-rw-r--r-- | etc/gedit.profile | 2 | ||||
-rw-r--r-- | etc/gitter.profile | 11 | ||||
-rw-r--r-- | etc/google-chrome.profile | 1 | ||||
-rw-r--r-- | etc/handbrake.profile | 1 | ||||
-rw-r--r-- | etc/hexchat.profile | 3 | ||||
-rw-r--r-- | etc/keepassx.profile | 3 | ||||
-rw-r--r-- | etc/keepassx2.profile | 37 | ||||
-rw-r--r-- | etc/keepassxc.profile | 2 | ||||
-rw-r--r-- | etc/libreoffice.profile | 2 | ||||
-rw-r--r-- | etc/pluma.profile | 4 | ||||
-rw-r--r-- | etc/qbittorrent.profile | 5 | ||||
-rw-r--r-- | etc/stellarium.profile | 5 | ||||
-rw-r--r-- | etc/thunderbird.profile | 4 | ||||
-rw-r--r-- | etc/vlc.profile | 1 | ||||
-rw-r--r-- | etc/xed.profile | 4 |
15 files changed, 48 insertions, 37 deletions
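--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -19,6 +19,7 @@ include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 # net none - makes settings immutable
+machine-id
 no3d
 nodvd
 nogroups
@@ -37,5 +38,6 @@ private-dev
 # private-etc fonts
 private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp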
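Review bot: `memory-deny-write-execute` in the second hunk is a strong restriction for an editor whose plugin system is, as far as I know, libpeas with Python/PyGObject, which goes through libffi closures that have historically needed pages mapped writable and then executable; when that allocation is refused the plugin simply fails to load, with nothing visible outside the sandbox. Please confirm the bundled Python plugins still load under this profile, or record the trade-off on the spot with `# memory-deny-write-execute may break Python plugins (libffi) - comment out if needed` placed above the line. The same line is added in hexchat.profile, pluma.profile, qbittorrent.profile and xed.profile, so the same check applies there. Both hunks are excerpts; the profile continues outside them.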
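--- a/etc/gitter.profile
+++ b/etc/gitter.profile
@@ -13,7 +13,13 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+whitelist ${DOWNLOADS}
+whitelist ~/.config/autostart
+whitelist ~/.config/Gitter
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
+machine-id
 netfilter
 nodvd
 nogroups
@@ -25,7 +31,12 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
 
+disable-mnt
 private-bin bash,env,gitter
+private-etc fonts,pulse,resolv.conf
 private-opt Gitter
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp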
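Review bot: `whitelist ~/.config/autostart` in the first hunk mounts that directory read-write, so anything the sandboxed Gitter process writes there is launched unsandboxed at the next login; if the application only needs to read its existing launcher entry, follow the whitelist with `read-only ~/.config/autostart` so the sandbox boundary stays meaningful. Separately, the second hunk's `private-etc fonts,pulse,resolv.conf` carries no certificate store, so TLS validation for an HTTPS client will presumably fail unless the app ships its own CA list — worth testing, and adding `ca-certificates,ssl` to the list if it does not. Both hunks are excerpts; the profile continues outside them.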
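--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -21,6 +21,7 @@ whitelist ~/.cache/google-chrome
 whitelist ~/.config/google-chrome
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.keep sys_chroot,sys_admin
 netfilter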
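--- a/etc/handbrake.profile
+++ b/etc/handbrake.profile
@@ -19,7 +19,6 @@ netfilter
 nogroups
 nonewprivs
 noroot
-nosound
 novideo
 protocol unix,inet,inet6,netlink
 seccomp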
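--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -16,8 +16,10 @@ include /etc/firejail/disable-programs.inc
 mkdir ~/.config/hexchat
 whitelist ~/.config/hexchat
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
+machine-id
 netfilter
 no3d
 nodvd
@@ -38,5 +40,6 @@ private-bin hexchat
 private-dev
 private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp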
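--- a/etc/keepassx.profile
+++ b/etc/keepassx.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 machine-id
 net none
@@ -36,5 +38,6 @@ private-dev
 private-etc fonts,machine-id
 private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp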
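--- a/etc/keepassx2.profile
+++ b/etc/keepassx2.profile
@@ -1,38 +1,5 @@
 # Firejail profile for keepassx2
 # This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/keepassx2.local
-# Persistent global definitions
-include /etc/firejail/globals.local
 
-noblacklist ${HOME}/*.kdb
-noblacklist ${HOME}/*.kdbx
-noblacklist ${HOME}/.config/keepassx
-noblacklist ${HOME}/.keepassx
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-private-bin keepassx2
-private-dev
-private-etc fonts
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
+# Redirects
+include /etc/firejail/keepassx.profile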
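Review bot: The redirect drops `private-bin keepassx2`, and the `private-bin` line of keepassx.profile is outside this diff, so unless that list already names the `keepassx2` binary the redirected profile starts with no executable to run; please confirm it covers both binary names. The rewrite also removes `include /etc/firejail/keepassx2.local`, so any per-user customizations in that file silently stop applying — keeping the two lines `# Persistent local customizations` and `include /etc/firejail/keepassx2.local` above the redirect would preserve them, matching whatever the other redirect profiles in the repository do. The hunk covers the whole file.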
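--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 net none
 no3d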
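--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -17,6 +17,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
+machine-id
 netfilter
 nodvd
 nogroups
@@ -29,6 +30,7 @@ shell none
 tracelog
 
 private-dev
+private-tmp
 
 noexec ${HOME}
 noexec /tmp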
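Review bot: `private-tmp` in the second hunk replaces /tmp with an empty tmpfs, so documents handed to LibreOffice through /tmp — the usual path when a mail client or browser opens an attachment — will presumably not be visible to it; thunderbird.profile in this same commit keeps `ignore private-tmp`, presumably for that kind of handoff. Please test the open-attachment flow before keeping the line, or document the trade-off beside it with `# private-tmp - files handed over via /tmp are not visible`. Both hunks are excerpts; the profile continues outside them.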
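--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -12,8 +12,11 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 # net none - makes settings immutable
+machine-id
 no3d
 nodvd
 nogroups
@@ -32,5 +35,6 @@ private-dev
 # private-etc fonts
 private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp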
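--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -25,6 +25,7 @@ whitelist ~/.config/qBittorrentrc
 whitelist ~/.config/qt5ct
 whitelist ~/.local/share/data/qBittorrent
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 machine-id
@@ -44,3 +45,7 @@ seccomp
 private-dev
 # private-etc X11,fonts,xdg,resolv.conf
 private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp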
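--- a/etc/stellarium.profile
+++ b/etc/stellarium.profile
@@ -18,8 +18,10 @@ mkdir ~/.stellarium
 whitelist ~/.config/stellarium
 whitelist ~/.stellarium
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
+machine-id
 netfilter
 nodvd
 nogroups
@@ -36,3 +38,6 @@ disable-mnt
 private-bin stellarium
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp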
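Review bot: `noexec ${HOME}` in the second hunk remounts the home directory so nothing under it can be mapped executable, which I believe also blocks dlopen of user-installed Stellarium plugins kept under ~/.stellarium — the directory the first hunk's context shows this profile whitelisting. If that plugin path is supported, the line needs either a test showing plugins still load or a comment such as `# noexec ${HOME} - user plugins under ~/.stellarium will not load`. Both hunks are excerpts; the profile continues outside them.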
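--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -22,9 +22,11 @@ whitelist ~/.gnupg
 whitelist ~/.icedove
 whitelist ~/.thunderbird
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 ignore private-tmp
-
+machine-id
+disable-mnt
 read-only ~/.config/mimeapps.list
 
 # allow browsers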
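Review bot: `machine-id` and `disable-mnt` are inserted in place of the blank line between `ignore private-tmp` and `read-only ~/.config/mimeapps.list`, leaving three unrelated directives in one run; every other profile in this commit puts `machine-id` directly after `caps.drop all`, so for consistency move the two lines into the sandbox-options block (which starts outside this hunk) or at least restore the blank line after `ignore private-tmp`. Also worth a comment: `disable-mnt` hides /mnt and /media, so saving attachments to removable media no longer works from inside the sandbox. The hunk is an excerpt; the profile continues outside it.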
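--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
+machine-id
 netfilter
 # nogroups
 nonewprivs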
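Review bot: `machine-id` spoofs /etc/machine-id with a random value inside the sandbox; as far as I recall the PulseAudio client compares the id embedded in the PULSE_SERVER X property against that file and skips a server whose id does not match, so on some setups audio falls back to the default socket or fails outright — for a media player this deserves an explicit test before the line lands. If playback still works, a short `# machine-id - PulseAudio still reached via the default socket` comment would save the next reader the same check. The hunk is an excerpt; the profile continues outside it.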
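--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -12,8 +12,11 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 # net none - makes settings immutable
+machine-id
 no3d
 nodvd
 nogroups
@@ -32,5 +35,6 @@ private-dev
 # private-etc fonts
 private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp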