
-rw-r--r--etc/profile-a-l/idea.sh.profile4
-rw-r--r--etc/profile-a-l/iridium-browser.profile5
-rw-r--r--etc/profile-a-l/jumpnbump-menu.profile1
-rw-r--r--etc/profile-a-l/kalgebramobile.profile5
-rw-r--r--etc/profile-a-l/karbon.profile5
-rw-r--r--etc/profile-a-l/kazam.profile1
-rw-r--r--etc/profile-a-l/kdiff3.profile52
-rw-r--r--etc/profile-a-l/keepass2.profile5
-rw-r--r--etc/profile-a-l/keepassx2.profile5
-rw-r--r--etc/profile-a-l/keepassxc.profile20
-rw-r--r--etc/profile-a-l/klatexformula_cmdl.profile5
-rw-r--r--etc/profile-a-l/kmail.profile81
-rw-r--r--etc/profile-a-l/krunner.profile4
-rw-r--r--etc/profile-a-l/lbunzip2.profile5
-rw-r--r--etc/profile-a-l/lbzcat.profile5
-rw-r--r--etc/profile-a-l/lbzip2.profile5
-rw-r--r--etc/profile-a-l/liferea.profile11
-rw-r--r--etc/profile-a-l/lobase.profile5
-rw-r--r--etc/profile-a-l/localc.profile5
-rw-r--r--etc/profile-a-l/lodraw.profile5
-rw-r--r--etc/profile-a-l/loffice.profile5
-rw-r--r--etc/profile-a-l/lofromtemplate.profile5
-rw-r--r--etc/profile-a-l/loimpress.profile5
-rw-r--r--etc/profile-a-l/lomath.profile5
-rw-r--r--etc/profile-a-l/loweb.profile5
-rw-r--r--etc/profile-a-l/lowriter.profile5
-rw-r--r--etc/profile-a-l/lsar.profile13
-rw-r--r--etc/profile-a-l/lutris.profile2
-rw-r--r--etc/profile-a-l/lyx.profile5
-rw-r--r--etc/profile-a-l/lzcat.profile5
-rw-r--r--etc/profile-a-l/lzcmp.profile5
-rw-r--r--etc/profile-a-l/lzdiff.profile6
-rw-r--r--etc/profile-a-l/lzegrep.profile5
-rw-r--r--etc/profile-a-l/lzfgrep.profile5
-rw-r--r--etc/profile-a-l/lzgrep.profile5
-rw-r--r--etc/profile-a-l/lzip.profile5
-rw-r--r--etc/profile-a-l/lzless.profile5
-rw-r--r--etc/profile-a-l/lzma.profile5
-rw-r--r--etc/profile-a-l/lzmadec.profile6
-rw-r--r--etc/profile-a-l/lzmainfo.profile5
-rw-r--r--etc/profile-a-l/lzmore.profile5
-rw-r--r--etc/profile-m-z/Maps.profile5
-rw-r--r--etc/profile-m-z/Natron.profile5
-rw-r--r--etc/profile-m-z/Screenshot.profile5
-rw-r--r--etc/profile-m-z/Telegram.profile5
-rw-r--r--etc/profile-m-z/VirtualBox.profile5
-rw-r--r--etc/profile-m-z/marker.profile59
-rw-r--r--etc/profile-m-z/mate-calculator.profile5
-rw-r--r--etc/profile-m-z/mathematica.profile5
-rw-r--r--etc/profile-m-z/mattermost-desktop.profile33
-rw-r--r--etc/profile-m-z/mdr.profile55
-rw-r--r--etc/profile-m-z/megaglest_editor.profile5
-rw-r--r--etc/profile-m-z/meld.profile11
-rw-r--r--etc/profile-m-z/menulibre.profile1
-rw-r--r--etc/profile-m-z/mirage.profile1
-rw-r--r--etc/profile-m-z/mpv.profile3
-rw-r--r--etc/profile-m-z/multimc.profile5
-rw-r--r--etc/profile-m-z/mutt.profile88
-rw-r--r--etc/profile-m-z/mypaint-ora-thumbnailer.profile5
-rw-r--r--etc/profile-m-z/neomutt.profile152
-rw-r--r--etc/profile-m-z/newsboat.profile4
-rw-r--r--etc/profile-m-z/nicotine.profile1
-rw-r--r--etc/profile-m-z/nitroshare-cli.profile5
-rw-r--r--etc/profile-m-z/nitroshare-nmh.profile5
-rw-r--r--etc/profile-m-z/nitroshare-send.profile5
-rw-r--r--etc/profile-m-z/nitroshare-ui.profile5
-rw-r--r--etc/profile-m-z/nodejs-common.profile52
-rw-r--r--etc/profile-m-z/npm.profile29
-rw-r--r--etc/profile-m-z/onboard.profile1
-rw-r--r--etc/profile-m-z/ooffice.profile5
-rw-r--r--etc/profile-m-z/ooviewdoc.profile5
-rw-r--r--etc/profile-m-z/openarena_ded.profile5
-rw-r--r--etc/profile-m-z/openbox.profile2
-rw-r--r--etc/profile-m-z/openoffice.org.profile5
-rw-r--r--etc/profile-m-z/openshot-qt.profile5
-rw-r--r--etc/profile-m-z/openshot.profile9
-rw-r--r--etc/profile-m-z/pkglog.profile59
-rw-r--r--etc/profile-m-z/playonlinux.profile5
-rw-r--r--etc/profile-m-z/plv.profile3
-rw-r--r--etc/profile-m-z/pycharm-professional.profile5
-rw-r--r--etc/profile-m-z/pzstd.profile5
-rw-r--r--etc/profile-m-z/qnapi.profile55
-rw-r--r--etc/profile-m-z/remmina.profile4
-rw-r--r--etc/profile-m-z/runenpass.sh.profile5
-rw-r--r--etc/profile-m-z/seahorse.profile5
-rw-r--r--etc/profile-m-z/seamonkey-bin.profile5
-rw-r--r--etc/profile-m-z/shotwell.profile60
-rw-r--r--etc/profile-m-z/signal-desktop.profile2
-rw-r--r--etc/profile-m-z/smplayer.profile3
-rw-r--r--etc/profile-m-z/soffice.profile5
-rw-r--r--etc/profile-m-z/spectacle.profile3
-rw-r--r--etc/profile-m-z/ssh-agent.profile5
-rw-r--r--etc/profile-m-z/ssh.profile8
-rw-r--r--etc/profile-m-z/steam-native.profile5
-rw-r--r--etc/profile-m-z/steam-runtime.profile5
-rw-r--r--etc/profile-m-z/steam.profile3
-rw-r--r--etc/profile-m-z/straw-viewer.profile5
-rw-r--r--etc/profile-m-z/studio.sh.profile5
-rw-r--r--etc/profile-m-z/sylpheed.profile9
-rw-r--r--etc/profile-m-z/tar.profile12
-rw-r--r--etc/profile-m-z/telegram-desktop.profile5
-rw-r--r--etc/profile-m-z/telegram.profile18
-rw-r--r--etc/profile-m-z/thunar.profile5
-rw-r--r--etc/profile-m-z/thunderbird-beta.profile5
-rw-r--r--etc/profile-m-z/tor-browser-ar.profile5
-rw-r--r--etc/profile-m-z/tor-browser-ca.profile5
-rw-r--r--etc/profile-m-z/tor-browser-cs.profile5
-rw-r--r--etc/profile-m-z/tor-browser-da.profile5
-rw-r--r--etc/profile-m-z/tor-browser-de.profile5
-rw-r--r--etc/profile-m-z/tor-browser-el.profile5
-rw-r--r--etc/profile-m-z/tor-browser-en-us.profile5
-rw-r--r--etc/profile-m-z/tor-browser-en.profile5
-rw-r--r--etc/profile-m-z/tor-browser-es-es.profile5
-rw-r--r--etc/profile-m-z/tor-browser-es.profile5
-rw-r--r--etc/profile-m-z/tor-browser-fa.profile5
-rw-r--r--etc/profile-m-z/tor-browser-fr.profile5
-rw-r--r--etc/profile-m-z/tor-browser-ga-ie.profile5
-rw-r--r--etc/profile-m-z/tor-browser-he.profile5
-rw-r--r--etc/profile-m-z/tor-browser-hu.profile5
-rw-r--r--etc/profile-m-z/tor-browser-id.profile5
-rw-r--r--etc/profile-m-z/tor-browser-is.profile5
-rw-r--r--etc/profile-m-z/tor-browser-it.profile5
-rw-r--r--etc/profile-m-z/tor-browser-ja.profile5
-rw-r--r--etc/profile-m-z/tor-browser-ka.profile5
-rw-r--r--etc/profile-m-z/tor-browser-ko.profile5
-rw-r--r--etc/profile-m-z/tor-browser-nb.profile5
-rw-r--r--etc/profile-m-z/tor-browser-nl.profile5
-rw-r--r--etc/profile-m-z/tor-browser-pl.profile5
-rw-r--r--etc/profile-m-z/tor-browser-pt-br.profile5
-rw-r--r--etc/profile-m-z/tor-browser-ru.profile5
-rw-r--r--etc/profile-m-z/tor-browser-sv-se.profile5
-rw-r--r--etc/profile-m-z/tor-browser-tr.profile5
-rw-r--r--etc/profile-m-z/tor-browser-vi.profile5
-rw-r--r--etc/profile-m-z/tor-browser-zh-cn.profile5
-rw-r--r--etc/profile-m-z/tor-browser-zh-tw.profile5
-rw-r--r--etc/profile-m-z/tor-browser.profile5
-rw-r--r--etc/profile-m-z/tor-browser_ar.profile5
-rw-r--r--etc/profile-m-z/tor-browser_ca.profile5
-rw-r--r--etc/profile-m-z/tor-browser_cs.profile5
-rw-r--r--etc/profile-m-z/tor-browser_da.profile5
-rw-r--r--etc/profile-m-z/tor-browser_de.profile5
-rw-r--r--etc/profile-m-z/tor-browser_el.profile5
-rw-r--r--etc/profile-m-z/tor-browser_en-US.profile5
-rw-r--r--etc/profile-m-z/tor-browser_en.profile5
-rw-r--r--etc/profile-m-z/tor-browser_es-ES.profile5
-rw-r--r--etc/profile-m-z/tor-browser_es.profile5
-rw-r--r--etc/profile-m-z/tor-browser_fa.profile5
-rw-r--r--etc/profile-m-z/tor-browser_fr.profile5
-rw-r--r--etc/profile-m-z/tor-browser_ga-IE.profile5
-rw-r--r--etc/profile-m-z/tor-browser_he.profile5
-rw-r--r--etc/profile-m-z/tor-browser_hu.profile5
-rw-r--r--etc/profile-m-z/tor-browser_id.profile5
-rw-r--r--etc/profile-m-z/tor-browser_is.profile5
-rw-r--r--etc/profile-m-z/tor-browser_it.profile5
-rw-r--r--etc/profile-m-z/tor-browser_ja.profile5
-rw-r--r--etc/profile-m-z/tor-browser_ka.profile5
-rw-r--r--etc/profile-m-z/tor-browser_ko.profile5
-rw-r--r--etc/profile-m-z/tor-browser_nb.profile5
-rw-r--r--etc/profile-m-z/tor-browser_nl.profile5
-rw-r--r--etc/profile-m-z/tor-browser_pl.profile5
-rw-r--r--etc/profile-m-z/tor-browser_pt-BR.profile5
-rw-r--r--etc/profile-m-z/tor-browser_ru.profile5
-rw-r--r--etc/profile-m-z/tor-browser_sv-SE.profile5
-rw-r--r--etc/profile-m-z/tor-browser_tr.profile5
-rw-r--r--etc/profile-m-z/tor-browser_vi.profile5
-rw-r--r--etc/profile-m-z/tor-browser_zh-CN.profile5
-rw-r--r--etc/profile-m-z/tor-browser_zh-TW.profile5
-rw-r--r--etc/profile-m-z/totem.profile3
-rw-r--r--etc/profile-m-z/trojita.profile3
-rw-r--r--etc/profile-m-z/tshark.profile5
-rw-r--r--etc/profile-m-z/tutanota-desktop.profile31
-rw-r--r--etc/profile-m-z/unar.profile13
-rw-r--r--etc/profile-m-z/unlzma.profile5
-rw-r--r--etc/profile-m-z/unrar.profile5
-rw-r--r--etc/profile-m-z/unxz.profile5
-rw-r--r--etc/profile-m-z/unzip.profile5
-rw-r--r--etc/profile-m-z/unzstd.profile5
-rw-r--r--etc/profile-m-z/vmware-view.profile58
-rw-r--r--etc/profile-m-z/vmware.profile5
-rw-r--r--etc/profile-m-z/vscodium.profile5
-rw-r--r--etc/profile-m-z/vulturesclaw.profile5
-rw-r--r--etc/profile-m-z/vultureseye.profile5
-rw-r--r--etc/profile-m-z/warzone2100.profile4
-rw-r--r--etc/profile-m-z/webstorm.profile4
-rw-r--r--etc/profile-m-z/weechat-curses.profile5
-rw-r--r--etc/profile-m-z/wireshark-gtk.profile5
-rw-r--r--etc/profile-m-z/wireshark-qt.profile5
-rw-r--r--etc/profile-m-z/x2goclient.profile4
-rw-r--r--etc/profile-m-z/xonotic-glx.profile5
-rw-r--r--etc/profile-m-z/xonotic-sdl.profile5
-rw-r--r--etc/profile-m-z/xz.profile5
-rw-r--r--etc/profile-m-z/xzcat.profile5
-rw-r--r--etc/profile-m-z/xzcmp.profile5
-rw-r--r--etc/profile-m-z/xzdec.profile1
-rw-r--r--etc/profile-m-z/xzdiff.profile5
-rw-r--r--etc/profile-m-z/xzegrep.profile5
-rw-r--r--etc/profile-m-z/xzfgrep.profile5
-rw-r--r--etc/profile-m-z/xzgrep.profile5
-rw-r--r--etc/profile-m-z/xzless.profile5
-rw-r--r--etc/profile-m-z/xzmore.profile5
-rw-r--r--etc/profile-m-z/yarn.profile29
-rw-r--r--etc/profile-m-z/youtube-viewer.profile3
-rw-r--r--etc/profile-m-z/zstd.profile1
-rw-r--r--etc/profile-m-z/zstdcat.profile5
-rw-r--r--etc/profile-m-z/zstdgrep.profile5
-rw-r--r--etc/profile-m-z/zstdless.profile5
-rw-r--r--etc/profile-m-z/zstdmt.profile5
-rw-r--r--etc/templates/profile.template4
-rw-r--r--etc/templates/syscalls.txt4
-rwxr-xr-xmkasc.sh2
-rwxr-xr-xmkdeb.sh.in2
-rw-r--r--src/fbuilder/build_fs.c4
-rw-r--r--src/fbuilder/build_home.c2
-rw-r--r--src/fbuilder/build_profile.c26
-rw-r--r--src/fcopy/Makefile.in4
-rw-r--r--src/fcopy/main.c33
-rw-r--r--src/firecfg/firecfg.config10
-rw-r--r--src/firejail/appimage.c18
-rw-r--r--src/firejail/checkcfg.c6
-rw-r--r--src/firejail/chroot.c16
-rw-r--r--src/firejail/dbus.c30
-rw-r--r--src/firejail/env.c158
-rw-r--r--src/firejail/firejail.h11
-rw-r--r--src/firejail/fs.c53
-rw-r--r--src/firejail/fs_lib.c88
-rw-r--r--src/firejail/fs_lib2.c10
-rw-r--r--src/firejail/fs_whitelist.c2
-rw-r--r--src/firejail/join.c12
-rw-r--r--src/firejail/main.c58
-rw-r--r--src/firejail/no_sandbox.c2
-rw-r--r--src/firejail/output.c7
-rw-r--r--src/firejail/paths.c10
-rw-r--r--src/firejail/profile.c10
-rw-r--r--src/firejail/pulseaudio.c5
-rw-r--r--src/firejail/run_symlink.c52
-rw-r--r--src/firejail/sandbox.c7
-rw-r--r--src/firejail/sbox.c4
-rw-r--r--src/firejail/seccomp.c46
-rw-r--r--src/firejail/util.c45
-rw-r--r--src/firejail/x11.c61
-rw-r--r--src/firemon/Makefile.in2
-rw-r--r--src/fldd/Makefile.in4
-rw-r--r--src/fldd/main.c6
-rw-r--r--src/fnet/Makefile.in4
-rw-r--r--src/fnet/main.c8
-rw-r--r--src/fnetfilter/Makefile.in4
-rw-r--r--src/fnetfilter/main.c8
-rw-r--r--src/fsec-optimize/Makefile.in4
-rw-r--r--src/fsec-optimize/fsec_optimize.h1
-rw-r--r--src/fsec-optimize/main.c23
-rw-r--r--src/fsec-optimize/optimizer.c6
-rw-r--r--src/fsec-print/Makefile.in4
-rw-r--r--src/fsec-print/fsec_print.h1
-rw-r--r--src/fsec-print/main.c5
-rw-r--r--src/fseccomp/Makefile.in4
-rw-r--r--src/fseccomp/fseccomp.h1
-rw-r--r--src/fseccomp/main.c8
-rw-r--r--src/fseccomp/seccomp_secondary.c2
-rw-r--r--src/include/common.h7
-rw-r--r--src/include/seccomp.h10
-rw-r--r--src/include/syscall_armeabi.h1
-rw-r--r--src/include/syscall_i386.h1
-rw-r--r--src/include/syscall_x86_64.h1
-rw-r--r--src/lib/common.c34
-rw-r--r--src/lib/syscall.c4
-rw-r--r--src/man/firecfg.txt2
-rw-r--r--src/man/firejail-profile.txt7
-rw-r--r--src/man/firejail.txt12
-rw-r--r--src/profstats/main.c24
-rw-r--r--test/Makefile.in3
-rwxr-xr-xtest/compile/compile.sh50
-rwxr-xr-xtest/environment/environment.sh4
-rwxr-xr-xtest/utils/shutdown.exp2
-rwxr-xr-xtest/utils/utils.sh2
393 files changed, 3415 insertions, 734 deletions
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index 47e099cde..86baecf2f 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -25,15 +25,15 @@ Steps to reproduce the behavior:
25 25
26**Environment** 26**Environment**
27 - Linux distribution and version (ie output of `lsb_release -a`, `screenfetch` or `cat /etc/os-release`) 27 - Linux distribution and version (ie output of `lsb_release -a`, `screenfetch` or `cat /etc/os-release`)
28 - Firejail version (output of `firejail --version`) exclusive or used git commit (`git rev-parse HEAD`) 28 - Firejail version (output of `firejail --version`) exclusive or used git commit (`git rev-parse HEAD`)
29 29
30**Additional context** 30**Additional context**
31Other context about the problem like related errors to understand the problem. 31Other context about the problem like related errors to understand the problem.
32 32
33**Checklist** 33**Checklist**
34 - [ ] The upstream profile (and redirect profile if exists) have no changes fixing it. 34 - [ ] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc).
35 - [ ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) 35 - [ ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`)
36 - [ ] A short search for duplicates was performed. 36 - [ ] I have performed a short search for similar issues (to avoid opening a duplicate).
37 - [ ] If it is a AppImage, `--profile=PROFILENAME` is used to set the right profile. 37 - [ ] If it is a AppImage, `--profile=PROFILENAME` is used to set the right profile.
38 - [ ] Used `LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM` to get english error-messages. 38 - [ ] Used `LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM` to get english error-messages.
39 - [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers. 39 - [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers.
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index 1468ef898..40ba00db6 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -1,6 +1,6 @@
1name: Build-extra CI 1name: Build-extra CI
2 2
3on: 3on:
4 push: 4 push:
5 branches: [ master ] 5 branches: [ master ]
6 paths-ignore: 6 paths-ignore:
@@ -19,10 +19,9 @@ on:
19 - RELNOTES 19 - RELNOTES
20 - SECURITY.md 20 - SECURITY.md
21 - 'etc/**' 21 - 'etc/**'
22 22
23jobs: 23jobs:
24 build-clang: 24 build-clang:
25 if: ${{ ! contains(github.event.commits[0].message, '[skip ci]') }}
26 runs-on: ubuntu-20.04 25 runs-on: ubuntu-20.04
27 steps: 26 steps:
28 - uses: actions/checkout@v2 27 - uses: actions/checkout@v2
@@ -31,7 +30,6 @@ jobs:
31 - name: make 30 - name: make
32 run: make 31 run: make
33 scan-build: 32 scan-build:
34 if: ${{ ! contains(github.event.commits[0].message, '[skip ci]') }}
35 runs-on: ubuntu-20.04 33 runs-on: ubuntu-20.04
36 steps: 34 steps:
37 - uses: actions/checkout@v2 35 - uses: actions/checkout@v2
@@ -42,7 +40,6 @@ jobs:
42 - name: scan-build 40 - name: scan-build
43 run: NO_EXTRA_CFLAGS="yes" scan-build-10 --status-bugs make 41 run: NO_EXTRA_CFLAGS="yes" scan-build-10 --status-bugs make
44 cppcheck: 42 cppcheck:
45 if: ${{ ! contains(github.event.commits[0].message, '[skip ci]') }}
46 runs-on: ubuntu-20.04 43 runs-on: ubuntu-20.04
47 steps: 44 steps:
48 - uses: actions/checkout@v2 45 - uses: actions/checkout@v2
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 99b8a3be5..07ab1431e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -20,7 +20,6 @@ on:
20 20
21jobs: 21jobs:
22 build_and_test: 22 build_and_test:
23 if: ${{ ! contains(github.event.commits[0].message, '[skip ci]') }}
24 runs-on: ubuntu-20.04 23 runs-on: ubuntu-20.04
25 steps: 24 steps:
26 - uses: actions/checkout@v2 25 - uses: actions/checkout@v2
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 301c7fad2..d974d650e 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -11,7 +11,7 @@ on:
11 paths-ignore: 11 paths-ignore:
12 - CONTRIBUTING.md 12 - CONTRIBUTING.md
13 - README 13 - README
14 - README.md 14 - README.md
15 - RELNOTES 15 - RELNOTES
16 - SECURITY.md 16 - SECURITY.md
17 - 'etc/**' 17 - 'etc/**'
@@ -21,7 +21,7 @@ on:
21 paths-ignore: 21 paths-ignore:
22 - CONTRIBUTING.md 22 - CONTRIBUTING.md
23 - README 23 - README
24 - README.md 24 - README.md
25 - RELNOTES 25 - RELNOTES
26 - SECURITY.md 26 - SECURITY.md
27 - 'etc/**' 27 - 'etc/**'
@@ -61,7 +61,7 @@ jobs:
61 with: 61 with:
62 languages: ${{ matrix.language }} 62 languages: ${{ matrix.language }}
63 # If you wish to specify custom queries, you can do so here or in a config file. 63 # If you wish to specify custom queries, you can do so here or in a config file.
64 # By default, queries listed here will override any specified in a config file. 64 # By default, queries listed here will override any specified in a config file.
65 # Prefix the list here with "+" to use these queries and those in the config file. 65 # Prefix the list here with "+" to use these queries and those in the config file.
66 # queries: ./path/to/local/query, your-org/your-repo/queries@main 66 # queries: ./path/to/local/query, your-org/your-repo/queries@main
67 67
diff --git a/.github/workflows/sort.yml b/.github/workflows/sort.yml
index 55ac065b6..3e717f162 100644
--- a/.github/workflows/sort.yml
+++ b/.github/workflows/sort.yml
@@ -1,7 +1,7 @@
1name: sort.py 1name: sort.py
2 2
3on: 3on:
4 push: 4 push:
5 branches: [ master ] 5 branches: [ master ]
6 paths: 6 paths:
7 - 'etc/**' 7 - 'etc/**'
@@ -12,7 +12,6 @@ on:
12 12
13jobs: 13jobs:
14 profile-sort: 14 profile-sort:
15 if: ${{ ! contains(github.event.commits[0].message, '[skip ci]') }}
16 runs-on: ubuntu-20.04 15 runs-on: ubuntu-20.04
17 steps: 16 steps:
18 - uses: actions/checkout@v2 17 - uses: actions/checkout@v2
diff --git a/Makefile.in b/Makefile.in
index 8d4dbc430..593afdacf 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -95,6 +95,7 @@ distclean: clean
95 for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \ 95 for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \
96 $(MAKE) -C $$dir distclean; \ 96 $(MAKE) -C $$dir distclean; \
97 done 97 done
98 $(MAKE) -C test distclean
98 rm -fr Makefile autom4te.cache config.log config.status config.h src/common.mk mkdeb.sh 99 rm -fr Makefile autom4te.cache config.log config.status config.h src/common.mk mkdeb.sh
99 100
100realinstall: 101realinstall:
@@ -112,9 +113,9 @@ endif
112 install -m 0755 -d $(DESTDIR)$(libdir)/firejail 113 install -m 0755 -d $(DESTDIR)$(libdir)/firejail
113 install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config 114 install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config
114 install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS) 115 install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS)
115 # non-dumpable plugins 116 # plugins w/o read permission (non-dumpable)
116 install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE) 117 install -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE)
117 install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh 118 install -m 0711 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh
118ifeq ($(HAVE_CONTRIB_INSTALL),yes) 119ifeq ($(HAVE_CONTRIB_INSTALL),yes)
119 # contrib scripts 120 # contrib scripts
120 install -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/*.py contrib/*.sh 121 install -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/*.py contrib/*.sh
diff --git a/README b/README
index 6c86dcc5a..174b09380 100644
--- a/README
+++ b/README
@@ -12,6 +12,8 @@ Linux namespace support. It supports sandboxing specific users upon login.
12Download: https://sourceforge.net/projects/firejail/files/ 12Download: https://sourceforge.net/projects/firejail/files/
13Build and install: ./configure && make && sudo make install 13Build and install: ./configure && make && sudo make install
14Documentation and support: https://firejail.wordpress.com/ 14Documentation and support: https://firejail.wordpress.com/
15Video Channel: https://www.youtube.com/channel/UCi5u-syndQYyOeV4NZ04hNA
16Backup Video Channel: https://www.bitchute.com/profile/JSBsA1aoQVfW/
15Development: https://github.com/netblue30/firejail 17Development: https://github.com/netblue30/firejail
16License: GPL v2 18License: GPL v2
17 19
@@ -40,6 +42,7 @@ Committers
40- curiosityseeker (https://github.com/curiosityseeker) 42- curiosityseeker (https://github.com/curiosityseeker)
41- glitsj16 (https://github.com/glitsj16) 43- glitsj16 (https://github.com/glitsj16)
42- Fred-Barclay (https://github.com/Fred-Barclay) 44- Fred-Barclay (https://github.com/Fred-Barclay)
45- Kelvin M. Klann (https://github.com/kmk3)
43- Kristóf Marussy (https://github.com/kris7t) 46- Kristóf Marussy (https://github.com/kris7t)
44- Reiner Herrmann (https://github.com/reinerh - Debian/Ubuntu maintainer) 47- Reiner Herrmann (https://github.com/reinerh - Debian/Ubuntu maintainer)
45- rusty-snake (https://github.com/rusty-snake) 48- rusty-snake (https://github.com/rusty-snake)
@@ -69,7 +72,8 @@ Adrian L. Shaw (https://github.com/adrianlshaw)
69 - add profanity profile 72 - add profanity profile
70 - add barrirer profile 73 - add barrirer profile
71Aidan Gauland (https://github.com/aidalgol) 74Aidan Gauland (https://github.com/aidalgol)
72 - added electron and riot-web profiles 75 - added electron, riot-web and npm profiles
76 - whitelist Bohemia Interactive config dir for Steam
73Akhil Hans Maulloo (https://github.com/kouul) 77Akhil Hans Maulloo (https://github.com/kouul)
74 - xz profile 78 - xz profile
75Alexey Kuznetsov (kuznet@ms2.inr.ac.ru) 79Alexey Kuznetsov (kuznet@ms2.inr.ac.ru)
@@ -159,6 +163,11 @@ Bandie (https://github.com/Bandie)
159 - fixed riot-desktop 163 - fixed riot-desktop
160Barış Ekin Yıldırım (https://github.com/circuitshaker) 164Barış Ekin Yıldırım (https://github.com/circuitshaker)
161 - removing net none from code.profile 165 - removing net none from code.profile
166bbhtt (https://github.com/bbhtt)
167 - improvements to balsa,fractal,gajim,trojita profiles
168 - improvements to nheko, spectral, feh, links, lynx profiles
169 - added alacartem com.github.bleakgrey.tootle, photoflare profiles
170 - add profiles for MS Edge dev build for Linux and Librewolf
162Benjamin Kampmann (https://github.com/ligthyear) 171Benjamin Kampmann (https://github.com/ligthyear)
163 - Forward exit code from child process 172 - Forward exit code from child process
164bitfreak25 (https://github.com/bitfreak25) 173bitfreak25 (https://github.com/bitfreak25)
@@ -178,6 +187,8 @@ Brad Ackerman
178 - blacklist Bitwarden config in disable-passwdmgr.inc 187 - blacklist Bitwarden config in disable-passwdmgr.inc
179briaeros (https://github.com/briaeros) 188briaeros (https://github.com/briaeros)
180 - fix command test in jail_prober.py 189 - fix command test in jail_prober.py
190botherer (https://github.com/botherder)
191 - add CoyIM profile
181Bruno Nova (https://github.com/brunonova) 192Bruno Nova (https://github.com/brunonova)
182 - whitelist fix 193 - whitelist fix
183 - bash arguments fix 194 - bash arguments fix
@@ -301,6 +312,8 @@ Fabian Würfl (https://github.com/BafDyce)
301 - Liferea profile 312 - Liferea profile
302Felipe Barriga Richards (https://github.com/fbarriga) 313Felipe Barriga Richards (https://github.com/fbarriga)
303 - --private-etc fix 314 - --private-etc fix
315fenuks (https://github.com/fenuks)
316 - fix sound in games using FMOD
304Florian Begusch (https://github.com/florianbegusch) 317Florian Begusch (https://github.com/florianbegusch)
305 - (la)tex profiles 318 - (la)tex profiles
306 - fixed transmission-common.profile 319 - fixed transmission-common.profile
@@ -420,6 +433,8 @@ hawkey116477 (https://github.com/hawkeye116477)
420 - updated Waterfox profile 433 - updated Waterfox profile
421Helmut Grohne (https://github.com/helmutg) 434Helmut Grohne (https://github.com/helmutg)
422 - compiler support in the build system - Debian bug #869707 435 - compiler support in the build system - Debian bug #869707
436hhzek0014 (https://github.com/hhzek0014)
437 - updated bibletime.profile
423hlein (https://github.com/hlein) 438hlein (https://github.com/hlein)
424 - strip out \r's from jail prober 439 - strip out \r's from jail prober
425Holger Heinz (https://github.com/hheinz) 440Holger Heinz (https://github.com/hheinz)
@@ -518,7 +533,11 @@ KellerFuchs (https://github.com/KellerFuchs)
518 - fixed Cryptocat profile 533 - fixed Cryptocat profile
519 - make ~/.local read-only 534 - make ~/.local read-only
520Kelvin (https://github.com/kmk3) 535Kelvin (https://github.com/kmk3)
521 - disable ldns utilities 536 - disable ldns utilities, dnssec-*, khost, unbound-host
537 - sort DNS / RUNUSER paths
538 - improve bug_report.md
539 - fix keypassxc
540 - blacklist oksh shell in disable-shell.inc
522Kishore96in (https://github.com/Kishore96in) 541Kishore96in (https://github.com/Kishore96in)
523 - added falkon profile 542 - added falkon profile
524 - kxmlgui fixes 543 - kxmlgui fixes
@@ -610,6 +629,7 @@ Neo00001 (https://github.com/Neo00001)
610 - update virtualbox profile 629 - update virtualbox profile
611 - update telegram profile 630 - update telegram profile
612 - add spectacle profile 631 - add spectacle profile
632 - add kdiff3 profile
613Nick Fox (https://github.com/njfox) 633Nick Fox (https://github.com/njfox)
614 - add a profile alias for code-oss 634 - add a profile alias for code-oss
615 - add code-oss config directory 635 - add code-oss config directory
@@ -620,6 +640,8 @@ Niklas Haas (https://github.com/haasn)
620 - blacklisting for keybase.io's client 640 - blacklisting for keybase.io's client
621Niklas Goerke (https://github.com/Niklas974) 641Niklas Goerke (https://github.com/Niklas974)
622 - update QOwnNotes profile 642 - update QOwnNotes profile
643Nikos Chantziaras (https://github.com/realnc)
644 - fix audio support for Discord
623nyancat18 (https://github.com/nyancat18) 645nyancat18 (https://github.com/nyancat18)
624 - added ardour4, dooble, karbon, krita profiles 646 - added ardour4, dooble, karbon, krita profiles
625Ondra Nekola (https://github.com/satai) 647Ondra Nekola (https://github.com/satai)
@@ -711,6 +733,8 @@ RandomVoid (https://github.com/RandomVoid)
711 - fix building C# projects in Godot 733 - fix building C# projects in Godot
712Raphaël Droz (https://github.com/drzraf) 734Raphaël Droz (https://github.com/drzraf)
713 - zoom profile fixes 735 - zoom profile fixes
736realaltffour (https://github.com/realaltffour)
737 - add lynx support to newsboat profile
714Reiner Herrmann (https://github.com/reinerh) 738Reiner Herrmann (https://github.com/reinerh)
715 - a number of build patches 739 - a number of build patches
716 - man page fixes 740 - man page fixes
@@ -730,6 +754,8 @@ RD PROJEKT (https://github.com/RDProjekt)
730 - support AMD GPU by OpenCL in Blender 754 - support AMD GPU by OpenCL in Blender
731rogshdo (https://github.com/rogshdo) 755rogshdo (https://github.com/rogshdo)
732 - BitlBee profile 756 - BitlBee profile
757rootalc (https://github.com/rootalc)
758 - add nolocal6.net filter
733Ruan (https://github.com/ruany) 759Ruan (https://github.com/ruany)
734 - fixed hexchat profile 760 - fixed hexchat profile
735rusty-snake (https://github.com/rusty-snake) 761rusty-snake (https://github.com/rusty-snake)
diff --git a/README.md b/README.md
index 8d3b3c3bb..db088ddf6 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,7 @@
1# Firejail 1# Firejail
2[![Build Status](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines/) 2[![Build Status](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines/)
3[![CodeQL](https://github.com/netblue30/firejail/workflows/CodeQL/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodeQL)
4[![Build CI](https://github.com/netblue30/firejail/workflows/Build%20CI/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3A%22Build+CI%22)
3[![Packaging status](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions) 5[![Packaging status](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions)
4 6
5Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting 7Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting
@@ -22,19 +24,19 @@ implemented directly in Linux kernel and available on any Linux computer.
22<td> 24<td>
23<a href="http://www.youtube.com/watch?feature=player_embedded&v=7RMz7tePA98 25<a href="http://www.youtube.com/watch?feature=player_embedded&v=7RMz7tePA98
24" target="_blank"><img src="http://img.youtube.com/vi/7RMz7tePA98/0.jpg" 26" target="_blank"><img src="http://img.youtube.com/vi/7RMz7tePA98/0.jpg"
25alt="Firejail Intro video" width="240" height="180" border="10" /><br/>Firejail Intro</a> 27alt="Firejail Introduction" width="240" height="180" border="10" /><br/>Firejail Intro</a>
26</td> 28</td>
27 29
28<td> 30<td>
29<a href="http://www.youtube.com/watch?feature=player_embedded&v=J1ZsXrpAgBU 31<a href="http://www.youtube.com/watch?feature=player_embedded&v=J1ZsXrpAgBU
30" target="_blank"><img src="http://img.youtube.com/vi/J1ZsXrpAgBU/0.jpg" 32" target="_blank"><img src="http://img.youtube.com/vi/J1ZsXrpAgBU/0.jpg"
31alt="Firejail Intro video" width="240" height="180" border="10" /><br/>Firejail Demo</a> 33alt="Firejail Demo" width="240" height="180" border="10" /><br/>Firejail Demo</a>
32</td> 34</td>
33 35
34<td> 36<td>
35<a href="http://www.youtube.com/watch?feature=player_embedded&v=EyEz65RYfw4 37<a href="http://www.youtube.com/watch?feature=player_embedded&v=EyEz65RYfw4
36" target="_blank"><img src="http://img.youtube.com/vi/EyEz65RYfw4/0.jpg" 38" target="_blank"><img src="http://img.youtube.com/vi/EyEz65RYfw4/0.jpg"
37alt="Firejail Intro video" width="240" height="180" border="10" /><br/>Debian Install</a> 39alt="Debian Install" width="240" height="180" border="10" /><br/>Debian Install</a>
38</td> 40</td>
39 41
40 42
@@ -42,13 +44,19 @@ alt="Firejail Intro video" width="240" height="180" border="10" /><br/>Debian In
42<td> 44<td>
43<a href="http://www.youtube.com/watch?feature=player_embedded&v=Uy2ZTHc4s0w 45<a href="http://www.youtube.com/watch?feature=player_embedded&v=Uy2ZTHc4s0w
44" target="_blank"><img src="http://img.youtube.com/vi/Uy2ZTHc4s0w/0.jpg" 46" target="_blank"><img src="http://img.youtube.com/vi/Uy2ZTHc4s0w/0.jpg"
45alt="Firejail Intro video" width="240" height="180" border="10" /><br/>Arch Linux Install</a> 47alt="Arch Linux Install" width="240" height="180" border="10" /><br/>Arch Linux Install</a>
46 48
47</td> 49</td>
48<td> 50<td>
49<a href="http://www.youtube.com/watch?feature=player_embedded&v=xuMxRx0zSfQ 51<a href="http://www.youtube.com/watch?feature=player_embedded&v=xuMxRx0zSfQ
50" target="_blank"><img src="http://img.youtube.com/vi/xuMxRx0zSfQ/0.jpg" 52" target="_blank"><img src="http://img.youtube.com/vi/xuMxRx0zSfQ/0.jpg"
51alt="Firejail Intro video" width="240" height="180" border="10" /><br/>Disable Network Access</a> 53alt="Disable Network Access" width="240" height="180" border="10" /><br/>Disable Network Access</a>
54
55</td>
56<td>
57<a href="http://www.youtube.com/watch?feature=player_embedded&v=N-Mso2bSr3o
58" target="_blank"><img src="http://img.youtube.com/vi/N-Mso2bSr3o/0.jpg"
59alt="Firejail Security Deep Dive" width="240" height="180" border="10" /><br/>Firejail Security Deep Dive</a>
52 60
53</td> 61</td>
54</tr></table> 62</tr></table>
@@ -67,11 +75,43 @@ Wiki: https://github.com/netblue30/firejail/wiki
67 75
68GitLab-CI status: https://gitlab.com/Firejail/firejail_ci/pipelines/ 76GitLab-CI status: https://gitlab.com/Firejail/firejail_ci/pipelines/
69 77
78Video Channel: https://www.youtube.com/channel/UCi5u-syndQYyOeV4NZ04hNA
79
80Backup Video Channel: https://www.bitchute.com/profile/JSBsA1aoQVfW/
70 81
71## Security vulnerabilities 82## Security vulnerabilities
72 83
73We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@protonmail.com 84We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@protonmail.com
74 85
86`````
87Security Adivsory - Feb 8, 2021
88
89Summary: A vulnerability resulting in root privilege escalation was discovered in
90Firejail's OverlayFS code,
91
92Versions affected: Firejail software versions starting with 0.9.30.
93Long Term Support (LTS) Firejail branch is not affected by this bug.
94
95Workaround: Disable overlayfs feature at runtime.
96In a text editor open /etc/firejail/firejail.config file, and set "overlayfs" entry to "no".
97
98 $ grep overlayfs /etc/firejail/firejail.config
99 # Enable or disable overlayfs features, default enabled.
100 overlayfs no
101
102Fix: The bug is fixed in Firejail version 0.9.64.4
103
104GitHub commit: (file configure.ac)
105https://github.com/netblue30/firejail/commit/97d8a03cad19501f017587cc4e47d8418273834b
106
107Credit: Security researcher Roman Fiedler analyzed the code and discovered the vulnerability.
108Functional PoC exploit code was provided to Firejail development team.
109A description of the problem is here on Roman's blog:
110
111https://unparalleled.eu/publications/2021/advisory-unpar-2021-0.txt
112https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-local-root/
113`````
114
75## Installing 115## Installing
76 116
77Try installing Firejail from your system packages first. Firejail is included in Alpine, ALT Linux, Arch, Chakra, Debian, Deepin, Devuan, Fedora, Gentoo, Manjaro, Mint, NixOS, Parabola, Parrot, PCLinuxOS, ROSA, Solus, Slackware/SlackBuilds, Trisquel, Ubuntu, Void and possibly others. 117Try installing Firejail from your system packages first. Firejail is included in Alpine, ALT Linux, Arch, Chakra, Debian, Deepin, Devuan, Fedora, Gentoo, Manjaro, Mint, NixOS, Parabola, Parrot, PCLinuxOS, ROSA, Solus, Slackware/SlackBuilds, Trisquel, Ubuntu, Void and possibly others.
@@ -170,29 +210,31 @@ $ ./profstats *.profile
170Warning: multiple caps in transmission-daemon.profile 210Warning: multiple caps in transmission-daemon.profile
171 211
172Stats: 212Stats:
173 profiles 1031 213 profiles 1064
174 include local profile 1031 (include profile-name.local) 214 include local profile 1064 (include profile-name.local)
175 include globals 1031 (include globals.local) 215 include globals 1064 (include globals.local)
176 blacklist ~/.ssh 1007 (include disable-common.inc) 216 blacklist ~/.ssh 959 (include disable-common.inc)
177 seccomp 976 217 seccomp 975
178 capabilities 1030 218 capabilities 1063
179 noexec 901 (include disable-exec.inc) 219 noexec 944 (include disable-exec.inc)
180 memory-deny-write-execute 221 220 memory-deny-write-execute 229
181 apparmor 555 221 apparmor 605
182 private-bin 544 222 private-bin 564
183 private-dev 897 223 private-dev 932
184 private-etc 435 224 private-etc 462
185 private-tmp 785 225 private-tmp 823
186 whitelist home directory 474 226 whitelist home directory 502
187 whitelist var 699 (include whitelist-var-common.inc) 227 whitelist var 744 (include whitelist-var-common.inc)
188 whitelist run/user 336 (include whitelist-runuser-common.inc 228 whitelist run/user 461 (include whitelist-runuser-common.inc
189 or blacklist ${RUNUSER}) 229 or blacklist ${RUNUSER})
190 whitelist usr/share 359 (include whitelist-usr-share-common.inc 230 whitelist usr/share 451 (include whitelist-usr-share-common.inc
191 net none 333 231 net none 345
192 dbus-user none 523 232 dbus-user none 564
193 dbus-system none 632 233 dbus-user filter 85
234 dbus-system none 696
235 dbus-system filter 7
194``` 236```
195 237
196### New profiles: 238### New profiles:
197 239
198spectacle, chromium-browser-privacy, gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu, authenticator-rs, servo 240vmware-view, display-im6.q16
diff --git a/RELNOTES b/RELNOTES
index 5f5b451e1..f7eb80c89 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,13 +1,25 @@
1firejail (0.9.65) baseline; urgency=low 1firejail (0.9.65) baseline; urgency=low
2 * filtering environment variables
3 * new profiles: vmware-view, display-im6.q16
4 -- netblue30 <netblue30@yahoo.com> Tue, 9 Feb 2021 09:00:00 -0500
5
6firejail (0.9.64.4) baseline; urgency=low
7 * disabled overlayfs, pending multiple fixes (CVE-2021-26910)
8 -- netblue30 <netblue30@yahoo.com> Sun, 7 Feb 2021 09:00:00 -0500
9
10firejail (0.9.64.2) baseline; urgency=low
2 * allow --tmpfs inside $HOME for unprivileged users 11 * allow --tmpfs inside $HOME for unprivileged users
3 * --disable-usertmpfs compile time option 12 * --disable-usertmpfs compile time option
4 * allow AF_BLUETOOTH via --protocol=bluetooth 13 * allow AF_BLUETOOTH via --protocol=bluetooth
5 * Setup guide for new users: contrib/firejail-welcome.sh 14 * Setup guide for new users: contrib/firejail-welcome.sh
15 * implement netns in profiles
16 * added nolocal6.net IPv6 network filter
6 * new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer 17 * new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer
7 * new profiles: gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer 18 * new profiles: gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer
8 * new profiles: straw-viewer, lutris, dolphin-emu, authenticator-rs, servo 19 * new profiles: straw-viewer, lutris, dolphin-emu, authenticator-rs, servo
9 20 * new profiles: npm, marker, yarn, lsar, unar, agetpkg, mdr, shotwell, qnapi
10 -- netblue30 <netblue30@yahoo.com> Wed, 21 Oct 2020 09:00:00 -0500 21 * new profiles: guvcview, pkglog, kdiff3, CoyIM
22 -- netblue30 <netblue30@yahoo.com> Tue, 26 Jan 2021 09:00:00 -0500
11 23
12firejail (0.9.64) baseline; urgency=low 24firejail (0.9.64) baseline; urgency=low
13 * replaced --nowrap option with --wrap in firemon 25 * replaced --nowrap option with --wrap in firemon
diff --git a/SECURITY.md b/SECURITY.md
index 6df34685b..92204da0a 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -4,9 +4,10 @@
4 4
5| Version | Supported by us | EOL | Supported by distribution | 5| Version | Supported by us | EOL | Supported by distribution |
6| ------- | ------------------ | ---- | --------------------------- 6| ------- | ------------------ | ---- | ---------------------------
7| 0.9.62 | :heavy_check_mark: | | :white_check_mark: Debian 11 (testing/unstable), 10 **backports**; Ubuntu 20.04 7| 0.9.64 | :heavy_check_mark: | | :white_check_mark: Debian 10 **backports**, Debian 11 **backports**, Debian 12 (testing/unstable)
8| 0.9.60 | :x: | | :white_check_mark: Ubuntu 19.10 8| 0.9.62 | :x: | | :white_check_mark: Ubuntu 20.04 LTS, Ubuntu 20.10
9| 0.9.58 | :x: | | :white_check_mark: Debian 9 **backports**, 10 9| 0.9.60 | :x: | 29 Dec 2019 |
10| 0.9.58 | :x: | | :white_check_mark: Debian 9 **backports**, Debian 10
10| 0.9.56 | :x: | 27 Jan 2019 | 11| 0.9.56 | :x: | 27 Jan 2019 |
11| 0.9.54 | :x: | 18 Sep 2018 | 12| 0.9.54 | :x: | 18 Sep 2018 |
12| 0.9.52 | :x: | | :white_check_mark: Ubuntu 18.04 LTS 13| 0.9.52 | :x: | | :white_check_mark: Ubuntu 18.04 LTS
diff --git a/configure b/configure
index 2cd474b3c..fa2401070 100755
--- a/configure
+++ b/configure
@@ -711,7 +711,6 @@ enable_option_checking
711enable_analyzer 711enable_analyzer
712enable_apparmor 712enable_apparmor
713enable_dbusproxy 713enable_dbusproxy
714enable_overlayfs
715enable_usertmpfs 714enable_usertmpfs
716enable_man 715enable_man
717enable_firetunnel 716enable_firetunnel
@@ -1367,7 +1366,6 @@ Optional Features:
1367 --enable-analyzer enable GCC 10 static analyzer 1366 --enable-analyzer enable GCC 10 static analyzer
1368 --enable-apparmor enable apparmor 1367 --enable-apparmor enable apparmor
1369 --disable-dbusproxy disable dbus proxy 1368 --disable-dbusproxy disable dbus proxy
1370 --disable-overlayfs disable overlayfs
1371 --disable-usertmpfs disable tmpfs as regular user 1369 --disable-usertmpfs disable tmpfs as regular user
1372 --disable-man disable man pages 1370 --disable-man disable man pages
1373 --disable-firetunnel disable firetunnel 1371 --disable-firetunnel disable firetunnel
@@ -3530,20 +3528,18 @@ if test "x$enable_dbusproxy" != "xno"; then :
3530 3528
3531fi 3529fi
3532 3530
3531# overlayfs features temporarely disabled pending fixes
3533HAVE_OVERLAYFS="" 3532HAVE_OVERLAYFS=""
3534# Check whether --enable-overlayfs was given.
3535if test "${enable_overlayfs+set}" = set; then :
3536 enableval=$enable_overlayfs;
3537fi
3538
3539if test "x$enable_overlayfs" != "xno"; then :
3540
3541 HAVE_OVERLAYFS="-DHAVE_OVERLAYFS"
3542
3543 3533
3544fi 3534#
3545 3535#AC_ARG_ENABLE([overlayfs],
3546HAVE_USERTMPS="" 3536# AS_HELP_STRING([--disable-overlayfs], [disable overlayfs]))
3537#AS_IF([test "x$enable_overlayfs" != "xno"], [
3538# HAVE_OVERLAYFS="-DHAVE_OVERLAYFS"
3539# AC_SUBST(HAVE_OVERLAYFS)
3540#])
3541
3542HAVE_USERTMPFS=""
3547# Check whether --enable-usertmpfs was given. 3543# Check whether --enable-usertmpfs was given.
3548if test "${enable_usertmpfs+set}" = set; then : 3544if test "${enable_usertmpfs+set}" = set; then :
3549 enableval=$enable_usertmpfs; 3545 enableval=$enable_usertmpfs;
diff --git a/configure.ac b/configure.ac
index 5c2456a6a..aa2d0fb6b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -66,15 +66,18 @@ AS_IF([test "x$enable_dbusproxy" != "xno"], [
66 AC_SUBST(HAVE_DBUSPROXY) 66 AC_SUBST(HAVE_DBUSPROXY)
67]) 67])
68 68
69# overlayfs features temporarely disabled pending fixes
69HAVE_OVERLAYFS="" 70HAVE_OVERLAYFS=""
70AC_ARG_ENABLE([overlayfs], 71AC_SUBST(HAVE_OVERLAYFS)
71 AS_HELP_STRING([--disable-overlayfs], [disable overlayfs])) 72#
72AS_IF([test "x$enable_overlayfs" != "xno"], [ 73#AC_ARG_ENABLE([overlayfs],
73 HAVE_OVERLAYFS="-DHAVE_OVERLAYFS" 74# AS_HELP_STRING([--disable-overlayfs], [disable overlayfs]))
74 AC_SUBST(HAVE_OVERLAYFS) 75#AS_IF([test "x$enable_overlayfs" != "xno"], [
75]) 76# HAVE_OVERLAYFS="-DHAVE_OVERLAYFS"
76 77# AC_SUBST(HAVE_OVERLAYFS)
77HAVE_USERTMPS="" 78#])
79
80HAVE_USERTMPFS=""
78AC_ARG_ENABLE([usertmpfs], 81AC_ARG_ENABLE([usertmpfs],
79 AS_HELP_STRING([--disable-usertmpfs], [disable tmpfs as regular user])) 82 AS_HELP_STRING([--disable-usertmpfs], [disable tmpfs as regular user]))
80AS_IF([test "x$enable_usertmpfs" != "xno"], [ 83AS_IF([test "x$enable_usertmpfs" != "xno"], [
diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim
index 9563e62ef..65eb690ac 100644
--- a/contrib/vim/syntax/firejail.vim
+++ b/contrib/vim/syntax/firejail.vim
@@ -22,7 +22,7 @@ syn match fjProtocolList /,/ nextgroup=fjProtocol contained
22 22
23" Syscalls grabbed from: src/include/syscall.h 23" Syscalls grabbed from: src/include/syscall.h
24" Generate list with: rg -o '"([^"]+)' -r '$1' src/include/syscall.h | sort -u | tr $'\n' ' ' 24" Generate list with: rg -o '"([^"]+)' -r '$1' src/include/syscall.h | sort -u | tr $'\n' ' '
25syn keyword fjSyscall _llseek _newselect _sysctl accept accept4 access acct add_key adjtimex afs_syscall alarm arch_prctl bdflush bind bpf break brk capget capset chdir chmod chown chown32 chroot clock_adjtime clock_getres clock_gettime clock_nanosleep clock_settime clone close connect copy_file_range creat create_module delete_module dup dup2 dup3 epoll_create epoll_create1 epoll_ctl epoll_ctl_old epoll_pwait epoll_wait epoll_wait_old eventfd eventfd2 execve execveat exit exit_group faccessat fadvise64 fadvise64_64 fallocate fanotify_init fanotify_mark fchdir fchmod fchmodat fchown fchown32 fchownat fcntl fcntl64 fdatasync fgetxattr finit_module flistxattr flock fork fremovexattr fsetxattr fstat fstat64 fstatat64 fstatfs fstatfs64 fsync ftime ftruncate ftruncate64 futex futimesat get_kernel_syms get_mempolicy get_robust_list get_thread_area getcpu getcwd getdents getdents64 getegid getegid32 geteuid geteuid32 getgid getgid32 getgroups getgroups32 getitimer getpeername getpgid getpgrp getpid getpmsg getppid getpriority getrandom getresgid getresgid32 getresuid getresuid32 getrlimit getrusage getsid getsockname getsockopt gettid gettimeofday getuid getuid32 getxattr gtty idle init_module inotify_add_watch inotify_init inotify_init1 inotify_rm_watch io_cancel io_destroy io_getevents io_setup io_submit ioctl ioperm iopl ioprio_get ioprio_set ipc kcmp kexec_file_load kexec_load keyctl kill lchown lchown32 lgetxattr link linkat listen listxattr llistxattr lock lookup_dcookie lremovexattr lseek lsetxattr lstat lstat64 madvise mbind membarrier memfd_create migrate_pages mincore mkdir mkdirat mknod mknodat mlock mlock2 mlockall mmap mmap2 modify_ldt mount move_pages mprotect mpx mq_getsetattr mq_notify mq_open mq_timedreceive mq_timedsend mq_unlink mremap msgctl msgget msgrcv msgsnd msync munlock munlockall munmap name_to_handle_at nanosleep newfstatat nfsservctl nice oldfstat oldlstat oldolduname oldstat olduname open open_by_handle_at openat pause perf_event_open personality pipe pipe2 pivot_root pkey_alloc pkey_free pkey_mprotect poll ppoll prctl pread64 preadv preadv2 prlimit64 process_vm_readv process_vm_writev prof profil pselect6 ptrace putpmsg pwrite64 pwritev pwritev2 query_module quotactl read readahead readdir readlink readlinkat readv reboot recvfrom recvmmsg recvmsg remap_file_pages removexattr rename renameat renameat2 request_key restart_syscall rmdir rt_sigaction rt_sigpending rt_sigprocmask rt_sigqueueinfo rt_sigreturn rt_sigsuspend rt_sigtimedwait rt_tgsigqueueinfo sched_get_priority_max sched_get_priority_min sched_getaffinity sched_getattr sched_getparam sched_getscheduler sched_rr_get_interval sched_setaffinity sched_setattr sched_setparam sched_setscheduler sched_yield seccomp security select semctl semget semop semtimedop sendfile sendfile64 sendmmsg sendmsg sendto set_mempolicy set_robust_list set_thread_area set_tid_address setdomainname setfsgid setfsgid32 setfsuid setfsuid32 setgid setgid32 setgroups setgroups32 sethostname setitimer setns setpgid setpriority setregid setregid32 setresgid setresgid32 setresuid setresuid32 setreuid setreuid32 setrlimit setsid setsockopt settimeofday setuid setuid32 setxattr sgetmask shmat shmctl shmdt shmget shutdown sigaction sigaltstack signal signalfd signalfd4 sigpending sigprocmask sigreturn sigsuspend socket socketcall socketpair splice ssetmask stat stat64 statfs statfs64 statx stime stty swapoff swapon symlink symlinkat sync sync_file_range syncfs sysfs sysinfo syslog tee tgkill time timer_create timer_delete timer_getoverrun timer_gettime timer_settime timerfd_create timerfd_gettime timerfd_settime times tkill truncate truncate64 tuxcall ugetrlimit ulimit umask umount umount2 uname unlink unlinkat unshare uselib userfaultfd ustat utime utimensat utimes vfork vhangup vm86 vm86old vmsplice vserver wait4 waitid waitpid write writev nextgroup=fjSyscallErrno contained 25syn keyword fjSyscall _llseek _newselect _sysctl accept accept4 access acct add_key adjtimex afs_syscall alarm arch_prctl bdflush bind bpf break brk capget capset chdir chmod chown chown32 chroot clock_adjtime clock_getres clock_gettime clock_nanosleep clock_settime clone close connect copy_file_range creat create_module delete_module dup dup2 dup3 epoll_create epoll_create1 epoll_ctl epoll_ctl_old epoll_pwait epoll_wait epoll_wait_old eventfd eventfd2 execve execveat exit exit_group faccessat faccessat2 fadvise64 fadvise64_64 fallocate fanotify_init fanotify_mark fchdir fchmod fchmodat fchown fchown32 fchownat fcntl fcntl64 fdatasync fgetxattr finit_module flistxattr flock fork fremovexattr fsetxattr fstat fstat64 fstatat64 fstatfs fstatfs64 fsync ftime ftruncate ftruncate64 futex futimesat get_kernel_syms get_mempolicy get_robust_list get_thread_area getcpu getcwd getdents getdents64 getegid getegid32 geteuid geteuid32 getgid getgid32 getgroups getgroups32 getitimer getpeername getpgid getpgrp getpid getpmsg getppid getpriority getrandom getresgid getresgid32 getresuid getresuid32 getrlimit getrusage getsid getsockname getsockopt gettid gettimeofday getuid getuid32 getxattr gtty idle init_module inotify_add_watch inotify_init inotify_init1 inotify_rm_watch io_cancel io_destroy io_getevents io_setup io_submit ioctl ioperm iopl ioprio_get ioprio_set ipc kcmp kexec_file_load kexec_load keyctl kill lchown lchown32 lgetxattr link linkat listen listxattr llistxattr lock lookup_dcookie lremovexattr lseek lsetxattr lstat lstat64 madvise mbind membarrier memfd_create migrate_pages mincore mkdir mkdirat mknod mknodat mlock mlock2 mlockall mmap mmap2 modify_ldt mount move_pages mprotect mpx mq_getsetattr mq_notify mq_open mq_timedreceive mq_timedsend mq_unlink mremap msgctl msgget msgrcv msgsnd msync munlock munlockall munmap name_to_handle_at nanosleep newfstatat nfsservctl nice oldfstat oldlstat oldolduname oldstat olduname open open_by_handle_at openat pause perf_event_open personality pipe pipe2 pivot_root pkey_alloc pkey_free pkey_mprotect poll ppoll prctl pread64 preadv preadv2 prlimit64 process_vm_readv process_vm_writev prof profil pselect6 ptrace putpmsg pwrite64 pwritev pwritev2 query_module quotactl read readahead readdir readlink readlinkat readv reboot recvfrom recvmmsg recvmsg remap_file_pages removexattr rename renameat renameat2 request_key restart_syscall rmdir rt_sigaction rt_sigpending rt_sigprocmask rt_sigqueueinfo rt_sigreturn rt_sigsuspend rt_sigtimedwait rt_tgsigqueueinfo sched_get_priority_max sched_get_priority_min sched_getaffinity sched_getattr sched_getparam sched_getscheduler sched_rr_get_interval sched_setaffinity sched_setattr sched_setparam sched_setscheduler sched_yield seccomp security select semctl semget semop semtimedop sendfile sendfile64 sendmmsg sendmsg sendto set_mempolicy set_robust_list set_thread_area set_tid_address setdomainname setfsgid setfsgid32 setfsuid setfsuid32 setgid setgid32 setgroups setgroups32 sethostname setitimer setns setpgid setpriority setregid setregid32 setresgid setresgid32 setresuid setresuid32 setreuid setreuid32 setrlimit setsid setsockopt settimeofday setuid setuid32 setxattr sgetmask shmat shmctl shmdt shmget shutdown sigaction sigaltstack signal signalfd signalfd4 sigpending sigprocmask sigreturn sigsuspend socket socketcall socketpair splice ssetmask stat stat64 statfs statfs64 statx stime stty swapoff swapon symlink symlinkat sync sync_file_range syncfs sysfs sysinfo syslog tee tgkill time timer_create timer_delete timer_getoverrun timer_gettime timer_settime timerfd_create timerfd_gettime timerfd_settime times tkill truncate truncate64 tuxcall ugetrlimit ulimit umask umount umount2 uname unlink unlinkat unshare uselib userfaultfd ustat utime utimensat utimes vfork vhangup vm86 vm86old vmsplice vserver wait4 waitid waitpid write writev nextgroup=fjSyscallErrno contained
26" Syscall groups grabbed from: src/fseccomp/syscall.c 26" Syscall groups grabbed from: src/fseccomp/syscall.c
27" Generate list with: rg -o '"@([^",]+)' -r '$1' src/fseccomp/syscall.c | sort -u | tr $'\n' '|' 27" Generate list with: rg -o '"@([^",]+)' -r '$1' src/fseccomp/syscall.c | sort -u | tr $'\n' '|'
28syn match fjSyscall /\v\@(clock|cpu-emulation|debug|default|default-keep|default-nodebuggers|module|obsolete|privileged|raw-io|reboot|resources|swap)>/ nextgroup=fjSyscallErrno contained 28syn match fjSyscall /\v\@(clock|cpu-emulation|debug|default|default-keep|default-nodebuggers|module|obsolete|privileged|raw-io|reboot|resources|swap)>/ nextgroup=fjSyscallErrno contained
diff --git a/etc/inc/allow-bin-sh.inc b/etc/inc/allow-bin-sh.inc
new file mode 100644
index 000000000..d6c295414
--- /dev/null
+++ b/etc/inc/allow-bin-sh.inc
@@ -0,0 +1,7 @@
1# This file is overwritten during software install.
