-rw-r--r-- | etc/profile-a-l/electron-mail.profile | 68 | ||||
-rw-r--r-- | etc/profile-m-z/qutebrowser.profile | 27 | ||||
-rw-r--r-- | src/man/firejail.txt | 6 |
3 files changed, 58 insertions, 43 deletions
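--- a/etc/profile-a-l/electron-mail.profile
+++ b/etc/profile-a-l/electron-mail.profile
@@ -1,55 +1,43 @@
-# Firejail profile for electron-mail
-# Description: Unofficial desktop app for several E2E encrypted email providers
+# Firejail profile for ElectronMail
+# Description: Unofficial desktop app for the Proton Mail E2E encrypted email provider
 # This file is overwritten after every install/update
 # Persistent local customizations
 include electron-mail.local
 # Persistent global definitions
 include globals.local
 
+ignore dbus-user none
+ignore disable-mnt
+
 noblacklist ${HOME}/.config/electron-mail
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
+# sh is needed to allow Firefox to open links
+include allow-bin-sh.inc
+
 include disable-shell.inc
-include disable-xdg.inc
 
 mkdir ${HOME}/.config/electron-mail
 whitelist ${HOME}/.config/electron-mail
-whitelist ${DOWNLOADS}
-
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-apparmor
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-notv
-nou2f
-novideo
-protocol unix,inet,inet6,netlink
-seccomp !chroot
-# tracelog - breaks on Arch
-
-private-bin electron-mail
-private-cache
-private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,selinux,ssl,xdg
+
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.mozilla/firefox/profiles.ini
+
+machine-id
+nosound
+
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
 private-opt ElectronMail
-private-tmp
 
-# breaks tray functionality
-# dbus-user none
-dbus-system none
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.gnome.keyring.SystemPrompter
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*
 
-# memory-deny-write-execute - breaks on Arch
+# Redirect
+include electron.profile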
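Review bot: The comment block at new lines 22–24 explains why profiles.ini is needed but not that `noblacklist ${HOME}/.mozilla` at line 25 re-exposes the whole Firefox directory (cookies, session store, saved logins) and that only the `whitelist` at line 26 narrows it back to a single file. That narrowing presumably relies on whitelist-common.inc being pulled in through the `include electron.profile` redirect at line 43, which is not part of this diff, so a user who drops the whitelist in electron-mail.local silently widens the mail client's reach over the browser profile. I would extend the comment with `# noblacklist has to name the directory; the whitelist below is what keeps the rest of ~/.mozilla out of the sandbox`. The `read-only` at line 27 is the right complement and belongs next to that whitelist.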
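--- a/etc/profile-m-z/qutebrowser.profile
+++ b/etc/profile-m-z/qutebrowser.profile
@@ -10,14 +10,19 @@ noblacklist ${HOME}/.cache/qutebrowser
 noblacklist ${HOME}/.config/qutebrowser
 noblacklist ${HOME}/.local/share/qutebrowser
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-shell.inc
 
 mkdir ${HOME}/.cache/qutebrowser
 mkdir ${HOME}/.config/qutebrowser
@@ -26,8 +31,14 @@ whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/qutebrowser
 whitelist ${HOME}/.config/qutebrowser
 whitelist ${HOME}/.local/share/qutebrowser
+whitelist /usr/share/qtbrowser
 include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -38,3 +49,19 @@ protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks qt webengine
 seccomp !chroot,!name_to_handle_at
 # tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
+
+dbus-user filter
+dbus-user.own org.mpris.MediaPlayer2.qutebrowser.*
+dbus-user.talk org.freedesktop.Notifications
+# Add the next line to your qutebrowser.local to allow screen sharing under wayland.
+#dbus-user.talk org.freedesktop.portal.Desktop
+# Add the next line to your qutebrowser.local if screen sharing sharing still does not work
+# with the above lines (might depend on the portal implementation).
+#ignore noroot
+dbus-system none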
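Review bot: `whitelist /usr/share/qtbrowser` at new line 34 looks like a typo for `/usr/share/qutebrowser`; because the same hunk also adds `include whitelist-usr-share-common.inc`, /usr/share becomes whitelist-only and a misspelled entry would hide the program's own data directory rather than expose anything, so the breakage should surface at first launch unless `qtbrowser` is a real path I am not aware of. The comment at line 64 also doubles a word and would read better as `# Add the next line to your qutebrowser.local if screen sharing still does not work`. Since the new `disable-mnt`, `private-*` and `dbus-user filter` lines at 53–67 are the first hardening this profile has had in those areas, a one-line comment above `dbus-user filter` naming what the two talk rules are for (notifications and the MPRIS name the browser owns) would help the next person who needs to widen it.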
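--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -164,12 +164,12 @@ private-bin and private-lib are disabled by default when running appimages.
 .br
 Example:
 .br
-$ firejail --appimage --profile=krita krita-3.0-x86_64.appimage
+$ firejail --profile=krita --appimage krita-3.0-x86_64.appimage
 .br
-$ firejail --appimage --private --profile=krita krita-3.0-x86_64.appimage
+$ firejail --private --profile=krita --appimage krita-3.0-x86_64.appimage
 .br
 #ifdef HAVE_X11
-$ firejail --appimage --net=none --x11 --profile=krita krita-3.0-x86_64.appimage
+$ firejail --net=none --x11 --profile=krita --appimage krita-3.0-x86_64.appimage
 #endif
 .TP
 #ifdef HAVE_NETWORK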