284 files changed, 1536 insertions, 239 deletions
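--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -31,9 +31,9 @@ Steps to reproduce the behavior:
 Other context about the problem like related errors to understand the problem.
 
 **Checklist**
-- [ ] The upstream profile (and redirect profile if exists) have no changes fixing it.
+- [ ] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc).
 - [ ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`)
-- [ ] A short search for duplicates was performed.
+- [ ] I have performed a short search for similar issues (to avoid opening a duplicate).
 - [ ] If it is a AppImage, `--profile=PROFILENAME` is used to set the right profile.
 - [ ] Used `LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM` to get english error-messages.
 - [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers.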
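--- a/Makefile.in
+++ b/Makefile.in
@@ -110,9 +110,9 @@ endif
 install -m 0755 -d $(DESTDIR)$(libdir)/firejail
 install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config
 install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS)
-# non-dumpable plugins
-install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE)
-install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh
+# plugins w/o read permission (non-dumpable)
+install -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE)
+install -m 0711 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh
 ifeq ($(HAVE_CONTRIB_INSTALL),yes)
 # contrib scripts
 install -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/*.py contrib/*.sh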
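Review bot: Mode 0711 on `src/fshaper/fshaper.sh` takes read permission away from a shell script, and the interpreter has to open a script for reading, so after this change only the owner (root after a normal install) can run it. That is fine if firejail only ever invokes fshaper.sh with root privileges, which this hunk does not show; if so, the comment should say it, for example `# no read permission for group/other (non-dumpable); fshaper.sh is only ever run as root`. For the compiled `$(SBOX_APPS_NON_DUMPABLE)` binaries 0711 works as intended, since execution does not need read access. The install recipe starts and continues outside the hunk.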
@@ -70,6 +70,7 @@ Adrian L. Shaw (https://github.com/adrianlshaw) | |||
70 | - add barrirer profile | 70 | - add barrirer profile |
71 | Aidan Gauland (https://github.com/aidalgol) | 71 | Aidan Gauland (https://github.com/aidalgol) |
72 | - added electron, riot-web and npm profiles | 72 | - added electron, riot-web and npm profiles |
73 | - whitelist Bohemia Interactive config dir for Steam | ||
73 | Akhil Hans Maulloo (https://github.com/kouul) | 74 | Akhil Hans Maulloo (https://github.com/kouul) |
74 | - xz profile | 75 | - xz profile |
75 | Alexey Kuznetsov (kuznet@ms2.inr.ac.ru) | 76 | Alexey Kuznetsov (kuznet@ms2.inr.ac.ru) |
@@ -159,6 +160,11 @@ Bandie (https://github.com/Bandie) | |||
159 | - fixed riot-desktop | 160 | - fixed riot-desktop |
160 | Barış Ekin Yıldırım (https://github.com/circuitshaker) | 161 | Barış Ekin Yıldırım (https://github.com/circuitshaker) |
161 | - removing net none from code.profile | 162 | - removing net none from code.profile |
163 | bbhtt (https://github.com/bbhtt) | ||
164 | - improvements to balsa,fractal,gajim,trojita profiles | ||
165 | - improvements to nheko, spectral, feh, links, lynx profiles | ||
166 | - added alacartem com.github.bleakgrey.tootle, photoflare profiles | ||
167 | - add profiles for MS Edge dev build for Linux and Librewolf | ||
162 | Benjamin Kampmann (https://github.com/ligthyear) | 168 | Benjamin Kampmann (https://github.com/ligthyear) |
163 | - Forward exit code from child process | 169 | - Forward exit code from child process |
164 | bitfreak25 (https://github.com/bitfreak25) | 170 | bitfreak25 (https://github.com/bitfreak25) |
@@ -178,6 +184,8 @@ Brad Ackerman | |||
178 | - blacklist Bitwarden config in disable-passwdmgr.inc | 184 | - blacklist Bitwarden config in disable-passwdmgr.inc |
179 | briaeros (https://github.com/briaeros) | 185 | briaeros (https://github.com/briaeros) |
180 | - fix command test in jail_prober.py | 186 | - fix command test in jail_prober.py |
187 | botherer (https://github.com/botherder) | ||
188 | - add CoyIM profile | ||
181 | Bruno Nova (https://github.com/brunonova) | 189 | Bruno Nova (https://github.com/brunonova) |
182 | - whitelist fix | 190 | - whitelist fix |
183 | - bash arguments fix | 191 | - bash arguments fix |
@@ -301,6 +309,8 @@ Fabian Würfl (https://github.com/BafDyce) | |||
301 | - Liferea profile | 309 | - Liferea profile |
302 | Felipe Barriga Richards (https://github.com/fbarriga) | 310 | Felipe Barriga Richards (https://github.com/fbarriga) |
303 | - --private-etc fix | 311 | - --private-etc fix |
312 | fenuks (https://github.com/fenuks) | ||
313 | - fix sound in games using FMOD | ||
304 | Florian Begusch (https://github.com/florianbegusch) | 314 | Florian Begusch (https://github.com/florianbegusch) |
305 | - (la)tex profiles | 315 | - (la)tex profiles |
306 | - fixed transmission-common.profile | 316 | - fixed transmission-common.profile |
@@ -420,6 +430,8 @@ hawkey116477 (https://github.com/hawkeye116477) | |||
420 | - updated Waterfox profile | 430 | - updated Waterfox profile |
421 | Helmut Grohne (https://github.com/helmutg) | 431 | Helmut Grohne (https://github.com/helmutg) |
422 | - compiler support in the build system - Debian bug #869707 | 432 | - compiler support in the build system - Debian bug #869707 |
433 | hhzek0014 (https://github.com/hhzek0014) | ||
434 | - updated bibletime.profile | ||
423 | hlein (https://github.com/hlein) | 435 | hlein (https://github.com/hlein) |
424 | - strip out \r's from jail prober | 436 | - strip out \r's from jail prober |
425 | Holger Heinz (https://github.com/hheinz) | 437 | Holger Heinz (https://github.com/hheinz) |
@@ -518,7 +530,11 @@ KellerFuchs (https://github.com/KellerFuchs) | |||
518 | - fixed Cryptocat profile | 530 | - fixed Cryptocat profile |
519 | - make ~/.local read-only | 531 | - make ~/.local read-only |
520 | Kelvin (https://github.com/kmk3) | 532 | Kelvin (https://github.com/kmk3) |
521 | - disable ldns utilities | 533 | - disable ldns utilities, dnssec-*, khost, unbound-host |
534 | - sort DNS / RUNUSER paths | ||
535 | - improve bug_report.md | ||
536 | - fix keypassxc | ||
537 | - blacklist oksh shell in disable-shell.inc | ||
522 | Kishore96in (https://github.com/Kishore96in) | 538 | Kishore96in (https://github.com/Kishore96in) |
523 | - added falkon profile | 539 | - added falkon profile |
524 | - kxmlgui fixes | 540 | - kxmlgui fixes |
@@ -610,6 +626,7 @@ Neo00001 (https://github.com/Neo00001) | |||
610 | - update virtualbox profile | 626 | - update virtualbox profile |
611 | - update telegram profile | 627 | - update telegram profile |
612 | - add spectacle profile | 628 | - add spectacle profile |
629 | - add kdiff3 profile | ||
613 | Nick Fox (https://github.com/njfox) | 630 | Nick Fox (https://github.com/njfox) |
614 | - add a profile alias for code-oss | 631 | - add a profile alias for code-oss |
615 | - add code-oss config directory | 632 | - add code-oss config directory |
@@ -620,6 +637,8 @@ Niklas Haas (https://github.com/haasn) | |||
620 | - blacklisting for keybase.io's client | 637 | - blacklisting for keybase.io's client |
621 | Niklas Goerke (https://github.com/Niklas974) | 638 | Niklas Goerke (https://github.com/Niklas974) |
622 | - update QOwnNotes profile | 639 | - update QOwnNotes profile |
640 | Nikos Chantziaras (https://github.com/realnc) | ||
641 | - fix audio support for Discord | ||
623 | nyancat18 (https://github.com/nyancat18) | 642 | nyancat18 (https://github.com/nyancat18) |
624 | - added ardour4, dooble, karbon, krita profiles | 643 | - added ardour4, dooble, karbon, krita profiles |
625 | Ondra Nekola (https://github.com/satai) | 644 | Ondra Nekola (https://github.com/satai) |
@@ -711,6 +730,8 @@ RandomVoid (https://github.com/RandomVoid) | |||
711 | - fix building C# projects in Godot | 730 | - fix building C# projects in Godot |
712 | Raphaël Droz (https://github.com/drzraf) | 731 | Raphaël Droz (https://github.com/drzraf) |
713 | - zoom profile fixes | 732 | - zoom profile fixes |
733 | realaltffour (https://github.com/realaltffour) | ||
734 | - add lynx support to newsboat profile | ||
714 | Reiner Herrmann (https://github.com/reinerh) | 735 | Reiner Herrmann (https://github.com/reinerh) |
715 | - a number of build patches | 736 | - a number of build patches |
716 | - man page fixes | 737 | - man page fixes |
@@ -730,6 +751,8 @@ RD PROJEKT (https://github.com/RDProjekt) | |||
730 | - support AMD GPU by OpenCL in Blender | 751 | - support AMD GPU by OpenCL in Blender |
731 | rogshdo (https://github.com/rogshdo) | 752 | rogshdo (https://github.com/rogshdo) |
732 | - BitlBee profile | 753 | - BitlBee profile |
754 | rootalc (https://github.com/rootalc) | ||
755 | - add nolocal6.net filter | ||
733 | Ruan (https://github.com/ruany) | 756 | Ruan (https://github.com/ruany) |
734 | - fixed hexchat profile | 757 | - fixed hexchat profile |
735 | rusty-snake (https://github.com/rusty-snake) | 758 | rusty-snake (https://github.com/rusty-snake) |
@@ -170,29 +170,29 @@ $ ./profstats *.profile | |||
170 | Warning: multiple caps in transmission-daemon.profile | 170 | Warning: multiple caps in transmission-daemon.profile |
171 | 171 | ||
172 | Stats: | 172 | Stats: |
173 | profiles 1031 | 173 | profiles 1064 |
174 | include local profile 1031 (include profile-name.local) | 174 | include local profile 1064 (include profile-name.local) |
175 | include globals 1031 (include globals.local) | 175 | include globals 1064 (include globals.local) |
176 | blacklist ~/.ssh 1007 (include disable-common.inc) | 176 | blacklist ~/.ssh 959 (include disable-common.inc) |
177 | seccomp 976 | 177 | seccomp 975 |
178 | capabilities 1030 | 178 | capabilities 1063 |
179 | noexec 901 (include disable-exec.inc) | 179 | noexec 944 (include disable-exec.inc) |
180 | memory-deny-write-execute 221 | 180 | memory-deny-write-execute 229 |
181 | apparmor 555 | 181 | apparmor 605 |
182 | private-bin 544 | 182 | private-bin 564 |
183 | private-dev 897 | 183 | private-dev 932 |
184 | private-etc 435 | 184 | private-etc 462 |
185 | private-tmp 785 | 185 | private-tmp 823 |
186 | whitelist home directory 474 | 186 | whitelist home directory 502 |
187 | whitelist var 699 (include whitelist-var-common.inc) | 187 | whitelist var 744 (include whitelist-var-common.inc) |
188 | whitelist run/user 336 (include whitelist-runuser-common.inc | 188 | whitelist run/user 461 (include whitelist-runuser-common.inc |
189 | or blacklist ${RUNUSER}) | 189 | or blacklist ${RUNUSER}) |
190 | whitelist usr/share 359 (include whitelist-usr-share-common.inc | 190 | whitelist usr/share 451 (include whitelist-usr-share-common.inc |
191 | net none 333 | 191 | net none 345 |
192 | dbus-user none 523 | 192 | dbus-user none 564 |
193 | dbus-system none 632 | 193 | dbus-user filter 85 |
194 | dbus-system none 696 | ||
195 | dbus-system filter 7 | ||
194 | ``` | 196 | ``` |
195 | 197 | ||
196 | ### New profiles: | 198 | ### New profiles: |
197 | |||
198 | spectacle, chromium-browser-privacy, gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu, authenticator-rs, servo, tutanota-desktop, npm, marker, yarn | ||
@@ -1,15 +1,16 @@ | |||
1 | firejail (0.9.65) baseline; urgency=low | 1 | firejail (0.9.64.2) baseline; urgency=low |
2 | * allow --tmpfs inside $HOME for unprivileged users | 2 | * allow --tmpfs inside $HOME for unprivileged users |
3 | * --disable-usertmpfs compile time option | 3 | * --disable-usertmpfs compile time option |
4 | * allow AF_BLUETOOTH via --protocol=bluetooth | 4 | * allow AF_BLUETOOTH via --protocol=bluetooth |
5 | * Setup guide for new users: contrib/firejail-welcome.sh | 5 | * Setup guide for new users: contrib/firejail-welcome.sh |
6 | * implement netns in profiles | 6 | * implement netns in profiles |
7 | * added nolocal6.net IPv6 network filter | ||
7 | * new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer | 8 | * new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer |
8 | * new profiles: gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer | 9 | * new profiles: gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer |
9 | * new profiles: straw-viewer, lutris, dolphin-emu, authenticator-rs, servo | 10 | * new profiles: straw-viewer, lutris, dolphin-emu, authenticator-rs, servo |
10 | * new profiles: npm, marker | 11 | * new profiles: npm, marker, yarn, lsar, unar, agetpkg, mdr, shotwell, qnapi |
11 | 12 | * new profiles: guvcview, pkglog, kdiff3, CoyIM | |
12 | -- netblue30 <netblue30@yahoo.com> Wed, 21 Oct 2020 09:00:00 -0500 | 13 | -- netblue30 <netblue30@yahoo.com> Tue, 26 Jan 2021 09:00:00 -0500 |
13 | 14 | ||
14 | firejail (0.9.64) baseline; urgency=low | 15 | firejail (0.9.64) baseline; urgency=low |
15 | * replaced --nowrap option with --wrap in firemon | 16 | * replaced --nowrap option with --wrap in firemon |
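--- /dev/null
+++ b/etc/inc/allow-bin-sh.inc
@@ -0,0 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-bin-sh.local
+
+noblacklist ${PATH}/bash
+noblacklist ${PATH}/dash
+noblacklist ${PATH}/sh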
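Review bot: Nothing in the file says which blacklist these `noblacklist` lines override or that the include has to be placed ahead of it; the python equivalent in this commit is used as `include allow-python3.inc` before `include disable-interpreters.inc`, with a comment naming that file. I would add a header comment such as `# Allow /bin/sh (blacklisted by disable-shell.inc); include this before disable-shell.inc`, assuming disable-shell.inc is the file that blacklists these paths. The file name says sh while the body re-enables bash and dash as well, presumably because sh is a symlink to one of them, and the comment should state that so a profile author knows a full bash becomes reachable.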
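--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -191,6 +191,7 @@ blacklist ${HOME}/.config/cmus
 blacklist ${HOME}/.config/com.github.bleakgrey.tootle
 blacklist ${HOME}/.config/corebird
 blacklist ${HOME}/.config/cower
+blacklist ${HOME}/.config/coyim
 blacklist ${HOME}/.config/darktable
 blacklist ${HOME}/.config/deadbeef
 blacklist ${HOME}/.config/deluge
@@ -253,6 +254,7 @@ blacklist ${HOME}/.config/google-chrome-unstable
 blacklist ${HOME}/.config/gpicview
 blacklist ${HOME}/.config/gthumb
 blacklist ${HOME}/.config/gummi
+blacklist ${HOME}/.config/guvcview2
 blacklist ${HOME}/.config/gwenviewrc
 blacklist ${HOME}/.config/hexchat
 blacklist ${HOME}/.config/homebank
@@ -274,6 +276,8 @@ blacklist ${HOME}/.config/katevirc
 blacklist ${HOME}/.config/kazam
 blacklist ${HOME}/.config/kdeconnect
 blacklist ${HOME}/.config/kdenliverc
+blacklist ${HOME}/.config/kdiff3fileitemactionrc
+blacklist ${HOME}/.config/kdiff3rc
 blacklist ${HOME}/.config/kfindrc
 blacklist ${HOME}/.config/kgetrc
 blacklist ${HOME}/.config/kid3rc
@@ -340,6 +344,7 @@ blacklist ${HOME}/.config/opera
 blacklist ${HOME}/.config/opera-beta
 blacklist ${HOME}/.config/orage
 blacklist ${HOME}/.config/org.gabmus.gfeeds.json
+blacklist ${HOME}/.config/org.gabmus.gfeeds.saved_articles
 blacklist ${HOME}/.config/org.kde.gwenviewrc
 blacklist ${HOME}/.config/otter
 blacklist ${HOME}/.config/pavucontrol-qt
@@ -357,6 +362,7 @@ blacklist ${HOME}/.config/psi
 blacklist ${HOME}/.config/psi+
 blacklist ${HOME}/.config/qBittorrent
 blacklist ${HOME}/.config/qBittorrentrc
+blacklist ${HOME}/.config/qnapi.ini
 blacklist ${HOME}/.config/qpdfview
 blacklist ${HOME}/.config/qupzilla
 blacklist ${HOME}/.config/qutebrowser
@@ -467,10 +473,7 @@ blacklist ${HOME}/.gimp*
 blacklist ${HOME}/.gist
 blacklist ${HOME}/.gitconfig
 blacklist ${HOME}/.gnome/gnome-schedule
-blacklist ${HOME}/.googleearth/Cache
-blacklist ${HOME}/.googleearth/Temp
-blacklist ${HOME}/.googleearth/myplaces.backup.kml
-blacklist ${HOME}/.googleearth/myplaces.kml
+blacklist ${HOME}/.googleearth
 blacklist ${HOME}/.gradle
 blacklist ${HOME}/.gramps
 blacklist ${HOME}/.guayadeque
@@ -710,6 +713,7 @@ blacklist ${HOME}/.local/share/remmina
 blacklist ${HOME}/.local/share/rhythmbox
 blacklist ${HOME}/.local/share/rtv
 blacklist ${HOME}/.local/share/scribus
+blacklist ${HOME}/.local/share/shotwell
 blacklist ${HOME}/.local/share/signal-cli
 blacklist ${HOME}/.local/share/sink
 blacklist ${HOME}/.local/share/smuxi
@@ -993,6 +997,7 @@ blacklist ${HOME}/.cache/qBittorrent
 blacklist ${HOME}/.cache/qupzilla
 blacklist ${HOME}/.cache/qutebrowser
 blacklist ${HOME}/.cache/rhythmbox
+blacklist ${HOME}/.cache/shotwell
 blacklist ${HOME}/.cache/simple-scan
 blacklist ${HOME}/.cache/slimjet
 blacklist ${HOME}/.cache/smuxi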
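--- a/etc/inc/firefox-common-addons.inc
+++ b/etc/inc/firefox-common-addons.inc
@@ -58,11 +58,12 @@ whitelist ${HOME}/.wine-pipelight64
 whitelist ${HOME}/.zotero
 whitelist ${HOME}/dwhelper
 
-# GNOME Shell integration (chrome-gnome-shell) needs dbus and python 3 (blacklisted by disable-interpreters.inc)
+# GNOME Shell integration (chrome-gnome-shell) needs dbus and python
 noblacklist ${HOME}/.local/share/gnome-shell
 whitelist ${HOME}/.local/share/gnome-shell
 ignore dbus-user none
 ignore dbus-system none
+# Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
 
 # KeePassXC Browser Integration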
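--- /dev/null
+++ b/etc/net/nolocal6.net
@@ -0,0 +1,41 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+###################################################################
+# Client filter rejecting local network traffic, with the exception of
+# DNS traffic
+#
+# Usage:
+# firejail --net=eth0 --netfilter6=/etc/firejail/nolocal6.net firefox
+#
+###################################################################
+
+#allow all loopback traffic
+-A INPUT -i lo -j ACCEPT
+
+# no incoming connections
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# allow ping etc.
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type time-exceeded -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT
+# required for ipv6
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -j ACCEPT
+
+# accept dns requests going out to a server on the local network
+-A OUTPUT -p udp --dport 53 -j ACCEPT
+
+# drop all local network traffic
+-A OUTPUT -d FC00::/7 -j DROP
+
+# drop multicast traffic
+# required for ipv6
+-A OUTPUT -d ff02::2 -j ACCEPT
+-A OUTPUT -d ff00::/8 -j DROP
+COMMIT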
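Review bot: The rule under `# drop all local network traffic` only covers unique-local addresses (`FC00::/7`), so hosts on the same link stay reachable through their link-local addresses in `fe80::/10`, which is exactly the traffic this filter claims to reject. Dropping `fe80::/10` as well needs explicit OUTPUT accepts for neighbour discovery placed ahead of the drops, otherwise reachability probes towards the router are likely to fail (inferred from the rule order, not tested). The DNS exception accepts udp/53 to every destination before the drops and leaves tcp/53 to a local resolver blocked, which the comment should state. The `# no incoming connections` comment sits above a rule that accepts RELATED,ESTABLISHED and would read better as `# accept replies to outgoing connections only`.

```iptables
# accept dns requests going out to a server on the local network
# (udp/53 to any destination; tcp/53 to a local resolver stays blocked)
-A OUTPUT -p udp --dport 53 -j ACCEPT

# neighbour discovery has to pass before the local ranges are dropped
-A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j ACCEPT
-A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -j ACCEPT
-A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -j ACCEPT

# drop all local network traffic (unique-local and link-local)
-A OUTPUT -d fc00::/7 -j DROP
-A OUTPUT -d fe80::/10 -j DROP
# … unchanged: multicast rules and COMMIT …
```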
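--- a/etc/profile-a-l/Builder.profile
+++ b/etc/profile-a-l/Builder.profile
@@ -1,6 +1,9 @@
 # Firejail profile for gnome-builder
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include Builder.local
+
 # Temporary fix for https://github.com/netblue30/firejail/issues/2624
 # Redirect
 include gnome-builder.profile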
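--- a/etc/profile-a-l/Cheese.profile
+++ b/etc/profile-a-l/Cheese.profile
@@ -1,6 +1,9 @@
 # Firejail profile for cheese
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include Cheese.local
+
 # Temporary fix for https://github.com/netblue30/firejail/issues/2624
 # Redirect
 include cheese.profile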
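--- a/etc/profile-a-l/Cyberfox.profile
+++ b/etc/profile-a-l/Cyberfox.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for cyberfox
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include Cyberfox.local
+
 # Redirect
 include cyberfox.profile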
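--- a/etc/profile-a-l/Documents.profile
+++ b/etc/profile-a-l/Documents.profile
@@ -1,6 +1,9 @@
 # Firejail profile for gnome-documents
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include Documents.local
+
 # Temporary fix for https://github.com/netblue30/firejail/issues/2624
 # Redirect
 include gnome-documents.profile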
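--- a/etc/profile-a-l/FossaMail.profile
+++ b/etc/profile-a-l/FossaMail.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for fossamail
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include FossaMail.local
+
 # Redirect
 include fossamail.profile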
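--- a/etc/profile-a-l/Gitter.profile
+++ b/etc/profile-a-l/Gitter.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for Gitter
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include Gitter.local
+
 # Redirect
 include gitter.profile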
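--- a/etc/profile-a-l/Logs.profile
+++ b/etc/profile-a-l/Logs.profile
@@ -1,6 +1,9 @@
 # Firejail profile for gnome-logs
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include Logs.local
+
 # Temporary fix for https://github.com/netblue30/firejail/issues/2624
 # Redirect
 include gnome-logs.profile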
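--- /dev/null
+++ b/etc/profile-a-l/agetpkg.profile
@@ -0,0 +1,60 @@
+# Firejail profile for agetpkg
+# Description: CLI tool to list/get/install packages from the Arch Linux Archive
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include agetpkg.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+# Allow python (blacklisted by disable-interpreters.inc)
+#include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+hostname agetpkg
+ipc-namespace
+machine-id
+noautopulse
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin agetpkg,python3
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute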
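Review bot: The header advertises list/get/install, but `private-bin agetpkg,python3` together with `noroot` and `caps.drop all` leaves neither a package manager nor any privilege inside the sandbox, so the install mode presumably cannot work under this profile. A comment next to `private-bin` would make that a documented decision rather than a surprise, for example `# package installation is not expected to work in this sandbox (no package manager, no root)`. The commented-out `#include allow-python2.inc` should either be removed or explained, since `private-bin` exposes only python3.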
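--- a/etc/profile-a-l/alacarte.profile
+++ b/etc/profile-a-l/alacarte.profile
@@ -6,6 +6,7 @@ include alacarte.local
 # Persistent global definitions
 include globals.local
 
+# Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
 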
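--- a/etc/profile-a-l/ardour4.profile
+++ b/etc/profile-a-l/ardour4.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for ardour5
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include ardur4.local
+
 # Redirect
 include ardour5.profile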
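Review bot: The added include names `ardur4.local`, which does not match the profile name `ardour4.profile`, so a user's `ardour4.local` would presumably never be read and any hardening placed there would be skipped without an error. The sibling redirect profiles in this commit use the exact profile name (`Builder.local`, `blender-2.8.local`), so this looks like a typo. The line should be `include ardour4.local`.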
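--- a/etc/profile-a-l/bibletime.profile
+++ b/etc/profile-a-l/bibletime.profile
@@ -26,6 +26,7 @@ whitelist ${HOME}/.bibletime
 whitelist ${HOME}/.sword
 whitelist ${HOME}/.local/share/bibletime
 whitelist /usr/share/bibletime
+whitelist /usr/share/doc/bibletime
 whitelist /usr/share/sword
 include whitelist-common.inc
 include whitelist-usr-share-common.inc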
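--- a/etc/profile-a-l/blackbox.profile
+++ b/etc/profile-a-l/blackbox.profile
@@ -6,7 +6,7 @@ include blackbox.local
 # Persistent global definitions
 include globals.local
 
-# all applications started in awesome will run in this profile
+# all applications started in blackbox will run in this profile
 noblacklist ${HOME}/.blackbox
 include disable-common.inc
 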
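--- a/etc/profile-a-l/blender-2.8.profile
+++ b/etc/profile-a-l/blender-2.8.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for blender
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include blender-2.8.local
+
 # Redirect
 include blender.profile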
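--- a/etc/profile-a-l/brave-browser-beta.profile
+++ b/etc/profile-a-l/brave-browser-beta.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for brave (beta channel)
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include brave-browser-beta.local
+
 # Redirect
 include brave.profile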
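--- a/etc/profile-a-l/brave-browser-dev.profile
+++ b/etc/profile-a-l/brave-browser-dev.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for brave (development channel)
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include brave-browser-dev.local
+
 # Redirect
 include brave.profile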
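--- a/etc/profile-a-l/brave-browser-nightly.profile
+++ b/etc/profile-a-l/brave-browser-nightly.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for brave (nightly channel)
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include brave-browser-nightly.local
+
 # Redirect
 include brave.profile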
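--- a/etc/profile-a-l/brave-browser-stable.profile
+++ b/etc/profile-a-l/brave-browser-stable.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for brave (release channel)
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include brave-browser-stable.local
+
 # Redirect
 include brave.profile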
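--- a/etc/profile-a-l/brave-browser.profile
+++ b/etc/profile-a-l/brave-browser.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for brave
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include brave-browser.local
+
 # Redirect
 include brave.profile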
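--- a/etc/profile-a-l/bsdcat.profile
+++ b/etc/profile-a-l/bsdcat.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for bsdtar
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include bsdcat.local
+
 # Redirect
 include bsdtar.profile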
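--- a/etc/profile-a-l/bsdcpio.profile
+++ b/etc/profile-a-l/bsdcpio.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for bsdtar
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include bsdcpio.local
+
 # Redirect
 include bsdtar.profile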
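--- a/etc/profile-a-l/calligraauthor.profile
+++ b/etc/profile-a-l/calligraauthor.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include calligraauthor.local
+
 # Redirect
 include calligra.profile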
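--- a/etc/profile-a-l/calligraconverter.profile
+++ b/etc/profile-a-l/calligraconverter.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include calligraconverter.local
+
 # Redirect
 include calligra.profile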
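--- a/etc/profile-a-l/calligraflow.profile
+++ b/etc/profile-a-l/calligraflow.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include calligraflow.local
+
 # Redirect
 include calligra.profile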
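--- a/etc/profile-a-l/calligraplan.profile
+++ b/etc/profile-a-l/calligraplan.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include calligraplan.local
+
 noblacklist ${HOME}/.local/share/kxmlgui5/calligraplan
 
 # Redirect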
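--- a/etc/profile-a-l/calligraplanwork.profile
+++ b/etc/profile-a-l/calligraplanwork.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include calligraplanwork.local
+
 noblacklist ${HOME}/.local/share/kxmlgui5/calligraplanwork
 
 # Redirect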
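--- a/etc/profile-a-l/calligrasheets.profile
+++ b/etc/profile-a-l/calligrasheets.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include calligrasheets.local
+
 noblacklist ${HOME}/.local/share/kxmlgui5/calligrasheets
 
 # Redirect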
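--- a/etc/profile-a-l/calligrastage.profile
+++ b/etc/profile-a-l/calligrastage.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include calligrastage.local
+
 noblacklist ${HOME}/.local/share/kxmlgui5/calligrastage
 
 # Redirect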
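--- a/etc/profile-a-l/calligrawords.profile
+++ b/etc/profile-a-l/calligrawords.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include calligrawords.local
+
 noblacklist ${HOME}/.local/share/kxmlgui5/calligrawords
 
 # Redirect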
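--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -10,13 +10,13 @@ noblacklist ${HOME}/.config/celluloid
 noblacklist ${HOME}/.config/gnome-mpv
 noblacklist ${HOME}/.config/youtube-dl
 
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
 
-# Allow lua (blacklisted by disable-interpreters.inc)
-include allow-lua.inc
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc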
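--- a/etc/profile-a-l/cheese.profile
+++ b/etc/profile-a-l/cheese.profile
@@ -19,7 +19,10 @@ include disable-xdg.inc
 
 whitelist ${VIDEOS}
 whitelist ${PICTURES}
+whitelist /usr/share/gnome-video-effects
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
@@ -43,5 +46,6 @@ private-cache
 private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0
 private-tmp
 
-dbus-user none
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
 dbus-system none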
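Review bot: The switch from `dbus-user none` to `dbus-user filter` plus `dbus-user.talk ca.desrt.dconf` in the second hunk widens the sandbox's session-bus access without recording why. Reaching the dconf service presumably lets the sandboxed process change settings that other applications read, so the trade-off deserves a one-line comment above the two directives, for example `# Allow dconf over the session bus (settings); revert to 'dbus-user none' if not needed`. If the reason is a specific breakage, naming it in that comment would let a later maintainer re-test and tighten the rule again.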
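--- a/etc/profile-a-l/chromium-browser.profile
+++ b/etc/profile-a-l/chromium-browser.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for chromium
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include chromium-browser.local
+
 # Redirect
 include chromium.profile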
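--- a/etc/profile-a-l/chromium-freeworld.profile
+++ b/etc/profile-a-l/chromium-freeworld.profile
@@ -1,5 +1,8 @@
 # Firejail profile for chromium-freeworld
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include chromium-freeworld.local
+
 # Redirect
 include chromium.profile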
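--- a/etc/profile-a-l/cinelerra.profile
+++ b/etc/profile-a-l/cinelerra.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for cin
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include cinelerra.local
+
 # Redirect
 include cin.profile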
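--- a/etc/profile-a-l/clamdscan.profile
+++ b/etc/profile-a-l/clamdscan.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for clamav
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include clamdscan.local
+
 # Redirect
 include clamav.profile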
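--- a/etc/profile-a-l/clamdtop.profile
+++ b/etc/profile-a-l/clamdtop.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for clamav
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include clamdtop.local
+
 # Redirect
 include clamav.profile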
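--- a/etc/profile-a-l/clamscan.profile
+++ b/etc/profile-a-l/clamscan.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for clamav
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include clamscan.local
+
 # Redirect
 include clamav.profile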
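--- a/etc/profile-a-l/clocks.profile
+++ b/etc/profile-a-l/clocks.profile
@@ -1,6 +1,9 @@
 # Firejail profile for gnome-clocks
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include clocks.local
+
 # Temporary fix for https://github.com/netblue30/firejail/issues/2624
 # Redirect
 include gnome-clocks.profile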
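--- a/etc/profile-a-l/com.gitlab.newsflash.profile
+++ b/etc/profile-a-l/com.gitlab.newsflash.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for newsflash
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include com.gitlab.newsflash.local
+
 # Redirect
 include newsflash.profile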
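--- /dev/null
+++ b/etc/profile-a-l/coyim.profile
@@ -0,0 +1,49 @@
+# Firejail profile for coyim
+# Description: GTK Jabber client written in Go
+# This file is overwritten after every install/update
+# Persistent local customizations
+include coyim.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/coyim
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/coyim
+whitelist ${HOME}/.config/coyim
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute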
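Review bot: The new profile ends with `#memory-deny-write-execute` commented out and no explanation, so a later maintainer cannot tell whether the option breaks coyim or was simply never tested. If it is known to break the client, say so on the line above it, e.g. `# memory-deny-write-execute breaks coyim (REASON - placeholder, fill in)`; otherwise enable it. As a point of style, the whitelist includes are ordered common, usr-share-common, runuser-common, var-common, while cheese.profile and gfeeds.profile in this same commit use common, runuser-common, usr-share-common, var-common.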
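--- a/etc/profile-a-l/crawl-tiles.profile
+++ b/etc/profile-a-l/crawl-tiles.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for crawl
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include crawl-titles.local
+
 ignore no3d
 
 # Redirect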
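--- a/etc/profile-a-l/cryptocat.profile
+++ b/etc/profile-a-l/cryptocat.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for Cryptocat
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include cryptocat.local
+
 # Redirect
 include Cryptocat.profile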
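--- a/etc/profile-a-l/dia.profile
+++ b/etc/profile-a-l/dia.profile
@@ -9,6 +9,7 @@ include globals.local
 noblacklist ${HOME}/.dia
 noblacklist ${DOCUMENTS}
 
+# Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
 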
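--- a/etc/profile-a-l/dooble-qt4.profile
+++ b/etc/profile-a-l/dooble-qt4.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for dooble
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include dooble-qt4.local
+
 # Redirect
 include dooble.profile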
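--- a/etc/profile-a-l/file-manager-common.profile
+++ b/etc/profile-a-l/file-manager-common.profile
@@ -15,7 +15,7 @@ ignore noexec ${HOME}
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
 
-# Allow perl
+# Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
 
 # Allow python (blacklisted by disable-interpreters.inc)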
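--- a/etc/profile-a-l/fluxbox.profile
+++ b/etc/profile-a-l/fluxbox.profile
@@ -6,7 +6,7 @@ include fluxbox.local
 # Persistent global definitions
 include globals.local
 
-# all applications started in awesome will run in this profile
+# all applications started in fluxbox will run in this profile
 noblacklist ${HOME}/.fluxbox
 include disable-common.inc
 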
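--- a/etc/profile-a-l/fractal.profile
+++ b/etc/profile-a-l/fractal.profile
@@ -8,6 +8,7 @@ include globals.local
 
 noblacklist ${HOME}/.cache/fractal
 
+# Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
 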
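--- a/etc/profile-a-l/freecadcmd.profile
+++ b/etc/profile-a-l/freecadcmd.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for freecad
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include freecadcms.local
+
 # Redirect
 include freecad.profile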
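--- a/etc/profile-a-l/freeciv-gtk3.profile
+++ b/etc/profile-a-l/freeciv-gtk3.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for freeciv
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include freeciv-gtk3.local
+
 # Redirect
 include freeciv.profile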
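--- a/etc/profile-a-l/freeciv-mp-gtk3.profile
+++ b/etc/profile-a-l/freeciv-mp-gtk3.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for freeciv
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include freeciv-mp-gtk3.local
+
 # Redirect
 include freeciv.profile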
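--- a/etc/profile-a-l/gajim-history-manager.profile
+++ b/etc/profile-a-l/gajim-history-manager.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for gajim-history-manager
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include gajim-history-manager.local
+
 # Redirect
 include gajim.profile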
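--- a/etc/profile-a-l/gfeeds.profile
+++ b/etc/profile-a-l/gfeeds.profile
@@ -9,6 +9,7 @@ include globals.local
 noblacklist ${HOME}/.cache/gfeeds
 noblacklist ${HOME}/.cache/org.gabmus.gfeeds
 noblacklist ${HOME}/.config/org.gabmus.gfeeds.json
+noblacklist ${HOME}/.config/org.gabmus.gfeeds.saved_articles
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
@@ -25,9 +26,11 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/gfeeds
 mkdir ${HOME}/.cache/org.gabmus.gfeeds
 mkfile ${HOME}/.config/org.gabmus.gfeeds.json
+mkdir ${HOME}/.config/org.gabmus.gfeeds.saved_articles
 whitelist ${HOME}/.cache/gfeeds
 whitelist ${HOME}/.cache/org.gabmus.gfeeds
 whitelist ${HOME}/.config/org.gabmus.gfeeds.json
+whitelist ${HOME}/.config/org.gabmus.gfeeds.saved_articles
 whitelist /usr/share/gfeeds
 include whitelist-common.inc
 include whitelist-runuser-common.inc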
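--- a/etc/profile-a-l/ghb.profile
+++ b/etc/profile-a-l/ghb.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for handbrake
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include ghb.local
+
 # Redirect
 include handbrake.profile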
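--- a/etc/profile-a-l/gimp-2.10.profile
+++ b/etc/profile-a-l/gimp-2.10.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for gimp
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include gimp-2.10.local
+
 # Redirect
 include gimp.profile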
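--- a/etc/profile-a-l/gimp-2.8.profile
+++ b/etc/profile-a-l/gimp-2.8.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for gimp
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include gimp-2.8.local
+
 # Redirect
 include gimp.profile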
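--- a/etc/profile-a-l/gnome-mpv.profile
+++ b/etc/profile-a-l/gnome-mpv.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for celluloid (formerly GNOME MPV)
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include gnome-mpv.local
+
 # Redirect
 include celluloid.profile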
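--- a/etc/profile-a-l/google-chrome-stable.profile
+++ b/etc/profile-a-l/google-chrome-stable.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for google-chrome
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include google-chrome-stable.local
+
 # Redirect
 include google-chrome.profile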
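--- a/etc/profile-a-l/google-earth-pro.profile
+++ b/etc/profile-a-l/google-earth-pro.profile
@@ -1,7 +1,30 @@
-# Firejail profile alias for google-earth
+# Firejail profile for google-earth-pro
 # This file is overwritten after every install/update
+# Persistent local customizations
+include google-earth-pro.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
 
-private-bin google-earth-pro
+# Google Earth Pro can show issues that make it unpleasant to use, even when running unsandboxed.
+# See https://wiki.archlinux.org/index.php/Google_Earth#Troubleshooting for details.
+# Firejailing this application will demand extra work, as there are issues only upstream can fix (see #3906).
+# As an alternative one could use the web version: https://earth.google.com/web/.
+# The desktop version from the AUR can be made to work with firejail by appending the below snippet
+# to /usr/bin/googleearth-pro:
+# <--- snippet --->
+# Post-shutdown cleaning
+#_lock_app_running="${HOME}/.googleearth/instance-running-lock"
+#[[ -L "$_lock_app_running" ]] && rm -f "${_lock_app_running:?}"
+#_lock_collada_cache="/tmp/geColladaModelCacheLock"
+#[[ -e "$_lock_collada_cache" ]] && rm -f "${_lock_collada_cache:?}"
+#_lock_icon_cache="/tmp/geIconCacheLock"
+#[[ -e "$_lock_icon_cache" ]] && rm -f "${_lock_icon_cache:?}"
+# <--- end of snippet --->
+
+# If you see errors about missing commands, uncomment the below or put 'ignore private-bin' into your google-earth-pro.local
+#ignore private-bin
+private-bin google-earth-pro,googleearth,googleearth-bin,gpsbabel,readlink,repair_tool,rm,which,xdg-mime,xdg-settings
 
 # Redirect
 include google-earth.profile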
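Review bot: The commented snippet at new lines 13–23 tells the user to append cleanup code to /usr/bin/googleearth-pro, but it does not say that this launcher is a packaged file, so the edit will presumably be lost on the next package update and the stale lock files will come back. The `private-bin` list at new line 27 also grows from one entry to ten, including `rm`, `readlink` and `which`, apparently for that wrapper script; a comment saying which entries exist only for the wrapper would let users trim the list. Suggest adding `# NOTE: package updates replace /usr/bin/googleearth-pro; re-apply the snippet afterwards` above the snippet and `# readlink,rm,which are needed by the launcher script` above the `private-bin` line, after confirming which binaries the launcher really calls.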
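--- a/etc/profile-a-l/google-earth.profile
+++ b/etc/profile-a-l/google-earth.profile
@@ -6,10 +6,7 @@ include google-earth.local
 include globals.local
 
 noblacklist ${HOME}/.config/Google
-noblacklist ${HOME}/.googleearth/Cache
-noblacklist ${HOME}/.googleearth/Temp
-noblacklist ${HOME}/.googleearth/myplaces.backup.kml
-noblacklist ${HOME}/.googleearth/myplaces.kml
+noblacklist ${HOME}/.googleearth
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,15 +16,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.config/Google
-mkdir ${HOME}/.googleearth/Cache
-mkdir ${HOME}/.googleearth/Temp
-mkfile ${HOME}/.googleearth/myplaces.backup.kml
-mkfile ${HOME}/.googleearth/myplaces.kml
+mkdir ${HOME}/.googleearth
 whitelist ${HOME}/.config/Google
-whitelist ${HOME}/.googleearth/Cache
-whitelist ${HOME}/.googleearth/Temp
-whitelist ${HOME}/.googleearth/myplaces.backup.kml
-whitelist ${HOME}/.googleearth/myplaces.kml
+whitelist ${HOME}/.googleearth
 include whitelist-common.inc
 
 caps.drop all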
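Review bot: The `whitelist ${HOME}/.googleearth` at new line 21 (with the matching `noblacklist` at new line 9 and `mkdir` at new line 19) widens the grant from four named paths to the whole directory, and nothing in the profile records why the narrower list was not enough. The google-earth-pro profile in this same commit mentions `${HOME}/.googleearth/instance-running-lock`, so files kept directly in that directory are probably the reason, but that is inferred. A one-line comment above the `noblacklist` would keep a later reviewer from either narrowing it again or treating it as an oversight, for example `# The application keeps lock and state files directly in ~/.googleearth, so the whole directory is needed`. Both hunks of this section continue outside the lines shown.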
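--- a/etc/profile-a-l/gtar.profile
+++ b/etc/profile-a-l/gtar.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for tar
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include gtar.local
+
 # Redirect
 include tar.profile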
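--- a/etc/profile-a-l/gummi.profile
+++ b/etc/profile-a-l/gummi.profile
@@ -8,8 +8,13 @@ include globals.local
 noblacklist ${HOME}/.cache/gummi
 noblacklist ${HOME}/.config/gummi
 
+# Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
+
+# Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
 
 private-bin dvipdf,dvips,env,gummi,latex,latexmk,lua*,pdflatex,pdftex,perl,ps2pdf,python3*,rubber,synctex,tex,xelatex,xetex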
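--- /dev/null
+++ b/etc/profile-a-l/guvcview.profile
@@ -0,0 +1,55 @@
+# Firejail profile for guvcview
+# Description: GTK+ base UVC Viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include guvcview.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/guvcview2
+
+noblacklist ${PICTURES}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/guvcview2
+whitelist ${HOME}/.config/guvcview2
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin guvcview
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,dconf,drirc,fonts,glvnd,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nvidia,pango,pulse,X11
+private-tmp
+
+dbus-user none
+dbus-system none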
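Review bot: The `nogroups` at new line 36 drops the user's supplementary groups, which may block the camera on systems where access to /dev/video* comes from membership in the `video` group rather than from session ACLs. That is the device this viewer exists to open, and the profile says nothing about the interaction. A user who hits it is likely to disable the whole profile instead of the one option, so a hint next to the line is worth having, for example `# nogroups can break camera access where /dev/video* is granted via the video group; put 'ignore nogroups' into guvcview.local if so`. Whether this applies depends on the distribution's device permissions, which the page does not show.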
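--- a/etc/profile-a-l/handbrake-gtk.profile
+++ b/etc/profile-a-l/handbrake-gtk.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for handbrake
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include handbrake-gtk.local
+
 # Redirect
 include handbrake.profile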
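--- a/etc/profile-a-l/hexchat.profile
+++ b/etc/profile-a-l/hexchat.profile
@@ -8,13 +8,13 @@ include globals.local
 
 noblacklist ${HOME}/.config/hexchat
 
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
 
-# Allow perl (blacklisted by disable-interpreters.inc)
-include allow-perl.inc
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc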
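--- a/etc/profile-a-l/i3.profile
+++ b/etc/profile-a-l/i3.profile
@@ -6,7 +6,7 @@ include i3.local
 # Persistent global definitions
 include globals.local
 
-# all applications started in awesome will run in this profile
+# all applications started in i3 will run in this profile
 noblacklist ${HOME}/.config/i3
 include disable-common.inc
 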
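--- a/etc/profile-a-l/iridium-browser.profile
+++ b/etc/profile-a-l/iridium-browser.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for iridium
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include iridium-browser.local
+
 # Redirect
 include iridium.profile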
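--- a/etc/profile-a-l/jumpnbump-menu.profile
+++ b/etc/profile-a-l/jumpnbump-menu.profile
@@ -7,6 +7,7 @@ include jumpnbump-menu.local
 # added by included profile
 #include globals.local
 
+# Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
 
 private-bin jumpnbump-menu,python3*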
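--- a/etc/profile-a-l/kalgebramobile.profile
+++ b/etc/profile-a-l/kalgebramobile.profile
@@ -1,5 +1,8 @@
 # Firejail profile for kalgebramobile
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include kalgebramobile.local
+
 # Redirect
 include kalgebra.profile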
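--- a/etc/profile-a-l/karbon.profile
+++ b/etc/profile-a-l/karbon.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for krita
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include karbon.local
+
 noblacklist ${HOME}/.local/share/kxmlgui5/karbon
 
 # Redirect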
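--- a/etc/profile-a-l/kazam.profile
+++ b/etc/profile-a-l/kazam.profile
@@ -12,6 +12,7 @@ noblacklist ${PICTURES}
 noblacklist ${VIDEOS}
 noblacklist ${HOME}/.config/kazam
 
+# Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
 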
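--- /dev/null
+++ b/etc/profile-a-l/kdiff3.profile
@@ -0,0 +1,52 @@
+# Firejail profile for kdiff3
+# Description: KDiff3 is a file and folder diff and merge tool.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kdiff3.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/kdiff3fileitemactionrc
+noblacklist ${HOME}/.config/kdiff3rc
+
+# Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in disable-common.inc.
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in disable-programs.inc.
+#include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+# Uncomment the next lines (or put it into your kdiff3.local) if you don't need to compare files in /usr/share.
+#include whitelist-usr-share-common.inc
+# Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in /var.
+#include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin kdiff3
+private-cache
+private-dev
+
+dbus-user none
+dbus-system none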
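Review bot: The profile ships with `#include disable-common.inc` (new line 13) and `#include disable-programs.inc` (new line 19) commented out and has no home-directory whitelist, so by default kdiff3 can read and write every path those two includes would otherwise blacklist. The per-line comments explain how to opt in, but nothing states that the default is the permissive one or that containment then rests on `net none`, `dbus-user none` and `dbus-system none`. Suggest a short header note such as `# NOTE: disable-common.inc and disable-programs.inc are off by default so arbitrary files can be compared; enable them in kdiff3.local if you only diff ordinary documents`. The comment at new line 24 also says "next lines" although only one include follows.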
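--- a/etc/profile-a-l/keepass2.profile
+++ b/etc/profile-a-l/keepass2.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for keepass
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include keepass2.local
+
 # Redirect
 include keepass.profile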
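--- a/etc/profile-a-l/keepassx2.profile
+++ b/etc/profile-a-l/keepassx2.profile
@@ -2,5 +2,8 @@
 # Description: Cross platform password manager
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include keepassx2.local
+
 # Redirects
 include keepassx.profile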
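--- a/etc/profile-a-l/klatexformula_cmdl.profile
+++ b/etc/profile-a-l/klatexformula_cmdl.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for klatexformula_cmdl
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include klatexformula_cmdl.local
+
 # Redirect
 include klatexformula.profile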
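--- a/etc/profile-a-l/krunner.profile
+++ b/etc/profile-a-l/krunner.profile
@@ -6,9 +6,9 @@ include krunner.local
 # Persistent global definitions
 include globals.local
 
-# - programs started in krunner run with this generic profile.
+# - programs started in krunner run with this generic profile
 # - when a file is opened in krunner, the file viewer runs in its own sandbox
-# with its own profile, if it is sandboxed automatically.
+# with its own profile, if it is sandboxed automatically
 
 # noblacklist ${HOME}/.cache/krunner
 # noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*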
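--- a/etc/profile-a-l/lbunzip2.profile
+++ b/etc/profile-a-l/lbunzip2.profile
@@ -2,5 +2,8 @@
 # Description: GNU compression utilities
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include lbunzip2.local
+
 # Redirect
 include gzip.profile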
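--- a/etc/profile-a-l/lbzcat.profile
+++ b/etc/profile-a-l/lbzcat.profile
@@ -2,5 +2,8 @@
 # Description: GNU compression utilities
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include lbzcat.local
+
 # Redirect
 include gzip.profile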
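--- a/etc/profile-a-l/lbzip2.profile
+++ b/etc/profile-a-l/lbzip2.profile
@@ -2,5 +2,8 @@
 # Description: GNU compression utilities
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include lbzip2.local
+
 # Redirect
 include gzip.profile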
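--- a/etc/profile-a-l/lobase.profile
+++ b/etc/profile-a-l/lobase.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include lobase.local
+
 # Redirect
 include libreoffice.profile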
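--- a/etc/profile-a-l/localc.profile
+++ b/etc/profile-a-l/localc.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include localc.local
+
 # Redirect
 include libreoffice.profile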
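--- a/etc/profile-a-l/lodraw.profile
+++ b/etc/profile-a-l/lodraw.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include lodraw.local
+
 # Redirect
 include libreoffice.profile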
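--- a/etc/profile-a-l/loffice.profile
+++ b/etc/profile-a-l/loffice.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include loffice.local
+
 # Redirect
 include libreoffice.profile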
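--- a/etc/profile-a-l/lofromtemplate.profile
+++ b/etc/profile-a-l/lofromtemplate.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include lofromtemplate.local
+
 # Redirect
 include libreoffice.profile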
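--- a/etc/profile-a-l/loimpress.profile
+++ b/etc/profile-a-l/loimpress.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include loimpress.local
+
 # Redirect
 include libreoffice.profile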
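--- a/etc/profile-a-l/lomath.profile
+++ b/etc/profile-a-l/lomath.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include lomath.local
+
 # Redirect
 include libreoffice.profile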
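--- a/etc/profile-a-l/loweb.profile
+++ b/etc/profile-a-l/loweb.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include loweb.local
+
 # Redirect
 include libreoffice.profile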
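--- a/etc/profile-a-l/lowriter.profile
+++ b/etc/profile-a-l/lowriter.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include lowriter.local
+
 # Redirect
 include libreoffice.profile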
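--- /dev/null
+++ b/etc/profile-a-l/lsar.profile
@@ -0,0 +1,13 @@
+# Firejail profile for lsar
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lsar.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin lsar
+
+# Redirect
+include ar.profile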
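--- a/etc/profile-a-l/lyx.profile
+++ b/etc/profile-a-l/lyx.profile
@@ -11,8 +11,13 @@ ignore private-tmp
 noblacklist ${HOME}/.config/LyX
 noblacklist ${HOME}/.lyx
 
+# Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
+
+# Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
 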
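--- a/etc/profile-a-l/lzcat.profile
+++ b/etc/profile-a-l/lzcat.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
 
+# Persistent local customizations
+include lzcat.local
+
 # Redirect
 include cpio.profile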
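--- a/etc/profile-a-l/lzcmp.profile
+++ b/etc/profile-a-l/lzcmp.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
 
+# Persistent local customizations
+include lzcmp.local
+
 # Redirect
 include cpio.profile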
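--- a/etc/profile-a-l/lzdiff.profile
+++ b/etc/profile-a-l/lzdiff.profile
@@ -2,5 +2,8 @@
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include lzdiff.local
+
 # Redirect
 include cpio.profile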
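--- a/etc/profile-a-l/lzegrep.profile
+++ b/etc/profile-a-l/lzegrep.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
 
+# Persistent local customizations
+include lzegrep.local
+
 # Redirect
 include cpio.profile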
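--- a/etc/profile-a-l/lzfgrep.profile
+++ b/etc/profile-a-l/lzfgrep.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
 
+# Persistent local customizations
+include lzfgrep.local
+
 # Redirect
 include cpio.profile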
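--- a/etc/profile-a-l/lzgrep.profile
+++ b/etc/profile-a-l/lzgrep.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
 
+# Persistent local customizations
+include lzgrep.local
+
 # Redirect
 include cpio.profile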
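--- a/etc/profile-a-l/lzip.profile
+++ b/etc/profile-a-l/lzip.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
 
+# Persistent local customizations
+include lzip.local
+
 # Redirect
 include cpio.profile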
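--- a/etc/profile-a-l/lzless.profile
+++ b/etc/profile-a-l/lzless.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
 
+# Persistent local customizations
+include lzless.local
+
 # Redirect
 include cpio.profile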
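--- a/etc/profile-a-l/lzma.profile
+++ b/etc/profile-a-l/lzma.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
 
+# Persistent local customizations
+include lzma.local
+
 # Redirect
 include cpio.profile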
diff --git a/etc/profile-a-l/lzmadec.profile b/etc/profile-a-l/lzmadec.profile index 0c5ec1b09..b82ce69ae 100644 --- a/etc/profile-a-l/lzmadec.profile +++ b/etc/profile-a-l/lzmadec.profile | |||
@@ -2,5 +2,8 @@ | |||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | 2 | # Description: Library and command line tools for XZ and LZMA compressed files |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | 4 | ||
5 | # Persistent local customizations | ||
6 | include lzmadec.local | ||
7 | |||
5 | # Redirect | 8 | # Redirect |
6 | include xzdec.profile | 9 | include xzdec.profile |
diff --git a/etc/profile-a-l/lzmainfo.profile b/etc/profile-a-l/lzmainfo.profile index d9c72407f..0ab98429e 100644 --- a/etc/profile-a-l/lzmainfo.profile +++ b/etc/profile-a-l/lzmainfo.profile | |||
@@ -3,5 +3,8 @@ | |||
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | 5 | ||
6 | # Persistent local customizations | ||
7 | include lzmainfo.local | ||
8 | |||
6 | # Redirect | 9 | # Redirect |
7 | include cpio.profile | 10 | include cpio.profile |
diff --git a/etc/profile-a-l/lzmore.profile b/etc/profile-a-l/lzmore.profile index d9c72407f..df1867da0 100644 --- a/etc/profile-a-l/lzmore.profile +++ b/etc/profile-a-l/lzmore.profile | |||
@@ -3,5 +3,8 @@ | |||
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | 5 | ||
6 | # Persistent local customizations | ||
7 | include lzmore.local | ||
8 | |||
6 | # Redirect | 9 | # Redirect |
7 | include cpio.profile | 10 | include cpio.profile |
diff --git a/etc/profile-m-z/Maps.profile b/etc/profile-m-z/Maps.profile index c52d2f2da..109ce6859 100644 --- a/etc/profile-m-z/Maps.profile +++ b/etc/profile-m-z/Maps.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile for gnome-maps | 1 | # Firejail profile for gnome-maps |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent local customizations | ||
5 | include Maps.local | ||
6 | |||
4 | # Temporary fix for https://github.com/netblue30/firejail/issues/2624 | 7 | # Temporary fix for https://github.com/netblue30/firejail/issues/2624 |
5 | # Redirect | 8 | # Redirect |
6 | include gnome-maps.profile | 9 | include gnome-maps.profile |
diff --git a/etc/profile-m-z/Natron.profile b/etc/profile-m-z/Natron.profile index 42c22bf67..7923d01a7 100644 --- a/etc/profile-m-z/Natron.profile +++ b/etc/profile-m-z/Natron.profile | |||
@@ -1,5 +1,8 @@ | |||
1 | # Firejail profile alias for natron | 1 | # Firejail profile alias for natron |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent local customizations | ||
5 | include Natron.local | ||
6 | |||
4 | # Redirect | 7 | # Redirect |
5 | include natron.profile | 8 | include natron.profile |
diff --git a/etc/profile-m-z/Screenshot.profile b/etc/profile-m-z/Screenshot.profile index d4b083736..787ce8494 100644 --- a/etc/profile-m-z/Screenshot.profile +++ b/etc/profile-m-z/Screenshot.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile for gnome-screenshot | 1 | # Firejail profile for gnome-screenshot |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent local customizations | ||
5 | include Screenshot.local | ||
6 | |||
4 | # Temporary fix for https://github.com/netblue30/firejail/issues/2624 | 7 | # Temporary fix for https://github.com/netblue30/firejail/issues/2624 |
5 | # Redirect | 8 | # Redirect |
6 | include gnome-screenshot.profile | 9 | include gnome-screenshot.profile |
diff --git a/etc/profile-m-z/Telegram.profile b/etc/profile-m-z/Telegram.profile index 310e0237e..7600b1aa6 100644 --- a/etc/profile-m-z/Telegram.profile +++ b/etc/profile-m-z/Telegram.profile | |||
@@ -1,5 +1,8 @@ | |||
1 | # Firejail profile alias for telegram | 1 | # Firejail profile alias for telegram |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent local customizations | ||
5 | include Telegram.local | ||
6 | |||
4 | # Redirect | 7 | # Redirect |
5 | include telegram.profile | 8 | include telegram.profile |
diff --git a/etc/profile-m-z/VirtualBox.profile b/etc/profile-m-z/VirtualBox.profile index 4c99ae9a3..4384b7647 100644 --- a/etc/profile-m-z/VirtualBox.profile +++ b/etc/profile-m-z/VirtualBox.profile | |||
@@ -2,5 +2,8 @@ | |||
2 | # Description: x86 virtualization solution | 2 | # Description: x86 virtualization solution |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | 4 | ||
5 | # Persistent local customizations | ||
6 | include VirtualBox.local | ||
7 | |||
5 | # Redirect | 8 | # Redirect |
6 | include virtualbox.profile | 9 | include virtualbox.profile |
diff --git a/etc/profile-m-z/mate-calculator.profile b/etc/profile-m-z/mate-calculator.profile index bb438f5f0..e8320df63 100644 --- a/etc/profile-m-z/mate-calculator.profile +++ b/etc/profile-m-z/mate-calculator.profile | |||
@@ -1,5 +1,8 @@ | |||
1 | # Firejail profile alias for mate-calc | 1 | # Firejail profile alias for mate-calc |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent local customizations | ||
5 | include mate-calculator.local | ||
6 | |||
4 | # Redirect | 7 | # Redirect |
5 | include mate-calc.profile | 8 | include mate-calc.profile |
diff --git a/etc/profile-m-z/mathematica.profile b/etc/profile-m-z/mathematica.profile index 964060350..cee16eedc 100644 --- a/etc/profile-m-z/mathematica.profile +++ b/etc/profile-m-z/mathematica.profile | |||
@@ -1,5 +1,8 @@ | |||
1 | # Firejail profile alias for Mathematica | 1 | # Firejail profile alias for Mathematica |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent local customizations | ||
5 | include mathematica.local | ||
6 | |||
4 | # Redirect | 7 | # Redirect |
5 | include Mathematica.profile | 8 | include Mathematica.profile |
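--- /dev/null
+++ b/etc/profile-m-z/mdr.profile
@@ -0,0 +1,55 @@
+# Firejail profile for mdr
+# Description: A standalone Markdown renderer for the terminal
+# Persistent local customizations
+include mdr.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+hostname mdr
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin mdr
+private-cache
+private-dev
+private-etc none
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute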
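Review bot: This new profile leaves out the `# This file is overwritten after every install/update` line that the other profiles in this commit carry right after the description. Without it, someone tightening or loosening the sandbox by editing the file in place gets no hint that the change will be lost and belongs in `mdr.local`. Add it as the third line, directly before `# Persistent local customizations`. A short comment above `whitelist ${DOWNLOADS}` saying that only files under the downloads directory are meant to be readable would also document the intended scope.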
diff --git a/etc/profile-m-z/megaglest_editor.profile b/etc/profile-m-z/megaglest_editor.profile index 02aad8084..304285915 100644 --- a/etc/profile-m-z/megaglest_editor.profile +++ b/etc/profile-m-z/megaglest_editor.profile | |||
@@ -1,5 +1,8 @@ | |||
1 | # Firejail profile alias for megaglest | 1 | # Firejail profile alias for megaglest |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent local customizations | ||
5 | include megaglest_editor.local | ||
6 | |||
4 | # Redirect | 7 | # Redirect |
5 | include megaglest.profile | 8 | include megaglest.profile |
diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile index a5c74047a..d76522fce 100644 --- a/etc/profile-m-z/meld.profile +++ b/etc/profile-m-z/meld.profile | |||
@@ -6,11 +6,11 @@ include meld.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # If you want to use meld as git-mergetool (and maybe some other VCS integrations) you need | 9 | # If you want to use meld as git mergetool (and maybe some other VCS integrations) you need |
10 | # to bypass firejail, you can do this by removing the symlink or calling it by its absolute path | 10 | # to bypass firejail, you can do this by removing the symlink or calling it by its absolute path |
11 | # Removing the symlink: | 11 | # Removing the symlink: |
12 | # sudo rm /usr/local/bin/meld | 12 | # sudo rm /usr/local/bin/meld |
13 | # Calling by its absolute path (example for git-mergetool): | 13 | # Calling it by its absolute path (example for git mergetool): |
14 | # git config --global mergetool.meld.cmd /usr/bin/meld | 14 | # git config --global mergetool.meld.cmd /usr/bin/meld |
15 | 15 | ||
16 | noblacklist ${HOME}/.config/meld | 16 | noblacklist ${HOME}/.config/meld |
@@ -21,10 +21,9 @@ noblacklist ${HOME}/.local/share/meld | |||
21 | noblacklist ${HOME}/.subversion | 21 | noblacklist ${HOME}/.subversion |
22 | 22 | ||
23 | # Allow python (blacklisted by disable-interpreters.inc) | 23 | # Allow python (blacklisted by disable-interpreters.inc) |
24 | include allow-python3.inc | ||
25 | |||
26 | # Python 2 is EOL (see #3164). Uncomment the next line (or put it into your meld.local) if you understand the risks but want python 2 support for older meld versions. | 24 | # Python 2 is EOL (see #3164). Uncomment the next line (or put it into your meld.local) if you understand the risks but want python 2 support for older meld versions. |
27 | #include allow-python2.inc | 25 | #include allow-python2.inc |
26 | include allow-python3.inc | ||
28 | 27 | ||
29 | # Allow ssh (blacklisted by disable-common.inc) | 28 | # Allow ssh (blacklisted by disable-common.inc) |
30 | include allow-ssh.inc | 29 | include allow-ssh.inc |
diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile index 8a98209a2..e29e4bc70 100644 --- a/etc/profile-m-z/menulibre.profile +++ b/etc/profile-m-z/menulibre.profile | |||
@@ -6,6 +6,7 @@ include menulibre.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Allow python (blacklisted by disable-interpreters.inc) | ||
9 | include allow-python2.inc | 10 | include allow-python2.inc |
10 | include allow-python3.inc | 11 | include allow-python3.inc |
11 | 12 | ||
diff --git a/etc/profile-m-z/mirage.profile b/etc/profile-m-z/mirage.profile index 7130267e8..e0ebb4895 100644 --- a/etc/profile-m-z/mirage.profile +++ b/etc/profile-m-z/mirage.profile | |||
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.config/mirage | |||
11 | noblacklist ${HOME}/.local/share/mirage | 11 | noblacklist ${HOME}/.local/share/mirage |
12 | noblacklist /sbin | 12 | noblacklist /sbin |
13 | 13 | ||
14 | # Allow python (blacklisted by disable-interpreters.inc) | ||
14 | include allow-python2.inc | 15 | include allow-python2.inc |
15 | include allow-python3.inc | 16 | include allow-python3.inc |
16 | 17 | ||
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile index 1d87eeb48..1804389c3 100644 --- a/etc/profile-m-z/mpv.profile +++ b/etc/profile-m-z/mpv.profile | |||
@@ -21,7 +21,7 @@ include globals.local | |||
21 | # - ... | 21 | # - ... |
22 | # | 22 | # |
23 | # Often these scripts require a shell: | 23 | # Often these scripts require a shell: |
24 | #noblacklist ${PATH}/sh | 24 | #include allow-bin-sh.inc |
25 | #private-bin sh | 25 | #private-bin sh |
26 | 26 | ||
27 | noblacklist ${HOME}/.config/mpv | 27 | noblacklist ${HOME}/.config/mpv |
@@ -30,6 +30,7 @@ noblacklist ${HOME}/.netrc | |||
30 | 30 | ||
31 | # Allow lua (blacklisted by disable-interpreters.inc) | 31 | # Allow lua (blacklisted by disable-interpreters.inc) |
32 | include allow-lua.inc | 32 | include allow-lua.inc |
33 | |||
33 | # Allow python (blacklisted by disable-interpreters.inc) | 34 | # Allow python (blacklisted by disable-interpreters.inc) |
34 | include allow-python2.inc | 35 | include allow-python2.inc |
35 | include allow-python3.inc | 36 | include allow-python3.inc |
diff --git a/etc/profile-m-z/multimc.profile b/etc/profile-m-z/multimc.profile index 338f494c9..bd9e3adce 100644 --- a/etc/profile-m-z/multimc.profile +++ b/etc/profile-m-z/multimc.profile | |||
@@ -1,5 +1,8 @@ | |||
1 | # Firejail profile alias for multimc5 | 1 | # Firejail profile alias for multimc5 |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent local customizations | ||
5 | include multimc.local | ||
6 | |||
4 | # Redirect | 7 | # Redirect |
5 | include multimc5.profile | 8 | include multimc5.profile |
diff --git a/etc/profile-m-z/mypaint-ora-thumbnailer.profile b/etc/profile-m-z/mypaint-ora-thumbnailer.profile index 59b3024ed..66500048e 100644 --- a/etc/profile-m-z/mypaint-ora-thumbnailer.profile +++ b/etc/profile-m-z/mypaint-ora-thumbnailer.profile | |||
@@ -1,5 +1,8 @@ | |||
1 | # Firejail profile alias for mypaint-ora-thumbnailer | 1 | # Firejail profile alias for mypaint-ora-thumbnailer |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent local customizations | ||
5 | include mypaint-ora-thumbnailer.local | ||
6 | |||
4 | # Redirect | 7 | # Redirect |
5 | include mypaint.profile | 8 | include mypaint.profile |
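--- a/etc/profile-m-z/newsboat.profile
+++ b/etc/profile-m-z/newsboat.profile
@@ -38,10 +38,10 @@ seccomp
 shell none
 
 disable-mnt
-private-bin newsboat
+private-bin gzip,lynx,newsboat,sh
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,terminfo
+private-etc alternatives,ca-certificates,crypto-policies,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo
 private-tmp
 
 dbus-user none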
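Review bot: The new `private-bin gzip,lynx,newsboat,sh` line adds a shell and a second network-capable program to a sandbox that previously held only `newsboat`, and nothing in the hunk says why. A one-line comment above it, such as `# lynx/sh/gzip: used for rendering articles (confirm which feature needs each)`, would let a later reviewer judge whether `sh` can be dropped again. The profile starts outside this hunk, so it is not visible whether `disable-shell.inc` is included; if it is, `sh` stays blacklisted unless `include allow-bin-sh.inc` (used in nodejs-common.profile in this same commit) is added as well.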
diff --git a/etc/profile-m-z/nicotine.profile b/etc/profile-m-z/nicotine.profile index 6c363345e..3bf32a3db 100644 --- a/etc/profile-m-z/nicotine.profile +++ b/etc/profile-m-z/nicotine.profile | |||
@@ -8,6 +8,7 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.nicotine | 9 | noblacklist ${HOME}/.nicotine |
10 | 10 | ||
11 | # Allow python (blacklisted by disable-interpreters.inc) | ||
11 | include allow-python2.inc | 12 | include allow-python2.inc |
12 | 13 | ||
13 | include disable-common.inc | 14 | include disable-common.inc |
diff --git a/etc/profile-m-z/nitroshare-cli.profile b/etc/profile-m-z/nitroshare-cli.profile index d9cb2edc5..6e73afe9e 100644 --- a/etc/profile-m-z/nitroshare-cli.profile +++ b/etc/profile-m-z/nitroshare-cli.profile | |||
@@ -2,5 +2,8 @@ | |||
2 | # Description: Network File Transfer Application | 2 | # Description: Network File Transfer Application |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | 4 | ||
5 | # Persistent local customizations | ||
6 | include nitroshare-cli.local | ||
7 | |||
5 | # Redirect | 8 | # Redirect |
6 | include nitroshare.profile | 9 | include nitroshare.profile |
diff --git a/etc/profile-m-z/nitroshare-nmh.profile b/etc/profile-m-z/nitroshare-nmh.profile index d9cb2edc5..bda2c193d 100644 --- a/etc/profile-m-z/nitroshare-nmh.profile +++ b/etc/profile-m-z/nitroshare-nmh.profile | |||
@@ -2,5 +2,8 @@ | |||
2 | # Description: Network File Transfer Application | 2 | # Description: Network File Transfer Application |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | 4 | ||
5 | # Persistent local customizations | ||
6 | include nitroshare-nmh.local | ||
7 | |||
5 | # Redirect | 8 | # Redirect |
6 | include nitroshare.profile | 9 | include nitroshare.profile |
diff --git a/etc/profile-m-z/nitroshare-send.profile b/etc/profile-m-z/nitroshare-send.profile index d9cb2edc5..659742469 100644 --- a/etc/profile-m-z/nitroshare-send.profile +++ b/etc/profile-m-z/nitroshare-send.profile | |||
@@ -2,5 +2,8 @@ | |||
2 | # Description: Network File Transfer Application | 2 | # Description: Network File Transfer Application |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | 4 | ||
5 | # Persistent local customizations | ||
6 | include nitroshare-send.local | ||
7 | |||
5 | # Redirect | 8 | # Redirect |
6 | include nitroshare.profile | 9 | include nitroshare.profile |
diff --git a/etc/profile-m-z/nitroshare-ui.profile b/etc/profile-m-z/nitroshare-ui.profile index d9cb2edc5..ccda2b58b 100644 --- a/etc/profile-m-z/nitroshare-ui.profile +++ b/etc/profile-m-z/nitroshare-ui.profile | |||
@@ -2,5 +2,8 @@ | |||
2 | # Description: Network File Transfer Application | 2 | # Description: Network File Transfer Application |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | 4 | ||
5 | # Persistent local customizations | ||
6 | include nitroshare-ui.local | ||
7 | |||
5 | # Redirect | 8 | # Redirect |
6 | include nitroshare.profile | 9 | include nitroshare.profile |
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile index acef622c2..c12fc9a78 100644 --- a/etc/profile-m-z/nodejs-common.profile +++ b/etc/profile-m-z/nodejs-common.profile | |||
@@ -12,9 +12,7 @@ blacklist ${RUNUSER} | |||
12 | 12 | ||
13 | ignore noexec ${HOME} | 13 | ignore noexec ${HOME} |
14 | 14 | ||
15 | noblacklist ${PATH}/bash | 15 | include allow-bin-sh.inc |
16 | noblacklist ${PATH}/dash | ||
17 | noblacklist ${PATH}/sh | ||
18 | 16 | ||
19 | include disable-common.inc | 17 | include disable-common.inc |
20 | include disable-exec.inc | 18 | include disable-exec.inc |
diff --git a/etc/profile-m-z/onboard.profile b/etc/profile-m-z/onboard.profile index f7cb8790b..152bd7ac5 100644 --- a/etc/profile-m-z/onboard.profile +++ b/etc/profile-m-z/onboard.profile | |||
@@ -8,6 +8,7 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.config/onboard | 9 | noblacklist ${HOME}/.config/onboard |
10 | 10 | ||
11 | # Allow python (blacklisted by disable-interpreters.inc) | ||
11 | include allow-python2.inc | 12 | include allow-python2.inc |
12 | include allow-python3.inc | 13 | include allow-python3.inc |
13 | 14 | ||
diff --git a/etc/profile-m-z/ooffice.profile b/etc/profile-m-z/ooffice.profile index 8348a57fe..ba8bdae01 100644 --- a/etc/profile-m-z/ooffice.profile +++ b/etc/profile-m-z/ooffice.profile | |||
@@ -1,5 +1,8 @@ | |||
1 | # Firejail profile alias for libreoffice | 1 | # Firejail profile alias for libreoffice |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent local customizations | ||
5 | include ooffice.local | ||
6 | |||
4 | # Redirect | 7 | # Redirect |
5 | include libreoffice.profile | 8 | include libreoffice.profile |
diff --git a/etc/profile-m-z/ooviewdoc.profile b/etc/profile-m-z/ooviewdoc.profile index 8348a57fe..4a9f434f7 100644 --- a/etc/profile-m-z/ooviewdoc.profile +++ b/etc/profile-m-z/ooviewdoc.profile | |||
@@ -1,5 +1,8 @@ | |||
1 | # Firejail profile alias for libreoffice | 1 | # Firejail profile alias for libreoffice |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent local customizations | ||
5 | include ooviewdoc.local | ||
6 | |||
4 | # Redirect | 7 | # Redirect |
5 | include libreoffice.profile | 8 | include libreoffice.profile |
diff --git a/etc/profile-m-z/openarena_ded.profile b/etc/profile-m-z/openarena_ded.profile index c529e7e11..f8dbf792d 100644 --- a/etc/profile-m-z/openarena_ded.profile +++ b/etc/profile-m-z/openarena_ded.profile | |||
@@ -1,5 +1,8 @@ | |||
1 | # Firejail profile alias for openarena | 1 | # Firejail profile alias for openarena |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent local customizations | ||
5 | include openarena_ded.local | ||
6 | |||
4 | # Redirect | 7 | # Redirect |
5 | include openarena.profile | 8 | include openarena.profile |
diff --git a/etc/profile-m-z/openbox.profile b/etc/profile-m-z/openbox.profile index 1fb93c79c..b49fd9932 100644 --- a/etc/profile-m-z/openbox.profile +++ b/etc/profile-m-z/openbox.profile | |||
@@ -6,7 +6,7 @@ include openbox.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # all applications started in OpenBox will run in this profile | 9 | # all applications started in openbox will run in this profile |
10 | noblacklist ${HOME}/.config/openbox | 10 | noblacklist ${HOME}/.config/openbox |
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | 12 | ||
diff --git a/etc/profile-m-z/openoffice.org.profile b/etc/profile-m-z/openoffice.org.profile index 8348a57fe..189867742 100644 --- a/etc/profile-m-z/openoffice.org.profile +++ b/etc/profile-m-z/openoffice.org.profile | |||
@@ -1,5 +1,8 @@ | |||
1 | # Firejail profile alias for libreoffice | 1 | # Firejail profile alias for libreoffice |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent local customizations | ||
5 | include openoffice.org.local | ||
6 | |||
4 | # Redirect | 7 | # Redirect |
5 | include libreoffice.profile | 8 | include libreoffice.profile |
diff --git a/etc/profile-m-z/openshot-qt.profile b/etc/profile-m-z/openshot-qt.profile index 2f886d2ac..833a375f6 100644 --- a/etc/profile-m-z/openshot-qt.profile +++ b/etc/profile-m-z/openshot-qt.profile | |||
@@ -1,5 +1,8 @@ | |||
1 | # Firejail profile alias for openshot | 1 | # Firejail profile alias for openshot |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent local customizations | ||
5 | include openshot-qt.local | ||
6 | |||
4 | # Redirect | 7 | # Redirect |
5 | include openshot.profile | 8 | include openshot.profile |
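--- /dev/null
+++ b/etc/profile-m-z/pkglog.profile
@@ -0,0 +1,59 @@
+# Firejail profile for pklog
+# Description: Reports log of package updates
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pkglog.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /var/log/apt/history.log
+whitelist /var/log/dnf.rpm.log
+whitelist /var/log/pacman.log
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin pkglog,python*
+private-cache
+private-dev
+private-etc alternatives
+private-opt none
+private-tmp
+writable-var-log
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
+read-only /var/log/apt/history.log
+read-only /var/log/dnf.rpm.log
+read-only /var/log/pacman.log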
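Review bot: The header comment names the program `pklog`, while the file name, the `.local` include and `private-bin` all say `pkglog`; it should read `# Firejail profile for pkglog`. Separately, `writable-var-log` exposes the real /var/log instead of firejail's default empty copy, and the profile appears to rely on the three `whitelist` lines plus the matching `read-only` lines to narrow that again. A comment above `writable-var-log`, for example `# real /var/log is needed to read the package logs; access is narrowed by the whitelist and read-only lines`, would keep a later edit from removing one half of that pair.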
diff --git a/etc/profile-m-z/playonlinux.profile b/etc/profile-m-z/playonlinux.profile index 0ebef226a..8e98905b5 100644 --- a/etc/profile-m-z/playonlinux.profile +++ b/etc/profile-m-z/playonlinux.profile | |||
@@ -12,9 +12,12 @@ noblacklist ${HOME}/.PlayOnLinux | |||
12 | # nc is needed to run playonlinux | 12 | # nc is needed to run playonlinux |
13 | noblacklist ${PATH}/nc | 13 | noblacklist ${PATH}/nc |
14 | 14 | ||
15 | # Allow perl (blacklisted by disable-interpreters.inc) | ||
16 | include allow-perl.inc | ||
17 | |||
18 | # Allow python (blacklisted by disable-interpreters.inc) | ||
15 | include allow-python2.inc | 19 | include allow-python2.inc |
16 | include allow-python3.inc | 20 | include allow-python3.inc |
17 | include allow-perl.inc | ||
18 | 21 | ||
19 | # Redirect | 22 | # Redirect |
20 | include wine.profile | 23 | include wine.profile |
diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile index 7ff59ea77..7f7ae4204 100644 --- a/etc/profile-m-z/plv.profile +++ b/etc/profile-m-z/plv.profile | |||
@@ -18,7 +18,7 @@ include disable-xdg.inc | |||
18 | 18 | ||
19 | mkdir ${HOME}/.config/PacmanLogViewer | 19 | mkdir ${HOME}/.config/PacmanLogViewer |
20 | whitelist ${HOME}/.config/PacmanLogViewer | 20 | whitelist ${HOME}/.config/PacmanLogViewer |
21 | whitelist /var/log/pacman* | 21 | whitelist /var/log/pacman.log |
22 | include whitelist-common.inc | 22 | include whitelist-common.inc |
23 | include whitelist-usr-share-common.inc | 23 | include whitelist-usr-share-common.inc |
24 | include whitelist-runuser-common.inc | 24 | include whitelist-runuser-common.inc |
@@ -57,3 +57,4 @@ dbus-system none | |||
57 | #memory-deny-write-execute - breaks opening file-chooser | 57 | #memory-deny-write-execute - breaks opening file-chooser |
58 | read-only ${HOME} | 58 | read-only ${HOME} |
59 | read-write ${HOME}/.config/PacmanLogViewer | 59 | read-write ${HOME}/.config/PacmanLogViewer |
60 | read-only /var/log/pacman.log | ||
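--- a/etc/profile-m-z/pycharm-professional.profile
+++ b/etc/profile-m-z/pycharm-professional.profile
@@ -1,6 +1,9 @@
 # Firejail profilen alias for pycharm-professional
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include pyucharm-professional.local
+
 noblacklist ${HOME}/.PyCharm*
 
 # Redirect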
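Review bot: The added include names `pyucharm-professional.local`, which does not match the profile name, so a user's `pycharm-professional.local` would not be read through this alias. Any restrictions a user keeps in that file would then silently not apply to the sandbox. The line should read `include pycharm-professional.local`. The header comment also says `profilen`, which could be corrected to `profile` in the same pass; the redirect include itself lies outside the hunk.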
diff --git a/etc/profile-m-z/pzstd.profile b/etc/profile-m-z/pzstd.profile index ce9af3286..0c83e561c 100644 --- a/etc/profile-m-z/pzstd.profile +++ b/etc/profile-m-z/pzstd.profile | |||
@@ -1,5 +1,8 @@ | |||
1 | # Firejail profile alias for zstd | 1 | # Firejail profile alias for zstd |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent local customizations | ||
5 | include pzstd.local | ||
6 | |||
4 | # Redirect | 7 | # Redirect |
5 | include zstd.profile | 8 | include zstd.profile |
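--- /dev/null
+++ b/etc/profile-m-z/qnapi.profile
@@ -0,0 +1,55 @@
+# Firejail profile for qnapi
+# Description: Qt client for downloading movie subtitles from NapiProjekt, OpenSubtitles and Napisy24
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qnapi.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/qnapi.ini
+
+ignore noexec /tmp
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkfile ${HOME}/.config/qnapi.ini
+whitelist ${HOME}/.config/qnapi.ini
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin 7z,qnapi
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-opt none
+private-tmp
+
+dbus-user none
+dbus-system none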
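Review bot: `ignore noexec /tmp` cancels the no-exec restriction that `disable-exec.inc` would otherwise place on /tmp, and the profile gives no reason for keeping a writable directory executable. A relaxation like this should carry a comment naming what has to run from there, e.g. `# <component> is executed from /tmp (TODO: name it)`, or be removed if nothing does. In addition, `private-etc alternatives,fonts` leaves out `resolv.conf`, `ca-certificates`, `ssl` and `pki`, which the newsboat profile in this same commit keeps for its network access. For a client that is allowed `inet,inet6` this probably affects name resolution or certificate validation and is worth testing before merge.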
diff --git a/etc/profile-m-z/runenpass.sh.profile b/etc/profile-m-z/runenpass.sh.profile index 64432c171..d4c4f9234 100644 --- a/etc/profile-m-z/runenpass.sh.profile +++ b/etc/profile-m-z/runenpass.sh.profile | |||
@@ -1,5 +1,8 @@ | |||
1 | # Firejail alias profile for enpass | 1 | # Firejail alias profile for enpass |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent local customizations | ||
5 | include runenpass.sh.local | ||
6 | |||
4 | # Redirect | 7 | # Redirect |
5 | include enpass.profile | 8 | include enpass.profile |
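--- a/etc/profile-m-z/seamonkey-bin.profile
+++ b/etc/profile-m-z/seamonkey-bin.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for seamonkey
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include seamonkey-bin.local
+
 # Redirect
 include seamonkey.profile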
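--- /dev/null
+++ b/etc/profile-m-z/shotwell.profile
@@ -0,0 +1,60 @@
+# Firejail profile for shotwell
+# Description: A digital photo organizer designed for the GNOME desktop environment
+# This file is overwritten after every install/update
+# Persistent local customizations
+include shotwell.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/shotwell
+noblacklist ${HOME}/.local/share/shotwell
+
+noblacklist ${PICTURES}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/shotwell
+mkdir ${HOME}/.local/share/shotwell
+whitelist ${HOME}/.cache/shotwell
+whitelist ${HOME}/.local/share/shotwell
+whitelist ${PICTURES}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin shotwell
+private-cache
+private-dev
+private-etc alternatives,fonts,machine-id
+private-opt none
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Shotwell
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gtk.vfs.UDisks2VolumeMonitor
+dbus-system none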
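Review bot: The pairing of `netfilter` (line 35) with `protocol unix` (line 44) leaves the network policy of this new profile unclear. `protocol unix` already stops the sandbox from opening inet sockets, and `netfilter` only takes effect when a new network namespace is created, which this profile does not request. If shotwell is meant to run without any network access, replacing `netfilter` with `net none` would state that directly and also detach the sandbox from the host's network namespace; this would need testing against shotwell's online publishing features, which are presumably already non-functional under `protocol unix`. If network access is intended instead, a comment saying so next to `protocol unix` would help the next maintainer.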
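--- a/etc/profile-m-z/smplayer.profile
+++ b/etc/profile-m-z/smplayer.profile
@@ -10,7 +10,10 @@ noblacklist ${HOME}/.config/smplayer
 noblacklist ${HOME}/.config/youtube-dl
 noblacklist ${HOME}/.mplayer
 
+# Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
 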
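--- a/etc/profile-m-z/soffice.profile
+++ b/etc/profile-m-z/soffice.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include soffice.local
+
 # Redirect
 include libreoffice.profile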
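--- a/etc/profile-m-z/steam-native.profile
+++ b/etc/profile-m-z/steam-native.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for steam
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include steam-native.local
+
 # Redirect
 include steam.profile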
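--- a/etc/profile-m-z/steam-runtime.profile
+++ b/etc/profile-m-z/steam-runtime.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for steam
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include steam-runtime.local
+
 # Redirect
 include steam.profile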
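--- a/etc/profile-m-z/straw-viewer.profile
+++ b/etc/profile-m-z/straw-viewer.profile
@@ -10,8 +10,13 @@ include globals.local
 noblacklist ${HOME}/.cache/straw-viewer
 noblacklist ${HOME}/.config/straw-viewer
 
+# Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
+
+# Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
 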
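--- a/etc/profile-m-z/studio.sh.profile
+++ b/etc/profile-m-z/studio.sh.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for Android Studio
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include studio.sh.local
+
 # Redirect
 include android-studio.profile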
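--- a/etc/profile-m-z/telegram-desktop.profile
+++ b/etc/profile-m-z/telegram-desktop.profile
@@ -2,5 +2,8 @@
 # Description: Official Telegram Desktop client
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include tekegram-desktop.local
+
 # Redirect
 include telegram.profile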
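Review bot: The added include on new line 6 names `tekegram-desktop.local`, which looks like a typo for `telegram-desktop.local`; every other alias profile in this commit includes a `.local` file named after the profile itself. Because a missing `.local` file is skipped without an error, overrides a user places in `telegram-desktop.local` would never be read through this alias, and any extra restrictions kept there would silently not apply. The line should read `include telegram-desktop.local`.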
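--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -12,8 +12,22 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
 
+mkdir ${HOME}/.TelegramDesktop
+mkdir ${HOME}/.local/share/TelegramDesktop
+whitelist ${HOME}/.TelegramDesktop
+whitelist ${HOME}/.local/share/TelegramDesktop
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -22,8 +36,10 @@ noroot
 notv
 protocol unix,inet,inet6,netlink
 seccomp
+shell none
 
 disable-mnt
 private-cache
-private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,os-release,pki,pulse,resolv.conf,ssl,xdg
+private-dev
+private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg
 private-tmp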
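Review bot: The whitelist block added in the first hunk (new lines 20-28) gives no hint that it hides the rest of the home directory from Telegram. Only the two data directories and `${DOWNLOADS}` stay visible, so attaching a file from another folder will fail, and a file saved elsewhere lands in a temporary filesystem that is discarded when the sandbox exits. A comment above the whitelist lines, such as `# Only ${DOWNLOADS} is shared with the sandbox; add further whitelist lines in telegram.local`, would tell users where to extend it. The `noblacklist` lines sit above the hunk, so whether `${HOME}/.local/share/TelegramDesktop` has a matching entry cannot be confirmed from here.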
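--- a/etc/profile-m-z/thunar.profile
+++ b/etc/profile-m-z/thunar.profile
@@ -2,5 +2,8 @@
 # Description: Modern file manager for Xfce
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include thunar.local
+
 # Redirect
 include Thunar.profile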
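--- a/etc/profile-m-z/thunderbird-beta.profile
+++ b/etc/profile-m-z/thunderbird-beta.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for thunderbird-beta
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include thunderbird-beta.local
+
 private-opt thunderbird-beta
 
 # Redirect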
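--- a/etc/profile-m-z/tor-browser-ar.profile
+++ b/etc/profile-m-z/tor-browser-ar.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-ar.local
+
 noblacklist ${HOME}/.tor-browser-ar
 
 mkdir ${HOME}/.tor-browser-ar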
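Review bot: The comment added on new line 4, `# Persistent global definitions`, does not match the line it labels. In this commit that wording belongs to `include globals.local` (see shotwell.profile), while the per-profile file included here, `tor-browser-ar.local`, is labelled `# Persistent local customizations` in the other alias profiles. A user who reads the comment may put overrides in the wrong file and assume a restriction is active when it is not. The comment should read `# Persistent local customizations`. The same wording is repeated in every tor-browser-*.profile section that follows, tor-browser-ca through tor-browser-zh-tw. The rest of each profile lies outside its hunk.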
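--- a/etc/profile-m-z/tor-browser-ca.profile
+++ b/etc/profile-m-z/tor-browser-ca.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-ca.local
+
 noblacklist ${HOME}/.tor-browser-ca
 
 mkdir ${HOME}/.tor-browser-ca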
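--- a/etc/profile-m-z/tor-browser-cs.profile
+++ b/etc/profile-m-z/tor-browser-cs.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-cs.local
+
 noblacklist ${HOME}/.tor-browser-cs
 
 mkdir ${HOME}/.tor-browser-cs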
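--- a/etc/profile-m-z/tor-browser-da.profile
+++ b/etc/profile-m-z/tor-browser-da.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-da.local
+
 noblacklist ${HOME}/.tor-browser-da
 
 mkdir ${HOME}/.tor-browser-da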
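--- a/etc/profile-m-z/tor-browser-de.profile
+++ b/etc/profile-m-z/tor-browser-de.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-de.local
+
 noblacklist ${HOME}/.tor-browser-de
 
 mkdir ${HOME}/.tor-browser-de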
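--- a/etc/profile-m-z/tor-browser-el.profile
+++ b/etc/profile-m-z/tor-browser-el.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-el.local
+
 noblacklist ${HOME}/.tor-browser-el
 
 mkdir ${HOME}/.tor-browser-el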
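--- a/etc/profile-m-z/tor-browser-en-us.profile
+++ b/etc/profile-m-z/tor-browser-en-us.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-en-us.local
+
 noblacklist ${HOME}/.tor-browser-en-us
 
 mkdir ${HOME}/.tor-browser-en-us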
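--- a/etc/profile-m-z/tor-browser-en.profile
+++ b/etc/profile-m-z/tor-browser-en.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-en.local
+
 noblacklist ${HOME}/.tor-browser-en
 
 mkdir ${HOME}/.tor-browser-en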
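--- a/etc/profile-m-z/tor-browser-es-es.profile
+++ b/etc/profile-m-z/tor-browser-es-es.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-es-es.local
+
 noblacklist ${HOME}/.tor-browser-es-es
 
 mkdir ${HOME}/.tor-browser-es-es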
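--- a/etc/profile-m-z/tor-browser-es.profile
+++ b/etc/profile-m-z/tor-browser-es.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-es.local
+
 noblacklist ${HOME}/.tor-browser-es
 
 mkdir ${HOME}/.tor-browser-es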
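--- a/etc/profile-m-z/tor-browser-fa.profile
+++ b/etc/profile-m-z/tor-browser-fa.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-fa.local
+
 noblacklist ${HOME}/.tor-browser-fa
 
 mkdir ${HOME}/.tor-browser-fa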
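--- a/etc/profile-m-z/tor-browser-fr.profile
+++ b/etc/profile-m-z/tor-browser-fr.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-fr.local
+
 noblacklist ${HOME}/.tor-browser-fr
 
 mkdir ${HOME}/.tor-browser-fr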
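--- a/etc/profile-m-z/tor-browser-ga-ie.profile
+++ b/etc/profile-m-z/tor-browser-ga-ie.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-ga-ie.local
+
 noblacklist ${HOME}/.tor-browser-ga-ie
 
 mkdir ${HOME}/.tor-browser-ga-ie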
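--- a/etc/profile-m-z/tor-browser-he.profile
+++ b/etc/profile-m-z/tor-browser-he.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-he.local
+
 noblacklist ${HOME}/.tor-browser-he
 
 mkdir ${HOME}/.tor-browser-he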
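--- a/etc/profile-m-z/tor-browser-hu.profile
+++ b/etc/profile-m-z/tor-browser-hu.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-hu.local
+
 noblacklist ${HOME}/.tor-browser-hu
 
 mkdir ${HOME}/.tor-browser-hu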
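--- a/etc/profile-m-z/tor-browser-id.profile
+++ b/etc/profile-m-z/tor-browser-id.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-id.local
+
 noblacklist ${HOME}/.tor-browser-id
 
 mkdir ${HOME}/.tor-browser-id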
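--- a/etc/profile-m-z/tor-browser-is.profile
+++ b/etc/profile-m-z/tor-browser-is.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-is.local
+
 noblacklist ${HOME}/.tor-browser-is
 
 mkdir ${HOME}/.tor-browser-is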
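--- a/etc/profile-m-z/tor-browser-it.profile
+++ b/etc/profile-m-z/tor-browser-it.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-it.local
+
 noblacklist ${HOME}/.tor-browser-it
 
 mkdir ${HOME}/.tor-browser-it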
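--- a/etc/profile-m-z/tor-browser-ja.profile
+++ b/etc/profile-m-z/tor-browser-ja.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-ja.local
+
 noblacklist ${HOME}/.tor-browser-ja
 
 mkdir ${HOME}/.tor-browser-ja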
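--- a/etc/profile-m-z/tor-browser-ka.profile
+++ b/etc/profile-m-z/tor-browser-ka.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-ka.local
+
 noblacklist ${HOME}/.tor-browser-ka
 
 mkdir ${HOME}/.tor-browser-ka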
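--- a/etc/profile-m-z/tor-browser-ko.profile
+++ b/etc/profile-m-z/tor-browser-ko.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-ko.local
+
 noblacklist ${HOME}/.tor-browser-ko
 
 mkdir ${HOME}/.tor-browser-ko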
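--- a/etc/profile-m-z/tor-browser-nb.profile
+++ b/etc/profile-m-z/tor-browser-nb.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-nb.local
+
 noblacklist ${HOME}/.tor-browser-nb
 
 mkdir ${HOME}/.tor-browser-nb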
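--- a/etc/profile-m-z/tor-browser-nl.profile
+++ b/etc/profile-m-z/tor-browser-nl.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-nl.local
+
 noblacklist ${HOME}/.tor-browser-nl
 
 mkdir ${HOME}/.tor-browser-nl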
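--- a/etc/profile-m-z/tor-browser-pl.profile
+++ b/etc/profile-m-z/tor-browser-pl.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-pl.local
+
 noblacklist ${HOME}/.tor-browser-pl
 
 mkdir ${HOME}/.tor-browser-pl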
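--- a/etc/profile-m-z/tor-browser-pt-br.profile
+++ b/etc/profile-m-z/tor-browser-pt-br.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-pt-br.local
+
 noblacklist ${HOME}/.tor-browser-pt-br
 
 mkdir ${HOME}/.tor-browser-pt-br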
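--- a/etc/profile-m-z/tor-browser-ru.profile
+++ b/etc/profile-m-z/tor-browser-ru.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-ru.local
+
 noblacklist ${HOME}/.tor-browser-ru
 
 mkdir ${HOME}/.tor-browser-ru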
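--- a/etc/profile-m-z/tor-browser-sv-se.profile
+++ b/etc/profile-m-z/tor-browser-sv-se.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-sv-se.local
+
 noblacklist ${HOME}/.tor-browser-sv-se
 
 mkdir ${HOME}/.tor-browser-sv-se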
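--- a/etc/profile-m-z/tor-browser-tr.profile
+++ b/etc/profile-m-z/tor-browser-tr.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-tr.local
+
 noblacklist ${HOME}/.tor-browser-tr
 
 mkdir ${HOME}/.tor-browser-tr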
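--- a/etc/profile-m-z/tor-browser-vi.profile
+++ b/etc/profile-m-z/tor-browser-vi.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-vi.local
+
 noblacklist ${HOME}/.tor-browser-vi
 
 mkdir ${HOME}/.tor-browser-vi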
diff --git a/etc/profile-m-z/tor-browser-zh-cn.profile b/etc/profile-m-z/tor-browser-zh-cn.profile index 21e813e45..977993f26 100644 --- a/etc/profile-m-z/tor-browser-zh-cn.profile +++ b/etc/profile-m-z/tor-browser-zh-cn.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent global definitions | ||
5 | include tor-browser-zh-cn.local | ||
6 | |||
4 | noblacklist ${HOME}/.tor-browser-zh-cn | 7 | noblacklist ${HOME}/.tor-browser-zh-cn |
5 | 8 | ||
6 | mkdir ${HOME}/.tor-browser-zh-cn | 9 | mkdir ${HOME}/.tor-browser-zh-cn |
diff --git a/etc/profile-m-z/tor-browser-zh-tw.profile b/etc/profile-m-z/tor-browser-zh-tw.profile index 6fe09c6c1..e589dc552 100644 --- a/etc/profile-m-z/tor-browser-zh-tw.profile +++ b/etc/profile-m-z/tor-browser-zh-tw.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent global definitions | ||
5 | include tor-browser-zh-tw.local | ||
6 | |||
4 | noblacklist ${HOME}/.tor-browser-zh-tw | 7 | noblacklist ${HOME}/.tor-browser-zh-tw |
5 | 8 | ||
6 | mkdir ${HOME}/.tor-browser-zh-tw | 9 | mkdir ${HOME}/.tor-browser-zh-tw |
diff --git a/etc/profile-m-z/tor-browser.profile b/etc/profile-m-z/tor-browser.profile index 0cd84abf5..f7c3a5d24 100644 --- a/etc/profile-m-z/tor-browser.profile +++ b/etc/profile-m-z/tor-browser.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent global definitions | ||
5 | include tor-browser.local | ||
6 | |||
4 | noblacklist ${HOME}/.tor-browser | 7 | noblacklist ${HOME}/.tor-browser |
5 | 8 | ||
6 | mkdir ${HOME}/.tor-browser | 9 | mkdir ${HOME}/.tor-browser |
diff --git a/etc/profile-m-z/tor-browser_ar.profile b/etc/profile-m-z/tor-browser_ar.profile index 1e1f5ce35..86839a849 100644 --- a/etc/profile-m-z/tor-browser_ar.profile +++ b/etc/profile-m-z/tor-browser_ar.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent global definitions | ||
5 | include tor-browser_ar.local | ||
6 | |||
4 | noblacklist ${HOME}/.tor-browser_ar | 7 | noblacklist ${HOME}/.tor-browser_ar |
5 | 8 | ||
6 | mkdir ${HOME}/.tor-browser_ar | 9 | mkdir ${HOME}/.tor-browser_ar |
diff --git a/etc/profile-m-z/tor-browser_ca.profile b/etc/profile-m-z/tor-browser_ca.profile index e114b6051..9d9fc8d31 100644 --- a/etc/profile-m-z/tor-browser_ca.profile +++ b/etc/profile-m-z/tor-browser_ca.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent global definitions | ||
5 | include tor-browser_ca.local | ||
6 | |||
4 | noblacklist ${HOME}/.tor-browser_ca | 7 | noblacklist ${HOME}/.tor-browser_ca |
5 | 8 | ||
6 | mkdir ${HOME}/.tor-browser_ca | 9 | mkdir ${HOME}/.tor-browser_ca |
diff --git a/etc/profile-m-z/tor-browser_cs.profile b/etc/profile-m-z/tor-browser_cs.profile index 498068bc6..25d676537 100644 --- a/etc/profile-m-z/tor-browser_cs.profile +++ b/etc/profile-m-z/tor-browser_cs.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent global definitions | ||
5 | include tor-browser_cs.local | ||
6 | |||
4 | noblacklist ${HOME}/.tor-browser_cs | 7 | noblacklist ${HOME}/.tor-browser_cs |
5 | 8 | ||
6 | mkdir ${HOME}/.tor-browser_cs | 9 | mkdir ${HOME}/.tor-browser_cs |
diff --git a/etc/profile-m-z/tor-browser_da.profile b/etc/profile-m-z/tor-browser_da.profile index 5c25c03c8..885a00979 100644 --- a/etc/profile-m-z/tor-browser_da.profile +++ b/etc/profile-m-z/tor-browser_da.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent global definitions | ||
5 | include tor-browser_da.local | ||
6 | |||
4 | noblacklist ${HOME}/.tor-browser_da | 7 | noblacklist ${HOME}/.tor-browser_da |
5 | 8 | ||
6 | mkdir ${HOME}/.tor-browser_da | 9 | mkdir ${HOME}/.tor-browser_da |
diff --git a/etc/profile-m-z/tor-browser_de.profile b/etc/profile-m-z/tor-browser_de.profile index d530e7dbe..505161073 100644 --- a/etc/profile-m-z/tor-browser_de.profile +++ b/etc/profile-m-z/tor-browser_de.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent global definitions | ||
5 | include tor-browser_de.local | ||
6 | |||
4 | noblacklist ${HOME}/.tor-browser_de | 7 | noblacklist ${HOME}/.tor-browser_de |
5 | 8 | ||
6 | mkdir ${HOME}/.tor-browser_de | 9 | mkdir ${HOME}/.tor-browser_de |
diff --git a/etc/profile-m-z/tor-browser_el.profile b/etc/profile-m-z/tor-browser_el.profile index 67d5ab440..4efbbef4d 100644 --- a/etc/profile-m-z/tor-browser_el.profile +++ b/etc/profile-m-z/tor-browser_el.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent global definitions | ||
5 | include tor-browser_el.local | ||
6 | |||
4 | noblacklist ${HOME}/.tor-browser_el | 7 | noblacklist ${HOME}/.tor-browser_el |
5 | 8 | ||
6 | mkdir ${HOME}/.tor-browser_el | 9 | mkdir ${HOME}/.tor-browser_el |
diff --git a/etc/profile-m-z/tor-browser_en-US.profile b/etc/profile-m-z/tor-browser_en-US.profile index b298ab2b8..faa6979be 100644 --- a/etc/profile-m-z/tor-browser_en-US.profile +++ b/etc/profile-m-z/tor-browser_en-US.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent global definitions | ||
5 | include tor-browser_en-US.local | ||
6 | |||
4 | noblacklist ${HOME}/.tor-browser_en-US | 7 | noblacklist ${HOME}/.tor-browser_en-US |
5 | 8 | ||
6 | mkdir ${HOME}/.tor-browser_en-US | 9 | mkdir ${HOME}/.tor-browser_en-US |
diff --git a/etc/profile-m-z/tor-browser_en.profile b/etc/profile-m-z/tor-browser_en.profile index 6bb0616b1..579af4be1 100644 --- a/etc/profile-m-z/tor-browser_en.profile +++ b/etc/profile-m-z/tor-browser_en.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent global definitions | ||
5 | include tor-browser_en.local | ||
6 | |||
4 | noblacklist ${HOME}/.tor-browser_en | 7 | noblacklist ${HOME}/.tor-browser_en |
5 | 8 | ||
6 | mkdir ${HOME}/.tor-browser_en | 9 | mkdir ${HOME}/.tor-browser_en |
diff --git a/etc/profile-m-z/tor-browser_es-ES.profile b/etc/profile-m-z/tor-browser_es-ES.profile index 78f57ffe5..7d2f28844 100644 --- a/etc/profile-m-z/tor-browser_es-ES.profile +++ b/etc/profile-m-z/tor-browser_es-ES.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent global definitions | ||
5 | include tor-browser_es-ES.local | ||
6 | |||
4 | noblacklist ${HOME}/.tor-browser_es-ES | 7 | noblacklist ${HOME}/.tor-browser_es-ES |
5 | 8 | ||
6 | mkdir ${HOME}/.tor-browser_es-ES | 9 | mkdir ${HOME}/.tor-browser_es-ES |
diff --git a/etc/profile-m-z/tor-browser_es.profile b/etc/profile-m-z/tor-browser_es.profile index ea34a07c9..c3d5695ce 100644 --- a/etc/profile-m-z/tor-browser_es.profile +++ b/etc/profile-m-z/tor-browser_es.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent global definitions | ||
5 | include tor-browser_es.local | ||
6 | |||
4 | noblacklist ${HOME}/.tor-browser_es | 7 | noblacklist ${HOME}/.tor-browser_es |
5 | 8 | ||
6 | mkdir ${HOME}/.tor-browser_es | 9 | mkdir ${HOME}/.tor-browser_es |
diff --git a/etc/profile-m-z/tor-browser_fa.profile b/etc/profile-m-z/tor-browser_fa.profile index fbc416ce5..5d2a81976 100644 --- a/etc/profile-m-z/tor-browser_fa.profile +++ b/etc/profile-m-z/tor-browser_fa.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent global definitions | ||
5 | include tor-browser_fa.local | ||
6 | |||
4 | noblacklist ${HOME}/.tor-browser_fa | 7 | noblacklist ${HOME}/.tor-browser_fa |
5 | 8 | ||
6 | mkdir ${HOME}/.tor-browser_fa | 9 | mkdir ${HOME}/.tor-browser_fa |
diff --git a/etc/profile-m-z/tor-browser_fr.profile b/etc/profile-m-z/tor-browser_fr.profile index caea6db5b..10a1cd054 100644 --- a/etc/profile-m-z/tor-browser_fr.profile +++ b/etc/profile-m-z/tor-browser_fr.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent global definitions | ||
5 | include tor-browser_fr.local | ||
6 | |||
4 | noblacklist ${HOME}/.tor-browser_fr | 7 | noblacklist ${HOME}/.tor-browser_fr |
5 | 8 | ||
6 | mkdir ${HOME}/.tor-browser_fr | 9 | mkdir ${HOME}/.tor-browser_fr |
diff --git a/etc/profile-m-z/tor-browser_ga-IE.profile b/etc/profile-m-z/tor-browser_ga-IE.profile index 6342daebf..c2f3e6f91 100644 --- a/etc/profile-m-z/tor-browser_ga-IE.profile +++ b/etc/profile-m-z/tor-browser_ga-IE.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent global definitions | ||
5 | include tor-browser_ga-IE.local | ||
6 | |||
4 | noblacklist ${HOME}/.tor-browser_ga-IE | 7 | noblacklist ${HOME}/.tor-browser_ga-IE |
5 | 8 | ||
6 | mkdir ${HOME}/.tor-browser_ga-IE | 9 | mkdir ${HOME}/.tor-browser_ga-IE |
diff --git a/etc/profile-m-z/tor-browser_he.profile b/etc/profile-m-z/tor-browser_he.profile index cc4150620..2415a0ebd 100644 --- a/etc/profile-m-z/tor-browser_he.profile +++ b/etc/profile-m-z/tor-browser_he.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent global definitions | ||
5 | include tor-browser_he.local | ||
6 | |||
4 | noblacklist ${HOME}/.tor-browser_he | 7 | noblacklist ${HOME}/.tor-browser_he |
5 | 8 | ||
6 | mkdir ${HOME}/.tor-browser_he | 9 | mkdir ${HOME}/.tor-browser_he |
diff --git a/etc/profile-m-z/tor-browser_hu.profile b/etc/profile-m-z/tor-browser_hu.profile index 952a0b68a..d356c2b74 100644 --- a/etc/profile-m-z/tor-browser_hu.profile +++ b/etc/profile-m-z/tor-browser_hu.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent global definitions | ||
5 | include tor-browser_hu.local | ||
6 | |||
4 | noblacklist ${HOME}/.tor-browser_hu | 7 | noblacklist ${HOME}/.tor-browser_hu |
5 | 8 | ||
6 | mkdir ${HOME}/.tor-browser_hu | 9 | mkdir ${HOME}/.tor-browser_hu |
diff --git a/etc/profile-m-z/tor-browser_id.profile b/etc/profile-m-z/tor-browser_id.profile index a006b27c0..0551bef1c 100644 --- a/etc/profile-m-z/tor-browser_id.profile +++ b/etc/profile-m-z/tor-browser_id.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent global definitions | ||
5 | include tor-browser_id.local | ||
6 | |||
4 | noblacklist ${HOME}/.tor-browser_id | 7 | noblacklist ${HOME}/.tor-browser_id |
5 | 8 | ||
6 | mkdir ${HOME}/.tor-browser_id | 9 | mkdir ${HOME}/.tor-browser_id |
diff --git a/etc/profile-m-z/tor-browser_is.profile b/etc/profile-m-z/tor-browser_is.profile index 038e0fabb..a9adf462d 100644 --- a/etc/profile-m-z/tor-browser_is.profile +++ b/etc/profile-m-z/tor-browser_is.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent global definitions | ||
5 | include tor-browser_is.local | ||
6 | |||
4 | noblacklist ${HOME}/.tor-browser_is | 7 | noblacklist ${HOME}/.tor-browser_is |
5 | 8 | ||
6 | mkdir ${HOME}/.tor-browser_is | 9 | mkdir ${HOME}/.tor-browser_is |
diff --git a/etc/profile-m-z/tor-browser_it.profile b/etc/profile-m-z/tor-browser_it.profile index 3d2566994..2237e2267 100644 --- a/etc/profile-m-z/tor-browser_it.profile +++ b/etc/profile-m-z/tor-browser_it.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent global definitions | ||
5 | include tor-browser_it.local | ||
6 | |||
4 | noblacklist ${HOME}/.tor-browser_it | 7 | noblacklist ${HOME}/.tor-browser_it |
5 | 8 | ||
6 | mkdir ${HOME}/.tor-browser_it | 9 | mkdir ${HOME}/.tor-browser_it |
diff --git a/etc/profile-m-z/tor-browser_ja.profile b/etc/profile-m-z/tor-browser_ja.profile index 08c942bcd..494af455a 100644 --- a/etc/profile-m-z/tor-browser_ja.profile +++ b/etc/profile-m-z/tor-browser_ja.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent global definitions | ||
5 | include tor-browser_ja.local | ||
6 | |||
4 | noblacklist ${HOME}/.tor-browser_ja | 7 | noblacklist ${HOME}/.tor-browser_ja |
5 | 8 | ||
6 | mkdir ${HOME}/.tor-browser_ja | 9 | mkdir ${HOME}/.tor-browser_ja |
diff --git a/etc/profile-m-z/tor-browser_ka.profile b/etc/profile-m-z/tor-browser_ka.profile index 97664be4d..7a32fc6f7 100644 --- a/etc/profile-m-z/tor-browser_ka.profile +++ b/etc/profile-m-z/tor-browser_ka.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent global definitions | ||
5 | include tor-browser_ka.local | ||
6 | |||
4 | noblacklist ${HOME}/.tor-browser_ka | 7 | noblacklist ${HOME}/.tor-browser_ka |
5 | 8 | ||
6 | mkdir ${HOME}/.tor-browser_ka | 9 | mkdir ${HOME}/.tor-browser_ka |
diff --git a/etc/profile-m-z/tor-browser_ko.profile b/etc/profile-m-z/tor-browser_ko.profile index 98cf1e3e1..b7725270f 100644 --- a/etc/profile-m-z/tor-browser_ko.profile +++ b/etc/profile-m-z/tor-browser_ko.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent global definitions | ||
5 | include tor-browser_ko.local | ||
6 | |||
4 | noblacklist ${HOME}/.tor-browser_ko | 7 | noblacklist ${HOME}/.tor-browser_ko |
5 | 8 | ||
6 | mkdir ${HOME}/.tor-browser_ko | 9 | mkdir ${HOME}/.tor-browser_ko |
diff --git a/etc/profile-m-z/tor-browser_nb.profile b/etc/profile-m-z/tor-browser_nb.profile index 6df840573..b781e05a8 100644 --- a/etc/profile-m-z/tor-browser_nb.profile +++ b/etc/profile-m-z/tor-browser_nb.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent global definitions | ||
5 | include tor-browser_nb.local | ||
6 | |||
4 | noblacklist ${HOME}/.tor-browser_nb | 7 | noblacklist ${HOME}/.tor-browser_nb |
5 | 8 | ||
6 | mkdir ${HOME}/.tor-browser_nb | 9 | mkdir ${HOME}/.tor-browser_nb |
diff --git a/etc/profile-m-z/tor-browser_nl.profile b/etc/profile-m-z/tor-browser_nl.profile index 3f545f888..67df58d8c 100644 --- a/etc/profile-m-z/tor-browser_nl.profile +++ b/etc/profile-m-z/tor-browser_nl.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent global definitions | ||
5 | include tor-browser_nl.local | ||
6 | |||
4 | noblacklist ${HOME}/.tor-browser_nl | 7 | noblacklist ${HOME}/.tor-browser_nl |
5 | 8 | ||
6 | mkdir ${HOME}/.tor-browser_nl | 9 | mkdir ${HOME}/.tor-browser_nl |
diff --git a/etc/profile-m-z/tor-browser_pl.profile b/etc/profile-m-z/tor-browser_pl.profile index 4e04dc027..3caa90133 100644 --- a/etc/profile-m-z/tor-browser_pl.profile +++ b/etc/profile-m-z/tor-browser_pl.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent global definitions | ||
5 | include tor-browser_pl.local | ||
6 | |||
4 | noblacklist ${HOME}/.tor-browser_pl | 7 | noblacklist ${HOME}/.tor-browser_pl |
5 | 8 | ||
6 | mkdir ${HOME}/.tor-browser_pl | 9 | mkdir ${HOME}/.tor-browser_pl |
diff --git a/etc/profile-m-z/tor-browser_pt-BR.profile b/etc/profile-m-z/tor-browser_pt-BR.profile index 7f864886c..01e8651d5 100644 --- a/etc/profile-m-z/tor-browser_pt-BR.profile +++ b/etc/profile-m-z/tor-browser_pt-BR.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent global definitions | ||
5 | include tor-browser_pt-BR.local | ||
6 | |||
4 | noblacklist ${HOME}/.tor-browser_pt-BR | 7 | noblacklist ${HOME}/.tor-browser_pt-BR |
5 | 8 | ||
6 | mkdir ${HOME}/.tor-browser_pt-BR | 9 | mkdir ${HOME}/.tor-browser_pt-BR |
diff --git a/etc/profile-m-z/tor-browser_ru.profile b/etc/profile-m-z/tor-browser_ru.profile index 2fae6fbe7..fd6f2047d 100644 --- a/etc/profile-m-z/tor-browser_ru.profile +++ b/etc/profile-m-z/tor-browser_ru.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent global definitions | ||
5 | include tor-browser_ru.local | ||
6 | |||
4 | noblacklist ${HOME}/.tor-browser_ru | 7 | noblacklist ${HOME}/.tor-browser_ru |
5 | 8 | ||
6 | mkdir ${HOME}/.tor-browser_ru | 9 | mkdir ${HOME}/.tor-browser_ru |
diff --git a/etc/profile-m-z/tor-browser_sv-SE.profile b/etc/profile-m-z/tor-browser_sv-SE.profile index 2157f8d2b..029f1edea 100644 --- a/etc/profile-m-z/tor-browser_sv-SE.profile +++ b/etc/profile-m-z/tor-browser_sv-SE.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent global definitions | ||
5 | include tor-browser_sv-SE.local | ||
6 | |||
4 | noblacklist ${HOME}/.tor-browser_sv-SE | 7 | noblacklist ${HOME}/.tor-browser_sv-SE |
5 | 8 | ||
6 | mkdir ${HOME}/.tor-browser_sv-SE | 9 | mkdir ${HOME}/.tor-browser_sv-SE |
diff --git a/etc/profile-m-z/tor-browser_tr.profile b/etc/profile-m-z/tor-browser_tr.profile index 20ac246ca..7707e3454 100644 --- a/etc/profile-m-z/tor-browser_tr.profile +++ b/etc/profile-m-z/tor-browser_tr.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent global definitions | ||
5 | include tor-browser_tr.local | ||
6 | |||
4 | noblacklist ${HOME}/.tor-browser_tr | 7 | noblacklist ${HOME}/.tor-browser_tr |
5 | 8 | ||
6 | mkdir ${HOME}/.tor-browser_tr | 9 | mkdir ${HOME}/.tor-browser_tr |
diff --git a/etc/profile-m-z/tor-browser_vi.profile b/etc/profile-m-z/tor-browser_vi.profile index 4faa06ff6..b277343dc 100644 --- a/etc/profile-m-z/tor-browser_vi.profile +++ b/etc/profile-m-z/tor-browser_vi.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent global definitions | ||
5 | include tor-browser_vi.local | ||
6 | |||
4 | noblacklist ${HOME}/.tor-browser_vi | 7 | noblacklist ${HOME}/.tor-browser_vi |
5 | 8 | ||
6 | mkdir ${HOME}/.tor-browser_vi | 9 | mkdir ${HOME}/.tor-browser_vi |
diff --git a/etc/profile-m-z/tor-browser_zh-CN.profile b/etc/profile-m-z/tor-browser_zh-CN.profile index e4d8215e6..e614d00ae 100644 --- a/etc/profile-m-z/tor-browser_zh-CN.profile +++ b/etc/profile-m-z/tor-browser_zh-CN.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent global definitions | ||
5 | include tor-browser_zh-CN.local | ||
6 | |||
4 | noblacklist ${HOME}/.tor-browser_zh-CN | 7 | noblacklist ${HOME}/.tor-browser_zh-CN |
5 | 8 | ||
6 | mkdir ${HOME}/.tor-browser_zh-CN | 9 | mkdir ${HOME}/.tor-browser_zh-CN |
diff --git a/etc/profile-m-z/tor-browser_zh-TW.profile b/etc/profile-m-z/tor-browser_zh-TW.profile index 8a28015a6..21c3445c9 100644 --- a/etc/profile-m-z/tor-browser_zh-TW.profile +++ b/etc/profile-m-z/tor-browser_zh-TW.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | 1 | # Firejail profile alias for torbrowser-launcher |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent global definitions | ||
5 | include tor-browser_zh-TW.local | ||
6 | |||
4 | noblacklist ${HOME}/.tor-browser_zh-TW | 7 | noblacklist ${HOME}/.tor-browser_zh-TW |
5 | 8 | ||
6 | mkdir ${HOME}/.tor-browser_zh-TW | 9 | mkdir ${HOME}/.tor-browser_zh-TW |
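--- a/etc/profile-m-z/totem.profile
+++ b/etc/profile-m-z/totem.profile
@@ -6,7 +6,8 @@ include totem.local
 # Persistent global definitions
 include globals.local
 
-# Allow lua (required for youtube video)
+# Allow lua (blacklisted by disable-interpreters.inc)
+# required for youtube video
 include allow-lua.inc
 
 # Allow python (blacklisted by disable-interpreters.inc)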
diff --git a/etc/profile-m-z/tshark.profile b/etc/profile-m-z/tshark.profile index a5cefb47a..af5442672 100644 --- a/etc/profile-m-z/tshark.profile +++ b/etc/profile-m-z/tshark.profile | |||
@@ -2,5 +2,8 @@ | |||
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | quiet | 3 | quiet |
4 | 4 | ||
5 | # Persistent local customizations | ||
6 | include tshark.local | ||
7 | |||
5 | # Redirect | 8 | # Redirect |
6 | include wireshark.profile | 9 | include wireshark.profile |
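--- /dev/null
+++ b/etc/profile-m-z/unar.profile
@@ -0,0 +1,13 @@
+# Firejail profile for unar
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include unar.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin unar
+
+# Redirect
+include ar.profile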
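Review bot: Apart from `private-bin unar`, this new profile has no restrictions of its own; everything else comes from `include ar.profile`, which is not shown on this page. unar handles many more archive formats than ar and is commonly run on files from untrusted sources, so it is worth confirming that the inherited settings fit it. The dependency could be recorded where a reader will see it, for example by changing the last comment to `# Redirect: sandbox restrictions are inherited from ar.profile`. As a style point, the sibling redirect profiles in this commit (tshark, unlzma) put a blank line after `quiet` and after the `.local` include; doing the same here would keep the files uniform.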
diff --git a/etc/profile-m-z/unlzma.profile b/etc/profile-m-z/unlzma.profile index d9c72407f..d7f187e5c 100644 --- a/etc/profile-m-z/unlzma.profile +++ b/etc/profile-m-z/unlzma.profile | |||
@@ -3,5 +3,8 @@ | |||
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | 5 | ||
6 | # Persistent local customizations | ||
7 | include unlzma.local | ||
8 | |||
6 | # Redirect | 9 | # Redirect |
7 | include cpio.profile | 10 | include cpio.profile |
diff --git a/etc/profile-m-z/unxz.profile b/etc/profile-m-z/unxz.profile index d9c72407f..d93fc3cb3 100644 --- a/etc/profile-m-z/unxz.profile +++ b/etc/profile-m-z/unxz.profile | |||
@@ -3,5 +3,8 @@ | |||
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | 5 | ||
6 | # Persistent local customizations | ||
7 | include unxz.local | ||
8 | |||
6 | # Redirect | 9 | # Redirect |
7 | include cpio.profile | 10 | include cpio.profile |
diff --git a/etc/profile-m-z/unzstd.profile b/etc/profile-m-z/unzstd.profile index ce9af3286..698301131 100644 --- a/etc/profile-m-z/unzstd.profile +++ b/etc/profile-m-z/unzstd.profile | |||
@@ -1,5 +1,8 @@ | |||
1 | # Firejail profile alias for zstd | 1 | # Firejail profile alias for zstd |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent local customizations | ||
5 | include unzstd.local | ||
6 | |||
4 | # Redirect | 7 | # Redirect |
5 | include zstd.profile | 8 | include zstd.profile |
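--- a/etc/profile-m-z/vmware.profile
+++ b/etc/profile-m-z/vmware.profile
@@ -26,7 +26,7 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
-caps.keep chown,net_raw,sys_nice,sys_rawio
+caps.keep chown,net_raw,sys_nice
 netfilter
 nogroups
 notv
@@ -34,6 +34,7 @@ shell none
 tracelog
 
 #disable-mnt
-#private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
+#private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-*
+private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
 dbus-user none
 dbus-system none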
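Review bot: The new `#private-bin env,bash,sh,...` line in the second hunk is added commented out with no explanation, while `private-etc` on the next line is switched on in the same change. Someone hardening this profile cannot tell whether private-bin was tested and found to break VMware or was simply left for later. A one-line comment above it would settle that, along the lines of `# private-bin left disabled: <reason from the author>`. In the first hunk, dropping `sys_rawio` from `caps.keep` narrows the retained capabilities but `net_raw` stays; if it is needed only for some networking modes, a comment saying so would help users who want to drop it in vmware.local. The profile continues outside both hunks.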
diff --git a/etc/profile-m-z/vscodium.profile b/etc/profile-m-z/vscodium.profile index b4728fb72..e329e77ad 100644 --- a/etc/profile-m-z/vscodium.profile +++ b/etc/profile-m-z/vscodium.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for Visual Studio Code | 1 | # Firejail profile alias for Visual Studio Code |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent local customizations | ||
5 | include vscodium.local | ||
6 | |||
4 | noblacklist ${HOME}/.VSCodium | 7 | noblacklist ${HOME}/.VSCodium |
5 | 8 | ||
6 | # Redirect | 9 | # Redirect |
diff --git a/etc/profile-m-z/vulturesclaw.profile b/etc/profile-m-z/vulturesclaw.profile index 2e9078a7b..8c46c8aef 100644 --- a/etc/profile-m-z/vulturesclaw.profile +++ b/etc/profile-m-z/vulturesclaw.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for nethack-vultures | 1 | # Firejail profile alias for nethack-vultures |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent local customizations | ||
5 | include vulturesclaw.local | ||
6 | |||
4 | noblacklist /var/games/vulturesclaw | 7 | noblacklist /var/games/vulturesclaw |
5 | whitelist /var/games/vulturesclaw | 8 | whitelist /var/games/vulturesclaw |
6 | 9 | ||
diff --git a/etc/profile-m-z/vultureseye.profile b/etc/profile-m-z/vultureseye.profile index 44c263cfc..a9d49dae2 100644 --- a/etc/profile-m-z/vultureseye.profile +++ b/etc/profile-m-z/vultureseye.profile | |||
@@ -1,6 +1,9 @@ | |||
1 | # Firejail profile alias for nethack-vultures | 1 | # Firejail profile alias for nethack-vultures |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent local customizations | ||
5 | include vultureseye.local | ||
6 | |||
4 | noblacklist /var/games/vultureseye | 7 | noblacklist /var/games/vultureseye |
5 | whitelist /var/games/vultureseye | 8 | whitelist /var/games/vultureseye |
6 | 9 | ||
diff --git a/etc/profile-m-z/warzone2100.profile b/etc/profile-m-z/warzone2100.profile index 369c9cc1d..06a7c3412 100644 --- a/etc/profile-m-z/warzone2100.profile +++ b/etc/profile-m-z/warzone2100.profile | |||
@@ -16,8 +16,8 @@ include disable-passwdmgr.inc | |||
16 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | include disable-shell.inc | 17 | include disable-shell.inc |
18 | 18 | ||
19 | # mkdir ${HOME}/.warzone2100-3.1 | 19 | mkdir ${HOME}/.warzone2100-3.1 |
20 | # mkdir ${HOME}/.warzone2100-3.2 | 20 | mkdir ${HOME}/.warzone2100-3.2 |
21 | whitelist ${HOME}/.warzone2100-3.1 | 21 | whitelist ${HOME}/.warzone2100-3.1 |
22 | whitelist ${HOME}/.warzone2100-3.2 | 22 | whitelist ${HOME}/.warzone2100-3.2 |
23 | whitelist /usr/share/games | 23 | whitelist /usr/share/games |
diff --git a/etc/profile-m-z/weechat-curses.profile b/etc/profile-m-z/weechat-curses.profile index 4719b9788..cd99c4730 100644 --- a/etc/profile-m-z/weechat-curses.profile +++ b/etc/profile-m-z/weechat-curses.profile | |||
@@ -1,5 +1,8 @@ | |||
1 | # Firejail profile alias for weechat | 1 | # Firejail profile alias for weechat |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent local customizations | ||
5 | include weechat-curses.local | ||
6 | |||
4 | # Redirect | 7 | # Redirect |
5 | include weechat.profile | 8 | include weechat.profile |
diff --git a/etc/profile-m-z/wireshark-gtk.profile b/etc/profile-m-z/wireshark-gtk.profile index 3e2e1807e..409f2a8b5 100644 --- a/etc/profile-m-z/wireshark-gtk.profile +++ b/etc/profile-m-z/wireshark-gtk.profile | |||
@@ -2,5 +2,8 @@ | |||
2 | # Description: Network protocol analyzer | 2 | # Description: Network protocol analyzer |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | 4 | ||
5 | # Persistent local customizations | ||
6 | include wireshark-gtk.local | ||
7 | |||
5 | # Redirect | 8 | # Redirect |
6 | include wireshark.profile | 9 | include wireshark.profile |
diff --git a/etc/profile-m-z/wireshark-qt.profile b/etc/profile-m-z/wireshark-qt.profile index 3e2e1807e..809108af7 100644 --- a/etc/profile-m-z/wireshark-qt.profile +++ b/etc/profile-m-z/wireshark-qt.profile | |||
@@ -2,5 +2,8 @@ | |||
2 | # Description: Network protocol analyzer | 2 | # Description: Network protocol analyzer |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | 4 | ||
5 | # Persistent local customizations | ||
6 | include wireshark-qt.local | ||
7 | |||
5 | # Redirect | 8 | # Redirect |
6 | include wireshark.profile | 9 | include wireshark.profile |
diff --git a/etc/profile-m-z/xonotic-glx.profile b/etc/profile-m-z/xonotic-glx.profile index abb91e1ec..57af3a8e4 100644 --- a/etc/profile-m-z/xonotic-glx.profile +++ b/etc/profile-m-z/xonotic-glx.profile | |||
@@ -1,5 +1,8 @@ | |||
1 | # Firejail profile alias for xonotic | 1 | # Firejail profile alias for xonotic |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent local customizations | ||
5 | include xonotic-glx.local | ||
6 | |||
4 | # Redirect | 7 | # Redirect |
5 | include xonotic.profile | 8 | include xonotic.profile |
diff --git a/etc/profile-m-z/xonotic-sdl.profile b/etc/profile-m-z/xonotic-sdl.profile index abb91e1ec..a2511a9da 100644 --- a/etc/profile-m-z/xonotic-sdl.profile +++ b/etc/profile-m-z/xonotic-sdl.profile | |||
@@ -1,5 +1,8 @@ | |||
1 | # Firejail profile alias for xonotic | 1 | # Firejail profile alias for xonotic |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent local customizations | ||
5 | include xonotic-sdl.local | ||
6 | |||
4 | # Redirect | 7 | # Redirect |
5 | include xonotic.profile | 8 | include xonotic.profile |
diff --git a/etc/profile-m-z/xz.profile b/etc/profile-m-z/xz.profile index d9c72407f..0310743c7 100644 --- a/etc/profile-m-z/xz.profile +++ b/etc/profile-m-z/xz.profile | |||
@@ -3,5 +3,8 @@ | |||
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | 5 | ||
6 | # Persistent local customizations | ||
7 | include xz.local | ||
8 | |||
6 | # Redirect | 9 | # Redirect |
7 | include cpio.profile | 10 | include cpio.profile |
diff --git a/etc/profile-m-z/xzcat.profile b/etc/profile-m-z/xzcat.profile index d9c72407f..1c6851189 100644 --- a/etc/profile-m-z/xzcat.profile +++ b/etc/profile-m-z/xzcat.profile | |||
@@ -3,5 +3,8 @@ | |||
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | 5 | ||
6 | # Persistent local customizations | ||
7 | include xzcat.local | ||
8 | |||
6 | # Redirect | 9 | # Redirect |
7 | include cpio.profile | 10 | include cpio.profile |
diff --git a/etc/profile-m-z/xzcmp.profile b/etc/profile-m-z/xzcmp.profile index d9c72407f..214f714ce 100644 --- a/etc/profile-m-z/xzcmp.profile +++ b/etc/profile-m-z/xzcmp.profile | |||
@@ -3,5 +3,8 @@ | |||
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | 5 | ||
6 | # Persistent local customizations | ||
7 | include xzcmp.local | ||
8 | |||
6 | # Redirect | 9 | # Redirect |
7 | include cpio.profile | 10 | include cpio.profile |
diff --git a/etc/profile-m-z/xzdiff.profile b/etc/profile-m-z/xzdiff.profile index d9c72407f..19a4c853f 100644 --- a/etc/profile-m-z/xzdiff.profile +++ b/etc/profile-m-z/xzdiff.profile | |||
@@ -3,5 +3,8 @@ | |||
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | 5 | ||
6 | # Persistent local customizations | ||
7 | include xzdiff.local | ||
8 | |||
6 | # Redirect | 9 | # Redirect |
7 | include cpio.profile | 10 | include cpio.profile |
diff --git a/etc/profile-m-z/xzegrep.profile b/etc/profile-m-z/xzegrep.profile index d9c72407f..998fab02c 100644 --- a/etc/profile-m-z/xzegrep.profile +++ b/etc/profile-m-z/xzegrep.profile | |||
@@ -3,5 +3,8 @@ | |||
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | 5 | ||
6 | # Persistent local customizations | ||
7 | include xzegrep.local | ||
8 | |||
6 | # Redirect | 9 | # Redirect |
7 | include cpio.profile | 10 | include cpio.profile |
diff --git a/etc/profile-m-z/xzfgrep.profile b/etc/profile-m-z/xzfgrep.profile index d9c72407f..4301f5c96 100644 --- a/etc/profile-m-z/xzfgrep.profile +++ b/etc/profile-m-z/xzfgrep.profile | |||
@@ -3,5 +3,8 @@ | |||
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | 5 | ||
6 | # Persistent local customizations | ||
7 | include xzfgrep.local | ||
8 | |||
6 | # Redirect | 9 | # Redirect |
7 | include cpio.profile | 10 | include cpio.profile |
diff --git a/etc/profile-m-z/xzgrep.profile b/etc/profile-m-z/xzgrep.profile index f7410b928..2def07549 100644 --- a/etc/profile-m-z/xzgrep.profile +++ b/etc/profile-m-z/xzgrep.profile | |||
@@ -2,5 +2,8 @@ | |||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | 2 | # Description: Library and command line tools for XZ and LZMA compressed files |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | 4 | ||
5 | # Persistent local customizations | ||
6 | include xzgrep.local | ||
7 | |||
5 | # Redirect | 8 | # Redirect |
6 | include cpio.profile | 9 | include cpio.profile |
diff --git a/etc/profile-m-z/xzless.profile b/etc/profile-m-z/xzless.profile index f7410b928..d55a4c6c9 100644 --- a/etc/profile-m-z/xzless.profile +++ b/etc/profile-m-z/xzless.profile | |||
@@ -2,5 +2,8 @@ | |||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | 2 | # Description: Library and command line tools for XZ and LZMA compressed files |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | 4 | ||
5 | # Persistent local customizations | ||
6 | include xzless.local | ||
7 | |||
5 | # Redirect | 8 | # Redirect |
6 | include cpio.profile | 9 | include cpio.profile |
diff --git a/etc/profile-m-z/xzmore.profile b/etc/profile-m-z/xzmore.profile index d9c72407f..f847c7006 100644 --- a/etc/profile-m-z/xzmore.profile +++ b/etc/profile-m-z/xzmore.profile | |||
@@ -3,5 +3,8 @@ | |||
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | 4 | quiet |
5 | 5 | ||
6 | # Persistent local customizations | ||
7 | include xzmore.local | ||
8 | |||
6 | # Redirect | 9 | # Redirect |
7 | include cpio.profile | 10 | include cpio.profile |
diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile index a3a2afa29..e8fe4a360 100644 --- a/etc/profile-m-z/youtube-viewer.profile +++ b/etc/profile-m-z/youtube-viewer.profile | |||
@@ -9,7 +9,10 @@ include globals.local | |||
9 | 9 | ||
10 | noblacklist ${HOME}/.config/youtube-viewer | 10 | noblacklist ${HOME}/.config/youtube-viewer |
11 | 11 | ||
12 | # Allow perl (blacklisted by disable-interpreters.inc) | ||
12 | include allow-perl.inc | 13 | include allow-perl.inc |
14 | |||
15 | # Allow python (blacklisted by disable-interpreters.inc) | ||
13 | include allow-python2.inc | 16 | include allow-python2.inc |
14 | include allow-python3.inc | 17 | include allow-python3.inc |
15 | 18 | ||
diff --git a/etc/profile-m-z/zstdcat.profile b/etc/profile-m-z/zstdcat.profile index ce9af3286..e7c37f58c 100644 --- a/etc/profile-m-z/zstdcat.profile +++ b/etc/profile-m-z/zstdcat.profile | |||
@@ -1,5 +1,8 @@ | |||
1 | # Firejail profile alias for zstd | 1 | # Firejail profile alias for zstd |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent local customizations | ||
5 | include zstdcat.local | ||
6 | |||
4 | # Redirect | 7 | # Redirect |
5 | include zstd.profile | 8 | include zstd.profile |
diff --git a/etc/profile-m-z/zstdgrep.profile b/etc/profile-m-z/zstdgrep.profile index ce9af3286..604e3524e 100644 --- a/etc/profile-m-z/zstdgrep.profile +++ b/etc/profile-m-z/zstdgrep.profile | |||
@@ -1,5 +1,8 @@ | |||
1 | # Firejail profile alias for zstd | 1 | # Firejail profile alias for zstd |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent local customizations | ||
5 | include zstdgrep.local | ||
6 | |||
4 | # Redirect | 7 | # Redirect |
5 | include zstd.profile | 8 | include zstd.profile |
diff --git a/etc/profile-m-z/zstdless.profile b/etc/profile-m-z/zstdless.profile index ce9af3286..efe688856 100644 --- a/etc/profile-m-z/zstdless.profile +++ b/etc/profile-m-z/zstdless.profile | |||
@@ -1,5 +1,8 @@ | |||
1 | # Firejail profile alias for zstd | 1 | # Firejail profile alias for zstd |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent local customizations | ||
5 | include zstdless.local | ||
6 | |||
4 | # Redirect | 7 | # Redirect |
5 | include zstd.profile | 8 | include zstd.profile |
diff --git a/etc/profile-m-z/zstdmt.profile b/etc/profile-m-z/zstdmt.profile index ce9af3286..cdd93f688 100644 --- a/etc/profile-m-z/zstdmt.profile +++ b/etc/profile-m-z/zstdmt.profile | |||
@@ -1,5 +1,8 @@ | |||
1 | # Firejail profile alias for zstd | 1 | # Firejail profile alias for zstd |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | 3 | ||
4 | # Persistent local customizations | ||
5 | include zstdmt.local | ||
6 | |||
4 | # Redirect | 7 | # Redirect |
5 | include zstd.profile | 8 | include zstd.profile |
diff --git a/etc/templates/profile.template b/etc/templates/profile.template index 9435fffae..9e9fc3fe9 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template | |||
@@ -161,6 +161,7 @@ include globals.local | |||
161 | ##seccomp !chroot | 161 | ##seccomp !chroot |
162 | ##seccomp.drop SYSCALLS (see syscalls.txt) | 162 | ##seccomp.drop SYSCALLS (see syscalls.txt) |
163 | #seccomp.block-secondary | 163 | #seccomp.block-secondary |
164 | ##seccomp-error-action log (Only for debugging seccomp issues) | ||
164 | #shell none | 165 | #shell none |
165 | #tracelog | 166 | #tracelog |
166 | # Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set | 167 | # Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set |
diff --git a/mkdeb.sh.in b/mkdeb.sh.in index a19dee620..5b68175fd 100755 --- a/mkdeb.sh.in +++ b/mkdeb.sh.in | |||
@@ -64,7 +64,7 @@ chmod 644 $DEBIAN_CTRL_DIR/conffiles | |||
64 | find $INSTALL_DIR -type d | xargs chmod 755 | 64 | find $INSTALL_DIR -type d | xargs chmod 755 |
65 | cd $CODE_DIR | 65 | cd $CODE_DIR |
66 | fakeroot dpkg-deb --build debian | 66 | fakeroot dpkg-deb --build debian |
67 | lintian debian.deb | 67 | lintian --no-tag-display-limit debian.deb |
68 | mv debian.deb ../firejail_${VERSION}${EXTRA_VERSION}_1_$(dpkg-architecture -qDEB_HOST_ARCH).deb | 68 | mv debian.deb ../firejail_${VERSION}${EXTRA_VERSION}_1_$(dpkg-architecture -qDEB_HOST_ARCH).deb |
69 | cd .. | 69 | cd .. |
70 | rm -fr $CODE_DIR | 70 | rm -fr $CODE_DIR |
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c index 1b8231033..0bc4a0ee2 100644 --- a/src/fbuilder/build_fs.c +++ b/src/fbuilder/build_fs.c | |||
@@ -217,6 +217,10 @@ void build_share(const char *fname, FILE *fp) { | |||
217 | //******************************************* | 217 | //******************************************* |
218 | static FileDB *tmp_out = NULL; | 218 | static FileDB *tmp_out = NULL; |
219 | static void tmp_callback(char *ptr) { | 219 | static void tmp_callback(char *ptr) { |
220 | // skip strace file | ||
221 | if (strncmp(ptr, "/tmp/firejail-strace", 20) == 0) | ||
222 | return; | ||
223 | |||
220 | tmp_out = filedb_add(tmp_out, ptr); | 224 | tmp_out = filedb_add(tmp_out, ptr); |
221 | } | 225 | } |
222 | 226 | ||
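Review bot: The prefix length `20` in the new `strncmp` call in `tmp_callback` is a hand-counted copy of the literal's length, so changing the path without the number would silently change what gets filtered. Deriving the length from the string keeps the two in step, e.g. `static const char strace_prefix[] = "/tmp/firejail-strace";` followed by `if (strncmp(ptr, strace_prefix, sizeof(strace_prefix) - 1) == 0)`. Because this is a prefix match, any other /tmp entry whose name begins with that string is also left out of the generated profile; a short comment confirming that this is intended would help the next reader.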
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c index 0517c837e..09f41a838 100644 --- a/src/fbuilder/build_profile.c +++ b/src/fbuilder/build_profile.c | |||
@@ -85,12 +85,12 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
85 | int have_yama_permission = 1; | 85 | int have_yama_permission = 1; |
86 | if (access("/usr/bin/strace", X_OK) == 0) { | 86 | if (access("/usr/bin/strace", X_OK) == 0) { |
87 | have_strace = 1; | 87 | have_strace = 1; |
88 | FILE *fp = fopen("/proc/sys/kernel/yama/ptrace_scope", "r"); | 88 | FILE *ps = fopen("/proc/sys/kernel/yama/ptrace_scope", "r"); |
89 | if (fp) { | 89 | if (ps) { |
90 | unsigned val; | 90 | unsigned val; |
91 | if (fscanf(fp, "%u", &val) == 1) | 91 | if (fscanf(ps, "%u", &val) == 1) |
92 | have_yama_permission = (val < 2); | 92 | have_yama_permission = (val < 2); |
93 | fclose(fp); | 93 | fclose(ps); |
94 | } | 94 | } |
95 | } | 95 | } |
96 | 96 | ||
@@ -102,10 +102,10 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
102 | cmd[0] = cmdlist[0]; // explicit assignment to clean scan-build error | 102 | cmd[0] = cmdlist[0]; // explicit assignment to clean scan-build error |
103 | 103 | ||
104 | // build command | 104 | // build command |
105 | // skip strace if not installed, or no permission to use it | ||
105 | int skip_strace = !(have_strace && have_yama_permission); | 106 | int skip_strace = !(have_strace && have_yama_permission); |
106 | unsigned i = 0; | 107 | unsigned i = 0; |
107 | for (i = 0; i < (int) sizeof(cmdlist) / sizeof(char*); i++) { | 108 | for (i = 0; i < (int) sizeof(cmdlist) / sizeof(char*); i++) { |
108 | // skip strace if not installed, or no permission to use it | ||
109 | if (skip_strace && strcmp(cmdlist[i], "/usr/bin/strace") == 0) | 109 | if (skip_strace && strcmp(cmdlist[i], "/usr/bin/strace") == 0) |
110 | break; | 110 | break; |
111 | cmd[i] = cmdlist[i]; | 111 | cmd[i] = cmdlist[i]; |
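Review bot: The threshold in `have_yama_permission = (val < 2);` in the first hunk is undocumented, although it decides whether strace is used at all. A comment such as `// ptrace_scope 0 and 1 let an unprivileged process trace its own children; 2 and 3 do not` would explain it. When the file opens but `fscanf` does not return 1, the initial `have_yama_permission = 1` is kept, so an unparsable value is treated as permission granted; if that is deliberate, it deserves a word in the same comment. build_profile starts and ends outside both hunks.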
diff --git a/src/fcopy/Makefile.in b/src/fcopy/Makefile.in index 64e277e2d..85f84aa32 100644 --- a/src/fcopy/Makefile.in +++ b/src/fcopy/Makefile.in | |||
@@ -5,8 +5,8 @@ include ../common.mk | |||
5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h | 5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h |
6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | 6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ |
7 | 7 | ||
8 | fcopy: $(OBJS) | 8 | fcopy: $(OBJS) ../lib/common.o |
9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) | 9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) |
10 | 10 | ||
11 | clean:; rm -fr *.o fcopy *.gcov *.gcda *.gcno *.plist | 11 | clean:; rm -fr *.o fcopy *.gcov *.gcda *.gcno *.plist |
12 | 12 | ||
diff --git a/src/fcopy/main.c b/src/fcopy/main.c index 67237b4ea..e65501d6d 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c | |||
@@ -23,7 +23,6 @@ | |||
23 | #include <ftw.h> | 23 | #include <ftw.h> |
24 | #include <errno.h> | 24 | #include <errno.h> |
25 | #include <pwd.h> | 25 | #include <pwd.h> |
26 | #include <sys/prctl.h> | ||
27 | 26 | ||
28 | #if HAVE_SELINUX | 27 | #if HAVE_SELINUX |
29 | #include <sys/stat.h> | 28 | #include <sys/stat.h> |
@@ -112,7 +111,7 @@ static void copy_file(const char *srcname, const char *destname, mode_t mode, ui | |||
112 | } | 111 | } |
113 | 112 | ||
114 | // open destination | 113 | // open destination |
115 | int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, 0755); | 114 | int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR); |
116 | if (dst < 0) { | 115 | if (dst < 0) { |
117 | if (!arg_quiet) | 116 | if (!arg_quiet) |
118 | fprintf(stderr, "Warning fcopy: cannot open %s, file not copied\n", destname); | 117 | fprintf(stderr, "Warning fcopy: cannot open %s, file not copied\n", destname); |
@@ -133,7 +132,8 @@ static void copy_file(const char *srcname, const char *destname, mode_t mode, ui | |||
133 | done += rv; | 132 | done += rv; |
134 | } | 133 | } |
135 | } | 134 | } |
136 | fflush(0); | 135 | if (len < 0) |
136 | goto errexit; | ||
137 | 137 | ||
138 | if (fchown(dst, uid, gid) == -1) | 138 | if (fchown(dst, uid, gid) == -1) |
139 | goto errexit; | 139 | goto errexit; |
@@ -180,7 +180,7 @@ void copy_link(const char *target, const char *linkpath, mode_t mode, uid_t uid, | |||
180 | 180 | ||
181 | // if the link is already there, don't create it | 181 | // if the link is already there, don't create it |
182 | struct stat s; | 182 | struct stat s; |
183 | if (stat(linkpath, &s) == 0) | 183 | if (lstat(linkpath, &s) == 0) |
184 | return; | 184 | return; |
185 | 185 | ||
186 | char *rp = realpath(target, NULL); | 186 | char *rp = realpath(target, NULL); |
@@ -412,30 +412,21 @@ int main(int argc, char **argv) { | |||
412 | exit(1); | 412 | exit(1); |
413 | } | 413 | } |
414 | 414 | ||
415 | #ifdef WARN_DUMPABLE | 415 | warn_dumpable(); |
416 | if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid()) | ||
417 | fprintf(stderr, "Error fcopy: I am dumpable\n"); | ||
418 | #endif | ||
419 | |||
420 | // trim trailing chars | ||
421 | if (src[strlen(src) - 1] == '/') | ||
422 | src[strlen(src) - 1] = '\0'; | ||
423 | if (dest[strlen(dest) - 1] == '/') | ||
424 | dest[strlen(dest) - 1] = '\0'; | ||
425 | 416 | ||
426 | // check the two files; remove ending / | 417 | // check the two files; remove ending / |
427 | int len = strlen(src); | 418 | size_t len = strlen(src); |
428 | if (src[len - 1] == '/') | 419 | while (len > 1 && src[len - 1] == '/') |
429 | src[len - 1] = '\0'; | 420 | src[--len] = '\0'; |
430 | if (strcspn(src, "\\*&!?\"'<>%^(){}[];,") != (size_t)len) { | 421 | if (strcspn(src, "\\*&!?\"'<>%^(){}[];,") != len) { |
431 | fprintf(stderr, "Error fcopy: invalid source file name %s\n", src); | 422 | fprintf(stderr, "Error fcopy: invalid source file name %s\n", src); |
432 | exit(1); | 423 | exit(1); |
433 | } | 424 | } |
434 | 425 | ||
435 | len = strlen(dest); | 426 | len = strlen(dest); |
436 | if (dest[len - 1] == '/') | 427 | while (len > 1 && dest[len - 1] == '/') |
437 | dest[len - 1] = '\0'; | 428 | dest[--len] = '\0'; |
438 | if (strcspn(dest, "\\*&!?\"'<>%^(){}[];,~") != (size_t)len) { | 429 | if (strcspn(dest, "\\*&!?\"'<>%^(){}[];,~") != len) { |
439 | fprintf(stderr, "Error fcopy: invalid dest file name %s\n", dest); | 430 | fprintf(stderr, "Error fcopy: invalid dest file name %s\n", dest); |
440 | exit(1); | 431 | exit(1); |
441 | } | 432 | } |
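Review bot: The new `open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR)` in `copy_file` narrows the creation mode, but that mode applies only when the file is created, and the call still follows a symlink already present at `destname` and truncates its target. If the destination is always expected to be a fresh path, saying so in the flags would close that gap: `int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC|O_NOFOLLOW, S_IRUSR | S_IWUSR);`. Whether callers already guarantee a destination directory that the sandboxed user cannot write to is not visible here, because copy_file starts and ends outside the hunk. The same section moves `copy_link` from `stat` to `lstat`, so treating symlinks at the destination explicitly would be consistent with it.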
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 3ebf6fca9..e924ef2ec 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -149,6 +149,7 @@ conkeror | |||
149 | conky | 149 | conky |
150 | conplay | 150 | conplay |
151 | corebird | 151 | corebird |
152 | coyim | ||
152 | crawl | 153 | crawl |
153 | crawl-tiles | 154 | crawl-tiles |
154 | crow | 155 | crow |
@@ -390,6 +391,7 @@ kazam | |||
390 | kcalc | 391 | kcalc |
391 | # kdeinit4 | 392 | # kdeinit4 |
392 | kdenlive | 393 | kdenlive |
394 | kdiff3 | ||
393 | keepass | 395 | keepass |
394 | keepass2 | 396 | keepass2 |
395 | keepassx | 397 | keepassx |
@@ -622,6 +624,7 @@ qemu-launcher | |||
622 | qgis | 624 | qgis |
623 | qlipper | 625 | qlipper |
624 | qmmp | 626 | qmmp |
627 | qnapi | ||
625 | qpdfview | 628 | qpdfview |
626 | qt-faststart | 629 | qt-faststart |
627 | qtox | 630 | qtox |
@@ -663,6 +666,7 @@ secret-tool | |||
663 | shellcheck | 666 | shellcheck |
664 | shortwave | 667 | shortwave |
665 | shotcut | 668 | shotcut |
669 | shotwell | ||
666 | signal-cli | 670 | signal-cli |
667 | signal-desktop | 671 | signal-desktop |
668 | silentarmy | 672 | silentarmy |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 80987e494..9ea3edcd0 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -513,7 +513,6 @@ void check_private_dir(void); | |||
513 | void update_map(char *mapping, char *map_file); | 513 | void update_map(char *mapping, char *map_file); |
514 | void wait_for_other(int fd); | 514 | void wait_for_other(int fd); |
515 | void notify_other(int fd); | 515 | void notify_other(int fd); |
516 | const char *gnu_basename(const char *path); | ||
517 | uid_t pid_get_uid(pid_t pid); | 516 | uid_t pid_get_uid(pid_t pid); |
518 | uid_t get_group_id(const char *group); | 517 | uid_t get_group_id(const char *group); |
519 | int remove_overlay_directory(void); | 518 | int remove_overlay_directory(void); |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 0d4e496e8..4e6c1adc3 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -795,6 +795,8 @@ void disable_config(void) { | |||
795 | disable_file(BLACKLIST_FILE, RUN_FIREJAIL_PROFILE_DIR); | 795 | disable_file(BLACKLIST_FILE, RUN_FIREJAIL_PROFILE_DIR); |
796 | if (stat(RUN_FIREJAIL_X11_DIR, &s) == 0) | 796 | if (stat(RUN_FIREJAIL_X11_DIR, &s) == 0) |
797 | disable_file(BLACKLIST_FILE, RUN_FIREJAIL_X11_DIR); | 797 | disable_file(BLACKLIST_FILE, RUN_FIREJAIL_X11_DIR); |
798 | if (!arg_appimage && stat(RUN_FIREJAIL_APPIMAGE_DIR, &s) == 0) | ||
799 | disable_file(BLACKLIST_FILE, RUN_FIREJAIL_APPIMAGE_DIR); | ||
798 | } | 800 | } |
799 | 801 | ||
800 | 802 | ||
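Review bot: The new `RUN_FIREJAIL_APPIMAGE_DIR` rule in `disable_config` has no comment, and unlike its neighbours it is conditional on `!arg_appimage`, which is the part a reader has to work out. A line such as `// hide the AppImage run directory from sandboxes that are not running an AppImage` above the `if` would record the intent; that wording is inferred from the identifier names, so adjust it if the directory serves another purpose. disable_config starts outside the hunk.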
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c index d5b392d71..b8c1b21b1 100644 --- a/src/firejail/fs_lib.c +++ b/src/firejail/fs_lib.c | |||
@@ -33,6 +33,52 @@ extern void fslib_install_system(void); | |||
33 | static int lib_cnt = 0; | 33 | static int lib_cnt = 0; |
34 | static int dir_cnt = 0; | 34 | static int dir_cnt = 0; |
35 | 35 | ||
36 | char *find_in_path(const char *program) { | ||
37 | EUID_ASSERT(); | ||
38 | if (arg_debug) | ||
39 | printf("Searching $PATH for %s\n", program); | ||
40 | |||
41 | char self[MAXBUF]; | ||
42 | ssize_t len = readlink("/proc/self/exe", self, MAXBUF - 1); | ||
43 | if (len < 0) | ||
44 | errExit("readlink"); | ||
45 | self[len] = '\0'; | ||
46 | |||
47 | char *path = getenv("PATH"); | ||
48 | if (!path) | ||
49 | return NULL; | ||
50 | char *dup = strdup(path); | ||
51 | if (!dup) | ||
52 | errExit("strdup"); | ||
53 | char *tok = strtok(dup, ":"); | ||
54 | while (tok) { | ||
55 | char *fname; | ||
56 | if (asprintf(&fname, "%s/%s", tok, program) == -1) | ||
57 | errExit("asprintf"); | ||
58 | |||
59 | if (arg_debug) | ||
60 | printf("trying #%s#\n", fname); | ||
61 | struct stat s; | ||
62 | if (stat(fname, &s) == 0) { | ||
63 | // but skip links created by firecfg | ||
64 | char *rp = realpath(fname, NULL); | ||
65 | if (!rp) | ||
66 | errExit("realpath"); | ||
67 | if (strcmp(self, rp) != 0) { | ||
68 | free(rp); | ||
69 | free(dup); | ||
70 | return fname; | ||
71 | } | ||
72 | free(rp); | ||
73 | } | ||
74 | free(fname); | ||
75 | tok = strtok(NULL, ":"); | ||
76 | } | ||
77 | |||
78 | free(dup); | ||
79 | return NULL; | ||
80 | } | ||
81 | |||
36 | static void report_duplication(const char *full_path) { | 82 | static void report_duplication(const char *full_path) { |
37 | char *fname = strrchr(full_path, '/'); | 83 | char *fname = strrchr(full_path, '/'); |
38 | if (fname && *(++fname) != '\0') { | 84 | if (fname && *(++fname) != '\0') { |
@@ -336,11 +382,40 @@ void fs_private_lib(void) { | |||
336 | // start timetrace | 382 | // start timetrace |
337 | timetrace_start(); | 383 | timetrace_start(); |
338 | 384 | ||
385 | // bring in firejail executable libraries in case we are redirected here by a firejail symlink from /usr/local/bin/firejail | ||
386 | if (arg_debug || arg_debug_private_lib) | ||
387 | printf("Installing Firejail libraries\n"); | ||
388 | fslib_install_list(PATH_FIREJAIL); | ||
389 | |||
390 | // bring in firejail directory | ||
391 | fslib_install_list(LIBDIR "/firejail"); | ||
392 | |||
393 | // bring in dhclient libraries | ||
394 | if (any_dhcp()) { | ||
395 | if (arg_debug || arg_debug_private_lib) | ||
396 | printf("Installing dhclient libraries\n"); | ||
397 | fslib_install_list(RUN_MNT_DIR "/dhclient"); | ||
398 | } | ||
399 | fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end()); | ||
400 | |||
401 | timetrace_start(); | ||
402 | |||
339 | // copy the libs in the new lib directory for the main exe | 403 | // copy the libs in the new lib directory for the main exe |
340 | if (cfg.original_program_index > 0) { | 404 | if (cfg.original_program_index > 0) { |
341 | if (arg_debug || arg_debug_private_lib) | 405 | if (arg_debug || arg_debug_private_lib) |
342 | printf("Installing sandboxed program libraries\n"); | 406 | printf("Installing sandboxed program libraries\n"); |
343 | fslib_install_list(cfg.original_argv[cfg.original_program_index]); | 407 | |
408 | if (strchr(cfg.original_argv[cfg.original_program_index], '/')) | ||
409 | fslib_install_list(cfg.original_argv[cfg.original_program_index]); | ||
410 | else { // search executable in $PATH | ||
411 | EUID_USER(); | ||
412 | char *fname = find_in_path(cfg.original_argv[cfg.original_program_index]); | ||
413 | EUID_ROOT(); | ||
414 | if (fname) { | ||
415 | fslib_install_list(fname); | ||
416 | free(fname); | ||
417 | } | ||
418 | } | ||
344 | } | 419 | } |
345 | 420 | ||
346 | // for the shell | 421 | // for the shell |
@@ -369,18 +444,11 @@ void fs_private_lib(void) { | |||
369 | } | 444 | } |
370 | fmessage("Program libraries installed in %0.2f ms\n", timetrace_end()); | 445 | fmessage("Program libraries installed in %0.2f ms\n", timetrace_end()); |
371 | 446 | ||
372 | // install the reset of the system libraries | 447 | // install the rest of the system libraries |
373 | if (arg_debug || arg_debug_private_lib) | 448 | if (arg_debug || arg_debug_private_lib) |
374 | printf("Installing system libraries\n"); | 449 | printf("Installing system libraries\n"); |
375 | fslib_install_system(); | 450 | fslib_install_system(); |
376 | 451 | ||
377 | // bring in firejail directory for --trace and seccomp post exec | ||
378 | // bring in firejail executable libraries in case we are redirected here by a firejail symlink from /usr/local/bin/firejail | ||
379 | fslib_install_list("/usr/bin/firejail,firejail"); // todo: use the installed path for the executable | ||
380 | |||
381 | // install libraries needed by fcopy | ||
382 | fslib_install_list(PATH_FCOPY); | ||
383 | |||
384 | fmessage("Installed %d %s and %d %s\n", lib_cnt, (lib_cnt == 1)? "library": "libraries", | 452 | fmessage("Installed %d %s and %d %s\n", lib_cnt, (lib_cnt == 1)? "library": "libraries", |
385 | dir_cnt, (dir_cnt == 1)? "directory": "directories"); | 453 | dir_cnt, (dir_cnt == 1)? "directory": "directories"); |
386 | 454 | ||
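Review bot: `find_in_path` accepts the first PATH entry for which `stat(fname, &s) == 0`, so a directory or a non-executable file with the program's name is returned ahead of the real binary further down PATH. Checking the file type and execute permission would bring it in line with a shell lookup: `if (stat(fname, &s) == 0 && S_ISREG(s.st_mode) && access(fname, X_OK) == 0) {`. The function also calls `errExit("realpath")` when a single candidate cannot be resolved, which ends the process instead of trying the next entry; freeing `fname` and continuing the loop would be more forgiving. A header comment stating that the returned string is heap-allocated and owned by the caller would help as well, since the new call in `fs_private_lib` relies on that when it calls `free(fname)`.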
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c index b2ae07f3e..95e10ee05 100644 --- a/src/firejail/fs_lib2.c +++ b/src/firejail/fs_lib2.c | |||
@@ -30,6 +30,7 @@ extern void fslib_copy_dir(const char *full_path); | |||
30 | //*************************************************************** | 30 | //*************************************************************** |
31 | // standard libc libraries based on Debian's libc6 package | 31 | // standard libc libraries based on Debian's libc6 package |
32 | // selinux seems to be linked in most command line utilities | 32 | // selinux seems to be linked in most command line utilities |
33 | // libpcre2 is a dependency of selinux | ||
33 | // locale (/usr/lib/locale) - without it, the program will default to "C" locale | 34 | // locale (/usr/lib/locale) - without it, the program will default to "C" locale |
34 | typedef struct liblist_t { | 35 | typedef struct liblist_t { |
35 | const char *name; | 36 | const char *name; |
@@ -38,6 +39,7 @@ typedef struct liblist_t { | |||
38 | 39 | ||
39 | static LibList libc_list[] = { | 40 | static LibList libc_list[] = { |
40 | { "libselinux.so.", 0 }, | 41 | { "libselinux.so.", 0 }, |
42 | { "libpcre2-8.so.", 0 }, | ||
41 | { "libapparmor.so.", 0}, | 43 | { "libapparmor.so.", 0}, |
42 | { "ld-linux-x86-64.so.", 0 }, | 44 | { "ld-linux-x86-64.so.", 0 }, |
43 | { "libanl.so.", 0 }, | 45 | { "libanl.so.", 0 }, |
@@ -104,17 +106,15 @@ static void stdc(const char *dirname) { | |||
104 | 106 | ||
105 | void fslib_install_stdc(void) { | 107 | void fslib_install_stdc(void) { |
106 | // install standard C libraries | 108 | // install standard C libraries |
109 | timetrace_start(); | ||
107 | struct stat s; | 110 | struct stat s; |
108 | char *stdclib = "/lib64"; // CentOS, Fedora, Arch | ||
109 | |||
110 | if (stat("/lib/x86_64-linux-gnu", &s) == 0) { // Debian & friends | 111 | if (stat("/lib/x86_64-linux-gnu", &s) == 0) { // Debian & friends |
111 | mkdir_attr(RUN_LIB_DIR "/x86_64-linux-gnu", 0755, 0, 0); | 112 | mkdir_attr(RUN_LIB_DIR "/x86_64-linux-gnu", 0755, 0, 0); |
112 | selinux_relabel_path(RUN_LIB_DIR "/x86_64-linux-gnu", "/lib/x86_64-linux-gnu"); | 113 | selinux_relabel_path(RUN_LIB_DIR "/x86_64-linux-gnu", "/lib/x86_64-linux-gnu"); |
113 | stdclib = "/lib/x86_64-linux-gnu"; | 114 | stdc("/lib/x86_64-linux-gnu"); |
114 | } | 115 | } |
115 | 116 | ||
116 | timetrace_start(); | 117 | stdc("/lib64"); // CentOS, Fedora, Arch, ld-linux.so in Debian & friends |
117 | stdc(stdclib); | ||
118 | 118 | ||
119 | // install locale | 119 | // install locale |
120 | if (stat("/usr/lib/locale", &s) == 0) | 120 | if (stat("/usr/lib/locale", &s) == 0) |
diff --git a/src/firejail/main.c b/src/firejail/main.c index e5d8a4720..0f0086a6e 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1231,11 +1231,6 @@ int main(int argc, char **argv, char **envp) { | |||
1231 | } | 1231 | } |
1232 | EUID_ASSERT(); | 1232 | EUID_ASSERT(); |
1233 | 1233 | ||
1234 | #ifdef WARN_DUMPABLE | ||
1235 | if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid()) | ||
1236 | fprintf(stderr, "Error: Firejail is dumpable\n"); | ||
1237 | #endif | ||
1238 | |||
1239 | // check for force-nonewprivs in /etc/firejail/firejail.config file | 1234 | // check for force-nonewprivs in /etc/firejail/firejail.config file |
1240 | if (checkcfg(CFG_FORCE_NONEWPRIVS)) | 1235 | if (checkcfg(CFG_FORCE_NONEWPRIVS)) |
1241 | arg_nonewprivs = 1; | 1236 | arg_nonewprivs = 1; |
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c index ea3889024..b38cc0ca6 100644 --- a/src/firejail/run_symlink.c +++ b/src/firejail/run_symlink.c | |||
@@ -22,6 +22,8 @@ | |||
22 | #include <sys/stat.h> | 22 | #include <sys/stat.h> |
23 | #include <unistd.h> | 23 | #include <unistd.h> |
24 | 24 | ||
25 | extern char *find_in_path(const char *program); | ||
26 | |||
25 | void run_symlink(int argc, char **argv, int run_as_is) { | 27 | void run_symlink(int argc, char **argv, int run_as_is) { |
26 | EUID_ASSERT(); | 28 | EUID_ASSERT(); |
27 | 29 | ||
@@ -40,54 +42,17 @@ void run_symlink(int argc, char **argv, int run_as_is) { | |||
40 | errExit("setresuid"); | 42 | errExit("setresuid"); |
41 | 43 | ||
42 | // find the real program by looking in PATH | 44 | // find the real program by looking in PATH |
43 | char *p = getenv("PATH"); | 45 | if (!getenv("PATH")) { |
44 | if (!p) { | ||
45 | fprintf(stderr, "Error: PATH environment variable not set\n"); | 46 | fprintf(stderr, "Error: PATH environment variable not set\n"); |
46 | exit(1); | 47 | exit(1); |
47 | } | 48 | } |
48 | 49 | ||
49 | char *path = strdup(p); | 50 | char *p = find_in_path(program); |
50 | if (!path) | 51 | if (!p) { |
51 | errExit("strdup"); | ||
52 | |||
53 | char *selfpath = realpath("/proc/self/exe", NULL); | ||
54 | if (!selfpath) | ||
55 | errExit("realpath"); | ||
56 | |||
57 | // look in path for our program | ||
58 | char *tok = strtok(path, ":"); | ||
59 | int found = 0; | ||
60 | while (tok) { | ||
61 | char *name; | ||
62 | if (asprintf(&name, "%s/%s", tok, program) == -1) | ||
63 | errExit("asprintf"); | ||
64 | |||
65 | struct stat s; | ||
66 | if (stat(name, &s) == 0) { | ||
67 | /* coverity[toctou] */ | ||
68 | char* rp = realpath(name, NULL); | ||
69 | if (!rp) | ||
70 | errExit("realpath"); | ||
71 | |||
72 | if (strcmp(selfpath, rp) != 0) { | ||
73 | program = strdup(name); | ||
74 | found = 1; | ||
75 | free(rp); | ||
76 | break; | ||
77 | } | ||
78 | |||
79 | free(rp); | ||
80 | } | ||
81 | |||
82 | free(name); | ||
83 | tok = strtok(NULL, ":"); | ||
84 | } | ||
85 | if (!found) { | ||
86 | fprintf(stderr, "Error: cannot find the program in the path\n"); | 52 | fprintf(stderr, "Error: cannot find the program in the path\n"); |
87 | exit(1); | 53 | exit(1); |
88 | } | 54 | } |
89 | 55 | program = p; | |
90 | free(selfpath); | ||
91 | 56 | ||
92 | // restore original umask | 57 | // restore original umask |
93 | umask(orig_umask); | 58 | umask(orig_umask); |
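Review bot: The self-exclusion test is gone from run_symlink() in the second hunk. The removed loop compared `realpath(name)` with `realpath("/proc/self/exe")` so that a PATH entry resolving back to firejail was skipped; the new `find_in_path(program)` call now has to provide that guarantee, and its body is not shown on this page. PATH is supplied by the caller, so I would state the contract next to the call, e.g. `// find_in_path() must skip entries that resolve to /proc/self/exe, otherwise a firejail symlink re-executes itself`. The prototype is also added as a file-local `extern` in the first hunk; declaring it in a header that the defining file includes lets the compiler catch a signature mismatch. run_symlink's body continues outside the hunks.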
diff --git a/src/firejail/util.c b/src/firejail/util.c index 6cac535db..911c8bd94 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -811,20 +811,6 @@ void notify_other(int fd) { | |||
811 | fclose(stream); | 811 | fclose(stream); |
812 | } | 812 | } |
813 | 813 | ||
814 | |||
815 | |||
816 | |||
817 | // Equivalent to the GNU version of basename, which is incompatible with | ||
818 | // the POSIX basename. A few lines of code saves any portability pain. | ||
819 | // https://www.gnu.org/software/libc/manual/html_node/Finding-Tokens-in-a-String.html#index-basename | ||
820 | const char *gnu_basename(const char *path) { | ||
821 | const char *last_slash = strrchr(path, '/'); | ||
822 | if (!last_slash) | ||
823 | return path; | ||
824 | return last_slash+1; | ||
825 | } | ||
826 | |||
827 | |||
828 | uid_t pid_get_uid(pid_t pid) { | 814 | uid_t pid_get_uid(pid_t pid) { |
829 | EUID_ASSERT(); | 815 | EUID_ASSERT(); |
830 | uid_t rv = 0; | 816 | uid_t rv = 0; |
diff --git a/src/fldd/Makefile.in b/src/fldd/Makefile.in index 53382c2df..37b139d38 100644 --- a/src/fldd/Makefile.in +++ b/src/fldd/Makefile.in | |||
@@ -5,8 +5,8 @@ include ../common.mk | |||
5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h ../include/ldd_utils.h | 5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h ../include/ldd_utils.h |
6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | 6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ |
7 | 7 | ||
8 | fldd: $(OBJS) ../lib/ldd_utils.o | 8 | fldd: $(OBJS) ../lib/common.o ../lib/ldd_utils.o |
9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS) | 9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS) |
10 | 10 | ||
11 | clean:; rm -fr *.o fldd *.gcov *.gcda *.gcno *.plist | 11 | clean:; rm -fr *.o fldd *.gcov *.gcda *.gcno *.plist |
12 | 12 | ||
diff --git a/src/fldd/main.c b/src/fldd/main.c index d68504f6b..55a0dfcce 100644 --- a/src/fldd/main.c +++ b/src/fldd/main.c | |||
@@ -24,7 +24,6 @@ | |||
24 | #include <fcntl.h> | 24 | #include <fcntl.h> |
25 | #include <sys/mman.h> | 25 | #include <sys/mman.h> |
26 | #include <sys/mount.h> | 26 | #include <sys/mount.h> |
27 | #include <sys/prctl.h> | ||
28 | #include <sys/stat.h> | 27 | #include <sys/stat.h> |
29 | #include <sys/types.h> | 28 | #include <sys/types.h> |
30 | #include <unistd.h> | 29 | #include <unistd.h> |
@@ -303,10 +302,7 @@ printf("\n"); | |||
303 | return 0; | 302 | return 0; |
304 | } | 303 | } |
305 | 304 | ||
306 | #ifdef WARN_DUMPABLE | 305 | warn_dumpable(); |
307 | if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid()) | ||
308 | fprintf(stderr, "Error fldd: I am dumpable\n"); | ||
309 | #endif | ||
310 | 306 | ||
311 | // check program access | 307 | // check program access |
312 | if (access(argv[1], R_OK)) { | 308 | if (access(argv[1], R_OK)) { |
diff --git a/src/fnet/Makefile.in b/src/fnet/Makefile.in index 37566db72..bd5fe9e7a 100644 --- a/src/fnet/Makefile.in +++ b/src/fnet/Makefile.in | |||
@@ -5,8 +5,8 @@ include ../common.mk | |||
5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h | 5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h |
6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | 6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ |
7 | 7 | ||
8 | fnet: $(OBJS) ../lib/libnetlink.o | 8 | fnet: $(OBJS) ../lib/common.o ../lib/libnetlink.o |
9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS) | 9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS) |
10 | 10 | ||
11 | clean:; rm -fr *.o fnet *.gcov *.gcda *.gcno *.plist | 11 | clean:; rm -fr *.o fnet *.gcov *.gcda *.gcno *.plist |
12 | 12 | ||
diff --git a/src/fnet/main.c b/src/fnet/main.c index f6316a7fe..db090fb95 100644 --- a/src/fnet/main.c +++ b/src/fnet/main.c | |||
@@ -21,7 +21,6 @@ | |||
21 | #include <sys/types.h> | 21 | #include <sys/types.h> |
22 | #include <sys/stat.h> | 22 | #include <sys/stat.h> |
23 | #include <sys/utsname.h> | 23 | #include <sys/utsname.h> |
24 | #include <sys/prctl.h> | ||
25 | 24 | ||
26 | int arg_quiet = 0; | 25 | int arg_quiet = 0; |
27 | 26 | ||
@@ -69,10 +68,9 @@ printf("\n"); | |||
69 | usage(); | 68 | usage(); |
70 | return 0; | 69 | return 0; |
71 | } | 70 | } |
72 | #ifdef WARN_DUMPABLE | 71 | |
73 | if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid()) | 72 | warn_dumpable(); |
74 | fprintf(stderr, "Error fnet: I am dumpable\n"); | 73 | |
75 | #endif | ||
76 | char *quiet = getenv("FIREJAIL_QUIET"); | 74 | char *quiet = getenv("FIREJAIL_QUIET"); |
77 | if (quiet && strcmp(quiet, "yes") == 0) | 75 | if (quiet && strcmp(quiet, "yes") == 0) |
78 | arg_quiet = 1; | 76 | arg_quiet = 1; |
diff --git a/src/fnetfilter/Makefile.in b/src/fnetfilter/Makefile.in index 055167192..6fe650a17 100644 --- a/src/fnetfilter/Makefile.in +++ b/src/fnetfilter/Makefile.in | |||
@@ -5,8 +5,8 @@ include ../common.mk | |||
5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h | 5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h |
6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | 6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ |
7 | 7 | ||
8 | fnetfilter: $(OBJS) | 8 | fnetfilter: $(OBJS) ../lib/common.o |
9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) | 9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) |
10 | 10 | ||
11 | clean:; rm -fr *.o fnetfilter *.gcov *.gcda *.gcno *.plist | 11 | clean:; rm -fr *.o fnetfilter *.gcov *.gcda *.gcno *.plist |
12 | 12 | ||
diff --git a/src/fnetfilter/main.c b/src/fnetfilter/main.c index 1ca35ab56..381d0d36e 100644 --- a/src/fnetfilter/main.c +++ b/src/fnetfilter/main.c | |||
@@ -18,7 +18,6 @@ | |||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
19 | */ | 19 | */ |
20 | #include "../include/common.h" | 20 | #include "../include/common.h" |
21 | #include <sys/prctl.h> | ||
22 | 21 | ||
23 | #define MAXBUF 4098 | 22 | #define MAXBUF 4098 |
24 | #define MAXARGS 16 | 23 | #define MAXARGS 16 |
@@ -181,10 +180,9 @@ printf("\n"); | |||
181 | usage(); | 180 | usage(); |
182 | return 1; | 181 | return 1; |
183 | } | 182 | } |
184 | #ifdef WARN_DUMPABLE | 183 | |
185 | if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid()) | 184 | warn_dumpable(); |
186 | fprintf(stderr, "Error fnetfilter: I am dumpable\n"); | 185 | |
187 | #endif | ||
188 | char *destfile = (argc == 3)? argv[2]: argv[1]; | 186 | char *destfile = (argc == 3)? argv[2]: argv[1]; |
189 | char *command = (argc == 3)? argv[1]: NULL; | 187 | char *command = (argc == 3)? argv[1]: NULL; |
190 | //printf("command %s\n", command); | 188 | //printf("command %s\n", command); |
diff --git a/src/fsec-optimize/Makefile.in b/src/fsec-optimize/Makefile.in index 0387f7ec7..b6a28fdd8 100644 --- a/src/fsec-optimize/Makefile.in +++ b/src/fsec-optimize/Makefile.in | |||
@@ -5,8 +5,8 @@ include ../common.mk | |||
5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h | 5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h |
6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | 6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ |
7 | 7 | ||
8 | fsec-optimize: $(OBJS) ../lib/libnetlink.o | 8 | fsec-optimize: $(OBJS) ../lib/common.o ../lib/libnetlink.o |
9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) | 9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) |
10 | 10 | ||
11 | clean:; rm -fr *.o fsec-optimize *.gcov *.gcda *.gcno *.plist | 11 | clean:; rm -fr *.o fsec-optimize *.gcov *.gcda *.gcno *.plist |
12 | 12 | ||
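Review bot: The `fsec-optimize` rule still lists `../lib/libnetlink.o` as a prerequisite, but the link command passes only `$(OBJS) ../lib/common.o`, so that object is built and tracked without being linked. Either drop it from the prerequisites, `fsec-optimize: $(OBJS) ../lib/common.o`, or add it to the link command if the program needs it. The same mismatch appears in src/fsec-print/Makefile.in.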
diff --git a/src/fsec-optimize/fsec_optimize.h b/src/fsec-optimize/fsec_optimize.h index 034fde2ac..211111641 100644 --- a/src/fsec-optimize/fsec_optimize.h +++ b/src/fsec-optimize/fsec_optimize.h | |||
@@ -22,7 +22,6 @@ | |||
22 | #include "../include/common.h" | 22 | #include "../include/common.h" |
23 | #include "../include/seccomp.h" | 23 | #include "../include/seccomp.h" |
24 | #include <sys/mman.h> | 24 | #include <sys/mman.h> |
25 | #include <sys/prctl.h> | ||
26 | 25 | ||
27 | // optimize.c | 26 | // optimize.c |
28 | struct sock_filter *duplicate(struct sock_filter *filter, int entries); | 27 | struct sock_filter *duplicate(struct sock_filter *filter, int entries); |
diff --git a/src/fsec-optimize/main.c b/src/fsec-optimize/main.c index fb13eeca8..74aebc9e0 100644 --- a/src/fsec-optimize/main.c +++ b/src/fsec-optimize/main.c | |||
@@ -44,11 +44,7 @@ printf("\n"); | |||
44 | return 0; | 44 | return 0; |
45 | } | 45 | } |
46 | 46 | ||
47 | #ifdef WARN_DUMPABLE | 47 | warn_dumpable(); |
48 | // check FIREJAIL_PLUGIN in order to not print a warning during make | ||
49 | if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN")) | ||
50 | fprintf(stderr, "Error fsec-optimize: I am dumpable\n"); | ||
51 | #endif | ||
52 | 48 | ||
53 | char *fname = argv[1]; | 49 | char *fname = argv[1]; |
54 | 50 | ||
diff --git a/src/fsec-print/Makefile.in b/src/fsec-print/Makefile.in index a30ff4ba3..bf39a8c77 100644 --- a/src/fsec-print/Makefile.in +++ b/src/fsec-print/Makefile.in | |||
@@ -5,8 +5,8 @@ include ../common.mk | |||
5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h | 5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h |
6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | 6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ |
7 | 7 | ||
8 | fsec-print: $(OBJS) ../lib/libnetlink.o ../lib/errno.o ../lib/syscall.o | 8 | fsec-print: $(OBJS) ../lib/common.o ../lib/libnetlink.o ../lib/errno.o ../lib/syscall.o |
9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS) | 9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS) |
10 | 10 | ||
11 | clean:; rm -fr *.o fsec-print *.gcov *.gcda *.gcno *.plist | 11 | clean:; rm -fr *.o fsec-print *.gcov *.gcda *.gcno *.plist |
12 | 12 | ||
diff --git a/src/fsec-print/fsec_print.h b/src/fsec-print/fsec_print.h index 9d17e3f18..337199288 100644 --- a/src/fsec-print/fsec_print.h +++ b/src/fsec-print/fsec_print.h | |||
@@ -23,7 +23,6 @@ | |||
23 | #include "../include/seccomp.h" | 23 | #include "../include/seccomp.h" |
24 | #include "../include/syscall.h" | 24 | #include "../include/syscall.h" |
25 | #include <sys/mman.h> | 25 | #include <sys/mman.h> |
26 | #include <sys/prctl.h> | ||
27 | 26 | ||
28 | // print.c | 27 | // print.c |
29 | void print(struct sock_filter *filter, int entries); | 28 | void print(struct sock_filter *filter, int entries); |
diff --git a/src/fsec-print/main.c b/src/fsec-print/main.c index d1f056e47..ed030db21 100644 --- a/src/fsec-print/main.c +++ b/src/fsec-print/main.c | |||
@@ -61,10 +61,7 @@ printf("\n"); | |||
61 | return 0; | 61 | return 0; |
62 | } | 62 | } |
63 | 63 | ||
64 | #ifdef WARN_DUMPABLE | 64 | warn_dumpable(); |
65 | if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid()) | ||
66 | fprintf(stderr, "Error fsec-print: I am dumpable\n"); | ||
67 | #endif | ||
68 | 65 | ||
69 | char *fname = argv[1]; | 66 | char *fname = argv[1]; |
70 | 67 | ||
diff --git a/src/fseccomp/Makefile.in b/src/fseccomp/Makefile.in index 8623db6f8..b776a73ce 100644 --- a/src/fseccomp/Makefile.in +++ b/src/fseccomp/Makefile.in | |||
@@ -5,8 +5,8 @@ include ../common.mk | |||
5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h | 5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h |
6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | 6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ |
7 | 7 | ||
8 | fseccomp: $(OBJS) ../lib/errno.o ../lib/syscall.o | 8 | fseccomp: $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o |
9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS) | 9 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS) |
10 | 10 | ||
11 | clean:; rm -fr *.o fseccomp *.gcov *.gcda *.gcno *.plist | 11 | clean:; rm -fr *.o fseccomp *.gcov *.gcda *.gcno *.plist |
12 | 12 | ||
diff --git a/src/fseccomp/fseccomp.h b/src/fseccomp/fseccomp.h index e40999938..e8dd083b6 100644 --- a/src/fseccomp/fseccomp.h +++ b/src/fseccomp/fseccomp.h | |||
@@ -23,7 +23,6 @@ | |||
23 | #include <stdlib.h> | 23 | #include <stdlib.h> |
24 | #include <string.h> | 24 | #include <string.h> |
25 | #include <assert.h> | 25 | #include <assert.h> |
26 | #include <sys/prctl.h> | ||
27 | #include "../include/common.h" | 26 | #include "../include/common.h" |
28 | #include "../include/syscall.h" | 27 | #include "../include/syscall.h" |
29 | 28 | ||
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c index f505ca0f3..c8259b079 100644 --- a/src/fseccomp/main.c +++ b/src/fseccomp/main.c | |||
@@ -69,11 +69,7 @@ printf("\n"); | |||
69 | return 0; | 69 | return 0; |
70 | } | 70 | } |
71 | 71 | ||
72 | #ifdef WARN_DUMPABLE | 72 | warn_dumpable(); |
73 | // check FIREJAIL_PLUGIN in order to not print a warning during make | ||
74 | if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN")) | ||
75 | fprintf(stderr, "Error fseccomp: I am dumpable\n"); | ||
76 | #endif | ||
77 | 73 | ||
78 | char *quiet = getenv("FIREJAIL_QUIET"); | 74 | char *quiet = getenv("FIREJAIL_QUIET"); |
79 | if (quiet && strcmp(quiet, "yes") == 0) | 75 | if (quiet && strcmp(quiet, "yes") == 0) |
diff --git a/src/include/common.h b/src/include/common.h index 5df51c5a9..5497929c7 100644 --- a/src/include/common.h +++ b/src/include/common.h | |||
@@ -38,11 +38,6 @@ | |||
38 | 38 | ||
39 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0) | 39 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0) |
40 | 40 | ||
41 | // check if processes run with dumpable flag set | ||
42 | // currently we get "Error fseccomp: I am dumpable" every time we run a firejail build on Debian 8, | ||
43 | // regardless what Debian version we run the build on | ||
44 | //#define WARN_DUMPABLE | ||
45 | |||
46 | // macro to print ip addresses in a printf statement | 41 | // macro to print ip addresses in a printf statement |
47 | #define PRINT_IP(A) \ | 42 | #define PRINT_IP(A) \ |
48 | ((int) (((A) >> 24) & 0xFF)), ((int) (((A) >> 16) & 0xFF)), ((int) (((A) >> 8) & 0xFF)), ((int) ( (A) & 0xFF)) | 43 | ((int) (((A) >> 24) & 0xFF)), ((int) (((A) >> 16) & 0xFF)), ((int) (((A) >> 8) & 0xFF)), ((int) ( (A) & 0xFF)) |
@@ -126,4 +121,6 @@ char *pid_proc_comm(const pid_t pid); | |||
126 | char *pid_proc_cmdline(const pid_t pid); | 121 | char *pid_proc_cmdline(const pid_t pid); |
127 | int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid); | 122 | int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid); |
128 | int pid_hidepid(void); | 123 | int pid_hidepid(void); |
124 | void warn_dumpable(void); | ||
125 | const char *gnu_basename(const char *path); | ||
129 | #endif | 126 | #endif |
diff --git a/src/lib/common.c b/src/lib/common.c index 823442835..ace5cb87e 100644 --- a/src/lib/common.c +++ b/src/lib/common.c | |||
@@ -267,7 +267,6 @@ int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid) { | |||
267 | } | 267 | } |
268 | 268 | ||
269 | // return 1 if /proc is mounted hidepid, or if /proc/mouns access is denied | 269 | // return 1 if /proc is mounted hidepid, or if /proc/mouns access is denied |
270 | #define BUFLEN 4096 | ||
271 | int pid_hidepid(void) { | 270 | int pid_hidepid(void) { |
272 | FILE *fp = fopen("/proc/mounts", "r"); | 271 | FILE *fp = fopen("/proc/mounts", "r"); |
273 | if (!fp) | 272 | if (!fp) |
@@ -288,6 +287,39 @@ int pid_hidepid(void) { | |||
288 | return 0; | 287 | return 0; |
289 | } | 288 | } |
290 | 289 | ||
290 | // print error if unprivileged users can trace the process | ||
291 | void warn_dumpable(void) { | ||
292 | if (getuid() != 0 && prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getenv("FIREJAIL_PLUGIN")) { | ||
293 | fprintf(stderr, "Error: dumpable process\n"); | ||
294 | |||
295 | // best effort to provide detailed debug information | ||
296 | // cannot use process name, it is just a file descriptor number | ||
297 | char path[BUFLEN]; | ||
298 | ssize_t len = readlink("/proc/self/exe", path, BUFLEN - 1); | ||
299 | if (len < 0) | ||
300 | return; | ||
301 | path[len] = '\0'; | ||
302 | // path can refer to a sandbox mount namespace, use basename only | ||
303 | const char *base = gnu_basename(path); | ||
304 | |||
305 | struct stat s; | ||
306 | if (stat("/proc/self/exe", &s) == 0 && s.st_uid != 0) | ||
307 | fprintf(stderr, "Change owner of %s executable to root\n", base); | ||
308 | else if (access("/proc/self/exe", R_OK) == 0) | ||
309 | fprintf(stderr, "Remove read permission on %s executable\n", base); | ||
310 | } | ||
311 | } | ||
312 | |||
313 | // Equivalent to the GNU version of basename, which is incompatible with | ||
314 | // the POSIX basename. A few lines of code saves any portability pain. | ||
315 | // https://www.gnu.org/software/libc/manual/html_node/Finding-Tokens-in-a-String.html#index-basename | ||
316 | const char *gnu_basename(const char *path) { | ||
317 | const char *last_slash = strrchr(path, '/'); | ||
318 | if (!last_slash) | ||
319 | return path; | ||
320 | return last_slash+1; | ||
321 | } | ||
322 | |||
291 | //************************** | 323 | //************************** |
292 | // time trace based on getticks function | 324 | // time trace based on getticks function |
293 | //************************** | 325 | //************************** |
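Review bot: `warn_dumpable()` reports only when `getenv("FIREJAIL_PLUGIN")` is set, but of the inline checks it replaces only fseccomp and fsec-optimize carried that condition; for fldd, fnet, fnetfilter and fsec-print it is new. The old checks were also behind `WARN_DUMPABLE`, which common.h had commented out, so this is the first time the check is compiled in by default, and it prints "Error:" while the callers carry on. I would say both things in the header comment, e.g. `// advisory only: prints and returns; skipped unless FIREJAIL_PLUGIN is set (no noise during make)`. The environment comes from the caller, so treat this as a diagnostic and not a guard. The first hunk also removes `#define BUFLEN 4096` while `char path[BUFLEN]` is added here; the definition is presumably provided elsewhere, which this page does not show.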
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index e72ef48c2..8958dfaee 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1317,7 +1317,7 @@ $ firejail --netfilter=/etc/firejail/webserver.net --net=eth0 \\ | |||
1317 | .br | 1317 | .br |
1318 | 1318 | ||
1319 | .br | 1319 | .br |
1320 | .B nolocal.net | 1320 | .B nolocal.net/nolocal6.net |
1321 | is a desktop client firewall that disable access to local network. Example: | 1321 | is a desktop client firewall that disable access to local network. Example: |
1322 | .br | 1322 | .br |
1323 | 1323 | ||
diff --git a/src/profstats/main.c b/src/profstats/main.c index 4c1221464..68f62831b 100644 --- a/src/profstats/main.c +++ b/src/profstats/main.c | |||
@@ -30,6 +30,8 @@ static int cnt_seccomp = 0; | |||
30 | static int cnt_caps = 0; | 30 | static int cnt_caps = 0; |
31 | static int cnt_dbus_system_none = 0; | 31 | static int cnt_dbus_system_none = 0; |
32 | static int cnt_dbus_user_none = 0; | 32 | static int cnt_dbus_user_none = 0; |
33 | static int cnt_dbus_system_filter = 0; | ||
34 | static int cnt_dbus_user_filter = 0; | ||
33 | static int cnt_dotlocal = 0; | 35 | static int cnt_dotlocal = 0; |
34 | static int cnt_globalsdotlocal = 0; | 36 | static int cnt_globalsdotlocal = 0; |
35 | static int cnt_netnone = 0; | 37 | static int cnt_netnone = 0; |
@@ -107,6 +109,7 @@ void process_file(const char *fname) { | |||
107 | return; | 109 | return; |
108 | } | 110 | } |
109 | 111 | ||
112 | int have_include_local = 0; | ||
110 | char buf[MAXBUF]; | 113 | char buf[MAXBUF]; |
111 | while (fgets(buf, MAXBUF, fp)) { | 114 | while (fgets(buf, MAXBUF, fp)) { |
112 | char *ptr = strchr(buf, '\n'); | 115 | char *ptr = strchr(buf, '\n'); |
@@ -152,11 +155,16 @@ void process_file(const char *fname) { | |||
152 | cnt_privateetc++; | 155 | cnt_privateetc++; |
153 | else if (strncmp(ptr, "dbus-system none", 16) == 0) | 156 | else if (strncmp(ptr, "dbus-system none", 16) == 0) |
154 | cnt_dbus_system_none++; | 157 | cnt_dbus_system_none++; |
158 | else if (strncmp(ptr, "dbus-system", 11) == 0) | ||
159 | cnt_dbus_system_filter++; | ||
155 | else if (strncmp(ptr, "dbus-user none", 14) == 0) | 160 | else if (strncmp(ptr, "dbus-user none", 14) == 0) |
156 | cnt_dbus_user_none++; | 161 | cnt_dbus_user_none++; |
162 | else if (strncmp(ptr, "dbus-user", 9) == 0) | ||
163 | cnt_dbus_user_filter++; | ||
157 | else if (strncmp(ptr, "include ", 8) == 0) { | 164 | else if (strncmp(ptr, "include ", 8) == 0) { |
158 | // not processing .local files | 165 | // not processing .local files |
159 | if (strstr(ptr, ".local")) { | 166 | if (strstr(ptr, ".local")) { |
167 | have_include_local = 1; | ||
160 | //printf("dotlocal %d, level %d - #%s#, redirect #%s#\n", cnt_dotlocal, level, fname, buf + 8); | 168 | //printf("dotlocal %d, level %d - #%s#, redirect #%s#\n", cnt_dotlocal, level, fname, buf + 8); |
161 | if (strstr(ptr, "globals.local")) | 169 | if (strstr(ptr, "globals.local")) |
162 | cnt_globalsdotlocal++; | 170 | cnt_globalsdotlocal++; |
@@ -174,6 +182,8 @@ void process_file(const char *fname) { | |||
174 | } | 182 | } |
175 | 183 | ||
176 | fclose(fp); | 184 | fclose(fp); |
185 | if (!have_include_local) | ||
186 | printf("No include .local found in %s\n", fname); | ||
177 | level--; | 187 | level--; |
178 | } | 188 | } |
179 | 189 | ||
@@ -257,7 +267,9 @@ int main(int argc, char **argv) { | |||
257 | int whitelistrunuser = cnt_whitelistrunuser; | 267 | int whitelistrunuser = cnt_whitelistrunuser; |
258 | int whitelistusrshare = cnt_whitelistusrshare; | 268 | int whitelistusrshare = cnt_whitelistusrshare; |
259 | int dbussystemnone = cnt_dbus_system_none; | 269 | int dbussystemnone = cnt_dbus_system_none; |
270 | int dbussystemfilter = cnt_dbus_system_filter; | ||
260 | int dbususernone = cnt_dbus_user_none; | 271 | int dbususernone = cnt_dbus_user_none; |
272 | int dbususerfilter = cnt_dbus_user_filter; | ||
261 | int ssh = cnt_ssh; | 273 | int ssh = cnt_ssh; |
262 | int mdwx = cnt_mdwx; | 274 | int mdwx = cnt_mdwx; |
263 | 275 | ||
@@ -278,6 +290,16 @@ int main(int argc, char **argv) { | |||
278 | cnt_globalsdotlocal = globalsdotlocal + 1; | 290 | cnt_globalsdotlocal = globalsdotlocal + 1; |
279 | if (cnt_whitelistrunuser > (whitelistrunuser + 1)) | 291 | if (cnt_whitelistrunuser > (whitelistrunuser + 1)) |
280 | cnt_whitelistrunuser = whitelistrunuser + 1; | 292 | cnt_whitelistrunuser = whitelistrunuser + 1; |
293 | if (cnt_seccomp > (seccomp + 1)) | ||
294 | cnt_seccomp = seccomp + 1; | ||
295 | if (cnt_dbus_user_none > (dbususernone + 1)) | ||
296 | cnt_dbus_user_none = dbususernone + 1; | ||
297 | if (cnt_dbus_user_filter > (dbususerfilter + 1)) | ||
298 | cnt_dbus_user_filter = dbususerfilter + 1; | ||
299 | if (cnt_dbus_system_none > (dbussystemnone + 1)) | ||
300 | cnt_dbus_system_none = dbussystemnone + 1; | ||
301 | if (cnt_dbus_system_filter > (dbussystemfilter + 1)) | ||
302 | cnt_dbus_system_filter = dbussystemfilter + 1; | ||
281 | 303 | ||
282 | if (arg_dbus_system_none && dbussystemnone == cnt_dbus_system_none) | 304 | if (arg_dbus_system_none && dbussystemnone == cnt_dbus_system_none) |
283 | printf("No dbus-system none found in %s\n", argv[i]); | 305 | printf("No dbus-system none found in %s\n", argv[i]); |
@@ -337,7 +359,9 @@ int main(int argc, char **argv) { | |||
337 | printf(" whitelist usr/share\t\t%d (include whitelist-usr-share-common.inc\n", cnt_whitelistusrshare); | 359 | printf(" whitelist usr/share\t\t%d (include whitelist-usr-share-common.inc\n", cnt_whitelistusrshare); |
338 | printf(" net none\t\t\t%d\n", cnt_netnone); | 360 | printf(" net none\t\t\t%d\n", cnt_netnone); |
339 | printf(" dbus-user none \t\t%d\n", cnt_dbus_user_none); | 361 | printf(" dbus-user none \t\t%d\n", cnt_dbus_user_none); |
362 | printf(" dbus-user filter \t\t%d\n", cnt_dbus_user_filter); | ||
340 | printf(" dbus-system none \t\t%d\n", cnt_dbus_system_none); | 363 | printf(" dbus-system none \t\t%d\n", cnt_dbus_system_none); |
364 | printf(" dbus-system filter \t\t%d\n", cnt_dbus_system_filter); | ||
341 | printf("\n"); | 365 | printf("\n"); |
342 | return 0; | 366 | return 0; |
343 | } | 367 | } |
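Review bot: The new `No include .local found in %s` message at the end of process_file() prints unconditionally, unlike the other `No ... found` diagnostics in main(), which sit behind an `arg_` flag (e.g. `arg_dbus_system_none`). process_file() keeps a `level` counter, so it presumably also runs for included files, and the message would then appear for every nested include that lacks a .local line. I would gate it like the others, or at least restrict it to the top-level file. Separately, `strncmp(ptr, "dbus-system", 11)` and `strncmp(ptr, "dbus-user", 9)` count every remaining `dbus-*` line as "filter", so the per-file clamp added in main() is what keeps the totals per profile; a short comment on those two branches should say so. process_file() and main() both start and end outside these hunks.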
diff --git a/test/compile/compile.sh b/test/compile/compile.sh index 91fcfb85d..04819d95d 100755 --- a/test/compile/compile.sh +++ b/test/compile/compile.sh | |||
@@ -3,6 +3,16 @@ | |||
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2020 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | # not currently covered | ||
7 | # --disable-suid install as a non-SUID executable | ||
8 | # --enable-fatal-warnings -W -Wall -Werror | ||
9 | # --enable-gcov Gcov instrumentation | ||
10 | # --enable-contrib-install | ||
11 | # install contrib scripts | ||
12 | # --enable-analyzer enable GCC 10 static analyzer | ||
13 | |||
14 | |||
15 | |||
6 | arr[1]="TEST 1: standard compilation" | 16 | arr[1]="TEST 1: standard compilation" |
7 | arr[2]="TEST 2: compile dbus proxy disabled" | 17 | arr[2]="TEST 2: compile dbus proxy disabled" |
8 | arr[3]="TEST 3: compile chroot disabled" | 18 | arr[3]="TEST 3: compile chroot disabled" |
@@ -18,7 +28,9 @@ arr[12]="TEST 12: compile apparmor" | |||
18 | arr[13]="TEST 13: compile busybox" | 28 | arr[13]="TEST 13: compile busybox" |
19 | arr[14]="TEST 14: compile overlayfs disabled" | 29 | arr[14]="TEST 14: compile overlayfs disabled" |
20 | arr[15]="TEST 15: compile private-home disabled" | 30 | arr[15]="TEST 15: compile private-home disabled" |
21 | arr[15]="TEST 16: compile disable manpages" | 31 | arr[16]="TEST 16: compile disable manpages" |
32 | arr[17]="TEST 17: disable tmpfs as regular user" | ||
33 | arr[18]="TEST 18: disable private home" | ||
22 | 34 | ||
23 | # remove previous reports and output file | 35 | # remove previous reports and output file |
24 | cleanup() { | 36 | cleanup() { |
@@ -334,6 +346,40 @@ cp output-make om16 | |||
334 | rm output-configure output-make | 346 | rm output-configure output-make |
335 | 347 | ||
336 | #***************************************************************** | 348 | #***************************************************************** |
349 | # TEST 17 | ||
350 | #***************************************************************** | ||
351 | # - disable tmpfs as regular user" | ||
352 | #***************************************************************** | ||
353 | print_title "${arr[17]}" | ||
354 | cd firejail | ||
355 | make distclean | ||
356 | ./configure --prefix=/usr --disable-usertmpfs --enable-fatal-warnings 2>&1 | tee ../output-configure | ||
357 | make -j4 2>&1 | tee ../output-make | ||
358 | cd .. | ||
359 | grep Warning output-configure output-make > ./report-test17 | ||
360 | grep Error output-configure output-make >> ./report-test17 | ||
361 | cp output-configure oc17 | ||
362 | cp output-make om17 | ||
363 | rm output-configure output-make | ||
364 | |||
365 | #***************************************************************** | ||
366 | # TEST 18 | ||
367 | #***************************************************************** | ||
368 | # - disable private home feature | ||
369 | #***************************************************************** | ||
370 | print_title "${arr[18]}" | ||
371 | cd firejail | ||
372 | make distclean | ||
373 | ./configure --prefix=/usr --disable-private-home --enable-fatal-warnings 2>&1 | tee ../output-configure | ||
374 | make -j4 2>&1 | tee ../output-make | ||
375 | cd .. | ||
376 | grep Warning output-configure output-make > ./report-test18 | ||
377 | grep Error output-configure output-make >> ./report-test18 | ||
378 | cp output-configure oc18 | ||
379 | cp output-make om18 | ||
380 | rm output-configure output-make | ||
381 | |||
382 | #***************************************************************** | ||
337 | # PRINT REPORTS | 383 | # PRINT REPORTS |
338 | #***************************************************************** | 384 | #***************************************************************** |
339 | echo | 385 | echo |
@@ -363,3 +409,5 @@ echo ${arr[13]} | |||
363 | echo ${arr[14]} | 409 | echo ${arr[14]} |
364 | echo ${arr[15]} | 410 | echo ${arr[15]} |
365 | echo ${arr[16]} | 411 | echo ${arr[16]} |
412 | echo ${arr[17]} | ||
413 | echo ${arr[18]} | ||
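Review bot: The new header comment lists `--enable-fatal-warnings` under "not currently covered", yet TEST 17 and TEST 18 both pass it to `./configure`; drop it from that list. TEST 18 configures with `--disable-private-home` while `arr[15]` is already titled "compile private-home disabled", so unless TEST 15 (outside these hunks) uses a different option set the two exercise the same build. The TEST 17 banner has a stray trailing quote, `# - disable tmpfs as regular user"`. The added `echo ${arr[17]}` and `echo ${arr[18]}` lines follow the existing unquoted style; `echo "${arr[17]}"` avoids word splitting.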