2# Persistent customizations should go in a .local file.
3include allow-bin-sh.local
4
5noblacklist ${PATH}/bash
6noblacklist ${PATH}/dash
7noblacklist ${PATH}/sh
diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc
index 7cd087b14..41643657d 100644
--- a/etc/inc/allow-common-devel.inc
+++ b/etc/inc/allow-common-devel.inc
@@ -11,6 +11,15 @@ noblacklist ${HOME}/.git-credentials
11noblacklist ${HOME}/.gradle 11noblacklist ${HOME}/.gradle
12noblacklist ${HOME}/.java 12noblacklist ${HOME}/.java
13 13
14# Node.js
15noblacklist ${HOME}/.node-gyp
16noblacklist ${HOME}/.npm
17noblacklist ${HOME}/.npmrc
18noblacklist ${HOME}/.yarn
19noblacklist ${HOME}/.yarn-config
20noblacklist ${HOME}/.yarncache
21noblacklist ${HOME}/.yarnrc
22
14# Python 23# Python
15noblacklist ${HOME}/.pylint.d 24noblacklist ${HOME}/.pylint.d
16noblacklist ${HOME}/.python-history 25noblacklist ${HOME}/.python-history
diff --git a/etc/inc/allow-gjs.inc b/etc/inc/allow-gjs.inc
index f4f9926cd..c1366e093 100644
--- a/etc/inc/allow-gjs.inc
+++ b/etc/inc/allow-gjs.inc
@@ -5,7 +5,8 @@ include allow-gjs.local
5noblacklist ${PATH}/gjs 5noblacklist ${PATH}/gjs
6noblacklist ${PATH}/gjs-console 6noblacklist ${PATH}/gjs-console
7noblacklist /usr/lib/gjs 7noblacklist /usr/lib/gjs
8noblacklist /usr/lib64/gjs
9noblacklist /usr/lib/libgjs* 8noblacklist /usr/lib/libgjs*
9noblacklist /usr/lib/libmozjs-*
10noblacklist /usr/lib64/gjs
10noblacklist /usr/lib64/libgjs* 11noblacklist /usr/lib64/libgjs*
11noblacklist /usr/lib64/libmozjs-* 12noblacklist /usr/lib64/libmozjs-*
diff --git a/etc/inc/allow-nodejs.inc b/etc/inc/allow-nodejs.inc
new file mode 100644
index 000000000..78a4bed80
--- /dev/null
+++ b/etc/inc/allow-nodejs.inc
@@ -0,0 +1,6 @@
1# This file is overwritten during software install.
2# Persistent customizations should go in a .local file.
3include allow-nodejs.local
4
5noblacklist ${PATH}/node
6noblacklist /usr/include/node
diff --git a/etc/inc/allow-ssh.inc b/etc/inc/allow-ssh.inc
new file mode 100644
index 000000000..67c78a483
--- /dev/null
+++ b/etc/inc/allow-ssh.inc
@@ -0,0 +1,8 @@
1# This file is overwritten during software install.
2# Persistent customizations should go in a .local file.
3include allow-ssh.local
4
5noblacklist ${HOME}/.ssh
6noblacklist /etc/ssh
7noblacklist /etc/ssh/ssh_config
8noblacklist /tmp/ssh-*
diff --git a/etc/inc/archiver-common.inc b/etc/inc/archiver-common.inc
index 9812e3ebb..74b0b6ef6 100644
--- a/etc/inc/archiver-common.inc
+++ b/etc/inc/archiver-common.inc
@@ -6,20 +6,24 @@ include archiver-common.local
6 6
7blacklist ${RUNUSER} 7blacklist ${RUNUSER}
8 8
9# WARNING: 9# WARNING: Users can (un)restrict file access for **all** archivers by
10# Users can (un)restrict file access for **all** archivers by commenting/uncommenting the needed 10# commenting/uncommenting the needed include file(s) here or by putting those
11# include file(s) here or by putting those into archiver-common.local. 11# into archiver-common.local.
12# Another option is to do this **per archiver** in the relevant <archiver>.local. 12#
13# Just beware that things tend to break when overtightening profiles. For example, because you only 13# Another option is to do this **per archiver** in the relevant
14# need to (un)compress files in ${DOWNLOADS}, other applications may need access to ${HOME}/.local/share. 14# <archiver>.local. Just beware that things tend to break when overtightening
15 15# profiles. For example, because you only need to (un)compress files in
16# Uncomment the next line (or put it into your archiver-common.local) if you don't need to compress files in disable-common.inc. 16# ${DOWNLOADS}, other applications may need access to ${HOME}/.local/share.
17
18# Uncomment the next line (or put it into your archiver-common.local) if you
19# don't need to compress files in disable-common.inc.
17#include disable-common.inc 20#include disable-common.inc
18include disable-devel.inc 21include disable-devel.inc
19include disable-exec.inc 22include disable-exec.inc
20include disable-interpreters.inc 23include disable-interpreters.inc
21include disable-passwdmgr.inc 24include disable-passwdmgr.inc
22# Uncomment the next line (or put it into your archiver-common.local) if you don't need to compress files in disable-programs.inc. 25# Uncomment the next line (or put it into your archiver-common.local) if you
26# don't need to compress files in disable-programs.inc.
23#include disable-programs.inc 27#include disable-programs.inc
24include disable-shell.inc 28include disable-shell.inc
25 29
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index d88506d90..d724e3b52 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -291,7 +291,15 @@ read-only ${HOME}/.zshrc
291read-only ${HOME}/.zshrc.local 291read-only ${HOME}/.zshrc.local
292 292
293# Remote access 293# Remote access
294read-only ${HOME}/.ssh/authorized_keys 294blacklist ${HOME}/.rhosts
295blacklist ${HOME}/.shosts
296blacklist ${HOME}/.ssh/authorized_keys
297blacklist ${HOME}/.ssh/authorized_keys2
298blacklist ${HOME}/.ssh/environment
299blacklist ${HOME}/.ssh/rc
300blacklist /etc/hosts.equiv
301read-only ${HOME}/.ssh/config
302read-only ${HOME}/.ssh/config.d
295 303
296# Initialization files that allow arbitrary command execution 304# Initialization files that allow arbitrary command execution
297read-only ${HOME}/.caffrc 305read-only ${HOME}/.caffrc
@@ -310,6 +318,7 @@ read-only ${HOME}/.msmtprc
310read-only ${HOME}/.mutt/muttrc 318read-only ${HOME}/.mutt/muttrc
311read-only ${HOME}/.muttrc 319read-only ${HOME}/.muttrc
312read-only ${HOME}/.nano 320read-only ${HOME}/.nano
321read-only ${HOME}/.npmrc
313read-only ${HOME}/.pythonrc.py 322read-only ${HOME}/.pythonrc.py
314read-only ${HOME}/.reportbugrc 323read-only ${HOME}/.reportbugrc
315read-only ${HOME}/.tmux.conf 324read-only ${HOME}/.tmux.conf
@@ -318,6 +327,7 @@ read-only ${HOME}/.viminfo
318read-only ${HOME}/.vimrc 327read-only ${HOME}/.vimrc
319read-only ${HOME}/.xmonad 328read-only ${HOME}/.xmonad
320read-only ${HOME}/.xscreensaver 329read-only ${HOME}/.xscreensaver
330read-only ${HOME}/.yarnrc
321read-only ${HOME}/_exrc 331read-only ${HOME}/_exrc
322read-only ${HOME}/_gvimrc 332read-only ${HOME}/_gvimrc
323read-only ${HOME}/_vimrc 333read-only ${HOME}/_vimrc
@@ -345,6 +355,9 @@ read-only ${HOME}/.local/share/mime
345# Write-protection for thumbnailer dir 355# Write-protection for thumbnailer dir
346read-only ${HOME}/.local/share/thumbnailers 356read-only ${HOME}/.local/share/thumbnailers
347 357
358# prevent access to ssh-agent
359blacklist /tmp/ssh-*
360
348# top secret 361# top secret
349blacklist ${HOME}/*.kdb 362blacklist ${HOME}/*.kdb
350blacklist ${HOME}/*.kdbx 363blacklist ${HOME}/*.kdbx
@@ -391,6 +404,7 @@ blacklist /etc/shadow
391blacklist /etc/shadow+ 404blacklist /etc/shadow+
392blacklist /etc/shadow- 405blacklist /etc/shadow-
393blacklist /etc/ssh 406blacklist /etc/ssh
407blacklist /etc/ssh/*
394blacklist /home/.ecryptfs 408blacklist /home/.ecryptfs
395blacklist /home/.fscrypt 409blacklist /home/.fscrypt
396blacklist /var/backup 410blacklist /var/backup
diff --git a/etc/inc/disable-interpreters.inc b/etc/inc/disable-interpreters.inc
index 4f6f71098..5d8a236fb 100644
--- a/etc/inc/disable-interpreters.inc
+++ b/etc/inc/disable-interpreters.inc
@@ -6,8 +6,8 @@ include disable-interpreters.local
6blacklist ${PATH}/gjs 6blacklist ${PATH}/gjs
7blacklist ${PATH}/gjs-console 7blacklist ${PATH}/gjs-console
8blacklist /usr/lib/gjs 8blacklist /usr/lib/gjs
9blacklist /usr/lib64/gjs
10blacklist /usr/lib/libgjs* 9blacklist /usr/lib/libgjs*
10blacklist /usr/lib64/gjs
11blacklist /usr/lib64/libgjs* 11blacklist /usr/lib64/libgjs*
12 12
13# Lua 13# Lua
@@ -20,6 +20,7 @@ blacklist /usr/lib64/lua
20blacklist /usr/share/lua* 20blacklist /usr/share/lua*
21 21
22# mozjs 22# mozjs
23blacklist /usr/lib/libmozjs-*
23blacklist /usr/lib64/libmozjs-* 24blacklist /usr/lib64/libmozjs-*
24 25
25# Node.js 26# Node.js
@@ -30,8 +31,8 @@ blacklist /usr/include/node
30blacklist ${HOME}/.nvm 31blacklist ${HOME}/.nvm
31 32
32# Perl 33# Perl
33blacklist ${PATH}/cpan*
34blacklist ${PATH}/core_perl 34blacklist ${PATH}/core_perl
35blacklist ${PATH}/cpan*
35blacklist ${PATH}/perl 36blacklist ${PATH}/perl
36blacklist ${PATH}/site_perl 37blacklist ${PATH}/site_perl
37blacklist ${PATH}/vendor_perl 38blacklist ${PATH}/vendor_perl
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 7ab11e620..05f82170d 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -50,6 +50,7 @@ blacklist ${HOME}/.asunder_album_title
50blacklist ${HOME}/.atom 50blacklist ${HOME}/.atom
51blacklist ${HOME}/.attic 51blacklist ${HOME}/.attic
52blacklist ${HOME}/.audacity-data 52blacklist ${HOME}/.audacity-data
53blacklist ${HOME}/.avidemux6
53blacklist ${HOME}/.balsa 54blacklist ${HOME}/.balsa
54blacklist ${HOME}/.bcast5 55blacklist ${HOME}/.bcast5
55blacklist ${HOME}/.bibletime 56blacklist ${HOME}/.bibletime
@@ -158,6 +159,7 @@ blacklist ${HOME}/.config/asunder
158blacklist ${HOME}/.config/atril 159blacklist ${HOME}/.config/atril
159blacklist ${HOME}/.config/audacious 160blacklist ${HOME}/.config/audacious
160blacklist ${HOME}/.config/autokey 161blacklist ${HOME}/.config/autokey
162blacklist ${HOME}/.config/avidemux3_qt5rc
161blacklist ${HOME}/.config/aweather 163blacklist ${HOME}/.config/aweather
162blacklist ${HOME}/.config/backintime 164blacklist ${HOME}/.config/backintime
163blacklist ${HOME}/.config/baloofilerc 165blacklist ${HOME}/.config/baloofilerc
@@ -191,6 +193,7 @@ blacklist ${HOME}/.config/cmus
191blacklist ${HOME}/.config/com.github.bleakgrey.tootle 193blacklist ${HOME}/.config/com.github.bleakgrey.tootle
192blacklist ${HOME}/.config/corebird 194blacklist ${HOME}/.config/corebird
193blacklist ${HOME}/.config/cower 195blacklist ${HOME}/.config/cower
196blacklist ${HOME}/.config/coyim
194blacklist ${HOME}/.config/darktable 197blacklist ${HOME}/.config/darktable
195blacklist ${HOME}/.config/deadbeef 198blacklist ${HOME}/.config/deadbeef
196blacklist ${HOME}/.config/deluge 199blacklist ${HOME}/.config/deluge
@@ -253,6 +256,7 @@ blacklist ${HOME}/.config/google-chrome-unstable
253blacklist ${HOME}/.config/gpicview 256blacklist ${HOME}/.config/gpicview
254blacklist ${HOME}/.config/gthumb 257blacklist ${HOME}/.config/gthumb
255blacklist ${HOME}/.config/gummi 258blacklist ${HOME}/.config/gummi
259blacklist ${HOME}/.config/guvcview2
256blacklist ${HOME}/.config/gwenviewrc 260blacklist ${HOME}/.config/gwenviewrc
257blacklist ${HOME}/.config/hexchat 261blacklist ${HOME}/.config/hexchat
258blacklist ${HOME}/.config/homebank 262blacklist ${HOME}/.config/homebank
@@ -274,6 +278,8 @@ blacklist ${HOME}/.config/katevirc
274blacklist ${HOME}/.config/kazam 278blacklist ${HOME}/.config/kazam
275blacklist ${HOME}/.config/kdeconnect 279blacklist ${HOME}/.config/kdeconnect
276blacklist ${HOME}/.config/kdenliverc 280blacklist ${HOME}/.config/kdenliverc
281blacklist ${HOME}/.config/kdiff3fileitemactionrc
282blacklist ${HOME}/.config/kdiff3rc
277blacklist ${HOME}/.config/kfindrc 283blacklist ${HOME}/.config/kfindrc
278blacklist ${HOME}/.config/kgetrc 284blacklist ${HOME}/.config/kgetrc
279blacklist ${HOME}/.config/kid3rc 285blacklist ${HOME}/.config/kid3rc
@@ -318,11 +324,13 @@ blacklist ${HOME}/.config/mpd
318blacklist ${HOME}/.config/mps-youtube 324blacklist ${HOME}/.config/mps-youtube
319blacklist ${HOME}/.config/mpv 325blacklist ${HOME}/.config/mpv
320blacklist ${HOME}/.config/mupen64plus 326blacklist ${HOME}/.config/mupen64plus
327blacklist ${HOME}/.config/mutt
321blacklist ${HOME}/.config/mutter 328blacklist ${HOME}/.config/mutter
322blacklist ${HOME}/.config/mypaint 329blacklist ${HOME}/.config/mypaint
323blacklist ${HOME}/.config/nano 330blacklist ${HOME}/.config/nano
324blacklist ${HOME}/.config/nautilus 331blacklist ${HOME}/.config/nautilus
325blacklist ${HOME}/.config/nemo 332blacklist ${HOME}/.config/nemo
333blacklist ${HOME}/.config/neomutt
326blacklist ${HOME}/.config/netsurf 334blacklist ${HOME}/.config/netsurf
327blacklist ${HOME}/.config/newsbeuter 335blacklist ${HOME}/.config/newsbeuter
328blacklist ${HOME}/.config/newsflash 336blacklist ${HOME}/.config/newsflash
@@ -340,6 +348,7 @@ blacklist ${HOME}/.config/opera
340blacklist ${HOME}/.config/opera-beta 348blacklist ${HOME}/.config/opera-beta
341blacklist ${HOME}/.config/orage 349blacklist ${HOME}/.config/orage
342blacklist ${HOME}/.config/org.gabmus.gfeeds.json 350blacklist ${HOME}/.config/org.gabmus.gfeeds.json
351blacklist ${HOME}/.config/org.gabmus.gfeeds.saved_articles
343blacklist ${HOME}/.config/org.kde.gwenviewrc 352blacklist ${HOME}/.config/org.kde.gwenviewrc
344blacklist ${HOME}/.config/otter 353blacklist ${HOME}/.config/otter
345blacklist ${HOME}/.config/pavucontrol-qt 354blacklist ${HOME}/.config/pavucontrol-qt
@@ -357,6 +366,7 @@ blacklist ${HOME}/.config/psi
357blacklist ${HOME}/.config/psi+ 366blacklist ${HOME}/.config/psi+
358blacklist ${HOME}/.config/qBittorrent 367blacklist ${HOME}/.config/qBittorrent
359blacklist ${HOME}/.config/qBittorrentrc 368blacklist ${HOME}/.config/qBittorrentrc
369blacklist ${HOME}/.config/qnapi.ini
360blacklist ${HOME}/.config/qpdfview 370blacklist ${HOME}/.config/qpdfview
361blacklist ${HOME}/.config/qupzilla 371blacklist ${HOME}/.config/qupzilla
362blacklist ${HOME}/.config/qutebrowser 372blacklist ${HOME}/.config/qutebrowser
@@ -395,6 +405,8 @@ blacklist ${HOME}/.config/tox
395blacklist ${HOME}/.config/transgui 405blacklist ${HOME}/.config/transgui
396blacklist ${HOME}/.config/transmission 406blacklist ${HOME}/.config/transmission
397blacklist ${HOME}/.config/truecraft 407blacklist ${HOME}/.config/truecraft
408blacklist ${HOME}/.config/tuta_integration
409blacklist ${HOME}/.config/tutanota-desktop
398blacklist ${HOME}/.config/tvbrowser 410blacklist ${HOME}/.config/tvbrowser
399blacklist ${HOME}/.config/uGet 411blacklist ${HOME}/.config/uGet
400blacklist ${HOME}/.config/ungoogled-chromium 412blacklist ${HOME}/.config/ungoogled-chromium
@@ -465,10 +477,7 @@ blacklist ${HOME}/.gimp*
465blacklist ${HOME}/.gist 477blacklist ${HOME}/.gist
466blacklist ${HOME}/.gitconfig 478blacklist ${HOME}/.gitconfig
467blacklist ${HOME}/.gnome/gnome-schedule 479blacklist ${HOME}/.gnome/gnome-schedule
468blacklist ${HOME}/.googleearth/Cache 480blacklist ${HOME}/.googleearth
469blacklist ${HOME}/.googleearth/Temp
470blacklist ${HOME}/.googleearth/myplaces.backup.kml
471blacklist ${HOME}/.googleearth/myplaces.kml
472blacklist ${HOME}/.gradle 481blacklist ${HOME}/.gradle
473blacklist ${HOME}/.gramps 482blacklist ${HOME}/.gramps
474blacklist ${HOME}/.guayadeque 483blacklist ${HOME}/.guayadeque
@@ -598,7 +607,9 @@ blacklist ${HOME}/.local/share/baloo
598blacklist ${HOME}/.local/share/barrier 607blacklist ${HOME}/.local/share/barrier
599blacklist ${HOME}/.local/share/bibletime 608blacklist ${HOME}/.local/share/bibletime
600blacklist ${HOME}/.local/share/bijiben 609blacklist ${HOME}/.local/share/bijiben
610blacklist ${HOME}/.local/share/bohemiainteractive
601blacklist ${HOME}/.local/share/caja-python 611blacklist ${HOME}/.local/share/caja-python
612blacklist ${HOME}/.local/share/calligragemini
602blacklist ${HOME}/.local/share/cantata 613blacklist ${HOME}/.local/share/cantata
603blacklist ${HOME}/.local/share/cdprojektred 614blacklist ${HOME}/.local/share/cdprojektred
604blacklist ${HOME}/.local/share/clipit 615blacklist ${HOME}/.local/share/clipit
@@ -707,6 +718,7 @@ blacklist ${HOME}/.local/share/remmina
707blacklist ${HOME}/.local/share/rhythmbox 718blacklist ${HOME}/.local/share/rhythmbox
708blacklist ${HOME}/.local/share/rtv 719blacklist ${HOME}/.local/share/rtv
709blacklist ${HOME}/.local/share/scribus 720blacklist ${HOME}/.local/share/scribus
721blacklist ${HOME}/.local/share/shotwell
710blacklist ${HOME}/.local/share/signal-cli 722blacklist ${HOME}/.local/share/signal-cli
711blacklist ${HOME}/.local/share/sink 723blacklist ${HOME}/.local/share/sink
712blacklist ${HOME}/.local/share/smuxi 724blacklist ${HOME}/.local/share/smuxi
@@ -758,6 +770,9 @@ blacklist ${HOME}/.neverball
758blacklist ${HOME}/.newsbeuter 770blacklist ${HOME}/.newsbeuter
759blacklist ${HOME}/.newsboat 771blacklist ${HOME}/.newsboat
760blacklist ${HOME}/.nicotine 772blacklist ${HOME}/.nicotine
773blacklist ${HOME}/.node-gyp
774blacklist ${HOME}/.npm
775blacklist ${HOME}/.npmrc
761blacklist ${HOME}/.nv 776blacklist ${HOME}/.nv
762blacklist ${HOME}/.nylas-mail 777blacklist ${HOME}/.nylas-mail
763blacklist ${HOME}/.openarena 778blacklist ${HOME}/.openarena
@@ -844,9 +859,12 @@ blacklist ${HOME}/.xmr-stak
844blacklist ${HOME}/.xonotic 859blacklist ${HOME}/.xonotic
845blacklist ${HOME}/.xournalpp 860blacklist ${HOME}/.xournalpp
846blacklist ${HOME}/.xpdfrc 861blacklist ${HOME}/.xpdfrc
862blacklist ${HOME}/.yarn
863blacklist ${HOME}/.yarn-config
864blacklist ${HOME}/.yarncache
865blacklist ${HOME}/.yarnrc
847blacklist ${HOME}/.zoom 866blacklist ${HOME}/.zoom
848blacklist /tmp/akonadi-* 867blacklist /tmp/akonadi-*
849blacklist /tmp/ssh-*
850blacklist /tmp/.wine-* 868blacklist /tmp/.wine-*
851blacklist /var/games/nethack 869blacklist /var/games/nethack
852blacklist /var/games/slashem 870blacklist /var/games/slashem
@@ -902,6 +920,7 @@ blacklist ${HOME}/.cache/evolution
902blacklist ${HOME}/.cache/falkon 920blacklist ${HOME}/.cache/falkon
903blacklist ${HOME}/.cache/feedreader 921blacklist ${HOME}/.cache/feedreader
904blacklist ${HOME}/.cache/flaska.net/trojita 922blacklist ${HOME}/.cache/flaska.net/trojita
923blacklist ${HOME}/.cache/folks
905blacklist ${HOME}/.cache/font-manager 924blacklist ${HOME}/.cache/font-manager
906blacklist ${HOME}/.cache/fossamail 925blacklist ${HOME}/.cache/fossamail
907blacklist ${HOME}/.cache/fractal 926blacklist ${HOME}/.cache/fractal
@@ -948,6 +967,7 @@ blacklist ${HOME}/.cache/librewolf
948blacklist ${HOME}/.cache/liferea 967blacklist ${HOME}/.cache/liferea
949blacklist ${HOME}/.cache/lutris 968blacklist ${HOME}/.cache/lutris
950blacklist ${HOME}/.cache/Mendeley Ltd. 969blacklist ${HOME}/.cache/Mendeley Ltd.
970blacklist ${HOME}/.cache/marker
951blacklist ${HOME}/.cache/matrix-mirage 971blacklist ${HOME}/.cache/matrix-mirage
952blacklist ${HOME}/.cache/microsoft-edge-dev 972blacklist ${HOME}/.cache/microsoft-edge-dev
953blacklist ${HOME}/.cache/midori 973blacklist ${HOME}/.cache/midori
@@ -983,6 +1003,7 @@ blacklist ${HOME}/.cache/qBittorrent
983blacklist ${HOME}/.cache/qupzilla 1003blacklist ${HOME}/.cache/qupzilla
984blacklist ${HOME}/.cache/qutebrowser 1004blacklist ${HOME}/.cache/qutebrowser
985blacklist ${HOME}/.cache/rhythmbox 1005blacklist ${HOME}/.cache/rhythmbox
1006blacklist ${HOME}/.cache/shotwell
986blacklist ${HOME}/.cache/simple-scan 1007blacklist ${HOME}/.cache/simple-scan
987blacklist ${HOME}/.cache/slimjet 1008blacklist ${HOME}/.cache/slimjet
988blacklist ${HOME}/.cache/smuxi 1009blacklist ${HOME}/.cache/smuxi
diff --git a/etc/inc/firefox-common-addons.inc b/etc/inc/firefox-common-addons.inc
index 03f09fece..ca7731442 100644
--- a/etc/inc/firefox-common-addons.inc
+++ b/etc/inc/firefox-common-addons.inc
@@ -58,11 +58,12 @@ whitelist ${HOME}/.wine-pipelight64
58whitelist ${HOME}/.zotero 58whitelist ${HOME}/.zotero
59whitelist ${HOME}/dwhelper 59whitelist ${HOME}/dwhelper
60 60
61# GNOME Shell integration (chrome-gnome-shell) needs dbus and python 3 (blacklisted by disable-interpreters.inc) 61# GNOME Shell integration (chrome-gnome-shell) needs dbus and python
62noblacklist ${HOME}/.local/share/gnome-shell 62noblacklist ${HOME}/.local/share/gnome-shell
63whitelist ${HOME}/.local/share/gnome-shell 63whitelist ${HOME}/.local/share/gnome-shell
64ignore dbus-user none 64ignore dbus-user none
65ignore dbus-system none 65ignore dbus-system none
66# Allow python (blacklisted by disable-interpreters.inc)
66include allow-python3.inc 67include allow-python3.inc
67 68
68# KeePassXC Browser Integration 69# KeePassXC Browser Integration
diff --git a/etc/inc/whitelist-usr-share-common.inc b/etc/inc/whitelist-usr-share-common.inc
index 45e988602..fe0097934 100644
--- a/etc/inc/whitelist-usr-share-common.inc
+++ b/etc/inc/whitelist-usr-share-common.inc
@@ -61,6 +61,7 @@ whitelist /usr/share/texlive
61whitelist /usr/share/texmf 61whitelist /usr/share/texmf
62whitelist /usr/share/themes 62whitelist /usr/share/themes
63whitelist /usr/share/thumbnail.so 63whitelist /usr/share/thumbnail.so
64whitelist /usr/share/uim
64whitelist /usr/share/vulkan 65whitelist /usr/share/vulkan
65whitelist /usr/share/X11 66whitelist /usr/share/X11
66whitelist /usr/share/xml 67whitelist /usr/share/xml
diff --git a/etc/net/nolocal6.net b/etc/net/nolocal6.net
new file mode 100644
index 000000000..5a6678d03
--- /dev/null
+++ b/etc/net/nolocal6.net
@@ -0,0 +1,41 @@
1*filter
2:INPUT DROP [0:0]
3:FORWARD DROP [0:0]
4:OUTPUT ACCEPT [0:0]
5
6###################################################################
7# Client filter rejecting local network traffic, with the exception of
8# DNS traffic
9#
10# Usage:
11# firejail --net=eth0 --netfilter6=/etc/firejail/nolocal6.net firefox
12#
13###################################################################
14
15#allow all loopback traffic
16-A INPUT -i lo -j ACCEPT
17
18# no incoming connections
19-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
20
21# allow ping etc.
22-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT
23-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type time-exceeded -j ACCEPT
24-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT
25# required for ipv6
26-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j ACCEPT
27-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -j ACCEPT
28-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -j ACCEPT
29-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -j ACCEPT
30
31# accept dns requests going out to a server on the local network
32-A OUTPUT -p udp --dport 53 -j ACCEPT
33
34# drop all local network traffic
35-A OUTPUT -d FC00::/7 -j DROP
36
37# drop multicast traffic
38# required for ipv6
39-A OUTPUT -d ff02::2 -j ACCEPT
40-A OUTPUT -d ff00::/8 -j DROP
41COMMIT
diff --git a/etc/profile-a-l/7z.profile b/etc/profile-a-l/7z.profile
index 76492c339..b2294c070 100644
--- a/etc/profile-a-l/7z.profile
+++ b/etc/profile-a-l/7z.profile
@@ -7,5 +7,8 @@ include 7z.local
7# Persistent global definitions 7# Persistent global definitions
8include globals.local 8include globals.local
9 9
10# Included in archiver-common.inc
10ignore include disable-shell.inc 11ignore include disable-shell.inc
12
13# Redirect
11include archiver-common.inc 14include archiver-common.inc
diff --git a/etc/profile-a-l/Builder.profile b/etc/profile-a-l/Builder.profile
index 54b437441..e97267bbc 100644
--- a/etc/profile-a-l/Builder.profile
+++ b/etc/profile-a-l/Builder.profile
@@ -1,5 +1,10 @@
1# Firejail profile for gnome-builder 1# Firejail profile for gnome-builder
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include Builder.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Temporary fix for https://github.com/netblue30/firejail/issues/2624 9# Temporary fix for https://github.com/netblue30/firejail/issues/2624
5# Redirect 10# Redirect
diff --git a/etc/profile-a-l/Cheese.profile b/etc/profile-a-l/Cheese.profile
index 5bb5064f0..32aeb4f69 100644
--- a/etc/profile-a-l/Cheese.profile
+++ b/etc/profile-a-l/Cheese.profile
@@ -1,5 +1,10 @@
1# Firejail profile for cheese 1# Firejail profile for cheese
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include Cheese.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Temporary fix for https://github.com/netblue30/firejail/issues/2624 9# Temporary fix for https://github.com/netblue30/firejail/issues/2624
5# Redirect 10# Redirect
diff --git a/etc/profile-a-l/Cyberfox.profile b/etc/profile-a-l/Cyberfox.profile
index 26a4348c9..5564207fc 100644
--- a/etc/profile-a-l/Cyberfox.profile
+++ b/etc/profile-a-l/Cyberfox.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for cyberfox 1# Firejail profile alias for cyberfox
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include Cyberfox.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include cyberfox.profile 10include cyberfox.profile
diff --git a/etc/profile-a-l/Documents.profile b/etc/profile-a-l/Documents.profile
index 171ab4357..780416d7f 100644
--- a/etc/profile-a-l/Documents.profile
+++ b/etc/profile-a-l/Documents.profile
@@ -1,5 +1,10 @@
1# Firejail profile for gnome-documents 1# Firejail profile for gnome-documents
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include Documents.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Temporary fix for https://github.com/netblue30/firejail/issues/2624 9# Temporary fix for https://github.com/netblue30/firejail/issues/2624
5# Redirect 10# Redirect
diff --git a/etc/profile-a-l/FossaMail.profile b/etc/profile-a-l/FossaMail.profile
index 9e1f61421..3a584ed4e 100644
--- a/etc/profile-a-l/FossaMail.profile
+++ b/etc/profile-a-l/FossaMail.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for fossamail 1# Firejail profile alias for fossamail
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include FossaMail.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include fossamail.profile 10include fossamail.profile
diff --git a/etc/profile-a-l/Gitter.profile b/etc/profile-a-l/Gitter.profile
index a8bcb6a54..96b91430c 100644
--- a/etc/profile-a-l/Gitter.profile
+++ b/etc/profile-a-l/Gitter.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for Gitter 1# Firejail profile alias for Gitter
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include Gitter.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include gitter.profile 10include gitter.profile
diff --git a/etc/profile-a-l/Logs.profile b/etc/profile-a-l/Logs.profile
index 431439f17..1a78b86c9 100644
--- a/etc/profile-a-l/Logs.profile
+++ b/etc/profile-a-l/Logs.profile
@@ -1,5 +1,10 @@
1# Firejail profile for gnome-logs 1# Firejail profile for gnome-logs
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include Logs.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Temporary fix for https://github.com/netblue30/firejail/issues/2624 9# Temporary fix for https://github.com/netblue30/firejail/issues/2624
5# Redirect 10# Redirect
diff --git a/etc/profile-a-l/agetpkg.profile b/etc/profile-a-l/agetpkg.profile
new file mode 100644
index 000000000..6d5dab41a
--- /dev/null
+++ b/etc/profile-a-l/agetpkg.profile
@@ -0,0 +1,60 @@
1# Firejail profile for agetpkg
2# Description: CLI tool to list/get/install packages from the Arch Linux Archive
3# This file is overwritten after every install/update
4quiet
5# Persistent local customizations
6include agetpkg.local
7# Persistent global definitions
8include globals.local
9
10blacklist /tmp/.X11-unix
11blacklist ${RUNUSER}/wayland-*
12
13# Allow python (blacklisted by disable-interpreters.inc)
14#include allow-python2.inc
15include allow-python3.inc
16
17include disable-common.inc
18include disable-devel.inc
19include disable-exec.inc
20include disable-interpreters.inc
21include disable-passwdmgr.inc
22include disable-programs.inc
23include disable-shell.inc
24include disable-xdg.inc
25
26whitelist ${DOWNLOADS}
27include whitelist-common.inc
28include whitelist-usr-share-common.inc
29include whitelist-var-common.inc
30
31caps.drop all
32hostname agetpkg
33ipc-namespace
34machine-id
35noautopulse
36netfilter
37no3d
38nodvd
39nogroups
40nonewprivs
41noroot
42nosound
43notv
44nou2f
45novideo
46protocol inet,inet6
47seccomp
48shell none
49tracelog
50
51private-bin agetpkg,python3
52private-cache
53private-dev
54private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl
55private-tmp
56
57dbus-user none
58dbus-system none
59
60memory-deny-write-execute
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile
index 98188d2a7..57b5e5d95 100644
--- a/etc/profile-a-l/alacarte.profile
+++ b/etc/profile-a-l/alacarte.profile
@@ -6,6 +6,7 @@ include alacarte.local
6# Persistent global definitions 6# Persistent global definitions
7include globals.local 7include globals.local
8 8
9# Allow python (blacklisted by disable-interpreters.inc)
9include allow-python2.inc 10include allow-python2.inc
10include allow-python3.inc 11include allow-python3.inc
11 12
diff --git a/etc/profile-a-l/android-studio.profile b/etc/profile-a-l/android-studio.profile
index 2e4e564dd..2cdd3a90c 100644
--- a/etc/profile-a-l/android-studio.profile
+++ b/etc/profile-a-l/android-studio.profile
@@ -10,12 +10,14 @@ noblacklist ${HOME}/.android
10noblacklist ${HOME}/.jack-server 10noblacklist ${HOME}/.jack-server
11noblacklist ${HOME}/.jack-settings 11noblacklist ${HOME}/.jack-settings
12noblacklist ${HOME}/.local/share/JetBrains 12noblacklist ${HOME}/.local/share/JetBrains
13noblacklist ${HOME}/.ssh
14noblacklist ${HOME}/.tooling 13noblacklist ${HOME}/.tooling
15 14
16# Allows files commonly used by IDEs 15# Allows files commonly used by IDEs
17include allow-common-devel.inc 16include allow-common-devel.inc
18 17
18# Allow ssh (blacklisted by disable-common.inc)
19include allow-ssh.inc
20
19include disable-common.inc 21include disable-common.inc
20include disable-passwdmgr.inc 22include disable-passwdmgr.inc
21include disable-programs.inc 23include disable-programs.inc
diff --git a/etc/profile-a-l/aosp.profile b/etc/profile-a-l/aosp.profile
index a5b1ba9f1..e7b09283e 100644
--- a/etc/profile-a-l/aosp.profile
+++ b/etc/profile-a-l/aosp.profile
@@ -11,12 +11,14 @@ noblacklist ${HOME}/.jack-server
11noblacklist ${HOME}/.jack-settings 11noblacklist ${HOME}/.jack-settings
12noblacklist ${HOME}/.repo_.gitconfig.json 12noblacklist ${HOME}/.repo_.gitconfig.json
13noblacklist ${HOME}/.repoconfig 13noblacklist ${HOME}/.repoconfig
14noblacklist ${HOME}/.ssh
15noblacklist ${HOME}/.tooling 14noblacklist ${HOME}/.tooling
16 15
17# Allows files commonly used by IDEs 16# Allows files commonly used by IDEs
18include allow-common-devel.inc 17include allow-common-devel.inc
19 18
19# Allow ssh (blacklisted by disable-common.inc)
20include allow-ssh.inc
21
20include disable-common.inc 22include disable-common.inc
21include disable-passwdmgr.inc 23include disable-passwdmgr.inc
22include disable-programs.inc 24include disable-programs.inc
diff --git a/etc/profile-a-l/apostrophe.profile b/etc/profile-a-l/apostrophe.profile
index 9c0b92598..4986ac63a 100644
--- a/etc/profile-a-l/apostrophe.profile
+++ b/etc/profile-a-l/apostrophe.profile
@@ -9,6 +9,9 @@ include globals.local
9noblacklist ${DOCUMENTS} 9noblacklist ${DOCUMENTS}
10noblacklist ${PICTURES} 10noblacklist ${PICTURES}
11 11
12# Allow lua (blacklisted by disable-interpreters.inc)
13include allow-lua.inc
14
12# Allow python (blacklisted by disable-interpreters.inc) 15# Allow python (blacklisted by disable-interpreters.inc)
13include allow-python3.inc 16include allow-python3.inc
14 17
diff --git a/etc/profile-a-l/ar.profile b/etc/profile-a-l/ar.profile
index c2b215807..f99934e66 100644
--- a/etc/profile-a-l/ar.profile
+++ b/etc/profile-a-l/ar.profile
@@ -7,4 +7,5 @@ include ar.local
7# Persistent global definitions 7# Persistent global definitions
8include globals.local 8include globals.local
9 9
10# Redirect
10include archiver-common.inc 11include archiver-common.inc
diff --git a/etc/profile-a-l/ardour4.profile b/etc/profile-a-l/ardour4.profile
index 4ad8dd456..5c62c94be 100644
--- a/etc/profile-a-l/ardour4.profile
+++ b/etc/profile-a-l/ardour4.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for ardour5 1# Firejail profile alias for ardour5
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include ardur4.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include ardour5.profile 10include ardour5.profile
diff --git a/etc/profile-a-l/atom.profile b/etc/profile-a-l/atom.profile
index f21a5febf..5f237ac59 100644
--- a/etc/profile-a-l/atom.profile
+++ b/etc/profile-a-l/atom.profile
@@ -25,7 +25,6 @@ noblacklist ${HOME}/.config/Atom
25include allow-common-devel.inc 25include allow-common-devel.inc
26 26
27# net none 27# net none
28netfilter
29nosound 28nosound
30 29
31# Redirect 30# Redirect
diff --git a/etc/profile-a-l/atool.profile b/etc/profile-a-l/atool.profile
index 34af47df2..6e0ecb012 100644
--- a/etc/profile-a-l/atool.profile
+++ b/etc/profile-a-l/atool.profile
@@ -9,10 +9,12 @@ include globals.local
9 9
10# Allow perl (blacklisted by disable-interpreters.inc) 10# Allow perl (blacklisted by disable-interpreters.inc)
11include allow-perl.inc 11include allow-perl.inc
12include archiver-common.inc
13 12
14noroot 13noroot
15 14
16# without login.defs atool complains and uses UID/GID 1000 by default 15# without login.defs atool complains and uses UID/GID 1000 by default
17private-etc alternatives,group,login.defs,passwd 16private-etc alternatives,group,login.defs,passwd
18private-tmp 17private-tmp
18
19# Redirect
20include archiver-common.inc
diff --git a/etc/profile-a-l/avidemux.profile b/etc/profile-a-l/avidemux.profile
new file mode 100644
index 000000000..b5d662d60
--- /dev/null
+++ b/etc/profile-a-l/avidemux.profile
@@ -0,0 +1,53 @@
1# Firejail profile for Avidemux
2# Description: Avidemux is a free video editor designed for simple cutting, filtering and encoding tasks.
3# Persistent local customizations
4include avidemux.local
5# Persistent global definitions
6include globals.local
7
8noblacklist ${HOME}/.avidemux6
9noblacklist ${HOME}/.config/avidemux3_qt5rc
10noblacklist ${VIDEOS}
11
12include disable-common.inc
13include disable-devel.inc
14include disable-exec.inc
15include disable-interpreters.inc
16include disable-passwdmgr.inc
17include disable-programs.inc
18include disable-shell.inc
19include disable-xdg.inc
20
21mkdir ${HOME}/.avidemux6
22mkdir ${HOME}/.config/avidemux3_qt5rc
23whitelist ${HOME}/.avidemux6
24whitelist ${HOME}/.config/avidemux3_qt5rc
25whitelist ${VIDEOS}
26include whitelist-common.inc
27include whitelist-runuser-common.inc
28include whitelist-usr-share-common.inc
29include whitelist-var-common.inc
30
31apparmor
32caps.drop all
33net none
34nodvd
35nogroups
36nonewprivs
37noroot
38notv
39nou2f
40novideo
41protocol unix
42seccomp
43seccomp.block-secondary
44shell none
45tracelog
46
47private-bin avidemux3_cli,avidemux3_jobs_qt5,avidemux3_qt5
48private-cache
49private-dev
50private-tmp
51
52dbus-user none
53dbus-system none
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile
index cda6b1aa0..573776a71 100644
--- a/etc/profile-a-l/balsa.profile
+++ b/etc/profile-a-l/balsa.profile
@@ -9,6 +9,7 @@ include globals.local
9noblacklist ${HOME}/.balsa 9noblacklist ${HOME}/.balsa
10noblacklist ${HOME}/.gnupg 10noblacklist ${HOME}/.gnupg
11noblacklist ${HOME}/.mozilla 11noblacklist ${HOME}/.mozilla
12noblacklist ${HOME}/.signature
12noblacklist ${HOME}/mail 13noblacklist ${HOME}/mail
13noblacklist /var/mail 14noblacklist /var/mail
14noblacklist /var/spool/mail 15noblacklist /var/spool/mail
@@ -24,10 +25,12 @@ include disable-xdg.inc
24 25
25mkdir ${HOME}/.balsa 26mkdir ${HOME}/.balsa
26mkdir ${HOME}/.gnupg 27mkdir ${HOME}/.gnupg
28mkfile ${HOME}/.signature
27mkdir ${HOME}/mail 29mkdir ${HOME}/mail
28whitelist ${HOME}/.balsa 30whitelist ${HOME}/.balsa
29whitelist ${HOME}/.gnupg 31whitelist ${HOME}/.gnupg
30whitelist ${HOME}/.mozilla/firefox/profiles.ini 32whitelist ${HOME}/.mozilla/firefox/profiles.ini
33whitelist ${HOME}/.signature
31whitelist ${HOME}/mail 34whitelist ${HOME}/mail
32whitelist ${RUNUSER}/gnupg 35whitelist ${RUNUSER}/gnupg
33whitelist /usr/share/balsa 36whitelist /usr/share/balsa
@@ -58,9 +61,9 @@ shell none
58tracelog 61tracelog
59 62
60# disable-mnt 63# disable-mnt
61# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg 64# Add "pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
62# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile. 65# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
63private-bin balsa,balsa-ab 66private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm
64private-cache 67private-cache
65private-dev 68private-dev
66private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg 69private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
@@ -71,8 +74,9 @@ writable-var
71dbus-user filter 74dbus-user filter
72dbus-user.own org.desktop.Balsa 75dbus-user.own org.desktop.Balsa
73dbus-user.talk ca.desrt.dconf 76dbus-user.talk ca.desrt.dconf
74dbus-user.talk org.freedesktop.secrets
75dbus-user.talk org.freedesktop.Notifications 77dbus-user.talk org.freedesktop.Notifications
78dbus-user.talk org.freedesktop.secrets
79dbus-user.talk org.gnome.keyring.SystemPrompter
76dbus-system none 80dbus-system none
77 81
78read-only ${HOME}/.mozilla/firefox/profiles.ini 82read-only ${HOME}/.mozilla/firefox/profiles.ini \ No newline at end of file
diff --git a/etc/profile-a-l/bibletime.profile b/etc/profile-a-l/bibletime.profile
index 99e2802eb..235b84be3 100644
--- a/etc/profile-a-l/bibletime.profile
+++ b/etc/profile-a-l/bibletime.profile
@@ -26,6 +26,7 @@ whitelist ${HOME}/.bibletime
26whitelist ${HOME}/.sword 26whitelist ${HOME}/.sword
27whitelist ${HOME}/.local/share/bibletime 27whitelist ${HOME}/.local/share/bibletime
28whitelist /usr/share/bibletime 28whitelist /usr/share/bibletime
29whitelist /usr/share/doc/bibletime
29whitelist /usr/share/sword 30whitelist /usr/share/sword
30include whitelist-common.inc 31include whitelist-common.inc
31include whitelist-usr-share-common.inc 32include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile
index dbde3e4de..b074cc0b0 100644
--- a/etc/profile-a-l/bijiben.profile
+++ b/etc/profile-a-l/bijiben.profile
@@ -57,3 +57,5 @@ dbus-user.own org.gnome.Notes
57dbus-user.talk ca.desrt.dconf 57dbus-user.talk ca.desrt.dconf
58dbus-user.talk org.freedesktop.Tracker1 58dbus-user.talk org.freedesktop.Tracker1
59dbus-system none 59dbus-system none
60
61env WEBKIT_FORCE_SANDBOX=0
diff --git a/etc/profile-a-l/blackbox.profile b/etc/profile-a-l/blackbox.profile
index 13e83493d..233f9a96f 100644
--- a/etc/profile-a-l/blackbox.profile
+++ b/etc/profile-a-l/blackbox.profile
@@ -6,7 +6,7 @@ include blackbox.local
6# Persistent global definitions 6# Persistent global definitions
7include globals.local 7include globals.local
8 8
9# all applications started in awesome will run in this profile 9# all applications started in blackbox will run in this profile
10noblacklist ${HOME}/.blackbox 10noblacklist ${HOME}/.blackbox
11include disable-common.inc 11include disable-common.inc
12 12
diff --git a/etc/profile-a-l/blender-2.8.profile b/etc/profile-a-l/blender-2.8.profile
index b7242c443..55d8fdcf2 100644
--- a/etc/profile-a-l/blender-2.8.profile
+++ b/etc/profile-a-l/blender-2.8.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for blender 1# Firejail profile alias for blender
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include blender-2.8.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include blender.profile 10include blender.profile
diff --git a/etc/profile-a-l/brave-browser-beta.profile b/etc/profile-a-l/brave-browser-beta.profile
index 528a6402d..bbe23056f 100644
--- a/etc/profile-a-l/brave-browser-beta.profile
+++ b/etc/profile-a-l/brave-browser-beta.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for brave (beta channel) 1# Firejail profile alias for brave (beta channel)
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include brave-browser-beta.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include brave.profile 10include brave.profile
diff --git a/etc/profile-a-l/brave-browser-dev.profile b/etc/profile-a-l/brave-browser-dev.profile
index 4601de119..b3fcc22ee 100644
--- a/etc/profile-a-l/brave-browser-dev.profile
+++ b/etc/profile-a-l/brave-browser-dev.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for brave (development channel) 1# Firejail profile alias for brave (development channel)
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include brave-browser-dev.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include brave.profile 10include brave.profile
diff --git a/etc/profile-a-l/brave-browser-nightly.profile b/etc/profile-a-l/brave-browser-nightly.profile
index 43d3cc724..796c90deb 100644
--- a/etc/profile-a-l/brave-browser-nightly.profile
+++ b/etc/profile-a-l/brave-browser-nightly.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for brave (nightly channel) 1# Firejail profile alias for brave (nightly channel)
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include brave-browser-nightly.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include brave.profile 10include brave.profile
diff --git a/etc/profile-a-l/brave-browser-stable.profile b/etc/profile-a-l/brave-browser-stable.profile
index 06d33dea4..fab7f5f14 100644
--- a/etc/profile-a-l/brave-browser-stable.profile
+++ b/etc/profile-a-l/brave-browser-stable.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for brave (release channel) 1# Firejail profile alias for brave (release channel)
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include brave-browser-stable.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include brave.profile 10include brave.profile
diff --git a/etc/profile-a-l/brave-browser.profile b/etc/profile-a-l/brave-browser.profile
index e223ecf87..fda337725 100644
--- a/etc/profile-a-l/brave-browser.profile
+++ b/etc/profile-a-l/brave-browser.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for brave 1# Firejail profile alias for brave
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include brave-browser.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include brave.profile 10include brave.profile
diff --git a/etc/profile-a-l/bsdcat.profile b/etc/profile-a-l/bsdcat.profile
index 5271ee5d6..ff7d83dad 100644
--- a/etc/profile-a-l/bsdcat.profile
+++ b/etc/profile-a-l/bsdcat.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for bsdtar 1# Firejail profile alias for bsdtar
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include bsdcat.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include bsdtar.profile 10include bsdtar.profile
diff --git a/etc/profile-a-l/bsdcpio.profile b/etc/profile-a-l/bsdcpio.profile
index 5271ee5d6..eb35ef79f 100644
--- a/etc/profile-a-l/bsdcpio.profile
+++ b/etc/profile-a-l/bsdcpio.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for bsdtar 1# Firejail profile alias for bsdtar
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include bsdcpio.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include bsdtar.profile 10include bsdtar.profile
diff --git a/etc/profile-a-l/bsdtar.profile b/etc/profile-a-l/bsdtar.profile
index c37f4071e..fb4f643c8 100644
--- a/etc/profile-a-l/bsdtar.profile
+++ b/etc/profile-a-l/bsdtar.profile
@@ -6,6 +6,7 @@ include bsdtar.local
6# Persistent global definitions 6# Persistent global definitions
7include globals.local 7include globals.local
8 8
9include archiver-common.inc
10
11private-etc alternatives,group,localtime,passwd 9private-etc alternatives,group,localtime,passwd
10
11# Redirect
12include archiver-common.inc
diff --git a/etc/profile-a-l/calligra.profile b/etc/profile-a-l/calligra.profile
index f4ce47018..a14433369 100644
--- a/etc/profile-a-l/calligra.profile
+++ b/etc/profile-a-l/calligra.profile
@@ -27,9 +27,10 @@ nou2f
27novideo 27novideo
28protocol unix 28protocol unix
29seccomp 29seccomp
30seccomp.block-secondary
30shell none 31shell none
31 32
32private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch,kbuildsycoca4,kdeinit4 33private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligragemini,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch,kbuildsycoca4,kdeinit4
33private-dev 34private-dev
34 35
35# dbus-user none 36# dbus-user none
diff --git a/etc/profile-a-l/calligraauthor.profile b/etc/profile-a-l/calligraauthor.profile
index 7804a3b97..ace6c05f8 100644
--- a/etc/profile-a-l/calligraauthor.profile
+++ b/etc/profile-a-l/calligraauthor.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for calligra 1# Firejail profile alias for calligra
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include calligraauthor.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include calligra.profile 10include calligra.profile
diff --git a/etc/profile-a-l/calligraconverter.profile b/etc/profile-a-l/calligraconverter.profile
index 7804a3b97..b2c23a57b 100644
--- a/etc/profile-a-l/calligraconverter.profile
+++ b/etc/profile-a-l/calligraconverter.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for calligra 1# Firejail profile alias for calligra
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include calligraconverter.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include calligra.profile 10include calligra.profile
diff --git a/etc/profile-a-l/calligraflow.profile b/etc/profile-a-l/calligraflow.profile
index 7804a3b97..ca654b3f3 100644
--- a/etc/profile-a-l/calligraflow.profile
+++ b/etc/profile-a-l/calligraflow.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for calligra 1# Firejail profile alias for calligra
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include calligraflow.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include calligra.profile 10include calligra.profile
diff --git a/etc/profile-a-l/calligragemini.profile b/etc/profile-a-l/calligragemini.profile
new file mode 100644
index 000000000..006c307ab
--- /dev/null
+++ b/etc/profile-a-l/calligragemini.profile
@@ -0,0 +1,12 @@
1# Firejail profile alias for calligra
2# This file is overwritten after every install/update
3# Persistent local customizations
4include calligragemini.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
8
9noblacklist ${HOME}/.local/share/calligragemini
10
11# Redirect
12include calligra.profile
diff --git a/etc/profile-a-l/calligraplan.profile b/etc/profile-a-l/calligraplan.profile
index 23dd61175..81dbd4dcd 100644
--- a/etc/profile-a-l/calligraplan.profile
+++ b/etc/profile-a-l/calligraplan.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for calligra 1# Firejail profile alias for calligra
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include calligraplan.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.local/share/kxmlgui5/calligraplan 9noblacklist ${HOME}/.local/share/kxmlgui5/calligraplan
5 10
diff --git a/etc/profile-a-l/calligraplanwork.profile b/etc/profile-a-l/calligraplanwork.profile
index 1c283a3cb..bba91b66b 100644
--- a/etc/profile-a-l/calligraplanwork.profile
+++ b/etc/profile-a-l/calligraplanwork.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for calligra 1# Firejail profile alias for calligra
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include calligraplanwork.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.local/share/kxmlgui5/calligraplanwork 9noblacklist ${HOME}/.local/share/kxmlgui5/calligraplanwork
5 10
diff --git a/etc/profile-a-l/calligrasheets.profile b/etc/profile-a-l/calligrasheets.profile
index 8ef75be71..7bc296047 100644
--- a/etc/profile-a-l/calligrasheets.profile
+++ b/etc/profile-a-l/calligrasheets.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for calligra 1# Firejail profile alias for calligra
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include calligrasheets.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.local/share/kxmlgui5/calligrasheets 9noblacklist ${HOME}/.local/share/kxmlgui5/calligrasheets
5 10
diff --git a/etc/profile-a-l/calligrastage.profile b/etc/profile-a-l/calligrastage.profile
index d5c960248..7694abbe4 100644
--- a/etc/profile-a-l/calligrastage.profile
+++ b/etc/profile-a-l/calligrastage.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for calligra 1# Firejail profile alias for calligra
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include calligrastage.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.local/share/kxmlgui5/calligrastage 9noblacklist ${HOME}/.local/share/kxmlgui5/calligrastage
5 10
diff --git a/etc/profile-a-l/calligrawords.profile b/etc/profile-a-l/calligrawords.profile
index 5985b4250..d69d56a95 100644
--- a/etc/profile-a-l/calligrawords.profile
+++ b/etc/profile-a-l/calligrawords.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for calligra 1# Firejail profile alias for calligra
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include calligrawords.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.local/share/kxmlgui5/calligrawords 9noblacklist ${HOME}/.local/share/kxmlgui5/calligrawords
5 10
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
index d379651c7..6a76dc129 100644
--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -10,13 +10,13 @@ noblacklist ${HOME}/.config/celluloid
10noblacklist ${HOME}/.config/gnome-mpv 10noblacklist ${HOME}/.config/gnome-mpv
11noblacklist ${HOME}/.config/youtube-dl 11noblacklist ${HOME}/.config/youtube-dl
12 12
13# Allow lua (blacklisted by disable-interpreters.inc)
14include allow-lua.inc
15
13# Allow python (blacklisted by disable-interpreters.inc) 16# Allow python (blacklisted by disable-interpreters.inc)
14include allow-python2.inc 17include allow-python2.inc
15include allow-python3.inc 18include allow-python3.inc
16 19
17# Allow lua (blacklisted by disable-interpreters.inc)
18include allow-lua.inc
19
20include disable-common.inc 20include disable-common.inc
21include disable-devel.inc 21include disable-devel.inc
22include disable-exec.inc 22include disable-exec.inc
diff --git a/etc/profile-a-l/cheese.profile b/etc/profile-a-l/cheese.profile
index 337117c4a..aca1f5876 100644
--- a/etc/profile-a-l/cheese.profile
+++ b/etc/profile-a-l/cheese.profile
@@ -19,7 +19,10 @@ include disable-xdg.inc
19 19
20whitelist ${VIDEOS} 20whitelist ${VIDEOS}
21whitelist ${PICTURES} 21whitelist ${PICTURES}
22whitelist /usr/share/gnome-video-effects
22include whitelist-common.inc 23include whitelist-common.inc
24include whitelist-runuser-common.inc
25include whitelist-usr-share-common.inc
23include whitelist-var-common.inc 26include whitelist-var-common.inc
24 27
25apparmor 28apparmor
@@ -43,5 +46,6 @@ private-cache
43private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0 46private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0
44private-tmp 47private-tmp
45 48
46dbus-user none 49dbus-user filter
50dbus-user.talk ca.desrt.dconf
47dbus-system none 51dbus-system none
diff --git a/etc/profile-a-l/chromium-browser.profile b/etc/profile-a-l/chromium-browser.profile
index f83052d9a..7ad806f5b 100644
--- a/etc/profile-a-l/chromium-browser.profile
+++ b/etc/profile-a-l/chromium-browser.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for chromium 1# Firejail profile alias for chromium
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include chromium-browser.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include chromium.profile 10include chromium.profile
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index ce9c652c6..1afb2c6e1 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -34,6 +34,10 @@ include whitelist-var-common.inc
34# if your kernel allows unprivileged userns clone. 34# if your kernel allows unprivileged userns clone.
