184 files changed, 1744 insertions, 1299 deletions
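--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -33,10 +33,10 @@ Other context about the problem like related errors to understand the problem.
 **Checklist**
 - [ ] The upstream profile (and redirect profile if exists) have no changes fixing it.
 - [ ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`)
-- [ ] Programs needed for interaction are listed in the profile.
 - [ ] A short search for duplicates was performed.
 - [ ] If it is a AppImage, `--profile=PROFILENAME` is used to set the right profile.
 - [ ] Used `LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM` to get english error-messages.
+- [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers.
 
 
 <details><summary> debug output </summary>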
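--- /dev/null
+++ b/.github/workflows/build-extra.yml
@@ -0,0 +1,52 @@
+name: Build-extra CI
+
+on:
+  push:
+    branches: [ master ]
+    paths-ignore:
+      - CONTRIBUTING.md
+      - README
+      - README.md
+      - RELNOTES
+      - SECURITY.md
+      - 'etc/**'
+  pull_request:
+    branches: [ master ]
+    paths-ignore:
+      - CONTRIBUTING.md
+      - README
+      - README.md
+      - RELNOTES
+      - SECURITY.md
+      - 'etc/**'
+
+jobs:
+  build-clang:
+    if: ${{ ! contains(github.event.commits[0].message, '[skip ci]') }}
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: configure
+      run: CC=clang-10 ./configure --enable-fatal-warnings
+    - name: make
+      run: make
+  scan-build:
+    if: ${{ ! contains(github.event.commits[0].message, '[skip ci]') }}
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: install clang-tools-10
+      run: sudo apt-get install clang-tools-10
+    - name: configure
+      run: CC=clang-10 ./configure --enable-fatal-warnings
+    - name: scan-build
+      run: NO_EXTRA_CFLAGS="yes" scan-build-10 --status-bugs make
+  cppcheck:
+    if: ${{ ! contains(github.event.commits[0].message, '[skip ci]') }}
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: install cppcheck
+      run: sudo apt-get install cppcheck
+    - name: cppcheck
+      run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .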
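Review bot: The `if:` guard on lines 25, 34 and 45 tests `github.event.commits[0].message`, which on a `push` event is, as far as I can tell, the first commit of the push rather than the head commit, and on `pull_request` events the payload carries no `commits` array at all, so the `[skip ci]` check is silently a no-op there; the same condition is added to build.yml (new line 23) and sort.yml (line 15). For push events `github.event.head_commit.message` is the field that holds the commit actually pushed to the tip. The install steps on lines 39 and 50 run `sudo apt-get install` without a preceding `sudo apt-get update`, so they can fail whenever the runner image's package index is stale; `run: sudo apt-get update && sudo apt-get install -y clang-tools-10` is the usual form. `actions/checkout@v2` on lines 28, 37 and 48 is pinned to a floating tag; pinning to a full commit SHA would make the workflow's third-party dependency immutable.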
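--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -3,11 +3,24 @@ name: Build CI
 on:
   push:
     branches: [ master ]
+    paths-ignore:
+      - CONTRIBUTING.md
+      - README
+      - README.md
+      - RELNOTES
+      - SECURITY.md
   pull_request:
     branches: [ master ]
+    paths-ignore:
+      - CONTRIBUTING.md
+      - README
+      - README.md
+      - RELNOTES
+      - SECURITY.md
 
 jobs:
   build_and_test:
+    if: ${{ ! contains(github.event.commits[0].message, '[skip ci]') }}
     runs-on: ubuntu-20.04
     steps:
     - uses: actions/checkout@v2
@@ -21,35 +34,3 @@ jobs:
       run: sudo make install
     - name: run tests
       run: SHELL=/bin/bash make test-github
-  build-clang:
-    runs-on: ubuntu-20.04
-    steps:
-    - uses: actions/checkout@v2
-    - name: configure
-      run: CC=clang-10 ./configure --enable-fatal-warnings
-    - name: make
-      run: make
-  scan-build:
-    runs-on: ubuntu-20.04
-    steps:
-    - uses: actions/checkout@v2
-    - name: install clang-tools-10
-      run: sudo apt-get install clang-tools-10
-    - name: configure
-      run: CC=clang-10 ./configure --enable-fatal-warnings
-    - name: scan-build
-      run: NO_EXTRA_CFLAGS="yes" scan-build-10 --status-bugs make
-  cppcheck:
-    runs-on: ubuntu-20.04
-    steps:
-    - uses: actions/checkout@v2
-    - name: install cppcheck
-      run: sudo apt-get install cppcheck
-    - name: cppcheck
-      run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
-  profile-sort:
-    runs-on: ubuntu-20.04
-    steps:
-    - uses: actions/checkout@v2
-    - name: check profiles
-      run: ./contrib/sort.py etc/*/{*.inc,*.net,*.profile}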
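--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -8,9 +8,23 @@ name: "CodeQL"
 on:
   push:
     branches: [master]
+    paths-ignore:
+      - CONTRIBUTING.md
+      - README
+      - README.md
+      - RELNOTES
+      - SECURITY.md
+      - 'etc/**'
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [master]
+    paths-ignore:
+      - CONTRIBUTING.md
+      - README
+      - README.md
+      - RELNOTES
+      - SECURITY.md
+      - 'etc/**'
   schedule:
     - cron: '0 7 * * 2'
 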
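--- /dev/null
+++ b/.github/workflows/sort.yml
@@ -0,0 +1,21 @@
+name: sort.py
+
+on:
+  push:
+    branches: [ master ]
+    paths:
+      - 'etc/**'
+  pull_request:
+    branches: [ master ]
+    paths:
+      - 'etc/**'
+
+jobs:
+  profile-sort:
+    if: ${{ ! contains(github.event.commits[0].message, '[skip ci]') }}
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: check profiles
+      run: ./contrib/sort.py etc/*/{*.inc,*.profile}
+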
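Review bot: The glob on line 20, `etc/*/{*.inc,*.profile}`, drops the `*.net` pattern that the removed profile-sort job in build.yml (old line 55) passed to sort.py, so `.net` files are no longer checked by CI after this commit; if that is intentional a comment on the step should say so, otherwise restore `run: ./contrib/sort.py etc/*/{*.inc,*.net,*.profile}`. The brace expansion also relies on the job shell being bash, which is the default for `run:` on ubuntu runners but is cheap to make explicit with `shell: bash` on the step.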
@@ -252,12 +252,14 @@ Danil Semelenov (https://github.com/sgtpep) | |||
252 | Dara Adib (https://github.com/daradib) | 252 | Dara Adib (https://github.com/daradib) |
253 | - ssh profile fix | 253 | - ssh profile fix |
254 | - evince profile fix | 254 | - evince profile fix |
255 | - linphone profile fix | ||
255 | Dario Pellegrini (https://github.com/dpellegr) | 256 | Dario Pellegrini (https://github.com/dpellegr) |
256 | - allowing links in netns | 257 | - allowing links in netns |
257 | David Thole (https://github.com/TheDarkTrumpet) | 258 | David Thole (https://github.com/TheDarkTrumpet) |
258 | - added profile for teams-for-linux | 259 | - added profile for teams-for-linux |
259 | Davide Beatrici (https://github.com/davidebeatrici) | 260 | Davide Beatrici (https://github.com/davidebeatrici) |
260 | - steam.profile: correctly blacklist unneeded directories in user's home | 261 | - steam.profile: correctly blacklist unneeded directories in user's home |
262 | - minetest fixes | ||
261 | David Hyrule (https://github.com/Svaag) | 263 | David Hyrule (https://github.com/Svaag) |
262 | - remove nou2f in ssh profile | 264 | - remove nou2f in ssh profile |
263 | Deelvesh Bunjun (https://github.com/DeelveshBunjun) | 265 | Deelvesh Bunjun (https://github.com/DeelveshBunjun) |
@@ -515,6 +517,8 @@ KellerFuchs (https://github.com/KellerFuchs) | |||
515 | - added support for .local profile files in /etc/firejail | 517 | - added support for .local profile files in /etc/firejail |
516 | - fixed Cryptocat profile | 518 | - fixed Cryptocat profile |
517 | - make ~/.local read-only | 519 | - make ~/.local read-only |
520 | Kelvin (https://github.com/kmk3) | ||
521 | - disable ldns utilities | ||
518 | Kishore96in (https://github.com/Kishore96in) | 522 | Kishore96in (https://github.com/Kishore96in) |
519 | - added falkon profile | 523 | - added falkon profile |
520 | - kxmlgui fixes | 524 | - kxmlgui fixes |
@@ -546,6 +550,7 @@ Liorst4 (https://github.com/Liorst4) | |||
546 | - Preserve CFLAGS given to configure in common.mk.in | 550 | - Preserve CFLAGS given to configure in common.mk.in |
547 | - fix emacs config to load as read-write | 551 | - fix emacs config to load as read-write |
548 | - disable browser drm by default | 552 | - disable browser drm by default |
553 | - minetest fixes | ||
549 | Lockdis (https://github.com/Lockdis) | 554 | Lockdis (https://github.com/Lockdis) |
550 | - Added crow, nyx, and google-earth-pro profiles | 555 | - Added crow, nyx, and google-earth-pro profiles |
551 | Lukáš Krejčí (https://github.com/lskrejci) | 556 | Lukáš Krejčí (https://github.com/lskrejci) |
@@ -604,6 +609,7 @@ Neo00001 (https://github.com/Neo00001) | |||
604 | - add vmware profile | 609 | - add vmware profile |
605 | - update virtualbox profile | 610 | - update virtualbox profile |
606 | - update telegram profile | 611 | - update telegram profile |
612 | - add spectacle profile | ||
607 | Nick Fox (https://github.com/njfox) | 613 | Nick Fox (https://github.com/njfox) |
608 | - add a profile alias for code-oss | 614 | - add a profile alias for code-oss |
609 | - add code-oss config directory | 615 | - add code-oss config directory |
@@ -701,6 +707,8 @@ Rahiel Kasim (https://github.com/rahiel) | |||
701 | - added telegram-desktop profile | 707 | - added telegram-desktop profile |
702 | Rahul Golam (https://github.com/technoLord) | 708 | Rahul Golam (https://github.com/technoLord) |
703 | - strings profile | 709 | - strings profile |
710 | RandomVoid (https://github.com/RandomVoid) | ||
711 | - fix building C# projects in Godot | ||
704 | Raphaël Droz (https://github.com/drzraf) | 712 | Raphaël Droz (https://github.com/drzraf) |
705 | - zoom profile fixes | 713 | - zoom profile fixes |
706 | Reiner Herrmann (https://github.com/reinerh) | 714 | Reiner Herrmann (https://github.com/reinerh) |
@@ -953,6 +961,8 @@ Vladimir Schowalter (https://github.com/VladimirSchowalter20) | |||
953 | read-only kde5 services directory | 961 | read-only kde5 services directory |
954 | xee5ch (https://github.com/xee5ch) | 962 | xee5ch (https://github.com/xee5ch) |
955 | - skypeforlinux profile | 963 | - skypeforlinux profile |
964 | Ypnose (https://github.com/Ypnose) | ||
965 | - disable-shell.inc: add mksh shell | ||
956 | yumkam (https://github.com/yumkam) | 966 | yumkam (https://github.com/yumkam) |
957 | - add compile-time option to restrict --net= to root only | 967 | - add compile-time option to restrict --net= to root only |
958 | - man page fixes | 968 | - man page fixes |
@@ -163,7 +163,7 @@ Release discussion: https://github.com/netblue30/firejail/issues/3696 | |||
163 | ### Profile Statistics | 163 | ### Profile Statistics |
164 | 164 | ||
165 | A small tool to print profile statistics. Compile as usual and run in /etc/profiles: | 165 | A small tool to print profile statistics. Compile as usual and run in /etc/profiles: |
166 | ````` | 166 | ``` |
167 | $ sudo cp src/profstats/profstats /etc/firejail/. | 167 | $ sudo cp src/profstats/profstats /etc/firejail/. |
168 | $ cd /etc/firejail | 168 | $ cd /etc/firejail |
169 | $ ./profstats *.profile | 169 | $ ./profstats *.profile |
@@ -191,7 +191,8 @@ Stats: | |||
191 | net none 333 | 191 | net none 333 |
192 | dbus-user none 523 | 192 | dbus-user none 523 |
193 | dbus-system none 632 | 193 | dbus-system none 632 |
194 | ``` | ||
194 | 195 | ||
195 | ### New profiles: | 196 | ### New profiles: |
196 | 197 | ||
197 | spectacle, chromium-browser-privacy | 198 | spectacle, chromium-browser-privacy, gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu, authenticator-rs, servo |
@@ -2,7 +2,11 @@ firejail (0.9.65) baseline; urgency=low | |||
2 | * allow --tmpfs inside $HOME for unprivileged users | 2 | * allow --tmpfs inside $HOME for unprivileged users |
3 | * --disable-usertmpfs compile time option | 3 | * --disable-usertmpfs compile time option |
4 | * allow AF_BLUETOOTH via --protocol=bluetooth | 4 | * allow AF_BLUETOOTH via --protocol=bluetooth |
5 | * new profiles: spectacle, chromium-browser-privacy | 5 | * Setup guide for new users: contrib/firejail-welcome.sh |
6 | * new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer | ||
7 | * new profiles: gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer | ||
8 | * new profiles: straw-viewer, lutris, dolphin-emu, authenticator-rs, servo | ||
9 | |||
6 | -- netblue30 <netblue30@yahoo.com> Wed, 21 Oct 2020 09:00:00 -0500 | 10 | -- netblue30 <netblue30@yahoo.com> Wed, 21 Oct 2020 09:00:00 -0500 |
7 | 11 | ||
8 | firejail (0.9.64) baseline; urgency=low | 12 | firejail (0.9.64) baseline; urgency=low |
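--- /dev/null
+++ b/contrib/firejail-welcome.sh
@@ -0,0 +1,128 @@
+#!/bin/bash
+
+# This file is part of Firejail project
+# Copyright (C) 2020 Firejail Authors
+# License GPL v2
+
+if ! command -v zenity >/dev/null; then
+	echo "Please install zenity."
+	exit 1
+fi
+if ! command -v sudo >/dev/null; then
+	echo "Please install sudo."
+	exit 1
+fi
+
+export LANG=en_US.UTF8
+
+zenity --title=firejail-welcome.sh --text-info --width=750 --height=500 <<EOM
+Welcome to firejail!
+
+This is a quick setup guide for newbies.
+
+Profiles for programs can be found in /etc/firejail. Own customizations should go in a file named
+<profile-name>.local in ~/.config/firejal.
+
+Firejail's own configuration can be found at /etc/firejail/firejail.config.
+
+Please note that running this script a second time can set new options, but does not unset options
+set in a previous run.
+
+Website: https://firejail.wordpress.com
+Bug-Tracker: https://github.com/netblue30/firejail/issues
+Documentation:
+- https://github.com/netblue30/firejail/wiki
+- https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions
+- https://firejail.wordpress.com/documentation-2
+- man:firejail(1) and man:firejail-profile(5)
+
+PS: If you have any improvements for this script, open an issue or pull request.
+EOM
+[[ $? -eq 1 ]] && exit 0
+
+sed_scripts=()
+
+read -r -d $'\0' MSG_Q_BROWSER_DISABLE_U2F <<EOM
+<big><b>Should browsers be allowed to access u2f hardware?</b></big>
+EOM
+
+read -r -d $'\0' MSG_Q_BROWSER_ALLOW_DRM <<EOM
+<big><b>Should browsers be able to play DRM content?</b></big>
+
+\$HOME is noexec,nodev,nosuid by default for the most sandboxes. This means that executing programs which are located in \$HOME,
+is forbidden, the setuid attribute on files is ignored and device files inside \$HOME don't work. Browsers install proprietary
+DRM plug-ins such as Widevine under \$HOME by default. In order to use them, \$HOME must be mounted exec inside the sandbox to
+allow their execution. Clearly, this may help an attacker to start malicious code.
+
+NOTE: Other software written in an interpreter language such as bash, python or java can always be started from \$HOME.
+
+HINT: If <tt>/home</tt> has its own partition, you can mount it <tt>nodev,nosuid</tt> for all programs.
+EOM
+
+read -r -d $'\0' MSG_L_ADVANCED_OPTIONS <<EOM
+You maybe want to set some of these advanced options.
+EOM
+
+read -r -d $'\0' MSG_Q_RUN_FIRECFG <<EOM
+<big><b>Should most programs be started in firejail by default?</b></big>
+EOM
+
+read -r -d $'\0' MSG_I_ROOT_REQUIRED <<EOM
+In order to apply these changes, root privileges are required.
+You will now be asked to enter your password.
+EOM
+
+read -r -d $'\0' MSG_I_FINISH <<EOM
+🥳
+EOM
+
+if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_BROWSER_DISABLE_U2F"; then
+	sed_scripts+=("-e s/# browser-disable-u2f yes/browser-disable-u2f no/")
+fi
+
+if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_BROWSER_ALLOW_DRM"; then
+	sed_scripts+=("-e s/# browser-allow-drm no/browser-allow-drm yes/")
+fi
+
+advanced_options=$(zenity --title=firejail-welcome.sh --list --width=800 --height=200 \
+	--text="$MSG_L_ADVANCED_OPTIONS" --multiple --checklist --separator=" " \
+	--column="" --column=Option --column=Description <<EOM
+
+force-nonewprivs
+Always set nonewprivs, this is a strong mitigation against exploits in firejail. However some programs like chromium or wireshark maybe don't work anymore.
+
+restricted-network
+Restrict all network related commands except 'net none' to root only.
+
+seccomp-error-action=kill
+Kill programs which violate seccomp rules (default: return a error).
+EOM
+)
+
+if [[ $advanced_options == *force-nonewprivs* ]]; then
+	sed_scripts+=("-e s/# force-nonewprivs no/force-nonewprivs yes/")
+fi
+if [[ $advanced_options == *restricted-network* ]]; then
+	sed_scripts+=("-e s/# restricted-network no/restricted-network yes/")
+fi
+if [[ $advanced_options == *seccomp-error-action=kill* ]]; then
+	sed_scripts+=("-e s/# seccomp-error-action EPERM/seccomp-error-action kill/")
+fi
+
+if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_RUN_FIRECFG"; then
+	run_firecfg=true
+fi
+
+zenity --title=firejail-welcome.sh --info --ellipsize --text="$MSG_I_ROOT_REQUIRED"
+
+passwd=$(zenity --title=firejail-welcome.sh --password --cancel-label=OK)
+if [[ -n "${sed_scripts[*]}" ]]; then
+	sudo -S -p "" -- sed -i "${sed_scripts[@]}" /etc/firejail/firejail.config <<<"$passwd" || { zenity --title=firejail-welcome.sh --error; exit 1; };
+fi
+if [[ "$run_firecfg" == "true" ]]; then
+	sudo -S -p "" -- firecfg <<<"$passwd" || { zenity --title=firejail-welcome.sh --error; exit 1; };
+fi
+sudo -k
+unset passwd
+
+zenity --title=firejail-welcome.sh --info --icon-name=security-medium-symbolic --text="$MSG_I_FINISH"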
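Review bot: The welcome text on line 24 tells users to put their `.local` files in `~/.config/firejal`, a typo for `~/.config/firejail` (line 23 and the `/etc/firejail/firejail.config` path on line 26 spell it correctly), so a new user following the guide will create customizations in a directory that is never read. Lines 116–118 then prompt for the password unconditionally, even when no option was ticked and `run_firecfg` is unset, and the exit status of the password dialog is never checked, so a cancelled dialog (whose cancel button is relabelled `OK`) still feeds an empty string to `sudo -S` on line 120 and ends in the generic `--error` box. The two `exit 1` branches on lines 120 and 123 also leave the sudo timestamp valid, because `sudo -k` on line 125 is only reached on success. The rewrite below skips the prompt when there is nothing to apply, bails out on a cancelled dialog, and invalidates the timestamp before exiting on error.
```shell
# … unchanged: option dialogs, sed_scripts and run_firecfg handling …
if [[ ${#sed_scripts[@]} -eq 0 && $run_firecfg != true ]]; then
	zenity --title=firejail-welcome.sh --info --icon-name=security-medium-symbolic --text="$MSG_I_FINISH"
	exit 0
fi

zenity --title=firejail-welcome.sh --info --ellipsize --text="$MSG_I_ROOT_REQUIRED"

passwd=$(zenity --title=firejail-welcome.sh --password --cancel-label=OK) || exit 1
if [[ -n "${sed_scripts[*]}" ]]; then
	sudo -S -p "" -- sed -i "${sed_scripts[@]}" /etc/firejail/firejail.config <<<"$passwd" || { sudo -k; zenity --title=firejail-welcome.sh --error; exit 1; }
fi
if [[ "$run_firecfg" == "true" ]]; then
	sudo -S -p "" -- firecfg <<<"$passwd" || { sudo -k; zenity --title=firejail-welcome.sh --error; exit 1; }
fi
# … unchanged: sudo -k, unset passwd, final dialog …
```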
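--- /dev/null
+++ b/etc/inc/archiver-common.inc
@@ -0,0 +1,53 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include archiver-common.local
+
+# common profile for archiver/compression tools
+
+blacklist ${RUNUSER}
+
+# WARNING:
+# Users can (un)restrict file access for **all** archivers by commenting/uncommenting the needed
+# include file(s) here or by putting those into archiver-common.local.
+# Another option is to do this **per archiver** in the relevant <archiver>.local.
+# Just beware that things tend to break when overtightening profiles. For example, because you only
+# need to (un)compress files in ${DOWNLOADS}, other applications may need access to ${HOME}/.local/share.
+
+# Uncomment the next line (or put it into your archiver-common.local) if you don't need to compress files in disable-common.inc.
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# Uncomment the next line (or put it into your archiver-common.local) if you don't need to compress files in disable-programs.inc.
+#include disable-programs.inc
+include disable-shell.inc
+
+apparmor
+caps.drop all
+hostname archiver
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-cache
+private-dev
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute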
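Review bot: `#noroot` on line 36 is left commented out without saying why, while every neighbouring option in the block is enabled, so the next editor is likely to "fix" it by uncommenting; a short comment such as `# noroot is disabled here because <reason — TODO state it>` would record the intent. The comments on lines 16 and 22 read `if you don't need to compress files in disable-common.inc`, which can be read as files inside that include rather than files it blacklists; `# ... if you don't need to (un)compress files that disable-common.inc blacklists.` says what is meant. Since disable-common.inc is what carries the read-only and blacklist rules touched elsewhere in this commit, leaving it out of every archiver by default deserves a sentence in the WARNING block explaining that trade-off.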
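--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -280,6 +280,7 @@ read-only ${HOME}/.plan
 read-only ${HOME}/.profile
 read-only ${HOME}/.project
 read-only ${HOME}/.tcshrc
+read-only ${HOME}/.zfunc
 read-only ${HOME}/.zlogin
 read-only ${HOME}/.zlogout
 read-only ${HOME}/.zprofile
@@ -302,6 +303,7 @@ read-only ${HOME}/.exrc
 read-only ${HOME}/.gvimrc
 read-only ${HOME}/.homesick
 read-only ${HOME}/.iscreenrc
+read-only ${HOME}/.local/lib
 read-only ${HOME}/.local/share/cool-retro-term
 read-only ${HOME}/.mailcap
 read-only ${HOME}/.msmtprc
@@ -513,18 +515,24 @@ blacklist /proc/config.gz
 # prevent DNS malware attempting to communicate with the server
 # using regular DNS tools
 blacklist ${PATH}/dig
-blacklist ${PATH}/kdig
-blacklist ${PATH}/nslookup
-blacklist ${PATH}/host
 blacklist ${PATH}/dlint
-blacklist ${PATH}/dnswalk
 blacklist ${PATH}/dns2tcp
+blacklist ${PATH}/dnssec-*
+blacklist ${PATH}/dnswalk
+blacklist ${PATH}/drill
+blacklist ${PATH}/host
 blacklist ${PATH}/iodine
+blacklist ${PATH}/kdig
+blacklist ${PATH}/khost
 blacklist ${PATH}/knsupdate
+blacklist ${PATH}/ldns-*
+blacklist ${PATH}/ldnsd
+blacklist ${PATH}/nslookup
 blacklist ${PATH}/resolvectl
+blacklist ${PATH}/unbound-host
 
 # rest of ${RUNUSER}
 blacklist ${RUNUSER}/*.lock
 blacklist ${RUNUSER}/inaccessible
-blacklist ${RUNUSER}/update-notifier.pid
 blacklist ${RUNUSER}/pk-debconf-socket
+blacklist ${RUNUSER}/update-notifier.pid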
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 7e3c0b657..7ab11e620 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
@@ -188,6 +188,7 @@ blacklist ${HOME}/.config/chromium-flags.conf | |||
188 | blacklist ${HOME}/.config/clipit | 188 | blacklist ${HOME}/.config/clipit |
189 | blacklist ${HOME}/.config/cliqz | 189 | blacklist ${HOME}/.config/cliqz |
190 | blacklist ${HOME}/.config/cmus | 190 | blacklist ${HOME}/.config/cmus |
191 | blacklist ${HOME}/.config/com.github.bleakgrey.tootle | ||
191 | blacklist ${HOME}/.config/corebird | 192 | blacklist ${HOME}/.config/corebird |
192 | blacklist ${HOME}/.config/cower | 193 | blacklist ${HOME}/.config/cower |
193 | blacklist ${HOME}/.config/darktable | 194 | blacklist ${HOME}/.config/darktable |
@@ -200,6 +201,7 @@ blacklist ${HOME}/.config/discord | |||
200 | blacklist ${HOME}/.config/discordcanary | 201 | blacklist ${HOME}/.config/discordcanary |
201 | blacklist ${HOME}/.config/dkl | 202 | blacklist ${HOME}/.config/dkl |
202 | blacklist ${HOME}/.config/dnox | 203 | blacklist ${HOME}/.config/dnox |
204 | blacklist ${HOME}/.config/dolphin-emu | ||
203 | blacklist ${HOME}/.config/dolphinrc | 205 | blacklist ${HOME}/.config/dolphinrc |
204 | blacklist ${HOME}/.config/dragonplayerrc | 206 | blacklist ${HOME}/.config/dragonplayerrc |
205 | blacklist ${HOME}/.config/draw.io | 207 | blacklist ${HOME}/.config/draw.io |
@@ -293,6 +295,7 @@ blacklist ${HOME}/.config/libreoffice | |||
293 | blacklist ${HOME}/.config/liferea | 295 | blacklist ${HOME}/.config/liferea |
294 | blacklist ${HOME}/.config/linphone | 296 | blacklist ${HOME}/.config/linphone |
295 | blacklist ${HOME}/.config/lugaru | 297 | blacklist ${HOME}/.config/lugaru |
298 | blacklist ${HOME}/.config/lutris | ||
296 | blacklist ${HOME}/.config/lximage-qt | 299 | blacklist ${HOME}/.config/lximage-qt |
297 | blacklist ${HOME}/.config/mailtransports | 300 | blacklist ${HOME}/.config/mailtransports |
298 | blacklist ${HOME}/.local/share/man | 301 | blacklist ${HOME}/.local/share/man |
@@ -300,11 +303,13 @@ blacklist ${HOME}/.config/mana | |||
300 | blacklist ${HOME}/.config/mate-calc | 303 | blacklist ${HOME}/.config/mate-calc |
301 | blacklist ${HOME}/.config/mate/eom | 304 | blacklist ${HOME}/.config/mate/eom |
302 | blacklist ${HOME}/.config/mate/mate-dictionary | 305 | blacklist ${HOME}/.config/mate/mate-dictionary |
306 | blacklist ${HOME}/.config/matrix-mirage | ||
303 | blacklist ${HOME}/.config/meld | 307 | blacklist ${HOME}/.config/meld |
304 | blacklist ${HOME}/.config/meteo-qt | 308 | blacklist ${HOME}/.config/meteo-qt |
305 | blacklist ${HOME}/.config/menulibre.cfg | 309 | blacklist ${HOME}/.config/menulibre.cfg |
306 | blacklist ${HOME}/.config/mfusion | 310 | blacklist ${HOME}/.config/mfusion |
307 | blacklist ${HOME}/.config/Microsoft | 311 | blacklist ${HOME}/.config/Microsoft |
312 | blacklist ${HOME}/.config/microsoft-edge-dev | ||
308 | blacklist ${HOME}/.config/midori | 313 | blacklist ${HOME}/.config/midori |
309 | blacklist ${HOME}/.config/mirage | 314 | blacklist ${HOME}/.config/mirage |
310 | blacklist ${HOME}/.config/mono | 315 | blacklist ${HOME}/.config/mono |
@@ -378,6 +383,7 @@ blacklist ${HOME}/.config/spotify | |||
378 | blacklist ${HOME}/.config/sqlitebrowser | 383 | blacklist ${HOME}/.config/sqlitebrowser |
379 | blacklist ${HOME}/.config/stellarium | 384 | blacklist ${HOME}/.config/stellarium |
380 | blacklist ${HOME}/.config/strawberry | 385 | blacklist ${HOME}/.config/strawberry |
386 | blacklist ${HOME}/.config/straw-viewer | ||
381 | blacklist ${HOME}/.config/supertuxkart | 387 | blacklist ${HOME}/.config/supertuxkart |
382 | blacklist ${HOME}/.config/synfig | 388 | blacklist ${HOME}/.config/synfig |
383 | blacklist ${HOME}/.config/teams | 389 | blacklist ${HOME}/.config/teams |
@@ -427,6 +433,7 @@ blacklist ${HOME}/.config/Zulip | |||
427 | blacklist ${HOME}/.conkeror.mozdev.org | 433 | blacklist ${HOME}/.conkeror.mozdev.org |
428 | blacklist ${HOME}/.crawl | 434 | blacklist ${HOME}/.crawl |
429 | blacklist ${HOME}/.cups | 435 | blacklist ${HOME}/.cups |
436 | blacklist ${HOME}/.curl-hsts | ||
430 | blacklist ${HOME}/.curlrc | 437 | blacklist ${HOME}/.curlrc |
431 | blacklist ${HOME}/.dashcore | 438 | blacklist ${HOME}/.dashcore |
432 | blacklist ${HOME}/.devilspie | 439 | blacklist ${HOME}/.devilspie |
@@ -549,6 +556,7 @@ blacklist ${HOME}/.kino-history | |||
549 | blacklist ${HOME}/.kinorc | 556 | blacklist ${HOME}/.kinorc |
550 | blacklist ${HOME}/.klatexformula | 557 | blacklist ${HOME}/.klatexformula |
551 | blacklist ${HOME}/.kodi | 558 | blacklist ${HOME}/.kodi |
559 | blacklist ${HOME}/.librewolf | ||
552 | blacklist ${HOME}/.lincity-ng | 560 | blacklist ${HOME}/.lincity-ng |
553 | blacklist ${HOME}/.links | 561 | blacklist ${HOME}/.links |
554 | blacklist ${HOME}/.linphone-history.db | 562 | blacklist ${HOME}/.linphone-history.db |
@@ -584,6 +592,7 @@ blacklist ${HOME}/.local/share/agenda | |||
584 | blacklist ${HOME}/.local/share/apps/korganizer | 592 | blacklist ${HOME}/.local/share/apps/korganizer |
585 | blacklist ${HOME}/.local/share/aspyr-media | 593 | blacklist ${HOME}/.local/share/aspyr-media |
586 | blacklist ${HOME}/.local/share/autokey | 594 | blacklist ${HOME}/.local/share/autokey |
595 | blacklist ${HOME}/.local/share/authenticator-rs | ||
587 | blacklist ${HOME}/.local/share/backintime | 596 | blacklist ${HOME}/.local/share/backintime |
588 | blacklist ${HOME}/.local/share/baloo | 597 | blacklist ${HOME}/.local/share/baloo |
589 | blacklist ${HOME}/.local/share/barrier | 598 | blacklist ${HOME}/.local/share/barrier |
@@ -603,6 +612,7 @@ blacklist ${HOME}/.local/share/data/nomacs | |||
603 | blacklist ${HOME}/.local/share/data/qBittorrent | 612 | blacklist ${HOME}/.local/share/data/qBittorrent |
604 | blacklist ${HOME}/.local/share/dino | 613 | blacklist ${HOME}/.local/share/dino |
605 | blacklist ${HOME}/.local/share/dolphin | 614 | blacklist ${HOME}/.local/share/dolphin |
615 | blacklist ${HOME}/.local/share/dolphin-emu | ||
606 | blacklist ${HOME}/.local/share/emailidentities | 616 | blacklist ${HOME}/.local/share/emailidentities |
607 | blacklist ${HOME}/.local/share/epiphany | 617 | blacklist ${HOME}/.local/share/epiphany |
608 | blacklist ${HOME}/.local/share/evolution | 618 | blacklist ${HOME}/.local/share/evolution |
@@ -661,8 +671,10 @@ blacklist ${HOME}/.local/share/local-mail | |||
661 | blacklist ${HOME}/.local/share/lollypop | 671 | blacklist ${HOME}/.local/share/lollypop |
662 | blacklist ${HOME}/.local/share/love | 672 | blacklist ${HOME}/.local/share/love |
663 | blacklist ${HOME}/.local/share/lugaru | 673 | blacklist ${HOME}/.local/share/lugaru |
674 | blacklist ${HOME}/.local/share/lutris | ||
664 | blacklist ${HOME}/.local/share/mana | 675 | blacklist ${HOME}/.local/share/mana |
665 | blacklist ${HOME}/.local/share/maps-places.json | 676 | blacklist ${HOME}/.local/share/maps-places.json |
677 | blacklist ${HOME}/.local/share/matrix-mirage | ||
666 | blacklist ${HOME}/.local/share/meld | 678 | blacklist ${HOME}/.local/share/meld |
667 | blacklist ${HOME}/.local/share/midori | 679 | blacklist ${HOME}/.local/share/midori |
668 | blacklist ${HOME}/.local/share/mirage | 680 | blacklist ${HOME}/.local/share/mirage |
@@ -793,7 +805,7 @@ blacklist ${HOME}/.synfig | |||
793 | blacklist ${HOME}/.tb | 805 | blacklist ${HOME}/.tb |
794 | blacklist ${HOME}/.tconn | 806 | blacklist ${HOME}/.tconn |
795 | blacklist ${HOME}/.teeworlds | 807 | blacklist ${HOME}/.teeworlds |
796 | blacklist ${HOME}/.texlive2018 | 808 | blacklist ${HOME}/.texlive20* |
797 | blacklist ${HOME}/.thunderbird | 809 | blacklist ${HOME}/.thunderbird |
798 | blacklist ${HOME}/.tilp | 810 | blacklist ${HOME}/.tilp |
799 | blacklist ${HOME}/.tooling | 811 | blacklist ${HOME}/.tooling |
@@ -883,6 +895,7 @@ blacklist ${HOME}/.cache/deja-dup | |||
883 | blacklist ${HOME}/.cache/discover | 895 | blacklist ${HOME}/.cache/discover |
884 | blacklist ${HOME}/.cache/dnox | 896 | blacklist ${HOME}/.cache/dnox |
885 | blacklist ${HOME}/.cache/dolphin | 897 | blacklist ${HOME}/.cache/dolphin |
898 | blacklist ${HOME}/.cache/dolphin-emu | ||
886 | blacklist ${HOME}/.cache/ephemeral | 899 | blacklist ${HOME}/.cache/ephemeral |
887 | blacklist ${HOME}/.cache/epiphany | 900 | blacklist ${HOME}/.cache/epiphany |
888 | blacklist ${HOME}/.cache/evolution | 901 | blacklist ${HOME}/.cache/evolution |
@@ -931,8 +944,12 @@ blacklist ${HOME}/.cache/ksplashqml | |||
931 | blacklist ${HOME}/.cache/kube | 944 | blacklist ${HOME}/.cache/kube |
932 | blacklist ${HOME}/.cache/kwin | 945 | blacklist ${HOME}/.cache/kwin |
933 | blacklist ${HOME}/.cache/libgweather | 946 | blacklist ${HOME}/.cache/libgweather |
947 | blacklist ${HOME}/.cache/librewolf | ||
934 | blacklist ${HOME}/.cache/liferea | 948 | blacklist ${HOME}/.cache/liferea |
949 | blacklist ${HOME}/.cache/lutris | ||
935 | blacklist ${HOME}/.cache/Mendeley Ltd. | 950 | blacklist ${HOME}/.cache/Mendeley Ltd. |
951 | blacklist ${HOME}/.cache/matrix-mirage | ||
952 | blacklist ${HOME}/.cache/microsoft-edge-dev | ||
936 | blacklist ${HOME}/.cache/midori | 953 | blacklist ${HOME}/.cache/midori |
937 | blacklist ${HOME}/.cache/minetest | 954 | blacklist ${HOME}/.cache/minetest |
938 | blacklist ${HOME}/.cache/mirage | 955 | blacklist ${HOME}/.cache/mirage |
@@ -948,7 +965,7 @@ blacklist ${HOME}/.cache/ms-skype-online | |||
948 | blacklist ${HOME}/.cache/ms-word-online | 965 | blacklist ${HOME}/.cache/ms-word-online |
949 | blacklist ${HOME}/.cache/mutt | 966 | blacklist ${HOME}/.cache/mutt |
950 | blacklist ${HOME}/.cache/mypaint | 967 | blacklist ${HOME}/.cache/mypaint |
951 | blacklist ${HOME}/.cache/nheko/nheko | 968 | blacklist ${HOME}/.cache/nheko |
952 | blacklist ${HOME}/.cache/netsurf | 969 | blacklist ${HOME}/.cache/netsurf |
953 | blacklist ${HOME}/.cache/okular | 970 | blacklist ${HOME}/.cache/okular |
954 | blacklist ${HOME}/.cache/opera | 971 | blacklist ${HOME}/.cache/opera |
@@ -972,6 +989,7 @@ blacklist ${HOME}/.cache/smuxi | |||
972 | blacklist ${HOME}/.cache/snox | 989 | blacklist ${HOME}/.cache/snox |
973 | blacklist ${HOME}/.cache/spotify | 990 | blacklist ${HOME}/.cache/spotify |
974 | blacklist ${HOME}/.cache/strawberry | 991 | blacklist ${HOME}/.cache/strawberry |
992 | blacklist ${HOME}/.cache/straw-viewer | ||
975 | blacklist ${HOME}/.cache/supertuxkart | 993 | blacklist ${HOME}/.cache/supertuxkart |
976 | blacklist ${HOME}/.cache/systemsettings | 994 | blacklist ${HOME}/.cache/systemsettings |
977 | blacklist ${HOME}/.cache/telepathy | 995 | blacklist ${HOME}/.cache/telepathy |
@@ -986,6 +1004,7 @@ blacklist ${HOME}/.cache/vmware | |||
986 | blacklist ${HOME}/.cache/warsow-2.1 | 1004 | blacklist ${HOME}/.cache/warsow-2.1 |
987 | blacklist ${HOME}/.cache/waterfox | 1005 | blacklist ${HOME}/.cache/waterfox |
988 | blacklist ${HOME}/.cache/wesnoth | 1006 | blacklist ${HOME}/.cache/wesnoth |
1007 | blacklist ${HOME}/.cache/winetricks | ||
989 | blacklist ${HOME}/.cache/xmms2 | 1008 | blacklist ${HOME}/.cache/xmms2 |
990 | blacklist ${HOME}/.cache/xreader | 1009 | blacklist ${HOME}/.cache/xreader |
991 | blacklist ${HOME}/.cache/yandex-browser | 1010 | blacklist ${HOME}/.cache/yandex-browser |
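--- a/etc/inc/disable-shell.inc
+++ b/etc/inc/disable-shell.inc
@@ -8,6 +8,7 @@ blacklist ${PATH}/dash
 blacklist ${PATH}/fish
 blacklist ${PATH}/ksh
 blacklist ${PATH}/mksh
+blacklist ${PATH}/oksh
 blacklist ${PATH}/sh
 blacklist ${PATH}/tclsh
 blacklist ${PATH}/tcsh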
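--- a/etc/inc/disable-write-mnt.inc
+++ b/etc/inc/disable-write-mnt.inc
@@ -2,7 +2,7 @@
 # Persistent customizations should go in a .local file.
 include disable-write-mnt.local
 
-read-only /mnt
 read-only /media
-read-only /run/mount
+read-only /mnt
 read-only /run/media
+read-only /run/mount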
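--- a/etc/inc/whitelist-common.inc
+++ b/etc/inc/whitelist-common.inc
@@ -1,4 +1,5 @@
-# Local customizations come here
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
 include whitelist-common.local
 
 # common whitelist for all profiles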
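--- a/etc/inc/whitelist-players.inc
+++ b/etc/inc/whitelist-player-common.inc
@@ -1,5 +1,6 @@
-# Local customizations come here
-include whitelist-players.local
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include whitelist-player-common.local
 
 # common whitelist for all media players
 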
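--- a/etc/inc/whitelist-runuser-common.inc
+++ b/etc/inc/whitelist-runuser-common.inc
@@ -1,4 +1,5 @@
-# Local customizations come here
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
 include whitelist-runuser-common.local
 
 # common ${RUNUSER} (=/run/user/$UID) whitelist for all profiles
@@ -10,4 +11,5 @@ whitelist ${RUNUSER}/ICEauthority
 whitelist ${RUNUSER}/.mutter-Xwaylandauth.*
 whitelist ${RUNUSER}/pulse/native
 whitelist ${RUNUSER}/wayland-0
+whitelist ${RUNUSER}/wayland-1
 whitelist ${RUNUSER}/xauth_*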
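Review bot: `whitelist ${RUNUSER}/wayland-1` is added as a second hard-coded socket name next to `wayland-0` with no comment, while the neighbouring entries (`.mutter-Xwaylandauth.*`, `xauth_*`) use globs, so the next reader cannot tell whether -1 is a deliberate minimum or the start of an open-ended list. A short reason would prevent ad-hoc additions of wayland-2 and beyond, e.g. `# a compositor takes the next free name when wayland-0 is already in use`. Since this file is included by many profiles, each socket name listed here hands every such sandbox a path to the compositor, so the set should stay explicit and as small as possible rather than grow into a `wayland-*` glob.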
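--- a/etc/inc/whitelist-usr-share-common.inc
+++ b/etc/inc/whitelist-usr-share-common.inc
@@ -1,4 +1,5 @@
-# Local customizations come here
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
 include whitelist-usr-share-common.local
 
 # common /usr/share whitelist for all profiles
@@ -60,6 +61,8 @@ whitelist /usr/share/texlive
 whitelist /usr/share/texmf
 whitelist /usr/share/themes
 whitelist /usr/share/thumbnail.so
+whitelist /usr/share/vulkan
 whitelist /usr/share/X11
 whitelist /usr/share/xml
+whitelist /usr/share/zenity
 whitelist /usr/share/zoneinfo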
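--- a/etc/inc/whitelist-var-common.inc
+++ b/etc/inc/whitelist-var-common.inc
@@ -1,4 +1,5 @@
-# Local customizations come here
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
 include whitelist-var-common.local
 
 # common /var whitelist for all profiles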
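--- a/etc/profile-a-l/7z.profile
+++ b/etc/profile-a-l/7z.profile
@@ -7,41 +7,6 @@ include 7z.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-apparmor
-caps.drop all
-hostname 7z
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-#nogroups
-nonewprivs
-#noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-x11 none
-
-#private-bin 7z,7z*,p7zip
-private-cache
-private-dev
-
-dbus-user none
-dbus-system none
-
-memory-deny-write-execute
+noblacklist ${PATH}/bash
+noblacklist ${PATH}/sh
+include archiver-common.inc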
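Review bot: The new `noblacklist ${PATH}/bash` and `noblacklist ${PATH}/sh` lines carry no comment, so a reader cannot tell why a shell is being re-enabled for an archiver whose previous profile got by without one; a shell inside the sandbox is exactly what a crafted-archive exploit would try to reach, so the reason belongs in the profile, e.g. `# the 7z front-end is a shell wrapper on some distributions, so sh/bash must stay reachable — confirm`. The old `blacklist ${RUNUSER}/wayland-*` line is dropped here and likewise in the ar, atool, bsdtar and cpio sections with no visible replacement; if archiver-common.inc (not part of this chunk) does not carry it, those sandboxes regain access to the compositor socket. The formerly commented `#noroot` is gone too, so whether the common include applies `noroot` cannot be confirmed from this diff (the atool section adds it explicitly after the include, which suggests the common file does not).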
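--- /dev/null
+++ b/etc/profile-a-l/alacarte.profile
@@ -0,0 +1,64 @@
+# Firejail profile for alacarte
+# Description: Create desktop and menu launchers easily
+# This file is overwritten after every install/update
+# Persistent local customizations
+include alacarte.local
+# Persistent global definitions
+include globals.local
+
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-passwdmgr.inc
+include disable-xdg.inc
+
+# Whitelist your system icon directory,varies by distro
+whitelist /usr/share/alacarte
+whitelist /usr/share/app-info
+whitelist /usr/share/desktop-directories
+whitelist /usr/share/icons
+whitelist /var/lib/app-info/icons
+whitelist /var/lib/flatpak/exports/share/applications
+whitelist /var/lib/flatpak/exports/share/icons
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+# private-bin alacarte,bash,python*,sh
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-write ${HOME}/.config/menus
+read-write ${HOME}/.gnome/apps
+read-write ${HOME}/.local/share/applications
+read-write ${HOME}/.local/share/flatpak/exports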
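Review bot: The four `read-write ${HOME}/...` lines at the end of the new profile are its most security-relevant lines and carry no comment: anything written to `~/.local/share/applications` or `~/.config/menus` becomes a launcher the desktop will run outside the sandbox, and these directories are presumably made read-only by disable-common.inc (not in this chunk), which the override reverts. State that explicitly, e.g. `# alacarte edits menu entries: the launcher directories protected by disable-common.inc must be writable here`. The comment `# Whitelist your system icon directory,varies by distro` is missing a space after the comma and reads as an instruction to edit this file, which the header says is overwritten on install; `# system icon directories vary by distro; add yours in alacarte.local` would match the `include alacarte.local` convention.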
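--- a/etc/profile-a-l/ar.profile
+++ b/etc/profile-a-l/ar.profile
@@ -7,42 +7,4 @@ include ar.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-shell.inc
-
-apparmor
-caps.drop all
-hostname ar
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-#noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-x11 none
-
-private-bin ar
-private-cache
-private-dev
-
-dbus-user none
-dbus-system none
-
-memory-deny-write-execute
+include archiver-common.inc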
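Review bot: `private-bin ar` is removed and nothing in the new lines replaces it, so unless archiver-common.inc (outside this chunk) sets a `private-bin` of its own, the sandbox now sees every binary on PATH instead of the single tool; the bsdtar section has the same problem, losing its `private-bin bash,bsdcat,bsdcpio,...,xz` list. A per-tool private-bin cannot reasonably live in a shared include, so keep it in the profile after the include line: `private-bin ar`. If the removal is deliberate, a one-line comment saying where the replacement lives would save the next reader the lookup.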
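--- a/etc/profile-a-l/atom.profile
+++ b/etc/profile-a-l/atom.profile
@@ -6,31 +6,27 @@ include atom.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore include disable-devel.inc
+ignore include disable-interpreters.inc
+ignore include disable-xdg.inc
+ignore whitelist ${DOWNLOADS}
+ignore include whitelist-common.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore apparmor
+ignore disable-mnt
+
 noblacklist ${HOME}/.atom
 noblacklist ${HOME}/.config/Atom
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
 
-include disable-common.inc
-include disable-exec.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-caps.keep sys_admin,sys_chroot
 # net none
 netfilter
-nodvd
-nogroups
 nosound
-notv
-nou2f
-novideo
-shell none
-
-private-cache
-private-dev
-private-tmp
 
-dbus-user none
-dbus-system none
+# Redirect
+include electron.profile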
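Review bot: The `ignore apparmor` and `ignore disable-mnt` lines in the new block switch off two of the strongest controls electron.profile would otherwise apply, and the comment `# Disabled until someone reported positive feedback` (repeated with a different list in the beaker section) does not say which ignored item is actually known to break the application, so nobody can retire the lines one at a time. Give each line its reason or point to a tracking reference, e.g. `# Disabled until someone reports positive feedback, see <tracking issue placeholder>`. The old `caps.keep sys_admin,sys_chroot` line is dropped without a replacement in this section; if electron.profile (not in this chunk) does not carry it, Atom's capability set changes silently, which deserves a one-line comment either way.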
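--- a/etc/profile-a-l/atool.profile
+++ b/etc/profile-a-l/atool.profile
@@ -7,47 +7,12 @@ include atool.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
-
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
+include archiver-common.inc
 
-include disable-common.inc
-# include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-apparmor
-caps.drop all
-hostname atool
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
 noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-x11 none
 
-# private-bin atool,perl
-private-cache
-private-dev
 # without login.defs atool complains and uses UID/GID 1000 by default
 private-etc alternatives,group,login.defs,passwd
 private-tmp
-
-dbus-user none
-dbus-system none
-
-memory-deny-write-execute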
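--- /dev/null
+++ b/etc/profile-a-l/authenticator-rs.profile
@@ -0,0 +1,55 @@
+# Firejail profile for authenticator-rs
+# Description: Rust based 2FA authentication program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include authenticator-rs.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/authenticator-rs
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/authenticator-rs
+whitelist ${HOME}/.local/share/authenticator-rs
+whitelist ${DOWNLOADS}
+whitelist /usr/share/uk.co.grumlimited.authenticator-rs
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin authenticator-rs
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,pki,resolv.conf,ssl,xdg
+private-tmp
+
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-system none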
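Review bot: This sandbox holds the user's 2FA seeds under `${HOME}/.local/share/authenticator-rs`, yet it is granted `netfilter`, `protocol unix,inet,inet6` and `whitelist ${DOWNLOADS}` without a word on why a TOTP generator needs the network or the downloads directory; a compromised process could carry the seeds out through either path, so each grant should be justified in place, e.g. `# network for fetching provider icons — confirm` above `netfilter` and `# ${DOWNLOADS} for account backup import/export — confirm` above the whitelist. If the network turns out to be needed only for a cosmetic feature, `net none` would be the safer default for a credential store, with the relaxation left to authenticator-rs.local.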
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile index a401ac592..cda6b1aa0 100644 --- a/etc/profile-a-l/balsa.profile +++ b/etc/profile-a-l/balsa.profile | |||
@@ -58,7 +58,7 @@ shell none | |||
58 | tracelog | 58 | tracelog |
59 | 59 | ||
60 | # disable-mnt | 60 | # disable-mnt |
61 | # Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg | 61 | # Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg |
62 | # Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile. | 62 | # Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile. |
63 | private-bin balsa,balsa-ab | 63 | private-bin balsa,balsa-ab |
64 | private-cache | 64 | private-cache |
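--- a/etc/profile-a-l/beaker.profile
+++ b/etc/profile-a-l/beaker.profile
@@ -3,17 +3,26 @@
 # Persistent local customizations
 include beaker.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
 
-noblacklist ${HOME}/.config/Beaker Browser
+# Disabled until someone reported positive feedback
+ignore include disable-exec.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore nou2f
+ignore novideo
+ignore shell none
+ignore disable-mnt
+ignore private-cache
+ignore private-dev
+ignore private-tmp
 
-include disable-devel.inc
-include disable-interpreters.inc
+noblacklist ${HOME}/.config/Beaker Browser
 
 mkdir ${HOME}/.config/Beaker Browser
 whitelist ${HOME}/.config/Beaker Browser
-include whitelist-common.inc
 
 # Redirect
 include electron.profile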
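--- a/etc/profile-a-l/brave.profile
+++ b/etc/profile-a-l/brave.profile
@@ -10,10 +10,6 @@ include globals.local
 ignore noexec /tmp
 # TOR is installed in ${HOME}
 ignore noexec ${HOME}
-# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
-ignore whitelist /usr/share/chromium
-ignore include whitelist-runuser-common.inc
-ignore include whitelist-usr-share-common.inc
 
 noblacklist ${HOME}/.cache/BraveSoftware
 noblacklist ${HOME}/.config/BraveSoftware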
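--- a/etc/profile-a-l/bsdtar.profile
+++ b/etc/profile-a-l/bsdtar.profile
@@ -6,43 +6,6 @@ include bsdtar.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+include archiver-common.inc
 
-include disable-common.inc
-# include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-apparmor
-caps.drop all
-hostname bsdtar
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-# noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-x11 none
-
-# support compressed archives
-private-bin bash,bsdcat,bsdcpio,bsdtar,bzip2,compress,gtar,gzip,lbzip2,libarchive,lz4,lzip,lzma,lzop,sh,xz
-private-cache
-private-dev
 private-etc alternatives,group,localtime,passwd
-
-dbus-user none
-dbus-system none
-
-memory-deny-write-execute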
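--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -32,7 +32,7 @@ whitelist ${HOME}/.config/celluloid
 whitelist ${HOME}/.config/gnome-mpv
 whitelist ${HOME}/.config/youtube-dl
 include whitelist-common.inc
-include whitelist-players.inc
+include whitelist-player-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc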
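--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -25,7 +25,6 @@ mkdir ${HOME}/.local/share/pki
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
-whitelist /usr/share/chromium
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc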
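--- a/etc/profile-a-l/chromium.profile
+++ b/etc/profile-a-l/chromium.profile
@@ -15,6 +15,7 @@ mkdir ${HOME}/.config/chromium
 whitelist ${HOME}/.cache/chromium
 whitelist ${HOME}/.config/chromium
 whitelist ${HOME}/.config/chromium-flags.conf
+whitelist /usr/share/chromium
 
 # private-bin chromium,chromium-browser,chromedriver
 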
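--- /dev/null
+++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
@@ -0,0 +1,55 @@
+# Firejail profile for com.github.bleakgrey.tootle
+# Description: Gtk Mastodon client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include com.github.bleakgrey.tootle.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/com.github.bleakgrey.tootle
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/com.github.bleakgrey.tootle
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/com.github.bleakgrey.tootle
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin com.github.bleakgrey.tootle
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+private-tmp
+
+# Settings are immutable
+# dbus-user filter
+# dbus-user.own com.github.bleakgrey.tootle
+# dbus-user.talk ca.desrt.dconf
+dbus-system none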
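Review bot: The `private-etc` line has a space instead of a comma between `machine-id` and `mime.types`, so the comma-separated list carries one malformed entry `machine-id mime.types` rather than the two intended files; change it to `...,hostname,hosts,machine-id,mime.types,nsswitch.conf,...`. Separately, with the `dbus-user filter` block commented out and no other `dbus-user` line left, the session bus stays fully reachable from the sandbox; if that is the price of the `# Settings are immutable` problem, say so in the comment, e.g. `# dbus-user filter makes settings immutable, so the session bus is left unfiltered for now`, so the trade-off is visible to whoever revisits it.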
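--- a/etc/profile-a-l/cower.profile
+++ b/etc/profile-a-l/cower.profile
@@ -46,5 +46,4 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-
 read-only ${HOME}/.config/cower/config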
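--- a/etc/profile-a-l/cpio.profile
+++ b/etc/profile-a-l/cpio.profile
@@ -7,40 +7,7 @@ include cpio.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
-
 noblacklist /sbin
 noblacklist /usr/sbin
 
-include disable-common.inc
-# include disable-devel.inc
-include disable-exec.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-apparmor
-caps.drop all
-hostname cpio
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-nosound
-notv
-nou2f
-novideo
-seccomp
-shell none
-tracelog
-x11 none
-
-private-cache
-private-dev
-
-dbus-user none
-dbus-system none
-
-memory-deny-write-execute
+include archiver-common.inc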
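--- a/etc/profile-a-l/curl.profile
+++ b/etc/profile-a-l/curl.profile
@@ -7,10 +7,15 @@ include curl.local
 # Persistent global definitions
 include globals.local
 
+# curl 7.74.0 introduces experimental support for HSTS cache
+# https://daniel.haxx.se/blog/2020/11/03/hsts-your-curl/
+# technically this file can be anywhere but let's assume users have it in ${HOME}/.curl-hsts
+# if your setup diverts, add 'blacklist /path/to/curl/hsts/file' to your disable-programs.local
+# and 'noblacklist /path/to/curl/hsts/file' to curl.local to keep the sandbox logic intact
+noblacklist ${HOME}/.curl-hsts
 noblacklist ${HOME}/.curlrc
 
 blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 include disable-common.inc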
diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile index 7eb7660dd..2ecf1a45d 100644 --- a/etc/profile-a-l/default.profile +++ b/etc/profile-a-l/default.profile | |||
@@ -5,7 +5,7 @@ include default.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | # generic gui profile | 8 | # generic GUI profile |
9 | # depending on your usage, you can enable some of the commands below: | 9 | # depending on your usage, you can enable some of the commands below: |
10 | 10 | ||
11 | include disable-common.inc | 11 | include disable-common.inc |
@@ -14,12 +14,13 @@ include disable-common.inc | |||
14 | # include disable-interpreters.inc | 14 | # include disable-interpreters.inc |
15 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | # include disable-shell.inc | ||
17 | # include disable-write-mnt.inc | 18 | # include disable-write-mnt.inc |
18 | # include disable-xdg.inc | 19 | # include disable-xdg.inc |
19 | 20 | ||
20 | # include whitelist-common.inc | 21 | # include whitelist-common.inc |
21 | # include whitelist-usr-share-common.inc | ||
22 | # include whitelist-runuser-common.inc | 22 | # include whitelist-runuser-common.inc |
23 | # include whitelist-usr-share-common.inc | ||
23 | # include whitelist-var-common.inc | 24 | # include whitelist-var-common.inc |
24 | 25 | ||
25 | # apparmor | 26 | # apparmor |
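--- a/etc/profile-a-l/devhelp.profile
+++ b/etc/profile-a-l/devhelp.profile
@@ -50,5 +50,4 @@ private-tmp
 # dbus-system none
 
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
-
 read-only ${HOME}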
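--- a/etc/profile-a-l/devilspie.profile
+++ b/etc/profile-a-l/devilspie.profile
@@ -56,5 +56,4 @@ dbus-user none
 dbus-system none
 
 memory-deny-write-execute
-
 read-only ${HOME}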
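--- a/etc/profile-a-l/dig.profile
+++ b/etc/profile-a-l/dig.profile
@@ -11,7 +11,6 @@ noblacklist ${HOME}/.digrc
 noblacklist ${PATH}/dig
 
 blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 include disable-common.inc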
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile index 35bea4aaa..e6edbd7eb 100644 --- a/etc/profile-a-l/discord-common.profile +++ b/etc/profile-a-l/discord-common.profile | |||
@@ -6,33 +6,24 @@ include discord-common.local | |||
6 | # added by caller profile | 6 | # added by caller profile |
7 | #include globals.local | 7 | #include globals.local |
8 | 8 | ||
9 | ignore noexec ${HOME} | 9 | # Disabled until someone reported positive feedback |
10 | ignore include disable-interpreters.inc | ||
11 | ignore include disable-xdg.inc | ||
12 | ignore include whitelist-runuser-common.inc | ||
13 | ignore include whitelist-usr-share-common.inc | ||
14 | ignore apparmor | ||
15 | ignore disable-mnt | ||
16 | ignore private-cache | ||
17 | ignore dbus-user none | ||
18 | ignore dbus-system none | ||
10 | 19 | ||
11 | include disable-common.inc | 20 | ignore noexec ${HOME} |
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-passwdmgr.inc | ||
15 | include disable-programs.inc | ||
16 | 21 | ||
17 | whitelist ${DOWNLOADS} | ||
18 | whitelist ${HOME}/.config/BetterDiscord | 22 | whitelist ${HOME}/.config/BetterDiscord |
19 | whitelist ${HOME}/.local/share/betterdiscordctl | 23 | whitelist ${HOME}/.local/share/betterdiscordctl |
20 | include whitelist-common.inc | ||
21 | include whitelist-var-common.inc | ||
22 | |||
23 | caps.drop all | ||
24 | netfilter | ||
25 | nodvd | ||
26 | nogroups | ||
27 | nonewprivs | ||
28 | noroot | ||
29 | notv | ||
30 | nou2f | ||
31 | novideo | ||
32 | protocol unix,inet,inet6,netlink | ||
33 | seccomp !chroot | ||
34 | 24 | ||
35 | private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh | 25 | private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh |
36 | private-dev | ||
37 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl | 26 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl |
38 | private-tmp | 27 | |
28 | # Redirect | ||
29 | include electron.profile | ||
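Review bot: The added `ignore dbus-user none` and `ignore dbus-system none` at new lines 17-18 reopen both buses entirely instead of narrowing them, so every D-Bus name on the session and system bus is reachable from the sandbox while feedback is being collected; github-desktop.profile does the same at its new lines 22-23. A `dbus-user filter` block listing only the names the application is known to need (for example `dbus-user.talk org.freedesktop.Notifications`) would keep most of what the redirect to electron.profile now provides, with the bus reopened only if a user reports breakage. The `# Disabled until someone reported positive feedback` comment at new line 9 (new line 14 in github-desktop) would also be more useful with a pointer to the tracking issue, e.g. `# Disabled until someone reports positive feedback, see #<issue placeholder>`.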
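--- /dev/null
+++ b/etc/profile-a-l/dolphin-emu.profile
@@ -0,0 +1,63 @@
+# Firejail profile for dolphin-emu
+# Description: An emulator for Gamecube and Wii games
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dolphin-emu.local
+# Persistent global definitions
+include globals.local
+
+# Note: you must whitelist your games folder in a dolphin-emu.local
+
+noblacklist ${HOME}/.cache/dolphin-emu
+noblacklist ${HOME}/.config/dolphin-emu
+noblacklist ${HOME}/.local/share/dolphin-emu
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/dolphin-emu
+mkdir ${HOME}/.config/dolphin-emu
+mkdir ${HOME}/.local/share/dolphin-emu
+whitelist ${HOME}/.cache/dolphin-emu
+whitelist ${HOME}/.config/dolphin-emu
+whitelist ${HOME}/.local/share/dolphin-emu
+whitelist /usr/share/dolphin-emu
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+# uncomment the following line if you do not need NetPlay support
+# net none
+netfilter
+# uncomment the following line if you do not need disc support
+#nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink,bluetooth
+seccomp
+shell none
+tracelog
+
+private-bin bash,dolphin-emu,dolphin-emu-x11,sh
+private-cache
+# uncomment the following line if you do not need controller support
+#private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg
+private-opt none
+private-tmp
+
+dbus-user none
+dbus-system none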
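--- /dev/null
+++ b/etc/profile-a-l/drill.profile
@@ -0,0 +1,55 @@
+# Firejail profile for drill
+# Description: DNS lookup utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include drill.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/drill
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+include disable-common.inc
+# include disable-devel.inc
+include disable-exec.inc
+# include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin bash,drill,sh
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute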
diff --git a/etc/profile-a-l/electron.profile b/etc/profile-a-l/electron.profile index 9b99c7ffb..d3be07c9d 100644 --- a/etc/profile-a-l/electron.profile +++ b/etc/profile-a-l/electron.profile | |||
@@ -3,25 +3,39 @@ | |||
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include electron.local | 5 | include electron.local |
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | 6 | ||
9 | include disable-common.inc | 7 | include disable-common.inc |
8 | include disable-devel.inc | ||
9 | include disable-exec.inc | ||
10 | include disable-interpreters.inc | ||
10 | include disable-passwdmgr.inc | 11 | include disable-passwdmgr.inc |
11 | include disable-programs.inc | 12 | include disable-programs.inc |
13 | include disable-xdg.inc | ||
12 | 14 | ||
13 | whitelist ${DOWNLOADS} | 15 | whitelist ${DOWNLOADS} |
16 | include whitelist-common.inc | ||
17 | include whitelist-runuser-common.inc | ||
18 | include whitelist-usr-share-common.inc | ||
19 | include whitelist-var-common.inc | ||
20 | |||
21 | # Uncomment the next line (or add it to your chromium-common.local) | ||
22 | # if your kernel allows unprivileged userns clone. | ||
23 | #include chromium-common-hardened.inc | ||
14 | 24 | ||
15 | apparmor | 25 | apparmor |
16 | caps.drop all | 26 | caps.keep sys_admin,sys_chroot |
17 | netfilter | 27 | netfilter |
18 | nodvd | 28 | nodvd |
19 | nogroups | 29 | nogroups |
20 | nonewprivs | ||
21 | noroot | ||
22 | notv | 30 | notv |
23 | protocol unix,inet,inet6,netlink | 31 | nou2f |
24 | seccomp | 32 | novideo |
33 | shell none | ||
34 | |||
35 | disable-mnt | ||
36 | private-cache | ||
37 | private-dev | ||
38 | private-tmp | ||
25 | 39 | ||
26 | dbus-user none | 40 | dbus-user none |
27 | dbus-system none | 41 | dbus-system none |
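Review bot: `caps.keep sys_admin,sys_chroot` at new line 26, together with the removal of `nonewprivs` and `noroot` (old lines 20-21), is a substantial widening of a base profile that discord-common, freetube and github-desktop now redirect to in this same commit, and the hunk gives no reason for it. If, as I assume, this is for the Chromium setuid sandbox helper, a why-comment above line 26 such as `# sys_admin/sys_chroot are kept and nonewprivs/noroot omitted for the Chromium setuid sandbox; chromium-common-hardened.inc drops them where unprivileged userns is usable` would record the trade-off for every inheriting profile. The comment at new line 21 points to chromium-common.local, which for this file presumably should read electron.local. Dropping `include globals.local` (old lines 6-7) without the project's usual `# added by caller profile` / `#include globals.local` marker also leaves a reader unsure whether the omission is intentional.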
diff --git a/etc/profile-a-l/element-desktop.profile b/etc/profile-a-l/element-desktop.profile index c1aa821e3..48a826f2e 100644 --- a/etc/profile-a-l/element-desktop.profile +++ b/etc/profile-a-l/element-desktop.profile | |||
@@ -7,16 +7,18 @@ include element-desktop.local | |||
7 | # added by included profile | 7 | # added by included profile |
8 | #include globals.local | 8 | #include globals.local |
9 | 9 | ||
10 | ignore dbus-user none | ||
11 | |||
10 | noblacklist ${HOME}/.config/Element | 12 | noblacklist ${HOME}/.config/Element |
11 | noblacklist ${HOME}/.config/Element (Riot) | ||
12 | 13 | ||
13 | mkdir ${HOME}/.config/Element | 14 | mkdir ${HOME}/.config/Element |
14 | mkdir ${HOME}/.config/Element (Riot) | ||
15 | whitelist ${HOME}/.config/Element | 15 | whitelist ${HOME}/.config/Element |
16 | whitelist ${HOME}/.config/Element (Riot) | ||
17 | whitelist /opt/Element | 16 | whitelist /opt/Element |
18 | 17 | ||
19 | private-opt Element | 18 | private-opt Element |
20 | 19 | ||
20 | dbus-user filter | ||
21 | dbus-user.talk org.freedesktop.secrets | ||
22 | |||
21 | # Redirect | 23 | # Redirect |
22 | include riot-desktop.profile | 24 | include riot-desktop.profile |
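Review bot: `dbus-user.talk org.freedesktop.secrets` at new line 21 hands the sandbox the full Secret Service interface, i.e. every unlocked item in the session keyring and not only Element's own entries; that is a property of the API rather than of this profile, but it deserves to be stated next to the rule. A comment above line 21 such as `# org.freedesktop.secrets: needed for keyring-backed login; exposes every unlocked keyring item, not only Element's` would do. The `ignore dbus-user none` at new line 10 presumably neutralises a `dbus-user none` in riot-desktop.profile, which this file redirects to and which is not on this page; naming that in a one-line comment would save the next reader the lookup.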
diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile index 0024b6660..640b0e485 100644 --- a/etc/profile-a-l/falkon.profile +++ b/etc/profile-a-l/falkon.profile | |||
@@ -15,15 +15,20 @@ include disable-exec.inc | |||
15 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
16 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 17 | include disable-programs.inc |
18 | include disable-xdg.inc | ||
18 | 19 | ||
19 | mkdir ${HOME}/.cache/falkon | 20 | mkdir ${HOME}/.cache/falkon |
20 | mkdir ${HOME}/.config/falkon | 21 | mkdir ${HOME}/.config/falkon |
21 | whitelist ${DOWNLOADS} | 22 | whitelist ${DOWNLOADS} |
22 | whitelist ${HOME}/.cache/falkon | 23 | whitelist ${HOME}/.cache/falkon |
23 | whitelist ${HOME}/.config/falkon | 24 | whitelist ${HOME}/.config/falkon |
25 | whitelist /usr/share/falkon | ||
24 | include whitelist-common.inc | 26 | include whitelist-common.inc |
27 | include whitelist-runuser-common.inc | ||
28 | include whitelist-usr-share-common.inc | ||
25 | include whitelist-var-common.inc | 29 | include whitelist-var-common.inc |
26 | 30 | ||
31 | apparmor | ||
27 | caps.drop all | 32 | caps.drop all |
28 | netfilter | 33 | netfilter |
29 | nodvd | 34 | nodvd |
@@ -37,7 +42,13 @@ protocol unix,inet,inet6,netlink | |||
37 | seccomp !chroot | 42 | seccomp !chroot |
38 | # tracelog | 43 | # tracelog |
39 | 44 | ||
45 | disable-mnt | ||
46 | # private-bin falkon | ||
47 | private-cache | ||
40 | private-dev | 48 | private-dev |
41 | # private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies | 49 | private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg |
42 | # private-tmp - interferes with the opening of downloaded files | 50 | private-tmp |
43 | 51 | ||
52 | # dbus-user filter | ||
53 | # dbus-user.own org.kde.Falkon | ||
54 | dbus-system none | ||
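Review bot: `private-tmp` at new line 50 replaces old line 42 `# private-tmp - interferes with the opening of downloaded files`, but nothing in the hunk records that the download-opening problem was retested, and the formerly commented `private-etc` is enabled at the same time with a larger file list (new line 49), so a regression here would be hard to attribute. A short comment above line 50 such as `# private-tmp: opening downloaded files re-verified with falkon <version placeholder>` would preserve that history; otherwise it is safer to leave it commented until confirmed. The `dbus-user filter` / `dbus-user.own org.kde.Falkon` pair at new lines 52-53 stays commented while `dbus-system none` is enabled, which leaves the session bus fully open — a word on why the filter could not be enabled would help the next person who tries.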
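--- a/etc/profile-a-l/feh.profile
+++ b/etc/profile-a-l/feh.profile
@@ -1,6 +1,7 @@
 # Firejail profile for feh
 # Description: imlib2 based image viewer
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include feh.local
 # Persistent global definitions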
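--- a/etc/profile-a-l/file.profile
+++ b/etc/profile-a-l/file.profile
@@ -7,7 +7,6 @@ include file.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 include disable-common.inc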
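--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -16,6 +16,7 @@ whitelist ${HOME}/.mozilla
 
 whitelist /usr/share/doc
 whitelist /usr/share/firefox
+whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini
 whitelist /usr/share/gtk-doc/html
 whitelist /usr/share/mozilla
 whitelist /usr/share/webext
@@ -29,6 +30,7 @@ include whitelist-usr-share-common.inc
 #private-etc firefox
 
 dbus-user filter
+dbus-user.own org.mozilla.Firefox.*
 dbus-user.own org.mozilla.firefox.*
 dbus-user.own org.mpris.MediaPlayer2.firefox.*
 # Uncomment or put in your firefox.local to enable native notifications.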
diff --git a/etc/profile-a-l/fractal.profile b/etc/profile-a-l/fractal.profile index ab907eb0d..c3af29e15 100644 --- a/etc/profile-a-l/fractal.profile +++ b/etc/profile-a-l/fractal.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for fractal | 1 | # Firejail profile for fractal |
2 | # Description: Desktop client for Matrix | 2 | # Description: Desktop client for Matrix |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include fractal.local | 5 | include fractal.local |
@@ -21,7 +21,7 @@ mkdir ${HOME}/.cache/fractal | |||
21 | whitelist ${HOME}/.cache/fractal | 21 | whitelist ${HOME}/.cache/fractal |
22 | whitelist ${DOWNLOADS} | 22 | whitelist ${DOWNLOADS} |
23 | include whitelist-common.inc | 23 | include whitelist-common.inc |
24 | include whitelist-runuser-common.inc | 24 | include whitelist-runuser-common.inc |
25 | include whitelist-usr-share-common.inc | 25 | include whitelist-usr-share-common.inc |
26 | include whitelist-var-common.inc | 26 | include whitelist-var-common.inc |
27 | 27 | ||
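--- a/etc/profile-a-l/freeoffice-planmaker.profile
+++ b/etc/profile-a-l/freeoffice-planmaker.profile
@@ -7,4 +7,4 @@ include freeoffice-planmaker.local
 include globals.local
 
 # Redirect
-include softmaker-common.inc
+include softmaker-common.profile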
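--- a/etc/profile-a-l/freeoffice-presentations.profile
+++ b/etc/profile-a-l/freeoffice-presentations.profile
@@ -7,4 +7,4 @@ include freeoffice-presentations.local
 include globals.local
 
 # Redirect
-include softmaker-common.inc
+include softmaker-common.profile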
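--- a/etc/profile-a-l/freeoffice-textmaker.profile
+++ b/etc/profile-a-l/freeoffice-textmaker.profile
@@ -6,4 +6,4 @@ include freeoffice-textmaker.local
 include globals.local
 
 # Redirect
-include softmaker-common.inc
+include softmaker-common.profile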
diff --git a/etc/profile-a-l/freetube.profile b/etc/profile-a-l/freetube.profile index 91f0caf87..e6aff533d 100644 --- a/etc/profile-a-l/freetube.profile +++ b/etc/profile-a-l/freetube.profile | |||
@@ -8,24 +8,13 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.config/FreeTube | 9 | noblacklist ${HOME}/.config/FreeTube |
10 | 10 | ||
11 | include disable-devel.inc | 11 | include disable-shell.inc |
12 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | ||
14 | include disable-shell.inc | ||
15 | include disable-xdg.inc | ||
16 | 12 | ||
17 | mkdir ${HOME}/.config/FreeTube | 13 | mkdir ${HOME}/.config/FreeTube |
18 | whitelist ${HOME}/.config/FreeTube | 14 | whitelist ${HOME}/.config/FreeTube |
19 | 15 | ||
20 | seccomp !chroot | ||
21 | shell none | ||
22 | |||
23 | disable-mnt | ||
24 | private-bin freetube | 16 | private-bin freetube |
25 | private-cache | ||
26 | private-dev | ||
27 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg | 17 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg |
28 | private-tmp | ||
29 | 18 | ||
30 | # Redirect | 19 | # Redirect |
31 | include electron.profile | 20 | include electron.profile |
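--- a/etc/profile-a-l/geekbench.profile
+++ b/etc/profile-a-l/geekbench.profile
@@ -51,5 +51,4 @@ dbus-user none
 dbus-system none
 
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
-
 read-only ${HOME}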
diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile index c15174815..d56d6714e 100644 --- a/etc/profile-a-l/ghostwriter.profile +++ b/etc/profile-a-l/ghostwriter.profile | |||
@@ -11,6 +11,8 @@ noblacklist ${HOME}/.local/share/ghostwriter | |||
11 | noblacklist ${DOCUMENTS} | 11 | noblacklist ${DOCUMENTS} |
12 | noblacklist ${PICTURES} | 12 | noblacklist ${PICTURES} |
13 | 13 | ||
14 | include allow-lua.inc | ||
15 | |||
14 | include disable-common.inc | 16 | include disable-common.inc |
15 | include disable-devel.inc | 17 | include disable-devel.inc |
16 | include disable-exec.inc | 18 | include disable-exec.inc |
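--- a/etc/profile-a-l/gimp.profile
+++ b/etc/profile-a-l/gimp.profile
@@ -52,7 +52,7 @@ nosound
 notv
 nou2f
 protocol unix
-seccomp
+seccomp !mbind
 shell none
 tracelog
 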
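Review bot: `seccomp !mbind` at new line 55 removes a syscall from the default filter without saying why; mbind is a NUMA memory-policy call, and which GIMP component needs it is not visible here. A why-comment above the line, e.g. `# !mbind: required by <component placeholder> (see #<issue placeholder>)`, keeps the exception reviewable and makes it easy to retire once it is no longer needed.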
diff --git a/etc/profile-a-l/github-desktop.profile b/etc/profile-a-l/github-desktop.profile index 152396553..325c54ced 100644 --- a/etc/profile-a-l/github-desktop.profile +++ b/etc/profile-a-l/github-desktop.profile | |||
@@ -6,43 +6,35 @@ include github-desktop.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Note: On debian-based distributions the binary might be located in | ||
10 | # /opt/GitHub Desktop/github-desktop, and therefore not be in PATH. | ||
11 | # If that's the case you can start GitHub Desktop with firejail via | ||
12 | # `firejail "/opt/GitHub Desktop/github-desktop"`. | ||
13 | |||
14 | # Disabled until someone reported positive feedback | ||
15 | ignore include disable-xdg.inc | ||
16 | ignore whitelist ${DOWNLOADS} | ||
17 | ignore include whitelist-common.inc | ||
18 | ignore include whitelist-runuser-common.inc | ||
19 | ignore include whitelist-usr-share-common.inc | ||
20 | ignore include whitelist-var-common.inc | ||
21 | ignore apparmor | ||
22 | ignore dbus-user none | ||
23 | ignore dbus-system none | ||
24 | |||
9 | noblacklist ${HOME}/.config/GitHub Desktop | 25 | noblacklist ${HOME}/.config/GitHub Desktop |
10 | noblacklist ${HOME}/.config/git | 26 | noblacklist ${HOME}/.config/git |
11 | noblacklist ${HOME}/.gitconfig | 27 | noblacklist ${HOME}/.gitconfig |
12 | noblacklist ${HOME}/.git-credentials | 28 | noblacklist ${HOME}/.git-credentials |
13 | 29 | ||
14 | include disable-common.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-devel.inc | ||
18 | include disable-exec.inc | ||
19 | include disable-interpreters.inc | ||
20 | |||
21 | caps.drop all | ||
22 | netfilter | ||
23 | # no3d | 30 | # no3d |
24 | nodvd | ||
25 | nogroups | ||
26 | nonewprivs | ||
27 | noroot | ||
28 | nosound | 31 | nosound |
29 | notv | ||
30 | nou2f | ||
31 | novideo | ||
32 | protocol unix,inet,inet6,netlink | ||
33 | seccomp !chroot | ||
34 | 32 | ||
35 | # Note: On debian-based distributions the binary might be located in | ||
36 | # /opt/GitHub Desktop/github-desktop, and therefore not be in PATH. | ||
37 | # If that's the case you can start GitHub Desktop with firejail via | ||
38 | # `firejail "/opt/GitHub Desktop/github-desktop"`. | ||
39 | |||
40 | disable-mnt | ||
41 | # private-bin github-desktop | 33 | # private-bin github-desktop |
42 | private-cache | ||
43 | ?HAS_APPIMAGE: ignore private-dev | 34 | ?HAS_APPIMAGE: ignore private-dev |
44 | private-dev | ||
45 | # private-lib | 35 | # private-lib |
46 | private-tmp | ||
47 | 36 | ||
48 | # memory-deny-write-execute | 37 | # memory-deny-write-execute |
38 | |||
39 | # Redirect | ||
40 | include electron.profile | ||
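--- a/etc/profile-a-l/gnome-system-log.profile
+++ b/etc/profile-a-l/gnome-system-log.profile
@@ -53,7 +53,6 @@ writable-var-log
 # dbus-system none
 
 memory-deny-write-execute
-
-# comment this if you export logs to a file in your ${HOME}
+# Comment the line below if you export logs to a file in your ${HOME}
 # or put 'ignore read-only ${HOME}' in your gnome-system-log.local
 read-only ${HOME}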
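--- a/etc/profile-a-l/godot.profile
+++ b/etc/profile-a-l/godot.profile
@@ -38,7 +38,7 @@ tracelog
 # private-bin godot
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,machine-id,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,machine-id,mono,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl
 private-tmp
 
 dbus-user none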
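--- /dev/null
+++ b/etc/profile-a-l/gtk-straw-viewer.profile
@@ -0,0 +1,14 @@
+# Firejail profile for gtk-straw-viewer
+# Description: Gtk front-end to straw-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk-straw-viewer.local
+# added by included profile
+#include globals.local
+
+ignore quiet
+
+include whitelist-runuser-common.inc
+
+# Redirect
+include straw-viewer.profile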
diff --git a/etc/profile-a-l/gtk-youtube-viewer b/etc/profile-a-l/gtk-youtube-viewer.profile index 023f10d3d..848979b52 100644 --- a/etc/profile-a-l/gtk-youtube-viewer +++ b/etc/profile-a-l/gtk-youtube-viewer.profile | |||
@@ -3,16 +3,12 @@ | |||
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include gtk-youtube-viewer.local | 5 | include gtk-youtube-viewer.local |
6 | # Persistent global definitions | 6 | # added by included profile |
7 | # include globals.local | 7 | #include globals.local |
8 | 8 | ||
9 | ignore quiet | 9 | ignore quiet |
10 | 10 | ||
11 | noblacklist /tmp/.X11-unix | ||
12 | noblacklist ${RUNUSER}/wayland-* | ||
13 | noblacklist ${RUNUSER} | ||
14 | |||
15 | include whitelist-runuser-common.inc | 11 | include whitelist-runuser-common.inc |
16 | 12 | ||
17 | # Redirect | 13 | # Redirect |
18 | include youtube-viewer.profile \ No newline at end of file | 14 | include youtube-viewer.profile |
diff --git a/etc/profile-a-l/gtk2-youtube-viewer b/etc/profile-a-l/gtk2-youtube-viewer.profile index 331e73218..787c7bd90 100644 --- a/etc/profile-a-l/gtk2-youtube-viewer +++ b/etc/profile-a-l/gtk2-youtube-viewer.profile | |||
@@ -3,16 +3,15 @@ | |||
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include gtk2-youtube-viewer.local | 5 | include gtk2-youtube-viewer.local |
6 | # Persistent global definitions | 6 | # added by included profile |
7 | # include globals.local | 7 | #include globals.local |
8 | 8 | ||
9 | ignore quiet | 9 | ignore quiet |
10 | 10 | ||
11 | noblacklist /tmp/.X11-unix | 11 | noblacklist /tmp/.X11-unix |
12 | noblacklist ${RUNUSER}/wayland-* | ||
13 | noblacklist ${RUNUSER} | 12 | noblacklist ${RUNUSER} |
14 | 13 | ||
15 | include whitelist-runuser-common.inc | 14 | include whitelist-runuser-common.inc |
16 | 15 | ||
17 | # Redirect | 16 | # Redirect |
18 | include youtube-viewer.profile \ No newline at end of file | 17 | include youtube-viewer.profile |
diff --git a/etc/profile-a-l/gtk3-youtube-viewer b/etc/profile-a-l/gtk3-youtube-viewer.profile index 4c5bde55f..988882622 100644 --- a/etc/profile-a-l/gtk3-youtube-viewer +++ b/etc/profile-a-l/gtk3-youtube-viewer.profile | |||
@@ -3,16 +3,15 @@ | |||
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include gtk3-youtube-viewer.local | 5 | include gtk3-youtube-viewer.local |
6 | # Persistent global definitions | 6 | # added by included profile |
7 | # include globals.local | 7 | #include globals.local |
8 | 8 | ||
9 | ignore quiet | 9 | ignore quiet |
10 | 10 | ||
11 | noblacklist /tmp/.X11-unix | 11 | noblacklist /tmp/.X11-unix |
12 | noblacklist ${RUNUSER}/wayland-* | ||
13 | noblacklist ${RUNUSER} | 12 | noblacklist ${RUNUSER} |
14 | 13 | ||
15 | include whitelist-runuser-common.inc | 14 | include whitelist-runuser-common.inc |
16 | 15 | ||
17 | # Redirect | 16 | # Redirect |
18 | include youtube-viewer.profile \ No newline at end of file | 17 | include youtube-viewer.profile |
diff --git a/etc/profile-a-l/gzip.profile b/etc/profile-a-l/gzip.profile index 8ec39d8ca..9b59e57e7 100644 --- a/etc/profile-a-l/gzip.profile +++ b/etc/profile-a-l/gzip.profile | |||
@@ -7,43 +7,7 @@ include gzip.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist ${RUNUSER}/wayland-* | ||
11 | |||
12 | # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only. | 10 | # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only. |
13 | noblacklist /var/lib/pacman | 11 | noblacklist /var/lib/pacman |
14 | 12 | ||
15 | include disable-common.inc | 13 | include archiver-common.inc |
16 | include disable-devel.inc | ||
17 | include disable-exec.inc | ||
18 | include disable-interpreters.inc | ||
19 | include disable-passwdmgr.inc | ||
20 | include disable-programs.inc | ||
21 | |||
22 | apparmor | ||
23 | caps.drop all | ||
24 | hostname gzip | ||
25 | ipc-namespace | ||
26 | machine-id | ||
27 | net none | ||
28 | no3d | ||
29 | nodvd | ||
30 | nogroups | ||
31 | nonewprivs | ||
32 | #noroot | ||
33 | nosound | ||
34 | notv | ||
35 | nou2f | ||
36 | novideo | ||
37 | protocol unix | ||
38 | seccomp | ||
39 | shell none | ||
40 | tracelog | ||
41 | x11 none | ||
42 | |||
43 | private-cache | ||
44 | private-dev | ||
45 | |||
46 | dbus-user none | ||
47 | dbus-system none | ||
48 | |||
49 | memory-deny-write-execute | ||
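Review bot: Replacing the inline hardening block with `include archiver-common.inc` makes the effective sandbox invisible from this file, and the old profile had deliberate choices whose fate now depends on the include: `#noroot` was kept commented out, and `memory-deny-write-execute`, `x11 none` and `net none` were set. If `archiver-common.inc` enables `noroot`, gzip invoked as root changes behaviour; if it lacks `memory-deny-write-execute` or `net none`, the profile silently loses hardening. A comment above the include, e.g. `# caps.drop all, net none, seccomp, x11 none and memory-deny-write-execute are inherited from archiver-common.inc`, would record the intent, and any directive the include does not carry should be re-added here.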
diff --git a/etc/profile-a-l/highlight.profile b/etc/profile-a-l/highlight.profile index 0761aa2fc..c2812d7f5 100644 --- a/etc/profile-a-l/highlight.profile +++ b/etc/profile-a-l/highlight.profile | |||
@@ -6,7 +6,6 @@ include highlight.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist ${RUNUSER}/wayland-* | ||
10 | blacklist ${RUNUSER} | 9 | blacklist ${RUNUSER} |
11 | 10 | ||
12 | include disable-common.inc | 11 | include disable-common.inc |
diff --git a/etc/profile-a-l/homebank.profile b/etc/profile-a-l/homebank.profile index 8e600a2d7..da32de640 100644 --- a/etc/profile-a-l/homebank.profile +++ b/etc/profile-a-l/homebank.profile | |||
@@ -10,7 +10,7 @@ noblacklist ${HOME}/.config/homebank | |||
10 | 10 | ||
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | include disable-devel.inc | 12 | include disable-devel.inc |
13 | include disable-exec.inc | 13 | include disable-exec.inc |
14 | include disable-interpreters.inc | 14 | include disable-interpreters.inc |
15 | include disable-programs.inc | 15 | include disable-programs.inc |
16 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
diff --git a/etc/profile-a-l/jitsi-meet-desktop.profile b/etc/profile-a-l/jitsi-meet-desktop.profile index c4121d835..e5beb741a 100644 --- a/etc/profile-a-l/jitsi-meet-desktop.profile +++ b/etc/profile-a-l/jitsi-meet-desktop.profile | |||
@@ -6,34 +6,22 @@ include jitsi-meet-desktop.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Disabled until someone reported positive feedback | ||
10 | ignore nou2f | ||
11 | ignore novideo | ||
12 | ignore shell none | ||
13 | |||
9 | ignore noexec /tmp | 14 | ignore noexec /tmp |
10 | 15 | ||
11 | noblacklist ${HOME}/.config/Jitsi Meet | 16 | noblacklist ${HOME}/.config/Jitsi Meet |
12 | 17 | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-xdg.inc | ||
17 | |||
18 | nowhitelist ${DOWNLOADS} | 18 | nowhitelist ${DOWNLOADS} |
19 | 19 | ||
20 | mkdir ${HOME}/.config/Jitsi Meet | 20 | mkdir ${HOME}/.config/Jitsi Meet |
21 | |||
22 | whitelist ${HOME}/.config/Jitsi Meet | 21 | whitelist ${HOME}/.config/Jitsi Meet |
23 | 22 | ||
24 | include whitelist-common.inc | ||
25 | include whitelist-usr-share-common.inc | ||
26 | include whitelist-runuser-common.inc | ||
27 | include whitelist-var-common.inc | ||
28 | |||
29 | seccomp !chroot | ||
30 | |||
31 | disable-mnt | ||
32 | private-bin bash,jitsi-meet-desktop | 23 | private-bin bash,jitsi-meet-desktop |
33 | private-cache | ||
34 | private-dev | ||
35 | private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg | 24 | private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg |
36 | private-tmp | ||
37 | 25 | ||
38 | # Redirect | 26 | # Redirect |
39 | include electron.profile | 27 | include electron.profile |
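Review bot: `ignore shell none` is grouped under the new comment `# Disabled until someone reported positive feedback` together with `ignore nou2f` and `ignore novideo`, but only the latter two have an obvious functional reason for a conferencing client (camera, security keys); dropping `shell none` weakens the sandbox for the whole Electron app without a stated cause. Give it its own justification, e.g. `# shell none breaks the launcher, see <issue>` with the issue reference, or move it to a commented-out hint for jitsi-meet-desktop.local until the need is confirmed. The commit also removes `seccomp !chroot`, `disable-mnt`, `private-cache`, `private-dev` and `private-tmp` from this file; if electron.profile does not set all of them, they are lost rather than inherited. The comment itself should read `until someone reports positive feedback`.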
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile index 9899ff195..9c095e106 100644 --- a/etc/profile-a-l/kazam.profile +++ b/etc/profile-a-l/kazam.profile | |||
@@ -12,12 +12,12 @@ noblacklist ${PICTURES} | |||
12 | noblacklist ${VIDEOS} | 12 | noblacklist ${VIDEOS} |
13 | noblacklist ${HOME}/.config/kazam | 13 | noblacklist ${HOME}/.config/kazam |
14 | 14 | ||
15 | include allow-python2.inc | 15 | include allow-python2.inc |
16 | include allow-python3.inc | 16 | include allow-python3.inc |
17 | 17 | ||
18 | include disable-common.inc | 18 | include disable-common.inc |
19 | include disable-devel.inc | 19 | include disable-devel.inc |
20 | include disable-exec.inc | 20 | include disable-exec.inc |
21 | include disable-interpreters.inc | 21 | include disable-interpreters.inc |
22 | include disable-programs.inc | 22 | include disable-programs.inc |
23 | include disable-passwdmgr.inc | 23 | include disable-passwdmgr.inc |
@@ -25,7 +25,7 @@ include disable-shell.inc | |||
25 | include disable-xdg.inc | 25 | include disable-xdg.inc |
26 | 26 | ||
27 | whitelist /usr/share/kazam | 27 | whitelist /usr/share/kazam |
28 | include whitelist-runuser-common.inc | 28 | include whitelist-runuser-common.inc |
29 | include whitelist-usr-share-common.inc | 29 | include whitelist-usr-share-common.inc |
30 | include whitelist-var-common.inc | 30 | include whitelist-var-common.inc |
31 | 31 | ||
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile index 6a3b29c9d..a3a1b500a 100644 --- a/etc/profile-a-l/keepassxc.profile +++ b/etc/profile-a-l/keepassxc.profile | |||
@@ -73,12 +73,11 @@ dbus-user.talk org.freedesktop.login1.Session | |||
73 | dbus-user.talk org.gnome.ScreenSaver | 73 | dbus-user.talk org.gnome.ScreenSaver |
74 | dbus-user.talk org.gnome.SessionManager | 74 | dbus-user.talk org.gnome.SessionManager |
75 | dbus-user.talk org.gnome.SessionManager.Presence | 75 | dbus-user.talk org.gnome.SessionManager.Presence |
76 | # Uncomment or add to your keepassxc.local to allow Notifications/Tray. | 76 | # Uncomment or add to your keepassxc.local to allow Notifications. |
77 | #dbus-user.talk org.freedesktop.Notifications | 77 | #dbus-user.talk org.freedesktop.Notifications |
78 | # Uncomment or add to your keepassxc.local to allow Tray. | ||
78 | #dbus-user.talk org.kde.StatusNotifierWatcher | 79 | #dbus-user.talk org.kde.StatusNotifierWatcher |
79 | # These numbers seems to be not stable, see #3713. Play around with them. | 80 | #dbus-user.own org.kde.* |
80 | #dbus-user.own org.kde.StatusNotifierItem-2-2 | ||
81 | #dbus-user.own org.kde.StatusNotifierItem-10-2 | ||
82 | dbus-system none | 81 | dbus-system none |
83 | 82 | ||
84 | # Mutex is stored in /tmp by default, which is broken by private-tmp | 83 | # Mutex is stored in /tmp by default, which is broken by private-tmp |
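Review bot: The suggested override `#dbus-user.own org.kde.*` lets the sandboxed process claim any well-known name in the org.kde namespace, whereas the lines it replaces owned only two specific `org.kde.StatusNotifierItem-*` names. Even commented out, users will paste it into keepassxc.local as-is; if the filter syntax allows it, prefer a narrower pattern such as `#dbus-user.own org.kde.StatusNotifierItem-*`, and otherwise extend the Tray comment to say that `org.kde.*` is intentionally broad because the StatusNotifierItem suffix is not stable. The removed line pointed to #3713 for exactly that explanation and the pointer is now lost; keep it in the new comment.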
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile index cf3a69fd7..e0cfb9f24 100644 --- a/etc/profile-a-l/kube.profile +++ b/etc/profile-a-l/kube.profile | |||
@@ -63,7 +63,7 @@ shell none | |||
63 | tracelog | 63 | tracelog |
64 | 64 | ||
65 | # disable-mnt | 65 | # disable-mnt |
66 | # Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg | 66 | # Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg |
67 | # Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile. | 67 | # Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile. |
68 | private-bin kube,sink_synchronizer | 68 | private-bin kube,sink_synchronizer |
69 | private-cache | 69 | private-cache |
diff --git a/etc/profile-a-l/less.profile b/etc/profile-a-l/less.profile index de6fa67d1..e1f0bc290 100644 --- a/etc/profile-a-l/less.profile +++ b/etc/profile-a-l/less.profile | |||
@@ -7,7 +7,6 @@ include less.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist ${RUNUSER}/wayland-* | ||
11 | blacklist ${RUNUSER} | 10 | blacklist ${RUNUSER} |
12 | 11 | ||
13 | noblacklist ${HOME}/.lesshst | 12 | noblacklist ${HOME}/.lesshst |
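--- /dev/null
+++ b/etc/profile-a-l/librewolf.profile
@@ -0,0 +1,28 @@
+# Firejail profile for Librewolf
+# Description: Firefox fork based on privacy
+# This file is overwritten after every install/update
+# Persistent local customizations
+include librewolf.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/librewolf
+noblacklist ${HOME}/.librewolf
+
+mkdir ${HOME}/.cache/librewolf
+mkdir ${HOME}/.librewolf
+whitelist ${HOME}/.cache/librewolf
+whitelist ${HOME}/.librewolf
+
+# Uncomment (or add to librewolf.local) the following lines if you want to
+# use the migration wizard.
+#noblacklist ${HOME}/.mozilla
+#whitelist ${HOME}/.mozilla
+
+# librewolf requires a shell to launch on Arch. We can possibly remove sh though.
+#private-bin bash,dbus-launch,dbus-send,env,librewolf,python*,sh,which
+# private-etc must first be enabled in firefox-common.profile
+#private-etc librewolf
+
+# Redirect
+include firefox-common.profile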
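Review bot: The migration-wizard hint `#whitelist ${HOME}/.mozilla` gives the fork read-write access to the Firefox profile directory, which holds cookies, session data and saved logins, while an import only needs to read it. Consider adding `#read-only ${HOME}/.mozilla` next to it, or at least say in the comment that the whitelist should be removed again once migration is done. On line 22 the comment says a shell is required on Arch, yet the directive stays disabled even though `bash` and `sh` are already listed; either enable `private-bin` or state why it remains commented out. The description on line 2 reads better as `Privacy-focused Firefox fork`.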
diff --git a/etc/profile-a-l/links.profile b/etc/profile-a-l/links.profile index b2f94d3cf..ccc77f274 100644 --- a/etc/profile-a-l/links.profile +++ b/etc/profile-a-l/links.profile | |||
@@ -1,6 +1,7 @@ | |||
1 | # Firejail profile for links | 1 | # Firejail profile for links |
2 | # Description: Text WWW browser | 2 | # Description: Text WWW browser |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | ||
4 | # Persistent local customizations | 5 | # Persistent local customizations |
5 | include links.local | 6 | include links.local |
6 | # Persistent global definitions | 7 | # Persistent global definitions |
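--- /dev/null
+++ b/etc/profile-a-l/lutris.profile
@@ -0,0 +1,74 @@
+# Firejail profile for lutris
+# Description: Multi-library game handler with special support for Wine
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lutris.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/llvm*
+noblacklist ${HOME}/Games
+noblacklist ${HOME}/.cache/lutris
+noblacklist ${HOME}/.cache/winetricks
+noblacklist ${HOME}/.config/lutris
+noblacklist ${HOME}/.local/share/lutris
+# noblacklist ${HOME}/.wine
+noblacklist /tmp/.wine-*
+
+ignore noexec ${HOME}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/Games
+mkdir ${HOME}/.cache/lutris
+mkdir ${HOME}/.cache/winetricks
+mkdir ${HOME}/.config/lutris
+mkdir ${HOME}/.local/share/lutris
+# mkdir ${HOME}/.wine
+whitelist ${HOME}/Downloads
+whitelist ${HOME}/Games
+whitelist ${HOME}/.cache/lutris
+whitelist ${HOME}/.cache/winetricks
+whitelist ${HOME}/.config/lutris
+whitelist ${HOME}/.local/share/lutris
+# whitelist ${HOME}/.wine
+whitelist /usr/share/lutris
+whitelist /usr/share/wine
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+# allow-debuggers
+# apparmor
+caps.drop all
+ipc-namespace
+# net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+# uncomment the following line if you do not need controller support
+# private-dev
+private-tmp
+
+dbus-user none
+dbus-system none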
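Review bot: `whitelist ${HOME}/Downloads` hard-codes the path while the other profiles in this commit use `${DOWNLOADS}` (mirage, nheko, jitsi-meet-desktop), so the whitelist silently misses users whose XDG download directory differs; use `whitelist ${DOWNLOADS}`. `ignore noexec ${HOME}` and `noblacklist ${PATH}/llvm*` relax restrictions without saying why; a one-line comment on each, e.g. `# Games are executed from ${HOME}/Games` if that is the reason, and a note on which component needs the llvm binaries, would help later review. The profile also has no `private-cache`, `disable-mnt` or `tracelog`, and `apparmor` is commented out; if these are omitted deliberately, a comment would stop them being re-added blindly.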
diff --git a/etc/profile-a-l/lynx.profile b/etc/profile-a-l/lynx.profile index dbd0a61e5..76a0e7ed0 100644 --- a/etc/profile-a-l/lynx.profile +++ b/etc/profile-a-l/lynx.profile | |||
@@ -1,6 +1,7 @@ | |||
1 | # Firejail profile for lynx | 1 | # Firejail profile for lynx |
2 | # Description: Classic non-graphical (text-mode) web browser | 2 | # Description: Classic non-graphical (text-mode) web browser |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | ||
4 | # Persistent local customizations | 5 | # Persistent local customizations |
5 | include lynx.local | 6 | include lynx.local |
6 | # Persistent global definitions | 7 | # Persistent global definitions |
diff --git a/etc/profile-a-l/lyx.profile b/etc/profile-a-l/lyx.profile index b2c0afbe7..ffde057d5 100644 --- a/etc/profile-a-l/lyx.profile +++ b/etc/profile-a-l/lyx.profile | |||
@@ -27,7 +27,7 @@ apparmor | |||
27 | machine-id | 27 | machine-id |
28 | 28 | ||
29 | # private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex | 29 | # private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex |
30 | private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,lyx,mime.types,passwd,texmf,X11,xdg | 30 | private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,lyx,machine-id,mime.types,passwd,texmf,X11,xdg |
31 | 31 | ||
32 | # Redirect | 32 | # Redirect |
33 | include latex-common.profile | 33 | include latex-common.profile |
diff --git a/etc/profile-m-z/QMediathekView.profile b/etc/profile-m-z/QMediathekView.profile index 589dcfeb6..5ab302218 100644 --- a/etc/profile-m-z/QMediathekView.profile +++ b/etc/profile-m-z/QMediathekView.profile | |||
@@ -53,7 +53,7 @@ private-cache | |||
53 | private-dev | 53 | private-dev |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
56 | # dbus-user none | 56 | dbus-user none |
57 | # dbus-system none | 57 | dbus-system none |
58 | 58 | ||
59 | #memory-deny-write-execute - breaks on Arch (see issue #1803) | 59 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
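--- /dev/null
+++ b/etc/profile-m-z/matrix-mirage.profile
@@ -0,0 +1,24 @@
+# Firejail profile for matrix-mirage
+# Description: Debian name for mirage binary/package
+# This file is overwritten after every install/update
+# Persistent local customizations
+include matrix-mirage.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/matrix-mirage
+noblacklist ${HOME}/.config/matrix-mirage
+noblacklist ${HOME}/.local/share/matrix-mirage
+
+mkdir ${HOME}/.cache/matrix-mirage
+mkdir ${HOME}/.config/matrix-mirage
+mkdir ${HOME}/.local/share/matrix-mirage
+whitelist ${HOME}/.cache/matrix-mirage
+whitelist ${HOME}/.config/matrix-mirage
+whitelist ${HOME}/.local/share/matrix-mirage
+
+private-bin matrix-mirage
+
+# Redirect
+include mirage.profile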
diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile index c70090a25..8a98209a2 100644 --- a/etc/profile-m-z/menulibre.profile +++ b/etc/profile-m-z/menulibre.profile | |||
@@ -11,7 +11,7 @@ include allow-python3.inc | |||
11 | 11 | ||
12 | include disable-common.inc | 12 | include disable-common.inc |
13 | include disable-devel.inc | 13 | include disable-devel.inc |
14 | include disable-exec.inc | 14 | include disable-exec.inc |
15 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
16 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
@@ -25,7 +25,7 @@ whitelist /usr/share/menulibre | |||
25 | whitelist /var/lib/app-info/icons | 25 | whitelist /var/lib/app-info/icons |
26 | whitelist /var/lib/flatpak/exports/share/applications | 26 | whitelist /var/lib/flatpak/exports/share/applications |
27 | whitelist /var/lib/flatpak/exports/share/icons | 27 | whitelist /var/lib/flatpak/exports/share/icons |
28 | include whitelist-runuser-common.inc | 28 | include whitelist-runuser-common.inc |
29 | include whitelist-usr-share-common.inc | 29 | include whitelist-usr-share-common.inc |
30 | include whitelist-var-common.inc | 30 | include whitelist-var-common.inc |
31 | 31 | ||
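--- /dev/null
+++ b/etc/profile-m-z/microsoft-edge-dev.profile
@@ -0,0 +1,20 @@
+# Firejail profile for Microsoft Edge Dev
+# Description: Web browser from Microsoft,dev channel
+# This file is overwritten after every install/update
+# Persistent local customizations
+include microsoft-edge-dev.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/microsoft-edge-dev
+noblacklist ${HOME}/.config/microsoft-edge-dev
+
+mkdir ${HOME}/.cache/microsoft-edge-dev
+mkdir ${HOME}/.config/microsoft-edge-dev
+whitelist ${HOME}/.cache/microsoft-edge-dev
+whitelist ${HOME}/.config/microsoft-edge-dev
+
+private-opt microsoft
+
+# Redirect
+include chromium-common.profile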
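Review bot: The description on line 2 is missing a space after the comma and should read `# Description: Web browser from Microsoft, dev channel`. Since microsoft-edge.profile in this commit redirects here, the whitelists on lines 14-15 also become the effective whitelists for the stable channel; a comment noting that, e.g. `# Also used by microsoft-edge.profile`, would warn anyone narrowing them later.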
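--- /dev/null
+++ b/etc/profile-m-z/microsoft-edge.profile
@@ -0,0 +1,11 @@
+# Firejail profile for Microsoft Edge
+# Description: Web browser from Microsoft
+# This file is overwritten after every install/update
+# Persistent local customizations
+include microsoft-edge.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include microsoft-edge-dev.profile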
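Review bot: This profile redirects to microsoft-edge-dev.profile but adds no `noblacklist`/`mkdir`/`whitelist` for the stable channel's own directories, and the dev profile whitelists only `${HOME}/.cache/microsoft-edge-dev` and `${HOME}/.config/microsoft-edge-dev`. If the stable build keeps its data under `${HOME}/.config/microsoft-edge` rather than the `-dev` paths, home whitelisting will hide that directory and the browser starts with an empty or unwritable profile. Either add the stable paths here (`noblacklist`, `mkdir` and `whitelist` for `${HOME}/.cache/microsoft-edge` and `${HOME}/.config/microsoft-edge`), or redirect both channels to a shared common profile as the other browser profiles do with chromium-common.profile.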
diff --git a/etc/profile-m-z/min.profile b/etc/profile-m-z/min.profile index be85fdbc4..7f3aeab44 100644 --- a/etc/profile-m-z/min.profile +++ b/etc/profile-m-z/min.profile | |||
@@ -6,8 +6,6 @@ include min.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | nowhitelist /usr/share/chromium | ||
10 | |||
11 | noblacklist ${HOME}/.config/Min | 9 | noblacklist ${HOME}/.config/Min |
12 | 10 | ||
13 | mkdir ${HOME}/.config/Min | 11 | mkdir ${HOME}/.config/Min |
diff --git a/etc/profile-m-z/minetest.profile b/etc/profile-m-z/minetest.profile index 5678a781c..666af323d 100644 --- a/etc/profile-m-z/minetest.profile +++ b/etc/profile-m-z/minetest.profile | |||
@@ -52,8 +52,9 @@ shell none | |||
52 | tracelog | 52 | tracelog |
53 | 53 | ||
54 | disable-mnt | 54 | disable-mnt |
55 | private-bin minetest | 55 | private-bin minetest,rm |
56 | private-cache | 56 | # cache is used for storing assets when connecting to servers |
57 | #private-cache | ||
57 | private-dev | 58 | private-dev |
58 | # private-etc needs to be updated, see #1702 | 59 | # private-etc needs to be updated, see #1702 |
59 | #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl | 60 | #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl |
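Review bot: `rm` is added to `private-bin` on line 55 without a comment, while the neighbouring `#private-cache` change does get one; a reader cannot tell what minetest executes `rm` for or whether a narrower fix exists. Add a why-comment above the line, e.g. `# rm is needed for <reason>`, and if the need was only cache cleanup, check whether it still applies now that `private-cache` is disabled.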
diff --git a/etc/profile-m-z/minitube.profile b/etc/profile-m-z/minitube.profile index 39ecc7127..78ef5e398 100644 --- a/etc/profile-m-z/minitube.profile +++ b/etc/profile-m-z/minitube.profile | |||
@@ -19,7 +19,7 @@ include disable-exec.inc | |||
19 | include disable-interpreters.inc | 19 | include disable-interpreters.inc |
20 | include disable-passwdmgr.inc | 20 | include disable-passwdmgr.inc |
21 | include disable-programs.inc | 21 | include disable-programs.inc |
22 | include disable-shell.inc | 22 | include disable-shell.inc |
23 | include disable-xdg.inc | 23 | include disable-xdg.inc |
24 | 24 | ||
25 | mkdir ${HOME}/.cache/Flavio Tordini | 25 | mkdir ${HOME}/.cache/Flavio Tordini |
@@ -30,8 +30,8 @@ whitelist ${HOME}/.cache/Flavio Tordini | |||
30 | whitelist ${HOME}/.config/Flavio Tordini | 30 | whitelist ${HOME}/.config/Flavio Tordini |
31 | whitelist ${HOME}/.local/share/Flavio Tordini | 31 | whitelist ${HOME}/.local/share/Flavio Tordini |
32 | whitelist /usr/share/minitube | 32 | whitelist /usr/share/minitube |
33 | include whitelist-common.inc | 33 | include whitelist-common.inc |
34 | include whitelist-runuser-common.inc | 34 | include whitelist-runuser-common.inc |
35 | include whitelist-usr-share-common.inc | 35 | include whitelist-usr-share-common.inc |
36 | include whitelist-var-common.inc | 36 | include whitelist-var-common.inc |
37 | 37 | ||
diff --git a/etc/profile-m-z/mirage.profile b/etc/profile-m-z/mirage.profile index 4a5f12aec..7130267e8 100644 --- a/etc/profile-m-z/mirage.profile +++ b/etc/profile-m-z/mirage.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for mirage | 1 | # Firejail profile for mirage |
2 | # Description: Desktop client for Matrix | 2 | # Description: Desktop client for Matrix |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include mirage.local | 5 | include mirage.local |
@@ -9,6 +9,7 @@ include globals.local | |||
9 | noblacklist ${HOME}/.cache/mirage | 9 | noblacklist ${HOME}/.cache/mirage |
10 | noblacklist ${HOME}/.config/mirage | 10 | noblacklist ${HOME}/.config/mirage |
11 | noblacklist ${HOME}/.local/share/mirage | 11 | noblacklist ${HOME}/.local/share/mirage |
12 | noblacklist /sbin | ||
12 | 13 | ||
13 | include allow-python2.inc | 14 | include allow-python2.inc |
14 | include allow-python3.inc | 15 | include allow-python3.inc |
@@ -30,7 +31,7 @@ whitelist ${HOME}/.config/mirage | |||
30 | whitelist ${HOME}/.local/share/mirage | 31 | whitelist ${HOME}/.local/share/mirage |
31 | whitelist ${DOWNLOADS} | 32 | whitelist ${DOWNLOADS} |
32 | include whitelist-common.inc | 33 | include whitelist-common.inc |
33 | include whitelist-runuser-common.inc | 34 | include whitelist-runuser-common.inc |
34 | include whitelist-usr-share-common.inc | 35 | include whitelist-usr-share-common.inc |
35 | include whitelist-var-common.inc | 36 | include whitelist-var-common.inc |
36 | 37 | ||
@@ -49,7 +50,7 @@ shell none | |||
49 | tracelog | 50 | tracelog |
50 | 51 | ||
51 | disable-mnt | 52 | disable-mnt |
52 | private-bin mirage | 53 | private-bin ldconfig,mirage |
53 | private-cache | 54 | private-cache |
54 | private-dev | 55 | private-dev |
55 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg | 56 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg |
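Review bot: `noblacklist /sbin` on line 12 exposes the whole of /sbin inside the sandbox to reach one binary, `ldconfig`, which the last hunk also adds to `private-bin`. If firejail honours a file-level entry against the directory blacklist, `noblacklist /sbin/ldconfig` (or `${PATH}/ldconfig`) would keep the rest of the directory hidden; either way a comment such as `# ldconfig (in /sbin on some distributions) is required by mirage` should explain the exception, since nothing in the profile says why a chat client needs it.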
diff --git a/etc/profile-m-z/mplayer.profile b/etc/profile-m-z/mplayer.profile index 31a6caa9a..58384e33c 100644 --- a/etc/profile-m-z/mplayer.profile +++ b/etc/profile-m-z/mplayer.profile | |||
@@ -19,7 +19,7 @@ read-only ${DESKTOP} | |||
19 | mkdir ${HOME}/.mplayer | 19 | mkdir ${HOME}/.mplayer |
20 | whitelist ${HOME}/.mplayer | 20 | whitelist ${HOME}/.mplayer |
21 | include whitelist-common.inc | 21 | include whitelist-common.inc |
22 | include whitelist-players.inc | 22 | include whitelist-player-common.inc |
23 | include whitelist-usr-share-common.inc | 23 | include whitelist-usr-share-common.inc |
24 | include whitelist-var-common.inc | 24 | include whitelist-var-common.inc |
25 | 25 | ||
diff --git a/etc/profile-m-z/mpsyt.profile b/etc/profile-m-z/mpsyt.profile index 414eaf312..bdf50421b 100644 --- a/etc/profile-m-z/mpsyt.profile +++ b/etc/profile-m-z/mpsyt.profile | |||
@@ -44,7 +44,7 @@ whitelist ${HOME}/.mplayer | |||
44 | whitelist ${HOME}/.netrc | 44 | whitelist ${HOME}/.netrc |
45 | whitelist ${HOME}/mps | 45 | whitelist ${HOME}/mps |
46 | include whitelist-common.inc | 46 | include whitelist-common.inc |
47 | include whitelist-players.inc | 47 | include whitelist-player-common.inc |
48 | include whitelist-var-common.inc | 48 | include whitelist-var-common.inc |
49 | 49 | ||
50 | apparmor | 50 | apparmor |
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile index ce3bfe421..1d87eeb48 100644 --- a/etc/profile-m-z/mpv.profile +++ b/etc/profile-m-z/mpv.profile | |||
@@ -50,7 +50,7 @@ whitelist ${HOME}/.config/mpv | |||
50 | whitelist ${HOME}/.config/youtube-dl | 50 | whitelist ${HOME}/.config/youtube-dl |
51 | whitelist ${HOME}/.netrc | 51 | whitelist ${HOME}/.netrc |
52 | include whitelist-common.inc | 52 | include whitelist-common.inc |
53 | include whitelist-players.inc | 53 | include whitelist-player-common.inc |
54 | whitelist /usr/share/lua | 54 | whitelist /usr/share/lua |
55 | whitelist /usr/share/lua* | 55 | whitelist /usr/share/lua* |
56 | whitelist /usr/share/vulkan | 56 | whitelist /usr/share/vulkan |
diff --git a/etc/profile-m-z/mtpaint.profile b/etc/profile-m-z/mtpaint.profile index cfd00e8ae..9f1f0f53d 100644 --- a/etc/profile-m-z/mtpaint.profile +++ b/etc/profile-m-z/mtpaint.profile | |||
@@ -10,14 +10,14 @@ noblacklist ${PICTURES} | |||
10 | 10 | ||
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | include disable-devel.inc | 12 | include disable-devel.inc |
13 | include disable-exec.inc | 13 | include disable-exec.inc |
14 | include disable-interpreters.inc | 14 | include disable-interpreters.inc |
15 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | include disable-shell.inc | 17 | include disable-shell.inc |
18 | include disable-xdg.inc | 18 | include disable-xdg.inc |
19 | 19 | ||
20 | include whitelist-runuser-common.inc | 20 | include whitelist-runuser-common.inc |
21 | include whitelist-usr-share-common.inc | 21 | include whitelist-usr-share-common.inc |
22 | include whitelist-var-common.inc | 22 | include whitelist-var-common.inc |
23 | 23 | ||
diff --git a/etc/profile-m-z/musictube.profile b/etc/profile-m-z/musictube.profile index 955df698d..dbfd12619 100644 --- a/etc/profile-m-z/musictube.profile +++ b/etc/profile-m-z/musictube.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for musictube | 1 | # Firejail profile for musictube |
2 | # Description: Stream music | 2 | # Description: Stream music |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include musictube.local | 5 | include musictube.local |
@@ -16,7 +16,7 @@ include disable-exec.inc | |||
16 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
17 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
18 | include disable-programs.inc | 18 | include disable-programs.inc |
19 | include disable-shell.inc | 19 | include disable-shell.inc |
20 | include disable-xdg.inc | 20 | include disable-xdg.inc |
21 | 21 | ||
22 | mkdir ${HOME}/.cache/Flavio Tordini | 22 | mkdir ${HOME}/.cache/Flavio Tordini |
@@ -26,8 +26,8 @@ whitelist ${HOME}/.cache/Flavio Tordini | |||
26 | whitelist ${HOME}/.config/Flavio Tordini | 26 | whitelist ${HOME}/.config/Flavio Tordini |
27 | whitelist ${HOME}/.local/share/Flavio Tordini | 27 | whitelist ${HOME}/.local/share/Flavio Tordini |
28 | whitelist /usr/share/musictube | 28 | whitelist /usr/share/musictube |
29 | include whitelist-common.inc | 29 | include whitelist-common.inc |
30 | include whitelist-runuser-common.inc | 30 | include whitelist-runuser-common.inc |
31 | include whitelist-usr-share-common.inc | 31 | include whitelist-usr-share-common.inc |
32 | include whitelist-var-common.inc | 32 | include whitelist-var-common.inc |
33 | 33 | ||
diff --git a/etc/profile-m-z/nheko.profile b/etc/profile-m-z/nheko.profile index 701098f4b..42e7e92fc 100644 --- a/etc/profile-m-z/nheko.profile +++ b/etc/profile-m-z/nheko.profile | |||
@@ -7,7 +7,7 @@ include nheko.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.config/nheko | 9 | noblacklist ${HOME}/.config/nheko |
10 | noblacklist ${HOME}/.cache/nheko/nheko | 10 | noblacklist ${HOME}/.cache/nheko |
11 | 11 | ||
12 | include disable-common.inc | 12 | include disable-common.inc |
13 | include disable-devel.inc | 13 | include disable-devel.inc |
@@ -16,14 +16,19 @@ include disable-interpreters.inc | |||
16 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 17 | include disable-programs.inc |
18 | include disable-shell.inc | 18 | include disable-shell.inc |
19 | include disable-xdg.inc | ||
19 | 20 | ||
20 | mkdir ${HOME}/.config/nheko | 21 | mkdir ${HOME}/.config/nheko |
21 | mkdir ${HOME}/.cache/nheko/nheko | 22 | mkdir ${HOME}/.cache/nheko/nheko |
22 | whitelist ${HOME}/.config/nheko | 23 | whitelist ${HOME}/.config/nheko |
23 | whitelist ${HOME}/.cache/nheko/nheko | 24 | whitelist ${HOME}/.cache/nheko |
24 | whitelist ${DOWNLOADS} | 25 | whitelist ${DOWNLOADS} |
25 | include whitelist-common.inc | 26 | include whitelist-common.inc |
27 | include whitelist-runuser-common.inc | ||
28 | include whitelist-usr-share-common.inc | ||
29 | include whitelist-var-common.inc | ||
26 | 30 | ||
31 | apparmor | ||
27 | caps.drop all | 32 | caps.drop all |
28 | netfilter | 33 | netfilter |
29 | nodvd | 34 | nodvd |
@@ -38,5 +43,14 @@ tracelog | |||
38 | 43 | ||
39 | disable-mnt | 44 | disable-mnt |
40 | private-bin nheko | 45 | private-bin nheko |
46 | private-cache | ||
47 | private-dev | ||
48 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg | ||
41 | private-tmp | 49 | private-tmp |
42 | 50 | ||
51 | dbus-user none | ||
52 | # Comment the above line and uncomment below lines for notification popups | ||
53 | # dbus-user filter | ||
54 | # dbus-user.talk org.freedesktop.Notifications | ||
55 | # dbus-user.talk org.kde.StatusNotifierWatcher | ||
56 | dbus-system none | ||
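Review bot: `mkdir ${HOME}/.cache/nheko/nheko` on line 22 still creates the nested directory while the `noblacklist`/`whitelist` pair on lines 10 and 24 was widened to the parent `${HOME}/.cache/nheko`; the three should agree, so either change it to `mkdir ${HOME}/.cache/nheko` or, if nheko really writes into the nested path, keep it and say so in a comment. Widening the whitelist to the parent also exposes anything else that happens to live under `~/.cache/nheko` to the sandbox; presumably nheko owns that directory, so this is likely fine but worth confirming against a real install.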
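--- a/etc/profile-m-z/nslookup.profile
+++ b/etc/profile-m-z/nslookup.profile
@@ -8,7 +8,6 @@ include nslookup.local
 include globals.local
 
 blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 noblacklist ${PATH}/nslookup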
diff --git a/etc/profile-m-z/nuclear.profile b/etc/profile-m-z/nuclear.profile index 1b97eda9b..886403b9e 100644 --- a/etc/profile-m-z/nuclear.profile +++ b/etc/profile-m-z/nuclear.profile | |||
@@ -10,31 +10,16 @@ ignore dbus-user | |||
10 | 10 | ||
11 | noblacklist ${HOME}/.config/nuclear | 11 | noblacklist ${HOME}/.config/nuclear |
12 | 12 | ||
13 | include disable-devel.inc | 13 | include disable-shell.inc |
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-shell.inc | ||
17 | include disable-xdg.inc | ||
18 | 14 | ||
19 | mkdir ${HOME}/.config/nuclear | 15 | mkdir ${HOME}/.config/nuclear |
20 | whitelist ${HOME}/.config/nuclear | 16 | whitelist ${HOME}/.config/nuclear |
21 | include whitelist-common.inc | ||
22 | include whitelist-runuser-common.inc | ||
23 | include whitelist-usr-share-common.inc | ||
24 | include whitelist-var-common.inc | ||
25 | 17 | ||
26 | no3d | 18 | no3d |
27 | nou2f | ||
28 | novideo | ||
29 | shell none | ||
30 | 19 | ||
31 | disable-mnt | ||
32 | # private-bin nuclear | 20 | # private-bin nuclear |
33 | private-cache | ||
34 | private-dev | ||
35 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg | 21 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg |
36 | private-opt nuclear | 22 | private-opt nuclear |
37 | private-tmp | ||
38 | 23 | ||
39 | # Redirect | 24 | # Redirect |
40 | include electron.profile | 25 | include electron.profile |
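Review bot: The `disable-mnt`, `private-dev`, `private-tmp`, `private-cache`, `nou2f`, `novideo`, `shell none` lines and the `disable-*.inc`/`whitelist-*.inc` includes removed here now hold only if electron.profile, which is not in this hunk, supplies every one of them, so the redirect should be checked against that file before merge. `include whitelist-common.inc` was dropped as well while `whitelist ${HOME}/.config/nuclear` stays; if electron.profile does not pull it in, the home whitelist loses the common desktop paths it normally adds. A one-line comment such as `# disable-*.inc, whitelist-*.inc and private-* come from electron.profile` would make the dependency explicit for the next editor. The hunk header also shows `ignore dbus-user` above this block, so the session bus stays unfiltered whatever electron.profile sets; that is pre-existing, but it remains the largest hole in this profile.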
diff --git a/etc/profile-m-z/onboard.profile b/etc/profile-m-z/onboard.profile index 3a235a677..f7cb8790b 100644 --- a/etc/profile-m-z/onboard.profile +++ b/etc/profile-m-z/onboard.profile | |||
@@ -13,7 +13,7 @@ include allow-python3.inc | |||
13 | 13 | ||
14 | include disable-common.inc | 14 | include disable-common.inc |
15 | include disable-devel.inc | 15 | include disable-devel.inc |
16 | include disable-exec.inc | 16 | include disable-exec.inc |
17 | include disable-interpreters.inc | 17 | include disable-interpreters.inc |
18 | include disable-programs.inc | 18 | include disable-programs.inc |
19 | include disable-passwdmgr.inc | 19 | include disable-passwdmgr.inc |
@@ -23,9 +23,9 @@ include disable-xdg.inc | |||
23 | mkdir ${HOME}/.config/onboard | 23 | mkdir ${HOME}/.config/onboard |
24 | whitelist ${HOME}/.config/onboard | 24 | whitelist ${HOME}/.config/onboard |
25 | whitelist /usr/share/onboard | 25 | whitelist /usr/share/onboard |
26 | include whitelist-common.inc | 26 | include whitelist-common.inc |
27 | include whitelist-usr-share-common.inc | 27 | include whitelist-usr-share-common.inc |
28 | include whitelist-runuser-common.inc | 28 | include whitelist-runuser-common.inc |
29 | include whitelist-var-common.inc | 29 | include whitelist-var-common.inc |
30 | 30 | ||
31 | apparmor | 31 | apparmor |
diff --git a/etc/profile-m-z/ostrichriders.profile b/etc/profile-m-z/ostrichriders.profile index cc44d5a48..3bfda7946 100644 --- a/etc/profile-m-z/ostrichriders.profile +++ b/etc/profile-m-z/ostrichriders.profile | |||
@@ -42,7 +42,7 @@ tracelog | |||
42 | disable-mnt | 42 | disable-mnt |
43 | private-bin ostrichriders | 43 | private-bin ostrichriders |
44 | private-cache | 44 | private-cache |
45 | # private-dev should be commented for controllers | 45 | # comment the following line if you need controller support |
46 | private-dev | 46 | private-dev |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
diff --git a/etc/profile-m-z/otter-browser.profile b/etc/profile-m-z/otter-browser.profile index 652b6b7cb..aa26ddd4e 100644 --- a/etc/profile-m-z/otter-browser.profile +++ b/etc/profile-m-z/otter-browser.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for otter-browser | 1 | # Firejail profile for otter-browser |
2 | # Description: Lightweight web browser based on Qt5 | 2 | # Description: Lightweight web browser based on Qt5 |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include otter-browser.local | 5 | include otter-browser.local |
@@ -32,7 +32,7 @@ whitelist ${HOME}/.pki | |||
32 | whitelist ${HOME}/.local/share/pki | 32 | whitelist ${HOME}/.local/share/pki |
33 | whitelist /usr/share/otter-browser | 33 | whitelist /usr/share/otter-browser |
34 | include whitelist-common.inc | 34 | include whitelist-common.inc |
35 | include whitelist-runuser-common.inc | 35 | include whitelist-runuser-common.inc |
36 | include whitelist-usr-share-common.inc | 36 | include whitelist-usr-share-common.inc |
37 | include whitelist-var-common.inc | 37 | include whitelist-var-common.inc |
38 | 38 | ||
@@ -54,6 +54,6 @@ private-bin bash,otter-browser,sh,which | |||
54 | private-cache | 54 | private-cache |
55 | ?BROWSER_DISABLE_U2F: private-dev | 55 | ?BROWSER_DISABLE_U2F: private-dev |
56 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg | 56 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg |
57 | private-tmp | 57 | private-tmp |
58 | 58 | ||
59 | dbus-system none | 59 | dbus-system none |
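--- a/etc/profile-m-z/pandoc.profile
+++ b/etc/profile-m-z/pandoc.profile
@@ -7,7 +7,6 @@ include pandoc.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}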
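--- a/etc/profile-m-z/patch.profile
+++ b/etc/profile-m-z/patch.profile
@@ -7,7 +7,6 @@ include patch.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}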
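--- a/etc/profile-m-z/pdftotext.profile
+++ b/etc/profile-m-z/pdftotext.profile
@@ -6,7 +6,6 @@ include pdftotext.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}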
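--- /dev/null
+++ b/etc/profile-m-z/photoflare.profile
@@ -0,0 +1,50 @@
+# Firejail profile for photoflare
+# Description: Simple painting and editing program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include photoflare.local
+# Persistent global definitions
+include photoflare.local
+
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin photoflare
+private-cache
+private-dev
+private-etc alternatives,fonts,locale,locale.alias,locale.conf,mime.types,X11
+private-tmp
+
+dbus-user none
+dbus-system none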
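Review bot: Line 7 reads `include photoflare.local` under the `# Persistent global definitions` header, so globals.local is never included and photoflare.local is included twice; every other profile in this diff (servo, nheko) has `include globals.local` at that spot, and that is the fix: `include globals.local`. Without it, any site-wide hardening or relaxation an administrator places in globals.local silently does not apply to this sandbox. Less certain: nheko's `private-etc` list in this same diff carries `ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload` while photoflare's does not; that may be deliberate, but it is worth one test run on a distribution whose loader depends on /etc/ld.so.cache before the profile ships.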
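--- a/etc/profile-m-z/ping.profile
+++ b/etc/profile-m-z/ping.profile
@@ -8,7 +8,6 @@ include ping.local
 include globals.local
 
 blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 include disable-common.inc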
diff --git a/etc/profile-m-z/planmaker18.profile b/etc/profile-m-z/planmaker18.profile index 2ba8e86c0..4cf1efb7f 100644 --- a/etc/profile-m-z/planmaker18.profile +++ b/etc/profile-m-z/planmaker18.profile | |||
@@ -7,4 +7,4 @@ include planmaker18.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Redirect | 9 | # Redirect |
10 | include softmaker-common.inc | 10 | include softmaker-common.profile |
diff --git a/etc/profile-m-z/planmaker18free.profile b/etc/profile-m-z/planmaker18free.profile index d0bce44f5..bb85f1fc7 100644 --- a/etc/profile-m-z/planmaker18free.profile +++ b/etc/profile-m-z/planmaker18free.profile | |||
@@ -7,4 +7,4 @@ include planmaker18free.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Redirect | 9 | # Redirect |
10 | include softmaker-common.inc | 10 | include softmaker-common.profile |
diff --git a/etc/profile-m-z/playonlinux.profile b/etc/profile-m-z/playonlinux.profile index 03091af6d..0ebef226a 100644 --- a/etc/profile-m-z/playonlinux.profile +++ b/etc/profile-m-z/playonlinux.profile | |||
@@ -4,34 +4,17 @@ | |||
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include playonlinux.local | 5 | include playonlinux.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | # added by included profile |
8 | #include globals.local | ||
8 | 9 | ||
9 | noblacklist ${HOME}/.Steam | ||
10 | noblacklist ${HOME}/.local/share/Steam | ||
11 | noblacklist ${HOME}/.local/share/steam | ||
12 | noblacklist ${HOME}/.steam | ||
13 | noblacklist ${HOME}/.PlayOnLinux | 10 | noblacklist ${HOME}/.PlayOnLinux |
14 | 11 | ||
15 | # nc is needed to run playonlinux | 12 | # nc is needed to run playonlinux |
16 | noblacklist ${PATH}/nc | 13 | noblacklist ${PATH}/nc |
17 | 14 | ||
18 | # Allow python (blacklisted by disable-interpreters.inc) | ||
19 | include allow-python2.inc | 15 | include allow-python2.inc |
20 | include allow-python3.inc | 16 | include allow-python3.inc |
21 | |||
22 | # Allow perl (blacklisted by disable-interpreters.inc) | ||
23 | include allow-perl.inc | 17 | include allow-perl.inc |
24 | 18 | ||
25 | include disable-common.inc | 19 | # Redirect |
26 | include disable-devel.inc | 20 | include wine.profile |
27 | include disable-interpreters.inc | ||
28 | include disable-programs.inc | ||
29 | |||
30 | caps.drop all | ||
31 | netfilter | ||
32 | nodvd | ||
33 | nogroups | ||
34 | nonewprivs | ||
35 | noroot | ||
36 | notv | ||
37 | seccomp | ||
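Review bot: The four `noblacklist ${HOME}/.Steam`, `.local/share/Steam`, `.local/share/steam` and `.steam` lines were removed with the rest of the body, but nothing on the new side restores them; unless wine.profile (not in this hunk) noblacklists the Steam directories itself, whichever disable-*.inc files it includes will now hide them and PlayOnLinux's Steam integration breaks. If dropping them is intended, a comment saying so would help; otherwise re-add them above the `# Redirect`. The confinement that used to be spelled out here (`caps.drop all`, `noroot`, `nonewprivs`, `seccomp`) likewise now depends entirely on wine.profile, so the redirect deserves a side-by-side check before merge. The explanatory comments for the interpreter includes were dropped too; restoring `# Allow python (blacklisted by disable-interpreters.inc)` above them costs nothing.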
diff --git a/etc/profile-m-z/ppsspp.profile b/etc/profile-m-z/ppsspp.profile index c62e53151..c71553bcd 100644 --- a/etc/profile-m-z/ppsspp.profile +++ b/etc/profile-m-z/ppsspp.profile | |||
@@ -32,7 +32,7 @@ protocol unix,netlink | |||
32 | seccomp | 32 | seccomp |
33 | shell none | 33 | shell none |
34 | 34 | ||
35 | # private-dev is disabled to allow controller support | 35 | # uncomment the following line if you do not need controller support |
36 | #private-dev | 36 | #private-dev |
37 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl | 37 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl |
38 | private-opt ppsspp | 38 | private-opt ppsspp |
diff --git a/etc/profile-m-z/presentations18.profile b/etc/profile-m-z/presentations18.profile index d4f531060..65d684c40 100644 --- a/etc/profile-m-z/presentations18.profile +++ b/etc/profile-m-z/presentations18.profile | |||
@@ -7,5 +7,5 @@ include presentations18.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Redirect | 9 | # Redirect |
10 | include softmaker-common.inc | 10 | include softmaker-common.profile |
11 | 11 | ||
diff --git a/etc/profile-m-z/presentations18free.profile b/etc/profile-m-z/presentations18free.profile index e2319f13f..218747224 100644 --- a/etc/profile-m-z/presentations18free.profile +++ b/etc/profile-m-z/presentations18free.profile | |||
@@ -7,4 +7,4 @@ include presentations18free.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Redirect | 9 | # Redirect |
10 | include softmaker-common.inc | 10 | include softmaker-common.profile |
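--- a/etc/profile-m-z/qrencode.profile
+++ b/etc/profile-m-z/qrencode.profile
@@ -7,7 +7,6 @@ include qrencode.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 include disable-common.inc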
diff --git a/etc/profile-m-z/quaternion.profile b/etc/profile-m-z/quaternion.profile index 2133c74d3..3041860b3 100644 --- a/etc/profile-m-z/quaternion.profile +++ b/etc/profile-m-z/quaternion.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for quaternion | 1 | # Firejail profile for quaternion |
2 | # Description: Desktop client for Matrix | 2 | # Description: Desktop client for Matrix |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include quaternion.local | 5 | include quaternion.local |
@@ -25,7 +25,7 @@ whitelist ${HOME}/.config/Quotient | |||
25 | whitelist ${DOWNLOADS} | 25 | whitelist ${DOWNLOADS} |
26 | whitelist /usr/share/Quotient/quaternion | 26 | whitelist /usr/share/Quotient/quaternion |
27 | include whitelist-common.inc | 27 | include whitelist-common.inc |
28 | include whitelist-runuser-common.inc | 28 | include whitelist-runuser-common.inc |
29 | include whitelist-usr-share-common.inc | 29 | include whitelist-usr-share-common.inc |
30 | include whitelist-var-common.inc | 30 | include whitelist-var-common.inc |
31 | 31 | ||
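--- a/etc/profile-m-z/rhythmbox.profile
+++ b/etc/profile-m-z/rhythmbox.profile
@@ -59,6 +59,7 @@ dbus-user.own org.gnome.Rhythmbox3
 dbus-user.own org.mpris.MediaPlayer2.rhythmbox
 dbus-user.own org.gnome.UPnP.MediaServer2.Rhythmbox
 dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gtk.vfs.*
 dbus-user.talk org.freedesktop.Notifications
 dbus-user.talk org.gnome.SettingsDaemon.MediaKeys
 dbus-system filter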
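Review bot: `dbus-user.talk org.gtk.vfs.*` lets the sandboxed Rhythmbox talk to gvfsd, which runs unconfined in the user session and performs file and mount operations on the caller's behalf, so in effect it can reach paths that the profile's whitelist and blacklist rules exclude; the new line should carry a comment naming the feature that needs it and acknowledging the trade-off, e.g. `# gvfs runs outside the sandbox; needed for <feature>, exposes gvfs mounts to the player`. If a single backend is involved, a narrower name than the wildcard would be preferable, though the mountpoint bus names gvfs uses are presumably dynamic, in which case the wildcard is unavoidable and the comment is what matters.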
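--- a/etc/profile-m-z/riot-desktop.profile
+++ b/etc/profile-m-z/riot-desktop.profile
@@ -7,7 +7,5 @@ include riot-desktop.local
 # added by included profile
 #include globals.local
 
-seccomp !chroot
-
 # Redirect
 include riot-web.profile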
diff --git a/etc/profile-m-z/riot-web.profile b/etc/profile-m-z/riot-web.profile index b930adf2b..687c943b0 100644 --- a/etc/profile-m-z/riot-web.profile +++ b/etc/profile-m-z/riot-web.profile | |||
@@ -4,14 +4,15 @@ | |||
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include riot-web.local | 5 | include riot-web.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | # added by included profile | 7 | include globals.local |
8 | #include globals.local | 8 | |
9 | ignore noexec /tmp | ||
9 | 10 | ||
10 | noblacklist ${HOME}/.config/Riot | 11 | noblacklist ${HOME}/.config/Riot |
11 | 12 | ||
12 | mkdir ${HOME}/.config/Riot | 13 | mkdir ${HOME}/.config/Riot |
13 | whitelist ${HOME}/.config/Riot | 14 | whitelist ${HOME}/.config/Riot |
14 | include whitelist-common.inc | 15 | whitelist /usr/share/webapps/element |
15 | 16 | ||
16 | # Redirect | 17 | # Redirect |
17 | include electron.profile | 18 | include electron.profile |
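Review bot: `ignore noexec /tmp` on line 9 re-enables execution from the shared /tmp for a program that renders untrusted web content, with no comment saying what breaks without it; the skypeforlinux hunk in this same diff at least carries `# breaks Skype`, and this one should name the reason or issue too, e.g. `# Element extracts and runs helpers from /tmp at startup`. Line 7 switches to `include globals.local` while the profile still redirects to electron.profile; riot-desktop's `# added by included profile` comment suggests the redirect chain used to rely on electron.profile for that include, so if both now include it the file is processed twice — harmless for most options, but worth settling which layer owns it. `include whitelist-common.inc` was dropped from this file and must now arrive via electron.profile for the `whitelist ${HOME}/.config/Riot` rule to leave the usual desktop paths readable.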
diff --git a/etc/profile-m-z/rocketchat.profile b/etc/profile-m-z/rocketchat.profile index a574e4e8b..8d3607c75 100644 --- a/etc/profile-m-z/rocketchat.profile +++ b/etc/profile-m-z/rocketchat.profile | |||
@@ -3,14 +3,28 @@ | |||
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include rocketchat.local | 4 | include rocketchat.local |
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | # added by included profile | 6 | include globals.local |
7 | #include globals.local | 7 | |
8 | # Disabled until someone reported positive feedback | ||
9 | ignore include disable-devel.inc | ||
10 | ignore include disable-exec.inc | ||
11 | ignore include disable-interpreters.inc | ||
12 | ignore include disable-xdg.inc | ||
13 | ignore include whitelist-runuser-common.inc | ||
14 | ignore include whitelist-usr-share-common.inc | ||
15 | ignore include whitelist-var-common.inc | ||
16 | ignore nou2f | ||
17 | ignore novideo | ||
18 | ignore shell none | ||
19 | ignore disable-mnt | ||
20 | ignore private-cache | ||
21 | ignore private-dev | ||
22 | ignore private-tmp | ||
8 | 23 | ||
9 | noblacklist ${HOME}/.config/Rocket.Chat | 24 | noblacklist ${HOME}/.config/Rocket.Chat |
10 | 25 | ||
11 | mkdir ${HOME}/.config/Rocket.Chat | 26 | mkdir ${HOME}/.config/Rocket.Chat |
12 | whitelist ${HOME}/.config/Rocket.Chat | 27 | whitelist ${HOME}/.config/Rocket.Chat |
13 | include whitelist-common.inc | ||
14 | 28 | ||
15 | # Redirect | 29 | # Redirect |
16 | include electron.profile | 30 | include electron.profile |
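Review bot: The new `ignore` block on lines 9-22 opts out of `disable-mnt`, `private-dev`, `private-tmp`, `private-cache`, `shell none`, `nou2f`, `novideo` and all of the disable-*.inc/whitelist-*.inc includes at once, justified only by `# Disabled until someone reported positive feedback`; each of these is an independent relaxation, and the cheap ones (`private-tmp`, `private-cache`, `nou2f`, `novideo`) rarely break Electron apps, so testing them one at a time rather than opting out wholesale would keep more of electron.profile's confinement. The comment should also list which options are actually known to break Rocket.Chat, or link the issue, and `reported` should read `reports`. `include whitelist-common.inc` was removed while `whitelist ${HOME}/.config/Rocket.Chat` stays, so the common home paths now depend on electron.profile pulling that include in.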
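--- a/etc/profile-m-z/rsync-download_only.profile
+++ b/etc/profile-m-z/rsync-download_only.profile
@@ -13,7 +13,6 @@ include globals.local
 # Usage: firejail --profile=rsync-download_only rsync
 
 blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 include disable-common.inc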
diff --git a/etc/profile-m-z/server.profile b/etc/profile-m-z/server.profile index 5bc4735ae..d47f1289a 100644 --- a/etc/profile-m-z/server.profile +++ b/etc/profile-m-z/server.profile | |||
@@ -45,10 +45,17 @@ include disable-common.inc | |||
45 | # include disable-interpreters.inc | 45 | # include disable-interpreters.inc |
46 | include disable-passwdmgr.inc | 46 | include disable-passwdmgr.inc |
47 | include disable-programs.inc | 47 | include disable-programs.inc |
48 | # include disable-xdg.inc | 48 | include disable-write-mnt.inc |
49 | include disable-xdg.inc | ||
49 | 50 | ||
51 | # include whitelist-runuser-common.inc | ||
52 | # include whitelist-usr-share-common.inc | ||
53 | # include whitelist-var-common.inc | ||
54 | |||
55 | apparmor | ||
50 | caps | 56 | caps |
51 | # ipc-namespace | 57 | # ipc-namespace |
58 | machine-id | ||
52 | # netfilter /etc/firejail/webserver.net | 59 | # netfilter /etc/firejail/webserver.net |
53 | no3d | 60 | no3d |
54 | nodvd | 61 | nodvd |
@@ -59,19 +66,26 @@ nosound | |||
59 | notv | 66 | notv |
60 | nou2f | 67 | nou2f |
61 | novideo | 68 | novideo |
69 | # protocol unix,inet,inet6,netlink | ||
62 | seccomp | 70 | seccomp |
63 | # shell none | 71 | # shell none |
64 | 72 | ||
65 | # disable-mnt | 73 | disable-mnt |
66 | private | 74 | private |
67 | # private-bin program | 75 | # private-bin program |
68 | # private-cache | 76 | # private-cache |
69 | private-dev | 77 | private-dev |
78 | # see /usr/share/doc/firejail/profile.template for more common private-etc paths. | ||
70 | # private-etc alternatives | 79 | # private-etc alternatives |
71 | # private-lib | 80 | # private-lib |
81 | # private-opt none | ||
72 | private-tmp | 82 | private-tmp |
73 | 83 | ||
74 | # dbus-user none | 84 | dbus-user none |
75 | # dbus-system none | 85 | # dbus-system none |
76 | 86 | ||
77 | # memory-deny-write-execute | 87 | # memory-deny-write-execute |
88 | # read-only ${HOME} | ||
89 | # writable-run-user | ||
90 | # writable-var | ||
91 | # writable-var-log | ||
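Review bot: `include disable-write-mnt.inc` (line 48) and `disable-mnt` (line 73) are both active; `disable-mnt` blacklists /mnt, /media and the run-mount directories outright, so the read-only variant never gets a chance to matter. Since this file is a template, the two are better presented as alternatives, e.g. `# disable-write-mnt.inc keeps /mnt and /media readable; disable-mnt hides them entirely - pick one`, with one of them commented out. `machine-id` is now on by default for a profile that keeps `caps` and root; it replaces /etc/machine-id with a random value inside the sandbox, which daemons that derive stable identifiers from it may not expect, so a one-line caveat next to it would save template users a debugging session.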
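--- /dev/null
+++ b/etc/profile-m-z/servo.profile
@@ -0,0 +1,48 @@
+# Firejail profile for servo
+# Description: The Servo Browser Engine
+# This file is overwritten after every install/update
+# Persistent local customizations
+include servo.local
+# Persistent global definitions
+include globals.local
+
+# Servo is usually installed inside $HOME
+ignore noexec ${HOME}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# Add a whitelist for the directory where servo is installed and uncomment the lines below.
+#whitelist ${DOWNLOADS}
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin servo,sh
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none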
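Review bot: `ignore noexec ${HOME}` on line 10 cancels the `noexec ${HOME}` that disable-exec.inc (line 14) would otherwise apply, so the entire home directory stays executable for a browser engine that processes untrusted web content, and with the home whitelist on lines 21-22 commented out a compromised process can write and then run a payload anywhere under $HOME; the comment should spell that out and tell users who install servo under /opt or /usr/local to put `noexec ${HOME}` back in servo.local. `private-bin servo,sh` ships a shell into the sandbox without explanation — if servo's launcher is a script, say so with `# sh is needed by servo's launcher script`; otherwise `sh` should go. Also, `private-bin` presumably resolves names against the standard bin directories only, so with servo living in $HOME the `servo` entry likely does nothing and users will be starting it by path; worth a note.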
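--- a/etc/profile-m-z/shellcheck.profile
+++ b/etc/profile-m-z/shellcheck.profile
@@ -7,7 +7,6 @@ include shellcheck.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}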
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile index c28571270..08e1c1f03 100644 --- a/etc/profile-m-z/signal-desktop.profile +++ b/etc/profile-m-z/signal-desktop.profile | |||
@@ -5,6 +5,13 @@ include signal-desktop.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | # Disabled until someone reported positive feedback | ||
9 | ignore include-xdg.inc | ||
10 | ignore include whitelist-runuser-common.inc | ||
11 | ignore include whitelist-usr-share-common.inc | ||
12 | ignore private-cache | ||
13 | ignore novideo | ||
14 | |||
8 | ignore noexec /tmp | 15 | ignore noexec /tmp |
9 | 16 | ||
10 | noblacklist ${HOME}/.config/Signal | 17 | noblacklist ${HOME}/.config/Signal |
@@ -14,32 +21,12 @@ noblacklist ${HOME}/.mozilla | |||
14 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | 21 | whitelist ${HOME}/.mozilla/firefox/profiles.ini |
15 | read-only ${HOME}/.mozilla/firefox/profiles.ini | 22 | read-only ${HOME}/.mozilla/firefox/profiles.ini |
16 | 23 | ||
17 | include disable-common.inc | ||
18 | include disable-devel.inc | ||
19 | include disable-exec.inc | 24 | include disable-exec.inc |
20 | include disable-interpreters.inc | ||
21 | include disable-programs.inc | ||
22 | include disable-passwdmgr.inc | ||
23 | 25 | ||
24 | mkdir ${HOME}/.config/Signal | 26 | mkdir ${HOME}/.config/Signal |
25 | whitelist ${DOWNLOADS} | ||
26 | whitelist ${HOME}/.config/Signal | 27 | whitelist ${HOME}/.config/Signal |
27 | include whitelist-common.inc | 28 | |
28 | include whitelist-var-common.inc | ||
29 | |||
30 | apparmor | ||
31 | caps.keep sys_admin,sys_chroot | ||
32 | netfilter | ||
33 | nodvd | ||
34 | nogroups | ||
35 | notv | ||
36 | nou2f | ||
37 | shell none | ||
38 | |||
39 | disable-mnt | ||
40 | private-dev | ||
41 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl | 29 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl |
42 | private-tmp | ||
43 | 30 | ||
44 | dbus-user none | 31 | # Redirect |
45 | dbus-system none | 32 | include electron.profile |
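Review bot: Line 9 reads `ignore include-xdg.inc`, which matches no directive and therefore ignores nothing; judging by the neighbouring lines and the same block in rocketchat the intent is `ignore include disable-xdg.inc`. As written the profile fails safe — disable-xdg.inc from electron.profile stays active — but the relaxation the comment announces is not applied, so anyone reporting feedback would be testing a different configuration than they think. `Disabled until someone reported positive feedback` should read `reports`, here and in the sibling profiles. The former `caps.keep sys_admin,sys_chroot`, `private-dev`, `private-tmp` and D-Bus lines now come only from electron.profile, which is not in this hunk; a quick comparison of what it sets against what was removed here would confirm nothing was lost in the redirect.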
diff --git a/etc/profile-m-z/skypeforlinux.profile b/etc/profile-m-z/skypeforlinux.profile index 341c25a95..b39763981 100644 --- a/etc/profile-m-z/skypeforlinux.profile +++ b/etc/profile-m-z/skypeforlinux.profile | |||
@@ -5,27 +5,24 @@ include skypeforlinux.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | # Disabled until someone reported positive feedback | ||
9 | ignore whitelist ${DOWNLOADS} | ||
10 | ignore include whitelist-common.inc | ||
11 | ignore include whitelist-runuser-common.inc | ||
12 | ignore include whitelist-usr-share-common.inc | ||
13 | ignore include whitelist-var-common.inc | ||
14 | ignore nou2f | ||
15 | ignore novideo | ||
16 | ignore private-dev | ||
17 | ignore dbus-user none | ||
18 | ignore dbus-system none | ||
19 | |||
8 | # breaks Skype | 20 | # breaks Skype |
9 | ignore noexec /tmp | 21 | ignore noexec /tmp |
10 | 22 | ||
11 | noblacklist ${HOME}/.config/skypeforlinux | 23 | noblacklist ${HOME}/.config/skypeforlinux |
12 | 24 | ||
13 | include disable-common.inc | ||
14 | include disable-devel.inc | ||
15 | include disable-exec.inc | ||
16 | include disable-interpreters.inc | ||
17 | include disable-passwdmgr.inc | ||
18 | include disable-programs.inc | ||
19 | include disable-xdg.inc | ||
20 | |||
21 | caps.keep sys_admin,sys_chroot | ||
22 | netfilter | ||
23 | nodvd | ||
24 | nogroups | ||
25 | notv | ||
26 | shell none | ||
27 | |||
28 | disable-mnt | ||
29 | private-cache | ||
30 | # private-dev - needs /dev/disk | 25 | # private-dev - needs /dev/disk |
31 | private-tmp | 26 | |
27 | # Redirect | ||
28 | include electron.profile | ||
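Review bot: `ignore dbus-user none` and `ignore dbus-system none` on lines 17-18 remove the bus restrictions electron.profile sets without putting a `dbus-user filter` in their place, so Skype gets an unfiltered session and system bus; if it only needs notifications or a tray icon, `dbus-user filter` plus explicit `dbus-user.talk` names (as rhythmbox does in this diff) keeps the policy narrow, and the comment should say which D-Bus services it actually uses. The reason for `ignore private-dev` is already written down on line 25 as `# private-dev - needs /dev/disk`; moving that comment directly above the `ignore` line keeps cause and effect together instead of eleven lines apart.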
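--- a/etc/profile-m-z/slack.profile
+++ b/etc/profile-m-z/slack.profile
@@ -5,31 +5,26 @@ include slack.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore include disable-exec.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore apparmor
+ignore novideo
+ignore private-tmp
+ignore dbus-user none
+ignore dbus-system none
+
 noblacklist ${HOME}/.config/Slack
 
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
 include disable-shell.inc
 
 mkdir ${HOME}/.config/Slack
 whitelist ${HOME}/.config/Slack
-whitelist ${DOWNLOADS}
-include whitelist-common.inc
-include whitelist-var-common.inc
-
-caps.keep sys_admin,sys_chroot
-netfilter
-nodvd
-nogroups
-notv
-nou2f
-shell none
 
-disable-mnt
 private-bin locale,slack
-private-cache
-private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
+
+# Redirect
+include electron.profile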
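Review bot: The block at new lines 8–17 switches off apparmor, private-tmp, disable-exec.inc and disable-xdg.inc from the redirected electron.profile with only the generic heading "Disabled until someone reported positive feedback"; the old profile never had apparmor, private-tmp or those two includes, so these ignores appear to preserve the pre-redirect behaviour rather than weaken it, but the heading does not say that. A comment such as `# not part of the pre-electron profile; remove these ignores once users confirm Slack works with them` would let the next maintainer tell a deliberate carry-over from an untested hardening gap, and the same block appears in the teams, teams-for-linux, twitch and whalebird sections of this commit. It is also worth confirming that electron.profile supplies the `whitelist ${DOWNLOADS}` and `include whitelist-common.inc` entries removed at old lines 19–20, since nothing in this file re-adds them.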
diff --git a/etc/inc/softmaker-common.inc b/etc/profile-m-z/softmaker-common.profile index a8ec5848c..a8ec5848c 100644 --- a/etc/inc/softmaker-common.inc +++ b/etc/profile-m-z/softmaker-common.profile | |||
diff --git a/etc/profile-m-z/spectral.profile b/etc/profile-m-z/spectral.profile index d7f94e144..093661d8c 100644 --- a/etc/profile-m-z/spectral.profile +++ b/etc/profile-m-z/spectral.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for spectral | 1 | # Firejail profile for spectral |
2 | # Description: Desktop client for Matrix | 2 | # Description: Desktop client for Matrix |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include spectral.local | 5 | include spectral.local |
@@ -24,7 +24,7 @@ whitelist ${HOME}/.cache/ENCOM/Spectral | |||
24 | whitelist ${HOME}/.config/ENCOM | 24 | whitelist ${HOME}/.config/ENCOM |
25 | whitelist ${DOWNLOADS} | 25 | whitelist ${DOWNLOADS} |
26 | include whitelist-common.inc | 26 | include whitelist-common.inc |
27 | include whitelist-runuser-common.inc | 27 | include whitelist-runuser-common.inc |
28 | include whitelist-usr-share-common.inc | 28 | include whitelist-usr-share-common.inc |
29 | include whitelist-var-common.inc | 29 | include whitelist-var-common.inc |
30 | 30 | ||
@@ -50,4 +50,8 @@ private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts, | |||
50 | private-tmp | 50 | private-tmp |
51 | 51 | ||
52 | dbus-user none | 52 | dbus-user none |
53 | # Comment the above line and uncomment below lines for notification popups | ||
54 | # dbus-user filter | ||
55 | # dbus-user.talk org.freedesktop.Notifications | ||
56 | # dbus-user.talk org.kde.StatusNotifierWatcher | ||
53 | dbus-system none | 57 | dbus-system none |
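Review bot: The instructions at new lines 53–56 tell users to edit this file in place ("Comment the above line and uncomment below lines"), but line 3 of the same profile says it is overwritten after every install/update, so the change would be lost on the next upgrade. The hunk could instead point at the persistent override the sysprof section of this commit uses: `# For notification popups, put 'ignore dbus-user none' and the three dbus-user lines below in your spectral.local`. The first hunk of this section (lines 1–5) shows no visible difference between the old and new text, so the actual change there is presumably whitespace only.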
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile index 78b12c2cb..d873a5672 100644 --- a/etc/profile-m-z/ssh.profile +++ b/etc/profile-m-z/ssh.profile | |||
@@ -34,7 +34,7 @@ nonewprivs | |||
34 | # noroot - see issue #1543 | 34 | # noroot - see issue #1543 |
35 | nosound | 35 | nosound |
36 | notv | 36 | notv |
37 | # nou2f - OpenSSH >= 8.2 supports U2F | 37 | # nou2f - OpenSSH >= 8.2 supports U2F |
38 | novideo | 38 | novideo |
39 | protocol unix,inet,inet6 | 39 | protocol unix,inet,inet6 |
40 | seccomp | 40 | seccomp |
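--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -109,10 +109,10 @@ shell none
 # picture viewers are needed for viewing screenshots
 #private-bin eog,eom,gthumb,pix,viewnior,xviewer
 
-# private-dev should be commented for controllers
+# comment the following line if you need controller support
 private-dev
 # private-etc breaks a small selection of games on some systems, comment to support those
-private-etc alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl
+private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl
 private-tmp
 
 # breaks appindicator support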
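Review bot: The reworded comment at new line 112 still asks users to comment out `private-dev` in this file, while the supertuxkart section of the same commit (new lines 53–54) handles the same controller problem the opposite way by shipping `#private-dev` disabled, so the two profiles now default to different /dev exposure for the same reason. Profiles are overwritten on update (see the header of the straw-viewer profile added here), so the durable form is the `.local` override the sysprof hunk already recommends: `# controllers need /dev access: put 'ignore private-dev' in steam.local`. Keeping `private-dev` active by default, as steam does, is the better of the two defaults because it leaves the wider /dev view only to the users who need it; supertuxkart should follow the same convention.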
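--- /dev/null
+++ b/etc/profile-m-z/straw-viewer.profile
@@ -0,0 +1,58 @@
+# Firejail profile for straw-viewer
+# Description: Fork of youtube-viewer acts like an invidious frontend
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include straw-viewer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/straw-viewer
+noblacklist ${HOME}/.config/straw-viewer
+
+include allow-lua.inc
+include allow-perl.inc
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/straw-viewer
+mkdir ${HOME}/.cache/straw-viewer
+whitelist ${HOME}/.cache/straw-viewer
+whitelist ${HOME}/.config/straw-viewer
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,ffmpeg,ffprobe,gtk-straw-viewer,mpv,perl,python*,sh,smplayer,straw-viewer,stty,vlc,wget,which,youtube-dl
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none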
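Review bot: The four `include allow-*.inc` lines at new lines 13–16 and the `bash,sh,perl,python*` entries in private-bin at line 51 re-admit shells and interpreters that disable-interpreters.inc and disable-exec.inc otherwise remove, but nothing records which binary needs which; straw-viewer and youtube-dl are presumably the Perl and Python consumers, while no Lua binary appears in private-bin, so `allow-lua.inc` may have no consumer unless one of the players needs it. A comment per include, e.g. `# perl - straw-viewer; python - youtube-dl (TODO confirm which versions)`, and dropping any allow-*.inc without a known consumer keeps the exposed surface tied to a need. `python*` also matches every installed interpreter, so listing only the major versions required would be tighter once that is known.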
diff --git a/etc/profile-m-z/strawberry.profile b/etc/profile-m-z/strawberry.profile index cd36c0d41..0801add28 100644 --- a/etc/profile-m-z/strawberry.profile +++ b/etc/profile-m-z/strawberry.profile | |||
@@ -21,7 +21,7 @@ include disable-xdg.inc | |||
21 | 21 | ||
22 | include whitelist-runuser-common.inc | 22 | include whitelist-runuser-common.inc |
23 | include whitelist-usr-share-common.inc | 23 | include whitelist-usr-share-common.inc |
24 | include whitelist-var-common.inc | 24 | include whitelist-var-common.inc |
25 | 25 | ||
26 | apparmor | 26 | apparmor |
27 | caps.drop all | 27 | caps.drop all |
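--- a/etc/profile-m-z/strings.profile
+++ b/etc/profile-m-z/strings.profile
@@ -7,7 +7,6 @@ include strings.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 #include disable-common.inc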
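--- a/etc/profile-m-z/supertuxkart.profile
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -41,7 +41,7 @@ noroot
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,bluetooth
 seccomp
 seccomp.block-secondary
 shell none
@@ -50,7 +50,8 @@ tracelog
 disable-mnt
 private-bin supertuxkart
 private-cache
-private-dev
+# uncomment the following line if you do not need controller support
+#private-dev
 private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,machine-id,openal,pki,resolv.conf,ssl
 private-tmp
 private-opt none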
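Review bot: `bluetooth` is appended to the protocol line at new line 44 with no comment, and unlike the private-dev toggle in the second hunk it is enabled for every user rather than offered as an opt-in. If it exists for wireless controllers (presumably, but the diff does not say), a comment such as `# bluetooth - needed for wireless controllers` records that; if it is only for controller users, it belongs with the same opt-in guidance as private-dev rather than in the default socket-family list.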
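--- a/etc/profile-m-z/sysprof.profile
+++ b/etc/profile-m-z/sysprof.profile
@@ -6,6 +6,7 @@ include sysprof.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -14,6 +15,19 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+# help menu functionality (yelp) - comment or add this block prepended with 'ignore'
+# to your sysprof.local if you don't need the help functionality
+noblacklist ${HOME}/.config/yelp
+mkdir ${HOME}/.config/yelp
+whitelist ${HOME}/.config/yelp
+whitelist /usr/share/help/C/sysprof
+whitelist /usr/share/yelp
+whitelist /usr/share/yelp-tools
+whitelist /usr/share/yelp-xsl
+
+whitelist ${DOCUMENTS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -26,27 +40,30 @@ no3d
 nodvd
 nogroups
 nonewprivs
-# Ubuntu 16.04 version needs root privileges - uncomment or put in sysprof.local if you don't use that
-#noroot
+# Ubuntu 16.04 version needs root privileges - comment or put 'ignore noroot' in sysprof.local if you run Xenial
+noroot
 nosound
 notv
 nou2f
 novideo
 protocol unix,netlink
+seccomp
 shell none
 tracelog
 
 disable-mnt
-#private-bin sysprof - breaks GUI help menu
+#private-bin sysprof - breaks help menu
 private-cache
 private-dev
 private-etc alternatives,fonts,ld.so.cache,machine-id,ssl
-# private-lib breaks GUI help menu
+# private-lib breaks help menu
 #private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so
 private-tmp
 
-# makes settings immutable
-# dbus-user none
-# dbus-system none
+dbus-user filter
+dbus-user.own org.gnome.Shell
+dbus-user.own org.gnome.Yelp
+dbus-user.own org.gnome.Sysprof3
+dbus-user.talk ca.desrt.dconf
 
-# memory-deny-write-execute - Breaks GUI on Arch
+# memory-deny-write-execute - breaks on Arch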
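Review bot: `dbus-user.own org.gnome.Shell` at new line 64 lets the sandboxed sysprof claim the GNOME Shell well-known bus name, which is a broader grant than the `talk` rule used for dconf at line 67; if sysprof only needs to call the shell (for the help menu or profiler integration, which this diff does not show), `dbus-user.talk org.gnome.Shell` is the narrower rule. A why-comment on the block, `# dbus: Shell/Yelp for the help menu, dconf for settings - TODO confirm which names need own rather than talk`, would document the choice either way. The block also replaces the removed `# makes settings immutable` note at old line 48, so the reason the `none` rules were unsuitable is now only implied.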
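--- a/etc/profile-m-z/tar.profile
+++ b/etc/profile-m-z/tar.profile
@@ -7,49 +7,13 @@ include tar.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
-
 # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only.
 noblacklist /var/lib/pacman
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-apparmor
-caps.drop all
-hostname tar
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-#noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-x11 none
+ignore include disable-shell.inc
+include archiver-common.inc
 
-# support compressed archives
-private-bin awk,bash,bzip2,compress,firejail,grep,gtar,gzip,lbzip2,lzip,lzma,lzop,sh,tar,xz
-private-cache
-private-dev
 private-etc alternatives,group,localtime,login.defs,passwd
-private-lib libfakeroot
+#private-lib libfakeroot,liblzma.so.*,libreadline.so.*
 # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
 writable-var
-
-dbus-user none
-dbus-system none
-
-memory-deny-write-execute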
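Review bot: New line 17 turns `private-lib` into a comment (it was active as `private-lib libfakeroot` at old line 48) and new line 13 switches disable-shell.inc off for tar, but neither line says why; the commented line now also names liblzma.so.* and libreadline.so.*, which suggests the library list was found incomplete, though the diff does not say so. A short reason on each, `# private-lib - library list incomplete, see <issue>` with the real reference and `# tar needs a shell for its compressor helpers (TODO confirm)`, keeps the decisions reviewable. The old profile's `memory-deny-write-execute`, `private-bin` list and `dbus-* none` lines are gone from this file, and the unrar and unzip sections of this commit are reduced the same way, so all three now rely on archiver-common.inc, which is not in this diff, to restore them.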
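--- a/etc/profile-m-z/teams-for-linux.profile
+++ b/etc/profile-m-z/teams-for-linux.profile
@@ -4,33 +4,23 @@
 # Persistent local customizations
 include teams-for-linux.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
+
+# Disabled until someone reported positive feedback
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
 
 ignore dbus-user none
 ignore dbus-system none
 
 noblacklist ${HOME}/.config/teams-for-linux
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-
 mkdir ${HOME}/.config/teams-for-linux
 whitelist ${HOME}/.config/teams-for-linux
-include whitelist-common.inc
-include whitelist-var-common.inc
-
-nou2f
-novideo
-shell none
 
-disable-mnt
 private-bin bash,cut,echo,egrep,grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh
-private-cache
-private-dev
 private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,resolv.conf,ssl
-private-tmp
 
 # Redirect
 include electron.profile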
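--- a/etc/profile-m-z/teams.profile
+++ b/etc/profile-m-z/teams.profile
@@ -4,8 +4,14 @@
 # Persistent local customizations
 include teams.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
+
+# Disabled until someone reported positive feedback
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore novideo
+ignore private-tmp
 
 # see #3404
 ignore apparmor
@@ -15,24 +21,10 @@ ignore dbus-system none
 noblacklist ${HOME}/.config/teams
 noblacklist ${HOME}/.config/Microsoft
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-
 mkdir ${HOME}/.config/teams
 mkdir ${HOME}/.config/Microsoft
 whitelist ${HOME}/.config/teams
 whitelist ${HOME}/.config/Microsoft
-include whitelist-common.inc
-include whitelist-var-common.inc
-
-nou2f
-shell none
-tracelog
-
-disable-mnt
-private-cache
-private-dev
 
 # Redirect
 include electron.profile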
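--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -25,5 +25,5 @@ seccomp
 
 disable-mnt
 private-cache
-private-etc alsa,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,os-release,pki,pulse,resolv.conf,ssl,xdg
 private-tmp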
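--- a/etc/profile-m-z/textmaker18.profile
+++ b/etc/profile-m-z/textmaker18.profile
@@ -7,5 +7,5 @@ include textmaker18.local
 include globals.local
 
 # Redirect
-include softmaker-common.inc
+include softmaker-common.profile
 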
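--- a/etc/profile-m-z/textmaker18free.profile
+++ b/etc/profile-m-z/textmaker18free.profile
@@ -7,5 +7,5 @@ include textmaker18free.local
 include globals.local
 
 # Redirect
-include softmaker-common.inc
+include softmaker-common.profile
 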
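--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -6,7 +6,7 @@ include thunderbird.local
 # Persistent global definitions
 include globals.local
 
-ignore whitelist-runuser-common.inc
+ignore include whitelist-runuser-common.inc
 
 # writable-run-user and dbus are needed by enigmail
 ignore dbus-user none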
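--- a/etc/profile-m-z/totem.profile
+++ b/etc/profile-m-z/totem.profile
@@ -30,7 +30,7 @@ whitelist ${HOME}/.config/totem
 whitelist ${HOME}/.local/share/totem
 whitelist /usr/share/totem
 include whitelist-common.inc
-include whitelist-players.inc
+include whitelist-player-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc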
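--- a/etc/profile-m-z/twitch.profile
+++ b/etc/profile-m-z/twitch.profile
@@ -6,31 +6,20 @@ include twitch.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore nou2f
+ignore novideo
+
 noblacklist ${HOME}/.config/Twitch
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-shell.inc
-include disable-xdg.inc
+include disable-shell.inc
 
 mkdir ${HOME}/.config/Twitch
 whitelist ${HOME}/.config/Twitch
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-seccomp !chroot
-shell none
 
-disable-mnt
 private-bin twitch
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt Twitch
-private-tmp
 
 # Redirect
 include electron.profile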
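Review bot: `seccomp !chroot` at old line 24 is removed without a replacement and without a mention in the new "Disabled until someone reported positive feedback" block at lines 9–12; if electron.profile applies an unqualified `seccomp`, the chroot syscall this profile deliberately left open is now filtered. That is the tighter outcome, but it is exactly the kind of untested change the feedback block exists to track, so either carry the chroot exemption over with a one-line reason (`# seccomp !chroot - needed by the twitch sandbox helper, TODO confirm`) or state in that block that it was dropped on purpose.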
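--- a/etc/profile-m-z/unrar.profile
+++ b/etc/profile-m-z/unrar.profile
@@ -7,40 +7,8 @@ include unrar.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-shell.inc
-
-caps.drop all
-hostname unrar
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-#nogroups
-nonewprivs
-#noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-x11 none
+include archiver-common.inc
 
 private-bin unrar
-private-dev
 private-etc alternatives,group,localtime,passwd
 private-tmp
-
-dbus-user none
-dbus-system none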
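--- a/etc/profile-m-z/unzip.profile
+++ b/etc/profile-m-z/unzip.profile
@@ -7,42 +7,9 @@ include unzip.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
-
 # GNOME Shell integration (chrome-gnome-shell)
 noblacklist ${HOME}/.local/share/gnome-shell
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-shell.inc
-
-caps.drop all
-hostname unzip
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-#nogroups
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-x11 none
+include archiver-common.inc
 
-private-bin unzip
-private-dev
 private-etc alternatives,group,localtime,passwd
-
-dbus-user none
-dbus-system none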
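Review bot: `private-bin unzip` at old line 43 is dropped along with `private-dev`, whereas the unrar section of this same commit keeps `private-bin unrar` at its new line 12 next to the same `include archiver-common.inc`; unless archiver-common.inc (not visible here) sets a private-bin of its own, unzip now runs with the host's full binary directories in view while unrar does not. If the removal was deliberate, for instance because unzip is launched through helpers that need other binaries, a comment next to new line 15 such as `# no private-bin: <reason>` would record it; otherwise restoring `private-bin unzip` keeps the two archiver profiles consistent.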
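--- a/etc/profile-m-z/vivaldi.profile
+++ b/etc/profile-m-z/vivaldi.profile
@@ -35,5 +35,7 @@ whitelist ${HOME}/.local/lib/vivaldi
 ignore dbus-user none
 ignore dbus-system none
 
+read-write ${HOME}/.local/lib/vivaldi
+
 # Redirect
 include chromium-common.profile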
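Review bot: `read-write ${HOME}/.local/lib/vivaldi` at new line 38 gives the sandboxed browser write access to a directory that, by its name and the whitelist shown in the hunk header, holds loadable libraries, and there is no comment on why; a writable library directory means anything the browser can be made to write there is code a later start may load, which undoes the benefit of whitelisting it read-only. If this is where Vivaldi stores a downloaded media library (presumably, but the diff does not say), a comment such as `# read-write - vivaldi writes its downloaded media library here (TODO confirm)` documents the trade-off and lets users who do not need it keep the directory read-only via vivaldi.local.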
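--- a/etc/profile-m-z/vlc.profile
+++ b/etc/profile-m-z/vlc.profile
@@ -27,7 +27,7 @@ whitelist ${HOME}/.config/vlc
 whitelist ${HOME}/.config/aacs
 whitelist ${HOME}/.local/share/vlc
 include whitelist-common.inc
-include whitelist-players.inc
+include whitelist-player-common.inc
 include whitelist-var-common.inc
 
 #apparmor - on Ubuntu 18.04 it refuses to start without dbus access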
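--- a/etc/profile-m-z/w3m.profile
+++ b/etc/profile-m-z/w3m.profile
@@ -7,6 +7,11 @@ include w3m.local
 # Persistent global definitions
 include globals.local
 
+# Uncomment or add to your w3m.local if you want to use w3m-img on a vconsole
+#ignore nogroups
+#ignore private-dev
+#ignore private-etc
+
 noblacklist ${HOME}/.w3m
 
 blacklist /tmp/.X11-unix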
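--- a/etc/profile-m-z/wget.profile
+++ b/etc/profile-m-z/wget.profile
@@ -12,7 +12,6 @@ noblacklist ${HOME}/.wget-hsts
 noblacklist ${HOME}/.wgetrc
 
 blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 include disable-common.inc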
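--- a/etc/profile-m-z/whalebird.profile
+++ b/etc/profile-m-z/whalebird.profile
@@ -4,36 +4,24 @@
 # Persistent local customizations
 include whalebird.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
+
+# Disabled until someone reported positive feedback
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
 
 ignore dbus-user none
 ignore dbus-system none
 
 noblacklist ${HOME}/.config/Whalebird
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-xdg.inc
-
 mkdir ${HOME}/.config/Whalebird
 whitelist ${HOME}/.config/Whalebird
-include whitelist-common.inc
-include whitelist-var-common.inc
 
 no3d
-nou2f
-novideo
-protocol unix,inet,inet6
-shell none
 
-disable-mnt
 private-bin whalebird
-private-cache
-private-dev
 private-etc fonts,machine-id
-private-tmp
 
 # Redirect
 include electron.profile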
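--- a/etc/profile-m-z/whois.profile
+++ b/etc/profile-m-z/whois.profile
@@ -8,7 +8,6 @@ include whois.local
 include globals.local
 
 blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 include disable-common.inc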
diff --git a/etc/profile-m-z/wine.profile b/etc/profile-m-z/wine.profile index 901340052..6ac74b9da 100644 --- a/etc/profile-m-z/wine.profile +++ b/etc/profile-m-z/wine.profile | |||
@@ -6,6 +6,7 @@ include wine.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.cache/winetricks | ||
9 | noblacklist ${HOME}/.Steam | 10 | noblacklist ${HOME}/.Steam |
10 | noblacklist ${HOME}/.local/share/Steam | 11 | noblacklist ${HOME}/.local/share/Steam |
11 | noblacklist ${HOME}/.local/share/steam | 12 | noblacklist ${HOME}/.local/share/steam |
@@ -19,6 +20,8 @@ include disable-interpreters.inc | |||
19 | include disable-passwdmgr.inc | 20 | include disable-passwdmgr.inc |
20 | include disable-programs.inc | 21 | include disable-programs.inc |
21 | 22 | ||
23 | # whitelist /usr/share/wine | ||
24 | # include whitelist-usr-share-common.inc | ||
22 | include whitelist-var-common.inc | 25 | include whitelist-var-common.inc |
23 | 26 | ||
24 | # some applications don't need allow-debuggers, comment the next line | 27 | # some applications don't need allow-debuggers, comment the next line |
diff --git a/etc/profile-m-z/wire-desktop.profile b/etc/profile-m-z/wire-desktop.profile index d265c6bae..151cd2adb 100644 --- a/etc/profile-m-z/wire-desktop.profile +++ b/etc/profile-m-z/wire-desktop.profile | |||
@@ -4,33 +4,29 @@ | |||
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include wire-desktop.local | 5 | include wire-desktop.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | # added by included profile | 7 | include globals.local |
8 | #include globals.local | ||
9 | 8 | ||
10 | # Debian/Ubuntu use /opt/Wire. As that is not in PATH by default, run `firejail /opt/Wire/wire-desktop` to start it. | 9 | # Debian/Ubuntu use /opt/Wire. As that is not in PATH by default, run `firejail /opt/Wire/wire-desktop` to start it. |
11 | 10 | ||
11 | # Disabled until someone reported positive feedback | ||
12 | ignore include disable-exec.inc | ||
13 | ignore include disable-xdg.inc | ||
14 | ignore include whitelist-runuser-common.inc | ||
15 | ignore include whitelist-usr-share-common.inc | ||
16 | ignore include whitelist-var-common.inc | ||
17 | ignore novideo | ||
18 | ignore private-cache | ||
19 | |||
12 | ignore dbus-user none | 20 | ignore dbus-user none |
13 | ignore dbus-system none | 21 | ignore dbus-system none |
14 | 22 | ||
15 | noblacklist ${HOME}/.config/Wire | 23 | noblacklist ${HOME}/.config/Wire |
16 | 24 | ||
17 | include disable-devel.inc | ||
18 | include disable-interpreters.inc | ||
19 | |||
20 | mkdir ${HOME}/.config/Wire | 25 | mkdir ${HOME}/.config/Wire |
21 | whitelist ${HOME}/.config/Wire | 26 | whitelist ${HOME}/.config/Wire |
22 | include whitelist-common.inc | ||
23 | |||
24 | nou2f | ||
25 | ignore seccomp | ||
26 | seccomp !chroot | ||
27 | shell none | ||
28 | 27 | ||
29 | disable-mnt | ||
30 | private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop | 28 | private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop |
31 | private-dev | ||
32 | private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl | 29 | private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl |
33 | private-tmp | ||
34 | 30 | ||
35 | # Redirect | 31 | # Redirect |
36 | include electron.profile | 32 | include electron.profile |
diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile index 6ff4a1103..78cb2862c 100644 --- a/etc/profile-m-z/xfce4-mixer.profile +++ b/etc/profile-m-z/xfce4-mixer.profile | |||
@@ -19,6 +19,7 @@ include disable-xdg.inc | |||
19 | 19 | ||
20 | mkfile ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml | 20 | mkfile ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml |
21 | whitelist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml | 21 | whitelist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml |
22 | whitelist /usr/share/gstreamer | ||
22 | whitelist /usr/share/xfce4 | 23 | whitelist /usr/share/xfce4 |
23 | whitelist /usr/share/xfce4-mixer | 24 | whitelist /usr/share/xfce4-mixer |
24 | include whitelist-common.inc | 25 | include whitelist-common.inc |
@@ -48,7 +49,9 @@ private-dev | |||
48 | private-etc alternatives,asound.conf,fonts,machine-id,pulse | 49 | private-etc alternatives,asound.conf,fonts,machine-id,pulse |
49 | private-tmp | 50 | private-tmp |
50 | 51 | ||
51 | # dbus-user none | 52 | dbus-user filter |
52 | # dbus-system none | 53 | dbus-user.own org.xfce.xfce4-mixer |
54 | dbus-user.talk org.xfce.Xfconf | ||
55 | dbus-system none | ||
53 | 56 | ||
54 | memory-deny-write-execute | 57 | # memory-deny-write-execute - breaks on Arch |
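Review bot: Commenting out `memory-deny-write-execute` at the end of the second hunk drops the W^X restriction for every distribution, while the comment attributes the breakage to Arch alone and gives no pointer for users elsewhere. The comment style used for conditional hardening in yelp.profile in this same commit fits better, e.g. `# memory-deny-write-execute - breaks on Arch, uncomment here or put it in your xfce4-mixer.local if it works for you`, so that the protection is recoverable rather than forgotten. The `# memory-deny-write-execute -- see #3790` line in xfce4-screenshooter.profile has the same effect; it at least records an issue, and the xfce4-mixer comment should cite its reason in the same way.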
diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile index b760b44dd..c9200304c 100644 --- a/etc/profile-m-z/xfce4-screenshooter.profile +++ b/etc/profile-m-z/xfce4-screenshooter.profile | |||
@@ -48,4 +48,4 @@ private-tmp | |||
48 | dbus-user none | 48 | dbus-user none |
49 | dbus-system none | 49 | dbus-system none |
50 | 50 | ||
51 | memory-deny-write-execute | 51 | # memory-deny-write-execute -- see #3790 |
diff --git a/etc/profile-m-z/xournalpp.profile b/etc/profile-m-z/xournalpp.profile index a52858870..988b878b9 100644 --- a/etc/profile-m-z/xournalpp.profile +++ b/etc/profile-m-z/xournalpp.profile | |||
@@ -18,7 +18,7 @@ include whitelist-runuser-common.inc | |||
18 | 18 | ||
19 | #mkdir ${HOME}/.xournalpp | 19 | #mkdir ${HOME}/.xournalpp |
20 | #whitelist ${HOME}/.xournalpp | 20 | #whitelist ${HOME}/.xournalpp |
21 | #whitelist ${HOME}/.texlive2019 | 21 | #whitelist ${HOME}/.texlive20* |
22 | #whitelist ${DOCUMENTS} | 22 | #whitelist ${DOCUMENTS} |
23 | #include whitelist-common.inc | 23 | #include whitelist-common.inc |
24 | 24 | ||
diff --git a/etc/profile-m-z/xplayer.profile b/etc/profile-m-z/xplayer.profile index d22d04818..f0290f461 100644 --- a/etc/profile-m-z/xplayer.profile +++ b/etc/profile-m-z/xplayer.profile | |||
@@ -25,7 +25,7 @@ mkdir ${HOME}/.local/share/xplayer | |||
25 | whitelist ${HOME}/.config/xplayer | 25 | whitelist ${HOME}/.config/xplayer |
26 | whitelist ${HOME}/.local/share/xplayer | 26 | whitelist ${HOME}/.local/share/xplayer |
27 | include whitelist-common.inc | 27 | include whitelist-common.inc |
28 | include whitelist-players.inc | 28 | include whitelist-player-common.inc |
29 | include whitelist-var-common.inc | 29 | include whitelist-var-common.inc |
30 | 30 | ||
31 | # apparmor - makes settings immutable | 31 | # apparmor - makes settings immutable |
diff --git a/etc/profile-m-z/xzdec.profile b/etc/profile-m-z/xzdec.profile index 542363b57..082392a08 100644 --- a/etc/profile-m-z/xzdec.profile +++ b/etc/profile-m-z/xzdec.profile | |||
@@ -7,35 +7,4 @@ include xzdec.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist ${RUNUSER}/wayland-* | 10 | include archiver-common.inc |
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | |||
19 | caps.drop all | ||
20 | ipc-namespace | ||
21 | machine-id | ||
22 | net none | ||
23 | no3d | ||
24 | nodvd | ||
25 | #nogroups | ||
26 | nonewprivs | ||
27 | #noroot | ||
28 | nosound | ||
29 | notv | ||
30 | nou2f | ||
31 | novideo | ||
32 | protocol unix | ||
33 | seccomp | ||
34 | shell none | ||
35 | tracelog | ||
36 | x11 none | ||
37 | |||
38 | private-dev | ||
39 | |||
40 | dbus-user none | ||
41 | dbus-system none | ||
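Review bot: Replacing the whole body with `include archiver-common.inc` hides the effective policy from this file: xzdec deliberately kept `nogroups` and `noroot` commented out and had no `apparmor`, `private-cache` or `memory-deny-write-execute`, so if the shared include enables any of these the behaviour of this profile changes without a trace here. zstd.profile receives the same change later in this commit and loses `hostname zstd`, which is program-specific and cannot come from a shared include, so it is silently dropped unless re-added below the include. Any intentional deviation from archiver-common.inc for a given archiver should be spelled out as an `ignore` line with a reason (e.g. `# noroot was never enabled for xzdec` followed by `ignore noroot`, if that is the intent), rather than being left to the reader to diff against the include.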
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile index e198af8b2..479582b2a 100644 --- a/etc/profile-m-z/yelp.profile +++ b/etc/profile-m-z/yelp.profile | |||
@@ -20,7 +20,9 @@ include disable-xdg.inc | |||
20 | mkdir ${HOME}/.config/yelp | 20 | mkdir ${HOME}/.config/yelp |
21 | whitelist ${HOME}/.config/yelp | 21 | whitelist ${HOME}/.config/yelp |
22 | whitelist /usr/share/doc | 22 | whitelist /usr/share/doc |
23 | whitelist /usr/share/groff | ||
23 | whitelist /usr/share/help | 24 | whitelist /usr/share/help |
25 | whitelist /usr/share/man | ||
24 | whitelist /usr/share/yelp | 26 | whitelist /usr/share/yelp |
25 | whitelist /usr/share/yelp-tools | 27 | whitelist /usr/share/yelp-tools |
26 | whitelist /usr/share/yelp-xsl | 28 | whitelist /usr/share/yelp-xsl |
@@ -31,11 +33,15 @@ include whitelist-var-common.inc | |||
31 | 33 | ||
32 | apparmor | 34 | apparmor |
33 | caps.drop all | 35 | caps.drop all |
36 | # machine-id breaks sound - uncomment here or put it in your yelp.local if you don't need it | ||
37 | #machine-id | ||
34 | net none | 38 | net none |
35 | nodvd | 39 | nodvd |
36 | nogroups | 40 | nogroups |
37 | nonewprivs | 41 | nonewprivs |
38 | noroot | 42 | noroot |
43 | # nosound - uncomment here or put it in your yelp.local if you don't need it | ||
44 | #nosound | ||
39 | notv | 45 | notv |
40 | nou2f | 46 | nou2f |
41 | novideo | 47 | novideo |
@@ -46,17 +52,25 @@ shell none | |||
46 | tracelog | 52 | tracelog |
47 | 53 | ||
48 | disable-mnt | 54 | disable-mnt |
49 | private-bin yelp | 55 | private-bin groff,man,tbl,troff,yelp |
50 | private-cache | 56 | private-cache |
51 | private-dev | 57 | private-dev |
52 | private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,gtk-3.0,machine-id,openal,os-release,pulse,sgml,xml | 58 | private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml |
53 | private-tmp | 59 | private-tmp |
54 | 60 | ||
61 | dbus-user filter | ||
62 | dbus-user.own org.gnome.Yelp | ||
63 | dbus-user.talk ca.desrt.dconf | ||
55 | dbus-system none | 64 | dbus-system none |
56 | 65 | ||
57 | # read-only ${HOME} breaks some not necesarry featrues, comment it if | 66 | # read-only ${HOME} breaks some features: |
58 | # you need them or put 'ignore read-only ${HOME}' into your yelp.local. | ||
59 | # broken features: | ||
60 | # 1. yelp --editor-mode | 67 | # 1. yelp --editor-mode |
61 | # 2. saving the window geometry | 68 | # 2. saving the window geometry |
69 | # comment the line below or put 'ignore read-only ${HOME}' into your yelp.local if you need these features | ||
62 | read-only ${HOME} | 70 | read-only ${HOME} |
71 | read-write ${HOME}/.cache | ||
72 | # 3. printing to PDF in ${DOCUMENTS} | ||
73 | # additionally uncomment the lines below or put 'noblacklist ${DOCUMENTS}' and | ||
74 | # 'whitelist ${DOCUMENTS}' into your yelp.local if you need printing to PDF support | ||
75 | #noblacklist ${DOCUMENTS} | ||
76 | #whitelist ${DOCUMENTS} | ||
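Review bot: The comment at new line 69, `comment the line below or put 'ignore read-only ${HOME}' into your yelp.local if you need these features`, now sits above two directives (`read-only ${HOME}` and the new `read-write ${HOME}/.cache`), so "the line below" is ambiguous; name the directive, e.g. `comment 'read-only ${HOME}' below or put ...`. The new `read-write ${HOME}/.cache` also interacts with `private-cache` at new line 56, which remains active and presumably replaces ~/.cache with a fresh tmpfs; a short comment stating why the carve-out is still needed in that configuration would spare the next maintainer the experiment (I cannot confirm the interaction from this hunk). The new `dbus-user filter` block is an improvement over the implied default, and the `org.gnome.Yelp` / `ca.desrt.dconf` pair is consistent with the dconf entry in private-etc.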
diff --git a/etc/profile-m-z/youtube-dl.profile b/etc/profile-m-z/youtube-dl.profile index d9dee6891..6ce632682 100644 --- a/etc/profile-m-z/youtube-dl.profile +++ b/etc/profile-m-z/youtube-dl.profile | |||
@@ -21,7 +21,6 @@ include allow-python2.inc | |||
21 | include allow-python3.inc | 21 | include allow-python3.inc |
22 | 22 | ||
23 | blacklist /tmp/.X11-unix | 23 | blacklist /tmp/.X11-unix |
24 | blacklist ${RUNUSER}/wayland-* | ||
25 | blacklist ${RUNUSER} | 24 | blacklist ${RUNUSER} |
26 | 25 | ||
27 | include disable-common.inc | 26 | include disable-common.inc |
diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile index 513cb0f6e..a3a2afa29 100644 --- a/etc/profile-m-z/youtube-viewer.profile +++ b/etc/profile-m-z/youtube-viewer.profile | |||
@@ -7,10 +7,6 @@ include youtube-viewer.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist /tmp/.X11-unix | ||
11 | blacklist ${RUNUSER}/wayland-* | ||
12 | blacklist ${RUNUSER} | ||
13 | |||
14 | noblacklist ${HOME}/.config/youtube-viewer | 10 | noblacklist ${HOME}/.config/youtube-viewer |
15 | 11 | ||
16 | include allow-perl.inc | 12 | include allow-perl.inc |
@@ -47,11 +43,11 @@ shell none | |||
47 | tracelog | 43 | tracelog |
48 | 44 | ||
49 | disable-mnt | 45 | disable-mnt |
50 | # private-bin ffmpeg,ffprobe,firefox,gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,mpv,python*,smplayer,sh,which,vlc,youtube-dl,youtube-viewer | 46 | private-bin ffmpeg,ffprobe,firefox,gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,mpv,python*,sh,smplayer,stty,vlc,which,youtube-dl,youtube-viewer |
51 | private-cache | 47 | private-cache |
52 | private-dev | 48 | private-dev |
53 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg | 49 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg |
54 | private-tmp | 50 | private-tmp |
55 | 51 | ||
56 | dbus-user none | 52 | dbus-user none |
57 | dbus-system none \ No newline at end of file | 53 | dbus-system none |
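Review bot: The first hunk removes `blacklist /tmp/.X11-unix` and `blacklist ${RUNUSER}` without a comment, which re-exposes the X11 socket and the whole user runtime directory to a program whose profile previously denied both; presumably this is for the gtk*-youtube-viewer front ends, but a one-line reason (`# gtk-youtube-viewer needs X11 and ${RUNUSER}`) would keep the loosening from being reverted as an oversight. If only part of ${RUNUSER} is needed, `include whitelist-runuser-common.inc`, used by other profiles in this commit, is the narrower replacement unless it is already present outside the hunk. The `private-bin` line enabled in the second hunk includes `sh`, `python*` and `firefox`, a considerably broader set than a media front end strictly needs; a comment on why each interpreter and the browser are required would document the trade-off.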
diff --git a/etc/profile-m-z/youtube.profile b/etc/profile-m-z/youtube.profile index a6c7750a9..ad7ceaee4 100644 --- a/etc/profile-m-z/youtube.profile +++ b/etc/profile-m-z/youtube.profile | |||
@@ -6,32 +6,19 @@ include youtube.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Disabled until someone reported positive feedback | ||
10 | ignore nou2f | ||
11 | |||
9 | noblacklist ${HOME}/.config/Youtube | 12 | noblacklist ${HOME}/.config/Youtube |
10 | 13 | ||
11 | include disable-devel.inc | 14 | include disable-shell.inc |
12 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | ||
14 | include disable-shell.inc | ||
15 | include disable-xdg.inc | ||
16 | 15 | ||
17 | mkdir ${HOME}/.config/Youtube | 16 | mkdir ${HOME}/.config/Youtube |
18 | whitelist ${HOME}/.config/Youtube | 17 | whitelist ${HOME}/.config/Youtube |
19 | include whitelist-common.inc | ||
20 | include whitelist-runuser-common.inc | ||
21 | include whitelist-usr-share-common.inc | ||
22 | include whitelist-var-common.inc | ||
23 | |||
24 | novideo | ||
25 | seccomp !chroot | ||
26 | shell none | ||
27 | 18 | ||
28 | disable-mnt | ||
29 | private-bin youtube | 19 | private-bin youtube |
30 | private-cache | ||
31 | private-dev | ||
32 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg | 20 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg |
33 | private-opt Youtube | 21 | private-opt Youtube |
34 | private-tmp | ||
35 | 22 | ||
36 | # Redirect | 23 | # Redirect |
37 | include electron.profile | 24 | include electron.profile |
diff --git a/etc/profile-m-z/youtubemusic-nativefier.profile b/etc/profile-m-z/youtubemusic-nativefier.profile index 3a94a5707..74b0e38b9 100644 --- a/etc/profile-m-z/youtubemusic-nativefier.profile +++ b/etc/profile-m-z/youtubemusic-nativefier.profile | |||
@@ -8,31 +8,14 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.config/youtubemusic-nativefier-040164 | 9 | noblacklist ${HOME}/.config/youtubemusic-nativefier-040164 |
10 | 10 | ||
11 | include disable-devel.inc | 11 | include disable-shell.inc |
12 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | ||
14 | include disable-shell.inc | ||
15 | include disable-xdg.inc | ||
16 | 12 | ||
17 | mkdir ${HOME}/.config/youtubemusic-nativefier-040164 | 13 | mkdir ${HOME}/.config/youtubemusic-nativefier-040164 |
18 | whitelist ${HOME}/.config/youtubemusic-nativefier-040164 | 14 | whitelist ${HOME}/.config/youtubemusic-nativefier-040164 |
19 | include whitelist-common.inc | ||
20 | include whitelist-runuser-common.inc | ||
21 | include whitelist-usr-share-common.inc | ||
22 | include whitelist-var-common.inc | ||
23 | 15 | ||
24 | nou2f | ||
25 | novideo | ||
26 | seccomp !chroot | ||
27 | shell none | ||
28 | |||
29 | disable-mnt | ||
30 | private-bin youtubemusic-nativefier | 16 | private-bin youtubemusic-nativefier |
31 | private-cache | ||
32 | private-dev | ||
33 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg | 17 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg |
34 | private-opt youtubemusic-nativefier | 18 | private-opt youtubemusic-nativefier |
35 | private-tmp | ||
36 | 19 | ||
37 | # Redirect | 20 | # Redirect |
38 | include electron.profile | 21 | include electron.profile |
diff --git a/etc/profile-m-z/ytmdesktop.profile b/etc/profile-m-z/ytmdesktop.profile index 5c37b838b..ab46fccc2 100644 --- a/etc/profile-m-z/ytmdesktop.profile +++ b/etc/profile-m-z/ytmdesktop.profile | |||
@@ -10,30 +10,12 @@ ignore dbus-user none | |||
10 | 10 | ||
11 | noblacklist ${HOME}/.config/youtube-music-desktop-app | 11 | noblacklist ${HOME}/.config/youtube-music-desktop-app |
12 | 12 | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-xdg.inc | ||
17 | |||
18 | mkdir ${HOME}/.config/youtube-music-desktop-app | 13 | mkdir ${HOME}/.config/youtube-music-desktop-app |
19 | whitelist ${HOME}/.config/youtube-music-desktop-app | 14 | whitelist ${HOME}/.config/youtube-music-desktop-app |
20 | include whitelist-common.inc | ||
21 | include whitelist-runuser-common.inc | ||
22 | include whitelist-usr-share-common.inc | ||
23 | include whitelist-var-common.inc | ||
24 | |||
25 | nou2f | ||
26 | novideo | ||
27 | seccomp !chroot | ||
28 | shell none | ||
29 | 15 | ||
30 | disable-mnt | ||
31 | # private-bin env,ytmdesktop | 16 | # private-bin env,ytmdesktop |
32 | private-cache | ||
33 | private-dev | ||
34 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg | 17 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg |
35 | # private-opt | 18 | # private-opt |
36 | private-tmp | ||
37 | 19 | ||
38 | # Redirect | 20 | # Redirect |
39 | include electron.profile | 21 | include electron.profile |
diff --git a/etc/profile-m-z/zathura.profile b/etc/profile-m-z/zathura.profile index 5274e5b42..86615341f 100644 --- a/etc/profile-m-z/zathura.profile +++ b/etc/profile-m-z/zathura.profile | |||
@@ -28,7 +28,6 @@ include whitelist-var-common.inc | |||
28 | 28 | ||
29 | apparmor | 29 | apparmor |
30 | caps.drop all | 30 | caps.drop all |
31 | ipc-namespace | ||
32 | machine-id | 31 | machine-id |
33 | net none | 32 | net none |
34 | nodvd | 33 | nodvd |
diff --git a/etc/profile-m-z/zoom.profile b/etc/profile-m-z/zoom.profile index f175e5e21..e8cd64c93 100644 --- a/etc/profile-m-z/zoom.profile +++ b/etc/profile-m-z/zoom.profile | |||
@@ -6,16 +6,20 @@ include zoom.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Disabled until someone reported positive feedback | ||
10 | ignore apparmor | ||
11 | ignore novideo | ||
12 | ignore dbus-user none | ||
13 | ignore dbus-system none | ||
14 | |||
15 | # nogroups breaks webcam access on non-systemd systems (see #3711). | ||
16 | # If you use such a system uncomment the line below or put 'ignore nogroups' in your zoom.local | ||
17 | #ignore nogroups | ||
18 | |||
9 | noblacklist ${HOME}/.config/zoomus.conf | 19 | noblacklist ${HOME}/.config/zoomus.conf |
10 | noblacklist ${HOME}/.zoom | 20 | noblacklist ${HOME}/.zoom |
11 | 21 | ||
12 | include disable-common.inc | 22 | nowhitelist ${DOWNLOADS} |
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | include disable-xdg.inc | ||
19 | 23 | ||
20 | mkdir ${HOME}/.cache/zoom | 24 | mkdir ${HOME}/.cache/zoom |
21 | mkfile ${HOME}/.config/zoomus.conf | 25 | mkfile ${HOME}/.config/zoomus.conf |
@@ -23,27 +27,9 @@ mkdir ${HOME}/.zoom | |||
23 | whitelist ${HOME}/.cache/zoom | 27 | whitelist ${HOME}/.cache/zoom |
24 | whitelist ${HOME}/.config/zoomus.conf | 28 | whitelist ${HOME}/.config/zoomus.conf |
25 | whitelist ${HOME}/.zoom | 29 | whitelist ${HOME}/.zoom |
26 | include whitelist-common.inc | ||
27 | include whitelist-runuser-common.inc | ||
28 | include whitelist-usr-share-common.inc | ||
29 | include whitelist-var-common.inc | ||
30 | 30 | ||
31 | caps.drop all | ||
32 | netfilter | ||
33 | nodvd | ||
34 | #nogroups - breaks webcam access (see #3711) | ||
35 | nonewprivs | ||
36 | noroot | ||
37 | notv | ||
38 | nou2f | ||
39 | protocol unix,inet,inet6,netlink | ||
40 | seccomp !chroot | ||
41 | shell none | ||
42 | tracelog | ||
43 | |||
44 | disable-mnt | ||
45 | private-cache | ||
46 | private-dev | ||
47 | # Disable for now, see https://github.com/netblue30/firejail/issues/3726 | 31 | # Disable for now, see https://github.com/netblue30/firejail/issues/3726 |
48 | #private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl | 32 | #private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl |
49 | private-tmp | 33 | |
34 | # Redirect | ||
35 | include electron.profile | ||
diff --git a/etc/profile-m-z/zstd.profile b/etc/profile-m-z/zstd.profile index be27c10e1..42749ba6d 100644 --- a/etc/profile-m-z/zstd.profile +++ b/etc/profile-m-z/zstd.profile | |||
@@ -7,37 +7,4 @@ include zstd.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist ${RUNUSER}/wayland-* | 10 | include archiver-common.inc |
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | |||
19 | apparmor | ||
20 | caps.drop all | ||
21 | hostname zstd | ||
22 | ipc-namespace | ||
23 | machine-id | ||
24 | net none | ||
25 | no3d | ||
26 | nodvd | ||
27 | nogroups | ||
28 | nonewprivs | ||
29 | #noroot | ||
30 | nosound | ||
31 | notv | ||
32 | nou2f | ||
33 | novideo | ||
34 | protocol unix | ||
35 | seccomp | ||
36 | shell none | ||
37 | tracelog | ||
38 | x11 none | ||
39 | |||
40 | private-cache | ||
41 | private-dev | ||
42 | |||
43 | memory-deny-write-execute | ||
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index b0a223911..23b1e364a 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -34,6 +34,7 @@ abiword | |||
34 | abrowser | 34 | abrowser |
35 | akonadi_control | 35 | akonadi_control |
36 | akregator | 36 | akregator |
37 | alacarte | ||
37 | amarok | 38 | amarok |
38 | amule | 39 | amule |
39 | amuled | 40 | amuled |
@@ -63,6 +64,7 @@ audacious | |||
63 | audacity | 64 | audacity |
64 | audio-recorder | 65 | audio-recorder |
65 | authenticator | 66 | authenticator |
67 | authenticator-rs | ||
66 | autokey-gtk | 68 | autokey-gtk |
67 | autokey-qt | 69 | autokey-qt |
68 | autokey-run | 70 | autokey-run |
@@ -139,6 +141,7 @@ cmus | |||
139 | code | 141 | code |
140 | code-oss | 142 | code-oss |
141 | cola | 143 | cola |
144 | com.github.bleakgrey.tootle | ||
142 | com.github.dahenson.agenda | 145 | com.github.dahenson.agenda |
143 | com.github.johnfactotum.Foliate | 146 | com.github.johnfactotum.Foliate |
144 | com.gitlab.newsflash | 147 | com.gitlab.newsflash |
@@ -173,11 +176,13 @@ dnox | |||
173 | dnscrypt-proxy | 176 | dnscrypt-proxy |
174 | dnsmasq | 177 | dnsmasq |
175 | dolphin | 178 | dolphin |
179 | dolphin-emu | ||
176 | dooble | 180 | dooble |
177 | dooble-qt4 | 181 | dooble-qt4 |
178 | dosbox | 182 | dosbox |
179 | dragon | 183 | dragon |
180 | drawio | 184 | drawio |
185 | drill | ||
181 | dropbox | 186 | dropbox |
182 | d-feet | 187 | d-feet |
183 | easystroke | 188 | easystroke |
@@ -197,14 +202,14 @@ enpass | |||
197 | eog | 202 | eog |
198 | eom | 203 | eom |
199 | ephemeral | 204 | ephemeral |
200 | #epiphany | 205 | #epiphany - see #2995 |
201 | equalx | 206 | equalx |
202 | et | 207 | et |
203 | etr | 208 | etr |
204 | evince | 209 | evince |
205 | evince-previewer | 210 | evince-previewer |
206 | evince-thumbnailer | 211 | evince-thumbnailer |
207 | evolution | 212 | #evolution - see #3647 |
208 | exfalso | 213 | exfalso |
209 | exiftool | 214 | exiftool |
210 | falkon | 215 | falkon |
@@ -212,7 +217,7 @@ fbreader | |||
212 | feedreader | 217 | feedreader |
213 | feh | 218 | feh |
214 | ferdi | 219 | ferdi |
215 | ffmpeg | 220 | #ffmpeg |
216 | ffmpegthumbnailer | 221 | ffmpegthumbnailer |
217 | ffplay | 222 | ffplay |
218 | ffprobe | 223 | ffprobe |
@@ -334,6 +339,7 @@ gradio | |||
334 | gramps | 339 | gramps |
335 | gravity-beams-and-evaporating-stars | 340 | gravity-beams-and-evaporating-stars |
336 | gthumb | 341 | gthumb |
342 | gtk-straw-viewer | ||
337 | gtk-youtube-viewer | 343 | gtk-youtube-viewer |
338 | gtk2-youtube-viewer | 344 | gtk2-youtube-viewer |
339 | gtk3-youtube-viewer | 345 | gtk3-youtube-viewer |
@@ -417,6 +423,7 @@ kwrite | |||
417 | leafpad | 423 | leafpad |
418 | # less - breaks man | 424 | # less - breaks man |
419 | libreoffice | 425 | libreoffice |
426 | librewolf | ||
420 | liferea | 427 | liferea |
421 | lightsoff | 428 | lightsoff |
422 | lincity-ng | 429 | lincity-ng |
@@ -456,6 +463,7 @@ mate-calculator | |||
456 | mate-color-select | 463 | mate-color-select |
457 | mate-dictionary | 464 | mate-dictionary |
458 | mathematica | 465 | mathematica |
466 | matrix-mirage | ||
459 | mattermost-desktop | 467 | mattermost-desktop |
460 | mcabber | 468 | mcabber |
461 | mediainfo | 469 | mediainfo |
@@ -467,6 +475,8 @@ mencoder | |||
467 | mendeleydesktop | 475 | mendeleydesktop |
468 | menulibre | 476 | menulibre |
469 | meteo-qt | 477 | meteo-qt |
478 | microsoft-edge | ||
479 | microsoft-edge-dev | ||
470 | midori | 480 | midori |
471 | min | 481 | min |
472 | mindless | 482 | mindless |
@@ -578,6 +588,7 @@ pdfsam | |||
578 | pdftotext | 588 | pdftotext |
579 | peek | 589 | peek |
580 | penguin-command | 590 | penguin-command |
591 | photoflare | ||
581 | picard | 592 | picard |
582 | pidgin | 593 | pidgin |
583 | #ping - disabled until we fix #1912 | 594 | #ping - disabled until we fix #1912 |
@@ -682,6 +693,7 @@ steam-native | |||
682 | steam-runtime | 693 | steam-runtime |
683 | stellarium | 694 | stellarium |
684 | strawberry | 695 | strawberry |
696 | straw-viewer | ||
685 | strings | 697 | strings |
686 | studio.sh | 698 | studio.sh |
687 | subdownloader | 699 | subdownloader |
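Review bot: `#ffmpeg` at new line 220 is disabled without a reason, while the neighbouring entries disabled in this same commit record one (`#epiphany - see #2995`, `#evolution - see #3647`); add it in the same form, e.g. `#ffmpeg - see #<issue>`. Without it the next cleanup pass cannot tell whether the entry may be re-enabled, and firecfg users silently lose sandboxing for ffmpeg with nothing to look up.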
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 6c0ebcd43..80987e494 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -372,7 +372,7 @@ char *guess_shell(void); | |||
372 | // sandbox.c | 372 | // sandbox.c |
373 | #define SANDBOX_DONE '1' | 373 | #define SANDBOX_DONE '1' |
374 | int sandbox(void* sandbox_arg); | 374 | int sandbox(void* sandbox_arg); |
375 | void start_application(int no_sandbox, char *set_sandbox_status) __attribute__((noreturn)); | 375 | void start_application(int no_sandbox, int fd, char *set_sandbox_status) __attribute__((noreturn)); |
376 | void set_apparmor(void); | 376 | void set_apparmor(void); |
377 | 377 | ||
378 | // network_main.c | 378 | // network_main.c |
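Review bot: The new `int fd` parameter of `start_application()` has no documented purpose; the header says nothing about it, and its position between `no_sandbox` and `set_sandbox_status` does not make the meaning obvious. A one-line comment above the prototype stating what the descriptor refers to and who closes it — e.g. `// fd: <describe the descriptor>, closed by start_application before exec` if that is what sandbox.c does — would save readers a trip into sandbox.c; I cannot confirm the semantics from this hunk.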
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 76ec102c3..0d4e496e8 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -162,6 +162,13 @@ static void disable_file(OPERATION op, const char *filename) { | |||
162 | } | 162 | } |
163 | else if (op == MOUNT_TMPFS) { | 163 | else if (op == MOUNT_TMPFS) { |
164 | if (S_ISDIR(s.st_mode)) { | 164 | if (S_ISDIR(s.st_mode)) { |
165 | if (getuid()) { | ||
166 | if (strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 || | ||
167 | fname[strlen(cfg.homedir)] != '/') { | ||
168 | fprintf(stderr, "Error: tmpfs outside $HOME is only available for root\n"); | ||
169 | exit(1); | ||
170 | } | ||
171 | } | ||
165 | fs_tmpfs(fname, getuid()); | 172 | fs_tmpfs(fname, getuid()); |
166 | last_disable = SUCCESSFUL; | 173 | last_disable = SUCCESSFUL; |
167 | } | 174 | } |
@@ -366,14 +373,6 @@ void fs_blacklist(void) { | |||
366 | else if (strncmp(entry->data, "tmpfs ", 6) == 0) { | 373 | else if (strncmp(entry->data, "tmpfs ", 6) == 0) { |
367 | ptr = entry->data + 6; | 374 | ptr = entry->data + 6; |
368 | op = MOUNT_TMPFS; | 375 | op = MOUNT_TMPFS; |
369 | char *resolved_path = realpath(ptr, NULL); | ||
370 | if (!resolved_path || strncmp(cfg.homedir, resolved_path, strlen(cfg.homedir)) != 0) { | ||
371 | if (getuid() != 0) { | ||
372 | fprintf(stderr, "Error: tmpfs outside $HOME is only available for root\n"); | ||
373 | exit(1); | ||
374 | } | ||
375 | } | ||
376 | free(resolved_path); | ||
377 | } | 376 | } |
378 | else if (strncmp(entry->data, "mkdir ", 6) == 0) { | 377 | else if (strncmp(entry->data, "mkdir ", 6) == 0) { |
379 | EUID_USER(); | 378 | EUID_USER(); |
@@ -1262,28 +1261,3 @@ void fs_private_tmp(void) { | |||
1262 | } | 1261 | } |
1263 | closedir(dir); | 1262 | closedir(dir); |
1264 | } | 1263 | } |
1265 | |||
1266 | // this function is called from sandbox.c before blacklist/whitelist functions | ||
1267 | void fs_private_cache(void) { | ||
1268 | char *cache; | ||
1269 | if (asprintf(&cache, "%s/.cache", cfg.homedir) == -1) | ||
1270 | errExit("asprintf"); | ||
1271 | // check if ~/.cache is a valid destination | ||
1272 | struct stat s; | ||
1273 | if (lstat(cache, &s) == -1) { | ||
1274 | fwarning("skipping private-cache: cannot find %s\n", cache); | ||
1275 | free(cache); | ||
1276 | return; | ||
1277 | } | ||
1278 | if (!S_ISDIR(s.st_mode)) { | ||
1279 | if (S_ISLNK(s.st_mode)) | ||
1280 | fwarning("skipping private-cache: %s is a symbolic link\n", cache); | ||
1281 | else | ||
1282 | fwarning("skipping private-cache: %s is not a directory\n", cache); | ||
1283 | free(cache); | ||
1284 | return; | ||
1285 | } | ||
1286 | // do the mount | ||
1287 | fs_tmpfs(cache, getuid()); // check ownership of ~/.cache | ||
1288 | free(cache); | ||
1289 | } | ||
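Review bot: The new $HOME check in `disable_file()` (first hunk, new lines 165-171) is only as strong as `fname`: the check this commit removes from `fs_blacklist()` ran `realpath()` on the profile path before comparing, whereas here the prefix comparison is made against `fname`, whose origin lies before the hunk (the function starts outside it); if `fname` is not the canonicalised path, a symlink inside $HOME pointing elsewhere would pass the prefix test, so pin the assumption with a comment such as `// fname must already be realpath()-resolved for this prefix test to hold`. The added `fname[strlen(cfg.homedir)] != '/'` condition is a genuine improvement over the removed code, which accepted any path that merely started with the home string (a sibling directory whose name extends it), and that is worth stating in the same comment. Note that a `tmpfs` on $HOME itself now fails the test too and reports "outside $HOME", which is misleading if that case is rejected on purpose; confirm whether it is intended and, if so, give it its own message. The `fs_private_cache()` removal in the third hunk is a pure deletion and needs no change.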
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index af891d61f..8c7c19203 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -360,43 +360,38 @@ void fs_private(void) { | |||
360 | selinux_relabel_path("/root", "/root"); | 360 | selinux_relabel_path("/root", "/root"); |
361 | fs_logger("tmpfs /root"); | 361 | fs_logger("tmpfs /root"); |
362 | 362 | ||
363 | if (arg_allusers) { | 363 | // mask /home |
364 | if (u != 0) | 364 | if (!arg_allusers) { |
365 | // mask user home directory | ||
366 | // the directory should be owned by the current user | ||
367 | fs_tmpfs(homedir, 1); | ||
368 | } | ||
369 | else { // mask /home | ||
370 | if (arg_debug) | 365 | if (arg_debug) |
371 | printf("Mounting a new /home directory\n"); | 366 | printf("Mounting a new /home directory\n"); |
372 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=755,gid=0") < 0) | 367 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=755,gid=0") < 0) |
373 | errExit("mounting /home directory"); | 368 | errExit("mounting /home directory"); |
374 | selinux_relabel_path("/home", "/home"); | 369 | selinux_relabel_path("/home", "/home"); |
375 | fs_logger("tmpfs /home"); | 370 | fs_logger("tmpfs /home"); |
371 | } | ||
376 | 372 | ||
377 | if (u != 0) { | 373 | if (u != 0) { |
378 | if (strncmp(homedir, "/home/", 6) == 0) { | 374 | if (!arg_allusers && strncmp(homedir, "/home/", 6) == 0) { |
379 | // create /home/user | 375 | // create new empty /home/user directory |
380 | if (arg_debug) | 376 | if (arg_debug) |
381 | printf("Create a new user directory\n"); | 377 | printf("Create a new user directory\n"); |
382 | if (mkdir(homedir, S_IRWXU) == -1) { | 378 | if (mkdir(homedir, S_IRWXU) == -1) { |
383 | if (mkpath_as_root(homedir) == -1) | 379 | if (mkpath_as_root(homedir) == -1) |
384 | errExit("mkpath"); | 380 | errExit("mkpath"); |
385 | if (mkdir(homedir, S_IRWXU) == -1 && errno != EEXIST) | 381 | if (mkdir(homedir, S_IRWXU) == -1) |
386 | errExit("mkdir"); | 382 | errExit("mkdir"); |
387 | } | ||
388 | if (chown(homedir, u, g) < 0) | ||
389 | errExit("chown"); | ||
390 | |||
391 | selinux_relabel_path(homedir, homedir); | ||
392 | fs_logger2("mkdir", homedir); | ||
393 | fs_logger2("tmpfs", homedir); | ||
394 | } | 383 | } |
395 | else | 384 | if (chown(homedir, u, g) < 0) |
396 | // mask user home directory | 385 | errExit("chown"); |
397 | // the directory should be owned by the current user | 386 | |
398 | fs_tmpfs(homedir, 1); | 387 | selinux_relabel_path(homedir, homedir); |
388 | fs_logger2("mkdir", homedir); | ||
389 | fs_logger2("tmpfs", homedir); | ||
399 | } | 390 | } |
391 | else | ||
392 | // mask user home directory | ||
393 | // the directory should be owned by the current user | ||
394 | fs_tmpfs(homedir, 1); | ||
400 | } | 395 | } |
401 | 396 | ||
402 | skel(homedir, u, g); | 397 | skel(homedir, u, g); |
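Review bot: The retry `if (mkdir(homedir, S_IRWXU) == -1) errExit("mkdir");` at new line 381 no longer tolerates EEXIST; if mkpath_as_root() also creates the final path component, the second mkdir() fails and the sandbox aborts where it previously continued. Either keep `&& errno != EEXIST` on that line or add a comment stating that mkpath_as_root() creates only the parent directories, whichever the helper actually guarantees (it is not visible in this hunk). The directory is created inside the tmpfs this process mounted on /home a few lines earlier, which is presumably why a path-based chown()/selinux_relabel_path() is acceptable here; a one-line comment such as `// homedir lives in the /home tmpfs mounted above, nothing else can have planted a symlink in it` would record that reasoning. fs_private() continues outside the hunk.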
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c index 64444bba2..5cfd33b42 100644 --- a/src/firejail/fs_lib.c +++ b/src/firejail/fs_lib.c | |||
@@ -378,6 +378,9 @@ void fs_private_lib(void) { | |||
378 | // bring in firejail executable libraries in case we are redirected here by a firejail symlink from /usr/local/bin/firejail | 378 | // bring in firejail executable libraries in case we are redirected here by a firejail symlink from /usr/local/bin/firejail |
379 | fslib_install_list("/usr/bin/firejail,firejail"); // todo: use the installed path for the executable | 379 | fslib_install_list("/usr/bin/firejail,firejail"); // todo: use the installed path for the executable |
380 | 380 | ||
381 | // install libraries needed by fcopy | ||
382 | fslib_install_list(PATH_FCOPY); | ||
383 | |||
381 | fmessage("Installed %d %s and %d %s\n", lib_cnt, (lib_cnt == 1)? "library": "libraries", | 384 | fmessage("Installed %d %s and %d %s\n", lib_cnt, (lib_cnt == 1)? "library": "libraries", |
382 | dir_cnt, (dir_cnt == 1)? "directory": "directories"); | 385 | dir_cnt, (dir_cnt == 1)? "directory": "directories"); |
383 | 386 | ||
diff --git a/src/firejail/join.c b/src/firejail/join.c index ca8b8c4bf..d2f802add 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -20,10 +20,14 @@ | |||
20 | #include "firejail.h" | 20 | #include "firejail.h" |
21 | #include <sys/stat.h> | 21 | #include <sys/stat.h> |
22 | #include <sys/wait.h> | 22 | #include <sys/wait.h> |
23 | #include <fcntl.h> | ||
24 | #include <unistd.h> | 23 | #include <unistd.h> |
25 | #include <errno.h> | 24 | #include <errno.h> |
26 | 25 | ||
26 | #include <fcntl.h> | ||
27 | #ifndef O_PATH | ||
28 | #define O_PATH 010000000 | ||
29 | #endif | ||
30 | |||
27 | #include <sys/prctl.h> | 31 | #include <sys/prctl.h> |
28 | #ifndef PR_SET_NO_NEW_PRIVS | 32 | #ifndef PR_SET_NO_NEW_PRIVS |
29 | #define PR_SET_NO_NEW_PRIVS 38 | 33 | #define PR_SET_NO_NEW_PRIVS 38 |
@@ -299,6 +303,21 @@ static void extract_umask(pid_t pid) { | |||
299 | fclose(fp); | 303 | fclose(fp); |
300 | } | 304 | } |
301 | 305 | ||
306 | static int open_shell(void) { | ||
307 | EUID_ASSERT(); | ||
308 | assert(cfg.shell); | ||
309 | |||
310 | if (arg_debug) | ||
311 | printf("Opening shell %s\n", cfg.shell); | ||
312 | // file descriptor will leak if not opened with O_CLOEXEC !! | ||
313 | int fd = open(cfg.shell, O_PATH|O_CLOEXEC); | ||
314 | if (fd == -1) { | ||
315 | fprintf(stderr, "Error: cannot open shell %s\n", cfg.shell); | ||
316 | exit(1); | ||
317 | } | ||
318 | return fd; | ||
319 | } | ||
320 | |||
302 | // return false if the sandbox identified by pid is not fully set up yet or if | 321 | // return false if the sandbox identified by pid is not fully set up yet or if |
303 | // it is no firejail sandbox at all, return true if the sandbox is complete | 322 | // it is no firejail sandbox at all, return true if the sandbox is complete |
304 | bool is_ready_for_join(const pid_t pid) { | 323 | bool is_ready_for_join(const pid_t pid) { |
@@ -391,6 +410,10 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
391 | 410 | ||
392 | extract_x11_display(parent); | 411 | extract_x11_display(parent); |
393 | 412 | ||
413 | int shfd = -1; | ||
414 | if (!arg_shell_none) | ||
415 | shfd = open_shell(); | ||
416 | |||
394 | EUID_ROOT(); | 417 | EUID_ROOT(); |
395 | // in user mode set caps seccomp, cpu, cgroup, etc | 418 | // in user mode set caps seccomp, cpu, cgroup, etc |
396 | if (getuid() != 0) { | 419 | if (getuid() != 0) { |
@@ -522,10 +545,9 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
522 | extract_command(argc, argv, index); | 545 | extract_command(argc, argv, index); |
523 | if (cfg.command_line == NULL) { | 546 | if (cfg.command_line == NULL) { |
524 | assert(cfg.shell); | 547 | assert(cfg.shell); |
525 | cfg.command_line = cfg.shell; | ||
526 | cfg.window_title = cfg.shell; | 548 | cfg.window_title = cfg.shell; |
527 | } | 549 | } |
528 | if (arg_debug) | 550 | else if (arg_debug) |
529 | printf("Extracted command #%s#\n", cfg.command_line); | 551 | printf("Extracted command #%s#\n", cfg.command_line); |
530 | 552 | ||
531 | // set cpu affinity | 553 | // set cpu affinity |
@@ -554,11 +576,13 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
554 | dbus_set_system_bus_env(); | 576 | dbus_set_system_bus_env(); |
555 | #endif | 577 | #endif |
556 | 578 | ||
557 | start_application(0, NULL); | 579 | start_application(0, shfd, NULL); |
558 | 580 | ||
559 | __builtin_unreachable(); | 581 | __builtin_unreachable(); |
560 | } | 582 | } |
561 | EUID_USER(); | 583 | EUID_USER(); |
584 | if (shfd != -1) | ||
585 | close(shfd); | ||
562 | 586 | ||
563 | int status = 0; | 587 | int status = 0; |
564 | //***************************** | 588 | //***************************** |
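Review bot: open_shell() (new lines 306–319) hands start_application() an O_PATH|O_CLOEXEC descriptor for fexecve(), which cannot run an interpreter script: the kernel passes the script to its interpreter as /dev/fd/N, and that descriptor is already closed by O_CLOEXEC, so the exec fails with ENOENT. Since cfg.shell comes from $SHELL via guess_shell(), a user whose shell is a script sees only the generic "Cannot start application" failure; a comment on the open(), e.g. `// O_PATH+O_CLOEXEC: fexecve() works for ELF shells only, a script shell fails with ENOENT`, and a matching hint in the error message would make this debuggable. The `#ifndef O_PATH` fallback at lines 27–29 is now the third copy of the same define (pulseaudio.c and util.c carry it too); it belongs in firejail.h. join() continues outside the hunks.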
diff --git a/src/firejail/ls.c b/src/firejail/ls.c index 1a65c9ff0..e61edf427 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c | |||
@@ -26,6 +26,7 @@ | |||
26 | #include <dirent.h> | 26 | #include <dirent.h> |
27 | #include <pwd.h> | 27 | #include <pwd.h> |
28 | #include <grp.h> | 28 | #include <grp.h> |
29 | #include <fcntl.h> | ||
29 | //#include <dirent.h> | 30 | //#include <dirent.h> |
30 | //#include <stdio.h> | 31 | //#include <stdio.h> |
31 | //#include <stdlib.h> | 32 | //#include <stdlib.h> |
@@ -293,6 +294,41 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | |||
293 | printf("file2 %s\n", fname2 ? fname2 : "(null)"); | 294 | printf("file2 %s\n", fname2 ? fname2 : "(null)"); |
294 | } | 295 | } |
295 | 296 | ||
297 | // get file from sandbox and store it in the current directory | ||
298 | // implemented using --cat | ||
299 | if (op == SANDBOX_FS_GET) { | ||
300 | char *dest_fname = strrchr(fname1, '/'); | ||
301 | if (!dest_fname || *(++dest_fname) == '\0') { | ||
302 | fprintf(stderr, "Error: invalid file name %s\n", fname1); | ||
303 | exit(1); | ||
304 | } | ||
305 | // create destination file if necessary | ||
306 | EUID_ASSERT(); | ||
307 | int fd = open(dest_fname, O_WRONLY|O_CREAT|O_CLOEXEC, S_IRUSR | S_IWRITE); | ||
308 | if (fd == -1) { | ||
309 | fprintf(stderr, "Error: cannot open %s for writing\n", dest_fname); | ||
310 | exit(1); | ||
311 | } | ||
312 | struct stat s; | ||
313 | if (fstat(fd, &s) == -1) | ||
314 | errExit("fstat"); | ||
315 | if (!S_ISREG(s.st_mode)) { | ||
316 | fprintf(stderr, "Error: %s is no regular file\n", dest_fname); | ||
317 | exit(1); | ||
318 | } | ||
319 | if (ftruncate(fd, 0) == -1) | ||
320 | errExit("ftruncate"); | ||
321 | // go quiet - messages on stdout will corrupt the file | ||
322 | arg_debug = 0; | ||
323 | arg_quiet = 1; | ||
324 | // redirection | ||
325 | if (dup2(fd, STDOUT_FILENO) == -1) | ||
326 | errExit("dup2"); | ||
327 | assert(fd != STDOUT_FILENO); | ||
328 | close(fd); | ||
329 | op = SANDBOX_FS_CAT; | ||
330 | } | ||
331 | |||
296 | // sandbox root directory | 332 | // sandbox root directory |
297 | char *rootdir; | 333 | char *rootdir; |
298 | if (asprintf(&rootdir, "/proc/%d/root", pid) == -1) | 334 | if (asprintf(&rootdir, "/proc/%d/root", pid) == -1) |
@@ -317,92 +353,6 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | |||
317 | __gcov_flush(); | 353 | __gcov_flush(); |
318 | #endif | 354 | #endif |
319 | } | 355 | } |
320 | |||
321 | // get file from sandbox and store it in the current directory | ||
322 | else if (op == SANDBOX_FS_GET) { | ||
323 | char *src_fname =fname1; | ||
324 | char *dest_fname = strrchr(fname1, '/'); | ||
325 | if (!dest_fname || *(++dest_fname) == '\0') { | ||
326 | fprintf(stderr, "Error: invalid file name %s\n", fname1); | ||
327 | exit(1); | ||
328 | } | ||
329 | |||
330 | EUID_ROOT(); | ||
331 | if (arg_debug) | ||
332 | printf("copy %s to %s\n", src_fname, dest_fname); | ||
333 | |||
334 | // create a user-owned temporary file in /run/firejail directory | ||
335 | char tmp_fname[] = "/run/firejail/tmpget-XXXXXX"; | ||
336 | int fd = mkstemp(tmp_fname); | ||
337 | if (fd == -1) { | ||
338 | fprintf(stderr, "Error: cannot create temporary file %s\n", tmp_fname); | ||
339 | exit(1); | ||
340 | } | ||
341 | SET_PERMS_FD(fd, getuid(), getgid(), 0600); | ||
342 | close(fd); | ||
343 | |||
344 | // copy the source file into the temporary file - we need to chroot | ||
345 | pid_t child = fork(); | ||
346 | if (child < 0) | ||
347 | errExit("fork"); | ||
348 | if (child == 0) { | ||
349 | // chroot | ||
350 | if (chroot(rootdir) < 0) | ||
351 | errExit("chroot"); | ||
352 | if (chdir("/") < 0) | ||
353 | errExit("chdir"); | ||
354 | |||
355 | // drop privileges | ||
356 | drop_privs(0); | ||
357 | |||
358 | // copy the file | ||
359 | if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user | ||
360 | _exit(1); | ||
361 | #ifdef HAVE_GCOV | ||
362 | __gcov_flush(); | ||
363 | #endif | ||
364 | _exit(0); | ||
365 | } | ||
366 | |||
367 | // wait for the child to finish | ||
368 | int status = 0; | ||
369 | waitpid(child, &status, 0); | ||
370 | if (WIFEXITED(status) && WEXITSTATUS(status) == 0); | ||
371 | else { | ||
372 | unlink(tmp_fname); | ||
373 | exit(1); | ||
374 | } | ||
375 | |||
376 | // copy the temporary file into the destination file | ||
377 | child = fork(); | ||
378 | if (child < 0) | ||
379 | errExit("fork"); | ||
380 | if (child == 0) { | ||
381 | // drop privileges | ||
382 | drop_privs(0); | ||
383 | |||
384 | // copy the file | ||
385 | if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user | ||
386 | _exit(1); | ||
387 | #ifdef HAVE_GCOV | ||
388 | __gcov_flush(); | ||
389 | #endif | ||
390 | _exit(0); | ||
391 | } | ||
392 | |||
393 | // wait for the child to finish | ||
394 | status = 0; | ||
395 | waitpid(child, &status, 0); | ||
396 | if (WIFEXITED(status) && WEXITSTATUS(status) == 0); | ||
397 | else { | ||
398 | unlink(tmp_fname); | ||
399 | exit(1); | ||
400 | } | ||
401 | |||
402 | // remove the temporary file | ||
403 | unlink(tmp_fname); | ||
404 | EUID_USER(); | ||
405 | } | ||
406 | // get file from host and store it in the sandbox | 356 | // get file from host and store it in the sandbox |
407 | else if (op == SANDBOX_FS_PUT && path2) { | 357 | else if (op == SANDBOX_FS_PUT && path2) { |
408 | char *src_fname =fname1; | 358 | char *src_fname =fname1; |
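Review bot: The `open(dest_fname, O_WRONLY|O_CREAT|O_CLOEXEC, S_IRUSR | S_IWRITE)` at new line 307 follows symbolic links, so a pre-existing symlink in the current directory named like the requested file makes `--get` truncate and overwrite the link's target; the fstat() S_ISREG check after it accepts a regular file reached through the link, and with the old copy path removed in the second hunk this open() is now the only guard on the destination. `int fd = open(dest_fname, O_WRONLY|O_CREAT|O_NOFOLLOW|O_CLOEXEC, S_IRUSR | S_IWUSR);` closes that, and S_IWUSR is the current spelling of the obsolete S_IWRITE. The `assert(fd != STDOUT_FILENO)` at line 327 runs after the dup2(); placed before it, it would catch the case where stdout was closed at startup and open() returned descriptor 1, since the following close(fd) would otherwise close the redirected output. sandboxfs() continues outside the hunks.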
diff --git a/src/firejail/main.c b/src/firejail/main.c index 676d04895..e5d8a4720 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -161,7 +161,6 @@ int fullargc = 0; | |||
161 | static pid_t child = 0; | 161 | static pid_t child = 0; |
162 | pid_t sandbox_pid; | 162 | pid_t sandbox_pid; |
163 | mode_t orig_umask = 022; | 163 | mode_t orig_umask = 022; |
164 | unsigned long long start_timestamp; | ||
165 | 164 | ||
166 | static void clear_atexit(void) { | 165 | static void clear_atexit(void) { |
167 | EUID_ROOT(); | 166 | EUID_ROOT(); |
@@ -868,7 +867,8 @@ char *guess_shell(void) { | |||
868 | shell = getenv("SHELL"); | 867 | shell = getenv("SHELL"); |
869 | if (shell) { | 868 | if (shell) { |
870 | invalid_filename(shell, 0); // no globbing | 869 | invalid_filename(shell, 0); // no globbing |
871 | if (!is_dir(shell) && strstr(shell, "..") == NULL && stat(shell, &s) == 0 && access(shell, X_OK) == 0) | 870 | if (!is_dir(shell) && strstr(shell, "..") == NULL && stat(shell, &s) == 0 && access(shell, X_OK) == 0 && |
871 | strcmp(shell, PATH_FIREJAIL) != 0) | ||
872 | return shell; | 872 | return shell; |
873 | } | 873 | } |
874 | 874 | ||
@@ -1026,7 +1026,7 @@ int main(int argc, char **argv, char **envp) { | |||
1026 | init_cfg(argc, argv); | 1026 | init_cfg(argc, argv); |
1027 | 1027 | ||
1028 | // get starting timestamp, process --quiet | 1028 | // get starting timestamp, process --quiet |
1029 | start_timestamp = getticks(); | 1029 | timetrace_start(); |
1030 | char *env_quiet = getenv("FIREJAIL_QUIET"); | 1030 | char *env_quiet = getenv("FIREJAIL_QUIET"); |
1031 | if (check_arg(argc, argv, "--quiet", 1) || (env_quiet && strcmp(env_quiet, "yes") == 0)) | 1031 | if (check_arg(argc, argv, "--quiet", 1) || (env_quiet && strcmp(env_quiet, "yes") == 0)) |
1032 | arg_quiet = 1; | 1032 | arg_quiet = 1; |
@@ -2398,6 +2398,13 @@ int main(int argc, char **argv, char **envp) { | |||
2398 | fprintf(stderr, "Error: invalid MAC address\n"); | 2398 | fprintf(stderr, "Error: invalid MAC address\n"); |
2399 | exit(1); | 2399 | exit(1); |
2400 | } | 2400 | } |
2401 | |||
2402 | // check multicast address | ||
2403 | if (br->macsandbox[0] & 1) { | ||
2404 | fprintf(stderr, "Error: invalid MAC address (multicast)\n"); | ||
2405 | exit(1); | ||
2406 | } | ||
2407 | |||
2401 | } | 2408 | } |
2402 | else | 2409 | else |
2403 | exit_err_feature("networking"); | 2410 | exit_err_feature("networking"); |
@@ -2780,7 +2787,7 @@ int main(int argc, char **argv, char **envp) { | |||
2780 | 2787 | ||
2781 | // build the sandbox command | 2788 | // build the sandbox command |
2782 | if (prog_index == -1 && cfg.shell) { | 2789 | if (prog_index == -1 && cfg.shell) { |
2783 | cfg.command_line = cfg.shell; | 2790 | assert(cfg.command_line == NULL); // runs cfg.shell |
2784 | cfg.window_title = cfg.shell; | 2791 | cfg.window_title = cfg.shell; |
2785 | cfg.command_name = cfg.shell; | 2792 | cfg.command_name = cfg.shell; |
2786 | } | 2793 | } |
@@ -3023,8 +3030,15 @@ int main(int argc, char **argv, char **envp) { | |||
3023 | ptr += strlen(ptr); | 3030 | ptr += strlen(ptr); |
3024 | 3031 | ||
3025 | if (!arg_nogroups) { | 3032 | if (!arg_nogroups) { |
3033 | // add firejail group | ||
3034 | gid_t g = get_group_id("firejail"); | ||
3035 | if (g) { | ||
3036 | sprintf(ptr, "%d %d 1\n", g, g); | ||
3037 | ptr += strlen(ptr); | ||
3038 | } | ||
3039 | |||
3026 | // add tty group | 3040 | // add tty group |
3027 | gid_t g = get_group_id("tty"); | 3041 | g = get_group_id("tty"); |
3028 | if (g) { | 3042 | if (g) { |
3029 | sprintf(ptr, "%d %d 1\n", g, g); | 3043 | sprintf(ptr, "%d %d 1\n", g, g); |
3030 | ptr += strlen(ptr); | 3044 | ptr += strlen(ptr); |
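Review bot: The multicast test `if (br->macsandbox[0] & 1)` added at new lines 2403–2406 is duplicated verbatim in profile.c at lines 761–764, in both places directly after the same "invalid MAC address" check; folding it into the routine that performs that preceding check keeps the command-line and profile parsers from drifting the next time a MAC rule is added. A short why-comment helps readers unfamiliar with the frame format, e.g. `// bit 0 of the first octet is the I/G bit; the sandbox needs a unicast address`. In the gid-map hunk at lines 3033–3038 the additional `sprintf(ptr, ...)` writes into a buffer whose declaration is not visible here — confirm it has room for one more mapping line. main() continues outside the hunks.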
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 01df77ee6..6c7803602 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c | |||
@@ -204,14 +204,15 @@ void run_no_sandbox(int argc, char **argv) { | |||
204 | break; | 204 | break; |
205 | } | 205 | } |
206 | } | 206 | } |
207 | // if shell is /usr/bin/firejail, replace it with /bin/bash | 207 | |
208 | if (strcmp(cfg.shell, PATH_FIREJAIL) == 0) { | 208 | // if shell is /usr/bin/firejail, replace it with /bin/bash |
209 | cfg.shell = "/bin/bash"; | 209 | // if (strcmp(cfg.shell, PATH_FIREJAIL) == 0) { |
210 | prog_index = 0; | 210 | // cfg.shell = "/bin/bash"; |
211 | } | 211 | // prog_index = 0; |
212 | // } | ||
212 | 213 | ||
213 | if (prog_index == 0) { | 214 | if (prog_index == 0) { |
214 | cfg.command_line = cfg.shell; | 215 | assert(cfg.command_line == NULL); // runs cfg.shell |
215 | cfg.window_title = cfg.shell; | 216 | cfg.window_title = cfg.shell; |
216 | } else { | 217 | } else { |
217 | build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index); | 218 | build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index); |
@@ -230,5 +231,5 @@ void run_no_sandbox(int argc, char **argv) { | |||
230 | 231 | ||
231 | arg_quiet = 1; | 232 | arg_quiet = 1; |
232 | 233 | ||
233 | start_application(1, NULL); | 234 | start_application(1, -1, NULL); |
234 | } | 235 | } |
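Review bot: Lines 208–212 keep the old PATH_FIREJAIL substitution as commented-out code instead of deleting it; the history is in git, and the exclusion now lives in guess_shell() in main.c (`strcmp(shell, PATH_FIREJAIL) != 0`), so the dead block only invites someone to re-enable it. Replace it with a one-line pointer, e.g. `// a $SHELL that points at firejail itself is rejected in guess_shell()`. run_no_sandbox() continues outside the hunks.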
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 5ddf6fdbb..1ee8cdfcb 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -619,6 +619,17 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
619 | #endif | 619 | #endif |
620 | return 0; | 620 | return 0; |
621 | } | 621 | } |
622 | else if (strncmp(ptr, "netns ", 6) == 0) { | ||
623 | #ifdef HAVE_NETWORK | ||
624 | if (checkcfg(CFG_NETWORK)) { | ||
625 | arg_netns = ptr + 6; | ||
626 | check_netns(arg_netns); | ||
627 | } | ||
628 | else | ||
629 | warning_feature_disabled("networking"); | ||
630 | #endif | ||
631 | return 0; | ||
632 | } | ||
622 | else if (strcmp(ptr, "net none") == 0) { | 633 | else if (strcmp(ptr, "net none") == 0) { |
623 | arg_nonetwork = 1; | 634 | arg_nonetwork = 1; |
624 | cfg.bridge0.configured = 0; | 635 | cfg.bridge0.configured = 0; |
@@ -745,6 +756,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
745 | fprintf(stderr, "Error: invalid MAC address\n"); | 756 | fprintf(stderr, "Error: invalid MAC address\n"); |
746 | exit(1); | 757 | exit(1); |
747 | } | 758 | } |
759 | |||
760 | // check multicast address | ||
761 | if (br->macsandbox[0] & 1) { | ||
762 | fprintf(stderr, "Error: invalid MAC address (multicast)\n"); | ||
763 | exit(1); | ||
764 | } | ||
748 | } | 765 | } |
749 | else | 766 | else |
750 | warning_feature_disabled("networking"); | 767 | warning_feature_disabled("networking"); |
@@ -1497,7 +1514,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1497 | if (checkcfg(CFG_JOIN) || getuid() == 0) { | 1514 | if (checkcfg(CFG_JOIN) || getuid() == 0) { |
1498 | // try to join by name only | 1515 | // try to join by name only |
1499 | pid_t pid; | 1516 | pid_t pid; |
1500 | if (!name2pid(ptr + 14, &pid)) { | 1517 | EUID_ROOT(); |
1518 | int r = name2pid(ptr + 14, &pid); | ||
1519 | EUID_USER(); | ||
1520 | if (!r) { | ||
1501 | if (!cfg.shell && !arg_shell_none) | 1521 | if (!cfg.shell && !arg_shell_none) |
1502 | cfg.shell = guess_shell(); | 1522 | cfg.shell = guess_shell(); |
1503 | 1523 | ||
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index 84cbb1977..a5c924a70 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c | |||
@@ -31,6 +31,8 @@ | |||
31 | #define O_PATH 010000000 | 31 | #define O_PATH 010000000 |
32 | #endif | 32 | #endif |
33 | 33 | ||
34 | #define PULSE_CLIENT_SYSCONF "/etc/pulse/client.conf" | ||
35 | |||
34 | // disable pulseaudio socket | 36 | // disable pulseaudio socket |
35 | void pulseaudio_disable(void) { | 37 | void pulseaudio_disable(void) { |
36 | if (arg_debug) | 38 | if (arg_debug) |
@@ -73,8 +75,8 @@ void pulseaudio_disable(void) { | |||
73 | closedir(dir); | 75 | closedir(dir); |
74 | } | 76 | } |
75 | 77 | ||
76 | static void pulseaudio_set_environment(const char *path) { | 78 | static void pulseaudio_fallback(const char *path) { |
77 | assert(path); | 79 | fmessage("Cannot mount tmpfs on %s/.config/pulse\n", cfg.homedir); |
78 | if (setenv("PULSE_CLIENTCONFIG", path, 1) < 0) | 80 | if (setenv("PULSE_CLIENTCONFIG", path, 1) < 0) |
79 | errExit("setenv"); | 81 | errExit("setenv"); |
80 | } | 82 | } |
@@ -84,9 +86,9 @@ void pulseaudio_init(void) { | |||
84 | struct stat s; | 86 | struct stat s; |
85 | 87 | ||
86 | // do we have pulseaudio in the system? | 88 | // do we have pulseaudio in the system? |
87 | if (stat("/etc/pulse/client.conf", &s) == -1) { | 89 | if (stat(PULSE_CLIENT_SYSCONF, &s) == -1) { |
88 | if (arg_debug) | 90 | if (arg_debug) |
89 | printf("/etc/pulse/client.conf not found\n"); | 91 | printf("%s not found\n", PULSE_CLIENT_SYSCONF); |
90 | return; | 92 | return; |
91 | } | 93 | } |
92 | 94 | ||
@@ -101,7 +103,7 @@ void pulseaudio_init(void) { | |||
101 | char *pulsecfg = NULL; | 103 | char *pulsecfg = NULL; |
102 | if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1) | 104 | if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1) |
103 | errExit("asprintf"); | 105 | errExit("asprintf"); |
104 | if (copy_file("/etc/pulse/client.conf", pulsecfg, -1, -1, 0644)) // root needed | 106 | if (copy_file(PULSE_CLIENT_SYSCONF, pulsecfg, -1, -1, 0644)) // root needed |
105 | errExit("copy_file"); | 107 | errExit("copy_file"); |
106 | FILE *fp = fopen(pulsecfg, "a"); | 108 | FILE *fp = fopen(pulsecfg, "a"); |
107 | if (!fp) | 109 | if (!fp) |
@@ -126,11 +128,11 @@ void pulseaudio_init(void) { | |||
126 | if (create_empty_dir_as_user(homeusercfg, 0700)) | 128 | if (create_empty_dir_as_user(homeusercfg, 0700)) |
127 | fs_logger2("create", homeusercfg); | 129 | fs_logger2("create", homeusercfg); |
128 | 130 | ||
129 | // if ~/.config/pulse now exists and there are no symbolic links, mount the new directory | 131 | // if ~/.config/pulse exists and there are no symbolic links, mount the new directory |
130 | // else set environment variable | 132 | // else set environment variable |
131 | int fd = safe_fd(homeusercfg, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); | 133 | int fd = safe_fd(homeusercfg, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); |
132 | if (fd == -1) { | 134 | if (fd == -1) { |
133 | pulseaudio_set_environment(pulsecfg); | 135 | pulseaudio_fallback(pulsecfg); |
134 | goto out; | 136 | goto out; |
135 | } | 137 | } |
136 | // confirm the actual mount destination is owned by the user | 138 | // confirm the actual mount destination is owned by the user |
@@ -138,12 +140,12 @@ void pulseaudio_init(void) { | |||
138 | if (errno != EACCES) | 140 | if (errno != EACCES) |
139 | errExit("fstat"); | 141 | errExit("fstat"); |
140 | close(fd); | 142 | close(fd); |
141 | pulseaudio_set_environment(pulsecfg); | 143 | pulseaudio_fallback(pulsecfg); |
142 | goto out; | 144 | goto out; |
143 | } | 145 | } |
144 | if (s.st_uid != getuid()) { | 146 | if (s.st_uid != getuid()) { |
145 | close(fd); | 147 | close(fd); |
146 | pulseaudio_set_environment(pulsecfg); | 148 | pulseaudio_fallback(pulsecfg); |
147 | goto out; | 149 | goto out; |
148 | } | 150 | } |
149 | // preserve a read-only mount | 151 | // preserve a read-only mount |
@@ -171,8 +173,9 @@ void pulseaudio_init(void) { | |||
171 | char *p; | 173 | char *p; |
172 | if (asprintf(&p, "%s/client.conf", homeusercfg) == -1) | 174 | if (asprintf(&p, "%s/client.conf", homeusercfg) == -1) |
173 | errExit("asprintf"); | 175 | errExit("asprintf"); |
176 | if (setenv("PULSE_CLIENTCONFIG", p, 1) < 0) | ||
177 | errExit("setenv"); | ||
174 | fs_logger2("create", p); | 178 | fs_logger2("create", p); |
175 | pulseaudio_set_environment(p); | ||
176 | free(p); | 179 | free(p); |
177 | 180 | ||
178 | // RUN_PULSE_DIR not needed anymore, mask it | 181 | // RUN_PULSE_DIR not needed anymore, mask it |
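Review bot: pulseaudio_fallback() (new lines 78–82) prints "Cannot mount tmpfs on %s/.config/pulse" from all three call sites, but the first one (line 134) is reached when safe_fd() cannot open the directory at all — presumably because ~/.config/pulse is missing or is a symlink, given the O_NOFOLLOW flag and the comment at line 131 — so the message names a mount that was never attempted. A wording that covers all three cases, such as `Cannot use %s/.config/pulse for the pulseaudio client config`, plus a header comment on the helper, e.g. `// ~/.config/pulse is unusable as a mount point; point the client at the copy in RUN_PULSE_DIR instead`, would make the fallback self-explanatory. pulseaudio_init() continues outside the hunks.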
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 8bfe76603..d811fe45a 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -141,7 +141,7 @@ void set_apparmor(void) { | |||
141 | } | 141 | } |
142 | #endif | 142 | #endif |
143 | 143 | ||
144 | void seccomp_debug(void) { | 144 | static void seccomp_debug(void) { |
145 | if (arg_debug == 0) | 145 | if (arg_debug == 0) |
146 | return; | 146 | return; |
147 | 147 | ||
@@ -400,19 +400,8 @@ static int monitor_application(pid_t app_pid) { | |||
400 | } | 400 | } |
401 | 401 | ||
402 | static void print_time(void) { | 402 | static void print_time(void) { |
403 | if (start_timestamp) { | 403 | float delta = timetrace_end(); |
404 | unsigned long long end_timestamp = getticks(); | 404 | fmessage("Child process initialized in %.02f ms\n", delta); |
405 | // measure 1 ms | ||
406 | usleep(1000); | ||
407 | unsigned long long onems = getticks() - end_timestamp; | ||
408 | if (onems) { | ||
409 | fmessage("Child process initialized in %.02f ms\n", | ||
410 | (float) (end_timestamp - start_timestamp) / (float) onems); | ||
411 | return; | ||
412 | } | ||
413 | } | ||
414 | |||
415 | fmessage("Child process initialized\n"); | ||
416 | } | 405 | } |
417 | 406 | ||
418 | 407 | ||
@@ -472,7 +461,7 @@ static int ok_to_run(const char *program) { | |||
472 | return 0; | 461 | return 0; |
473 | } | 462 | } |
474 | 463 | ||
475 | void start_application(int no_sandbox, char *set_sandbox_status) { | 464 | void start_application(int no_sandbox, int fd, char *set_sandbox_status) { |
476 | // set environment | 465 | // set environment |
477 | if (no_sandbox == 0) { | 466 | if (no_sandbox == 0) { |
478 | env_defaults(); | 467 | env_defaults(); |
@@ -482,7 +471,7 @@ void start_application(int no_sandbox, char *set_sandbox_status) { | |||
482 | umask(orig_umask); | 471 | umask(orig_umask); |
483 | 472 | ||
484 | if (arg_debug) { | 473 | if (arg_debug) { |
485 | printf("starting application\n"); | 474 | printf("Starting application\n"); |
486 | printf("LD_PRELOAD=%s\n", getenv("LD_PRELOAD")); | 475 | printf("LD_PRELOAD=%s\n", getenv("LD_PRELOAD")); |
487 | } | 476 | } |
488 | 477 | ||
@@ -499,9 +488,6 @@ void start_application(int no_sandbox, char *set_sandbox_status) { | |||
499 | if (set_sandbox_status) | 488 | if (set_sandbox_status) |
500 | *set_sandbox_status = SANDBOX_DONE; | 489 | *set_sandbox_status = SANDBOX_DONE; |
501 | execl(arg_audit_prog, arg_audit_prog, NULL); | 490 | execl(arg_audit_prog, arg_audit_prog, NULL); |
502 | |||
503 | perror("execl"); | ||
504 | exit(1); | ||
505 | } | 491 | } |
506 | //**************************************** | 492 | //**************************************** |
507 | // start the program without using a shell | 493 | // start the program without using a shell |
@@ -543,35 +529,37 @@ void start_application(int no_sandbox, char *set_sandbox_status) { | |||
543 | //**************************************** | 529 | //**************************************** |
544 | else { | 530 | else { |
545 | assert(cfg.shell); | 531 | assert(cfg.shell); |
546 | assert(cfg.command_line); | ||
547 | 532 | ||
548 | char *arg[5]; | 533 | char *arg[5]; |
549 | int index = 0; | 534 | int index = 0; |
550 | arg[index++] = cfg.shell; | 535 | arg[index++] = cfg.shell; |
551 | if (login_shell) { | 536 | if (cfg.command_line) { |
552 | arg[index++] = "-l"; | ||
553 | if (arg_debug) | ||
554 | printf("Starting %s login shell\n", cfg.shell); | ||
555 | } else { | ||
556 | arg[index++] = "-c"; | ||
557 | if (arg_debug) | 537 | if (arg_debug) |
558 | printf("Running %s command through %s\n", cfg.command_line, cfg.shell); | 538 | printf("Running %s command through %s\n", cfg.command_line, cfg.shell); |
539 | arg[index++] = "-c"; | ||
559 | if (arg_doubledash) | 540 | if (arg_doubledash) |
560 | arg[index++] = "--"; | 541 | arg[index++] = "--"; |
561 | arg[index++] = cfg.command_line; | 542 | arg[index++] = cfg.command_line; |
562 | } | 543 | } |
563 | arg[index] = NULL; | 544 | else if (login_shell) { |
545 | if (arg_debug) | ||
546 | printf("Starting %s login shell\n", cfg.shell); | ||
547 | arg[index++] = "-l"; | ||
548 | } | ||
549 | else if (arg_debug) | ||
550 | printf("Starting %s shell\n", cfg.shell); | ||
551 | |||
564 | assert(index < 5); | 552 | assert(index < 5); |
553 | arg[index] = NULL; | ||
565 | 554 | ||
566 | if (arg_debug) { | 555 | if (arg_debug) { |
567 | char *msg; | 556 | char *msg; |
568 | if (asprintf(&msg, "sandbox %d, execvp into %s", sandbox_pid, cfg.command_line) == -1) | 557 | if (asprintf(&msg, "sandbox %d, execvp into %s", |
558 | sandbox_pid, cfg.command_line ? cfg.command_line : cfg.shell) == -1) | ||
569 | errExit("asprintf"); | 559 | errExit("asprintf"); |
570 | logmsg(msg); | 560 | logmsg(msg); |
571 | free(msg); | 561 | free(msg); |
572 | } | ||
573 | 562 | ||
574 | if (arg_debug) { | ||
575 | int i; | 563 | int i; |
576 | for (i = 0; i < 5; i++) { | 564 | for (i = 0; i < 5; i++) { |
577 | if (arg[i] == NULL) | 565 | if (arg[i] == NULL) |
@@ -591,10 +579,14 @@ void start_application(int no_sandbox, char *set_sandbox_status) { | |||
591 | if (set_sandbox_status) | 579 | if (set_sandbox_status) |
592 | *set_sandbox_status = SANDBOX_DONE; | 580 | *set_sandbox_status = SANDBOX_DONE; |
593 | execvp(arg[0], arg); | 581 | execvp(arg[0], arg); |
582 | |||
583 | // join sandbox without shell in the mount namespace | ||
584 | if (fd > -1) | ||
585 | fexecve(fd, arg, environ); | ||
594 | } | 586 | } |
595 | 587 | ||
596 | perror("execvp"); | 588 | perror("Cannot start application"); |
597 | exit(1); // it should never get here!!! | 589 | exit(1); |
598 | } | 590 | } |
599 | 591 | ||
600 | static void enforce_filters(void) { | 592 | static void enforce_filters(void) { |
@@ -923,12 +915,9 @@ int sandbox(void* sandbox_arg) { | |||
923 | 915 | ||
924 | #ifdef HAVE_USERTMPFS | 916 | #ifdef HAVE_USERTMPFS |
925 | if (arg_private_cache) { | 917 | if (arg_private_cache) { |
926 | if (cfg.chrootdir) | 918 | EUID_USER(); |
927 | fwarning("private-cache feature is disabled in chroot\n"); | 919 | profile_add("tmpfs ${HOME}/.cache"); |
928 | else if (arg_overlay) | 920 | EUID_ROOT(); |
929 | fwarning("private-cache feature is disabled in overlay\n"); | ||
930 | else | ||
931 | fs_private_cache(); | ||
932 | } | 921 | } |
933 | #endif | 922 | #endif |
934 | 923 | ||
@@ -1237,7 +1226,7 @@ int sandbox(void* sandbox_arg) { | |||
1237 | set_nice(cfg.nice); | 1226 | set_nice(cfg.nice); |
1238 | set_rlimits(); | 1227 | set_rlimits(); |
1239 | 1228 | ||
1240 | start_application(0, set_sandbox_status); | 1229 | start_application(0, -1, set_sandbox_status); |
1241 | } | 1230 | } |
1242 | 1231 | ||
1243 | munmap(set_sandbox_status, 1); | 1232 | munmap(set_sandbox_status, 1); |
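Review bot: In start_application() the new fallback at lines 583–585, `if (fd > -1) fexecve(fd, arg, environ);`, overwrites the errno left by the failed execvp() on line 581, so the `perror("Cannot start application")` on line 588 only ever reports the fallback's failure and the reason the in-sandbox shell could not be executed is lost; saving errno before the fallback, or printing both under arg_debug, keeps that diagnostic. The new `fd` parameter deserves a line in the function header, e.g. `// fd: O_PATH descriptor of the shell opened on the host before joining (join.c), or -1`, and `environ` needs a visible `extern char **environ;` unless the file's includes already provide it under _GNU_SOURCE (not visible in the hunk). The private-cache hunk at lines 917–920 drops the chroot/overlay refusals and the symlink/not-a-directory checks that fs_private_cache() performed before mounting; if the generic `tmpfs` profile handler does not repeat them, the behaviour for a symlinked ~/.cache changes silently — confirm against fs.c. start_application() and sandbox() continue outside the hunks.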
diff --git a/src/firejail/util.c b/src/firejail/util.c index 02befdc12..a3927cc88 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -36,6 +36,11 @@ | |||
36 | #define O_PATH 010000000 | 36 | #define O_PATH 010000000 |
37 | #endif | 37 | #endif |
38 | 38 | ||
39 | #include <sys/syscall.h> | ||
40 | #ifdef __NR_openat2 | ||
41 | #include <linux/openat2.h> | ||
42 | #endif | ||
43 | |||
39 | #define MAX_GROUPS 1024 | 44 | #define MAX_GROUPS 1024 |
40 | #define MAXBUF 4098 | 45 | #define MAXBUF 4098 |
41 | #define EMPTY_STRING ("") | 46 | #define EMPTY_STRING ("") |
@@ -70,10 +75,11 @@ static void clean_supplementary_groups(gid_t gid) { | |||
70 | goto clean_all; | 75 | goto clean_all; |
71 | 76 | ||
72 | // clean supplementary group list | 77 | // clean supplementary group list |
73 | // allow only tty, audio, video, games | 78 | // allow only firejail, tty, audio, video, games |
74 | gid_t new_groups[MAX_GROUPS]; | 79 | gid_t new_groups[MAX_GROUPS]; |
75 | int new_ngroups = 0; | 80 | int new_ngroups = 0; |
76 | char *allowed[] = { | 81 | char *allowed[] = { |
82 | "firejail", | ||
77 | "tty", | 83 | "tty", |
78 | "audio", | 84 | "audio", |
79 | "video", | 85 | "video", |
@@ -1007,12 +1013,8 @@ int create_empty_dir_as_user(const char *dir, mode_t mode) { | |||
1007 | if (chmod(dir, mode) == -1) | 1013 | if (chmod(dir, mode) == -1) |
1008 | {;} // do nothing | 1014 | {;} // do nothing |
1009 | } | 1015 | } |
1010 | else if (arg_debug) { | 1016 | else if (arg_debug) |
1011 | char *str; | 1017 | printf("Directory %s not created: %s\n", dir, strerror(errno)); |
1012 | if (asprintf(&str, "Directory %s not created", dir) == -1) | ||
1013 | errExit("asprintf"); | ||
1014 | perror(str); | ||
1015 | } | ||
1016 | #ifdef HAVE_GCOV | 1018 | #ifdef HAVE_GCOV |
1017 | __gcov_flush(); | 1019 | __gcov_flush(); |
1018 | #endif | 1020 | #endif |
@@ -1157,46 +1159,57 @@ void disable_file_path(const char *path, const char *file) { | |||
1157 | free(fname); | 1159 | free(fname); |
1158 | } | 1160 | } |
1159 | 1161 | ||
1160 | // open file without following any symbolic link | 1162 | // open an existing file without following any symbolic link |
1161 | // returns a file descriptor on success, or -1 if a symlink is found | ||
1162 | int safe_fd(const char *path, int flags) { | 1163 | int safe_fd(const char *path, int flags) { |
1164 | flags |= O_NOFOLLOW; | ||
1163 | assert(path); | 1165 | assert(path); |
1164 | if (*path != '/') | 1166 | if (*path != '/' || strstr(path, "..")) { |
1165 | goto errexit; | 1167 | fprintf(stderr, "Error: invalid path %s\n", path); |
1166 | if (strstr(path, "..")) | 1168 | exit(1); |
1167 | goto errexit; | 1169 | } |
1168 | |||
1169 | int parentfd = open("/", O_PATH|O_DIRECTORY|O_CLOEXEC); | ||
1170 | if (parentfd == -1) | ||
1171 | errExit("open"); | ||
1172 | int fd = -1; | 1170 | int fd = -1; |
1173 | 1171 | ||
1174 | char *last_tok = EMPTY_STRING; | 1172 | #ifdef __NR_openat2 // kernel 5.6 or better |
1173 | struct open_how oh; | ||
1174 | memset(&oh, 0, sizeof(oh)); | ||
1175 | oh.flags = flags; | ||
1176 | oh.resolve = RESOLVE_NO_SYMLINKS; | ||
1177 | fd = syscall(__NR_openat2, -1, path, &oh, sizeof(struct open_how)); | ||
1178 | if (fd != -1 || errno != ENOSYS) | ||
1179 | return fd; | ||
1180 | #endif | ||
1181 | |||
1182 | // openat2 syscall is not available, traverse path and | ||
1183 | // check each component if it is a symbolic link or not | ||
1175 | char *dup = strdup(path); | 1184 | char *dup = strdup(path); |
1176 | if (!dup) | 1185 | if (!dup) |
1177 | errExit("strdup"); | 1186 | errExit("strdup"); |
1178 | char *tok = strtok(dup, "/"); | 1187 | char *tok = strtok(dup, "/"); |
1179 | if (!tok) { // root directory | 1188 | if (!tok) { // root directory |
1180 | free(dup); | 1189 | free(dup); |
1181 | return parentfd; | 1190 | return open("/", flags); |
1182 | } | 1191 | } |
1192 | char *last_tok = EMPTY_STRING; | ||
1193 | int parentfd = open("/", O_PATH|O_CLOEXEC); | ||
1194 | if (parentfd == -1) | ||
1195 | errExit("open"); | ||
1183 | 1196 | ||
1184 | while(1) { | 1197 | while(1) { |
1185 | // open the element, assuming it is a directory; this fails with ENOTDIR if it is a symbolic link | 1198 | // open path component, assuming it is a directory; this fails with ENOTDIR if it is a symbolic link |
1186 | // if token is a single dot, the previous directory is reopened | 1199 | // if token is a single dot, the previous directory is reopened |
1187 | fd = openat(parentfd, tok, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); | 1200 | fd = openat(parentfd, tok, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); |
1188 | if (fd == -1) { | 1201 | if (fd == -1) { |
1189 | // if the following token is NULL, the current token is the final path element | 1202 | // if the following token is NULL, the current token is the final path component |
1190 | // try again to open it, this time using the passed flags, and return -1 or the descriptor | 1203 | // try again to open it, this time using the passed flags, and return -1 or the descriptor |
1191 | last_tok = tok; | 1204 | last_tok = tok; |
1192 | tok = strtok(NULL, "/"); | 1205 | tok = strtok(NULL, "/"); |
1193 | if (!tok) | 1206 | if (!tok) |
1194 | fd = openat(parentfd, last_tok, flags|O_NOFOLLOW); | 1207 | fd = openat(parentfd, last_tok, flags); |
1195 | close(parentfd); | 1208 | close(parentfd); |
1196 | free(dup); | 1209 | free(dup); |
1197 | return fd; // -1 if open failed | 1210 | return fd; |
1198 | } | 1211 | } |
1199 | // move on to next path segment | 1212 | // move on to next path component |
1200 | last_tok = tok; | 1213 | last_tok = tok; |
1201 | tok = strtok(NULL, "/"); | 1214 | tok = strtok(NULL, "/"); |
1202 | if (!tok) | 1215 | if (!tok) |
@@ -1204,18 +1217,13 @@ int safe_fd(const char *path, int flags) { | |||
1204 | close(parentfd); | 1217 | close(parentfd); |
1205 | parentfd = fd; | 1218 | parentfd = fd; |
1206 | } | 1219 | } |
1207 | 1220 | // getting here when the last path component exists and is of file type directory | |
1208 | // we are here because the last path element exists and is of file type directory | ||
1209 | // reopen it using the passed flags | 1221 | // reopen it using the passed flags |
1210 | close(fd); | 1222 | close(fd); |
1211 | fd = openat(parentfd, last_tok, flags|O_NOFOLLOW); | 1223 | fd = openat(parentfd, last_tok, flags); |
1212 | close(parentfd); | 1224 | close(parentfd); |
1213 | free(dup); | 1225 | free(dup); |
1214 | return fd; // -1 if open failed | 1226 | return fd; |
1215 | |||
1216 | errexit: | ||
1217 | fprintf(stderr, "Error: cannot open \"%s\": invalid path\n", path); | ||
1218 | exit(1); | ||
1219 | } | 1227 | } |
1220 | 1228 | ||
1221 | int has_handler(pid_t pid, int signal) { | 1229 | int has_handler(pid_t pid, int signal) { |
@@ -1321,7 +1329,7 @@ static int has_link(const char *dir) { | |||
1321 | assert(dir); | 1329 | assert(dir); |
1322 | int fd = safe_fd(dir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); | 1330 | int fd = safe_fd(dir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); |
1323 | if (fd == -1) { | 1331 | if (fd == -1) { |
1324 | if (errno == ENOTDIR && is_dir(dir)) | 1332 | if ((errno == ELOOP || errno == ENOTDIR) && is_dir(dir)) |
1325 | return 1; | 1333 | return 1; |
1326 | } | 1334 | } |
1327 | else | 1335 | else |
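Review bot: The new header comment on safe_fd, `// open an existing file without following any symbolic link`, drops the old sentence about the return value just as the failure errno starts to differ by code path: the openat2 branch with RESOLVE_NO_SYMLINKS fails with ELOOP on a symlink component, while the fallback walk fails with ENOTDIR, which is exactly why has_link below now tests both. Document that at the definition, e.g. `// returns a file descriptor, or -1 with errno set; a symlink in the path yields ELOOP (openat2) or ENOTDIR (fallback walk)`. Any other caller that still recognises the symlink case by errno == ENOTDIR alone is not visible in this hunk and would need the same ELOOP update as has_link. As far as open(2) and openat2(2) describe it, when flags contain O_PATH|O_NOFOLLOW without O_DIRECTORY both paths return an O_PATH descriptor to a trailing symlink itself rather than -1, so callers that must reject a trailing symlink cannot rely on the -1 return alone.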
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index e10abad4e..4872a5207 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
@@ -1368,7 +1368,7 @@ void fs_x11(void) { | |||
1368 | void x11_block(void) { | 1368 | void x11_block(void) { |
1369 | #ifdef HAVE_X11 | 1369 | #ifdef HAVE_X11 |
1370 | // check abstract socket presence and network namespace options | 1370 | // check abstract socket presence and network namespace options |
1371 | if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured) | 1371 | if ((!arg_nonetwork && !arg_netns && !cfg.bridge0.configured && !cfg.interface0.configured) |
1372 | && x11_abstract_sockets_present()) { | 1372 | && x11_abstract_sockets_present()) { |
1373 | fprintf(stderr, "ERROR: --x11=none specified, but abstract X11 socket still accessible.\n" | 1373 | fprintf(stderr, "ERROR: --x11=none specified, but abstract X11 socket still accessible.\n" |
1374 | "Additional setup required. To block abstract X11 socket you can either:\n" | 1374 | "Additional setup required. To block abstract X11 socket you can either:\n" |
diff --git a/src/include/common.h b/src/include/common.h index 2fa61cc91..5df51c5a9 100644 --- a/src/include/common.h +++ b/src/include/common.h | |||
@@ -118,21 +118,6 @@ static inline int mac_not_zero(const unsigned char mac[6]) { | |||
118 | return 0; | 118 | return 0; |
119 | } | 119 | } |
120 | 120 | ||
121 | // rtdsc timestamp on x86-64/amd64 processors | ||
122 | static inline unsigned long long getticks(void) { | ||
123 | #if defined(__x86_64__) | ||
124 | unsigned a, d; | ||
125 | asm volatile("rdtsc" : "=a" (a), "=d" (d)); | ||
126 | return ((unsigned long long)a) | (((unsigned long long)d) << 32); | ||
127 | #elif defined(__i386__) | ||
128 | unsigned long long ret; | ||
129 | __asm__ __volatile__("rdtsc" : "=A" (ret)); | ||
130 | return ret; | ||
131 | #else | ||
132 | return 0; // not implemented | ||
133 | #endif | ||
134 | } | ||
135 | |||
136 | void timetrace_start(void); | 121 | void timetrace_start(void); |
137 | float timetrace_end(void); | 122 | float timetrace_end(void); |
138 | int join_namespace(pid_t pid, char *type); | 123 | int join_namespace(pid_t pid, char *type); |
diff --git a/src/lib/common.c b/src/lib/common.c index 1fd317d4f..823442835 100644 --- a/src/lib/common.c +++ b/src/lib/common.c | |||
@@ -30,6 +30,7 @@ | |||
30 | #include <signal.h> | 30 | #include <signal.h> |
31 | #include <dirent.h> | 31 | #include <dirent.h> |
32 | #include <string.h> | 32 | #include <string.h> |
33 | #include <time.h> | ||
33 | #include "../include/common.h" | 34 | #include "../include/common.h" |
34 | #define BUFLEN 4096 | 35 | #define BUFLEN 4096 |
35 | 36 | ||
@@ -277,7 +278,7 @@ int pid_hidepid(void) { | |||
277 | if (strstr(buf, "proc /proc proc")) { | 278 | if (strstr(buf, "proc /proc proc")) { |
278 | fclose(fp); | 279 | fclose(fp); |
279 | // check hidepid | 280 | // check hidepid |
280 | if (strstr(buf, "hidepid=2") || strstr(buf, "hidepid=1")) | 281 | if (strstr(buf, "hidepid=")) |
281 | return 1; | 282 | return 1; |
282 | return 0; | 283 | return 0; |
283 | } | 284 | } |
@@ -290,38 +291,42 @@ int pid_hidepid(void) { | |||
290 | //************************** | 291 | //************************** |
291 | // time trace based on getticks function | 292 | // time trace based on getticks function |
292 | //************************** | 293 | //************************** |
293 | static int tt_not_implemented = 0; // not implemented for the current architecture | 294 | typedef struct list_entry_t { |
294 | static unsigned long long tt_1ms = 0; | 295 | struct list_entry_t *next; |
295 | static unsigned long long tt = 0; // start time | 296 | struct timespec ts; |
297 | } ListEntry; | ||
296 | 298 | ||
297 | void timetrace_start(void) { | 299 | static ListEntry *ts_list = NULL; |
298 | if (tt_not_implemented) | ||
299 | return; | ||
300 | unsigned long long t1 = getticks(); | ||
301 | if (t1 == 0) { | ||
302 | tt_not_implemented = 1; | ||
303 | return; | ||
304 | } | ||
305 | 300 | ||
306 | if (tt_1ms == 0) { | 301 | static inline float msdelta(struct timespec *start, struct timespec *end) { |
307 | usleep(1000); // sleep 1 ms | 302 | unsigned sec = end->tv_sec - start->tv_sec; |
308 | unsigned long long t2 = getticks(); | 303 | long nsec = end->tv_nsec - start->tv_nsec; |
309 | tt_1ms = t2 - t1; | 304 | return (float) sec * 1000 + (float) nsec / 1000000; |
310 | if (tt_1ms == 0) { | 305 | } |
311 | tt_not_implemented = 1; | ||
312 | return; | ||
313 | } | ||
314 | } | ||
315 | 306 | ||
316 | tt = getticks(); | 307 | void timetrace_start(void) { |
308 | ListEntry *t = malloc(sizeof(ListEntry)); | ||
309 | if (!t) | ||
310 | errExit("malloc"); | ||
311 | memset(t, 0, sizeof(ListEntry)); | ||
312 | clock_gettime(CLOCK_MONOTONIC, &t->ts); | ||
313 | |||
314 | // add it to the list | ||
315 | t->next = ts_list; | ||
316 | ts_list = t; | ||
317 | } | 317 | } |
318 | 318 | ||
319 | float timetrace_end(void) { | 319 | float timetrace_end(void) { |
320 | if (tt_not_implemented) | 320 | if (!ts_list) |
321 | return 0; | 321 | return 0; |
322 | 322 | ||
323 | unsigned long long delta = getticks() - tt; | 323 | // remove start time from the list |
324 | assert(tt_1ms); | 324 | ListEntry *t = ts_list; |
325 | ts_list = t->next; | ||
325 | 326 | ||
326 | return (float) delta / (float) tt_1ms; | 327 | struct timespec end; |
328 | clock_gettime(CLOCK_MONOTONIC, &end); | ||
329 | float rv = msdelta(&t->ts, &end); | ||
330 | free(t); | ||
331 | return rv; | ||
327 | } | 332 | } |
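Review bot: The section header kept at new line 292, `// time trace based on getticks function`, is now wrong: this hunk replaces the rdtsc-based timing with clock_gettime(CLOCK_MONOTONIC), and getticks itself is deleted from src/include/common.h in the same commit. Change it to `// time trace based on clock_gettime(CLOCK_MONOTONIC); start/end pairs are kept on a LIFO list so they may nest`. Both clock_gettime calls ignore their return value; failure is not expected for a constant clockid and a valid pointer, but `if (clock_gettime(CLOCK_MONOTONIC, &t->ts) == -1) errExit("clock_gettime");` would match how the malloc failure two lines above is handled. In the pid_hidepid hunk, `strstr(buf, "hidepid=")` also accepts the string-valued modes newer kernels print (hidepid=invisible/ptraceable, if I recall correctly), which is presumably the intent; a one-line comment saying so would help, since the old code deliberately listed only 1 and 2.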
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 8c73962fb..347e2b31b 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -76,10 +76,10 @@ If an appropriate profile is not found, Firejail will use a default profile. | |||
76 | The default profile is quite restrictive. In case the application doesn't work, use --noprofile option | 76 | The default profile is quite restrictive. In case the application doesn't work, use --noprofile option |
77 | to disable it. For more information, please see \fBSECURITY PROFILES\fR section below. | 77 | to disable it. For more information, please see \fBSECURITY PROFILES\fR section below. |
78 | .PP | 78 | .PP |
79 | If a program argument is not specified, Firejail starts /bin/bash shell. | 79 | If a program argument is not specified, Firejail starts the user's preferred shell. |
80 | Examples: | 80 | Examples: |
81 | .PP | 81 | .PP |
82 | $ firejail [OPTIONS] # starting a /bin/bash shell | 82 | $ firejail [OPTIONS] # starting the program specified in $SHELL, usually /bin/bash |
83 | .PP | 83 | .PP |
84 | $ firejail [OPTIONS] firefox # starting Mozilla Firefox | 84 | $ firejail [OPTIONS] firefox # starting Mozilla Firefox |
85 | .PP | 85 | .PP |
@@ -1558,7 +1558,7 @@ Parent pid 8553, child pid 8554 | |||
1558 | Child process initialized | 1558 | Child process initialized |
1559 | .br | 1559 | .br |
1560 | [...] | 1560 | [...] |
1561 | #if HAVE_USERNS | 1561 | #ifdef HAVE_USERNS |
1562 | .TP | 1562 | .TP |
1563 | \fB\-\-noroot | 1563 | \fB\-\-noroot |
1564 | Install a user namespace with a single user - the current user. | 1564 | Install a user namespace with a single user - the current user. |
@@ -2476,7 +2476,7 @@ $ firejail \-\-shell=none script.sh | |||
2476 | \fB\-\-shell=program | 2476 | \fB\-\-shell=program |
2477 | Set default user shell. Use this shell to run the application using \-c shell option. | 2477 | Set default user shell. Use this shell to run the application using \-c shell option. |
2478 | For example "firejail \-\-shell=/bin/dash firefox" will start Mozilla Firefox as "/bin/dash \-c firefox". | 2478 | For example "firejail \-\-shell=/bin/dash firefox" will start Mozilla Firefox as "/bin/dash \-c firefox". |
2479 | By default Bash shell (/bin/bash) is used. | 2479 | By default the user's preferred shell is used. |
2480 | .br | 2480 | .br |
2481 | 2481 | ||
2482 | .br | 2482 | .br |
@@ -3023,7 +3023,7 @@ We provide a tool that automates all this integration, please see \&\flfirecfg\f | |||
3023 | .SH EXAMPLES | 3023 | .SH EXAMPLES |
3024 | .TP | 3024 | .TP |
3025 | \f\firejail | 3025 | \f\firejail |
3026 | Sandbox a regular /bin/bash session. | 3026 | Sandbox a regular shell session. |
3027 | .TP | 3027 | .TP |
3028 | \f\firejail firefox | 3028 | \f\firejail firefox |
3029 | Start Mozilla Firefox. | 3029 | Start Mozilla Firefox. |
@@ -3043,7 +3043,7 @@ Start Firefox in a new network namespace. An IP address is | |||
3043 | assigned automatically. | 3043 | assigned automatically. |
3044 | .TP | 3044 | .TP |
3045 | \f\firejail \-\-net=br0 \-\-ip=10.10.20.5 \-\-net=br1 \-\-net=br2 | 3045 | \f\firejail \-\-net=br0 \-\-ip=10.10.20.5 \-\-net=br1 \-\-net=br2 |
3046 | Start a /bin/bash session in a new network namespace and connect it | 3046 | Start a shell session in a new network namespace and connect it |
3047 | to br0, br1, and br2 host bridge devices. IP addresses are assigned | 3047 | to br0, br1, and br2 host bridge devices. IP addresses are assigned |
3048 | automatically for the interfaces connected to br1 and b2 | 3048 | automatically for the interfaces connected to br1 and b2 |
3049 | #endif | 3049 | #endif |
diff --git a/src/man/preproc.awk b/src/man/preproc.awk index 20081b551..1471be3ec 100755 --- a/src/man/preproc.awk +++ b/src/man/preproc.awk | |||
@@ -23,7 +23,7 @@ | |||
23 | BEGIN { | 23 | BEGIN { |
24 | macros[0] = 0 | 24 | macros[0] = 0 |
25 | for (arg in ARGV) { | 25 | for (arg in ARGV) { |
26 | if (ARGV[arg] ~ /^-D[A-Z_]+$/) { | 26 | if (ARGV[arg] ~ /^-D[A-Z0-9_]+$/) { |
27 | macros[length(macros) + 1] = substr(ARGV[arg], 3) | 27 | macros[length(macros) + 1] = substr(ARGV[arg], 3) |
28 | } | 28 | } |
29 | ARGV[arg] = "" | 29 | ARGV[arg] = "" |
@@ -31,7 +31,7 @@ BEGIN { | |||
31 | 31 | ||
32 | include = 1 | 32 | include = 1 |
33 | } | 33 | } |
34 | /^#ifdef [A-Z_]+$/ { | 34 | /^#ifdef [A-Z0-9_]+$/ { |
35 | macro = substr($0, 8) | 35 | macro = substr($0, 8) |
36 | for (i in macros) { | 36 | for (i in macros) { |
37 | if (macros[i] == macro) { | 37 | if (macros[i] == macro) { |
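Review bot: Widening the macro character class to `[A-Z0-9_]+` in both the `-D` argument check and the `#ifdef` rule is consistent, but the script still passes through any conditional line it does not recognise unchanged: the `#if HAVE_USERNS` line corrected in src/man/firejail.txt in this same commit would have reached the generated man page as literal text. Consider a catch-all such as `/^#if / { print "preproc.awk: unsupported directive: " $0 > "/dev/stderr"; exit 1 }` so that a mistyped directive fails the build instead of leaking into the output. Any `#else`/`#endif` rules this file has are outside the hunk, so the placement of the new rule relative to them needs checking.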
diff --git a/test/fs/fscheck-tmpfs.exp b/test/fs/fscheck-tmpfs.exp index ebd3eeb9c..818549fe2 100755 --- a/test/fs/fscheck-tmpfs.exp +++ b/test/fs/fscheck-tmpfs.exp | |||
@@ -7,12 +7,49 @@ set timeout 10 | |||
7 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
8 | match_max 100000 | 8 | match_max 100000 |
9 | 9 | ||
10 | # .. | 10 | send -- "mkdir -p ~/fjtest-dir/fjtest-dir\r" |
11 | send -- "firejail --tmpfs=fscheck-dir\r" | 11 | after 100 |
12 | send -- "mkdir /tmp/fjtest-dir\r" | ||
13 | after 100 | ||
14 | |||
15 | if { ! [file exists ~/fjtest-dir/fjtest-dir] } { | ||
16 | puts "TESTING ERROR 1\n" | ||
17 | exit | ||
18 | } | ||
19 | if { ! [file exists /tmp/fjtest-dir] } { | ||
20 | puts "TESTING ERROR 2\n" | ||
21 | exit | ||
22 | } | ||
23 | |||
24 | send -- "firejail --noprofile --tmpfs=~/fjtest-dir\r" | ||
25 | expect { | ||
26 | timeout {puts "TESTING ERROR 3\n";exit} | ||
27 | "Child process initialized" | ||
28 | } | ||
29 | after 500 | ||
30 | |||
31 | send -- "ls ~/fjtest-dir/fjtest-dir\r" | ||
32 | expect { | ||
33 | timeout {puts "TESTING ERROR 4\n";exit} | ||
34 | "No such file or directory" | ||
35 | } | ||
36 | after 500 | ||
37 | |||
38 | send -- "exit\r" | ||
39 | after 500 | ||
40 | |||
41 | send -- "firejail --noprofile --tmpfs=/tmp/fjtest-dir\r" | ||
12 | expect { | 42 | expect { |
13 | timeout {puts "TESTING ERROR 0.1\n";exit} | 43 | timeout {puts "TESTING ERROR 5\n";exit} |
14 | "Error" | 44 | "Error" |
15 | } | 45 | } |
46 | after 500 | ||
47 | |||
48 | # cleanup | ||
49 | send -- "rm -fr ~/fjtest-dir\r" | ||
16 | after 100 | 50 | after 100 |
51 | send -- "rm -fr /tmp/fjtest-dir\r" | ||
52 | after 100 | ||
53 | |||
17 | 54 | ||
18 | puts "\nall done\n" | 55 | puts "\nall done\n" |
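Review bot: The new setup at lines 10-22 relies on `after 100` between sending `mkdir` to the spawned shell and checking `file exists` from the Tcl side, so a slow shell start makes TESTING ERROR 1 or 2 fire spuriously; the later `after 500` waits have the same weakness. Sending a marker and waiting for it is deterministic, e.g. `send -- "mkdir -p ~/fjtest-dir/fjtest-dir /tmp/fjtest-dir && echo MKDIR-DONE\r"` followed by `expect { timeout {puts "TESTING ERROR 1\n";exit} "MKDIR-DONE" }` before the two `file exists` checks. The bare `"Error"` pattern at line 44 also matches any firejail error, not only the case this run is presumably meant to check (a tmpfs requested outside the home directory); matching the specific message firejail prints for that case would make the assertion meaningful.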
diff --git a/test/fs/private-cache.exp b/test/fs/private-cache.exp index 0597e8921..6e4c6bd1b 100755 --- a/test/fs/private-cache.exp +++ b/test/fs/private-cache.exp | |||
@@ -7,16 +7,17 @@ set timeout 10 | |||
7 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
8 | match_max 100000 | 8 | match_max 100000 |
9 | 9 | ||
10 | if {[file exists ~/.cache]} { | 10 | send -- "mkdir --mode=700 ~/.cache\r" |
11 | puts "found .cache directory\n" | ||
12 | } else { | ||
13 | send -- "mkdir --mode=755 ~/.cache\r" | ||
14 | } | ||
15 | after 100 | 11 | after 100 |
16 | 12 | ||
17 | send -- "touch ~/.cache/abcdefg\r" | 13 | send -- "touch ~/.cache/abcdefg\r" |
18 | after 100 | 14 | after 100 |
19 | 15 | ||
16 | if { ! [file exists ~/.cache/abcdefg] } { | ||
17 | puts "TESTING ERROR 0\n" | ||
18 | exit | ||
19 | } | ||
20 | |||
20 | send -- "firejail --noprofile --private-cache\r" | 21 | send -- "firejail --noprofile --private-cache\r" |
21 | expect { | 22 | expect { |
22 | timeout {puts "TESTING ERROR 1\n";exit} | 23 | timeout {puts "TESTING ERROR 1\n";exit} |
@@ -34,23 +35,8 @@ after 100 | |||
34 | send -- "exit\r" | 35 | send -- "exit\r" |
35 | sleep 1 | 36 | sleep 1 |
36 | 37 | ||
37 | send -- "rm -v ~/.cache/abcdefg\r" | 38 | # cleanup |
38 | expect { | 39 | send -- "rm ~/.cache/abcdefg\r" |
39 | timeout {puts "TESTING ERROR 3\n";exit} | ||
40 | "removed" | ||
41 | } | ||
42 | after 100 | 40 | after 100 |
43 | 41 | ||
44 | # redo the test with --private | ||
45 | |||
46 | send -- "firejail --noprofile --private --private-cache\r" | ||
47 | expect { | ||
48 | timeout {puts "TESTING ERROR 4\n";exit} | ||
49 | "Warning" | ||
50 | } | ||
51 | sleep 1 | ||
52 | |||
53 | send -- "exit\r" | ||
54 | sleep 1 | ||
55 | |||
56 | puts "\nall done\n" | 42 | puts "\nall done\n" |
diff --git a/test/profiles/profiles.sh b/test/profiles/profiles.sh index 75d961eb1..2d7d2a966 100755 --- a/test/profiles/profiles.sh +++ b/test/profiles/profiles.sh | |||
@@ -40,7 +40,7 @@ if [ -d "/run/user/$UID" ]; then | |||
40 | PROFILES=`ls /etc/firejail/*.profile` | 40 | PROFILES=`ls /etc/firejail/*.profile` |
41 | echo "TESTING: default profiles installed in /etc" | 41 | echo "TESTING: default profiles installed in /etc" |
42 | else | 42 | else |
43 | PROFILES=`ls /etc/firejail/fi*.profile /etc/firejail/fl*.profile /etc/firejail/free*.profile` | 43 | PROFILES=`ls /etc/firejail/transmission*.profile /etc/firejail/fi*.profile /etc/firejail/fl*.profile /etc/firejail/free*.profile` |
44 | echo "TESTING: small number of default profiles installed in /etc" | 44 | echo "TESTING: small number of default profiles installed in /etc" |
45 | fi | 45 | fi |
46 | 46 | ||