-rw-r--r--.github/workflows/build-extra.yml180
-rw-r--r--.github/workflows/build.yml100
-rw-r--r--.github/workflows/check-c.yml164
-rw-r--r--.github/workflows/check-profiles.yml (renamed from .github/workflows/profile-checks.yml)17
-rw-r--r--.github/workflows/check-python.yml58
-rw-r--r--.github/workflows/codeql-analysis.yml123
-rw-r--r--.github/workflows/codespell.yml47
-rw-r--r--.github/workflows/test.yml258
-rw-r--r--Makefile77
-rw-r--r--README.md11
-rw-r--r--RELNOTES16
-rwxr-xr-xcontrib/jail_prober.py4
-rwxr-xr-xcontrib/sort.py4
-rw-r--r--contrib/syntax/files/firejail-profile.lang.in2
-rw-r--r--contrib/syntax/lists/profile_commands_arg0.list2
-rw-r--r--contrib/syntax/lists/profile_commands_arg1.list3
-rw-r--r--etc-fixes/0.9.38/firefox.profile2
-rw-r--r--etc/inc/allow-common-devel.inc8
-rw-r--r--etc/inc/allow-ssh.inc2
-rw-r--r--etc/inc/disable-common.inc131
-rw-r--r--etc/inc/disable-devel.inc63
-rw-r--r--etc/inc/disable-programs.inc21
-rw-r--r--etc/inc/whitelist-usr-share-common.inc1
-rw-r--r--etc/profile-a-l/abiword.profile4
-rw-r--r--etc/profile-a-l/akonadi_control.profile12
-rw-r--r--etc/profile-a-l/akregator.profile2
-rw-r--r--etc/profile-a-l/alacarte.profile2
-rw-r--r--etc/profile-a-l/amarok.profile8
-rw-r--r--etc/profile-a-l/android-studio.profile2
-rw-r--r--etc/profile-a-l/ani-cli.profile1
-rw-r--r--etc/profile-a-l/anki.profile2
-rw-r--r--etc/profile-a-l/arduino.profile2
-rw-r--r--etc/profile-a-l/aria2c.profile2
-rw-r--r--etc/profile-a-l/ark.profile6
-rw-r--r--etc/profile-a-l/artha.profile2
-rw-r--r--etc/profile-a-l/asunder.profile4
-rw-r--r--etc/profile-a-l/atom.profile2
-rw-r--r--etc/profile-a-l/atril.profile4
-rw-r--r--etc/profile-a-l/audacious.profile2
-rw-r--r--etc/profile-a-l/audacity.profile4
-rw-r--r--etc/profile-a-l/audio-recorder.profile4
-rw-r--r--etc/profile-a-l/authenticator.profile12
-rw-r--r--etc/profile-a-l/autokey-common.profile2
-rw-r--r--etc/profile-a-l/baloo_file.profile12
-rw-r--r--etc/profile-a-l/baobab.profile10
-rw-r--r--etc/profile-a-l/bcompare.profile2
-rw-r--r--etc/profile-a-l/bibletime.profile4
-rw-r--r--etc/profile-a-l/bijiben.profile2
-rw-r--r--etc/profile-a-l/bitlbee.profile2
-rw-r--r--etc/profile-a-l/bitwarden.profile2
-rw-r--r--etc/profile-a-l/bleachbit.profile6
-rw-r--r--etc/profile-a-l/blender-3.6.profile10
-rw-r--r--etc/profile-a-l/bless.profile2
-rw-r--r--etc/profile-a-l/brackets.profile2
-rw-r--r--etc/profile-a-l/brasero.profile6
-rw-r--r--etc/profile-a-l/brz.profile14
-rw-r--r--etc/profile-a-l/build-systems-common.profile2
-rw-r--r--etc/profile-a-l/bzr.profile10
-rw-r--r--etc/profile-a-l/calibre.profile2
-rw-r--r--etc/profile-a-l/calligra.profile8
-rw-r--r--etc/profile-a-l/cameramonitor.profile6
-rw-r--r--etc/profile-a-l/cantata.profile4
-rw-r--r--etc/profile-a-l/catfish.profile12
-rw-r--r--etc/profile-a-l/cawbird.profile2
-rw-r--r--etc/profile-a-l/chromium-browser-privacy.profile2
-rw-r--r--etc/profile-a-l/chromium-common.profile6
-rw-r--r--etc/profile-a-l/chromium.profile2
-rw-r--r--etc/profile-a-l/clac.profile4
-rw-r--r--etc/profile-a-l/clamtk.profile16
-rw-r--r--etc/profile-a-l/claws-mail.profile2
-rw-r--r--etc/profile-a-l/clawsker.profile2
-rw-r--r--etc/profile-a-l/clementine.profile2
-rw-r--r--etc/profile-a-l/clion.profile2
-rw-r--r--etc/profile-a-l/clipgrab.profile6
-rw-r--r--etc/profile-a-l/code.profile2
-rw-r--r--etc/profile-a-l/com.github.bleakgrey.tootle.profile6
-rw-r--r--etc/profile-a-l/cower.profile4
-rw-r--r--etc/profile-a-l/curl.profile4
-rw-r--r--etc/profile-a-l/cyberfox.profile2
-rw-r--r--etc/profile-a-l/d-feet.profile4
-rw-r--r--etc/profile-a-l/dconf-editor.profile2
-rw-r--r--etc/profile-a-l/ddgtk.profile2
-rw-r--r--etc/profile-a-l/default.profile68
-rw-r--r--etc/profile-a-l/deluge.profile2
-rw-r--r--etc/profile-a-l/devhelp.profile8
-rw-r--r--etc/profile-a-l/dig.profile6
-rw-r--r--etc/profile-a-l/digikam.profile12
-rw-r--r--etc/profile-a-l/dino.profile3
-rw-r--r--etc/profile-a-l/discord-canary.profile3
-rw-r--r--etc/profile-a-l/discord-common.profile13
-rw-r--r--etc/profile-a-l/discord-ptb.profile3
-rw-r--r--etc/profile-a-l/discord.profile4
-rw-r--r--etc/profile-a-l/display.profile2
-rw-r--r--etc/profile-a-l/dolphin-emu.profile2
-rw-r--r--etc/profile-a-l/drawio.profile6
-rw-r--r--etc/profile-a-l/drill.profile4
-rw-r--r--etc/profile-a-l/easystroke.profile4
-rw-r--r--etc/profile-a-l/electron-mail.profile2
-rw-r--r--etc/profile-a-l/electrum.profile4
-rw-r--r--etc/profile-a-l/element-desktop.profile2
-rw-r--r--etc/profile-a-l/email-common.profile2
-rw-r--r--etc/profile-a-l/engrampa.profile4
-rw-r--r--etc/profile-a-l/enpass.profile2
-rw-r--r--etc/profile-a-l/ephemeral.profile4
-rw-r--r--etc/profile-a-l/etr.profile2
-rw-r--r--etc/profile-a-l/evince.profile2
-rw-r--r--etc/profile-a-l/falkon.profile10
-rw-r--r--etc/profile-a-l/fdns.profile4
-rw-r--r--etc/profile-a-l/feedreader.profile4
-rw-r--r--etc/profile-a-l/ferdi.profile2
-rw-r--r--etc/profile-a-l/ffmpeg.profile2
-rw-r--r--etc/profile-a-l/file-roller.profile8
-rw-r--r--etc/profile-a-l/floorp.profile45
-rw-r--r--etc/profile-a-l/fluffychat.profile73
-rw-r--r--etc/profile-a-l/font-manager.profile4
-rw-r--r--etc/profile-a-l/franz.profile2
-rw-r--r--etc/profile-a-l/freemind.profile4
-rw-r--r--etc/profile-a-l/freshclam.profile2
-rw-r--r--etc/profile-a-l/frozen-bubble.profile2
-rw-r--r--etc/profile-a-l/funnyboat.profile4
-rw-r--r--etc/profile-a-l/galculator.profile2
-rw-r--r--etc/profile-a-l/geary.profile4
-rw-r--r--etc/profile-a-l/gedit.profile14
-rw-r--r--etc/profile-a-l/geekbench.profile2
-rw-r--r--etc/profile-a-l/geeqie.profile2
-rw-r--r--etc/profile-a-l/gfeeds.profile2
-rw-r--r--etc/profile-a-l/ghostwriter.profile2
-rw-r--r--etc/profile-a-l/github-desktop.profile8
-rw-r--r--etc/profile-a-l/gitter.profile2
-rw-r--r--etc/profile-a-l/gjs.profile4
-rw-r--r--etc/profile-a-l/gmpc.profile7
-rw-r--r--etc/profile-a-l/gnome-books.profile2
-rw-r--r--etc/profile-a-l/gnome-calculator.profile2
-rw-r--r--etc/profile-a-l/gnome-characters.profile4
-rw-r--r--etc/profile-a-l/gnome-contacts.profile2
-rw-r--r--etc/profile-a-l/gnome-keyring.profile2
-rw-r--r--etc/profile-a-l/gnome-logs.profile42
-rw-r--r--etc/profile-a-l/gnome-maps.profile2
-rw-r--r--etc/profile-a-l/gnome-mplayer.profile2
-rw-r--r--etc/profile-a-l/gnome-nettool.profile2
-rw-r--r--etc/profile-a-l/gnome-photos.profile2
-rw-r--r--etc/profile-a-l/gnome-pie.profile2
-rw-r--r--etc/profile-a-l/gnome-ring.profile2
-rw-r--r--etc/profile-a-l/gnome-schedule.profile2
-rw-r--r--etc/profile-a-l/gnome-system-log.profile48
-rw-r--r--etc/profile-a-l/gnome-weather.profile4
-rw-r--r--etc/profile-a-l/godot.profile2
-rw-r--r--etc/profile-a-l/goobox.profile6
-rw-r--r--etc/profile-a-l/google-earth.profile2
-rw-r--r--etc/profile-a-l/google-play-music-desktop-player.profile4
-rw-r--r--etc/profile-a-l/gpa.profile2
-rw-r--r--etc/profile-a-l/gpg-agent.profile2
-rw-r--r--etc/profile-a-l/gpg.profile2
-rw-r--r--etc/profile-a-l/gpg2.profile2
-rw-r--r--etc/profile-a-l/gucharmap.profile6
-rw-r--r--etc/profile-a-l/gwenview.profile11
-rw-r--r--etc/profile-a-l/hexchat.profile6
-rw-r--r--etc/profile-a-l/homebank.profile4
-rw-r--r--etc/profile-a-l/iagno.profile4
-rw-r--r--etc/profile-a-l/idea.sh.profile2
-rw-r--r--etc/profile-a-l/img2txt.profile2
-rw-r--r--etc/profile-a-l/inkscape.profile2
-rw-r--r--etc/profile-a-l/ipcalc.profile14
-rw-r--r--etc/profile-a-l/journal-viewer.profile50
-rw-r--r--etc/profile-a-l/k3b.profile14
-rw-r--r--etc/profile-a-l/kaffeine.profile2
-rw-r--r--etc/profile-a-l/kalgebra.profile4
-rw-r--r--etc/profile-a-l/kate.profile16
-rw-r--r--etc/profile-a-l/kazam.profile2
-rw-r--r--etc/profile-a-l/kcalc.profile2
-rw-r--r--etc/profile-a-l/kdeinit4.profile2
-rw-r--r--etc/profile-a-l/kdenlive.profile8
-rw-r--r--etc/profile-a-l/kfind.profile18
-rw-r--r--etc/profile-a-l/kget.profile2
-rw-r--r--etc/profile-a-l/kiwix-desktop.profile6
-rw-r--r--etc/profile-a-l/kmail.profile8
-rw-r--r--etc/profile-a-l/kmplayer.profile2
-rw-r--r--etc/profile-a-l/konversation.profile2
-rw-r--r--etc/profile-a-l/krita.profile6
-rw-r--r--etc/profile-a-l/krunner.profile18
-rw-r--r--etc/profile-a-l/ktorrent.profile4
-rw-r--r--etc/profile-a-l/kube.profile2
-rw-r--r--etc/profile-a-l/kwin_x11.profile2
-rw-r--r--etc/profile-a-l/kwrite.profile8
-rw-r--r--etc/profile-a-l/less.profile4
-rw-r--r--etc/profile-a-l/lettura.profile76
-rw-r--r--etc/profile-a-l/liferea.profile4
-rw-r--r--etc/profile-a-l/links-common.profile2
-rw-r--r--etc/profile-a-l/linuxqq.profile2
-rw-r--r--etc/profile-a-l/lobster.profile1
-rw-r--r--etc/profile-a-l/lutris.profile12
-rw-r--r--etc/profile-a-l/lynx.profile4
-rw-r--r--etc/profile-a-l/lyx.profile2
-rw-r--r--etc/profile-m-z/PCSX2.profile4
-rw-r--r--etc/profile-m-z/QMediathekView.profile4
-rw-r--r--etc/profile-m-z/Viber.profile2
-rw-r--r--etc/profile-m-z/Xephyr.profile8
-rw-r--r--etc/profile-m-z/Xvfb.profile4
-rw-r--r--etc/profile-m-z/makepkg.profile4
-rw-r--r--etc/profile-m-z/microsoft-edge-beta.profile3
-rw-r--r--etc/profile-m-z/midori.profile6
-rw-r--r--etc/profile-m-z/mocp.profile17
-rw-r--r--etc/profile-m-z/mpDris2.profile6
-rw-r--r--etc/profile-m-z/mpd.profile4
-rw-r--r--etc/profile-m-z/mplayer.profile4
-rw-r--r--etc/profile-m-z/mullvad-browser.profile3
-rw-r--r--etc/profile-m-z/multimc5.profile6
-rw-r--r--etc/profile-m-z/mumble.profile2
-rw-r--r--etc/profile-m-z/musescore.profile4
-rw-r--r--etc/profile-m-z/musixmatch.profile2
-rw-r--r--etc/profile-m-z/mutt.profile7
-rw-r--r--etc/profile-m-z/nano.profile2
-rw-r--r--etc/profile-m-z/ncdu.profile2
-rw-r--r--etc/profile-m-z/neochat.profile2
-rw-r--r--etc/profile-m-z/neomutt.profile7
-rw-r--r--etc/profile-m-z/nicotine.profile5
-rw-r--r--etc/profile-m-z/nitroshare.profile8
-rw-r--r--etc/profile-m-z/nodejs-common.profile5
-rw-r--r--etc/profile-m-z/notable.profile3
-rw-r--r--etc/profile-m-z/nuclear.profile4
-rw-r--r--etc/profile-m-z/ocenaudio.profile2
-rw-r--r--etc/profile-m-z/okular.profile11
-rw-r--r--etc/profile-m-z/onionshare-gui.profile2
-rw-r--r--etc/profile-m-z/openclonk.profile2
-rw-r--r--etc/profile-m-z/orage.profile2
-rw-r--r--etc/profile-m-z/otter-browser.profile2
-rw-r--r--etc/profile-m-z/palemoon.profile2
-rw-r--r--etc/profile-m-z/patch.profile1
-rw-r--r--etc/profile-m-z/pavucontrol-qt.profile5
-rw-r--r--etc/profile-m-z/pidgin.profile2
-rw-r--r--etc/profile-m-z/ping.profile2
-rw-r--r--etc/profile-m-z/pluma.profile8
-rw-r--r--etc/profile-m-z/plv.profile2
-rw-r--r--etc/profile-m-z/pnpm.profile11
-rw-r--r--etc/profile-m-z/pnpx.profile11
-rw-r--r--etc/profile-m-z/psi-plus.profile2
-rw-r--r--etc/profile-m-z/psi.profile2
-rw-r--r--etc/profile-m-z/pycharm-community.profile4
-rw-r--r--etc/profile-m-z/qbittorrent.profile4
-rw-r--r--etc/profile-m-z/qmmp.profile2
-rw-r--r--etc/profile-m-z/qpdfview.profile4
-rw-r--r--etc/profile-m-z/qtox.profile2
-rw-r--r--etc/profile-m-z/quassel.profile2
-rw-r--r--etc/profile-m-z/quiterss.profile2
-rw-r--r--etc/profile-m-z/rpcs3.profile3
-rw-r--r--etc/profile-m-z/rssguard.profile4
-rw-r--r--etc/profile-m-z/scribus.profile2
-rw-r--r--etc/profile-m-z/seamonkey.profile2
-rw-r--r--etc/profile-m-z/server.profile50
-rw-r--r--etc/profile-m-z/silentarmy.profile2
-rw-r--r--etc/profile-m-z/simple-scan.profile10
-rw-r--r--etc/profile-m-z/simutrans.profile2
-rw-r--r--etc/profile-m-z/skanlite.profile12
-rw-r--r--etc/profile-m-z/smplayer.profile6
-rw-r--r--etc/profile-m-z/sniffnet.profile4
-rw-r--r--etc/profile-m-z/sol.profile6
-rw-r--r--etc/profile-m-z/sound-juicer.profile4
-rw-r--r--etc/profile-m-z/spotify.profile2
-rw-r--r--etc/profile-m-z/sqlitebrowser.profile6
-rw-r--r--etc/profile-m-z/ssh.profile6
-rw-r--r--etc/profile-m-z/ssmtp.profile1
-rw-r--r--etc/profile-m-z/standardnotes-desktop.profile2
-rw-r--r--etc/profile-m-z/steam.profile6
-rw-r--r--etc/profile-m-z/subdownloader.profile2
-rw-r--r--etc/profile-m-z/supertux2.profile2
-rw-r--r--etc/profile-m-z/sushi.profile2
-rw-r--r--etc/profile-m-z/sylpheed.profile2
-rw-r--r--etc/profile-m-z/sysprof.profile6
-rw-r--r--etc/profile-m-z/system-log-common.profile60
-rw-r--r--etc/profile-m-z/teamspeak3.profile2
-rw-r--r--etc/profile-m-z/telegram.profile3
-rw-r--r--etc/profile-m-z/termshark.profile15
-rw-r--r--etc/profile-m-z/tesseract.profile1
-rw-r--r--etc/profile-m-z/thunderbird-beta.profile2
-rw-r--r--etc/profile-m-z/thunderbird.profile6
-rw-r--r--etc/profile-m-z/tidal-hifi.profile39
-rw-r--r--etc/profile-m-z/tiny-rdm.profile61
-rw-r--r--etc/profile-m-z/tmux.profile12
-rw-r--r--etc/profile-m-z/torbrowser-launcher.profile3
-rw-r--r--etc/profile-m-z/totem.profile4
-rw-r--r--etc/profile-m-z/tracker.profile6
-rw-r--r--etc/profile-m-z/transgui.profile6
-rw-r--r--etc/profile-m-z/trojita.profile2
-rw-r--r--etc/profile-m-z/tshark.profile3
-rw-r--r--etc/profile-m-z/tutanota-desktop.profile2
-rw-r--r--etc/profile-m-z/tvbrowser.profile2
-rw-r--r--etc/profile-m-z/twitch.profile4
-rw-r--r--etc/profile-m-z/udiskie.profile4
-rw-r--r--etc/profile-m-z/unknown-horizons.profile6
-rw-r--r--etc/profile-m-z/viewnior.profile2
-rw-r--r--etc/profile-m-z/virtualbox.profile2
-rw-r--r--etc/profile-m-z/warzone2100.profile2
-rw-r--r--etc/profile-m-z/wine.profile10
-rw-r--r--etc/profile-m-z/wireshark.profile16
-rw-r--r--etc/profile-m-z/xed.profile10
-rw-r--r--etc/profile-m-z/xfburn.profile6
-rw-r--r--etc/profile-m-z/xfce4-mixer.profile2
-rw-r--r--etc/profile-m-z/xfce4-screenshooter.profile2
-rw-r--r--etc/profile-m-z/xmr-stak.profile2
-rw-r--r--etc/profile-m-z/xplayer.profile8
-rw-r--r--etc/profile-m-z/xpra.profile6
-rw-r--r--etc/profile-m-z/xreader.profile4
-rw-r--r--etc/profile-m-z/xviewer.profile8
-rw-r--r--etc/profile-m-z/yelp.profile6
-rw-r--r--etc/profile-m-z/youtube.profile4
-rw-r--r--etc/profile-m-z/youtubemusic-nativefier.profile6
-rw-r--r--etc/profile-m-z/ytmdesktop.profile4
-rw-r--r--etc/profile-m-z/zeal.profile2
-rw-r--r--etc/templates/profile.template7
-rw-r--r--etc/templates/syscalls.txt2
-rw-r--r--src/firecfg/firecfg.config6
-rw-r--r--src/firejail/appimage.c13
-rw-r--r--src/firejail/fs.c4
-rw-r--r--src/firejail/ls.c2
-rw-r--r--src/firejail/main.c11
-rw-r--r--src/firejail/paths.c18
-rw-r--r--src/firejail/profile.c4
-rw-r--r--src/firejail/sandbox.c3
-rw-r--r--src/firejail/util.c2
-rw-r--r--src/fnettrace/main.c10
-rw-r--r--src/fnettrace/static-ip-map.txt454
-rw-r--r--src/lib/syscall.c10
-rw-r--r--src/man/firejail.1.in32
-rwxr-xr-xtest/fs/kmsg.exp2
-rwxr-xr-xtest/sysutils/strings.exp2
-rwxr-xr-xtest/sysutils/sysutils.sh8
-rwxr-xr-xtest/sysutils/wget.exp2
-rwxr-xr-xtest/utils/build.exp24
-rwxr-xr-xtest/utils/trace.exp36
329 files changed, 2542 insertions, 1236 deletions
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index 0f7ddb466..6c2905e43 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -1,50 +1,39 @@
1name: Build-extra CI 1# Builds the project with alternative tools.
2
3name: Build-extra
2 4
3on: 5on:
6 workflow_dispatch:
4 push: 7 push:
5 paths-ignore: 8 branches-ignore:
6 - '.github/ISSUE_TEMPLATE/*' 9 - 'dependabot/**'
7 - 'contrib/syntax/**' 10 paths:
8 - 'contrib/vim/**' 11 - 'm4/**'
9 - 'etc/**' 12 - 'src/**.c'
10 - 'src/man/*.in' 13 - 'src/**.h'
11 - .git-blame-ignore-revs 14 - 'src/**.mk'
12 - .github/dependabot.yml 15 - 'src/**Makefile'
13 - .github/pull_request_template.md 16 - .github/workflows/build-extra.yml
14 - .github/workflows/build.yml 17 - Makefile
15 - .github/workflows/codeql-analysis.yml 18 - ci/printenv.sh
16 - .github/workflows/profile-checks.yml 19 - config.mk.in
17 - .gitignore 20 - config.sh.in
18 - .gitlab-ci.yml 21 - configure
19 - CONTRIBUTING.md 22 - configure.ac
20 - COPYING
21 - README
22 - README.md
23 - RELNOTES
24 - SECURITY.md
25 - src/firecfg/firecfg.config
26 pull_request: 23 pull_request:
27 paths-ignore: 24 paths:
28 - '.github/ISSUE_TEMPLATE/*' 25 - 'm4/**'
29 - 'contrib/syntax/**' 26 - 'src/**.c'
30 - 'contrib/vim/**' 27 - 'src/**.h'
31 - 'etc/**' 28 - 'src/**.mk'
32 - 'src/man/*.in' 29 - 'src/**Makefile'
33 - .git-blame-ignore-revs 30 - .github/workflows/build-extra.yml
34 - .github/dependabot.yml 31 - Makefile
35 - .github/pull_request_template.md 32 - ci/printenv.sh
36 - .github/workflows/build.yml 33 - config.mk.in
37 - .github/workflows/codeql-analysis.yml 34 - config.sh.in
38 - .github/workflows/profile-checks.yml 35 - configure
39 - .gitignore 36 - configure.ac
40 - .gitlab-ci.yml
41 - CONTRIBUTING.md
42 - COPYING
43 - README
44 - README.md
45 - RELNOTES
46 - SECURITY.md
47 - src/firecfg/firecfg.config
48 37
49permissions: # added using https://github.com/step-security/secure-workflows 38permissions: # added using https://github.com/step-security/secure-workflows
50 contents: read 39 contents: read
@@ -54,7 +43,7 @@ jobs:
54 runs-on: ubuntu-22.04 43 runs-on: ubuntu-22.04
55 steps: 44 steps:
56 - name: Harden Runner 45 - name: Harden Runner
57 uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 46 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
58 with: 47 with:
59 egress-policy: block 48 egress-policy: block
60 allowed-endpoints: > 49 allowed-endpoints: >
@@ -64,7 +53,7 @@ jobs:
64 packages.microsoft.com:443 53 packages.microsoft.com:443
65 ppa.launchpadcontent.net:443 54 ppa.launchpadcontent.net:443
66 security.ubuntu.com:80 55 security.ubuntu.com:80
67 - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 56 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
68 - name: update package information 57 - name: update package information
69 run: sudo apt-get update -qy 58 run: sudo apt-get update -qy
70 - name: install dependencies 59 - name: install dependencies
@@ -84,104 +73,3 @@ jobs:
84 run: sudo make install 73 run: sudo make install
85 - name: print version 74 - name: print version
86 run: command -V firejail && firejail --version 75 run: command -V firejail && firejail --version
87 scan-build:
88 runs-on: ubuntu-22.04
89 steps:
90 - name: Harden Runner
91 uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
92 with:
93 egress-policy: block
94 allowed-endpoints: >
95 archive.ubuntu.com:80
96 azure.archive.ubuntu.com:80
97 github.com:443
98 packages.microsoft.com:443
99 ppa.launchpadcontent.net:443
100 security.ubuntu.com:80
101 - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
102 - name: update package information
103 run: sudo apt-get update -qy
104 - name: install clang-tools-14 and dependencies
105 run: >
106 sudo apt-get install -qy
107 clang-tools-14 libapparmor-dev libselinux1-dev
108 - name: print env
109 run: ./ci/printenv.sh
110 - name: configure
111 run: >
112 CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor
113 --enable-selinux
114 || (cat config.log; exit 1)
115 - name: scan-build
116 run: scan-build-14 --status-bugs make
117 cppcheck:
118 runs-on: ubuntu-22.04
119 steps:
120 - name: Harden Runner
121 uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
122 with:
123 egress-policy: block
124 allowed-endpoints: >
125 archive.ubuntu.com:80
126 azure.archive.ubuntu.com:80
127 github.com:443
128 packages.microsoft.com:443
129 ppa.launchpadcontent.net:443
130 security.ubuntu.com:80
131 - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
132 - name: update package information
133 run: sudo apt-get update -qy
134 - name: install cppcheck
135 run: sudo apt-get install -qy cppcheck
136 - run: cppcheck --version
137 - name: cppcheck
138 run: >
139 cppcheck -q --force --error-exitcode=1 --enable=warning,performance
140 -i src/firejail/checkcfg.c -i src/firejail/main.c .
141 # new cppcheck version currently chokes on checkcfg.c and main.c, therefore
142 # scan all files also with older cppcheck version from ubuntu 20.04.
143 cppcheck_old:
144 runs-on: ubuntu-20.04
145 steps:
146 - name: Harden Runner
147 uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
148 with:
149 egress-policy: block
150 allowed-endpoints: >
151 archive.ubuntu.com:80
152 azure.archive.ubuntu.com:80
153 github.com:443
154 packages.microsoft.com:443
155 ppa.launchpad.net:80
156 ppa.launchpadcontent.net:443
157 security.ubuntu.com:80
158 - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
159 - name: update package information
160 run: sudo apt-get update -qy
161 - name: install cppcheck
162 run: sudo apt-get install -qy cppcheck
163 - run: cppcheck --version
164 - name: cppcheck
165 run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
166 codespell:
167 runs-on: ubuntu-22.04
168 steps:
169 - name: Harden Runner
170 uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
171 with:
172 egress-policy: block
173 allowed-endpoints: >
174 archive.ubuntu.com:80
175 azure.archive.ubuntu.com:80
176 github.com:443
177 packages.microsoft.com:443
178 ppa.launchpadcontent.net:443
179 security.ubuntu.com:80
180 - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
181 - name: update package information
182 run: sudo apt-get update -qy
183 - name: install dependencies
184 run: sudo apt-get install -qy codespell
185 - run: codespell --version
186 - name: codespell
187 run: make codespell
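Review bot: The bumped action pins at `uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895` and `uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11` carry no comment naming the release each SHA corresponds to, so a reviewer cannot tell from the diff whether the bump is a patch or a major upgrade, and Dependabot keeps such a trailer in sync with the pin only when one is present. Appending the tag, e.g. `uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # <release-tag>`, keeps the SHA pin while making it reviewable; the same applies to the pins in build.yml, check-c.yml, check-profiles.yml and check-python.yml. Note also that the switch from `paths-ignore:` to `paths:` means a pull request touching none of the listed files will not report this check at all, which blocks merging if the check is marked as required in branch protection — worth confirming against the repository settings.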
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index cb2c15759..ae1aef039 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,67 +1,73 @@
1name: Build CI 1# Checks that `make dist` works and builds the project with the default
2# configuration.
2 3
4name: Build
5
6# Note: Keep this list in sync with DISTFILES in ../../Makefile.
3on: 7on:
8 workflow_dispatch:
4 push: 9 push:
5 paths-ignore: 10 branches-ignore:
6 - '.github/ISSUE_TEMPLATE/*' 11 - 'dependabot/**'
7 - .git-blame-ignore-revs 12 paths:
8 - .github/dependabot.yml 13 - 'contrib/**'
9 - .github/pull_request_template.md 14 - 'etc/**'
10 - .github/workflows/build-extra.yml 15 - 'm4/**'
11 - .github/workflows/codeql-analysis.yml 16 - 'platform/**'
12 - .github/workflows/profile-checks.yml 17 - 'src/**'
13 - .gitignore 18 - 'test/**'
14 - .gitlab-ci.yml 19 - .github/workflows/build.yml
15 - CONTRIBUTING.md
16 - COPYING 20 - COPYING
21 - Makefile
17 - README 22 - README
18 - README.md
19 - RELNOTES 23 - RELNOTES
20 - SECURITY.md 24 - ci/printenv.sh
25 - config.mk.in
26 - config.sh.in
27 - configure
28 - configure.ac
29 - install.sh
30 - mkdeb.sh
31 - mketc.sh
21 pull_request: 32 pull_request:
22 paths-ignore: 33 paths:
23 - '.github/ISSUE_TEMPLATE/*' 34 - 'contrib/**'
24 - .git-blame-ignore-revs 35 - 'etc/**'
25 - .github/dependabot.yml 36 - 'm4/**'
26 - .github/pull_request_template.md 37 - 'platform/**'
27 - .github/workflows/build-extra.yml 38 - 'src/**'
28 - .github/workflows/codeql-analysis.yml 39 - 'test/**'
29 - .github/workflows/profile-checks.yml 40 - .github/workflows/build.yml
30 - .gitignore
31 - .gitlab-ci.yml
32 - CONTRIBUTING.md
33 - COPYING 41 - COPYING
42 - Makefile
34 - README 43 - README
35 - README.md
36 - RELNOTES 44 - RELNOTES
37 - SECURITY.md 45 - ci/printenv.sh
46 - config.mk.in
47 - config.sh.in
48 - configure
49 - configure.ac
50 - install.sh
51 - mkdeb.sh
52 - mketc.sh
38 53
39permissions: # added using https://github.com/step-security/secure-workflows 54permissions: # added using https://github.com/step-security/secure-workflows
40 contents: read 55 contents: read
41 56
42jobs: 57jobs:
43 build_and_test: 58 build:
44 runs-on: ubuntu-22.04 59 runs-on: ubuntu-22.04
45 env:
46 SHELL: /bin/bash
47 steps: 60 steps:
48 - name: Harden Runner 61 - name: Harden Runner
49 uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 62 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
50 with: 63 with:
51 egress-policy: block 64 egress-policy: block
52 allowed-endpoints: > 65 allowed-endpoints: >
53 1.1.1.1:1025
54 azure.archive.ubuntu.com:80 66 azure.archive.ubuntu.com:80
55 debian.org:80
56 dns.quad9.net:53
57 github.com:443 67 github.com:443
58 packages.microsoft.com:443 68 packages.microsoft.com:443
59 ppa.launchpadcontent.net:443 69 ppa.launchpadcontent.net:443
60 whois.pir.org:43 70 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
61 www.debian.org:443
62 www.debian.org:80
63 yahoo.com:1025
64 - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
65 - name: update package information 71 - name: update package information
66 run: sudo apt-get update -qy 72 run: sudo apt-get update -qy
67 - name: install dependencies 73 - name: install dependencies
@@ -82,19 +88,3 @@ jobs:
82 run: sudo make install 88 run: sudo make install
83 - name: print firejail version 89 - name: print firejail version
84 run: command -V firejail && firejail --version 90 run: command -V firejail && firejail --version
85 - run: make lab-setup
86 - run: make test-seccomp-extra
87 - run: make test-firecfg
88 - run: make test-capabilities
89 - run: make test-apparmor
90 - run: make test-appimage
91 - run: make test-chroot
92 - run: make test-sysutils
93 - run: make test-private-etc
94 - run: make test-profiles
95 - run: make test-fcopy
96 - run: make test-fnetfilter
97 - run: make test-fs
98 - run: make test-utils
99 - run: make test-environment
100 - run: make test-network
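Review bot: The job is renamed from `build_and_test` to `build` and the workflow from `Build CI` to `Build`, which changes the name under which the status check is reported; if branch protection lists the old check name as required, that setting needs updating or pull requests will wait on a check that never appears. The comment `# Note: Keep this list in sync with DISTFILES in ../../Makefile.` sits above `on:` where it will be seen, but the `push` and `pull_request` lists below it are identical copies, and nothing says so; extending the comment to `# Note: Keep this list in sync with DISTFILES in ../../Makefile and keep the push and pull_request lists identical.` would make a one-sided edit easier to catch in review.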
diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml
new file mode 100644
index 000000000..496efb76c
--- /dev/null
+++ b/.github/workflows/check-c.yml
@@ -0,0 +1,164 @@
1# Checks for potential issues in the source code.
2
3name: Check-C
4
5on:
6 workflow_dispatch:
7 push:
8 branches-ignore:
9 - 'dependabot/**'
10 paths:
11 - 'm4/**'
12 - 'src/**.c'
13 - 'src/**.h'
14 - 'src/**.mk'
15 - 'src/**Makefile'
16 - .github/workflows/check-c.yml
17 - Makefile
18 - ci/printenv.sh
19 - config.mk.in
20 - config.sh.in
21 - configure
22 - configure.ac
23 pull_request:
24 paths:
25 - 'm4/**'
26 - 'src/**.c'
27 - 'src/**.h'
28 - 'src/**.mk'
29 - 'src/**Makefile'
30 - .github/workflows/check-c.yml
31 - Makefile
32 - ci/printenv.sh
33 - config.mk.in
34 - config.sh.in
35 - configure
36 - configure.ac
37 schedule:
38 - cron: '0 7 * * 2'
39
40permissions: # added using https://github.com/step-security/secure-workflows
41 contents: read
42
43jobs:
44 scan-build:
45 runs-on: ubuntu-22.04
46 steps:
47 - name: Harden Runner
48 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
49 with:
50 egress-policy: block
51 allowed-endpoints: >
52 archive.ubuntu.com:80
53 azure.archive.ubuntu.com:80
54 github.com:443
55 packages.microsoft.com:443
56 ppa.launchpadcontent.net:443
57 security.ubuntu.com:80
58 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
59 - name: update package information
60 run: sudo apt-get update -qy
61 - name: install clang-tools-14 and dependencies
62 run: >
63 sudo apt-get install -qy
64 clang-tools-14 libapparmor-dev libselinux1-dev
65 - name: print env
66 run: ./ci/printenv.sh
67 - name: configure
68 run: >
69 CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor
70 --enable-selinux
71 || (cat config.log; exit 1)
72 - name: scan-build
73 run: scan-build-14 --status-bugs make
74
75 cppcheck:
76 runs-on: ubuntu-22.04
77 steps:
78 - name: Harden Runner
79 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
80 with:
81 egress-policy: block
82 allowed-endpoints: >
83 archive.ubuntu.com:80
84 azure.archive.ubuntu.com:80
85 github.com:443
86 packages.microsoft.com:443
87 ppa.launchpadcontent.net:443
88 security.ubuntu.com:80
89 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
90 - name: update package information
91 run: sudo apt-get update -qy
92 - name: install cppcheck
93 run: sudo apt-get install -qy cppcheck
94 - run: cppcheck --version
95 - name: cppcheck
96 run: >
97 cppcheck -q --force --error-exitcode=1 --enable=warning,performance
98 -i src/firejail/checkcfg.c -i src/firejail/main.c .
99
100 # new cppcheck version currently chokes on checkcfg.c and main.c, therefore
101 # scan all files also with older cppcheck version from ubuntu 20.04.
102 cppcheck_old:
103 runs-on: ubuntu-20.04
104 steps:
105 - name: Harden Runner
106 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
107 with:
108 egress-policy: block
109 allowed-endpoints: >
110 archive.ubuntu.com:80
111 azure.archive.ubuntu.com:80
112 github.com:443
113 packages.microsoft.com:443
114 ppa.launchpad.net:80
115 ppa.launchpadcontent.net:443
116 security.ubuntu.com:80
117 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
118 - name: update package information
119 run: sudo apt-get update -qy
120 - name: install cppcheck
121 run: sudo apt-get install -qy cppcheck
122 - run: cppcheck --version
123 - name: cppcheck
124 run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
125
126 codeql-cpp:
127 permissions:
128 actions: read
129 contents: read
130 security-events: write
131 runs-on: ubuntu-latest
132
133 steps:
134 - name: Harden Runner
135 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
136 with:
137 disable-sudo: true
138 egress-policy: block
139 allowed-endpoints: >
140 api.github.com:443
141 github.com:443
142 objects.githubusercontent.com:443
143 uploads.github.com:443
144
145 - name: Checkout repository
146 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
147
148 - name: print env
149 run: ./ci/printenv.sh
150
151 # Initializes the CodeQL tools for scanning.
152 - name: Initialize CodeQL
153 uses: github/codeql-action/init@66b90a5db151a8042fa97405c6cf843bbe433f7b
154 with:
155 languages: cpp
156
157 - name: configure
158 run: ./configure
159
160 - name: make
161 run: make -j "$(nproc)"
162
163 - name: Perform CodeQL Analysis
164 uses: github/codeql-action/analyze@66b90a5db151a8042fa97405c6cf843bbe433f7b
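Review bot: The `codeql-cpp` job configures with a bare `run: ./configure`, while the `scan-build` job in the same file configures with `--enable-apparmor --enable-selinux`, so the AppArmor and SELinux code paths are compiled and scanned by scan-build but never reach CodeQL. Passing the same flags would require installing `libapparmor-dev libselinux1-dev` as scan-build does, which in turn means dropping `disable-sudo: true` and adding the apt endpoints to `allowed-endpoints`; if that widening of the egress allowlist is not wanted, a comment on the configure step stating that CodeQL intentionally covers only the default build would document the gap. The job also runs on `ubuntu-latest` whereas the other two pin `ubuntu-22.04`, so its toolchain can move underneath the pinned action SHAs; pinning the runner image would make the three jobs consistent.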
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/check-profiles.yml
index c44012768..b5490c944 100644
--- a/.github/workflows/profile-checks.yml
+++ b/.github/workflows/check-profiles.yml
@@ -1,18 +1,25 @@
1name: Profile Checks 1# Lints and checks for potential issues in the profiles.
2
3name: Check-Profiles
2 4
3on: 5on:
6 workflow_dispatch:
4 push: 7 push:
8 branches-ignore:
9 - 'dependabot/**'
5 paths: 10 paths:
6 - 'ci/check/profiles/**' 11 - 'ci/check/profiles/**'
7 - 'etc/**' 12 - 'etc/**'
8 - .github/workflows/profile-checks.yml 13 - .github/workflows/check-profiles.yml
14 - ci/printenv.sh
9 - contrib/sort.py 15 - contrib/sort.py
10 - src/firecfg/firecfg.config 16 - src/firecfg/firecfg.config
11 pull_request: 17 pull_request:
12 paths: 18 paths:
13 - 'ci/check/profiles/**' 19 - 'ci/check/profiles/**'
14 - 'etc/**' 20 - 'etc/**'
15 - .github/workflows/profile-checks.yml 21 - .github/workflows/check-profiles.yml
22 - ci/printenv.sh
16 - contrib/sort.py 23 - contrib/sort.py
17 - src/firecfg/firecfg.config 24 - src/firecfg/firecfg.config
18 25
@@ -24,14 +31,14 @@ jobs:
24 runs-on: ubuntu-latest 31 runs-on: ubuntu-latest
25 steps: 32 steps:
26 - name: Harden Runner 33 - name: Harden Runner
27 uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 34 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
28 with: 35 with:
29 disable-sudo: true 36 disable-sudo: true
30 egress-policy: block 37 egress-policy: block
31 allowed-endpoints: > 38 allowed-endpoints: >
32 github.com:443 39 github.com:443
33 40
34 - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 41 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
35 - name: print env 42 - name: print env
36 run: ./ci/printenv.sh 43 run: ./ci/printenv.sh
37 - run: python3 --version 44 - run: python3 --version
diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml
new file mode 100644
index 000000000..535b9234b
--- /dev/null
+++ b/.github/workflows/check-python.yml
@@ -0,0 +1,58 @@
1# Lints and checks for potential issues in Python files.
2
3name: Check-Python
4
5on:
6 workflow_dispatch:
7 push:
8 branches-ignore:
9 - 'dependabot/**'
10 paths:
11 - '**.py'
12 - .github/workflows/check-python.yml
13 pull_request:
14 paths:
15 - '**.py'
16 - .github/workflows/check-python.yml
17 schedule:
18 - cron: '0 7 * * 2'
19
20permissions: # added using https://github.com/step-security/secure-workflows
21 contents: read
22
23jobs:
24 codeql-python:
25 permissions:
26 actions: read
27 contents: read
28 security-events: write
29 runs-on: ubuntu-latest
30
31 steps:
32 - name: Harden Runner
33 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
34 with:
35 disable-sudo: true
36 egress-policy: block
37 allowed-endpoints: >
38 api.github.com:443
39 files.pythonhosted.org:443
40 github.com:443
41 objects.githubusercontent.com:443
42 pypi.org:443
43 uploads.github.com:443
44
45 - name: Checkout repository
46 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
47
48 - name: print env
49 run: ./ci/printenv.sh
50
51 # Initializes the CodeQL tools for scanning.
52 - name: Initialize CodeQL
53 uses: github/codeql-action/init@66b90a5db151a8042fa97405c6cf843bbe433f7b
54 with:
55 languages: python
56
57 - name: Perform CodeQL Analysis
58 uses: github/codeql-action/analyze@66b90a5db151a8042fa97405c6cf843bbe433f7b
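Review bot: The `paths` filters under `push` and `pull_request` list only `'**.py'` and the workflow file, yet the job runs `./ci/printenv.sh`, so a change to that script does not trigger this workflow and a breakage there would only surface on the next Python change or the weekly schedule. The check-profiles.yml hunk in this same commit adds `- ci/printenv.sh` to its path lists; adding the same entry to both lists here keeps the workflows consistent. The job-level `security-events: write` is what the CodeQL upload needs and is correctly scoped to this job while the workflow default stays `contents: read`.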
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
deleted file mode 100644
index 0f9c0f740..000000000
--- a/.github/workflows/codeql-analysis.yml
+++ /dev/null
@@ -1,123 +0,0 @@
1# For most projects, this workflow file will not need changing; you simply need
2# to commit it to your repository.
3#
4# You may wish to alter this file to override the set of languages analyzed,
5# or to provide custom queries or build logic.
6name: "CodeQL"
7
8on:
9 push:
10 paths-ignore:
11 - '.github/ISSUE_TEMPLATE/*'
12 - 'contrib/syntax/**'
13 - 'contrib/vim/**'
14 - 'etc/**'
15 - 'src/man/*.txt'
16 - .git-blame-ignore-revs
17 - .github/dependabot.yml
18 - .github/pull_request_template.md
19 - .github/workflows/build-extra.yml
20 - .github/workflows/build.yml
21 - .github/workflows/profile-checks.yml
22 - .gitignore
23 - .gitlab-ci.yml
24 - CONTRIBUTING.md
25 - COPYING
26 - README
27 - README.md
28 - RELNOTES
29 - SECURITY.md
30 - src/firecfg/firecfg.config
31 pull_request:
32 paths-ignore:
33 - '.github/ISSUE_TEMPLATE/*'
34 - 'contrib/syntax/**'
35 - 'contrib/vim/**'
36 - 'etc/**'
37 - 'src/man/*.txt'
38 - .git-blame-ignore-revs
39 - .github/dependabot.yml
40 - .github/pull_request_template.md
41 - .github/workflows/build-extra.yml
42 - .github/workflows/build.yml
43 - .github/workflows/profile-checks.yml
44 - .gitignore
45 - .gitlab-ci.yml
46 - CONTRIBUTING.md
47 - COPYING
48 - README
49 - README.md
50 - RELNOTES
51 - SECURITY.md
52 - src/firecfg/firecfg.config
53 schedule:
54 - cron: '0 7 * * 2'
55
56permissions: # added using https://github.com/step-security/secure-workflows
57 contents: read
58
59jobs:
60 analyze:
61 permissions:
62 actions: read # for github/codeql-action/init to get workflow details
63 contents: read # for actions/checkout to fetch code
64 security-events: write # for github/codeql-action/autobuild to send a status report
65 name: Analyze
66 runs-on: ubuntu-latest
67
68 strategy:
69 fail-fast: false
70 matrix:
71 language: [ 'cpp', 'python' ]
72 # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
73 # Learn more:
74 # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
75
76 steps:
77 - name: Harden Runner
78 uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
79 with:
80 disable-sudo: true
81 egress-policy: block
82 allowed-endpoints: >
83 api.github.com:443
84 files.pythonhosted.org:443
85 github.com:443
86 objects.githubusercontent.com:443
87 pypi.org:443
88 uploads.github.com:443
89
90 - name: Checkout repository
91 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
92
93 - name: print env
94 run: ./ci/printenv.sh
95
96 # Initializes the CodeQL tools for scanning.
97 - name: Initialize CodeQL
98 uses: github/codeql-action/init@0ba4244466797eb048eb91a6cd43d5c03ca8bd05
99 with:
100 languages: ${{ matrix.language }}
101 # If you wish to specify custom queries, you can do so here or in a config file.
102 # By default, queries listed here will override any specified in a config file.
103 # Prefix the list here with "+" to use these queries and those in the config file.
104 # queries: ./path/to/local/query, your-org/your-repo/queries@main
105
106 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
107 # If this step fails, then you should remove it and run the build manually (see below)
108 - name: Autobuild
109 uses: github/codeql-action/autobuild@0ba4244466797eb048eb91a6cd43d5c03ca8bd05
110
111 # ℹ️ Command-line programs to run using the OS shell.
112 # 📚 https://git.io/JvXDl
113
114 # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
115 # and modify them (or add more) to build your code if your project
116 # uses a compiled language
117
118 #- run: |
119 # make bootstrap
120 # make release
121
122 - name: Perform CodeQL Analysis
123 uses: github/codeql-action/analyze@0ba4244466797eb048eb91a6cd43d5c03ca8bd05
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
new file mode 100644
index 000000000..f3c512c3e
--- /dev/null
+++ b/.github/workflows/codespell.yml
@@ -0,0 +1,47 @@
1# Checks the spelling on all non-third-party files.
2
3name: Codespell
4
5on:
6 workflow_dispatch:
7 push:
8 branches-ignore:
9 - 'dependabot/**'
10 paths-ignore:
11 - 'm4/**'
12 - COPYING
13 pull_request:
14 paths-ignore:
15 - 'm4/**'
16 - COPYING
17
18permissions: # added using https://github.com/step-security/secure-workflows
19 contents: read
20
21jobs:
22 codespell:
23 runs-on: ubuntu-22.04
24 steps:
25 - name: Harden Runner
26 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
27 with:
28 egress-policy: block
29 allowed-endpoints: >
30 archive.ubuntu.com:80
31 azure.archive.ubuntu.com:80
32 github.com:443
33 packages.microsoft.com:443
34 ppa.launchpadcontent.net:443
35 security.ubuntu.com:80
36 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
37 - name: update package information
38 run: sudo apt-get update -qy
39 - name: install dependencies
40 run: sudo apt-get install -qy codespell
41 - name: print env
42 run: ./ci/printenv.sh
43 - name: configure
44 run: ./configure || (cat config.log; exit 1)
45 - run: codespell --version
46 - name: codespell
47 run: make codespell
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 000000000..0a6069a5c
--- /dev/null
+++ b/.github/workflows/test.yml
@@ -0,0 +1,258 @@
1# Checks that the tests are passing.
2
3name: Test
4
5on:
6 workflow_dispatch:
7 push:
8 branches-ignore:
9 - 'dependabot/**'
10 paths:
11 - 'm4/**'
12 - 'src/**.c'
13 - 'src/**.h'
14 - 'src/**.mk'
15 - 'src/**Makefile'
16 - 'test/**'
17 - .github/workflows/test.yml
18 - Makefile
19 - config.mk.in
20 - config.sh.in
21 - configure
22 - configure.ac
23 - etc/profile-a-l/default.profile
24 - src/firecfg/firecfg.config
25 pull_request:
26 paths:
27 - 'm4/**'
28 - 'src/**.c'
29 - 'src/**.h'
30 - 'src/**.mk'
31 - 'src/**Makefile'
32 - 'test/**'
33 - .github/workflows/test.yml
34 - Makefile
35 - config.mk.in
36 - config.sh.in
37 - configure
38 - configure.ac
39 - etc/profile-a-l/default.profile
40 - src/firecfg/firecfg.config
41
42permissions: # added using https://github.com/step-security/secure-workflows
43 contents: read
44
45#
46# Faster tests
47#
48
49jobs:
50 test-main:
51 runs-on: ubuntu-22.04
52 env:
53 SHELL: /bin/bash
54 steps:
55 - name: Harden Runner
56 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
57 with:
58 egress-policy: block
59 allowed-endpoints: >
60 azure.archive.ubuntu.com:80
61 github.com:443
62 packages.microsoft.com:443
63 ppa.launchpadcontent.net:443
64 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
65 - name: update package information
66 run: sudo apt-get update -qy
67 - name: install dependencies
68 run: >
69 sudo apt-get install -qy
70 gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils
71 - name: print env
72 run: ./ci/printenv.sh
73 - name: configure
74 run: >
75 CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
76 --enable-analyzer --enable-apparmor --enable-selinux
77 || (cat config.log; exit 1)
78 - name: make
79 run: make -j "$(nproc)"
80 - name: make install
81 run: sudo make install
82 - name: print firejail version
83 run: command -V firejail && firejail --version
84 - run: make lab-setup
85 - run: make test-seccomp-extra
86 - run: make test-firecfg
87 - run: make test-capabilities
88 - run: make test-apparmor
89 - run: make test-appimage
90 - run: make test-chroot
91 - run: make test-fcopy
92
93#
94# Slower tests
95#
96
97 test-fs:
98 runs-on: ubuntu-22.04
99 env:
100 SHELL: /bin/bash
101 steps:
102 - name: Harden Runner
103 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
104 with:
105 egress-policy: block
106 allowed-endpoints: >
107 azure.archive.ubuntu.com:80
108 github.com:443
109 packages.microsoft.com:443
110 ppa.launchpadcontent.net:443
111 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
112 - name: update package information
113 run: sudo apt-get update -qy
114 - name: install dependencies
115 run: >
116 sudo apt-get install -qy
117 gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils
118 - name: print env
119 run: ./ci/printenv.sh
120 - name: configure
121 run: >
122 CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
123 --enable-analyzer --enable-apparmor --enable-selinux
124 || (cat config.log; exit 1)
125 - name: make
126 run: make -j "$(nproc)"
127 - name: make install
128 run: sudo make install
129 - name: print firejail version
130 run: command -V firejail && firejail --version
131 - run: make lab-setup
132 - run: make test-private-etc
133 - run: make test-fs
134
135 test-environment:
136 runs-on: ubuntu-22.04
137 env:
138 SHELL: /bin/bash
139 steps:
140 - name: Harden Runner
141 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
142 with:
143 egress-policy: block
144 allowed-endpoints: >
145 azure.archive.ubuntu.com:80
146 github.com:443
147 packages.microsoft.com:443
148 ppa.launchpadcontent.net:443
149 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
150 - name: update package information
151 run: sudo apt-get update -qy
152 - name: install dependencies
153 run: >
154 sudo apt-get install -qy
155 gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils
156 - name: print env
157 run: ./ci/printenv.sh
158 - name: configure
159 run: >
160 CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
161 --enable-analyzer --enable-apparmor --enable-selinux
162 || (cat config.log; exit 1)
163 - name: make
164 run: make -j "$(nproc)"
165 - name: make install
166 run: sudo make install
167 - name: print firejail version
168 run: command -V firejail && firejail --version
169 - run: make lab-setup
170 - run: make test-environment
171 - run: make test-profiles
172
173 test-utils:
174 runs-on: ubuntu-22.04
175 env:
176 SHELL: /bin/bash
177 steps:
178 - name: Harden Runner
179 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
180 with:
181 egress-policy: block
182 allowed-endpoints: >
183 azure.archive.ubuntu.com:80
184 debian.org:80
185 github.com:443
186 packages.microsoft.com:443
187 ppa.launchpadcontent.net:443
188 www.debian.org:443
189 www.debian.org:80
190 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
191 - name: update package information
192 run: sudo apt-get update -qy
193 - name: install dependencies
194 run: >
195 sudo apt-get install -qy
196 gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils
197 - name: print env
198 run: ./ci/printenv.sh
199 - name: configure
200 run: >
201 CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
202 --enable-analyzer --enable-apparmor --enable-selinux
203 || (cat config.log; exit 1)
204 - name: make
205 run: make -j "$(nproc)"
206 - name: make install
207 run: sudo make install
208 - name: print firejail version
209 run: command -V firejail && firejail --version
210 - run: make lab-setup
211 - run: make test-utils
212
213 test-network:
214 runs-on: ubuntu-22.04
215 env:
216 SHELL: /bin/bash
217 steps:
218 - name: Harden Runner
219 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
220 with:
221 egress-policy: block
222 allowed-endpoints: >
223 1.1.1.1:1025
224 azure.archive.ubuntu.com:80
225 debian.org:80
226 dns.quad9.net:53
227 github.com:443
228 packages.microsoft.com:443
229 ppa.launchpadcontent.net:443
230 whois.pir.org:43
231 www.debian.org:443
232 www.debian.org:80
233 yahoo.com:1025
234 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
235 - name: update package information
236 run: sudo apt-get update -qy
237 - name: install dependencies
238 run: >
239 sudo apt-get install -qy
240 gcc-12 libapparmor-dev libselinux1-dev expect xzdec whois
241 bridge-utils
242 - name: print env
243 run: ./ci/printenv.sh
244 - name: configure
245 run: >
246 CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
247 --enable-analyzer --enable-apparmor --enable-selinux
248 || (cat config.log; exit 1)
249 - name: make
250 run: make -j "$(nproc)"
251 - name: make install
252 run: sudo make install
253 - name: print firejail version
254 run: command -V firejail && firejail --version
255 - run: make lab-setup
256 - run: make test-fnetfilter
257 - run: make test-sysutils
258 - run: make test-network
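Review bot: The five jobs (test-main, test-fs, test-environment, test-utils, test-network) repeat the same harden-runner, checkout, apt-get, configure, `make`, `sudo make install` and `make lab-setup` steps verbatim, so any future change to the build flags or the base endpoint list has to be applied in five places. Extracting the shared steps into a composite action or a reusable workflow invoked with `uses:`, with the job-specific `allowed-endpoints` and test targets passed as inputs, would remove the duplication. The test-network job's egress allow-list also depends on hosts outside the project's control (`1.1.1.1:1025`, `yahoo.com:1025`, `whois.pir.org:43`, `dns.quad9.net:53`), which presumably makes that job sensitive to third-party outages; a comment next to each such entry naming the test that needs it would help when one has to be replaced.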
diff --git a/Makefile b/Makefile
index e3e0ad551..d5ec11ea6 100644
--- a/Makefile
+++ b/Makefile
@@ -64,31 +64,31 @@ $(MYDIRS):
64 64
65.PHONY: filters 65.PHONY: filters
66filters: $(SECCOMP_FILTERS) 66filters: $(SECCOMP_FILTERS)
67seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize 67seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize Makefile
68 src/fseccomp/fseccomp default seccomp 68 src/fseccomp/fseccomp default seccomp
69 src/fsec-optimize/fsec-optimize seccomp 69 src/fsec-optimize/fsec-optimize seccomp
70 70
71seccomp.debug: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize 71seccomp.debug: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize Makefile
72 src/fseccomp/fseccomp default seccomp.debug allow-debuggers 72 src/fseccomp/fseccomp default seccomp.debug allow-debuggers
73 src/fsec-optimize/fsec-optimize seccomp.debug 73 src/fsec-optimize/fsec-optimize seccomp.debug
74 74
75seccomp.32: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize 75seccomp.32: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize Makefile
76 src/fseccomp/fseccomp secondary 32 seccomp.32 76 src/fseccomp/fseccomp secondary 32 seccomp.32
77 src/fsec-optimize/fsec-optimize seccomp.32 77 src/fsec-optimize/fsec-optimize seccomp.32
78 78
79seccomp.block_secondary: src/fseccomp/fseccomp 79seccomp.block_secondary: src/fseccomp/fseccomp Makefile
80 src/fseccomp/fseccomp secondary block seccomp.block_secondary 80 src/fseccomp/fseccomp secondary block seccomp.block_secondary
81 81
82seccomp.mdwx: src/fseccomp/fseccomp 82seccomp.mdwx: src/fseccomp/fseccomp Makefile
83 src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx 83 src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx
84 84
85seccomp.mdwx.32: src/fseccomp/fseccomp 85seccomp.mdwx.32: src/fseccomp/fseccomp Makefile
86 src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32 86 src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32
87 87
88seccomp.namespaces: src/fseccomp/fseccomp 88seccomp.namespaces: src/fseccomp/fseccomp Makefile
89 src/fseccomp/fseccomp restrict-namespaces seccomp.namespaces cgroup,ipc,net,mnt,pid,time,user,uts 89 src/fseccomp/fseccomp restrict-namespaces seccomp.namespaces cgroup,ipc,net,mnt,pid,time,user,uts
90 90
91seccomp.namespaces.32: src/fseccomp/fseccomp 91seccomp.namespaces.32: src/fseccomp/fseccomp Makefile
92 src/fseccomp/fseccomp restrict-namespaces seccomp.namespaces.32 cgroup,ipc,net,mnt,pid,time,user,uts 92 src/fseccomp/fseccomp restrict-namespaces seccomp.namespaces.32 cgroup,ipc,net,mnt,pid,time,user,uts
93 93
94.PHONY: man 94.PHONY: man
@@ -103,58 +103,65 @@ contrib: syntax
103syntax: $(SYNTAX_FILES) 103syntax: $(SYNTAX_FILES)
104 104
105# TODO: include/rlimit are false positives 105# TODO: include/rlimit are false positives
106contrib/syntax/lists/profile_commands_arg0.list: src/firejail/profile.c 106contrib/syntax/lists/profile_commands_arg0.list: src/firejail/profile.c Makefile
107 @printf 'Generating %s from %s\n' $@ $<
107 @sed -En 's/.*strn?cmp\(ptr, "([^ "]*[^ ])".*/\1/p' $< | \ 108 @sed -En 's/.*strn?cmp\(ptr, "([^ "]*[^ ])".*/\1/p' $< | \
108 grep -Ev '^(include|rlimit)$$' | sed 's/\./\\./' | LC_ALL=C sort -u >$@ 109 grep -Ev '^(include|rlimit)$$' | LC_ALL=C sort -u >$@
109 110
110# TODO: private-lib is special-cased in the code and doesn't match the regex 111# TODO: private-lib is special-cased in the code and doesn't match the regex
111contrib/syntax/lists/profile_commands_arg1.list: src/firejail/profile.c 112contrib/syntax/lists/profile_commands_arg1.list: src/firejail/profile.c Makefile
112 @{ sed -En 's/.*strn?cmp\(ptr, "([^"]+) ".*/\1/p' $<; echo private-lib; } | \ 113 @printf 'Generating %s from %s\n' $@ $<
113 LC_ALL=C sort -u >$@ 114 @{ sed -En 's/.*strn?cmp\(ptr, "([^"]+) .*/\1/p' $<; \
115 echo private-lib; } | LC_ALL=C sort -u >$@
114 116
115contrib/syntax/lists/profile_conditionals.list: src/firejail/profile.c 117contrib/syntax/lists/profile_conditionals.list: src/firejail/profile.c Makefile
118 @printf 'Generating %s from %s\n' $@ $<
116 @awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$$/ {process=1;} \ 119 @awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$$/ {process=1;} \
117 /\t*\{"[^"]+".*/ \ 120 /\t*\{"[^"]+".*/ \
118 { if (process) {print gensub(/^\t*\{"([^"]+)".*$$/, "\\1", 1);} } \ 121 { if (process) {print gensub(/^\t*\{"([^"]+)".*$$/, "\\1", 1);} } \
119 /^\t\{ NULL, NULL \}$$/ {process=0;}' \ 122 /^\t\{ NULL, NULL \}$$/ {process=0;}' \
120 $< | LC_ALL=C sort -u >$@ 123 $< | LC_ALL=C sort -u >$@
121 124
122contrib/syntax/lists/profile_macros.list: src/firejail/macros.c 125contrib/syntax/lists/profile_macros.list: src/firejail/macros.c Makefile
126 @printf 'Generating %s from %s\n' $@ $<
123 @sed -En 's/.*\$$\{([^}]+)\}.*/\1/p' $< | LC_ALL=C sort -u >$@ 127 @sed -En 's/.*\$$\{([^}]+)\}.*/\1/p' $< | LC_ALL=C sort -u >$@
124 128
125contrib/syntax/lists/syscall_groups.list: src/lib/syscall.c 129contrib/syntax/lists/syscall_groups.list: src/lib/syscall.c Makefile
130 @printf 'Generating %s from %s\n' $@ $<
126 @sed -En 's/.*"@([^",]+).*/\1/p' $< | LC_ALL=C sort -u >$@ 131 @sed -En 's/.*"@([^",]+).*/\1/p' $< | LC_ALL=C sort -u >$@
127 132
128contrib/syntax/lists/syscalls.list: $(SYSCALL_HEADERS) 133contrib/syntax/lists/syscalls.list: $(SYSCALL_HEADERS) Makefile
134 @printf 'Generating %s\n' $@
129 @sed -n 's/{\s\+"\([^"]\+\)",.*},/\1/p' $(SYSCALL_HEADERS) | \ 135 @sed -n 's/{\s\+"\([^"]\+\)",.*},/\1/p' $(SYSCALL_HEADERS) | \
130 LC_ALL=C sort -u >$@ 136 LC_ALL=C sort -u >$@
131 137
132contrib/syntax/lists/system_errnos.list: src/lib/errno.c 138contrib/syntax/lists/system_errnos.list: src/lib/errno.c Makefile
139 @printf 'Generating %s from %s\n' $@ $<
133 @sed -En 's/.*"(E[^"]+).*/\1/p' $< | LC_ALL=C sort -u >$@ 140 @sed -En 's/.*"(E[^"]+).*/\1/p' $< | LC_ALL=C sort -u >$@
134 141
135pipe_fromlf = { tr '\n' '|' | sed 's/|$$//'; } 142regex_fromlf = { tr '\n' '|' | sed -e 's/|$$//' -e 's/\./\\\\./g'; }
136space_fromlf = { tr '\n' ' ' | sed 's/ $$//'; } 143space_fromlf = { tr '\n' ' ' | sed -e 's/ $$//'; }
137edit_syntax_file = sed \ 144edit_syntax_file = sed \
138 -e "s/@make_input@/$$(basename $@). Generated from $$(basename $<) by make./" \ 145 -e "s/@make_input@/$$(basename $@). Generated from $$(basename $<) by make./" \
139 -e "s/@FJ_PROFILE_COMMANDS_ARG0@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_commands_arg0.list)/" \ 146 -e "s/@FJ_PROFILE_COMMANDS_ARG0@/$$($(regex_fromlf) <contrib/syntax/lists/profile_commands_arg0.list)/" \
140 -e "s/@FJ_PROFILE_COMMANDS_ARG1@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_commands_arg1.list)/" \ 147 -e "s/@FJ_PROFILE_COMMANDS_ARG1@/$$($(regex_fromlf) <contrib/syntax/lists/profile_commands_arg1.list)/" \
141 -e "s/@FJ_PROFILE_CONDITIONALS@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_conditionals.list)/" \ 148 -e "s/@FJ_PROFILE_CONDITIONALS@/$$($(regex_fromlf) <contrib/syntax/lists/profile_conditionals.list)/" \
142 -e "s/@FJ_PROFILE_MACROS@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_macros.list)/" \ 149 -e "s/@FJ_PROFILE_MACROS@/$$($(regex_fromlf) <contrib/syntax/lists/profile_macros.list)/" \
143 -e "s/@FJ_SYSCALLS@/$$($(space_fromlf) <contrib/syntax/lists/syscalls.list)/" \ 150 -e "s/@FJ_SYSCALLS@/$$($(space_fromlf) <contrib/syntax/lists/syscalls.list)/" \
144 -e "s/@FJ_SYSCALL_GROUPS@/$$($(pipe_fromlf) <contrib/syntax/lists/syscall_groups.list)/" \ 151 -e "s/@FJ_SYSCALL_GROUPS@/$$($(regex_fromlf) <contrib/syntax/lists/syscall_groups.list)/" \
145 -e "s/@FJ_SYSTEM_ERRNOS@/$$($(pipe_fromlf) <contrib/syntax/lists/system_errnos.list)/" 152 -e "s/@FJ_SYSTEM_ERRNOS@/$$($(regex_fromlf) <contrib/syntax/lists/system_errnos.list)/"
146 153
147contrib/syntax/files/example: contrib/syntax/files/example.in $(SYNTAX_LISTS) 154contrib/syntax/files/example: contrib/syntax/files/example.in $(SYNTAX_LISTS) Makefile
148 @printf 'Generating %s from %s\n' $@ $< 155 @printf 'Generating %s from %s\n' $@ $<
149 @$(edit_syntax_file) $< >$@ 156 @$(edit_syntax_file) $< >$@
150 157
151# gtksourceview language-specs 158# gtksourceview language-specs
152contrib/syntax/files/%.lang: contrib/syntax/files/%.lang.in $(SYNTAX_LISTS) 159contrib/syntax/files/%.lang: contrib/syntax/files/%.lang.in $(SYNTAX_LISTS) Makefile
153 @printf 'Generating %s from %s\n' $@ $< 160 @printf 'Generating %s from %s\n' $@ $<
154 @$(edit_syntax_file) $< >$@ 161 @$(edit_syntax_file) $< >$@
155 162
156# vim syntax files 163# vim syntax files
157contrib/syntax/files/%.vim: contrib/syntax/files/%.vim.in $(SYNTAX_LISTS) 164contrib/syntax/files/%.vim: contrib/syntax/files/%.vim.in $(SYNTAX_LISTS) Makefile
158 @printf 'Generating %s from %s\n' $@ $< 165 @printf 'Generating %s from %s\n' $@ $<
159 @$(edit_syntax_file) $< >$@ 166 @$(edit_syntax_file) $< >$@
160 167
@@ -292,6 +299,7 @@ uninstall: config.mk
292 rm -f $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs/firejail-profile.lang 299 rm -f $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs/firejail-profile.lang
293 @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038." 300 @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038."
294 301
302# Note: Keep this list in sync with `paths` in .github/workflows/build.yml.
295DISTFILES = \ 303DISTFILES = \
296 COPYING \ 304 COPYING \
297 Makefile \ 305 Makefile \
@@ -366,9 +374,16 @@ cppcheck: clean
366scan-build: clean 374scan-build: clean
367 scan-build $(MAKE) 375 scan-build $(MAKE)
368 376
377# TODO: Old codespell versions (such as v2.1.0 in CI) have issues with
378# contrib/syscalls.sh
369.PHONY: codespell 379.PHONY: codespell
370codespell: clean 380codespell:
371 codespell --ignore-regex "UE|creat|doas|ether|isplay|shotcut" src test 381 @printf 'Running %s...\n' $@
382 @codespell --ignore-regex 'UE|als|chage|creat|doas|ether|isplay|readby|[Ss]hotcut' \
383 -S *.gz,*.o,*.so \
384 -S COPYING,m4 \
385 -S ./contrib/syscalls.sh \
386 .
372 387
373.PHONY: print-env 388.PHONY: print-env
374print-env: 389print-env:
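Review bot: In the codespell target the skip patterns in `-S *.gz,*.o,*.so` are unquoted, so the recipe shell expands the globs against the top-level directory before codespell sees them; it only works today because no matching file normally exists there, in which case the unmatched pattern is passed through literally. Quoting them as `-S '*.gz,*.o,*.so'` makes the behaviour independent of the working tree. The scan root is now `.`, which presumably includes `.git` unless codespell skips it by default; if it does not, adding `-S .git` avoids walking the object store. The `regex_fromlf` helper in the syntax hunk escapes only `.`, which appears sufficient for the command and macro names in the current lists, but a short comment such as `# Joins lines with '|' and escapes '.' for use as a regex alternation` would record that intent for whoever adds a list containing other metacharacters.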
diff --git a/README.md b/README.md
index 781304451..c51137808 100644
--- a/README.md
+++ b/README.md
@@ -1,8 +1,13 @@
1# Firejail 1# Firejail
2 2
3[![Build CI (GitLab)](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines) 3[![Build (GitLab)](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines)
4[![Build CI (GitHub)](https://github.com/netblue30/firejail/workflows/Build%20CI/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3A%22Build+CI%22) 4[![Build (GitHub)](https://github.com/netblue30/firejail/workflows/Build/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ABuild)
5[![CodeQL CI](https://github.com/netblue30/firejail/workflows/CodeQL/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodeQL) 5[![Build-extra](https://github.com/netblue30/firejail/workflows/Build-extra/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ABuild-extra)
6[![Test](https://github.com/netblue30/firejail/workflows/Test/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ATest)
7[![Check-C](https://github.com/netblue30/firejail/workflows/Check-C/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACheck-C)
8[![Check-Profiles](https://github.com/netblue30/firejail/workflows/Check-Profiles/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACheck-Profiles)
9[![Check-Python](https://github.com/netblue30/firejail/workflows/Check-Python/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACheck-Python)
10[![Codespell](https://github.com/netblue30/firejail/workflows/Codespell/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodespell)
6[![Packaging status (Repology)](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions) 11[![Packaging status (Repology)](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions)
7 12
8Firejail is a SUID sandbox program that reduces the risk of security breaches 13Firejail is a SUID sandbox program that reduces the risk of security breaches
diff --git a/RELNOTES b/RELNOTES
index d6ffdc3b2..b81ae74c4 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -21,10 +21,13 @@ firejail (0.9.73) baseline; urgency=low
21 * modif: Improve --version/--help & print version on startup (#5829) 21 * modif: Improve --version/--help & print version on startup (#5829)
22 * modif: improve errExit error messages (#5871) 22 * modif: improve errExit error messages (#5871)
23 * modif: drop deprecated 'shell' option references (#5894) 23 * modif: drop deprecated 'shell' option references (#5894)
24 * modif: keep pipewire group unless nosound is used (#5992 #5993)
24 * bugfix: qutebrowser: links will not open in the existing instance (#5601 25 * bugfix: qutebrowser: links will not open in the existing instance (#5601
25 #5618) 26 #5618)
26 * bugfix: fix --hostname and --hosts-file commands 27 * bugfix: fix --hostname and --hosts-file commands
27 * bugfix: arp.c: ensure positive timeout on select(2) (#5806) 28 * bugfix: arp.c: ensure positive timeout on select(2) (#5806)
29 * bugfix: Wrong syscall names for s390_pci_mmio_read and s390_pci_mmio_write
30 (#5965 #5976)
28 * build: auto-generate syntax files (#5627) 31 * build: auto-generate syntax files (#5627)
29 * build: mark all phony targets as such (#5637) 32 * build: mark all phony targets as such (#5637)
30 * build: mkdeb.sh: pass all arguments to ./configure (#5654) 33 * build: mkdeb.sh: pass all arguments to ./configure (#5654)
@@ -40,6 +43,9 @@ firejail (0.9.73) baseline; urgency=low
40 * build: fix hardcoded make & remove unnecessary distclean targets (#5911) 43 * build: fix hardcoded make & remove unnecessary distclean targets (#5911)
41 * build: dist and asc improvements (#5916) 44 * build: dist and asc improvements (#5916)
42 * build: fix some shellcheck issues & use config.sh in more scripts (#5927) 45 * build: fix some shellcheck issues & use config.sh in more scripts (#5927)
46 * build: firecfg.config sorting improvements (#5942)
47 * build: codespell improvements (#5955)
48 * build: add missing makefile dep & syntax improvements (#5956)
43 * ci: always update the package db before installing packages (#5742) 49 * ci: always update the package db before installing packages (#5742)
44 * ci: fix codeql unable to download its own bundle (#5783) 50 * ci: fix codeql unable to download its own bundle (#5783)
45 * ci: split configure/build/install commands on gitlab (#5784) 51 * ci: split configure/build/install commands on gitlab (#5784)
@@ -48,6 +54,9 @@ firejail (0.9.73) baseline; urgency=low
48 * ci: run for every branch instead of just master (#5815) 54 * ci: run for every branch instead of just master (#5815)
49 * ci: upgrade debian:stretch to debian:buster (#5818) 55 * ci: upgrade debian:stretch to debian:buster (#5818)
50 * ci: standardize apt-get update/install & misc improvements (#5857) 56 * ci: standardize apt-get update/install & misc improvements (#5857)
57 * ci: whitelist paths, reorganize workflows & speed-up tests (#5960)
58 * ci: fix dependabot duplicated workflow runs (#5984)
59 * ci: allow running workflows manually (#6026)
51 * contrib/vim: match profile files more broadly (#5850) 60 * contrib/vim: match profile files more broadly (#5850)
52 * test: split individual test groups in github workflows 61 * test: split individual test groups in github workflows
53 * test: add chroot, appimage and network tests in github workflows 62 * test: add chroot, appimage and network tests in github workflows
@@ -58,6 +67,9 @@ firejail (0.9.73) baseline; urgency=low
58 * docs: add uninstall instructions to README.md (#5812) 67 * docs: add uninstall instructions to README.md (#5812)
59 * legal: selinux.c: Split Copyright notice & use same license as upstream 68 * legal: selinux.c: Split Copyright notice & use same license as upstream
60 (#5667) 69 (#5667)
70 * profiles: standardize commented code and eol comments (#5987)
71 * profiles: replace private-opt with whitelist & document private-opt issues
72 (#6021)
61 * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes, url-eater 73 * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes, url-eater
62 -- netblue30 <netblue30@yahoo.com> Mon, 17 Jan 2023 09:00:00 -0500 74 -- netblue30 <netblue30@yahoo.com> Mon, 17 Jan 2023 09:00:00 -0500
63 75
@@ -363,7 +375,7 @@ firejail (0.9.62) baseline; urgency=low
363 * whitelisting /usr/share in a large number of profiles 375 * whitelisting /usr/share in a large number of profiles
364 * new scripts in contrib: gdb-firejail.sh and sort.py 376 * new scripts in contrib: gdb-firejail.sh and sort.py
365 * enhancement: whitelist /usr/share in some profiles 377 * enhancement: whitelist /usr/share in some profiles
366 * added signal mediation ot apparmor profile 378 * added signal mediation to apparmor profile
367 * new conditions: HAS_X11, HAS_NET 379 * new conditions: HAS_X11, HAS_NET
368 * new profiles: qgis, klatexformula, klatexformula_cmdl, links, xlinks 380 * new profiles: qgis, klatexformula, klatexformula_cmdl, links, xlinks
369 * new profiles: pandoc, teams-for-linux, OpenArena, gnome-sound-recorder 381 * new profiles: pandoc, teams-for-linux, OpenArena, gnome-sound-recorder
@@ -758,7 +770,7 @@ firejail (0.9.44.4) baseline; urgency=low
758 770
759firejail (0.9.44.2) baseline; urgency=low 771firejail (0.9.44.2) baseline; urgency=low
760 * security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118) 772 * security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118)
761 * secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson 773 * security: TOCTOU exploit for --get and --put found by Daniel Hodson
762 * security: invalid environment exploit found by Martin Carpenter (CVE-2016-10122) 774 * security: invalid environment exploit found by Martin Carpenter (CVE-2016-10122)
763 * security: several security enhancements 775 * security: several security enhancements
764 * bugfix: crashing VLC by pressing Ctrl-O 776 * bugfix: crashing VLC by pressing Ctrl-O
diff --git a/contrib/jail_prober.py b/contrib/jail_prober.py
index fcfe90eb7..070079e09 100755
--- a/contrib/jail_prober.py
+++ b/contrib/jail_prober.py
@@ -151,8 +151,8 @@ def run_firejail(program, all_args):
151 if arg: 151 if arg:
152 myargs.insert(-1, arg) 152 myargs.insert(-1, arg)
153 subprocess.call(myargs) 153 subprocess.call(myargs)
154 ans = input('Did %s run correctly? [y]/n ' % program) 154 answer = input('Did %s run correctly? [y]/n ' % program)
155 if ans in ['n', 'N']: 155 if answer in ['n', 'N']:
156 bad_args.append(arg) 156 bad_args.append(arg)
157 elif arg: 157 elif arg:
158 good_args.insert(-1, arg) 158 good_args.insert(-1, arg)
diff --git a/contrib/sort.py b/contrib/sort.py
index cdeecf99b..026384e1a 100755
--- a/contrib/sort.py
+++ b/contrib/sort.py
@@ -15,8 +15,8 @@ Usage: {path.basename(argv[0])} [/path/to/profile ...]
15 15
16The following commands are supported: 16The following commands are supported:
17 17
18 private-bin, private-etc, private-lib, caps.drop, caps.keep, seccomp.drop, 18 private-bin, private-etc, private-lib, caps.drop, caps.keep, seccomp,
19 seccomp.drop, protocol 19 seccomp.drop, seccomp.keep, protocol
20 20
21Note that this is only applicable to commands that support multiple arguments. 21Note that this is only applicable to commands that support multiple arguments.
22 22
diff --git a/contrib/syntax/files/firejail-profile.lang.in b/contrib/syntax/files/firejail-profile.lang.in
index acd5c86ce..a5deceb2c 100644
--- a/contrib/syntax/files/firejail-profile.lang.in
+++ b/contrib/syntax/files/firejail-profile.lang.in
@@ -7,7 +7,7 @@
7--> 7-->
8<language id="firejail-profile" name="Firejail Profile" version="2.0" _section="Other"> 8<language id="firejail-profile" name="Firejail Profile" version="2.0" _section="Other">
9 <metadata> 9 <metadata>
10 <property name="mimetypes">text/plain;text/x-firejail-profile</property> 10 <property name="mimetypes">text/x-firejail-profile</property>
11 <property name="globs">*.profile;*.local;*.inc</property> 11 <property name="globs">*.profile;*.local;*.inc</property>
12 <property name="line-comment-start">#</property> 12 <property name="line-comment-start">#</property>
13 </metadata> 13 </metadata>
diff --git a/contrib/syntax/lists/profile_commands_arg0.list b/contrib/syntax/lists/profile_commands_arg0.list
index fd1bdb401..e7fecef4b 100644
--- a/contrib/syntax/lists/profile_commands_arg0.list
+++ b/contrib/syntax/lists/profile_commands_arg0.list
@@ -41,7 +41,7 @@ private-tmp
41quiet 41quiet
42restrict-namespaces 42restrict-namespaces
43seccomp 43seccomp
44seccomp\.block-secondary 44seccomp.block-secondary
45tab 45tab
46tracelog 46tracelog
47writable-etc 47writable-etc
diff --git a/contrib/syntax/lists/profile_commands_arg1.list b/contrib/syntax/lists/profile_commands_arg1.list
index 28913542f..5862f16ac 100644
--- a/contrib/syntax/lists/profile_commands_arg1.list
+++ b/contrib/syntax/lists/profile_commands_arg1.list
@@ -5,11 +5,13 @@ blacklist-nolog
5caps.drop 5caps.drop
6caps.keep 6caps.keep
7cpu 7cpu
8dbus-system
8dbus-system.broadcast 9dbus-system.broadcast
9dbus-system.call 10dbus-system.call
10dbus-system.own 11dbus-system.own
11dbus-system.see 12dbus-system.see
12dbus-system.talk 13dbus-system.talk
14dbus-user
13dbus-user.broadcast 15dbus-user.broadcast
14dbus-user.call 16dbus-user.call
15dbus-user.own 17dbus-user.own
@@ -74,4 +76,5 @@ tmpfs
74veth-name 76veth-name
75whitelist 77whitelist
76whitelist-ro 78whitelist-ro
79x11
77xephyr-screen 80xephyr-screen
diff --git a/etc-fixes/0.9.38/firefox.profile b/etc-fixes/0.9.38/firefox.profile
index 00244aaa4..3b8264e75 100644
--- a/etc-fixes/0.9.38/firefox.profile
+++ b/etc-fixes/0.9.38/firefox.profile
@@ -7,7 +7,7 @@ include /etc/firejail/disable-devel.inc
7caps.drop all 7caps.drop all
8 8
9#seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice 9#seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
10seccomp.drop adjtimex,clock_adjtime,clock_settime,settimeofday,stime,modify_ldt,subpage_prot,switch_endian,vm86,vm86old,lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext,delete_module,finit_module,init_module,_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver,ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice 10seccomp.drop adjtimex,clock_adjtime,clock_settime,settimeofday,stime,modify_ldt,subpage_prot,switch_endian,vm86,vm86old,lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext,delete_module,finit_module,init_module,_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver,ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_pci_mmio_read,s390_pci_mmio_write,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
11 11
12protocol unix,inet,inet6,netlink 12protocol unix,inet,inet6,netlink
13netfilter 13netfilter
diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc
index 9576239f3..8083ef1a8 100644
--- a/etc/inc/allow-common-devel.inc
+++ b/etc/inc/allow-common-devel.inc
@@ -2,6 +2,10 @@
2# Persistent customizations should go in a .local file. 2# Persistent customizations should go in a .local file.
3include allow-common-devel.local 3include allow-common-devel.local
4 4
5# Arduino
6noblacklist ${HOME}/.arduino15
7noblacklist ${HOME}/Arduino
8
5# Git 9# Git
6noblacklist ${HOME}/.config/git 10noblacklist ${HOME}/.config/git
7noblacklist ${HOME}/.gitconfig 11noblacklist ${HOME}/.gitconfig
@@ -26,6 +30,9 @@ noblacklist ${HOME}/.yarn-config
26noblacklist ${HOME}/.yarncache 30noblacklist ${HOME}/.yarncache
27noblacklist ${HOME}/.yarnrc 31noblacklist ${HOME}/.yarnrc
28 32
33# PlatformIO
34noblacklist ${HOME}/.platformio
35
29# Python 36# Python
30noblacklist ${HOME}/.pylint.d 37noblacklist ${HOME}/.pylint.d
31noblacklist ${HOME}/.python-history 38noblacklist ${HOME}/.python-history
@@ -37,3 +44,4 @@ noblacklist ${HOME}/.bundle
37 44
38# Rust 45# Rust
39noblacklist ${HOME}/.cargo 46noblacklist ${HOME}/.cargo
47noblacklist ${HOME}/.rustup
diff --git a/etc/inc/allow-ssh.inc b/etc/inc/allow-ssh.inc
index 024d87be7..6b2c5846e 100644
--- a/etc/inc/allow-ssh.inc
+++ b/etc/inc/allow-ssh.inc
@@ -6,7 +6,7 @@ noblacklist ${HOME}/.ssh
6noblacklist /etc/ssh 6noblacklist /etc/ssh
7noblacklist /etc/ssh/ssh_config 7noblacklist /etc/ssh/ssh_config
8noblacklist /etc/ssh/ssh_config.d 8noblacklist /etc/ssh/ssh_config.d
9noblacklist ${PATH}/ssh 9noblacklist ${PATH}/ssh*
10noblacklist /tmp/ssh-* 10noblacklist /tmp/ssh-*
11# Arch Linux and derivatives 11# Arch Linux and derivatives
12noblacklist /usr/lib/ssh 12noblacklist /usr/lib/ssh
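Review bot: `noblacklist ${PATH}/ssh*` on line 9 re-exposes every binary whose name starts with `ssh` in a ${PATH} directory, not only the client; depending on what the distribution installs there, that can include `ssh-agent`, `ssh-keygen`, `sshfs` and `sshd`. If the include is meant to allow only the client and its helpers, listing them explicitly (`ssh`, `ssh-agent`, `ssh-add`, `ssh-keygen`) keeps the exposed surface readable. The glob also has to stay in step with the matching `blacklist ${PATH}/ssh*` in disable-common.inc, which is worth recording here, e.g. `# keep in sync with "blacklist ${PATH}/ssh*" in disable-common.inc`.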
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index ce4f08958..55aabbc73 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -33,7 +33,8 @@ blacklist-nolog ${HOME}/.viminfo
33blacklist-nolog /tmp/clipmenu* 33blacklist-nolog /tmp/clipmenu*
34 34
35# X11 session autostart 35# X11 session autostart
36# blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs 36# this will kill --x11=xpra cmdline option for all programs
37#blacklist ${HOME}/.xpra
37blacklist ${HOME}/.Xsession 38blacklist ${HOME}/.Xsession
38blacklist ${HOME}/.blackbox 39blacklist ${HOME}/.blackbox
39blacklist ${HOME}/.config/autostart 40blacklist ${HOME}/.config/autostart
@@ -170,7 +171,7 @@ blacklist ${RUNUSER}/gsconnect
170blacklist ${HOME}/.config/systemd 171blacklist ${HOME}/.config/systemd
171blacklist ${HOME}/.local/share/systemd 172blacklist ${HOME}/.local/share/systemd
172blacklist ${PATH}/systemctl 173blacklist ${PATH}/systemctl
173blacklist ${PATH}/systemd-run 174blacklist ${PATH}/systemd*
174blacklist ${RUNUSER}/systemd 175blacklist ${RUNUSER}/systemd
175blacklist /etc/credstore* 176blacklist /etc/credstore*
176blacklist /etc/systemd/network 177blacklist /etc/systemd/network
@@ -191,6 +192,7 @@ blacklist ${HOME}/.VirtualBox
191blacklist ${HOME}/VirtualBox VMs 192blacklist ${HOME}/VirtualBox VMs
192 193
193# GNOME Boxes 194# GNOME Boxes
195blacklist ${HOME}/.cache/gnome-boxes
194blacklist ${HOME}/.config/gnome-boxes 196blacklist ${HOME}/.config/gnome-boxes
195blacklist ${HOME}/.local/share/gnome-boxes 197blacklist ${HOME}/.local/share/gnome-boxes
196 198
@@ -241,8 +243,9 @@ blacklist /var/lib/mysql/mysql.sock
241blacklist /var/lib/mysqld/mysql.sock 243blacklist /var/lib/mysqld/mysql.sock
242blacklist /var/lib/pacman 244blacklist /var/lib/pacman
243blacklist /var/lib/upower 245blacklist /var/lib/upower
244# blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for 246# a virtual /var/log directory (mostly empty) is build up by default for every
245# every sandbox, unless --writable-var-log switch is activated 247# sandbox, unless --writable-var-log switch is activated
248#blacklist /var/log
246blacklist /var/mail 249blacklist /var/mail
247blacklist /var/opt 250blacklist /var/opt
248blacklist /var/run/acpid.socket 251blacklist /var/run/acpid.socket
@@ -319,7 +322,7 @@ read-only ${HOME}/.zshenv
319read-only ${HOME}/.zshrc 322read-only ${HOME}/.zshrc
320read-only ${HOME}/.zshrc.local 323read-only ${HOME}/.zshrc.local
321 324
322# Remote access 325# Remote access (used only by sshd; should always be blacklisted)
323blacklist ${HOME}/.rhosts 326blacklist ${HOME}/.rhosts
324blacklist ${HOME}/.shosts 327blacklist ${HOME}/.shosts
325blacklist ${HOME}/.ssh/authorized_keys 328blacklist ${HOME}/.ssh/authorized_keys
@@ -327,13 +330,12 @@ blacklist ${HOME}/.ssh/authorized_keys2
327blacklist ${HOME}/.ssh/environment 330blacklist ${HOME}/.ssh/environment
328blacklist ${HOME}/.ssh/rc 331blacklist ${HOME}/.ssh/rc
329blacklist /etc/hosts.equiv 332blacklist /etc/hosts.equiv
330read-only ${HOME}/.ssh/config
331read-only ${HOME}/.ssh/config.d
332 333
333# Initialization files that allow arbitrary command execution 334# Initialization files that allow arbitrary command execution
334read-only ${HOME}/.caffrc 335read-only ${HOME}/.caffrc
335read-only ${HOME}/.cargo/env 336read-only ${HOME}/.cargo/env
336read-only ${HOME}/.config/mpv 337read-only ${HOME}/.config/mpv
338read-only ${HOME}/.config/msmtp
337read-only ${HOME}/.config/nano 339read-only ${HOME}/.config/nano
338read-only ${HOME}/.config/nvim 340read-only ${HOME}/.config/nvim
339read-only ${HOME}/.config/pkcs11 341read-only ${HOME}/.config/pkcs11
@@ -360,6 +362,8 @@ read-only ${HOME}/.nanorc
360read-only ${HOME}/.npmrc 362read-only ${HOME}/.npmrc
361read-only ${HOME}/.pythonrc.py 363read-only ${HOME}/.pythonrc.py
362read-only ${HOME}/.reportbugrc 364read-only ${HOME}/.reportbugrc
365read-only ${HOME}/.ssh/config
366read-only ${HOME}/.ssh/config.d
363read-only ${HOME}/.tmux.conf 367read-only ${HOME}/.tmux.conf
364read-only ${HOME}/.vim 368read-only ${HOME}/.vim
365read-only ${HOME}/.viminfo 369read-only ${HOME}/.viminfo
@@ -422,6 +426,7 @@ blacklist /etc/group-
422blacklist /etc/gshadow 426blacklist /etc/gshadow
423blacklist /etc/gshadow+ 427blacklist /etc/gshadow+
424blacklist /etc/gshadow- 428blacklist /etc/gshadow-
429blacklist /etc/msmtprc
425blacklist /etc/passwd+ 430blacklist /etc/passwd+
426blacklist /etc/passwd- 431blacklist /etc/passwd-
427blacklist /etc/shadow 432blacklist /etc/shadow
@@ -444,6 +449,7 @@ blacklist ${HOME}/.cargo/credentials.toml
444blacklist ${HOME}/.cert 449blacklist ${HOME}/.cert
445blacklist ${HOME}/.config/hub 450blacklist ${HOME}/.config/hub
446blacklist ${HOME}/.config/keybase 451blacklist ${HOME}/.config/keybase
452blacklist ${HOME}/.config/msmtp
447blacklist ${HOME}/.davfs2/secrets 453blacklist ${HOME}/.davfs2/secrets
448blacklist ${HOME}/.ecryptfs 454blacklist ${HOME}/.ecryptfs
449blacklist ${HOME}/.fetchmailrc 455blacklist ${HOME}/.fetchmailrc
@@ -502,6 +508,7 @@ blacklist /usr/sbin
502 508
503# system management and various SUID executables 509# system management and various SUID executables
504blacklist ${PATH}/at 510blacklist ${PATH}/at
511blacklist ${PATH}/bmon
505blacklist ${PATH}/busybox 512blacklist ${PATH}/busybox
506blacklist ${PATH}/chage 513blacklist ${PATH}/chage
507blacklist ${PATH}/chfn 514blacklist ${PATH}/chfn
@@ -510,69 +517,96 @@ blacklist ${PATH}/crontab
510blacklist ${PATH}/doas 517blacklist ${PATH}/doas
511blacklist ${PATH}/evtest 518blacklist ${PATH}/evtest
512blacklist ${PATH}/expiry 519blacklist ${PATH}/expiry
513blacklist ${PATH}/fusermount 520blacklist ${PATH}/fping
521blacklist ${PATH}/fping6
522blacklist ${PATH}/fusermount*
514blacklist ${PATH}/gksu 523blacklist ${PATH}/gksu
515blacklist ${PATH}/gksudo 524blacklist ${PATH}/gksudo
516blacklist ${PATH}/gpasswd 525blacklist ${PATH}/gpasswd
526blacklist ${PATH}/groupmems
527blacklist ${PATH}/hostname
528#blacklist ${PATH}/ip # breaks --ip=dhcp
517blacklist ${PATH}/kdesudo 529blacklist ${PATH}/kdesudo
518blacklist ${PATH}/ksu 530blacklist ${PATH}/ksu
519blacklist ${PATH}/mount 531blacklist ${PATH}/mount
520blacklist ${PATH}/mount.ecryptfs_private 532blacklist ${PATH}/mount.*
533blacklist ${PATH}/mountpoint
534blacklist ${PATH}/mtr
535blacklist ${PATH}/mtr-packet
521blacklist ${PATH}/nc 536blacklist ${PATH}/nc
537blacklist ${PATH}/nc.openbsd
538blacklist ${PATH}/nc.traditional
522blacklist ${PATH}/ncat 539blacklist ${PATH}/ncat
523blacklist ${PATH}/nmap 540blacklist ${PATH}/netstat
541blacklist ${PATH}/networkctl
524blacklist ${PATH}/newgidmap 542blacklist ${PATH}/newgidmap
525blacklist ${PATH}/newgrp 543blacklist ${PATH}/newgrp
526blacklist ${PATH}/newuidmap 544blacklist ${PATH}/newuidmap
545blacklist ${PATH}/nm-online
546blacklist ${PATH}/nmap
547blacklist ${PATH}/nmcli
548blacklist ${PATH}/nmtui
549blacklist ${PATH}/nmtui-connect
550blacklist ${PATH}/nmtui-edit
551blacklist ${PATH}/nmtui-hostname
527blacklist ${PATH}/ntfs-3g 552blacklist ${PATH}/ntfs-3g
553blacklist ${PATH}/passwd
554blacklist ${PATH}/physlock
528blacklist ${PATH}/pkexec 555blacklist ${PATH}/pkexec
556blacklist ${PATH}/plocate
557blacklist ${PATH}/pmount
529blacklist ${PATH}/procmail 558blacklist ${PATH}/procmail
559blacklist ${PATH}/pumount
560blacklist ${PATH}/schroot
530blacklist ${PATH}/sg 561blacklist ${PATH}/sg
562blacklist ${PATH}/slock
563blacklist ${PATH}/ss
564blacklist ${PATH}/ssmtp
531blacklist ${PATH}/strace 565blacklist ${PATH}/strace
532blacklist ${PATH}/su 566blacklist ${PATH}/su
533blacklist ${PATH}/sudo 567blacklist ${PATH}/sudo
568blacklist ${PATH}/suexec
534blacklist ${PATH}/tcpdump 569blacklist ${PATH}/tcpdump
570blacklist ${PATH}/traceroute
535blacklist ${PATH}/umount 571blacklist ${PATH}/umount
536blacklist ${PATH}/unix_chkpwd 572blacklist ${PATH}/unix_chkpwd
573blacklist ${PATH}/wall
574blacklist ${PATH}/write
575blacklist ${PATH}/wshowkeys
537blacklist ${PATH}/xev 576blacklist ${PATH}/xev
538blacklist ${PATH}/xinput 577blacklist ${PATH}/xinput
539# from 0.9.67 578blacklist /usr/lib/chromium/chrome-sandbox
540blacklist /usr/lib/openssh
541blacklist /usr/lib/ssh
542blacklist /usr/libexec/openssh
543blacklist ${PATH}/passwd
544blacklist /usr/lib/xorg/Xorg.wrap
545blacklist /usr/lib/policykit-1/polkit-agent-helper-1
546blacklist /usr/lib/dbus-1.0/dbus-daemon-launch-helper 579blacklist /usr/lib/dbus-1.0/dbus-daemon-launch-helper
547blacklist /usr/lib/eject/dmcrypt-get-device 580blacklist /usr/lib/eject/dmcrypt-get-device
548blacklist /usr/lib/chromium/chrome-sandbox 581blacklist /usr/lib/openssh
549blacklist /usr/lib/opera/opera_sandbox 582blacklist /usr/lib/opera/opera_sandbox
550blacklist /usr/lib/vmware 583blacklist /usr/lib/policykit-1/polkit-agent-helper-1
551blacklist ${PATH}/suexec
552blacklist /usr/lib/squid/basic_pam_auth 584blacklist /usr/lib/squid/basic_pam_auth
553blacklist ${PATH}/slock 585blacklist /usr/lib/ssh
554blacklist ${PATH}/physlock 586blacklist /usr/lib/vmware
555blacklist ${PATH}/schroot 587blacklist /usr/lib/xorg/Xorg.wrap
556blacklist ${PATH}/wshowkeys 588blacklist /usr/libexec/openssh
557blacklist ${PATH}/pmount 589# since firejail version 0.9.73
558blacklist ${PATH}/pumount 590blacklist ${PATH}/dpkg*
559blacklist ${PATH}/bmon 591blacklist ${PATH}/apt*
560blacklist ${PATH}/fping 592blacklist ${PATH}/dumpcap
561blacklist ${PATH}/fping6 593blacklist ${PATH}/efibootdump
562blacklist ${PATH}/hostname 594blacklist ${PATH}/efibootmgr
563# blacklist ${PATH}/ip - breaks --ip=dhcp 595blacklist ${PATH}/passmass
564blacklist ${PATH}/mtr 596blacklist ${PATH}/proxy
565blacklist ${PATH}/mtr-packet 597blacklist ${PATH}/aa-*
566blacklist ${PATH}/netstat 598blacklist ${PATH}/airscan-discover
567blacklist ${PATH}/nm-online 599blacklist ${PATH}/avahi*
568blacklist ${PATH}/nmcli 600blacklist ${PATH}/dbus-*
569blacklist ${PATH}/nmtui 601blacklist ${PATH}/debconf*
570blacklist ${PATH}/nmtui-connect 602blacklist ${PATH}/grub-*
571blacklist ${PATH}/nmtui-edit 603blacklist ${PATH}/kernel-install # from systemd package
572blacklist ${PATH}/nmtui-hostname 604
573blacklist ${PATH}/networkctl 605# binaries installed by firejail
574blacklist ${PATH}/ss 606blacklist ${PATH}/firemon
575blacklist ${PATH}/traceroute 607blacklist ${PATH}/firecfg
608blacklist ${PATH}/jailcheck
609blacklist ${PATH}/firetools
576 610
577# other SUID binaries 611# other SUID binaries
578blacklist /opt/microsoft/msedge*/msedge-sandbox 612blacklist /opt/microsoft/msedge*/msedge-sandbox
@@ -585,11 +619,13 @@ blacklist /tmp/.lxterminal-socket*
585blacklist /tmp/tmux-* 619blacklist /tmp/tmux-*
586 620
587# disable terminals running as server resulting in sandbox escape 621# disable terminals running as server resulting in sandbox escape
622blacklist ${PATH}/foot
623blacklist ${PATH}/footserver
588blacklist ${PATH}/gnome-terminal 624blacklist ${PATH}/gnome-terminal
589blacklist ${PATH}/gnome-terminal.wrapper 625blacklist ${PATH}/gnome-terminal.wrapper
590blacklist ${PATH}/kgx 626blacklist ${PATH}/kgx
591# blacklist ${PATH}/konsole
592# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04 627# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
628#blacklist ${PATH}/konsole
593blacklist ${PATH}/lilyterm 629blacklist ${PATH}/lilyterm
594blacklist ${PATH}/lxterminal 630blacklist ${PATH}/lxterminal
595blacklist ${PATH}/mate-terminal 631blacklist ${PATH}/mate-terminal
@@ -653,10 +689,13 @@ blacklist ${HOME}/sent
653blacklist /proc/config.gz 689blacklist /proc/config.gz
654 690
655# prevent DNS malware attempting to communicate with the server using regular DNS tools 691# prevent DNS malware attempting to communicate with the server using regular DNS tools
692blacklist ${PATH}/delv
656blacklist ${PATH}/dig 693blacklist ${PATH}/dig
657blacklist ${PATH}/dlint 694blacklist ${PATH}/dlint
658blacklist ${PATH}/dns2tcp 695blacklist ${PATH}/dns2tcp
659blacklist ${PATH}/dnssec-* 696blacklist ${PATH}/dnssec-*
697blacklist ${PATH}/dnstap-read
698blacklist ${PATH}/mdig
660blacklist ${PATH}/dnswalk 699blacklist ${PATH}/dnswalk
661blacklist ${PATH}/drill 700blacklist ${PATH}/drill
662blacklist ${PATH}/host 701blacklist ${PATH}/host
@@ -667,12 +706,14 @@ blacklist ${PATH}/knsupdate
667blacklist ${PATH}/ldns-* 706blacklist ${PATH}/ldns-*
668blacklist ${PATH}/ldnsd 707blacklist ${PATH}/ldnsd
669blacklist ${PATH}/nslookup 708blacklist ${PATH}/nslookup
709blacklist ${PATH}/nsupdate
710blacklist ${PATH}/nstat
670blacklist ${PATH}/resolvectl 711blacklist ${PATH}/resolvectl
671blacklist ${PATH}/unbound-host 712blacklist ${PATH}/unbound-host
672 713
673# prevent an intruder to guess passwords using regular network tools 714# prevent an intruder to guess passwords using regular network tools
674blacklist ${PATH}/ftp 715blacklist ${PATH}/ftp
675blacklist ${PATH}/ssh 716blacklist ${PATH}/ssh*
676blacklist ${PATH}/telnet 717blacklist ${PATH}/telnet
677 718
678# rest of ${RUNUSER} 719# rest of ${RUNUSER}
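Review bot: `blacklist ${PATH}/ssh*` on new line 716 widens the previous `ssh`-only rule to every `ssh*` name, so any profile that includes disable-common.inc without allow-ssh.inc now also loses `ssh-agent`, `ssh-add` and `ssh-keygen` (and `sshfs`/`sshpass` where installed), while the heading above it still only talks about password guessing. Either the heading should say the helpers are covered on purpose or the entry should stay `ssh` plus the helpers that are actually meant. The same widening appears in `blacklist ${PATH}/systemd*` (new line 174, previously only `systemd-run`) and the added `blacklist ${PATH}/dbus-*` (new line 600), which presumably also catch unprivileged helpers such as `systemd-inhibit` and `dbus-send`; a trailing comment naming the binary each glob is really after would make later breakage easier to triage. Suggested wording for line 716: `blacklist ${PATH}/ssh* # ssh, ssh-agent, ssh-add, ssh-keygen, sshfs; see allow-ssh.inc`.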
diff --git a/etc/inc/disable-devel.inc b/etc/inc/disable-devel.inc
index 360077936..ae64f456e 100644
--- a/etc/inc/disable-devel.inc
+++ b/etc/inc/disable-devel.inc
@@ -4,32 +4,72 @@ include disable-devel.local
4 4
5# development tools 5# development tools
6 6
7# autoconf/automake
8blacklist ${PATH}/aclocal*
9blacklist ${PATH}/autoconf
10blacklist ${PATH}/autoheader
11blacklist ${PATH}/autom4te
12blacklist ${PATH}/automake*
13blacklist ${PATH}/autoreconf
14blacklist ${PATH}/autoscan
15blacklist ${PATH}/autoupdate
16blacklist ${PATH}/ifnames
17blacklist ${PATH}/m4
18
19# patch
20blacklist ${PATH}/elfedit
21blacklist ${PATH}/espdiff
22blacklist ${PATH}/patch
23blacklist ${PATH}/patchview
24
25# packaging
26blacklist ${PATH}/dh_*
27blacklist ${PATH}/fakeroot*
28blacklist ${PATH}/lintian
29
30# expect
31blacklist ${PATH}/autoexpect
32blacklist ${PATH}/expect*
33
7# clang/llvm 34# clang/llvm
35blacklist ${PATH}/analyze-build*
36blacklist ${PATH}/asan_symbolize*
37blacklist ${PATH}/bugpoint*
38blacklist ${PATH}/c-index-test*
8blacklist ${PATH}/clang* 39blacklist ${PATH}/clang*
40blacklist ${PATH}/llc*
9blacklist ${PATH}/lldb* 41blacklist ${PATH}/lldb*
42blacklist ${PATH}/lli*
10blacklist ${PATH}/llvm* 43blacklist ${PATH}/llvm*
44blacklist ${PATH}/scan-build
11# see issue #2106 - it disables hardware acceleration in Firefox on Radeon GPU 45# see issue #2106 - it disables hardware acceleration in Firefox on Radeon GPU
12# blacklist /usr/lib/llvm* 46#blacklist /usr/lib/llvm*
13 47
14# GCC 48# GCC
49blacklist ${PATH}/*-g++*
50blacklist ${PATH}/*-g++*
51blacklist ${PATH}/*-gcc*
52blacklist ${PATH}/*-gcc*
15blacklist ${PATH}/as 53blacklist ${PATH}/as
16blacklist ${PATH}/cc
17blacklist ${PATH}/c++* 54blacklist ${PATH}/c++*
18blacklist ${PATH}/c8* 55blacklist ${PATH}/c8*
19blacklist ${PATH}/c9* 56blacklist ${PATH}/c9*
57blacklist ${PATH}/cc
20blacklist ${PATH}/cpp* 58blacklist ${PATH}/cpp*
59blacklist ${PATH}/elfedit
21blacklist ${PATH}/g++* 60blacklist ${PATH}/g++*
22blacklist ${PATH}/gcc* 61blacklist ${PATH}/gcc*
62blacklist ${PATH}/gcov*
23blacklist ${PATH}/gdb 63blacklist ${PATH}/gdb
64blacklist ${PATH}/gmake
24blacklist ${PATH}/ld 65blacklist ${PATH}/ld
25blacklist ${PATH}/*-gcc* 66blacklist ${PATH}/make
26blacklist ${PATH}/*-g++* 67blacklist ${PATH}/make-first-existing-target
27blacklist ${PATH}/*-gcc* 68blacklist ${PATH}/x86_64-linux-gnu-*
28blacklist ${PATH}/*-g++*
29# seems to create problems on Gentoo 69# seems to create problems on Gentoo
30#blacklist /usr/lib/gcc 70#blacklist /usr/lib/gcc
31 71
32#Go 72# Go
33blacklist ${PATH}/gccgo 73blacklist ${PATH}/gccgo
34blacklist ${PATH}/go 74blacklist ${PATH}/go
35blacklist ${PATH}/gofmt 75blacklist ${PATH}/gofmt
@@ -48,15 +88,14 @@ blacklist ${PATH}/scala3-compiler
48blacklist ${PATH}/scala3-repl 88blacklist ${PATH}/scala3-repl
49blacklist ${PATH}/scalac 89blacklist ${PATH}/scalac
50 90
51#OpenSSL 91# OpenSSL
52blacklist ${PATH}/openssl 92blacklist ${PATH}/openssl
53blacklist ${PATH}/openssl-1.0 93blacklist ${PATH}/openssl-1.0
54 94
55#Rust 95# Rust
56blacklist ${PATH}/rust-gdb 96blacklist ${PATH}/rust-gdb
57blacklist ${PATH}/rust-lldb 97blacklist ${PATH}/rust-lldb
58blacklist ${PATH}/rustc 98blacklist ${PATH}/rustc
59blacklist ${HOME}/.rustup
60 99
61# tcc - Tiny C Compiler 100# tcc - Tiny C Compiler
62blacklist ${PATH}/tcc 101blacklist ${PATH}/tcc
@@ -68,7 +107,7 @@ blacklist ${PATH}/valgrind*
68blacklist /usr/lib/valgrind 107blacklist /usr/lib/valgrind
69 108
70# Source-Code 109# Source-Code
71blacklist /usr/src
72blacklist /usr/local/src
73blacklist /usr/include 110blacklist /usr/include
74blacklist /usr/local/include 111blacklist /usr/local/include
112blacklist /usr/local/src
113blacklist /usr/src
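Review bot: New lines 49–52 under `# GCC` carry over the duplicated `blacklist ${PATH}/*-g++*` / `blacklist ${PATH}/*-gcc*` pairs from old lines 25–28 (each pattern is listed twice), and `blacklist ${PATH}/elfedit` now appears both under `# patch` (line 20) and under `# GCC` (line 59); the duplicates are harmless but make the list harder to audit, so one copy of each should go. `blacklist ${PATH}/x86_64-linux-gnu-*` on line 68 covers only that target triplet, so prefixed binutils for other triplets such as `aarch64-linux-gnu-ld` stay reachable; if the intent is all prefixed toolchains, `blacklist ${PATH}/*-linux-gnu-*` would be more general, with a comment stating which tools it is meant to catch.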
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 38ab7221e..13b4b2078 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -22,7 +22,6 @@ blacklist ${HOME}/.Steampid
22blacklist ${HOME}/.TelegramDesktop 22blacklist ${HOME}/.TelegramDesktop
23blacklist ${HOME}/.VSCodium 23blacklist ${HOME}/.VSCodium
24blacklist ${HOME}/.ViberPC 24blacklist ${HOME}/.ViberPC
25blacklist ${HOME}/.VirtualBox
26blacklist ${HOME}/.WebStorm* 25blacklist ${HOME}/.WebStorm*
27blacklist ${HOME}/.Wolfram Research 26blacklist ${HOME}/.Wolfram Research
28blacklist ${HOME}/.ZAP 27blacklist ${HOME}/.ZAP
@@ -112,6 +111,7 @@ blacklist ${HOME}/.cache/falkon
112blacklist ${HOME}/.cache/feedreader 111blacklist ${HOME}/.cache/feedreader
113blacklist ${HOME}/.cache/firedragon 112blacklist ${HOME}/.cache/firedragon
114blacklist ${HOME}/.cache/flaska.net/trojita 113blacklist ${HOME}/.cache/flaska.net/trojita
114blacklist ${HOME}/.cache/floorp
115blacklist ${HOME}/.cache/folks 115blacklist ${HOME}/.cache/folks
116blacklist ${HOME}/.cache/font-manager 116blacklist ${HOME}/.cache/font-manager
117blacklist ${HOME}/.cache/fossamail 117blacklist ${HOME}/.cache/fossamail
@@ -124,7 +124,6 @@ blacklist ${HOME}/.cache/geeqie
124blacklist ${HOME}/.cache/gegl-0.4 124blacklist ${HOME}/.cache/gegl-0.4
125blacklist ${HOME}/.cache/gfeeds 125blacklist ${HOME}/.cache/gfeeds
126blacklist ${HOME}/.cache/gimp 126blacklist ${HOME}/.cache/gimp
127blacklist ${HOME}/.cache/gnome-boxes
128blacklist ${HOME}/.cache/gnome-builder 127blacklist ${HOME}/.cache/gnome-builder
129blacklist ${HOME}/.cache/gnome-control-center 128blacklist ${HOME}/.cache/gnome-control-center
130blacklist ${HOME}/.cache/gnome-recipes 129blacklist ${HOME}/.cache/gnome-recipes
@@ -157,6 +156,7 @@ blacklist ${HOME}/.cache/ksplashqml
157blacklist ${HOME}/.cache/kube 156blacklist ${HOME}/.cache/kube
158blacklist ${HOME}/.cache/kwin 157blacklist ${HOME}/.cache/kwin
159blacklist ${HOME}/.cache/lbry-viewer 158blacklist ${HOME}/.cache/lbry-viewer
159blacklist ${HOME}/.cache/lettura
160blacklist ${HOME}/.cache/libgweather 160blacklist ${HOME}/.cache/libgweather
161blacklist ${HOME}/.cache/librewolf 161blacklist ${HOME}/.cache/librewolf
162blacklist ${HOME}/.cache/liferea 162blacklist ${HOME}/.cache/liferea
@@ -221,6 +221,7 @@ blacklist ${HOME}/.cache/supertuxkart
221blacklist ${HOME}/.cache/systemsettings 221blacklist ${HOME}/.cache/systemsettings
222blacklist ${HOME}/.cache/telepathy 222blacklist ${HOME}/.cache/telepathy
223blacklist ${HOME}/.cache/thunderbird 223blacklist ${HOME}/.cache/thunderbird
224blacklist ${HOME}/.cache/tiny-rdm
224blacklist ${HOME}/.cache/torbrowser 225blacklist ${HOME}/.cache/torbrowser
225blacklist ${HOME}/.cache/transmission 226blacklist ${HOME}/.cache/transmission
226blacklist ${HOME}/.cache/ueberzugpp 227blacklist ${HOME}/.cache/ueberzugpp
@@ -345,10 +346,10 @@ blacklist ${HOME}/.config/Slack
345blacklist ${HOME}/.config/Standard Notes 346blacklist ${HOME}/.config/Standard Notes
346blacklist ${HOME}/.config/SubDownloader 347blacklist ${HOME}/.config/SubDownloader
347blacklist ${HOME}/.config/Thunar 348blacklist ${HOME}/.config/Thunar
349blacklist ${HOME}/.config/TinyRDM
348blacklist ${HOME}/.config/Twitch 350blacklist ${HOME}/.config/Twitch
349blacklist ${HOME}/.config/Unknown Organization 351blacklist ${HOME}/.config/Unknown Organization
350blacklist ${HOME}/.config/VSCodium 352blacklist ${HOME}/.config/VSCodium
351blacklist ${HOME}/.config/VirtualBox
352blacklist ${HOME}/.config/Whalebird 353blacklist ${HOME}/.config/Whalebird
353blacklist ${HOME}/.config/Wire 354blacklist ${HOME}/.config/Wire
354blacklist ${HOME}/.config/Youtube 355blacklist ${HOME}/.config/Youtube
@@ -385,6 +386,7 @@ blacklist ${HOME}/.config/borg
385blacklist ${HOME}/.config/brasero 386blacklist ${HOME}/.config/brasero
386blacklist ${HOME}/.config/brave 387blacklist ${HOME}/.config/brave
387blacklist ${HOME}/.config/brave-flags.conf 388blacklist ${HOME}/.config/brave-flags.conf
389blacklist ${HOME}/.config/breezy
388blacklist ${HOME}/.config/caja 390blacklist ${HOME}/.config/caja
389blacklist ${HOME}/.config/calibre 391blacklist ${HOME}/.config/calibre
390blacklist ${HOME}/.config/cantata 392blacklist ${HOME}/.config/cantata
@@ -406,6 +408,7 @@ blacklist ${HOME}/.config/cliqz
406blacklist ${HOME}/.config/cmus 408blacklist ${HOME}/.config/cmus
407blacklist ${HOME}/.config/cointop 409blacklist ${HOME}/.config/cointop
408blacklist ${HOME}/.config/com.github.bleakgrey.tootle 410blacklist ${HOME}/.config/com.github.bleakgrey.tootle
411blacklist ${HOME}/.config/com.lettura.dev
409blacklist ${HOME}/.config/corebird 412blacklist ${HOME}/.config/corebird
410blacklist ${HOME}/.config/coyim 413blacklist ${HOME}/.config/coyim
411blacklist ${HOME}/.config/d-feet 414blacklist ${HOME}/.config/d-feet
@@ -715,8 +718,10 @@ blacklist ${HOME}/.emacs.d
715blacklist ${HOME}/.equalx 718blacklist ${HOME}/.equalx
716blacklist ${HOME}/.ethereum 719blacklist ${HOME}/.ethereum
717blacklist ${HOME}/.etr 720blacklist ${HOME}/.etr
721blacklist ${HOME}/.factorio
718blacklist ${HOME}/.filezilla 722blacklist ${HOME}/.filezilla
719blacklist ${HOME}/.firedragon 723blacklist ${HOME}/.firedragon
724blacklist ${HOME}/.floorp
720blacklist ${HOME}/.flowblade 725blacklist ${HOME}/.flowblade
721blacklist ${HOME}/.fltk 726blacklist ${HOME}/.fltk
722blacklist ${HOME}/.fossamail 727blacklist ${HOME}/.fossamail
@@ -832,6 +837,7 @@ blacklist ${HOME}/.klatexformula
832blacklist ${HOME}/.klei 837blacklist ${HOME}/.klei
833blacklist ${HOME}/.kodi 838blacklist ${HOME}/.kodi
834blacklist ${HOME}/.lastpass 839blacklist ${HOME}/.lastpass
840blacklist ${HOME}/.lettura
835blacklist ${HOME}/.librewolf 841blacklist ${HOME}/.librewolf
836blacklist ${HOME}/.lincity-ng 842blacklist ${HOME}/.lincity-ng
837blacklist ${HOME}/.links 843blacklist ${HOME}/.links
@@ -843,6 +849,7 @@ blacklist ${HOME}/.local/lib/vivaldi
843blacklist ${HOME}/.local/share/0ad 849blacklist ${HOME}/.local/share/0ad
844blacklist ${HOME}/.local/share/3909/PapersPlease 850blacklist ${HOME}/.local/share/3909/PapersPlease
845blacklist ${HOME}/.local/share/Anki2 851blacklist ${HOME}/.local/share/Anki2
852blacklist ${HOME}/.local/share/Baba_Is_You
846blacklist ${HOME}/.local/share/Colossal Order 853blacklist ${HOME}/.local/share/Colossal Order
847blacklist ${HOME}/.local/share/Dredmor 854blacklist ${HOME}/.local/share/Dredmor
848blacklist ${HOME}/.local/share/Empathy 855blacklist ${HOME}/.local/share/Empathy
@@ -902,6 +909,7 @@ blacklist ${HOME}/.local/share/cdprojektred
902blacklist ${HOME}/.local/share/chatterino 909blacklist ${HOME}/.local/share/chatterino
903blacklist ${HOME}/.local/share/clipit 910blacklist ${HOME}/.local/share/clipit
904blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate 911blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate
912blacklist ${HOME}/.local/share/com.lettura.dev
905blacklist ${HOME}/.local/share/com.vmingueza.journal-viewer 913blacklist ${HOME}/.local/share/com.vmingueza.journal-viewer
906blacklist ${HOME}/.local/share/contacts 914blacklist ${HOME}/.local/share/contacts
907blacklist ${HOME}/.local/share/cor-games 915blacklist ${HOME}/.local/share/cor-games
@@ -920,6 +928,7 @@ blacklist ${HOME}/.local/share/evolution
920blacklist ${HOME}/.local/share/feedreader 928blacklist ${HOME}/.local/share/feedreader
921blacklist ${HOME}/.local/share/feral-interactive 929blacklist ${HOME}/.local/share/feral-interactive
922blacklist ${HOME}/.local/share/five-or-more 930blacklist ${HOME}/.local/share/five-or-more
931blacklist ${HOME}/.local/share/fluffychat
923blacklist ${HOME}/.local/share/freecol 932blacklist ${HOME}/.local/share/freecol
924blacklist ${HOME}/.local/share/gajim 933blacklist ${HOME}/.local/share/gajim
925blacklist ${HOME}/.local/share/gdfuse 934blacklist ${HOME}/.local/share/gdfuse
@@ -928,7 +937,6 @@ blacklist ${HOME}/.local/share/geeqie
928blacklist ${HOME}/.local/share/ghostwriter 937blacklist ${HOME}/.local/share/ghostwriter
929blacklist ${HOME}/.local/share/gitg 938blacklist ${HOME}/.local/share/gitg
930blacklist ${HOME}/.local/share/gnome-2048 939blacklist ${HOME}/.local/share/gnome-2048
931blacklist ${HOME}/.local/share/gnome-boxes
932blacklist ${HOME}/.local/share/gnome-builder 940blacklist ${HOME}/.local/share/gnome-builder
933blacklist ${HOME}/.local/share/gnome-chess 941blacklist ${HOME}/.local/share/gnome-chess
934blacklist ${HOME}/.local/share/gnome-klotski 942blacklist ${HOME}/.local/share/gnome-klotski
@@ -1008,6 +1016,7 @@ blacklist ${HOME}/.local/share/orage
1008blacklist ${HOME}/.local/share/org.kde.gwenview 1016blacklist ${HOME}/.local/share/org.kde.gwenview
1009blacklist ${HOME}/.local/share/pix 1017blacklist ${HOME}/.local/share/pix
1010blacklist ${HOME}/.local/share/plasma_notes 1018blacklist ${HOME}/.local/share/plasma_notes
1019blacklist ${HOME}/.local/share/pnpm
1011blacklist ${HOME}/.local/share/profanity 1020blacklist ${HOME}/.local/share/profanity
1012blacklist ${HOME}/.local/share/psi 1021blacklist ${HOME}/.local/share/psi
1013blacklist ${HOME}/.local/share/psi+ 1022blacklist ${HOME}/.local/share/psi+
@@ -1030,6 +1039,7 @@ blacklist ${HOME}/.local/share/strawberry
1030blacklist ${HOME}/.local/share/supertux2 1039blacklist ${HOME}/.local/share/supertux2
1031blacklist ${HOME}/.local/share/supertuxkart 1040blacklist ${HOME}/.local/share/supertuxkart
1032blacklist ${HOME}/.local/share/swell-foop 1041blacklist ${HOME}/.local/share/swell-foop
1042blacklist ${HOME}/.local/share/telegram-desktop
1033blacklist ${HOME}/.local/share/telepathy 1043blacklist ${HOME}/.local/share/telepathy
1034blacklist ${HOME}/.local/share/terasology 1044blacklist ${HOME}/.local/share/terasology
1035blacklist ${HOME}/.local/share/torbrowser 1045blacklist ${HOME}/.local/share/torbrowser
@@ -1072,7 +1082,6 @@ blacklist ${HOME}/.mp3splt-gtk
1072blacklist ${HOME}/.mpd 1082blacklist ${HOME}/.mpd
1073blacklist ${HOME}/.mpdconf 1083blacklist ${HOME}/.mpdconf
1074blacklist ${HOME}/.mplayer 1084blacklist ${HOME}/.mplayer
1075blacklist ${HOME}/.msmtprc
1076blacklist ${HOME}/.mullvad/mullvadbrowser 1085blacklist ${HOME}/.mullvad/mullvadbrowser
1077blacklist ${HOME}/.multimc5 1086blacklist ${HOME}/.multimc5
1078blacklist ${HOME}/.nanorc 1087blacklist ${HOME}/.nanorc
@@ -1115,6 +1124,7 @@ blacklist ${HOME}/.pinerc
1115blacklist ${HOME}/.pinercex 1124blacklist ${HOME}/.pinercex
1116blacklist ${HOME}/.pingus 1125blacklist ${HOME}/.pingus
1117blacklist ${HOME}/.pioneer 1126blacklist ${HOME}/.pioneer
1127blacklist ${HOME}/.platformio
1118blacklist ${HOME}/.prey 1128blacklist ${HOME}/.prey
1119blacklist ${HOME}/.purple 1129blacklist ${HOME}/.purple
1120blacklist ${HOME}/.pylint.d 1130blacklist ${HOME}/.pylint.d
@@ -1129,6 +1139,7 @@ blacklist ${HOME}/.repo_.gitconfig.json
1129blacklist ${HOME}/.repoconfig 1139blacklist ${HOME}/.repoconfig
1130blacklist ${HOME}/.retroshare 1140blacklist ${HOME}/.retroshare
1131blacklist ${HOME}/.ripperXrc 1141blacklist ${HOME}/.ripperXrc
1142blacklist ${HOME}/.rustup
1132blacklist ${HOME}/.sbt 1143blacklist ${HOME}/.sbt
1133blacklist ${HOME}/.scorched3d 1144blacklist ${HOME}/.scorched3d
1134blacklist ${HOME}/.scribus 1145blacklist ${HOME}/.scribus
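diff --git a/etc/inc/whitelist-usr-share-common.inc b/etc/inc/whitelist-usr-share-common.inc
index dcf941004..03653cc16 100644
--- a/etc/inc/whitelist-usr-share-common.inc
+++ b/etc/inc/whitelist-usr-share-common.inc
@@ -40,6 +40,7 @@ whitelist /usr/share/kxmlgui5
 whitelist /usr/share/libdrm
 whitelist /usr/share/libthai
 whitelist /usr/share/locale
+whitelist /usr/share/locale-langpack
 whitelist /usr/share/mime
 whitelist /usr/share/misc
 whitelist /usr/share/Modules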
diff --git a/etc/profile-a-l/abiword.profile b/etc/profile-a-l/abiword.profile
index a0eed24ca..dcd1259cf 100644
--- a/etc/profile-a-l/abiword.profile
+++ b/etc/profile-a-l/abiword.profile
@@ -44,7 +44,7 @@ private-dev
44private-etc @x11 44private-etc @x11
45private-tmp 45private-tmp
46 46
47# dbus-user none 47#dbus-user none
48# dbus-system none 48#dbus-system none
49 49
50restrict-namespaces 50restrict-namespaces
diff --git a/etc/profile-a-l/akonadi_control.profile b/etc/profile-a-l/akonadi_control.profile
index 184036f24..275ff41ef 100644
--- a/etc/profile-a-l/akonadi_control.profile
+++ b/etc/profile-a-l/akonadi_control.profile
@@ -34,7 +34,7 @@ include whitelist-var-common.inc
34# disabled options below are not compatible with the apparmor profile for mysqld-akonadi. 34# disabled options below are not compatible with the apparmor profile for mysqld-akonadi.
35# this affects ubuntu and debian currently 35# this affects ubuntu and debian currently
36 36
37# apparmor 37#apparmor
38caps.drop all 38caps.drop all
39ipc-namespace 39ipc-namespace
40netfilter 40netfilter
@@ -42,17 +42,17 @@ no3d
42nodvd 42nodvd
43nogroups 43nogroups
44noinput 44noinput
45# nonewprivs 45#nonewprivs
46noroot 46noroot
47nosound 47nosound
48notv 48notv
49nou2f 49nou2f
50novideo 50novideo
51# protocol unix,inet,inet6,netlink 51#protocol unix,inet,inet6,netlink
52# seccomp !io_destroy,!io_getevents,!io_setup,!io_submit,!ioprio_set 52#seccomp !io_destroy,!io_getevents,!io_setup,!io_submit,!ioprio_set
53tracelog 53tracelog
54 54
55private-dev 55private-dev
56# private-tmp - breaks programs that depend on akonadi 56#private-tmp # breaks programs that depend on akonadi
57 57
58# restrict-namespaces 58#restrict-namespaces
diff --git a/etc/profile-a-l/akregator.profile b/etc/profile-a-l/akregator.profile
index d88a1fcad..9de992a76 100644
--- a/etc/profile-a-l/akregator.profile
+++ b/etc/profile-a-l/akregator.profile
@@ -49,4 +49,4 @@ private-dev
49private-tmp 49private-tmp
50 50
51deterministic-shutdown 51deterministic-shutdown
52# restrict-namespaces 52#restrict-namespaces
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile
index 22a303cdd..14c425cc6 100644
--- a/etc/profile-a-l/alacarte.profile
+++ b/etc/profile-a-l/alacarte.profile
@@ -49,7 +49,7 @@ seccomp.block-secondary
49tracelog 49tracelog
50 50
51disable-mnt 51disable-mnt
52# private-bin alacarte,bash,python*,sh 52#private-bin alacarte,bash,python*,sh
53private-cache 53private-cache
54private-dev 54private-dev
55private-etc @tls-ca,@x11,mime.types 55private-etc @tls-ca,@x11,mime.types
diff --git a/etc/profile-a-l/amarok.profile b/etc/profile-a-l/amarok.profile
index 389aae602..0c78ab20d 100644
--- a/etc/profile-a-l/amarok.profile
+++ b/etc/profile-a-l/amarok.profile
@@ -26,11 +26,11 @@ notv
26nou2f 26nou2f
27novideo 27novideo
28protocol unix,inet,inet6 28protocol unix,inet,inet6
29# seccomp 29#seccomp
30 30
31# private-bin amarok 31#private-bin amarok
32private-dev 32private-dev
33# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,resolv.conf,ssl 33#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,resolv.conf,ssl
34private-tmp 34private-tmp
35 35
36dbus-user filter 36dbus-user filter
@@ -45,4 +45,4 @@ dbus-user.talk org.freedesktop.Notifications
45#dbus-user.talk org.kde.knotify 45#dbus-user.talk org.kde.knotify
46dbus-system none 46dbus-system none
47 47
48# restrict-namespaces 48#restrict-namespaces
diff --git a/etc/profile-a-l/android-studio.profile b/etc/profile-a-l/android-studio.profile
index 3dfa0f95a..09289ace1 100644
--- a/etc/profile-a-l/android-studio.profile
+++ b/etc/profile-a-l/android-studio.profile
@@ -36,7 +36,7 @@ protocol unix,inet,inet6
36seccomp 36seccomp
37 37
38private-cache 38private-cache
39# private-tmp 39#private-tmp
40 40
41# noexec /tmp breaks 'Android Profiler' 41# noexec /tmp breaks 'Android Profiler'
42#noexec /tmp 42#noexec /tmp
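diff --git a/etc/profile-a-l/ani-cli.profile b/etc/profile-a-l/ani-cli.profile
index f34f6270b..afd76282c 100644
--- a/etc/profile-a-l/ani-cli.profile
+++ b/etc/profile-a-l/ani-cli.profile
@@ -10,6 +10,7 @@ include ani-cli.local
 
 noblacklist ${HOME}/.cache/ani-cli
 noblacklist ${HOME}/.local/state/ani-cli
+noblacklist ${PATH}/patch
 
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc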
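Review bot: The new `noblacklist ${PATH}/patch` re-enables an executable inside the sandbox, which widens what a compromised ani-cli can run, yet unlike the `# Allow /bin/sh (blacklisted by disable-shell.inc)` line just below it carries no rationale. The two neighbouring noblacklist lines only expose ani-cli's own cache and state directories, so this one stands out as the only tool being unblocked. A comment in the same style, such as `# Allow patch (used by ani-cli at runtime)`, would tell the next maintainer why it is needed; which disable-*.inc include blacklists ${PATH}/patch is not visible in this hunk, so name it only if confirmed.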
diff --git a/etc/profile-a-l/anki.profile b/etc/profile-a-l/anki.profile
index 2d0bfcb6c..acf52509c 100644
--- a/etc/profile-a-l/anki.profile
+++ b/etc/profile-a-l/anki.profile
@@ -55,4 +55,4 @@ private-tmp
55dbus-user none 55dbus-user none
56dbus-system none 56dbus-system none
57 57
58# restrict-namespaces 58#restrict-namespaces
diff --git a/etc/profile-a-l/arduino.profile b/etc/profile-a-l/arduino.profile
index 85ea76939..a925e223f 100644
--- a/etc/profile-a-l/arduino.profile
+++ b/etc/profile-a-l/arduino.profile
@@ -21,7 +21,7 @@ caps.drop all
21netfilter 21netfilter
22no3d 22no3d
23nodvd 23nodvd
24# nogroups 24#nogroups
25nonewprivs 25nonewprivs
26noroot 26noroot
27nosound 27nosound
diff --git a/etc/profile-a-l/aria2c.profile b/etc/profile-a-l/aria2c.profile
index 7f9463c4f..65ffdfa1b 100644
--- a/etc/profile-a-l/aria2c.profile
+++ b/etc/profile-a-l/aria2c.profile
@@ -39,7 +39,7 @@ novideo
39protocol unix,inet,inet6,netlink 39protocol unix,inet,inet6,netlink
40seccomp 40seccomp
41 41
42# disable-mnt 42#disable-mnt
43# Add your custom event hook commands to 'private-bin' in your aria2c.local. 43# Add your custom event hook commands to 'private-bin' in your aria2c.local.
44private-bin aria2c,gzip 44private-bin aria2c,gzip
45# Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772). 45# Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772).
diff --git a/etc/profile-a-l/ark.profile b/etc/profile-a-l/ark.profile
index 272e06219..65e965248 100644
--- a/etc/profile-a-l/ark.profile
+++ b/etc/profile-a-l/ark.profile
@@ -22,7 +22,7 @@ include whitelist-var-common.inc
22 22
23apparmor 23apparmor
24caps.drop all 24caps.drop all
25# net none 25#net none
26netfilter 26netfilter
27nodvd 27nodvd
28nogroups 28nogroups
@@ -42,7 +42,7 @@ private-bin 7z,ark,bash,lrzip,lsar,lz4,lzop,p7zip,rar,sh,tclsh,unar,unrar,unzip,
42private-dev 42private-dev
43private-tmp 43private-tmp
44 44
45# dbus-user none 45#dbus-user none
46# dbus-system none 46#dbus-system none
47 47
48restrict-namespaces 48restrict-namespaces
diff --git a/etc/profile-a-l/artha.profile b/etc/profile-a-l/artha.profile
index 897140857..f6369eb86 100644
--- a/etc/profile-a-l/artha.profile
+++ b/etc/profile-a-l/artha.profile
@@ -35,7 +35,7 @@ include whitelist-var-common.inc
35apparmor 35apparmor
36caps.drop all 36caps.drop all
37ipc-namespace 37ipc-namespace
38# net none - breaks on Ubuntu 38#net none # breaks on Ubuntu
39no3d 39no3d
40nodvd 40nodvd
41nogroups 41nogroups
diff --git a/etc/profile-a-l/asunder.profile b/etc/profile-a-l/asunder.profile
index c09ad7936..601ef5c13 100644
--- a/etc/profile-a-l/asunder.profile
+++ b/etc/profile-a-l/asunder.profile
@@ -26,7 +26,7 @@ apparmor
26caps.drop all 26caps.drop all
27netfilter 27netfilter
28no3d 28no3d
29# nogroups 29#nogroups
30noinput 30noinput
31nonewprivs 31nonewprivs
32noroot 32noroot
@@ -44,5 +44,5 @@ dbus-user none
44dbus-system none 44dbus-system none
45 45
46# mdwe is disabled due to breaking hardware accelerated decoding 46# mdwe is disabled due to breaking hardware accelerated decoding
47# memory-deny-write-execute 47#memory-deny-write-execute
48restrict-namespaces 48restrict-namespaces
diff --git a/etc/profile-a-l/atom.profile b/etc/profile-a-l/atom.profile
index 8e8f8515f..f21a8c34a 100644
--- a/etc/profile-a-l/atom.profile
+++ b/etc/profile-a-l/atom.profile
@@ -26,7 +26,7 @@ noblacklist ${HOME}/.config/Atom
26# Allows files commonly used by IDEs 26# Allows files commonly used by IDEs
27include allow-common-devel.inc 27include allow-common-devel.inc
28 28
29# net none 29#net none
30nosound 30nosound
31 31
32# Redirect 32# Redirect
diff --git a/etc/profile-a-l/atril.profile b/etc/profile-a-l/atril.profile
index d0513d2a7..26b978158 100644
--- a/etc/profile-a-l/atril.profile
+++ b/etc/profile-a-l/atril.profile
@@ -22,7 +22,7 @@ include disable-xdg.inc
22 22
23include whitelist-var-common.inc 23include whitelist-var-common.inc
24 24
25# apparmor 25#apparmor
26caps.drop all 26caps.drop all
27machine-id 27machine-id
28no3d 28no3d
@@ -44,7 +44,7 @@ private-dev
44private-etc 44private-etc
45# atril uses webkit gtk to display epub files 45# atril uses webkit gtk to display epub files
46# waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0 46# waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0
47#private-lib webkit2gtk-4.0 - problems on Arch with the new version of WebKit 47#private-lib webkit2gtk-4.0 # problems on Arch with the new version of WebKit
48private-tmp 48private-tmp
49 49
50# webkit gtk killed by memory-deny-write-execute 50# webkit gtk killed by memory-deny-write-execute
diff --git a/etc/profile-a-l/audacious.profile b/etc/profile-a-l/audacious.profile
index 6abd87c92..6d1a07e2d 100644
--- a/etc/profile-a-l/audacious.profile
+++ b/etc/profile-a-l/audacious.profile
@@ -36,7 +36,7 @@ protocol unix,inet,inet6
36seccomp 36seccomp
37tracelog 37tracelog
38 38
39# private-bin audacious 39#private-bin audacious
40private-cache 40private-cache
41private-dev 41private-dev
42private-tmp 42private-tmp
diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile
index c2a482b61..e70215891 100644
--- a/etc/profile-a-l/audacity.profile
+++ b/etc/profile-a-l/audacity.profile
@@ -54,7 +54,7 @@ private-etc @x11
54private-tmp 54private-tmp
55 55
56# problems on Fedora 27 56# problems on Fedora 27
57# dbus-user none 57#dbus-user none
58# dbus-system none 58#dbus-system none
59 59
60restrict-namespaces 60restrict-namespaces
diff --git a/etc/profile-a-l/audio-recorder.profile b/etc/profile-a-l/audio-recorder.profile
index deba11a47..816852a71 100644
--- a/etc/profile-a-l/audio-recorder.profile
+++ b/etc/profile-a-l/audio-recorder.profile
@@ -41,7 +41,7 @@ seccomp
41tracelog 41tracelog
42 42
43disable-mnt 43disable-mnt
44# private-bin audio-recorder 44#private-bin audio-recorder
45private-cache 45private-cache
46private-etc 46private-etc
47private-tmp 47private-tmp
@@ -50,5 +50,5 @@ dbus-user filter
50dbus-user.talk ca.desrt.dconf 50dbus-user.talk ca.desrt.dconf
51dbus-system none 51dbus-system none
52 52
53# memory-deny-write-execute - breaks on Arch 53#memory-deny-write-execute # breaks on Arch
54restrict-namespaces 54restrict-namespaces
diff --git a/etc/profile-a-l/authenticator.profile b/etc/profile-a-l/authenticator.profile
index 96c70a838..cbd97449d 100644
--- a/etc/profile-a-l/authenticator.profile
+++ b/etc/profile-a-l/authenticator.profile
@@ -19,7 +19,7 @@ include disable-exec.inc
19include disable-interpreters.inc 19include disable-interpreters.inc
20include disable-programs.inc 20include disable-programs.inc
21 21
22# apparmor 22#apparmor
23caps.drop all 23caps.drop all
24netfilter 24netfilter
25no3d 25no3d
@@ -31,19 +31,19 @@ noroot
31nosound 31nosound
32notv 32notv
33nou2f 33nou2f
34# novideo 34#novideo
35protocol unix,inet,inet6 35protocol unix,inet,inet6
36seccomp 36seccomp
37 37
38disable-mnt 38disable-mnt
39# private-bin authenticator,python* 39#private-bin authenticator,python*
40private-dev 40private-dev
41private-etc @tls-ca 41private-etc @tls-ca
42private-tmp 42private-tmp
43 43
44# makes settings immutable 44# makes settings immutable
45# dbus-user none 45#dbus-user none
46# dbus-system none 46#dbus-system none
47 47
48#memory-deny-write-execute - breaks on Arch (see issue #1803) 48#memory-deny-write-execute # breaks on Arch (see issue #1803)
49restrict-namespaces 49restrict-namespaces
diff --git a/etc/profile-a-l/autokey-common.profile b/etc/profile-a-l/autokey-common.profile
index 834eac11a..bc47b26a9 100644
--- a/etc/profile-a-l/autokey-common.profile
+++ b/etc/profile-a-l/autokey-common.profile
@@ -38,5 +38,5 @@ private-cache
38private-dev 38private-dev
39private-tmp 39private-tmp
40 40
41#memory-deny-write-execute - breaks on Arch (see issue #1803) 41#memory-deny-write-execute # breaks on Arch (see issue #1803)
42restrict-namespaces 42restrict-namespaces
diff --git a/etc/profile-a-l/baloo_file.profile b/etc/profile-a-l/baloo_file.profile
index 084b7c702..de4004724 100644
--- a/etc/profile-a-l/baloo_file.profile
+++ b/etc/profile-a-l/baloo_file.profile
@@ -7,10 +7,10 @@ include globals.local
7 7
8# Make home directory read-only and allow writing only to ${HOME}/.local/share/baloo 8# Make home directory read-only and allow writing only to ${HOME}/.local/share/baloo
9# Note: Baloo will not be able to update the "first run" key in its configuration files. 9# Note: Baloo will not be able to update the "first run" key in its configuration files.
10# mkdir ${HOME}/.local/share/baloo 10#mkdir ${HOME}/.local/share/baloo
11# read-only ${HOME} 11#read-only ${HOME}
12# read-write ${HOME}/.local/share/baloo 12#read-write ${HOME}/.local/share/baloo
13# ignore read-write 13#ignore read-write
14 14
15noblacklist ${HOME}/.config/baloofilerc 15noblacklist ${HOME}/.config/baloofilerc
16noblacklist ${HOME}/.kde/share/config/baloofilerc 16noblacklist ${HOME}/.kde/share/config/baloofilerc
@@ -31,7 +31,7 @@ include whitelist-var-common.inc
31apparmor 31apparmor
32caps.drop all 32caps.drop all
33machine-id 33machine-id
34# net none 34#net none
35netfilter 35netfilter
36no3d 36no3d
37nodvd 37nodvd
@@ -46,7 +46,7 @@ novideo
46protocol unix 46protocol unix
47# blacklisting of ioprio_set system calls breaks baloo_file 47# blacklisting of ioprio_set system calls breaks baloo_file
48seccomp !ioprio_set 48seccomp !ioprio_set
49# x11 xorg 49#x11 xorg
50 50
51private-bin baloo_file,baloo_file_extractor,baloo_filemetadata_temp_extractor,kbuildsycoca4 51private-bin baloo_file,baloo_file_extractor,baloo_filemetadata_temp_extractor,kbuildsycoca4
52private-cache 52private-cache
diff --git a/etc/profile-a-l/baobab.profile b/etc/profile-a-l/baobab.profile
index 31ef66a58..942d82941 100644
--- a/etc/profile-a-l/baobab.profile
+++ b/etc/profile-a-l/baobab.profile
@@ -6,13 +6,13 @@ include baobab.local
6# Persistent global definitions 6# Persistent global definitions
7include globals.local 7include globals.local
8 8
9# include disable-common.inc 9#include disable-common.inc
10include disable-devel.inc 10include disable-devel.inc
11include disable-exec.inc 11include disable-exec.inc
12include disable-interpreters.inc 12include disable-interpreters.inc
13# include disable-programs.inc 13#include disable-programs.inc
14include disable-shell.inc 14include disable-shell.inc
15# include disable-xdg.inc 15#include disable-xdg.inc
16 16
17include whitelist-runuser-common.inc 17include whitelist-runuser-common.inc
18 18
@@ -37,8 +37,8 @@ private-bin baobab
37private-dev 37private-dev
38private-tmp 38private-tmp
39 39
40# dbus-user none 40#dbus-user none
41# dbus-system none 41#dbus-system none
42 42
43read-only ${HOME} 43read-only ${HOME}
44restrict-namespaces 44restrict-namespaces
diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile
index d566b94e8..c0e024445 100644
--- a/etc/profile-a-l/bcompare.profile
+++ b/etc/profile-a-l/bcompare.profile
@@ -19,7 +19,7 @@ include disable-exec.inc
19include disable-interpreters.inc 19include disable-interpreters.inc
20# Add the next line to your bcompare.local if you don't need to compare files in disable-programs.inc. 20# Add the next line to your bcompare.local if you don't need to compare files in disable-programs.inc.
21#include disable-programs.inc 21#include disable-programs.inc
22#include disable-shell.inc - breaks launch 22#include disable-shell.inc # breaks launch
23include disable-write-mnt.inc 23include disable-write-mnt.inc
24 24
25apparmor 25apparmor
diff --git a/etc/profile-a-l/bibletime.profile b/etc/profile-a-l/bibletime.profile
index 3fb2a82c3..dcef2bff1 100644
--- a/etc/profile-a-l/bibletime.profile
+++ b/etc/profile-a-l/bibletime.profile
@@ -48,7 +48,7 @@ protocol unix,inet,inet6,netlink
48seccomp !chroot 48seccomp !chroot
49 49
50disable-mnt 50disable-mnt
51# private-bin bibletime 51#private-bin bibletime
52private-cache 52private-cache
53private-dev 53private-dev
54private-etc @tls-ca,sword,sword.conf 54private-etc @tls-ca,sword,sword.conf
@@ -57,4 +57,4 @@ private-tmp
57dbus-user none 57dbus-user none
58dbus-system none 58dbus-system none
59 59
60# restrict-namespaces 60#restrict-namespaces
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile
index 53d212e34..e596ec9d2 100644
--- a/etc/profile-a-l/bijiben.profile
+++ b/etc/profile-a-l/bijiben.profile
@@ -48,7 +48,7 @@ tracelog
48 48
49disable-mnt 49disable-mnt
50private-bin bijiben 50private-bin bijiben
51# private-cache -- access to .cache/tracker is required 51#private-cache # access to .cache/tracker is required
52private-dev 52private-dev
53private-etc @x11 53private-etc @x11
54private-tmp 54private-tmp
diff --git a/etc/profile-a-l/bitlbee.profile b/etc/profile-a-l/bitlbee.profile
index 988a1479e..0f10c7ce0 100644
--- a/etc/profile-a-l/bitlbee.profile
+++ b/etc/profile-a-l/bitlbee.profile
@@ -10,7 +10,7 @@ ignore noexec ${HOME}
10 10
11noblacklist /sbin 11noblacklist /sbin
12noblacklist /usr/sbin 12noblacklist /usr/sbin
13# noblacklist /var/log 13#noblacklist /var/log
14 14
15include disable-common.inc 15include disable-common.inc
16include disable-devel.inc 16include disable-devel.inc
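diff --git a/etc/profile-a-l/bitwarden.profile b/etc/profile-a-l/bitwarden.profile
index 56bb871e7..1572ca572 100644
--- a/etc/profile-a-l/bitwarden.profile
+++ b/etc/profile-a-l/bitwarden.profile
@@ -17,6 +17,7 @@ include disable-shell.inc
 
 mkdir ${HOME}/.config/Bitwarden
 whitelist ${HOME}/.config/Bitwarden
+whitelist /opt/Bitwarden
 
 machine-id
 no3d
@@ -24,7 +25,6 @@ nosound
 
 ?HAS_APPIMAGE: ignore private-dev
 private-etc @tls-ca
-private-opt Bitwarden
 
 # Redirect
 include electron-common.profile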
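Review bot: The switch from `private-opt Bitwarden` to `whitelist /opt/Bitwarden` changes how the rest of /opt is hidden (a private mount holding only that directory versus firejail's whitelist handling of /opt), and the hunk does not say why the whitelist form is now preferred. Since the profile already special-cases AppImage installs with `?HAS_APPIMAGE: ignore private-dev`, the motivation may be that /opt/Bitwarden does not exist in that case, but that is inferred rather than visible here. If so, a one-line comment above the new whitelist, e.g. `# whitelist instead of private-opt: /opt/Bitwarden is absent for AppImage installs`, would record the reasoning; also confirm that electron-common.profile does not itself impose a private-opt that would make the whitelist moot.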
diff --git a/etc/profile-a-l/bleachbit.profile b/etc/profile-a-l/bleachbit.profile
index 52d970d89..cd1b059b4 100644
--- a/etc/profile-a-l/bleachbit.profile
+++ b/etc/profile-a-l/bleachbit.profile
@@ -18,7 +18,7 @@ include disable-common.inc
18include disable-devel.inc 18include disable-devel.inc
19include disable-exec.inc 19include disable-exec.inc
20include disable-interpreters.inc 20include disable-interpreters.inc
21# include disable-programs.inc 21#include disable-programs.inc
22 22
23caps.drop all 23caps.drop all
24net none 24net none
@@ -36,11 +36,11 @@ protocol unix
36seccomp 36seccomp
37 37
38private-dev 38private-dev
39# private-tmp 39#private-tmp
40 40
41dbus-user none 41dbus-user none
42dbus-system none 42dbus-system none
43 43
44# memory-deny-write-execute breaks some systems, see issue #1850 44# memory-deny-write-execute breaks some systems, see issue #1850
45# memory-deny-write-execute 45#memory-deny-write-execute
46restrict-namespaces 46restrict-namespaces
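diff --git a/etc/profile-a-l/blender-3.6.profile b/etc/profile-a-l/blender-3.6.profile
new file mode 100644
index 000000000..4e32c1f6d
--- /dev/null
+++ b/etc/profile-a-l/blender-3.6.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for blender
+# This file is overwritten after every install/update
+# Persistent local customizations
+include blender-3.6.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include blender.profile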
diff --git a/etc/profile-a-l/bless.profile b/etc/profile-a-l/bless.profile
index 6dd540943..85f232751 100644
--- a/etc/profile-a-l/bless.profile
+++ b/etc/profile-a-l/bless.profile
@@ -31,7 +31,7 @@ novideo
31protocol unix 31protocol unix
32seccomp 32seccomp
33 33
34# private-bin bash,bless,mono,sh 34#private-bin bash,bless,mono,sh
35private-cache 35private-cache
36private-dev 36private-dev
37private-etc mono 37private-etc mono
diff --git a/etc/profile-a-l/brackets.profile b/etc/profile-a-l/brackets.profile
index a483c2b0a..684504937 100644
--- a/etc/profile-a-l/brackets.profile
+++ b/etc/profile-a-l/brackets.profile
@@ -32,4 +32,4 @@ seccomp !chroot,!ioperm
32private-cache 32private-cache
33private-dev 33private-dev
34 34
35# restrict-namespaces 35#restrict-namespaces
diff --git a/etc/profile-a-l/brasero.profile b/etc/profile-a-l/brasero.profile
index 12d7062ab..92184ef18 100644
--- a/etc/profile-a-l/brasero.profile
+++ b/etc/profile-a-l/brasero.profile
@@ -29,9 +29,9 @@ protocol unix
29seccomp 29seccomp
30tracelog 30tracelog
31 31
32# private-bin brasero 32#private-bin brasero
33private-cache 33private-cache
34# private-dev 34#private-dev
35# private-tmp 35#private-tmp
36 36
37restrict-namespaces 37restrict-namespaces
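diff --git a/etc/profile-a-l/brz.profile b/etc/profile-a-l/brz.profile
new file mode 100644
index 000000000..dcc7af54b
--- /dev/null
+++ b/etc/profile-a-l/brz.profile
@@ -0,0 +1,14 @@
+# Firejail profile for brz
+# Description: Distributed VCS with support for Bazaar and Git file formats
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include brz.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.config/breezy
+
+# Redirect
+include git.profile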
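Review bot: The profile only re-enables `${HOME}/.config/breezy`, the configuration directory it pairs with the new `blacklist ${HOME}/.config/breezy` entry in disable-programs.inc, yet the bzr.profile alias added in this same commit routes the legacy `bzr` command here as well. Breezy also reads the older Bazaar configuration under `${HOME}/.bazaar` for compatibility, and a pre-Breezy bzr client uses only that directory; whether any included profile blacklists it is not visible in this hunk. Consider stating the assumption in the profile, e.g. `# Assumes bzr is the Breezy wrapper; legacy Bazaar keeps its config in ${HOME}/.bazaar`, so that a user whose bzr is the old client knows where to look when it cannot read its settings. The same note applies to the bzr.profile section below.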
diff --git a/etc/profile-a-l/build-systems-common.profile b/etc/profile-a-l/build-systems-common.profile
index cf5f462ae..8616996d2 100644
--- a/etc/profile-a-l/build-systems-common.profile
+++ b/etc/profile-a-l/build-systems-common.profile
@@ -39,7 +39,7 @@ include whitelist-var-common.inc
39caps.drop all 39caps.drop all
40ipc-namespace 40ipc-namespace
41machine-id 41machine-id
42# net none 42#net none
43netfilter 43netfilter
44no3d 44no3d
45nodvd 45nodvd
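diff --git a/etc/profile-a-l/bzr.profile b/etc/profile-a-l/bzr.profile
new file mode 100644
index 000000000..61c1aae38
--- /dev/null
+++ b/etc/profile-a-l/bzr.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for bzr
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bzr.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include brz.profile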
diff --git a/etc/profile-a-l/calibre.profile b/etc/profile-a-l/calibre.profile
index b347941d7..cb9c92ffb 100644
--- a/etc/profile-a-l/calibre.profile
+++ b/etc/profile-a-l/calibre.profile
@@ -36,4 +36,4 @@ seccomp !chroot
36private-dev 36private-dev
37private-tmp 37private-tmp
38 38
39# restrict-namespaces 39#restrict-namespaces
diff --git a/etc/profile-a-l/calligra.profile b/etc/profile-a-l/calligra.profile
index c2972f902..ffb83b2ed 100644
--- a/etc/profile-a-l/calligra.profile
+++ b/etc/profile-a-l/calligra.profile
@@ -15,7 +15,7 @@ include disable-programs.inc
15 15
16caps.drop all 16caps.drop all
17ipc-namespace 17ipc-namespace
18# net none 18#net none
19netfilter 19netfilter
20nodvd 20nodvd
21nogroups 21nogroups
@@ -32,9 +32,9 @@ seccomp.block-secondary
32private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligragemini,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch,kbuildsycoca4,kdeinit4 32private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligragemini,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch,kbuildsycoca4,kdeinit4
33private-dev 33private-dev
34 34
35# dbus-user none 35#dbus-user none
36# dbus-system none 36#dbus-system none
37 37
38# noexec ${HOME} 38#noexec ${HOME}
39noexec /tmp 39noexec /tmp
40restrict-namespaces 40restrict-namespaces
diff --git a/etc/profile-a-l/cameramonitor.profile b/etc/profile-a-l/cameramonitor.profile
index df94ac859..4f8fd7187 100644
--- a/etc/profile-a-l/cameramonitor.profile
+++ b/etc/profile-a-l/cameramonitor.profile
@@ -48,8 +48,8 @@ private-cache
48private-etc 48private-etc
49private-tmp 49private-tmp
50 50
51# dbus-user none 51#dbus-user none
52# dbus-system none 52#dbus-system none
53 53
54# memory-deny-write-execute - breaks on Arch 54#memory-deny-write-execute # breaks on Arch
55restrict-namespaces 55restrict-namespaces
diff --git a/etc/profile-a-l/cantata.profile b/etc/profile-a-l/cantata.profile
index 7cb56efee..36c7c1091 100644
--- a/etc/profile-a-l/cantata.profile
+++ b/etc/profile-a-l/cantata.profile
@@ -22,7 +22,7 @@ include disable-programs.inc
22include disable-shell.inc 22include disable-shell.inc
23include disable-xdg.inc 23include disable-xdg.inc
24 24
25# apparmor 25#apparmor
26caps.drop all 26caps.drop all
27ipc-namespace 27ipc-namespace
28netfilter 28netfilter
@@ -34,7 +34,7 @@ novideo
34protocol unix,inet,inet6,netlink 34protocol unix,inet,inet6,netlink
35seccomp 35seccomp
36 36
37# private-etc alternatives,drirc,fonts,gcrypt,hosts,kde5rc,mpd.conf,passwd,samba,ssl,xdg 37#private-etc alternatives,drirc,fonts,gcrypt,hosts,kde5rc,mpd.conf,passwd,samba,ssl,xdg
38private-bin cantata,mpd,perl 38private-bin cantata,mpd,perl
39private-dev 39private-dev
40 40
diff --git a/etc/profile-a-l/catfish.profile b/etc/profile-a-l/catfish.profile
index e2df341e9..037f6ee40 100644
--- a/etc/profile-a-l/catfish.profile
+++ b/etc/profile-a-l/catfish.profile
@@ -15,10 +15,10 @@ noblacklist ${HOME}/.config/catfish
15include allow-python2.inc 15include allow-python2.inc
16include allow-python3.inc 16include allow-python3.inc
17 17
18# include disable-common.inc 18#include disable-common.inc
19# include disable-devel.inc 19#include disable-devel.inc
20include disable-interpreters.inc 20include disable-interpreters.inc
21# include disable-programs.inc 21#include disable-programs.inc
22 22
23whitelist /var/lib/mlocate 23whitelist /var/lib/mlocate
24include whitelist-var-common.inc 24include whitelist-var-common.inc
@@ -40,9 +40,9 @@ tracelog
40 40
41# These options work but are disabled in case 41# These options work but are disabled in case
42# a users wants to search in these directories. 42# a users wants to search in these directories.
43# private-bin bash,catfish,env,locate,ls,mlocate,python* 43#private-bin bash,catfish,env,locate,ls,mlocate,python*
44# private-dev 44#private-dev
45# private-tmp 45#private-tmp
46 46
47dbus-user none 47dbus-user none
48dbus-system none 48dbus-system none
diff --git a/etc/profile-a-l/cawbird.profile b/etc/profile-a-l/cawbird.profile
index 17887b6cc..7fdbc3881 100644
--- a/etc/profile-a-l/cawbird.profile
+++ b/etc/profile-a-l/cawbird.profile
@@ -41,7 +41,7 @@ private-dev
41private-etc @tls-ca,@x11,host.conf,mime.types 41private-etc @tls-ca,@x11,host.conf,mime.types
42private-tmp 42private-tmp
43 43
44# dbus-user none 44#dbus-user none
45dbus-system none 45dbus-system none
46 46
47restrict-namespaces 47restrict-namespaces
diff --git a/etc/profile-a-l/chromium-browser-privacy.profile b/etc/profile-a-l/chromium-browser-privacy.profile
index 8803a4d9d..67a3a43af 100644
--- a/etc/profile-a-l/chromium-browser-privacy.profile
+++ b/etc/profile-a-l/chromium-browser-privacy.profile
@@ -13,7 +13,7 @@ mkdir ${HOME}/.config/ungoogled-chromium
13whitelist ${HOME}/.cache/ungoogled-chromium 13whitelist ${HOME}/.cache/ungoogled-chromium
14whitelist ${HOME}/.config/ungoogled-chromium 14whitelist ${HOME}/.config/ungoogled-chromium
15 15
16# private-bin basename,bash,cat,chromium-browser-privacy,dirname,mkdir,readlink,sed,touch,which,xdg-settings 16#private-bin basename,bash,cat,chromium-browser-privacy,dirname,mkdir,readlink,sed,touch,which,xdg-settings
17 17
18# Redirect 18# Redirect
19include chromium.profile 19include chromium.profile
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index 878e0fe1d..37bfa0bfe 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -33,13 +33,15 @@ include whitelist-run-common.inc
33?BROWSER_DISABLE_U2F: nou2f 33?BROWSER_DISABLE_U2F: nou2f
34 34
35?BROWSER_DISABLE_U2F: private-dev 35?BROWSER_DISABLE_U2F: private-dev
36#private-tmp - issues when using multiple browser sessions 36#private-tmp # issues when using multiple browser sessions
37 37
38blacklist ${PATH}/curl 38blacklist ${PATH}/curl
39blacklist ${PATH}/wget 39blacklist ${PATH}/wget
40blacklist ${PATH}/wget2 40blacklist ${PATH}/wget2
41 41
42#dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector. 42# This prevents access to passwords saved in GNOME Keyring and KWallet, also
43# breaks Gnome connector.
44#dbus-user none
43 45
44# The file dialog needs to work without d-bus. 46# The file dialog needs to work without d-bus.
45?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1 47?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1
diff --git a/etc/profile-a-l/chromium.profile b/etc/profile-a-l/chromium.profile
index 14f1bbe64..8c43aac9c 100644
--- a/etc/profile-a-l/chromium.profile
+++ b/etc/profile-a-l/chromium.profile
@@ -17,7 +17,7 @@ whitelist ${HOME}/.config/chromium
17whitelist ${HOME}/.config/chromium-flags.conf 17whitelist ${HOME}/.config/chromium-flags.conf
18whitelist /usr/share/chromium 18whitelist /usr/share/chromium
19 19
20# private-bin chromium,chromium-browser,chromedriver 20#private-bin chromium,chromium-browser,chromedriver
21 21
22# Redirect 22# Redirect
23include chromium-common.profile 23include chromium-common.profile
diff --git a/etc/profile-a-l/clac.profile b/etc/profile-a-l/clac.profile
index b654b3890..cd2b2522d 100644
--- a/etc/profile-a-l/clac.profile
+++ b/etc/profile-a-l/clac.profile
@@ -16,10 +16,10 @@ include disable-interpreters.inc
16include disable-proc.inc 16include disable-proc.inc
17include disable-programs.inc 17include disable-programs.inc
18include disable-shell.inc 18include disable-shell.inc
19#include disable-X11.inc - x11 none 19#include disable-X11.inc # x11 none
20include disable-xdg.inc 20include disable-xdg.inc
21 21
22#include whitelist-common.inc - see #903 22#include whitelist-common.inc # see #903
23include whitelist-run-common.inc 23include whitelist-run-common.inc
24include whitelist-runuser-common.inc 24include whitelist-runuser-common.inc
25include whitelist-usr-share-common.inc 25include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/clamtk.profile b/etc/profile-a-l/clamtk.profile
index 9fc73ee55..7651c5d32 100644
--- a/etc/profile-a-l/clamtk.profile
+++ b/etc/profile-a-l/clamtk.profile
@@ -1,4 +1,5 @@
1# Firejail profile for clamtk 1# Firejail profile for clamtk
2# Description: Easy to use, light-weight, on-demand virus scanner for Linux systems
2# This file is overwritten after every install/update 3# This file is overwritten after every install/update
3# Persistent local customizations 4# Persistent local customizations
4include clamtk.local 5include clamtk.local
@@ -7,15 +8,22 @@ include globals.local
7 8
8include disable-exec.inc 9include disable-exec.inc
9 10
11# Add the below lines to your clamtk.local if you update signatures databases per-user:
12#ignore net none
13#netfilter
14#protocol inet,inet6
15
10caps.drop all 16caps.drop all
11ipc-namespace 17ipc-namespace
12net none 18net none
13no3d 19no3d
14nodvd 20nodvd
15nogroups 21# nogroups breaks scanning
22#nogroups
16noinput 23noinput
17nonewprivs 24nonewprivs
18noroot 25# noroot breaks scanning
26#noroot
19nosound 27nosound
20notv 28notv
21nou2f 29nou2f
@@ -25,7 +33,9 @@ seccomp
25 33
26private-dev 34private-dev
27 35
28dbus-user none 36dbus-user filter
37dbus-user.talk ca.desrt.dconf
38dbus-user.talk org.gtk.vfs.UDisks2VolumeMonitor
29dbus-system none 39dbus-system none
30 40
31restrict-namespaces 41restrict-namespaces
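Review bot: The new lines 21 and 25 disable `nogroups` and `noroot` with only "breaks scanning" as justification, which does not tell a maintainer what fails or when it is safe to re-enable them. Dropping `noroot` leaves a root user visible inside the sandbox and dropping `nogroups` restores the caller's supplementary groups; since `caps.drop all` and `nonewprivs` remain in the hunk, this is a read-access widening rather than a privilege-escalation path, and the comment should say so, e.g. `# nogroups/noroot break scanning of files readable only via group membership (caps.drop all + nonewprivs still apply); see the tracking issue`, with the actual issue reference filled in if one exists. The same applies to the `dbus-user none` → `dbus-user filter` change in the second hunk: a one-line comment naming why dconf and the UDisks2 volume monitor are needed would keep the talk list from silently growing. Minor wording in the new line 11: "signatures databases" should read "signature databases".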
diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile
index 7fefc68b1..53db480a4 100644
--- a/etc/profile-a-l/claws-mail.profile
+++ b/etc/profile-a-l/claws-mail.profile
@@ -18,7 +18,7 @@ whitelist ${HOME}/.claws-mail
18 18
19whitelist /usr/share/doc/claws-mail 19whitelist /usr/share/doc/claws-mail
20 20
21# private-bin claws-mail,curl,gpg,gpg2,gpg-agent,gpgsm,gpgme-config,pinentry,pinentry-gtk-2 21#private-bin claws-mail,curl,gpg,gpg2,gpg-agent,gpgsm,gpgme-config,pinentry,pinentry-gtk-2
22 22
23# Redirect 23# Redirect
24include email-common.profile 24include email-common.profile
diff --git a/etc/profile-a-l/clawsker.profile b/etc/profile-a-l/clawsker.profile
index 3b8eb7bbd..37d9e9e3a 100644
--- a/etc/profile-a-l/clawsker.profile
+++ b/etc/profile-a-l/clawsker.profile
@@ -50,5 +50,5 @@ private-tmp
50dbus-user none 50dbus-user none
51dbus-system none 51dbus-system none
52 52
53#memory-deny-write-execute - breaks on Arch (see issue #1803) 53#memory-deny-write-execute # breaks on Arch (see issue #1803)
54restrict-namespaces 54restrict-namespaces
diff --git a/etc/profile-a-l/clementine.profile b/etc/profile-a-l/clementine.profile
index ee01fa653..3e9363bb4 100644
--- a/etc/profile-a-l/clementine.profile
+++ b/etc/profile-a-l/clementine.profile
@@ -37,6 +37,6 @@ private-dev
37private-tmp 37private-tmp
38 38
39dbus-system none 39dbus-system none
40# dbus-user none 40#dbus-user none
41 41
42restrict-namespaces 42restrict-namespaces
diff --git a/etc/profile-a-l/clion.profile b/etc/profile-a-l/clion.profile
index 652809f1b..0cea1c7d4 100644
--- a/etc/profile-a-l/clion.profile
+++ b/etc/profile-a-l/clion.profile
@@ -37,7 +37,7 @@ seccomp
37 37
38private-cache 38private-cache
39private-dev 39private-dev
40# private-tmp 40#private-tmp
41 41
42noexec /tmp 42noexec /tmp
43restrict-namespaces 43restrict-namespaces
diff --git a/etc/profile-a-l/clipgrab.profile b/etc/profile-a-l/clipgrab.profile
index 3f3748e1a..2657876b8 100644
--- a/etc/profile-a-l/clipgrab.profile
+++ b/etc/profile-a-l/clipgrab.profile
@@ -46,7 +46,7 @@ private-dev
46private-tmp 46private-tmp
47 47
48# 'dbus-user none' breaks tray menu - add 'dbus-user none' to your clipgrab.local if you don't need it. 48# 'dbus-user none' breaks tray menu - add 'dbus-user none' to your clipgrab.local if you don't need it.
49# dbus-user none 49#dbus-user none
50# dbus-system none 50#dbus-system none
51 51
52# restrict-namespaces 52#restrict-namespaces
diff --git a/etc/profile-a-l/code.profile b/etc/profile-a-l/code.profile
index 19862bc92..1b69effc3 100644
--- a/etc/profile-a-l/code.profile
+++ b/etc/profile-a-l/code.profile
@@ -35,7 +35,7 @@ nosound
35# Disabling noexec ${HOME} for now since it will 35# Disabling noexec ${HOME} for now since it will
36# probably interfere with running some programmes 36# probably interfere with running some programmes
37# in VS Code 37# in VS Code
38# noexec ${HOME} 38#noexec ${HOME}
39noexec /tmp 39noexec /tmp
40 40
41# Redirect 41# Redirect
diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
index 180282869..b1275e96b 100644
--- a/etc/profile-a-l/com.github.bleakgrey.tootle.profile
+++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
@@ -48,9 +48,9 @@ private-etc @tls-ca,@x11,host.conf,mime.types
48private-tmp 48private-tmp
49 49
50# Settings are immutable 50# Settings are immutable
51# dbus-user filter 51#dbus-user filter
52# dbus-user.own com.github.bleakgrey.tootle 52#dbus-user.own com.github.bleakgrey.tootle
53# dbus-user.talk ca.desrt.dconf 53#dbus-user.talk ca.desrt.dconf
54dbus-system none 54dbus-system none
55 55
56restrict-namespaces 56restrict-namespaces
diff --git a/etc/profile-a-l/cower.profile b/etc/profile-a-l/cower.profile
index 9b05b4416..c280cf22a 100644
--- a/etc/profile-a-l/cower.profile
+++ b/etc/profile-a-l/cower.profile
@@ -19,8 +19,8 @@ include disable-shell.inc
19include disable-xdg.inc 19include disable-xdg.inc
20 20
21# This profile could be significantly strengthened by adding the following to cower.local 21# This profile could be significantly strengthened by adding the following to cower.local
22# whitelist ${HOME}/<Your Build Folder> 22#whitelist ${HOME}/<Your Build Folder>
23# whitelist ${HOME}/.config/cower 23#whitelist ${HOME}/.config/cower
24 24
25caps.drop all 25caps.drop all
26ipc-namespace 26ipc-namespace
diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile
index bfe8764d5..42ade7ce9 100644
--- a/etc/profile-a-l/curl.profile
+++ b/etc/profile-a-l/curl.profile
@@ -50,10 +50,10 @@ protocol inet,inet6
50seccomp 50seccomp
51tracelog 51tracelog
52 52
53# private-bin curl 53#private-bin curl
54private-cache 54private-cache
55private-dev 55private-dev
56# private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl 56#private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
57private-etc @tls-ca 57private-etc @tls-ca
58private-tmp 58private-tmp
59 59
diff --git a/etc/profile-a-l/cyberfox.profile b/etc/profile-a-l/cyberfox.profile
index a303c5979..c7a42e0eb 100644
--- a/etc/profile-a-l/cyberfox.profile
+++ b/etc/profile-a-l/cyberfox.profile
@@ -15,7 +15,7 @@ whitelist ${HOME}/.cache/8pecxstudios
15whitelist /usr/share/8pecxstudios 15whitelist /usr/share/8pecxstudios
16whitelist /usr/share/cyberfox 16whitelist /usr/share/cyberfox
17 17
18# private-bin cyberfox,dbus-launch,dbus-send,env,sh,which 18#private-bin cyberfox,dbus-launch,dbus-send,env,sh,which
19# private-etc must first be enabled in firefox-common.profile 19# private-etc must first be enabled in firefox-common.profile
20#private-etc cyberfox 20#private-etc cyberfox
21 21
diff --git a/etc/profile-a-l/d-feet.profile b/etc/profile-a-l/d-feet.profile
index 7dd5ca260..75338eb6d 100644
--- a/etc/profile-a-l/d-feet.profile
+++ b/etc/profile-a-l/d-feet.profile
@@ -31,7 +31,7 @@ include whitelist-var-common.inc
31apparmor 31apparmor
32caps.drop all 32caps.drop all
33ipc-namespace 33ipc-namespace
34# net none - breaks on Ubuntu 34#net none # breaks on Ubuntu
35no3d 35no3d
36nodvd 36nodvd
37nogroups 37nogroups
@@ -52,5 +52,5 @@ private-dev
52private-etc dbus-1 52private-etc dbus-1
53private-tmp 53private-tmp
54 54
55#memory-deny-write-execute - breaks on Arch (see issue #1803) 55#memory-deny-write-execute # breaks on Arch (see issue #1803)
56restrict-namespaces 56restrict-namespaces
diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile
index e2e2492bc..e8acd60b7 100644
--- a/etc/profile-a-l/dconf-editor.profile
+++ b/etc/profile-a-l/dconf-editor.profile
@@ -22,7 +22,7 @@ include whitelist-var-common.inc
22 22
23apparmor 23apparmor
24caps.drop all 24caps.drop all
25# net none - breaks application on older versions 25#net none # breaks application on older versions
26no3d 26no3d
27nodvd 27nodvd
28nogroups 28nogroups
diff --git a/etc/profile-a-l/ddgtk.profile b/etc/profile-a-l/ddgtk.profile
index 9811c90d6..0fa88f232 100644
--- a/etc/profile-a-l/ddgtk.profile
+++ b/etc/profile-a-l/ddgtk.profile
@@ -50,5 +50,5 @@ private-tmp
50dbus-user none 50dbus-user none
51dbus-system none 51dbus-system none
52 52
53# memory-deny-write-execute - breaks on Arch 53#memory-deny-write-execute # breaks on Arch
54restrict-namespaces 54restrict-namespaces
diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile
index 41794d173..c071da4b7 100644
--- a/etc/profile-a-l/default.profile
+++ b/etc/profile-a-l/default.profile
@@ -9,54 +9,54 @@ include globals.local
9# depending on your usage, you can enable some of the commands below: 9# depending on your usage, you can enable some of the commands below:
10 10
11include disable-common.inc 11include disable-common.inc
12# include disable-devel.inc 12#include disable-devel.inc
13# include disable-exec.inc 13#include disable-exec.inc
14# include disable-interpreters.inc 14#include disable-interpreters.inc
15include disable-programs.inc 15include disable-programs.inc
16# include disable-shell.inc 16#include disable-shell.inc
17# include disable-write-mnt.inc 17#include disable-write-mnt.inc
18# include disable-xdg.inc 18#include disable-xdg.inc
19 19
20# include whitelist-common.inc 20#include whitelist-common.inc
21# include whitelist-runuser-common.inc 21#include whitelist-runuser-common.inc
22# include whitelist-usr-share-common.inc 22#include whitelist-usr-share-common.inc
23# include whitelist-var-common.inc 23#include whitelist-var-common.inc
24 24
25# apparmor 25#apparmor
26caps.drop all 26caps.drop all
27# ipc-namespace 27#ipc-namespace
28# machine-id 28#machine-id
29# net none 29#net none
30netfilter 30netfilter
31# no3d 31#no3d
32# nodvd 32#nodvd
33# nogroups 33#nogroups
34noinput 34noinput
35nonewprivs 35nonewprivs
36noroot 36noroot
37# nosound 37#nosound
38notv 38notv
39# nou2f 39#nou2f
40novideo 40novideo
41protocol unix,inet,inet6 41protocol unix,inet,inet6
42seccomp 42seccomp
43# tracelog 43#tracelog
44 44
45# disable-mnt 45#disable-mnt
46# private 46#private
47# private-bin program 47#private-bin program
48# private-cache 48#private-cache
49# private-dev 49private-dev
50# see /usr/share/doc/firejail/profile.template for more common private-etc paths. 50# see /usr/share/doc/firejail/profile.template for more common private-etc paths.
51# private-etc alternatives,fonts,machine-id 51#private-etc alternatives,fonts,machine-id
52# private-lib 52#private-lib
53# private-opt none 53#private-opt none
54# private-tmp 54private-tmp
55 55
56# dbus-user none 56#dbus-user none
57# dbus-system none 57#dbus-system none
58 58
59# deterministic-shutdown 59#deterministic-shutdown
60# memory-deny-write-execute 60#memory-deny-write-execute
61# read-only ${HOME} 61#read-only ${HOME}
62restrict-namespaces 62restrict-namespaces
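Review bot: Enabling `private-dev` (line 49) and `private-tmp` (line 54) in default.profile changes the sandbox for every program without a dedicated profile, yet the hunk leaves the two lines uncommented and undocumented next to a block of disabled options. A short comment above them would help users diagnose breakage and opt out, e.g. `# private-dev and private-tmp are on by default; add 'ignore private-dev' / 'ignore private-tmp' to default.local or globals.local if a program needs the real /dev or shares /tmp`. The `include globals.local` reference in the hunk header shows that override path is available. Whether this default change is also recorded in RELNOTES is not visible from this hunk.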
diff --git a/etc/profile-a-l/deluge.profile b/etc/profile-a-l/deluge.profile
index ebc751e1a..b257f9a4c 100644
--- a/etc/profile-a-l/deluge.profile
+++ b/etc/profile-a-l/deluge.profile
@@ -13,7 +13,7 @@ include allow-python2.inc
13include allow-python3.inc 13include allow-python3.inc
14 14
15include disable-common.inc 15include disable-common.inc
16# include disable-devel.inc 16#include disable-devel.inc
17include disable-exec.inc 17include disable-exec.inc
18include disable-interpreters.inc 18include disable-interpreters.inc
19include disable-programs.inc 19include disable-programs.inc
diff --git a/etc/profile-a-l/devhelp.profile b/etc/profile-a-l/devhelp.profile
index 066cdc8b0..7b5e692a0 100644
--- a/etc/profile-a-l/devhelp.profile
+++ b/etc/profile-a-l/devhelp.profile
@@ -23,7 +23,7 @@ include whitelist-usr-share-common.inc
23 23
24apparmor 24apparmor
25caps.drop all 25caps.drop all
26# net none - makes settings immutable 26#net none # makes settings immutable
27nodvd 27nodvd
28nogroups 28nogroups
29noinput 29noinput
@@ -45,9 +45,9 @@ private-etc @tls-ca,@x11
45private-tmp 45private-tmp
46 46
47# makes settings immutable 47# makes settings immutable
48# dbus-user none 48#dbus-user none
49# dbus-system none 49#dbus-system none
50 50
51#memory-deny-write-execute - breaks on Arch (see issue #1803) 51#memory-deny-write-execute # breaks on Arch (see issue #1803)
52read-only ${HOME} 52read-only ${HOME}
53restrict-namespaces 53restrict-namespaces
diff --git a/etc/profile-a-l/dig.profile b/etc/profile-a-l/dig.profile
index 7c0fee9c3..781dfdcbc 100644
--- a/etc/profile-a-l/dig.profile
+++ b/etc/profile-a-l/dig.profile
@@ -14,13 +14,13 @@ blacklist /tmp/.X11-unix
14blacklist ${RUNUSER} 14blacklist ${RUNUSER}
15 15
16include disable-common.inc 16include disable-common.inc
17# include disable-devel.inc 17#include disable-devel.inc
18include disable-exec.inc 18include disable-exec.inc
19# include disable-interpreters.inc 19#include disable-interpreters.inc
20include disable-programs.inc 20include disable-programs.inc
21include disable-xdg.inc 21include disable-xdg.inc
22 22
23#mkfile ${HOME}/.digrc - see #903 23#mkfile ${HOME}/.digrc # see #903
24whitelist ${HOME}/.digrc 24whitelist ${HOME}/.digrc
25include whitelist-common.inc 25include whitelist-common.inc
26include whitelist-usr-share-common.inc 26include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/digikam.profile b/etc/profile-a-l/digikam.profile
index 05f0dfba8..34d4081d4 100644
--- a/etc/profile-a-l/digikam.profile
+++ b/etc/profile-a-l/digikam.profile
@@ -37,11 +37,13 @@ protocol unix,inet,inet6,netlink
37# QtWebengine needs chroot to set up its own sandbox 37# QtWebengine needs chroot to set up its own sandbox
38seccomp !chroot 38seccomp !chroot
39 39
40# private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device 40# private-dev prevents libdc1394 from loading; this lib is used to connect to a
41# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl 41# camera device
42#private-dev
43#private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
42private-tmp 44private-tmp
43 45
44# dbus-user none 46#dbus-user none
45# dbus-system none 47#dbus-system none
46 48
47# restrict-namespaces 49#restrict-namespaces
diff --git a/etc/profile-a-l/dino.profile b/etc/profile-a-l/dino.profile
index fe2b59a1e..44a3f0846 100644
--- a/etc/profile-a-l/dino.profile
+++ b/etc/profile-a-l/dino.profile
@@ -40,7 +40,8 @@ tracelog
40disable-mnt 40disable-mnt
41private-bin dino 41private-bin dino
42private-dev 42private-dev
43# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl -- breaks server connection 43# breaks server connection
44#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
44private-tmp 45private-tmp
45 46
46dbus-user filter 47dbus-user filter
diff --git a/etc/profile-a-l/discord-canary.profile b/etc/profile-a-l/discord-canary.profile
index 245b07b8d..b67729301 100644
--- a/etc/profile-a-l/discord-canary.profile
+++ b/etc/profile-a-l/discord-canary.profile
@@ -9,9 +9,10 @@ noblacklist ${HOME}/.config/discordcanary
9 9
10mkdir ${HOME}/.config/discordcanary 10mkdir ${HOME}/.config/discordcanary
11whitelist ${HOME}/.config/discordcanary 11whitelist ${HOME}/.config/discordcanary
12whitelist /opt/DiscordCanary
13whitelist /opt/discord-canary
12 14
13private-bin discord-canary,DiscordCanary 15private-bin discord-canary,DiscordCanary
14private-opt discord-canary,DiscordCanary
15 16
16# Redirect 17# Redirect
17include discord-common.profile 18include discord-common.profile
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile
index 83fca8772..b7744a83c 100644
--- a/etc/profile-a-l/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -7,15 +7,7 @@ include discord-common.local
7#include globals.local 7#include globals.local
8 8
9# Disabled until someone reported positive feedback 9# Disabled until someone reported positive feedback
10ignore include disable-interpreters.inc
11ignore include disable-xdg.inc
12ignore include whitelist-runuser-common.inc
13ignore include whitelist-usr-share-common.inc
14ignore apparmor 10ignore apparmor
15ignore disable-mnt
16ignore private-cache
17ignore dbus-user none
18ignore dbus-system none
19 11
20ignore noexec ${HOME} 12ignore noexec ${HOME}
21ignore novideo 13ignore novideo
@@ -26,6 +18,11 @@ whitelist ${HOME}/.local/share/betterdiscordctl
26private-bin awk,bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],fish,grep,head,sed,sh,tclsh,tr,which,xdg-mime,xdg-open,zsh 18private-bin awk,bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],fish,grep,head,sed,sh,tclsh,tr,which,xdg-mime,xdg-open,zsh
27private-etc @tls-ca 19private-etc @tls-ca
28 20
21# allow D-Bus notifications
22dbus-user filter
23dbus-user.talk org.freedesktop.Notifications
24ignore dbus-user none
25
29join-or-start discord 26join-or-start discord
30 27
31# Redirect 28# Redirect
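Review bot: The new `ignore dbus-user none` on line 24 is placed right after `dbus-user filter`, but the comment on line 21 only says "allow D-Bus notifications" and does not explain why the ignore is needed or which profile it neutralises. Since `ignore` acts on later lines and the `# Redirect` include follows, the target is presumably a redirected common profile that sets `dbus-user none`, which would otherwise override the filter; a comment such as `# The redirected profile sets 'dbus-user none'; ignore it so the filter above wins` would make that dependency explicit. Removing the other `ignore` lines (disable-interpreters, disable-xdg, disable-mnt, private-cache, dbus-system none) re-enables those restrictions for all Discord variants, which is a tightening; the remaining line-9 comment now covers only `ignore apparmor`, so it could be narrowed to say that. The redirected profile is outside this hunk.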
diff --git a/etc/profile-a-l/discord-ptb.profile b/etc/profile-a-l/discord-ptb.profile
index 265bf5615..a657c52b5 100644
--- a/etc/profile-a-l/discord-ptb.profile
+++ b/etc/profile-a-l/discord-ptb.profile
@@ -9,9 +9,10 @@ noblacklist ${HOME}/.config/discordptb
9 9
10mkdir ${HOME}/.config/discordptb 10mkdir ${HOME}/.config/discordptb
11whitelist ${HOME}/.config/discordptb 11whitelist ${HOME}/.config/discordptb
12whitelist /opt/DiscordPTB
13whitelist /opt/discord
12 14
13private-bin discord-ptb,DiscordPTB 15private-bin discord-ptb,DiscordPTB
14private-opt discord-ptb,DiscordPTB
15 16
16# Redirect 17# Redirect
17include discord-common.profile 18include discord-common.profile
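Review bot: The replacement whitelist on line 13 is `/opt/discord`, while the `private-opt discord-ptb,DiscordPTB` line it removes named `discord-ptb`, so this hunk both drops the `/opt/discord-ptb` install location and newly exposes the stable client's `/opt/discord` tree to the PTB sandbox. If PTB packages really install under `/opt/discord` this is fine, but the canary profile in the same commit keeps both spellings (`/opt/DiscordCanary` and `/opt/discord-canary`), so the asymmetry looks accidental. Either add `whitelist /opt/discord-ptb` alongside the existing lines or leave a comment stating which package layout `/opt/discord` is for. Note that `whitelist /opt/...` and `private-opt` both hide the rest of `/opt`, so the change is otherwise behaviour-preserving.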
diff --git a/etc/profile-a-l/discord.profile b/etc/profile-a-l/discord.profile
index 02d1c65cd..6e7d8f91d 100644
--- a/etc/profile-a-l/discord.profile
+++ b/etc/profile-a-l/discord.profile
@@ -9,9 +9,11 @@ noblacklist ${HOME}/.config/discord
9 9
10mkdir ${HOME}/.config/discord 10mkdir ${HOME}/.config/discord
11whitelist ${HOME}/.config/discord 11whitelist ${HOME}/.config/discord
12whitelist /opt/Discord
13whitelist /opt/discord
14whitelist /usr/share/discord
12 15
13private-bin discord,Discord 16private-bin discord,Discord
14private-opt discord,Discord
15 17
16# Redirect 18# Redirect
17include discord-common.profile 19include discord-common.profile
diff --git a/etc/profile-a-l/display.profile b/etc/profile-a-l/display.profile
index bf77828be..40e19dfc3 100644
--- a/etc/profile-a-l/display.profile
+++ b/etc/profile-a-l/display.profile
@@ -34,7 +34,7 @@ notv
34nou2f 34nou2f
35protocol unix 35protocol unix
36seccomp 36seccomp
37# x11 xorg - problems on kubuntu 17.04 37#x11 xorg # problems on kubuntu 17.04
38 38
39private-bin display,python* 39private-bin display,python*
40private-dev 40private-dev
diff --git a/etc/profile-a-l/dolphin-emu.profile b/etc/profile-a-l/dolphin-emu.profile
index 9743ebfbd..0ae09ce7e 100644
--- a/etc/profile-a-l/dolphin-emu.profile
+++ b/etc/profile-a-l/dolphin-emu.profile
@@ -36,7 +36,7 @@ apparmor
36caps.drop all 36caps.drop all
37ipc-namespace 37ipc-namespace
38# Add the next line to your dolphin-emu.local if you do not need NetPlay support. 38# Add the next line to your dolphin-emu.local if you do not need NetPlay support.
39# net none 39#net none
40netfilter 40netfilter
41# Add the next line to your dolphin-emu.local if you do not need disc support. 41# Add the next line to your dolphin-emu.local if you do not need disc support.
42#nodvd 42#nodvd
diff --git a/etc/profile-a-l/drawio.profile b/etc/profile-a-l/drawio.profile
index 79366b8ee..c9daa939a 100644
--- a/etc/profile-a-l/drawio.profile
+++ b/etc/profile-a-l/drawio.profile
@@ -39,7 +39,7 @@ nou2f
39novideo 39novideo
40protocol unix 40protocol unix
41seccomp !chroot 41seccomp !chroot
42# tracelog - breaks on Arch 42#tracelog # breaks on Arch
43 43
44private-bin drawio 44private-bin drawio
45private-cache 45private-cache
@@ -50,5 +50,5 @@ private-tmp
50dbus-user none 50dbus-user none
51dbus-system none 51dbus-system none
52 52
53# memory-deny-write-execute - breaks on Arch 53#memory-deny-write-execute # breaks on Arch
54# restrict-namespaces 54#restrict-namespaces
diff --git a/etc/profile-a-l/drill.profile b/etc/profile-a-l/drill.profile
index bea114dd6..63dfd6c0d 100644
--- a/etc/profile-a-l/drill.profile
+++ b/etc/profile-a-l/drill.profile
@@ -13,9 +13,9 @@ blacklist /tmp/.X11-unix
13blacklist ${RUNUSER} 13blacklist ${RUNUSER}
14 14
15include disable-common.inc 15include disable-common.inc
16# include disable-devel.inc 16#include disable-devel.inc
17include disable-exec.inc 17include disable-exec.inc
18# include disable-interpreters.inc 18#include disable-interpreters.inc
19include disable-programs.inc 19include disable-programs.inc
20include disable-xdg.inc 20include disable-xdg.inc
21 21
diff --git a/etc/profile-a-l/easystroke.profile b/etc/profile-a-l/easystroke.profile
index 40fd8be7c..3fd5578e6 100644
--- a/etc/profile-a-l/easystroke.profile
+++ b/etc/profile-a-l/easystroke.profile
@@ -49,8 +49,8 @@ private-etc
49#private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.* 49#private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
50private-tmp 50private-tmp
51 51
52# dbus-user none 52#dbus-user none
53# dbus-system none 53#dbus-system none
54 54
55memory-deny-write-execute 55memory-deny-write-execute
56restrict-namespaces 56restrict-namespaces
diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile
index 766fe523b..544756877 100644
--- a/etc/profile-a-l/electron-mail.profile
+++ b/etc/profile-a-l/electron-mail.profile
@@ -18,6 +18,7 @@ include disable-shell.inc
18 18
19mkdir ${HOME}/.config/electron-mail 19mkdir ${HOME}/.config/electron-mail
20whitelist ${HOME}/.config/electron-mail 20whitelist ${HOME}/.config/electron-mail
21whitelist /opt/ElectronMail
21 22
22# The lines below are needed to find the default Firefox profile name, to allow 23# The lines below are needed to find the default Firefox profile name, to allow
23# opening links in an existing instance of Firefox (note that it still fails if 24# opening links in an existing instance of Firefox (note that it still fails if
@@ -29,7 +30,6 @@ machine-id
29nosound 30nosound
30 31
31private-etc @tls-ca,@x11 32private-etc @tls-ca,@x11
32private-opt ElectronMail
33 33
34dbus-user filter 34dbus-user filter
35dbus-user.talk org.freedesktop.Notifications 35dbus-user.talk org.freedesktop.Notifications
diff --git a/etc/profile-a-l/electrum.profile b/etc/profile-a-l/electrum.profile
index 48ce0aa22..d73ed9092 100644
--- a/etc/profile-a-l/electrum.profile
+++ b/etc/profile-a-l/electrum.profile
@@ -49,7 +49,7 @@ private-dev
49private-etc @tls-ca,@x11 49private-etc @tls-ca,@x11
50private-tmp 50private-tmp
51 51
52# dbus-user none 52#dbus-user none
53# dbus-system none 53#dbus-system none
54 54
55restrict-namespaces 55restrict-namespaces
diff --git a/etc/profile-a-l/element-desktop.profile b/etc/profile-a-l/element-desktop.profile
index 7b4994a85..1af2884b6 100644
--- a/etc/profile-a-l/element-desktop.profile
+++ b/etc/profile-a-l/element-desktop.profile
@@ -15,8 +15,6 @@ mkdir ${HOME}/.config/Element
15whitelist ${HOME}/.config/Element 15whitelist ${HOME}/.config/Element
16whitelist /opt/Element 16whitelist /opt/Element
17 17
18private-opt Element
19
20dbus-user filter 18dbus-user filter
21dbus-user.talk org.freedesktop.Notifications 19dbus-user.talk org.freedesktop.Notifications
22dbus-user.talk org.freedesktop.secrets 20dbus-user.talk org.freedesktop.secrets
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index 8eee662ad..cffa85fd5 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -75,7 +75,7 @@ seccomp
75seccomp.block-secondary 75seccomp.block-secondary
76tracelog 76tracelog
77 77
78# disable-mnt 78#disable-mnt
79private-cache 79private-cache
80private-dev 80private-dev
81private-etc @tls-ca,@x11,bogofilter,bogofilter.cf,gnupg,hosts.conf,mailname,timezone 81private-etc @tls-ca,@x11,bogofilter,bogofilter.cf,gnupg,hosts.conf,mailname,timezone
diff --git a/etc/profile-a-l/engrampa.profile b/etc/profile-a-l/engrampa.profile
index e1d107dc7..24e4f8a0e 100644
--- a/etc/profile-a-l/engrampa.profile
+++ b/etc/profile-a-l/engrampa.profile
@@ -35,9 +35,9 @@ seccomp
35seccomp.block-secondary 35seccomp.block-secondary
36tracelog 36tracelog
37 37
38# private-bin engrampa 38#private-bin engrampa
39private-dev 39private-dev
40# private-tmp 40#private-tmp
41 41
42dbus-user filter 42dbus-user filter
43dbus-user.talk ca.desrt.dconf 43dbus-user.talk ca.desrt.dconf
diff --git a/etc/profile-a-l/enpass.profile b/etc/profile-a-l/enpass.profile
index 45a1125b4..93929c6ea 100644
--- a/etc/profile-a-l/enpass.profile
+++ b/etc/profile-a-l/enpass.profile
@@ -58,5 +58,5 @@ private-dev
58private-opt Enpass 58private-opt Enpass
59private-tmp 59private-tmp
60 60
61#memory-deny-write-execute - breaks on Arch (see issue #1803) 61#memory-deny-write-execute # breaks on Arch (see issue #1803)
62restrict-namespaces 62restrict-namespaces
diff --git a/etc/profile-a-l/ephemeral.profile b/etc/profile-a-l/ephemeral.profile
index 8b32d08b1..795128418 100644
--- a/etc/profile-a-l/ephemeral.profile
+++ b/etc/profile-a-l/ephemeral.profile
@@ -59,7 +59,7 @@ private-cache
59private-tmp 59private-tmp
60 60
61# breaks preferences 61# breaks preferences
62# dbus-user none 62#dbus-user none
63# dbus-system none 63#dbus-system none
64 64
65restrict-namespaces 65restrict-namespaces
diff --git a/etc/profile-a-l/etr.profile b/etc/profile-a-l/etr.profile
index 5b9892af3..4789afee6 100644
--- a/etc/profile-a-l/etr.profile
+++ b/etc/profile-a-l/etr.profile
@@ -48,7 +48,7 @@ disable-mnt
48private-bin etr 48private-bin etr
49private-cache 49private-cache
50private-dev 50private-dev
51# private-etc alternatives,drirc,machine-id,openal,passwd 51#private-etc alternatives,drirc,machine-id,openal,passwd
52private-etc @games,@x11 52private-etc @games,@x11
53private-tmp 53private-tmp
54 54
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index 75a3958ad..06a4a64b1 100644
--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -34,7 +34,7 @@ include whitelist-var-common.inc
34 34
35caps.drop all 35caps.drop all
36machine-id 36machine-id
37# net none - breaks AppArmor on Ubuntu systems 37#net none # breaks AppArmor on Ubuntu systems
38netfilter 38netfilter
39no3d 39no3d
40nodvd 40nodvd
diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile
index d805766eb..2a30d2e23 100644
--- a/etc/profile-a-l/falkon.profile
+++ b/etc/profile-a-l/falkon.profile
@@ -41,17 +41,17 @@ nou2f
41protocol unix,inet,inet6,netlink 41protocol unix,inet,inet6,netlink
42# blacklisting of chroot system calls breaks falkon 42# blacklisting of chroot system calls breaks falkon
43seccomp !chroot 43seccomp !chroot
44# tracelog 44#tracelog
45 45
46disable-mnt 46disable-mnt
47# private-bin falkon 47#private-bin falkon
48private-cache 48private-cache
49private-dev 49private-dev
50private-etc @tls-ca,@x11,adobe,mailcap,mime.types 50private-etc @tls-ca,@x11,adobe,mailcap,mime.types
51private-tmp 51private-tmp
52 52
53# dbus-user filter 53#dbus-user filter
54# dbus-user.own org.kde.Falkon 54#dbus-user.own org.kde.Falkon
55dbus-system none 55dbus-system none
56 56
57# restrict-namespaces 57#restrict-namespaces
diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile
index fe7f88a75..e9d5709ec 100644
--- a/etc/profile-a-l/fdns.profile
+++ b/etc/profile-a-l/fdns.profile
@@ -24,7 +24,7 @@ include disable-xdg.inc
24apparmor /usr/bin/fdns 24apparmor /usr/bin/fdns
25caps.keep kill,net_bind_service,setgid,setuid,sys_admin,sys_chroot 25caps.keep kill,net_bind_service,setgid,setuid,sys_admin,sys_chroot
26ipc-namespace 26ipc-namespace
27# netfilter /etc/firejail/webserver.net 27#netfilter /etc/firejail/webserver.net
28no3d 28no3d
29nodvd 29nodvd
30nogroups 30nogroups
@@ -43,7 +43,7 @@ private-bin bash,fdns,sh
43private-cache 43private-cache
44#private-dev 44#private-dev
45private-etc @tls-ca,fdns 45private-etc @tls-ca,fdns
46# private-lib 46#private-lib
47private-tmp 47private-tmp
48 48
49memory-deny-write-execute 49memory-deny-write-execute
diff --git a/etc/profile-a-l/feedreader.profile b/etc/profile-a-l/feedreader.profile
index 6aa24cc86..7b205a917 100644
--- a/etc/profile-a-l/feedreader.profile
+++ b/etc/profile-a-l/feedreader.profile
@@ -29,13 +29,13 @@ include whitelist-var-common.inc
29 29
30caps.drop all 30caps.drop all
31netfilter 31netfilter
32# no3d 32#no3d
33nodvd 33nodvd
34nogroups 34nogroups
35noinput 35noinput
36nonewprivs 36nonewprivs
37noroot 37noroot
38# nosound 38#nosound
39notv 39notv
40nou2f 40nou2f
41novideo 41novideo
diff --git a/etc/profile-a-l/ferdi.profile b/etc/profile-a-l/ferdi.profile
index 3a044542f..27920620a 100644
--- a/etc/profile-a-l/ferdi.profile
+++ b/etc/profile-a-l/ferdi.profile
@@ -45,4 +45,4 @@ disable-mnt
45private-dev 45private-dev
46private-tmp 46private-tmp
47 47
48# restrict-namespaces 48#restrict-namespaces
diff --git a/etc/profile-a-l/ffmpeg.profile b/etc/profile-a-l/ffmpeg.profile
index b7d54f05d..af9d556db 100644
--- a/etc/profile-a-l/ffmpeg.profile
+++ b/etc/profile-a-l/ffmpeg.profile
@@ -53,5 +53,5 @@ private-tmp
53dbus-user none 53dbus-user none
54dbus-system none 54dbus-system none
55 55
56# memory-deny-write-execute - it breaks old versions of ffmpeg 56#memory-deny-write-execute # it breaks old versions of ffmpeg
57restrict-namespaces 57restrict-namespaces
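--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -6,6 +6,8 @@ include file-roller.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${PATH}/dpkg*
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -22,7 +24,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-# net none - breaks on older Ubuntu versions
+#net none # breaks on older Ubuntu versions
 netfilter
 no3d
 nodvd
@@ -40,11 +42,11 @@ seccomp
 seccomp.block-secondary
 tracelog
 
-private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd
+private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg*,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd
 private-cache
 private-dev
 private-etc @x11
-# private-tmp
+#private-tmp
 
 dbus-user filter
 dbus-user.own org.gnome.ArchiveManager1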
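Review bot: The `private-bin` entry on new line 45 widens from `dpkg-deb` to the glob `dpkg*`, and `noblacklist ${PATH}/dpkg*` on new line 9 un-hides every dpkg-prefixed binary, where the previous allow-list exposed only the archive extractor; if file-roller only needs to unpack .deb files, `dpkg-deb` alone (in both lines) keeps the least-privilege shape of the old list. Whichever is kept, the new noblacklist line should carry the reason the commit's other allow lines do (`# Allow java (blacklisted by disable-devel.inc)` style), e.g. `# Allow dpkg-deb for .deb extraction (blacklisted by a disable-*.inc include)` — I cannot see which include blacklists it from this diff. The same `dpkg` → `dpkg*` widening appears in freemind.profile.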
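--- /dev/null
+++ b/etc/profile-a-l/floorp.profile
@@ -0,0 +1,45 @@
+# Firejail profile for floorp
+# Description: A customisable Firefox fork with excellent privacy protection
+# This file is overwritten after every install/update
+# Persistent local customizations
+include floorp.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/floorp
+noblacklist ${HOME}/.floorp
+
+mkdir ${HOME}/.cache/floorp
+mkdir ${HOME}/.floorp
+whitelist ${HOME}/.cache/floorp
+whitelist ${HOME}/.floorp
+
+# Add the next lines to your floorp.local if you want to use the migration wizard.
+#noblacklist ${HOME}/.mozilla
+#whitelist ${HOME}/.mozilla
+
+# To enable KeePassXC Plugin add one of the following lines to your floorp.local.
+# Note: Start KeePassXC before floorp and keep it open to allow communication between them.
+#whitelist ${RUNUSER}/kpxc_server
+#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
+
+dbus-user filter
+dbus-user.own org.mozilla.floorp.*
+# Add the next line to your floorp.local to enable native notifications.
+#dbus-user.talk org.freedesktop.Notifications
+# Add the next line to your floorp.local to allow inhibiting screensavers.
+#dbus-user.talk org.freedesktop.ScreenSaver
+# Add the next lines to your floorp.local for plasma browser integration.
+#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
+#dbus-user.talk org.kde.JobViewServer
+#dbus-user.talk org.kde.kuiserver
+# Add the next line to your floorp.local to allow screensharing under Wayland.
+#dbus-user.talk org.freedesktop.portal.Desktop
+# Also add the next line to your floorp.local if screensharing does not work with
+# the above lines (depends on the portal implementation).
+#ignore noroot
+ignore apparmor
+ignore dbus-user none
+
+# Redirect
+include firefox-common.profile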
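Review bot: `ignore apparmor` on new line 41 switches off the AppArmor confinement that the redirected firefox-common.profile presumably enables, and unlike the `#ignore noroot` hint just above it, it carries no reason; a reader of this file cannot tell whether floorp is broken by the firejail-default AppArmor profile or the line was carried over from another profile. A one-line comment recording the cause, e.g. `# apparmor breaks floorp (see <issue or reason>)`, would let a later maintainer re-enable it when the cause is fixed. The same applies to `ignore dbus-user none` on line 42, although there the preceding `dbus-user filter` block makes the intent evident.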
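--- /dev/null
+++ b/etc/profile-a-l/fluffychat.profile
@@ -0,0 +1,73 @@
+# Firejail profile for fluffychat
+# Description: Easy to use matrix messenger
+# This file is overwritten after every install/update
+# Persistent local customizations
+include fluffychat.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/fluffychat
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.mozilla/firefox/profiles.ini
+
+mkdir ${HOME}/.local/share/fluffychat
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.local/share/fluffychat
+whitelist /opt/fluffychat
+whitelist /usr/share/fluffychat
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-bin firefox,fluffychat,sh,which,zenity
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-tmp
+
+dbus-user filter
+dbus-user.talk org.freedesktop.secrets
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*
+dbus-system filter
+dbus-system.talk org.freedesktop.NetworkManager
+
+restrict-namespaces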
index 88ae56c82..5b9603243 100644
--- a/etc/profile-a-l/font-manager.profile
+++ b/etc/profile-a-l/font-manager.profile
@@ -33,7 +33,7 @@ include whitelist-var-common.inc
33apparmor 33apparmor
34caps.drop all 34caps.drop all
35machine-id 35machine-id
36# net none - issues on older versions 36#net none # issues on older versions
37no3d 37no3d
38nodvd 38nodvd
39nogroups 39nogroups
@@ -53,5 +53,5 @@ private-bin font-manager,python*,yelp
53private-dev 53private-dev
54private-tmp 54private-tmp
55 55
56#memory-deny-write-execute - breaks on Arch (see issue #1803) 56#memory-deny-write-execute # breaks on Arch (see issue #1803)
57restrict-namespaces 57restrict-namespaces
diff --git a/etc/profile-a-l/franz.profile b/etc/profile-a-l/franz.profile
index e21789d73..664773b77 100644
--- a/etc/profile-a-l/franz.profile
+++ b/etc/profile-a-l/franz.profile
@@ -45,4 +45,4 @@ disable-mnt
45private-dev 45private-dev
46private-tmp 46private-tmp
47 47
48# restrict-namespaces 48#restrict-namespaces
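--- a/etc/profile-a-l/freemind.profile
+++ b/etc/profile-a-l/freemind.profile
@@ -9,6 +9,8 @@ include globals.local
 noblacklist ${DOCUMENTS}
 noblacklist ${HOME}/.freemind
 
+noblacklist ${PATH}/dpkg*
+
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
 
@@ -40,7 +42,7 @@ seccomp
 tracelog
 
 disable-mnt
-private-bin bash,cp,dirname,dpkg,echo,freemind,grep,java,lsb_release,mkdir,readlink,rpm,sed,sh,uname,which
+private-bin bash,cp,dirname,dpkg*,echo,freemind,grep,java,lsb_release,mkdir,readlink,rpm,sed,sh,uname,which
 private-cache
 private-dev
 #private-etc alternatives,fonts,java*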
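--- a/etc/profile-a-l/freshclam.profile
+++ b/etc/profile-a-l/freshclam.profile
@@ -2,7 +2,7 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include clamav.local
+include freshclam.local
 # Persistent global definitions
 include globals.local
 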
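Review bot: Switching the local include from `clamav.local` to `freshclam.local` on new line 5 is the right fix for the copy-paste, but it silently stops applying any customizations users have accumulated in clamav.local for freshclam (including any `ignore` lines that relax the sandbox for their setup). This deserves a release-note entry telling users to move freshclam-specific lines into freshclam.local.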
diff --git a/etc/profile-a-l/frozen-bubble.profile b/etc/profile-a-l/frozen-bubble.profile
index f162a4a31..98f473654 100644
--- a/etc/profile-a-l/frozen-bubble.profile
+++ b/etc/profile-a-l/frozen-bubble.profile
@@ -41,7 +41,7 @@ seccomp
41tracelog 41tracelog
42 42
43disable-mnt 43disable-mnt
44# private-bin frozen-bubble 44#private-bin frozen-bubble
45private-dev 45private-dev
46private-etc @games,@x11 46private-etc @games,@x11
47private-tmp 47private-tmp
diff --git a/etc/profile-a-l/funnyboat.profile b/etc/profile-a-l/funnyboat.profile
index 8ca349d1c..bd790cab4 100644
--- a/etc/profile-a-l/funnyboat.profile
+++ b/etc/profile-a-l/funnyboat.profile
@@ -16,7 +16,7 @@ include disable-devel.inc
16include disable-exec.inc 16include disable-exec.inc
17include disable-interpreters.inc 17include disable-interpreters.inc
18include disable-programs.inc 18include disable-programs.inc
19# include disable-shell.inc 19#include disable-shell.inc
20include disable-xdg.inc 20include disable-xdg.inc
21 21
22mkdir ${HOME}/.funnyboat 22mkdir ${HOME}/.funnyboat
@@ -41,7 +41,7 @@ notv
41novideo 41novideo
42protocol unix,inet,inet6 42protocol unix,inet,inet6
43seccomp 43seccomp
44# tracelog 44#tracelog
45 45
46disable-mnt 46disable-mnt
47private-cache 47private-cache
diff --git a/etc/profile-a-l/galculator.profile b/etc/profile-a-l/galculator.profile
index 44d62cc86..aa1b96c41 100644
--- a/etc/profile-a-l/galculator.profile
+++ b/etc/profile-a-l/galculator.profile
@@ -48,5 +48,5 @@ private-tmp
48dbus-user none 48dbus-user none
49dbus-system none 49dbus-system none
50 50
51#memory-deny-write-execute - breaks on Arch (see issue #1803) 51#memory-deny-write-execute # breaks on Arch (see issue #1803)
52restrict-namespaces 52restrict-namespaces
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile
index ba0837780..da240c36a 100644
--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -53,7 +53,7 @@ include whitelist-var-common.inc
53 53
54apparmor 54apparmor
55caps.drop all 55caps.drop all
56#ipc-namespace - may cause issues with X11 56#ipc-namespace # may cause issues with X11
57#machine-id 57#machine-id
58netfilter 58netfilter
59no3d 59no3d
@@ -71,7 +71,7 @@ seccomp
71seccomp.block-secondary 71seccomp.block-secondary
72tracelog 72tracelog
73 73
74# disable-mnt 74#disable-mnt
75#private-bin geary,sh 75#private-bin geary,sh
76private-cache 76private-cache
77private-dev 77private-dev
diff --git a/etc/profile-a-l/gedit.profile b/etc/profile-a-l/gedit.profile
index dbb3ab971..bc265a509 100644
--- a/etc/profile-a-l/gedit.profile
+++ b/etc/profile-a-l/gedit.profile
@@ -13,18 +13,18 @@ noblacklist ${HOME}/.config/gedit
13include allow-common-devel.inc 13include allow-common-devel.inc
14 14
15include disable-common.inc 15include disable-common.inc
16# include disable-devel.inc 16#include disable-devel.inc
17include disable-exec.inc 17include disable-exec.inc
18# include disable-interpreters.inc 18#include disable-interpreters.inc
19include disable-programs.inc 19include disable-programs.inc
20 20
21include whitelist-runuser-common.inc 21include whitelist-runuser-common.inc
22include whitelist-var-common.inc 22include whitelist-var-common.inc
23 23
24# apparmor - makes settings immutable 24#apparmor # makes settings immutable
25caps.drop all 25caps.drop all
26machine-id 26machine-id
27# net none - makes settings immutable 27#net none # makes settings immutable
28no3d 28no3d
29nodvd 29nodvd
30nogroups 30nogroups
@@ -40,14 +40,14 @@ seccomp
40seccomp.block-secondary 40seccomp.block-secondary
41tracelog 41tracelog
42 42
43# private-bin gedit 43#private-bin gedit
44private-dev 44private-dev
45# private-lib breaks python plugins - add the next line to your gedit.local if you don't use them. 45# private-lib breaks python plugins - add the next line to your gedit.local if you don't use them.
46#private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.* 46#private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.*
47private-tmp 47private-tmp
48 48
49# makes settings immutable 49# makes settings immutable
50# dbus-user none 50#dbus-user none
51# dbus-system none 51#dbus-system none
52 52
53restrict-namespaces 53restrict-namespaces
diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile
index e8d4c013f..387ec615f 100644
--- a/etc/profile-a-l/geekbench.profile
+++ b/etc/profile-a-l/geekbench.profile
@@ -43,7 +43,7 @@ seccomp
43tracelog 43tracelog
44 44
45disable-mnt 45disable-mnt
46#private-bin bash,geekbench*,sh -- #4576 46#private-bin bash,geekbench*,sh # #4576
47private-cache 47private-cache
48private-dev 48private-dev
49private-etc lsb-release 49private-etc lsb-release
diff --git a/etc/profile-a-l/geeqie.profile b/etc/profile-a-l/geeqie.profile
index f81a49e4f..6cd28f25d 100644
--- a/etc/profile-a-l/geeqie.profile
+++ b/etc/profile-a-l/geeqie.profile
@@ -32,7 +32,7 @@ novideo
32protocol unix,inet,inet6 32protocol unix,inet,inet6
33seccomp 33seccomp
34 34
35# private-bin geeqie 35#private-bin geeqie
36private-dev 36private-dev
37 37
38restrict-namespaces 38restrict-namespaces
diff --git a/etc/profile-a-l/gfeeds.profile b/etc/profile-a-l/gfeeds.profile
index 1c97ad21c..007658138 100644
--- a/etc/profile-a-l/gfeeds.profile
+++ b/etc/profile-a-l/gfeeds.profile
@@ -58,7 +58,7 @@ tracelog
58 58
59disable-mnt 59disable-mnt
60private-bin gfeeds,python3* 60private-bin gfeeds,python3*
61# private-cache -- feeds are stored in ~/.cache 61#private-cache # feeds are stored in ~/.cache
62private-dev 62private-dev
63private-etc @tls-ca,@x11,dbus-1,gconf,host.conf,mime.types,rpc,services 63private-etc @tls-ca,@x11,dbus-1,gconf,host.conf,mime.types,rpc,services
64private-tmp 64private-tmp
diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile
index dabf0dd7f..2023ca9f0 100644
--- a/etc/profile-a-l/ghostwriter.profile
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -45,7 +45,7 @@ novideo
45protocol unix,inet,inet6,netlink 45protocol unix,inet,inet6,netlink
46seccomp !chroot 46seccomp !chroot
47seccomp.block-secondary 47seccomp.block-secondary
48#tracelog -- breaks 48#tracelog # breaks
49 49
50private-bin context,gettext,ghostwriter,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf 50private-bin context,gettext,ghostwriter,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf
51private-cache 51private-cache
diff --git a/etc/profile-a-l/github-desktop.profile b/etc/profile-a-l/github-desktop.profile
index ced1aa190..88134b363 100644
--- a/etc/profile-a-l/github-desktop.profile
+++ b/etc/profile-a-l/github-desktop.profile
@@ -29,14 +29,14 @@ noblacklist ${HOME}/.config/git
29noblacklist ${HOME}/.gitconfig 29noblacklist ${HOME}/.gitconfig
30noblacklist ${HOME}/.git-credentials 30noblacklist ${HOME}/.git-credentials
31 31
32# no3d 32#no3d
33nosound 33nosound
34 34
35# private-bin github-desktop 35#private-bin github-desktop
36?HAS_APPIMAGE: ignore private-dev 36?HAS_APPIMAGE: ignore private-dev
37# private-lib 37#private-lib
38 38
39# memory-deny-write-execute 39#memory-deny-write-execute
40 40
41# Redirect 41# Redirect
42include electron-common.profile 42include electron-common.profile
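--- a/etc/profile-a-l/gitter.profile
+++ b/etc/profile-a-l/gitter.profile
@@ -18,6 +18,7 @@ mkdir ${HOME}/.config/Gitter
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/autostart
 whitelist ${HOME}/.config/Gitter
+whitelist /opt/Gitter
 include whitelist-var-common.inc
 
 caps.drop all
@@ -37,7 +38,6 @@ seccomp
 disable-mnt
 private-bin bash,env,gitter
 private-etc @tls-ca
-private-opt Gitter
 private-dev
 private-tmp
 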
diff --git a/etc/profile-a-l/gjs.profile b/etc/profile-a-l/gjs.profile
index bd332a6d5..cad261365 100644
--- a/etc/profile-a-l/gjs.profile
+++ b/etc/profile-a-l/gjs.profile
@@ -38,9 +38,9 @@ protocol unix,inet,inet6
38seccomp 38seccomp
39tracelog 39tracelog
40 40
41# private-bin gjs,gnome-books,gnome-documents,gnome-maps,gnome-photos,gnome-weather 41#private-bin gjs,gnome-books,gnome-documents,gnome-maps,gnome-photos,gnome-weather
42private-dev 42private-dev
43# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl 43#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
44private-tmp 44private-tmp
45 45
46restrict-namespaces 46restrict-namespaces
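--- a/etc/profile-a-l/gmpc.profile
+++ b/etc/profile-a-l/gmpc.profile
@@ -47,8 +47,9 @@ private-etc
 private-tmp
 writable-run-user
 
-# dbus-user none
-# dbus-system none
+dbus-user filter
+dbus-user.talk org.mpris.MediaPlayer2.mpd
+dbus-system none
 
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces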
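Review bot: The new `dbus-user.talk org.mpris.MediaPlayer2.mpd` rule on new line 51 is the only hole in the otherwise closed session-bus filter and carries no comment saying why gmpc needs it, while the relaxations elsewhere in this file (`#memory-deny-write-execute # breaks on Arch`) do. A one-liner above it, `# Allow gmpc to reach mpd's MPRIS bus name`, would record the intent so the rule is not dropped or widened blindly later. Moving from the previously commented-out `dbus-user none` to an explicit filter is a clear tightening and welcome.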
diff --git a/etc/profile-a-l/gnome-books.profile b/etc/profile-a-l/gnome-books.profile
index 812923b2d..962b8b30f 100644
--- a/etc/profile-a-l/gnome-books.profile
+++ b/etc/profile-a-l/gnome-books.profile
@@ -39,7 +39,7 @@ protocol unix
39seccomp 39seccomp
40tracelog 40tracelog
41 41
42# private-bin gjs,gnome-books 42#private-bin gjs,gnome-books
43private-dev 43private-dev
44private-tmp 44private-tmp
45 45
diff --git a/etc/profile-a-l/gnome-calculator.profile b/etc/profile-a-l/gnome-calculator.profile
index e5c6022e8..40f799693 100644
--- a/etc/profile-a-l/gnome-calculator.profile
+++ b/etc/profile-a-l/gnome-calculator.profile
@@ -24,7 +24,7 @@ apparmor
24caps.drop all 24caps.drop all
25ipc-namespace 25ipc-namespace
26machine-id 26machine-id
27#net none -- breaks currency conversion 27#net none # breaks currency conversion
28netfilter 28netfilter
29no3d 29no3d
30nodvd 30nodvd
diff --git a/etc/profile-a-l/gnome-characters.profile b/etc/profile-a-l/gnome-characters.profile
index 9e9730e53..9f592722c 100644
--- a/etc/profile-a-l/gnome-characters.profile
+++ b/etc/profile-a-l/gnome-characters.profile
@@ -52,8 +52,8 @@ private-etc @x11,gconf,mime.types
52private-tmp 52private-tmp
53 53
54# Add the next lines to your gnome-characters.local if you don't need access to recently used chars. 54# Add the next lines to your gnome-characters.local if you don't need access to recently used chars.
55# dbus-user none 55#dbus-user none
56# dbus-system none 56#dbus-system none
57 57
58read-only ${HOME} 58read-only ${HOME}
59restrict-namespaces 59restrict-namespaces
diff --git a/etc/profile-a-l/gnome-contacts.profile b/etc/profile-a-l/gnome-contacts.profile
index 2326115c3..25a906c69 100644
--- a/etc/profile-a-l/gnome-contacts.profile
+++ b/etc/profile-a-l/gnome-contacts.profile
@@ -21,7 +21,7 @@ include whitelist-var-common.inc
21 21
22caps.drop all 22caps.drop all
23netfilter 23netfilter
24#no3d - breaks on Arch 24#no3d # breaks on Arch
25nodvd 25nodvd
26noinput 26noinput
27nonewprivs 27nonewprivs
diff --git a/etc/profile-a-l/gnome-keyring.profile b/etc/profile-a-l/gnome-keyring.profile
index 45b6fd880..aa0a7f4cc 100644
--- a/etc/profile-a-l/gnome-keyring.profile
+++ b/etc/profile-a-l/gnome-keyring.profile
@@ -55,7 +55,7 @@ private-dev
55#private-lib alternatives,gnome-keyring,libsecret-1.so.*,pkcs11,security 55#private-lib alternatives,gnome-keyring,libsecret-1.so.*,pkcs11,security
56private-tmp 56private-tmp
57 57
58# dbus-user none 58#dbus-user none
59dbus-system none 59dbus-system none
60 60
61memory-deny-write-execute 61memory-deny-write-execute
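--- a/etc/profile-a-l/gnome-logs.profile
+++ b/etc/profile-a-l/gnome-logs.profile
@@ -6,49 +6,15 @@ include gnome-logs.local
 # Persistent global definitions
 include globals.local
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-shell.inc
-include disable-xdg.inc
+whitelist /usr/share/gnome-logs
 
-whitelist /var/log/journal
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-apparmor
-caps.drop all
-ipc-namespace
-net none
-no3d
-nodvd
-noinput
-nonewprivs
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-tracelog
-
-disable-mnt
 private-bin gnome-logs
-private-cache
-private-dev
-private-etc
 private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
-private-tmp
-writable-var-log
 
 dbus-user filter
 dbus-user.own org.gnome.Logs
 dbus-user.talk ca.desrt.dconf
-dbus-system none
+ignore dbus-user none
 
-# Add 'ignore read-only ${HOME}' to your gnome-logs.local if you export logs to a file under your ${HOME}.
-read-only ${HOME}
-restrict-namespaces
+# Redirect
+include system-log-common.profile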
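Review bot: `dbus-system none` (old line 50) is removed with no replacement in this file, so whether the system bus stays blocked now depends entirely on system-log-common.profile, which is not part of this diff; the same goes for `net none`, `whitelist /var/log/journal`, `read-only ${HOME}`, seccomp and the rest of the hardening dropped here, so please confirm the common profile carries each of them before merging. `ignore dbus-user none` on new line 17 implies the common profile sets `dbus-user none`; a comment such as `# the dbus-user filter above replaces the common profile's 'dbus-user none'` would make the override self-explanatory. The user hint from old line 52 about `ignore read-only ${HOME}` for exporting logs is lost unless the common profile restates it.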
diff --git a/etc/profile-a-l/gnome-maps.profile b/etc/profile-a-l/gnome-maps.profile
index 17f52e588..40c264c86 100644
--- a/etc/profile-a-l/gnome-maps.profile
+++ b/etc/profile-a-l/gnome-maps.profile
@@ -61,7 +61,7 @@ tracelog
61 61
62disable-mnt 62disable-mnt
63private-bin gjs,gnome-maps 63private-bin gjs,gnome-maps
64# private-cache -- gnome-maps cache all maps/satelite-images 64#private-cache # gnome-maps cache all maps/satelite-images
65private-dev 65private-dev
66private-etc @tls-ca,@x11,clutter-1.0,gconf,host.conf,mime.types,pkcs11,rpc,services 66private-etc @tls-ca,@x11,clutter-1.0,gconf,host.conf,mime.types,pkcs11,rpc,services
67private-tmp 67private-tmp
diff --git a/etc/profile-a-l/gnome-mplayer.profile b/etc/profile-a-l/gnome-mplayer.profile
index 052e9ba9c..5315cbec6 100644
--- a/etc/profile-a-l/gnome-mplayer.profile
+++ b/etc/profile-a-l/gnome-mplayer.profile
@@ -26,7 +26,7 @@ nou2f
26protocol unix,inet,inet6 26protocol unix,inet,inet6
27seccomp 27seccomp
28 28
29# private-bin gnome-mplayer,mplayer 29#private-bin gnome-mplayer,mplayer
30private-cache 30private-cache
31private-dev 31private-dev
32private-tmp 32private-tmp
diff --git a/etc/profile-a-l/gnome-nettool.profile b/etc/profile-a-l/gnome-nettool.profile
index 7a9a0e336..7a8338cd7 100644
--- a/etc/profile-a-l/gnome-nettool.profile
+++ b/etc/profile-a-l/gnome-nettool.profile
@@ -14,7 +14,7 @@ include disable-programs.inc
14include disable-xdg.inc 14include disable-xdg.inc
15 15
16whitelist /usr/share/gnome-nettool 16whitelist /usr/share/gnome-nettool
17#include whitelist-common.inc -- see #903 17#include whitelist-common.inc # see #903
18include whitelist-runuser-common.inc 18include whitelist-runuser-common.inc
19include whitelist-usr-share-common.inc 19include whitelist-usr-share-common.inc
20include whitelist-var-common.inc 20include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gnome-photos.profile b/etc/profile-a-l/gnome-photos.profile
index 1d0291aa2..4d2a3913f 100644
--- a/etc/profile-a-l/gnome-photos.profile
+++ b/etc/profile-a-l/gnome-photos.profile
@@ -36,7 +36,7 @@ seccomp
36seccomp.block-secondary 36seccomp.block-secondary
37tracelog 37tracelog
38 38
39# private-bin gjs,gnome-photos 39#private-bin gjs,gnome-photos
40private-dev 40private-dev
41private-tmp 41private-tmp
42 42
diff --git a/etc/profile-a-l/gnome-pie.profile b/etc/profile-a-l/gnome-pie.profile
index ac0fb555d..dff6032d1 100644
--- a/etc/profile-a-l/gnome-pie.profile
+++ b/etc/profile-a-l/gnome-pie.profile
@@ -16,7 +16,7 @@ include disable-exec.inc
16 16
17caps.drop all 17caps.drop all
18ipc-namespace 18ipc-namespace
19# net none - breaks dbus 19#net none # breaks dbus
20no3d 20no3d
21nodvd 21nodvd
22nogroups 22nogroups
diff --git a/etc/profile-a-l/gnome-ring.profile b/etc/profile-a-l/gnome-ring.profile
index 8f2ab7fd6..898cdf1f8 100644
--- a/etc/profile-a-l/gnome-ring.profile
+++ b/etc/profile-a-l/gnome-ring.profile
@@ -27,7 +27,7 @@ protocol unix,inet,inet6,netlink
27seccomp 27seccomp
28 28
29disable-mnt 29disable-mnt
30# private-dev 30#private-dev
31private-tmp 31private-tmp
32 32
33restrict-namespaces 33restrict-namespaces
diff --git a/etc/profile-a-l/gnome-schedule.profile b/etc/profile-a-l/gnome-schedule.profile
index b71d77621..33f22136e 100644
--- a/etc/profile-a-l/gnome-schedule.profile
+++ b/etc/profile-a-l/gnome-schedule.profile
@@ -46,7 +46,7 @@ apparmor
46caps.keep chown,dac_override,setgid,setuid 46caps.keep chown,dac_override,setgid,setuid
47ipc-namespace 47ipc-namespace
48machine-id 48machine-id
49#net none - breaks on Ubuntu 49#net none # breaks on Ubuntu
50no3d 50no3d
51nodvd 51nodvd
52nogroups 52nogroups
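--- a/etc/profile-a-l/gnome-system-log.profile
+++ b/etc/profile-a-l/gnome-system-log.profile
@@ -6,51 +6,13 @@ include gnome-system-log.local
 # Persistent global definitions
 include globals.local
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-shell.inc
-include disable-xdg.inc
+# 'net none' breaks dbus
+ignore net none
 
-whitelist /var/log
-include whitelist-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-apparmor
-caps.drop all
-ipc-namespace
-# net none - breaks dbus
-no3d
-nodvd
-# When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html),
-# put 'ignore nogroups' and 'ignore noroot' in your gnome-system-log.local.
-nogroups
-noinput
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-
-disable-mnt
 private-bin gnome-system-log
-private-cache
-private-dev
-private-etc
 private-lib
-private-tmp
-writable-var-log
-
-# dbus-user none
-# dbus-system none
 
 memory-deny-write-execute
-# Add 'ignore read-only ${HOME}' to your gnome-system-log.local if you export logs to a file under your ${HOME}.
-read-only ${HOME}
-restrict-namespaces
+
+# Redirect
+include system-log-common.profile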
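Review bot: The advisory comments on old lines 28–29 (`ignore nogroups`/`ignore noroot` when journald uses volatile storage) and old line 54 (`ignore read-only ${HOME}` for exporting logs) are dropped rather than moved, so unless system-log-common.profile, which is outside this diff, restates them, users lose the guidance that previously accompanied those restrictions. The `ignore net none` override on new line 10 is well commented; the dropped `# dbus-user none`/`# dbus-system none` lines had no counterpart here, so whether D-Bus is now filtered, blocked or open is decided solely by the common profile and a reader of this file can no longer tell — a short comment pointing there, e.g. `# D-Bus policy comes from system-log-common.profile`, would help.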
diff --git a/etc/profile-a-l/gnome-weather.profile b/etc/profile-a-l/gnome-weather.profile
index 147b84a19..8637f5019 100644
--- a/etc/profile-a-l/gnome-weather.profile
+++ b/etc/profile-a-l/gnome-weather.profile
@@ -41,9 +41,9 @@ seccomp.block-secondary
41tracelog 41tracelog
42 42
43disable-mnt 43disable-mnt
44# private-bin gjs,gnome-weather 44#private-bin gjs,gnome-weather
45private-dev 45private-dev
46# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl 46#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
47private-tmp 47private-tmp
48 48
49restrict-namespaces 49restrict-namespaces
diff --git a/etc/profile-a-l/godot.profile b/etc/profile-a-l/godot.profile
index 5e41384ab..96bbffc41 100644
--- a/etc/profile-a-l/godot.profile
+++ b/etc/profile-a-l/godot.profile
@@ -34,7 +34,7 @@ seccomp
34tracelog 34tracelog
35 35
36 36
37# private-bin godot 37#private-bin godot
38private-cache 38private-cache
39private-dev 39private-dev
40private-etc @games,@tls-ca,@x11,mono 40private-etc @games,@tls-ca,@x11,mono
diff --git a/etc/profile-a-l/goobox.profile b/etc/profile-a-l/goobox.profile
index 8807a239d..96b72230d 100644
--- a/etc/profile-a-l/goobox.profile
+++ b/etc/profile-a-l/goobox.profile
@@ -28,9 +28,9 @@ protocol unix,inet,inet6
28seccomp 28seccomp
29tracelog 29tracelog
30 30
31# private-bin goobox 31#private-bin goobox
32private-dev 32private-dev
33# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl 33#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
34# private-tmp 34#private-tmp
35 35
36restrict-namespaces 36restrict-namespaces
diff --git a/etc/profile-a-l/google-earth.profile b/etc/profile-a-l/google-earth.profile
index 4af6ce36b..1087b3d6e 100644
--- a/etc/profile-a-l/google-earth.profile
+++ b/etc/profile-a-l/google-earth.profile
@@ -18,6 +18,7 @@ mkdir ${HOME}/.config/Google
18mkdir ${HOME}/.googleearth 18mkdir ${HOME}/.googleearth
19whitelist ${HOME}/.config/Google 19whitelist ${HOME}/.config/Google
20whitelist ${HOME}/.googleearth 20whitelist ${HOME}/.googleearth
21whitelist /opt/google
21include whitelist-common.inc 22include whitelist-common.inc
22 23
23caps.drop all 24caps.drop all
@@ -37,6 +38,5 @@ seccomp
37disable-mnt 38disable-mnt
38private-bin bash,dirname,google-earth,grep,ls,sed,sh 39private-bin bash,dirname,google-earth,grep,ls,sed,sh
39private-dev 40private-dev
40private-opt google
41 41
42restrict-namespaces 42restrict-namespaces
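Review bot: `whitelist /opt/google` replaces `private-opt google` without a comment, and the two are not obviously interchangeable: private-opt built a tmpfs /opt containing only the listed entry, whereas the new line relies on firejail's whitelist handling of /opt (presumably a tmpfs over /opt with only the whitelisted path bound back) — worth confirming that the rest of /opt really disappears by running `ls /opt` inside the sandbox. If this is part of a project-wide move away from private-opt, a one-line note at the whitelist, e.g. `whitelist /opt/google # replaces private-opt google`, would keep the intent readable. The removal of the private-opt line sits in the file's second hunk.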
diff --git a/etc/profile-a-l/google-play-music-desktop-player.profile b/etc/profile-a-l/google-play-music-desktop-player.profile
index c2a7d89fd..1218631d8 100644
--- a/etc/profile-a-l/google-play-music-desktop-player.profile
+++ b/etc/profile-a-l/google-play-music-desktop-player.profile
@@ -17,8 +17,8 @@ include disable-interpreters.inc
17include disable-programs.inc 17include disable-programs.inc
18 18
19mkdir ${HOME}/.config/Google Play Music Desktop Player 19mkdir ${HOME}/.config/Google Play Music Desktop Player
20# whitelist ${HOME}/.config/pulse 20#whitelist ${HOME}/.config/pulse
21# whitelist ${HOME}/.pulse 21#whitelist ${HOME}/.pulse
22whitelist ${HOME}/.config/Google Play Music Desktop Player 22whitelist ${HOME}/.config/Google Play Music Desktop Player
23include whitelist-common.inc 23include whitelist-common.inc
24 24
diff --git a/etc/profile-a-l/gpa.profile b/etc/profile-a-l/gpa.profile
index e05cdf424..25498d89e 100644
--- a/etc/profile-a-l/gpa.profile
+++ b/etc/profile-a-l/gpa.profile
@@ -28,7 +28,7 @@ protocol unix,inet,inet6
28seccomp 28seccomp
29tracelog 29tracelog
30 30
31# private-bin gpa,gpg 31#private-bin gpa,gpg
32private-dev 32private-dev
33 33
34restrict-namespaces 34restrict-namespaces
diff --git a/etc/profile-a-l/gpg-agent.profile b/etc/profile-a-l/gpg-agent.profile
index f4cd85e3a..3b623a338 100644
--- a/etc/profile-a-l/gpg-agent.profile
+++ b/etc/profile-a-l/gpg-agent.profile
@@ -46,7 +46,7 @@ protocol unix,inet,inet6
46seccomp 46seccomp
47tracelog 47tracelog
48 48
49# private-bin gpg-agent 49#private-bin gpg-agent
50private-cache 50private-cache
51private-dev 51private-dev
52 52
diff --git a/etc/profile-a-l/gpg.profile b/etc/profile-a-l/gpg.profile
index 60690852a..bf4a1c60b 100644
--- a/etc/profile-a-l/gpg.profile
+++ b/etc/profile-a-l/gpg.profile
@@ -42,7 +42,7 @@ protocol unix,inet,inet6
42seccomp 42seccomp
43tracelog 43tracelog
44 44
45# private-bin gpg 45#private-bin gpg
46private-cache 46private-cache
47private-dev 47private-dev
48 48
diff --git a/etc/profile-a-l/gpg2.profile b/etc/profile-a-l/gpg2.profile
index b831b0f62..a9d928f17 100644
--- a/etc/profile-a-l/gpg2.profile
+++ b/etc/profile-a-l/gpg2.profile
@@ -7,7 +7,7 @@ include gpg2.local
7# added by included profile 7# added by included profile
8#include globals.local 8#include globals.local
9 9
10# private-bin gpg2 10#private-bin gpg2
11 11
12# Redirect 12# Redirect
13include gpg.profile 13include gpg.profile
diff --git a/etc/profile-a-l/gucharmap.profile b/etc/profile-a-l/gucharmap.profile
index ef4aad4da..93db304da 100644
--- a/etc/profile-a-l/gucharmap.profile
+++ b/etc/profile-a-l/gucharmap.profile
@@ -22,7 +22,7 @@ include whitelist-var-common.inc
22apparmor 22apparmor
23caps.drop all 23caps.drop all
24machine-id 24machine-id
25#net none - breaks dbus 25#net none # breaks dbus
26no3d 26no3d
27nodvd 27nodvd
28nogroups 28nogroups
@@ -47,8 +47,8 @@ private-lib
47private-tmp 47private-tmp
48 48
49# breaks state saving 49# breaks state saving
50# dbus-user none 50#dbus-user none
51# dbus-system none 51#dbus-system none
52 52
53read-only ${HOME} 53read-only ${HOME}
54restrict-namespaces 54restrict-namespaces
diff --git a/etc/profile-a-l/gwenview.profile b/etc/profile-a-l/gwenview.profile
index 4be71f6d3..bc4084a38 100644
--- a/etc/profile-a-l/gwenview.profile
+++ b/etc/profile-a-l/gwenview.profile
@@ -14,6 +14,7 @@ noblacklist ${HOME}/.kde/share/apps/gwenview
14noblacklist ${HOME}/.kde/share/config/gwenviewrc 14noblacklist ${HOME}/.kde/share/config/gwenviewrc
15noblacklist ${HOME}/.kde4/share/apps/gwenview 15noblacklist ${HOME}/.kde4/share/apps/gwenview
16noblacklist ${HOME}/.kde4/share/config/gwenviewrc 16noblacklist ${HOME}/.kde4/share/config/gwenviewrc
17noblacklist ${HOME}/.local/share/Trash
17noblacklist ${HOME}/.local/share/gwenview 18noblacklist ${HOME}/.local/share/gwenview
18noblacklist ${HOME}/.local/share/kxmlgui5/gwenview 19noblacklist ${HOME}/.local/share/kxmlgui5/gwenview
19noblacklist ${HOME}/.local/share/org.kde.gwenview 20noblacklist ${HOME}/.local/share/org.kde.gwenview
@@ -30,7 +31,7 @@ include whitelist-var-common.inc
30 31
31apparmor 32apparmor
32caps.drop all 33caps.drop all
33# net none 34#net none
34netfilter 35netfilter
35nodvd 36nodvd
36nogroups 37nogroups
@@ -42,14 +43,14 @@ nou2f
42novideo 43novideo
43protocol unix 44protocol unix
44seccomp 45seccomp
45# tracelog 46#tracelog
46 47
47private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4 48private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4
48private-dev 49private-dev
49private-etc @x11,gimp 50private-etc @x11,gimp
50 51
51# dbus-user none 52#dbus-user none
52# dbus-system none 53#dbus-system none
53 54
54# memory-deny-write-execute 55#memory-deny-write-execute
55restrict-namespaces 56restrict-namespaces
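Review bot: The added `noblacklist ${HOME}/.local/share/Trash` un-hides the user's trash directory from the sandbox without a reason, so a reader cannot tell whether it is for "Move to Trash" or for browsing trashed images. Other profiles touched by this commit annotate such exceptions inline, so `noblacklist ${HOME}/.local/share/Trash # needed for move-to-trash` (or whatever the actual trigger was) would record it. Note it also exposes files trashed by every other application to the viewer, which is acceptable only if that is the intent; the rest of the file's hunks are comment-style only.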
diff --git a/etc/profile-a-l/hexchat.profile b/etc/profile-a-l/hexchat.profile
index df7f8f3a3..def7bf25f 100644
--- a/etc/profile-a-l/hexchat.profile
+++ b/etc/profile-a-l/hexchat.profile
@@ -32,7 +32,7 @@ include whitelist-common.inc
32include whitelist-var-common.inc 32include whitelist-var-common.inc
33 33
34caps.drop all 34caps.drop all
35#machine-id -- breaks sound 35#machine-id # breaks sound
36netfilter 36netfilter
37no3d 37no3d
38nodvd 38nodvd
@@ -51,8 +51,8 @@ disable-mnt
51# debug note: private-bin requires perl, python, etc on some systems 51# debug note: private-bin requires perl, python, etc on some systems
52private-bin hexchat,python*,sh 52private-bin hexchat,python*,sh
53private-dev 53private-dev
54#private-lib - python problems 54#private-lib # python problems
55private-tmp 55private-tmp
56 56
57# memory-deny-write-execute - breaks python 57#memory-deny-write-execute # breaks python
58restrict-namespaces 58restrict-namespaces
diff --git a/etc/profile-a-l/homebank.profile b/etc/profile-a-l/homebank.profile
index ccbb66333..d36cf0f46 100644
--- a/etc/profile-a-l/homebank.profile
+++ b/etc/profile-a-l/homebank.profile
@@ -28,7 +28,7 @@ include whitelist-var-common.inc
28apparmor 28apparmor
29caps.drop all 29caps.drop all
30machine-id 30machine-id
31# net none 31#net none
32netfilter 32netfilter
33nodvd 33nodvd
34no3d 34no3d
@@ -55,5 +55,5 @@ private-tmp
55dbus-user none 55dbus-user none
56dbus-system none 56dbus-system none
57 57
58# memory-deny-write-execute 58#memory-deny-write-execute
59restrict-namespaces 59restrict-namespaces
diff --git a/etc/profile-a-l/iagno.profile b/etc/profile-a-l/iagno.profile
index 82cba7887..47c341333 100644
--- a/etc/profile-a-l/iagno.profile
+++ b/etc/profile-a-l/iagno.profile
@@ -43,7 +43,7 @@ private-dev
43private-etc @x11,gconf 43private-etc @x11,gconf
44private-tmp 44private-tmp
45 45
46# dbus-user none 46#dbus-user none
47# dbus-system none 47#dbus-system none
48 48
49restrict-namespaces 49restrict-namespaces
diff --git a/etc/profile-a-l/idea.sh.profile b/etc/profile-a-l/idea.sh.profile
index 31f65962f..2b4c68a4d 100644
--- a/etc/profile-a-l/idea.sh.profile
+++ b/etc/profile-a-l/idea.sh.profile
@@ -36,7 +36,7 @@ seccomp
36 36
37private-cache 37private-cache
38private-dev 38private-dev
39# private-tmp 39#private-tmp
40 40
41noexec /tmp 41noexec /tmp
42restrict-namespaces 42restrict-namespaces
diff --git a/etc/profile-a-l/img2txt.profile b/etc/profile-a-l/img2txt.profile
index ee341423a..8091a4c9e 100644
--- a/etc/profile-a-l/img2txt.profile
+++ b/etc/profile-a-l/img2txt.profile
@@ -41,7 +41,7 @@ seccomp
41tracelog 41tracelog
42x11 none 42x11 none
43 43
44# private-bin img2txt 44#private-bin img2txt
45private-cache 45private-cache
46private-dev 46private-dev
47private-tmp 47private-tmp
diff --git a/etc/profile-a-l/inkscape.profile b/etc/profile-a-l/inkscape.profile
index c4fc16c87..ced7a285f 100644
--- a/etc/profile-a-l/inkscape.profile
+++ b/etc/profile-a-l/inkscape.profile
@@ -61,7 +61,7 @@ protocol unix
61seccomp 61seccomp
62tracelog 62tracelog
63 63
64# private-bin inkscape,potrace,python* - problems on Debian stretch 64#private-bin inkscape,potrace,python* # problems on Debian stretch
65private-cache 65private-cache
66private-dev 66private-dev
67private-etc @x11,ImageMagick*,python* 67private-etc @x11,ImageMagick*,python*
diff --git a/etc/profile-a-l/ipcalc.profile b/etc/profile-a-l/ipcalc.profile
index e73ca44a8..369519947 100644
--- a/etc/profile-a-l/ipcalc.profile
+++ b/etc/profile-a-l/ipcalc.profile
@@ -14,7 +14,7 @@ include disable-devel.inc
14include disable-exec.inc 14include disable-exec.inc
15include disable-interpreters.inc 15include disable-interpreters.inc
16include disable-programs.inc 16include disable-programs.inc
17# include disable-shell.inc 17#include disable-shell.inc
18include disable-write-mnt.inc 18include disable-write-mnt.inc
19include disable-xdg.inc 19include disable-xdg.inc
20 20
@@ -26,7 +26,7 @@ include whitelist-var-common.inc
26apparmor 26apparmor
27caps.drop all 27caps.drop all
28ipc-namespace 28ipc-namespace
29# machine-id 29#machine-id
30net none 30net none
31netfilter 31netfilter
32no3d 32no3d
@@ -39,14 +39,14 @@ nosound
39notv 39notv
40nou2f 40nou2f
41novideo 41novideo
42# protocol unix 42#protocol unix
43seccomp 43seccomp
44# tracelog 44#tracelog
45 45
46disable-mnt 46disable-mnt
47private 47private
48private-bin bash,ipcalc,ipcalc-ng,perl,sh 48private-bin bash,ipcalc,ipcalc-ng,perl,sh
49# private-cache 49#private-cache
50private-dev 50private-dev
51# empty etc directory 51# empty etc directory
52private-etc 52private-etc
@@ -57,6 +57,6 @@ private-tmp
57dbus-user none 57dbus-user none
58dbus-system none 58dbus-system none
59 59
60# memory-deny-write-execute 60#memory-deny-write-execute
61# read-only ${HOME} 61#read-only ${HOME}
62restrict-namespaces 62restrict-namespaces
diff --git a/etc/profile-a-l/journal-viewer.profile b/etc/profile-a-l/journal-viewer.profile
index f73595fb1..eb007b765 100644
--- a/etc/profile-a-l/journal-viewer.profile
+++ b/etc/profile-a-l/journal-viewer.profile
@@ -9,60 +9,16 @@ include globals.local
9noblacklist ${HOME}/.cache/journal-viewer 9noblacklist ${HOME}/.cache/journal-viewer
10noblacklist ${HOME}/.local/share/com.vmingueza.journal-viewer 10noblacklist ${HOME}/.local/share/com.vmingueza.journal-viewer
11 11
12include disable-common.inc
13include disable-devel.inc
14include disable-exec.inc
15include disable-interpreters.inc
16include disable-proc.inc
17include disable-programs.inc
18include disable-shell.inc
19include disable-xdg.inc
20
21mkdir ${HOME}/.cache/journal-viewer 12mkdir ${HOME}/.cache/journal-viewer
22mkdir ${HOME}/.local/share/com.vmingueza.journal-viewer 13mkdir ${HOME}/.local/share/com.vmingueza.journal-viewer
23whitelist ${HOME}/.cache/journal-viewer 14whitelist ${HOME}/.cache/journal-viewer
24whitelist ${HOME}/.local/share/com.vmingueza.journal-viewer 15whitelist ${HOME}/.local/share/com.vmingueza.journal-viewer
25whitelist /run/log/journal
26whitelist /var/log/journal
27include whitelist-common.inc
28include whitelist-run-common.inc
29include whitelist-runuser-common.inc
30include whitelist-usr-share-common.inc
31include whitelist-var-common.inc
32
33apparmor
34caps.drop all
35ipc-namespace
36net none
37no3d
38nodvd
39nogroups
40noinput
41nonewprivs
42noprinters
43noroot
44nosound
45notv
46nou2f
47novideo
48protocol unix
49seccomp
50seccomp.block-secondary
51tracelog
52 16
53disable-mnt
54private-bin journal-viewer 17private-bin journal-viewer
55private-cache
56private-dev
57private-etc machine-id
58private-lib webkit2gtk-* 18private-lib webkit2gtk-*
59private-tmp
60 19
61dbus-user none
62dbus-system none
63
64restrict-namespaces
65read-only ${HOME}
66read-write ${HOME}/.cache/journal-viewer 20read-write ${HOME}/.cache/journal-viewer
67read-write ${HOME}/.local/share/com.vmingueza.journal-viewer 21read-write ${HOME}/.local/share/com.vmingueza.journal-viewer
68writable-var-log 22
23# Redirect
24include system-log-common.profile
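Review bot: The redirect to `system-log-common.profile` drops `net none`, `whitelist /run/log/journal`, `whitelist /var/log/journal`, `writable-var-log`, `private-etc machine-id` and `seccomp.block-secondary` from this file, so the sandbox is now only as tight as that common profile, which is not visible here — each of those lines should be confirmed present there before merging, otherwise the viewer either loses journal access or regains network and a full /etc. The surviving `private-bin journal-viewer` / `private-lib webkit2gtk-*` now precede the include; firejail should merge them with any `private-bin`/`private-lib` in the common profile, but if that profile sets `private-etc` the dropped `machine-id` entry may need re-adding here. The two `read-write ${HOME}/...` lines likewise now come before any `read-only ${HOME}` the include may carry, and firejail applies these in profile order, so a quick check that both directories stay writable inside the sandbox is worthwhile.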
diff --git a/etc/profile-a-l/k3b.profile b/etc/profile-a-l/k3b.profile
index 81d4f3458..9fb609151 100644
--- a/etc/profile-a-l/k3b.profile
+++ b/etc/profile-a-l/k3b.profile
@@ -21,19 +21,19 @@ include disable-xdg.inc
21include whitelist-var-common.inc 21include whitelist-var-common.inc
22 22
23caps.keep chown,dac_override,ipc_lock,net_bind_service,sys_admin,sys_nice,sys_rawio,sys_resource 23caps.keep chown,dac_override,ipc_lock,net_bind_service,sys_admin,sys_nice,sys_rawio,sys_resource
24# net none 24#net none
25netfilter 25netfilter
26no3d 26no3d
27# nonewprivs - breaks privileged helpers 27#nonewprivs # breaks privileged helpers
28noinput 28noinput
29# noroot - breaks privileged helpers 29#noroot # breaks privileged helpers
30nosound 30nosound
31notv 31notv
32novideo 32novideo
33# protocol unix - breaks privileged helpers 33#protocol unix # breaks privileged helpers
34# seccomp - breaks privileged helpers 34#seccomp # breaks privileged helpers
35 35
36private-dev 36private-dev
37# private-tmp 37#private-tmp
38 38
39# restrict-namespaces - breaks privileged helpers 39#restrict-namespaces # breaks privileged helpers
diff --git a/etc/profile-a-l/kaffeine.profile b/etc/profile-a-l/kaffeine.profile
index 73417bf11..b84d144bd 100644
--- a/etc/profile-a-l/kaffeine.profile
+++ b/etc/profile-a-l/kaffeine.profile
@@ -36,7 +36,7 @@ novideo
36protocol unix,inet,inet6 36protocol unix,inet,inet6
37seccomp 37seccomp
38 38
39# private-bin kaffeine 39#private-bin kaffeine
40private-dev 40private-dev
41private-tmp 41private-tmp
42 42
diff --git a/etc/profile-a-l/kalgebra.profile b/etc/profile-a-l/kalgebra.profile
index a4e67cf6b..359c02b38 100644
--- a/etc/profile-a-l/kalgebra.profile
+++ b/etc/profile-a-l/kalgebra.profile
@@ -35,7 +35,7 @@ nou2f
35novideo 35novideo
36protocol unix,netlink 36protocol unix,netlink
37seccomp !chroot 37seccomp !chroot
38# tracelog 38#tracelog
39 39
40disable-mnt 40disable-mnt
41private-bin kalgebra,kalgebramobile 41private-bin kalgebra,kalgebramobile
@@ -47,4 +47,4 @@ private-tmp
47dbus-user none 47dbus-user none
48dbus-system none 48dbus-system none
49 49
50# restrict-namespaces 50#restrict-namespaces
diff --git a/etc/profile-a-l/kate.profile b/etc/profile-a-l/kate.profile
index 152f73d5d..f141a25e1 100644
--- a/etc/profile-a-l/kate.profile
+++ b/etc/profile-a-l/kate.profile
@@ -28,17 +28,17 @@ noblacklist ${HOME}/.local/share/kxmlgui5/katesearch
28include allow-common-devel.inc 28include allow-common-devel.inc
29 29
30include disable-common.inc 30include disable-common.inc
31# include disable-devel.inc 31#include disable-devel.inc
32include disable-exec.inc 32include disable-exec.inc
33# include disable-interpreters.inc 33#include disable-interpreters.inc
34include disable-programs.inc 34include disable-programs.inc
35 35
36include whitelist-run-common.inc 36include whitelist-run-common.inc
37include whitelist-var-common.inc 37include whitelist-var-common.inc
38 38
39# apparmor 39#apparmor
40caps.drop all 40caps.drop all
41# net none 41#net none
42netfilter 42netfilter
43nodvd 43nodvd
44nogroups 44nogroups
@@ -52,13 +52,13 @@ novideo
52protocol unix 52protocol unix
53seccomp 53seccomp
54 54
55# private-bin kate,kbuildsycoca4,kdeinit4 55#private-bin kate,kbuildsycoca4,kdeinit4
56private-dev 56private-dev
57# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg 57#private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
58private-tmp 58private-tmp
59 59
60# dbus-user none 60#dbus-user none
61# dbus-system none 61#dbus-system none
62 62
63restrict-namespaces 63restrict-namespaces
64join-or-start kate 64join-or-start kate
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile
index 70414eeea..5a19d2f50 100644
--- a/etc/profile-a-l/kazam.profile
+++ b/etc/profile-a-l/kazam.profile
@@ -45,7 +45,7 @@ seccomp
45tracelog 45tracelog
46 46
47disable-mnt 47disable-mnt
48# private-bin kazam,python* 48#private-bin kazam,python*
49private-cache 49private-cache
50private-dev 50private-dev
51private-etc @x11 51private-etc @x11
diff --git a/etc/profile-a-l/kcalc.profile b/etc/profile-a-l/kcalc.profile
index cfb756c43..9f10039df 100644
--- a/etc/profile-a-l/kcalc.profile
+++ b/etc/profile-a-l/kcalc.profile
@@ -60,7 +60,7 @@ private-bin kcalc
60private-cache 60private-cache
61private-dev 61private-dev
62private-etc 62private-etc
63# private-lib - problems on Arch 63#private-lib # problems on Arch
64private-tmp 64private-tmp
65 65
66dbus-user none 66dbus-user none
diff --git a/etc/profile-a-l/kdeinit4.profile b/etc/profile-a-l/kdeinit4.profile
index 2f426e191..dce189c59 100644
--- a/etc/profile-a-l/kdeinit4.profile
+++ b/etc/profile-a-l/kdeinit4.profile
@@ -22,7 +22,7 @@ no3d
22nogroups 22nogroups
23noinput 23noinput
24nonewprivs 24nonewprivs
25# nosound - disabled for knotify 25#nosound # disabled for knotify
26noroot 26noroot
27nou2f 27nou2f
28novideo 28novideo
diff --git a/etc/profile-a-l/kdenlive.profile b/etc/profile-a-l/kdenlive.profile
index d4933d816..717bfa8d6 100644
--- a/etc/profile-a-l/kdenlive.profile
+++ b/etc/profile-a-l/kdenlive.profile
@@ -21,7 +21,7 @@ include disable-programs.inc
21 21
22apparmor 22apparmor
23caps.drop all 23caps.drop all
24# net none 24#net none
25nodvd 25nodvd
26nogroups 26nogroups
27noinput 27noinput
@@ -34,9 +34,9 @@ seccomp
34 34
35private-bin dbus-launch,dvdauthor,ffmpeg,ffplay,ffprobe,genisoimage,kdeinit4,kdeinit4_shutdown,kdeinit4_wrapper,kdeinit5,kdeinit5_shutdown,kdeinit5_wrapper,kdenlive,kdenlive_render,kshell4,kshell5,melt,mlt-melt,vlc,xine 35private-bin dbus-launch,dvdauthor,ffmpeg,ffplay,ffprobe,genisoimage,kdeinit4,kdeinit4_shutdown,kdeinit4_wrapper,kdeinit5,kdeinit5_shutdown,kdeinit5_wrapper,kdenlive,kdenlive_render,kshell4,kshell5,melt,mlt-melt,vlc,xine
36private-dev 36private-dev
37# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,X11,xdg 37#private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,X11,xdg
38 38
39# dbus-user none 39#dbus-user none
40# dbus-system none 40#dbus-system none
41 41
42restrict-namespaces 42restrict-namespaces
diff --git a/etc/profile-a-l/kfind.profile b/etc/profile-a-l/kfind.profile
index c70030a38..115f785eb 100644
--- a/etc/profile-a-l/kfind.profile
+++ b/etc/profile-a-l/kfind.profile
@@ -9,21 +9,21 @@ include globals.local
9# searching in blacklisted or masked paths fails silently 9# searching in blacklisted or masked paths fails silently
10# adjust filesystem restrictions as necessary 10# adjust filesystem restrictions as necessary
11 11
12# noblacklist ${HOME}/.cache/kfind - disable-programs.inc is disabled, see below 12#noblacklist ${HOME}/.cache/kfind # disable-programs.inc is disabled, see below
13# noblacklist ${HOME}/.config/kfindrc 13#noblacklist ${HOME}/.config/kfindrc
14# noblacklist ${HOME}/.kde/share/config/kfindrc 14#noblacklist ${HOME}/.kde/share/config/kfindrc
15# noblacklist ${HOME}/.kde4/share/config/kfindrc 15#noblacklist ${HOME}/.kde4/share/config/kfindrc
16 16
17include disable-common.inc 17include disable-common.inc
18include disable-devel.inc 18include disable-devel.inc
19include disable-exec.inc 19include disable-exec.inc
20include disable-interpreters.inc 20include disable-interpreters.inc
21# include disable-programs.inc 21#include disable-programs.inc
22 22
23apparmor 23apparmor
24caps.drop all 24caps.drop all
25machine-id 25machine-id
26# net none 26#net none
27netfilter 27netfilter
28no3d 28no3d
29nodvd 29nodvd
@@ -38,11 +38,11 @@ novideo
38protocol unix 38protocol unix
39seccomp 39seccomp
40 40
41# private-bin kbuildsycoca4,kdeinit4,kfind 41#private-bin kbuildsycoca4,kdeinit4,kfind
42private-dev 42private-dev
43private-tmp 43private-tmp
44 44
45# dbus-user none 45#dbus-user none
46# dbus-system none 46#dbus-system none
47 47
48restrict-namespaces 48restrict-namespaces
diff --git a/etc/profile-a-l/kget.profile b/etc/profile-a-l/kget.profile
index dd45c1889..892577117 100644
--- a/etc/profile-a-l/kget.profile
+++ b/etc/profile-a-l/kget.profile
@@ -40,5 +40,5 @@ seccomp
40private-dev 40private-dev
41private-tmp 41private-tmp
42 42
43# memory-deny-write-execute 43#memory-deny-write-execute
44restrict-namespaces 44restrict-namespaces
diff --git a/etc/profile-a-l/kiwix-desktop.profile b/etc/profile-a-l/kiwix-desktop.profile
index 2e369b945..9f41f41db 100644
--- a/etc/profile-a-l/kiwix-desktop.profile
+++ b/etc/profile-a-l/kiwix-desktop.profile
@@ -27,13 +27,13 @@ apparmor
27caps.drop all 27caps.drop all
28ipc-namespace 28ipc-namespace
29netfilter 29netfilter
30# no3d 30#no3d
31nodvd 31nodvd
32nogroups 32nogroups
33noinput 33noinput
34nonewprivs 34nonewprivs
35noroot 35noroot
36# nosound 36#nosound
37notv 37notv
38nou2f 38nou2f
39novideo 39novideo
@@ -49,4 +49,4 @@ private-tmp
49dbus-user none 49dbus-user none
50dbus-system none 50dbus-system none
51 51
52# restrict-namespaces 52#restrict-namespaces
diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile
index 9724f4963..20d2c01d6 100644
--- a/etc/profile-a-l/kmail.profile
+++ b/etc/profile-a-l/kmail.profile
@@ -41,7 +41,7 @@ include disable-programs.inc
41include whitelist-run-common.inc 41include whitelist-run-common.inc
42include whitelist-var-common.inc 42include whitelist-var-common.inc
43 43
44# apparmor 44#apparmor
45caps.drop all 45caps.drop all
46netfilter 46netfilter
47nodvd 47nodvd
@@ -56,11 +56,11 @@ novideo
56protocol unix,inet,inet6,netlink 56protocol unix,inet,inet6,netlink
57# we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls 57# we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls
58seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set 58seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set
59# tracelog 59#tracelog
60 60
61private-dev 61private-dev
62# private-tmp - interrupts connection to akonadi, breaks opening of email attachments 62#private-tmp # interrupts connection to akonadi, breaks opening of email attachments
63# writable-run-user is needed for signing and encrypting emails 63# writable-run-user is needed for signing and encrypting emails
64writable-run-user 64writable-run-user
65 65
66# restrict-namespaces 66#restrict-namespaces
diff --git a/etc/profile-a-l/kmplayer.profile b/etc/profile-a-l/kmplayer.profile
index 992b312ee..7615f00c4 100644
--- a/etc/profile-a-l/kmplayer.profile
+++ b/etc/profile-a-l/kmplayer.profile
@@ -33,7 +33,7 @@ nou2f
33protocol unix,inet,inet6,netlink 33protocol unix,inet,inet6,netlink
34seccomp 34seccomp
35 35
36# private-bin kmplayer,mplayer 36#private-bin kmplayer,mplayer
37private-cache 37private-cache
38private-dev 38private-dev
39private-tmp 39private-tmp
diff --git a/etc/profile-a-l/konversation.profile b/etc/profile-a-l/konversation.profile
index e4781fea3..10a823c89 100644
--- a/etc/profile-a-l/konversation.profile
+++ b/etc/profile-a-l/konversation.profile
@@ -42,5 +42,5 @@ private-cache
42private-dev 42private-dev
43private-tmp 43private-tmp
44 44
45# memory-deny-write-execute 45#memory-deny-write-execute
46restrict-namespaces 46restrict-namespaces
diff --git a/etc/profile-a-l/krita.profile b/etc/profile-a-l/krita.profile
index a04376430..f61bf36a8 100644
--- a/etc/profile-a-l/krita.profile
+++ b/etc/profile-a-l/krita.profile
@@ -28,7 +28,7 @@ include disable-xdg.inc
28apparmor 28apparmor
29caps.drop all 29caps.drop all
30ipc-namespace 30ipc-namespace
31# net none 31#net none
32netfilter 32netfilter
33nodvd 33nodvd
34nogroups 34nogroups
@@ -46,7 +46,7 @@ private-cache
46private-dev 46private-dev
47private-tmp 47private-tmp
48 48
49# dbus-user none 49#dbus-user none
50# dbus-system none 50#dbus-system none
51 51
52restrict-namespaces 52restrict-namespaces
diff --git a/etc/profile-a-l/krunner.profile b/etc/profile-a-l/krunner.profile
index a0244ef47..8af3657d1 100644
--- a/etc/profile-a-l/krunner.profile
+++ b/etc/profile-a-l/krunner.profile
@@ -10,19 +10,19 @@ include globals.local
10# When a file is opened in krunner, the file viewer runs in its own sandbox 10# When a file is opened in krunner, the file viewer runs in its own sandbox
11# with its own profile, if it is sandboxed automatically. 11# with its own profile, if it is sandboxed automatically.
12 12
13# noblacklist ${HOME}/.cache/krunner 13#noblacklist ${HOME}/.cache/krunner
14# noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite* 14#noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
15# noblacklist ${HOME}/.config/chromium 15#noblacklist ${HOME}/.config/chromium
16noblacklist ${HOME}/.config/krunnerrc 16noblacklist ${HOME}/.config/krunnerrc
17noblacklist ${HOME}/.kde/share/config/krunnerrc 17noblacklist ${HOME}/.kde/share/config/krunnerrc
18noblacklist ${HOME}/.kde4/share/config/krunnerrc 18noblacklist ${HOME}/.kde4/share/config/krunnerrc
19# noblacklist ${HOME}/.local/share/baloo 19#noblacklist ${HOME}/.local/share/baloo
20# noblacklist ${HOME}/.mozilla 20#noblacklist ${HOME}/.mozilla
21 21
22include disable-common.inc 22include disable-common.inc
23# include disable-devel.inc 23#include disable-devel.inc
24# include disable-interpreters.inc 24#include disable-interpreters.inc
25# include disable-programs.inc 25#include disable-programs.inc
26 26
27include whitelist-var-common.inc 27include whitelist-var-common.inc
28 28
@@ -34,6 +34,6 @@ noroot
34protocol unix,inet,inet6 34protocol unix,inet,inet6
35seccomp 35seccomp
36 36
37# private-cache 37#private-cache
38 38
39restrict-namespaces 39restrict-namespaces
diff --git a/etc/profile-a-l/ktorrent.profile b/etc/profile-a-l/ktorrent.profile
index da267b962..63bdc0b83 100644
--- a/etc/profile-a-l/ktorrent.profile
+++ b/etc/profile-a-l/ktorrent.profile
@@ -62,9 +62,9 @@ seccomp
62 62
63private-bin kbuildsycoca4,kdeinit4,ktmagnetdownloader,ktorrent,ktupnptest 63private-bin kbuildsycoca4,kdeinit4,ktmagnetdownloader,ktorrent,ktupnptest
64private-dev 64private-dev
65# private-lib - problems on Arch 65#private-lib # problems on Arch
66private-tmp 66private-tmp
67 67
68deterministic-shutdown 68deterministic-shutdown
69# memory-deny-write-execute 69#memory-deny-write-execute
70restrict-namespaces 70restrict-namespaces
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
index 82336969d..1f8757edb 100644
--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -65,7 +65,7 @@ protocol unix,inet,inet6
65seccomp 65seccomp
66tracelog 66tracelog
67 67
68# disable-mnt 68#disable-mnt
69# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg 69# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
70private-bin kube,sink_synchronizer 70private-bin kube,sink_synchronizer
71private-cache 71private-cache
diff --git a/etc/profile-a-l/kwin_x11.profile b/etc/profile-a-l/kwin_x11.profile
index 589811643..da430377e 100644
--- a/etc/profile-a-l/kwin_x11.profile
+++ b/etc/profile-a-l/kwin_x11.profile
@@ -5,7 +5,7 @@ include kwin_x11.local
5# Persistent global definitions 5# Persistent global definitions
6include globals.local 6include globals.local
7 7
8# fix automatical kwin_x11 sandboxing: 8# fix automatic kwin_x11 sandboxing:
9# echo KDEWM=kwin_x11 >> ~/.pam_environment 9# echo KDEWM=kwin_x11 >> ~/.pam_environment
10 10
11noblacklist ${HOME}/.cache/kwin 11noblacklist ${HOME}/.cache/kwin
diff --git a/etc/profile-a-l/kwrite.profile b/etc/profile-a-l/kwrite.profile
index 34fe2ace6..efc6b7c56 100644
--- a/etc/profile-a-l/kwrite.profile
+++ b/etc/profile-a-l/kwrite.profile
@@ -29,14 +29,14 @@ include whitelist-var-common.inc
29 29
30apparmor 30apparmor
31caps.drop all 31caps.drop all
32# net none 32#net none
33netfilter 33netfilter
34nodvd 34nodvd
35nogroups 35nogroups
36noinput 36noinput
37nonewprivs 37nonewprivs
38noroot 38noroot
39# nosound - KWrite is using ALSA! 39#nosound # KWrite is using ALSA!
40notv 40notv
41nou2f 41nou2f
42novideo 42novideo
@@ -49,8 +49,8 @@ private-dev
49private-etc @x11 49private-etc @x11
50private-tmp 50private-tmp
51 51
52# dbus-user none 52#dbus-user none
53# dbus-system none 53#dbus-system none
54 54
55restrict-namespaces 55restrict-namespaces
56join-or-start kwrite 56join-or-start kwrite
diff --git a/etc/profile-a-l/less.profile b/etc/profile-a-l/less.profile
index 6efe23ade..661c0594a 100644
--- a/etc/profile-a-l/less.profile
+++ b/etc/profile-a-l/less.profile
@@ -36,8 +36,8 @@ x11 none
36 36
37# The user can have a custom coloring script configured in ${HOME}/.lessfilter. 37# The user can have a custom coloring script configured in ${HOME}/.lessfilter.
38# Enable private-bin and private-lib if you are not using any filter. 38# Enable private-bin and private-lib if you are not using any filter.
39# private-bin less 39#private-bin less
40# private-lib 40#private-lib
41private-cache 41private-cache
42private-dev 42private-dev
43writable-var-log 43writable-var-log
diff --git a/etc/profile-a-l/lettura.profile b/etc/profile-a-l/lettura.profile
new file mode 100644
index 000000000..94a455355
--- /dev/null
+++ b/etc/profile-a-l/lettura.profile
@@ -0,0 +1,76 @@
1# Firejail profile for lettura
2# Description: Another free and open-source feed reader
3# This file is overwritten after every install/update
4# Persistent local customizations
5include lettura.local
6# Persistent global definitions
7include globals.local
8
9noblacklist ${HOME}/.cache/lettura
10noblacklist ${HOME}/.config/com.lettura.dev
11noblacklist ${HOME}/.lettura
12noblacklist ${HOME}/.local/share/com.lettura.dev
13
14include disable-common.inc
15include disable-devel.inc
16include disable-exec.inc
17include disable-interpreters.inc
18include disable-proc.inc
19include disable-programs.inc
20include disable-shell.inc
21include disable-xdg.inc
22
23mkdir ${HOME}/.cache/lettura
24mkdir ${HOME}/.config/com.lettura.dev
25mkdir ${HOME}/.lettura
26mkdir ${HOME}/.local/share/com.lettura.dev
27whitelist ${HOME}/.cache/lettura
28whitelist ${HOME}/.config/com.lettura.dev
29whitelist ${HOME}/.lettura
30whitelist ${HOME}/.local/share/com.lettura.dev
31whitelist ${DOWNLOADS}
32include whitelist-common.inc
33include whitelist-run-common.inc
34include whitelist-runuser-common.inc
35include whitelist-usr-share-common.inc
36include whitelist-var-common.inc
37
38# The lines below are needed to find the default Firefox profile name, to allow
39# opening links in an existing instance of Firefox (note that it still fails if
40# there isn't a Firefox instance running with the default profile; see #5352)
41noblacklist ${HOME}/.mozilla
42whitelist ${HOME}/.mozilla/firefox/profiles.ini
43
44apparmor
45caps.drop all
46netfilter
47nodvd
48nogroups
49noinput
50nonewprivs
51noprinters
52noroot
53#nosound
54notv
55nou2f
56novideo
57protocol unix,inet,inet6
58seccomp
59seccomp.block-secondary
60tracelog
61
62disable-mnt
63private-bin lettura
64private-cache
65private-dev
66private-etc @network,@sound,@tls-ca,@x11,mime.types
67private-tmp
68
69dbus-user filter
70dbus-user.talk org.freedesktop.Notifications
71?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
72# allow D-Bus communication with firefox for opening links
73dbus-user.talk org.mozilla.*
74dbus-system none
75
76restrict-namespaces
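Review bot: `dbus-user.talk org.mozilla.*` grants talk access to every session-bus name under `org.mozilla.`, which is broader than the Firefox link-opening the comment above it describes; if Firefox's well-known name is the only one needed, `dbus-user.talk org.mozilla.firefox.*` would be the narrower rule — confirm against the name Firefox actually registers. The commented-out `#nosound` carries no reason, unlike the `#command # reason` convention this commit applies elsewhere; either state why sound is left enabled (which also justifies `@sound` in `private-etc`) or drop the line.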
diff --git a/etc/profile-a-l/liferea.profile b/etc/profile-a-l/liferea.profile
index b0e9015ee..739d2cc1e 100644
--- a/etc/profile-a-l/liferea.profile
+++ b/etc/profile-a-l/liferea.profile
@@ -33,13 +33,13 @@ include whitelist-var-common.inc
33 33
34caps.drop all 34caps.drop all
35netfilter 35netfilter
36# no3d 36#no3d
37nodvd 37nodvd
38nogroups 38nogroups
39noinput 39noinput
40nonewprivs 40nonewprivs
41noroot 41noroot
42# nosound 42#nosound
43notv 43notv
44nou2f 44nou2f
45novideo 45novideo
diff --git a/etc/profile-a-l/links-common.profile b/etc/profile-a-l/links-common.profile
index 838d619b7..636560789 100644
--- a/etc/profile-a-l/links-common.profile
+++ b/etc/profile-a-l/links-common.profile
@@ -52,7 +52,7 @@ private-cache
52private-dev 52private-dev
53private-etc @tls-ca 53private-etc @tls-ca
54# Add the next line to your links-common.local to allow external media players. 54# Add the next line to your links-common.local to allow external media players.
55# private-etc alsa,asound.conf,machine-id,openal,pulse 55#private-etc alsa,asound.conf,machine-id,openal,pulse
56private-tmp 56private-tmp
57 57
58dbus-user none 58dbus-user none
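--- a/etc/profile-a-l/linuxqq.profile
+++ b/etc/profile-a-l/linuxqq.profile
@@ -17,6 +17,7 @@ mkdir ${HOME}/.config/QQ
 whitelist ${HOME}/.config/QQ
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
 whitelist ${DESKTOP}
+whitelist /opt/QQ
 
 ignore apparmor
 noprinters
@@ -24,7 +25,6 @@ noprinters
 # If you don't need/want to save anything to disk you can add `private` to your linuxqq.local.
 #private
 private-etc @tls-ca,@x11,host.conf,os-release
-private-opt QQ
 
 dbus-user filter
 dbus-user.talk org.freedesktop.Notifications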
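Review bot: The new `whitelist /opt/QQ` replaces `private-opt QQ` without a comment recording why, and the same swap is made in the notable, nuclear, ocenaudio and palemoon sections of this commit. If the reason is the private-opt file-copy limit that the microsoft-edge-beta comment ties to #5307, a line above the whitelist such as `# whitelist instead of private-opt to avoid the file-copy-limit (see #5307)` keeps that rationale with the profile. One behavioural difference worth noting: a whitelist entry whose path is absent on the host is skipped, so /opt stays unrestricted on installs that put QQ elsewhere, whereas private-opt presumably always set up a private /opt. In palemoon the replaced line was commented out (`#private-opt palemoon`), so the new whitelist is an active tightening there rather than a like-for-like swap.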
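--- a/etc/profile-a-l/lobster.profile
+++ b/etc/profile-a-l/lobster.profile
@@ -17,6 +17,7 @@ noblacklist ${HOME}/.config/ueberzugpp
 noblacklist ${HOME}/.local/share/applications/lobster
 noblacklist ${HOME}/.local/share/lobster
 noblacklist ${PATH}/openssl
+noblacklist ${PATH}/patch
 
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc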
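Review bot: `noblacklist ${PATH}/patch` re-exposes a tool that rewrites files inside the sandbox, and nothing in the hunk says which lobster feature needs it. A comment next to the line naming that feature, along the lines of `# patch is needed for <feature - confirm>`, would let a later reviewer judge whether the exposure is still required, in the same way the allow-bin-sh include just below explains itself. The noblacklist block this line joins starts before the hunk.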
diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile
index 2658c5373..c3497c3bd 100644
--- a/etc/profile-a-l/lutris.profile
+++ b/etc/profile-a-l/lutris.profile
@@ -13,7 +13,7 @@ noblacklist ${HOME}/.cache/wine
13noblacklist ${HOME}/.cache/winetricks 13noblacklist ${HOME}/.cache/winetricks
14noblacklist ${HOME}/.config/lutris 14noblacklist ${HOME}/.config/lutris
15noblacklist ${HOME}/.local/share/lutris 15noblacklist ${HOME}/.local/share/lutris
16# noblacklist ${HOME}/.wine 16#noblacklist ${HOME}/.wine
17noblacklist /tmp/.wine-* 17noblacklist /tmp/.wine-*
18# Don't block access to /sbin and /usr/sbin to allow using ldconfig. Otherwise 18# Don't block access to /sbin and /usr/sbin to allow using ldconfig. Otherwise
19# Lutris won't even start. 19# Lutris won't even start.
@@ -39,7 +39,7 @@ mkdir ${HOME}/.cache/wine
39mkdir ${HOME}/.cache/winetricks 39mkdir ${HOME}/.cache/winetricks
40mkdir ${HOME}/.config/lutris 40mkdir ${HOME}/.config/lutris
41mkdir ${HOME}/.local/share/lutris 41mkdir ${HOME}/.local/share/lutris
42# mkdir ${HOME}/.wine 42#mkdir ${HOME}/.wine
43whitelist ${DOWNLOADS} 43whitelist ${DOWNLOADS}
44whitelist ${HOME}/Games 44whitelist ${HOME}/Games
45whitelist ${HOME}/.cache/lutris 45whitelist ${HOME}/.cache/lutris
@@ -47,7 +47,7 @@ whitelist ${HOME}/.cache/wine
47whitelist ${HOME}/.cache/winetricks 47whitelist ${HOME}/.cache/winetricks
48whitelist ${HOME}/.config/lutris 48whitelist ${HOME}/.config/lutris
49whitelist ${HOME}/.local/share/lutris 49whitelist ${HOME}/.local/share/lutris
50# whitelist ${HOME}/.wine 50#whitelist ${HOME}/.wine
51whitelist /usr/share/lutris 51whitelist /usr/share/lutris
52whitelist /usr/share/wine 52whitelist /usr/share/wine
53include whitelist-common.inc 53include whitelist-common.inc
@@ -55,11 +55,11 @@ include whitelist-usr-share-common.inc
55include whitelist-runuser-common.inc 55include whitelist-runuser-common.inc
56include whitelist-var-common.inc 56include whitelist-var-common.inc
57 57
58# allow-debuggers 58#allow-debuggers
59# apparmor 59#apparmor
60caps.drop all 60caps.drop all
61ipc-namespace 61ipc-namespace
62# net none 62#net none
63netfilter 63netfilter
64nodvd 64nodvd
65nogroups 65nogroups
diff --git a/etc/profile-a-l/lynx.profile b/etc/profile-a-l/lynx.profile
index caf8de104..248061b3f 100644
--- a/etc/profile-a-l/lynx.profile
+++ b/etc/profile-a-l/lynx.profile
@@ -34,10 +34,10 @@ protocol unix,inet,inet6
34seccomp 34seccomp
35tracelog 35tracelog
36 36
37# private-bin lynx 37#private-bin lynx
38private-cache 38private-cache
39private-dev 39private-dev
40# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl 40#private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
41private-tmp 41private-tmp
42 42
43restrict-namespaces 43restrict-namespaces
diff --git a/etc/profile-a-l/lyx.profile b/etc/profile-a-l/lyx.profile
index c3366acef..d210333c3 100644
--- a/etc/profile-a-l/lyx.profile
+++ b/etc/profile-a-l/lyx.profile
@@ -31,7 +31,7 @@ include whitelist-usr-share-common.inc
31apparmor 31apparmor
32machine-id 32machine-id
33 33
34# private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex 34#private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex
35private-etc @x11,lyx,mime.types,texmf 35private-etc @x11,lyx,mime.types,texmf
36 36
37# Redirect 37# Redirect
diff --git a/etc/profile-m-z/PCSX2.profile b/etc/profile-m-z/PCSX2.profile
index e75de80ac..a6a9ba6bc 100644
--- a/etc/profile-m-z/PCSX2.profile
+++ b/etc/profile-m-z/PCSX2.profile
@@ -40,8 +40,8 @@ notv
40nou2f 40nou2f
41novideo 41novideo
42protocol unix,netlink 42protocol unix,netlink
43#seccomp - breaks loading with no logs 43#seccomp # breaks loading with no logs
44#tracelog - 32/64 bit incompatibility 44#tracelog # 32/64 bit incompatibility
45 45
46private-bin PCSX2 46private-bin PCSX2
47private-cache 47private-cache
diff --git a/etc/profile-m-z/QMediathekView.profile b/etc/profile-m-z/QMediathekView.profile
index 0e18b3cdf..dd5639268 100644
--- a/etc/profile-m-z/QMediathekView.profile
+++ b/etc/profile-m-z/QMediathekView.profile
@@ -57,7 +57,7 @@ include whitelist-var-common.inc
57apparmor 57apparmor
58caps.drop all 58caps.drop all
59netfilter 59netfilter
60# no3d 60#no3d
61nodvd 61nodvd
62nogroups 62nogroups
63noinput 63noinput
@@ -81,5 +81,5 @@ private-tmp
81dbus-user none 81dbus-user none
82dbus-system none 82dbus-system none
83 83
84#memory-deny-write-execute - breaks on Arch (see issue #1803) 84#memory-deny-write-execute # breaks on Arch (see issue #1803)
85restrict-namespaces 85restrict-namespaces
diff --git a/etc/profile-m-z/Viber.profile b/etc/profile-m-z/Viber.profile
index 34d500bb1..fe1f9b877 100644
--- a/etc/profile-m-z/Viber.profile
+++ b/etc/profile-m-z/Viber.profile
@@ -35,4 +35,4 @@ private-bin awk,bash,dig,sh,Viber
35private-etc @tls-ca,@x11,mailcap,proxychains.conf 35private-etc @tls-ca,@x11,mailcap,proxychains.conf
36private-tmp 36private-tmp
37 37
38# restrict-namespaces 38#restrict-namespaces
diff --git a/etc/profile-m-z/Xephyr.profile b/etc/profile-m-z/Xephyr.profile
index 0c3d4c1da..aae1808dd 100644
--- a/etc/profile-m-z/Xephyr.profile
+++ b/etc/profile-m-z/Xephyr.profile
@@ -25,7 +25,7 @@ nogroups
25noinput 25noinput
26nonewprivs 26nonewprivs
27# In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix. 27# In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix.
28# noroot 28#noroot
29nosound 29nosound
30notv 30notv
31nou2f 31nou2f
@@ -35,10 +35,10 @@ seccomp
35disable-mnt 35disable-mnt
36# using a private home directory 36# using a private home directory
37private 37private
38# private-bin sh,Xephyr,xkbcomp 38#private-bin sh,Xephyr,xkbcomp
39# private-bin bash,cat,ls,sh,strace,Xephyr,xkbcomp 39#private-bin bash,cat,ls,sh,strace,Xephyr,xkbcomp
40private-dev 40private-dev
41# private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf 41#private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf
42#private-tmp 42#private-tmp
43 43
44restrict-namespaces 44restrict-namespaces
diff --git a/etc/profile-m-z/Xvfb.profile b/etc/profile-m-z/Xvfb.profile
index 2bb9f171a..052ea520d 100644
--- a/etc/profile-m-z/Xvfb.profile
+++ b/etc/profile-m-z/Xvfb.profile
@@ -39,8 +39,8 @@ seccomp
39disable-mnt 39disable-mnt
40# using a private home directory 40# using a private home directory
41private 41private
42# private-bin sh,xkbcomp,Xvfb 42#private-bin sh,xkbcomp,Xvfb
43# private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb 43#private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb
44private-dev 44private-dev
45private-etc gai.conf,host.conf 45private-etc gai.conf,host.conf
46private-tmp 46private-tmp
diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile
index 266d00395..b6afbad59 100644
--- a/etc/profile-m-z/makepkg.profile
+++ b/etc/profile-m-z/makepkg.profile
@@ -14,8 +14,8 @@ blacklist ${RUNUSER}/wayland-*
14# for potential issues and their solutions when Firejailing makepkg 14# for potential issues and their solutions when Firejailing makepkg
15 15
16# This profile could be significantly strengthened by adding the following to makepkg.local 16# This profile could be significantly strengthened by adding the following to makepkg.local
17# whitelist ${HOME}/<Your Build Folder> 17#whitelist ${HOME}/<Your Build Folder>
18# whitelist ${HOME}/.gnupg 18#whitelist ${HOME}/.gnupg
19 19
20# Enable severely restricted access to ${HOME}/.gnupg 20# Enable severely restricted access to ${HOME}/.gnupg
21noblacklist ${HOME}/.gnupg 21noblacklist ${HOME}/.gnupg
diff --git a/etc/profile-m-z/microsoft-edge-beta.profile b/etc/profile-m-z/microsoft-edge-beta.profile
index 6843c11c7..e07bbe6e5 100644
--- a/etc/profile-m-z/microsoft-edge-beta.profile
+++ b/etc/profile-m-z/microsoft-edge-beta.profile
@@ -14,10 +14,7 @@ mkdir ${HOME}/.cache/microsoft-edge-beta
14mkdir ${HOME}/.config/microsoft-edge-beta 14mkdir ${HOME}/.config/microsoft-edge-beta
15whitelist ${HOME}/.cache/microsoft-edge-beta 15whitelist ${HOME}/.cache/microsoft-edge-beta
16whitelist ${HOME}/.config/microsoft-edge-beta 16whitelist ${HOME}/.config/microsoft-edge-beta
17
18whitelist /opt/microsoft/msedge-beta 17whitelist /opt/microsoft/msedge-beta
19# private-opt might break the file-copy-limit, see #5307
20#private-opt microsoft
21 18
22# Redirect 19# Redirect
23include chromium-common.profile 20include chromium-common.profile
diff --git a/etc/profile-m-z/midori.profile b/etc/profile-m-z/midori.profile
index d1655fabb..fcc4845df 100644
--- a/etc/profile-m-z/midori.profile
+++ b/etc/profile-m-z/midori.profile
@@ -13,8 +13,8 @@ noblacklist ${HOME}/.cache/midori
13noblacklist ${HOME}/.config/midori 13noblacklist ${HOME}/.config/midori
14noblacklist ${HOME}/.local/share/midori 14noblacklist ${HOME}/.local/share/midori
15noblacklist ${HOME}/.local/share/pki 15noblacklist ${HOME}/.local/share/pki
16# noblacklist ${HOME}/.local/share/webkit 16#noblacklist ${HOME}/.local/share/webkit
17# noblacklist ${HOME}/.local/share/webkitgtk 17#noblacklist ${HOME}/.local/share/webkitgtk
18noblacklist ${HOME}/.pki 18noblacklist ${HOME}/.pki
19 19
20noblacklist ${HOME}/.cache/gnome-mplayer 20noblacklist ${HOME}/.cache/gnome-mplayer
@@ -54,7 +54,7 @@ caps.drop all
54netfilter 54netfilter
55nodvd 55nodvd
56nonewprivs 56nonewprivs
57# noroot - problems on Ubuntu 14.04 57#noroot # problems on Ubuntu 14.04
58notv 58notv
59protocol unix,inet,inet6,netlink 59protocol unix,inet,inet6,netlink
60seccomp 60seccomp
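--- a/etc/profile-m-z/mocp.profile
+++ b/etc/profile-m-z/mocp.profile
@@ -10,15 +10,24 @@ include globals.local
 noblacklist ${HOME}/.moc
 noblacklist ${MUSIC}
 
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-include whitelist-usr-share-common.inc
+mkdir ${HOME}/.moc
+whitelist ${HOME}/.moc
+whitelist ${MUSIC}
+include whitelist-common.inc
+include whitelist-run-common.inc
 include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
@@ -30,18 +39,20 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 notv
 nou2f
 novideo
-protocol unix,inet,inet6,netlink
+protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 tracelog
 
 private-bin mocp
 private-cache
 private-dev
-private-etc @tls-ca
+private-etc @network,@tls-ca
 private-tmp
 
 dbus-user none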
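Review bot: With `whitelist ${MUSIC}` and `include whitelist-common.inc` now active, ${MUSIC} is the only media location mocp can see, and the profile gives no hint about extending it. A comment beside the whitelist in the style links-common uses on this page, such as `# Add whitelist lines for other music directories to your mocp.local`, would make the new restriction discoverable before the first "my files are gone" report. Separately, `netlink` is dropped from the protocol line in the same commit that adds it for neochat; since `@network` is added to private-etc precisely so streaming keeps resolving hosts, it is worth confirming that name resolution was tested without netlink rather than assumed.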
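--- a/etc/profile-m-z/mpDris2.profile
+++ b/etc/profile-m-z/mpDris2.profile
@@ -52,7 +52,11 @@ private-etc
 private-lib libdbus-1.so.*,libdbus-glib-1.so.*,libgirepository-1.0.so.*,libnotify.so.*,libpython*,python2*,python3*
 private-tmp
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+dbus-user filter
+dbus-user.own org.mpris.MediaPlayer2.mpd
+dbus-system none
+
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 
 read-only ${HOME}
 restrict-namespaces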
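Review bot: `dbus-user filter` now blocks every user-bus destination except the owned MPRIS name, yet the profile keeps `libnotify.so.*` in private-lib, which indicates mpDris2 sends desktop notifications over org.freedesktop.Notifications. If that feature is still meant to work, add `dbus-user.talk org.freedesktop.Notifications` after the own line; if it is intentionally dropped, a comment saying so would stop the next reader from re-adding it. The `read-only ${HOME}` and `restrict-namespaces` lines below are unchanged context.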
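--- a/etc/profile-m-z/mpd.profile
+++ b/etc/profile-m-z/mpd.profile
@@ -41,4 +41,8 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user filter
+dbus-user.talk org.mpris.MediaPlayer2.mpd
+dbus-system none
+
 restrict-namespaces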
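Review bot: `dbus-system none` will break mpd's zeroconf announcement when mpd is built with Avahi support, because that feature talks to avahi-daemon over the system bus; a comment above the line such as `# zeroconf via Avahi needs the system bus: add ignore dbus-system none (or dbus-system filter + dbus-system.talk org.freedesktop.Avahi) to mpd.local` would save that bug report. It is also unclear why mpd should `talk` to org.mpris.MediaPlayer2.mpd, a name this same commit has mpDris2 own rather than mpd; if mpd itself never acts as a D-Bus client, `dbus-user none` is the tighter and simpler setting.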
diff --git a/etc/profile-m-z/mplayer.profile b/etc/profile-m-z/mplayer.profile
index 7d9ff39ad..bdb9fa51d 100644
--- a/etc/profile-m-z/mplayer.profile
+++ b/etc/profile-m-z/mplayer.profile
@@ -24,9 +24,9 @@ include whitelist-var-common.inc
24 24
25apparmor 25apparmor
26caps.drop all 26caps.drop all
27# net none - mplayer can be used for streaming. 27#net none # mplayer can be used for streaming.
28netfilter 28netfilter
29# nogroups 29#nogroups
30noinput 30noinput
31nonewprivs 31nonewprivs
32noroot 32noroot
diff --git a/etc/profile-m-z/mullvad-browser.profile b/etc/profile-m-z/mullvad-browser.profile
index b9eb57743..6706386aa 100644
--- a/etc/profile-m-z/mullvad-browser.profile
+++ b/etc/profile-m-z/mullvad-browser.profile
@@ -73,13 +73,12 @@ novideo
73protocol unix,inet,inet6 73protocol unix,inet,inet6
74seccomp !chroot 74seccomp !chroot
75seccomp.block-secondary 75seccomp.block-secondary
76#tracelog - may cause issues, see #1930 76#tracelog # may cause issues, see #1930
77 77
78disable-mnt 78disable-mnt
79private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mullvad-browser,mv,python*,rm,sed,sh,tail,tar,tclsh,test,update-desktop-database,xmessage,xz,zenity 79private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mullvad-browser,mv,python*,rm,sed,sh,tail,tar,tclsh,test,update-desktop-database,xmessage,xz,zenity
80private-dev 80private-dev
81private-etc @tls-ca 81private-etc @tls-ca
82#private-opt mullvad-browser - can cause slow startup
83private-tmp 82private-tmp
84 83
85blacklist ${PATH}/curl 84blacklist ${PATH}/curl
diff --git a/etc/profile-m-z/multimc5.profile b/etc/profile-m-z/multimc5.profile
index 73107680c..41f82bd07 100644
--- a/etc/profile-m-z/multimc5.profile
+++ b/etc/profile-m-z/multimc5.profile
@@ -41,12 +41,12 @@ notv
41nou2f 41nou2f
42novideo 42novideo
43protocol unix,inet,inet6 43protocol unix,inet,inet6
44# seccomp 44#seccomp
45 45
46disable-mnt 46disable-mnt
47# private-bin works, but causes weirdness 47# private-bin works, but causes weirdness
48# private-bin apt-file,awk,bash,chmod,dirname,dnf,grep,java,kdialog,ldd,mkdir,multimc5,pfl,pkgfile,readlink,sort,valgrind,which,yum,zenity,zypper 48#private-bin apt-file,awk,bash,chmod,dirname,dnf,grep,java,kdialog,ldd,mkdir,multimc5,pfl,pkgfile,readlink,sort,valgrind,which,yum,zenity,zypper
49private-dev 49private-dev
50private-tmp 50private-tmp
51 51
52# restrict-namespaces 52#restrict-namespaces
diff --git a/etc/profile-m-z/mumble.profile b/etc/profile-m-z/mumble.profile
index ef09e6fca..52dc46800 100644
--- a/etc/profile-m-z/mumble.profile
+++ b/etc/profile-m-z/mumble.profile
@@ -41,5 +41,5 @@ disable-mnt
41private-bin mumble 41private-bin mumble
42private-tmp 42private-tmp
43 43
44#memory-deny-write-execute - breaks on Arch (see issue #1803) 44#memory-deny-write-execute # breaks on Arch (see issue #1803)
45restrict-namespaces 45restrict-namespaces
diff --git a/etc/profile-m-z/musescore.profile b/etc/profile-m-z/musescore.profile
index ca951f70c..b62674ad6 100644
--- a/etc/profile-m-z/musescore.profile
+++ b/etc/profile-m-z/musescore.profile
@@ -37,7 +37,7 @@ protocol unix,inet,inet6
37seccomp !chroot 37seccomp !chroot
38tracelog 38tracelog
39 39
40# private-bin musescore,mscore 40#private-bin musescore,mscore
41private-tmp 41private-tmp
42 42
43# restrict-namespaces 43#restrict-namespaces
diff --git a/etc/profile-m-z/musixmatch.profile b/etc/profile-m-z/musixmatch.profile
index 7ce7fbd19..d67cd24bd 100644
--- a/etc/profile-m-z/musixmatch.profile
+++ b/etc/profile-m-z/musixmatch.profile
@@ -35,4 +35,4 @@ disable-mnt
35private-dev 35private-dev
36private-etc @tls-ca 36private-etc @tls-ca
37 37
38# restrict-namespaces 38#restrict-namespaces
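--- a/etc/profile-m-z/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -13,6 +13,7 @@ noblacklist ${DOCUMENTS}
 noblacklist ${HOME}/.Mail
 noblacklist ${HOME}/.bogofilter
 noblacklist ${HOME}/.cache/mutt
+noblacklist ${HOME}/.config/msmtp
 noblacklist ${HOME}/.config/mutt
 noblacklist ${HOME}/.config/nano
 noblacklist ${HOME}/.elinks
@@ -35,6 +36,7 @@ noblacklist ${HOME}/Mail
 noblacklist ${HOME}/mail
 noblacklist ${HOME}/postponed
 noblacklist ${HOME}/sent
+noblacklist /etc/msmtprc
 
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
@@ -69,6 +71,7 @@ whitelist ${DOWNLOADS}
 whitelist ${HOME}/.Mail
 whitelist ${HOME}/.bogofilter
 whitelist ${HOME}/.cache/mutt
+whitelist ${HOME}/.config/msmtp
 whitelist ${HOME}/.config/mutt
 whitelist ${HOME}/.config/nano
 whitelist ${HOME}/.elinks
@@ -121,10 +124,10 @@ seccomp
 seccomp.block-secondary
 tracelog
 
-# disable-mnt
+#disable-mnt
 private-cache
 private-dev
-private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gai.conf,gnupg,gnutls,hosts.conf,mail,mailname,nntpserver,terminfo
+private-etc @tls-ca,@x11,msmtprc,Mutt,Muttrc,Muttrc.d,gai.conf,gnupg,gnutls,hosts.conf,mail,mailname,nntpserver,terminfo
 private-tmp
 writable-run-user
 writable-var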
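Review bot: msmtp also reads the legacy per-user config `${HOME}/.msmtprc`, which neither the new noblacklist nor the new whitelist lines cover; with whitelisting active that file is hidden and msmtp falls back to the system-wide /etc/msmtprc, so users on the legacy layout end up with a different configuration than they expect. Adding `noblacklist ${HOME}/.msmtprc` and `whitelist ${HOME}/.msmtprc` next to the `.config/msmtp` lines closes the gap; the neomutt hunks in this commit have the same omission. Since an msmtp config usually carries SMTP credentials or a `passwordeval` command, `read-only ${HOME}/.config/msmtp` is also worth considering so a compromised mail client cannot rewrite where outgoing mail goes, provided msmtp is not configured to write its logfile into that directory.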
diff --git a/etc/profile-m-z/nano.profile b/etc/profile-m-z/nano.profile
index 6b4074dfb..ba63b2067 100644
--- a/etc/profile-m-z/nano.profile
+++ b/etc/profile-m-z/nano.profile
@@ -41,7 +41,7 @@ seccomp
41tracelog 41tracelog
42x11 none 42x11 none
43 43
44# disable-mnt 44#disable-mnt
45private-bin nano,rnano 45private-bin nano,rnano
46private-cache 46private-cache
47private-dev 47private-dev
diff --git a/etc/profile-m-z/ncdu.profile b/etc/profile-m-z/ncdu.profile
index 09687199b..5cfd8290a 100644
--- a/etc/profile-m-z/ncdu.profile
+++ b/etc/profile-m-z/ncdu.profile
@@ -29,7 +29,7 @@ seccomp
29x11 none 29x11 none
30 30
31private-dev 31private-dev
32# private-tmp 32#private-tmp
33 33
34dbus-user none 34dbus-user none
35dbus-system none 35dbus-system none
diff --git a/etc/profile-m-z/neochat.profile b/etc/profile-m-z/neochat.profile
index 80e28a5e5..d1a36e079 100644
--- a/etc/profile-m-z/neochat.profile
+++ b/etc/profile-m-z/neochat.profile
@@ -45,7 +45,7 @@ nosound
45notv 45notv
46nou2f 46nou2f
47novideo 47novideo
48protocol unix,inet,inet6 48protocol unix,inet,inet6,netlink
49seccomp 49seccomp
50seccomp.block-secondary 50seccomp.block-secondary
51tracelog 51tracelog
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile
index 5bd1e7cba..b15e98424 100644
--- a/etc/profile-m-z/neomutt.profile
+++ b/etc/profile-m-z/neomutt.profile
@@ -10,6 +10,7 @@ include globals.local
10noblacklist ${DOCUMENTS} 10noblacklist ${DOCUMENTS}
11noblacklist ${HOME}/.Mail 11noblacklist ${HOME}/.Mail
12noblacklist ${HOME}/.bogofilter 12noblacklist ${HOME}/.bogofilter
13noblacklist ${HOME}/.config/msmtp
13noblacklist ${HOME}/.config/mutt 14noblacklist ${HOME}/.config/mutt
14noblacklist ${HOME}/.config/nano 15noblacklist ${HOME}/.config/nano
15noblacklist ${HOME}/.config/neomutt 16noblacklist ${HOME}/.config/neomutt
@@ -34,6 +35,7 @@ noblacklist ${HOME}/Mail
34noblacklist ${HOME}/mail 35noblacklist ${HOME}/mail
35noblacklist ${HOME}/postponed 36noblacklist ${HOME}/postponed
36noblacklist ${HOME}/sent 37noblacklist ${HOME}/sent
38noblacklist /etc/msmtprc
37noblacklist /var/mail 39noblacklist /var/mail
38noblacklist /var/spool/mail 40noblacklist /var/spool/mail
39 41
@@ -59,6 +61,7 @@ whitelist ${DOCUMENTS}
59whitelist ${DOWNLOADS} 61whitelist ${DOWNLOADS}
60whitelist ${HOME}/.Mail 62whitelist ${HOME}/.Mail
61whitelist ${HOME}/.bogofilter 63whitelist ${HOME}/.bogofilter
64whitelist ${HOME}/.config/msmtp
62whitelist ${HOME}/.config/mutt 65whitelist ${HOME}/.config/mutt
63whitelist ${HOME}/.config/nano 66whitelist ${HOME}/.config/nano
64whitelist ${HOME}/.config/neomutt 67whitelist ${HOME}/.config/neomutt
@@ -113,10 +116,10 @@ seccomp
113seccomp.block-secondary 116seccomp.block-secondary
114tracelog 117tracelog
115 118
116# disable-mnt 119#disable-mnt
117private-cache 120private-cache
118private-dev 121private-dev
119private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gnupg,hosts.conf,mail,mailname,neomuttrc,neomuttrc.d,nntpserver 122private-etc @tls-ca,@x11,msmtprc,Mutt,Muttrc,Muttrc.d,gnupg,hosts.conf,mail,mailname,neomuttrc,neomuttrc.d,nntpserver
120private-tmp 123private-tmp
121writable-run-user 124writable-run-user
122writable-var 125writable-var
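--- a/etc/profile-m-z/nicotine.profile
+++ b/etc/profile-m-z/nicotine.profile
@@ -43,7 +43,6 @@ noinput
 nonewprivs
 noprinters
 noroot
-nosound
 notv
 nou2f
 novideo
@@ -57,7 +56,9 @@ private-cache
 private-dev
 private-tmp
 
-dbus-user none
+dbus-user filter
+dbus-user.own org.nicotine_plus.Nicotine
+dbus-user.talk ca.desrt.dconf
 dbus-system none
 
 restrict-namespaces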
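Review bot: `nosound` is removed without a trace, while other profiles on this page keep a commented `#nosound # <reason>` line (orage, for example) so the decision stays visible; `#nosound # Nicotine+ plays notification sounds` would follow that convention if that is indeed the reason, which the hunk does not say. On the D-Bus side the new filter owns the application name and talks to dconf, but desktop notifications, which Nicotine+ presumably emits through GNotification, would additionally need `dbus-user.talk org.freedesktop.Notifications` (and possibly org.gtk.Notifications) to keep working; if that was tested and found unnecessary, a short comment would stop the question from recurring.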
diff --git a/etc/profile-m-z/nitroshare.profile b/etc/profile-m-z/nitroshare.profile
index 7a97ca825..254eb789a 100644
--- a/etc/profile-m-z/nitroshare.profile
+++ b/etc/profile-m-z/nitroshare.profile
@@ -42,11 +42,11 @@ private-bin awk,grep,nitroshare,nitroshare-cli,nitroshare-nmh,nitroshare-send,ni
42private-cache 42private-cache
43private-dev 43private-dev
44private-etc @tls-ca,@x11 44private-etc @tls-ca,@x11
45# private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare 45#private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare
46private-tmp 46private-tmp
47 47
48# dbus-user none 48#dbus-user none
49# dbus-system none 49#dbus-system none
50 50
51# memory-deny-write-execute 51#memory-deny-write-execute
52restrict-namespaces 52restrict-namespaces
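--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -7,7 +7,7 @@ include nodejs-common.local
 # added by caller profile
 #include globals.local
 
-# Note: gulp, node-gyp, npm, npx, semver and yarn are all node scripts
+# Note: gulp, node-gyp, npm, npx, pnpm, pnpx, semver and yarn are all node scripts
 # using the `#!/usr/bin/env node` shebang. By sandboxing node the full
 # node.js stack will be firejailed. The only exception is nvm, which is implemented
 # as a sourced shell function, not an executable binary. Hence it is not
@@ -22,6 +22,7 @@ ignore read-only ${HOME}/.npmrc
 ignore read-only ${HOME}/.nvm
 ignore read-only ${HOME}/.yarnrc
 
+noblacklist ${HOME}/.local/share/pnpm
 noblacklist ${HOME}/.node-gyp
 noblacklist ${HOME}/.npm
 noblacklist ${HOME}/.npmrc
@@ -43,6 +44,7 @@ include disable-xdg.inc
 
 # If you want whitelisting, change ${HOME}/Projects below to your node projects directory
 # and add the next lines to your nodejs-common.local.
+#mkdir ${HOME}/.local/share/pnpm
 #mkdir ${HOME}/.node-gyp
 #mkdir ${HOME}/.npm
 #mkdir ${HOME}/.npm-packages
@@ -52,6 +54,7 @@ include disable-xdg.inc
 #mkdir ${HOME}/.yarn-config
 #mkdir ${HOME}/.yarncache
 #mkfile ${HOME}/.yarnrc
+#whitelist ${HOME}/.local/share/pnpm
 #whitelist ${HOME}/.node-gyp
 #whitelist ${HOME}/.npm
 #whitelist ${HOME}/.npm-packages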
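Review bot: pnpm's default layout is wider than `${HOME}/.local/share/pnpm`: its cache lives in `${HOME}/.cache/pnpm`, its rc file in `${HOME}/.config/pnpm` and its state in `${HOME}/.local/state/pnpm`, so the new noblacklist line and the commented whitelisting template only cover the store and global binaries. Adding matching `noblacklist`, `#mkdir` and `#whitelist` entries for those paths (confirm against the pnpm version being targeted) would keep the commented recipe usable; without them a whitelisted pnpm either rebuilds its cache on every run or cannot see its rc file. Both the noblacklist block and the commented recipe extend beyond the hunks shown.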
diff --git a/etc/profile-m-z/notable.profile b/etc/profile-m-z/notable.profile
index 9fbbf94c0..4bd3d45ac 100644
--- a/etc/profile-m-z/notable.profile
+++ b/etc/profile-m-z/notable.profile
@@ -14,11 +14,12 @@ include globals.local
14noblacklist ${HOME}/.config/Notable 14noblacklist ${HOME}/.config/Notable
15noblacklist ${HOME}/.notable 15noblacklist ${HOME}/.notable
16 16
17whitelist /opt/Notable
18
17net none 19net none
18nosound 20nosound
19 21
20?HAS_APPIMAGE: ignore private-dev 22?HAS_APPIMAGE: ignore private-dev
21private-opt Notable
22 23
23dbus-user filter 24dbus-user filter
24dbus-user.talk ca.desrt.dconf 25dbus-user.talk ca.desrt.dconf
diff --git a/etc/profile-m-z/nuclear.profile b/etc/profile-m-z/nuclear.profile
index dec48c827..6d1e3cd8a 100644
--- a/etc/profile-m-z/nuclear.profile
+++ b/etc/profile-m-z/nuclear.profile
@@ -14,12 +14,12 @@ include disable-shell.inc
14 14
15mkdir ${HOME}/.config/nuclear 15mkdir ${HOME}/.config/nuclear
16whitelist ${HOME}/.config/nuclear 16whitelist ${HOME}/.config/nuclear
17whitelist /opt/nuclear
17 18
18no3d 19no3d
19 20
20# private-bin nuclear 21#private-bin nuclear
21private-etc @tls-ca,@x11,host.conf,mime.types 22private-etc @tls-ca,@x11,host.conf,mime.types
22private-opt nuclear
23 23
24# Redirect 24# Redirect
25include electron-common.profile 25include electron-common.profile
diff --git a/etc/profile-m-z/ocenaudio.profile b/etc/profile-m-z/ocenaudio.profile
index 830483bd4..3fe5a4712 100644
--- a/etc/profile-m-z/ocenaudio.profile
+++ b/etc/profile-m-z/ocenaudio.profile
@@ -25,6 +25,7 @@ whitelist ${HOME}/.cache/ocenaudio
25whitelist ${HOME}/.local/share/ocenaudio 25whitelist ${HOME}/.local/share/ocenaudio
26whitelist ${DOWNLOADS} 26whitelist ${DOWNLOADS}
27whitelist ${MUSIC} 27whitelist ${MUSIC}
28whitelist /opt/ocenaudio
28include whitelist-common.inc 29include whitelist-common.inc
29include whitelist-run-common.inc 30include whitelist-run-common.inc
30include whitelist-runuser-common.inc 31include whitelist-runuser-common.inc
@@ -54,7 +55,6 @@ private-bin ocenaudio,ocenvst
54private-cache 55private-cache
55private-dev 56private-dev
56private-etc @tls-ca,@x11,mime.types 57private-etc @tls-ca,@x11,mime.types
57private-opt ocenaudio
58private-tmp 58private-tmp
59 59
60dbus-user none 60dbus-user none
diff --git a/etc/profile-m-z/okular.profile b/etc/profile-m-z/okular.profile
index 8e0758c37..ac573dc47 100644
--- a/etc/profile-m-z/okular.profile
+++ b/etc/profile-m-z/okular.profile
@@ -44,7 +44,7 @@ include whitelist-var-common.inc
44apparmor 44apparmor
45caps.drop all 45caps.drop all
46machine-id 46machine-id
47# net none 47#net none
48netfilter 48netfilter
49nodvd 49nodvd
50nogroups 50nogroups
@@ -62,12 +62,13 @@ tracelog
62private-bin kbuildsycoca4,kdeinit4,lpr,okular,unar,unrar 62private-bin kbuildsycoca4,kdeinit4,lpr,okular,unar,unrar
63private-dev 63private-dev
64private-etc @x11,cups 64private-etc @x11,cups
65# private-tmp - on KDE we need access to the real /tmp for data exchange with email clients 65# on KDE we need access to the real /tmp for data exchange with email clients
66#private-tmp
66 67
67# dbus-user none 68#dbus-user none
68# dbus-system none 69#dbus-system none
69 70
70# memory-deny-write-execute 71#memory-deny-write-execute
71 72
72restrict-namespaces 73restrict-namespaces
73join-or-start okular 74join-or-start okular
diff --git a/etc/profile-m-z/onionshare-gui.profile b/etc/profile-m-z/onionshare-gui.profile
index 47ac9fc05..3338cadf5 100644
--- a/etc/profile-m-z/onionshare-gui.profile
+++ b/etc/profile-m-z/onionshare-gui.profile
@@ -50,7 +50,7 @@ novideo
50protocol unix,inet,inet6 50protocol unix,inet,inet6
51seccomp 51seccomp
52seccomp.block-secondary 52seccomp.block-secondary
53#tracelog - may cause issues, see #1930 53#tracelog # may cause issues, see #1930
54 54
55disable-mnt 55disable-mnt
56private-bin onionshare,onionshare-cli,onionshare-gui,python*,tor* 56private-bin onionshare,onionshare-cli,onionshare-gui,python*,tor*
diff --git a/etc/profile-m-z/openclonk.profile b/etc/profile-m-z/openclonk.profile
index 3449ac686..e10f6011b 100644
--- a/etc/profile-m-z/openclonk.profile
+++ b/etc/profile-m-z/openclonk.profile
@@ -24,7 +24,7 @@ include whitelist-var-common.inc
24apparmor 24apparmor
25caps.drop all 25caps.drop all
26ipc-namespace 26ipc-namespace
27# net none - networked game 27#net none # networked game
28netfilter 28netfilter
29nodvd 29nodvd
30nogroups 30nogroups
diff --git a/etc/profile-m-z/orage.profile b/etc/profile-m-z/orage.profile
index fa16c05e2..c4849b958 100644
--- a/etc/profile-m-z/orage.profile
+++ b/etc/profile-m-z/orage.profile
@@ -24,7 +24,7 @@ nogroups
24noinput 24noinput
25nonewprivs 25nonewprivs
26noroot 26noroot
27# nosound - calendar application, It must be able to play sound to wake you up. 27#nosound # calendar application, It must be able to play sound to wake you up.
28notv 28notv
29nou2f 29nou2f
30novideo 30novideo
diff --git a/etc/profile-m-z/otter-browser.profile b/etc/profile-m-z/otter-browser.profile
index a1c0462ba..76d4a2c52 100644
--- a/etc/profile-m-z/otter-browser.profile
+++ b/etc/profile-m-z/otter-browser.profile
@@ -57,4 +57,4 @@ private-tmp
57 57
58dbus-system none 58dbus-system none
59 59
60# restrict-namespaces 60#restrict-namespaces
diff --git a/etc/profile-m-z/palemoon.profile b/etc/profile-m-z/palemoon.profile
index ab4e24595..8917a9bc5 100644
--- a/etc/profile-m-z/palemoon.profile
+++ b/etc/profile-m-z/palemoon.profile
@@ -12,6 +12,7 @@ mkdir ${HOME}/.cache/moonchild productions/pale moon
12mkdir ${HOME}/.moonchild productions 12mkdir ${HOME}/.moonchild productions
13whitelist ${HOME}/.cache/moonchild productions/pale moon 13whitelist ${HOME}/.cache/moonchild productions/pale moon
14whitelist ${HOME}/.moonchild productions 14whitelist ${HOME}/.moonchild productions
15whitelist /opt/palemoon
15whitelist /usr/share/moonchild productions 16whitelist /usr/share/moonchild productions
16whitelist /usr/share/palemoon 17whitelist /usr/share/palemoon
17 18
@@ -22,7 +23,6 @@ ignore seccomp
22#private-bin palemoon 23#private-bin palemoon
23# private-etc must first be enabled in firefox-common.profile 24# private-etc must first be enabled in firefox-common.profile
24#private-etc palemoon 25#private-etc palemoon
25#private-opt palemoon
26 26
27restrict-namespaces 27restrict-namespaces
28ignore restrict-namespaces 28ignore restrict-namespaces
diff --git a/etc/profile-m-z/patch.profile b/etc/profile-m-z/patch.profile
index 5a0f69f79..23e734b43 100644
--- a/etc/profile-m-z/patch.profile
+++ b/etc/profile-m-z/patch.profile
@@ -10,6 +10,7 @@ include globals.local
10blacklist ${RUNUSER} 10blacklist ${RUNUSER}
11 11
12noblacklist ${DOCUMENTS} 12noblacklist ${DOCUMENTS}
13noblacklist ${PATH}/patch
13 14
14include disable-common.inc 15include disable-common.inc
15include disable-devel.inc 16include disable-devel.inc
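Review bot: The new `noblacklist ${PATH}/patch` on line 13 gives no hint of which include blacklists the binary, so the next reader has to grep the disable-*.inc files to know whether the line is still needed. A short trailing comment naming the source would help, e.g. `noblacklist ${PATH}/patch # blacklisted in disable-devel.inc` — I am guessing the include from the file name, so confirm before writing it. The same applies to `noblacklist ${PATH}/ssmtp` added to ssmtp.profile further down in this commit. Both lines are correctly placed before the `include disable-*.inc` lines, as a noblacklist has to precede the blacklist it overrides.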
diff --git a/etc/profile-m-z/pavucontrol-qt.profile b/etc/profile-m-z/pavucontrol-qt.profile
index f96ba14d2..79ed8777d 100644
--- a/etc/profile-m-z/pavucontrol-qt.profile
+++ b/etc/profile-m-z/pavucontrol-qt.profile
@@ -9,8 +9,9 @@ include pavucontrol-qt.local
9 9
10noblacklist ${HOME}/.config/pavucontrol-qt 10noblacklist ${HOME}/.config/pavucontrol-qt
11 11
12mkdir ${HOME}/.config/pavucontrol-qt 12# whitelisting in ${HOME} is broken, see #3112
13whitelist ${HOME}/.config/pavucontrol-qt 13#mkdir ${HOME}/.config/pavucontrol-qt
14#whitelist ${HOME}/.config/pavucontrol-qt
14 15
15private-bin pavucontrol-qt 16private-bin pavucontrol-qt
16ignore private-lib 17ignore private-lib
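Review bot: Commenting out `whitelist ${HOME}/.config/pavucontrol-qt` on new line 14 may widen the sandbox rather than only work around #3112: if no other `whitelist ${HOME}/…` line remains in the profile (the rest of the file is outside the hunk), ${HOME} stops being whitelisted altogether and the application sees the whole home directory minus the disable-*.inc blacklists, where before it saw only its own config directory. The retained `noblacklist ${HOME}/.config/pavucontrol-qt` on line 10 suggests the disable-programs.inc blacklists are the intended fallback, but the comment should say so explicitly. I would extend the new comment on line 12 to `# whitelisting in ${HOME} is broken, see #3112; without it the whole ${HOME} (minus blacklists) is visible`.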
diff --git a/etc/profile-m-z/pidgin.profile b/etc/profile-m-z/pidgin.profile
index a852a2a18..5bc0bd700 100644
--- a/etc/profile-m-z/pidgin.profile
+++ b/etc/profile-m-z/pidgin.profile
@@ -40,7 +40,7 @@ protocol unix,inet,inet6,netlink
40seccomp 40seccomp
41tracelog 41tracelog
42 42
43# private-bin pidgin 43#private-bin pidgin
44private-cache 44private-cache
45private-dev 45private-dev
46private-tmp 46private-tmp
diff --git a/etc/profile-m-z/ping.profile b/etc/profile-m-z/ping.profile
index d563064e1..c3aa0a501 100644
--- a/etc/profile-m-z/ping.profile
+++ b/etc/profile-m-z/ping.profile
@@ -55,7 +55,7 @@ tracelog
55 55
56disable-mnt 56disable-mnt
57private 57private
58#private-bin ping - has mammoth problems with execvp: "No such file or directory" 58#private-bin ping # has mammoth problems with execvp: "No such file or directory"
59private-cache 59private-cache
60private-dev 60private-dev
61private-etc @tls-ca 61private-etc @tls-ca
diff --git a/etc/profile-m-z/pluma.profile b/etc/profile-m-z/pluma.profile
index efcdaa661..6e56208d5 100644
--- a/etc/profile-m-z/pluma.profile
+++ b/etc/profile-m-z/pluma.profile
@@ -21,10 +21,10 @@ include disable-shell.inc
21 21
22include whitelist-var-common.inc 22include whitelist-var-common.inc
23 23
24# apparmor - makes settings immutable 24#apparmor # makes settings immutable
25caps.drop all 25caps.drop all
26machine-id 26machine-id
27# net none - makes settings immutable 27#net none # makes settings immutable
28no3d 28no3d
29nodvd 29nodvd
30nogroups 30nogroups
@@ -45,8 +45,8 @@ private-lib aspell,gconv,libgspell-1.so.*,libreadline.so.*,libtinfo.so.*,pluma
45private-tmp 45private-tmp
46 46
47# makes settings immutable 47# makes settings immutable
48# dbus-user none 48#dbus-user none
49# dbus-system none 49#dbus-system none
50 50
51restrict-namespaces 51restrict-namespaces
52join-or-start pluma 52join-or-start pluma
diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile
index 34e18cbd7..38fa01553 100644
--- a/etc/profile-m-z/plv.profile
+++ b/etc/profile-m-z/plv.profile
@@ -53,7 +53,7 @@ writable-var-log
53dbus-user none 53dbus-user none
54dbus-system none 54dbus-system none
55 55
56#memory-deny-write-execute - breaks opening file-chooser 56#memory-deny-write-execute # breaks opening file-chooser
57read-only ${HOME} 57read-only ${HOME}
58read-write ${HOME}/.config/PacmanLogViewer 58read-write ${HOME}/.config/PacmanLogViewer
59read-only /var/log/pacman.log 59read-only /var/log/pacman.log
diff --git a/etc/profile-m-z/pnpm.profile b/etc/profile-m-z/pnpm.profile
new file mode 100644
index 000000000..08f88be43
--- /dev/null
+++ b/etc/profile-m-z/pnpm.profile
@@ -0,0 +1,11 @@
1# Firejail profile for pnpm
2# Description: Fast, disk space efficient package manager
3quiet
4# This file is overwritten after every install/update
5# Persistent local customizations
6include pnpm.local
7# Persistent global definitions
8include globals.local
9
10# Redirect
11include nodejs-common.profile
diff --git a/etc/profile-m-z/pnpx.profile b/etc/profile-m-z/pnpx.profile
new file mode 100644
index 000000000..a99d1232a
--- /dev/null
+++ b/etc/profile-m-z/pnpx.profile
@@ -0,0 +1,11 @@
1# Firejail profile for pnpx
2# Description: Part of the Node.js stack
3quiet
4# This file is overwritten after every install/update
5# Persistent local customizations
6include pnpx.local
7# Persistent global definitions
8include globals.local
9
10# Redirect
11include nodejs-common.profile
diff --git a/etc/profile-m-z/psi-plus.profile b/etc/profile-m-z/psi-plus.profile
index af117c3b5..7a735bba7 100644
--- a/etc/profile-m-z/psi-plus.profile
+++ b/etc/profile-m-z/psi-plus.profile
@@ -43,4 +43,4 @@ disable-mnt
43private-dev 43private-dev
44private-tmp 44private-tmp
45 45
46# restrict-namespaces 46#restrict-namespaces
diff --git a/etc/profile-m-z/psi.profile b/etc/profile-m-z/psi.profile
index a1a0606b9..1417a87c9 100644
--- a/etc/profile-m-z/psi.profile
+++ b/etc/profile-m-z/psi.profile
@@ -62,7 +62,7 @@ novideo
62nou2f 62nou2f
63protocol unix,inet,inet6,netlink 63protocol unix,inet,inet6,netlink
64seccomp !chroot 64seccomp !chroot
65#tracelog - breaks on Arch 65#tracelog # breaks on Arch
66 66
67disable-mnt 67disable-mnt
68# Add the next line to your psi.local to enable GPG support. 68# Add the next line to your psi.local to enable GPG support.
diff --git a/etc/profile-m-z/pycharm-community.profile b/etc/profile-m-z/pycharm-community.profile
index 875b83e8e..fa307fc88 100644
--- a/etc/profile-m-z/pycharm-community.profile
+++ b/etc/profile-m-z/pycharm-community.profile
@@ -34,8 +34,8 @@ nou2f
34novideo 34novideo
35tracelog 35tracelog
36 36
37# private-etc alternatives,fonts,passwd - minimal required to run but will probably break 37# minimum required to run but will probably break the program!
38# program! 38#private-etc alternatives,fonts,passwd
39private-dev 39private-dev
40private-tmp 40private-tmp
41 41
diff --git a/etc/profile-m-z/qbittorrent.profile b/etc/profile-m-z/qbittorrent.profile
index 9605da3ac..ae0a2cdf1 100644
--- a/etc/profile-m-z/qbittorrent.profile
+++ b/etc/profile-m-z/qbittorrent.profile
@@ -55,12 +55,12 @@ seccomp
55 55
56private-bin python*,qbittorrent 56private-bin python*,qbittorrent
57private-dev 57private-dev
58# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl,X11,xdg 58#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl,X11,xdg
59private-tmp 59private-tmp
60 60
61# See https://github.com/netblue30/firejail/issues/3707 for tray-icon 61# See https://github.com/netblue30/firejail/issues/3707 for tray-icon
62dbus-user none 62dbus-user none
63dbus-system none 63dbus-system none
64 64
65# memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo 65#memory-deny-write-execute # problems on Arch, see #1690 on GitHub repo
66restrict-namespaces 66restrict-namespaces
diff --git a/etc/profile-m-z/qmmp.profile b/etc/profile-m-z/qmmp.profile
index ecd62a7d1..66c8f3238 100644
--- a/etc/profile-m-z/qmmp.profile
+++ b/etc/profile-m-z/qmmp.profile
@@ -18,7 +18,7 @@ include disable-xdg.inc
18 18
19caps.drop all 19caps.drop all
20netfilter 20netfilter
21# no3d 21#no3d
22nogroups 22nogroups
23noinput 23noinput
24nonewprivs 24nonewprivs
diff --git a/etc/profile-m-z/qpdfview.profile b/etc/profile-m-z/qpdfview.profile
index 4caa0917f..784d2fafd 100644
--- a/etc/profile-m-z/qpdfview.profile
+++ b/etc/profile-m-z/qpdfview.profile
@@ -41,7 +41,7 @@ private-dev
41private-tmp 41private-tmp
42 42
43# needs D-Bus when started from a file manager 43# needs D-Bus when started from a file manager
44# dbus-user none 44#dbus-user none
45# dbus-system none 45#dbus-system none
46 46
47restrict-namespaces 47restrict-namespaces
diff --git a/etc/profile-m-z/qtox.profile b/etc/profile-m-z/qtox.profile
index ab0f9425a..20c84c5a8 100644
--- a/etc/profile-m-z/qtox.profile
+++ b/etc/profile-m-z/qtox.profile
@@ -48,5 +48,5 @@ private-tmp
48dbus-user none 48dbus-user none
49dbus-system none 49dbus-system none
50 50
51#memory-deny-write-execute - breaks on Arch (see issue #1803) 51#memory-deny-write-execute # breaks on Arch (see issue #1803)
52restrict-namespaces 52restrict-namespaces
diff --git a/etc/profile-m-z/quassel.profile b/etc/profile-m-z/quassel.profile
index 4589c9e4a..4ec990e95 100644
--- a/etc/profile-m-z/quassel.profile
+++ b/etc/profile-m-z/quassel.profile
@@ -25,4 +25,4 @@ seccomp !chroot
25private-cache 25private-cache
26private-tmp 26private-tmp
27 27
28# restrict-namespaces 28#restrict-namespaces
diff --git a/etc/profile-m-z/quiterss.profile b/etc/profile-m-z/quiterss.profile
index a59f01f85..4102b1ea0 100644
--- a/etc/profile-m-z/quiterss.profile
+++ b/etc/profile-m-z/quiterss.profile
@@ -50,6 +50,6 @@ tracelog
50disable-mnt 50disable-mnt
51private-bin quiterss 51private-bin quiterss
52private-dev 52private-dev
53# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl,X11 53#private-etc alternatives,ca-certificates,crypto-policies,pki,ssl,X11
54 54
55restrict-namespaces 55restrict-namespaces
diff --git a/etc/profile-m-z/rpcs3.profile b/etc/profile-m-z/rpcs3.profile
index 405ab818d..603ec8ff4 100644
--- a/etc/profile-m-z/rpcs3.profile
+++ b/etc/profile-m-z/rpcs3.profile
@@ -54,7 +54,8 @@ tracelog
54 54
55disable-mnt 55disable-mnt
56#private-cache 56#private-cache
57#private-etc alternatives,ca-certificates,crypto-policies,machine-id,pki,resolv.conf,ssl # seems to need awk 57# seems to need awk
58#private-etc alternatives,ca-certificates,crypto-policies,machine-id,pki,resolv.conf,ssl
58private-tmp 59private-tmp
59 60
60dbus-user none 61dbus-user none
diff --git a/etc/profile-m-z/rssguard.profile b/etc/profile-m-z/rssguard.profile
index 81381c205..ce455baba 100644
--- a/etc/profile-m-z/rssguard.profile
+++ b/etc/profile-m-z/rssguard.profile
@@ -31,13 +31,13 @@ include whitelist-var-common.inc
31apparmor 31apparmor
32caps.drop all 32caps.drop all
33netfilter 33netfilter
34# no3d 34#no3d
35nodvd 35nodvd
36nogroups 36nogroups
37noinput 37noinput
38nonewprivs 38nonewprivs
39noroot 39noroot
40# nosound 40#nosound
41notv 41notv
42nou2f 42nou2f
43novideo 43novideo
diff --git a/etc/profile-m-z/scribus.profile b/etc/profile-m-z/scribus.profile
index 34cf783fe..8e25375b0 100644
--- a/etc/profile-m-z/scribus.profile
+++ b/etc/profile-m-z/scribus.profile
@@ -55,7 +55,7 @@ protocol unix
55seccomp 55seccomp
56tracelog 56tracelog
57 57
58# private-bin gimp*,gs,scribus 58#private-bin gimp*,gs,scribus
59private-dev 59private-dev
60private-tmp 60private-tmp
61 61
diff --git a/etc/profile-m-z/seamonkey.profile b/etc/profile-m-z/seamonkey.profile
index c2dbbc2c6..1171a52f0 100644
--- a/etc/profile-m-z/seamonkey.profile
+++ b/etc/profile-m-z/seamonkey.profile
@@ -55,7 +55,7 @@ seccomp
55tracelog 55tracelog
56 56
57disable-mnt 57disable-mnt
58# private-etc adobe,alternatives,asound.conf,ca-certificates,crypto-policies,firefox,fonts,group,gtk-2.0,hostname,hosts,iceweasel,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl 58#private-etc adobe,alternatives,asound.conf,ca-certificates,crypto-policies,firefox,fonts,group,gtk-2.0,hostname,hosts,iceweasel,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl
59writable-run-user 59writable-run-user
60 60
61restrict-namespaces 61restrict-namespaces
diff --git a/etc/profile-m-z/server.profile b/etc/profile-m-z/server.profile
index 667f9c557..74587c992 100644
--- a/etc/profile-m-z/server.profile
+++ b/etc/profile-m-z/server.profile
@@ -34,36 +34,36 @@ include globals.local
34noblacklist /sbin 34noblacklist /sbin
35noblacklist /usr/sbin 35noblacklist /usr/sbin
36noblacklist /etc/init.d 36noblacklist /etc/init.d
37# noblacklist /var/opt 37#noblacklist /var/opt
38 38
39blacklist /tmp/.X11-unix 39blacklist /tmp/.X11-unix
40blacklist ${RUNUSER}/wayland-* 40blacklist ${RUNUSER}/wayland-*
41 41
42include disable-common.inc 42include disable-common.inc
43# include disable-devel.inc 43#include disable-devel.inc
44# include disable-exec.inc 44#include disable-exec.inc
45# include disable-interpreters.inc 45#include disable-interpreters.inc
46include disable-programs.inc 46include disable-programs.inc
47include disable-write-mnt.inc 47include disable-write-mnt.inc
48include disable-xdg.inc 48include disable-xdg.inc
49 49
50# include whitelist-runuser-common.inc 50#include whitelist-runuser-common.inc
51# include whitelist-usr-share-common.inc 51#include whitelist-usr-share-common.inc
52# include whitelist-var-common.inc 52#include whitelist-var-common.inc
53 53
54# people use to install servers all over the place! 54# people use to install servers all over the place!
55# apparmor runs executable only from default system locations 55# apparmor runs executable only from default system locations
56# apparmor 56#apparmor
57caps 57caps
58# ipc-namespace 58#ipc-namespace
59machine-id 59machine-id
60# netfilter /etc/firejail/webserver.net 60#netfilter /etc/firejail/webserver.net
61no3d 61no3d
62nodvd 62nodvd
63# nogroups 63#nogroups
64noinput 64noinput
65nonewprivs 65nonewprivs
66# noroot 66#noroot
67nosound 67nosound
68notv 68notv
69nou2f 69nou2f
@@ -74,22 +74,22 @@ tab # allow tab completion
74 74
75disable-mnt 75disable-mnt
76private 76private
77# private-bin program 77#private-bin program
78# private-cache 78#private-cache
79private-dev 79private-dev
80# see /usr/share/doc/firejail/profile.template for more common private-etc paths. 80# see /usr/share/doc/firejail/profile.template for more common private-etc paths.
81# private-etc alternatives 81#private-etc alternatives
82# private-lib 82#private-lib
83# private-opt none 83#private-opt none
84private-tmp 84private-tmp
85# writable-run-user 85#writable-run-user
86# writable-var 86#writable-var
87# writable-var-log 87#writable-var-log
88 88
89dbus-user none 89dbus-user none
90# dbus-system none 90#dbus-system none
91 91
92# deterministic-shutdown 92#deterministic-shutdown
93# memory-deny-write-execute 93#memory-deny-write-execute
94# read-only ${HOME} 94#read-only ${HOME}
95# restrict-namespaces 95#restrict-namespaces
diff --git a/etc/profile-m-z/silentarmy.profile b/etc/profile-m-z/silentarmy.profile
index 96e4cf283..154e29ccf 100644
--- a/etc/profile-m-z/silentarmy.profile
+++ b/etc/profile-m-z/silentarmy.profile
@@ -7,7 +7,7 @@ include globals.local
7 7
8 8
9include disable-common.inc 9include disable-common.inc
10# include disable-devel.inc 10#include disable-devel.inc
11include disable-exec.inc 11include disable-exec.inc
12include disable-interpreters.inc 12include disable-interpreters.inc
13include disable-programs.inc 13include disable-programs.inc
diff --git a/etc/profile-m-z/simple-scan.profile b/etc/profile-m-z/simple-scan.profile
index 14846cf58..f8bcd3c6e 100644
--- a/etc/profile-m-z/simple-scan.profile
+++ b/etc/profile-m-z/simple-scan.profile
@@ -28,15 +28,15 @@ nonewprivs
28noroot 28noroot
29nosound 29nosound
30notv 30notv
31# novideo 31#novideo
32protocol unix,inet,inet6,netlink 32protocol unix,inet,inet6,netlink
33# blacklisting of ioperm system calls breaks simple-scan 33# blacklisting of ioperm system calls breaks simple-scan
34seccomp !ioperm 34seccomp !ioperm
35tracelog 35tracelog
36 36
37# private-bin simple-scan 37#private-bin simple-scan
38# private-dev 38#private-dev
39# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl 39#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
40# private-tmp 40#private-tmp
41 41
42restrict-namespaces 42restrict-namespaces
diff --git a/etc/profile-m-z/simutrans.profile b/etc/profile-m-z/simutrans.profile
index f88ae65c8..995b59538 100644
--- a/etc/profile-m-z/simutrans.profile
+++ b/etc/profile-m-z/simutrans.profile
@@ -33,7 +33,7 @@ novideo
33protocol unix 33protocol unix
34seccomp 34seccomp
35 35
36# private-bin simutrans 36#private-bin simutrans
37private-dev 37private-dev
38private-etc @games,@x11 38private-etc @games,@x11
39private-tmp 39private-tmp
diff --git a/etc/profile-m-z/skanlite.profile b/etc/profile-m-z/skanlite.profile
index 6b73b2289..3b78f7fd2 100644
--- a/etc/profile-m-z/skanlite.profile
+++ b/etc/profile-m-z/skanlite.profile
@@ -22,16 +22,16 @@ nonewprivs
22noroot 22noroot
23nosound 23nosound
24notv 24notv
25# novideo 25#novideo
26protocol unix,inet,inet6,netlink 26protocol unix,inet,inet6,netlink
27# blacklisting of ioperm system calls breaks skanlite 27# blacklisting of ioperm system calls breaks skanlite
28seccomp !ioperm 28seccomp !ioperm
29 29
30# private-bin kbuildsycoca4,kdeinit4,skanlite 30#private-bin kbuildsycoca4,kdeinit4,skanlite
31# private-dev 31#private-dev
32# private-tmp 32#private-tmp
33 33
34# dbus-user none 34#dbus-user none
35# dbus-system none 35#dbus-system none
36 36
37restrict-namespaces 37restrict-namespaces
diff --git a/etc/profile-m-z/smplayer.profile b/etc/profile-m-z/smplayer.profile
index 9dd41fd27..ece191b73 100644
--- a/etc/profile-m-z/smplayer.profile
+++ b/etc/profile-m-z/smplayer.profile
@@ -36,7 +36,7 @@ include whitelist-var-common.inc
36apparmor 36apparmor
37caps.drop all 37caps.drop all
38netfilter 38netfilter
39# nogroups 39#nogroups
40noinput 40noinput
41nonewprivs 41nonewprivs
42noroot 42noroot
@@ -49,7 +49,7 @@ private-dev
49private-tmp 49private-tmp
50 50
51# problems with KDE 51# problems with KDE
52# dbus-user none 52#dbus-user none
53# dbus-system none 53#dbus-system none
54 54
55restrict-namespaces 55restrict-namespaces
diff --git a/etc/profile-m-z/sniffnet.profile b/etc/profile-m-z/sniffnet.profile
index eb18c1f01..940c35b2e 100644
--- a/etc/profile-m-z/sniffnet.profile
+++ b/etc/profile-m-z/sniffnet.profile
@@ -29,8 +29,8 @@ netfilter
29nodvd 29nodvd
30nogroups 30nogroups
31noinput 31noinput
32# nonewprivs - breaks network traffic capture for unprivileged users 32#nonewprivs # breaks network traffic capture for unprivileged users
33# noroot 33#noroot
34notv 34notv
35nou2f 35nou2f
36novideo 36novideo
diff --git a/etc/profile-m-z/sol.profile b/etc/profile-m-z/sol.profile
index e2be4e9e0..07f9b0094 100644
--- a/etc/profile-m-z/sol.profile
+++ b/etc/profile-m-z/sol.profile
@@ -21,13 +21,13 @@ apparmor
21caps.drop all 21caps.drop all
22ipc-namespace 22ipc-namespace
23net none 23net none
24# no3d 24#no3d
25nodvd 25nodvd
26nogroups 26nogroups
27noinput 27noinput
28nonewprivs 28nonewprivs
29noroot 29noroot
30# nosound 30#nosound
31notv 31notv
32nou2f 32nou2f
33novideo 33novideo
@@ -43,5 +43,5 @@ private-tmp
43dbus-user none 43dbus-user none
44dbus-system none 44dbus-system none
45 45
46# memory-deny-write-execute 46#memory-deny-write-execute
47restrict-namespaces 47restrict-namespaces
diff --git a/etc/profile-m-z/sound-juicer.profile b/etc/profile-m-z/sound-juicer.profile
index f5ac6c739..5c5763538 100644
--- a/etc/profile-m-z/sound-juicer.profile
+++ b/etc/profile-m-z/sound-juicer.profile
@@ -38,7 +38,7 @@ private-cache
38private-dev 38private-dev
39private-tmp 39private-tmp
40 40
41# dbus-user none 41#dbus-user none
42# dbus-system none 42#dbus-system none
43 43
44restrict-namespaces 44restrict-namespaces
diff --git a/etc/profile-m-z/spotify.profile b/etc/profile-m-z/spotify.profile
index c893a92fb..63c2c5086 100644
--- a/etc/profile-m-z/spotify.profile
+++ b/etc/profile-m-z/spotify.profile
@@ -26,6 +26,7 @@ whitelist ${HOME}/.cache/spotify
26whitelist ${HOME}/.config/spotify 26whitelist ${HOME}/.config/spotify
27whitelist ${HOME}/.config/spotify-adblock 27whitelist ${HOME}/.config/spotify-adblock
28whitelist ${HOME}/.local/share/spotify 28whitelist ${HOME}/.local/share/spotify
29whitelist /opt/spotify
29include whitelist-common.inc 30include whitelist-common.inc
30include whitelist-var-common.inc 31include whitelist-var-common.inc
31 32
@@ -48,7 +49,6 @@ private-bin bash,cat,dirname,find,grep,head,rm,sh,spotify,tclsh,touch,zenity
48private-dev 49private-dev
49# If you want to see album covers or want to use the radio, add 'ignore private-etc' to your spotify.local. 50# If you want to see album covers or want to use the radio, add 'ignore private-etc' to your spotify.local.
50private-etc @tls-ca,host.conf,spotify-adblock 51private-etc @tls-ca,host.conf,spotify-adblock
51private-opt spotify
52private-srv none 52private-srv none
53private-tmp 53private-tmp
54 54
diff --git a/etc/profile-m-z/sqlitebrowser.profile b/etc/profile-m-z/sqlitebrowser.profile
index ce356367f..013c7ac13 100644
--- a/etc/profile-m-z/sqlitebrowser.profile
+++ b/etc/profile-m-z/sqlitebrowser.profile
@@ -46,8 +46,8 @@ private-etc @tls-ca
46private-tmp 46private-tmp
47 47
48# breaks proxy creation 48# breaks proxy creation
49# dbus-user none 49#dbus-user none
50# dbus-system none 50#dbus-system none
51 51
52#memory-deny-write-execute - breaks on Arch (see issue #1803) 52#memory-deny-write-execute # breaks on Arch (see issue #1803)
53restrict-namespaces 53restrict-namespaces
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index a7956a76e..fde85be64 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -32,10 +32,10 @@ nodvd
32nogroups 32nogroups
33noinput 33noinput
34nonewprivs 34nonewprivs
35# noroot - see issue #1543 35#noroot # see issue #1543
36nosound 36nosound
37notv 37notv
38# nou2f - OpenSSH >= 8.2 supports U2F 38#nou2f # OpenSSH >= 8.2 supports U2F
39novideo 39novideo
40protocol unix,inet,inet6 40protocol unix,inet,inet6
41seccomp 41seccomp
@@ -43,7 +43,7 @@ tracelog
43 43
44private-cache 44private-cache
45private-dev 45private-dev
46# private-tmp # Breaks when exiting 46#private-tmp # Breaks when exiting
47writable-run-user 47writable-run-user
48 48
49dbus-user none 49dbus-user none
diff --git a/etc/profile-m-z/ssmtp.profile b/etc/profile-m-z/ssmtp.profile
index 1a224e7b0..b87f514f9 100644
--- a/etc/profile-m-z/ssmtp.profile
+++ b/etc/profile-m-z/ssmtp.profile
@@ -16,6 +16,7 @@ noblacklist /sbin
16noblacklist /usr/sbin 16noblacklist /usr/sbin
17 17
18noblacklist ${DOCUMENTS} 18noblacklist ${DOCUMENTS}
19noblacklist ${PATH}/ssmtp
19include disable-common.inc 20include disable-common.inc
20include disable-devel.inc 21include disable-devel.inc
21include disable-exec.inc 22include disable-exec.inc
diff --git a/etc/profile-m-z/standardnotes-desktop.profile b/etc/profile-m-z/standardnotes-desktop.profile
index 3fe0963a9..fe4e4b6d7 100644
--- a/etc/profile-m-z/standardnotes-desktop.profile
+++ b/etc/profile-m-z/standardnotes-desktop.profile
@@ -47,4 +47,4 @@ private-etc @tls-ca,@x11,host.conf
47dbus-user none 47dbus-user none
48dbus-system none 48dbus-system none
49 49
50# restrict-namespaces 50#restrict-namespaces
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index 99317c9dc..34cb3631a 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -12,10 +12,12 @@ noblacklist ${HOME}/.config/MangoHud
12noblacklist ${HOME}/.config/ModTheSpire 12noblacklist ${HOME}/.config/ModTheSpire
13noblacklist ${HOME}/.config/RogueLegacy 13noblacklist ${HOME}/.config/RogueLegacy
14noblacklist ${HOME}/.config/RogueLegacyStorageContainer 14noblacklist ${HOME}/.config/RogueLegacyStorageContainer
15noblacklist ${HOME}/.factorio
15noblacklist ${HOME}/.killingfloor 16noblacklist ${HOME}/.killingfloor
16noblacklist ${HOME}/.klei 17noblacklist ${HOME}/.klei
17noblacklist ${HOME}/.local/share/3909/PapersPlease 18noblacklist ${HOME}/.local/share/3909/PapersPlease
18noblacklist ${HOME}/.local/share/aspyr-media 19noblacklist ${HOME}/.local/share/aspyr-media
20noblacklist ${HOME}/.local/share/Baba_Is_You
19noblacklist ${HOME}/.local/share/bohemiainteractive 21noblacklist ${HOME}/.local/share/bohemiainteractive
20noblacklist ${HOME}/.local/share/cdprojektred 22noblacklist ${HOME}/.local/share/cdprojektred
21noblacklist ${HOME}/.local/share/Colossal Order 23noblacklist ${HOME}/.local/share/Colossal Order
@@ -64,10 +66,12 @@ mkdir ${HOME}/.config/MangoHud
64mkdir ${HOME}/.config/ModTheSpire 66mkdir ${HOME}/.config/ModTheSpire
65mkdir ${HOME}/.config/RogueLegacy 67mkdir ${HOME}/.config/RogueLegacy
66mkdir ${HOME}/.config/unity3d 68mkdir ${HOME}/.config/unity3d
69mkdir ${HOME}/.factorio
67mkdir ${HOME}/.killingfloor 70mkdir ${HOME}/.killingfloor
68mkdir ${HOME}/.klei 71mkdir ${HOME}/.klei
69mkdir ${HOME}/.local/share/3909/PapersPlease 72mkdir ${HOME}/.local/share/3909/PapersPlease
70mkdir ${HOME}/.local/share/aspyr-media 73mkdir ${HOME}/.local/share/aspyr-media
74mkdir ${HOME}/.local/share/Baba_Is_You
71mkdir ${HOME}/.local/share/bohemiainteractive 75mkdir ${HOME}/.local/share/bohemiainteractive
72mkdir ${HOME}/.local/share/cdprojektred 76mkdir ${HOME}/.local/share/cdprojektred
73mkdir ${HOME}/.local/share/Colossal Order 77mkdir ${HOME}/.local/share/Colossal Order
@@ -100,10 +104,12 @@ whitelist ${HOME}/.config/ModTheSpire
100whitelist ${HOME}/.config/RogueLegacy 104whitelist ${HOME}/.config/RogueLegacy
101whitelist ${HOME}/.config/RogueLegacyStorageContainer 105whitelist ${HOME}/.config/RogueLegacyStorageContainer
102whitelist ${HOME}/.config/unity3d 106whitelist ${HOME}/.config/unity3d
107whitelist ${HOME}/.factorio
103whitelist ${HOME}/.killingfloor 108whitelist ${HOME}/.killingfloor
104whitelist ${HOME}/.klei 109whitelist ${HOME}/.klei
105whitelist ${HOME}/.local/share/3909/PapersPlease 110whitelist ${HOME}/.local/share/3909/PapersPlease
106whitelist ${HOME}/.local/share/aspyr-media 111whitelist ${HOME}/.local/share/aspyr-media
112whitelist ${HOME}/.local/share/Baba_Is_You
107whitelist ${HOME}/.local/share/bohemiainteractive 113whitelist ${HOME}/.local/share/bohemiainteractive
108whitelist ${HOME}/.local/share/cdprojektred 114whitelist ${HOME}/.local/share/cdprojektred
109whitelist ${HOME}/.local/share/Colossal Order 115whitelist ${HOME}/.local/share/Colossal Order
diff --git a/etc/profile-m-z/subdownloader.profile b/etc/profile-m-z/subdownloader.profile
index 6de288c46..8b5d7e253 100644
--- a/etc/profile-m-z/subdownloader.profile
+++ b/etc/profile-m-z/subdownloader.profile
@@ -49,5 +49,5 @@ private-tmp
49dbus-user none 49dbus-user none
50dbus-system none 50dbus-system none
51 51
52#memory-deny-write-execute - breaks on Arch (see issue #1803) 52#memory-deny-write-execute # breaks on Arch (see issue #1803)
53restrict-namespaces 53restrict-namespaces
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile
index 2ad107f1a..65aea6667 100644
--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -41,7 +41,7 @@ seccomp.block-secondary
41tracelog 41tracelog
42 42
43disable-mnt 43disable-mnt
44# private-bin supertux2 44#private-bin supertux2
45private-cache 45private-cache
46private-etc 46private-etc
47private-dev 47private-dev
diff --git a/etc/profile-m-z/sushi.profile b/etc/profile-m-z/sushi.profile
index 7b6a87b31..728db012e 100644
--- a/etc/profile-m-z/sushi.profile
+++ b/etc/profile-m-z/sushi.profile
@@ -13,7 +13,7 @@ include disable-common.inc
13include disable-devel.inc 13include disable-devel.inc
14include disable-exec.inc 14include disable-exec.inc
15include disable-interpreters.inc 15include disable-interpreters.inc
16# include disable-programs.inc 16#include disable-programs.inc
17include disable-shell.inc 17include disable-shell.inc
18 18
19include whitelist-runuser-common.inc 19include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/sylpheed.profile b/etc/profile-m-z/sylpheed.profile
index 5fb35aa04..7cef394c2 100644
--- a/etc/profile-m-z/sylpheed.profile
+++ b/etc/profile-m-z/sylpheed.profile
@@ -13,7 +13,7 @@ whitelist ${HOME}/.sylpheed-2.0
13 13
14whitelist /usr/share/sylpheed 14whitelist /usr/share/sylpheed
15 15
16# private-bin curl,gpg,gpg2,gpg-agent,gpgsm,pinentry,pinentry-gtk-2,sylpheed 16#private-bin curl,gpg,gpg2,gpg-agent,gpgsm,pinentry,pinentry-gtk-2,sylpheed
17 17
18# Redirect 18# Redirect
19include email-common.profile 19include email-common.profile
diff --git a/etc/profile-m-z/sysprof.profile b/etc/profile-m-z/sysprof.profile
index 726baf336..b0a80fc27 100644
--- a/etc/profile-m-z/sysprof.profile
+++ b/etc/profile-m-z/sysprof.profile
@@ -59,11 +59,11 @@ seccomp
59tracelog 59tracelog
60 60
61disable-mnt 61disable-mnt
62#private-bin sysprof - breaks help menu 62#private-bin sysprof # breaks help menu
63private-cache 63private-cache
64private-dev 64private-dev
65private-etc @tls-ca 65private-etc @tls-ca
66# private-lib - breaks help menu 66#private-lib # breaks help menu
67#private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so 67#private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so
68private-tmp 68private-tmp
69 69
@@ -73,5 +73,5 @@ dbus-user.own org.gnome.Yelp
73dbus-user.own org.gnome.Sysprof3 73dbus-user.own org.gnome.Sysprof3
74dbus-user.talk ca.desrt.dconf 74dbus-user.talk ca.desrt.dconf
75 75
76# memory-deny-write-execute - breaks on Arch 76#memory-deny-write-execute # breaks on Arch
77restrict-namespaces 77restrict-namespaces
diff --git a/etc/profile-m-z/system-log-common.profile b/etc/profile-m-z/system-log-common.profile
new file mode 100644
index 000000000..dda8bdc47
--- /dev/null
+++ b/etc/profile-m-z/system-log-common.profile
@@ -0,0 +1,60 @@
1# Firejail profile for system-log-common
2# Description: Common profile for GUI system log viewers
3# This file is overwritten after every install/update
4# Persistent local customizations
5include system-log-common.local
6# Persistent global definitions
7# added by caller profile
8#include globals.local
9
10include disable-common.inc
11include disable-devel.inc
12include disable-exec.inc
13include disable-interpreters.inc
14include disable-proc.inc
15include disable-programs.inc
16include disable-shell.inc
17include disable-xdg.inc
18
19whitelist /run/log/journal
20whitelist /var/log/journal
21include whitelist-common.inc
22include whitelist-run-common.inc
23include whitelist-runuser-common.inc
24include whitelist-usr-share-common.inc
25include whitelist-var-common.inc
26
27apparmor
28caps.drop all
29ipc-namespace
30net none
31no3d
32nodvd
33#nogroups
34noinput
35nonewprivs
36noprinters
37#noroot
38nosound
39notv
40nou2f
41novideo
42protocol unix
43seccomp
44seccomp.block-secondary
45tracelog
46
47disable-mnt
48private-cache
49private-dev
50private-etc machine-id
51private-tmp
52
53dbus-user none
54dbus-system none
55
56restrict-namespaces
57# Add 'ignore read-only ${HOME}' to your system-log-common.local
58# if you export logs to a file under your ${HOME}.
59read-only ${HOME}
60writable-var-log
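Review bot: `#nogroups` on line 33 and `#noroot` on line 37 are left disabled without the reason that this commit consistently attaches to such lines elsewhere (e.g. `#nonewprivs # breaks network traffic capture …` in sniffnet.profile), which matters here because a reader hardening the profile would otherwise re-enable them. For nogroups the likely reason is that reading the journal requires the systemd-journal supplementary group, so I would write `#nogroups # journal access needs the systemd-journal supplementary group`, and add the corresponding reason for noroot once confirmed. `writable-var-log` on line 60 also deserves a comment: as I understand the option it re-exposes the real /var/log that firejail otherwise replaces with a private one, which is what a log viewer needs, but its name reads like a write-permission grant next to `read-only ${HOME}`; `writable-var-log # expose the real /var/log; firejail mounts a private one otherwise` would make the intent clear. Whether `whitelist /var/log/journal` on line 20 still leaves plain-file logs such as /var/log/syslog visible to viewers that read them is not something I can tell from this hunk.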
diff --git a/etc/profile-m-z/teamspeak3.profile b/etc/profile-m-z/teamspeak3.profile
index 41da4ee13..06b547b3d 100644
--- a/etc/profile-m-z/teamspeak3.profile
+++ b/etc/profile-m-z/teamspeak3.profile
@@ -39,4 +39,4 @@ disable-mnt
39private-dev 39private-dev
40private-tmp 40private-tmp
41 41
42# restrict-namespaces 42#restrict-namespaces
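--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -7,6 +7,7 @@ include globals.local
 
 noblacklist ${HOME}/.TelegramDesktop
 noblacklist ${HOME}/.local/share/TelegramDesktop
+noblacklist ${HOME}/.local/share/telegram-desktop
 
 # Allow opening hyperlinks
 include allow-bin-sh.inc
@@ -21,8 +22,10 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.TelegramDesktop
 mkdir ${HOME}/.local/share/TelegramDesktop
+mkdir ${HOME}/.local/share/telegram-desktop
 whitelist ${HOME}/.TelegramDesktop
 whitelist ${HOME}/.local/share/TelegramDesktop
+whitelist ${HOME}/.local/share/telegram-desktop
 whitelist ${DOWNLOADS}
 whitelist /usr/share/TelegramDesktop
 include whitelist-common.inc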
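--- /dev/null
+++ b/etc/profile-m-z/termshark.profile
@@ -0,0 +1,15 @@
+# Firejail profile for termshark
+# Description: Terminal UI for tshark, inspired by Wireshark
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include termshark.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+# Redirect
+include wireshark.profile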
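Review bot: termshark.profile (and tshark.profile further down in this commit) only adds `blacklist /tmp/.X11-unix` and `blacklist ${RUNUSER}` before redirecting to wireshark.profile, whose hunk in this same commit shows `caps.keep dac_override,dac_read_search,net_admin,net_raw` with `nonewprivs`, `noroot` and `seccomp` commented out; a reader of this 15-line profile cannot see that the effective sandbox is that relaxed. Suggest a comment above the redirect, e.g. `# wireshark.profile keeps net_admin/net_raw and leaves seccomp/nonewprivs off for live capture; see its private-dev note if you only open pcap files`, so users know termshark.local is where to tighten things. The same comment applies to tshark.profile.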
diff --git a/etc/profile-m-z/tesseract.profile b/etc/profile-m-z/tesseract.profile
index 5babfb8d2..c0293406d 100644
--- a/etc/profile-m-z/tesseract.profile
+++ b/etc/profile-m-z/tesseract.profile
@@ -26,6 +26,7 @@ include whitelist-common.inc
26include whitelist-run-common.inc 26include whitelist-run-common.inc
27include whitelist-runuser-common.inc 27include whitelist-runuser-common.inc
28whitelist /usr/share/tessdata 28whitelist /usr/share/tessdata
29whitelist /usr/share/tesseract-ocr
29include whitelist-usr-share-common.inc 30include whitelist-usr-share-common.inc
30include whitelist-var-common.inc 31include whitelist-var-common.inc
31 32
diff --git a/etc/profile-m-z/thunderbird-beta.profile b/etc/profile-m-z/thunderbird-beta.profile
index 46a1e57c8..e01a9d2d8 100644
--- a/etc/profile-m-z/thunderbird-beta.profile
+++ b/etc/profile-m-z/thunderbird-beta.profile
@@ -6,7 +6,7 @@ include thunderbird-beta.local
6# added by included profile 6# added by included profile
7#include globals.local 7#include globals.local
8 8
9private-opt thunderbird-beta 9whitelist /opt/thunderbird-beta
10 10
11# Redirect 11# Redirect
12include thunderbird.profile 12include thunderbird.profile
diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile
index 17e2f0856..979971ac2 100644
--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -35,7 +35,7 @@ whitelist ${HOME}/.mozilla/firefox/profiles.ini
35 35
36noblacklist ${HOME}/.cache/thunderbird 36noblacklist ${HOME}/.cache/thunderbird
37noblacklist ${HOME}/.gnupg 37noblacklist ${HOME}/.gnupg
38# noblacklist ${HOME}/.icedove 38#noblacklist ${HOME}/.icedove
39noblacklist ${HOME}/.thunderbird 39noblacklist ${HOME}/.thunderbird
40 40
41include disable-xdg.inc 41include disable-xdg.inc
@@ -46,11 +46,11 @@ include disable-xdg.inc
46# See https://github.com/netblue30/firejail/issues/2357 46# See https://github.com/netblue30/firejail/issues/2357
47mkdir ${HOME}/.cache/thunderbird 47mkdir ${HOME}/.cache/thunderbird
48mkdir ${HOME}/.gnupg 48mkdir ${HOME}/.gnupg
49# mkdir ${HOME}/.icedove 49#mkdir ${HOME}/.icedove
50mkdir ${HOME}/.thunderbird 50mkdir ${HOME}/.thunderbird
51whitelist ${HOME}/.cache/thunderbird 51whitelist ${HOME}/.cache/thunderbird
52whitelist ${HOME}/.gnupg 52whitelist ${HOME}/.gnupg
53# whitelist ${HOME}/.icedove 53#whitelist ${HOME}/.icedove
54whitelist ${HOME}/.thunderbird 54whitelist ${HOME}/.thunderbird
55 55
56whitelist /usr/share/gnupg 56whitelist /usr/share/gnupg
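--- /dev/null
+++ b/etc/profile-m-z/tidal-hifi.profile
@@ -0,0 +1,39 @@
+# Firejail profile for tidal-hifi
+# Description: The web version of Tidal running in electron with hifi support thanks to widevine.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tidal-hifi.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.config/tidal-hifi
+
+include disable-proc.inc
+include disable-shell.inc
+
+whitelist ${HOME}/.config/tidal-hifi
+
+caps.drop all
+no3d
+nonewprivs
+noprinters
+noroot
+protocol unix,inet,inet6
+seccomp !chroot
+seccomp.block-secondary
+tracelog
+
+private-bin chrome-sandbox,tidal-hifi
+private-etc @network,@sound,@tls-ca,@xdg
+private-opt tidal-hifi
+
+ignore dbus-user none
+dbus-user filter
+dbus-user.own org.mpris.MediaPlayer2.tidal-hifi
+dbus-user.talk org.freedesktop.Notifications
+
+join-or-start tidal-hifi
+
+include electron-common.profile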
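Review bot: Line 30 uses `private-opt tidal-hifi` although this same commit replaces `private-opt` with `whitelist /opt/<app>` in twitch, youtube, youtubemusic-nativefier, tutanota-desktop, thunderbird-beta and xmr-stak; for consistency add `whitelist /opt/tidal-hifi` next to the `${HOME}/.config/tidal-hifi` whitelist and drop line 30. `ignore noexec ${HOME}` on line 9 relaxes the sandbox — presumably it cancels a `noexec ${HOME}` coming from the included electron-common.profile — with no comment saying which part of the app needs executable files under the home directory; the other profiles here give a reason next to every relaxed option. Line 16 also whitelists `${HOME}/.config/tidal-hifi` without the preceding `mkdir ${HOME}/.config/tidal-hifi` that tiny-rdm, twitch and telegram use for their config directories, so on a first run without that directory the whitelist may have nothing to attach to (inferred from the convention, not verified).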
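--- /dev/null
+++ b/etc/profile-m-z/tiny-rdm.profile
@@ -0,0 +1,61 @@
+# Firejail profile for tiny-rdm
+# Description: A Modern Redis GUI Client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tiny-rdm.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/tiny-rdm
+noblacklist ${HOME}/.config/TinyRDM
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-proc.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/tiny-rdm
+mkdir ${HOME}/.config/TinyRDM
+whitelist ${HOME}/.cache/tiny-rdm
+whitelist ${HOME}/.config/TinyRDM
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+notv
+nou2f
+novideo
+nosound
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-bin tiny-rdm
+private-cache
+private-dev
+private-etc @network,@tls-ca,@x11
+private-tmp
+
+dbus-user none
+dbus-system none
+
+restrict-namespaces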
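Review bot: The include order at lines 16–17 puts `include disable-programs.inc` before `include disable-proc.inc`, whereas system-log-common and transgui in this same commit keep the alphabetical order (proc before programs); swap the two lines. Likewise `nosound` at line 45 sits after `novideo` instead of between `noroot` and `notv` as in the sorted runs of the other profiles. Both are style only; the hardening set itself (netfilter, `protocol unix,inet,inet6`, `private-etc @network,@tls-ca,@x11`, both dbus buses off) reads consistently with the rest of the collection.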
diff --git a/etc/profile-m-z/tmux.profile b/etc/profile-m-z/tmux.profile
index a855ff839..ddd2aa85f 100644
--- a/etc/profile-m-z/tmux.profile
+++ b/etc/profile-m-z/tmux.profile
@@ -12,10 +12,10 @@ blacklist ${RUNUSER}
12 12
13noblacklist /tmp/tmux-* 13noblacklist /tmp/tmux-*
14 14
15# include disable-common.inc 15#include disable-common.inc
16# include disable-devel.inc 16#include disable-devel.inc
17# include disable-exec.inc 17#include disable-exec.inc
18# include disable-programs.inc 18#include disable-programs.inc
19 19
20caps.drop all 20caps.drop all
21ipc-namespace 21ipc-namespace
@@ -36,9 +36,9 @@ seccomp
36seccomp.block-secondary 36seccomp.block-secondary
37tracelog 37tracelog
38 38
39# private-cache 39#private-cache
40private-dev 40private-dev
41# private-tmp 41#private-tmp
42 42
43dbus-user none 43dbus-user none
44dbus-system none 44dbus-system none
diff --git a/etc/profile-m-z/torbrowser-launcher.profile b/etc/profile-m-z/torbrowser-launcher.profile
index 86746c7f1..b9fdcf92c 100644
--- a/etc/profile-m-z/torbrowser-launcher.profile
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -56,13 +56,12 @@ novideo
56protocol unix,inet,inet6 56protocol unix,inet,inet6
57seccomp !chroot 57seccomp !chroot
58seccomp.block-secondary 58seccomp.block-secondary
59#tracelog - may cause issues, see #1930 59#tracelog # may cause issues, see #1930
60 60
61disable-mnt 61disable-mnt
62private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity 62private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
63private-dev 63private-dev
64private-etc @tls-ca 64private-etc @tls-ca
65#private-opt tor-browser - can cause slow startup
66private-tmp 65private-tmp
67 66
68dbus-user none 67dbus-user none
diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile
index a4cb49171..73d3b0b6f 100644
--- a/etc/profile-m-z/totem.profile
+++ b/etc/profile-m-z/totem.profile
@@ -35,7 +35,7 @@ include whitelist-runuser-common.inc
35include whitelist-usr-share-common.inc 35include whitelist-usr-share-common.inc
36include whitelist-var-common.inc 36include whitelist-var-common.inc
37 37
38# apparmor - makes settings immutable 38#apparmor # makes settings immutable
39caps.drop all 39caps.drop all
40netfilter 40netfilter
41nogroups 41nogroups
@@ -55,7 +55,7 @@ private-etc @tls-ca,@x11,python*
55private-tmp 55private-tmp
56 56
57# makes settings immutable 57# makes settings immutable
58# dbus-user none 58#dbus-user none
59dbus-system none 59dbus-system none
60 60
61restrict-namespaces 61restrict-namespaces
diff --git a/etc/profile-m-z/tracker.profile b/etc/profile-m-z/tracker.profile
index f30b0aef6..c46b00fc9 100644
--- a/etc/profile-m-z/tracker.profile
+++ b/etc/profile-m-z/tracker.profile
@@ -33,8 +33,8 @@ protocol unix
33seccomp 33seccomp
34tracelog 34tracelog
35 35
36# private-bin tracker 36#private-bin tracker
37# private-dev 37#private-dev
38# private-tmp 38#private-tmp
39 39
40restrict-namespaces 40restrict-namespaces
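--- a/etc/profile-m-z/transgui.profile
+++ b/etc/profile-m-z/transgui.profile
@@ -12,6 +12,7 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -19,7 +20,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/transgui
 whitelist ${HOME}/.config/transgui
 whitelist ${DOWNLOADS}
+whitelist /usr/share/transgui
 include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -44,7 +48,7 @@ tracelog
 private-bin geoiplookup,geoiplookup6,transgui
 private-cache
 private-dev
-private-etc
+private-etc @network,@tls-ca,@x11
 private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*,libX11.so.*
 private-tmp
 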
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile
index 2578eb0be..5e9e7f127 100644
--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -52,7 +52,7 @@ protocol unix,inet,inet6,netlink
52seccomp 52seccomp
53tracelog 53tracelog
54 54
55# disable-mnt 55#disable-mnt
56private-bin trojita 56private-bin trojita
57private-cache 57private-cache
58private-dev 58private-dev
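--- a/etc/profile-m-z/tshark.profile
+++ b/etc/profile-m-z/tshark.profile
@@ -7,5 +7,8 @@ include tshark.local
 # added by included profile
 #include globals.local
 
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
 # Redirect
 include wireshark.profile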
diff --git a/etc/profile-m-z/tutanota-desktop.profile b/etc/profile-m-z/tutanota-desktop.profile
index 55e4a4392..f0a0cacaf 100644
--- a/etc/profile-m-z/tutanota-desktop.profile
+++ b/etc/profile-m-z/tutanota-desktop.profile
@@ -22,6 +22,7 @@ mkdir ${HOME}/.config/tuta_integration
22mkdir ${HOME}/.config/tutanota-desktop 22mkdir ${HOME}/.config/tutanota-desktop
23whitelist ${HOME}/.config/tuta_integration 23whitelist ${HOME}/.config/tuta_integration
24whitelist ${HOME}/.config/tutanota-desktop 24whitelist ${HOME}/.config/tutanota-desktop
25whitelist /opt/tutanota-desktop
25 26
26# The lines below are needed to find the default Firefox profile name, to allow 27# The lines below are needed to find the default Firefox profile name, to allow
27# opening links in an existing instance of Firefox (note that it still fails if 28# opening links in an existing instance of Firefox (note that it still fails if
@@ -34,7 +35,6 @@ nosound
34 35
35?HAS_APPIMAGE: ignore private-dev 36?HAS_APPIMAGE: ignore private-dev
36private-etc @tls-ca 37private-etc @tls-ca
37private-opt tutanota-desktop
38 38
39dbus-user filter 39dbus-user filter
40dbus-user.talk org.freedesktop.Notifications 40dbus-user.talk org.freedesktop.Notifications
diff --git a/etc/profile-m-z/tvbrowser.profile b/etc/profile-m-z/tvbrowser.profile
index 518dc95c7..16162f989 100644
--- a/etc/profile-m-z/tvbrowser.profile
+++ b/etc/profile-m-z/tvbrowser.profile
@@ -1,5 +1,5 @@
1# Firejail profile for tvbrowser 1# Firejail profile for tvbrowser
2# Description: java tv programm form tvbrowser.org 2# Description: java tv program form tvbrowser.org
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4# Persistent local customizations 4# Persistent local customizations
5include tvbrowser.local 5include tvbrowser.local
diff --git a/etc/profile-m-z/twitch.profile b/etc/profile-m-z/twitch.profile
index d53acdaf7..55106d622 100644
--- a/etc/profile-m-z/twitch.profile
+++ b/etc/profile-m-z/twitch.profile
@@ -1,5 +1,5 @@
1# Firejail profile for twitch 1# Firejail profile for twitch
2# Description: Unofficial electron based desktop warpper for Twitch 2# Description: Unofficial electron based desktop wrapper for Twitch
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4# Persistent local customizations 4# Persistent local customizations
5include twitch.local 5include twitch.local
@@ -16,10 +16,10 @@ include disable-shell.inc
16 16
17mkdir ${HOME}/.config/Twitch 17mkdir ${HOME}/.config/Twitch
18whitelist ${HOME}/.config/Twitch 18whitelist ${HOME}/.config/Twitch
19whitelist /opt/Twitch
19 20
20private-bin electron,electron[0-9],electron[0-9][0-9],twitch 21private-bin electron,electron[0-9],electron[0-9][0-9],twitch
21private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types 22private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types
22private-opt Twitch
23 23
24# Redirect 24# Redirect
25include electron-common.profile 25include electron-common.profile
diff --git a/etc/profile-m-z/udiskie.profile b/etc/profile-m-z/udiskie.profile
index c182326bb..175ae4591 100644
--- a/etc/profile-m-z/udiskie.profile
+++ b/etc/profile-m-z/udiskie.profile
@@ -36,8 +36,8 @@ tracelog
36 36
37private-bin awk,cut,dbus-send,egrep,file,grep,head,python*,readlink,sed,sh,udiskie,uname,which,xdg-mime,xdg-open,xprop 37private-bin awk,cut,dbus-send,egrep,file,grep,head,python*,readlink,sed,sh,udiskie,uname,which,xdg-mime,xdg-open,xprop
38# add your configured file browser in udiskie.local, e. g. 38# add your configured file browser in udiskie.local, e. g.
39# private-bin nautilus 39#private-bin nautilus
40# private-bin thunar 40#private-bin thunar
41private-cache 41private-cache
42private-dev 42private-dev
43private-etc @x11,mime.types 43private-etc @x11,mime.types
diff --git a/etc/profile-m-z/unknown-horizons.profile b/etc/profile-m-z/unknown-horizons.profile
index 3e2b28dec..4e7dc3705 100644
--- a/etc/profile-m-z/unknown-horizons.profile
+++ b/etc/profile-m-z/unknown-horizons.profile
@@ -34,11 +34,11 @@ protocol unix,inet,inet6,netlink
34seccomp 34seccomp
35 35
36disable-mnt 36disable-mnt
37# private-bin unknown-horizons 37#private-bin unknown-horizons
38private-dev 38private-dev
39# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl 39#private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
40private-tmp 40private-tmp
41 41
42# doesn't work - maybe all Tcl/Tk programs have this problem 42# doesn't work - maybe all Tcl/Tk programs have this problem
43# memory-deny-write-execute 43#memory-deny-write-execute
44restrict-namespaces 44restrict-namespaces
diff --git a/etc/profile-m-z/viewnior.profile b/etc/profile-m-z/viewnior.profile
index aa8199442..8c6efaa1c 100644
--- a/etc/profile-m-z/viewnior.profile
+++ b/etc/profile-m-z/viewnior.profile
@@ -49,5 +49,5 @@ private-tmp
49dbus-user none 49dbus-user none
50dbus-system none 50dbus-system none
51 51
52#memory-deny-write-execute - breaks on Arch (see issues #1803 and #1808) 52#memory-deny-write-execute # breaks on Arch (see issues #1803 and #1808)
53restrict-namespaces 53restrict-namespaces
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile
index ae8afbbf1..b768a635a 100644
--- a/etc/profile-m-z/virtualbox.profile
+++ b/etc/profile-m-z/virtualbox.profile
@@ -9,7 +9,7 @@ include globals.local
9noblacklist ${HOME}/.VirtualBox 9noblacklist ${HOME}/.VirtualBox
10noblacklist ${HOME}/.config/VirtualBox 10noblacklist ${HOME}/.config/VirtualBox
11noblacklist ${HOME}/VirtualBox VMs 11noblacklist ${HOME}/VirtualBox VMs
12# noblacklist /usr/bin/virtualbox 12#noblacklist /usr/bin/virtualbox
13noblacklist /usr/lib/virtualbox 13noblacklist /usr/lib/virtualbox
14noblacklist /usr/lib64/virtualbox 14noblacklist /usr/lib64/virtualbox
15 15
diff --git a/etc/profile-m-z/warzone2100.profile b/etc/profile-m-z/warzone2100.profile
index 79ba41d44..a7b0f5f1d 100644
--- a/etc/profile-m-z/warzone2100.profile
+++ b/etc/profile-m-z/warzone2100.profile
@@ -15,7 +15,7 @@ include disable-devel.inc
15include disable-exec.inc 15include disable-exec.inc
16include disable-interpreters.inc 16include disable-interpreters.inc
17include disable-programs.inc 17include disable-programs.inc
18#include disable-shell.inc - problems on Debian 11 18#include disable-shell.inc # problems on Debian 11
19 19
20mkdir ${HOME}/.local/share/warzone2100 20mkdir ${HOME}/.local/share/warzone2100
21mkdir ${HOME}/.local/share/warzone2100-3.3.0 21mkdir ${HOME}/.local/share/warzone2100-3.3.0
diff --git a/etc/profile-m-z/wine.profile b/etc/profile-m-z/wine.profile
index 1e2b164b9..33f404464 100644
--- a/etc/profile-m-z/wine.profile
+++ b/etc/profile-m-z/wine.profile
@@ -20,23 +20,23 @@ include disable-devel.inc
20include disable-interpreters.inc 20include disable-interpreters.inc
21include disable-programs.inc 21include disable-programs.inc
22 22
23# whitelist /usr/share/wine 23#whitelist /usr/share/wine
24# include whitelist-usr-share-common.inc 24#include whitelist-usr-share-common.inc
25include whitelist-var-common.inc 25include whitelist-var-common.inc
26 26
27# Some applications don't need allow-debuggers. Add 'ignore allow-debuggers' to your wine.local if you want to override this. 27# Some applications don't need allow-debuggers. Add 'ignore allow-debuggers' to your wine.local if you want to override this.
28allow-debuggers 28allow-debuggers
29caps.drop all 29caps.drop all
30# net none 30#net none
31netfilter 31netfilter
32nodvd 32nodvd
33nogroups 33nogroups
34noinput 34noinput
35nonewprivs 35nonewprivs
36noroot 36noroot
37# nosound 37#nosound
38notv 38notv
39# novideo 39#novideo
40seccomp 40seccomp
41 41
42private-dev 42private-dev
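--- a/etc/profile-m-z/wireshark.profile
+++ b/etc/profile-m-z/wireshark.profile
@@ -9,6 +9,7 @@ include globals.local
 noblacklist ${HOME}/.config/wireshark
 noblacklist ${HOME}/.wireshark
 noblacklist ${DOCUMENTS}
+noblacklist ${PATH}/dumpcap
 
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -25,29 +26,30 @@ include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
-# caps.drop all
+#caps.drop all
 caps.keep dac_override,dac_read_search,net_admin,net_raw
 netfilter
 no3d
-# nogroups - breaks network traffic capture for unprivileged users
+#nogroups # breaks network traffic capture for unprivileged users
 noinput
-# nonewprivs - breaks network traffic capture for unprivileged users
-# noroot
+#nonewprivs # breaks network traffic capture for unprivileged users
+#noroot
 nodvd
 nosound
 notv
 nou2f
 novideo
-# protocol unix,inet,inet6,netlink,packet,bluetooth - commented out in case they bring in new protocols
+# commented out in case they bring in new protocols
+#protocol unix,inet,inet6,netlink,packet,bluetooth
 #seccomp
 tracelog
 
-# private-bin wireshark
+#private-bin wireshark
 private-cache
 # private-dev prevents (some) interfaces from being shown.
 # Add the below line to your wirehsark.local if you only want to inspect pcap files.
 #private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,resolv.conf,ssl
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,resolv.conf,ssl
 private-tmp
 
 dbus-user none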
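Review bot: The added `noblacklist ${PATH}/dumpcap` in the first hunk re-exposes a binary that one of the included blacklists hides, but unlike every other relaxed line in this profile it carries no reason. dumpcap is the capture helper; on most distributions it is installed with elevated capabilities or setuid so that unprivileged users can capture, which is presumably also why `nonewprivs` stays commented out in the second hunk — worth stating in place: `# dumpcap is the (usually privileged) capture helper needed for live capture`. Minor: the context line `# Add the below line to your wirehsark.local ...` still misspells wireshark; since the second hunk already touches the surrounding comment block, correcting it to `wireshark.local` would be cheap.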
diff --git a/etc/profile-m-z/xed.profile b/etc/profile-m-z/xed.profile
index dda803bd5..b47437e2d 100644
--- a/etc/profile-m-z/xed.profile
+++ b/etc/profile-m-z/xed.profile
@@ -23,10 +23,10 @@ include disable-shell.inc
23 23
24include whitelist-var-common.inc 24include whitelist-var-common.inc
25 25
26# apparmor - makes settings immutable 26#apparmor # makes settings immutable
27caps.drop all 27caps.drop all
28machine-id 28machine-id
29# net none - makes settings immutable 29#net none # makes settings immutable
30no3d 30no3d
31nodvd 31nodvd
32nogroups 32nogroups
@@ -46,9 +46,9 @@ private-dev
46private-tmp 46private-tmp
47 47
48# makes settings immutable 48# makes settings immutable
49# dbus-user none 49#dbus-user none
50# dbus-system none 50#dbus-system none
51 51
52# xed uses python plugins, memory-deny-write-execute breaks python 52# xed uses python plugins, memory-deny-write-execute breaks python
53# memory-deny-write-execute 53#memory-deny-write-execute
54restrict-namespaces 54restrict-namespaces
diff --git a/etc/profile-m-z/xfburn.profile b/etc/profile-m-z/xfburn.profile
index 141fda909..96edc15ab 100644
--- a/etc/profile-m-z/xfburn.profile
+++ b/etc/profile-m-z/xfburn.profile
@@ -25,8 +25,8 @@ protocol unix
25seccomp 25seccomp
26tracelog 26tracelog
27 27
28# private-bin xfburn 28#private-bin xfburn
29# private-dev 29#private-dev
30# private-tmp 30#private-tmp
31 31
32restrict-namespaces 32restrict-namespaces
diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile
index 9c4fa8293..6c3a5812b 100644
--- a/etc/profile-m-z/xfce4-mixer.profile
+++ b/etc/profile-m-z/xfce4-mixer.profile
@@ -53,5 +53,5 @@ dbus-user.own org.xfce.xfce4-mixer
53dbus-user.talk org.xfce.Xfconf 53dbus-user.talk org.xfce.Xfconf
54dbus-system none 54dbus-system none
55 55
56# memory-deny-write-execute - breaks on Arch 56#memory-deny-write-execute # breaks on Arch
57restrict-namespaces 57restrict-namespaces
diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile
index 4d841b35c..9094a7872 100644
--- a/etc/profile-m-z/xfce4-screenshooter.profile
+++ b/etc/profile-m-z/xfce4-screenshooter.profile
@@ -47,5 +47,5 @@ private-tmp
47dbus-user none 47dbus-user none
48dbus-system none 48dbus-system none
49 49
50# memory-deny-write-execute -- see #3790 50#memory-deny-write-execute # see #3790
51restrict-namespaces 51restrict-namespaces
diff --git a/etc/profile-m-z/xmr-stak.profile b/etc/profile-m-z/xmr-stak.profile
index b8bf0ae96..06f0b5833 100644
--- a/etc/profile-m-z/xmr-stak.profile
+++ b/etc/profile-m-z/xmr-stak.profile
@@ -16,6 +16,7 @@ include disable-shell.inc
16include disable-xdg.inc 16include disable-xdg.inc
17 17
18mkdir ${HOME}/.xmr-stak 18mkdir ${HOME}/.xmr-stak
19whitelist /opt/cuda
19include whitelist-var-common.inc 20include whitelist-var-common.inc
20 21
21caps.drop all 22caps.drop all
@@ -39,7 +40,6 @@ private-bin xmr-stak
39private-dev 40private-dev
40private-etc @tls-ca 41private-etc @tls-ca
41#private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend 42#private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend
42private-opt cuda
43private-tmp 43private-tmp
44 44
45memory-deny-write-execute 45memory-deny-write-execute
diff --git a/etc/profile-m-z/xplayer.profile b/etc/profile-m-z/xplayer.profile
index a673d6aa3..9741888f0 100644
--- a/etc/profile-m-z/xplayer.profile
+++ b/etc/profile-m-z/xplayer.profile
@@ -27,7 +27,7 @@ include whitelist-common.inc
27include whitelist-player-common.inc 27include whitelist-player-common.inc
28include whitelist-var-common.inc 28include whitelist-var-common.inc
29 29
30# apparmor - makes settings immutable 30#apparmor # makes settings immutable
31caps.drop all 31caps.drop all
32netfilter 32netfilter
33nogroups 33nogroups
@@ -41,11 +41,11 @@ tracelog
41 41
42private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer 42private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
43private-dev 43private-dev
44# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl 44#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
45private-tmp 45private-tmp
46 46
47# makes settings immutable 47# makes settings immutable
48# dbus-user none 48#dbus-user none
49# dbus-system none 49#dbus-system none
50 50
51restrict-namespaces 51restrict-namespaces
diff --git a/etc/profile-m-z/xpra.profile b/etc/profile-m-z/xpra.profile
index 05c12b9a2..b00307394 100644
--- a/etc/profile-m-z/xpra.profile
+++ b/etc/profile-m-z/xpra.profile
@@ -45,11 +45,11 @@ seccomp
45 45
46disable-mnt 46disable-mnt
47# private home directory doesn't work on some distros, so we go for a regular home 47# private home directory doesn't work on some distros, so we go for a regular home
48# private 48#private
49# older Xpra versions also use Xvfb 49# older Xpra versions also use Xvfb
50# private-bin bash,cat,dbus-launch,ldconfig,ls,pactl,python*,sh,strace,which,xauth,xkbcomp,Xorg,xpra,Xvfb 50#private-bin bash,cat,dbus-launch,ldconfig,ls,pactl,python*,sh,strace,which,xauth,xkbcomp,Xorg,xpra,Xvfb
51private-dev 51private-dev
52# private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,nsswitch.conf,resolv.conf,X11,xpra 52#private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,nsswitch.conf,resolv.conf,X11,xpra
53private-tmp 53private-tmp
54 54
55restrict-namespaces 55restrict-namespaces
diff --git a/etc/profile-m-z/xreader.profile b/etc/profile-m-z/xreader.profile
index 6edbf9357..cad836fdc 100644
--- a/etc/profile-m-z/xreader.profile
+++ b/etc/profile-m-z/xreader.profile
@@ -18,9 +18,9 @@ include disable-programs.inc
18include disable-xdg.inc 18include disable-xdg.inc
19 19
20# Breaks xreader on Mint 18.3 20# Breaks xreader on Mint 18.3
21# include whitelist-var-common.inc 21#include whitelist-var-common.inc
22 22
23# apparmor 23#apparmor
24caps.drop all 24caps.drop all
25no3d 25no3d
26nodvd 26nodvd
diff --git a/etc/profile-m-z/xviewer.profile b/etc/profile-m-z/xviewer.profile
index 6c31df4a9..575c1bf68 100644
--- a/etc/profile-m-z/xviewer.profile
+++ b/etc/profile-m-z/xviewer.profile
@@ -19,9 +19,9 @@ include disable-shell.inc
19 19
20include whitelist-var-common.inc 20include whitelist-var-common.inc
21 21
22# apparmor - makes settings immutable 22#apparmor # makes settings immutable
23caps.drop all 23caps.drop all
24# net none - makes settings immutable 24#net none # makes settings immutable
25no3d 25no3d
26nodvd 26nodvd
27nogroups 27nogroups
@@ -42,8 +42,8 @@ private-lib
42private-tmp 42private-tmp
43 43
44# makes settings immutable 44# makes settings immutable
45# dbus-user none 45#dbus-user none
46# dbus-system none 46#dbus-system none
47 47
48memory-deny-write-execute 48memory-deny-write-execute
49restrict-namespaces 49restrict-namespaces
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile
index f5dd0c309..f957954dd 100644
--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -33,16 +33,14 @@ include whitelist-var-common.inc
33 33
34apparmor 34apparmor
35caps.drop all 35caps.drop all
36# machine-id breaks sound - add the next line to your yelp.local if you don't need sound support. 36#machine-id # add this to your yelp.local if you don't need sound support.
37#machine-id
38net none 37net none
39nodvd 38nodvd
40nogroups 39nogroups
41noinput 40noinput
42nonewprivs 41nonewprivs
43noroot 42noroot
44# nosound - add the next line to your yelp.local if you don't need sound support. 43#nosound # add this to your yelp.local if you don't need sound support.
45#nosound
46notv 44notv
47nou2f 45nou2f
48novideo 46novideo
diff --git a/etc/profile-m-z/youtube.profile b/etc/profile-m-z/youtube.profile
index 4d1e9a063..0fb87f747 100644
--- a/etc/profile-m-z/youtube.profile
+++ b/etc/profile-m-z/youtube.profile
@@ -1,5 +1,5 @@
1# Firejail profile for youtube 1# Firejail profile for youtube
2# Description: Unofficial electron based desktop warpper for YouTube 2# Description: Unofficial electron based desktop wrapper for YouTube
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4# Persistent local customizations 4# Persistent local customizations
5include youtube.local 5include youtube.local
@@ -15,10 +15,10 @@ include disable-shell.inc
15 15
16mkdir ${HOME}/.config/Youtube 16mkdir ${HOME}/.config/Youtube
17whitelist ${HOME}/.config/Youtube 17whitelist ${HOME}/.config/Youtube
18whitelist /opt/Youtube
18 19
19private-bin electron,electron[0-9],electron[0-9][0-9],youtube 20private-bin electron,electron[0-9],electron[0-9][0-9],youtube
20private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types 21private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types
21private-opt Youtube
22 22
23# Redirect 23# Redirect
24include electron-common.profile 24include electron-common.profile
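diff --git a/etc/profile-m-z/youtubemusic-nativefier.profile b/etc/profile-m-z/youtubemusic-nativefier.profile
index cfee8c426..e5ece41bc 100644
--- a/etc/profile-m-z/youtubemusic-nativefier.profile
+++ b/etc/profile-m-z/youtubemusic-nativefier.profile
@@ -1,8 +1,8 @@
 # Firejail profile for youtubemusic-nativefier
-# Description: Unofficial electron based desktop warpper for YouTube Music
+# Description: Unofficial electron based desktop wrapper for YouTube Music
 # This file is overwritten after every install/update
 # Persistent local customizations
-include youtube.local
+include youtubemusic-nativefier.local
 # Persistent global definitions
 include globals.local
 
@@ -12,10 +12,10 @@ include disable-shell.inc
 
 mkdir ${HOME}/.config/youtubemusic-nativefier-040164
 whitelist ${HOME}/.config/youtubemusic-nativefier-040164
+whitelist /opt/youtubemusic-nativefier
 
 private-bin electron,electron[0-9],electron[0-9][0-9],youtubemusic-nativefier
 private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types
-private-opt youtubemusic-nativefier
 
 # Redirect
 include electron-common.profile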
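diff --git a/etc/profile-m-z/ytmdesktop.profile b/etc/profile-m-z/ytmdesktop.profile
index de07e3ddf..ccf5f1e63 100644
--- a/etc/profile-m-z/ytmdesktop.profile
+++ b/etc/profile-m-z/ytmdesktop.profile
@@ -13,9 +13,9 @@ noblacklist ${HOME}/.config/youtube-music-desktop-app
 mkdir ${HOME}/.config/youtube-music-desktop-app
 whitelist ${HOME}/.config/youtube-music-desktop-app
 
-# private-bin env,ytmdesktop
+#private-bin env,ytmdesktop
 private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types
-# private-opt
+#private-opt
 
 # Redirect
 include electron-common.profile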
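diff --git a/etc/profile-m-z/zeal.profile b/etc/profile-m-z/zeal.profile
index 09a1d37a3..d576dbefd 100644
--- a/etc/profile-m-z/zeal.profile
+++ b/etc/profile-m-z/zeal.profile
@@ -67,5 +67,5 @@ dbus-user.talk org.mozilla.*
 ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none
 
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces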
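diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 9329fe297..6299d42cd 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -196,6 +196,13 @@ include globals.local
 # Extra: gai.conf,proxychains.conf
 # Qt: Trolltech.conf
 ##private-lib LIBS
+## Note: private-opt copies the entire path(s) to RAM, which may break
+## file-copy-limit in firejail.config (see firejail(1)).
+## For sizeable apps (if in doubt, do this):
+## - never use 'private-opt NAME'
+## - place 'whitelist /opt/NAME' in the whitelist section above
+## For acceptable apps:
+## - use 'private-opt NAME'
 ##private-opt NAME
 #private-tmp
 ##writable-etc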
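diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index c33e6d602..569509534 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -47,7 +47,7 @@ Definition of groups
 @obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,idle,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver
 @privileged=@chown,@clock,@module,@raw-io,@reboot,@swap,_sysctl,acct,bpf,capset,chroot,fanotify_init,mount,nfsservctl,open_by_handle_at,pivot_root,quotactl,setdomainname,setfsuid,setfsuid32,setgroups,setgroups32,sethostname,setresuid,setresuid32,setreuid,setreuid32,setuid,setuid32,umount2,vhangup
 @process=arch_prctl,capget,clone,clone3,execveat,fork,getrusage,kill,pidfd_open,pidfd_send_signal,prctl,rt_sigqueueinfo,rt_tgsigqueueinfo,setns,swapcontext,tgkill,times,tkill,unshare,vfork,wait4,waitid,waitpid
-@raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
+@raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_pci_mmio_read,s390_pci_mmio_write
 @reboot=kexec_load,kexec_file_load,reboot
 @resources=ioprio_set,mbind,migrate_pages,move_pages,nice,sched_setaffinity,sched_setattr,sched_setparam,sched_setscheduler,set_mempolicy
 @setuid=setgid,setgid32,setgroups,setgroups32,setregid,setregid32,setresgid,setresgid32,setresuid,setresuid32,setreuid,setreuid32,setuid,setuid32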
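Review bot: The corrected names `s390_pci_mmio_read`/`s390_pci_mmio_write` in the @raw-io line only fix this listing; if the group is also spelled out in the seccomp filter sources rather than this file being generated from them, the same rename is needed there, because a syscall name that does not resolve is typically skipped when the filter is built and that syscall then stays allowed. A header comment such as `# group contents must match the seccomp group table in the sources` would make the dependency explicit; the listing's start is outside the hunk.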
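diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 7db4480b6..558fe51ed 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -101,6 +101,7 @@ bitwarden
 bleachbit
 blender
 blender-2.8
+blender-3.6
 bless
 blobby
 blobwars
@@ -274,6 +275,7 @@ flacsplt
 flameshot
 flashpeak-slimjet
 flowblade
+fluffychat
 font-manager
 fontforge
 fossamail
@@ -480,6 +482,7 @@ kwrite
 lbry-viewer
 leafpad
 #less # breaks man
+lettura
 librecad
 libreoffice
 librewolf
@@ -822,13 +825,16 @@ telegram
 telegram-desktop
 telnet
 terasology
+termshark
 tesseract
 textmaker18
 textmaker18free
 thunderbird
 thunderbird-beta
 thunderbird-wayland
+tidal-hifi
 tilp
+tiny-rdm
 tor-browser
 tor-browser-ar
 tor-browser-ca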
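diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index a4f727c0a..bb20a0da6 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -43,6 +43,16 @@ int appimage_find_profile(const char *archive) {
 	assert(archive);
 	assert(strlen(archive));
 
+	// extract the name of the appimage from a full path
+	// example: archive = /opt/kdenlive-20.12.2-x86_64.appimage
+	const char *arc = strrchr(archive, '/');
+	if (arc)
+		arc++;
+	else
+		arc = archive;
+	if (arg_debug)
+		printf("Looking for a %s profile\n", arc);
+
 	// try to match the name of the archive with the list of programs in /etc/firejail/firecfg.config
 	FILE *fp = fopen(SYSCONFDIR "/firecfg.config", "r");
 	if (!fp) {
@@ -56,7 +66,8 @@ int appimage_find_profile(const char *archive) {
 		char *ptr = strchr(buf, '\n');
 		if (ptr)
 			*ptr = '\0';
-		if (strcasestr(archive, buf)) {
+		char *found = strcasestr(arc, buf);
+		if (found == arc) {
 			fclose(fp);
 			return profile_find_firejail(buf, 1);
 		}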
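Review bot: The new test `if (found == arc)` still accepts an empty `buf`, because strcasestr() with an empty needle returns its haystack, so a blank line in firecfg.config, and a `#` comment line unless the loop lines between the fopen and this hunk already skip them, would send that string to profile_find_firejail(). The match is also anchored only at the start of the name, so any entry that is a leading substring of the archive name is taken, and since the first hit wins the order of firecfg.config decides (`blender` is listed before `blender-3.6` in this commit). Requiring a non-empty name that is followed by a separator or the end of the archive name closes both gaps; the rewritten lines are below. appimage_find_profile() starts before the first hunk and the enclosing read loop is not visible here.
```c
		char *ptr = strchr(buf, '\n');
		if (ptr)
			*ptr = '\0';
		// accept only a whole leading name: the entry must be followed by a
		// separator ('-', '_', '.') or by the end of the archive name
		size_t blen = strlen(buf);
		char *found = strcasestr(arc, buf);
		if (blen && found == arc &&
		    (arc[blen] == '\0' || arc[blen] == '-' || arc[blen] == '_' || arc[blen] == '.')) {
			// … unchanged: fclose(fp) and return profile_find_firejail(buf, 1) …
```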
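diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 182f26e53..28fecfb98 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -281,6 +281,8 @@ void fs_blacklist(void) {
 	if (!entry)
 		return;
 
+	timetrace_start();
+
 	size_t noblacklist_c = 0;
 	size_t noblacklist_m = 32;
 	char **noblacklist = calloc(noblacklist_m, sizeof(*noblacklist));
@@ -463,6 +465,8 @@ void fs_blacklist(void) {
 	for (i = 0; i < noblacklist_c; i++)
 		free(noblacklist[i]);
 	free(noblacklist);
+
+	fmessage("Base filesystem installed in %0.2f ms\n", timetrace_end());
 }
 
 //***********************************************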
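Review bot: The report `Base filesystem installed in %0.2f ms` describes more than what the timer measures: timetrace_start() is placed at the top of fs_blacklist() and timetrace_end() at its bottom, so the figure covers blacklist processing only, and a reader of the log will take it for the whole filesystem setup. Either name what was measured, `fmessage("Blacklist processing finished in %0.2f ms\n", timetrace_end());`, or start the trace where the base filesystem build actually begins. fs_blacklist() starts before the first hunk, and any return path between the two hunks would leave the timer started without a report; the body between them is not visible here.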
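diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index f2ab1c188..6dc4904fc 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -154,7 +154,7 @@ static void print_file_or_dir(const char *path, const char *fname) {
 
 	// file size
 	char *sz;
-	if (asprintf(&sz, "%d", (int) s.st_size) == -1)
+	if (asprintf(&sz, "%jd", (intmax_t) s.st_size) == -1)
 		errExit("asprintf");
 
 	// file name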
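Review bot: `intmax_t` is declared in `<stdint.h>` (also reachable through `<inttypes.h>`), and the include list of ls.c is outside the hunk; if the name currently arrives through a transitive include, add `#include <stdint.h>` explicitly so the fixed line does not depend on header internals. A short comment on the cast would also help, e.g. `// off_t may be 64-bit; widen to intmax_t instead of truncating through int`. print_file_or_dir() starts and ends outside the hunk.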
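diff --git a/src/firejail/main.c b/src/firejail/main.c
index b0d5dac17..0c9c80137 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -420,7 +420,6 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 			exit_err_feature("x11");
 		}
 #endif
-#ifdef HAVE_NETWORK
 	else if (strcmp(argv[i], "--nettrace") == 0) {
 		if (checkcfg(CFG_NETWORK)) {
 			if (getuid() != 0) {
@@ -524,8 +523,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 		exit(0);
 	}
 
-
-
+#ifdef HAVE_NETWORK
 	else if (strncmp(argv[i], "--bandwidth=", 12) == 0) {
 		if (checkcfg(CFG_NETWORK)) {
 			logargs(argc, argv);
@@ -3217,13 +3215,18 @@ int main(int argc, char **argv, char **envp) {
 
 	gid_t g;
 	if (!arg_nogroups || !check_can_drop_all_groups()) {
-		// add audio group
+		// add audio groups
 		if (!arg_nosound) {
 			g = get_group_id("audio");
 			if (g) {
 				sprintf(ptr, "%d %d 1\n", g, g);
 				ptr += strlen(ptr);
 			}
+			g = get_group_id("pipewire");
+			if (g) {
+				sprintf(ptr, "%d %d 1\n", g, g);
+				ptr += strlen(ptr);
+			}
 		}
 
 		// add video group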
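Review bot: The pipewire block at new lines 3225-3229 is a verbatim copy of the audio block above it, and each copy writes one more `%d %d 1\n` record into the fixed buffer behind `ptr` with an unchecked sprintf(); the buffer's size is set outside the hunk, so every group added here should come with a check that room for one more record remains. Folding the two into a loop over `{"audio", "pipewire"}` leaves one place to add that check and to add the next group; `%u` also matches gid_t, which is unsigned. The same group list appears in util.c in this commit, so a comment naming that site, `// keep in sync with clean_supplementary_groups() in util.c`, would help keep them aligned. The first two hunks only move `#ifdef HAVE_NETWORK` from `--nettrace` to `--bandwidth=`; whether the `--nettrace` branch builds without that symbol is not visible here. main() starts and ends outside the hunk.
```c
		// add audio groups (keep in sync with clean_supplementary_groups() in util.c)
		if (!arg_nosound) {
			static const char *const audio_groups[] = { "audio", "pipewire" };
			size_t k;
			for (k = 0; k < sizeof(audio_groups) / sizeof(audio_groups[0]); k++) {
				g = get_group_id(audio_groups[k]);
				if (g) {
					sprintf(ptr, "%u %u 1\n", g, g);
					ptr += strlen(ptr);
				}
			}
		}
		// … unchanged: video group …
```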
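diff --git a/src/firejail/paths.c b/src/firejail/paths.c
index 6bc6230f0..fea842d93 100644
--- a/src/firejail/paths.c
+++ b/src/firejail/paths.c
@@ -47,6 +47,16 @@ static void init_paths(void) {
 		errExit("calloc");
 	memset(paths, 0, path_cnt * sizeof(char *)); // get rid of false positive error from GCC static analyzer
 
+	// lots of distros set /bin as a symlink to /usr/bin;
+	// we remove /bin form the path to speed up path-based operations such as blacklist
+	int bin_symlink = 0;
+	p = realpath("/bin", NULL);
+	if (p) {
+		if (strcmp(p, "/usr/bin") == 0)
+			bin_symlink = 1;
+	}
+	free(p);
+
 	// fill in 'paths' with pointers to elements of 'path'
 	unsigned int i = 0, j;
 	unsigned int len;
@@ -62,6 +72,14 @@ static void init_paths(void) {
 		if (len == 0)
 			goto skip;
 
+		//deal with /bin - /usr/bin symlink
+		if (bin_symlink > 0) {
+			if (strcmp(elt, "/bin") == 0 || strcmp(elt, "/usr/bin") == 0)
+				bin_symlink++;
+			if (bin_symlink == 3)
+				goto skip;
+		}
+
 		// filter out duplicate entries
 		for (j = 0; j < i; j++)
 			if (strcmp(elt, paths[j]) == 0)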
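Review bot: `if (bin_symlink == 3)` skips only the second occurrence of `/bin` or `/usr/bin`: a third one (a PATH such as `/bin:/usr/bin:/usr/bin`) raises the counter to 4, passes this test, and the exact-string duplicate filter below does not catch it either when the spelling kept first was the other one. `p` is also reused to hold the realpath() result and then freed; that is fine only if `p` is a scratch pointer at this point of init_paths(), whose start lies before the hunk. A yes/no flag for "same directory" plus a separate "already kept" flag states the intent directly and closes the gap; rewritten lines below. The first added comment also has `form` for `from`.
```c
	// lots of distros set /bin as a symlink to /usr/bin; when both name the
	// same directory, keep only the first spelling seen in PATH to speed up
	// path-based operations such as blacklist
	int bin_is_usr_bin = 0;
	char *rp = realpath("/bin", NULL);
	if (rp) {
		bin_is_usr_bin = (strcmp(rp, "/usr/bin") == 0);
		free(rp);
	}
	int bin_seen = 0;
	// … unchanged: 'paths' fill-in loop head and the len == 0 check …
		// deal with /bin - /usr/bin symlink
		if (bin_is_usr_bin && (strcmp(elt, "/bin") == 0 || strcmp(elt, "/usr/bin") == 0)) {
			if (bin_seen)
				goto skip;
			bin_seen = 1;
		}
```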
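diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index bdaaed433..8cc5c1166 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -484,7 +484,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
 		return 0;
 	}
-	else if (strncmp("dbus-user ", ptr, 10) == 0) {
+	else if (strncmp(ptr, "dbus-user ", 10) == 0) {
 #ifdef HAVE_DBUSPROXY
 		ptr += 10;
 		if (strcmp("filter", ptr) == 0) {
@@ -551,7 +551,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
 		return 1;
 	}
-	else if (strncmp("dbus-system ", ptr, 12) == 0) {
+	else if (strncmp(ptr, "dbus-system ", 12) == 0) {
 #ifdef HAVE_DBUSPROXY
 		ptr += 12;
 		if (strcmp("filter", ptr) == 0) {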
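diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 538f5be67..827be5d85 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -878,7 +878,8 @@ int sandbox(void* sandbox_arg) {
 	//****************************
 	// appimage
 	//****************************
-	appimage_mount();
+	if (arg_appimage)
+		appimage_mount();
 
 	//****************************
 	// private mode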
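diff --git a/src/firejail/util.c b/src/firejail/util.c
index 970832b38..bd32181b5 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -207,6 +207,8 @@ static void clean_supplementary_groups(gid_t gid) {
 	if (!arg_nosound) {
 		copy_group_ifcont("audio", groups, ngroups,
 			new_groups, &new_ngroups, MAX_GROUPS);
+		copy_group_ifcont("pipewire", groups, ngroups,
+			new_groups, &new_ngroups, MAX_GROUPS);
 	}
 
 	if (!arg_novideo) {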
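diff --git a/src/fnettrace/main.c b/src/fnettrace/main.c
index 5a0b97e89..4db8e7478 100644
--- a/src/fnettrace/main.c
+++ b/src/fnettrace/main.c
@@ -308,6 +308,8 @@ static inline const char *common_port(uint16_t port) {
 		return "Tor";
 	else if (port == 9030)
 		return "Tor";
+	else if (port == 9040)
+		return "Tor";
 	else if (port == 9050)
 		return "Tor";
 	else if (port == 9051)
@@ -506,16 +508,16 @@ static void print_stats(FILE *fp) {
 
 	fprintf(fp, "\n\nIP map");
 	if (fp == stdout)
-		ansi_faint(" - server-address network (packets)\n");
+		ansi_faint(" - network (packets)\n");
 	else
-		fprintf(fp, " - server-address network (packets)\n");
+		fprintf(fp, " - network (packets)\n");
 	radix_print(fp, 1);
 
 	fprintf(fp, "\n\nEvents %d", ev_cnt);
 	if (fp == stdout)
-		ansi_faint(" - time address data\n");
+		ansi_faint(" - time address data\n");
 	else
-		fprintf(fp, " - time address:port data\n");
+		fprintf(fp, " - time address data\n");
 	ev_print(fp);
 
 }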
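Review bot: Port 9040 joins common_port() as yet another two-line `else if` returning the same string as its neighbours; the function is an if/else ladder over constants whose start is before the hunk, and a static table of `{port, name}` pairs walked by a short loop would make each addition a one-line change and let the Tor ports carry a comment on what each one is. In the second hunk the Events header loses `:port`; if ev_print() still prints `address:port`, the header and the rows no longer agree, which cannot be checked here. print_stats() starts before the hunk.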
diff --git a/src/fnettrace/static-ip-map.txt b/src/fnettrace/static-ip-map.txt
index fa6c74b62..aeac58c6a 100644
--- a/src/fnettrace/static-ip-map.txt
+++ b/src/fnettrace/static-ip-map.txt
@@ -188,6 +188,7 @@
188104.244.40.0/21 Twitter 188104.244.40.0/21 Twitter
189108.160.160.0/20 Dropbox 189108.160.160.0/20 Dropbox
190108.175.32.0/20 Netflix 190108.175.32.0/20 Netflix
191129.144.0.0/12 Oracle
191129.134.0.0/16 Facebook 192129.134.0.0/16 Facebook
192140.82.112.0/20 GitHub 193140.82.112.0/20 GitHub
193143.55.64.0/20 GitHub 194143.55.64.0/20 GitHub
@@ -221,7 +222,6 @@
221185.125.188.0/22 Ubuntu One 222185.125.188.0/22 Ubuntu One
222185.199.108.0/22 GitHub 223185.199.108.0/22 GitHub
223185.205.69.0/24 Tutanota 224185.205.69.0/24 Tutanota
224185.238.113.0/24 Bitchute
225188.64.224.0/21 Twitter 225188.64.224.0/21 Twitter
226190.217.33.0/24 Steam 226190.217.33.0/24 Steam
227192.0.64.0/18 Wordpress 227192.0.64.0/18 Wordpress
@@ -253,7 +253,12 @@
25363.141.247.168/29 BitChute 25363.141.247.168/29 BitChute
25463.141.247.240/29 BitChute 25463.141.247.240/29 BitChute
25569.30.200.200/29 BitChute 25569.30.200.200/29 BitChute
25669.30.230.64/29 BitChute
25769.30.241.40/29 BitChute
25669.30.241.48/29 BitChute 25869.30.241.48/29 BitChute
25969.30.243.168/29 BitChute
26069.30.245.232/29 BitChute
26169.30.253.16/29 BitChute
25769.197.182.184/29 BitChute 26269.197.182.184/29 BitChute
25874.91.28.208/29 BitChute 26374.91.28.208/29 BitChute
25974.91.29.208/29 BitChute 26474.91.29.208/29 BitChute
@@ -263,27 +268,40 @@
263107.150.45.120/29 BitChute 268107.150.45.120/29 BitChute
264142.54.180.104/29 BitChute 269142.54.180.104/29 BitChute
265142.54.181.184/29 BitChute 270142.54.181.184/29 BitChute
271142.54.188.112/29 BitChute
266142.54.189.192/29 BitChute 272142.54.189.192/29 BitChute
267173.208.154.8/29 BitChute 273173.208.154.8/29 BitChute
268173.208.154.160/29 BitChute 274173.208.154.160/29 BitChute
275173.208.176.128/29 BitChute
269173.208.185.200/29 BitChute 276173.208.185.200/29 BitChute
277173.208.203.224/29 BitChute
270173.208.203.248/29 BitChute 278173.208.203.248/29 BitChute
271173.208.211.224/29 BitChute 279173.208.211.224/29 BitChute
272173.208.216.40/29 BitChute 280173.208.216.40/29 BitChute
273173.208.219.112/29 BitChute 281173.208.219.112/29 BitChute
274173.208.246.160/29 BitChute 282173.208.246.160/29 BitChute
283185.238.113.0/24 BitChute
284192.151.147.16/29 BitChute
275192.151.158.136/29 BitChute 285192.151.158.136/29 BitChute
276192.187.97.88/29 BitChute 286192.187.97.88/29 BitChute
277192.187.114.16/29 BitChute 287192.187.114.16/29 BitChute
278192.187.114.96/29 BitChute 288192.187.114.96/29 BitChute
289192.187.118.168/29 BitChute
290192.187.121.208/29 BitChute
279192.187.123.112/29 BitChute 291192.187.123.112/29 BitChute
280192.187.126.0/29 BitChute 292192.187.126.0/29 BitChute
281198.204.226.120/29 BitChute 293198.204.226.120/29 BitChute
282198.204.228.48/29 BitChute 294198.204.228.48/29 BitChute
295198.204.235.88/29 BitChute
296198.204.235.216/29 BitChute
283198.204.245.32/29 BitChute 297198.204.245.32/29 BitChute
284198.204.245.88/29 BitChute 298198.204.245.88/29 BitChute
285198.204.250.208/29 BitChute 299198.204.250.208/29 BitChute
300198.204.253.64/29 BitChute
301198.204.253.184/29 BitChute
286199.168.96.24/29 BitChute 302199.168.96.24/29 BitChute
303199.168.96.64/29 BitChute
304204.12.220.136/29 BitChute
287204.12.194.176/29 BitChute 305204.12.194.176/29 BitChute
288204.12.194.248/29 BitChute 306204.12.194.248/29 BitChute
289204.12.220.232/29 BitChute 307204.12.220.232/29 BitChute
@@ -292,6 +310,7 @@
292# WholeSale Internet 310# WholeSale Internet
29369.30.192.0/18 WholeSale Internet 31169.30.192.0/18 WholeSale Internet
29469.197.128.0/18 WholeSale Internet 31269.197.128.0/18 WholeSale Internet
313142.54.160.0/19 WholeSale Internet
295173.208.128.0/17 WholeSale Internet 314173.208.128.0/17 WholeSale Internet
296204.12.192.0/18 WholeSale Internet 315204.12.192.0/18 WholeSale Internet
297208.67.0.0/21 WholeSale Internet 316208.67.0.0/21 WholeSale Internet
@@ -322,6 +341,7 @@
32266.243.0.0/17 Level 3 34166.243.0.0/17 Level 3
32366.243.128.0/18 Level 3 34266.243.128.0/18 Level 3
32466.251.192.0/19 Level 3 34366.251.192.0/19 Level 3
34474.202.0.0/15 Level 3
325205.128.0.0/14 Level 3 345205.128.0.0/14 Level 3
326205.180.0.0/14 Level 3 346205.180.0.0/14 Level 3
327205.184.0.0/19 Level 3 347205.184.0.0/19 Level 3
@@ -350,6 +370,7 @@
35069.16.173.0/24 StackPath 37069.16.173.0/24 StackPath
35169.16.174.0/23 StackPath 37169.16.174.0/23 StackPath
35269.16.176.0/20 StackPath 37269.16.176.0/20 StackPath
37374.209.128.0/20 StackPath
353151.139.0.0/16 StackPath 374151.139.0.0/16 StackPath
354205.185.194.0/23 StackPath 375205.185.194.0/23 StackPath
355205.185.196.0/23 StackPath 376205.185.196.0/23 StackPath
@@ -379,6 +400,7 @@
37945.79.0.0/16 Linode 40045.79.0.0/16 Linode
38050.116.0.0/18 Linode 40150.116.0.0/18 Linode
38166.175.208.0/20 Linode 40266.175.208.0/20 Linode
40374.207.224.0/19 Linode
382103.29.68.0/22 Linode 404103.29.68.0/22 Linode
383104.200.16.0/21 Linode 405104.200.16.0/21 Linode
384104.200.24.0/22 Linode 406104.200.24.0/22 Linode
@@ -486,6 +508,7 @@
48623.72.0.0/13 Akamai 50823.72.0.0/13 Akamai
48723.192.0.0/11 Akamai 50923.192.0.0/11 Akamai
48872.246.0.0/15 Akamai 51072.246.0.0/15 Akamai
51174.121.124.0/22 Akamai
48992.122.160.0/20 Akamai 51292.122.160.0/20 Akamai
49096.6.0.0/15 Akamai 51396.6.0.0/15 Akamai
49196.16.0.0/15 Akamai 51496.16.0.0/15 Akamai
@@ -559,6 +582,7 @@
55920.48.0.0/12 Microsoft 58220.48.0.0/12 Microsoft
56020.128.0.0/16 Microsoft 58320.128.0.0/16 Microsoft
56120.192.0.0/10 Microsoft 58420.192.0.0/10 Microsoft
58523.96.0.0/13 Microsoft
56240.76.0.0/14 Microsoft 58640.76.0.0/14 Microsoft
56340.96.0.0/12 Microsoft 58740.96.0.0/12 Microsoft
56440.112.0.0/13 Microsoft 58840.112.0.0/13 Microsoft
@@ -567,11 +591,38 @@
56740.80.0.0/12 Microsoft 59140.80.0.0/12 Microsoft
56840.120.0.0/14 Microsoft 59240.120.0.0/14 Microsoft
56940.125.0.0/17 Microsoft 59340.125.0.0/17 Microsoft
59451.4.0.0/15 Microsoft
59551.8.0.0/16 Microsoft
59651.10.0.0/14 Microsoft
59751.51.0.0/16 Microsoft
59851.53.0.0/16 Microsoft
59951.103.0.0/16 Microsoft
60051.107.0.0/16 Microsoft
60151.116.0.0/16 Microsoft
60251.120.0.0/16 Microsoft
60351.124.0.0/16 Microsoft
60451.132.0.0/16 Microsoft
60551.136.0.0/16 Microsoft
60651.140.0.0/15 Microsoft
60752.96.0.0/12 Microsoft
60852.112.0.0/14 Microsoft
60952.120.0.0/14 Microsoft
61052.125.0.0/16 Microsoft
61152.126.0.0/15 Microsoft
61252.132.0.0/14 Microsoft
61352.136.0.0/13 Microsoft
57052.145.0.0/16 Microsoft 61452.145.0.0/16 Microsoft
61552.146.0.0/15 Microsoft
57152.148.0.0/14 Microsoft 61652.148.0.0/14 Microsoft
57252.152.0.0/13 Microsoft 61752.152.0.0/13 Microsoft
57352.146.0.0/15 Microsoft
57452.160.0.0/11 Microsoft 61852.160.0.0/11 Microsoft
61952.224.0.0/11 Microsoft
62074.160.0.0/14 Microsoft
62174.176.0.0/14 Microsoft
62274.224.0.0/14 Microsoft
62374.234.0.0/15 Microsoft
62474.240.0.0/14 Microsoft
62574.248.0.0/15 Microsoft
575168.61.0.0/16 Microsoft 626168.61.0.0/16 Microsoft
576168.62.0.0/15 Microsoft 627168.62.0.0/15 Microsoft
577 628
@@ -587,6 +638,7 @@
587206.190.32.0/19 Yahoo 638206.190.32.0/19 Yahoo
588209.73.160.0/19 Yahoo 639209.73.160.0/19 Yahoo
589209.191.64.0/18 Yahoo 640209.191.64.0/18 Yahoo
641212.82.100.0/22 Yahoo
590216.115.96.0/20 Yahoo 642216.115.96.0/20 Yahoo
591 643
592# Google 644# Google
@@ -596,6 +648,18 @@
5968.35.192.0/20 Google 6488.35.192.0/20 Google
59723.236.48.0/20 Google 64923.236.48.0/20 Google
59823.251.128.0/19 Google 65023.251.128.0/19 Google
65134.4.16.0/20 Google
65234.4.64.0/18 Google
65334.4.6.0/23 Google
65434.16.0.0/12 Google
65534.32.0.0/11 Google
65634.4.128.0/17 Google
65734.8.0.0/13 Google
65834.4.8.0/21 Google
65934.5.0.0/16 Google
66034.6.0.0/15 Google
66134.4.32.0/19 Google
66234.4.5.0/24 Google
59934.64.0.0/10 Google 66334.64.0.0/10 Google
60034.128.0.0/10 Google 66434.128.0.0/10 Google
60135.184.0.0/13 Google 66535.184.0.0/13 Google
@@ -1846,6 +1910,7 @@
184634.192.0.0/12 Amazon 191034.192.0.0/12 Amazon
184734.208.0.0/12 Amazon 191134.208.0.0/12 Amazon
184834.224.0.0/12 Amazon 191234.224.0.0/12 Amazon
191334.225.127.72/10 Amazon
184934.240.0.0/13 Amazon 191434.240.0.0/13 Amazon
185034.248.0.0/13 Amazon 191534.248.0.0/13 Amazon
185135.71.64.0/22 Amazon 191635.71.64.0/22 Amazon
@@ -3394,7 +3459,7 @@
339454.93.0.0/16 Amazon 345954.93.0.0/16 Amazon
339554.94.0.0/16 Amazon 346054.94.0.0/16 Amazon
339654.95.0.0/16 Amazon 346154.95.0.0/16 Amazon
339754.144.0.0/14 Amazon 346254.144.0.0/12 Amazon
339854.148.0.0/15 Amazon 346354.148.0.0/15 Amazon
339954.150.0.0/16 Amazon 346454.150.0.0/16 Amazon
340054.151.0.0/17 Amazon 346554.151.0.0/17 Amazon
@@ -3405,7 +3470,7 @@
340554.154.0.0/16 Amazon 347054.154.0.0/16 Amazon
340654.155.0.0/16 Amazon 347154.155.0.0/16 Amazon
340754.156.0.0/14 Amazon 347254.156.0.0/14 Amazon
340854.160.0.0/13 Amazon 347354.160.0.0/11 Amazon
340954.168.0.0/16 Amazon 347454.168.0.0/16 Amazon
341054.169.0.0/16 Amazon 347554.169.0.0/16 Amazon
341154.170.0.0/15 Amazon 347654.170.0.0/15 Amazon
@@ -3418,7 +3483,7 @@
341854.182.0.0/16 Amazon 348354.182.0.0/16 Amazon
341954.183.0.0/16 Amazon 348454.183.0.0/16 Amazon
342054.184.0.0/13 Amazon 348554.184.0.0/13 Amazon
342154.192.0.0/16 Amazon 348654.192.0.0/12 Amazon
342254.193.0.0/16 Amazon 348754.193.0.0/16 Amazon
342354.194.0.0/15 Amazon 348854.194.0.0/15 Amazon
342454.196.0.0/15 Amazon 348954.196.0.0/15 Amazon
@@ -3429,12 +3494,12 @@
342954.204.0.0/15 Amazon 349454.204.0.0/15 Amazon
343054.206.0.0/16 Amazon 349554.206.0.0/16 Amazon
343154.207.0.0/16 Amazon 349654.207.0.0/16 Amazon
343254.208.0.0/15 Amazon 349754.208.0.0/13 Amazon
343354.210.0.0/15 Amazon 349854.210.0.0/15 Amazon
343454.212.0.0/15 Amazon 349954.212.0.0/15 Amazon
343554.214.0.0/16 Amazon 350054.214.0.0/16 Amazon
343654.215.0.0/16 Amazon 350154.215.0.0/16 Amazon
343754.216.0.0/15 Amazon 350254.216.0.0/14 Amazon
343854.218.0.0/16 Amazon 350354.218.0.0/16 Amazon
343954.219.0.0/16 Amazon 350454.219.0.0/16 Amazon
344054.220.0.0/16 Amazon 350554.220.0.0/16 Amazon
@@ -3694,6 +3759,10 @@
369472.21.192.0/19 Amazon 375972.21.192.0/19 Amazon
369572.41.0.0/20 Amazon 376072.41.0.0/20 Amazon
369672.44.32.0/19 Amazon 376172.44.32.0/19 Amazon
376274.127.0.0/18 Amazon
376374.190.0.0/16 Amazon
376474.230.0.0/16 Amazon
376574.250.0.0/16 Amazon
369775.2.0.0/17 Amazon 376675.2.0.0/17 Amazon
369875.101.128.0/17 Amazon 376775.101.128.0/17 Amazon
369976.223.0.0/17 Amazon 376876.223.0.0/17 Amazon
@@ -5675,3 +5744,374 @@
567564.120.69.0/24 Leaseweb 574464.120.69.0/24 Leaseweb
567669.147.236.0/24 Leaseweb 574569.147.236.0/24 Leaseweb
567770.32.34.0/24 Leaseweb 574670.32.34.0/24 Leaseweb
5747
5748
5749
5750# GoDaddy
5751103.1.172.0/22 GoDaddy
5752103.1.172.0/24 GoDaddy
5753103.1.174.0/24 GoDaddy
5754103.1.175.0/24 GoDaddy
5755104.238.64.0/18 GoDaddy
5756104.238.64.0/19 GoDaddy
5757104.238.64.0/22 GoDaddy
5758104.238.64.0/24 GoDaddy
5759107.180.0.0/17 GoDaddy
5760107.180.0.0/18 GoDaddy
5761107.180.100.0/22 GoDaddy
5762107.180.104.0/22 GoDaddy
5763107.180.108.0/22 GoDaddy
5764107.180.120.0/22 GoDaddy
5765107.180.64.0/19 GoDaddy
5766118.139.160.0/19 GoDaddy
5767118.139.160.0/21 GoDaddy
5768132.148.0.0/16 GoDaddy
5769132.148.16.0/20 GoDaddy
5770132.148.16.0/22 GoDaddy
5771132.148.164.0/22 GoDaddy
5772132.148.184.0/21 GoDaddy
5773132.148.192.0/20 GoDaddy
5774132.148.20.0/22 GoDaddy
5775132.148.24.0/22 GoDaddy
5776132.148.32.0/21 GoDaddy
5777148.66.128.0/19 GoDaddy
5778148.66.128.0/22 GoDaddy
5779148.66.136.0/22 GoDaddy
5780148.66.140.0/22 GoDaddy
5781148.66.144.0/21 GoDaddy
5782148.72.0.0/17 GoDaddy
5783148.72.16.0/22 GoDaddy
5784148.72.204.0/22 GoDaddy
5785148.72.204.0/24 GoDaddy
5786148.72.206.0/23 GoDaddy
5787148.72.208.0/21 GoDaddy
5788148.72.220.0/22 GoDaddy
5789148.72.224.0/19 GoDaddy
5790148.72.224.0/20 GoDaddy
5791148.72.240.0/22 GoDaddy
5792148.72.244.0/22 GoDaddy
5793148.72.32.0/21 GoDaddy
5794148.72.32.0/23 GoDaddy
5795148.72.34.0/24 GoDaddy
5796148.72.36.0/24 GoDaddy
5797148.72.4.0/22 GoDaddy
5798148.72.44.0/22 GoDaddy
5799148.72.88.0/22 GoDaddy
5800160.153.32.0/19 GoDaddy
5801160.153.64.0/18 GoDaddy
5802160.153.64.0/19 GoDaddy
5803160.153.96.0/19 GoDaddy
5804166.62.0.0/19 GoDaddy
5805166.62.0.0/22 GoDaddy
5806166.62.0.0/24 GoDaddy
5807166.62.100.0/22 GoDaddy
5808166.62.10.0/23 GoDaddy
5809166.62.1.0/24 GoDaddy
5810166.62.112.0/20 GoDaddy
5811166.62.116.0/22 GoDaddy
5812166.62.120.0/22 GoDaddy
5813166.62.12.0/22 GoDaddy
5814166.62.12.0/24 GoDaddy
5815166.62.13.0/24 GoDaddy
5816166.62.15.0/24 GoDaddy
5817166.62.16.0/22 GoDaddy
5818166.62.17.0/24 GoDaddy
5819166.62.20.0/22 GoDaddy
5820166.62.2.0/24 GoDaddy
5821166.62.23.0/24 GoDaddy
5822166.62.24.0/22 GoDaddy
5823166.62.24.0/24 GoDaddy
5824166.62.25.0/24 GoDaddy
5825166.62.26.0/23 GoDaddy
5826166.62.28.0/22 GoDaddy
5827166.62.3.0/24 GoDaddy
5828166.62.32.0/19 GoDaddy
5829166.62.32.0/22 GoDaddy
5830166.62.36.0/22 GoDaddy
5831166.62.40.0/22 GoDaddy
5832166.62.4.0/22 GoDaddy
5833166.62.4.0/24 GoDaddy
5834166.62.44.0/22 GoDaddy
5835166.62.5.0/24 GoDaddy
5836166.62.52.0/22 GoDaddy
5837166.62.56.0/22 GoDaddy
5838166.62.60.0/22 GoDaddy
5839166.62.6.0/23 GoDaddy
5840166.62.64.0/18 GoDaddy
5841166.62.64.0/19 GoDaddy
5842166.62.80.0/22 GoDaddy
5843166.62.8.0/22 GoDaddy
5844166.62.8.0/24 GoDaddy
5845166.62.84.0/22 GoDaddy
5846166.62.88.0/22 GoDaddy
5847166.62.9.0/24 GoDaddy
5848
5849# IBM cloud service
5850# https://cloud.ibm.com/docs/cloud-infrastructure?topic=cloud-infrastructure-ibm-cloud-ip-ranges
5851# last update Aug 2023
5852159.8.198.0/23 IBM
5853169.38.118.0/23 IBM
5854173.192.118.0/23 IBM
5855192.255.18.0/24 IBM
5856198.23.118.0/23 IBM
5857169.46.118.0/23 IBM
5858169.47.118.0/23 IBM
5859169.48.118.0/24 IBM
5860159.122.118.0/23 IBM
5861161.156.118.0/24 IBM
5862149.81.118.0/23 IBM
58635.10.118.0/23 IBM
5864158.175.127.0/24 IBM
5865141.125.118.0/23 IBM
5866158.176.118.0/23 IBM
5867159.122.138.0/23 IBM
5868169.54.118.0/23 IBM
5869163.68.118.0/24 IBM
5870163.69.118.0/24 IBM
5871163.73.118.0/24 IBM
5872159.8.118.0/23 IBM
5873169.57.138.0/23 IBM
587450.23.118.0/23 IBM
5875169.45.118.0/23 IBM
5876169.62.118.0/24 IBM
5877174.133.118.0/23 IBM
5878168.1.18.0/23 IBM
5879130.198.118.0/23 IBM
5880135.90.118.0/23 IBM
5881161.202.118.0/23 IBM
5882128.168.118.0/23 IBM
5883165.192.118.0/23 IBM
5884158.85.118.0/23 IBM
5885163.74.118.0/23 IBM
5886163.75.118.0/23 IBM
5887208.43.118.0/23 IBM
5888192.255.38.0/24 IBM
5889169.55.118.0/23 IBM
5890169.60.118.0/23 IBM
5891169.61.118.0/23 IBM
5892159.8.197.0/24 IBM
5893169.38.117.0/24 IBM
589450.23.203.0/24 IBM
5895108.168.157.0/24 IBM
5896173.192.117.0/24 IBM
5897192.155.205.0/24 IBM
5898169.46.187.0/24 IBM
5899198.23.117.0/24 IBM
5900169.46.117.0/24 IBM
5901169.47.117.0/24 IBM
5902169.48.117.0/24 IBM
5903159.122.117.0/24 IBM
5904161.156.117.0/24 IBM
5905149.81.117.0/24 IBM
59065.10.117.0/24 IBM
5907158.175.117.0/24 IBM
5908141.125.117.0/24 IBM
5909158.176.117.0/24 IBM
5910159.122.137.0/24 IBM
5911169.54.117.0/24 IBM
5912159.8.117.0/24 IBM
5913169.57.137.0/24 IBM
591450.23.117.0/24 IBM
5915169.45.117.0/24 IBM
5916174.133.117.0/24 IBM
5917168.1.17.0/24 IBM
5918130.198.117.0/24 IBM
5919135.90.117.0/24 IBM
5920161.202.117.0/24 IBM
5921128.168.117.0/24 IBM
5922165.192.117.0/24 IBM
5923158.85.117.0/24 IBM
592450.22.248.0/25 IBM
5925169.54.27.0/24 IBM
5926198.11.250.0/24 IBM
5927208.43.117.0/24 IBM
5928169.55.117.0/24 IBM
5929169.60.117.0/24 IBM
5930169.61.117.0/24 IBM
593112.96.160.0/24 IBM
593266.98.240.192/26 IBM
593367.18.139.0/24 IBM
593467.19.0.0/24 IBM
593570.84.160.0/24 IBM
593670.85.125.0/24 IBM
593775.125.126.8/32 IBM
5938209.85.4.0/26 IBM
5939216.12.193.9/32 IBM
5940216.40.193.0/24 IBM
5941216.234.234.0/24 IBM
5942
5943# Hetzner
5944116.202.0.0/16 Hetzner
5945116.203.0.0/16 Hetzner
5946128.140.0.0/17 Hetzner
5947135.181.0.0/16 Hetzner
5948142.132.128.0/17 Hetzner
5949157.90.0.0/16 Hetzner
5950159.69.0.0/16 Hetzner
5951162.55.0.0/16 Hetzner
5952167.233.0.0/16 Hetzner
5953167.235.0.0/16 Hetzner
5954168.119.0.0/16 Hetzner
5955176.9.0.0/16 Hetzner
5956178.63.0.0/16 Hetzner
5957188.34.128.0/17 Hetzner
5958188.40.0.0/16 Hetzner
5959195.201.0.0/16 Hetzner
5960213.239.192.0/18 Hetzner
596123.88.0.0/17 Hetzner
596237.27.0.0/16 Hetzner
596346.4.0.0/16 Hetzner
596449.12.0.0/16 Hetzner
596549.13.0.0/16 Hetzner
59665.75.128.0/17 Hetzner
59675.9.0.0/16 Hetzner
596865.108.0.0/16 Hetzner
596965.109.0.0/16 Hetzner
597065.21.0.0/16 Hetzner
597178.46.0.0/15 Hetzner
597285.10.192.0/18 Hetzner
597388.198.0.0/16 Hetzner
597488.99.0.0/16 Hetzner
597591.107.128.0/17 Hetzner
597694.130.0.0/16 Hetzner
597795.216.0.0/16 Hetzner
597895.217.0.0/16 Hetzner
5979
5980# Liquid Web
5981159.135.48.0/20 Liquid Web
5982162.212.134.0/24 Liquid Web
5983162.252.104.0/22 Liquid Web
5984172.255.59.0/24 Liquid Web
5985173.199.128.0/18 Liquid Web
5986184.106.55.0/24 Liquid Web
5987192.126.88.0/22 Liquid Web
5988192.133.82.0/24 Liquid Web
5989192.138.16.0/21 Liquid Web
5990192.190.220.0/22 Liquid Web
5991192.251.32.0/24 Liquid Web
5992199.189.224.0/22 Liquid Web
5993199.195.118.0/24 Liquid Web
5994205.174.24.0/22 Liquid Web
5995207.246.248.0/21 Liquid Web
5996208.75.148.0/22 Liquid Web
5997208.79.232.0/21 Liquid Web
5998208.86.152.0/21 Liquid Web
5999209.124.89.0/24 Liquid Web
6000209.188.80.0/20 Liquid Web
6001209.59.128.0/18 Liquid Web
600250.28.0.0/18 Liquid Web
600350.28.5.0/24 Liquid Web
600450.28.64.0/19 Liquid Web
600550.57.240.0/20 Liquid Web
600664.50.144.0/20 Liquid Web
600764.50.144.0/23 Liquid Web
600864.50.148.0/22 Liquid Web
600964.50.152.0/21 Liquid Web
601064.91.224.0/19 Liquid Web
601167.225.128.0/17 Liquid Web
601267.227.128.0/17 Liquid Web
601367.43.0.0/20 Liquid Web
601468.66.211.0/24 Liquid Web
601569.160.56.0/24 Liquid Web
601669.16.192.0/18 Liquid Web
601769.16.222.0/23 Liquid Web
601869.167.128.0/18 Liquid Web
601972.52.128.0/17 Liquid Web
602096.30.0.0/18 Liquid Web
6021
6022# OVH
6023107.189.64.0/18 OVH
6024135.125.0.0/17 OVH
6025135.125.128.0/17 OVH
6026135.148.0.0/17 OVH
6027135.148.128.0/17 OVH
6028137.74.0.0/16 OVH
6029139.99.0.0/17 OVH
6030139.99.128.0/17 OVH
6031141.94.0.0/16 OVH
6032141.95.0.0/17 OVH
6033141.95.128.0/17 OVH
6034142.4.192.0/19 OVH
6035142.44.128.0/17 OVH
6036144.217.0.0/16 OVH
6037145.239.0.0/16 OVH
6038146.59.0.0/16 OVH
6039146.59.0.0/17 OVH
6040147.135.0.0/17 OVH
6041147.135.128.0/17 OVH
6042148.113.0.0/18 OVH
6043148.113.128.0/17 OVH
6044149.202.0.0/16 OVH
6045149.56.0.0/16 OVH
6046151.80.0.0/16 OVH
604715.204.0.0/17 OVH
604815.204.128.0/17 OVH
6049152.228.128.0/17 OVH
605015.235.0.0/17 OVH
605115.235.128.0/17 OVH
6052158.69.0.0/16 OVH
6053162.19.0.0/17 OVH
6054162.19.128.0/17 OVH
6055164.132.0.0/16 OVH
6056167.114.0.0/17 OVH
6057167.114.128.0/18 OVH
6058167.114.192.0/19 OVH
6059176.31.0.0/16 OVH
6060178.32.0.0/15 OVH
6061185.15.68.0/22 OVH
6062185.45.160.0/22 OVH
6063188.165.0.0/16 OVH
6064192.240.152.0/21 OVH
6065192.95.0.0/18 OVH
6066192.99.0.0/16 OVH
6067193.70.0.0/17 OVH
6068198.100.144.0/20 OVH
6069198.244.128.0/17 OVH
6070198.245.48.0/20 OVH
6071198.27.64.0/18 OVH
6072198.27.92.0/24 OVH
6073198.50.128.0/17 OVH
6074213.186.32.0/19 OVH
6075213.251.128.0/18 OVH
6076213.32.0.0/17 OVH
6077217.182.0.0/16 OVH
607823.92.224.0/19 OVH
607937.187.0.0/16 OVH
608037.59.0.0/16 OVH
608140.160.0.0/17 OVH
608246.105.0.0/16 OVH
608346.105.198.0/24 OVH
608446.105.199.0/24 OVH
608546.105.200.0/24 OVH
608646.105.201.0/24 OVH
608746.105.202.0/24 OVH
608846.105.203.0/24 OVH
608946.105.204.0/24 OVH
609046.105.206.0/24 OVH
609146.105.207.0/24 OVH
609246.244.32.0/20 OVH
609351.161.0.0/17 OVH
609451.161.128.0/17 OVH
6095
6096# Ionos
609774.208.0.0/16 Ionos
6098
6099# WPEngine
6100141.193.213.0/24 WPEngine
6101
6102# Dreamhost
6103208.113.128.0/17 Dreamhost
6104
6105# Shopify
610623.227.32.0/19 Shopify
6107
6108# Sucuri
610966.248.200.0/22 Sucuri
6110185.93.228.0/22 Sucuri
6111192.88.134.0/23 Sucuri
6112192.124.249.0/24 Sucuri
6113192.161.0.0/24 Sucuri
6114
6115# HostGator
6116# Bluehost
6117# Squarespace
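--- a/src/lib/syscall.c
+++ b/src/lib/syscall.c
@@ -1104,13 +1104,13 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_pciconfig_write
  "pciconfig_write,"
 #endif
-#ifdef SYS_s390_mmio_read
- "s390_mmio_read,"
+#ifdef SYS_s390_pci_mmio_read
+ "s390_pci_mmio_read,"
 #endif
-#ifdef SYS_s390_mmio_write
- "s390_mmio_write"
+#ifdef SYS_s390_pci_mmio_write
+ "s390_pci_mmio_write"
 #endif
-#if !defined(SYS_ioperm) && !defined(SYS_iopl) && !defined(SYS_pciconfig_iobase) && !defined(SYS_pciconfig_read) && !defined(SYS_pciconfig_write) && !defined(SYS_s390_mmio_read) && !defined(SYS_s390_mmio_write)
+#if !defined(SYS_ioperm) && !defined(SYS_iopl) && !defined(SYS_pciconfig_iobase) && !defined(SYS_pciconfig_read) && !defined(SYS_pciconfig_write) && !defined(SYS_s390_pci_mmio_read) && !defined(SYS_s390_pci_mmio_write)
  "__dummy_syscall__" // workaround for s390x which doesn't have any of above defined and empty syscall lists are not allowed
 #endif
  },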
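Review bot: The comment on the `__dummy_syscall__` fallback still says s390x has none of the above defined, but with the corrected `SYS_s390_pci_mmio_read`/`SYS_s390_pci_mmio_write` names the two s390 entries presumably now match on s390x, so that sentence looks stale. Suggest rewording it generically: `// placeholder: empty syscall lists are not allowed, so add a dummy entry when none of the above is defined on this arch`. The sysgroups array this list belongs to starts outside the hunk. It is also worth confirming that the concatenated list is still well-formed when only `SYS_s390_pci_mmio_read` is defined, since `"s390_pci_mmio_read,"` keeps a trailing comma; that is pre-existing rather than introduced here.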
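--- a/src/man/firejail.1.in
+++ b/src/man/firejail.1.in
@@ -788,7 +788,6 @@ $ firejail \-\-list
 .br
 $ firejail \-\-dns.print=3272
 
-#ifdef HAVE_NETWORK
 .TP
 \fB\-\-dnstrace[=name|pid]
 Monitor DNS queries. The sandbox can be specified by name or pid. Only networked sandboxes
@@ -828,7 +827,6 @@ $ sudo firejail --dnstrace
 .br
 11:32:08 9.9.9.9 www.youtube.com (type 1)
 .br
-#endif
 
 .TP
 \fB\-\-env=name=value
@@ -930,7 +928,6 @@ $ firejail --ignore=seccomp --ignore=caps firefox
 $ firejail \-\-ignore="net eth0" firefox
 #endif
 
-#ifdef HAVE_NETWORK
 .TP
 \fB\-\-icmptrace[=name|pid]
 Monitor ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes
@@ -956,7 +953,6 @@ $ sudo firejail --icmptrace
 .br
 20:53:55 192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination unreachable/Port unreachable
 .br
-#endif
 
 .TP
 \fB\-\-\include=file.profile
@@ -1643,6 +1639,7 @@ PID User RX(KB/s) TX(KB/s) Command
 1294 netblue 53.355 1.473 firejail \-\-net=eth0 firefox
 .br
 7383 netblue 9.045 0.112 firejail \-\-net=eth0 transmission
+#endif
 .TP
 \fB\-\-nettrace[=name|pid]
 Monitor received TCP. UDP, and ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes
@@ -1658,17 +1655,15 @@ Example:
 .br
 $ sudo firejail --nettrace
 .br
- 95 KB/s geoip 457, IP database 4436
-.br
- 52 KB/s *********** 64.222.84.207:443 United States
+ 93 KB/s address:port (protocol) network
 .br
- 33 KB/s ******* 89.147.74.105:63930 Hungary
+ 14 B/s ** 104.24.8.4:443(QUIC) Cloudflare
 .br
- 0 B/s 45.90.28.0:443 NextDNS
+ 80 KB/s ***************** 192.187.97.90:443(TLS) BitChute
 .br
- 0 B/s 94.70.122.176:52309(UDP) Greece
+ 1 B/s 149.56.228.45:443(DoH) Canada
 .br
- 339 B/s 104.26.7.35:443 Cloudflare
+(D)isplay, (S)ave, (C)lear, e(X)it
 .br
 
 .br
@@ -1677,7 +1672,6 @@ the country the traffic originates from is added to the trace.
 We also use the static IP map in /usr/lib/firejail/static-ip-map
 to print the domain names for some of the more common websites and cloud platforms.
 No external services are contacted for reverse IP lookup.
-#endif
 .TP
 \fB\-\-nice=value
 Set nice value for all processes running inside the sandbox.
@@ -2263,6 +2257,18 @@ All modifications are discarded when the sandbox is closed.
 Example:
 .br
 $ firejail --private-opt=firefox /opt/firefox/firefox
+.br
+
+.br
+Note: Program installations in /opt tend to be relatively large and private-opt
+copies the entire path(s) into RAM, which may significantly increase RAM usage
+and break \fBfile-copy-limit\fR in firejail.config.
+Therefore, in general it is recommended to use "whitelist /opt/PATH" instead of
+"private-opt PATH".
+For details, see
+.UR https://github.com/netblue30/firejail/discussions/5307
+#5307
+.UE
 
 .TP
 \fB\-\-private-srv=file,directory
@@ -2850,7 +2856,6 @@ $ firejail \-\-list
 .br
 $ firejail \-\-shutdown=3272
 
-#ifdef HAVE_NETWORK
 .TP
 \fB\-\-snitrace[=name|pid]
 Monitor Server Name Indication (TLS/SNI). The sandbox can be specified by name or pid. Only networked sandboxes
@@ -2892,7 +2897,6 @@ $ sudo firejail --snitrace
 .br
 07:53:11 192.0.73.2 1.gravatar.com
 .br
-#endif
 
 .TP
 \fB\-\-tab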
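--- a/test/fs/kmsg.exp
+++ b/test/fs/kmsg.exp
@@ -7,7 +7,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail\r"
+send -- "firejail --ignore=private-dev\r"
 expect {
  timeout {puts "TESTING ERROR 1\n";exit}
  -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"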
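Review bot: The new `--ignore=private-dev` argument has no comment recording why this test needs it, so a reader cannot tell whether the flag is a workaround for the default profile or part of what the test is checking. Suggest a one-line comment above the send, e.g. `# keep the real /dev so the kmsg check below sees it` (adjust to the actual reason). The expect blocks that act on the result are outside the hunk.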
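--- a/test/sysutils/strings.exp
+++ b/test/sysutils/strings.exp
@@ -13,7 +13,7 @@ sleep 1
 send -- "firejail /usr/bin/strings /usr/bin/firejail > firejail_t2\r"
 sleep 1
 
-send -- "diff -s firejail_t1 firejail_t2\r"
+send -- "diff -s firejail_t1 firejail_t2 | head\r"
 expect {
  timeout {puts "TESTING ERROR 1\n";exit}
  "firejail_t1 and firejail_t2 are identical"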
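Review bot: Piping `diff -s` through `head` is not explained; since the expect pattern only needs the "are identical" line, a short comment such as `# cap diff output so a mismatch does not flood the log` would make the intent clear. Note that test/sysutils/sysutils.sh in this same commit comments out the `./strings.exp` call, so this change is not exercised by the suite as committed.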
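--- a/test/sysutils/sysutils.sh
+++ b/test/sysutils/sysutils.sh
@@ -121,8 +121,8 @@ fi
 
 if command -v wget
 then
- echo "TESTING: wget"
- ./wget.exp
+ echo "TESTING: FIXME: wget"
+ #./wget.exp # FIXME: Broken in CI
 else
  echo "TESTING SKIP: wget not found"
 fi
@@ -137,8 +137,8 @@ fi
 
 if command -v strings
 then
- echo "TESTING: strings"
- ./strings.exp
+ echo "TESTING: FIXME: strings"
+ #./strings.exp # FIXME: Broken since commit 3077b2d1f
 else
  echo "TESTING SKIP: strings not found"
 fi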
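Review bot: The disabled branches still print `TESTING: FIXME: wget` and `TESTING: FIXME: strings`, which reads like a running test in the log and differs from the `TESTING SKIP:` wording the else branches use. Suggest `echo "TESTING SKIP: wget (FIXME: broken in CI)"` and `echo "TESTING SKIP: strings (FIXME: broken since commit 3077b2d1f)"` so anything that tallies skipped tests by the `TESTING SKIP` prefix counts these correctly. The same applies to both hunks of this file.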
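--- a/test/sysutils/wget.exp
+++ b/test/sysutils/wget.exp
@@ -3,7 +3,7 @@
 # Copyright (C) 2014-2023 Firejail Authors
 # License GPL v2
 
-set timeout 10
+set timeout 30
 spawn $env(SHELL)
 match_max 100000
 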
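--- a/test/utils/build.exp
+++ b/test/utils/build.exp
@@ -94,15 +94,19 @@ expect {
 }
 after 100
 
-send -- "firejail --build wget --output-document=~ debian.org\r"
-expect {
- timeout {puts "TESTING ERROR 13\n";exit}
- "protocol"
-}
-expect {
- timeout {puts "TESTING ERROR 13.1\n";exit}
- "inet"
-}
-after 100
+# increase the timeout for remote services
+set timeout 30
+
+# FIXME: Broken in CI
+#send -- "firejail --build wget --output-document=~ debian.org\r"
+#expect {
+# timeout {puts "TESTING ERROR 13\n";exit}
+# "protocol"
+#}
+#expect {
+# timeout {puts "TESTING ERROR 13.1\n";exit}
+# "inet"
+#}
+#after 100
 
 puts "all done\n"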
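Review bot: `set timeout 30` on new line 98 no longer governs anything in this hunk, because the only send/expect pair after it is commented out and `puts "all done\n"` does not wait on output. If the value is meant to be kept for when the `--build wget` check is re-enabled, say so in the comment, e.g. `# increase the timeout for remote services (for the --build wget check below, currently disabled)`. Consider also printing a `TESTING SKIP` line in place of the disabled block so the log shows that the network build check did not run instead of reporting "all done" as if it had.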
diff --git a/test/utils/trace.exp b/test/utils/trace.exp
index 3805955d7..282b52e50 100755
--- a/test/utils/trace.exp
+++ b/test/utils/trace.exp
@@ -52,7 +52,8 @@ expect {
52} 52}
53sleep 1 53sleep 1
54 54
55send -- "firejail --trace wget -q debian.org\r" 55# FIXME: Broken in CI
56#send -- "firejail --trace wget -q debian.org\r"
56#expect { 57#expect {
57# timeout {puts "TESTING ERROR 8.1\n";exit} 58# timeout {puts "TESTING ERROR 8.1\n";exit}
58# -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" 59# -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -62,22 +63,23 @@ send -- "firejail --trace wget -q debian.org\r"
62# "bash:open /dev/tty" {puts "OK\n";} 63# "bash:open /dev/tty" {puts "OK\n";}
63# "bash:open64 /dev/tty" {puts "OK\n";} 64# "bash:open64 /dev/tty" {puts "OK\n";}
64#} 65#}
65expect { 66#expect {
66 timeout {puts "TESTING ERROR 8.3\n";exit} 67# timeout {puts "TESTING ERROR 8.3\n";exit}
67 "wget:fopen64 /etc/wgetrc" {puts "OK\n";} 68# "wget:fopen64 /etc/wgetrc" {puts "OK\n";}
68 "wget:fopen /etc/wgetrc" {puts "OK\n";} 69# "wget:fopen /etc/wgetrc" {puts "OK\n";}
69} 70#}
70expect { 71#expect {
71 timeout {puts "TESTING ERROR 8.5\n";exit} 72# timeout {puts "TESTING ERROR 8.5\n";exit}
72 "wget:connect" 73# "wget:connect"
73} 74#}
74expect { 75#expect {
75 timeout {puts "TESTING ERROR 8.6\n";exit} 76# timeout {puts "TESTING ERROR 8.6\n";exit}
76 "wget:fopen64 index.html" {puts "OK\n";} 77# "wget:stat64 index.html" {puts "OK\n";}
77 "wget:fopen index.html" {puts "OK\n";} 78# "wget:fopen64 index.html" {puts "OK\n";}
78 "Parent is shutting down" {puts "OK\n";} 79# "wget:fopen index.html" {puts "OK\n";}
79} 80# "Parent is shutting down" {puts "OK\n";}
80sleep 1 81#}
82#sleep 1
81 83
82send -- "firejail --trace rm index.html\r" 84send -- "firejail --trace rm index.html\r"
83expect { 85expect {