35#include chromium-common-hardened.inc 35#include chromium-common-hardened.inc
36 36
37# Uncomment or put in your chromium-common.local to allow screen sharing under
38# wayland.
39#whitelist ${RUNUSER}/pipewire-0
40
37apparmor 41apparmor
38caps.keep sys_admin,sys_chroot 42caps.keep sys_admin,sys_chroot
39netfilter 43netfilter
diff --git a/etc/profile-a-l/chromium-freeworld.profile b/etc/profile-a-l/chromium-freeworld.profile
index a1de85afa..dadedfbcf 100644
--- a/etc/profile-a-l/chromium-freeworld.profile
+++ b/etc/profile-a-l/chromium-freeworld.profile
@@ -1,5 +1,10 @@
1# Firejail profile for chromium-freeworld 1# Firejail profile for chromium-freeworld
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include chromium-freeworld.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include chromium.profile 10include chromium.profile
diff --git a/etc/profile-a-l/cinelerra.profile b/etc/profile-a-l/cinelerra.profile
index 88a65037e..38297bbae 100644
--- a/etc/profile-a-l/cinelerra.profile
+++ b/etc/profile-a-l/cinelerra.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for cin 1# Firejail profile alias for cin
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include cinelerra.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include cin.profile 10include cin.profile
diff --git a/etc/profile-a-l/clamdscan.profile b/etc/profile-a-l/clamdscan.profile
index 4c6c56c5f..b25b46a27 100644
--- a/etc/profile-a-l/clamdscan.profile
+++ b/etc/profile-a-l/clamdscan.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for clamav 1# Firejail profile alias for clamav
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include clamdscan.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include clamav.profile 10include clamav.profile
diff --git a/etc/profile-a-l/clamdtop.profile b/etc/profile-a-l/clamdtop.profile
index 4c6c56c5f..8c8cb3880 100644
--- a/etc/profile-a-l/clamdtop.profile
+++ b/etc/profile-a-l/clamdtop.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for clamav 1# Firejail profile alias for clamav
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include clamdtop.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include clamav.profile 10include clamav.profile
diff --git a/etc/profile-a-l/clamscan.profile b/etc/profile-a-l/clamscan.profile
index 4c6c56c5f..0bc95e515 100644
--- a/etc/profile-a-l/clamscan.profile
+++ b/etc/profile-a-l/clamscan.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for clamav 1# Firejail profile alias for clamav
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include clamscan.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include clamav.profile 10include clamav.profile
diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile
index 69196c578..b4a8303a2 100644
--- a/etc/profile-a-l/claws-mail.profile
+++ b/etc/profile-a-l/claws-mail.profile
@@ -18,10 +18,13 @@ whitelist ${HOME}/.claws-mail
18 18
19whitelist /usr/share/doc/claws-mail 19whitelist /usr/share/doc/claws-mail
20 20
21# private-bin claws-mail,curl,gpg,gpg2,gpg-agent,gpgsm,gpgme-config,pinentry,pinentry-gtk-2
22
23dbus-user filter
24dbus-user.talk ca.desrt.dconf
25dbus-user.talk org.gnome.keyring.SystemPrompter
21# if you use the notification plugin you need to uncomment the below (or put them in your claws-mail.local) 26# if you use the notification plugin you need to uncomment the below (or put them in your claws-mail.local)
22#ignore dbus-user none 27# dbus-user.talk org.freedesktop.Notifications
23#dbus-user filter
24#dbus-user.talk org.freedesktop.Notifications
25 28
26# Redirect 29# Redirect
27include email-common.profile 30include email-common.profile
diff --git a/etc/profile-a-l/clion.profile b/etc/profile-a-l/clion.profile
index b27d93684..09246ccbc 100644
--- a/etc/profile-a-l/clion.profile
+++ b/etc/profile-a-l/clion.profile
@@ -11,9 +11,11 @@ noblacklist ${HOME}/.gitconfig
11noblacklist ${HOME}/.git-credentials 11noblacklist ${HOME}/.git-credentials
12noblacklist ${HOME}/.java 12noblacklist ${HOME}/.java
13noblacklist ${HOME}/.local/share/JetBrains 13noblacklist ${HOME}/.local/share/JetBrains
14noblacklist ${HOME}/.ssh
15noblacklist ${HOME}/.tooling 14noblacklist ${HOME}/.tooling
16 15
16# Allow ssh (blacklisted by disable-common.inc)
17include allow-ssh.inc
18
17include disable-common.inc 19include disable-common.inc
18include disable-passwdmgr.inc 20include disable-passwdmgr.inc
19include disable-programs.inc 21include disable-programs.inc
diff --git a/etc/profile-a-l/clocks.profile b/etc/profile-a-l/clocks.profile
index da50e7d49..3b3efb9f3 100644
--- a/etc/profile-a-l/clocks.profile
+++ b/etc/profile-a-l/clocks.profile
@@ -1,5 +1,10 @@
1# Firejail profile for gnome-clocks 1# Firejail profile for gnome-clocks
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include clocks.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Temporary fix for https://github.com/netblue30/firejail/issues/2624 9# Temporary fix for https://github.com/netblue30/firejail/issues/2624
5# Redirect 10# Redirect
diff --git a/etc/profile-a-l/com.gitlab.newsflash.profile b/etc/profile-a-l/com.gitlab.newsflash.profile
index 0628d3d01..1e37da602 100644
--- a/etc/profile-a-l/com.gitlab.newsflash.profile
+++ b/etc/profile-a-l/com.gitlab.newsflash.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for newsflash 1# Firejail profile alias for newsflash
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include com.gitlab.newsflash.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include newsflash.profile 10include newsflash.profile
diff --git a/etc/profile-a-l/coyim.profile b/etc/profile-a-l/coyim.profile
new file mode 100644
index 000000000..75813c494
--- /dev/null
+++ b/etc/profile-a-l/coyim.profile
@@ -0,0 +1,49 @@
1# Firejail profile for coyim
2# Description: GTK Jabber client written in Go
3# This file is overwritten after every install/update
4# Persistent local customizations
5include coyim.local
6# Persistent global definitions
7include globals.local
8
9noblacklist ${HOME}/.config/coyim
10
11include disable-common.inc
12include disable-devel.inc
13include disable-exec.inc
14include disable-interpreters.inc
15include disable-passwdmgr.inc
16include disable-programs.inc
17include disable-shell.inc
18include disable-xdg.inc
19
20mkdir ${HOME}/.config/coyim
21whitelist ${HOME}/.config/coyim
22include whitelist-common.inc
23include whitelist-usr-share-common.inc
24include whitelist-runuser-common.inc
25include whitelist-var-common.inc
26
27caps.drop all
28netfilter
29nodvd
30nogroups
31nonewprivs
32noroot
33notv
34nou2f
35protocol unix,inet,inet6
36seccomp
37shell none
38tracelog
39
40disable-mnt
41private-cache
42private-dev
43private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,ssl
44private-tmp
45
46dbus-user none
47dbus-system none
48
49#memory-deny-write-execute
diff --git a/etc/profile-a-l/cpio.profile b/etc/profile-a-l/cpio.profile
index 785308ffd..0e0299655 100644
--- a/etc/profile-a-l/cpio.profile
+++ b/etc/profile-a-l/cpio.profile
@@ -10,4 +10,5 @@ include globals.local
10noblacklist /sbin 10noblacklist /sbin
11noblacklist /usr/sbin 11noblacklist /usr/sbin
12 12
13# Redirect
13include archiver-common.inc 14include archiver-common.inc
diff --git a/etc/profile-a-l/crawl-tiles.profile b/etc/profile-a-l/crawl-tiles.profile
index 39151865e..2e24429fd 100644
--- a/etc/profile-a-l/crawl-tiles.profile
+++ b/etc/profile-a-l/crawl-tiles.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for crawl 1# Firejail profile alias for crawl
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include crawl-titles.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4ignore no3d 9ignore no3d
5 10
diff --git a/etc/profile-a-l/cryptocat.profile b/etc/profile-a-l/cryptocat.profile
index 69aa39de2..5362e7a6a 100644
--- a/etc/profile-a-l/cryptocat.profile
+++ b/etc/profile-a-l/cryptocat.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for Cryptocat 1# Firejail profile alias for Cryptocat
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include cryptocat.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include Cryptocat.profile 10include Cryptocat.profile
diff --git a/etc/profile-a-l/dia.profile b/etc/profile-a-l/dia.profile
index e409eb044..31031edeb 100644
--- a/etc/profile-a-l/dia.profile
+++ b/etc/profile-a-l/dia.profile
@@ -9,6 +9,7 @@ include globals.local
9noblacklist ${HOME}/.dia 9noblacklist ${HOME}/.dia
10noblacklist ${DOCUMENTS} 10noblacklist ${DOCUMENTS}
11 11
12# Allow python (blacklisted by disable-interpreters.inc)
12include allow-python2.inc 13include allow-python2.inc
13include allow-python3.inc 14include allow-python3.inc
14 15
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile
index e6edbd7eb..b583f1a1d 100644
--- a/etc/profile-a-l/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -23,7 +23,7 @@ whitelist ${HOME}/.config/BetterDiscord
23whitelist ${HOME}/.local/share/betterdiscordctl 23whitelist ${HOME}/.local/share/betterdiscordctl
24 24
25private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh 25private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
26private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl 26private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl
27 27
28# Redirect 28# Redirect
29include electron.profile 29include electron.profile
diff --git a/etc/profile-a-l/display-im6.q16.profile b/etc/profile-a-l/display-im6.q16.profile
new file mode 100644
index 000000000..b80afc3fa
--- /dev/null
+++ b/etc/profile-a-l/display-im6.q16.profile
@@ -0,0 +1,10 @@
1# Firejail profile for display-im6.q16
2# This file is overwritten after every install/update
3# Persistent local customizations
4include display-im6.q16.local
5# Persistent global definitions
6include globals.local
7
8
9# Redirect
10include display.profile
diff --git a/etc/profile-a-l/dooble-qt4.profile b/etc/profile-a-l/dooble-qt4.profile
index 70a21e11c..99cf0f7f8 100644
--- a/etc/profile-a-l/dooble-qt4.profile
+++ b/etc/profile-a-l/dooble-qt4.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for dooble 1# Firejail profile alias for dooble
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include dooble-qt4.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include dooble.profile 10include dooble.profile
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index df47f478d..6b55c2126 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -8,6 +8,7 @@ include email-common.local
8#include globals.local 8#include globals.local
9 9
10noblacklist ${HOME}/.gnupg 10noblacklist ${HOME}/.gnupg
11noblacklist ${HOME}/.mozilla
11noblacklist ${HOME}/.signature 12noblacklist ${HOME}/.signature
12# when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local 13# when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local
13# and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications 14# and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications
@@ -17,28 +18,34 @@ noblacklist ${DOCUMENTS}
17 18
18include disable-common.inc 19include disable-common.inc
19include disable-devel.inc 20include disable-devel.inc
21include disable-exec.inc
20include disable-interpreters.inc 22include disable-interpreters.inc
21include disable-passwdmgr.inc 23include disable-passwdmgr.inc
22include disable-programs.inc 24include disable-programs.inc
23include disable-xdg.inc 25include disable-xdg.inc
24 26
25whitelist ${DOCUMENTS}
26whitelist ${DOWNLOADS}
27mkfile ${HOME}/.config/mimeapps.list
28mkdir ${HOME}/.gnupg 27mkdir ${HOME}/.gnupg
28mkfile ${HOME}/.config/mimeapps.list
29mkfile ${HOME}/.signature 29mkfile ${HOME}/.signature
30whitelist ${HOME}/.config/mimeapps.list 30whitelist ${HOME}/.config/mimeapps.list
31whitelist ${HOME}/.mozilla/firefox/profiles.ini
31whitelist ${HOME}/.gnupg 32whitelist ${HOME}/.gnupg
32whitelist ${HOME}/.signature 33whitelist ${HOME}/.signature
34whitelist ${DOCUMENTS}
35whitelist ${DOWNLOADS}
33# when storing mail outside the default ${HOME}/Mail path, 'whitelist' the custom path in your email-common.local 36# when storing mail outside the default ${HOME}/Mail path, 'whitelist' the custom path in your email-common.local
34whitelist ${HOME}/Mail 37whitelist ${HOME}/Mail
38whitelist ${RUNUSER}/gnupg
35whitelist /usr/share/gnupg 39whitelist /usr/share/gnupg
36whitelist /usr/share/gnupg2 40whitelist /usr/share/gnupg2
37include whitelist-common.inc 41include whitelist-common.inc
42include whitelist-runuser-common.inc
38include whitelist-usr-share-common.inc 43include whitelist-usr-share-common.inc
39include whitelist-var-common.inc 44include whitelist-var-common.inc
40 45
46apparmor
41caps.drop all 47caps.drop all
48machine-id
42netfilter 49netfilter
43no3d 50no3d
44nodvd 51nodvd
@@ -51,22 +58,26 @@ nou2f
51novideo 58novideo
52protocol unix,inet,inet6 59protocol unix,inet,inet6
53seccomp 60seccomp
61seccomp.block-secondary
54shell none 62shell none
55tracelog 63tracelog
56 64
65# disable-mnt
57private-cache 66private-cache
58private-dev 67private-dev
68private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
59private-tmp 69private-tmp
60
61dbus-user none
62dbus-system none
63
64# encrypting and signing email 70# encrypting and signing email
65writable-run-user 71writable-run-user
66 72
73dbus-system none
74
67# If you want to read local mail stored in /var/mail, add the following to email-common.local: 75# If you want to read local mail stored in /var/mail, add the following to email-common.local:
68#noblacklist /var/mail 76#noblacklist /var/mail
69#noblacklist /var/spool/mail 77#noblacklist /var/spool/mail
70#whitelist /var/mail 78#whitelist /var/mail
71#whitelist /var/spool/mail 79#whitelist /var/spool/mail
72#writable-var 80#writable-var
81
82read-only ${HOME}/.mozilla/firefox/profiles.ini
83read-only ${HOME}/.signature
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index c0c16e929..25d5196fc 100644
--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -6,6 +6,10 @@ include evince.local
6# Persistent global definitions 6# Persistent global definitions
7include globals.local 7include globals.local
8 8
9# Uncomment this line and the bottom ones to use bookmarks
10# NOTE: This possibly exposes information, including file history from other programs.
11#noblacklist ${HOME}/.local/share/gvfs-metadata
12
9noblacklist ${HOME}/.config/evince 13noblacklist ${HOME}/.config/evince
10noblacklist ${DOCUMENTS} 14noblacklist ${DOCUMENTS}
11 15
@@ -54,5 +58,8 @@ private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf
54private-tmp 58private-tmp
55 59
56# might break two-page-view on some systems 60# might break two-page-view on some systems
57dbus-user none 61dbus-user filter
62# Also uncomment these two lines if you want to use bookmarks
63#dbus-user.talk org.gtk.vfs.Daemon
64#dbus-user.talk org.gtk.vfs.Metadata
58dbus-system none 65dbus-system none
diff --git a/etc/profile-a-l/evolution.profile b/etc/profile-a-l/evolution.profile
index 1355c4337..422200ffe 100644
--- a/etc/profile-a-l/evolution.profile
+++ b/etc/profile-a-l/evolution.profile
@@ -6,16 +6,15 @@ include evolution.local
6# Persistent global definitions 6# Persistent global definitions
7include globals.local 7include globals.local
8 8
9noblacklist /var/mail
10noblacklist /var/spool/mail
9noblacklist ${HOME}/.bogofilter 11noblacklist ${HOME}/.bogofilter
10noblacklist ${HOME}/.gnupg
11noblacklist ${HOME}/.mozilla
12noblacklist ${HOME}/.pki
13noblacklist ${HOME}/.cache/evolution 12noblacklist ${HOME}/.cache/evolution
14noblacklist ${HOME}/.config/evolution 13noblacklist ${HOME}/.config/evolution
14noblacklist ${HOME}/.gnupg
15noblacklist ${HOME}/.local/share/evolution 15noblacklist ${HOME}/.local/share/evolution
16noblacklist ${HOME}/.pki
16noblacklist ${HOME}/.local/share/pki 17noblacklist ${HOME}/.local/share/pki
17noblacklist /var/mail
18noblacklist /var/spool/mail
19 18
20include disable-common.inc 19include disable-common.inc
21include disable-devel.inc 20include disable-devel.inc
@@ -23,42 +22,13 @@ include disable-exec.inc
23include disable-interpreters.inc 22include disable-interpreters.inc
24include disable-passwdmgr.inc 23include disable-passwdmgr.inc
25include disable-programs.inc 24include disable-programs.inc
26include disable-shell.inc
27include disable-xdg.inc
28 25
29mkdir ${HOME}/.bogofilter
30mkdir ${HOME}/.gnupg
31mkdir ${HOME}/.pki
32mkdir ${HOME}/.cache/evolution
33mkdir ${HOME}/.config/evolution
34mkdir ${HOME}/.local/share/evolution
35mkdir ${HOME}/.local/share/pki
36whitelist ${HOME}/.bogofilter
37whitelist ${HOME}/.gnupg
38whitelist ${HOME}/.mozilla/firefox/profiles.ini
39whitelist ${HOME}/.pki
40whitelist ${HOME}/.cache/evolution
41whitelist ${HOME}/.config/evolution
42whitelist ${HOME}/.local/share/evolution
43whitelist ${HOME}/.local/share/pki
44whitelist ${DOCUMENTS}
45whitelist ${DOWNLOADS}
46whitelist ${RUNUSER}/gnupg
47whitelist /usr/share/evolution
48whitelist /usr/share/gnupg
49whitelist /usr/share/gnupg2
50whitelist /var/mail
51whitelist /var/spool/mail
52include whitelist-common.inc
53include whitelist-runuser-common.inc 26include whitelist-runuser-common.inc
54include whitelist-usr-share-common.inc
55include whitelist-var-common.inc
56 27
57apparmor
58caps.drop all 28caps.drop all
59netfilter 29netfilter
60# no3d breaks under wayland 30# no3d breaks under wayland
61# no3d 31#no3d
62nodvd 32nodvd
63nogroups 33nogroups
64nonewprivs 34nonewprivs
@@ -70,27 +40,7 @@ novideo
70protocol unix,inet,inet6 40protocol unix,inet,inet6
71seccomp 41seccomp
72shell none 42shell none
73tracelog
74 43
75# disable-mnt
76# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
77# To use private-bin add all evolution,gpg,pinentry binaries and follow firefox.profile for hyperlink support
78# private-bin evolution
79private-cache
80private-dev 44private-dev
81private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
82private-tmp 45private-tmp
83writable-run-user
84writable-var 46writable-var
85
86dbus-user filter
87dbus-user.own org.gnome.Evolution
88dbus-user.talk ca.desrt.dconf
89# Uncomment to have keyring access
90# dbus-user.talk org.freedesktop.secrets
91dbus-user.talk org.gnome.keyring.SystemPrompter
92dbus-user.talk org.gnome.OnlineAccounts
93dbus-user.talk org.freedesktop.Notifications
94dbus-system none
95
96read-only ${HOME}/.mozilla/firefox/profiles.ini
diff --git a/etc/profile-a-l/file-manager-common.profile b/etc/profile-a-l/file-manager-common.profile
index 24339953b..face34c40 100644
--- a/etc/profile-a-l/file-manager-common.profile
+++ b/etc/profile-a-l/file-manager-common.profile
@@ -15,7 +15,7 @@ ignore noexec ${HOME}
15# Allow lua (blacklisted by disable-interpreters.inc) 15# Allow lua (blacklisted by disable-interpreters.inc)
16include allow-lua.inc 16include allow-lua.inc
17 17
18# Allow perl 18# Allow perl (blacklisted by disable-interpreters.inc)
19include allow-perl.inc 19include allow-perl.inc
20 20
21# Allow python (blacklisted by disable-interpreters.inc) 21# Allow python (blacklisted by disable-interpreters.inc)
diff --git a/etc/profile-a-l/filezilla.profile b/etc/profile-a-l/filezilla.profile
index 43e877fd0..728929638 100644
--- a/etc/profile-a-l/filezilla.profile
+++ b/etc/profile-a-l/filezilla.profile
@@ -8,12 +8,14 @@ include globals.local
8 8
9noblacklist ${HOME}/.config/filezilla 9noblacklist ${HOME}/.config/filezilla
10noblacklist ${HOME}/.filezilla 10noblacklist ${HOME}/.filezilla
11noblacklist ${HOME}/.ssh
12 11
13# Allow python (blacklisted by disable-interpreters.inc) 12# Allow python (blacklisted by disable-interpreters.inc)
14include allow-python2.inc 13include allow-python2.inc
15include allow-python3.inc 14include allow-python3.inc
16 15
16# Allow ssh (blacklisted by disable-common.inc)
17include allow-ssh.inc
18
17include disable-common.inc 19include disable-common.inc
18include disable-devel.inc 20include disable-devel.inc
19include disable-interpreters.inc 21include disable-interpreters.inc
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 772aad7da..20bd9824c 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -41,6 +41,13 @@ dbus-user.own org.mpris.MediaPlayer2.firefox.*
41#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration 41#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
42#dbus-user.talk org.kde.JobViewServer 42#dbus-user.talk org.kde.JobViewServer
43#dbus-user.talk org.kde.kuiserver 43#dbus-user.talk org.kde.kuiserver
44# Uncomment or put in your firefox.local to allow screen sharing under wayland.
45#whitelist ${RUNUSER}/pipewire-0
46#dbus-user.talk org.freedesktop.portal.*
47# Also uncomment or put in your firefox.local if screen sharing sharing still
48# does not work with the above lines (might depend on the portal
49# implementation)
50#ignore noroot
44ignore dbus-user none 51ignore dbus-user none
45 52
46# Redirect 53# Redirect
diff --git a/etc/profile-a-l/fluxbox.profile b/etc/profile-a-l/fluxbox.profile
index c296c0491..1210f365c 100644
--- a/etc/profile-a-l/fluxbox.profile
+++ b/etc/profile-a-l/fluxbox.profile
@@ -6,7 +6,7 @@ include fluxbox.local
6# Persistent global definitions 6# Persistent global definitions
7include globals.local 7include globals.local
8 8
9# all applications started in awesome will run in this profile 9# all applications started in fluxbox will run in this profile
10noblacklist ${HOME}/.fluxbox 10noblacklist ${HOME}/.fluxbox
11include disable-common.inc 11include disable-common.inc
12 12
diff --git a/etc/profile-a-l/fractal.profile b/etc/profile-a-l/fractal.profile
index c3af29e15..dede61b71 100644
--- a/etc/profile-a-l/fractal.profile
+++ b/etc/profile-a-l/fractal.profile
@@ -8,6 +8,10 @@ include globals.local
8 8
9noblacklist ${HOME}/.cache/fractal 9noblacklist ${HOME}/.cache/fractal
10 10
11# Allow python (blacklisted by disable-interpreters.inc)
12include allow-python2.inc
13include allow-python3.inc
14
11include disable-common.inc 15include disable-common.inc
12include disable-devel.inc 16include disable-devel.inc
13include disable-exec.inc 17include disable-exec.inc
@@ -49,6 +53,6 @@ private-tmp
49dbus-user filter 53dbus-user filter
50dbus-user.own org.gnome.Fractal 54dbus-user.own org.gnome.Fractal
51dbus-user.talk ca.desrt.dconf 55dbus-user.talk ca.desrt.dconf
52dbus-user.talk org.freedesktop.secrets
53dbus-user.talk org.freedesktop.Notifications 56dbus-user.talk org.freedesktop.Notifications
57dbus-user.talk org.freedesktop.secrets
54dbus-system none 58dbus-system none
diff --git a/etc/profile-a-l/freecadcmd.profile b/etc/profile-a-l/freecadcmd.profile
index 44bf62cfe..2b2cdae29 100644
--- a/etc/profile-a-l/freecadcmd.profile
+++ b/etc/profile-a-l/freecadcmd.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for freecad 1# Firejail profile alias for freecad
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include freecadcms.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include freecad.profile 10include freecad.profile
diff --git a/etc/profile-a-l/freeciv-gtk3.profile b/etc/profile-a-l/freeciv-gtk3.profile
index fa36459e7..bf034a709 100644
--- a/etc/profile-a-l/freeciv-gtk3.profile
+++ b/etc/profile-a-l/freeciv-gtk3.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for freeciv 1# Firejail profile alias for freeciv
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include freeciv-gtk3.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include freeciv.profile 10include freeciv.profile
diff --git a/etc/profile-a-l/freeciv-mp-gtk3.profile b/etc/profile-a-l/freeciv-mp-gtk3.profile
index fa36459e7..942058fa6 100644
--- a/etc/profile-a-l/freeciv-mp-gtk3.profile
+++ b/etc/profile-a-l/freeciv-mp-gtk3.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for freeciv 1# Firejail profile alias for freeciv
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include freeciv-mp-gtk3.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include freeciv.profile 10include freeciv.profile
diff --git a/etc/profile-a-l/gajim-history-manager.profile b/etc/profile-a-l/gajim-history-manager.profile
index 2ae6dd9d8..945dea146 100644
--- a/etc/profile-a-l/gajim-history-manager.profile
+++ b/etc/profile-a-l/gajim-history-manager.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for gajim-history-manager 1# Firejail profile alias for gajim-history-manager
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include gajim-history-manager.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include gajim.profile 10include gajim.profile
diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile
index 85d9b9bd9..125ddf79c 100644
--- a/etc/profile-a-l/gajim.profile
+++ b/etc/profile-a-l/gajim.profile
@@ -6,6 +6,7 @@ include gajim.local
6# Persistent global definitions 6# Persistent global definitions
7include globals.local 7include globals.local
8 8
9noblacklist ${HOME}/.gnupg
9noblacklist ${HOME}/.cache/gajim 10noblacklist ${HOME}/.cache/gajim
10noblacklist ${HOME}/.config/gajim 11noblacklist ${HOME}/.config/gajim
11noblacklist ${HOME}/.local/share/gajim 12noblacklist ${HOME}/.local/share/gajim
@@ -20,19 +21,27 @@ include disable-exec.inc
20include disable-interpreters.inc 21include disable-interpreters.inc
21include disable-passwdmgr.inc 22include disable-passwdmgr.inc
22include disable-programs.inc 23include disable-programs.inc
23# Comment the following line if you need to whitelist other folders than ~/Downloads 24# Comment the following line if you need to whitelist folders other than ~/Downloads
24include disable-xdg.inc 25include disable-xdg.inc
25 26
27mkdir ${HOME}/.gnupg
26mkdir ${HOME}/.cache/gajim 28mkdir ${HOME}/.cache/gajim
27mkdir ${HOME}/.config/gajim 29mkdir ${HOME}/.config/gajim
28mkdir ${HOME}/.local/share/gajim 30mkdir ${HOME}/.local/share/gajim
31whitelist ${HOME}/.gnupg
29whitelist ${HOME}/.cache/gajim 32whitelist ${HOME}/.cache/gajim
30whitelist ${HOME}/.config/gajim 33whitelist ${HOME}/.config/gajim
31whitelist ${HOME}/.local/share/gajim 34whitelist ${HOME}/.local/share/gajim
32whitelist ${DOWNLOADS} 35whitelist ${DOWNLOADS}
36whitelist ${RUNUSER}/gnupg
37whitelist /usr/share/gnupg
38whitelist /usr/share/gnupg2
33include whitelist-common.inc 39include whitelist-common.inc
40include whitelist-runuser-common.inc
41include whitelist-usr-share-common.inc
34include whitelist-var-common.inc 42include whitelist-var-common.inc
35 43
44apparmor
36caps.drop all 45caps.drop all
37netfilter 46netfilter
38nodvd 47nodvd
@@ -47,9 +56,24 @@ shell none
47tracelog 56tracelog
48 57
49disable-mnt 58disable-mnt
50private-bin bash,gajim,gajim-history-manager,gpg,gpg2,paplay,python,python3,sh,zsh 59private-bin bash,gajim,gajim-history-manager,gpg,gpg2,paplay,python*,sh,zsh
60private-cache
51private-dev 61private-dev
52private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl 62private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,xdg
53private-tmp 63private-tmp
64writable-run-user
65
66dbus-user filter
67dbus-user.own org.gajim.Gajim
68dbus-user.talk org.gnome.Mutter.IdleMonitor
69dbus-user.talk ca.desrt.dconf
70dbus-user.talk org.freedesktop.Notifications
71dbus-user.talk org.freedesktop.secrets
72dbus-user.talk org.kde.kwalletd5
73dbus-user.talk org.mpris.MediaPlayer2.*
74dbus-system filter
75dbus-system.talk org.freedesktop.login1
76# Uncomment for location plugin support
77#dbus-system.talk org.freedesktop.GeoClue2
54 78
55join-or-start gajim 79join-or-start gajim
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile
index f4e5a392f..b11863c6a 100644
--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -4,28 +4,83 @@
4# Persistent local customizations 4# Persistent local customizations
5include geary.local 5include geary.local
6# Persistent global definitions 6# Persistent global definitions
7# added by included profile 7include globals.local
8#include globals.local
9
10# Users have Geary set to open a browser by clicking a link in an email
11# We are not allowed to blacklist browser-specific directories
12
13ignore dbus-user filter
14ignore dbus-system none
15ignore private-tmp
16 8
9noblacklist ${HOME}/.cache/evolution
10noblacklist ${HOME}/.cache/folks
17noblacklist ${HOME}/.cache/geary 11noblacklist ${HOME}/.cache/geary
12noblacklist ${HOME}/.config/evolution
18noblacklist ${HOME}/.config/geary 13noblacklist ${HOME}/.config/geary
14noblacklist ${HOME}/.local/share/evolution
19noblacklist ${HOME}/.local/share/geary 15noblacklist ${HOME}/.local/share/geary
16noblacklist ${HOME}/.mozilla
17
18include disable-common.inc
19include disable-devel.inc
20include disable-exec.inc
21include disable-interpreters.inc
22include disable-passwdmgr.inc
23include disable-programs.inc
24include disable-shell.inc
25include disable-xdg.inc
20 26
27mkdir ${HOME}/.cache/evolution
28mkdir ${HOME}/.cache/folks
21mkdir ${HOME}/.cache/geary 29mkdir ${HOME}/.cache/geary
30mkdir ${HOME}/.config/evolution
22mkdir ${HOME}/.config/geary 31mkdir ${HOME}/.config/geary
32mkdir ${HOME}/.local/share/evolution
23mkdir ${HOME}/.local/share/geary 33mkdir ${HOME}/.local/share/geary
34whitelist ${DOWNLOADS}
35whitelist ${HOME}/.cache/evolution
36whitelist ${HOME}/.cache/folks
24whitelist ${HOME}/.cache/geary 37whitelist ${HOME}/.cache/geary
38whitelist ${HOME}/.config/evolution
25whitelist ${HOME}/.config/geary 39whitelist ${HOME}/.config/geary
40whitelist ${HOME}/.local/share/evolution
26whitelist ${HOME}/.local/share/geary 41whitelist ${HOME}/.local/share/geary
42whitelist ${HOME}/.mozilla/firefox/profiles.ini
27whitelist /usr/share/geary 43whitelist /usr/share/geary
44include whitelist-common.inc
45include whitelist-runuser-common.inc
46include whitelist-usr-share-common.inc
47include whitelist-var-common.inc
48
49apparmor
50caps.drop all
51machine-id
52netfilter
53no3d
54nodvd
55nogroups
56nonewprivs
57noroot
58nosound
59notv
60nou2f
61novideo
62protocol unix,inet,inet6
63seccomp
64seccomp.block-secondary
65shell none
66tracelog
67
68# disable-mnt
69# Add 'ignore private-bin' to geary.local for hyperlink support
70private-bin geary
71private-cache
72private-dev
73private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,xdg
74private-tmp
75
76dbus-user filter
77dbus-user.own org.gnome.Geary
78dbus-user.talk ca.desrt.dconf
79dbus-user.talk org.freedesktop.secrets
80dbus-user.talk org.gnome.Contacts
81dbus-user.talk org.gnome.OnlineAccounts
82dbus-user.talk org.gnome.evolution.dataserver.AddressBook10
83dbus-user.talk org.gnome.evolution.dataserver.Sources5
84dbus-system none
28 85
29# allow Mozilla browsers 86read-only ${HOME}/.mozilla/firefox/profiles.ini
30# Redirect
31include firefox.profile
diff --git a/etc/profile-a-l/gfeeds.profile b/etc/profile-a-l/gfeeds.profile
index b8d1b9608..caeb3ce51 100644
--- a/etc/profile-a-l/gfeeds.profile
+++ b/etc/profile-a-l/gfeeds.profile
@@ -9,6 +9,7 @@ include globals.local
9noblacklist ${HOME}/.cache/gfeeds 9noblacklist ${HOME}/.cache/gfeeds
10noblacklist ${HOME}/.cache/org.gabmus.gfeeds 10noblacklist ${HOME}/.cache/org.gabmus.gfeeds
11noblacklist ${HOME}/.config/org.gabmus.gfeeds.json 11noblacklist ${HOME}/.config/org.gabmus.gfeeds.json
12noblacklist ${HOME}/.config/org.gabmus.gfeeds.saved_articles
12 13
13# Allow python (blacklisted by disable-interpreters.inc) 14# Allow python (blacklisted by disable-interpreters.inc)
14include allow-python3.inc 15include allow-python3.inc
@@ -25,9 +26,11 @@ include disable-xdg.inc
25mkdir ${HOME}/.cache/gfeeds 26mkdir ${HOME}/.cache/gfeeds
26mkdir ${HOME}/.cache/org.gabmus.gfeeds 27mkdir ${HOME}/.cache/org.gabmus.gfeeds
27mkfile ${HOME}/.config/org.gabmus.gfeeds.json 28mkfile ${HOME}/.config/org.gabmus.gfeeds.json
29mkdir ${HOME}/.config/org.gabmus.gfeeds.saved_articles
28whitelist ${HOME}/.cache/gfeeds 30whitelist ${HOME}/.cache/gfeeds
29whitelist ${HOME}/.cache/org.gabmus.gfeeds 31whitelist ${HOME}/.cache/org.gabmus.gfeeds
30whitelist ${HOME}/.config/org.gabmus.gfeeds.json 32whitelist ${HOME}/.config/org.gabmus.gfeeds.json
33whitelist ${HOME}/.config/org.gabmus.gfeeds.saved_articles
31whitelist /usr/share/gfeeds 34whitelist /usr/share/gfeeds
32include whitelist-common.inc 35include whitelist-common.inc
33include whitelist-runuser-common.inc 36include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/ghb.profile b/etc/profile-a-l/ghb.profile
index 1e7ce2350..c65d7e709 100644
--- a/etc/profile-a-l/ghb.profile
+++ b/etc/profile-a-l/ghb.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for handbrake 1# Firejail profile alias for handbrake
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include ghb.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include handbrake.profile 10include handbrake.profile
diff --git a/etc/profile-a-l/gimp-2.10.profile b/etc/profile-a-l/gimp-2.10.profile
index dbf49ac22..ea099b0a5 100644
--- a/etc/profile-a-l/gimp-2.10.profile
+++ b/etc/profile-a-l/gimp-2.10.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for gimp 1# Firejail profile alias for gimp
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include gimp-2.10.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include gimp.profile 10include gimp.profile
diff --git a/etc/profile-a-l/gimp-2.8.profile b/etc/profile-a-l/gimp-2.8.profile
index dbf49ac22..af0793c58 100644
--- a/etc/profile-a-l/gimp-2.8.profile
+++ b/etc/profile-a-l/gimp-2.8.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for gimp 1# Firejail profile alias for gimp
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include gimp-2.8.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include gimp.profile 10include gimp.profile
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile
index 4708078dd..312655b9b 100644
--- a/etc/profile-a-l/git-cola.profile
+++ b/etc/profile-a-l/git-cola.profile
@@ -11,16 +11,19 @@ ignore noexec ${HOME}
11noblacklist ${HOME}/.gitconfig 11noblacklist ${HOME}/.gitconfig
12noblacklist ${HOME}/.git-credentials 12noblacklist ${HOME}/.git-credentials
13noblacklist ${HOME}/.gnupg 13noblacklist ${HOME}/.gnupg
14noblacklist ${HOME}/.ssh
15noblacklist ${HOME}/.subversion 14noblacklist ${HOME}/.subversion
16noblacklist ${HOME}/.config/git 15noblacklist ${HOME}/.config/git
17noblacklist ${HOME}/.config/git-cola 16noblacklist ${HOME}/.config/git-cola
18# Put your editor,diff viewer config path below and uncomment to load settings 17# Put your editor,diff viewer config path below and uncomment to load settings
19# noblacklist ${HOME}/ 18# noblacklist ${HOME}/
20 19
20# Allow python (blacklisted by disable-interpreters.inc)
21include allow-python2.inc 21include allow-python2.inc
22include allow-python3.inc 22include allow-python3.inc
23 23
24# Allow ssh (blacklisted by disable-common.inc)
25include allow-ssh.inc
26
24include disable-common.inc 27include disable-common.inc
25include disable-devel.inc 28include disable-devel.inc
26include disable-exec.inc 29include disable-exec.inc
diff --git a/etc/profile-a-l/git.profile b/etc/profile-a-l/git.profile
index e5a2f3985..aefb2917d 100644
--- a/etc/profile-a-l/git.profile
+++ b/etc/profile-a-l/git.profile
@@ -15,10 +15,12 @@ noblacklist ${HOME}/.gitconfig
15noblacklist ${HOME}/.git-credentials 15noblacklist ${HOME}/.git-credentials
16noblacklist ${HOME}/.gnupg 16noblacklist ${HOME}/.gnupg
17noblacklist ${HOME}/.nanorc 17noblacklist ${HOME}/.nanorc
18noblacklist ${HOME}/.ssh
19noblacklist ${HOME}/.vim 18noblacklist ${HOME}/.vim
20noblacklist ${HOME}/.viminfo 19noblacklist ${HOME}/.viminfo
21 20
21# Allow ssh (blacklisted by disable-common.inc)
22include allow-ssh.inc
23
22blacklist /tmp/.X11-unix 24blacklist /tmp/.X11-unix
23blacklist ${RUNUSER}/wayland-* 25blacklist ${RUNUSER}/wayland-*
24 26
diff --git a/etc/profile-a-l/gitg.profile b/etc/profile-a-l/gitg.profile
index 3d80c1ed2..93b90eb9e 100644
--- a/etc/profile-a-l/gitg.profile
+++ b/etc/profile-a-l/gitg.profile
@@ -10,7 +10,9 @@ noblacklist ${HOME}/.config/git
10noblacklist ${HOME}/.gitconfig 10noblacklist ${HOME}/.gitconfig
11noblacklist ${HOME}/.git-credentials 11noblacklist ${HOME}/.git-credentials
12noblacklist ${HOME}/.local/share/gitg 12noblacklist ${HOME}/.local/share/gitg
13noblacklist ${HOME}/.ssh 13
14# Allow ssh (blacklisted by disable-common.inc)
15include allow-ssh.inc
14 16
15include disable-common.inc 17include disable-common.inc
16include disable-devel.inc 18include disable-devel.inc
diff --git a/etc/profile-a-l/gnome-mpv.profile b/etc/profile-a-l/gnome-mpv.profile
index f5d652732..dfb95d27b 100644
--- a/etc/profile-a-l/gnome-mpv.profile
+++ b/etc/profile-a-l/gnome-mpv.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for celluloid (formerly GNOME MPV) 1# Firejail profile alias for celluloid (formerly GNOME MPV)
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include gnome-mpv.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include celluloid.profile 10include celluloid.profile
diff --git a/etc/profile-a-l/google-chrome-stable.profile b/etc/profile-a-l/google-chrome-stable.profile
index a456e8d61..88cd43490 100644
--- a/etc/profile-a-l/google-chrome-stable.profile
+++ b/etc/profile-a-l/google-chrome-stable.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for google-chrome 1# Firejail profile alias for google-chrome
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include google-chrome-stable.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include google-chrome.profile 10include google-chrome.profile
diff --git a/etc/profile-a-l/google-earth-pro.profile b/etc/profile-a-l/google-earth-pro.profile
index c1f919769..1240dc3b7 100644
--- a/etc/profile-a-l/google-earth-pro.profile
+++ b/etc/profile-a-l/google-earth-pro.profile
@@ -1,7 +1,30 @@
1# Firejail profile alias for google-earth 1# Firejail profile for google-earth-pro
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include google-earth-pro.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4private-bin google-earth-pro 9# Google Earth Pro can show issues that make it unpleasant to use, even when running unsandboxed.
10# See https://wiki.archlinux.org/index.php/Google_Earth#Troubleshooting for details.
11# Firejailing this application will demand extra work, as there are issues only upstream can fix (see #3906).
12# As an alternative one could use the web version: https://earth.google.com/web/.
13# The desktop version from the AUR can be made to work with firejail by appending the below snippet
14# to /usr/bin/googleearth-pro:
15# <--- snippet --->
16# Post-shutdown cleaning
17#_lock_app_running="${HOME}/.googleearth/instance-running-lock"
18#[[ -L "$_lock_app_running" ]] && rm -f "${_lock_app_running:?}"
19#_lock_collada_cache="/tmp/geColladaModelCacheLock"
20#[[ -e "$_lock_collada_cache" ]] && rm -f "${_lock_collada_cache:?}"
21#_lock_icon_cache="/tmp/geIconCacheLock"
22#[[ -e "$_lock_icon_cache" ]] && rm -f "${_lock_icon_cache:?}"
23# <--- end of snippet --->
24
25# If you see errors about missing commands, uncomment the below or put 'ignore private-bin' into your google-earth-pro.local
26#ignore private-bin
27private-bin google-earth-pro,googleearth,googleearth-bin,gpsbabel,readlink,repair_tool,rm,which,xdg-mime,xdg-settings
5 28
6# Redirect 29# Redirect
7include google-earth.profile 30include google-earth.profile
diff --git a/etc/profile-a-l/google-earth.profile b/etc/profile-a-l/google-earth.profile
index a331ef8d2..12b1cbafd 100644
--- a/etc/profile-a-l/google-earth.profile
+++ b/etc/profile-a-l/google-earth.profile
@@ -6,10 +6,7 @@ include google-earth.local
6include globals.local 6include globals.local
7 7
8noblacklist ${HOME}/.config/Google 8noblacklist ${HOME}/.config/Google
9noblacklist ${HOME}/.googleearth/Cache 9noblacklist ${HOME}/.googleearth
10noblacklist ${HOME}/.googleearth/Temp
11noblacklist ${HOME}/.googleearth/myplaces.backup.kml
12noblacklist ${HOME}/.googleearth/myplaces.kml
13 10
14include disable-common.inc 11include disable-common.inc
15include disable-devel.inc 12include disable-devel.inc
@@ -19,15 +16,9 @@ include disable-passwdmgr.inc
19include disable-programs.inc 16include disable-programs.inc
20 17
21mkdir ${HOME}/.config/Google 18mkdir ${HOME}/.config/Google
22mkdir ${HOME}/.googleearth/Cache 19mkdir ${HOME}/.googleearth
23mkdir ${HOME}/.googleearth/Temp
24mkfile ${HOME}/.googleearth/myplaces.backup.kml
25mkfile ${HOME}/.googleearth/myplaces.kml
26whitelist ${HOME}/.config/Google 20whitelist ${HOME}/.config/Google
27whitelist ${HOME}/.googleearth/Cache 21whitelist ${HOME}/.googleearth
28whitelist ${HOME}/.googleearth/Temp
29whitelist ${HOME}/.googleearth/myplaces.backup.kml
30whitelist ${HOME}/.googleearth/myplaces.kml
31include whitelist-common.inc 22include whitelist-common.inc
32 23
33caps.drop all 24caps.drop all
diff --git a/etc/profile-a-l/gtar.profile b/etc/profile-a-l/gtar.profile
index 2391c121b..e3a02e7bc 100644
--- a/etc/profile-a-l/gtar.profile
+++ b/etc/profile-a-l/gtar.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for tar 1# Firejail profile alias for tar
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include gtar.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include tar.profile 10include tar.profile
diff --git a/etc/profile-a-l/gummi.profile b/etc/profile-a-l/gummi.profile
index 40c268c46..2223c37a1 100644
--- a/etc/profile-a-l/gummi.profile
+++ b/etc/profile-a-l/gummi.profile
@@ -8,8 +8,13 @@ include globals.local
8noblacklist ${HOME}/.cache/gummi 8noblacklist ${HOME}/.cache/gummi
9noblacklist ${HOME}/.config/gummi 9noblacklist ${HOME}/.config/gummi
10 10
11# Allow lua (blacklisted by disable-interpreters.inc)
11include allow-lua.inc 12include allow-lua.inc
13
14# Allow perl (blacklisted by disable-interpreters.inc)
12include allow-perl.inc 15include allow-perl.inc
16
17# Allow python (blacklisted by disable-interpreters.inc)
13include allow-python3.inc 18include allow-python3.inc
14 19
15private-bin dvipdf,dvips,env,gummi,latex,latexmk,lua*,pdflatex,pdftex,perl,ps2pdf,python3*,rubber,synctex,tex,xelatex,xetex 20private-bin dvipdf,dvips,env,gummi,latex,latexmk,lua*,pdflatex,pdftex,perl,ps2pdf,python3*,rubber,synctex,tex,xelatex,xetex
diff --git a/etc/profile-a-l/guvcview.profile b/etc/profile-a-l/guvcview.profile
new file mode 100644
index 000000000..46fc06940
--- /dev/null
+++ b/etc/profile-a-l/guvcview.profile
@@ -0,0 +1,55 @@
1# Firejail profile for guvcview
2# Description: GTK+ base UVC Viewer
3# This file is overwritten after every install/update
4# Persistent local customizations
5include guvcview.local
6# Persistent global definitions
7include globals.local
8
9noblacklist ${HOME}/.config/guvcview2
10
11noblacklist ${PICTURES}
12noblacklist ${VIDEOS}
13
14include disable-common.inc
15include disable-devel.inc
16include disable-exec.inc
17include disable-interpreters.inc
18include disable-passwdmgr.inc
19include disable-programs.inc
20include disable-shell.inc
21include disable-xdg.inc
22
23mkdir ${HOME}/.config/guvcview2
24whitelist ${HOME}/.config/guvcview2
25whitelist ${PICTURES}
26whitelist ${VIDEOS}
27include whitelist-common.inc
28include whitelist-runuser-common.inc
29include whitelist-usr-share-common.inc
30include whitelist-var-common.inc
31
32apparmor
33caps.drop all
34net none
35nodvd
36nogroups
37nonewprivs
38noroot
39notv
40nou2f
41protocol unix,netlink
42seccomp
43seccomp.block-secondary
44shell none
45tracelog
46
47disable-mnt
48private-bin guvcview
49private-cache
50private-dev
51private-etc alsa,alternatives,asound.conf,bumblebee,dconf,drirc,fonts,glvnd,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nvidia,pango,pulse,X11
52private-tmp
53
54dbus-user none
55dbus-system none
diff --git a/etc/profile-a-l/gzip.profile b/etc/profile-a-l/gzip.profile
index 9b59e57e7..035c6459c 100644
--- a/etc/profile-a-l/gzip.profile
+++ b/etc/profile-a-l/gzip.profile
@@ -7,7 +7,9 @@ include gzip.local
7# Persistent global definitions 7# Persistent global definitions
8include globals.local 8include globals.local
9 9
10# Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only. 10# Arch Linux (based distributions) need access to /var/lib/pacman. As we drop
11# all capabilities this is automatically read-only.
11noblacklist /var/lib/pacman 12noblacklist /var/lib/pacman
12 13
14# Redirect
13include archiver-common.inc 15include archiver-common.inc
diff --git a/etc/profile-a-l/handbrake-gtk.profile b/etc/profile-a-l/handbrake-gtk.profile
index 1e7ce2350..42371a853 100644
--- a/etc/profile-a-l/handbrake-gtk.profile
+++ b/etc/profile-a-l/handbrake-gtk.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for handbrake 1# Firejail profile alias for handbrake
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include handbrake-gtk.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include handbrake.profile 10include handbrake.profile
diff --git a/etc/profile-a-l/hexchat.profile b/etc/profile-a-l/hexchat.profile
index 86527aa1f..c60510260 100644
--- a/etc/profile-a-l/hexchat.profile
+++ b/etc/profile-a-l/hexchat.profile
@@ -8,13 +8,13 @@ include globals.local
8 8
9noblacklist ${HOME}/.config/hexchat 9noblacklist ${HOME}/.config/hexchat
10 10
11# Allow perl (blacklisted by disable-interpreters.inc)
12include allow-perl.inc
13
11# Allow python (blacklisted by disable-interpreters.inc) 14# Allow python (blacklisted by disable-interpreters.inc)
12include allow-python2.inc 15include allow-python2.inc
13include allow-python3.inc 16include allow-python3.inc
14 17
15# Allow perl (blacklisted by disable-interpreters.inc)
16include allow-perl.inc
17
18include disable-common.inc 18include disable-common.inc
19include disable-devel.inc 19include disable-devel.inc
20include disable-exec.inc 20include disable-exec.inc
diff --git a/etc/profile-a-l/i3.profile b/etc/profile-a-l/i3.profile
index c1ca0e413..e96b1843c 100644
--- a/etc/profile-a-l/i3.profile
+++ b/etc/profile-a-l/i3.profile
@@ -6,7 +6,7 @@ include i3.local
6# Persistent global definitions 6# Persistent global definitions
7include globals.local 7include globals.local
8 8
9# all applications started in awesome will run in this profile 9# all applications started in i3 will run in this profile
10noblacklist ${HOME}/.config/i3 10noblacklist ${HOME}/.config/i3
11include disable-common.inc 11include disable-common.inc
12 12
diff --git a/etc/profile-a-l/idea.sh.profile b/etc/profile-a-l/idea.sh.profile
index a7d0d531f..0a048a38a 100644
--- a/etc/profile-a-l/idea.sh.profile
+++ b/etc/profile-a-l/idea.sh.profile
@@ -10,12 +10,14 @@ noblacklist ${HOME}/.android
10noblacklist ${HOME}/.jack-server 10noblacklist ${HOME}/.jack-server
11noblacklist ${HOME}/.jack-settings 11noblacklist ${HOME}/.jack-settings
12noblacklist ${HOME}/.local/share/JetBrains 12noblacklist ${HOME}/.local/share/JetBrains
13noblacklist ${HOME}/.ssh
14noblacklist ${HOME}/.tooling 13noblacklist ${HOME}/.tooling
15 14
16# Allows files commonly used by IDEs 15# Allows files commonly used by IDEs
17include allow-common-devel.inc 16include allow-common-devel.inc
18 17
18# Allow ssh (blacklisted by disable-common.inc)
19include allow-ssh.inc
20
19include disable-common.inc 21include disable-common.inc
20include disable-passwdmgr.inc 22include disable-passwdmgr.inc
21include disable-programs.inc 23include disable-programs.inc
diff --git a/etc/profile-a-l/iridium-browser.profile b/etc/profile-a-l/iridium-browser.profile
index c7ee64d56..20b24cedf 100644
--- a/etc/profile-a-l/iridium-browser.profile
+++ b/etc/profile-a-l/iridium-browser.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for iridium 1# Firejail profile alias for iridium
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include iridium-browser.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include iridium.profile 10include iridium.profile
diff --git a/etc/profile-a-l/jumpnbump-menu.profile b/etc/profile-a-l/jumpnbump-menu.profile
index b1852b015..8d391b90f 100644
--- a/etc/profile-a-l/jumpnbump-menu.profile
+++ b/etc/profile-a-l/jumpnbump-menu.profile
@@ -7,6 +7,7 @@ include jumpnbump-menu.local
7# added by included profile 7# added by included profile
8#include globals.local 8#include globals.local
9 9
10# Allow python (blacklisted by disable-interpreters.inc)
10include allow-python3.inc 11include allow-python3.inc
11 12
12private-bin jumpnbump-menu,python3* 13private-bin jumpnbump-menu,python3*
diff --git a/etc/profile-a-l/kalgebramobile.profile b/etc/profile-a-l/kalgebramobile.profile
index d2394fe20..3768d277e 100644
--- a/etc/profile-a-l/kalgebramobile.profile
+++ b/etc/profile-a-l/kalgebramobile.profile
@@ -1,5 +1,10 @@
1# Firejail profile for kalgebramobile 1# Firejail profile for kalgebramobile
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include kalgebramobile.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include kalgebra.profile 10include kalgebra.profile
diff --git a/etc/profile-a-l/karbon.profile b/etc/profile-a-l/karbon.profile
index d54d6d3d0..231299a2f 100644
--- a/etc/profile-a-l/karbon.profile
+++ b/etc/profile-a-l/karbon.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for krita 1# Firejail profile alias for krita
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include karbon.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.local/share/kxmlgui5/karbon 9noblacklist ${HOME}/.local/share/kxmlgui5/karbon
5 10
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile
index 9c095e106..7d9f4c22f 100644
--- a/etc/profile-a-l/kazam.profile
+++ b/etc/profile-a-l/kazam.profile
@@ -12,6 +12,7 @@ noblacklist ${PICTURES}
12noblacklist ${VIDEOS} 12noblacklist ${VIDEOS}
13noblacklist ${HOME}/.config/kazam 13noblacklist ${HOME}/.config/kazam
14 14
15# Allow python (blacklisted by disable-interpreters.inc)
15include allow-python2.inc 16include allow-python2.inc
16include allow-python3.inc 17include allow-python3.inc
17 18
diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile
new file mode 100644
index 000000000..41840e3b0
--- /dev/null
+++ b/etc/profile-a-l/kdiff3.profile
@@ -0,0 +1,52 @@
1# Firejail profile for kdiff3
2# Description: KDiff3 is a file and folder diff and merge tool.
