-rw-r--r-- | Makefile.in | 1 | ||||
-rw-r--r-- | README | 2 | ||||
-rw-r--r-- | RELNOTES | 2 | ||||
-rw-r--r-- | etc/chromium.profile | 13 | ||||
-rw-r--r-- | etc/disable-common.inc | 21 | ||||
-rw-r--r-- | etc/firefox.profile | 23 | ||||
-rw-r--r-- | etc/google-chrome-beta.profile | 11 | ||||
-rw-r--r-- | etc/google-chrome-unstable.profile | 11 | ||||
-rw-r--r-- | etc/google-chrome.profile | 13 | ||||
-rw-r--r-- | etc/opera-beta.profile | 14 | ||||
-rw-r--r-- | etc/opera.profile | 14 | ||||
-rw-r--r-- | etc/seamonkey-bin.profile | 39 | ||||
-rw-r--r-- | etc/seamonkey.profile | 26 | ||||
-rw-r--r-- | etc/vivaldi.profile | 19 | ||||
-rw-r--r-- | etc/vlc.profile | 1 | ||||
-rw-r--r-- | etc/whitelist-common.inc | 1 | ||||
-rw-r--r-- | platform/debian/conffiles | 1 |
17 files changed, 157 insertions, 55 deletions
diff --git a/Makefile.in b/Makefile.in index 561dea897..e60fde529 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -145,6 +145,7 @@ realinstall: | |||
145 | install -c -m 0644 .etc/hedgewars.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 145 | install -c -m 0644 .etc/hedgewars.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
146 | install -c -m 0644 .etc/vivaldi.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 146 | install -c -m 0644 .etc/vivaldi.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
147 | install -c -m 0644 .etc/vivaldi-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 147 | install -c -m 0644 .etc/vivaldi-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
148 | install -c -m 0644 .etc/atril.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
148 | sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" | 149 | sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" |
149 | rm -fr .etc | 150 | rm -fr .etc |
150 | # man pages | 151 | # man pages |
@@ -19,7 +19,7 @@ Firejail Authors: | |||
19 | 19 | ||
20 | netblue30 (netblue30@yahoo.com) | 20 | netblue30 (netblue30@yahoo.com) |
21 | Fred-Barclay (https://github.com/Fred-Barclay) | 21 | Fred-Barclay (https://github.com/Fred-Barclay) |
22 | - added Vivaldi profiles | 22 | - added Vivaldi, Atril profiles |
23 | yumkam (https://github.com/yumkam) | 23 | yumkam (https://github.com/yumkam) |
24 | - add compile-time option to restrict --net= to root only | 24 | - add compile-time option to restrict --net= to root only |
25 | - man page fixes | 25 | - man page fixes |
@@ -7,7 +7,7 @@ firejail (0.9.39) baseline; urgency=low | |||
7 | * --version also prints compile options | 7 | * --version also prints compile options |
8 | * added compile-time option to restrict --net= to root only | 8 | * added compile-time option to restrict --net= to root only |
9 | * build rpm packages using "make rpms" | 9 | * build rpm packages using "make rpms" |
10 | * new profiles: lxterminal, Epiphany, cherrytree, Polari, Vivaldi | 10 | * new profiles: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril |
11 | * bugfixes | 11 | * bugfixes |
12 | -- netblue30 <netblue30@yahoo.com> Wed, 3 Mar 2016 08:00:00 -0500 | 12 | -- netblue30 <netblue30@yahoo.com> Wed, 3 Mar 2016 08:00:00 -0500 |
13 | 13 | ||
diff --git a/etc/chromium.profile b/etc/chromium.profile index 78cee3920..b58931b8d 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile | |||
@@ -1,5 +1,7 @@ | |||
1 | # Chromium browser profile | 1 | # Chromium browser profile |
2 | noblacklist ${HOME}/.config/chromium | 2 | noblacklist ~/.config/chromium |
3 | noblacklist ~/.cache/chromium | ||
4 | noblacklist ~/keepassx.kdbx | ||
3 | include /etc/firejail/disable-mgmt.inc | 5 | include /etc/firejail/disable-mgmt.inc |
4 | include /etc/firejail/disable-secret.inc | 6 | include /etc/firejail/disable-secret.inc |
5 | include /etc/firejail/disable-common.inc | 7 | include /etc/firejail/disable-common.inc |
@@ -10,6 +12,7 @@ include /etc/firejail/disable-terminals.inc | |||
10 | # | 12 | # |
11 | 13 | ||
12 | netfilter | 14 | netfilter |
15 | |||
13 | whitelist ${DOWNLOADS} | 16 | whitelist ${DOWNLOADS} |
14 | mkdir ~/.config | 17 | mkdir ~/.config |
15 | mkdir ~/.config/chromium | 18 | mkdir ~/.config/chromium |
@@ -19,4 +22,12 @@ mkdir ~/.cache/chromium | |||
19 | whitelist ~/.cache/chromium | 22 | whitelist ~/.cache/chromium |
20 | mkdir ~/.pki | 23 | mkdir ~/.pki |
21 | whitelist ~/.pki | 24 | whitelist ~/.pki |
25 | |||
26 | # lastpass, keepassx | ||
27 | whitelist ~/.keepassx | ||
28 | whitelist ~/.config/keepassx | ||
29 | whitelist ~/keepassx.kdbx | ||
30 | whitelist ~/.lastpass | ||
31 | whitelist ~/.config/lastpass | ||
32 | |||
22 | include /etc/firejail/whitelist-common.inc | 33 | include /etc/firejail/whitelist-common.inc |
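Review bot: The new `# lastpass, keepassx` block at the end of the profile, together with `noblacklist ~/keepassx.kdbx` at the top, makes the user's password database and password-manager configuration reachable from inside the browser sandbox for every user of this profile, whether or not they use a browser integration. The `noblacklist` line suggests that one of the disable-*.inc includes otherwise hides that file, so the profile is lifting a protection on one of the most sensitive files in the home directory. Consider shipping these lines commented out as an opt-in, or at least following the whitelist with `read-only ~/keepassx.kdbx` so a compromised browser cannot alter the database. The same block is added to the firefox, google-chrome, google-chrome-beta, google-chrome-unstable, opera, opera-beta, seamonkey and vivaldi profiles in this commit.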
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index d97740860..88ce42976 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
@@ -1,3 +1,6 @@ | |||
1 | # various programs | ||
2 | blacklist ${HOME}/.config/vlc | ||
3 | |||
1 | # History files in $HOME | 4 | # History files in $HOME |
2 | blacklist-nolog ${HOME}/.history | 5 | blacklist-nolog ${HOME}/.history |
3 | blacklist-nolog ${HOME}/.*_history | 6 | blacklist-nolog ${HOME}/.*_history |
@@ -5,17 +8,20 @@ blacklist-nolog ${HOME}/.*_history | |||
5 | # HTTP / FTP / Mail | 8 | # HTTP / FTP / Mail |
6 | blacklist-nolog ${HOME}/.adobe | 9 | blacklist-nolog ${HOME}/.adobe |
7 | blacklist-nolog ${HOME}/.macromedia | 10 | blacklist-nolog ${HOME}/.macromedia |
8 | blacklist ${HOME}/.mozilla | ||
9 | blacklist ${HOME}/.icedove | 11 | blacklist ${HOME}/.icedove |
10 | blacklist ${HOME}/.thunderbird | 12 | blacklist ${HOME}/.thunderbird |
11 | blacklist ${HOME}/.sylpheed-2.0 | 13 | blacklist ${HOME}/.sylpheed-2.0 |
12 | blacklist ${HOME}/.config/midori | 14 | blacklist ${HOME}/.config/midori |
13 | blacklist ${HOME}/.config/opera | 15 | |
14 | blacklist ${HOME}/.config/opera-beta | 16 | blacklist ${HOME}/.mozilla |
15 | blacklist ${HOME}/.config/chromium | 17 | blacklist ${HOME}/.config/chromium |
16 | blacklist ${HOME}/.config/google-chrome | 18 | blacklist ${HOME}/.config/google-chrome |
17 | blacklist ${HOME}/.config/google-chrome-beta | 19 | blacklist ${HOME}/.config/google-chrome-beta |
18 | blacklist ${HOME}/.config/google-chrome-unstable | 20 | blacklist ${HOME}/.config/google-chrome-unstable |
21 | blacklist ${HOME}/.config/opera | ||
22 | blacklist ${HOME}/.config/opera-beta | ||
23 | blacklist ~/.config/vivaldi | ||
24 | |||
19 | blacklist ${HOME}/.filezilla | 25 | blacklist ${HOME}/.filezilla |
20 | blacklist ${HOME}/.config/filezilla | 26 | blacklist ${HOME}/.config/filezilla |
21 | blacklist ${HOME}/.local/share/systemd | 27 | blacklist ${HOME}/.local/share/systemd |
@@ -125,3 +131,12 @@ read-only ${HOME}/.xscreensaver | |||
125 | # The user ~/bin directory can override commands such as ls | 131 | # The user ~/bin directory can override commands such as ls |
126 | read-only ${HOME}/bin | 132 | read-only ${HOME}/bin |
127 | 133 | ||
134 | # cache | ||
135 | blacklist ~/.cache/mozilla | ||
136 | blacklist ~/.cache/chromium | ||
137 | blacklist ~/.cache/google-chrome | ||
138 | blacklist ~/.cache/google-chrome-beta | ||
139 | blacklist ~/.cache/google-chrome-unstable | ||
140 | blacklist ~/.cache/opera | ||
141 | blacklist ~/.cache/opera-beta | ||
142 | blacklist ~/.cache/vivaldi | ||
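Review bot: The added `blacklist ~/.config/vivaldi` and the new `# cache` block apply to every profile that includes this file, so a browser profile not updated in this commit loses access to its own directories unless it carries a matching `noblacklist` ahead of the include. Makefile.in installs `vivaldi-beta.profile`, which is not in this commit's file list and is not shown here; if it uses these directories without including vivaldi.profile, it needs `noblacklist ~/.config/vivaldi` and `noblacklist ~/.cache/vivaldi`. Separately, the new lines use `~/` while the rest of the file uses `${HOME}/`; one spelling throughout would make blacklist/noblacklist pairs easier to grep and audit.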
diff --git a/etc/firefox.profile b/etc/firefox.profile index 0b082f216..b06dfa6da 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile | |||
@@ -1,16 +1,21 @@ | |||
1 | # Firejail profile for Mozilla Firefox (Iceweasel in Debian) | 1 | # Firejail profile for Mozilla Firefox (Iceweasel in Debian) |
2 | noblacklist ${HOME}/.mozilla | 2 | |
3 | noblacklist ~/.mozilla | ||
4 | noblacklist ~/.cache/mozilla | ||
5 | noblacklist ~/keepassx.kdbx | ||
3 | include /etc/firejail/disable-mgmt.inc | 6 | include /etc/firejail/disable-mgmt.inc |
4 | include /etc/firejail/disable-secret.inc | 7 | include /etc/firejail/disable-secret.inc |
5 | include /etc/firejail/disable-common.inc | 8 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-devel.inc | 9 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-terminals.inc | 10 | include /etc/firejail/disable-terminals.inc |
11 | |||
8 | caps.drop all | 12 | caps.drop all |
9 | seccomp | 13 | seccomp |
10 | protocol unix,inet,inet6,netlink | 14 | protocol unix,inet,inet6,netlink |
11 | netfilter | 15 | netfilter |
12 | tracelog | 16 | tracelog |
13 | noroot | 17 | noroot |
18 | |||
14 | whitelist ${DOWNLOADS} | 19 | whitelist ${DOWNLOADS} |
15 | mkdir ~/.mozilla | 20 | mkdir ~/.mozilla |
16 | whitelist ~/.mozilla | 21 | whitelist ~/.mozilla |
@@ -20,7 +25,6 @@ mkdir ~/.cache/mozilla/firefox | |||
20 | whitelist ~/.cache/mozilla/firefox | 25 | whitelist ~/.cache/mozilla/firefox |
21 | whitelist ~/dwhelper | 26 | whitelist ~/dwhelper |
22 | whitelist ~/.zotero | 27 | whitelist ~/.zotero |
23 | whitelist ~/.lastpass | ||
24 | whitelist ~/.vimperatorrc | 28 | whitelist ~/.vimperatorrc |
25 | whitelist ~/.vimperator | 29 | whitelist ~/.vimperator |
26 | whitelist ~/.pentadactylrc | 30 | whitelist ~/.pentadactylrc |
@@ -29,6 +33,21 @@ whitelist ~/.keysnail.js | |||
29 | whitelist ~/.config/gnome-mplayer | 33 | whitelist ~/.config/gnome-mplayer |
30 | whitelist ~/.cache/gnome-mplayer/plugin | 34 | whitelist ~/.cache/gnome-mplayer/plugin |
31 | whitelist ~/.pki | 35 | whitelist ~/.pki |
36 | |||
37 | # lastpass, keepassx | ||
38 | whitelist ~/.keepassx | ||
39 | whitelist ~/.config/keepassx | ||
40 | whitelist ~/keepassx.kdbx | ||
41 | whitelist ~/.lastpass | ||
42 | whitelist ~/.config/lastpass | ||
43 | |||
44 | |||
45 | #silverlight | ||
46 | whitelist ~/.wine-pipelight | ||
47 | whitelist ~/.wine-pipelight64 | ||
48 | whitelist ~/.config/pipelight-widevine | ||
49 | whitelist ~/.config/pipelight-silverlight5.1 | ||
50 | |||
32 | include /etc/firejail/whitelist-common.inc | 51 | include /etc/firejail/whitelist-common.inc |
33 | 52 | ||
34 | # experimental features | 53 | # experimental features |
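Review bot: The `#silverlight` block whitelists `~/.wine-pipelight` and `~/.wine-pipelight64` read-write; these are presumably Wine prefixes holding the plugin's executables, so anything running inside the browser sandbox can modify code that is loaded again on the next start. That weakens the persistence barrier the whitelist otherwise provides, and it does so for all users rather than only those who have Pipelight installed. I would ship the four lines commented out under a note such as `# uncomment to enable Pipelight (Silverlight/Widevine); grants the browser write access to the Wine prefix`. seamonkey.profile gets the same block in this commit.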
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile index d57728139..3396585eb 100644 --- a/etc/google-chrome-beta.profile +++ b/etc/google-chrome-beta.profile | |||
@@ -1,5 +1,7 @@ | |||
1 | # Google Chrome beta browser profile | 1 | # Google Chrome beta browser profile |
2 | noblacklist ${HOME}/.config/google-chrome-beta | 2 | noblacklist ~/.config/google-chrome-beta |
3 | noblacklist ~/.cache/google-chrome-beta | ||
4 | noblacklist ~/keepassx.kdbx | ||
3 | include /etc/firejail/disable-mgmt.inc | 5 | include /etc/firejail/disable-mgmt.inc |
4 | include /etc/firejail/disable-secret.inc | 6 | include /etc/firejail/disable-secret.inc |
5 | include /etc/firejail/disable-common.inc | 7 | include /etc/firejail/disable-common.inc |
@@ -10,6 +12,7 @@ include /etc/firejail/disable-terminals.inc | |||
10 | # | 12 | # |
11 | 13 | ||
12 | netfilter | 14 | netfilter |
15 | |||
13 | whitelist ${DOWNLOADS} | 16 | whitelist ${DOWNLOADS} |
14 | mkdir ~/.config | 17 | mkdir ~/.config |
15 | mkdir ~/.config/google-chrome-beta | 18 | mkdir ~/.config/google-chrome-beta |
@@ -21,3 +24,9 @@ mkdir ~/.pki | |||
21 | whitelist ~/.pki | 24 | whitelist ~/.pki |
22 | include /etc/firejail/whitelist-common.inc | 25 | include /etc/firejail/whitelist-common.inc |
23 | 26 | ||
27 | # lastpass, keepassx | ||
28 | whitelist ~/.keepassx | ||
29 | whitelist ~/.config/keepassx | ||
30 | whitelist ~/keepassx.kdbx | ||
31 | whitelist ~/.lastpass | ||
32 | whitelist ~/.config/lastpass | ||
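Review bot: The five-line `# lastpass, keepassx` block is pasted after `include /etc/firejail/whitelist-common.inc` here, while chromium.profile and firefox.profile place it before that include; the same copy also appears in google-chrome-unstable, google-chrome, opera, opera-beta, seamonkey and vivaldi. Nine hand-maintained copies of a security-sensitive allow list will drift over time. Moving the block into one shared `.inc` file that each browser profile includes would keep them in step and give a single place to tighten or disable it.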
diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile index 36a1fb456..ed4332862 100644 --- a/etc/google-chrome-unstable.profile +++ b/etc/google-chrome-unstable.profile | |||
@@ -1,5 +1,7 @@ | |||
1 | # Google Chrome unstable browser profile | 1 | # Google Chrome unstable browser profile |
2 | noblacklist ${HOME}/.config/google-chrome-unstable | 2 | noblacklist ~/.config/google-chrome-unstable |
3 | noblacklist ~/.cache/google-chrome-unstable | ||
4 | noblacklist ~/keepassx.kdbx | ||
3 | include /etc/firejail/disable-mgmt.inc | 5 | include /etc/firejail/disable-mgmt.inc |
4 | include /etc/firejail/disable-secret.inc | 6 | include /etc/firejail/disable-secret.inc |
5 | include /etc/firejail/disable-common.inc | 7 | include /etc/firejail/disable-common.inc |
@@ -10,6 +12,7 @@ include /etc/firejail/disable-terminals.inc | |||
10 | # | 12 | # |
11 | 13 | ||
12 | netfilter | 14 | netfilter |
15 | |||
13 | whitelist ${DOWNLOADS} | 16 | whitelist ${DOWNLOADS} |
14 | mkdir ~/.config | 17 | mkdir ~/.config |
15 | mkdir ~/.config/google-chrome-unstable | 18 | mkdir ~/.config/google-chrome-unstable |
@@ -21,3 +24,9 @@ mkdir ~/.pki | |||
21 | whitelist ~/.pki | 24 | whitelist ~/.pki |
22 | include /etc/firejail/whitelist-common.inc | 25 | include /etc/firejail/whitelist-common.inc |
23 | 26 | ||
27 | # lastpass, keepassx | ||
28 | whitelist ~/.keepassx | ||
29 | whitelist ~/.config/keepassx | ||
30 | whitelist ~/keepassx.kdbx | ||
31 | whitelist ~/.lastpass | ||
32 | whitelist ~/.config/lastpass | ||
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile index 3b73738a6..985af38eb 100644 --- a/etc/google-chrome.profile +++ b/etc/google-chrome.profile | |||
@@ -1,5 +1,7 @@ | |||
1 | # Google Chrome browser profile | 1 | # Google Chrome browser profile |
2 | noblacklist ${HOME}/.config/google-chrome | 2 | noblacklist ~/.config/google-chrome |
3 | noblacklist ~/.cache/google-chrome | ||
4 | noblacklist ~/keepassx.kdbx | ||
3 | include /etc/firejail/disable-mgmt.inc | 5 | include /etc/firejail/disable-mgmt.inc |
4 | include /etc/firejail/disable-secret.inc | 6 | include /etc/firejail/disable-secret.inc |
5 | include /etc/firejail/disable-common.inc | 7 | include /etc/firejail/disable-common.inc |
@@ -10,6 +12,7 @@ include /etc/firejail/disable-terminals.inc | |||
10 | # | 12 | # |
11 | 13 | ||
12 | netfilter | 14 | netfilter |
15 | |||
13 | whitelist ${DOWNLOADS} | 16 | whitelist ${DOWNLOADS} |
14 | mkdir ~/.config | 17 | mkdir ~/.config |
15 | mkdir ~/.config/google-chrome | 18 | mkdir ~/.config/google-chrome |
@@ -20,3 +23,11 @@ whitelist ~/.cache/google-chrome | |||
20 | mkdir ~/.pki | 23 | mkdir ~/.pki |
21 | whitelist ~/.pki | 24 | whitelist ~/.pki |
22 | include /etc/firejail/whitelist-common.inc | 25 | include /etc/firejail/whitelist-common.inc |
26 | |||
27 | # lastpass, keepassx | ||
28 | whitelist ~/.keepassx | ||
29 | whitelist ~/.config/keepassx | ||
30 | whitelist ~/keepassx.kdbx | ||
31 | whitelist ~/.lastpass | ||
32 | whitelist ~/.config/lastpass | ||
33 | |||
diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile index a65c7cef1..91eb10787 100644 --- a/etc/opera-beta.profile +++ b/etc/opera-beta.profile | |||
@@ -1,15 +1,19 @@ | |||
1 | # Opera-beta browser profile | 1 | # Opera-beta browser profile |
2 | noblacklist ${HOME}/.config/opera-beta | 2 | noblacklist ~/.config/opera-beta |
3 | noblacklist ~/.cache/opera-beta | ||
4 | noblacklist ~/keepassx.kdbx | ||
3 | include /etc/firejail/disable-mgmt.inc | 5 | include /etc/firejail/disable-mgmt.inc |
4 | include /etc/firejail/disable-secret.inc | 6 | include /etc/firejail/disable-secret.inc |
5 | include /etc/firejail/disable-common.inc | 7 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-devel.inc | 8 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-terminals.inc | 9 | include /etc/firejail/disable-terminals.inc |
10 | |||
8 | netfilter | 11 | netfilter |
12 | |||
13 | whitelist ${DOWNLOADS} | ||
9 | mkdir ~/.config | 14 | mkdir ~/.config |
10 | mkdir ~/.config/opera-beta | 15 | mkdir ~/.config/opera-beta |
11 | whitelist ~/.config/opera-beta | 16 | whitelist ~/.config/opera-beta |
12 | whitelist ${DOWNLOADS} | ||
13 | mkdir ~/.cache | 17 | mkdir ~/.cache |
14 | mkdir ~/.cache/opera-beta | 18 | mkdir ~/.cache/opera-beta |
15 | whitelist ~/.cache/opera-beta | 19 | whitelist ~/.cache/opera-beta |
@@ -17,4 +21,10 @@ mkdir ~/.pki | |||
17 | whitelist ~/.pki | 21 | whitelist ~/.pki |
18 | include /etc/firejail/whitelist-common.inc | 22 | include /etc/firejail/whitelist-common.inc |
19 | 23 | ||
24 | # lastpass, keepassx | ||
25 | whitelist ~/.keepassx | ||
26 | whitelist ~/.config/keepassx | ||
27 | whitelist ~/keepassx.kdbx | ||
28 | whitelist ~/.lastpass | ||
29 | whitelist ~/.config/lastpass | ||
20 | 30 | ||
diff --git a/etc/opera.profile b/etc/opera.profile index 032b3ece7..08bbd5a06 100644 --- a/etc/opera.profile +++ b/etc/opera.profile | |||
@@ -1,15 +1,19 @@ | |||
1 | # Opera browser profile | 1 | # Opera browser profile |
2 | noblacklist ${HOME}/.config/opera | 2 | noblacklist ~/.config/opera |
3 | noblacklist ~/.cache/opera | ||
4 | noblacklist ~/keepassx.kdbx | ||
3 | include /etc/firejail/disable-mgmt.inc | 5 | include /etc/firejail/disable-mgmt.inc |
4 | include /etc/firejail/disable-secret.inc | 6 | include /etc/firejail/disable-secret.inc |
5 | include /etc/firejail/disable-common.inc | 7 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-devel.inc | 8 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-terminals.inc | 9 | include /etc/firejail/disable-terminals.inc |
10 | |||
8 | netfilter | 11 | netfilter |
12 | |||
13 | whitelist ${DOWNLOADS} | ||
9 | mkdir ~/.config | 14 | mkdir ~/.config |
10 | mkdir ~/.config/opera | 15 | mkdir ~/.config/opera |
11 | whitelist ~/.config/opera | 16 | whitelist ~/.config/opera |
12 | whitelist ${DOWNLOADS} | ||
13 | mkdir ~/.cache | 17 | mkdir ~/.cache |
14 | mkdir ~/.cache/opera | 18 | mkdir ~/.cache/opera |
15 | whitelist ~/.cache/opera | 19 | whitelist ~/.cache/opera |
@@ -17,4 +21,10 @@ mkdir ~/.pki | |||
17 | whitelist ~/.pki | 21 | whitelist ~/.pki |
18 | include /etc/firejail/whitelist-common.inc | 22 | include /etc/firejail/whitelist-common.inc |
19 | 23 | ||
24 | # lastpass, keepassx | ||
25 | whitelist ~/.keepassx | ||
26 | whitelist ~/.config/keepassx | ||
27 | whitelist ~/keepassx.kdbx | ||
28 | whitelist ~/.lastpass | ||
29 | whitelist ~/.config/lastpass | ||
20 | 30 | ||
diff --git a/etc/seamonkey-bin.profile b/etc/seamonkey-bin.profile index 74b9b591b..fff8c1258 100644 --- a/etc/seamonkey-bin.profile +++ b/etc/seamonkey-bin.profile | |||
@@ -1,38 +1,3 @@ | |||
1 | # Firejail profile for Seamoneky based off Mozilla Firefox | 1 | # Firejail profile for Seamonkey based off Mozilla Firefox |
2 | noblacklist ${HOME}/.mozilla | 2 | include /etc/firejail/seamonkey.profile |
3 | include /etc/firejail/disable-mgmt.inc | ||
4 | include /etc/firejail/disable-secret.inc | ||
5 | include /etc/firejail/disable-common.inc | ||
6 | include /etc/firejail/disable-devel.inc | ||
7 | include /etc/firejail/disable-terminals.inc | ||
8 | caps.drop all | ||
9 | seccomp | ||
10 | protocol unix,inet,inet6,netlink | ||
11 | netfilter | ||
12 | tracelog | ||
13 | noroot | ||
14 | whitelist ${DOWNLOADS} | ||
15 | mkdir ~/.mozilla | ||
16 | mkdir ~/.mozilla/seamonkey | ||
17 | whitelist ~/.mozilla/seamonkey | ||
18 | mkdir ~/.cache | ||
19 | mkdir ~/.cache/mozilla | ||
20 | mkdir ~/.cache/mozilla/seamonkey | ||
21 | whitelist ~/.cache/mozilla/seamonkey | ||
22 | whitelist ~/dwhelper | ||
23 | whitelist ~/.zotero | ||
24 | whitelist ~/.lastpass | ||
25 | whitelist ~/.vimperatorrc | ||
26 | whitelist ~/.vimperator | ||
27 | whitelist ~/.pentadactylrc | ||
28 | whitelist ~/.pentadactyl | ||
29 | whitelist ~/.keysnail.js | ||
30 | whitelist ~/.config/gnome-mplayer | ||
31 | whitelist ~/.cache/gnome-mplayer/plugin | ||
32 | mkdir ~/.pki | ||
33 | whitelist ~/.pki | ||
34 | include /etc/firejail/whitelist-common.inc | ||
35 | |||
36 | # experimental features | ||
37 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | ||
38 | 3 | ||
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile index d585c719b..b896af97a 100644 --- a/etc/seamonkey.profile +++ b/etc/seamonkey.profile | |||
@@ -1,18 +1,27 @@ | |||
1 | # Firejail profile for Seamoneky based off Mozilla Firefox | 1 | # Firejail profile for Seamoneky based off Mozilla Firefox |
2 | noblacklist ${HOME}/.mozilla | 2 | noblacklist ~/.mozilla |
3 | noblacklist ~/.cache/mozilla | ||
4 | noblacklist ~/keepassx.kdbx | ||
3 | include /etc/firejail/disable-mgmt.inc | 5 | include /etc/firejail/disable-mgmt.inc |
4 | include /etc/firejail/disable-secret.inc | 6 | include /etc/firejail/disable-secret.inc |
5 | include /etc/firejail/disable-common.inc | 7 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-devel.inc | 8 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-terminals.inc | 9 | include /etc/firejail/disable-terminals.inc |
10 | |||
8 | caps.drop all | 11 | caps.drop all |
9 | seccomp | 12 | seccomp |
10 | protocol unix,inet,inet6,netlink | 13 | protocol unix,inet,inet6,netlink |
11 | netfilter | 14 | netfilter |
12 | tracelog | 15 | tracelog |
13 | noroot | 16 | noroot |
17 | |||
14 | whitelist ${DOWNLOADS} | 18 | whitelist ${DOWNLOADS} |
19 | mkdir ~/.mozilla | ||
20 | mkdir ~/.mozilla/seamonkey | ||
15 | whitelist ~/.mozilla/seamonkey | 21 | whitelist ~/.mozilla/seamonkey |
22 | mkdir ~/.cache | ||
23 | mkdir ~/.cache/mozilla | ||
24 | mkdir ~/.cache/mozilla/seamonkey | ||
16 | whitelist ~/.cache/mozilla/seamonkey | 25 | whitelist ~/.cache/mozilla/seamonkey |
17 | whitelist ~/dwhelper | 26 | whitelist ~/dwhelper |
18 | whitelist ~/.zotero | 27 | whitelist ~/.zotero |
@@ -27,6 +36,21 @@ whitelist ~/.cache/gnome-mplayer/plugin | |||
27 | whitelist ~/.pki | 36 | whitelist ~/.pki |
28 | include /etc/firejail/whitelist-common.inc | 37 | include /etc/firejail/whitelist-common.inc |
29 | 38 | ||
39 | # lastpass, keepassx | ||
40 | whitelist ~/.keepassx | ||
41 | whitelist ~/.config/keepassx | ||
42 | whitelist ~/keepassx.kdbx | ||
43 | whitelist ~/.lastpass | ||
44 | whitelist ~/.config/lastpass | ||
45 | |||
46 | #silverlight | ||
47 | whitelist ~/.wine-pipelight | ||
48 | whitelist ~/.wine-pipelight64 | ||
49 | whitelist ~/.config/pipelight-widevine | ||
50 | whitelist ~/.config/pipelight-silverlight5.1 | ||
51 | |||
52 | |||
53 | |||
30 | # experimental features | 54 | # experimental features |
31 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | 55 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse |
32 | 56 | ||
diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile index b8263629a..408a1898c 100644 --- a/etc/vivaldi.profile +++ b/etc/vivaldi.profile | |||
@@ -1,14 +1,29 @@ | |||
1 | # Vivaldi browser profile | 1 | # Vivaldi browser profile |
2 | noblacklist ${HOME}/.config/vivaldi | 2 | noblacklist ~/.config/vivaldi |
3 | noblacklist ~/.cache/vivaldi | ||
4 | noblacklist ~/keepassx.kdbx | ||
3 | include /etc/firejail/disable-mgmt.inc | 5 | include /etc/firejail/disable-mgmt.inc |
4 | include /etc/firejail/disable-secret.inc | 6 | include /etc/firejail/disable-secret.inc |
5 | include /etc/firejail/disable-common.inc | 7 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-devel.inc | 8 | include /etc/firejail/disable-devel.inc |
9 | include /etc/firejail/disable-terminals.inc | ||
7 | 10 | ||
8 | netfilter | 11 | netfilter |
9 | whitelist ~/.config/vivaldi | 12 | tracelog |
13 | |||
10 | whitelist ${DOWNLOADS} | 14 | whitelist ${DOWNLOADS} |
15 | mkdir ~/.config | ||
16 | mkdir ~/.config/vivaldi | ||
17 | whitelist ~/.config/vivaldi | ||
18 | mkdir ~/.cache | ||
19 | mkdir ~/.cache/vivaldi | ||
11 | whitelist ~/.cache/vivaldi | 20 | whitelist ~/.cache/vivaldi |
12 | include /etc/firejail/whitelist-common.inc | 21 | include /etc/firejail/whitelist-common.inc |
13 | 22 | ||
23 | # lastpass, keepassx | ||
24 | whitelist ~/.keepassx | ||
25 | whitelist ~/.config/keepassx | ||
26 | whitelist ~/keepassx.kdbx | ||
27 | whitelist ~/.lastpass | ||
28 | whitelist ~/.config/lastpass | ||
14 | 29 | ||
diff --git a/etc/vlc.profile b/etc/vlc.profile index 028de0ad1..dd0a70353 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile | |||
@@ -1,4 +1,5 @@ | |||
1 | # VLC profile | 1 | # VLC profile |
2 | noblacklist ${HOME}/.config/vlc | ||
2 | include /etc/firejail/disable-mgmt.inc | 3 | include /etc/firejail/disable-mgmt.inc |
3 | include /etc/firejail/disable-secret.inc | 4 | include /etc/firejail/disable-secret.inc |
4 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc index 54e549e1a..9d5ef3d96 100644 --- a/etc/whitelist-common.inc +++ b/etc/whitelist-common.inc | |||
@@ -5,6 +5,7 @@ whitelist ~/.icons | |||
5 | whitelist ~/.config/user-dirs.dirs | 5 | whitelist ~/.config/user-dirs.dirs |
6 | read-only ~/.config/user-dirs.dirs | 6 | read-only ~/.config/user-dirs.dirs |
7 | whitelist ~/.asoundrc | 7 | whitelist ~/.asoundrc |
8 | whitelist ~/.config/Trolltech.conf | ||
8 | 9 | ||
9 | # fonts | 10 | # fonts |
10 | whitelist ~/.fonts | 11 | whitelist ~/.fonts |
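Review bot: `whitelist ~/.config/Trolltech.conf` makes the Qt settings file writable from every sandbox that includes this file, and the same file is presumably read by Qt applications running outside the sandbox. The neighbouring entry pairs its whitelist with `read-only ~/.config/user-dirs.dirs`; adding `read-only ~/.config/Trolltech.conf` after the new line would let sandboxed Qt programs keep their theme and font settings without being able to change configuration for unsandboxed ones.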
diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 7c5cba882..5240d87a6 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles | |||
@@ -71,3 +71,4 @@ | |||
71 | /etc/firejail/hedgewars.profile | 71 | /etc/firejail/hedgewars.profile |
72 | /etc/firejail/vivaldi.profile | 72 | /etc/firejail/vivaldi.profile |
73 | /etc/firejail/vivaldi-beta.profile | 73 | /etc/firejail/vivaldi-beta.profile |
74 | /etc/firejail/atril.profile | ||