86 files changed, 123 insertions, 323 deletions
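--- a/etc/akregator.profile
+++ b/etc/akregator.profile
@@ -30,6 +30,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# nosound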
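--- a/etc/amarok.profile
+++ b/etc/amarok.profile
@@ -17,12 +17,10 @@ nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
+# seccomp
 shell none
 
 # private-bin amarok
 private-dev
 # private-etc none
 private-tmp
-
-# CLOBBERED COMMENTS
-# seccomp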
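Review bot: `# seccomp` is restored above `shell none` with no reason attached, so a reader cannot tell whether the syscall filter is known to break amarok or was simply never enabled, and a disabled hardening option with no rationale is the line most likely to be flipped back on blindly later. Suggest `# seccomp - disabled because <reason placeholder>`, or a pointer to the tracking issue, on that line. The same applies to the commented `# seccomp.keep` list restored in digikam.profile and to the `# whitelist ~/.config/pulse` / `# whitelist ~/.pulse` lines restored in google-play-music-desktop-player.profile, neither of which says why the option is off.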
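--- a/etc/android-studio.profile
+++ b/etc/android-studio.profile
@@ -32,6 +32,3 @@ private-dev
 # private-tmp
 
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# nosound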
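--- a/etc/caja.profile
+++ b/etc/caja.profile
@@ -5,6 +5,9 @@ include /etc/firejail/caja.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# Caja is started by systemd on most systems. Therefore it is not firejailed by default. Since there
+# is already a caja process running on MATE desktops firejail will have no effect.
+
 noblacklist ~/.config/caja
 noblacklist ~/.local/share/Trash
 noblacklist ~/.local/share/caja-python
@@ -24,12 +27,8 @@ seccomp
 shell none
 tracelog
 
+# caja needs to be able to start arbitrary applications so we cannot blacklist their files
 # private-bin caja
 # private-dev
 # private-etc fonts
 # private-tmp
-
-# CLOBBERED COMMENTS
-# Caja is started by systemd on most systems. Therefore it is not firejailed by default. Since there
-# caja needs to be able to start arbitrary applications so we cannot blacklist their files
-# is already a caja process running on MATE desktops firejail will have no effect.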
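--- a/etc/catfish.profile
+++ b/etc/catfish.profile
@@ -5,6 +5,8 @@ include /etc/firejail/catfish.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# We can't blacklist much since catfish
+# is for finding files/content
 noblacklist ~/.config/catfish
 
 include /etc/firejail/disable-devel.inc
@@ -22,12 +24,8 @@ seccomp
 shell none
 tracelog
 
+# These options work but are disabled in case
+# a users wants to search in these directories.
 # private-bin bash,catfish,env,locate,ls,mlocate,python,python2,python2.7,python3,python3.5,python3.5m,python3m
 # private-dev
 # private-tmp
-
-# CLOBBERED COMMENTS
-# These options work but are disabled in case
-# We can't blacklist much since catfish
-# a users wants to search in these directories.
-# is for finding files/content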
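Review bot: `# a users wants to search in these directories.` in the second hunk carries a number disagreement; the line should read `# a user wants to search in these directories.`. Since the two restored lines form one sentence, joining them as `# These options work but are disabled in case a user wants to search in these directories.` keeps the reason on a single line directly above the commented `private-bin` entry it explains.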
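--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -32,6 +32,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# cherrytree note taking application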
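--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -11,6 +11,7 @@ noblacklist ~/.config/chromium-flags.conf
 noblacklist ~/.pki
 
 include /etc/firejail/disable-common.inc
+# chromium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 
@@ -34,8 +35,3 @@ private-dev
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# chromium is distributed with a perl script on Arch
-# disable-mnt
-# specific to Arch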
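Review bot: `# chromium is distributed with a perl script on Arch`, restored above `# include /etc/firejail/disable-devel.inc` in the first hunk, states a fact but not the consequence, so the reader has to guess that the include is left out because it would presumably blacklist the interpreter the Arch launcher needs. Suggest `# disable-devel.inc is left out: on Arch the chromium launcher is a perl script, which it would blacklist`. The same comment is restored in google-chrome-beta.profile, google-chrome-unstable.profile, google-chrome.profile and flashpeak-slimjet.profile; in the last of these it still says "chromium" inside a slimjet profile, which is worth rewording to name the Chromium base explicitly. The second hunk drops `# disable-mnt` and `# specific to Arch` outright rather than restoring them; if `# disable-mnt` was a deliberate hint at an optional hardening, keep it as a commented line next to `private-dev`.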
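--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -16,7 +16,5 @@ nonewprivs
 noroot
 novideo
 protocol unix,inet,inet6
-seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old
-
-# CLOBBERED COMMENTS
 # Clementine makes ioprio_set system calls, which are blacklisted by default.
+seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old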
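Review bot: The `seccomp.drop` line moved below the comment lists `process_vm_writev` twice and contains `mfsservctl`, which looks like a misspelling of `nfsservctl`; if it is, the syscall the author meant to block is not in the filter at all. A hand-copied drop list like this exists only to keep `ioprio_set` allowed, so it also drifts away from firejail's default list whenever that default grows, which is worth a comment so the next maintainer knows to re-sync it. Suggest replacing `mfsservctl` with `nfsservctl`, removing the duplicate entry, and adding `# copy of the default drop list minus ioprio_set - re-sync when the default changes` above the line.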
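--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -25,7 +25,3 @@ shell none
 tracelog
 
 private-dev
-
-# CLOBBERED COMMENTS
-# /boot is not visible and /var is heavily modified
-# /sbin and /usr/sbin are visible inside the sandbox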
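--- a/etc/cvlc.profile
+++ b/etc/cvlc.profile
@@ -22,11 +22,9 @@ seccomp
 shell none
 tracelog
 
+# clvc doesn't like private-bin
 # private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
 private-dev
 private-tmp
 
 memory-deny-write-execute
-
-# CLOBBERED COMMENTS
-# clvc doesn't like private-bin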
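Review bot: `# clvc doesn't like private-bin` misspells the program name; the restored line should read `# cvlc doesn't like private-bin`. It would also help to say what actually breaks, because the commented `# private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc` underneath is the only evidence that the option was tried, and "doesn't like" gives a later maintainer nothing to re-test against.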
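--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -27,9 +27,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
+# deluge is using python on Debian
 # private-bin deluge,sh,python,uname
 private-dev
 private-tmp
-
-# CLOBBERED COMMENTS
-# deluge is using python on Debian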
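--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -21,6 +21,7 @@ nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
+# seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group
 shell none
 
 # private-bin program
@@ -30,6 +31,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group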
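--- a/etc/dolphin.profile
+++ b/etc/dolphin.profile
@@ -5,6 +5,8 @@ include /etc/firejail/dolphin.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5
+
 noblacklist ${HOME}/.local/share/Trash
 noblacklist ~/.config/dolphinrc
 noblacklist ~/.local/share/dolphin
@@ -23,11 +25,8 @@ protocol unix
 seccomp
 shell none
 
+# dolphin needs to be able to start arbitrary applications so we cannot blacklist their files
 # private-bin
 # private-dev
 # private-etc
 # private-tmp
-
-# CLOBBERED COMMENTS
-# dolphin needs to be able to start arbitrary applications so we cannot blacklist their files
-# warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5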
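--- a/etc/etr.profile
+++ b/etc/etr.profile
@@ -28,7 +28,3 @@ shell none
 private-dev
 # private-etc none
 private-tmp
-
-# CLOBBERED COMMENTS
-# depending on your usage, you can enable some of the commands below:
-# nosound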
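--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -28,11 +28,9 @@ tracelog
 private-bin evince,evince-previewer,evince-thumbnailer
 private-dev
 private-etc fonts
+# evince needs access to /tmp/mozilla* to work in firefox
 # private-tmp
 
 memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# evince needs access to /tmp/mozilla* to work in firefox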
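--- a/etc/file.profile
+++ b/etc/file.profile
@@ -28,6 +28,3 @@ x11 none
 private-bin file
 private-dev
 private-etc magic.mgc,magic,localtime
-
-# CLOBBERED COMMENTS
-# noroot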
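--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -68,6 +68,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# disable-mnt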
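--- a/etc/flashpeak-slimjet.profile
+++ b/etc/flashpeak-slimjet.profile
@@ -5,11 +5,17 @@ include /etc/firejail/flashpeak-slimjet.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# This is a whitelisted profile, the internal browser sandbox
+# is disabled because it requires sudo password. The command
+# to run it is as follows:
+# firejail flashpeak-slimjet --no-sandbox
+
 noblacklist ~/.cache/slimjet
 noblacklist ~/.config/slimjet
 noblacklist ~/.pki
 
 include /etc/firejail/disable-common.inc
+# chromium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 
@@ -28,9 +34,3 @@ nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
-
-# CLOBBERED COMMENTS
-# firejail flashpeak-slimjet --no-sandbox
-# chromium is distributed with a perl script on Arch
-# is disabled because it requires sudo password. The command
-# to run it is as follows: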
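--- a/etc/franz.profile
+++ b/etc/franz.profile
@@ -37,6 +37,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# tracelog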
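--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -28,7 +28,3 @@ shell none
 private-dev
 # private-etc none
 private-tmp
-
-# CLOBBERED COMMENTS
-# depending on your usage, you can enable some of the commands below:
-# nosound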
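--- a/etc/gajim.profile
+++ b/etc/gajim.profile
@@ -40,7 +40,5 @@ disable-mnt
 private-dev
 # private-etc fonts
 # private-tmp
-read-only ${HOME}/.local/lib/python2.7/site-packages/
-
-# CLOBBERED COMMENTS
 # Allow the local python 2.7 site packages, in case any plugins are using these
+read-only ${HOME}/.local/lib/python2.7/site-packages/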
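Review bot: The comment now placed above `read-only ${HOME}/.local/lib/python2.7/site-packages/` says "Allow", but the directive it introduces is, as its name says, a read-only restriction rather than a grant, so a reader skimming the file may take it for a noblacklist line. Suggest `# Expose the local python 2.7 site-packages read-only, in case any plugins are loaded from there` so the intent (plugin code under $HOME stays reachable but cannot be modified from inside the sandbox) is stated in the same terms as the directive.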
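--- a/etc/geary.profile
+++ b/etc/geary.profile
@@ -5,6 +5,9 @@ include /etc/firejail/geary.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# Users have Geary set to open a browser by clicking a link in an email
+# We are not allowed to blacklist browser-specific directories
+
 noblacklist ~/.gnupg
 noblacklist ~/.local/share/geary
 
@@ -21,9 +24,5 @@ ignore private-tmp
 read-only ~/.config/mimeapps.list
 read-only ~/.local/share/applications
 
-include /etc/firejail/firefox.profile
-
-# CLOBBERED COMMENTS
-# Users have Geary set to open a browser by clicking a link in an email
-# We are not allowed to blacklist browser-specific directories
 # allow browsers
+include /etc/firejail/firefox.profile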
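Review bot: `# allow browsers` is the only comment left next to `include /etc/firejail/firefox.profile` in the second hunk, while the actual justification ("Users have Geary set to open a browser ...") is restored at the top of the file in the first hunk, some twenty lines away from the directive it explains. Pulling a whole second profile into a mail client's sandbox presumably carries over firefox's own exceptions, which is the kind of widening a reader should be able to see at the include itself. Suggest `# allow browsers: pull in the firefox profile so links in mail can be opened (see the note at the top of this file)`.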
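--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -5,6 +5,8 @@ include /etc/firejail/gedit.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# when gedit is started via gnome-shell, firejail is not applied because systemd will start it
+
 noblacklist ~/.config/gedit
 
 include /etc/firejail/disable-common.inc
@@ -31,6 +33,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# when gedit is started via gnome-shell, firejail is not applied because systemd will start it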
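--- a/etc/geeqie.profile
+++ b/etc/geeqie.profile
@@ -26,6 +26,3 @@ shell none
 # private-bin geeqie
 private-dev
 # private-etc X11
-
-# CLOBBERED COMMENTS
-# Experimental: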
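--- a/etc/ghb.profile
+++ b/etc/ghb.profile
@@ -3,6 +3,3 @@
 
 
 include /etc/firejail/handbrake.profile
-
-# CLOBBERED COMMENTS
-# HandBrake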
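--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -24,10 +24,7 @@ shell none
 private-dev
 private-tmp
 
-noexec /tmp
-
-# CLOBBERED COMMENTS
-# gimp
 # gimp plugins are installed by the user in ~/.gimp-2.8/plug-ins/ directory
 # if you are not using external plugins, you can enable noexec statement below
 # noexec ${HOME}
+noexec /tmp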
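Review bot: After this move `# if you are not using external plugins, you can enable noexec statement below` is followed by two noexec lines, the commented `# noexec ${HOME}` and the now-active `noexec /tmp`, so "the statement below" no longer points at one line. Suggest `# if you are not using external plugins, you can enable the noexec ${HOME} statement below`, which also fixes the missing article.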
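--- a/etc/gjs.profile
+++ b/etc/gjs.profile
@@ -5,6 +5,8 @@ include /etc/firejail/gjs.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
 noblacklist ~/.cache/libgweather
 noblacklist ~/.cache/org.gnome.Books
 noblacklist ~/.config/libreoffice
@@ -29,6 +31,3 @@ tracelog
 private-dev
 # private-etc fonts
 private-tmp
-
-# CLOBBERED COMMENTS
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them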
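--- a/etc/gnome-2048.profile
+++ b/etc/gnome-2048.profile
@@ -31,6 +31,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# nosound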
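--- a/etc/gnome-books.profile
+++ b/etc/gnome-books.profile
@@ -5,6 +5,8 @@ include /etc/firejail/gnome-books.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
 noblacklist ~/.cache/org.gnome.Books
 
 include /etc/firejail/disable-common.inc
@@ -32,6 +34,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them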
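--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -33,6 +33,3 @@ private-tmp
 memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# net none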
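--- a/etc/gnome-documents.profile
+++ b/etc/gnome-documents.profile
@@ -5,6 +5,8 @@ include /etc/firejail/gnome-documents.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
 noblacklist ~/.config/libreoffice
 
 include /etc/firejail/disable-common.inc
@@ -30,6 +32,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them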
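--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -5,6 +5,8 @@ include /etc/firejail/gnome-maps.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
 noblacklist ${HOME}/.cache/champlain
 
 include /etc/firejail/disable-common.inc
@@ -32,6 +34,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them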
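--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@@ -5,6 +5,8 @@ include /etc/firejail/gnome-photos.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
 noblacklist ~/.local/share/gnome-photos
 
 include /etc/firejail/disable-common.inc
@@ -30,6 +32,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them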
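--- a/etc/gnome-weather.profile
+++ b/etc/gnome-weather.profile
@@ -5,6 +5,8 @@ include /etc/firejail/gnome-weather.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
 noblacklist ~/.cache/libgweather
 
 include /etc/firejail/disable-common.inc
@@ -33,6 +35,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them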
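--- a/etc/google-chrome-beta.profile
+++ b/etc/google-chrome-beta.profile
@@ -10,6 +10,7 @@ noblacklist ~/.config/google-chrome-beta
 noblacklist ~/.pki
 
 include /etc/firejail/disable-common.inc
+# chromium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 
@@ -32,7 +33,3 @@ private-dev
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# chromium is distributed with a perl script on Arch
-# disable-mnt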
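--- a/etc/google-chrome-unstable.profile
+++ b/etc/google-chrome-unstable.profile
@@ -10,6 +10,7 @@ noblacklist ~/.config/google-chrome-unstable
 noblacklist ~/.pki
 
 include /etc/firejail/disable-common.inc
+# chromium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 
@@ -32,7 +33,3 @@ private-dev
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# chromium is distributed with a perl script on Arch
-# disable-mnt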
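--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -10,6 +10,7 @@ noblacklist ~/.config/google-chrome
 noblacklist ~/.pki
 
 include /etc/firejail/disable-common.inc
+# chromium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 
@@ -32,7 +33,3 @@ private-dev
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# chromium is distributed with a perl script on Arch
-# disable-mnt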
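--- a/etc/google-play-music-desktop-player.profile
+++ b/etc/google-play-music-desktop-player.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+# whitelist ~/.config/pulse
+# whitelist ~/.pulse
 whitelist ~/.config/Google Play Music Desktop Player
 include /etc/firejail/whitelist-common.inc
 
@@ -32,7 +34,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# whitelist ~/.config/pulse
-# whitelist ~/.pulse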
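--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -34,6 +34,3 @@ private-dev
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# Experimental: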
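--- a/etc/handbrake-gtk.profile
+++ b/etc/handbrake-gtk.profile
@@ -3,6 +3,3 @@
 
 
 include /etc/firejail/handbrake.profile
-
-# CLOBBERED COMMENTS
-# HandBrake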
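--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -6,6 +6,8 @@ include /etc/firejail/hexchat.local
 include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.config/hexchat
+# noblacklist /usr/lib/python2*
+# noblacklist /usr/lib/python3*
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -29,15 +31,10 @@ shell none
 tracelog
 
 disable-mnt
+# debug note: private-bin requires perl, python, etc on some systems
 private-bin hexchat
 private-dev
 private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# Currently in testing (may not work for all users)
-# debug note: private-bin requires perl, python, etc on some systems
-# noblacklist /usr/lib/python2*
-# noblacklist /usr/lib/python3*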
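Review bot: The restored `# debug note: private-bin requires perl, python, etc on some systems` above `private-bin hexchat` states a constraint without saying what a user should do about it, and the `# noblacklist /usr/lib/python2*` lines restored in the first hunk are presumably the other half of that story but are not linked to it. Suggest one actionable line instead, e.g. `# private-bin hexchat - on systems where plugins need perl/python, add them here and uncomment the noblacklist lines above`. The clobbered `# Currently in testing (may not work for all users)` is dropped entirely; if it still applies it belongs at the top of the profile, otherwise dropping it is fine.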
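--- a/etc/icedove.profile
+++ b/etc/icedove.profile
@@ -5,6 +5,9 @@ include /etc/firejail/icedove.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# Users have icedove set to open a browser by clicking a link in an email
+# We are not allowed to blacklist browser-specific directories
+
 noblacklist ~/.cache/icedove
 noblacklist ~/.gnupg
 noblacklist ~/.icedove
@@ -19,9 +22,5 @@ include /etc/firejail/whitelist-common.inc
 
 ignore private-tmp
 
-include /etc/firejail/firefox.profile
-
-# CLOBBERED COMMENTS
-# Users have icedove set to open a browser by clicking a link in an email
-# We are not allowed to blacklist browser-specific directories
 # allow browsers
+include /etc/firejail/firefox.profile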
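Review bot: The restored header comment `# We are not allowed to blacklist browser-specific directories` reads as a policy statement rather than the technical reason; the same two lines are restored in etc/thunderbird.profile. Suggest `# Users open links from emails in their browser, so browser-specific directories must not be blacklisted here (see the firefox.profile include at the end)`, which also explains why `include /etc/firejail/firefox.profile` is now the last directive under `# allow browsers`. If `ignore private-tmp` is order-sensitive relative to that include (I could not confirm from this hunk), a one-line comment on the `ignore` line saying it must precede the include would save the next editor a regression.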
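--- a/etc/idea.sh.profile
+++ b/etc/idea.sh.profile
@@ -32,6 +32,3 @@ private-dev
 # private-tmp
 
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# nosound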
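--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -28,6 +28,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# inkscape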
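--- a/etc/iridium.profile
+++ b/etc/iridium.profile
@@ -9,6 +9,7 @@ noblacklist ~/.cache/iridium
 noblacklist ~/.config/iridium
 
 include /etc/firejail/disable-common.inc
+# chromium/iridium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 
@@ -22,6 +23,3 @@ whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
 
 netfilter
-
-# CLOBBERED COMMENTS
-# chromium/iridium is distributed with a perl script on Arch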
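--- a/etc/kodi.profile
+++ b/etc/kodi.profile
@@ -27,6 +27,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# novideo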
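--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -22,6 +22,7 @@ netfilter
 nogroups
 nonewprivs
 noroot
+# nosound - KWrite is using ALSA!
 protocol unix
 seccomp
 shell none
@@ -31,6 +32,3 @@ tracelog
 private-dev
 # private-etc fonts
 private-tmp
-
-# CLOBBERED COMMENTS
-# nosound - KWrite is using ALSA!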
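--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -28,6 +28,3 @@ private-dev
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# whitelist /tmp/.X11-unix/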
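--- a/etc/liferea.profile
+++ b/etc/liferea.profile
@@ -24,9 +24,11 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+# no3d
 nogroups
 nonewprivs
 noroot
+# nosound
 novideo
 protocol unix,inet,inet6
 seccomp
@@ -38,7 +40,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# no3d
-# nosound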
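--- a/etc/luminance-hdr.profile
+++ b/etc/luminance-hdr.profile
@@ -29,6 +29,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# luminance-hdr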
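--- a/etc/lxterminal.profile
+++ b/etc/lxterminal.profile
@@ -12,8 +12,6 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+# noroot - somehow this breaks on Debian Jessie!
 protocol unix,inet,inet6
 seccomp
-
-# CLOBBERED COMMENTS
-# noroot - somehow this breaks on Debian Jessie!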
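--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -36,9 +36,7 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 netfilter
 nonewprivs
+# noroot - problems on Ubuntu 14.04
 protocol unix,inet,inet6,netlink
 seccomp
 tracelog
-
-# CLOBBERED COMMENTS
-# noroot - porblems on Ubuntu 14.04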
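--- a/etc/mplayer.profile
+++ b/etc/mplayer.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+# nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
@@ -26,6 +27,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# nogroups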
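--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -25,6 +25,3 @@ tracelog
 
 private-bin mpv,youtube-dl,python,python2.7,python3.6,env
 private-dev
-
-# CLOBBERED COMMENTS
-# to test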
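--- a/etc/multimc5.profile
+++ b/etc/multimc5.profile
@@ -27,6 +27,7 @@ nonewprivs
 noroot
 novideo
 protocol unix,inet,inet6
+# seccomp
 shell none
 
 disable-mnt
@@ -35,6 +36,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# seccomp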
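Review bot: The restored `# seccomp` records that the syscall filter is disabled for multimc5 but not why, and a disabled hardening directive with no recorded reason tends to stay disabled indefinitely; the same applies to `# seccomp` in etc/simple-scan.profile and `# protocol unix,inet,inet6` in etc/skanlite.profile. Suggest the form the tree already uses for kwrite, `# seccomp - <what breaks when enabled>`, so the next maintainer can re-test and re-enable it. In simple-scan the restored `# seccomp` is also placed after `shell none` although the active directives around it are kept in alphabetical order; moving it above `shell none` keeps the file consistent.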
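--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -19,6 +19,7 @@ noroot
 nosound
 protocol unix
 seccomp
+# seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
 shell none
 tracelog
 
@@ -26,9 +27,5 @@ tracelog
 private-dev
 private-etc fonts
 private-tmp
-read-only ${HOME}
-
-# CLOBBERED COMMENTS
-# Experimental:
 # mupdf will never write anything
-# seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
+read-only ${HOME}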
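Review bot: The `# Experimental:` header from the clobbered block was the only context for the long `# seccomp.keep ...` allowlist, and it is dropped while the list itself is restored directly under the active `seccomp` line, so a reader cannot tell whether the list is an untested tighter alternative or a leftover. Suggest a one-line lead-in above it, e.g. `# Experimental stricter filter, untested - replaces the default seccomp list if enabled`, so that anyone enabling it knows both lines are not meant to be active together. The move of `read-only ${HOME}` under `# mupdf will never write anything` is a clear improvement and needs no change.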
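--- a/etc/mupen64plus.profile
+++ b/etc/mupen64plus.profile
@@ -13,6 +13,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+# you'll need to manually whitelist ROM files
 mkdir ${HOME}/.config/mupen64plus
 mkdir ${HOME}/.local/share/mupen64plus
 whitelist ${HOME}/.config/mupen64plus/
@@ -24,6 +25,3 @@ net none
 nonewprivs
 noroot
 seccomp
-
-# CLOBBERED COMMENTS
-# manually whitelist ROM files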
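--- a/etc/nautilus.profile
+++ b/etc/nautilus.profile
@@ -5,6 +5,9 @@ include /etc/firejail/nautilus.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there
+# is already a nautilus process running on gnome desktops firejail will have no effect.
+
 noblacklist ~/.config/nautilus
 noblacklist ~/.local/share/Trash
 noblacklist ~/.local/share/nautilus
@@ -25,12 +28,8 @@ seccomp
 shell none
 tracelog
 
+# nautilus needs to be able to start arbitrary applications so we cannot blacklist their files
 # private-bin nautilus
 # private-dev
 # private-etc fonts
 # private-tmp
-
-# CLOBBERED COMMENTS
-# Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there
-# is already a nautilus process running on gnome desktops firejail will have no effect.
-# nautilus needs to be able to start arbitrary applications so we cannot blacklist their files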
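--- a/etc/open-invaders.profile
+++ b/etc/open-invaders.profile
@@ -28,7 +28,3 @@ shell none
 private-dev
 # private-etc none
 private-tmp
-
-# CLOBBERED COMMENTS
-# depending on your usage, you can enable some of the commands below:
-# nosound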
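--- a/etc/palemoon.profile
+++ b/etc/palemoon.profile
@@ -12,6 +12,26 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 
+# These are uncommented in the Firefox profile. If you run into trouble you may
+# want to uncomment (some of) them.
+#whitelist ~/dwhelper
+#whitelist ~/.zotero
+#whitelist ~/.vimperatorrc
+#whitelist ~/.vimperator
+#whitelist ~/.pentadactylrc
+#whitelist ~/.pentadactyl
+#whitelist ~/.keysnail.js
+#whitelist ~/.config/gnome-mplayer
+#whitelist ~/.cache/gnome-mplayer/plugin
+#whitelist ~/.pki
+#whitelist ~/.lastpass
+
+# For silverlight
+#whitelist ~/.wine-pipelight
+#whitelist ~/.wine-pipelight64
+#whitelist ~/.config/pipelight-widevine
+#whitelist ~/.config/pipelight-silverlight5.1
+
 mkdir ~/.cache/moonchild productions/pale moon
 mkdir ~/.moonchild productions
 whitelist ${DOWNLOADS}
@@ -34,22 +54,3 @@ tracelog
 # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
 # private-opt palemoon
 private-tmp
-
-# CLOBBERED COMMENTS
-# For silverlight
-# want to uncomment (some of) them.
-# whitelist ~/.cache/gnome-mplayer/plugin
-# whitelist ~/.config/gnome-mplayer
-# whitelist ~/.config/pipelight-silverlight5.1
-# whitelist ~/.config/pipelight-widevine
-# whitelist ~/.keysnail.js
-# whitelist ~/.lastpass
-# whitelist ~/.pentadactyl
-# whitelist ~/.pentadactylrc
-# whitelist ~/.pki
-# whitelist ~/.vimperator
-# whitelist ~/.vimperatorrc
-# whitelist ~/.wine-pipelight
-# whitelist ~/.wine-pipelight64
-# whitelist ~/.zotero
-# whitelist ~/dwhelper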
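Review bot: The restored block of commented `#whitelist` entries includes `#whitelist ~/.pki` and `#whitelist ~/.lastpass`, i.e. the user's certificate store and password-manager data, but the lead-in only says to uncomment them "if you run into trouble", which invites enabling the whole block at once. Suggest one extra line in the header, e.g. `# ~/.pki and ~/.lastpass expose certificate and password stores to the browser - enable only if you actually use them`, so the widening of the sandbox is a conscious choice. As a point of style, the new lines use `#whitelist` without a space while the rest of the file (`# private-opt palemoon`, `# private-etc ...`) uses `# `; keeping one form makes grepping for disabled directives reliable.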
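--- a/etc/pingus.profile
+++ b/etc/pingus.profile
@@ -28,7 +28,3 @@ shell none
 private-dev
 # private-etc none
 private-tmp
-
-# CLOBBERED COMMENTS
-# depending on your usage, you can enable some of the commands below:
-# nosound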
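--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -35,12 +35,9 @@ noroot
 nosound
 protocol unix,inet,inet6,netlink
 seccomp
+# shell none
 
 # private-bin qbittorrent
 private-dev
 # private-etc X11,fonts,xdg,resolv.conf
 private-tmp
-
-# CLOBBERED COMMENTS
-# shell none
-# there are some problems with "Open destination folder", see bug # 536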
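Review bot: The restored `# shell none` loses its justification: the clobbered block explained that it is disabled because of problems with "Open destination folder" and pointed at bug 536, and that explanation is dropped. Without it the next maintainer has no way to know whether the bug is fixed and the directive can be re-enabled. Suggest restoring the reason on the same line, `# shell none - breaks "Open destination folder", see bug #536`.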
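--- a/etc/rambox.profile
+++ b/etc/rambox.profile
@@ -26,6 +26,4 @@ nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
-
-# CLOBBERED COMMENTS
 # tracelog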
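--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -5,6 +5,7 @@ include /etc/firejail/ranger.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# noblacklist /usr/bin/cpan*
 noblacklist /usr/bin/perl
 noblacklist /usr/lib/perl*
 noblacklist /usr/share/perl*
@@ -25,6 +26,3 @@ protocol unix
 seccomp
 
 private-dev
-
-# CLOBBERED COMMENTS
-# noblacklist /usr/bin/cpan*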
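--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -13,6 +13,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+# no3d
 nogroups
 nonewprivs
 noroot
@@ -28,6 +29,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# no3d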
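--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -5,6 +5,7 @@ include /etc/firejail/scribus.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# Support for PDF readers (Scribus 1.5 and higher)
 noblacklist ~/.config/okularpartrc
 noblacklist ~/.config/okularrc
 noblacklist ~/.config/scribus
@@ -35,6 +36,3 @@ tracelog
 
 private-dev
 # private-tmp
-
-# CLOBBERED COMMENTS
-# Support for PDF readers (Scribus 1.5 and higher)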
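--- a/etc/simple-scan.profile
+++ b/etc/simple-scan.profile
@@ -20,12 +20,10 @@ noroot
 nosound
 protocol unix,inet,inet6
 shell none
+# seccomp
 tracelog
 
 # private-bin simple-scan
 # private-dev
 # private-etc fonts
 # private-tmp
-
-# CLOBBERED COMMENTS
-# seccomp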
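--- a/etc/simutrans.profile
+++ b/etc/simutrans.profile
@@ -28,7 +28,3 @@ shell none
 private-dev
 # private-etc none
 private-tmp
-
-# CLOBBERED COMMENTS
-# depending on your usage, you can enable some of the commands below:
-# nosound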
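--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -17,6 +17,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+# protocol unix,inet,inet6
 seccomp
 shell none
 
@@ -24,6 +25,3 @@ shell none
 # private-dev
 # private-etc
 # private-tmp
-
-# CLOBBERED COMMENTS
-# protocol unix,inet,inet6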
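--- a/etc/smplayer.profile
+++ b/etc/smplayer.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+# nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
@@ -27,6 +28,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# nogroups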
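--- a/etc/ssh-agent.profile
+++ b/etc/ssh-agent.profile
@@ -23,6 +23,3 @@ nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
-
-# CLOBBERED COMMENTS
-# ssh-agent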
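--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -33,6 +33,3 @@ private-dev
 memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# ssh client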
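--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -14,6 +14,7 @@ noblacklist ${HOME}/.local/share/steam
 noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.steampath
 noblacklist ${HOME}/.steampid
+# with >=llvm-4 mesa drivers need llvm stuff
 noblacklist /usr/lib/llvm*
 
 include /etc/firejail/disable-common.inc
@@ -26,15 +27,12 @@ netfilter
 nogroups
 nonewprivs
 noroot
+# novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
+# tracelog disabled as it breaks integrated browser
+# tracelog
 
 private-dev
 private-tmp
-
-# CLOBBERED COMMENTS
-# novideo
-# tracelog
-# tracelog disabled as it breaks integrated browser
-# with >=llvm-4 mesa drivers need llvm stuff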
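Review bot: The two restored lines `# tracelog disabled as it breaks integrated browser` and `# tracelog` say the same thing in two forms, while the rest of this change uses the single-line `# directive - reason` form (kwrite, lxterminal, midori); collapsing them to `# tracelog - breaks integrated browser` keeps the file consistent and greppable. The restored `# novideo` above `protocol` carries no reason at all, so it is unclear whether it was disabled for a concrete breakage or simply never tried. If the reason is known, adding it in the same form would let someone re-test and re-enable it later.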
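--- a/etc/supertux2.profile
+++ b/etc/supertux2.profile
@@ -28,7 +28,3 @@ shell none
 private-dev
 # private-etc none
 private-tmp
-
-# CLOBBERED COMMENTS
-# depending on your usage, you can enable some of the commands below:
-# nosound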
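--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -29,6 +29,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# synfigstudio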
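--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -16,11 +16,9 @@ nosound
 shell none
 tracelog
 
+# support compressed archives
 private-bin sh,bash,dash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop
 private-dev
 private-etc passwd,group,localtime
 
 include /etc/firejail/default.profile
-
-# CLOBBERED COMMENTS
-# support compressed archives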
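--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -5,6 +5,9 @@ include /etc/firejail/thunderbird.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# Users have thunderbird set to open a browser by clicking a link in an email
+# We are not allowed to blacklist browser-specific directories
+
 noblacklist ~/.cache/thunderbird
 noblacklist ~/.gnupg
 noblacklist ~/.icedove
@@ -27,9 +30,5 @@ ignore private-tmp
 read-only ~/.config/mimeapps.list
 read-only ~/.local/share/applications
 
-include /etc/firejail/firefox.profile
-
-# CLOBBERED COMMENTS
-# Users have thunderbird set to open a browser by clicking a link in an email
-# We are not allowed to blacklist browser-specific directories
 # allow browsers
+include /etc/firejail/firefox.profile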
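--- a/etc/tracker.profile
+++ b/etc/tracker.profile
@@ -5,6 +5,8 @@ include /etc/firejail/tracker.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# Tracker is started by systemd on most systems. Therefore it is not firejailed by default
+
 blacklist /tmp/.X11-unix
 
 include /etc/firejail/disable-common.inc
@@ -28,6 +30,3 @@ tracelog
 # private-dev
 # private-etc fonts
 # private-tmp
-
-# CLOBBERED COMMENTS
-# Tracker is started by systemd on most systems. Therefore it is not firejailed by default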
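--- a/etc/unknown-horizons.profile
+++ b/etc/unknown-horizons.profile
@@ -27,7 +27,3 @@ shell none
 private-dev
 # private-etc none
 private-tmp
-
-# CLOBBERED COMMENTS
-# depending on your usage, you can enable some of the commands below:
-# nosound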
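--- a/etc/virtualbox.profile
+++ b/etc/virtualbox.profile
@@ -8,6 +8,7 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.VirtualBox
 noblacklist ${HOME}/.config/VirtualBox
 noblacklist ${HOME}/VirtualBox VMs
+# noblacklist /usr/bin/virtualbox
 noblacklist /usr/lib/virtualbox
 noblacklist /usr/lib64/virtualbox
 
@@ -23,6 +24,3 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
-
-# CLOBBERED COMMENTS
-# noblacklist /usr/bin/virtualbox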
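--- a/etc/vivaldi.profile
+++ b/etc/vivaldi.profile
@@ -29,6 +29,3 @@ private-dev
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# disable-mnt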
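--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+# nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
@@ -26,7 +27,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# memory-deny-write-execute - breaks playing videos
-# nogroups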
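Review bot: The second hunk drops `# memory-deny-write-execute - breaks playing videos` without re-adding it anywhere, while `# nogroups` from the same removed block is restored into the options block by the first hunk. That line records why a hardening option is deliberately absent from this profile, so losing it invites a later maintainer to add `memory-deny-write-execute` and rediscover the breakage. Keep it with the other disabled options, for example directly after the restored `# nogroups`: `# memory-deny-write-execute - breaks playing videos`. The options block continues past the end of the first hunk.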
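--- a/etc/warzone2100.profile
+++ b/etc/warzone2100.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+# mkdir ~/.warzone2100-3.1
+# mkdir ~/.warzone2100-3.2
 whitelist ~/.warzone2100-3.1
 whitelist ~/.warzone2100-3.2
 include /etc/firejail/whitelist-common.inc
@@ -30,8 +32,3 @@ disable-mnt
 private-bin warzone2100
 private-dev
 private-tmp
-
-# CLOBBERED COMMENTS
-# Call these options
-# mkdir ~/.warzone2100-3.1
-# mkdir ~/.warzone2100-3.2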
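Review bot: The two `# mkdir ~/.warzone2100-3.1` / `# mkdir ~/.warzone2100-3.2` lines placed in front of the `whitelist` directives are comments, so they create nothing, and the removed block's heading `# Call these options` (the hint that the user is expected to run them by hand) is dropped rather than moved, so the new placement reads as if the profile created the directories itself. If the intent is that the whitelisted directories exist on first launch, firejail's profile-level `mkdir` command can carry that without the comment marker, `mkdir ~/.warzone2100-3.1` and `mkdir ~/.warzone2100-3.2`; otherwise the comment should state that this is a manual step, because a whitelist entry for a directory that does not exist presumably leaves the game with no writable location under the home directory (worth confirming on a clean profile).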
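--- a/etc/weechat.profile
+++ b/etc/weechat.profile
@@ -17,7 +17,6 @@ noroot
 protocol unix,inet,inet6
 seccomp
 
-# CLOBBERED COMMENTS
+# no private-bin support for various reasons:
 # Plugins loaded: alias, aspell, charset, exec, fifo, guile, irc,
 # logger, lua, perl, python, relay, ruby, script, tcl, trigger, xferloading plugins
-# no private-bin support for various reasons: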
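--- a/etc/wire.profile
+++ b/etc/wire.profile
@@ -5,6 +5,9 @@ include /etc/firejail/wire.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# Note: the current beta version of wire is located in /opt/Wire/wire and therefore not in PATH.
+# To use wire with firejail run "firejail /opt/Wire/wire"
+
 noblacklist ~/.config/Wire
 noblacklist ~/.config/wire
 
@@ -25,7 +28,3 @@ shell none
 disable-mnt
 private-dev
 private-tmp
-
-# CLOBBERED COMMENTS
-# Note: the current beta version of wire is located in /opt/Wire/wire and therefore not in PATH.
-# To use wire with firejail run "firejail /opt/Wire/wire"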
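--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -12,9 +12,15 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+# caps.drop all
 netfilter
 no3d
+# nogroups - breaks unprivileged wireshark usage
+# nonewprivs - breaks unprivileged wireshark usage
+# noroot
 nosound
+# protocol unix,inet,inet6,netlink
+# seccomp - breaks unprivileged wireshark usage
 shell none
 tracelog
 
@@ -25,11 +31,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# caps.drop all
-# nogroups - breaks unprivileged wireshark usage
-# nonewprivs - breaks unprivileged wireshark usage
-# noroot
-# protocol unix,inet,inet6,netlink
-# seccomp - breaks unprivileged wireshark usage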
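Review bot: `# caps.drop all`, `# noroot` and `# protocol unix,inet,inet6,netlink` in the first hunk are disabled without the reason that the neighbouring `# nogroups`, `# nonewprivs` and `# seccomp` lines carry, so a maintainer cannot tell whether they were tested and found to break capture or simply never tried. If capabilities are the reason, the comment should say so, e.g. `# caps.drop all - packet capture needs CAP_NET_RAW/CAP_NET_ADMIN`, and a `caps.keep net_raw,net_admin` line would drop the rest of the bounding set while preserving capture (worth testing against the distribution's capability-enabled dumpcap, since `nonewprivs` is also off here). The protocol filter is presumably off because capture uses packet sockets that the listed families do not cover; recording that prevents someone re-enabling it and breaking capture.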