3# This file is overwritten after every install/update
4# Persistent local customizations
5include kdiff3.local
6# Persistent global definitions
7include globals.local
8
9noblacklist ${HOME}/.config/kdiff3fileitemactionrc
10noblacklist ${HOME}/.config/kdiff3rc
11
12# Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in disable-common.inc.
13#include disable-common.inc
14include disable-devel.inc
15include disable-exec.inc
16include disable-interpreters.inc
17include disable-passwdmgr.inc
18# Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in disable-programs.inc.
19#include disable-programs.inc
20include disable-shell.inc
21include disable-xdg.inc
22
23include whitelist-runuser-common.inc
24# Uncomment the next lines (or put it into your kdiff3.local) if you don't need to compare files in /usr/share.
25#include whitelist-usr-share-common.inc
26# Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in /var.
27#include whitelist-var-common.inc
28
29apparmor
30caps.drop all
31machine-id
32net none
33nodvd
34nogroups
35nonewprivs
36noroot
37nosound
38notv
39nou2f
40novideo
41seccomp
42seccomp.block-secondary
43shell none
44tracelog
45
46disable-mnt
47private-bin kdiff3
48private-cache
49private-dev
50
51dbus-user none
52dbus-system none
diff --git a/etc/profile-a-l/keepass2.profile b/etc/profile-a-l/keepass2.profile
index aef236ccc..72f79bef7 100644
--- a/etc/profile-a-l/keepass2.profile
+++ b/etc/profile-a-l/keepass2.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for keepass 1# Firejail profile alias for keepass
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include keepass2.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include keepass.profile 10include keepass.profile
diff --git a/etc/profile-a-l/keepassx2.profile b/etc/profile-a-l/keepassx2.profile
index fdd27e9f9..f2704d67f 100644
--- a/etc/profile-a-l/keepassx2.profile
+++ b/etc/profile-a-l/keepassx2.profile
@@ -1,6 +1,11 @@
1# Firejail profile for keepassx2 1# Firejail profile for keepassx2
2# Description: Cross platform password manager 2# Description: Cross platform password manager
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4# Persistent local customizations
5include keepassx2.local
6# Persistent global definitions
7# added by included profile
8#include globals.local
4 9
5# Redirects 10# Redirects
6include keepassx.profile 11include keepassx.profile
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index a3a1b500a..3ad779a12 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -11,10 +11,16 @@ noblacklist ${HOME}/*.kdbx
11noblacklist ${HOME}/.cache/keepassxc 11noblacklist ${HOME}/.cache/keepassxc
12noblacklist ${HOME}/.config/keepassxc 12noblacklist ${HOME}/.config/keepassxc
13noblacklist ${HOME}/.keepassxc 13noblacklist ${HOME}/.keepassxc
14# 2.2.4 needs this path when compiled with "Native messaging browser extension"
15noblacklist ${HOME}/.mozilla
16noblacklist ${DOCUMENTS} 14noblacklist ${DOCUMENTS}
17 15
16# Allow browser profiles, required for browser integration.
17noblacklist ${HOME}/.config/BraveSoftware
18noblacklist ${HOME}/.config/chromium
19noblacklist ${HOME}/.config/google-chrome
20noblacklist ${HOME}/.config/vivaldi
21noblacklist ${HOME}/.local/share/torbrowser
22noblacklist ${HOME}/.mozilla
23
18include disable-common.inc 24include disable-common.inc
19include disable-devel.inc 25include disable-devel.inc
20include disable-exec.inc 26include disable-exec.inc
@@ -29,6 +35,16 @@ include disable-xdg.inc
29#mkdir ${HOME}/Documents/KeePassXC 35#mkdir ${HOME}/Documents/KeePassXC
30#whitelist ${HOME}/Documents/KeePassXC 36#whitelist ${HOME}/Documents/KeePassXC
31# Needed for KeePassXC-Browser 37# Needed for KeePassXC-Browser
38#mkfile ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
39#whitelist ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
40#mkfile ${HOME}/.config/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
41#whitelist ${HOME}/.config/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
42#mkfile ${HOME}/.config/google-chrome/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
43#whitelist ${HOME}/.config/google-chrome/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
44#mkfile ${HOME}/.config/vivaldi/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
45#whitelist ${HOME}/.config/vivaldi/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
46#mkfile ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
47#whitelist ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
32#mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json 48#mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
33#whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json 49#whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
34#mkdir ${HOME}/.cache/keepassxc 50#mkdir ${HOME}/.cache/keepassxc
diff --git a/etc/profile-a-l/klatexformula_cmdl.profile b/etc/profile-a-l/klatexformula_cmdl.profile
index 9137963c4..3142cbca6 100644
--- a/etc/profile-a-l/klatexformula_cmdl.profile
+++ b/etc/profile-a-l/klatexformula_cmdl.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for klatexformula_cmdl 1# Firejail profile alias for klatexformula_cmdl
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include klatexformula_cmdl.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include klatexformula.profile 10include klatexformula.profile
diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile
index 8d99da3cf..ab4ff10b9 100644
--- a/etc/profile-a-l/kmail.profile
+++ b/etc/profile-a-l/kmail.profile
@@ -9,10 +9,6 @@ include globals.local
9# kmail has problems launching akonadi in debian and ubuntu. 9# kmail has problems launching akonadi in debian and ubuntu.
10# one solution is to have akonadi already running when kmail is started 10# one solution is to have akonadi already running when kmail is started
11 11
12noblacklist ${HOME}/.gnupg
13# noblacklist ${HOME}/.kde/
14# noblacklist ${HOME}/.kde4/
15noblacklist ${HOME}/.mozilla
16noblacklist ${HOME}/.cache/akonadi* 12noblacklist ${HOME}/.cache/akonadi*
17noblacklist ${HOME}/.cache/kmail2 13noblacklist ${HOME}/.cache/kmail2
18noblacklist ${HOME}/.config/akonadi* 14noblacklist ${HOME}/.config/akonadi*
@@ -23,6 +19,7 @@ noblacklist ${HOME}/.config/kmail2rc
23noblacklist ${HOME}/.config/kmailsearchindexingrc 19noblacklist ${HOME}/.config/kmailsearchindexingrc
24noblacklist ${HOME}/.config/mailtransports 20noblacklist ${HOME}/.config/mailtransports
25noblacklist ${HOME}/.config/specialmailcollectionsrc 21noblacklist ${HOME}/.config/specialmailcollectionsrc
22noblacklist ${HOME}/.gnupg
26noblacklist ${HOME}/.local/share/akonadi* 23noblacklist ${HOME}/.local/share/akonadi*
27noblacklist ${HOME}/.local/share/apps/korganizer 24noblacklist ${HOME}/.local/share/apps/korganizer
28noblacklist ${HOME}/.local/share/contacts 25noblacklist ${HOME}/.local/share/contacts
@@ -33,8 +30,6 @@ noblacklist ${HOME}/.local/share/kxmlgui5/kmail2
33noblacklist ${HOME}/.local/share/local-mail 30noblacklist ${HOME}/.local/share/local-mail
34noblacklist ${HOME}/.local/share/notes 31noblacklist ${HOME}/.local/share/notes
35noblacklist /tmp/akonadi-* 32noblacklist /tmp/akonadi-*
36noblacklist /var/mail
37noblacklist /var/spool/mail
38 33
39include disable-common.inc 34include disable-common.inc
40include disable-devel.inc 35include disable-devel.inc
@@ -42,73 +37,10 @@ include disable-exec.inc
42include disable-interpreters.inc 37include disable-interpreters.inc
43include disable-passwdmgr.inc 38include disable-passwdmgr.inc
44include disable-programs.inc 39include disable-programs.inc
45include disable-xdg.inc
46 40
47mkdir ${HOME}/.gnupg
48# mkdir ${HOME}/.kde/
49# mkdir ${HOME}/.kde4/
50mkdir ${HOME}/.cache/akonadi*
51mkdir ${HOME}/.cache/kmail2
52mkdir ${HOME}/.config/akonadi*
53mkdir ${HOME}/.config/baloorc
54mkdir ${HOME}/.config/emaildefaults
55mkdir ${HOME}/.config/emailidentities
56mkdir ${HOME}/.config/kmail2rc
57mkdir ${HOME}/.config/kmailsearchindexingrc
58mkdir ${HOME}/.config/mailtransports
59mkdir ${HOME}/.config/specialmailcollectionsrc
60mkdir ${HOME}/.local/share/akonadi*
61mkdir ${HOME}/.local/share/apps/korganizer
62mkdir ${HOME}/.local/share/contacts
63mkdir ${HOME}/.local/share/emailidentities
64mkdir ${HOME}/.local/share/kmail2
65mkdir ${HOME}/.local/share/kxmlgui5/kmail
66mkdir ${HOME}/.local/share/kxmlgui5/kmail2
67mkdir ${HOME}/.local/share/local-mail
68mkdir ${HOME}/.local/share/notes
69mkdir /tmp/akonadi-*
70whitelist ${HOME}/.gnupg
71# whitelist ${HOME}/.kde/
72# whitelist ${HOME}/.kde4/
73whitelist ${HOME}/.mozilla/firefox/profiles.ini
74whitelist ${HOME}/.cache/akonadi*
75whitelist ${HOME}/.cache/kmail2
76whitelist ${HOME}/.config/akonadi*
77whitelist ${HOME}/.config/baloorc
78whitelist ${HOME}/.config/emaildefaults
79whitelist ${HOME}/.config/emailidentities
80whitelist ${HOME}/.config/kmail2rc
81whitelist ${HOME}/.config/kmailsearchindexingrc
82whitelist ${HOME}/.config/mailtransports
83whitelist ${HOME}/.config/specialmailcollectionsrc
84whitelist ${HOME}/.local/share/akonadi*
85whitelist ${HOME}/.local/share/apps/korganizer
86whitelist ${HOME}/.local/share/contacts
87whitelist ${HOME}/.local/share/emailidentities
88whitelist ${HOME}/.local/share/kmail2
89whitelist ${HOME}/.local/share/kxmlgui5/kmail
90whitelist ${HOME}/.local/share/kxmlgui5/kmail2
91whitelist ${HOME}/.local/share/local-mail
92whitelist ${HOME}/.local/share/notes
93whitelist ${DOWNLOADS}
94whitelist ${DOCUMENTS}
95whitelist ${RUNUSER}/gnupg
96whitelist /tmp/akonadi-*
97whitelist /usr/share/akonadi
98whitelist /usr/share/gnupg
99whitelist /usr/share/gnupg2
100whitelist /usr/share/kconf_update
101whitelist /usr/share/kf5
102whitelist /usr/share/kservices5
103whitelist /usr/share/qlogging-categories5
104whitelist /var/mail
105whitelist /var/spool/mail
106include whitelist-common.inc
107include whitelist-runuser-common.inc
108include whitelist-usr-share-common.inc
109include whitelist-var-common.inc 41include whitelist-var-common.inc
110 42
111apparmor 43# apparmor
112caps.drop all 44caps.drop all
113netfilter 45netfilter
114nodvd 46nodvd
@@ -124,14 +56,7 @@ protocol unix,inet,inet6,netlink
124seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set 56seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set
125# tracelog 57# tracelog
126 58
127private-cache
128private-dev 59private-dev
129private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
130# private-tmp - interrupts connection to akonadi, breaks opening of email attachments 60# private-tmp - interrupts connection to akonadi, breaks opening of email attachments
61# writable-run-user is needed for signing and encrypting emails
131writable-run-user 62writable-run-user
132writable-var
133
134# dbus-user none
135dbus-system none
136
137read-only ${HOME}/.mozilla/firefox/profiles.ini \ No newline at end of file
diff --git a/etc/profile-a-l/krunner.profile b/etc/profile-a-l/krunner.profile
index c64113c15..9cb5eff87 100644
--- a/etc/profile-a-l/krunner.profile
+++ b/etc/profile-a-l/krunner.profile
@@ -6,9 +6,9 @@ include krunner.local
6# Persistent global definitions 6# Persistent global definitions
7include globals.local 7include globals.local
8 8
9# - programs started in krunner run with this generic profile. 9# - programs started in krunner run with this generic profile
10# - when a file is opened in krunner, the file viewer runs in its own sandbox 10# - when a file is opened in krunner, the file viewer runs in its own sandbox
11# with its own profile, if it is sandboxed automatically. 11# with its own profile, if it is sandboxed automatically
12 12
13# noblacklist ${HOME}/.cache/krunner 13# noblacklist ${HOME}/.cache/krunner
14# noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite* 14# noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
diff --git a/etc/profile-a-l/lbunzip2.profile b/etc/profile-a-l/lbunzip2.profile
index 338d8c8bb..3b5b98493 100644
--- a/etc/profile-a-l/lbunzip2.profile
+++ b/etc/profile-a-l/lbunzip2.profile
@@ -1,6 +1,11 @@
1# Firejail profile alias for gzip 1# Firejail profile alias for gzip
2# Description: GNU compression utilities 2# Description: GNU compression utilities
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4# Persistent local customizations
5include lbunzip2.local
6# Persistent global definitions
7# added by included profile
8#include globals.local
4 9
5# Redirect 10# Redirect
6include gzip.profile 11include gzip.profile
diff --git a/etc/profile-a-l/lbzcat.profile b/etc/profile-a-l/lbzcat.profile
index 338d8c8bb..e628ceaae 100644
--- a/etc/profile-a-l/lbzcat.profile
+++ b/etc/profile-a-l/lbzcat.profile
@@ -1,6 +1,11 @@
1# Firejail profile alias for gzip 1# Firejail profile alias for gzip
2# Description: GNU compression utilities 2# Description: GNU compression utilities
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4# Persistent local customizations
5include lbzcat.local
6# Persistent global definitions
7# added by included profile
8#include globals.local
4 9
5# Redirect 10# Redirect
6include gzip.profile 11include gzip.profile
diff --git a/etc/profile-a-l/lbzip2.profile b/etc/profile-a-l/lbzip2.profile
index 338d8c8bb..5d7935780 100644
--- a/etc/profile-a-l/lbzip2.profile
+++ b/etc/profile-a-l/lbzip2.profile
@@ -1,6 +1,11 @@
1# Firejail profile alias for gzip 1# Firejail profile alias for gzip
2# Description: GNU compression utilities 2# Description: GNU compression utilities
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4# Persistent local customizations
5include lbzip2.local
6# Persistent global definitions
7# added by included profile
8#include globals.local
4 9
5# Redirect 10# Redirect
6include gzip.profile 11include gzip.profile
diff --git a/etc/profile-a-l/liferea.profile b/etc/profile-a-l/liferea.profile
index 7cfd4fc10..a122e9bbc 100644
--- a/etc/profile-a-l/liferea.profile
+++ b/etc/profile-a-l/liferea.profile
@@ -42,7 +42,7 @@ noroot
42# nosound 42# nosound
43notv 43notv
44nou2f 44nou2f
45# novideo 45novideo
46protocol unix,inet,inet6 46protocol unix,inet,inet6
47seccomp 47seccomp
48shell none 48shell none
@@ -51,3 +51,12 @@ tracelog
51disable-mnt 51disable-mnt
52private-dev 52private-dev
53private-tmp 53private-tmp
54
55dbus-user filter
56dbus-user.own net.sourceforge.liferea
57dbus-user.talk ca.desrt.dconf
58# Uncomment the below if you use the 'Popup Notifications' plugin or add 'dbus-user.talk org.freedesktop.Notifications' to your liferea.local
59#dbus-user.talk org.freedesktop.Notifications
60# Uncomment the below if you use the 'Libsecret Support' plugin or add 'dbus-user.talk org.freedesktop.secrets' to your liferea.local
61#dbus-user.talk org.freedesktop.secrets
62dbus-system none
diff --git a/etc/profile-a-l/lobase.profile b/etc/profile-a-l/lobase.profile
index 8348a57fe..b248d38f7 100644
--- a/etc/profile-a-l/lobase.profile
+++ b/etc/profile-a-l/lobase.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for libreoffice 1# Firejail profile alias for libreoffice
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include lobase.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include libreoffice.profile 10include libreoffice.profile
diff --git a/etc/profile-a-l/localc.profile b/etc/profile-a-l/localc.profile
index 8348a57fe..a467ef3db 100644
--- a/etc/profile-a-l/localc.profile
+++ b/etc/profile-a-l/localc.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for libreoffice 1# Firejail profile alias for libreoffice
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include localc.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include libreoffice.profile 10include libreoffice.profile
diff --git a/etc/profile-a-l/lodraw.profile b/etc/profile-a-l/lodraw.profile
index 8348a57fe..f1db590ed 100644
--- a/etc/profile-a-l/lodraw.profile
+++ b/etc/profile-a-l/lodraw.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for libreoffice 1# Firejail profile alias for libreoffice
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include lodraw.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include libreoffice.profile 10include libreoffice.profile
diff --git a/etc/profile-a-l/loffice.profile b/etc/profile-a-l/loffice.profile
index 8348a57fe..aa291017a 100644
--- a/etc/profile-a-l/loffice.profile
+++ b/etc/profile-a-l/loffice.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for libreoffice 1# Firejail profile alias for libreoffice
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include loffice.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include libreoffice.profile 10include libreoffice.profile
diff --git a/etc/profile-a-l/lofromtemplate.profile b/etc/profile-a-l/lofromtemplate.profile
index 8348a57fe..534dc5d14 100644
--- a/etc/profile-a-l/lofromtemplate.profile
+++ b/etc/profile-a-l/lofromtemplate.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for libreoffice 1# Firejail profile alias for libreoffice
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include lofromtemplate.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include libreoffice.profile 10include libreoffice.profile
diff --git a/etc/profile-a-l/loimpress.profile b/etc/profile-a-l/loimpress.profile
index 8348a57fe..a9473d1a6 100644
--- a/etc/profile-a-l/loimpress.profile
+++ b/etc/profile-a-l/loimpress.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for libreoffice 1# Firejail profile alias for libreoffice
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include loimpress.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include libreoffice.profile 10include libreoffice.profile
diff --git a/etc/profile-a-l/lomath.profile b/etc/profile-a-l/lomath.profile
index 8348a57fe..8bc388be7 100644
--- a/etc/profile-a-l/lomath.profile
+++ b/etc/profile-a-l/lomath.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for libreoffice 1# Firejail profile alias for libreoffice
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include lomath.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include libreoffice.profile 10include libreoffice.profile
diff --git a/etc/profile-a-l/loweb.profile b/etc/profile-a-l/loweb.profile
index 8348a57fe..34b9dcad0 100644
--- a/etc/profile-a-l/loweb.profile
+++ b/etc/profile-a-l/loweb.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for libreoffice 1# Firejail profile alias for libreoffice
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include loweb.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include libreoffice.profile 10include libreoffice.profile
diff --git a/etc/profile-a-l/lowriter.profile b/etc/profile-a-l/lowriter.profile
index 8348a57fe..054ce3a48 100644
--- a/etc/profile-a-l/lowriter.profile
+++ b/etc/profile-a-l/lowriter.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for libreoffice 1# Firejail profile alias for libreoffice
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include lowriter.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include libreoffice.profile 10include libreoffice.profile
diff --git a/etc/profile-a-l/lsar.profile b/etc/profile-a-l/lsar.profile
new file mode 100644
index 000000000..faf5bb7f9
--- /dev/null
+++ b/etc/profile-a-l/lsar.profile
@@ -0,0 +1,13 @@
1# Firejail profile for lsar
2# This file is overwritten after every install/update
3quiet
4# Persistent local customizations
5include lsar.local
6# Persistent global definitions
7# added by included profile
8#include globals.local
9
10private-bin lsar
11
12# Redirect
13include ar.profile
diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile
index 652f571bb..5d05631ec 100644
--- a/etc/profile-a-l/lutris.profile
+++ b/etc/profile-a-l/lutris.profile
@@ -35,7 +35,7 @@ mkdir ${HOME}/.cache/winetricks
35mkdir ${HOME}/.config/lutris 35mkdir ${HOME}/.config/lutris
36mkdir ${HOME}/.local/share/lutris 36mkdir ${HOME}/.local/share/lutris
37# mkdir ${HOME}/.wine 37# mkdir ${HOME}/.wine
38whitelist ${HOME}/Downloads 38whitelist ${DOWNLOADS}
39whitelist ${HOME}/Games 39whitelist ${HOME}/Games
40whitelist ${HOME}/.cache/lutris 40whitelist ${HOME}/.cache/lutris
41whitelist ${HOME}/.cache/winetricks 41whitelist ${HOME}/.cache/winetricks
diff --git a/etc/profile-a-l/lyx.profile b/etc/profile-a-l/lyx.profile
index ffde057d5..fa69463d1 100644
--- a/etc/profile-a-l/lyx.profile
+++ b/etc/profile-a-l/lyx.profile
@@ -11,8 +11,13 @@ ignore private-tmp
11noblacklist ${HOME}/.config/LyX 11noblacklist ${HOME}/.config/LyX
12noblacklist ${HOME}/.lyx 12noblacklist ${HOME}/.lyx
13 13
14# Allow lua (blacklisted by disable-interpreters.inc)
14include allow-lua.inc 15include allow-lua.inc
16
17# Allow perl (blacklisted by disable-interpreters.inc)
15include allow-perl.inc 18include allow-perl.inc
19
20# Allow python (blacklisted by disable-interpreters.inc)
16include allow-python2.inc 21include allow-python2.inc
17include allow-python3.inc 22include allow-python3.inc
18 23
diff --git a/etc/profile-a-l/lzcat.profile b/etc/profile-a-l/lzcat.profile
index d9c72407f..693a1e167 100644
--- a/etc/profile-a-l/lzcat.profile
+++ b/etc/profile-a-l/lzcat.profile
@@ -2,6 +2,11 @@
2# Description: Library and command line tools for XZ and LZMA compressed files 2# Description: Library and command line tools for XZ and LZMA compressed files
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4quiet 4quiet
5# Persistent local customizations
6include lzcat.local
7# Persistent global definitions
8# added by included profile
9#include globals.local
5 10
6# Redirect 11# Redirect
7include cpio.profile 12include cpio.profile
diff --git a/etc/profile-a-l/lzcmp.profile b/etc/profile-a-l/lzcmp.profile
index d9c72407f..f2e49fde0 100644
--- a/etc/profile-a-l/lzcmp.profile
+++ b/etc/profile-a-l/lzcmp.profile
@@ -2,6 +2,11 @@
2# Description: Library and command line tools for XZ and LZMA compressed files 2# Description: Library and command line tools for XZ and LZMA compressed files
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4quiet 4quiet
5# Persistent local customizations
6include lzcmp.local
7# Persistent global definitions
8# added by included profile
9#include globals.local
5 10
6# Redirect 11# Redirect
7include cpio.profile 12include cpio.profile
diff --git a/etc/profile-a-l/lzdiff.profile b/etc/profile-a-l/lzdiff.profile
index f7410b928..1e2e17eee 100644
--- a/etc/profile-a-l/lzdiff.profile
+++ b/etc/profile-a-l/lzdiff.profile
@@ -1,6 +1,12 @@
1# Firejail profile alias for cpio 1# Firejail profile alias for cpio
2# Description: Library and command line tools for XZ and LZMA compressed files 2# Description: Library and command line tools for XZ and LZMA compressed files
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4quiet
5# Persistent local customizations
6include lzdiff.local
7# Persistent global definitions
8# added by included profile
9#include globals.local
4 10
5# Redirect 11# Redirect
6include cpio.profile 12include cpio.profile
diff --git a/etc/profile-a-l/lzegrep.profile b/etc/profile-a-l/lzegrep.profile
index d9c72407f..ca93f2a8b 100644
--- a/etc/profile-a-l/lzegrep.profile
+++ b/etc/profile-a-l/lzegrep.profile
@@ -2,6 +2,11 @@
2# Description: Library and command line tools for XZ and LZMA compressed files 2# Description: Library and command line tools for XZ and LZMA compressed files
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4quiet 4quiet
5# Persistent local customizations
6include lzegrep.local
7# Persistent global definitions
8# added by included profile
9#include globals.local
5 10
6# Redirect 11# Redirect
7include cpio.profile 12include cpio.profile
diff --git a/etc/profile-a-l/lzfgrep.profile b/etc/profile-a-l/lzfgrep.profile
index d9c72407f..97138e9a0 100644
--- a/etc/profile-a-l/lzfgrep.profile
+++ b/etc/profile-a-l/lzfgrep.profile
@@ -2,6 +2,11 @@
2# Description: Library and command line tools for XZ and LZMA compressed files 2# Description: Library and command line tools for XZ and LZMA compressed files
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4quiet 4quiet
5# Persistent local customizations
6include lzfgrep.local
7# Persistent global definitions
8# added by included profile
9#include globals.local
5 10
6# Redirect 11# Redirect
7include cpio.profile 12include cpio.profile
diff --git a/etc/profile-a-l/lzgrep.profile b/etc/profile-a-l/lzgrep.profile
index d9c72407f..fca9a39df 100644
--- a/etc/profile-a-l/lzgrep.profile
+++ b/etc/profile-a-l/lzgrep.profile
@@ -2,6 +2,11 @@
2# Description: Library and command line tools for XZ and LZMA compressed files 2# Description: Library and command line tools for XZ and LZMA compressed files
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4quiet 4quiet
5# Persistent local customizations
6include lzgrep.local
7# Persistent global definitions
8# added by included profile
9#include globals.local
5 10
6# Redirect 11# Redirect
7include cpio.profile 12include cpio.profile
diff --git a/etc/profile-a-l/lzip.profile b/etc/profile-a-l/lzip.profile
index d9c72407f..806375b05 100644
--- a/etc/profile-a-l/lzip.profile
+++ b/etc/profile-a-l/lzip.profile
@@ -2,6 +2,11 @@
2# Description: Library and command line tools for XZ and LZMA compressed files 2# Description: Library and command line tools for XZ and LZMA compressed files
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4quiet 4quiet
5# Persistent local customizations
6include lzip.local
7# Persistent global definitions
8# added by included profile
9#include globals.local
5 10
6# Redirect 11# Redirect
7include cpio.profile 12include cpio.profile
diff --git a/etc/profile-a-l/lzless.profile b/etc/profile-a-l/lzless.profile
index d9c72407f..20cae4a87 100644
--- a/etc/profile-a-l/lzless.profile
+++ b/etc/profile-a-l/lzless.profile
@@ -2,6 +2,11 @@
2# Description: Library and command line tools for XZ and LZMA compressed files 2# Description: Library and command line tools for XZ and LZMA compressed files
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4quiet 4quiet
5# Persistent local customizations
6include lzless.local
7# Persistent global definitions
8# added by included profile
9#include globals.local
5 10
6# Redirect 11# Redirect
7include cpio.profile 12include cpio.profile
diff --git a/etc/profile-a-l/lzma.profile b/etc/profile-a-l/lzma.profile
index d9c72407f..776550bf9 100644
--- a/etc/profile-a-l/lzma.profile
+++ b/etc/profile-a-l/lzma.profile
@@ -2,6 +2,11 @@
2# Description: Library and command line tools for XZ and LZMA compressed files 2# Description: Library and command line tools for XZ and LZMA compressed files
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4quiet 4quiet
5# Persistent local customizations
6include lzma.local
7# Persistent global definitions
8# added by included profile
9#include globals.local
5 10
6# Redirect 11# Redirect
7include cpio.profile 12include cpio.profile
diff --git a/etc/profile-a-l/lzmadec.profile b/etc/profile-a-l/lzmadec.profile
index 0c5ec1b09..9dac75927 100644
--- a/etc/profile-a-l/lzmadec.profile
+++ b/etc/profile-a-l/lzmadec.profile
@@ -1,6 +1,12 @@
1# Firejail profile alias for xzdec 1# Firejail profile alias for xzdec
2# Description: Library and command line tools for XZ and LZMA compressed files 2# Description: Library and command line tools for XZ and LZMA compressed files
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4quiet
5# Persistent local customizations
6include lzmadec.local
7# Persistent global definitions
8# added by included profile
9#include globals.local
4 10
5# Redirect 11# Redirect
6include xzdec.profile 12include xzdec.profile
diff --git a/etc/profile-a-l/lzmainfo.profile b/etc/profile-a-l/lzmainfo.profile
index d9c72407f..25b65c48f 100644
--- a/etc/profile-a-l/lzmainfo.profile
+++ b/etc/profile-a-l/lzmainfo.profile
@@ -2,6 +2,11 @@
2# Description: Library and command line tools for XZ and LZMA compressed files 2# Description: Library and command line tools for XZ and LZMA compressed files
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4quiet 4quiet
5# Persistent local customizations
6include lzmainfo.local
7# Persistent global definitions
8# added by included profile
9#include globals.local
5 10
6# Redirect 11# Redirect
7include cpio.profile 12include cpio.profile
diff --git a/etc/profile-a-l/lzmore.profile b/etc/profile-a-l/lzmore.profile
index d9c72407f..aa4350ad5 100644
--- a/etc/profile-a-l/lzmore.profile
+++ b/etc/profile-a-l/lzmore.profile
@@ -2,6 +2,11 @@
2# Description: Library and command line tools for XZ and LZMA compressed files 2# Description: Library and command line tools for XZ and LZMA compressed files
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4quiet 4quiet
5# Persistent local customizations
6include lzmore.local
7# Persistent global definitions
8# added by included profile
9#include globals.local
5 10
6# Redirect 11# Redirect
7include cpio.profile 12include cpio.profile
diff --git a/etc/profile-m-z/Maps.profile b/etc/profile-m-z/Maps.profile
index c52d2f2da..493a740d7 100644
--- a/etc/profile-m-z/Maps.profile
+++ b/etc/profile-m-z/Maps.profile
@@ -1,5 +1,10 @@
1# Firejail profile for gnome-maps 1# Firejail profile for gnome-maps
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include Maps.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Temporary fix for https://github.com/netblue30/firejail/issues/2624 9# Temporary fix for https://github.com/netblue30/firejail/issues/2624
5# Redirect 10# Redirect
diff --git a/etc/profile-m-z/Natron.profile b/etc/profile-m-z/Natron.profile
index 42c22bf67..061e5d83b 100644
--- a/etc/profile-m-z/Natron.profile
+++ b/etc/profile-m-z/Natron.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for natron 1# Firejail profile alias for natron
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include Natron.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include natron.profile 10include natron.profile
diff --git a/etc/profile-m-z/Screenshot.profile b/etc/profile-m-z/Screenshot.profile
index d4b083736..cfc53c077 100644
--- a/etc/profile-m-z/Screenshot.profile
+++ b/etc/profile-m-z/Screenshot.profile
@@ -1,5 +1,10 @@
1# Firejail profile for gnome-screenshot 1# Firejail profile for gnome-screenshot
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include Screenshot.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Temporary fix for https://github.com/netblue30/firejail/issues/2624 9# Temporary fix for https://github.com/netblue30/firejail/issues/2624
5# Redirect 10# Redirect
diff --git a/etc/profile-m-z/Telegram.profile b/etc/profile-m-z/Telegram.profile
index 310e0237e..6877e1578 100644
--- a/etc/profile-m-z/Telegram.profile
+++ b/etc/profile-m-z/Telegram.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for telegram 1# Firejail profile alias for telegram
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include Telegram.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include telegram.profile 10include telegram.profile
diff --git a/etc/profile-m-z/VirtualBox.profile b/etc/profile-m-z/VirtualBox.profile
index 4c99ae9a3..4f88a26c0 100644
--- a/etc/profile-m-z/VirtualBox.profile
+++ b/etc/profile-m-z/VirtualBox.profile
@@ -1,6 +1,11 @@
1# Firejail profile alias for virtualbox 1# Firejail profile alias for virtualbox
2# Description: x86 virtualization solution 2# Description: x86 virtualization solution
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4# Persistent local customizations
5include VirtualBox.local
6# Persistent global definitions
7# added by included profile
8#include globals.local
4 9
5# Redirect 10# Redirect
6include virtualbox.profile 11include virtualbox.profile
diff --git a/etc/profile-m-z/marker.profile b/etc/profile-m-z/marker.profile
new file mode 100644
index 000000000..55865fe72
--- /dev/null
+++ b/etc/profile-m-z/marker.profile
@@ -0,0 +1,59 @@
1# Firejail profile for marker
2# Description: Marker is a markdown editor for Linux made with Gtk+-3.0
3# This file is overwritten after every install/update
4# Persistent local customizations
5include marker.local
6# Persistent global definitions
7include globals.local
8
9# Uncomment (or add to your marker.local) if you need internet access.
10#ignore net none
11#protocol unix,inet,inet6
12#private-etc ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf
13
14noblacklist ${HOME}/.cache/marker
15
16include disable-common.inc
17include disable-devel.inc
18include disable-exec.inc
19include disable-interpreters.inc
20include disable-passwdmgr.inc
21include disable-programs.inc
22include disable-shell.inc
23include disable-xdg.inc
24
25whitelist /usr/share/com.github.fabiocolacio.marker
26include whitelist-runuser-common.inc
27include whitelist-usr-share-common.inc
28include whitelist-var-common.inc
29
30apparmor
31caps.drop all
32machine-id
33net none
34netfilter
35no3d
36nodvd
37nogroups
38nonewprivs
39noroot
40nosound
41notv
42nou2f
43novideo
44protocol unix
45seccomp
46seccomp.block-secondary
47shell none
48tracelog
49
50private-bin marker
51private-cache
52private-dev
53private-etc alternatives,dconfgtk-3.0,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,pango,X11
54private-tmp
55
56dbus-user filter
57dbus-user.own com.github.fabiocolacio.marker
58dbus-user.talk ca.desrt.dconf
59dbus-system none
diff --git a/etc/profile-m-z/mate-calculator.profile b/etc/profile-m-z/mate-calculator.profile
index bb438f5f0..5c8200ec5 100644
--- a/etc/profile-m-z/mate-calculator.profile
+++ b/etc/profile-m-z/mate-calculator.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for mate-calc 1# Firejail profile alias for mate-calc
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include mate-calculator.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include mate-calc.profile 10include mate-calc.profile
diff --git a/etc/profile-m-z/mathematica.profile b/etc/profile-m-z/mathematica.profile
index 964060350..cc73f9d80 100644
--- a/etc/profile-m-z/mathematica.profile
+++ b/etc/profile-m-z/mathematica.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for Mathematica 1# Firejail profile alias for Mathematica
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include mathematica.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include Mathematica.profile 10include Mathematica.profile
diff --git a/etc/profile-m-z/mattermost-desktop.profile b/etc/profile-m-z/mattermost-desktop.profile
index e4487c8aa..3c2bf4fa3 100644
--- a/etc/profile-m-z/mattermost-desktop.profile
+++ b/etc/profile-m-z/mattermost-desktop.profile
@@ -5,42 +5,25 @@ include mattermost-desktop.local
5# Persistent global definitions 5# Persistent global definitions
6include globals.local 6include globals.local
7 7
8# Disabled until someone reported positive feedback
9ignore apparmor
10ignore dbus-user none
11ignore dbus-system none
12
8noblacklist ${HOME}/.config/Mattermost 13noblacklist ${HOME}/.config/Mattermost
9 14
10include disable-common.inc
11include disable-devel.inc
12include disable-exec.inc
13include disable-interpreters.inc
14include disable-programs.inc
15include disable-passwdmgr.inc
16include disable-shell.inc 15include disable-shell.inc
17include disable-xdg.inc
18 16
19mkdir ${HOME}/.config/Mattermost 17mkdir ${HOME}/.config/Mattermost
20whitelist ${DOWNLOADS}
21whitelist ${HOME}/.config/Mattermost 18whitelist ${HOME}/.config/Mattermost
22include whitelist-common.inc
23include whitelist-runuser-common.inc
24include whitelist-usr-share-common.inc
25include whitelist-var-common.inc
26
27caps.keep sys_admin,sys_chroot
28netfilter
29nodvd
30nogroups
31notv
32nou2f
33novideo
34shell none
35 19
36disable-mnt
37private-cache
38private-dev
39private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl 20private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
40private-tmp
41 21
42# Not tested 22# Not tested
43#dbus-user filter 23#dbus-user filter
44#dbus-user.own com.mattermost.Desktop 24#dbus-user.own com.mattermost.Desktop
45#dbus-user.talk org.freedesktop.Notifications 25#dbus-user.talk org.freedesktop.Notifications
46#dbus-system none 26#dbus-system none
27
28# Redirect
29include electron.profile
diff --git a/etc/profile-m-z/mdr.profile b/etc/profile-m-z/mdr.profile
new file mode 100644
index 000000000..fb97daa27
--- /dev/null
+++ b/etc/profile-m-z/mdr.profile
@@ -0,0 +1,55 @@
1# Firejail profile for mdr
2# Description: A standalone Markdown renderer for the terminal
3# Persistent local customizations
4include mdr.local
5# Persistent global definitions
6include globals.local
7
8blacklist ${RUNUSER}/wayland-*
9
10include disable-common.inc
11include disable-devel.inc
12include disable-exec.inc
13include disable-interpreters.inc
14include disable-passwdmgr.inc
15include disable-programs.inc
16include disable-shell.inc
17include disable-xdg.inc
18
19whitelist ${DOWNLOADS}
20include whitelist-usr-share-common.inc
21include whitelist-var-common.inc
22
23apparmor
24caps.drop all
25hostname mdr
26ipc-namespace
27machine-id
28net none
29no3d
30nodvd
31nogroups
32nonewprivs
33noroot
34nosound
35notv
36nou2f
37novideo
38protocol unix
39seccomp
40shell none
41tracelog
42x11 none
43
44disable-mnt
45private-bin mdr
46private-cache
47private-dev
48private-etc none
49private-lib
50private-tmp
51
52dbus-user none
53dbus-system none
54
55memory-deny-write-execute
diff --git a/etc/profile-m-z/megaglest_editor.profile b/etc/profile-m-z/megaglest_editor.profile
index 02aad8084..4635573e6 100644
--- a/etc/profile-m-z/megaglest_editor.profile
+++ b/etc/profile-m-z/megaglest_editor.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for megaglest 1# Firejail profile alias for megaglest
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include megaglest_editor.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include megaglest.profile 10include megaglest.profile
diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile
index 6ceeb867f..d76522fce 100644
--- a/etc/profile-m-z/meld.profile
+++ b/etc/profile-m-z/meld.profile
@@ -6,11 +6,11 @@ include meld.local
6# Persistent global definitions 6# Persistent global definitions
7include globals.local 7include globals.local
8 8
9# If you want to use meld as git-mergetool (and maybe some other VCS integrations) you need 9# If you want to use meld as git mergetool (and maybe some other VCS integrations) you need
10# to bypass firejail, you can do this by removing the symlink or calling it by its absolute path 10# to bypass firejail, you can do this by removing the symlink or calling it by its absolute path
11# Removing the symlink: 11# Removing the symlink:
12# sudo rm /usr/local/bin/meld 12# sudo rm /usr/local/bin/meld
13# Calling by its absolute path (example for git-mergetool): 13# Calling it by its absolute path (example for git mergetool):
14# git config --global mergetool.meld.cmd /usr/bin/meld 14# git config --global mergetool.meld.cmd /usr/bin/meld
15 15
16noblacklist ${HOME}/.config/meld 16noblacklist ${HOME}/.config/meld
@@ -18,14 +18,15 @@ noblacklist ${HOME}/.config/git
18noblacklist ${HOME}/.gitconfig 18noblacklist ${HOME}/.gitconfig
19noblacklist ${HOME}/.git-credentials 19noblacklist ${HOME}/.git-credentials
20noblacklist ${HOME}/.local/share/meld 20noblacklist ${HOME}/.local/share/meld
21noblacklist ${HOME}/.ssh
22noblacklist ${HOME}/.subversion 21noblacklist ${HOME}/.subversion
23 22
24# Allow python (blacklisted by disable-interpreters.inc) 23# Allow python (blacklisted by disable-interpreters.inc)
25include allow-python3.inc
26
27# Python 2 is EOL (see #3164). Uncomment the next line (or put it into your meld.local) if you understand the risks but want python 2 support for older meld versions. 24# Python 2 is EOL (see #3164). Uncomment the next line (or put it into your meld.local) if you understand the risks but want python 2 support for older meld versions.
28#include allow-python2.inc 25#include allow-python2.inc
26include allow-python3.inc
27
28# Allow ssh (blacklisted by disable-common.inc)
29include allow-ssh.inc
29 30
30# Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-common.inc. 31# Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-common.inc.
31#include disable-common.inc 32#include disable-common.inc
diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile
index 8a98209a2..e29e4bc70 100644
--- a/etc/profile-m-z/menulibre.profile
+++ b/etc/profile-m-z/menulibre.profile
@@ -6,6 +6,7 @@ include menulibre.local
6# Persistent global definitions 6# Persistent global definitions
7include globals.local 7include globals.local
8 8
9# Allow python (blacklisted by disable-interpreters.inc)
9include allow-python2.inc 10include allow-python2.inc
10include allow-python3.inc 11include allow-python3.inc
11 12
diff --git a/etc/profile-m-z/mirage.profile b/etc/profile-m-z/mirage.profile
index 7130267e8..e0ebb4895 100644
--- a/etc/profile-m-z/mirage.profile
+++ b/etc/profile-m-z/mirage.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.config/mirage
11noblacklist ${HOME}/.local/share/mirage 11noblacklist ${HOME}/.local/share/mirage
12noblacklist /sbin 12noblacklist /sbin
13 13
14# Allow python (blacklisted by disable-interpreters.inc)
14include allow-python2.inc 15include allow-python2.inc
15include allow-python3.inc 16include allow-python3.inc
16 17
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index 1d87eeb48..1804389c3 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -21,7 +21,7 @@ include globals.local
21# - ... 21# - ...
22# 22#
23# Often these scripts require a shell: 23# Often these scripts require a shell:
24#noblacklist ${PATH}/sh 24#include allow-bin-sh.inc
25#private-bin sh 25#private-bin sh
26 26
27noblacklist ${HOME}/.config/mpv 27noblacklist ${HOME}/.config/mpv
@@ -30,6 +30,7 @@ noblacklist ${HOME}/.netrc
30 30
31# Allow lua (blacklisted by disable-interpreters.inc) 31# Allow lua (blacklisted by disable-interpreters.inc)
32include allow-lua.inc 32include allow-lua.inc
33
33# Allow python (blacklisted by disable-interpreters.inc) 34# Allow python (blacklisted by disable-interpreters.inc)
34include allow-python2.inc 35include allow-python2.inc
35include allow-python3.inc 36include allow-python3.inc
diff --git a/etc/profile-m-z/multimc.profile b/etc/profile-m-z/multimc.profile
index 338f494c9..2c8b95a26 100644
--- a/etc/profile-m-z/multimc.profile
+++ b/etc/profile-m-z/multimc.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for multimc5 1# Firejail profile alias for multimc5
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include multimc.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include multimc5.profile 10include multimc5.profile
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile
index 1ce12f54f..24782c033 100644
--- a/etc/profile-m-z/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -1,6 +1,7 @@
1# Firejail profile for mutt 1# Firejail profile for mutt
2# Description: Text-based mailreader supporting MIME, GPG, PGP and threading 2# Description: Text-based mailreader supporting MIME, GPG, PGP and threading
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4quiet
4# Persistent local customizations 5# Persistent local customizations
5include mutt.local 6include mutt.local
6# Persistent global definitions 7# Persistent global definitions
@@ -8,15 +9,18 @@ include globals.local
8 9
9noblacklist /var/mail 10noblacklist /var/mail
10noblacklist /var/spool/mail 11noblacklist /var/spool/mail
12noblacklist ${DOCUMENTS}
11noblacklist ${HOME}/.Mail 13noblacklist ${HOME}/.Mail
12noblacklist ${HOME}/.bogofilter 14noblacklist ${HOME}/.bogofilter
13noblacklist ${HOME}/.cache/mutt 15noblacklist ${HOME}/.cache/mutt
16noblacklist ${HOME}/.config/mutt
14noblacklist ${HOME}/.config/nano 17noblacklist ${HOME}/.config/nano
15noblacklist ${HOME}/.elinks 18noblacklist ${HOME}/.elinks
16noblacklist ${HOME}/.emacs 19noblacklist ${HOME}/.emacs
17noblacklist ${HOME}/.emacs.d 20noblacklist ${HOME}/.emacs.d
18noblacklist ${HOME}/.gnupg 21noblacklist ${HOME}/.gnupg
19noblacklist ${HOME}/.mail 22noblacklist ${HOME}/.mail
23noblacklist ${HOME}/.mailcap
20noblacklist ${HOME}/.msmtprc 24noblacklist ${HOME}/.msmtprc
21noblacklist ${HOME}/.mutt 25noblacklist ${HOME}/.mutt
22noblacklist ${HOME}/.muttrc 26noblacklist ${HOME}/.muttrc
@@ -34,15 +38,84 @@ noblacklist ${HOME}/sent
34blacklist /tmp/.X11-unix 38blacklist /tmp/.X11-unix
35blacklist ${RUNUSER}/wayland-* 39blacklist ${RUNUSER}/wayland-*
36 40
41# Uncomment or put them in mutt.local for oauth.py,S/MIME
42
43#include allow-perl.inc
44#include allow-python2.inc
45#include allow-python3.inc
46
37include disable-common.inc 47include disable-common.inc
38include disable-devel.inc 48include disable-devel.inc
49include disable-exec.inc
39include disable-interpreters.inc 50include disable-interpreters.inc
40include disable-passwdmgr.inc 51include disable-passwdmgr.inc
41include disable-programs.inc 52include disable-programs.inc
53include disable-xdg.inc
42 54
55mkdir ${HOME}/.Mail
56mkdir ${HOME}/.bogofilter
57mkdir ${HOME}/.cache/mutt
58mkdir ${HOME}/.config/mutt
59mkdir ${HOME}/.config/nano
60mkdir ${HOME}/.elinks
61mkdir ${HOME}/.emacs.d
62mkdir ${HOME}/.gnupg
63mkdir ${HOME}/.mail
64mkdir ${HOME}/.mutt
65mkdir ${HOME}/.vim
66mkdir ${HOME}/.w3m
67mkdir ${HOME}/Mail
68mkdir ${HOME}/mail
69mkdir ${HOME}/postponed
70mkdir ${HOME}/sent
71mkfile ${HOME}/.emacs
72mkfile ${HOME}/.mailcap
73mkfile ${HOME}/.msmtprc
74mkfile ${HOME}/.muttrc
75mkfile ${HOME}/.nanorc
76mkfile ${HOME}/.signature
77mkfile ${HOME}/.viminfo
78mkfile ${HOME}/.vimrc
79whitelist ${DOCUMENTS}
80whitelist ${DOWNLOADS}
81whitelist ${HOME}/.Mail
82whitelist ${HOME}/.bogofilter
83whitelist ${HOME}/.cache/mutt
84whitelist ${HOME}/.config/mutt
85whitelist ${HOME}/.config/nano
86whitelist ${HOME}/.elinks
87whitelist ${HOME}/.emacs
88whitelist ${HOME}/.emacs.d
89whitelist ${HOME}/.gnupg
90whitelist ${HOME}/.mail
91whitelist ${HOME}/.mailcap
92whitelist ${HOME}/.msmtprc
93whitelist ${HOME}/.mutt
94whitelist ${HOME}/.muttrc
95whitelist ${HOME}/.nanorc
96whitelist ${HOME}/.signature
97whitelist ${HOME}/.vim
98whitelist ${HOME}/.viminfo
99whitelist ${HOME}/.vimrc
100whitelist ${HOME}/.w3m
101whitelist ${HOME}/Mail
102whitelist ${HOME}/mail
103whitelist ${HOME}/postponed
104whitelist ${HOME}/sent
105whitelist /usr/share/gnupg
106whitelist /usr/share/gnupg2
107whitelist /usr/share/mutt
108whitelist /var/mail
109whitelist /var/spool/mail
110include whitelist-common.inc
43include whitelist-runuser-common.inc 111include whitelist-runuser-common.inc
112include whitelist-usr-share-common.inc
113include whitelist-var-common.inc
44 114
115apparmor
45caps.drop all 116caps.drop all
117ipc-namespace
118machine-id
46netfilter 119netfilter
47no3d 120no3d
48nodvd 121nodvd
@@ -55,8 +128,23 @@ nou2f
55novideo 128novideo
56protocol unix,inet,inet6 129protocol unix,inet,inet6
57seccomp 130seccomp
131seccomp.block-secondary
58shell none 132shell none
133tracelog
59 134
135# disable-mnt
136private-cache
60private-dev 137private-dev
138private-etc alternatives,ca-certificates,crypto-policies,fonts,gai.conf,gcrypt,gnupg,gnutls,hostname,hosts,hosts.conf,mail,mailname,Mutt,Muttrc,Muttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,terminfo,xdg
139private-tmp
61writable-run-user 140writable-run-user
62writable-var 141writable-var
142
143dbus-user none
144dbus-system none
145
146memory-deny-write-execute
147read-only ${HOME}/.elinks
148read-only ${HOME}/.nanorc
149read-only ${HOME}/.signature
150read-only ${HOME}/.w3m
diff --git a/etc/profile-m-z/mypaint-ora-thumbnailer.profile b/etc/profile-m-z/mypaint-ora-thumbnailer.profile
index 59b3024ed..4b4745918 100644
--- a/etc/profile-m-z/mypaint-ora-thumbnailer.profile
+++ b/etc/profile-m-z/mypaint-ora-thumbnailer.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for mypaint-ora-thumbnailer 1# Firejail profile alias for mypaint-ora-thumbnailer
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include mypaint-ora-thumbnailer.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include mypaint.profile 10include mypaint.profile
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile
new file mode 100644
index 000000000..26865b90a
--- /dev/null
+++ b/etc/profile-m-z/neomutt.profile
@@ -0,0 +1,152 @@
1# Firejail profile for neomutt
2# Description: Mutt fork with advanced features and better documentation
3# This file is overwritten after every install/update
4quiet
5# Persistent local customizations
6include neomutt.local
7# Persistent global definitions
8include globals.local
9
10noblacklist ${DOCUMENTS}
11noblacklist ${HOME}/.Mail
12noblacklist ${HOME}/.bogofilter
13noblacklist ${HOME}/.config/mutt
14noblacklist ${HOME}/.config/nano
15noblacklist ${HOME}/.config/neomutt
16noblacklist ${HOME}/.elinks
17noblacklist ${HOME}/.emacs
18noblacklist ${HOME}/.emacs.d
19noblacklist ${HOME}/.gnupg
20noblacklist ${HOME}/.mail
21noblacklist ${HOME}/.mailcap
22noblacklist ${HOME}/.msmtprc
23noblacklist ${HOME}/.mutt
24noblacklist ${HOME}/.muttrc
25noblacklist ${HOME}/.nanorc
26noblacklist ${HOME}/.neomutt
27noblacklist ${HOME}/.neomuttrc
28noblacklist ${HOME}/.signature
29noblacklist ${HOME}/.vim
30noblacklist ${HOME}/.viminfo
31noblacklist ${HOME}/.vimrc
32noblacklist ${HOME}/.w3m
33noblacklist ${HOME}/Mail
34noblacklist ${HOME}/mail
35noblacklist ${HOME}/postponed
36noblacklist ${HOME}/sent
37noblacklist /var/mail
38noblacklist /var/spool/mail
39
40blacklist /tmp/.X11-unix
41blacklist ${RUNUSER}/wayland-*
42
43include allow-lua.inc
44
45include disable-common.inc
46include disable-devel.inc
47include disable-exec.inc
48include disable-interpreters.inc
49include disable-passwdmgr.inc
50include disable-programs.inc
51include disable-xdg.inc
52
53mkdir ${HOME}/.Mail
54mkdir ${HOME}/.bogofilter
55mkdir ${HOME}/.config/mutt
56mkdir ${HOME}/.config/nano
57mkdir ${HOME}/.config/neomutt
58mkdir ${HOME}/.elinks
59mkdir ${HOME}/.emacs.d
60mkdir ${HOME}/.gnupg
61mkdir ${HOME}/.mail
62mkdir ${HOME}/.mutt
63mkdir ${HOME}/.neomutt
64mkdir ${HOME}/.vim
65mkdir ${HOME}/.w3m
66mkdir ${HOME}/Mail
67mkdir ${HOME}/mail
68mkdir ${HOME}/postponed
69mkdir ${HOME}/sent
70mkfile ${HOME}/.emacs
71mkfile ${HOME}/.mailcap
72mkfile ${HOME}/.msmtprc
73mkfile ${HOME}/.muttrc
74mkfile ${HOME}/.nanorc
75mkfile ${HOME}/.neomuttrc
76mkfile ${HOME}/.signature
77mkfile ${HOME}/.viminfo
78mkfile ${HOME}/.vimrc
79whitelist ${DOCUMENTS}
80whitelist ${DOWNLOADS}
81whitelist ${HOME}/.Mail
82whitelist ${HOME}/.bogofilter
83whitelist ${HOME}/.config/mutt
84whitelist ${HOME}/.config/nano
85whitelist ${HOME}/.config/neomutt
86whitelist ${HOME}/.elinks
87whitelist ${HOME}/.emacs
88whitelist ${HOME}/.emacs.d
89whitelist ${HOME}/.gnupg
90whitelist ${HOME}/.mail
91whitelist ${HOME}/.mailcap
92whitelist ${HOME}/.msmtprc
93whitelist ${HOME}/.mutt
94whitelist ${HOME}/.muttrc
95whitelist ${HOME}/.nanorc
96whitelist ${HOME}/.neomutt
97whitelist ${HOME}/.neomuttrc
98whitelist ${HOME}/.signature
99whitelist ${HOME}/.vim
100whitelist ${HOME}/.viminfo
101whitelist ${HOME}/.vimrc
102whitelist ${HOME}/.w3m
103whitelist ${HOME}/Mail
104whitelist ${HOME}/mail
105whitelist ${HOME}/postponed
106whitelist ${HOME}/sent
107whitelist /usr/share/gnupg
108whitelist /usr/share/gnupg2
109whitelist /usr/share/neomutt
110whitelist /var/mail
111whitelist /var/spool/mail
112include whitelist-common.inc
113include whitelist-runuser-common.inc
114include whitelist-usr-share-common.inc
115include whitelist-var-common.inc
116
117apparmor
118caps.drop all
119ipc-namespace
120machine-id
121netfilter
122no3d
123nodvd
124nogroups
125nonewprivs
126noroot
127nosound
128notv
129nou2f
130novideo
131protocol unix,inet,inet6
132seccomp
133seccomp.block-secondary
134shell none
135tracelog
136
137# disable-mnt
138private-cache
139private-dev
140private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,hostname,hosts,hosts.conf,mail,mailname,Mutt,Muttrc,Muttrc.d,neomuttrc,neomuttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg
141private-tmp
142writable-run-user
143writable-var
144
145dbus-user none
146dbus-system none
147
148memory-deny-write-execute
149read-only ${HOME}/.elinks
150read-only ${HOME}/.nanorc
151read-only ${HOME}/.signature
152read-only ${HOME}/.w3m
diff --git a/etc/profile-m-z/newsboat.profile b/etc/profile-m-z/newsboat.profile
index a7bac6286..85b780ced 100644
--- a/etc/profile-m-z/newsboat.profile
+++ b/etc/profile-m-z/newsboat.profile
@@ -38,10 +38,10 @@ seccomp
38shell none 38shell none
39 39
40disable-mnt 40disable-mnt
41private-bin newsboat 41private-bin gzip,lynx,newsboat,sh
42private-cache 42private-cache
43private-dev 43private-dev
44private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,terminfo 44private-etc alternatives,ca-certificates,crypto-policies,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo
45private-tmp 45private-tmp
46 46
47dbus-user none 47dbus-user none
diff --git a/etc/profile-m-z/nicotine.profile b/etc/profile-m-z/nicotine.profile
index 6c363345e..3bf32a3db 100644
--- a/etc/profile-m-z/nicotine.profile
+++ b/etc/profile-m-z/nicotine.profile
@@ -8,6 +8,7 @@ include globals.local
8 8
9noblacklist ${HOME}/.nicotine 9noblacklist ${HOME}/.nicotine
10 10
11# Allow python (blacklisted by disable-interpreters.inc)
11include allow-python2.inc 12include allow-python2.inc
12 13
13include disable-common.inc 14include disable-common.inc
diff --git a/etc/profile-m-z/nitroshare-cli.profile b/etc/profile-m-z/nitroshare-cli.profile
index d9cb2edc5..13c6b59ae 100644
--- a/etc/profile-m-z/nitroshare-cli.profile
+++ b/etc/profile-m-z/nitroshare-cli.profile
@@ -1,6 +1,11 @@
1# Firejail profile alias for nitroshare 1# Firejail profile alias for nitroshare
2# Description: Network File Transfer Application 2# Description: Network File Transfer Application
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4# Persistent local customizations
5include nitroshare-cli.local
6# Persistent global definitions
7# added by included profile
8#include globals.local
4 9
5# Redirect 10# Redirect
6include nitroshare.profile 11include nitroshare.profile
diff --git a/etc/profile-m-z/nitroshare-nmh.profile b/etc/profile-m-z/nitroshare-nmh.profile
index d9cb2edc5..513d26703 100644
--- a/etc/profile-m-z/nitroshare-nmh.profile
+++ b/etc/profile-m-z/nitroshare-nmh.profile
@@ -1,6 +1,11 @@
1# Firejail profile alias for nitroshare 1# Firejail profile alias for nitroshare
2# Description: Network File Transfer Application 2# Description: Network File Transfer Application
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4# Persistent local customizations
5include nitroshare-nmh.local
6# Persistent global definitions
7# added by included profile
8#include globals.local
4 9
5# Redirect 10# Redirect
6include nitroshare.profile 11include nitroshare.profile
diff --git a/etc/profile-m-z/nitroshare-send.profile b/etc/profile-m-z/nitroshare-send.profile
index d9cb2edc5..6edff3cce 100644
--- a/etc/profile-m-z/nitroshare-send.profile
+++ b/etc/profile-m-z/nitroshare-send.profile
@@ -1,6 +1,11 @@
1# Firejail profile alias for nitroshare 1# Firejail profile alias for nitroshare
2# Description: Network File Transfer Application 2# Description: Network File Transfer Application
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4# Persistent local customizations
5include nitroshare-send.local
6# Persistent global definitions
7# added by included profile
8#include globals.local
4 9
5# Redirect 10# Redirect
6include nitroshare.profile 11include nitroshare.profile
diff --git a/etc/profile-m-z/nitroshare-ui.profile b/etc/profile-m-z/nitroshare-ui.profile
index d9cb2edc5..ba5f8edf5 100644
--- a/etc/profile-m-z/nitroshare-ui.profile
+++ b/etc/profile-m-z/nitroshare-ui.profile
@@ -1,6 +1,11 @@
1# Firejail profile alias for nitroshare 1# Firejail profile alias for nitroshare
2# Description: Network File Transfer Application 2# Description: Network File Transfer Application
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4# Persistent local customizations
5include nitroshare-ui.local
6# Persistent global definitions
7# added by included profile
8#include globals.local
4 9
5# Redirect 10# Redirect
6include nitroshare.profile 11include nitroshare.profile
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
new file mode 100644
index 000000000..c12fc9a78
--- /dev/null
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -0,0 +1,52 @@
1# Firejail profile for Node.js
2# Description: Common profile for npm/yarn
3# This file is overwritten after every install/update
4# Persistent local customizations
5include nodejs-common.local
6# Persistent global definitions
7# added by caller profile
8#include globals.local
9
10blacklist /tmp/.X11-unix
11blacklist ${RUNUSER}
12
13ignore noexec ${HOME}
14
15include allow-bin-sh.inc
16
17include disable-common.inc
18include disable-exec.inc
19include disable-passwdmgr.inc
20include disable-programs.inc
21include disable-shell.inc
22include disable-xdg.inc
23
24include whitelist-runuser-common.inc
25include whitelist-usr-share-common.inc
26include whitelist-var-common.inc
27
28caps.drop all
29ipc-namespace
30machine-id
31netfilter
32no3d
33nodvd
34nogroups
35nonewprivs
36noroot
37nosound
38notv
39nou2f
40novideo
41protocol unix,inet,inet6,netlink
42seccomp
43seccomp.block-secondary
44shell none
45
46disable-mnt
47private-dev
48private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,xdg
49private-tmp
50
51dbus-user none
52dbus-system none
diff --git a/etc/profile-m-z/npm.profile b/etc/profile-m-z/npm.profile
new file mode 100644
index 000000000..e95e875be
--- /dev/null
+++ b/etc/profile-m-z/npm.profile
@@ -0,0 +1,29 @@
1# Firejail profile for npm
2# Description: The Node.js Package Manager
3quiet
4# This file is overwritten after every install/update
5# Persistent local customizations
6include npm.local
7# Persistent global definitions
8include globals.local
9
10ignore read-only ${HOME}/.npm-packages
11ignore read-only ${HOME}/.npmrc
12
13noblacklist ${HOME}/.node-gyp
14noblacklist ${HOME}/.npm
15noblacklist ${HOME}/.npmrc
16
17# If you want whitelisting, change ${HOME}/Projects below to your npm projects directory
18# and uncomment the lines below.
