-rw-r--r-- | README.md | 15 | ||||
-rw-r--r-- | etc/darktable.profile | 30 | ||||
-rw-r--r-- | etc/disable-programs.inc | 1 | ||||
-rw-r--r-- | etc/vym.profile | 30 | ||||
-rw-r--r-- | platform/debian/conffiles | 2 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 2 |
6 files changed, 76 insertions, 4 deletions
@@ -64,9 +64,16 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is | |||
64 | ````` | 64 | ````` |
65 | # Current development version: 0.9.47 | 65 | # Current development version: 0.9.47 |
66 | 66 | ||
67 | Release 0.9.46 was moved on 0.9.46-bugfixes branch: https://github.com/netblue30/firejail/tree/0.9.46-bugfixes | 67 | ## Profile changes |
68 | |||
69 | # Global customizations | ||
70 | 68 | ||
71 | All profiles include /etc/firejail/globals.local for persistent customizations across all applications. For example, you | 69 | All profiles include /etc/firejail/globals.local for persistent customizations across all applications. For example, you |
72 | can set here a global DNS "dns 8.8.8.8". The file is not overwritten during install. | 70 | can set here a global DNS "dns 8.8.8.8". The file is not overwritten during software install. |
71 | |||
72 | ** The following BitTorrent clients have been whitelisted: Transmission, Deluge, qBitTorrent, KTorrent. Configuration files and | ||
73 | ~/Downloads directory are real, everything else is placed on a temporary filesystem and discarded when the | ||
74 | sandboxed is closed. Please configure your client to put downloaded files in ~/Download directory. | ||
75 | The plan is to have all bittorrent clients whitelisted in the next release.** | ||
76 | |||
77 | ## New profiles | ||
78 | |||
79 | vym, darktable | ||
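--- /dev/null
+++ b/etc/darktable.profile
@@ -0,0 +1,30 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/darktable.local
+
+noblacklist ~/.cache/darktable
+noblacklist ~/.config/darktable
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+#
+# depending on your usage, you can enable some of the commands below:
+#
+# nogroups
+shell none
+# private-bin program
+# private-etc none
+# private-dev
+private-tmp
+nosound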
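Review bot: Nothing in the profile says why `protocol unix,inet,inet6` keeps network sockets available or why `private-dev` and `nogroups` stay commented out, whereas vym.profile in the same commit annotates its `protocol unix` line. If these are deliberate (presumably online export and camera access, which the page does not confirm), a comment such as `# network and /dev access are kept on purpose; tighten in darktable.local if unused` above the `protocol` line would tell users what they can safely restrict. The banner "you can enable some of the commands below" also sits above `shell none`, `private-tmp` and `nosound`, which are already active. Moving those three up next to `seccomp` would leave only the optional, commented directives under the banner.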
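--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -35,6 +35,7 @@ blacklist ${HOME}/.config/Gitter
 blacklist ${HOME}/.config/Google
 blacklist ${HOME}/.config/Gpredict
 blacklist ${HOME}/.config/INRIA
+blacklist ${HOME}/.config/InSilmaril
 blacklist ${HOME}/.config/Luminance
 blacklist ${HOME}/.config/Meltytech
 blacklist ${HOME}/.config/Mousepad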
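Review bot: No `blacklist` entries for darktable's directories accompany the InSilmaril one, although darktable.profile in this commit carries `noblacklist ~/.cache/darktable` and `noblacklist ~/.config/darktable`. The diffstat shows a single changed line in this file, so unless both paths are already listed outside this hunk, those exceptions lift nothing and other sandboxed programs can still read darktable's data. If they are missing, add `blacklist ${HOME}/.cache/darktable` and `blacklist ${HOME}/.config/darktable` in the matching alphabetical positions.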
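--- /dev/null
+++ b/etc/vym.profile
@@ -0,0 +1,30 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/vym.local
+
+noblacklist ./.config/InSilmaril
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+# no network connectivity
+protocol unix
+seccomp
+
+#
+# depending on your usage, you can enable some of the commands below:
+#
+nogroups
+shell none
+# private-bin vym
+# private-etc none
+private-dev
+private-tmp
+nosound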
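Review bot: `noblacklist ./.config/InSilmaril` uses a `./` path, while the blacklist it is meant to lift is written as `${HOME}/.config/InSilmaril` in disable-programs.inc and darktable.profile in this commit uses `~/`. Unless firejail resolves `./` against the home directory, which nothing on the page shows, the exception will not match and vym will be denied its own configuration directory; `noblacklist ~/.config/InSilmaril` avoids the question. Separately, the comment `# no network connectivity` overstates `protocol unix`, which limits the socket families the program may open but does not place the sandbox in its own network namespace. `net none` would match the comment, and `netfilter` only takes effect when a new network namespace is created.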
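--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -301,3 +301,5 @@
 /etc/firejail/youtube-dl.profile
 /etc/firejail/zathura.profile
 /etc/firejail/zoom.profile
+/etc/firejail/vym.profile
+/etc/firejail/darktable.profile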
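--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -35,6 +35,7 @@ corebird
 # Cryptocat is added but commented since isn't installed to a */bin... keep an eye on this
 cvlc
 cyberfox
+darktable
 deadbeef
 deluge
 dia
@@ -220,6 +221,7 @@ vivaldi
 vivaldi-beta
 vivaldi-stable
 vlc
+vym
 w3m
 warzone2100
 weechat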