-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | RELNOTES | 3 | ||||
-rw-r--r-- | etc/bzflag.profile | 44 | ||||
-rw-r--r-- | etc/disable-programs.inc | 6 | ||||
-rw-r--r-- | etc/freeciv-gtk3.profile | 5 | ||||
-rw-r--r-- | etc/freeciv-mp-gtk3.profile | 5 | ||||
-rw-r--r-- | etc/freeciv.profile | 44 | ||||
-rw-r--r-- | etc/lincity-ng.profile | 44 | ||||
-rw-r--r-- | etc/megaglest.profile | 44 | ||||
-rw-r--r-- | etc/megaglest_editor.profile | 5 | ||||
-rw-r--r-- | etc/openttd.profile | 44 | ||||
-rw-r--r-- | etc/ostrichriders.profile | 3 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 8 |
13 files changed, 253 insertions, 4 deletions
@@ -102,4 +102,4 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
102 | ## Current development version: 0.9.59 | 102 | ## Current development version: 0.9.59 |
103 | 103 | ||
104 | ## New profiles: | 104 | ## New profiles: |
105 | crow, nyx, klavaro, mypaint, celluoid, nano, transgui, sysprof, simplescreenrecorder, geekbench, xfce4-mixer, pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring, regextester, hardinfo, gnome-system-log, gnome-nettool, netactview, redshift, devhelp, assogiate, subdownloader, font-manager, exfalso, gconf-editor, dconf-editor, mpdris2, sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings, code-oss, pragha, Maelstrom, ostrichriders | 105 | crow, nyx, klavaro, mypaint, celluoid, nano, transgui, sysprof, simplescreenrecorder, geekbench, xfce4-mixer, pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring, regextester, hardinfo, gnome-system-log, gnome-nettool, netactview, redshift, devhelp, assogiate, subdownloader, font-manager, exfalso, gconf-editor, dconf-editor, mpdris2, sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings, code-oss, pragha, Maelstrom, ostrichriders, bzflag, freeciv, lincity-ng, megaglest, openttd |
@@ -6,7 +6,8 @@ firejail (0.9.59) baseline; urgency=low | |||
6 | * new profiles: netactview, redshift, devhelp, assogiate, subdownloader | 6 | * new profiles: netactview, redshift, devhelp, assogiate, subdownloader |
7 | * new profiles: font-manager, exfalso, gconf-editor, dconf-editor | 7 | * new profiles: font-manager, exfalso, gconf-editor, dconf-editor |
8 | * new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings | 8 | * new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings |
9 | * new profiles: code-oss, pragha, Maelstrom, ostrichriders | 9 | * new profiles: code-oss, pragha, Maelstrom, ostrichriders, bzflag |
10 | * new profiles: freeciv, lincity-ng, megaglest, openttd | ||
10 | * memory-deny-write-execute now also blocks memfd_create | 11 | * memory-deny-write-execute now also blocks memfd_create |
11 | * drop support for flatpak/snap packages | 12 | * drop support for flatpak/snap packages |
12 | 13 | ||
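diff --git a/etc/bzflag.profile b/etc/bzflag.profile
new file mode 100644
index 000000000..94cd40899
--- /dev/null
+++ b/etc/bzflag.profile
@@ -0,0 +1,44 @@
+# Firejail profile for bzflag
+# Description: 3D multi-player tank battle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bzflag.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.bzf
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.bzf
+whitelist ${HOME}/.bzf
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bzflag,bzflag-wrapper,bzfs,bzadmin
+private-cache
+private-dev
+private-tmp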
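diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index b8ecd4b13..0237ad2ba 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -48,6 +48,7 @@ blacklist ${HOME}/.bcast5
 blacklist ${HOME}/.bibletime
 blacklist ${HOME}/.bitcoin
 blacklist ${HOME}/.bogofilter
+blacklist ${HOME}/.bzf
 blacklist ${HOME}/.claws-mail
 blacklist ${HOME}/.cliqz
 blacklist ${HOME}/.config/0ad
@@ -296,6 +297,7 @@ blacklist ${HOME}/.config/yandex-browser-beta
 blacklist ${HOME}/.config/zathura
 blacklist ${HOME}/.config/zoomus.conf
 blacklist ${HOME}/.conkeror.mozdev.org
+blacklist ${HOME}/.crawl
 blacklist ${HOME}/.curlrc
 blacklist ${HOME}/.dashcore
 blacklist ${HOME}/.devilspie
@@ -318,6 +320,7 @@ blacklist ${HOME}/.filezilla
 blacklist ${HOME}/.flowblade
 blacklist ${HOME}/.fltk
 blacklist ${HOME}/.fossamail
+blacklist ${HOME}/.freeciv
 blacklist ${HOME}/.frozen-bubble
 blacklist ${HOME}/.gimp*
 blacklist ${HOME}/.git-credential-cache
@@ -404,6 +407,7 @@ blacklist ${HOME}/.killingfloor
 blacklist ${HOME}/.kino-history
 blacklist ${HOME}/.kinorc
 blacklist ${HOME}/.kodi
+blacklist ${HOME}/.lincity-ng
 blacklist ${HOME}/.linphone-history.db
 blacklist ${HOME}/.linphonerc
 blacklist ${HOME}/.lmmsrc.xml
@@ -519,6 +523,7 @@ blacklist ${HOME}/.masterpdfeditor
 blacklist ${HOME}/.mcabber
 blacklist ${HOME}/.mcabberrc
 blacklist ${HOME}/.mediathek3
+blacklist ${HOME}/.megaglest
 blacklist ${HOME}/.minetest
 blacklist ${HOME}/.moonchild productions/basilisk
 blacklist ${HOME}/.moonchild productions/pale moon
@@ -536,6 +541,7 @@ blacklist ${HOME}/.nylas-mail
 blacklist ${HOME}/.openinvaders
 blacklist ${HOME}/.openshot
 blacklist ${HOME}/.openshot_qt
+blacklist ${HOME}/.openttd
 blacklist ${HOME}/.opera
 blacklist ${HOME}/.opera-beta
 blacklist ${HOME}/.ostrichriders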
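Review bot: The second hunk adds `blacklist ${HOME}/.crawl`, but no crawl profile, no `noblacklist ${HOME}/.crawl` line and no release-note entry appear anywhere in this commit, whereas the other five additions each pair with a profile added here. If a crawl profile exists elsewhere in the tree it needs the matching `noblacklist`; otherwise the program loses access to that directory under any profile that includes this file. Either way the entry should be mentioned in the commit message or RELNOTES so the behaviour change can be traced.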
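diff --git a/etc/freeciv-gtk3.profile b/etc/freeciv-gtk3.profile
new file mode 100644
index 000000000..fa36459e7
--- /dev/null
+++ b/etc/freeciv-gtk3.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for freeciv
+# This file is overwritten after every install/update
+
+# Redirect
+include freeciv.profile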
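diff --git a/etc/freeciv-mp-gtk3.profile b/etc/freeciv-mp-gtk3.profile
new file mode 100644
index 000000000..fa36459e7
--- /dev/null
+++ b/etc/freeciv-mp-gtk3.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for freeciv
+# This file is overwritten after every install/update
+
+# Redirect
+include freeciv.profile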
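diff --git a/etc/freeciv.profile b/etc/freeciv.profile
new file mode 100644
index 000000000..4813379a7
--- /dev/null
+++ b/etc/freeciv.profile
@@ -0,0 +1,44 @@
+# Firejail profile for freeciv
+# Description: A multi-player strategy game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freeciv.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.freeciv
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.freeciv
+whitelist ${HOME}/.freeciv
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin freeciv-gtk3,freeciv-mp-gtk3,freeciv-server,freeciv-manual
+private-cache
+private-dev
+private-tmp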
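Review bot: `private-bin` on line 41 omits `freeciv`, yet firecfg.config in this same commit registers a `freeciv` entry. If an executable of that name exists on a system, firecfg will symlink it and the sandbox will start with a bin directory that does not contain the program it was asked to run. Either drop the firecfg entry or extend the list to `private-bin freeciv,freeciv-gtk3,freeciv-mp-gtk3,freeciv-server,freeciv-manual`. The other freeciv client front ends get no alias profile either, which may be intentional.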
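diff --git a/etc/lincity-ng.profile b/etc/lincity-ng.profile
new file mode 100644
index 000000000..b55ac9a15
--- /dev/null
+++ b/etc/lincity-ng.profile
@@ -0,0 +1,44 @@
+# Firejail profile for lincity-ng
+# Description: City simulation game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lincity-ng.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.lincity-ng
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.lincity-ng
+whitelist ${HOME}/.lincity-ng
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin lincity-ng
+private-cache
+private-dev
+private-tmp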
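diff --git a/etc/megaglest.profile b/etc/megaglest.profile
new file mode 100644
index 000000000..08eae6dfc
--- /dev/null
+++ b/etc/megaglest.profile
@@ -0,0 +1,44 @@
+# Firejail profile for megaglest
+# Description: 3D multi-player real time strategy game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include megaglest.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.megaglest
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.megaglest
+whitelist ${HOME}/.megaglest
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin megaglest,megaglest_editor,megaglest_g3dviewer
+private-cache
+private-dev
+private-tmp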
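Review bot: Line 35 allows `netlink` in the protocol filter without saying why, and the ostrichriders.profile hunk in this commit does the same while deleting the only comment that explained the earlier state. Netlink is a wider kernel interface than a game would normally be expected to need, so a later hardening pass is likely to remove it and bring back whatever breakage prompted it. A one-line comment above each `protocol` line, such as `# netlink is needed for <reason observed during testing>`, would record the justification.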
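diff --git a/etc/megaglest_editor.profile b/etc/megaglest_editor.profile
new file mode 100644
index 000000000..02aad8084
--- /dev/null
+++ b/etc/megaglest_editor.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for megaglest
+# This file is overwritten after every install/update
+
+# Redirect
+include megaglest.profile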
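diff --git a/etc/openttd.profile b/etc/openttd.profile
new file mode 100644
index 000000000..5de4d325d
--- /dev/null
+++ b/etc/openttd.profile
@@ -0,0 +1,44 @@
+# Firejail profile for openttd
+# Description: Transport system simulation game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openttd.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.openttd
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.openttd
+whitelist ${HOME}/.openttd
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin openttd
+private-cache
+private-dev
+private-tmp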
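diff --git a/etc/ostrichriders.profile b/etc/ostrichriders.profile
index 4eedddefd..bef784126 100644
--- a/etc/ostrichriders.profile
+++ b/etc/ostrichriders.profile
@@ -32,8 +32,7 @@ noroot
 notv
 nou2f
 novideo
-# protocol seems to have a huge impact on performance
-#protocol unix
+protocol unix,netlink
 seccomp
 shell none
 tracelog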
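diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 1e59bbb4f..790768290 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -70,6 +70,7 @@ brasero
 brave
 brave-browser
 bunzip2
+bzflag
 bzip2
 calibre
 calligra
@@ -180,6 +181,9 @@ fossamail
 franz
 freecad
 freecadcmd
+freeciv
+freeciv-gtk3
+freeciv-mp-gtk3
 freshclam
 frozen-bubble
 gajim
@@ -291,6 +295,7 @@ leafpad
 less
 libreoffice
 liferea
+lincity-ng
 linphone
 lmms
 lobase
@@ -325,6 +330,8 @@ mathematica
 mcabber
 mediainfo
 mediathekview
+megaglest
+megaglest_editor
 meld
 mencoder
 mendeleydesktop
@@ -375,6 +382,7 @@ onionshare-gui
 open-invaders
 openshot
 openshot-qt
+openttd
 opera
 opera-beta
 orage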
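Review bot: The megaglest hunk registers `megaglest` and `megaglest_editor` but not `megaglest_g3dviewer`, which megaglest.profile lists in `private-bin`, and this commit adds no alias profile for it. Started from a menu entry or a shell, the viewer would therefore not be picked up by firecfg, and when launched through firejail explicitly it would not match megaglest.profile by name. Adding `megaglest_g3dviewer` after `megaglest_editor`, together with a redirect profile modelled on megaglest_editor.profile, would close the gap. The same question applies to `bzfs`, `bzadmin` and `freeciv-server`, which may have been left out deliberately.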