19#mkdir ${HOME}/.node-gyp
20#mkdir ${HOME}/.npm
21#mkfile ${HOME}/.npmrc
22#whitelist ${HOME}/.node-gyp
23#whitelist ${HOME}/.npm
24#whitelist ${HOME}/.npmrc
25#whitelist ${HOME}/Projects
26#include whitelist-common.inc
27
28# Redirect
29include nodejs-common.profile
diff --git a/etc/profile-m-z/onboard.profile b/etc/profile-m-z/onboard.profile
index f7cb8790b..152bd7ac5 100644
--- a/etc/profile-m-z/onboard.profile
+++ b/etc/profile-m-z/onboard.profile
@@ -8,6 +8,7 @@ include globals.local
8 8
9noblacklist ${HOME}/.config/onboard 9noblacklist ${HOME}/.config/onboard
10 10
11# Allow python (blacklisted by disable-interpreters.inc)
11include allow-python2.inc 12include allow-python2.inc
12include allow-python3.inc 13include allow-python3.inc
13 14
diff --git a/etc/profile-m-z/ooffice.profile b/etc/profile-m-z/ooffice.profile
index 8348a57fe..8df7b502b 100644
--- a/etc/profile-m-z/ooffice.profile
+++ b/etc/profile-m-z/ooffice.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for libreoffice 1# Firejail profile alias for libreoffice
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include ooffice.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include libreoffice.profile 10include libreoffice.profile
diff --git a/etc/profile-m-z/ooviewdoc.profile b/etc/profile-m-z/ooviewdoc.profile
index 8348a57fe..c55d58ba7 100644
--- a/etc/profile-m-z/ooviewdoc.profile
+++ b/etc/profile-m-z/ooviewdoc.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for libreoffice 1# Firejail profile alias for libreoffice
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include ooviewdoc.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include libreoffice.profile 10include libreoffice.profile
diff --git a/etc/profile-m-z/openarena_ded.profile b/etc/profile-m-z/openarena_ded.profile
index c529e7e11..d70fbc101 100644
--- a/etc/profile-m-z/openarena_ded.profile
+++ b/etc/profile-m-z/openarena_ded.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for openarena 1# Firejail profile alias for openarena
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include openarena_ded.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include openarena.profile 10include openarena.profile
diff --git a/etc/profile-m-z/openbox.profile b/etc/profile-m-z/openbox.profile
index 1fb93c79c..b49fd9932 100644
--- a/etc/profile-m-z/openbox.profile
+++ b/etc/profile-m-z/openbox.profile
@@ -6,7 +6,7 @@ include openbox.local
6# Persistent global definitions 6# Persistent global definitions
7include globals.local 7include globals.local
8 8
9# all applications started in OpenBox will run in this profile 9# all applications started in openbox will run in this profile
10noblacklist ${HOME}/.config/openbox 10noblacklist ${HOME}/.config/openbox
11include disable-common.inc 11include disable-common.inc
12 12
diff --git a/etc/profile-m-z/openoffice.org.profile b/etc/profile-m-z/openoffice.org.profile
index 8348a57fe..4221db409 100644
--- a/etc/profile-m-z/openoffice.org.profile
+++ b/etc/profile-m-z/openoffice.org.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for libreoffice 1# Firejail profile alias for libreoffice
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include openoffice.org.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include libreoffice.profile 10include libreoffice.profile
diff --git a/etc/profile-m-z/openshot-qt.profile b/etc/profile-m-z/openshot-qt.profile
index 2f886d2ac..c1a030556 100644
--- a/etc/profile-m-z/openshot-qt.profile
+++ b/etc/profile-m-z/openshot-qt.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for openshot 1# Firejail profile alias for openshot
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include openshot-qt.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include openshot.profile 10include openshot.profile
diff --git a/etc/profile-m-z/openshot.profile b/etc/profile-m-z/openshot.profile
index e1839c724..ac960345a 100644
--- a/etc/profile-m-z/openshot.profile
+++ b/etc/profile-m-z/openshot.profile
@@ -19,6 +19,10 @@ include disable-interpreters.inc
19include disable-passwdmgr.inc 19include disable-passwdmgr.inc
20include disable-programs.inc 20include disable-programs.inc
21 21
22whitelist /usr/share/blender
23whitelist /usr/share/inkscape
24include whitelist-runuser-common.inc
25include whitelist-usr-share-common.inc
22include whitelist-var-common.inc 26include whitelist-var-common.inc
23 27
24apparmor 28apparmor
@@ -32,11 +36,14 @@ notv
32nou2f 36nou2f
33protocol unix,inet,inet6,netlink 37protocol unix,inet,inet6,netlink
34seccomp 38seccomp
39seccomp.block-secondary
35shell none 40shell none
36tracelog 41tracelog
37 42
43private-bin blender,inkscape,openshot,openshot-qt,python3*
44private-cache
38private-dev 45private-dev
39private-tmp 46private-tmp
40 47
41dbus-user none 48dbus-user filter
42dbus-system none 49dbus-system none
diff --git a/etc/profile-m-z/pkglog.profile b/etc/profile-m-z/pkglog.profile
new file mode 100644
index 000000000..cc4f016c5
--- /dev/null
+++ b/etc/profile-m-z/pkglog.profile
@@ -0,0 +1,59 @@
1# Firejail profile for pklog
2# Description: Reports log of package updates
3# This file is overwritten after every install/update
4# Persistent local customizations
5include pkglog.local
6# Persistent global definitions
7include globals.local
8
9# Allow python (blacklisted by disable-interpreters.inc)
10include allow-python3.inc
11
12include disable-common.inc
13include disable-devel.inc
14include disable-exec.inc
15include disable-interpreters.inc
16include disable-passwdmgr.inc
17include disable-programs.inc
18include disable-xdg.inc
19
20whitelist /var/log/apt/history.log
21whitelist /var/log/dnf.rpm.log
22whitelist /var/log/pacman.log
23
24apparmor
25caps.drop all
26ipc-namespace
27machine-id
28net none
29no3d
30nodvd
31nogroups
32nonewprivs
33noroot
34nosound
35notv
36nou2f
37novideo
38seccomp
39shell none
40tracelog
41
42disable-mnt
43private
44private-bin pkglog,python*
45private-cache
46private-dev
47private-etc alternatives
48private-opt none
49private-tmp
50writable-var-log
51
52dbus-user none
53dbus-system none
54
55memory-deny-write-execute
56read-only ${HOME}
57read-only /var/log/apt/history.log
58read-only /var/log/dnf.rpm.log
59read-only /var/log/pacman.log
diff --git a/etc/profile-m-z/playonlinux.profile b/etc/profile-m-z/playonlinux.profile
index 0ebef226a..8e98905b5 100644
--- a/etc/profile-m-z/playonlinux.profile
+++ b/etc/profile-m-z/playonlinux.profile
@@ -12,9 +12,12 @@ noblacklist ${HOME}/.PlayOnLinux
12# nc is needed to run playonlinux 12# nc is needed to run playonlinux
13noblacklist ${PATH}/nc 13noblacklist ${PATH}/nc
14 14
15# Allow perl (blacklisted by disable-interpreters.inc)
16include allow-perl.inc
17
18# Allow python (blacklisted by disable-interpreters.inc)
15include allow-python2.inc 19include allow-python2.inc
16include allow-python3.inc 20include allow-python3.inc
17include allow-perl.inc
18 21
19# Redirect 22# Redirect
20include wine.profile 23include wine.profile
diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile
index 7ff59ea77..7f7ae4204 100644
--- a/etc/profile-m-z/plv.profile
+++ b/etc/profile-m-z/plv.profile
@@ -18,7 +18,7 @@ include disable-xdg.inc
18 18
19mkdir ${HOME}/.config/PacmanLogViewer 19mkdir ${HOME}/.config/PacmanLogViewer
20whitelist ${HOME}/.config/PacmanLogViewer 20whitelist ${HOME}/.config/PacmanLogViewer
21whitelist /var/log/pacman* 21whitelist /var/log/pacman.log
22include whitelist-common.inc 22include whitelist-common.inc
23include whitelist-usr-share-common.inc 23include whitelist-usr-share-common.inc
24include whitelist-runuser-common.inc 24include whitelist-runuser-common.inc
@@ -57,3 +57,4 @@ dbus-system none
57#memory-deny-write-execute - breaks opening file-chooser 57#memory-deny-write-execute - breaks opening file-chooser
58read-only ${HOME} 58read-only ${HOME}
59read-write ${HOME}/.config/PacmanLogViewer 59read-write ${HOME}/.config/PacmanLogViewer
60read-only /var/log/pacman.log
diff --git a/etc/profile-m-z/pycharm-professional.profile b/etc/profile-m-z/pycharm-professional.profile
index a14d0268b..b754a18c9 100644
--- a/etc/profile-m-z/pycharm-professional.profile
+++ b/etc/profile-m-z/pycharm-professional.profile
@@ -1,5 +1,10 @@
1# Firejail profilen alias for pycharm-professional 1# Firejail profilen alias for pycharm-professional
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include pyucharm-professional.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.PyCharm* 9noblacklist ${HOME}/.PyCharm*
5 10
diff --git a/etc/profile-m-z/pzstd.profile b/etc/profile-m-z/pzstd.profile
index ce9af3286..b0a4c6be8 100644
--- a/etc/profile-m-z/pzstd.profile
+++ b/etc/profile-m-z/pzstd.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for zstd 1# Firejail profile alias for zstd
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include pzstd.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include zstd.profile 10include zstd.profile
diff --git a/etc/profile-m-z/qnapi.profile b/etc/profile-m-z/qnapi.profile
new file mode 100644
index 000000000..0d1f9c3de
--- /dev/null
+++ b/etc/profile-m-z/qnapi.profile
@@ -0,0 +1,55 @@
1# Firejail profile for qnapi
2# Description: Qt client for downloading movie subtitles from NapiProjekt, OpenSubtitles and Napisy24
3# This file is overwritten after every install/update
4# Persistent local customizations
5include qnapi.local
6# Persistent global definitions
7include globals.local
8
9noblacklist ${HOME}/.config/qnapi.ini
10
11ignore noexec /tmp
12
13include disable-common.inc
14include disable-devel.inc
15include disable-exec.inc
16include disable-interpreters.inc
17include disable-passwdmgr.inc
18include disable-programs.inc
19include disable-shell.inc
20include disable-xdg.inc
21
22mkfile ${HOME}/.config/qnapi.ini
23whitelist ${HOME}/.config/qnapi.ini
24whitelist ${DOWNLOADS}
25include whitelist-common.inc
26include whitelist-usr-share-common.inc
27include whitelist-runuser-common.inc
28include whitelist-var-common.inc
29
30apparmor
31caps.drop all
32ipc-namespace
33netfilter
34nodvd
35nogroups
36nonewprivs
37noroot
38nosound
39notv
40nou2f
41novideo
42protocol unix,inet,inet6,netlink
43seccomp
44shell none
45tracelog
46
47private-bin 7z,qnapi
48private-cache
49private-dev
50private-etc alternatives,fonts
51private-opt none
52private-tmp
53
54dbus-user none
55dbus-system none
diff --git a/etc/profile-m-z/remmina.profile b/etc/profile-m-z/remmina.profile
index 6311c91df..d4c7bdf31 100644
--- a/etc/profile-m-z/remmina.profile
+++ b/etc/profile-m-z/remmina.profile
@@ -9,7 +9,9 @@ include globals.local
9noblacklist ${HOME}/.remmina 9noblacklist ${HOME}/.remmina
10noblacklist ${HOME}/.config/remmina 10noblacklist ${HOME}/.config/remmina
11noblacklist ${HOME}/.local/share/remmina 11noblacklist ${HOME}/.local/share/remmina
12noblacklist ${HOME}/.ssh 12
13# Allow ssh (blacklisted by disable-common.inc)
14include allow-ssh.inc
13 15
14include disable-common.inc 16include disable-common.inc
15include disable-devel.inc 17include disable-devel.inc
diff --git a/etc/profile-m-z/runenpass.sh.profile b/etc/profile-m-z/runenpass.sh.profile
index 64432c171..304bda87b 100644
--- a/etc/profile-m-z/runenpass.sh.profile
+++ b/etc/profile-m-z/runenpass.sh.profile
@@ -1,5 +1,10 @@
1# Firejail alias profile for enpass 1# Firejail alias profile for enpass
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include runenpass.sh.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include enpass.profile 10include enpass.profile
diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile
index 8bb1f53a7..065409e78 100644
--- a/etc/profile-m-z/seahorse.profile
+++ b/etc/profile-m-z/seahorse.profile
@@ -9,8 +9,9 @@ include globals.local
9blacklist /tmp/.X11-unix 9blacklist /tmp/.X11-unix
10 10
11noblacklist ${HOME}/.gnupg 11noblacklist ${HOME}/.gnupg
12noblacklist ${HOME}/.ssh 12
13noblacklist /tmp/ssh-* 13# Allow ssh (blacklisted by disable-common.inc)
14include allow-ssh.inc
14 15
15include disable-common.inc 16include disable-common.inc
16include disable-devel.inc 17include disable-devel.inc
diff --git a/etc/profile-m-z/seamonkey-bin.profile b/etc/profile-m-z/seamonkey-bin.profile
index 532294950..f9cb08432 100644
--- a/etc/profile-m-z/seamonkey-bin.profile
+++ b/etc/profile-m-z/seamonkey-bin.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for seamonkey 1# Firejail profile alias for seamonkey
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include seamonkey-bin.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include seamonkey.profile 10include seamonkey.profile
diff --git a/etc/profile-m-z/shotwell.profile b/etc/profile-m-z/shotwell.profile
new file mode 100644
index 000000000..749029530
--- /dev/null
+++ b/etc/profile-m-z/shotwell.profile
@@ -0,0 +1,60 @@
1# Firejail profile for shotwell
2# Description: A digital photo organizer designed for the GNOME desktop environment
3# This file is overwritten after every install/update
4# Persistent local customizations
5include shotwell.local
6# Persistent global definitions
7include globals.local
8
9noblacklist ${HOME}/.cache/shotwell
10noblacklist ${HOME}/.local/share/shotwell
11
12noblacklist ${PICTURES}
13include disable-common.inc
14include disable-devel.inc
15include disable-exec.inc
16include disable-interpreters.inc
17include disable-passwdmgr.inc
18include disable-programs.inc
19include disable-shell.inc
20include disable-xdg.inc
21
22mkdir ${HOME}/.cache/shotwell
23mkdir ${HOME}/.local/share/shotwell
24whitelist ${HOME}/.cache/shotwell
25whitelist ${HOME}/.local/share/shotwell
26whitelist ${PICTURES}
27include whitelist-common.inc
28include whitelist-runuser-common.inc
29include whitelist-usr-share-common.inc
30include whitelist-var-common.inc
31
32apparmor
33caps.drop all
34machine-id
35netfilter
36nodvd
37nogroups
38nonewprivs
39noroot
40nosound
41notv
42nou2f
43novideo
44protocol unix
45seccomp
46shell none
47tracelog
48
49private-bin shotwell
50private-cache
51private-dev
52private-etc alternatives,fonts,machine-id
53private-opt none
54private-tmp
55
56dbus-user filter
57dbus-user.own org.gnome.Shotwell
58dbus-user.talk ca.desrt.dconf
59dbus-user.talk org.gtk.vfs.UDisks2VolumeMonitor
60dbus-system none
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
index 08e1c1f03..666a37def 100644
--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -21,8 +21,6 @@ noblacklist ${HOME}/.mozilla
21whitelist ${HOME}/.mozilla/firefox/profiles.ini 21whitelist ${HOME}/.mozilla/firefox/profiles.ini
22read-only ${HOME}/.mozilla/firefox/profiles.ini 22read-only ${HOME}/.mozilla/firefox/profiles.ini
23 23
24include disable-exec.inc
25
26mkdir ${HOME}/.config/Signal 24mkdir ${HOME}/.config/Signal
27whitelist ${HOME}/.config/Signal 25whitelist ${HOME}/.config/Signal
28 26
diff --git a/etc/profile-m-z/smplayer.profile b/etc/profile-m-z/smplayer.profile
index 8ffc47ff6..9d6db4cdb 100644
--- a/etc/profile-m-z/smplayer.profile
+++ b/etc/profile-m-z/smplayer.profile
@@ -10,7 +10,10 @@ noblacklist ${HOME}/.config/smplayer
10noblacklist ${HOME}/.config/youtube-dl 10noblacklist ${HOME}/.config/youtube-dl
11noblacklist ${HOME}/.mplayer 11noblacklist ${HOME}/.mplayer
12 12
13# Allow lua (blacklisted by disable-interpreters.inc)
13include allow-lua.inc 14include allow-lua.inc
15
16# Allow python (blacklisted by disable-interpreters.inc)
14include allow-python2.inc 17include allow-python2.inc
15include allow-python3.inc 18include allow-python3.inc
16 19
diff --git a/etc/profile-m-z/soffice.profile b/etc/profile-m-z/soffice.profile
index 8348a57fe..f7f86c33c 100644
--- a/etc/profile-m-z/soffice.profile
+++ b/etc/profile-m-z/soffice.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for libreoffice 1# Firejail profile alias for libreoffice
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include soffice.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include libreoffice.profile 10include libreoffice.profile
diff --git a/etc/profile-m-z/spectacle.profile b/etc/profile-m-z/spectacle.profile
index ad39f1071..73d2556ac 100644
--- a/etc/profile-m-z/spectacle.profile
+++ b/etc/profile-m-z/spectacle.profile
@@ -46,6 +46,7 @@ nou2f
46novideo 46novideo
47protocol unix 47protocol unix
48seccomp 48seccomp
49seccomp.block-secondary
49shell none 50shell none
50tracelog 51tracelog
51 52
@@ -53,7 +54,7 @@ disable-mnt
53private-bin spectacle 54private-bin spectacle
54private-cache 55private-cache
55private-dev 56private-dev
56private-etc alternatives,fonts,ld.so.conf 57private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d
57private-tmp 58private-tmp
58 59
59dbus-user filter 60dbus-user filter
diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile
index 01b63d3ce..5802299a3 100644
--- a/etc/profile-m-z/ssh-agent.profile
+++ b/etc/profile-m-z/ssh-agent.profile
@@ -6,9 +6,8 @@ include ssh-agent.local
6# Persistent global definitions 6# Persistent global definitions
7include globals.local 7include globals.local
8 8
9noblacklist /etc/ssh 9# Allow ssh (blacklisted by disable-common.inc)
10noblacklist /tmp/ssh-* 10include allow-ssh.inc
11noblacklist ${HOME}/.ssh
12 11
13blacklist /tmp/.X11-unix 12blacklist /tmp/.X11-unix
14blacklist ${RUNUSER}/wayland-* 13blacklist ${RUNUSER}/wayland-*
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index d873a5672..641c3a79d 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -7,20 +7,20 @@ include ssh.local
7# Persistent global definitions 7# Persistent global definitions
8include globals.local 8include globals.local
9 9
10noblacklist /etc/ssh
11noblacklist /tmp/ssh-*
12noblacklist ${HOME}/.ssh
13# nc can be used as ProxyCommand, e.g. when using tor 10# nc can be used as ProxyCommand, e.g. when using tor
14noblacklist ${PATH}/nc 11noblacklist ${PATH}/nc
15noblacklist ${PATH}/ncat 12noblacklist ${PATH}/ncat
16 13
14# Allow ssh (blacklisted by disable-common.inc)
15include allow-ssh.inc
16
17include disable-common.inc 17include disable-common.inc
18include disable-exec.inc 18include disable-exec.inc
19include disable-passwdmgr.inc 19include disable-passwdmgr.inc
20include disable-programs.inc 20include disable-programs.inc
21 21
22whitelist ${RUNUSER}/keyring/ssh
23whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh 22whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh
23whitelist ${RUNUSER}/keyring/ssh
24include whitelist-usr-share-common.inc 24include whitelist-usr-share-common.inc
25include whitelist-runuser-common.inc 25include whitelist-runuser-common.inc
26 26
diff --git a/etc/profile-m-z/steam-native.profile b/etc/profile-m-z/steam-native.profile
index 47608ad28..6b4281c5c 100644
--- a/etc/profile-m-z/steam-native.profile
+++ b/etc/profile-m-z/steam-native.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for steam 1# Firejail profile alias for steam
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include steam-native.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include steam.profile 10include steam.profile
diff --git a/etc/profile-m-z/steam-runtime.profile b/etc/profile-m-z/steam-runtime.profile
index 47608ad28..a7e128d40 100644
--- a/etc/profile-m-z/steam-runtime.profile
+++ b/etc/profile-m-z/steam-runtime.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for steam 1# Firejail profile alias for steam
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include steam-runtime.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include steam.profile 10include steam.profile
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index 55078d993..758b37815 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -9,6 +9,7 @@ include globals.local
9noblacklist ${HOME}/.killingfloor 9noblacklist ${HOME}/.killingfloor
10noblacklist ${HOME}/.local/share/3909/PapersPlease 10noblacklist ${HOME}/.local/share/3909/PapersPlease
11noblacklist ${HOME}/.local/share/aspyr-media 11noblacklist ${HOME}/.local/share/aspyr-media
12noblacklist ${HOME}/.local/share/bohemiainteractive
12noblacklist ${HOME}/.local/share/cdprojektred 13noblacklist ${HOME}/.local/share/cdprojektred
13noblacklist ${HOME}/.local/share/FasterThanLight 14noblacklist ${HOME}/.local/share/FasterThanLight
14noblacklist ${HOME}/.local/share/feral-interactive 15noblacklist ${HOME}/.local/share/feral-interactive
@@ -45,6 +46,7 @@ mkdir ${HOME}/.config/unity3d
45mkdir ${HOME}/.killingfloor 46mkdir ${HOME}/.killingfloor
46mkdir ${HOME}/.local/share/3909/PapersPlease 47mkdir ${HOME}/.local/share/3909/PapersPlease
47mkdir ${HOME}/.local/share/aspyr-media 48mkdir ${HOME}/.local/share/aspyr-media
49mkdir ${HOME}/.local/share/bohemiainteractive
48mkdir ${HOME}/.local/share/cdprojektred 50mkdir ${HOME}/.local/share/cdprojektred
49mkdir ${HOME}/.local/share/FasterThanLight 51mkdir ${HOME}/.local/share/FasterThanLight
50mkdir ${HOME}/.local/share/feral-interactive 52mkdir ${HOME}/.local/share/feral-interactive
@@ -64,6 +66,7 @@ whitelist ${HOME}/.config/unity3d
64whitelist ${HOME}/.killingfloor 66whitelist ${HOME}/.killingfloor
65whitelist ${HOME}/.local/share/3909/PapersPlease 67whitelist ${HOME}/.local/share/3909/PapersPlease
66whitelist ${HOME}/.local/share/aspyr-media 68whitelist ${HOME}/.local/share/aspyr-media
69whitelist ${HOME}/.local/share/bohemiainteractive
67whitelist ${HOME}/.local/share/cdprojektred 70whitelist ${HOME}/.local/share/cdprojektred
68whitelist ${HOME}/.local/share/FasterThanLight 71whitelist ${HOME}/.local/share/FasterThanLight
69whitelist ${HOME}/.local/share/feral-interactive 72whitelist ${HOME}/.local/share/feral-interactive
diff --git a/etc/profile-m-z/straw-viewer.profile b/etc/profile-m-z/straw-viewer.profile
index 721ad38ee..2ae35d211 100644
--- a/etc/profile-m-z/straw-viewer.profile
+++ b/etc/profile-m-z/straw-viewer.profile
@@ -10,8 +10,13 @@ include globals.local
10noblacklist ${HOME}/.cache/straw-viewer 10noblacklist ${HOME}/.cache/straw-viewer
11noblacklist ${HOME}/.config/straw-viewer 11noblacklist ${HOME}/.config/straw-viewer
12 12
13# Allow lua (blacklisted by disable-interpreters.inc)
13include allow-lua.inc 14include allow-lua.inc
15
16# Allow perl (blacklisted by disable-interpreters.inc)
14include allow-perl.inc 17include allow-perl.inc
18
19# Allow python (blacklisted by disable-interpreters.inc)
15include allow-python2.inc 20include allow-python2.inc
16include allow-python3.inc 21include allow-python3.inc
17 22
diff --git a/etc/profile-m-z/studio.sh.profile b/etc/profile-m-z/studio.sh.profile
index 79e879f36..8df11eef2 100644
--- a/etc/profile-m-z/studio.sh.profile
+++ b/etc/profile-m-z/studio.sh.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for Android Studio 1# Firejail profile alias for Android Studio
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include studio.sh.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include android-studio.profile 10include android-studio.profile
diff --git a/etc/profile-m-z/sylpheed.profile b/etc/profile-m-z/sylpheed.profile
index 4344fe73a..50506d100 100644
--- a/etc/profile-m-z/sylpheed.profile
+++ b/etc/profile-m-z/sylpheed.profile
@@ -13,5 +13,14 @@ whitelist ${HOME}/.sylpheed-2.0
13 13
14whitelist /usr/share/sylpheed 14whitelist /usr/share/sylpheed
15 15
16# private-bin curl,gpg,gpg2,gpg-agent,gpgsm,pinentry,pinentry-gtk-2,sylpheed
17
18dbus-user filter
19dbus-user.talk ca.desrt.dconf
20dbus-user.talk org.freedesktop.secrets
21dbus-user.talk org.gnome.keyring.SystemPrompter
22# Uncomment below for notifications (or put them in your sylpheed.local)
23# dbus-user.talk org.freedesktop.Notifications
24
16# Redirect 25# Redirect
17include email-common.profile 26include email-common.profile
diff --git a/etc/profile-m-z/tar.profile b/etc/profile-m-z/tar.profile
index f6efb0feb..9d7a23d43 100644
--- a/etc/profile-m-z/tar.profile
+++ b/etc/profile-m-z/tar.profile
@@ -7,13 +7,17 @@ include tar.local
7# Persistent global definitions 7# Persistent global definitions
8include globals.local 8include globals.local
9 9
10# Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only. 10# Included in archiver-common.inc
11noblacklist /var/lib/pacman
12
13ignore include disable-shell.inc 11ignore include disable-shell.inc
14include archiver-common.inc 12
13# Arch Linux (based distributions) need access to /var/lib/pacman. As we drop
14# all capabilities this is automatically read-only.
15noblacklist /var/lib/pacman
15 16
16private-etc alternatives,group,localtime,login.defs,passwd 17private-etc alternatives,group,localtime,login.defs,passwd
17#private-lib libfakeroot,liblzma.so.*,libreadline.so.* 18#private-lib libfakeroot,liblzma.so.*,libreadline.so.*
18# Debian based distributions need this for 'dpkg --unpack' (incl. synaptic) 19# Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
19writable-var 20writable-var
21
22# Redirect
23include archiver-common.inc
diff --git a/etc/profile-m-z/telegram-desktop.profile b/etc/profile-m-z/telegram-desktop.profile
index 0cfa7114b..e0c5aee9e 100644
--- a/etc/profile-m-z/telegram-desktop.profile
+++ b/etc/profile-m-z/telegram-desktop.profile
@@ -1,6 +1,11 @@
1# Firejail profile alias for telegram 1# Firejail profile alias for telegram
2# Description: Official Telegram Desktop client 2# Description: Official Telegram Desktop client
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4# Persistent local customizations
5include tekegram-desktop.local
6# Persistent global definitions
7# added by included profile
8#include globals.local
4 9
5# Redirect 10# Redirect
6include telegram.profile 11include telegram.profile
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
index 0e7413fc9..fce7dc461 100644
--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -12,8 +12,22 @@ include disable-common.inc
12include disable-devel.inc 12include disable-devel.inc
13include disable-exec.inc 13include disable-exec.inc
14include disable-interpreters.inc 14include disable-interpreters.inc
15include disable-passwdmgr.inc
15include disable-programs.inc 16include disable-programs.inc
17include disable-shell.inc
18include disable-xdg.inc
16 19
20mkdir ${HOME}/.TelegramDesktop
21mkdir ${HOME}/.local/share/TelegramDesktop
22whitelist ${HOME}/.TelegramDesktop
23whitelist ${HOME}/.local/share/TelegramDesktop
24whitelist ${DOWNLOADS}
25include whitelist-common.inc
26include whitelist-runuser-common.inc
27include whitelist-usr-share-common.inc
28include whitelist-var-common.inc
29
30apparmor
17caps.drop all 31caps.drop all
18netfilter 32netfilter
19nodvd 33nodvd
@@ -22,8 +36,10 @@ noroot
22notv 36notv
23protocol unix,inet,inet6,netlink 37protocol unix,inet,inet6,netlink
24seccomp 38seccomp
39shell none
25 40
26disable-mnt 41disable-mnt
27private-cache 42private-cache
28private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,os-release,pki,pulse,resolv.conf,ssl,xdg 43private-dev
44private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg
29private-tmp 45private-tmp
diff --git a/etc/profile-m-z/thunar.profile b/etc/profile-m-z/thunar.profile
index 19993016a..984c5579f 100644
--- a/etc/profile-m-z/thunar.profile
+++ b/etc/profile-m-z/thunar.profile
@@ -1,6 +1,11 @@
1# Firejail profile alias for Thunar 1# Firejail profile alias for Thunar
2# Description: Modern file manager for Xfce 2# Description: Modern file manager for Xfce
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4# Persistent local customizations
5include thunar.local
6# Persistent global definitions
7# added by included profile
8#include globals.local
4 9
5# Redirect 10# Redirect
6include Thunar.profile 11include Thunar.profile
diff --git a/etc/profile-m-z/thunderbird-beta.profile b/etc/profile-m-z/thunderbird-beta.profile
index 6450e40d6..46a1e57c8 100644
--- a/etc/profile-m-z/thunderbird-beta.profile
+++ b/etc/profile-m-z/thunderbird-beta.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for thunderbird-beta 1# Firejail profile alias for thunderbird-beta
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include thunderbird-beta.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4private-opt thunderbird-beta 9private-opt thunderbird-beta
5 10
diff --git a/etc/profile-m-z/tor-browser-ar.profile b/etc/profile-m-z/tor-browser-ar.profile
index 612b2d01b..59f1bc3b1 100644
--- a/etc/profile-m-z/tor-browser-ar.profile
+++ b/etc/profile-m-z/tor-browser-ar.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser-ar.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser-ar 9noblacklist ${HOME}/.tor-browser-ar
5 10
diff --git a/etc/profile-m-z/tor-browser-ca.profile b/etc/profile-m-z/tor-browser-ca.profile
index db70a7109..68577e352 100644
--- a/etc/profile-m-z/tor-browser-ca.profile
+++ b/etc/profile-m-z/tor-browser-ca.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser-ca.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser-ca 9noblacklist ${HOME}/.tor-browser-ca
5 10
diff --git a/etc/profile-m-z/tor-browser-cs.profile b/etc/profile-m-z/tor-browser-cs.profile
index 77b271b68..33e51fcd0 100644
--- a/etc/profile-m-z/tor-browser-cs.profile
+++ b/etc/profile-m-z/tor-browser-cs.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser-cs.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser-cs 9noblacklist ${HOME}/.tor-browser-cs
5 10
diff --git a/etc/profile-m-z/tor-browser-da.profile b/etc/profile-m-z/tor-browser-da.profile
index 3b9fff9a4..440bb7fc3 100644
--- a/etc/profile-m-z/tor-browser-da.profile
+++ b/etc/profile-m-z/tor-browser-da.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser-da.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser-da 9noblacklist ${HOME}/.tor-browser-da
5 10
diff --git a/etc/profile-m-z/tor-browser-de.profile b/etc/profile-m-z/tor-browser-de.profile
index 3b4f7f94f..b2b98cf82 100644
--- a/etc/profile-m-z/tor-browser-de.profile
+++ b/etc/profile-m-z/tor-browser-de.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser-de.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser-de 9noblacklist ${HOME}/.tor-browser-de
5 10
diff --git a/etc/profile-m-z/tor-browser-el.profile b/etc/profile-m-z/tor-browser-el.profile
index b978b6042..626757dd5 100644
--- a/etc/profile-m-z/tor-browser-el.profile
+++ b/etc/profile-m-z/tor-browser-el.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser-el.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser-el 9noblacklist ${HOME}/.tor-browser-el
5 10
diff --git a/etc/profile-m-z/tor-browser-en-us.profile b/etc/profile-m-z/tor-browser-en-us.profile
index db56dda1b..15e690748 100644
--- a/etc/profile-m-z/tor-browser-en-us.profile
+++ b/etc/profile-m-z/tor-browser-en-us.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser-en-us.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser-en-us 9noblacklist ${HOME}/.tor-browser-en-us
5 10
diff --git a/etc/profile-m-z/tor-browser-en.profile b/etc/profile-m-z/tor-browser-en.profile
index ad4110c0e..ef8c1eb8b 100644
--- a/etc/profile-m-z/tor-browser-en.profile
+++ b/etc/profile-m-z/tor-browser-en.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser-en.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser-en 9noblacklist ${HOME}/.tor-browser-en
5 10
diff --git a/etc/profile-m-z/tor-browser-es-es.profile b/etc/profile-m-z/tor-browser-es-es.profile
index 1aa586658..ad734662e 100644
--- a/etc/profile-m-z/tor-browser-es-es.profile
+++ b/etc/profile-m-z/tor-browser-es-es.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser-es-es.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser-es-es 9noblacklist ${HOME}/.tor-browser-es-es
5 10
diff --git a/etc/profile-m-z/tor-browser-es.profile b/etc/profile-m-z/tor-browser-es.profile
index a386e3387..97d8d8577 100644
--- a/etc/profile-m-z/tor-browser-es.profile
+++ b/etc/profile-m-z/tor-browser-es.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser-es.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser-es 9noblacklist ${HOME}/.tor-browser-es
5 10
diff --git a/etc/profile-m-z/tor-browser-fa.profile b/etc/profile-m-z/tor-browser-fa.profile
index 7f847a7c2..095be69e4 100644
--- a/etc/profile-m-z/tor-browser-fa.profile
+++ b/etc/profile-m-z/tor-browser-fa.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser-fa.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser-fa 9noblacklist ${HOME}/.tor-browser-fa
5 10
diff --git a/etc/profile-m-z/tor-browser-fr.profile b/etc/profile-m-z/tor-browser-fr.profile
index bce470ec8..37f61fc3a 100644
--- a/etc/profile-m-z/tor-browser-fr.profile
+++ b/etc/profile-m-z/tor-browser-fr.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser-fr.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser-fr 9noblacklist ${HOME}/.tor-browser-fr
5 10
diff --git a/etc/profile-m-z/tor-browser-ga-ie.profile b/etc/profile-m-z/tor-browser-ga-ie.profile
index 994897a87..ab7141fc4 100644
--- a/etc/profile-m-z/tor-browser-ga-ie.profile
+++ b/etc/profile-m-z/tor-browser-ga-ie.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser-ga-ie.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser-ga-ie 9noblacklist ${HOME}/.tor-browser-ga-ie
5 10
diff --git a/etc/profile-m-z/tor-browser-he.profile b/etc/profile-m-z/tor-browser-he.profile
index 6367b4c0a..ae56f3b7f 100644
--- a/etc/profile-m-z/tor-browser-he.profile
+++ b/etc/profile-m-z/tor-browser-he.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser-he.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser-he 9noblacklist ${HOME}/.tor-browser-he
5 10
diff --git a/etc/profile-m-z/tor-browser-hu.profile b/etc/profile-m-z/tor-browser-hu.profile
index 68e79833e..65cd18ac8 100644
--- a/etc/profile-m-z/tor-browser-hu.profile
+++ b/etc/profile-m-z/tor-browser-hu.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser-hu.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser-hu 9noblacklist ${HOME}/.tor-browser-hu
5 10
diff --git a/etc/profile-m-z/tor-browser-id.profile b/etc/profile-m-z/tor-browser-id.profile
index 85b455ba2..57fe09f47 100644
--- a/etc/profile-m-z/tor-browser-id.profile
+++ b/etc/profile-m-z/tor-browser-id.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser-id.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser-id 9noblacklist ${HOME}/.tor-browser-id
5 10
diff --git a/etc/profile-m-z/tor-browser-is.profile b/etc/profile-m-z/tor-browser-is.profile
index 48e88db71..54f1df42d 100644
--- a/etc/profile-m-z/tor-browser-is.profile
+++ b/etc/profile-m-z/tor-browser-is.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser-is.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser-is 9noblacklist ${HOME}/.tor-browser-is
5 10
diff --git a/etc/profile-m-z/tor-browser-it.profile b/etc/profile-m-z/tor-browser-it.profile
index 3c239ca29..a7d46e875 100644
--- a/etc/profile-m-z/tor-browser-it.profile
+++ b/etc/profile-m-z/tor-browser-it.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser-it.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser-it 9noblacklist ${HOME}/.tor-browser-it
5 10
diff --git a/etc/profile-m-z/tor-browser-ja.profile b/etc/profile-m-z/tor-browser-ja.profile
index c52e0f64e..b89016141 100644
--- a/etc/profile-m-z/tor-browser-ja.profile
+++ b/etc/profile-m-z/tor-browser-ja.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser-ja.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser-ja 9noblacklist ${HOME}/.tor-browser-ja
5 10
diff --git a/etc/profile-m-z/tor-browser-ka.profile b/etc/profile-m-z/tor-browser-ka.profile
index 173b85e5c..b57cf10de 100644
--- a/etc/profile-m-z/tor-browser-ka.profile
+++ b/etc/profile-m-z/tor-browser-ka.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser-ka.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser-ka 9noblacklist ${HOME}/.tor-browser-ka
5 10
diff --git a/etc/profile-m-z/tor-browser-ko.profile b/etc/profile-m-z/tor-browser-ko.profile
index 8faa5afa1..a9bedb6fd 100644
--- a/etc/profile-m-z/tor-browser-ko.profile
+++ b/etc/profile-m-z/tor-browser-ko.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser-ko.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser-ko 9noblacklist ${HOME}/.tor-browser-ko
5 10
diff --git a/etc/profile-m-z/tor-browser-nb.profile b/etc/profile-m-z/tor-browser-nb.profile
index d1352dd80..fbe9f92bd 100644
--- a/etc/profile-m-z/tor-browser-nb.profile
+++ b/etc/profile-m-z/tor-browser-nb.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser-nb.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser-nb 9noblacklist ${HOME}/.tor-browser-nb
5 10
diff --git a/etc/profile-m-z/tor-browser-nl.profile b/etc/profile-m-z/tor-browser-nl.profile
index d4443cca2..678ac1713 100644
--- a/etc/profile-m-z/tor-browser-nl.profile
+++ b/etc/profile-m-z/tor-browser-nl.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser-nl.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser-nl 9noblacklist ${HOME}/.tor-browser-nl
5 10
diff --git a/etc/profile-m-z/tor-browser-pl.profile b/etc/profile-m-z/tor-browser-pl.profile
index 08ddd4ae7..25d473b1a 100644
--- a/etc/profile-m-z/tor-browser-pl.profile
+++ b/etc/profile-m-z/tor-browser-pl.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser-pl.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser-pl 9noblacklist ${HOME}/.tor-browser-pl
5 10
diff --git a/etc/profile-m-z/tor-browser-pt-br.profile b/etc/profile-m-z/tor-browser-pt-br.profile
index 9942a3fe8..55adbd5ea 100644
--- a/etc/profile-m-z/tor-browser-pt-br.profile
+++ b/etc/profile-m-z/tor-browser-pt-br.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser-pt-br.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser-pt-br 9noblacklist ${HOME}/.tor-browser-pt-br
5 10
diff --git a/etc/profile-m-z/tor-browser-ru.profile b/etc/profile-m-z/tor-browser-ru.profile
index 6294f8ca0..aea13be9d 100644
--- a/etc/profile-m-z/tor-browser-ru.profile
+++ b/etc/profile-m-z/tor-browser-ru.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser-ru.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser-ru 9noblacklist ${HOME}/.tor-browser-ru
5 10
diff --git a/etc/profile-m-z/tor-browser-sv-se.profile b/etc/profile-m-z/tor-browser-sv-se.profile
index c8544262f..b7882bd04 100644
--- a/etc/profile-m-z/tor-browser-sv-se.profile
+++ b/etc/profile-m-z/tor-browser-sv-se.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser-sv-se.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser-sv-se 9noblacklist ${HOME}/.tor-browser-sv-se
5 10
diff --git a/etc/profile-m-z/tor-browser-tr.profile b/etc/profile-m-z/tor-browser-tr.profile
index 2343fa8de..c52e8c4c4 100644
--- a/etc/profile-m-z/tor-browser-tr.profile
+++ b/etc/profile-m-z/tor-browser-tr.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser-tr.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser-tr 9noblacklist ${HOME}/.tor-browser-tr
5 10
diff --git a/etc/profile-m-z/tor-browser-vi.profile b/etc/profile-m-z/tor-browser-vi.profile
index 734c38698..d5bf76655 100644
--- a/etc/profile-m-z/tor-browser-vi.profile
+++ b/etc/profile-m-z/tor-browser-vi.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser-vi.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser-vi 9noblacklist ${HOME}/.tor-browser-vi
5 10
diff --git a/etc/profile-m-z/tor-browser-zh-cn.profile b/etc/profile-m-z/tor-browser-zh-cn.profile
index 21e813e45..6c8925a4a 100644
--- a/etc/profile-m-z/tor-browser-zh-cn.profile
+++ b/etc/profile-m-z/tor-browser-zh-cn.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser-zh-cn.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser-zh-cn 9noblacklist ${HOME}/.tor-browser-zh-cn
5 10
diff --git a/etc/profile-m-z/tor-browser-zh-tw.profile b/etc/profile-m-z/tor-browser-zh-tw.profile
index 6fe09c6c1..141a6701e 100644
--- a/etc/profile-m-z/tor-browser-zh-tw.profile
+++ b/etc/profile-m-z/tor-browser-zh-tw.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser-zh-tw.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser-zh-tw 9noblacklist ${HOME}/.tor-browser-zh-tw
5 10
diff --git a/etc/profile-m-z/tor-browser.profile b/etc/profile-m-z/tor-browser.profile
index 0cd84abf5..76a0e1fa5 100644
--- a/etc/profile-m-z/tor-browser.profile
+++ b/etc/profile-m-z/tor-browser.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser 9noblacklist ${HOME}/.tor-browser
5 10
diff --git a/etc/profile-m-z/tor-browser_ar.profile b/etc/profile-m-z/tor-browser_ar.profile
index 1e1f5ce35..d811b7549 100644
--- a/etc/profile-m-z/tor-browser_ar.profile
+++ b/etc/profile-m-z/tor-browser_ar.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser_ar.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser_ar 9noblacklist ${HOME}/.tor-browser_ar
5 10
diff --git a/etc/profile-m-z/tor-browser_ca.profile b/etc/profile-m-z/tor-browser_ca.profile
index e114b6051..8bf1f7cd4 100644
--- a/etc/profile-m-z/tor-browser_ca.profile
+++ b/etc/profile-m-z/tor-browser_ca.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser_ca.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser_ca 9noblacklist ${HOME}/.tor-browser_ca
5 10
diff --git a/etc/profile-m-z/tor-browser_cs.profile b/etc/profile-m-z/tor-browser_cs.profile
index 498068bc6..b41107bf1 100644
--- a/etc/profile-m-z/tor-browser_cs.profile
+++ b/etc/profile-m-z/tor-browser_cs.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser_cs.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser_cs 9noblacklist ${HOME}/.tor-browser_cs
5 10
diff --git a/etc/profile-m-z/tor-browser_da.profile b/etc/profile-m-z/tor-browser_da.profile
index 5c25c03c8..cbec4ee2e 100644
--- a/etc/profile-m-z/tor-browser_da.profile
+++ b/etc/profile-m-z/tor-browser_da.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser_da.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser_da 9noblacklist ${HOME}/.tor-browser_da
5 10
diff --git a/etc/profile-m-z/tor-browser_de.profile b/etc/profile-m-z/tor-browser_de.profile
index d530e7dbe..ea26765d3 100644
--- a/etc/profile-m-z/tor-browser_de.profile
+++ b/etc/profile-m-z/tor-browser_de.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser_de.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser_de 9noblacklist ${HOME}/.tor-browser_de
5 10
diff --git a/etc/profile-m-z/tor-browser_el.profile b/etc/profile-m-z/tor-browser_el.profile
index 67d5ab440..ff57a8722 100644
--- a/etc/profile-m-z/tor-browser_el.profile
+++ b/etc/profile-m-z/tor-browser_el.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser_el.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser_el 9noblacklist ${HOME}/.tor-browser_el
5 10
diff --git a/etc/profile-m-z/tor-browser_en-US.profile b/etc/profile-m-z/tor-browser_en-US.profile
index b298ab2b8..18c92b638 100644
--- a/etc/profile-m-z/tor-browser_en-US.profile
+++ b/etc/profile-m-z/tor-browser_en-US.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser_en-US.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser_en-US 9noblacklist ${HOME}/.tor-browser_en-US
5 10
diff --git a/etc/profile-m-z/tor-browser_en.profile b/etc/profile-m-z/tor-browser_en.profile
index 6bb0616b1..ebba83cc4 100644
--- a/etc/profile-m-z/tor-browser_en.profile
+++ b/etc/profile-m-z/tor-browser_en.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser_en.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser_en 9noblacklist ${HOME}/.tor-browser_en
5 10
diff --git a/etc/profile-m-z/tor-browser_es-ES.profile b/etc/profile-m-z/tor-browser_es-ES.profile
index 78f57ffe5..aecab38d5 100644
--- a/etc/profile-m-z/tor-browser_es-ES.profile
+++ b/etc/profile-m-z/tor-browser_es-ES.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser_es-ES.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser_es-ES 9noblacklist ${HOME}/.tor-browser_es-ES
5 10
diff --git a/etc/profile-m-z/tor-browser_es.profile b/etc/profile-m-z/tor-browser_es.profile
index ea34a07c9..e19e9b5e6 100644
--- a/etc/profile-m-z/tor-browser_es.profile
+++ b/etc/profile-m-z/tor-browser_es.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser_es.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser_es 9noblacklist ${HOME}/.tor-browser_es
5 10
diff --git a/etc/profile-m-z/tor-browser_fa.profile b/etc/profile-m-z/tor-browser_fa.profile
index fbc416ce5..68414c277 100644
--- a/etc/profile-m-z/tor-browser_fa.profile
+++ b/etc/profile-m-z/tor-browser_fa.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser_fa.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser_fa 9noblacklist ${HOME}/.tor-browser_fa
5 10
diff --git a/etc/profile-m-z/tor-browser_fr.profile b/etc/profile-m-z/tor-browser_fr.profile
index caea6db5b..0a8bb30b7 100644
--- a/etc/profile-m-z/tor-browser_fr.profile
+++ b/etc/profile-m-z/tor-browser_fr.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser_fr.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser_fr 9noblacklist ${HOME}/.tor-browser_fr
5 10
diff --git a/etc/profile-m-z/tor-browser_ga-IE.profile b/etc/profile-m-z/tor-browser_ga-IE.profile
index 6342daebf..12354b900 100644
--- a/etc/profile-m-z/tor-browser_ga-IE.profile
+++ b/etc/profile-m-z/tor-browser_ga-IE.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser_ga-IE.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser_ga-IE 9noblacklist ${HOME}/.tor-browser_ga-IE
5 10
diff --git a/etc/profile-m-z/tor-browser_he.profile b/etc/profile-m-z/tor-browser_he.profile
index cc4150620..19cbb0809 100644
--- a/etc/profile-m-z/tor-browser_he.profile
+++ b/etc/profile-m-z/tor-browser_he.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser_he.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser_he 9noblacklist ${HOME}/.tor-browser_he
5 10
diff --git a/etc/profile-m-z/tor-browser_hu.profile b/etc/profile-m-z/tor-browser_hu.profile
index 952a0b68a..62b55e170 100644
--- a/etc/profile-m-z/tor-browser_hu.profile
+++ b/etc/profile-m-z/tor-browser_hu.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser_hu.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser_hu 9noblacklist ${HOME}/.tor-browser_hu
5 10
diff --git a/etc/profile-m-z/tor-browser_id.profile b/etc/profile-m-z/tor-browser_id.profile
index a006b27c0..2970a7747 100644
--- a/etc/profile-m-z/tor-browser_id.profile
+++ b/etc/profile-m-z/tor-browser_id.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser_id.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser_id 9noblacklist ${HOME}/.tor-browser_id
5 10
diff --git a/etc/profile-m-z/tor-browser_is.profile b/etc/profile-m-z/tor-browser_is.profile
index 038e0fabb..f922c7644 100644
--- a/etc/profile-m-z/tor-browser_is.profile
+++ b/etc/profile-m-z/tor-browser_is.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser_is.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser_is 9noblacklist ${HOME}/.tor-browser_is
5 10
diff --git a/etc/profile-m-z/tor-browser_it.profile b/etc/profile-m-z/tor-browser_it.profile
index 3d2566994..406901759 100644
--- a/etc/profile-m-z/tor-browser_it.profile
+++ b/etc/profile-m-z/tor-browser_it.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser_it.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser_it 9noblacklist ${HOME}/.tor-browser_it
5 10
diff --git a/etc/profile-m-z/tor-browser_ja.profile b/etc/profile-m-z/tor-browser_ja.profile
index 08c942bcd..8f9d8d751 100644
--- a/etc/profile-m-z/tor-browser_ja.profile
+++ b/etc/profile-m-z/tor-browser_ja.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser_ja.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser_ja 9noblacklist ${HOME}/.tor-browser_ja
5 10
diff --git a/etc/profile-m-z/tor-browser_ka.profile b/etc/profile-m-z/tor-browser_ka.profile
index 97664be4d..4de4135e1 100644
--- a/etc/profile-m-z/tor-browser_ka.profile
+++ b/etc/profile-m-z/tor-browser_ka.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser_ka.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser_ka 9noblacklist ${HOME}/.tor-browser_ka
5 10
diff --git a/etc/profile-m-z/tor-browser_ko.profile b/etc/profile-m-z/tor-browser_ko.profile
index 98cf1e3e1..125c733ce 100644
--- a/etc/profile-m-z/tor-browser_ko.profile
+++ b/etc/profile-m-z/tor-browser_ko.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser_ko.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser_ko 9noblacklist ${HOME}/.tor-browser_ko
5 10
diff --git a/etc/profile-m-z/tor-browser_nb.profile b/etc/profile-m-z/tor-browser_nb.profile
index 6df840573..dc6ac876b 100644
--- a/etc/profile-m-z/tor-browser_nb.profile
+++ b/etc/profile-m-z/tor-browser_nb.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser_nb.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser_nb 9noblacklist ${HOME}/.tor-browser_nb
5 10
diff --git a/etc/profile-m-z/tor-browser_nl.profile b/etc/profile-m-z/tor-browser_nl.profile
index 3f545f888..2a3a5b519 100644
--- a/etc/profile-m-z/tor-browser_nl.profile
+++ b/etc/profile-m-z/tor-browser_nl.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser_nl.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser_nl 9noblacklist ${HOME}/.tor-browser_nl
5 10
diff --git a/etc/profile-m-z/tor-browser_pl.profile b/etc/profile-m-z/tor-browser_pl.profile
index 4e04dc027..b7dec32db 100644
--- a/etc/profile-m-z/tor-browser_pl.profile
+++ b/etc/profile-m-z/tor-browser_pl.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser_pl.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser_pl 9noblacklist ${HOME}/.tor-browser_pl
5 10
diff --git a/etc/profile-m-z/tor-browser_pt-BR.profile b/etc/profile-m-z/tor-browser_pt-BR.profile
index 7f864886c..7a7d4726c 100644
--- a/etc/profile-m-z/tor-browser_pt-BR.profile
+++ b/etc/profile-m-z/tor-browser_pt-BR.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser_pt-BR.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser_pt-BR 9noblacklist ${HOME}/.tor-browser_pt-BR
5 10
diff --git a/etc/profile-m-z/tor-browser_ru.profile b/etc/profile-m-z/tor-browser_ru.profile
index 2fae6fbe7..7d2e6bc97 100644
--- a/etc/profile-m-z/tor-browser_ru.profile
+++ b/etc/profile-m-z/tor-browser_ru.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser_ru.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser_ru 9noblacklist ${HOME}/.tor-browser_ru
5 10
diff --git a/etc/profile-m-z/tor-browser_sv-SE.profile b/etc/profile-m-z/tor-browser_sv-SE.profile
index 2157f8d2b..585925e81 100644
--- a/etc/profile-m-z/tor-browser_sv-SE.profile
+++ b/etc/profile-m-z/tor-browser_sv-SE.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser_sv-SE.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser_sv-SE 9noblacklist ${HOME}/.tor-browser_sv-SE
5 10
diff --git a/etc/profile-m-z/tor-browser_tr.profile b/etc/profile-m-z/tor-browser_tr.profile
index 20ac246ca..4b0cc3821 100644
--- a/etc/profile-m-z/tor-browser_tr.profile
+++ b/etc/profile-m-z/tor-browser_tr.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser_tr.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser_tr 9noblacklist ${HOME}/.tor-browser_tr
5 10
diff --git a/etc/profile-m-z/tor-browser_vi.profile b/etc/profile-m-z/tor-browser_vi.profile
index 4faa06ff6..4dcfbf56d 100644
--- a/etc/profile-m-z/tor-browser_vi.profile
+++ b/etc/profile-m-z/tor-browser_vi.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser_vi.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser_vi 9noblacklist ${HOME}/.tor-browser_vi
5 10
diff --git a/etc/profile-m-z/tor-browser_zh-CN.profile b/etc/profile-m-z/tor-browser_zh-CN.profile
index e4d8215e6..1e03b8d6b 100644
--- a/etc/profile-m-z/tor-browser_zh-CN.profile
+++ b/etc/profile-m-z/tor-browser_zh-CN.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser_zh-CN.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser_zh-CN 9noblacklist ${HOME}/.tor-browser_zh-CN
5 10
diff --git a/etc/profile-m-z/tor-browser_zh-TW.profile b/etc/profile-m-z/tor-browser_zh-TW.profile
index 8a28015a6..a2dcf5cf1 100644
--- a/etc/profile-m-z/tor-browser_zh-TW.profile
+++ b/etc/profile-m-z/tor-browser_zh-TW.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for torbrowser-launcher 1# Firejail profile alias for torbrowser-launcher
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include tor-browser_zh-TW.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.tor-browser_zh-TW 9noblacklist ${HOME}/.tor-browser_zh-TW
5 10
diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile
index 36495064e..90c45c7d0 100644
--- a/etc/profile-m-z/totem.profile
+++ b/etc/profile-m-z/totem.profile
@@ -6,7 +6,8 @@ include totem.local
6# Persistent global definitions 6# Persistent global definitions
7include globals.local 7include globals.local
8 8
9# Allow lua (required for youtube video) 9# Allow lua (blacklisted by disable-interpreters.inc)
10# required for youtube video
10include allow-lua.inc 11include allow-lua.inc
11 12
12# Allow python (blacklisted by disable-interpreters.inc) 13# Allow python (blacklisted by disable-interpreters.inc)
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile
index a8641af85..b82aadd13 100644
--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -57,7 +57,8 @@ private-dev
57private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg 57private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg
58private-tmp 58private-tmp
59 59
60dbus-user none 60dbus-user filter
61dbus-user.talk org.freedesktop.secrets
61dbus-system none 62dbus-system none
62 63
63read-only ${HOME}/.mozilla/firefox/profiles.ini 64read-only ${HOME}/.mozilla/firefox/profiles.ini
diff --git a/etc/profile-m-z/tshark.profile b/etc/profile-m-z/tshark.profile
index a5cefb47a..3f5a9647e 100644
--- a/etc/profile-m-z/tshark.profile
+++ b/etc/profile-m-z/tshark.profile
@@ -1,6 +1,11 @@
1# Firejail profile for tshark 1# Firejail profile for tshark
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3quiet 3quiet
4# Persistent local customizations
5include tshark.local
6# Persistent global definitions
7# added by included profile
8#include globals.local
4 9
5# Redirect 10# Redirect
6include wireshark.profile 11include wireshark.profile
diff --git a/etc/profile-m-z/tutanota-desktop.profile b/etc/profile-m-z/tutanota-desktop.profile
new file mode 100644
index 000000000..d2cb0cc8a
--- /dev/null
+++ b/etc/profile-m-z/tutanota-desktop.profile
@@ -0,0 +1,31 @@
1# Firejail profile for tutanota-desktop
2# Description: Encrypted email client
3# This file is overwritten after every install/update
4# Persistent local customizations
5include tutanota-desktop.local
6# Persistent global definitions
7include globals.local
8
9noblacklist ${HOME}/.config/tuta_integration
10noblacklist ${HOME}/.config/tutanota-desktop
11
12ignore noexec /tmp
13
14include disable-shell.inc
15
16mkdir ${HOME}/.config/tuta_integration
17mkdir ${HOME}/.config/tutanota-desktop
18whitelist ${HOME}/.config/tuta_integration
19whitelist ${HOME}/.config/tutanota-desktop
20
21# These lines are needed to allow Firefox to open links
22noblacklist ${HOME}/.mozilla
23whitelist ${HOME}/.mozilla/firefox/profiles.ini
24read-only ${HOME}/.mozilla/firefox/profiles.ini
25
26?HAS_APPIMAGE: ignore private-dev
27private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
28private-opt tutanota-desktop
29
30# Redirect
31include electron.profile
diff --git a/etc/profile-m-z/unar.profile b/etc/profile-m-z/unar.profile
new file mode 100644
index 000000000..0226a7de8
--- /dev/null
+++ b/etc/profile-m-z/unar.profile
@@ -0,0 +1,13 @@
1# Firejail profile for unar
2# This file is overwritten after every install/update
3quiet
4# Persistent local customizations
5include unar.local
6# Persistent global definitions
7# added by included profile
8#include globals.local
9
10private-bin unar
11
12# Redirect
13include ar.profile
diff --git a/etc/profile-m-z/unlzma.profile b/etc/profile-m-z/unlzma.profile
index d9c72407f..115d982e2 100644
--- a/etc/profile-m-z/unlzma.profile
+++ b/etc/profile-m-z/unlzma.profile
@@ -2,6 +2,11 @@
2# Description: Library and command line tools for XZ and LZMA compressed files 2# Description: Library and command line tools for XZ and LZMA compressed files
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4quiet 4quiet
5# Persistent local customizations
6include unlzma.local
7# Persistent global definitions
8# added by included profile
9#include globals.local
5 10
6# Redirect 11# Redirect
7include cpio.profile 12include cpio.profile
diff --git a/etc/profile-m-z/unrar.profile b/etc/profile-m-z/unrar.profile
index 9487f8e68..65f1a425a 100644
--- a/etc/profile-m-z/unrar.profile
+++ b/etc/profile-m-z/unrar.profile
@@ -7,8 +7,9 @@ include unrar.local
7# Persistent global definitions 7# Persistent global definitions
8include globals.local 8include globals.local
9 9
10include archiver-common.inc
11
12private-bin unrar 10private-bin unrar
13private-etc alternatives,group,localtime,passwd 11private-etc alternatives,group,localtime,passwd
14private-tmp 12private-tmp
13
14# Redirect
15include archiver-common.inc
diff --git a/etc/profile-m-z/unxz.profile b/etc/profile-m-z/unxz.profile
index d9c72407f..d86313028 100644
--- a/etc/profile-m-z/unxz.profile
+++ b/etc/profile-m-z/unxz.profile
@@ -2,6 +2,11 @@
2# Description: Library and command line tools for XZ and LZMA compressed files 2# Description: Library and command line tools for XZ and LZMA compressed files
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4quiet 4quiet
5# Persistent local customizations
6include unxz.local
7# Persistent global definitions
8# added by included profile
9#include globals.local
5 10
6# Redirect 11# Redirect
7include cpio.profile 12include cpio.profile
diff --git a/etc/profile-m-z/unzip.profile b/etc/profile-m-z/unzip.profile
index 8da9ea820..c94416b87 100644
--- a/etc/profile-m-z/unzip.profile
+++ b/etc/profile-m-z/unzip.profile
@@ -10,6 +10,7 @@ include globals.local
10# GNOME Shell integration (chrome-gnome-shell) 10# GNOME Shell integration (chrome-gnome-shell)
11noblacklist ${HOME}/.local/share/gnome-shell 11noblacklist ${HOME}/.local/share/gnome-shell
12 12
13include archiver-common.inc
14
15private-etc alternatives,group,localtime,passwd 13private-etc alternatives,group,localtime,passwd
14
15# Redirect
16include archiver-common.inc
diff --git a/etc/profile-m-z/unzstd.profile b/etc/profile-m-z/unzstd.profile
index ce9af3286..0294aceff 100644
--- a/etc/profile-m-z/unzstd.profile
+++ b/etc/profile-m-z/unzstd.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for zstd 1# Firejail profile alias for zstd
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include unzstd.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include zstd.profile 10include zstd.profile
diff --git a/etc/profile-m-z/vmware-view.profile b/etc/profile-m-z/vmware-view.profile
new file mode 100644
index 000000000..0117af376
--- /dev/null
+++ b/etc/profile-m-z/vmware-view.profile
@@ -0,0 +1,58 @@
1# Firejail profile for vmware-view
2# Description: VMware Horizon Client
3# This file is overwritten after every install/update
4# Persistent local customizations
5include vmware-view.local
6# Persistent global definitions
7include globals.local
8
9noblacklist ${HOME}/.vmware
10
11noblacklist /sbin
12noblacklist /usr/sbin
13
14include allow-bin-sh.inc
15
16include disable-common.inc
17include disable-devel.inc
18include disable-exec.inc
19include disable-interpreters.inc
20include disable-passwdmgr.inc
21include disable-programs.inc
22include disable-shell.inc
23include disable-xdg.inc
24
25mkdir ${HOME}/.vmware
26whitelist ${HOME}/.vmware
27include whitelist-common.inc
28include whitelist-runuser-common.inc
29include whitelist-usr-share-common.inc
30include whitelist-var-common.inc
31
32caps.drop all
33netfilter
34nodvd
35nogroups
36nonewprivs
37noroot
38notv
39nou2f
40# Comment novideo (or add 'ignore novideo' to your vmware-view.local) if you need your webcam
41novideo
42# protocol produces a lot error messages but nothing seems to be broken
43protocol unix,inet,inet6
44seccomp !iopl
45seccomp.block-secondary
46shell none
47tracelog
48
49disable-mnt
50private-cache
51private-dev
52private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gai.conf,gconf,glvnd,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,magic,magic.mgc,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,proxychains.conf,pulse,resolv.conf,rpc,services,ssl,terminfo,vmware,vmware-tools,vmware-vix,X11,xdg
53# Logs are "stored" in /tmp, comment (or add 'ignore private-tmp' to your vmware-view.local)
54# if you need them without joining the sandbox.
55private-tmp
56
57dbus-user none
58dbus-system none
diff --git a/etc/profile-m-z/vmware.profile b/etc/profile-m-z/vmware.profile
index 493c53936..d841d50b7 100644
--- a/etc/profile-m-z/vmware.profile
+++ b/etc/profile-m-z/vmware.profile
@@ -26,7 +26,7 @@ include whitelist-runuser-common.inc
26include whitelist-usr-share-common.inc 26include whitelist-usr-share-common.inc
27include whitelist-var-common.inc 27include whitelist-var-common.inc
28 28
29caps.keep chown,net_raw,sys_nice,sys_rawio 29caps.keep chown,net_raw,sys_nice
30netfilter 30netfilter
31nogroups 31nogroups
32notv 32notv
@@ -34,6 +34,7 @@ shell none
34tracelog 34tracelog
35 35
36#disable-mnt 36#disable-mnt
37#private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix 37#private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-*
38private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
38dbus-user none 39dbus-user none
39dbus-system none 40dbus-system none
diff --git a/etc/profile-m-z/vscodium.profile b/etc/profile-m-z/vscodium.profile
index b4728fb72..a4a4fb7d8 100644
--- a/etc/profile-m-z/vscodium.profile
+++ b/etc/profile-m-z/vscodium.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for Visual Studio Code 1# Firejail profile alias for Visual Studio Code
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include vscodium.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist ${HOME}/.VSCodium 9noblacklist ${HOME}/.VSCodium
5 10
diff --git a/etc/profile-m-z/vulturesclaw.profile b/etc/profile-m-z/vulturesclaw.profile
index 2e9078a7b..fa6ddf1fb 100644
--- a/etc/profile-m-z/vulturesclaw.profile
+++ b/etc/profile-m-z/vulturesclaw.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for nethack-vultures 1# Firejail profile alias for nethack-vultures
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include vulturesclaw.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist /var/games/vulturesclaw 9noblacklist /var/games/vulturesclaw
5whitelist /var/games/vulturesclaw 10whitelist /var/games/vulturesclaw
diff --git a/etc/profile-m-z/vultureseye.profile b/etc/profile-m-z/vultureseye.profile
index 44c263cfc..49d3fa94f 100644
--- a/etc/profile-m-z/vultureseye.profile
+++ b/etc/profile-m-z/vultureseye.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for nethack-vultures 1# Firejail profile alias for nethack-vultures
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include vultureseye.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4noblacklist /var/games/vultureseye 9noblacklist /var/games/vultureseye
5whitelist /var/games/vultureseye 10whitelist /var/games/vultureseye
diff --git a/etc/profile-m-z/warzone2100.profile b/etc/profile-m-z/warzone2100.profile
index 369c9cc1d..06a7c3412 100644
--- a/etc/profile-m-z/warzone2100.profile
+++ b/etc/profile-m-z/warzone2100.profile
@@ -16,8 +16,8 @@ include disable-passwdmgr.inc
16include disable-programs.inc 16include disable-programs.inc
17include disable-shell.inc 17include disable-shell.inc
18 18
19# mkdir ${HOME}/.warzone2100-3.1 19mkdir ${HOME}/.warzone2100-3.1
20# mkdir ${HOME}/.warzone2100-3.2 20mkdir ${HOME}/.warzone2100-3.2
21whitelist ${HOME}/.warzone2100-3.1 21whitelist ${HOME}/.warzone2100-3.1
22whitelist ${HOME}/.warzone2100-3.2 22whitelist ${HOME}/.warzone2100-3.2
23whitelist /usr/share/games 23whitelist /usr/share/games
diff --git a/etc/profile-m-z/webstorm.profile b/etc/profile-m-z/webstorm.profile
index fc4e8e571..a4adf2896 100644
--- a/etc/profile-m-z/webstorm.profile
+++ b/etc/profile-m-z/webstorm.profile
@@ -8,12 +8,14 @@ include globals.local
8noblacklist ${HOME}/.WebStorm* 8noblacklist ${HOME}/.WebStorm*
9noblacklist ${HOME}/.android 9noblacklist ${HOME}/.android
10noblacklist ${HOME}/.local/share/JetBrains 10noblacklist ${HOME}/.local/share/JetBrains
11noblacklist ${HOME}/.ssh
12noblacklist ${HOME}/.tooling 11noblacklist ${HOME}/.tooling
13 12
14# Allows files commonly used by IDEs 13# Allows files commonly used by IDEs
15include allow-common-devel.inc 14include allow-common-devel.inc
16 15
16# Allow ssh (blacklisted by disable-common.inc)
17include allow-ssh.inc
18
17noblacklist ${PATH}/node 19noblacklist ${PATH}/node
18noblacklist ${HOME}/.nvm 20noblacklist ${HOME}/.nvm
19 21
diff --git a/etc/profile-m-z/weechat-curses.profile b/etc/profile-m-z/weechat-curses.profile
index 4719b9788..92c968fb6 100644
--- a/etc/profile-m-z/weechat-curses.profile
+++ b/etc/profile-m-z/weechat-curses.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for weechat 1# Firejail profile alias for weechat
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include weechat-curses.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include weechat.profile 10include weechat.profile
diff --git a/etc/profile-m-z/wireshark-gtk.profile b/etc/profile-m-z/wireshark-gtk.profile
index 3e2e1807e..4d54e986e 100644
--- a/etc/profile-m-z/wireshark-gtk.profile
+++ b/etc/profile-m-z/wireshark-gtk.profile
@@ -1,6 +1,11 @@
1# Firejail profile alias for wireshark 1# Firejail profile alias for wireshark
2# Description: Network protocol analyzer 2# Description: Network protocol analyzer
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4# Persistent local customizations
5include wireshark-gtk.local
6# Persistent global definitions
7# added by included profile
8#include globals.local
4 9
5# Redirect 10# Redirect
6include wireshark.profile 11include wireshark.profile
diff --git a/etc/profile-m-z/wireshark-qt.profile b/etc/profile-m-z/wireshark-qt.profile
index 3e2e1807e..4e0694f95 100644
--- a/etc/profile-m-z/wireshark-qt.profile
+++ b/etc/profile-m-z/wireshark-qt.profile
@@ -1,6 +1,11 @@
1# Firejail profile alias for wireshark 1# Firejail profile alias for wireshark
2# Description: Network protocol analyzer 2# Description: Network protocol analyzer
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4# Persistent local customizations
5include wireshark-qt.local
6# Persistent global definitions
7# added by included profile
8#include globals.local
4 9
5# Redirect 10# Redirect
6include wireshark.profile 11include wireshark.profile
diff --git a/etc/profile-m-z/x2goclient.profile b/etc/profile-m-z/x2goclient.profile
index bc9603835..6146016b2 100644
--- a/etc/profile-m-z/x2goclient.profile
+++ b/etc/profile-m-z/x2goclient.profile
@@ -6,10 +6,12 @@ include x2goclient.local
6# Persistent global definitions 6# Persistent global definitions
7include globals.local 7include globals.local
8 8
9noblacklist ${HOME}/.ssh
10noblacklist ${HOME}/.x2go 9noblacklist ${HOME}/.x2go
11noblacklist ${HOME}/.x2goclient 10noblacklist ${HOME}/.x2goclient
12 11
12# Allow ssh (blacklisted by disable-common.inc)
13include allow-ssh.inc
14
13include disable-common.inc 15include disable-common.inc
14include disable-devel.inc 16include disable-devel.inc
15include disable-exec.inc 17include disable-exec.inc
diff --git a/etc/profile-m-z/xonotic-glx.profile b/etc/profile-m-z/xonotic-glx.profile
index abb91e1ec..f1766fcf4 100644
--- a/etc/profile-m-z/xonotic-glx.profile
+++ b/etc/profile-m-z/xonotic-glx.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for xonotic 1# Firejail profile alias for xonotic
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include xonotic-glx.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include xonotic.profile 10include xonotic.profile
diff --git a/etc/profile-m-z/xonotic-sdl.profile b/etc/profile-m-z/xonotic-sdl.profile
index abb91e1ec..4b680edb1 100644
--- a/etc/profile-m-z/xonotic-sdl.profile
+++ b/etc/profile-m-z/xonotic-sdl.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for xonotic 1# Firejail profile alias for xonotic
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include xonotic-sdl.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include xonotic.profile 10include xonotic.profile
diff --git a/etc/profile-m-z/xz.profile b/etc/profile-m-z/xz.profile
index d9c72407f..7d6be2f49 100644
--- a/etc/profile-m-z/xz.profile
+++ b/etc/profile-m-z/xz.profile
@@ -2,6 +2,11 @@
2# Description: Library and command line tools for XZ and LZMA compressed files 2# Description: Library and command line tools for XZ and LZMA compressed files
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4quiet 4quiet
5# Persistent local customizations
6include xz.local
7# Persistent global definitions
8# added by included profile
9#include globals.local
5 10
6# Redirect 11# Redirect
7include cpio.profile 12include cpio.profile
diff --git a/etc/profile-m-z/xzcat.profile b/etc/profile-m-z/xzcat.profile
index d9c72407f..8ba77eece 100644
--- a/etc/profile-m-z/xzcat.profile
+++ b/etc/profile-m-z/xzcat.profile
@@ -2,6 +2,11 @@
2# Description: Library and command line tools for XZ and LZMA compressed files 2# Description: Library and command line tools for XZ and LZMA compressed files
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4quiet 4quiet
5# Persistent local customizations
6include xzcat.local
7# Persistent global definitions
8# added by included profile
9#include globals.local
5 10
6# Redirect 11# Redirect
7include cpio.profile 12include cpio.profile
diff --git a/etc/profile-m-z/xzcmp.profile b/etc/profile-m-z/xzcmp.profile
index d9c72407f..9626048ba 100644
--- a/etc/profile-m-z/xzcmp.profile
+++ b/etc/profile-m-z/xzcmp.profile
@@ -2,6 +2,11 @@
2# Description: Library and command line tools for XZ and LZMA compressed files 2# Description: Library and command line tools for XZ and LZMA compressed files
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4quiet 4quiet
5# Persistent local customizations
6include xzcmp.local
7# Persistent global definitions
8# added by included profile
9#include globals.local
5 10
6# Redirect 11# Redirect
7include cpio.profile 12include cpio.profile
diff --git a/etc/profile-m-z/xzdec.profile b/etc/profile-m-z/xzdec.profile
index 082392a08..c5e8d1631 100644
--- a/etc/profile-m-z/xzdec.profile
+++ b/etc/profile-m-z/xzdec.profile
@@ -7,4 +7,5 @@ include xzdec.local
7# Persistent global definitions 7# Persistent global definitions
8include globals.local 8include globals.local
9 9
10# Redirect
10include archiver-common.inc 11include archiver-common.inc
diff --git a/etc/profile-m-z/xzdiff.profile b/etc/profile-m-z/xzdiff.profile
index d9c72407f..825fa9180 100644
--- a/etc/profile-m-z/xzdiff.profile
+++ b/etc/profile-m-z/xzdiff.profile
@@ -2,6 +2,11 @@
2# Description: Library and command line tools for XZ and LZMA compressed files 2# Description: Library and command line tools for XZ and LZMA compressed files
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4quiet 4quiet
5# Persistent local customizations
6include xzdiff.local
7# Persistent global definitions
8# added by included profile
9#include globals.local
5 10
6# Redirect 11# Redirect
7include cpio.profile 12include cpio.profile
diff --git a/etc/profile-m-z/xzegrep.profile b/etc/profile-m-z/xzegrep.profile
index d9c72407f..8d50a3bc6 100644
--- a/etc/profile-m-z/xzegrep.profile
+++ b/etc/profile-m-z/xzegrep.profile
@@ -2,6 +2,11 @@
2# Description: Library and command line tools for XZ and LZMA compressed files 2# Description: Library and command line tools for XZ and LZMA compressed files
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4quiet 4quiet
5# Persistent local customizations
6include xzegrep.local
7# Persistent global definitions
8# added by included profile
9#include globals.local
5 10
6# Redirect 11# Redirect
7include cpio.profile 12include cpio.profile
diff --git a/etc/profile-m-z/xzfgrep.profile b/etc/profile-m-z/xzfgrep.profile
index d9c72407f..a8aac86b7 100644
--- a/etc/profile-m-z/xzfgrep.profile
+++ b/etc/profile-m-z/xzfgrep.profile
@@ -2,6 +2,11 @@
2# Description: Library and command line tools for XZ and LZMA compressed files 2# Description: Library and command line tools for XZ and LZMA compressed files
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4quiet 4quiet
5# Persistent local customizations
6include xzfgrep.local
7# Persistent global definitions
8# added by included profile
9#include globals.local
5 10
6# Redirect 11# Redirect
7include cpio.profile 12include cpio.profile
diff --git a/etc/profile-m-z/xzgrep.profile b/etc/profile-m-z/xzgrep.profile
index f7410b928..ac4cc81c4 100644
--- a/etc/profile-m-z/xzgrep.profile
+++ b/etc/profile-m-z/xzgrep.profile
@@ -1,6 +1,11 @@
1# Firejail profile alias for cpio 1# Firejail profile alias for cpio
2# Description: Library and command line tools for XZ and LZMA compressed files 2# Description: Library and command line tools for XZ and LZMA compressed files
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4# Persistent local customizations
5include xzgrep.local
6# Persistent global definitions
7# added by included profile
8#include globals.local
4 9
5# Redirect 10# Redirect
6include cpio.profile 11include cpio.profile
diff --git a/etc/profile-m-z/xzless.profile b/etc/profile-m-z/xzless.profile
index f7410b928..f17c5e1f6 100644
--- a/etc/profile-m-z/xzless.profile
+++ b/etc/profile-m-z/xzless.profile
@@ -1,6 +1,11 @@
1# Firejail profile alias for cpio 1# Firejail profile alias for cpio
2# Description: Library and command line tools for XZ and LZMA compressed files 2# Description: Library and command line tools for XZ and LZMA compressed files
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4# Persistent local customizations
5include xzless.local
6# Persistent global definitions
7# added by included profile
8#include globals.local
4 9
5# Redirect 10# Redirect
6include cpio.profile 11include cpio.profile
diff --git a/etc/profile-m-z/xzmore.profile b/etc/profile-m-z/xzmore.profile
index d9c72407f..ef4106f66 100644
--- a/etc/profile-m-z/xzmore.profile
+++ b/etc/profile-m-z/xzmore.profile
@@ -2,6 +2,11 @@
2# Description: Library and command line tools for XZ and LZMA compressed files 2# Description: Library and command line tools for XZ and LZMA compressed files
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4quiet 4quiet
5# Persistent local customizations
6include xzmore.local
7# Persistent global definitions
8# added by included profile
9#include globals.local
5 10
6# Redirect 11# Redirect
7include cpio.profile 12include cpio.profile
diff --git a/etc/profile-m-z/yarn.profile b/etc/profile-m-z/yarn.profile
new file mode 100644
index 000000000..f20225050
--- /dev/null
+++ b/etc/profile-m-z/yarn.profile
@@ -0,0 +1,29 @@
1# Firejail profile for yarn
2# Description: Fast, reliable, and secure dependency management
3quiet
4# Persistent local customizations
5include yarn.local
6# Persistent global definitions
7include globals.local
8
9ignore read-only ${HOME}/.yarnrc
10
11noblacklist ${HOME}/.yarn
12noblacklist ${HOME}/.yarn-config
13noblacklist ${HOME}/.yarncache
14noblacklist ${HOME}/.yarnrc
15
16# If you want whitelisting, change ${HOME}/Projects below to your yarn projects directory and uncomment the lines below.
17#mkdir ${HOME}/.yarn
18#mkdir ${HOME}/.yarn-config
19#mkdir ${HOME}/.yarncache
20#mkfile ${HOME}/.yarnrc
21#whitelist ${HOME}/.yarn
22#whitelist ${HOME}/.yarn-config
23#whitelist ${HOME}/.yarncache
24#whitelist ${HOME}/.yarnrc
25#whitelist ${HOME}/Projects
26#include whitelist-common.inc
27
28# Redirect
29include nodejs-common.profile
diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile
index a3a2afa29..e8fe4a360 100644
--- a/etc/profile-m-z/youtube-viewer.profile
+++ b/etc/profile-m-z/youtube-viewer.profile
@@ -9,7 +9,10 @@ include globals.local
9 9
10noblacklist ${HOME}/.config/youtube-viewer 10noblacklist ${HOME}/.config/youtube-viewer
11 11
12# Allow perl (blacklisted by disable-interpreters.inc)
12include allow-perl.inc 13include allow-perl.inc
14
15# Allow python (blacklisted by disable-interpreters.inc)
13include allow-python2.inc 16include allow-python2.inc
14include allow-python3.inc 17include allow-python3.inc
15 18
diff --git a/etc/profile-m-z/zstd.profile b/etc/profile-m-z/zstd.profile
index 42749ba6d..07a75f97f 100644
--- a/etc/profile-m-z/zstd.profile
+++ b/etc/profile-m-z/zstd.profile
@@ -7,4 +7,5 @@ include zstd.local
7# Persistent global definitions 7# Persistent global definitions
8include globals.local 8include globals.local
9 9
10# Redirect
10include archiver-common.inc 11include archiver-common.inc
diff --git a/etc/profile-m-z/zstdcat.profile b/etc/profile-m-z/zstdcat.profile
index ce9af3286..df4c493fd 100644
--- a/etc/profile-m-z/zstdcat.profile
+++ b/etc/profile-m-z/zstdcat.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for zstd 1# Firejail profile alias for zstd
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include zstdcat.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include zstd.profile 10include zstd.profile
diff --git a/etc/profile-m-z/zstdgrep.profile b/etc/profile-m-z/zstdgrep.profile
index ce9af3286..8a2683119 100644
--- a/etc/profile-m-z/zstdgrep.profile
+++ b/etc/profile-m-z/zstdgrep.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for zstd 1# Firejail profile alias for zstd
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include zstdgrep.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include zstd.profile 10include zstd.profile
diff --git a/etc/profile-m-z/zstdless.profile b/etc/profile-m-z/zstdless.profile
index ce9af3286..e5821e4c5 100644
--- a/etc/profile-m-z/zstdless.profile
+++ b/etc/profile-m-z/zstdless.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for zstd 1# Firejail profile alias for zstd
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include zstdless.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include zstd.profile 10include zstd.profile
diff --git a/etc/profile-m-z/zstdmt.profile b/etc/profile-m-z/zstdmt.profile
index ce9af3286..0a43fd556 100644
--- a/etc/profile-m-z/zstdmt.profile
+++ b/etc/profile-m-z/zstdmt.profile
@@ -1,5 +1,10 @@
1# Firejail profile alias for zstd 1# Firejail profile alias for zstd
2# This file is overwritten after every install/update 2# This file is overwritten after every install/update
3# Persistent local customizations
4include zstdmt.local
5# Persistent global definitions
6# added by included profile
7#include globals.local
3 8
4# Redirect 9# Redirect
5include zstd.profile 10include zstd.profile
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 3d37fc827..9e9fc3fe9 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -103,6 +103,9 @@ include globals.local
103# Allows files commonly used by IDEs 103# Allows files commonly used by IDEs
104#include allow-common-devel.inc 104#include allow-common-devel.inc
105 105
106# Allow ssh (blacklisted by disable-common.inc)
107#include allow-ssh.inc
108
106#include disable-common.inc 109#include disable-common.inc
107#include disable-devel.inc 110#include disable-devel.inc
108#include disable-exec.inc 111#include disable-exec.inc
@@ -158,6 +161,7 @@ include globals.local
158##seccomp !chroot 161##seccomp !chroot
159##seccomp.drop SYSCALLS (see syscalls.txt) 162##seccomp.drop SYSCALLS (see syscalls.txt)
160#seccomp.block-secondary 163#seccomp.block-secondary
164##seccomp-error-action log (Only for debugging seccomp issues)
161#shell none 165#shell none
162#tracelog 166#tracelog
163# Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set 167# Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index c454887dd..0775f60ff 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -35,8 +35,8 @@ Definition of groups
35@debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext 35@debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
36@default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup 36@default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup
37@default-nodebuggers=@default,ptrace,personality,process_vm_readv 37@default-nodebuggers=@default,ptrace,personality,process_vm_readv
38@default-keep=execve,prctl 38@default-keep=execveat,execve,prctl
39@file-system=access,chdir,chmod,close,creat,faccessat,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes 39@file-system=access,chdir,chmod,close,creat,faccessat,faccessat2,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes
40@io-event=_newselect,epoll_create,epoll_create1,epoll_ctl,epoll_ctl_old,epoll_pwait,epoll_wait,epoll_wait_old,eventfd,eventfd2,poll,ppoll,pselect6,select 40@io-event=_newselect,epoll_create,epoll_create1,epoll_ctl,epoll_ctl_old,epoll_pwait,epoll_wait,epoll_wait_old,eventfd,eventfd2,poll,ppoll,pselect6,select
41@ipc=ipc,memfd_create,mq_getsetattr,mq_notify,mq_open,mq_timedreceive,mq_timedsend,mq_unlink,msgctl,msgget,msgrcv,msgsnd,pipe,pipe2,process_vm_readv,process_vm_writev,semctl,semget,semop,semtimedop,shmat,shmctl,shmdt,shmget 41@ipc=ipc,memfd_create,mq_getsetattr,mq_notify,mq_open,mq_timedreceive,mq_timedsend,mq_unlink,msgctl,msgget,msgrcv,msgsnd,pipe,pipe2,process_vm_readv,process_vm_writev,semctl,semget,semop,semtimedop,shmat,shmctl,shmdt,shmget
42@keyring=add_key,keyctl,request_key 42@keyring=add_key,keyctl,request_key
diff --git a/mkasc.sh b/mkasc.sh
index 872127dda..32f874bd6 100755
--- a/mkasc.sh
+++ b/mkasc.sh
@@ -3,7 +3,7 @@
3# Copyright (C) 2014-2020 Firejail Authors 3# Copyright (C) 2014-2020 Firejail Authors
4# License GPL v2 4# License GPL v2
5 5
6echo "Calculationg SHA256 for all files in /transfer - firejail version $1" 6echo "Calculating SHA256 for all files in /transfer - firejail version $1"
7 7
8cd /transfer 8cd /transfer
9sha256sum * > firejail-$1-unsigned 9sha256sum * > firejail-$1-unsigned
diff --git a/mkdeb.sh.in b/mkdeb.sh.in
index a19dee620..5b68175fd 100755
--- a/mkdeb.sh.in
+++ b/mkdeb.sh.in
@@ -64,7 +64,7 @@ chmod 644 $DEBIAN_CTRL_DIR/conffiles
64find $INSTALL_DIR -type d | xargs chmod 755 64find $INSTALL_DIR -type d | xargs chmod 755
65cd $CODE_DIR 65cd $CODE_DIR
66fakeroot dpkg-deb --build debian 66fakeroot dpkg-deb --build debian
67lintian debian.deb 67lintian --no-tag-display-limit debian.deb
68mv debian.deb ../firejail_${VERSION}${EXTRA_VERSION}_1_$(dpkg-architecture -qDEB_HOST_ARCH).deb 68mv debian.deb ../firejail_${VERSION}${EXTRA_VERSION}_1_$(dpkg-architecture -qDEB_HOST_ARCH).deb
69cd .. 69cd ..
70rm -fr $CODE_DIR 70rm -fr $CODE_DIR
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c
index 1b8231033..0bc4a0ee2 100644
--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -217,6 +217,10 @@ void build_share(const char *fname, FILE *fp) {
217//******************************************* 217//*******************************************
218static FileDB *tmp_out = NULL; 218static FileDB *tmp_out = NULL;
219static void tmp_callback(char *ptr) { 219static void tmp_callback(char *ptr) {
220 // skip strace file
221 if (strncmp(ptr, "/tmp/firejail-strace", 20) == 0)
222 return;
223
220 tmp_out = filedb_add(tmp_out, ptr); 224 tmp_out = filedb_add(tmp_out, ptr);
221} 225}
222 226
diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c
index fca3396c4..c0f4a3407 100644
--- a/src/fbuilder/build_home.c
+++ b/src/fbuilder/build_home.c
@@ -24,7 +24,7 @@ static FileDB *db_skip = NULL;
24static FileDB *db_out = NULL; 24static FileDB *db_out = NULL;
25 25
26static void load_whitelist_common(void) { 26static void load_whitelist_common(void) {
27 FILE *fp = fopen("/etc/firejail/whitelist-common.inc", "r"); 27 FILE *fp = fopen(SYSCONFDIR "/whitelist-common.inc", "r");
28 if (!fp) { 28 if (!fp) {
29 fprintf(stderr, "Error: cannot open whitelist-common.inc\n"); 29 fprintf(stderr, "Error: cannot open whitelist-common.inc\n");
30 exit(1); 30 exit(1);
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index adc00e67b..09f41a838 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -80,10 +80,19 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
80 stroutput, 80 stroutput,
81 }; 81 };
82 82
83 // detect strace 83 // detect strace and check if Yama LSM allows us to use it
84 int have_strace = 0; 84 int have_strace = 0;
85 if (access("/usr/bin/strace", X_OK) == 0) 85 int have_yama_permission = 1;
86 if (access("/usr/bin/strace", X_OK) == 0) {
86 have_strace = 1; 87 have_strace = 1;
88 FILE *ps = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
89 if (ps) {
90 unsigned val;
91 if (fscanf(ps, "%u", &val) == 1)
92 have_yama_permission = (val < 2);
93 fclose(ps);
94 }
95 }
87 96
88 // calculate command length 97 // calculate command length
89 unsigned len = (int) sizeof(cmdlist) / sizeof(char*) + argc - index + 1; 98 unsigned len = (int) sizeof(cmdlist) / sizeof(char*) + argc - index + 1;
@@ -93,10 +102,11 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
93 cmd[0] = cmdlist[0]; // explicit assignment to clean scan-build error 102 cmd[0] = cmdlist[0]; // explicit assignment to clean scan-build error
94 103
95 // build command 104 // build command
105 // skip strace if not installed, or no permission to use it
106 int skip_strace = !(have_strace && have_yama_permission);
96 unsigned i = 0; 107 unsigned i = 0;
97 for (i = 0; i < (int) sizeof(cmdlist) / sizeof(char*); i++) { 108 for (i = 0; i < (int) sizeof(cmdlist) / sizeof(char*); i++) {
98 // skip strace if not installed 109 if (skip_strace && strcmp(cmdlist[i], "/usr/bin/strace") == 0)
99 if (have_strace == 0 && strcmp(cmdlist[i], "/usr/bin/strace") == 0)
100 break; 110 break;
101 cmd[i] = cmdlist[i]; 111 cmd[i] = cmdlist[i];
102 } 112 }
@@ -172,12 +182,14 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
172 fprintf(fp, "caps.drop all\n"); 182 fprintf(fp, "caps.drop all\n");
173 fprintf(fp, "nonewprivs\n"); 183 fprintf(fp, "nonewprivs\n");
174 fprintf(fp, "seccomp\n"); 184 fprintf(fp, "seccomp\n");
175 if (have_strace) 185 if (!have_strace) {
176 build_seccomp(strace_output, fp);
177 else {
178 fprintf(fp, "# If you install strace on your system, Firejail will also create a\n"); 186 fprintf(fp, "# If you install strace on your system, Firejail will also create a\n");
179 fprintf(fp, "# whitelisted seccomp filter.\n"); 187 fprintf(fp, "# whitelisted seccomp filter.\n");
180 } 188 }
189 else if (!have_yama_permission)
190 fprintf(fp, "# Yama security module prevents creation of a whitelisted seccomp filter\n");
191 else
192 build_seccomp(strace_output, fp);
181 fprintf(fp, "\n"); 193 fprintf(fp, "\n");
182 194
183 fprintf(fp, "### network\n"); 195 fprintf(fp, "### network\n");
diff --git a/src/fcopy/Makefile.in b/src/fcopy/Makefile.in
index 64e277e2d..85f84aa32 100644
--- a/src/fcopy/Makefile.in
+++ b/src/fcopy/Makefile.in
@@ -5,8 +5,8 @@ include ../common.mk
5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
7 7
8fcopy: $(OBJS) 8fcopy: $(OBJS) ../lib/common.o
9 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
10 10
11clean:; rm -fr *.o fcopy *.gcov *.gcda *.gcno *.plist 11clean:; rm -fr *.o fcopy *.gcov *.gcda *.gcno *.plist
12 12
diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index 67237b4ea..e65501d6d 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -23,7 +23,6 @@
23#include <ftw.h> 23#include <ftw.h>
24#include <errno.h> 24#include <errno.h>
25#include <pwd.h> 25#include <pwd.h>
26#include <sys/prctl.h>
27 26
28#if HAVE_SELINUX 27#if HAVE_SELINUX
29#include <sys/stat.h> 28#include <sys/stat.h>
@@ -112,7 +111,7 @@ static void copy_file(const char *srcname, const char *destname, mode_t mode, ui
112 } 111 }
113 112
114 // open destination 113 // open destination
115 int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, 0755); 114 int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR);
116 if (dst < 0) { 115 if (dst < 0) {
117 if (!arg_quiet) 116 if (!arg_quiet)
118 fprintf(stderr, "Warning fcopy: cannot open %s, file not copied\n", destname); 117 fprintf(stderr, "Warning fcopy: cannot open %s, file not copied\n", destname);
@@ -133,7 +132,8 @@ static void copy_file(const char *srcname, const char *destname, mode_t mode, ui
133 done += rv; 132 done += rv;
134 } 133 }
135 } 134 }
136 fflush(0); 135 if (len < 0)
136 goto errexit;
137 137
138 if (fchown(dst, uid, gid) == -1) 138 if (fchown(dst, uid, gid) == -1)
139 goto errexit; 139 goto errexit;
@@ -180,7 +180,7 @@ void copy_link(const char *target, const char *linkpath, mode_t mode, uid_t uid,
180 180
181 // if the link is already there, don't create it 181 // if the link is already there, don't create it
182 struct stat s; 182 struct stat s;
183 if (stat(linkpath, &s) == 0) 183 if (lstat(linkpath, &s) == 0)
184 return; 184 return;
185 185
186 char *rp = realpath(target, NULL); 186 char *rp = realpath(target, NULL);
@@ -412,30 +412,21 @@ int main(int argc, char **argv) {
412 exit(1); 412 exit(1);
413 } 413 }
414 414
415#ifdef WARN_DUMPABLE 415 warn_dumpable();
416 if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())
417 fprintf(stderr, "Error fcopy: I am dumpable\n");
418#endif
419
420 // trim trailing chars
421 if (src[strlen(src) - 1] == '/')
422 src[strlen(src) - 1] = '\0';
423 if (dest[strlen(dest) - 1] == '/')
424 dest[strlen(dest) - 1] = '\0';
425 416
426 // check the two files; remove ending / 417 // check the two files; remove ending /
427 int len = strlen(src); 418 size_t len = strlen(src);
428 if (src[len - 1] == '/') 419 while (len > 1 && src[len - 1] == '/')
429 src[len - 1] = '\0'; 420 src[--len] = '\0';
430 if (strcspn(src, "\\*&!?\"'<>%^(){}[];,") != (size_t)len) { 421 if (strcspn(src, "\\*&!?\"'<>%^(){}[];,") != len) {
431 fprintf(stderr, "Error fcopy: invalid source file name %s\n", src); 422 fprintf(stderr, "Error fcopy: invalid source file name %s\n", src);
432 exit(1); 423 exit(1);
433 } 424 }
434 425
435 len = strlen(dest); 426 len = strlen(dest);
436 if (dest[len - 1] == '/') 427 while (len > 1 && dest[len - 1] == '/')
437 dest[len - 1] = '\0'; 428 dest[--len] = '\0';
438 if (strcspn(dest, "\\*&!?\"'<>%^(){}[];,~") != (size_t)len) { 429 if (strcspn(dest, "\\*&!?\"'<>%^(){}[];,~") != len) {
439 fprintf(stderr, "Error fcopy: invalid dest file name %s\n", dest); 430 fprintf(stderr, "Error fcopy: invalid dest file name %s\n", dest);
440 exit(1); 431 exit(1);
441 } 432 }
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 23b1e364a..d056d0654 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -69,6 +69,7 @@ autokey-gtk
69autokey-qt 69autokey-qt
70autokey-run 70autokey-run
71autokey-shell 71autokey-shell
72avidemux3_qt5
72aweather 73aweather
73baloo_file 74baloo_file
74baloo_filemetadata_temp_extractor 75baloo_filemetadata_temp_extractor
@@ -106,6 +107,7 @@ calligra
106calligraauthor 107calligraauthor
107calligraconverter 108calligraconverter
108calligraflow 109calligraflow
110calligragemini
109calligraplan 111calligraplan
110calligraplanwork 112calligraplanwork
111calligrasheets 113calligrasheets
@@ -149,6 +151,7 @@ conkeror
149conky 151conky
150conplay 152conplay
151corebird 153corebird
154coyim
152crawl 155crawl
153crawl-tiles 156crawl-tiles
154crow 157crow
@@ -172,6 +175,7 @@ dino-im
172discord 175discord
173discord-canary 176discord-canary
174display 177display
178display-im6.q16
175dnox 179dnox
176dnscrypt-proxy 180dnscrypt-proxy
177dnsmasq 181dnsmasq
@@ -390,6 +394,7 @@ kazam
390kcalc 394kcalc
391# kdeinit4 395# kdeinit4
392kdenlive 396kdenlive
397kdiff3
393keepass 398keepass
394keepass2 399keepass2
395keepassx 400keepassx
@@ -455,6 +460,7 @@ macrofusion
455magicor 460magicor
456# man 461# man
457manaplus 462manaplus
463marker
458masterpdfeditor 464masterpdfeditor
459masterpdfeditor4 465masterpdfeditor4
460masterpdfeditor5 466masterpdfeditor5
@@ -532,6 +538,7 @@ mypaint
532mypaint-ora-thumbnailer 538mypaint-ora-thumbnailer
533natron 539natron
534ncdu 540ncdu
541neomutt
535netactview 542netactview
536nethack 543nethack
537netsurf 544netsurf
@@ -621,6 +628,7 @@ qemu-launcher
621qgis 628qgis
622qlipper 629qlipper
623qmmp 630qmmp
631qnapi
624qpdfview 632qpdfview
625qt-faststart 633qt-faststart
626qtox 634qtox
@@ -662,6 +670,7 @@ secret-tool
662shellcheck 670shellcheck
663shortwave 671shortwave
664shotcut 672shotcut
673shotwell
665signal-cli 674signal-cli
666signal-desktop 675signal-desktop
667silentarmy 676silentarmy
@@ -771,6 +780,7 @@ tremulous
771trojita 780trojita
772truecraft 781truecraft
773tshark 782tshark
783tutanota-desktop
774tuxguitar 784tuxguitar
775tvbrowser 785tvbrowser
776twitch 786twitch
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index 6190b6f01..dd94b9921 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -131,14 +131,16 @@ void appimage_set(const char *appimage) {
131 errExit("Failed to obtain absolute path"); 131 errExit("Failed to obtain absolute path");
132 132
133 // set environment 133 // set environment
134 if (setenv("APPIMAGE", abspath, 1) < 0) 134 env_store_name_val("APPIMAGE", abspath, SETENV);
135 errExit("setenv"); 135
136 if (mntdir && setenv("APPDIR", mntdir, 1) < 0) 136 if (mntdir)
137 errExit("setenv"); 137 env_store_name_val("APPDIR", mntdir, SETENV);
138 if (size != 0 && setenv("ARGV0", appimage, 1) < 0) 138
139 errExit("setenv"); 139 if (size != 0)
140 if (cfg.cwd && setenv("OWD", cfg.cwd, 1) < 0) 140 env_store_name_val("ARGV0", appimage, SETENV);
141 errExit("setenv"); 141
142 if (cfg.cwd)
143 env_store_name_val("OWD", cfg.cwd, SETENV);
142 144
143 // build new command line 145 // build new command line
144 if (asprintf(&cfg.command_line, "%s/AppRun", mntdir) == -1) 146 if (asprintf(&cfg.command_line, "%s/AppRun", mntdir) == -1)
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 085221464..fb2171a55 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -215,10 +215,8 @@ int checkcfg(int val) {
215 } 215 }
216 216
217 // file copy limit 217 // file copy limit
218 else if (strncmp(ptr, "file-copy-limit ", 16) == 0) { 218 else if (strncmp(ptr, "file-copy-limit ", 16) == 0)
219 if (setenv("FIREJAIL_FILE_COPY_LIMIT", ptr + 16, 1) == -1) 219 env_store_name_val("FIREJAIL_FILE_COPY_LIMIT", ptr + 16, SETENV);
220 errExit("setenv");
221 }
222 220
223 // timeout for join option 221 // timeout for join option
224 else if (strncmp(ptr, "join-timeout ", 13) == 0) 222 else if (strncmp(ptr, "join-timeout ", 13) == 0)
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c
index cfa32d1d3..9253490ca 100644
--- a/src/firejail/chroot.c
+++ b/src/firejail/chroot.c
@@ -173,9 +173,21 @@ void fs_chroot(const char *rootdir) {
173 173
174 // x11 174 // x11
175 // if users want this mount, they should set FIREJAIL_CHROOT_X11 175 // if users want this mount, they should set FIREJAIL_CHROOT_X11
176 if (getenv("FIREJAIL_X11") || getenv("FIREJAIL_CHROOT_X11")) { 176 if (env_get("FIREJAIL_X11") || env_get("FIREJAIL_CHROOT_X11")) {
177 if (arg_debug) 177 if (arg_debug)
178 printf("Mounting /tmp/.X11-unix on chroot /tmp/.X11-unix\n"); 178 printf("Mounting /tmp/.X11-unix on chroot /tmp/.X11-unix\n");
179 struct stat s1, s2;
180 if (stat("/tmp", &s1) || lstat("/tmp/.X11-unix", &s2))
181 errExit("mounting /tmp/.X11-unix");
182 if ((s1.st_mode & S_ISVTX) != S_ISVTX) {
183 fprintf(stderr, "Error: sticky bit not set on /tmp directory\n");
184 exit(1);
185 }
186 if (s2.st_uid != 0) {
187 fprintf(stderr, "Error: /tmp/.X11-unix not owned by root user\n");
188 exit(1);
189 }
190
179 check_subdir(parentfd, "tmp/.X11-unix", 0); 191 check_subdir(parentfd, "tmp/.X11-unix", 0);
180 fd = openat(parentfd, "tmp/.X11-unix", O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); 192 fd = openat(parentfd, "tmp/.X11-unix", O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
181 if (fd == -1) 193 if (fd == -1)
@@ -194,7 +206,7 @@ void fs_chroot(const char *rootdir) {
194 check_subdir(parentfd, "run", 1); 206 check_subdir(parentfd, "run", 1);
195 207
196 // pulseaudio; only support for default directory /run/user/$UID/pulse 208 // pulseaudio; only support for default directory /run/user/$UID/pulse
197 if (getenv("FIREJAIL_CHROOT_PULSE")) { 209 if (env_get("FIREJAIL_CHROOT_PULSE")) {
198 char *pulse; 210 char *pulse;
199 if (asprintf(&pulse, "%s/run/user/%d/pulse", cfg.chrootdir, getuid()) == -1) 211 if (asprintf(&pulse, "%s/run/user/%d/pulse", cfg.chrootdir, getuid()) == -1)
200 errExit("asprintf"); 212 errExit("asprintf");
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
index 3cf75ed84..1d0f07089 100644
--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -329,7 +329,7 @@ void dbus_proxy_start(void) {
329 errExit("close"); 329 errExit("close");
330 330
331 if (arg_dbus_user == DBUS_POLICY_FILTER) { 331 if (arg_dbus_user == DBUS_POLICY_FILTER) {
332 char *user_env = getenv(DBUS_SESSION_BUS_ADDRESS_ENV); 332 const char *user_env = env_get(DBUS_SESSION_BUS_ADDRESS_ENV);
333 if (user_env == NULL) { 333 if (user_env == NULL) {
334 char *dbus_user_socket = find_user_socket(); 334 char *dbus_user_socket = find_user_socket();
335 write_arg(args_pipe[1], DBUS_SOCKET_PATH_PREFIX "%s", 335 write_arg(args_pipe[1], DBUS_SOCKET_PATH_PREFIX "%s",
@@ -350,7 +350,7 @@ void dbus_proxy_start(void) {
350 } 350 }
351 351
352 if (arg_dbus_system == DBUS_POLICY_FILTER) { 352 if (arg_dbus_system == DBUS_POLICY_FILTER) {
353 char *system_env = getenv(DBUS_SYSTEM_BUS_ADDRESS_ENV); 353 const char *system_env = env_get(DBUS_SYSTEM_BUS_ADDRESS_ENV);
354 if (system_env == NULL) { 354 if (system_env == NULL) {
355 write_arg(args_pipe[1], 355 write_arg(args_pipe[1],
356 DBUS_SOCKET_PATH_PREFIX DBUS_SYSTEM_SOCKET); 356 DBUS_SOCKET_PATH_PREFIX DBUS_SYSTEM_SOCKET);
@@ -435,8 +435,8 @@ static void socket_overlay(char *socket_path, char *proxy_path) {
435 close(fd); 435 close(fd);
436} 436}
437 437
438static char *get_socket_env(const char *name) { 438static const char *get_socket_env(const char *name) {
439 char *value = getenv(name); 439 const char *value = env_get(name);
440 if (value == NULL) 440 if (value == NULL)
441 return NULL; 441 return NULL;
442 if (strncmp(value, DBUS_SOCKET_PATH_PREFIX, 442 if (strncmp(value, DBUS_SOCKET_PATH_PREFIX,
@@ -446,21 +446,13 @@ static char *get_socket_env(const char *name) {
446} 446}
447 447
448void dbus_set_session_bus_env(void) { 448void dbus_set_session_bus_env(void) {
449 if (setenv(DBUS_SESSION_BUS_ADDRESS_ENV, 449 env_store_name_val(DBUS_SESSION_BUS_ADDRESS_ENV,
450 DBUS_SOCKET_PATH_PREFIX RUN_DBUS_USER_SOCKET, 1) == -1) { 450 DBUS_SOCKET_PATH_PREFIX RUN_DBUS_USER_SOCKET, SETENV);
451 fprintf(stderr, "Error: cannot modify " DBUS_SESSION_BUS_ADDRESS_ENV
452 " required by --dbus-user\n");
453 exit(1);
454 }
455} 451}
456 452
457void dbus_set_system_bus_env(void) { 453void dbus_set_system_bus_env(void) {
458 if (setenv(DBUS_SYSTEM_BUS_ADDRESS_ENV, 454 env_store_name_val(DBUS_SYSTEM_BUS_ADDRESS_ENV,
459 DBUS_SOCKET_PATH_PREFIX RUN_DBUS_SYSTEM_SOCKET, 1) == -1) { 455 DBUS_SOCKET_PATH_PREFIX RUN_DBUS_SYSTEM_SOCKET, SETENV);
460 fprintf(stderr, "Error: cannot modify " DBUS_SYSTEM_BUS_ADDRESS_ENV
461 " required by --dbus-system\n");
462 exit(1);
463 }
464} 456}
465 457
466static void disable_socket_dir(void) { 458static void disable_socket_dir(void) {
@@ -506,7 +498,7 @@ void dbus_apply_policy(void) {
506 errExit("asprintf"); 498 errExit("asprintf");
507 disable_file_or_dir(dbus_user_socket2); 499 disable_file_or_dir(dbus_user_socket2);
508 500
509 char *user_env = get_socket_env(DBUS_SESSION_BUS_ADDRESS_ENV); 501 const char *user_env = get_socket_env(DBUS_SESSION_BUS_ADDRESS_ENV);
510 if (user_env != NULL && strcmp(user_env, dbus_user_socket) != 0 && 502 if (user_env != NULL && strcmp(user_env, dbus_user_socket) != 0 &&
511 strcmp(user_env, dbus_user_socket2) != 0) 503 strcmp(user_env, dbus_user_socket2) != 0)
512 disable_file_or_dir(user_env); 504 disable_file_or_dir(user_env);
@@ -535,7 +527,7 @@ void dbus_apply_policy(void) {
535 527
536 disable_file_or_dir(DBUS_SYSTEM_SOCKET); 528 disable_file_or_dir(DBUS_SYSTEM_SOCKET);
537 529
538 char *system_env = get_socket_env(DBUS_SYSTEM_BUS_ADDRESS_ENV); 530 const char *system_env = get_socket_env(DBUS_SYSTEM_BUS_ADDRESS_ENV);
539 if (system_env != NULL && strcmp(system_env, DBUS_SYSTEM_SOCKET) != 0) 531 if (system_env != NULL && strcmp(system_env, DBUS_SYSTEM_SOCKET) != 0)
540 disable_file_or_dir(system_env); 532 disable_file_or_dir(system_env);
541 533
@@ -561,4 +553,4 @@ void dbus_apply_policy(void) {
561 553
562 fwarning("An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.\n"); 554 fwarning("An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.\n");
563} 555}
564#endif // HAVE_DBUSPROXY \ No newline at end of file 556#endif // HAVE_DBUSPROXY
diff --git a/src/firejail/env.c b/src/firejail/env.c
index d74cebb39..9ee6c6bfb 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -25,8 +25,8 @@
25 25
26typedef struct env_t { 26typedef struct env_t {
27 struct env_t *next; 27 struct env_t *next;
28 char *name; 28 const char *name;
29 char *value; 29 const char *value;
30 ENV_OP op; 30 ENV_OP op;
31} Env; 31} Env;
32static Env *envlist = NULL; 32static Env *envlist = NULL;
@@ -117,45 +117,35 @@ void env_ibus_load(void) {
117// default sandbox env variables 117// default sandbox env variables
118void env_defaults(void) { 118void env_defaults(void) {
119 // Qt fixes 119 // Qt fixes
120 if (setenv("QT_X11_NO_MITSHM", "1", 1) < 0) 120 env_store_name_val("QT_X11_NO_MITSHM", "1", SETENV);
121 errExit("setenv"); 121 env_store_name_val("QML_DISABLE_DISK_CACHE", "1", SETENV);
122 if (setenv("QML_DISABLE_DISK_CACHE", "1", 1) < 0) 122// env_store_name_val("QTWEBENGINE_DISABLE_SANDBOX", "1", SETENV);
123 errExit("setenv"); 123// env_store_name_val("MOZ_NO_REMOTE, "1", SETENV);
124// if (setenv("QTWEBENGINE_DISABLE_SANDBOX", "1", 1) < 0) 124 env_store_name_val("container", "firejail", SETENV); // LXC sets container=lxc,
125// errExit("setenv");
126// if (setenv("MOZ_NO_REMOTE, "1", 1) < 0)
127// errExit("setenv");
128 if (setenv("container", "firejail", 1) < 0) // LXC sets container=lxc,
129 errExit("setenv");
130 if (!cfg.shell) 125 if (!cfg.shell)
131 cfg.shell = guess_shell(); 126 cfg.shell = guess_shell();
132 if (cfg.shell && setenv("SHELL", cfg.shell, 1) < 0) 127 if (cfg.shell)
133 errExit("setenv"); 128 env_store_name_val("SHELL", cfg.shell, SETENV);
134 129
135 // spawn KIO slaves inside the sandbox 130 // spawn KIO slaves inside the sandbox
136 if (setenv("KDE_FORK_SLAVES", "1", 1) < 0) 131 env_store_name_val("KDE_FORK_SLAVES", "1", SETENV);
137 errExit("setenv");
138 132
139 // set prompt color to green 133 // set prompt color to green
140 int set_prompt = 0; 134 int set_prompt = 0;
141 if (checkcfg(CFG_FIREJAIL_PROMPT)) 135 if (checkcfg(CFG_FIREJAIL_PROMPT))
142 set_prompt = 1; 136 set_prompt = 1;
143 else { // check FIREJAIL_PROMPT="yes" environment variable 137 else { // check FIREJAIL_PROMPT="yes" environment variable
144 char *prompt = getenv("FIREJAIL_PROMPT"); 138 const char *prompt = env_get("FIREJAIL_PROMPT");
145 if (prompt && strcmp(prompt, "yes") == 0) 139 if (prompt && strcmp(prompt, "yes") == 0)
146 set_prompt = 1; 140 set_prompt = 1;
147 } 141 }
148 142
149 if (set_prompt) { 143 if (set_prompt)
150 //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] ' 144 //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] '
151 if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0) 145 env_store_name_val("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", SETENV);
152 errExit("setenv"); 146 else
153 }
154 else {
155 // remove PROMPT_COMMAND 147 // remove PROMPT_COMMAND
156 if (setenv("PROMPT_COMMAND", ":", 1) < 0) // unsetenv() will not work here, bash still picks it up from somewhere 148 env_store_name_val("PROMPT_COMMAND", ":", SETENV); // unsetenv() will not work here, bash still picks it up from somewhere
157 errExit("setenv");
158 }
159 149
160 // set the window title 150 // set the window title
161 if (!arg_quiet && isatty(STDOUT_FILENO)) 151 if (!arg_quiet && isatty(STDOUT_FILENO))
@@ -163,14 +153,13 @@ void env_defaults(void) {
163 153
164 // pass --quiet as an environment variable, in case the command calls further firejailed commands 154 // pass --quiet as an environment variable, in case the command calls further firejailed commands
165 if (arg_quiet) 155 if (arg_quiet)
166 setenv("FIREJAIL_QUIET", "yes", 1); 156 env_store_name_val("FIREJAIL_QUIET", "yes", SETENV);
167 157
168 fflush(0); 158 fflush(0);
169} 159}
170 160
171// parse and store the environment setting 161// parse and store the environment setting
172void env_store(const char *str, ENV_OP op) { 162void env_store(const char *str, ENV_OP op) {
173 EUID_ASSERT();
174 assert(str); 163 assert(str);
175 164
176 // some basic checking 165 // some basic checking
@@ -181,8 +170,7 @@ void env_store(const char *str, ENV_OP op) {
181 if (!ptr) 170 if (!ptr)
182 goto errexit; 171 goto errexit;
183 ptr++; 172 ptr++;
184 if (*ptr == '\0') 173 op = SETENV;
185 goto errexit;
186 } 174 }
187 175
188 // build list entry 176 // build list entry
@@ -210,8 +198,40 @@ errexit:
210 exit(1); 198 exit(1);
211} 199}
212 200
201void env_store_name_val(const char *name, const char *val, ENV_OP op) {
202 assert(name);
203
204 // some basic checking
205 if (*name == '\0')
206 goto errexit;
207
208 // build list entry
209 Env *env = calloc(1, sizeof(Env));
210 if (!env)
211 errExit("calloc");
212
213 env->name = strdup(name);
214 if (env->name == NULL)
215 errExit("strdup");
216
217 if (op == SETENV) {
218 env->value = strdup(val);
219 if (env->value == NULL)
220 errExit("strdup");
221 }
222 env->op = op;
223
224 // add entry to the list
225 env_add(env);
226 return;
227
228errexit:
229 fprintf(stderr, "Error: invalid --env setting\n");
230 exit(1);
231}
232
213// set env variables in the new sandbox process 233// set env variables in the new sandbox process
214void env_apply(void) { 234void env_apply_all(void) {
215 Env *env = envlist; 235 Env *env = envlist;
216 236
217 while (env) { 237 while (env) {
@@ -225,3 +245,81 @@ void env_apply(void) {
225 env = env->next; 245 env = env->next;
226 } 246 }
227} 247}
248
249// get env variable
250const char *env_get(const char *name) {
251 Env *env = envlist;
252 const char *r = NULL;
253
254 while (env) {
255 if (strcmp(env->name, name) == 0) {
256 if (env->op == SETENV)
257 r = env->value;
258 else if (env->op == RMENV)
259 r = NULL;
260 }
261 env = env->next;
262 }
263 return r;
264}
265
266static const char * const env_whitelist[] = {
267 "LANG",
268 "LANGUAGE",
269 "LC_MESSAGES",
270 "PATH",
271 "DISPLAY" // required by X11
272};
273
274static const char * const env_whitelist_sbox[] = {
275 "FIREJAIL_DEBUG",
276 "FIREJAIL_FILE_COPY_LIMIT",
277 "FIREJAIL_PLUGIN",
278 "FIREJAIL_QUIET",
279 "FIREJAIL_SECCOMP_ERROR_ACTION",
280 "FIREJAIL_TEST_ARGUMENTS",
281 "FIREJAIL_TRACEFILE"
282};
283
284static void env_apply_list(const char * const *list, unsigned int num_items) {
285 Env *env = envlist;
286
287 while (env) {
288 if (env->op == SETENV) {
289 for (unsigned int i = 0; i < num_items; i++)
290 if (strcmp(env->name, list[i]) == 0) {
291 // sanity check for whitelisted environment variables
292 if (strlen(env->name) + strlen(env->value) >= MAX_ENV_LEN) {
293 fprintf(stderr, "Error: too long environment variable %s, please use --rmenv\n", env->name);
294 exit(1);
295 }
296
297 //fprintf(stderr, "whitelisted env var %s=%s\n", env->name, env->value);
298 if (setenv(env->name, env->value, 1) < 0)
299 errExit("setenv");
300 break;
301 }
302 } else if (env->op == RMENV)
303 unsetenv(env->name);
304
305 env = env->next;
306 }
307}
308
309// Filter env variables in main firejail process. All variables will
310// be reapplied for the sandboxed app by env_apply_all().
311void env_apply_whitelist(void) {
312 int r;
313
314 r = clearenv();
315 if (r != 0)
316 errExit("clearenv");
317
318 env_apply_list(env_whitelist, ARRAY_SIZE(env_whitelist));
319}
320
321// Filter env variables for a sbox app
322void env_apply_whitelist_sbox(void) {
323 env_apply_whitelist();
324 env_apply_list(env_whitelist_sbox, ARRAY_SIZE(env_whitelist_sbox));
325}
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 80987e494..e352dadc4 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -81,6 +81,8 @@
81 (void) rv;\ 81 (void) rv;\
82 } while (0) 82 } while (0)
83 83
84#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
85
84// main.c 86// main.c
85typedef struct bridge_t { 87typedef struct bridge_t {
86 // on the host 88 // on the host
@@ -513,7 +515,6 @@ void check_private_dir(void);
513void update_map(char *mapping, char *map_file); 515void update_map(char *mapping, char *map_file);
514void wait_for_other(int fd); 516void wait_for_other(int fd);
515void notify_other(int fd); 517void notify_other(int fd);
516const char *gnu_basename(const char *path);
517uid_t pid_get_uid(pid_t pid); 518uid_t pid_get_uid(pid_t pid);
518uid_t get_group_id(const char *group); 519uid_t get_group_id(const char *group);
519int remove_overlay_directory(void); 520int remove_overlay_directory(void);
@@ -656,7 +657,7 @@ int check_kernel_procs(void);
656void run_no_sandbox(int argc, char **argv) __attribute__((noreturn)); 657void run_no_sandbox(int argc, char **argv) __attribute__((noreturn));
657 658
658#define MAX_ENVS 256 // some sane maximum number of environment variables 659#define MAX_ENVS 256 // some sane maximum number of environment variables
659#define MAX_ENV_LEN (PATH_MAX + 32) // FOOBAR=SOME_PATH 660#define MAX_ENV_LEN (PATH_MAX + 32) // FOOBAR=SOME_PATH, only applied to Firejail's own sandboxed apps
660// env.c 661// env.c
661typedef enum { 662typedef enum {
662 SETENV = 0, 663 SETENV = 0,
@@ -664,8 +665,12 @@ typedef enum {
664} ENV_OP; 665} ENV_OP;
665 666
666void env_store(const char *str, ENV_OP op); 667void env_store(const char *str, ENV_OP op);
667void env_apply(void); 668void env_store_name_val(const char *name, const char *val, ENV_OP op);
669void env_apply_all(void);
670void env_apply_whitelist(void);
671void env_apply_whitelist_sbox(void);
668void env_defaults(void); 672void env_defaults(void);
673const char *env_get(const char *name);
669void env_ibus_load(void); 674void env_ibus_load(void);
670 675
671// fs_whitelist.c 676// fs_whitelist.c
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 0d4e496e8..ef1f87f0c 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -487,27 +487,26 @@ void fs_tmpfs(const char *dir, unsigned check_owner) {
487 close(fd); 487 close(fd);
488} 488}
489 489
490// remount path, but preserve existing mount flags; requires a resolved path 490// remount path, preserving other mount flags; requires a resolved path
491static void fs_remount_simple(const char *path, OPERATION op) { 491static void fs_remount_simple(const char *path, OPERATION op) {
492 assert(path); 492 assert(path);
493 493
494 // open path without following symbolic links 494 // open path without following symbolic links
495 int fd = safe_fd(path, O_PATH|O_NOFOLLOW|O_CLOEXEC); 495 int fd1 = safe_fd(path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
496 if (fd == -1) 496 if (fd1 == -1)
497 goto out; 497 goto out;
498 // identify file owner 498 struct stat s1;
499 struct stat s; 499 if (fstat(fd1, &s1) == -1) {
500 if (fstat(fd, &s) == -1) {
501 // fstat can fail with EACCES if path is a FUSE mount, 500 // fstat can fail with EACCES if path is a FUSE mount,
502 // mounted without 'allow_root' or 'allow_other' 501 // mounted without 'allow_root' or 'allow_other'
503 if (errno != EACCES) 502 if (errno != EACCES)
504 errExit("fstat"); 503 errExit("fstat");
505 close(fd); 504 close(fd1);
506 goto out; 505 goto out;
507 } 506 }
508 // get mount flags 507 // get mount flags
509 struct statvfs buf; 508 struct statvfs buf;
510 if (fstatvfs(fd, &buf) == -1) 509 if (fstatvfs(fd1, &buf) == -1)
511 errExit("fstatvfs"); 510 errExit("fstatvfs");
512 unsigned long flags = buf.f_flag; 511 unsigned long flags = buf.f_flag;
513 512
@@ -515,13 +514,13 @@ static void fs_remount_simple(const char *path, OPERATION op) {
515 if (op == MOUNT_RDWR || op == MOUNT_RDWR_NOCHECK) { 514 if (op == MOUNT_RDWR || op == MOUNT_RDWR_NOCHECK) {
516 // nothing to do if there is no read-only flag 515 // nothing to do if there is no read-only flag
517 if ((flags & MS_RDONLY) == 0) { 516 if ((flags & MS_RDONLY) == 0) {
518 close(fd); 517 close(fd1);
519 return; 518 return;
520 } 519 }
521 // allow only user owned directories, except the user is root 520 // allow only user owned directories, except the user is root
522 if (op == MOUNT_RDWR && getuid() != 0 && s.st_uid != getuid()) { 521 if (op != MOUNT_RDWR_NOCHECK && getuid() != 0 && s1.st_uid != getuid()) {
523 fwarning("you are not allowed to change %s to read-write\n", path); 522 fwarning("you are not allowed to change %s to read-write\n", path);
524 close(fd); 523 close(fd1);
525 return; 524 return;
526 } 525 }
527 flags &= ~MS_RDONLY; 526 flags &= ~MS_RDONLY;
@@ -530,7 +529,7 @@ static void fs_remount_simple(const char *path, OPERATION op) {
530 else if (op == MOUNT_NOEXEC) { 529 else if (op == MOUNT_NOEXEC) {
531 // nothing to do if path is mounted noexec already 530 // nothing to do if path is mounted noexec already
532 if ((flags & (MS_NOEXEC|MS_NODEV|MS_NOSUID)) == (MS_NOEXEC|MS_NODEV|MS_NOSUID)) { 531 if ((flags & (MS_NOEXEC|MS_NODEV|MS_NOSUID)) == (MS_NOEXEC|MS_NODEV|MS_NOSUID)) {
533 close(fd); 532 close(fd1);
534 return; 533 return;
535 } 534 }
536 flags |= MS_NOEXEC|MS_NODEV|MS_NOSUID; 535 flags |= MS_NOEXEC|MS_NODEV|MS_NOSUID;
@@ -539,7 +538,7 @@ static void fs_remount_simple(const char *path, OPERATION op) {
539 else if (op == MOUNT_READONLY) { 538 else if (op == MOUNT_READONLY) {
540 // nothing to do if path is mounted read-only already 539 // nothing to do if path is mounted read-only already
541 if ((flags & MS_RDONLY) == MS_RDONLY) { 540 if ((flags & MS_RDONLY) == MS_RDONLY) {
542 close(fd); 541 close(fd1);
543 return; 542 return;
544 } 543 }
545 flags |= MS_RDONLY; 544 flags |= MS_RDONLY;
@@ -549,21 +548,26 @@ static void fs_remount_simple(const char *path, OPERATION op) {
549 548
550 if (arg_debug) 549 if (arg_debug)
551 printf("Mounting %s %s\n", opstr[op], path); 550 printf("Mounting %s %s\n", opstr[op], path);
552 // mount --bind /bin /bin 551 // mount --bind path path
553 char *proc; 552 char *proc;
554 if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) 553 if (asprintf(&proc, "/proc/self/fd/%d", fd1) == -1)
555 errExit("asprintf"); 554 errExit("asprintf");
556 if (mount(proc, proc, NULL, MS_BIND|MS_REC, NULL) < 0) 555 if (mount(proc, proc, NULL, MS_BIND|MS_REC, NULL) < 0)
557 errExit("mount"); 556 errExit("mount");
558 free(proc); 557 free(proc);
559 close(fd);
560 558
561 // mount --bind -o remount,ro /bin 559 // mount --bind -o remount,ro path
562 // we need to open path again 560 // need to open path again without following symbolic links
563 fd = safe_fd(path, O_PATH|O_NOFOLLOW|O_CLOEXEC); 561 int fd2 = safe_fd(path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
564 if (fd == -1) 562 if (fd2 == -1)
565 errExit("open"); 563 errExit("open");
566 if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) 564 struct stat s2;
565 if (fstat(fd2, &s2) == -1)
566 errExit("fstat");
567 // device and inode number should be the same
568 if (s1.st_dev != s2.st_dev || s1.st_ino != s2.st_ino)
569 errLogExit("invalid %s mount", opstr[op]);
570 if (asprintf(&proc, "/proc/self/fd/%d", fd2) == -1)
567 errExit("asprintf"); 571 errExit("asprintf");
568 if (mount(NULL, proc, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0) 572 if (mount(NULL, proc, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0)
569 errExit("mount"); 573 errExit("mount");
@@ -579,7 +583,8 @@ static void fs_remount_simple(const char *path, OPERATION op) {
579 errLogExit("invalid %s mount", opstr[op]); 583 errLogExit("invalid %s mount", opstr[op]);
580 fs_logger2(opstr[op], path); 584 fs_logger2(opstr[op], path);
581 free(proc); 585 free(proc);
582 close(fd); 586 close(fd1);
587 close(fd2);
583 return; 588 return;
584 589
585out: 590out:
@@ -795,6 +800,8 @@ void disable_config(void) {
795 disable_file(BLACKLIST_FILE, RUN_FIREJAIL_PROFILE_DIR); 800 disable_file(BLACKLIST_FILE, RUN_FIREJAIL_PROFILE_DIR);
796 if (stat(RUN_FIREJAIL_X11_DIR, &s) == 0) 801 if (stat(RUN_FIREJAIL_X11_DIR, &s) == 0)
797 disable_file(BLACKLIST_FILE, RUN_FIREJAIL_X11_DIR); 802 disable_file(BLACKLIST_FILE, RUN_FIREJAIL_X11_DIR);
803 if (!arg_appimage && stat(RUN_FIREJAIL_APPIMAGE_DIR, &s) == 0)
804 disable_file(BLACKLIST_FILE, RUN_FIREJAIL_APPIMAGE_DIR);
798} 805}
799 806
800 807
@@ -1219,7 +1226,7 @@ void fs_private_tmp(void) {
1219 printf("Generate private-tmp whitelist commands\n"); 1226 printf("Generate private-tmp whitelist commands\n");
1220 1227
1221 // check XAUTHORITY file, KDE keeps it under /tmp 1228 // check XAUTHORITY file, KDE keeps it under /tmp
1222 char *xauth = getenv("XAUTHORITY"); 1229 const char *xauth = env_get("XAUTHORITY");
1223 if (xauth) { 1230 if (xauth) {
1224 char *rp = realpath(xauth, NULL); 1231 char *rp = realpath(xauth, NULL);
1225 if (rp && strncmp(rp, "/tmp/", 5) == 0) { 1232 if (rp && strncmp(rp, "/tmp/", 5) == 0) {
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 5cfd33b42..b8c1b21b1 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -33,6 +33,52 @@ extern void fslib_install_system(void);
33static int lib_cnt = 0; 33static int lib_cnt = 0;
34static int dir_cnt = 0; 34static int dir_cnt = 0;
35 35
36char *find_in_path(const char *program) {
37 EUID_ASSERT();
38 if (arg_debug)
39 printf("Searching $PATH for %s\n", program);
40
41 char self[MAXBUF];
42 ssize_t len = readlink("/proc/self/exe", self, MAXBUF - 1);
43 if (len < 0)
44 errExit("readlink");
45 self[len] = '\0';
46
47 char *path = getenv("PATH");
48 if (!path)
49 return NULL;
50 char *dup = strdup(path);
51 if (!dup)
52 errExit("strdup");
53 char *tok = strtok(dup, ":");
54 while (tok) {
55 char *fname;
56 if (asprintf(&fname, "%s/%s", tok, program) == -1)
57 errExit("asprintf");
58
59 if (arg_debug)
60 printf("trying #%s#\n", fname);
61 struct stat s;
62 if (stat(fname, &s) == 0) {
63 // but skip links created by firecfg
64 char *rp = realpath(fname, NULL);
65 if (!rp)
66 errExit("realpath");
67 if (strcmp(self, rp) != 0) {
68 free(rp);
69 free(dup);
70 return fname;
71 }
72 free(rp);
73 }
74 free(fname);
75 tok = strtok(NULL, ":");
76 }
77
78 free(dup);
79 return NULL;
80}
81
36static void report_duplication(const char *full_path) { 82static void report_duplication(const char *full_path) {
37 char *fname = strrchr(full_path, '/'); 83 char *fname = strrchr(full_path, '/');
38 if (fname && *(++fname) != '\0') { 84 if (fname && *(++fname) != '\0') {
@@ -165,7 +211,7 @@ void fslib_copy_dir(const char *full_path) {
165 mkdir_attr(dest, 0755, 0, 0); 211 mkdir_attr(dest, 0755, 0, 0);
166 212
167 if (mount(full_path, dest, NULL, MS_BIND|MS_REC, NULL) < 0 || 213 if (mount(full_path, dest, NULL, MS_BIND|MS_REC, NULL) < 0 ||
168 mount(NULL, dest, NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) 214 mount(NULL, dest, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
169 errExit("mount bind"); 215 errExit("mount bind");
170 fs_logger2("clone", full_path); 216 fs_logger2("clone", full_path);
171 fs_logger2("mount", full_path); 217 fs_logger2("mount", full_path);
@@ -336,11 +382,40 @@ void fs_private_lib(void) {
336 // start timetrace 382 // start timetrace
337 timetrace_start(); 383 timetrace_start();
338 384
385 // bring in firejail executable libraries in case we are redirected here by a firejail symlink from /usr/local/bin/firejail
386 if (arg_debug || arg_debug_private_lib)
387 printf("Installing Firejail libraries\n");
388 fslib_install_list(PATH_FIREJAIL);
389
390 // bring in firejail directory
391 fslib_install_list(LIBDIR "/firejail");
392
393 // bring in dhclient libraries
394 if (any_dhcp()) {
395 if (arg_debug || arg_debug_private_lib)
396 printf("Installing dhclient libraries\n");
397 fslib_install_list(RUN_MNT_DIR "/dhclient");
398 }
399 fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end());
400
401 timetrace_start();
402
339 // copy the libs in the new lib directory for the main exe 403 // copy the libs in the new lib directory for the main exe
340 if (cfg.original_program_index > 0) { 404 if (cfg.original_program_index > 0) {
341 if (arg_debug || arg_debug_private_lib) 405 if (arg_debug || arg_debug_private_lib)
342 printf("Installing sandboxed program libraries\n"); 406 printf("Installing sandboxed program libraries\n");
343 fslib_install_list(cfg.original_argv[cfg.original_program_index]); 407
408 if (strchr(cfg.original_argv[cfg.original_program_index], '/'))
409 fslib_install_list(cfg.original_argv[cfg.original_program_index]);
410 else { // search executable in $PATH
411 EUID_USER();
412 char *fname = find_in_path(cfg.original_argv[cfg.original_program_index]);
413 EUID_ROOT();
414 if (fname) {
415 fslib_install_list(fname);
416 free(fname);
417 }
418 }
344 } 419 }
345 420
346 // for the shell 421 // for the shell
@@ -369,18 +444,11 @@ void fs_private_lib(void) {
369 } 444 }
370 fmessage("Program libraries installed in %0.2f ms\n", timetrace_end()); 445 fmessage("Program libraries installed in %0.2f ms\n", timetrace_end());
371 446
372 // install the reset of the system libraries 447 // install the rest of the system libraries
373 if (arg_debug || arg_debug_private_lib) 448 if (arg_debug || arg_debug_private_lib)
374 printf("Installing system libraries\n"); 449 printf("Installing system libraries\n");
375 fslib_install_system(); 450 fslib_install_system();
376 451
377 // bring in firejail directory for --trace and seccomp post exec
378 // bring in firejail executable libraries in case we are redirected here by a firejail symlink from /usr/local/bin/firejail
379 fslib_install_list("/usr/bin/firejail,firejail"); // todo: use the installed path for the executable
380
381 // install libraries needed by fcopy
382 fslib_install_list(PATH_FCOPY);
383
384 fmessage("Installed %d %s and %d %s\n", lib_cnt, (lib_cnt == 1)? "library": "libraries", 452 fmessage("Installed %d %s and %d %s\n", lib_cnt, (lib_cnt == 1)? "library": "libraries",
385 dir_cnt, (dir_cnt == 1)? "directory": "directories"); 453 dir_cnt, (dir_cnt == 1)? "directory": "directories");
386 454
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c
index b2ae07f3e..95e10ee05 100644
--- a/src/firejail/fs_lib2.c
+++ b/src/firejail/fs_lib2.c
@@ -30,6 +30,7 @@ extern void fslib_copy_dir(const char *full_path);
30//*************************************************************** 30//***************************************************************
31// standard libc libraries based on Debian's libc6 package 31// standard libc libraries based on Debian's libc6 package
32// selinux seems to be linked in most command line utilities 32// selinux seems to be linked in most command line utilities
33// libpcre2 is a dependency of selinux
33// locale (/usr/lib/locale) - without it, the program will default to "C" locale 34// locale (/usr/lib/locale) - without it, the program will default to "C" locale
34typedef struct liblist_t { 35typedef struct liblist_t {
35 const char *name; 36 const char *name;
@@ -38,6 +39,7 @@ typedef struct liblist_t {
38 39
39static LibList libc_list[] = { 40static LibList libc_list[] = {
40 { "libselinux.so.", 0 }, 41 { "libselinux.so.", 0 },
42 { "libpcre2-8.so.", 0 },
41 { "libapparmor.so.", 0}, 43 { "libapparmor.so.", 0},
42 { "ld-linux-x86-64.so.", 0 }, 44 { "ld-linux-x86-64.so.", 0 },
43 { "libanl.so.", 0 }, 45 { "libanl.so.", 0 },
@@ -104,17 +106,15 @@ static void stdc(const char *dirname) {
104 106
105void fslib_install_stdc(void) { 107void fslib_install_stdc(void) {
106 // install standard C libraries 108 // install standard C libraries
109 timetrace_start();
107 struct stat s; 110 struct stat s;
108 char *stdclib = "/lib64"; // CentOS, Fedora, Arch
109
110 if (stat("/lib/x86_64-linux-gnu", &s) == 0) { // Debian & friends 111 if (stat("/lib/x86_64-linux-gnu", &s) == 0) { // Debian & friends
111 mkdir_attr(RUN_LIB_DIR "/x86_64-linux-gnu", 0755, 0, 0); 112 mkdir_attr(RUN_LIB_DIR "/x86_64-linux-gnu", 0755, 0, 0);
112 selinux_relabel_path(RUN_LIB_DIR "/x86_64-linux-gnu", "/lib/x86_64-linux-gnu"); 113 selinux_relabel_path(RUN_LIB_DIR "/x86_64-linux-gnu", "/lib/x86_64-linux-gnu");
113 stdclib = "/lib/x86_64-linux-gnu"; 114 stdc("/lib/x86_64-linux-gnu");
114 } 115 }
115 116
116 timetrace_start(); 117 stdc("/lib64"); // CentOS, Fedora, Arch, ld-linux.so in Debian & friends
117 stdc(stdclib);
118 118
119 // install locale 119 // install locale
120 if (stat("/usr/lib/locale", &s) == 0) 120 if (stat("/usr/lib/locale", &s) == 0)
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 1d7552339..d60c57fec 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -778,7 +778,7 @@ void fs_whitelist(void) {
778 fs_logger("tmpfs /tmp"); 778 fs_logger("tmpfs /tmp");
779 779
780 // pam-tmpdir - issue #2685 780 // pam-tmpdir - issue #2685
781 char *env = getenv("TMP"); 781 const char *env = env_get("TMP");
782 if (env) { 782 if (env) {
783 char *pamtmpdir; 783 char *pamtmpdir;
784 if (asprintf(&pamtmpdir, "/tmp/user/%u", getuid()) == -1) 784 if (asprintf(&pamtmpdir, "/tmp/user/%u", getuid()) == -1)
diff --git a/src/firejail/join.c b/src/firejail/join.c
index d2f802add..bdd0f286c 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -296,7 +296,7 @@ static void extract_umask(pid_t pid) {
296 fprintf(stderr, "Error: cannot open umask file\n"); 296 fprintf(stderr, "Error: cannot open umask file\n");
297 exit(1); 297 exit(1);
298 } 298 }
299 if (fscanf(fp, "%o", &orig_umask) != 1) { 299 if (fscanf(fp, "%3o", &orig_umask) != 1) {
300 fprintf(stderr, "Error: cannot read umask\n"); 300 fprintf(stderr, "Error: cannot read umask\n");
301 exit(1); 301 exit(1);
302 } 302 }
@@ -335,7 +335,7 @@ bool is_ready_for_join(const pid_t pid) {
335 struct stat s; 335 struct stat s;
336 if (fstat(fd, &s) == -1) 336 if (fstat(fd, &s) == -1)
337 errExit("fstat"); 337 errExit("fstat");
338 if (!S_ISREG(s.st_mode) || s.st_uid != 0) { 338 if (!S_ISREG(s.st_mode) || s.st_uid != 0 || s.st_size != 1) {
339 close(fd); 339 close(fd);
340 return false; 340 return false;
341 } 341 }
@@ -411,7 +411,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
411 extract_x11_display(parent); 411 extract_x11_display(parent);
412 412
413 int shfd = -1; 413 int shfd = -1;
414 if (!arg_shell_none) 414 if (!arg_shell_none && !arg_audit)
415 shfd = open_shell(); 415 shfd = open_shell();
416 416
417 EUID_ROOT(); 417 EUID_ROOT();
@@ -423,6 +423,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
423 extract_cgroup(pid); 423 extract_cgroup(pid);
424 extract_nogroups(pid); 424 extract_nogroups(pid);
425 extract_user_namespace(pid); 425 extract_user_namespace(pid);
426 extract_umask(pid);
426#ifdef HAVE_APPARMOR 427#ifdef HAVE_APPARMOR
427 extract_apparmor(pid); 428 extract_apparmor(pid);
428#endif 429#endif
@@ -432,9 +433,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
432 if (cfg.cgroup) // not available for uid 0 433 if (cfg.cgroup) // not available for uid 0
433 set_cgroup(cfg.cgroup); 434 set_cgroup(cfg.cgroup);
434 435
435 // set umask, also uid 0
436 extract_umask(pid);
437
438 // join namespaces 436 // join namespaces
439 if (arg_join_network) { 437 if (arg_join_network) {
440 if (join_namespace(pid, "net")) 438 if (join_namespace(pid, "net"))
@@ -563,7 +561,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
563 char *display_str; 561 char *display_str;
564 if (asprintf(&display_str, ":%d", display) == -1) 562 if (asprintf(&display_str, ":%d", display) == -1)
565 errExit("asprintf"); 563 errExit("asprintf");
566 setenv("DISPLAY", display_str, 1); 564 env_store_name_val("DISPLAY", display_str, SETENV);
567 free(display_str); 565 free(display_str);
568 } 566 }
569 567
diff --git a/src/firejail/main.c b/src/firejail/main.c
index e5d8a4720..982a4c7a6 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -861,19 +861,20 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
861} 861}
862 862
863char *guess_shell(void) { 863char *guess_shell(void) {
864 char *shell = NULL; 864 const char *shell;
865 char *retval;
865 struct stat s; 866 struct stat s;
866 867
867 shell = getenv("SHELL"); 868 shell = env_get("SHELL");
868 if (shell) { 869 if (shell) {
869 invalid_filename(shell, 0); // no globbing 870 invalid_filename(shell, 0); // no globbing
870 if (!is_dir(shell) && strstr(shell, "..") == NULL && stat(shell, &s) == 0 && access(shell, X_OK) == 0 && 871 if (!is_dir(shell) && strstr(shell, "..") == NULL && stat(shell, &s) == 0 && access(shell, X_OK) == 0 &&
871 strcmp(shell, PATH_FIREJAIL) != 0) 872 strcmp(shell, PATH_FIREJAIL) != 0)
872 return shell; 873 goto found;
873 } 874 }
874 875
875 // shells in order of preference 876 // shells in order of preference
876 char *shells[] = {"/bin/bash", "/bin/csh", "/usr/bin/zsh", "/bin/sh", "/bin/ash", NULL }; 877 static const char * const shells[] = {"/bin/bash", "/bin/csh", "/usr/bin/zsh", "/bin/sh", "/bin/ash", NULL };
877 878
878 int i = 0; 879 int i = 0;
879 while (shells[i] != NULL) { 880 while (shells[i] != NULL) {
@@ -884,8 +885,11 @@ char *guess_shell(void) {
884 } 885 }
885 i++; 886 i++;
886 } 887 }
887 888 found:
888 return shell; 889 retval = strdup(shell);
890 if (!retval)
891 errExit("strdup");
892 return retval;
889} 893}
890 894
891// return argument index 895// return argument index
@@ -926,9 +930,13 @@ static void run_builder(int argc, char **argv) {
926 if (setresuid(-1, getuid(), getuid()) != 0) 930 if (setresuid(-1, getuid(), getuid()) != 0)
927 errExit("setresuid"); 931 errExit("setresuid");
928 932
933 assert(env_get("LD_PRELOAD") == NULL);
929 assert(getenv("LD_PRELOAD") == NULL); 934 assert(getenv("LD_PRELOAD") == NULL);
930 umask(orig_umask); 935 umask(orig_umask);
931 936
937 // restore some environment variables
938 env_apply_whitelist_sbox();
939
932 argv[0] = LIBDIR "/firejail/fbuilder"; 940 argv[0] = LIBDIR "/firejail/fbuilder";
933 execvp(argv[0], argv); 941 execvp(argv[0], argv);
934 942
@@ -994,6 +1002,16 @@ int main(int argc, char **argv, char **envp) {
994 exit(1); 1002 exit(1);
995 } 1003 }
996 1004
1005 // Stash environment variables
1006 for (i = 0, ptr = envp; ptr && *ptr && i < MAX_ENVS; i++, ptr++)
1007 env_store(*ptr, SETENV);
1008
1009 // sanity check for environment variables
1010 if (i >= MAX_ENVS) {
1011 fprintf(stderr, "Error: too many environment variables, please use --rmenv\n");
1012 exit(1);
1013 }
1014
997 // sanity check for arguments 1015 // sanity check for arguments
998 for (i = 0; i < argc; i++) { 1016 for (i = 0; i < argc; i++) {
999 if (*argv[i] == 0) { 1017 if (*argv[i] == 0) {
@@ -1005,29 +1023,19 @@ int main(int argc, char **argv, char **envp) {
1005 exit(1); 1023 exit(1);
1006 } 1024 }
1007 // Also remove requested environment variables 1025 // Also remove requested environment variables
1008 // entirely to avoid tripping the length check below
1009 if (strncmp(argv[i], "--rmenv=", 8) == 0) 1026 if (strncmp(argv[i], "--rmenv=", 8) == 0)
1010 unsetenv(argv[i] + 8); 1027 env_store(argv[i] + 8, RMENV);
1011 } 1028 }
1012 1029
1013 // sanity check for environment variables 1030 // Reapply a minimal set of environment variables
1014 for (i = 0, ptr = envp; ptr && *ptr && i < MAX_ENVS; i++, ptr++) { 1031 env_apply_whitelist();
1015 if (strlen(*ptr) >= MAX_ENV_LEN) {
1016 fprintf(stderr, "Error: too long environment variables, please use --rmenv\n");
1017 exit(1);
1018 }
1019 }
1020 if (i >= MAX_ENVS) {
1021 fprintf(stderr, "Error: too many environment variables, please use --rmenv\n");
1022 exit(1);
1023 }
1024 1032
1025 // check if the user is allowed to use firejail 1033 // check if the user is allowed to use firejail
1026 init_cfg(argc, argv); 1034 init_cfg(argc, argv);
1027 1035
1028 // get starting timestamp, process --quiet 1036 // get starting timestamp, process --quiet
1029 timetrace_start(); 1037 timetrace_start();
1030 char *env_quiet = getenv("FIREJAIL_QUIET"); 1038 const char *env_quiet = env_get("FIREJAIL_QUIET");
1031 if (check_arg(argc, argv, "--quiet", 1) || (env_quiet && strcmp(env_quiet, "yes") == 0)) 1039 if (check_arg(argc, argv, "--quiet", 1) || (env_quiet && strcmp(env_quiet, "yes") == 0))
1032 arg_quiet = 1; 1040 arg_quiet = 1;
1033 1041
@@ -1037,7 +1045,7 @@ int main(int argc, char **argv, char **envp) {
1037 1045
1038 // build /run/firejail directory structure 1046 // build /run/firejail directory structure
1039 preproc_build_firejail_dir(); 1047 preproc_build_firejail_dir();
1040 char *container_name = getenv("container"); 1048 const char *container_name = env_get("container");
1041 if (!container_name || strcmp(container_name, "firejail")) { 1049 if (!container_name || strcmp(container_name, "firejail")) {
1042 lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR); 1050 lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR);
1043 if (lockfd_directory != -1) { 1051 if (lockfd_directory != -1) {
@@ -1170,6 +1178,9 @@ int main(int argc, char **argv, char **envp) {
1170 1178
1171 drop_privs(1); 1179 drop_privs(1);
1172 umask(orig_umask); 1180 umask(orig_umask);
1181
1182 // restore original environment variables
1183 env_apply_all();
1173 int rv = system(argv[2]); 1184 int rv = system(argv[2]);
1174 exit(rv); 1185 exit(rv);
1175 } 1186 }
@@ -1231,11 +1242,6 @@ int main(int argc, char **argv, char **envp) {
1231 } 1242 }
1232 EUID_ASSERT(); 1243 EUID_ASSERT();
1233 1244
1234#ifdef WARN_DUMPABLE
1235 if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())
1236 fprintf(stderr, "Error: Firejail is dumpable\n");
1237#endif
1238
1239 // check for force-nonewprivs in /etc/firejail/firejail.config file 1245 // check for force-nonewprivs in /etc/firejail/firejail.config file
1240 if (checkcfg(CFG_FORCE_NONEWPRIVS)) 1246 if (checkcfg(CFG_FORCE_NONEWPRIVS))
1241 arg_nonewprivs = 1; 1247 arg_nonewprivs = 1;
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index 6c7803602..111d94333 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -41,7 +41,7 @@ int check_namespace_virt(void) {
41 EUID_ASSERT(); 41 EUID_ASSERT();
42 42
43 // check container environment variable 43 // check container environment variable
44 char *str = getenv("container"); 44 const char *str = env_get("container");
45 if (str && is_container(str)) 45 if (str && is_container(str))
46 return 1; 46 return 1;
47 47
diff --git a/src/firejail/output.c b/src/firejail/output.c
index 36cb905cb..1682ee025 100644
--- a/src/firejail/output.c
+++ b/src/firejail/output.c
@@ -95,6 +95,9 @@ void check_output(int argc, char **argv) {
95 close(pipefd[0]); 95 close(pipefd[0]);
96 } 96 }
97 97
98 // restore some environment variables
99 env_apply_whitelist_sbox();
100
98 char *args[3]; 101 char *args[3];
99 args[0] = LIBDIR "/firejail/ftee"; 102 args[0] = LIBDIR "/firejail/ftee";
100 args[1] = outfile; 103 args[1] = outfile;
@@ -137,6 +140,10 @@ void check_output(int argc, char **argv) {
137 } 140 }
138 args[j++] = argv[i]; 141 args[j++] = argv[i];
139 } 142 }
143
144 // restore original environment variables
145 env_apply_all();
146
140 execvp(args[0], args); 147 execvp(args[0], args);
141 148
142 perror("execvp"); 149 perror("execvp");
diff --git a/src/firejail/paths.c b/src/firejail/paths.c
index 5de704bef..981a6bc71 100644
--- a/src/firejail/paths.c
+++ b/src/firejail/paths.c
@@ -26,13 +26,13 @@ static unsigned int longest_path_elt = 0;
26 26
27static char *elt = NULL; // moved from inside init_paths in order to get rid of scan-build warning 27static char *elt = NULL; // moved from inside init_paths in order to get rid of scan-build warning
28static void init_paths(void) { 28static void init_paths(void) {
29 char *path = getenv("PATH"); 29 const char *env_path = env_get("PATH");
30 char *p; 30 char *p;
31 if (!path) { 31 if (!env_path) {
32 path = "/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"; 32 env_path = "/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin";
33 setenv("PATH", path, 1); 33 env_store_name_val("PATH", env_path, SETENV);
34 } 34 }
35 path = strdup(path); 35 char *path = strdup(env_path);
36 if (!path) 36 if (!path)
37 errExit("strdup"); 37 errExit("strdup");
38 38
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 1ee8cdfcb..3766ba8f0 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -158,7 +158,7 @@ static int check_nosound(void) {
158} 158}
159 159
160static int check_x11(void) { 160static int check_x11(void) {
161 return (arg_x11_block || arg_x11_xorg || getenv("FIREJAIL_X11")); 161 return (arg_x11_block || arg_x11_xorg || env_get("FIREJAIL_X11"));
162} 162}
163 163
164static int check_disable_u2f(void) { 164static int check_disable_u2f(void) {
@@ -1181,7 +1181,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
1181 if (strcmp(ptr, "x11 xephyr") == 0) { 1181 if (strcmp(ptr, "x11 xephyr") == 0) {
1182#ifdef HAVE_X11 1182#ifdef HAVE_X11
1183 if (checkcfg(CFG_X11)) { 1183 if (checkcfg(CFG_X11)) {
1184 char *x11env = getenv("FIREJAIL_X11"); 1184 const char *x11env = env_get("FIREJAIL_X11");
1185 if (x11env && strcmp(x11env, "yes") == 0) { 1185 if (x11env && strcmp(x11env, "yes") == 0) {
1186 return 0; 1186 return 0;
1187 } 1187 }
@@ -1210,7 +1210,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
1210 if (strcmp(ptr, "x11 xpra") == 0) { 1210 if (strcmp(ptr, "x11 xpra") == 0) {
1211#ifdef HAVE_X11 1211#ifdef HAVE_X11
1212 if (checkcfg(CFG_X11)) { 1212 if (checkcfg(CFG_X11)) {
1213 char *x11env = getenv("FIREJAIL_X11"); 1213 const char *x11env = env_get("FIREJAIL_X11");
1214 if (x11env && strcmp(x11env, "yes") == 0) { 1214 if (x11env && strcmp(x11env, "yes") == 0) {
1215 return 0; 1215 return 0;
1216 } 1216 }
@@ -1229,7 +1229,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
1229 if (strcmp(ptr, "x11 xvfb") == 0) { 1229 if (strcmp(ptr, "x11 xvfb") == 0) {
1230#ifdef HAVE_X11 1230#ifdef HAVE_X11
1231 if (checkcfg(CFG_X11)) { 1231 if (checkcfg(CFG_X11)) {
1232 char *x11env = getenv("FIREJAIL_X11"); 1232 const char *x11env = env_get("FIREJAIL_X11");
1233 if (x11env && strcmp(x11env, "yes") == 0) { 1233 if (x11env && strcmp(x11env, "yes") == 0) {
1234 return 0; 1234 return 0;
1235 } 1235 }
@@ -1248,7 +1248,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
1248 if (strcmp(ptr, "x11") == 0) { 1248 if (strcmp(ptr, "x11") == 0) {
1249#ifdef HAVE_X11 1249#ifdef HAVE_X11
1250 if (checkcfg(CFG_X11)) { 1250 if (checkcfg(CFG_X11)) {
1251 char *x11env = getenv("FIREJAIL_X11"); 1251 const char *x11env = env_get("FIREJAIL_X11");
1252 if (x11env && strcmp(x11env, "yes") == 0) { 1252 if (x11env && strcmp(x11env, "yes") == 0) {
1253 return 0; 1253 return 0;
1254 } 1254 }
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index a5c924a70..5df3d9cd3 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -42,7 +42,7 @@ void pulseaudio_disable(void) {
42 42
43 43
44 // blacklist pulseaudio socket in XDG_RUNTIME_DIR 44 // blacklist pulseaudio socket in XDG_RUNTIME_DIR
45 char *name = getenv("XDG_RUNTIME_DIR"); 45 const char *name = env_get("XDG_RUNTIME_DIR");
46 if (name) 46 if (name)
47 disable_file_path(name, "pulse/native"); 47 disable_file_path(name, "pulse/native");
48 48
@@ -76,7 +76,10 @@ void pulseaudio_disable(void) {
76} 76}
77 77
78static void pulseaudio_fallback(const char *path) { 78static void pulseaudio_fallback(const char *path) {
79 assert(path);
80
79 fmessage("Cannot mount tmpfs on %s/.config/pulse\n", cfg.homedir); 81 fmessage("Cannot mount tmpfs on %s/.config/pulse\n", cfg.homedir);
82 env_store_name_val("PULSE_CLIENTCONFIG", path, SETENV);
80 if (setenv("PULSE_CLIENTCONFIG", path, 1) < 0) 83 if (setenv("PULSE_CLIENTCONFIG", path, 1) < 0)
81 errExit("setenv"); 84 errExit("setenv");
82} 85}
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c
index ea3889024..5bf27fc6d 100644
--- a/src/firejail/run_symlink.c
+++ b/src/firejail/run_symlink.c
@@ -22,6 +22,8 @@
22#include <sys/stat.h> 22#include <sys/stat.h>
23#include <unistd.h> 23#include <unistd.h>
24 24
25extern char *find_in_path(const char *program);
26
25void run_symlink(int argc, char **argv, int run_as_is) { 27void run_symlink(int argc, char **argv, int run_as_is) {
26 EUID_ASSERT(); 28 EUID_ASSERT();
27 29
@@ -40,58 +42,25 @@ void run_symlink(int argc, char **argv, int run_as_is) {
40 errExit("setresuid"); 42 errExit("setresuid");
41 43
42 // find the real program by looking in PATH 44 // find the real program by looking in PATH
43 char *p = getenv("PATH"); 45 const char *path = env_get("PATH");
44 if (!p) { 46 if (!path) {
45 fprintf(stderr, "Error: PATH environment variable not set\n"); 47 fprintf(stderr, "Error: PATH environment variable not set\n");
46 exit(1); 48 exit(1);
47 } 49 }
48 50
49 char *path = strdup(p); 51 char *p = find_in_path(program);
50 if (!path) 52 if (!p) {
51 errExit("strdup");
52
53 char *selfpath = realpath("/proc/self/exe", NULL);
54 if (!selfpath)
55 errExit("realpath");
56
57 // look in path for our program
58 char *tok = strtok(path, ":");
59 int found = 0;
60 while (tok) {
61 char *name;
62 if (asprintf(&name, "%s/%s", tok, program) == -1)
63 errExit("asprintf");
64
65 struct stat s;
66 if (stat(name, &s) == 0) {
67 /* coverity[toctou] */
68 char* rp = realpath(name, NULL);
69 if (!rp)
70 errExit("realpath");
71
72 if (strcmp(selfpath, rp) != 0) {
73 program = strdup(name);
74 found = 1;
75 free(rp);
76 break;
77 }
78
79 free(rp);
80 }
81
82 free(name);
83 tok = strtok(NULL, ":");
84 }
85 if (!found) {
86 fprintf(stderr, "Error: cannot find the program in the path\n"); 53 fprintf(stderr, "Error: cannot find the program in the path\n");
87 exit(1); 54 exit(1);
88 } 55 }
89 56 program = p;
90 free(selfpath);
91 57
92 // restore original umask 58 // restore original umask
93 umask(orig_umask); 59 umask(orig_umask);
94 60
61 // restore original environment variables
62 env_apply_all();
63
95 // desktop integration is not supported for root user; instead, the original program is started 64 // desktop integration is not supported for root user; instead, the original program is started
96 if (getuid() == 0 || run_as_is) { 65 if (getuid() == 0 || run_as_is) {
97 argv[0] = program; 66 argv[0] = program;
@@ -108,6 +77,7 @@ void run_symlink(int argc, char **argv, int run_as_is) {
108 a[i + 2] = argv[i + 1]; 77 a[i + 2] = argv[i + 1];
109 } 78 }
110 a[i + 2] = NULL; 79 a[i + 2] = NULL;
80 assert(env_get("LD_PRELOAD") == NULL);
111 assert(getenv("LD_PRELOAD") == NULL); 81 assert(getenv("LD_PRELOAD") == NULL);
112 execvp(a[0], a); 82 execvp(a[0], a);
113 83
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index d811fe45a..1f94d86cd 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -268,8 +268,7 @@ static void sandbox_if_up(Bridge *br) {
268 268
269static void chk_chroot(void) { 269static void chk_chroot(void) {
270 // if we are starting firejail inside some other container technology, we don't care about this 270 // if we are starting firejail inside some other container technology, we don't care about this
271 char *mycont = getenv("container"); 271 if (env_get("container"))
272 if (mycont)
273 return; 272 return;
274 273
275 // check if this is a regular chroot 274 // check if this is a regular chroot
@@ -419,7 +418,7 @@ static int ok_to_run(const char *program) {
419 return 1; 418 return 1;
420 } 419 }
421 else { // search $PATH 420 else { // search $PATH
422 char *path1 = getenv("PATH"); 421 const char *path1 = env_get("PATH");
423 if (path1) { 422 if (path1) {
424 if (arg_debug) 423 if (arg_debug)
425 printf("Searching $PATH for %s\n", program); 424 printf("Searching $PATH for %s\n", program);
@@ -465,7 +464,7 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
465 // set environment 464 // set environment
466 if (no_sandbox == 0) { 465 if (no_sandbox == 0) {
467 env_defaults(); 466 env_defaults();
468 env_apply(); 467 env_apply_all();
469 } 468 }
470 // restore original umask 469 // restore original umask
471 umask(orig_umask); 470 umask(orig_umask);
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index a2aaa86eb..baf99c5b9 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -36,7 +36,7 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char *
36 int env_index = 0; 36 int env_index = 0;
37 char *new_environment[256] = { NULL }; 37 char *new_environment[256] = { NULL };
38 // preserve firejail-specific env vars 38 // preserve firejail-specific env vars
39 char *cl = getenv("FIREJAIL_FILE_COPY_LIMIT"); 39 const char *cl = env_get("FIREJAIL_FILE_COPY_LIMIT");
40 if (cl) { 40 if (cl) {
41 if (asprintf(&new_environment[env_index++], "FIREJAIL_FILE_COPY_LIMIT=%s", cl) == -1) 41 if (asprintf(&new_environment[env_index++], "FIREJAIL_FILE_COPY_LIMIT=%s", cl) == -1)
42 errExit("asprintf"); 42 errExit("asprintf");
@@ -120,7 +120,7 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char *
120 // handle X32 ABI 120 // handle X32 ABI
121 BPF_JUMP(BPF_JMP + BPF_JGE + BPF_K, X32_SYSCALL_BIT, 1, 0), 121 BPF_JUMP(BPF_JMP + BPF_JGE + BPF_K, X32_SYSCALL_BIT, 1, 0),
122 BPF_JUMP(BPF_JMP + BPF_JGE + BPF_K, 0, 1, 0), 122 BPF_JUMP(BPF_JMP + BPF_JGE + BPF_K, 0, 1, 0),
123 RETURN_ERRNO(EPERM), 123 KILL_OR_RETURN_ERRNO,
124#endif 124#endif
125 125
126 // syscall list 126 // syscall list
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index e47e6c910..808dd4c37 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -208,7 +208,7 @@ int seccomp_filter_drop(bool native) {
208 // - seccomp 208 // - seccomp
209 if (cfg.seccomp_list_drop == NULL) { 209 if (cfg.seccomp_list_drop == NULL) {
210 // default seccomp if error action is not changed 210 // default seccomp if error action is not changed
211 if (cfg.seccomp_list == NULL && cfg.seccomp_error_action) { 211 if (cfg.seccomp_list == NULL && arg_seccomp_error_action == DEFAULT_SECCOMP_ERROR_ACTION) {
212 if (arg_seccomp_block_secondary) 212 if (arg_seccomp_block_secondary)
213 seccomp_filter_block_secondary(); 213 seccomp_filter_block_secondary();
214 else { 214 else {
@@ -221,11 +221,29 @@ int seccomp_filter_drop(bool native) {
221 } 221 }
222 // default seccomp filter with additional drop list 222 // default seccomp filter with additional drop list
223 else { // cfg.seccomp_list != NULL 223 else { // cfg.seccomp_list != NULL
224 if (arg_seccomp_block_secondary) 224 int rv;
225
226 if (arg_seccomp_block_secondary) {
227 if (arg_seccomp_error_action != DEFAULT_SECCOMP_ERROR_ACTION) {
228 if (arg_debug)
229 printf("Rebuild secondary block seccomp filter\n");
230 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4,
231 PATH_FSECCOMP, "secondary", "block", RUN_SECCOMP_BLOCK_SECONDARY);
232 if (rv)
233 exit(rv);
234 }
225 seccomp_filter_block_secondary(); 235 seccomp_filter_block_secondary();
226 else { 236 } else {
227#if defined(__x86_64__) 237#if defined(__x86_64__)
228#if defined(__LP64__) 238#if defined(__LP64__)
239 if (arg_seccomp_error_action != DEFAULT_SECCOMP_ERROR_ACTION) {
240 if (arg_debug)
241 printf("Rebuild 32 bit seccomp filter\n");
242 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4,
243 PATH_FSECCOMP, "secondary", "32", RUN_SECCOMP_32);
244 if (rv)
245 exit(rv);
246 }
229 seccomp_filter_32(); 247 seccomp_filter_32();
230#endif 248#endif
231#endif 249#endif
@@ -242,16 +260,22 @@ int seccomp_filter_drop(bool native) {
242 list = cfg.seccomp_list32; 260 list = cfg.seccomp_list32;
243 } 261 }
244 262
245 if (list == NULL)
246 list = "";
247 // build the seccomp filter as a regular user 263 // build the seccomp filter as a regular user
248 int rv; 264 if (list)
249 if (arg_allow_debuggers) 265 if (arg_allow_debuggers)
250 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7, 266 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7,
251 PATH_FSECCOMP, command, "drop", filter, postexec_filter, list, "allow-debuggers"); 267 PATH_FSECCOMP, command, "drop", filter, postexec_filter, list, "allow-debuggers");
268 else
269 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6,
270 PATH_FSECCOMP, command, "drop", filter, postexec_filter, list);
252 else 271 else
253 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6, 272 if (arg_allow_debuggers)
254 PATH_FSECCOMP, command, "drop", filter, postexec_filter, list); 273 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4,
274 PATH_FSECCOMP, command, filter, "allow-debuggers");
275 else
276 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
277 PATH_FSECCOMP, command, filter);
278
255 if (rv) 279 if (rv)
256 exit(rv); 280 exit(rv);
257 281
diff --git a/src/firejail/util.c b/src/firejail/util.c
index a3927cc88..911c8bd94 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -565,27 +565,18 @@ char *clean_pathname(const char *path) {
565 if (!rv) 565 if (!rv)
566 errExit("malloc"); 566 errExit("malloc");
567 567
568 if (len > 0) { 568 size_t i = 0;
569 size_t i = 0, j = 0, cnt = 0; 569 size_t j = 0;
570 for (; i < len; i++) { 570 while (path[i]) {
571 if (path[i] == '/') 571 while (path[i] == '/' && path[i+1] == '/')
572 cnt++; 572 i++;
573 else 573 rv[j++] = path[i++];
574 cnt = 0;
575
576 if (cnt < 2) {
577 rv[j] = path[i];
578 j++;
579 }
580 }
581 rv[j] = '\0';
582
583 // remove a trailing slash
584 if (j > 1 && rv[j - 1] == '/')
585 rv[j - 1] = '\0';
586 } 574 }
587 else 575 rv[j] = '\0';
588 *rv = '\0'; 576
577 // remove a trailing slash
578 if (j > 1 && rv[j - 1] == '/')
579 rv[j - 1] = '\0';
589 580
590 return rv; 581 return rv;
591} 582}
@@ -820,20 +811,6 @@ void notify_other(int fd) {
820 fclose(stream); 811 fclose(stream);
821} 812}
822 813
823
824
825
826// Equivalent to the GNU version of basename, which is incompatible with
827// the POSIX basename. A few lines of code saves any portability pain.
828// https://www.gnu.org/software/libc/manual/html_node/Finding-Tokens-in-a-String.html#index-basename
829const char *gnu_basename(const char *path) {
830 const char *last_slash = strrchr(path, '/');
831 if (!last_slash)
832 return path;
833 return last_slash+1;
834}
835
836
837uid_t pid_get_uid(pid_t pid) { 814uid_t pid_get_uid(pid_t pid) {
838 EUID_ASSERT(); 815 EUID_ASSERT();
839 uid_t rv = 0; 816 uid_t rv = 0;
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 4872a5207..1121ec84e 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -41,7 +41,7 @@
41// Parse the DISPLAY environment variable and return a display number. 41// Parse the DISPLAY environment variable and return a display number.
42// Returns -1 if DISPLAY is not set, or is set to anything other than :ddd. 42// Returns -1 if DISPLAY is not set, or is set to anything other than :ddd.
43int x11_display(void) { 43int x11_display(void) {
44 const char *display_str = getenv("DISPLAY"); 44 const char *display_str = env_get("DISPLAY");
45 char *endp; 45 char *endp;
46 unsigned long display; 46 unsigned long display;
47 47
@@ -208,7 +208,7 @@ void x11_start_xvfb(int argc, char **argv) {
208 pid_t jail = 0; 208 pid_t jail = 0;
209 pid_t server = 0; 209 pid_t server = 0;
210 210
211 setenv("FIREJAIL_X11", "yes", 1); 211 env_store_name_val("FIREJAIL_X11", "yes", SETENV);
212 212
213 // never try to run X servers as root!!! 213 // never try to run X servers as root!!!
214 if (getuid() == 0) { 214 if (getuid() == 0) {
@@ -326,7 +326,11 @@ void x11_start_xvfb(int argc, char **argv) {
326 if (arg_debug) 326 if (arg_debug)
327 printf("Starting xvfb...\n"); 327 printf("Starting xvfb...\n");
328 328
329 // restore original environment variables
330 env_apply_all();
331
329 // running without privileges - see drop_privs call above 332 // running without privileges - see drop_privs call above
333 assert(env_get("LD_PRELOAD") == NULL);
330 assert(getenv("LD_PRELOAD") == NULL); 334 assert(getenv("LD_PRELOAD") == NULL);
331 execvp(server_argv[0], server_argv); 335 execvp(server_argv[0], server_argv);
332 perror("execvp"); 336 perror("execvp");
@@ -355,7 +359,7 @@ void x11_start_xvfb(int argc, char **argv) {
355 free(fname); 359 free(fname);
356 360
357 assert(display_str); 361 assert(display_str);
358 setenv("DISPLAY", display_str, 1); 362 env_store_name_val("DISPLAY", display_str, SETENV);
359 // run attach command 363 // run attach command
360 jail = fork(); 364 jail = fork();
361 if (jail < 0) 365 if (jail < 0)
@@ -363,7 +367,11 @@ void x11_start_xvfb(int argc, char **argv) {
363 if (jail == 0) { 367 if (jail == 0) {
364 fmessage("\n*** Attaching to Xvfb display %d ***\n\n", display); 368 fmessage("\n*** Attaching to Xvfb display %d ***\n\n", display);
365 369
370 // restore original environment variables
371 env_apply_all();
372
366 // running without privileges - see drop_privs call above 373 // running without privileges - see drop_privs call above
374 assert(env_get("LD_PRELOAD") == NULL);
367 assert(getenv("LD_PRELOAD") == NULL); 375 assert(getenv("LD_PRELOAD") == NULL);
368 execvp(jail_argv[0], jail_argv); 376 execvp(jail_argv[0], jail_argv);
369 perror("execvp"); 377 perror("execvp");
@@ -428,7 +436,7 @@ void x11_start_xephyr(int argc, char **argv) {
428 if (newscreen) 436 if (newscreen)
429 xephyr_screen = newscreen; 437 xephyr_screen = newscreen;
430 438
431 setenv("FIREJAIL_X11", "yes", 1); 439 env_store_name_val("FIREJAIL_X11", "yes", SETENV);
432 440
433 // unfortunately, xephyr does a number of weird things when started by root user!!! 441 // unfortunately, xephyr does a number of weird things when started by root user!!!
434 if (getuid() == 0) { 442 if (getuid() == 0) {
@@ -556,7 +564,11 @@ void x11_start_xephyr(int argc, char **argv) {
556 if (arg_debug) 564 if (arg_debug)
557 printf("Starting xephyr...\n"); 565 printf("Starting xephyr...\n");
558 566
567 // restore original environment variables
568 env_apply_all();
569
559 // running without privileges - see drop_privs call above 570 // running without privileges - see drop_privs call above
571 assert(env_get("LD_PRELOAD") == NULL);
560 assert(getenv("LD_PRELOAD") == NULL); 572 assert(getenv("LD_PRELOAD") == NULL);
561 execvp(server_argv[0], server_argv); 573 execvp(server_argv[0], server_argv);
562 perror("execvp"); 574 perror("execvp");
@@ -585,7 +597,7 @@ void x11_start_xephyr(int argc, char **argv) {
585 free(fname); 597 free(fname);
586 598
587 assert(display_str); 599 assert(display_str);
588 setenv("DISPLAY", display_str, 1); 600 env_store_name_val("DISPLAY", display_str, SETENV);
589 // run attach command 601 // run attach command
590 jail = fork(); 602 jail = fork();
591 if (jail < 0) 603 if (jail < 0)
@@ -594,8 +606,12 @@ void x11_start_xephyr(int argc, char **argv) {
594 if (!arg_quiet) 606 if (!arg_quiet)
595 printf("\n*** Attaching to Xephyr display %d ***\n\n", display); 607 printf("\n*** Attaching to Xephyr display %d ***\n\n", display);
596 608
609 // restore original environment variables
610 env_apply_all();
611
597 // running without privileges - see drop_privs call above 612 // running without privileges - see drop_privs call above
598 assert(getenv("LD_PRELOAD") == NULL); 613 assert(getenv("LD_PRELOAD") == NULL);
614 assert(env_get("LD_PRELOAD") == NULL);
599 execvp(jail_argv[0], jail_argv); 615 execvp(jail_argv[0], jail_argv);
600 perror("execvp"); 616 perror("execvp");
601 _exit(1); 617 _exit(1);
@@ -780,8 +796,12 @@ static void __attribute__((noreturn)) x11_start_xpra_old(int argc, char **argv,
780 dup2(fd_null,2); 796 dup2(fd_null,2);
781 } 797 }
782 798
799 // restore original environment variables
800 env_apply_all();
801
783 // running without privileges - see drop_privs call above 802 // running without privileges - see drop_privs call above
784 assert(getenv("LD_PRELOAD") == NULL); 803 assert(getenv("LD_PRELOAD") == NULL);
804 assert(env_get("LD_PRELOAD") == NULL);
785 execvp(server_argv[0], server_argv); 805 execvp(server_argv[0], server_argv);
786 perror("execvp"); 806 perror("execvp");
787 _exit(1); 807 _exit(1);
@@ -827,7 +847,11 @@ static void __attribute__((noreturn)) x11_start_xpra_old(int argc, char **argv,
827 847
828 fmessage("\n*** Attaching to xpra display %d ***\n\n", display); 848 fmessage("\n*** Attaching to xpra display %d ***\n\n", display);
829 849
850 // restore original environment variables
851 env_apply_all();
852
830 // running without privileges - see drop_privs call above 853 // running without privileges - see drop_privs call above
854 assert(env_get("LD_PRELOAD") == NULL);
831 assert(getenv("LD_PRELOAD") == NULL); 855 assert(getenv("LD_PRELOAD") == NULL);
832 execvp(attach_argv[0], attach_argv); 856 execvp(attach_argv[0], attach_argv);
833 perror("execvp"); 857 perror("execvp");
@@ -835,7 +859,7 @@ static void __attribute__((noreturn)) x11_start_xpra_old(int argc, char **argv,
835 } 859 }
836 860
837 assert(display_str); 861 assert(display_str);
838 setenv("DISPLAY", display_str, 1); 862 env_store_name_val("DISPLAY", display_str, SETENV);
839 863
840 // build jail command 864 // build jail command
841 char *firejail_argv[argc+2]; 865 char *firejail_argv[argc+2];
@@ -857,7 +881,12 @@ static void __attribute__((noreturn)) x11_start_xpra_old(int argc, char **argv,
857 errExit("fork"); 881 errExit("fork");
858 if (jail == 0) { 882 if (jail == 0) {
859 // running without privileges - see drop_privs call above 883 // running without privileges - see drop_privs call above
884 assert(env_get("LD_PRELOAD") == NULL);
860 assert(getenv("LD_PRELOAD") == NULL); 885 assert(getenv("LD_PRELOAD") == NULL);
886
887 // restore original environment variables
888 env_apply_all();
889
861 if (firejail_argv[0]) // shut up llvm scan-build 890 if (firejail_argv[0]) // shut up llvm scan-build
862 execvp(firejail_argv[0], firejail_argv); 891 execvp(firejail_argv[0], firejail_argv);
863 perror("execvp"); 892 perror("execvp");
@@ -883,7 +912,12 @@ static void __attribute__((noreturn)) x11_start_xpra_old(int argc, char **argv,
883 dup2(fd_null,1); 912 dup2(fd_null,1);
884 dup2(fd_null,2); 913 dup2(fd_null,2);
885 } 914 }
915
916 // restore original environment variables
917 env_apply_all();
918
886 // running without privileges - see drop_privs call above 919 // running without privileges - see drop_privs call above
920 assert(env_get("LD_PRELOAD") == NULL);
887 assert(getenv("LD_PRELOAD") == NULL); 921 assert(getenv("LD_PRELOAD") == NULL);
888 execvp(stop_argv[0], stop_argv); 922 execvp(stop_argv[0], stop_argv);
889 perror("execvp"); 923 perror("execvp");
@@ -1051,7 +1085,11 @@ static void __attribute__((noreturn)) x11_start_xpra_new(int argc, char **argv,
1051 dup2(fd_null,2); 1085 dup2(fd_null,2);
1052 } 1086 }
1053 1087
1088 // restore original environment variables
1089 env_apply_all();
1090
1054 // running without privileges - see drop_privs call above 1091 // running without privileges - see drop_privs call above
1092 assert(env_get("LD_PRELOAD") == NULL);
1055 assert(getenv("LD_PRELOAD") == NULL); 1093 assert(getenv("LD_PRELOAD") == NULL);
1056 execvp(server_argv[0], server_argv); 1094 execvp(server_argv[0], server_argv);
1057 perror("execvp"); 1095 perror("execvp");
@@ -1072,7 +1110,7 @@ static void __attribute__((noreturn)) x11_start_xpra_new(int argc, char **argv,
1072void x11_start_xpra(int argc, char **argv) { 1110void x11_start_xpra(int argc, char **argv) {
1073 EUID_ASSERT(); 1111 EUID_ASSERT();
1074 1112
1075 setenv("FIREJAIL_X11", "yes", 1); 1113 env_store_name_val("FIREJAIL_X11", "yes", SETENV);
1076 1114
1077 // unfortunately, xpra does a number of weird things when started by root user!!! 1115 // unfortunately, xpra does a number of weird things when started by root user!!!
1078 if (getuid() == 0) { 1116 if (getuid() == 0) {
@@ -1134,7 +1172,7 @@ void x11_xorg(void) {
1134#ifdef HAVE_X11 1172#ifdef HAVE_X11
1135 1173
1136 // get DISPLAY env 1174 // get DISPLAY env
1137 char *display = getenv("DISPLAY"); 1175 const char *display = env_get("DISPLAY");
1138 if (!display) { 1176 if (!display) {
1139 fputs("Error: --x11=xorg requires an 'outer' X11 server to use.\n", stderr); 1177 fputs("Error: --x11=xorg requires an 'outer' X11 server to use.\n", stderr);
1140 exit(1); 1178 exit(1);
@@ -1259,7 +1297,7 @@ void x11_xorg(void) {
1259 ASSERT_PERMS(dest, getuid(), getgid(), 0600); 1297 ASSERT_PERMS(dest, getuid(), getgid(), 0600);
1260 1298
1261 // blacklist user .Xauthority file if it is not masked already 1299 // blacklist user .Xauthority file if it is not masked already
1262 char *envar = getenv("XAUTHORITY"); 1300 const char *envar = env_get("XAUTHORITY");
1263 if (envar) { 1301 if (envar) {
1264 char *rp = realpath(envar, NULL); 1302 char *rp = realpath(envar, NULL);
1265 if (rp) { 1303 if (rp) {
@@ -1269,8 +1307,7 @@ void x11_xorg(void) {
1269 } 1307 }
1270 } 1308 }
1271 // set environment variable 1309 // set environment variable
1272 if (setenv("XAUTHORITY", dest, 1) < 0) 1310 env_store_name_val("XAUTHORITY", dest, SETENV);
1273 errExit("setenv");
1274 free(dest); 1311 free(dest);
1275 1312
1276 // mask RUN_XAUTHORITY_SEC_DIR 1313 // mask RUN_XAUTHORITY_SEC_DIR
@@ -1391,7 +1428,7 @@ void x11_block(void) {
1391 errExit("strdup"); 1428 errExit("strdup");
1392 profile_check_line(cmd, 0, NULL); 1429 profile_check_line(cmd, 0, NULL);
1393 profile_add(cmd); 1430 profile_add(cmd);
1394 char *xauthority = getenv("XAUTHORITY"); 1431 const char *xauthority = env_get("XAUTHORITY");
1395 if (xauthority) { 1432 if (xauthority) {
1396 char *line; 1433 char *line;
1397 if (asprintf(&line, "blacklist %s", xauthority) == -1) 1434 if (asprintf(&line, "blacklist %s", xauthority) == -1)
diff --git a/src/firemon/Makefile.in b/src/firemon/Makefile.in
index f2513213c..9ee798fe9 100644
--- a/src/firemon/Makefile.in
+++ b/src/firemon/Makefile.in
@@ -2,7 +2,7 @@ all: firemon
2 2
3include ../common.mk 3include ../common.mk
4 4
5%.o : %.c $(H_FILE_LIST) 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/pid.h
6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
7 7
8firemon: $(OBJS) ../lib/common.o ../lib/pid.o 8firemon: $(OBJS) ../lib/common.o ../lib/pid.o
diff --git a/src/fldd/Makefile.in b/src/fldd/Makefile.in
index 53382c2df..37b139d38 100644
--- a/src/fldd/Makefile.in
+++ b/src/fldd/Makefile.in
@@ -5,8 +5,8 @@ include ../common.mk
5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h ../include/ldd_utils.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h ../include/ldd_utils.h
6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
7 7
8fldd: $(OBJS) ../lib/ldd_utils.o 8fldd: $(OBJS) ../lib/common.o ../lib/ldd_utils.o
9 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS)
10 10
11clean:; rm -fr *.o fldd *.gcov *.gcda *.gcno *.plist 11clean:; rm -fr *.o fldd *.gcov *.gcda *.gcno *.plist
12 12
diff --git a/src/fldd/main.c b/src/fldd/main.c
index d68504f6b..55a0dfcce 100644
--- a/src/fldd/main.c
+++ b/src/fldd/main.c
@@ -24,7 +24,6 @@
24#include <fcntl.h> 24#include <fcntl.h>
25#include <sys/mman.h> 25#include <sys/mman.h>
26#include <sys/mount.h> 26#include <sys/mount.h>
27#include <sys/prctl.h>
28#include <sys/stat.h> 27#include <sys/stat.h>
29#include <sys/types.h> 28#include <sys/types.h>
30#include <unistd.h> 29#include <unistd.h>
@@ -303,10 +302,7 @@ printf("\n");
303 return 0; 302 return 0;
304 } 303 }
305 304
306#ifdef WARN_DUMPABLE 305 warn_dumpable();
307 if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())
308 fprintf(stderr, "Error fldd: I am dumpable\n");
309#endif
310 306
311 // check program access 307 // check program access
312 if (access(argv[1], R_OK)) { 308 if (access(argv[1], R_OK)) {
diff --git a/src/fnet/Makefile.in b/src/fnet/Makefile.in
index 37566db72..bd5fe9e7a 100644
--- a/src/fnet/Makefile.in
+++ b/src/fnet/Makefile.in
@@ -5,8 +5,8 @@ include ../common.mk
5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h
6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
7 7
8fnet: $(OBJS) ../lib/libnetlink.o 8fnet: $(OBJS) ../lib/common.o ../lib/libnetlink.o
9 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS)
10 10
11clean:; rm -fr *.o fnet *.gcov *.gcda *.gcno *.plist 11clean:; rm -fr *.o fnet *.gcov *.gcda *.gcno *.plist
12 12
diff --git a/src/fnet/main.c b/src/fnet/main.c
index f6316a7fe..db090fb95 100644
--- a/src/fnet/main.c
+++ b/src/fnet/main.c
@@ -21,7 +21,6 @@
21#include <sys/types.h> 21#include <sys/types.h>
22#include <sys/stat.h> 22#include <sys/stat.h>
23#include <sys/utsname.h> 23#include <sys/utsname.h>
24#include <sys/prctl.h>
25 24
26int arg_quiet = 0; 25int arg_quiet = 0;
27 26
@@ -69,10 +68,9 @@ printf("\n");
69 usage(); 68 usage();
70 return 0; 69 return 0;
71 } 70 }
72#ifdef WARN_DUMPABLE 71
73 if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid()) 72 warn_dumpable();
74 fprintf(stderr, "Error fnet: I am dumpable\n"); 73
75#endif
76 char *quiet = getenv("FIREJAIL_QUIET"); 74 char *quiet = getenv("FIREJAIL_QUIET");
77 if (quiet && strcmp(quiet, "yes") == 0) 75 if (quiet && strcmp(quiet, "yes") == 0)
78 arg_quiet = 1; 76 arg_quiet = 1;
diff --git a/src/fnetfilter/Makefile.in b/src/fnetfilter/Makefile.in
index 055167192..6fe650a17 100644
--- a/src/fnetfilter/Makefile.in
+++ b/src/fnetfilter/Makefile.in
@@ -5,8 +5,8 @@ include ../common.mk
5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
7 7
8fnetfilter: $(OBJS) 8fnetfilter: $(OBJS) ../lib/common.o
9 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
10 10
11clean:; rm -fr *.o fnetfilter *.gcov *.gcda *.gcno *.plist 11clean:; rm -fr *.o fnetfilter *.gcov *.gcda *.gcno *.plist
12 12
diff --git a/src/fnetfilter/main.c b/src/fnetfilter/main.c
index 1ca35ab56..381d0d36e 100644
--- a/src/fnetfilter/main.c
+++ b/src/fnetfilter/main.c
@@ -18,7 +18,6 @@
18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19*/ 19*/
20#include "../include/common.h" 20#include "../include/common.h"
21#include <sys/prctl.h>
22 21
23#define MAXBUF 4098 22#define MAXBUF 4098
24#define MAXARGS 16 23#define MAXARGS 16
@@ -181,10 +180,9 @@ printf("\n");
181 usage(); 180 usage();
182 return 1; 181 return 1;
183 } 182 }
184#ifdef WARN_DUMPABLE 183
185 if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid()) 184 warn_dumpable();
186 fprintf(stderr, "Error fnetfilter: I am dumpable\n"); 185
187#endif
188 char *destfile = (argc == 3)? argv[2]: argv[1]; 186 char *destfile = (argc == 3)? argv[2]: argv[1];
189 char *command = (argc == 3)? argv[1]: NULL; 187 char *command = (argc == 3)? argv[1]: NULL;
190//printf("command %s\n", command); 188//printf("command %s\n", command);
diff --git a/src/fsec-optimize/Makefile.in b/src/fsec-optimize/Makefile.in
index 0387f7ec7..cc5ac7e35 100644
--- a/src/fsec-optimize/Makefile.in
+++ b/src/fsec-optimize/Makefile.in
@@ -5,8 +5,8 @@ include ../common.mk
5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h
6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
7 7
8fsec-optimize: $(OBJS) ../lib/libnetlink.o 8fsec-optimize: $(OBJS) ../lib/common.o ../lib/libnetlink.o
9 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o $(LIBS) $(EXTRA_LDFLAGS)
10 10
11clean:; rm -fr *.o fsec-optimize *.gcov *.gcda *.gcno *.plist 11clean:; rm -fr *.o fsec-optimize *.gcov *.gcda *.gcno *.plist
12 12
diff --git a/src/fsec-optimize/fsec_optimize.h b/src/fsec-optimize/fsec_optimize.h
index 034fde2ac..211111641 100644
--- a/src/fsec-optimize/fsec_optimize.h
+++ b/src/fsec-optimize/fsec_optimize.h
@@ -22,7 +22,6 @@
22#include "../include/common.h" 22#include "../include/common.h"
23#include "../include/seccomp.h" 23#include "../include/seccomp.h"
24#include <sys/mman.h> 24#include <sys/mman.h>
25#include <sys/prctl.h>
26 25
27// optimize.c 26// optimize.c
28struct sock_filter *duplicate(struct sock_filter *filter, int entries); 27struct sock_filter *duplicate(struct sock_filter *filter, int entries);
diff --git a/src/fsec-optimize/main.c b/src/fsec-optimize/main.c
index fb13eeca8..c64587068 100644
--- a/src/fsec-optimize/main.c
+++ b/src/fsec-optimize/main.c
@@ -18,6 +18,9 @@
18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19*/ 19*/
20#include "fsec_optimize.h" 20#include "fsec_optimize.h"
21#include "../include/syscall.h"
22
23int arg_seccomp_error_action = SECCOMP_RET_ERRNO | EPERM; // error action: errno, log or kill
21 24
22static void usage(void) { 25static void usage(void) {
23 printf("Usage:\n"); 26 printf("Usage:\n");
@@ -44,11 +47,21 @@ printf("\n");
44 return 0; 47 return 0;
45 } 48 }
46 49
47#ifdef WARN_DUMPABLE 50 warn_dumpable();
48 // check FIREJAIL_PLUGIN in order to not print a warning during make 51
49 if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN")) 52 char *error_action = getenv("FIREJAIL_SECCOMP_ERROR_ACTION");
50 fprintf(stderr, "Error fsec-optimize: I am dumpable\n"); 53 if (error_action) {
51#endif 54 if (strcmp(error_action, "kill") == 0)
55 arg_seccomp_error_action = SECCOMP_RET_KILL;
56 else if (strcmp(error_action, "log") == 0)
57 arg_seccomp_error_action = SECCOMP_RET_LOG;
58 else {
59 arg_seccomp_error_action = errno_find_name(error_action);
60 if (arg_seccomp_error_action == -1)
61 errExit("seccomp-error-action: unknown errno");
62 arg_seccomp_error_action |= SECCOMP_RET_ERRNO;
63 }
64 }
52 65
53 char *fname = argv[1]; 66 char *fname = argv[1];
54 67
diff --git a/src/fsec-optimize/optimizer.c b/src/fsec-optimize/optimizer.c
index 776beaa75..eb777f13b 100644
--- a/src/fsec-optimize/optimizer.c
+++ b/src/fsec-optimize/optimizer.c
@@ -33,7 +33,7 @@
33static inline int is_blacklist(struct sock_filter *bpf) { 33static inline int is_blacklist(struct sock_filter *bpf) {
34 if (bpf->code == BPF_JMP + BPF_JEQ + BPF_K && 34 if (bpf->code == BPF_JMP + BPF_JEQ + BPF_K &&
35 (bpf + 1)->code == BPF_RET + BPF_K && 35 (bpf + 1)->code == BPF_RET + BPF_K &&
36 (bpf + 1)->k == SECCOMP_RET_KILL ) 36 (bpf + 1)->k == (__u32)arg_seccomp_error_action)
37 return 1; 37 return 1;
38 return 0; 38 return 0;
39} 39}
@@ -89,9 +89,9 @@ static int optimize_blacklists(struct sock_filter *filter, int entries) {
89 } 89 }
90 } 90 }
91 91
92 // step 3: add the new ret KILL, and recalculate entries 92 // step 3: add the new ret KILL/LOG/ERRNO, and recalculate entries
93 filter_step2[j].code = BPF_RET + BPF_K; 93 filter_step2[j].code = BPF_RET + BPF_K;
94 filter_step2[j].k = SECCOMP_RET_KILL; 94 filter_step2[j].k = arg_seccomp_error_action;
95 entries = j + 1; 95 entries = j + 1;
96 96
97 // step 4: recalculate jumps 97 // step 4: recalculate jumps
diff --git a/src/fsec-print/Makefile.in b/src/fsec-print/Makefile.in
index a30ff4ba3..bf39a8c77 100644
--- a/src/fsec-print/Makefile.in
+++ b/src/fsec-print/Makefile.in
@@ -5,8 +5,8 @@ include ../common.mk
5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h
6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
7 7
8fsec-print: $(OBJS) ../lib/libnetlink.o ../lib/errno.o ../lib/syscall.o 8fsec-print: $(OBJS) ../lib/common.o ../lib/libnetlink.o ../lib/errno.o ../lib/syscall.o
9 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
10 10
11clean:; rm -fr *.o fsec-print *.gcov *.gcda *.gcno *.plist 11clean:; rm -fr *.o fsec-print *.gcov *.gcda *.gcno *.plist
12 12
diff --git a/src/fsec-print/fsec_print.h b/src/fsec-print/fsec_print.h
index 9d17e3f18..337199288 100644
--- a/src/fsec-print/fsec_print.h
+++ b/src/fsec-print/fsec_print.h
@@ -23,7 +23,6 @@
23#include "../include/seccomp.h" 23#include "../include/seccomp.h"
24#include "../include/syscall.h" 24#include "../include/syscall.h"
25#include <sys/mman.h> 25#include <sys/mman.h>
26#include <sys/prctl.h>
27 26
28// print.c 27// print.c
29void print(struct sock_filter *filter, int entries); 28void print(struct sock_filter *filter, int entries);
diff --git a/src/fsec-print/main.c b/src/fsec-print/main.c
index d1f056e47..ed030db21 100644
--- a/src/fsec-print/main.c
+++ b/src/fsec-print/main.c
@@ -61,10 +61,7 @@ printf("\n");
61 return 0; 61 return 0;
62 } 62 }
63 63
64#ifdef WARN_DUMPABLE 64 warn_dumpable();
65 if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())
66 fprintf(stderr, "Error fsec-print: I am dumpable\n");
67#endif
68 65
69 char *fname = argv[1]; 66 char *fname = argv[1];
70 67
diff --git a/src/fseccomp/Makefile.in b/src/fseccomp/Makefile.in
index 8623db6f8..b776a73ce 100644
--- a/src/fseccomp/Makefile.in
+++ b/src/fseccomp/Makefile.in
@@ -5,8 +5,8 @@ include ../common.mk
5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
7 7
8fseccomp: $(OBJS) ../lib/errno.o ../lib/syscall.o 8fseccomp: $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o
9 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
10 10
11clean:; rm -fr *.o fseccomp *.gcov *.gcda *.gcno *.plist 11clean:; rm -fr *.o fseccomp *.gcov *.gcda *.gcno *.plist
12 12
diff --git a/src/fseccomp/fseccomp.h b/src/fseccomp/fseccomp.h
index e40999938..e8dd083b6 100644
--- a/src/fseccomp/fseccomp.h
+++ b/src/fseccomp/fseccomp.h
@@ -23,7 +23,6 @@
23#include <stdlib.h> 23#include <stdlib.h>
24#include <string.h> 24#include <string.h>
25#include <assert.h> 25#include <assert.h>
26#include <sys/prctl.h>
27#include "../include/common.h" 26#include "../include/common.h"
28#include "../include/syscall.h" 27#include "../include/syscall.h"
29 28
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index f505ca0f3..f47efb5e8 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -20,7 +20,7 @@
20#include "fseccomp.h" 20#include "fseccomp.h"
21#include "../include/seccomp.h" 21#include "../include/seccomp.h"
22int arg_quiet = 0; 22int arg_quiet = 0;
23int arg_seccomp_error_action = EPERM; // error action: errno, log or kill 23int arg_seccomp_error_action = SECCOMP_RET_ERRNO | EPERM; // error action: errno, log or kill
24 24
25static void usage(void) { 25static void usage(void) {
26 printf("Usage:\n"); 26 printf("Usage:\n");
@@ -69,11 +69,7 @@ printf("\n");
69 return 0; 69 return 0;
70 } 70 }
71 71
72#ifdef WARN_DUMPABLE 72 warn_dumpable();
73 // check FIREJAIL_PLUGIN in order to not print a warning during make
74 if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN"))
75 fprintf(stderr, "Error fseccomp: I am dumpable\n");
76#endif
77 73
78 char *quiet = getenv("FIREJAIL_QUIET"); 74 char *quiet = getenv("FIREJAIL_QUIET");
79 if (quiet && strcmp(quiet, "yes") == 0) 75 if (quiet && strcmp(quiet, "yes") == 0)
diff --git a/src/fseccomp/seccomp_secondary.c b/src/fseccomp/seccomp_secondary.c
index f024859d3..b8e8d0a89 100644
--- a/src/fseccomp/seccomp_secondary.c
+++ b/src/fseccomp/seccomp_secondary.c
@@ -126,7 +126,7 @@ void seccomp_secondary_block(const char *fname) {
126 EXAMINE_SYSCALL, 126 EXAMINE_SYSCALL,
127#if defined(__x86_64__) 127#if defined(__x86_64__)
128 // block x32 128 // block x32
129 HANDLE_X32_KILL, 129 HANDLE_X32,
130#endif 130#endif
131 // block personality(2) where domain != PER_LINUX or 0xffffffff (query current personality) 131 // block personality(2) where domain != PER_LINUX or 0xffffffff (query current personality)
132 // 0: if personality(2), continue to 1, else goto 7 (allow) 132 // 0: if personality(2), continue to 1, else goto 7 (allow)
diff --git a/src/include/common.h b/src/include/common.h
index 5df51c5a9..5497929c7 100644
--- a/src/include/common.h
+++ b/src/include/common.h
@@ -38,11 +38,6 @@
38 38
39#define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0) 39#define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
40 40
41// check if processes run with dumpable flag set
42// currently we get "Error fseccomp: I am dumpable" every time we run a firejail build on Debian 8,
43// regardless what Debian version we run the build on
44//#define WARN_DUMPABLE
45
46// macro to print ip addresses in a printf statement 41// macro to print ip addresses in a printf statement
47#define PRINT_IP(A) \ 42#define PRINT_IP(A) \
48((int) (((A) >> 24) & 0xFF)), ((int) (((A) >> 16) & 0xFF)), ((int) (((A) >> 8) & 0xFF)), ((int) ( (A) & 0xFF)) 43((int) (((A) >> 24) & 0xFF)), ((int) (((A) >> 16) & 0xFF)), ((int) (((A) >> 8) & 0xFF)), ((int) ( (A) & 0xFF))
@@ -126,4 +121,6 @@ char *pid_proc_comm(const pid_t pid);
126char *pid_proc_cmdline(const pid_t pid); 121char *pid_proc_cmdline(const pid_t pid);
127int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid); 122int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid);
128int pid_hidepid(void); 123int pid_hidepid(void);
124void warn_dumpable(void);
125const char *gnu_basename(const char *path);
129#endif 126#endif
diff --git a/src/include/seccomp.h b/src/include/seccomp.h
index 90db16d39..b3b75c2d1 100644
--- a/src/include/seccomp.h
+++ b/src/include/seccomp.h
@@ -201,7 +201,7 @@
201#define VALIDATE_ARCHITECTURE_KILL \ 201#define VALIDATE_ARCHITECTURE_KILL \
202 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ 202 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
203 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \ 203 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \
204 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL) 204 KILL_OR_RETURN_ERRNO
205 205
206#define VALIDATE_ARCHITECTURE_64 \ 206#define VALIDATE_ARCHITECTURE_64 \
207 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ 207 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
@@ -222,11 +222,7 @@
222#define HANDLE_X32 \ 222#define HANDLE_X32 \
223 BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), \ 223 BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), \
224 BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), \ 224 BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), \
225 RETURN_ERRNO(EPERM) 225 KILL_OR_RETURN_ERRNO
226#define HANDLE_X32_KILL \
227 BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), \
228 BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), \
229 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
230#endif 226#endif
231 227
232#define EXAMINE_SYSCALL BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ 228#define EXAMINE_SYSCALL BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
@@ -258,6 +254,8 @@
258 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr) 254 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr)
259 255
260extern int arg_seccomp_error_action; // error action: errno, log or kill 256extern int arg_seccomp_error_action; // error action: errno, log or kill
257#define DEFAULT_SECCOMP_ERROR_ACTION EPERM
258
261#define KILL_OR_RETURN_ERRNO \ 259#define KILL_OR_RETURN_ERRNO \
262 BPF_STMT(BPF_RET+BPF_K, arg_seccomp_error_action) 260 BPF_STMT(BPF_RET+BPF_K, arg_seccomp_error_action)
263 261
diff --git a/src/include/syscall_armeabi.h b/src/include/syscall_armeabi.h
index cbdc67f37..3b574f875 100644
--- a/src/include/syscall_armeabi.h
+++ b/src/include/syscall_armeabi.h
@@ -42,6 +42,7 @@
42{ "exit", 1 }, 42{ "exit", 1 },
43{ "exit_group", 248 }, 43{ "exit_group", 248 },
44{ "faccessat", 334 }, 44{ "faccessat", 334 },
45{ "faccessat2", 439 },
45{ "fallocate", 352 }, 46{ "fallocate", 352 },
46{ "fanotify_init", 367 }, 47{ "fanotify_init", 367 },
47{ "fanotify_mark", 368 }, 48{ "fanotify_mark", 368 },
diff --git a/src/include/syscall_i386.h b/src/include/syscall_i386.h
index 4795e5b2a..752e11f24 100644
--- a/src/include/syscall_i386.h
+++ b/src/include/syscall_i386.h
@@ -54,6 +54,7 @@
54{ "exit", 1 }, 54{ "exit", 1 },
55{ "exit_group", 252 }, 55{ "exit_group", 252 },
56{ "faccessat", 307 }, 56{ "faccessat", 307 },
57{ "faccessat2", 439 },
57{ "fadvise64", 250 }, 58{ "fadvise64", 250 },
58{ "fadvise64_64", 272 }, 59{ "fadvise64_64", 272 },
59{ "fallocate", 324 }, 60{ "fallocate", 324 },
diff --git a/src/include/syscall_x86_64.h b/src/include/syscall_x86_64.h
index 539e874be..97f2762b1 100644
--- a/src/include/syscall_x86_64.h
+++ b/src/include/syscall_x86_64.h
@@ -47,6 +47,7 @@
47{ "exit", 60 }, 47{ "exit", 60 },
48{ "exit_group", 231 }, 48{ "exit_group", 231 },
49{ "faccessat", 269 }, 49{ "faccessat", 269 },
50{ "faccessat2", 439 },
50{ "fadvise64", 221 }, 51{ "fadvise64", 221 },
51{ "fallocate", 285 }, 52{ "fallocate", 285 },
52{ "fanotify_init", 300 }, 53{ "fanotify_init", 300 },
diff --git a/src/lib/common.c b/src/lib/common.c
index 823442835..ace5cb87e 100644
--- a/src/lib/common.c
+++ b/src/lib/common.c
@@ -267,7 +267,6 @@ int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid) {
267} 267}
268 268
269// return 1 if /proc is mounted hidepid, or if /proc/mouns access is denied 269// return 1 if /proc is mounted hidepid, or if /proc/mouns access is denied
270#define BUFLEN 4096
271int pid_hidepid(void) { 270int pid_hidepid(void) {
272 FILE *fp = fopen("/proc/mounts", "r"); 271 FILE *fp = fopen("/proc/mounts", "r");
273 if (!fp) 272 if (!fp)
@@ -288,6 +287,39 @@ int pid_hidepid(void) {
288 return 0; 287 return 0;
289} 288}
290 289
290// print error if unprivileged users can trace the process
291void warn_dumpable(void) {
292 if (getuid() != 0 && prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getenv("FIREJAIL_PLUGIN")) {
293 fprintf(stderr, "Error: dumpable process\n");
294
295 // best effort to provide detailed debug information
296 // cannot use process name, it is just a file descriptor number
297 char path[BUFLEN];
298 ssize_t len = readlink("/proc/self/exe", path, BUFLEN - 1);
299 if (len < 0)
300 return;
301 path[len] = '\0';
302 // path can refer to a sandbox mount namespace, use basename only
303 const char *base = gnu_basename(path);
304
305 struct stat s;
306 if (stat("/proc/self/exe", &s) == 0 && s.st_uid != 0)
307 fprintf(stderr, "Change owner of %s executable to root\n", base);
308 else if (access("/proc/self/exe", R_OK) == 0)
309 fprintf(stderr, "Remove read permission on %s executable\n", base);
310 }
311}
312
313// Equivalent to the GNU version of basename, which is incompatible with
314// the POSIX basename. A few lines of code saves any portability pain.
315// https://www.gnu.org/software/libc/manual/html_node/Finding-Tokens-in-a-String.html#index-basename
316const char *gnu_basename(const char *path) {
317 const char *last_slash = strrchr(path, '/');
318 if (!last_slash)
319 return path;
320 return last_slash+1;
321}
322
291//************************** 323//**************************
292// time trace based on getticks function 324// time trace based on getticks function
293//************************** 325//**************************
diff --git a/src/lib/syscall.c b/src/lib/syscall.c
index 4903971ad..758f1ce0b 100644
--- a/src/lib/syscall.c
+++ b/src/lib/syscall.c
@@ -336,6 +336,7 @@ static const SyscallGroupList sysgroups[] = {
336#endif 336#endif
337 }, 337 },
338 { .name = "@default-keep", .list = 338 { .name = "@default-keep", .list =
339 "execveat," // commonly used by fexecve
339 "execve," 340 "execve,"
340 "prctl" 341 "prctl"
341 }, 342 },
@@ -358,6 +359,9 @@ static const SyscallGroupList sysgroups[] = {
358#ifdef SYS_faccessat 359#ifdef SYS_faccessat
359 "faccessat," 360 "faccessat,"
360#endif 361#endif
362#ifdef SYS_faccessat2
363 "faccessat2,"
364#endif
361#ifdef SYS_fallocate 365#ifdef SYS_fallocate
362 "fallocate," 366 "fallocate,"
363#endif 367#endif
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt
index f3123356a..2c02aee47 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -61,7 +61,7 @@ $ sudo firecfg --add-users dustin lucas mike eleven
61 61
62.TP 62.TP
63\fB\-\-bindir=directory 63\fB\-\-bindir=directory
64Create and search symbolic links in directory instead of the default location /user/local/bin. 64Create and search symbolic links in directory instead of the default location /usr/local/bin.
65Directory should precede /usr/bin and /bin in the PATH environment variable. 65Directory should precede /usr/bin and /bin in the PATH environment variable.
66 66
67.TP 67.TP
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 9524254c1..5e77b5f70 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -266,7 +266,7 @@ Mount new /root and /home/user directories in temporary
266filesystems. All modifications are discarded when the sandbox is 266filesystems. All modifications are discarded when the sandbox is
267closed. 267closed.
268.TP 268.TP
269\fBprivate directory 269\fBprivate=directory
270Use directory as user home. 270Use directory as user home.
271.TP 271.TP
272\fBprivate-bin file,file 272\fBprivate-bin file,file
@@ -862,6 +862,11 @@ the parent interface specified by --net is not configured. An IP address and
862a default gateway address also have to be added. 862a default gateway address also have to be added.
863 863
864.TP 864.TP
865\fBnetns namespace
866Run the program in a named, persistent network namespace. These can
867be created and configured using "ip netns".
868
869.TP
865\fBveth-name name 870\fBveth-name name
866Use this name for the interface connected to the bridge for --net=bridge_interface commands, 871Use this name for the interface connected to the bridge for --net=bridge_interface commands,
867instead of the default one. 872instead of the default one.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 347e2b31b..e85a02ee8 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -693,6 +693,10 @@ Example:
693$ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox 693$ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox
694#endif 694#endif
695.TP 695.TP
696\fB\-\-deterministic-exit-code
697Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
698.br
699.TP
696\fB\-\-disable-mnt 700\fB\-\-disable-mnt
697Blacklist /mnt, /media, /run/mount and /run/media access. 701Blacklist /mnt, /media, /run/mount and /run/media access.
698.br 702.br
@@ -703,10 +707,6 @@ Example:
703$ firejail \-\-disable-mnt firefox 707$ firejail \-\-disable-mnt firefox
704 708
705.TP 709.TP
706\fB\-\-deterministic-exit-code
707Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
708
709.TP
710\fB\-\-dns=address 710\fB\-\-dns=address
711Set a DNS server for the sandbox. Up to three DNS servers can be defined. 711Set a DNS server for the sandbox. Up to three DNS servers can be defined.
712Use this option if you don't trust the DNS setup on your network. 712Use this option if you don't trust the DNS setup on your network.
@@ -1317,7 +1317,7 @@ $ firejail --netfilter=/etc/firejail/webserver.net --net=eth0 \\
1317.br 1317.br
1318 1318
1319.br 1319.br
1320.B nolocal.net 1320.B nolocal.net/nolocal6.net
1321is a desktop client firewall that disable access to local network. Example: 1321is a desktop client firewall that disable access to local network. Example:
1322.br 1322.br
1323 1323
@@ -2273,7 +2273,7 @@ rm: cannot remove `testfile': Operation not permitted
2273.TP 2273.TP
2274\fB\-\-seccomp.keep=syscall,@group,!syscall2 2274\fB\-\-seccomp.keep=syscall,@group,!syscall2
2275Enable seccomp filter, blacklist all syscall not listed and "syscall2". 2275Enable seccomp filter, blacklist all syscall not listed and "syscall2".
2276The system calls needed by Firejail (group @default-keep: prctl, execve) 2276The system calls needed by Firejail (group @default-keep: prctl, execve, execveat)
2277are handled with the preload library. On a 64 bit architecture, an 2277are handled with the preload library. On a 64 bit architecture, an
2278additional filter for 32 bit system calls can be installed with 2278additional filter for 32 bit system calls can be installed with
2279\-\-seccomp.32.keep. 2279\-\-seccomp.32.keep.
diff --git a/src/profstats/main.c b/src/profstats/main.c
index 4c1221464..68f62831b 100644
--- a/src/profstats/main.c
+++ b/src/profstats/main.c
@@ -30,6 +30,8 @@ static int cnt_seccomp = 0;
30static int cnt_caps = 0; 30static int cnt_caps = 0;
31static int cnt_dbus_system_none = 0; 31static int cnt_dbus_system_none = 0;
32static int cnt_dbus_user_none = 0; 32static int cnt_dbus_user_none = 0;
33static int cnt_dbus_system_filter = 0;
34static int cnt_dbus_user_filter = 0;
33static int cnt_dotlocal = 0; 35static int cnt_dotlocal = 0;
34static int cnt_globalsdotlocal = 0; 36static int cnt_globalsdotlocal = 0;
35static int cnt_netnone = 0; 37static int cnt_netnone = 0;
@@ -107,6 +109,7 @@ void process_file(const char *fname) {
107 return; 109 return;
108 } 110 }
109 111
112 int have_include_local = 0;
110 char buf[MAXBUF]; 113 char buf[MAXBUF];
111 while (fgets(buf, MAXBUF, fp)) { 114 while (fgets(buf, MAXBUF, fp)) {
112 char *ptr = strchr(buf, '\n'); 115 char *ptr = strchr(buf, '\n');
@@ -152,11 +155,16 @@ void process_file(const char *fname) {
152 cnt_privateetc++; 155 cnt_privateetc++;
153 else if (strncmp(ptr, "dbus-system none", 16) == 0) 156 else if (strncmp(ptr, "dbus-system none", 16) == 0)
154 cnt_dbus_system_none++; 157 cnt_dbus_system_none++;
158 else if (strncmp(ptr, "dbus-system", 11) == 0)
159 cnt_dbus_system_filter++;
155 else if (strncmp(ptr, "dbus-user none", 14) == 0) 160 else if (strncmp(ptr, "dbus-user none", 14) == 0)
156 cnt_dbus_user_none++; 161 cnt_dbus_user_none++;
162 else if (strncmp(ptr, "dbus-user", 9) == 0)
163 cnt_dbus_user_filter++;
157 else if (strncmp(ptr, "include ", 8) == 0) { 164 else if (strncmp(ptr, "include ", 8) == 0) {
158 // not processing .local files 165 // not processing .local files
159 if (strstr(ptr, ".local")) { 166 if (strstr(ptr, ".local")) {
167 have_include_local = 1;
160//printf("dotlocal %d, level %d - #%s#, redirect #%s#\n", cnt_dotlocal, level, fname, buf + 8); 168//printf("dotlocal %d, level %d - #%s#, redirect #%s#\n", cnt_dotlocal, level, fname, buf + 8);
161 if (strstr(ptr, "globals.local")) 169 if (strstr(ptr, "globals.local"))
162 cnt_globalsdotlocal++; 170 cnt_globalsdotlocal++;
@@ -174,6 +182,8 @@ void process_file(const char *fname) {
174 } 182 }
175 183
176 fclose(fp); 184 fclose(fp);
185 if (!have_include_local)
186 printf("No include .local found in %s\n", fname);
177 level--; 187 level--;
178} 188}
179 189
@@ -257,7 +267,9 @@ int main(int argc, char **argv) {
257 int whitelistrunuser = cnt_whitelistrunuser; 267 int whitelistrunuser = cnt_whitelistrunuser;
258 int whitelistusrshare = cnt_whitelistusrshare; 268 int whitelistusrshare = cnt_whitelistusrshare;
259 int dbussystemnone = cnt_dbus_system_none; 269 int dbussystemnone = cnt_dbus_system_none;
270 int dbussystemfilter = cnt_dbus_system_filter;
260 int dbususernone = cnt_dbus_user_none; 271 int dbususernone = cnt_dbus_user_none;
272 int dbususerfilter = cnt_dbus_user_filter;
261 int ssh = cnt_ssh; 273 int ssh = cnt_ssh;
262 int mdwx = cnt_mdwx; 274 int mdwx = cnt_mdwx;
263 275
@@ -278,6 +290,16 @@ int main(int argc, char **argv) {
278 cnt_globalsdotlocal = globalsdotlocal + 1; 290 cnt_globalsdotlocal = globalsdotlocal + 1;
279 if (cnt_whitelistrunuser > (whitelistrunuser + 1)) 291 if (cnt_whitelistrunuser > (whitelistrunuser + 1))
280 cnt_whitelistrunuser = whitelistrunuser + 1; 292 cnt_whitelistrunuser = whitelistrunuser + 1;
293 if (cnt_seccomp > (seccomp + 1))
294 cnt_seccomp = seccomp + 1;
295 if (cnt_dbus_user_none > (dbususernone + 1))
296 cnt_dbus_user_none = dbususernone + 1;
297 if (cnt_dbus_user_filter > (dbususerfilter + 1))
298 cnt_dbus_user_filter = dbususerfilter + 1;
299 if (cnt_dbus_system_none > (dbussystemnone + 1))
300 cnt_dbus_system_none = dbussystemnone + 1;
301 if (cnt_dbus_system_filter > (dbussystemfilter + 1))
302 cnt_dbus_system_filter = dbussystemfilter + 1;
281 303
282 if (arg_dbus_system_none && dbussystemnone == cnt_dbus_system_none) 304 if (arg_dbus_system_none && dbussystemnone == cnt_dbus_system_none)
283 printf("No dbus-system none found in %s\n", argv[i]); 305 printf("No dbus-system none found in %s\n", argv[i]);
@@ -337,7 +359,9 @@ int main(int argc, char **argv) {
337 printf(" whitelist usr/share\t\t%d (include whitelist-usr-share-common.inc\n", cnt_whitelistusrshare); 359 printf(" whitelist usr/share\t\t%d (include whitelist-usr-share-common.inc\n", cnt_whitelistusrshare);
338 printf(" net none\t\t\t%d\n", cnt_netnone); 360 printf(" net none\t\t\t%d\n", cnt_netnone);
339 printf(" dbus-user none \t\t%d\n", cnt_dbus_user_none); 361 printf(" dbus-user none \t\t%d\n", cnt_dbus_user_none);
362 printf(" dbus-user filter \t\t%d\n", cnt_dbus_user_filter);
340 printf(" dbus-system none \t\t%d\n", cnt_dbus_system_none); 363 printf(" dbus-system none \t\t%d\n", cnt_dbus_system_none);
364 printf(" dbus-system filter \t\t%d\n", cnt_dbus_system_filter);
341 printf("\n"); 365 printf("\n");
342 return 0; 366 return 0;
343} 367}
diff --git a/test/Makefile.in b/test/Makefile.in
index ef1ca73bc..d41ab39d1 100644
--- a/test/Makefile.in
+++ b/test/Makefile.in
@@ -8,3 +8,6 @@ $(TESTS):
8 8
9clean: 9clean:
10 for test in $(TESTS); do rm -f "$$test/$$test.log"; done 10 for test in $(TESTS); do rm -f "$$test/$$test.log"; done
11
12distclean: clean
13 rm -f Makefile
diff --git a/test/compile/compile.sh b/test/compile/compile.sh
index 91fcfb85d..04819d95d 100755
--- a/test/compile/compile.sh
+++ b/test/compile/compile.sh
@@ -3,6 +3,16 @@
3# Copyright (C) 2014-2020 Firejail Authors 3# Copyright (C) 2014-2020 Firejail Authors
4# License GPL v2 4# License GPL v2
5 5
6# not currently covered
7# --disable-suid install as a non-SUID executable
8# --enable-fatal-warnings -W -Wall -Werror
9# --enable-gcov Gcov instrumentation
10# --enable-contrib-install
11# install contrib scripts
12# --enable-analyzer enable GCC 10 static analyzer
13
14
15
6arr[1]="TEST 1: standard compilation" 16arr[1]="TEST 1: standard compilation"
7arr[2]="TEST 2: compile dbus proxy disabled" 17arr[2]="TEST 2: compile dbus proxy disabled"
8arr[3]="TEST 3: compile chroot disabled" 18arr[3]="TEST 3: compile chroot disabled"
@@ -18,7 +28,9 @@ arr[12]="TEST 12: compile apparmor"
18arr[13]="TEST 13: compile busybox" 28arr[13]="TEST 13: compile busybox"
19arr[14]="TEST 14: compile overlayfs disabled" 29arr[14]="TEST 14: compile overlayfs disabled"
20arr[15]="TEST 15: compile private-home disabled" 30arr[15]="TEST 15: compile private-home disabled"
21arr[15]="TEST 16: compile disable manpages" 31arr[16]="TEST 16: compile disable manpages"
32arr[17]="TEST 17: disable tmpfs as regular user"
33arr[18]="TEST 18: disable private home"
22 34
23# remove previous reports and output file 35# remove previous reports and output file
24cleanup() { 36cleanup() {
@@ -334,6 +346,40 @@ cp output-make om16
334rm output-configure output-make 346rm output-configure output-make
335 347
336#***************************************************************** 348#*****************************************************************
349# TEST 17
350#*****************************************************************
351# - disable tmpfs as regular user"
352#*****************************************************************
353print_title "${arr[17]}"
354cd firejail
355make distclean
356./configure --prefix=/usr --disable-usertmpfs --enable-fatal-warnings 2>&1 | tee ../output-configure
357make -j4 2>&1 | tee ../output-make
358cd ..
359grep Warning output-configure output-make > ./report-test17
360grep Error output-configure output-make >> ./report-test17
361cp output-configure oc17
362cp output-make om17
363rm output-configure output-make
364
365#*****************************************************************
366# TEST 18
367#*****************************************************************
368# - disable private home feature
369#*****************************************************************
370print_title "${arr[18]}"
371cd firejail
372make distclean
373./configure --prefix=/usr --disable-private-home --enable-fatal-warnings 2>&1 | tee ../output-configure
374make -j4 2>&1 | tee ../output-make
375cd ..
376grep Warning output-configure output-make > ./report-test18
377grep Error output-configure output-make >> ./report-test18
378cp output-configure oc18
379cp output-make om18
380rm output-configure output-make
381
382#*****************************************************************
337# PRINT REPORTS 383# PRINT REPORTS
338#***************************************************************** 384#*****************************************************************
339echo 385echo
@@ -363,3 +409,5 @@ echo ${arr[13]}
363echo ${arr[14]} 409echo ${arr[14]}
364echo ${arr[15]} 410echo ${arr[15]}
365echo ${arr[16]} 411echo ${arr[16]}
412echo ${arr[17]}
413echo ${arr[18]}
diff --git a/test/environment/environment.sh b/test/environment/environment.sh
index e88036d3d..0706cbd88 100755
--- a/test/environment/environment.sh
+++ b/test/environment/environment.sh
@@ -70,12 +70,12 @@ echo "TESTING: firejail in firejail - single sandbox (test/environment/firejail-
70./firejail-in-firejail.exp 70./firejail-in-firejail.exp
71 71
72which aplay 2>/dev/null 72which aplay 2>/dev/null
73if [ "$?" -eq 0 ]; 73if [ "$?" -eq 0 ] && [ "$(aplay -l | grep -c "List of PLAYBACK")" -gt 0 ];
74then 74then
75 echo "TESTING: sound (test/environment/sound.exp)" 75 echo "TESTING: sound (test/environment/sound.exp)"
76 ./sound.exp 76 ./sound.exp
77else 77else
78 echo "TESTING SKIP: aplay not found" 78 echo "TESTING SKIP: no aplay or sound card found"
79fi 79fi
80 80
81echo "TESTING: nice (test/environment/nice.exp)" 81echo "TESTING: nice (test/environment/nice.exp)"
diff --git a/test/utils/shutdown.exp b/test/utils/shutdown.exp
index 0f6cab8bb..0867970a1 100755
--- a/test/utils/shutdown.exp
+++ b/test/utils/shutdown.exp
@@ -3,7 +3,7 @@
3# Copyright (C) 2014-2020 Firejail Authors 3# Copyright (C) 2014-2020 Firejail Authors
4# License GPL v2 4# License GPL v2
5 5
6set timeout 10 6set timeout 15
7cd /home 7cd /home
8spawn $env(SHELL) 8spawn $env(SHELL)
9match_max 100000 9match_max 100000
diff --git a/test/utils/utils.sh b/test/utils/utils.sh
index 7e8426f35..8453894a2 100755
--- a/test/utils/utils.sh
+++ b/test/utils/utils.sh
@@ -18,7 +18,7 @@ echo "TESTING: build (test/utils/build.exp)"
18rm -f ~/firejail-test-file-7699 18rm -f ~/firejail-test-file-7699
19rm -f firejail-test-file-4388 19rm -f firejail-test-file-4388
20 20
21if [ $(readlink /proc/self) -lt 100 ]; then 21if [ $(faudit | grep -c "is running in a PID namespace.") -gt 0 ]; then
22 echo "TESTING SKIP: already running in pid namespace (test/utils/audit.exp)" 22 echo "TESTING SKIP: already running in pid namespace (test/utils/audit.exp)"
23else 23else
24 echo "TESTING: audit (test/utils/audit.exp)" 24 echo "TESTING: audit (test/utils/audit.exp)"
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-19 20:11:37 +0000